6.4 System Security via OpenSCAP

The Security Certification and Authorization Package (SCAP) is a standardized compliance checking solution for enterprise-level Linux infrastructures. It is a line of specifications maintained by the National Institute of Standards and Technology (NIST) for maintaining system security for enterprise systems.

SUSE Manager uses OpenSCAP to implement the SCAP specifications. OpenSCAP is an auditing tool that utilizes the Extensible Configuration Checklist Description Format (XCCDF). XCCDF is a standard way of expressing checklist content and defines security checklists. It also combines with other specifications such as Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), and Open Vulnerability and Assessment Language (OVAL), to create a SCAP-expressed checklist that can be processed by SCAP-validated products.

6.4.1 OpenSCAP Features

OpenSCAP verifies the presence of patches by using content produced by the SUSE Security Team (https://www.suse.com/support/security/), checks system security configuration settings and examines systems for signs of compromise by using rules based on standards and specifications.

To effectively use OpenSCAP, the following must be available:

A tool to verify a system confirms to a standard

SUSE Manager uses OpenSCAP as an auditing feature. It allows you to schedule and view compliance scans for any system.

SCAP content

SCAP content files defining the test rules can be created from scratch if you understand at least XCCDF or OVAL. XCCDF content is also frequently published online under open source licenses and this content can be customized to suit your needs.

The openscap-content package provides default content guidance for systems via a template.

NOTE: SUSE supports the use of templates to evaluate your systems. However, you are creating custom content at your own risk.

SCAP was created to provide a standardized approach to maintaining system security, and the standards that are used will therefore continually change to meet the needs of the community and enterprise businesses. New specifications are governed by NIST's SCAP Release cycle in order to provide a consistent and repeatable revision work flow. For more information, see http://scap.nist.gov/timeline.html.

6.4.2 Prerequisites for Using OpenSCAP in SUSE Manager

The following sections describe the server and client prerequisites for using OpenSCAP.

Package Requirements

As Server: SUSE Manager 1.7 or later.

For the Client: spacewalk-oscap package (available from the SUSE Manager Tools Child Channel).

Entitlement Requirements

A Management entitlement is required for scheduling scans.

Other Requirements

Client: Distribution of the XCCDF content to all client machines.

You can distribute XCCDF content to client machines using any of the following methods:

  • Traditional Methods (CD, USB, NFS, scp, ftp)

  • SUSE Manager Scripts

  • RPMs

Custom RPMs are the recommended way to distribute SCAP content to other machines. RPM packages can be signed and verified to ensure their integrity. Installation, removal, and verification of RPM packages can be managed from the user interface.

6.4.3 Performing Audit Scans

OpenSCAP integration in SUSE Manager provides the ability to perform audit scans on client systems. This section describes the available scanning methods.

Scans via the Web Interface

  1. To perform a scan via the Web interface, log in to SUSE Manager.

  2. Click on Systems and select the target system.

  3. Click on Audit > Schedule.

  4. Fill in the Schedule New XCCDF Scan form. See Schedule Page for more information about the fields on this page.

    WARNING: The XCCDF content is validated before it is run on the remote system. Specifying invalid arguments can make spacewalk-oscap fail to validate or run. Due to security concerns the oscap xccdf eval command only accepts a limited set of parameters.

    Run the mgr_check command to ensure the action is being picked up by the client system.

    mgr_check -vv

    NOTE: If the SUSE Manager daemon (rhnsd) or osad are running on the client system, the action will be picked up by these services. To check if they are running, use:

    service rhnsd start

    or

    service osad start

To view the results of the scan, refer to Section 6.4.4, Viewing SCAP Results.

