Computer systems are routinely affected by software vulnerabilities and flaws. One of the fundamental features of OpenSCAP is vulnerability assessment: the process of identifying and classifying the vulnerabilities present on a system. With OpenSCAP you can find out which known vulnerabilities affect your system, so that you can mitigate them (typically by installing the vendor's update).
In this tutorial, we will show you step by step how to scan a machine running Red Hat Enterprise Linux 6.7 for vulnerabilities, using the OpenSCAP command-line tool.
The first thing you need to perform a vulnerability scan is a scanner. We will use the oscap command-line tool from OpenSCAP Base, which you can install with the yum package manager:
# yum install openscap-scanner
The second thing you need is security content in the form of SCAP documents. Security vulnerabilities are usually described by definitions written in the Open Vulnerability and Assessment Language (OVAL).
Red Hat continuously publishes OVAL definitions for its products. These definitions allow a fully automated audit of vulnerabilities in the installed software: they describe the known vulnerabilities of Red Hat Enterprise Linux that have been addressed by a Red Hat Security Advisory. To find out more about this project, see http://www.redhat.com/security/data/metrics/. Known security issues are identified by Red Hat Security Advisories (RHSA), which are mapped to CVE identifiers that link to the National Vulnerability Database.
All definitions provided by Red Hat Product Security can be found in the Red Hat OVAL repository, which contains OVAL files for RHEL 3 and later. There are several options for downloading them:
Note that these OVAL definitions are designed to cover only software and updates released by Red Hat. To detect the patch status of third-party software, you need to provide additional definitions.
In this tutorial, we will use the file specific to Red Hat Enterprise Linux 6. It contains OVAL definitions describing all known vulnerabilities of Red Hat Enterprise Linux 6 covered by Red Hat advisories. To download it, run the following command:
$ wget https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_6.xml
Perform the vulnerability scan using the following command. Running it as root is recommended: a definition whose tests the scanner is not permitted to evaluate is reported as error or unknown rather than true or false.
$ oscap oval eval --results rhsa-results-oval.xml --report oval-report.html Red_Hat_Enterprise_Linux_6.xml
OpenSCAP evaluates every definition in the file and reports which Red Hat Security Advisories are not satisfied, and therefore which security vulnerabilities are present on the scanned system. You will see the scan progress in your terminal.
After the scan, you have the results in two files: the OVAL Results document rhsa-results-oval.xml (machine-readable, suitable for further processing) and the HTML report oval-report.html (human-readable).
Definitions evaluated as true mean that the system is affected by the vulnerability, i.e. the update from the corresponding advisory is not installed. False means the vulnerability does not affect your system. Pay attention to any definitions reported as error or unknown: they could not be evaluated, so they are not evidence that the system is safe.
It is also possible to produce only the OVAL Results document (omit the --report option). You can generate the HTML report from it at any time later using OpenSCAP:
$ oscap oval generate report rhsa-results-oval.xml > oval-report.html
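The HTML report is convenient to read, but the OVAL Results document is what you process when many machines are scanned. The following Python script is an added example for this tutorial (it is not code from the OpenSCAP project): it reads the results file written by `--results`, lists each definition that evaluated to true together with the RHSA and CVE identifiers from the definition metadata, counts the other result values, and treats a scan with error or unknown results as inconclusive rather than clean. The embedded sample document is constructed for the example with placeholder identifiers; its layout follows the OVAL Results format oscap writes, in which the evaluated definitions are embedded under `oval_definitions` and the verdicts under `results`.

```python
"""Summarize an OVAL Results document written by `oscap oval eval --results`.

Added example for this tutorial, not OpenSCAP project code. It lists each
definition that evaluated to "true" (the fix from that advisory is missing)
with the RHSA and CVE ids from its metadata, and refuses to call a scan
clean while any definition could not be evaluated.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"res": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# OVAL result values meaning "the scanner could not decide".
INCONCLUSIVE = {"error", "unknown", "not evaluated"}

# Constructed sample in the layout oscap writes: the evaluated definitions
# are embedded under <oval_definitions>, the verdicts under <results>.
# Identifiers are placeholders, not real advisories.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
    xmlns:d="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <d:oval_definitions><d:definitions>
    <d:definition class="patch" id="oval:com.redhat.rhsa:def:20150000">
      <d:metadata>
        <d:title>RHSA-2015:0000: example security update (Important)</d:title>
        <d:reference ref_id="RHSA-2015:0000" source="RHSA"/>
        <d:reference ref_id="CVE-2015-0000" source="CVE"/>
        <d:reference ref_id="CVE-2015-0001" source="CVE"/>
        <d:advisory><d:severity>Important</d:severity></d:advisory>
      </d:metadata>
    </d:definition>
    <d:definition class="patch" id="oval:com.redhat.rhsa:def:20150002">
      <d:metadata>
        <d:title>RHSA-2015:0002: example security update (Low)</d:title>
        <d:reference ref_id="RHSA-2015:0002" source="RHSA"/>
        <d:reference ref_id="CVE-2015-0002" source="CVE"/>
        <d:advisory><d:severity>Low</d:severity></d:advisory>
      </d:metadata>
    </d:definition>
    <d:definition class="patch" id="oval:com.redhat.rhsa:def:20150003">
      <d:metadata>
        <d:title>RHSA-2015:0003: example security update (Moderate)</d:title>
        <d:reference ref_id="RHSA-2015:0003" source="RHSA"/>
        <d:reference ref_id="CVE-2015-0003" source="CVE"/>
      </d:metadata>
    </d:definition>
  </d:definitions></d:oval_definitions>
  <results><system><definitions>
    <definition definition_id="oval:com.redhat.rhsa:def:20150000" result="true"/>
    <definition definition_id="oval:com.redhat.rhsa:def:20150002" result="false"/>
    <definition definition_id="oval:com.redhat.rhsa:def:20150003" result="error"/>
  </definitions></system></results>
</oval_results>
"""

def definition_metadata(root):
    """Map definition id -> title, RHSA ids, CVE ids and severity (if present)."""
    meta = {}
    for d in root.iterfind("def:oval_definitions/def:definitions/def:definition", NS):
        m = d.find("def:metadata", NS)
        refs = m.findall("def:reference", NS)
        meta[d.get("id")] = {
            "title": m.findtext("def:title", default="", namespaces=NS),
            "rhsa": [r.get("ref_id") for r in refs if r.get("source") == "RHSA"],
            "cves": [r.get("ref_id") for r in refs if r.get("source") == "CVE"],
            "severity": m.findtext("def:advisory/def:severity", default=None, namespaces=NS),
        }
    return meta

def summarize_results(xml_text):
    """Return (counts per result value, list of findings for result="true")."""
    root = ET.fromstring(xml_text)
    meta = definition_metadata(root)
    counts, findings = Counter(), []
    for r in root.iterfind("res:results/res:system/res:definitions/res:definition", NS):
        counts[r.get("result")] += 1
        if r.get("result") == "true":
            def_id = r.get("definition_id")
            findings.append({"id": def_id, **meta.get(def_id, {})})
    return counts, findings

def is_clean(counts):
    """Clean only if nothing was true AND every definition actually evaluated."""
    return counts.get("true", 0) == 0 and not INCONCLUSIVE.intersection(counts)

if __name__ == "__main__":
    # Usage: python oval_summary.py rhsa-results-oval.xml (no argument: the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    counts, findings = summarize_results(text)
    for f in findings:
        print(f"{f['id']}  {' '.join(f.get('rhsa', []))}  [{f.get('severity') or '?'}]  "
              f"{' '.join(f.get('cves', []))}")
    for value in sorted(counts):
        print(f"{value:>14}: {counts[value]}")
    print("clean:", is_clean(counts))
```

Point the script at the rhsa-results-oval.xml produced above to get one line per missing advisory with its CVEs, which is the list you hand to whoever applies updates. The `is_clean` check is deliberately strict: a host with zero true results but one error is reported as not clean, because the definition that failed to evaluate may be exactly the one the host is missing.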
For more information about using the OpenSCAP command-line tool, see the OpenSCAP user manual.
Figure 1: HTML report of vulnerability scan