OpenScap Security Guide

What is the SCAP Standard?

Security Content Automation Protocol (SCAP) is not a single standard but rather a collection of open standards. SCAP tool integrates a set of existing standards to create a standardized approach to security automation, configuration, patch checking, compliance and automated configurations. SCAP is managed by the National Institute of Standards and Technology (NIST).

The key components of the SCAP Security Guide package include:

Common Vulnerabilities and Exposures (CVE): serves as a list of publicly known security weaknesses and risks. Each specific vulnerability is recognized through a unique CVE identifier.

Common Configuration Enumeration (CCE): acts as a guide for typical security setup problems. This resource assigns standardized labels to different system configurations.

Common Platform Enumeration (CPE): a standardized way to name and recognize hardware, operating systems, and applications. CPE assigns a unique identifier to each system setup.

Common Vulnerability Scoring System (CVSS): a structure for evaluating and conveying the features and seriousness of weaknesses and vulnerabilities in software.

Open Vulnerability and Assessment Language (OVAL): a standard for presenting weaknesses in systems and applications, as well as configuration problems and fixes. OVAL enables sharing information on security issues and patch solutions.

Asset Identification (Asset Identification (AI) Standard): It’s a standard for recognizing and organizing assets within a company.

What is OpenScap used for?

OpenSCAP toolkit is a set of open-source tools that implements and enforces the SCAP Standard for hardening. However, OpenSCAP is not a silver bullet and has some limitations. For example, it can be difficult to use for non-technical users, and it may not be suitable for all types of IT systems. Additionally, OpenSCAP may not be as comprehensive as recognized security solutions like CalCom Hardening Suite (CHS).

CHS performs configuration and vulnerability hardening to complex infrastructures to minimize attack surfaces and achieve compliance. It eliminates outages and reduces hardening costs by indicating the impact of a security hardening change on production services. It ensures a resilient, constantly hardened, and monitored server environment.

OpenSCAP vs CIS Benchmarks

OpenSCAP and Center for Internet Security (CIS) serve different roles, with OpenSCAP focusing on SCAP standards, and CIS providing detailed benchmarks for securing IT systems. They can be used together to enhance overall cybersecurity. OpenSCAP is a tool that can be used to implement the CIS benchmarks for hardening. Since the CIS benchmarks are a set of guidelines to secure IT systems they are widely used in the industry.

Is OpenSCAP for Windows?

OpenSCAP is available on Microsoft Windows and various operating systems. OpenSCAP is well-supported on Linux-based systems, and it is commonly used on distributions such as:

Red Hat Enterprise Linux (RHEL): OpenSCAP RedHat is often integrated into the Redhat systems, including RHEL and CentOS.

Fedora: Fedora, being a community-supported distribution related to RHEL, also supports OpenSCAP.

Debian: OpenSCAP is available for Debian-based systems, including Debian itself and Ubuntu.

SUSE Linux Enterprise Server (SLES): OpenSCAP is compatible with SUSE Linux distributions.

Other Linux Distributions: Many other Linux distributions provide OpenSCAP packages through their package management systems.

UNIX: OpenSCAP also has support for UNIX-like operating systems.

Is OpenSCAP free?

OpenSCAP is freely accessible on any platform, just like the CIS Benchmarks. The OpenSCAP project offers tools that are unrestricted in use and can be downloaded and utilized freely. All projects affiliated with OpenSCAP are open source and available for free download and use.

CIS Benchmark for Windows Server 2022 new recommendations

What is the OpenSCAP project?

The OpenSCAP project offers an extensive range of hardening guides, configuration baselines, and tools for assessing vulnerabilities and configuration issues, utilizing SCAP as the protocol for storing the foundational data. Created by the open-source community, OpenSCAP hardening allows a selection of a security policy that aligns with an organization’s needs, irrespective of its size.

What is the difference between OpenSCAP and OpenVAS?

Both OpenSCAP and OpenVAS contribute to the overall security posture of an organization and are both open-source security tools, but they serve different purposes within the realm of cybersecurity. Here are the key differences between OpenSCAP and OpenVAS:

Purpose of OpenSCAP: It is primarily focused on automating security compliance checks, configuration management, and vulnerability management. OpenSCAP is often used to ensure that systems adhere to security policies and standards.

