So I was tasked with implementing OpenSCAP by yesterday. You know the drill. Never used it. So I started looking at it. In hindsight, you might say I jumped ahead and looked at it backwards. I installed the OpenSCAP scanner on a CentOS box and fiddled around until I got a working scan. After getting some successful scans, which presented data in a very unhelpful manner, I was shown a report generated from a preferred (by this party) style of scan. I switched to this method, and was appalled by the low scores I was getting from stock installs. I was scanning to generate reports (html files) and results (xml files), and was getting overall “score ratings” in the 50% range.
Again, in hindsight, this shouldn’t have been super surprising. I was using the DISA STIG profile as a baseline, and that profile includes many nonstandard requirements. Very deep auditing configuration, sensible partition separation, loads of policies to prevent SUID abuse, and more. Yet some of the policies seemed to be showing false positives, meaning they were reporting unfixed but clearly the system was already configured in the way that the policy dictated. So I had to dig deeper.
At first, the questions were “how do I see how this mechanism is doing this check, because clearly it’s doing it wrong?” But there were also a number of policies that don’t apply to my network, and I wanted to find out how to configure them. I could have just read through the very large .xml file and manually edited individual policy definitions to tweak or disable them, but that would take forever.
Enter SCAP Workbench. Simple solution — run it, customize an existing profile (whichever is closest to your desired posture), and run through and disable the policies that aren’t applicable. Then save “customizations only.” It will create an xml file called a “tailoring file,” which you insert where your existing policy .xml lives, and is guaranteed to boost your overall score. Just be careful not to be so lazy that you disable legitimate requirements rather than learning in depth about how to mitigate them properly.
More on this later, this is a continuing process.