SW
Uploaded byShawn Wells
PDF, PPTX198 views

2014-07-31 customer convergence applied scap

This document outlines a presentation on applying SCAP (Security Content Automation Protocol) to automate security compliance and remediation. The presentation has three main goals: 1) detail security automation technology and initiatives like OpenSCAP, the SCAP Security Guide, and evolving remediation capabilities; 2) provide a live demo of configuration compliance scanning, patch and vulnerability scanning, and generating certification/accreditation paperwork; and 3) discuss the roadmap for government initiatives, SCAP packaging, and future profiles. The document provides an overview of the topics that will be covered in each section of the presentation.

Embed presentation

Download as PDF, PPTX
Applied SCAP: Automating Security Compliance and Remediation Shawn Wells Maintainer, SCAP Security Guide 31-JULY-2014
45 MINUTES, 3 GOALS (+15 MIN Q&A) 1.  Detail Security Automation Technology + Initiatives •  Native Tooling [ OpenSCAP ] •  Configuration Compliance [ SCAP Security Guide ] •  Evolving Remediation Capabilities [ currently, bash + puppet ]
45 MINUTES, 3 GOALS (+15 MIN Q&A) 1.  Detail Security Automation Technology + Initiatives •  Native Tooling [ OpenSCAP ] •  Configuration Compliance [ SCAP Security Guide ] •  Evolving Remediation Capabilities [ currently, bash + puppet ] 2.  Live Demo •  Configuration Compliance Scanning •  Patch & Vulnerability Scanning •  Certification/Accreditation Paperwork Generation
45 MINUTES, 3 GOALS (+15 MIN Q&A) 1.  Detail Security Automation Technology + Initiatives •  Native Tooling [ OpenSCAP ] •  Configuration Compliance [ SCAP Security Guide ] •  Evolving Remediation Capabilities [ currently, bash + puppet ] 2.  Live Demo •  Configuration Compliance Scanning •  Patch & Vulnerability Scanning •  Certification/Accreditation Paperwork Generation 3.  Discuss Roadmap (Gov’t Plans, Packaging, Future Profiles)
FIRST, AN SCAP PRIMER •  A family of specifications managed by NIST •  Really a bunch of XML schema •  which are data formats •  so not a protocol at all, it turns out •  openly defined, community developed, and evolving … So, what kind of data do these formats organize?
FIRST, AN SCAP PRIMER •  Defines standardized formats … okay, but why bother? •  Because you’ll get: •  Standardized inputs (e.g. a compliance baseline, status query) •  Standardized outputs (results) •  Provides the enterprise liberty with regard to product choices •  Avoids vendor lock-in, enables interoperability •  Provides common technical position to vendors •  Federal procurement language requires SCAP support in some cases
SCAP Security Guide https://fedorahosted.org/scap-security-guide/
Contributors Include…
… has had 2,408 commits from 36 contributors, representing 224,872 lines of code … took an estimated 43 years of effort (COCOMO model) … has become upstream for all Red Hat STIGs, NIST NVD for JBoss, NSA’s RHEL SNAC Guides In A Nutshell, SCAP Security Guide…
“The consensus content was developed using an open source project called SCAP Security Guide. The project’s website is https://fedorahosted.org/scap-security-guide/. Except for differences in formatting to accommodate the DISA STIG publishing process, the content of the RHEL6 STIG should mirror the SCAP Security Guide content with only minor divergences as updates from multiple sources work through the consensus process” DISA STIG, Version 1, Release 2, Section 1.1:
RHEL 5 STIG: RHEL 6 STIG: RHEL 7 STIG:
RHEL 5 STIG: 1,988 DAYS RHEL 6 STIG: RHEL 7 STIG:
RHEL 5 STIG: 1,988 DAYS RHEL 6 STIG: 932 DAYS RHEL 7 STIG:
RHEL 5 STIG: 1,988 DAYS RHEL 6 STIG: 932 DAYS RHEL 7 STIG: +/- 90 DAYS
TECH + INITIATIVES Native Tooling, Configuration Compliance, Evolving Remediation Capabilities
TOOLS vs CONTENT
OpenSCAP
SCAP ACRONYM: XCCDF •  eXtensible Configuration Checklist Description Format •  Human(ish) readable, format for configuration <Rule>s •  <Rule>s selected to form <Profile>s •  <refine-value>s
SCAP ACRONYM: OVAL •  Open Vulnerability and Assessment Language •  Specifies how to get information about system configuration •  Stores it in a structured, well defined format
XCCDF PROFILES •  Shipping as of 16-APR-2014: •  C2S: Commercial baseline derived from CIS v1.2.0 [1] (go google “Amazon C2S”…) •  CS2: RHEL6 baseline example for Intelligence Community •  CSCF: NRO’s Centralized Super Computer Facility (CSCF) Baseline (cross domain controls from CNSSI 1253) •  STIG: U.S. DoD RHEL6 baseline, produced by DISA FSO [1] https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.2.0.pdf
REMEDIATION CAPABILITIES •  Bash first <fix system="urn:xccdf:fix:script:sh"> yum -y install screen </fix>
REMEDIATION CAPABILITIES •  Bash first •  Soon(ish), puppet <fix-group id="puppet-clip” system="urn:xccdf:fix:script:puppet xmlns="http://checklists.nist.gov/xccdf/1.1"> <fix rule="disable_vsftp">class vsftp</fix> <fix rule="package_aide_installed">class aide</fix> </fix-group>
<result>Error</result> <rule-result idref="xccdf_moc.elpmaxe.www_rule_1”
 time="2013-03-22T19:15:11" weight="1.000000">
 
