Master In-Depth Security Audits with OpenSCAP

Published:10 May 2022 - 8 min. read

Arvid Larson Image

Arvid Larson

Read more tutorials by Arvid Larson!

Azure Cloud Labs: these FREE, on‑demand Azure Cloud Labs will get you into a real‑world environment and account, walking you through step‑by‑step how to best protect, secure, and recover Azure data.

Security is one of the critical successes of the IT industry, and implementing security compliance for your products is crucial for security and your business. Not sure how? Consider using the free and open-source OpenSCAP and SCAP Security Guide (SSG).

In this tutorial, you’ll learn how to install and use OpenSCAP and SSG for auditing Linux servers. You’ll implement security compliance automatically on your server deployment.

Read on and tightly secure your Linux servers!

Prerequisites

This tutorial will be a hands-on demonstration. To follow along, be sure you have the following requirements:

  • A Linux server – This demo uses the latest Ubuntu 20.04 Server.
  • A user root and password.
  • Ansible and Apache/NGINX installed on the Linux server.

Installing OpenSCAP and SSG Packages

OpenSCAP is a free and open-source security automation tool for managing system security and compliance testing. OpenSCAP provides various tools for auditing systems and fixing problems in your system, according to the SCAP Security Guide (SSG).

To take advantage of OpenSCAP and SSG, you’ll first have to install them on your server:

1. Log in to your server using the root user.

2. Next, run the apt update command below to update and refresh the repository package index on your server. This command lets you get the latest version of any packages to install.

sudo apt update
Refreshing Package Index
Refreshing Package Index

3. Run the following apt install command to install the OpenSCAP and SSG packages for Debian-derived systems (ssg-debderived).

SSG provides security guidance and baseline for Linux systems. SSG contents are based on high-level security compliance, such as NIST, CIS Benchmark, and STIGs security compliance.

This command also automatically installs the libopenscap8 package that provides a command-line tool (oscap) for managing SCAP specifications and guidance.

sudo apt install -y ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications
Installing OpenSCAP and SSG Packages
Installing OpenSCAP and SSG Packages

4. Lastly, run the below ls command to verify the list of SSG contents from the official Ubuntu repository (/usr/share/xml/scap/content).

ls /usr/share/xml/scap/ssg/content

As you can see below, the default SSG packages from the Ubuntu repository do not provide a SCAP guide for Ubuntu 20.04 server. As a solution, you’ll download SSG’s latest version manually from GitHub in the following section.

Checking Default SSG Contents
Checking Default SSG Contents

Downloading the Latest SCAP Contents

Now that you have installed the OpenSCAP security tool, it’s time to download the latest version of SSG packages, which provides SSG contents for the latest Ubuntu 20.04 server.

You can check the official GitHub repository of the ComplianceAsCode Content, which provides complete information about the SSG build system.

1. Run the wget command below to download the latest version of the SSG package from the GitHub repository.

Check the latest SSG package version in the official GitHub repository.

As of this writing, the latest version of SSG packages is v0.1.60.

wget https://github.com/ComplianceAsCode/content/releases/download/v0.1.60/scap-security-guide-0.1.60.zip
Downloading the Latest Version of the SSG package
Downloading the Latest Version of the SSG package

2. Next, run the commands below to extract (unzip) the scap-security-guide-0.1.60.zip file and verify the scap-security-guide-0.1.60 directory exists.

# Unzip the scap-security-guide-0.1.60.zip file
unzip -q scap-security-guide-0.1.60.zip
# List all contents in the working directory
ls
Download latest version of SCAP Contents and extract the file
Download latest version of SCAP Contents and extract the file

3. Run the below command (with no output) to move the SSG content directory to the /opt/ssg/ directory, and create the /opt/reports directory for storing OpenSCAP audit reports.

# Move SSG contents to /opt/ssg
mv scap-security-guide-0.1.60 /opt/ssg
# Make a directory called /opt/reports
mkdir -p /opt/reports/
Moving the SSG Content Directory and Creating the /opts/reports/ Directory
Moving the SSG Content Directory and Creating the /opts/reports/ Directory

4. Lastly, run the ls command below to check available SSG contents on the /opt/ssg/ directory.

ls /opt/ssg/

Below, you’ll see a list of SSG contents, including SCAP DataStream for the Ubuntu 20.04 server.

