End-to-end OpenSCAP for automated compliance

Captions
All right, so it's 11:30 on the dot, so we'll get started. My name is Shawn Wells; I work in Public Sector's CTO office, and for this conversation I write a lot of the DoD STIGs and the baselines, and I'm also one of the maintainers of something called OpenSCAP, which is our strategy for security automation. We're really fortunate today to have Jeff of NSA join us. So, Jeff, thanks.

Thanks, Shawn. I'm a tech director for an office within NSA's Information Assurance Directorate, that's NSA's defensive mission, that does security analysis of operating systems and applications. We've invested a lot from the government side in trying to get industry interested in security automation by publishing a series of standards to that end, and I'm very happy to see this kind of uptake. Thanks.

Yeah, so today part of the idea is to really tell everybody what's the latest in security automation, both from the perspective of Red Hat as well as the perspective of the US government: what standards are coming, how Red Hat is implementing them. We'll define the RHEL 7 roadmap as well as the more nebulous RHEL future and RHEL 8, and what we're doing with that, including containers, and then also really talk about tools. So the second part of this conversation is going to be a series of demos, where, for those who came early, I'm compiling my demo and quickly scanning to make sure I didn't break anything. We'll go through and actually assess compliance on RHEL 7, answer questions like, if I want to take the US military baseline, how do I tailor it for my own needs and run a scan with that tailored content, both locally on the command line as well as through Satellite for a group of systems, and, assuming my demo doesn't break in the next 30 minutes, we'll also start doing introspective scanning of Docker containers. So you have a Docker registry and you want to scan everything for both configuration non-compliance, like PCI or HIPAA, as well as CVEs, binary Heartbleed, things like that.

So with that, one of the things we forgot to do last year was ask, by a show of hands, how many people are not government, like banks and finance? Holy crap, that's great, that's awesome. So in the past, this is the second year, it was always the spooks, people who didn't want to raise their hand from three-letter agencies, so we try and gauge how much commercial uptake there is. Are there really government, or maybe the contractors, raise your hand. So the idea then is we ask: if most people are more or less commercial, does anybody follow the government baselines like the DoD STIG? A little bit. Or how about PCI compliance? Much more. So we will tailor the demos basically to do PCI compliance over a DoD STIG, and we'll keep asking questions like that. So we've got some demos, we'll talk about the roadmap. What other kinds of things do you guys want to see, since you're all here for a reason? C2S, okay, so there's a profile that's inspired by the Center for Internet Security that's directly applicable. Thank you. All right, so let's get it rolling. I guess you have to point it directly, like two feet away.

So with that we have some use cases. We'll get into SCAP, but we really have more or less three or four problem areas that we're trying to solve. The first that we've mentioned is configuration management: are my passwords the right length, do I have crypto enabled appropriately? Then we also want to talk about vulnerability attestations, so known software flaws, things that have a CVE or a Red Hat security errata. I want to go ahead and scan and know if these apply to me, whether it's bare metal, virtual, container, we don't care. And then there's also the ability to start doing things like system inventory management: what operating systems do I have installed, and do they have any known malware? The malware detection is an evolving space, so I want to precondition everybody to say that's where we're talking about what we're planning on doing for RHEL next and RHEL 8, not necessarily for RHEL 7, so that's more of a conversational topic. With that I'll turn it over to Jeff.

Thanks, Shawn, that's great. So yeah, as everybody probably knows, SCAP stands for the Security Content Automation Protocol. Funnily enough, it's not actually a protocol; it's actually a series of data formats that are all defined in XML, although more later on about that becoming a network protocol. But the real point is that the government felt there was a serious need for having standardized formats for expressing this kind of information. I'll get into all the exact ones in the next slide, but the general idea is that if you have a series of standardized inputs which are flexible depending on your security needs, like compliance baselines or status queries about software inventory or that kind of thing, you should be able to get standardized outputs from the system. Originally at least, the thought was that you could do this with a variety of third-party tools, they would all be consistent, and in fact NIST has a validation program trying to ensure consistency there, although I'll talk more later about what the government strategy is there with regard to endpoints and third-party tools. But the nice thing about SCAP today is that you could have one compliance baseline and you should still be able to expect that a variety of tools that you have installed on your endpoint can provide the same basic results based on the information that they're after. It gives you some interoperability, at least in a sense, as to data in, data out, and it should allow you to avoid vendor lock-in: you don't need to make some sort of specialized language tied to your requirements, you should be able to select whatever tool is best for your use at that time.

And then backing that up, of course, there is federal procurement language requiring SCAP in some cases. There was an OMB memo a few years back that was the first one, and right now DHS has this large effort called Continuous Diagnostics and Mitigation that they're working on. It used to be continuous diagnostics and monitoring, but monitoring has a bad connotation, especially if we're anywhere involved, so now it's diagnostics and mitigation. So, try the button that looks like a right arrow. Oh, good call, thanks.

So what's in SCAP? Again, Security Content Automation Protocol. The foundational one that's probably the closest to what a human sees in day-to-day life is XCCDF, which stands for Extensible Configuration Checklist Document Format. This is essentially the security guide, just in an XML format, in a consistent XML schema. For the most part it's just a series of rules that you want to check compliance against. There are individual items there that you'd expect, like title, the actual description text, and then references there to some kind of external checking system, which brings me to the next slide. Two feet away... too far. So XCCDF contains the configuration checklist that you've got, and that can be rendered, as Shawn will show later, in HTML using any stylesheet. Some stylesheets are prettier than others; the Red Hat one looks pretty good, I think. And then of course in XCCDF each rule that specifies what you're actually trying to look for in your compliance baseline can refer to either an OVAL schema or OCIL. So OVAL is Open Vulnerability Assessment Language; that's also an XML schema that instructs an OVAL interpreter how to look inside the system and determine whether the setting that you're after is actually set the right way. OCIL is Open Content Interactive Language, I think, probably, and that's designed for doing questionnaires, things like that. I mean, there are some settings about a system that simply can't be automated in some way, stuff regarding the BIOS maybe, things about physical protection, so OCIL was invented for that reason. And by the way, these are all open specifications managed by NIST, often historically with the support of MITRE.

And then there is what I'd say is the enumerations layer, which exists to let you know what is actually there. CCE is Common Configuration Enumeration; it basically just gives you a numerical identifier for the kind of setting you're checking for. Just as an easy example, password length: for each version of RHEL there would be an identifier, just an identifier, purely to let you know you're talking about password length, let's say inside one of the configuration files. That's CCE. CPE is Common Platform Enumeration. I'll talk a little bit later about how that's getting replaced with software ID tags; this is all in motion of course. But CPE is, let's give unique identifiers for the actual piece of software, or indeed the OS platform, so that's there just as a common identifier so that you know you're talking about a particular thing. And CVE, finally, everyone is very familiar with, and it was very successful in establishing identifiers for a particular vulnerability in a particular product, and that's Common Vulnerabilities and Exposures, CVE. So, a lot of acronyms. And then of course CVSS is the Common Vulnerability Scoring System, which has, unfortunately from my perspective, the issue that it is frequently scrunched down into one number, but there really are six different fields, like access vector and other types of severity, that give you a good description about what the bug actually means.

So yeah, what it really distills to is it allows us to create a human-readable prose guide that says set your passwords, set your crypto, set your disks in the following way, and that's that checklist language. The OVAL is just machine code that allows us to do red light, green light, pass or fail. But if we write content for, say, Apache to make sure all of our Apache hosts have PKI enabled, I can write a regex to query the Apache config file, and that same content can be used in the Red Hat tooling or Tripwire or Splunk, so that's a benefit there. It also can be cross-platform, so I can give you one security checklist that will work on, say, Mac, Linux, and Windows, so it allows us to standardize that. And then that risk measurement: one of the things is, all right, so I write a security checklist for PCI compliance, but how do I know what's more important, how do I know if this is a high severity or low severity? That's the risk measurement, so now we can pair a little bit of intelligence of risk score with your checklist, so it's not just pass or fail, it's you fail and this is remotely exploitable, so it's super severe, or you fail but you already have to be root to exploit this, so maybe you don't care as much. So that's kind of all of these protocols in a language. Sounds good, thanks.

And so, being here from the government, I'll give you a quick take on the government on these things. I mean, there are two big US government evaluation programs that everybody's probably heard of. One is NIST's FIPS 140 program for evaluating cryptographic modules, and the other one is Common Criteria, which is executed by NIAP, which is the National Information Assurance Partnership, which has to do with expressing the IA functionality requirements in products. Vendors, I guess, actively seek both of these evaluations as a way of letting their government customers know that in fact they've met the government's requirements. NIAP evaluation is required for use in US national security systems, while of course FIPS is required for protecting sensitive information on any US federal information system, and in fact NIST even says that if it hasn't gone through FIPS they don't assign any value to whatever encryption might be happening. And both of them have provenance in policies of the federal government. For example, NIAP evaluation is required through CNSS Policy 11 for use in national security systems, and FIPS has a basis in the Federal Information Security Management Act of 2002 and I think the 1996 IT Management Reform Act. I'm probably getting them a little bit wrong, but there's a strong policy basis and legal basis for both of these.

So since we're talking to largely commercial folks, how many people know what Common Criteria is? Just more than we thought. We're going to keep mentioning it, so it's probably worth a couple minutes. The idea is, when Red Hat makes a claim that says something like, we page data into memory and then when you deallocate it we swap it out and zero that memory out. So we make this claim that I can page data into memory and page it out, and when I page it out Red Hat erases it so there's no residual data left. We make this security claim; what Common Criteria does is they actually take a look at our source code to make sure this security claim is implemented correctly, as well as functionally attested, so, like, yes, you're doing the 14-way wipe: wipe it with zeros, wipe it with randoms, wipe it with zeros and repeat. Or whether it's something like our claims about SELinux, and how if we apply a label to JBoss and a label to Oracle we can say they don't talk, the NSA actually goes in with a third-party lab and verifies.

Well, yeah, they don't; it's a program office that is run by NSA and uses accredited third-party test labs, because that's the only way to make evaluation activities scale. But the final validation does come to the NIAP office and they see, oh yes, in fact this testing did occur and it meets the requirements that were defined in the protection profile.

So the other reason why I mention these things, and it has to do with security automation, first off is that Common Criteria evaluations are now down to about 90 days for many product types, and we've recently revamped that in the OS space. Previously OS evaluations, and Red Hat has one underway, did take on the order of almost two years, which just doesn't really keep pace with industry in any way, seriously. So we did release a completely revamped OS protection profile late last year; one vendor has already gone through evaluation, so at least consider that proof that it's possible, right? And we look forward to working with Red Hat for evaluations of future versions of RHEL against that particular protection profile in a very timely manner. The other thing we're doing that I think is great, and I did some policy and legal work internally to get permission for, is developing the protection profile documents, which are the actual requirements, on GitHub. It's right there, people can go see it if they like. But how this relates to security automation is that we're encouraging the development of administrative guidance as part of those formal evaluations, also in SCAP. It's just one more way for us to reinforce the fact that we care about security automation and that we want guidance to be ideally created by the vendor in accordance with the government's requirements for its format. One of the other things we're doing that I know a lot of folks, mostly in the government, care about is providing NIST 800-53 tables, so that if a Common Criteria evaluation has occurred for the product, it'll help you satisfy these security controls for your overall network. That supports risk management framework based accreditation processes, which are common in the government right now and unfortunately I think frequently misunderstood, but that's an entirely different talk. It's a good idea. So unfortunately today the product evaluation and hardening guidance are frequently developed separately. People confuse them: what does it mean, for example, if I have a STIG, has the product been evaluated? Well, maybe, maybe not. But we're hoping for ever tighter integration, especially within government, for those two things to march along together and to support automation. Thanks.

So right now SCAP is defined in that series of specifications that I mentioned; it's at version 1.2 and it's all just data formats. I mean, that's useful, but it's not where we really could be. So SCAP 2.0, which isn't out yet, and it could be possibly a year or two, is working on adding messaging protocols for data transport over the network. The primary group doing that work is in the IETF, and they have a Security Automation and Continuous Monitoring working group, or SACM; people might say IETF SACM. There's heavy NSA and DHS and NIST participation in that working group, along with a lot of folks in industry. The real point of this is that it'll give you interoperability at the network layer. So right now, network devices and endpoints like Red Hat Enterprise Linux systems, if they want to talk elsewhere in the network and provide their assessment results or information about their security state, who knows what would happen; they would talk to probably some kind of vertically integrated system. In this case Satellite is provided by Red Hat, and of course Satellite knows how to talk to Red Hat hosts, but can Satellite ask network infrastructure devices like routers and switches anything about their security state? If so, it's not based on any kind of open standard that's already published, right? So this is designed, for the first time, to give interoperability between all the different nodes on our network, and it's based on a lot of Trusted Computing Group work in the past, so you'll probably easily find announcements about how the Trusted Computing Group's Trusted Network Connect and Network Endpoint Assessment protocols are going to be the basis for SCAP 2.0.

So what would you say is a sample use case of all of this? Like, how would people use it? You boot and then what? Well, I mean, the idea, sort of getting to the third bullet point there, is you should be able to get any network endpoint, like a PC or server or network infrastructure device, and just out of the box it should be able to tell the enterprise some information about its security state. Part of the idea, where we're getting at, is let's say you have OpenStack and you blow out like 30 nodes of a web server and some database servers. It would be wonderful if we could build logic into OpenStack or OpenShift or other management tools like CloudForms that say things like, are all of my endpoints PCI compliant? Let me do a couple seconds of a scan; if yes, allow them on the network, if no, let an admin know. So that's kind of it: from the power button being pressed, then we measure the BIOS, make sure there wasn't a rogue USB device inserted, then we measure the operating system boot and make sure device drivers are signed and you have the right modules, and then we do the configuration check, like PCI or a DoD STIG, and all of these things have to pass before you're allowed to fully boot into an interactive mode or just get an IP address. So is that kind of workflow interesting? Okay. So this big vision, it's not gonna happen overnight, but people are working on it and it certainly is the government strategy for that to be where we end up.

And then one other quick mention here, also as part of that effort: we mentioned Common Platform Enumeration earlier as being the identifier for pieces of software, like individual software packages, for example in Red Hat's case RPMs, or an OS platform itself. So CPE, if you've seen its webpage lately, it's clear that it's a dwindling effort at this point. It's still valid and everything, but it's going to be replaced by software ID tags, which is an ISO standard for identifying software; it includes cryptographic measures also. So that's just one more example of the way this is active and changing going forward. And so the other related question is, well, how about the baselines themselves, right? And so, Red Hat, Shawn, you may want to talk about this actually, with regard to the federal civilian use case.

Yeah, so one of the things we've ended up doing is, as Jeff mentioned, the expectation is that the vendor will offer configuration guidance for their products, so like a security guide for RHEL, a security guide for JBoss, and so forth. What we've ended up doing, and we'll show it in a minute, is throwing all of that development into an open source project on GitHub, and it kind of invited industry, academia, and government to create a catalog of security controls, so like all the different nerd knobs that we can think of that are security relevant, and document how to verify them, how to set them, what their impact might be, like if you turn this control setting you're going to break your web server. So documenting this hierarchy of needs, if you will, and out of that big catalog we derive baselines. So we go to the government and say, hey, federal civilian, here's a big catalog based on the requirements you gave us; we're going to group 200 security checks into the US government baseline. Do you agree that it's comprehensive? Do you agree we've included everything that you think should be there? And we do that for the civilians like FBI, Department of Energy, and we also do that for the intelligence or national security systems, with the military, what's called a DoD STIG, DoD security guide. So what we've ended up doing is we're actually going to show, for the military guys, the pre-release RHEL 7 STIG; I know there's a lot of questions about that. And then we also, just last week, one of the Red Hat solution architects wrote the baseline for Department of Justice, so it's how to house and handle criminal data, like evidence that needs to be submitted in court. So we open source all of these. PCI compliance is one, a CIS baseline for those commercial guys, and as of about two weeks ago we got our content validated by NIST. So again it's that third-party auditing that says, if we make a claim for 30-character passwords, it fails when they're set to five and it passes when they're set to 40. So that's super and sub compliance testing, and then they also do a limited amount of false positives. So we did our release last week and that's what I'm going to show for the demos.

Yeah, and so USGCB is the US Government Configuration Baseline, which is a program run by NIST that vendors can submit security guidance for, and then once it passes a series of validations by NIST it can be considered the US government security configuration baseline for that product. And Red Hat has submitted that to NIST and passed. Okay, great. And so it should be available, if it's not up, it should be available on this website shortly for federal agencies, and it's fully automated, everything. And of course for national security systems NSA is involved in the security guidance business again and will be working with our partners at DISA on automation and approval. And like Shawn said, the two projects that you want to pay attention to are OpenSCAP, and indeed everything under the OpenSCAP umbrella, which includes SCAP Security Guide for the individual security settings that you might be interested in. And so just one quick example, back to what I said before with regard to the requirements for IT products that we're driving as part of Common Criteria evaluation: we've got the requirement here, and it's sort of excessively verbose text that says, as part of the formal evaluation that vendors do, we would like you to provide your operational user guidance in automated formats like XCCDF.

So with that we'll spend like the next 30 minutes; we'll show you the code, we'll do some scans, show the scanning, remediation, bare metal, Docker. So before that, there's a surprising amount of commercial people here, so Jeff has to be whisked away to some executive forum. No, it's the government luncheon across the hall. Yeah. So any other kind of questions for Jeff immediately relating to the government roadmap, security automation standards from the government?

Yeah, where do I go? I mean, I know the starting point; where do we end? So how do I make sure that the code that I'm writing today is going to be functional or valid, like a year down the road? If I'm setting up my servers and I'm buying RHEL 7 and I'm spending all that money, are you going to be in sync with Red Hat, or is Red Hat going to be in sync with what we need as a bank, so that the money that I have spent is not going to go to waste in 2017 or 2018?

So, yes, a great question. There are several dimensions to it, so hopefully I'll be able to cover at least one before running off. One way in which you stay in sync is by using what's provided as part of the product, and the really nice thing in this case is that there's SCAP software as part of the product itself. So indeed you don't have to install a third-party product in order to have the ability to scan and assess the system, so because it's provided as part of the Red Hat product, that stays perfectly in sync, which is excellent. The other part that you may be thinking of is the actual security baselines themselves, which has been, I think, disappointing with regard to the speed with which those have been delivered by a variety of government agencies or other organizations, and we're studying this closely and trying to speed it up.

So let's say the government comes out with new DoD requirements for medical records, or a DoD STIG, or something like that. What Red Hat ends up doing is, we are actually involved in the communities that write the standards; anybody can be, it's on GitHub, and Jeff put a link there. So we're actually one of the steering committee members, so we participate in the policy, if you will. From there we take it and actually put it into these two projects, the SCAP content, right, automated remediations or automated pass or fail, and from there we rebase with every Red Hat service pack. So with RHEL 7.3 you'll have the latest content, 7.4 the latest content. So that's how we ensure customers continue to be in sync with baseline development, whether it's DoD STIG or PCI, which just came out with a new version plus or minus a month ago; we'll ship all of those baseline updates in service packs, so you can yum update. For customers who need out-of-band updates, like RHEL 7.3, we had a code freeze last week, it'll ship in a couple months; so what happens if you need the updated PCI profile this week? For that, we as Red Hat offer what we call hotfixes. The idea is it's escalated delivery of a future release, expedited delivery of a future release, and that's kind of a one-off, like we'd give it just to you as a bank, or just to somebody else, and not necessarily make it public, but people could request it. Okay, thanks. All right, good. Jeff has to run, so with that, thank you. Okay, thanks guys. Oh, microphone problems, then you're good to go.

All right, so yeah, Jeff is a little bit modest. He says he's the tech director, which is true, but he's also the highest ranking civilian in that division, the equivalent of a two-star general, so it's really great to have him come. How many people would have known that about him?

So with that we have these two projects. The grand story is about three, four years ago we got together with a bunch of govies, a bunch of industry-leading companies like Lockheed Martin, Northrop Grumman, Booz Allen, and some others, and we went ahead and created this catalog of nerd knobs. We got together and said, what is every security relevant check that we can possibly think of, and we just documented them. So over the past couple years, Jeff and I met because I got a phone call and it was, hi, this is Mr. Blank from the NSA, we'd like to talk to you about security, and I thought he was full of crap and that's not his real name. And fast forward, we have about 100 different community members contributing code, about 23, 24 different government agencies, and that's now spanned to banks and airlines, so it's a huge, vibrant community.

So with that, RHEL 7 ships a couple profiles today that are noteworthy. One of them is PCI compliance, so that's shipping. The other is what's called the DoD vendor STIG, the military baseline. As we just had the code freeze for RHEL 7.3 roughly last week, it comes out in a couple months, we're adding profiles. The first is for FBI criminal justice systems, so courts and law enforcement, things like that. The other one, we worked with CIA to open source what they called the C2S baseline. So the CIA went to Amazon and said, hey, we want a region of EC2 just for the intelligence community, here's like 800 million dollars, build us one, and Amazon took the money and did. So we've worked with Amazon and CIA to open source their baseline. It is directly derived from CIS, or the Center for Internet Security. As Red Hat we are not allowed to call the profile CIS baseline because that infringes on their trademark, so what we have to say is that it is CIS-inspired. Since I'm being videotaped I have to make sure I say that. The other thing is what's called certified cloud providers. So the idea here is, wouldn't it be wonderful if I could use the same baseline that Amazon and Rackspace and Terremark use, where I don't necessarily need the full blown-out military system, but I want to make sure direct root login isn't enabled, I want to make sure my passwords are like 8 or 10 characters, and why don't we call it a common core set of plus or minus 30 or 40 things. And then the other thing that's in progress is we're making content, slowly, for OpenShift, OpenStack, and JBoss. So the idea is, while we have secured baselines for RHEL, what about the infrastructure that runs them? We've been a little deficient in that regard, so we need to own up to it. To that point we've started to write content for OpenStack; right now it's plus or minus 30 or 40... I'll actually show it, since the OpenStack PM is sitting in the front row. It's plus or minus 30 or 40 controls that go through Horizon, Nova, Neutron, and I want to say Swift, but I'll double check that in a live demo, how about that. So one of the things we're trying to figure out is, extending these security baselines beyond RHEL, is OpenStack more important than OpenShift, is JBoss more important than everything else? So what would you guys like to see? I don't know how to poll an audience. OpenStack, raise of hands? Very few. OpenShift? JBoss? What about everybody else? Yeah, Trevor, do it. Satellite, yeah, okay. Cool.

So, enough slides, demos. What I ended up doing is I'm going to switch to the command line and actually run some scans and show everything I just talked about. With that said, the slide deck will be posted on redhat.com. I went through and documented all the commands I'm about to run, so you can get the deck, copy and paste: installing all the tools, where to find the content on the system, breaking down how to get the profiles, how to run a scan. So there's no necessary need to take crib notes here. So let me go ahead and get out. Is that kind of thing interesting to you? So you want to see what the heck we ship? Let's actually see it, right? Does anybody use SCAP today? More than I thought. All right.

So with that, the very first thing we end up shipping is, let me pull it up, we ship what are called... where's the PCI profile? So here is the RHEL 7 PCI profile. The idea is it's a human-readable prose guide, it's a big HTML document; all of it ships under /usr/share/doc. I am just cheating and using my development environment, so you see a weird URL, but it's /usr/share/doc/scap-security-guide and they're all there. So with that I can go through, and it's pretty basic, right? So how do I check file permissions? Well, I need to check umask, I need to check permissions on important files, so who owns /etc/shadow? It's pretty basic stuff, but when we go through, for one you get the check, right: make sure this is /etc/shadow, run this command, and it sets it. This is a little bit of a hammer, but it also tells some rationale, and it gets what's called a CCE number, or a common configuration enumerator. The idea is for every nerd knob we want to create a unique... I keep saying nerd knobs, maybe I should stop. For every configuration check we give it a unique identifier, and that's kind of like a pivot point to policy references. So in this case Red Hat configuration, 2 6 7.2, PCI section 8.7 3. What we end up then doing is transforming that into an HTML table where the first column, I did not mean to click on that, the first column is like PCI requirement 1, PCI requirement 2, 3, 4, 5, all the way to 8, and then we document how we met that requirement, and I'll show that table in a minute. Ah, so AC-6 is a NIST 800-53 reference, so it should actually, I'll have to double check why I did it, but it should say NIST 800-53 AC-6, PCI version blah, 8.7. And then with that we also include remediation scripts. So let's say you actually run this check and /etc/shadow is owned by Bob; well, I want to remediate, so here's a command to do that.

So we have these guides. With that, I also mentioned these human-readable tables, so let me show you the one for PCI. Here's kind of that table I mentioned; let me make it a little bit more readable. So apparently there's some requirement 8.1.8 that says do screen savers, so we have a description of what to do, a description of rationale, a description of how to manually check if you didn't want to use our automation content, and as we go through, 8.1, 8.7, so forth. So these policy tables are really just, for one, to make sure that we documented all of the controls in PCI or DoD STIG or the government recs. So is that kind of useful for you guys? These policy tables are actually quite annoying because we have to have like one screen with the PCI document and one screen with the SCAP and link all these through metadata. So it sounds like, good, very useful, cool. So, human-readable prose guide, go through, get your table of contents, very easy to read, we have these policy mappings, and that actually brings us to the command line.

So I'm going to cheat and become root. Part of that is a lot of the scans will read your audit rules file or sysctl or other memory settings that require root just to even see what the configuration value is, so you can kick off scans with sudo or you can just sit and read directly; it's totally up to you. So with that, OpenSCAP on the command line is a tool called oscap, and it allows us to do things like, I want to evaluate a system, ssg-rhel7... yes, so I apologize. So when we actually run on the content itself, we can run a command called info that lists out all the available profiles that are to be deployed or can be scanned on the box. So I think a lot of people were from commercial, so I'll just randomly pick the PCI profile. xccdf eval --profile, I can give it the profile name, but I'm also going to do a couple things: /var/www/html/summit-pci.html, I'm going to create an XML file of results. So the idea is I don't want to just have stuff fly by the screen and give me a pass or fail; I want to generate a human-readable HTML report that has colors and pictures and red light, green light, so that's the --report. Right now I'm showing command line; in a minute I'll show some GUIs. Oh, XML, and I want to give it my data stream. So what did I do? Oh, plural, results, plural. Why can't I command insert? So, my bad.

Ah, so this is my personal development laptop; clearly I am up to spec on all of the security standards as all my fails fly by. But ultimately, as it goes through here, it's really just doing this command line output, because writing a percentage complete in Python is annoying, so we just output it per rule where it is. So right now it's actually going through my entire box and verifying RPM permissions. Apparently I really need to secure my box a little bit; I did not imagine that would be in the live demo. You know what, I don't have a single pass. Oh, oh, there we go, all right, well, my audit logs are owned by root. I am ready to put my machine on the internet, and I have NTP servers turned on, so all this is good. And now I'm complete; I didn't get any errors, pass or fail. So how do I turn this into something more usable that I can email my boss or whatever? So if you notice, I output it to /var/www/html; it's because I'm running on a virtual machine here. So where is PCI? So if I go through, basically, hey, this is a PCI profile provided by Red Hat. I get some little statistics, like my hostname; I do not have FQDN set, but if I did it would show it here; the timestamp, the profile. What's also nice is it will make sure it shows who the scan was performed by, so you notice I actually sudo'd; it'll take the effective user ID of that shell session, so in my case my username, Shawn W. So even though I ran the scan as root, it knows it was me. Tells me it's on RHEL 7, gives me some IP
address info and let me uh it's still pretty pretty big it gives me some results so I passed a couple things more than apparently my three audit rules that I thought and I failed some things and severity x' so we use largely because a lot of the code contributors from the government we use government definitions of high medium low so it's effectively like a high severity finding would be something that is remotely exploitable or would lead to elevated privileges in arguably trivial way so like direct route login over SSH we'd consider that a high finding not having the right file permissions set on your ntp kampf might be like a moderate maybe um so I can go through here and I get now my results my red light green light Christmas tree so I get some highs i'm it'll tell you the severity of the of the rule it's not particularly ordered in any way it just happens to be all hives and mediums here your pass or fail but you'll also notice there's one called a result called not checked and what that ultimately means is that there are some controls that we recognize a security relevant like make sure you have all of your patches applied but how do i automate the security check of that like especially if you're disconnected from the internet i can't do like a young check update so we recognize the validity of the rule but we may not be able to automate it like do you have badge readers on your data center i can't what file do i regex to to let you know that um so not checked so if i click on one like install aid that's that's going to be a complicated one so where is an activity timeout so i failed this rule I get my identifier I get my policy mappings this is the DoD one I get a description of what it actually checked like a human readable you know hey we checked these files for this name pair value kind of thing and then if I scroll down you'll notice there is a bit of a remediation script so all of these are written in back and it was really because if we had to pick a 
remediation language like chef puppeted ansible are the better choices but we in no particular order but we cannot necessarily guarantee that puppet is installed on every Red Hat endpoint but we can guarantee that Bash will be so we chose Bosch first and that was that was the extended logic of it as we move on I'll show you how we've starting to write extensions for puppet and ansible but today it's all bash based as a result though there's no undo so fair warning so I go through I can do my bash remediations that was actually a little bit of a complicated one for some reason maximum ages yeah so that's probably an easier one right so it takes the variable apparently the this baseline was checking PCI compliance means passwords have to be changed every three months so it goes ahead and you know changes that in your files so is that useful is this report useful what do you get do you guys use anything today for similar some people said they're not using a s kept like tripwire key radar some people all right um the other thing that Jeff mentioned is we wanted to sever the tie between tools security analysis tools or evaluations and content ah my personal frustration I work in the DD space so we would go to the US Navy who at their time was using called something SPAWAR escape compliance checker it was like this command-line utility wrote by some people in the Navy and it was fine but then I would go to the FBI they would use a different tool so even though they were checking the same rule like password lengths equals 90 days one would say true one would say false so they each had their own proprietary content they'd argue over which one's better and it was really frustrating so what we've ended up doing is all of this s cap code we wrote to a formal spec so we can actually ingest it to Splunk or tripwire or q radar or the Red Hat satellite so in that way we can have consistent security scans regardless of what tool you use so I forgot to mention that are there so 
where was I I ran a scan of the PCI compliance profile I have this really pretty HTML result I can click and great I can see all this so then how do I get all this remediation out of HTML report and how do I like run it it's usually the the next question um so in that case if you know let me make this a little bit bigger so if you notice I started my command as ESCAP XE CDF eval all I would end up needing to do should I do this on my live demo machine yeah this like a double dog dare so I add I'm actually a little bit nervous now so let's take my own advice so before your immediate remember it's bash and like it's kind of scary so it's important to actually take a look at what it changes so passwords you know well I don't have any accounts with empty passwords maximum age I know I haven't changed my password in like two years on my development VM I certainly don't my password password so I don't have any of these set log files audit events I'm clearly up to date on my audit events so yeah well alright um got open so what it's doing right now that - session remediate will go ahead and it does two passes the first pass is it will generate the pass/fail report that you just saw with that a I noticed I didn't necessary go through it but it has an XML file that - - results say that I mistyped it generates an XML file that one of those tags actually has it's called fixed tag and that's where we embed all the bash scripts so it does the first pass it generates that XML file and when it's done with that it will take the XML and extract all of the bash and run it one by one make sure it doesn't error on any particular one so that's called the remediation phase and then it will do a second pass where it goes through and will up here we go oh that's fine it'll do a second pass and go through and make sure that it fixed everything that was broken originally so oh what this is so this - - vet remit sources so if I were if I added this remote sources it would go ahead and 
download CVE data for me so it would marry my configuration of PCI compliance to make sure I have all of the the latest CVE vulnerabilities patched as well oh so now it's doing remediation and at least it installed aid so you can go through this is that remediation phase and it says fixed so it'll take a second yeah a lot of machines I run use PTP for their time which does not play nice with ntp so we feel that the spirit of the rule is complied with we've got accurate time sync from an external source but this would fail with a breaker setting and if we did the remediation it would then break PT P so this is you know just one example could we like turn that check off or even extend that check yourselves yeah so the question was like how do I take the PCI baseline and tailor it so check what I want and uncheck what I don't want and I'll show you that next so I still have a system that's a good sign so while it's running through our if you'll notice oh yeah one question please so what we are doing here is we are putting a fix on your laptop right yep our or anybody my box right here so in a CI CD bar where I spawn you know hundreds of VMs using my scripts is there a way to go fix my baseline scripts for the failures that we have discovered or maybe we would have already done that you know doing the testing of my VM scripts you know check one and make one pass yes then use that to spawn your other rest to 300 whatever yeah so I made a note I'll show that to you okay thank you so with that I am like dangerously at a 10-minute warning sign so why don't we speed it up these are remediations it's going to fix stuff hopefully I don't like crash my laptop showing a bunch of fixes on the screens really boring so to your question about tailoring the PCI profile what we ended up doing was writing a tool called s cap workbench it's available on Mac Windows and Linux um it's actually I think like the only Red Hat tool that is so the guy who wrote it's in the front row so you 
can thank Martin um yes really he wrote it so and and he caught a lot of crap from his manager so like this is a big validation of him compiling it and cross compiling it so it's really great so I'm sorry I click too fast so I load up s cap workbench I close my chat that popped up and I'm provided with a series like here's all of the content that we ship real five rl6 you'll notice some other things sent to us whatever Chrome Firefox so that's just arbitrarily pick rl6 and choose the c2 s which is that CIF benchmark the CIS derived or whatever a CS inspired is my on video recorded thing and sorry clicked so again this is a GUI tool so I could actually scan my remote systems through this tool you get the HTML report like you just saw but for this conversation I want to customize it so I hit customize I can give it a name summit demo 2016 all this all this gobbledygook in front of it is part of the s cap naming schemes we generate it automatically for you you don't necessarily have to keep it but it other tools like trip wire and Splunk expect it to be named in this way so I'm going to generate hit OK and I'm brought to a screen with checkboxes so let's say I'm running on ec2 and I don't have a VM with like its own partition for temp and var and var log and I want to stop failing those rules because that's really annoying well I can uncheck that whole group if I go through and where's it good one my demon you masks so by default the CIS or c2 s profile looks for you mask 0 to 2 I want to change that to 0 to 7 I want to Dan Walsh is going to kill me I want to disable selinux so you know with a check of a button you can make Dan lose all of his hair so or maybe instead of you know enforcing I just want to put it into permissive which maybe he won't kill kittens so I hit confirm change and great now I have the c2s customized profile era wonderful I can go ahead and scan a box but really I want to save this and like ingest it into a cm tool if you're running s kept 
workbench on a Mac I'm sorry on Linux it will go ahead and generate an RPM for you that you can ingest into like a young repo or satellite if you're running it on anything else it just generates what's called a customization file it's like a XML spec why don't we call a tailoring file or a drift file and I'm going to save this as a summit tailoring and it saved so hey look at that my remediation didn't crush my box it worked yeah yes yes so the question was yeah so the question was like that's say I take a PCI profile and I uncheck a bunch of stuff I don't want to have that be held against me in terms of like percent complete or percent compliant so yes the updated profile would not include those rules so let me make this or attempt to make this a little bit reasonable so five minutes in this profile ID I basically say hey I created something called summit demo 2016 that extends the base CIS profile so it's a way in code to basically say what I took and what I changed and codify that a bunch of random s cap things but as I go through you'll notice now there's rule selections like my my entire group of disk partitioning is now false my variable for selinux I am enforcing SELinux but however the state is now set to permissive so it has like this variable refinement what's nice is I'm showing the XML for one just to see show you that it's codified but behind the scenes I showed you that policy mappings table that HTML pros guide like a privileged user guide when I create this tailoring file you can regenerate all of those HTML guides dynamically for you yeah the standards sorry if you had some local site requirements that weren't captured in one of the standards document some additional security controls could you write those into a file either with the workbench tool or some other way and then like merge it so you have like a comprehensive one based on like C 2's plus some additional brand-new rules or okay so the question is like if I have I'm going to demo 
something and then I'm going to come back to that fair cool so I got three minutes from trying to be like super respectful of everybody's time so while I do that one about four people five people before the session came up and said like Sean that's great you're scanning rel host but what the heck do I do with open shift and docker what do I do like so the question was how do i introspectively scan my docker registry for like PCI compliance so all of my docker images I want to know if the PCI compliant all of my open shift environment I want to know if they're CVEs um so it's actually kind of intimidating to like a demo the code of the guy who wrote it which is Martin again so he wrote a tool called escape docker that we now ship in rel seven let's so escape docker it's the same command syntax it's the same everything and it will go ahead and docker in docker in fo yeah just making sure it's running docker images so on my box I just have a docker image of rel seven nothing super sexy it's it's not real it's not running so I can actually go in and introspectively scan a docker image that is turned off for in this case I'm using what's called well I'm using the PCI report so X CCDF eval so in case that happened I went ahead and to do help me out see why it's intimidating to have him in the room now Oh SCAP talker Hey ah thank you so I tried to I tried to have it in my hour that's what you get for non you know live demos but the idea is as soon as I get my commands index right even I'm copy and pasting it'll go ahead and run a docker scan so with that I am officially out of time but I will be here any any other kind of questions was this worth your while very good if we get to questions yeah you showed us how to how to scan single OS instances and generate reports my question is what if I have a thousand Linux hosts mostly well six were seven how do I get a report an overall report over all of them sure so the question was how do I scan multiple multiple nodes Krupa 
systems thousand systems so for that you'd use something like satellite um I did run out of time for the demo but it is in satellite we go through you can choose your profile like PCI or US government and it will go ahead and scan a group of systems like a host group like all of production and you can get a per host report pass/fail so forth and then you can also go in and view the HTML report as well so you get a centralized roll-up of all of production like 80% of my production systems pass and then you can also go in on a per host basis and drill down for a report six satellites six shipping today and if you have more questions come see me I'll be hanging out here and as a plug it's great to have Jeff here but the session reviews are incredibly important to allowing us to have having Jeff come back having me come back so please we we review every single report so if you get a chance give us a session review on the app or I think they're floating papers around and I'll be up here for questions you you
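The `--results` XML the talk describes carries a per-rule outcome in its TestResult and, on each Rule, the `fix` element that `--remediate` extracts and runs. The script below is an added example, not OpenSCAP or scap-security-guide code: it reads a constructed, heavily trimmed XCCDF 1.2 results document (the rule ids are real SSG names, the outcomes and fix scripts are made up) and reports the pass/fail/notchecked tally, the Bash fixes queued for failed rules in severity order, and the notchecked rules that need manual review.

```python
# Added example, not OpenSCAP project code: join each Rule's severity and Bash
# fix to the outcome recorded in the TestResult of an oscap --results file.
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
SH_FIX = "urn:xccdf:fix:script:sh"  # the fix "system" that --remediate executes
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample (not real oscap output), trimmed to the elements used here.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <Rule id="xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" severity="medium">
    <fix system="urn:xccdf:fix:script:sh">chown root /etc/shadow</fix>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="high">
    <fix system="urn:xccdf:fix:script:sh">sed -i 's/^#\\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config</fix>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" severity="high"/>
  <TestResult id="xccdf_org.open-scap_testresult_pci-dss">
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_owner_etc_shadow"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""

def parse_results(xml_text):
    """Return {rule_id: {"severity", "fix", "result"}} for every rule the
    TestResult reports on; rules it never mentions were not in the profile."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.iterfind(".//x:Rule", NS):
        # Keep only the Bash fix; content can also carry Puppet/Ansible fixes.
        scripts = [f.text.strip() for f in rule.iterfind("x:fix", NS)
                   if f.get("system") == SH_FIX and f.text]
        rules[rule.get("id")] = {"severity": rule.get("severity", "unknown"),
                                 "fix": scripts[0] if scripts else None}
    results = {}
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        rid = rr.get("idref")
        if rid in rules:
            outcome = rr.findtext("x:result", default="unknown", namespaces=NS)
            results[rid] = dict(rules[rid], result=outcome)
    return results

def summarize(results):
    """Tally outcomes like the header of the HTML report (pass/fail/notchecked)."""
    return Counter(r["result"] for r in results.values())

def pending_fixes(results):
    """Bash fixes for failed rules, highest severity first: the scripts that
    --remediate would extract and run, listed here for review instead."""
    failed = [(rid, r) for rid, r in results.items() if r["result"] == "fail" and r["fix"]]
    failed.sort(key=lambda item: SEVERITY_ORDER.get(item[1]["severity"], 3))
    return [(rid, r["severity"], r["fix"]) for rid, r in failed]

def manual_review(results):
    """Rules reported notchecked: security relevant but not automatable, such as
    patch status on a box with no repository access."""
    return sorted(rid for rid, r in results.items() if r["result"] == "notchecked")

if __name__ == "__main__":
    res = parse_results(SAMPLE_RESULTS)
    print("summary:", dict(summarize(res)))
    for rid, severity, script in pending_fixes(res):
        print(f"[{severity}] {rid}\n    {script}")
    print("manual review:", manual_review(res))
```

Point it at a real `--results` file (minus the data-stream wrapper) and the same three functions give the numbers the HTML report shows, plus the exact scripts a `--remediate` run would execute.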
Info
Channel: Red Hat Summit
Views: 12,119
Rating: 4.9540229 out of 5
Keywords: openscap, management, compliance, automation, red hat, red hat satellite, it management
Id: xmTt0MvyYQ8
Length: 61min 11sec (3671 seconds)
Published: Sun Oct 23 2016