 " "<result>error</result>
 
 " "<message severity="info">
 " " "Fix execution comleted and returned: 1
 " "</message>
 
 " "<message severity="info">
 " " "Loaded plugins: auto-update-debuginfo, langpacks, presto, 
 " " "refresh-packagekit
 
 " " "You need to be root to perform this command.
 " "</message>
 </rule-result>"
<result>Fixed</result> <rule-result idref="xccdf_moc.elpmaxe.www_rule_1” time="2014-03-22T19:16:03" weight="1.000000"> <result>fixed</result> <message severity="info">Fix execution completed and returned: 0</message> <message severity="info"> …. Remove 1 Package Installed size: 53 k Downloading Packages: Running Transaction Check Running Transaction Test Transaction Test Succeeded Running Transaction Erasing : 1:telnet-server-0.17-51.fc16.x86_64 1/1 Verifying : 1:telnet-server-0.17-51.fc16.x86_64 1/1 Removed: telnet-server.x86_64 1:0.17-51.fc16 </message>
REMEDIATION REVIEW •  Bash first •  Soon(ish), puppet •  Reference Šimon Lukašík’s blog for a great write-up: http://isimluk.livejournal.com/3573.html •  Thank you Peter Vrabec & Martin Preisler for the work on OpenSCAP!
LIVE DEMO Patch & vuln. Scanning, configuration baseline scanning, Certification & Accreditation Paperwork Generation
ROADMAP Gov’t Initiatives, SSG Packaging, Future Profiles
Government Initiatives •  Continuous Diagnostics and Mitigations (CDM) http://www.dhs.gov/cdm •  SCAP path forward •  Evaluation + Configuration activities for Certification and Accreditation
RPM Packaging •  Currently in EPEL, both Fedora and RHEL (thank you, Jan Lieskovsky!) •  SSG scheduled to ship in RHEL 6.6 •  https://bugzilla.redhat.com/show_bug.cgi?id=1038655 •  RHEL 7 GA
SCAP + Anaconda Integration •  <fix> elements targeting installation process •  Kickstart support allowing specification of SCAP content •  UI screen(s) that provide ways to set values •  Project started as Vratislav Podzimek’s masters thesis http://is.muni.cz/th/324874/fi_m/?lang=en (thanks, Vratislav!) •  https://fedorahosted.org/oscap-anaconda-addon/
SCAP + Anaconda Integration ( 1 / 3)
SCAP + Anaconda Integration ( 2 / 3 )
SCAP + Anaconda Integration ( 3 / 3 )
SCAP Workbench GUI tool that serves as an SCAP scanner and provides tailoring functionality. Primary Goals: •  Lower the initial barrier of using SCAP. •  Great for hand-tuning content before enterprise deployment (e.g. via spacewalk/RHN Satellite) https://fedorahosted.org/scap-workbench/
SCAP Workbench ( 1 / 2 )
SCAP Workbench ( 2 / 2 )
37
SUPPLEMENTAL Helpful Links
Helpful Links (to community projects) •  SCAP Security Guide: https://fedorahosted.org/scap-security-guide/ •  OpenSCAP: http://open-scap.org/ •  OSCAP Anaconda: https://fedorahosted.org/oscap-anaconda-addon/ •  SCAP Workbench: https://fedorahosted.org/scap-workbench/
Helpful Links (to government baselines) •  DISA’s Security Technical Implementation Guides (STIGs) http://iase.disa.mil/stigs/ •  NIST National Checklist Program Repository http://web.nvd.nist.gov/view/ncp/repository •  NSA Security Configuration Guides http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/
Helpful Links (to communities of interest) •  Red Hat’s Government Security User Group (gov-sec) http://www.redhat.com/mailman/listinfo/gov-sec •  Military Open Source Software (Mil-OSS) http://mil-oss.org/
Replicating the Demo -  Assumes RHEL 6 and EPEL already enabled! -  Assumes httpd installed, DocumentRoot /var/www/html/ -  My IP was 10.211.55.3. Change as appropriate. -  This is meant to replicate the demo, not fully explain it. Come to Summit next year!
Step 1: Install $ yum install scap-security-guide $ rpm –ql scap-security-guide . . . /usr/share/doc/scap-security-guide-0.1/rhel6-guide.html . . . /usr/share/man/en/man8/scap-security-guide.8.gz . . . /usr/share/xml/scap/ssg/content . . . /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
Step 2: Review Prose Guide $ cp /usr/share/doc/scap-security-guide-0.1/*.html /var/www/html $ firefox http://10.211.55.3/rhel6-guide.html - Review “Check Procedure,” “Security Identifiers,” “References”
Step 3: JBoss, too! $ firefox http://10.211.55.3/JBossEAP5_Guide.html
Step 4: XCCDF vs DATASTREAMS $ grep "<Profile" /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml <Profile id="xccdf_org.ssgproject.content_profile_CS2”> <Profile id="xccdf_org.ssgproject.content_profile_stig-rhel6-server-upstream"> $ grep "<Profile" /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml <Profile id="CS2”> <Profile id="stig-rhel6-server-upstream”>
Step 5: Run a scan! $ sudo oscap xccdf eval --profile C2S --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml --report /var/www/html/summit-report.html --results /var/www/html/summit-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml Console Output: •  Pass •  Fail •  “notchecked”: (a) not applicable; (b) no OVAL associated … and unclear which reason!
Step 6: HTML Results $ firefox /var/www/html/summit-report.html
Step 6: HTML Results
Step 6: HTML Results
Step 7: XML Results $ firefox /var/www/html/summit-results.xml /CCE-27024-9
Step 8: Remediation /CCE-27024-9 (ß type that again) note the <fix> tag!
Step 8: Remediation $ oscap xccdf generate fix --result-id xccdf_org.open-scap_testresult_C2S /var/www/html/summit-results.xml > /var/www/html/summit-script.sh.txt

