A simple (but equivalent) format for writing SCAP tests by GovReady.
Security Content Automation Protocol (SCAP) is a set of standards for automated security auditing of computer systems. But writing SCAP tests is a pain. The XCCDF and OVAL formats are cumbersome. easyscap
is a YAML-based representation format for SCAP tests that can be converted into and out of XCCDF 1.2 and OVAL 5.
Before using easyscap
, you'll need to install prerequisities:
sudo apt-get update
sudo apt-get install python3 python3-pip pandoc
sudo pip3 install rtyaml
easyscap
converts XCCDF 1.2 and OVAL into YAML, and vice-versa. To demonstrate converting into YAML, we'll use the Red Hat Enterprise Linux SCAP Security Guide (SSG), which provides test definitions for Red Hat Enterprise Linux. An XCCDF 1.2 file contains the descriptions of tests and several profiles for which tests to run on which systems. It references an OVAL file which defines how the tests are to be executed by a SCAP implementation.
Let's convert the SSG into easyscap
. Actually even SSG doesn't use XCCDF and OVAL directly! They build their XCCDF and OVAL file from small, broken-out XML files. But for this example we'll do the conversion from their complete XCCDF and OVAL files, so you'll need to compile their XCCDF and OVAL files first:
sudo apt-get install git wget unzip libopenscap8 expat xsltproc libxml2-utils python-lxml
git clone git://git.fedorahosted.org/git/scap-security-guide.git
cd scap-security-guide
make rhel6
Now run our import script to convert ssg-rhel6-xccdf-1.2.xml
and ssg-rhel6-oval.xml
into YAML:
./import.py scap-security-guide/RHEL/6/output/ssg-rhel6-xccdf-1.2.xml easy-ssg
Note that the OVAL file is not specified on the command line. It is referenced inside the XCCDF file and we locate it automatically.
This saves the test definitions into a number of files in a directory tree rooted at easy-ssg
. There are two sorts of files created: group files (all named group.yaml
) and rule files.
Group files look like this (this is adapted from output/ssgproject_services/ssh/group.yaml
):
id: xccdf_org.ssgproject.content_group_ssh
title: SSH Server
description: |
The SSH protocol is recommended for remote login and remote file
transfer. SSH provides confidentiality and integrity for data exchanged
between two systems, as well as server authentication, through the use
of public key cryptography.
The implementation included with the system is called OpenSSH, and more
detailed documentation is available from its website, http://www.openssh.org.
Its server program is called `sshd` and provided by the RPM package
`openssh-server`.
rules:
- ssh_server_disabled
- ssh_server_iptables_exception
subgroups:
- ssh_server
The description
field (and rationale
if present) is a Markdown string. The |
character at the start of the field indicates a YAML literal block follows.
The list of subgroups
references other group.yaml
files in subdirectories. The list of rules
references .yaml
files located in the same directory.
The file ssh_server_iptables_exception.yaml
in the same directory looks like this:
id: xccdf_org.ssgproject.content_rule_ssh_server_iptables_exception
severity: low
title: Remove SSH Server iptables Firewall exception (Unusual)
description: |
By default, inbound connections to SSH’s port are allowed. If the SSH
server is not being used, this exception should be removed from the
firewall configuration.
rationale: |
If inbound SSH connections are not expected, disallowing access to the
SSH port will avoid possible exploitation of the port by an attacker.
tests:
- type: ind:textfilecontent54_test
check: all
check_existence: none_exist
object:
ind:path: /etc/sysconfig
ind:filename: iptables
ind:pattern:
operation: pattern match
value: ^-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT$
ind:instance: 1
The metadata (id, title, description, etc) is similar to that of groups. But rules have a severity
field and a tests
field which lists the tests that are run as a part of this rule. The tests are a 1-to-1 mapping from the OVAL test definitions in SSG. You will need to read the OVAL specification to see how to specify tests.
We'll now convert the YAML back to OVAL. (Exporting to XCCDF is not yet implemented.)
./export.py easy-ssg/group.yaml output-oval.xml
This writes output-oval.xml
. Then try running the tests in the file:
oscap oval eval output-oval.xml