The ComplianceAsCode (SSG) project delivers security guidance, baselines and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP). SSG provides content for Red Hat Enterprise Linux. In addition to hardening advice, SSG links back to compliance requirements in order to eease deployment activities, such as certification and accreditation. These include requirements in the U.S. Government (Federal, Defense, and Intelligence Community) as well as of the financial services and health care industries. For example, high-level and widely-accepted policies such as NIST 80-53 provide prose stating that System Administrators must audit "privileged user actions," but do not define what "privileged actions" are. The SSG bridges the gap between generalized policy requirements and specific implementation guidance, in SCAP formats to support automation whenever possible. The project homepage is https://www.open-scap.org/security-policies/scap-security-guide.
The National Security Agency's Information Assuranc Directorate (NSA IAD) is presidentially mandated to protect Confidential, Secret, and Top Secret information that could reasonably be expected to cause damage to U.S. National Security. As part of this mission, NSA develops and distributes configuration guidance for operating systems. These guides are currently being used throughout the U.S. government and by numerous entities as a security baseline for their systems. The ComplianceAsCode project serves as NSA’s upstream source for Red Hat Enterprise Linux operating system guidance.
The U.S. Defense Information Systems Agency, Field Security Operations (DISA FSO) authors hardening guidance known as Security Technical Implementation Guides (STIGs). These documents, used throughout the U.S. military to harden systems, establish formal security compliance baselines. The ComplianceAsCode project serves as the usptream development source for Red Hat STIG content and helps DISA FSO move towards their business objective of utilizing SCAP-based formats to automate security compliance across U.S. military organizations.
NIST publishes 'National Checklists' for software, which as defined directly by NIST:
“The National Checklist Program (NCP), defined by the NIST SP 800-70 Rev. 2, is the U.S. Government repositiory of publicly available securiyy checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to the Security Content Automation Protocol (SCAP).”
The ComplianceAsCode project serves as the upstream repository for Red Hat Enterprise Linux related checklists.
By installing distribution packages, you will get the built content.
For example, on Red Hat-based distributions, those will be files under the /usr/share/xml/scap/ssg/content/
directory.
What files will that be depends on the distribution, but for example on Fedora, you will get the Fedora datastream at /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
.
-
Red Hat Enterprise Linux 7+
$ sudo yum -y install scap-security-guide
-
Fedora
$ sudo dnf -y install scap-security-guide
If you need to use upstream content rather than what is shipped in the distribution, you can download the nightly build, or build it yourself.
The nightly builds are performed by our Jenkins instance, in the nightly jobs. Below are direct links to the latest builds:
If you wish to build the content yourself, please, refer to Building Compliance as Code section, in the Developer Guide.
This document outlines the usage of OpenSCAP, a command-line utility packaged within Fedora and Red Hat Enterprise Linux which allows users to load, scan, validate, edit, and export SCAP documents.
See also OpenSCAP User Manual for instructions how to use OpenSCAP. Additional details regarding OpenSCAP can be found on the project homepage located at http://open-scap.org/.
