Are you an administrator of a Red Hat Enterprise Linux 7.2 (RHEL7.2) Server and you want to handle credit card information and payments? Then you probably already heard about the Payment Card Industry Data Security Standard (PCI DSS). Now the question is how to validate your server if it is PCI DSS compliant. That’s where OpenSCAP ecosystem can help you.
If you are not yet familiar with SCAP and XCCDF or OVAL means nothing to you then please refer to the SCAP Standards page. One of the OpenSCAP projects is scap security guide (SSG) which provides a detailed guidance that can help you with the configuration of your server. You can take a look at generated guidance for the PCI-DSS. Choose the PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7 as a profile in the top right corner. Going through this guidance and trying to check the compliance of the server manually would consume a lot of your time. That’s where the SCAP and SCAP Workbench comes in handy.
In this tutorial I will walk you through the process of making your RHEL7.2 server PCI DSS compliant. First we will need the PCI DSS profile which can be found in the scap-security-guide package and then theSCAP Workbench tool which will help us to automate the compliance process.
If you don’t have the RHEL7.2 installed on your system yet and you are wondering how to make your server PCI-DSS compliant during the installation process then the OSCAP Anaconda Addon may come in handy. Take a look the Install PCI-DSS compliant RHEL-7.2 using oscap Anaconda Add-on tutorial which will show you through the whole process.
1. Installation
First we need to install both the SCAP content which can provide the SSG project and the SCAP Workbench tool. The scap-security-guide package will also install openscap library and a scanner which will be used by the SCAP Workbench that will serve as a scanning tool. You can build both packages from source or you can install them using the YUM.
$ sudo yum install scap-security-guide scap-workbench
The SCAP Workbench is a GUI for the OpenSCAP Base. If you rather prefer a command-line utility instead of
the GUI please install the openscap-scanner package instead and see the oscap user manual for instructions on
how to evaluate the PCI DSS profile.
The PCI-DSS profile is only available in the SSG since version
0.1.23 and that’s the reason why you need version 7.2 of
Red Hat Enterprise Linux or newer. You can check out your current version with the following command $ cat /etc/redhat-release. If your current version of RHEL is 7.1 or older then you must update in order to get the newer version of the SSG.
2. Run SCAP Workbench
After the installation procedure is done you can run the SCAP Workbench either from a command-line running scap-workbench command or you can find it under Applications -> System Tools -> SCAP Workbench.
Run the SCAP Workbench.
3. Select SCAP Content
The SCAP Workbench will now ask you to open some SCAP content. All the scap content, provided by the SSG project, is located in the /usr/share/xml/scap/ssg/content directory. The PCI-DSS profile can be found in the ssg-rhel7-ds.xml or ssg-rhel7- xccdf.xml. You can either choose content in XCCDF or Datastream format. We will use datastream in this tutorial.
Choose security policy for RHEL7.
4. Choose Profile
Once you have selected the SCAP content you have to select a profile. In the Profile combobox you can see that the SCAP content for RHEL7 contains more than one profile. There are multiple profiles in which we will choose the PCI-DSS Baseline for Red Hat Enterprise Linux 7 profile. The SCAP-Workbench is also able to evaluate a remote machine but we will be evaluating a localhost in this tutorial so make sure that the Target is set to local machine.
Select the PCI-DSS profile.
5. Run Scan
Now you are ready to hit the Scan button and start the evaluation of your machine. The application will run the oscap tool and wait for it to finish, reporting partial results along the way in the rule result list. Keep in mind that the SCAP Workbench cannot guess how long processing of any particular rule will take. Only the number of rules that have been processed and the number that remain are used to estimate progress. Please be patient and wait for oscap to finish evaluation.
Evaluation in progress.
The SCAP Workbench will ask you for is a GUI for the OpenSCAP Base. If you rather prefer a command-line utility instead of the GUI please install the openscap-scanner package instead and see the oscap user manual for instructions on how to evaluate the PCI DSS profile.
You can cancel the scan at any point by clicking the Cancel button. Canceling will only give you partial results in the evaluation progress list, you cannot get HTML report, XCCDF results or ARF if you cancel evaluation! After you press the Scan button, all the previous options will be disabled and greyed-out. You cannot change them until you press the Clear button which will clear all results.
6. View and Analyze Results
After evaluation finishes, you should see new buttons: Clear, Show Report and Save Results. Pressing the Show Report button will open the HTML report of the evaluation in your internet browser. The SCAP Workbench will open the report in the default web browser set in your desktop environment. Make sure you have a browser installed. Your evaluation results can be saved in several formats:
Evaluation has finished.
HTML report Human readable and convenient, not suitable for machine processing. Can be examined by any web browser. You can examine the final report here.
Readable HTML resuts.
XCCDF result
Machine readable file with just the results, not suitable for manual processing. Requires a special tool that can parse the format.
ARF
Also called result datastream. Packs input content, asset information and results into a single machine readable file, not suitable for manual processing. Requires a special tool that can parse the format.
If you are unsure which format to choose for archiving results, XCCDF Result is commonly supported and HTML reports can be generated from it with the oscap tool. The ARF file is the only format that contains everything the evaluation has generated. On top of XCCDF results, it contains OVAL results, SCE results (if any), asset identification data. If you want to keep all of the generated data, choose ARF when archiving. However, ARF files are not as well supported by SCAP toolchains as XCCDF result files are. XCCDF result files can be generated from ARF files, this operation is called ARF splitting.
7. Remediate your Server
Remediation is an automatic attempt to change configuration of your scanned server in a way that fixes a failed rule result. By fixing, we mean changing configuration, ensuring that the rule would pass in the new configuration. The Online Remediaton checkbox will do remediation as part of the evaluation itself. After evaluation is done, oscap will go over failed rules and attempt to remediate each of them.
Enable online remediation.
The success of automatic remediation greatly depends on a content quality and could result in a broken machine if not used carefully!
The rules that were remediated will show up as fixed in the rule result list.
The SCAP Workbench will ask you for your user’s password if you are a member of the wheel group or for the root’s password if you are not. The root privileges are necessary for the remediation otherwise not all rules will remediate correctly.
If there are still some rules that failed or wasn’t checked you can open the HTML report by clicking the Show Report button in the right bottom corner. Find the failed or nonchecked rules. When you click on a rule you can find a detailed information about the rule which can help you to remediate the rule yourself. Let’s say that for some reason the rule that checks whether the NTP Daemon is enabled or not failed. You can find the rule in the HTML report in the Services section under Network Time Protocol. You can take a look at the details in the following screenshot.
Online remediation has finished.
Detail of a specific rule.
