Puppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollective
2 likes1,094 views
The document discusses the integration of OpenSCAP compliance validation with MCollective, focusing on security automation, compliance checking, and the development process of plugins. It highlights the functionalities and capabilities of MCollective in managing and executing OpenSCAP scans, as well as the future possibilities for automated patch scanning and tailored reporting. The presentation emphasizes the importance of open standards in security compliance and invites participation in the development of the project.
![WritingtheApplication
The User Interface to the System
Independent Validation
Receive and Process Results
def main
rpcutil = rpcclient('oscap') # The name of your agent goes here
printrpc rpcutil.send(configuration[:command],configuration)
printrpcstats :summarize => true
end](https://image.slidesharecdn.com/distributedopenscapcompliancevalidationwithmcollective-150521185250-lva1-app6891/85/Puppet-Camp-DC-2015-Distributed-OpenSCAP-Compliance-Validation-with-MCollective-25-320.jpg)
![ProfileDiscovery
Need to know what profiles exist before scanning
Mines the XCCDF file for a list of supported profiles
Returns the list from all Nodes
$ mco oscap profiles
master
OpenSCAP Profiles: ["rht-ccp"]
Finished processing 1 / 1 hosts in 172.97 ms](https://image.slidesharecdn.com/distributedopenscapcompliancevalidationwithmcollective-150521185250-lva1-app6891/85/Puppet-Camp-DC-2015-Distributed-OpenSCAP-Compliance-Validation-with-MCollective-31-320.jpg)
![OVALDiscovery
Many times only a targeted scan is required
No obvious list of what scan targets are availble
Extracts the common name of plugins from the system
$ mco oscap oval_checks
master
OVAL Checks: ["partition_for_tmp => oval:ssg:def:272",
"partition_for_var => oval:ssg:def:151",
"partition_for_var_log => oval:ssg:def:334",
# Lots more...
"snmpd_not_default_password => oval:ssg:def:164"]
Finished processing 1 / 1 hosts in 204.91 ms](https://image.slidesharecdn.com/distributedopenscapcompliancevalidationwithmcollective-150521185250-lva1-app6891/85/Puppet-Camp-DC-2015-Distributed-OpenSCAP-Compliance-Validation-with-MCollective-32-320.jpg)
Puppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollective
- 1. MCollectiveOpenSCAPValidation DistributedOpenSCAPComplianceValidation withMCollective Trevor Vaughan - Onyx Point, Inc. License:Attribution-ShareAlike3.0Unported(CCBY-SA3.0) 3
- 2. HiEverybody! Puppet Certified Professional Puppet Certified Developer Red Hat Certified Engineer Co-Founder of (2009) Puppet Labs Services Partner Government Contracting Automation, Data Flow, and Cloud Infrastructure Consulting FOSS Supporters Onyx Point, Inc.
- 3. WhatWeWillCover Intro to SCAP Intro to MCollective The SCAP Security Guide Development Process Plugin Capabilities The Future Demo
- 5. WhatisSCAP Security Automation Content Protocol Language Definitions For Configuration Patch Checking Vulnerability Checking Technical Control Compliance Security Measurement NIST - 800-126
- 6. RelevantSCAPLanguages XCCDF Extensible Configuration Checklist Description Format Provides mappings from Policy to Assessment OVAL Open Vulnerability Assessment Language Provides the actual checks against the system
- 7. WhyThisisImportant A recognized standard for Federal Systems Often used for FISMA compliance checking Supported by most major vendors Ability to switch between approved tools (or write your own!) Everyone should support Open Standards!
