Encryption and Security

Travis Michette

Version 1.3
Table of Contents
1. System Security Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1  

1.1. Protecting System Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1  

1.2. Protecting System Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1  

2. Data Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
 

2.1. Using LUKS to Encrypt Disks on Linux Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3  

2.1.1. Creating an Encrypted Disk with LUKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5  

2.2. Using Clevis and Tang to have Network Bound Disk Encryption (NBDE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9  

2.2.1. Setting up a Tang Sever . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11  

2.2.2. Setting up Clevis Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12  

2.3. Using LUKS, Clevis, and Tang to have NBDE (Putting it all Together) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14  

3. System Security Policy and Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17  

3.1. Customizing SCAP Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17  

3.2. Running a SCAP Scan with Custom Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28  

3.3. Creating an Ansible Remediation Playbook Based on SCAP Scan Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35  

Chapter 1. System Security Fundamentals

1. System Security Fundamentals

There are multiple steps to system security. At the most basic levels, the following items need to be protected:

• Access to the System

• Access to the Data

The above items are the starting points for system security. This guide will focus mainly on data security and providing some
hands-on labs which will demonstrate encrypting and decrypting of disks using LUKS. The guide will also provide a recap and
overview of system security with OpenSCAP and have a hands-on lab for generating Ansible remediation playbooks based on
SCAP compliance scans.

1.1. Protecting System Integrity

Protecting system integrity includes protecting the following:

• Access to the system (physical)

◦ Locked room

◦ On person

◦ Network (network-based firewalls)

◦ etc.

• Access to the system (logical)

◦ Password

◦ Network (host-based firewalls)

◦ Encryption

◦ etc.

• Valid Operating System and Configurations

◦ Installed from trusted source

◦ Updated and patched

◦ Configured with recommended lockdown settings

Most of the system integrity and security concepts will not be discussed as part of this demonstration. We will mainly be focusing
on the data security portion of encryption and a brief review of OpenSCAP as well as showing a hands-on demo of extending the
SCAP presentation from a previous MeetUp.

1.2. Protecting System Data

One of the most valuable portions of a system is the actual data it contains. There are many things that can be done to protect
both the system and the data. In addition to a solid backup procedure, there should be steps taken for protecting data should
someone get unauthorized access to a computer. Most newer computer systems allow for encrypting. Windows has Bitlocker,
MacOS allows for filesystem security, and Linux provides LUKS for disk encryption. There are also several other multi-platform,

1 Encryption and Security Version: 1.3

 Section 1.2. Protecting System Data

third-party utilities for disk and file encryption. An older open-source encryption utility, TrueCrypt has been forked and is now
released under several names, one of which is VeraCrypt.

 VeraCrypt can be obtained from: https://www.veracrypt.fr/en/Home.html

With the portability of thumb drives, laptops, and other devices, it is critical to have personal and private information protected
should the device become comprimised, stolen, or lost.

Version: 1.3 Encryption and Security 2

Chapter 2. Data Encryption

2. Data Encryption

2.1. Using LUKS to Encrypt Disks on Linux Systems

LUKS uses dmcrypt in Linux as part of the kernel to interact with block storage devices and allow encryption. The
application/utility that will be used as part of the hands-on exercise is cryptsetup. The diagram in Figure 1 shows the basic
layers involved with LUKS. Fortunately, Linux has all the pieces needed to complete end-to-end encryption of block devices using
LUKS.

Figure 1. LUKS Layers and Interface Components

In the first portion of the encryption lab, we will be creating a partition and utilizing cryptsetup to prepare our disk partition to be
encryped with LUKS.

The next diagram gives shows what is contained in the LUKS header on an encrypted volume/disk. It is important to note that in
addition to the header, there are key slots which allow for multiple encryption/decryption keys to be stored.

3 Encryption and Security Version: 1.3

 Section 2.1. Using LUKS to Encrypt Disks on Linux Systems

Figure 2. LUKS Partition Header

After the creation of the LUKS volume, we will use the cryptsetup command to dump the LUKS information for the encrypted
volume to the screen.

It is a good practice to have a backup of LUKS header information in the event a volume gets damaged or

 something happens to the original header. Without LUKS header backup and metadata, if something goes
wrong, the data becomes lost.

The diagram below shows a typical LUKS encryption setup in which the password and parameters can be provided all as part of
the /etc/crypttab file or have human intervention in which the end-user is prompted for a password.

Version: 1.3 Encryption and Security 4

Chapter 2. Data Encryption

Figure 3. Traditional LUKS Password-Based Decryption Framework

For laptops or personal devices, it makes sense to prompt end-users for passwords as the device is typically easily accessible
and there are typically few devices in use. For servers, the use of LUKS prompting for passwords can present challenges as
typically servers reside in DataCenters with no keyboard/monitor. Security professionals generally frown on keeping the
decryption key on the local drive which can be accessed by anyone, but allows for the system to be booted without prompting for
a decryption password. Because of these scenarios, Network Bound Disk Encryption (NBDE) is often used as a solution for
servers in a DataCenter environment.

2.1.1. Creating an Encrypted Disk with LUKS

The first portion of the lab will be to create the encrypted volume. For the sake of time, the virtual HDDs have been already
applied to the systems and these will be used as part of the partition creation process and LUKS creation process.

Servers to Use

• servera

Step 1 - Looking at Disks and Partitions

5 Encryption and Security Version: 1.3

 Section 2.1. Using LUKS to Encrypt Disks on Linux Systems

Example 1. Use parted to find partition details

Listing 1. parted to list disks

[root@servera ~]# parted -l

Model: Virtio Block Device (virtblk)
Disk /dev/vda: 10.7GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags

 1 1049kB 10.7GB 10.7GB primary xfs boot

Error: /dev/vdb: unrecognised disk label

Model: Virtio Block Device (virtblk)
Disk /dev/vdb: 1074MB
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:

[root@servera ~]#

Step 2 - Creating a Disk Partition

Example 2. Use parted to Create a Partition

Listing 2. Create Partition

# parted /dev/vdb \
 mklabel msdos \
 mkpart primary xfs 1M 1G

Listing 3. Verify Partition

# parted /dev/vdb print

Model: Virtio Block Device (virtblk)
Disk /dev/vdb: 1074MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags

 1 1049kB 1074MB 1073MB primary

Step 3 - Preparing a Disk Partition for LUKS

Version: 1.3 Encryption and Security 6

Chapter 2. Data Encryption

Example 3. Use cryptsetup to Prepare Partition with LUKS

Listing 4. LUKS Formatting

# cryptsetup luksFormat /dev/vdb1

WARNING!
========
This will overwrite data on /dev/vdb1 irrevocably.

