Upload
kazuki-omo
View
809
Download
1
Embed Size (px)
Citation preview
OpenSCAP and related contents for openSUSE
Kazuki Omo( 面 和毅 ): [email protected]
SIOS Technology, Inc.
2
Who am I ?
- Security Researcher/Engineer (16 years)
- SELinux/MAC Evangelist (11 years)
- Antivirus Engineer (3 years)
- SIEM Engineer (3 years)
- Linux Engineer (16 years)
3
Agenda
- What is SCAP?
- Enumerations
- Language/Contents
- OpenSCAP
- OpenSUSE contents
- Customize RHEL’s XCCDF file
- Conclusion
What is SCAP?
5
SCAP(Security Content Automation Protocol)
Object: Automated for
- Vulnerability management
- Vulnerability measurement
- Policy compliance evaluation
6
SCAP Components..
SCAP
Common Vulnerabilities and Exposures (CVE)
Common Configuration Enumeration (CCE)
Common Platform Enumeration (CPE)
Common Weakness Enumeration (CWE)
Common Vulnerability Scoring System (CVSS)
Extensible Configuration Checklist Description Format (XCCDF)
and so on….
Open Vulnerability and Assessment Language (OVAL)
Lang
Enumerations
Enumerations
8
CVE: Common Vulnerabilities and Exposures
9
CVE: Common Vulnerabilities and Exposures
CVE ID CPE Summary
CVE-2016-6662 cpe:/a:mariadb:mariadb:10.1.15
Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration.
CVE-2016-6662 cpe:/a:mariadb:mariadb:10.1.16
CVE-2016-2107 cpe:/o:redhat:enterprise_linux_server:7.0
Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
CVE-2016-2107 cpe:/o:novell:leap:42.1
CVE-2016-2107 cpe:/o:novell:opensuse:13.2
CVE-2016-4979 cpe:/a:apache:http_server:2.4.20
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
10
CPE: Common Platform Enumeration
CPE name title href
cpe:/o:novell:leap:42.0
Novell Leap 42.0
https://en.opensuse.org/openSUSE:Leap
cpe:/o:novell:leap:42.1
Novell Leap 42.1
https://en.opensuse.org/openSUSE:Leap
cpe:/o:redhat:enterprise_linux:7.0
Red Hat Enterprise Linux 7.0
http://www.redhat.com/resourcelibrary/datasheets/rhel-7-whats-new
cpe:/o:redhat:enterprise_linux:7.1
Red Hat Enterprise Linux 7.1
http://www.redhat.com/en/resources/whats-new-red-hat-enterprise-linux-71
11
CPE: Common Platform Enumeration
linux-vs1z:~ # cat /etc/os-release NAME="openSUSE Leap"VERSION="42.1"VERSION_ID="42.1"PRETTY_NAME="openSUSE Leap 42.1 (x86_64)"ID=opensuseANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:opensuse:42.1"
BUG_REPORT_URL="https://bugs.opensuse.org"HOME_URL="https://opensuse.org/"ID_LIKE="suse"
12
CCE: Common Configuration Enumeration
CCE IDs Description
CCE-5317-3
Core dump size limits should be set appropriately
CCE-5384-3
The read-only SNMP community string should be set appropriately.
