KO
Uploaded byKazuki Omo
PDF, PPTX3,165 views

SCAP for openSUSE

This document discusses customizing Security Content Automation Protocol (SCAP) content for openSUSE. It begins with an introduction to SCAP and its components like OVAL, XCCDF, and OCIL. It notes that while OVAL definitions exist for openSUSE, an XCCDF benchmark is needed to enable compliance testing. The document considers customizing an existing SLES or RHEL XCCDF file by changing platform identifiers and related files. It demonstrates using the oscap tool to evaluate a customized RHEL XCCDF benchmark against an openSUSE system and generating results. Further work is needed to fully adapt the customized XCCDF content to the openSUSE standard and profile for compliance benchmarks.

Software
Related topics:
Information Security

Embed presentation

Download as PDF, PPTX
OpenSCAP and related contents for openSUSE Kazuki Omo( 面 和毅 ): ka-omo@sios.com SIOS Technology, Inc.
2 Who am I ? - Security Researcher/Engineer (16 years) - SELinux/MAC Evangelist (11 years) - Antivirus Engineer (3 years) - SIEM Engineer (3 years) - Linux Engineer (16 years)
3 Agenda - What is SCAP? - Enumerations - Language/Contents - OpenSCAP - OpenSUSE contents - Customize RHEL’s XCCDF file - Conclusion
What is SCAP?
5 SCAP (Security Content Automation Protocol) Object: Automated for - Vulnerability management - Vulnerability measurement - Policy compliance evaluation
6 SCAP Components.. SCAP Common Vulnerabilities and Exposures (CVE) Common Configuration Enumeration (CCE) Common Platform Enumeration (CPE) Common Weakness Enumeration (CWE) Common Vulnerability Scoring System (CVSS) Extensible Configuration Checklist Description Format (XCCDF) and so on…. Open Vulnerability and Assessment Language (OVAL) Lang Enumerations
Enumerations
8 CVE: Common Vulnerabilities and Exposures
9 CVE: Common Vulnerabilities and Exposures CVE ID CPE Summary CVE-2016-6662 cpe:/a:mariadb:mariadb: 10.1.15 Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51- 38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. CVE-2016-6662 cpe:/a:mariadb:mariadb: 10.1.16 CVE-2016-2107 cpe:/o:redhat:enterprise _linux_server:7.0 Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data. CVE-2016-2107 cpe:/o:novell:leap:42.1 CVE-2016-2107 cpe:/o:novell:opensuse: 13.2 CVE-2016-4979 cpe:/a:apache:http_serv er:2.4.20 PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
10 CPE: Common Platform Enumeration CPE name title href cpe:/o:novell:leap: 42.0 Novell Leap 42.0 https://en.opensuse.org/openSUSE:Leap cpe:/o:novell:leap: 42.1 Novell Leap 42.1 https://en.opensuse.org/openSUSE:Leap cpe:/o:redhat:ente rprise_linux:7.0 Red Hat Enterpris e Linux 7.0 http://www.redhat.com/resourcelibrary/datash eets/rhel-7-whats-new cpe:/o:redhat:ente rprise_linux:7.1 Red Hat Enterpris e Linux 7.1 http://www.redhat.com/en/resources/whats- new-red-hat-enterprise-linux-71
11 CPE: Common Platform Enumeration linux-vs1z:~ # cat /etc/os-release NAME="openSUSE Leap" VERSION="42.1" VERSION_ID="42.1" PRETTY_NAME="openSUSE Leap 42.1 (x86_64)" ID=opensuse ANSI_COLOR="0;32" CPE_NAME="cpe:/o:opensuse:opensuse:42.1" BUG_REPORT_URL="https://bugs.opensuse.org" HOME_URL="https://opensuse.org/" ID_LIKE="suse"
12 CCE: Common Configuration Enumeration CCE IDs Description CCE- 5317-3 Core dump size limits should be set appropriately CCE- 5384-3 The read-only SNMP community string should be set appropriately. CCE- 5664-8 The minimum password age should be set as appropriate CCE- 5804-0 The minimum required password length should be set as appropriate CCE- 4858-7 Password history should be saved for an appropriate number of password changes CCE- 5775-2 The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate
13 CWE: Common Weakness Enumeration CVE ID CWE-ID CVE-2016-6662 CWE-264 CVE-2016-2107 CWE-310 CVE-2016-4979 CWE-284
14 CVSS: Common Vulnerability Scoring System
Language/Contents
16 OVAL: Open Vulnerability and Assessment Language OVAL: - Check Vulnerabilities / configuration issues (XML) - Using for Patch Management - Composed by - Collection of CVEs - list of standardized names for vulnerabilities
17 OVAL: Open Vulnerability and Assessment Language <title>CVE-2012-2150</title> <affected family="unix"> <platform>openSUSE Leap 42.1</platform> </affected> <reference ref_id="CVE-2012-2150" ref_url= "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150" source="CVE"/> </metadata> <criteria operator="AND"> <criterion test_ref="oval:org.opensuse.security:tst:2009117743" comment="openSUSE Leap 42.1 is installed"/> <criteria operator="OR"> <criterion test_ref="oval:org.opensuse.security:tst:2009120999" comment="xfsprogs-3.2.1-5.1 is installed"/>
18 OVAL: Open Vulnerability and Assessment Language <definition class="compliance" id="oval:ssg- file_permissions_httpd_server_conf_files:def:1" version="2"> <metadata> <title>Verify Permissions On Apache Web Server Configuration Files </title> <affected family="unix"> <platform>Red Hat Enterprise Linux 7</platform> <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).</description>
19 OVAL: Open Vulnerability and Assessment Language
20 OVAL: Open Vulnerability and Assessment Language
21 XCCDF: The eXtensible Configuration Checklist Description Format XCCDF: - Writing security checklists, benchmarks, etc. (XML) - Automated compliance testing, Compliance scoring (PCIDSS, etc.) - Collection of security configuration rules for some set of target systems (Docker-Enabled Host)
22 XCCDF: The eXtensible Configuration Checklist Description Format <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1"> <status date="2016-09-20">draft</status> <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title> <Profile id="pci-dss"> <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This is a *draft* profile for PCI-DSS v3</description> <select idref="service_auditd_enabled" selected="true"/> <select idref="bootloader_audit_argument" selected="true"/> <select idref="auditd_data_retention_num_logs" selected="true"/> <select idref="audit_rules_dac_modification_chmod" selected="true"/> ...
