Chapter 5. Scanning the system for configuration compliance


A compliance audit is a process of determining whether a given object follows all the rules specified in a compliance policy. The compliance policy is defined by security professionals who specify the required settings, often in the form of a checklist, that a computing environment should use.

Compliance policies can vary substantially across organizations and even across different systems within the same organization. Differences among these policies are based on the purpose of each system and its importance for the organization. Custom software settings and deployment characteristics also raise a need for custom policy checklists.

5.1. Configuration compliance tools in RHEL

You can perform a fully automated compliance audit in Red Hat Enterprise Linux by using the following configuration compliance tools. These tools are based on the Security Content Automation Protocol (SCAP) standard and are designed for automated tailoring of compliance policies.

OpenSCAP

The OpenSCAP library, with the accompanying oscap command-line utility, is designed to perform configuration and vulnerability scans on a local system, to validate configuration compliance content, and to generate reports and guides based on these scans and evaluations.

Important

You can experience memory-consumption problems while using OpenSCAP, which can cause stopping the program prematurely and prevent generating any result files. See the OpenSCAP memory-consumption problems Knowledgebase article for details.

SCAP Security Guide (SSG)
The scap-security-guide package provides collections of security policies for Linux systems. The guidance consists of a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.
Script Check Engine (SCE)
With SCE, which is an extension to the SCAP protocol, administrators can write their security content by using a scripting language, such as Bash, Python, and Ruby. The SCE extension is provided in the openscap-engine-sce package. The SCE itself is not part of the SCAP standard.

To perform automated compliance audits on multiple systems remotely, you can use the OpenSCAP solution for Red Hat Satellite.

5.2. Configuration compliance scanning

5.2.1. Configuration compliance in RHEL

You can use configuration compliance scanning to conform to a baseline defined by a specific organization. For example, if you are a payment processor, you might have to align your systems with the Payment Card Industry Data Security Standard (PCI-DSS). You can also perform configuration compliance scanning to harden your system security.

Red Hat recommends you follow the Security Content Automation Protocol (SCAP) content provided in the SCAP Security Guide package because it is in line with Red Hat best practices for affected components.

The SCAP Security Guide package provides content which conforms to the SCAP 1.2 and SCAP 1.3 standards. The openscap scanner utility is compatible with both SCAP 1.2 and SCAP 1.3 content provided in the SCAP Security Guide package.

Important

Performing a configuration compliance scanning does not guarantee the system is compliant.

The SCAP Security Guide suite provides profiles for several platforms in a form of data stream documents. A data stream is a file that contains definitions, benchmarks, profiles, and individual rules. Each rule specifies the applicability and requirements for compliance. RHEL provides several profiles for compliance with security policies. In addition to the industry standard, Red Hat data streams also contain information for remediation of failed rules.

Structure of compliance scanning resources

Data stream
   ├── xccdf
   |      ├── benchmark
   |            ├── profile
   |            |    ├──rule reference
   |            |    └──variable
   |            ├── rule
   |                 ├── human readable data
   |                 ├── ocil reference
   ├── ocil          ├── cpe reference
   └── cpe           └── remediation

A profile is a set of rules based on a security policy, such as PCI-DSS and Health Insurance Portability and Accountability Act (HIPAA). This enables you to audit the system in an automated way for compliance with security standards.

You can modify (tailor) a profile to customize certain rules, for example, password length.

For more information about profile tailoring, see Customizing a security profile with autotailor.

5.2.2. Possible results of an OpenSCAP scan

Depending on the data stream and profile applied to an OpenSCAP scan, as well as various properties of your system, each rule may produce a specific result. These are the possible results with brief explanations of their meanings:

Pass
The scan did not find any conflicts with this rule.
Fail
The scan found a conflict with this rule.
Not checked
OpenSCAP does not perform an automatic evaluation of this rule. Check whether your system conforms to this rule manually.
Not applicable
This rule does not apply to the current configuration.
Not selected
This rule is not part of the profile. OpenSCAP does not evaluate this rule and does not display these rules in the results.
Error
The scan encountered an error. For additional information, you can enter the oscap command with the --verbose DEVEL option. File a support case on the Red Hat customer portal or open a ticket in the RHEL project in Red Hat Jira.
Unknown
The scan encountered an unexpected situation. For additional information, you can enter the oscap command with the `--verbose DEVEL option. File a support case on the Red Hat customer portal or open a ticket in the RHEL project in Red Hat Jira.