Each SCAP document below with the .xml format contains SCAP DataStream modules, such as XCCDF, OVAL, CPE, and CPE OVAL.

Verifying SSG Contents in the /opt/ssg/ Directory
Verifying SSG Contents in the /opt/ssg/ Directory

Check out the NIST SCAP documentation to know more about SCAP specifications.

Performing Server Audits and Generating Reports

After successfully installing the OpenSCAP tool and downloading the latest version of SSG contents, it’s now time to start auditing your system. You’ll perform a server audit using OpenSCAP and SSG by running the oscap command.

But before jumping to server auditing, you’ll first check available profiles on a SCAP document. This tutorial uses Ubuntu 20.04 server, so you’ll be using the latest version of the SCAP document (ssg-ubuntu2004-ds.xml) as an example.

1. Run the oscap command below with the info module to check available profiles on the ssg-ubuntu2004-ds.xml SCAP document.

The –fetch-remote-resources option allows the oscap command to download remote components referenced from DataStream.

sudo oscap info --fetch-remote-resources /opt/ssg/ssg-ubuntu2004-ds.xml

Notice below that there are multiple profiles for guidance and security compliance you can use to audit your system. The profiles include CIS Benchmark, STIGs security compliance, and standard security profile.

Checking Available Security Compliance Profile from SSG DataStream File
Checking Available Security Compliance Profile from SSG DataStream File

2. Next, run the below oscap command with the xccdf module to audit (eval) your server using OpenSCAP and SSG DataStream (ssg-ubuntu2004-ds.xml).

This command performs the following:

  • Audits your server with the xccdf_org.ssgproject.content_profile_stig profile (STIGs security compliance).
  • Generates an HTML page report (/opt/reports/report.html).
  • Generates the Asset Reporting Format (ARF) file (/opt/reports/arf.xml).
sudo oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_stig \
--results-arf /opt/reports/arf.xml --report /opt/reports/report.html \
/opt/ssg/ssg-ubuntu2004-ds.xml

You’ll see a lot of output and tests performed by the oscap command. There are different results in audit reports: pass, fail, notchecked, and notapplicable.

Auditing Server with OpenSCAP and SSG DataStream
Auditing Server with OpenSCAP and SSG DataStream

3. Once the audit completes, run the below ls command to check the directory /opt/reports and make sure audit report files are available.

ls /opt/reports

As shown below, you’ll see two report files, arf.xml, and reports.html.

Checking Audit Report Files
Checking Audit Report Files

4. Now, run the below cp command to copy the report.html file to the Apache document root directory (/var/www/html) to show the report from the web browser.

This command doesn’t have an output, but you’ll see the contents of the report file in your web browser in the following step.

cp /opt/reports/report.html /var/www/html

5. Lastly, open your favorite browser and navigate the server IP address followed by the URL path /report.html (i.e., http://172.16.1.10/report.html).

If all goes well, you’ll see the detailed report of your server audit performed with OpenSCAP, as shown below. In this tutorial, Ubuntu 20.04 scored 68% for STIGs security compliance.

Viewing Audit Report on the Web Browser
Viewing Audit Report on the Web Browser

Generating SSG Guides and Checklist

You’ve now generated the audit report for your server with a score of 67%, but can your server get a higher score? Yes! You’ll generate an SSG guide for hardening your server with STIGs compliance.

The oscap command can generate detailed instructions on how to set up your system according to the security compliance profile you are using.

1. Run the below command to generate an SSG guide and security checklist for STIGs security compliance. The output will be available as the /opt/reports/guide-stig-checklist.html file.

sudo oscap xccdf generate guide --profile xccdf_org.ssgproject.content_profile_stig \
/opt/ssg/ssg-ubuntu2004-ds.xml > /opt/reports/guide-stig-checklist.html
Generating an SSG guide and Security Checklist
Generating an SSG guide and Security Checklist

2. Next, run each command below to verify the generated guide file (/opt/reports/guide-stig-checklist.html) and copy the file to the /var/www/html directory.