23 XCCDF: The eXtensible Configuration Checklist Description Format <Profile id="docker-host"> <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">Standard Docker Host Security Profile</title> <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system running the docker daemon. </description> <select idref="service_docker_enabled" selected="true"/> <select idref="enable_selinux_bootloader" selected="true"/> <select idref="selinux_state" selected="true"/> <select idref="selinux_policytype" selected="true"/> <select idref="docker_selinux_enabled" selected="true"/> <select idref="docker_storage_configured" selected="true"/> <select idref="remediation_functions" selected="false"/>
24 XCCDF: The eXtensible Configuration Checklist Description Format
25 XCCDF: The eXtensible Configuration Checklist Description Format
OpenSCAP
27 OpenSCAP OpenSCAP: - Provides multiple tools for Administrators/Auditors Tools: - OpenSCAP Base (oscap) - SCAP Workbench (GUI tool) - OpenSCAP Daemon - SCAPTimony - OSCAP Anaconda Add-on
OpenSUSE contents
29 OVAL: Open Vulnerability and Assessment Language Available on ftp.suse.com/pub
30 OVAL: Open Vulnerability and Assessment Language
31 OVAL: Open Vulnerability and Assessment Language
32 XCCDF: The eXtensible Configuration Checklist Description Format No XCCDF file…. Then We can - check Vulnerabilities for openSUSE We can’t - check Configuration Standard (ex. PCIDSS) :-(
33 XCCDF: The eXtensible Configuration Checklist Description Format 1. Customize old SLES XCCDF file (“SLES v11 for System z”) 2. Customize “RHEL_STIG” XML file. Which is better? There are 2 options;
34 1. Customize “SLES v11 for System z” 1. Customize old “SLES v11 for System z” (http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_2016_07.zip) - Profile for MAC(Mandatory Access Control) Level + Public/Sensitive/Classified. → DoD/Federal Government System. - No Benchmark XML file (DPMS_XCCDF_Benchmark_SuSe zLinux.xml) → SuSE is providing XML file (not open). Hard to Develop. But we need it in future.
35 2. Customize “RHEL_STIG” XML file. 2. Customize RHEL’s “RHEL_STIG” XML file. - use latest RHEL7 STIG - Including PCIDSS v3.0, etc. https://github.com/OpenSCAP/openscap More easy to Develop. Take a look for now. ;-)
Customize RHEL’s XCCDF file
37 Customize RedHat’s XCCDF file Customize RedHat XCCDF file; Change Platform ID <platform idref="cpe:/o:redhat:enterprise_linux:7"/> <platform idref="cpe:/o:opensuse:opensuse"/> Change/Copy related XML file <check-content-ref href="ssg-rhel7-ocil.xml" <check-content-ref href="ssg-opensuse-ocil.xml"
38 Scan Customized RedHat’s XCCDF file oscap xccdf eval --profile "Profile" --report “Report” “input xccdf XML file” ex. ) oscap xccdf eval --profile "pci-dss" --report /tmp/opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml Profile: <profile id> in xccdf.xml file; <Profile id="standard"> <Profile id="pci-dss"> <Profile id="rht-ccp"> <Profile id="docker-host"> … etc.
39 Scan by “oscap” # oscap xccdf eval --profile "pci-dss" --report ./opensuse42.1-ssg- results.html ./ssg-opensuse-xccdf.xml Title Ensure auditd Collects Information on Kernel Module Loading and Unloading Rule audit_rules_kernel_module_loading Ident CCE-27129-6 Result fail Title Make the auditd Configuration Immutable Rule audit_rules_immutable Ident CCE-27097-5 Result fail Title Set SSH Idle Timeout Interval Rule sshd_set_idle_timeout Ident CCE-27433-2 Result pass
40 “oscap” result html
41 “oscap” result html (cont'd)
42 Scap-workbench
43 Customize Rule (with scap-workbench) Some of Rule can modify, and can not → No good for fitting to openSUSE
44 Customize Rule (xml file) OVAL: <definition class="compliance" id="oval:ssg-service_autofs_disabled:def:1" version="1"> <metadata> <title>Service autofs Disabled</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 7</platform> </affected> <description>The autofs service should be disabled if possible.</description> <reference source="JL" ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/ scap-security-guide/wiki/Contributors"/> <reference ref_id="service_autofs_disabled" source="ssg"/></metadata> <criteria comment="package autofs removed or service autofs is not configured to start" operator="OR"> <extend_definition comment="autofs removed" definition_ref="oval:ssg-package_autofs_ removed:def:1"/> <criteria operator="OR" comment="service autofs is not configured to start"> <criterion comment="autofs not wanted by multi-user.target" test_ref="oval:ssg-test_ autofs_not_wanted_by_multi_user_target:tst:1"/>
45 OVAL Language Dictionary
46 Customize Rule (xml file) OCIL: <questionnaire id="ocil:ssg-disable_users_coredumps_ocil:questionnaire:1"> <title>Disable Core Dumps for All Users</title> <actions> <test_action_ref>ocil:ssg-disable_users_coredumps_action:testaction:1</test_action_ref> </actions> </questionnaire> <questionnaire id="ocil:ssg-sysctl_fs_suid_dumpable_ocil:questionnaire:1"> <title>Disable Core Dumps for SUID programs</title> <actions> <test_action_ref>ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1</test_action_ref> </actions> </questionnaire>
47 OCIL Language Dictionary
48 Remain Task - Not only for PCI-DSS, other Profile: - Check details which modified. - Change those XCCDF file as openscap-ssg standard style. - Follow SUSE11 Standard also.
Conclusion
50 Conclusion - SCAP OVAL file for openSUSE is released from SUSE. - SCAP XCCDF file for openSUSE needs to be under PCI-DSS etc. - Still customizing contents for publishing. :-)
51 Any Questinos?
52 Thank You!!!

