SUSE Linux Enterprise Server

Hardening SUSE Linux Enterprise with OpenSCAP

This document introduces you to auditing and hardening SUSE Linux Enterprise with OpenSCAP and the SCAP Security Guide.

Publication Date: January 26, 2023

1 What are SCAP and OpenSCAP?

SCAP stands for Security Content Automation Protocol. It is a framework of specifications that support automated configuration, vulnerability scanning, and policy compliance evaluation of systems deployed in an organization. It also standardizes how vulnerabilities and security configurations are communicated both to machines and human beings.

OpenSCAP is a collection of open source tools that implement the SCAP framework for Linux. SCAP is maintained by the National Institute of Standards and Technology (NIST). OpenSCAP received the SCAP 1.2 certification by NIST in 2014.

2 Benefits

The OpenSCAP tools, together with the SCAP Security Guide, can be used to audit your system in an automated way. The SCAP Security Guide implements security guidance recommended by respected authorities. This guidance is transformed into a machine-readable format which can then be used by OpenSCAP and other tools.

3 Important SCAP components

SCAP consists of the following important components which interact with each other.

Open Vulnerability and Assessment Language (OVAL)

An XML format for testing the presence of a specific state.

Extensible Configuration Checklist Description Format (XCCDF)

An XML format that specifies security checklists, benchmarks and configuration documentation. The XCCDF file includes a benchmark as a set of different profiles related to different groups. Each group is a set of rules which have OVAL definitions. Each profile is related to different good practices such as STIG, HIPAA, PCI-DSS, or ANSSI.

Common Platform Enumeration (CPE)

A structured naming scheme to identify information technology systems, platforms and software packages. It is maintained by NIST and the NVD. The naming scheme consists of the following elements: cpe:/part:vendor:product:version:update:edition:language

DataStreams (DS)

An XML format which packs different SCAP components (CPE, XCCDF, OVAL) into a single file. It can be used to distribute SCAP content over the network. The DataStreams files are very useful because they include everything you need when you want to harden and audit your SUSE Linux Enterprise system.

Common Configuration Enumeration (CCE)

Unique identifiers to security-related system configuration issues.

4 SCAP Security Guide content and directories

SUSE ships the SCAP Security Guide (SSG) toolset in the scap-security-guide package. It contains the latest set of security policies for Linux systems. The SCAP Security Guide is maintained upstream in the ComplianceAsCode repository.

After you have installed the package, the SSG security content and the related files are available in your system from the following directories:

Overview of files and directories
/usr/share/xml/scap/ssg/content/

Contains the SSG security content. It consists of several of the SCAP components described in Section 3, all of which are XML-based. All XML files in that directory are named according to the SCAP component and to the SUSE Linux Enterprise codestream they apply to (code 12 or 15). The directory also holds XML files specific to openSUSE.

/usr/share/doc/scap-security-guide/guides/

Contains profiles for different hardening policies in human-readable format. They describe the profiles that are included in the DataStream files. The profiles applicable to SUSE Linux Enterprise are codestream-specific and differ between code 12 and code 15. Each profile is a guide on how to secure your operating system according to a regulation that you want your system to comply with.

The guides usually have the following structure:

  • Short description

  • Profile Title. For example: DISA STIG for SUSE Linux Enterprise 15

  • Profile ID. For example: xccdf_org.ssgproject.content_profile_stig

  • Revision History. Information about the current version and status of the profile. For example: xccdf_org.ssgproject.content_profile_stig

  • Platforms (in CPE notation). Which product or system the profile applies to. For example: cpe:/o:suse:linux_enterprise_server:15

  • A table of contents

  • A checklist which consists of groups (and subgroups) with rules

    Each rule consists of a short description, the rationale behind the rule, a severity (low, medium or high) and a unique identifier in the Common Configuration Enumeration (CCE) format. The CCE number for each rule is provided to SUSE by NIST.

    Each rule also lists references to different good practices. For example, the rule known by the unique identifier CCE-83289-9 in STIG has a reference to a specific good practice A.12.4.1 in ISO/IEC 27001:2013.

    If remediation options exist for a rule, they are listed in different formats.

/usr/share/scap-security-guide

Contains subdirectories with fix scripts which can be used to remediate the target system in case a vulnerability is found during a scan. Fix scripts are available in the following two formats: Shell scripts (bash/*.sh) and Ansible snippets (ansible/*.yml).

5 SCAP Security Guide profiles

The SCAP Security Guide contains multiple profiles. The profiles applicable to SUSE Linux Enterprise are codestream-specific and differ between code 12 and code 15.

They are maintained and hosted here:

After the installation of the scap-security-guide package, human-readable versions of the profiles are available in your file system in /usr/share/doc/scap-security-guide/guides.

Alternatively, find the same content online as static HTML pages:

In the online versions, use the drop-down list in the upper-right corner of the page to select one of the available profiles and to view a command-line snippet about how to evaluate the respective profile with OpenSCAP.

5.1 SUSE Linux Enterprise 15 profiles

For code 15, the following profiles are supported by SUSE:

  • ANSSI-BP-028 (enhanced)

  • ANSSI-BP-028 (high)

  • ANSSI-BP-028 (intermediary)

  • ANSSI-BP-028 (minimal)

  • DISA STIG for SUSE Linux Enterprise 15

  • Health Insurance Portability and Accountability Act (HIPAA)

  • PCI-DSS v.3.2.1 Control Baseline for SUSE Linux Enterprise 15

  • Public Cloud Hardening for SUSE Linux Enterprise 15

Figure 1: SCAP Security Guide profiles for SUSE Linux Enterprise 15

5.2 SUSE Linux Enterprise 12 profiles

For code 12, the following profiles are supported by SUSE:

  • ANSSI-BP-028 (enhanced)

  • ANSSI-BP-028 (high)

  • ANSSI-BP-028 (intermediary)

  • ANSSI-BP-028 (minimal)

  • DISA STIG for SUSE Linux Enterprise 12

Figure 2: SCAP Security Guide profiles for SUSE Linux Enterprise 12

6 Vulnerability scanning

6.1 Targets to scan

The content provided by the SCAP Security Guide can be used to scan the following targets for vulnerabilities:

  • bare-metal machines

  • virtual machines

  • virtual machine images

  • containers

  • container images

Automated checks help to identify the target and to select only the rules that make sense for this specific target. For example, checks for separate partitions make sense for bare-metal machines but not for containers.

6.2 Tools for scanning

Depending on your setup and the target to scan (remote or local), you can use one of the following tools:

oscap

A command-line interface that can be used to scan local machines. Both the openscap-utils and scap-security-guide packages need to be installed on the local machine.

SCAP Workbench

A graphical user interface that can be used for scanning a single machine, either local or remote (via SSH). Both the scap-workbench and scap-security-guide packages need to be installed on the local machine. On the remote machine, the openscap-utils package needs to be installed.

oscap-ssh

A command-line interface that can be used to scan a remote machine via SSH with an interface resembling the oscap tool. The openscap-utils package needs to be installed on both the local and the remote machine.

6.3 Scanning a SUSE Linux Enterprise system

The following example shows how to scan SUSE Linux Enterprise 15 locally with oscap for vulnerability issues according to a certain profile. In addition to saving the results in XML format, an HTML report can be generated.

Example 1: Scanning SUSE Linux Enterprise with oscap

> sudo oscap xccdf eval \
    --profile stig \
    --results /tmp/results.xml \
    --report /tmp/report.html \
    /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml

  • eval: Calls the oscap xccdf module and tells it to perform an evaluation (vulnerability scan).

  • --profile stig: Specifies the profile to use, in this case, stig.

  • --results /tmp/results.xml: Saves the results of the evaluation to /tmp/results.xml.

  • --report /tmp/report.html: Generates an HTML report called /tmp/report.html in addition to the results in XML.

  • ssg-sle15-ds-1.2.xml: Specifies the SCAP Security Guide policy file to use. In this example, we use a policy file in DataStream format that applies to SUSE Linux Enterprise code 15. To list all available policies, run: ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml. For more information about a particular policy, run oscap info on the file.

The evaluation process usually takes a few minutes, depending on the number of selected rules.

7 Vulnerability remediation

The security policy profiles in the SCAP Security Guide can not only be used to scan a target system and to generate reports, but also to automatically apply fixes to the target system (remediation), if possible.

Important
Important: Automatic remediation not always available

Automatic remediation is not offered in case the automatic application of a fix is too dangerous to be enforced in a running target system.

7.1 OpenSCAP remediation process

OpenSCAP can automatically remediate target systems that have been found in a non-compliant state. This requires an XCCDF file with instructions. The overall process is as follows:

  1. The oscap command-line tool performs a system scan.

  2. Each rule that fails is marked as a candidate for remediation.

  3. Within the XCCDF file, oscap then searches for an appropriate <xccdf:fix> element, resolves it, prepares the environment, and executes the fix script. The fix scripts can be either Bash *.sh files or Ansible playbook *.yml files.

  4. After the execution of the script, the respective rule is evaluated again to check if the fix was successful.

All results of the remediation are stored in an output XCCDF file.

7.2 OpenSCAP remediation options

For remediating a target system with oscap, you have the following options:

Remediation on the fly

You can remediate a target system on the fly, while you are scanning it. In this case, evaluation and remediation are performed as a part of a single command. For details, see Section 7.3.1, “Remediating SUSE Linux Enterprise (on the fly)”.

Remediation after scanning

You can remediate a target system after you have scanned it. In the first step, the system is only evaluated, and the results are stored in the XCCDF results file. In the second step, oscap executes the fix scripts and verifies the result. For details, see Section 7.3.2, “Remediating SUSE Linux Enterprise (after scanning)”.

Review mode

The review mode lets you save remediation instructions to a file for further review. The remediation content is not executed during this operation. For details, see Section 7.3.3, “Storing SLE remediation instructions for review”.

7.3 Remediating a SLE system with oscap

The following examples show how to scan and remediate SUSE Linux Enterprise locally with oscap to comply with a certain profile.

7.3.1 Remediating SUSE Linux Enterprise (on the fly)

For remediation on the fly, use the --remediate command-line option.

Example 2: Remediating SLE 15 (on the fly)

> sudo oscap xccdf eval --remediate \
     --profile stig \
     --results /tmp/results.xml \
     /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml

  • eval --remediate: Calls the oscap xccdf module and tells it to perform an evaluation plus a remediation of the target system in one go.

  • --profile stig: Specifies the profile to use, in this case, stig.

  • --results /tmp/results.xml: Saves the results of the evaluation to /tmp/results.xml.

  • ssg-sle15-ds-1.2.xml: Specifies the SCAP Security Guide policy file to use. In this example, we use a policy file in DataStream format that applies to SUSE Linux Enterprise code 15. To list all available policies, run: ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml. For more information about a particular policy, run oscap info on the file.

In the resulting /tmp/results.xml file, the first TestResult element shows the result of the scan prior to the remediation. The second TestResult element shows the result of the scan after applying the remediation. In the second TestResult element, if the result of a rule is fixed, this means that the fix was successfully applied, and this rule now passes evaluation. If the result of a rule is error, this means that remediation for this rule was not successful, and the rule still does not pass evaluation.

7.3.2 Remediating SUSE Linux Enterprise (after scanning)

In this example, we first execute a scan and then run the remediation as next step.

Example 3: Remediating SLE (after scanning)

  1. Scan the system:

     > sudo oscap xccdf eval \
           --profile stig \
           --results /tmp/results.xml \
           /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml

     • eval: Calls the oscap xccdf module and tells it to perform an evaluation.

     • --profile stig: Specifies the profile to use, in this case, stig.

     • --results /tmp/results.xml: Saves the results of the evaluation as an XCCDF file to /tmp/results.xml.

     • ssg-sle15-ds-1.2.xml: Specifies the SCAP Security Guide policy file to use. In this example, we use a policy file in DataStream format that applies to SUSE Linux Enterprise code 15. To list all available policies, run: ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml. For more information about a particular policy, run oscap info on the file.

     During this step, the system is only evaluated, and the results are stored in a TestResult element in /tmp/results.xml.

  2. Remediate the system using the results of the first step:

     > sudo oscap xccdf remediate \
           --results /tmp/results.xml \
           /tmp/results.xml

     • remediate: Calls the oscap xccdf module and tells it to perform a remediation.

     • --results /tmp/results.xml: Saves the results of the remediation to /tmp/results.xml.

     • /tmp/results.xml (positional argument): Uses the /tmp/results.xml XCCDF file from the first step (evaluation) as input file.

     During this step, the results file from the first step is used as input for the oscap command. You can safely store the results from the second step in the same file that you use as input file, /tmp/results.xml. During this run, oscap creates a new xccdf:TestResult element in the file. The new element is based on the previous one and inherits all the data. The newly created xccdf:TestResult element differs only in the rule-result elements which had failed in the first run. Only for those is the remediation executed.
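The results file described in Section 6.3 and the pairs of TestResult elements described in Section 7.3.1 and in the step above can be inspected with a short script. The following Python is an added example, not part of SUSE's documentation or of the OpenSCAP project; it parses a constructed sample in the shape of /tmp/results.xml (the rule ids are made up, the profile and CPE platform ids are the ones used in this document) and reports which failed rules ended up fixed or in error.

```python
"""Summarise the xccdf:TestResult elements oscap writes to a results file."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample in the shape oscap leaves in /tmp/results.xml after
# "oscap xccdf eval --remediate": the first TestResult is the scan, the second
# the re-evaluation after the fix scripts ran. The rule ids are made up.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_SLE-15">
<TestResult id="xccdf_org.open-scap_testresult_stig">
 <profile idref="xccdf_org.ssgproject.content_profile_stig"/>
 <platform idref="cpe:/o:suse:linux_enterprise_server:15"/>
 <rule-result idref="xccdf_org.ssgproject.content_rule_example_a" severity="medium"><result>pass</result></rule-result>
 <rule-result idref="xccdf_org.ssgproject.content_rule_example_b" severity="high"><result>fail</result></rule-result>
 <rule-result idref="xccdf_org.ssgproject.content_rule_example_c" severity="low"><result>fail</result></rule-result>
</TestResult>
<TestResult id="xccdf_org.open-scap_testresult_stig_remediated">
 <profile idref="xccdf_org.ssgproject.content_profile_stig"/>
 <platform idref="cpe:/o:suse:linux_enterprise_server:15"/>
 <rule-result idref="xccdf_org.ssgproject.content_rule_example_a" severity="medium"><result>pass</result></rule-result>
 <rule-result idref="xccdf_org.ssgproject.content_rule_example_b" severity="high"><result>fixed</result></rule-result>
 <rule-result idref="xccdf_org.ssgproject.content_rule_example_c" severity="low"><result>error</result></rule-result>
</TestResult>
</Benchmark>"""

def parse_test_results(xml_text):
    """One dict per TestResult, in document order (the scan comes first)."""
    runs = []
    # iter() finds TestResult at any depth, so a real results file (a whole
    # DataStream with TestResult appended) parses the same way as the sample.
    for tr in ET.fromstring(xml_text).iter("{%s}TestResult" % NS["x"]):
        rules = {rr.get("idref"): (rr.findtext("x:result", namespaces=NS), rr.get("severity"))
                 for rr in tr.findall("x:rule-result", NS)}
        runs.append({"id": tr.get("id"),
                     "profile": tr.find("x:profile", NS).get("idref"),
                     "platform": tr.find("x:platform", NS).get("idref"),  # CPE name
                     "counts": Counter(res for res, _ in rules.values()),
                     "rules": rules})
    return runs

def remediation_outcome(runs):
    """Compare the first TestResult (scan) with the last one (after remediation).
    'fixed' = fix applied and the rule now passes; 'error' = fix ran, rule still fails."""
    before, after = runs[0]["rules"], runs[-1]["rules"]
    failed = [r for r, (res, _) in before.items() if res == "fail"]
    fixed = sorted(r for r in failed if after[r][0] == "fixed")
    errors = sorted((r, after[r][1]) for r in failed if after[r][0] == "error")
    return fixed, errors

if __name__ == "__main__":
    runs = parse_test_results(SAMPLE)  # or open("/tmp/results.xml").read()
    for run in runs:
        print(run["id"], run["platform"], dict(run["counts"]))
    fixed, errors = remediation_outcome(runs)
    print("fixed:", fixed)
    print("still failing (severity):", errors)
```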

7.3.3 Storing SLE remediation instructions for review

You can also run oscap in review mode to store remediation instructions to a file for further review. During this operation, the remediation content is not executed. The following shows how to generate remediation instructions in the form of a shell script:

Example 4: Storing SLE 15 remediation instructions for review

> sudo oscap xccdf generate fix \
     --template urn:xccdf:fix:script:sh \
     --profile stig \
     --output my-remediation-script.sh \
     /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml

  • generate fix: Calls the oscap xccdf module and tells it to generate a file with remediation instructions.

  • --template urn:xccdf:fix:script:sh: Specifies the template to use, in this case, a shell script.

  • --profile stig: Specifies the profile to use, in this case, stig.

  • --output my-remediation-script.sh: Specifies the file to which the remediation instructions are written.

  • ssg-sle15-ds-1.2.xml: Specifies the SCAP Security Guide policy file to use. In this example, we use a policy file in DataStream format that applies to SUSE Linux Enterprise code 15. To list all available policies, run: ls -1 /usr/share/xml/scap/ssg/content/ssg-*-ds.xml. For more information about a particular policy, run oscap info on the file.

9 Legal Notice

Copyright © 2006–2023 SUSE LLC and contributors. All rights reserved.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled GNU Free Documentation License.

For SUSE trademarks, see http://www.suse.com/company/legal/. All third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.