SW
Uploaded byShawn Wells
PDF, PPTX240 views

2014 04-17 Applied SCAP, Red Hat Summit 2014

The document outlines a 45 minute presentation with 3 goals: 1) detail security automation technology and initiatives including OpenSCAP, configuration compliance using SCAP Security Guides, and evolving remediation capabilities; 2) provide a live demo of configuration compliance scanning, patch and vulnerability scanning, and certification/accreditation paperwork generation; 3) discuss the roadmap for government plans, packaging, and future profiles. It then provides an overview of SCAP, the SCAP Security Guide project and contributors, and remediation capabilities including both bash and puppet approaches.

Software◦

Embed presentation

Download as PDF, PPTX
Applied SCAP Shawn Wells Director, Innovation Programs Red Hat Public Sector shawn@redhat.com Jeff Blank Technical Director, Network Components & Applications Division, NSA Information Assurance Directorate blank@eclipse.ncsc.mil
45 MINUTES, 3 GOALS (+15 MIN Q&A) 1.  Detail Security Automation Technology + Initiatives •  Native Tooling [ OpenSCAP ] •  Configuration Compliance [ SCAP Security Guide ] •  Evolving Remediation Capabilities [ currently, bash + puppet ]
45 MINUTES, 3 GOALS (+15 MIN Q&A) 1.  Detail Security Automation Technology + Initiatives •  Native Tooling [ OpenSCAP ] •  Configuration Compliance [ SCAP Security Guide ] •  Evolving Remediation Capabilities [ currently, bash + puppet ] 2.  Live Demo •  Configuration Compliance Scanning •  Patch & Vulnerability Scanning •  Certification/Accreditation Paperwork Generation
45 MINUTES, 3 GOALS (+15 MIN Q&A) 1.  Detail Security Automation Technology + Initiatives •  Native Tooling [ OpenSCAP ] •  Configuration Compliance [ SCAP Security Guide ] •  Evolving Remediation Capabilities [ currently, bash + puppet ] 2.  Live Demo •  Configuration Compliance Scanning •  Patch & Vulnerability Scanning •  Certification/Accreditation Paperwork Generation 3.  Discuss Roadmap (Gov’t Plans, Packaging, Future Profiles)
FIRST, AN SCAP PRIMER •  A family of specifications managed by NIST •  Really a bunch of XML schema •  which are data formats •  so not a protocol at all, it turns out •  openly defined, community developed, and evolving … So, what kind of data do these formats organize?
FIRST, AN SCAP PRIMER •  Defines standardized formats … okay, but why bother? •  Because you’ll get: •  Standardized inputs (e.g. a compliance baseline, status query) •  Standardized outputs (results) •  Provides the enterprise liberty with regard to product choices •  Avoids vendor lock-in, enables interoperability •  Provides common technical position to vendors •  Federal procurement language requires SCAP support in some cases
SCAP Security Guide https://fedorahosted.org/scap-security-guide/
Contributors Include…
… has had 2,408 commits from 36 contributors, representing 224,872 lines of code … took an estimated 43 years of effort (COCOMO model) … has become upstream for all Red Hat STIGs, NIST NVD for JBoss, NSA’s RHEL SNAC Guides In A Nutshell, SCAP Security Guide…
“The consensus content was developed using an open source project called SCAP Security Guide. The project’s website is https://fedorahosted.org/scap-security-guide/. Except for differences in formatting to accommodate the DISA STIG publishing process, the content of the RHEL6 STIG should mirror the SCAP Security Guide content with only minor divergences as updates from multiple sources work through the consensus process” DISA STIG, Version 1, Release 2, Section 1.1:
RHEL 5 STIG: RHEL 6 STIG: RHEL 7 STIG:
RHEL 5 STIG: 1,988 DAYS RHEL 6 STIG: RHEL 7 STIG:
RHEL 5 STIG: 1,988 DAYS RHEL 6 STIG: 932 DAYS RHEL 7 STIG:
RHEL 5 STIG: 1,988 DAYS RHEL 6 STIG: 932 DAYS RHEL 7 STIG: +/- 90 DAYS
TECH + INITIATIVES Native Tooling, Configuration Compliance, Evolving Remediation Capabilities
TOOLS vs CONTENT
OpenSCAP
SCAP ACRONYM: XCCDF •  eXtensible Configuration Checklist Description Format •  Human(ish) readable, format for configuration <Rule>s •  <Rule>s selected to form <Profile>s •  <refine-value>s
SCAP ACRONYM: OVAL •  Open Vulnerability and Assessment Language •  Specifies how to get information about system configuration •  Stores it in a structured, well defined format
XCCDF PROFILES •  Shipping as of 16-APR-2014: •  C2S: Commercial baseline derived from CIS v1.2.0 [1] (go google “Amazon C2S”…) •  CS2: RHEL6 baseline example for Intelligence Community •  CSCF: NRO’s Centralized Super Computer Facility (CSCF) Baseline (cross domain controls from CNSSI 1253) •  STIG: U.S. DoD RHEL6 baseline, produced by DISA FSO [1] https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.2.0.pdf
REMEDIATION CAPABILITIES •  Bash first <fix system="urn:xccdf:fix:script:sh"> yum -y install screen </fix>
REMEDIATION CAPABILITIES •  Bash first •  Soon(ish), puppet <fix-group id="puppet-clip” system="urn:xccdf:fix:script:puppet xmlns="http://checklists.nist.gov/xccdf/1.1"> <fix rule="disable_vsftp">class vsftp</fix> <fix rule="package_aide_installed">class aide</fix> </fix-group>
<result>Error</result> <rule-result idref="xccdf_moc.elpmaxe.www_rule_1”
 time="2013-03-22T19:15:11" weight="1.000000">
 
