Continuous security audit automation
with
Spacewalk, Puppet, Mcollective and
SCAP
Agenda
Introduction
Background
-
SCAP
-
Puppet &Mcollective
-
Spacewalk
System setup
Reports and use of the output
Questions
Why we should perform “Continuous security audit”?
Why to automate this process?
Manual ? No way.
Security should be considered and implemented for the entire
lifecycle of a system.
The same applies for the auditing of a system but most of the times it
is neglected.
Security (mis)configuration drifts, missing important package
patches are identified when it is tooooooooooooooooooo late.
Continuous auditing/reporting in a consistent & automated manner.
Work in progress
A standardized compliance checking solution for enterprise-level Linux systems. It is
a line of specifications maintained by the NIST for system security.
OpenSCAP implements the SCAP specifications, and is an auditing tool that utilizes
the Extensible Configuration Checklist Description Format (XCCDF).
XCCDF is a standard way of expressing checklist content and defines security checklists
&combines with other specifications to create a SCAP-expressed checklist that can be
processed by SCAP-validated products. These are:
Common Platform Enumeration (CPE),
Common Configuration Enumeration(CCE),
Open Vulnerability and Assessment Language (OVAL).
OpenSCAP
a. verifies the presence of patches by using content produced by the distro distributors
b. checks system security configuration settings and
c. examines systems for signs of compromise/misconfiguration by using rules based on
standards and specifications.
oscap -h
oscap
OpenSCAP command-line tool
Usage: oscap [options] module operation [operation-options-and-arguments] oscap options:
-h --help - show this help -q --quiet - quiet mode
-V --version - print info about supported SCAP versions Commands:
ds - DataStream utilities
oval - Open Vulnerability and Assessment Language
xccdf - eXtensible Configuration Checklist Description Format cvss - Common Vulnerability Scoring System
cpe - Common Platform Enumeration
cve - Common Vulnerabilities and Exposures info - info module
Oscap command line
oscap ds -h
oscap -> ds
DataStream utilities
Usage: oscap [options] ds command Commands:
sds-split - Split given SourceDataStream into separate files sds-compose - Compose SourceDataStream from given XCCDF sds-add - Add a component to the existing SourceDataStream sds-validate - Validate given SourceDataStream
Datastreams: an archive of interlinked SCAP content
(XCCDF,OVAL,CPE) .Source and Result DataStreams
oscap -> xccdf
eXtensible Configuration Checklist Description Format
Usage: oscap [options] xccdf command [command-specific-options] Commands:
eval - Perform evaluation driven by XCCDF file and use OVAL as checking engine resolve - Resolve an XCCDF document
validate - Validate XCCDF XML content validate-xml - Validate XCCDF XML content
export-oval-variables - Export XCCDF values as OVAL external-variables document(s) generate - Convert XCCDF Benchmark to other formats
remediate - Perform remediation driven by XCCDF TestResult file or ARF.
oscap xccdf eval --profile MAC-1_Public --cpe /usr/share/openscap/redhat_simple/U_RedHat_6_V1R4_Benchmark-cpe-dictionary.xml
oscap -> xccdf -> eval
Perform evaluation driven by XCCDF file and use OVAL as checking engine Usage: oscap [options] xccdf eval [options] INPUT_FILE [oval-definitions-files] INPUT_FILE - XCCDF file or a source data stream file
Options:
--profile <name> - The name of Profile to be evaluated. --tailoring-file <file> - Use given XCCDF Tailoring file.
--tailoring-id <component-id> - Use given DS component as XCCDF Tailoring file. --cpe <name> - Use given CPE dictionary or language (autodetected) …..
oscap oval -h
oscap -> oval
Open Vulnerability and Assessment Language Usage: oscap [options] oval command
Commands:
collect - Probe the system and create system characteristics
eval - Probe the system and evaluate definitions from OVAL Definition file analyse - Evaluate provided system characteristics file
validate - Validate OVAL XML content validate-xml - Validate OVAL XML content
generate - Convert an OVAL file to other formats list-probes - List supported object types (i.e. probes)
oscap oval collectcom.redhat.rhsa-all.xml
oscap -> oval -> eval
Probe the system and evaluate definitions from OVAL Definition file Usage: oscap [options] oval eval [options] oval-definitions.xml Options:
--id <definition-id> - ID of the definition we want to evaluate.
--variables <file> - Provide external variables expected by OVAL Definitions. --directives <file> - Use OVAL Directives content to specify desired results content. --results <file> - Write OVAL Results into file.
--report <file> - Create human readable (HTML) report from OVAL Results. --skip-valid - Skip validation.
--datastream-id <id> - ID of the datastream in the collection to use. (only applicable for source datastreams)
Oscap command line
oscap cvss -h
oscap -> cvss
Common Vulnerability Scoring System Usage: oscap [options] cvss command Commands:
score - CVSS score from a CVSS vector describe - Describe a CVSS vector
oscap cpe -h
oscap -> cpe
Common Platform Enumeration Usage: oscap [options] cpe command Commands:
match - Match CPE name against provided dictionary check - Check if CPE name is valid
validate - Validate CPE Dictionary content validate-xml - Validate CPE Dictionary content
IT automation software that helps system administrators manage infrastructure
throughout its lifecycle, from provisioning and configuration to orchestration
and reporting.
Easily automate repetitive tasks
Quickly deploy critical applications,
Proactively manage change, scaling from 10s of servers to 1000s, on-premise or in
the cloud.
