SlideShare ist ein Scribd-Unternehmen logo

SCAP for openSUSE

K
Kazuki Omo

This document discusses customizing Security Content Automation Protocol (SCAP) content for openSUSE. It begins with an introduction to SCAP and its components like OVAL, XCCDF, and OCIL. It notes that while OVAL definitions exist for openSUSE, an XCCDF benchmark is needed to enable compliance testing. The document considers customizing an existing SLES or RHEL XCCDF file by changing platform identifiers and related files. It demonstrates using the oscap tool to evaluate a customized RHEL XCCDF benchmark against an openSUSE system and generating results. Further work is needed to fully adapt the customized XCCDF content to the openSUSE standard and profile for compliance benchmarks.

Software
1 von 52
Downloaden Sie, um offline zu lesen
OpenSCAP and related contents for openSUSE Kazuki Omo( 面 和毅 ): ka-omo@sios.com SIOS Technology, Inc.
2 Who am I ? - Security Researcher/Engineer (16 years) - SELinux/MAC Evangelist (11 years) - Antivirus Engineer (3 years) - SIEM Engineer (3 years) - Linux Engineer (16 years)
3 Agenda - What is SCAP? - Enumerations - Language/Contents - OpenSCAP - OpenSUSE contents - Customize RHEL’s XCCDF file - Conclusion
What is SCAP?
5 SCAP (Security Content Automation Protocol) Object: Automated for - Vulnerability management - Vulnerability measurement - Policy compliance evaluation
6 SCAP Components.. SCAP Common Vulnerabilities and Exposures (CVE) Common Configuration Enumeration (CCE) Common Platform Enumeration (CPE) Common Weakness Enumeration (CWE) Common Vulnerability Scoring System (CVSS) Extensible Configuration Checklist Description Format (XCCDF) and so on…. Open Vulnerability and Assessment Language (OVAL) Lang Enumerations
Enumerations
8 CVE: Common Vulnerabilities and Exposures
9 CVE: Common Vulnerabilities and Exposures CVE ID CPE Summary CVE-2016-6662 cpe:/a:mariadb:mariadb: 10.1.15 Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51- 38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. CVE-2016-6662 cpe:/a:mariadb:mariadb: 10.1.16 CVE-2016-2107 cpe:/o:redhat:enterprise _linux_server:7.0 Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data. CVE-2016-2107 cpe:/o:novell:leap:42.1 CVE-2016-2107 cpe:/o:novell:opensuse: 13.2 CVE-2016-4979 cpe:/a:apache:http_serv er:2.4.20 PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
10 CPE: Common Platform Enumeration CPE name title href cpe:/o:novell:leap: 42.0 Novell Leap 42.0 https://en.opensuse.org/openSUSE:Leap cpe:/o:novell:leap: 42.1 Novell Leap 42.1 https://en.opensuse.org/openSUSE:Leap cpe:/o:redhat:ente rprise_linux:7.0 Red Hat Enterpris e Linux 7.0 http://www.redhat.com/resourcelibrary/datash eets/rhel-7-whats-new cpe:/o:redhat:ente rprise_linux:7.1 Red Hat Enterpris e Linux 7.1 http://www.redhat.com/en/resources/whats- new-red-hat-enterprise-linux-71
11 CPE: Common Platform Enumeration linux-vs1z:~ # cat /etc/os-release NAME="openSUSE Leap" VERSION="42.1" VERSION_ID="42.1" PRETTY_NAME="openSUSE Leap 42.1 (x86_64)" ID=opensuse ANSI_COLOR="0;32" CPE_NAME="cpe:/o:opensuse:opensuse:42.1" BUG_REPORT_URL="https://bugs.opensuse.org" HOME_URL="https://opensuse.org/" ID_LIKE="suse"
12 CCE: Common Configuration Enumeration CCE IDs Description CCE- 5317-3 Core dump size limits should be set appropriately CCE- 5384-3 The read-only SNMP community string should be set appropriately. CCE- 5664-8 The minimum password age should be set as appropriate CCE- 5804-0 The minimum required password length should be set as appropriate CCE- 4858-7 Password history should be saved for an appropriate number of password changes CCE- 5775-2 The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate
13 CWE: Common Weakness Enumeration CVE ID CWE-ID CVE-2016-6662 CWE-264 CVE-2016-2107 CWE-310 CVE-2016-4979 CWE-284
14 CVSS: Common Vulnerability Scoring System