 " "<result>error</result>
 
 " "<message severity="info">
 " " "Fix execution comleted and returned: 1
 " "</message>
 
 " "<message severity="info">
 " " "Loaded plugins: auto-update-debuginfo, langpacks, presto, 
 " " "refresh-packagekit
 
 " " "You need to be root to perform this command.
 " "</message>
 </rule-result>"
<result>Fixed</result> <rule-result idref="xccdf_moc.elpmaxe.www_rule_1” time="2014-03-22T19:16:03" weight="1.000000"> <result>fixed</result> <message severity="info">Fix execution completed and returned: 0</message> <message severity="info"> …. Remove 1 Package Installed size: 53 k Downloading Packages: Running Transaction Check Running Transaction Test Transaction Test Succeeded Running Transaction Erasing : 1:telnet-server-0.17-51.fc16.x86_64 1/1 Verifying : 1:telnet-server-0.17-51.fc16.x86_64 1/1 Removed: telnet-server.x86_64 1:0.17-51.fc16 </message>
REMEDIATION REVIEW •  Bash first •  Soon(ish), puppet •  Reference Šimon Lukašík’s blog for a great write-up: http://isimluk.livejournal.com/3573.html •  Thank you Peter Vrabec & Martin Preisler for the work on OpenSCAP!
LIVE DEMO Patch & vuln. Scanning, configuration baseline scanning, Certification & Accreditation Paperwork Generation
ROADMAP Gov’t Initiatives, SSG Packaging, Future Profiles
Government Initiatives •  Continuous Diagnostics and Mitigations (CDM) http://www.dhs.gov/cdm •  SCAP path forward •  Evaluation + Configuration activities for Certification and Accreditation
RPM Packaging •  Currently in EPEL, both Fedora and RHEL (thank you, Jan Lieskovsky!) •  SSG scheduled to ship in RHEL 6.6 •  https://bugzilla.redhat.com/show_bug.cgi?id=1038655 •  RHEL 7 GA
SCAP + Anaconda Integration •  <fix> elements targeting installation process •  Kickstart support allowing specification of SCAP content •  UI screen(s) that provide ways to set values •  Project started as Vratislav Podzimek’s masters thesis http://is.muni.cz/th/324874/fi_m/?lang=en (thanks, Vratislav!) •  https://fedorahosted.org/oscap-anaconda-addon/
SCAP + Anaconda Integration ( 1 / 3)
SCAP + Anaconda Integration ( 2 / 3 )
SCAP + Anaconda Integration ( 3 / 3 )
SCAP Workbench GUI tool that serves as an SCAP scanner and provides tailoring functionality. Primary Goals: •  Lower the initial barrier of using SCAP. •  Great for hand-tuning content before enterprise deployment (e.g. via spacewalk/RHN Satellite) https://fedorahosted.org/scap-workbench/
SCAP Workbench ( 1 / 2 )
SCAP Workbench ( 2 / 2 )
38
SUPPLEMENTAL Helpful Links
Helpful Links (to community projects) •  SCAP Security Guide: https://fedorahosted.org/scap-security-guide/ •  OpenSCAP: http://open-scap.org/ •  OSCAP Anaconda: https://fedorahosted.org/oscap-anaconda-addon/ •  SCAP Workbench: https://fedorahosted.org/scap-workbench/
Helpful Links (to government baselines) •  DISA’s Security Technical Implementation Guides (STIGs) http://iase.disa.mil/stigs/ •  NIST National Checklist Program Repository http://web.nvd.nist.gov/view/ncp/repository •  NSA Security Configuration Guides http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/
Helpful Links (to communities of interest) •  Red Hat’s Government Security User Group (gov-sec) http://www.redhat.com/mailman/listinfo/gov-sec •  Military Open Source Software (Mil-OSS) http://mil-oss.org/
