diff --git a/DC-compliance-scans b/DC-compliance-scans new file mode 100644 index 0000000..f2fc105 --- /dev/null +++ b/DC-compliance-scans @@ -0,0 +1,9 @@ +MAIN="art-compliance-scans.xml" +ROOTID="art-compliance-scans" + +PROFCONDITION="suse-product" +#PROFCONDITION="suse-product;beta" +#PROFCONDITION="community-project" + +STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2022-ns" +FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2021-ns" diff --git a/images/src/png/example.png b/images/src/png/example.png deleted file mode 100644 index 639a02f..0000000 Binary files a/images/src/png/example.png and /dev/null differ diff --git a/images/src/png/openscap-report-header-example.png b/images/src/png/openscap-report-header-example.png new file mode 100644 index 0000000..f47a480 Binary files /dev/null and b/images/src/png/openscap-report-header-example.png differ diff --git a/images/src/png/openscap-report-rule-details-example.png b/images/src/png/openscap-report-rule-details-example.png new file mode 100644 index 0000000..6d21be5 Binary files /dev/null and b/images/src/png/openscap-report-rule-details-example.png differ diff --git a/images/src/png/openscap-report-rules-example.png b/images/src/png/openscap-report-rules-example.png new file mode 100644 index 0000000..89faa73 Binary files /dev/null and b/images/src/png/openscap-report-rules-example.png differ diff --git a/images/src/png/openscap-report-summary-example.png b/images/src/png/openscap-report-summary-example.png new file mode 100644 index 0000000..fe1165e Binary files /dev/null and b/images/src/png/openscap-report-summary-example.png differ diff --git a/xml/art-compliance-scans.xml b/xml/art-compliance-scans.xml new file mode 100644 index 0000000..17752c4 --- /dev/null +++ b/xml/art-compliance-scans.xml @@ -0,0 +1,648 @@ + + + + %entities; +]> + +
+ + + Running &openscap; compliance scans for &productname; + &productname; + &productnameshort; + + + + + This guide explains how to use &openscap; to run compliance scans on + Enterprise Linux systems registered with &productname; &productnumber;. + + + + + https://github.com/SUSE/doc-liberty/issues/new + documentation,issue + 7 + tahliar + + https://github.com/SUSE/doc-liberty/edit/maintenance/SLL7/xml/ + no + + Running &openscap; compliance scans for &productname; + How to use &openscap; to run compliance scans on systems registered with &productname; &productnumber;. + Run compliance scans for &productname; &productnumber;. + + Auditing + Compliance + + + + 2025-02-28 + + + Initial guide creation + + + + + + + Disclaimer + + &suse; seeks to provide customers with quick and easy guides that can + assist them in maintaining security compliance. Implementation of the + settings contained within this guide without its prior testing in a + non-operational environment is highly discouraged. The developers of + these profiles and documentation have made reasonable efforts to ensure + overall compliance. They assume no responsibility for its use by other + parties, and make no guarantee, expressed or implied, about its quality, + reliability or any other characteristic. + + + + End of general support + + &productname; &productnumber; has reached the end of general support and is now in LTSS + (Long Term Service Support). + + + If you have a &productname; subscription but do not have an + LTSS subscription, you can continue to use your systems. However, + registering new &rhla; &productnumber; or CentOS Linux &productnumber; + systems with the general subscription is no longer supported. + + + To register new &rhla; &productnumber; or CentOS Linux &productnumber; + systems, and to continue receiving new updates for existing systems, you must use an + LTSS subscription. 
+ + + Additionally, the optional &ha; extension is no longer supported with + &productname; &productnumber; LTSS. You must remove this product from your system + before you can register with an LTSS subscription. + + + +
+ Introduction + + &productname; is a technology and support solution for mixed Linux environments. + With a &productname; subscription, you can register and update &rhel; and CentOS Linux. + + + Because &productname; uses its own branding and paths that are different from &rhla; and + CentOS Linux, it also uses different profiles for running compliance scans with &openscap;. + + + SCAP is a framework of specifications that support automated configuration, vulnerability + scanning, and policy compliance evaluation of systems deployed in an organization. + &openscap; is a collection of open source tools that implement the SCAP framework for Linux. + + + &productname; provides the following components in its software update repositories: + + + + + The &openscap; scanner and utilities. + + + + + The &ssg;, a collection of security guidance and baselines from + + to apply against systems for compliance. + + + + + SCAP Workbench, a utility with a graphical user interface for + SCAP content tailoring, editing, and validation. + + + + + This guide describes running compliance scans locally using the oscap + command-line tool. To run scans remotely or with the SCAP Workbench GUI tool, + see the list of . + + + Third-party compliance tools are not supported + + Third-party compliance tools, such as proprietary security scanners and upstream builds + of ComplianceAsCode content, might not recognize &productname; properly + and are not currently supported. + + + + Overview of procedures + + + Review to make sure your + system has the registration and packages required to run compliance scans + with &productname; profiles. + + + + + Choose a profile for running compliance scans in + . + + + + + Run the compliance scan as described in . + If you need to include remote resources in the compliance scan, use + instead. + + + + + Review the report generated by the compliance scan. + shows examples of the main sections + of the report. 
+ + + + + <emphasis>&productname;</emphasis> and <emphasis>SUSE Liberty Linux</emphasis> + or <emphasis>Expanded Support</emphasis> + + &productname; was previously named SUSE Liberty Linux + and &sles; with Expanded Support. During the transition period, some + components might still use one of these names. + + + + Related information + + + OpenSCAP User Manual: + + + + + + &ssg;: + + + + + + ComplianceAsCode README: + + + + + + + Hardening &sle; with &openscap; + + + +
+ +
+ Requirements + + Before running compliance scans, make sure your system meets the following requirements: + + + + + You can log in to the target system as either the &rootuser; user or a user with + sudo privileges. Without &rootuser; access, some tests in the + compliance scan might not run correctly. + + + + + The target system is registered with &productname; as described in one + of the following guides: + + + + + + Registering &rhla; &productnumber; or CentOS Linux &productnumber; with &rmt; + + + + + + Registering &rhla; &productnumber; or CentOS Linux &productnumber; with &suma; + + + + + + + The most recent versions of the following packages are installed: + + + + + sles_es-release-server + + + + + openscap + + + + + openscap-scanner + + + + + scap-security-guide + + + + + Supported <package>scap-security-guide</package> version + + &rhla; 7 and its clones are no longer supported by the upstream + ComplianceAsCode project. Therefore, the most + recent version of scap-security-guide + available from the &productname; LTSS &productnumber; repository is + scap-security-guide-0.1.73-1.el7_9. + + + + Installing these packages might also install additional dependencies. + + + + + The installed packages are provided by &suse;. You can use rpm -qi + to check the vendor. For example: + +&prompt.root;rpm -qi openscap-scanner | grep -i vendor +Vendor : SUSE LLC <https://www.suse.com/> + + You can also check the distribution name. For example: + +&prompt.root;rpm -q --queryformat '%{DISTRIBUTION}\n' openscap +SLES Expanded Support platform + + If the vendor or distribution is different from the output shown above, + reinstall the packages from the &productname; LTSS &productnumber; repository, + and make sure no other repository overrides &productname;. + + + + + SCAP Workbench + + The optional package scap-workbench is also available, + but is not required to run scans locally from the command line. 
+ + + As a security best practice, avoid installing an application software such as + SCAP Workbench on the target system. Instead, install SCAP Workbench on a + client machine and scan the target system remotely. + + +
+ +
+ Choosing an &openscap; compliance profile + + The &ssg; contains the latest set of security polices for Linux systems. Each security policy + includes multiple compliance profiles, which contain sets of rules to test the system against. + Before you can run a compliance scan, you must choose the appropriate compliance profile + for your system. + + + Security policy compatibility + + The security policies are installed in /usr/share/xml/scap/ssg/content/. + For compatibility, builds of the &ssg; for &productname; also provide &rhla; policies in + the same location. + + + + To list the profiles for &productname; &productnumber;, query + the ssg-sles_esp7-ds security policy: + +&prompt.root;oscap info /usr/share/xml/scap/ssg/content/ssg-sles_esp7-ds.xml + + You can use grep to narrow down the results. For example, + to see only CIS profiles, run the following command: + +&prompt.root;oscap info /usr/share/xml/scap/ssg/content/ssg-sles_esp7-ds.xml | grep -i cis + Title: CIS Benchmark for Level 2 - Server + Id: xccdf_org.ssgproject.content_profile_cis + Title: CIS Benchmark for Level 1 - Server + Id: xccdf_org.ssgproject.content_profile_cis_server_l1 + Title: CIS Benchmark for Level 1 - Workstation + Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1 + Title: CIS Benchmark for Level 2 - Workstation + Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2 + + Select the profile to use. You will specify this profile when you run the compliance scan. + + + The output of oscap info also includes a WARNING + if the security policy includes a reference to remote resources from + . Using remote resources in the compliance scan + is not compulsory, but can provide useful data about known security vulnerabilities. + You can continue with either of the following options: + + + + + Ignore the warning and perform the compliance scan without remote resources as + described in . 
+ + + + + Download the remote resources and use them in the compliance scan as described in + . + + + +
+ +
+ Running an &openscap; compliance scan + + After choosing a profile, run a compliance scan on the target system with the + oscap xccdf eval command. Specify the profile as shown in + the following example: + +&prompt.root;oscap xccdf eval \ +--profile xccdf_org.ssgproject.content_profile_cis \ +--report /tmp/report.html \ +--results-arf /tmp/results-arf.xml \ +/usr/share/xml/scap/ssg/content/ssg-sles_esp7-ds.xml + + + + The compliance profile to use for the scan. + + + + + Where to save the HTML report with test results and recommended remediations. + + + + + Where to save the XML report, which can be used later in automation and + report generation. + + + + + The &ssg; policy file that the compliance profile belongs to. + + + + + The compliance scan collects information from the target system and evaluates it against + the rules set by the selected compliance profile. The scan will take some time to complete. + The results of the scan are saved in the specified files and also appear onscreen as shown + in this example snippet: + +[...] +Title Configure auditd Max Log File Size +Rule xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file +Result pass + +Title Configure auditd max_log_file_action Upon Reaching Maximum Log Size +Rule xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action +Result fail +[...] + + When the scan is complete, you can review the report by opening + /tmp/report.html in a browser. See + for an example of + the information provided in the report. + +
+ +
+ Including remote resources in an &openscap; scan + + &productname; provides external OVAL-formatted content for use in scans. This + content is downloaded from + and includes information such as recently addressed security vulnerabilities. You can + automatically download remote resources during a compliance scan with the + --fetch-remote-resources option. + + + + Scans using remote resources take longer to complete and generate much larger reports. + + + + Make sure the machine you run the scan from has access to : + +&prompt.root;nc -zv ftp.suse.com 21 +Connection to ftp.suse.com 21 port [tcp/ftp] succeeded! + + Run a compliance scan on the target system with the + oscap xccdf eval command. Specify the profile and use the option + --fetch-remote-resources as shown in the following example: + +&prompt.root;oscap xccdf eval --fetch-remote-resources \ +--profile xccdf_org.ssgproject.content_profile_cis \ +--report /tmp/report.html \ +--results-arf /tmp/results-arf.xml \ +/usr/share/xml/scap/ssg/content/ssg-sles_esp7-ds.xml + + + + Downloads remote resources from for use in the + compliance scan. + + + + + The compliance profile to use for the scan. + + + + + Where to save the HTML report with test results and recommended remediations. + + + + + Where to save the XML report, which can be used later in automation and + report generation. + + + + + The &ssg; policy file that the compliance profile belongs to. + + + + + The compliance scan collects information from the target system and evaluates it against + the rules set by the selected compliance profile. The scan will take some time to complete. + The results of the scan are saved in the specified files and also appear onscreen as shown + in this example snippet: + +[...] 
+Title Configure auditd Max Log File Size +Rule xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file +Result pass + +Title Configure auditd max_log_file_action Upon Reaching Maximum Log Size +Rule xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action +Result fail +[...] + + When the scan is complete, you can review the report by opening + /tmp/report.html in a browser. See + for an example of + the information provided in the report. + +
+ +
+ Reviewing the &openscap; evaluation report + + The HTML-formatted &openscap; report shows the results of the compliance scan in a + human-readable format. These examples show the main features of the report. + + + + Report header + + + The header of the report shows information about the chosen compliance profile. + +
+ Header of a typical &openscap; report + + + + + + + + + + The header of a typical HTML-formatted report generated by &openscap;. This example + report is titled "Guide to the Secure Configuration of SUSE Liberty Linux 7" and + uses the profile "CIS Benchmark for Level 2 - Server". + + + +
+
+
+ + Compliance and Scoring + + + The Compliance and Scoring section shows a summary of the + scan's results, including the number of passed and failed rules and the severity of + the failures. + +
+ Summary of results in a typical &openscap; report + + + + + + + + + + The Compliance and Scoring section shows a green and red color-coded bar indicating + the number of passed and failed rules. It also shows a color-coded bar indicating the + severity of the failed rules, in this case mostly blue (low) and yellow (medium). + There is also a percentage score of passed rules. This example shows 68.72%. + + + +
+
+
+ + Rule Overview + + + The Rule Overview section shows a list of rules included with the + compliance profile, along with the severity and test result of each rule. This section is + interactive. You can check and uncheck filter options, group rules by different criteria, + search the list with a search bar, and click the rule names to see more details. + +
+ List of rules in a typical &openscap; report + + + + + + + + + + The Rule Overview section shows the full list of rules along with their + severity and test results. Above the list is a group of check boxes for filtering + the rule list, a search bar to search the list, and a drop-down list of different + ways to group the rules in the list. + + + +
+
+
+ + Rule details and remediation + + + Clicking the name of a rule opens a window showing detailed information about that rule. + Depending on the rule, the detail window might also include multiple remediation options. + Click (show) to expand each remediation option. + +
+ Detailed information about a rule in a typical &openscap; report + + + + + + + + + + This example shows details about the rule Verify /boot/grub2/grub.cfg + Permissions, including the result, the time the test ran, the severity of the + rule, clickable references, a description of the rule, and a rationale for the rule. + The bottom of the window has an expandable Remediation Ansible snippet + and Remediation Shell script. + + + +
+
+
+
+ + You can also expand the details for every rule by clicking + Show all result details at the bottom of the report. + +
+ + +
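Review bot: images/src/png/example.png is deleted in the same patch that adds the four openscap-report-*-example.png files, and nothing in the visible lines shows whether other documents still use it. Please confirm that no other XML file in the repository references example.png, and that each of the four figures in xml/art-compliance-scans.xml points at one of the new file names (header, summary, rules, rule-details), so that no figure is left with a missing image.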
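Review bot: In xml/art-compliance-scans.xml, both `oscap xccdf eval` examples run as root and write `--report /tmp/report.html` and `--results-arf /tmp/results-arf.xml`, which places a full list of the system's failed hardening rules under fixed file names in a world-writable directory. Suggest pointing both options at a directory that only root can write to and read, and mentioning that in the callout text for the two options. In the remote-resources section, `nc -zv ftp.suse.com 21` tests only the FTP port; the check should use the port that matches the scheme of the URL oscap downloads from, otherwise it can succeed while the fetch fails or fail while the fetch would work. Smaller points: "security polices" should read "security policies", "an application software such as" should read "application software such as", and the callout list and sample scan output are repeated verbatim in the two scan sections and could be shared rather than duplicated.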