This document summarizes a presentation about security automation updates for Red Hat Enterprise Linux 7 (RHEL7) Department of Defense Security Technical Implementation Guide (DoD STIG) compliance. The presentation covers RHEL7 STIG and DoD Secure Host Baseline status, demonstrations of deploying systems in STIG compliance and configuration compliance scanning with OpenSCAP, and a discussion of government plans and future profiles.
2015-06-25 Red Hat Summit 2015 - Security Compliance Made EasyShawn Wells
The document discusses how Security Content Automation Protocol (SCAP) is making security compliance easier. It summarizes that SCAP allows automated compliance checks of systems through profiles that can remediate configurations with a single command. Live demos show using SCAP for installation, scanning systems, and remediating any issues in real-time.
This document provides an agenda for an OpenSCAP workshop that will explore scanning, reporting, and remediation using OpenSCAP tools and SCAP content. The workshop will include installing and reviewing compliance profiles in RHEL 7, performing and interpreting compliance scans and remediating findings, and creating a custom configuration baseline. It outlines the tasks to be completed which include installing OpenSCAP and SCAP content, reviewing available profiles and hardening guides, performing a local scan and reviewing results, extracting and reviewing remediation scripts, scanning a VM with the DISA STIG profile, and demonstrating the SCAP Workbench tool.
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
The document discusses compromise assessments, which are proactive evaluations of systems to detect threats that have evaded existing security controls. A compromise assessment is faster, more affordable, and independent compared to traditional vulnerability assessments and penetration tests. The assessment methodology involves planning, preparation, discovery, collection of data from endpoints, analysis of the collected data using techniques like forensic state analysis, and reporting of findings. It is recommended that organizations conduct regular compromise assessments by a third party to validate network security and detect any unauthorized access.
This document discusses how to harden the Solaris operating system to prevent attacks. It provides guidance on configuring the kernel, filesystem permissions, user accounts, services, and network settings to improve security. A variety of tools are also summarized that can help automate and guide the hardening process, such as Fix-modes, Titan, Jass, and Yassp. Regular patching is emphasized as a key part of maintaining a hardened Solaris system.
Whats new in oracle trace file analyzer 19.2Sandesh Rao
The document discusses new features in Oracle Trace File Analyzer (TFA) 19.2, including the ability to temporarily restrict automatic diagnostic collections for specific events, new Service Request Data Collections (SRDCs) to collect data for various issues, performing diagnostic collections for a specific event, and optionally restricting the collection of excessively large files.
Whats new in oracle trace file analyzer 18.3.0Gareth Chapman
The document summarizes new features in Oracle Trace File Analyzer (TFA) 18.3.0, including:
1) TFA will now invoke targeted diagnostic collections (SRDCs) for specific error codes to provide more focused diagnostics.
2) New commands have been added to the REST API to retrieve diagnostic information.
3) TFA can now deploy the REST service via Apache Tomcat.
4) New SRDCs have been added to collect diagnostics for specific problems like data import performance.
5) ORAchk will now be automatically configured during TFA installation to regularly collect diagnostics.
This document summarizes a presentation about security automation updates for Red Hat Enterprise Linux 7 (RHEL7) Department of Defense Security Technical Implementation Guide (DoD STIG) compliance. The presentation covers RHEL7 STIG and DoD Secure Host Baseline status, demonstrations of deploying systems in STIG compliance and configuration compliance scanning with OpenSCAP, and a discussion of government plans and future profiles.
2015-06-25 Red Hat Summit 2015 - Security Compliance Made EasyShawn Wells
The document discusses how Security Content Automation Protocol (SCAP) is making security compliance easier. It summarizes that SCAP allows automated compliance checks of systems through profiles that can remediate configurations with a single command. Live demos show using SCAP for installation, scanning systems, and remediating any issues in real-time.
This document provides an agenda for an OpenSCAP workshop that will explore scanning, reporting, and remediation using OpenSCAP tools and SCAP content. The workshop will include installing and reviewing compliance profiles in RHEL 7, performing and interpreting compliance scans and remediating findings, and creating a custom configuration baseline. It outlines the tasks to be completed which include installing OpenSCAP and SCAP content, reviewing available profiles and hardening guides, performing a local scan and reviewing results, extracting and reviewing remediation scripts, scanning a VM with the DISA STIG profile, and demonstrating the SCAP Workbench tool.
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentChristopher Gerritz
The document discusses compromise assessments, which are proactive evaluations of systems to detect threats that have evaded existing security controls. A compromise assessment is faster, more affordable, and independent compared to traditional vulnerability assessments and penetration tests. The assessment methodology involves planning, preparation, discovery, collection of data from endpoints, analysis of the collected data using techniques like forensic state analysis, and reporting of findings. It is recommended that organizations conduct regular compromise assessments by a third party to validate network security and detect any unauthorized access.
This document discusses how to harden the Solaris operating system to prevent attacks. It provides guidance on configuring the kernel, filesystem permissions, user accounts, services, and network settings to improve security. A variety of tools are also summarized that can help automate and guide the hardening process, such as Fix-modes, Titan, Jass, and Yassp. Regular patching is emphasized as a key part of maintaining a hardened Solaris system.
Whats new in oracle trace file analyzer 19.2Sandesh Rao
The document discusses new features in Oracle Trace File Analyzer (TFA) 19.2, including the ability to temporarily restrict automatic diagnostic collections for specific events, new Service Request Data Collections (SRDCs) to collect data for various issues, performing diagnostic collections for a specific event, and optionally restricting the collection of excessively large files.
Whats new in oracle trace file analyzer 18.3.0Gareth Chapman
The document summarizes new features in Oracle Trace File Analyzer (TFA) 18.3.0, including:
1) TFA will now invoke targeted diagnostic collections (SRDCs) for specific error codes to provide more focused diagnostics.
2) New commands have been added to the REST API to retrieve diagnostic information.
3) TFA can now deploy the REST service via Apache Tomcat.
4) New SRDCs have been added to collect diagnostics for specific problems like data import performance.
5) ORAchk will now be automatically configured during TFA installation to regularly collect diagnostics.
Presented at NSA User Group. Steps through recent activities and technologies in use across NSA and the IC. Specifically mentions data ingress/egress with JBoss Messaging and MRG-M, storage of data with XFS and GFS, and data presentation capabilities with JBoss Enterprise Middleware Portfolio. 15-20min on Security Automation with SCAP.
2013-07-21 MITRE Developer Days - Red Hat SCAP RemediationShawn Wells
Steps through how Red Hat added the <fix> tag to XCCDF content, in order to support scripted remediations of OVAL findings. Presented 21-JUL-2013 at MITRE Developer Days in McLean, VA.
This document provides an overview of the SCAP Security Guide (SSG) project, which develops security configuration guidance for Red Hat Enterprise Linux and other technologies using the Security Content Automation Protocol (SCAP). It discusses the background and goals of the SSG project, how to install the SSG content on RHEL6, and an introduction to the key components - OpenSCAP, XCCDF, OVAL, and profiles. It also provides instructions for performing common SSG tasks like validating and generating HTML guides from the XCCDF content, as well as interpreting scan results.