Replicating the Demo -  Assumes RHEL 6 and EPEL already enabled! -  Assumes httpd installed, DocumentRoot /var/www/html/ -  My IP was 10.211.55.3. Change as appropriate. -  This is meant to replicate the demo, not fully explain it. Come to Summit next year!
Step 1: Install $ yum install scap-security-guide $ rpm –ql scap-security-guide . . . /usr/share/doc/scap-security-guide-0.1/rhel6-guide.html . . . /usr/share/man/en/man8/scap-security-guide.8.gz . . . /usr/share/xml/scap/ssg/content . . . /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
Step 2: Review Prose Guide $ cp /usr/share/doc/scap-security-guide-0.1/*.html /var/www/html $ firefox http://10.211.55.3/rhel6-guide.html - Review “Check Procedure,” “Security Identifiers,” “References”
Step 3: JBoss, too! $ refox http://10.211.55.3/JBossEAP5_Guide.html
Step 4: XCCDF vs DATASTREAMS $ grep "<Profile" /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml <Profile id="xccdf_org.ssgproject.content_profile_CS2”> <Profile id="xccdf_org.ssgproject.content_profile_stig-rhel6-server-upstream"> $ grep "<Profile" /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml <Profile id="CS2”> <Profile id="stig-rhel6-server-upstream”>
Step 5: Run a scan! $ sudo oscap xccdf eval --profile C2S --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml --report /var/www/html/summit-report.html --results /var/www/html/summit-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml Console Output: •  Pass •  Fail •  “notchecked”: (a) not applicable; (b) no OVAL associated … and unclear which reason!
Step 6: HTML Results $ refox /var/www/html/summit-report.html
Step 6: HTML Results
Step 6: HTML Results
Step 7: XML Results $ refox /var/www/html/summit-results.xml /CCE-27024-9
Step 8: Remediation /CCE-27024-9 (ß type that again) note the <fix> tag!
Step 8: Remediation $ oscap xccdf generate x --result-id xccdf_org.open-scap_testresult_C2S /var/www/html/summit-results.xml > /var/www/html/summit-script.sh.txt

More Related Content

PDF
2014 04-03 xyratex event
byShawn Wells
 
PDF
2014-07-31 customer convergence applied scap
byShawn Wells
 
PPTX
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
byOWASP Kyiv
 
PPTX
Cloud Platform Symantec Meetup Nov 2014
byMiguel Zuniga
 
PDF
Monitoramento de Vulnerabilidades com Zabbix, RHEL e Yum Security Plugin
byAlessandro Silva
 
PPTX
InSpec Workshop DevSecCon 2017
byMandi Walls
 
PPTX
Securing Hadoop with OSSEC
byVic Hargrave
 
PPTX
Automating Post Exploitation with PowerShell
byEnclaveSecurity
 
2014 04-03 xyratex event
byShawn Wells
 
2014-07-31 customer convergence applied scap
byShawn Wells
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
byOWASP Kyiv
 
Cloud Platform Symantec Meetup Nov 2014
byMiguel Zuniga
 
Monitoramento de Vulnerabilidades com Zabbix, RHEL e Yum Security Plugin
byAlessandro Silva
 
InSpec Workshop DevSecCon 2017
byMandi Walls
 
Securing Hadoop with OSSEC
byVic Hargrave
 
Automating Post Exploitation with PowerShell
byEnclaveSecurity
 

What's hot

PDF
Nessus and Reporting Karma
byn|u - The Open Security Community
 
PDF
Linux Security, from Concept to Tooling
byMichael Boelen
 
PDF
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
byNGINX, Inc.
 
