Hardening
Hi guys, this is not a complete list for hardening but compiles a set of things I usually use in my hardening exercises.
This exercise will cover the basics of SCAP (Security Content Automation Protocol) and using OpenSCAP to harden our Linux-based OS. We will show you how easy it is to proactively scan and lock down our systems to ensure they are hardened to best practices using the SCAP Security Guide.
In short, the SCAP standard consists of these components: XCCDF, OVAL, DataStream, ARF, CPE, CVE, CWE. In this article we will use the OVAL format for the assessment, driven by an XCCDF checklist, as well as CPE for identifying the packages installed on the host system. A brief summary of these components is as follows:
OVAL: The Open Vulnerability and Assessment Language is a declarative language for making logical assertions about the state of an endpoint system.
XCCDF: The eXtensible Configuration Checklist Description Format is a language to express, organize, and manage security policies. It is the basic building block of security policy.
CPE: The Common Platform Enumeration is a structured naming scheme used to identify information technology systems, platforms, and packages. It is used to uniquely identify a “platform” of software, hardware, or application.
Firstly, let’s install openscap, openscap-utils and scap-security-guide on CentOS (it can be run on many variants of Linux such as RHEL, Ubuntu, Debian and so on):
Once installed, the SCAP Security Guide will include a set of pre-defined checklists we can make use of, available in the SCAP Security Guide content directory. Let’s list the available XCCDF checklists we can take advantage of:
We will scan our system against “ssg-centos7-xccdf.xml”. We can inspect this checklist:
As you can see above, the checklist contains a set of profiles we can assess our system against. For example, if this was a host that needed to be in compliance with PCI-DSS or RHEL7 DISA STIG, we can use these profiles in our assessment and check for compliance.
Now we can run our scan. We will execute the following command:
Once run, the system will be assessed based on the options above. We defined:
“standard” profile
“ssg-centos7-xccdf.xml” checklist
“ssg-rhel7-cpe-dictionary.xml” CPE dictionary which will download the OVAL tests to be run
The output is a configuration assessment report stored as an HTML file in the local directory, named by the value “$(hostname)-scap-report-$(date +%Y%m%d)-after.html”.
We can view this HTML file and assess the output to determine the changes we need to make on our system. It will give us a score and, for each issue identified, provide an explanation as well as scripts that can be run to rectify it.
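To triage the same findings from a script instead of reading the HTML report, the example below (added here, not part of the original write-up) parses an XCCDF results file and lists the failed rules by severity. It assumes the scan was also run with oscap's `--results` option to write the results as XML; the embedded sample, its rule ids and its score are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of an XCCDF results file; rule ids and score are made up.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-sample">
 <TestResult id="constructed-standard-profile-run">
  <rule-result idref="example_rule_sshd_disable_root_login" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="example_rule_accounts_no_empty_passwords" severity="high"><result>fail</result></rule-result>
  <rule-result idref="example_rule_ensure_gpgcheck_activated" severity="high"><result>pass</result></rule-result>
  <rule-result idref="example_rule_partition_for_tmp" severity="low"><result>notselected</result></rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100.000000">33.333332</score>
 </TestResult>
</Benchmark>"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "unknown": 3, "info": 4}

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files parse the same way."""
    return tag.rsplit("}", 1)[-1]

def summarize(xml_text):
    """Return (score, result counts, failed rules sorted by severity then id)."""
    root = ET.fromstring(xml_text)
    # Use the first TestResult element found in the document.
    run = next((e for e in root.iter() if local(e.tag) == "TestResult"), None)
    if run is None:
        raise ValueError("no TestResult element: is this an XCCDF results file?")
    counts, failed, score = Counter(), [], None
    for child in run:
        name = local(child.tag)
        if name == "score":
            score = float(child.text)
        elif name == "rule-result":
            result = next(c.text.strip() for c in child if local(c.tag) == "result")
            counts[result] += 1
            if result == "fail":
                failed.append((child.get("severity", "unknown"), child.get("idref")))
    failed.sort(key=lambda f: (SEVERITY_ORDER.get(f[0], 9), f[1]))
    return score, dict(counts), failed

if __name__ == "__main__":
    score, counts, failed = summarize(SAMPLE_RESULTS)
    print(f"score={score:.1f} counts={counts}")
    for severity, rule in failed:
        print(f"{severity:<7} {rule}")
```

Rules reported as notselected or notapplicable are counted but never listed as failures, so the failed list is the actual remediation queue for the chosen profile.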
SCAP Compliance Checker (SCC) version 5.4 is officially released, and for the first time SCC will be available to the general public, not just government employees and contractors.
How to create tailored profiles and import in another instance:
Start to edit the target profile.
Copy the tailored file from: C:\Program Files\SCAP Compliance Checker 5.4\Resources\Content\XCCDF_Tailoring
Create the dir: C:\Program Files\SCAP Compliance Checker 5.4\Resources\Content\XCCDF_Tailoring on the target instance
Import the tailored file
Export the options.xml file (FILE > Save Options as)
Import the options.xml file into the target instance.
Why not use LinEnum?