5 Remediating a System For Compliance With a Security Profile

In addition to identifying security and compliance issues through automated scanning, OSCAP can help by generating remediation steps to resolve those issues. The remediation steps might include configuration changes, package installations, or changes to system settings so that the system conforms to selected security baselines.

  • Security guides and evaluation reports generated from XCCDF profiles often include remediation information, such as bash scripts or Ansible playbooks, that you can run to apply recommended changes.

  • OSCAP can automatically apply remediation steps during a scan when the system fails to comply with the specified XCCDF profile, or these remediation steps can be generated during the scan and applied later.

  • You can also generate remediation content for every rule in a profile without scanning the system first. These remediation steps can be produced in several formats, including Bash, Ansible, Puppet, Kickstart files, and resources suitable for integration into automation workflows such as Image Builder blueprints.

WARNING:

Remediation steps are designed to be run on a base install of the OS and can be applied by selecting a compliance profile using the "Security Profile" option in the Oracle Linux installer. If you changed the system configuration after installing the OS, a remediation step doesn't guarantee compliance with the XCCDF profile.

Remediation steps can restrict access or change how a system functions. After the remediation has been applied, it can't be automatically reverted. Don't apply remediation steps to production systems without testing them first.

Applying Remediation Steps During a Scan

This task shows you how to instruct OSCAP to apply remediation steps during the scan of an XCCDF profile. We recommend performing this process after installation of the OS when a security profile wasn't selected at the time that the system was installed.

To have OSCAP automatically apply remediation steps while an XCCDF profile scan is in progress, include the --remediate option.

For example:

sudo oscap xccdf eval --profile standard \
    --remediate /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml

Changes are applied automatically as the system is evaluated.

After the command has finished running, reboot the system. You can scan the system again to validate the changes.

Generating Remediation Steps During a Scan for Later Application

You can have the scan generate remediation scripts without applying them, so that you can review the remediation actions and, if required, change them before implementing them.

To generate a remediation script that provides fixes specific to a system, first perform a scan against an XCCDF profile and output an XML file by using the --results option. See Running a Scan Against an XCCDF Profile.

Using the XML results file, run the oscap xccdf generate fix command to generate a Bash script containing the fixes for the rules that failed, for example:

oscap xccdf generate fix --profile profile id --fix-type bash --output remediations.sh ssg-results.xml

You can change the value of the --fix-type option to ansible to generate an Ansible remediation script in YAML format. Other options include puppet, anaconda, ignition, and kubernetes. The default is bash.
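The scan-then-generate workflow described above as a wrapper script. This is an added example, not part of the Oracle documentation; it assumes oscap and the ssg-ol8-ds.xml data stream are installed, and the profile ID, results file and output file names are placeholders.

```shell
#!/bin/bash
# Added example (not from the Oracle documentation): scan against a profile,
# keep the results XML, and generate a remediation script for later review
# instead of applying it during the scan. Profile and file names are placeholders.
# Deliberately no "set -e": oscap xccdf eval exits 2 when rules fail, which is
# the expected case here and must not abort the script.
set -u

# --fix-type values accepted by "oscap xccdf generate fix", as listed in this section.
VALID_FIX_TYPES="bash ansible puppet anaconda ignition kubernetes kickstart blueprint bootc"

# Return 0 if $1 is a supported --fix-type value, 1 otherwise.
valid_fix_type() {
    local t
    for t in $VALID_FIX_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Print the generate-fix command for a results file without running it,
# so it can be reviewed or logged. Fails on an unknown fix type.
generate_fix_cmd() {
    local profile=$1 fix_type=$2 results=$3 output=$4
    valid_fix_type "$fix_type" || { echo "unsupported fix type: $fix_type" >&2; return 1; }
    printf 'oscap xccdf generate fix --profile %s --fix-type %s --output %s %s\n' \
        "$profile" "$fix_type" "$output" "$results"
}

# Scan the system, save the results XML, then produce (but do not apply) fixes.
# oscap xccdf eval exit status: 0 = every rule passed, 2 = at least one rule
# failed, anything else = error (for example an unknown profile ID).
scan_then_generate() {
    local profile=$1 fix_type=$2 datastream=$3
    local results="results-$profile.xml" output="remediations-$profile.$fix_type"
    local rc
    if sudo oscap xccdf eval --profile "$profile" --results "$results" "$datastream"; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo "all rules passed; nothing to remediate"; return 0 ;;
        2) echo "some rules failed; generating $fix_type remediation in $output" ;;
        *) echo "scan error (exit $rc); not generating remediation" >&2; return 1 ;;
    esac
    valid_fix_type "$fix_type" || return 1
    # Review $output before running it; remediation cannot be reverted automatically.
    oscap xccdf generate fix --profile "$profile" --fix-type "$fix_type" \
        --output "$output" "$results"
}
```

Run it as, for example, `scan_then_generate standard bash /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml` after sourcing the script.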

Using OSCAP Remediation to Automate Compliance

You can use the OpenSCAP tool (oscap) to automatically assess a system's compliance with a selected security profile and apply remediation steps for many of its rules using available formats such as Bash, Ansible, Kickstart, or Image Builder blueprints for automated installation and configuration. Not all compliance rules have automated remediations, and not every remediation is available in every format. OpenSCAP remediation therefore provides a strong baseline, but some extra manual configuration might be needed to achieve full compliance with the profile.

To generate a script that includes all remediation actions for a profile, run the oscap xccdf generate fix command against the data stream or XCCDF file, for example:

oscap xccdf generate fix --profile profile id --fix-type bash \
    --output all-remediations.sh /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml

Valid options for --fix-type are bash, ansible, puppet, anaconda, ignition, kubernetes, kickstart, blueprint, and bootc.

For example, to generate an Image Builder blueprint for an Oracle Cloud Infrastructure image that complies with a specific XCCDF profile, run the following command:

oscap xccdf generate fix --profile profile id --fix-type blueprint \
    --output blueprint.toml /usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml