Approved for open-source release via C21099 / C22007 as rhelhostinfo v1.x, authored by Skip McGee
rhelhostinfo v1.X extends the existing rhelhostinfo project by enumerating host configuration information and identifying changes over time. It provides a framework that organizations can adapt to their own requirements, adding python scripting as needed, including the ability to configure or return a host to DoD STIG specifications, run lynis configuration checks, identify user command-line history, enumerate the local OSI layer 3 environment, identify and assist with configuring the host firewall, conduct limited packet capture, and identify relevant network information. It uses the host-as-sensor model to enumerate security-relevant information about the host and the surrounding network and to report relevant changes.
rhelhostinfo primarily provides passive host inventory and change detection via the --checkconfig option, and active host inventory and change detection on an IPv4 /24 network segment via the --scan option. Additionally, the application provides enumeration of Red Hat host configuration vulnerabilities with Lynis via the --lynis option, and DISA STIG evaluation and/or remediation via the openscap project, with tailoring files that can be edited for organizational needs. rhelhostinfo provides a simple mechanism and architecture for deploying python scripting across an enterprise's Red Hat hosts for monitoring and detection purposes; the --everyday and --weekly options allow the schedule to be tailored as appropriate. Finally, the data generated by rhelhostinfo is sent via syslog to an enterprise log server for parsing, alerting, reporting and display.
1. The syslog client (rsyslog / syslog-ng) is configured and functional on your RHEL host.
2. If use of the openscap functionality is desired, use the openscap guide at `https://www.open-scap.org/resources/documentation/customizing-scap-security-guide-for-your-use-case/` to develop (and test!) tailoring files and place them in the `scap_tailoring` directory. Substitute your organization's name for the profile variables in `app/openscap.py`.
3. Use the provided gitlab-ci.yml to build a binary/rpm on your gitlab infrastructure.
- Use the latest rpm artifact from the workflow, or fork this repo and build your own rpm!
- Install the rpm
```
rpm -Uvh <path_to_rpm>
```
- To run via the installed rpm:
```
rhelhostinfo --help
usage: rhelhostinfo [options]

rhelhostinfo v1.X provides cybersecurity / host monitoring functionality for detection of
configuration vulnerabilities, remediation, identification of host changes and user activity.

optional arguments:
  -h, --help         show this help message and exit
  -c, --checkconfig  Check the local host for configuration changes
  -d, --debug        Debug granularity for application troubleshooting
  -e, --everyday     Actions to conduct every day
  -g, --generate     Generate oscap remediation script
  -l, --list         Parse splunk output
  -o, --oscap        Report the oscap findings for the host and view html report
  -r, --remediate    Remediate the host to comply with STIG content
  -s, --scan         Scan the local network
  -v, --verbose      Add verbose output to console.
  -w, --weekly       Weekly enumeration of host information
  -y, --lynis        Implement Lynis system configuration checks
```
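An added illustration of the passive inventory and change-detection idea behind --checkconfig (example code written for this README, not the project's own app/state.py logic): it hashes and stats a watch list of files, diffs the result against the state saved by the previous run, and formats one key=value syslog line per change. The watch list and the state-file path are assumptions.

```python
import hashlib
import json
import socket
from pathlib import Path

# Constructed watch list for this example; the project keeps its own (assumption).
WATCHED = ["/etc/passwd", "/etc/group", "/etc/sudoers", "/etc/ssh/sshd_config", "/etc/hosts"]

def snapshot(paths):
    """Hash and stat each watched file; missing or unreadable files are skipped."""
    snap = {}
    for path in paths:
        try:
            data, st = Path(path).read_bytes(), Path(path).stat()
        except OSError:
            continue
        snap[path] = {"sha256": hashlib.sha256(data).hexdigest(),
                      "mode": oct(st.st_mode & 0o7777), "uid": st.st_uid, "gid": st.st_gid}
    return snap

def diff_snapshots(old, new):
    """Return (path, change, detail) tuples: added/removed files and per-field drift."""
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append((path, "added", new[path]["sha256"][:12]))
        elif path not in new:
            changes.append((path, "removed", old[path]["sha256"][:12]))
        else:
            for field in ("sha256", "mode", "uid", "gid"):
                if old[path][field] != new[path][field]:
                    changes.append((path, field + "_changed",
                                    f"{old[path][field]}->{new[path][field]}"))
    return changes

def format_events(changes, host):
    """One key=value line per change so the log server can field-extract it."""
    return [f"rhelhostinfo checkconfig host={host} path={p} change={c} detail={d}"
            for p, c, d in changes]

def check_config(state_file, paths=WATCHED, host=None):
    """Diff the live snapshot against the saved state, persist the new state, return events."""
    state = Path(state_file)
    old = json.loads(state.read_text()) if state.exists() else {}
    new = snapshot(paths)
    state.write_text(json.dumps(new))
    return format_events(diff_snapshots(old, new), host or socket.gethostname())
```

Run it twice (for instance from the --everyday hook) and the second run reports only what changed since the first; the returned lines can be handed to logger(1) or a SysLogHandler to forward them to the enterprise log server.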
- To run natively in python3:
```
yum install rh-python38
python3 -m venv venv
source venv/bin/activate
python3 -m pip install --upgrade -r requirements.txt
python3 main.py --help
```
```
├── app
│   ├── __init__.py
│   ├── rhelhostinfo.py
│   ├── rhelsknr.py
│   ├── key.key
│   ├── log.conf
│   ├── openscap.py
│   ├── state.py
│   └── syslog.conf
├── CHANGELOG
├── CONTRIBUTING.md
├── current_rpms
│   └── x86_64
│       ├── rhelhostinfo-*-*.*.el7.x86_64.rpm
│       └── rhelhostinfo-*-*.*.el8.x86_64.rpm
├── __init__.py
├── LICENSE
├── main.py
├── pyinstaller
│   └── rhelhostinfo.bin.spec
├── pytest
│   └── test_initial.py
├── README.md
├── requirements.txt
├── rpmbuild
│   └── rhelhostinfo.spec
├── sast
│   ├── bandit_improvements.txt
│   └── flake8_improvements.txt
├── scripts
│   ├── netsane.sh
│   ├── rh_python38_setup.sh
│   └── scap_report_viewer.sh
├── scap_tailoring
│   ├── rhel7-gui-tailoring.xml
│   ├── rhel7-no-gui-tailoring.xml
│   ├── rhel7-rhev-tailoring.xml
│   ├── rhel8-gui-tailoring.xml
│   └── rhel8-no-gui-tailoring.xml
└── Software_Bill_of_Materials.md
```
- To run natively in python3 (after the setup steps above):
```
python3 main.py --help
python3 main.py <option>
```
- Consider scapy for limited packet capture / scripting options?
- Consider: https://github.com/SecurityNik/pktIntel
- Consider: https://drive.google.com/file/d/0B0qDfJ30s2I9bXVwX3VXNzBOMzA/edit?resourcekey=0-oqLLcXC14yCT5uzRUt9gcg
- Consider p0f / PRADS
- Add directory or file encryption for application .ini files
- Add verbose and debug options
- Add pytest tests
- Parse the RHEL sw vuln xml report for vulns and send via syslog
- Test remediation option tailoring
- Add scan types and subnet as sub-args for the scan option
- Consider potential for incorporating PEASS: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS