Using the OpenSCAP daemon on Ubuntu 18.04

The OpenSCAP daemon is currently available for Ubuntu 18.04 and Fedora in their respective repositories, but not for RHEL or CentOS. Although the package name is openscap-daemon, there's also a command-line component that goes with it. The daemon runs in the background, constantly checking for any tasks that you've created with the command-line utility. The command-line utility allows you to create scanning tasks in an interactive mode. It's a lot easier than crafting each scan command with the normal openscap utility, as we've done previously. However, there are a few downsides:

  • To install it on RHEL or CentOS, you'll have to download the source code and compile it yourself.
  • The documentation isn't that good.
  • Supposedly, you can use this to automatically scan either the localhost or a remote machine. However, I wasn't able to make the remote scanning option work. 

So, yeah, there are a few downsides at the moment. However, users have been requesting a daemon service of this type, so the OpenSCAP developers have finally obliged them. For this demo, I've created a fresh Ubuntu 18.04 VM. To my own home directory, I've already transferred the Ubuntu 18.04 profile files from the code archive file that you can download from the Packt Publishing website. (You'll find the link for that at the beginning of this chapter.)

To install it, just do the following:

sudo apt install openscap-daemon ssg-applications ssg-debderived ssg-nondebian ssg-base ssg-debian

After the installation is complete, the daemon will already be running. Next, I'll transfer the Ubuntu 18.04 profiles over to the proper directory:

donnie@ubuntu4:~$ ls
ssg-ubuntu1804-cpe-dictionary.xml ssg-ubuntu1804-ds.xml ssg-ubuntu1804-xccdf.xml
ssg-ubuntu1804-cpe-oval.xml ssg-ubuntu1804-ocil.xml
ssg-ubuntu1804-ds-1.2.xml ssg-ubuntu1804-oval.xml
donnie@ubuntu4:~$ sudo cp *.xml /usr/share/scap-security-guide/
donnie@ubuntu4:~$

Now, you can use the oscapd-cli tool to set up a scanning job for either the local machine or a remote machine. You can configure the job to run once, or on a periodic schedule. The oscapd-cli man page is fairly worthless, so your best bet is to consult the OpenSCAP website.

You'll find documentation for oscapd-cli at https://github.com/OpenSCAP/openscap-daemon/blob/master/README.md.

Start the process by creating a task. It's all interactive, so it's really just a matter of answering some questions. Here's the command that gets the ball rolling:

donnie@ubuntu4:~$ sudo oscapd-cli task-create -i
Creating new task in interactive mode
Title: Localhost scan

The -i option at the end means interactive. If it's not there, the command will just throw an angry error message at you. As you can see, you need to create a title for the job. Your best bet here is to just name the job after either the machine or the software package that you're scanning. In this case, I'll name it Localhost scan.

Next, enter the address of the machine that you want to scan. To scan the localhost, I'll just hit the Enter key. Then, choose a profile file. I'll choose number 15, for Ubuntu 18.04:

donnie@ubuntu4:~$ sudo oscapd-cli task-create -i
Creating new task in interactive mode
Title: Localhost scan
Target (empty for localhost):
Found the following SCAP Security Guide content:
1: /usr/share/scap-security-guide/ssg-centos5-ds.xml
. . .
15: /usr/share/scap-security-guide/ssg-ubuntu1804-ds.xml
16: /usr/share/scap-security-guide/ssg-webmin-ds.xml
Choose SSG content by number (empty for custom content): 15

The profile file contains six profiles to choose from.

The ANSSI DAT-NT28 profiles are from the Agence nationale de la sécurité des systèmes d’information in France. You would think that there would be some profiles for stig or pci-dss, but there aren't.

I'll just choose profile number 2, for the Standard System Security Profile:

Found the following possible profiles: 
1: Profile for ANSSI DAT-NT28 Minimal Level (id='xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal')
2: Standard System Security Profile for Ubuntu 18.04 (id='xccdf_org.ssgproject.content_profile_standard')
3: Profile for ANSSI DAT-NT28 Restrictive Level (id='xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive')
4: Profile for ANSSI DAT-NT28 Average (Intermediate) Level (id='xccdf_org.ssgproject.content_profile_anssi_np_nt28_average')
5: Profile for ANSSI DAT-NT28 High (Enforced) Level (id='xccdf_org.ssgproject.content_profile_anssi_np_nt28_high')
6: (default) (id='')
Choose profile by number (empty for (default) profile): 2

Next, I'll choose whether or not to do automatic remediation, and then set a schedule. For now, I'll choose to not do remediation, since I just want to test this first. I'll choose to scan NOW and repeat the job weekly:

Online remediation (1, y or Y for yes, else no): 
Schedule:
- not before (YYYY-MM-DD HH:MM in UTC, empty for NOW):
- repeat after (hours or @daily, @weekly, @monthly, empty or 0 for no repeat): @weekly
Task created with ID '1'. It is currently set as disabled. You can enable it with `oscapd-cli task 1 enable`.
donnie@ubuntu4:~$

Now, we have task ID 1, which we still need to enable. We'll do that with the following command:

donnie@ubuntu4:~$ sudo oscapd-cli task 1 enable
donnie@ubuntu4:~$

To see the list of created tasks, use the task option:

donnie@ubuntu4:~$ sudo oscapd-cli task
---+----------------+-----------+---------------------+--------
ID | Title | Target | Modified | Enabled
---+----------------+-----------+---------------------+--------
1 | Localhost scan | localhost | 2019-11-20 23:39:26 | enabled

Found 1 tasks, 1 of them enabled.
donnie@ubuntu4:~$

Once a scan completes, you'll find the results in a results.xml file under the /var/lib/oscapd/results directory. Within that directory, you'll see a new numbered subdirectory for each enabled task. Within each of those subdirectories, you'll see more numbered subdirectories, one for each time that the task has run. The /var/lib/oscapd directory is only readable by the root user, so you'll need to switch to a root shell to see what's in it:

donnie@ubuntu4:~$ sudo su -
root@ubuntu4:~# cd /var/lib/oscapd/results/
root@ubuntu4:/var/lib/oscapd/results# ls
1
root@ubuntu4:/var/lib/oscapd/results# cd 1
root@ubuntu4:/var/lib/oscapd/results/1# ls
1
root@ubuntu4:/var/lib/oscapd/results/1# cd 1
root@ubuntu4:/var/lib/oscapd/results/1/1# ls
exit_code results.xml stderr stdout
root@ubuntu4:/var/lib/oscapd/results/1/1#

Since we mere mortals aren't meant to read .xml files, we'll convert it into a more human-friendly .html file, the same as we did when we used the command-line scanner:

root@ubuntu4:/var/lib/oscapd/results/1/1# ls
exit_code results.xml stderr stdout
root@ubuntu4:/var/lib/oscapd/results/1/1# oscap xccdf generate report results.xml > /home/donnie/results.html

root@ubuntu4:/var/lib/oscapd/results/1/1# exit
logout
donnie@ubuntu4:~$

Then, just open the file in your web browser.

If all you want to see is whether your machine or software is compliant without having to view the entire output file, just use the result option, followed by the task number:

donnie@ubuntu4:~$ sudo oscapd-cli result 1
Results of Task "Localhost scan", ID = 1

---+---------------------+--------------
ID | Timestamp | Status
---+---------------------+--------------
1 | 2019-11-20 23:39:26 | Non-Compliant
donnie@ubuntu4:~$

Oh dear, I'm non-compliant. I'll have to look in the report that I just generated to see what needs to be fixed. Once I look that over to see if I agree with its findings, I'll create another task that will perform automatic remediation.
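Here's an added example that isn't part of the book's original text or of the openscap-daemon project: a small POSIX shell script that walks the /var/lib/oscapd/results/<task>/<run>/ layout shown above, counts the pass and fail verdicts in each results.xml, prints a per-run summary, and renders an HTML report for every run with the same oscap xccdf generate report command used above (only when oscap is installed). It assumes that directory layout and the XCCDF <rule-result><result>...</result> structure of the result file. The sample results tree it builds under a temporary directory is constructed so that the script runs offline; the Compliant/Non-Compliant rule it applies (any failed rule means non-compliant) is the script's own convention, not a statement of how oscapd computes the status it prints.

```shell
#!/bin/sh
# Added example, not from the book or the openscap-daemon project.
# Summarise every OpenSCAP daemon run found under <root>/<task-id>/<run-id>/
# (the /var/lib/oscapd/results layout) and render one HTML report per run.

# Count rule results in an XCCDF result file that carry the given verdict
# ($2 = pass, fail, notapplicable, error, ...). Missing file counts as 0.
count_verdict() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -o "<result>$2</result>" "$1" | wc -l | tr -d ' '
}

# This script's own rule: any failed rule makes the run Non-Compliant.
run_status() {
    if [ "$(count_verdict "$1" fail)" -gt 0 ]; then
        echo "Non-Compliant"
    else
        echo "Compliant"
    fi
}

# Walk <root>/<task>/<run>/results.xml and print one summary line per run,
# including the exit_code file the daemon stores next to results.xml.
summarize_runs() {
    root="$1"
    for xml in "$root"/*/*/results.xml; do
        [ -f "$xml" ] || continue
        run_dir=$(dirname "$xml")
        run_id=$(basename "$run_dir")
        task_id=$(basename "$(dirname "$run_dir")")
        exit_code=$(cat "$run_dir/exit_code" 2>/dev/null || echo '?')
        printf 'task=%s run=%s exit_code=%s pass=%s fail=%s status=%s\n' \
            "$task_id" "$run_id" "$exit_code" \
            "$(count_verdict "$xml" pass)" "$(count_verdict "$xml" fail)" \
            "$(run_status "$xml")"
    done
}

# Render an HTML report for every run, the same conversion done by hand above.
# Skipped (with a notice) when oscap is not installed on this machine.
render_reports() {
    root="$1"; outdir="$2"
    command -v oscap >/dev/null 2>&1 || {
        echo "oscap not installed; skipping HTML reports" >&2; return 0; }
    mkdir -p "$outdir"
    for xml in "$root"/*/*/results.xml; do
        [ -f "$xml" ] || continue
        run_dir=$(dirname "$xml")
        name="task$(basename "$(dirname "$run_dir")")-run$(basename "$run_dir")"
        oscap xccdf generate report "$xml" > "$outdir/$name.html" \
            || echo "report generation failed for $xml" >&2
    done
}

# Constructed sample tree (two runs of task 1) so the script runs offline.
# On a real host, point summarize_runs at /var/lib/oscapd/results as root.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/1/1" "$root/1/2"
    cat > "$root/1/1/results.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<TestResult id="xccdf_org.open-scap_testresult_constructed_1">
  <rule-result idref="xccdf_org.ssgproject.content_rule_a"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_b"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_c"><result>notapplicable</result></rule-result>
</TestResult>
EOF
    echo 2 > "$root/1/1/exit_code"   # constructed: a run with a failed rule
    cat > "$root/1/2/results.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<TestResult id="xccdf_org.open-scap_testresult_constructed_2">
  <rule-result idref="xccdf_org.ssgproject.content_rule_a"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_b"><result>pass</result></rule-result>
</TestResult>
EOF
    echo 0 > "$root/1/2/exit_code"   # constructed: a clean run
}

# Demo on the constructed tree.
SAMPLE_ROOT=$(mktemp -d)
make_sample_tree "$SAMPLE_ROOT"
summarize_runs "$SAMPLE_ROOT"
render_reports "$SAMPLE_ROOT" "$SAMPLE_ROOT/html"
```

To use it against real daemon output, run it as root and replace SAMPLE_ROOT with /var/lib/oscapd/results; the summary line lets you spot a Non-Compliant run without opening the full HTML report, and the exit_code column tells you whether a run completed at all before you trust its verdict counts.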

So, what's the bottom line? Well, the OpenSCAP daemon is a really cool concept, and I like it. I can't wait until it comes to the RHEL and CentOS repositories.

Next up, let's look at some criteria for choosing an OpenSCAP profile.
