This tutorial will walk you through the evaluation of a remote machine for the United States Government Configuration Baseline (USGCB) content using the SCAP Workbench tool. We will use a machine with RHEL7.1 Workstation installed on to scan a remote RHEL6.6 Server. Our remote server has IP address 192.168.122.31. To evaluate a machine you need two things:
As a scanner we will use the SCAP Workbench which is a GUI for our oscap command-line tool. The USGCB SCAP security policy can be acquired from the SCAP Security Guide which is one the OpenSCAP projects and can be installed from scap-security-guide package. This project is also often called SSG.
First we need to install the SCAP Workbench and the SSG. You can build both packages from source or you can install them using the YUM.
$ sudo yum install scap-workbench scap-security-guide
After you have installed the SCAP Workbench successfully you can open it using a terminal, the binary is called scap-workbench, or you can find it under: Applications -> System Tools -> SCAP Workbench
Run the SCAP Workbench.
The SCAP Workbench will ask to open a content. If you have installed the SSG then it should point you to /usr/share/xml/scap/ directory and then in the ssg/content directory you can find provided contents. We want to scan RHEL6 Server so we will choose the ssg-rhel6-ds.xml. The file represents the SCAP security policy for RHEL6 providing various profiles including the USGCB in source datastream format.
Choose security policy for RHEL7.
Once you have selected the SCAP security policy you can use Profile combobox to choose the United States Government Configuration Baseline profile.
If you want to make slight alterations to the USGCB profile like discard an undesirable rule that makes no sense on your server machine you can use the Customize button. The Customize action will create a new profile and you will be presented with a dialog that lets you choose an ID for that new profile. Choose the ID wisely, you may need it later.
Select the USGCB profile.
In the example case, we do not care about making sure that /tmp and /var are located on a separated partitions and we do not want the rules failing for our configuration. Let us expand the tree until we find the offending rules and discard them both.
After desired customization changes are done, click Confirm changes to get back to the previous GUI. To undo all of the changes to the profile, click Discard. If you want to delete the profile from tailoring, click Delete profile.
Discard the rules.
If you want to save your customized content for the future use you can do it in three different ways:
Click File → Save Customization Only and choose the destination file. The SCAP Workbench saves just the customization which you can use with the content you opened.
Select File → Save All and choose Into a directory. After selecting the destination directory the SCAP Workbench exports both input content and a tailoring file there.
Select File → Save All and choose As RPM. A dialog will pop-up asking for details regarding the RPM that will be generated. Choose the desired name of the package and leave the other fields at their default settings and confirm the dialog. Another dialog opens, this time asking for destination directory where the SCAP Workbench will create the RPM.
The resulting RPM contains both the input content and the tailoring file. It will not contain any evaluation result files (HTML report, ARF, XCCDF results).
If you wish to sign the resulting RPM, make sure you have rpm-sign installed, the /usr/bin/rpmsign binary available and GPG as well as related rpmmacros setup. Then execute:
$ rpm --addsign my-content-1.1.noarch.rpm
The resulting package is signed and ready to use, provided that your desired system management tool accepts the key you used.
For more information please have a look at the How to sign your custom RPM package with GPG Key article.
Save customized security policy.
If you are more interested in customizing SCAP security policies please have a look at the Customizing SCAP Security Guide for your use-case tutorial.
To scan our remote RHEL6 server machine, select Remote Machine (over SSH) in the Target combobox. A pair of input boxes will appear. Input the desired username and hostname and select the port. Username and hostname should be put into the first edit box in the format commonly accepted by ssh which is username@hostname. Make sure the machine is reachable, the selected user can log in over SSH, and has sufficient privileges to evaluate the machine.
Set the IP address of the remote server.
Everything is set up so we can start the evaluation now. Click the Scan button to proceed. The SCAP Workbench never processes your SSH password in any way. Instead an ssh process is spawned which itself spawns the ssh-askpass program which asks for the password.
The application now starts the oscap tool on the remote server and waits for it to finish, reporting partial results along the way in the rule result list. Keep in mind that the tool cannot guess how long processing of any particular rule will take. Only the number of rules that have been processed and the number that remain are used to estimate progress. Please be patient and wait for oscap to finish evaluation.
You can cancel the scan at any point by clicking the Cancel button. Canceling will only give you partial results in the evaluation progress list, you cannot get HTML report, XCCDF results or ARF if you cancel evaluation!
After you press the Scan button, all the previous options will be disabled and greyed-out. You cannot change them until you press the Clear button which will clear all results.
Evaluation in progress.
After evaluation finishes, you should see new buttons: Clear, Save Results and Show Report. Pressing the Show Report button will open the HTML report of the evaluation in your internet browser. SCAP Workbench will open the report in the default web browser set in your desktop environment. Make sure you have a browser installed. Your evaluation results can be saved in several formats:
View human readable results.
Machine readable file with just the results, not suitable for manual processing. Requires a special tool that can parse the format.
Also called result datastream. Packs input content, asset information and results into a single machine readable file, not suitable for manual processing. Requires a special tool that can parse the format.
If you are unsure which format to choose for archiving results, XCCDF Result is commonly supported and HTML reports can be generated from it with the oscap tool. The ARF file is the only format that contains everything the evaluation has generated. On top of XCCDF results, it contains OVAL results, SCE results (if any), asset identification data. If you want to keep all of the generated data, choose ARF when archiving. However, ARF files are not as well supported by SCAP toolchains as XCCDF result files are. XCCDF result files can be generated from ARF files, this operation is called ARF splitting.
Detail of a specific rule.