4 Checking Compliance With XCCDF Profiles

Use the the oscap command to check how the system complies with a security compliance checklist. OSCAP can generate reports and display information about the system by using XCCDF profiles. These can help you harden a system to meet particular security requirements, recommendations, or guidelines. XCCDF profiles can be contained either in an XCCDF file or within a SCAP data stream file.

Validating an XCCDF File or Data Stream File

This task shows how to use oscap sub commands to check that XCCDF and data stream files are correctly formatted.

To check that an XCCDF file is valid, use oscap xccdf validate and examine the exit code. This validates the file against its schema.

To validate an XCCDF file, run the following command:

oscap xccdf validate /path/to/xccdf-file.xml \
  && echo "ok" || echo "exit code = $? not ok"

If the XCCDF file is valid, the command example returns:

ok

Note:

Various XCCDF files and other SCAP security guide files are included in the scap-security-guide package.

To validate a source data stream file against its schema, use oscap ds sds-validate. XCCDF content can be bundled and included within a single source data stream file, often included as part of the scap-security-guide package and are preferred for shipping many SCAP related artifacts.

To validate a source data stream file, run the following command:

oscap ds sds-validate /path/to/ds-file.xml \
  && echo "ok" || echo "exit code = $? not ok"

If the source data stream file is valid, the command example returns:

ok

Displaying Available Profiles

A profile contains generic security recommendations that apply to all Oracle Linux installations and other security recommendations that are specific to the intended usage of a system. You can use these unmodified, or adapt them to create profiles that test the system's compliance with site security policies.

Use oscap info to display profiles that work with a checklist file such as the SCAP Security Guide XCCDF file or a SCAP data stream that contains XCCDF content. The syntax is as follows: 

oscap info path/file.xml

For example:

oscap info /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml

Sample output: 

Document type: Source Data Stream
Imported: date and time

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-ol8-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-ol8-xccdf.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-oval-com.oracle.elsa-ol8.xml.bz2' points out to the 
      remote 'https://linux.oracle.com/security/oval/com.oracle.elsa-ol8.xml.bz2'. Use '--fetch-remote-resources' 
      option to download it.
WARNING: Skipping 'https://linux.oracle.com/security/oval/com.oracle.elsa-ol8.xml.bz2' file which is referenced 
      from datastream
		Status: draft
		Generated: date
		Resolved: true
		Profiles:
			Title: ANSSI-BP-028 (enhanced)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
			Title: ANSSI-BP-028 (high)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
			Title: ANSSI-BP-028 (intermediary)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
			Title: ANSSI-BP-028 (minimal)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
			Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
				Id: xccdf_org.ssgproject.content_profile_cui
			Title: DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight
				Id: xccdf_org.ssgproject.content_profile_e8
			Title: Health Insurance Portability and Accountability Act (HIPAA)
				Id: xccdf_org.ssgproject.content_profile_hipaa
			Title: Australian Cyber Security Centre (ACSC) ISM Official
				Id: xccdf_org.ssgproject.content_profile_ism_o
			Title: DRAFT - Protection Profile for General Purpose Operating Systems
				Id: xccdf_org.ssgproject.content_profile_ospp
			Title: PCI-DSS v4.0 Control Baseline for Oracle Linux 8
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: Standard System Security Profile for Oracle Linux 8
				Id: xccdf_org.ssgproject.content_profile_standard
			Title: DISA STIG for Oracle Linux 8
				Id: xccdf_org.ssgproject.content_profile_stig
			Title: DISA STIG with GUI for Oracle Linux 8
				Id: xccdf_org.ssgproject.content_profile_stig_gui
		Referenced check files:
			ssg-ol8-oval.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
			ssg-ol8-ocil.xml
				system: http://scap.nist.gov/schema/ocil/2
			security-oval-com.oracle.elsa-ol8.xml.bz2
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5

Note:

You can ignore warnings about remote data stream components when viewing information about XCCDF profiles, but when performing an evaluation you must either use the --fetch-remote-resources option for OSCAP to automatically download these resources, or manually download the resources beforehand and use the --local-files option to provide the path of these components.