Language/Contents
16 OVAL: Open Vulnerability and Assessment Language OVAL: - Check Vulnerabilities / configuration issues (XML) - Using for Patch Management - Composed by - Collection of CVEs - list of standardized names for vulnerabilities
17 OVAL: Open Vulnerability and Assessment Language <title>CVE-2012-2150</title> <affected family="unix"> <platform>openSUSE Leap 42.1</platform> </affected> <reference ref_id="CVE-2012-2150" ref_url= "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150" source="CVE"/> </metadata> <criteria operator="AND"> <criterion test_ref="oval:org.opensuse.security:tst:2009117743" comment="openSUSE Leap 42.1 is installed"/> <criteria operator="OR"> <criterion test_ref="oval:org.opensuse.security:tst:2009120999" comment="xfsprogs-3.2.1-5.1 is installed"/>
18 OVAL: Open Vulnerability and Assessment Language <definition class="compliance" id="oval:ssg- file_permissions_httpd_server_conf_files:def:1" version="2"> <metadata> <title>Verify Permissions On Apache Web Server Configuration Files </title> <affected family="unix"> <platform>Red Hat Enterprise Linux 7</platform> <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).</description>
19 OVAL: Open Vulnerability and Assessment Language
20 OVAL: Open Vulnerability and Assessment Language
21 XCCDF: The eXtensible Configuration Checklist Description Format XCCDF: - Writing security checklists, benchmarks, etc. (XML) - Automated compliance testing, Compliance scoring (PCIDSS, etc.) - Collection of security configuration rules for some set of target systems (Docker-Enabled Host)
22 XCCDF: The eXtensible Configuration Checklist Description Format <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1"> <status date="2016-09-20">draft</status> <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title> <Profile id="pci-dss"> <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This is a *draft* profile for PCI-DSS v3</description> <select idref="service_auditd_enabled" selected="true"/> <select idref="bootloader_audit_argument" selected="true"/> <select idref="auditd_data_retention_num_logs" selected="true"/> <select idref="audit_rules_dac_modification_chmod" selected="true"/> ...
23 XCCDF: The eXtensible Configuration Checklist Description Format <Profile id="docker-host"> <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">Standard Docker Host Security Profile</title> <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system running the docker daemon. </description> <select idref="service_docker_enabled" selected="true"/> <select idref="enable_selinux_bootloader" selected="true"/> <select idref="selinux_state" selected="true"/> <select idref="selinux_policytype" selected="true"/> <select idref="docker_selinux_enabled" selected="true"/> <select idref="docker_storage_configured" selected="true"/> <select idref="remediation_functions" selected="false"/>
24 XCCDF: The eXtensible Configuration Checklist Description Format
25 XCCDF: The eXtensible Configuration Checklist Description Format
OpenSCAP
27 OpenSCAP OpenSCAP: - Provides multiple tools for Administrators/Auditors Tools: - OpenSCAP Base (oscap) - SCAP Workbench (GUI tool) - OpenSCAP Daemon - SCAPTimony - OSCAP Anaconda Add-on
OpenSUSE contents
29 OVAL: Open Vulnerability and Assessment Language Available on ftp.suse.com/pub
30 OVAL: Open Vulnerability and Assessment Language
31 OVAL: Open Vulnerability and Assessment Language
32 XCCDF: The eXtensible Configuration Checklist Description Format No XCCDF file…. Then We can - check Vulnerabilities for openSUSE We can’t - check Configuration Standard (ex. PCIDSS) :-(
33 XCCDF: The eXtensible Configuration Checklist Description Format 1. Customize old SLES XCCDF file (“SLES v11 for System z”) 2. Customize “RHEL_STIG” XML file. Which is better? There are 2 options;
