Despite being different, Security and Compliance often go hand-in-hand in an IT organization. While it is important to ensure that the IT environment is secure enough to protect against internal and external threats, compliance to applicable standards like HIPAA, PCI-DSS etc. for contractual or, regulatory requirements, holds equal importance.
While these two topics span across multiple components within an IT organization’s infrastructure, in this post, we are going to talk about Linux (specifically Oracle Linux) security and compliance.
How can I ensure that my Oracle Linux environment is secure and compliant?
The very first step to ensure that your Oracle Linux environment is secure and compliant to the applicable minimum standard/s, is to scan and audit your systems for known vulnerabilities and configuration against a pre-defined checklist. There are several tools (both opensource as well as licensed) like Nessus, Nmap, Nikto, OpenVAS and OpenSCAP etc. (the list goes on..) available in the market which can help you to scan your Linux environment and provide necessary recommendations and in some cases remediate known issues for you.
What is OpenSCAP?
While not advocating in favor or, against any of the available products, I found OpenSCAP really easy to install and use. SCAP is the U.S. Standard maintained by NIST (National Institute of Standards and Technology). OpenSCAP is a set or, suite of opensource tools which provides a standardized and automated solution to audit and manage system security and vulnerabilities against a variety of system hardening guidelines and baselines. It is compatible with both Windows and Linux operating systems. The toolset includes:
- OpenSCAP Daemon: continuously evaluates infrastructure components
- OpenSCAP Base: command-line utility to scan systems
- SCAP Workbench: provides capability to scan systems against customized security profile
- SCAPTimony: provides centralized storage of scan findings
- OSCAP Anaconda Add-on: scans the system before it is even created or, installed !!
The Oracle Configuration and compliance cloud offering as part of OMC (Oracle Management Cloud) also uses SCAP for assessments. You can also integrate OpenSCAP with Spacewalk for Oracle!
How to install and audit systems using OpenSCAP?
The method will depend on what you want to go with. The links above provides details on how to install and configure each component and then integrate with OMC or, Spacewalk. The base requirement to install the required packages and security guides remains common though.
If you are an experienced user and would like to perform the scans using command line and also leverage the beauty of ansible, please feel free to download the “ansible-oracle-linux-oscap” role from my github repository.
ansible-oracle-linux-oscap
Ansible role to execute OVAL (Open Vulnerability and Assessment Language) and XCCDF (Extensible Configuration Checklist Description Format) based OSCAP (OpenSCAP) scan on multiple Oracle Linux machines.
Use this role to:
- Install the latest oscap packages and security guides
- Scan Oracle Linux systems
- Collect all the html and xml reports at a centralized location
By default, this role scans the systems based on standard profile however, the behavior can be controlled by the variable “oscap_profile”.
IMP: Do not use this role on engineered systems like (PCA, ZFS and Exadata).
Role variables:
This role requires the following variables which are defined in defaults/main.yml.
oscap_profile: standard
oscap_policy_oel7: ssg-rhel7-xccdf
oscap_policy_oel6: ssg-rhel6-xccdf
local_report_dir: /tmp/oscap-scan-latest
Central_report_dir: /mnt/sec_scan
scap_config_dir: /usr/share/xml/scap/ssg/content
ansible_python_interpreter: "/usr/bin/python"
central_server: <FQDN of ansible controller server>
Download the OVAL definitions file (com.oracle.elsa-all.xml) from https://linux.oracle.com/security/oval/ , save it to {{ Central_report_dir }}/OVAL directory and execute the role in a playbook.
- hosts: servers
roles:
- { role: ansible-oracle-linux-oscap }
Report samples:
IT-Noesis 