OpenSCAP & Security compliance

I have been in the IT business for decades and have followed Linux desktop development year after year. I have tried numerous Linux desktop distributions (Ubuntu, Mint, ...).

But I have to say that with Zorin I have the impression that the Linux desktop is finally here, mainly because it is so polished.

On the security side, there is a tool, OpenSCAP, that verifies the compliance of an OS distribution with a security policy (DoD STIG, ANSSI, CIS, ...).

Ubuntu has its own security profiles. However, even though Zorin is an Ubuntu derivative, to get OpenSCAP working it is mandatory to tweak lsb-release and os-release so that it looks like an Ubuntu distro; then
$ sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level1_workstation --report report.html ssg-ubuntu2204-ds-1.2.xml
works.

I discovered that Rocky Linux, as a derivative of CentOS, had the same issue; they produced a patch here: ROCKY/_supporting/0001-Add-Rocky-Linux-as-a-derivative-of-RHEL.patch · r9 · staging / patch / scap-security-guide · GitLab

By the way, Ubuntu now also has Ubuntu Pro, with all the OpenSCAP tools and profiles and better security patches.

So it would be great to have the OpenSCAP tools working with Zorin; of course it is more for the enterprise market than for personal use.

Best wishes and long life to Zorin!

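The procedure in the post above (temporarily rewrite the two release files, run oscap against the Ubuntu 22.04 datastream, put the files back), as an added example that is not the poster's or the OpenSCAP/SSG project's own code. It assumes that the datastream's platform check keys on the ID/VERSION_ID fields of /etc/os-release and the DISTRIB_ID/DISTRIB_RELEASE fields of /etc/lsb-release, and that the values written are what a stock Ubuntu 22.04 ships; the restore-on-exit trap is there because other tooling (package and driver helpers) reads these files too, so the spoof must never be left in place.

```shell
#!/bin/sh
# Added example, not from the forum post or from OpenSCAP/SSG.
# Assumption: the ubuntu2204 datastream identifies the platform from
# ID/VERSION_ID in /etc/os-release and DISTRIB_ID/DISTRIB_RELEASE in
# /etc/lsb-release; other fields are left untouched.
set -eu

# Rewrite the distro identity fields of an os-release style file ($1) into $2.
spoof_os_release() {
    sed -e 's/^ID=.*/ID=ubuntu/' \
        -e 's/^ID_LIKE=.*/ID_LIKE=debian/' \
        -e 's/^NAME=.*/NAME="Ubuntu"/' \
        -e 's/^VERSION_ID=.*/VERSION_ID="22.04"/' \
        -e 's/^VERSION_CODENAME=.*/VERSION_CODENAME=jammy/' \
        -e 's/^PRETTY_NAME=.*/PRETTY_NAME="Ubuntu 22.04 LTS"/' \
        "$1" > "$2"
}

# Same for the lsb-release file ($1 -> $2).
spoof_lsb_release() {
    sed -e 's/^DISTRIB_ID=.*/DISTRIB_ID=Ubuntu/' \
        -e 's/^DISTRIB_RELEASE=.*/DISTRIB_RELEASE=22.04/' \
        -e 's/^DISTRIB_CODENAME=.*/DISTRIB_CODENAME=jammy/' \
        -e 's/^DISTRIB_DESCRIPTION=.*/DISTRIB_DESCRIPTION="Ubuntu 22.04 LTS"/' \
        "$1" > "$2"
}

# Print the value of KEY ($1) from file $2, with surrounding quotes removed.
field() { sed -n "s/^$1=//p" "$2" | tr -d '"'; }

# Spoof, scan, restore. Must run as root. $1 = datastream, $2 = profile id.
run_scan() {
    ds=${1:-ssg-ubuntu2204-ds-1.2.xml}
    profile=${2:-xccdf_org.ssgproject.content_profile_cis_level1_workstation}
    tmp=$(mktemp -d)
    cp /etc/os-release "$tmp/os-release.orig"
    cp /etc/lsb-release "$tmp/lsb-release.orig"
    # Restore the real identity whatever happens (scan error, Ctrl-C).
    trap 'cp "$tmp/os-release.orig" /etc/os-release; cp "$tmp/lsb-release.orig" /etc/lsb-release; rm -rf "$tmp"' EXIT INT TERM
    spoof_os_release  "$tmp/os-release.orig"  /etc/os-release
    spoof_lsb_release "$tmp/lsb-release.orig" /etc/lsb-release
    # oscap exits 2 when at least one rule fails: that is a finding, not a tool error.
    oscap xccdf eval --profile "$profile" --results results.xml --report report.html "$ds" || [ $? -eq 2 ]
}

if [ "${1-}" = "--run" ]; then run_scan "${2-}" "${3-}"; fi
```

Run it as `sudo sh spoof-scan.sh --run ssg-ubuntu2204-ds-1.2.xml xccdf_org.ssgproject.content_profile_cis_level1_workstation`. Note that /etc/os-release is usually a symlink to /usr/lib/os-release, so the rewrite and the restore both go through the link; the backup copy is what guarantees the original content comes back. Also keep in mind that the scan is then evaluating Zorin against Ubuntu 22.04 content: a rule only means something where Zorin actually ships the same package, path or service.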

I think anything to do with security should not just be available to enterprises but available to all.


Here are the results for "CIS Level1 Workstation" compliance

Here are the results for "Standard" compliance (minimal)

Some medium-severity rules (Standard profile) failed:

  1. Ensure the audit Subsystem is Installed
  2. Ensure Log Files Are Owned By Appropriate User
  3. Ensure Logrotate Runs Periodically
  4. Verify Group Who Owns gshadow File
  5. Verify Permissions on gshadow File
  6. Verify Permissions on shadow File
  7. Disable Core Dumps for SUID programs
  8. Enable Randomized Layout of Virtual Address Space

That is in addition to the usual separate-partition rules (/home, /tmp, /var, /var/log, /var/log/audit).

And some non-compliances for CIS L1:

  1. Install AIDE
  2. Ensure Sudo Logfile Exists - sudo logfile
  3. Limit Password Reuse
  4. Set Deny For Failed Password Attempts
  5. Set Password Quality Requirements with pam_pwquality (several rules)
  6. Set Account Expiration Following Inactivity
  7. Verify All Account Password Hashes are Shadowed with SHA512
  8. Ensure that Users Have Sensible Umask Values (several rules)
  9. Verify iptables Enabled
  10. Kernel Parameters Which Affect Networking
    and more

Please keep in mind that these results are more or less the same as for a plain Ubuntu distribution without any hardening.
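To make the "Standard" failures above concrete, here is a hand-written re-implementation of what a few of those rules actually inspect (rules 1 and 4 to 8 of the Standard list: auditd present, owner/group/permissions of shadow and gshadow, SUID core dumps, ASLR). This is an added example, not code from the forum thread or from OpenSCAP/SSG, and the expected values (root:shadow with mode at most 0640, kernel.randomize_va_space=2, fs.suid_dumpable=0) are what the Ubuntu content checks for on a stock system; the ROOT variable is an assumption of this script so the sysctl checks can be pointed at a fake /proc tree.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenSCAP project.
# Assumptions: GNU stat is available; ROOT (empty by default) prefixes the
# /proc path so the sysctl checks can be exercised against a test tree.
ROOT=${ROOT:-}

# true when octal mode ACTUAL ($1) grants no bit that octal mode MAX ($2) does not
perm_ok() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# Owner, group and maximum permissions of a file: path user group max_mode.
# Prints PASS/FAIL and returns non-zero on failure.
check_file() {
    path=$1 want_user=$2 want_group=$3 max_mode=$4
    if [ ! -e "$path" ]; then printf 'FAIL %s: missing\n' "$path"; return 1; fi
    user=$(stat -c %U "$path"); group=$(stat -c %G "$path"); mode=$(stat -c %a "$path")
    if [ "$user" = "$want_user" ] && [ "$group" = "$want_group" ] && perm_ok "$mode" "$max_mode"; then
        printf 'PASS %s %s:%s %s\n' "$path" "$user" "$group" "$mode"
    else
        printf 'FAIL %s is %s:%s %s, want %s:%s <=%s\n' \
            "$path" "$user" "$group" "$mode" "$want_user" "$want_group" "$max_mode"
        return 1
    fi
}

# Kernel parameter read straight from /proc/sys: key expected.
# kernel.randomize_va_space=2 is full ASLR; fs.suid_dumpable=0 stops setuid
# programs from writing core files that could leak privileged memory.
check_sysctl() {
    key=$1 want=$2
    file="$ROOT/proc/sys/$(printf '%s' "$key" | tr . /)"
    have=$(cat "$file" 2>/dev/null) || { printf 'FAIL %s: unreadable\n' "$key"; return 1; }
    if [ "$have" = "$want" ]; then
        printf 'PASS %s = %s\n' "$key" "$have"
    else
        printf 'FAIL %s = %s, want %s\n' "$key" "$have" "$want"; return 1
    fi
}

# The audit subsystem is installed when its control tool is on the PATH.
check_auditd() {
    if command -v auditctl >/dev/null 2>&1; then echo 'PASS auditd installed'
    else echo 'FAIL auditd not installed'; return 1; fi
}

# Run every check; the return value is the number of failures.
run_checks() {
    fails=0
    check_file /etc/shadow  root shadow 640 || fails=$((fails + 1))
    check_file /etc/gshadow root shadow 640 || fails=$((fails + 1))
    check_sysctl kernel.randomize_va_space 2 || fails=$((fails + 1))
    check_sysctl fs.suid_dumpable 0          || fails=$((fails + 1))
    check_auditd                             || fails=$((fails + 1))
    return $fails
}

if [ "${1-}" = "--run" ]; then run_checks; fi
```

Run `sudo sh standard-checks.sh --run` to see which of the listed rules fail on the box in front of you. For the real thing you do not need to hand-write remediations at all: `oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_standard --fix-type bash ssg-ubuntu2204-ds-1.2.xml` emits a shell script for the selected profile, which is worth reading before running, since (as the separate-partition rules show) some fixes cannot be applied to an installed system.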