I am exploring how to create a Fedora CoreOS server that can pass as many security checks as possible. However, I am not a security guru. Make sure to vet anything you read here with your own experts.

This work is being done at the request of the Enterprise Container Working Group (ECWG) of the Office of Information and Technology (OIT - https://www.oit.va.gov/) at the Department of Veteran Affairs.

Goal

Run oscap on a Fedora CoreOS server.

Definitions

Fedora CoreOS is an automatically-updating, minimal operating system for running containerized workloads securely and at scale. However, we’ll probably be replacing virtual servers instead of updating them.

OpenSCAP is an ecosystem providing multiple tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines. SCAP or Security Content Automation Protocol is a U.S. standard maintained by National Institute of Standards and Technology (NIST).

rpm-ostree - rpm-ostree is a hybrid image/package system. It uses libOSTree as a base image format, and accepts RPM on both the client and server side, sharing code with the dnf project

XCCDF - XCCDF is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems.

Installation

The first step is to install the software.

sudo rpm-ostree install openscap-scanner scap-security-guide zip
sudo reboot

Of note is that the installation provides the following files.

$ ls -c1  /usr/share/xml/scap/ssg/content/*fedora*.xml
/usr/share/xml/scap/ssg/content/ssg-fedora-cpe-dictionary.xml
/usr/share/xml/scap/ssg/content/ssg-fedora-cpe-oval.xml
/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml
/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml
/usr/share/xml/scap/ssg/content/ssg-fedora-oval.xml
/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml

I don’t yet know how they are used, but the XCCDF file looks promising. We can find more information. The profiles are relevant, I think.

$ oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml
Document type: XCCDF Checklist
Checklist version: 1.1
Imported: 1970-01-01T00:00:00
Status: draft
Generated: 2020-06-03
Resolved: true
Profiles:
	Title: OSPP - Protection Profile for General Purpose Operating Systems
		Id: ospp
	Title: PCI-DSS v3 Control Baseline for Fedora
		Id: pci-dss
	Title: Standard System Security Profile for Fedora
		Id: standard
Referenced check files:
	ssg-fedora-oval.xml
		system: http://oval.mitre.org/XMLSchema/oval-definitions-5
	ssg-fedora-ocil.xml
		system: http://scap.nist.gov/schema/ocil/2

Run Evaluation

Let’s use the standard profile to run an evaluation. I change the ownership of the result files so that I can scp them to my local workstation.

sudo oscap xccdf eval \
    --profile standard \
    --fetch-remote-resources \
    --report xccdf-report.html \
    --results ssg-fedora-xccdf-results.xml \
    /usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml

sudo chown core:core xccdf-report.html ssg-fedora-xccdf-results.xml

Open the HTML file in a web broswer to view the results.

Generate Fixes

oscap has a wonderful feature to suggest fixes. The following command does this. It does not need to be run as root. If you prefer a different fix-type, use --help to learn how.

oscap xccdf generate fix \
    --fix-type ansible \
    --output playbook-xccdf-fixes.yml \
    --profile standard \
    ssg-fedora-xccdf-results.xml

Right off the bat, I needed to add to the playbook.

    become: yes

    vars:   
        ansible_python_interpreter: '/usr/bin/python3'

These changes allowed the playbook to get started but it wasn’t long before the first task failure. That’s tale for another time.

Generate Guide

oscap xccdf generate guide \
    --profile standard \
    --output xccdf-guide.html \
    ssg-fedora-xccdf-results.xml