5.2.3. Viewing profiles for configuration compliance

Before you decide to use profiles for scanning or remediation, you can list them and check their detailed descriptions by using the oscap info subcommand.

Prerequisites

  • The openscap-scanner and scap-security-guide packages are installed.

Procedure

  1. List all available files with security compliance profiles provided by the SCAP Security Guide project:

    $ ls /usr/share/xml/scap/ssg/content/
    ssg-rhel9-ds.xml
  2. Display detailed information about a selected data stream by using the oscap info subcommand. XML files containing data streams are indicated by the -ds string in their names. In the Profiles section, you can find a list of available profiles and their IDs:

    $ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    Profiles:
    …
      Title: Australian Cyber Security Centre (ACSC) Essential Eight
        Id: xccdf_org.ssgproject.content_profile_e8
      Title: Health Insurance Portability and Accountability Act (HIPAA)
        Id: xccdf_org.ssgproject.content_profile_hipaa
      Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9
        Id: xccdf_org.ssgproject.content_profile_pci-dss
    …
  3. Select a profile from the data stream file and display additional details about the selected profile. To do so, use oscap info with the --profile option followed by the last section of the ID displayed in the output of the previous command. For example, the ID of the HIPPA profile is xccdf_org.ssgproject.content_profile_hipaa, and the value for the --profile option is hipaa:

    $ oscap info --profile hipaa /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    …
    Profile
    	Title: Health Insurance Portability and Accountability Act (HIPAA)
    
    	Description: The HIPAA Security Rule establishes U.S. national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity.
    …

Additional resources

5.2.4. Assessing configuration compliance with a specific baseline

You can determine whether your system or a remote system conforms to a specific baseline, and save the results in a report by using the oscap command-line tool.

Prerequisites

  • The openscap-scanner and scap-security-guide packages are installed.
  • You know the ID of the profile within the baseline with which the system should comply. To find the ID, see the Viewing profiles for configuration compliance section.

Procedure

  1. Scan the local system for compliance with the selected profile and save the scan results to a file:

    $ oscap xccdf eval --report <scan-report.html> --profile <profileID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace:

    • <scan-report.html> with the file name where oscap saves the scan results.
    • <profileID> with the profile ID with which the system should comply, for example, hipaa.
  2. Optional: Scan a remote system for compliance with the selected profile and save the scan results to a file:

    $ oscap-ssh <username>@<hostname> <port> xccdf eval --report <scan-report.html> --profile <profileID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace:

    • <username>@<hostname> with the user name and host name of the remote system.
    • <port> with the port number through which you can access the remote system.
    • <scan-report.html> with the file name where oscap saves the scan results.
    • <profileID> with the profile ID with which the system should comply, for example, hipaa.

Additional resources

  • scap-security-guide(8) man page on your system
  • SCAP Security Guide documentation in the /usr/share/doc/scap-security-guide/ directory
  • /usr/share/doc/scap-security-guide/guides/ssg-rhel10-guide-index.html - [Guide to the Secure Configuration of RHEL 10] installed with the scap-security-guide-doc package
  • OpenSCAP memory consumption problems

5.2.5. Assessing security compliance of a container or a container image with a specific baseline

You can assess the compliance of your container or a container image with a specific security baseline, such as Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act (HIPAA).

Prerequisites

  • The openscap-utils and scap-security-guide packages are installed.
  • You have root access to the system.