# Checking reports
ls /opt/reports

# Copy guide-stig-checklist.html to /var/www/html
/opt/reports/guide-stig-checklist.html /var/www/html
Generating security guide and checklists using OpenSCAP
Generating security guide and checklists using OpenSCAP

3. Lastly, switch to your web browser and input the URL path of the /guide-stig-checklist.html guide file (i.e., http://172.16.1.10/guide-stig-checklist.html).

You’ll see the single-page guide for securing your server, as shown below, which includes system settings and services configurations.

Verifying OpenSCAP Guide with STIGs Compliance
Verifying OpenSCAP Guide with STIGs Compliance

Remediating Server Automatically with OpenSCAP and Ansible

You’ve now generated the SSG guide to set up your server based on the STIGs security compliance. Now, you’ll generate an Ansible playbook to remediate your server according to security compliance automatically.

The OpenSCAP is not only an auditing tool but also provides automatic remediation with automation scripts such as Bash and Ansible.

You’ll need the ARF (Asset Reporting Format) result to generate a Bash script or Ansible Playbook for automatic remediation.

1. Run the below command to generate the Ansible playbook stig_fix.yml based on the audit ARF result file (/opt/report/arf.xml), which uses the STIGs security compliance.

This command doesn’t have an output, but you’ll verify the content of the generated playbook in the following step.

sudo oscap xccdf generate fix --fetch-remote-resources --fix-type ansible --result-id "" /opt/reports/arf.xml > stig_fix.yml

2. Next, run the cat command below to show and verify the content of the Ansible playbook stig_fix.yml.

cat stig_fix.yml

At the top of the file, you will see information about the generated Ansible Playbook.s

Generating and Verifying Ansible Playbook OpenSCAP
Generating and Verifying Ansible Playbook OpenSCAP

3. Once verifying the playbook, run the ansible-playbook command below to apply the generated Ansible playbook (stig_fix.yml) to the server.

sudo ansible-playbook -i localhost, -c local stig_fix.yml

You can also run the Ansible playbook from outside the server through the SSH connections. The generated Ansible playbook will not solve all of your server tests but still makes your server more secure.

In the end, you will still need to read and check the audit report, the generated guidance, and the checklist.

As shown below, Ansible installs some packages and applies new changes to your system as the STIGs security compliance.

Running the Generated Ansible Playbook
Running the Generated Ansible Playbook

Below is the summary of changes done by the Ansible playbook (stig_fix.yml). You may have different outputs, depending on your system.

Viewing Final Results of Ansible Playbook
Viewing Final Results of Ansible Playbook

4. Lastly, reboot your server to apply all new changes on your server.

Verifying Changes to the Server’s Security Compliance

After the server remediation with OpenSCAP and Ansible, you’ll perform another audit on your server to verify the changes.

1. Log in again to your server using the root user.

2. Next, run the oscap command below to generate a new audit report and verify the score.

This command uses the same security compliance to audit the server. The only difference is the report file (/opt/reports/report2.html) and the ARF XML file (/opt/reports/arf2.xml).

sudo oscap xccdf eval --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_stig \
--results-arf /opt/reports/arf2.xml --report /opt/reports/report2.html \
/opt/ssg/ssg-ubuntu2004-ds.xml
Regenerating Audit report for Ubuntu Server
Regenerating Audit report for Ubuntu Server

3. After the auditing, run each command below to verify and copy the new audit report (/opt/reports/report2.html) to the /var/www/html directory.

# Verify reports
ls /opt/reports

# Copy report2.html to /var/www/html
cp /opt/reports/report2.html /var/www/html
Verifying and Copying report2.html File
Verifying and Copying report2.html File

4. Finally, switch back to your web browser and navigate to your server IP address, followed by the new audit report path /report2.html (i.e., http://172.16.1.10/report2.html).

Below, the audit score increased to 83% of the STIGs security compliance. But there is more failed report because the system also has changed. You can now regenerate the guidance and security checklist and try to solve errors manually.

Verifying Audit Result of OpenSCAP from Web Browser
Verifying Audit Result of OpenSCAP from Web Browser

Conclusion

In this tutorial, you’ve learned how to install OpenSCAP and audit your server security using SSG DataStream. You’ve also remediated the system according to security compliance automatically using Ansible playbook and OpenSCAP.

With this newfound knowledge, why not try other SSG policies for your operating system? Or try to implement OpenSCAP to secure the container image?

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!