How to Audit Linux Systems using OpenSCAP

Reading Time: 4 minutes

Introduction

In an organization,Suppose there are multiple systems that could be either virtual servers, containers, windows, or even workstations. security should be a major concern for these systems to avoid from any unauthorized access and irrelevant activities.

As in this current COVID-19 pandemic situation where everyone is working from home. it’s good to secure our workstations too as many important data resides in our laptops. We need an advanced and standard way to avoid vulnerability and provide the best possible option to audit all the systems.

I have deep dive on the Internet and I came across a tool called OpenSCAP.

before moving to openscap let’s know a little bit about scap.

SCAP

Security Content Automation Protocol (SCAP) is a standard method that provides automated vulnerability management and compliance checks in various hosts. it is maintained by NIST.

SCAP checks security compliance by using XCCDF(Extensible content checklist definition format) and OVAL(open vulnerability automation language) components.

XCCDF:- It is an XML file that contains policy structure. it must have a unique name and benchmark ID. it helps to check the vulnerability of hosts.

OVAL:- this file contains policy checks. it helps to check whether the host has up-to-date patches or not.

these are two components that we would use in our audit checks with openscap in further demo part.

OpenSCAP

openscap is the best tool for performing security audits and provides a great way to check systems vulnerability in an easy and automated way.

It is a collection of open-source tools for implementing and enforcing security audits that helps system administrators and auditors with assessment, measurement, and enforcement of security baselines.

It is a cross-platform open-source tool that provides a wide range of hardening and auditing guidelines for enforcing security.

In this demo, we are going to perform security audits to the remote hosts from the policy server using openscap.

Prerequisites:

  • Two Ubuntu servers having IP’s 192.168.1.103, 192.168.1.104 with network connectivity with each other.
  • user with sudo rights.
  • both servers should have libopenscap8 installed.
  • policy server should have oscap-ssh configured.
  • policy server should have keyless to other Ubuntu server in order to avoid password prompt.

Installation:

We are going to perform these steps in server : 192.168.1.103 which would treat as a policy server to perform audits.

sudo apt-get install libopenscap8 openssh-server -y
sudo apt-get install ssg-debian openssh-client -y

Now we need to install oscap-ssh which would allow to perform audit on remote hosts.

However, this is a part of openscap project but it’s not included in libopenscap8 package. we would need to download it from openscap project repository.

wget https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.2/utils/oscap-ssh

sudo su -
chmod 755 oscap-ssh
mv -v oscap-ssh /usr/local/bin
chown root:root /usr/local/bin/oscap-ssh

furthermore we need to make keyless by adding the public key to remote host.

take the content of id_rsa.pub from home directory of user of the policy server. then go to the remote host and make authorized_keys file if not exists in home directory of user under .ssh and add whole content of id_rsa.pub of the policy server.

after that give 600 rights to authorized_keys and 700 to .ssh directory, which is placed under home directory of user.

chmod 700 /home/gopal/.ssh
chmod 600 /home/gopal/.ssh/authorized_keys

Introduction to scap security guide

scap security guide is a security policy that is written in scap document. it covers many areas of system security and provides best practices to check security audits in hosts.

In addition, this guide consists of predefined rules and remediations scripts for target hosts.

scap security guide with openscap can be used together to perform security audits in an automated way.

It implements security guidelines recommended by respected authorities PCI DSS, STIG, and USGCB.

Download this scap security guide from scap project repo and extract it.

wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.50/scap-security-guide-0.1.50.zip

unzip scap-security-guide-0.1.50.zip

Now we will perform vulnerability check with the collaboration of openscap and scap security guide content in another ubuntu host which has IP 192.168.1.104.

Launching compliance test:

oscap-ssh gopal@192.168.1.104 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_standard --report ~/192.168.1.104.html ~/Downloads/scap-security-guide-0.1.50/ssg-ubuntu1804-ds-1.2.xml

oscap-ssh: this is a script that allows us to ssh to the remote host to check the security audit.

xccdf_org.ssgproject.content_profile_standard: this is a xccdf profile id(benchmark id) which is part of xccdf xml file.

And this is the main xccdf file “ssg-ubuntu1804-ds-1.2.xml” which we would use to check the vulnerability of hosts.

however this is in-build security rules which come with scap security guide.

After running the above command, we will get an evaluation report which explicitly displays remote hosts details with pass and fail status of various security rules.

this rule is defined in the XCCDF profile file “ssg-ubuntu1804-ds-1.2.xml” of scap security guide.

Here is a sample openscap evaluation report output.


For more details of the evaluation report please click here

Remediation:

After the vulnerability check, it’s our responsibility to remediate these vulnerabilities which have found in our security audit.

scap security guide provides us various ways to remediate these vulnerabilities. these are few methods such as bash script, Ansible playbook, and even with GUI of openscap.

In this demo, I will show you with Ansible playbook. you can use other methods as per your convenience.

Here, I have mentioned scap security remediation path where we will get various Ansible playbooks for different Linux distributions.

cd ~/Downloads/scap-security-guide-0.1.50/ansible/

As we have Ubuntu 18.04 so we will remediate with this playbook “ubuntu1804-playbook-standard.yml” which is resided under the above path.

ansible-playbook -i "192.168.1.104," ubuntu1804-playbook-standard.yml -u gopal

We can see, these are sample output of Ansible playbook which remediates remote host 192.168.1.104.

TASK [Ensure permission 0640 on /etc/gshadow] *
ok: [192.168.1.104]
TASK [Test for existence /etc/passwd] *
ok: [192.168.1.104]
TASK [Ensure permission 0644 on /etc/passwd]
ok: [192.168.1.104]
TASK [Test for existence /etc/shadow] *
ok: [192.168.1.104]
TASK [Ensure group owner 42 on /etc/shadow] *
ok: [192.168.1.104]
TASK [Deduplicate values from /etc/ssh/sshd_config] *
changed: [192.168.1.104]
TASK [Insert correct line to /etc/ssh/sshd_config]
changed: [192.168.1.104]
TASK [Deduplicate values from /etc/ssh/sshd_config] *
changed: [192.168.1.104]
TASK [Insert correct line to /etc/ssh/sshd_config]
changed: [192.168.1.104]
TASK [Ensure cron is installed] *
ok: [192.168.1.104]
TASK [Gather the package facts] *
ok: [192.168.1.104]
TASK [Enable service cron] ****
ok: [192.168.1.104]
TASK [Ensure ntp is installed]
ok: [192.168.1.104]
TASK [Gather the package facts] *
ok: [192.168.1.104]
TASK [Enable service ntp] *
changed: [192.168.1.104]
TASK [Gather the package facts] *
ok: [192.168.1.104]
TASK [Enable service systemd-timesyncd] *
changed: [192.168.1.104]
TASK [Ensure inetutils-telnetd is removed] **
ok: [192.168.1.104]
TASK [Ensure nis is removed] **
ok: [192.168.1.104]
TASK [Ensure ntpdate is removed]
ok: [192.168.1.104]
TASK [Ensure telnetd-ssl is removed]
ok: [192.168.1.104]
TASK [Ensure telnetd is removed]
ok: [192.168.1.104]
PLAY RECAP
192.168.1.104 : ok=52 changed=6 unreachable=0 failed=0

Conclusion:

Here, we have determined how we can do security audits and remediation of ubuntu servers, however, we can perform these tasks on other Linux distributions as well to achieve security goals.

References:

openscap

scap remediations