Using SCAP Workbench

6.3. Using SCAP Workbench

SCAP Wo rkbench (scap-workbench) is a graphical utility that allows us e rs to pe rform configuration and vulne rability s cans on a s ingle local or a re mote s ys te m, pe rform re me diation of the s ys te m, and ge ne rate re ports bas e d on s can e valuations . Note that compare d with the o scap command-line utility, SCAP Wo rkbench has only limite d functionality. SCAP Wo rkbench can als o proce s s only s e curity conte nt in the form of XCCDF and data-s tre am file s .

The following s e ctions e xplain how to ins tall, s tart, and utilize SCAP Workbe nch in orde r to pe rform s ys te m s cans , re me diation, s can cus tomization, and dis play re le vant e xample s for the s e tas ks .

6.3.1. Inst alling SCAP Workbench

To ins tall SCAP Wo rkbench on your s ys te m, run the following command as root:

~]# yum install scap-workbench

This command ins talls all package s re quire d by SCAP Workbe nch to function prope rly, including the scap-workbench package that provide s the utility its e lf. Note that re quire d de pe nde ncie s , s uch as the qt and openssh package s , will be automatically update d to the ne we s t available ve rs ion if the package s are alre ady ins talle d on your s ys te m.

Be fore you can s tart us ing SCAP Workbe nch e ffe ctive ly, you als o ne e d to ins tall or import s ome s e curity conte nt on your s ys te m. You can download the SCAP conte nt from the re s pe ctive we b s ite , or if s pe cifie d as an RPM file or package , you can ins tall it from the s pe cifie d location, or known re pos itory, us ing the Yum package manage r.

For e xample , you can ins tall the SCAP Se curity Guide (SSG) package , scap-security-guide, that contains the curre ntly mos t e volve d and e laborate s e t of s e curity police s for Linux s ys te ms . Se e the SSG proje ct page to le arn the e xact s te ps how to de ploy the package on your s ys te m.

Afte r you ins tall the scap-security-guide on your s ys te m, unle s s s pe cifie d othe rwis e , the SSG s e curity conte nt is available unde r the /usr/share/xml/scap/ssg/rhel7/ dire ctory, and you can proce e d with othe r s e curity compliance ope rations .

To find othe r pos s ible s ource s of e xis ting SCAP conte nt that might s uit your ne e ds , s e e Se ction 6.7, “Additional Re s ource s ”.

6.3.2. Running SCAP Workbench

Afte r a s ucce s s ful ins tallation of both, the SCAP Wo rkbench utility and SCAP conte nt, you can s tart us ing SCAP Wo rkbench on your s ys te ms . For running SCAP Wo rkbench from the GNOME Classic de s ktop e nvironme nt, pre s s the Super ke y to e nte r the Activities Overview, type scap-workbench, and the n pre s s Enter. The Super ke y appe ars in a varie ty of guis e s , de pe nding on the ke yboard and othe r hardware , but ofte n as e ithe r the Windows or Command ke y, and typically to the le ft of the Spacebar ke y.

As s oon as you s tart the utility, the SCAP Workbench window appe ars . The SCAP

Workbench window cons is ts of s e ve ral inte ractive compone nts , which you s hould be come familiar with be fore you s tart s canning your s ys te m:

Input f ile

This fie ld contains the full path to the chos e n s e curity policy. You can s e arch for applicable SCAP conte nt on your s ys te m by clicking the Browse button.

Checklist

This combo box dis plays the name of the che cklis t that is to be applie d by the s e le cte d s e curity policy. You can choos e a s pe cific che cklis t by clicking this combo box if more than one che cklis t is available .

T ailo ring

This combo box informs you about the cus tomization us e d for the give n s e curity policy. You can s e le ct cus tom rule s that will be applie d for the s ys te m e valuation by clicking this combo box. The de fault value is (no t ailo ring), which me ans that the re will be no change s to the us e d s e curity policy. If you made any change s to the s e le cte d s e curity profile , you can s ave thos e change s as an XML file by clicking the Save Tailoring button.

Pro f ile

This combo box contains the name of the s e le cte d s e curity profile . You can s e le ct the s e curity profile from a give n XCCDF or data-s tre am file by clicking this combo box. To cre ate a ne w profile that inhe rits prope rtie s of the s e le cte d s e curity profile , click the Customize button.

T arget

The two radio buttons e nable you to s e le ct whe the r the s ys te m to be e valuate d is a local or re mote machine .

Select ed Rules

This fie ld dis plays a lis t of s e curity rule s that are s ubje ct of the s e curity policy.

Hove ring ove r a particular s e curity rule provide s de taile d information about that rule .

Save co nt ent

This me nu allows you to s ave SCAP file s that have be e n s e le cte d in the Input f ile and T ailo ring fie lds e ithe r to the s e le cte d dire ctory or as an RPM package . St at us bar

This is a graphical bar that indicate s s tatus of an ope ration that is be ing pe rforme d.

Online remediat io n

This che ck box e nable s the re me diation fe ature during the s ys te m e valuation. If you che ck this box, SCAP Workbe nch will atte mpt to corre ct s ys te m s e ttings that would fail to match the s tate de fine d by the policy.

Scan

Figure 6.1. SCAP Wo rkbench Windo w

6.3.3. Scanning t he Syst em

The main functionality of SCAP Wo rkbench is to pe rform s e curity s cans on a s e le cte d s ys te m in accordance with the give n XCCDF or data s tre am file . To e valuate your s ys te m agains t the s e le cte d s e curity policy, follow the s e s te ps :

1. Se le ct a s e curity policy by clicking the Browse button and s e arching the re s pe ctive XCCDF or data s tre am file .

Warning

Se le cting a s e curity policy re s ults in the los s of any pre vious tailoring change s that we re not s ave d. To re -apply the los t options , you have to choos e the available profile and tailoring conte nt again. Note that your

pre vious cus tomizations may not be applicable with the ne w s e curity policy.

2. If the s e le cte d SCAP file is a data s tre am file that provide s more than one

che cklis t, you can s e le ct the particular che cklis t by clicking the Checklist combo box.

Warning

Changing the che cklis t may re s ult in a s e le ction of a diffe re nt profile , and any pre vious cus tomizations may not be applicable to the ne w che cklis t.

3. To us e a pre -arrange d a file with cus tomize d s e curity conte nt s pe cific to your us e cas e , you can load this file by clicking on the T ailo ring combo box. You can als o cre ate a cus tom tailoring file by alte ring an available s e curity profile . For more information, s e e Se ction 6.3.4, “Cus tomizing Se curity Profile s ”.

a. Se le ct the (no tailoring) option if you do not want to us e any

cus tomization for the curre nt s ys te m e valuation. This is the de fault option if no pre vious cus tomization was s e le cte d.

b. Se le ct the (open tailoring file...) option to s e arch for the particular tailoring file to be us e d for the curre nt s ys te m e valuation.

c. If you have pre vious ly us e d s ome tailoring file , SCAP Wo rkbench re me mbe rs this file and adds it to the lis t. This s implifie s re pe titive application of the s ame s can.