Skip to content

Latest commit

 

History

History
650 lines (520 loc) · 23.6 KB

user_guide.adoc

File metadata and controls

650 lines (520 loc) · 23.6 KB

ComplianceAsCode User Guide

1. Introduction

The ComplianceAsCode (SSG) project delivers security guidance, baselines and associated validation mechanisms utilizing the Security Content Automation Protocol (SCAP). SSG provides content for Red Hat Enterprise Linux. In addition to hardening advice, SSG links back to compliance requirements in order to eease deployment activities, such as certification and accreditation. These include requirements in the U.S. Government (Federal, Defense, and Intelligence Community) as well as of the financial services and health care industries. For example, high-level and widely-accepted policies such as NIST 80-53 provide prose stating that System Administrators must audit "privileged user actions," but do not define what "privileged actions" are. The SSG bridges the gap between generalized policy requirements and specific implementation guidance, in SCAP formats to support automation whenever possible. The project homepage is https://www.open-scap.org/security-policies/scap-security-guide.

1.1. Government/Industry Collaboration

logos 400x400 nsa 300x300

The National Security Agency's Information Assuranc Directorate (NSA IAD) is presidentially mandated to protect Confidential, Secret, and Top Secret information that could reasonably be expected to cause damage to U.S. National Security. As part of this mission, NSA develops and distributes configuration guidance for operating systems. These guides are currently being used throughout the U.S. government and by numerous entities as a security baseline for their systems. The ComplianceAsCode project serves as NSA’s upstream source for Red Hat Enterprise Linux operating system guidance.

logos 400x400 disa 300x300

The U.S. Defense Information Systems Agency, Field Security Operations (DISA FSO) authors hardening guidance known as Security Technical Implementation Guides (STIGs). These documents, used throughout the U.S. military to harden systems, establish formal security compliance baselines. The ComplianceAsCode project serves as the usptream development source for Red Hat STIG content and helps DISA FSO move towards their business objective of utilizing SCAP-based formats to automate security compliance across U.S. military organizations.

logos 400x400 nist 300x300

NIST publishes 'National Checklists' for software, which as defined directly by NIST:

“The National Checklist Program (NCP), defined by the NIST SP 800-70 Rev. 2, is the U.S. Government repositiory of publicly available securiyy checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to the Security Content Automation Protocol (SCAP).”

The ComplianceAsCode project serves as the upstream repository for Red Hat Enterprise Linux related checklists.

2. Installing

By installing distribution packages, you will get the built content. For example, on Red Hat-based distributions, those will be files under the /usr/share/xml/scap/ssg/content/ directory. What files will that be depends on the distribution, but for example on Fedora, you will get the Fedora datastream at /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml.

2.1. Installing from distribution packages

  • Red Hat Enterprise Linux 7+

    $ sudo yum -y install scap-security-guide
  • Fedora

    $ sudo dnf -y install scap-security-guide

2.2. Installing content from upstream

If you need to use upstream content rather than what is shipped in the distribution, you can download the nightly build, or build it yourself.

The nightly builds are performed by our Jenkins instance, in the nightly jobs. Below are direct links to the latest builds:

If you wish to build the content yourself, please, refer to Building Compliance as Code section, in the Developer Guide.

3. Running a Scan

3.1. Command Line Interface (CLI)

This document outlines the usage of OpenSCAP, a command-line utility packaged within Fedora and Red Hat Enterprise Linux which allows users to load, scan, validate, edit, and export SCAP documents.

See also OpenSCAP User Manual for instructions how to use OpenSCAP. Additional details regarding OpenSCAP can be found on the project homepage located at http://open-scap.org/.

Five arguments to OpenSCAP are needed to perform a system scan against the upstream DISA STIG profile:

  • --profile
    Mandatory, identifies which profile to scan against

  • --results
    Optional, indicates location to place XML formatted results

  • --report
    Optional, indicates location to place HTML formatted results

  • datastream location
    Mandatory, identifies location of SCAP Source Datastream file

Putting these arguments together, a properly formatted command would be:

$ sudo oscap xccdf eval --profile stig \
--results /tmp/results.xml \
--report /tmp/report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

While the scan is running, you will see output similar to the following on your screen:

Title   Install AIDE
Rule    package_aide_installed
Ident   CCE-27024-9
Result  fail

Title   Configure Periodic Execution of AIDE
Rule    aide_periodic_cron_checking
Ident   CCE-27222-9
Result  notchecked

Title   Verify File Permissions with RPM
Rule    rpm_verify_permissions
Ident   CCE-26731-0
Result  fail

Title   Verify File Hashes with RPM
Rule    rpm_verify_hashes
Ident   CCE-27223-7
Result  pass

3.2. Results Interpretation

3.2.1. HTML Results

Just open the /tmp/report.html file in your favorite browser.