PDF
Learning Nagios module 1
byJayant Chutke
 
PPTX
An Introduction to PowerShell for Security Assessments
byEnclaveSecurity
 
PDF
Protecting confidential files using SE-Linux
byGiuseppe Paterno'
 
PPTX
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
byDevSecCon
 
PDF
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
PPTX
Hacked? Pray that the Attacker used PowerShell
byNikhil Mittal
 
PPTX
Purpose Driven Hunt (DerbyCon 2017)
byJared Atkinson
 
PDF
Rundeck Open Source Workflow Automation
byinovex GmbH
 
PPT
Creating Secure Applications
byguest879f38
 
PDF
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
byScott Sutherland
 
PPTX
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
bydrewz lin
 
PPTX
Secure360 - Extracting Password from Windows
byScott Sutherland
 
PDF
Attack All the Layers: What's Working during Pentests (OWASP NYC)
byScott Sutherland
 
PDF
OSMC 2021 | Use OpenSource monitoring for an Enterprise Grade Platform
byNETWAYS
 
PDF
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
byChris Gates
 
PPTX
OpenVAS: Vulnerability Assessment Scanner
byChandrak Trivedi
 
PPTX
Nagios Conference 2011 - Michael Medin - NSClient++: Whats New
byNagios
 
Nessus and Reporting Karma
byn|u - The Open Security Community
 
Linux Security, from Concept to Tooling
byMichael Boelen
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
byNGINX, Inc.
 
Learning Nagios module 1
byJayant Chutke
 
An Introduction to PowerShell for Security Assessments
byEnclaveSecurity
 
Protecting confidential files using SE-Linux
byGiuseppe Paterno'
 
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
byDevSecCon
 
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
Hacked? Pray that the Attacker used PowerShell
byNikhil Mittal
 
Purpose Driven Hunt (DerbyCon 2017)
byJared Atkinson
 
Rundeck Open Source Workflow Automation
byinovex GmbH
 
Creating Secure Applications
byguest879f38
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
byScott Sutherland
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
bydrewz lin
 
Secure360 - Extracting Password from Windows
byScott Sutherland
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
byScott Sutherland
 
OSMC 2021 | Use OpenSource monitoring for an Enterprise Grade Platform
byNETWAYS
 
Big Bang Theory: The Evolution of Pentesting High Security Enviroments IT Def...
byChris Gates
 
OpenVAS: Vulnerability Assessment Scanner
byChandrak Trivedi
 
Nagios Conference 2011 - Michael Medin - NSClient++: Whats New
byNagios
 

Similar to 2014 04-17 Applied SCAP, Red Hat Summit 2014

PDF
2016 -11-18 OpenSCAP Workshop Coursebook
byShawn Wells
 
PDF
2014-07-30 defense in depth scap workbook
byShawn Wells
 
PDF
2013-06-12 Compliance Made Easy, Red Hat Summit 2013
byShawn Wells
 
PPT
2016-08-18 Red Hat Partner Security Update
byShawn Wells
 
PDF
2013-03-25 SCAP Workshop Workbook
byShawn Wells
 
PDF
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
byShawn Wells
 
PDF
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
byShawn Wells
 
PDF
KVM_security
byFrank Caviggia
 
PDF
2016-08-29 AFITC Security Automation
byShawn Wells
 
PDF
SCAP for openSUSE
byKazuki Omo
 
PDF
Securing Infrastructure with OpenScap The Automation Way !!
byJaskaran Narula
 
PDF
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
PDF
OSC2023_security_automation_data.pdf
byMarcus Meissner
 
PDF
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
PDF
Puppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollective
byPuppet
 
