Jump to content
documentation.suse.com / Hardening SUSE Linux Enterprise with OpenSCAP
SUSE Linux Enterprise Server

Hardening SUSE Linux Enterprise with OpenSCAP

Publication Date: May 23, 2024

This document introduces you to auditing and hardening SUSE Linux Enterprise with OpenSCAP and the SCAP Security Guide.

Important
Important: Disclaimer

SUSE seeks to provide customers with quick and easy guides that can assist them in maintaining security compliance. Implementation of the settings contained within this guide without its prior testing in a non-operational environment is highly discouraged. The developers of these profiles and documentation have made reasonable efforts to ensure overall compliance. They assume no responsibility for its use by other parties, and make no guarantee, expressed or implied, about its quality, reliability or any other characteristic.

1 What are SCAP and OpenSCAP?

SCAP stands for Security Content Automation Protocol. It is a framework of specifications that support automated configuration, vulnerability scanning, and policy compliance evaluation of systems deployed in an organization. It also standardizes how vulnerabilities and security configurations are communicated both to machines and human beings.

OpenSCAP is a collection of open source tools that implement the SCAP framework for Linux. SCAP is maintained by the National Institute of Standards and Technology (NIST) . OpenSCAP received the SCAP 1.2 certification by NIST in 2014.

2 Benefits

The OpenSCAP tools, together with the SCAP Security Guide, can be used for auditing your system in an automated way. The SCAP Security Guide implements security guidances recommended by respected authorities. These security guidances are transformed into a machine-readable format which then can be used by OpenSCAP and other tools.

3 Installation

To use the OpenSCAP tools and the SCAP Security Guide for hardening your target system by scanning and remediating vulnerabilities, install the following core packages:

  • openscap

  • openscap-utils

  • scap-security-guide

> sudo zypper install openscap openscap-utils scap-security-guide
Note
Note

These packages are dependencies for other optional packages discussed below.

Optionally, install the following packages:

  • scap-workbench: This package provides the SCAP Workbench graphical utility to perform common oscap tasks.

  • ssg-apply: When used along with SCAP Workbench, this package helps you conveniently apply a tailoring file for customized hardening.

> sudo zypper install scap-workbench scap-workbench-doc ssg-apply
Tip
Tip: Security best practice for SCAP Workbench

As a security best practice, avoid installing an application software such as SCAP Workbench on the target system that you are planning to harden. Instead, install SCAP Workbench on a client machine and apply the hardening on the target system, while maintaining an air gap before the target system is connected to a potentially insecure network.

4 Important SCAP components

SCAP consists of the following important components which interact with each other.

Open Vulnerability and Assessment Language (OVAL)

An XML format for testing the presence of a specific state.

Extensible Configuration Checklist Description Format (XCCDF)

An XML format that specifies security checklists, benchmarks and configuration documentation. The XCCDF file includes a benchmark as a set of different profiles related to different groups. Each group is a set of rules which have OVAL definitions. Each profile is related to different good practices such as STIG, HIPAA, PCI-DSS, or ANSSI.

Common Platform Enumeration (CPE)

A structured naming scheme to identify information technology systems, platforms and software packages. It is maintained by NIST and NDV. The naming scheme consists of the following elements: cpe:/part:vendor:product:version:update:edition:language

DataStreams (DS)

An XML format which packs different SCAP components (CPE, XCCDF, OVAL) into a single file. It can be used to distribute SCAP content over the network. The DataStreams files are useful because they include everything you need when you want to harden and audit your SUSE Linux Enterprise system.

Common Configuration Enumeration (CCE)

Unique identifiers to security-related system configuration issues.

5 SCAP Security Guide content and directories

SUSE ships the SCAP Security Guide (SSG) toolset in the scap-security-guide package. It contains the latest set of security polices for Linux systems. The SCAP Security Guide is maintained upstream in the ComplianceAsCode repository.

