8.3. Configuration Compliance Scanning
8.3.1. Configuration Compliance in RHEL 7
You can use configuration compliance scanning to conform to a baseline defined by a specific organization. For example, if you work with the US government, you might have to comply with the Operating System Protection Profile (OSPP), and if you are a payment processor, you might have to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS). You can also perform configuration compliance scanning to harden your system security.
Red Hat recommends you follow the Security Content Automation Protocol (SCAP) content provided in the SCAP Security Guide package because it is in line with Red Hat best practices for affected components.
The SCAP Security Guide package provides content which conforms to the SCAP 1.2 and SCAP 1.3 standards. The openscap scanner utility is compatible with both SCAP 1.2 and SCAP 1.3 content provided in the SCAP Security Guide package.
Important
Performing a configuration compliance scan does not guarantee that the system is compliant.
The SCAP Security Guide suite provides profiles for several platforms in the form of data stream documents. A data stream is a file that contains definitions, benchmarks, profiles, and individual rules. Each rule specifies the applicability and requirements for compliance. RHEL 7 provides several profiles for compliance with security policies. In addition to the industry-standard content, Red Hat data streams also contain information for remediation of failed rules.
Structure of Compliance Scanning Resources
Data stream
├── xccdf
|    ├── benchmark
|        ├── profile
|        ├── rule
|            ├── xccdf
|                 ├── oval reference
├── oval
├── ocil reference
├── ocil
├── cpe reference
└── cpe
└── remediation
A profile is a set of rules based on a security policy, such as Operating System Protection Profile (OSPP) or Payment Card Industry Data Security Standard (PCI-DSS). This enables you to audit the system in an automated way for compliance with security standards.
You can modify (tailor) a profile to customize certain rules, for example, password length. For more information on profile tailoring, see Section 8.7.2, “Customizing a Security Profile with SCAP Workbench”.
Note
To scan containers or container images for configuration compliance, see Section 8.9, “Scanning Containers and Container Images for Vulnerabilities”.
8.3.2. Possible results of an OpenSCAP scan
Depending on various properties of your system and the data stream and profile applied to an OpenSCAP scan, each rule may produce a specific result. This is a list of possible results with brief explanations of what they mean.
Result | Explanation |
---|---|
Pass | The scan did not find any conflicts with this rule. |
Fail | The scan found a conflict with this rule. |
Not checked | OpenSCAP does not perform an automatic evaluation of this rule. Check whether your system conforms to this rule manually. |
Not applicable | This rule does not apply to the current configuration. |
Not selected | This rule is not part of the profile. OpenSCAP does not evaluate this rule and does not display these rules in the results. |
Error | The scan encountered an error. For additional information, you can enter the oscap-scanner command with the --verbose DEVEL option. Consider opening a bug report. |
Unknown | The scan encountered an unexpected situation. For additional information, you can enter the oscap-scanner command with the --verbose DEVEL option. Consider opening a bug report. |
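To show how these result values turn into a verdict, the following Python script is an added example (not part of the original guide or of the OpenSCAP project). It reads an XCCDF TestResult such as oscap xccdf eval writes with the --results option, tallies the rule results according to the table above, and lists the rules that still need a human. The results document is constructed and trimmed, and its rule IDs are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}

# Constructed, trimmed results: a real file also carries the whole benchmark
# and per-rule check details; the TestResult element is all this script needs.
# The rule IDs are placeholders, not real SCAP Security Guide rules.
SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss">
  <profile idref="xccdf_org.ssgproject.content_profile_pci-dss"/>
  <rule-result idref="xccdf_org.ssgproject.content_rule_r1"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_r2"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_r3"><result>notchecked</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_r4"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_r5"><result>notselected</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_r6"><result>error</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_r7"><result>pass</result></rule-result>
</TestResult>"""

# Buckets derived from the table above.
NEEDS_ATTENTION = {"notchecked", "error", "unknown"}   # a human must look at these
IGNORED = {"notapplicable", "notselected"}             # say nothing about compliance


def summarize(results_xml):
    """Return (profile id, Counter of result -> count, [(rule id, result)]
    for every rule that failed or still needs attention)."""
    root = ET.fromstring(results_xml)
    test_result = root if root.tag == f"{{{XCCDF}}}TestResult" else root.find(".//x:TestResult", NS)
    profile = test_result.find("x:profile", NS).get("idref")
    counts, follow_up = Counter(), []
    for rr in test_result.iterfind("x:rule-result", NS):
        result = rr.findtext("x:result", namespaces=NS)
        counts[result] += 1
        if result == "fail" or result in NEEDS_ATTENTION:
            follow_up.append((rr.get("idref"), result))
    return profile, counts, follow_up


def verdict(counts):
    """'fail' if any rule failed; 'incomplete' if unchecked or errored rules
    remain (a clean automated run alone does not prove compliance); 'pass'
    only when at least one rule was evaluated and every evaluated rule passed."""
    if counts.get("fail", 0):
        return "fail"
    if any(counts.get(r, 0) for r in NEEDS_ATTENTION) or not counts.get("pass", 0):
        return "incomplete"
    return "pass"
```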
8.3.3. Viewing Profiles for Configuration Compliance
Before you decide to use profiles for scanning or remediation, you can list them and check their detailed descriptions using the oscap info sub-command.
Prerequisites
- The openscap-scanner and scap-security-guide packages are installed.
Procedure
- List all available files with configuration compliance profiles provided by the SCAP Security Guide project:
    ~]$ ls /usr/share/xml/scap/ssg/content/
    ssg-firefox-cpe-dictionary.xml  ssg-rhel6-ocil.xml
    ssg-firefox-cpe-oval.xml        ssg-rhel6-oval.xml
    ...
    ssg-rhel6-ds-1.2.xml            ssg-rhel8-xccdf.xml
    ssg-rhel6-ds.xml
    ...
- Display detailed information about a selected data stream using the oscap info sub-command. XML files containing data streams are indicated by the -ds string in their names. In the Profiles section, you can find a list of available profiles and their IDs:
    ~]$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
    ...
    Profiles:
        Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
            Id: xccdf_org.ssgproject.content_profile_pci-dss
        Title: OSPP - Protection Profile for General Purpose Operating Systems v. 4.2.1
            Id: xccdf_org.ssgproject.content_profile_ospp
    ...
- Select a profile from the data stream file and display additional details about the selected profile. To do so, use oscap info with the --profile option followed by the suffix of the ID displayed in the output of the previous command. For example, the ID of the PCI-DSS profile is xccdf_org.ssgproject.content_profile_pci-dss, and the value for the --profile option can be _pci-dss:
    ~]$ oscap info --profile _pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
    ...
    Profile
        Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7
        Id: xccdf_org.ssgproject.content_profile_pci-dss
        Description: Ensures PCI-DSS v3.2.1 related security configuration settings are applied.
    ...
- Alternatively, when using a GUI, install the scap-security-guide-doc package and open the file:///usr/share/doc/scap-security-guide-doc-0.1.46/ssg-rhel7-guide-index.html file in a web browser. Select the required profile in the upper right field of the Guide to the Secure Configuration of Red Hat Enterprise Linux 7 document, and you can see the ID already included in the relevant command for the subsequent evaluation.
Additional Resources
- The scap-security-guide(8) man page also contains the list of profiles.
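As an added illustration of the data stream layout from Section 8.3.1 and of the oscap info and --profile lookup in the procedure above (example code written for this page, not code from the OpenSCAP or SCAP Security Guide projects), the following Python script parses a constructed, trimmed data stream, lists its profiles the way oscap info does, and resolves a --profile suffix to a full profile ID. The sample rule IDs and the suffix-matching rule are assumptions standing in for the real content and for oscap's own lookup logic.

```python
import xml.etree.ElementTree as ET

# Namespaces of a SCAP 1.2 source data stream and the XCCDF 1.2 benchmark inside it.
NS = {"ds": "http://scap.nist.gov/schema/scap/source/1.2",
      "xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed, heavily trimmed stand-in for ssg-rhel7-ds.xml: one checklist
# component carrying one benchmark with two profiles. The real file has many
# hundreds of rules plus OVAL, OCIL and CPE components and remediation content.
SAMPLE_DS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_pci-dss">
        <xccdf:title>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7</xccdf:title>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="true"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_ospp">
        <xccdf:title>OSPP - Protection Profile for General Purpose Operating Systems v. 4.2.1</xccdf:title>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="false"/>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>"""


def list_profiles(ds_xml):
    """Walk data stream -> component -> Benchmark -> Profile and return
    (profile id, title, number of selected rules) per profile, like oscap info."""
    root = ET.fromstring(ds_xml)
    profiles = []
    for prof in root.iterfind(".//ds:component/xccdf:Benchmark/xccdf:Profile", NS):
        title = prof.findtext("xccdf:title", default="", namespaces=NS)
        selected = sum(1 for sel in prof.iterfind("xccdf:select", NS)
                       if sel.get("selected") == "true")
        profiles.append((prof.get("id"), title, selected))
    return profiles


def resolve_profile(ds_xml, wanted):
    """Map a --profile argument to a full profile ID: the full ID or a suffix
    of it ('_pci-dss', 'ospp'), as the page describes. Assumed approximation of
    oscap's lookup; it refuses ambiguous suffixes instead of picking one."""
    matches = [pid for pid, _, _ in list_profiles(ds_xml) if pid.endswith(wanted)]
    if len(matches) != 1:
        raise LookupError(f"{wanted!r} matches {len(matches)} profiles: {matches}")
    return matches[0]
```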
8.3.4. Assessing Configuration Compliance with a Specific Baseline
To determine whether your system conforms to a specific baseline, follow these steps.
Prerequisites
- The openscap-scanner and scap-security-guide packages are installed.
- You know the ID of the profile within the baseline with which the system should comply. To find the ID, see Section 8.3.3, “Viewing Profiles for Configuration Compliance”.
Procedure
- Evaluate the compliance of the system with the selected profile and save the scan results in the report.html HTML file, for example:
    ~]$ sudo oscap xccdf eval --report report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
- Optional: Scan a remote system with the machine1 host name, SSH running on port 22, and the joesec user name against the same profile, and save the results to the remote_report.html file:
    ~]$ oscap-ssh joesec@machine1 22 xccdf eval --report remote_report.html --profile ospp /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Additional Resources
- The scap-security-guide(8) man page.
- The SCAP Security Guide documentation installed in the file:///usr/share/doc/scap-security-guide-doc-0.1.46/ directory.
- The Guide to the Secure Configuration of Red Hat Enterprise Linux 7 installed with the scap-security-guide-doc package: file:///usr/share/doc/scap-security-guide-doc-0.1.46/ssg-rhel7-guide-index.html