Hello everyone, welcome to the security devroom. We are now going to have a talk by Andre, who's going to talk about system configuration management with Foreman and with OpenSCAP. Please welcome Andre.

I hope the sound is okay. So today I'll be talking about Foreman auditing and how you can do that with Foreman and OpenSCAP. In the beginning, I'd like to talk a little bit about our motivation, why we would want to do any of this. Then I'll talk about OpenSCAP and Foreman, because I don't know if you know these projects. Maybe you do, and maybe you use them; if that's the case, then feel free to sleep. In the end I'll show you how these two sort of come together and what you can do with it.

Okay, so a brief info about me: I work at Red Hat, I'm one of the Foreman OpenSCAP maintainers. That's about it, really.

So why compliance? Well, if you have been without any kind of a security incident in the past, then that's great, and I hope it will last in the future. But the future is always uncertain, and there's always a chance that there is something bad lurking just behind the corner. For me personally, I don't think I will be targeted, because I'm not really a person of interest to anyone: I don't have any business-critical information, I don't have anything related to national security, and I definitely don't have it in my private email account. But if you're a company or a government, then you're much more visible and you're much more likely to be a target. Maybe people will try to take over your service and get to your data, and maybe they won't, but that's not something you really want to leave to chance entirely.

So one of the things that you can actually do is to set up a policy, a compliance policy, and then try to force yourselves and your users to comply with it. The policy tries to mitigate the risk that things go really bad. If you decide to go this way, then SCAP is actually something that can help you with it. It's Security Content Automation
Protocol, and it was designed for vulnerability management and to automate the whole process. OpenSCAP is an open source implementation of that. It's NIST certified; NIST is the National Institute of Standards and Technology, it's a part of the US Department of Commerce. So if you tell your auditors that you use a tool that has a government stamp on it, I'm sure they'll be quite happy.

OpenSCAP provides you with a bunch of tools. Basically, the first one here is the command line scanner; then you have the OpenSCAP daemon, which surprisingly runs as a daemon; down here is the Anaconda plug-in that you can use with the Anaconda installer; and OpenSCAP Workbench, which provides you with a graphical interface where you can run scans locally, and many more things.

Okay, moving on to Foreman. Basically, Foreman in a nutshell does three things: provisioning, configuration and monitoring, and I'll stop to talk a little bit about each of these.

Provisioning. So Foreman provisions containers, VMs or bare metal. I've heard this one story that someone was actually doing experiments and trying to provision cash registers in a supermarket, but for some reason it didn't work, the hardware just couldn't handle it somehow, but still it got my attention. Basically, Foreman works with most of the well-known compute resource providers, like VMware, EC2, Amazon, you name it. If you think we're missing something, then let us know and maybe we'll do something about it, and if not, you can always write your own plug-in and support it yourselves. Some of these are already supported through plugins,
so you can use that as an inspiration. And Foreman does both network-based and image-based provisioning.

Okay, configuration. Puppet is kind of a first-class citizen for Foreman, because I've heard this rumor that Foreman started as a UI for Puppet. But that was a long time ago and Foreman has evolved a lot since then. If you don't like Puppet for some reason, you can also use Ansible or Chef or Salt; it's entirely up to you.

Okay, monitoring. Basically, Foreman receives data from hosts and tries to display it to users in a meaningful way: that's your graphs, your reports, your trends and so on. Basically, this area is also where all the OpenSCAP reports that we'll see in just a minute go.

And right now I think it's kind of obvious where we're headed. We have Foreman that can set up your machines, and we have OpenSCAP that can monitor them for compliance policy violations. So people said, hey, let's get these two together, and they did: they created Foreman OpenSCAP, which is a Foreman plugin, and now I'll try to show you what you can do with it.

Basically, yeah, you can see my Foreman now. Maybe I'll try to zoom out a little bit. Maybe not. Okay. Basically, I have two hosts here; the third one is actually my Foreman server. And if you are looking for the OpenSCAP related stuff, okay, it's down here. Okay, this is not good, I'll try to zoom out. Yeah, that's much better.
Okay, down here on the host. And the first thing we'll take a look at is our SCAP contents. Basically, SCAP content is an XML file that has a specific format, and you can see I already have a couple of these here. These come from one of the OpenSCAP packages, and they get uploaded once you install the plugins, so you get them right out of the box. But you can always upload a new one if you have one, so let's do that right now. We'll actually choose the file, right, and submit. Maybe let's do this. Yeah. Right. So I uploaded my SCAP content and I'll move on to the policies.

A policy is actually something that gets applied directly to your host. So let's create a new policy. Okay, let's name it; again, description is optional, so let's skip it. Here we can choose SCAP content, so I'll choose the one that I've just uploaded, and I have to choose a profile. The profile is within the actual file that I have uploaded, and it basically says what gets checked during the scan. There's only this one in the file, so I'll select that and move on. Now I will choose my schedule, how often my policy runs. You can choose from weekly, monthly, custom. So let's say I want monthly, and I want every fourth day in the month, and I move on. The last thing I'll do is to choose my host group, and basically I'm done.

So what exactly is a host group? Well, basically, if you are creating a lot of hosts, these hosts usually have something in common, and you don't want to do it each time from scratch. So as you can see, this is the place where I can create a new host, and basically it has a lot of tabs and lots of fields to be filled in, and I don't really want to do that each time. So I have my host group, and I choose my host group, and now I choose where to deploy. I want to deploy on libvirt, and basically I'm done, because all this gets populated from the information in the host group.
So if I now click submit, I can create a new host and it would start to provision, assuming that I have configured everything correctly. But I don't really want to create a new host now, so let's go back. That's why you have the host group selector in the policy wizard: because that policy gets applied to all hosts that have that host group.

Okay, so now we have set up your policy, and now you have your host and you have applied the policy to your host. So what next? Well, the next thing you can do is to sit back and wait for your report to come in, based on the schedule that you have selected in your policy. But you can always run a scan manually, and you would do that by using SSH: you would SSH into your host and then you would type in the command to run a scan, and it would run a scan and it would send it to Foreman. But if you have the remote execution plug-in for Foreman, you can do it from the UI.

So I have that already set up. I have a host with my policy, and now I have a prepared job that can basically run a scan. So I'll do that now. I'll select my host, the one that is online, and I'll select run job. Basically, job category OpenSCAP, I want "Start OpenSCAP scan", I want to apply it to my Danish Queen host, and execute now. So this should take only a few seconds. It seems like it started, and this is the command that gets executed, and it's done, and it's a success. So let's check out our reports. So I go to reports, and I see I have a new report here that landed just a minute ago, and from the overview I can see that it's failing.
So let's take a look at the details. So here you can actually see all the rules that were checked and what the result of the actual check was, and you have the metrics, so this sort of breakdown of how many rules failed and how many passed. If I go to view full report, then this is actually what OpenSCAP sends, with some styling, and you have again lots of info here: what rules failed, how many of them passed, and so on and so on. One important, interesting thing is down here: if I go to the details of the actual rule and scroll down, I have a remediation script, and if you run this on your host you should get this rule fixed.

So let's do that now and let's try to fix one of these rules. So again, I have prepared a job with this script, so I will run it using remote execution and try to get it fixed. So again, I go to all my hosts, I have all selected, so select action, run job. Again category OpenSCAP, and this time I want "Fix Java config" there. So let's execute. Seems like a success. Yeah, all I have to do is actually rerun the scan. So, I already ran the scan once; I find the correct page, so again run a job, and OpenSCAP, Start OpenSCAP scan, submit, success. Okay, again, let's take a look at the report, and as you can see I have a new report and it has one rule that is okay, and the remaining need to be fixed.

So basically, this is how you can check the compliance with OpenSCAP, and I'll just get back to my slides. Future features, basically. One of the features that was done recently is the tailoring files. This allows you to modify your profiles and modify your policies.
It's done; it will be in the next release of Foreman OpenSCAP. Then we have planned running the remediation using remote execution, like we would parse the remediation scripts from the report that came in and was failing, and you would have this one sort of button that you would just push and everything would be fixed. And we're always happy to hear your suggestions. So basically, that's all I have. If you have any questions, please don't hesitate.

Okay, so, questions.

First thing my boss will ask: does it apply to Windows as well?

Well, basically, we are limited by what OpenSCAP supports and what OpenSCAP scans we can basically use. I don't think OpenSCAP supports Windows.

So raise your hand if you want to ask a question. There's one over here and one over there.

Hi, how do you extend the SCAP rule set to include your own checks?

Basically, you can use OpenSCAP Workbench to create the tailoring files; that's the new feature that will be introduced. And basically, people write their own SCAP contents themselves. It has a specific format that you have to stick to, and that's how you basically create your own checks and decide what gets checked during the scan.

Hi. Yeah, given that you said that Puppet is a first-class citizen with Foreman, is this how OpenSCAP runs on the hosts? And if yes, can it run with anything other than Puppet? And if no, can it run with Puppet?

Yeah, basically we use Puppet to deliver the client that runs the scan to the host. Right now it can't really run without Puppet, at least we haven't tried to, because it's kind of tied together. And there are future plans, as we progress with Ansible and other config management tools, to make it more available to other config tools to work with.

Follow up on the first question.
You mentioned something about OpenSCAP not supporting Windows. There are SCAP templates supporting Windows. Oh, and you can also, for example, use Puppet over to a Windows machine. So why would there be any limitations in OpenSCAP?

Okay, so I didn't know there were. There are really policies for Windows? So my bad.

And for Cisco devices and all clones over there, there are policies.

If OpenSCAP can actually scan a Windows machine, then we can support it.

Yeah, just questioning the OpenSCAP versus SCAP format. So for SCAP, it's possible, apparently.

Yeah, as I've said, we are using OpenSCAP, and what OpenSCAP is able to do, we can support. Okay, so thanks. More questions?

Hello, I have a question about the output. So if we have some findings, say 10 findings for a server, some might be a false positive, but that scan might still apply to my other servers. Say if I have this false positive, or this thing I accept at one server, for example IP forwarding on my VPN server, can I whitelist that, or acknowledge that as a false positive for that specific server?

Well, for that I would recommend to basically tailor that policy and uncheck the rule, basically remove the rule from the scan, so you wouldn't have to deal with it if you think it's a false positive.

You can just make a separate policy for one?

Yeah, you can basically make a... like, do you mean, for example, I have a VPN server which allows IP forwarding, and on all my other servers I don't want that?

Yeah.

Okay, I get it. For you the new tailoring file feature will be very useful, because you can assign a tailoring file to that policy and that host, basically. Okay, there's one more. Yeah, we can take this one first.

It's a quick question, actually. Is Foreman the only tool to allow the orchestration of OpenSCAP, or is there any other tool that you may use to orchestrate or deliver all your agents of OpenSCAP?
It's not quite clear. Basically, you can use OpenSCAP on its own, without Foreman, and you have some kind of user interface. So, well, the tools that I've shown here, basically, you can use these on your own, and OpenSCAP Workbench has a graphical interface, and this is basically only a command line scanner, okay, that you can use on your own.

We have plenty of time for questions, so raise your hand if you have any. We have one over here.

You mentioned that there's a plug-in for Anaconda, for the installer. Yeah, is there any plan to back... I know it's in seven. Is there any plan to backport that to six?

I don't really know what the OpenSCAP guys have planned.

Oh, this is the Red Hat team that's developing the Anaconda installation component.

Yeah, but I don't know what they have in mind for the future. It's not really on my radar, so I can't really tell. The best thing for you would be to contact the OpenSCAP guys and ask them directly.

No, it's actually the Red Hat guys that are developing the Anaconda installation wrapper to support the SCAP policies at install time.

Again, raise your hand if you want to ask a question.

Hi, another question, okay, so this is about the execution bit. Is there a possibility of extending Foreman in such a way that when you have the remediation step, you can directly run it from, you know, the bit that suggests it? Run it directly.

How do you mean?

So you know you have the remote execution engine with Foreman. Yeah. And OpenSCAP gives you a remediation step that says run this for your hosts. Okay, can you? Is there a way of running it directly from that?
From that input? No, not yet. Not yet, but there are plans for that in the future.

Excellent. Raise your hand if you have another question. Yes, over there. Two more minutes for questions.

Is there a way in that UI, except for perhaps using cron, to run these jobs, to do these checks periodically, to maybe detect that there was an attack and something was changed in the meantime, and get alerted about this?

Well, automatically we use cron in the background.

So I can say run this every day or something?

Yeah, you can run this every day. You can basically, if I go to the policies, you can choose a cron line, you can choose how often you want your policy to run based on the cron line. If I take this custom, you just specify a cron line, and that's it.

Thank you very much. We have a final question here.

Is it possible to trigger it from an outside application via API call, instead of scheduling a scan? And the second question: can we hook up, like, for an event in an external system after that?

Right now it's meant to run periodically and to check it at certain times, but maybe that could be a request for a feature.

Okay, let's thank Andre once again, and there will
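The report breakdown, the per-rule remediation scripts and the tailoring files that the talk and the Q&A describe, as an added Python example that is not part of the talk and is not Foreman's or OpenSCAP's own code. It parses a constructed XCCDF 1.2 results document (the `xccdf_org.example_*` ids, rules and fixes are made up for the demonstration, not SCAP Security Guide content) the way Foreman's report view summarises it, collects the shell fix of every failed rule, and writes a tailoring file that unselects the IP forwarding rule in a derived profile for VPN gateways, which is the approach Andre suggests for the false-positive question.

```python
"""Added example (not from the talk, Foreman or OpenSCAP): read an OpenSCAP
XCCDF 1.2 results file the way Foreman's report view does, pull out the shell
remediation of each failed rule, and build a tailoring file that switches a
rule off for one class of hosts. The document below is constructed for this
demo; the xccdf_org.example_* ids are made up, not SCAP Security Guide ids."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
FIX_SH = "urn:xccdf:fix:script:sh"  # XCCDF 'system' value used for shell fixes

# Constructed results document, trimmed to what `oscap xccdf eval --results` keeps:
# the Rules (with their fix scripts) and the TestResult with one rule-result each.
SAMPLE_RESULTS = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_demo">
  <Rule id="xccdf_org.example_rule_ip_forward" severity="medium">
    <title>Disable IPv4 forwarding</title>
    <fix system="{FIX_SH}">sysctl -w net.ipv4.ip_forward=0</fix>
  </Rule>
  <Rule id="xccdf_org.example_rule_sshd_root_login" severity="high">
    <title>Disable root login over SSH</title>
    <fix system="{FIX_SH}">sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config</fix>
  </Rule>
  <Rule id="xccdf_org.example_rule_java_config" severity="low">
    <title>Java configuration hardened</title>
  </Rule>
  <TestResult id="xccdf_org.example_testresult_demo">
    <rule-result idref="xccdf_org.example_rule_ip_forward"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_sshd_root_login"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_java_config"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def summarize_results(results_xml):
    """Per-rule outcome plus the pass/fail breakdown shown in the report overview."""
    root = ET.fromstring(results_xml)
    per_rule = {}
    for rr in root.findall(".//x:TestResult/x:rule-result", NS):
        per_rule[rr.get("idref")] = rr.findtext("x:result", namespaces=NS)
    counts = {"pass": 0, "fail": 0, "other": 0}
    for outcome in per_rule.values():
        # notapplicable, notchecked, error, ... are neither a pass nor a fail
        counts[outcome if outcome in ("pass", "fail") else "other"] += 1
    return {"rules": per_rule, "counts": counts, "compliant": counts["fail"] == 0}


def remediation_scripts(results_xml):
    """Shell fix of every failed rule (what the rule details show under 'remediation')."""
    root = ET.fromstring(results_xml)
    failed = {rid for rid, res in summarize_results(results_xml)["rules"].items() if res == "fail"}
    scripts = {}
    for rule in root.findall(".//x:Rule", NS):
        if rule.get("id") in failed:
            fix = rule.find(f"x:fix[@system='{FIX_SH}']", NS)
            if fix is not None and fix.text:
                scripts[rule.get("id")] = fix.text.strip()
    return scripts


def build_tailoring(tailoring_id, benchmark_href, base_profile, profile_id, title, unselect):
    """XCCDF tailoring: a profile extending base_profile with the given rules unselected."""
    ET.register_namespace("", XCCDF_NS)  # emit XCCDF as the default namespace
    t = ET.Element(f"{{{XCCDF_NS}}}Tailoring", id=tailoring_id)
    ET.SubElement(t, f"{{{XCCDF_NS}}}benchmark", href=benchmark_href)
    ET.SubElement(t, f"{{{XCCDF_NS}}}version", time="2017-02-04T00:00:00").text = "1"
    prof = ET.SubElement(t, f"{{{XCCDF_NS}}}Profile", id=profile_id, extends=base_profile)
    ET.SubElement(prof, f"{{{XCCDF_NS}}}title").text = title
    for rid in unselect:
        ET.SubElement(prof, f"{{{XCCDF_NS}}}select", idref=rid, selected="false")
    return ET.tostring(t, encoding="unicode")


def unselected_rules(tailoring_xml):
    """Rules a tailoring switches off, so the exception can be reviewed before it is attached."""
    root = ET.fromstring(tailoring_xml)
    return [s.get("idref") for s in root.findall(".//x:Profile/x:select[@selected='false']", NS)]


if __name__ == "__main__":
    summary = summarize_results(SAMPLE_RESULTS)
    print("compliant:", summary["compliant"], summary["counts"])
    for rid, script in remediation_scripts(SAMPLE_RESULTS).items():
        print(f"fix for {rid}: {script}")
    tailoring = build_tailoring(
        "xccdf_org.example_tailoring_vpn", "ssg-demo-xccdf.xml",
        "xccdf_org.example_profile_base", "xccdf_org.example_profile_vpn",
        "Base profile with IP forwarding allowed (VPN gateways)",
        ["xccdf_org.example_rule_ip_forward"])
    print(tailoring)
    print("unselected:", unselected_rules(tailoring))
```

The tailoring keeps the base profile intact and records the exception as a separate, reviewable artifact: the VPN host group gets the derived profile, every other host keeps the base profile, and `unselected_rules` makes the list of switched-off checks visible to whoever approves it.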