Procedure

  1. Find the ID of a container or a container image:

    1. To find the ID of a container, enter the podman ps -a command.
    2. To find the ID of a container image, enter the podman images command.
  2. Evaluate the compliance of the container or container image with a profile and save the scan results into a file:

    # oscap-podman <ID> xccdf eval --report <scan-report.html> --profile <profileID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace:

    • <ID> with the ID of your container or container image
    • <scan-report.html> with the file name where oscap saves the scan results
    • <profileID> with the profile ID with which the system should comply, for example, hipaa or pci-dss

Verification

  • Check the results in a browser of your choice, for example:

    $ firefox <scan-report.html> &amp;
Note

The rules marked as notapplicable apply only to bare-metal and virtualized systems and not to containers or container images.

Additional resources

  • oscap-podman(8) and scap-security-guide(8) man pages on your system
  • /usr/share/doc/scap-security-guide/ directory

5.3. Configuration compliance remediation

To automatically align you system with a specific profile, you can perform a remediation. You can remediate the system to align with any profile provided by the SCAP Security Guide.

5.3.1. Remediating the system to align with a specific baseline

You can remediate the RHEL system to align with a specific baseline. You can remediate the system to align with any profile provided by the SCAP Security Guide.

Warning

If not used carefully, running the system evaluation with the Remediate option enabled might render the system non-functional. Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.

Prerequisites

  • The scap-security-guide package is installed.

Procedure

  1. Remediate the system by using the oscap command with the --remediate option:

    # oscap xccdf eval --profile <profileID> --remediate /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace <profileID> with the profile ID with which the system should comply, for example, hipaa.

  2. Restart your system.

Verification

  1. Evaluate compliance of the system with the profile, and save the scan results to a file:

    $ oscap xccdf eval --report <scan-report.html> --profile <profileID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace:

    • <scan-report.html> with the file name where oscap saves the scan results.
    • <profileID> with the profile ID with which the system should comply, for example, hipaa.

Additional resources

  • scap-security-guide(8) and oscap(8) man pages on your system

5.3.2. Remediating the system to align with a specific baseline by using an SSG Ansible playbook

You can remediate your system to align with a specific baseline by using an Ansible playbook file from the SCAP Security Guide (SSG) project. This example uses the Health Insurance Portability and Accountability Act (HIPAA) profile, but you can remediate to align with any other profile provided by the SCAP Security Guide.

Warning

If not used carefully, running the system evaluation with the Remediate option enabled might render the system non-functional. Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.

Prerequisites

  • The scap-security-guide package is installed.
  • The ansible-core package is installed. See the Ansible Installation Guide for more information.

Procedure

  1. Remediate your system to align with HIPAA by using Ansible:

    # ansible-playbook -i localhost, -c local /usr/share/scap-security-guide/ansible/rhel10-playbook-hipaa.yml
  2. Restart the system.

Verification

  1. Evaluate the compliance of the system with the HIPAA profile, and save the scan results to a file:

    # oscap xccdf eval --profile hipaa --report <scan-report.html> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    Replace <scan-report.html> with the file name where oscap saves the scan results.

Additional resources

5.3.3. Creating a remediation Ansible playbook to align the system with a specific baseline

You can create an Ansible playbook containing only the remediations that are required to align your system with a specific baseline. This playbook is smaller because it does not cover already satisfied requirements. Creating the playbook does not modify your system in any way, you only prepare a file for later application. This example uses the Health Insurance Portability and Accountability Act (HIPAA) profile.

Prerequisites

  • The scap-security-guide package is installed.

Procedure

  1. Scan the system and save the results:

    # oscap xccdf eval --profile hipaa --results <hipaa-results.xml> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
  2. Find the value of the result ID in the file with the results:

    # oscap info <hipaa-results.xml>
  3. Generate an Ansible playbook based on the file generated in step 1:

    # oscap xccdf generate fix --fix-type ansible --result-id <xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_hipaa> --output <hipaa-remediations.yml> <hipaa-results.xml>
  4. Review the generated file, which contains the Ansible remediations for rules that failed during the scan performed in step 1. After reviewing this generated file, you can apply it by using the ansible-playbook <hipaa-remediations.yml> command.

