This document discusses customizing Security Content Automation Protocol (SCAP) content for openSUSE. It begins with an introduction to SCAP and its components like OVAL, XCCDF, and OCIL. It notes that while OVAL definitions exist for openSUSE, an XCCDF benchmark is needed to enable compliance testing. The document considers customizing an existing SLES or RHEL XCCDF file by changing platform identifiers and related files. It demonstrates using the oscap tool to evaluate a customized RHEL XCCDF benchmark against an openSUSE system and generating results. Further work is needed to fully adapt the customized XCCDF content to the openSUSE standard and profile for compliance benchmarks.
SCAP Components

SCAP is a bundle of component specifications:
- Enumerations: Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Common Weakness Enumeration (CWE), Common Vulnerability Scoring System (CVSS), and so on.
- Languages: Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL)
CVE: Common Vulnerabilities and Exposures

CVE ID | CPE | Summary
CVE-2016-6662 | cpe:/a:mariadb:mariadb:10.1.15, cpe:/a:mariadb:mariadb:10.1.16 | Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration.
CVE-2016-2107 | cpe:/o:redhat:enterprise_linux_server:7.0, cpe:/o:novell:leap:42.1, cpe:/o:novell:opensuse:13.2 | Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
CVE-2016-4979 | cpe:/a:apache:http_server:2.4.20 | PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
CPE: Common Platform Enumeration

CPE name | title | href
cpe:/o:novell:leap:42.0 | Novell Leap 42.0 | https://en.opensuse.org/openSUSE:Leap
cpe:/o:novell:leap:42.1 | Novell Leap 42.1 | https://en.opensuse.org/openSUSE:Leap
cpe:/o:redhat:enterprise_linux:7.0 | Red Hat Enterprise Linux 7.0 | http://www.redhat.com/resourcelibrary/datasheets/rhel-7-whats-new
cpe:/o:redhat:enterprise_linux:7.1 | Red Hat Enterprise Linux 7.1 | http://www.redhat.com/en/resources/whats-new-red-hat-enterprise-linux-71
CCE: Common Configuration Enumeration

CCE ID | Description
CCE-5317-3 | Core dump size limits should be set appropriately
CCE-5384-3 | The read-only SNMP community string should be set appropriately.
CCE-5664-8 | The minimum password age should be set as appropriate
CCE-5804-0 | The minimum required password length should be set as appropriate
CCE-4858-7 | Password history should be saved for an appropriate number of password changes
CCE-5775-2 | The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate
OVAL: Open Vulnerability and Assessment Language

OVAL:
- Checks for vulnerabilities and configuration issues (XML)
- Used for patch management
- Composed of a collection of CVEs, i.e. a list of standardized names for vulnerabilities
OVAL: Open Vulnerability and Assessment Language

Excerpt from an openSUSE OVAL vulnerability definition:

      <title>CVE-2012-2150</title>
      <affected family="unix">
        <platform>openSUSE Leap 42.1</platform>
      </affected>
      <reference ref_id="CVE-2012-2150" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150" source="CVE"/>
    </metadata>
    <criteria operator="AND">
      <criterion test_ref="oval:org.opensuse.security:tst:2009117743" comment="openSUSE Leap 42.1 is installed"/>
      <criteria operator="OR">
        <criterion test_ref="oval:org.opensuse.security:tst:2009120999" comment="xfsprogs-3.2.1-5.1 is installed"/>
OVAL: Open Vulnerability and Assessment Language

Excerpt from a RHEL OVAL compliance definition:

    <definition class="compliance" id="oval:ssg-file_permissions_httpd_server_conf_files:def:1" version="2">
      <metadata>
        <title>Verify Permissions On Apache Web Server Configuration Files</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 7</platform>
          <platform>Red Hat Enterprise Linux 6</platform>
        </affected>
        <description>The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).</description>
XCCDF: The eXtensible Configuration Checklist Description Format

XCCDF:
- Writing security checklists, benchmarks, etc. (XML)
- Automated compliance testing and compliance scoring (PCI-DSS, etc.)
- A collection of security configuration rules for some set of target systems (e.g. a Docker-enabled host)
XCCDF: The eXtensible Configuration Checklist Description Format

Excerpt from the RHEL 7 XCCDF benchmark (PCI-DSS profile):

    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               id="RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1">
      <status date="2016-09-20">draft</status>
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title>
      <Profile id="pci-dss">
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This is a *draft* profile for PCI-DSS v3</description>
        <select idref="service_auditd_enabled" selected="true"/>
        <select idref="bootloader_audit_argument" selected="true"/>
        <select idref="auditd_data_retention_num_logs" selected="true"/>
        <select idref="audit_rules_dac_modification_chmod" selected="true"/>
        ...
XCCDF: The eXtensible Configuration Checklist Description Format

Excerpt from the same benchmark (Docker host profile):

      <Profile id="docker-host">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Standard Docker Host Security Profile</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system running the docker daemon.</description>
        <select idref="service_docker_enabled" selected="true"/>
        <select idref="enable_selinux_bootloader" selected="true"/>
        <select idref="selinux_state" selected="true"/>
        <select idref="selinux_policytype" selected="true"/>
        <select idref="docker_selinux_enabled" selected="true"/>
        <select idref="docker_storage_configured" selected="true"/>
        <select idref="remediation_functions" selected="false"/>
XCCDF: The eXtensible Configuration Checklist Description Format

There is no XCCDF file for openSUSE. That means:
We can
- check vulnerabilities for openSUSE (via OVAL)
We can't
- check against a configuration standard (e.g. PCI-DSS) :-(
XCCDF: The eXtensible Configuration Checklist Description Format

There are 2 options:
1. Customize the old SLES XCCDF file (“SLES v11 for System z”)
2. Customize the “RHEL_STIG” XML file
Which is better?
1. Customize “SLES v11 for System z”

1. Customize the old “SLES v11 for System z” STIG
   (http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_2016_07.zip)
- Its profiles are per MAC (Mandatory Access Control) level, Public/Sensitive/Classified,
  i.e. aimed at DoD/Federal Government systems.
- No Benchmark XML file (DPMS_XCCDF_Benchmark_SuSe zLinux.xml): SuSE provides the XML file, but it is not open.
Hard to develop, but we will need it in the future.
2. Customize “RHEL_STIG” XML file

2. Customize RHEL’s “RHEL_STIG” XML file.
- Use the latest RHEL 7 STIG
- Includes PCI-DSS v3.0, etc.
  https://github.com/OpenSCAP/openscap
Easier to develop. Let’s take a look at this one for now. ;-)
Scan by “oscap”

    # oscap xccdf eval --profile "pci-dss" --report ./opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml

Title | Rule | Ident | Result
Ensure auditd Collects Information on Kernel Module Loading and Unloading | audit_rules_kernel_module_loading | CCE-27129-6 | fail
Make the auditd Configuration Immutable | audit_rules_immutable | CCE-27097-5 | fail
Set SSH Idle Timeout Interval | sshd_set_idle_timeout | CCE-27433-2 | pass
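The Title/Rule/Ident/Result rows above come from the HTML report; the same information can be pulled from the XML written when the scan is also run with `--results`. The following is an added example (not from the slides or from the SSG project) that parses such a results file into those rows, lists the CCE identifiers of failed rules and computes a simple pass rate; the sample results below are constructed from the rule ids and CCEs on the slide.

```python
"""Summarise an XCCDF results file into Title / Rule / Ident / Result rows.
Added example; assumes `oscap xccdf eval --results out.xml` produced the XML."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Drop the namespace so XCCDF 1.1 and 1.2 results parse the same way."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    """Text of the first direct child named `name`, or None."""
    return next((c.text for c in el if _local(c.tag) == name), None)


def summarize_results(xml_text):
    """One dict per <rule-result>: title (from the Benchmark's Rule), rule id, ident, result."""
    root = ET.fromstring(xml_text)
    titles = {r.get("id"): _child_text(r, "title") for r in root.iter() if _local(r.tag) == "Rule"}
    rows = []
    for rr in (e for e in root.iter() if _local(e.tag) == "rule-result"):
        rows.append({"title": titles.get(rr.get("idref")), "rule": rr.get("idref"),
                     "ident": _child_text(rr, "ident"),
                     "result": _child_text(rr, "result") or "unknown"})
    return rows


def failing_idents(rows):
    """CCE identifiers of failed rules, i.e. the list a remediation ticket would track."""
    return [r["ident"] for r in rows if r["result"] == "fail" and r["ident"]]


def pass_rate(rows):
    """Share of pass among pass+fail results; notapplicable/notchecked are not counted."""
    counted = [r for r in rows if r["result"] in ("pass", "fail")]
    return sum(r["result"] == "pass" for r in counted) / len(counted) if counted else 0.0


# Constructed sample results (XCCDF 1.1 namespace, rule ids and CCEs from the slide).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-7">
  <Rule id="audit_rules_immutable"><title>Make the auditd Configuration Immutable</title></Rule>
  <Rule id="sshd_set_idle_timeout"><title>Set SSH Idle Timeout Interval</title></Rule>
  <Rule id="service_docker_enabled"><title>Enable the docker service (constructed)</title></Rule>
  <TestResult id="xccdf_org.open-scap_testresult_pci-dss">
    <rule-result idref="audit_rules_immutable"><result>fail</result>
      <ident system="http://cce.mitre.org">CCE-27097-5</ident></rule-result>
    <rule-result idref="sshd_set_idle_timeout"><result>pass</result>
      <ident system="http://cce.mitre.org">CCE-27433-2</ident></rule-result>
    <rule-result idref="service_docker_enabled"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>"""
```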
Customize Rule (XML file)

OVAL (RHEL 7 definition whose <platform> has to be changed for openSUSE):

    <definition class="compliance" id="oval:ssg-service_autofs_disabled:def:1" version="1">
      <metadata>
        <title>Service autofs Disabled</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 7</platform>
        </affected>
        <description>The autofs service should be disabled if possible.</description>
        <reference source="JL" ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors"/>
        <reference ref_id="service_autofs_disabled" source="ssg"/>
      </metadata>
      <criteria comment="package autofs removed or service autofs is not configured to start" operator="OR">
        <extend_definition comment="autofs removed" definition_ref="oval:ssg-package_autofs_removed:def:1"/>
        <criteria operator="OR" comment="service autofs is not configured to start">
          <criterion comment="autofs not wanted by multi-user.target" test_ref="oval:ssg-test_autofs_not_wanted_by_multi_user_target:tst:1"/>
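Retargeting the content by hand means touching every <platform> element in both the XCCDF benchmark (CPE names in `idref`) and the OVAL definitions (free-text names under <affected>). The script below is an added example, not code from the slides or from scap-security-guide, that does this rewrite with the identifiers shown on the slides (RHEL 7 to openSUSE Leap 42.1) and reports how many platforms it changed, leaving any unmapped platform untouched; the sample inputs are constructed from the fragments above.

```python
"""Retarget RHEL 7 platform identifiers in XCCDF and OVAL content to openSUSE Leap 42.1.
Added example; the identifier mappings are the ones shown on the slides."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# XCCDF <platform idref="..."> carries CPE names; OVAL <affected><platform> carries free text.
CPE_MAP = {"cpe:/o:redhat:enterprise_linux:7": "cpe:/o:novell:leap:42.1"}
NAME_MAP = {"Red Hat Enterprise Linux 7": "openSUSE Leap 42.1"}


def retarget_xccdf(xml_text):
    """Rewrite mapped <platform idref> values at Benchmark, Profile and Rule level.
    Returns (new_xml, number_changed); platforms not in CPE_MAP are left as they are."""
    ET.register_namespace("", XCCDF_NS)  # keep the default namespace on output
    root = ET.fromstring(xml_text)
    changed = 0
    for plat in root.iter("{%s}platform" % XCCDF_NS):
        new = CPE_MAP.get(plat.get("idref", ""))
        if new:
            plat.set("idref", new)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def retarget_oval(xml_text):
    """Rewrite mapped <affected><platform> names in OVAL definitions; same return shape."""
    ET.register_namespace("", OVAL_NS)
    root = ET.fromstring(xml_text)
    changed = 0
    for plat in root.iter("{%s}platform" % OVAL_NS):
        new = NAME_MAP.get((plat.text or "").strip())
        if new:
            plat.text = new
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


# Constructed sample inputs modelled on the XCCDF and OVAL fragments shown on the slides.
SAMPLE_XCCDF = """<Benchmark xmlns="%s" id="RHEL-7">
  <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
  <Rule id="service_autofs_disabled"><platform idref="cpe:/o:redhat:enterprise_linux:7"/></Rule>
  <Rule id="selinux_state"><platform idref="cpe:/o:redhat:enterprise_linux:6"/></Rule>
</Benchmark>""" % XCCDF_NS
SAMPLE_OVAL = """<oval_definitions xmlns="%s"><definitions>
  <definition class="compliance" id="oval:ssg-service_autofs_disabled:def:1" version="1">
    <metadata><title>Service autofs Disabled</title>
      <affected family="unix"><platform>Red Hat Enterprise Linux 7</platform></affected>
    </metadata></definition></definitions></oval_definitions>""" % OVAL_NS
```

Run both functions over the real benchmark and OVAL files and diff the output against the originals before scanning; the change count is a quick sanity check that no platform was missed.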
Remaining Tasks
- Not only PCI-DSS; other profiles too.
- Check the details of what was modified.
- Change those XCCDF files to the openscap-ssg standard style.
- Follow the SUSE 11 standard as well.
Conclusion
- A SCAP OVAL file for openSUSE is released by SUSE.
- A SCAP XCCDF file for openSUSE needs to be written under PCI-DSS etc.
- Still customizing the contents for publishing. :-)