CONQUERING COMPLIANCE ISSUES WITH RHN SATELLITE AND TENABLE NESSUS SECURITY
Akash Chandrashekar - Solution Architect, Red Hat
Renaud Deraison - Tenable Network Security, Inc. / Nessus.org
Compliance Issues Can Be a Growing Pain
- Each industry is affected by its own compliance rules (FDCC, HIPAA, SOX, PCI, and many, many more)
- Executive summary of all the requirements: control your network, keep it tight and up to date, and be able to prove it
- Not all requirements affect the entire network (e.g. PCI DSS applies to the systems that store, process or transmit cardholder data)
PCI DSS Requirement 11: Regularly test security systems and processes
- Regular audits of the perimeter (or network) by third parties (every quarter)
- Typical example: an e-commerce site scanned by a PCI ASV (Approved Scanning Vendor)
- PCI ASV scans use Nessus and other scanners to do their job
Issues with PCI ASVs (and auditors in general)
- False positives: Red Hat backports security patches. A server whose banner advertises Apache 2.2.4 is not necessarily vulnerable to every flaw affecting Apache < 2.2.18, because the fixes may have been backported without changing the version string. When in doubt, most vendors prefer a false positive to a false negative.
- Findings can now be disputed. However:
  - This is expensive (charged per scan)
  - This is time-consuming (where to get the information?)
Issues with PCI ASVs (and auditors in general), cont.
- How to prepare for an audit and be ready to explain why some findings are false positives?
- How to prove that patches are applied regularly?
- What if your patch schedule does not fit the quarterly scans?
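An added example (not from the deck, nor from Tenable or Red Hat code) of how to gather the justification for a backport false positive. The ASV finding is keyed on the advertised version, while the evidence that the fix was backported lives in the package changelog (`rpm -q --changelog httpd` on the host). The script below parses that format and reports, for each version-based finding, whether every CVE behind it is documented as fixed. The changelog excerpt and the scanner findings are constructed so the example runs offline: the CVE identifiers are real Apache httpd issues, but the packager, dates and release numbers are made up.

```python
"""Added example: triage version-based scanner findings against an RPM changelog."""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed excerpt in the format of `rpm -q --changelog httpd` on a RHEL 5 host.
# The CVE identifiers are real httpd issues; packager, dates and releases are made up.
SAMPLE_CHANGELOG = """\
* Tue Sep 06 2011 Example Packager <packager@example.com> - 2.2.3-53.el5_7.1
- add security fix for CVE-2011-3192

* Wed Jul 27 2011 Example Packager <packager@example.com> - 2.2.3-53
- add security fix for CVE-2010-1452
- fix typo in error message

* Mon Jan 10 2011 Example Packager <packager@example.com> - 2.2.3-45
- rebuild
"""

# Constructed findings of the kind an ASV report lists for an "Apache/2.2.3" banner.
SAMPLE_FINDINGS = [
    ("Apache < 2.2.20 Range header DoS", ["CVE-2011-3192"]),
    ("Apache < 2.2.16 multiple vulnerabilities", ["CVE-2010-1452"]),
    ("Apache < 2.2.15 TLS renegotiation", ["CVE-2009-3555"]),
]


def parse_changelog(text):
    """Split changelog text into (release, body_lines) tuples, newest entry first.

    rpm prints each entry as '* <date> <packager> - <version-release>' followed by
    '- ' lines; the release is the part after the last ' - ' on the header line.
    """
    entries = []
    for line in text.splitlines():
        if line.startswith("* "):
            header = line[2:]
            release = header.rsplit(" - ", 1)[1].strip() if " - " in header else ""
            entries.append((release, []))
        elif entries:
            entries[-1][1].append(line)
    return entries


def backported_cves(text):
    """Map each CVE mentioned in the changelog to the newest release that mentions it."""
    fixed = {}
    for release, body in parse_changelog(text):
        for cve in CVE_RE.findall("\n".join(body)):
            fixed.setdefault(cve.upper(), release)  # entries are newest first
    return fixed


def triage_findings(changelog, findings):
    """Return [(title, verdict, evidence)] for each scanner finding.

    verdict is 'false positive' when every CVE behind the finding appears in the
    changelog (evidence: CVE -> release that fixed it), otherwise 'investigate'
    with the CVEs that have no entry: they may be fixed in another package
    (e.g. openssl rather than httpd) or really be missing on the host.
    """
    fixed = backported_cves(changelog)
    result = []
    for title, cves in findings:
        missing = [c for c in cves if c.upper() not in fixed]
        if missing:
            result.append((title, "investigate", missing))
        else:
            result.append((title, "false positive", {c: fixed[c.upper()] for c in cves}))
    return result


if __name__ == "__main__":
    for title, verdict, evidence in triage_findings(SAMPLE_CHANGELOG, SAMPLE_FINDINGS):
        print("%-45s %-15s %s" % (title, verdict, evidence))
```

On a real host, save `rpm -q --changelog httpd` to a file and pass its contents as `changelog`; the matching release string is what you quote back to the ASV, together with the RHSA that shipped it.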
Red Hat Satellite
PCI compliance features provided by Red Hat Satellite include:
- One-click software updates in an easy-to-use interface
- Role-based administration
- Flexible delivery architectures: Satellite, Proxy, Hosted
- Group systems together for easier administration
- Automate formerly manual tasks
- Manage the complete life-cycle of Linux infrastructure
- Track the performance of Linux systems
[Diagram: web interface and API layer on top of RHN Satellite, reporting on compliant systems]
Centralized management of configurations and policies enables enterprises to efficiently implement and monitor controls.
Red Hat Satellite (cont.)
Red Hat Satellite is a great way to manage one's network in a compliant way. However, we still need to:
- Prove that every host scanned is indeed managed by Satellite
- Prove that every host scanned is patched (regularly)
- Prove that every host is configured properly from a security point of view
Red Hat Satellite (cont.)
[Diagram: two overlapping sets, "Systems audited for PCI" and "Systems managed by Satellite"]
- Not every host related to PCI is managed by Satellite (yet :)
- Satellite and the scan results give different views of the same hosts
Red Hat Satellite: Unlocking the Power of the API
- Connect to the Satellite server via an XML-RPC library
- Authenticate and obtain a session key
- Perform the queries and operations of interest, passing the session key with each call
- Log out when done
* Normal Satellite server permissions/roles apply to API calls
Red Hat Satellite: Nessus Integration with RHN Satellite
[Diagram: Satellite API integration; the XML-RPC API layer fronts Software Distribution, Account Management, Channel Management, Monitoring and Provisioning]
The API layer can be used to integrate with disparate systems by making remote procedure calls using XML over HTTP.
Nessus + RHN Satellite
Each time Nessus scans a host, it can connect to the local RHN Satellite server and ask: "Do you manage it?" and "How do you manage it?"
Nessus
- Popular vulnerability scanner with open source roots, since 1998
- Over 40,000 vulnerability checks
- Used by most auditors/PCI ASVs out there
- Scans a network for remote and local vulnerabilities and misconfigurations
- Least expensive commercial vulnerability scanner out there ($1200/year, unlimited targets, free for home use)
- Also includes web app auditing, local policy audits and more...
- http://www.nessus.org for more information
How to use Nessus for PCI scanning?
- As a product, Nessus can NOT be certified by the PCI council (the council approves scanning vendors, i.e. services, not products)
- However, Nessus helps you prepare for a PCI scan: it will report the results that most ASVs will report, so you are prepared
- It helps you find all the justifications for false positives
Nessus + RHN Satellite
- What if the hosts scanned for PCI have not been updated yet (outside of the regular patch schedule)?
- Launch the patch application process directly from your scan!
Nessus + RHN Satellite
- How to prove that patches are applied regularly?
- Nessus will produce a per-host Spacewalk (Satellite) report showing the history of applied patches
Nessus + RHN Satellite
Reports contain both the results found remotely and the information gathered from Satellite. This arms you with all the facts you need to successfully pass your PCI audit:
- Host is managed by Satellite
- Host is up to date
- Host is patched regularly
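The API workflow from the "Unlocking the Power of the API" slide and the per-host checks on the Nessus + RHN Satellite slides (managed? up to date? patched regularly? push the missing patches?), as one added example that is not code from the deck, from Nessus or from Satellite. It wraps the Satellite XML-RPC session (auth.login, system.getId, system.getRelevantErrata, system.getEventHistory, system.scheduleApplyErrata, auth.logout are the real Satellite 5 / Spacewalk method names; the session key returned by auth.login goes into every later call) and builds the per-host report. To run offline it talks to a constructed in-memory stand-in that mimics those calls, including rejecting calls without a live session key. The "patched regularly" rule (no gap over 90 days in the last year, in line with quarterly scans), the event-summary wording "Errata Update", and every hostname, ID and advisory name are assumptions; against a real server, pass the object returned by `connect()` in place of `fake_satellite()`.

```python
"""Added example: query RHN Satellite about a scanned host over its XML-RPC API."""
import datetime as dt
import xmlrpc.client
from types import SimpleNamespace

def connect(satellite_host):  # real client; use_datetime=True yields datetime objects
    return xmlrpc.client.ServerProxy("https://%s/rpc/api" % satellite_host, use_datetime=True)

class SatelliteSession:
    """auth.login -> session key -> system.* calls -> auth.logout; Satellite roles apply."""
    def __init__(self, client, login, password):
        self.client, self.key = client, client.auth.login(login, password)

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.client.auth.logout(self.key)

    def find_system(self, hostname):
        # system.getId lists every profile with that name; an empty list means unmanaged
        matches = self.client.system.getId(self.key, hostname)
        return matches[0] if matches else None

    def pending_security_errata(self, sid):
        # relevant = applicable to the host and not yet applied; keep only RHSAs
        return [e for e in self.client.system.getRelevantErrata(self.key, sid)
                if e["advisory_type"] == "Security Advisory"]

    def errata_events(self, sid):
        # completion times of past errata actions (the summary wording is an assumption)
        return sorted(ev["completed"] for ev in self.client.system.getEventHistory(self.key, sid)
                      if ev.get("completed") and "errata" in ev["summary"].lower())

    def schedule_errata(self, sid, errata_ids):
        # push the advisories the scan found missing; the return shape varies by release
        return self.client.system.scheduleApplyErrata(self.key, sid, errata_ids)

def patched_regularly(events, now, max_gap_days=90, lookback_days=365):
    """Assumed policy (quarterly, like ASV scans): no gap between errata applications
    inside the lookback window, nor since the last one, may exceed max_gap_days."""
    recent = [e for e in events if now - e <= dt.timedelta(days=lookback_days)]
    if not recent:
        return False
    gaps = [b - a for a, b in zip(recent, recent[1:])] + [now - recent[-1]]
    return max(gaps) <= dt.timedelta(days=max_gap_days)

def audit_host(session, hostname, now, apply_missing=False):
    """The per-host facts the report needs: managed? up to date? patched regularly?"""
    system = session.find_system(hostname)
    if system is None:
        return {"host": hostname, "managed": False}
    sid = system["id"]
    pending = session.pending_security_errata(sid)
    events = session.errata_events(sid)
    report = {"host": hostname, "managed": True, "satellite_id": sid,
              "last_checkin": system["last_checkin"], "up_to_date": not pending,
              "pending_security_advisories": [e["advisory_name"] for e in pending],
              "errata_applications": len(events),
              "patched_regularly": patched_regularly(events, now)}
    if pending and apply_missing:
        report["scheduled_action"] = session.schedule_errata(sid, [e["id"] for e in pending])
    return report

def fake_satellite():
    """Constructed offline stand-in with the real call shapes; IDs and advisory names are made up."""
    sid = 1000010000
    systems = [{"id": sid, "name": "web1.example.com", "last_checkin": dt.datetime(2011, 9, 5, 8, 0)}]
    errata = {sid: [{"id": 8001, "advisory_name": "RHSA-2011:9901", "advisory_type": "Security Advisory"}]}
    events = {sid: [{"summary": "Errata Update", "completed": dt.datetime(2011, 8, 20, 3, 0)},
                    {"summary": "Package Install", "completed": dt.datetime(2011, 7, 1, 3, 0)},
                    {"summary": "Errata Update", "completed": dt.datetime(2011, 5, 30, 3, 0)},
                    {"summary": "Errata Update", "completed": dt.datetime(2011, 3, 2, 3, 0)}]}
    sessions = set()

    def guarded(fn):  # like the real server: every call after login needs a live session key
        def call(key, *args):
            if key not in sessions:
                raise xmlrpc.client.Fault(-1, "Session id is invalid")
            return fn(*args)
        return call

    def login(user, password):  # a real Satellite returns an opaque session key string
        sessions.add("key-" + user)
        return "key-" + user

    return SimpleNamespace(
        auth=SimpleNamespace(login=login, logout=lambda key: sessions.discard(key) or 1),
        system=SimpleNamespace(
            getId=guarded(lambda name: [s for s in systems if s["name"] == name]),
            getRelevantErrata=guarded(lambda s: list(errata.get(s, []))),
            getEventHistory=guarded(lambda s: list(events.get(s, []))),
            scheduleApplyErrata=guarded(lambda s, ids: [900000 + i for i in ids])))

def demo(now=dt.datetime(2011, 9, 6, 12, 0)):
    """Audit one managed and one unmanaged host against the constructed Satellite."""
    with SatelliteSession(fake_satellite(), "nessus", "secret") as s:
        return (audit_host(s, "web1.example.com", now, apply_missing=True),
                audit_host(s, "unknown.example.com", now))
```

Run `demo()` to see both reports: the managed host comes back with one pending RHSA (so not up to date), three errata applications at most 89 days apart (so patched regularly under the assumed rule) and the action scheduled to close the gap, while the unmanaged host is flagged as not managed, which is exactly the host that would be missing from the Satellite view on the earlier slide. Use a dedicated Satellite account for the scanner with the least role it needs, since the API enforces the same permissions as the web interface.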
DEMO
QUESTIONS?
http://www.redhat.com/red_hat_network/
http://www.nessus.org/
http://blog.tenable.com