Getting Started
Considering the rise in cyber security attacks, there is a growing need to bolster security within our networks at the operating system level. This means that every time we deploy a Virtual Workload into our Data Centers, we need to ensure the very foundation is secure and meets NIST and Company policies and standards.
In order to comply with security regulations and policies, we take the following approach:
Create a clean vSphere (or other) Workload from ISO (or use an existing clean Template)
Scan the Workload, on which the Template will be based, using a tool like OpenScap
Generate a report on the compliance
Remediate the issues
Scan again to ensure compliance
Convert to Template, and we’re good to go
The first thing you'll need to do is download OpenSCAP. It can be found at the link below; however, it's also provided in many Linux distro repositories, which means we'll be automating the installation of OpenSCAP with Ansible rather than installing it manually.
https://www.open-scap.org
In this article, I’m using CentOS8 as my foundational Operating System (since it’s close to RHEL), however, OpenScap provides scanning for many operating systems.
Unfortunately, getting OpenSCAP to work on Windows requires a great deal of tinkering and effort, so I'll stick to Linux for the purposes of this article.
The first step, really, is to define which policies you want to use, and which rules within those policies you want to include or omit. There are two main subjects to pay attention to here:
Profiles (sets of predefined rules for an operating system)
Customizations (overrides the inclusion or omission of certain rules within profiles)
In order to define which profile you want to use, and which rules you want to enforce (or omit), you’ll need to download the profiles and then create customization policies.
SCAP Workbench
In order to more easily understand the various facets of OpenSCAP, you can follow these steps:
Create a VM using the operating system you want to scan
Install SCAP Workbench
Load the relevant profile for the OS
Decide which rules to include or omit
Save the customization file(s) for later use
Since I’m using CentOS8 (with GNOME Interface), I simply installed SCAP Workbench using the below command:
yum install scap-workbench
Once installed, launch it from the terminal: scap-workbench
The application will open, and you’ll be prompted to load a profile:
As alluded to before in this article, I’m using CentOS8, so I loaded the CentOS8 content. The next form will show you a list of Profiles to choose from. Since content for CentOS8, at the time of this writing, was still being created and verified, I used the only profile I had available to me.
In order to choose which rules you want to enforce, hit the “Customize” button and you’ll be presented with a form which shows all of the associated rules. It will first prompt you to choose the ID for the profile, for which I just used the recommended, pre-populated Profile ID.
warning!
I have broken a few Workloads already by being overzealous with my security rules.
Heed my warning here: start small and build on from there. I ended up with all sorts of issues where, after reboot, CentOS8 refused to exit Emergency Boot Mode, and I had to redeploy a fresh Workload and start again.
This took many hours of time to figure out. You have been warned :-)
Once you’ve chosen which rules (from the hundreds available) you want to enforce (or, in my case, omit), click on the “OK” button.
Saving your customization
Now that you've hit "OK", you'll be back at the previous form. Click on "File", then "Save All", then "Into a Directory".
Once you’ve saved, you should notice two .XML files present in the directory you chose. Keep these files for later - we’ll use these to scan our VM with Ansible.
In my case, I uploaded these two files into a directory within my Ansible project, which is committed to my git repo.
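As an added example (not code from the original article), here is a small Python script that reads the tailoring file SCAP Workbench just saved, lists which rules the customization switches off, and assembles the oscap command that applies it. The embedded XML is a constructed sample: its profile and rule IDs are placeholders, and the data stream file name is assumed.

```python
# Added example (not from the original post): read the tailoring file SCAP Workbench
# saves and build the oscap command that applies it.  IDs below are placeholders.
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample shaped like the tailoring XML that "Save All -> Into a
# Directory" writes beside the copied data stream; profile/rule IDs are made up.
SAMPLE_TAILORING = """<x:Tailoring xmlns:x="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_scap-workbench_tailoring_default">
  <x:benchmark href="ssg-centos8-ds.xml"/>
  <x:Profile id="xccdf_org.example.content_profile_base_customized"
             extends="xccdf_org.example.content_profile_base">
    <x:title>Base profile (customized)</x:title>
    <x:select idref="xccdf_org.example.content_rule_placeholder_a" selected="false"/>
    <x:select idref="xccdf_org.example.content_rule_placeholder_b" selected="false"/>
    <x:select idref="xccdf_org.example.content_rule_placeholder_c" selected="true"/>
  </x:Profile>
</x:Tailoring>"""


def parse_tailoring(xml_text):
    """Tailored profile ID, the base profile it extends, the data stream it
    points at, and every rule override (idref -> selected) it carries."""
    root = ET.fromstring(xml_text)
    profile = root.find("x:Profile", NS)
    if profile is None:
        raise ValueError("tailoring file carries no Profile element")
    benchmark = root.find("x:benchmark", NS)
    return {
        "profile_id": profile.get("id"),
        "extends": profile.get("extends"),
        "datastream": None if benchmark is None else benchmark.get("href"),
        "overrides": {s.get("idref"): s.get("selected") == "true"
                      for s in profile.findall("x:select", NS)},
    }


def disabled_rules(info):
    """Rules the customization switched off (the 'start small' set)."""
    return sorted(r for r, on in info["overrides"].items() if not on)


def oscap_eval_argv(info, tailoring_path, arf_path, report_path):
    """Scan command applying the customization.  --profile must name the
    customized ID from the tailoring file; oscap follows 'extends' to the base."""
    return ["oscap", "xccdf", "eval", "--profile", info["profile_id"],
            "--tailoring-file", tailoring_path, "--results-arf", arf_path,
            "--report", report_path, info["datastream"]]
```

Run the returned argv with `subprocess.run` on the scanned VM; the ARF file is what a later remediation step consumes, and the HTML report is the one you read.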
In part 2 of this article, we’ll cover the Ansible-specific implementation, where things REALLY start to become impressive. Here’s a teaser:
Install openscap on the remote machine
Scan and generate a report
Generate a remediation playbook on-the-fly (yes, you read correctly)
Dynamically include the tasks and vars from this playbook to automatically remediate the remote machine
Rescan and download the new report