2013-06-12 Compliance Made Easy, Red Hat Summit 2013Shawn Wells
The document discusses security compliance tools and initiatives including the SCAP Security Guide Project, Security Technical Implementation Guides (STIGs), and FedRAMP/FISMA Moderate. It demonstrates current compliance capabilities using OpenSCAP with SCAP Security Guides and RHN Satellite Audit. The document also reviews the compliance content roadmap and discusses providing content for OpenStack Security Guide and forming a Red Hat OpenStack STIG.
This document proposes an architecture for building a GED mission cloud using open source technologies from Red Hat. Key elements include using KVM as the hypervisor, Red Hat Enterprise Virtualization for virtualization management, Red Hat OpenStack for cloud infrastructure, Deltacloud for a common API, GlusterFS for storage, and Red Hat Grid for high performance computing. Training, certification and accreditation activities are also discussed to support adoption of the proposed architecture.
2011-08-10 In-Q-Tel Technology Focus Day, Trends & Observations in Open Sourc...Shawn Wells
Was asked by In-Q-Tel leadership to present on how Open Source competes with larger technology companies (e.g. VMWare) and how household cloud providers (SalesForce, Amazon...) are embedding open source for competitive advantages. Step through Navy CANES program as example of DoD usage. Covers IBM and DreamWorks commercial references. Illustrates DISA Anti-Drug Network (ADNET) and U.S. Intelligence Community Persons of Interest programs. Talk about Open Source initiatives at NGA lead by Bert Beaulieu (Director, Innovision, NGA) and Michael Cline (R&D Technologist, NGA).
2011-11-03 Intelligence Community Cloud Users GroupShawn Wells
Hosted by TMA, spoke about Red Hat's virtualization portfolio, RHEV & KVM technical updates (Xen vs KVM, sVirt), RHEV 3, and security automation (OpenSCAP).
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security GuideShawn Wells
This document summarizes the SCAP Security Guide (SSG) Project, which delivers security guidance, baselines, and validation mechanisms for Red Hat Enterprise Linux 6 (RHEL6) and JBoss Enterprise Application Platform 5 using the Security Content Automation Protocol (SCAP). It provides concise instructions on downloading the SSG code, reviewing the various output formats including prose guides, XCCDF rule files, OVAL check files, and profiles. It also demonstrates how to run a SCAP scan against a system to evaluate compliance with a profile like the RHEL6 STIG.
2010-01-28 NSA Open Source User Group Meeting, Current & Future Linux on Syst...Shawn Wells
RHEL 5.4 focused on virtualization improvements like full support for KVM hypervisor on x86_64, network performance enhancements through GRO, and storage updates including Ext4 bug fixes and a technology preview of XFS file system support. For System z, RHEL 5.4 included features like support for large volumes, FCP performance monitoring, shutdown action tools, and improved installation workflow.
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...Shawn Wells
This document discusses securing intelligence in an open hybrid cloud environment. It covers foundational security practices like testing identity and access management, continuous monitoring, and standardized implementations. It also discusses enabling federated data access across systems while maintaining security and privacy. Finally, it presents examples of projects that map security policies to systems and provide abstracted views of data to allow searching across different agencies' databases.
2011-03-15 Lockheed Martin Open Source DayShawn Wells
This document provides an overview of Red Hat's enterprise products and technologies, including Red Hat Enterprise Linux, Red Hat Network Satellite, Red Hat Enterprise Virtualization, JBoss middleware, and Red Hat cloud technologies. It discusses features of Red Hat Enterprise Linux 6 such as resource management, security capabilities, and support period. It also summarizes Red Hat Network Satellite, Red Hat Enterprise Virtualization, JBoss products, and Red Hat's approach to open source cloud computing technologies and standards.
Presentation at the NSA Technical Symposium, November 2011. Covers Red Hat Enterprise Linux 6 update, Red Hat in the Virtualized Environment & Security, and Q&A Panel. Co-presented with Chris Runge (Technical Director, U.S. Government) and Gunnar Hellekson (CTO, Red Hat Public Sector).
CSCF participates in open source security projects like SELinux and OpenSCAP. It collaborates with Red Hat to integrate these projects into Red Hat Enterprise Linux to create open, secure platforms. Red Hat then commercializes these platforms along with services and certifications, serving over 100,000 customers.
2013-08-22 NSA System Security & ManagementShawn Wells
The document outlines three goals for a 60 minute meeting: 1) Review compliance technologies and initiatives from various government organizations, 2) Present the T3 ATO'd system management framework for system provisioning, patching, monitoring, and configuration management, and 3) Demonstrate current capabilities. It then provides background on the SCAP Security Guide and how it has been used to develop security baselines and standards for Red Hat Enterprise Linux, along with details on the T3 system management capabilities and the new T3 RHN Satellite version 6.
2011-12-08 Red Hat Enterprise Virtualization for Desktops (RHEV VDI) with Cis...Shawn Wells
Field call with Cisco on integrating Red Hat's Virtual Desktop capabilities with Cisco UCS hardware. Steps through underling virtualization technology, performance & scalability, and SPICE display protocol.
2014-05-08 IT Craftsmanship to IT ManufacturingShawn Wells
This document discusses Red Hat's transition from IT craftsmanship to IT manufacturing. It notes that any forward-looking statements represent Red Hat's estimates or views as of the date of the presentation only, and are subject to change. The focus of the next 30 minutes will be on how Open Compute fits within Red Hat's strategy, differences between IaaS, PaaS and cloud offerings, and upcoming technology projects. Geard is introduced as a command-line tool for integrating and managing Docker containers in Linux systemd. It allows building, deploying, and monitoring containerized applications from the CLI or API. OpenSCAP is also briefly mentioned as a tool for software supply chain hardening through whitelisting, measurements,
2015-10-05 Fermilabs DevOps Alone in the DarkShawn Wells
This document discusses the differences between DevOps practices in private industry and security practices in government. It notes that private companies can deploy code over 10,000 times per day, whereas government processes involve multiple standardized steps for categorizing, selecting, implementing, assessing, authorizing, and monitoring controls. The document proposes two initiatives - standardizing controls and configuration baselines across the government, and automating assessments using the Security Content Automation Protocol (SCAP). It provides information on engaging with the OpenSCAP community and learning more about SCAP.
2016-08-18 Red Hat Partner Security UpdateShawn Wells
The document discusses a security update presentation given by Shawn Wells, Chief Security Strategist. The presentation covered security initiatives like the Common Criteria and FIPS 140-2 standards. It also included a live demo of scanning systems for compliance with configuration guidelines like the Department of Defense STIG using OpenSCAP tools. Wells discussed compliance status and remediation timelines for Red Hat Enterprise Linux versions 5, 6 and 7. The presentation provided an overview of the SCAP standard and how it helps provide standardized security configuration and reporting.
The document argues that IT professionals are manufacturers rather than craftsmen because they share resources through open source and cloud computing to work more quickly and flexibly. It suggests that agility is enabled by sharing code and infrastructure, and that Red Hat acts as a catalyst for this type of collaborative development approach.