Figure 6-10 Scheduling a Scan via the Web Interface

Scans via API

  1. To perform an audit scan via API, choose an existing script or create a script for scheduling a system scan through system.scap.scheduleXccdfScan, the front end API, for example:

    #!/usr/bin/python
    client = xmlrpclib.Server('https://spacewalk.example.com/rpc/api')
    key = client.auth.login('username', 'password')
    client.system.scap.scheduleXccdfScan(key, 1000010001,
        '/usr/local/share/scap/usgcb-sled11desktop-xccdf.xml',
        '--profile united_states_government_configuration_baseline')

    Where:

    • 1000010001 is the system ID (sid).

    • /usr/local/share/scap/usgcb-sled11desktop-xccdf.xml is the path to the content location on the client system. In this case, it assumes USGCB content in the /usr/local/share/scap directory.

    • --profile united_states_government_configuration_baseline is an additional argument for the oscap command. In this case, it is using the USGCB.

  2. Run the script on the command-line interface of any system. The system needs the appropriate Python and XML-RPC libraries installed.

  3. Run the mgr_check command to ensure that the action is being picked up by the client system.

    mgr_check -vv

    If the SUSE Manager daemon (rhnsd) or osad are running on the client system, the action will be picked up by these services. To check if they are running, use:

    service rhnsd start

    or

    service osad start

NOTE: Enabling Upload of Detailed SCAP Files

To make sure detailed information about the scan will be available, activate the upload of detailed SCAP files on the clients to be evaluated. On the Admin page, click on Organization and select one. Click on the Configuration tab and check Enable Upload Of Detailed SCAP Files. This feature generates an additional HTML version when you run a scan. The results will show an extra line like: Detailed Results: xccdf-report.html xccdf-results.xml scap-yast2sec-oval.xml.result.xml.

6.4.4 Viewing SCAP Results

There are three methods of viewing the results of finished scans:

  • Via the Web interface. Once the scan has finished, the results should show up on the Audit tab of a specific system. This page is discussed in Section 6.4.5, OpenSCAP SUSE Manager Web Interface.

  • Via the API functions in handler system.scap.

  • Via the spacewalk-report command as follows:

    spacewalk-report system-history-scap
    spacewalk-report scap-scan
    spacewalk-report scap-scan-results

6.4.5 OpenSCAP SUSE Manager Web Interface

The following sections describe the tabs in the SUSE Manager Web interface that provide access to OpenSCAP and its features.

OpenSCAP Scans Page

Click the Audit tab on the top navigation bar, then OpenSCAP on the left. Here you can view, search for, and compare completed OpenSCAP scans.

OpenSCAP > All Scans

All Scans is the default page that appears on the Audit > OpenSCAP page. Here you see all the completed OpenSCAP scans you have permission to view. Permissions for scans are derived from system permissions.

For each scan, the following information is displayed:

System:

the scanned system.

XCCDF Profile:

the evaluated profile.

Completed:

time of completion.

Satisfied:

number of rules satisfied. A rule is considered to be satisfied if the result of the evaluation is either Pass or Fixed.

Dissatisfied:

number of rules that were not satisfied. A rule is considered Dissatisfied if the result of the evaluation is a Fail.

Unknown:

number of rules which failed to evaluate. A rule is considered to be Unknown if the result of the evaluation is an Error, Unknown or Not Checked.

The evaluation of XCCDF rules may also return status results like Informational, Not Applicable, or not Selected. In such cases, the given rule is not included in the statistics on this page. See System Details > Audit for information on these types of results.

OpenSCAP > XCCDF Diff

XCCDF Diff is an application that visualizes the comparison of two XCCDF scans. It shows metadata for two scans as well as the lists of results.

Click the appropriate icon on the Scans page to access the diff output of similar scans. Alternatively, specify the ID of scans you want to compare.

Items that show up in only one of the compared scans are considered to be "varying". Varying items are always highlighted in beige. There are three possible comparison modes:

Full Comparison

all the scanned items.

Only Changed Items:

items that have changed.

Only Invariant:

unchanged or similar items.

OpenSCAP > Advanced Search

Use the Advanced Search page to search through your scans according to specified criteria including:

  • rule results,

  • targeted machine,

  • time frame of the scan.

