
Running OpenSCAP Compliance Checks on Oracle Linux

Avi Miller-OracleJan 8 2016 — edited Jun 6 2018

by Ginny Henningsen

Learn how to use the OpenSCAP compliance checker, a standardized way in Oracle Linux to evaluate security configurations and vulnerabilities.

Challenges in IT Security Management

An IT security breach—an incident of system tampering, intrusion, or data compromise—can have significant consequences. Companies can experience dramatic revenue losses, miss out on strategic business opportunities, and incur expenses associated with recovery and remediation. Government and regulatory agencies may impose legal penalties, mandate restitution, or levy fines. The potential impacts make IT system security a serious business concern.

As a part of IT security management, organizations usually define a security policy that standardizes optimal internal practices, processes, and configurations. When a company stores or processes sensitive data (including personal identity, financial data, or healthcare records), the security policy must also reflect relevant government and regulatory standards such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), and the Payment Card Industry Data Security Standard (PCI DSS). Standards often specify hardening guidelines and IT system requirements as well as required security practices. Many standards also mandate formal security reviews that must be performed by certified auditors on a regular schedule. In addition to these formal compliance assessments, IT departments typically conduct informal security reviews to detect and remedy vulnerabilities that might otherwise result in system or data compromise.

The diversity of data center systems adds to the challenge of developing effective and efficient strategies for IT security management. To help organizations automate compliance checks and implement security policy more universally across heterogeneous data centers, the US National Institute of Standards and Technology (NIST) developed the Security Content Automation Protocol (SCAP) standard. NIST created SCAP to provide a standardized approach for implementing enterprise system security and baseline profiles for compliance audits. Based on the SCAP standard, the OpenSCAP project supplies open source tools and policies to automate compliance checking and consistently apply security policy across different system types.

To automate compliance checking on Oracle Linux servers, the operating system includes packages containing an OpenSCAP framework and an implementation of the OpenSCAP interpreter, oscap. In addition, Oracle makes SCAP content files available to evaluate Oracle Linux system configurations against a defined security policy, industry-accepted hardening guidelines, and known vulnerabilities. This article can help administrators get started using the OpenSCAP functionality in Oracle Linux. It describes the various SCAP content files available to automate compliance checks, as well as how to obtain and use security advisory content that Oracle regularly publishes. It also discusses how to use Spacewalk, a tool for Linux systems management, to run OpenSCAP audits on Spacewalk-managed Oracle Linux client systems. Spacewalk is an open source (GPLv2) project. It officially became an open source, community-driven project in June 2008; it is the upstream project for the Red Hat Satellite product.

OpenSCAP and Best Practice

OpenSCAP compliance checking, of course, is only one element in an effective IT system security strategy. IT departments must document policy, establish procedures, and follow industry-standard best practices throughout application and system lifecycles.

At system installation, it's recommended that administrators minimize the operating system software image, eliminating unnecessary packages and removing unnecessary network services that could be possible attack vectors. While a hardened Oracle Linux configuration might be provisioned initially using VM cloning or Kickstart, in practice, administrators sometimes modify initial configurations to simplify the process of installing and configuring applications. Before a system is put into production, it's essential to revisit the system configuration and remediate any changes, locking down the system before deployment. Running an OpenSCAP assessment is one way an administrator can assess a system configuration to identify weaknesses and correct them before the system is actually deployed to production.

As a technology preview, the latest Oracle Linux 7.2 release includes OpenSCAP functionality as a part of the installation process, via either an add-on to the Anaconda GUI installer or Kickstart. As shown in Figure 1, the administrator specifies an OpenSCAP profile during the initial system configuration steps at installation. The add-on checks for potential misconfiguration—for example, it might report noncompliant partitioning. The initial scan results against the profile are saved as an XML file in the directory /root/openscap_data.


Figure 1. By specifying a profile to the Anaconda installer or Kickstart, an administrator can run an OpenSCAP scan at installation.

Once a system is put into production, administrators can continue to use OpenSCAP auditing to help identify issues of noncompliance and detect vulnerabilities. A crucial step in maintaining systems and preserving application continuity is to keep systems up to date and patched with the latest published security errata. OpenSCAP assessments can evaluate compliance against content that reflects the latest available security errata.

Periodic OpenSCAP assessments are relatively easy to automate at various stages of the system lifecycle and can be implemented as a standard part of an overall security management strategy. Good security practice includes examining scan results, comparing them to a baseline scan, performing remediation as necessary, and rerunning scans to confirm compliance. Just as periodic reviews of system log files and audit trails are considered good practice, analyzing OpenSCAP scan results can be a valuable part of a regular security review.

SCAP Content

The SCAP standard and OpenSCAP project bring together four crucial functions in IT security management: asset management, vulnerability management, configuration management, and compliance management. OpenSCAP automates the tasks of identifying and assessing vulnerabilities, measuring compliance, and enforcing security policy. Because a number of information security (IS) standards have emerged and evolved over time, there are multiple benchmarks for evaluating security. OpenSCAP specifies a standardized format for content that evaluates different IS protocols and policy definitions. The US National Vulnerability Database (NVD), which is managed by NIST, contains the SCAP content used to manage IT systems owned by the US government, and this content is made freely available to the general IT community.

To run an OpenSCAP compliance scan, an administrator specifies which content (in the form of XML files) the scanner should use as the basis of an assessment. The available SCAP content for Oracle Linux reflects several protocols and standards including

  • XCCDF, eXtensible Configuration Checklist Description Format. This format expresses widely accepted guidelines for hardening system configurations.
  • OVAL, Open Vulnerability and Assessment Language. The OVAL language provides information about system state with respect to known vulnerabilities.
  • CPE, Common Platform Enumeration. CPE is a naming scheme that categorizes operating systems, platforms, and software packages.
  • CVE, Common Vulnerabilities and Exposures. CVE content reflects a standardized method of representing identified software vulnerabilities and exposures.

Using the OpenSCAP Scanner in Oracle Linux

In Oracle Linux 6 and 7, the following packages contain the OpenSCAP framework and tools:

  • openscap—The open source OpenSCAP libraries that enable the integration of SCAP standards.
  • openscap-scanner—The OpenSCAP interpreter (oscap).
  • openscap-utils—Command-line tools built on the OpenSCAP libraries.
  • scap-security-guide—SCAP system hardening guidelines that map general policy requirements to practical implementation steps. This package includes SCAP content (in the form of XML files) that is used with the oscap scanner to assess guideline compliance.

OpenSCAP packages are available for Oracle Linux via either the ol6_x86_64_latest or ol7_x86_64_latest channels on Unbreakable Linux Network or the ol6_latest or ol7_latest repositories on Oracle Public Yum.

To get started and execute a compliance assessment, install the SCAP Security Guide (SSG) package, which also installs the other OpenSCAP packages as dependencies:

# yum install scap-security-guide

Installing the scap-security-guide package populates the latest SSG content for Oracle Linux in the directory /usr/share/xml/scap/ssg/content:

  • ssg-rhel6-cpe-dictionary.xml
  • ssg-rhel6-cpe-oval.xml
  • ssg-rhel6-ds.xml
  • ssg-rhel6-oval.xml
  • ssg-rhel6-xccdf.xml
  • ssg-rhel7-ds.xml

The filenames indicate the type of SCAP content in the file. The OpenSCAP scanner features an info module that can supply details about each file in a more readable form than raw XML. Running the following simple script lists information about the installed SSG content files:

# find /usr/share/xml/scap/ssg/content/*.xml -exec oscap info {} \; 

Figure 2 shows an excerpt of the script's results. The oscap info command lists details such as the SCAP content type, the relevant version of the SCAP specification, dates on which the content file was created and imported, and so forth. For XCCDF and Data Stream SCAP files, the description includes identifiers that can be used as evaluation targets.


Figure 2. The oscap info command gives information about SSG content files.

The syntax for oscap follows this format:

# oscap [options] module operation [operation_options_and_arguments]

In most cases, the module parameter is oval or xccdf to indicate the type of content being evaluated. The operation argument is usually eval, generate, or validate:

  • eval—For OVAL, evaluates each definition in an OVAL content file and prints the results to stdout.
  • generate—For OVAL, generate report converts results to HTML; for XCCDF, generate guide outputs a full security guide for the specified profile.
  • validate—This operation is used to analyze whether the specified content file is in a valid format. This argument is commonly used to validate content after it has been customized (tailoring content allows a scan to more closely match defined security policy).

The Oracle Linux 7.2 release also includes a technology preview of scap-workbench, a GUI interface that can be used for tailoring content and running customized OpenSCAP scans. For more information, see the upstream scap-workbench project information.

Example: Running a Scan Against an XCCDF Profile

Running oscap using an XCCDF profile demonstrates how OpenSCAP can evaluate a system configuration against defined policy. To learn which XCCDF profiles are available on an Oracle Linux 7 machine, enter the following:

# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
. . .
Profiles:
    standard
    pci-dss
    rht-ccp
    common
    stig-rhel7-server-upstream
. . .

The XCCDF profile rht-ccp is the Red Hat Certified Cloud Providers profile. The following command runs an OpenSCAP scan against this profile defined in the ssg-rhel7-xccdf.xml content file:

# oscap xccdf eval --profile rht-ccp \
  --results /tmp/`hostname`-ssg-results.xml \
  --report /tmp/`hostname`-ssg-results.html \
  --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \
  /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Title   Ensure /tmp Located On Separate Partition
Rule    partition_for_tmp
Ident   CCE-27173-4
Result  fail
. . .
Title   Ensure gpgcheck Enabled For All Yum Package Repositories
Rule    ensure_redhat_gpgcheck_never_disabled
Ident   CCE-26647-8
Result  pass
. . .

In addition to the output being logged to stdout, the scan generates results as an XML file and as HTML (Figure 3).


Figure 3. An OpenSCAP evaluation against an XCCDF profile can output scan results as an HTML report.

Scrolling down, the HTML provides an easy-to-read summary of the OpenSCAP assessment (Figure 4). The results are color-coded, highlighting pass/fail results against industry-standard configuration hardening guidelines.


Figure 4. Color-coded pass/fail results highlight system configuration issues that require attention.

An administrator can drill down into the results to learn more about the cause of a failure (Figure 5).


Figure 5. Example of a failed rule.

For some rules, the report includes remediation advice or scripts that can be used to try to fix the issue (Figure 6).


Figure 6. This rule includes a remediation script that the administrator can run to remedy the failure.

On a single server, an administrator might run suggested remediation scripts manually. There is, however, the ability to automate fixes during a scan using the --remediate option:

# oscap xccdf eval --profile rht-ccp --remediate \
  --results /tmp/`hostname`-ssg-results.xml \
  --report /tmp/`hostname`-ssg-results.html \
  --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml \
  /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Title   Ensure /tmp Located On Separate Partition
Rule    partition_for_tmp
Ident   CCE-27173-4
Result  fail
. . .
--- Starting Remediation ---
Title   Ensure RedHat GPG Key Installed
Rule    ensure_redhat_gpgkey_installed
Ident   CCE-26506-6
Result  error
. . .
Title   Use Only Approved Ciphers
Rule    sshd_use_approved_ciphers
Ident   CCE-27051-2
Result  fixed
. . .

In a large data center environment with many servers, automating scripted changes is usually done using a configuration management solution (such as Ansible or Puppet).
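The --results XML written by the scans above is what a periodic review compares against a baseline (see "OpenSCAP and Best Practice"). The following script is an added example, not Oracle's or the OpenSCAP project's code: it parses the rule-result entries of two XCCDF results files, summarizes pass/fail counts, reports which rules changed state after remediation, and flags rules that regressed from pass to fail. The two documents it reads are constructed samples in the shape of the TestResult section that oscap xccdf eval writes, trimmed to the rules shown in the article's output.

```python
"""Summarise an oscap XCCDF --results file and diff it against a baseline scan.

Added example for this article, not Oracle's or the OpenSCAP project's code.
The two documents below are constructed samples shaped like the <TestResult>
section that `oscap xccdf eval --results` writes (XCCDF 1.2 namespace), cut
down to the rules shown in the article's scan output.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = 'http://checklists.nist.gov/xccdf/1.2'


def _local(tag):
    """Drop the namespace prefix ElementTree keeps in tags: '{ns}result' -> 'result'."""
    return tag.rsplit('}', 1)[-1]


def parse_rule_results(xml_text):
    """Return {rule id: (result, CCE ident)} for every <rule-result> element."""
    results = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != 'rule-result':
            continue
        outcome = ident = None
        for child in elem:
            if _local(child.tag) == 'result':
                outcome = (child.text or '').strip()
            elif _local(child.tag) == 'ident':
                ident = (child.text or '').strip()
        results[elem.get('idref')] = (outcome, ident)
    return results


def summarize(results):
    """Count outcomes per state, e.g. Counter({'pass': 2, 'fail': 1})."""
    return Counter(outcome for outcome, _ in results.values())


def diff_scans(baseline, rescan):
    """Rules whose outcome differs between two scans: {rule id: (before, after)}."""
    changed = {}
    for rule_id in sorted(set(baseline) | set(rescan)):
        before = baseline.get(rule_id, (None, None))[0]
        after = rescan.get(rule_id, (None, None))[0]
        if before != after:
            changed[rule_id] = (before, after)
    return changed


def regressions(baseline, rescan):
    """Rules that passed in the baseline but fail now: configuration drift to chase."""
    return [r for r, (b, a) in diff_scans(baseline, rescan).items()
            if b == 'pass' and a == 'fail']


def _sample(*rules):
    """Build a minimal results document from (rule name, result, CCE) tuples (constructed)."""
    body = ''.join(
        '<rule-result idref="xccdf_org.ssgproject.content_rule_%s"><result>%s</result>'
        '<ident system="https://nvd.nist.gov/cce/index.cfm">%s</ident></rule-result>' % r
        for r in rules)
    return ('<Benchmark xmlns="%s"><TestResult id="xccdf_org.open-scap_testresult_rht-ccp">'
            '%s</TestResult></Benchmark>' % (XCCDF_NS, body))


# Baseline scan (before remediation) and the re-scan after running --remediate.
BASELINE = _sample(('partition_for_tmp', 'fail', 'CCE-27173-4'),
                   ('ensure_redhat_gpgcheck_never_disabled', 'pass', 'CCE-26647-8'),
                   ('sshd_use_approved_ciphers', 'fail', 'CCE-27051-2'))
RESCAN = _sample(('partition_for_tmp', 'fail', 'CCE-27173-4'),
                 ('ensure_redhat_gpgcheck_never_disabled', 'pass', 'CCE-26647-8'),
                 ('sshd_use_approved_ciphers', 'pass', 'CCE-27051-2'))

if __name__ == '__main__':
    base, again = parse_rule_results(BASELINE), parse_rule_results(RESCAN)
    print('baseline', dict(summarize(base)), '-> rescan', dict(summarize(again)))
    for rule_id, (before, after) in diff_scans(base, again).items():
        print('%s: %s -> %s' % (rule_id, before, after))
    print('regressions:', regressions(base, again))
```

To use it on real scans, replace BASELINE and RESCAN with the contents of the two /tmp/`hostname`-ssg-results.xml files.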

Example: Generating a Security Guide

Some regulatory requirements mandate that an organization document system configuration guidelines, supplying this documentation to security auditors during the formal review process. OpenSCAP simplifies this task, allowing a full security guide to be automatically created based on an XCCDF profile:

# oscap xccdf generate guide --profile rht-ccp \
  --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
  /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml \
  > /tmp/`hostname`-ssg.html

Figure 7 shows an excerpt of the resulting security guide.

Figure 7. OpenSCAP can automatically generate a security guide that documents configuration best practice.

Example: Running an OVAL Vulnerability Assessment

As described in the Mitre Use Cases Guide, the primary advantage of the OVAL language is that it provides a standardized way of developing and sharing definitions for assessing security vulnerabilities. When a vendor (such as Oracle) releases a security advisory, the vendor can also publish a corresponding OVAL definition, enabling a means of checking whether an update has been applied to address the issue. While certain command-line tools (such as yum updateinfo list security installed) can provide useful details about system state, OVAL allows different security products to work together and exchange data because it stipulates a standardized, platform-independent definition format and checking language. OVAL capabilities are especially advantageous in heterogeneous environments that deploy OVAL-compatible tools.

Oracle makes OVAL content available on the Oracle Linux security page. Using this content, an administrator can run an OpenSCAP audit on Oracle Linux systems and determine whether security updates have been applied to systems. Based on the results, the administrator can identify unpatched weaknesses and apply updates to eliminate vulnerabilities.

Oracle posts both individual OVAL definition files and consolidated OVAL definitions (in compressed bzip2 format). An individual OVAL definition file corresponds to a security advisory; it is named using a combination of the provider's reverse FQDN and the specific advisory number. The following commands download a single OVAL definition file for advisory ELSA-20151834 and run an assessment against that definition:

# wget https://linux.oracle.com/oval/com.oracle.elsa-20151834.xml
# oscap oval eval --results /tmp/`hostname`-oval-results.xml \
  --report /tmp/`hostname`-oval-results.html \
  ./com.oracle.elsa-20151834.xml
Definition oval:com.oracle.elsa:def:20151834: true
Evaluation done.


Figure 8. HTML results from scan using the com.oracle.elsa-20151834.xml OVAL definition.

The OVAL definition specifies a class that tells the OVAL interpreter what kind of assessment is being performed—in this case, "patch" indicates that the test is evaluating whether the relevant patch is installed.

The criteria used in an OVAL evaluation are contained in the XML definition. Each definition includes a set of conditions that is evaluated (for example, is Oracle Linux 6 installed; does an object such as an RPM package have a version less than a certain value; and so on). Typically multiple conditions are evaluated during an OVAL scan. A logical expression for the evaluated criteria produces an overall true or false test result. If the result is true, then the installed software is vulnerable and should be patched.

In Figure 8 (which shows the scan result for advisory ELSA-20151834), the OVAL definition evaluates whether the OS is Oracle Linux 6 and the Firefox package version is earlier than 38.3.0-2.0.1.el6_7. In this case it is, so the system is subject to the vulnerability described in the listed CVEs (CVE-2015-4500, CVE-2015-4509, and CVE-2015-4510). To address this issue, the administrator can run yum update --cve=CVE-2015-4500 and then rerun the OpenSCAP test, which gives the result shown in Figure 9.


Figure 9. HTML results from the same scan after applying the patch that addresses the vulnerability.

Oracle publishes consolidated compressed bzip2 files containing OVAL definitions for advisories for each year. As an example, the following commands download the OVAL consolidated definitions for 2015, extract them, and evaluate the system against these definitions:

# wget https://linux.oracle.com/security/oval/com.oracle.elsa-2015.xml.bz2
# bunzip2 ./com.oracle.elsa-2015.xml.bz2
# oscap oval eval --results /tmp/`hostname`-oval-results.xml \
  --report /tmp/`hostname`-oval-results.html \
  ./com.oracle.elsa-2015.xml


Figure 10. Running a scan using a consolidated definition set produces a list of true/false results.
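A consolidated scan produces one true/false line per advisory, and a true result only says that the vulnerable package range is installed. The following script is an added example, not Oracle's or the OpenSCAP project's code: it joins the OVAL --results file with the definition metadata (title, class, CVE references) so the output names each missing advisory, its CVEs, and a yum update command of the form the article uses. The two documents it reads are constructed samples shaped like OVAL 5 definitions and results XML; advisory 20159999 and CVE-0000-0000 are placeholders, and the script assumes yum's --cve option may be repeated once per CVE.

```python
"""Join an oscap OVAL --results file with its definitions to list unpatched advisories.

Added example for this article, not Oracle's or the OpenSCAP project's code.
A consolidated scan (e.g. com.oracle.elsa-2015.xml) yields one true/false
result per advisory; 'true' means the vulnerable package range is installed.
The two documents below are constructed samples shaped like OVAL 5 definitions
and results XML; the placeholder advisory 20159999 / CVE-0000-0000 is invented.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop the namespace prefix ElementTree keeps in tags."""
    return tag.rsplit('}', 1)[-1]


def load_definitions(defs_xml):
    """{definition id: {'class', 'title', 'cves'}} from OVAL definitions XML.

    Works on the results file too: oscap embeds a copy of <oval_definitions> in it.
    """
    defs = {}
    for elem in ET.fromstring(defs_xml).iter():
        if _local(elem.tag) != 'definition' or not elem.get('id'):
            continue
        title, cves = '', []
        for node in elem.iter():
            if _local(node.tag) == 'title':
                title = (node.text or '').strip()
            elif _local(node.tag) == 'reference' and node.get('source', '').upper() == 'CVE':
                cves.append(node.get('ref_id'))
        defs[elem.get('id')] = {'class': elem.get('class'), 'title': title, 'cves': cves}
    return defs


def load_results(results_xml):
    """{definition id: 'true'|'false'|'error'|...} from the <results> section."""
    return {e.get('definition_id'): e.get('result')
            for e in ET.fromstring(results_xml).iter()
            if _local(e.tag) == 'definition' and e.get('definition_id')}


def unpatched(defs, results):
    """Patch-class definitions that evaluated true, i.e. advisories still missing."""
    return [dict(id=d, **defs[d]) for d, r in sorted(results.items())
            if r == 'true' and defs.get(d, {}).get('class') == 'patch']


def remediation_command(finding):
    """yum invocation pulling the fix for each CVE (one --cve per id; assumed repeatable)."""
    return 'yum update ' + ' '.join('--cve=%s' % c for c in finding['cves'])


OVAL_DEFS = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<definitions>
 <definition id="oval:com.oracle.elsa:def:20151834" version="501" class="patch"><metadata>
  <title>ELSA-2015-1834: firefox security update (IMPORTANT)</title>
  <reference source="elsa" ref_id="ELSA-2015-1834"/>
  <reference source="CVE" ref_id="CVE-2015-4500"/>
  <reference source="CVE" ref_id="CVE-2015-4509"/>
  <reference source="CVE" ref_id="CVE-2015-4510"/>
 </metadata></definition>
 <definition id="oval:com.oracle.elsa:def:20159999" version="1" class="patch"><metadata>
  <title>ELSA-2015-9999: constructed placeholder advisory</title>
  <reference source="CVE" ref_id="CVE-0000-0000"/>
 </metadata></definition>
</definitions></oval_definitions>"""

OVAL_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
<results><system><definitions>
 <definition definition_id="oval:com.oracle.elsa:def:20151834" version="501" result="true"/>
 <definition definition_id="oval:com.oracle.elsa:def:20159999" version="1" result="false"/>
</definitions></system></results></oval_results>"""

if __name__ == '__main__':
    findings = unpatched(load_definitions(OVAL_DEFS), load_results(OVAL_RESULTS))
    for f in findings:
        print('%s  %s\n  CVEs: %s\n  fix: %s' % (f['id'], f['title'], ', '.join(f['cves']),
                                                remediation_command(f)))
```

On a real system, feed load_definitions the downloaded com.oracle.elsa-2015.xml and load_results the /tmp/`hostname`-oval-results.xml file written by oscap.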

Using Spacewalk to Run Compliance Checks

As the number of servers increases in a data center, Spacewalk (which is the upstream open source code for Red Hat Satellite and SUSE Manager) is often used to achieve more efficient Linux systems management. Oracle Linux Premier Support and Oracle Linux Basic Support contracts include support for Spacewalk implementations deployed with Oracle Database (more information about Spacewalk support can be found in the Spacewalk documentation).

Spacewalk helps to simplify management tasks and includes the ability to run OpenSCAP scans as well as applying security updates. As with other management tasks, before Spacewalk can execute an OpenSCAP audit, the Spacewalk client must be properly registered with the Spacewalk server. (A hands-on lab is available that can guide administrators who are new to Spacewalk through the process of setting up a Spacewalk server, and it contains the steps required to populate Spacewalk repositories and define software channels to which clients can subscribe. Refer to the Spacewalk 2.2 for Oracle Linux 6 Client Life Cycle Management Guide for more information.)

A significant advantage of Spacewalk is that it allows an administrator to manage a group of systems as a whole using the System Set Manager feature. In this way, an administrator can deploy packages to many systems, as well as run OpenSCAP scans against multiple systems, by scheduling a single Spacewalk operation.

To use Spacewalk to perform OpenSCAP audits, an administrator must first install the Spacewalk OpenSCAP package (spacewalk-oscap) and the OpenSCAP content packages (scap-security-guide) on the clients. Packages can be installed on clients using yum, but a more efficient way is to use Spacewalk's System Set Manager. Alternatively, packages can be added via Kickstart profiles or by associating them with particular activation keys so they are installed by default when systems are first configured.

In the Spacewalk server's web interface, select the clients to be scanned using the System Set Manager or the Systems tab. Then, for the targeted system or system set, select the Audit tab and the Schedule subtab. Complete the form shown in Figure 11 by entering command-line arguments and the path to the OpenSCAP content on the client. For an XCCDF evaluation of an Oracle Linux 6 system, the command-line arguments could be

--profile rht-ccp --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml

The path argument points to the OpenSCAP content on the client system, by default:

/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml


Figure 11. Scheduling an OpenSCAP scan from Spacewalk.

After the Spacewalk client picks up and executes the scheduled scan, the Spacewalk administrator can view results by selecting the Audit tab and clicking the scan. After resolving any configuration issues that the XCCDF scan detects, rerunning the scan is good practice. Spacewalk provides the ability to compare scans. Figure 12 shows how Spacewalk highlights the differences between the results of two scans.


Figure 12. Viewing the results of an OpenSCAP scan executed from Spacewalk.

At this time, Spacewalk supports only XCCDF scans (not OVAL scans) using the Spacewalk GUI and spacecmd interfaces. To run an OVAL scan, administrators can instead use Spacewalk's remote command capabilities, as shown in Figure 13.


Figure 13. Spacewalk's remote command capabilities can perform OVAL scans on remote clients.

Conclusion

OpenSCAP provides a standardized mechanism for evaluating security configurations and vulnerabilities. By installing OpenSCAP packages on Oracle Linux, administrators can use the provided OpenSCAP interpreter and security content to evaluate system configurations and make sure systems are locked down before they are deployed into production. In addition, by routinely conducting OVAL scans—using the OVAL definitions that are released and continuously updated by Oracle—administrators can determine if deployed systems are subject to known vulnerabilities.

Learn More

The Oracle Linux security page contains a number of useful links, including links to download the individual OVAL definitions as well as the consolidated OVAL definitions for each year (packaged as a bzip2 compressed archive). The site also includes links to HTML and PDF files for the Oracle Linux 6 Security Guide and Oracle Linux 7 Security Guide.

To learn more about running SCAP compliance checks using Spacewalk, see the Spacewalk 2.2 for Oracle Linux 6 Client Life Cycle Management Guide as well as the discussion about integrating the open source Spacewalk and OpenSCAP projects.

About the Author

Ginny Henningsen has worked for the last 18 years as a freelance writer developing technical collateral and documentation for high-tech companies. Prior to that, Ginny worked for Sun Microsystems, Inc. as a Systems Engineer in King of Prussia, PA and Milwaukee, WI. Ginny has a BA from Carnegie-Mellon University and an MSCS from Villanova University.

| Revision 1.0, 01/20/2016 |