The document discusses HP ArcSight ESM network monitoring standard content. It includes an overview of standard content packages, the network monitoring content, supported devices, and how bandwidth usage is calculated. It also outlines chapters on installing and configuring the network monitoring package, the various network monitoring resources, and how to provide documentation feedback.
The document discusses an automation tool called the Compliance Operator that scans systems for compliance with security policies. It can automate compliance checks across an OpenShift cluster using custom resources to configure compliance profiles, scan settings, and monitor compliance status. The operator addresses challenges of maintaining compliance for fast-moving clusters by interpreting compliance standards and providing remediation suggestions.
Presented at NSA User Group. Steps through recent activities and technologies in use across NSA and the IC. Specifically mentions data ingress/egress with JBoss Messaging and MRG-M, storage of data with XFS and GFS, and data presentation capabilities with JBoss Enterprise Middleware Portfolio. 15-20min on Security Automation with SCAP.
2013-07-21 MITRE Developer Days - Red Hat SCAP RemediationShawn Wells
Steps through how Red Hat added the <fix> tag to XCCDF content, in order to support scripted remediations of OVAL findings. Presented 21-JUL-2013 at MITRE Developer Days in McLean, VA.
This document provides an overview of the SCAP Security Guide (SSG) project, which develops security configuration guidance for Red Hat Enterprise Linux and other technologies using the Security Content Automation Protocol (SCAP). It discusses the background and goals of the SSG project, how to install the SSG content on RHEL6, and an introduction to the key components - OpenSCAP, XCCDF, OVAL, and profiles. It also provides instructions for performing common SSG tasks like validating and generating HTML guides from the XCCDF content, as well as interpreting scan results.
2013-06-12 Compliance Made Easy, Red Hat Summit 2013Shawn Wells
The document discusses security compliance tools and initiatives including the SCAP Security Guide Project, Security Technical Implementation Guides (STIGs), and FedRAMP/FISMA Moderate. It demonstrates current compliance capabilities using OpenSCAP with SCAP Security Guides and RHN Satellite Audit. The document also reviews the compliance content roadmap and discusses providing content for OpenStack Security Guide and forming a Red Hat OpenStack STIG.
This document proposes an architecture for building a GED mission cloud using open source technologies from Red Hat. Key elements include using KVM as the hypervisor, Red Hat Enterprise Virtualization for virtualization management, Red Hat OpenStack for cloud infrastructure, Deltacloud for a common API, GlusterFS for storage, and Red Hat Grid for high performance computing. Training, certification and accreditation activities are also discussed to support adoption of the proposed architecture.
2011-08-10 In-Q-Tel Technology Focus Day, Trends & Observations in Open Sourc...Shawn Wells
Was asked by In-Q-Tel leadership to present on how Open Source competes with larger technology companies (e.g. VMWare) and how household cloud providers (SalesForce, Amazon...) are embedding open source for competitive advantages. Step through Navy CANES program as example of DoD usage. Covers IBM and DreamWorks commercial references. Illustrates DISA Anti-Drug Network (ADNET) and U.S. Intelligence Community Persons of Interest programs. Talk about Open Source initiatives at NGA lead by Bert Beaulieu (Director, Innovision, NGA) and Michael Cline (R&D Technologist, NGA).
2011-11-03 Intelligence Community Cloud Users GroupShawn Wells
Hosted by TMA, spoke about Red Hat's virtualization portfolio, RHEV & KVM technical updates (Xen vs KVM, sVirt), RHEV 3, and security automation (OpenSCAP).
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security GuideShawn Wells
This document summarizes the SCAP Security Guide (SSG) Project, which delivers security guidance, baselines, and validation mechanisms for Red Hat Enterprise Linux 6 (RHEL6) and JBoss Enterprise Application Platform 5 using the Security Content Automation Protocol (SCAP). It provides concise instructions on downloading the SSG code, reviewing the various output formats including prose guides, XCCDF rule files, OVAL check files, and profiles. It also demonstrates how to run a SCAP scan against a system to evaluate compliance with a profile like the RHEL6 STIG.
2010-01-28 NSA Open Source User Group Meeting, Current & Future Linux on Syst...Shawn Wells
RHEL 5.4 focused on virtualization improvements like full support for KVM hypervisor on x86_64, network performance enhancements through GRO, and storage updates including Ext4 bug fixes and a technology preview of XFS file system support. For System z, RHEL 5.4 included features like support for large volumes, FCP performance monitoring, shutdown action tools, and improved installation workflow.
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...Shawn Wells
This document discusses securing intelligence in an open hybrid cloud environment. It covers foundational security practices like testing identity and access management, continuous monitoring, and standardized implementations. It also discusses enabling federated data access across systems while maintaining security and privacy. Finally, it presents examples of projects that map security policies to systems and provide abstracted views of data to allow searching across different agencies' databases.
2011-03-15 Lockheed Martin Open Source DayShawn Wells
This document provides an overview of Red Hat's enterprise products and technologies, including Red Hat Enterprise Linux, Red Hat Network Satellite, Red Hat Enterprise Virtualization, JBoss middleware, and Red Hat cloud technologies. It discusses features of Red Hat Enterprise Linux 6 such as resource management, security capabilities, and support period. It also summarizes Red Hat Network Satellite, Red Hat Enterprise Virtualization, JBoss products, and Red Hat's approach to open source cloud computing technologies and standards.
Presentation at the NSA Technical Symposium, November 2011. Covers Red Hat Enterprise Linux 6 update, Red Hat in the Virtualized Environment & Security, and Q&A Panel. Co-presented with Chris Runge (Technical Director, U.S. Government) and Gunnar Hellekson (CTO, Red Hat Public Sector).
CSCF participates in open source security projects like SELinux and OpenSCAP. It collaborates with Red Hat to integrate these projects into Red Hat Enterprise Linux to create open, secure platforms. Red Hat then commercializes these platforms along with services and certifications, serving over 100,000 customers.
2013-08-22 NSA System Security & ManagementShawn Wells
The document outlines three goals for a 60 minute meeting: 1) Review compliance technologies and initiatives from various government organizations, 2) Present the T3 ATO'd system management framework for system provisioning, patching, monitoring, and configuration management, and 3) Demonstrate current capabilities. It then provides background on the SCAP Security Guide and how it has been used to develop security baselines and standards for Red Hat Enterprise Linux, along with details on the T3 system management capabilities and the new T3 RHN Satellite version 6.
2011-12-08 Red Hat Enterprise Virtualization for Desktops (RHEV VDI) with Cis...Shawn Wells
Field call with Cisco on integrating Red Hat's Virtual Desktop capabilities with Cisco UCS hardware. Steps through underling virtualization technology, performance & scalability, and SPICE display protocol.