Are you sure? (Type uppercase yes): YES

Enter passphrase: meetup2018
Verify passphrase: meetup2018

Step 4 - Opening an Encrypted LUKS Partition

Example 4. Use cryptsetup to Open a LUKS Partition

Listing 5. LUKS Opening

# cryptsetup luksOpen /dev/vdb1 Encrypted_Disk

Enter passphrase for /dev/vdb1: meetup2018

Step 5 - Creating a Filesystem on an Un-Encrypted (Open) LUKS Partition

Example 5. Creating a Filesystem

Listing 6. Creating XFS Filesystem on LUKS Partition

# mkfs.xfs /dev/mapper/Encrypted_Disk
meta-data=/dev/mapper/Encrypted_Disk isize=512 agcount=4, agsize=65344 blks
  = sectsz=512 attr=2, projid32bit=1
  = crc=1 finobt=0, sparse=0
data = bsize=4096 blocks=261376, imaxpct=25
  = sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=1
log =internal log bsize=4096 blocks=855, version=2
  = sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0

Step 6 - Creating a Mount Point

Example 6. Creating a Mountpoint

Listing 7. Creating a Filesystem Mount Point

# mkdir /EncryptedDrive

7 Encryption and Security Version: 1.3

 Section 2.1. Using LUKS to Encrypt Disks on Linux Systems

Step 7 - Mounting the Partition

Example 7. Mounting Filesystem and Creating a Test File

Listing 8. Creating a Filesystem Mount Point

# mount /dev/mapper/Encrypted_Disk /EncryptedDrive

Listing 9. Creating a Test File

# echo "This is a test on encrypted filesystem" > /EncryptedDrive/TestFile.txt

Listing 10. Verifying Test File Contents

# cat /EncryptedDrive/TestFile.txt
This is a test on encrypted filesystem

Step 8 - Unmounting LUKS Partition

Example 8. Unmount the Filesystem

Listing 11. Unmounting the Filesystem

# umount /EncryptedDrive

Step 9 - Encrypting (Close) the LUKS Partition

Example 9. Closing the LUKS Device

Listing 12. cryptsetup to Close Partition

# cryptsetup luksClose Encrypted_Disk

Version: 1.3 Encryption and Security 8

Chapter 2. Data Encryption

Obtaining LUKS Information

# cryptsetup luksDump /dev/vdb1

LUKS header information for /dev/vdb1

Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 256
MK digest: 5d f5 d6 77 40 25 6e d8 b8 d7 b8 34 9a d7 37 48 c4 4f a0 41
MK salt: 7e ac e3 68 3c 52 12 f5 ca cd 3d ef 42 96 cd 7e
  61 52 17 c0 2e 4a ba 46 5d 4d ed c7 0a 1e 1e 72

 MK iterations:
UUID:
75250
21e34e9f-0142-44ad-a628-b9934d8c2225

Key Slot 0: ENABLED

  Iterations: 598830
  Salt: ba 06 6b 66 d9 28 33 75 65 33 08 61 91 bc f4 a1
  05 30 20 44 0c d1 2c d0 53 79 a7 24 cf 98 5d cf
  Key material offset: 8
  AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Backup of LUKS Header

It is a good idea to backup LUKS in the event the encrypted volume would need to be repaired.

Listing 13. Backup of LUKS Header

# cryptsetup luksHeaderBackup /path/to/encrypted/device --header-backup-file

/path/to/backup/file

 Listing 14. Testing a Backup of LUKS Header

# cryptsetup luksOpen /path/to/encrypted/device --header /path/to/backup/file

Listing 15. Restoring a LUKS Header Backup

# cryptsetup luksHeaderRestore path/to/encrypted/device --header-backupfile

/path/to/backup/file

2.2. Using Clevis and Tang to have Network Bound Disk Encryption (NBDE)

Clevis and Tang are two complimentary services that are provided to allow Network Bound Disk Encryption (NBDE). Clevis is
considered the client while Tang is considered the server.

9 Encryption and Security Version: 1.3

 Section 2.2. Using Clevis and Tang to have Network Bound Disk Encryption (NBDE)

Terms

Clevis: Clevis is a plugable framework for automated decryption. It can be used to provide automated decryption of data or even
automated unlocking of LUKS volumes.

Tang: Server side service that Clevis connects to in order to receive a decryption key and allow the NBDE service connection.

 A really good reference from Red Hat is available here: https://rhelblog.redhat.com/2018/04/13/an-easier-

way-to-manage-disk-decryption-at-boot-with-red-hat-enterprise-linux-7-5-using-nbde/#more-4351

The diagram below depicts the Clevis and Tang framework on a high-level. As seen the cryptographic interface used between the
two applications is the JOSE Crypto Library.

Figure 4. NBDE Decryption Framework

As part of the second portion of disk encryption labs, we will be setting up three (3) Tang servers and configuring the Clevis client
to decrypt the volume created in the first portion of the encryption lab. We will be using Shamir’s Secret Sharing (SSS) with Clevis
to have a threshold of two (2) across the three (3) Tang servers.

 The threshold is how many Tang servers must supply the LUKS key before the disk can be decrypted.

Version: 1.3 Encryption and Security 10

Chapter 2. Data Encryption

2.2.1. Setting up a Tang Sever

The Tang packages and services must be setup and configured. As part of the demonstration and hands-on lab, you will be
installing the Tang packages and configuring servers for the service along with the Linux firewall service. In the hands-on lab
below, you will be configuring three (3) Tang servers so that Clevis can be setup to require responses from any two (2) Tang
servers.

