Chapter 5 Using OpenSCAP to Scan for Vulnerabilities

This chapter describes how to use OpenSCAP to scan your Oracle Linux system for security vulnerabilities.

5.1 About SCAP

The Security Content Automation Protocol (SCAP) provides an automated, standardized methodology for managing system security, including measuring and managing system vulnerability, and evaluating policy compliance against security standards such as the Federal Information Security Management Act (FISMA). The U.S. government content repository for SCAP standards is the National Vulnerability Database (NVD), which is managed by the National Institute of Standards and Technology (NIST).

Oracle Linux provides the following SCAP packages for Oracle Linux 7:

openscap-utils

The openscap-utils package contains command-line tools that use the OpenSCAP library. This package previously included the oscap command-line configuration and vulnerability scanner, but this is now made available separately in the openscap-scanner package. The openscap-scanner package is installed as a dependency when you install the openscap-utils package.

openscap-scanner

Provides the oscap command-line configuration and vulnerability scanner, which can perform compliance checking against SCAP content including the SCAP Security Guide. This is a dependency of the openscap-utils package.

openscap

Provides the OpenSCAP open-source libraries for generating SCAP-compliance documentation. OpenSCAP received SCAP 1.2 certification from NIST in April 2014.

scap-security-guide

Provides system-hardening guidance in SCAP format, including links to government requirements. The guide provides security profiles that you can modify to comply with the security policies that you have established for your site. Starting from version v0.1.46-11.0.2.el7, a stig profile is included in this package to align with the DISA STIG for Oracle Linux 7 V1R1 published at https://public.cyber.mil/stigs/. See Section 5.6, “Displaying Available Profiles”.

5.2 Installing the SCAP Packages

Use the yum command to install the SCAP packages from the ol7_x86_64_latest channel on ULN or the ol7_latest repository on the Oracle Linux yum server:

# yum install scap-security-guide

5.3 About the oscap Command

The oscap command has the following general syntax:

# oscap [options] module operation [operation_options_and_arguments]

oscap supports the following module types:

cpe

Performs operations using a Common Platform Enumeration (CPE) file.

cve

Performs operations using a Common Vulnerabilities and Exposures (CVE) file.

cvss

Performs operations using a Common Vulnerability Scoring System (CVSS) file.

ds

Performs operations using a SCAP Data Stream (DS).

info

Determines a file's type and prints information about the file.

oval

Performs operations using an Open Vulnerability and Assessment Language (OVAL) file.

xccdf

Performs operations using a file in eXtensible Configuration Checklist Description Format (XCCDF).

The info, oval, and xccdf modules are the most generally useful for scanning Oracle Linux systems.

The operations that oscap can perform depend on the module type. The following operations are the most generally useful with the oval and xccdf modules on Oracle Linux systems:

eval

For an OVAL file, oscap probes the system, evaluates each definition in the file, and prints the results to the standard output.

For a specified profile in an XCCDF file, oscap tests the system against each rule in the file and prints the results to the standard output.

generate

For an OVAL XML results file, generate report converts the specified file to an HTML report.

For an XCCDF file, generate guide outputs a full security guide for a specified profile.

validate

Validates an OVAL or XCCDF file against an XML schema to check for errors.

For more information, see the oscap(8) manual page.

5.4 Displaying the Available SCAP Information

To display the supported SCAP specifications, any loaded plug-in capabilities, the locations of schema, Common Platform Enumeration (CPE), and probe files, inbuilt CPE names, and supported Open Vulnerability and Assessment Language (OVAL) objects and associated SCAP probes, use the oscap -V command, for example:

# oscap -V
OpenSCAP command line tool (oscap) 1.2.10
Copyright 2009--2016 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

==== Capabilities added by auto-loaded plugins ====
No plugins have been auto-loaded...

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/libexec/openscap

==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Scientific Linux 5 - cpe:/o:scientificlinux:scientificlinux:5
Scientific Linux 6 - cpe:/o:scientificlinux:scientificlinux:6
Scientific Linux 7 - cpe:/o:scientificlinux:scientificlinux:7
Fedora 16 - cpe:/o:fedoraproject:fedora:16
Fedora 17 - cpe:/o:fedoraproject:fedora:17
Fedora 18 - cpe:/o:fedoraproject:fedora:18
Fedora 19 - cpe:/o:fedoraproject:fedora:19
Fedora 20 - cpe:/o:fedoraproject:fedora:20
Fedora 21 - cpe:/o:fedoraproject:fedora:21
Fedora 22 - cpe:/o:fedoraproject:fedora:22
Fedora 23 - cpe:/o:fedoraproject:fedora:23
Fedora 24 - cpe:/o:fedoraproject:fedora:24
Fedora 25 - cpe:/o:fedoraproject:fedora:25
SUSE Linux Enterprise all versions - cpe:/o:suse:sle
SUSE Linux Enterprise Server 10 - cpe:/o:suse:sles:10
SUSE Linux Enterprise Desktop 10 - cpe:/o:suse:sled:10
SUSE Linux Enterprise Server 11 - cpe:/o:suse:sles:11
SUSE Linux Enterprise Desktop 11 - cpe:/o:suse:sled:11
SUSE Linux Enterprise Server 12 - cpe:/o:suse:sles:12
SUSE Linux Enterprise Desktop 12 - cpe:/o:suse:sled:12
openSUSE 11.4 - cpe:/o:opensuse:opensuse:11.4
openSUSE 13.1 - cpe:/o:opensuse:opensuse:13.1
openSUSE 13.2 - cpe:/o:opensuse:opensuse:13.2
openSUSE 42.1 - cpe:/o:novell:leap:42.1
openSUSE All Versions - cpe:/o:opensuse:opensuse
Red Hat Enterprise Linux Optional Productivity Applications - cpe:/a:redhat:rhel_productivity
Red Hat Enterprise Linux Optional Productivity Applications 5 - cpe:/a:redhat:rhel_productivity:5
Oracle Linux 5 - cpe:/o:oracle:linux:5
Oracle Linux 6 - cpe:/o:oracle:linux:6
Oracle Linux 7 - cpe:/o:oracle:linux:7

