Security Profiles

Support for security such as Firewalls and securing linux
ron7000
Posts: 162
Joined: 2019/01/15 20:00:28

Re: Security Profiles

Post by ron7000 » 2020/01/07 21:14:33

I am on CentOS 7.6, or RHEL 7.6. I am not installing Fedora31 on a separate disk.
I have installed

Code: Select all

openscap-containers-1.2.17-4.el7.noarch
openscap-1.2.17-4.el7.x86_64
openscap-engine-sce-1.2.17-4.el7.x86_64
openscap-utils-1.2.17-4.el7.x86_64
openscap-scanner-1.2.17-4.el7.x86_64
scap-security-guide-0.1.43-13.el7.centos.noarch
here are the contents of /usr/share/xml/scap/ssg/content/

Code: Select all

-rw-r--r-- 1 ron     users 15538695 Aug 23 10:22 ssg-centos6-ds.xml
-rw-r--r-- 1 ron     users  5086947 Aug 23 10:22 ssg-centos6-xccdf.xml
-rw-r--r-- 1 ron     users 25972220 Aug 23 10:22 ssg-centos7-ds.xml
-rw-r--r-- 1 ron     users  8156658 Aug 23 10:22 ssg-centos7-xccdf.xml
-rw-r--r-- 1 ron     users      546 Aug 23 10:21 ssg-firefox-cpe-dictionary.xml
-rw-r--r-- 1 ron     users     3635 Aug 23 10:21 ssg-firefox-cpe-oval.xml
-rw-r--r-- 1 ron     users   235231 Aug 23 10:21 ssg-firefox-ds.xml
-rw-r--r-- 1 ron     users    34640 Aug 23 10:21 ssg-firefox-ocil.xml
-rw-r--r-- 1 ron     users    45611 Aug 23 10:21 ssg-firefox-oval.xml
-rw-r--r-- 1 ron     users   145235 Aug 23 10:21 ssg-firefox-xccdf.xml
-rw-r--r-- 1 ron     users     1409 Aug 23 10:21 ssg-jre-cpe-dictionary.xml
-rw-r--r-- 1 ron     users     5516 Aug 23 10:21 ssg-jre-cpe-oval.xml
-rw-r--r-- 1 ron     users   160594 Aug 23 10:21 ssg-jre-ds.xml
-rw-r--r-- 1 ron     users    15346 Aug 23 10:21 ssg-jre-ocil.xml
-rw-r--r-- 1 ron     users    21363 Aug 23 10:21 ssg-jre-oval.xml
-rw-r--r-- 1 ron     users   113243 Aug 23 10:21 ssg-jre-xccdf.xml
-rw-r--r-- 1 ron     users     4407 Aug 23 10:21 ssg-rhel6-cpe-dictionary.xml
-rw-r--r-- 1 ron     users    68416 Aug 23 10:21 ssg-rhel6-cpe-oval.xml
-rw-r--r-- 1 ron     users 15815774 Aug 23 10:22 ssg-rhel6-ds.xml
-rw-r--r-- 1 ron     users   453844 Aug 23 10:22 ssg-rhel6-ocil.xml
-rw-r--r-- 1 ron     users  1920901 Aug 23 10:22 ssg-rhel6-oval.xml
-rw-r--r-- 1 ron     users  5410079 Aug 23 10:22 ssg-rhel6-xccdf.xml
-rw-r--r-- 1 ron     users     5047 Aug 23 10:21 ssg-rhel7-cpe-dictionary.xml
-rw-r--r-- 1 ron     users    68416 Aug 23 10:21 ssg-rhel7-cpe-oval.xml
-rw-r--r-- 1 ron     users 26278709 Aug 23 10:22 ssg-rhel7-ds.xml
-rw-r--r-- 1 ron     users  1119204 Aug 23 10:22 ssg-rhel7-ocil.xml
-rw-r--r-- 1 ron     users  2943691 Aug 23 10:22 ssg-rhel7-oval.xml
-rw-r--r-- 1 ron     users  8671063 Aug 23 10:22 ssg-rhel7-xccdf.xml
I try to read any of those and I want to blow my brains out.
how do I map any of those to the list of profiles shown at install time?
To know what in linux is turned on/off/modified when a given profile is selected?
here is the list of profiles displayed at install time from dvd
  • DISA STIG for RHEL 7
  • Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
  • Criminal Justice Information Services (CJIS) Security Policy
  • Health Insurance Portability and Accountability Act (HIPAA)
  • PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7
  • C2S for Red Hat Enterprise Linux
  • Standard System Security Profile for RHEL 7
  • OSPP - Protection Profile for General Purpose Operating Systems v. 4.2
  • USG Configuration Baseline {not applicable to CentOS linux}
  • Unclassified Information in Non-federal Information Systems & Organizations (NIST 800-171)
If I apply DISA STIG, how then do I know what got changed from a default install of no security profile applied?
In order to go about rolling back any changes to troubleshoot when things don't work, I need to know what they were.

User avatar
KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Security Profiles

Post by KernelOops » 2020/01/07 23:17:46

If you can't handle the shell.. use a GUI :D

In this case, you are supposed to use scap-workbench, which offers a nice GUI for scanning and using the profiles.
--
R.I.P. CentOS :cry:
--

ron7000
Posts: 162
Joined: 2019/01/15 20:00:28

Re: Security Profiles

Post by ron7000 » 2020/01/09 22:49:45

completely missed "scap-workbench" when looking for all rpm's "scap" related as most everything I was seeing was "oscap"

When I install centos 7.6+ from dvd, there's a list of security profiles to choose from which I posted earlier in this thread. None of those can I reasonably map to the files under "/usr/share/xml/scap/ssg/content/"

With "scap-workbench" installed,
whatever content that comes with it or if I try to open other scap xml content from "/usr/share/xml/scap/ssg/content/"
how any of that maps to "DISA STIG RHEL7" or any of the profiles that are listed during install time from dvd.

The security profile listings shown at install time are very elusive and I still cannot figure out exactly what they are. I would be ok with if one of the xml files under "/usr/share/xml/scap/ssg/content/" had a name of something rationally close to the Names listed at install time. But they do not. Is there a way to do this? I don't want to just look at a bunch of scap crap, I want to know specifically what "DISA STIG for RHEL 7" is comprised of. Or any of the others in that listing at install time.

Image

User avatar
KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Security Profiles

Post by KernelOops » 2020/01/10 00:04:35

I can tell you what I did... I read ALL of them. One by one and I kept notes on what is relevant to my systems and networks. Then I ditched them all and I created a large ansible playbook that enforces all the security things that I had noted down.

Eventually I came to the conclusion, that while all those profiles are a good general guide, they can't cover specific areas and they can't enforce too many restrictions because they inhibit normal usage. In other words, my own set of rules came to be 100 times more restrictive because I know the specific requirements of my setup(s).

In other words, if you know what you are doing from a security point of view, none of these profiles will offer you anything new, chances are, you've created your own standard profile. These profiles are there to provide a company-wide security standard.
--
R.I.P. CentOS :cry:
--

Post Reply