After you have installed the package, the SSG security content and the related files are available in your system from the following directories:

Overview of files and directories
/usr/share/xml/scap/ssg/content/

Contains the SSG security content. It consists of several Important SCAP components, which are all based on XML. All XML files in that directory are named according to the SCAP component and to the SUSE Linux Enterprise codestream they apply to (code 12 or 15). The directory also holds XML files specific to openSUSE.

/usr/share/doc/scap-security-guide/guides/

Contains profiles for different hardening policies in human-readable format. They describe the profiles that are included in the DataStream files. The profiles applicable to SUSE Linux Enterprise are codestream-specific and differ between code 12 and code 15. Each profile is a guide on securing your operating system to ensure compliance with a regulation.

The guides usually have the following structure:

  • Short description

  • Profile Title. For example: DISA STIG for SUSE Linux Enterprise 15

  • Profile ID. For example: xccdf_org.ssgproject.content_profile_stig

  • Revision History. Information about the current version and status of the profile. For example: xccdf_org.ssgproject.content_profile_stig

  • Platforms (in CPE notation). Which product or system the profile applies to. For example: cpe:/o:suse:linux_enterprise_server:15

  • A table of contents

  • A checklist which consists of groups (and subgroups) with rules

    Each rule consists of a short description, the rationale behind the rule, a severity (low, medium or high) and a unique identifier in the Common Configuration Enumeration (CCE) format. The CCE number for each rule is provided to SUSE by NIST.

    Each rule also lists references to different good practices. For example, the rule known by the unique identifier CCE-83289-9 in STIG has a reference to a specific good practice A.12.4.1 in ISO/IEC 27001:2013.

    If remediation options exist for a rule, they are listed in different formats.

/usr/share/scap-security-guide

Contains subdirectories with fix scripts which can be used to remediate the target system in case a vulnerability is found during a scan. Fix scripts are available in the following two formats: Shell scripts (bash/*.sh) and Ansible snippets (ansible/*.yml).

6 SCAP Security Guide profiles

The SCAP Security Guide contains multiple profiles. The profiles applicable to SUSE Linux Enterprise are codestream-specific and differ between code 12 and code 15.

They are maintained and hosted at the following repositories:

After the installation of the scap-security-guide package, human-readable versions of the profiles are available in your file system in /usr/share/doc/scap-security-guide/guides.

Alternatively, find the same content online as static HTML pages:

In the online versions, use the drop-down list in the upper-right corner of the page to select one of the available profiles and to view a command-line snippet about how to evaluate the respective profile with OpenSCAP.

6.1 SUSE Linux Enterprise 15 profiles

For code 15, the following profiles are supported by SUSE:

  • ANSSI-BP-028 (enhanced)

  • ANSSI-BP-028 (high)

  • ANSSI-BP-028 (intermediary)

  • ANSSI-BP-028 (minimal)

  • CIS SUSE SUSE Linux Enterprise 15 Benchmark Level 2 (Workstation)

  • CIS SUSE Linux Enterprise 15 Benchmark for Level 1 (Server)

  • CIS SUSE Linux Enterprise 15 Benchmark for Level 1 (Workstation)

  • CIS SUSE Linux Enterprise 15 Benchmark for Level 2 (Server)

  • DISA STIG for SUSE Linux Enterprise 15

  • Hardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES) for SAP Applications 15

  • Health Insurance Portability and Accountability Act (HIPAA)

  • PCI-DSS v3.2.1 Control Baseline for SUSE Linux Enterprise 15

  • PCI-DSS v4 Control Baseline for SUSE Linux Enterprise 15

  • Public Cloud Hardening for SUSE Linux Enterprise 15

  • Standard System Security Profile for SUSE Linux Enterprise 15

SCAP Security Guide profiles for SUSE Linux Enterprise 15
Figure 1: SCAP Security Guide profiles for SUSE Linux Enterprise 15

6.2 SUSE Linux Enterprise 12 profiles

For code 12, the following profiles are supported by SUSE:

  • ANSSI-BP-028 (enhanced)

  • ANSSI-BP-028 (high)

  • ANSSI-BP-028 (intermediary)

  • ANSSI-BP-028 (minimal)