==== Supported OVAL objects and associated OpenSCAP probes ====
system_info                  probe_system_info           
family                       probe_family                
filehash                     probe_filehash              
environmentvariable          probe_environmentvariable   
textfilecontent54            probe_textfilecontent54     
textfilecontent              probe_textfilecontent       
variable                     probe_variable              
xmlfilecontent               probe_xmlfilecontent        
environmentvariable58        probe_environmentvariable58 
filehash58                   probe_filehash58            
inetlisteningservers         probe_inetlisteningservers  
rpminfo                      probe_rpminfo               
partition                    probe_partition             
iflisteners                  probe_iflisteners           
rpmverify                    probe_rpmverify             
rpmverifyfile                probe_rpmverifyfile         
rpmverifypackage             probe_rpmverifypackage      
selinuxboolean               probe_selinuxboolean        
selinuxsecuritycontext       probe_selinuxsecuritycontext
systemdunitproperty          probe_systemdunitproperty   
systemdunitdependency        probe_systemdunitdependency 
file                         probe_file                  
interface                    probe_interface             
password                     probe_password              
process                      probe_process               
runlevel                     probe_runlevel              
shadow                       probe_shadow                
uname                        probe_uname                 
xinetd                       probe_xinetd                
sysctl                       probe_sysctl                
process58                    probe_process58             
fileextendedattribute        probe_fileextendedattribute 
routingtable                 probe_routingtable          
symlink                      probe_symlink  

5.5 Displaying Information About a SCAP File

To display information about a SCAP file, use the oscap info command, for example:

# oscap info com.oracle.elsa-2017.xml
Document type: OVAL Definitions
OVAL version: 5.3
Generated: 2017-06-01T00:00:00
Imported: 2017-06-13T23:12:06

This output shows that the file com.oracle.elsa-2017.xml is an OVAL definitions file.

5.6 Displaying Available Profiles

You can use the oscap info command to display the profiles that are supported by a checklist file such as the SCAP Security Guide, for example:

# oscap info "/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml" 
Document type: XCCDF Checklist
Checklist version: 1.1
Imported: 2020-04-21T19:46:55
Status: draft
Generated: 2020-04-21
Resolved: true
Profiles:
	Title: DISA STIG for Oracle Linux 7
		Id: stig
Referenced check files:
	ssg-ol7-oval.xml
		system: http://oval.mitre.org/XMLSchema/oval-definitions-5
	ssg-ol7-ocil.xml
		system: http://scap.nist.gov/schema/ocil/2
	https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2
		system: http://oval.mitre.org/XMLSchema/oval-definitions-5
[vagrant@localhost ~]$ 
Note

Other profiles are available and located in a different set of files, such as ssg-rhel7-* files. For example, to view other profiles, replace ssg-ol7-xccdf.xml in the command with ssg-rhel7-xccdf.xml.

This output shows that ssg-ol7-xccdf.xml provides the DISA STIG for Oracle Linux 7 (stig). A profile contains generic security recommendations that apply to all Oracle Linux installations and additional security recommendations that are specific to the intended usage of a system.

To obtain information about a specific profile, specify the --profile option.

# oscap info --profile stig /usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml
Document type: XCCDF Checklist
Profile
        Title: DISA STIG for Oracle Linux 7
        Id: stig

        Description: This profile contains configuration checks that align to
the DISA STIG for Oracle Linux V1R1.

This DISA STIG profile can be used to check compliance with the published Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Oracle Linux. For more information, see https://public.cyber.mil/stigs/.

Note

Starting from version v0.1.46-11.0.2.el7 the DISA STIG profile and it's checklist definition is deprecated in the ssg-rhel7-xccdf.xml and ssg-rhel7-ds.xml files . The scap-security-guide package now provides a profile aligned to DISA STIG for Oracle Linux V1R1 and the profile is available in the ssg-ol7-xccdf.xml and ssg-ol7-ds.xml files.

Note that the provided profiles in Oracle Linux 7 might not all be appropriate to your system. However, you can use them to create new profiles that test compliance with your site's security policies.

