Many users customize their SCAP content before use. Usually they use SCAP Workbench. When they are done they end up with the original source datastream and a customization file. If they are scanning using the oscap tool or SCAP Workbench they can use them as they are. If they are however using Red Hat Satellite 6 to do their SCAP scans they cannot upload the 2 files to form a single policy. Instead they need to somehow combine the tailoring and datastream to get a single file. In this blog post we will explore how to do just that.
Option 1: Manual surgery (not recommended)
The first option is to take the Profile from the tailoring file and insert it into the XCCDF Benchmark. Let us see how the tailoring file looks like:
<?xml version="1.0" encoding="UTF-8"?> <xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default"> <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml"/> <xccdf:version time="2016-05-26T14:15:02">1</xccdf:version> <xccdf:Profile id="xccdf_org.ssgproject.content_profile_common_customized" extends="xccdf_org.ssgproject.content_profile_common"> <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Common Profile for General-Purpose Fedora Systems [CUSTOMIZED]</xccdf:title> <xccdf:description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains items common to general-purpose Fedora installations.</xccdf:description> <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/> </xccdf:Profile> </xccdf:Tailoring>
In the example above I have created a really small tailoring file which selects one extra rule in the Fedora common profile from SCAP Security Guide. The most important part of the tailoring file are the Profiles. In our example it’s just the one xccdf_org.ssgproject.content_profile_common_customized profile. Let us copy the entire <xccdf:Profile> element into the clipboard.
If we look at a source datastream file things get a lot more complicated. There are catalogs, checklists, checks, extended components and all sorts of other things. Let us assume that our datastream only contains one XCCDF Benchmark. We first need to find it. Look for the <xccdf:Benchmark> element. Keep in mind that the XML namespace prefixes may differ depending on where you got the content.
<ds:component id="scap_org.open-scap_comp_ssg-fedora-xccdf-1.2.xml" timestamp="2016-05-10T14:08:41"><Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_FEDORA" resolved="1" xml:lang="en-US" style="SCAP_1.2"> <status date="2016-05-10">draft</status> <title xml:lang="en-US">Guide to the Secure Configuration of Fedora</title> <description xml:lang="en-US">This guide presents a catalog of security-relevant configuration settings for Fedora operating system formatted in the eXtensible Configuration Checklist Description Format (XCCDF). <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> <html:br xmlns:html="http://www.w3.org/1999/xhtml"/> Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy
OK, so we have found the Benchmark! That’s the hardest part of this whole operation. We now need to find a good place to insert the Profile element. I like to insert tailored profiles as the last Profile in the benchmark. This ensures that the profiles they are derived from come first.
<refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" selector="7"/> <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_num_logs" selector="5"/> <refine-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" selector="5_minutes"/> </Profile> ... INSERT HERE ... <Group id="xccdf_org.ssgproject.content_group_intro"> <title xml:lang="en-US">Introduction</title> <description xml:lang="en-US">
Insert the Profile, make sure you add the namespace declaration if necessary, save the file and we are done! We can now upload this file to Satellite 6 and use our customized profile.
Option 2: Use a script
I have written a small Python helper script that does this entire surgical operation for you. Check it out at https://github.com/mpreisler/combine-tailoring.
Usage:
./combine-tailoring.py ssg-fedora-ds.xml ssg-fedora-ds-tailoring.xml --output o.xml
It is a quick and dirty script, pull requests welcome.
The resulting file can be used in Satellite 6 and the customized profile will show up.
Great help, thanks!
/combine-tailoring.py ssg-rhel7-ds.xml tailoring-xccdf.xml –output test-ssg-centos7.ds.xml
Traceback (most recent call last):
File “./combine-tailoring.py”, line 87, in
main()
File “./combine-tailoring.py”, line 68, in main
“benchmarks.” % (len(benchmarks))
RuntimeError: Expected exactly one Benchmark in the file, instead found 2 benchmarks.
Thanks for the bug report. The script doesn’t handle the new fancy multi benchmark datastreams well. Patches welcome!
To workaround this you could also use an older SSG release that doesn’t have multi benchmark datastreams.
Hello,
Do you plan to create a new version of the script?
I tried to merge the two files; however I have the same problem as the user above.
RuntimeError: Expected exactly one Benchmark in the file, instead found 2 benchmarks.
I fixed the issue using the next procedure:
– remove the unused benchmarks from the ssg-rhel-ds.xml file.
– run the script
– remove any paragraphs that have the unused benchmarks from the output file.
– generate a report.
It worked fine.
In foreman_openscap 0.6.5+ the native support for tailoring files was added. The same way one upload the scap content file, the tailoring file can be uploaded. Later when a policy is defined, user chooses the scap content file and it’s xccdf profile and optionally the tailoring file that should be applied withing this policy. For more information, please see https://theforeman.org/plugins/foreman_openscap/0.6/index.html#4.5Tailoringfiles(foreman_openscap>=0.6.5)
I have created a pull request for original repository for multi benchmark support,
You can get it from https://github.com/brlbil/combine-tailoring/tree/multibenchmark
Martin,
We spoke yesterday in the freenode #openscap. I tried inserting the profile piece of my tailoring file into the datastream file. Now, our tailored profile is based off of the C2S profile. I appended the tailored profile section we created directly after the end of the C2S profile in the ssg-rhel7-ds.xml, however Sat 6 still says it is not a valid OSCAP datastream. Do you have any words of advice?
Thanks in advance,
Cody