Verification

  • In a text editor of your choice, review that the generated <hipaa-remediations.yml> file contains rules that failed in the scan performed in step 1.

Additional resources

5.4. Performing a hardened installation of RHEL with Kickstart

If you need your system to be compliant with a specific security profile, such as DISA STIG, CIS, or ANSSI, you can prepare a Kickstart file that defines the hardened configuration, customize the configuration with a tailoring file, and start an automated installation of the hardened system.

Prerequisites

  • The openscap-scanner is installed on your system.
  • The scap-security-guide package is installed on your system and the package version corresponds to the version of RHEL that you want to install. For more information, see Supported versions of the SCAP Security Guide in RHEL. Using a different version can cause conflicts.

    Note

    If your system has the same version of RHEL as the version you want to install, you can install the scap-security-guide package directly.

Procedure

  1. Find the ID of the security profile from the data stream file:

    $ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    Profiles:
    …
      Title: Australian Cyber Security Centre (ACSC) Essential Eight
    	Id: xccdf_org.ssgproject.content_profile_e8
      Title: Health Insurance Portability and Accountability Act (HIPAA)
    	Id: xccdf_org.ssgproject.content_profile_hipaa
      Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 10
    	Id: xccdf_org.ssgproject.content_profile_pci-dss
    …
  2. Optional: If you want to customize your hardening with XCCDF Tailoring file you can use the autotailor command provided in the openscap-utils package. For more information, see Customizing a security profile with autotailor.
  3. Generate the kickstart file from the SCAP source data stream:

    $ oscap xccdf generate fix --profile <profile_ID> --output <kickstart_file>.cfg --fix-type kickstart /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    If you are using a tailoring file, embed the tailoring file into the generated kickstart file by using the --tailoring-file tailoring.xml option and your custom profile ID, for example:

    $ oscap xccdf generate fix --tailoring-file tailoring.xml --profile <custom_profile_ID> --output <kickstart_file>.cfg --fix-type kickstart ./ssg-rhel10-ds.xml
  4. Review and, if necessary, manually modify the generated <kickstart_file>.cfg to fit the needs of your deployment. Follow the instructions in the comments in the file.

    Note

    Some changes might affect the compliance of the systems installed by the kickstart file. For example, some security policies require defined partitions or specific packages and services.

  5. Use the kickstart file for your installation. For the installer to use the kickstart, the kickstart can be served through a web server, provided in PXE, or embedded into the ISO image. For detailed steps, see Installing RHEL fully and semi-automated in RHEL product documentation.
  6. After the installation finishes, the system reboots automatically. After the reboot, log in and review the installation SCAP report saved in the /root directory.

Verification

  • Scan the system for compliance and save the report in a HTML file for review:

    • With the original profile:

      # oscap xccdf eval --report report.html --profile <profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    • With the tailored profile:

      # oscap xccdf eval --report report.html --tailoring-file tailoring.xml --profile <custom_profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

5.5. Customizing a security profile with autotailor

You can customize a security profile to better adjust it to your specific needs, for example, to implement an internal policy that differs from the official profile. When customizing a profile, you can select additional rules, remove rules that you cover differently, and change parameters of certain rules such as minimum password length. You cannot define new rules when customizing a profile.

By using the autotailor utility, you create an XCCDF tailoring file that contains all of the modifications of the original profile. Then, when you are scanning, remediating, or installing a system in accordance to a SCAP profile, you pass this tailoring file to the oscap command-line utility.

