Run OpenSCAP Vulnerability Scan on Linux 9

Share on Social Media

In this tutorial, you will learn, how to install and run OpenSCAP Vulnerability Scan on Rocky Linux 9 or other Red hat based Linux OS. #centlinux #linux #openscap

What is OpenSCAP?

OpenSCAP (Security Content Automation Protocol) is an open-source framework designed for managing security compliance checking, vulnerability management, and policy enforcement. It provides a standardized approach for maintaining system security and compliance with various security policies, benchmarks, and guidelines.

Key components of OpenSCAP include:

  1. SCAP Content: OpenSCAP provides a collection of security policies, benchmarks, and guidelines in the form of SCAP (Security Content Automation Protocol) content. This content is based on various standards such as Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), etc.
  2. Scanner: OpenSCAP includes a scanner component that can assess the security posture of systems by evaluating them against predefined security policies and benchmarks. The scanner can check for vulnerabilities, misconfigurations, and adherence to security best practices.
  3. Utilities: OpenSCAP provides various command-line utilities and APIs for interacting with SCAP content, running scans, generating reports, and integrating it’s functionality into other security management tools and systems.
  4. Reporting: OpenSCAP generates detailed reports after scanning systems, providing information on security vulnerabilities, compliance status, and recommendations for remediation. These reports help system administrators and security professionals to identify and address security issues effectively.
  5. Integration: OpenSCAP can be integrated with other security tools and systems, such as configuration management systems, security information and event management (SIEM) solutions, and vulnerability management platforms, to enhance overall security management capabilities.

OpenSCAP is widely used in enterprise environments, government agencies, and other organizations to ensure the security and compliance of their IT infrastructure, including servers, workstations, and cloud environments. It helps organizations automate security assessments, streamline compliance efforts, and improve overall security posture.

How to perform OpenSCAP Vulnerability Scan?

An OpenSCAP vulnerability scan is a process where the OpenSCAP tool is utilized to assess the security posture of a system or a network by scanning for vulnerabilities, misconfigurations, and adherence to security policies and standards. Here’s an overview of how an OpenSCAP vulnerability scan typically works:

Preparation: Before initiating the scan, the user typically selects or defines the security benchmarks, policies, or standards against which the system will be evaluated. These benchmarks may include industry standards like CIS (Center for Internet Security), DISA STIGs (Defense Information Systems Agency Security Technical Implementation Guides), or other custom policies.

Scanning: The OpenSCAP scanner then conducts the scan based on the selected benchmarks and policies. It checks various aspects of the system configuration, including but not limited to:

  • Presence of known vulnerabilities (identified by CVE IDs)
  • Configuration settings that deviate from best practices or security standards
  • Compliance with specific security requirements outlined in the selected benchmarks

Evaluation: During the scan, OpenSCAP evaluates the system’s configuration and settings against the predefined benchmarks and policies. It identifies vulnerabilities, weaknesses, and areas of non-compliance.

Reporting: Once the scan is completed, OpenSCAP generates a detailed report summarizing the findings. This report typically includes:

  • List of vulnerabilities detected, along with their severity ratings and CVE identifiers
  • Configuration issues and deviations from security best practices
  • Compliance status with respect to the selected benchmarks or standards
  • Recommendations for remediation, including steps to mitigate identified vulnerabilities and improve overall security posture

Remediation: Based on the findings of the vulnerability scan, system administrators and security professionals can take appropriate actions to address the identified issues. This may involve applying software patches, reconfiguring system settings, or implementing additional security controls to mitigate risks and improve security.

Overall, an OpenSCAP vulnerability scan provides organizations with valuable insights into the security status of their systems, helping them identify and prioritize security risks, comply with regulatory requirements, and enhance their overall security posture.

Recommended Training: Linux Command Line

Environment Specification:

We are using a minimal Rocky Linux 9 virtual machine with following specifications.

  • CPU – 3.4 Ghz (2 cores)
  • Memory – 4 GB
  • Storage – 40 GB
  • Operating System – Rocky Linux release 9.3 (Blue Onyx)
  • Hostname – openscap-01.centlinux.com
  • IP Address – 192.168.18.121/24

Pre-installation Configuration:

Login to your Rocky Linux Server as a privileged user by using any ssh client.

Set hostname for your Linux machine and configure local DNS resolution as follows.

# hostnamectl set-hostname openscap-01.centlinux.com
# echo 192.168.18.121 openscap-01 openscap-01.centlinux.com >> /etc/hosts

Update Linux software packages by executing following command.

# dnf update -y

The above command may also update software packages related to Linux Kernel. In such case, reboot your Linux machine before moving forward.

# reboot

Check the Linux OS & Linux Kernel version.

# cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"

# uname -r
5.14.0-362.18.1.el9_3.0.1.x86_64

Install OpenSCAP on Rocky Linux 9

You will require, following two packages to install and run OpenSCAP vulnerability scan from Linux command line. Both of these packages are available in standard yum repositories.