Servers to Configure

• serverb

• serverc

• serverd

Packages to Install

• tang

Step 1 - Install Tang Packages on Each Server

Example 10. Install Tang on the Keyservers

# yum install tang

Step 2 - Configure Tang Service on Each Server

Example 11. Configure the Tang Service

systemctl enable tangd.socket --now

Step 3 - Configure Tang Firewall Ports on Each Server

Example 12. Configure Firewalld on the Tang Servers

# firewall-cmd --zone=public --add-port=80/tcp \

--permanent

# firewall-cmd --reload

 Before proceeding, please repeat steps 1-3 on the remaining servers (serverc and serverd).

11 Encryption and Security Version: 1.3

 Section 2.2. Using Clevis and Tang to have Network Bound Disk Encryption (NBDE)

2.2.2. Setting up Clevis Client

The Clevis client packages must be installed and setup on the server containing the encrypted LUKS device. This service allows
the server to connect to the Tang server for obtaining the network-based decryption keys.

Servers to Configure

• servera

Packages to Install

• clevis

• clevis-luks

• clevis-dracut

Step 1 - Install the Packages

Example 13. Install Clevis packages on the Server

# yum install clevis clevis-luks clevis-dracut

Step 2 - Create the SSS Config for LUKS Binding

For this step, we are wanting to use a TANG configuration of 3 servers noting that at least two (2) of the TANG servers need to
be contacted. You could just as easily have a threshold of 1 or 3.

The Clevis client

Use the # man clevis to see the usage and syntax information for Clevis.

Listing 16. Excerpts from man page

For example, let's create a high-availability setup using Tang:

   cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}'

... output omitted ...

Clevis can be used to bind an existing LUKS volume to its automation policy. This is accomplished with a simple
command:

  $ clevis luks bind -d /dev/sda tang '{"url":...}'

Other Clevis Client References

 # man clevis-encrypt-sss

# man clevis-luks-bind

Version: 1.3 Encryption and Security 12

Chapter 2. Data Encryption

The threshold specifies how many TANG servers must provide a key to decrypt a given LUKS volume. If

 one (1) is specified as the threshold value, then as long as a single TANG server can be reached and
provides a valid key, the volume can be decrypted.

Example 14. Associate the LUKS partition and Configure Clevis to use Tang Servers

Listing 17. Configuring SSS Encryption

# cfg=$'{"t":2,"pins":{"tang":[\
{"url":"http://serverb.lab.example.com"},\
{"url":"http://serverc.lab.example.com"},\
{"url":"http://serverd.lab.example.com"}]}}'

Step 3 - Use the SSS Config for Clevis LUKS Binding

Example 15. Clevis to Bind a LUKS Volume

Listing 18. Binding to LUKS with SSS Encryption to Tang Servers

[root@servera ~]# clevis luks bind -d /dev/vdb1 sss "$cfg"

The advertisement contains the following signing keys:

9B65OW9ly08QrYjGZ5CgMv2H7XM

Do you wish to trust these keys? [ynYN] y

The advertisement contains the following signing keys:

-IGeEyKKphOqu3-1DPtP7CN_ESw

Do you wish to trust these keys? [ynYN] y

The advertisement contains the following signing keys:

LDGB1B4_Va1skLi7npgv-uQPryg

Do you wish to trust these keys? [ynYN] y

You are about to initialize a LUKS device for metadata storage.
Attempting to initialize it may result in data loss if data was
already written into the LUKS header gap in a different format.
A backup is advised before initialization is performed.

Do you wish to initialize /dev/vdb1? [yn] y

Enter existing LUKS password:

[root@servera ~]#

Step 4 - Enable Clevis Client Services

13 Encryption and Security Version: 1.3

 Section 2.3. Using LUKS, Clevis, and Tang to have NBDE (Putting it all Together)

Example 16. Enabling Clevis Services

Listing 19. Enabling Clevis Service

[root@servera ~]# systemctl enable clevis-luks-askpass.path

Created symlink from /etc/systemd/system/remote-fs.target.wants/clevis-luks-askpass.path to /usr/lib/systemd/system/clevis-luks-
askpass.path.
[root@servera ~]#

Verifying TANG Keys Added to LUKS

It is possible to verify that new keys have been added to the keyslots in LUKS for the Clevis/Tang setup by
using crypsetup luksDump <volume>.

Listing 20. Verifying New Key Exists

[root@servera ~]# cryptsetup luksDump /dev/vdb1

LUKS header information for /dev/vdb1

Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
Payload offset: 4096
MK bits: 256
MK digest: 12 5b 60 00 1a 90 d6 69 10 75 4d df a5 e8 f9 85 bd 22 72 1a
MK salt: 1e fd 23 69 3f a3 6d 45 82 ba 93 bc 37 dd db 33
  a3 93 63 43 29 49 60 a7 ab 10 8c fd 29 a3 4b f2


MK iterations: 73500
UUID: c2ef1b5a-7c1d-4a22-be9d-4728fe9a9975

Key Slot 0: ENABLED

  Iterations: 618357
  Salt: 62 cb 43 7c 59 20 2f 9e 62 7f e9 a7 e7 9f ff 3c
  38 b9 92 35 b6 2e 88 74 84 6c a8 2b ec f7 28 b5
  Key material offset: 8
  AF stripes: 4000
Key Slot 1: ENABLED
  Iterations: 593277
  Salt: c0 6c 8b 70 85 c5 2e 4d c6 12 c6 cc e9 a1 46 5a
  39 43 94 fb 9c c1 cf b5 d1 f6 4d ec 67 1d ad 40
  Key material offset: 264
  AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
[root@servera ~]#

2.3. Using LUKS, Clevis, and Tang to have NBDE (Putting it all Together)

Once all the preliminary setup is done, you can setup the /etc/crypttab on the client machine as well as the /etc/fstab file to
mount the filesystem upon boot using the Clevis client and the Tang server. This is the main purpose of setting up NBDE as it
prevents the system from prompting for a password providing that the proper network requirements are met.