3.2.2. XML Results

Looking at the /tmp/results.xml file, you will notice lines similar to those below:

    <rule-result idref="ensure_gpgcheck_globally_activated" time="2013-10-22T10:03:43" severity="high" weight="1.000000">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-26709-6</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref name="oval:ssg:def:413" href="ssg-rhel6-oval.xml"/>
      </check>
    </rule-result>
    ......
    <rule-result idref="package_aide_installed" time="2013-10-22T10:03:43" severity="medium" weight="1.000000">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-27024-9</ident>
      <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" system="urn:xccdf:fix:script:sh">
        yum -y install aide
      </fix>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref name="oval:ssg:def:245" href="ssg-rhel6-oval.xml"/>
      </check>
    </rule-result>
The XML above can be parsed as follows:
Table 1. Table XCCDF Rule Elements

XML Tag

Meaning

<rule-result idref…​..>

Identifies which XCCDF rule the result reflects

<result>

Pass/Fail/Not Applicable

<ident system…​..>

Identifies corresponding CCE

<fix>

Remediation actions, in bash, which will configure the system to be in compliance with the XCCDF rule

<check system…​.>

Identifies which version of OVAL the check was authored against

<check-content-ref …​.>

Corresponding OVAL check name (name=…​.) and source OVAL file (href=…​.) this check came from. For general purpose users, this information can be ignored.

3.3. Remediation

3.3.1. Bash Scripts

A Bash remediation script for each profile is shipped in scap-security-guide package. The scripts can be found in /usr/share/scap-security-guide/bash/ or if you build the project from source in ./build/bash.

Moreover, ComplianceAsCode embeds bash remediation scripts into the SCAP content. This allows for SCAP compatible tools to extract these remediation scripts to aide in potential remediation of system misconfigurations.

OpenSCAP, the CLI delivered with Fedora and Red Hat Enterprise Linux systems, contains the ability to transform XML results into an executable script. The syntax to generate a remediation script is:

$ oscap xccdf generate fix \
--result-id xccdf_org.open-scap_testresult_{profile-name} \
/root/ssg-results.xml

Replace {profile-name} with the profile the system was scanned against. For example, for stig-rhel6-server:

$ oscap xccdf generate fix \
--result-id xccdf_org.open-scap_testresult_stig \
/root/ssg-results.xml

You will receive output similar to the following:

$ oscap xccdf generate fix \
--result-id xccdf_org.open-scap_testresult_stig \
/root/ssg-results.xml

#!/bin/bash
# OpenSCAP fix generator output for benchmark: DRAFT Guide
# to the Secure Configuration of Red Hat Enterprise Linux 8

# XCCDF rule: set_sysctl_net_ipv4_conf_default_rp_filter
# CCE-26915-9
#
# Set runtime for net.ipv4.conf.default.rp_filter
#
sysctl -q -n -w net.ipv4.conf.default.rp_filter=1

#
# If net.ipv4.conf.default.rp_filter present in
# /etc/sysctl.conf, change value to "1"
# else, add "net.ipv4.conf.default.rp_filter = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.conf.default.rp_filter /etc/sysctl.conf ; then sed -i \
 's/^net.ipv4.conf.default.rp_filter.*/net.ipv4.conf.default.rp_filter \
 = 1/g' /etc/sysctl.conf
else
echo "" >> /etc/sysctl.conf
echo "# Set net.ipv4.conf.default.rp_filter to 1 per \
 security requirements" >> /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
fi

# XCCDF rule: uninstall_xinetd
# CCE-27005-8
if rpm -qa | grep -q xinetd; then
yum -y remove xinetd
fi

# generated: 2013-07-05T13:56:30-04:00
# END OF SCRIPT

This output could be redirected to a bash script, or built into your RHEL7 provisioning process (e.g. the %post section of a kickstart).

