Deorali

asked on

Adding new or modifying rules in Security Content Automation Protocol (SCAP) Security Guide (SSG)

Hi Experts,

I am investigating SCAP to automate security checks for Red Hat. I am using SCAP Workbench to perform configuration and vulnerability scans on the systems. The selected security profile does not meet my requirements. I need to either add new rules or modify the existing rules in the profile. I have not been able to figure out how to do that locally.

Please let me know if this is possible.

Thanks,
btan

You probably can take a look at this, but do note that WB only supports opening XCCDF, Source DataStream, SCAP RPM files or their bzip2 variants:
https://fedorahosted.org/scap-workbench/raw-attachment/wiki/UserManual/user_manual.html#_customize_the_selected_profile_optional

... and there are also other templates compliant with the standard (esp. for audit checks) and from the community:
USGCB for RHEL5 - XCCDF and OVAL, only suitable for RHEL5.
SCE Community Content - Uses SCE, only suitable for Fedora.
https://fedorahosted.org/scap-workbench/raw-attachment/wiki/UserManual/user_manual.html#alternative-contents

But I understand there are limitations or future plans for WB, e.g.:
Future plans
Proper tailoring

Currently, SCAP Workbench doesn’t follow the specification when it comes to XCCDF profile tailoring. It changes profiles directly instead of tailoring them even though the feature is called Tailoring in the tool. The new workbench will work with tailoring files and will correctly inherit the profile to tailor it.
This has been enabled by improvements in openscap that allows profile inheritance and name shadowing.
http://martin.preisler.me/2013/04/scap-workbench-redesign/

Hence, if you find the limited tailoring described in the first linked guide is lacking, then it means getting really hands-on and producing your own XCCDF using the OpenSCAP toolkit (or the openscap-utils package specifically), then creating the SCAP content (XCCDF benchmark) based on the OVAL language to execute the scan checks. WB is a sort of GUI OVAL interpreter that can still take XCCDF, and there is also oscap, which is more console based, to run the XCCDF policies. You can check out this example for the hands-on: https://securityblog.redhat.com/2013/11/13/automated-auditing-the-system-using-scap-2/
Deorali

ASKER

There is not much documentation available as to how to create your own SCAP content. The profiles / templates available do not fully meet my needs. I need to either add new rules or modify the existing rules. If anyone here knows how to do it and has done it before, please, I need your help.

Thanks,
btan

SCAP Workbench has customised profiles, so if you mean that these are not able to meet your needs, then this requires actually changing the XCCDF rule in the XML itself, as in the last link shared in the previous post. You mean even customisation does not fit your use case? It will help if you can share more specifics on the use case.
Deorali

ASKER

That's correct btan.

Say, for example, DoD's STIG RHEL6 profile uses McAfee as the antivirus software and I use ClamAV. I need to be able to change this rule to use ClamAV. This is just one case, but I have a lot more.
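The two paths discussed in this thread, proper XCCDF tailoring (the part of btan's answer about tailoring files and profile inheritance) and writing your own XCCDF rule with an OVAL check (the "get hands-on with openscap-utils" part), can be combined for exactly the McAfee-versus-ClamAV case above. The script below is an added example and is not content from the SCAP Security Guide, from OpenSCAP, or from either poster. It writes an XCCDF 1.2 Tailoring file that extends an SSG profile and deselects the antivirus rule (so the SSG content itself is never edited), plus a small stand-alone benchmark and OVAL file with a custom rule that checks for the clamav RPM instead, then validates and scans with oscap when it is installed. The SSG file name, profile id and rule id in the variables are assumed placeholders; take the real ones from `oscap info` on your SSG XCCDF before using it.

```shell
#!/bin/sh
# Added example (not SSG or OpenSCAP code). Builds: (1) a Tailoring file that
# inherits an SSG profile and switches the McAfee rule off; (2) a tiny custom
# benchmark + OVAL definition that checks for the clamav package instead.
# SSG path, profile id and rule id are ASSUMED; confirm them with `oscap info`.
set -eu

SSG_XCCDF="${SSG_XCCDF:-ssg-rhel6-xccdf.xml}"                          # assumed path
SSG_PROFILE="xccdf_org.ssgproject.content_profile_stig-rhel6-server"   # assumed id
MCAFEE_RULE="xccdf_org.ssgproject.content_rule_install_antivirus"      # assumed id

# Tailoring: inherit every selection of the STIG profile, then deselect one rule.
write_tailoring() { # $1 = output path
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_tailoring_clamav">
  <benchmark href="$SSG_XCCDF"/>
  <version time="2014-01-01T00:00:00">1</version>
  <Profile id="xccdf_org.example_profile_stig_clamav" extends="$SSG_PROFILE">
    <title>STIG profile without the McAfee antivirus rule</title>
    <select idref="$MCAFEE_RULE" selected="false"/>
  </Profile>
</Tailoring>
EOF
}

# Custom benchmark: one profile and one rule whose check points at the OVAL file by href.
write_clamav_benchmark() { # $1 = output path
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_clamav">
  <status date="2014-01-01">draft</status>
  <title>Local antivirus rules</title>
  <version>0.1</version>
  <Profile id="xccdf_org.example_profile_clamav">
    <title>ClamAV as the antivirus product</title>
    <select idref="xccdf_org.example_rule_clamav_installed" selected="true"/>
  </Profile>
  <Rule id="xccdf_org.example_rule_clamav_installed" selected="false" severity="medium">
    <title>ClamAV package is installed</title>
    <description>Replaces the McAfee-based antivirus rule on hosts that run ClamAV.</description>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="clamav-oval.xml" name="oval:org.example:def:1"/>
    </check>
  </Rule>
</Benchmark>
EOF
}

# OVAL: one compliance definition built on an rpminfo_test for the "clamav" package
# (package name assumed; adjust to whatever RPM your ClamAV build ships as).
write_clamav_oval() { # $1 = output path
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <generator>
    <oval:product_name>example</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2014-01-01T00:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:org.example:def:1" version="1" class="compliance">
      <metadata><title>clamav RPM present</title><description>Package check only.</description></metadata>
      <criteria><criterion test_ref="oval:org.example:tst:1" comment="clamav package installed"/></criteria>
    </definition>
  </definitions>
  <tests>
    <lin-def:rpminfo_test id="oval:org.example:tst:1" version="1" check="at least one"
        check_existence="at_least_one_exists" comment="clamav package installed">
      <lin-def:object object_ref="oval:org.example:obj:1"/>
    </lin-def:rpminfo_test>
  </tests>
  <objects>
    <lin-def:rpminfo_object id="oval:org.example:obj:1" version="1">
      <lin-def:name>clamav</lin-def:name>
    </lin-def:rpminfo_object>
  </objects>
</oval_definitions>
EOF
}

# Write the three files into a directory; when oscap is present, validate and scan.
run_example() { # $1 = work directory
  write_tailoring "$1/clamav-tailoring.xml"
  write_clamav_benchmark "$1/clamav-xccdf.xml"
  write_clamav_oval "$1/clamav-oval.xml"
  if command -v oscap >/dev/null 2>&1; then
    oscap xccdf validate "$1/clamav-xccdf.xml"
    oscap oval validate "$1/clamav-oval.xml"
    # eval exits 2 when any selected rule fails; don't let set -e abort on that.
    oscap xccdf eval --profile xccdf_org.example_profile_stig_clamav \
      --tailoring-file "$1/clamav-tailoring.xml" --results "$1/ssg-results.xml" "$SSG_XCCDF" \
      || echo "SSG scan exited $? (2 = at least one rule failed)"
    ( cd "$1" && oscap xccdf eval --profile xccdf_org.example_profile_clamav \
        --results clamav-results.xml clamav-xccdf.xml ) \
      || echo "ClamAV scan exited $? (2 = at least one rule failed)"
  fi
}

run_example "${1:-$(mktemp -d)}"
```

Two things to keep in mind: a Tailoring file can only select or deselect rules that already exist in the benchmark it references, which is why the ClamAV rule lives in a second, separate benchmark rather than being injected into the SSG one; and an rpminfo_test only proves the package is installed, so a rule that is meant to replace "antivirus is installed and running" should also carry a service or process check, which is a second OVAL test wired into the same criteria.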
ASKER CERTIFIED SOLUTION
btan
