SCAP and Remediation

Posted: September 8, 2013 in Security
Tags: ,

Chances are if you are a security conscious server administrator that you have had to endure the hardship of locking down a server.  A lot of times the lockdown process consists of following a checklist and completing several hours of configuration changes, scans and more configuration changes.  You have probably also noticed that even with a detailed checklist, scans often reveal that no two server are configured in the same manner.  Fortunately, the work being done on the Security Configuration Automation Protocol (SCAP) and the SCAP Security Guide (SSG) is going to make your life easier.

The National Institute of Standards and Technology (NIST) is spearheading the use of SCAP and says it is “a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality.”

In this post I am going to demonstrate how to install and use the OpenSCAP scanner along with content from the SCAP Security Guide (SSG) website to scan and secure a Red Hat Enterprise Linux 6 server.  If you decide to try this, do it on a test server since the configuration changes could affect your ability to access the server.

Getting OpenSCAP and SSG Content

To configure the server to use OpenSCAP and content from the SSG project, we first have to install a new package repo on the server.  The below commands outline to steps needed to accomplish this.

 [ted@rhel64-scap ~]$ wget
 --2013-09-08 20:50:53--
 Resolving, 2610:28:3090:3001:5054:ff:fedb:7f5a
 Connecting to||:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 449 [text/plain]
 Saving to: “epel-6-scap-security-guide.repo”
 100%[======================================>] 449 --.-K/s in 0s
 2013-09-08 20:50:54 (46.4 MB/s) - “epel-6-scap-security-guide.repo” saved [449/449]

Once the repo file is downloaded, copy it to /etc/yum.repos.d

 [ted@rhel64-scap ~]$ sudo cp epel-6-scap-security-guide.repo /etc/yum.repos.d/

Then install the scap-security-guide package.

 [ted@rhel64-scap ~]$ sudo yum install scap-security-guide

A number of packages are installed including some dependencies for the scap-security-guide and the OpenSCAP program and utilities.  If we look at the files included in the scap-security-guide package we will see that the yum transaction installed the following:

 [ted@rhel64-scap ~]$ rpm -ql scap-security-guide

We will be concentrating solely on the RHEL6 content, but as you can see, the SSG project provides content for securing a JBoss EAP server as well.  The files that were installed were put into several sub directories of /usr/share/xml/scap and each with it’s own purpose.

  • /usr/share/xml/scap/ssg/content – contains SCAP content files
  • /usr/share/xml/scap/ssg/guide – HTML versions of the SCAP Security Guide profiles
  • /usr/share/xml/scap/ssg/policytables – HTML tables of policies that the different profile adhere to

As you may have noticed, there are a few different XML files in the /usr/share/xml/scap/ssg/content directory that are used by SCAP.  Based on the naming convention, these file serve the following purposes:

  • XCCDF (eXtensible Configuration Checklist Description Format) – These files contain the security configuration rules for a given target system type.  The format can be used to automate the generation of security checklists and benchmarks through the exchange of information.
  • CPE (Common Platform Enumeration) Dictionary – The CPE dictionary provides a repository for names and metadata associated with IT equipment.
  • OVAL (Open Vulnerability and Assessment Language) – An internationally accepted standard of transferring security content information in a common format to a wide array of information security tools and services.
  • CPE-OVAL – Definitions for OVAL content

Exploring the XCCDF File

The first thing that we will do is take a closer look at the XCCDF file.  This file consists of configuration setting and rules that are tested during the SCAP scan.  The rules and settings can be grouped into profiles so that the rules are customized based on the system being scanned.  For example, a workstation installation would have different rules that it must meet than a server installation.  To list all of the profiles contained in the file:

[ted@rhel64-scap ~]$ grep -n "<Profile" /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
40: <Profile id="rht-ccp">
157: <Profile id="test">
184: <Profile id="common">
399: <Profile id="desktop">
638: <Profile id="server">
857: <Profile id="ftp">
1082: <Profile id="stig-rhel6-server">

Profiles can be extended to build on top of tests performed by other profiles.  If you ever see “extends” after a profile name with the name of another profile (i.e. extends “common”) that profile would use all of the tests and configurations from the “common” profile and also include the tests from it’s own profile.  This is an easy way to maintain several different profiles that have a common set of configurations between them.

If we go into the XCCDF file and look at one of the profiles, such as the stig-rhel6-server from above, we can see some of the rules that it will run tests against.

<Profile id="stig-rhel6-server">
xml:lang="en-US">Common Profile for General-Purpose SystemsPre-release Draft STIG for RHEL 6 Server
xmlns:xhtml="" xml:lang="en-US">This profile contains items common to general-purpose desktop and server installations.This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.
<select idref="partition_for_tmp" selected="true"/>
<select idref="partition_for_var" selected="true"/>
<select idref="partition_for_var_log" selected="true"/>
<select idref="partition_for_var_log_audit" selected="true"/>
<select idref="partition_for_home" selected="true"/>
<select idref="ensure_redhat_gpgkey_installed" selected="true"/>
<select idref="service_rhnsd_disabled" selected="true"/>
<select idref="security_patches_up_to_date" selected="true"/>
<select idref="ensure_gpgcheck_globally_activated" selected="true"/>
<select idref="ensure_gpgcheck_never_disabled" selected="true"/>
<select idref="package_aide_installed" selected="true"/>

The settings for the profile that we are going to use can be changed by editing the XCCDF File.  This allows flexibility to meet the unique security needs that you or your organization may require.  For example, if you do not need to install the AIDE intrusion detection system, you would change the selected attribute to “false” for select tag (or rule) that contains the idref attribute of “package_aide_installed”.

