SCAP Security Guide is an open-source project that creates security policies for various platforms. The security policies in SCAP Security Guide usually implement the requirements of some standard (e.g. PCI-DSS or USGCB) quite strictly, but sometimes you need to adjust a policy to your company's needs.
In this tutorial, we will show you how to customize the SCAP Security Guide using the SCAP Workbench tool.
We will use SCAP Workbench 1.1.0 on Fedora 22 Workstation and customize the Upstream STIG for Red Hat Enterprise Linux 6 Server security policy. This is only an example; the procedure is the same for other policies.
We will show you, step by step, the most common use case. The Upstream STIG for Red Hat Enterprise Linux 6 Server security policy forbids the root user from logging in through SSH. If you need to drop this requirement from the security policy, you can do it easily with SCAP Workbench.
We will customize the security policy so that it no longer requires SSH root login to be disabled on the target system.

Customization is also sometimes called “tailoring”.
When installed, the SCAP Workbench can be run from the Activities Overview.

SCAP Workbench icon on Fedora Workstation.
The SCAP Security Guide was installed automatically together with SCAP Workbench. The tool recognizes this and offers you the platforms for which it ships policy. On the following screenshot, click on RHEL6 to choose the security guide for Red Hat Enterprise Linux 6.

Open SCAP Security Guide
The main window of SCAP Workbench opens with Guide to the Secure Configuration of Red Hat Enterprise Linux 6 loaded. Now select the STIG profile: click on the Profile combobox and then on Upstream STIG for RHEL6 server. If you want to customize a different policy, select a different profile in this step.

Selecting the Upstream STIG for RHEL6 server profile in the main window.
Click on the Customize button in the main window. A new window opens where you can create a new profile.
The new profile is a duplicate of the original profile. You have to set an ID for it. This ID is what you will use later to refer to the customized profile from the OpenSCAP command-line utilities and various integration tools; it cannot be changed later in SCAP Workbench. The ID has to have the format "xccdf_{reverse DNS}_profile_{rest of the ID}", for example "xccdf_org.mycorporation_profile_server".
Fill in the profile ID and click on OK.

Create a new profile ID
A new window appears on your screen: the Customization dialog. It shows all rules from the RHEL6 security guide grouped in a tree.
Now find the rule "Disable SSH Root Login".
For faster searching, you can use the Search field above the rule tree. Type "Disable SSH Root Login" into the search field and click on the Search button; the rule will be highlighted.
You can select and deselect rules by clicking the small checkbox next to the rule name. Click on the checkbox to the left of Disable SSH Root Login to deselect the rule.

The Customization dialog
Click on File → Save customization only. This creates a small file that contains only the changes against the original profile. It is called a customization file or sometimes a tailoring file. Saving only the differences from the original security policy, instead of editing the original policy, is a good idea: when SCAP Security Guide is updated you don't have to redo the customization, you just apply your customization file to the new version.
Here is an example of a customization file. It contains only one profile, which extends an external profile and differs from it only by deselecting one rule.
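The following shell script is an added example and not content from this tutorial or from the SCAP Security Guide project. It writes a customization file of the same shape SCAP Workbench saves with "Save customization only" (generalized to deselect one or more rules), lists the rules a given tailoring file switches off so it can be reviewed, and wraps the oscap invocation that consumes the file. The benchmark path, the STIG profile ID and the rule ID are assumptions: check the profile ID with `oscap info` on your installed ssg-rhel6-xccdf.xml and the rule ID in that XCCDF file before relying on them.

```shell
#!/bin/sh
# Added example, not code from the tutorial or from SCAP Security Guide.
# Builds the kind of XCCDF 1.2 Tailoring file SCAP Workbench saves with
# "Save customization only", lets you review it, and applies it with oscap.

# Assumed identifiers: verify the benchmark path and profile ID with
# `oscap info "$SSG_XCCDF"` and the rule ID in that XCCDF file before use.
SSG_XCCDF=/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
BASE_PROFILE=xccdf_org.ssgproject.content_profile_stig-rhel6-server-upstream
NEW_PROFILE=xccdf_org.mycorporation_profile_server
RULE=xccdf_org.ssgproject.content_rule_sshd_disable_root_login

# write_tailoring FILE RULE...: write a Tailoring whose single profile
# extends BASE_PROFILE and deselects each RULE. Everything else is inherited
# from the SSG profile, which is why the file survives an SSG update.
write_tailoring() {
  file=$1
  shift
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"\n'
    printf '                 id="xccdf_org.mycorporation_tailoring_server">\n'
    printf '  <xccdf:benchmark href="%s"/>\n' "$SSG_XCCDF"
    printf '  <xccdf:version time="%s">1</xccdf:version>\n' "$(date -u +%Y-%m-%dT%H:%M:%S)"
    printf '  <xccdf:Profile id="%s" extends="%s">\n' "$NEW_PROFILE" "$BASE_PROFILE"
    printf '    <xccdf:title override="true">Upstream STIG for RHEL 6 Server (customized)</xccdf:title>\n'
    for rule in "$@"; do
      printf '    <xccdf:select idref="%s" selected="false"/>\n' "$rule"
    done
    printf '  </xccdf:Profile>\n'
    printf '</xccdf:Tailoring>\n'
  } > "$file"
}

# deselected_rules FILE: print the rule IDs a tailoring file switches off,
# one per line, so a customization can be reviewed before it goes into a scan.
deselected_rules() {
  grep -o '<xccdf:select[^>]*selected="false"[^>]*>' "$1" \
    | sed -n 's/.*idref="\([^"]*\)".*/\1/p'
}

# evaluate FILE: scan this host with the tailored profile. The ID passed to
# --profile is the new one from the tailoring, not the SSG profile it extends.
evaluate() {
  oscap xccdf eval --tailoring-file "$1" --profile "$NEW_PROFILE" \
    --results results.xml --report report.html "$SSG_XCCDF"
}

# Typical use (left as a comment so the file can also be sourced):
#   write_tailoring tailoring.xml "$RULE"
#   deselected_rules tailoring.xml
#   evaluate tailoring.xml
```

Reviewing the output of `deselected_rules` before a scan is worth the habit: a tailoring that silently drops more rules than intended produces a clean-looking report that no longer means what the original STIG profile means.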
You can also save all content into a directory. For this, select File → Save All → Into a directory. After you select the destination directory, SCAP Workbench exports both the input content and the customization file there.
You now have a customized security policy that no longer requires SSH login for the root user to be disabled. The original STIG profile in the SCAP Security Guide content is untouched; the rule is only deselected in your new profile.
To use your new customization file in SCAP Workbench, select Open Customization File from the File menu in the main window and open the file from your disk. The customization is applied immediately.
To use your new customization file with the oscap command-line tool, pass it with the following option and select your new profile ID with --profile:
--tailoring-file TAILORING_FILE
For more information about customization, see our Customization page.
For more information about SCAP Workbench, see the SCAP Workbench User Manual.