Welcome everyone, my name is Gabriel Becker, I'm a software engineer at Red Hat and I'm part of the Platform Security Compliance team, mostly for RHEL, and I'm here with my colleague.

Hello, my name is Vojtěch Polášek, I'm also part of the same team as Gabriel.

Yeah, so what is this workshop? First we are going to give you an introduction to some concepts of security compliance: what it is about, some of the details and some of the motivations behind all these projects. Then we'll talk a little bit about the project itself, ComplianceAsCode, and all the tools that compose this ecosystem. Later we'll give you some details about the workshop, what kind of exercises you'll be going through and what kind of things you'll be learning from it. And in the final part there will be some technical instructions and practical considerations about this workshop. So now I give the word to Vojtěch.

Okay, thank you. So once again welcome everyone. As you can see in the name, this workshop is going to be about security compliance a lot. You will edit content which will help you with security compliance, and you will hear the words "security compliance" a lot in this workshop. So I think it's a good idea to say something about some basic terminology. Let's start with the word compliance. Compliance means that something is aligned according to some security policy or according to some standard. Let's say that your phone should be IP68 compliant, which means that it should withstand some harsh conditions, water and stuff like that. So that's compliance, and security compliance is compliance framed within the security area. It's actually quite a large area of things. You can have, for example, compliant doors to your server room, so that they can withstand fire. You can have compliant reporting, and you can have legal aspects in security compliance.
So it's quite a wide area. But part of it is also compliance of your computer systems and especially their configuration, and that's what we are going to talk about in this workshop. So how does it usually work? Let's say that you're a bank or some finance processing company, and there exist some standards which you should fulfill, which you should be compliant with, as a financial organization. How it usually works is that there is something called a policy, which is usually some document. It can have many, many requirements, including, as I said, legal and physical security and stuff like that. But it also has some requirements for the configuration of computer systems. Someone has to go through that, configure the systems, and then check it, and then they can pronounce themselves: yes, we are compliant, for example, with PCI DSS, which is exactly the policy for the payment industry. This can actually be quite tedious and long, because these policies can have hundreds of requirements. When you have hundreds of servers and hundreds of requirements, this can take a long time and it can be error-prone. So that's where automation comes in to help you achieve this. Next slide please.

Automating security compliance. I want to stress that I'm talking really about compliance of your computer systems and their configurations. We have tools, let's call them scanners in general, and you will actually use one of these tools here in this workshop. How does it work? The scanner can basically do two important things. The first thing is to check the configuration. Let's give an example: one of the requirements from the policy is that the minimum password length on the system has to be eight characters. So the scanner can check this.
And if it's possible, it can also fix it. We call it remediate, and throughout the whole project remediate equals fix. But the scanner is just a tool. It can do some things, but it needs to know what to check and what to fix. That's when the content comes to the scene. This content has a standard; it's called SCAP, which means Security Content Automation Protocol. This is the thing which is consumed by the scanner, so that the scanner can actually do its work. And the content is the thing which we are going to work with in this workshop. Next slide please.

So, ComplianceAsCode. It's actually the world's largest open source repository of security content, which is used to achieve compliance. I would like to say one more thing. You can translate compliance very loosely as security: if you are compliant, you're secure, but secure according to some standard. Just a side note so that it's easier to understand the terms. So back to the slide. The content lives on GitHub. It's highly customizable, as you will see in this workshop, because you will be able to create your own content for your use cases. It's compatible with various scanners, including the OpenSCAP scanner, which you will also use in this workshop and which is closely related to the content project. You will use its command line interface, but you will also be able to use SCAP Workbench, which is actually a graphical interface to various features of the scanner. Now I will tell you just a little bit about the content itself, how it's composed, how it's produced, or why the content looks like it looks. Imagine that you have a security policy, for example PCI DSS. It's a long PDF document, and it can be quite high level.
And it's of course very hard to be consumed by computers, because it's written in human-readable language. So what usually happens is that you can take this policy and decompose it into requirements, getting to a low level, like: prevent root from logging in through SSH, or, as I said, configure the system so that passwords have to have at least eight characters. These are quite low level things, and these can be translated into code. That's where rules come into play in our system, in the content, because one rule is actually a specification of some system configuration. It's composed of some metadata, like a description of what this rule is about, how it's called, which policies reference this rule, and stuff like that. Then it usually contains some check, which is written, for example, in the OVAL language, and this check is then consumed by the scanner which we talked about before. According to this check, the scanner checks the configuration file, like it opens the configuration for sshd and looks if the line is there. If the line is not there, it can remediate it. That's why the rules also contain remediations; they can be bash scripts or Ansible snippets or some other scripts, we support several languages. So this is a rule. Then we take many rules and we put them together, together with some additional metadata and variables, and this creates something which we call a profile in the content. With a profile we are at the high level again: the profile is actually a representation of a policy like PCI DSS, but it's code. It's already consumable by software; in this case, in this workshop, it will be the OpenSCAP scanner. So that's what this content is about: we take policies, we decompose and translate them into rules, and we create a profile.
Then you can actually use this profile to help you with achieving compliance. It will not make your systems magically compliant, of course; you should review it, and some things are not even possible to automate properly, but it will help you, I believe, a great deal. Next slide please.

This is just a summary of where you can actually use the content. You can use it together with an appropriate scanner like OpenSCAP. You can use it to scan, to ensure compliance of physical machines; that can be your local machine or it can also be a machine which you access through SSH. You can try to achieve compliance of containers, for example on a podman backend or a docker backend. You can also check images of virtual machines, like hard drive images. And you can also use it within your Kubernetes infrastructure to ensure that the infrastructure stays compliant. That's, I think, enough theory. I think we should get to some practical things, so I'm giving the word back to Gabriel, who will tell you something about the workshop.

Okay, thank you for this explanation. Now I will talk a little bit about what you will be learning throughout this workshop. The first part is composed of creating rules and profiles, modifying them and making them according to your needs. Then with this content you will perform a scan using the OpenSCAP scanner and check the results, whether the configuration actually passes or fails. Furthermore, you're going to learn how to customize the content, like changing a variable; in this case, for example, the password length: instead of eight, my organization requires it to be 12. So this kind of customization. And for the last part, you will see how the Ansible remediations are integrated into the project, how they are handled by the project, how you can develop them, and how to apply the fix to bring the system to a desired state.
And now some practical considerations for this workshop. Okay, can you please mute your microphone? Yes, I'm just trying to find the proper button. Okay. Yeah. Okay, so, some practical considerations about the workshop. This workshop is developed mainly to be a self-paced workshop; everything you need will be written in the documentation. The duration of the session, unfortunately, is quite short; it takes like two hours for the whole workshop, but the environment will stay longer, so you can finish it on your own. If you have any questions during the session and after the workshop, you can use either the chat here in Hopin or the workshop Discord channel. One extra thing I would like to say is that this workshop is designed to use the graphical user interface from RHEL, so you'll be accessing a remote desktop, and you need to have a VNC client installed. Everything is described in the documentation: how to install it, how to connect. If for some reason you cannot install this application, there is still a benefit from the workshop, because like 70% of it is through the command line. So no worries about that.

Right now I'm going to do a quick demo of how to get access to the infrastructure that we are providing you. Basically there is this web page which you can access through a link that I will later post to the chat with the instructions, so you can easily access it. So let's do it. I have here the page, and I put in the security keyword and my email address. In this case it will lead me to a page like this. In the red box there is the important information for this workshop: you get a unique link that will lead you to a page similar to this one. The documentation contains, for example, unique credentials. There is an embedded terminal that you can use for convenience, like this.
I'm coming back from the documentation to the terminal, but of course you can use your own terminal; the credentials and the SSH command to connect are there. So it's really up to you. If I get back to the page here, it gave me this link, and let's say I open it here. Then there are the setup steps. It's the place where you have the credentials, so you can basically copy-paste and use the password. Now you're in. Everything I'm saying about the labs is described in the documentation. And right now for the VNC client, there are some instructions on how to install the TigerVNC application. But then there is this trick that you have to use to open the tunnel: you have to use your own terminal. You go back to your terminal, paste the command and it will ask for the password. You input the password and you'll notice that it will show nothing here; it will hang, and after you are finished with the lab you can just kill this application with Ctrl-C. In another tab, in this case, there is the VNC viewer; you have to run it. In this case you can also just run vncviewer and it will show you this window. You put localhost:1 and it will ask for a password again, and it's basically the same one. And then you have access to the user interface. From here you can access the web browser, SCAP Workbench and everything that is described in the documentation of this workshop.

So, now going back to the presentation. As I said, just before giving the links, some references. This workshop is available as a static version, so there are no credentials; it's just the documentation, which you can use as a reference later. There's also the possibility to run this same workshop on a Fedora VM, so there are instructions on how to set up your VM accordingly. And furthermore, there are some links to where to reach us after the workshop.
For example, the discussion pages, some mailing lists, etc. So finally, I will be pasting the instructions to the chat if you don't have them already. You just click this link and input the data, and you will be able to access your environment. So I guess this is pretty much it from the presentation. We'll be here to answer any questions you have during these first phases, and after the session finishes we'll be around the Discord channel to answer any questions.
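The check-and-remediate pair that the talk describes (a rule's check consumed by the scanner, plus a bash remediation, parameterized by a variable such as the minimum password length that the workshop customizes from 8 to 12) can be sketched in plain POSIX shell. The block below is an added example written for this transcript; it is not code from the workshop or from the ComplianceAsCode project, and the function names, the pwquality-style sample file and the thresholds 8 and 12 are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode's own code: a check/remediate pair for a
# "minimum password length" rule, parameterized like a profile variable.

# check_minlen FILE MIN -> exit 0 when an uncommented "minlen = N" has N >= MIN.
check_minlen() {
    file="$1"
    required="$2"
    # Take the last uncommented assignment; tolerate whitespace around '='.
    current=$(sed -n 's/^[[:space:]]*minlen[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$file" | tail -n 1)
    [ -n "$current" ] && [ "$current" -ge "$required" ]
}

# remediate_minlen FILE MIN -> rewrite an existing minlen line or append one.
# Writes through a temp file instead of sed -i so it stays portable across sed variants.
remediate_minlen() {
    file="$1"
    required="$2"
    if grep -q '^[[:space:]]*minlen[[:space:]]*=' "$file"; then
        sed "s/^[[:space:]]*minlen[[:space:]]*=.*/minlen = $required/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'minlen = %s\n' "$required" >> "$file"
    fi
}

# make_sample -> path to a constructed throwaway file resembling
# /etc/security/pwquality.conf, so the example never touches real system config.
make_sample() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# Constructed sample pwquality.conf for the example (not a real system file)
# minlen = 14
minlen = 6
dcredit = -1
EOF
    echo "$sample"
}

# demo -> scan, remediate, rescan: the loop the workshop walks through with oscap,
# first with the default of 8, then with the customized value of 12.
demo() {
    sample=$(make_sample)
    for required in 8 12; do
        if check_minlen "$sample" "$required"; then
            echo "minlen >= $required: pass"
        else
            echo "minlen >= $required: fail, remediating"
            remediate_minlen "$sample" "$required"
            check_minlen "$sample" "$required" && echo "minlen >= $required: pass after remediation"
        fi
    done
    rm -f "$sample"
}

demo
```

The check ignores commented-out assignments and uses the last effective one, which mirrors how the real configuration is read; the remediation replaces rather than appends when a line already exists, so repeated runs stay idempotent and never leave two conflicting `minlen` lines behind.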