Chapter 5. Scanning the system for configuration compliance
A compliance audit is a process of determining whether a given object follows all the rules specified in a compliance policy. The compliance policy is defined by security professionals who specify the required settings, often in the form of a checklist, that a computing environment should use.
Compliance policies can vary substantially across organizations and even across different systems within the same organization. Differences among these policies are based on the purpose of each system and its importance for the organization. Custom software settings and deployment characteristics also raise a need for custom policy checklists.
5.1. Configuration compliance tools in RHEL
You can perform a fully automated compliance audit in Red Hat Enterprise Linux by using the following configuration compliance tools. These tools are based on the Security Content Automation Protocol (SCAP) standard and are designed for automated tailoring of compliance policies.
- OpenSCAP
The OpenSCAP library, with the accompanying oscap command-line utility, is designed to perform configuration and vulnerability scans on a local system, to validate configuration compliance content, and to generate reports and guides based on these scans and evaluations.
Important: You can experience memory-consumption problems while using OpenSCAP, which can cause the program to stop prematurely and prevent it from generating any result files. See the OpenSCAP memory-consumption problems Knowledgebase article for details.
- SCAP Security Guide (SSG)
The scap-security-guide package provides collections of security policies for Linux systems. The guidance consists of a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.
- Script Check Engine (SCE)
With SCE, which is an extension to the SCAP protocol, administrators can write their security content by using a scripting language, such as Bash, Python, or Ruby. The SCE extension is provided in the openscap-engine-sce package. The SCE itself is not part of the SCAP standard.
To perform automated compliance audits on multiple systems remotely, you can use the OpenSCAP solution for Red Hat Satellite.
Additional resources
- oscap(8) and scap-security-guide(8) man pages on your system
- Red Hat Security Demos: Creating Customized Security Policy Content to Automate Security Compliance
- Red Hat Security Demos: Defend Yourself with RHEL Security Technologies
- Managing security compliance in Red Hat Satellite
5.2. Configuration compliance scanning
5.2.1. Configuration compliance in RHEL
You can use configuration compliance scanning to conform to a baseline defined by a specific organization. For example, if you are a payment processor, you might have to align your systems with the Payment Card Industry Data Security Standard (PCI-DSS). You can also perform configuration compliance scanning to harden your system security.
Red Hat recommends you follow the Security Content Automation Protocol (SCAP) content provided in the SCAP Security Guide package because it is in line with Red Hat best practices for affected components.
The SCAP Security Guide package provides content which conforms to the SCAP 1.2 and SCAP 1.3 standards. The openscap scanner utility is compatible with both SCAP 1.2 and SCAP 1.3 content provided in the SCAP Security Guide package.
Performing a configuration compliance scan does not guarantee that the system is compliant.
The SCAP Security Guide suite provides profiles for several platforms in the form of data stream documents. A data stream is a file that contains definitions, benchmarks, profiles, and individual rules. Each rule specifies the applicability and requirements for compliance. RHEL provides several profiles for compliance with security policies. In addition to the industry standard, Red Hat data streams also contain information for remediation of failed rules.
Structure of compliance scanning resources
Data stream
├── xccdf
|   ├── benchmark
|   ├── profile
|   |   ├── rule reference
|   |   └── variable
|   └── rule
|       ├── human readable data
|       ├── ocil reference
|       ├── cpe reference
|       └── remediation
├── ocil
└── cpe
A profile is a set of rules based on a security policy, such as PCI-DSS and Health Insurance Portability and Accountability Act (HIPAA). This enables you to audit the system in an automated way for compliance with security standards.
You can modify (tailor) a profile to customize certain rules, for example, password length.
For more information about profile tailoring, see Customizing a security profile with autotailor.
5.2.2. Possible results of an OpenSCAP scan
Depending on the data stream and profile applied to an OpenSCAP scan, as well as various properties of your system, each rule may produce a specific result. These are the possible results with brief explanations of their meanings:
- Pass
- The scan did not find any conflicts with this rule.
- Fail
- The scan found a conflict with this rule.
- Not checked
- OpenSCAP does not perform an automatic evaluation of this rule. Check whether your system conforms to this rule manually.
- Not applicable
- This rule does not apply to the current configuration.
- Not selected
- This rule is not part of the profile. OpenSCAP does not evaluate this rule and does not display these rules in the results.
- Error
- The scan encountered an error. For additional information, you can enter the oscap command with the --verbose DEVEL option. File a support case on the Red Hat customer portal or open a ticket in the RHEL project in Red Hat Jira.
- Unknown
- The scan encountered an unexpected situation. For additional information, you can enter the oscap command with the --verbose DEVEL option. File a support case on the Red Hat customer portal or open a ticket in the RHEL project in Red Hat Jira.
5.2.3. Viewing profiles for configuration compliance
Before you decide to use profiles for scanning or remediation, you can list them and check their detailed descriptions by using the oscap info subcommand.
Prerequisites
- The openscap-scanner and scap-security-guide packages are installed.
Procedure
- List all available files with security compliance profiles provided by the SCAP Security Guide project:
$ ls /usr/share/xml/scap/ssg/content/
ssg-rhel9-ds.xml
- Display detailed information about a selected data stream by using the oscap info subcommand. XML files containing data streams are indicated by the -ds string in their names. In the Profiles section, you can find a list of available profiles and their IDs:
$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
Profiles:
…
Title: Australian Cyber Security Centre (ACSC) Essential Eight
Id: xccdf_org.ssgproject.content_profile_e8
Title: Health Insurance Portability and Accountability Act (HIPAA)
Id: xccdf_org.ssgproject.content_profile_hipaa
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
Id: xccdf_org.ssgproject.content_profile_pci-dss
…
- Select a profile from the data stream file and display additional details about the selected profile. To do so, use oscap info with the --profile option followed by the last section of the ID displayed in the output of the previous command. For example, the ID of the HIPAA profile is xccdf_org.ssgproject.content_profile_hipaa, and the value for the --profile option is hipaa:
$ oscap info --profile hipaa /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
…
Profile
Title: Health Insurance Portability and Accountability Act (HIPAA)
Description: The HIPAA Security Rule establishes U.S. national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity.
…
Additional resources
- scap-security-guide(8) man page
- OpenSCAP memory consumption problems
5.2.4. Assessing configuration compliance with a specific baseline
You can determine whether your system or a remote system conforms to a specific baseline, and save the results in a report by using the oscap command-line tool.
Prerequisites
- The openscap-scanner and scap-security-guide packages are installed.
- You know the ID of the profile within the baseline with which the system should comply. To find the ID, see the Viewing profiles for configuration compliance section.
Procedure
- Scan the local system for compliance with the selected profile and save the scan results to a file:
$ oscap xccdf eval --report <scan-report.html> --profile <profileID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
Replace:
  - <scan-report.html> with the file name where oscap saves the scan results.
  - <profileID> with the profile ID with which the system should comply, for example, hipaa.
- Optional: Scan a remote system for compliance with the selected profile and save the scan results to a file:
$ oscap-ssh <username>@<hostname> <port> xccdf eval --report <scan-report.html> --profile <profileID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
Replace:
  - <username>@<hostname> with the user name and host name of the remote system.
  - <port> with the port number through which you can access the remote system.
  - <scan-report.html> with the file name where oscap saves the scan results.
  - <profileID> with the profile ID with which the system should comply, for example, hipaa.
Additional resources
- scap-security-guide(8) man page on your system
- SCAP Security Guide documentation in the /usr/share/doc/scap-security-guide/ directory
- /usr/share/doc/scap-security-guide/guides/ssg-rhel10-guide-index.html [Guide to the Secure Configuration of RHEL 10] installed with the scap-security-guide-doc package
- OpenSCAP memory consumption problems
5.2.5. Assessing security compliance of a container or a container image with a specific baseline
You can assess the compliance of your container or a container image with a specific security baseline, such as Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act (HIPAA).
Prerequisites
- The openscap-utils and scap-security-guide packages are installed.
- You have root access to the system.
Procedure
- Find the ID of a container or a container image:
  - To find the ID of a container, enter the podman ps -a command.
  - To find the ID of a container image, enter the podman images command.
- Evaluate the compliance of the container or container image with a profile and save the scan results into a file:
# oscap-podman <ID> xccdf eval --report <scan-report.html> --profile <profileID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
Replace:
  - <ID> with the ID of your container or container image
  - <scan-report.html> with the file name where oscap saves the scan results
  - <profileID> with the profile ID with which the system should comply, for example, hipaa or pci-dss
Verification
Check the results in a browser of your choice, for example:
$ firefox <scan-report.html> &
The rules marked as notapplicable apply only to bare-metal and virtualized systems and not to containers or container images.
Additional resources
- oscap-podman(8) and scap-security-guide(8) man pages on your system
- /usr/share/doc/scap-security-guide/ directory
5.3. Configuration compliance remediation
To automatically align your system with a specific profile, you can perform a remediation. You can remediate the system to align with any profile provided by the SCAP Security Guide.
5.3.1. Remediating the system to align with a specific baseline
You can remediate the RHEL system to align with a specific baseline. You can remediate the system to align with any profile provided by the SCAP Security Guide.
If not used carefully, running the system evaluation with the Remediate option enabled might render the system non-functional. Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.
Prerequisites
- The scap-security-guide package is installed.
Procedure
- Remediate the system by using the oscap command with the --remediate option:
# oscap xccdf eval --profile <profileID> --remediate /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
Replace <profileID> with the profile ID with which the system should comply, for example, hipaa.
- Restart your system.
Verification
Evaluate compliance of the system with the profile, and save the scan results to a file:
$ oscap xccdf eval --report <scan-report.html> --profile <profileID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
Replace:
- <scan-report.html> with the file name where oscap saves the scan results.
- <profileID> with the profile ID with which the system should comply, for example, hipaa.
Additional resources
- scap-security-guide(8) and oscap(8) man pages on your system
5.3.2. Remediating the system to align with a specific baseline by using an SSG Ansible playbook
You can remediate your system to align with a specific baseline by using an Ansible playbook file from the SCAP Security Guide (SSG) project. This example uses the Health Insurance Portability and Accountability Act (HIPAA) profile, but you can remediate to align with any other profile provided by the SCAP Security Guide.
If not used carefully, running the system evaluation with the Remediate option enabled might render the system non-functional. Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.
Prerequisites
- The scap-security-guide package is installed.
- The ansible-core package is installed. See the Ansible Installation Guide for more information.
Procedure
- Remediate your system to align with HIPAA by using Ansible:
# ansible-playbook -i localhost, -c local /usr/share/scap-security-guide/ansible/rhel10-playbook-hipaa.yml
- Restart the system.
Verification
Evaluate the compliance of the system with the HIPAA profile, and save the scan results to a file:
# oscap xccdf eval --profile hipaa --report <scan-report.html> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
Replace <scan-report.html> with the file name where oscap saves the scan results.
Additional resources
- scap-security-guide(8) and oscap(8) man pages on your system
- Ansible Documentation
5.3.3. Creating a remediation Ansible playbook to align the system with a specific baseline
You can create an Ansible playbook containing only the remediations that are required to align your system with a specific baseline. This playbook is smaller because it does not cover already satisfied requirements. Creating the playbook does not modify your system in any way; you only prepare a file for later application. This example uses the Health Insurance Portability and Accountability Act (HIPAA) profile.
Prerequisites
- The scap-security-guide package is installed.
Procedure
- Scan the system and save the results:
# oscap xccdf eval --profile hipaa --results <hipaa-results.xml> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
- Find the value of the result ID in the file with the results:
# oscap info <hipaa-results.xml>
- Generate an Ansible playbook based on the file generated in step 1:
# oscap xccdf generate fix --fix-type ansible --result-id <xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_hipaa> --output <hipaa-remediations.yml> <hipaa-results.xml>
- Review the generated file, which contains the Ansible remediations for rules that failed during the scan performed in step 1. After reviewing this generated file, you can apply it by using the ansible-playbook <hipaa-remediations.yml> command.
Verification
- In a text editor of your choice, review that the generated <hipaa-remediations.yml> file contains rules that failed in the scan performed in step 1.
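As an added example that is not part of the original Red Hat documentation, the following Python script reads an XCCDF results file such as the <hipaa-results.xml> written in step 1, extracts the TestResult ID that step 3 passes to --result-id, and groups the rules by the result statuses described in Possible results of an OpenSCAP scan, so you can compare the failed rules against the tasks in the generated playbook. The embedded results document and its rule IDs are constructed samples; the script also accepts the path of a real results file as its first argument.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed sample of a results file as written by "oscap xccdf eval --results":
# the benchmark content is omitted; only the TestResult element that oscap appends
# is shown, and the rule IDs are made-up samples.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_SAMPLE">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_hipaa">
    <profile idref="xccdf_org.ssgproject.content_profile_hipaa"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_sshd_idle_timeout">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_password_minlen">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_gpgcheck_enabled">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_patches_up_to_date">
      <result>notchecked</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_bootloader_password">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sample_audit_rules">
      <result>error</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def load_test_result(xml_text):
    """Return the single TestResult element, wherever it sits in the document
    (results written from a data stream nest it deeper than this sample)."""
    found = list(ET.fromstring(xml_text).iter(XCCDF_NS + "TestResult"))
    if len(found) != 1:
        raise ValueError(f"expected exactly one TestResult, found {len(found)}")
    return found[0]

def result_id(xml_text):
    """The value to pass to 'oscap xccdf generate fix --result-id'."""
    return load_test_result(xml_text).get("id")

def rule_results(xml_text):
    """Map each rule ID to its result string (pass, fail, notchecked, ...)."""
    test_result = load_test_result(xml_text)
    return {rr.get("idref"): rr.findtext(XCCDF_NS + "result")
            for rr in test_result.findall(XCCDF_NS + "rule-result")}

def summarize(xml_text):
    """Count rules per result status, like the summary of an HTML report."""
    return dict(Counter(rule_results(xml_text).values()))

def rules_needing_attention(xml_text):
    """Failed rules (what a generated playbook targets), notchecked rules (verify
    manually) and error/unknown rules (rerun with --verbose DEVEL and investigate)."""
    groups = {"fail": [], "notchecked": [], "error_or_unknown": []}
    for rid, status in sorted(rule_results(xml_text).items()):
        short = rid.rsplit("_rule_", 1)[-1]   # strip the xccdf_..._rule_ prefix
        if status == "fail":
            groups["fail"].append(short)
        elif status == "notchecked":
            groups["notchecked"].append(short)
        elif status in ("error", "unknown"):
            groups["error_or_unknown"].append(short)
    return groups

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    print("result id:", result_id(text))
    print("summary:", summarize(text))
    for group, rules in rules_needing_attention(text).items():
        print(f"{group}: {', '.join(rules) or '-'}")
```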
Additional resources
- scap-security-guide(8) and oscap(8) man pages on your system
- Ansible Documentation
5.4. Performing a hardened installation of RHEL with Kickstart
If you need your system to be compliant with a specific security profile, such as DISA STIG, CIS, or ANSSI, you can prepare a Kickstart file that defines the hardened configuration, customize the configuration with a tailoring file, and start an automated installation of the hardened system.
Prerequisites
- The openscap-scanner package is installed on your system.
- The scap-security-guide package is installed on your system and the package version corresponds to the version of RHEL that you want to install. For more information, see Supported versions of the SCAP Security Guide in RHEL. Using a different version can cause conflicts.
Note: If your system has the same version of RHEL as the version you want to install, you can install the scap-security-guide package directly.
Procedure
- Find the ID of the security profile from the data stream file:
$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
Profiles:
…
Title: Australian Cyber Security Centre (ACSC) Essential Eight
Id: xccdf_org.ssgproject.content_profile_e8
Title: Health Insurance Portability and Accountability Act (HIPAA)
Id: xccdf_org.ssgproject.content_profile_hipaa
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 10
Id: xccdf_org.ssgproject.content_profile_pci-dss
…
- Optional: If you want to customize your hardening with an XCCDF tailoring file, you can use the autotailor command provided in the openscap-utils package. For more information, see Customizing a security profile with autotailor.
- Generate the kickstart file from the SCAP source data stream:
$ oscap xccdf generate fix --profile <profile_ID> --output <kickstart_file>.cfg --fix-type kickstart /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
If you are using a tailoring file, embed the tailoring file into the generated kickstart file by using the --tailoring-file tailoring.xml option and your custom profile ID, for example:
$ oscap xccdf generate fix --tailoring-file tailoring.xml --profile <custom_profile_ID> --output <kickstart_file>.cfg --fix-type kickstart ./ssg-rhel10-ds.xml
- Review and, if necessary, manually modify the generated <kickstart_file>.cfg to fit the needs of your deployment. Follow the instructions in the comments in the file.
Note: Some changes might affect the compliance of the systems installed by the kickstart file. For example, some security policies require defined partitions or specific packages and services.
- Use the kickstart file for your installation. For the installer to use the kickstart, the kickstart can be served through a web server, provided in PXE, or embedded into the ISO image. For detailed steps, see Installing RHEL fully and semi-automated in RHEL product documentation.
- After the installation finishes, the system reboots automatically. After the reboot, log in and review the installation SCAP report saved in the /root directory.
Verification
Scan the system for compliance and save the report in an HTML file for review:
With the original profile:
# oscap xccdf eval --report report.html --profile <profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
With the tailored profile:
# oscap xccdf eval --report report.html --tailoring-file tailoring.xml --profile <custom_profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
5.5. Customizing a security profile with autotailor
You can customize a security profile to better adjust it to your specific needs, for example, to implement an internal policy that differs from the official profile. When customizing a profile, you can select additional rules, remove rules that you cover differently, and change parameters of certain rules such as minimum password length. You cannot define new rules when customizing a profile.
By using the autotailor utility, you create an XCCDF tailoring file that contains all of the modifications of the original profile. Then, when you are scanning, remediating, or installing a system in accordance with a SCAP profile, you pass this tailoring file to the oscap command-line utility.
Prerequisites
- The openscap-utils package is installed on your system.
- You know the ID of the profile within the baseline which you want to customize. To find the ID, see the Viewing profiles for configuration compliance section.
Procedure
- Create a tailoring file for your profile by using the autotailor command, for example:
$ autotailor \
    --select=<ruleID_1> \
    --select=<ruleID_2> \
    --unselect=<ruleID_3> \
    --var-value=<valueID_1>=<value_1> \
    --var-value=<valueID_2>=<value_2> \
    --output=<tailoring.xml> \
    --tailored-profile-id=<custom_profileID> \
    /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml <profileID>
Where:
  - The customization options (the --select, --unselect, and --var-value options in the example) are the modifications of the profile. Use one or more of the following options:
    --select=<ruleID>: Add an existing rule to the profile.
    --unselect=<ruleID>: Remove a rule from the profile.
    --var-value=<valueID>=<value>: Override a pre-set value. For example, to set var_sshd_max_sessions to 10, use --var-value=var_sshd_max_sessions=10.
  - <tailoring.xml> is the file name where autotailor saves the tailoring.
  - <custom_profileID> is the profile ID within which autotailor saves customizations, for example, custom_cis.
  - <profileID> is the profile ID with which the system should comply, for example, cis.
Note: For all profile, rule, and variable XCCDF IDs you can use either a full namespaced identifier or a shortened ID, which autotailor automatically augments with the namespace prefix. For example, cis is equivalent to xccdf_org.ssgproject.content_profile_cis. You can override the default namespace org.ssgproject.content by using the --id-namespace option.
- Optional: Create a tailoring file based on the customizations defined in the JSON Tailoring format:
$ autotailor --output=<tailoring.xml> --json-tailoring=<json_tailoring.json>
Replace:
  - <json_tailoring.json> with the file name with JSON Tailoring definitions.
Note: You can mix --json-tailoring with --select, --unselect, and --var-value command-line customizations. In that case, command-line customizations have priority over JSON Tailoring.
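As an added example that is not part of the original documentation, the following Python script implements the ID augmentation rule from the note above (a short ID gets the xccdf_<namespace>_<kind>_ prefix) and uses it to verify that a tailoring file written by autotailor records exactly the --select, --unselect, and --var-value customizations that were requested. The embedded tailoring document is a constructed sample in the XCCDF 1.2 Tailoring format; its rule and value IDs are made up.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"
DEFAULT_ID_NAMESPACE = "org.ssgproject.content"  # default unless --id-namespace is given

# Constructed sample tailoring file (XCCDF 1.2 Tailoring document); the rule and
# value IDs are made-up samples, not real SCAP Security Guide identifiers.
SAMPLE_TAILORING = """<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.ssgproject.content_tailoring_custom_cis">
  <xccdf-1.2:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml"/>
  <xccdf-1.2:version time="2024-01-01T00:00:00">1</xccdf-1.2:version>
  <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_custom_cis"
                     extends="xccdf_org.ssgproject.content_profile_cis">
    <xccdf-1.2:title>CIS profile customized for internal policy</xccdf-1.2:title>
    <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sample_sshd_max_sessions" selected="true"/>
    <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sample_aide_installed" selected="false"/>
    <xccdf-1.2:set-value idref="xccdf_org.ssgproject.content_value_var_sshd_max_sessions">10</xccdf-1.2:set-value>
  </xccdf-1.2:Profile>
</xccdf-1.2:Tailoring>
"""

def expand_id(kind, short_id, namespace=DEFAULT_ID_NAMESPACE):
    """Augment a short ID with the namespace prefix the way autotailor does:
    ("profile", "cis") -> "xccdf_org.ssgproject.content_profile_cis".
    Full identifiers (already starting with "xccdf_") are returned unchanged."""
    if kind not in ("profile", "rule", "value"):
        raise ValueError(f"unsupported XCCDF ID kind: {kind}")
    if short_id.startswith("xccdf_"):
        return short_id
    return f"xccdf_{namespace}_{kind}_{short_id}"

def describe_tailoring(xml_text):
    """Read the customizations recorded in a tailoring file, keyed like the
    autotailor options: select / unselect / var_value, plus the profile IDs."""
    root = ET.fromstring(xml_text)
    profiles = root.findall(XCCDF_NS + "Profile")
    if len(profiles) != 1:
        raise ValueError(f"expected one tailored Profile, found {len(profiles)}")
    prof = profiles[0]
    desc = {"profile_id": prof.get("id"), "extends": prof.get("extends"),
            "select": set(), "unselect": set(), "var_value": {}}
    for sel in prof.findall(XCCDF_NS + "select"):
        target = "select" if sel.get("selected") == "true" else "unselect"
        desc[target].add(sel.get("idref"))
    for sv in prof.findall(XCCDF_NS + "set-value"):
        desc["var_value"][sv.get("idref")] = (sv.text or "").strip()
    return desc

def check_tailoring(xml_text, base_profile, custom_profile,
                    select=(), unselect=(), var_value=None):
    """Compare a tailoring file against the short-form customizations passed to
    autotailor. Returns a list of discrepancies; empty means an exact match."""
    got = describe_tailoring(xml_text)
    problems = []
    if got["profile_id"] != expand_id("profile", custom_profile):
        problems.append(f"tailored profile id is {got['profile_id']}")
    if got["extends"] != expand_id("profile", base_profile):
        problems.append(f"tailored profile extends {got['extends']}")
    wanted = {"select": {expand_id("rule", r) for r in select},
              "unselect": {expand_id("rule", r) for r in unselect}}
    for name, want in wanted.items():
        for rid in want - got[name]:
            problems.append(f"missing --{name}={rid}")
        for rid in got[name] - want:
            problems.append(f"unexpected {name} of {rid}")
    for vid, val in (var_value or {}).items():
        full = expand_id("value", vid)
        if got["var_value"].get(full) != str(val):
            problems.append(f"{full} is {got['var_value'].get(full)!r}, expected {val!r}")
    return problems
```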
Additional resources
- autotailor(8) man page on your system
5.6. SCAP Security Guide profiles supported in RHEL 10
Use only the SCAP content provided in the particular minor release of RHEL. This is because components that participate in hardening are sometimes updated with new capabilities. SCAP content changes to reflect these updates, but it is not always backward compatible.
Profile name | Profile ID | Policy version
---|---|---
[DRAFT] French National Agency for the Security of Information Systems (ANSSI) BP-028 Enhanced Level | | 2.0
[DRAFT] French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level | | 2.0
[DRAFT] French National Agency for the Security of Information Systems (ANSSI) BP-028 Intermediary Level | | 2.0
[DRAFT] French National Agency for the Security of Information Systems (ANSSI) BP-028 Minimal Level | | 2.0
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server | | DRAFT
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server | | DRAFT
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation | | DRAFT
[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation | | DRAFT
[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight | | not versioned
[DRAFT] Health Insurance Portability and Accountability Act (HIPAA) | | not versioned
[DRAFT] Australian Cyber Security Centre (ACSC) ISM Official - Base | | not versioned
[DRAFT] Australian Cyber Security Centre (ACSC) ISM Official - Secret | | not versioned
[DRAFT] Australian Cyber Security Centre (ACSC) ISM Official - Top Secret | | not versioned
[DRAFT] PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9 | | 4.0
[DRAFT] The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Enterprise Linux 10 | | DRAFT
[DRAFT] The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) with GUI for Red Hat Enterprise Linux 10 | | DRAFT
5.7. Additional resources
- Supported versions of the SCAP Security Guide in RHEL
- The OpenSCAP project page provides detailed information about the oscap utility and other components and projects related to SCAP.
- The SCAP Security Guide (SSG) project page provides the latest security content for Red Hat Enterprise Linux.
- Using OpenSCAP for security compliance and vulnerability scanning - A hands-on lab on running tools based on the Security Content Automation Protocol (SCAP) standard for compliance scanning in RHEL.
- Red Hat Security Demos: Creating Customized Security Policy Content to Automate Security Compliance - A hands-on lab to get initial experience in automating security compliance using the tools that are included in RHEL to comply with both industry standard security policies and custom security policies. If you want training or access to these lab exercises for your team, contact your Red Hat account team for additional details.
- Red Hat Security Demos: Defend Yourself with RHEL Security Technologies - A hands-on lab to learn how to implement security at all levels of your RHEL system, using the key security technologies available to you in RHEL, including OpenSCAP. If you want training or access to these lab exercises for your team, contact your Red Hat account team for additional details.
- National Institute of Standards and Technology (NIST) SCAP page has a vast collection of SCAP-related materials, including SCAP publications, specifications, and the SCAP Validation Program.
- Managing security compliance in Red Hat Satellite - This set of guides describes, among other topics, how to maintain system security on multiple systems by using OpenSCAP.