2014-05-08 IT Craftsmanship to IT ManufacturingShawn Wells
This document discusses Red Hat's transition from IT craftsmanship to IT manufacturing. It notes that any forward-looking statements represent Red Hat's estimates or views as of the date of the presentation only, and are subject to change. The focus of the next 30 minutes will be on how Open Compute fits within Red Hat's strategy, differences between IaaS, PaaS and cloud offerings, and upcoming technology projects. Geard is introduced as a command-line tool for integrating and managing Docker containers in Linux systemd. It allows building, deploying, and monitoring containerized applications from the CLI or API. OpenSCAP is also briefly mentioned as a tool for software supply chain hardening through whitelisting, measurements,
2015-10-05 Fermilabs DevOps Alone in the DarkShawn Wells
This document discusses the differences between DevOps practices in private industry and security practices in government. It notes that private companies can deploy code over 10,000 times per day, whereas government processes involve multiple standardized steps for categorizing, selecting, implementing, assessing, authorizing, and monitoring controls. The document proposes two initiatives - standardizing controls and configuration baselines across the government, and automating assessments using the Security Content Automation Protocol (SCAP). It provides information on engaging with the OpenSCAP community and learning more about SCAP.
2016-08-18 Red Hat Partner Security UpdateShawn Wells
The document discusses a security update presentation given by Shawn Wells, Chief Security Strategist. The presentation covered security initiatives like the Common Criteria and FIPS 140-2 standards. It also included a live demo of scanning systems for compliance with configuration guidelines like the Department of Defense STIG using OpenSCAP tools. Wells discussed compliance status and remediation timelines for Red Hat Enterprise Linux versions 5, 6 and 7. The presentation provided an overview of the SCAP standard and how it helps provide standardized security configuration and reporting.
The document argues that IT professionals are manufacturers rather than craftsmen because they share resources through open source and cloud computing to work more quickly and flexibly. It suggests that agility is enabled by sharing code and infrastructure, and that Red Hat acts as a catalyst for this type of collaborative development approach.
The document discusses HP ArcSight ESM network monitoring standard content. It includes an overview of standard content packages, the network monitoring content, supported devices, and how bandwidth usage is calculated. It also outlines chapters on installing and configuring the network monitoring package, the various network monitoring resources, and how to provide documentation feedback.
The document discusses an automation tool called the Compliance Operator that scans systems for compliance with security policies. It can automate compliance checks across an OpenShift cluster using custom resources to configure compliance profiles, scan settings, and monitor compliance status. The operator addresses challenges of maintaining compliance for fast-moving clusters by interpreting compliance standards and providing remediation suggestions.
Configuration Monitoring Standard Content Guide for ESM 6.8cProtect724migration
The document discusses HP ArcSight ESM standard content, which provides pre-configured monitoring, reporting, and analysis resources. It includes content packages that are automatically installed for system health monitoring and optional packages that can be selected during installation for specific monitoring needs like configuration monitoring. The standard content coordinates filters, rules, dashboards and other resources to address common security tasks with minimal configuration.
ArcSight Core, ArcSight Administration, and ArcSight System Standard Content ...Protect724migration
The Configuration Monitoring content package provides resources to identify, analyze, and remediate undesired modifications to systems, devices, and applications. This includes monitoring for new software installations, system changes, vulnerability updates, and asset configuration changes. The package helps IT and security teams understand network configurations and pinpoint issues. Key steps to implement the content include installing the package, modeling the network, categorizing critical assets, configuring active lists with environment-specific data, and ensuring relevant events are captured by filters and rules. Reports and trends then provide visibility into configuration changes over time.
This document discusses HP ArcSight ESM standard content, which includes pre-configured resources like filters, rules, and reports that address common security tasks. It is organized into packages that are automatically installed or optional. The document outlines the included packages, how to install and configure the workflow content, and provides an overview of the key workflow resources for case tracking, event tracking, and notification tracking.
The document discusses NetFlow monitoring standard content for HP ArcSight ESM. It covers installing the NetFlow monitoring package, modeling the network in ESM, categorizing assets, ensuring filters capture relevant events, configuring reports and trends, and viewing a use case resource. The document provides guidance on setting up and configuring the NetFlow monitoring content to monitor network bandwidth usage and correlate it with other security events.
AWS Summit 2014 Melbourne - Breakout 2
Intel is contributing to a common security framework for Apache Hadoop, in the form of Project Rhino, which enables Hadoop to run workloads without compromising performance or security. Join this session to learn how your enterprise can take advantage of the security capabilities in the Intel Data Platform running on AWS to analyze data while ensuring technical safeguards that help you remain in compliance.
Presenter: Peter Kerney, Senior Solution Architect, Intel
This document provides an overview of standard content for NetFlow monitoring in ArcSight ESM. It discusses what standard content is, including that it provides out-of-the-box correlation, monitoring, reporting, alerting and case management. It also describes the different types of standard content packages that are available and how the NetFlow monitoring content fits into the standard content framework.
Sqrrl Data, Inc. is a startup company founded in July 2012 that is focused on building secure, scalable, and adaptive applications using Apache Accumulo. The company was founded by former engineers and contributors to Accumulo, including the former Tech Director of Accumulo at NSA. Sqrrl aims to develop lightweight applications for discovery analytics, targeted analysis, and big-picture analytics using Accumulo's capabilities for security, scalability, and flexibility.
This document provides an overview and instructions for installing and configuring the Intrusion Monitoring standard content package for HP ArcSight ESM. The content package includes alerts, reports, and resources for monitoring intrusions, attacks, vulnerabilities, and other security events. It discusses the various resource groups and the types of events and information monitored by each. The document also provides instructions for modeling assets, configuring rules, notifications, and other settings to fully implement intrusion monitoring with the standard content.
The document discusses HP's DNS Malware Analytics solution, which analyzes DNS network traffic to detect malware and security threats. It began as a research project at HP Labs and has grown into a commercial product. The solution captures DNS packets, analyzes them for blacklisted domains and abnormal patterns using security analytics, and provides alerts and visualizations to help security teams detect threats early. It has been piloted with HP IT and customers and is now offered as a software-as-a-service cloud solution to help security operations centers.
Sqrrl is a NoSQL data platform built on Apache Accumulo that provides real-time analytics capabilities at scale. Accumulo enables cell-level security and stores data in a sorted, five-tuple key format. Sqrrl integrates with Accumulo's security features and scales to petabytes of data through its use of technologies like HDFS, Zookeeper, and Apache Thrift. Sqrrl is suited for organizations that need to unlock value from disparate, large datasets while meeting security requirements.
FIM and System Call Auditing at Scale in a Large Container DeploymentPriyanka Aash
This will show how, on a large container deployment, the speaker achieved insight into security events like file events on sensitive files, system call auditing, user level activity trail, network activity, etc., by customizing and plumbing a stack of open source tools that use the underlying Linux’s inotify and kernel audit components and by aggregating these events centrally in Elasticsearch.
(Source: RSA Conference USA 2018)
This document describes OWASP Dependency-Track, a tool for continuous component analysis to reduce open source risk. It integrates with vulnerability databases and monitors applications to identify vulnerabilities. Dependency-Track is designed for automated DevOps environments to accelerate development while monitoring component usage and risk. It supports ingesting software bills of materials during CI/CD to analyze components continuously and provide notifications.
