Assessing CentOS 7 with OpenSCAP

In this post I’ll be using a tool called OpenSCAP (Details can be found here, check it out https://www.open-scap.org/) to assess a CentOS 7 system. If you have never heard of OpenSCAP before but have had to perform a hardening assessment of a system, OpenSCAP will be a life saver. You can use OpenSCAP with different profiles aligned with different standards such as PCI-DSS. In this example I will be using the DISA STIG (security technical implementation guides) profile which is quite stringent. Exercise with caution when using the suggested hardening parameters, many of them are invasive changes that could impact applications running.

Typically, a method that has been helpful is to bake an image with the hardened parameters that will be used, update the image with newly hardened parameters as they come out. This isn’t necessarily required but it can help speed things up, also tools like Ansible, Chef, and Puppet can help automate the hardening.

Open up a shell to the system you wish to assess and install the necessary packages:

sudo yum install openscap scap-security-guide -y

This will install oscap server/client needed to run the scan as well as the security content (STIGs) for each operating system. You can find this information located on your system at:

/usr/share/xml/scap/ssg/content/

To see the different profiles that can be executed you can run the following command to output information for your operating system. Since ours is CentOS 7 I selected that, if you are using RHEL you would select that profile. This will list all the profiles you can run your scan against, we are going to use the DISA STIG profile as mentioned earlier on.

oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

We are selecting the profile:

Id: xccdf_org.ssgproject.content_profile_stig-rhel7-disa

To run the scan against the DISA STIG we execute the following command.  This command will output an html report to /tmp/report.html , this report allows you to visually see the findings.

sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa --report /tmp/report.html /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

You will begin to see the scan execute, with results similar to those below, the scan takes time to complete, this is expected.

View the output file /tmp/report.html once the scan has been completed.

The OpenSCAP evaluation report provides a summary of findings.  Navigate to “Compliance and Scoring” here you will see the summary of results, in this case out of the box my CentOS 7 system is 53.9% compliant.

For this score to increase you would need to remediate the findings and rerun the scan. Again be careful, many of the findings and implementations could be dangerous to enable in your environment. Always remediate with caution when hardening your system.

Leave a Reply

Your email address will not be published. Required fields are marked *