3.3.2. Ansible Playbooks

ComplianceAsCode embeds ansible remediation scripts into the SCAP content. This allows for SCAP compatible tools to extract these remediation scripts to aide in potential remediation of system misconfigurations. When using OpenSCAP with Ansible, it is advisable to use the playbooks from https://github.com/RedHatOfficial. These playbooks are generated from the ComplianceAsCode project and are also available on Ansible Galaxy.

Important
The minimum version of Ansible must be at the latest supported version. See https://access.redhat.com/support/policy/updates/ansible-engine for information on the supported Ansible versions.

4. Content Notes

4.1. Note on content for Red Hat Virtualization 4

As RHV moves to be based on el8, the contents of rhv4 will also move to be based on el8.

If you need content for RHV based on el7, use the Red Hat Enterprise Linux 7 (rhel7) content.

5. Deprecated Content

Table 2. Deprecated or Removed Content
Product EOL Date Last Release

Debian 8

June 30, 2020

content 0.1.52

Red Hat OpenStack Platform 7

August 5, 2018

content 0.1.41

Webmin

-

SSG 0.1.38

Red Hat Enterprise Virtualization Manager 3

September 30, 2018

SSG 0.1.38

JBoss EAP 5

November 30, 2016

SSG 0.1.35

JBoss EAP 6

June 30, 2019

content 0.1.53

JBoss Fuse 6

January 1, 2022

content 0.1.64

Red Hat Enterprise Linux 5

March 31, 2017

SSG 0.1.34

Ubuntu 14.04

April 30, 2019

content 0.1.52

SUSE Enterprise Linux 11

March 31, 2019

content 0.1.52

Red Hat OpenShift Container Platform 3

June 1, 2022

content 0.1.52

Red Hat Enterprise Linux 6

November 1, 2020

content 0.1.52

Java Runtime Environment

6. Alternative Scanning Tools

6.1. NIWC SCAP Compliance Checker (SCC)

Funded by the Internal Revenue Service and the National Security Agency, Naval Information Warfare Center (NIWC) Atlantic has authored a SCAP Compliance Checker (SCC). The NIWC SCC tool is available to the general public. The NIWC SCC website is https://www.niwcatlantic.navy.mil/scap/. The SCC tool is available for download at https://public.cyber.mil/stigs/scap.

To utilize SCC with ComplianceAsCode content:

  1. Import SSG content into SCC through the cscc -is command

        [root@localhost scc]# cd /opt/scc
    
        [root@localhost scc]# ./cscc -is /home/testUser/Desktop/ssg_scc.zip
        Extracted: /opt/scc/Resources/Content/ssg-rhel6-cpe-oval.xml.
        Extracted: /opt/scc/Resources/Content/ssg-rhel6-cpe-dictionary.xml.
        Extracted: /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml.
        Extracted: /opt/scc/Resources/Content/ssg-rhel6-ocil.xml.
        Extracted: /opt/scc/Resources/Content/ssg-rhel6-oval.xml.
        SCAP Content successfully installed to the Resources/Content directory.
        Please enable content by running CSCC with the '--config' option.
  2. Enable the SSG content by first executing cscc --config:

        [root@localhost scc]# ./cscc --config
    
        SCC 3.1 RC2 configuration edit menu.
        Make menu selection:
    
        1. Configure SCAP content
        2. Configure SCAP profiles
        3. Delete SCAP content
        4. Configure OVAL content
        5. Delete OVAL content
        6. Configure Options
        7. Configure SSH Options
        8. Exit and save changes
        9. Exit without saving changes
    
        SCAP Processing is Enabled
        - 0 of 3 SCAP streams are enabled
    
        OVAL Processing is Disabled
        - 0 of 0 OVAL streams are enabled
    
        Enter menu selection: 1

    You will be presented with a list of imported SCAP content. Select the option for SSG, which will be simular to option 1 shown below:

        SCC 3.1 RC2 Available SCAP Content
        All content paths are relative to the installation directory at: /opt/scc/Resources
    
        1.  [ ] ssg-rhel6   2013-02-01-05:00   0.1
                path: Content/
                profile: test
        2.  [ ] U_RedHat_5_V1R2_STIG_Benchmark   2013-01-17   1
                path: Content/
                profile: MAC-1_Classified
        3.  [ ] usgcb-rhel5desktop   2011-09-30   1.0.5.0
                path: Content/USGCB-RHEL5-1.0.5.0/
                profile: united_states_government_configuration_baseline
        SCAP Content 0 of 3 enabled.
    
