1
00:00:00,000 --> 00:00:09,000
In this lesson, you are going to learn about OpenSCAP.

2
00:00:09,000 --> 00:00:11,440
OpenSCAP is a vulnerability scanner,

3
00:00:11,440 --> 00:00:15,840
which can scan a system against certain security baselines.

4
00:00:15,840 --> 00:00:18,280
Now, it has command line utilities,

5
00:00:18,280 --> 00:00:20,080
and on RHEL 9,

6
00:00:20,080 --> 00:00:22,200
it also has SCAP Workbench.

7
00:00:22,200 --> 00:00:24,840
They've removed it from RHEL 10 because Red Hat

8
00:00:24,840 --> 00:00:26,879
wants you to use different utilities,

9
00:00:26,879 --> 00:00:29,320
and that is why I'm showing you on RHEL 9.

10
00:00:29,639 --> 00:00:32,639
It's an awesome utility, and let's go check it out.

11
00:00:33,639 --> 00:00:37,480
Okay, let me start by doing a sudo dnf install,

12
00:00:38,360 --> 00:00:39,959
SCAP Workbench.

13
00:00:42,360 --> 00:00:43,919
That's a graphical utility.

14
00:00:43,919 --> 00:00:46,919
There's also a command line scan utility,

15
00:00:46,919 --> 00:00:49,439
but SCAP Workbench is so convenient,

16
00:00:49,439 --> 00:00:51,200
so I want to go for this.

17
00:00:51,840 --> 00:00:55,880
You can see that it's installing the important dependency,

18
00:00:55,880 --> 00:00:57,880
the SCAP security guide.

19
00:00:57,880 --> 00:01:02,160
The SCAP security guide has external security profiles

20
00:01:02,160 --> 00:01:03,480
that have been provided,

21
00:01:03,480 --> 00:01:05,760
and which you can use to easily and conveniently

22
00:01:05,760 --> 00:01:08,320
scan your current systems.

23
00:01:09,120 --> 00:01:10,839
So now that it has been installed,

24
00:01:10,839 --> 00:01:13,919
let's start the SCAP Workbench utility.

25
00:01:16,440 --> 00:01:19,480
And there you can see that it's asking for content to load.

26
00:01:19,480 --> 00:01:22,839
Well, I'm on RHEL 9, so I want to go for RHEL 9.

27
00:01:22,839 --> 00:01:24,959
And next, I'm using load content,

28
00:01:25,000 --> 00:01:28,160
and there you can see the different profiles

29
00:01:28,160 --> 00:01:29,760
that are available.

30
00:01:29,760 --> 00:01:31,080
So the important question is,

31
00:01:31,080 --> 00:01:34,080
which profile do you want to use to scan your system?

32
00:01:34,080 --> 00:01:38,959
Well, I want DISA STIG with GUI for Red Hat Enterprise Linux.

33
00:01:38,959 --> 00:01:41,279
And then you can see all the different rules,

34
00:01:41,279 --> 00:01:43,080
and in all of these different rules,

35
00:01:43,080 --> 00:01:47,360
it is going to see if you are compliant.

36
00:01:47,919 --> 00:01:51,120
And that is the entire idea.

37
00:01:51,120 --> 00:01:53,680
If you don't like the different settings,

38
00:01:53,680 --> 00:01:56,320
you can also do your customization.

39
00:01:56,320 --> 00:01:58,959
And in the customization, you get an entire tree

40
00:01:58,959 --> 00:02:02,000
with all the different options that are available.

41
00:02:02,000 --> 00:02:06,839
And here you can enable or disable specific options

42
00:02:06,839 --> 00:02:08,520
that are provided.

43
00:02:08,520 --> 00:02:10,039
I'm not going to do any of these.

44
00:02:10,039 --> 00:02:12,080
Let's just use the default solution,

45
00:02:12,080 --> 00:02:14,160
and then we are going to scan.

46
00:02:15,360 --> 00:02:16,479
Now, in order to scan,

47
00:02:16,479 --> 00:02:19,199
obviously you need administrator privileges.

48
00:02:19,199 --> 00:02:23,039
So it's prompting for my sudo password,

49
00:02:23,039 --> 00:02:25,360
and here it is generating the report

50
00:02:25,360 --> 00:02:28,479
on my out-of-the-box RHEL 9 installation.

51
00:02:29,479 --> 00:02:31,559
Depending on the size of your system,

52
00:02:31,559 --> 00:02:33,479
this might take a couple of minutes.

53
00:02:34,360 --> 00:02:36,199
So now it is done,

54
00:02:36,199 --> 00:02:39,839
and I can have a look at the rules

55
00:02:39,839 --> 00:02:42,720
and whether or not it was compliant.

56
00:02:42,720 --> 00:02:45,639
So here we can see configure auditd disk error action

57
00:02:45,639 --> 00:02:47,360
on disk error with a description.

58
00:02:47,360 --> 00:02:48,679
Just click it open,

59
00:02:48,679 --> 00:02:51,679
and you can see what is going on.

60
00:02:51,679 --> 00:02:56,000
Now, one of the nicest things about this OpenSCAP utility

61
00:02:56,000 --> 00:02:59,399
is that you can generate remediation roles,

62
00:02:59,399 --> 00:03:01,639
and that would be either a shell script

63
00:03:01,639 --> 00:03:07,399
or an Ansible playbook or a Puppet manifest.

64
00:03:07,399 --> 00:03:11,199
So select whichever solution you want,

65
00:03:11,199 --> 00:03:16,199
and here you can see it wants to generate remediation.sh.

66
00:03:16,199 --> 00:03:19,000
Well, let me save remediation.sh

67
00:03:19,000 --> 00:03:22,679
so that it can create the shell script.

68
00:03:22,679 --> 00:03:25,960
So then once you are done,

69
00:03:25,960 --> 00:03:28,559
you can close the utility,

70
00:03:28,559 --> 00:03:30,960
and now it's closing the main window.

71
00:03:30,960 --> 00:03:33,360
Once it is done and it has closed everything,

72
00:03:33,360 --> 00:03:36,559
I can check out my shell script.

73
00:03:36,559 --> 00:03:40,759
So the next step would be to use your remediation shell script

74
00:03:40,759 --> 00:03:44,279
or your Ansible playbook or your Puppet manifest

75
00:03:44,279 --> 00:03:46,520
to make sure that your system is compliant.