Version: 1.3 Encryption and Security 14

Chapter 2. Data Encryption

Servers to Configure

• servera

Step 1 - Create the Crypttab File

 The /etc/crypttab file describes encrypted block devices that are set up during system boot.

Example 17. Creating /etc/crypttab

Listing 21. Creating a Crypttab for LUKS Volumes

# vi /etc/crypttab
Encrypted_Disk /dev/vdb1 none _netdev

Step 2 - Modify the fstab File

Example 18. Modifying /etc/fstab

Listing 22. Modifying fstab for LUKS Volumes

# vi /etc/fstab
...output omitted...

/dev/mapper/Encrypted_Disk /EncryptedDrive xfs _netdev 1 2

Step 3 - Reboot the System

Example 19. Rebooting the System

Listing 23. Rebooting

# reboot

Step 4 - Verify Server Rebooted and Drive is Mapped with Data

15 Encryption and Security Version: 1.3

 Section 2.3. Using LUKS, Clevis, and Tang to have NBDE (Putting it all Together)

Example 20. System Verification

Listing 24. Verifying System

# ssh root@servera
System is booting up. See pam_nologin(8)
Last login: Thu Sep 6 19:40:06 2018 from 172.25.250.250

[root@servera ~]# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/vda1 10474476 1744372 8730104 17% /
devtmpfs 486060 0 486060 0% /dev
tmpfs 507768 0 507768 0% /dev/shm
tmpfs 507768 13188 494580 3% /run
tmpfs 507768 0 507768 0% /sys/fs/cgroup
/dev/mapper/Encrypted_Disk 1042084 32948 1009136 4% /EncryptedDrive
tmpfs 101556 0 101556 0% /run/user/0

[root@servera ~]# cat /EncryptedDrive/TestFile.txt

This is a test on encrypted filesystem
[root@servera ~]#

Version: 1.3 Encryption and Security 16

Chapter 3. System Security Policy and Compliance

3. System Security Policy and Compliance

System security and compliance is a primary concern for people when thinking about the protection of systems and integrity of
data. This set of hands-on procedures will focus on obtaining the content and necessary packages to perform a basic scan and
remediate the system based on scan results. As part of the lab, you will be customizing your own SCAP content for a scan, view
the results, and generate an Ansible playbook based on the failed results.

3.1. Customizing SCAP Content

Red Hat includes the SCAP Workbench application as a GUI application which allows scanning, customizing, and saving SCAP
scans and results. The SCAP Workbench can be used to perform scans of remote systems over an SSH connection or it can be
utilized to scan the local system. Since the SCAP Workbench is a GUI application, it must run on a system with X-Windows
installed.

Servers to Configure

• workstation

Packages to Install

• scap-workbench

 Since we are using an application on a VM that requires a GUI, we can use X11 forwarding with the SSH
connection by specifying a -X on the command line.

Step 1 - SSH to Workstation

The fist step is to connect to the workstation and forward X11 traffic back to the local system.

Example 21. Connecting to the Workstation VM

Listing 25. Connecting to Workstation Using SSH

# ssh root@workstation -X

Step 2 - Install Packages

After connecting to the Workstation VM, you will need to install the SCAP Workbench and its dependencies.

17 Encryption and Security Version: 1.3

 Section 3.1. Customizing SCAP Content

Example 22. Installing SCAP Workbench

Listing 26. Using Yum to Install SCAP Workbench

# yum install scap-workbench

Loaded plugins: langpacks, search-disabled-repos

Resolving Dependencies
--> Running transaction check
---> Package scap-workbench.x86_64 0:1.1.6-1.el7 will be installed
--> Processing Dependency: openscap-utils >= 1.2.0 for package: scap-workbench-1.1.6-1.el7.x86_64
--> Processing Dependency: scap-security-guide for package: scap-workbench-1.1.6-1.el7.x86_64
--> Running transaction check
---> Package openscap-utils.x86_64 0:1.2.16-8.el7_5 will be installed
--> Processing Dependency: openscap-containers = 1.2.16-8.el7_5 for package: openscap-utils-1.2.16-8.el7_5.x86_64
---> Package scap-security-guide.noarch 0:0.1.36-9.el7_5 will be installed
--> Processing Dependency: openscap-scanner >= 1.2.5 for package: scap-security-guide-0.1.36-9.el7_5.noarch
--> Running transaction check
---> Package openscap-containers.noarch 0:1.2.16-8.el7_5 will be installed
---> Package openscap-scanner.x86_64 0:1.2.16-8.el7_5 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 scap-workbench x86_64 1.1.6-1.el7 rhel--server-dvd 1.8 M
Installing for dependencies:
 openscap-containers noarch 1.2.16-8.el7_5 rhel_updates 27 k
 openscap-scanner x86_64 1.2.16-8.el7_5 rhel_updates 61 k
 openscap-utils x86_64 1.2.16-8.el7_5 rhel_updates 27 k
 scap-security-guide noarch 0.1.36-9.el7_5 rhel_updates 2.6 M

Transaction Summary
================================================================================
Install 1 Package (+4 Dependent packages)

Total download size: 4.5 M

Installed size: 64 M
Is this ok [y/d/N]:

Some things might already be installed for you, if SCAP Workbench is already installed, please move

 on to the next step. Also note the dependencies for SCAP Workbench as they are automatically
installed.

Step 3 - Launching SCAP Workbench

In order to run a scan or customize SCAP content, you will need to launch the SCAP Workbench application.

 You must use SCAP Workbench from a GUI, so it will need to run either locally or through an SSH
connection with X11 forwarded.

Version: 1.3 Encryption and Security 18

Chapter 3. System Security Policy and Compliance

Example 23. Launching SCAP Workbench

Listing 27. Using SCAP Workbench

# scap-workbench

Figure 5. SCAP Workbench Startup

Step 4 - Creating Custom Content

19 Encryption and Security Version: 1.3

 Section 3.1. Customizing SCAP Content

Once SCAP Workbench has been launched, select the content to load. For this lab, we will be using the RHEL7 content.