34 1. Customize “SLES v11 for System z” 1. Customize old “SLES v11 for System z” (http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_2016_07.zip) - Profile for MAC(Mandatory Access Control) Level + Public/Sensitive/Classified. → DoD/Federal Government System. - No Benchmark XML file (DPMS_XCCDF_Benchmark_SuSe zLinux.xml) → SuSE is providing XML file (not open). Hard to Develop. But we need it in future.
35 2. Customize “RHEL_STIG” XML file. 2. Customize RHEL’s “RHEL_STIG” XML file. - use latest RHEL7 STIG - Including PCIDSS v3.0, etc. https://github.com/OpenSCAP/openscap More easy to Develop. Take a look for now. ;-)
Customize RHEL’s XCCDF file
37 Customize RedHat’s XCCDF file Customize RedHat XCCDF file; Change Platform ID <platform idref="cpe:/o:redhat:enterprise_linux:7"/> <platform idref="cpe:/o:opensuse:opensuse"/> Change/Copy related XML file <check-content-ref href="ssg-rhel7-ocil.xml" <check-content-ref href="ssg-opensuse-ocil.xml"
38 Scan Customized RedHat’s XCCDF file oscap xccdf eval --profile "Profile" --report “Report” “input xccdf XML file” ex. ) oscap xccdf eval --profile "pci-dss" --report /tmp/opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml Profile: <profile id> in xccdf.xml file; <Profile id="standard"> <Profile id="pci-dss"> <Profile id="rht-ccp"> <Profile id="docker-host"> … etc.
39 Scan by “oscap” # oscap xccdf eval --profile "pci-dss" --report ./opensuse42.1-ssg- results.html ./ssg-opensuse-xccdf.xml Title Ensure auditd Collects Information on Kernel Module Loading and Unloading Rule audit_rules_kernel_module_loading Ident CCE-27129-6 Result fail Title Make the auditd Configuration Immutable Rule audit_rules_immutable Ident CCE-27097-5 Result fail Title Set SSH Idle Timeout Interval Rule sshd_set_idle_timeout Ident CCE-27433-2 Result pass
40 “oscap” result html
41 “oscap” result html (cont'd)
42 Scap-workbench
43 Customize Rule (with scap-workbench) Some of Rule can modify, and can not → No good for fitting to openSUSE
44 Customize Rule (xml file) OVAL: <definition class="compliance" id="oval:ssg-service_autofs_disabled:def:1" version="1"> <metadata> <title>Service autofs Disabled</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 7</platform> </affected> <description>The autofs service should be disabled if possible.</description> <reference source="JL" ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/ scap-security-guide/wiki/Contributors"/> <reference ref_id="service_autofs_disabled" source="ssg"/></metadata> <criteria comment="package autofs removed or service autofs is not configured to start" operator="OR"> <extend_definition comment="autofs removed" definition_ref="oval:ssg-package_autofs_ removed:def:1"/> <criteria operator="OR" comment="service autofs is not configured to start"> <criterion comment="autofs not wanted by multi-user.target" test_ref="oval:ssg-test_ autofs_not_wanted_by_multi_user_target:tst:1"/>
45 OVAL Language Dictionary
46 Customize Rule (xml file) OCIL: <questionnaire id="ocil:ssg-disable_users_coredumps_ocil:questionnaire:1"> <title>Disable Core Dumps for All Users</title> <actions> <test_action_ref>ocil:ssg-disable_users_coredumps_action:testaction:1</test_action_ref> </actions> </questionnaire> <questionnaire id="ocil:ssg-sysctl_fs_suid_dumpable_ocil:questionnaire:1"> <title>Disable Core Dumps for SUID programs</title> <actions> <test_action_ref>ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1</test_action_ref> </actions> </questionnaire>
47 OCIL Language Dictionary
48 Remain Task - Not only for PCI-DSS, other Profile: - Check details which modified. - Change those XCCDF file as openscap-ssg standard style. - Follow SUSE11 Standard also.
Conclusion
50 Conclusion - SCAP OVAL file for openSUSE is released from SUSE. - SCAP XCCDF file for openSUSE needs to be under PCI-DSS etc. - Still customizing contents for publishing. :-)
51 Any Questinos?
52 Thank You!!!

