Are your Linux server patches up to date? Find out with OpenSCAP.
Your data center probably makes use of a few Linux servers, whether for containers, virtual machines, or other workloads. Because of this, you want to know as much about those servers as possible. Are they patched, or are they vulnerable? To answer that, you need to run security audits.
But how? Which tools should you use? If you do a search for Linux audit tools, you'll find more results than you probably care to scan. However, among the results you'll come across one such tool, called OpenSCAP.
OpenSCAP provides the necessary tools for admins and auditors to assess, measure, and enforce security baselines. It's fairly easy to install and almost as easy to use. I'm going to demonstrate how to do just this on Ubuntu Server 18.04.
What you need
The only things you need to make this happen are a working instance of Ubuntu Server 18.04 (with a running web server) and a user account with sudo privileges. With that in mind, let's get on with the audit.
The first task to take care of is the installation of OpenSCAP. Since we're working from the command line, we're going to install only the OpenSCAP base (a command line-only tool). To do this, open a terminal window (or log into your Linux server) and issue the command:
sudo apt-get install libopenscap8 -y
If your data center server is CentOS, you can install the tool with the command:
sudo yum install openscap-scanner
Once the installation completes, you're ready to continue.
Download the SCAP profile
Next, we need to download the Ubuntu-specific profile that the OpenSCAP command will use for the audit. On the off chance your Ubuntu machine doesn't include the wget command, install it with:
sudo apt-get install wget -y
With wget installed, download the necessary OVAL definitions with the command:
Warning: this download will take a minute or two (it's a large file coming from a sluggish server).
Note: If you run CentOS or RHEL on your data center servers, the OVAL definitions can be downloaded with the command:
You will then need to extract that file with the command:
Run the audit
Now that you have the profile in place, it's time to run the audit. For that, issue the command:
oscap oval eval --results /tmp/oscap_results.xml --report /tmp/oscap_report.html com.ubuntu.xenial.cve.oval.xml
The full scan takes considerable time (and initially writes nothing to stdout), so it will appear to be doing nothing. It is working; be patient.
View the report
The scan writes its results into two files, an .xml file and an .html file. We want to view the .html file. To do that, issue the command:
sudo cp /tmp/oscap_report.html /var/www/html/
Note: If the document root of your web server is in a location other than /var/www/html, copy the report file there instead. Point your browser to http://SERVER_IP/oscap_report.html (where SERVER_IP is the IP address of your Linux server). What you should see is a fairly lengthy report, detailing every scan result provided (Figure A).
As you can see, the results display the details of each vulnerability, as well as a link to the CVE for each one. If you see any result listed as true, you will want to address that vulnerability immediately. Be aware that quite a lot of vulnerabilities are tested (more than 13,000), so hopefully your Ubuntu server will come up false for every test.
Of course, you don't really have to scroll through the entirety of the results. You can always do a quick glance at the OVAL Results Generator Information (Figure B) to see how many vulnerabilities are:
- Unpatched (red)
- Patched (green)
- Errors (yellow)
- Unknown (blue)
- Other (white)
Should you see anything in red, you need to scroll through the listing, find out what is unpatched, and patch it right away.
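If you would rather get those counts (and the list of definitions that came back true) from the command line than from the HTML report, the --results XML file from the scan can be parsed directly. The following script is an added example written for this article, not part of OpenSCAP or the original text; it assumes the standard OVAL results layout (definition titles under oval_definitions, per-definition outcomes under results/system/definitions). The embedded sample XML is constructed for illustration, and its definition ids and CVE numbers are placeholders rather than real advisories.

```python
"""Summarise an OpenSCAP OVAL results file such as /tmp/oscap_results.xml.

Added example (not from the article or the OpenSCAP project). Assumed layout:
  - definition metadata (titles with the CVE) under the oval_definitions element
  - per-definition outcomes under results/system/definitions
A result of "true" means the OVAL definition matched, i.e. the host is unpatched.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
}

# Constructed sample standing in for a real results file. The ids and
# CVE numbers are placeholders, not real vulnerabilities.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:com.example:def:1" class="vulnerability" version="1">
        <oval-def:metadata><oval-def:title>CVE-0000-0001 on sample host</oval-def:title></oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.example:def:2" class="vulnerability" version="1">
        <oval-def:metadata><oval-def:title>CVE-0000-0002 on sample host</oval-def:title></oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.example:def:3" class="vulnerability" version="1">
        <oval-def:metadata><oval-def:title>CVE-0000-0003 on sample host</oval-def:title></oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.example:def:4" class="vulnerability" version="1">
        <oval-def:metadata><oval-def:title>CVE-0000-0004 on sample host</oval-def:title></oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.example:def:5" class="vulnerability" version="1">
        <oval-def:metadata><oval-def:title>CVE-0000-0005 on sample host</oval-def:title></oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.example:def:1" result="true" version="1"/>
        <definition definition_id="oval:com.example:def:2" result="false" version="1"/>
        <definition definition_id="oval:com.example:def:3" result="true" version="1"/>
        <definition definition_id="oval:com.example:def:4" result="error" version="1"/>
        <definition definition_id="oval:com.example:def:5" result="unknown" version="1"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""

KNOWN = ("true", "false", "error", "unknown")


def load_titles(root):
    """Map each definition id to its title so results can be labelled with the CVE."""
    titles = {}
    for d in root.iterfind(".//def:definitions/def:definition", NS):
        t = d.find("def:metadata/def:title", NS)
        titles[d.get("id")] = t.text if t is not None and t.text else d.get("id")
    return titles


def summarize(xml_text):
    """Return (Counter of result values, list of titles whose result was true)."""
    root = ET.fromstring(xml_text)
    titles = load_titles(root)
    counts = Counter()
    unpatched = []
    for d in root.iterfind(".//res:results/res:system/res:definitions/res:definition", NS):
        result = d.get("result", "unknown")
        counts[result] += 1
        if result == "true":
            def_id = d.get("definition_id")
            unpatched.append(titles.get(def_id, def_id))
    return counts, unpatched


def format_report(counts, unpatched):
    """Render the same breakdown the HTML report's summary box shows."""
    other = sum(v for k, v in counts.items() if k not in KNOWN)
    lines = [
        f"Unpatched (true): {counts['true']}",
        f"Patched (false):  {counts['false']}",
        f"Errors:           {counts['error']}",
        f"Unknown:          {counts['unknown']}",
        f"Other:            {other}",
    ]
    lines.extend(f"  UNPATCHED: {title}" for title in sorted(unpatched))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 oval_summary.py /tmp/oscap_results.xml (no argument: built-in sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    counts, unpatched = summarize(text)
    print(format_report(counts, unpatched))
    # Non-zero exit when anything is unpatched, so the script can gate a pipeline.
    sys.exit(1 if unpatched else 0)
```

Run it against the real results file from the scan to get the red/green/yellow/blue counts without opening a browser; the non-zero exit code when any definition is true makes it easy to fail a nightly job until the host is patched.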
Reliable CVE scan
This could be your best bet for scanning against known vulnerabilities on your data center Linux servers. Give OpenSCAP a try, and see if it doesn't help ensure you are as informed about the state of your Linux server vulnerabilities as you can be.