Deorali asked:

Adding new or modifying rules in Security Content Automation Protocol (SCAP) Security Guide (SSG)

Hi Experts,

I am investigating SCAP to automate security checks for Red Hat. I am using SCAP Workbench to perform configuration and vulnerability scans on the systems. The selected security profile does not meet my requirements. I need to either add new rules or modify the existing rules in the profile. I have not been able to figure out how to do that locally.

Please let me know if this is possible.

Thanks,
Tags: Linux Security, Linux, OS Security, Security

Last comment: btan, 8/22/2022 - Mon
btan

You probably can take a look at this, but do note that WB only supports opening XCCDF, Source DataStream, SCAP RPM files or their bzip2 variants:
https://fedorahosted.org/scap-workbench/raw-attachment/wiki/UserManual/user_manual.html#_customize_the_selected_profile_optional

... and there are also other templates compliant with the standard (esp. for audit checks) and from the community:
USGCB for RHEL5 - XCCDF and OVAL, only suitable for RHEL5.
SCE Community Content - uses SCE, only suitable for Fedora.
https://fedorahosted.org/scap-workbench/raw-attachment/wiki/UserManual/user_manual.html#alternative-contents

But I understand there are limitations or future plans for WB, e.g.:
Future plans
Proper tailoring

Currently, SCAP Workbench doesn’t follow the specification when it comes to XCCDF profile tailoring. It changes profiles directly instead of tailoring them even though the feature is called Tailoring in the tool. The new workbench will work with tailoring files and will correctly inherit the profile to tailor it.
This has been enabled by improvements in openscap that allows profile inheritance and name shadowing.
http://martin.preisler.me/2013/04/scap-workbench-redesign/

Hence, if you find the limited tailoring as posted in the first link guide is lacking, then it means getting really hands-on and producing your XCCDF using the OpenSCAP toolkit (or the openscap-utils package specifically), then creating the SCAP content (XCCDF benchmark) based on the OVAL language to execute the scan checks. WB is a sort of GUI OVAL interpreter that can still take XCCDF, and there is also oscap, which is more console-based, to run the XCCDF policies. You can check out this example for the hands-on: https://securityblog.redhat.com/2013/11/13/automated-auditing-the-system-using-scap-2/
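The tailoring-file approach described above (a new profile that extends the stock one rather than editing it in place), as an added example that is not part of this thread and not code from the SCAP Workbench or OpenSCAP projects. The datastream file name, profile ids, rule ids and value id below are constructed placeholders; the real ones come from your own content (`oscap info <datastream.xml>` lists the profiles), and the oscap command line in the trailing comment is the standard console invocation for a tailored scan.

```python
"""XCCDF 1.2 tailoring file that extends a stock profile instead of editing it.

Added example for this thread, not code from SCAP Workbench or OpenSCAP.
All ids and the datastream file name are constructed placeholders.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF_NS)


def q(tag):
    """Return the tag name qualified with the XCCDF 1.2 namespace."""
    return "{%s}%s" % (XCCDF_NS, tag)


def build_tailoring(benchmark_href, base_profile, new_profile_id, title,
                    deselect=(), select=(), refine_values=None,
                    time="2022-08-22T00:00:00"):
    """Serialize a Tailoring document whose single Profile extends base_profile.

    Because of the `extends` attribute, every rule the base profile selects stays
    selected unless this profile deselects it: that is the inheritance the older
    Workbench skipped when it edited the profile in place.
    """
    root = ET.Element(q("Tailoring"), {"id": "xccdf_org.example_tailoring_custom"})
    ET.SubElement(root, q("benchmark"), {"href": benchmark_href})
    ET.SubElement(root, q("version"), {"time": time}).text = "1"
    profile = ET.SubElement(root, q("Profile"),
                            {"id": new_profile_id, "extends": base_profile})
    ET.SubElement(profile, q("title")).text = title
    # XCCDF schema order inside Profile: title, then select*, then refine-value*
    for rule_id in deselect:
        ET.SubElement(profile, q("select"), {"idref": rule_id, "selected": "false"})
    for rule_id in select:
        ET.SubElement(profile, q("select"), {"idref": rule_id, "selected": "true"})
    for value_id, selector in (refine_values or {}).items():
        ET.SubElement(profile, q("refine-value"),
                      {"idref": value_id, "selector": selector})
    return ET.tostring(root, encoding="unicode")


def summarize_tailoring(xml_text):
    """Parse a tailoring file and report what its profile changes, as a sanity
    check before handing the file to oscap."""
    profile = ET.fromstring(xml_text).find(q("Profile"))
    selects = profile.findall(q("select"))
    return {
        "extends": profile.get("extends"),
        "selected": sorted(s.get("idref") for s in selects if s.get("selected") == "true"),
        "deselected": sorted(s.get("idref") for s in selects if s.get("selected") == "false"),
        "refined": {r.get("idref"): r.get("selector")
                    for r in profile.findall(q("refine-value"))},
    }


# Constructed placeholder ids (replace with ids listed by `oscap info`).
BASE_PROFILE = "xccdf_org.example_profile_stig-rhel6-server"
NEW_PROFILE = "xccdf_org.example_profile_stig-rhel6-clamav"


def example_tailoring():
    """Swap a vendor antivirus rule for a custom one and refine one Value."""
    return build_tailoring(
        benchmark_href="ssg-rhel6-ds.xml",          # placeholder datastream name
        base_profile=BASE_PROFILE,
        new_profile_id=NEW_PROFILE,
        title="STIG RHEL6 with ClamAV",
        deselect=["xccdf_org.example_rule_install_vendor_antivirus"],
        select=["xccdf_org.example_rule_install_clamav"],
        refine_values={"xccdf_org.example_value_password_min_len": "15"},
    )


if __name__ == "__main__":
    xml_text = example_tailoring()
    with open("tailoring.xml", "w") as fh:
        fh.write(xml_text)
    print(summarize_tailoring(xml_text))
    # Scan with the tailored profile from the console:
    #   oscap xccdf eval --profile xccdf_org.example_profile_stig-rhel6-clamav \
    #       --tailoring-file tailoring.xml --results results.xml \
    #       --report report.html ssg-rhel6-ds.xml
```

The stock datastream is never modified; the tailoring file is the only artefact you maintain, which keeps your customisation separate from vendor content updates.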
Deorali

ASKER
There is not much documentation available as to how to create your own SCAP content. The profiles / templates available do not fully meet my needs. I need to either add new rules or modify existing rules. If anyone here knows how to do it and has done it before, please, I need your help.

Thanks,
btan

SCAP Workbench has customised profiles, so if you mean they are not able to meet your needs then this requires actually changing the XCCDF rule in the XML itself, as in the last link shared in the previous post. You mean even customisation does not fit your use case? It will help if you can share more specifics on the use case.
Deorali

ASKER
That's correct btan.

Say, for example, DOD's STIG RHEL6 profile uses McAfee as the antivirus software and I use ClamAV. I need to be able to change this rule to use ClamAV. This is just one case, but I have a lot more.
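For the ClamAV case just described, the part that has to change is the rule's check, which is OVAL rather than XCCDF: an added example, not part of this thread and not code from the SCAP Security Guide project, that authors a replacement OVAL definition testing for the clamav RPM and the XCCDF Rule that points at it, then walks the id chain rule -> definition -> test -> object to confirm nothing dangles. The rule id, OVAL ids, OVAL file name and package name are constructed; the element structure follows the OVAL 5.11 Linux schema (rpminfo_test/rpminfo_object) and XCCDF 1.2.

```python
"""Replacement OVAL check for a package plus the XCCDF Rule referencing it.

Added example for this thread, not SCAP Security Guide code. Ids, file name
and package name are constructed placeholders.
"""
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_COMMON_NS = "http://oval.mitre.org/XMLSchema/oval-common-5"
OVAL_LINUX_NS = OVAL_NS + "#linux"
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
for prefix, uri in (("oval-def", OVAL_NS), ("oval", OVAL_COMMON_NS),
                    ("linux", OVAL_LINUX_NS), ("xccdf", XCCDF_NS)):
    ET.register_namespace(prefix, uri)


def ns(uri, tag):
    return "{%s}%s" % (uri, tag)


def build_package_oval(package, namespace="org.example", number=1):
    """OVAL definitions file with one compliance definition: package installed.

    rpminfo_object names the package, the test passes when at least one
    matching RPM exists, and the definition's single criterion references it.
    Returns (xml_text, definition_id).
    """
    def_id = "oval:%s:def:%d" % (namespace, number)
    tst_id = "oval:%s:tst:%d" % (namespace, number)
    obj_id = "oval:%s:obj:%d" % (namespace, number)
    root = ET.Element(ns(OVAL_NS, "oval_definitions"))
    gen = ET.SubElement(root, ns(OVAL_NS, "generator"))
    ET.SubElement(gen, ns(OVAL_COMMON_NS, "product_name")).text = "custom-content-example"
    ET.SubElement(gen, ns(OVAL_COMMON_NS, "schema_version")).text = "5.11"
    ET.SubElement(gen, ns(OVAL_COMMON_NS, "timestamp")).text = "2022-08-22T00:00:00"
    d = ET.SubElement(ET.SubElement(root, ns(OVAL_NS, "definitions")),
                      ns(OVAL_NS, "definition"),
                      {"id": def_id, "version": "1", "class": "compliance"})
    meta = ET.SubElement(d, ns(OVAL_NS, "metadata"))
    ET.SubElement(meta, ns(OVAL_NS, "title")).text = "Package %s is installed" % package
    ET.SubElement(meta, ns(OVAL_NS, "description")).text = "Replaces the vendor antivirus check."
    ET.SubElement(ET.SubElement(d, ns(OVAL_NS, "criteria")), ns(OVAL_NS, "criterion"),
                  {"test_ref": tst_id, "comment": "%s rpm present" % package})
    t = ET.SubElement(ET.SubElement(root, ns(OVAL_NS, "tests")),
                      ns(OVAL_LINUX_NS, "rpminfo_test"),
                      {"id": tst_id, "version": "1", "check": "all",
                       "check_existence": "at_least_one_exists",
                       "comment": "%s installed" % package})
    ET.SubElement(t, ns(OVAL_LINUX_NS, "object"), {"object_ref": obj_id})
    o = ET.SubElement(ET.SubElement(root, ns(OVAL_NS, "objects")),
                      ns(OVAL_LINUX_NS, "rpminfo_object"), {"id": obj_id, "version": "1"})
    ET.SubElement(o, ns(OVAL_LINUX_NS, "name")).text = package
    return ET.tostring(root, encoding="unicode"), def_id


def build_xccdf_rule(rule_id, title, oval_href, oval_def_id):
    """XCCDF Rule whose check points at the OVAL definition by file and id."""
    rule = ET.Element(ns(XCCDF_NS, "Rule"),
                      {"id": rule_id, "selected": "true", "severity": "medium"})
    ET.SubElement(rule, ns(XCCDF_NS, "title")).text = title
    check = ET.SubElement(rule, ns(XCCDF_NS, "check"), {"system": OVAL_NS})
    ET.SubElement(check, ns(XCCDF_NS, "check-content-ref"),
                  {"href": oval_href, "name": oval_def_id})
    return ET.tostring(rule, encoding="unicode")


def _require(node, what):
    if node is None:
        raise ValueError("dangling reference: " + what)
    return node


def verify_references(oval_xml, rule_xml):
    """Follow rule -> definition -> test -> object and return the package the
    rule ultimately checks; raise ValueError if any reference does not resolve."""
    oval = ET.fromstring(oval_xml)
    rule = ET.fromstring(rule_xml)
    ref = _require(rule.find(".//" + ns(XCCDF_NS, "check-content-ref")), "check-content-ref").get("name")
    d = _require(oval.find(".//%s[@id='%s']" % (ns(OVAL_NS, "definition"), ref)), ref)
    test_ref = _require(d.find(".//" + ns(OVAL_NS, "criterion")), "criterion").get("test_ref")
    t = _require(oval.find(".//%s[@id='%s']" % (ns(OVAL_LINUX_NS, "rpminfo_test"), test_ref)), test_ref)
    obj_ref = _require(t.find(ns(OVAL_LINUX_NS, "object")), "object").get("object_ref")
    o = _require(oval.find(".//%s[@id='%s']" % (ns(OVAL_LINUX_NS, "rpminfo_object"), obj_ref)), obj_ref)
    return _require(o.find(ns(OVAL_LINUX_NS, "name")), "name").text


if __name__ == "__main__":
    oval_xml, def_id = build_package_oval("clamav")
    rule_xml = build_xccdf_rule("xccdf_org.example_rule_install_clamav",
                                "Install ClamAV", "clamav-oval.xml", def_id)
    print(verify_references(oval_xml, rule_xml))   # clamav
    # Validate against the schemas before wiring the rule into a benchmark:
    #   oscap oval validate clamav-oval.xml
```

The same generator covers any package-presence rule, not only antivirus, because the package name is the only thing that varies; the cross-reference walk is the check worth keeping, since a typo in `test_ref` or `object_ref` silently turns a rule into an error result at scan time.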
ASKER CERTIFIED SOLUTION
btan
