OpenSCAP is an open source tool for automated vulnerability assessment and policy compliance checking on Linux. SCAP, pronounced “ess-cap”, is the Security Content Automation Protocol: a set of open standards (CVE, CVSS, OVAL and XCCDF, among others) for identifying and scoring vulnerabilities and for expressing the checks that detect them. The OpenSCAP tool, which is NIST certified, ingests SCAP content and outputs a report of which checks passed and which failed.

Let’s walk through an example of auditing a Red Hat 6 machine against the SCAP content that DISA publishes as the Red Hat 6 STIG Benchmark.

First, install OpenSCAP and its dependencies (I’m also installing wget and unzip so that I can download and unpack the STIG).

$ yum install openscap-utils wget unzip
================================================================================
 Package               Arch   Version                Repository            Size
================================================================================
Installing:
 openscap-utils        x86_64 1.0.8-1.el6_5.1        rhel-x86_64-server-6  52 k
 unzip                 x86_64 6.0-1.el6              rhel-x86_64-server-6 149 k
 wget                  x86_64 1.12-5.el6_6.1         rhel-x86_64-server-6 483 k
Installing for dependencies:
 bzip2                 x86_64 1.0.5-7.el6_0          rhel-x86_64-server-6  49 k
 elfutils              x86_64 0.158-3.2.el6          rhel-x86_64-server-6 233 k
 elfutils-libs         x86_64 0.158-3.2.el6          rhel-x86_64-server-6 211 k
 fakeroot              x86_64 1.12.2-22.2.el6        rhel-x86_64-server-6  73 k
 fakeroot-libs         x86_64 1.12.2-22.2.el6        rhel-x86_64-server-6  23 k
 file                  x86_64 5.04-21.el6            rhel-x86_64-server-6  47 k
 gdb                   x86_64 7.2-75.el6             rhel-x86_64-server-6 2.3 M
 libxslt               x86_64 1.1.26-2.el6_3.1       rhel-x86_64-server-6 452 k
 man                   x86_64 1.6f-32.el6            rhel-x86_64-server-6 263 k
 openscap              x86_64 1.0.8-1.el6_5.1        rhel-x86_64-server-6 2.9 M
 patch                 x86_64 2.6-6.el6              rhel-x86_64-server-6  91 k
 perl                  x86_64 4:5.10.1-136.el6_6.1   rhel-x86_64-server-6  10 M
 perl-Module-Pluggable x86_64 1:3.90-136.el6_6.1     rhel-x86_64-server-6  40 k
 perl-Pod-Escapes      x86_64 1:1.04-136.el6_6.1     rhel-x86_64-server-6  32 k
 perl-Pod-Simple       x86_64 1:3.13-136.el6_6.1     rhel-x86_64-server-6 212 k
 perl-libs             x86_64 4:5.10.1-136.el6_6.1   rhel-x86_64-server-6 578 k
 perl-version          x86_64 3:0.77-136.el6_6.1     rhel-x86_64-server-6  51 k
 rpm-build             x86_64 4.8.0-38.el6_6         rhel-x86_64-server-6 127 k
 rpmdevtools           noarch 7.5-2.el6              rhel-x86_64-server-6 109 k
 xz                    x86_64 4.999.9-0.5.beta.20091007git.el6
                                                     rhel-x86_64-server-6 137 k
 xz-lzma-compat        x86_64 4.999.9-0.5.beta.20091007git.el6
                                                     rhel-x86_64-server-6  16 k
Updating for dependencies:
 elfutils-libelf       x86_64 0.158-3.2.el6          rhel-x86_64-server-6 182 k
 file-libs             x86_64 5.04-21.el6            rhel-x86_64-server-6 313 k
 rpm                   x86_64 4.8.0-38.el6_6         rhel-x86_64-server-6 902 k
 rpm-libs              x86_64 4.8.0-38.el6_6         rhel-x86_64-server-6 313 k
 rpm-python            x86_64 4.8.0-38.el6_6         rhel-x86_64-server-6  57 k
 xz-libs               x86_64 4.999.9-0.5.beta.20091007git.el6
                                                     rhel-x86_64-server-6  89 k

Transaction Summary
================================================================================
Install      24 Package(s)
Upgrade       6 Package(s)

Total download size: 21 M

With the tool installed, we can audit the server against the DISA STIG. The benchmark can be downloaded from DISA’s web site.

$ wget http://iase.disa.mil/stigs/Documents/U_RedHat_6_V1R6_STIG_SCAP_1-1_Benchmark.zip
$ unzip U_RedHat_6_V1R6_STIG_SCAP_1-1_Benchmark.zip
$ oscap info U_RedHat_6_V1R6_STIG_SCAP_1-1_Benchmark-xccdf.xml
$ oscap xccdf eval \
  --report `hostname`-redhat_6_v1r6_stig.html \
  --cpe U_RedHat_6_V1R6_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml \
  U_RedHat_6_V1R6_STIG_SCAP_1-1_Benchmark-xccdf.xml

The generated HTML report can be viewed in a browser. It summarizes each rule with a simple pass/fail result and provides details and remediation instructions for every rule.

DISA STIG Sample Report
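As an added example (not part of the original post), here is a small Python script that reads the machine-readable results of the same evaluation and summarizes them, so failures can be triaged by severity without opening the HTML report. It assumes you also pass `--results <file>` to the `oscap xccdf eval` command above, which writes the evaluation as XCCDF XML alongside the HTML. The embedded XML is a constructed sample: the rule ids, host name and score are placeholders, not real STIG identifiers.

```python
# Added example (not from the original post): summarise an XCCDF results file
# written by `oscap xccdf eval --results <file>`. The XML below is a
# constructed sample; rule ids, host name and score are placeholders.
import xml.etree.ElementTree as ET
from collections import Counter

# Triage order for failed rules (STIG severities are high/medium/low).
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed XCCDF 1.1 results fragment in the shape oscap writes.
SAMPLE_XCCDF_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-benchmark">
  <TestResult id="xccdf_example_testresult" start-time="2015-01-01T10:00:00">
    <target>host.example.invalid</target>
    <rule-result idref="SV-EXAMPLE-1_rule" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="SV-EXAMPLE-2_rule" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="SV-EXAMPLE-3_rule" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="SV-EXAMPLE-4_rule" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="SV-EXAMPLE-5_rule" severity="medium">
      <result>notchecked</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666667</score>
  </TestResult>
</Benchmark>
"""


def _local(tag):
    """Drop the namespace prefix so XCCDF 1.1 and 1.2 results parse the same way."""
    return tag.rsplit("}", 1)[-1]


def summarize_xccdf(xml_text):
    """Return the target, score, per-result counts and failed rules (highest severity first)."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    failed = []
    target = None
    score = None
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "target":
            target = (elem.text or "").strip()
        elif name == "score":
            score = float(elem.text)
        elif name == "rule-result":
            # Each rule-result carries its outcome in a <result> child; anything
            # other than pass/fail (notchecked, notapplicable, error, ...) is
            # counted but not treated as a failure.
            result_elem = next((c for c in elem if _local(c.tag) == "result"), None)
            result = (result_elem.text or "").strip() if result_elem is not None else ""
            result = result or "unknown"
            counts[result] += 1
            if result == "fail":
                failed.append((elem.get("severity", "unknown"), elem.get("idref", "?")))
    failed.sort(key=lambda item: SEVERITY_ORDER.get(item[0], len(SEVERITY_ORDER)))
    return {"target": target, "score": score, "counts": dict(counts), "failed": failed}


def has_failures(summary):
    """True when at least one rule failed (oscap itself exits 2 in that case)."""
    return bool(summary["failed"])


if __name__ == "__main__":
    summary = summarize_xccdf(SAMPLE_XCCDF_RESULTS)
    print(f"target={summary['target']} score={summary['score']} counts={summary['counts']}")
    for severity, rule_id in summary["failed"]:
        print(f"  FAIL [{severity}] {rule_id}")
```

To use it on a real run, read the `--results` file and pass its text to `summarize_xccdf`. Two caveats worth knowing: `oscap info` on the benchmark lists the profiles it contains and `--profile <id>` selects one; without it oscap evaluates only the rules the benchmark selects by default, so the counts may cover fewer rules than you expect. Rules reported as `notchecked` or `notapplicable` are neither passes nor failures and deserve a separate look, because a rule that could not be checked is not a rule that passed.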

Another useful test for Red Hat systems is to verify that all of the patches required by Red Hat security advisories (RHSAs) have been installed (you can subscribe to the announcements here).

$ wget http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml
$ oscap oval eval \
  --results rhsa-results-oval.xml \
  --report `hostname`-rhsa-report.html \
  com.redhat.rhsa-all.xml

Again, the report can be viewed in a browser to see which advisory patches have been applied and which still need to be applied.

RHSA Sample Report
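As an added example (again not part of the original post), the following Python reads the `rhsa-results-oval.xml` file produced by the command above and lists the advisories whose OVAL definition evaluated to true. In Red Hat's OVAL patch definitions a true result means the affected package version is still installed, so the true results are exactly the patches that still need to be applied. The XML is a constructed sample; the definition ids and advisory titles are placeholders, not real advisories.

```python
# Added example (not from the original post): list the advisories whose OVAL
# patch definition evaluated to "true" in the results file written by
# `oscap oval eval --results <file>`. In Red Hat's content "true" means the
# vulnerable package version is installed, i.e. the patch is missing. The XML
# is a constructed sample; ids and titles are placeholders.
import re
import xml.etree.ElementTree as ET

# Red Hat advisory severities, most urgent first.
SEVERITY_ORDER = {"critical": 0, "important": 1, "moderate": 2, "low": 3}

SAMPLE_OVAL_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:example.rhsa:def:1" class="patch" version="1">
        <oval-def:metadata>
          <oval-def:title>RHSA-EXAMPLE:0001: example-a security update (Important)</oval-def:title>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:example.rhsa:def:2" class="patch" version="1">
        <oval-def:metadata>
          <oval-def:title>RHSA-EXAMPLE:0002: example-b security update (Moderate)</oval-def:title>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:example.rhsa:def:3" class="patch" version="1">
        <oval-def:metadata>
          <oval-def:title>RHSA-EXAMPLE:0003: example-c security update (Critical)</oval-def:title>
        </oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example.rhsa:def:1" result="true" version="1"/>
        <definition definition_id="oval:example.rhsa:def:2" result="false" version="1"/>
        <definition definition_id="oval:example.rhsa:def:3" result="true" version="1"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def _local(tag):
    """Drop the namespace prefix; definitions and results live in different namespaces."""
    return tag.rsplit("}", 1)[-1]


def _severity_from_title(title):
    """Red Hat appends the advisory severity in parentheses at the end of the title."""
    match = re.search(r"\(([A-Za-z]+)\)\s*$", title)
    return match.group(1).lower() if match else "unknown"


def missing_patches(xml_text):
    """Return (severity, definition_id, title) for each definition that evaluated true."""
    root = ET.fromstring(xml_text)
    titles = {}    # definition id -> advisory title (from the embedded definitions)
    outcomes = {}  # definition id -> "true" / "false" / "error" / ... (from <results>)
    for elem in root.iter():
        if _local(elem.tag) != "definition":
            continue
        if elem.get("id"):
            # Definition body: carries metadata/title.
            title_elem = next((t for t in elem.iter() if _local(t.tag) == "title"), None)
            titles[elem.get("id")] = (title_elem.text or "").strip() if title_elem is not None else ""
        elif elem.get("definition_id"):
            # Per-system evaluation result for that definition.
            outcomes[elem.get("definition_id")] = elem.get("result")
    missing = []
    for def_id, result in outcomes.items():
        if result == "true":
            title = titles.get(def_id, "")
            missing.append((_severity_from_title(title), def_id, title))
    missing.sort(key=lambda item: SEVERITY_ORDER.get(item[0], len(SEVERITY_ORDER)))
    return missing


if __name__ == "__main__":
    for severity, def_id, title in missing_patches(SAMPLE_OVAL_RESULTS):
        print(f"MISSING [{severity}] {def_id}: {title}")
```

The `--report` HTML shows the same information, but the XML is easier to feed into a ticketing or inventory system. Definitions that evaluated false, or that produced `error` or `unknown`, are left out of the returned list; if you want to audit those as well, return the `outcomes` mapping alongside the missing patches, since a definition that could not be evaluated is not evidence that the patch is installed.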