Example 24. Creating Custom Content

1. For Select content to load: select "RHEL7", then click "Load Content"

2. Select the Profile you want to use to start customization

 For this example, we will use the USGCB/STIG Baseline

Figure 6. SCAP Workbench USGCB/STIG Profile

Version: 1.3 Encryption and Security 20

Chapter 3. System Security Policy and Compliance

3. Click "Customize" to create custom SCAP content based on the chosen profile, and give it a name.

Figure 7. SCAP Custom STIG Profile Creation

 The name for this is: xccdf_org.ssgproject.content_profile_rhel7__stig_customized

4. Click "Deselect All" so that you can select the items you wish to include in your custom scan profile. NOTE: we are
doing this to also limit it to a few checks for the example.

21 Encryption and Security Version: 1.3

 Section 3.1. Customizing SCAP Content

Figure 8. SCAP Custom Profile Selections

 For this lab, we will be setting the minimum password length and PAM Password quality settings

5. Search for Password to set minimum password length and set the values in login.defs. Check Set Password
Minimum Length in login.defs and click on the minimum password legnth and set the value to 18

Version: 1.3 Encryption and Security 22

Chapter 3. System Security Policy and Compliance

Figure 9. SCAP Custom Profile Password Settings for Login.Defs

6. Set password quality reqirements with PAM. Search for the minlen and set it to 18. Also, place a checkbox in Set
Password Quality Requirements with pam_quality. Then click "OK"

23 Encryption and Security Version: 1.3

 Section 3.1. Customizing SCAP Content

Figure 10. SCAP Custom Profile PAM Quality Requirements

7. At this point, we have taken the default settings from the STIG profile with only the tailored pieces that we selected.
The next step is to click "File ⇒ Save Customization Only" to save the custom content

Version: 1.3 Encryption and Security 24

Chapter 3. System Security Policy and Compliance

Figure 11. SCAP Custom Profile Selected Settings View

25 Encryption and Security Version: 1.3

 Section 3.1. Customizing SCAP Content

Figure 12. SCAP Custom Profile Creation Saving

Version: 1.3 Encryption and Security 26

Chapter 3. System Security Policy and Compliance

Figure 13. SCAP Custom Profile Final View

8. Copy the custom tailoring file to the server(s) being scanned. In this case, we will want to copy the file to serverc

Listing 28. Copy custom content

[root@workstation ~]# scp ssg-rhel7-ds-tailoring.xml root@serverc:

Warning: Permanently added 'serverc,172.25.250.12' (ECDSA) to the list of known hosts.
ssg-rhel7-ds-tailoring.xml 100% 51KB 14.9MB/s 00:00
[root@workstation ~]#

27 Encryption and Security Version: 1.3

 Section 3.2. Running a SCAP Scan with Custom Content

3.2. Running a SCAP Scan with Custom Content

Servers to Configure

• serverc

Packages to Install

• openscap-scanner

• scap-security-guide

Step 1 - SSH to serverc

The fist step is to connect to the server.

Example 25. Connecting to the serverc VM

Listing 29. Connecting to serverc Using SSH

# ssh root@serverc

Step 2 - Install packages on serverc

The second step is to install software on the server.

Version: 1.3 Encryption and Security 28

Chapter 3. System Security Policy and Compliance

Example 26. Install software on serverc

Listing 30. Installing Software on serverc

# yum install scap-security-guide

Loaded plugins: langpacks, search-disabled-repos
rhel--server-dvd | 4.3 kB 00:00
(1/2): rhel--server-dvd/group_gz | 145 kB 00:00
(2/2): rhel--server-dvd/primary_db | 4.1 MB 00:00
Resolving Dependencies
--> Running transaction check
---> Package scap-security-guide.noarch 0:0.1.36-7.el7 will be installed
--> Processing Dependency: openscap-scanner >= 1.2.5 for package: scap-security-guide-0.1.36-7.el7.noarch
--> Processing Dependency: xml-common for package: scap-security-guide-0.1.36-7.el7.noarch
--> Running transaction check
---> Package openscap-scanner.x86_64 0:1.2.16-6.el7 will be installed
--> Processing Dependency: openscap(x86-64) = 1.2.16-6.el7 for package: openscap-scanner-1.2.16-6.el7.x86_64
--> Processing Dependency: libopenscap.so.8()(64bit) for package: openscap-scanner-1.2.16-6.el7.x86_64
---> Package xml-common.noarch 0:0.6.3-39.el7 will be installed
--> Running transaction check
---> Package openscap.x86_64 0:1.2.16-6.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package Arch Version Repository Size
================================================================================
Installing:
 scap-security-guide noarch 0.1.36-7.el7 rhel--server-dvd 2.6 M
Installing for dependencies:
 openscap x86_64 1.2.16-6.el7 rhel--server-dvd 3.8 M
 openscap-scanner x86_64 1.2.16-6.el7 rhel--server-dvd 61 k
 xml-common noarch 0.6.3-39.el7 rhel--server-dvd 26 k

Transaction Summary
================================================================================
Install 1 Package (+3 Dependent packages)

Total download size: 6.5 M

Installed size: 122 M
Is this ok [y/d/N]: y

... output omitted ...

Installed:
  scap-security-guide.noarch 0:0.1.36-7.el7

Dependency Installed:
  openscap.x86_64 0:1.2.16-6.el7 openscap-scanner.x86_64 0:1.2.16-6.el7
  xml-common.noarch 0:0.6.3-39.el7

Learning about SCAP Commands

The SSG man page is a very good source of information for usage of the oscap tool as well as provides
examples of how to use the SCAP SSG Guide profiles itself.

29 Encryption and Security Version: 1.3

 Section 3.2. Running a SCAP Scan with Custom Content

Listing 31. Looking at SCAP Security Guide (SSG) Man Page

# man scap-security-guide

scap-security-guide(8) System Manager's Manual scap-security-guide(8)

NAME
  SCAP Security Guide - Delivers security guidance, baselines, and asso‐
  ciated validation mechanisms utilizing the Security Content Automation
  Protocol (SCAP).