The ssg-ol8-ds.xml data stream file contains information about where to download OVAL definitions so that evaluations can audit against the most recent version of these definitions.

Displaying Profile Information

This task shows you how to find out more information about a specific profile.

To view information about a profile, use the oscap info command with the --profile option. The syntax is as follows: 

oscap info --profile profile_id path/file.xml

For example, to find out information about the Health Insurance Portability and Accountability Act (HIPAA) profile, xccdf_org.ssgproject.content_profile_hipaa: 

oscap info --profile xccdf_org.ssgproject.content_profile_hipaa /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml

Tip:

Most examples in this guide use the full profile ID, but you can specify a profile by using its short ID instead. The short ID is whatever appears after profile_ in the full profile ID. For example, instead of --profile xccdf_org.ssgproject.content_profile_hipaa, you can use --profile hipaa.

Sample output: 

Document type: Source Data Stream
Imported: date and time

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-ol8-xccdf.xml
Generated: (null)
Version: 1.3
WARNING: Datastream component 'scap_org.open-scap_cref_security-oval-com.oracle.elsa-ol8.xml.bz2' points out to the remote 
      'https://linux.oracle.com/security/oval/com.oracle.elsa-ol8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://linux.oracle.com/security/oval/com.oracle.elsa-ol8.xml.bz2' file which is referenced from datastream
Profile
	Title: Health Insurance Portability and Accountability Act (HIPAA)
	Id: xccdf_org.ssgproject.content_profile_hipaa

	Description: The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health 
            information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate 
            administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic 
            protected health information.  This profile configures Oracle Linux 8 to the HIPAA Security Rule identified for securing
            of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal 
            compliance against the HIPAA Security Rule(s).

Running a Scan Against an XCCDF Profile

This task describes how to use the oscap xccdf eval command to scan a system against an XCCDF profile and generate a compliance evaluation report.

  1. Decide which profile to use.
  2. Run a scan using that profile.

    The syntax is as follows:

    sudo oscap xccdf eval --profile profile-name \
  --fetch-remote-resources \
  --results path/results-name.xml \
  --report path/report-name.html \
       /usr/share/xml/scap/ssg/content/file.xml

    For example:

    sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard \
  --fetch-remote-resources \
  --results /var/www/html/ssg-results.xml \
  --report /var/www/html/ssg-results.html \
    /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml
    The --fetch-remote-resources option lets OSCAP connect to the internet to download remote resources that are required for the XCCDF profile evaluation. Or, you can use the --local-files option for OSCAP to access those resources at the specified path. The ssg-ol8-ds.xml data stream file includes a reference to the remotely hosted OVAL definitions that can verify whether a system is patched appropriately.

    If you use an XCCDF file instead of the recommended data stream, you must also specify the location of the CPE dictionaries by using the --cpe option, for example: 

    sudo oscap xccdf eval  --profile standard \
  --fetch-remote-resources \
  --results /var/www/html/ssg-results.xml \
  --report /var/www/html/ssg-results.html \
  --cpe /usr/share/xml/scap/ssg/content/ssg-ol8-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml

    Sample output:

    --- Starting Evaluation ---

Title   Verify File Hashes with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Result  pass

Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Result  pass

...

Title   Disable At Service (atd)
Rule    xccdf_org.ssgproject.content_rule_service_atd_disabled
Result  fail

...

    Note:

    Any rule in a profile that results in a fail might require system reconfiguration.

  3. View the HTML report in a browser.

    Sample report:


    The image shows a partial view of the HTML version of a scan report generated by oscap. The top of the report contains the title and the report description. A summary information is provided based on evaluation characteristics, overall score with regards to compliance, and the severity of any reported failed flags. The rest of the report contains more detailed information about each scan action.
  4. Review the resulting XML file.

    You can use the results XML file to obtain remediation scripts and other information if required. To review the results file, run:

    oscap info /var/www/html/ssg-results.xml

    The following sample output shows the Test Results section of the results file. This section includes the source profile that the results apply to. You can use this value when obtaining remediation scripts for later use. See Remediating a System For Compliance With a Security Profile for more information about remediation. 

