OSCAP hardening

OpenSCAP is quite nice: https://www.open-scap.org/tools/openscap-base/

I created my own customization:

<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
<xccdf:benchmark href="/tmp/scap-workbench-oMQosO/ssg-rl9-ds.xml"/>
<xccdf:version time="2024-03-31T21:06:09">1</xccdf:version>
<xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig_customized_001">
<xccdf:version>V1R2</xccdf:version>
<xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">DISA STIG for Red Hat Enterprise Linux 9 [CUSTOMIZED]</xccdf:title>
<xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This profile contains configuration checks that align to the
DISA STIG for Red Hat Enterprise Linux 9 V1R2.
<snip>
<xccdf:refine-value idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" selector="18_hours"/>
<xccdf:refine-value idref="xccdf_org.ssgproject.content_value_login_banner_text" selector="dod_banners"/>
<xccdf:refine-value idref="xccdf_org.ssgproject.content_value_var_authselect_profile" selector="sssd"/>
</xccdf:Profile>
</xccdf:Tailoring>

I should make a new one based on what I've learnt from hardening my jumppoints, which are the only nodes on my network reachable from the internet. They only expose VPN and SSH and have OSSEC installed to ban anyone who repeatedly trips various rules. They also run SELinux enforcing, which was a bit of a pain when I installed Keepalived to move a virtual IP around, but I made the requisite type enforcement module:

module newmodule 1.0;

require {
type keepalived_t;
type systemd_systemctl_exec_t;
class file { execute read };
}

#============= keepalived_t ==============
allow keepalived_t systemd_systemctl_exec_t:file { execute read };

I started with a template:

ausearch -ts today | tail -100 | audit2allow -M vpn03

Then made some changes, compiled and imported it:

vim vpn03.te                                  # review and trim the generated allow rules
checkmodule -M -m -o vpn03.mod vpn03.te       # compile the type enforcement source
semodule_package -o vpn03.pp -m vpn03.mod     # wrap the compiled module as a policy package
semodule -i vpn03.pp                          # load it into the running policy
systemctl restart keepalived

So it's pretty tightly locked down. OSSEC is doing its job:

Sat Apr 20 10:43:26 AM CEST 2024 /var/ossec/active-response/bin/firewall-drop.sh add - 218.92.0.XY 1713602606.209438 5752
Sat Apr 20 10:46:08 AM CEST 2024 /var/ossec/active-response/bin/firewall-drop.sh delete - 43.140.225.XY 1712997913.210209 100001
Sat Apr 20 10:46:08 AM CEST 2024 /var/ossec/active-response/bin/firewall-drop.sh delete - 87.248.226.XY 1712997899.208567 100001
Sat Apr 20 10:46:08 AM CEST 2024 /var/ossec/active-response/bin/firewall-drop.sh add - 185.196.8.XY 1713602768.210489 5752
Sat Apr 20 10:49:09 AM CEST 2024 /var/ossec/active-response/bin/firewall-drop.sh delete - 165.227.166.XY 1712998067.212706 100001
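The lines above are OSSEC's active-responses log: a date, the response script, `add` or `delete`, a user field (`-`), the source IP, the alert ID and the rule ID. Replaying the `add`/`delete` events tells you what is actually blocked right now and which sources keep coming back after the block expires. The script below is an added example, not part of these notes or of OSSEC; the field layout is inferred from the lines on the page, the sample log is constructed with RFC 5737 documentation addresses, and the zone name is dropped before parsing the date because `strptime` cannot resolve `CEST` portably.

```python
"""Replay OSSEC active-response events: who is blocked now, who keeps returning.

Added example, not part of the original notes or of OSSEC. Field layout is
inferred from the page's log lines:
  <date: 7 tokens> <script> <add|delete> <user> <srcip> <alert id> <rule id>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sat Apr 20 10:43:26 AM CEST 2024 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1713602606.209438 5752
Sat Apr 20 10:46:08 AM CEST 2024 /var/ossec/active-response/bin/firewall-drop.sh delete - 198.51.100.7 1712997913.210209 100001
Sat Apr 20 10:46:08 AM CEST 2024 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.44 1713602768.210489 5752
Sat Apr 20 10:49:09 AM CEST 2024 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1713602606.209438 100001
Sat Apr 20 11:02:41 AM CEST 2024 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1713603761.211003 5752
"""


def parse_line(line):
    """Return (timestamp, script, action, src_ip, alert_id, rule_id), or None
    for lines that do not fit the layout (so noise never becomes an event)."""
    parts = line.split()
    if len(parts) != 13:
        return None
    date_tokens = parts[:7]
    # Drop the zone name (token 6): 'Sat Apr 20 10:43:26 AM 2024'
    stamp = " ".join(date_tokens[:5] + date_tokens[6:7])
    try:
        ts = datetime.strptime(stamp, "%a %b %d %I:%M:%S %p %Y")
    except ValueError:
        return None
    script, action, _user, src_ip, alert_id, rule_id = parts[7:]
    if action not in ("add", "delete"):
        return None
    return ts, script, action, src_ip, alert_id, rule_id


def active_blocks(log_text):
    """Replay events in file order; return {ip: (blocked_at, rule_id)} for
    IPs whose last event is an 'add'. Deletes are matched by IP, which is
    how firewall-drop.sh removes the rule."""
    blocked = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _script, action, ip, _alert_id, rule_id = rec
        if action == "add":
            blocked[ip] = (ts, rule_id)
        else:
            blocked.pop(ip, None)
    return blocked


def repeat_offenders(log_text, min_adds=2):
    """IPs blocked at least min_adds times: banned, timed out, came back.
    These are candidates for a permanent firewall rule."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec[2] == "add":
            counts[rec[3]] += 1
    return sorted(ip for ip, n in counts.items() if n >= min_adds)


if __name__ == "__main__":
    for ip, (ts, rule) in sorted(active_blocks(SAMPLE_LOG).items()):
        print("blocked", ip, "since", ts.isoformat(), "rule", rule)
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

Run it against `/var/ossec/logs/active-responses.log` by reading the file into `active_blocks`; the `delete` events that OSSEC writes when the timeout expires are what keep the replay honest, so a block that was added but never deleted is still listed as active.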

But I wanted it to be really secure. In comes OpenSCAP, which checks hosts against known definitions of security standards (the SSG data streams, such as ssg-rl9-ds.xml below). When I ran it originally jumppoint02 was so-so:

Generating remediation in the GUI failed, so I had to do it via the CLI, which in turn required a change to the oscap-ssh script:

161a162,163
elif [ "$1 $2" == "xccdf generate" ]; then
true
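Review bot: the new branch only lets the `xccdf generate` verb pair past the subcommand check with a bare `true`, so everything that follows in oscap-ssh (copying the `--tailoring-file` and data stream to the remote host, running oscap there, pulling results back) is being reused for a subcommand the script was not written around; a comment on the `true` line saying why the branch exists and which later steps were verified to work would save the next reader the same investigation. Two practical points: this edits a package-managed file, so the change will be lost on the next update of the package that ships oscap-ssh and should be kept as a diff or a wrapper script; and as shown the added lines lack the `> ` markers that the `161a162,163` ed-style hunk would normally carry, so the fragment is for reading, not for feeding to patch.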

With that subcommand now let through, I invoked the check and got the remediation out:

oscap-ssh --sudo username@jumppoint02.incandescent.tech 22 xccdf generate fix \
    --template urn:xccdf:fix:script:ansible \
    --fetch-remote-resources \
    --tailoring-file /home/user/Documents/custom_002/tailoring-xccdf.xml \
    --profile xccdf_org.ssgproject.content_profile_stig_customized_001 \
    /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml > fix_jumppoint02.yml

The .yml file needs to be edited since, as captured, it isn't valid YAML, but I think that's easy enough to fix. I ran the test again:
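A small filter for that clean-up step, added here as an example rather than taken from these notes or from OpenSCAP. It assumes that the invalid part is text that lands in the redirected file before the playbook proper (anything oscap-ssh itself prints to stdout before the remote oscap output), and that the generated Ansible playbook begins with a `---` document marker; the captured sample, including the task and tag names, is constructed. The PyYAML parse is optional so the script also works where the library is not installed.

```python
"""Keep only the Ansible playbook from a captured
'oscap-ssh ... xccdf generate fix ... > fix.yml' file.

Added example, not part of the original notes or of OpenSCAP. Assumes the
non-YAML material precedes the playbook's '---' document marker.
"""
import re

# Constructed capture: two assumed preamble lines, then a playbook fragment.
CAPTURED = """\
Connecting to 'jumppoint02.example'...
Copying tailoring file to remote working directory...
---
# Ansible remediation role for profile xccdf_org.ssgproject.content_profile_stig_customized_001
- hosts: all
  tasks:
    - name: Ensure permissions on /etc/passwd are configured
      file:
        path: /etc/passwd
        mode: '0644'
      tags:
        - example_rule_id
"""


def extract_playbook(text):
    """Return the text from the first YAML document marker ('---') onward.
    Raise ValueError when no marker exists, so a failed capture is noticed
    instead of silently becoming an empty playbook."""
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.rstrip("\r\n") == "---":
            return "".join(lines[i:])
    raise ValueError("no YAML document start ('---') found in captured output")


def task_names(playbook):
    """List '- name:' entries by text scan, so the summary needs no PyYAML."""
    return re.findall(r"^\s*-\s+name:\s*(.+?)\s*$", playbook, re.M)


def parse_if_pyyaml(playbook):
    """Parse with PyYAML when available (a real validity check); otherwise
    return None so callers can tell 'not checked' from 'empty'."""
    try:
        import yaml
    except ImportError:
        return None
    return yaml.safe_load(playbook)


def clean_file(src_path, dst_path):
    """Read a captured file, write the playbook part, return the task names."""
    with open(src_path, encoding="utf-8") as fh:
        playbook = extract_playbook(fh.read())
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(playbook)
    return task_names(playbook)


if __name__ == "__main__":
    pb = extract_playbook(CAPTURED)
    print(pb)
    print("tasks:", task_names(pb))
    print("pyyaml parse:", "skipped" if parse_if_pyyaml(pb) is None else "ok")
```

Usage: `clean_file("fix_jumppoint02.yml", "fix_jumppoint02.clean.yml")`, then `ansible-playbook --syntax-check` on the result before running it against the jumppoint.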

I checked the things that were Failed and they all checked out, so I'm not sure why they show up as failed here. In fairness it sometimes has the wrong path to files (it seems not to understand that /etc/sudoers defaults propagate to defined users).

Addendum 2024-06-27:

Note that in this line:

[user@openscap ~]$ oscap-ssh --sudo username@jumppoint04.incandescent.tech 22 xccdf generate fix \
    --template urn:xccdf:fix:script:ansible \
    --fetch-remote-resources \
    --tailoring-file /home/user/Documents/custom_004/ssg-rl9-ds-tailoring.xml \
    --profile xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary_customized \
    /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml

the profile ID passed with --profile, xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary_customized, must match the Profile id defined in the tailoring file:

[user@openscap ~]$ oscap info Documents/custom_004/ssg-rl9-ds-tailoring.xml 
Document type: XCCDF Tailoring
Imported: 2024-06-27T18:58:41
Benchmark Hint: /tmp/scap-workbench-UntgnT/ssg-rl9-ds.xml
Profiles:
	Title: ANSSI-BP-028 (intermediary) [CUSTOMIZED]
		Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary_customized

not one of the IDs listed in the original data stream, not even the one the tailoring was based on:

[user@openscap ~]$ oscap info /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml 
Document type: Source Data Stream
Imported: 2024-06-27T17:52:11

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel9-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-xccdf.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/v2/RHEL9/rhel-9.oval.xml.bz2' file which is referenced from datastream
		Status: draft
		Generated: 2024-02-26
		Resolved: true
		Profiles:
			Title: ANSSI-BP-028 (enhanced)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
			Title: ANSSI-BP-028 (high)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
			Title: ANSSI-BP-028 (intermediary)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
			Title: ANSSI-BP-028 (minimal)
				Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
			Title: CCN Red Hat Enterprise Linux 9 - Advanced
				Id: xccdf_org.ssgproject.content_profile_ccn_advanced
			Title: CCN Red Hat Enterprise Linux 9 - Basic
				Id: xccdf_org.ssgproject.content_profile_ccn_basic
			Title: CCN Red Hat Enterprise Linux 9 - Intermediate
				Id: xccdf_org.ssgproject.content_profile_ccn_intermediate
			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server
				Id: xccdf_org.ssgproject.content_profile_cis
			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server
				Id: xccdf_org.ssgproject.content_profile_cis_server_l1
			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation
				Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
			Title: CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation
				Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
			Title: DRAFT - Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
				Id: xccdf_org.ssgproject.content_profile_cui
			Title: Australian Cyber Security Centre (ACSC) Essential Eight
				Id: xccdf_org.ssgproject.content_profile_e8
			Title: Health Insurance Portability and Accountability Act (HIPAA)
				Id: xccdf_org.ssgproject.content_profile_hipaa
			Title: Australian Cyber Security Centre (ACSC) ISM Official
				Id: xccdf_org.ssgproject.content_profile_ism_o
			Title: Protection Profile for General Purpose Operating Systems
				Id: xccdf_org.ssgproject.content_profile_ospp
			Title: PCI-DSS v4.0 Control Baseline for Red Hat Enterprise Linux 9
				Id: xccdf_org.ssgproject.content_profile_pci-dss
			Title: DISA STIG for Red Hat Enterprise Linux 9
				Id: xccdf_org.ssgproject.content_profile_stig
			Title: DISA STIG with GUI for Red Hat Enterprise Linux 9
				Id: xccdf_org.ssgproject.content_profile_stig_gui
		Referenced check files:
			ssg-rhel9-oval.xml
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
			ssg-rhel9-ocil.xml
				system: http://scap.nist.gov/schema/ocil/2
			security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2
				system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-oval.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-ocil.xml
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-oval.xml
	Ref-Id: scap_org.open-scap_cref_security-data-oval-v2-RHEL9-rhel-9.oval.xml.bz2
Dictionaries:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel9-cpe-dictionary.xml
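The mismatch the addendum describes (passing the data stream's base profile ID instead of the tailored one) is easy to catch before an SSH round trip: parse the tailoring file and compare. The script below is an added example, not part of these notes or of OpenSCAP (`oscap info` gives the same listing interactively). The tailoring document is constructed after the ones on the page; the `extends` attribute, which is how an XCCDF tailoring profile names the data-stream profile it derives from, is assumed here, and the selected rule ID is a placeholder.

```python
"""Check a --profile argument against the Profile ids in an XCCDF tailoring
file, and report which base profile it extends.

Added example, not part of the original notes or of OpenSCAP. The tailoring
below is constructed; 'extends' and the rule id are assumptions.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

TAILORING = """<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/tmp/scap-workbench-example/ssg-rl9-ds.xml"/>
  <xccdf:version time="2024-06-27T18:58:41">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary_customized"
                 extends="xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary">
    <xccdf:title override="true">ANSSI-BP-028 (intermediary) [CUSTOMIZED]</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_example_rule" selected="false"/>
    <xccdf:refine-value idref="xccdf_org.ssgproject.content_value_var_authselect_profile" selector="sssd"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""


def tailoring_profiles(xml_text):
    """Map profile id -> {'title', 'extends', 'selects', 'refine_values'}.
    Only direct children of <Tailoring> are profiles; namespace-qualified
    lookups avoid matching stray elements."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    ns = {"xccdf": XCCDF_NS}
    profiles = {}
    for prof in root.findall("xccdf:Profile", ns):
        title = prof.find("xccdf:title", ns)
        profiles[prof.get("id")] = {
            "title": title.text if title is not None else "",
            "extends": prof.get("extends"),
            "selects": {s.get("idref"): s.get("selected") == "true"
                        for s in prof.findall("xccdf:select", ns)},
            "refine_values": {r.get("idref"): r.get("selector")
                              for r in prof.findall("xccdf:refine-value", ns)},
        }
    return profiles


def check_profile_arg(xml_text, profile_id):
    """Return (ok, message). ok is False when --profile names something the
    tailoring does not define, including the base profile it extends, which
    is exactly the mistake the addendum warns about."""
    profiles = tailoring_profiles(xml_text)
    if profile_id in profiles:
        return True, "profile %s found (extends %s)" % (
            profile_id, profiles[profile_id]["extends"])
    bases = {p["extends"]: pid for pid, p in profiles.items() if p["extends"]}
    if profile_id in bases:
        return False, "%s is the base profile; use the tailored id %s" % (
            profile_id, bases[profile_id])
    return False, "profile %s not in tailoring; available: %s" % (
        profile_id, ", ".join(sorted(profiles)))


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 2 else TAILORING
    wanted = sys.argv[2] if len(sys.argv) > 2 else \
        "xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary"
    ok, msg = check_profile_arg(xml_text, wanted)
    print(("OK: " if ok else "ERROR: ") + msg)
    sys.exit(0 if ok else 1)
```

Run as `python3 check_profile.py Documents/custom_004/ssg-rl9-ds-tailoring.xml <profile-id>` and wire the exit status into whatever wraps the oscap-ssh call; the `selects` and `refine_values` maps are also a quick way to diff two tailorings without scap-workbench.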