
Page 1: SCAP for openSUSE

OpenSCAP and related contents for openSUSE

Kazuki Omo( 面 和毅 ): [email protected]

SIOS Technology, Inc.

Page 2: SCAP for openSUSE

2

Who am I?

- Security Researcher/Engineer (16 years)

- SELinux/MAC Evangelist (11 years)

- Antivirus Engineer (3 years)

- SIEM Engineer (3 years)

- Linux Engineer (16 years)

Page 3: SCAP for openSUSE

3

Agenda

- What is SCAP?

- Enumerations

- Language/Contents

- OpenSCAP

- OpenSUSE contents

- Customize RHEL’s XCCDF file

- Conclusion

Page 4: SCAP for openSUSE

What is SCAP?

Page 5: SCAP for openSUSE

5

SCAP (Security Content Automation Protocol)

Objective: automation of

- Vulnerability management

- Vulnerability measurement

- Policy compliance evaluation

Page 6: SCAP for openSUSE

6

SCAP Components

SCAP is made up of enumerations and languages (diagram on the slide):

Enumerations:

- Common Vulnerabilities and Exposures (CVE)

- Common Configuration Enumeration (CCE)

- Common Platform Enumeration (CPE)

- Common Weakness Enumeration (CWE)

- Common Vulnerability Scoring System (CVSS)

- and so on…

Languages:

- Extensible Configuration Checklist Description Format (XCCDF)

- Open Vulnerability and Assessment Language (OVAL)

Page 7: SCAP for openSUSE

Enumerations

Page 8: SCAP for openSUSE

8

CVE: Common Vulnerabilities and Exposures

Page 9: SCAP for openSUSE

9

CVE: Common Vulnerabilities and Exposures

CVE ID / CPE / Summary

CVE-2016-6662
  CPE: cpe:/a:mariadb:mariadb:10.1.15
  CPE: cpe:/a:mariadb:mariadb:10.1.16
  Summary: Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration.

CVE-2016-2107
  CPE: cpe:/o:redhat:enterprise_linux_server:7.0
  CPE: cpe:/o:novell:leap:42.1
  CPE: cpe:/o:novell:opensuse:13.2
  Summary: Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.

CVE-2016-4979
  CPE: cpe:/a:apache:http_server:2.4.20
  Summary: PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

Page 10: SCAP for openSUSE

10

CPE: Common Platform Enumeration

CPE name / title / href

cpe:/o:novell:leap:42.0
  title: Novell Leap 42.0
  href: https://en.opensuse.org/openSUSE:Leap

cpe:/o:novell:leap:42.1
  title: Novell Leap 42.1
  href: https://en.opensuse.org/openSUSE:Leap

cpe:/o:redhat:enterprise_linux:7.0
  title: Red Hat Enterprise Linux 7.0
  href: http://www.redhat.com/resourcelibrary/datasheets/rhel-7-whats-new

cpe:/o:redhat:enterprise_linux:7.1
  title: Red Hat Enterprise Linux 7.1
  href: http://www.redhat.com/en/resources/whats-new-red-hat-enterprise-linux-71

Page 11: SCAP for openSUSE

11

CPE: Common Platform Enumeration

linux-vs1z:~ # cat /etc/os-release
NAME="openSUSE Leap"
VERSION="42.1"
VERSION_ID="42.1"
PRETTY_NAME="openSUSE Leap 42.1 (x86_64)"
ID=opensuse
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:opensuse:42.1"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://opensuse.org/"
ID_LIKE="suse"
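The two slides above show the practical catch with CPE: the host identifies itself as cpe:/o:opensuse:opensuse:42.1 in /etc/os-release, while the CVE table names the same release cpe:/o:novell:leap:42.1, so a raw string comparison finds no CVE at all. The following Python is an added example (not from the slides or from SUSE); it parses the os-release file and the CPE 2.2 URIs into their components and matches them through a vendor/product alias table, which is an assumption of this example rather than anything the slides define. The CVE-to-CPE rows are the ones on the slide, embedded as constructed sample data.

```python
"""Match a host's /etc/os-release CPE name against a CVE-to-CPE table.

Added example: demonstrates why CPE names must be compared by parsed
components (with vendor/product aliases), not by raw string equality.
"""
from dataclasses import dataclass

# Constructed sample: the os-release contents shown on the slide.
OS_RELEASE = '''NAME="openSUSE Leap"
VERSION="42.1"
VERSION_ID="42.1"
PRETTY_NAME="openSUSE Leap 42.1 (x86_64)"
ID=opensuse
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:opensuse:42.1"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://opensuse.org/"
ID_LIKE="suse"
'''

# Constructed sample: CVE -> CPE pairs taken from the CVE table on the slide.
CVE_CPE_TABLE = [
    ("CVE-2016-6662", "cpe:/a:mariadb:mariadb:10.1.15"),
    ("CVE-2016-6662", "cpe:/a:mariadb:mariadb:10.1.16"),
    ("CVE-2016-2107", "cpe:/o:redhat:enterprise_linux_server:7.0"),
    ("CVE-2016-2107", "cpe:/o:novell:leap:42.1"),
    ("CVE-2016-2107", "cpe:/o:novell:opensuse:13.2"),
    ("CVE-2016-4979", "cpe:/a:apache:http_server:2.4.20"),
]

# Assumption of this example: names different feeds use for the same platform.
VENDOR_ALIASES = {"novell": "opensuse", "suse": "opensuse"}
PRODUCT_ALIASES = {"leap": "opensuse"}


@dataclass(frozen=True)
class Cpe:
    part: str      # "o" = operating system, "a" = application, "h" = hardware
    vendor: str
    product: str
    version: str   # "" means the feed entry names no specific version


def parse_cpe(uri: str) -> Cpe:
    """Parse a CPE 2.2 URI such as cpe:/o:novell:leap:42.1 into its parts."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))  # pad missing trailing components
    return Cpe(*fields[:4])


def parse_os_release(text: str) -> dict:
    """Parse the KEY=VALUE lines of /etc/os-release (values may be quoted)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key] = value.strip().strip('"')
    return out


def normalise(cpe: Cpe) -> Cpe:
    """Fold vendor/product aliases onto one canonical spelling."""
    return Cpe(cpe.part,
               VENDOR_ALIASES.get(cpe.vendor, cpe.vendor),
               PRODUCT_ALIASES.get(cpe.product, cpe.product),
               cpe.version)


def cpe_matches(host: Cpe, feed: Cpe) -> bool:
    """True when the feed entry names the host platform. A feed entry with
    no version matches every version of that product."""
    h, f = normalise(host), normalise(feed)
    same_product = (h.part, h.vendor, h.product) == (f.part, f.vendor, f.product)
    return same_product and (f.version == "" or f.version == h.version)


def cves_for_host(os_release_text: str, table=CVE_CPE_TABLE) -> list:
    """CVE ids whose CPE list names the host, compared by parsed components."""
    host = parse_cpe(parse_os_release(os_release_text)["CPE_NAME"])
    return sorted({cve for cve, cpe in table if cpe_matches(host, parse_cpe(cpe))})


def raw_string_hits(os_release_text: str, table=CVE_CPE_TABLE) -> list:
    """The naive comparison, kept to show that it finds nothing for this host."""
    name = parse_os_release(os_release_text)["CPE_NAME"]
    return sorted({cve for cve, cpe in table if cpe == name})


if __name__ == "__main__":
    print("raw string match:", raw_string_hits(OS_RELEASE))   # []
    print("component match:", cves_for_host(OS_RELEASE))      # ['CVE-2016-2107']
```

The alias table is the part a real deployment has to maintain: the version comparison is exact here, while a feed that states ranges ("before 10.1.17") needs a version-aware comparison on top of this.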

Page 12: SCAP for openSUSE

12

CCE: Common Configuration Enumeration

CCE ID / Description

CCE-5317-3: Core dump size limits should be set appropriately

CCE-5384-3: The read-only SNMP community string should be set appropriately.

CCE-5664-8: The minimum password age should be set as appropriate

CCE-5804-0: The minimum required password length should be set as appropriate

CCE-4858-7: Password history should be saved for an appropriate number of password changes

CCE-5775-2: The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate

Page 13: SCAP for openSUSE

13

CWE: Common Weakness Enumeration

CVE ID / CWE ID

CVE-2016-6662: CWE-264

CVE-2016-2107: CWE-310

CVE-2016-4979: CWE-284

Page 14: SCAP for openSUSE

14

CVSS: Common Vulnerability Scoring System

Page 15: SCAP for openSUSE

Language/Contents

Page 16: SCAP for openSUSE

16

OVAL: Open Vulnerability and Assessment Language

OVAL:

- Checks for vulnerabilities and configuration issues (XML)

- Used for patch management

- Composed of:

  - a collection of CVEs

  - a list of standardized names for vulnerabilities

Page 17: SCAP for openSUSE

17

OVAL: Open Vulnerability and Assessment Language

      <title>CVE-2012-2150</title>
      <affected family="unix">
        <platform>openSUSE Leap 42.1</platform>
      </affected>
      <reference ref_id="CVE-2012-2150"
                 ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150"
                 source="CVE"/>
    </metadata>
    <criteria operator="AND">
      <criterion test_ref="oval:org.opensuse.security:tst:2009117743"
                 comment="openSUSE Leap 42.1 is installed"/>
      <criteria operator="OR">
        <criterion test_ref="oval:org.opensuse.security:tst:2009120999"
                   comment="xfsprogs-3.2.1-5.1 is installed"/>
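The definition above is only true when its criteria tree is true: the platform criterion AND any one of the package criteria. The following Python is an added example, not code from the slides or from the OpenSCAP/SUSE tooling; it evaluates such a criteria tree once the individual test outcomes are known. The definition it parses is constructed in the same shape as the slide's fragment, and its test ids (…:tst:PLATFORM, …:tst:PKG_A, …:tst:PKG_B) are placeholders, not identifiers from the SUSE feed.

```python
"""Evaluate an OVAL <criteria> tree against per-test results.

Added example. The XML below is a constructed definition modelled on the
slide's CVE-2012-2150 fragment; test ids are placeholders.
"""
import xml.etree.ElementTree as ET

OVAL_DEFINITION = """
<definition class="patch" id="oval:org.opensuse.security:def:EXAMPLE" version="1">
  <criteria operator="AND">
    <criterion test_ref="oval:org.opensuse.security:tst:PLATFORM"
               comment="openSUSE Leap 42.1 is installed"/>
    <criteria operator="OR">
      <criterion test_ref="oval:org.opensuse.security:tst:PKG_A"
                 comment="xfsprogs-3.2.1-5.1 is installed"/>
      <criterion test_ref="oval:org.opensuse.security:tst:PKG_B"
                 comment="xfsprogs-devel-3.2.1-5.1 is installed"/>
    </criteria>
  </criteria>
</definition>
"""


def _combine(operator, values):
    """Combine child results the way OVAL's AND / OR / ONE operators do."""
    if operator == "AND":
        return all(values)
    if operator == "OR":
        return any(values)
    if operator == "ONE":
        return sum(1 for v in values if v) == 1
    raise ValueError(f"unsupported operator {operator!r}")


def _local(tag):
    """Strip a namespace prefix so a namespaced OVAL file is handled too."""
    return tag.split("}")[-1]


def evaluate_criteria(node, test_results, definition_results=None):
    """Recursively evaluate <criteria>/<criterion>/<extend_definition>.

    test_results maps test_ref -> bool; definition_results maps the
    definition_ref of an <extend_definition> -> bool. Anything missing is
    treated as False (not satisfied), the conservative choice when deciding
    whether a patch definition applies. negate="true" inverts the result.
    """
    definition_results = definition_results or {}
    tag = _local(node.tag)
    if tag == "criterion":
        result = bool(test_results.get(node.get("test_ref"), False))
    elif tag == "criteria":
        children = [evaluate_criteria(c, test_results, definition_results) for c in node]
        result = _combine(node.get("operator", "AND"), children)
    elif tag == "extend_definition":
        result = bool(definition_results.get(node.get("definition_ref"), False))
    else:
        raise ValueError(f"unexpected element <{tag}> inside criteria")
    if node.get("negate", "false").lower() == "true":
        result = not result
    return result


def definition_is_true(xml_text, test_results, definition_results=None):
    """Parse a <definition> and evaluate its top-level <criteria>."""
    root = ET.fromstring(xml_text)
    criteria = next(c for c in root if _local(c.tag) == "criteria")
    return evaluate_criteria(criteria, test_results, definition_results)


if __name__ == "__main__":
    # Leap 42.1 with the listed xfsprogs build installed: definition is true.
    outcome = definition_is_true(OVAL_DEFINITION, {
        "oval:org.opensuse.security:tst:PLATFORM": True,
        "oval:org.opensuse.security:tst:PKG_A": True,
    })
    print("definition true:", outcome)  # True
```

The recursion mirrors the document structure exactly, so the same function serves the compliance-class definition on a later slide, which nests an extend_definition inside an OR criteria.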

Page 18: SCAP for openSUSE

18

OVAL: Open Vulnerability and Assessment Language

<definition class="compliance" id="oval:ssg-file_permissions_httpd_server_conf_files:def:1" version="2">
  <metadata>
    <title>Verify Permissions On Apache Web Server Configuration Files</title>
    <affected family="unix">
      <platform>Red Hat Enterprise Linux 7</platform>
      <platform>Red Hat Enterprise Linux 6</platform>
    </affected>
    <description>The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).</description>

Page 19: SCAP for openSUSE

19

OVAL: Open Vulnerability and Assessment Language

Page 20: SCAP for openSUSE

20

OVAL: Open Vulnerability and Assessment Language

Page 21: SCAP for openSUSE

21

XCCDF: The eXtensible Configuration Checklist Description Format

XCCDF:

- Writing security checklists, benchmarks, etc. (XML)

- Automated compliance testing and compliance scoring (PCI DSS, etc.)

- A collection of security configuration rules for some set of target systems (e.g. a Docker-enabled host)

Page 22: SCAP for openSUSE

22

XCCDF: The eXtensible Configuration Checklist Description Format

<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           id="RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1">
  <status date="2016-09-20">draft</status>
  <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title>

  <Profile id="pci-dss">
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This is a *draft* profile for PCI-DSS v3</description>
    <select idref="service_auditd_enabled" selected="true"/>
    <select idref="bootloader_audit_argument" selected="true"/>
    <select idref="auditd_data_retention_num_logs" selected="true"/>
    <select idref="audit_rules_dac_modification_chmod" selected="true"/>
    ...

Page 23: SCAP for openSUSE

23

XCCDF: The eXtensible Configuration Checklist Description Format

<Profile id="docker-host">
  <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Standard Docker Host Security Profile</title>
  <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system running the docker daemon.</description>
  <select idref="service_docker_enabled" selected="true"/>
  <select idref="enable_selinux_bootloader" selected="true"/>
  <select idref="selinux_state" selected="true"/>
  <select idref="selinux_policytype" selected="true"/>
  <select idref="docker_selinux_enabled" selected="true"/>
  <select idref="docker_storage_configured" selected="true"/>
  <select idref="remediation_functions" selected="false"/>

Page 24: SCAP for openSUSE

24

XCCDF: The eXtensible Configuration Checklist Description Format

Page 25: SCAP for openSUSE

25

XCCDF: The eXtensible Configuration Checklist Description Format

Page 26: SCAP for openSUSE

OpenSCAP

Page 27: SCAP for openSUSE

27

OpenSCAP

OpenSCAP:

- Provides multiple tools for Administrators/Auditors

Tools:

- OpenSCAP Base (oscap)

- SCAP Workbench (GUI tool)

- OpenSCAP Daemon

- SCAPTimony

- OSCAP Anaconda Add-on

Page 28: SCAP for openSUSE

OpenSUSE contents

Page 29: SCAP for openSUSE

29

OVAL: Open Vulnerability and Assessment Language

Available on ftp.suse.com/pub

Page 30: SCAP for openSUSE

30

OVAL: Open Vulnerability and Assessment Language

Page 31: SCAP for openSUSE

31

OVAL: Open Vulnerability and Assessment Language

Page 32: SCAP for openSUSE

32

XCCDF: The eXtensible Configuration Checklist Description Format

No XCCDF file…

Then:

- We can check vulnerabilities for openSUSE (with the OVAL file)

- We can't check a configuration standard (e.g. PCI DSS) :-(

Page 33: SCAP for openSUSE

33

XCCDF: The eXtensible Configuration Checklist Description Format

There are 2 options:

1. Customize the old SLES XCCDF file ("SLES v11 for System z")

2. Customize the "RHEL_STIG" XML file.

Which is better?

Page 34: SCAP for openSUSE

34

1. Customize "SLES v11 for System z"

Customize the old "SLES v11 for System z" content (http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_2016_07.zip):

- Profiles are organised by MAC (Mandatory Access Control) level plus Public/Sensitive/Classified.

→ Aimed at DoD/Federal Government systems.

- No Benchmark XML file (DPMS_XCCDF_Benchmark_SuSe zLinux.xml)

→ SuSE provides the XML file (not open).

Hard to develop, but we will need it in future.

Page 35: SCAP for openSUSE

35

2. Customize RHEL's "RHEL_STIG" XML file.

- Use the latest RHEL 7 STIG content, which includes PCI DSS v3.0, etc.

https://github.com/OpenSCAP/openscap

Easier to develop.

Take a look for now. ;-)

Page 36: SCAP for openSUSE

Customize RHEL’s XCCDF file

Page 37: SCAP for openSUSE

37

Customize Red Hat's XCCDF file

Customize the Red Hat XCCDF file:

- Change the platform ID:

  <platform idref="cpe:/o:redhat:enterprise_linux:7"/>

  → <platform idref="cpe:/o:opensuse:opensuse"/>

- Change the references to the related XML files (and copy the files):

  <check-content-ref href="ssg-rhel7-ocil.xml"

  → <check-content-ref href="ssg-opensuse-ocil.xml"
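The two edits above are easy to get half right by hand: a benchmark carries many check-content-ref elements (OCIL and OVAL), and any href left pointing at the RHEL files means oscap silently evaluates the wrong checks or none. The following Python is an added example, not code from the slides or from the OpenSCAP project; it applies the platform and href changes with an XML parser and reports what it changed and what still refers to the old content. The minimal benchmark it edits is constructed from the excerpt on the earlier XCCDF slide; the rule and check names in it are illustrative.

```python
"""Retarget an XCCDF benchmark from one platform CPE to another.

Added example. Rewrites <platform idref> and <check-content-ref href>
values and reports any href that still points at the old content.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
ET.register_namespace("", XCCDF_NS)   # keep xmlns as the default namespace on output

# Constructed sample: a minimal benchmark in the shape of the slide's excerpt.
SAMPLE_BENCHMARK = f"""<Benchmark xmlns="{XCCDF_NS}" id="RHEL-7" resolved="1" style="SCAP_1.1">
  <status date="2016-09-20">draft</status>
  <title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title>
  <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
  <Profile id="pci-dss">
    <select idref="service_auditd_enabled" selected="true"/>
  </Profile>
  <Rule id="service_auditd_enabled">
    <check system="http://scap.nist.gov/schema/ocil/2">
      <check-content-ref href="ssg-rhel7-ocil.xml" name="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"/>
    </check>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="ssg-rhel7-oval.xml" name="oval:ssg-service_auditd_enabled:def:1"/>
    </check>
  </Rule>
</Benchmark>
"""


def retarget_benchmark(xml_text, old_platform, new_platform, href_map):
    """Return (rewritten_xml, counts).

    old_platform/new_platform are CPE names for <platform idref>;
    href_map maps old check-content-ref href values to the new file names.
    """
    root = ET.fromstring(xml_text)
    counts = {"platform": 0, "href": 0}
    for platform in root.iter(f"{{{XCCDF_NS}}}platform"):
        if platform.get("idref") == old_platform:
            platform.set("idref", new_platform)
            counts["platform"] += 1
    for ref in root.iter(f"{{{XCCDF_NS}}}check-content-ref"):
        href = ref.get("href")
        if href in href_map:
            ref.set("href", href_map[href])
            counts["href"] += 1
    return ET.tostring(root, encoding="unicode"), counts


def leftover_refs(xml_text, marker):
    """Sorted, de-duplicated href values that still contain `marker`
    (e.g. "rhel7"), so a partial retarget is caught before scanning."""
    root = ET.fromstring(xml_text)
    return sorted({ref.get("href", "") for ref in root.iter(f"{{{XCCDF_NS}}}check-content-ref")
                   if marker in ref.get("href", "")})


if __name__ == "__main__":
    new_xml, counts = retarget_benchmark(
        SAMPLE_BENCHMARK,
        "cpe:/o:redhat:enterprise_linux:7",
        "cpe:/o:opensuse:opensuse",
        {"ssg-rhel7-ocil.xml": "ssg-opensuse-ocil.xml"},   # only the OCIL file, as on the slide
    )
    print(counts)                              # {'platform': 1, 'href': 1}
    print(leftover_refs(new_xml, "rhel7"))     # ['ssg-rhel7-oval.xml'] -> still to do
```

Mapping only the OCIL file, as the slide shows, leaves the OVAL reference untouched; the leftover list makes that visible so the OVAL file gets copied and remapped as well before running oscap.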

Page 38: SCAP for openSUSE

38

Scan the customized Red Hat XCCDF file:

oscap xccdf eval --profile "Profile" --report "Report" "input xccdf XML file"

ex.) oscap xccdf eval --profile "pci-dss" --report /tmp/opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml

Profile: the <Profile id> in the xccdf.xml file;

<Profile id="standard">
<Profile id="pci-dss">
<Profile id="rht-ccp">
<Profile id="docker-host">
… etc.

Page 39: SCAP for openSUSE

39

Scan by "oscap"

# oscap xccdf eval --profile "pci-dss" --report ./opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml

Title   Ensure auditd Collects Information on Kernel Module Loading and Unloading
Rule    audit_rules_kernel_module_loading
Ident   CCE-27129-6
Result  fail

Title   Make the auditd Configuration Immutable
Rule    audit_rules_immutable
Ident   CCE-27097-5
Result  fail

Title   Set SSH Idle Timeout Interval
Rule    sshd_set_idle_timeout
Ident   CCE-27433-2
Result  pass

Page 40: SCAP for openSUSE

40

“oscap” result html

Page 41: SCAP for openSUSE

41

“oscap” result html (cont'd)

Page 42: SCAP for openSUSE

42

Scap-workbench

Page 43: SCAP for openSUSE

43

Customize Rule(with scap-workbench)

Some rules can be modified and some cannot → not good enough for fitting the content to openSUSE

Page 44: SCAP for openSUSE

44

Customize Rule(xml file)

OVAL:

<definition class="compliance" id="oval:ssg-service_autofs_disabled:def:1" version="1">
  <metadata>
    <title>Service autofs Disabled</title>
    <affected family="unix">
      <platform>Red Hat Enterprise Linux 7</platform>
    </affected>
    <description>The autofs service should be disabled if possible.</description>
    <reference source="JL" ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors"/>
    <reference ref_id="service_autofs_disabled" source="ssg"/>
  </metadata>
  <criteria comment="package autofs removed or service autofs is not configured to start" operator="OR">
    <extend_definition comment="autofs removed" definition_ref="oval:ssg-package_autofs_removed:def:1"/>
    <criteria operator="OR" comment="service autofs is not configured to start">
      <criterion comment="autofs not wanted by multi-user.target" test_ref="oval:ssg-test_autofs_not_wanted_by_multi_user_target:tst:1"/>

Page 45: SCAP for openSUSE

45

OVAL Language Dictionary

Page 46: SCAP for openSUSE

46

Customize Rule(xml file)

OCIL:

<questionnaire id="ocil:ssg-disable_users_coredumps_ocil:questionnaire:1">
  <title>Disable Core Dumps for All Users</title>
  <actions>
    <test_action_ref>ocil:ssg-disable_users_coredumps_action:testaction:1</test_action_ref>
  </actions>
</questionnaire>
<questionnaire id="ocil:ssg-sysctl_fs_suid_dumpable_ocil:questionnaire:1">
  <title>Disable Core Dumps for SUID programs</title>
  <actions>
    <test_action_ref>ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1</test_action_ref>
  </actions>
</questionnaire>

Page 47: SCAP for openSUSE

47

OCIL Language Dictionary

Page 48: SCAP for openSUSE

48

Remaining Tasks

- Not only PCI DSS, but other profiles too:

- Check the details of what was modified.

- Change those XCCDF files to the openscap-ssg standard style.

- Follow the SUSE 11 standard as well.

Page 49: SCAP for openSUSE

Conclusion

Page 50: SCAP for openSUSE

50

Conclusion

- The SCAP OVAL file for openSUSE is released by SUSE.

- A SCAP XCCDF file for openSUSE is needed to cover PCI DSS etc.

- Still customizing the contents for publishing. :-)

Page 51: SCAP for openSUSE

51

Any Questions?

Page 52: SCAP for openSUSE

52

Thank You!!!