Puppet Camp DC 2015: Distributed OpenSCAP Compliance Validation with MCollective

Post on 20-Jul-2015



MCollective OpenSCAP Validation

Distributed OpenSCAP Compliance Validation with MCollective

Trevor Vaughan - Onyx Point, Inc.

License: Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0)


Hi Everybody!
Puppet Certified Professional
Puppet Certified Developer
Red Hat Certified Engineer
Co-Founder of (2009)

Onyx Point, Inc.
Puppet Labs Services Partner
Government Contracting
Automation, Data Flow, and Cloud Infrastructure Consulting
FOSS Supporters

What We Will Cover
Intro to SCAP
Intro to MCollective
The SCAP Security Guide
Development Process
Plugin Capabilities
The Future
Demo

Introduction to SCAP

What is SCAP?
Security Content Automation Protocol

Language definitions for:
Configuration
Patch Checking
Vulnerability Checking
Technical Control Compliance
Security Measurement

Specified in NIST SP 800-126

Relevant SCAP Languages

XCCDF: Extensible Configuration Checklist Description Format. Provides the mapping from policy to assessment: a Profile selects the Rules (and the Values they use) that make up a baseline.

OVAL: Open Vulnerability and Assessment Language. Provides the actual checks that are run against the system; each XCCDF Rule references an OVAL definition.

Why This is Important
A recognized standard for Federal systems
Often used for FISMA compliance checking
Supported by most major vendors
Ability to switch between approved tools (or write your own!)
Everyone should support open standards!

What is the SSG?
The SCAP Security Guide: the official SCAP baseline project for Red Hat Enterprise Linux, Fedora Linux, Java, JBoss, and OpenStack
Upstream project for the DISA STIG
Creators of the USGCB Red Hat baseline content
GET INVOLVED! It's open source: help shape rational policy.

MCollective

What is MCollective?
A plugin-centric command and control framework, designed to work at scale
Publish/subscribe AMQP middleware

Security friendly:
Middleware means few open ports: every node connects out to the broker, so nothing needs to listen on the nodes themselves
AMQP provides built-in failover and scaling
Messages are signed, and can be encrypted, by the security plugin regardless of transport (the psk and ssl plugins sign each message, the aes_security plugin also encrypts it, and TLS to the broker protects the hop in transit)
Plugin system: enhanced authentication/authorization, auditing and restriction

MCollective Communication


Summary Sparklines (R.I. Pienaar)

Plugin Development Process

Writing the Agent: DDL

action 'scan', :description => 'Run an OpenSCAP scan.' do
  display :always

  # Required Parameters
  input :profile,
        :prompt      => 'Profile Name',
        :description => 'A specific Profile to run.',
        :type        => :string,
        :validation  => '.*',
        :optional    => false,
        :maxlength   => 1024

  output :score,
         :description => 'OpenSCAP Scan Score',
         :display_as  => 'Score',
         :default     => '0'

  summarize do
    aggregate summary(:score)
  end
end

Note that :validation => '.*' accepts any string. Because the profile name ends up on the oscap command line, validate it again inside the agent (for example against the list of profiles discovered from the XCCDF) and pass it as a separate argument rather than through a shell.

Writing the Agent: Capabilities
Know what you need to run by hand first.
Remember: this part runs on the MCollective server, i.e. on every managed node, not on the client where you type mco.

  $ oscap xccdf eval --profile 'my-profile' --cpe cpe-dict.xml \
      --results /tmp/scan.xml os-xccdf.xml

With SCAP, Pry and Nokogiri are your friends: load the XML and dig for gold.

Writing the Agent: Functionality
1. Create your scaffold
2. Add your actions
3. Rinse and repeat

module MCollective
  module Agent
    class Oscap < RPC::Agent
      require 'mcollective/agent/oscap/util'
      include MCollective::Agent::Oscap::Util

      require 'mcollective/agent/oscap/profiles'
      include MCollective::Agent::Oscap::Profiles

      action 'profiles' do
        get_profiles(xccdf(request))
      end
    end
  end
end

Writing the Application
The user interface to the system: independent validation, then receive and process the results.

def main
  rpcutil = rpcclient('oscap') # The name of your agent goes here
  printrpc rpcutil.send(configuration[:command], configuration)

  printrpcstats :summarize => true
end
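An added example, not code from the plugin or the presentation, of the pure-Ruby helpers behind such an agent: profile discovery and OVAL-check discovery from the XCCDF, score and per-rule result extraction from an oscap results file, and building the oscap argument vector with the requested profile and rule checked against the content before anything is executed. REXML from the standard library stands in for Nokogiri so it runs without extra gems. The two XML fragments are constructed to mirror the shape of SSG XCCDF 1.1 content and of what oscap writes with --results; the rule ids, OVAL definition ids, score and content path are assumptions.

```ruby
# Added example (not the plugin's own code): agent-side helpers for an
# MCollective OpenSCAP agent, using REXML instead of Nokogiri.
require 'rexml/document'
require 'rexml/xpath'

module OscapHelpers
  # Constructed, heavily abridged stand-in for ssg-rhel7-xccdf.xml (ids assumed).
  SAMPLE_XCCDF = <<~XML
    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-7">
      <Profile id="rht-ccp"><title>Red Hat Corporate Profile</title></Profile>
      <Profile id="common"><title>Common Profile</title></Profile>
      <Group id="system">
        <Rule id="partition_for_tmp" severity="low">
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg:def:272" href="ssg-rhel7-oval.xml"/>
          </check>
        </Rule>
        <Rule id="sshd_use_approved_ciphers" severity="medium">
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg:def:300" href="ssg-rhel7-oval.xml"/>
          </check>
        </Rule>
        <Rule id="package_telnet_removed" severity="high">
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg:def:120" href="ssg-rhel7-oval.xml"/>
          </check>
        </Rule>
      </Group>
    </Benchmark>
  XML

  # Constructed stand-in for the file `oscap xccdf eval --results` writes.
  SAMPLE_RESULTS = <<~XML
    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="RHEL-7">
      <TestResult id="xccdf_org.open-scap_testresult_rht-ccp">
        <rule-result idref="partition_for_tmp"><result>fail</result></rule-result>
        <rule-result idref="sshd_use_approved_ciphers"><result>fail</result></rule-result>
        <rule-result idref="package_telnet_removed"><result>pass</result></rule-result>
        <rule-result idref="partition_for_var"><result>notselected</result></rule-result>
        <score system="urn:xccdf:scoring:default" maximum="100.000000">64.405869</score>
      </TestResult>
    </Benchmark>
  XML

  CONTENT = '/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml' # assumed path

  # Bind prefix x to the root's default namespace, so the same XPath
  # expressions work for XCCDF 1.1 and 1.2 content alike.
  def self.xpath(node, expr)
    doc = node.is_a?(REXML::Document) ? node : node.document
    REXML::XPath.match(node, expr, 'x' => doc.root.namespace)
  end

  # Profile discovery: every Profile id in the benchmark (mco oscap profiles).
  def self.profiles(xccdf)
    xpath(REXML::Document.new(xccdf), '//x:Profile').map { |p| p.attributes['id'] }
  end

  # OVAL discovery: rule id => OVAL definition id (mco oscap oval_checks).
  def self.oval_checks(xccdf)
    xpath(REXML::Document.new(xccdf), '//x:Rule').each_with_object({}) do |r, h|
      ref = xpath(r, 'x:check/x:check-content-ref').first
      h[r.attributes['id']] = ref.attributes['name'] if ref
    end
  end

  # Rule id => severity, used to decorate results the way the -f output does.
  def self.severities(xccdf)
    xpath(REXML::Document.new(xccdf), '//x:Rule').each_with_object({}) do |r, h|
      h[r.attributes['id']] = r.attributes['severity'] || 'unknown'
    end
  end

  # Dig the score and per-rule results out of the results file, dropping
  # rules the profile never selected so the client only sees what was checked.
  def self.results(results_xml, severities)
    doc = REXML::Document.new(results_xml)
    score = xpath(doc, '//x:TestResult/x:score').first.text.to_f
    rules = xpath(doc, '//x:TestResult/x:rule-result').each_with_object({}) do |rr, h|
      result = xpath(rr, 'x:result').first.text
      next if result == 'notselected'
      id = rr.attributes['idref']
      h[id] = { severity: severities.fetch(id, 'unknown'), result: result }
    end
    { score: score, rules: rules }
  end

  # Build argv for oscap. The profile and optional single rule are checked
  # against the content, so a permissive DDL regex is not the last line of
  # defence, and the array form means nothing is ever interpreted by a shell.
  def self.oscap_argv(xccdf, profile, results_path, rule: nil, content: CONTENT)
    raise ArgumentError, "unknown profile #{profile.inspect}" unless profiles(xccdf).include?(profile)
    argv = ['oscap', 'xccdf', 'eval', '--profile', profile]
    if rule
      raise ArgumentError, "unknown rule #{rule.inspect}" unless severities(xccdf).key?(rule)
      argv += ['--rule', rule]
    end
    argv + ['--results', results_path, content]
  end
end
```

The agent would hand the array from oscap_argv to Process.spawn (or MCollective's own shell helper) without a shell, then read the --results file back through results and attach the score and rule hash to the reply.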

Testing!

The Easy Way
Vagrant up some boxes
Run 'mco oscap' a lot

The Right Way
RSpec
Lots of examples with existing plugins
I'll get around to it one day ;-)

Doing Horrible Things
I have these great RHEL Profiles.... But, can I run them on CentOS?
Why yes, now you can! Agents run Ruby and Ruby can manipulate data.

Therefore... you can convert profiles on the fly!

No, this is not supported by the SSG team, and my sincerest apologies to Shawn Wells.

Are You Awake?!

Plugin Capabilities

Operating System Support
Currently tested on RHEL7 and CentOS7
Tested against the SSG profiles
Other systems should work

Profile Discovery
Need to know what profiles exist before scanning
Mines the XCCDF file for a list of supported profiles
Returns the list from all nodes

  $ mco oscap profiles

  master
     OpenSCAP Profiles: ["rht-ccp"]

  Finished processing 1 / 1 hosts in 172.97 ms

OVAL Discovery
Many times only a targeted scan is required
No obvious list of what scan targets are available
Extracts each rule's common name and its OVAL definition id from the content

  $ mco oscap oval_checks

  master
     OVAL Checks: ["partition_for_tmp => oval:ssg:def:272",
                   "partition_for_var => oval:ssg:def:151",
                   "partition_for_var_log => oval:ssg:def:334",
                   # Lots more...
                   "snmpd_not_default_password => oval:ssg:def:164"]

  Finished processing 1 / 1 hosts in 204.91 ms

Performing a Full Scan
Simplest scan form
May take a LONG time

  $ mco oscap scan -p rht-ccp -i ALL

  master
     Scan Results:
        Score: 64.405869

  Summary of Score:

     64.405869 = 1

  Finished processing 1 / 1 hosts in 31973.00 ms

Pfft...Scores are for the Weak

Yep, That's a LOT of Data

  $ mco oscap scan -p rht-ccp -i ALL -f

  master
     Scan Results:
        {"partition_for_tmp"=>{ :severity=>"low", :result=>"fail" },
         # 71 More Results...
         "sshd_use_approved_ciphers"=>{ :severity=>"medium", :result=>"fail" }}
        Score: 64.405869

  Summary of Score:

     64.405869 = 1

  Finished processing 1 / 1 hosts in 10236.46 ms

Something More Reasonable

  $ mco oscap scan -p rht-ccp -i package_telnet_removed

  master
     Scan Results: Pass
        Score: 0

  Summary of Score:

     0 = 1

  Finished processing 1 / 1 hosts in 737.32 ms

Future: Automated Patch Scanning
We can scan OVAL content
Vendors put out OVAL patch checks
Security authorities should be able to scan systems as data is published

Future: Profile Mangling
We can already mangle Red Hat to CentOS. Why not more?!

Only target scans of a particular level: scan all nodes for high-risk items
Disable individual checks, by regex or name
Disable long-running checks
Change setting thresholds on the fly for targeted scans (ex: check that password length > 32)
Write a custom profile for large changes
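An added example, not the plugin's or the presentation's own code, of the two kinds of mangling described on this and the "Doing Horrible Things" slide, done with REXML from the standard library. The first function rewrites the benchmark's CPE platform references so RHEL content applies to a CentOS host. The second builds an XCCDF 1.2 Tailoring document instead of editing the benchmark itself: it extends a base profile, deselects rules by regex or below a severity floor, and overrides a Value (here a password minimum length), for use with oscap xccdf eval --tailoring-file. The benchmark fragment is constructed in the shape of SSG XCCDF 1.2 content; the rule, value and profile ids, the CPE names and the tailoring id are assumptions.

```ruby
# Added example (not the plugin's own code): profile mangling on the fly.
require 'rexml/document'
require 'rexml/xpath'

module ProfileMangler
  NS = { 'x' => 'http://checklists.nist.gov/xccdf/1.2' }
  # Assumed CPE names; extend the map for other rebuilds of the same content.
  CPE_MAP = { 'cpe:/o:redhat:enterprise_linux:7' => 'cpe:/o:centos:centos:7' }
  SEVERITY_RANK = { 'low' => 1, 'medium' => 2, 'high' => 3 }

  # Constructed, abridged benchmark in SSG XCCDF 1.2 shape (ids assumed).
  SAMPLE_XCCDF = <<~XML
    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
      <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
      <Profile id="xccdf_org.ssgproject.content_profile_rht-ccp"><title>Red Hat Corporate Profile</title></Profile>
      <Value id="xccdf_org.ssgproject.content_value_var_password_pam_minlen"><value>12</value></Value>
      <Rule id="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low"/>
      <Rule id="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" severity="medium"/>
      <Rule id="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high"/>
    </Benchmark>
  XML

  # (1) Red Hat -> CentOS: swap every <platform idref> through the map so the
  # benchmark is evaluated instead of coming back "notapplicable".
  def self.retarget_platforms(xccdf, map = CPE_MAP)
    doc = REXML::Document.new(xccdf)
    REXML::XPath.each(doc, '//x:platform', NS) do |p|
      old = p.attributes['idref']
      p.attributes['idref'] = map.fetch(old, old)
    end
    out = +''
    doc.write(out)
    out
  end

  # (2a) Rules to drop: any id matching a disable pattern, or any rule whose
  # severity is below the requested floor (e.g. only High for a fleet sweep).
  def self.deselected_rules(xccdf, disable: [], min_severity: nil)
    floor = min_severity ? SEVERITY_RANK.fetch(min_severity) : 0
    rules = REXML::XPath.match(REXML::Document.new(xccdf), '//x:Rule', NS)
    dropped = rules.select do |r|
      id = r.attributes['id']
      disable.any? { |pat| pat.match?(id) } ||
        SEVERITY_RANK.fetch(r.attributes['severity'], 0) < floor
    end
    dropped.map { |r| r.attributes['id'] }
  end

  # (2b) Emit an XCCDF 1.2 Tailoring document: a new Profile that extends
  # base_profile, deselects the rules above and overrides the given Values.
  def self.tailoring(xccdf, base_profile:, new_id:, benchmark_href:,
                     disable: [], min_severity: nil, values: {})
    doc = REXML::Document.new('<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2"/>')
    t = doc.root
    t.attributes['id'] = 'xccdf_org.example_tailoring_mco' # assumed id
    t.add_element('benchmark', 'href' => benchmark_href)
    t.add_element('version', 'time' => Time.now.utc.strftime('%FT%TZ')).text = '1'
    prof = t.add_element('Profile', 'id' => new_id, 'extends' => base_profile)
    prof.add_element('title').text = "#{base_profile} tailored by mco"
    deselected_rules(xccdf, disable: disable, min_severity: min_severity).each do |id|
      prof.add_element('select', 'idref' => id, 'selected' => 'false')
    end
    values.each { |id, v| prof.add_element('set-value', 'idref' => id).text = v.to_s }
    out = +''
    doc.write(out)
    out
  end
end
```

Writing the tailoring to a file and running oscap xccdf eval --tailoring-file tailoring.xml --profile <new_id> <benchmark> leaves the vendor content untouched, which is the difference between this and rewriting the benchmark as the platform rewrite does; for anything larger than a few selects and values, write a custom profile as the slide says.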

Future: Better Reporting
Using the default reports for now
Ideally would have rich summaries
Complex analytics done elsewhere

Future: Output
LogStash for advanced reporting
Send a useful summary to MCO clients
Send tagged data to LogStash
Best of both worlds!
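An added example, not the plugin's own code, of the split the slide proposes: one function reduces a scan to the short summary an MCO client wants (score, failures per severity, worst failing severity), the other turns the same scan into newline-delimited JSON events, one per rule plus one summary event, tagged so LogStash can route and filter them. The input hash is constructed in the shape of the -f scan output shown earlier; host, profile and timestamp handling are assumptions.

```ruby
# Added example (not the plugin's own code): summary for MCO, events for LogStash.
require 'json'

module OscapOutput
  RANK = { 'low' => 1, 'medium' => 2, 'high' => 3 }

  # Constructed scan result in the shape the agent's full scan returns.
  SAMPLE = {
    host: 'master', profile: 'rht-ccp', score: 64.405869,
    rules: {
      'partition_for_tmp'         => { severity: 'low',    result: 'fail' },
      'sshd_use_approved_ciphers' => { severity: 'medium', result: 'fail' },
      'package_telnet_removed'    => { severity: 'high',   result: 'pass' }
    }
  }

  # What the MCO client shows: the score plus how bad the failures are.
  def self.summary(scan)
    fails = scan[:rules].select { |_, r| r[:result] == 'fail' }
    by_sev = fails.values.group_by { |r| r[:severity] }.transform_values(&:size)
    worst = fails.values.map { |r| r[:severity] }.max_by { |s| RANK.fetch(s, 0) }
    { score: scan[:score], failed: fails.size, by_severity: by_sev, worst: worst }
  end

  # What goes to LogStash: one NDJSON event per rule, tagged with its result
  # and severity, followed by a summary event for dashboards.
  def self.logstash_events(scan, time: Time.now.utc)
    base = { '@timestamp' => time.strftime('%FT%T.%3NZ'), 'host' => scan[:host],
             'profile' => scan[:profile] }
    events = scan[:rules].map do |id, r|
      base.merge('type' => 'oscap_rule', 'rule' => id, 'severity' => r[:severity],
                 'result' => r[:result], 'tags' => ['oscap', r[:result], r[:severity]])
    end
    s = summary(scan)
    events << base.merge('type' => 'oscap_summary', 'score' => s[:score],
                         'failed' => s[:failed], 'worst' => s[:worst], 'tags' => ['oscap'])
    events.map { |e| JSON.generate(e) }.join("\n") + "\n"
  end
end
```

Shipping events rather than the full results file keeps the per-node reply small, and the tags let a LogStash filter drop passes or alert only on high-severity failures without parsing XCCDF again.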

Demonstration

Resources

The Plugin: the MCollective plugin for OpenSCAP. Please help make it better!

Presentation Source: the source code for this presentation.

Puppet Labs' MCollective Documentation: the official documentation on writing MCollective agents and applications.

Learning MCollective, by Jo Rhett: the definitive book on MCollective.

SCAP & STIG Workshop, by Shawn Wells: excellent SCAP learning material.

Presentation Information

This presentation was made with Reveal.js by Hakim El Hattab.

Thanks for Coming!

Questions?