Purpose of OpenVAS: It is a vulnerability scanner designed to identify and assess security vulnerabilities in networks and systems. OpenVAS is more oriented towards actively scanning and finding vulnerabilities within the target environment.

OpenSCAP Functionality: It provides capabilities for configuration compliance checks, measuring security posture, and ensuring that systems are configured securely. It often works with predefined security baselines and policies.

OpenVAS Functionality: It conducts comprehensive vulnerability scans, checking for known security issues, misconfigurations, and potential weaknesses. It helps organizations identify and prioritize vulnerabilities for remediation.

OpenSCAP Components: It includes a set of open standards and tools that support automated security configuration checks, vulnerability assessments, and compliance activities. OpenSCAP integrates with the Security Content Automation Protocol (SCAP) standards.

OpenVAS Components: It consists of a network vulnerability scanner that performs configuration and vulnerability scans on target systems to identify vulnerabilities. OpenVAS includes a database of known vulnerabilities and is often used for penetration testing and security assessments.

OpenSCAP Integration: It is often integrated into security and compliance management frameworks, allowing organizations to automate and standardize security-related tasks.

OpenVAS Integration: It can be integrated into larger security management processes and frameworks, and its results can be used to guide remediation efforts.

What is OpenSCAP Vulnerability Scan?

An OpenSCAP vulnerability scan refers to the process of using the OpenSCAP tool to identify and assess vulnerabilities within a system or network. It aims to determine the security impact and consequences of each detected vulnerability, such as remote code execution, privilege escalation, excessive resource consumption, denial of service, etc.

Continuous vulnerability management necessitates a robust policy. A solid policy involves understanding the computer infrastructure, regular delivery of certified information on known security flaws, quick system security analysis, prompt response, and the ability to automate regular security assessments, regardless of infrastructure complexity.

What is the OpenSCAP library and OpenSCAP Toolkit?

The OpenSCAP library serves as both a programming library and a command-line tool for parsing and assessing each component of the SCAP standard.

This library approach enables the rapid development of new SCAP tools, eliminating the need to invest time in understanding the intricacies of existing file structures.

The OpenSCAP Base hardening tool is designed to analyze and evaluate each component of the SCAP standard on various systems and allows you to perform compliance scanning on a single system.

The command-line tool, known as Oscap, serves as a versatile tool capable of formatting content into documents or scanning the system based on the provided content.

With the oscap tool you can perform configuration and vulnerability scans, validate your SCAP content in line with SCAP standard XML schemas, display basic information about your content, or list profiles in an XCCDF benchmark.

OpenSCAP hardening Steps

Here are the general steps to perform OpenSCAP hardening:

Install OpenSCAP:
- Ensure that OpenSCAP is installed on your system. You can typically install it using your system’s package manager.
Download Security Content:
- Obtain the SCAP Security Guide content for your specific operating system. This content includes security policies and benchmarks that define the secure configuration for the system.
Select a Profile:
- OpenSCAP uses profiles to determine the set of security rules to apply. Choose a profile that matches your security requirements. Common profiles include common, server, and desktop. Each profile has a different set of rules for system hardening.
Scan the System:
- Use the oscap command-line tool to perform a security scan on your system. This tool will evaluate your system against the selected security profile.
  
  oscap xccdf eval --profile <profile> --report <output-report-file> <path-to-security-content>
Remediate Findings:
- Review the scan results to identify security vulnerabilities and non-compliance issues. Develop a plan to remediate these findings, addressing each issue according to the security guidelines.
Apply Remediations:
- Use the oscap tool to apply remediations based on the security content. This may involve modifying configuration files, installing or removing packages, and making other system changes.
  
  oscap xccdf remediate --profile <profile> --result-id <result-id> <path-to-security-content>
Re-scan the System:
- After applying remediations, re-scan the system to ensure that the changes were effective in addressing security vulnerabilities and achieving compliance.
Automate with CHS:
- OpenSCAP needs to be integrated with automation tools for scanning and remediation. CHS can automate the entire hardening process while the operating systems remain constantly monitored and streamlined across multiple servers.
Regularly Update and Review:
- Security policies and benchmarks change over time. Regularly update your security content and review your system configurations to ensure ongoing compliance with the latest security standards.
Documentation:
- Document the hardening process, including the security content used, chosen profiles, and any deviations made to meet specific system requirements. This documentation is valuable for audits and future reference.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.