  • CIS SUSE SUSE Linux Enterprise 12 Benchmark Level 2 (Workstation)

  • CIS SUSE Linux Enterprise 12 Benchmark for Level 1 (Server)

  • CIS SUSE Linux Enterprise 12 Benchmark for Level 1 (Workstation)

  • CIS SUSE Linux Enterprise 12 Benchmark for Level 2 (Server)

  • DISA STIG for SUSE Linux Enterprise 12

  • PCI-DSS v3.2.1 Control Baseline for SUSE Linux Enterprise 12

  • PCI-DSS v.4 Control Baseline for SUSE Linux Enterprise 12

  • Standard System Security Profile for SUSE Linux Enterprise 12

SCAP Security Guide profiles for SUSE Linux Enterprise 12
Figure 2: SCAP Security Guide profiles for SUSE Linux Enterprise 12

7 Vulnerability scanning

7.1 Targets to scan

The content provided by the SCAP Security Guide can be used to scan the following targets for vulnerabilities:

  • bare-metal machines

  • virtual machines

  • virtual machine images

  • containers

  • container images

Automated checks help to identify the target and to select only the rules that make sense for this specific target. For example, checks for separate partitions make sense for bare-metal machines but not for containers.

7.2 Tools for scanning

Note
Note

Before using the tools described in this section, ensure that you have installed them as described in Section 3, “Installation”, as they are interdependent.

Depending on your setup and the target to scan (remote or local), you can use either of the following tools:

oscap

A command-line interface that can be used to scan local machines. Both the openscap-utils and scap-security-guide package need to be installed on the local machine.

To understand the basic usage of oscap, run it with the -h option:

> oscap -h

  oscap

  OpenSCAP command-line tool

  Usage: oscap [options] module operation [operation-options-and-arguments]

  Common options:
    --verbose <verbosity_level>   - Turn on verbose mode at specified verbosity level.
                                    Verbosity level must be one of: DEVEL, INFO, WARNING, ERROR.
    --verbose-log-file <file>     - Write verbose information into file.

  oscap options:
    -h --help                     - show this help
    -q --quiet                    - quiet mode
    -V --version                  - print info about supported SCAP versions

  Commands:
      ds - Data stream utilities
      oval - Open Vulnerability and Assessment Language
      xccdf - eXtensible Configuration Checklist Description Format
      cvss - Common Vulnerability Scoring System
      cpe - Common Platform Enumeration
      cve - Common Vulnerabilities and Exposures
      cvrf - Common Vulnerability Reporting Framework
      info - Print information about a SCAP file.

To understand oscap in greater detail, read its man pages by running the man oscap.

oscap-ssh

A command-line interface that can be used to scan a remote machine via SSH with an interface resembling the oscap tool. On the local machine, the package openscap-utils needs to be installed. On the remote machine, the openscap-utils package needs to be installed.

To understand the basic usage of oscap-ssh, run it with the -h option:

> oscap -h

  oscap-ssh -- Tool for running oscap over SSH and collecting results.

  Usage:

  $ oscap-ssh user@host 22 info INPUT_CONTENT
  $ oscap-ssh user@host 22 xccdf eval [options] INPUT_CONTENT

  Only source data streams are supported as INPUT_CONTENT!

  supported oscap xccdf eval options are:
    --profile
    --tailoring-file
    --tailoring-id
    --cpe (external OVAL dependencies are not supported yet!)
    --oval-results
    --results
    --results-arf
    --report
    --skip-valid
    --skip-validation
    --fetch-remote-resources
    --local-files
    --progress
    --datastream-id
    --xccdf-id
    --benchmark-id
    --remediate

  $ oscap-ssh user@host 22 oval eval [options] INPUT_CONTENT

  supported oscap oval eval options are:
    --id
    --variables
    --directives
    --results
    --report
    --skip-valid
    --skip-validation
    --datastream-id
    --oval-id

  $ oscap-ssh user@host 22 oval collect [options] INPUT_CONTENT

  supported oscap oval collect options are:
    --id
    --syschar
    --variables
    --skip-valid
    --skip-validation

  specific option for oscap-ssh (must be first argument):
    --sudo

  To supply additional options to ssh/scp, define the SSH_ADDITIONAL_OPTIONS variable
  For instance, to ignore known hosts records, define SSH_ADDITIONAL_OPTIONS='-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'

  specific option for oscap-ssh (must be first argument):

  See `man oscap` to learn more about semantics of these options.