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System zShawn Wells
Red Hat Update at IBM Teach the Teacher (IBM T3) Conference in Endicott, NY. Covering Red Hat's community development model, System z announcements, SELinux, SCAP, and Red Hat Network Satellite for Systems Management.
The document describes a Secure File System (SFS) that is implemented in the Linux kernel to provide encryption of file data for confidentiality. SFS sits between the Virtual File System (VFS) layer and underlying file systems. It transparently encrypts and decrypts file data on read/write. SFS uses AES for encryption and has components for key management, access control, encryption/decryption. It generates per-file random keys, encrypts them with user public keys and stores in a file header for access control. This provides file-level encryption and access control within the kernel for improved security and performance compared to user-space solutions.
The document provides instructions for configuring NetFlow monitoring content in ArcSight ESM, including installing the NetFlow monitoring package, modeling the network, categorizing assets, ensuring filters capture relevant events, scheduling reports, restricting access to vulnerability reports, and configuring trends.
The IPv6 use case resources in ESM include reports that provide visibility into IPv6 network traffic and security events. Key reports show successful login attempts by IPv6 address, top alert sources and destinations, top IDS signatures by source and destination IPv6 address, counts of attack events by IPv6 priority and device, and denied outbound connections by IPv6 address. These resources help monitor authentication, attacks, alerts and denied connections originating from or targeting systems using IPv6 addresses.
Similar to 2013-04-03 Open Source Framework to Catch the Bad Guys (20)
The document discusses challenges that ARCYBER faces in deploying numerous applications for their DCO mission using traditional methods and proposes adopting a container strategy using technologies like Docker and Kubernetes to package applications and dependencies to allow for easier and faster deployment. It outlines how a container platform based on these technologies can provide benefits like continuous integration/delivery, rapid scaling, service discovery, and management of the application lifecycle and services. The presentation promotes Red Hat OpenShift as a container application platform that can provide these capabilities along with security features and certifications needed for government use.
2017-07-12 GovLoop: New Era of Digital SecurityShawn Wells
This document discusses the new era of digital security in light of emerging technologies like cloud computing, software-defined infrastructure, and the increased use of applications and devices outside of IT's control. It argues that traditional network-based defenses are no longer enough and that security must evolve to be continuous and integrated throughout the IT lifecycle. It presents containers and container platforms like Kubernetes as an approach that can help achieve both agility and improved security by allowing for easy and secure application deployment across hybrid environments.
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...Shawn Wells
Microsoft and Red Hat have certified OpenShift Container Platform to run on Microsoft Azure. This talk steps through the reference architecture and ongoing work to accelerate government ATOs.
This document discusses building trust and compliance in cloud environments. It covers hardware and software building blocks like Intel TXT and Linux/KVM that can establish a root of trust from the hardware level. It then discusses how open source projects like OpenCIT can provide visibility into platform trust and enforce compliance. Example reference architectures are provided using solutions from Intel, Red Hat, HyTrust and others. The presentation concludes with a demo of security scanning and OpenCIT capabilities.
2014-12-16 defense news - shutdown the hackersShawn Wells
The document discusses technologies for continuous monitoring and data standardization. It begins with an overview of a presentation on vulnerability management, configuration management, and the DoD Centralized Super Computing Facility story. It then covers various topics related to cybersecurity including reliance on technology over time, the ever-increasing capability and complexity of systems, cybercrime statistics, and the Security Content Automation Protocol (SCAP).
This document outlines a presentation on applying SCAP (Security Content Automation Protocol) to automate security compliance and remediation. The presentation has three main goals: 1) detail security automation technology and initiatives like OpenSCAP, the SCAP Security Guide, and evolving remediation capabilities; 2) provide a live demo of configuration compliance scanning, patch and vulnerability scanning, and generating certification/accreditation paperwork; and 3) discuss the roadmap for government initiatives, SCAP packaging, and future profiles. The document provides an overview of the topics that will be covered in each section of the presentation.
2014-07-30 defense in depth scap workbookShawn Wells
The document provides information about a workshop on SCAP and STIGs. It discusses the SCAP Security Guide project which produces security guidance and baselines using SCAP. It describes how to install the SCAP content for Red Hat Enterprise Linux 6. It then explains the key components of SCAP - XCCDF for security checklists, OVAL for vulnerabilities, and OpenSCAP for interpreting SCAP data. It outlines how to operate SCAP tools to validate rules, generate HTML guides, perform scans, and interpret results. It also covers customizing SCAP content by authoring new rules and profiles.
2014-04-28 cloud security frameworks and enforcementShawn Wells
This document discusses cloud security frameworks and enabling technologies. It begins with an overview of the cloud security lifecycle and government certification models. It then discusses the Security Content Automation Protocol (SCAP) and containers as enabling security technologies. The remainder of the document focuses on a case study of Westfield's MADFW/MITE infrastructure as a service platform and how it plans to transition to a platform as a service model using containerization to provide multi-tenancy.
2014 04-17 Applied SCAP, Red Hat Summit 2014Shawn Wells
The document outlines a 45 minute presentation with 3 goals: 1) detail security automation technology and initiatives including OpenSCAP, configuration compliance using SCAP Security Guides, and evolving remediation capabilities; 2) provide a live demo of configuration compliance scanning, patch and vulnerability scanning, and certification/accreditation paperwork generation; 3) discuss the roadmap for government plans, packaging, and future profiles. It then provides an overview of SCAP, the SCAP Security Guide project and contributors, and remediation capabilities including both bash and puppet approaches.
SELinux is a Linux kernel security module that allows strict control over processes and their access to files. It was developed by the NSA and integrated into the mainline Linux kernel in 2003. SELinux uses security labels on processes and files to control access between them based on their labels. This prevents processes from accessing files or resources they are not authorized for. It also compartmentalizes systems and users to restrict what an attacker can do if they compromise a process. SELinux supports role-based access control and can label users into roles to control their access. It also supports multi-level security to compartmentalize applications and users.
Food safety, prepare for the unexpected - So what can be done in order to be ready to address food safety, food Consumers, food producers and manufacturers, food transporters, food businesses, food retailers can ...
Contributi dei parlamentari del PD - Contributi L. 3/2019Partito democratico
DI SEGUITO SONO PUBBLICATI, AI SENSI DELL'ART. 11 DELLA LEGGE N. 3/2019, GLI IMPORTI RICEVUTI DALL'ENTRATA IN VIGORE DELLA SUDDETTA NORMA (31/01/2019) E FINO AL MESE SOLARE ANTECEDENTE QUELLO DELLA PUBBLICAZIONE SUL PRESENTE SITO
United Nations World Oceans Day 2024; June 8th " Awaken new dephts".Christina Parmionova
The program will expand our perspectives and appreciation for our blue planet, build new foundations for our relationship to the ocean, and ignite a wave of action toward necessary change.
Jennifer Schaus and Associates hosts a complimentary webinar series on The FAR in 2024. Join the webinars on Wednesdays and Fridays at noon, eastern.
