SCAP testing on RHEL 7

To keep our systems (for example our HPW servers) secure and standardized we use multiple techniques such as configuration management systems and PCI-DSS audits. During the past few months we have worked with an additional technique called SCAP testing. In this article we will show you how to test your RHEL 7 server and give some example Puppet remediation code.

This is an informative guide. We cannot be held responsible for problems caused by following this guide.

Intro to SCAP

What is SCAP? On the OpenSCAP website it is described very well:

“SCAP is a line of standards managed by NIST. It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.”

The SCAP standard consists of multiple test approaches. At LinQhost we mainly use the OVAL and XCCDF tests. With the OVAL test (ignored in this guide) you can check whether your server has package versions installed that are affected by a known CVE. With the XCCDF test we will check a server against a defined baseline.

We use the SCAP Security Guide (SSG) content with the Certified Cloud Providers (RH CCP draft) profile as our baseline. Some of the things this profile checks:

  • Correct permissions on the passwd and gshadow files
  • SELinux enabled
  • Only root user has UID 0
  • Login accounts without password
  • SSH settings: Protocol 2, root login disabled, approved ciphers

Sometimes it’s not possible to meet all requirements (mostly the partition scheme). The SSG is only guidance and you are free to adapt it to your own needs. Just don’t make it too relaxed. 🙂

Let’s test

Enough talk! Let’s test your system now and see how many fails you will get. 🙂

Step 1 – Install openscap:
yum install openscap openscap-utils rubygem-openscap

Step 2 – Install the Scap-security-guide from EPEL:
yum install http://dl.fedoraproject.org/pub/epel/7/x86_64/s/scap-security-guide-0.1.5-4.el7.noarch.rpm

Step 3 – Do your first test

oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp \
  --results /tmp/`hostname`-ssg-results.xml \
  --report /tmp/`hostname`-ssg-results.html \
  --cpe /usr/share/openscap/cpe/openscap-cpe-dict.xml \
  /usr/share/xml/scap/ssg/rhel7/ssg-rhel7-ds.xml

The screen output shows you the basic results. The HTML report gives more details about the failed and passed checks, and for most checks it also contains remediation tips. Below are two Puppet examples (they need Augeas support!) that fix some failed tests on a default RHEL 7 machine.

It’s advised to run these tests periodically (daily or weekly) and do something with the results.
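As an added example of doing something with the results (this script is not part of the original article), here is a small POSIX shell script that reads the XCCDF results file written by `--results`, lists the failed rules with their severity, and returns non-zero when anything failed, so a daily cron job can mail the output or feed it into monitoring. The results-file layout (a `<rule-result idref="...">` element wrapping `<result>fail</result>`) and the sample file contents are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the article's own code: post-process an oscap XCCDF
# results file and report the rules that failed the baseline.
# Assumes the layout oscap writes: <rule-result idref="..."> ... <result>fail</result>.

# Constructed sample with only the parts of a results file this script reads.
SAMPLE_FILE="${TMPDIR:-/tmp}/ssg-results-sample.xml"
cat > "$SAMPLE_FILE" <<'EOF'
<TestResult>
  <rule-result idref="xccdf_org.ssgproject.content_rule_require_singleuser_auth" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
EOF

# Print "severity rule-id" for every rule whose <result> is "fail".
failed_rules() {
  awk '
    /<rule-result[ >]/ {
      match($0, /idref="[^"]*"/); id = substr($0, RSTART + 7, RLENGTH - 8)
      sev = "unknown"
      if (match($0, /severity="[^"]*"/)) sev = substr($0, RSTART + 10, RLENGTH - 11)
    }
    /<result>/ { if ($0 ~ /<result>fail<\/result>/ && id != "") print sev, id; id = "" }
  ' "$1"
}

# Number of failed rules; a periodic job can alert when this is non-zero.
count_failed() {
  failed_rules "$1" | wc -l | tr -d ' '
}

# Return 1 (and list the failures) when the scan found any failed rule.
check_results() {
  [ "$(count_failed "$1")" -gt 0 ] || return 0
  printf 'SCAP baseline failures in %s:\n' "$1"
  failed_rules "$1"
  return 1
}

check_results "$SAMPLE_FILE" || echo "remediate (e.g. with the Puppet examples) before the next run"
```

Point `check_results` at `/tmp/$(hostname)-ssg-results.xml` after a real `oscap xccdf eval` run to use it on your own results.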

Puppet Augeas example 1

Require authentication when entering single-user mode:

# SCAP ID: xccdf_org.ssgproject.content_rule_require_singleuser_auth
# Sets SINGLE="/sbin/sulogin" in /etc/sysconfig/init so that single-user
# mode asks for the root password instead of dropping straight to a shell.
augeas { 'AUTH-enable_password_auth_single_mode':
  context => '/files/etc/sysconfig/init',
  changes => [
              'set SINGLE "/sbin/sulogin"',
             ],
}

Puppet Augeas example 2

Raise the minimum password length requirement to 8 (default = 5):

# SCAP ID: xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
# Sets PASS_MIN_LEN in /etc/login.defs; this only applies to passwords set
# through the login.defs-aware tools, pam_pwquality limits are separate.
augeas { 'AUTH-login_defs_password_len':
  context => '/files/etc/login.defs',
  changes => [
              'set PASS_MIN_LEN 8',
             ],
}