System Security with OpenSCAP

SUSE Manager uses OpenSCAP to audit clients. It allows you to schedule and view compliance scans for any client.

1. About SCAP

The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. It is a line of specifications maintained by the National Institute of Standards and Technology (NIST) for maintaining system security for enterprise systems.

SCAP was created to provide a standardized approach to maintaining system security, and the standards that are used continually change to meet the needs of the community and enterprise businesses. New specifications are governed by NIST’s SCAP Release cycle to provide a consistent and repeatable revision work flow. For more information, see:

SUSE Manager uses OpenSCAP to implement the SCAP specifications. OpenSCAP is an auditing tool that utilizes the Extensible Configuration Checklist Description Format (XCCDF). XCCDF is a standard way of expressing checklist content and defines security checklists. It also combines with other specifications such as Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), and Open Vulnerability and Assessment Language (OVAL), to create a SCAP-expressed checklist that can be processed by SCAP-validated products.

OpenSCAP verifies the presence of patches by using content produced by the SUSE Security Team. OpenSCAP checks system security configuration settings and examines systems for signs of compromise by using rules based on standards and specifications. For more information about the SUSE Security Team, see https://www.suse.com/support/security.

2. Prepare Clients for an SCAP Scan

Before you begin, you need to prepare your client systems for SCAP scanning.

OpenSCAP auditing is not available on Salt clients that use the SSH contact method.

Scanning clients can consume a lot of memory and compute power on the client being scanned. For Red Hat clients, ensure you have at least 2 GB of RAM available on each client to be scanned.

Install the OpenSCAP scanner and the SCAP Security Guide (content) packages on the client before you begin. Depending on the operating system, these packages are included either on the base operating system, or in the SUSE Manager Client Tools.

The table below lists the packages you need:

Table 1. OpenSCAP packages
Operating system Scanner Content

SLES

openscap-utils

scap-security-guide

openSUSE

openscap-utils

scap-security-guide

RHEL

openscap-utils

scap-security-guide-redhat

CentOS

openscap-utils

scap-security-guide-redhat

Oracle Linux

openscap-utils

scap-security-guide-redhat

Ubuntu

libopenscap8

scap-security-guide-ubuntu

Debian

libopenscap8

scap-security-guide-debian

RHEL 7 and compatible systems provide a scap-security-guide package, which contains outdated contents. You are advised to use the scap-security-guide-redhat package you will find in the SUSE Manager Client Tools.

SUSE provides the scap-security-guide package for different openscap profiles. In the current version of scap-security-guide, SUSE supports the following profiles:

  • DISA STIG profile for SUSE Linux Enterprise Server 12 and 15

  • ANSSI-BP-028 profile for SUSE Linux Enterprise Server 12 and 15

  • PCI-DSS profile for SUSE Linux Enterprise Server 12 and 15

  • HIPAA profile for SUSE Linux Enterprise Server 15

  • CIS profile for SUSE Linux Enterprise Server 12 and 15

  • Hardening for Public Cloud Image of SUSE Linux Enterprise Server for SAP Applications 15

  • Public Cloud Hardening for SUSE Linux Enterprise 15

  • Standard System Security profile for SLE 12 and 15

Any other profile out of this lists are community supplied and not officially supported by SUSE.

For Non-SUSE operating systems the included profiles are community supplied. They are not officially supported by SUSE.

3. OpenSCAP Content Files

OpenSCAP uses SCAP content files to define test rules. These content files are created based on the XCCDF or OVAL standards. In addition to the SCAP Security Guide, you can download publicly available content files and customize it to your requirements. You can install the SCAP Security Guide package for default content file templates. Alternatively, if you are familiar with XCCDF or OVAL, you can create your own content files.

We recommend you use templates to create your SCAP content files. If you create and use your own custom content files, you do so at your own risk. If your system becomes damaged through the use of custom content files, you might not be supported by SUSE.

When you have created your content files, you need to transfer the file to the client. You can do this in the same way as you move any other file, using physical storage media, or across a network with Salt (for example, salt-cp or the Salt File Server), ftp or scp.