More Related Content

PPTX
Cloud Custodian
byJamison Roberts
 
PPTX
SIEM - Varolan Verilerin Anlamı
byBGA Cyber Security
 
PPTX
Different types of Symmetric key Cryptography
bysubhradeep mitra
 
PDF
AWS load balancers deep dive-AWSKRUG
byha suyoung
 
PDF
AWS IoT를 통해 클라우드로 세상을 연결하는 방법 - 이종화 솔루션즈 아키텍트, AWS / 최원근 솔루션즈 아키텍트, AWS :: AW...
byAmazon Web Services Korea
 
PPTX
Implementing and Running SIEM: Approaches and Lessons
byAnton Chuvakin
 
PDF
Linear Regression Algorithm | Linear Regression in Python | Machine Learning ...
byEdureka!
 
DOC
SIEM
byvikasraina
 
Cloud Custodian
byJamison Roberts
 
SIEM - Varolan Verilerin Anlamı
byBGA Cyber Security
 
Different types of Symmetric key Cryptography
bysubhradeep mitra
 
AWS load balancers deep dive-AWSKRUG
byha suyoung
 
AWS IoT를 통해 클라우드로 세상을 연결하는 방법 - 이종화 솔루션즈 아키텍트, AWS / 최원근 솔루션즈 아키텍트, AWS :: AW...
byAmazon Web Services Korea
 
Implementing and Running SIEM: Approaches and Lessons
byAnton Chuvakin
 
Linear Regression Algorithm | Linear Regression in Python | Machine Learning ...
byEdureka!
 
SIEM
byvikasraina
 

What's hot

PDF
AWS DMS를 통한 오라클 DB 마이그레이션 방법 - AWS Summit Seoul 2017
byAmazon Web Services Korea
 
PPTX
Elastic Compute Cloud (EC2) on AWS Presentation
byKnoldus Inc.
 