Prerequisites

Procedure

  1. Create a tailoring file for your profile by using the autotailor command, for example:

    $ autotailor \ --select=<ruleID_1> \ --select=<ruleID_2> \ --unselect=<ruleID_3> \ --var-value=<valueID_1>=<value_1> \ --var-value=<valueID_2>=<value_2> \ --output=<tailoring.xml> \ --tailored-profile-id=<custom_profileID> \ /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml <profileID>

    Where:

    • <customization_options> are the modifications of the profile. Use one or more of the following options:

      --select=<ruleID>
      Add an existing rule to the profile.
      --unselect=<ruleID>
      Remove a rule from the profile.
      --var-value=<valueID>=<value>
      Override a pre-set value. For example, to set var_sshd_max_sessions to 10, use --var-value=var_sshd_max_sessions=10.
    • <tailoring.xml> is the file name where autotailor saves the tailoring.
    • <custom_profileID> is the profile ID within which the autotailor saves customizations, for example, custom_cis.
    • <profileID> is the profile ID with which the system should comply, for example, cis.
    Note

    For all profile, rule, and variable XCCDF IDs you can use either a full namespaced identifier or a shortened ID which autotailor automatically augments with the namespace prefix. For example, cis is equivalent to xccdf_org.ssgproject.content_profile_cis.

    You can override the default namespace org.ssgproject.content by using the --id-namespace option.

  2. Optional: Create a tailoring file based on the customizations defined in the JSON Tailoring format:

    $ autotailor --output=<tailoring.xml> --json-tailoring=<json_tailoring.json>

    Replace:

    • <json_tailoring.json> with the file name with JSON Tailoring definitions.
    Note

    You can mix --json-tailoring with --select, --unselect, and --var-value command-line customizations. In that case, command-line customizations have priority over JSON Tailoring.

Additional resources

  • autotailor(8) man page on your system

5.6. SCAP Security Guide profiles supported in RHEL 10

Use only the SCAP content provided in the particular minor release of RHEL. This is because components that participate in hardening are sometimes updated with new capabilities. SCAP content changes to reflect these updates, but it is not always backward compatible.

Table 5.1. SCAP Security Guide profiles supported in RHEL 10.0
Profile nameProfile IDPolicy version

[DRAFT] French National Agency for the Security of Information Systems (ANSSI) BP-028 Enhanced Level

xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

2.0

[DRAFT] French National Agency for the Security of Information Systems (ANSSI) BP-028 High Level

xccdf_org.ssgproject.content_profile_anssi_bp28_high

2.0

[DRAFT] French National Agency for the Security of Information Systems (ANSSI) BP-028 Intermediary Level

xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

2.0

[DRAFT] French National Agency for the Security of Information Systems (ANSSI) BP-028 Minimal Level

xccdf_org.ssgproject.content_profile_anssi_bp28_minimal

2.0

[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server

xccdf_org.ssgproject.content_profile_cis

DRAFT

[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server

xccdf_org.ssgproject.content_profile_cis_server_l1

DRAFT

[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l1

DRAFT

[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation

xccdf_org.ssgproject.content_profile_cis_workstation_l2

DRAFT

[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight

xccdf_org.ssgproject.content_profile_e8

not versioned

[DRAFT] Health Insurance Portability and Accountability Act (HIPAA)

xccdf_org.ssgproject.content_profile_hipaa

not versioned

[DRAFT] Australian Cyber Security Centre (ACSC) ISM Official - Base

xccdf_org.ssgproject.content_profile_ism_o

not versioned

[DRAFT] Australian Cyber Security Centre (ACSC) ISM Official - Secret

xccdf_org.ssgproject.content_profile_ism_o_secret

not versioned

[DRAFT] Australian Cyber Security Centre (ACSC) ISM Official - Top Secret

xccdf_org.ssgproject.content_profile_ism_o_top_secret

not versioned

[DRAFT] PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9

xccdf_org.ssgproject.content_profile_pci-dss

4.0

[DRAFT] The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) for Red Hat Enterprise Linux 10

xccdf_org.ssgproject.content_profile_stig

DRAFT

[DRAFT] The Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) with GUI for Red Hat Enterprise Linux 10

xccdf_org.ssgproject.content_profile_stig_gui

DRAFT

5.7. Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.