Securing a Linux system does not end with the introduction of a Mandatory Access Control system like SELinux, or by applying hardening measures on the OS level such as grsecurity. A big part of a system's security is the secure configuration of the operating system and its components.

Security guides are a useful resource for hardening a system. And, perhaps unknown to many, there is even a standard for hardening benchmarks, called SCAP (the Security Content Automation Protocol).

Using SCAP content

When using SCAP, the hardening guides themselves are written in a format called XCCDF, the Extensible Configuration Checklist Description Format. It contains the human-readable instructions for hardening a component, in a checklist-like structure (but with support for chapters and the like).

The XCCDF documents then point to a number of other components, with CPE and OVAL being two important ones related to the automatic checking of the benchmark. Yes, automatic checking, because one of the huge advantages of using SCAP is that it also provides the means to automatically validate whether a system complies with the rules in that document.

The CPE or Common Platform Enumeration standard allows SCAP-enabled content to identify what system, operating system or application is meant when pointing to a particular target. It is a format for identifying a target. For instance, the Gentoo Linux operating system is identified as cpe:/o:gentoo:linux.

The OVAL file is the true workhorse for the automation. Its name already implies what it is meant for: Open Vulnerability and Assessment Language. It contains the instructions for automatically validating (assessing) the state of the system.

SCAP content can be provided as separate XCCDF, OVAL, CPE and similar files, but can also be combined in a single file called a Datastream. This can be seen as an archive-like format for all SCAP content, and it makes transferring SCAP content to SCAP-capable systems easy.

To use SCAP content on Gentoo Linux (or other Linux distributions for that matter), one tool with good support is OpenSCAP, provided through the app-forensics/openscap package:

~$ oscap xccdf eval --profile <profile> gentoo-ds.xml

The gentoo-ds.xml file is the SCAP data stream that contains the Gentoo OS related instructions. The argument to --profile is a profile name that tells OpenSCAP which items to validate. XCCDF documents can support multiple profiles to allow differentiation based on the purpose of the system.

Gentoo hardening benchmarks

To facilitate hardening various components on a Gentoo Linux system, a number of benchmarks are created and maintained. One of the ideas is that each component has its own guide, rather than creating a single comprehensive one. This allows fine-tuning of the guides depending on their use.

For instance, some systems might be running two OpenSSH deployments: one for administrative purposes and another for end-user, sftp-only purposes. By having a dedicated OpenSSH benchmark it is possible to easily run the assessment against both instances.

Although this might also be possible with an all-encompassing guide, it is easier for end users and documentation writers to keep these separate, as the impact of a refactored or redesigned guide is much smaller with dedicated guides than with a single one.
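To make the profile mechanism and the XCCDF-to-OVAL link concrete, here is an added example (not code from the original page or from the Gentoo benchmarks). It parses a small constructed XCCDF benchmark modelled on the OpenSSH case above, with an admin profile and an sftp-only profile, and lists which OVAL definitions oscap would evaluate for each; all ids, file names and rule names in it are made up for the example.

```python
# Added example: list XCCDF profiles and the OVAL definitions each one selects.
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample benchmark (not a real Gentoo benchmark): two profiles
# selecting different rules, each rule checked by an OVAL definition.
SAMPLE_XCCDF = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_openssh">
  <platform idref="cpe:/o:gentoo:linux"/>
  <Profile id="xccdf_example_profile_admin">
    <select idref="xccdf_example_rule_no_root_login" selected="true"/>
    <select idref="xccdf_example_rule_sftp_only" selected="false"/>
  </Profile>
  <Profile id="xccdf_example_profile_sftp">
    <select idref="xccdf_example_rule_no_root_login" selected="true"/>
    <select idref="xccdf_example_rule_sftp_only" selected="true"/>
  </Profile>
  <Rule id="xccdf_example_rule_no_root_login" selected="false">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="openssh-oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_example_rule_sftp_only" selected="false">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="openssh-oval.xml" name="oval:example:def:2"/>
    </check>
  </Rule>
</Benchmark>
"""

def parse_benchmark(xml_text):
    """Return (CPE platforms, profile -> selected rule ids, rule -> (oval file, oval def))."""
    root = ET.fromstring(xml_text)
    platforms = [p.get("idref") for p in root.findall("x:platform", NS)]
    rules = {}
    for rule in root.findall("x:Rule", NS):
        ref = rule.find("x:check/x:check-content-ref", NS)
        rules[rule.get("id")] = (ref.get("href"), ref.get("name")) if ref is not None else None
    profiles = {}
    for prof in root.findall("x:Profile", NS):
        # Only rules explicitly selected in the profile are evaluated.
        profiles[prof.get("id")] = [s.get("idref") for s in prof.findall("x:select", NS)
                                    if s.get("selected") == "true"]
    return platforms, profiles, rules

def oval_definitions_for(profile_id, xml_text=SAMPLE_XCCDF):
    """OVAL definition ids that evaluating the given profile would run."""
    _, profiles, rules = parse_benchmark(xml_text)
    return [rules[r][1] for r in profiles[profile_id] if rules.get(r)]
```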

The following table shows the hardening guides maintained by me:

Benchmark      XCCDF XML      OVAL XML      CPE XML      DS XML      Sample XCCDF Report      Sample OVAL Report
Gentoo Linux   Gentoo XCCDF   Gentoo OVAL   Gentoo CPE   Gentoo DS   Gentoo XCCDF Report      Gentoo OVAL Report
Kernel         Kernel XCCDF   Kernel OVAL   -            -           Kernel XCCDF Report      -