PPT
Chapter 12 Presentation
byAmy McMullin
 
PDF
Scada Sistemlerde Siber Guvenlik by Cagri POLAT
byÇağrı Polat
 
PDF
Terraform을 이용한 Infrastructure as Code 실전 구성하기 :: 변정훈::AWS Summit Seoul 2018
byAmazon Web Services Korea
 
PPT
The rsa algorithm
byKomal Singh
 
PPTX
Overview on Cryptography and Network Security
byDr. Rupa Ch
 
PPTX
Aws- Amazon Web Services
byShreya Srivastava
 
ODP
Introduction to Amazon Web Services
byJames Armes
 
PDF
NetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe Önal
byBGA Cyber Security
 
PPTX
AWS Lambda Features and Uses
byGlobalLogic Ukraine
 
PDF
APIC/DataPower security
byShiu-Fun Poon
 
PDF
SAP, 아마존 클라우드에서 어떻게 하면 잘한다고 소문이 날까? AWS 클라우드 환경에서 ISMS-P(정보보호 관리체계) "인싸"가 되는 ...
byAmazon Web Services Korea
 
PPTX
Lecture 2 introduction to cloud computing
bydralaa7
 
PDF
AWS와 함께 하는 클라우드 비즈니스 (임성은 매니저, AWS) :: AWS TechShift 2018
byAmazon Web Services Korea
 
PPTX
Introduction of AWS KMS
byRicardo Schmidt
 
PPTX
Cloud Computing
byTilani Gunawardena PhD(UNIBAS), BSc(Pera), FHEA(UK), CEng, MIESL
 
PDF
BGA SOME/SOC Etkinliği - Kurumsal SOME’ler için SOC Modeli Nasıl Olmalı?
byBGA Cyber Security
 
PDF
Ethical Considerations in AI
byKenny Huang Ph.D.
 
PPTX
Survival Analysis Superlearner
byColleen Farrelly
 
AWS DMS를 통한 오라클 DB 마이그레이션 방법 - AWS Summit Seoul 2017
byAmazon Web Services Korea
 
Elastic Compute Cloud (EC2) on AWS Presentation
byKnoldus Inc.
 
Chapter 12 Presentation
byAmy McMullin
 
Scada Sistemlerde Siber Guvenlik by Cagri POLAT
byÇağrı Polat
 
Terraform을 이용한 Infrastructure as Code 실전 구성하기 :: 변정훈::AWS Summit Seoul 2018
byAmazon Web Services Korea
 
The rsa algorithm
byKomal Singh
 
Overview on Cryptography and Network Security
byDr. Rupa Ch
 
Aws- Amazon Web Services
byShreya Srivastava
 
Introduction to Amazon Web Services
byJames Armes
 
NetSecTR - "Siem / Log Korelasyon Sunumu" Huzeyfe Önal
byBGA Cyber Security
 
AWS Lambda Features and Uses
byGlobalLogic Ukraine
 
APIC/DataPower security
byShiu-Fun Poon
 
SAP, 아마존 클라우드에서 어떻게 하면 잘한다고 소문이 날까? AWS 클라우드 환경에서 ISMS-P(정보보호 관리체계) "인싸"가 되는 ...
byAmazon Web Services Korea
 
Lecture 2 introduction to cloud computing
bydralaa7
 
AWS와 함께 하는 클라우드 비즈니스 (임성은 매니저, AWS) :: AWS TechShift 2018
byAmazon Web Services Korea
 
Introduction of AWS KMS
byRicardo Schmidt
 
Cloud Computing
byTilani Gunawardena PhD(UNIBAS), BSc(Pera), FHEA(UK), CEng, MIESL
 
BGA SOME/SOC Etkinliği - Kurumsal SOME’ler için SOC Modeli Nasıl Olmalı?
byBGA Cyber Security
 
Ethical Considerations in AI
byKenny Huang Ph.D.
 
Survival Analysis Superlearner
byColleen Farrelly
 

Similar to SCAP for openSUSE

PDF
KVM_security
byFrank Caviggia
 
PDF
OSC2023_security_automation_data.pdf
byMarcus Meissner
 
PDF
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
PDF
2008-01-22 Red Hat (Security) Roadmap Presentation
byShawn Wells
 
PDF
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
byShawn Wells
 
PDF
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
byShawn Wells
 
PDF
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
PDF
2013-04-03 Open Source Framework to Catch the Bad Guys
byShawn Wells
 
PDF
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
byShawn Wells
 
PDF
2014-07-30 defense in depth scap workbook
byShawn Wells
 
PDF
2013-03-25 SCAP Workshop Workbook
byShawn Wells
 
PDF
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
byShawn Wells
 
PDF
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
byShawn Wells
 
PDF
2008-03-06 Harris Corp Security Seminar
byShawn Wells
 
PPTX
Security Walls in Linux Environment: Practice, Experience, and Results
byIgor Beliaiev
 
PDF
2014 04-17 Applied SCAP, Red Hat Summit 2014
byShawn Wells
 
PDF
2014-07-31 customer convergence applied scap
byShawn Wells
 
PPT
2016-08-18 Red Hat Partner Security Update
byShawn Wells
 
PDF
2016-08-29 AFITC Security Automation
byShawn Wells
 
PPTX
Spacewalk deployment at Fuqua
byAndy Ingham
 
KVM_security
byFrank Caviggia
 
OSC2023_security_automation_data.pdf
byMarcus Meissner
 
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
2008-01-22 Red Hat (Security) Roadmap Presentation
byShawn Wells
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
byShawn Wells
 
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
byShawn Wells
 
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
2013-04-03 Open Source Framework to Catch the Bad Guys
byShawn Wells
 
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
byShawn Wells
 
2014-07-30 defense in depth scap workbook
byShawn Wells
 
2013-03-25 SCAP Workshop Workbook
byShawn Wells
 
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
byShawn Wells
 
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
byShawn Wells
 
2008-03-06 Harris Corp Security Seminar
byShawn Wells
 
Security Walls in Linux Environment: Practice, Experience, and Results
byIgor Beliaiev
 
2014 04-17 Applied SCAP, Red Hat Summit 2014
byShawn Wells
 
2014-07-31 customer convergence applied scap
byShawn Wells
 
2016-08-18 Red Hat Partner Security Update
byShawn Wells
 
2016-08-29 AFITC Security Automation
byShawn Wells
 
Spacewalk deployment at Fuqua
byAndy Ingham
 

More from Kazuki Omo

PDF
Cve trends 20170531
byKazuki Omo
 
PDF
Osc2017 tokyo spring_soss_sig
byKazuki Omo
 
PDF
Osc2018 tokyo spring_scap
byKazuki Omo
 
PDF
SELinux_Updates_PoC_20170516
byKazuki Omo
 
ODP
Postgre SQL security_20170412
byKazuki Omo
 
PDF
Linux Security Status on 2017
byKazuki Omo
 
PDF
Docker app armor_usecase
byKazuki Omo
 
PDF
RHELのEOLがCentOSに及ぼす影響
byKazuki Omo
 
PDF
OpenSSF Day Tokyo 2023 Keynote presentation.
byKazuki Omo
 
PDF
Edb summit 2016_20160216.omo
byKazuki Omo
 
PDF
6 anti virus
byKazuki Omo
 
PPTX
2022Q2 最新ランサムウェア動向と対処方法.pptx
byKazuki Omo
 
PDF
OSC ossセキュリティ技術の会について
byKazuki Omo
 
PDF
Don't you have dream about Foreign Company? How about real one?
byKazuki Omo
 
PDF
エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)
byKazuki Omo
 
Cve trends 20170531
byKazuki Omo
 
Osc2017 tokyo spring_soss_sig
byKazuki Omo
 
Osc2018 tokyo spring_scap
byKazuki Omo
 
SELinux_Updates_PoC_20170516
byKazuki Omo
 
Postgre SQL security_20170412
byKazuki Omo
 
Linux Security Status on 2017
byKazuki Omo
 
Docker app armor_usecase
byKazuki Omo
 
RHELのEOLがCentOSに及ぼす影響
byKazuki Omo
 
OpenSSF Day Tokyo 2023 Keynote presentation.
byKazuki Omo
 
Edb summit 2016_20160216.omo
byKazuki Omo
 
6 anti virus
byKazuki Omo
 
2022Q2 最新ランサムウェア動向と対処方法.pptx
byKazuki Omo
 
OSC ossセキュリティ技術の会について
byKazuki Omo
 
Don't you have dream about Foreign Company? How about real one?
byKazuki Omo
 
エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)
byKazuki Omo
 

Recently uploaded

PDF
INTRODUCTION TO DATABASES, MYSQL, MS ACCESS, PHARMACY DRUG DATABASE.pdf
bylikudas9861
 
PPTX
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
PPTX
#15 All About Anypoint MQ - Calicut MuleSoft Meetup Group
bycalicutmulesoftmeetu
 
PPTX
NSF Converter Software to Convert NSF to PST, EML, MSG
byNSF Converter Software
 
PDF
Constraints First - Why Our On-Prem Ticketing System Starts With Limits, Not ...
bySpirit Face
 
PPTX
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
PDF
What Is A Woman (WIAW) Token – Smart Contract Security Audit Report by EtherA...
byEtherAuthority
 
PDF
Operating System (OS) :UNIT-I Introduction to Operating System BCA SEP SEM-II...
byKuvempu University
 
PPT
This-Project-Demonstrates-How-to-Create.ppt
byjayasuryanexinfo
 
PDF
SecureChain AI (SCAI) Token – Smart Contract Security Audit Report by EtherAu...
byEtherAuthority
 
PDF
Advanced Prompt Engineering: The Art and Science
byMaxim Salnikov
 
PDF
IT Estate Modernization: Transform Your Infrastructure for the Future .pdf
byAstuteBusiness
 
PDF
Design and Analysis of Algorithms(DAA): Unit-II Asymptotic Notations and Basi...
byKuvempu University
 
