Hello, hello. Okay. Hello, everyone. Good evening. So my name is Daskaran and I'm one of the Satellite engineers at Red Hat. Today my topic is securing infrastructure with OpenSCAP, the automation way, because it's an era of automation, right? We are far, far behind if we are still doing all those tasks manually. So, automation in terms of working with it. I'm so sorry. Right. So let's start this. My major agenda is to cover what OpenSCAP is, why we need it, its components, some things around it, and integration with Foreman. A lot of you might have heard about Foreman in just the last 15 minutes, so I'll give more of an idea on that and how it actually works. In between the talk I'll have a demo as well. The first question that comes to the mind of whoever listens to this is: what is OpenSCAP? It's an open source security scanning tool which is used for two primary purposes: to mitigate software vulnerabilities, and to check configuration flaws, security flaws. So these are the two things that OpenSCAP directly focuses on: whatever software we have in our infrastructure, we have to figure out what flaws are in it, or the configuration mistakes that sysadmins, or whoever manages the infrastructure, make day to day. Why do we need OpenSCAP? It's a way to express security policies in a user-interactive format. A lot of people come across a vulnerability and say, there is a vulnerability in a system, but I don't know what it is. What is Meltdown, what is Spectre? I don't know. A lot of vulnerabilities are out there, but I don't know what to do with them. It's in my infrastructure, right? OpenSCAP gives you a clear idea of what a vulnerability is all about, what to do about it, how to mitigate all those things.
OpenSCAP, or SCAP as it's generally known, is a NIST-certified standard and a lot of security policies. So take that word, security policies. I'll be explaining more about security policies in my later slides. It's a tool to verify that a system or infrastructure meets certain standards. Now, standards come to my mind. There are a lot of organizations which need or tend to have a set of standards in their organization. Let's say, talking about an XYZ organization, whenever they give a laptop to a new employee, they want a particular operating system to be installed and not any other operating system, right? That's a standard for them. Or for our organization, SSH access to certain systems is disabled. That's a standard. That's a security standard that's required, right? Maintaining those standards should be made easier for the people who work there, because just maintaining the standard is not your whole job. There's something else you need to do, right? You have your own time to work on different things, not just to maintain the standards. So OpenSCAP helps you on that front: from the time the system is being provisioned, or it comes into your organization, into your infrastructure, OpenSCAP takes control of that. Modification can be done using tailoring files. Obviously it's open source; you can do all the modifications that you want to do, whatsoever you want to do, and you can make it across your entire infrastructure. It's supported cross-platform: be it Windows, be it Linux, anything you want to do, whatever your infrastructure consists of, OpenSCAP supports that. So that's a good point, where a lot of organizations say, okay, this particular open source tool is something for Linux, we can't use it. No, it's for Windows as well. All the standards, all the security profiles, all those things are for Windows as well.
There are a couple of tools which OpenSCAP gives you. The first one is Anaconda. A lot of people have heard about Anaconda; that's an installer for Linux-based systems. So in Anaconda, there's a plugin for OpenSCAP. At the time you are building up a system, let's say you are building your own desktop system, one single system, Anaconda is out there. Or if you are building a number of systems, yes, you can have your own Anaconda file where you can mention those profiles, mention those rules that you need to check, mention those standards which you want to put into the system that you are building up. SCAP Workbench: this is a GUI tool which SCAP gives you. So, for people not comfortable with the command line, you can use this tool. It's an absolutely brilliant tool because it gives the user an approach for tailoring things. Modification can be done even if the person is not very technical, or he or she doesn't know that if I omit this particular rule or omit this particular standard, what impact it will create, what is going to happen to the system in the background. Even if they don't know, OpenSCAP, I mean the Workbench, will take care of that. OpenSCAP Daemon: again, the service will be running in your systems, in your containers, in your infrastructure in the background, and you can configure it so that, for example, every Monday at 6pm the scan needs to run. That's one thing. Or at regular intervals it needs to run. It again takes care of a lot of things. A lot of people have this idea that whatever scan we did in the last six months should be stored, just for verification, just for analyzing how we are moving towards security, right? In that case, it's kept.
SCAPtimony is a very useful tool for you. You can use your SQL search query and you can get whatever you want: the scan reports of just one system, or the scan reports of your entire set of systems or entire infrastructure will be out there, and you can search for whatever you can do with that. OpenSCAP Base: it's just a command line tool, which I'll be showing you. OpenSCAP components. Okay. So, languages: OpenSCAP is written in XML. So if you want to write a rule, you have to know XML. XCCDF is a sort of language which is a kind of wrapper over an OVAL rule. So you write a rule in OVAL and over that there's a wrapper. A lot of people who are from a programming background must know what a wrapper is in programming. So XCCDF is a wrapper. And with the help of these two things, XCCDF and OVAL, it creates a data stream file, which is the file OpenSCAP uses to scan your systems. That's again a rule list. Let's say in OVAL you have a lot of rules written: I need access to be disabled, this should be installed on your system, a lot of other things you mention in the form of rules, or it's in the upstream, and that is combined with XCCDF and you get a data stream file. That particular file is used for scanning your system. Yeah, I have a report. This is a sort of report, the format of a report in which OpenSCAP gives you the result. The first result comes up. Also you can have your results in HTML format, in a beautiful format; you can open it up in your browsers and you can give it to people who just want to know how many systems have been scanned, or if a system is scanned, to what level it is vulnerable. OpenSCAP components: CVE, CVSS, all these things OpenSCAP takes from NIST.
So whatever NIST has as its own standard indexing of each and every vulnerability, OpenSCAP copies that and has the source as it is indexed. That's all about OpenSCAP, but how does it work? Okay. It's a beautiful diagram out here, and there are a few profiles which I have written over here. PCI DSS profile: it's a profile which is used by payment gateways. A lot of companies which are using payment gateways use this particular profile. Standard Docker: if you are using Docker in your infrastructure, you can use this profile. Standard system profile: that's the normal system profile. Maybe you are using CentOS, Ubuntu, Debian, maybe Red Hat, Fedora, anything, right? Or maybe Microsoft Windows. That's a standard system profile in which all the rules have been mentioned based on your infrastructure. These collaborative profiles are known as SCAP profiles, and they are distributed with the operating system, whatever operating system you use. The collection of these profiles is known as SCAP content. Now, SCAP content can be directly applied to your client systems with the help of OpenSCAP. That's one thing. But this particular project is an open source project; it should have the ability to communicate or get integrated with other open source projects as well. So here Foreman comes into the picture; the diagram with a helmet is Foreman. So with the help of Foreman, you can either use Puppet, whatever Puppet you want to use, Puppet Enterprise, or you want to go with Ansible, with Chef, Salt; anything can be used with Foreman, and you can then apply it on your client systems. Sorted. If you are using Foreman in your infrastructure, go via Foreman; if there's nothing in your infrastructure, just direct systems, do it with OpenSCAP. I was talking about profiles.
So this is just an image which gives you an idea of what all sorts of profiles I was talking about. That is health insurance portability, maybe something related to hospitals. PCI DSS I've already talked about. Red Hat corporate profile: again, this is a company-specific profile, right, if you have systems on that. C2S, and for Red Hat cloud-based instances, and a lot of other profiles, which we can scroll down and see mentioned over there. There's also an option of tailoring files. Let's say, based on these profiles, the C2S profile for Red Hat Enterprise Linux 7 is very strict for your infrastructure. Let's move out, cross out some rules. You have to generate a new file, and that particular file is known as a tailoring file. So based on one standard profile, you have your own custom tailoring profile, which has some added rules or some rules which you have struck off. So this is how an OpenSCAP report comes up. So there's an evaluation target. It will give you the host, by which system, when the scan happened, when it got finished, by which user; even if you are using AD or LDAP or something, it will give you the user which ran this result. How many rules got passed, which failed, and which were not even checked, right? Checked as in, you want a particular rule not to be checked in a system because that is something your organization wants. So you can skip that rule. These are the rules which you have in your system: whichever failed, whichever passed, some are not checked. The beautiful thing is you can just click on the rule and it will give you the description about it, what that particular rule was and what all things you need to do to mitigate that particular thing, or to pass that result, right?
With OpenSCAP, you also get the flexibility to do all the stuff with bash, with an Ansible playbook, or with Puppet modules. So this is how: you just click on the Ansible scriptlet and it gives you the Ansible playbook. But this is for each and every rule which failed; you want to mitigate all the rules. You just have to run one command. Okay, I'll give you the command now, and the Ansible playbook will be generated for all those rules which failed. This is the command, and it will generate the Ansible playbook. We have the Ansible playbook over here. Simple. How does it look? I'll give you that also. My Ansible playbook looks something like this. It got generated with this particular command, was for this system; all the inventories and everything are out here for all those rules which failed, right? Now this is the command that I have used. Now, OpenSCAP also gets integrated with a lot of other enterprise products or open source products as well. So let's say you want to use it on a very small infrastructure: you can use the daemon or Workbench, because it's easy to manage. Or if you want to use it on large systems, you can definitely use Foreman, SUSE Manager, Red Hat CloudForms, Satellite 5, Satellite 6, anything you want to use. You can integrate with, let's say, I'm giving an example with Foreman because it's open source, right? What Foreman does is it gives you a platform to manage your infrastructure. Let's say you have VMs, you have containers, whatever you have in your infrastructure; it gives you all the help to manage your infrastructure. It has three major features: provisioning a system, configuration, and monitoring, because once you provision it, you need some sort of configuration on that in your infrastructure. And then once everything is set up, monitoring is done.
So Foreman is quite integrative with a lot of other components: EC2, Google Cloud, oVirt, OpenStack, whatever you want to use, you can use it, and you can manage all your systems which are deployed over there from here as well. Provisioning: once you set up Foreman, you can provision any system on any sort of platform which you have. Whatever platform you are using, virtualization, maybe oVirt, VMware, Docker, anything, any platform you're using, it's very easily integratable and you can deploy all the systems on the platform that you are using. Configuration: majorly it's Puppet and Ansible. Previously it was using Puppet and now it's using Ansible, but let's say you don't want to use this; you want to go with something else, Chef, Salt, anything else can be used. Right? Then monitoring. This is one thing which needs to be done. There are a lot of APIs which are well documented; the documentation is fabulous and gives you proper API monitoring. It gives you the OpenSCAP report generation: you can generate that report, you can get it on a web UI, a single dashboard, you can get all the reports of the entire infrastructure. Now, you have a lot of systems and you don't know which particular system lies in which organization or which place, which data center; you can directly search it through a SQL query or directly with hostname. And it works across the application: whatever page you are on, it will search it and give it to you. This is how a Foreman OpenSCAP dashboard looks. It gives you the overview, what all systems have been scanned, what all systems are synced, updated. All the things will be in the dashboard. And this particular image is of a system which has been provisioned with the help of Foreman.
So all the IPs, all the system facts will be out there for each and every system; whatever configuration you want to do, it will be out there even before deploying the system. Once it's deployed and comes to your hand, you can do other configuration things. Let's say: provision the system, make this sort of configuration, and once this whole configuration is done, when the system is built, scan it with OpenSCAP, and everything is sorted. You have all the automation done at your end and it's good to go. Anyway. Okay. So, all right. Like every other product, OpenSCAP also has limitations. If you want to make a new rule: a lot of people come and say, you know what, we have our own auditing system. We have our own auditors, who have their own scripts, and they come and check our organization and audit the organization. So what if we want to write our own rules? I would say it's not that easy to write your own rules. You just need to know XML and then a proper wrapper should be out there, and you can build your own rule. But yeah, by default, whatever rules are out there, you have to use those. The only thing is, it covers vulnerabilities in the vendor's packages, not in EPEL as of now. There are future plans for OpenSCAP to have EPEL in place, but I'm not pretty sure how far that has been going on. Not in third-party vendors' software, like software that you develop; let's say you develop some RPM or some other software package, OpenSCAP won't be able to help on that front. Right? It's only vulnerabilities important enough to fix, RHSAs. So it's more company-driven, where your security advisories are concerned. Security policies don't get updated automatically under Foreman.
So in whichever open source or enterprise-level project you integrate OpenSCAP, it has a drawback that the profiles that I was talking about in the diagram, the Docker profile, the standard profile, don't get updated automatically. We need to have some sort of automation done at that end so that those profiles get updated from the repository. And once those are updated, again, things will be sorted at your end. Right? So that was all, in a nutshell: how an open source tool is easy to use at your end, right? Just for one or two systems or for your entire infrastructure, whether it is on any of the platforms. So yes, that is all. I'm running out of time, I guess. So it's fine. It's good. Okay. Any questions anyone has around this, around Foreman, around OpenSCAP, anything? Guys, you can shoot.

Hi. So basically I have a question regarding OpenSCAP. So there is an infrastructure tool, Nessus, right? So what's the difference between these two? I mean, OpenSCAP is only, like you mentioned, NIST-based frameworks as well as PCI DSS. So will it scan for those policies only, or for a whole infrastructure also, like Nessus scans?

Yes. Nessus scans will be... I mean, you can integrate OpenSCAP profiles in your system. Let's say you have already paid for it; it's a paid product, I believe, right? You have already paid for it. So you can pull out those profiles which OpenSCAP gives you and you can integrate them within your Nessus tool. Okay. Right. So you don't have to redeploy OpenSCAP again, but it's just like an add-on security which gives you the advantage of covering a larger database of security policies.

So it's specific to the standards like PCI DSS and NIST-based frameworks, it's specific to that only, or it will scan the whole infrastructure also?

It will scan the entire infrastructure.
So it will scan the networking part, whatever networking part you have in your infrastructure, as well as the standardizations that you want to maintain. Okay. Right. So anytime you can tailor those things in the rule list. I can show you the rules, how rules are done. So these are the rules that we have, and anytime you want to customize it, you can directly go and just click it; or let's say I want to have this rule, just click it and make a customization file. There's a tailoring file you have. And now you can integrate it with your Nessus tool, or if you're going to use it with OpenSCAP, you can use this directly with OpenSCAP.

So since you mentioned it only supports RHEL, the policies that you're showing also are very RHEL-specific. Does it work with non-Red Hat distributions?

Absolutely fine. It works with Ubuntu. Okay, I'll show you the Ubuntu part. So as of now I can load any sort of operating system you have, and these are the profiles which will be in your system and you can use anything. It can be Debian, it can be Ubuntu, it can be even Windows. I don't have a Windows right now, but it can be anything. So it doesn't restrict you to Red Hat. It's a part of it, but you can go around with any of the other operating systems.

Yeah, I have two questions. First one is, what is the reason that they chose XML as the format? And secondly, how hard is it to write something JSON- or YAML-formatted that OpenSCAP can take in?

I would say, I'm not pretty sure why they have chosen XML. They could have chosen other languages to work with, but I'm not pretty sure on this front. And since I'm not a maintainer, I'm not the correct person for that. But in terms of the next part, that was YAML, right? So it all depends on the person who is using it.
So for me, if I'm using OpenSCAP, for me it's not very difficult to write XML or YAML, right? But for the person who is in a position such as a manager, who just wants to know what all things are there, but still has a tech background, or still wants to touch base, still has to check what all things are going on in the system, this particular tool gives a proper insight: which host, which rule, why, how to mitigate it. And it also gives the flexibility with Ansible, if he or she knows Ansible, Puppet or anything; you can mitigate it, with the description about it. So all the things are done for the person who is not even very good in terms of technicalities, but still wants to go.

Does it have the capability to scan Docker images?

Yes, it has. There is Atomic Scan, which can be run on Docker. I have not shown it over here, but yes, OpenSCAP has the capability to scan Docker images, and it has inbuilt profiles.

Pardon?

Inbuilt profiles. Inbuilt profiles. Yes, we have different profiles for that as well.

Hi, I have one question on the web scanning part. I can't see. Okay. Okay. Yeah. So, as with the Nessus scanner or OpenVAS, we do have the ability to scan web-based URLs as well as system profiles. So if I'm running OpenVAS, do you recommend going for SCAP?

It all depends on you and your infrastructure, right? Let's say you're pretty much comfortable with OpenVAS. You can go with that. Not a problem. But if you still want to give OpenSCAP a try, you definitely should, because there could be certain changes or a different approach towards scanning the same infrastructure. So I would say definitely give it a try. But if you still don't want to, again, it's an open source world, you know, walk off.

I have actually two questions.
One, does it scan the container itself or does it scan the image?

No, it can scan the container as well.

Okay. And second one is, how do you make sure that the code that your tool has generated is compatible with the version of Ansible or Puppet or Chef you are using?

The second question, I'm not clear. Can you just repeat it?

So there might be a compatibility matrix between the configuration management tool and OpenSCAP. So how are you making sure that they both are compatible?

Right. So behind this, whatever rule, let's say you write today, you have to give an Ansible playbook or a Puppet playbook, whatever is feasible to you, whatever is feasible to the developer or the person who is writing the rule, and give it in the upstream, right? So the upstream gets checked: which rule or which Ansible playbook runs on which systems. I mean, let's say that's one thing for your configuration tool; I mean, OpenSCAP needs to be managed by Ansible 2.7, right? So at the end, the Ansible playbook will be running. And the rule, I mean the task in the Ansible playbook, will be for your own system, not for core Puppet or core Ansible. The task will be for the system or the infrastructure that you have, the configuration that you have done. It won't change the Puppet configurations, it won't change the Ansible configurations, but it will change the system configurations. So let's say in login.defs you have written some rule, or in profiles you have mentioned some sort of things, right? Once you log in to bash, you have some things in your terminal; it won't change that, but it will give you a hint that this is something which is deprecated or this is something which is not secure enough for your infrastructure. So now you can fix it with a bash script or an Ansible playbook.
So it will change that configuration. So custom scans, I mean custom configurations, will be something where human intervention needs to take place. But if this is something related more to a package, OpenSCAP will take care of that. So I'm not pretty sure whether I have answered your question, but yeah, we can discuss that offline. Anyone else? All right. Okay. Thank you, Jessica. So...
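As an added example (not from the talk or from the OpenSCAP project), the report the speaker describes, with its passed, failed and not-checked counts, can be reproduced from the XCCDF results file that `oscap xccdf eval --results` writes; this Python script parses a constructed, minimal result document and builds the `oscap xccdf generate fix --fix-type ansible` command that turns all the failed rules of that result into one Ansible playbook. The hostname, result id and rule ids in the sample are constructed placeholders.

```python
"""Summarise an XCCDF 1.2 result file the way the OpenSCAP report does (pass /
fail / notchecked per rule) and build the oscap command that turns every
failed rule into one Ansible playbook.
Added example, not from the talk or from OpenSCAP. The XML below is a
constructed, minimal result document; a real one comes from
`oscap xccdf eval --profile <id> --results results.xml <datastream>`.
"""
import sys
from collections import Counter
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample: 2 rules passed, 2 failed, 1 not checked. The rule ids
# follow the SCAP Security Guide naming scheme but are placeholders here.
SAMPLE_RESULTS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark">
  <TestResult id="xccdf_org.open-scap_testresult_example"
              start-time="2019-05-20T18:00:00" end-time="2019-05-20T18:01:30">
    <target>host01.example.internal</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def summarize(xml_text):
    """Return result id, target, per-status counts and the failed rule ids."""
    root = ET.fromstring(xml_text)
    # .// finds the TestResult wherever oscap nested it inside the data stream.
    test_result = root.find(f".//{{{XCCDF_NS}}}TestResult")
    if test_result is None:
        raise ValueError("no XCCDF TestResult element found")
    counts, failed = Counter(), []
    for rr in test_result.findall(f"{{{XCCDF_NS}}}rule-result"):
        status = rr.findtext(f"{{{XCCDF_NS}}}result", default="unknown").strip()
        counts[status] += 1
        if status == "fail":
            failed.append(rr.get("idref"))
    return {"result_id": test_result.get("id"),
            "target": test_result.findtext(f"{{{XCCDF_NS}}}target", default="?"),
            "counts": dict(counts), "failed": failed}


def fix_command(result_id, results_path="results.xml", playbook="remediate.yml"):
    """The follow-up command the talk refers to: one playbook for every failed
    rule of the given TestResult (--fix-type also accepts bash and puppet)."""
    return ["oscap", "xccdf", "generate", "fix", "--fix-type", "ansible",
            "--result-id", result_id, "--output", playbook, results_path]


def main(argv):
    # Pass a real results.xml path to summarise it; otherwise use the sample.
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_RESULTS
    report = summarize(xml_text)
    print(f"target: {report['target']}  result: {report['result_id']}")
    for status in ("pass", "fail", "notchecked"):
        print(f"  {status:<11}{report['counts'].get(status, 0)}")
    for rule in report["failed"]:
        print(f"  FAIL {rule}")
    print("remediate with:", " ".join(fix_command(report["result_id"])))


if __name__ == "__main__":
    main(sys.argv)
```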