Automate Security Testing and System Compliance Agenda - - PowerPoint PPT Presentation


Automate Security Testing and System Compliance

Agenda

  • Introduction to SCAP
  • Introduction to STIG
  • SUSE STIG Automation
  • Demo Time
  • What’s next?

What is SCAP?

The Security Content Automation Protocol

is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.

  • Automated
    – vulnerability management and measurement
    – policy compliance evaluation
  • OpenSCAP has received a NIST certification for SCAP 1.2.

What is SCAP?

SCAP uses several formats and enumerations

XCCDF (Extensible Configuration Checklist Description Format)

XML format specifying security checklists, benchmarks and configuration documentation.

OVAL (Open Vulnerability and Assessment Language)

XML format for testing the presence of a specific machine state.

CVE (Common Vulnerabilities and Exposures)

Reference IDs for publicly known security vulnerabilities.

CVSS (Common Vulnerability Scoring System)

Standard for assessing the severity of security vulnerabilities.

CPE (Common Platform Enumeration)

Structured naming scheme for information technology systems, software, and packages.

CCE (Common Configuration Enumeration)

Unique identifiers for security-related system configuration issues.


XCCDF

Extensible Configuration Checklist Description Format

  • Development led by NIST
  • XML format
  • Automated compliance testing and scoring
  • Security checklists
  • Benchmarks
  • Configuration documentation

OVAL

Open Vulnerability and Assessment Language

  • Moderated by the Center for Internet Security (CIS)
  • XML format
  • Representing system information and reporting results
  • Reliable and reproducible

OVAL

Open Vulnerability and Assessment Language

  • Platform dependent (Linux, Windows, etc.) and independent tests.

Independent

  • family_test
  • filehash58_test
  • ldap57_test
  • sql57_test
  • textfilecontent54_test

Linux

  • partition_test
  • rpminfo_test
  • selinuxboolean_test
  • systemdunitdependency_test
  • dpkginfo_test

...

  • All tests have an _object and _state element.

CPE

Common Platform Enumeration

  • Maintained by NIST / NVD
  • Updated online CPE dictionary XML file.
  • Standardized naming scheme for IT products.
  • cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}

Examples:

  • cpe:/o:suse
  • cpe:/o:suse:linux_enterprise_server:12
  • cpe:/o:opensuse:leap:15.0
  • cpe:/a:open-scap:oscap
  • cpe:/h:hp:laserjet_p4014
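The naming scheme above is what SCAP content uses to decide whether a rule applies to the scanned platform. The following is an added example, not code from the slides or from OpenSCAP: it parses CPE 2.2 URIs into the fields listed on the slide and does a simplified applicability match in which unspecified trailing components act as wildcards (the full CPE matching specification also handles escaped characters and edition sub-fields; the rule list and system name are constructed).

```python
from typing import Dict, List, Optional, Sequence, Tuple

# Field order of a CPE 2.2 URI, as on the slide:
# cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
CPE_PARTS = ("a", "o", "h")  # application, operating system, hardware


def parse_cpe(uri: str) -> Dict[str, Optional[str]]:
    """Split a CPE 2.2 URI into named components; trailing fields may be omitted."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE_FIELDS) or parts[0] not in CPE_PARTS:
        raise ValueError(f"malformed CPE URI: {uri!r}")
    # An omitted or empty component means "any value" (None here).
    return {name: (parts[i] if i < len(parts) and parts[i] else None)
            for i, name in enumerate(CPE_FIELDS)}


def cpe_matches(platform: str, target: str) -> bool:
    """True when every component the platform name specifies equals the target's.

    Unspecified components act as wildcards, so the vendor-level name cpe:/o:suse
    covers cpe:/o:suse:linux_enterprise_server:12 but not cpe:/o:opensuse:leap:15.0.
    Simplification: escaped characters and edition sub-fields are not handled."""
    p, t = parse_cpe(platform), parse_cpe(target)
    return all(p[f] is None or p[f] == t[f] for f in CPE_FIELDS)


def applicable_rules(rules: Sequence[Tuple[str, Sequence[str]]], system_cpe: str) -> List[str]:
    """Keep rule ids whose platform list (what XCCDF <platform idref="..."/> carries)
    has a CPE name matching the scanned system; rules without platforms apply everywhere."""
    return [rid for rid, platforms in rules
            if not platforms or any(cpe_matches(p, system_cpe) for p in platforms)]


# Constructed rule list and constructed system name for a stand-alone run.
SAMPLE_RULES = [
    ("rule-os-release", ["cpe:/o:suse"]),
    ("rule-leap-only", ["cpe:/o:opensuse:leap:15.0"]),
    ("rule-sles12-only", ["cpe:/o:suse:linux_enterprise_server:12"]),
    ("rule-any-platform", []),
]
SYSTEM_CPE = "cpe:/o:suse:linux_enterprise_server:12"

if __name__ == "__main__":
    print(parse_cpe("cpe:/h:hp:laserjet_p4014"))
    print(applicable_rules(SAMPLE_RULES, SYSTEM_CPE))
```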


SCAP component interaction (simplified)

[Diagram: SCAP content (XCCDF, OVAL, and CPE evaluated via OVAL) is checked against the System Settings, with a remediate step feeding back into the settings.]


XCCDF Tailoring

The slide shows the benchmark profile on the left and the tailoring file that overrides it on the right (✔ = rule selected, ✖ = rule deselected):

XCCDF

  <Benchmark>
    <Profile id="stig">
      <select rule="1">  ✔
      <select rule="2">  ✔
      <select rule="3">  ✔
      <select rule="4">  ✖
      <refine-value "logins" selector="3"/>

Tailoring File

  <Tailoring>
    <Benchmark>
      <Profile id="stig_new" extends="stig">
        <select rule="2">  ✖
        <refine-value "logins" selector="2"/>
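To see what a tailored profile actually selects once inheritance is resolved, here is an added example (not from the slides or from OpenSCAP) that reads a constructed XCCDF 1.2 benchmark and tailoring file mirroring the slide and computes the effective rule selection and refined value of profile stig_new; rule and profile ids are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed benchmark and tailoring mirroring the slide: profile "stig" selects
# rules 1-3, deselects rule 4 and refines "logins" to selector 3; "stig_new"
# extends it, deselects rule 2 and refines "logins" to selector 2.
BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sles">
  <Profile id="xccdf_example_profile_stig">
    <select idref="rule-1" selected="true"/>
    <select idref="rule-2" selected="true"/>
    <select idref="rule-3" selected="true"/>
    <select idref="rule-4" selected="false"/>
    <refine-value idref="logins" selector="3"/>
  </Profile>
  <Value id="logins"><value selector="2">2</value><value selector="3">3</value></Value>
</Benchmark>"""

TAILORING = """<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring_site">
  <Profile id="xccdf_example_profile_stig_new" extends="xccdf_example_profile_stig">
    <select idref="rule-2" selected="false"/>
    <refine-value idref="logins" selector="2"/>
  </Profile>
</Tailoring>"""


def resolve_profile(benchmark_xml, tailoring_xml, profile_id):
    """Return (selected rule ids, refined values) for a profile, applying XCCDF
    inheritance: a profile's own select/refine-value entries override the ones
    it inherits through extends= from the benchmark or the tailoring file."""
    bench, tail = ET.fromstring(benchmark_xml), ET.fromstring(tailoring_xml)
    profiles = {p.get("id"): p for doc in (bench, tail) for p in doc.findall("x:Profile", NS)}
    values = {v.get("id"): {c.get("selector"): c.text for c in v.findall("x:value", NS)}
              for v in bench.findall("x:Value", NS)}

    def walk(pid, chain=()):
        if pid in chain:
            raise ValueError(f"cyclic extends= chain at {pid}")
        prof = profiles[pid]
        selected, refined = {}, {}
        if prof.get("extends"):  # resolve the parent first, then overlay this profile
            selected, refined = walk(prof.get("extends"), chain + (pid,))
        for sel in prof.findall("x:select", NS):
            selected[sel.get("idref")] = sel.get("selected") == "true"
        for rv in prof.findall("x:refine-value", NS):
            refined[rv.get("idref")] = values[rv.get("idref")][rv.get("selector")]
        return selected, refined

    selected, refined = walk(profile_id)
    return sorted(r for r, on in selected.items() if on), refined
```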


DataStreams

  • XML format that packs other SCAP components into a single file.
  • Useful when distributing SCAP content, for example over the web.

Layout sketched on the slide:

  <data-stream-collection>
    <data-stream>
      <dictionaries>   -> CPE Dictionary
      <checklists>     -> XCCDF Benchmark (Profiles, Tailored Profiles)
      <checks>         -> OVAL Definitions
    </data-stream>
    <component>        (the packed CPE dictionary, XCCDF benchmark and OVAL definitions)

What is STIG?

Security Technical Implementation Guide

  • System hardening
    – prevent system access (physically/network)
    – defined maintenance processes / patching
    – might cover configuration settings
  • Required to be able to connect to DoD networks
  • Approved and published by the Defense Information Systems Agency (DISA)
  • Also used in the non-government sector

SLES 12 STIG

  • SUSE Linux Enterprise Server (SLES) 12 STIG
  • Version 1, Release 1
  • Officially published September 2018
  • 204 Rules
  • Available at the DISA web page: https://iase.disa.mil/stigs/os/unix-linux/


SLES 12 STIG

Example rule entry (columns: IDs, Requirement, VulDiscussion, Status, Check, Fix, Severity):

IDs: CCI-001230, SRG-OS-000480-GPOS-00227, SUSE-12-010000

Requirement: The SUSE operating system must be a vendor supported release.

VulDiscussion: A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.

Status: Applicable - Configurable

Check: Verify that the SUSE operating system is a vendor supported release. Check that the SUSE operating system is a vendor supported release with the following command:

  # cat /etc/os-release
  NAME="SLES"
  VERSION="12"

Current End of Life for SLES 12 is 31 Oct 2024. If the release is not supported by the vendor, this is a finding.

Fix: Upgrade the SUSE Linux Enterprise SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. If the system requires Long Term Service Pack Support (LTSS) support, obtain the correct LTSS subscription for the system.

Severity: CAT I
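The OVAL slide earlier noted that every test has an _object and a _state; the check column above is the kind of manual step that such a test automates. The following added example (not from the slides, the STIG or OpenSCAP) evaluates a constructed textfilecontent54_test whose object reads the VERSION= line of /etc/os-release and whose state expects "12", against constructed file contents; it covers only the version-string part of the check, the vendor-support date still has to be judged separately, and the test, object and state are gathered under one element purely for brevity.

```python
import re
import xml.etree.ElementTree as ET

IND = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#independent}"

# Constructed OVAL content for the SUSE-12-010000 check: the _object locates the
# VERSION= line of /etc/os-release, the _state expects its subexpression to be "12".
# A real definitions file keeps tests, objects and states in separate sections; they
# are gathered under one element here only to keep the example short.
OVAL = """<oval xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <textfilecontent54_test id="oval:example:tst:1" version="1" check="all">
    <object object_ref="oval:example:obj:1"/>
    <state state_ref="oval:example:ste:1"/>
  </textfilecontent54_test>
  <textfilecontent54_object id="oval:example:obj:1" version="1">
    <filepath>/etc/os-release</filepath>
    <pattern operation="pattern match">^VERSION="([^"]+)"</pattern>
    <instance datatype="int">1</instance>
  </textfilecontent54_object>
  <textfilecontent54_state id="oval:example:ste:1" version="1">
    <subexpression operation="equals">12</subexpression>
  </textfilecontent54_state>
</oval>"""

# Constructed /etc/os-release contents standing in for the scanned host.
OS_RELEASE_SLES12 = 'NAME="SLES"\nVERSION="12"\nVERSION_ID="12"\nID="sles"\n'
OS_RELEASE_SLES15 = 'NAME="SLES"\nVERSION="15-SP1"\nVERSION_ID="15.1"\nID="sles"\n'


def eval_textfilecontent54(oval_xml, test_id, files):
    """Evaluate one textfilecontent54_test against in-memory file contents
    ({path: text}). Returns an OVAL-style result: "true", "false" or "error".
    Only the "equals" state operation is implemented."""
    root = ET.fromstring(oval_xml)
    by_id = {el.get("id"): el for el in root}
    test = by_id[test_id]
    obj = by_id[test.find(IND + "object").get("object_ref")]
    state = by_id[test.find(IND + "state").get("state_ref")]
    path = obj.findtext(IND + "filepath")
    if path not in files:
        return "error"  # the object cannot be collected at all
    pattern = re.compile(obj.findtext(IND + "pattern"), re.MULTILINE)
    instance = int(obj.findtext(IND + "instance"))
    # Each match yields its capture group, which becomes the item's subexpression.
    matches = pattern.findall(files[path])
    if len(matches) < instance:
        return "false"  # the requested instance does not exist: nothing to compare
    expected = state.findtext(IND + "subexpression")
    return "true" if matches[instance - 1] == expected else "false"
```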


SLES 12 STIG

  • DISA STIG Viewer

SLES 12 STIG Automation

  • Using “ComplianceAsCode” project framework
  • Publicly hosted at github.com
  • https://github.com/openSUSE/ComplianceAsCode-content/ [branch: stig-sle12]
  • Project status: ~90% of the rules are implemented with automated remediation.

OpenSCAP: CLI


OpenSCAP: Remediation


OpenSCAP: DISA STIG Viewer output


What’s next?


  • SUSE Linux Enterprise Server STIG
  • Update and refinement of the SLES 12 version
  • Customer-ready automated version
  • SUSE Linux Enterprise Server 15 STIG
  • ComplianceAsCode extension
  • SUSE Security and Hardening Guide
  • Implementation of PCI-DSS rules
YOUR INPUT IS NEEDED!

security@suse.com
