OpenSCAP is a great addition to Red Hat Satellite: you can now use Satellite to scan your RHEL servers with the goal of validating their configuration and checking whether they are vulnerable. In this article you will find how to prepare your server to be OpenSCAP-ready, then how to scan your RHEL servers with OpenSCAP through the Satellite web UI and from the command line. This article was written using Red Hat Satellite 5.5 and a RHEL 6.4 virtual machine.
First, you need to prepare your RHEL server to be “OpenSCAP ready”. I’m doing it the manual way for educational purposes, but this can be automated with Satellite.
1. Install spacewalk-oscap:
# yum install spacewalk-oscap
2. Enable the openscap and scap-security-guide yum repositories (taken from here: https://fedorahosted.org/scap-security-guide/):
# wget -O /etc/yum.repos.d/epel-6-scap-security-guide.repo http://repos.fedorapeople.org/repos/scap-security-guide/epel-6-scap-security-guide.repo
# wget -O /etc/yum.repos.d/epel-6-openscap.repo http://repos.fedorapeople.org/repos/
3. Finally, install the SCAP Security Guide, which contains the content files required to run a scan:
# yum install scap-security-guide
Your RHEL server is now ready to be scanned by OpenSCAP. Let’s begin by scheduling a scan from the Satellite web UI:
1. In the Satellite web UI, click on your RHEL server -> Audit -> Schedule.
2. In the “Command-line Arguments” box, put this:
--profile stig-rhel6-server --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml
3. In the “Path to XCCDF” box, put this:
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Then click on Schedule. It will take a few seconds to complete. Once it’s done, you should see a new report marked with a green check mark. Click on that report; you can filter the results to show only the tests that failed. Fix some of the failed tests and re-run the scan: the new report should show a yellow exclamation mark, because something changed since the last report.
Now let’s try the OpenSCAP command-line scanner, which can produce a very nice and complete HTML report. On a RHEL server:
# oscap xccdf eval --profile stig-rhel6-server --results /tmp/`hostname`-ssg-results.xml --report /tmp/`hostname`-ssg-results.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
After a few seconds the scan should be complete, and you can open the report /tmp/`hostname`-ssg-results.html in a web browser. You will see that every test comes with more detailed content and explanations, and you won’t need to correlate the CCE numbers yourself, because all the suggestions for passing a test are now listed in the HTML file. Note that it is possible to adapt the OpenSCAP tests by creating your own XCCDF test files.
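Both the Satellite report and the HTML report are built from the same XCCDF results file that `--results` writes (`/tmp/<hostname>-ssg-results.xml` above). The following Python script is an added example, not part of this article or of the OpenSCAP project: it reads such a results file and reproduces the “failed tests only” view, listing each failed rule with its severity and CCE identifiers, ordered by severity, and it maps the outcome to the exit-status convention `oscap xccdf eval` documents (0 when every rule passes, 2 when at least one rule fails). The embedded sample results, rule ids and CCE numbers are constructed for the example; the XCCDF namespace is detected from the file, so both 1.1 (the RHEL 6 SSG content) and 1.2 results work.

```python
"""List failed rules from an XCCDF results file produced by `oscap xccdf eval --results`.

Added example (not from the article). Usage:
    python xccdf_failed.py /tmp/$(hostname)-ssg-results.xml
Without an argument it runs against the constructed sample below.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Identifier system used by SSG content for CCE references inside <ident>.
CCE_SYSTEM = "http://cce.mitre.org"

# Order used to sort failed rules so the most serious findings come first.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample (not real scanner output); rule ids and CCE numbers are placeholders.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6">
  <TestResult id="xccdf_org.open-scap_testresult_stig-rhel6-server">
    <profile idref="stig-rhel6-server"/>
    <rule-result idref="example_rule_tmp_partition" severity="low">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-00000-0</ident>
    </rule-result>
    <rule-result idref="example_rule_sshd_root_login" severity="medium">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-00000-1</ident>
    </rule-result>
    <rule-result idref="example_rule_auditd_enabled" severity="high">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-00000-2</ident>
    </rule-result>
    <rule-result idref="example_rule_not_applicable" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return one dict per <rule-result>: rule id, severity, result, list of CCE ids."""
    root = ET.fromstring(xml_text)
    # The root tag is "{namespace}Benchmark"; take the namespace from it rather than
    # hard-coding XCCDF 1.1 or 1.2.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    tag = lambda name: "{%s}%s" % (ns, name) if ns else name
    results = []
    for rr in root.iter(tag("rule-result")):
        result_el = rr.find(tag("result"))
        result = result_el.text.strip() if result_el is not None and result_el.text else "unknown"
        cces = [i.text.strip() for i in rr.findall(tag("ident"))
                if i.get("system") == CCE_SYSTEM and i.text]
        results.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": result,
            "cce": cces,
        })
    return results


def failed_rules(results):
    """The 'failed only' filter: rules whose result is fail, most severe first."""
    failed = [r for r in results if r["result"] == "fail"]
    return sorted(failed, key=lambda r: SEVERITY_ORDER.get(r["severity"], 4))


def summarize(results):
    """Count results per outcome (pass, fail, notapplicable, ...)."""
    return Counter(r["result"] for r in results)


def scan_exit_code(results):
    """Mirror oscap's documented convention: 0 if all rules pass, 2 if any rule failed."""
    return 2 if failed_rules(results) else 0


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_RESULTS
    results = parse_results(xml_text)
    for outcome, count in sorted(summarize(results).items()):
        print("%-14s %d" % (outcome, count))
    print("\nFailed rules (most severe first):")
    for r in failed_rules(results):
        print("  [%-6s] %-35s %s" % (r["severity"], r["rule"], ", ".join(r["cce"]) or "-"))
    return scan_exit_code(results)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script returns the same exit status you would get from `oscap` itself, so it can be dropped into a cron job or a Satellite remote command and used to fail a run when the STIG profile reports findings; the rule ids printed are the same ones shown in the Satellite report and in the HTML report’s rule headings.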