To understand oscap-ssh in greater detail, read its man pages by running man oscap-ssh.

SCAP Workbench

SCAP Workbench is a graphical user interface for OpenSCAP. You can use it for convenience instead of using oscap. For example, you can use SCAP Workbench for scanning a single machine, either local or remote (via SSH).

To use SCAP Workbench, both the scap-workbench and scap-security-guide packages need to be installed on the local machine. On the remote machine, the openscap-utils package needs to be installed.

To start SCAP Workbench, run the following command:

> scap-workbench
Start screen of SCAP Workbench
Figure 3: SCAP Workbench

Although not recommended, you can invoke and perform certain basic operations by using SCAP Workbench as a command-line tool. To know more, read its man page by running man scap-workbench.

7.3 Scanning a SUSE Linux Enterprise system

The following example shows how to scan SUSE Linux Enterprise 15 locally with oscap for vulnerability issues according to a certain profile. You can save the results in XML format and generate an HTML report.

Example 1: Scanning SUSE Linux Enterprise with oscap
> sudo oscap xccdf eval1 \
    --profile stig2 \
    --results /tmp/results.xml3 \
    --report /tmp/report.html4 \
    /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml5

1

Calls the oscap xccdf module and tells it to perform an evaluation (vulnerability scan).

2

Specifies the profile to use, in this case, stig.

3

Saves the results of the evaluation to /tmp/results.xml.

4

Generates an HTML report called /tmp/report.html in addition to the results in XML.

5

Specifies the SCAP Security Guide policy file to use. In this example, we use a policy file in the DataStream format that applies to SUSE Linux Enterprise code 15. To list all available policies, run: ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml. For more information about a particular policy, run oscap info on the file.

The evaluation process usually takes a few minutes, depending on the number of selected rules.

7.4 Using external or remote resources for scanning

SCAP content may reference external resources. For example, the SCAP Security Guide uses an external OVAL file to check whether the system is up to date and patched against known security vulnerabilities. However, OpenSCAP can handle remote resources differently, based on the options used while invoking the oscap command. In addition, you can use strategies like downloading specific remote resources in advance, and pointing the OpenSCAP tool towards the downloaded resources while invoking it.

7.4.1 Default warning for remote resources by OpenSCAP while performing evaluation

While evaluating SCAP content with external resources, the OpenSCAP tool displays a warning. For example, OpenSCAP displays the following warning while performing the default evaluation of a system based on the SCAP Security Guide:

> sudo oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_stig \
--results ssg-sle15-xccdf-stig-results.xml \
/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml

WARNING: Datastream component 'scap_org.open-scap_cref_pub-projects-security-oval-suse.linux.enterprise.15-
patch.xml.bz2' points out to the remote 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.
15-patch.xml.bz2'. Use '--fetch-remote-resources' option to download it.

WARNING: Skipping 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2' file
which is referenced from datastream

WARNING: Skipping ./pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2 file which is referenced
from XCCDF content

The following sections describe certain strategies to force OpenSCAP to fetch remote resources in real time, or download them in advance and use for evaluation and scanning the system.

7.4.2 Fetching remote resources for evaluation

If you trust your local content and the remote content it references, you can use the --fetch-remote-resources option to automatically download it when invoking the OpenSCAP tool.

> sudo oscap xccdf eval \
--fetch-remote-resources \
--profile xccdf_org.ssgproject.content_profile_stig \
--results ssg-sle15-xccdf-stig-results.xml \
/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml

Downloading: https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2 ... ok

--- Starting Evaluation —
...

However, if access to the Internet is unavailable at the time of evaluation, or is considered a security risk, you can instruct OpenSCAP to use local files instead of remote resources.

7.4.3 Downloading and saving remote resources locally for evaluation

On systems without Internet access, or in security sensitive deployments where OpenSCAP cannot connect to the Internet, download the remote content using other tools and save it locally. You can then pass it to OpenSCAP as a local file using the --local-files option, instead of the --fetch-remote-resources option.

For example, to prevent OpenSCAP from accessing the Internet but still use the patch file https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2, perform the following procedure.

  1. (Optional) Create a directory for storing the downloaded remote resources.

    > mkdir ~/scap-files 1

    1

    Directory to store downloaded remote resources. If you have identified a suitable directory, skip this step.

  2. Download the remote resource and save it as a local file.

    > wget -O ~/scap-files/pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz21 \
    https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz22

    1

    The path to the locally saved file.

    2

    The remote resource to be downloaded and saved locally.

    Note
    Note

    In this example, the name of the local file is not arbitrary. Notice the following information in the SCAP source data stream file available at /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml:

    > cat /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml | \
    grep -n "scap_org.open-scap_cref_pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2"
    
    17:          <cat:uri name="pub-projects-security-oval-suse.linux.enterprise.15.xml" uri="#scap_org.open-scap_cref_pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2"/>
    25:      <ds:component-ref id="scap_org.open-scap_cref_pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2" xlink:href="https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2"/>
  3. Run the evaluation using the local files downloaded earlier from the remote source.

    > sudo oscap xccdf eval \
     --local-files ~/scap-files \
     --profile xccdf_org.ssgproject.content_profile_stig \
     --results ssg-sle15-xccdf-stig-results.xml \
     /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml
    
     WARNING: Using local file '~/scap-files/pub-projects-security-oval-suse.linux.enterprise.15-patch.xml.bz2'
     instead of 'https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz2'
    
     --- Starting Evaluation —
    Tip
    Tip

    Download and use the specific files that are relevant for your SUSE Linux Enterprise product version, and avoid more generic ones. Being specific about the purpose and the files helps reduce the usage of server resources such as the processor, memory, storage and bandwidth. In addition, smaller file sizes also reduce the time required to complete the evaluation. For example, if you are interested only in SUSE Linux Enterprise 15 SP5, use the file available at https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-sp5-patch.xml.bz2.

  4. Optionally, you can generate an HTML report from the XML results file.

    > sudo oscap xccdf generate report ssg-sle15-xccdf-stig-results.xml >
    ssg-sle15-xccdf-stig-report.html
    Tip
    Tip

    You can generate an HTML report directly using the oscap xccdf eval --report option, but separating the scan and the HTML report generation leads to less usage of server resources.

7.5 Scanning and auditing systems using OVAL files

Using the OVAL content files for SUSE Linux Enterprise products, you can assess your SUSE Linux Enterprise systems and generate reports on the RPM package names and versions that are known to be affected by security issues in published CVEs.

The OVAL data provided by SUSE includes the following:

  • The patch-style OVAL data, which expresses all security updates on a patch level. These can include multiple CVEs per patch.

  • The vulnerability OVAL data, which expresses security vulnerabilities on a CVE level.

For detailed information on OVAL support provided by SUSE, refer to https://www.suse.com/support/security/oval/.

You can download OVAL files provided by SUSE from https://ftp.suse.com/pub/projects/security/oval/. As a best practice for scanning and auditing systems using OVAL files, perform the following procedure:

  1. (Optional) Create a directory for downloading and storing remote resources.

    > mkdir ~/oval-files 1

    1

    Directory to store downloaded remote resources such as OVAL patch files. If you have identified a suitable directory, skip this step.

  2. Download the remote resource and save it as a local file.

    > wget -O ~/oval-files/suse.linux.enterprise.15-patch.xml.bz21 \
    https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-patch.xml.bz22

    1

    The path to the locally saved file.

    2

    The remote resource to be downloaded and saved locally.

