More Musings on OpenSCAP

If you come here looking for definitive answers, you’re barking up the wrong hacker. At this point in time, my relationship with OpenSCAP can be summed up with a single photograph:

In other words, don’t consider me an expert source. Consider this a documentation of the learning process. There seems to be no single definitive source or coherent integration guide that covers everything about OpenSCAP. I spent some time searching for ways to scan Ubuntu boxes (my scanning box is CentOS). The CentOS packages, for both the SCAP security guide and the SCAP workbench, don’t include the XML files needed to run Ubuntu scans out of the box. Google is a mixed bag, revealing projects abandoned six years ago, workaround hacks, and the like. Eventually I came across some useful information, and I thought I’d share it.

First, I’m scanning Ubuntu 16.04 boxes along with CentOS boxes. Eventually I found ssg-ubuntu-1604-ds.xml, which contains numerous security profiles for use with OpenSCAP. Running it results in errors — it’s looking for some CPE files that, for some reason, weren’t included in Ubuntu’s SCAP implementation but are required. /usr/share/openscap/openscap-cpe-dict.xml and /usr/share/openscap/openscap-cpe-oval.xml can also be found via Google, once you’re made aware that you need them. They go on the scanned host, while the *ds.xml file goes on the scanner. Once it’s in place, you can load the content into SCAP Workbench and play with it.

I still haven’t figured out why my tailoring files (customization files which are able to override the test profile in order to enable or disable specific tests) are not being honored. Running the command shows the scanner copying the tailoring file into the working directory, but the tests I’m attempting to disable are still run, and still fail. So far the only way around that has been to edit the *ds.xml file itself to disable the checks, and if you’ve ever looked into one, you know it’s a bit of a beast.
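One check worth making before editing the datastream by hand: a tailoring file does not modify the original profile, it defines a new profile (usually the base id with a suffix such as `_customized`) that extends the original, and the scanner only applies the customization if that new profile id is what gets passed to `--profile`. Passing the base profile id with `--tailoring-file` looks exactly like "the tailoring file is copied but ignored". The script below is an added example, not code from the post; it parses a constructed tailoring file in the XCCDF 1.2 format that SCAP Workbench writes, lists the profile id it defines and the rules it turns off, and builds the matching oscap invocation. The profile and rule ids in the sample are made up; the command-line options are the standard ones for `oscap xccdf eval`.

```python
"""Inspect an XCCDF 1.2 tailoring file and build the matching oscap command.

Added example, not part of the original post. The tailoring document below is
constructed for illustration: the profile and rule ids are made up, but the
element names and attributes follow the XCCDF 1.2 tailoring format that
SCAP Workbench produces.
"""
import shlex
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Constructed sample tailoring file (ids are placeholders, not real SSG ids).
SAMPLE_TAILORING = """<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_scap.org.example_tailoring_ubuntu1604">
  <xccdf:benchmark href="ssg-ubuntu-1604-ds.xml"/>
  <xccdf:version time="2018-01-01T00:00:00">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_common_customized"
                 extends="xccdf_org.ssgproject.content_profile_common">
    <xccdf:title>Common profile, customized</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_example_disabled" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_example_enabled" selected="true"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""


def tailoring_profiles(xml_text):
    """Return {profile_id: {"extends": base_id, "disabled": [...], "enabled": [...]}}.

    A tailoring file defines new profile ids that extend a base profile; the
    scanner applies the customization only when one of these new ids is the
    one passed to --profile.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XCCDF_NS}}}Tailoring":
        raise ValueError("not an XCCDF 1.2 Tailoring document")
    profiles = {}
    for prof in root.findall("xccdf:Profile", NS):
        disabled, enabled = [], []
        for sel in prof.findall("xccdf:select", NS):
            # XCCDF treats a missing 'selected' attribute as true.
            is_on = sel.get("selected", "true").lower() == "true"
            (enabled if is_on else disabled).append(sel.get("idref"))
        profiles[prof.get("id")] = {
            "extends": prof.get("extends"),
            "disabled": disabled,
            "enabled": enabled,
        }
    return profiles


def build_oscap_cmd(tailoring_path, profile_id, datastream_path,
                    results_path="results.xml", report_path="report.html"):
    """Build the 'oscap xccdf eval' invocation as an argv list."""
    return [
        "oscap", "xccdf", "eval",
        "--tailoring-file", tailoring_path,
        "--profile", profile_id,
        "--results", results_path,
        "--report", report_path,
        datastream_path,
    ]


def plan_scan(xml_text, tailoring_path, datastream_path):
    """Pick the profile the tailoring defines and return (profile_id, command)."""
    profiles = tailoring_profiles(xml_text)
    if len(profiles) != 1:
        raise ValueError(f"expected one tailored profile, found {len(profiles)}")
    profile_id = next(iter(profiles))
    return profile_id, shlex.join(build_oscap_cmd(tailoring_path, profile_id, datastream_path))


if __name__ == "__main__":
    for pid, info in tailoring_profiles(SAMPLE_TAILORING).items():
        print(f"profile {pid} extends {info['extends']}")
        for rule in info["disabled"]:
            print(f"  disabled: {rule}")
    print(plan_scan(SAMPLE_TAILORING, "tailoring.xml", "ssg-ubuntu-1604-ds.xml")[1])
```

Run it against the tailoring file SCAP Workbench saved and compare the printed `--profile` value with the one in the command you have been running; if they differ, that is the scan with the customization dropped. The same `oscap xccdf eval` command also accepts `--cpe FILE` to point at a CPE dictionary, which is one way to hand it the openscap-cpe-dict.xml mentioned above instead of relying on the default lookup path.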

All in all, it’s a fun learning process, though, and I’m definitely moving forward, so I’m not complaining and neither is my employer.