Last modified on 03/19/12 03:02:20

Overview information about the US Government Configuration Baseline (USGCB), including its federal mandate, is available at: http://usgcb.nist.gov

USGCB settings for Red Hat Enterprise Linux 5 (as a desktop), along with deployment resources such as a kickstart and Puppet modules, are at http://usgcb.nist.gov/usgcb/rhel_content.html. The Puppet modules are also hosted on Aqueduct, in combination with other modules. Many of the USGCB desktop settings can also be applied to a server installation of RHEL 5 (though the federal mandate does not apply there). The USGCB settings (as well as other SCAP content) can be tailored using tools such as https://fedorahosted.org/scap-workbench/

How To Easily Scan a System Against the RHEL 5 Desktop USGCB Settings

Prerequisite: Ensure that the openscap RPM is installed. It's part of RHEL 5 and RHEL 6.

  • First, visit http://usgcb.nist.gov/usgcb/rhel/download_rhel5.html to download the SCAP Content and unzip it (into its own directory).
  • Second, to evaluate your system against its requirements, run the following command:
    $ oscap xccdf eval --profile united_states_government_configuration_baseline --results results.xml usgcb-rhel5desktop-xccdf.xml
    
    Some of the checks require root privileges, so run the scan as root to get a complete report. Also note that it's possible to speed up the process by selectively disabling some checks (such as those that need to walk the filesystem) by manually editing the <Profile> section inside usgcb-rhel5desktop-xccdf.xml (or using scap-benchmark). Some checks report a result of unknown; this is due to the version of OVAL available during the development of the baseline. This is largely addressed in newer versions of OVAL (which are also supported by OpenSCAP), however.
  • Third, generate an HTML report from the scan results by running:
    $ oscap xccdf generate report results.xml > report-xccdf.html
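
Besides the HTML report, results.xml can be summarized directly, which makes it easy to see which rules failed and which came back unknown (for example, because the scan was not run as root). The script below is an added example, not part of the USGCB content or OpenSCAP; it assumes the standard XCCDF layout of rule-result elements carrying an idref attribute and a result child, and the embedded sample and its rule ids are constructed.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the XCCDF results layout; the rule ids are made up.
SAMPLE = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample">
  <TestResult id="sample-result">
    <rule-result idref="example_rule_a"><result>pass</result></rule-result>
    <rule-result idref="example_rule_b"><result>fail</result></rule-result>
    <rule-result idref="example_rule_c"><result>unknown</result></rule-result>
    <rule-result idref="example_rule_d"><result>notselected</result></rule-result>
    <rule-result idref="example_rule_e"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""

# XCCDF result values that an administrator should look at after a scan.
NEEDS_REVIEW = {"fail", "error", "unknown", "notchecked"}

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files both work."""
    return tag.rsplit("}", 1)[-1]

def summarize(xml_data):
    """Return (counts per result value, {result: [rule ids]} for NEEDS_REVIEW)."""
    counts, attention = Counter(), {}
    # Counts every rule-result in the file; a file holding several
    # TestResult elements is therefore summed across all of them.
    for el in ET.fromstring(xml_data).iter():
        if local(el.tag) != "rule-result":
            continue
        texts = [c.text or "" for c in el if local(c.tag) == "result"]
        result = (texts[0].strip() if texts else "") or "missing"
        counts[result] += 1
        if result in NEEDS_REVIEW:
            attention.setdefault(result, []).append(el.get("idref", "?"))
    return counts, attention

if __name__ == "__main__":
    # Usage: python summarize_results.py results.xml  (no argument: use SAMPLE)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    counts, attention = summarize(data)
    for result, n in sorted(counts.items()):
        print("%-12s %d" % (result, n))
    for result in sorted(attention):
        print("\n%s:" % result)
        for rule_id in attention[result]:
            print("  " + rule_id)
```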
    

For more information, including examples of other powerful things possible with OpenSCAP, see http://www.open-scap.org/page/Documentation

Future Plans

SCAP content development is currently underway at https://fedorahosted.org/scap-security-guide/. Its goals include submitting SCAP content to NIST for Red Hat Enterprise Linux 6 USGCB settings (per NIST 800-70, Appendix E), as well as submitting SCAP content to DISA FSO for a RHEL 6 STIG. The content developed on scap-security-guide will also include some "remediation" content (viz. direct configuration actions) embedded into the usual SCAP content (which ordinarily only provides descriptive information for administrators and the means to carry out compliance checks). These will be coordinated closely with Aqueduct. Only a subset of the automated actions (typically, simpler bash commands) can be responsibly embedded into the SCAP content using <fix> tags; more complicated configuration actions will require external tools and resources such as those available on Aqueduct.