PDF
How Modern Custom Software is Revolutionizing Mortgage Lending Processes -Ma...
byMatellio
 
PDF
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
PDF
Influence Without Power - Why Empathy is Your Best Friend.pdf
bySuzanne Lagerweij
 
PPTX
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 
PPTX
Reimagining Service with AI Voice Agents | Webinar
byCEPTES Software
 
PDF
KoderXpert – Odoo, Web & AI Solutions for Growing Businesses
byDhvanil Trivedi
 
PDF
Intelligent CRM for Insurance Brokers: Managing Clients with Precision
byInsurance Tech Services
 
INTRODUCTION TO DATABASES, MYSQL, MS ACCESS, PHARMACY DRUG DATABASE.pdf
bylikudas9861
 
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
#15 All About Anypoint MQ - Calicut MuleSoft Meetup Group
bycalicutmulesoftmeetu
 
NSF Converter Software to Convert NSF to PST, EML, MSG
byNSF Converter Software
 
Constraints First - Why Our On-Prem Ticketing System Starts With Limits, Not ...
bySpirit Face
 
Deep Dive into Durable Functions, presented at Cloudbrew 2025
byJoonas Westlin
 
What Is A Woman (WIAW) Token – Smart Contract Security Audit Report by EtherA...
byEtherAuthority
 
Operating System (OS) :UNIT-I Introduction to Operating System BCA SEP SEM-II...
byKuvempu University
 
This-Project-Demonstrates-How-to-Create.ppt
byjayasuryanexinfo
 
SecureChain AI (SCAI) Token – Smart Contract Security Audit Report by EtherAu...
byEtherAuthority
 
Advanced Prompt Engineering: The Art and Science
byMaxim Salnikov
 
IT Estate Modernization: Transform Your Infrastructure for the Future .pdf
byAstuteBusiness
 
Design and Analysis of Algorithms(DAA): Unit-II Asymptotic Notations and Basi...
byKuvempu University
 
How Modern Custom Software is Revolutionizing Mortgage Lending Processes -Ma...
byMatellio
 
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
Influence Without Power - Why Empathy is Your Best Friend.pdf
bySuzanne Lagerweij
 
AI Clinic Management Software for Pulmonology Clinics Bringing Clarity, Contr...
byEasy Clinic
 
Reimagining Service with AI Voice Agents | Webinar
byCEPTES Software
 
KoderXpert – Odoo, Web & AI Solutions for Growing Businesses
byDhvanil Trivedi
 
Intelligent CRM for Insurance Brokers: Managing Clients with Precision
byInsurance Tech Services
 

SCAP for openSUSE

  • 1.
    OpenSCAP and relatedcontents for openSUSE Kazuki Omo( 面 和毅 ): ka-omo@sios.com SIOS Technology, Inc.
  • 2.
    2 Who am I? - Security Researcher/Engineer (16 years) - SELinux/MAC Evangelist (11 years) - Antivirus Engineer (3 years) - SIEM Engineer (3 years) - Linux Engineer (16 years)
  • 3.
    3 Agenda - What isSCAP? - Enumerations - Language/Contents - OpenSCAP - OpenSUSE contents - Customize RHEL’s XCCDF file - Conclusion
  • 4.
  • 5.
    5 SCAP (Security Content AutomationProtocol) Object: Automated for - Vulnerability management - Vulnerability measurement - Policy compliance evaluation
  • 6.
    6 SCAP Components.. SCAP Common Vulnerabilitiesand Exposures (CVE) Common Configuration Enumeration (CCE) Common Platform Enumeration (CPE) Common Weakness Enumeration (CWE) Common Vulnerability Scoring System (CVSS) Extensible Configuration Checklist Description Format (XCCDF) and so on…. Open Vulnerability and Assessment Language (OVAL) Lang Enumerations
  • 7.
  • 8.
  • 9.
    9 CVE: Common Vulnerabilities andExposures CVE ID CPE Summary CVE-2016-6662 cpe:/a:mariadb:mariadb: 10.1.15 Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51- 38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. CVE-2016-6662 cpe:/a:mariadb:mariadb: 10.1.16 CVE-2016-2107 cpe:/o:redhat:enterprise _linux_server:7.0 Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data. CVE-2016-2107 cpe:/o:novell:leap:42.1 CVE-2016-2107 cpe:/o:novell:opensuse: 13.2 CVE-2016-4979 cpe:/a:apache:http_serv er:2.4.20 PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
  • 10.
    10 CPE: Common Platform Enumeration CPEname title href cpe:/o:novell:leap: 42.0 Novell Leap 42.0 https://en.opensuse.org/openSUSE:Leap cpe:/o:novell:leap: 42.1 Novell Leap 42.1 https://en.opensuse.org/openSUSE:Leap cpe:/o:redhat:ente rprise_linux:7.0 Red Hat Enterpris e Linux 7.0 http://www.redhat.com/resourcelibrary/datash eets/rhel-7-whats-new cpe:/o:redhat:ente rprise_linux:7.1 Red Hat Enterpris e Linux 7.1 http://www.redhat.com/en/resources/whats- new-red-hat-enterprise-linux-71
  • 11.
    11 CPE: Common Platform Enumeration linux-vs1z:~# cat /etc/os-release NAME="openSUSE Leap" VERSION="42.1" VERSION_ID="42.1" PRETTY_NAME="openSUSE Leap 42.1 (x86_64)" ID=opensuse ANSI_COLOR="0;32" CPE_NAME="cpe:/o:opensuse:opensuse:42.1" BUG_REPORT_URL="https://bugs.opensuse.org" HOME_URL="https://opensuse.org/" ID_LIKE="suse"
  • 12.
    12 CCE: Common Configuration Enumeration CCEIDs Description CCE- 5317-3 Core dump size limits should be set appropriately CCE- 5384-3 The read-only SNMP community string should be set appropriately. CCE- 5664-8 The minimum password age should be set as appropriate CCE- 5804-0 The minimum required password length should be set as appropriate CCE- 4858-7 Password history should be saved for an appropriate number of password changes CCE- 5775-2 The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate
  • 13.
    13 CWE: Common Weakness Enumeration CVEID CWE-ID CVE-2016-6662 CWE-264 CVE-2016-2107 CWE-310 CVE-2016-4979 CWE-284
  • 14.
  • 15.
  • 16.
    16 OVAL: Open Vulnerabilityand Assessment Language OVAL: - Check Vulnerabilities / configuration issues (XML) - Using for Patch Management - Composed by - Collection of CVEs - list of standardized names for vulnerabilities
  • 17.
    17 OVAL: Open Vulnerabilityand Assessment Language <title>CVE-2012-2150</title> <affected family="unix"> <platform>openSUSE Leap 42.1</platform> </affected> <reference ref_id="CVE-2012-2150" ref_url= "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150" source="CVE"/> </metadata> <criteria operator="AND"> <criterion test_ref="oval:org.opensuse.security:tst:2009117743" comment="openSUSE Leap 42.1 is installed"/> <criteria operator="OR"> <criterion test_ref="oval:org.opensuse.security:tst:2009120999" comment="xfsprogs-3.2.1-5.1 is installed"/>
  • 18.
    18 OVAL: Open Vulnerabilityand Assessment Language <definition class="compliance" id="oval:ssg- file_permissions_httpd_server_conf_files:def:1" version="2"> <metadata> <title>Verify Permissions On Apache Web Server Configuration Files </title> <affected family="unix"> <platform>Red Hat Enterprise Linux 7</platform> <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).</description>
  • 19.
    19 OVAL: Open Vulnerabilityand Assessment Language
  • 20.
    20 OVAL: Open Vulnerabilityand Assessment Language
  • 21.
    21 XCCDF: The eXtensibleConfiguration Checklist Description Format XCCDF: - Writing security checklists, benchmarks, etc. (XML) - Automated compliance testing, Compliance scoring (PCIDSS, etc.) - Collection of security configuration rules for some set of target systems (Docker-Enabled Host)
  • 22.
    22 XCCDF: The eXtensibleConfiguration Checklist Description Format <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1"> <status date="2016-09-20">draft</status> <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title> <Profile id="pci-dss"> <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This is a *draft* profile for PCI-DSS v3</description> <select idref="service_auditd_enabled" selected="true"/> <select idref="bootloader_audit_argument" selected="true"/> <select idref="auditd_data_retention_num_logs" selected="true"/> <select idref="audit_rules_dac_modification_chmod" selected="true"/> ...
  • 23.
