scap-workbench is a tool that can open XCCDF [1] or SDS [2] files and allows the user to evaluate either a local or a remote machine using the content in the opened file.

Feature Highlights

  • XCCDF 1.1 and 1.2 support

  • Source DataStream 1.2 support

  • XCCDF 1.2 Tailoring file support

  • Evaluation of local machine

  • Evaluation of remote machine (using SSH)

  • Limited tailoring support - selection and unselection

  • Saving results as XCCDF 1.1 or 1.2 (depending on input) or ARF 1.1

Requirements

Build Dependencies

  • cmake >= 2.6

  • Qt4 (Core, GUI, XmlPatterns)

  • openscap >= 1.0.5

  • cmake-gui [optional]

  • Qt4 (WebKit) [optional]

Runtime Dependencies (workbench machine)

  • setsid

  • nice

  • ssh and scp (if you want remote scanning)

Runtime Dependencies (evaluated machine)

  • oscap >= 0.8.0

Installation

From package repository (YUM)

# yum install scap-workbench

From package repository (APT)

# apt-get install scap-workbench

From source
  1. $ mkdir build ; cd build

  2. $ cmake ../

  3. $ make

  4. # make install

From source (custom options)
  1. $ mkdir build ; cd build

  2. $ cmake-gui ../

  3. (select appropriate options in cmake-gui)

  4. $ make

  5. # make install

Typical Use Case

Let us go over a common use case. Any section marked (optional) can be skipped if you do not need the feature explained in it.

Obtain SCAP content

Even before we start the workbench we need to find content to open. Probably the best choice right now is scap-security-guide [3].

From the package repository (YUM)

# yum install scap-security-guide

From the package repository (APT)

# apt-get install scap-security-guide

From upstream source (for advanced users or content developers)
  1. $ git clone https://git.fedorahosted.org/git/scap-security-guide.git ; cd scap-security-guide

  2. $ make

Alternative SCAP content (optional)

Start scap-workbench

After installation a new application entry for scap-workbench should appear in your desktop environment's application menu.

Figure 1. scap-workbench application entry in GNOME 3

In case you cannot find any scap-workbench application icon / entry to click, press Alt+F2 to bring up the run command dialog (works in Gnome 3 and KDE 4), type 'scap-workbench' and confirm.

scap-workbench should start, and if you installed scap-security-guide from your package repository, workbench will open it immediately without any interaction being necessary.

Figure 2. Default content opened in workbench

Open Different Content (optional)

Clicking the Open button in the bottom left part of the main window lets you change the opened content. Keep in mind that workbench only supports opening XCCDF and Source DataStream files. Everything else will result in an error dialog being shown.

Only one content file can be opened by a single scap-workbench instance. Opening a different content file will DESTROY all your tailoring changes and you will also LOSE profile selection.

A single content file can however contain multiple checklists if it is a datastream. Changing the checklist will CHANGE profile selection and MAY make your tailoring unusable / not applicable to the newly selected checklist.

As a general rule, make sure you have the right file and right checklist selected before proceeding to tailoring and/or profile selection.

To prevent workbench from opening default content when it starts you can either uninstall the content or pass a different path via command line.

scap-workbench PATH_TO_SCAP_CONTENT

See alternative contents for more content choices.

If you pass a path that is invalid or points to a file that is not valid XCCDF or SDS, workbench will show an error dialog and open default content automatically.

Load a Ready-Made Tailoring File (optional)

In case you have prepared or were given a tailoring file for your specific evaluation use-case, you can load it by clicking on the Tailoring file combobox and selecting the (open tailoring file…​) option. This will bring up a file open dialog where you can select your tailoring file.

Loading a tailoring file will DESTROY all your tailoring changes that you have done either by customizing profiles or loaded from another tailoring file.

Only XCCDF 1.2 supports tailoring officially. The openscap project has an extension that allows tailoring files to be used with XCCDF 1.1 so scap-workbench supports that as well. The details are out of scope of this document but keep in mind that tailoring of an XCCDF 1.1 file might not work with scanners other than openscap.

Figure 3. Opening a tailoring file

Choose a Profile

XCCDF profiles are in essence configurations of the content for a particular evaluation scenario. XCCDF profiles decide which rules are selected and which values they use - e.g.: one profile may enforce password length to be at least 10 characters, a different one may be more lenient and enforce password length of at least 6 characters.

For more details refer to the XCCDF specification.

This section mentions the (default) profile a lot. The word 'default' is not a very fortunate choice considering what the profile does. This profile is empty: it has no select or refine-value elements.

Whenever we talk about this special profile we write '(default)' with parentheses to avoid confusion. By contrast, 'default profile' means the profile selected by default.

All SCAP content has at least one profile: the (default) profile, which is an empty profile that does not change the selection of any rules and does not affect values passed to any of the checks. In the (default) profile, only rules whose selected attribute is "true" and whose ancestor xccdf:Group elements all have selected="true" are evaluated.

It depends on the content, but the (default) profile is unlikely to be the choice you want. scap-workbench will only choose it implicitly if there are no other profiles. The first profile that is not the (default) profile will be chosen.

Use the Profile combobox to change which profile will be used for subsequent evaluation. When scap-workbench is not evaluating, it previews selected rules of the current profile. This list will refresh every time you customize a profile or select a different one.

Customize the Selected Profile (optional)

After you have selected the profile suitable for your desired evaluation, you still may want to make slight alterations to it. Most commonly, it would be unselecting that one undesirable rule that makes no sense on this particular machine.

Make sure your desired profile is selected and click Customize.

Figure 4. Customizing scap-security-guide’s "common" profile

A new modal window will be shown; you cannot interact with the rest of the application until you either confirm or discard your tailoring changes.

In the example case, we do not care about minimum and maximum age for passwords and do not want the rules failing for our configuration. Let us expand the tree until we find the offending rules and unselect them both.

Figure 5. Unselecting minimum and maximum password age rules

This tailoring dialog supports undo/redo. If you accidentally make changes you want to undo, press CTRL+Z or click the Undo button.

Keep in mind that the undo history gets lost when you confirm or discard tailoring changes and the window is closed.

After desired tailoring changes are done, click Confirm changes to get back to the previous GUI. To undo all of the changes to the profile, click Discard. If you want to delete the profile from tailoring, click Delete profile.

All of these options will close the tailoring window.

Save content (optional)

Save just the tailoring file

Click Save Tailoring and choose the destination file. Workbench saves just the tailored changes, which you can use with the content you opened.

If the XCCDF version of the content is lower than 1.2 [4], workbench will create a file that is not compliant with the official specification! openscap and scap-workbench support tailoring in XCCDF 1.1.4 through an extension. Keep in mind that such content will work in openscap powered tools but may not work in tools from other vendors!
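A tailoring file is small enough to read by hand, but the part worth reading is easy to miss: every select with selected="false" is a check that will no longer run against the machine. The script below is an added example, not part of scap-workbench; it summarizes what a tailoring file changes relative to the profile it extends, so a tailoring file received from someone else can be reviewed before it is loaded. The embedded document is a constructed sample with the shape of a tailoring saved from a customized scap-security-guide "common" profile; the rule and value ids in it are assumed SSG ids used only for illustration. It also recognizes the XCCDF 1.1 namespace and flags it, since tailoring of 1.1 content is the openscap extension described above.

```python
"""Summarize an XCCDF Tailoring file (added example, not scap-workbench code)."""
import xml.etree.ElementTree as ET

XCCDF_12 = "http://checklists.nist.gov/xccdf/1.2"
XCCDF_11 = "http://checklists.nist.gov/xccdf/1.1"  # tailoring of 1.1 content is an openscap extension

# Constructed sample tailoring document; the SSG rule/value ids are assumed, for illustration.
SAMPLE_TAILORING = f"""<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="{XCCDF_12}" id="xccdf_org.example_tailoring_default">
  <xccdf:benchmark href="ssg-fedora-ds.xml"/>
  <xccdf:version time="2014-01-01T00:00:00">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_common_customized"
                 extends="xccdf_org.ssgproject.content_profile_common">
    <xccdf:title>Common profile, customized</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="false"/>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="true"/>
    <xccdf:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs"
                        selector="10"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""


def tailoring_namespace(root):
    """Return the XCCDF namespace of a Tailoring root element, or raise ValueError."""
    for ns in (XCCDF_12, XCCDF_11):
        if root.tag == f"{{{ns}}}Tailoring":
            return ns
    raise ValueError(f"not an XCCDF Tailoring document (root element is {root.tag})")


def summarize_tailoring(xml_text):
    """Per profile: which rules are (un)selected and which values are refined."""
    root = ET.fromstring(xml_text)
    ns = tailoring_namespace(root)
    bench = root.find(f"{{{ns}}}benchmark")
    summary = {
        "xccdf_version": "1.2" if ns == XCCDF_12 else "1.1 (openscap extension, not portable)",
        "benchmark": bench.get("href") if bench is not None else None,
        "profiles": {},
    }
    for prof in root.findall(f"{{{ns}}}Profile"):
        entry = {"extends": prof.get("extends"), "unselected": [], "selected": [], "refined_values": {}}
        for sel in prof.findall(f"{{{ns}}}select"):
            # selected is an xs:boolean: "true"/"1" selects, "false"/"0" unselects
            bucket = "selected" if sel.get("selected", "").strip().lower() in ("true", "1") else "unselected"
            entry[bucket].append(sel.get("idref"))
        for rv in prof.findall(f"{{{ns}}}refine-value"):
            entry["refined_values"][rv.get("idref")] = rv.get("selector")
        summary["profiles"][prof.get("id")] = entry
    return summary


def print_summary(summary):
    print(f"XCCDF {summary['xccdf_version']}, benchmark: {summary['benchmark']}")
    for pid, entry in summary["profiles"].items():
        print(f"profile {pid} extends {entry['extends']}")
        for rule in entry["unselected"]:
            print(f"  UNSELECTED (check will not run): {rule}")
        for rule in entry["selected"]:
            print(f"  selected: {rule}")
        for value, selector in entry["refined_values"].items():
            print(f"  value {value} -> selector {selector}")


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_TAILORING
    print_summary(summarize_tailoring(text))
```

Run it with the path of a saved tailoring file as the only argument; without an argument it summarizes the embedded sample.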

Save all content into a directory

Click Save and choose Save into a directory. After selecting the destination directory, scap-workbench exports both input content and a tailoring file into the directory.

Save as RPM

Click Save and choose Save as RPM. A dialog will pop up asking for details regarding the RPM that will be generated. Choose the desired package name, leave the other fields at their default settings, and confirm the dialog.

Another dialog opens, this time asking for the destination directory where scap-workbench will create the RPM.

Figure 6. Saving Fedora scap-security-guide content as RPM

The resulting RPM contains both the input content and the tailoring file. It will not contain any evaluation result files (HTML report, ARF, XCCDF results).

Please note that the resulting RPM will not be signed! This means that it can be rejected for deployment by system management tools like Spacewalk.

If you wish to sign the resulting RPM, make sure you have rpm-sign installed, the /usr/bin/rpmsign binary available, and GPG and the related rpmmacros set up. [5] Then execute:

$ rpm --addsign my-content-1.1.noarch.rpm

The resulting package is signed and ready to use, provided that your desired system management tool accepts the key you used.

Choose the Target Machine

scap-workbench will scan the local machine by default. However, you can also scan remote machines using SSH.

To scan a remote machine, select remote machine (over ssh) in the Target combobox. A pair of input boxes will appear. Input the desired username and hostname and select the port. Username and hostname should be put into the first editbox in the format commonly accepted by ssh - username@hostname. Make sure the machine is reachable, the selected user can log in over SSH, and has sufficient privileges to evaluate the machine.

The target machine must have the oscap tool of version 0.8.0 or greater installed and in $PATH!

You can achieve that by installing openscap-scanner on the target machine. If openscap-scanner is not available install openscap-utils instead.

Only a Source DataStream can be used to scan a remote machine. Plain XCCDF files are not supported yet!
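Both requirements for remote scanning stated above (the content must be a Source DataStream, and the target must have oscap 0.8.0 or newer in the SSH user's PATH) can be checked from the workbench machine before a scan is started. The script below is an added example, not part of scap-workbench. It assumes the SSH login is non-interactive (key or agent; BatchMode stops ssh from hanging on a password prompt) and that "oscap --version" prints the version number on its first line, as in "OpenSCAP command line tool (oscap) 1.2.17". The two content snippets embedded in it are constructed samples.

```python
"""Pre-flight checks for a remote scap-workbench target (added example, not scap-workbench code)."""
import re
import subprocess
import xml.etree.ElementTree as ET

SDS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
MIN_OSCAP = (0, 8, 0)  # minimum oscap version on the evaluated machine

# Constructed samples: a minimal Source DataStream and a plain XCCDF benchmark.
SAMPLE_SDS = f'<ds:data-stream-collection xmlns:ds="{SDS_NS}" id="scap_org.example_collection_1"/>'
SAMPLE_PLAIN_XCCDF = ('<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" '
                      'id="xccdf_org.example_benchmark_1"/>')


def is_source_datastream(xml_text):
    """True when the document root is an SDS 1.2 data-stream-collection."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return root.tag == f"{{{SDS_NS}}}data-stream-collection"


def parse_oscap_version(version_output):
    """(major, minor, patch) from the first line of `oscap --version` output, or None."""
    lines = version_output.splitlines()
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", lines[0]) if lines else None
    return tuple(int(g) for g in match.groups()) if match else None


def oscap_is_recent_enough(version):
    """Tuple comparison: (0, 8, 0) and anything newer passes."""
    return version is not None and version >= MIN_OSCAP


def remote_oscap_version(target, port=22):
    """Run `oscap --version` on user@host over SSH; None if unreachable, login fails or oscap is missing."""
    cmd = ["ssh", "-p", str(port), "-o", "BatchMode=yes", target, "oscap --version"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:
        return None
    return parse_oscap_version(proc.stdout)


def preflight(content_path, target, port=22):
    """Return a list of problems; an empty list means the remote scan can be attempted."""
    problems = []
    with open(content_path, encoding="utf-8") as f:
        if not is_source_datastream(f.read()):
            problems.append(f"{content_path}: not a Source DataStream; "
                            "remote scanning needs SDS, plain XCCDF is not supported")
    version = remote_oscap_version(target, port)
    if not oscap_is_recent_enough(version):
        found = ".".join(map(str, version)) if version else "none found"
        problems.append(f"{target} (port {port}): oscap >= 0.8.0 required in $PATH (found: {found}); "
                        "install openscap-scanner, or openscap-utils if that is unavailable")
    return problems


if __name__ == "__main__":
    import sys
    # usage: preflight.py CONTENT.xml user@host [port]
    content, target = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 22
    issues = preflight(content, target, port)
    print("\n".join(issues) if issues else f"ok: {target} is ready for {content}")
    sys.exit(1 if issues else 0)
```

The target string uses the same username@hostname form the Target combobox expects, so the values can be copied straight into workbench once the checks pass.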

Figure 7. Selecting a remote machine for scanning

Enable Online Remediation (optional)

Remediation is an automatic attempt to change configuration of the scanned machine in a way that fixes a failed rule result. By fixing, we mean changing configuration, ensuring that the rule would pass in the new configuration.

The success of automatic remediation greatly depends on content quality and could result in broken machines if not used carefully!

Checking the Online Remediation checkbox performs remediation as part of the evaluation itself. After the evaluation is done, oscap will go over the failed rules and attempt to remedy each of them.

The rules that were remedied will show up as fixed in the rule result list.

Evaluate

Everything is set up; we can now start the evaluation. Click the Scan button to proceed. If you selected a remote machine target, SSH may ask you for a password at this point.

scap-workbench never processes your SSH password in any way. Instead, an ssh process is spawned which itself spawns the ssh-askpass program that asks for the password.

If you chose to scan the local machine, workbench will show a dialog that allows you to authenticate and scan the machine with superuser rights. You can click Cancel if you wish to scan using your current permissions.

If pkexec is not available or no PolicyKit agent is running, the privilege escalation dialog is not shown and scap-workbench will scan using your current permissions. If you need superuser permissions, you can start scap-workbench using sudo or as root.

$ sudo scap-workbench

The application now starts the oscap tool and waits for it to finish, reporting partial results along the way in the rule result list. Keep in mind that the tool cannot guess how long processing any particular rule will take; only the number of rules already processed and the number remaining are used to estimate progress. Please be patient and wait for oscap to finish the evaluation.

You can cancel the scan at any point by clicking the Cancel button. Canceling only gives you the partial results in the evaluation progress list; you cannot get an HTML report, XCCDF results or ARF if you cancel the evaluation!

After you press the Scan button, all the previous options are disabled and greyed out. You cannot change them until you press the Clear button, which clears all results.

View and Analyze Results

After evaluation finishes, you should see two new buttons: Clear and Report.

Pressing Clear will permanently destroy scan results! This action cannot be undone.

Pressing Show Report will open the HTML report of the evaluation in your internet browser.

scap-workbench will open the report in the default web browser set in your desktop environment. Make sure you have a browser installed.

If nothing happens after pressing the button, check which browser is the default. See System Settings → System Info → Default Applications in GNOME 3 or System Settings → Default Applications in KDE4.

In case you still can’t get scap-workbench to open a browser, save the report to an HTML file on your hard drive and open it manually.

Your evaluation results can be saved in several formats:

HTML report

Human readable and convenient, not suitable for machine processing. Can be examined by any web browser.

XCCDF result

Machine readable file with just the results, not suitable for manual processing. Requires a special tool that can parse the format.

ARF

Also called result datastream. Packs input content, asset information and results into a single machine readable file, not suitable for manual processing. Requires a special tool that can parse the format.

If you are unsure which format to choose for archiving results, XCCDF Result is commonly supported and HTML reports can be generated from it with the oscap tool.

The ARF file is the only format that contains everything the evaluation has generated. On top of the XCCDF results, it contains OVAL results, SCE results (if any) and asset identification data. If you want to keep all of the generated data, choose ARF when archiving.

However, ARF files are not as well supported by SCAP toolchains as XCCDF result files are. XCCDF result files can be generated from ARF files; this operation is called ARF splitting.
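The XCCDF result file and the ARF are described above as machine readable formats that need a special tool to parse; the script below is a small such tool, added here as an example (it is not part of scap-workbench or openscap). It locates the xccdf:TestResult wherever the format puts it (at the top level or inside the Benchmark in an XCCDF result file, nested under arf:report/arf:content in an ARF), tallies rule results, including the "fixed" result produced by online remediation, and lists failing rules ordered by severity so they can be triaged without the HTML report. Both embedded inputs are constructed samples with example rule ids.

```python
"""Summarize an XCCDF result file or an ARF (added example, not scap-workbench or openscap code)."""
from collections import Counter
import xml.etree.ElementTree as ET

XCCDF_NAMESPACES = ("http://checklists.nist.gov/xccdf/1.2", "http://checklists.nist.gov/xccdf/1.1")
ARF_NS = "http://scap.nist.gov/schema/asset-reporting-format/1.1"
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}


def _rule_result(idref, result, severity):
    """Build one constructed xccdf:rule-result element for the samples below."""
    return (f'<xccdf:rule-result idref="{idref}" severity="{severity}" weight="1.0">'
            f'<xccdf:result>{result}</xccdf:result></xccdf:rule-result>')


# Constructed sample: an XCCDF 1.2 result file (Benchmark with an embedded TestResult).
SAMPLE_XCCDF_RESULTS = f"""<xccdf:Benchmark xmlns:xccdf="{XCCDF_NAMESPACES[0]}" id="xccdf_org.example_benchmark_1">
  <xccdf:TestResult id="xccdf_org.example_testresult_1">
    <xccdf:target>host1.example.test</xccdf:target>
    {_rule_result("xccdf_org.example_rule_sshd_no_root_login", "pass", "high")}
    {_rule_result("xccdf_org.example_rule_password_max_age", "fail", "medium")}
    {_rule_result("xccdf_org.example_rule_auditd_enabled", "fixed", "high")}
    {_rule_result("xccdf_org.example_rule_selinux_state", "error", "high")}
    {_rule_result("xccdf_org.example_rule_ipv6_disabled", "notapplicable", "low")}
    <xccdf:score system="urn:xccdf:scoring:default" maximum="100.000000">60.000000</xccdf:score>
  </xccdf:TestResult>
</xccdf:Benchmark>
"""

# Constructed sample: the same kind of TestResult wrapped in an ARF (result datastream).
SAMPLE_ARF = f"""<arf:asset-report-collection xmlns:arf="{ARF_NS}">
  <arf:reports>
    <arf:report id="xccdf1">
      <arf:content>
        <xccdf:TestResult xmlns:xccdf="{XCCDF_NAMESPACES[0]}" id="xccdf_org.example_testresult_2">
          <xccdf:target>host2.example.test</xccdf:target>
          {_rule_result("xccdf_org.example_rule_sshd_no_root_login", "pass", "high")}
          {_rule_result("xccdf_org.example_rule_selinux_state", "fail", "high")}
        </xccdf:TestResult>
      </arf:content>
    </arf:report>
  </arf:reports>
</arf:asset-report-collection>
"""


def find_test_results(root):
    """(namespace, [TestResult elements]); iter() includes root itself, so a bare TestResult works too."""
    for ns in XCCDF_NAMESPACES:
        found = list(root.iter(f"{{{ns}}}TestResult"))
        if found:
            return ns, found
    raise ValueError("no xccdf:TestResult found: not an XCCDF result file or ARF")


def summarize_results(xml_text):
    """One summary dict per TestResult: result counts and failing rules sorted by severity."""
    root = ET.fromstring(xml_text)
    ns, test_results = find_test_results(root)
    fmt = "ARF" if root.tag == f"{{{ARF_NS}}}asset-report-collection" else "XCCDF"
    summaries = []
    for tr in test_results:
        counts = Counter()
        failing = []
        for rr in tr.findall(f"{{{ns}}}rule-result"):
            result = (rr.findtext(f"{{{ns}}}result") or "unknown").strip()
            counts[result] += 1
            if result in ("fail", "error"):  # "fixed" means remediation already repaired it
                failing.append({"rule": rr.get("idref"), "severity": rr.get("severity", "unknown"),
                                "result": result})
        failing.sort(key=lambda f: SEVERITY_ORDER.get(f["severity"], 99))
        summaries.append({"id": tr.get("id"), "format": fmt,
                          "target": (tr.findtext(f"{{{ns}}}target") or "").strip(),
                          "counts": dict(counts), "failing": failing})
    return summaries


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XCCDF_RESULTS
    for s in summarize_results(text):
        print(f"{s['format']} {s['id']} target={s['target']} counts={s['counts']}")
        for f in s["failing"]:
            print(f"  {f['severity']:8} {f['result']:5} {f['rule']}")
```

Pass a results.xml or arf.xml path as the only argument; the same code handles both because it searches the whole tree for the TestResult. The conversions mentioned in the text are done with oscap itself: "oscap xccdf generate report results.xml > report.html" renders the HTML report from an XCCDF result file, and "oscap ds rds-split" splits an ARF into its component files.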

Notable shortcuts

Main Window

  Browse                              Alt + B
  Scan                                Alt + S
  Clear after scanning                Alt + C
  Show report                         Alt + R
  Open evaluation report in browser   Alt + O

Where to Get Help?

You can ask for help with the application using

In case you have found a bug, do not hesitate to submit it (requires a GitHub account). Make sure you provide as many details as possible, including your distribution, architecture, openscap, scap-workbench and Qt versions and any output scap-workbench writes to stderr.


1. The Extensible Configuration Checklist Description Format
2. Source DataStream
3. https://fedorahosted.org/scap-security-guide/
4. Tailoring is not officially supported in XCCDF 1.1.x; the feature was added in 1.2
5. Please see http://fedoranews.org/tchung/gpg/ for a detailed write-up on how to sign RPMs