Installing SCAP Security Guide

Some of the most comprehensive, ready-made security policies can be found in the SCAP Security Guide (SSG) project, and you will often see the ssg acronym in directory names and sometimes even in package names. These policies, just like the CIS Benchmark we explored previously, cover many facets of Linux security and offer remediation steps, so OpenSCAP can be used not just for auditing but also for enforcing a security policy. However, given the nature of the tool, it is my opinion that Ansible is best suited to that task, and it is notable that recent upstream releases of SCAP Security Guide provide Ansible playbooks alongside the XML formatted SCAP policies themselves.

OpenSCAP policies, like any security definition, will evolve and change over time as new vulnerabilities and attacks are discovered. Hence, when considering which version of SSG you wish to work with, you will need to take into account how up to date the copy you are using is and whether this meets your needs. It might seem obvious to state that you should always use the latest version, but there are exceptions as we shall see shortly.

This decision requires careful consideration, and "just go and download the latest copy" is not the obvious answer it might at first seem. Although the versions packaged by most major Linux distributions lag behind the releases on the SSG project's GitHub page (see https://github.com/ComplianceAsCode/content/releases), the packaged versions have in some cases (especially on Red Hat Enterprise Linux) been tested and are known to work on the distribution they are shipped with.

On other distributions, however, your mileage may vary. For example, at the time of writing, the latest publicly available version of the SSG policies is 0.1.47, while the version packaged with Ubuntu Server 18.04.3 is 0.1.31. That version of SSG does not support Ubuntu 18.04 at all, and if you run a scan against Ubuntu Server 18.04 using its Ubuntu 16.04 policy, every rule in the results will be reported as notapplicable. Every SSG datastream carries a CPE platform check that confirms the host is the operating system the content was written for; if that check fails, OpenSCAP reports notapplicable for each rule instead of evaluating it. A report in which every rule is notapplicable therefore indicates the wrong policy for the host, not a host with nothing to fix.
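As an added example (not code from the book or from the SSG project), the following shell script performs the check a practitioner wants after any scan: it tallies each rule's result in the XCCDF results file and flags a scan in which every rule is notapplicable, the symptom of the platform mismatch described above. It assumes the one-element-per-line XML layout oscap writes, and in place of a real scan it builds a constructed, cut-down results file; the rule identifiers in that file are illustrative, and the oscap invocation and datastream path in the comments are the ones typically installed by the ssg-debderived package.

```sh
#!/bin/sh
# Added example: detect an OpenSCAP scan in which the datastream's CPE platform
# check failed and every rule was skipped as notapplicable.
#
# A real results file comes from a scan such as (path as packaged on Ubuntu):
#   oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard \
#     --results results.xml /usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml
# Below, write_sample builds a constructed, minimal results file instead.

# Number of <rule-result> elements in an XCCDF results file.
count_rules() {
    grep -c '<rule-result ' "$1" || true
}

# Number of rules with a given <result> value (pass, fail, notapplicable, ...).
# Relies on oscap's one-element-per-line layout; use xmllint for a strict parse.
count_result() {
    grep -c "<result>$2</result>" "$1" || true
}

# Succeeds if the content applied to the host, i.e. at least one rule was
# evaluated rather than skipped as notapplicable.
scan_applied() {
    _total=$(count_rules "$1")
    _na=$(count_result "$1" notapplicable)
    [ "$_total" -gt 0 ] && [ "$_na" -lt "$_total" ]
}

# Print a per-result tally and a verdict: the check to run before trusting a report.
summarise() {
    printf 'rule results: %s\n' "$(count_rules "$1")"
    for _r in pass fail error unknown notapplicable notchecked notselected informational fixed; do
        printf '  %-14s %s\n' "$_r" "$(count_result "$1" "$_r")"
    done
    if scan_applied "$1"; then
        echo 'OK: content applied to this host'
    else
        echo 'WARNING: every rule is notapplicable; the policy targets a different platform'
    fi
}

# Write a constructed, minimal XCCDF TestResult with one rule per argument,
# each argument being that rule's <result>. Rule ids are illustrative only.
write_sample() {
    _f=$1
    shift
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
        printf '%s\n' '<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_example">'
        printf '  %s\n' '<platform idref="cpe:/o:canonical:ubuntu_linux:16.04"/>'
        _n=0
        for _res in "$@"; do
            _n=$((_n + 1))
            printf '  <rule-result idref="xccdf_org.ssgproject.content_rule_example_%d">\n' "$_n"
            printf '    <result>%s</result>\n' "$_res"
            printf '  </rule-result>\n'
        done
        printf '%s\n' '</TestResult>'
    } > "$_f"
}

# Demo on constructed data: the Ubuntu 18.04 host scanned with the 16.04
# content, where the CPE check fails and every rule is skipped.
_demo=$(mktemp)
write_sample "$_demo" notapplicable notapplicable notapplicable
summarise "$_demo"
rm -f "$_demo"
```

Run it against a real results.xml by calling `summarise results.xml`; a genuine scan of a matching platform will still show a few notapplicable rules (for packages that are not installed, for example), which is why the verdict keys on all rules being skipped rather than on any of them.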

There is also a bug in the libopenscap8 package on Ubuntu 18.04 that produces errors about the /usr/share/openscap/cpe/openscap-cpe-dict.xml file being missing. It is hoped that, in due course, the Ubuntu OpenSCAP packages will be updated and fixed so that they can be used reliably.

Users of Red Hat Enterprise Linux should note that Red Hat will only support OpenSCAP scanning when the SSG policies that ship with RHEL are used, so in this scenario it is even more important to use the vendor-provided policy files.

As with any open source environment, the beauty is that the choice is up to you—if you wish to evaluate the newer policies available, then you are free to do so, and for Ubuntu 18.04, you must do this or the scans will not work! However, if you wish to take advantage of a commercially-supported environment, then that is available too, especially if you use RHEL.

To install the vendor-provided SSG packages on CentOS 7 or RHEL 7, you would run this command:

$ sudo yum -y install scap-security-guide

This package contains the SSG policies for all operating systems and applications that Red Hat directly supports (bearing in mind that CentOS is based on RHEL). Hence, you will only find policies for RHEL 6 and 7, CentOS 6 and 7, the Java Runtime Environment (JRE), and Firefox when you install this package. At the time of writing, this installs version 0.1.43 of the SSG.

On Ubuntu Server, SSG is split across multiple packages but offers cross-platform support. To install the complete set of SSG packages on Ubuntu Server 18.04, you would run the following:

$ sudo apt -y install ssg-base ssg-debderived ssg-debian ssg-nondebian ssg-applications

These packages provide policies for the following systems:

ssg-base: SSG base content and documentation files

ssg-debderived: SSG policies for Debian-derived operating systems such as Ubuntu Server

ssg-debian: SSG policies for Debian operating systems

ssg-nondebian: SSG policies for other Linux operating systems such as RHEL and SUSE Linux Enterprise

ssg-applications: SSG policies for securing applications such as the Java Runtime Environment (JRE), Firefox, and Webmin

Hence, it is fair to say that, at the time of writing, although Ubuntu Server ships a much older package version (0.1.31) than CentOS and RHEL (0.1.43), it offers support for a wider range of platforms.

The choice of which SSG you wish to install is up to you, or if you are feeling bold, you may even choose to write your own! The most important thing is that you make an informed choice and retain support from your operating system vendor if that is a requirement for you. Before we proceed to explore other policies you might also download, it is worth looking in greater detail at two of the security policy file formats you may come across when you are searching for and implementing your OpenSCAP auditing architecture. We shall proceed with this in the next section.
