SCAP for openSUSE
Presentation on openSUSE Asia Summit 2016, Indonesia
Published in: Software

  1. OpenSCAP and related contents for openSUSE
     Kazuki Omo (面 和毅): ka-omo@sios.com
     SIOS Technology, Inc.

  2. Who am I?
     - Security Researcher/Engineer (16 years)
     - SELinux/MAC Evangelist (11 years)
     - Antivirus Engineer (3 years)
     - SIEM Engineer (3 years)
     - Linux Engineer (16 years)

  3. Agenda
     - What is SCAP?
     - Enumerations
     - Language/Contents
     - OpenSCAP
     - openSUSE contents
     - Customize RHEL's XCCDF file
     - Conclusion

  4. What is SCAP?

  5. SCAP (Security Content Automation Protocol)
     Objective: automation of
     - Vulnerability management
     - Vulnerability measurement
     - Policy compliance evaluation

  6. SCAP Components
     Enumerations:
     - Common Vulnerabilities and Exposures (CVE)
     - Common Configuration Enumeration (CCE)
     - Common Platform Enumeration (CPE)
     - Common Weakness Enumeration (CWE)
     - Common Vulnerability Scoring System (CVSS)
     Languages:
     - Extensible Configuration Checklist Description Format (XCCDF)
     - Open Vulnerability and Assessment Language (OVAL)
     ... and so on.

  7. Enumerations

  8. CVE: Common Vulnerabilities and Exposures

  9. CVE: Common Vulnerabilities and Exposures
     CVE ID: CVE-2016-6662
       CPE: cpe:/a:mariadb:mariadb:10.1.15, cpe:/a:mariadb:mariadb:10.1.16
       Summary: Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration.
     CVE ID: CVE-2016-2107
       CPE: cpe:/o:redhat:enterprise_linux_server:7.0, cpe:/o:novell:leap:42.1, cpe:/o:novell:opensuse:13.2
       Summary: Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
     CVE ID: CVE-2016-4979
       CPE: cpe:/a:apache:http_server:2.4.20
       Summary: PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

 10. CPE: Common Platform Enumeration
     CPE name                            | Title                        | href
     cpe:/o:novell:leap:42.0             | Novell Leap 42.0             | https://en.opensuse.org/openSUSE:Leap
     cpe:/o:novell:leap:42.1             | Novell Leap 42.1             | https://en.opensuse.org/openSUSE:Leap
     cpe:/o:redhat:enterprise_linux:7.0  | Red Hat Enterprise Linux 7.0 | http://www.redhat.com/resourcelibrary/datasheets/rhel-7-whats-new
     cpe:/o:redhat:enterprise_linux:7.1  | Red Hat Enterprise Linux 7.1 | http://www.redhat.com/en/resources/whats-new-red-hat-enterprise-linux-71

 11. CPE: Common Platform Enumeration
     linux-vs1z:~ # cat /etc/os-release
     NAME="openSUSE Leap"
     VERSION="42.1"
     VERSION_ID="42.1"
     PRETTY_NAME="openSUSE Leap 42.1 (x86_64)"
     ID=opensuse
     ANSI_COLOR="0;32"
     CPE_NAME="cpe:/o:opensuse:opensuse:42.1"
     BUG_REPORT_URL="https://bugs.opensuse.org"
     HOME_URL="https://opensuse.org/"
     ID_LIKE="suse"

 12. CCE: Common Configuration Enumeration
     CCE ID     | Description
     CCE-5317-3 | Core dump size limits should be set appropriately
     CCE-5384-3 | The read-only SNMP community string should be set appropriately
     CCE-5664-8 | The minimum password age should be set as appropriate
     CCE-5804-0 | The minimum required password length should be set as appropriate
     CCE-4858-7 | Password history should be saved for an appropriate number of password changes
     CCE-5775-2 | The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate

 13. CWE: Common Weakness Enumeration
     CVE ID        | CWE ID
     CVE-2016-6662 | CWE-264
     CVE-2016-2107 | CWE-310
     CVE-2016-4979 | CWE-284

 14. CVSS: Common Vulnerability Scoring System

 15. Language/Contents

 16. OVAL: Open Vulnerability and Assessment Language
     - Checks for vulnerabilities / configuration issues (XML)
     - Used for patch management
     - Composed of a collection of CVEs, i.e. a list of standardized names for vulnerabilities

 17. OVAL: Open Vulnerability and Assessment Language
       <title>CVE-2012-2150</title>
       <affected family="unix">
         <platform>openSUSE Leap 42.1</platform>
       </affected>
       <reference ref_id="CVE-2012-2150" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150" source="CVE"/>
     </metadata>
     <criteria operator="AND">
       <criterion test_ref="oval:org.opensuse.security:tst:2009117743" comment="openSUSE Leap 42.1 is installed"/>
       <criteria operator="OR">
         <criterion test_ref="oval:org.opensuse.security:tst:2009120999" comment="xfsprogs-3.2.1-5.1 is installed"/>

 18. OVAL: Open Vulnerability and Assessment Language
     <definition class="compliance" id="oval:ssg-file_permissions_httpd_server_conf_files:def:1" version="2">
       <metadata>
         <title>Verify Permissions On Apache Web Server Configuration Files</title>
         <affected family="unix">
           <platform>Red Hat Enterprise Linux 7</platform>
           <platform>Red Hat Enterprise Linux 6</platform>
         </affected>
         <description>The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).</description>
 19-20. OVAL: Open Vulnerability and Assessment Language (slides without text)

 21. XCCDF: The eXtensible Configuration Checklist Description Format
     - Writing security checklists, benchmarks, etc. (XML)
     - Automated compliance testing and compliance scoring (PCI DSS, etc.)
     - A collection of security configuration rules for some set of target systems (e.g. a Docker-enabled host)

 22. XCCDF: The eXtensible Configuration Checklist Description Format
     <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                id="RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1">
       <status date="2016-09-20">draft</status>
       <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title>
       <Profile id="pci-dss">
         <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This is a *draft* profile for PCI-DSS v3</description>
         <select idref="service_auditd_enabled" selected="true"/>
         <select idref="bootloader_audit_argument" selected="true"/>
         <select idref="auditd_data_retention_num_logs" selected="true"/>
         <select idref="audit_rules_dac_modification_chmod" selected="true"/>
         ...

 23. XCCDF: The eXtensible Configuration Checklist Description Format
     <Profile id="docker-host">
       <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Standard Docker Host Security Profile</title>
       <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system running the docker daemon.</description>
       <select idref="service_docker_enabled" selected="true"/>
       <select idref="enable_selinux_bootloader" selected="true"/>
       <select idref="selinux_state" selected="true"/>
       <select idref="selinux_policytype" selected="true"/>
       <select idref="docker_selinux_enabled" selected="true"/>
       <select idref="docker_storage_configured" selected="true"/>
       <select idref="remediation_functions" selected="false"/>

 24-25. XCCDF: The eXtensible Configuration Checklist Description Format (slides without text)
 26. OpenSCAP

 27. OpenSCAP
     OpenSCAP provides multiple tools for administrators and auditors.
     Tools:
     - OpenSCAP Base (oscap)
     - SCAP Workbench (GUI tool)
     - OpenSCAP Daemon
     - SCAPTimony
     - OSCAP Anaconda Add-on

 28. openSUSE contents

 29. OVAL: Open Vulnerability and Assessment Language
     Available on ftp.suse.com/pub

 30-31. OVAL: Open Vulnerability and Assessment Language (slides without text)

 32. XCCDF: The eXtensible Configuration Checklist Description Format
     No XCCDF file.... Then:
     We can
     - check vulnerabilities for openSUSE
     We can't
     - check configuration standards (e.g. PCI DSS) :-(

 33. XCCDF: The eXtensible Configuration Checklist Description Format
     There are two options:
     1. Customize the old SLES XCCDF file ("SLES v11 for System z")
     2. Customize the "RHEL_STIG" XML file
     Which is better?

 34. 1. Customize "SLES v11 for System z"
     Customize the old "SLES v11 for System z" file
     (http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_2016_07.zip)
     - Profiles for MAC (Mandatory Access Control) level + Public/Sensitive/Classified
       → DoD/Federal Government systems
     - No Benchmark XML file (DPMS_XCCDF_Benchmark_SuSe zLinux.xml)
       → SuSE provides the XML file (not open)
     Hard to develop, but we will need it in future.

 35. 2. Customize the "RHEL_STIG" XML file
     Customize RHEL's "RHEL_STIG" XML file
     - uses the latest RHEL7 STIG
     - includes PCI DSS v3.0, etc.
     https://github.com/OpenSCAP/openscap
     Easier to develop. Take a look for now. ;-)

 36. Customize RHEL's XCCDF file

 37. Customize Red Hat's XCCDF file
     Change the platform ID:
       <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
       → <platform idref="cpe:/o:opensuse:opensuse"/>
     Change/copy the related XML files:
       <check-content-ref href="ssg-rhel7-ocil.xml"
       → <check-content-ref href="ssg-opensuse-ocil.xml"
 38. Scan the customized Red Hat XCCDF file
     oscap xccdf eval --profile "Profile" --report "Report" "input xccdf XML file"
     Example:
       oscap xccdf eval --profile "pci-dss" --report /tmp/opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml
     Profile: a <Profile id> from the xccdf.xml file, e.g.
       <Profile id="standard">
       <Profile id="pci-dss">
       <Profile id="rht-ccp">
       <Profile id="docker-host">
       ... etc.
 39. Scan by "oscap"
     # oscap xccdf eval --profile "pci-dss" --report ./opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml
     Title   Ensure auditd Collects Information on Kernel Module Loading and Unloading
     Rule    audit_rules_kernel_module_loading
     Ident   CCE-27129-6
     Result  fail

     Title   Make the auditd Configuration Immutable
     Rule    audit_rules_immutable
     Ident   CCE-27097-5
     Result  fail

     Title   Set SSH Idle Timeout Interval
     Rule    sshd_set_idle_timeout
     Ident   CCE-27433-2
     Result  pass
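As an added example (not from the slides), a small parser for the per-rule Title/Rule/Ident/Result blocks that `oscap xccdf eval` prints, producing a result tally and the list of failed rules for triage. The sample output is constructed from the three rules shown on slide 39.

```python
import re
from collections import Counter

# Constructed sample modelled on the three rules printed on slide 39.
SAMPLE_OUTPUT = """\
Title   Ensure auditd Collects Information on Kernel Module Loading and Unloading
Rule    audit_rules_kernel_module_loading
Ident   CCE-27129-6
Result  fail

Title   Make the auditd Configuration Immutable
Rule    audit_rules_immutable
Ident   CCE-27097-5
Result  fail

Title   Set SSH Idle Timeout Interval
Rule    sshd_set_idle_timeout
Ident   CCE-27433-2
Result  pass
"""

# oscap prints one "<Field><whitespace><value>" line per field; Result closes a rule's block.
FIELD = re.compile(r"^(Title|Rule|Ident|Result)\s+(.*)$")

def parse_oscap_output(text):
    """Return one dict per evaluated rule with lowercase keys title/rule/ident/result."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue                      # blank separators and anything unrecognised
        key, value = m.group(1).lower(), m.group(2).strip()
        current[key] = value
        if key == "result":               # last field of a block: emit it and start a new one
            records.append(current)
            current = {}
    return records

def summarize(records):
    """Tally of results plus (rule, ident) pairs for the rules that need remediation."""
    counts = Counter(r["result"] for r in records)
    failed = [(r.get("rule", ""), r.get("ident", "")) for r in records if r["result"] == "fail"]
    return dict(counts), failed

if __name__ == "__main__":
    counts, failed = summarize(parse_oscap_output(SAMPLE_OUTPUT))
    print(counts)                         # {'fail': 2, 'pass': 1}
    for rule, ident in failed:
        print(f"FAIL  {rule}  ({ident})")
```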
 40. "oscap" result html

 41. "oscap" result html (cont'd)

 42. scap-workbench

 43. Customize Rule (with scap-workbench)
     Some rules can be modified and some cannot
     → not a good fit for openSUSE

 44. Customize Rule (xml file)
     OVAL:
     <definition class="compliance" id="oval:ssg-service_autofs_disabled:def:1" version="1">
       <metadata>
         <title>Service autofs Disabled</title>
         <affected family="unix">
           <platform>Red Hat Enterprise Linux 7</platform>
         </affected>
         <description>The autofs service should be disabled if possible.</description>
         <reference source="JL" ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors"/>
         <reference ref_id="service_autofs_disabled" source="ssg"/>
       </metadata>
       <criteria comment="package autofs removed or service autofs is not configured to start" operator="OR">
         <extend_definition comment="autofs removed" definition_ref="oval:ssg-package_autofs_removed:def:1"/>
         <criteria operator="OR" comment="service autofs is not configured to start">
           <criterion comment="autofs not wanted by multi-user.target" test_ref="oval:ssg-test_autofs_not_wanted_by_multi_user_target:tst:1"/>
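Added example (my code, not the slides' or scap-security-guide's) covering the criteria trees on slides 17 and 44: a minimal evaluator for OVAL <criteria>/<criterion>/<extend_definition> logic against a table of per-test results. The definitions and the oval:ssg-test_*:tst:1 ids below are constructed to mirror slide 44; a real interpreter such as oscap derives each test result from the system itself and also tracks error/unknown states, which this example leaves out.

```python
import xml.etree.ElementTree as ET
# Constructed OVAL fragment: two definitions, the second extending the first (the slide 44 pattern).
OVAL_DEFS = """<definitions>
  <definition id="oval:ssg-package_autofs_removed:def:1" class="compliance" version="1">
    <criteria>
      <criterion test_ref="oval:ssg-test_package_autofs_removed:tst:1" comment="autofs removed"/>
    </criteria>
  </definition>
  <definition id="oval:ssg-service_autofs_disabled:def:1" class="compliance" version="1">
    <criteria operator="OR" comment="package autofs removed or service autofs is not configured to start">
      <extend_definition definition_ref="oval:ssg-package_autofs_removed:def:1" comment="autofs removed"/>
      <criteria operator="OR" comment="service autofs is not configured to start">
        <criterion test_ref="oval:ssg-test_autofs_not_wanted_by_multi_user_target:tst:1"
                   comment="autofs not wanted by multi-user.target"/>
        <criterion test_ref="oval:ssg-test_service_autofs_disabled:tst:1" comment="autofs disabled"/>
      </criteria>
    </criteria>
  </definition>
</definitions>"""

# OVAL logical operators over the list of child results (error/unknown states are not modelled).
OPERATORS = {"AND": all, "OR": any,
             "ONE": lambda rs: sum(rs) == 1, "XOR": lambda rs: sum(rs) % 2 == 1}

def load_definitions(xml_text):
    root = ET.fromstring(xml_text)
    return {d.get("id"): d for d in root.iter("definition")}

def evaluate(node, defs, tests):
    """True/False for one node of a criteria tree. `tests` maps test_ref -> bool and stands in
    for the per-test outcome a real interpreter (oscap) derives from the system state."""
    if node.tag == "criterion":
        result = tests[node.get("test_ref")]
    elif node.tag == "extend_definition":   # reuse another definition's whole criteria tree
        result = evaluate_definition(defs[node.get("definition_ref")], defs, tests)
    else:                                   # <criteria>: combine the children; AND is the default
        combine = OPERATORS[node.get("operator", "AND")]
        result = combine([evaluate(child, defs, tests) for child in node])
    return (not result) if node.get("negate") == "true" else result   # negate="true" inverts

def evaluate_definition(definition, defs, tests):
    return evaluate(definition.find("criteria"), defs, tests)

def compliance_results(xml_text, tests):
    """Map each definition id to its result, i.e. the Result column oscap prints per rule."""
    defs = load_definitions(xml_text)
    return {did: evaluate_definition(d, defs, tests) for did, d in defs.items()}

if __name__ == "__main__":
    # Constructed system state: autofs is installed, enabled and wanted by multi-user.target.
    state = {"oval:ssg-test_package_autofs_removed:tst:1": False,
             "oval:ssg-test_autofs_not_wanted_by_multi_user_target:tst:1": False,
             "oval:ssg-test_service_autofs_disabled:tst:1": False}
    print(compliance_results(OVAL_DEFS, state))   # both definitions evaluate to False (fail)
```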
 45. OVAL Language Dictionary

 46. Customize Rule (xml file)
     OCIL:
     <questionnaire id="ocil:ssg-disable_users_coredumps_ocil:questionnaire:1">
       <title>Disable Core Dumps for All Users</title>
       <actions>
         <test_action_ref>ocil:ssg-disable_users_coredumps_action:testaction:1</test_action_ref>
       </actions>
     </questionnaire>
     <questionnaire id="ocil:ssg-sysctl_fs_suid_dumpable_ocil:questionnaire:1">
       <title>Disable Core Dumps for SUID programs</title>
       <actions>
         <test_action_ref>ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1</test_action_ref>
       </actions>
     </questionnaire>

 47. OCIL Language Dictionary

 48. Remaining tasks
     - Not only PCI-DSS, but other profiles too
     - Check the details of what was modified
     - Change those XCCDF files to the openscap-ssg standard style
     - Follow the SUSE11 standard as well

 49. Conclusion

 50. Conclusion
     - The SCAP OVAL file for openSUSE is released by SUSE.
     - A SCAP XCCDF file for openSUSE is needed for PCI-DSS etc.
     - Still customizing the contents for publishing. :-)

 51. Any Questions?

 52. Thank You!!!