Puppet typical workflow
Version Control Repository
Puppet master
Nodes
1. Commit changes
2. Perform checkout
3. Apply changes
4. Report back the
performed changes
Puppet Interface
Puppet agent
SSL
The Marionette Collective MCollective is a framework to build server
orchestration and parallel job execution systems
Uses Publish/Subscribe Middleware and real time discovery of network
resources using meta-data and not hostnames.
Delivering a scalable and fast parallel execution environment.
Use a broadcast paradigm for request distribution.
-
All servers get all requests at the same time, requests have filters attached and
only servers matching the filter will act on requests.
-
There is no central asset database to go out of sync, the network is the only source
of truth.
Supports complex naming conventions for hostnames as a means of
identity. Meta data comes from Puppet, Facter or custom plugins.
CLI tools to call remote agents.
Ability to write custom reports about your infrastructure.
Allows you to write simple RPC style agents, clients and Web UIs in an
easy to understand language - Ruby.
Include Authentication, Authorization and Auditing (AAA) of requests.
Open source Linux systems management software from RH (under the
terms of the GNU General Public License version 2)
Satellite and Novell SUSE Manager commercial products are identical.
Manages software content updates for Red Hat derived distributions
(Fedora, CentOS, SL and SUSE).
You can:
-
stage software content through different environments,
-
managing the deployment of updates to systems and
-
allowing you to view at which update level any given system is at across your
deployment.
Provides central web interface allowing viewing of systems, their
associated software update status, and initiating update actions…...
Provides provisioning/monitoring capabilities, allowing:
-
Inventory your systems (hardware and software information)
- Install and update software on your systems
-Collect and distribute your custom software packages into manageable groups
-Provision (kickstart) your systems
-Manage and deploy configuration files to your systems
-Monitor your systems
-Provision virtual guests
-Start/stop/configure virtual guests
-Distribute content across multiple geographical sites in an efficient manner
Multiple Spacewalk Proxies can connect to a central Spacewalk server and
cache and distribute content from the Spacewalk Server in various
geographical locations.
Spacewalk architecture
Three tier architecture
1.
Presentation tier : web UI, command line
clients, and XML-RPC clients
2.
Logic tier :Spread across the four languages:
Java, Perl, python, and PL/SQL.
3.
Data tier =>RDBMS :Oracle or PostgreSQL
Entities
Backend provides a set of APIs that the different
client utilities (rhn_register, up2date, yum) can
connect to.
Taskomatic is a daemon whose job is to perform
long running tasks that are scheduled to run
asynchronously, such as clean up the sessions
table, or send out email notifications for new errata
Cooking all together!!!!
Fetching and updating oval files
Redhat
com.redhat.rhsa-all.xml
Novel suse.linux.enterprise.server.11.xmlPuppet-Master
node 'puppet-master-ent.ecmwf.int' { filefetcher::fetch { 'Security Oval':filename => 'com.redhat.rhsa-all.xml', target_dir => '/etc/puppet/environments/production/modules/ecpds/files/rootHomeFolder', user => 'root', rights => '644', url => 'http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml', redownload => true, } filefetcher::fetch { 'suse.linux.enterprise.server.11.xml': filename => 'suse.linux.enterprise.server.11.xml', target_dir => '/etc/puppetlabs/code/environments/production/modules/ecpds/files/rootHomeFolder', user => 'root', rights => '644', url => 'http://support.novell.com/security/oval/suse.linux.enterprise.server.11.xml', redownload => true, } filefetcher::fetch { 'suse.linux.enterprise.server.11-patch.xml': filename => 'suse.linux.enterprise.server.11-patch.xml', target_dir => '/etc/puppetlabs/code/environments/production/modules/ecpds/files/rootHomeFolder', user => 'root', rights => '644', url => 'http://support.novell.com/security/oval/suse.linux.enterprise.server.11-patch.xml', redownload => true, } }
Nodes
class { openscap::xccdf::eval: name => my-daily-ssg-audit, period => daily, } classopenscap::params { $period = 'weekly' $weekday = 'Sat' $content_package = ['scap-security-guide'] $xccdf_path = '/usr/share/xml/scap/ssg/fedora/ssg-fedora-ds.xml' $xccdf_profile = 'xccdf_org.ssgproject.content_profile_common' case$::osfamily { 'redhat': { $packages = ['rubygem-openscap'] ‘suse': { $packages = ['openscap'] } default: {Execute audit –Report results
Nodes
Spacewalk
Puppet-master
Mcollective
Report results
Consistent system configuration and compliance with
standards.
Integration of security and auditing into the entire lifecycle
of a system
-
Configuration Management Frameworks
-
Security and auditing are not isolated processes.
-
Prevention of Configuration and/or security drifts
-
Early warning of missing packages/patches and potential
vulnerabilities.
Automation of the entire process to be scalable with
considerable system number increase
Can be used to different environments ranging from
physical- on premise systems to virtual on the Cloud or
remote systems (which may need additional protection and
auditing)
1. SCAP : http://scap.nist.gov/
2. XCCDF - The Extensible Configuration Checklist Description Format : http://scap.nist.gov/specifications/xccdf/
1. CPE-Common Platform Enumeration https://nvd.nist.gov/cpe.cfm
3. CCE -Common Configuration Enumeration https://nvd.nist.gov/cce/index.cfm
4. OVAL-Open Vulnerability and Assessment Language . https://oval.mitre.org/
5. Puppet :https://puppetlabs.com
6. Spacewalk: http://spacewalk.redhat.com/
7. Mcollective : https://puppetlabs.com/mcollective
