
Compliance testing, also known as conformance testing, is a non-functional testing technique used to validate whether a system meets the organisation's prescribed standards. This document is a guideline for running compliance tests against industry-standard baselines on your Bahmni server (or any Linux server) with the OpenSCAP tool, to find out whether the host is misconfigured, missing hardening settings, or otherwise vulnerable to newly reported issues.

OpenSCAP open-source tool

OpenSCAP can be used to check the security configuration settings of a system, and to examine the system for signs of compromise, using rules based on published standards and specifications.

OpenSCAP implements SCAP (Security Content Automation Protocol), a family of specifications maintained by NIST. SCAP was created to provide a standardised approach to maintaining system security; new specification versions follow NIST's SCAP release cycle so that revisions are consistent and repeatable. OpenSCAP mainly processes XCCDF (Extensible Configuration Checklist Description Format), the standard way of expressing checklist content, and combines it with the related specifications CPE (platform naming), CCE (configuration identifiers) and OVAL (the language in which the individual checks are written) into a SCAP-expressed checklist that any SCAP-validated product can process.

Using OpenSCAP with CentOS 7:


Installation:

yum install openscap-scanner

The above command installs the OpenSCAP scanner on RHEL 6, RHEL 7, CentOS 6 and CentOS 7 (the package comes from the base repositories, so no extra repository is needed).

Installation can be confirmed by running:

oscap -V

Before using the oscap tool you must have some SCAP content on your system. Content can be downloaded from the respective vendor web sites, but in the following sections we use the SCAP Security Guide (SSG) project, which ships ready-made profiles for RHEL/CentOS. You can build it from source or install it with the package manager:

yum install scap-security-guide

The SCAP content will be installed in /usr/share/xml/scap/ssg/content/.

Running Compliance Test:

For Bahmni we use the SSG data stream files listed under /usr/share/xml/scap/ssg/content (a data stream bundles the XCCDF checklist, OVAL definitions and CPE dictionary into one file, so a single path is all oscap needs).

One capability of oscap is to display information about the SCAP content within a file. The oscap info command shows the internal structure of a SCAP document: the document type, specification version, status, the date the document was published (Generated), the date it was copied to the file system (Imported), and the list of profiles it contains.

Example:

oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

The output lists the available profiles, each with a title and an ID, for example:

    Profile
        Title: Standard System Security Profile for Red Hat Enterprise Linux 7
        Id: xccdf_org.ssgproject.content_profile_standard

The compliance test is then run against one of these profile IDs. Run it as root, because many rules read files (for example /etc/shadow or sshd_config) that an unprivileged user cannot:

oscap xccdf eval \
 --profile xccdf_org.ssgproject.content_profile_standard \
 --results-arf arf.xml \
 --report report.html \
 --fetch-remote-resources \
 /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

--fetch-remote-resources lets oscap download any OVAL content the data stream references by URL, so the host needs outbound network access for it; omit the flag on an isolated server and those checks are reported as notchecked. The exit status is worth capturing in scripts: oscap returns 0 when every rule passed, 2 when at least one rule failed, and 1 on an error such as unreadable content.

Analyzing Results:

The scan writes the files named in the command: report.html in this case, plus arf.xml.

report.html is the human-readable report and arf.xml is the machine-readable result (Asset Reporting Format, which wraps the XCCDF TestResult). Both record the outcome of every rule in the profile (pass, fail, notapplicable, notchecked or error) together with the rule's severity and a final score. Note that this is a configuration compliance scan: it reports hardening settings that are not in place, but it does not by itself tell you which security advisories (RHSA) or CVEs are unpatched on the host. That mapping comes from an OVAL vulnerability scan (oscap oval eval run against the distribution vendor's OVAL feed), which is a separate step; in such a report the CVE identifiers link to the National Vulnerability Database, where the CVE description, CVSS score and vector are kept.

Implementing the fixes:

For every failed rule the HTML report gives a description, the rationale, and where SSG provides one, a remediation snippet. Applying these hardens the host against the misconfigurations the profile covers. OpenSCAP can also emit all the remediations for a profile as one script (oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_standard --fix-type bash --output remediation.sh /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml), or apply them in place when --remediate is added to the eval command. Review such a script before running it on a Bahmni server: remediations like disabling services, tightening firewall rules or enforcing password policy can break a running installation, so test them on a staging host first and re-run the scan afterwards to confirm the rules now pass.
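The HTML report is convenient to read, but for a repeatable check (for example, a nightly job on the Bahmni host) it is more useful to read arf.xml directly and fail the job when a rule of a given severity is still failing. The script below is an added example written for this page, not part of Bahmni or OpenSCAP; it parses the XCCDF 1.2 TestResult that both results.xml and arf.xml contain, summarises the outcomes, lists failed rules by severity, and returns an exit code that mirrors oscap's own convention (0 all pass, 2 at least one failure). The embedded ARF document is a constructed, trimmed sample; the rule IDs in it follow the SSG naming scheme but the results are made up.

```python
#!/usr/bin/env python3
"""Summarise an OpenSCAP XCCDF/ARF result file: which rules failed, by severity.

Added example for the Bahmni compliance-testing page. Assumes XCCDF 1.2 content
(the namespace used by the SSG data streams on CentOS 7).
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
SEVERITY_RANK = {"unknown": 0, "info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample ARF document (not real scan output): a TestResult nested
# inside arf:report/arf:content exactly as oscap writes it with --results-arf.
SAMPLE_ARF = f"""<?xml version="1.0"?>
<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
  <arf:reports>
    <arf:report id="xccdf1">
      <arf:content>
        <TestResult xmlns="{XCCDF_NS}" id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_standard">
          <profile idref="xccdf_org.ssgproject.content_profile_standard"/>
          <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium" weight="1.0"><result>fail</result></rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" severity="high" weight="1.0"><result>pass</result></rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high" weight="1.0"><result>fail</result></rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" severity="medium" weight="1.0"><result>notapplicable</result></rule-result>
          <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="low" weight="1.0"><result>notchecked</result></rule-result>
          <score system="urn:xccdf:scoring:default" maximum="100.000000">60.000000</score>
        </TestResult>
      </arf:content>
    </arf:report>
  </arf:reports>
</arf:asset-report-collection>
"""


def parse_results(xml_text):
    """Return (TestResult id, list of {rule, severity, result}) from results.xml or arf.xml."""
    root = ET.fromstring(xml_text)
    tag = f"{{{XCCDF_NS}}}TestResult"
    test_result = root if root.tag == tag else root.find(f".//{tag}")
    if test_result is None:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    rows = []
    for rr in test_result.iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        outcome = res.text.strip() if res is not None and res.text else "unknown"
        rows.append({"rule": rr.get("idref"), "severity": rr.get("severity", "unknown"), "result": outcome})
    return test_result.get("id"), rows


def summarize(rows):
    """Count outcomes (pass/fail/notapplicable/...) across all rules."""
    return Counter(r["result"] for r in rows)


def failed_rules(rows, min_severity="low"):
    """Failed rules at or above min_severity, highest severity first, then by rule id."""
    threshold = SEVERITY_RANK.get(min_severity, 0)
    hits = [r for r in rows if r["result"] == "fail" and SEVERITY_RANK.get(r["severity"], 0) >= threshold]
    return sorted(hits, key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), r["rule"]))


def exit_code(rows, min_severity="low"):
    """Mirror oscap: 0 when nothing at/above min_severity failed, 2 otherwise."""
    return 2 if failed_rules(rows, min_severity) else 0


def main(argv):
    # Usage: summarize_scan.py [arf.xml] [min_severity]; with no file the sample is used.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_ARF
    min_severity = argv[2] if len(argv) > 2 else "low"
    result_id, rows = parse_results(text)
    print(f"TestResult id: {result_id}  (pass to 'oscap xccdf generate fix --result-id')")
    for outcome, n in sorted(summarize(rows).items()):
        print(f"  {outcome:14s} {n}")
    for r in failed_rules(rows, min_severity):
        print(f"FAIL [{r['severity']}] {r['rule']}")
    return exit_code(rows, min_severity)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 summarize_scan.py arf.xml high` after the scan to block a deployment only on high-severity failures while still printing the medium and low ones. The TestResult id it prints is the value `oscap xccdf generate fix --result-id` expects when you want a remediation script limited to the rules that actually failed rather than the whole profile.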
