
Practical Examples

From the document Red Hat Enterprise Linux 7 Security Guide (pages 182-185)


Chapter 6. Compliance and Vulnerability Scanning with OpenSCAP

6.6. Practical Examples

This section demonstrates practical usage of certain security content provided for Red Hat products.

6.6.1. Auditing Security Vulnerabilities of Red Hat Products

Red Hat continuously provides OVAL definitions for their products. These definitions allow for fully automated audit of vulnerabilities in the installed software. To find out more information about this project, see http://www.redhat.com/security/data/metrics/. To download these definitions, run the following command:

~]$ wget http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml

Users of Red Hat Satellite 5 may find the XCCDF part of the patch definitions useful. To download these definitions, run the following command:

~]$ wget http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml

To audit security vulnerabilities for the software installed on the system, run the following command:

~]$ oscap oval eval --results rhsa-results-oval.xml --report oval-report.html com.redhat.rhsa-all.xml

The oscap utility maps Red Hat Security Advisories to CVE identifiers that are linked to the National Vulnerability Database and reports which security advisories are not applied.

Note

Note that these OVAL definitions are designed to only cover software and updates released by Red Hat. You need to provide additional definitions in order to detect the patch status of third-party software.
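The following script is an added example, not part of the Red Hat guide. It reads a results file such as rhsa-results-oval.xml and lists the advisories whose patch definitions evaluated to "true" (the advisory is not applied), together with their CVE references. The embedded sample and all identifiers in it are constructed placeholders.

```python
import sys
import xml.etree.ElementTree as ET

RES = "{http://oval.mitre.org/XMLSchema/oval-results-5}"
DEF = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"

# Constructed sample shaped like an OVAL results file; all ids are placeholders.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
 <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
   <definition id="oval:com.redhat.rhsa:def:1" class="patch" version="1">
    <metadata><title>RHSA-0000:0001: examplepkg security update</title>
     <reference source="CVE" ref_id="CVE-0000-0001"/>
     <reference source="CVE" ref_id="CVE-0000-0002"/></metadata>
   </definition>
   <definition id="oval:com.redhat.rhsa:def:2" class="patch" version="1">
    <metadata><title>RHSA-0000:0002: otherpkg security update</title>
     <reference source="CVE" ref_id="CVE-0000-0003"/></metadata>
   </definition>
  </definitions>
 </oval_definitions>
 <results><system><definitions>
  <definition definition_id="oval:com.redhat.rhsa:def:1" result="true" version="1"/>
  <definition definition_id="oval:com.redhat.rhsa:def:2" result="false" version="1"/>
 </definitions></system></results>
</oval_results>"""

def unapplied_advisories(root):
    """Return (definition id, title, [CVE ids]) for each definition evaluated 'true'."""
    meta = {}
    # Definitions section: advisory title and CVE references per definition id.
    for d in root.iter(DEF + "definition"):
        title = d.findtext(f"{DEF}metadata/{DEF}title", default="")
        cves = [r.get("ref_id") for r in d.iter(DEF + "reference")
                if r.get("source") == "CVE"]
        meta[d.get("id")] = (title, cves)
    hits = []
    # Results section: a patch definition that is 'true' means the fix is missing.
    for r in root.iter(RES + "definition"):
        if r.get("result") == "true":
            title, cves = meta.get(r.get("definition_id"), ("", []))
            hits.append((r.get("definition_id"), title, cves))
    return hits

if __name__ == "__main__":
    # Pass the path to a real results file, or run without arguments for the sample.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    for def_id, title, cves in unapplied_advisories(root):
        print(f"{title}  [{', '.join(cves)}]  ({def_id})")
```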

6.6.2. Auditing System Settings with SCAP Security Guide

The SCAP Security Guide (SSG) project's package, scap-security-guide, contains the latest set of security policies for Linux systems. See the SSG project page to learn how to deploy the package on your system. scap-security-guide also includes guidance for Red Hat Enterprise Linux 7 settings. To inspect the security content available with scap-security-guide, use the oscap info module:

~]$ oscap info /usr/share/xml/scap/ssg/rhel7/ssg-rhel7-ds.xml

The output of this command is an outline of the SSG document and it contains available configuration profiles. To audit your system settings, choose a suitable profile and run the appropriate evaluation command. For example, the following command is used to assess the given system against a draft SCAP profile for Red Hat Certified Cloud Providers:

~]$ oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_rht-ccp --results ssg-rhel7-xccdf-result.xml --report ssg-rhel7-report.html /usr/share/xml/scap/ssg/rhel7/ssg-rhel7-ds.xml
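The following script is an added example, not part of the Red Hat guide. It summarizes a results file such as ssg-rhel7-xccdf-result.xml: the profile used, the count of each rule outcome, and the rules that need follow-up, ordered by severity. It assumes the XCCDF 1.2 namespace; the embedded sample and its rule ids are constructed placeholders.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

X = "{http://checklists.nist.gov/xccdf/1.2}"   # assumption: XCCDF 1.2 content
ATTENTION = {"fail", "error", "unknown"}        # outcomes that need follow-up
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample shaped like the --results output; rule ids are placeholders.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
 <TestResult id="xccdf_example_testresult_1">
  <profile idref="xccdf_org.ssgproject.content_profile_rht-ccp"/>
  <rule-result idref="xccdf_example_rule_a" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_b" severity="high"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_c" severity="low"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_d" severity="medium"><result>notselected</result></rule-result>
  <rule-result idref="xccdf_example_rule_e" severity="high"><result>unknown</result></rule-result>
 </TestResult>
</Benchmark>"""

def summarize(root):
    """Summarize the first TestResult: profile, outcome counts, rules needing attention."""
    tr = next(root.iter(X + "TestResult"), None)
    if tr is None:
        raise ValueError("no TestResult element; was the scan run with --results?")
    profile = tr.find(X + "profile")
    counts, attention = Counter(), []
    for rr in tr.iter(X + "rule-result"):
        outcome = rr.findtext(X + "result", default="unknown")
        counts[outcome] += 1
        if outcome in ATTENTION:
            attention.append((rr.get("severity", "unknown"), rr.get("idref"), outcome))
    # Highest severity first, then by rule id for a stable report.
    attention.sort(key=lambda a: (SEVERITY_ORDER.get(a[0], 3), a[1]))
    return {
        "profile": profile.get("idref") if profile is not None else None,
        "counts": dict(counts),
        "attention": attention,
        "compliant": not attention,
    }

if __name__ == "__main__":
    # Pass the path to a real results file, or run without arguments for the sample.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    report = summarize(root)
    print(report["profile"], report["counts"])
    for severity, rule, outcome in report["attention"]:
        print(f"{severity:8} {outcome:8} {rule}")
    sys.exit(0 if report["compliant"] else 2)
```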

6.7. Additional Resources

For more information about various security compliance fields of interest, see the resources below.

Installed Documentation

oscap(8) — The manual page for the oscap command-line utility provides a complete list of available options and their usage explanation.

scap-workbench(8) — The manual page for the SCAP Workbench application provides basic information about the application as well as some links to potential sources of SCAP content.

Guide to the Secure Configuration of Red Hat Enterprise Linux 7 — An HTML document located in the /usr/share/doc/scap-security-guide-0.1.5/ directory that provides a detailed guide for security settings of your system in the form of an XCCDF checklist.

Online Documentation

The OpenSCAP project page — The home page to the OpenSCAP project provides detailed information about the oscap utility and other components and projects related to SCAP.

The SCAP Workbench project page — The home page to the SCAP Workbench project provides detailed information about the scap-workbench application.

The SCAP Security Guide (SSG) project page — The home page to the SSG project that provides the latest security content for Red Hat Enterprise Linux.

National Institute of Standards and Technology (NIST) SCAP page — This page represents a vast collection of SCAP related materials, including SCAP publications, specifications, and the SCAP Validation Program.

National Vulnerability Database (NVD) — This page represents the largest repository of SCAP content and other SCAP standards based vulnerability management data.

Red Hat OVAL content repository — This is a repository containing OVAL definitions for Red Hat Enterprise Linux systems.

MITRE CVE — This is a database of publicly known security vulnerabilities provided by the MITRE corporation.

MITRE OVAL — This page represents an OVAL related project provided by the MITRE corporation. Amongst other OVAL related information, these pages contain the latest

thousands OVAL definitions.

Red Hat Satellite 5.6 User Guide — This book describes, amongst other topics, how to maintain system security on multiple systems by using OpenSCAP.