We recommend that you create a package to distribute content files to clients that you are managing with SUSE Manager. Packages can be signed and verified to ensure their integrity. For more information, see Custom Channels.

4. Find OpenSCAP profiles

Different operating systems make available different OpenSCAP content files and profiles. One content file may contain more than one profile.

On RPM-based operating systems, use this command to determine the location of the available SCAP files:

rpm -ql <scap-security-guide-package-name-from-table>

On DEB-based operating systems, use this command to determine the location of the available SCAP files:

dpkg -L <scap-security-guide-package-name-from-table>

When you have identified one SCAP content file that suits your needs, list profiles available on the client:

oscap info /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml
Document type: Source Data Stream
Imported: 2021-03-24T18:14:45

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-sle15-xccdf-1.2.xml
Generated: (null)
Version: 1.2
Checklists:
        Ref-Id: scap_org.open-scap_cref_ssg-sle15-xccdf-1.2.xml
                Status: draft
                Generated: 2021-03-24
                Resolved: true
                Profiles:
                        Title: CIS SUSE Linux Enterprise 15 Benchmark
                                Id: xccdf_org.ssgproject.content_profile_cis
                        Title: Standard System Security Profile for SUSE Linux Enterprise 15
                                Id: xccdf_org.ssgproject.content_profile_standard
                        Title: DISA STIG for SUSE Linux Enterprise 15
                                Id: xccdf_org.ssgproject.content_profile_stig
                Referenced check files:
                        ssg-sle15-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-sle15-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
                        https://ftp.suse.com/pub/projects/security/oval/suse.linux.enterprise.15.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
        Ref-Id: scap_org.open-scap_cref_ssg-sle15-oval.xml
        Ref-Id: scap_org.open-scap_cref_ssg-sle15-ocil.xml
        Ref-Id: scap_org.open-scap_cref_ssg-sle15-cpe-oval.xml
Dictionaries:
        Ref-Id: scap_org.open-scap_cref_ssg-sle15-cpe-dictionary.xml

Take a note of the file paths and profiles for performing the scan.

5. Perform an Audit Scan

When you have installed or transferred your content files, you can perform audit scans. Audit scans can be triggered using the SUSE Manager Web UI. You can also use the SUSE Manager API to schedule regular scans.

Procedure: Running an Audit Scan from the Web UI
  1. In the SUSE Manager Web UI, navigate to Systems  Systems List and select the client you want to scan.

  2. Navigate to the Audit tab, and the Schedule subtab.

  3. In the Path to XCCDF Document field, enter the parameters for the SCAP template and profile you want to use on the client. For example:

      Command: /usr/bin/oscap xccdf eval
      Command-line arguments: --profile xccdf_org.ssgproject.content_profile_stig
      Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml

    If you use --fetch-remote-resources parameter a lot of RAM is required. In addition, you may need to increase the value of file_recv_max_size.

  4. The scan runs at the client’s next scheduled synchronization.

The XCCDF content file is validated before it is run on the remote system. If the content file includes invalid arguments, the test fails.

Procedure: Running an Audit Scan from the API
  1. Before you begin, ensure that the client to be scanned has Python and XML-RPC libraries installed.

  2. Choose an existing script or create a script for scheduling a system scan through system.scap.scheduleXccdfScan. For example:

    #!/usr/bin/python3
    client = xmlrpc.client.ServerProxy('https://server.example.com/rpc/api')
    key = client.auth.login('username', 'password')
    client.system.scap.scheduleXccdfScan(key, <1000010001>,
        '<path_to_xccdf_file.xml>',
        '--profile <profile_name>')

    In this example: * <1000010001> is the system ID (sid). * <path_to_xccdf_file.xml> is the path to the content file location on the client. For example, /usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml. * <profile_name> is an additional argument for the oscap command. For example, use united_states_government_configuration_baseline (USGCB).

  3. Run the script on the client you want to scan, from the command prompt.

6. Scan Results

Information about the scans you have run is in the SUSE Manager Web UI. Navigate to to Audit  OpenSCAP  All Scans for a table of results. For more information about the data in this table, see All Scans.