    23 XCCDF: The eXtensibleConfiguration Checklist Description Format <Profile id="docker-host"> <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">Standard Docker Host Security Profile</title> <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system running the docker daemon. </description> <select idref="service_docker_enabled" selected="true"/> <select idref="enable_selinux_bootloader" selected="true"/> <select idref="selinux_state" selected="true"/> <select idref="selinux_policytype" selected="true"/> <select idref="docker_selinux_enabled" selected="true"/> <select idref="docker_storage_configured" selected="true"/> <select idref="remediation_functions" selected="false"/>
  • 24.
    24 XCCDF: The eXtensibleConfiguration Checklist Description Format
  • 25.
    25 XCCDF: The eXtensibleConfiguration Checklist Description Format
  • 26.
  • 27.
    27 OpenSCAP OpenSCAP: - Provides multipletools for Administrators/Auditors Tools: - OpenSCAP Base (oscap) - SCAP Workbench (GUI tool) - OpenSCAP Daemon - SCAPTimony - OSCAP Anaconda Add-on
  • 28.
  • 29.
    29 OVAL: Open Vulnerabilityand Assessment Language Available on ftp.suse.com/pub
  • 30.
    30 OVAL: Open Vulnerabilityand Assessment Language
  • 31.
    31 OVAL: Open Vulnerabilityand Assessment Language
  • 32.
    32 XCCDF: The eXtensibleConfiguration Checklist Description Format No XCCDF file…. Then We can - check Vulnerabilities for openSUSE We can’t - check Configuration Standard (ex. PCIDSS) :-(
  • 33.
    33 XCCDF: The eXtensibleConfiguration Checklist Description Format 1. Customize old SLES XCCDF file (“SLES v11 for System z”) 2. Customize “RHEL_STIG” XML file. Which is better? There are 2 options;
  • 34.
    34 1. Customize “SLESv11 for System z” 1. Customize old “SLES v11 for System z” (http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_2016_07.zip) - Profile for MAC(Mandatory Access Control) Level + Public/Sensitive/Classified. → DoD/Federal Government System. - No Benchmark XML file (DPMS_XCCDF_Benchmark_SuSe zLinux.xml) → SuSE is providing XML file (not open). Hard to Develop. But we need it in future.
  • 35.
    35 2. Customize “RHEL_STIG”XML file. 2. Customize RHEL’s “RHEL_STIG” XML file. - use latest RHEL7 STIG - Including PCIDSS v3.0, etc. https://github.com/OpenSCAP/openscap More easy to Develop. Take a look for now. ;-)
  • 36.
  • 37.
    37 Customize RedHat’s XCCDFfile Customize RedHat XCCDF file; Change Platform ID <platform idref="cpe:/o:redhat:enterprise_linux:7"/> <platform idref="cpe:/o:opensuse:opensuse"/> Change/Copy related XML file <check-content-ref href="ssg-rhel7-ocil.xml" <check-content-ref href="ssg-opensuse-ocil.xml"
  • 38.
    38 Scan Customized RedHat’sXCCDF file oscap xccdf eval --profile "Profile" --report “Report” “input xccdf XML file” ex. ) oscap xccdf eval --profile "pci-dss" --report /tmp/opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml Profile: <profile id> in xccdf.xml file; <Profile id="standard"> <Profile id="pci-dss"> <Profile id="rht-ccp"> <Profile id="docker-host"> … etc.
  • 39.
    39 Scan by “oscap” #oscap xccdf eval --profile "pci-dss" --report ./opensuse42.1-ssg- results.html ./ssg-opensuse-xccdf.xml Title Ensure auditd Collects Information on Kernel Module Loading and Unloading Rule audit_rules_kernel_module_loading Ident CCE-27129-6 Result fail Title Make the auditd Configuration Immutable Rule audit_rules_immutable Ident CCE-27097-5 Result fail Title Set SSH Idle Timeout Interval Rule sshd_set_idle_timeout Ident CCE-27433-2 Result pass
  • 40.
  • 41.
  • 42.
  • 43.
    43 Customize Rule (with scap-workbench) Someof Rule can modify, and can not → No good for fitting to openSUSE
  • 44.
    44 Customize Rule (xml file) OVAL: <definitionclass="compliance" id="oval:ssg-service_autofs_disabled:def:1" version="1"> <metadata> <title>Service autofs Disabled</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 7</platform> </affected> <description>The autofs service should be disabled if possible.</description> <reference source="JL" ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/ scap-security-guide/wiki/Contributors"/> <reference ref_id="service_autofs_disabled" source="ssg"/></metadata> <criteria comment="package autofs removed or service autofs is not configured to start" operator="OR"> <extend_definition comment="autofs removed" definition_ref="oval:ssg-package_autofs_ removed:def:1"/> <criteria operator="OR" comment="service autofs is not configured to start"> <criterion comment="autofs not wanted by multi-user.target" test_ref="oval:ssg-test_ autofs_not_wanted_by_multi_user_target:tst:1"/>
  • 45.
  • 46.
    46 Customize Rule (xml file) OCIL: <questionnaireid="ocil:ssg-disable_users_coredumps_ocil:questionnaire:1"> <title>Disable Core Dumps for All Users</title> <actions> <test_action_ref>ocil:ssg-disable_users_coredumps_action:testaction:1</test_action_ref> </actions> </questionnaire> <questionnaire id="ocil:ssg-sysctl_fs_suid_dumpable_ocil:questionnaire:1"> <title>Disable Core Dumps for SUID programs</title> <actions> <test_action_ref>ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1</test_action_ref> </actions> </questionnaire>
  • 47.
  • 48.
    48 Remain Task - Notonly for PCI-DSS, other Profile: - Check details which modified. - Change those XCCDF file as openscap-ssg standard style. - Follow SUSE11 Standard also.
  • 49.
  • 50.
    50 Conclusion - SCAP OVALfile for openSUSE is released from SUSE. - SCAP XCCDF file for openSUSE needs to be under PCI-DSS etc. - Still customizing contents for publishing. :-)
  • 51.
  • 52.