Slide 1: Computing Department - Vasileios Baousis - 2016
Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP
Vasileios A. Baousis (Ph.D)
Network Applications Team
Slide 2
Agenda
- Introduction
- Background
  - SCAP
  - Puppet & Mcollective
  - Spacewalk
- System setup
- Reports and use of the output
- Questions
Slide 3
Why should we perform a “continuous security audit”?
Why automate this process?
Manual? No way.
Security should be considered and implemented for the entire lifecycle of a system.
The same applies to the auditing of a system, but most of the time it is neglected.
Security (mis)configuration drift and missing important package patches are identified when it is far too late.
Continuous auditing/reporting in a consistent & automated manner.
Work in progress
Introduction
Slide 4
A standardized compliance checking solution for enterprise-level Linux systems. It is a line of specifications maintained by NIST for system security.
OpenSCAP implements the SCAP specifications and is an auditing tool that utilizes the Extensible Configuration Checklist Description Format (XCCDF).
XCCDF is a standard way of expressing checklist content: it defines security checklists and combines with other specifications to create a SCAP-expressed checklist that can be processed by SCAP-validated products. These other specifications are:
- Common Platform Enumeration (CPE),
- Common Configuration Enumeration (CCE),
- Open Vulnerability and Assessment Language (OVAL).
OpenSCAP
a. verifies the presence of patches by using content produced by the distribution vendors,
b. checks system security configuration settings, and
c. examines systems for signs of compromise/misconfiguration by using rules based on standards and specifications.
Security Content Automation Protocol (SCAP)
Slide 5
oscap -h
oscap
OpenSCAP command-line tool
Usage: oscap [options] module operation [operation-options-and-arguments]
oscap options:
-h --help - show this help
-q --quiet - quiet mode
-V --version - print info about supported SCAP versions
Commands:
ds - DataStream utilities
oval - Open Vulnerability and Assessment Language
xccdf - eXtensible Configuration Checklist Description Format
cvss - Common Vulnerability Scoring System
cpe - Common Platform Enumeration
cve - Common Vulnerabilities and Exposures
info - info module
Oscap command line
oscap ds -h
oscap -> ds
DataStream utilities
Usage: oscap [options] ds command
Commands:
sds-split - Split given SourceDataStream into separate files
sds-compose - Compose SourceDataStream from given XCCDF
sds-add - Add a component to the existing SourceDataStream
sds-validate - Validate given SourceDataStream
rds-split - Splits a ResultDataStream. Creating source datastream (from report-request) and report in target directory.
rds-create - Create a ResultDataStream from given SourceDataStream, XCCDF results and one or more OVAL results
rds-validate - Validate given ResultDataStream
Datastreams: an archive of interlinked SCAP content (XCCDF, OVAL, CPE). Source and Result DataStreams.
Slide 6
oscap -> xccdf
eXtensible Configuration Checklist Description Format
Usage: oscap [options] xccdf command [command-specific-options]
Commands:
eval - Perform evaluation driven by XCCDF file and use OVAL as checking engine
resolve - Resolve an XCCDF document
validate - Validate XCCDF XML content
validate-xml - Validate XCCDF XML content
export-oval-variables - Export XCCDF values as OVAL external-variables document(s)
generate - Convert XCCDF Benchmark to other formats
remediate - Perform remediation driven by XCCDF TestResult file or ARF.
oscap xccdf eval --profile MAC-1_Public --cpe /usr/share/openscap/redhat_simple/U_RedHat_6_V1R4_Benchmark-cpe-dictionary.xml /usr/share/openscap/redhat_simple/U_RedHat_6_V1R4_Benchmark-xccdf.xml
oscap -> xccdf -> eval
Perform evaluation driven by XCCDF file and use OVAL as checking engine
Usage: oscap [options] xccdf eval [options] INPUT_FILE [oval-definitions-files]
INPUT_FILE - XCCDF file or a source data stream file
Options:
--profile <name> - The name of Profile to be evaluated.
--tailoring-file <file> - Use given XCCDF Tailoring file.
--tailoring-id <component-id> - Use given DS component as XCCDF Tailoring file.
--cpe <name> - Use given CPE dictionary or language (autodetected)
…..
Oscap command line
Slide 7
oscap oval -h
oscap -> oval
Open Vulnerability and Assessment Language
Usage: oscap [options] oval command
Commands:
collect - Probe the system and create system characteristics
eval - Probe the system and evaluate definitions from OVAL Definition file
analyse - Evaluate provided system characteristics file
validate - Validate OVAL XML content
validate-xml - Validate OVAL XML content
generate - Convert an OVAL file to other formats
list-probes - List supported object types (i.e. probes)
oscap oval collect com.redhat.rhsa-all.xml
oscap -> oval -> eval
Probe the system and evaluate definitions from OVAL Definition file
Usage: oscap [options] oval eval [options] oval-definitions.xml
Options:
--id <definition-id> - ID of the definition we want to evaluate.
--variables <file> - Provide external variables expected by OVAL Definitions.
--directives <file> - Use OVAL Directives content to specify desired results content.
--results <file> - Write OVAL Results into file.
--report <file> - Create human readable (HTML) report from OVAL Results.
--skip-valid - Skip validation.
--datastream-id <id> - ID of the datastream in the collection to use. (only applicable for source datastreams)
--oval-id <id> - ID of the OVAL component ref in the datastream to use. (only applicable for source datastreams)
--probe-root <dir> - Change the root directory before scanning the system.
Oscap command line
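As an added example (not part of the original slides), the following Python parses the results file written by `oscap oval eval --results results.xml com.redhat.rhsa-all.xml` and lists the patch-class definitions that evaluated true, which for the Red Hat RHSA content means the errata is not installed on the scanned system. The sample results document and its RHSA/CVE numbers are constructed placeholders; the XML namespaces are the real OVAL 5 ones.

```python
import xml.etree.ElementTree as ET

# Real OVAL 5 namespaces used by oscap results files
NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

def missing_patches(results_xml):
    """Return [(definition_id, title, [CVE ids])] for every patch-class
    definition that evaluated "true", i.e. whose errata is not installed."""
    root = ET.fromstring(results_xml)
    # oscap embeds the definitions (title, CVE references) in the results file
    meta = {}
    for d in root.iterfind(".//def:definitions/def:definition", NS):
        title = d.findtext("def:metadata/def:title", default="", namespaces=NS)
        cves = [r.get("ref_id") for r in d.iterfind("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        meta[d.get("id")] = (d.get("class"), title, cves)
    missing = []
    for r in root.iterfind(".//res:results/res:system/res:definitions/res:definition", NS):
        cls, title, cves = meta.get(r.get("definition_id"), ("", "", []))
        if r.get("result") == "true" and cls == "patch":
            missing.append((r.get("definition_id"), title, cves))
    return missing

# Constructed sample results document; the RHSA/CVE numbers are placeholders.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
    <definitions>
      <definition class="patch" id="oval:com.redhat.rhsa:def:20990001" version="1">
        <metadata><title>RHSA-2099:0001: constructed sample errata</title>
          <reference ref_id="CVE-2099-0001" source="CVE"/></metadata>
      </definition>
      <definition class="patch" id="oval:com.redhat.rhsa:def:20990002" version="1">
        <metadata><title>RHSA-2099:0002: constructed sample errata</title>
          <reference ref_id="CVE-2099-0002" source="CVE"/></metadata>
      </definition>
    </definitions>
  </oval_definitions>
  <results><system><definitions>
    <definition definition_id="oval:com.redhat.rhsa:def:20990001" result="true" version="1"/>
    <definition definition_id="oval:com.redhat.rhsa:def:20990002" result="false" version="1"/>
  </definitions></system></results>
</oval_results>"""

if __name__ == "__main__":
    # On a real host replace SAMPLE with open("results.xml").read()
    for def_id, title, cves in missing_patches(SAMPLE):
        print(f"MISSING {def_id}: {title} ({', '.join(cves)})")
```

The same filter applied to the `--report` HTML is not needed: the XML results are what a reporting pipeline (Spacewalk, Puppet reports) can consume directly.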
Slide 8
oscap cvss -h
oscap -> cvss
Common Vulnerability Scoring System
Usage: oscap [options] cvss command
Commands:
score - CVSS score from a CVSS vector
describe - Describe a CVSS vector
oscap cpe -h
oscap -> cpe
Common Platform Enumeration
Usage: oscap [options] cpe command
Commands:
match - Match CPE name against provided dictionary
check - Check if CPE name is valid
validate - Validate CPE Dictionary content
validate-xml - Validate CPE Dictionary content
Oscap command line
Slide 9
IT automation software that helps system administrators manage infrastructure throughout its lifecycle, from provisioning and configuration to orchestration and reporting.
- Easily automate repetitive tasks.
- Quickly deploy critical applications.
- Proactively manage change, scaling from 10s of servers to 1000s, on-premise or in the cloud.
Puppet
Slide 10
Puppet typical workflow (diagram): Version Control Repository -> Puppet master -> Nodes (Puppet agent, connected over SSL); Puppet Interface
1. Commit changes
2. Perform checkout
3. Apply changes
4. Report back the performed changes
Slide 12
The Marionette Collective (MCollective) is a framework to build server orchestration and parallel job execution systems.
It uses publish/subscribe middleware and real-time discovery of network resources based on metadata rather than hostnames, delivering a scalable and fast parallel execution environment.
Mcollective 1/2
Slide 13
Uses a broadcast paradigm for request distribution.
- All servers get all requests at the same time; requests have filters attached and only servers matching the filter will act on them.
- There is no central asset database to go out of sync; the network is the only source of truth.
Supports complex naming conventions for hostnames as a means of identity. Metadata comes from Puppet, Facter or custom plugins.
CLI tools to call remote agents.
Ability to write custom reports about your infrastructure.
Allows you to write simple RPC-style agents, clients and Web UIs in an easy to understand language: Ruby.
Includes Authentication, Authorization and Auditing (AAA) of requests.
Mcollective 2/2
Slide 18
Open source Linux systems management software from Red Hat (under the terms of the GNU General Public License version 2).
The Satellite and Novell SUSE Manager commercial products are identical.
Manages software content updates for Red Hat derived distributions (Fedora, CentOS, SL and SUSE).
You can:
- stage software content through different environments,
- manage the deployment of updates to systems, and
- view at which update level any given system is across your deployment.
Provides a central web interface for viewing systems and their associated software update status, and for initiating update actions...
What is Spacewalk (1/2)
Slide 19
Provides provisioning/monitoring capabilities, allowing you to:
- Inventory your systems (hardware and software information)
- Install and update software on your systems
- Collect and distribute your custom software packages into manageable groups
- Provision (kickstart) your systems
- Manage and deploy configuration files to your systems
- Monitor your systems
- Provision virtual guests
- Start/stop/configure virtual guests
- Distribute content across multiple geographical sites in an efficient manner
Multiple Spacewalk Proxies can connect to a central Spacewalk server and cache and distribute content from the Spacewalk Server in various geographical locations.
More on spacewalk.redhat.com
What is Spacewalk (2/2)
Slide 20
Spacewalk architecture
Three-tier architecture:
1. Presentation tier: web UI, command line clients, and XML-RPC clients
2. Logic tier: spread across four languages: Java, Perl, Python, and PL/SQL
3. Data tier: RDBMS (Oracle or PostgreSQL)
Entities
Backend provides a set of APIs that the different client utilities (rhn_register, up2date, yum) can connect to.
Taskomatic is a daemon whose job is to perform long running tasks that are scheduled to run asynchronously, such as cleaning up the sessions table or sending out email notifications for new errata.
Slide 23
Fetching and updating OVAL files
Red Hat: com.redhat.rhsa-all.xml
Novell: suse.linux.enterprise.server.11.xml
Puppet-Master
node 'puppet-master-ent.ecmwf.int' {
  filefetcher::fetch { 'Security Oval':
    filename   => 'com.redhat.rhsa-all.xml',
    target_dir => '/etc/puppet/environments/production/modules/ecpds/files/rootHomeFolder',
    user       => 'root',
    rights     => '644',
    url        => 'http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml',
    redownload => true,
  }
  filefetcher::fetch { 'suse.linux.enterprise.server.11.xml':
    filename   => 'suse.linux.enterprise.server.11.xml',
    target_dir => '/etc/puppetlabs/code/environments/production/modules/ecpds/files/rootHomeFolder',
    user       => 'root',
    rights     => '644',
    url        => 'http://support.novell.com/security/oval/suse.linux.enterprise.server.11.xml',
    redownload => true,
  }
  filefetcher::fetch { 'suse.linux.enterprise.server.11-patch.xml':
    filename   => 'suse.linux.enterprise.server.11-patch.xml',
    target_dir => '/etc/puppetlabs/code/environments/production/modules/ecpds/files/rootHomeFolder',
    user       => 'root',
    rights     => '644',
    url        => 'http://support.novell.com/security/oval/suse.linux.enterprise.server.11-patch.xml',
    redownload => true,
  }
}
Nodes
# Schedule the XCCDF evaluation on each node; the audit name is the resource title
openscap::xccdf::eval { 'my-daily-ssg-audit':
  period => 'daily',
}

# Module defaults (overridden per node as above)
class openscap::params {
  $period          = 'weekly'
  $weekday         = 'Sat'
  $content_package = ['scap-security-guide']
  $xccdf_path      = '/usr/share/xml/scap/ssg/fedora/ssg-fedora-ds.xml'
  $xccdf_profile   = 'xccdf_org.ssgproject.content_profile_common'

  case $::osfamily {
    'redhat' : { $packages = ['rubygem-openscap'] }
    'suse'   : { $packages = ['openscap'] }
    default  : { fail("The ${module_name} module is not supported on an ${::osfamily} based system.") }
  }
}
Slide 24
Execute audit / Report results (diagram): Spacewalk, Puppet-master, Mcollective and the Nodes, with arrows labelled Schedule audit, Execute audit and Report results.
Slide 30
Consistent system configuration and compliance with standards.
Integration of security and auditing into the entire lifecycle of a system:
- Configuration Management Frameworks
- Security and auditing are not isolated processes.
- Prevention of configuration and/or security drift
- Early warning of missing packages/patches and potential vulnerabilities.
Automation of the entire process so that it scales as the number of systems grows considerably.
Can be used in different environments ranging from physical on-premise systems to virtual systems in the Cloud or remote systems (which may need additional protection and auditing).
Results
Slide 31
1. SCAP: http://scap.nist.gov/
2. XCCDF - The Extensible Configuration Checklist Description Format: http://scap.nist.gov/specifications/xccdf/
3. CPE - Common Platform Enumeration: https://nvd.nist.gov/cpe.cfm
4. CCE - Common Configuration Enumeration: https://nvd.nist.gov/cce/index.cfm
5. OVAL - Open Vulnerability and Assessment Language: https://oval.mitre.org/
6. Puppet: https://puppetlabs.com
7. Spacewalk: http://spacewalk.redhat.com/
8. Mcollective: https://puppetlabs.com/mcollective
Resources