More Related Content

PDF
2014-07-30 defense in depth scap workbook
byShawn Wells
 
PDF
2016 -11-18 OpenSCAP Workshop Coursebook
byShawn Wells
 
PDF
2014 04-17 Applied SCAP, Red Hat Summit 2014
byShawn Wells
 
PDF
Securing Infrastructure with OpenScap The Automation Way !!
byJaskaran Narula
 
PDF
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
PDF
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
byShawn Wells
 
PDF
2016-08-29 AFITC Security Automation
byShawn Wells
 
PDF
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
2014-07-30 defense in depth scap workbook
byShawn Wells
 
2016 -11-18 OpenSCAP Workshop Coursebook
byShawn Wells
 
2014 04-17 Applied SCAP, Red Hat Summit 2014
byShawn Wells
 
Securing Infrastructure with OpenScap The Automation Way !!
byJaskaran Narula
 
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
byShawn Wells
 
2016-08-29 AFITC Security Automation
byShawn Wells
 
OpenSCAP Overview(security scanning for docker image and container)
byJooho Lee
 

What's hot

ODP
Automating OpenSCAP with Foreman
byszadok
 
PDF
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
byRootedCON
 
PDF
2013-07-21 MITRE Developer Days - Red Hat SCAP Remediation
byShawn Wells
 
PDF
Security on a Container Platform
byAll Things Open
 
PPTX
Getting Started with OpenStack Development
byRackspace
 
PDF
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
PPTX
InSpec Workshop DevSecCon 2017
byMandi Walls
 
PPTX
The Usual Suspects - Red Hat Developer Day 2012-11-01
byJorge Hidalgo
 
PDF
UKOUG Tech17 - Stay Secure With Oracle Solaris
byJomaSoft
 
PDF
Docker In Bank Unrated
byAleksandr Tarasov
 
PDF
Service Discovery. Spring Cloud Internals
byAleksandr Tarasov
 
PDF
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
byShawn Wells
 
PDF
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
PDF
Hardening solaris
byFemi Adeyemi
 
ODP
Tracking vulnerable JARs
byDavid Jorm
 
PPTX
DevOOPS: Attacks and Defenses for DevOps Toolchains
byChris Gates
 
PDF
Dev confus.2020 compliance operator
byjaormx
 
PDF
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
byCODE BLUE
 
PDF
Openstack bug list
byopenstackcisco
 
PDF
Docker In the Bank
byAleksandr Tarasov
 
Automating OpenSCAP with Foreman
byszadok
 
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
byRootedCON
 
2013-07-21 MITRE Developer Days - Red Hat SCAP Remediation
byShawn Wells
 
Security on a Container Platform
byAll Things Open
 
Getting Started with OpenStack Development
byRackspace
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
byDevSecCon
 