PDF
2013-07-21 MITRE Developer Days - Red Hat SCAP Remediation
byShawn Wells
 
PDF
Vulnerability Assessment Report
byHarshit Singh Bhatia
 
PDF
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
byShawn Wells
 
PDF
2013-08-22 NSA System Security & Management
byShawn Wells
 
PDF
Implementing Secure DevOps on Public Cloud Platforms
byGaurav "GP" Pal
 
2016 -11-18 OpenSCAP Workshop Coursebook
byShawn Wells
 
2014-07-30 defense in depth scap workbook
byShawn Wells
 
2013-06-12 Compliance Made Easy, Red Hat Summit 2013
byShawn Wells
 
2016-08-18 Red Hat Partner Security Update
byShawn Wells
 
2013-03-25 SCAP Workshop Workbook
byShawn Wells
 
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
byShawn Wells
 
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
byShawn Wells
 
KVM_security
byFrank Caviggia
 
2016-08-29 AFITC Security Automation
byShawn Wells
 
SCAP for openSUSE
byKazuki Omo
 
Securing Infrastructure with OpenScap The Automation Way !!
byJaskaran Narula
 
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
OSC2023_security_automation_data.pdf
byMarcus Meissner
 
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
Puppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollective
byPuppet
 
2013-07-21 MITRE Developer Days - Red Hat SCAP Remediation
byShawn Wells
 
Vulnerability Assessment Report
byHarshit Singh Bhatia
 
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
byShawn Wells
 
2013-08-22 NSA System Security & Management
byShawn Wells
 
Implementing Secure DevOps on Public Cloud Platforms
byGaurav "GP" Pal
 

More from Shawn Wells

PDF
2017-10-10 AUSA 2017: Repeatable DCO Platforms
byShawn Wells
 
PDF
2017-07-12 GovLoop: New Era of Digital Security
byShawn Wells
 
PDF
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...
byShawn Wells
 
PDF
2017 02-17 rsac 2017 tech-f02
byShawn Wells
 
PDF
2017-02-21 AFCEA West Building Continuous Integration & Deployment (CI/CD) Pi...
byShawn Wells
 
PDF
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...
byShawn Wells
 
PDF
2015-11-15 - Supercomputing 2015 - Applied Cross Domain
byShawn Wells
 
PDF
2015-10-05 Fermilabs DevOps Alone in the Dark
byShawn Wells
 
PPTX
2015 06-12 DevOpsDC 2015 - Consumer to Collaborator
byShawn Wells
 
PDF
2015-01-27 ssa opening remarks
byShawn Wells
 
PDF
2014-12-16 defense news - shutdown the hackers
byShawn Wells
 
PDF
2014-05-08 IT Craftsmanship to IT Manufacturing
byShawn Wells
 
PDF
2014-04-28 cloud security frameworks and enforcement
byShawn Wells
 
PDF
2013-05-22 RedHatGov Partner Event
byShawn Wells
 
PDF
2013-04-03 Open Source Framework to Catch the Bad Guys
byShawn Wells
 
PDF
2012-08-21 NRO GED Industry Day
byShawn Wells
 
PDF
2012-03-15 What's New at Red Hat
byShawn Wells
 
PDF
2011-12-08 Red Hat Enterprise Virtualization for Desktops (RHEV VDI) with Cis...
byShawn Wells
 
2017-10-10 AUSA 2017: Repeatable DCO Platforms
byShawn Wells
 
2017-07-12 GovLoop: New Era of Digital Security
byShawn Wells
 
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...
byShawn Wells
 
2017 02-17 rsac 2017 tech-f02
byShawn Wells
 
2017-02-21 AFCEA West Building Continuous Integration & Deployment (CI/CD) Pi...
byShawn Wells
 
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...
byShawn Wells
 
2015-11-15 - Supercomputing 2015 - Applied Cross Domain
byShawn Wells
 
2015-10-05 Fermilabs DevOps Alone in the Dark
byShawn Wells
 
2015 06-12 DevOpsDC 2015 - Consumer to Collaborator
byShawn Wells
 
2015-01-27 ssa opening remarks
byShawn Wells
 
2014-12-16 defense news - shutdown the hackers
byShawn Wells
 
2014-05-08 IT Craftsmanship to IT Manufacturing
byShawn Wells
 
2014-04-28 cloud security frameworks and enforcement
byShawn Wells
 
2013-05-22 RedHatGov Partner Event
byShawn Wells
 
2013-04-03 Open Source Framework to Catch the Bad Guys
byShawn Wells
 
2012-08-21 NRO GED Industry Day
byShawn Wells
 
2012-03-15 What's New at Red Hat
byShawn Wells
 
2011-12-08 Red Hat Enterprise Virtualization for Desktops (RHEV VDI) with Cis...
byShawn Wells
 

