Slide 1 (Computing Department, Vasileios Baousis, 2016)

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP

Vasileios A. Baousis (Ph.D)

Network Applications Team

Slide 2

Agenda

- Introduction
- Background
  - SCAP
  - Puppet & Mcollective
  - Spacewalk
- System setup
- Reports and use of the output
- Questions

Slide 3

Introduction

Why should we perform a “continuous security audit”? Why automate this process? Manual? No way.

- Security should be considered and implemented for the entire lifecycle of a system.
- The same applies to the auditing of a system, but most of the time it is neglected.
- Security (mis)configuration drifts and missing important package patches are identified when it is tooooooooooooooooooo late.
- Continuous auditing/reporting in a consistent & automated manner.
- Work in progress.

Slide 4

Security Content Automation Protocol (SCAP)

A standardized compliance checking solution for enterprise-level Linux systems. It is a line of specifications maintained by NIST for system security.

OpenSCAP implements the SCAP specifications, and is an auditing tool that utilizes the Extensible Configuration Checklist Description Format (XCCDF).

XCCDF is a standard way of expressing checklist content; it defines security checklists and combines with other specifications to create a SCAP-expressed checklist that can be processed by SCAP-validated products. These are:

- Common Platform Enumeration (CPE),
- Common Configuration Enumeration (CCE),
- Open Vulnerability and Assessment Language (OVAL).

OpenSCAP:

a. verifies the presence of patches by using content produced by the distro distributors,
b. checks system security configuration settings, and
c. examines systems for signs of compromise/misconfiguration by using rules based on standards and specifications.

Slide 5

Oscap command line

Datastreams: an archive of interlinked SCAP content (XCCDF, OVAL, CPE). Source and Result DataStreams.

oscap -h

    oscap
    OpenSCAP command-line tool

    Usage: oscap [options] module operation [operation-options-and-arguments]

    oscap options:
       -h --help    - show this help
       -q --quiet   - quiet mode
       -V --version - print info about supported SCAP versions

    Commands:
       ds    - DataStream utilities
       oval  - Open Vulnerability and Assessment Language
       xccdf - eXtensible Configuration Checklist Description Format
       cvss  - Common Vulnerability Scoring System
       cpe   - Common Platform Enumeration
       cve   - Common Vulnerabilities and Exposures
       info  - info module

oscap ds -h

    oscap -> ds
    DataStream utilities

    Usage: oscap [options] ds command

    Commands:
       sds-split    - Split given SourceDataStream into separate files
       sds-compose  - Compose SourceDataStream from given XCCDF
       sds-add      - Add a component to the existing SourceDataStream
       sds-validate - Validate given SourceDataStream
       rds-split    - Splits a ResultDataStream. Creating source datastream (from report-request) and report in target directory.
       rds-create   - Create a ResultDataStream from given SourceDataStream, XCCDF results and one or more OVAL results
       rds-validate - Validate given ResultDataStream

Slide 6

Oscap command line

oscap xccdf -h

    oscap -> xccdf
    eXtensible Configuration Checklist Description Format

    Usage: oscap [options] xccdf command [command-specific-options]

    Commands:
       eval                  - Perform evaluation driven by XCCDF file and use OVAL as checking engine
       resolve               - Resolve an XCCDF document
       validate              - Validate XCCDF XML content
       validate-xml          - Validate XCCDF XML content
       export-oval-variables - Export XCCDF values as OVAL external-variables document(s)
       generate              - Convert XCCDF Benchmark to other formats
       remediate             - Perform remediation driven by XCCDF TestResult file or ARF.

Example evaluation of the MAC-1_Public profile of a Red Hat 6 benchmark, with its CPE dictionary:

    oscap xccdf eval --profile MAC-1_Public \
        --cpe /usr/share/openscap/redhat_simple/U_RedHat_6_V1R4_Benchmark-cpe-dictionary.xml \
        /usr/share/openscap/redhat_simple/U_RedHat_6_V1R4_Benchmark-xccdf.xml

oscap xccdf eval -h

    oscap -> xccdf -> eval
    Perform evaluation driven by XCCDF file and use OVAL as checking engine

    Usage: oscap [options] xccdf eval [options] INPUT_FILE [oval-definitions-files]

    INPUT_FILE - XCCDF file or a source data stream file

    Options:
       --profile <name>              - The name of Profile to be evaluated.
       --tailoring-file <file>       - Use given XCCDF Tailoring file.
       --tailoring-id <component-id> - Use given DS component as XCCDF Tailoring file.
       --cpe <name>                  - Use given CPE dictionary or language (autodetected)
       …

Slide 7

Oscap command line

oscap oval -h

    oscap -> oval
    Open Vulnerability and Assessment Language

    Usage: oscap [options] oval command

    Commands:
       collect      - Probe the system and create system characteristics
       eval         - Probe the system and evaluate definitions from OVAL Definition file
       analyse      - Evaluate provided system characteristics file
       validate     - Validate OVAL XML content
       validate-xml - Validate OVAL XML content
       generate     - Convert an OVAL file to other formats
       list-probes  - List supported object types (i.e. probes)

Example: collect system characteristics against the Red Hat security (RHSA) OVAL feed:

    oscap oval collect com.redhat.rhsa-all.xml

oscap oval eval -h

    oscap -> oval -> eval
    Probe the system and evaluate definitions from OVAL Definition file

    Usage: oscap [options] oval eval [options] oval-definitions.xml

    Options:
       --id <definition-id> - ID of the definition we want to evaluate.
       --variables <file>   - Provide external variables expected by OVAL Definitions.
       --directives <file>  - Use OVAL Directives content to specify desired results content.
       --results <file>     - Write OVAL Results into file.
       --report <file>      - Create human readable (HTML) report from OVAL Results.
       --skip-valid         - Skip validation.
       --datastream-id <id> - ID of the datastream in the collection to use. (only applicable for source datastreams)
       --oval-id <id>       - ID of the OVAL component ref in the datastream to use. (only applicable for source datastreams)
       --probe-root <dir>   - Change the root directory before scanning the system.
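The nodes in the setup described later run `oscap oval eval` against the fetched com.redhat.rhsa-all.xml and report the results back. As an added example (not code from the presentation), the Python below reads the OVAL results file written by `--results <file>`, counts outcomes, and turns the patch definitions that evaluated true into a list of missing errata sorted by severity; the results document is a constructed sample with made-up RHSA numbers, and only the two standard OVAL 5 namespace URIs are assumed.

```python
import re
import xml.etree.ElementTree as ET

RES = "{http://oval.mitre.org/XMLSchema/oval-results-5}"
DEF = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"

# Constructed sample shaped like the file written by `oscap oval eval --results <file>
# com.redhat.rhsa-all.xml`; the RHSA numbers, titles and results are made up.
SAMPLE_RESULTS = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
    xmlns:d="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <d:oval_definitions><d:definitions>
    <d:definition id="oval:com.redhat.rhsa:def:20990001" version="1" class="patch">
      <d:metadata><d:title>RHSA-2099:0001: kernel security update (Important)</d:title></d:metadata>
    </d:definition>
    <d:definition id="oval:com.redhat.rhsa:def:20990002" version="1" class="patch">
      <d:metadata><d:title>RHSA-2099:0002: openssl security update (Moderate)</d:title></d:metadata>
    </d:definition>
    <d:definition id="oval:com.redhat.rhsa:def:20990003" version="1" class="patch">
      <d:metadata><d:title>RHSA-2099:0003: bash security update (Critical)</d:title></d:metadata>
    </d:definition>
  </d:definitions></d:oval_definitions>
  <results><system><definitions>
    <definition definition_id="oval:com.redhat.rhsa:def:20990001" version="1" result="true"/>
    <definition definition_id="oval:com.redhat.rhsa:def:20990002" version="1" result="false"/>
    <definition definition_id="oval:com.redhat.rhsa:def:20990003" version="1" result="true"/>
  </definitions></system></results>
</oval_results>"""

def result_counts(results_xml):
    """Count evaluated definitions per OVAL result value (true/false/error/...)."""
    counts = {}
    for d in ET.fromstring(results_xml).iter(RES + "definition"):
        counts[d.get("result")] = counts.get(d.get("result"), 0) + 1
    return counts

def missing_errata(results_xml):
    """(rhsa_id, severity, title) for each patch definition that evaluated 'true', most
    severe first: 'true' means the affected package is older than the fix, i.e. missing."""
    root = ET.fromstring(results_xml)
    titles = {d.get("id"): d.findtext(DEF + "metadata/" + DEF + "title", "")
              for d in root.iter(DEF + "definition")}
    rank = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
    missing = []
    for r in root.iter(RES + "definition"):
        if r.get("result") == "true":
            title = titles.get(r.get("definition_id"), "")
            m = re.match(r"(RHSA-\d{4}:\d+):.*\((\w+)\)$", title)  # severity sits in the title
            rhsa, sev = (m.group(1), m.group(2)) if m else ("?", "Unknown")
            missing.append((rhsa, sev, title))
    return sorted(missing, key=lambda t: rank.get(t[1], 9))
```

On a real host, read the `--results` file instead of SAMPLE_RESULTS; the same parsing applies to the SUSE OVAL feeds, except that their titles do not carry the RHSA pattern, so those entries come back with an unknown severity.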

Slide 8

Oscap command line

oscap cvss -h

    oscap -> cvss
    Common Vulnerability Scoring System

    Usage: oscap [options] cvss command

    Commands:
       score    - CVSS score from a CVSS vector
       describe - Describe a CVSS vector

oscap cpe -h

    oscap -> cpe
    Common Platform Enumeration

    Usage: oscap [options] cpe command

    Commands:
       match        - Match CPE name against provided dictionary
       check        - Check if CPE name is valid
       validate     - Validate CPE Dictionary content
       validate-xml - Validate CPE Dictionary content

Slide 9

Puppet

IT automation software that helps system administrators manage infrastructure throughout its lifecycle, from provisioning and configuration to orchestration and reporting.

- Easily automate repetitive tasks.
- Quickly deploy critical applications.
- Proactively manage change, scaling from 10s of servers to 1000s, on-premise or in the cloud.

Slide 10

Puppet typical workflow

Diagram: Version Control Repository -> Puppet master (Puppet Interface) -> Nodes (Puppet agent), with the master/agent link over SSL.

1. Commit changes
2. Perform checkout
3. Apply changes
4. Report back the performed changes

Slide 11

Puppet interface

Slide 12

Mcollective 1/2

The Marionette Collective (MCollective) is a framework to build server orchestration and parallel job execution systems.

- Uses publish/subscribe middleware and real-time discovery of network resources using metadata and not hostnames.
- Delivers a scalable and fast parallel execution environment.

Slide 13

Mcollective 2/2

- Uses a broadcast paradigm for request distribution.
  - All servers get all requests at the same time; requests have filters attached and only servers matching the filter will act on requests.
  - There is no central asset database to go out of sync; the network is the only source of truth.
- Supports complex naming conventions for hostnames as a means of identity. Metadata comes from Puppet, Facter or custom plugins.
- CLI tools to call remote agents.
- Ability to write custom reports about your infrastructure.
- Allows you to write simple RPC-style agents, clients and web UIs in an easy to understand language: Ruby.
- Includes Authentication, Authorization and Auditing (AAA) of requests.

Slide 14

MCO in action

Slide 15

MCO in action

Slide 16

MCO in action

Slide 17

MCO in action

Slide 18

What is Spacewalk (1/2)

Open source Linux systems management software from RH (under the terms of the GNU General Public License version 2). The Satellite and Novell SUSE Manager commercial products are identical.

Manages software content updates for Red Hat derived distributions (Fedora, CentOS, SL and SUSE). You can:

- stage software content through different environments,
- manage the deployment of updates to systems, and
- view at which update level any given system is across your deployment.

Provides a central web interface allowing viewing of systems, their associated software update status, and initiating update actions...

Slide 19

What is Spacewalk (2/2)

Provides provisioning/monitoring capabilities, allowing you to:

- Inventory your systems (hardware and software information)
- Install and update software on your systems
- Collect and distribute your custom software packages into manageable groups
- Provision (kickstart) your systems
- Manage and deploy configuration files to your systems
- Monitor your systems
- Provision virtual guests
- Start/stop/configure virtual guests
- Distribute content across multiple geographical sites in an efficient manner

Multiple Spacewalk Proxies can connect to a central Spacewalk server and cache and distribute content from the Spacewalk Server in various geographical locations.

More on spacewalk.redhat.com

Slide 20

Spacewalk architecture

Three tier architecture:

1. Presentation tier: web UI, command line clients, and XML-RPC clients
2. Logic tier: spread across four languages: Java, Perl, Python, and PL/SQL
3. Data tier: RDBMS, Oracle or PostgreSQL

Entities

- Backend provides a set of APIs that the different client utilities (rhn_register, up2date, yum) can connect to.
- Taskomatic is a daemon whose job is to perform long running tasks that are scheduled to run asynchronously, such as cleaning up the sessions table or sending out email notifications for new errata.

Slide 21

A Spacewalk typical configuration

Slide 22

Cooking all together!!!!

Mcollective

Slide 23

Fetching and updating OVAL files

OVAL feeds: Red Hat: com.redhat.rhsa-all.xml; Novell: suse.linux.enterprise.server.11.xml

Puppet-Master: the master downloads the vendor OVAL files into the module's files directory, from where the nodes pick them up.

    node 'puppet-master-ent.ecmwf.int' {
      # Red Hat security (RHSA) OVAL feed
      filefetcher::fetch { 'Security Oval':
        filename   => 'com.redhat.rhsa-all.xml',
        # note: this target_dir differs from the two SUSE entries below
        target_dir => '/etc/puppet/environments/production/modules/ecpds/files/rootHomeFolder',
        user       => 'root',
        rights     => '644',
        url        => 'http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml',
        redownload => true,
      }

      # SUSE Linux Enterprise Server 11 OVAL feed
      filefetcher::fetch { 'suse.linux.enterprise.server.11.xml':
        filename   => 'suse.linux.enterprise.server.11.xml',
        target_dir => '/etc/puppetlabs/code/environments/production/modules/ecpds/files/rootHomeFolder',
        user       => 'root',
        rights     => '644',
        url        => 'http://support.novell.com/security/oval/suse.linux.enterprise.server.11.xml',
        redownload => true,
      }

      # SUSE Linux Enterprise Server 11 patch OVAL feed
      filefetcher::fetch { 'suse.linux.enterprise.server.11-patch.xml':
        filename   => 'suse.linux.enterprise.server.11-patch.xml',
        target_dir => '/etc/puppetlabs/code/environments/production/modules/ecpds/files/rootHomeFolder',
        user       => 'root',
        rights     => '644',
        url        => 'http://support.novell.com/security/oval/suse.linux.enterprise.server.11-patch.xml',
        redownload => true,
      }
    }

Nodes: each node schedules a periodic oscap run through the openscap module.

    # schedule the audit; the resource title is the scan name
    openscap::xccdf::eval { 'my-daily-ssg-audit':
      period => 'daily',
    }

    # module defaults (openscap::params): weekly run on Saturday with the
    # SCAP Security Guide content, and the OpenSCAP package per OS family
    class openscap::params {
      $period          = 'weekly'
      $weekday         = 'Sat'
      $content_package = ['scap-security-guide']
      $xccdf_path      = '/usr/share/xml/scap/ssg/fedora/ssg-fedora-ds.xml'
      $xccdf_profile   = 'xccdf_org.ssgproject.content_profile_common'

      case $::osfamily {
        'redhat' : { $packages = ['rubygem-openscap'] }
        'suse'   : { $packages = ['openscap'] }
        default  : { fail("The ${module_name} module is not supported on an ${::osfamily} based system.") }
      }
    }

Slide 24

Execute audit – Report results

Diagram: Nodes, Spacewalk, Puppet-master, Mcollective; steps: schedule audit, execute audit, report results.

Slide 25

Reports 1/5

Slide 26

Reports 2/5

Slide 27

Reports 3/5

Slide 28

Reports 4/5

Slide 29

Reports 5/5

Slide 30

Results

- Consistent system configuration and compliance with standards.
- Integration of security and auditing into the entire lifecycle of a system:
  - Configuration management frameworks
  - Security and auditing are not isolated processes.
  - Prevention of configuration and/or security drifts
  - Early warning of missing packages/patches and potential vulnerabilities.
- Automation of the entire process to be scalable with considerable system number increase.
- Can be used in different environments ranging from physical on-premise systems to virtual on the cloud or remote systems (which may need additional protection and auditing).

Slide 31

Resources

1. SCAP: http://scap.nist.gov/
2. XCCDF - The Extensible Configuration Checklist Description Format: http://scap.nist.gov/specifications/xccdf/
3. CPE - Common Platform Enumeration: https://nvd.nist.gov/cpe.cfm
4. CCE - Common Configuration Enumeration: https://nvd.nist.gov/cce/index.cfm
5. OVAL - Open Vulnerability and Assessment Language: https://oval.mitre.org/
6. Puppet: https://puppetlabs.com
7. Spacewalk: http://spacewalk.redhat.com/
8. Mcollective: https://puppetlabs.com/mcollective

Slide 32

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP

Vasileios A. Baousis (Ph.D)

Network Applications Team