4 Checking Compliance With XCCDF Profiles

Use the oscap command to check how your system complies with a security compliance checklist. OSCAP can generate reports and display information about your system by using XCCDF profiles that can help you harden a system to meet particular security requirements, recommendations or guidelines. Note that XCCDF profiles can be contained either in an XCCDF file or within a SCAP data stream file.

Validating an XCCDF File or Data Stream File

Use oscap xccdf validate and examine the exit code to validate an XCCDF file against its schema. This confirms that the file is properly structured.

For example, to validate an XCCDF file you can run:

oscap xccdf validate /path/to/xccdf-file.xml \
  && echo "ok" || echo "exit code = $? not ok"

If the file is valid, the command example returns:

ok

XCCDF files are shipped along with several other SCAP security guide files as part of the scap-security-guide package.

Similarly, use oscap ds sds-validate and examine the exit code to validate a source data stream file against its schema. XCCDF content can be bundled and included within a single source data stream file. Such data stream files are often included as part of the scap-security-guide package and are the preferred way of shipping a number of SCAP related artifacts together.

To validate a source data stream file, you can run:

oscap ds sds-validate /path/to/ds-file.xml \
  && echo "ok" || echo "exit code = $? not ok"

If the file is valid, the command example returns:

ok

Displaying Available Profiles

Use oscap info to display profiles that are supported by a checklist file such as the SCAP Security Guide XCCDF file or a SCAP data stream that contains XCCDF content.

A profile contains generic security recommendations that apply to all Oracle Linux installations and additional security recommendations that are specific to the intended usage of a system. The listed profiles might not necessarily be appropriate to your system. However, you can use them to create new profiles that test compliance with your site's security policies.

View available profiles

oscap info <path>/<file>.xml

For example:

oscap info /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml

Sample output:

Document type: Source Data Stream
Imported: 2022-07-05T20:10:04

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-ol8-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-ol8-xccdf-1.2.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-oval-com.oracle.elsa-all.xml.bz2' points out 
 to the remote 'https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2'.
 Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://linux.oracle.com/security/oval/com.oracle.elsa-all.xml.bz2' file which is referenced 
 from datastream
		Status: draft
		Generated: 2022-07-05
		Resolved: true
		Profiles:
			Title: ANSSI-BP-028 (enhanced)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
			Title: ANSSI-BP-028 (high)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
			...
			Title: Standard System Security Profile for Oracle Linux 8
				Id: xccdf_org.ssgproject.content_profile_standard
			Title: DISA STIG for Oracle Linux 8
				Id: xccdf_org.ssgproject.content_profile_stig
			Title: DISA STIG with GUI for Oracle Linux 8
				Id: xccdf_org.ssgproject.content_profile_stig_gui
		Referenced check files:
			ssg-ol8-oval.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
			ssg-ol8-ocil.xml
				system: http://scap.nist.gov/schema/ocil/2
			security-oval-com.oracle.elsa-all.xml.bz2
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
  Ref-Id: scap_org.open-scap_cref_ssg-ol8-oval.xml
  Ref-Id: scap_org.open-scap_cref_ssg-ol8-ocil.xml
  Ref-Id: scap_org.open-scap_cref_--builddir--build--BUILD--scap-security-guide-0.1.60--build--ssg-ol8-cpe-oval.xml
  Ref-Id: scap_org.open-scap_cref_security-oval-com.oracle.elsa-all.xml.bz2
Dictionaries:
  Ref-Id: scap_org.open-scap_cref_--builddir--build--BUILD--scap-security-guide-0.1.60--build--ssg-ol8-cpe-dictionary.xml

Note:

You can ignore warnings about remote data stream components when viewing information about XCCDF profiles, but when performing an evaluation you must either use the --fetch-remote-resources option to allow OSCAP to automatically download these resources, or you should manually download the resources beforehand and use the --local-files option to provide the path that should be used for these components. The ssg-ol8-ds.xml data stream file contains information about where to download OVAL definitions so that evaluations are able to audit against the most recent version of these definitions.

View information about a profile

Specify the --profile option.

oscap info --profile <profile_id> <path>/<file>.xml

For example:

oscap info --profile xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml

Sample output:

Document type: Source Data Stream
Imported: 2022-07-05T20:10:04

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-ol8-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Profile
	Title: Standard System Security Profile for Oracle Linux 8
	Id: xccdf_org.ssgproject.content_profile_standard

	Description: This profile contains rules to ensure standard security baseline of 
       Oracle Linux 8 system. Regardless of your system's workload all of these checks 
       should pass.

In the example the full profile ID is used, but OSCAP also accepts the short profile ID (the part following content_profile_, for example standard), and short IDs are commonly used.

Running a Scan Against an XCCDF Profile

Use the oscap xccdf eval command to scan a system against an XCCDF profile and generate a compliance evaluation report.

  1. Determine which profile to use. See Displaying Available Profiles.

  2. Run a scan specifying the specific profile.

    sudo oscap xccdf eval --profile <profile-name> \
      --fetch-remote-resources \
      --results <path>/<results-name>.xml \
      --report <path>/<report-name>.html \
           /usr/share/xml/scap/ssg/content/<file>.xml

    For example:

    sudo oscap xccdf eval  --profile standard \
      --fetch-remote-resources \
      --results /var/www/html/ssg-results.xml \
      --report /var/www/html/ssg-results.html \
        /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml
    The --fetch-remote-resources option allows OSCAP to connect to the internet to download remote resources that are required for the XCCDF profile evaluation. If your systems are in a disconnected environment, you can use the --local-files option to allow OSCAP to use pre-downloaded resources at a specified path. The ssg-ol8-ds.xml data stream file includes a reference to the remotely hosted OVAL definitions that should be used when evaluating whether a system is properly patched.

    If you use an XCCDF file instead of the recommended data stream, you must also specify the location of the CPE dictionary by using the --cpe option, for example:

    sudo oscap xccdf eval  --profile standard \
      --fetch-remote-resources \
      --results /var/www/html/ssg-results.xml \
      --report /var/www/html/ssg-results.html \
      --cpe /usr/share/xml/scap/ssg/content/ssg-ol8-cpe-dictionary.xml \
        /usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml

    Sample output:

    ...
    --- Starting Evaluation ---
    
    Title   Verify File Hashes with RPM
    Rule    xccdf_org.ssgproject.content_rule_rpm_verify_hashes
    Result  pass
    
    Title   Verify and Correct File Permissions with RPM
    Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
    Result  pass
    
    ...
    
    Title   Disable At Service (atd)
    Rule    xccdf_org.ssgproject.content_rule_service_atd_disabled
    Result  fail

    Any rule in a profile that results in a fail potentially requires the system to be reconfigured.

  3. View the HTML report in a browser, as shown in the following figure.


    The image shows a partial view of the HTML version of a scan report generated by oscap. The top of the report contains the title and the report description. A summary information is provided based on evaluation characteristics, overall score with regards to compliance, and the severity of any reported failed flags. The rest of the report contains more detailed information about each scan action.
  4. Review the results XML file.

    You can use the results XML file to obtain remediation scripts and other information if required. To review the results file, run:

    oscap info ssg-results.xml

    Note that the Test Results section includes the source profile that the results apply to. You can use this value when obtaining remediation scripts for later use. See Remediating a System For Compliance With a Security Profile for more information about remediation.

Generating a Full Security Guide

Use the oscap xccdf generate guide command to create a full security guide which provides a catalog of security-relevant configuration settings for the system. Security guides often include example bash remediation scripts and Ansible snippets that can be helpful when run against the system to automatically resolve issues. Be aware that you should test remediation scripts on systems within a test environment as actions taken by scripts may not be desirable for your enterprise.

To create a full security guide:

  1. Create a full security guide for a system based on an XCCDF profile, for example:

    sudo oscap xccdf generate guide --profile <profile-name> \
    /usr/share/xml/scap/ssg/content/<file>.xml > <path>/<security-guide-name>.html

    For example:

    sudo oscap xccdf generate guide --profile standard \
    /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml > /var/www/html/security_guide.html
  2. View the security guide in a browser, as shown in the following figure.

    Figure 4-1 Sample Security Guide


    The image shows a partial view of the HTML version of a security guide generated by the oscap command. The top of the report contains the guide's title and description. The table of contents is listed, followed by the checklist that is used for generating the guide.

Remediating a System For Compliance With a Security Profile

Security Guides and Evaluation Reports that are generated from an XCCDF profile may contain remediation information that can help you to resolve potential compliance issues. Remediation information is usually provided in the form of a bash script or Ansible playbook that can be run on the system where the report or guide was generated.

OSCAP also provides commands that can automatically apply remediation steps where the system fails to comply with the XCCDF profile. Remediation steps are typically performed against a fresh install to provide an initial configuration that is compliant with a baseline XCCDF profile.

WARNING:

Remediation steps can make changes to a system that may restrict access or alter how a system functions. There is no way to automatically revert a remediation once it is applied. Remediation steps are also designed to be run against a base install of the operating system. If you have changed system configuration, a remediation step does not guarantee compliance with the XCCDF profile. Do not apply remediation steps to production systems without testing them first.

Note:

Although Ansible playbook remediation is available for large portions of the Oracle Linux SCAP content provided, these are currently considered to be less complete than bash script remediation.

Immediate Remediation

To allow OSCAP to automatically apply remediation steps immediately during the scan against an XCCDF profile, include the --remediate option, for example:

sudo oscap xccdf eval --profile standard \
  --remediate /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml

Changes are applied automatically as the system is evaluated.

After the command has finished running, reboot the system. You can scan the system again to validate the changes.

This process is generally recommended after installation where a security profile was not selected at the time that the system was installed.

Generating Remediation Scripts For Later Use

It is possible to generate remediation scripts for later use, so that you can review the remediation actions and modify them before applying the changes to a system.

To generate a remediation script that provides fixes specific to a system perform a scan against an XCCDF profile and output an XML file by using the --results option. See Running a Scan Against an XCCDF Profile.

Using the XML results file, run the oscap xccdf generate fix command to generate a bash script that you can use, for example:

oscap xccdf generate fix --profile standard --fix-type bash --output remediations.sh ssg-results.xml

You can change the value of the --fix-type option to ansible to generate an Ansible compatible remediation script in YAML format.

To generate a script that provides all of the remediations present in a profile, run the same command against the data stream or XCCDF file, for example:

oscap xccdf generate fix --profile standard --fix-type bash \
 --output all-remediations.sh /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml
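The following wrapper is added here as an example; it is not part of the Oracle documentation or of the OpenSCAP project. It ties the scan described in Running a Scan Against an XCCDF Profile (step 4, reviewing the results XML) to the system-specific fix generation above: it interprets the oscap xccdf eval exit code (0 when every rule passed, 1 on error, 2 when at least one rule failed), lists the failing rule IDs from the results XML, and only then generates the bash remediation script. The results excerpt is constructed, not real scanner output, and the /tmp output paths are assumptions.

```shell
#!/bin/bash
# Constructed sample of the <TestResult> part of an oscap results file (not real
# scanner output): two rules pass, one fails.
SAMPLE_RESULTS="$(mktemp)"
cat > "$SAMPLE_RESULTS" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_standard">
  <profile idref="xccdf_org.ssgproject.content_profile_standard"/>
  <rule-result idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" severity="high" weight="1.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_service_atd_disabled" severity="medium" weight="1.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" severity="high" weight="1.0">
    <result>pass</result>
  </rule-result>
</TestResult>
EOF

# Print the idref of every rule whose <result> is "fail" in a results XML file.
# Assumes each <rule-result> opening tag is on its own line, as oscap writes it.
failed_rules() {
  awk '
    /<rule-result / { match($0, /idref="[^"]*"/); id = substr($0, RSTART + 7, RLENGTH - 8) }
    /<result>fail<\/result>/ { print id }
  ' "$1"
}

# Scan with the given profile, keep the results XML and HTML report, and act on the
# exit code: 0 all rules passed, 2 at least one rule failed, anything else an error
# (for example a remote resource that could not be fetched). Only on 2 is a bash
# fix script generated, limited to what this system actually failed.
scan_and_fix() {
  profile="$1"; ds="$2"; results="$3"; fixes="$4"; rc=0
  oscap xccdf eval --profile "$profile" --fetch-remote-resources \
    --results "$results" --report "${results%.xml}.html" "$ds" >/dev/null || rc=$?
  case "$rc" in
    0) echo "all rules passed" ;;
    2) echo "failed rules:"; failed_rules "$results"
       oscap xccdf generate fix --profile "$profile" --fix-type bash \
         --output "$fixes" "$results" ;;
    *) echo "evaluation error (exit $rc)" >&2 ;;
  esac
  return "$rc"
}

failed_rules "$SAMPLE_RESULTS"   # parser demo on the constructed sample
if command -v oscap >/dev/null; then   # real scan only where oscap is installed
  scan_and_fix standard /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml \
    /tmp/ssg-results.xml /tmp/remediations.sh
fi
```

Review /tmp/remediations.sh before running it, since it is the same kind of script the WARNING above applies to.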