Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP




Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP
Vasileios A. Baousis (Ph.D), Network Applications Team
Slide 1

Agenda
- Introduction
- Background: SCAP; Puppet & Mcollective; Spacewalk
- System setup
- Reports and use of the output
- Questions
Slide 2

Introduction
Why should we perform a continuous security audit, and why automate it? Manually? No way.
Security should be considered and implemented for the entire lifecycle of a system. The same applies to auditing a system, but most of the time it is neglected.
Security (mis)configuration drift and missing important package patches are identified when it is far too late.
The goal: continuous auditing and reporting in a consistent and automated manner.
Work in progress.
Slide 3

Security Content Automation Protocol (SCAP)
A standardized compliance checking solution: SCAP is a suite of specifications maintained by NIST for expressing and automating system security checks, widely used for enterprise Linux systems.
OpenSCAP implements the SCAP specifications and is an auditing tool that consumes the Extensible Configuration Checklist Description Format (XCCDF). XCCDF is a standard way of expressing checklist content; it defines security checklists and combines with other specifications to create a SCAP-expressed checklist that can be processed by SCAP-validated products. The ones used here are: Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE) and Open Vulnerability and Assessment Language (OVAL).
OpenSCAP
a. verifies the presence of patches, using OVAL content published by the distribution vendor,
b. checks system security configuration settings, and
c. examines systems for signs of compromise or misconfiguration, using rules based on standards and specifications.
Slide 4

Oscap command line
oscap -h
oscap OpenSCAP command-line tool
Usage: oscap [options] module operation [operation-options-and-arguments]
oscap options:
  -h --help     - show this help
  -q --quiet    - quiet mode
  -V --version  - print info about supported SCAP versions
Commands:
  ds     - DataStream utilities
  oval   - Open Vulnerability and Assessment Language
  xccdf  - eXtensible Configuration Checklist Description Format
  cvss   - Common Vulnerability Scoring System
  cpe    - Common Platform Enumeration
  cve    - Common Vulnerabilities and Exposures
  info   - info module

oscap ds -h
oscap -> ds
DataStream utilities
Usage: oscap [options] ds command
Datastreams: an archive of interlinked SCAP content (XCCDF, OVAL, CPE). Source and Result DataStreams.
Commands:
  sds-split     - Split given SourceDataStream into separate files
  sds-compose   - Compose SourceDataStream from given XCCDF
  sds-add       - Add a component to the existing SourceDataStream
  sds-validate  - Validate given SourceDataStream
  rds-split     - Splits a ResultDataStream. Creating source datastream (from report-request) and report in target directory.
  rds-create    - Create a ResultDataStream from given SourceDataStream, XCCDF results and one or more OVAL results
  rds-validate  - Validate given ResultDataStream
Slide 5

Oscap command line
oscap -> xccdf
eXtensible Configuration Checklist Description Format
Usage: oscap [options] xccdf command [command-specific-options]
Commands:
  eval                   - Perform evaluation driven by XCCDF file and use OVAL as checking engine
  resolve                - Resolve an XCCDF document
  validate               - Validate XCCDF XML content
  validate-xml           - Validate XCCDF XML content
  export-oval-variables  - Export XCCDF values as OVAL external-variables document(s)
  generate               - Convert XCCDF Benchmark to other formats
  remediate              - Perform remediation driven by XCCDF TestResult file or ARF.

oscap -> xccdf -> eval
Perform evaluation driven by XCCDF file and use OVAL as checking engine
Usage: oscap [options] xccdf eval [options] INPUT_FILE [oval-definitions-files]
INPUT_FILE - XCCDF file or a source data stream file
Options:
  --profile <name>               - The name of Profile to be evaluated.
  --tailoring-file <file>        - Use given XCCDF Tailoring file.
  --tailoring-id <component-id>  - Use given DS component as XCCDF Tailoring file.
  --cpe <name>                   - Use given CPE dictionary or language (autodetected).
  ...

Example:
  oscap xccdf eval --profile MAC-1_Public --cpe /usr/share/openscap/redhat_simple/u_redhat_6_v1r4_benchmark-cpe-dictionary.xml /usr/share/openscap/redhat_simple/u_redhat_6_v1r4_benchmark-xccdf.xml
Slide 6

Oscap command line
oscap oval -h
oscap -> oval
Open Vulnerability and Assessment Language
Usage: oscap [options] oval command
Commands:
  collect       - Probe the system and create system characteristics
  eval          - Probe the system and evaluate definitions from OVAL Definition file
  analyse       - Evaluate provided system characteristics file
  validate      - Validate OVAL XML content
  validate-xml  - Validate OVAL XML content
  generate      - Convert an OVAL file to other formats
  list-probes   - List supported object types (i.e. probes)
Example:
  oscap oval collect com.redhat.rhsa-all.xml

oscap -> oval -> eval
Probe the system and evaluate definitions from OVAL Definition file
Usage: oscap [options] oval eval [options] oval-definitions.xml
Options:
  --id <definition-id>  - ID of the definition we want to evaluate.
  --variables <file>    - Provide external variables expected by OVAL Definitions.
  --directives <file>   - Use OVAL Directives content to specify desired results content.
  --results <file>      - Write OVAL Results into file.
  --report <file>       - Create human readable (HTML) report from OVAL Results.
  --skip-valid          - Skip validation.
  --datastream-id <id>  - ID of the datastream in the collection to use. (only applicable for source datastreams)
  --oval-id <id>        - ID of the OVAL component ref in the datastream to use. (only applicable for source datastreams)
  --probe-root <dir>    - Change the root directory before scanning the system.
Slide 7

Oscap command line
oscap cvss -h
oscap -> cvss
Common Vulnerability Scoring System
Usage: oscap [options] cvss command
Commands:
  score     - CVSS score from a CVSS vector
  describe  - Describe a CVSS vector

oscap cpe -h
oscap -> cpe
Common Platform Enumeration
Usage: oscap [options] cpe command
Commands:
  match         - Match CPE name against provided dictionary
  check         - Check if CPE name is valid
  validate      - Validate CPE Dictionary content
  validate-xml  - Validate CPE Dictionary content
Slide 8
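The `oscap xccdf eval` invocation on Slides 6 and 7 is the audit itself; for a continuous audit the interesting part is what is done with the results file it writes. The following Python is an added example, not code from the talk: it builds the eval command line with `--results` and `--report`, maps the documented exit codes of `oscap xccdf eval` (0 all rules passed, 1 error, 2 at least one rule failed), and parses the XCCDF TestResult into a pass/fail summary that a report pipeline can consume. The TestResult fragment below is constructed, and the datastream and output file names are placeholders.

```python
"""Added example (not code from the talk): run `oscap xccdf eval` and turn its
XCCDF TestResult into a summary a reporting pipeline can consume."""
import subprocess
import xml.etree.ElementTree as ET
from collections import Counter

# Exit codes of `oscap xccdf eval` (oscap(8)): 0 = every selected rule passed,
# 1 = error (bad content, unknown profile, ...), 2 = at least one rule failed.
OSCAP_OK, OSCAP_ERROR, OSCAP_RULES_FAILED = 0, 1, 2


def build_eval_command(datastream, profile, results_path, report_path):
    """The eval invocation: --results gives the machine-readable XCCDF
    TestResult (what the pipeline parses), --report the HTML for humans."""
    return ["oscap", "xccdf", "eval",
            "--profile", profile,
            "--results", results_path,
            "--report", report_path,
            datastream]


def _local(tag):
    """Strip the namespace so XCCDF 1.1 and 1.2 results parse the same way."""
    return tag.rsplit("}", 1)[-1]


def parse_rule_results(xml_text):
    """Map rule id -> result ('pass', 'fail', 'notapplicable', 'error', ...)
    from any document that contains an XCCDF TestResult."""
    results = {}
    for element in ET.fromstring(xml_text).iter():
        if _local(element.tag) != "rule-result":
            continue
        result = next((c for c in element if _local(c.tag) == "result"), None)
        if result is not None and result.text:
            results[element.get("idref")] = result.text.strip()
    return results


def summarize(rule_results):
    """Counts plus the sorted list of failing rule ids, the part worth pushing
    into a ticket or into the Spacewalk/Puppet report."""
    counts = Counter(rule_results.values())
    return {
        "pass": counts.get("pass", 0),
        "fail": counts.get("fail", 0),
        "error": counts.get("error", 0),
        "other": sum(n for k, n in counts.items() if k not in ("pass", "fail", "error")),
        "failed_rules": sorted(r for r, v in rule_results.items() if v == "fail"),
    }


def run_audit(datastream, profile, results_path="results.xml", report_path="report.html"):
    """Run the scan (needs oscap installed).  Exit code 1 means the audit did
    not happen and must not be reported as 'no findings'; 2 is the normal
    'findings' case and is handled like 0."""
    proc = subprocess.run(build_eval_command(datastream, profile, results_path, report_path),
                          capture_output=True, text=True)
    if proc.returncode == OSCAP_ERROR:
        raise RuntimeError("oscap could not evaluate %s: %s" % (datastream, proc.stderr.strip()))
    with open(results_path, encoding="utf-8") as fh:
        summary = summarize(parse_rule_results(fh.read()))
    summary["exit_code"] = proc.returncode
    return summary


# Constructed TestResult fragment (not real scanner output) so the parsing
# part runs without oscap installed.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_common">
  <rule-result idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">
    <result>fail</result>
  </rule-result>
</TestResult>
"""

if __name__ == "__main__":
    print(summarize(parse_rule_results(SAMPLE_RESULTS)))
```

Keep exit code 1 separate from exit code 2 in whatever consumes this: a scan that could not run (wrong profile id, unreadable datastream, missing OVAL) must never be recorded as "no failures", which is exactly the silent gap a continuous audit is meant to close.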

Puppet
IT automation software that helps system administrators manage infrastructure throughout its lifecycle, from provisioning and configuration to orchestration and reporting.
- Easily automate repetitive tasks
- Quickly deploy critical applications
- Proactively manage change, scaling from tens of servers to thousands, on-premise or in the cloud
Slide 9

Puppet typical workflow
Diagram: Puppet interface, version control repository, Puppet master and nodes running the Puppet agent (master/agent traffic over SSL).
1. Commit changes (to the version control repository)
2. Perform checkout (Puppet master)
3. Apply changes (Puppet agent on the nodes)
4. Report back the performed changes
Slide 10

Puppet interface Slide 11

Mcollective 1/2
The Marionette Collective (MCollective) is a framework to build server orchestration and parallel job execution systems.
It uses publish/subscribe middleware and real-time discovery of network resources based on metadata rather than hostnames, delivering a scalable and fast parallel execution environment.
Slide 12

Mcollective 2/2
- Uses a broadcast paradigm for request distribution: all servers get all requests at the same time; requests carry filters and only servers matching the filter act on them.
- There is no central asset database to go out of sync; the network is the only source of truth.
- Removes the need for complex hostname naming conventions as a means of identity: metadata comes from Puppet, Facter or custom plugins.
- CLI tools to call remote agents.
- Ability to write custom reports about your infrastructure.
- Allows you to write simple RPC-style agents, clients and web UIs in an easy-to-understand language: Ruby.
- Includes authentication, authorization and auditing (AAA) of requests. Since every server sees every request, these controls are what stop an unauthorized client from driving the whole fleet.
Slide 13

MCO in action (screenshots)
Slides 14-17

What is Spacewalk (1/2)
Open source Linux systems management software from Red Hat, released under the terms of the GNU General Public License version 2. It is the upstream project from which the commercial Red Hat Satellite (5.x) and SUSE Manager products are built.
Manages software content updates for Red Hat-derived distributions (Fedora, CentOS, Scientific Linux) and also for SUSE. You can:
- stage software content through different environments,
- manage the deployment of updates to systems, and
- view at which update level any given system is across your deployment.
Provides a central web interface for viewing systems and their software update status, and for initiating update actions.
Slide 18

What is Spacewalk (2/2)
Provides provisioning and monitoring capabilities, allowing you to:
- Inventory your systems (hardware and software information)
- Install and update software on your systems
- Collect and distribute your custom software packages into manageable groups
- Provision (kickstart) your systems
- Manage and deploy configuration files to your systems
- Monitor your systems
- Provision virtual guests
- Start/stop/configure virtual guests
- Distribute content across multiple geographical sites in an efficient manner
Multiple Spacewalk Proxies can connect to a central Spacewalk server and cache and distribute content from the Spacewalk server in various geographical locations.
More on spacewalk.redhat.com
Slide 19

Spacewalk architecture
Three-tier architecture:
1. Presentation tier: web UI, command line clients, and XML-RPC clients
2. Logic tier: spread across four languages: Java, Perl, Python, and PL/SQL
3. Data tier: an RDBMS, Oracle or PostgreSQL
Entities:
- Backend: provides a set of APIs that the different client utilities (rhn_register, up2date, yum) connect to.
- Taskomatic: a daemon whose job is to perform long-running tasks that are scheduled to run asynchronously, such as cleaning up the sessions table or sending out email notifications for new errata.
Slide 20

A Spacewalk typical configuration Slide 21

Cooking all together! (architecture diagram)
Slide 22

Fetching and updating OVAL files
Diagram: the Puppet master fetches the Red Hat OVAL feed (com.redhat.rhsa-all.xml) and the Novell/SUSE feeds (suse.linux.enterprise.server.11.xml and suse.linux.enterprise.server.11-patch.xml) and serves them to the nodes.

Puppet master (filefetcher::fetch is a site-local defined type not shown on the slide):

  node 'puppet-master-ent.ecmwf.int' {
    filefetcher::fetch { 'Security Oval':
      filename   => 'com.redhat.rhsa-all.xml',
      target_dir => '/etc/puppetlabs/code/environments/production/modules/ecpds/files/roothomefolder',
      user       => 'root',
      rights     => '644',
      url        => 'http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml',
      redownload => true,
    }
    filefetcher::fetch { 'suse.linux.enterprise.server.11.xml':
      filename   => 'suse.linux.enterprise.server.11.xml',
      target_dir => '/etc/puppetlabs/code/environments/production/modules/ecpds/files/roothomefolder',
      user       => 'root',
      rights     => '644',
      url        => 'http://support.novell.com/security/oval/suse.linux.enterprise.server.11.xml',
      redownload => true,
    }
    filefetcher::fetch { 'suse.linux.enterprise.server.11-patch.xml':
      filename   => 'suse.linux.enterprise.server.11-patch.xml',
      target_dir => '/etc/puppetlabs/code/environments/production/modules/ecpds/files/roothomefolder',
      user       => 'root',
      rights     => '644',
      url        => 'http://support.novell.com/security/oval/suse.linux.enterprise.server.11-patch.xml',
      redownload => true,
    }
  }

Nodes (the openscap module schedules the XCCDF evaluation; period and weekday in openscap::params set the default cadence):

  class { 'openscap::xccdf::eval':
    name   => 'my-daily-ssg-audit',
    period => 'daily',
  }

  class openscap::params {
    $period          = 'weekly'
    $weekday         = 'Sat'
    $content_package = ['scap-security-guide']
    $xccdf_path      = '/usr/share/xml/scap/ssg/fedora/ssg-fedora-ds.xml'
    $xccdf_profile   = 'xccdf_org.ssgproject.content_profile_common'
    case $::osfamily {
      'redhat': { $packages = ['rubygem-openscap'] }
      'suse':   { $packages = ['openscap'] }
      default:  { fail("the ${module_name} module is not supported on an ${::osfamily} based system.") }
    }
  }

Note that both feeds are fetched over plain HTTP and copied to the nodes as they arrive. Whoever can tamper with that download decides which advisories every node checks for, so fetch over HTTPS and verify a checksum or signature before distributing the file.
Slide 23
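The fetch above trusts whatever arrives at the URL. The following Python is an added example, not code from the talk: the checks a Puppet master can run on a freshly downloaded vendor OVAL file before pushing it to the nodes. It verifies that the file is an OVAL definitions document, that the generator timestamp is recent (a feed that silently stops updating makes every node look fully patched), that it contains definitions, and optionally that its SHA-256 matches a pinned value. The OVAL document, the 7-day limit and the dates used are constructed.

```python
"""Added example (not code from the talk): sanity checks for a vendor OVAL
feed before it is distributed to nodes."""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_COMMON_NS = "http://oval.mitre.org/XMLSchema/oval-common-5"


def _as_utc(value):
    """Accept a datetime or an ISO-8601 string; treat naive values as UTC."""
    ts = value if isinstance(value, datetime) else datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def inspect_oval(xml_bytes):
    """Return (definition_count, generator_timestamp, sha256_hex), or raise
    ValueError for anything that is not an OVAL definitions document."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError("not well-formed XML: %s" % exc)
    if root.tag != "{%s}oval_definitions" % OVAL_DEF_NS:
        raise ValueError("unexpected root element %s" % root.tag)
    # <generator> is in the definitions namespace, its children in oval-common.
    ts_el = root.find("./{%s}generator/{%s}timestamp" % (OVAL_DEF_NS, OVAL_COMMON_NS))
    if ts_el is None or not ts_el.text:
        raise ValueError("generator timestamp missing")
    definitions = root.find("{%s}definitions" % OVAL_DEF_NS)
    count = 0 if definitions is None else len(definitions)
    return count, _as_utc(ts_el.text.strip()), hashlib.sha256(xml_bytes).hexdigest()


def is_oval_feed(xml_bytes):
    """True if inspect_oval accepts the document."""
    try:
        inspect_oval(xml_bytes)
        return True
    except ValueError:
        return False


def check_feed(xml_bytes, now=None, max_age_days=7, expected_sha256=None):
    """List of problems; an empty list means the file may be distributed."""
    count, generated, digest = inspect_oval(xml_bytes)
    now = datetime.now(timezone.utc) if now is None else _as_utc(now)
    problems = []
    if count == 0:
        problems.append("no definitions")
    if now - generated > timedelta(days=max_age_days):
        problems.append("stale")
    if expected_sha256 is not None and digest != expected_sha256.lower():
        problems.append("hash mismatch")
    return problems


# Constructed OVAL document (not a real vendor feed): two patch definitions
# generated on 2015-06-01.
SAMPLE_OVAL = b"""<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5">
  <generator>
    <oval:product_name>constructed example feed</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2015-06-01T12:00:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:com.example:def:1" version="1" class="patch">
      <metadata><title>Example advisory 1</title></metadata>
      <criteria/>
    </definition>
    <definition id="oval:com.example:def:2" version="1" class="patch">
      <metadata><title>Example advisory 2</title></metadata>
      <criteria/>
    </definition>
  </definitions>
</oval_definitions>
"""

if __name__ == "__main__":
    print(inspect_oval(SAMPLE_OVAL)[:2], check_feed(SAMPLE_OVAL, now="2015-06-03T00:00:00"))
```

Pin the hash to the value published alongside the feed, or to the value observed on a trusted out-of-band fetch, and treat "stale" as a hard failure of the audit rather than a warning: a six-week-old OVAL file passes every node that applied six-week-old patches.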

Audit flow (diagram)
Spacewalk schedules the audit; the Puppet master and Mcollective execute it on the nodes; results are reported back at each stage (nodes, Puppet master/Mcollective, Spacewalk).
Slide 24
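The "Spacewalk schedules the audit" step in the diagram can be driven through the XML-RPC tier from Slide 20. The following Python is an added example, not code from the talk: it logs in, schedules an OpenSCAP XCCDF scan on every registered system and collects per-system faults instead of aborting the fleet. It assumes the Spacewalk API methods auth.login, auth.logout, system.listSystems and system.scap.scheduleXccdfScan as documented in the Spacewalk API reference; the server URL, the credentials taken from the environment and the FakeSpacewalk stand-in are placeholders so the scheduling logic can run offline. The datastream path and profile are the ones from Slide 23.

```python
"""Added example (not code from the talk): schedule an XCCDF scan on every
Spacewalk-registered system through the XML-RPC API."""
import os
import xmlrpc.client

SPACEWALK_API = "https://spacewalk.example.org/rpc/api"          # placeholder
XCCDF_PATH = "/usr/share/xml/scap/ssg/fedora/ssg-fedora-ds.xml"  # as on Slide 23
OSCAP_PARAMS = "--profile xccdf_org.ssgproject.content_profile_common"


def schedule_xccdf_scans(client, session_key, xccdf_path, oscap_params, only=None):
    """Schedule one scan per registered system (optionally restricted to the
    names in `only`).  Returns ({name: action_id}, {name: fault_string}).
    A fault on one system must neither abort the others nor be mistaken
    for a scheduled scan."""
    scheduled, errors = {}, {}
    for system in client.system.listSystems(session_key):
        name = system["name"]
        if only is not None and name not in only:
            continue
        try:
            action_id = client.system.scap.scheduleXccdfScan(
                session_key, system["id"], xccdf_path, oscap_params)
            scheduled[name] = action_id
        except xmlrpc.client.Fault as fault:
            errors[name] = fault.faultString
    return scheduled, errors


class FakeSpacewalk:
    """Constructed stand-in for xmlrpc.client.ServerProxy: three registered
    systems, one of which the server refuses to schedule."""
    SYSTEMS = [{"id": 1, "name": "web01.example.org"},
               {"id": 2, "name": "legacy01.example.org"},
               {"id": 3, "name": "db01.example.org"}]

    def __init__(self):
        self.calls = []
        self.system = self   # so client.system.listSystems(...) resolves
        self.scap = self     # so client.system.scap.scheduleXccdfScan(...) resolves

    def listSystems(self, session_key):
        return list(self.SYSTEMS)

    def scheduleXccdfScan(self, session_key, server_id, xccdf_path, oscap_params):
        self.calls.append((server_id, xccdf_path, oscap_params))
        if server_id == 2:
            raise xmlrpc.client.Fault(-1, "constructed fault: scan refused")
        return 1000 + server_id


def main():
    client = xmlrpc.client.ServerProxy(SPACEWALK_API)
    key = client.auth.login(os.environ["SPACEWALK_USER"], os.environ["SPACEWALK_PASSWORD"])
    try:
        scheduled, errors = schedule_xccdf_scans(client, key, XCCDF_PATH, OSCAP_PARAMS)
    finally:
        client.auth.logout(key)
    print("scheduled:", scheduled)
    print("errors:", errors)


if __name__ == "__main__":
    main()
```

Use a dedicated, least-privileged Spacewalk account for this job, and log the systems that end up in `errors`: on the client side the scheduled action only runs where the spacewalk-oscap package is installed, so a system that cannot be scheduled is a system that is not being audited.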

Reports (screenshots)
Slides 25-29

Results
- Consistent system configuration and compliance with standards.
- Integration of security and auditing into the entire lifecycle of a system through the configuration management frameworks: security and auditing are not isolated processes.
- Prevention of configuration and/or security drift.
- Early warning of missing packages/patches and potential vulnerabilities.
- Automation of the entire process, so that it scales with a considerable increase in the number of systems.
- Applicable to different environments, ranging from physical on-premise systems to virtual machines in the cloud or remote systems (which may need additional protection and auditing).
Slide 30
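Drift prevention and early warning only fall out of a continuous audit if consecutive runs are compared, per node and across the fleet. The following Python is an added example, not code from the talk: given two runs in the shape {node: {rule_id: result}} (the mapping one gets from each node's XCCDF TestResult), it reports rules that went from pass to fail (drift, or a newly published advisory), rules that were remediated, nodes audited for the first time, and nodes that stopped reporting, which must not be read as compliant. It also ranks failing rules by how many nodes they affect. Both runs and the two rule ids are constructed.

```python
"""Added example (not code from the talk): drift and early-warning signals
from two consecutive fleet-wide audit runs."""
from collections import Counter

R_PATCH = "xccdf_org.ssgproject.content_rule_security_patches_up_to_date"
R_ROOT = "xccdf_org.ssgproject.content_rule_sshd_disable_root_login"

# Constructed: previous and current run over the same fleet.
PREVIOUS_RUN = {
    "web01": {R_PATCH: "pass", R_ROOT: "pass"},
    "web02": {R_PATCH: "pass", R_ROOT: "fail"},
    "db01":  {R_PATCH: "pass", R_ROOT: "pass"},
}
CURRENT_RUN = {
    "web01": {R_PATCH: "fail", R_ROOT: "pass"},   # new advisory: patch check now fails
    "web02": {R_PATCH: "fail", R_ROOT: "pass"},   # root login fixed, patch missing
    "new01": {R_PATCH: "fail", R_ROOT: "fail"},   # node never audited before
}                                                  # db01 reported nothing this run


def find_drift(previous, current):
    """Per-node transitions between two runs.  Nodes that stopped reporting
    are listed separately: silence is not compliance."""
    report = {"regressed": {}, "remediated": {}, "unseen_nodes": {}, "missing_nodes": []}
    for node, results in current.items():
        if node not in previous:
            # First audit of this node: every failure is new information.
            report["unseen_nodes"][node] = sorted(r for r, v in results.items() if v == "fail")
            continue
        before = previous[node]
        regressed = sorted(r for r, v in results.items()
                           if v == "fail" and before.get(r) == "pass")
        remediated = sorted(r for r, v in results.items()
                            if v == "pass" and before.get(r) == "fail")
        if regressed:
            report["regressed"][node] = regressed
        if remediated:
            report["remediated"][node] = remediated
    report["missing_nodes"] = sorted(set(previous) - set(current))
    return report


def failing_rules_by_prevalence(run):
    """(rule_id, number_of_failing_nodes), most widespread first: the order
    in which a fleet-wide fix pays off most."""
    counts = Counter(rule for results in run.values()
                     for rule, v in results.items() if v == "fail")
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print(find_drift(PREVIOUS_RUN, CURRENT_RUN))
    print(failing_rules_by_prevalence(CURRENT_RUN))
```

A pass-to-fail transition on a patch rule with no configuration change on the node is the early warning the Results slide describes: the vendor published an advisory and the OVAL feed picked it up. A pass-to-fail transition on a configuration rule is drift. Both deserve a ticket; a node in `missing_nodes` deserves one first.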

Resources
1. SCAP: http://scap.nist.gov/
2. XCCDF - The Extensible Configuration Checklist Description Format: http://scap.nist.gov/specifications/xccdf/
3. CPE - Common Platform Enumeration: https://nvd.nist.gov/cpe.cfm
4. CCE - Common Configuration Enumeration: https://nvd.nist.gov/cce/index.cfm
5. OVAL - Open Vulnerability and Assessment Language: https://oval.mitre.org/
6. Puppet: https://puppetlabs.com
7. Spacewalk: http://spacewalk.redhat.com/
8. Mcollective: https://puppetlabs.com/mcollective
Slide 31
