How to perform security audits on Ubuntu server with OpenSCAP

Are your Linux server patches up to date? Find out with OpenSCAP.


Your data center probably runs a number of Linux servers, whether as container hosts, virtual machines, or dedicated application servers. Because of that, you want to know as much as possible about the state of those servers: are they patched, or are they vulnerable to known CVEs? Answering that question means running security audits.

But how, and with which tools? A search for Linux audit tools returns more results than you probably care to sift through. Among them you'll come across one tool that is well suited to this job: OpenSCAP.


OpenSCAP provides the tools admins and auditors need to assess, measure, and enforce security baselines. It is fairly easy to install and almost as easy to use. In this article we use one part of it: evaluating the OVAL CVE definitions a distribution publishes, which tells you whether packages with known vulnerabilities are installed. (Checking a configuration baseline with an XCCDF profile is a separate use of the same oscap command and is not covered here.) I'm going to demonstrate how to do this on Ubuntu Server 18.04.

What you need

The only things you need are a working instance of Ubuntu Server 18.04 and a user account with sudo privileges. A running web server is optional; it is only used at the end to view the HTML report in a browser, and any other way of copying the report off the server works just as well. With that in mind, let's get on with the audit.

Installation

The first task is the installation of OpenSCAP. Since we're working from the command line, we only need the OpenSCAP base package, which provides the oscap command-line tool. Open a terminal window (or log into your Linux server) and issue the command:

sudo apt-get install libopenscap8 -y

If your data center server is CentOS, you can install the tool with the command:

sudo yum install openscap-scanner

Once the installation completes, you're ready to continue.

Download the SCAP profile

Next we need to download the Ubuntu-specific OVAL definitions that the oscap command will evaluate. Each definition describes one CVE and the package versions that fix it. On the off chance your Ubuntu machine doesn't include the wget command, install it with:

sudo apt-get install wget -y

With wget installed, download the OVAL definitions for your release with the command:

wget https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml

The file name must match the codename of the release you are auditing: bionic is Ubuntu 18.04, while xenial is Ubuntu 16.04. If you are not sure which you are running, lsb_release -cs prints the codename. Evaluating the definitions for the wrong release produces a report that looks fine but says nothing about your host.

Warning: this download will take a minute or two (it's a large file, and the server is not fast).

Note: If you run RHEL on your data center servers, the OVAL definitions can be downloaded with the command below. Be aware that Red Hat's definitions check for Red Hat's own release package and package signatures, so they will not give accurate results on CentOS, whose packages are rebuilt and signed separately.

wget https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2

You will then need to extract that file with the command:

bunzip2 com.redhat.rhsa-RHEL7.xml.bz2

Run the audit

Now that you have the definitions in place, it's time to run the audit. Issue the following command, substituting the file you downloaded for your release (for 18.04 that is the bionic file):

oscap oval eval --results /tmp/oscap_results.xml --report /tmp/oscap_report.html com.ubuntu.bionic.cve.oval.xml

The full scan takes considerable time. oscap first has to parse the large definitions file, so initially nothing appears on stdout and it will look as if it is doing nothing. It is working; be patient. Once evaluation starts, it prints one line per definition with its result (true or false).

View the report

The scan writes its results into two files, an .xml file (machine-readable results) and an .html report. We want to view the .html file. One way to do that is to copy it into your web server's document root:

sudo cp /tmp/oscap_report.html /var/www/html/

Note: If the document root of your web server is somewhere other than /var/www/html, copy the report there instead. Point your browser to http://SERVER_IP/oscap_report.html (where SERVER_IP is the IP address of your Linux server). Keep in mind that this report lists exactly which CVEs the host is vulnerable to, so do not leave it on a web server that is reachable from outside your network; remove it after viewing, or copy it to your workstation (for example with scp) and open it locally instead. What you should see is a fairly lengthy report, detailing every scan result (Figure A).


Figure A: The results of an oscap scan.

As you can see, the results display the details of each definition, as well as a link to the CVE it covers. A result of true means the definition matched: a package version affected by that CVE is installed on the host, and you will want to address it immediately. A result of false means the fixed version is installed or the package is not present at all. There are quite a lot of definitions tested (more than 13,000), so hopefully your Ubuntu server will come up false for every one of them.

Of course, you don't really have to scroll through the entirety of the results. You can always do a quick glance at the OVAL Results Generator Information (Figure B) to see how many vulnerabilities are:

  • Unpatched (red)
  • Patched (green)
  • Errors (yellow)
  • Unknown (blue)
  • Other (white)

Figure B: The quick-view results of our report.

Should you see anything in red, scroll through the listing, find out which packages are unpatched, apply the updates, and then re-run the scan to confirm the result has gone to false.
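The steps above, pulled together into one script, as an added example that is not part of the original article or of the OpenSCAP project: it picks the OVAL feed for the host's own release codename, runs the same oscap command, and then summarizes the results .xml on the command line (the per-status breakdown from Figure B plus the ids that came back true), so the HTML report never has to be copied into a web root. The script name oval-audit.sh, the function names, and the sample results file (a constructed stand-in for real scan output, with placeholder definition ids) are all assumptions of this example; the feed URL pattern and the oscap invocation are the ones the article uses.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: audit an Ubuntu host against
# Canonical's OVAL CVE feed for its own release and summarize the results file
# on the command line, so nothing has to be copied into a web root.
set -euo pipefail

# Build the feed URL for a release codename (same URL pattern the article uses;
# the codename must match the host, e.g. bionic for 18.04, xenial for 16.04).
oval_url() {
    local codename="$1"
    echo "https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.${codename}.cve.oval.xml"
}

# Extract each <definition .../> element from an oscap OVAL results file.
# Only grep is used so this works on a minimal server image without xmllint.
definition_elements() {
    grep -o '<definition [^>]*>' "$1" || true
}

# Number of definitions that evaluated to "true" (vulnerable package installed).
count_vulnerable() {
    definition_elements "$1" | grep -c 'result="true"' || true
}

# Definition ids that evaluated to true, one per line, for lookup in the HTML
# report or in the OVAL file's <metadata> (which carries the CVE id).
list_vulnerable() {
    definition_elements "$1" \
        | grep 'result="true"' \
        | sed -n 's/.*definition_id="\([^"]*\)".*/\1/p' || true
}

# Count per result value (true/false/error/unknown/not applicable...), the same
# breakdown the HTML report shows in its "OVAL Results Generator Information".
result_breakdown() {
    definition_elements "$1" \
        | sed -n 's/.*result="\([^"]*\)".*/\1/p' \
        | sort | uniq -c
}

# End-to-end audit: fetch the feed for this host's codename (lsb_release is
# present on Ubuntu Server), evaluate it and summarize. Files land in $outdir.
run_audit() {
    local outdir="${1:-/tmp}"
    local codename oval results
    codename="$(lsb_release -cs)"
    oval="${outdir}/com.ubuntu.${codename}.cve.oval.xml"
    results="${outdir}/oscap_results.xml"
    wget -q -O "$oval" "$(oval_url "$codename")"
    # oscap's exit status can be non-zero when definitions evaluate true,
    # so do not let set -e abort before the summary is printed.
    oscap oval eval --results "$results" \
        --report "${outdir}/oscap_report.html" "$oval" > /dev/null || true
    echo "Result breakdown:"
    result_breakdown "$results"
    echo "Unpatched (true): $(count_vulnerable "$results")"
    list_vulnerable "$results"
}

# Constructed sample shaped like an oscap OVAL results file (placeholder ids,
# not real scan output) so the summary functions can be tried without a scan.
write_sample_results() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.ubuntu.bionic:def:100" version="1" result="false"/>
        <definition definition_id="oval:com.ubuntu.bionic:def:101" version="1" result="true"/>
        <definition definition_id="oval:com.ubuntu.bionic:def:102" version="1" result="not applicable"/>
        <definition definition_id="oval:com.ubuntu.bionic:def:103" version="1" result="true"/>
      </definitions>
    </system>
  </results>
</oval_results>
EOF
}

# Usage: ./oval-audit.sh run [outdir]   -> real audit on this host
#        ./oval-audit.sh demo           -> summarize the constructed sample
case "${1:-}" in
    run)  run_audit "${2:-/tmp}" ;;
    demo) sample="$(mktemp)"; write_sample_results "$sample"
          result_breakdown "$sample"; list_vulnerable "$sample"; rm -f "$sample" ;;
esac
```

Run it as ./oval-audit.sh run on the server to perform the actual audit, or ./oval-audit.sh demo anywhere to see the summary functions work on the constructed sample. Because the summary is printed to the terminal, the script fits naturally into a cron job or an SSH loop over several hosts, and the .html report stays in /tmp for the occasions when you want the full detail.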

Reliable CVE scan

This is a reliable way to check your data center Linux servers against known vulnerabilities, using the same CVE data the distribution publishes. Give OpenSCAP a try, and see if it doesn't keep you as informed about the state of your Linux server vulnerabilities as you can be.


By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.