Empfohlen

Getting Started on Packaging Apps with Open Build Service
Getting Started on Packaging Apps with Open Build ServiceGetting Started on Packaging Apps with Open Build Service
Getting Started on Packaging Apps with Open Build Service
Andi Sugandi
 
How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS
How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS
How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS
Kentaro Hatori
 
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
William Lee
 
Sweden11
Sweden11Sweden11
Sweden11
Dru Lavigne
 
Usage Note of SWIG for PHP
Usage Note of SWIG for PHPUsage Note of SWIG for PHP
Usage Note of SWIG for PHP
William Lee
 
Usage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on LinuxUsage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on Linux
William Lee
 
Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3
William Lee
 
Usage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP LanguagesUsage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP Languages
William Lee
 

Empfohlen

Getting Started on Packaging Apps with Open Build Service
Getting Started on Packaging Apps with Open Build ServiceGetting Started on Packaging Apps with Open Build Service
Getting Started on Packaging Apps with Open Build Service
Andi Sugandi
 
How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS
How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS
How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS
Kentaro Hatori
 
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5 Upgrade GCC & Install Qt 5.4 on CentOS 6.5
Upgrade GCC & Install Qt 5.4 on CentOS 6.5
William Lee
 
Sweden11
Sweden11Sweden11
Sweden11
Dru Lavigne
 
Usage Note of SWIG for PHP
Usage Note of SWIG for PHPUsage Note of SWIG for PHP
Usage Note of SWIG for PHP
William Lee
 
Usage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on LinuxUsage Note of Qt ODBC Database Access on Linux
Usage Note of Qt ODBC Database Access on Linux
William Lee
 
Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3Usage Notes of The Bro 2.2 / 2.3
Usage Notes of The Bro 2.2 / 2.3
William Lee
 
Usage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP LanguagesUsage Note of Apache Thrift for C++ Java PHP Languages
Usage Note of Apache Thrift for C++ Java PHP Languages
William Lee
 
Posscon2013
Posscon2013Posscon2013
Posscon2013
Dru Lavigne
 
Usage Note of PlayCap
Usage Note of PlayCapUsage Note of PlayCap
Usage Note of PlayCap
William Lee
 
Develop and Maintain a Distro with Open Build Service
Develop and Maintain a Distro with Open Build ServiceDevelop and Maintain a Distro with Open Build Service
Develop and Maintain a Distro with Open Build Service
SUSE Labs Taipei
 
BSD for Linux Users
BSD for Linux UsersBSD for Linux Users
BSD for Linux Users
Dru Lavigne
 
Use bonding driver with ethernet
Use bonding driver with ethernetUse bonding driver with ethernet
Use bonding driver with ethernet
SUSE Labs Taipei
 
Dru lavigne servers-tutorial
Dru lavigne servers-tutorialDru lavigne servers-tutorial
Dru lavigne servers-tutorial
Dru Lavigne
 
Oclug 2010
Oclug 2010Oclug 2010
Oclug 2010
Dru Lavigne
 
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
Kentaro Hatori
 
Nelf2012
Nelf2012Nelf2012
Nelf2012
Dru Lavigne
 
SELF 2010: BSD For Linux Users
SELF 2010: BSD For Linux UsersSELF 2010: BSD For Linux Users
SELF 2010: BSD For Linux Users
Dru Lavigne
 
S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918
SUSE Labs Taipei
 
Lavigne bsdmag sept12
Lavigne bsdmag sept12Lavigne bsdmag sept12
Lavigne bsdmag sept12
Dru Lavigne
 
Scale 2010: BSD for Linux Users
Scale 2010: BSD for Linux UsersScale 2010: BSD for Linux Users
Scale 2010: BSD for Linux Users
Dru Lavigne
 
Anthony McKeown Drupal Presentation
Anthony McKeown Drupal PresentationAnthony McKeown Drupal Presentation
Anthony McKeown Drupal Presentation
Tony McKeown
 
Lavigne bsdmag-jan2012
Lavigne bsdmag-jan2012Lavigne bsdmag-jan2012
Lavigne bsdmag-jan2012
Dru Lavigne
 
Fsoss2011
Fsoss2011Fsoss2011
Fsoss2011
Dru Lavigne
 
Snort296x centos6x 2
Snort296x centos6x 2Snort296x centos6x 2
Snort296x centos6x 2
Trinh Tuan
 
Olf2012
Olf2012Olf2012
Olf2012
Dru Lavigne
 
Fosscon2013
Fosscon2013Fosscon2013
Fosscon2013
Dru Lavigne
 
Use build service API in your program
Use build service API in your programUse build service API in your program
Use build service API in your program
SUSE Labs Taipei
 
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
Shawn Wells
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
Jooho Lee
 

Weitere ähnliche Inhalte

Was ist angesagt?

Develop and Maintain a Distro with Open Build Service
Develop and Maintain a Distro with Open Build ServiceDevelop and Maintain a Distro with Open Build Service
Develop and Maintain a Distro with Open Build Service
SUSE Labs Taipei
 

Was ist angesagt? (20)

Posscon2013
Posscon2013Posscon2013
Posscon2013
 
Usage Note of PlayCap
Usage Note of PlayCapUsage Note of PlayCap
Usage Note of PlayCap
 
Develop and Maintain a Distro with Open Build Service
Develop and Maintain a Distro with Open Build ServiceDevelop and Maintain a Distro with Open Build Service
Develop and Maintain a Distro with Open Build Service
 
