secstate(1)                     USER COMMANDS                    secstate(1)

NAME
       secstate - security auditing and remediation

SYNOPSIS
       secstate <command> [options]

DESCRIPTION
       Secstate is a tool that streamlines security lockdown and monitoring
       on Linux systems. It audits a system against security requirements
       and, optionally, remediates the system to meet those requirements.
       Secstate uses the SCAP language (a NIST standard -
       http://scap.nist.gov) and Puppet (http://www.puppetlabs.com)
       internally.

       Using secstate involves importing security auditing and remediation
       information (referred to generically as content in this
       documentation) into a stored content directory, customizing that
       content, and using it to audit and remediate the state of the system.

       The results of system audits are available in SCAP XML formats or as
       HTML.

COMMANDS
       import [options] <ContentFile>

       Validate and import an XCCDF benchmark and its referenced OVAL and
       Puppet files, or a stand-alone OVAL file, into the secstate stored
       content directory. Content can be supplied as an XCCDF file, an OVAL
       file, a ZIP file, or a tarball (.tar.gz).

       If an XCCDF file is provided, that XCCDF benchmark is imported and
       all dependent OVAL and Puppet files are imported from the directory
       containing the XCCDF file. Archives (ZIP or .tar.gz) are assumed to
       contain an XCCDF file and one or more dependent OVAL and Puppet
       files, and are imported as a group. Finally, a single (stand-alone)
       OVAL or Puppet file can be imported.

       An OVAL file which is imported on its own is treated as a top-level
       item and is audited separately from any XCCDF content. All imported
       Puppet files are stored in a common location and are available to
       all imported XCCDF content for remediation.

       After import, the content can be viewed using list or search,
       customized using select / deselect, and used to audit and remediate.
       By default, top-level content is selected after import.

       Example of importing an XCCDF file:
       # ls content/
       2-19PasswordComplexity_Lowercase.xml  2-22PasswordComplexity_Special.xml
       PasswordComplexity.xccdf.xml          2-23PasswordComplexity_Uppercase.xml
       # secstate import content/PasswordComplexity.xccdf.xml

       Example of importing a tarball containing XCCDF and OVAL:
       # secstate import PasswordComplexity.tar.gz

       Options:

       -h
              Show the help message for import.

       --profile=PROFILE
              Set the active profile during import. The profile must exist
              in the XCCDF benchmark.

       remove [options] <ContentID>

       Remove previously imported content. As with import, remove also
       removes the associated OVAL content when an XCCDF benchmark is
       specified. The content ID can be found using the list command for
       both XCCDF benchmarks and stand-alone OVAL files.

       Example of removing a benchmark:
       # secstate list
       Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: None
       # secstate remove PassComp

       export [options] <ContentID> <OutputFile>

       The export command exports an XCCDF benchmark or stand-alone OVAL
       file from the secstate stored content directory. The content ID can
       be obtained with secstate list. By default, the exported version
       includes any profiles and customizations. Use -o to export the
       originally imported file.

       # secstate list
       Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: None
       # secstate export PassComp PassComp.xccdf.xml
       # ls PassComp.xccdf.xml
       PassComp.xccdf.xml

       Options:

       -h
              Show the help message for export.

       -o, --original
              Export the originally imported content without customizations
              or profiles.

       select [options] <ContentID> [GroupID|RuleID|ProfileID]

       The select command sets an XCCDF benchmark, group, rule, or profile,
       or a stand-alone OVAL file, as active. Only selected items are used
       for auditing and remediation. When selecting an XCCDF group, rule, or
       profile, the XCCDF benchmark ID must also be provided. This
       eliminates the possibility of inadvertently selecting the wrong item
       when multiple benchmarks contain the same ID for a group, rule, or
       profile.

       Profile selection:

       Selecting a profile changes the active profile for an XCCDF
       benchmark. Profiles can contain modifications to the default state
       of a benchmark, including but not limited to rule/group selection
       status.

       Group/Rule selection:

       A rule, every one of its ancestor groups, and its XCCDF benchmark
       must all be selected for the rule to be active during auditing and
       remediation. Selecting a rule or group therefore also selects every
       one of its ancestors.

       When a selection is made on an XCCDF rule or group, the change is
       stored in a profile. If the active profile at the time of the
       selection was a profile native to the rule or group's parent
       benchmark, a new profile named 'Custom' is added which extends the
       original profile. If the active profile was one added by the select
       or deselect commands, that active profile itself is modified.

       Benchmark/OVAL selection:

       Selecting an XCCDF benchmark or stand-alone OVAL file marks the
       content as active when auditing or remediating imported content.

       Examples of select:
       # secstate list -a -r
       [ ]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom'
       [ ]Group - ID: PassComp-G-2-2, Title: 'Password'
       [ ]Group - ID: PassComp-G-2-3, Title: 'Password Complexity'
       [ ]Rule - ID: PassComp-R-2-1, Title: 'Lowercase'
       [ ]Rule - ID: PassComp-R-2-2, Title: 'Min. Length'
       [ ]Rule - ID: PassComp-R-2-3, Title: 'Numeric'
       [ ]Rule - ID: PassComp-R-2-4, Title: 'Special'
       [ ]Rule - ID: PassComp-R-2-5, Title: 'Uppercase'
       [ ]OVAL File - ID: homedirs.oval

       # secstate select PassComp PassComp-R-2-2
       # secstate list -a -r
       [X]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom'
       [X]Group - ID: PassComp-G-2-2, Title: 'Password'
       [X]Group - ID: PassComp-G-2-3, Title: 'Password Complexity'
       [ ]Rule - ID: PassComp-R-2-1, Title: 'Lowercase'
       [X]Rule - ID: PassComp-R-2-2, Title: 'Min. Length'
       [ ]Rule - ID: PassComp-R-2-3, Title: 'Numeric'
       [ ]Rule - ID: PassComp-R-2-4, Title: 'Special'
       [ ]Rule - ID: PassComp-R-2-5, Title: 'Uppercase'
       [ ]OVAL File - ID: homedirs.oval

       # secstate select -r PassComp
       # secstate list -a -r
       [X]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom'
       [X]Group - ID: PassComp-G-2-2, Title: 'Password'
       [X]Group - ID: PassComp-G-2-3, Title: 'Password Complexity'
       [X]Rule - ID: PassComp-R-2-1, Title: 'Lowercase'
       [X]Rule - ID: PassComp-R-2-2, Title: 'Min. Length'
       [X]Rule - ID: PassComp-R-2-3, Title: 'Numeric'
       [X]Rule - ID: PassComp-R-2-4, Title: 'Special'
       [X]Rule - ID: PassComp-R-2-5, Title: 'Uppercase'
       [ ]OVAL File - ID: homedirs.oval

       # secstate select homedirs.oval
       # secstate list -a -r
       [X]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom'
       [X]Group - ID: PassComp-G-2-2, Title: 'Password'
       [X]Group - ID: PassComp-G-2-3, Title: 'Password Complexity'
       [X]Rule - ID: PassComp-R-2-1, Title: 'Lowercase'
       [X]Rule - ID: PassComp-R-2-2, Title: 'Min. Length'
       [X]Rule - ID: PassComp-R-2-3, Title: 'Numeric'
       [X]Rule - ID: PassComp-R-2-4, Title: 'Special'
       [X]Rule - ID: PassComp-R-2-5, Title: 'Uppercase'
       [X]OVAL File - ID: homedirs.oval

       Options:

       -h
              Show the help text.

       -r, --recurse
              Recursively select XCCDF groups and rules inside groups or
              benchmarks.

       deselect [options] <ContentID> [GroupID|RuleID]

       The deselect command marks an XCCDF benchmark, group, or rule, or a
       stand-alone OVAL file, as deselected. Deselected items are omitted
       from auditing and remediation. When deselecting an XCCDF group or
       rule, the XCCDF benchmark ID must also be provided. This eliminates
       the possibility of inadvertently deselecting the wrong item when
       multiple benchmarks contain the same ID for a group or rule.

       Group/Rule deselection:

       An XCCDF rule, every one of its ancestor groups, and its parent
       benchmark must all be selected for the rule to be active during
       auditing and remediation. Deselecting a group therefore causes all
       of its child groups and rules to be omitted during auditing and
       remediation, regardless of their own selection status.

       When a deselection is made on an XCCDF rule or group, the change is
       stored in a profile. If the active profile at the time of the
       deselection was a profile native to the rule or group's parent
       benchmark, a new profile named 'Custom' is added which extends the
       original profile. If the active profile was one added by the select
       or deselect commands, that active profile itself is modified.

       Benchmark/OVAL deselection:

       Deselecting an XCCDF benchmark or a stand-alone OVAL file marks the
       content as inactive when auditing or remediating imported content.

       Examples of deselect:

       # secstate list -a -r
       [X]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom'
       [X]Group - ID: PassComp-G-2-2, Title: 'Password'
       [X]Group - ID: PassComp-G-2-3, Title: 'Password Complexity'
       [X]Rule - ID: PassComp-R-2-1, Title: 'Lowercase'
       [X]Rule - ID: PassComp-R-2-2, Title: 'Min. Length'
       [X]Rule - ID: PassComp-R-2-3, Title: 'Numeric'
       [X]Rule - ID: PassComp-R-2-4, Title: 'Special'
       [X]Rule - ID: PassComp-R-2-5, Title: 'Uppercase'
       [X]OVAL File - ID: homedirs.oval

       # secstate deselect PassComp PassComp-R-2-3
       # secstate list -a -r
       [X]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom'
       [X]Group - ID: PassComp-G-2-2, Title: 'Password'
       [X]Group - ID: PassComp-G-2-3, Title: 'Password Complexity'
       [X]Rule - ID: PassComp-R-2-1, Title: 'Lowercase'
       [X]Rule - ID: PassComp-R-2-2, Title: 'Min. Length'
       [ ]Rule - ID: PassComp-R-2-3, Title: 'Numeric'
       [X]Rule - ID: PassComp-R-2-4, Title: 'Special'
       [X]Rule - ID: PassComp-R-2-5, Title: 'Uppercase'
       [X]OVAL File - ID: homedirs.oval

       # secstate deselect -r PassComp
       # secstate list -a -r
       [ ]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom'
       [ ]Group - ID: PassComp-G-2-2, Title: 'Password'
       [ ]Group - ID: PassComp-G-2-3, Title: 'Password Complexity'
       [ ]Rule - ID: PassComp-R-2-1, Title: 'Lowercase'
       [ ]Rule - ID: PassComp-R-2-2, Title: 'Min. Length'
       [ ]Rule - ID: PassComp-R-2-3, Title: 'Numeric'
       [ ]Rule - ID: PassComp-R-2-4, Title: 'Special'
       [ ]Rule - ID: PassComp-R-2-5, Title: 'Uppercase'
       [X]OVAL File - ID: homedirs.oval

       # secstate deselect homedirs.oval
       # secstate list -a -r
       [ ]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom'
       [ ]Group - ID: PassComp-G-2-2, Title: 'Password'
       [ ]Group - ID: PassComp-G-2-3, Title: 'Password Complexity'
       [ ]Rule - ID: PassComp-R-2-1, Title: 'Lowercase'
       [ ]Rule - ID: PassComp-R-2-2, Title: 'Min. Length'
       [ ]Rule - ID: PassComp-R-2-3, Title: 'Numeric'
       [ ]Rule - ID: PassComp-R-2-4, Title: 'Special'
       [ ]Rule - ID: PassComp-R-2-5, Title: 'Uppercase'
       [ ]OVAL File - ID: homedirs.oval

       Options:

       -h
              Show the help text.

       -r, --recurse
              Recursively deselect XCCDF groups and rules inside a group or
              benchmark.

       save <BenchmarkID> <ProfileName>

       The save command saves the currently active profile of the given
       benchmark under the provided profile name.

       Options:

       -h
              Show the help text.

       list [options] [ContentID]

       The list command displays the available XCCDF benchmarks and/or
       stand-alone OVAL files. By default, list shows only the benchmarks
       and OVAL files that are currently selected. The -a and -r options
       show deselected items and all of the groups and rules in an XCCDF
       benchmark, respectively.

       Examples of list:

       # secstate list
       Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'all_deselected'

       # secstate list -r
       Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'all_deselected'
       Group - ID: PassComp-G-2-2, Title: 'Password'

       # secstate list -a -r
       [X]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'all_deselected'
       [X]Group - ID: PassComp-G-2-2, Title: 'Password'
       [ ]Group - ID: PassComp-G-2-3, Title: 'Password Complexity'
       [X]Rule - ID: PassComp-R-2-1, Title: 'Lowercase'
       [X]Rule - ID: PassComp-R-2-2, Title: 'Min. Length'
       [X]Rule - ID: PassComp-R-2-3, Title: 'Numeric'
       [X]Rule - ID: PassComp-R-2-4, Title: 'Special'
       [X]Rule - ID: PassComp-R-2-5, Title: 'Uppercase'
       [ ]OVAL File - ID: 2-20PasswordComplexity_MinLen

       Options:

       -h
              Show the help text.

       -a, --all
              Show all items regardless of selection status.

       -r, --recurse
              Recursively list XCCDF rules inside groups or benchmarks.

       show [options] <ContentID>

       Show information on an XCCDF benchmark, rule, or group.

       Examples of show on various types of items:

       # secstate show PassComp
       PassComp:
              Title: 'Password Complexity'
              Selected: True
              Profiles:
                     [ ]emptyProfile - 'An empty profile'
                     [ ]None
                     [X]all_deselected

       # secstate show PassComp-G-2-3
       PassComp-G-2-3:
              Title: 'Password Complexity'
              Description: Group pertaining specifically to password complexity.
              Selected: True

       # secstate show PassComp-R-2-1
       PassComp-R-2-1:
              Title: 'Lowercase'
              Description: Password contains minimum number of lowercase letters.
              Selected: True

       # secstate show -v PassComp-R-2-1
       PassComp-R-2-1:
              Title: 'Lowercase'
              Description: Password contains minimum number of lowercase letters.
              Selected: True
              Member of PassComp-G-2-3
              Referenced Definitions:
                     oval:com.tresys.oval.rhel:def:1000

       Options:

       -h
              Show the help text.

       -v, --verbose
              Show additional information on the item.

       search [options] <string>

       The search command searches the titles and descriptions of all
       imported content and returns every item which matches the provided
       string.

       Options:

       -h
              Show the help text.

       -r, --reverse
              Search for XCCDF rules which reference a matching OVAL
              definition ID.

       -v, --verbose
              Show additional information on matching items.

       remediate [options] [BenchmarkID|BenchmarkFile]

       The remediate command brings the system into compliance with one or
       more XCCDF benchmarks. It takes the information in the fix elements
       of the selected rules and passes it to Puppet, which makes the
       changes to the system.

       Options:

       -h
              Show the help text.

       -l, --log-dest
              Output logs to FILE instead of stdout.

       -n, --noop
              Run Puppet in noop mode. No changes are made to the system.

       -p, --profile
              Specifies the profile to use when remediating the system.

       -v, --verbose
              Print extra information during the remediate process.

       -x, --xccdf-results
              XCCDF results file to provide for selective remediation.

       -y, --yes
              Respond 'yes' to all prompts.

       audit [options] [ContentID|ContentFile]

       The audit command evaluates whether the current state of the system
       complies with the selected rules in the specified content. If no
       content is specified, all imported content that is selected is
       evaluated. After scanning, a summary is printed and, by default, a
       report is generated in SCAP XML and HTML and saved to a directory
       named after the hostname, date, and time.

       Example showing the use of audit:

       # secstate list
       Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'all_deselected'
       OVAL File - ID: 2-20PasswordComplexity_MinLen
       # secstate audit PassComp
       --Results for 'PassComp' (Profile: 'all_deselected')--
              Passed: 0
              Failed: 5
              Fixed: 0
              Not Selected: 0
              Not Checked: 0
              Not Applicable: 0
              Error: 0
              Informational: 0
              Unknown: 0
       # ls audit-localhost.localdomain-Fri-August-27-22_30_12-2010/
       2-19PasswordComplexity_Lowercase.results.xml  index.html
       2-20PasswordComplexity_MinLen.results.xml     media
       2-21PasswordComplexity_Numeric.results.xml    PassComp.results.html
       2-22PasswordComplexity_Special.results.xml    PassComp.results.xml
       2-23PasswordComplexity_Uppercase.results.xml
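       The audit summary above is printed as plain text, and secstate
       itself only reports 0 for success and non-0 for error, so a
       scheduled audit needs a small gate that turns the Failed, Error and
       Unknown counts into an exit status a cron job or CI step can act on.
       The following script is an added example, not part of secstate: the
       audit_gate function, the file names and the two sample summaries are
       all constructed here, the summaries mirroring the format shown in
       the audit example.

```shell
#!/bin/sh
# Added example, not part of secstate: a gate for scheduled audits.
# audit_gate reads the text summary that "secstate audit" prints (format
# as shown in this manual page) and exits non-zero when any rule Failed,
# hit an Error, or returned Unknown. An input with no summary at all is
# also treated as a failure, so a crashed or mis-targeted audit does not
# look like a clean pass.

# audit_gate FILE
#   FILE holds the captured summary of one or more benchmarks (counts from
#   several "--Results for" blocks are summed).
#   Returns 0 when Failed, Error and Unknown are all zero,
#           1 when any of them is non-zero,
#           2 when no "Failed:" line was found (no summary present).
audit_gate() {
    awk '
        /^ *Failed:/  { failed  += $2; seen = 1 }
        /^ *Error:/   { errors  += $2 }
        /^ *Unknown:/ { unknown += $2 }
        END {
            if (!seen) {
                print "audit gate: no audit summary found"
                exit 2
            }
            if (failed + errors + unknown > 0) {
                printf "audit gate: %d failed, %d error, %d unknown\n", failed, errors, unknown
                exit 1
            }
            print "audit gate: all selected rules passed"
            exit 0
        }' "$1"
}

# Constructed sample summaries (the first mirrors the audit example above,
# the second is the same benchmark with every rule passing).
FAIL_SUMMARY=$(mktemp)
cat > "$FAIL_SUMMARY" <<'EOF'
--Results for 'PassComp' (Profile: 'all_deselected')--
       Passed: 0
       Failed: 5
       Fixed: 0
       Not Selected: 0
       Not Checked: 0
       Not Applicable: 0
       Error: 0
       Informational: 0
       Unknown: 0
EOF

PASS_SUMMARY=$(mktemp)
cat > "$PASS_SUMMARY" <<'EOF'
--Results for 'PassComp' (Profile: 'all_deselected')--
       Passed: 5
       Failed: 0
       Fixed: 0
       Not Selected: 0
       Not Checked: 0
       Not Applicable: 0
       Error: 0
       Informational: 0
       Unknown: 0
EOF

# Constructed empty capture, standing in for an audit that produced no summary.
EMPTY_SUMMARY=$(mktemp)
: > "$EMPTY_SUMMARY"

# Typical use on a real system (hypothetical paths, shown as a comment so
# the script stays runnable where secstate is not installed):
#   secstate audit --no-html -o "/var/log/secstate/$(date +%F)" PassComp \
#       | tee /tmp/secstate-audit.txt
#   audit_gate /tmp/secstate-audit.txt || logger -p auth.warning "secstate audit failed"
```

       Because the gate reads the captured text rather than secstate's own
       exit status, it still fires when the audit ran but rules failed,
       which the 0/non-0 return value alone does not distinguish; the XML
       report in the output directory remains the record to consult for
       which rules failed.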

       Options:

       -h
              Show the help text.

       -p <PROFILE>, --profile=<PROFILE>
              Select the profile to use during auditing.

       -o <OUTPUT>, --output=<OUTPUT>
              Set the name of the output directory for XML or HTML output.

       --no-xml
              Disable XML output.

       --no-html
              Disable HTML output.

       -v, --verbose
              Show additional information on each item.

       -a, --all
              Audit all rules and groups regardless of selection status.

       -r <RULE>, --rule=<RULE>
              Audit only the specified rule.

RETURN VALUE
       secstate returns 0 for success and non-0 for error.

AUTHOR
       Karl MacMillan <kmacmillan@tresys.com>

SEE ALSO
       oscap(30) puppet(8)

version 1.0                    August 27, 2010                   secstate(1)