To ensure that detailed information about scans is available, you need to enable it on the client. In the SUSE Manager Web UI, navigate to Admin  Organizations and click on the organization the client is a part of. Navigate to the Configuration tab, and check the Enable Upload of Detailed SCAP Files option. When enabled, this generates an additional HTML file on every scan, which contains extra information. The results show an extra line similar to this:

Detailed Results: xccdf-report.html xccdf-results.xml scap-yast2sec-oval.xml.result.xml

To retrieve scan information from the command line, use the spacewalk-report command:

spacewalk-report system-history-scap
spacewalk-report scap-scan
spacewalk-report scap-scan-results

You can also use the SUSE Manager API to view results, with the system.scap handler.

7. Remediation

Remediation Bash scripts and Ansible playbooks are provided in the same SCAP Security Guide packages to harden the client systems. For example:

Listing 1. bash scripts
/usr/share/scap-security-guide/bash/sle15-script-cis.sh
/usr/share/scap-security-guide/bash/sle15-script-standard.sh
/usr/share/scap-security-guide/bash/sle15-script-stig.sh
Listing 2. Ansible playbooks
/usr/share/scap-security-guide/ansible/sle15-playbook-cis.yml
/usr/share/scap-security-guide/ansible/sle15-playbook-standard.yml
/usr/share/scap-security-guide/ansible/sle15-playbook-stig.yml

You can run them using remote commands or with Ansible, after enabling Ansible in the client system.

7.1. Run remediation using a Bash script

Install the scap-security-guide package on all your target systems. For more information, see Setup Ansible Control Node.

Packages, channels and scripts are different for each operating system and distribution. Examples are listed in the Example remediation Bash scripts section.

7.1.1. Run the Bash script on single systems as a remote command

Run the Bash script as a remote command on single systems.

  1. From System  Overview tab, select your instance. Then in Details  Remote Commands, write a Bash script such as:

    #!/bin/bash
    chmod +x -R /usr/share/scap-security-guide/bash
    /usr/share/scap-security-guide/bash/sle15-script-stig.sh
  2. Click Schedule.

Folder and script names change between distribution and version. Examples are listed in the Example remediation Bash scripts section.

7.1.2. Run the bash script using System Set Manager on multiple systems

Run the Bash script as a remote command on multiple systems at once.

  1. When a system group has been created click System Groups, select Use in SSM from the table.

  2. From the System Set Manager, under Misc  Remote Command, write a Bash script such as:

    #!/bin/bash
    chmod +x -R /usr/share/scap-security-guide/bash
    /usr/share/scap-security-guide/bash/sle15-script-stig.sh
  3. Click Schedule.

7.2. Example remediation Bash scripts

7.2.1. SUSE Linux Enterprise openSUSE and variants

Example SUSE Linux Enterprise and openSUSE script data.

Package

scap-security-guide

Channels
  • SLE12: SLES12 Updates

  • SLE15: SLES15 Module Basesystem Updates

Bash script directory

/usr/share/scap-security-guide/bash/

Bash scripts
opensuse-script-standard.sh
sle12-script-standard.sh
sle12-script-stig.sh
sle15-script-cis.sh
sle15-script-standard.sh
sle15-script-stig.sh

7.2.2. Red Hat Enterprise Linux and CentOS Bash script data

Example Red Hat Enterprise Linux and CentOS script data.

scap-security-guide in centos7-updates only contains the Red Hat Enterprise Linux script.