InSpec Workshop DevSecCon 2017
byMandi Walls
 
The Usual Suspects - Red Hat Developer Day 2012-11-01
byJorge Hidalgo
 
UKOUG Tech17 - Stay Secure With Oracle Solaris
byJomaSoft
 
Docker In Bank Unrated
byAleksandr Tarasov
 
Service Discovery. Spring Cloud Internals
byAleksandr Tarasov
 
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
byShawn Wells
 
Security Checkpoints in Agile SDLC
byRahul Raghavan
 
Hardening solaris
byFemi Adeyemi
 
Tracking vulnerable JARs
byDavid Jorm
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
byChris Gates
 
Dev confus.2020 compliance operator
byjaormx
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
byCODE BLUE
 
Openstack bug list
byopenstackcisco
 
Docker In the Bank
byAleksandr Tarasov
 

Viewers also liked

PDF
Business Development at St. Lawrence College 2017: A Corporate Community Inte...
bySmith School of Business, Queen's University
 
PDF
Business Development & St. Lawrence College - 2017 Review
bySmith School of Business, Queen's University
 
PPTX
Compliance y Reputación - Reputation Risks and Compliance
byHernan Huwyler, MBA CPA
 
PPTX
Compliance Risks
byHernan Huwyler, MBA CPA
 
DOCX
Mathew James Phillips Resume Feb 2017
byMathew J Phillips MBA
 
DOCX
CV Irene CAST 2017
byIrene Chivite
 
PPTX
Ppt final
byFiona Prioux
 
PPTX
Compliance Ambiental / Compliance Medio Ambiental
byHernan Huwyler, MBA CPA
 
PPTX
Lightning talk- testing
byNatasha Hull-Richter
 
DOCX
Soal askeb 2 iik 2016
byEllatyas Tejo Putri
 
PPTX
7. evaluation
byJack Bevens
 
PDF
Ud4 el presupuesto público y la intervención del estado en la economía
byDaniel Onorato Bravo
 
Business Development at St. Lawrence College 2017: A Corporate Community Inte...
bySmith School of Business, Queen's University
 
Business Development & St. Lawrence College - 2017 Review
bySmith School of Business, Queen's University
 
Compliance y Reputación - Reputation Risks and Compliance
byHernan Huwyler, MBA CPA
 
Compliance Risks
byHernan Huwyler, MBA CPA
 
Mathew James Phillips Resume Feb 2017
byMathew J Phillips MBA
 
CV Irene CAST 2017
byIrene Chivite
 
Ppt final
byFiona Prioux
 
Compliance Ambiental / Compliance Medio Ambiental
byHernan Huwyler, MBA CPA
 
Lightning talk- testing
byNatasha Hull-Richter
 
Soal askeb 2 iik 2016
byEllatyas Tejo Putri
 
7. evaluation
byJack Bevens
 
Ud4 el presupuesto público y la intervención del estado en la economía
byDaniel Onorato Bravo
 

Similar to 2014-07-31 customer convergence applied scap

PDF
2013-06-12 Compliance Made Easy, Red Hat Summit 2013
byShawn Wells
 
PPT
2016-08-18 Red Hat Partner Security Update
byShawn Wells
 
PDF
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
byShawn Wells
 
PDF
2013-03-25 SCAP Workshop Workbook
byShawn Wells
 
PDF
KVM_security
byFrank Caviggia
 
PDF
SCAP for openSUSE
byKazuki Omo
 
PDF
Puppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollective
byPuppet
 
PDF
OSC2023_security_automation_data.pdf
byMarcus Meissner
 
PDF
Vulnerability Assessment Report
byHarshit Singh Bhatia
 
PDF
Automating security compliance for physical, virtual, cloud, and container en...
byLucy Huh Kerner
 
PDF
2013-08-22 NSA System Security & Management
byShawn Wells
 
PPTX
Making Strong Security Easier
byFen Labalme
 
PDF
Implementing Secure DevOps on Public Cloud Platforms
byGaurav "GP" Pal
 
PDF
2017 Red Hat Summit Lab: Proactive security compliance automation with Red Ha...
byLucy Huh Kerner
 
PDF
OSDC 2017 | Do you trust your containers? by Erez Freiberger
byNETWAYS
 
PPT
scap_compliance_program_briefing_v4.ppt
bymaguette2
 
PDF
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
byShawn Wells
 
PPTX
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
byEric Vanderburg
 
PDF
Proactive monitoring tools or services - Open Source
byB.A.
 