        Enter content number to enable or disable content
        ('all', 'clear', or ranges N-N are allowed, type 'back' or '0' to return): 1

    Once selected, an [X] will be shown before the SSG SCAP content. Verify the SSG content has been enabled, then enter 0 to return to the SCC main screen:

        SCC 3.1 RC2 Available SCAP Content
        All content paths are relative to the installation directory at: /opt/scc/Resources
    
        1.  [X] ssg-rhel6   2013-02-01-05:00   0.1
                path: Content/
                profile: test
        2.  [ ] U_RedHat_5_V1R2_STIG_Benchmark   2013-01-17   1
                path: Content/
                profile: MAC-1_Classified
        3.  [ ] usgcb-rhel5desktop   2011-09-30   1.0.5.0
                path: Content/USGCB-RHEL5-1.0.5.0/
                profile: united_states_government_configuration_baseline
        SCAP Content 1 of 3 enabled.
    
        Enter content number to enable or disable content
        ('all', 'clear', or ranges N-N are allowed, type 'back' or '0' to return): 0
  3. Select SSG Profile
    From the SCC home screen, select option 2, "Configure SCAP profiles"

        SCC 3.1 RC2 configuration edit menu.
        Make menu selection:
    
        1. Configure SCAP content
        2. Configure SCAP profiles
        3. Delete SCAP content
        4. Configure OVAL content
        5. Delete OVAL content
        6. Configure Options
        7. Configure SSH Options
        8. Exit and save changes
        9. Exit without saving changes
    
        SCAP Processing is Enabled
        - 1 of 3 SCAP streams are enabled
    
        OVAL Processing is Disabled
        - 0 of 0 OVAL streams are enabled
    
        Enter menu selection: 2

    You will be brought to the SCAP content selection screen. Select the option for SSG, simular to option 1 shown below:

        Select SCAP Content to view available profiles
        1.  [X] ssg-rhel6   2013-02-01-05:00   0.1
                path: Content/
                profile: stig-rhel6-server
    
        Enter content number to view available profiles (type 'back' or '0' to return): 1

    You will be shown available SSG profiles. Select the numerical identifier for the profile you wish to scan against, such as stig-rhel6-server:

        Available Profiles for ssg-rhel6 2013-02-01-05:00 0.1
        1.  [ ] test
        2.  [ ] common
        3.  [ ] desktop
        4.  [ ] server
        5.  [ ] ftp
        6.  [ ] ftp
        7.  [X] stig-rhel6-server
        Enter profile number to set selected profile (type 'back' or '0' to return): 7

    You will be brought to the SCAP Content screen. Enter '0' to return to the SCC main screen:

        Select SCAP Content to view available profiles
        1.  [X] ssg-rhel6   2013-02-01-05:00   0.1
                path: Content/
                profile: stig-rhel6-server
    
        Enter content number to view available profiles (type 'back' or '0' to return): 0
  4. Configure SSC Options
    From the SCC main screen, select option 6, "Configure Options"

        SCC 3.1 RC2 configuration edit menu.
        Make menu selection:
    
        1. Configure SCAP content
        2. Configure SCAP profiles
        3. Delete SCAP content
        4. Configure OVAL content
        5. Delete OVAL content
        6. Configure Options
        7. Configure SSH Options
        8. Exit and save changes
        9. Exit without saving changes
    
        SCAP Processing is Enabled
        - 1 of 3 SCAP streams are enabled
    
        OVAL Processing is Disabled
        - 0 of 0 OVAL streams are enabled
    
        Enter menu selection: 6

    On the options menu, ensure the following settings are enabled (indicated by [X]). To enable/disable settings, enter their corresponding numerical identifier:

        SCC 3.1 RC2 Options menu.
        Make menu selection:
    
        Content Scan Methods
         1. [X] Perform SCAP Scan
         2. [ ] Perform OVAL Scan
    
        Select Reports
         3. [X] Generate 'All Settings' report
         4. [ ] Generate 'All Settings Summary' report
         5. [X] Generate 'Non-Compliance' report
         6. [ ] Generate 'Non-Compliance Summary' report
    
        Report File Types
         7. [X] Generate reports as HTML
         8. [ ] Generate reports as Text
    
        Logging and Debugging
         9.  [ ] Save screen logs
         10. [ ] Save debug logs
         11. [ ] Suppress warnings
    