Five arguments to OpenSCAP are needed to perform a system scan against the upstream DISA STIG profile:
-
--profile
Mandatory, identifies which profile to scan against -
--results
Optional, indicates location to place XML formatted results -
--report
Optional, indicates location to place HTML formatted results -
datastream location
Mandatory, identifies location of SCAP Source Datastream file
Putting these arguments together, a properly formatted command would be:
$ sudo oscap xccdf eval --profile stig \ --results /tmp/results.xml \ --report /tmp/report.html \ /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
While the scan is running, you will see output similar to the following on your screen:
Title Install AIDE Rule package_aide_installed Ident CCE-27024-9 Result fail Title Configure Periodic Execution of AIDE Rule aide_periodic_cron_checking Ident CCE-27222-9 Result notchecked Title Verify File Permissions with RPM Rule rpm_verify_permissions Ident CCE-26731-0 Result fail Title Verify File Hashes with RPM Rule rpm_verify_hashes Ident CCE-27223-7 Result pass
Looking at the /tmp/results.xml
file, you will notice lines similar to those below:
<rule-result idref="ensure_gpgcheck_globally_activated" time="2013-10-22T10:03:43" severity="high" weight="1.000000"> <result>pass</result> <ident system="http://cce.mitre.org">CCE-26709-6</ident> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-content-ref name="oval:ssg:def:413" href="ssg-rhel6-oval.xml"/> </check> </rule-result> ...... <rule-result idref="package_aide_installed" time="2013-10-22T10:03:43" severity="medium" weight="1.000000"> <result>pass</result> <ident system="http://cce.mitre.org">CCE-27024-9</ident> <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" system="urn:xccdf:fix:script:sh"> yum -y install aide </fix> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-content-ref name="oval:ssg:def:245" href="ssg-rhel6-oval.xml"/> </check> </rule-result>
The XML above can be parsed as follows:
XML Tag |
Meaning |
<rule-result idref…..> |
Identifies which XCCDF rule the result reflects |
<result> |
Pass/Fail/Not Applicable |
<ident system…..> |
Identifies corresponding CCE |
<fix> |
Remediation actions, in bash, which will configure the system to be in compliance with the XCCDF rule |
<check system….> |
Identifies which version of OVAL the check was authored against |
<check-content-ref ….> |
Corresponding OVAL check name (name=….) and source OVAL file (href=….) this check came from. For general purpose users, this information can be ignored. |
A Bash remediation script for each profile is shipped in scap-security-guide
package.
The scripts can be found in /usr/share/scap-security-guide/bash/
or if you build the project from source in ./build/bash
.
Moreover, ComplianceAsCode embeds bash remediation scripts into the SCAP content. This allows for SCAP compatible tools to extract these remediation scripts to aide in potential remediation of system misconfigurations.
OpenSCAP, the CLI delivered with Fedora and Red Hat Enterprise Linux systems, contains the ability to transform XML results into an executable script. The syntax to generate a remediation script is:
$ oscap xccdf generate fix \ --result-id xccdf_org.open-scap_testresult_{profile-name} \ /root/ssg-results.xml
Replace {profile-name} with the profile the system was scanned against. For example, for stig-rhel6-server:
$ oscap xccdf generate fix \ --result-id xccdf_org.open-scap_testresult_stig \ /root/ssg-results.xml
You will receive output similar to the following:
$ oscap xccdf generate fix \ --result-id xccdf_org.open-scap_testresult_stig \ /root/ssg-results.xml #!/bin/bash # OpenSCAP fix generator output for benchmark: DRAFT Guide # to the Secure Configuration of Red Hat Enterprise Linux 8 # XCCDF rule: set_sysctl_net_ipv4_conf_default_rp_filter # CCE-26915-9 # # Set runtime for net.ipv4.conf.default.rp_filter # sysctl -q -n -w net.ipv4.conf.default.rp_filter=1 # # If net.ipv4.conf.default.rp_filter present in # /etc/sysctl.conf, change value to "1" # else, add "net.ipv4.conf.default.rp_filter = 1" to /etc/sysctl.conf # if grep --silent ^net.ipv4.conf.default.rp_filter /etc/sysctl.conf ; then sed -i \ 's/^net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter \ = 1/g' /etc/sysctl.conf else echo "" >> /etc/sysctl.conf echo "# Set net.ipv4.conf.default.rp_filter to 1 per \ security requirements" >> /etc/sysctl.conf echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf fi # XCCDF rule: uninstall_xinetd # CCE-27005-8 if rpm -qa | grep -q xinetd; then yum -y remove xinetd fi # generated: 2013-07-05T13:56:30-04:00 # END OF SCRIPT
This output could be redirected to a bash script, or built into your RHEL7 provisioning process (e.g. the %post section of a kickstart).