PDF
Janice Singh - Writing Custom Nagios Plugins
byNagios
 
2013-06-12 Compliance Made Easy, Red Hat Summit 2013
byShawn Wells
 
2016-08-18 Red Hat Partner Security Update
byShawn Wells
 
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
byShawn Wells
 
2013-03-25 SCAP Workshop Workbook
byShawn Wells
 
KVM_security
byFrank Caviggia
 
SCAP for openSUSE
byKazuki Omo
 
Puppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollective
byPuppet
 
OSC2023_security_automation_data.pdf
byMarcus Meissner
 
Vulnerability Assessment Report
byHarshit Singh Bhatia
 
Automating security compliance for physical, virtual, cloud, and container en...
byLucy Huh Kerner
 
2013-08-22 NSA System Security & Management
byShawn Wells
 
Making Strong Security Easier
byFen Labalme
 
Implementing Secure DevOps on Public Cloud Platforms
byGaurav "GP" Pal
 
2017 Red Hat Summit Lab: Proactive security compliance automation with Red Ha...
byLucy Huh Kerner
 
OSDC 2017 | Do you trust your containers? by Erez Freiberger
byNETWAYS
 
scap_compliance_program_briefing_v4.ppt
bymaguette2
 
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
byShawn Wells
 
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
byEric Vanderburg
 
Proactive monitoring tools or services - Open Source
byB.A.
 
Janice Singh - Writing Custom Nagios Plugins
byNagios
 

More from Shawn Wells

PDF
2017-10-10 AUSA 2017: Repeatable DCO Platforms
byShawn Wells
 
PDF
2017-07-12 GovLoop: New Era of Digital Security
byShawn Wells
 
PDF
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...
byShawn Wells
 
PDF
2017 02-17 rsac 2017 tech-f02
byShawn Wells
 
PDF
2017-02-21 AFCEA West Building Continuous Integration & Deployment (CI/CD) Pi...
byShawn Wells
 
PDF
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...
byShawn Wells
 
PDF
2015-11-15 - Supercomputing 2015 - Applied Cross Domain
byShawn Wells
 
PDF
2015-10-05 Fermilabs DevOps Alone in the Dark
byShawn Wells
 
PPTX
2015 06-12 DevOpsDC 2015 - Consumer to Collaborator
byShawn Wells
 
PDF
2015-01-27 ssa opening remarks
byShawn Wells
 
PDF
2014-12-16 defense news - shutdown the hackers
byShawn Wells
 
PDF
2014-05-08 IT Craftsmanship to IT Manufacturing
byShawn Wells
 
PDF
2014-04-28 cloud security frameworks and enforcement
byShawn Wells
 
PDF
2014 04-03 xyratex event
byShawn Wells
 
PDF
2013-05-22 RedHatGov Partner Event
byShawn Wells
 
PDF
2013-04-03 Open Source Framework to Catch the Bad Guys
byShawn Wells
 
PDF
2012-08-21 NRO GED Industry Day
byShawn Wells
 
PDF
2012-03-15 What's New at Red Hat
byShawn Wells
 
PDF
2011-12-08 Red Hat Enterprise Virtualization for Desktops (RHEV VDI) with Cis...
byShawn Wells
 
2017-10-10 AUSA 2017: Repeatable DCO Platforms
byShawn Wells
 
2017-07-12 GovLoop: New Era of Digital Security
byShawn Wells
 
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...
byShawn Wells
 
2017 02-17 rsac 2017 tech-f02
byShawn Wells
 
2017-02-21 AFCEA West Building Continuous Integration & Deployment (CI/CD) Pi...
byShawn Wells
 
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...
byShawn Wells
 
2015-11-15 - Supercomputing 2015 - Applied Cross Domain
byShawn Wells
 
2015-10-05 Fermilabs DevOps Alone in the Dark
byShawn Wells
 
2015 06-12 DevOpsDC 2015 - Consumer to Collaborator
byShawn Wells
 
2015-01-27 ssa opening remarks
byShawn Wells
 
2014-12-16 defense news - shutdown the hackers
byShawn Wells
 
2014-05-08 IT Craftsmanship to IT Manufacturing
byShawn Wells
 
2014-04-28 cloud security frameworks and enforcement
byShawn Wells
 
2014 04-03 xyratex event
byShawn Wells
 
2013-05-22 RedHatGov Partner Event
byShawn Wells
 
2013-04-03 Open Source Framework to Catch the Bad Guys
byShawn Wells
 
2012-08-21 NRO GED Industry Day
byShawn Wells
 
2012-03-15 What's New at Red Hat
byShawn Wells
 
2011-12-08 Red Hat Enterprise Virtualization for Desktops (RHEV VDI) with Cis...
byShawn Wells
 

Recently uploaded

PDF
Red Hat Summit 2025 - Triton GPU Kernel programming.pdf
bySanjeev Rampal
 
PPTX
AI Clinic Management Software for Otolaryngology Clinics Bringing Precision, ...
byEasy Clinic
 
