Security compliance with Ansible and OpenScap - Part 1

Getting Started

Considering the rise in Cyber Security attacks, there’s a growing need to bolster security within our networks at the operating system level. This means that, every time we deploy a Virtual Workload into our Data Centers, we need to ensure the very foundation is secure and meets NIST and Company policies and standards.

In order to comply with security regulations and policies, we take the following approach:

  1. Create a clean vSphere (or other) Workload from ISO (or use an existing clean Template)

  2. Scan the Workload, on which the Template will be based, using a tool like OpenScap

  3. Generate a report on the compliance

  4. Remediate the issues

  5. Scan again to ensure compliance

  6. Convert to Template, and we’re good to go

High-level process

The first thing you’ll need to do is to download OpenScap. It can be downloaded from the link below; however, it’s also provided in many Linux Distro repositories, which means we can automate the installation of OpenScap using Ansible without having to worry about installing it manually.
https://www.open-scap.org

In this article, I’m using CentOS8 as my foundational Operating System (since it’s close to RHEL), however, OpenScap provides scanning for many operating systems.
Unfortunately, getting Openscap to work on Windows requires a great deal of tinkering and effort, so I’ll stick to Linux for the purposes of this article.

The first step, really, is to define which policies you want to use, and which rules within those policies you want to include or omit. There are two main subjects to pay attention to here:

  1. Profiles (sets of predefined rules for an operating system)

  2. Customizations (overrides the inclusion or omission of certain rules within profiles)

In order to define which profile you want to use, and which rules you want to enforce (or omit), you’ll need to download the profiles and then create customization policies.

SCAP Workbench

In order to more easily understand the various facets of OpenScap, you can follow these steps:

  1. Create a VM using the operating system you want to scan

  2. Install SCAP Workbench

  3. Load the relevant profile for the OS

  4. Decide which rules to include or omit

  5. Save the customization file(s) for later use

Since I’m using CentOS8 (with GNOME Interface), I simply installed SCAP Workbench using the below command:

yum install scap-workbench

Once installed, launch it from the terminal: scap-workbench

The application will open, and you’ll be prompted to load a profile:

SCAP Workbench initial form

As alluded to before in this article, I’m using CentOS8, so I loaded the CentOS8 content. The next form will show you a list of Profiles to choose from. Since content for CentOS8, at the time of this writing, was still being created and verified, I used the only profile I had available to me.

SCAP Workbench Profiles

In order to choose which rules you want to enforce, hit the “Customize” button and you’ll be presented with a form which shows all of the associated rules. It will first prompt you to choose the ID for the profile, for which I just used the recommended, pre-populated Profile ID.

Customizing your Profile

Warning!

I have broken a few Workloads already by being overzealous with my security rules.
Heed my warning here: start small and build on from there. I ended up with all sorts of issues where, after reboot, CentOS8 refused to exit Emergency Boot Mode, and I had to redeploy a fresh Workload and start again.

This took many hours of time to figure out. You have been warned :-)

Once you’ve chosen which rules (from the hundreds available) you want to enforce (or, in my case, omit), click on the “OK” button.

Saving your customization

Now that you’ve hit “OK”, you’ll be back at the previous form. Click on “File”, then click on “Save All”, then “Into a Directory”.

Saving your customizations

Once you’ve saved, you should notice two .XML files present in the directory you chose. Keep these files for later - we’ll use these to scan our VM with Ansible.

In my case, I uploaded these two files into a directory within my Ansible project, which is committed to my git repo.

Save your files to a directory accessible by Ansible
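The two files SCAP Workbench writes are the SCAP content datastream and the XCCDF tailoring (customization) file. The tailoring file is what records your “include or omit” decisions, so it is worth being able to inspect it before handing it to Ansible. The following Python example is added here and is not code from the article or from the OpenSCAP project; the tailoring XML, benchmark path and rule ids in it are a constructed sample that mirrors the layout Workbench produces. It parses the customized profile and assembles the `oscap xccdf eval` command that applies it.

```python
import shlex
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample in the shape SCAP Workbench writes with "Save All" > "Into a Directory".
# Benchmark path and rule/value ids are illustrative, not values from the article.
SAMPLE_TAILORING = """<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml"/>
  <xccdf:version time="2020-05-01T10:00:00">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_standard_customized"
                 extends="xccdf_org.ssgproject.content_profile_standard">
    <xccdf:title override="true">Standard System Security Profile [CUSTOMIZED]</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" selected="false"/>
    <xccdf:set-value idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs">1</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>
"""


def parse_tailoring(xml_text):
    """Return the customized profile id, the profile it extends, the datastream it
    targets, each rule override (True = enforce, False = omit) and each value override."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    profile = root.find("x:Profile", ns)
    if profile is None:
        raise ValueError("no Profile element in tailoring file")
    rules = {s.get("idref"): s.get("selected") == "true" for s in profile.findall("x:select", ns)}
    values = {v.get("idref"): (v.text or "").strip() for v in profile.findall("x:set-value", ns)}
    bench = root.find("x:benchmark", ns)
    return {
        "profile_id": profile.get("id"),
        "extends": profile.get("extends"),
        "benchmark": bench.get("href") if bench is not None else None,
        "rules": rules,
        "values": values,
    }


def build_oscap_command(tailoring, tailoring_path, results_path, report_path):
    """Assemble the scan command that applies this tailoring to its datastream.
    The customized profile id must be passed, not the one it extends."""
    argv = ["oscap", "xccdf", "eval",
            "--profile", tailoring["profile_id"],
            "--tailoring-file", tailoring_path,
            "--results", results_path,
            "--report", report_path,
            tailoring["benchmark"]]
    return shlex.join(argv)
```

A common mistake when automating the scan is passing the original profile id to `--profile`; the tailoring only takes effect when the `_customized` id from the tailoring file is used together with `--tailoring-file`.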

In part 2 of this article, we’ll cover the Ansible-specific implementation, where things REALLY start to become impressive. Here’s a teaser:

  1. Install openscap on the remote machine

  2. Scan and generate a report

  3. Generate a remediation playbook on-the-fly (yes, you read correctly)

  4. Dynamically include the tasks and vars from this playbook to automatically remediate the remote machine

  5. Rescan and download the new report

Ready? Continue on to Part 2