  3. Run the evaluation using the local files downloaded earlier from the remote source.

    > sudo oscap oval eval \
    --results sle15-oval-results.xml \
    ~/oval-files/suse.linux.enterprise.15-patch.xml.bz2 \
    
    Definition oval:org.opensuse.security:def:45435: false
    Definition oval:org.opensuse.security:def:45434: false
    Definition oval:org.opensuse.security:def:45433: false
    Definition oval:org.opensuse.security:def:45432: false
    Definition oval:org.opensuse.security:def:45431: false
    Definition oval:org.opensuse.security:def:45430: false
    Definition oval:org.opensuse.security:def:45429: false
    ...
    
    Evaluation done.
    Tip
    Tip

    Download and use the specific files that are relevant for your SUSE Linux Enterprise product version, and avoid more generic ones. Being specific about the purpose and the files helps reduce the usage of server resources such as the processor, memory, storage and bandwidth. In addition, smaller file sizes also reduce the time required to complete the evaluation. For example, if you are interested only in SUSE Linux Enterprise 15 SP5, use the file available at https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15-sp5-patch.xml.bz2.

  4. Optionally, you can generate an HTML report from the XML results file.

    > sudo oscap oval generate report results sle15-oval-results.xml >
    sle15-oval-report.html
    Tip
    Tip

    You can generate an HTML report directly using the oscap oval eval --report option, but separating the scan and the HTML report generation leads to less usage of server resources.

8 Vulnerability remediation

The security policy profiles in the SCAP Security Guide can not only be used to scan a target system and to generate reports, but also to automatically apply fixes to the target system (remediation), if possible.

Important
Important: Automatic remediation not always available

Automatic remediation is not offered in case the automatic application of a fix is too dangerous to be enforced in a running target system.

8.1 OpenSCAP remediation process

OpenSCAP allows to automatically remediate target systems that have been found in a non-compliant state. This requires an XCCDF file with instructions. The overall process is as follows:

  1. The oscap command-line tool performs a system scan.

  2. Each rule that fails is marked as a candidate for remediation.

  3. Within the XCCDF file, oscap then searches for an appropriate <xccdf:fix> element, resolves it, prepares the environment, and executes the fix script. The fix scripts can be either Bash *.sh files or Ansible playbook *.yml files.

  4. After the execution of the script, the respective rule is evaluated again to check if the fix was successful.

All results of the remediation are stored in an output XCCDF file.

8.2 OpenSCAP remediation options

For remediating a target system with oscap, you have the following options:

Remediation on the fly

You can remediate a target system on the fly, while you are scanning it. In this case, evaluation and remediation are performed as a part of a single command. For details, see Section 8.3.1, “Remediating SUSE Linux Enterprise (on the fly)”.

Remediation after scanning

You can remediate a target system after you have scanned it. In the first step, the system is only evaluated, and the results are stored in the XCCDF results file. In the second step, oscap executes the fix scripts and verifies the result. For details, see Section 8.3.2, “Remediating SUSE Linux Enterprise (after scanning)”.

Review mode

The review mode allows to save remediation instructions to a file for further review. The remediation content is not executed during this operation. For details, see Section 8.3.3, “Storing SLE remediation instructions for review”.

8.3 Remediating a SLE system with oscap

The following examples show how to scan and remediate SUSE Linux Enterprise locally with oscap to comply with a certain profile.

8.3.1 Remediating SUSE Linux Enterprise (on the fly)

For remediation on the fly, use the --remediate command-line option.

Example 2: Remediating SLE 15 (on the fly)
> sudo oscap xccdf eval --remediate1 \
     --profile stig2 \
     --results /tmp/results.xml3 \
     /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml4

1

Calls the oscap xccdf module and tells it to perform an evaluation plus a remediation of the target system in one go.

2

Specifies the profile to use, in this case, stig.

3

Saves the results of the evaluation to /tmp/results.xml.

4

Specifies the SCAP Security Guide policy file to use. In this example, we use a policy file in the DataStream format that applies to SUSE Linux Enterprise code 15. To list all available policies, run: ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml. For more information about a particular policy, run oscap info on the file.