Recordings are on YouTube and the company website.
https://www.youtube.com/@jenniferschaus/videos
Bharat Mata - History of Indian culture.pdfBharat Mata
Bharat Mata Channel is an initiative towards keeping the culture of this country alive. Our effort is to spread the knowledge of Indian history, culture, religion and Vedas to the masses.
AHMR is an interdisciplinary peer-reviewed online journal created to encourage and facilitate the study of all aspects (socio-economic, political, legislative and developmental) of Human Mobility in Africa. Through the publication of original research, policy discussions and evidence research papers AHMR provides a comprehensive forum devoted exclusively to the analysis of contemporaneous trends, migration patterns and some of the most important migration-related issues.
Jennifer Schaus and Associates hosts a complimentary webinar series on The FAR in 2024. Join the webinars on Wednesdays and Fridays at noon, eastern.
Recordings are on YouTube and the company website.
https://www.youtube.com/@jenniferschaus/videos
karnataka housing board schemes . all schemesnarinav14
The Karnataka government, along with the central government’s Pradhan Mantri Awas Yojana (PMAY), offers various housing schemes to cater to the diverse needs of citizens across the state. This article provides a comprehensive overview of the major housing schemes available in the Karnataka housing board for both urban and rural areas in 2024.
Combined Illegal, Unregulated and Unreported (IUU) Vessel List.Christina Parmionova
The best available, up-to-date information on all fishing and related vessels that appear on the illegal, unregulated, and unreported (IUU) fishing vessel lists published by Regional Fisheries Management Organisations (RFMOs) and related organisations. The aim of the site is to improve the effectiveness of the original IUU lists as a tool for a wide variety of stakeholders to better understand and combat illegal fishing and broader fisheries crime.
To date, the following regional organisations maintain or share lists of vessels that have been found to carry out or support IUU fishing within their own or adjacent convention areas and/or species of competence:
Commission for the Conservation of Antarctic Marine Living Resources (CCAMLR)
Commission for the Conservation of Southern Bluefin Tuna (CCSBT)
General Fisheries Commission for the Mediterranean (GFCM)
Inter-American Tropical Tuna Commission (IATTC)
International Commission for the Conservation of Atlantic Tunas (ICCAT)
Indian Ocean Tuna Commission (IOTC)
Northwest Atlantic Fisheries Organisation (NAFO)
North East Atlantic Fisheries Commission (NEAFC)
North Pacific Fisheries Commission (NPFC)
South East Atlantic Fisheries Organisation (SEAFO)
South Pacific Regional Fisheries Management Organisation (SPRFMO)
Southern Indian Ocean Fisheries Agreement (SIOFA)
Western and Central Pacific Fisheries Commission (WCPFC)
The Combined IUU Fishing Vessel List merges all these sources into one list that provides a single reference point to identify whether a vessel is currently IUU listed. Vessels that have been IUU listed in the past and subsequently delisted (for example because of a change in ownership, or because the vessel is no longer in service) are also retained on the site, so that the site contains a full historic record of IUU listed fishing vessels.
Unlike the IUU lists published on individual RFMO websites, which may update vessel details infrequently or not at all, the Combined IUU Fishing Vessel List is kept up to date with the best available information regarding changes to vessel identity, flag state, ownership, location, and operations.
Indira awas yojana housing scheme renamed as PMAYnarinav14
Indira Awas Yojana (IAY) played a significant role in addressing rural housing needs in India. It emerged as a comprehensive program for affordable housing solutions in rural areas, predating the government’s broader focus on mass housing initiatives.
PUBLIC FINANCIAL MANAGEMENT SYSTEM (PFMS) and DBT.pptx
2013-04-03 Open Source Framework to Catch the Bad Guys
1. RHEL6: Native Defense In Depth Tooling
Norman Mark St. Laurent,
Senior Solutions Architect
msl@redhat.com
Shawn Wells
Director, Innovation Programs
shawn@redhat.com
2. Agenda
l Security Compliance Management [Prevention]
Shawn Wells
l Incident Response [Detection
Mark St Laurent +
Response]
3. SCAP Security Guide
l Delivers practical security guidance, baselines,
and associated validation mechanisms using the
SCAP protocol suite.
l Current upstream source for STIG and NSA
SNAC documents
4. SCAP Security Guide
l Recommendations map to institutionalized
policies where applicable
l Because of this mapping, we can create custom
profiles
l RHEL6 STIG (collaboration with DISA FSO)
l RHEL6 SNAC (collaboration with NSA)
l Baseline content for NIST 800-53 (working on USGCB now!)
5. Sample SSG Rule
<Rule id="enable_auditd_service”>
<title>Enable auditd Service</title>
<description>
The <tt>auditd</tt> service is an essential userspace
component of the Linux Auditing System, as it is
responsible for writing audit records to disk.
<service-enable-macro service="auditd" />
</description>
<ocil><service-enable-check-macro service="auditd" /></ocil>
<rationale>
Ensuring that the <tt>auditd</tt> service is active ensures that
audit records generated by the kernel can be written to disk, or
that appropriate actions will be taken if other obstacles exist.
</rationale>
<ident cce="4292-9" />
<oval id="service_auditd_enabled" />
<ref nist="CM-6, CM-7"
disa="169,172,174,1353,1462,1487,1115,1454,067,158,831,1123,1190,1312,126
3,130" />
</Rule>"
11. More Information
l Project Homepage
https://fedorahosted.org/scap-security-guide/
l Mailing List
https://fedorahosted.org/mailman/listinfo/scap-security-guide
12. USING AN OPEN SOURCE FRAMEWORK
TO CATCH THE BAD GUY
BUILT-IN FORENSICS, INCIDENT RESPONSE, AND SECURITY
WITH RED HAT ENTERPRISE LINUX 6
Norman Mark St. Laurent,
Senior Solutions Architect
Red Hat, Inc.
msl@redhat.com
13. Agenda
l Integrity Checking with RHEL 6
l Background
l Terminology
l Operational Use of RHEL 6 RPM and AIDE
l RPM
l AIDE
l Conclusion
14. Agenda
l Integrity Checking with RHEL 6
l Background
l Terminology
l Operational Use of RHEL 6 RPM and AIDE
l RPM
l AIDE
l Conclusion
15. Agenda
l Integrity Checking with RHEL 6
l Background
l Terminology
l Operational Use of RHEL 6 RPM and AIDE
l RPM
l AIDE
l Conclusion
16. Integrity Checking with RHEL 6
l Part 1:
Using the RHEL audit sub system for forensics and
incident response to meet security requirement objectives
and goals.
Closely followed and mapped NIST Special Publication
800-92 “Guide to Computer Security Log Management”.
http://www.redhat.com/solutions/industry/government/
17. Integrity Checking with RHEL 6
l Part 2:
Integrity checking with RHEL 6, involves calculating a
message digest for each file and storing the message
digest securely to ensure changes to files such as
archived logs are detected.
