Configuration
Basic usage
To configure the options for OpenSCAP go to ossec.conf, or for more details about specific options, see the OpenSCAP section.
In this example, we configure ThreatLockDown to run OpenSCAP each day, with a timeout of 30 minutes.
<wodle name="open-scap">
<disabled>no</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<content type="xccdf" path="ssg-centos-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
<profile>xccdf_org.ssgproject.content_profile_common</profile>
</content>
</wodle>
Evaluate PCI-DSS compliance on RHEL7
This section describes how to evaluate the Payment Card Industry Data Security Standard (PCI-DSS) compliance on Red Hat Enterprise Linux 7 agents.
Step 1: Configure the agents
Each agent must be properly identified in order to know which policy and profile to execute. To do this, configure <config-profile>
with the desired identifier.
Modify the ossec.conf
file in the agent side to apply the desired profile:
<client>
<server>
<address>10.0.1.4</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>redhat7</config-profile>
</client>
After this, restart the agents to apply the configuration.
# /var/ossec/bin/agent_control -R -a
If you prefer, you can restart a specific agent with option -u <id>
.
Step 2: Configure shared settings
We want to execute the PCI-DSS profile of the SSG RH7 policy only on Red Hat 7 agents.
To do this, modify the /var/ossec/etc/shared/default/agent.conf
file in the manager (assuming that the agent is on the default
group):
<agent_config profile="redhat7">
<wodle name="open-scap">
<content type="xccdf" path="ssg-rhel7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
</content>
</wodle>
</agent_config>
When the agents receive this configuration, they will restart to apply the changes and start the evaluation.
Step 3: See alerts
When the evaluation is complete, you will see the results as OSSEC alerts:
/var/ossec/logs/alerts/alerts.log
** Alert 1463752181.32768: - oscap,rule-result,pci_dss_2.2,
2016 May 20 13:49:41 (RH_Agent) 10.0.1.7->wodle_open-scap
Rule: 81529 (level 5) -> 'OpenSCAP rule failed (severity low).'
oscap: msg: "rule-result", id: "47T7_Qd08gm4y8TSoD53", policy: "ssg-rhel7-ds.xml", profile: "xccdf_org.ssgproject.content_profile_pci-dss", rule_id: "xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout", result: "fail", title: "Set SSH Idle Timeout Interval", ident: "CCE-26611-4", severity: "low".
** Alert 1463752181.33254: - oscap,report-overview,pci_dss_2.2,
2016 May 20 13:49:41 (RH_Agent) 10.0.1.7->wodle_open-scap
Rule: 81542 (level 4) -> 'OpenSCAP Report overview: Score less than 80'
oscap: msg: "report-overview", id: "47T7_Qd08gm4y8TSoD53", policy: "ssg-rhel7-ds.xml", profile: "xccdf_org.ssgproject.content_profile_pci-dss", score: "56.835060" / "100.000000", severity of failed rules: "high": "1", "medium": "9", "low": "34", "n/a": "0".
Wazuh dashboard
Note that each field is extracted to facilitate searches and analysis.
Step 4: Dashboards
Finally, you can explore all results using the OpenSCAP module.
Auditing Security Vulnerabilities of Red Hat Products
The Red Hat Security Response Team provides OVAL definitions for all vulnerabilities (identified by CVE name) that affect Red Hat Enterprise Linux 3, 4, 5, 6, and 7. This enables users to perform a vulnerability scan and diagnose whether a system is vulnerable or not.
Step 1: Configure the agents
Each agent must be properly identified in order to know which policy and profile to execute. To do this, configure <config-profile>
with the desired identifier.
Modify the ossec.conf
file in the agent side to apply the desired profile:
<client>
<server>
<address>10.0.1.4</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>redhat7</config-profile>
</client>
After this, restart the agents to apply the configuration.
# /var/ossec/bin/agent_control -R -a
If you prefer, you can restart a specific agent with option -u <id>
.
Step 2: Configure the manager
We only want to execute the RedHat security policy on Red Hat 7 agents.
To do this, modify the /var/ossec/etc/shared/default/agent.conf
file in the manager (assuming that the agent is on the default
group):
<agent_config profile="redhat7">
<wodle name="open-scap">
<content type="xccdf" path="com.redhat.rhsa-RHEL7.ds.xml"/>
</wodle>
</agent_config>
When the agents receive this configuration, they will restart to apply the changes and start the auditing.
Step 3: See alerts
When the evaluation is completed, you will see the results as OSSEC alerts:
/var/ossec/logs/alerts/alerts.log
** Alert 1463757700.70731: mail - oscap,rule-result,pci_dss_2.2,
2016 May 20 15:21:40 (RH_Agent) 10.0.1.7->wodle_open-scap
Rule: 81531 (level 9) -> 'OpenSCAP rule failed (severity high).'
oscap: msg: "rule-result", id: "I0iLEGFi4iTkxjnL9LWQ", policy: "com.redhat.rhsa-RHEL7.ds.xml", profile: "no-profiles", rule_id: "xccdf_com.redhat.rhsa_rule_oval-com.redhat.rhsa-def-20160722", result: "fail", title: "RHSA-2016:0722: openssl security update (Important)", ident: "RHSA-2016-0722, CVE-2016-0799, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2842", severity: "high".
** Alert 1463757700.71339: - oscap,report-overview,pci_dss_2.2,
2016 May 20 15:21:40 (RH_Agent) 10.0.1.7->wodle_open-scap
Rule: 81540 (level 1) -> 'OpenSCAP Report overview.'
oscap: msg: "report-overview", id: "I0iLEGFi4iTkxjnL9LWQ", policy: "com.redhat.rhsa-RHEL7.ds.xml", profile: "no-profiles", score: "92.617447" / "100.000000", severity of failed rules: "high": "8", "medium": "14", "low": "0", "n/a": "0".
Wazuh dashboard
Note that each field is extracted to facilitate searches and analysis.
Step 4: Dashboards
Finally, you can explore all scan results using the OpenSCAP module.
Overwriting the timeout
It is possible to overwrite the timeout for a specific evaluation:
<wodle name="open-scap">
<timeout>1800</timeout>
<content type="xccdf" path="ssg-centos-7-ds.xml">
<timeout>120</timeout>
</content>
<content type="xccdf" path="ssg-centos-6-ds.xml"/>
</wodle>
Using profiles
We can limit the evaluation to only specific profiles of a policy:
<wodle name="open-scap">
<content type="xccdf" path="ssg-centos-7-ds.xml">
<profile>xccdf_org.ssgproject.content_profile_standard</profile>
<profile>xccdf_org.ssgproject.content_profile_pci-dss</profile>
</content>
<content type="xccdf" path="ssg-centos-6-ds.xml"/>
</wodle>
Using CPE dictionary
You can also optionally specify the CPE dictionary file, which is used to determine which checks are relevant to specific platforms.
<wodle name="open-scap">
<content type="xccdf" path=policy="ssg-centos-7-ds.xml">
<cpe>file.xml</cpe>
</content>
<content type="xccdf" path="ssg-centos-6-ds.xml" />
</wodle>
Using IDs
You can select a specific ID of the datastream file:
<wodle name="open-scap">
<content type="xccdf" path="ssg-centos-7-ds.xml">
<datastream-id>id</datastream-id>
<xccdf-id>id</xccdf-id>
</content>
<content type="xccdf" path="ssg-centos-6-ds.xml" />
</wodle>