BSD for Linux Users
BSD for Linux UsersBSD for Linux Users
BSD for Linux Users
 
Use bonding driver with ethernet
Use bonding driver with ethernetUse bonding driver with ethernet
Use bonding driver with ethernet
 
Dru lavigne servers-tutorial
Dru lavigne servers-tutorialDru lavigne servers-tutorial
Dru lavigne servers-tutorial
 
Oclug 2010
Oclug 2010Oclug 2010
Oclug 2010
 
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
Booting directly opensuse iso file by grub2 @ openSUSE Asia Summit2015
 
Nelf2012
Nelf2012Nelf2012
Nelf2012
 
SELF 2010: BSD For Linux Users
SELF 2010: BSD For Linux UsersSELF 2010: BSD For Linux Users
SELF 2010: BSD For Linux Users
 
S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918
 
Lavigne bsdmag sept12
Lavigne bsdmag sept12Lavigne bsdmag sept12
Lavigne bsdmag sept12
 
Scale 2010: BSD for Linux Users
Scale 2010: BSD for Linux UsersScale 2010: BSD for Linux Users
Scale 2010: BSD for Linux Users
 
Anthony McKeown Drupal Presentation
Anthony McKeown Drupal PresentationAnthony McKeown Drupal Presentation
Anthony McKeown Drupal Presentation
 
Lavigne bsdmag-jan2012
Lavigne bsdmag-jan2012Lavigne bsdmag-jan2012
Lavigne bsdmag-jan2012
 
Fsoss2011
Fsoss2011Fsoss2011
Fsoss2011
 
Snort296x centos6x 2
Snort296x centos6x 2Snort296x centos6x 2
Snort296x centos6x 2
 
Olf2012
Olf2012Olf2012
Olf2012
 
Fosscon2013
Fosscon2013Fosscon2013
Fosscon2013
 
Use build service API in your program
Use build service API in your programUse build service API in your program
Use build service API in your program
 

Ähnlich wie SCAP for openSUSE

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
Sadegh Dorri N.
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 

Ähnlich wie SCAP for openSUSE (20)

2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
 
KVM_security
KVM_securityKVM_security
KVM_security
 
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
 
OSC2023_security_automation_data.pdf
OSC2023_security_automation_data.pdfOSC2023_security_automation_data.pdf
OSC2023_security_automation_data.pdf
 
Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.com
 
LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Rhel7 vs rhel6
Rhel7 vs rhel6Rhel7 vs rhel6
Rhel7 vs rhel6
 
Runos OpenFlow Controller (eng)
Runos OpenFlow Controller (eng)Runos OpenFlow Controller (eng)
Runos OpenFlow Controller (eng)
 
optimizing_ceph_flash
optimizing_ceph_flashoptimizing_ceph_flash
optimizing_ceph_flash
 
Lightweight Virtualization in Linux
Lightweight Virtualization in LinuxLightweight Virtualization in Linux
Lightweight Virtualization in Linux
 
Beyond static configuration
Beyond static configurationBeyond static configuration
Beyond static configuration
 
Describing configurations of software experiments as Linked Data
Describing configurations of software experiments as Linked DataDescribing configurations of software experiments as Linked Data
Describing configurations of software experiments as Linked Data
 
Amis Query (02-09-2008): Reports From Oracle Open World - Database
Amis Query (02-09-2008): Reports From Oracle Open World - DatabaseAmis Query (02-09-2008): Reports From Oracle Open World - Database
Amis Query (02-09-2008): Reports From Oracle Open World - Database
 
Sql on linux - ITpro
Sql on linux - ITproSql on linux - ITpro
Sql on linux - ITpro
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 

Mehr von Kazuki Omo

Mehr von Kazuki Omo (15)

OpenSSF Day Tokyo 2023 Keynote presentation.
OpenSSF Day Tokyo 2023 Keynote presentation.OpenSSF Day Tokyo 2023 Keynote presentation.
OpenSSF Day Tokyo 2023 Keynote presentation.
 
Don't you have dream about Foreign Company? How about real one?
Don't you have dream about Foreign Company? How about real one?Don't you have dream about Foreign Company? How about real one?
Don't you have dream about Foreign Company? How about real one?
 