... output omitted ...

EXAMPLES
  To scan your system utilizing the OpenSCAP utility against the ospp-
  rhel7 profile:

  oscap xccdf eval --profile ospp-rhel7 --results /tmp/`hostname`-ssg-

  results.xml --report /tmp/`hostname`-ssg-results.html --oval-results
  /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Listing 32. Looking at oscap Man Page

# man oscap

OSCAP(8) System Administration Utilities OSCAP(8)

NAME
  oscap - OpenSCAP command line tool

SYNOPSIS
  oscap [general-options] module operation [operation-options-and-argu‐
  ments]

DESCRIPTION
  oscap is Security Content Automation Protocol (SCAP) toolkit based on
  OpenSCAP library. It provides various functions for different SCAP
  specifications (modules).

  OpenSCAP tool claims to provide capabilities of Authenticated Configu‐

  ration Scanner and Authenticated Vulnerability Scanner as defined by
  The National Institute of Standards and Technology.

... output omitted ...

EXAMPLES
  Evaluate XCCDF content using CPE dictionary and produce html report. In
  this case we use United States Government Configuration Baseline
  (USGCB) for Red Hat Enterprise Linux 5 Desktop.

  oscap xccdf eval --fetch-remote-resources --oval-results \

  --profile united_states_government_configuration_baseline
 \
  --report usgcb-rhel5desktop.report.html \
  --results usgcb-rhel5desktop-xccdf.xml.result.xml \
  --cpe usgcb-rhel5desktop-cpe-dictionary.xml \
  usgcb-rhel5desktop-xccdf.xml

Step 3 - Running oscap scan

Version: 1.3 Encryption and Security 30

Chapter 3. System Security Policy and Compliance

We will run the oscap utility to generate a report and a results file that can be sent back to the workstation system so that we
can create an Ansible playbook for remediation and view the results of the report.

 Be very careful about the name of the profile as this was selected during the creation of the custom
profile/tailoring file portion when doing SCAP Workbench customizations.

Example 27. Scanning serverc

Listing 33. Using oscap and the tailoring profile to scan serverc

# [root@serverc ~]# oscap xccdf eval \

--profile xccdf_org.ssgproject.content_profile_rhel7__stig_customized \
--tailoring-file ssg-rhel7-ds-tailoring.xml \
--results custom_scan_results.xml \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.

WARNING: Skipping https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content

Title Set Password Minimum Length in login.defs

Rule xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
Ident CCE-27123-9
Result fail

Title Set Password Retry Prompts Permitted Per-Session

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
Ident CCE-27160-1
Result pass

Title Set Password Maximum Consecutive Repeating Characters

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
Ident CCE-27333-4
Result fail

Title Set Password to Maximum of Consecutive Repeating Characters from Same Character Class
Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
Ident CCE-27512-3
Result fail

Title Set Password Strength Minimum Digit Characters

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
Ident CCE-27214-6
Result fail

Title Set Password Minimum Length

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
Ident CCE-27293-0
Result fail

Title Set Password Strength Minimum Uppercase Characters

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
Ident CCE-27200-5
Result fail

Title Set Password Strength Minimum Special Characters

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
Ident CCE-27360-7
Result fail

Title Set Password Strength Minimum Lowercase Characters

31 Encryption and Security Version: 1.3

 Section 3.2. Running a SCAP Scan with Custom Content

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
Ident CCE-27345-8
Result fail

Title Set Password Strength Minimum Different Characters

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
Ident CCE-26631-2
Result fail

Title Set Password Strength Minimum Different Categories

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
Ident CCE-27115-5
Result fail

[root@serverc ~]#

Getting Custom Profile Name from Tailoring File

If you need to locate the profile used for the custom scanning content from the tailoring file, you can
search for it with grep.

[root@serverc ~]# grep "Profile id" ssg-rhel7-ds-tailoring.xml
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_rhel7__stig_customized" extends
="xccdf_org.ssgproject.content_profile_ospp-rhel7">

Step 4 - Creating a Results Report

You can create a results report file from the results file so you have a nice HTML file that is easy to ready with the results from the
SCAP scan.

Example 28. Creating a SCAP Report from a Results File

Listing 34. Generating a Report

[root@serverc ~]# oscap xccdf generate report \

custom_scan_results.xml > Custom_Scan_Report.html

Combining Steps 3 & 4

It is possible to perform a custom content scan which will generate the results file and the report for transfer
back to the workstation for review.

Need to Specify

• --results

• --report

Listing 35. Creating a Results File and Report During Custom Content Scan

[root@serverc ~]# oscap xccdf eval \

Version: 1.3 Encryption and Security 32

Chapter 3. System Security Policy and Compliance

--profile xccdf_org.ssgproject.content_profile_rhel7__stig_customized \
--tailoring-file ssg-rhel7-ds-tailoring.xml \
--results custom_scan_results_2.xml \
--report Custom_Scan_Report_2.html \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

WARNING: This content points out to the remote resources. Use `--fetch-remote-resources' option to download them.

WARNING: Skipping https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from

XCCDF content

Title Set Password Minimum Length in login.defs

Rule xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
Ident CCE-27123-9
Result fail

Title Set Password Retry Prompts Permitted Per-Session

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
Ident CCE-27160-1
Result pass

Title Set Password Maximum Consecutive Repeating Characters

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
Ident CCE-27333-4
Result fail

Title Set Password to Maximum of Consecutive Repeating Characters from Same Character Class
Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
Ident CCE-27512-3
Result fail

Title Set Password Strength Minimum Digit Characters

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
Ident CCE-27214-6
Result fail

Title Set Password Minimum Length

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
Ident CCE-27293-0
Result fail

Title Set Password Strength Minimum Uppercase Characters

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
Ident CCE-27200-5
Result fail

Title Set Password Strength Minimum Special Characters

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
Ident CCE-27360-7
Result fail

Title Set Password Strength Minimum Lowercase Characters

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
Ident CCE-27345-8
Result fail

Title Set Password Strength Minimum Different Characters

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
Ident CCE-26631-2
Result fail

Title Set Password Strength Minimum Different Categories

Rule xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
Ident CCE-27115-5
Result fail

33 Encryption and Security Version: 1.3

 Section 3.2. Running a SCAP Scan with Custom Content

[root@serverc ~]#

Step 5 - Transferring Results File and Report to Workstation

After you have the results files and the report, you should transfer it to your graphical workstation (workstation) for further
analysis.

