Scanning your system for security problems

dos2unix

This article is 100% meat free, 100% peanut free, and 100% AI free.

I like to use a tool called openscap. There are others; Ansible also has a good script.

You need to install it. For rpm-based systems, it looks like this.

Code:
dnf install -y openscap openscap-perl openscap-python3 openscap-scanner openscap-utils openscap-report oscap-anaconda-addon

For deb/apt-based systems, it looks like this.

Code:
apt-get install openscap openscap-perl python3-openscap openscap-utils

Next, we need to find out what scan profiles are available for your flavor of Linux.

Code:
ls /usr/share/xml/scap/ssg/content/

ssg-al2023-ds.xml    ssg-chromium-ds.xml  ssg-fedora-ds.xml         ssg-ol7-ds.xml            ssg-rhcos4-ds.xml  ssg-sle15-ds.xml
ssg-alinux2-ds.xml   ssg-cs10-ds.xml      ssg-firefox-ds.xml        ssg-ol8-ds.xml            ssg-rhel10-ds.xml  ssg-slmicro5-ds.xml
ssg-alinux3-ds.xml   ssg-cs9-ds.xml       ssg-kylinserver10-ds.xml  ssg-ol9-ds.xml            ssg-rhel8-ds.xml   ssg-ubuntu1604-ds.xml
ssg-anolis23-ds.xml  ssg-debian11-ds.xml  ssg-macos1015-ds.xml      ssg-openembedded-ds.xml   ssg-rhel9-ds.xml   ssg-ubuntu1804-ds.xml
ssg-anolis8-ds.xml   ssg-debian12-ds.xml  ssg-ocp4-ds.xml           ssg-openeuler2203-ds.xml  ssg-rhv4-ds.xml    ssg-ubuntu2004-ds.xml
ssg-centos8-ds.xml   ssg-eks-ds.xml       ssg-ol10-ds.xml           ssg-opensuse-ds.xml       ssg-sle12-ds.xml   ssg-ubuntu2204-ds.xml

We can see quite a few in here: Debian, Ubuntu, Fedora, Red Hat, openSUSE, and a few others.
The name of the xml file should make it obvious which distro it's for.

Now we need to run a command to see what scan profiles are available for your distro.
In my case, I'm using Fedora, so I would use this command.

Code:
oscap info /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

That returns some output that looks like this.

Code:
Document type: Source Data Stream
Imported: 2024-11-13T16:00:00

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-fedora-xccdf.xml
Generated: (null)
Version: 1.3
Checklists:
        Ref-Id: scap_org.open-scap_cref_ssg-fedora-xccdf.xml
                Status: draft
                Generated: 2024-12-04
                Resolved: true
                Profiles:
                        Title: CUSP - Common User Security Profile for Fedora Workstation
                                Id: xccdf_org.ssgproject.content_profile_cusp_fedora
                        Title: OSPP - Protection Profile for General Purpose Operating Systems
                                Id: xccdf_org.ssgproject.content_profile_ospp
                        Title: PCI-DSS v3.2.1 Control Baseline for Fedora
                                Id: xccdf_org.ssgproject.content_profile_pci-dss
                        Title: Standard System Security Profile for Fedora
                                Id: xccdf_org.ssgproject.content_profile_standard
                Referenced check files:
                        ssg-fedora-oval.xml
                                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
                        ssg-fedora-ocil.xml
                                system: http://scap.nist.gov/schema/ocil/2
Checks:
        Ref-Id: scap_org.open-scap_cref_ssg-fedora-oval.xml
        Ref-Id: scap_org.open-scap_cref_ssg-fedora-ocil.xml
        Ref-Id: scap_org.open-scap_cref_ssg-fedora-cpe-oval.xml
Dictionaries:
        Ref-Id: scap_org.open-scap_cref_ssg-fedora-cpe-dictionary.xml

Obviously if you're using a different distro, it will look a little different for you.

But notice that under the "Profiles" section it lists four profiles I can use to scan.
There is a common one, a standard one, and a general-purpose one; there is also one for PCI.
You can use any one of the profiles you want, but I'm just going to pick the common (CUSP) one for
this scan. Just replace the profile name with whichever one you want to use.

So, to scan my system, I would use:

Code:
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cusp_fedora /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

I need to enter both the profile and the xml file where the profile is referenced.
This can take a while to run depending on the speed of your computer and how many packages you have installed.

Note: This doesn't fix anything for you (that's another article, maybe).
It just shows you where the potential security problems might be.

Now as you watch all this scrolling by, you'll notice it's a pretty big report. How do we make this more manageable?

Code:
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cusp_fedora --report report.html /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml

You can output the results as an html file and view it in your browser. It normally places this in the directory you ran the command from.
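The steps above (find the datastream for your distro, list its profiles, run the scan and keep the report) as one script. This is an added example, not code from the original post: the ID/VERSION_ID to ssg-<distro>-ds.xml mapping is my own and only covers distros visible in the ls output above, the content directory is assumed to be the one used in the post (on Fedora/RHEL the datastreams come from the scap-security-guide package), and the script names report-<date>.html / arf-<date>.xml are my choice. The one thing the post's interactive commands don't show is that oscap's exit code carries meaning: 0 means every rule passed, 1 means the scan itself errored, and 2 means the scan finished but at least one rule failed, so a non-zero exit is not automatically a broken tool.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. It wraps the page's three
# steps (find the datastream, list its profiles, run the scan) in functions.
# Assumption: SSG content lives in /usr/share/xml/scap/ssg/content/ as in the
# post; the ID/VERSION_ID -> filename mapping below is my own and covers only
# the distros visible in the page's `ls` output.

SSG_DIR="${SSG_DIR:-/usr/share/xml/scap/ssg/content}"

# Map /etc/os-release ID and VERSION_ID to an ssg-<distro>-ds.xml file name.
# Returns 1 for a distro this mapping does not know about.
ssg_datastream_name() {
    local id="$1" ver="$2"
    local major="${ver%%.*}"
    case "$id" in
        fedora)    echo "ssg-fedora-ds.xml" ;;
        rhel)      echo "ssg-rhel${major}-ds.xml" ;;
        centos)    # CentOS 8 ships as ssg-centos8; CentOS Stream 9+ as ssg-cs9 / ssg-cs10
                   if [ "$major" = "8" ]; then echo "ssg-centos8-ds.xml"; else echo "ssg-cs${major}-ds.xml"; fi ;;
        ol)        echo "ssg-ol${major}-ds.xml" ;;
        debian)    echo "ssg-debian${major}-ds.xml" ;;
        ubuntu)    echo "ssg-ubuntu$(printf '%s' "$ver" | tr -d .)-ds.xml" ;;   # 22.04 -> 2204
        opensuse*) echo "ssg-opensuse-ds.xml" ;;
        sles)      echo "ssg-sle${major}-ds.xml" ;;
        *)         return 1 ;;
    esac
}

# Read ID and VERSION_ID from an os-release file (default: /etc/os-release).
detect_datastream() {
    local file="${1:-/etc/os-release}"
    local id ver
    id=$(. "$file" && printf '%s' "$ID")
    ver=$(. "$file" && printf '%s' "$VERSION_ID")
    ssg_datastream_name "$id" "$ver"
}

# oscap xccdf eval exit codes: 0 = every rule passed, 1 = error while scanning,
# 2 = scan finished but at least one rule failed. A non-zero code therefore
# does not necessarily mean the tool broke; check which one you got.
describe_oscap_status() {
    case "$1" in
        0) echo "pass" ;;
        2) echo "fail" ;;
        *) echo "error" ;;
    esac
}

# List profile IDs and titles of a datastream (oscap info --profiles exists in
# OpenSCAP 1.3 and later; older builds need the plain `oscap info` from the post).
list_profiles() {
    oscap info --profiles "$1"
}

# Run the scan, keeping the HTML report for humans and the ARF XML for
# tooling. Returns the oscap exit code so the caller can act on it.
run_scan() {
    local profile="$1" ds="$2" stamp rc=0
    stamp=$(date +%F)
    sudo oscap xccdf eval --profile "$profile" \
        --results-arf "arf-${stamp}.xml" \
        --report "report-${stamp}.html" \
        "$ds" || rc=$?
    echo "scan status: $(describe_oscap_status "$rc") (oscap exit code $rc)"
    return "$rc"
}

# Usage: ./scan.sh <profile-id>
#   e.g. ./scan.sh xccdf_org.ssgproject.content_profile_cusp_fedora
# Without an argument the script only defines the functions above.
if [ -n "${1:-}" ]; then
    ds="$SSG_DIR/$(detect_datastream)" || { echo "no SSG datastream known for this distro" >&2; exit 1; }
    [ -f "$ds" ] || { echo "$ds not found (install the SSG content package)" >&2; exit 1; }
    list_profiles "$ds"
    run_scan "$1" "$ds"
fi
```

Because run_scan passes oscap's exit code through, the script can sit in cron or a CI job and a status of 2 can be turned into an alert while 1 is treated as a tooling problem; the ARF file next to the HTML report is what you feed to anything that wants to diff results between runs.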
 
I should probably have one of the site admins move this to the "Server Security" forum.

@KGIII @wizardfromoz
 
I should probably have one of the site admins move this to the "Server Security" forum.
I'm surprised that your articles have not found their place in Forum Tutorials, especially since new tutorials are not being made.
I'm not criticizing, but the Tutorials sections should belong to skilled and dedicated people who write good articles and not to a single person.

However, I do think that a tutorial should be more comprehensive to avoid as many sub-questions as possible.
And I'm against the AI; the best tutorial is one that's written solely based on testing and hand-written on the tutorial writer's computer rather than using AI.

Curious what @wizardfromoz , @KGIII and @Rob have to say about it?
 
There has been some discussion about this.
I have over 10K lines of high-quality tutorials that I made myself to recall fixing problems, and I keep them for myself since I started using Linux.

However, I'm not sharing them with anybody because one day I might want to sell them to blogs, but this was only a wish that I forgot about and am no longer interested in.

If you think you can spend your time sharing expertise and doing extensive testing, there are many blogs out there that pay for collaboration.
But it requires dedication and a lot of time. I dislike how AI-generated stuff gets its place on such blogs, though. It feels like my work would not gain any value, and also a lot of niche stuff has already been written everywhere, so one needs to write something new that is also attractive and short enough.
 
Good sites to be familiar with.




You can get automated email feeds from these sites. I did this for a while, but sometimes I got over 50 emails a day.
For now, I usually just try to scan through the big ones.
 
Good sites to be familiar with.
Here are 2 more:


This one is about choosing software:
 
@dos2unix Aren't tools like openscap more for scanning servers, as in I'd expect a default desktop installation to be secure enough for the average user?
 
Aren't tools like openscap more for scanning servers, as in I'd expect a default desktop installation to be secure enough for the average user?

I agree. I don't really run it on my desktop systems. I have, but it's not something I make a habit of.
But there are the hacker types you "just need to know".
The other side of this is... if you are a hacker, you can find the weak spots with this.

Usually, your ISP router has a firewall that's going to block you from 99% of this stuff.
 