Generating a Checklist

The SSG project provides a default HTML checklist file for our RHEL 6 server created at /usr/share/xml/scap/ssg/guide/rhel6-guide.html that can be loaded into Firefox by using drag-and-drop or on the command line.  Once loaded, the guide will look like the below image.

ssg-guideIf there is ever a need to re-create the guide, or create a guide for a particular profile, you can use the OpenSCAP command, oscap, to do so.  In the following example, I create a guide for the stig-rhel6-server profile contained in the XCCDF file that we examined earlier.  I have to pass the profile to use from the XCCDF file as well as the file to output the guide to.  The final piece of information in the command is the XCCDF file to use.

 [ted@rhel64-scap ~]$ oscap xccdf generate guide --profile stig-rhel6-server --output stig-guide.html /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

It’s worth taking a look over the file and examining the contents of it.  There are several sections including the rule selection for the profile and references for each rule that will be evaluated.

Running a Scan

Running a scan using OpenSCAP is just a bit more difficult than generating a security guide.  When a scan is run, you can specify where to output the XML-based results as well as were to output an HTML based report.  Providing the CPE dictionary aand the XCCDF file are mandatory for this command.  The command should look like this to run properly:

[ted@rhel64-scap ~]$ oscap xccdf eval --profile stig-rhel6-server --results `hostname`-ssg-results.xml --report `hostname`-ssg-results.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

While the command is running, you will see output similar to this on your screen:

Title   Install AIDE
Rule    package_aide_installed
Ident   CCE-27024-9
Result  fail

Title   Configure Periodic Execution of AIDE
Rule    aide_periodic_cron_checking
Ident   CCE-27222-9
Result  notchecked

Title   Verify File Permissions with RPM
Rule    rpm_verify_permissions
Ident   CCE-26731-0
Result  fail

Title   Verify File Hashes with RPM
Rule    rpm_verify_hashes
Ident   CCE-27223-7
Result  pass

Notice the Ident field and how it references a CCE number.  Those numbers map to configuration items that are maintained by NIST.  The This text is the same information that is going to populate the results and report files that we specified on the command line.

Once the command is done running, you can view the report file in Firefox.  As you can see in the screenshot below, on my default install of RHEL 6, I satisfy slightly less than 50% of the tests required by the stig-rhel6-server profile.


It is important to mention that rules have inheritance built in so the results may show many more “not checked” results than expected.  The reason for this is if a check has already failed, for example yum not being configured for GPG key checking, then OpenSCAP will not try to determine if packages are installed properly since the tool to install packages is considered not to be configured properly.

Generating “Fix” Content

Now that we have scanned the server and have generated and had oscap output the results of the scan into an XML file, it is time to transform the XML file into a script that we can use to remediate the problems with the server.

Looking at the XML file we may notice see lines similar to the below XML code.

<rule-result idref="ensure_gpgcheck_globally_activated" time="2013-09-09T01:56:26" severity="high" weight="1.000000">
<ident system="">CCE-26709-6
<check system="">
ssg:def:606" href="ssg-rhel6-oval.xml"/>
<rule-result idref="package_aide_installed" time="2013-09-09T01:56:26" severity="medium" weight="1.000000">
<ident system="">CCE-27024-9
xmlns:xhtml="" system="urn:xccdf:fix:script:sh">yum -y install aide
<check system="">
ssg:def:1091" href="ssg-rhel6-oval.xml"/>

The first result shows that yum is properly configured to use GPG key checks.  The second  result is a fail due to aide not being installed.  Notice that for failed rules, a “fix” is provided.  We will now transform this XML file into a script that can be used to fix the failed tests.

[ted@rhel64-scap ~]$ oscap xccdf generate fix --result-id rhel64-scap.brunell.lab-ssg-results.xml >

The result-id field can be found on the top line of the report that was previously generated.  It is possible to manually determine the result id, which is part of the specification for SCAP, by prepending “” to the name of the profile that was used to scan the server.

Opening the file in your favorite editor will allow you to inspect the proposed changes to a system.

[ted@rhel64-scap ~]$ vi
# OpenSCAP fix generator output for benchmark: Guide to the Secure Configuration of Red Hat Enterprise Linux 6

# Generating fixes for all failed rules in test result ''.

# XCCDF rule: package_aide_installed
# CCE-27024-9
yum -y install aide

# XCCDF rule: package_screen_installed
# CCE-26940-7
yum -y install screen

I ran the resulting script after changing the permissions on it and then scanned the server again.  The results of this scan can be seen below.

ssg-report-fixedThe results are a little better since I now have an over 50% pass rate.  The remaining issues either cannot be fixed easily (like partition issues) or there is not “fix” content available yet.  Either way, automating my scans and remediation can save a lot of time setting up a secure server.

There are systems that can help automate the process further and provide a central way of reporting results including integration with Red Hat Satellite Server and it’s associated upstream project named Spacewalk.

I would like to thank @ShawnDWells for his tireless work on the SSG project and getting me interested in blogging on this topic.

  1. basis points says:

    Wow that was strange. I just wrote an very long comment but after I clicked submit my comment didn’t appear.

    Grrrr… well I’m not writing all that over again. Anyway, just wanted to say great blog!

  2. Mike Carlson says:

    I found this blog post helpful, but want to point out that the ‘generate fix’ section is a bit outdated now – section 2.4.3 under provides newer parameters, which worked for me on an Oracle Enterprise Linux 6.10 system without issue.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s