2022Q2 最新ランサムウェア動向と対処方法.pptx
2022Q2 最新ランサムウェア動向と対処方法.pptx2022Q2 最新ランサムウェア動向と対処方法.pptx
2022Q2 最新ランサムウェア動向と対処方法.pptx
 
エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)
エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)
エンジニアのキャリアアップを考える(OSC 2018 Fall Tokyo)
 
Osc2018 tokyo spring_scap
Osc2018 tokyo spring_scapOsc2018 tokyo spring_scap
Osc2018 tokyo spring_scap
 
Linux Security Status on 2017
Linux Security Status on 2017Linux Security Status on 2017
Linux Security Status on 2017
 
Cve trends 20170531
Cve trends 20170531Cve trends 20170531
Cve trends 20170531
 
SELinux_Updates_PoC_20170516
SELinux_Updates_PoC_20170516SELinux_Updates_PoC_20170516
SELinux_Updates_PoC_20170516
 
Postgre SQL security_20170412
Postgre SQL security_20170412Postgre SQL security_20170412
Postgre SQL security_20170412
 
OSC ossセキュリティ技術の会について
OSC ossセキュリティ技術の会についてOSC ossセキュリティ技術の会について
OSC ossセキュリティ技術の会について
 
Osc2017 tokyo spring_soss_sig
Osc2017 tokyo spring_soss_sigOsc2017 tokyo spring_soss_sig
Osc2017 tokyo spring_soss_sig
 
RHELのEOLがCentOSに及ぼす影響
RHELのEOLがCentOSに及ぼす影響RHELのEOLがCentOSに及ぼす影響
RHELのEOLがCentOSに及ぼす影響
 
6 anti virus
6 anti virus6 anti virus
6 anti virus
 
Edb summit 2016_20160216.omo
Edb summit 2016_20160216.omoEdb summit 2016_20160216.omo
Edb summit 2016_20160216.omo
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecase
 

Kürzlich hochgeladen

Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
masabamasaba
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 

Kürzlich hochgeladen (20)

Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 

SCAP for openSUSE

  • 1. OpenSCAP and related contents for openSUSE Kazuki Omo( 面 和毅 ): ka-omo@sios.com SIOS Technology, Inc.
  • 2. 2 Who am I ? - Security Researcher/Engineer (16 years) - SELinux/MAC Evangelist (11 years) - Antivirus Engineer (3 years) - SIEM Engineer (3 years) - Linux Engineer (16 years)
  • 3. 3 Agenda - What is SCAP? - Enumerations - Language/Contents - OpenSCAP - OpenSUSE contents - Customize RHEL’s XCCDF file - Conclusion
  • 5. 5 SCAP (Security Content Automation Protocol) Object: Automated for - Vulnerability management - Vulnerability measurement - Policy compliance evaluation
  • 6. 6 SCAP Components.. SCAP Common Vulnerabilities and Exposures (CVE) Common Configuration Enumeration (CCE) Common Platform Enumeration (CPE) Common Weakness Enumeration (CWE) Common Vulnerability Scoring System (CVSS) Extensible Configuration Checklist Description Format (XCCDF) and so on…. Open Vulnerability and Assessment Language (OVAL) Lang Enumerations
  • 9. 9 CVE: Common Vulnerabilities and Exposures CVE ID CPE Summary CVE-2016-6662 cpe:/a:mariadb:mariadb: 10.1.15 Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51- 38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. CVE-2016-6662 cpe:/a:mariadb:mariadb: 10.1.16 CVE-2016-2107 cpe:/o:redhat:enterprise _linux_server:7.0 Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data. CVE-2016-2107 cpe:/o:novell:leap:42.1 CVE-2016-2107 cpe:/o:novell:opensuse: 13.2 CVE-2016-4979 cpe:/a:apache:http_serv er:2.4.20 PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
  • 10. 10 CPE: Common Platform Enumeration CPE name title href cpe:/o:novell:leap: 42.0 Novell Leap 42.0 https://en.opensuse.org/openSUSE:Leap cpe:/o:novell:leap: 42.1 Novell Leap 42.1 https://en.opensuse.org/openSUSE:Leap cpe:/o:redhat:ente rprise_linux:7.0 Red Hat Enterpris e Linux 7.0 http://www.redhat.com/resourcelibrary/datash eets/rhel-7-whats-new cpe:/o:redhat:ente rprise_linux:7.1 Red Hat Enterpris e Linux 7.1 http://www.redhat.com/en/resources/whats- new-red-hat-enterprise-linux-71
  • 11. 11 CPE: Common Platform Enumeration linux-vs1z:~ # cat /etc/os-release NAME="openSUSE Leap" VERSION="42.1" VERSION_ID="42.1" PRETTY_NAME="openSUSE Leap 42.1 (x86_64)" ID=opensuse ANSI_COLOR="0;32" CPE_NAME="cpe:/o:opensuse:opensuse:42.1" BUG_REPORT_URL="https://bugs.opensuse.org" HOME_URL="https://opensuse.org/" ID_LIKE="suse"
  • 12. 12 CCE: Common Configuration Enumeration CCE IDs Description CCE- 5317-3 Core dump size limits should be set appropriately CCE- 5384-3 The read-only SNMP community string should be set appropriately. CCE- 5664-8 The minimum password age should be set as appropriate CCE- 5804-0 The minimum required password length should be set as appropriate CCE- 4858-7 Password history should be saved for an appropriate number of password changes CCE- 5775-2 The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate
  • 13. 13 CWE: Common Weakness Enumeration CVE ID CWE-ID CVE-2016-6662 CWE-264 CVE-2016-2107 CWE-310 CVE-2016-4979 CWE-284
  • 16. 16 OVAL: Open Vulnerability and Assessment Language OVAL: - Check Vulnerabilities / configuration issues (XML) - Using for Patch Management - Composed by - Collection of CVEs - list of standardized names for vulnerabilities
  • 17. 17 OVAL: Open Vulnerability and Assessment Language <title>CVE-2012-2150</title> <affected family="unix"> <platform>openSUSE Leap 42.1</platform> </affected> <reference ref_id="CVE-2012-2150" ref_url= "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150" source="CVE"/> </metadata> <criteria operator="AND"> <criterion test_ref="oval:org.opensuse.security:tst:2009117743" comment="openSUSE Leap 42.1 is installed"/> <criteria operator="OR"> <criterion test_ref="oval:org.opensuse.security:tst:2009120999" comment="xfsprogs-3.2.1-5.1 is installed"/>
  • 18. 18 OVAL: Open Vulnerability and Assessment Language <definition class="compliance" id="oval:ssg- file_permissions_httpd_server_conf_files:def:1" version="2"> <metadata> <title>Verify Permissions On Apache Web Server Configuration Files </title> <affected family="unix"> <platform>Red Hat Enterprise Linux 7</platform> <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).</description>
  • 19. 19 OVAL: Open Vulnerability and Assessment Language
  • 20. 20 OVAL: Open Vulnerability and Assessment Language
  • 21. 21 XCCDF: The eXtensible Configuration Checklist Description Format XCCDF: - Writing security checklists, benchmarks, etc. (XML) - Automated compliance testing, Compliance scoring (PCIDSS, etc.) - Collection of security configuration rules for some set of target systems (Docker-Enabled Host)
  • 22. 22 XCCDF: The eXtensible Configuration Checklist Description Format <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1"> <status date="2016-09-20">draft</status> <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title> <Profile id="pci-dss"> <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This is a *draft* profile for PCI-DSS v3</description> <select idref="service_auditd_enabled" selected="true"/> <select idref="bootloader_audit_argument" selected="true"/> <select idref="auditd_data_retention_num_logs" selected="true"/> <select idref="audit_rules_dac_modification_chmod" selected="true"/> ...
