- Overview
- Reference URLs
- install pre-requisites
- install OpenSCAP ver.1.3.5
- download xccdf and oval
- scan by OpenSCAP
- Results
Overview
I knew of SCAP (Security Content Automation Protocol), but I had never used OpenSCAP.
Instructions for installing it with yum are easy to find on the Internet, but there was little information on building it from source, so this time I installed from source.
After installing OpenSCAP I ran a vulnerability scan of a CentOS 7 host I had at hand, but, perhaps because I configured it badly, the report was not something I could make sense of, so whether I will use it going forward is undecided.
OpenSCAP also appears to have a Windows version.
Reference URLs
- OpenSCAP on CentOS 7 - Installing from source - Linux Audit
- OpenSCAP User Manual
- Running security checks with OpenSCAP on CentOS 7 (CentOS 7でOpenSCAPを使ったセキュリティチェックを行う) | 俺的備忘録 〜なんかいろいろ〜
- Evaluating OpenSCAP: installation (OpenSCAPの検証/導入編) - s_tajima:TechBlog
- Evaluating OpenSCAP: practical use (OpenSCAPの検証/実用編) - s_tajima:TechBlog
install pre-requisites
cmake 3.x
$ sudo yum install gcc-c++
$ wget https://github.com/Kitware/CMake/releases/download/v3.21.0/cmake-3.21.0.tar.gz
$ tar -xvf cmake-3.21.0.tar.gz
$ cd cmake-3.21.0
$ ./configure
$ make
$ make test
$ sudo make install
rpm packages
Working through the errors reported by "cmake ..", I ended up installing the following development packages:
$ sudo yum install libacl-devel popt-devel python3-devel swig-devel \
    libxml2-devel libxslt-devel xmlsec1-devel xmlsec1-openssl-devel \
    bzip2-devel rpm-devel GConf2-devel
install OpenSCAP ver.1.3.5
$ wget https://github.com/OpenSCAP/openscap/archive/refs/tags/1.3.5.tar.gz
$ tar -xvf 1.3.5.tar.gz
$ cd openscap-1.3.5/build
$ /usr/local/bin/cmake ..
$ make
$ sudo make install

$ /usr/local/bin/oscap --version
OpenSCAP command line tool (oscap) 1.3.5
Copyright 2009--2021 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
SCAP Version: 1.3
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1

==== Capabilities added by auto-loaded plugins ====
SCE Version: 1.0 (from libopenscap_sce.so.25)

==== Paths ====
Schema files: /usr/local/share/openscap/schemas
Default CPE files: /usr/local/share/openscap/cpe

==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux:-
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Red Hat Enterprise Linux 8 - cpe:/o:redhat:enterprise_linux:8
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Community Enterprise Operating System 8 - cpe:/o:centos:centos:8
Fedora 32 - cpe:/o:fedoraproject:fedora:32
Fedora 33 - cpe:/o:fedoraproject:fedora:33
Fedora 34 - cpe:/o:fedoraproject:fedora:34
Fedora 35 - cpe:/o:fedoraproject:fedora:35

==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family   OVAL object                OpenSCAP probe
----------    ----------                 ----------
independent   environmentvariable        probe_environmentvariable
independent   environmentvariable58      probe_environmentvariable58
independent   family                     probe_family
independent   filehash                   probe_filehash
independent   filehash58                 probe_filehash58
independent   system_info                probe_system_info
independent   textfilecontent            probe_textfilecontent
independent   textfilecontent54          probe_textfilecontent54
independent   variable                   probe_variable
independent   xmlfilecontent             probe_xmlfilecontent
linux         iflisteners                probe_iflisteners
linux         inetlisteningservers       probe_inetlisteningservers
linux         rpminfo                    probe_rpminfo
linux         rpmverify                  probe_rpmverify
linux         rpmverifyfile              probe_rpmverifyfile
linux         rpmverifypackage           probe_rpmverifypackage
linux         selinuxboolean             probe_selinuxboolean
linux         selinuxsecuritycontext     probe_selinuxsecuritycontext
linux         systemdunitdependency      probe_systemdunitdependency
linux         systemdunitproperty        probe_systemdunitproperty
unix          dnscache                   probe_dnscache
unix          file                       probe_file
unix          fileextendedattribute      probe_fileextendedattribute
unix          gconf                      probe_gconf
unix          interface                  probe_interface
unix          password                   probe_password
unix          process                    probe_process
unix          routingtable               probe_routingtable
unix          runlevel                   probe_runlevel
unix          shadow                     probe_shadow
unix          symlink                    probe_symlink
unix          sysctl                     probe_sysctl
unix          uname                      probe_uname
unix          xinetd                     probe_xinetd
download xccdf and oval
$ wget http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml
$ wget http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml
scan by OpenSCAP
On the CentOS 7 guest I used (running on VirtualBox), each of the following commands completes in about 10 minutes.
xccdf - com.redhat.rhsa-all.xccdf.xml
$ /usr/local/bin/oscap --verbose INFO xccdf eval \
    --report openscap_xccdf.html \
    com.redhat.rhsa-all.xccdf.xml ; date
I: oscap: Identified document type: Benchmark
I: oscap: Created a new XCCDF session from a XCCDF Checklist 'com.redhat.rhsa-all.xccdf.xml'.
I: oscap: Identified document type: oval_definitions
<omitted>
Title   RHSA-2021:4622: freerdp security update (Important)
Rule    oval-com.redhat.rhsa-def-20214622
Ident   RHSA-2021:4622
Ident   CVE-2021-41159
Ident   CVE-2021-41160
I: oscap: Evaluating XCCDF rule 'oval-com.redhat.rhsa-def-20214622'.
I: oscap: Evaluating definition 'oval:org.open-scap.cpe.rhel:def:1': Red Hat Enterprise Linux.
I: oscap: Definition 'oval:org.open-scap.cpe.rhel:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:org.open-scap.cpe.rhel:def:5': Red Hat Enterprise Linux 5.
I: oscap: Definition 'oval:org.open-scap.cpe.rhel:def:5' evaluated as false.
I: oscap: Evaluating definition 'oval:org.open-scap.cpe.rhel:def:6': Red Hat Enterprise Linux 6.
I: oscap: Definition 'oval:org.open-scap.cpe.rhel:def:6' evaluated as false.
I: oscap: Evaluating definition 'oval:org.open-scap.cpe.rhel:def:7': Red Hat Enterprise Linux 7.
I: oscap: Definition 'oval:org.open-scap.cpe.rhel:def:7' evaluated as false.
I: oscap: Evaluating definition 'oval:org.open-scap.cpe.rhel:def:8': Red Hat Enterprise Linux 8.
I: oscap: Definition 'oval:org.open-scap.cpe.rhel:def:8' evaluated as false.
I: oscap: Rule 'oval-com.redhat.rhsa-def-20214622' is not applicable.
Result  notapplicable
I: oscap: Identified document type: oval_definitions
W: oscap: Exporting ARF from XCCDF 1.1 is not allowed by SCAP specification. The resulting ARF will not validate. Convert the input to XCCDF 1.2 to get valid ARF results. The xccdf_1.1_to_1.2.xsl transformation that ships with OpenSCAP can do that automatically.
Sun Nov 14 19:34:26 JST 2021

Two things in this log explain the report. First, the rule was skipped as "notapplicable" because every Red Hat Enterprise Linux CPE definition (oval:org.open-scap.cpe.rhel:def:1 through def:8) evaluated as false on this host: the RHSA content is written for RHEL, and the platform check looks for the redhat-release package, which a CentOS host does not have (it ships centos-release), so the RHSA rules never evaluate and the report carries no pass/fail findings. Second, the warning at the end is unrelated to the scan itself: com.redhat.rhsa-all.xccdf.xml is XCCDF 1.1 content, so oscap cannot produce valid ARF from it; running the file through the xccdf_1.1_to_1.2.xsl stylesheet that OpenSCAP ships, as the message suggests, removes the warning.
oval - com.redhat.rhsa-all.xml
$ /usr/local/bin/oscap --verbose INFO oval eval \
    --report com.redhat.rhsa-all.html \
    com.redhat.rhsa-all.xml ; date
I: oscap: Identified document type: oval_definitions
I: oscap: Created a new OVAL session from input file 'com.redhat.rhsa-all.xml'.
<omitted>
I: oscap: No item matching object 'oval:com.redhat.rhba:obj:20070304011' was found on the system. (flag=does not exist)
I: oscap: Test 'oval:com.redhat.rhba:tst:20070304021' evaluated as false.
I: oscap: Evaluating rpminfo test 'oval:com.redhat.rhba:tst:20070304022': kernel-xenU-devel is signed with Red Hat master key.
I: oscap: Test 'oval:com.redhat.rhba:tst:20070304022' evaluated as false.
I: oscap: Definition 'oval:com.redhat.rhba:def:20070304' evaluated as true.
Definition oval:com.redhat.rhba:def:20070304: true
I: oscap: OVAL agent finished evaluation.
I: oscap: OVAL evaluation successfully finished.
Evaluation done.
Sun Nov 14 19:46:57 JST 2021
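Before reading the HTML report, the tally of rule results is what tells you whether a scan said anything at all; on this host it would show every RHSA rule ending as notapplicable, which is the situation in the XCCDF log above. The script below is an added example written for this post, not code from the original post or from the OpenSCAP project. It assumes the scan was run with the real "--results results.xml" option of "oscap xccdf eval" (the commands above use only "--report") and reads that file with nothing but POSIX sh, grep, sed, sort and uniq. The results file it falls back to when run without arguments is constructed for the example; only the first rule id in it comes from the log above.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSCAP): tally the
# per-rule results that "oscap xccdf eval --results results.xml ..." writes,
# so a scan in which every rule came out notapplicable is obvious in one
# line instead of being buried in a long HTML report.

# Which XCCDF version the document declares, taken from its namespace URI.
# 1.1 content (like com.redhat.rhsa-all.xccdf.xml) triggers the ARF warning
# seen in the scan log; 1.2 content does not.
xccdf_version() {
    if grep -q 'http://checklists.nist.gov/xccdf/1\.2' "$1"; then
        echo 1.2
    elif grep -q 'http://checklists.nist.gov/xccdf/1\.1' "$1"; then
        echo 1.1
    else
        echo unknown
    fi
}

# Print every <result> value in the file, one per line. Handles both the
# default-namespace form (<result>) and the prefixed form (<xccdf:result>).
rule_results() {
    grep -oE '<(xccdf:)?result>[a-z]+<' "$1" \
        | sed -E 's/<(xccdf:)?result>//; s/<$//'
}

# Number of rules whose result is $2 (pass, fail, notapplicable, ...).
# grep -c exits 1 when the count is 0, hence the "|| true".
count_result() {
    rule_results "$1" | grep -c "^$2\$" || true
}

# Per-result tally, most common first.
summarize_results() {
    rule_results "$1" | sort | uniq -c | sort -rn
}

# Exit status 0 when every evaluated rule was notapplicable, i.e. the content
# never matched the platform and the scan says nothing about the host.
all_notapplicable() {
    total=$(rule_results "$1" | wc -l | tr -d ' ')
    na=$(count_result "$1" notapplicable)
    [ "$total" -gt 0 ] && [ "$total" -eq "$na" ]
}

# Constructed sample of what oscap writes to --results. The first rule id is
# the one from the scan log above; the remaining ids are made up.
write_sample() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="com.redhat.rhsa-all">
  <TestResult id="xccdf_org.open-scap_testresult_default-profile">
    <rule-result idref="oval-com.redhat.rhsa-def-20214622"><result>notapplicable</result></rule-result>
    <rule-result idref="example-rule-2"><result>notapplicable</result></rule-result>
    <rule-result idref="example-rule-3"><result>notapplicable</result></rule-result>
    <rule-result idref="example-rule-4"><result>pass</result></rule-result>
    <rule-result idref="example-rule-5"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
EOF
}

# Usage: ./summarize.sh results.xml  (uses the constructed sample if no file is given)
results=${1:-}
created=0
if [ -z "$results" ]; then
    results=$(mktemp)
    write_sample "$results"
    created=1
fi
echo "XCCDF version: $(xccdf_version "$results")"
summarize_results "$results"
if all_notapplicable "$results"; then
    echo "WARNING: every rule was notapplicable; the content did not match this platform"
fi
[ "$created" -eq 1 ] && rm -f "$results"
```

To use it on a real scan, rerun the xccdf eval command above with "--results results.xml" added and pass that file to the script. For the ARF warning, convert the 1.1 content with xsltproc before scanning; with the source build described here the stylesheet is expected under the OpenSCAP share directory next to the schemas path printed by "oscap --version", i.e. /usr/local/share/openscap/xsl/xccdf_1.1_to_1.2.xsl (an assumption based on the default install prefix; check the path on your host).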
Results
Perhaps because I configured it badly, the report was not something I could make sense of, so whether I will use it going forward is undecided.
xccdf - com.redhat.rhsa-all.xccdf.xml
https://end0tknr.github.io/sandbox/openscap/openscap_xccdf.html
oval - com.redhat.rhsa-all.xml
https://end0tknr.github.io/sandbox/openscap/com.redhat.rhsa-all.html