CCE-5664-8
The minimum password age should be set as appropriate
CCE-5804-0
The minimum required password length should be set as appropriate
CCE-4858-7
Password history should be saved for an appropriate number of password changes
CCE-5775-2
The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate
13
CWE: Common Weakness Enumeration
CVE ID CWE-ID
CVE-2016-6662 CWE-264
CVE-2016-2107 CWE-310
CVE-2016-4979 CWE-284
14
CVSS:Common Vulnerability Scoring System
Language/Contents
16
OVAL: Open Vulnerability and Assessment Language
OVAL:
- Check Vulnerabilities / configuration issues (XML)
- Using for Patch Management
- Composed by
- Collection of CVEs
- list of standardized names for vulnerabilities
17
OVAL: Open Vulnerability and Assessment Language <title>CVE-2012-2150</title> <affected family="unix"> <platform>openSUSE Leap 42.1</platform> </affected> <reference ref_id="CVE-2012-2150" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150" source="CVE"/> </metadata> <criteria operator="AND"> <criterion test_ref="oval:org.opensuse.security:tst:2009117743" comment="openSUSE Leap 42.1 is installed"/> <criteria operator="OR"> <criterion test_ref="oval:org.opensuse.security:tst:2009120999" comment="xfsprogs-3.2.1-5.1 is installed"/>
18
OVAL: Open Vulnerability and Assessment Language <definition class="compliance" id="oval:ssg-file_permissions_httpd_server_conf_files:def:1" version="2"> <metadata> <title>Verify Permissions On Apache Web Server Configuration Files </title> <affected family="unix"> <platform>Red Hat Enterprise Linux 7</platform> <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).</description>
19
OVAL: Open Vulnerability and Assessment Language
20
OVAL: Open Vulnerability and Assessment Language
21
XCCDF: The eXtensible Configuration Checklist Description Format
XCCDF:
- Writing security checklists, benchmarks, etc. (XML)
- Automated compliance testing, Compliance scoring
(PCIDSS, etc.)
- Collection of security configuration rules for some set of target systems (Docker-Enabled Host)
22
XCCDF: The eXtensible Configuration Checklist Description Format
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1"> <status date="2016-09-20">draft</status> <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title>
<Profile id="pci-dss"> <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This is a *draft* profile for PCI-DSS v3</description> <select idref="service_auditd_enabled" selected="true"/> <select idref="bootloader_audit_argument" selected="true"/> <select idref="auditd_data_retention_num_logs" selected="true"/> <select idref="audit_rules_dac_modification_chmod" selected="true"/>...
23
XCCDF: The eXtensible Configuration Checklist Description Format
<Profile id="docker-host"> <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Standard Docker Host Security Profile</title> <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system running the docker daemon. </description> <select idref="service_docker_enabled" selected="true"/> <select idref="enable_selinux_bootloader" selected="true"/> <select idref="selinux_state" selected="true"/> <select idref="selinux_policytype" selected="true"/> <select idref="docker_selinux_enabled" selected="true"/> <select idref="docker_storage_configured" selected="true"/> <select idref="remediation_functions" selected="false"/>
24
XCCDF: The eXtensible Configuration Checklist Description Format
25
XCCDF: The eXtensible Configuration Checklist Description Format
OpenSCAP
27
OpenSCAP
OpenSCAP:
- Provides multiple tools for Administrators/Auditors
Tools:
- OpenSCAP Base (oscap)
- SCAP Workbench (GUI tool)
- OpenSCAP Daemon
- SCAPTimony
- OSCAP Anaconda Add-on
OpenSUSE contents
29
OVAL: Open Vulnerability and Assessment Language
Available on ftp.suse.com/pub
30
OVAL: Open Vulnerability and Assessment Language
31
OVAL: Open Vulnerability and Assessment Language
32
XCCDF: The eXtensible Configuration Checklist Description Format
No XCCDF file….
Then
We can - check Vulnerabilities for openSUSE
We can’t- check Configuration Standard (ex. PCIDSS) :-(
33
XCCDF: The eXtensible Configuration Checklist Description Format
1. Customize old SLES XCCDF file (“SLES v11 for System z”)
2. Customize “RHEL_STIG” XML file.
Which is better?
There are 2 options;
34
1. Customize “SLES v11 for System z”
1. Customize old “SLES v11 for System z” (http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_2016_07.zip)
- Profile for MAC(Mandatory Access Control) Level + Public/Sensitive/Classified.
→ DoD/Federal Government System.
