# AlmaLinux 8 OpenSCAP Guide
This guide was developed for AlmaLinux 8 OS. Running OpenSCAP for AlmaLinux 9 OS may work differently, please, refer to AlmaLinux 9 OpenSCAP Guide.
# About OpenSCAP
SCAP - The Security Content Automation Protocol - is an automated method that uses standards to enable vulnerability management, measurement, and policy compliance evaluation of systems. SCAP is a U.S. standard maintained by the National Institute of Standards and Technology.
The AlmaLinux OpenSCAP Guide describes how to use OpenSCAP software to audit your AlmaLinux 8 system for security compliance.
# About SCAP packages and how to Enable them
AlmaLinux provides the following SCAP packages for AlmaLinux 8:
|openscap||Provides the OpenSCAP library and tool for evaluating a system generating reports.|
|openscap-utils||Includes command-line tools that use the OpenSCAP library.|
|openscap-scanner||Enables many SCAP options, like vulnerability and configuration scanning, along with the SCAP Security Guide.|
|scap-security-guide||Contains SCAP-format system-hardening guide. The guide has links to government requirements and provides security profiles.|
SCAP packages are available in the AlmaLinux 8 AppStream repository. Use the dnf command to install the SCAP packages. The openscap-scanner package will be installed as a dependency.
sudo dnf install openscap openscap-utils scap-security-guide
After installion, all SCAP security policies are located in the /usr/share/xml/scap/ssg/content/ directory.
# About the
oscap command is a utility that helps evaluate the system, check compliance, and perform various functions like showing information and generating reports.
This utility has many options, but uses the following general structure:
oscap [options] module operation [operation_options_and_arguments]
Module types that are supported by the oscap command are mentioned in the list:
|cpe||Uses a Common Platform Enumeration (CPE) file to perform operations.|
|cve||Uses a Common Vulnerabilities and Exposures (CVE) file to perform operations.|
|cvss||Uses a Common Vulnerability Scoring System (CVSS) file to perform operations.|
|ds||Uses a SCAP Data Stream (DS) to perform operations.|
|info||Determines a file's type and prints information about the file.|
|oval||Uses an Open Vulnerability and Assessment Language (OVAL) file to perform operations.|
|xccdf||Uses a file in eXtensible Configuration Checklist Description Format (XCCDF) to perform operations.|
|eval||For an OVAL file, oscap probes the system, evaluates each definition in the file and then prints the results to standard output. |
For a specified profile in an XCCDF file, oscap tests the system against each rule in the file and prints the results to standard output.
|generate||For an OVAL XML results file, generate converts the specified file into an HTML report. |
For an XCCDF file, generate outputs a full security guide for a specified profile.
|validate||Validates an OVAL or XCCDF file against an XML schema to check for errors.|
These modules such as info, oval, xccdf are effective for scanning the system.
Also, keep in mind, that sometimes the
oscap command performs different operations depending on the module type. Pay attention to the eval and generate module types.
Now, let's take a look at some more detailed examples with the oscap command.
# Displaying information, using
oscap -V command displays information such as the specifications which the version of oscap supports; capabilities of the oscap version; where schema, CPE, and probe files are stored; inbuilt CPE names; supported OVAL objects and associated SCAP probes.
As an example of an output you will see this:
OpenSCAP command line tool (oscap) 1.3.6 Copyright 2009--2021 Red Hat Inc., Durham, North Carolina. ==== Supported specifications ==== SCAP Version: 1.3 XCCDF Version: 1.2 OVAL Version: 5.11.1 CPE Version: 2.3 CVSS Version: 2.0 CVE Version: 2.0 Asset Identification Version: 1.1 Asset Reporting Format Version: 1.1 CVRF Version: 1.1 ==== Capabilities added by auto-loaded plugins ==== No plugins have been auto-loaded... ==== Paths ==== Schema files: /usr/share/openscap/schemas Default CPE files: /usr/share/openscap/cpe ==== Inbuilt CPE names ==== Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux:- ... Community Enterprise Operating System 8 - cpe:/o:centos:centos:8 AlmaLinux 8 - cpe:/o:almalinux:almalinux:8 ... Fedora 35 - cpe:/o:fedoraproject:fedora:35 ==== Supported OVAL objects and associated OpenSCAP probes ==== OVAL family OVAL object OpenSCAP probe ---------- ---------- ---------- independent environmentvariable probe_environmentvariable independent environmentvariable58 probe_environmentvariable58 ... unix uname probe_uname unix xinetd probe_xinetd
# Displaying Available Profiles
A profile consists of common security suggestions that are related to any AlmaLinux installation. Profiles also have supplementary recommendations for the system to use. So, the
oscap info command is used to see available profiles that are currently supported by the SCAP Security Guide which is a checklist file.
oscap info /usr/share/xml/scap/ssg/content/ssg-almalinux8-xccdf.xml
The part in quotes is the full path to the security content file being examined.
