ansible-scap

ansible roles for easy SCAP scanning

Overview

This repository provides a demo of easy SCAP scanning using a Free and Open Source tool chain. SCAP (Security Content Automation Protocol) is a government and enterprise endorsed standard for trustworthy checking of both software configuration and known vulnerabilities.

This demo uses Ansible and Vagrant to create a dashboard server with GovReady and the SCAP Security Guide installed that runs the OpenSCAP scanner against a "remote" server. The server is then "hardened" using built-in remediation scripts and the installation of a compliant audit.rules file, and the scan is run again.

Several ansible "roles" (openscap, scap-security-guide, harden, govready) are employed that may be adapted with minor or no modifications for use on local or remote servers.

Demo Requirements

• ansible
• vagrant
• virtualbox (default provider)
• Internet access

Operation

Clone this repository

• git clone https://github.com/openprivacy/ansible-scap.git
• cd ansible-scap

Note: the "inventory" symlink will be broken until vagrant up is run in the first step below.

Run the commands below on the indicated machine

Key:

• Host - the machine which is hosting your Vagrant virtual machines (VMs)
• Dashboard - the VM that will be running scans on a remote server (IP=192.168.56.101)
• Server - the VM that will be scanned and hardened (IP=192.168.56.102)

When prompted for a password for the "vagrant" user, enter "vagrant". In practice, SSH keys should be generated on the 'dashboard' and installed on the 'servers' negating the need for password authentication.

Host: Provision two vagrant machines: dashboard and server

• vagrant up

This creates the two VMs and, in addition, an "vagrant_ansible_inventory" file that will be used in a step below. On most GNU/Linux boxes, this inventory file can be viewed with this command:

• cat .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory

To simplify access, this repository has a symlink "inventory" that points to the above file.

Host: Networking fails until... have you turned it off and on again?

Try:

• ping 192.168.56.101

If that fails, then do:

• vagrant halt
• vagrant up

For some reason, this seems to fix the networking. Magic.

Dashboard: Run the first scan of 'server'

Note: The myfisma/GovReadyfile was set up during provisioning.

• vagrant ssh dashboard
• cd myfisma
• govready scan

Host: Copy your (Host) SSH public key identities to the 'server'

Note: Your port values may be different - check the vagrant-created inventory file

• ssh-copy-id vagrant@localhost -p 2200

This enables the following 'ansible-playbook' command to run...

Host: Update audit rules and issue.txt ('harden' role)

By default this will be part of provision.yml but is separated out here for demo purposes.

• ansible-playbook -i inventory -u vagrant -l server harden.yml

Dashboard: Execute standard remediations suggested by the SSG

• # govready scan # optional to view effect of 'harden'
• govready fix

Dashboard: Run a final scan (and compare)

• govready scan
• # govready compare # not currently working with remote scans

Results

Stock CentOS 7 - results from first scan:

Full HTML Scan Report

• This profile identifies 4 high severity selected controls. OpenSCAP says 2 passing, 1 failing, and 1 notchecked.
• This profile identifies 12 medium severity selected controls. OpenSCAP says 5 passing, 6 failing, and 1 notchecked.
• This profile identifies 44 low severity selected controls. OpenSCAP says 7 passing, 35 failing, and 2 notchecked.

After 'harden' - results from second scan:

Full HTML Scan Report

• This profile identifies 4 high severity selected controls. OpenSCAP says 2 passing, 1 failing, and 1 notchecked.
• This profile identifies 12 medium severity selected controls. OpenSCAP says 5 passing, 6 failing, and 1 notchecked.
• This profile identifies 44 low severity selected controls. OpenSCAP says 33 passing, 9 failing, and 2 notchecked.

After govready fix - results from third scan:

Full HTML Scan Report

• This profile identifies 4 high severity selected controls. OpenSCAP says 2 passing, 1 failing, and 1 notchecked.
• This profile identifies 12 medium severity selected controls. OpenSCAP says 11 passing, 0 failing, and 1 notchecked.
• This profile identifies 44 low severity selected controls. OpenSCAP says 40 passing, 2 failing, and 2 notchecked.

Notes on the three fails in the final report:

• Two fails (CCE-26967-0 & CCE-26971-2) are due to /var/log/ and /var/log/audit/ not being located on a separate partition.
• One fail (CCE-26957-1) is because the Red Hat GPG Key Installed (a holdover from RHEL).

Glossary:

• CCE - Common Configuration Enumeration
• SCAP - Security Content Automation Protocol
• SSG - SCAP Security Guide

Afterword

Standing on the shoulders of giants, I thank the OpenSCAP, SSG and GovReady developers as well as the entire F/OSS stack they run on (and which I use daily).

Now that I understand SCAP and vulnerability scanning in general, I expect that every server I deploy to the InterWebs will have OpenSCAP installed and running for my piece of mind. All that remains is the creation of new content that will provide configuration and vulnerability testing of the sundry applications and operating systems that I will be using.

This project is licensed under the GPL v3.

Work on this project has been supported by CivicActions, Inc.