5.7 Validating OVAL and XCCDF Files

To validate an OVAL or XCCDF file against its schema, use the oscap validate command and examine the exit code, for example:

# oscap oval validate com.oracle.elsa-2017.xml \
  && echo "ok" || echo "exit code = $? not ok"
ok
# oscap xccdf validate /usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml \
  && echo "ok" || echo "exit code = $? not ok"
ok

An exit code of 0 indicates that the file is valid, 1 indicates an error prevented validation, and 2 indicates that the file is invalid. Error messages are written to the standard error output.

5.8 Running a Scan Against a Profile

To scan a system against an XCCDF profile, use the oscap xccdf eval command, for example:

# oscap xccdf eval --profile stig \
  --results /tmp/`hostname`-ssg-results.xml \
  --report /var/www/html/`hostname`-ssg-results.html \
  --cpe /usr/share/xml/scap/ssg/content/ssg-ol7-cpe-dictionary.xml \
       /usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml
WARNING: This content points out to the remote resources. 
   Use `--fetch-remote-resources' option to download them.
WARNING: Skipping https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2 file 
   which is referenced from XCCDF content
Title   Remove User Host-Based Authentication Files
Rule    no_user_host_based_files
Result  pass

Title   Remove Host-Based Authentication Files
Rule    no_host_based_files
Result  pass

Title   Uninstall rsh-server Package
Rule    package_rsh-server_removed
Result  pass

Title   Uninstall telnet-server Package
Rule    package_telnet-server_removed
Result  pass

...

This example scan performs the scan against the stig profile of the ssg-ol7-xccdf.xml checklist using the ssg-ol7-cpe-dictionary.xml CPE dictionary, and outputs the XML results and HTML report files to /tmp and /var/www/html respectively. Any rule in a profile that results in a fail potentially requires the system to be reconfigured.

You can view the HTML report in a browser as shown in Figure 5.1.

Figure 5.1 Sample Scan Report

5.9 Generating a Full Security Guide

To create a full security guide for a system based on an XCCDF profile, use the oscap xccdf generate guide command, for example:

# oscap xccdf generate guide --profile stig \
  --cpe /usr/share/xml/scap/ssg/content/ssg-ol7-cpe-dictionary.xml \
        /usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml > /var/www/html/security_guide.html

You can view the security guide in a browser as shown in Figure 5.2.

Figure 5.2 Sample Security Guide

5.10 Running an OVAL Auditing Scan

Oracle provides OVAL definitions for all errata on ULN. You can use these definitions to ensure that all applicable errata are installed on an Oracle Linux system. For example, Spacewalk allows you to schedule regular auditing scans.

The following OVAL definition files are available:

com.oracle.elsa-cve.xml

OVAL definition file for a single ELSA security patch. For example, com.oracle.elsa-20150377.xml relates to ELSA-2015-0377.

com.oracle.elsa-year.xml.bz2

Compressed archive of OVAL definition files for all ELSA patches released in a given year.

com.oracle.else-all.xml.bz2

Compressed archive of all applicable OVAL definition files for all available ELSA patches.

To download an OVAL definitions file and perform an audit on a system:

  1. Use wget or a similar command to download a definitions file from https://linux.oracle.com/security, for example:

    # wget https://linux.oracle.com/security/oval/com.oracle.elsa-2017.xml.bz2
  2. In the definitions file is a compressed bz2 archive, use bzip2 to extract the OVAL definitions file:

    # bzip2 -d com.oracle.elsa-2017.xml.bz2
  3. Use oscap oval eval to audit a system using an OVAL definitions file, for example:

    # oscap oval eval --results /tmp/elsa-results-oval.xml \
      --report /var/www/html/elsa-report-oval.html \
      /tmp/com.oracle.elsa-2017.xml 
    Definition oval:com.oracle.elsa:def:20173580: false
    Definition oval:com.oracle.elsa:def:20173579: true
    Definition oval:com.oracle.elsa:def:20173576: false
    Definition oval:com.oracle.elsa:def:20173575: false
    Definition oval:com.oracle.elsa:def:20173574: true
    Definition oval:com.oracle.elsa:def:20173567: false
    Definition oval:com.oracle.elsa:def:20173566: false
    Definition oval:com.oracle.elsa:def:20173565: true
    Definition oval:com.oracle.elsa:def:20173539: true
    Definition oval:com.oracle.elsa:def:20173538: false
    Definition oval:com.oracle.elsa:def:20173537: false
    ...
    Evaluation done.

    This example scan uses the OVAL definitions in com.oracle.elsa-2017.xml and outputs the XML results and HTML report files to /tmp and /var/www/html respectively. A result of true for a patch means that it has not been applied to a system; a result of false means that it has been applied.

    If you generate an XML results file but not the HTML report, you can use oscap oval generate report to convert the results file to an HTML report, for example:

    # oscap oval generate report /tmp/elsa-results-oval.xml \ 
      > /var/www/html/elsa-report-oval.html

You can view the HTML report in a browser as shown in Figure 5.3.

Figure 5.3 Sample OVAL Report