As an example of displaying available profiles output you'll see next:
Document type: XCCDF Checklist Checklist version: 1.1 Imported: 2022-05-03T13:52:24 Status: draft Generated: 2022-05-03 Resolved: true Profiles: Title: ANSSI-BP-028 (enhanced) Id: anssi_bp28_enhanced Title: ANSSI-BP-028 (high) Id: anssi_bp28_high Title: ANSSI-BP-028 (intermediary) Id: anssi_bp28_intermediary Title: ANSSI-BP-028 (minimal) Id: anssi_bp28_minimal Title: CIS AlmaLinux OS 8 Benchmark for Level 2 - Server Id: cis Title: CIS AlmaLinux OS 8 Benchmark for Level 1 - Server Id: cis_server_l1 Title: CIS AlmaLinux OS 8 Benchmark for Level 1 - Workstation Id: cis_workstation_l1 Title: CIS AlmaLinux OS 8 Benchmark for Level 2 - Workstation Id: cis_workstation_l2 Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) Id: cui Title: Australian Cyber Security Centre (ACSC) Essential Eight Id: e8 Title: Health Insurance Portability and Accountability Act (HIPAA) Id: hipaa Title: Australian Cyber Security Centre (ACSC) ISM Official Id: ism_o Title: Protection Profile for General Purpose Operating Systems Id: ospp Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8 Id: pci-dss Title: DISA STIG for Red Hat Enterprise Linux 8 Id: stig Title: DISA STIG with GUI for Red Hat Enterprise Linux 8 Id: stig_gui Referenced check files: ssg-almalinux8-oval.xml system: http://oval.mitre.org/XMLSchema/oval-definitions-5 ssg-almalinux8-ocil.xml system: http://scap.nist.gov/schema/ocil/2 https://security.almalinux.org/oval/org.almalinux.alsa-8.xml system: http://oval.mitre.org/XMLSchema/oval-definitions-5
We'd like to mention, that the profiles in the example list may not be the same with your system.
--profile option is useful to get information about a specific profile.
oscap info --profile hipaa /usr/share/xml/scap/ssg/content/ssg-almalinux8-xccdf.xml
There's an output example:
Document type: XCCDF Checklist Profile Title: Health Insurance Portability and Accountability Act (HIPAA) Id: hipaa Description: The HIPAA Security Rule establishes U.S. national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. This profile configures AlmaLinux 8 to the HIPAA Security Rule identified for securing of electronic protected health information. Use of this profile in no way guarantees or makes claims against legal compliance against the HIPAA Security Rule(s).
# Scanning the system
The most effective use of the oscap utility is the feature to perform configuration and vulnerability scans of a local system. The
oscap xccdf eval command is useful to scan a system against an XCCDF profile.
The output of this command shows a scan operation. It uses the ssg-almalinux8-cpe-dictionary.xml CPE dictionary to run against the HIPAA profile of the ssg-almalinux8-xccdf.xml checklist. The results are shown in a terminal window, as well as saved in XML and HTML formats in the two directories. One directory is /tmp, and the other is the ~home/user catalog that you choose by yourself where you'd like to save the results. Any rule in a profile that results in a fail potentially requires the system to be reconfigured.
oscap xccdf eval --profile hipaa \ --results /tmp/`hostname`-ssg-results.xml \ --report ~/report/`hostname`-ssg-results.html \ --cpe /usr/share/xml/scap/ssg/content/ssg-almalinux8-cpe-dictionary.xml \ /usr/share/xml/scap/ssg/content/ssg-almalinux8-xccdf.xml
Here is an example output of this command:
Title Verify File Hashes with RPM Rule rpm_verify_hashes Result pass Title Verify and Correct File Permissions with RPM Rule rpm_verify_permissions Result fail Title Configure SSH to use System Crypto Policy Rule configure_ssh_crypto_policy Result pass ... Title Remove Rsh Trust Files Rule no_rsh_trust_files Result pass Title Disable KDump Kernel Crash Analyzer (kdump) Rule service_kdump_disabled Result fail
The HTML report which you can view in a browser looks like as follows:
# Generating a Full Security Guide
To create a full security guide for a system based on an XCCDF profile, use the
oscap xccdf generate guide command. Pay attention, that like in the previous command you choose your home path ~home/user to save the HTML security guide.
oscap xccdf generate guide --profile hipaa \ --cpe /usr/share/xml/scap/ssg/content/ssg-almalinux8-cpe-dictionary.xml \ /usr/share/xml/scap/ssg/content/ssg-almalinux8-xccdf.xml > ~/report/security_guide.html
You can view the HTML report in a browser. Here is an example:
# OVAL Scan
# About OVAL
The OVAL definition file is used to scan the system in order to verify if applicable errata have been installed. To see the information about supported AlmaLinux OS versions and their public OVAL streams, please, visit the AlmaLinux OVAL streams (opens new window) wiki page.
