SCAP & Remediation: Lessons Learned and Path Ahead

A presentation at MITRE Developer Day in July 2013 in McLean, VA, USA by Shawn Wells

Slide 1

SCAP & Remediation: Lessons Learned and Path Ahead
Shawn Wells, Director, Innovation Programs
unclass: shawn@redhat.com
(+1) 443-534-0130

Slide 2

RHEL5 STIG Delay: 1,988 days

Slide 3

RHEL5 STIG Delay: 1,988 days
RHEL6 STIG Delay: 932 days

Slide 4

SCAP Security Guide

Slide 5

In a Nutshell, SCAP Security Guide:
… has had 1,943 commits from 24 contributors, representing 164,355 lines of source

Slide 6

In a Nutshell, SCAP Security Guide:
… has had 1,943 commits from 24 contributors, representing 164,355 lines of source
… took an estimated 43 years of effort (COCOMO model)

Slide 7

In a Nutshell, SCAP Security Guide:
… has had 1,943 commits from 24 contributors, representing 164,355 lines of source
… took an estimated 43 years of effort (COCOMO model)
… has become upstream for the DISA RHEL6 STIG, NIST NVD for JBoss EAP, and an NSA SNAC guide in progress

Slide 8

60 MINUTES, 3 GOALS
[ 1 ] Review SCAP remediation initiatives @ Red Hat
[ 2 ] Demonstrate current capabilities (walk the code)
[ 3 ] Fedora 20 / RHEL7 Roadmap

Slide 9

Linking XCCDF + OVAL + Remediation

Slide 10

Step 1 / 3: XCCDF Short Hand

<Rule id=" " severity=" ">
  <title> </title>
  <description> </description>
  <ocil> </ocil>
  <rationale> </rationale>
  <ident cce=" " />
  <ref nist=" " disa=" " />
  <oval id=" " />
</Rule>

Slide 11

Step 1 / 3: XCCDF Short Hand

<Rule id=" " severity=" ">
  <title> </title>
  <description> </description>
  <ocil> </ocil>
  <rationale> </rationale>
  <ident cce=" " />
  <ref nist=" " disa=" " />
  <oval id=" " />
</Rule>

Slide 12

Step 2 / 3: OVAL Linking

OVAL is developed independently from XCCDF; the <oval id=""> tag matches the OVAL check filename:

$ ls RHEL6/input/checks/ ; echo "Total Checks: $(ls RHEL6/input/checks/ | wc -l)"
accounts_dangerous_path_for_root.xml          package_dovecot_removed.xml
accounts_disable_post_pw_expiration.xml       package_hal_removed.xml
accounts_max_concurrent_login_sessions.xml    package_httpd_removed.xml
accounts_maximum_age_login_defs.xml           package_iptables_installed.xml
accounts_minimum_age_login_defs.xml           package_iptables-ipv6_installed.xml
accounts_no_uid_except_zero.xml               package_iputils_removed.xml
accounts_pam_no_nullok.xml                    package_irqbalance_installed.xml
accounts_password_all_shadowed.xml            package_kexec-tools_removed.xml
accounts_password_minclass_login_defs.xml     package_libcgroup_removed.xml
accounts_password_minlen_login_defs.xml       package_mdadm_removed.xml
Total Checks: 342

Slide 13

Step 3 / 3: Remediation Linking

• Bash first

<fix system="urn:xccdf:fix:script:sh">
  yum -y install screen
</fix>

Slide 14

Step 3 / 3: Remediation Linking

• Bash first
• Someday Puppet

<fix-group id="puppet-clip" system="urn:xccdf:fix:script:puppet" xmlns="http://checklists.nist.gov/xccdf/1.1">
  <fix rule="disable_vsftp">class vsftp</fix>
  <fix rule="package_aide_installed">class aide</fix>
</fix-group>

Slide 15

Step 3 / 3: Remediation Linking

• Bash first
• Someday Puppet
• URNs via NIST IR 7275 Rev 4, Table 17

Slide 16

<Rule id="package_screen_installed" selected="false" severity="low">
  <title xml:lang="en-US">Install the screen Package</title>
  <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
    …
  </description>
  <reference href="http://iase.disa.mil/cci/index.html">58</reference>
  <reference xmlns:dc="http://purl.org/dc/elements/1.1/" href="test_attestation"> </reference>
  <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
    …
  </rationale>
  <ident system="http://cce.mitre.org">CCE-26940-7</ident>
  <fix system="urn:xccdf:fix:script:sh">
    yum -y install screen
  </fix>
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <check-content-ref name="oval:ssg:def:897" href="ssg-rhel6-oval.xml"/>
  </check>
  <check system="ocil-transitional">
    <check-export export-name="the package is not installed" value-id="conditional_clause"/>
    <check-content xmlns:xhtml="http://www.w3.org/1999/xhtml">
      …
    </check-content>
  </check>
</Rule>
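The three linking steps above (shorthand Rule, OVAL check matched by filename, bash fix) as an added example; this is not SCAP Security Guide's own build code. It assumes the convention the slides describe, that `<oval id="NAME"/>` must match a check file `NAME.xml` under input/checks/, and it expands the shorthand into the `<check>`/`<check-content-ref>` pair of the full Rule. The shorthand rules and the file list are constructed, and the `oval:ssg:def:N` numbering is a simplified stand-in for the build's own numbering of the combined OVAL file.

```python
"""Resolve the XCCDF-to-OVAL links of SSG-style shorthand rules.

Added example, not SCAP Security Guide's build scripts. Assumes the slide's
convention: <oval id="NAME"/> in a shorthand <Rule> must match NAME.xml under
input/checks/. The oval:ssg:def:N numbering is a simplified stand-in.
"""
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed shorthand XCCDF in the form of slide 10.
SHORTHAND_XCCDF = """\
<Group id="packages">
  <Rule id="package_screen_installed" severity="low">
    <title>Install the screen Package</title>
    <ident cce="CCE-26940-7" />
    <oval id="package_screen_installed" />
    <fix system="urn:xccdf:fix:script:sh">yum -y install screen</fix>
  </Rule>
  <Rule id="package_telnet-server_removed" severity="high">
    <title>Uninstall the telnet-server Package</title>
    <oval id="package_telnet-server_removed" />
    <fix system="urn:xccdf:fix:script:sh">yum -y remove telnet-server</fix>
  </Rule>
  <Rule id="accounts_no_uid_except_zero" severity="medium">
    <title>Verify Only Root Has UID 0</title>
    <oval id="accounts_no_uid_except_zero" />
  </Rule>
  <Rule id="no_check_yet" severity="low">
    <title>Rule whose OVAL check has not been written</title>
    <oval id="no_check_yet" />
  </Rule>
</Group>
"""

# Constructed stand-in for `ls RHEL6/input/checks/` (slide 12 shows the real list).
CHECK_FILES = [
    "accounts_no_uid_except_zero.xml",
    "package_screen_installed.xml",
    "package_telnet-server_removed.xml",
]


def link_rules(xccdf_text, check_files):
    """Map each Rule id to its check file, combined OVAL id and bash fix (or None)."""
    available = sorted(f[:-4] for f in check_files if f.endswith(".xml"))
    # stand-in for the build's numbering of the combined ssg-rhel6-oval.xml
    oval_ids = {name: f"oval:ssg:def:{n}" for n, name in enumerate(available, start=1)}
    linked = {}
    for rule in ET.fromstring(xccdf_text).iter("Rule"):
        oval = rule.find("oval")
        name = oval.get("id") if oval is not None else None
        fix = rule.find("fix")
        linked[rule.get("id")] = {
            "severity": rule.get("severity"),
            "check_file": f"{name}.xml" if name in oval_ids else None,
            "oval_id": oval_ids.get(name),
            "fix": fix.text.strip() if fix is not None and fix.text else None,
        }
    return linked


def unresolved(linked):
    """Rule ids whose <oval id> has no matching check file; a build should stop here."""
    return sorted(r for r, info in linked.items() if info["check_file"] is None)


def expand_check(linked, rule_id, oval_href="ssg-rhel6-oval.xml"):
    """Render the full <check> element of slide 16 for one linked rule."""
    info = linked[rule_id]
    if info["oval_id"] is None:
        raise KeyError(f"{rule_id}: no OVAL check to link")
    return (f'<check system="{OVAL_NS}">\n'
            f'  <check-content-ref name="{info["oval_id"]}" href="{oval_href}"/>\n'
            f'</check>')


if __name__ == "__main__":
    links = link_rules(SHORTHAND_XCCDF, CHECK_FILES)
    for rule_id in unresolved(links):
        print(f"unresolved OVAL link: {rule_id}")
    print(expand_check(links, "package_screen_installed"))
```

Run stand-alone it reports `no_check_yet` as unresolved and prints the expanded `<check>` for the screen rule. Rules without a `<fix>` (the UID 0 rule here) link fine but carry `None` for their fix, which is what a later remediation pass has to cope with.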

Slide 17

Inclusion of XCCDF Variables

• Approach authored by Jeff Blank (NSA)
• "Sourcing" an XCCDF variable in the bash script; the build process converts it to proper XCCDF
• Sample source (input/fixes/bash/set_system_login_banner.sh):

source ./templates/support.sh
populate login_banner_text
cat <<EOF >/etc/issue
$login_banner_text
EOF

Slide 18

Inclusion of XCCDF Variables

• Final XCCDF:

<Value id="login_banner_text" operator="equals" type="string">
  <title xml:lang="en-US">Login Banner Verbiage</title>
  <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
    ……………
  </description>
  <value selector="dod_short">
    I've read &amp; consent to terms in IS user agreem't.
  </value>
</Value>
……
<fix system="urn:xccdf:fix:script:sh">login_banner_text="<sub idref="login_banner_text"/>"
cat <<EOF >/etc/issue
$login_banner_text
EOF
</fix>

Slide 19

Inclusion of XCCDF Variables

• Remediation Script:

cat <<EOF >/etc/issue
I've read and consent to the terms in IS user agreem't
EOF
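The variable pipeline of slides 17 to 19 end to end, as an added example that is neither SSG's templates/support.sh nor OpenSCAP: the build step turns `populate NAME` into `NAME="<sub idref="NAME"/>"` inside a `<fix>`, and the evaluation step splices in the `<value>` chosen by the profile's selector (falling back to the selector-less default, as XCCDF specifies). The `populate` source is taken from the slides; the Benchmark fragment, the extra `usgcb_default` selector and the banner texts are constructed.

```python
"""Carry an XCCDF Value through a bash fix: build-time <sub> insertion, then
evaluation-time substitution.

Added example, not SSG's support.sh or OpenSCAP. Banner texts and the extra
selectors are constructed.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Source as an author writes it (form of input/fixes/bash/set_system_login_banner.sh).
BASH_SOURCE = """\
source ./templates/support.sh
populate login_banner_text
cat <<EOF >/etc/issue
$login_banner_text
EOF
"""

# Constructed Benchmark fragment: one Value with two selectors plus a
# selector-less default, which XCCDF uses when no refine-value applies.
BENCHMARK_VALUES = """\
<Benchmark>
  <Value id="login_banner_text" operator="equals" type="string">
    <title xml:lang="en-US">Login Banner Verbiage</title>
    <value selector="dod_short">I've read &amp; consent to terms in IS user agreem't.</value>
    <value selector="usgcb_default">This is a U.S. Government computer system (constructed).</value>
    <value>Authorized use only (constructed default).</value>
  </Value>
</Benchmark>
"""

POPULATE_RE = re.compile(r"^populate\s+(\w+)\s*$")


def bash_to_xccdf_fix(source):
    """Build step: drop the support.sh source line and turn each `populate X`
    into X="<sub idref="X"/>", escaping the rest so the script is valid XML."""
    out = []
    for line in source.splitlines():
        if line.startswith("source "):
            continue
        m = POPULATE_RE.match(line)
        if m:
            out.append(f'{m.group(1)}="<sub idref="{m.group(1)}"/>"')
        else:
            out.append(escape(line))
    return '<fix system="urn:xccdf:fix:script:sh">' + "\n".join(out) + "</fix>"


def select_value(value_el, selector):
    """Pick the <value> whose selector matches the profile's refine-value,
    else the selector-less default."""
    default = None
    for v in value_el.findall("value"):
        if v.get("selector") == selector:
            return v.text or ""
        if v.get("selector") is None:
            default = v.text or ""
    if default is None:
        raise KeyError(f'{value_el.get("id")}: no <value> for selector {selector!r}')
    return default


def resolve_fix(fix_xml, benchmark_xml, refinements):
    """Evaluation step: splice the chosen Value text into the <fix> where each
    <sub idref> sits, giving the script that would actually be run."""
    values = {v.get("id"): v for v in ET.fromstring(benchmark_xml).iter("Value")}
    fix = ET.fromstring(fix_xml)
    script = fix.text or ""
    for child in fix:
        if child.tag != "sub":
            raise ValueError(f"unexpected <{child.tag}> inside <fix>")
        idref = child.get("idref")
        script += select_value(values[idref], refinements.get(idref))
        script += child.tail or ""
    return script


if __name__ == "__main__":
    fix_xml = bash_to_xccdf_fix(BASH_SOURCE)
    print(fix_xml)
    print(resolve_fix(fix_xml, BENCHMARK_VALUES, {"login_banner_text": "dod_short"}))
```

Note the trust boundary this creates: the Value text is spliced verbatim into a shell script that runs as root, inside a double-quoted assignment, so a tailoring file is effectively code. Anything that supplies selectors or values from outside the content repository should be validated (or the text passed through `shlex.quote`) before substitution.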

Slide 20

Approach Limitations

• fixType data type for xccdf:fix elements [1] not automated (or even included):
  • complexity
  • disruption
  • reboot
  • ……
• "undo" specification?

[1] http://scap.nist.gov/specifications/xccdf/xccdf_element_dictionary.html#fixType

Slide 21

Online & Offline Remediation
(see Šimon Lukašík's blog for a great write-up: http://isimluk.livejournal.com/3573.html)

Slide 22

Online Remediation

$ oscap xccdf eval --remediate \
    --results ~/my-results-xccdf.xml \
    ~/my-policy-xccdf.xml

1. OpenSCAP will perform "first pass" evaluation
2. Upon failure, executes <fix> content
3. Returns "fixed" or "error" <result>
4. Command output logged

Slide 23

Offline Remediation

$ oscap xccdf generate fix \
    --result-id xccdf_org.openscap_testresult_stig-rhel6-server \
    /var/www/html/results/results.xml \
    > /tmp/remediation-script.sh

Slide 24

<result>error</result>

<rule-result idref="xccdf_moc.elpmaxe.www_rule_1" time="2013-03-22T19:15:11" weight="1.000000">
  <result>error</result>
  <message severity="info">Fix execution comleted and returned: 1</message>
  <message severity="info">
    Loaded plugins: auto-update-debuginfo, langpacks, presto, refresh-packagekit
    You need to be root to perform this command.
  </message>
  …
</rule-result>

Slide 25

<result>fixed</result>

<rule-result idref="xccdf_moc.elpmaxe.www_rule_1" time="2013-03-22T19:16:03" weight="1.000000">
  <result>fixed</result>
  <message severity="info">Fix execution comleted and returned: 0</message>
  <message severity="info">
    ….
    Remove 1 Package
    Installed size: 53 k
    Downloading Packages:
    Running Transaction Check
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Erasing    : 1:telnet-server-0.17-51.fc16.x86_64    1/1
      Verifying  : 1:telnet-server-0.17-51.fc16.x86_64    1/1
    Removed:
      telnet-server.x86_64 1:0.17-51.fc16
  </message>
</rule-result>
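The online loop of slides 22 to 25 (first-pass evaluation, run the `<fix>` on failure, record `fixed` or `error` together with the command output) and the offline `generate fix` path of slide 23, as an added simulation that is not OpenSCAP code. The system state, the three rules and their effects are constructed; each fix is a Python callable standing in for the bash in the rule's `<fix>`, with the bash text kept so the offline script can be emitted; the not-root failure reproduces the error on slide 24. The result semantics used here (`error` when the fix exits non-zero, `fixed` when it exits zero and the re-check passes, otherwise still `fail`) are this example's reading of the slides, not a statement about OpenSCAP internals.

```python
"""Simulated online remediation loop and offline fix-script generation.

Added example, not OpenSCAP code. The state, rule table and fix effects are
constructed; the fixed/error/fail semantics are an assumption (see lead-in).
"""
from xml.sax.saxutils import escape

# Constructed rule table: an OVAL-style check, the bash <fix> text and a
# callable that models what that bash does to the simulated system state.
RULES = [
    {
        "id": "xccdf_org.ssgproject.content_rule_package_telnet-server_removed",
        "check": lambda st: "telnet-server" not in st["packages"],
        "fix": "yum -y remove telnet-server",
        "apply": lambda st: st["packages"].discard("telnet-server"),
    },
    {
        "id": "xccdf_org.ssgproject.content_rule_package_screen_installed",
        "check": lambda st: "screen" in st["packages"],
        "fix": "yum -y install screen",
        "apply": lambda st: st["packages"].add("screen"),
    },
    {
        # a rule that ships no <fix>: evaluation can only report it
        "id": "xccdf_org.ssgproject.content_rule_service_telnet_disabled",
        "check": lambda st: "telnet" not in st["services"],
        "fix": None,
        "apply": None,
    },
]


def run_fix(rule, state):
    """Stand-in for executing <fix> content; returns (exit code, captured output)."""
    if not state["root"]:
        # same failure as slide 24: yum refuses to run unprivileged
        return 1, "You need to be root to perform this command."
    rule["apply"](state)
    return 0, f"ran: {rule['fix']}"


def evaluate(rules, state, remediate=False):
    """1) first-pass check, 2) on fail run the <fix> when remediating,
    3) record fixed / error / fail plus the fix's exit code and output."""
    results = []
    for rule in rules:
        entry = {"idref": rule["id"], "messages": [],
                 "result": "pass" if rule["check"](state) else "fail"}
        if entry["result"] == "fail" and remediate and rule["fix"]:
            code, output = run_fix(rule, state)
            entry["messages"] += [f"Fix execution completed and returned: {code}", output]
            if code != 0:
                entry["result"] = "error"
            elif rule["check"](state):
                entry["result"] = "fixed"
            # exit 0 but the re-check still fails: left as "fail"
        results.append(entry)
    return results


def generate_fix(rules, results, result_id):
    """Offline path: a bash script holding the <fix> of every failed rule."""
    fixes = {r["id"]: r["fix"] for r in rules}
    lines = ["#!/bin/bash", f"# remediation generated from {result_id}"]
    for entry in results:
        if entry["result"] in ("fail", "error") and fixes.get(entry["idref"]):
            lines += [f"# {entry['idref']}", fixes[entry["idref"]]]
    return "\n".join(lines) + "\n"


def rule_result_xml(entry, time="2013-03-22T19:16:03"):
    """Render one <rule-result> in the shape shown on slides 24 and 25."""
    msgs = "".join(f'\n  <message severity="info">{escape(m)}</message>'
                   for m in entry["messages"])
    return (f'<rule-result idref="{entry["idref"]}" time="{time}" weight="1.000000">'
            f'\n  <result>{entry["result"]}</result>{msgs}\n</rule-result>')


if __name__ == "__main__":
    for root in (False, True):
        state = {"root": root, "packages": {"telnet-server"}, "services": {"telnet"}}
        for entry in evaluate(RULES, state, remediate=True):
            print(rule_result_xml(entry))
    scan = evaluate(RULES, {"root": False, "packages": {"telnet-server"}, "services": set()})
    print(generate_fix(RULES, scan, "xccdf_org.openscap_testresult_stig-rhel6-server"))
```

Run as shown, the unprivileged pass yields `error` for both package rules and the root pass yields `fixed`; the service rule stays `fail` in both because it has no `<fix>`, which is the gap a reviewer of a generated script should look for. The offline script only carries fixes for rules that actually failed, so it is worth diffing against the results file before it is run as root.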

Slide 26

Fedora 20 / RHEL7 Roadmap ( Vimeo demo by Vratislav Podzimek @ http://vimeo.com/66085973 )

Slide 27

Remediation During Provisioning

Slide 28

Slide 29

Slide 30

THANK YOU!