Applied SCAP Lab: Automating Security Compliance & Remediation

A presentation at Defense in Depth Conference in September 2015 in Tysons, VA, USA by Shawn Wells

Slide 1

Applied SCAP Lab: Automating Security Compliance & Remediation

Shawn Wells, Office of the Chief Technologist, Director, Innovation Programs, Red Hat
Dave Smith, Infosec Engineer / Penetration Tester / OpenSCAP Upstream Maintainer, Secure Innovations, LLC

Slide 2

MOTIVATION

RHEL5 STIG (U.S. Military Baseline)
● 587 compliance items
● Many are manual

Avg Time to Configure & Verify Setting | 1 minute  | 3 minutes  | 5 minutes
Controls                               | × 587     | × 587      | × 587
Total Time per RHEL instance           | 9.7 hours | 29.4 hours | 48.9 hours

Slide 3

Slide 4

… or a single LOC in kickstart:

$ oscap xccdf eval \
    --profile rht-ccp \
    --remediate \
    --report /root/scan-report.html \
    /usr/share/xml/scap/content.xml

Slide 5

Slide 6

OUR (very ambitious) AGENDA
1. What’s the latest in the Security Automation space?
   a. Government & Commercial Initiatives
   b. Formal and Emerging SCAP Standards
2. What tools and content are available today?
   a. For enumerating (known) software vulnerabilities
   b. For assessing configuration

Slide 7

LABS
1. Install & Review SCAP profiles in RHEL 7
2. Performing a Compliance Scan
3. System Remediation
4. Creating Custom (derived) Configuration Baselines with SCAP Workbench
5. RHEL 7 “Easy Button” Installations

Slide 8

COMPLIANCE BIG PICTURE: PRODUCTS AND SYSTEMS

Slide 9

ACCREDITATION

SYSTEM VIEW            PRODUCT VIEW
System Controls        Product Mandates
Compliance Checklist   Product Evaluations
Report / Results       Certificates

Slide 10

SYSTEM VIEW OF ACCREDITATION
System Controls: NIST 800-53, FedRAMP, CNSSI 1253, PCI
Compliance Checklist
Report / Results

Slide 11

SYSTEM VIEW OF ACCREDITATION
System Controls
Compliance Checklist: DISA STIGs, NSA SNAC Guides, CIS Benchmarks
Report / Results

Slide 12

SYSTEM VIEW OF ACCREDITATION
System Controls
Compliance Checklist
Report / Results: Tenable Nessus, SECSCAN, SPAWAR SCC, OpenSCAP

Slide 13

PRODUCT VIEW OF ACCREDITATION
Product Mandates: Common Criteria, FIPS 140-2
Product Evaluations
Certificates

Slide 14

…. wait… what’s COMMON CRITERIA?
- an international framework for specifying and testing security functional and assurance requirements in IT products
- requirements are expressed through Protection Profiles (PPs)
- vendors implement and/or make claims about the security attributes of their products, and testing laboratories evaluate the products to determine whether they actually meet those claims

Slide 15

PRODUCT VIEW OF ACCREDITATION
Product Mandates
Product Evaluations: Operating System Protection Profile, Server Virtualization Protection Profile, FIPS Validation
Certificates

Slide 16

PRODUCT VIEW OF ACCREDITATION
Product Mandates
Product Evaluations
Certificates: NIAP Product Compliant List, FIPS Crypto Module Validation List

Slide 17

PRODUCT VIEW OF ACCREDITATION
Product Mandates
Product Evaluations: 1-2 years+, costly ($millions)
Certificates

Slide 18

Slide 19

COMMON CRITERIA - REVAMPED
● Requirements specified in Protection Profiles
  ■ see https://www.niap-ccevs.org
  ■ development on https://github.com/commoncriteria
  ■ revamped OS Protection Profile due this July
● Dramatically reduced evaluation time and cost
  ■ 90 days possible, 180 max
  ■ compliance checklist produced during evaluation (SCAP)
  ■ list of system controls provided for evaluated products

Slide 20

COMMON CRITERIA - REVAMPED
● DISA STIG creation through ~25 selectable “management functions”
● DoD-specific values expressed in DoD Annexes to Protection Profiles (succeeding SRGs)
● Remember…
  ■ RHEL5 STIG: 587 rules
  ■ RHEL6 STIG: ~255
  ■ RHEL.future STIG: est. < 100

Slide 21

ACCREDITATION

SYSTEM VIEW            PRODUCT VIEW
System Controls        Product Mandates
Compliance Checklist   Product Evaluations
Report / Results       Certificates

Slide 22

OPEN SOURCE CONFRONTS THE C&A CHALLENGE: SYSTEM COMPLIANCE

Slide 23

Community-created portfolio of tools and content to assess systems for known vulnerabilities.
https://github.com/OpenSCAP

Slide 24

2008  First commit to OpenSCAP, execution capability for SCAP on Linux
2011  First commit to SCAP Security Guide, hardening guidance + policy references (colloquially, “SCAP Content”)

Slide 25

Slide 26

Slide 27

Slide 28

Slide 29

Slide 30

Slide 31

Slide 32

Slide 33

Slide 34

DEMO #1: INSTALL, REVIEW PROFILES

Install OpenSCAP and SCAP content:
$ sudo yum install openscap-scanner scap-security-guide

What default profiles exist?
$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
….
Profiles:
    pci-dss
    rht-ccp
    common
    stig-rhel7-server-upstream
….

Slide 35

DEMO #2: REVIEW HARDENING GUIDES

Review the manpage:
$ man scap-security-guide

Review the HTML guides:
$ ls -l /usr/share/doc/scap-security-guide/rhel7-guide.html

Slide 36

DEMO #3: LOCAL SCAN, REVIEW RESULTS

Perform 1st scan (--results writes the machine-readable XCCDF results that the remediation step consumes; --report writes the HTML report for a browser):
$ sudo oscap xccdf eval --profile rht-ccp \
    --results /root/afternoon-results.xml \
    --report /root/afternoon-report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Review results:
$ ${web_browser} /root/afternoon-report.html

Slide 37

DEMO #4: REMEDIATION

Generate remediation scripts from results:
$ sudo oscap xccdf generate fix \
    --result-id xccdf_org.open-scap_testresult_rht-ccp \
    /root/afternoon-results.xml

Or, remediate automatically (be careful - no “undo”!):
$ sudo oscap xccdf eval --profile rht-ccp \
    --results /root/afternoon-results.xml \
    --report /root/afternoon-report.html \
    --remediate \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
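Between DEMO #3 and DEMO #4 the results XML is the hand-off: the scan writes it, and the remediation step is keyed on the TestResult id inside it. The script below is an added example (not from the slides or the OpenSCAP project) that reads an XCCDF 1.2 results file of that shape, tallies pass/fail per rule, lists the rules that still need remediation at or above a chosen severity, and assembles the `oscap xccdf generate fix` argv from the slide. The embedded XML is a constructed sample, not scanner output, and its rule ids are hypothetical; only the namespace and the result id `xccdf_org.open-scap_testresult_rht-ccp` are taken from the format and the slide.

```python
"""Summarize the XCCDF results written by `oscap xccdf eval --results ...`.

Added example, not part of the slides or of OpenSCAP itself. The sample
document below is constructed; its rule ids are hypothetical.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"      # XCCDF 1.2 namespace used by SSG content
NS = {"x": XCCDF_NS}
RESULT_ID = "xccdf_org.open-scap_testresult_rht-ccp"   # TestResult id shown on the DEMO #4 slide

# Constructed sample, NOT real scanner output: a real file carries the whole
# Benchmark plus one TestResult, but only the TestResult matters here.
SAMPLE_RESULTS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="{RESULT_ID}" start-time="2015-09-01T13:00:00" end-time="2015-09-01T13:02:10">
    <profile idref="xccdf_org.ssgproject.content_profile_rht-ccp"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_hypothetical_aide_installed" severity="medium" weight="1.0">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_hypothetical_sshd_root_login" severity="high" weight="1.0">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_hypothetical_password_minlen" severity="medium" weight="1.0">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_hypothetical_gdm_banner" severity="low" weight="1.0">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_hypothetical_auditd_enabled" severity="high" weight="1.0">
      <result>pass</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""

SEVERITY_RANK = {"unknown": 0, "info": 0, "low": 1, "medium": 2, "high": 3}


def parse_rule_results(xml_text, result_id=RESULT_ID):
    """Return {rule_id: (result, severity)} for the TestResult with the given id."""
    root = ET.fromstring(xml_text)
    for test_result in root.iter(f"{{{XCCDF_NS}}}TestResult"):
        if test_result.get("id") != result_id:
            continue
        results = {}
        for rr in test_result.findall("x:rule-result", NS):
            res = rr.find("x:result", NS)
            state = res.text.strip() if res is not None and res.text else "unknown"
            results[rr.get("idref")] = (state, rr.get("severity", "unknown"))
        return results
    raise ValueError(f"no TestResult with id {result_id!r}")


def summarize(results):
    """Count outcomes (pass / fail / notapplicable / error / ...) across all rules."""
    return Counter(state for state, _ in results.values())


def failing_rules(results, min_severity="low"):
    """Rule ids that failed or errored at or above min_severity, sorted for stable reports."""
    threshold = SEVERITY_RANK[min_severity]
    return sorted(
        rule_id
        for rule_id, (state, severity) in results.items()
        if state in ("fail", "error") and SEVERITY_RANK.get(severity, 0) >= threshold
    )


def score(xml_text, result_id=RESULT_ID):
    """Default XCCDF score the scanner recorded for that TestResult (None if absent)."""
    root = ET.fromstring(xml_text)
    for test_result in root.iter(f"{{{XCCDF_NS}}}TestResult"):
        if test_result.get("id") == result_id:
            s = test_result.find("x:score", NS)
            return float(s.text) if s is not None and s.text else None
    return None


def generate_fix_argv(results_path, result_id=RESULT_ID):
    """argv for the DEMO #4 step that turns a results file into a remediation script."""
    return ["oscap", "xccdf", "generate", "fix", "--result-id", result_id, results_path]


if __name__ == "__main__":
    rules = parse_rule_results(SAMPLE_RESULTS)
    print("summary:", dict(summarize(rules)))
    print("score:", score(SAMPLE_RESULTS))
    for rule_id in failing_rules(rules, "medium"):
        print("needs remediation:", rule_id)
    print(" ".join(generate_fix_argv("/root/afternoon-results.xml")))
```

Point `parse_rule_results` at the real `/root/afternoon-results.xml` from DEMO #3 to get the same tallies for a live scan; the severity filter is what lets you review the high-severity failures by hand before handing the whole result set to `--remediate`, which the slide notes has no undo.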

Slide 38

DEMO #5: SCAP WORKBENCH

Download SCAP Workbench:
$ sudo yum -y install scap-workbench

Much of this demo is live. For extra details, see https://open-scap.org