        XML Results
         12. [X] Save generated XCCDF OXML files
         13. [X] Save generated OVAL XML files
         14. [ ] Create ARF XML output
         15. [ ] Validate XML output files
         16. [ ] Save failed CPE XML results files
    
        Content Processing
         17. [ ] Scan content directories on application load
         18. [ ] Validate content stream(s) XML files
    
        Data Directory
         19. /opt/scc
    
        OVAL Processing Options
         20. [X] Ignore remote fileSystems
         21. [X] Enable item creation threshold
         22. Item creation threshold: 50000
         23. [X] Ignore file extended ACL attributes
    
        Enter menu selection (type 'back' or '0' to return):

    Once the above options are set, return to the SCC main screen by entering 0.

  5. Select option 8, "Exit and save changes":

        SCC 3.1 RC2 configuration edit menu.
        Make menu selection:
    
        1. Configure SCAP content
        2. Configure SCAP profiles
        3. Delete SCAP content
        4. Configure OVAL content
        5. Delete OVAL content
        6. Configure Options
        7. Configure SSH Options
        8. Exit and save changes
        9. Exit without saving changes
    
        SCAP Processing is Enabled
        - 1 of 3 SCAP streams are enabled
    
        OVAL Processing is Disabled
        - 0 of 0 OVAL streams are enabled
    
        Enter menu selection: 8
        Saving changes.
  6. Execute an SCC scan. Results should end simularly to the following:

        localhost: Processing (391 of 411) Configure Dovecot to Use the SSL Certificate file
        localhost: Processing (392 of 411) Configure Dovecot to Use the SSL Key file
        localhost: Processing (393 of 411) Disable Plaintext Authentication - (CCE-27144-5)
        localhost: Processing (394 of 411) Disable Samba - (CCE-27143-7)
        localhost: Processing (395 of 411) Disable Root Access
        localhost: Processing (396 of 411) Disable Root Access
        localhost: Processing (397 of 411) Require Client SMB Packet Signing, if using smbclient - (CCE-26328-5)
        localhost: Processing (398 of 411) Require Client SMB Packet Signing, if using mount.cifs - (CCE-26792-2)
        localhost: Processing (399 of 411) Disable Squid - (CCE-27146-0)
        localhost: Processing (400 of 411) Uninstall squid Package - (CCE-26977-9)
        localhost: Processing (401 of 411) Disable snmpd Service - (CCE-26906-8)
        localhost: Processing (402 of 411) Uninstall net-snmp Package - (CCE-26332-7)
        localhost: Processing (403 of 411) Configure SNMP Service to Use Only SNMPv3 or Newer
        localhost: Processing (404 of 411) Ensure Default Password Is Not Used
        localhost: Processing (405 of 411) Product Meets this Requirement
        localhost: Processing (406 of 411) Product Meets this Requirement
        localhost: Processing (407 of 411) Product Meets this Requirement
        localhost: Processing (408 of 411) Guidance Does Not Meet this Requirement Due to Impracticality or Scope
        localhost: Processing (409 of 411) Implementation of the Requirement is Not Supported
        localhost: Processing (410 of 411) Guidance Does Not Meet this Requirement Due to Impracticality or Scope
        localhost: Processing (411 of 411) A process for prompt installation of OS updates must exist.
        localhost: Calculating scores
        localhost: User: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_OVAL-Results_ssg-rhel6.xml
        localhost: OCIL Schema Version: 2.0
        localhost: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_OCIL-Results_ssg-rhel6.xml
        localhost: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_OVAL-Variables_ssg-rhel6.xml
        localhost: Saving testUser_SCC-3.1_RC2_2013-02-04_145218_XCCDF-Results_ssg-rhel6.xml
        localhost: Generating report testUser_SCC-3.1_RC2_2013-02-04_145218_All-Settings_ssg-rhel6.htm
        localhost: Generating report testUser_SCC-3.1_RC2_2013-02-04_145218_Non-Compliance_ssg-rhel6.htm
    
        localhost: Adjusted Score - 0% [RED]
        localhost: Original Score - 0% [RED]
    
    
        Total Errors: 11
        Total Warnings: 2
        Review complete.
        Results, if any, are located in the following directory:
        /opt/scc/Results
    
        Logs, if any, are located in the following directory:
        /opt/scc/Logs