Figure 6-11 OpenSCAP Advanced Search

The search either returns a list of results or a list of scans, which are included in the results.

Systems Audit Page

To display a system's audit page, click Systems > system_name > Audit. Use this page to schedule and view compliance scans for a particular system. Scans are performed by the OpenSCAP tool, which implements NIST's standard Security Content Automation Protocol (SCAP). Before you scan a system, make sure that the SCAP content is prepared and all prerequisites in Section 6.4.2, Prerequisites for Using OpenSCAP in SUSE Manager are met.

List Scans

This subtab lists a summary of all scans completed on the system. The following columns are displayed:

XCCDF Test Result

The scan test result name, which provides a link to the detailed results of the scan.

Completed

The exact time the scan finished.

Compliance

The unweighted pass/fail ratio of compliance based on the Standard used.

P

Number of checks that passed.

F

Number of checks that failed.

E

Number of errors that occurred during the scan.

U

Unknown.

N

Not applicable to the machine.

K

Not checked.

S

Not Selected.

I

Informational.

X

Fixed.

Total

Total number of checks.

Each entry starts with an icon indicating the results of a comparison to a previous similar scan. The icons indicate the following:

  • "RHN List Checked" Icon — no difference between the compared scans.

  • "RHN List Alert" Icon — arbitrary differences between the compared scans.

  • "RHN List Error" Icon — major differences between the compared scans. Either there are more failures than the previous scan or less passes

  • "RHN List Check In" Icon — no comparable scan was found, therefore, no comparison was made.

To find out what has changed between two scans in more detail, select the ones you are interested in and click Compare Selected Scans. To delete scans that are no longer relevant, select those and click on Remove Selected Scans. Scan results can also be downloaded in CSV format.

Scan Details

The Scan Details page contains the results of a single scan. The page is divided into two sections:

Details of the XCCDF Scan

This section displays various details about the scan, including:

  • File System Path: the path to the XCCDF file used for the scan.

  • Command-line Arguments: any additional command-line arguments that were used.

  • Profile Identifier: the profile identifier used for the scan.

  • Profile Title: the title of the profile used for the scan.

  • Scan's Error output: any errors encountered during the scan.

XCCDF Rule Results

The rule results provide the full list of XCCDF rule identifiers, identifying tags, and the result for each of these rule checks. This list can be filtered by a specific result.

Schedule Page

Use the Schedule New XCCDF Scan page to schedule new scans for specific machines. Scans occur at the system's next scheduled check-in that occurs after the date and time specified. The following fields can be configured:

Command-line Arguments:

Optional arguments to the oscap command, either:

  • --profile PROFILE: Specifies a particular profile from the XCCDF document.

    Profiles are determined by the Profile tag in the XCCDF XML file. Use the oscap command to see a list of profiles within a given XCCDF file, for example:

     oscap info /usr/local/share/scap/dist_sles12_scap-sles12-oval.xml
    Document type: XCCDF Checklist
    Checklist version: 1.1
    Status: draft
    Generated: 2015-12-12
    Imported: 2016-02-15T22:09:33
    Resolved: false
    Profiles: SLES12-Default

    If not specified, the default profile is used. Some early versions of OpenSCAP in require that you use the --profile option or the scan will fail.

  • --skip-valid: Do not validate input and output files. You can use this option to bypass the file validation process if you do not have well-formed XCCDF content.

Path to XCCDF Document:

This is a required field. The path parameter points to the XCCDF content location on the client system. For example: /usr/local/scap/dist_rhel6_scap-rhel6-oval.xml

WARNING: The XCCDF content is validated before it is run on the remote system. Specifying invalid arguments can cause spacewalk-oscap to fail to validate or run. Due to security concerns, the oscap xccdf eval command only accepts a limited set of parameters.

For information about how to schedule scans using the Web UI, refer to Scans via the Web Interface.