OpenSCAP

OpenSCAP is an ecosystem that provides several tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines. It allows the use of different profiles aligned with different standards such as PCI-DSS.

The plugin provides a Technique to execute the OpenSCAP tool at regular interval, centralize the generated report on the Rudder Server, and show the report in a new tab in the Node details for all Nodes having the OpenSCAP Technique.

Installation

  • Your Rudder server must have python-requests and rudder-api-client installed

  • Install the plugin on the Rudder Server with rudder package

Usage

In order to use the Technique provided and get reports from your nodes, you will need to decline it in different directives following your requirements.

The technique comes with two parameters:

  • profile which is the profile name you want to audit

  • scap_file which is the absolute path (on the node) of the SCAP content from which you will base the audit on

OpenSCAP directive example

SCAP content refers to document in the XCCDF, OVAL and Source DataStream formats. These documents can be presented in different forms and by different organizations to meet their security automation and technical implementation needs. You can find more informations on the ComplianceAsCode GitHub project.

By default, available scap_files are located on /usr/share/xml/scap/ssg/content/ after installation of the openSCAP agent on the nodes. Given profiles for specific scap_files can be obtain with the command:

oscap info <scap_file>

The technique will take care of the openSCAP agent installation and will by default, trigger an audit every hour on your nodes. The reporting file will then be uploaded on your Rudder Server under the folder:

/var/rudder/shared-files/root/files/<node-id>/openscap_report.html

Rudder Webapp integration

A new tab in Node Details called OpenSCAP is added by this plugin for nodes configured to have the OpenSCAP Technique running. It displays the report in an iframe in this tab, as it is sent by the node, without any sanitization yet.

OpenSCAP tab in node details

A new API endpoint is also available:

  • /latest/openscap/report/{nodeId} : the OpenSCAP report


← Notification Scale out relay servers →