  • 23. 23 XCCDF: The eXtensible Configuration Checklist Description Format <Profile id="docker-host"> <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">Standard Docker Host Security Profile</title> <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang= "en-US">This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system running the docker daemon. </description> <select idref="service_docker_enabled" selected="true"/> <select idref="enable_selinux_bootloader" selected="true"/> <select idref="selinux_state" selected="true"/> <select idref="selinux_policytype" selected="true"/> <select idref="docker_selinux_enabled" selected="true"/> <select idref="docker_storage_configured" selected="true"/> <select idref="remediation_functions" selected="false"/>
  • 24. 24 XCCDF: The eXtensible Configuration Checklist Description Format
  • 25. 25 XCCDF: The eXtensible Configuration Checklist Description Format
  • 27. 27 OpenSCAP OpenSCAP: - Provides multiple tools for Administrators/Auditors Tools: - OpenSCAP Base (oscap) - SCAP Workbench (GUI tool) - OpenSCAP Daemon - SCAPTimony - OSCAP Anaconda Add-on
  • 29. 29 OVAL: Open Vulnerability and Assessment Language Available on ftp.suse.com/pub
  • 30. 30 OVAL: Open Vulnerability and Assessment Language
  • 31. 31 OVAL: Open Vulnerability and Assessment Language
  • 32. 32 XCCDF: The eXtensible Configuration Checklist Description Format No XCCDF file…. Then We can - check Vulnerabilities for openSUSE We can’t - check Configuration Standard (ex. PCIDSS) :-(
  • 33. 33 XCCDF: The eXtensible Configuration Checklist Description Format 1. Customize old SLES XCCDF file (“SLES v11 for System z”) 2. Customize “RHEL_STIG” XML file. Which is better? There are 2 options;
  • 34. 34 1. Customize “SLES v11 for System z” 1. Customize old “SLES v11 for System z” (http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_2016_07.zip) - Profile for MAC(Mandatory Access Control) Level + Public/Sensitive/Classified. → DoD/Federal Government System. - No Benchmark XML file (DPMS_XCCDF_Benchmark_SuSe zLinux.xml) → SuSE is providing XML file (not open). Hard to Develop. But we need it in future.
  • 35. 35 2. Customize “RHEL_STIG” XML file. 2. Customize RHEL’s “RHEL_STIG” XML file. - use latest RHEL7 STIG - Including PCIDSS v3.0, etc. https://github.com/OpenSCAP/openscap More easy to Develop. Take a look for now. ;-)
  • 37. 37 Customize RedHat’s XCCDF file Customize RedHat XCCDF file; Change Platform ID <platform idref="cpe:/o:redhat:enterprise_linux:7"/> <platform idref="cpe:/o:opensuse:opensuse"/> Change/Copy related XML file <check-content-ref href="ssg-rhel7-ocil.xml" <check-content-ref href="ssg-opensuse-ocil.xml"
  • 38. 38 Scan Customized RedHat’s XCCDF file oscap xccdf eval --profile "Profile" --report “Report” “input xccdf XML file” ex. ) oscap xccdf eval --profile "pci-dss" --report /tmp/opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml Profile: <profile id> in xccdf.xml file; <Profile id="standard"> <Profile id="pci-dss"> <Profile id="rht-ccp"> <Profile id="docker-host"> … etc.
  • 39. 39 Scan by “oscap” # oscap xccdf eval --profile "pci-dss" --report ./opensuse42.1-ssg- results.html ./ssg-opensuse-xccdf.xml Title Ensure auditd Collects Information on Kernel Module Loading and Unloading Rule audit_rules_kernel_module_loading Ident CCE-27129-6 Result fail Title Make the auditd Configuration Immutable Rule audit_rules_immutable Ident CCE-27097-5 Result fail Title Set SSH Idle Timeout Interval Rule sshd_set_idle_timeout Ident CCE-27433-2 Result pass
  • 43. 43 Customize Rule (with scap-workbench) Some of Rule can modify, and can not → No good for fitting to openSUSE
  • 44. 44 Customize Rule (xml file) OVAL: <definition class="compliance" id="oval:ssg-service_autofs_disabled:def:1" version="1"> <metadata> <title>Service autofs Disabled</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 7</platform> </affected> <description>The autofs service should be disabled if possible.</description> <reference source="JL" ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/ scap-security-guide/wiki/Contributors"/> <reference ref_id="service_autofs_disabled" source="ssg"/></metadata> <criteria comment="package autofs removed or service autofs is not configured to start" operator="OR"> <extend_definition comment="autofs removed" definition_ref="oval:ssg-package_autofs_ removed:def:1"/> <criteria operator="OR" comment="service autofs is not configured to start"> <criterion comment="autofs not wanted by multi-user.target" test_ref="oval:ssg-test_ autofs_not_wanted_by_multi_user_target:tst:1"/>
  • 46. 46 Customize Rule (xml file) OCIL: <questionnaire id="ocil:ssg-disable_users_coredumps_ocil:questionnaire:1"> <title>Disable Core Dumps for All Users</title> <actions> <test_action_ref>ocil:ssg-disable_users_coredumps_action:testaction:1</test_action_ref> </actions> </questionnaire> <questionnaire id="ocil:ssg-sysctl_fs_suid_dumpable_ocil:questionnaire:1"> <title>Disable Core Dumps for SUID programs</title> <actions> <test_action_ref>ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1</test_action_ref> </actions> </questionnaire>
  • 48. 48 Remain Task - Not only for PCI-DSS, other Profile: - Check details which modified. - Change those XCCDF file as openscap-ssg standard style. - Follow SUSE11 Standard also.
  • 50. 50 Conclusion - SCAP OVAL file for openSUSE is released from SUSE. - SCAP XCCDF file for openSUSE needs to be under PCI-DSS etc. - Still customizing contents for publishing. :-)