PDF
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
PDF
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
PDF
Operating System (OS) :UNIT-I Introduction to Operating System BCA SEP SEM-II...
byKuvempu University
 
PDF
From Boroughs to Browsers: Naresh Ramaiya’s Digital Journey
bynareshramaiyaus
 
PDF
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
PDF
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
PDF
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
PDF
API_SECURITY CONSULTANCY SERVICES IN USA
bydavidjohansen1597
 
PDF
Imed Eddine Bouchoucha | computer engineer | software Architect
byImed Bouchoucha
 
PDF
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 
PDF
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovicoBesana1
 
PPTX
application security presentation 2 by harman
byharmanideapad
 
PDF
Transforming Compliance Through Policy & Procedure Management
byInsurance Tech Services
 
PDF
KoderXpert – Odoo, Web & AI Solutions for Growing Businesses
byDhvanil Trivedi
 
PPTX
Application Security – Static Application Security Testing (SAST)
byLalit Jagotra
 
PPT
This-Project-Demonstrates-How-to-Create.ppt
byjayasuryanexinfo
 
PDF
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
PDF
Digitizing Banquet Management_ Why It Matters for Modern Hotels.pdf
byHotelogix
 
Red Hat Summit 2025 - Triton GPU Kernel programming.pdf
bySanjeev Rampal
 
AI Clinic Management Software for Otolaryngology Clinics Bringing Precision, ...
byEasy Clinic
 
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
Operating System (OS) :UNIT-I Introduction to Operating System BCA SEP SEM-II...
byKuvempu University
 
From Boroughs to Browsers: Naresh Ramaiya’s Digital Journey
bynareshramaiyaus
 
Database Management Systems(DBMS):UNIT-I Introduction to Database(DBMS) BCA S...
byKuvempu University
 
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
API_SECURITY CONSULTANCY SERVICES IN USA
bydavidjohansen1597
 
Imed Eddine Bouchoucha | computer engineer | software Architect
byImed Bouchoucha
 
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 
Blueprint to build quality before the code exists - StackConnect Milan 2025
byLudovicoBesana1
 
application security presentation 2 by harman
byharmanideapad
 
Transforming Compliance Through Policy & Procedure Management
byInsurance Tech Services
 
KoderXpert – Odoo, Web & AI Solutions for Growing Businesses
byDhvanil Trivedi
 
Application Security – Static Application Security Testing (SAST)
byLalit Jagotra
 
This-Project-Demonstrates-How-to-Create.ppt
byjayasuryanexinfo
 
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
Digitizing Banquet Management_ Why It Matters for Modern Hotels.pdf
byHotelogix
 