Package

scap-security-guide-redhat

Channels
  • SUSE Manager Tools

Bash script directory

/usr/share/scap-security-guide/bash/

Bash scripts
centos7-script-pci-dss.sh
centos7-script-standard.sh
centos8-script-pci-dss.sh
centos8-script-standard.sh
fedora-script-ospp.sh
fedora-script-pci-dss.sh
fedora-script-standard.sh
ol7-script-anssi_nt28_enhanced.sh
ol7-script-anssi_nt28_high.sh
ol7-script-anssi_nt28_intermediary.sh
ol7-script-anssi_nt28_minimal.sh
ol7-script-cjis.sh
ol7-script-cui.sh
ol7-script-e8.sh
ol7-script-hipaa.sh
ol7-script-ospp.sh
ol7-script-pci-dss.sh
ol7-script-sap.sh
ol7-script-standard.sh
ol7-script-stig.sh
ol8-script-anssi_bp28_enhanced.sh
ol8-script-anssi_bp28_high.sh
ol8-script-anssi_bp28_intermediary.sh
ol8-script-anssi_bp28_minimal.sh
ol8-script-cjis.sh
ol8-script-cui.sh
ol8-script-e8.sh
ol8-script-hipaa.sh
ol8-script-ospp.sh
ol8-script-pci-dss.sh
ol8-script-standard.sh
rhel7-script-anssi_nt28_enhanced.sh
rhel7-script-anssi_nt28_high.sh
rhel7-script-anssi_nt28_intermediary.sh
rhel7-script-anssi_nt28_minimal.sh
rhel7-script-C2S.sh
rhel7-script-cis.sh
rhel7-script-cjis.sh
rhel7-script-cui.sh
rhel7-script-e8.sh
rhel7-script-hipaa.sh
rhel7-script-ncp.sh
rhel7-script-ospp.sh
rhel7-script-pci-dss.sh
rhel7-script-rhelh-stig.sh
rhel7-script-rhelh-vpp.sh
rhel7-script-rht-ccp.sh
rhel7-script-standard.sh
rhel7-script-stig_gui.sh
rhel7-script-stig.sh
rhel8-script-anssi_bp28_enhanced.sh
rhel8-script-anssi_bp28_high.sh
rhel8-script-anssi_bp28_intermediary.sh
rhel8-script-anssi_bp28_minimal.sh
rhel8-script-cis.sh
rhel8-script-cjis.sh
rhel8-script-cui.sh
rhel8-script-e8.sh
rhel8-script-hipaa.sh
rhel8-script-ism_o.sh
rhel8-script-ospp.sh
rhel8-script-pci-dss.sh
rhel8-script-rhelh-stig.sh
rhel8-script-rhelh-vpp.sh
rhel8-script-rht-ccp.sh
rhel8-script-standard.sh
rhel8-script-stig_gui.sh
rhel8-script-stig.sh
rhel9-script-pci-dss.sh
rhosp10-script-cui.sh
rhosp10-script-stig.sh
rhosp13-script-stig.sh
rhv4-script-pci-dss.sh
rhv4-script-rhvh-stig.sh
rhv4-script-rhvh-vpp.sh
sl7-script-pci-dss.sh
sl7-script-standard.sh

7.2.3. Ubuntu Bash script data

Example Ubuntu script data.

Package

scap-security-guide-ubuntu

Channels
  • SUSE Manager Tools

Bash script directory

/usr/share/scap-security-guide/

Bash scripts
ubuntu1804-script-anssi_np_nt28_average.sh
ubuntu1804-script-anssi_np_nt28_high.sh
ubuntu1804-script-anssi_np_nt28_minimal.sh
ubuntu1804-script-anssi_np_nt28_restrictive.sh
ubuntu1804-script-cis.sh
ubuntu1804-script-standard.sh
ubuntu2004-script-standard.sh

7.2.4. Debian Bash script data

Example Debian script data.

Package

scap-security-guide-debian

Channels
  • SUSE Manager Tools

Bash script directory

/usr/share/scap-security-guide/bash/

Bash scripts
# Debian 11
debian11-script-anssi_np_nt28_average.sh
debian11-script-anssi_np_nt28_high.sh
debian11-script-anssi_np_nt28_minimal.sh
debian11-script-anssi_np_nt28_restrictive.sh
debian11-script-standard.sh
# Debian 12
debian12-script-anssi_np_nt28_average.sh
debian12-script-anssi_np_nt28_high.sh
debian12-script-anssi_np_nt28_minimal.sh
debian12-script-anssi_np_nt28_restrictive.sh
debian12-script-standard.sh