Quick review of SPAWAR SCC 4.2 Beta 1 with OpenSCAP/SCAP Security Guide

Earlier today (Fri 3-FEB-2017), SPAWAR released a beta edition of their SCAP Compliance Checker, 4.2 Beta 1, also known as SPAWAR SCC. The tool works across multiple operating systems, and the latest release “adds NIST 800-53 mappings to reports when CCE/CCI references are included in the content.” The inclusion of NIST and CCE metadata is extremely helpful when reporting compliance of US Government systems, so let's try it out!

I first met Jack Vander Pol, the SPAWAR Project Manager behind the SPAWAR SCC, during the Military Open Source Software Working Group in 2013. We wanted to talk through collaboration between the OpenSCAP and SPAWAR SCC communities — could we open source the government tooling? Could we share code between OpenSCAP and SPAWAR SCC? Would SCC run SCAP Security Guide content?

These deep collaboration questions required a productive space in which to have them. Jack suggested a local Charleston brewery, where these topics were discussed over a few pints and cornhole games :). It was really great to get to know Jack and his team. They agreed to give Red Hat access to their beta releases to ensure OpenSCAP content works without a hitch — a relationship that’s now going on its 5th year.

This post documents my experience installing and using SCC 4.2 Beta 1. The average reader may not find such verbose notes interesting, but I'm posting them to share feedback with our friends at SPAWAR.

INSTALLATION
  • STEP 1: Unzip the original file
    SPAWAR SCC ships in a zip file, which you decompress to find an RPM (alongside a tarball, release notes, the user manual and a checksums file). Given that SPAWAR has to publish one download format that serves multiple platforms, embedding an RPM inside a ZIP file can be forgiven ;)

    $ unzip SCC_4.2_BETA1_rhel_x86_64.zip 
    Archive:  SCC_4.2_BETA1_rhel_x86_64.zip
      inflating: SCC_4.2_BETA1_rhel_x86_64/SCC_4.2_BETA1_rhel_x86_64_checksums.txt  
      inflating: SCC_4.2_BETA1_rhel_x86_64/SCC_4.2_BETA1_rhel_x86_64_ReleaseNotes.txt  
      inflating: SCC_4.2_BETA1_rhel_x86_64/SCC_4.2_BETA1_rhel_x86_64_UserManual.pdf  
      inflating: SCC_4.2_BETA1_rhel_x86_64/scc-4.2_beta1.x86_64.rpm  
      inflating: SCC_4.2_BETA1_rhel_x86_64/scc-4.2_beta1_rhel_x86_64.tar.gz  
    
  • STEP 2: Install the RPM
    I haven’t tinkered with SCC for about six months, so I don’t recall where things get installed. To check install directories prior to (blindly) installing an RPM, we can use the rpm -qp (RPM query package) command:

    $ rpm -qp scc-4.2_beta1.x86_64.rpm -i
    Name        : spawarscc
    Version     : 4.2
    Release     : beta1
    Architecture: x86_64
    Install Date: (not installed)
    Group       : Applications/System
    Size        : 116682145
    License     : DFARS
    Signature   : (none)
    Source RPM  : spawarscc-4.2-beta1.src.rpm
    Build Date  : Thu 02 Feb 2017 10:27:22 AM EST
    Build Host  : scc-build-centos-511-x86-64.testlab.chs
    Relocations : /opt 
    URL         : http://www.public.navy.mil/spawar/Atlantic/ProductsServices/Pages/SCAP.aspx
    Summary     : SCAP Content Checker
    Description :
    SCAP Compliance Checker
    
    SPAWAR's SCAP Validated FDCC Scanner and Open Vulnerability Assessment
    Language (OVAL) adopter, capable of performing compliance verification
    using SCAP content, and authenticated vulnerability scanning using OVAL
    content.
    

    Looks like everything gets dropped into /opt (Relocations: /opt means the package is relocatable, with /opt as its default prefix). Two other fields deserve a glance before installing. Signature: (none) says the RPM is unsigned, so rpm --checksig cannot tell you who built it; the only integrity check available is comparing the file against the SCC_4.2_BETA1_rhel_x86_64_checksums.txt shipped in the zip, which catches a corrupted download but, coming from the same archive, says nothing about tampering. We can further explore what gets installed via `rpm -qpl` (query package, list files).

    The output is rather long, so it is truncated here:

    $ rpm -qpl scc-4.2_beta1.x86_64.rpm 
    /etc/pam.d/scc_root
    /opt
    /opt/scc
    /opt/scc/Documentation
    ....
    /opt/scc/cscc
    /opt/scc/cscc.bin
    /opt/scc/scc
    /opt/scc/scc.bin
    /usr/share/man/man1/cscc.1.gz
    /usr/share/man/man1/scc.1.gz
    

    Instead of /usr/share/doc, the documentation is dropped into /opt/scc/Documentation, and instead of /usr/bin (or /usr/local/bin) the binaries are installed as /opt/scc/scc and /opt/scc/cscc (the latter is the command-line interface used below). Not a big deal, but something to remember when typing “scc” doesn’t work, since /opt/scc is unlikely to be in your PATH. The one file installed outside /opt is /etc/pam.d/scc_root, a PAM service configuration; it is worth reading before installing, since it defines an authentication stack on the host.

    So, to finally install the package:

    $ sudo rpm -ivh scc-4.2_beta1.x86_64.rpm 
    Preparing...                          ################################# [100%]
    ************************************ NOTICE *************************************
    *                                                                               *
    * By installing this package, you agree to the terms of this license agreement. *
    *                                                                               *
    ************************************ NOTICE *************************************
    
    Any usage or distribution of this software outside of the U.S. Federal Government shall be reviewed by the agency distributing the software to ensure the distribution complies with the government purpose rights listed below, and is in the best interest of the U.S. Federal Government.
    
    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
    
    The U.S. Federal Government has at least "government purpose rights" for this computer software under DFARS 252.227-7014.  This computer software is to be used only for a "government purpose" as generally defined in DFARS 252.227-7014, and specifically defined below.
    
    The U.S Federal Government's rights to use, modify, reproduce, release, perform, display, or disclose this software are restricted by paragraph (b)(2) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation.  Any reproduction of the software or portions thereof marked with this legend must also reproduce the markings.
    
    This software is designed to review computer security settings and can be installed on any U.S. Federal Government computer or any computer that is mandated to comply with U.S. Federal Government security regulations such as OMB M-08-22, FISMA, HIPPA, NIST FDCC, NIST USGCB, DISA STIGs and IRS.
    
    The U.S Federal Government purpose in distributing this software is to increase computer security and awareness for U.S entities interfacing with the U.S Federal Government.
    
    ************************************ NOTICE *************************************
    *                                                                               *
    * By installing this package, you agree to the terms of this license agreement. *
    *                                                                               *
    ************************************ NOTICE *************************************
    Updating / installing...
       1:spawarscc-4.2-beta1              ################################# [100%]
    
    Copying Default Options.
    
    
    SCC 4.2 installed in /opt/scc.

USAGE

RHEL7 ships SCAP content via the SCAP Security Guide project (also known as SSG), installable via the scap-security-guide package. This content is open source and co-developed with the US Government to establish formal configuration standards. It includes profiles such as DoD STIG, CJIS, and commercial baselines like PCI.

To install SSG:

$ sudo yum -y install scap-security-guide

SSG files are installed under /usr/share/xml/scap/ssg/content/. This isn’t meant to be a full tutorial on SSG, so see ‘man scap-security-guide’ for details on the included security baselines and CLI instructions 🙂

  • STEP 1: Configure SPAWAR SCC to use SCAP Security Guide
    Reviewing the SCC documentation, it appears we can use the CLI to pass SCAP content and profiles into SCC and perform an immediate scan. From section “5.2.1 Installing Content into SCC”:

    -isr 
    Install, enable and conduct an analysis with a SCAP Content (1.0, 1.1, 1.2) stream from a zip file, or from a single SCAP 1.2 datastream XML file. Specifying an XCCDF benchmark profile name after the file path will enable that profile for the given SCAP stream.
    Example: # ./cscc -isr 
    

    So, with SCAP Security Guide values:

    $ sudo ./cscc -isr /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream
    Preparing to execute...
    DEVBOX: Validating '/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'...
    [ERROR] SCAP12 document '/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml' contains an XML validation error '/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml:0: Schemas validity error : Element '{http://scap.nist.gov/schema/scap/source/1.2}data-stream-collection': No matching global declaration available for the validation root.
    ' . Content Installation Skipped.
    [ERROR] SCAP12 document '/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml' contains an XML validation error, please see error log for details. Content Installation Skipped.
    
    If you would like to force installation of this content, disable the option to validate content on install, and try again.
    

    Well, that error is unexpected. The NIST SCAP Validation Suite is run against SSG releases, which exercises exactly this kind of schema validation. The libxml2 message itself (“No matching global declaration available for the validation root”) means the schema set the validator loaded has no global declaration for the document's root element, here ds:data-stream-collection; that suggests the SCAP 1.2 source datastream schema was not loaded or resolved on the validator's side, rather than a defect in the content. If you’re a content developer, that test suite can be found on the NIST website.

    Just to double check, we can use OpenSCAP's own validation routines against the same content (no output, together with an exit status of 0, means the document validated):

    $ oscap xccdf validate /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 
    $ oscap oval validate /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 
    

    Let's go ahead and turn off the XML schema validation. To do that, add the --config option to the CLI, which brings up SCC's options menu before the scan runs. Skipping SCC's check is reasonable here only because the content has just validated with oscap; for content from a less trusted source, leave validation on. To measure how long a scan takes, I also prepended “time” to the command:

    $ time sudo ./cscc -is /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream --config


    A TUI will pop up in your terminal, similar to the following.

    1) Select option ‘6. Configure Options’
    2) Select option ‘5. Configure XML Validation Options’
    3) Select option ‘5. Perform XML Schema Validation…’
    4) Select option 0 to return to the XML Validation menu
    5) Select option 0 to return to the main menu
    6) Select option ‘9. Exit, save changes, and execute scan’

    The scan began and ran without issues. The tail of the CLI output:

    ...
    DEVBOX: Saving XML /home/shawn/SCC/Results/2017-02-03_143551/SCAP/XML/DEVBOX_SCC-4.2_BETA1_2017-02-03_143551_ARF_from_xccdf_ssg-rhel7-xccdf-1.2.xml-scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml.xml
    
    DEVBOX: Adjusted Score - 60% [RED]
    DEVBOX: Original Score - 60% [RED]
    
    Creating Summary Viewer
    Starting file scan, this may take a minute
    File scan complete
    Reading metadata for 8 files
    Finished reading metadata
    Generating report
    Summary Viewer created at /home/shawn/SCC/Results/2017-02-03_143551/SCC_Summary_Viewer_2017-02-03_143551.html
    
    Total Errors: 0
    Total Warnings: 0
    
    Review complete.
    Session Results (XML, HTML, Text), if any, are located in the following directory:
    /home/shawn/SCC/Results/2017-02-03_143551/
    
    Session Logs (Debug, Screen, Error), if any, are located in the following directory:
    /home/shawn/SCC/Logs/2017-02-03_143551/
    
    Application Logs (Debug, Screen, Error), if any, are located in the following directory:
    /home/shawn/SCC/Logs/ApplicationLogs/
    
    real	25m53.402s
    user	18m12.508s
    sys	4m51.387s
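
Two things in the procedure above were settled by hand: whether the file handed to -isr is really an SCAP 1.2 source datastream (its root element, ds:data-stream-collection, is the one SCC's validator reported no declaration for), and the exact XCCDF profile id to type after the path. Here is an added example, not from the original post and not SPAWAR or OpenSCAP code, that answers both from the datastream itself with nothing but the Python standard library. The embedded datastream is constructed for the example and stands in for ssg-rhel7-ds.xml (its ids and titles are invented; the element names and namespaces are the real SCAP 1.2 and XCCDF 1.2 ones), and the script reads a real datastream when given a path.

```python
"""Pre-flight check of an SCAP 1.2 source datastream before `cscc -isr`: is the
root really ds:data-stream-collection, and does the requested XCCDF profile id
exist? Added example, not part of the original post and not SPAWAR/OpenSCAP code."""
import sys
import xml.etree.ElementTree as ET

# Real namespaces: SCAP 1.2 source datastream (the one in SCC's error) and XCCDF 1.2.
NS = {"ds": "http://scap.nist.gov/schema/scap/source/1.2",
      "xccdf": "http://checklists.nist.gov/xccdf/1.2"}
DS_ROOT = "{%s}data-stream-collection" % NS["ds"]

# Constructed sample standing in for ssg-rhel7-ds.xml: two profiles, one rule.
# Ids and titles are invented; only the structure and namespaces are real.
SAMPLE_DS = """<?xml version="1.0" encoding="UTF-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xlink="http://www.w3.org/1999/xlink"
    id="scap_org.open-scap_collection_from_xccdf_ssg-example-xccdf-1.2.xml" schematron-version="1.2">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-example-xccdf-1.2.xml"
      scap-version="1.2" use-case="OTHER">
    <ds:checklists>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-example-xccdf-1.2.xml"
          xlink:href="#scap_org.open-scap_comp_ssg-example-xccdf-1.2.xml"/>
    </ds:checklists>
  </ds:data-stream>
  <ds:component id="scap_org.open-scap_comp_ssg-example-xccdf-1.2.xml" timestamp="2017-02-03T00:00:00">
    <xccdf:Benchmark id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig-example-server">
        <xccdf:title>Example STIG profile (constructed)</xccdf:title>
        <xccdf:select idref="xccdf_org.ssgproject.content_rule_example_one" selected="true"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.ssgproject.content_profile_pci-example">
        <xccdf:title>Example PCI profile (constructed)</xccdf:title>
      </xccdf:Profile>
      <xccdf:Rule id="xccdf_org.ssgproject.content_rule_example_one" severity="medium">
        <xccdf:title>Example rule (constructed)</xccdf:title>
      </xccdf:Rule>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def load(source):
    """Parse XML from a string (the sample) or from a file path (a real datastream)."""
    if source.lstrip().startswith("<"):
        return ET.fromstring(source)
    return ET.parse(source).getroot()


def is_datastream_collection(root):
    """True when the root is ds:data-stream-collection, i.e. an SCAP 1.2 source
    datastream rather than a bare XCCDF benchmark or OVAL definitions file."""
    return root.tag == DS_ROOT


def list_profiles(root):
    """Map every XCCDF profile id found in the document to its title."""
    return {p.get("id"): p.findtext("xccdf:title", default="", namespaces=NS)
            for p in root.iterfind(".//xccdf:Profile", NS)}


def preflight(source, profile_id):
    """Return (ok, report): ok says the file/profile pair is safe to hand to cscc;
    report is a list of human-readable lines, including every profile found."""
    root = load(source)
    profiles = list_profiles(root)
    report, ok = [], True
    if is_datastream_collection(root):
        report.append("root: ds:data-stream-collection (SCAP 1.2 source datastream)")
    else:
        ok = False
        report.append("root is %s, not an SCAP 1.2 source datastream" % root.tag)
    for pid, title in sorted(profiles.items()):
        report.append("  profile %s  (%s)" % (pid, title))
    if profile_id in profiles:
        report.append("requested profile found: " + profile_id)
    else:
        ok = False
        report.append("requested profile NOT found: " + profile_id)
    return ok, report


if __name__ == "__main__":
    # Usage: <script> <datastream.xml> <profile-id>; with no arguments the sample is inspected.
    if len(sys.argv) == 3:
        ok, report = preflight(sys.argv[1], sys.argv[2])
    else:
        ok, report = preflight(SAMPLE_DS, "xccdf_org.ssgproject.content_profile_stig-example-server")
    print("\n".join(report))
    sys.exit(0 if ok else 1)
```

Run it against /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml with the profile id from the cscc command line and it exits non-zero if the id is off by a character, which is cheaper than discovering that after SCC has installed the content. It does not replace schema validation; OpenSCAP's datastream-specific check for that is oscap ds sds-validate.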

REVIEW SCAN RESULTS

SCC generates result files in your user directory, creating a structure with the timestamp of the scan. For me, that was /home/shawn/SCC/Results/2017-02-03_143551/.

Taking a look at the directory:

$ ll /home/shawn/SCC/Results/2017-02-03_143551/*/*
./SCAP/DEVBOX_SCC-4.2_BETA1_2017-02-03_143551_All-Settings_from_xccdf_ssg-rhel7-xccdf-1.2.xml-scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml.htm
./SCAP/DEVBOX_SCC-4.2_BETA1_2017-02-03_143551_Non-Compliance_from_xccdf_ssg-rhel7-xccdf-1.2.xml-scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml.htm

/home/shawn/SCC/Results/2017-02-03_143551/SCAP/XML:
total 26520
./DEVBOX_SCC-4.2_BETA1_2017-02-03_143551_ARF_from_xccdf_ssg-rhel7-xccdf-1.2.xml-scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml.xml
./DEVBOX_SCC-4.2_BETA1_2017-02-03_143551_OCIL-Results_from_xccdf_ssg-rhel7-xccdf-1.2.xml-scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml.xml
./DEVBOX_SCC-4.2_BETA1_2017-02-03_143551_OVAL-CPE-Results_from_xccdf_ssg-rhel7-xccdf-1.2.xml-scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml.xml
./DEVBOX_SCC-4.2_BETA1_2017-02-03_143551_OVAL-Results_from_xccdf_ssg-rhel7-xccdf-1.2.xml-scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml.xml
./DEVBOX_SCC-4.2_BETA1_2017-02-03_143551_OVAL-Variables_from_xccdf_ssg-rhel7-xccdf-1.2.xml-scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml.xml
./DEVBOX_SCC-4.2_BETA1_2017-02-03_143551_XCCDF-Results_from_xccdf_ssg-rhel7-xccdf-1.2.xml-scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml.xml

Taking a look at the main HTML report, ‘DEVBOX_SCC-4.2_BETA1_2017-02-03_143551_All-Settings_from_xccdf_ssg-rhel7-xccdf-1.2.xml-scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml.htm’, the CCE numbers made it into the report. However, the NIST references show the reference URL rather than the control identifier (e.g. CM-6), even though SSG puts the identifier in the reference text and the URL only in its href.
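The HTML reports are convenient, but the XCCDF-Results and ARF files under SCAP/XML are what downstream tooling consumes, and they carry both pieces of metadata discussed above: the CCE ident on each rule, and the NIST 800-53 reference whose element text is the control identifier and whose href is the URL the report rendered. Here is an added example, not from the original post and not SPAWAR or OpenSCAP code, that tallies results by status and lists every failing rule with its severity, CCE and NIST control identifiers (taken from the reference text, not the href). The embedded results document is constructed for the example: rule ids, CCE values, timestamps and the score are invented, the namespace, element names and CCE ident system are the real ones SSG content uses, and the 800-53 href prefix is an assumption about how SSG links its references. Because it searches the whole tree for Rule and TestResult elements, it also works on an ARF that embeds the benchmark, as OpenSCAP's does.

```python
"""Summarize an XCCDF 1.2 results document: counts per result status plus the CCE
and NIST 800-53 controls of every failing rule. Added example, not part of the
original post and not SPAWAR or OpenSCAP code."""
import collections
import sys
import xml.etree.ElementTree as ET

NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}  # real XCCDF 1.2 namespace
CCE_SYSTEM = "https://nvd.nist.gov/cce/index.cfm"       # ident system SSG uses for CCEs
NIST_HREF_PREFIX = "http://nvd.nist.gov/800-53/"        # assumption: SSG's 800-53 link prefix

Finding = collections.namedtuple("Finding", "rule severity cce nist title")

# Constructed sample in the shape oscap writes (Benchmark, then TestResult).
# Rule ids, CCE values, timestamps and the score are invented for this example.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <xccdf:Rule id="xccdf_org.ssgproject.content_rule_example_aide" severity="medium">
    <xccdf:title>Install AIDE (constructed)</xccdf:title>
    <xccdf:reference href="http://nvd.nist.gov/800-53/Rev4/control/CM-3">CM-3(d)</xccdf:reference>
    <xccdf:reference href="http://nvd.nist.gov/800-53/Rev4/control/SI-7">SI-7</xccdf:reference>
    <xccdf:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-11111-1</xccdf:ident>
  </xccdf:Rule>
  <xccdf:Rule id="xccdf_org.ssgproject.content_rule_example_sudo" severity="high">
    <xccdf:title>Restrict sudo (constructed)</xccdf:title>
    <xccdf:reference href="http://nvd.nist.gov/800-53/Rev4/control/AC-6">AC-6(1)</xccdf:reference>
    <xccdf:reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</xccdf:reference>
    <xccdf:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-22222-2</xccdf:ident>
  </xccdf:Rule>
  <xccdf:Rule id="xccdf_org.ssgproject.content_rule_example_ipv6" severity="low">
    <xccdf:title>IPv6 setting (constructed)</xccdf:title>
    <xccdf:reference href="http://nvd.nist.gov/800-53/Rev4/control/CM-6">CM-6(b)</xccdf:reference>
  </xccdf:Rule>
  <xccdf:TestResult id="xccdf_org.open-scap_testresult_example" start-time="2017-02-03T14:35:51" end-time="2017-02-03T15:01:44">
    <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_example_aide" severity="medium" weight="1.0">
      <xccdf:result>pass</xccdf:result>
      <xccdf:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-11111-1</xccdf:ident>
    </xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_example_sudo" severity="high" weight="1.0">
      <xccdf:result>fail</xccdf:result>
      <xccdf:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-22222-2</xccdf:ident>
    </xccdf:rule-result>
    <xccdf:rule-result idref="xccdf_org.ssgproject.content_rule_example_ipv6" severity="low" weight="1.0">
      <xccdf:result>notapplicable</xccdf:result>
    </xccdf:rule-result>
    <xccdf:score system="urn:xccdf:scoring:default" maximum="100.000000">60.000000</xccdf:score>
  </xccdf:TestResult>
</xccdf:Benchmark>
"""


def load(source):
    """Parse XML from a string (the sample) or from a file path (a real results file)."""
    if source.lstrip().startswith("<"):
        return ET.fromstring(source)
    return ET.parse(source).getroot()


def rule_index(root):
    """Rule id -> Rule element; searching the whole tree also finds a Benchmark inside an ARF."""
    return {r.get("id"): r for r in root.iterfind(".//xccdf:Rule", NS)}


def nist_controls(rule):
    """Control identifiers from the rule's 800-53 references: the element text
    (e.g. CM-6(b)), not the href that the HTML report above rendered."""
    return [(ref.text or "").strip() for ref in rule.iterfind("xccdf:reference", NS)
            if (ref.get("href") or "").startswith(NIST_HREF_PREFIX)]


def cce_of(elem):
    """CCE from an ident child of a Rule or rule-result, or None if it has none."""
    for ident in elem.iterfind("xccdf:ident", NS):
        if ident.get("system") == CCE_SYSTEM:
            return (ident.text or "").strip()
    return None


def summarize(source):
    """Return (counts, findings): counts maps result status -> number of rules,
    findings lists each failed rule with severity, CCE, NIST controls and title."""
    root = load(source)
    rules = rule_index(root)
    counts = collections.Counter()
    findings = []
    for rr in root.iterfind(".//xccdf:TestResult/xccdf:rule-result", NS):
        status = rr.findtext("xccdf:result", default="", namespaces=NS).strip()
        counts[status] += 1
        if status != "fail":
            continue
        rule = rules.get(rr.get("idref"))  # None if the benchmark is not in this file
        findings.append(Finding(
            rule=rr.get("idref"),
            severity=rr.get("severity") or (rule.get("severity") if rule is not None else None),
            cce=cce_of(rr) or (cce_of(rule) if rule is not None else None),
            nist=nist_controls(rule) if rule is not None else [],
            title=rule.findtext("xccdf:title", default="", namespaces=NS) if rule is not None else ""))
    return counts, findings


if __name__ == "__main__":
    # Usage: <script> <XCCDF-Results or ARF file>; with no argument the sample is summarized.
    counts, findings = summarize(sys.argv[1] if len(sys.argv) > 1 else SAMPLE_RESULTS)
    for status, n in sorted(counts.items()):
        print("%-14s %d" % (status, n))
    for f in findings:
        print("FAIL %-6s %-12s %-16s %s" % (f.severity, f.cce, ",".join(f.nist), f.rule))
```

Point it at the XCCDF-Results file listed above to get the failing rules with their CCEs beside the 800-53 control identifiers, which is the table auditors actually ask for. The counts it prints are plain tallies, deliberately not the 60% score SCC reported; that figure follows XCCDF's weighted scoring model and is carried in the TestResult's score element.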

FINDINGS SUMMARY

With a few changes, SCC seems ready to run on Linux systems. To review the findings above:

  1. Installation was a snap. The documentation told me where to look for the binaries, and the CLI interface worked as expected.

    SUGGESTION:
     Document that the user must add /opt/scc to their PATH variable
  2. We need to explore why OpenSCAP/SCAP Security Guide content does not pass SCC's XML schema validation. I’ve emailed the SPAWAR SCC team to investigate this together.
  3. The HTML report includes CCEs, but the NIST references show as URL vs the control number. This is likely a minor stylesheet issue, and I’ve reported to SPAWAR.
  4. Performing a scan took almost 30 minutes, versus 2-3 minutes using OpenSCAP. Unsure why. Have reported to SPAWAR.