ComplianceAsCode embeds ansible remediation scripts into the SCAP content. This allows for SCAP compatible tools to extract these remediation scripts to aide in potential remediation of system misconfigurations. When using OpenSCAP with Ansible, it is advisable to use the playbooks from https://github.com/RedHatOfficial. These playbooks are generated from the ComplianceAsCode project and are also available on Ansible Galaxy.
Important
|
The minimum version of Ansible must be at the latest supported version. See https://access.redhat.com/support/policy/updates/ansible-engine for information on the supported Ansible versions. |
Product | EOL Date | Last Release |
---|---|---|
Debian 8 |
June 30, 2020 |
|
Red Hat OpenStack Platform 7 |
August 5, 2018 |
|
Webmin |
- |
|
Red Hat Enterprise Virtualization Manager 3 |
September 30, 2018 |
|
JBoss EAP 5 |
November 30, 2016 |
|
JBoss EAP 6 |
June 30, 2019 |
JBoss Fuse 6 |
January 1, 2022 |
Red Hat Enterprise Linux 5 |
|
March 31, 2017 |
Ubuntu 14.04 |
|
April 30, 2019 |
SUSE Enterprise Linux 11 |
|
March 31, 2019 |
Red Hat OpenShift Container Platform 3 |
|
June 1, 2022 |
Red Hat Enterprise Linux 6 |
|
November 1, 2020 |
Java Runtime Environment |
Funded by the Internal Revenue Service and the National Security Agency, Naval Information Warfare Center (NIWC) Atlantic has authored a SCAP Compliance Checker (SCC). The NIWC SCC tool is available to the general public. The NIWC SCC website is https://www.niwcatlantic.navy.mil/scap/. The SCC tool is available for download at https://public.cyber.mil/stigs/scap.
To utilize SCC with ComplianceAsCode content:
-
Import SSG content into SCC through the cscc -is command
[root@localhost scc]# cd /opt/scc [root@localhost scc]# ./cscc -is /home/testUser/Desktop/ssg_scc.zip Extracted: /opt/scc/Resources/Content/ssg-rhel6-cpe-oval.xml. Extracted: /opt/scc/Resources/Content/ssg-rhel6-cpe-dictionary.xml. Extracted: /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml. Extracted: /opt/scc/Resources/Content/ssg-rhel6-ocil.xml. Extracted: /opt/scc/Resources/Content/ssg-rhel6-oval.xml. SCAP Content successfully installed to the Resources/Content directory. Please enable content by running CSCC with the '--config' option.
-
Enable the SSG content by first executing cscc --config:
[root@localhost scc]# ./cscc --config SCC 3.1 RC2 configuration edit menu. Make menu selection: 1. Configure SCAP content 2. Configure SCAP profiles 3. Delete SCAP content 4. Configure OVAL content 5. Delete OVAL content 6. Configure Options 7. Configure SSH Options 8. Exit and save changes 9. Exit without saving changes SCAP Processing is Enabled - 0 of 3 SCAP streams are enabled OVAL Processing is Disabled - 0 of 0 OVAL streams are enabled Enter menu selection: 1
You will be presented with a list of imported SCAP content. Select the option for SSG, which will be simular to option 1 shown below:
SCC 3.1 RC2 Available SCAP Content All content paths are relative to the installation directory at: /opt/scc/Resources 1. [ ] ssg-rhel6 2013-02-01-05:00 0.1 path: Content/ profile: test 2. [ ] U_RedHat_5_V1R2_STIG_Benchmark 2013-01-17 1 path: Content/ profile: MAC-1_Classified 3. [ ] usgcb-rhel5desktop 2011-09-30 1.0.5.0 path: Content/USGCB-RHEL5-1.0.5.0/ profile: united_states_government_configuration_baseline SCAP Content 0 of 3 enabled. Enter content number to enable or disable content ('all', 'clear', or ranges N-N are allowed, type 'back' or '0' to return): 1
Once selected, an [X] will be shown before the SSG SCAP content. Verify the SSG content has been enabled, then enter 0 to return to the SCC main screen:
SCC 3.1 RC2 Available SCAP Content All content paths are relative to the installation directory at: /opt/scc/Resources 1. [X] ssg-rhel6 2013-02-01-05:00 0.1 path: Content/ profile: test 2. [ ] U_RedHat_5_V1R2_STIG_Benchmark 2013-01-17 1 path: Content/ profile: MAC-1_Classified 3. [ ] usgcb-rhel5desktop 2011-09-30 1.0.5.0 path: Content/USGCB-RHEL5-1.0.5.0/ profile: united_states_government_configuration_baseline SCAP Content 1 of 3 enabled. Enter content number to enable or disable content ('all', 'clear', or ranges N-N are allowed, type 'back' or '0' to return): 0
-
Select SSG Profile
From the SCC home screen, select option 2, "Configure SCAP profiles"SCC 3.1 RC2 configuration edit menu. Make menu selection: 1. Configure SCAP content 2. Configure SCAP profiles 3. Delete SCAP content 4. Configure OVAL content 5. Delete OVAL content 6. Configure Options 7. Configure SSH Options 8. Exit and save changes 9. Exit without saving changes SCAP Processing is Enabled - 1 of 3 SCAP streams are enabled OVAL Processing is Disabled - 0 of 0 OVAL streams are enabled Enter menu selection: 2
You will be brought to the SCAP content selection screen. Select the option for SSG, simular to option 1 shown below:
Select SCAP Content to view available profiles 1. [X] ssg-rhel6 2013-02-01-05:00 0.1 path: Content/ profile: stig-rhel6-server Enter content number to view available profiles (type 'back' or '0' to return): 1
You will be shown available SSG profiles. Select the numerical identifier for the profile you wish to scan against, such as stig-rhel6-server:
Available Profiles for ssg-rhel6 2013-02-01-05:00 0.1 1. [ ] test 2. [ ] common 3. [ ] desktop 4. [ ] server 5. [ ] ftp 6. [ ] ftp 7. [X] stig-rhel6-server Enter profile number to set selected profile (type 'back' or '0' to return): 7
You will be brought to the SCAP Content screen. Enter '0' to return to the SCC main screen:
Select SCAP Content to view available profiles 1. [X] ssg-rhel6 2013-02-01-05:00 0.1 path: Content/ profile: stig-rhel6-server Enter content number to view available profiles (type 'back' or '0' to return): 0
-
Configure SSC Options
From the SCC main screen, select option 6, "Configure Options"SCC 3.1 RC2 configuration edit menu. Make menu selection: 1. Configure SCAP content 2. Configure SCAP profiles 3. Delete SCAP content 4. Configure OVAL content 5. Delete OVAL content 6. Configure Options 7. Configure SSH Options 8. Exit and save changes 9. Exit without saving changes SCAP Processing is Enabled - 1 of 3 SCAP streams are enabled OVAL Processing is Disabled - 0 of 0 OVAL streams are enabled Enter menu selection: 6
On the options menu, ensure the following settings are enabled (indicated by [X]). To enable/disable settings, enter their corresponding numerical identifier:
SCC 3.1 RC2 Options menu. Make menu selection: Content Scan Methods 1. [X] Perform SCAP Scan 2. [ ] Perform OVAL Scan Select Reports 3. [X] Generate 'All Settings' report 4. [ ] Generate 'All Settings Summary' report 5. [X] Generate 'Non-Compliance' report 6. [ ] Generate 'Non-Compliance Summary' report Report File Types 7. [X] Generate reports as HTML 8. [ ] Generate reports as Text Logging and Debugging 9. [ ] Save screen logs 10. [ ] Save debug logs 11. [ ] Suppress warnings XML Results 12. [X] Save generated XCCDF OXML files 13. [X] Save generated OVAL XML files 14. [ ] Create ARF XML output 15. [ ] Validate XML output files 16. [ ] Save failed CPE XML results files Content Processing 17. [ ] Scan content directories on application load 18. [ ] Validate content stream(s) XML files Data Directory 19. /opt/scc OVAL Processing Options 20. [X] Ignore remote fileSystems 21. [X] Enable item creation threshold 22. Item creation threshold: 50000 23. [X] Ignore file extended ACL attributes Enter menu selection (type 'back' or '0' to return):
Once the above options are set, return to the SCC main screen by entering 0.
