Security Content Automation Protocol (SCAP) Scanning
Configuration Compliance of IT systems is an important part of system hardening and is part of most security attestations and third party audits. Security Content Automation Protocol (SCAP) is a common method of automating these configuration compliance checks and identifying remediation.
Background
Security Content Automation Protocol is a US standard maintained by NIST (specified in NIST SP 800-126) that combines a set of component specifications to enable automated vulnerability management, measurement, and policy compliance checking of information systems. It is most often used for compliance scanning, that is, measuring IT systems against a published configuration standard such as a CIS Benchmark or PCI DSS.
OpenSCAP is a popular open-source toolset for SCAP scanning, maintained primarily by Red Hat. It is the most common way to conduct SCAP scanning and assessment on Linux systems and container images.
SCAP modules
Each SCAP component specification (referred to here as a module) has a specific function to help automate security checks, assessments, and vulnerability management. Here is a breakdown of the key SCAP modules and what each one does:
1. XCCDF (Extensible Configuration Checklist Description Format)
- Purpose: XCCDF is used to create security checklists, benchmarks, and configuration guidance.
- Function: It defines security policies as XML documents that include rules, checks, and remediation guidance. XCCDF files are structured to represent security profiles, with each profile containing rules for configuration and compliance.
- Example Use: A benchmark to verify that SSH settings align with best practices would be defined in an XCCDF file.
2. OVAL (Open Vulnerability and Assessment Language)
- Purpose: OVAL provides a standard way to represent system configuration information, state, and vulnerability data.
- Function: OVAL definitions describe security checks for specific configurations, patches, or vulnerabilities. It allows scanners to evaluate system compliance and find vulnerabilities by checking if specific conditions are met.
- Example Use: An OVAL check might confirm that a particular version of a package is installed, or that a configuration file contains certain values.
3. CPE (Common Platform Enumeration)
- Purpose: CPE is a standardized naming scheme to identify information technology systems, platforms, and applications.
- Function: CPE names uniquely identify specific platforms, operating systems, or applications, enabling SCAP tools to apply relevant checks based on the target system.
- Example Use: A CPE identifier might specify a system as “cpe:/o:redhat:enterprise_linux:8” to apply checks specific to Red Hat Enterprise Linux 8.
4. CVE (Common Vulnerabilities and Exposures)
- Purpose: CVE provides a unique identifier for publicly known vulnerabilities.
- Function: Each CVE ID refers to a specific vulnerability, describing the affected software and the nature of the issue. CVE identifiers help track vulnerabilities across databases and security tools.
- Example Use: CVE-2021-34527 (PrintNightmare) is an identifier that refers to a specific Windows vulnerability, allowing security tools to recognize and reference it in scans and reports.
How These Modules Work Together
- XCCDF defines what should be checked and provides remediation guidance.
- OVAL performs the actual checks by evaluating system state and configurations.
- CPE identifies the target systems to apply the correct XCCDF and OVAL rules.
- CVE provides a way to reference specific vulnerabilities in security content and scan results.
These modules collectively enable SCAP tools to perform consistent and automated security assessments across diverse systems and platforms.
How this applies to GitLab systems
At GitLab we primarily deploy our production application through containers. OpenSCAP can be run against a wide variety of deployment options, but mainly it is run against operating systems and container images. We run OpenSCAP against our infrastructure operating systems and container images to validate their compliance.
OpenSCAP cannot evaluate container images on its own and requires a container engine like Podman to do so (the oscap-podman wrapper mounts the image and runs oscap against the mounted filesystem). Because an image has no running kernel, services, mounted partitions, or audit daemon, expect the rules in an OS benchmark that cover those areas to come back as fail or notapplicable; read a container image report with that in mind rather than as a like-for-like host score.
Getting Started with OpenSCAP Compliance Scanning
1. Choose your module based on your intent (XCCDF for compliance checklists, OVAL for raw definitions, CPE, CVE).
2. Source your SCAP content (for example, XCCDF data streams are part of the ssg family of packages).
3. Decide on your standard (PCI-DSS, CIS, CUI, etc.).
4. Check your SCAP content for the relevant OS standard file.
   - RedHat 9 example: /usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml
5. For compliance scanning, get the profile name of the standard you want to use. You can find the list of profiles within the SCAP content file using oscap info [filename], e.g. oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml
6. Put together your command and run it against your system or container image.
   - IMPORTANT: oscap-podman can only run as root (sudo oscap-podman, or sudo su - and then oscap-podman), and Podman isolates container images and configuration between users. You need to pull the container images as the root user or using sudo so that oscap-podman can see the image.
Container image example: CIS benchmark (the cis profile, which is the Level 2 Server profile in the RHEL 9 content) against a UBI9-minimal image using oscap-podman.
```shell
# COMMAND CONTAINER_IMAGE MODULE MODE --report DESIRED_REPORT_LOCATION --profile PROFILE_FROM_STEP_5 LOCATION_OF_SCAP_CONTENT_FILE
oscap-podman c8d01adc0698 xccdf eval --report /tmp/ubi9-min-scap-cis-2.html --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml
# This evaluates the container image c8d01adc0698 against the CIS profile in ssg-rhel9-ds-1.2.xml and writes the HTML report to /tmp/
```
Practical Steps
We will:
- Set up OpenSCAP on an Ubuntu 24.04 system
- Evaluate the RedHat 9 UBI image against the CIS benchmark
Prep the system
On an Ubuntu 24.04 system:
- Install Podman (included in the default apt repositories in 24.04).
- Install openscap-scanner openscap-utils openscap-common openscap-doc.
- Install ssg-base ssg-nondebian.
- Check /usr/share/xml/scap/ssg/content for SCAP profiles. These are installed by ssg-base and ssg-nondebian.
- There is a bootstrap script here for ease of setup.
SCAP Evaluation Commands
```shell
# Become root so the command works (alternatively use sudo for each command)
sudo su -
# Pull the latest container image (use ubi9/ubi-minimal instead if you want to scan the minimal image named in the report filename below)
podman pull registry.access.redhat.com/ubi9/ubi
# Check for the container image ID
podman image ls
# Grab the container image ID and run your command
oscap-podman a674bd5e68d9 xccdf eval --report /tmp/ubi9-min-scap-cis-2.html --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml
# Open the final HTML file in your browser
```
Other Points
- OpenSCAP can be used for a variety of standards and formats. For example, US Department of Defense Security Technical Implementation Guides (STIGs) are some of the strictest configuration standards that are publicly available. STIGs can be used with OpenSCAP.
- OpenSCAP can generate different kinds of reports and scripts, not just HTML. Adding --results results.xml to the eval command writes the machine-readable XCCDF results document next to the HTML report, and oscap xccdf generate fix can turn a profile (or a results file) into a remediation script. Depending on the specific system it can generate the exact commands necessary to remediate failures.
- If JSON output is needed, this OSCAP-JSON tool will intake the standard output of openscap and convert it into JSON. If using an ARM architecture you will need to build it from source using make.
- This is a working example script that uses the oscap-json tool to generate JSON SCAP reports from a list of containers.
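The following is an added example written for this page, not part of OpenSCAP or of the oscap-json tool mentioned above. It parses the XCCDF results XML that `oscap-podman IMAGE xccdf eval --results /tmp/results.xml ...` writes (oscap-podman passes that option through to oscap), prints a JSON summary, and returns a non-zero status when any rule at or above a chosen severity failed, which is how you would gate a pipeline on a scan. The results document embedded in it is constructed for the example: the rule ids follow the SSG naming scheme, but the rule set, target id and score are invented rather than taken from a real scan.

```python
"""Summarise an XCCDF results file into JSON and a pass/fail gate.

Example helper for this page; not part of OpenSCAP or the oscap-json tool.
It reads the document that `oscap ... xccdf eval --results results.xml`
writes (oscap-podman passes that option through to oscap).
"""
import json
import sys
import xml.etree.ElementTree as ET

# Namespace of XCCDF 1.2 documents, used by the SSG data streams and by
# oscap's --results output.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# XCCDF rule severities, ranked so failures can be sorted and thresholded.
SEVERITY_RANK = {"unknown": 0, "info": 1, "low": 2, "medium": 3, "high": 4}

# Constructed sample in the shape of a --results file from an image scan.
# Rule ids follow the SSG naming scheme; the rule set, target and score are
# invented for this example and not taken from a real scan.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_RHEL-9">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_cis"
              start-time="2024-01-01T00:00:00" end-time="2024-01-01T00:01:00">
    <profile idref="xccdf_org.ssgproject.content_profile_cis"/>
    <target>c8d01adc0698</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_sudo_installed" severity="medium" weight="1.000000">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium" weight="1.000000">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high" weight="1.000000">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" severity="low" weight="1.000000">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high" weight="1.000000">
      <result>pass</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666667</score>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return a dict summary of the first TestResult in an XCCDF results document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    # iter() also covers the case where TestResult is nested deeper or is the root.
    tr = next(root.iter("{%s}TestResult" % XCCDF_NS), None)
    if tr is None:
        raise ValueError("no TestResult element: not an XCCDF results file")
    profile = tr.find("x:profile", NS)
    target = tr.find("x:target", NS)
    score = tr.find("x:score", NS)
    rules, counts = [], {}
    for rr in tr.findall("x:rule-result", NS):
        result_el = rr.find("x:result", NS)
        result = (result_el.text or "").strip() if result_el is not None else "unknown"
        counts[result] = counts.get(result, 0) + 1
        rules.append({"id": rr.get("idref"), "severity": rr.get("severity", "unknown"),
                      "result": result})
    return {
        "profile": profile.get("idref") if profile is not None else None,
        "target": target.text if target is not None else None,
        "score": float(score.text) if score is not None else None,
        "score_max": float(score.get("maximum")) if score is not None else None,
        "counts": counts,
        "rules": rules,
    }


def failed_rules(summary, min_severity="low"):
    """Rules that failed or errored at or above min_severity, most severe first."""
    floor = SEVERITY_RANK[min_severity]
    hits = [r for r in summary["rules"]
            if r["result"] in ("fail", "error")
            and SEVERITY_RANK.get(r["severity"], 0) >= floor]
    return sorted(hits, key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), r["id"]))


def to_json(summary, min_severity="low"):
    """JSON summary: header fields, result counts and the filtered failure list."""
    out = {k: v for k, v in summary.items() if k != "rules"}
    out["failed"] = failed_rules(summary, min_severity)
    return json.dumps(out, indent=2)


def gate(summary, block_on="high"):
    """Exit status for a pipeline: 1 if any rule at or above block_on failed, else 0."""
    return 1 if failed_rules(summary, block_on) else 0


if __name__ == "__main__":
    # Usage: python scap_summary.py /tmp/results.xml   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    summary = parse_results(text)
    print(to_json(summary))
    sys.exit(gate(summary))
```

The gate deliberately looks at severity rather than the XCCDF score: a score of 66 can hide a single high-severity failure, which is usually the thing a pipeline should stop on.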
References
- this video from RedHat
- Red Hat article on OpenSCAP
- OpenSCAP website: https://www.open-scap.org/
- The source of the ssg family of packages and other SCAP content: https://github.com/ComplianceAsCode/content