In the resulting /tmp/results.xml file, the first TestResult element shows the result of the scan before the remediation. The second TestResult element shows the result of the scan after applying the remediation. In the second TestResult element, if the result of a rule is fixed, this means that the fix was successfully applied, and this rule now passes evaluation. If the result of a rule is error, this means that the remediation for this rule was not successful, and the rule still does not pass evaluation.

8.3.2 Remediating SUSE Linux Enterprise (after scanning)

In this example, we first execute a scan and then run the remediation as next step.

Example 3: Remediating SLE (after scanning)
  1. > sudo oscap xccdf eval1 \
          --profile stig2 \
          --results /tmp/results.xml3 \
          /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml4

    1

    Calls the oscap xccdf module and tells it to perform an evaluation.

    2

    Specifies the profile to use, in this case, stig.

    3

    Saves the results of the evaluation as an XCCDF file to /tmp/results.xml.

    4

    Specifies the SCAP Security Guide policy file to use. In this example, we use a policy file in the DataStream format that applies to SUSE Linux Enterprise code 15. To list all available policies, run: ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml. For more information about a particular policy, run oscap info on the file.

    During this step, the system is only evaluated, and the results are stored in a TestResult element in /tmp/results.xml.

  2. > sudo oscap xccdf remediate1 \
         --results /tmp/results.xml2 \
         /tmp/results.xml3

    1

    Calls the oscap xccdf module and tells it to perform a remediation.

    2

    Saves the results of the remediation to /tmp/results.xml.

    3

    Uses the /tmp/results.xml XCCDF file from the first step (evaluation) as input file.

    During this step, the results file from the first step is used as input for the oscap command. You can safely store the results from the second step in the same file that you use as input file, /tmp/results.xml. During this run, oscap creates a new xccdf:TestResult element in the file. The new element is based on the previous one and inherits all the data. The newly created xccdf:TestResult element differs only in the rule-result elements which failed in the first run. Only for those is the remediation executed.

8.3.3 Storing SLE remediation instructions for review

You can also run oscap in review mode to store remediation instructions to a file for further review. During this operation, the remediation content is not executed. The following shows how to generate remediation instructions in the form of a shell script:

Example 4: Storing SLE 15 remediation instructions for review
> sudo oscap xccdf generate fix1 \
     --template urn:xccdf:fix:script:sh2 \
     --profile stig3 \
     --output my-remediation-script.sh4 \
     /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml5

1

Calls the oscap xccdf module and tells it to generate a file with remediation instructions.

2

Specifies the template to use, in this case, a shell script.

3

Specifies the profile to use, in this case, stig.

4

Specifies the file to which the remediation instructions are written.

5

Specifies the SCAP Security Guide policy file to use. In this example, we use a policy file in the DataStream format that applies to SUSE Linux Enterprise code 15. To list all available policies, run: ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml. For more information about a particular policy, run oscap info on the file.

8.4 Remediating a SLE system with Ansible

You can use the Ansible playbooks provided by the SCAP Security Guide to remediate a local system.

The ansible package is available from SUSE Package Hub. Register your SUSE Linux Enterprise system and enable the SUSE Package Hub extension. For SUSE Linux Enterprise 12, you additionally need to enable the Public Cloud module. Then install the package with sudo zypper in ansible.

Example 5: Remediating SLE 15 with Ansible

For example, to remediate your system using the STIG Ansible playbook for SUSE Linux Enterprise 15 provided by the SCAP Security Guide, use the following command.

Warning
Warning: System configuration changes

The following command alters the configuration of your system immediately. Make sure to test this thoroughly in a non-production system first.

> sudo ansible-playbook -i "localhost," -c local \
/usr/share/scap-security-guide/ansible/sle15-playbook-stig.yml

After the playbook has finished, you are prompted to log in to your system, which is now compliant to the chosen policy.

10 Legal Notice

Copyright © 2006–2024 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled GNU Free Documentation License.

For SUSE trademarks, see https://www.suse.com/company/legal/. All third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.