Adding new or modifying rules in Security Content Automation Protocol (SCAP) Security Guide (SSG)

Hi Experts,

I am investigating SCAP to automate security checks for Red Hat. I am using SCAP Workbench to perform configuration and vulnerability scans on the systems. The selected security profile does not meet my requirements. I need to either add new rules or modify the existing rules in the profile. I have not been able to figure out how to do that locally.

Please let me know if this is possible.

Thanks,
Asked by Deorali:

btan (Exec Consultant) commented:
You probably can take a look at this, but do note that WB only supports opening XCCDF, Source DataStream, SCAP RPM files or their bzip2 variants:
https://fedorahosted.org/scap-workbench/raw-attachment/wiki/UserManual/user_manual.html#_customize_the_selected_profile_optional

... and there are also other templates compliant with the standard (esp. for audit checks) and from the community:
USGCB for RHEL5 - XCCDF and OVAL, only suitable for RHEL5.
SCE Community Content - Uses SCE, only suitable for Fedora.
https://fedorahosted.org/scap-workbench/raw-attachment/wiki/UserManual/user_manual.html#alternative-contents

But I understand there are limitations or future plans for WB, e.g.:
Future plans
Proper tailoring

Currently, SCAP Workbench doesn’t follow the specification when it comes to XCCDF profile tailoring. It changes profiles directly instead of tailoring them even though the feature is called Tailoring in the tool. The new workbench will work with tailoring files and will correctly inherit the profile to tailor it.
This has been enabled by improvements in openscap that allows profile inheritance and name shadowing.
http://martin.preisler.me/2013/04/scap-workbench-redesign/

Hence, if you find the limited tailoring described in the first linked guide is lacking, then it means really getting hands-on and producing your XCCDF using the OpenSCAP toolkit (or the openscap-utils package specifically), then creating the SCAP content (XCCDF benchmark) based on the OVAL language to execute the scan checks. WB is a sort of GUI OVAL interpreter that can still take XCCDF, and there is also oscap, which is more console-based, to run the XCCDF policies. You can check out this example for the hands-on: https://securityblog.redhat.com/2013/11/13/automated-auditing-the-system-using-scap-2/
Deorali (Author) commented:
There is not much documentation available on how to create your own SCAP content. The profiles/templates available do not fully meet my needs. I need to either add new rules or modify existing rules. If anyone here knows how to do it and has done it before, please, I need your help.

Thanks,
btan (Exec Consultant) commented:
The SCAP Workbench has a customised profile, so if you mean that is not able to meet your needs, then this requires actually changing the XCCDF rule in the XML itself, as in the last link shared in the previous post. You mean even customisation does not fit your use case? It will help if you can share more specifics on the use case.
Deorali (Author) commented:
That's correct btan.

Say, for example, DOD's STIG RHEL6 profile uses McAfee as antivirus software and I use ClamAV. I need to be able to change this rule to use ClamAV. This is just one case, but I have a lot more.
btan (Exec Consultant) commented:
Looks non-trivial. I suggest that you see this workshop PDF, which states the requirements and guidance under the "CONTENT CUSTOMIZATION" section:
Using the template above, create a rule which:
1. Has an XCCDF rule id of “package_scap-security-guide_installed” with a severity of “high”
2. Has a human readable title of "Install SCAP Security Guide"
3. Outlines a method to install SSG. For example, “yum install scap-security-guide”
4. States that “if SCAP Security Guide is not installed” this is a finding
5. Includes the proper package name, scap-security-guide, in the package check macro
6. Includes a rationale on why the SSG project is awesome, and should be installed
7. Corresponds to a (currently non-existent) OVAL rule named “package_scap-security-guide_installed”

Through this workshop we've made several modifications to the SSG source code. Specifically:
1. Creation of a new XCCDF rule, package_scap-security-guide_installed, which was placed into RHEL6/input/system/software/integrity.xml.
2. Creation of a new OVAL rule, package_scap-security-guide_installed.xml, which also involved updating the OVAL template file RHEL6/input/checks/templates/packages_installed.csv.
3. Modification of the STIG profile, located at RHEL6/input/profiles/stig-rhel6-server.xml.
http://blog-shawndwells.rhcloud.com/wp-content/uploads/2013/07/SCAP-Workshop-Coursebook-v2.pdf

SCAP Security Guide "provides practical security hardening advice for Red Hat products, and also links it to compliance requirements in order to ease deployment activities, such as certification and accreditation."
- https://fedorahosted.org/scap-security-guide/
It also shares the online Guide to the Secure Configuration of Red Hat Enterprise Linux 6, which includes the example you stated (under "CCE-27529-7" - http://scap-securityguide.rhcloud.com/RHEL6/output/rhel6-guide.html#item-install_antivirus):
http://scap-securityguide.rhcloud.com/RHEL6/output/rhel6-guide.html

I suggest you instead join their mailing list and seek help from their community of developers. Pardon me, as I am not into depth on such customisation.
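The workshop exercise quoted above (a new XCCDF rule plus the OVAL "package installed" definition it corresponds to) as an added example, not code from the page or the SSG project: it generates both artifacts for any package name and verifies that the rule -> definition -> test -> object references resolve. The XCCDF 1.1 and OVAL 5 namespaces are the public ones; the `test_`/`obj_` id scheme and the `oval.xml` href are assumptions, not SSG's real template output.

```python
# Added example (not the page's or the SSG project's code): build the XCCDF Rule and
# the OVAL "package installed" definition it references, then check the cross-references.
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.1"        # SSG's RHEL6 content used XCCDF 1.1
OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX = OVAL + "#linux"
for p, u in (("xccdf", XCCDF), ("oval", OVAL), ("linux", LINUX)):
    ET.register_namespace(p, u)

def rule_id(pkg):
    return f"package_{pkg}_installed"  # id convention from the workshop exercise

def xccdf_rule(pkg, severity="high", rationale="Required by local policy."):
    """XCCDF Rule whose <check> points at the OVAL definition with the same id."""
    r = ET.Element(f"{{{XCCDF}}}Rule", id=rule_id(pkg), severity=severity)
    ET.SubElement(r, f"{{{XCCDF}}}title").text = f"Install {pkg}"
    ET.SubElement(r, f"{{{XCCDF}}}description").text = f"Run: yum install {pkg}"
    ET.SubElement(r, f"{{{XCCDF}}}rationale").text = rationale
    chk = ET.SubElement(r, f"{{{XCCDF}}}check", system=OVAL)
    ET.SubElement(chk, f"{{{XCCDF}}}check-content-ref", href="oval.xml", name=rule_id(pkg))
    return r

def oval_definition(pkg):
    """definition -> rpminfo_test -> rpminfo_object chain; test/object ids are constructed."""
    did, tid, oid = rule_id(pkg), f"test_{rule_id(pkg)}", f"obj_{rule_id(pkg)}"
    root = ET.Element(f"{{{OVAL}}}oval_definitions")
    d = ET.SubElement(ET.SubElement(root, f"{{{OVAL}}}definitions"), f"{{{OVAL}}}definition",
                      {"class": "compliance", "id": did, "version": "1"})
    meta = ET.SubElement(d, f"{{{OVAL}}}metadata")
    ET.SubElement(meta, f"{{{OVAL}}}title").text = f"Package {pkg} installed"
    ET.SubElement(ET.SubElement(d, f"{{{OVAL}}}criteria"), f"{{{OVAL}}}criterion",
                  comment=f"package {pkg} is installed", test_ref=tid)
    t = ET.SubElement(ET.SubElement(root, f"{{{OVAL}}}tests"), f"{{{LINUX}}}rpminfo_test",
                      {"check": "all", "check_existence": "all_exist", "id": tid, "version": "1"})
    ET.SubElement(t, f"{{{LINUX}}}object", object_ref=oid)
    o = ET.SubElement(ET.SubElement(root, f"{{{OVAL}}}objects"), f"{{{LINUX}}}rpminfo_object",
                      id=oid, version="1")
    ET.SubElement(o, f"{{{LINUX}}}name").text = pkg
    return root

def cross_refs_ok(rule, oval):
    """True only if rule -> definition -> test -> object references all resolve."""
    ref = rule.find(f".//{{{XCCDF}}}check-content-ref").get("name")
    d = oval.find(f".//{{{OVAL}}}definition[@id='{ref}']")
    tid = d.find(f".//{{{OVAL}}}criterion").get("test_ref") if d is not None else None
    t = oval.find(f".//{{{LINUX}}}rpminfo_test[@id='{tid}']")
    oid = t.find(f"{{{LINUX}}}object").get("object_ref") if t is not None else None
    return oval.find(f".//{{{LINUX}}}rpminfo_object[@id='{oid}']") is not None
```

Serialise either tree with `ET.tostring(elem, encoding="unicode")` to get the XML to paste into the SSG input files; the same generator covers the ClamAV case from the thread by calling it with `"clamav"`.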