- No Benchmark XML file (DPMS_XCCDF_Benchmark_SuSe zLinux.xml)
→ SuSE is providing XML file (not open).
Hard to Develop.But we need it in future.
35
2. Customize “RHEL_STIG” XML file.
2. Customize RHEL’s “RHEL_STIG” XML file.
- use latest RHEL7 STIG- Including PCIDSS v3.0, etc.
https://github.com/OpenSCAP/openscap
More easy to Develop.
Take a look for now. ;-)
Customize RHEL’s XCCDF file
37
Customize RedHat’s XCCDF file
Customize RedHat XCCDF file;
Change Platform ID <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
<platform idref="cpe:/o:opensuse:opensuse"/>
Change/Copy related XML file<check-content-ref href="ssg-rhel7-ocil.xml"
<check-content-ref href="ssg-opensuse-ocil.xml"
38
Scan Customized RedHat’s XCCDF fileoscap xccdf eval --profile "Profile" --report “Report” “input xccdf XML file”
ex. ) oscap xccdf eval --profile "pci-dss" --report /tmp/opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml
Profile: <profile id> in xccdf.xml file;
<Profile id="standard"> <Profile id="pci-dss"> <Profile id="rht-ccp"> <Profile id="docker-host"> … etc.
39
Scan by “oscap”# oscap xccdf eval --profile "pci-dss" --report ./opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml
Title Ensure auditd Collects Information on Kernel Module Loading and UnloadingRule audit_rules_kernel_module_loadingIdent CCE-27129-6Result fail
Title Make the auditd Configuration ImmutableRule audit_rules_immutableIdent CCE-27097-5Result fail
Title Set SSH Idle Timeout IntervalRule sshd_set_idle_timeoutIdent CCE-27433-2Result pass
40
“oscap” result html
41
“oscap” result html (cont'd)
42
Scap-workbench
43
Customize Rule(with scap-workbench)
Some of Rule can modify, and can not → No good for fitting to openSUSE
44
Customize Rule(xml file)
OVAL:
<definition class="compliance" id="oval:ssg-service_autofs_disabled:def:1" version="1"> <metadata> <title>Service autofs Disabled</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 7</platform> </affected> <description>The autofs service should be disabled if possible.</description> <reference source="JL" ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/ scap-security-guide/wiki/Contributors"/> <reference ref_id="service_autofs_disabled" source="ssg"/></metadata> <criteria comment="package autofs removed or service autofs is not configured to start" operator="OR"> <extend_definition comment="autofs removed" definition_ref="oval:ssg-package_autofs_ removed:def:1"/> <criteria operator="OR" comment="service autofs is not configured to start"> <criterion comment="autofs not wanted by multi-user.target" test_ref="oval:ssg-test_ autofs_not_wanted_by_multi_user_target:tst:1"/>
45
OVAL Language Dictionary
46
Customize Rule(xml file)
OCIL:
<questionnaire id="ocil:ssg-disable_users_coredumps_ocil:questionnaire:1"> <title>Disable Core Dumps for All Users</title> <actions> <test_action_ref>ocil:ssg-disable_users_coredumps_action:testaction:1</test_action_ref> </actions> </questionnaire> <questionnaire id="ocil:ssg-sysctl_fs_suid_dumpable_ocil:questionnaire:1"> <title>Disable Core Dumps for SUID programs</title> <actions> <test_action_ref>ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1</test_action_ref> </actions> </questionnaire>
47
OCIL Language Dictionary
48
Remain Task
- Not only for PCI-DSS, other Profile:
- Check details which modified.
- Change those XCCDF file as
openscap-ssg standard style.
- Follow SUSE11 Standard also.
Conclusion
50
Conclusion
- SCAP OVAL file for openSUSE is released from SUSE.
- SCAP XCCDF file for openSUSE needs to be under PCI-DSS etc.
- Still customizing contents for publishing. :-)
51
Any Questinos?
52
Thank You!!!