Security compliance automation with Red Hat Satellite

Transcription

1 Security compliance automation with Red Hat Satellite Matt Micene Solution Architect,

2 Created with

3 Compliance is a major problem About half of the CVEs exploited in 2014 went from publish to pwn in less than a month. - Verizon Breach Investigations Report, 2015 We found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published. - Verizon Breach Investigations Report, 2015 Patch management and associated vulnerability management processes represent the biggest problem areas, because they re rarely well documented and automated. Anton Chuvakin [ 2014/]

4 YourApp from MyCO poised to revolutionize the industry MyCo CEO

5 Meet Simon, MyCo Lead System Engineer

6 YourApp

7 Regulations, Catalogs, Guidelines

8

9 Advanced Persistent Marketing Poster created by Ken Westin, 2015, used with permission of author. Hi Ken!

10 Meet Sarah, MyCo CISO

11 Sarah's initial SWAG Need local values for 50 controls (password lengths, C2S Profile = 250 controls login timeouts, etc) YourApp Env = 35 systems Only YourApp new systems in scope Project team bringing Security in late

12

13 Simon's back of the napkin Number of Controls Time per Control Number of Hosts Minutes per Hour min min 145 hours or ~18 Days

14

15 SCAP SECURITY STREET Brought to you by the letters NVD and CVE!

16 What does Simon need? SCAP Content SCAP Scanner Centralization

17 The final controls!

18 Final policy Annual audits C2S Profile = 400 controls Requires 2 additional regular reviews YourApp Env = 100 systems Need local values for 100 controls (password lengths, login timeouts, etc) 15 current production systems added to scope DR site also required

19 Simon's new napkin Number of Controls Time per Control Number of Hosts Minutes per Hour min min ~666 hours or ~83 Days

20 SPOILER ALERT!

21 What Simon's compliance system can do C2S Run time = 73 seconds s min ~61 hours or ~8 Days

22 ~8 Days * Mostly computer time, highly parallel Little administrator interaction required Still Oh, and 150 more checks (62.5% more work) ~75 Days saved Or %

23 The Tool Chain that Simon Built

24 What does Simon need? SCAP Content SCAP Scanner Centralization

25 The Content SCAP Scanner Centralization

26 SCAP (Security Content Automation Protocol) 1.2 NIST SP Rev. 2 CCE : Common Configuration Enumeration CPE : Common Platform Enumeration CVE : Common Vulnerabilities and Exposures CVSS: Common Vulnerability Scoring System CCSS: Common Configuration Scoring System XCCDF: The Extensible Configuration Checklist Description Format OVAL : Open Vulnerability and Assessment Language OCIL: Open Checklist Interactive Language AI: Asset Identification ARF: Asset Reporting Format

27 SCAP (Security Content Automation Protocol) 1.2 NIST SP Rev. 2 CCE : Common Configuration Enumeration CPE : Common Platform Enumeration CVE : Common Vulnerabilities and Exposures CVSS: Common Vulnerability Scoring System CCSS: Common Configuration Scoring System XCCDF: The Extensible Configuration Checklist Description Format OVAL : Open Vulnerability and Assessment Language OCIL: Open Checklist Interactive Language AI: Asset Identification ARF: Asset Reporting Format

28 Great who makes it?

29 Red Hat provided feeds

30 Building and modifying content

31 XCCDF PROFILE PROFILE RULES RULES CHECK CHECK VALUES VALUES CHECK CHECK

32 XCCDF Profile

33 XCCDF Profile

34 XCCDF Profile

35 XCCDF Rule

36 XCCDF Rule

37 XCCDF Rule

38 OVAL Entities DEFINITION DEFINITION TEST TEST OBJECT OBJECT TEST TEST STATE STATE OBJECT OBJECT STATE STATE

39 OVAL Definition

40 OVAL Walking back the cat

41 A plug for upstream Sane separation of files with XSLT to create valid content OVAL in single check file with human readable IDs XCCDF in descriptive structure Modify make file to include and build content or RPM

42 What about the analyst?

43

44 SCAP Tailoring file

45 The Scanner Centralization

46 OpenSCAP NIST validated SCAP scanner by Red Hat

47 The Centralization

48 Workflow

49 SATELLITE 5 WORK FLOW

50 Use RPMs

51 Scanning hosts

52 Scan list

53 Scan detail

54 Diff results

55 Diff to any!

56 Change some defaults

57 Detailed Report

58 Scanning groups with SSM

59 Scanning groups with SSM

60 Advanced searches CVE

61 System built after scans

62 Automation Cron + Satellite API Use with a different change manager /github.com/nzwulfin/rhsummit15

63 SATELLITE 6 WORK FLOW

64 From Tailoring to Profile

65 Upload Datastream

66 Create scan profile

67 Create scan profile

68 Create scan profile

69 Create scan profile

70 Create scan profile

71 Create scan profile

72 Reporting

73 Reporting

74 Reporting

75 Reporting

76 Install tools on client

77 Matt Micene Solution Architect,

78 Resources John Boyd and the OODA Loop Satellite API scripts and RPM spec file OpenSCAP Github Organization Red Hat Security Data site Red Hat Security RHSA Checklist Anton Chuvakin: Highlights from '14 Verizon PCI Report NIST Validated SCAP tools