# dnf install -y openscap-scanner scap-security-guide

Here,

  • openscap-scanner package provides the oscap command.
  • scap-security-guide provides the Security Policies.

You can optionally install scap-workbench package, if you wish to use OpenSCAP from graphical interface.

Select a Security Policy

SSG (SCAP Security Guide) policy files are located in the /usr/share/xml/scap/ssg/content/ directory.

You can execute following command to get list of SSG policy files.

# ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
/usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml

Select a Security Profile

Each security policy can have multiple profiles which provide policies implemented according to specific security baselines. Every profile can select different rules and use different values. You can list these profiles using the following command:

# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml [
Document type: Source Data Stream
Imported: 2024-02-26T20:55:34

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2' file which is referenced from datastream
                Status: draft
                Generated: 2024-02-26
                Resolved: true
                Profiles:
                        Title: ANSSI-BP-028 (enhanced)
                                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
                        Title: ANSSI-BP-028 (high)
                                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
                        Title: ANSSI-BP-028 (intermediary)
                                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
                        Title: ANSSI-BP-028 (minimal)
                                Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
                        Title: CCN Red Hat Enterprise Linux 9 - Advanced
                                Id: xccdf_org.ssgproject.content_profile_ccn_advanced
                        Title: CCN Red Hat Enterprise Linux 9 - Basic
                                Id: xccdf_org.ssgproject.content_profile_ccn_basic
                        Title: CCN Red Hat Enterprise Linux 9 - Intermediate
                                Id: xccdf_org.ssgproject.content_profile_ccn_intermediate
                        Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
                                Id: xccdf_org.ssgproject.content_profile_cis
                        Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
                                Id: xccdf_org.ssgproject.content_profile_cis_server_l1
                        Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
                                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
                        Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
                                Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
                        Title: DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
                                Id: xccdf_org.ssgproject.content_profile_cui
                        Title: Australian Cyber Security Centre (ACSC) Essential Eight
                                Id: xccdf_org.ssgproject.content_profile_e8
                        Title: Health Insurance Portability and Accountability Act (HIPAA)
                                Id: xccdf_org.ssgproject.content_profile_hipaa
                        Title: Australian Cyber Security Centre (ACSC) ISM Official
                                Id: xccdf_org.ssgproject.content_profile_ism_o
                        Title: Protection Profile for General Purpose Operating Systems
                                Id: xccdf_org.ssgproject.content_profile_ospp
                        Title: PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 9
                                Id: xccdf_org.ssgproject.content_profile_pci-dss
                        Title: DISA STIG for Red Hat Enterprise Linux 9
                                Id: xccdf_org.ssgproject.content_profile_stig
                        Title: DISA STIG with GUI for Red Hat Enterprise Linux 9
                                Id: xccdf_org.ssgproject.content_profile_stig_gui
                Referenced check files:
                        ssg-rhel9-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-rhel9-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
                        security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel9-oval.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel9-ocil.xml
        Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-oval.xml
        Ref-Id: scap_org.open-scap_cref_security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2
Dictionaries:
        Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-dictionary.xml

You can any of the above Security Profile for your Linux server.

We have selected xccdf_org.ssgproject.content_profile_cis for demonstration in this Linux tutorial.

Run an OpenSCAP Vulnerability Scan

Hopefully, You have selected the Security Policy and Security Profile by now.

Now, you can run an OpenSCAP Vulnerability Scan on your Rocky Linux server, by using oscap command.

# oscap xccdf eval \
 --profile xccdf_org.ssgproject.content_profile_cis \
 --results-arf arf.xml \
 --report report.html \
 /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2 file which is referenced from XCCDF content
--- Starting Evaluation ---

Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-90843-4
Result  notapplicable

Title   Build and Test AIDE Database
Rule    xccdf_org.ssgproject.content_rule_aide_build_database
Ident   CCE-83438-2
Result  notapplicable

Title   Configure AIDE to Verify the Audit Tools
Rule    xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Ident   CCE-87757-1
Result  notapplicable

Title   Configure Periodic Execution of AIDE
Rule    xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Ident   CCE-83437-4
Result  notapplicable

Title   Configure System Cryptography Policy
Rule    xccdf_org.ssgproject.content_rule_configure_crypto_policy
Ident   CCE-83450-7
Result  notapplicable

The On-screen output of this command is quiet long, therefore, we are only show a couple of lines.

However, the results of OpenSCAP vulnerability scan were also stored in arf.xml and report.html files.

report.html file has better readability. You can open this file in a web browser.

OpenSCAP Vulnerability Scan Output 1
OpenSCAP Vulnerability Scan Output 2

Conclusion:

In this tutorial, you have learned, how to install OpenSCAP on Rocky Linux 9 or other Red hat based Linux OS. We have also performed an OpenSCAP Vulnerability Scan on our Linux server.

Scroll to Top