
ansible-scap

ansible roles for easy SCAP scanning

Overview

This repository provides a demo of easy SCAP scanning using a Free and Open Source tool chain. SCAP (Security Content Automation Protocol) is a government- and enterprise-endorsed standard for trustworthy checking of both software configuration and known vulnerabilities.

This demo uses Ansible and Vagrant to create a dashboard server with GovReady and the SCAP Security Guide installed that runs the OpenSCAP scanner against a "remote" server. The server is then "hardened" using built-in remediation scripts and the installation of a compliant audit.rules file, and the scan is run again.

Several ansible "roles" (openscap, scap-security-guide, harden, govready) are employed that may be adapted with minor or no modifications for use on local or remote servers.

Demo Requirements

Operation

Clone this repository

  • git clone https://github.com/openprivacy/ansible-scap.git
  • cd ansible-scap

Note: the "inventory" symlink will be broken until vagrant up is run in the first step below.

Run the commands below on the indicated machine

Key:

  • Host - the machine which is hosting your Vagrant virtual machines (VMs)
  • Dashboard - the VM that will be running scans on a remote server (IP=192.168.56.101)
  • Server - the VM that will be scanned and hardened (IP=192.168.56.102)

When prompted for a password for the "vagrant" user, enter "vagrant". In practice, SSH keys should be generated on the 'dashboard' and installed on the 'servers' negating the need for password authentication.

Host: Provision two vagrant machines: dashboard and server

  • vagrant up

This creates the two VMs and, in addition, a "vagrant_ansible_inventory" file that will be used in a step below. On most GNU/Linux boxes, this inventory file can be viewed with this command:

  • cat .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory

To simplify access, this repository has a symlink "inventory" that points to the above file.

Host: Networking fails until... have you turned it off and on again?

Try:

  • ping 192.168.56.101

If that fails, then do:

  • vagrant halt
  • vagrant up

For some reason, this seems to fix the networking. Magic.

Dashboard: Run the first scan of 'server'

Note: The myfisma/GovReadyfile was set up during provisioning.

  • vagrant ssh dashboard
  • cd myfisma
  • govready scan

Host: Copy your (Host) SSH public key identities to the 'server'

Note: Your port values may be different - check the vagrant-created inventory file

  • ssh-copy-id vagrant@localhost -p 2200

This enables the following 'ansible-playbook' command to run...
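The note above says the port in the ssh-copy-id command may differ from 2200 depending on what Vagrant assigned. The following added example (not code from the ansible-scap repository) reads the port for a named host out of the Vagrant-generated inventory and builds the ssh-copy-id command line from it, so the value is never guessed. The inventory text in the script is constructed to mirror the format Vagrant's Ansible provisioner writes; the function name inventory_ssh_port and the 2222/2200 ports are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of ansible-scap: look up the SSH port Vagrant
# assigned to a host by reading the inventory file it generates, so the
# ssh-copy-id step uses the real value instead of a guessed "-p 2200".
# The inventory below is constructed to mirror Vagrant's format; a real
# file will differ in key paths and port numbers.

SAMPLE_INVENTORY='# Generated by Vagrant

dashboard ansible_host=127.0.0.1 ansible_port=2222 ansible_user=vagrant ansible_ssh_private_key_file=.vagrant/machines/dashboard/virtualbox/private_key
server ansible_host=127.0.0.1 ansible_port=2200 ansible_user=vagrant ansible_ssh_private_key_file=.vagrant/machines/server/virtualbox/private_key
'

# inventory_ssh_port INVENTORY_FILE HOSTNAME
# Prints the SSH port for HOSTNAME. Accepts both the current "ansible_port="
# key and the legacy "ansible_ssh_port=" key older Vagrant releases wrote.
# Prints nothing and returns 1 when the host or its port is not present,
# so a caller cannot silently fall back to a wrong port.
inventory_ssh_port() {
    inv="$1"; hname="$2"
    port=$(awk -v h="$hname" '
        $1 == h {
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "ansible_port" || kv[1] == "ansible_ssh_port") {
                    print kv[2]; exit
                }
            }
        }' "$inv")
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# copy_id_command INVENTORY_FILE HOSTNAME
# Builds (but does not run) the ssh-copy-id command line for HOSTNAME,
# matching the form used in the README step above.
copy_id_command() {
    port=$(inventory_ssh_port "$1" "$2") || return 1
    printf 'ssh-copy-id vagrant@localhost -p %s\n' "$port"
}

# Stand-alone demonstration against the constructed inventory.
tmp=$(mktemp)
printf '%s' "$SAMPLE_INVENTORY" > "$tmp"
copy_id_command "$tmp" server
copy_id_command "$tmp" dashboard
rm -f "$tmp"
```

Against a real checkout, point the functions at the "inventory" symlink instead of the temporary file; the awk match is on the first whitespace-separated field, so it also works when the host line carries extra variables.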

Host: Update audit rules and issue.txt ('harden' role)

By default this will be part of provision.yml but is separated out here for demo purposes.

  • ansible-playbook -i inventory -u vagrant -l server harden.yml

Dashboard: Execute standard remediations suggested by the SSG

  • # govready scan # optional to view effect of 'harden'
  • govready fix

Dashboard: Run a final scan (and compare)

  • govready scan
  • # govready compare # not currently working with remote scans

Results

Stock CentOS 7 - results from first scan:

Full HTML Scan Report

  • This profile identifies 4 high severity selected controls. OpenSCAP says 2 passing, 1 failing, and 1 notchecked.
  • This profile identifies 12 medium severity selected controls. OpenSCAP says 5 passing, 6 failing, and 1 notchecked.
  • This profile identifies 44 low severity selected controls. OpenSCAP says 7 passing, 35 failing, and 2 notchecked.

After 'harden' - results from second scan:

Full HTML Scan Report

  • This profile identifies 4 high severity selected controls. OpenSCAP says 2 passing, 1 failing, and 1 notchecked.
  • This profile identifies 12 medium severity selected controls. OpenSCAP says 5 passing, 6 failing, and 1 notchecked.
  • This profile identifies 44 low severity selected controls. OpenSCAP says 33 passing, 9 failing, and 2 notchecked.

After govready fix - results from third scan:

Full HTML Scan Report

  • This profile identifies 4 high severity selected controls. OpenSCAP says 2 passing, 1 failing, and 1 notchecked.
  • This profile identifies 12 medium severity selected controls. OpenSCAP says 11 passing, 0 failing, and 1 notchecked.
  • This profile identifies 44 low severity selected controls. OpenSCAP says 40 passing, 2 failing, and 2 notchecked.

Notes on the three fails in the final report:

  • Two fails (CCE-26967-0 & CCE-26971-2) are due to /var/log/ and /var/log/audit/ not being located on a separate partition.
  • One fail (CCE-26957-1) is the "Red Hat GPG Key Installed" check, a holdover from RHEL.
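Because "govready compare" does not currently work with remote scans (see the final step above), the following added example (not code from ansible-scap or GovReady) does the comparison by hand: it parses the per-severity summary lines that "govready scan" prints, reports how passing and failing counts moved between two scans, and totals the remaining failures. The two summaries embedded in the script are the first-scan and third-scan figures from the Results section; the function names compare_scans, summary_counts and total_failing are assumptions for this demonstration.

```shell
#!/bin/sh
# Added example, not part of ansible-scap: a stand-in for "govready compare"
# that works on saved scan summaries. Input is the summary text printed by
# "govready scan", one line per severity; the two texts below are the
# first-scan and final-scan figures quoted in the README's Results section.

SCAN_BEFORE='This profile identifies 4 high severity selected controls. OpenSCAP says 2 passing, 1 failing, and 1 notchecked.
This profile identifies 12 medium severity selected controls. OpenSCAP says 5 passing, 6 failing, and 1 notchecked.
This profile identifies 44 low severity selected controls. OpenSCAP says 7 passing, 35 failing, and 2 notchecked.'

SCAN_AFTER='This profile identifies 4 high severity selected controls. OpenSCAP says 2 passing, 1 failing, and 1 notchecked.
This profile identifies 12 medium severity selected controls. OpenSCAP says 11 passing, 0 failing, and 1 notchecked.
This profile identifies 44 low severity selected controls. OpenSCAP says 40 passing, 2 failing, and 2 notchecked.'

# summary_counts TEXT SEVERITY  ->  "passing failing notchecked"
# Field positions follow the summary line layout: the severity word is the
# 5th field, the three counts are the 11th, 13th and 16th.
summary_counts() {
    printf '%s\n' "$1" | awk -v sev="$2" '
        $5 == sev { print $11, $13, $16; exit }'
}

# total_failing TEXT -> number of failing controls summed over all severities
total_failing() {
    printf '%s\n' "$1" | awk '/OpenSCAP says/ { n += $13 } END { print n + 0 }'
}

# compare_scans BEFORE_TEXT AFTER_TEXT
# Prints one line per severity with the signed change in each count.
# Fails (exit 1) when a severity line is missing from either summary, so a
# truncated scan output is never reported as "no change".
compare_scans() {
    before="$1"; after="$2"
    for sev in high medium low; do
        b=$(summary_counts "$before" "$sev"); a=$(summary_counts "$after" "$sev")
        if [ -z "$b" ] || [ -z "$a" ]; then
            echo "compare_scans: no '$sev' line in one of the summaries" >&2
            return 1
        fi
        set -- $b $a   # $1-$3: before pass/fail/notchecked, $4-$6: after
        printf '%s passing %+d failing %+d notchecked %+d\n' \
            "$sev" $(($4 - $1)) $(($5 - $2)) $(($6 - $3))
    done
}

# Stand-alone demonstration on the README's own numbers.
compare_scans "$SCAN_BEFORE" "$SCAN_AFTER"
echo "failing controls remaining: $(total_failing "$SCAN_AFTER")"
```

In use, save each "govready scan" summary to a file on the dashboard and pass the file contents to compare_scans; the high-severity line is the one to watch, since the README's hardening steps leave that count unchanged.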

Glossary:

Afterword

Standing on the shoulders of giants, I thank the OpenSCAP, SSG and GovReady developers as well as the entire F/OSS stack they run on (and which I use daily).

Now that I understand SCAP and vulnerability scanning in general, I expect that every server I deploy to the InterWebs will have OpenSCAP installed and running for my peace of mind. All that remains is the creation of new content that will provide configuration and vulnerability testing of the sundry applications and operating systems that I will be using.

This project is licensed under the GPL v3.

Work on this project has been supported by CivicActions, Inc.

Contributors

davenuman, openprivacy, wtcross
