Compliance testing, also known as conformance testing, is a non-functional testing technique used to validate whether the developed system meets the organization's prescribed standards. Bahmni cannot provide end-to-end compliance testing for the host machine, as it depends heavily on the implementer's environment. This document provides a guideline for performing compliance testing as per industry standards.

Tool:

...

on your Bahmni server (or any Linux server) using the OpenSCAP tool, to find out whether your server host is affected by newly reported issues, misconfigurations or vulnerabilities.

Tip

For a better understanding of OpenSCAP and SCAP compliance testing, please also refer to the following resources:

  1. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-compliance_and_vulnerability_scanning

  2. https://cromwell-intl.com/cybersecurity/openscap.html

  3. https://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

OpenSCAP open-source tool

OpenSCAP can be used to check the security configuration settings of a system and to examine the system for signs of compromise, using rules based on standards and specifications.

OpenSCAP uses SCAP, a suite of specifications maintained by NIST. SCAP was created to provide a standardized approach to maintaining system security. New specifications are governed by NIST's SCAP release cycle in order to provide a consistent and repeatable revision workflow. OpenSCAP mainly processes XCCDF, which is a standard way of expressing checklist content and defining security checklists. It also combines with other specifications such as CPE, CCE and OVAL to create a SCAP-expressed checklist that can be processed by SCAP-validated products.

Using OpenSCAP with CentOS 7:

...

Installation:

Code Block
yum install openscap-scanner scap-security-guide   # scap-security-guide provides the SSG data-stream content

...

The SCAP content will be installed in /usr/share/xml/scap/ssg/content/.

Running Compliance Test:

To use OpenSCAP on a Bahmni host, we need the SCAP data-stream files, which are listed under /usr/share/xml/scap/ssg/content

...

Code Block
oscap xccdf eval \
 --profile xccdf_org.ssgproject.content_profile_standard \
 --results-arf arf.xml \
 --report report.html \
 --fetch-remote-resources \
 /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

Analyzing Results:

A report is generated after running the test, with the name that was passed as an argument in the command above (report.html in this case).

A human-readable report (report.html) is generated, as well as a machine-readable ARF results file (arf.xml in the command above). Both files hold information about the vulnerability status of the scanned system. They map RHSAs to CVEs and report which security advisories have not been applied to the scanned system. CVE identifiers are linked to the National Vulnerability Database, where additional information such as the CVE description, CVSS score and CVSS vector is stored.
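The following Python helper is an added example (it is not part of the Bahmni documentation or of OpenSCAP). It reads the machine-readable results written by the command above, either the ARF file or a plain XCCDF results file, and lists the rules that need attention, most severe first. Outcomes of error and unknown are deliberately grouped with fail, because a check that did not run is not evidence that the host passed it. The embedded sample document and its rule ids are constructed for illustration; on a real host, point load_rule_results at the arf.xml that oscap wrote.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: a trimmed-down ARF document of the kind oscap writes to
# the --results-arf file, with an embedded XCCDF 1.2 TestResult. The rule ids
# are illustrative, not real SSG rule names.
SAMPLE_ARF = """<?xml version="1.0" encoding="UTF-8"?>
<arf:asset-report-collection
    xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <arf:reports>
    <arf:report id="xccdf1">
      <arf:content>
        <xccdf:TestResult id="xccdf_org.open-scap_testresult_sample">
          <xccdf:profile idref="xccdf_org.ssgproject.content_profile_standard"/>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_sample_sshd_root_login" severity="high">
            <xccdf:result>fail</xccdf:result>
          </xccdf:rule-result>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_sample_selinux_enforcing" severity="high">
            <xccdf:result>pass</xccdf:result>
          </xccdf:rule-result>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_sample_aide_installed" severity="medium">
            <xccdf:result>fail</xccdf:result>
          </xccdf:rule-result>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_sample_password_max_age" severity="medium">
            <xccdf:result>pass</xccdf:result>
          </xccdf:rule-result>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_sample_firewalld_enabled" severity="low">
            <xccdf:result>error</xccdf:result>
          </xccdf:rule-result>
          <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_sample_usb_guard" severity="medium">
            <xccdf:result>notapplicable</xccdf:result>
          </xccdf:rule-result>
          <xccdf:score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</xccdf:score>
        </xccdf:TestResult>
      </arf:content>
    </arf:report>
  </arf:reports>
</arf:asset-report-collection>
"""

# Outcomes a reviewer must act on. 'error' and 'unknown' are not failures, but
# they mean the check did not run properly, so they must not be read as passes.
NEEDS_ATTENTION = {"fail", "error", "unknown"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def _local(tag):
    """Strip the XML namespace so the parser works on plain XCCDF results
    files and on ARF wrappers alike, whatever prefix oscap used."""
    return tag.rsplit("}", 1)[-1]


def parse_rule_results(xml_text):
    """Return one dict per <rule-result> element found anywhere in the document."""
    root = ET.fromstring(xml_text)
    results = []
    for el in root.iter():
        if _local(el.tag) != "rule-result":
            continue
        outcome = "unknown"
        for child in el:
            if _local(child.tag) == "result" and child.text:
                outcome = child.text.strip()
        results.append({
            "rule": el.get("idref", ""),
            "severity": el.get("severity", "unknown"),
            "result": outcome,
        })
    return results


def load_rule_results(path):
    """Same as parse_rule_results, but reading an oscap output file from disk."""
    with open(path, encoding="utf-8") as fh:
        return parse_rule_results(fh.read())


def count_outcomes(results):
    """Counter of result values (pass, fail, error, notapplicable, ...)."""
    return Counter(r["result"] for r in results)


def needs_attention(results):
    """Failing or erroring rules, most severe first, then by rule id."""
    todo = [r for r in results if r["result"] in NEEDS_ATTENTION]
    todo.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["rule"]))
    return todo


def summarize(results):
    """Plain-text summary of the kind a ticket or CI log would carry."""
    counts = count_outcomes(results)
    lines = ["outcome counts: " + ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))]
    for r in needs_attention(results):
        lines.append(f"[{r['severity']:<6}] {r['result']:<5} {r['rule']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real host: print(summarize(load_rule_results("arf.xml")))
    print(summarize(parse_rule_results(SAMPLE_ARF)))
```

Because the parser matches elements by local name rather than by namespace prefix, the same function works on the ARF output of --results-arf and on a plain --results file; the rule-result element and its idref and severity attributes are the same in both.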

...

Implementing the fixes:

The HTML report gives remediation suggestions for each failed rule in the profile. Implementing these suggestions hardens the host system against the reported vulnerabilities and misconfigurations.

...
