
Customizing SCAP Security Guide for your use-case

SCAP Security Guide is an open-source project that creates security policies for various platforms. The security policies in SCAP Security Guide usually implement the requirements of a standard (e.g. PCI-DSS or USGCB) strictly, but sometimes you need to adjust a policy to your company's needs. In this tutorial, we will show you how to customize the SCAP Security Guide using the SCAP Workbench tool. We will use SCAP Workbench 1.1.0 on Fedora 22 Workstation.

We will customize the Upstream STIG for Red Hat Enterprise Linux 6 Server security policy. This is only an example; the procedure for other policies is the same. We will go step by step through the most common use case. The Upstream STIG for Red Hat Enterprise Linux 6 Server security policy forbids the root user from logging in through SSH. If you need to remove this requirement from the security policy, you can easily do so with the SCAP Workbench. We will customize the security policy so that it does not require SSH root login to be disabled on the target system.

Customization is also sometimes called “tailoring”.

1. Run the SCAP Workbench

When installed, the SCAP Workbench can be run from the Activities Overview.


SCAP Workbench icon on Fedora Workstation.

2. Choose a variant for target system

The SCAP Security Guide was automatically installed when you installed the SCAP Workbench. The tool recognizes this and offers you the target platforms the policy is available for. In the dialog shown in the following screenshot, click on RHEL6 to choose the security guide for Red Hat Enterprise Linux 6.


Open SCAP Security Guide

3. Select a profile with desired policy

The main window of the SCAP Workbench has opened and loaded the Guide to the Secure Configuration of Red Hat Enterprise Linux 6. We now want to select the STIG profile. Click on the Profile combobox and then on Upstream STIG for RHEL6 server. If you want to customize a different policy, select a different profile in this step.


SCAP Workbench icon on Fedora Workstation.

4. Fork a profile

Click on the Customize button in the main window. This opens a new window where you can create a new profile, which will be a duplicate of the original profile. You have to set an ID for this new profile. This ID is what you will use in the future when using the customized profile with the OpenSCAP command-line utilities and/or various integration tools. The ID can’t be changed later using the SCAP Workbench. The ID has to have the format “xccdf_{reverse DNS}_profile_{rest of the ID}”, for example “xccdf_org.mycorporation_profile_server”. Fill in the profile ID and click on OK.


Create a new profile ID

5. Deselect the rule in the Customization dialog

A new window has appeared on your screen. This is the Customization dialog. You can see all rules from the RHEL6 security guide grouped in the form of a tree. Now find the rule “Disable SSH Root Login”.

Note: For faster searching, you can use the Search field above the rule tree. Type “Disable SSH Root Login” into the search field and click on the Search button. The rule will be highlighted.

You can select and deselect rules by clicking on the small checkbox next to the rule name. Click on the checkbox to the left of Disable SSH Root Login to deselect the rule.


The Customization dialog

7. Save your changes to a file

8. Finished!

You now have a customized security policy that doesn’t require SSH login to be disabled for the root user.

9. Using the customization file

To use your new customization file in the SCAP Workbench, select Open Customization File from the File menu in the main window of the SCAP Workbench and open your customization file from your hard drive. The customization is applied at once. To use your new customization file with the oscap command-line tool, use the following option:

--tailoring-file TAILORING_FILE
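Before passing a customization file to oscap, it is worth confirming exactly which rules it removes from the policy. The Python script below is an added example, not part of the original tutorial or of OpenSCAP; it reads an XCCDF 1.2 tailoring document, checks the profile ID against the format from step 4, and lists the rules the profile deselects. The sample file content is constructed, and its benchmark path, "extends" value and rule idref are assumptions.

```python
import re
import xml.etree.ElementTree as ET

XCCDF12 = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF12}
# Profile ID shape from step 4: xccdf_{reverse DNS}_profile_{rest of the ID}
PROFILE_ID = re.compile(r"^xccdf_[^_]+_profile_.+$")

# Constructed sample of a customization (tailoring) file. The tailoring id,
# benchmark href, "extends" value and rule idref are illustrative assumptions.
SAMPLE = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="ssg-rhel6-xccdf.xml"/>
  <xccdf:version time="2015-01-01T00:00:00">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.mycorporation_profile_server"
                 extends="stig-rhel6-server-upstream">
    <xccdf:title>Upstream STIG for RHEL 6 Server [CUSTOMIZED]</xccdf:title>
    <xccdf:select idref="sshd_disable_root_login" selected="false"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""

def review_tailoring(xml_text):
    """Return one report dict per profile found in a tailoring document."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Tailoring" % XCCDF12:
        raise ValueError("not an XCCDF 1.2 tailoring document")
    reports = []
    for profile in root.findall("x:Profile", NS):
        pid = profile.get("id", "")
        selects = profile.findall("x:select", NS)
        by_state = lambda state: sorted(
            s.get("idref", "") for s in selects if s.get("selected") == state)
        reports.append({
            "profile_id": pid,
            "id_ok": bool(PROFILE_ID.match(pid)),  # format check only
            "extends": profile.get("extends"),     # profile that was forked
            "deselected": by_state("false"),       # rules dropped from policy
            "selected": by_state("true"),          # rules added to policy
        })
    return reports

if __name__ == "__main__":
    for r in review_tailoring(SAMPLE):
        print(r["profile_id"], "| valid id:", r["id_ok"], "| extends:", r["extends"])
        for rule in r["deselected"]:
            print("  rule removed from policy:", rule)
```

Every entry under "deselected" is a requirement the customized profile no longer checks, so the list is what a reviewer should sign off on before the file is used for scans.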

For more information about customization, you can visit our Customization page. For more information about the SCAP Workbench, you can see the SCAP Workbench User Manual.