Linux Security Hardening with OpenSCAP and Ansible

In some organizations, Linux systems are audited for security compliance by an external auditor. Remediating the findings and making the systems compliant used to be a matter of manually applying changes or running monolithic scripts. Today, remediation can be fully automated with Ansible, and compliance can be checked with OpenSCAP before the auditor arrives. Below, we’ll see how to do this for Red Hat Enterprise Linux 6.

Security Technical Implementation Guides

If you have done Linux security hardening in the past, you may be familiar with the CIS Security Benchmarks. These are human-readable documents with information about each configuration weakness, commands to check whether the system is configured correctly, and commands to set the right configuration if it is not.

The Security Technical Implementation Guides (STIG) published by the Defense Information Systems Agency (DISA) contain similar information in machine-readable format. There is a graphical utility to view the STIG content, and an OpenSCAP policy to audit a system against the list of vulnerabilities.

On a Linux system, download the RHEL 6 STIG from http://iase.disa.mil/stigs/os/unix-linux/ and extract the ZIP archive. Download the STIG Viewer from http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx

The viewer comes as a JAR file. Trying to run it with java-1.8.0-openjdk-1.8.0.101-1.b14.fc24 on Fedora 24 fails with the following error:

Error: JavaFX runtime components are missing, and are required to run this application

Until https://bugzilla.redhat.com/show_bug.cgi?id=1145303 is fixed, we’ll have to use the Oracle JRE to run the STIG viewer. Download the Linux x64 TAR.GZ from http://www.oracle.com/technetwork/java/javase/downloads/index.html, as root extract it to a directory under /usr/local and then run the STIG viewer with your own account:

export JAVA_HOME=/usr/local/jre1.8.0_101
$JAVA_HOME/bin/java -jar STIGViewer_2.3.jar &

Use File – Import STIG to import the XML file from the extracted STIG ZIP file.

STIG Viewer

Vulnerabilities are divided into three severities (CAT I to III), which can be filtered in the lower left. The same filter box allows you to only show vulnerabilities that contain a string like xinetd.

There also is a Web-based STIG viewer available at https://stigviewer.com/stig/red_hat_enterprise_linux_6/

OpenSCAP Auditing

To audit our RHEL 6 system against the STIG vulnerabilities, we use the OpenSCAP tool and the SCAP Security Guide content shipped by Red Hat in the scap-security-guide package:

yum install openscap openscap-utils scap-security-guide

oscap xccdf eval \
  --profile stig-rhel6-server-upstream \
  --results /tmp/oscap-results.xml \
  --report /tmp/oscap-results.html \
  --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
  /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

Copy the output /tmp/oscap-results.html to your desktop and open it with a browser. The list can be filtered to exclude passed tests, and clicking on a vulnerability shows more information about it.

OpenSCAP Results

Save copies of both the HTML report and the XML results file so you can rerun oscap after applying the STIG remediation and compare the two runs. Note that oscap exits with status 2 when at least one rule fails (0 means every rule passed, 1 means an error occurred), so a script that wraps it should not treat a non-zero exit as a failure of the scan itself.

Ansible Remediation Playbook

Most of the STIG vulnerabilities can be automatically fixed by the Ansible playbook from https://github.com/MindPointGroup/RHEL6-STIG. Clone the Git repository on a system that can connect to the target RHEL 6 systems via SSH. The repository defines an Ansible role, and should be put into a roles directory.

mkdir roles
cd roles
git clone https://github.com/MindPointGroup/RHEL6-STIG.git

The repository contains the remediation tasks, but no playbook to execute them. A simple playbook can be created by putting this into stig.yml at the same directory level as the roles directory:

---
- name: Apply STIG
  hosts: all
  become: yes
  roles:
    - role: RHEL6-STIG
      rhel6stig_cat3: yes
      rhel6stig_cat2: yes
      rhel6stig_other: yes

Create an Ansible inventory file (called hosts below) listing the hosts you want to apply the changes to. Note that the playbook modifies configuration settings on these hosts and might break installed applications and system services. For example, you will no longer be able to log in as root via SSH (STIG V-38613).

[rhel6]
rhel6-1.example.com

Apply the playbook to all hosts in the inventory file with the command below. Ansible’s --check option previews the changes first, although tasks that use the command or shell modules are skipped in that mode, so the preview is not complete.

ansible-playbook -i hosts stig.yml

This will take a while to complete. Once Ansible is done, re-run the oscap command shown above and you should see a higher compliance score and fewer failed OpenSCAP rules.
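Comparing the two HTML reports by eye is tedious, so as an added example (not part of the original post, the SCAP Security Guide or the MindPointGroup role) here is a small Python script that parses the --results XML from the run before and the run after the playbook and lists which rules were fixed, which regressed and which still fail. The rule ids, results and scores embedded in it are constructed sample data in the shape of an XCCDF results document; a real results file contains one rule-result element per benchmark rule.

```python
#!/usr/bin/env python3
"""Compare two OpenSCAP XCCDF result files (before/after remediation).

Added example, not part of the original post. The sample documents built
by _sample() are constructed test data, not real scan output.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF result values that count as a failed check for the comparison
FAILING = {"fail", "error", "unknown"}
DEFAULT_SCORING = "urn:xccdf:scoring:default"


def _local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 documents parse alike."""
    return tag.rsplit("}", 1)[-1]


def parse_results(xml_text):
    """Return ({rule_idref: result}, default_score) from XCCDF results XML."""
    root = ET.fromstring(xml_text)
    rules = {}
    score = None
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "rule-result":
            for child in elem:
                if _local(child.tag) == "result" and child.text:
                    rules[elem.get("idref")] = child.text.strip()
        elif name == "score" and elem.get("system", DEFAULT_SCORING) == DEFAULT_SCORING:
            # oscap may emit several scoring systems; keep only the default one
            score = float(elem.text)
    return rules, score


def compare(before_xml, after_xml):
    """Diff two result documents; only rules present in both runs are compared."""
    before, score_before = parse_results(before_xml)
    after, score_after = parse_results(after_xml)
    fixed, regressed, still_failing = [], [], []
    for rule in sorted(set(before) & set(after)):
        was_failing = before[rule] in FAILING
        is_failing = after[rule] in FAILING
        if was_failing and not is_failing:
            fixed.append(rule)
        elif is_failing and not was_failing:
            regressed.append(rule)
        elif is_failing:
            still_failing.append(rule)
    return {
        "score_before": score_before,
        "score_after": score_after,
        "counts_before": Counter(before.values()),
        "counts_after": Counter(after.values()),
        "fixed": fixed,
        "regressed": regressed,
        "still_failing": still_failing,
    }


def _sample(results, score):
    """Build a minimal XCCDF 1.1 results document (constructed test data)."""
    body = "".join(
        '<rule-result idref="%s"><result>%s</result></rule-result>' % (r, v)
        for r, v in results
    )
    return (
        '<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-6">'
        '<TestResult id="xccdf_org.open-scap_testresult_stig-rhel6-server-upstream">'
        '%s<score system="%s" maximum="100.000000">%s</score>'
        "</TestResult></Benchmark>" % (body, DEFAULT_SCORING, score)
    )


# Constructed before/after runs: one rule fixed, one regressed, one unchanged
BEFORE_XML = _sample([
    ("sshd_disable_root_login", "fail"),
    ("disable_xinetd", "pass"),
    ("file_permissions_etc_shadow", "fail"),
    ("package_aide_installed", "notchecked"),
], "25.000000")
AFTER_XML = _sample([
    ("sshd_disable_root_login", "pass"),
    ("disable_xinetd", "fail"),
    ("file_permissions_etc_shadow", "fail"),
    ("package_aide_installed", "pass"),
], "50.000000")


def main(argv):
    """Usage: compare.py before.xml after.xml (no arguments: built-in sample)."""
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            report = compare(f1.read(), f2.read())
    else:
        report = compare(BEFORE_XML, AFTER_XML)
    print("score: %s -> %s" % (report["score_before"], report["score_after"]))
    for key in ("fixed", "regressed", "still_failing"):
        print("%s (%d): %s" % (key, len(report[key]), ", ".join(report[key])))
    return 1 if report["regressed"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 compare.py before.xml after.xml` with the two --results files; it exits non-zero when a rule that passed before now fails, which is the case you want to catch before the auditor does.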

Not all STIG vulnerabilities can be remediated automatically. The file roles/RHEL6-STIG/tasks/not_automated.yml lists some of those that are skipped.

The playbook can be customized by changing the variables defined in roles/RHEL6-STIG/defaults/main.yml, or by editing the tasks in roles/RHEL6-STIG/tasks/cat1.yml, cat2.yml and cat3.yml.

Given the number of tasks in the playbook, checking the output on the command line can be a bit overwhelming. Importing the playbook into Ansible Tower is easy though, and gives you a nice graphical overview when you run the playbook:

Ansible Tower STIG Playbook
