- 1.0 What is SCAP
- 2.0 What is OpenSCAP
- 3.0 OSCAP Command Line Tool
- 4.0 Scanning with OSCAP
- 5.0 Generating Reports and Guides
- 6.0 SCAP Content
- 7.0 Practical Examples
- 7.1 Auditing Security Vulnerabilities of Red Hat Products
- 7.2 Auditing System Settings with SCAP Security Guide
- 7.3 How to Evaluate Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) on Red Hat Enterprise Linux 5
- 7.4 How to Evaluate United States Government Configuration Baseline (USGCB) on Red Hat Enterprise Linux 5
- 7.5 How to Evaluate Third-Party Guidances
- 7.6 How to run vulnerability can on Red Hat Enterprise Linux
The SCAP (Security Content Automation Protocol) is a line of specifications maintained by the NIST (National Institute of Standards and Technology) for maintaining system security for enterprise systems.
SCAP was created to provide a standardized approach to maintaining system security, and the standards that are used will therefore continually change to meet the needs of the community and enterprise businesses. New specifications are governed by NIST’s SCAP Release cycle in order to provide a consistent and repeatable revision workflow.
OpenSCAP checks system security configuration settings, and examines systems for signs of compromise by using rules based on standards and specifications.
OpenSCAP is an auditing tool that utilizes the XCCDF (Extensible Configuration Checklist Description Format) what is a standard way of expressing checklist content and defines security checklists. It also combines with other specifications such as CPE (Common Platform Enumeration), CCE (Common Configuration Enumeration), OVAL (Open Vulnerability and Assessment Language) to create a SCAP-expressed checklist that can be processed by SCAP-validated products.
The oscap is a command line tool that allows users to load, scan, validate, edit and export SCAP documents. Its alternative is SCAP Workbench GUI.
For information about oscap capabilities and complete list of options, refer to the oscap manual pages:
$ man oscap
To display the version of oscap, supported specifications, built-in CPE names and supported OVAL objects:
$ oscap -V
Prior using the oscap tool, you have to install SCAP content on your system. You can download the SCAP content from the respective web site or you can install it using a package management system implemented in by your Linux distribution.
# dnf install scap-security-guide or # yum install scap-security-guide
The SCAP content will be installed in /usr/share/xml/scap/ssg/content/.
When the SCAP content is imported or installed on your system, oscap can process the content by specifying the file path to the content. The oscap tool supports SCAP 1.2 and is backward compatible with SCAP 1.1 and 1.0. No special treatment is required in order to import and process earlier versions of the SCAP content.
The main goal of the oscap tool is to perform configuration and vulnerability scans of a local system. Oscap is able to evaluate both XCCDF benchmarks and OVAL definitions and generate the appropriate results.
SCAP content can be provided either in a single file (as an OVAL file or SCAP Data Stream), or as multiple separate XML files.
$ oscap [options] module eval [module_operation_options_and_arguments]
The SCAP document can have a form of a single OVAL file (an OVAL Definition file). The oscap tool processes the OVAL Definition file during evaluation of OVAL definitions. The tool collects system information, evaluates it and generates an OVAL Result file. The result of evaluation of each OVAL definition is printed to standard output stream. The following examples describe the most common scenarios involving an OVAL Definition file:
-
To evaluate all definitions within the given OVAL Definition file, run the following command:
$ oscap oval eval --results oval-results.xml scap-oval.xml
-
To evaluate one particular definition within the given OVAL Definition file:
$ oscap oval eval --id oval:rhel:def:1000 --results oval-results.xml scap-oval.xml
-
To evaluate all definitions from the OVAL component that are part of a particular data stream within a SCAP data stream collection, run the following command:
$ oscap oval eval --datastream-id ds.xml --oval-id xccdf.xml --results oval-results.xml scap-ds.xml
Where ds.xml is the given data stream, xccdf.xml is an XCCDF file specifying the OVAL component, oval-results.xml is the OVAL Result file, and scap-ds.xml is a file representing the SCAP data stream collection.
When the SCAP content is represented by multiple XML files, the OVAL Definition file can be distributed along with the XCCDF file. In such a situation, OVAL definitions may depend on variables that are exported from the XCCDF file during the scan, and separate evaluation of the OVAL definition(s) would produce misleading results. Therefore, any external variables has to be exported to a special file that is used during the OVAL definitions evaluation. The following commands are examples of this scenario:
$ oscap xccdf export-oval-variables --profile united_states_government_configuration_baseline usgcb-rhel5desktop-xccdf.xml
$ oscap oval eval --variables usgcb-rhel5desktop-oval.xml-0.variables-0.xml --results usgcb-results-oval.xml usgcb-rhel5desktop-oval.xml
Where united_states_government_configuration_baseline represents a profile in the XCCDF document, usgcb-rhel5desktop-xccdf.xml is a file specifying the XCCDF document, usgcb-rhel5desktop-oval.xml is the OVAL Definition file, usgcb-rhel5desktop-oval.xml-0.variables-0.xml is the file containing exported variables from the XCCDF file, and usgcb-results-oval.xml is the the OVAL Result file.
Another useful features of oscap is the ability to generate SCAP content in a human-readable format. The oscap utility allows you to transform an XML file into the HTML or plain-text format. This feature is used to generate security guides and checklists, which serve as a source of information, as well as guidance for secure system configuration. The results of system scans can also be transformed to well-readable result reports. The general command syntax is the following:
$ oscap module generate sub-module [specific_module/sub-module_options_and_arguments] file
where module is either xccdf or oval, sub-module is a type of the generated document, and file represents an XCCDF or OVAL file.
Before you can start using the oscap utility effectively, you also have to install or import some security content on your system. You can download SCAP content from the respective web site, or if specified as an RPM file or package, you can install it from the specified location, or known repository, using the Yum package manager.
You can generate your own SCAP content if you have an understanding of at least XCCDF or OVAL. XCCDF content is also frequently published online under open source licenses, and you can customize this content to suit your needs instead. SCAP Workbench is a great tool to do the customization.
OSCAP can display information about the SCAP contents within a file. Such as the document type, specification version, status, when the document was generated (published) or imported (copied).
$ oscap info
This command allows you to install all packages required by oscap to function properly, including the openscap package, which provides the utility itself.
Before you start using a security policy on your systems, you should first verify the policy in order to avoid any possible syntax or semantic errors in the policy. The oscap utility can be used to validate the security content against standard SCAP XML schemas. The validation results are printed to the standard error stream (stderr). The general syntax of such a validation command is the following:
$ scap module validate [module_options_and_arguments] file
where file is the full path to the file being validated. The only exception is the data stream module (ds), which uses the sds-validate operation instead of validate. So for example, it would be like:
$ oscap ds sds-validate scap-ds.xml
Note that all SCAP components within the given data stream are validated automatically and none of the components is specified separately.
You can also enable extra Schematron-based validation if you validate OVAL specification. This validation method is slower but it provides deeper analysis. Run the following command to validate an OVAL document using Schematron:
$ oscap oval validate --schematron oval-file.xml
This section demonstrates practical usage of certain security content provided for Red Hat products.