Recently uploaded

PDF
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PPTX
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
PPTX
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel AraĂşjo
 
PDF
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel AraĂşjo
 
PDF
Mastering Zero-Allocation Parsers: A Deep Dive into High-Performance C#
byVineet Sharma
 
PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel AraĂşjo
 
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel AraĂşjo
 
Mastering Zero-Allocation Parsers: A Deep Dive into High-Performance C#
byVineet Sharma
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 

2014 04-17 Applied SCAP, Red Hat Summit 2014

  • 1.
    Applied SCAP Shawn Wells Director, InnovationPrograms Red Hat Public Sector shawn@redhat.com Jeff Blank Technical Director, Network Components & Applications Division, NSA Information Assurance Directorate blank@eclipse.ncsc.mil
  • 2.
    45 MINUTES, 3GOALS (+15 MIN Q&A) 1.  Detail Security Automation Technology + Initiatives •  Native Tooling [ OpenSCAP ] •  Configuration Compliance [ SCAP Security Guide ] •  Evolving Remediation Capabilities [ currently, bash + puppet ]
  • 3.
    45 MINUTES, 3GOALS (+15 MIN Q&A) 1.  Detail Security Automation Technology + Initiatives •  Native Tooling [ OpenSCAP ] •  Configuration Compliance [ SCAP Security Guide ] •  Evolving Remediation Capabilities [ currently, bash + puppet ] 2.  Live Demo •  Configuration Compliance Scanning •  Patch & Vulnerability Scanning •  Certification/Accreditation Paperwork Generation
  • 4.
    45 MINUTES, 3GOALS (+15 MIN Q&A) 1.  Detail Security Automation Technology + Initiatives •  Native Tooling [ OpenSCAP ] •  Configuration Compliance [ SCAP Security Guide ] •  Evolving Remediation Capabilities [ currently, bash + puppet ] 2.  Live Demo •  Configuration Compliance Scanning •  Patch & Vulnerability Scanning •  Certification/Accreditation Paperwork Generation 3.  Discuss Roadmap (Gov’t Plans, Packaging, Future Profiles)
  • 5.
    FIRST, AN SCAPPRIMER •  A family of specifications managed by NIST •  Really a bunch of XML schema •  which are data formats •  so not a protocol at all, it turns out •  openly defined, community developed, and evolving … So, what kind of data do these formats organize?
  • 6.
    FIRST, AN SCAPPRIMER •  Defines standardized formats … okay, but why bother? •  Because you’ll get: •  Standardized inputs (e.g. a compliance baseline, status query) •  Standardized outputs (results) •  Provides the enterprise liberty with regard to product choices •  Avoids vendor lock-in, enables interoperability •  Provides common technical position to vendors •  Federal procurement language requires SCAP support in some cases
  • 7.
  • 8.
  • 9.
    … has had2,408 commits from 36 contributors, representing 224,872 lines of code … took an estimated 43 years of effort (COCOMO model) … has become upstream for all Red Hat STIGs, NIST NVD for JBoss, NSA’s RHEL SNAC Guides In A Nutshell, SCAP Security Guide…
  • 10.
    “The consensus contentwas developed using an open source project called SCAP Security Guide. The project’s website is https://fedorahosted.org/scap-security-guide/. Except for differences in formatting to accommodate the DISA STIG publishing process, the content of the RHEL6 STIG should mirror the SCAP Security Guide content with only minor divergences as updates from multiple sources work through the consensus process” DISA STIG, Version 1, Release 2, Section 1.1:
  • 11.
    RHEL 5 STIG: RHEL6 STIG: RHEL 7 STIG:
  • 12.
    RHEL 5 STIG:1,988 DAYS RHEL 6 STIG: RHEL 7 STIG:
  • 13.
    RHEL 5 STIG:1,988 DAYS RHEL 6 STIG: 932 DAYS RHEL 7 STIG:
  • 14.
    RHEL 5 STIG:1,988 DAYS RHEL 6 STIG: 932 DAYS RHEL 7 STIG: +/- 90 DAYS
  • 15.
    TECH + INITIATIVES NativeTooling, Configuration Compliance, Evolving Remediation Capabilities
  • 16.
  • 17.
  • 18.
    SCAP ACRONYM: XCCDF • eXtensible Configuration Checklist Description Format •  Human(ish) readable, format for configuration <Rule>s •  <Rule>s selected to form <Profile>s •  <refine-value>s
  • 19.
    SCAP ACRONYM: OVAL • Open Vulnerability and Assessment Language •  Specifies how to get information about system configuration •  Stores it in a structured, well defined format
  • 20.
    XCCDF PROFILES •  Shippingas of 16-APR-2014: •  C2S: Commercial baseline derived from CIS v1.2.0 [1] (go google “Amazon C2S”…) •  CS2: RHEL6 baseline example for Intelligence Community •  CSCF: NRO’s Centralized Super Computer Facility (CSCF) Baseline (cross domain controls from CNSSI 1253) •  STIG: U.S. DoD RHEL6 baseline, produced by DISA FSO [1] https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.2.0.pdf
  • 21.
    REMEDIATION CAPABILITIES •  Bashfirst <fix system="urn:xccdf:fix:script:sh"> yum -y install screen </fix>
  • 22.
    REMEDIATION CAPABILITIES •  Bashfirst •  Soon(ish), puppet <fix-group id="puppet-clip” system="urn:xccdf:fix:script:puppet xmlns="http://checklists.nist.gov/xccdf/1.1"> <fix rule="disable_vsftp">class vsftp</fix> <fix rule="package_aide_installed">class aide</fix> </fix-group>
  • 23.
    <result>Error</result> <rule-result idref="xccdf_moc.elpmaxe.www_rule_1”
 time="2013-03-22T19:15:11" weight="1.000000">
 