There are two types of OVAL files: org.almalinux.alsa-8.xml and org.almalinux.alsa-8.xml.bz2, which contain the same information but archived.
# Performing a scan
The first thing to run the OVAL scan is to download a file from an AlmaLinux OVAL stream using the browser or the
Don't forget to extract the OVAL file if you downloaded the compressed file:
bzip2 -d org.almalinux.alsa-8.xml.bz2
- The following command to perform an audit scan of the AlmaLinux:
oscap oval eval --results /tmp/alsa-results-oval.xml \ --report ~/report/alsa-report-oval.html org.almalinux.alsa-8.xml
Here is an example output you can see:
Definition oval:org.almalinux.alsa:def:20224887: false Definition oval:org.almalinux.alsa:def:20224872: true Definition oval:org.almalinux.alsa:def:20224855: false ... Definition oval:org.almalinux.alsa:def:20224769: false ... Evaluation done.
A result of false means that the patch has been applied. A result of true means that the system is vulnerable and the patch is yet to be applied.
- Run the following command to generate the HTML report to view in a browser:
oscap oval generate report /tmp/alsa-results-oval.xml \ ~/report/alsa-report-oval.html
Here is the example of the HTML report:
# SCAP Workbench
One more way to scan a local or a remote system is SCAP Workbench. The SCAP Workbench utility also allows generating reports based on scan evaluations.
To install SCAP Workbench run the following command as root:
sudo dnf install scap-workbench
scap-security-guide package wasn't installed from the package repository before, you need to install it too, to use SCAP Workbench effectively. All the other packages and dependencies are installed and updated automatically.
After SCAP Workbench is installed, it should appear in your desktop environments application menu and you can run it.
After you start Workbench, a dialog window will offer you to choose which SCAP Security Guide to open.
When one of the guides is chosen, the next SCAP Workbench window appears. There is a menu, which offers you some more options to select before scanning the system.
File This option offers to load or save SCAP-related content. The Save Customization Only item is useful if you selected 'Customization Only' and you want to save it as an XCCDF XML file. The Save All item is useful to save SCAP files to the selected directory or as an RPM package.
Customization This option informs you about the customization used for the given security policy. The default is no customization.
Profile This option allows choosing the security profile by clicking this menu. You can create a new profile by clicking the Customize button.
Here is the list of available profiles that can be used to evaluate the system:
- ANSSI-BP-028 (enhanced)
- ANSSI-BP-028 (high)
- ANSSI-BP-028 (intermediary)
- ANSSI-BP-028 (minimal)
- CIS AlmaLinux 8 Benchmark for Level 2 - Server
- CIS AlmaLinux 8 Benchmark for Level 1 - Server
- CIS AlmaLinux 8 Benchmark for Level 1 - Workstation
- CIS AlmaLinux 8 Benchmark for Level 2 - Workstation
- Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
- Australian Cyber Security Centre (ACSC) Essential Eight
- Health Insurance Portability and Accountability Act (HIPAA)
- Australian Cyber Security Centre (ACSC) ISM Official
- Protection Profile for General Purpose Operating Systems
- PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
- DISA STIG for Red Hat Enterprise Linux 8
- DISA STIG with GUI for Red Hat Enterprise Linux 8
Target Here you can select the system you want to be evaluated - a local or a remote one.
Selected Rules This field shows you a list of security rules that security policy applies to.
Fetch remote resources You need to check this box in case you want the scanner to download remote OVAL content defined in an XML file.
Remediate If you check this box, SCAP Workbench will attempt to correct system settings that would fail to match the state defined by the policy.
After the profile is chosen, press the SCAN button. You will see how the process is going on the status bar.
After the scanning is finished, you'll have a diagnostics window.
You can Save Results as XCCDF Result file, ARF, or HTML Report, in case you need them. If you press the Show Report button, it'll be displayed in a browser:
# Applying Security Policy during Installation
Note that you can also choose one of the earlier mentioned profiles while running AlmaLinux Installation. To do this, go to the Security Policy option to choose the profile you need.
No profile is chosen by default, as applying a security policy is not necessary. The applied security policy will be installed to the system using the compliance policies defined by SCAP.