Automate Security Testing and System Compliance Agenda - PowerPoint PPT Presentation

Automate Security Testing and System Compliance Agenda ● Introduction to SCAP ● Introduction to STIG ● SUSE STIG Automation ● Demo Time ● What’s next?

What is SCAP? The Security Content Automation Protocol is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. ● Automated ● vulnerability management and measurement ● policy compliance evaluation ● OpenSCAP has received a NIST certification for SCAP 1.2.

What is SCAP? SCAP uses several formats and enumerations XML format specifying security XML format specifying security Extensible Configuration Extensible Configuration XCCDF XCCDF checklists, benchmarks and checklists, benchmarks and Checklist Description Format Checklist Description Format configuration documentation. configuration documentation. XML format for testing the XML format for testing the Open Vulnerability and Open Vulnerability and OVAL OVAL presence of a specific machine presence of a specific machine Assessment Language Assessment Language state. state. Common Vulnerabilities Common Vulnerabilities Reference IDs for publicly known Reference IDs for publicly known CVE CVE and Exposures and Exposures security vulnerabilities. security vulnerabilities. Common Vulnerability Common Vulnerability Standard for assessing the Standard for assessing the CVSS CVSS Scoring System severity of security vulnerabilities. Scoring System severity of security vulnerabilities. Structured naming scheme for Structured naming scheme for Common Platform Common Platform CPE CPE information technology systems, information technology systems, Enumeration Enumeration software, and packages. software, and packages. Unique identifiers to security- Unique identifiers to security- Common Configuration Common Configuration CCE CCE related system configuration related system configuration Enumeration Enumeration issues. issues.

XCCDF Extensible Configuration Checklist Description Format ● Development led by NIST ● XML format ● Automated compliance testing and scoring ● Security checklists ● Benchmarks ● Configuration documentation

OVAL Open Vulnerability and Assessment Language ● Moderated by the Center for Internet Security (CIS) ● XML format ● Representing system information and reporting results ● Reliable and reproducible

OVAL Open Vulnerability and Assessment Language ● Platform dependent (Linux, Windows, etc.) and independent tests. Independent Linux ● family_test ● partition_test ● filehash58_test ● rpminfo_test ● ldap57_test ● selinuxboolean_test ● sql57_test ● systemdunitdependency_test ● textfilecontent54_test ● dpkginfo_test ... ... ● All tests have an _object and _state element.

CPE Common Platform Enumeration ● Maintained by NIST / NVD ● Updated online CPE dictionary XML file. ● Standardized naming scheme for IT products. ● cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language} Examples: cpe:/o:suse cpe:/o:suse:linux_enterprise_server:12 cpe:/o:opensuse:leap:15.0 cpe:/a:open-scap:oscap cpe:/h:hp:laserjet_p4014

SCAP component interaction (simplyfied) SCAP SCAP XCCDF XCCDF CPE (OVAL) CPE (OVAL) remediate OVAL OVAL System Settings System Settings

XCCDF Tailoring <Benchmark> <Profile id="stig"> X <select rule="1 " > XCCDF ✔ <select rule="2 " > ✔ <select rule="3 " > ✔ <select rule="4" ✖ > <refine-value "logins" selector="3"/> <Tailoring> Tailoring <Benchmark> File <Profile id="stig_new" extends="stig"> X <select rule="2" > ✖ <refine-value "logins" selector="2"/>

DataStreams <data-stream-collection> ● XML format that packs other <data-stream> SCAP components into a <dictionaries> <checklists> single file. <checks> ● Useful when distributing SCAP </data-stream> content for example over the <component> web. CPE Dictionary XCCDF Benchmark - Profiles - Tailored Profiles OVAL Definitions

What is STIG? Security Technical Implementation Guide ● System hardening – prevent system access (physically/network) – defined maintenance processes / patching – might cover configuration settings ● Required to be able to connect to DoD networks ● Approved and published by the Defense Information Systems Agency (DISA) ● Also used in the non government sector

SLES 12 STIG ● SUSE Linux Enterprise Server (SLES) 12 STIG ● Version 1, Release 1 ● Officially published September 2018 ● 204 Rules ● Available at DISA web page: https://iase.disa.mil/stigs/os/unix-linux/

SLES 12 STIG IDs Requirement VulDiscussion Status Check Fix Severity CCI- The SUSE opera�ng A SUSE opera�ng Applicable - Verify that the SUSE opera�ng Upgrade the SUSE CAT I 001230 system must be a system release is Configurable system is a vendor supported Linux Enterprise vendor supported considered release. SUSE opera�ng SRG-OS- release. "supported" if the system to a version 000480- vendor con�nues to Check that the SUSE opera�ng supported by the GPOS- provide security system is a vendor supported vendor. If the system 00227 patches for the release with the following is not registered with product. With an command: the SUSE Customer SUSE- unsupported release, Center register the 12- it will not be possible #cat /etc/os-release system against the 010000 to resolve security correct subscrip�on. issues discovered in NAME="SLES" If the system the system so�ware. VERSION="12" requires Long Term Service Pack Support Current End of Life for SLES 12 (LTSS) support obtain is 31 Oct 2024. the correct LTSS subscrip�on for the If the release is not supported system. by the vendor, this is a finding.

SLES 12 STIG ● DISA STIG Viewer

SLES 12 STIG ● DISA STIG Viewer

SLES 12 STIG ● DISA STIG Viewer

SLES 12 STIG Automation ● Using “ComplianceAsCode” project framework ● Publicly hosted at github.com ● https://github.com/openSUSE/ComplianceAsCode-content/ [branch: stig-sle12] ● Project status: ● ~90% of the rules are implemented with automated remediation.

OpenSCAP: CLI

OpenSCAP: Remediation

OpenSCAP: DISA STIG Viewer output

OpenSCAP: DISA STIG Viewer output

What’s next?

What’s next? ● SUSE Linux Enterprise Server STIG ● Update and refinement SLES 12 Version ● Customer ready automated version ● SUSE Linux Enterprise Server 15 STIG ● ComplianceAsCode extention ● SUSE Security and Hardening Guide ● Implementation of PCI-DSS rules

What’s next? YOUR INPUT IS NEEDED!

What’s next? security@suse.com