 ""<result>error</result>
 
 " "<message severity="info">
 " " "Fix execution comleted and returned: 1
 " "</message>
 
 " "<message severity="info">
 " " "Loaded plugins: auto-update-debuginfo, langpacks, presto, 
 " " "refresh-packagekit
 
 " " "You need to be root to perform this command.
 " "</message>
 </rule-result>"
  • 24.
    <result>Fixed</result> <rule-result idref="xccdf_moc.elpmaxe.www_rule_1” time="2014-03-22T19:16:03"weight="1.000000"> <result>fixed</result> <message severity="info">Fix execution completed and returned: 0</message> <message severity="info"> …. Remove 1 Package Installed size: 53 k Downloading Packages: Running Transaction Check Running Transaction Test Transaction Test Succeeded Running Transaction Erasing : 1:telnet-server-0.17-51.fc16.x86_64 1/1 Verifying : 1:telnet-server-0.17-51.fc16.x86_64 1/1 Removed: telnet-server.x86_64 1:0.17-51.fc16 </message>
  • 25.
    REMEDIATION REVIEW •  Bashfirst •  Soon(ish), puppet •  Reference Šimon Lukašík’s blog for a great write-up: http://isimluk.livejournal.com/3573.html •  Thank you Peter Vrabec & Martin Preisler for the work on OpenSCAP!
  • 26.
    LIVE DEMO Patch &vuln. Scanning, configuration baseline scanning, Certification & Accreditation Paperwork Generation
  • 28.
    ROADMAP Gov’t Initiatives, SSGPackaging, Future Profiles
  • 29.
    Government Initiatives •  ContinuousDiagnostics and Mitigations (CDM) http://www.dhs.gov/cdm •  SCAP path forward •  Evaluation + Configuration activities for Certification and Accreditation
  • 30.
    RPM Packaging •  Currentlyin EPEL, both Fedora and RHEL (thank you, Jan Lieskovsky!) •  SSG scheduled to ship in RHEL 6.6 •  https://bugzilla.redhat.com/show_bug.cgi?id=1038655 •  RHEL 7 GA
  • 31.
    SCAP + AnacondaIntegration •  <fix> elements targeting installation process •  Kickstart support allowing specification of SCAP content •  UI screen(s) that provide ways to set values •  Project started as Vratislav Podzimek’s masters thesis http://is.muni.cz/th/324874/fi_m/?lang=en (thanks, Vratislav!) •  https://fedorahosted.org/oscap-anaconda-addon/
  • 32.
    SCAP + AnacondaIntegration ( 1 / 3)
  • 33.
    SCAP + AnacondaIntegration ( 2 / 3 )
  • 34.
    SCAP + AnacondaIntegration ( 3 / 3 )
  • 35.
    SCAP Workbench GUI toolthat serves as an SCAP scanner and provides tailoring functionality. Primary Goals: •  Lower the initial barrier of using SCAP. •  Great for hand-tuning content before enterprise deployment (e.g. via spacewalk/RHN Satellite) https://fedorahosted.org/scap-workbench/
  • 36.
  • 37.
  • 38.
  • 39.
  • 40.
    Helpful Links (tocommunity projects) •  SCAP Security Guide: https://fedorahosted.org/scap-security-guide/ •  OpenSCAP: http://open-scap.org/ •  OSCAP Anaconda: https://fedorahosted.org/oscap-anaconda-addon/ •  SCAP Workbench: https://fedorahosted.org/scap-workbench/