    ...
Test Results:
  Result ID: xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_standard
  Source benchmark: /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml
  Source profile: xccdf_org.ssgproject.content_profile_standard
  Evaluation started: date and time
  Evaluation finished: date and time
  Platform CPEs:
    #system_with_kernel
    #package_yum
    #not_aarch64_arch
    #not_bootc_and_not_container
    cpe:/o:oracle:linux:8
    #not_bootc
    #not_aarch64_arch_and_not_s390x_arch
    #package_audit

Generating a Full Security Guide

This task shows how to use the oscap xccdf generate guide command to create a full security guide. The security guide provides a catalog of security configuration settings for the system and often includes example bash remediation scripts and Ansible snippets that can be run to automatically resolve issues.

Caution:

Always test remediation scripts before applying them to production systems.

  1. Create a full security guide for a system based on an XCCDF profile.

    Use the oscap xccdf generate guide command. The syntax is as follows: 

    sudo oscap xccdf generate guide --profile profile-name \
/usr/share/xml/scap/ssg/content/file.xml > path/security-guide-name.html

    For example:

    sudo oscap xccdf generate guide --profile xccdf_org.ssgproject.content_profile_standard \
/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml > /var/www/html/security_guide.html
  2. View the security guide in a browser.

    Open the generated security guide in a web browser. The following is a sample guide:


    The image shows a partial view of the HTML version of a security guide generated by the oscap command. The top of the report contains the guide's title and description. The table of contents is listed, followed by the checklist that is used for generating the guide.

Customizing a Profile

You can customize an OpenSCAP security profile to tailor security rules and variable values for an organization's requirements. To customize an OpenSCAP security profile, you use the autotailor tool, which is provided by the scap-security-guide package.

The autotailor command syntax is as follows: 

autotailor [options] -o tailoring_file -p profile_id datastream profile
[options]

Use --var-value VARIABLE=VALUE to set variable values, --select RULE_ID or --unselect RULE_ID to select and clear rules, or other available autotailor options.

-o tailoring_file

Output file to write the tailoring data.

-p profile_id

Identifier for the custom profile.

datastream

Path to the source datastream file. autotailor requires a SCAP datastream as input and doesn't work with individual XCCDF files.

PROFILE

The profile to base the customization on.

  1. Generate a tailoring file for the custom profile.

    Use the autotailor tool to create a profile, select, or clear rules, and set variable values. For example, the following command creates a new profile named tailored_profile, selects a specific rule, and sets two variables. The output is saved as tailoring.xml: 

    autotailor --select gconf_gnome_screensaver_idle_delay \
    --var-value var_screensaver_lock_delay=120 \
    --var-value inactivity_timeout_value=600 \
    -o tailoring.xml \
    -p tailored_profile \
    /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml \
    anssi_bp28_minimal

    The contents of the tailoring.xml file are as follows: 

    <?xml version="1.0" ?>
<ns0:Tailoring xmlns:ns0="http://checklists.nist.gov/xccdf/1.2" id="xccdf_auto_tailoring_default">
	<ns0:benchmark href="file:///usr/share/xml/scap/ssg/content/ssg-ol10-ds.xml"/>
	<ns0:version time="date and time">1</ns0:version>
	<ns0:Profile id="xccdf_org.ssgproject.content_profile_tailored_profile" extends="xccdf_org.ssgproject.content_profile_anssi_bp28_minimal">
		<ns0:title override="false"/>
		<ns0:select idref="xccdf_org.ssgproject.content_rule_gconf_gnome_screensaver_idle_delay" selected="true"/>
		<ns0:set-value idref="xccdf_org.ssgproject.content_value_inactivity_timeout_value">600</ns0:set-value>
		<ns0:set-value idref="xccdf_org.ssgproject.content_value_var_screensaver_lock_delay">120</ns0:set-value>
	</ns0:Profile>
</ns0:Tailoring>
  2. Use the tailored profile for scanning.

    When scanning, specify both the customized profile and the tailoring file. For example:

    oscap xccdf eval \
--profile tailored_profile \
--tailoring-file tailoring.xml \
/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml

    This command evaluates compliance using the customized profile.

For more information on the autotailor tool, see the autotailor(8) manual page.