Example 29. Transferring Results

Listing 36. Transferring the Results and Report Files

[root@serverc ~]# scp *.xml *.html root@workstation:

The authenticity of host 'workstation (172.25.250.254)' can't be established.
ECDSA key fingerprint is SHA256:GCpIQxItJSWgZDzlmpnZINbwsjf9axrs+o6170OyOuk.
ECDSA key fingerprint is MD5:2b:98:e1:85:8b:c7:ea:31:72:08:4d:39:15:ec:5d:da.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'workstation,172.25.250.254' (ECDSA) to the list of known hosts.
root@workstation's password:
custom_scan_results_2.xml 100% 4307KB 62.5MB/s 00:00
custom_scan_results.xml 100% 4307KB 56.7MB/s 00:00
ssg-rhel7-ds-tailoring.xml 100% 51KB 23.6MB/s 00:00
Custom2_Report.html 100% 0 0.0KB/s 00:00
Custom_Scan_Report_2.html 100% 331KB 29.1MB/s 00:00
Custom_Scan_Report.html 100% 331KB 35.8MB/s 00:00
[root@serverc ~]#

Step 6 - Viewing the SCAP scan report

After you have transferred the results file to workstation you can open the HTML report in a web browser. In this case we will
use firefox to open the file.

Version: 1.3 Encryption and Security 34

Chapter 3. System Security Policy and Compliance

Example 30. Viewing the SCAP Report

Listing 37. Opening the SCAP HTML Report with Firefox

[root@workstation ~]# firefox Custom_Scan_Report.html

Figure 14. SCAP Scan Results Report in Firefox

 Firefox may not open the file based on SELinux context triggers. In order to get around this you can
use the command prompt and do setenforce 0 to allow you to open the report.

3.3. Creating an Ansible Remediation Playbook Based on SCAP Scan Results

The OpenSCAP project and content created by Red Hat can automatically remediate findings from OpenSCAP scans. The
findings can be remediated in many ways (BASH, Ansible, etc.). While things are mostly complete, there are some automated
remediations that have not yet been developed.

35 Encryption and Security Version: 1.3

 Section 3.3. Creating an Ansible Remediation Playbook Based on SCAP Scan Results

 There are multiple automatic remediation methods developed, but at this time, there isn’t a script to fix
everything.

Servers to Configure

• serverc

 We will continue to use workstation as our master SCAP system as it should have Ansible and SCAP
Workbench installed.

Step 1 - Creating an Ansible Playbook from Results

The first step will be to generate an Ansible playbook from the SCAP scan results for system remediation.

Example 31. Generating Ansible Playbook

Listing 38. Ansible Playbook Generation

[root@workstation ~]# oscap xccdf generate fix \

--profile xccdf_org.ssgproject.content_profile_rhel7__stig_customized \
--tailoring-file ssg-rhel7-ds-tailoring.xml \
--fix-type ansible \
--result-id "" \
custom_scan_results.xml > Custom_Scan_Fix.yml

Viewing Remediation Playbook

It is also a good idea to view the created playbook for the system prior to running it.

[root@workstation ~]# cat Custom_Scan_Fix.yml

---
###############################################################################
#
# Ansible remediation role for the results of evaluation of profile
xccdf_org.ssgproject.content_profile_rhel7__stig_customized
# XCCDF Version: unknown
#
# Evaluation Start Time: 2018-09-06T15:42:54
# Evaluation End Time: 2018-09-06T15:42:54
#
# This file was generated by OpenSCAP 1.2.16 using:
# $ oscap xccdf generate fix --result-id xccdf_org.open-
scap_testresult_xccdf_org.ssgproject.content_profile_rhel7__stig_customized --template
urn:xccdf:fix:script:ansible xccdf-results.xml
#
# This script is generated from the results of a profile evaluation.
# It attempts to remediate all issues from the selected rules that failed the test.
#
# How to apply this remediation role:
# $ ansible-playbook -i "192.168.1.155," playbook.yml
# $ ansible-playbook -i inventory.ini playbook.yml
#
###############################################################################


Version: 1.3 Encryption and Security 36
Chapter 3. System Security Policy and Compliance

 - hosts: all
  vars:
  var_accounts_password_minlen_login_defs: 18
  var_password_pam_maxrepeat: 2
  var_password_pam_maxclassrepeat: 4
  var_password_pam_dcredit: -1
  var_password_pam_minlen: 18
  var_password_pam_ucredit: -1
  var_password_pam_ocredit: -1
  var_password_pam_lcredit: -1
  var_password_pam_difok: 8
  var_password_pam_minclass: 4
  tasks:

  - name: "Set Password Minimum Length in login.defs"

  lineinfile:
  dest: /etc/login.defs
  regexp: "^PASS_MIN_LEN *[0-9]*"
  state: present
  line: "PASS_MIN_LEN {{ var_accounts_password_minlen_login_defs }}"
  tags:
  - accounts_password_minlen_login_defs
  - medium_severity
  - restrict_strategy
  - low_complexity
  - low_disruption
  - CCE-27123-9
  - NIST-800-53-IA-5(f)
  - NIST-800-53-IA-5(1)(a)
  - NIST-800-171-3.5.7
  - CJIS-5.6.2.1

... Output Omitted ...