  • 41.
    Helpful Links (togovernment baselines) •  DISA’s Security Technical Implementation Guides (STIGs) http://iase.disa.mil/stigs/ •  NIST National Checklist Program Repository http://web.nvd.nist.gov/view/ncp/repository •  NSA Security Configuration Guides http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/
  • 42.
    Helpful Links (tocommunities of interest) •  Red Hat’s Government Security User Group (gov-sec) http://www.redhat.com/mailman/listinfo/gov-sec •  Military Open Source Software (Mil-OSS) http://mil-oss.org/
  • 43.
    Replicating the Demo - Assumes RHEL 6 and EPEL already enabled! -  Assumes httpd installed, DocumentRoot /var/www/html/ -  My IP was 10.211.55.3. Change as appropriate. -  This is meant to replicate the demo, not fully explain it. Come to Summit next year!
  • 44.
    Step 1: Install $yum install scap-security-guide $ rpm –ql scap-security-guide . . . /usr/share/doc/scap-security-guide-0.1/rhel6-guide.html . . . /usr/share/man/en/man8/scap-security-guide.8.gz . . . /usr/share/xml/scap/ssg/content . . . /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
  • 45.
    Step 2: ReviewProse Guide $ cp /usr/share/doc/scap-security-guide-0.1/*.html /var/www/html $ firefox http://10.211.55.3/rhel6-guide.html - Review “Check Procedure,” “Security Identifiers,” “References”
  • 46.
    Step 3: JBoss,too! $ refox http://10.211.55.3/JBossEAP5_Guide.html
  • 47.
    Step 4: XCCDFvs DATASTREAMS $ grep "<Profile" /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml <Profile id="xccdf_org.ssgproject.content_profile_CS2”> <Profile id="xccdf_org.ssgproject.content_profile_stig-rhel6-server-upstream"> $ grep "<Profile" /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml <Profile id="CS2”> <Profile id="stig-rhel6-server-upstream”>
  • 48.
    Step 5: Runa scan! $ sudo oscap xccdf eval --profile C2S --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml --report /var/www/html/summit-report.html --results /var/www/html/summit-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml Console Output: •  Pass •  Fail •  “notchecked”: (a) not applicable; (b) no OVAL associated … and unclear which reason!
  • 49.
    Step 6: HTMLResults $ refox /var/www/html/summit-report.html
  • 50.
    Step 6: HTMLResults
  • 51.
    Step 6: HTMLResults
  • 52.
    Step 7: XMLResults $ refox /var/www/html/summit-results.xml /CCE-27024-9
  • 53.
    Step 8: Remediation /CCE-27024-9(ß type that again) note the <fix> tag!
  • 54.
    Step 8: Remediation $oscap xccdf generate x --result-id xccdf_org.open-scap_testresult_C2S /var/www/html/summit-results.xml > /var/www/html/summit-script.sh.txt