2014-07-31 customer convergence applied scap

  • 1.
    Applied SCAP: Automating SecurityCompliance and Remediation Shawn Wells Maintainer, SCAP Security Guide 31-JULY-2014
  • 2.
    45 MINUTES, 3GOALS (+15 MIN Q&A) 1.  Detail Security Automation Technology + Initiatives •  Native Tooling [ OpenSCAP ] •  Configuration Compliance [ SCAP Security Guide ] •  Evolving Remediation Capabilities [ currently, bash + puppet ]
  • 3.
    45 MINUTES, 3GOALS (+15 MIN Q&A) 1.  Detail Security Automation Technology + Initiatives •  Native Tooling [ OpenSCAP ] •  Configuration Compliance [ SCAP Security Guide ] •  Evolving Remediation Capabilities [ currently, bash + puppet ] 2.  Live Demo •  Configuration Compliance Scanning •  Patch & Vulnerability Scanning •  Certification/Accreditation Paperwork Generation
  • 4.
    45 MINUTES, 3GOALS (+15 MIN Q&A) 1.  Detail Security Automation Technology + Initiatives •  Native Tooling [ OpenSCAP ] •  Configuration Compliance [ SCAP Security Guide ] •  Evolving Remediation Capabilities [ currently, bash + puppet ] 2.  Live Demo •  Configuration Compliance Scanning •  Patch & Vulnerability Scanning •  Certification/Accreditation Paperwork Generation 3.  Discuss Roadmap (Gov’t Plans, Packaging, Future Profiles)
  • 5.
    FIRST, AN SCAPPRIMER •  A family of specifications managed by NIST •  Really a bunch of XML schema •  which are data formats •  so not a protocol at all, it turns out •  openly defined, community developed, and evolving … So, what kind of data do these formats organize?
  • 6.
    FIRST, AN SCAPPRIMER •  Defines standardized formats … okay, but why bother? •  Because you’ll get: •  Standardized inputs (e.g. a compliance baseline, status query) •  Standardized outputs (results) •  Provides the enterprise liberty with regard to product choices •  Avoids vendor lock-in, enables interoperability •  Provides common technical position to vendors •  Federal procurement language requires SCAP support in some cases
  • 7.
  • 8.
  • 9.
    … has had2,408 commits from 36 contributors, representing 224,872 lines of code … took an estimated 43 years of effort (COCOMO model) … has become upstream for all Red Hat STIGs, NIST NVD for JBoss, NSA’s RHEL SNAC Guides In A Nutshell, SCAP Security Guide…
  • 10.
    “The consensus contentwas developed using an open source project called SCAP Security Guide. The project’s website is https://fedorahosted.org/scap-security-guide/. Except for differences in formatting to accommodate the DISA STIG publishing process, the content of the RHEL6 STIG should mirror the SCAP Security Guide content with only minor divergences as updates from multiple sources work through the consensus process” DISA STIG, Version 1, Release 2, Section 1.1:
  • 11.
    RHEL 5 STIG: RHEL6 STIG: RHEL 7 STIG:
  • 12.
    RHEL 5 STIG:1,988 DAYS RHEL 6 STIG: RHEL 7 STIG:
  • 13.
    RHEL 5 STIG:1,988 DAYS RHEL 6 STIG: 932 DAYS RHEL 7 STIG:
  • 14.
    RHEL 5 STIG:1,988 DAYS RHEL 6 STIG: 932 DAYS RHEL 7 STIG: +/- 90 DAYS
  • 15.
    TECH + INITIATIVES NativeTooling, Configuration Compliance, Evolving Remediation Capabilities
  • 16.
  • 17.
  • 18.
    SCAP ACRONYM: XCCDF • eXtensible Configuration Checklist Description Format •  Human(ish) readable, format for configuration <Rule>s •  <Rule>s selected to form <Profile>s •  <refine-value>s
  • 19.
    SCAP ACRONYM: OVAL • Open Vulnerability and Assessment Language •  Specifies how to get information about system configuration •  Stores it in a structured, well defined format
  • 20.
    XCCDF PROFILES •  Shippingas of 16-APR-2014: •  C2S: Commercial baseline derived from CIS v1.2.0 [1] (go google “Amazon C2S”…) •  CS2: RHEL6 baseline example for Intelligence Community •  CSCF: NRO’s Centralized Super Computer Facility (CSCF) Baseline (cross domain controls from CNSSI 1253) •  STIG: U.S. DoD RHEL6 baseline, produced by DISA FSO [1] https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.2.0.pdf
  • 21.
    REMEDIATION CAPABILITIES •  Bashfirst <fix system="urn:xccdf:fix:script:sh"> yum -y install screen </fix>
  • 22.
    REMEDIATION CAPABILITIES •  Bashfirst •  Soon(ish), puppet <fix-group id="puppet-clip” system="urn:xccdf:fix:script:puppet xmlns="http://checklists.nist.gov/xccdf/1.1"> <fix rule="disable_vsftp">class vsftp</fix> <fix rule="package_aide_installed">class aide</fix> </fix-group>
  • 23.
    <result>Error</result> <rule-result idref="xccdf_moc.elpmaxe.www_rule_1”
 time="2013-03-22T19:15:11" weight="1.000000">
 
 ""<result>error</result>
 
 " "<message severity="info">
 " " "Fix execution comleted and returned: 1
 " "</message>
 
 " "<message severity="info">
 " " "Loaded plugins: auto-update-debuginfo, langpacks, presto, 
 " " "refresh-packagekit
 
