8.7. Scanning the System with a Customized Profile Using SCAP Workbench

Procedure

1. To run SCAP Workbench from the GNOME Classic desktop environment, press the Super key to enter the Activities Overview, type scap-workbench, and then press Enter. Alternatively, use:

   ~]$ scap-workbench &

   Copy to Clipboard Toggle word wrap
2. Select a security policy by using any of the following options:
   • Load Content button on the starting window
   • Open content from SCAP Security Guide
   • Open Other Content in the File menu, and search the respective XCCDF, SCAP RPM, or data stream file.
     

     View larger image

     
3. You can enable automatic correction of the system configuration by selecting the Remediate check box. With this option enabled, SCAP Workbench attempts to change the system configuration in accordance with the security rules applied by the policy. This process attempts to fix the related checks that fail during the system scan.

   Warning

   If not used carefully, running the system evaluation with the Remediate option enabled might render the system non-functional. Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.
4. Scan your system with the selected profile by clicking the Scan button.
   

   View larger image

   
5. To store the scan results in form of an XCCDF, ARF, or HTML file, click the Save Results combo box. Choose the HTML Report option to generate the scan report in a human-readable format. The XCCDF and ARF (data stream) formats are suitable for further automatic processing. You can repeatedly choose all three options.
6. To export results-based remediations to a file, use the Generate remediation role pop-up menu.

Procedure

1. Run SCAP Workbench, and select the profile you want to customize by using either Open content from SCAP Security Guide or Open Other Content in the File menu.
2. To adjust the selected security profile according to your needs, click the Customize button.
   This opens the new Customization window that enables you to modify the currently selected XCCDF profile without changing the original XCCDF file. Choose a new profile ID.
   

   View larger image

   
3. Find a rule to modify using either the tree structure with rules organized into logical groups or the Search field.
4. Include or exclude rules using check boxes in the tree structure, or modify values in rules where applicable.
   

   View larger image

   
5. Confirm the changes by clicking the OK button.
6. To store your changes permanently, use one of the following options:
   • Save a customization file separately by using Save Customization Only in the File menu.
   • Save all security content at once using Save All in the File menu.
     If you select the Into a directory option, SCAP Workbench saves both the XCCDF or data stream file and the customization file to the specified location. You can use this as a backup solution.
     By selecting the As RPM option, you can instruct SCAP Workbench to create an RPM package containing the data stream file and the customization file. This is useful for distributing the security content to systems that cannot be scanned remotely, and for delivering the content for further processing.