-
Select option 8, "Exit and save changes":
SCC 3.1 RC2 configuration edit menu. Make menu selection: 1. Configure SCAP content 2. Configure SCAP profiles 3. Delete SCAP content 4. Configure OVAL content 5. Delete OVAL content 6. Configure Options 7. Configure SSH Options 8. Exit and save changes 9. Exit without saving changes SCAP Processing is Enabled - 1 of 3 SCAP streams are enabled OVAL Processing is Disabled - 0 of 0 OVAL streams are enabled Enter menu selection: 8 Saving changes.
-
Execute an SCC scan. Results should end simularly to the following:
localhost: Processing (391 of 411) Configure Dovecot to Use the SSL Certificate file localhost: Processing (392 of 411) Configure Dovecot to Use the SSL Key file localhost: Processing (393 of 411) Disable Plaintext Authentication - (CCE-27144-5) localhost: Processing (394 of 411) Disable Samba - (CCE-27143-7) localhost: Processing (395 of 411) Disable Root Access localhost: Processing (396 of 411) Disable Root Access localhost: Processing (397 of 411) Require Client SMB Packet Signing, if using smbclient - (CCE-26328-5) localhost: Processing (398 of 411) Require Client SMB Packet Signing, if using mount.cifs - (CCE-26792-2) localhost: Processing (399 of 411) Disable Squid - (CCE-27146-0) localhost: Processing (400 of 411) Uninstall squid Package - (CCE-26977-9) localhost: Processing (401 of 411) Disable snmpd Service - (CCE-26906-8) localhost: Processing (402 of 411) Uninstall net-snmp Package - (CCE-26332-7) localhost: Processing (403 of 411) Configure SNMP Service to Use Only SNMPv3 or Newer localhost: Processing (404 of 411) Ensure Default Password Is Not Used localhost: Processing (405 of 411) Product Meets this Requirement localhost: Processing (406 of 411) Product Meets this Requirement localhost: Processing (407 of 411) Product Meets this Requirement localhost: Processing (408 of 411) Guidance Does Not Meet this Requirement Due to Impracticality or Scope localhost: Processing (409 of 411) Implementation of the Requirement is Not Supported localhost: Processing (410 of 411) Guidance Does Not Meet this Requirement Due to Impracticality or Scope localhost: Processing (411 of 411) A process for prompt installation of OS updates must exist. localhost: Calculating scores localhost: User: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_OVAL-Results_ssg-rhel6.xml localhost: OCIL Schema Version: 2.0 localhost: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_OCIL-Results_ssg-rhel6.xml localhost: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_OVAL-Variables_ssg-rhel6.xml localhost: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_XCCDF-Results_ssg-rhel6.xml localhost: Generating report testUser_SCC-3.1_RC2_2013-02-04_145218_All-Settings_ssg-rhel6.htm localhost: Generating report testUser_SCC-3.1_RC2_2013-02-04_145218_Non-Compliance_ssg-rhel6.htm localhost: Adjusted Score - 0% [RED] localhost: Original Score - 0% [RED] Total Errors: 11 Total Warnings: 2 Review complete. Results, if any, are located in the following directory: /opt/scc/Results Logs, if any, are located in the following directory: /opt/scc/Logs