OpenScap is a tool that allows you to scan and audit your system for compliance with various security standards, such as CIS (Center for Internet Security) benchmarks. In this blog post, we will use OpenScap to deploy CIS standards on Ubuntu Server 23.04, the same steps can be used with other flavors of Linux such as RHEL
CIS benchmarks are a set of best practices for securing your system against common threats and vulnerabilities. They are divided into two levels: level 1 and level 2. Level 1 items are intended to provide a minimum level of security that can be applied to any system without affecting its functionality. Level 2 items are intended to provide a higher level of security that may have some impact on the system’s performance or usability.
Installing OpenScap on Ubuntu
To use OpenScap to deploy CIS standards on Ubuntu Server 23.04, you will need to install the following packages:
- openscap-scanner: the command line tool for scanning and auditing
- scap-security-guide: the collection of security content that includes CIS benchmarks
- oscap-anaconda-addon: the tool for applying security profiles during installation
You can install them with the following command:
sudo apt install openscap-scanner scap-security-guide oscap-anaconda-addon
Checking the OpenScap Ubuntu Profiles
Once you have installed the packages, you can list the available security profiles with the following command:
sudo oscap info /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml
You should see something like this:
Document type: Source Data Stream
Imported: 2021-05-20T12:34:56
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-ubuntu2004-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
Ref-Id: scap_org.open-scap_cref_ssg-ubuntu2004-xccdf-1.2.xml
Profiles:
xccdf_org.ssgproject.content_profile_cis_level1_server
xccdf_org.ssgproject.content_profile_cis_level2_server
...
Checks:
Ref-Id: scap_org.open-scap_cref_ssg-ubuntu2004-oval.xml
Ref-Id: scap_org.open-scap_cref_ssg-ubuntu2004-cpe-dictionary.xml
Ref-Id: scap_org.open-scap_cref_ssg-ubuntu2004-cpe-oval.xml
As you can see, there are two profiles for CIS level 1 and level 2 server. You can choose which one to apply depending on your security needs and system requirements. For example, you may choose level 1 if you want to have a basic level of security without affecting the system’s functionality too much. You may choose level 2 if you want to have a higher level of security and are willing to accept some trade-offs in performance or usability.
Auditing your Ubuntu Server with OpenScap
To apply a profile, you can use the following command:
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level1_server --report report.html /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml
This command will scan your server against the selected profile and generate a HTML report that should be reviewed to verify compliancy. The report will also provide guidlines on remediating any non-compliant areas of your server, alternatively you can use the –remediate option and OpenScap will automatically try and remediate for you, just remember to run this on a test environment before you deploy into production as this may have a negative impact such as uninstall Apache from a Ubuntu Server configured as a web server.
Once you’ve reviewed your report and confirmed that the –remediate option will not have any negative impacts on your server, you can use the following command:
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level1_server --remediate --report report.html /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml
Once again, we have a HTML report generated that we can use to confirm the servers compliancy and referenced later for any audits.
Using OpenScap to deploy CIS standards on Ubuntu Server 23.04 is a simple and effective way to improve your system’s security posture. You can choose between level 1 and level 2 profiles depending on your security needs and system requirements. You can also customize the profiles or create your own ones using the scap-workbench tool or editing the XML files directly.