- 9. Whatisthe ?SSG Official SCAP baseline project for Red Hat Enterprise Linux Fedora Linux Java JBoss OpenStack Upstream project for the DISA STIG Creators of USGCB Red Hat baseline content GET INVOLVED! It's Open Source Help Shape Rational Policy
- 10. MCollective
- 11. Whatis ?MCollective A Plugin-centric Command and Control Framework Designed to Work at Scale Publish/Subscribe AMQP Middleware Security Friendly Middleware Enables Few Port Connections AMQP Provides Inbuilt Failover and Scaling All Messages are Encrypted Regardless of Transport Plugin System Enhanced Authentication/Authorization Auditing and Restriction
- 22. WritingtheAgent:DDL action 'scan', :description => 'Run an OpenSCAP scan.' do display :always # Required Parameters input :profile, :prompt => 'Profile Name', :description => 'A specific Profile to run.', :type => :string, :validation => '.*', :optional => false, :maxlength => 1024 output :score, :description => 'OpenSCAP Scan Score', :display_as => 'Score', :default => '0' summarize do aggregate summary(:score) end
- 23. WritingtheAgent:Capabilities Know what you need to run by hand first Remember: This part runs on the server $ oscap xccdf eval --profile 'my-profile' --cpe cpe-dict.xml --results /tmp/scan.xml os-xccdf.xml With SCAP, and are your friends Load the XML and dig for gold Pry Nokigiri
- 24. WritingtheAgent:Functionality 1. Create your Scaffold 2. Add your actions 3. Rinse and Repeat module MCollective module Agent class Oscap<RPC::Agent require 'mcollective/agent/oscap/util' include MCollective::Agent::Oscap::Util require 'mcollective/agent/oscap/profiles' include MCollective::Agent::Oscap::Profiles action 'profiles' do get_profiles(xccdf(request)) end end end end
- 25. WritingtheApplication The User Interface to the System Independent Validation Receive and Process Results def main rpcutil = rpcclient('oscap') # The name of your agent goes here printrpc rpcutil.send(configuration[:command],configuration) printrpcstats :summarize => true end
- 26. Testing! The Easy Way some boxes Run 'mco oscap' a lot The Right Way Lots of examples with I'll get around to it one day ;-) Vagrant Up Rspec existing plugins
- 27. DoingHorribleThings I have these great RHEL Profiles.... But, can I run them on CentOS? Why Yes, now you can! Agents run Ruby and Ruby can manipulate data Therefore...you can convert profiles on the fly! No, this is not supported by the SSG team and my sincerest apologies to Shawn Wells
- 28. AreYouAwake?!
- 30. OperatingSystemSupport Currently Tested on RHEL7 and CentOS7 Tested Against the SSG Profiles Other Systems should work
- 31. ProfileDiscovery Need to know what profiles exist before scanning Mines the XCCDF file for a list of supported profiles Returns the list from all Nodes $ mco oscap profiles master OpenSCAP Profiles: ["rht-ccp"] Finished processing 1 / 1 hosts in 172.97 ms
- 32. OVALDiscovery Many times only a targeted scan is required No obvious list of what scan targets are availble Extracts the common name of plugins from the system $ mco oscap oval_checks master OVAL Checks: ["partition_for_tmp => oval:ssg:def:272", "partition_for_var => oval:ssg:def:151", "partition_for_var_log => oval:ssg:def:334", # Lots more... "snmpd_not_default_password => oval:ssg:def:164"] Finished processing 1 / 1 hosts in 204.91 ms
- 33. PerformingaFullScan Simplest scan form May take a LONG time $ mco oscap scan -p rht-ccp -i ALL master Scan Results: Score: 64.405869 Summary of Score: 64.405869 = 1 Finished processing 1 / 1 hosts in 31973.00 ms
- 35. Yep,That'saLOTofData $ mco oscap scan -p rht-ccp -i ALL -f master Scan Results: {"partition_for_tmp"=>{ :severity=>"low", :result=>"fail" }, # 71 More Results... "sshd_use_approved_ciphers"=>{ :severity=>"medium", :result=>"fail" }} Score: 64.405869 Summary of Score: 64.405869 = 1 Finished processing 1 / 1 hosts in 10236.46 ms
- 36. SomethingMoreReasonable $ mco oscap scan -p rht-ccp -i package_telnet_removed master Scan Results: Pass Score: 0 Summary of Score: 0 = 1 Finished processing 1 / 1 hosts in 737.32 ms
- 38. Future:AutomatedPatchScanning We can scan OVAL Content Vendors put out OVAL Patch Checks Security authorities should be able to scan systems as data is published
- 39. Future:ProfileMangling We can already mangle Red Hat to CentOS Why not more?! Only Target Scans of a Particular Level Scan all nodes for High risk items Disable Individual Checks By regex or name Disable Long Running Checks Change Setting Thresholds on the Fly Ex: Check that password length > 32 For targetd scans Write a custom profile for large changes
- 40. Future:BetterReporting Using the default reports for now Ideally would have rich summaries Complex analytics done elsewhere
- 41. Future: OutputLogStash For advanced reporting Send useful summary to MCO clients Send tagged data to LogStash Best of both worlds!
- 42. Demonstration
- 44. Resources The MCollective Plugin for OpenSCAP Please help make it better! The source code for this presentation. The official documentation on writing MCollective Agents and Applications. The definitive book on MCollective by Excellent SCAP Learning Material by The Plugin Presentation Source Puppet Labs' MCollective Documentation Learning MCollective Book Jo Rhett SCAP & STIG Workshop Shawn Wells
- 45. PresentationInformation This presentation was made possible by: byReveal.js Hakim El Hattab