Recommended
More Related Content
What's hot
What's hot (15)
Viewers also liked
Viewers also liked (16)
Similar to Osc2017 tokyo spring_soss_sig
Similar to Osc2017 tokyo spring_soss_sig (20)
More from Kazuki Omo
More from Kazuki Omo (10)
Recently uploaded
Osc2017 tokyo spring_soss_sig
- 2. 2 Who am I ? - Security Researcher/Engineer (17 years) - SELinux/MAC Evangelist (12 years) - Antivirus Engineer (3 years) - SIEM Engineer (3 years) - Linux Engineer (17 years)
- 4. 1. SCAP 2. Katello 3. AntiVirus/Malware 4. SELinux
- 5. SCAP
- 6. 6 SCAP (Security Content Automation Protocol) 目的 : 下記のための自動化の規約 - 脆弱性管理 - 脆弱性診断 - ポリシ・コンプライアンス評価
- 7. 7 SCAP コンポーネント SCAP Common Vulnerabilities and Exposures (CVE) Common Configuration Enumeration (CCE) Common Platform Enumeration (CPE) Common Weakness Enumeration (CWE) Common Vulnerability Scoring System (CVSS) Extensible Configuration Checklist Description Format (XCCDF) and so on…. Open Vulnerability and Assessment Language (OVAL) 言語 要素
- 8. 8 CVE: Common Vulnerabilities and Exposures CVE ID CPE Summary CVE-2016-6662 cpe:/a:mariadb:mariadb: 10.1.15 Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51- 38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. CVE-2016-6662 cpe:/a:mariadb:mariadb: 10.1.16 CVE-2016-2107 cpe:/o:redhat:enterprise _linux_server:7.0 Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data. CVE-2016-2107 cpe:/o:novell:leap:42.1 CVE-2016-2107 cpe:/o:novell:opensuse: 13.2 CVE-2016-4979 cpe:/a:apache:http_serv er:2.4.20 PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
- 9. 9 XCCDF: XML 形式の検査項目設定言語 OS の構成がどのようになっていなければならないかを記述 <Profile id="docker-host"> <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">Standard Docker Host Security Profile</title> <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system running the docker daemon. </description> <select idref="service_docker_enabled" selected="true"/> <select idref="enable_selinux_bootloader" selected="true"/> <select idref="selinux_state" selected="true"/> <select idref="selinux_policytype" selected="true"/> <select idref="docker_selinux_enabled" selected="true"/> <select idref="docker_storage_configured" selected="true"/> <select idref="remediation_functions" selected="false"/>
- 10. 10 OpenSCAP(OSS プロジェクト ) OpenSCAP: - 管理/監査のために様々なツールを提供 Tools: - OpenSCAP Base (oscap) - SCAP Workbench (GUI tool) - OpenSCAP Daemon - OSCAP Anaconda Add-on
- 11. 11 openscap を使った PC の検査 ( PCI-DSS v3 ) Demo!!
- 12. 12 openscap を使った PC の検査 ( PCI-DSS v3 ) Demo!!
- 17. AntiVirus
- 19. SELinux
- 22. Docker
- 23. アプライアンスでも設定されている
- 24. SELinuxの新機能・その他色々 ● CIL (新しいポリシー言語) ● RBACSEP ● RS/container + SELinux – Docker+SELinuxはある程度資料がある。 新しい動きがあったら直ぐに国内で展開 国内で面白い動きがあったら海外に展開
- 27. 結論