A message digest, also called a digital signature,
uniquely identifies data and has the property that
changing a single bit in the data causes a completely
different message digest to be generated.
http://www.redhat.com/solutions/industry/government/
18. Integrity Checking with RHEL 6
l RHEL 6 allows incident response, forensics examiners,
and system administrators easy access to lightweight,
easy-to-use tools and techniques that allow them to
quickly identify file system modifications, changes or
compromises.
l A host-based IDS provides the data integrity needed to
ensure adequate protection of information and system
data, and helps meet security requirements and
compliance.
19. Integrity Checking with RHEL 6
l RPM Package Manager (RPM) and Advanced
Intrusion Detection Environment (AIDE) delivers
continuous and automated monitoring for security
compliance and for implementing the needed
security controls for a true “Defense in Depth”
approach.
l Revealing unwanted changes.
20. Integrity Checking with RHEL 6
l An altered environment could be achieved on a
compromised system where a root kit has been installed.
l A root kit contains a collection of “Bad Guy” tools that an
intruder installs on a victims computer after gaining access.
- Log-cleaning scripts, network sniffers, and most importantly Trojan
replacements of core system utility programs....
last, ps, netstat, killall, ifconfig, find, du, passwd, pidof, tcpd, top...
21. Integrity Checking with RHEL 6
l A root kit does not have to be a sophisticated program. It
could be as easy as replacing the binary of the last
program with a simple wrapper script.
#last | awk ‘$1 !~ /UserName/ { print 0}’
22. Integrity Checking with RHEL 6
l RPM can be used as a host-based IDS. Verification options with
RPM can be invaluable to a forensics investigation and could
detect critical system files and executables that have been
modified.
l AIDE is a file integrity checker. Using rules read from /etc/
aide.conf AIDE will create a database of file attributes and
extended attribute information. Once the database is initialized, it
can be used to verify the integrity of files.
l Hashing Algorithms: md5, sha1, rmd10, tiger, haval, sha256, and
sha512.
23. Integrity Checking with RHEL 6
l Every Good Computer Forensics Examiner / Incident Response Analyst
understands atime, ctime, and mtime......
24. Agenda
l Integrity Checking with RHEL 6
l Background
l Terminology
l Operational Use of RHEL 6 RPM and AIDE
l RPM
l AIDE
l Conclusion
25. l It is important to understand specific terms dealing with Intrusion
detection tools with RHEL 6.
l Understanding the terms will help you if your system defenses has been
penetrated or if you come in after-the-fact for forensics analysis.
l They will allow you to know the factors and mechanics needed to:
- Perform a forensics exam
- Deep dive into an incident
- Assist when something goes wrong from a systems administrative
perspective.
Integrity Checking with RHEL 6
26. l Baseline
A baseline is a set of data used for comparison. A major advantage of a
baseline is that a file can be summarized by its file attributes.
When file attributes provide enough detail about a fiven file, then changes to
that file can be detected by comparing snapshot data to the
corresponding baseline data.
A baseline is usually the first snapshot taken.
Integrity Checking with RHEL 6
27. l Snapshot
A snapshot is a view of something transitory in nature. A snapshot can be
taken multiple times to provide a “picture” of a specific point in time.
In the context of file integrity, a snapshot refers to a set of critical
observations (file attributes) taken at a particular point in time from one or
more file objects stored on a given Red Hat system.
When a particular snapshot is used as the reference in cange analysis, it is
called a baseline.
Integrity Checking with RHEL 6
28. l Change Analysis
Change analysis is the process of comparing a snapshot to a baseline.
Change analysis improves the overall security and operational performance
by automatically analyzing detected changes against security policies.
It enhances file integrity monitoring to close the time gap between a bad
change of a file and detecting and correcting it.
Integrity Checking with RHEL 6
29. l Digital Signature | Message Digest | Hash
A digital signature (also known as message digest, cryptographic check-
sum or cryptographic hash) is nothing more than a number.
A special number that is effectively a hash code produced by a functin
that is very difficult to reverse.
A message digest is a cryptographic hash computed over a given block
of data such as a file’s content.
Integrity Checking with RHEL 6
30. l Digital Signature | Message Digest
Integrity: A digital signature indicates whether a file or a message has
been modified.
Authentication: A digital signature allows you to mathematical verify the
name of the file.
Integrity Checking with RHEL 6
31. Agenda
l Integrity Checking with RHEL 6
l Background
l Terminology
l Operational Use of RHEL 6 RPM and AIDE
l RPM
l AIDE
l Conclusion
32. Agenda
l Integrity Checking with RHEL 6
l Background
l Terminology
l Operational Use of RHEL 6 RPM and AIDE
l RPM
l AIDE
l Conclusion
33. l Engineers at Red Hat and in the open source community
developed RPM Package Manger.
l Used to Install ,upgrade, and verify software packages on a Red hat
system.
l The verify feature of RPM can be used to check file integrity and
make sure that files have not been modified or replaced.
l Verifying a package compares information about the installed files in
the package with information about the files taken from the package
metadata stored in the RPM database.
Integrity Checking with RHEL 6
34. l The RPM database is known as the Baseline.
l File size, file type, owner and group, file permissions, time stamps
and the MD5 are all stored in the database.
l The format of the rpm -V or rpm --verify command is a string of
characters. The mnemonically emBoldened character denotes
failure of the corresponding test.
A single “.” (period) means the test passed, while a single “?” means the test
could not be performed (e.g., file permissions prevent reading).
Integrity Checking with RHEL 6
35. Integrity Checking with RHEL 6
Output String Definition
S The file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readLink (2) mismatch
U User ownership differs
G Group ownership differs
T mTime differs
P caPabilities differ
36. l In the root kit example, lets say you need to find out which Red Hat
package the pidof command is a part of.
#rpm -qf `which pidof`
sysvinit-tools-2.87.4.dsf.el6.x86_64
#rpm --verify sysvinit-tools-2.87.4.dsf.el6.x86_64
Integrity Checking with RHEL 6
37. l
[root@mstlaure mstlaure]# rpm -qf /etc/profile
setup-2.8.14-20.el6.noarch
[root@mstlaure mstlaure]# rpm --verify setup
SM5....T. c /etc/hosts.allow
S.5....T. c /etc/printcap
S.5....T. c /etc/profile
[root@mstlaure mstlaure]#
Integrity Checking with RHEL 6
38. l An additional RPM challenge is that an intelligent attacker will
modify RPM itself to hide changes done by a root kit.
l Allowing the attacker to mask its intrusion and gain root privilege.
Note: To solve this, you should implement a secondary check that can also be run
completely independent of the installed system.
***RPM from a Boot Disk as an Example...
l RPM was not designed to specifically be a file auditing tool. However,
the nice thing is that it is installed on every version of supported
RHEL.
Integrity Checking with RHEL 6
39. l In rescue mode, you can use RPM to install, remove, update or
verify packages from the installed system:
1. Boot the system into rescue mode with the linux rescue command at the boot
prompt.
2. Change to the root directory
#chroot /mnt/sysimage
3. Use RPM to verify a package
#rpm --verify /package/of/your/choice.rpm
Integrity Checking with RHEL 6
40. l Backing up the RPM database
The /var/lib/rpm directory stores all files used by the RPM
command. All files inside this directory are binary files.