  - name: Ensure PAM variable minclass is set accordingly

  lineinfile:
  create=yes
  dest="/etc/security/pwquality.conf"
  regexp="^minclass"
  line="minclass = {{ var_password_pam_minclass }}"
  tags:
  - accounts_password_pam_minclass
  - medium_severity
  - CCE-27115-5
  - NIST-800-53-IA-5
  - DISA-STIG-RHEL-07-010170

37 Encryption and Security Version: 1.3

 Section 3.3. Creating an Ansible Remediation Playbook Based on SCAP Scan Results

Ansible is not setup for the lab

Before we can do the next steps, we will download an Ansible config file and an inventory file so we can
properly run the playbook.

Listing 39. Error Output Message


[root@workstation ~]# ansible-playbook Custom_Scan_Fix.yml
 [WARNING]: provided hosts list is empty, only localhost is available. Note
that the implicit localhost does not match 'all'

PLAY [all] *********************************************************************

skipping: no hosts matched

PLAY RECAP *********************************************************************

[root@workstation ~]#

Step 2 - Downloading Ansible Config and Ansible Inventory Files

This step is needed so that our Ansible system can be configured with various configuration options and the inventory files so we
can run the given playbook.

Example 32. Downloading Ansible Files

Listing 40. Downloading Ansible Files

[root@workstation ~]# wget http://content/meetup/inventory

--2018-09-06 17:49:04-- http://content/meetup/inventory
Resolving content (content)... 172.25.254.254
Connecting to content (content)|172.25.254.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24
Saving to: ‘inventory’

100%[======================================>] 24 --.-K/s in 0s

2018-09-06 17:49:04 (2.74 MB/s) - ‘inventory’ saved [24/24]

[root@workstation ~]# wget http://content/meetup/ansible.cfg

--2018-09-06 17:49:19-- http://content/meetup/ansible.cfg
Resolving content (content)... 172.25.254.254
Connecting to content (content)|172.25.254.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 159
Saving to: ‘ansible.cfg’

100%[======================================>] 159 --.-K/s in 0s

2018-09-06 17:49:19 (12.0 MB/s) - ‘ansible.cfg’ saved [159/159]

[root@workstation ~]#

Version: 1.3 Encryption and Security 38

Chapter 3. System Security Policy and Compliance

Reviewing Ansible Configurations

The inventory file provided only has a single host serverc in there. On real systems, you must be very
cautious of running remediation playbooks against an inventory file as it could apply to unintended systems.
Additionally the ansible.cfg file provided was created for use in this lab environment. Both of these items
should be taken into account when doing going through the process on production systems.

[root@workstation ~]# cat inventory

 serverc.lab.example.com

[root@workstation ~]# cat ansible.cfg

[defaults]
roles_path = /etc/ansible/roles:/usr/share/ansible/roles
log_path = /tmp/ansible.log
inventory = ./inventory

[privilege_escalation]
become=True
[root@workstation ~]#

Step 3 - Run the Ansible Playbook

This step will utilize the workstation system which is configured as your Ansible management node and will run the playbook to
remediate the results on the serverc system.

39 Encryption and Security Version: 1.3

 Section 3.3. Creating an Ansible Remediation Playbook Based on SCAP Scan Results

Example 33. Remediation of serverc with Ansible Playbook

Listing 41. Running the Ansible Playbook

[root@workstation ~]# ansible-playbook Custom_Scan_Fix.yml

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************

ok: [serverc.lab.example.com]

TASK [Set Password Minimum Length in login.defs] *******************************

changed: [serverc.lab.example.com]

TASK [Ensure PAM variable maxrepeat is set accordingly] ************************

changed: [serverc.lab.example.com]

TASK [Ensure PAM variable maxclassrepeat is set accordingly] *******************

changed: [serverc.lab.example.com]

TASK [Ensure PAM variable dcredit is set accordingly] **************************

changed: [serverc.lab.example.com]

TASK [Ensure PAM variable minlen is set accordingly] ***************************

changed: [serverc.lab.example.com]

TASK [Ensure PAM variable ucredit is set accordingly] **************************

changed: [serverc.lab.example.com]

TASK [Ensure PAM variable ocredit is set accordingly] **************************

changed: [serverc.lab.example.com]

TASK [Ensure PAM variable lcredit is set accordingly] **************************

changed: [serverc.lab.example.com]

TASK [Ensure PAM variable difok is set accordingly] ****************************

changed: [serverc.lab.example.com]

TASK [Ensure PAM variable minclass is set accordingly] *************************

changed: [serverc.lab.example.com]

PLAY RECAP *********************************************************************

serverc.lab.example.com : ok=11 changed=10 unreachable=0 failed=0

[root@workstation ~]#

After running the playbook, you can see that there were 10 changes that were made to the system

 and exactly which parameters were changed. The next thing to do is perform another scan of the
system to ensure that it is now fully compliant.

Step 4 - Rescan System and Review Results

Example 34. Scanning System after Fixes and Verifying Results

Version: 1.3 Encryption and Security 40

Chapter 3. System Security Policy and Compliance

Listing 42. Performing SCAP Verification Scan

[root@serverc ~]# oscap xccdf eval \

--profile xccdf_org.ssgproject.content_profile_rhel7__stig_customized \
--tailoring-file ssg-rhel7-ds-tailoring.xml \
--results custom_scan_results_fixed.xml \
--report Custom_Scan_Report_Fixed.html \
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Listing 43. Copying Results to Workstation

[root@serverc ~]# scp custom_scan_results_fixed.xml Custom_Scan_Report_Fixed.html workstation:

root@workstation's password:
custom_scan_results_fixed.xml 100% 4330KB 70.2MB/s 00:00
Custom_Scan_Report_Fixed.html 100% 291KB 33.1MB/s 00:00
[root@serverc ~]#

Listing 44. Viewing Results on Workstation

[root@workstation ~]# firefox Custom_Scan_Report_Fixed.html

41 Encryption and Security Version: 1.3

 Section 3.3. Creating an Ansible Remediation Playbook Based on SCAP Scan Results

Figure 15. Fixed SCAP Scan Results Report in Firefox

Version: 1.3 Encryption and Security 42