We thank our friend and contributor Theresa Meiksner for writing and sharing this post!

Wazuh has now integrated OpenSCAP into the brand-new v2.0 release.

I’m presenting this new release on Saturday, April 29th 2017, as part of the Linux Days conference in Graz, Austria. Come and see my talk to find out why Wazuh has integrated OpenSCAP as part of Wazuh v2.0 and how the results of the OpenSCAP definitions and checks can be viewed in your Wazuh environment.

Aligning the company’s infrastructure to comply with specific compliance-requirements usually isn’t a favorite task of any system or security engineer. But the open-source framework OpenSCAP (Open Security Content Automation Protocol) helps to make this task a little easier.

In the german-speaking area there is the “Grundschutz-Standard” (engl. Baseline-Standard of the federal office for security in informationtechnology; short: BSI) that specifies a baseline security recommendation how systems need to be setup and configured securely. Companies and Security experts often reference this guideline to make sure their systems comply with this standard (most often used during security audits).

However, there are other organizations as well that also specify security standards, such as the security-guides of the NSA or the Defense Information Systems Agency (DISA). The latter even provides the so-called Unix Security Technical Implementation Guide (STIG), which essentially is a checklist that aims at providing secure configurations for Linux and UNIX systems.

This security standard for instance specifies how to setup the partition table of a disk or the correct permissions of individual system-specific files should be set.

Single-handedly going through every check is tedious and time-consuming and that is why the National Institute of Standards and Technology (NIST) has come up with a procedure to automate this task. It’s called “Security Content Automation Protocol” (SCAP). SCAP integrates a lot of those standard methods by describing those system configuration files and security management as part of XML files. These XML files can then be parsed with a scanner and be checked against the current system configuration.

SCAP also integrates standards such as CVE, CCE, CPE, CVSS, OVAL and XCCDF.

The Extensible Configuration Checklist Description Format  (XCCDF) helps to define policies that should ensure a secure configuration of IT systems. In order to be able to check against those policies it requires various tests. The Open Vulnerability and Assessment Language (OVAL) describes those testing procedures based on XML files. The OVAL definitions can then either be used “standalone” or also combined with existing XCCDF templates for example for a secure and sane webserver configuration standard running on a Red Hat Enterprise Linux system.

Red Hat as well as other Linux distributions release their patch definitions in the OVAL format, which can then be parsed by a tool called openscap-scanner to scan each system of a company’s environment. This OpenSCAP scanner is open-source software and can be used by everyone.

I must admit that at first it sounds rather complex and overwhelming, but I can promise you that it is all nicely integrated into Wazuh and does the heavy-lifting for you.

Most importantly what people usually want to know is, how this can be used in practice. Here are some use-cases:

  • Prevent Log In to Accounts With Empty Password (high)
  • Disable SSH Access via Empty Passwords (high)
  • Disable SSH Root Login (high)
  • Install the ntp service (high)
  • Enable SSH Warning Banner (medium)
  • Limit Password Reuse (medium)
  • Ensure SELinux State is Enforcing (medium)

So as you can see, just baseline security settings that are important to keep your systems safe. The tags “high” or “medium” specify the importance of each requirement.

I hope you now got an idea what OpenSCAP is and why we have integrated it into Wazuh. If you are at the Linux Days conference (https://www.linuxtage.at) then please come say “hello!”.

By Theresa Meiksner