[root@mstlaure mstlaure]# file /var/lib/rpm/*
/var/lib/rpm/Basenames: Berkeley DB (Hash, version 9, native
byte-order)
/var/lib/rpm/Conflictname: Berkeley DB (Hash, version 9, native
byte-order)
/var/lib/rpm/__db.001: Applesoft BASIC program data
/var/lib/rpm/__db.002: 386 pure executable
/var/lib/rpm/__db.003: 386 pure executable
/var/lib/rpm/__db.004: 386 pure executable
/var/lib/rpm/Dirnames: Berkeley DB (Btree, version 9, native
byte-order)
/var/lib/rpm/Filedigests: Berkeley DB (Hash, version 9, native
byte-order)
Integrity Checking with RHEL 6
41. l To back up the RPM data base stored in the /var/lib/rpm directory:
1. Log in as the root user.
2. Remove any Stale Lock Files. (You may need to make ensure
that no application has any of the RPM database files open using
the lsof command).
#losf /var/lib/rpm
#/bin/rm -f /var/lib/rpm/__db*
3. Backup the /var/lib/rpm directory using the tar command. Once the
back up is complete move the tar file to safe offline storage.
#tar -czfg $
(hostname).rpmdatabase.tar.gz /var/lib/rpm
Integrity Checking with RHEL 6
42. l A couple of neat RPM scripts will be presented at this years
Red Hat Summit in Boston.
l A script that will find all files in a given directory (or on a system
from “/” that do not belong to an RPM.
Note: It is important to verify which files were not put on a system by an RPM file.
l A script that can be used as a System Integrity checking
script (finding all files on a system that have been
modified).
Integrity Checking with RHEL 6
43. Agenda
l Integrity Checking with RHEL 6
l Background
l Terminology
l Operational Use of RHEL 6 RPM and AIDE
l RPM
l AIDE
l Conclusion
44. l Aide is a tool for monitoring file system changes.
l Aide was written to be a simple and free alternative to
Tripwire.
l Aide is not installed by default on a RHEL 6 system.
l Aide will build a database of the files specified in the
configuration file /etc/aide.conf
Integrity Checking with RHEL 6
45. l Aide stores various file attributes including: permissions,
inode number, user, group, file size, mtime-ctime-atime,
growing size, number of links, and link name.
l Aide also generates a cryptographic check-sum of each file
using one or a combination of the following message digest
algorithms:
sha1, sha256, sha512, md5, rmd160, and tiger.
Integrity Checking with RHEL 6
46. l After installation and setting up the RHEL 6 AIDE RPM, the
extended attributes acl, xattr, and selinux are ready to be
used because they have been explicitly enabled during
compile time.
l The configuration file is /etc/aide.conf. Setting up this file can
be difficult and must be done on a case-by-case basis.
Note: At this years Red Hat summit, we will dive deeply into the /etc/
aide.conf file.
Integrity Checking with RHEL 6
47. l The file /etc/aide.conf contains the runtime configuration AIDE
uses to initialize or check the AIDE database.
l There are 3 types of of lines in the /etc/aide.conf file:
l Configuration lines used to set the configuration parameters and
define/undefine variables.
l Selection lines used to indicate which files are added to the database.
l Macro lines used to define (or undefine) variables within the
configuration file.
Note: Lines starting with # are comments.
Integrity Checking with RHEL 6
48. l The standard RHEL 6 /etc/aide.conf file is set up to pass the
Common Criteria Labeled Security Protection Profile (LSPP).
Note: This is a huge benefit for installing on government systems and
commercial systems who need to pass specific security accreditation and
allow for appropriate security policy settings.
(DoD 5300, DCID 6/3 at PL3, SOX, HIPPA, and PCI)
Integrity Checking with RHEL 6
53. l Creating the AIDE Baseline Database
l Once the /etc/aide.conf file has been constructed, it is time to
create the baseline database.
Note: This should be done as soon as all the system tools and
programs have been loaded and installed and before it is put onto the
network.
l After specific changes have been made to the /etc/aide.conf file,
you can validate that the file is capable of running (e.g., no
syntax errors).
Integrity Checking with RHEL 6
54. l The error message contains the last successful read line of
the /etc/aide.conf file. In the example here, line 40 has an
unexpected error.
#aide --verbose=255
#aide --config-check
39:sysntax error:!
39:error while reading configuration:!
Configuration error
Integrity Checking with RHEL 6
55. l You can specify where the Baseline Database goes in the /
etc/aide.conf file. Default is:
/var/lib/aide/aide.db.gz
l As soon as the baseline database has been created, a copy
should be saved to a secure location (e.g., CD-R or DVD-R or
a remote server or USB Disk) for later snapshot comparisons.
Integrity Checking with RHEL 6
56. l Initialize the AIDE database:
#aide -i
#mv /var/lib/aide/aide.db.gz /mnt/usbdrive/aide_baseline_database/
aide.db.gz
l Create the AIDE snapshot for comparison:
#cp /mnt/usbdrive/aide_baseline_database/aide.db.gz /var/lib/aide/
aide.db.baseline.gz
Note: The first step in creating the snapshot comparison is to copy the
saved baseline database to the file that you noted in the /etc/aide.conf.
This is denoted with the
database_new=file:@@(DBDIR)/aide.db.baseline directive.
Integrity Checking with RHEL 6
57. l Perform the snapshot comparison.
#aide --check
Note: If no output follows, then, no changes were detected.
Integrity Checking with RHEL 6
58. l Perform the snapshot comparison.
#aide --check
Note: If output follows, then, changes were detected.
---
AIDE found differences between database and filesystem!!
Summary:
Total number of files: 32,056
Added files: 0
Removed files: 0
Changed files: 1
....
Integrity Checking with RHEL 6
59. l Snapshot Comaprison in Verbose Mode will go into great
detail about any and all changes.
#aide –check -V
---
AIDE found differences between database and filesystem!!
Summary:
Total number of files: 32,056
Added files: 0
Removed files: 0
Changed files: 1
------------------------------------------------------
Changed Files:
------------------------------------------------------
changed: /etc/passwd
Integrity Checking with RHEL 6
60. Agenda
l Integrity Checking with RHEL 6
l Background
l Terminology
l Operational Use of RHEL 6 RPM and AIDE
l RPM
l AIDE
l Conclusion
61. l From an intrusion detection point-of-view, incident response
teams, forensic analysts, systems administrators, and security
engineers need the ability to detect change correctly and
consistently on their machines.
l Using lightweight, open source tools that come with RHEL 6 such
as RPM and AIDE provide incident response techniques that are
recognized in the court of law.
Integrity Checking with RHEL 6
62. l Klayton Monroe Quote:
“When it comes to incident response and forensics analysis,
one snapshot is better than none. Two snapshots are better
than one, and a complete history of snapshots is nearly ideal.
However, even if no baseline exists, one should not rule out
the usefulness of baselining tools. A significant amount of
information can be collected or derived from data collected by
such tools even though a history of prior snapshots does not
exist.”
Integrity Checking with RHEL 6