In this guide, we will go through how to install OpenSCAP on Debian 11. OpenSCAP is an auditing tool that uses the Extensible Configuration Checklist Description Format (XCCDF) to define security checklists. It also combines with other specifications such as CPE, CCE, and OVAL to create a SCAP-expressed checklist that SCAP-validated products can process.
How to Install OpenSCAP on Debian 11
- Update Debian 11 packages.
sudo apt update
- Navigate to the Debian OpenSCAP FTP download page, get the latest download link, then download the package using the wget command as shown below.
wget http://ftp.us.debian.org/debian/pool/main/o/openscap/libopenscap8_1.3.4-1_amd64.deb
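- After downloading, install it using the command below. A .deb installed from a local file is not checked against the archive's signed package index, so compare its SHA256 checksum with the published value before installing.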
sudo apt install ./libopenscap8_1.3.4-1_amd64.deb
- Next, download the SCAP Security Guide packages using the following commands.
wget http://ftp.us.debian.org/debian/pool/main/s/scap-security-guide/ssg-base_0.1.62-2_all.deb
wget http://ftp.us.debian.org/debian/pool/main/s/scap-security-guide/ssg-debian_0.1.62-2_all.deb
- Install the SCAP Security Guide packages on Debian.
sudo apt install ./ssg-base_0.1.62-2_all.deb
sudo apt install ./ssg-debian_0.1.62-2_all.deb
- Confirm the OpenSCAP version installed.
oscap --version
- List the SCAP Security Guide content located in the /usr/share/xml/scap/ssg/content directory after the installation.
ls /usr/share/xml/scap/ssg/content/
Sample output
ssg-debian10-cpe-dictionary.xml
ssg-debian10-cpe-oval.xml
ssg-debian10-ds-1.2.xml
ssg-debian10-ds.xml
ssg-debian10-ocil.xml
ssg-debian10-oval.xml
ssg-debian10-xccdf.xml
ssg-debian11-cpe-dictionary.xml
ssg-debian11-cpe-oval.xml
ssg-debian11-ds-1.2.xml
ssg-debian11-ds.xml
ssg-debian11-ocil.xml
ssg-debian11-oval.xml
ssg-debian11-xccdf.xml
ssg-debian9-cpe-dictionary.xml
ssg-debian9-cpe-oval.xml
ssg-debian9-ds-1.2.xml
ssg-debian9-ds.xml
ssg-debian9-ocil.xml
ssg-debian9-oval.xml
ssg-debian9-xccdf.xml
- View the description of a guide by running the following command with the guide name at the end, e.g. ssg-debian11-ds-1.2.xml.
oscap info /usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml
Sample output
Document type: Source Data Stream
Imported: 2022-08-16T20:59:52

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-debian11-xccdf-1.2.xml
Generated: (null)
Version: 1.2
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-debian11-xccdf-1.2.xml
        Status: draft
        Generated: 2022-08-16
        Resolved: true
        Profiles:
            Title: Profile for ANSSI DAT-NT28 Average (Intermediate) Level
                Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_average
            Title: Profile for ANSSI DAT-NT28 High (Enforced) Level
                Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_high
            Title: Profile for ANSSI DAT-NT28 Minimal Level
                Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal
            Title: Profile for ANSSI DAT-NT28 Restrictive Level
                Id: xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive
            Title: Standard System Security Profile for Debian 11
                Id: xccdf_org.ssgproject.content_profile_standard
        Referenced check files:
            ssg-debian11-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
            ssg-debian11-ocil.xml
                system: http://scap.nist.gov/schema/ocil/2
Checks:
    Ref-Id: scap_org.open-scap_cref_ssg-debian11-oval.xml
    Ref-Id: scap_org.open-scap_cref_ssg-debian11-ocil.xml
    Ref-Id: scap_org.open-scap_cref_ssg-debian11-cpe-oval.xml
Dictionaries:
    Ref-Id: scap_org.open-scap_cref_ssg-debian11-cpe-dictionary.xml
- Run an audit scan, passing the Id of the profile to evaluate. The command below uses the standard profile from the profile list shown above.
oscap xccdf eval \
--profile xccdf_org.ssgproject.content_profile_standard \
--results ssg-debian11-ds-1.2.xml \
--report ssg-debian11-ds-1.2.html \
--fetch-remote-resources \
/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml
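Sample output. The Permission denied errors on the two sysctl rules indicate that this scan ran without root privileges; run the scan with sudo so that those rules are evaluated instead of ending in error.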
Title   Ensure /home Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_home
W: oscap: OVAL object 'partition_object' is not supported.
Result  unknown

Title   Ensure /tmp Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_tmp
W: oscap: OVAL object 'partition_object' is not supported.
Result  unknown

Title   Ensure /var Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_var
W: oscap: OVAL object 'partition_object' is not supported.
Result  unknown

Title   Ensure /var/log Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_var_log
W: oscap: OVAL object 'partition_object' is not supported.
Result  unknown

Title   Ensure /var/log/audit Located On Separate Partition
Rule    xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
W: oscap: OVAL object 'partition_object' is not supported.
Result  unknown

Title   Ensure the audit Subsystem is Installed
Rule    xccdf_org.ssgproject.content_rule_package_audit_installed
Result  fail

Title   Enable auditd Service
Rule    xccdf_org.ssgproject.content_rule_service_auditd_enabled
Result  notapplicable

Title   Ensure rsyslog is Installed
Rule    xccdf_org.ssgproject.content_rule_package_rsyslog_installed
Result  pass

Title   Enable rsyslog Service
Rule    xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
Result  pass

Title   Ensure Log Files Are Owned By Appropriate Group
Rule    xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
W: oscap: Obtrusive data from probe!
W: oscap: Obtrusive data from probe!
Result  pass

Title   Ensure Log Files Are Owned By Appropriate User
Rule    xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
W: oscap: Obtrusive data from probe!
W: oscap: Obtrusive data from probe!
Result  pass

Title   Ensure System Log Files Have Correct Permissions
Rule    xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
W: oscap: Obtrusive data from probe!
W: oscap: Obtrusive data from probe!
Result  pass

Title   Ensure Logrotate Runs Periodically
Rule    xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
Result  fail

Title   Verify that local System.map file (if exists) is readable only by root
Rule    xccdf_org.ssgproject.content_rule_file_permissions_systemmap
Result  fail

Title   Enable Kernel Parameter to Enforce DAC on Hardlinks
Rule    xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks
W: oscap: Obtrusive data from probe!
W: oscap: Obtrusive data from probe!
W: oscap: Obtrusive data from probe!
W: oscap: Obtrusive data from probe!
W: oscap: Obtrusive data from probe!
E: oscap: Can't read sysctl value from "/proc/sys/fs/protected_hardlinks": 13, Permission denied
Result  error

Title   Enable Kernel Parameter to Enforce DAC on Symlinks
Rule    xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks
W: oscap: Obtrusive data from probe!
W: oscap: Obtrusive data from probe!
W: oscap: Obtrusive data from probe!
W: oscap: Obtrusive data from probe!
W: oscap: Obtrusive data from probe!
E: oscap: Can't read sysctl value from "/proc/sys/fs/protected_symlinks": 13, Permission denied
Result  error

Title   Verify Group Who Owns group File
Rule    xccdf_org.ssgproject.content_rule_file_groupowner_etc_group
Result  pass

Title   Verify Group Who Owns gshadow File
Rule    xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow
Result  pass

Title   Verify Group Who Owns passwd File
Rule    xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Result  pass

Title   Verify Group Who Owns shadow File
Rule    xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow
Result  pass

Title   Verify User Who Owns group File
Rule    xccdf_org.ssgproject.content_rule_file_owner_etc_group
Result  pass
- Open the scan report, which is generated in HTML format. Sample OpenSCAP Evaluation Report.
- System recommendations.
- Specific result details.
You have reached the end of our article. We have gone through how to install OpenSCAP on Debian 11.
Read more on OpenSCAP Documentation