Scanning and Remediating Red Hat Enterprise Linux with the SCAP Security Guide (SSG) and the DoD STIG

Posted: March 25, 2018 in Cool Projects, Security, Software

It is easier today than ever before to maintain the security posture of your servers thanks to the SCAP Security Guide, an open source project creating and providing SCAP security policies (such as PCI-DSS, STIG and USGCB) for various platforms – namely Red Hat Enterprise Linux 6 and 7, Fedora, Firefox, and others.

In this post, I will show how the SCAP Security Guide can be used to automate the application of a security policy on Red Hat Enterprise Linux (RHEL), and how the result can then be validated with the official DoD STIG content that the Defense Information Systems Agency (DISA) publishes.

To ensure ease of use, the SCAP Security Guide developers work to keep the content that they provide with RHEL in close synchronization with the DoD SCAP content. They also provide automation content to remediate systems automatically. The DoD SCAP content does not currently provide the ability to automatically remediate configuration issues, which is why this post scans with the DoD content but remediates with the SCAP Security Guide.

Resolution

To complete the scanning and automated remediation of your Red Hat Enterprise Linux (RHEL) Server, follow the below steps:

Configure the RHEL Server for Scanning

  • Ensure that openscap-utils and the scap-security-guide packages have been installed on your system.

# yum install openscap-utils scap-security-guide

Download the DoD SCAP Content

  • Obtain the latest version of the RHEL 7 STIG SCAP benchmark from the Defense Information Systems Agency (DISA) Information Assurance Support Environment (IASE) SCAP Content page. At the time of this writing, the available version for RHEL 7 was version 1, release 2.
  • Unzip the archive. There should be one file present named similarly to “U_Red_Hat_Enterprise_Linux_7_V1R2_STIG_SCAP_1-2_Benchmark.xml”. Move the extracted file to the same directory as the SCAP Security Guide content.

# mv U_Red_Hat_Enterprise_Linux_7_V1R2_STIG_SCAP_1-2_Benchmark.xml /usr/share/xml/scap/ssg/content/

Scan the System

  • Get a list of the profiles available in the DoD content using the OpenSCAP command (oscap).

# oscap info /usr/share/xml/scap/ssg/content/U_Red_Hat_Enterprise_Linux_7_V1R1_STIG_SCAP_1-2_Benchmark.xml
Document type: Source Data Stream
Imported: 2017-11-15T15:00:15

Stream: scap_mil.disa.stig_datastream_U_Red_Hat_Enterprise_Linux_7_V1R1_STIG_SCAP_1-2_Benchmark
Generated: 2017-11-15T15:00:14
Version: 1.2
Checklists:
Ref-Id: scap_mil.disa.stig_cref_U_Red_Hat_Enterprise_Linux_7_V1R1_STIG_SCAP_1-2_Benchmark-xccdf.xml
Status: accepted
Generated: 2017-12-01
Resolved: false
Profiles:
xccdf_mil.disa.stig_profile_MAC-1_Classified
xccdf_mil.disa.stig_profile_MAC-1_Public
xccdf_mil.disa.stig_profile_MAC-1_Sensitive
xccdf_mil.disa.stig_profile_MAC-2_Classified
xccdf_mil.disa.stig_profile_MAC-2_Public
xccdf_mil.disa.stig_profile_MAC-2_Sensitive
xccdf_mil.disa.stig_profile_MAC-3_Classified
xccdf_mil.disa.stig_profile_MAC-3_Public
xccdf_mil.disa.stig_profile_MAC-3_Sensitive
xccdf_mil.disa.stig_profile_CAT_I_Only
Referenced check files:
U_Red_Hat_Enterprise_Linux_7_V1R1_STIG_SCAP_1-2_Benchmark-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5

  • Scan the system using the appropriate profile. In this example, the “xccdf_mil.disa.stig_profile_MAC-1_Public” profile is used, and a report named “DoD_STIG_scan-pre-remediation.html” is generated.

# oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-1_Public --results DoD_STIG_scan-pre-remediation.xml --report DoD_STIG_scan-pre-remediation.html /usr/share/xml/scap/ssg/content/U_Red_Hat_Enterprise_Linux_7_V1R1_STIG_SCAP_1-2_Benchmark.xml

  • Review the state of the system before remediation takes place.

Remediate the system

  • After the review is complete, get a list of profiles available in the SCAP Security Guide content.

# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Document type: XCCDF Checklist
Checklist version: 1.1
Imported: 2017-09-19T06:40:38
Status: draft
Generated: 2017-09-19
Resolved: true
Profiles:
standard
pci-dss
C2S
rht-ccp
common
stig-rhel7-disa
stig-rhevh-upstream
ospp-rhel7
cjis-rhel7-server
docker-host
nist-800-171-cui
Referenced check files:
ssg-rhel7-oval.xml
system: http://oval.mitre.org/XMLSchema/oval-definitions-5
ssg-rhel7-ocil.xml
system: http://scap.nist.gov/schema/ocil/2
https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2
system: http://oval.mitre.org/XMLSchema/oval-definitions-5

  • Run oscap again using the SCAP Security Guide content and the --remediate option to bring the server into compliance with the chosen security policy. No report is generated this time, since the DoD SCAP content will be used to validate the server’s configuration settings.

# oscap xccdf eval --remediate --profile stig-rhel7-disa --results scan-sccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

  • Scan the system one last time using the same DoD profile as before. In this example, the “xccdf_mil.disa.stig_profile_MAC-1_Public” profile is used, and a report named “DoD_STIG_scan-post-remediation.html” is generated.

# oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-1_Public --results DoD_STIG_scan-post-remediation.xml --report DoD_STIG_scan-post-remediation.html /usr/share/xml/scap/ssg/content/U_Red_Hat_Enterprise_Linux_7_V1R1_STIG_SCAP_1-2_Benchmark.xml

  • After the scan completes, review the report file to determine if any manual intervention is required to bring the system 100% into compliance.

There are several other ways in which OpenSCAP can be used in conjunction with the SCAP Security Guide and the DoD SCAP content. One such way is to check for configuration drift after maintenance actions have been completed. If any issues are found when scanning with the DoD SCAP content, the SCAP Security Guide can be used to bring the system into compliance in a consistent manner across the data center.
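The scan, remediate and re-scan steps above produce two XCCDF results files, and comparing them rule by rule (the same comparison also serves the drift check just mentioned) shows exactly which STIG rules the SSG remediation fixed and which still need manual work. The script below is an added example, not code from the original post or from the OpenSCAP project; it uses the content paths and profile names from the post, shortens the output file names, and includes constructed sample result files so the comparison can be tried without running oscap.

```shell
# Added example, not from the original post: run the scan / remediate / re-scan
# steps above, then compare the two DoD STIG result files rule by rule.
# Content paths and profile names are the ones used in the post.
CONTENT=/usr/share/xml/scap/ssg/content
DOD_DS="$CONTENT/U_Red_Hat_Enterprise_Linux_7_V1R1_STIG_SCAP_1-2_Benchmark.xml"
SSG_DS="$CONTENT/ssg-rhel7-ds.xml"
DOD_PROFILE=xccdf_mil.disa.stig_profile_MAC-1_Public
# Print "rule-id result" for each <rule-result> in an XCCDF results file. oscap
# puts <result> on its own line under <rule-result ...>, so remember the last
# rule-result idref seen and emit it when the result element appears.
rule_results() {
    awk 'match($0, /<rule-result[^>]*idref="[^"]+"/) {
              s = substr($0, RSTART, RLENGTH); match(s, /idref="[^"]+"/)
              id = substr(s, RSTART + 7, RLENGTH - 8) }
         match($0, /<result>[a-z]+<\/result>/) {
              print id, substr($0, RSTART + 8, RLENGTH - 17) }' "$1"
}
# Number of rules with a given result (pass, fail, notapplicable, ...).
count_results() {
    rule_results "$1" | awk -v want="$2" '$2 == want { n++ } END { print n + 0 }'
}
# Rules whose result changed between two scans, as "rule-id before -> after";
# run against two post-remediation scans it doubles as a configuration-drift check.
changed_rules() {
    { rule_results "$1" | sed 's/^/A /'; rule_results "$2" | sed 's/^/B /'; } |
        awk '$1 == "A" { pre[$2] = $3; next }
             ($2 in pre) && pre[$2] != $3 { print $2, pre[$2], "->", $3 }'
}
# The procedure from the post: DoD scan, SSG remediation, DoD re-scan, then diff.
run_workflow() {
    oscap xccdf eval --profile "$DOD_PROFILE" --results pre.xml --report pre.html "$DOD_DS"
    oscap xccdf eval --remediate --profile stig-rhel7-disa --results ssg-remediation.xml "$SSG_DS"
    oscap xccdf eval --profile "$DOD_PROFILE" --results post.xml --report post.html "$DOD_DS"
    changed_rules pre.xml post.xml
}
# Constructed sample result files (not real scan output) so the comparison can be
# exercised without oscap; written into the directory given as $1.
write_samples() {
    cat > "$1/pre.xml" <<'EOF'
<rule-result idref="xccdf_mil.disa.stig_rule_SV-1_rule"><result>fail</result></rule-result>
<rule-result idref="xccdf_mil.disa.stig_rule_SV-2_rule"><result>fail</result></rule-result>
EOF
    cat > "$1/post.xml" <<'EOF'
<rule-result idref="xccdf_mil.disa.stig_rule_SV-1_rule"><result>pass</result></rule-result>
<rule-result idref="xccdf_mil.disa.stig_rule_SV-2_rule"><result>fail</result></rule-result>
EOF
}
```

On a real server, source the file and call run_workflow as root; the list it prints at the end is the set of STIG rules whose state the remediation changed, and anything still reporting fail is the manual work item from the last step.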
