Several of the projects I am or have been matrixed to leverage the oscap utility to perform hardening based on common security-benchmarks. However, some of the profile-defaults are either too strict or too lax for a given application-deployment. While one can wholly ignore the hardenings selected by the common security-benchmarks and create one's own custom hardening-profile(s), that's a bit too much like reinventing the wheel.
Checking Which Security-Profiles Are Available
The oscap utility can be used to quickly show what profile-names are available for use. This is done by executing:
$ oscap info /PATH/TO/OS/<XCCDF>.xml
On Red Hat systems (and derivatives) with the scap-security-guide RPM installed, the XCCDF files will be installed in the /usr/share/xml/scap/ssg/content directory. To see which profiles are available for Red Hat 8 distros, one would execute:
$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml
Which would give an output like:
Document type: XCCDF Checklist
Checklist version: 1.2
Imported: 2023-02-13T11:49:00
Status: draft
Generated: 2023-02-13
Resolved: true
Profiles:
    Title: ANSSI-BP-028 (enhanced)
        Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
    Title: ANSSI-BP-028 (high)
        Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
    Title: ANSSI-BP-028 (intermediary)
        Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
    Title: ANSSI-BP-028 (minimal)
        Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
    Title: CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
        Id: xccdf_org.ssgproject.content_profile_cis
    Title: CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
        Id: xccdf_org.ssgproject.content_profile_cis_server_l1
    Title: CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation
        Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
    Title: CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation
        Id: xccdf_org.ssgproject.content_profile_cis_works
    Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
        Id: xccdf_org.ssgproject.content_profile_cui
    Title: Australian Cyber Security Centre (ACSC) Essential Eight
        Id: xccdf_org.ssgproject.content_profile_e8
    Title: Health Insurance Portability and Accountability Act (HIPAA)
        Id: xccdf_org.ssgproject.content_profile_hipaa
    Title: Australian Cyber Security Centre (ACSC) ISM Official
        Id: xccdf_org.ssgproject.content_profile_ism_o
    Title: Protection Profile for General Purpose Operating Systems
        Id: xccdf_org.ssgproject.content_profile_ospp
    Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
        Id: xccdf_org.ssgproject.content_profile_pci-dss
    Title: DISA STIG for Red Hat Enterprise Linux 8
        Id: xccdf_org.ssgproject.content_profile_stig
    Title: DISA STIG with GUI for Red Hat Enterprise Linux 8
        Id: xccdf_org.ssgproject.content_profile_stig_gui
Referenced check files:
    ssg-rhel8-oval.xml
        system: http://oval.mitre.org/XMLSchema/oval-definitions-5
    ssg-rhel8-ocil.xml
        system: http://scap.nist.gov/schema/ocil/2
    https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2
        system: http://oval.mitre.org/XMLSchema/oval-definitions-5
The critical items, here, are the lines that begin with "Title" and the lines that begin with "Id".
- The lines that begin with "Title" are what will appear in graphical tools like the SCAP Workbench GUI.
- The lines that begin with "Id" are used with the `oscap` utility. These identifiers are given as arguments to the utility's --profile flag (when using the `oscap` utility to scan and/or remediate a system).
Note: When using the values from the "Id" lines, either the fully-qualified ID-string may be given or just the parts after the "…profile_" substring. As such, one could specify either "xccdf_org.ssgproject.content_profile_stig" or just "stig".
Creating Tailored Security-Profiles:
The easiest method for tailoring security-profiles is to use the SCAP Workbench to generate the appropriately-formatted XML. However, if one already has an appropriately-formatted tailoring XML file, a plain text-editor (such as vim) is a very quick way to add or remove content.
It's worth noting that the SCAP Workbench is a GUI. As such, it will be necessary to either have access to the graphical console of a Linux or OSX host or the ability to display a remote Linux host's GUI-programs locally. Remote display to a local system can be the entire remote desktop (via things like Xrdp, VNC, XNest or other) or just the SCAP Workbench client, itself (personally, I leverage X11-over-SSH tunnels).
On a Red Hat (or derivative) system, you'll want to install the scap-workbench and the scap-security-guide RPMs. The former provides the SCAP Workbench GUI while the latter provides the content you'll typically want to use. As an alternative to the scap-security-guide RPM, you can install SCAP content from the Compliance As Code project (the upstream source for the scap-security-guide RPM's contents).
To generate a "null" tailoring-profile – one that doesn't change the behavior of a given profile's execution – use the following generic procedure:
- Establish GUI access to the system that will run the scap-workbench binary
- Execute `scap-workbench`. This will bring up a banner with a "content to load" list; on a Red Hat 8 system, that list shows the content installed by way of the scap-security-guide RPM.
- Select the appropriate content from the dropdown: if using vendor-content, one of the RHELn menu items; if opening content from another source (e.g., the Compliance as Code project), select the "Other SCAP Content" option.
- Click the "Load Content" button. If the "Other SCAP Content" option was selected, this will open up a dialog for navigating to the desired content. Otherwise, the vendor-content for the selected RHEL version will be opened.
- Once the selected content has been read, the GUI will display a page with the Title of the opened-content, a "Customization" dropdown-menu and a "Profile" drop-down menu.
- Select the appropriate hardening-profile from the "Profile" drop-down menu (e.g., "DISA STIG for Red Hat Enterprise Linux 8")
- Click on the "Customize" button next to the selected "Profile". This will bring up a small dialog with a "New Profile ID" field: accept the default value and click on the "Ok" button.
- This will open the customization window, which lists the profile's settings, each with a check-box:
- To save a "null" tailoring-file, immediately hit the "Ok" button.
- Alternately, pick through the list of available settings, selecting or unselecting boxes as seems appropriate for the target use-case, then hit the "Ok" button.
- This will close the customization-window and change the main window's "Customization" drop-down to include the string "(unsaved changes)"
- Click on the "File" dropdown-menu at the top of the window and select the "Save Customization Only" menu-item. Select a file-name that makes sense (I typically choose something like "tailoring-<OS_VERSION>-<PROFILE_NAME>.xml", e.g., "tailoring-el8-stig.xml" or "tailoring-el8-cis-server-l1.xml").
- Exit the SCAP workbench.
The resultant file will contain a line similar to:
<xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig_customized" extends="xccdf_org.ssgproject.content_profile_stig">
The actual contents of the line will vary, but the critical components are the "id" and "extends" tokens:
- id: the name of the profile to use when invoking the oscap utility
- extends: the name of the profile that will get modified by the tailoring-file's contents
The contents of the tailoring-file are generally pretty basic – something like:
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/tmp/scap-workbench-WOghwr/ssg-rhel8-xccdf.xml"/>
  <xccdf:version time="2023-09-11T17:10:35">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig_customized" extends="xccdf_org.ssgproject.content_profile_stig">
    <xccdf:title override="true" xml:lang="en-US" xmlns:xhtml="http://www.w3.org/1999/xhtml">DISA STIG for Red Hat Enterprise Linux 8 [CUSTOMIZED]</xccdf:title>
    <xccdf:description override="true" xml:lang="en-US" xmlns:xhtml="http://www.w3.org/1999/xhtml">This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux 8 V1R9.</xccdf:description>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="false"/>
  </xccdf:Profile>
</xccdf:Tailoring>
Rules that have been added to the execution list will look something like (note the "true" condition/key):
<xccdf:select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true"/>
While rules that have been deselected for execution will look something like (note the "false" condition/key):
<xccdf:select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="false"/>
Whether adding extra rules or deselecting rules from the execution-profile, the rules will be placed after the "</xccdf:description>" token and before the "</xccdf:Profile>" token.
Note that a "select" entry in the tailoring-file is effectively a no-op if its "selected" value for a rule is the same as what the profile referenced by the "extends" token already specifies for that rule: the tailoring-file only changes behavior where it differs from the base profile.
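As an added example (not code from the original post or from the SCAP Workbench/OpenSCAP projects), the following Python script generates a tailoring-file with the same element structure SCAP Workbench writes, using only the standard library. It reads the base profile's "select" entries out of the XCCDF content so that tailoring entries which merely restate the base profile (the no-op case just described) are dropped rather than written. The XCCDF fragment, the benchmark path, the `build_tailoring`/`base_selections` helpers and the rule ids other than rpm_verify_hashes are constructed for the example; it also assumes (SSG convention, where rules are switched on only via profiles) that a rule the base profile does not mention is unselected.

```python
"""Generate an XCCDF 1.2 tailoring-file (example code, not from the post)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
ET.register_namespace("xccdf", XCCDF_NS)

# Constructed XCCDF fragment standing in for ssg-rhel8-xccdf.xml: one base
# profile and the rules it selects (the password_minlen rule id is made up).
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <Profile id="xccdf_org.ssgproject.content_profile_stig">
    <title>DISA STIG for Red Hat Enterprise Linux 8</title>
    <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_example_password_minlen" selected="true"/>
  </Profile>
</Benchmark>"""


def q(tag):
    """Clark-notation name for an XCCDF element."""
    return f"{{{XCCDF_NS}}}{tag}"


def base_selections(xccdf_xml, profile_id):
    """Return {rule_id: bool} for the select entries of one Profile."""
    root = ET.fromstring(xccdf_xml)
    for prof in root.iter(q("Profile")):
        if prof.get("id") == profile_id:
            return {s.get("idref"): s.get("selected") == "true"
                    for s in prof.findall(q("select"))}
    raise KeyError(f"profile {profile_id!r} not in XCCDF content")


def build_tailoring(xccdf_path, xccdf_xml, base_id, new_id, title, changes, stamp):
    """Build the tailoring document (hypothetical helper).

    changes maps rule id -> desired selected state.  Entries whose state
    equals the base profile's are no-ops and are left out; rules the base
    profile does not mention are assumed unselected (SSG convention).
    Returns (xml_text, effective_changes).
    """
    base = base_selections(xccdf_xml, base_id)
    effective = {r: v for r, v in changes.items() if base.get(r, False) != v}

    tailoring = ET.Element(q("Tailoring"), id="xccdf_scap-workbench_tailoring_default")
    ET.SubElement(tailoring, q("benchmark"), href=xccdf_path)
    ET.SubElement(tailoring, q("version"), time=stamp).text = "1"
    prof = ET.SubElement(tailoring, q("Profile"), id=new_id, extends=base_id)
    t = ET.SubElement(prof, q("title"), override="true")
    t.set(XML_LANG, "en-US")
    t.text = title
    # One xccdf:select per effective change, inside the Profile element
    for rule_id, selected in sorted(effective.items()):
        ET.SubElement(prof, q("select"), idref=rule_id,
                      selected="true" if selected else "false")
    ET.indent(tailoring)
    xml_text = ('<?xml version="1.0" encoding="UTF-8"?>\n'
                + ET.tostring(tailoring, encoding="unicode"))
    return xml_text, effective


BASE = "xccdf_org.ssgproject.content_profile_stig"
NEW = BASE + "_customized"
EXAMPLE_CHANGES = {
    "xccdf_org.ssgproject.content_rule_rpm_verify_hashes": False,       # deselect
    "xccdf_org.ssgproject.content_rule_example_password_minlen": True,  # already on: no-op
    "xccdf_org.ssgproject.content_rule_example_extra_check": True,      # add (made-up id)
}

if __name__ == "__main__":
    text, eff = build_tailoring("/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml",
                                SAMPLE_XCCDF, BASE, NEW,
                                "DISA STIG for Red Hat Enterprise Linux 8 [CUSTOMIZED]",
                                EXAMPLE_CHANGES, "2023-09-11T17:10:35")
    print(text)
```

Run against the sample content, the password_minlen entry is dropped because the base profile already selects it, leaving one "false" select for rpm_verify_hashes and one "true" select for the added rule. Pointing the script at the real ssg-rhel8-xccdf.xml instead of the constructed fragment only requires reading that file into `xccdf_xml`.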
Using Tailored Security-Profiles:
Once generated, the tailoring-file is used by calling the oscap utility in the normal way but for:
- Adding a "--tailoring-file" flag (with the path of the tailoring-file as its argument)
- Ensuring the value of the "--profile" matches the profile "id" token's value in the tailoring-file (and that the "extends" token's value in the tailoring-file matches the "id" token's value in the referenced XCCDF file)
For example, if executing a remediation using a tailored-execution of the STIG profile, one would execute something like:
oscap xccdf eval \
    --remediate \
    --profile stig_customized \
    --tailoring-file /root/tailoring-el8-stig.xml \
    /usr/share/scap-content/openscap/ssg-rhel8-xccdf.xml
The above tells the oscap utility to use the tailoring-file located at "/root/tailoring-el8-stig.xml" to modify the behavior of the "stig" profile as defined in the "/usr/share/scap-content/openscap/ssg-rhel8-xccdf.xml" file. Note that the "--profile" value names the tailoring-file's profile ("stig_customized", the short form of the "id" token above), not the base "stig" profile it extends.
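As an added example (not code from the original post or from OpenSCAP), the following Python script performs the two consistency checks listed above before oscap is ever run: that the "--profile" argument names the tailoring-file's Profile (accepting the short form after "profile_", as described for the built-in profiles earlier) and that the Profile's "extends" value is a profile id actually present in the XCCDF file. The tailoring and XCCDF fragments are constructed for the example and `check_invocation` is a hypothetical helper; a mismatch such as "--profile stig_custom" against a tailoring-file whose profile id ends in "stig_customized" is reported instead of being discovered as an oscap error.

```python
"""Pre-flight check for a tailored oscap run (example code, not from the post)."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"


def q(tag):
    """Clark-notation name for an XCCDF element."""
    return f"{{{XCCDF_NS}}}{tag}"


def short_name(profile_id):
    """'xccdf_org.ssgproject.content_profile_stig' -> 'stig'."""
    return profile_id.rsplit("profile_", 1)[-1]


def matches(arg, profile_id):
    """oscap accepts either the full id or the part after 'profile_'."""
    return arg == profile_id or arg == short_name(profile_id)


def check_invocation(profile_arg, tailoring_xml, xccdf_xml):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    xccdf_ids = [p.get("id") for p in ET.fromstring(xccdf_xml).iter(q("Profile"))]
    tailoring = ET.fromstring(tailoring_xml)
    if tailoring.tag != q("Tailoring"):
        problems.append(f"root element is {tailoring.tag}, expected xccdf:Tailoring")
    tailored = tailoring.findall(q("Profile"))
    if not tailored:
        problems.append("tailoring-file defines no xccdf:Profile")
    # "extends" must name a profile that exists in the referenced XCCDF file
    for prof in tailored:
        ext = prof.get("extends")
        if ext not in xccdf_ids:
            problems.append(f"{prof.get('id')} extends {ext!r}, "
                            "which is not a profile in the XCCDF file")
    # "--profile" must name a tailored profile, not the base one it extends
    if not any(matches(profile_arg, p.get("id")) for p in tailored):
        known = ", ".join(short_name(p.get("id")) for p in tailored)
        problems.append(f"--profile {profile_arg!r} does not name a tailored "
                        f"profile (tailoring-file defines: {known})")
    return problems


# Constructed fragments standing in for ssg-rhel8-xccdf.xml and
# tailoring-el8-stig.xml (only the elements the checks look at).
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Profile id="xccdf_org.ssgproject.content_profile_stig"/>
  <Profile id="xccdf_org.ssgproject.content_profile_cis"/>
</Benchmark>"""

SAMPLE_TAILORING = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml"/>
  <xccdf:version time="2023-09-11T17:10:35">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig_customized" extends="xccdf_org.ssgproject.content_profile_stig">
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="false"/>
  </xccdf:Profile>
</xccdf:Tailoring>"""

if __name__ == "__main__":
    for arg in ("stig", "stig_custom", "stig_customized"):
        print(arg, "->", check_invocation(arg, SAMPLE_TAILORING, SAMPLE_XCCDF) or ["ok"])
```

Passing "stig" (the base profile) is flagged as well, since that invocation would run the unmodified STIG profile and silently ignore every customization in the tailoring-file.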