 " " "You need to be root to perform this command.
 " "</message>
 </rule-result>"
  • 24.
    <result>Fixed</result> <rule-result idref="xccdf_moc.elpmaxe.www_rule_1” time="2014-03-22T19:16:03"weight="1.000000"> <result>fixed</result> <message severity="info">Fix execution completed and returned: 0</message> <message severity="info"> …. Remove 1 Package Installed size: 53 k Downloading Packages: Running Transaction Check Running Transaction Test Transaction Test Succeeded Running Transaction Erasing : 1:telnet-server-0.17-51.fc16.x86_64 1/1 Verifying : 1:telnet-server-0.17-51.fc16.x86_64 1/1 Removed: telnet-server.x86_64 1:0.17-51.fc16 </message>
  • 25.
    REMEDIATION REVIEW •  Bashfirst •  Soon(ish), puppet •  Reference Šimon Lukašík’s blog for a great write-up: http://isimluk.livejournal.com/3573.html •  Thank you Peter Vrabec & Martin Preisler for the work on OpenSCAP!
  • 26.
    LIVE DEMO Patch &vuln. Scanning, configuration baseline scanning, Certification & Accreditation Paperwork Generation
  • 27.
    ROADMAP Gov’t Initiatives, SSGPackaging, Future Profiles
  • 28.
    Government Initiatives •  ContinuousDiagnostics and Mitigations (CDM) http://www.dhs.gov/cdm •  SCAP path forward •  Evaluation + Configuration activities for Certification and Accreditation
  • 29.
    RPM Packaging •  Currentlyin EPEL, both Fedora and RHEL (thank you, Jan Lieskovsky!) •  SSG scheduled to ship in RHEL 6.6 •  https://bugzilla.redhat.com/show_bug.cgi?id=1038655 •  RHEL 7 GA
  • 30.
    SCAP + AnacondaIntegration •  <fix> elements targeting installation process •  Kickstart support allowing specification of SCAP content •  UI screen(s) that provide ways to set values •  Project started as Vratislav Podzimek’s masters thesis http://is.muni.cz/th/324874/fi_m/?lang=en (thanks, Vratislav!) •  https://fedorahosted.org/oscap-anaconda-addon/
  • 31.
    SCAP + AnacondaIntegration ( 1 / 3)
  • 32.
    SCAP + AnacondaIntegration ( 2 / 3 )
  • 33.
    SCAP + AnacondaIntegration ( 3 / 3 )
  • 34.
    SCAP Workbench GUI toolthat serves as an SCAP scanner and provides tailoring functionality. Primary Goals: •  Lower the initial barrier of using SCAP. •  Great for hand-tuning content before enterprise deployment (e.g. via spacewalk/RHN Satellite) https://fedorahosted.org/scap-workbench/
  • 35.
  • 36.
  • 37.
  • 38.
  • 39.
    Helpful Links (tocommunity projects) •  SCAP Security Guide: https://fedorahosted.org/scap-security-guide/ •  OpenSCAP: http://open-scap.org/ •  OSCAP Anaconda: https://fedorahosted.org/oscap-anaconda-addon/ •  SCAP Workbench: https://fedorahosted.org/scap-workbench/
  • 40.
    Helpful Links (togovernment baselines) •  DISA’s Security Technical Implementation Guides (STIGs) http://iase.disa.mil/stigs/ •  NIST National Checklist Program Repository http://web.nvd.nist.gov/view/ncp/repository •  NSA Security Configuration Guides http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/
  • 41.
    Helpful Links (tocommunities of interest) •  Red Hat’s Government Security User Group (gov-sec) http://www.redhat.com/mailman/listinfo/gov-sec •  Military Open Source Software (Mil-OSS) http://mil-oss.org/
  • 42.
    Replicating the Demo - Assumes RHEL 6 and EPEL already enabled! -  Assumes httpd installed, DocumentRoot /var/www/html/ -  My IP was 10.211.55.3. Change as appropriate. -  This is meant to replicate the demo, not fully explain it. Come to Summit next year!
  • 43.
    Step 1: Install $yum install scap-security-guide $ rpm –ql scap-security-guide . . . /usr/share/doc/scap-security-guide-0.1/rhel6-guide.html . . . /usr/share/man/en/man8/scap-security-guide.8.gz . . . /usr/share/xml/scap/ssg/content . . . /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
  • 44.
    Step 2: ReviewProse Guide $ cp /usr/share/doc/scap-security-guide-0.1/*.html /var/www/html $ firefox http://10.211.55.3/rhel6-guide.html - Review “Check Procedure,” “Security Identifiers,” “References”
  • 45.
    Step 3: JBoss,too! $ firefox http://10.211.55.3/JBossEAP5_Guide.html
  • 46.
    Step 4: XCCDFvs DATASTREAMS $ grep "<Profile" /usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml <Profile id="xccdf_org.ssgproject.content_profile_CS2”> <Profile id="xccdf_org.ssgproject.content_profile_stig-rhel6-server-upstream"> $ grep "<Profile" /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml <Profile id="CS2”> <Profile id="stig-rhel6-server-upstream”>
  • 47.
    Step 5: Runa scan! $ sudo oscap xccdf eval --profile C2S --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml --report /var/www/html/summit-report.html --results /var/www/html/summit-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml Console Output: •  Pass •  Fail •  “notchecked”: (a) not applicable; (b) no OVAL associated … and unclear which reason!
  • 48.
    Step 6: HTMLResults $ firefox /var/www/html/summit-report.html
  • 49.
    Step 6: HTMLResults
  • 50.
    Step 6: HTMLResults
  • 51.
    Step 7: XMLResults $ firefox /var/www/html/summit-results.xml /CCE-27024-9
  • 52.
    Step 8: Remediation /CCE-27024-9(ß type that again) note the <fix> tag!
  • 53.
    Step 8: Remediation $oscap xccdf generate fix --result-id xccdf_org.open-scap_testresult_C2S /var/www/html/summit-results.xml > /var/www/html/summit-script.sh.txt