OpenSCAP - PSJoshi/Notes GitHub Wiki

Vulnerabilities scanning of Windows using OVAL

Using the Open Vulnerability and Assessment Language (OVAL), it is possible to determine the compliance/patching/vulnerability status of any Windows system. To accomplish this, you need an OVAL interpreter and OVAL definitions. Both open-source (openscap) and commercial (Qualys) solutions are available.

In the open-source case, you can use the ovaldi interpreter together with OVAL definitions from MITRE.

The OVAL definition classes are given below:

  • Compliance - checks that the installation is compliant with recommended security practices.
  • Inventory - checks that produce results of what is installed.
  • Patch - tests that indicate patching status.
  • Vulnerability - tests that verify if there are vulnerabilities present on the machine.
  • Miscellaneous - tests that do not fit in the other categories.

Installation of OVAL Interpreter on Windows

  • Visit the Sourceforge page to download the Ovaldi interpreter file (32-bit or 64-bit depending on your Windows version): https://sourceforge.net/projects/ovaldi/files/ovaldi/5.10.1%20Build%207/ . It is recommended to always choose the latest ovaldi build, e.g. ovaldi-5.10.1.7 is the LATEST at present.
  • Unzip the EXE file to a directory - say, c:\Program files\OVAL
  • Now, a directory "ovaldi-5.10.1.7-x64" will be created under directory "c:\Program files\OVAL"
  • Check if "ovaldi.exe" file is available in installation directory.

Downloading of OVAL definitions

Now, it is time to download OVAL definitions for the various categories (compliance, inventory, patch, vulnerability etc.). For this, visit the OVAL repository contents site from MITRE - http://oval.mitre.org/rep-data/index.html

Please remember, you have to download OVAL definitions matching your "ovaldi" program version.

In our present case, the ovaldi interpreter version is 5.10. So, you have to download the OVAL definitions corresponding to this version as given below:

Special note about change of Ovaldi definitions

The MITRE site (http://oval.mitre.org/) now has "archive" status and will no longer be updated. A new site for OVAL definitions has been set up by the Center for Internet Security - https://oval.cisecurity.org/repository/download

So, the various OVAL checks for compliance, vulnerability, patching etc. for ovaldi-5.10 are required to be downloaded from here:

Please choose the appropriate oval definition file depending on your platform/family. e.g. for Vulnerability analysis of Windows 10 system, download url for oval definition will be https://oval.cisecurity.org/repository/download/5.10/vulnerability/microsoft_windows_10.xml

It is recommended to rename the file to a specific category for easy identification, e.g. for vulnerability scanning the file "microsoft_windows_10.xml" can be renamed as "microsoft_windows_10_vulnerability.xml".

The same logic can be applied for compliance, inventory and patch feeds.

Executing Vulnerability scan:

It is assumed that ovaldi.exe is installed in d:\OVAL\ovaldi-5.10.1.7-x64

D:\OVAL>d:\OVAL\ovaldi-5.10.1.7-x64\ovaldi.exe -m -a "d:\OVAL\ovaldi-5.10.1.7-x64\xml" -o d:\OVAL\microsoft_windows_10_vulnerability.xml -r 20170831-win10-results.xml -x 20170831-win10-results.html -d 20170831-system-charcterstics.xml

The above command will check for vulnerabilities present on the system. Of course, only the vulnerabilities defined in the definitions file (microsoft_windows_10_vulnerability.xml) will be checked.

An explanation for various command line options is given below:

Option -m: don't check the MD5 sum of the OVAL definitions file (in this case, the file passed with -o).

Option -a specifies where the auxiliary files needed by the interpreter are: the default style sheet, and the XML schema files used to validate the definitions and tests. The default value assumes that you are running ovaldi from its base directory (i.e. where it is installed), so when you run it from elsewhere this option has to be specified for everything to work.

Option -o specifies the OVAL definitions file to use.

Option -r specifies the XML results file. The default value is results.xml, so with multiple runs the default file would be overwritten; using this option prevents that from happening.

Option -x specifies the HTML results file. This file is generated from the XML results file by applying a style sheet (XSL) file. The default style sheet is used if none is specified on the command line.

Option -d specifies the file in which the system characteristics (installed software, existing files, etc. collected during the interpreter run of the OVAL definitions file) will be saved.

Typical output for the above command will be:

D:\OVAL>d:\OVAL\ovaldi-5.10.1.7-x64\ovaldi.exe -m -a "d:\OVAL\ovaldi-5.10.1.7-x64\xml" -o d:\OVAL\microsoft_windows_10_vulnerability.xml -r 20170831-win10-results.xml -x 20170831-win10-results.html -d 20170831-system-charcterstics.xml

OVAL Definition Interpreter Version: 5.10.1 Build: 7 Build date: Apr 10 2014 06:41:32 Copyright (c) 2002-2014 - The MITRE Corporation

Start Time: Thu Aug 31 15:45:04 2017

** parsing d:\OVAL\microsoft_windows_10_vulnerability.xml file.
    - validating xml schema.
** checking schema version
    - Schema version - 5.10
** skipping Schematron validation
** creating a new OVAL System Characteristics file.
** gathering data for the OVAL definitions.
    Collecting object: FINISHED
** saving data model to 20170831-system-charcterstics.xml.
** running the OVAL Definition analysis.
    Analyzing definition: FINISHED
** applying directives to OVAL results.
** OVAL definition results.

OVAL Id                                 Result
-------------------------------------------------------
oval:org.mitre.oval:def:29117           true
oval:org.cisecurity:def:1379            true
oval:org.mitre.oval:def:18343           true
.....
......
oval:org.cisecurity:def:1233            error
oval:org.cisecurity:def:1238            error
oval:org.cisecurity:def:720             error
oval:org.cisecurity:def:1802            error
oval:org.cisecurity:def:1242            error
oval:org.cisecurity:def:736             error
oval:org.cisecurity:def:1256            error
-------------------------------------------------------

** finished evaluating OVAL definitions.

** saving OVAL results to 20170831-win10-results.xml.
** running OVAL Results xsl: d:\OVAL\ovaldi-5.10.1.7-x64\xml\results_to_html.xsl.

Once the "ovaldi" program has finished its execution, the following new files will be in the directory:

  • System characteristics file - 20170831-system-charcterstics.xml
  • XML results file - 20170831-win10-results.xml
  • HTML report file - 20170831-win10-results.html
  • ovaldi.log - log file for any debugging/analysis.

Open the HTML report file in browser to see the vulnerability report of the system.

ovaldi-scap batch file

@echo off
REM This program runs a SCAP-based vulnerability scan of the system at periodic intervals and sends the report to a centralized server.
REM Every variable used in the command below must be SET with exactly the same name, otherwise it expands to nothing
REM and the option (here -d) is left without its argument.

SET program_name="d:\OVAL\ovaldi-5.10.1.7-x64\ovaldi.exe"
SET xml_dir="d:\OVAL\ovaldi-5.10.1.7-x64\xml"
SET vuln_xml_file="d:\OVAL\microsoft_windows_10_vulnerability.xml"
SET results_xml="20180410-win10-results.xml"
SET results_html="20180410-win10-results.html"
SET system_characteristics="20180410-system-characteristics.xml"

%program_name% -m -a %xml_dir% -o %vuln_xml_file% -r %results_xml% -x %results_html% -d %system_characteristics%

Installation of openscap packages on Ubuntu 14.04 for SCAP requirements

Now, it's time to compile the openscap and scap-security-guide packages from source. Please follow the instructions given below:

Compiling SCAP security guide from source for Ubuntu - 14.04

root@joshi:~# unzip scap-security-guide-master.zip
root@joshi:~/scap-security-guide-master/build# apt install cmake
root@joshi:~/openscap-maint-1.2# apt install autoconf automake libtool
root@joshi:~/scap-security-guide-master/# apt install python-yaml python-jinja2
root@joshi:~/scap-security-guide-master/build# apt install expat libxml2-utils xsltproc

Now, enter 'build' directory under scap-security-guide directory and compile the package:

root@joshi:~/scap-security-guide-master/build# cmake ../
root@joshi:~/scap-security-guide-master/build# cat /etc/lsb-release
root@joshi:~/scap-security-guide-master/build# make -j4 ubuntu1404 
root@joshi:~/scap-security-guide-master/build# make -j4 
root@joshi:~/scap-security-guide-master/build# make install

Compiling OpenSCAP from source for Ubuntu - 14.04

root@joshi:~/openscap-maint-1.2# apt install -y autoconf automake libtool make libdbus-1-dev libdbus-glib-1-dev libgcrypt-dev libselinux1-dev libxslt1-dev libgconf2-dev libacl1-dev libblkid-dev libcap-dev libxml2-dev libldap2-dev libpcre3-dev python-dev swig libxml-parser-perl libxml-xpath-perl libperl5.18 python-dev libbz2-dev librpm-dev swig

root@joshi:~# apt install libcurl4-openssl-dev
root@joshi:~# apt install python-yaml python-jinja2

root@joshi:~/openscap-maint-1.2# ./autogen.sh
root@joshi:~/openscap-maint-1.2# ./configure

Note: If you wish to disable the Python bindings, you can do so:

root@joshi:~/openscap-maint-1.2# ./configure --disable-python
root@joshi:~/openscap-maint-1.2# make
root@joshi:~/openscap-maint-1.2# make check
root@joshi:~/openscap-maint-1.2# make install

Note: Ubuntu trusty has a package called libopenscap8. You can install it instead:

root@joshi:~/openscap-maint-1.2# apt search scap8
Sorting... Done
Full Text Search... Done
libopenscap8/trusty 1.0.2-1 amd64
  Set of libraries enabling integration of the SCAP line of standards

libopenscap8-dbg/trusty 1.0.2-1 amd64
  Set of libraries enabling integration of the SCAP line of standards
root@joshi:~# apt install libopenscap8

Now, you can run openscap (oscap) commands:

root@joshi:~/openscap-maint-1.2# oscap oval eval --help

If you wish, you can now run a vulnerability scan using the OVAL feed shipped in the security guide:

root@joshi:~# oscap oval eval --results r.xml --report r.html /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1404-oval.xml

Download the latest OVAL feed from the Ubuntu site: http://people.canonical.com/~ubuntu-security/oval

Run the OVAL vulnerability scan:

root@joshi:~# oscap oval eval --results r.xml --report r.html com.ubuntu.trusty.cve.oval.xml

You can tell the openscap scanner to skip schema validation (ignoring schema differences) and evaluate the OVAL vulnerability definitions anyway:

root@joshi:~# oscap oval eval --results r.xml --report r.html --skip-valid com.ubuntu.trusty.cve.oval.xml
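Both the ovaldi run above (-r / -o) and the oscap oval eval runs here (--results plus the definitions file) leave you with an OVAL results file that lists only definition ids and a true/false/error verdict; the title and class (vulnerability, patch, inventory etc., see the class list at the top of the page) live in the definitions file. The script below joins the two so the verdicts become readable and so that "error" rows are not mistaken for clean results. It is an added example, not code from this wiki or from the ovaldi/OpenSCAP projects; the two XML documents inside it are constructed samples with made-up ids (oval:example:def:N), and the element paths follow the oval-definitions-5 and oval-results-5 schemas that both tools write.

```python
"""Summarise an OVAL results file, joining each result with the title and class
from the definitions file it was evaluated against.
Added example (not from the wiki page nor the ovaldi/openscap projects). Works on
results written by `ovaldi -r` or `oscap oval eval --results`; both use the
oval-results-5 schema. The two XML strings below are constructed samples."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
}

# Constructed sample definitions file (what is passed with -o / as the last oscap argument).
SAMPLE_DEFINITIONS = """<?xml version="1.0"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="vulnerability">
      <metadata><title>Sample vulnerability in component A</title></metadata>
    </definition>
    <definition id="oval:example:def:2" version="1" class="patch">
      <metadata><title>Sample cumulative update missing</title></metadata>
    </definition>
    <definition id="oval:example:def:3" version="1" class="inventory">
      <metadata><title>Windows 10 is installed</title></metadata>
    </definition>
    <definition id="oval:example:def:4" version="1" class="vulnerability">
      <metadata><title>Sample vulnerability in component B</title></metadata>
    </definition>
  </definitions>
</oval_definitions>"""

# Constructed sample results file (what -r / --results writes).
SAMPLE_RESULTS = """<?xml version="1.0"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" version="1" result="true"/>
        <definition definition_id="oval:example:def:2" version="1" result="false"/>
        <definition definition_id="oval:example:def:3" version="1" result="true"/>
        <definition definition_id="oval:example:def:4" version="1" result="error"/>
      </definitions>
    </system>
  </results>
</oval_results>"""


def load_definition_metadata(xml_text):
    """Map definition id -> (class, title) from an OVAL definitions document."""
    root = ET.fromstring(xml_text)
    meta = {}
    for d in root.iterfind(".//def:definitions/def:definition", NS):
        title = d.find("def:metadata/def:title", NS)
        text = title.text.strip() if title is not None and title.text else ""
        meta[d.get("id")] = (d.get("class", "unknown"), text)
    return meta


def load_results(xml_text):
    """Map definition id -> result string ('true', 'false', 'error', ...)."""
    root = ET.fromstring(xml_text)
    path = ".//res:results/res:system/res:definitions/res:definition"
    return {d.get("definition_id"): d.get("result") for d in root.iterfind(path, NS)}


def summarise(definitions_xml, results_xml):
    """Return (Counter keyed by (class, result), list of (id, class, title) to act on).

    A 'true' result means the definition's criteria matched. For the vulnerability
    and patch classes that means the machine is affected / the patch is missing,
    so those rows are findings. 'error' rows are tests the interpreter could not
    evaluate; they are listed too, because they must be checked in ovaldi.log
    rather than treated as clean.
    """
    meta = load_definition_metadata(definitions_xml)
    results = load_results(results_xml)
    by_class = Counter()
    findings = []
    for def_id, result in results.items():
        cls, title = meta.get(def_id, ("unknown", "(no metadata for this id)"))
        by_class[(cls, result)] += 1
        if result == "true" and cls in ("vulnerability", "patch"):
            findings.append((def_id, cls, title))
        elif result == "error":
            findings.append((def_id, cls, "ERROR: " + title))
    return by_class, findings


if __name__ == "__main__":
    # For a real run: summarise(open(defs_path).read(), open(results_path).read())
    counts, findings = summarise(SAMPLE_DEFINITIONS, SAMPLE_RESULTS)
    for (cls, result), n in sorted(counts.items()):
        print(f"{cls:<14} {result:<6} {n}")
    for def_id, cls, title in findings:
        print(f"{def_id:<28} {cls:<14} {title}")
```

On the sample data this reports one vulnerability as true (a finding), one patch as false (applied), one inventory as true (informational) and one vulnerability as error (needs the log), which is exactly the distinction the HTML report makes but in a form that can be grepped or fed into a ticketing system.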

All SCAP-related definition files are located under the following directory:

root@joshi:~# ls -l /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1404-*
-rw-r--r-- 1 root staff    578 May 22 12:41 /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1404-cpe-dictionary.xml
-rw-r--r-- 1 root staff  39847 May 22 12:41 /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1404-cpe-oval.xml
-rw-r--r-- 1 root staff 762241 May 22 12:41 /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1404-ds.xml
-rw-r--r-- 1 root staff  41976 May 22 12:41 /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1404-ocil.xml
-rw-r--r-- 1 root staff 417649 May 22 12:41 /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1404-oval.xml
-rw-r--r-- 1 root staff 229295 May 22 12:41 /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1404-xccdf.xml

Note: If you encounter any SWIG-related errors during configure or make, ignore them!

XCCDF scan:

root@joshi:~# oscap xccdf eval --profile standard --report xccdf.html /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1404-
ssg-ubuntu1404-cpe-dictionary.xml  ssg-ubuntu1404-ds.xml              ssg-ubuntu1404-oval.xml
ssg-ubuntu1404-cpe-oval.xml        ssg-ubuntu1404-ocil.xml            ssg-ubuntu1404-xccdf.xml
root@joshi:~# oscap xccdf eval --profile standard --report xccdf.html /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1404-xccdf.xml

By providing the CPE dictionary, it returns more meaningful results:

root@joshi:~/ubuntu-scap-master# oscap xccdf eval --profile standard --cpe /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1404-cpe-dictionary.xml /usr/local/share/xml/scap/ssg/content/ssg-ubuntu1404-xccdf.xml

Getting profile information

root@joshi:~# oscap info "/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1404-xccdf.xml"
Document type: XCCDF Checklist
Checklist version: 1.1
Imported: 2018-05-22T15:17:23
Status: draft
Generated: 2018-05-22
Resolved: true
Profiles:
        Title: Profile for ANSSI DAT-NT28 Minimal Level
                Id: anssi_np_nt28_minimal
        Title: Standard System Security Profile for Ubuntu 14
                Id: standard
        Title: Profile for ANSSI DAT-NT28 Average (Intermediate) Level
                Id: anssi_np_nt28_average
        Title: Profile for ANSSI DAT-NT28 Restrictive Level
                Id: anssi_np_nt28_restrictive
        Title: Profile for ANSSI DAT-NT28 High (Enforced) Level
                Id: anssi_np_nt28_high

GovReady Git repository - https://github.com/GovReady/ubuntu-scap

If you wish, you can also download an XCCDF file from the GovReady GitHub repository. It contains various templates/scripts/programs that are helpful in making your system compliant with government requirements.

After unzipping the repository's zip file, the directory will look like this:

root@joshi:~/ubuntu-scap-master# ls -l
total 1104
-rw-r--r-- 1 root root   1390 Jun 10  2014 check_refine_value.py
-rw-r--r-- 1 root root   1239 Jun 10  2014 check_test_requirements.py
-rw-r--r-- 1 root root   1582 Jun 10  2014 import-ssg.py
-rw-r--r-- 1 root root    638 Jun 10  2014 Makefile
-rw-r--r-- 1 root root   2986 Jun 10  2014 README.md
-rwxr-xr-x 1 root root   6619 Jun 10  2014 remediation.sh
-rwxr-xr-x 1 root root    203 Jun 10  2014 run_tests.sh
-rw-r--r-- 1 root root 757267 Jun 10  2014 ssg-rhel6-oval.xml
-rw-r--r-- 1 root root   1705 Jun 10  2014 ubuntu-cpe-oval.xml
-rw-r--r-- 1 root root    586 Jun 10  2014 ubuntu-cpe.xml
-rw-r--r-- 1 root root 324240 Jun 10  2014 ubuntu-xccdf.xml
-rw-r--r-- 1 root root    436 Jun 10  2014 Vagrantfile

To get the compliance status, run like this:

root@joshi:~/ubuntu-scap-master# oscap xccdf eval --profile standard ubuntu-xccdf.xml
No profile matching suffix "standard" was found. Get available profiles using:
$ oscap info "ubuntu-xccdf.xml"
root@joshi:~/ubuntu-scap-master# oscap info ubuntu-xccdf.xml
Document type: XCCDF Checklist
Checklist version: 1.2
Imported: 2014-06-10T18:35:34
Status: draft
Generated: 2014-06-06
Resolved: false
Profiles:
        Title: Ubuntu 12.04/14.04 Server
                Id: xccdf_ubuntu_profile_default
Referenced check files:
        ssg-rhel6-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
root@joshi:~/ubuntu-scap-master# oscap xccdf eval --profile xccdf_ubuntu_profile_default ubuntu-xccdf.xml

By providing the CPE dictionary, it gives more meaningful results:

root@joshi:~/ubuntu-scap-master# oscap xccdf eval --profile xccdf_ubuntu_profile_default --cpe ubuntu-cpe.xml ubuntu-xccdf.xml
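The two oscap info listings above show why --profile standard worked on the ssg-ubuntu1404 checklist (XCCDF 1.1, profile id "standard") but failed on the GovReady file (XCCDF 1.2, profile id xccdf_ubuntu_profile_default) with "No profile matching suffix". The script below, an added example that is not code from this wiki or from the OpenSCAP project, lists the profiles of a standalone XCCDF checklist and resolves a --profile value by exact id or, for the xccdf_..._profile_<suffix> ids of XCCDF 1.2, by suffix; that lookup is my approximation of what the oscap error message describes, not a copy of oscap's code. The two Benchmark documents inside are constructed samples whose ids and titles are modelled on the listings above; source data streams (ssg-*-ds.xml) have a different root element and are not handled here.

```python
"""List the profiles of an XCCDF benchmark and resolve a --profile argument.
Added example; not from the wiki page nor from OpenSCAP. Handles both the
XCCDF 1.1 and 1.2 namespaces, which differ only in the namespace URI.
The two XML strings are constructed samples."""
import xml.etree.ElementTree as ET

# Tried in this order; the first namespace that yields Profile elements wins.
XCCDF_NAMESPACES = (
    "http://checklists.nist.gov/xccdf/1.2",
    "http://checklists.nist.gov/xccdf/1.1",
)

# Constructed sample modelled on the GovReady checklist (XCCDF 1.2, long profile id).
SAMPLE_XCCDF_12 = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_ubuntu_benchmark_example">
  <status date="2014-06-06">draft</status>
  <title>Example Ubuntu benchmark</title>
  <Profile id="xccdf_ubuntu_profile_default">
    <title>Ubuntu 12.04/14.04 Server</title>
  </Profile>
</Benchmark>"""

# Constructed sample modelled on the ssg-ubuntu1404 checklist (XCCDF 1.1, short ids).
SAMPLE_XCCDF_11 = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-1.1">
  <status date="2018-05-22">draft</status>
  <title>Example benchmark</title>
  <Profile id="standard">
    <title>Standard System Security Profile for Ubuntu 14</title>
  </Profile>
  <Profile id="anssi_np_nt28_minimal">
    <title>Profile for ANSSI DAT-NT28 Minimal Level</title>
  </Profile>
</Benchmark>"""


def list_profiles(xml_text):
    """Return [(profile_id, title)] in document order, whichever namespace is used."""
    root = ET.fromstring(xml_text)
    for uri in XCCDF_NAMESPACES:
        ns = {"x": uri}
        profiles = root.findall("x:Profile", ns)
        if not profiles:
            continue
        out = []
        for p in profiles:
            title = p.find("x:title", ns)
            text = title.text.strip() if title is not None and title.text else ""
            out.append((p.get("id"), text))
        return out
    return []  # not an XCCDF 1.1/1.2 Benchmark, or it declares no profiles


def resolve_profile(xml_text, requested):
    """Return the full profile id for a --profile value, or None if nothing matches.

    Exact ids match first. XCCDF 1.2 ids look like xccdf_<namespace>_profile_<suffix>,
    so a bare suffix such as 'default' is accepted for them; an unknown suffix (the
    'standard' case on the GovReady file) yields None. An ambiguous suffix that
    matches several ids also yields None rather than guessing.
    """
    ids = [pid for pid, _ in list_profiles(xml_text)]
    if requested in ids:
        return requested
    matches = [pid for pid in ids if pid.endswith("_profile_" + requested)]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for name, doc in (("xccdf-1.2 sample", SAMPLE_XCCDF_12), ("xccdf-1.1 sample", SAMPLE_XCCDF_11)):
        print(name)
        for pid, title in list_profiles(doc):
            print(f"        Title: {title}\n                Id: {pid}")
        print("  --profile standard ->", resolve_profile(doc, "standard"))
```

Before scripting oscap across many hosts, run list_profiles on the checklist you ship and pass the id it returns; a checklist upgraded from 1.1 to 1.2 changes every profile id, and oscap will refuse the old short name exactly as shown above.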

Other interesting links:

SCAP tools

OVAL repository links:

Presentations:

Interesting IEEE paper:

CentOS compliance (yum install openscap-scanner scap-security-guide):

# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss ssg-centos-7-ds.xml
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common ssg-centos-7-ds.xml 

Installation of SCAP on CentOS/RHEL/SL

# yum install openscap openscap-utils
# yum install scap-security-guide

# get information about profiles, schema etc.
# oscap info /usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml

# run compliance scan
# oscap xccdf eval --profile standard --results r.xml --report r.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml

Installation of OpenSCAP for Windows

Openscap is a great project for tracking system compliance and vulnerabilities. The team is working hard and they have also released a Windows version. I just took a Windows version for a spin and encountered some errors. Here are some of my installation notes:

Download and install the OpenSCAP ".msi" file from the GitHub repository: https://github.com/OpenSCAP/openscap/releases/download/1.3.0/OpenSCAP-1.3.0-win32.msi

After installation, you may have to rename VCRUNTIME140.dll to 1VCRUNTIME140.dll as it is a 64-bit binary and is unfit for 32-bit OS.

Let's say you have installed it under the c:\Program Files\OpenSCAP-1.3 directory. Now, if you try to run "oscap.exe --help", you may encounter errors like:

"MSVCP140.dll is either not designed to run on this computer or it contains error...." "VCRUNTIME140.dll is either not designed to run on Windows or it contains error..."

To get rid of these errors, do this:

Basically, you are installing Visual C++ Redistributable versions - 2012 and 2015.

Restart the computer and reinstall the program if the error persists.

After doing this, the above errors might go away.

We will be using this policy to test our system.

Hopefully, after installation of the Visual C++ redistributables on the system, the DLL-related errors will have gone away. Now, it's time to run the "Openscap" tool; running it will give you a nice report of system compliance and vulnerabilities.

Check compliance

c:\OpenSCAP-1.30> oscap.exe xccdf eval --profile xccdf_gov.nist_profile_united_states_government_configuration_baseline_version_2.0.5.1 c:\Downloads\scap_gov.nist_USGCB-Windows-7.xml

Find profile

c:\OpenSCAP-1.30> oscap.exe info c:\Downloads\scap_gov.nist_USGCB-Windows-7.xml