Okay, hello everybody. Thank you very much for coming. Nice to see all of you here. My name is Jan Černý. I work at Red Hat in the security technology team, and I'm a developer on the OpenSCAP project, which is a security compliance tool. And I came to Flock to tell you something about OpenSCAP and also to introduce a new component within the OpenSCAP project which is called OpenSCAP Daemon.

But let's start from the beginning. Computer security is a very broad topic, and today and yesterday we have heard a lot of talks which touched on security somehow. But from the most high-level point of view, we can say that safe systems, or secure systems, don't contain vulnerabilities, and they are also configured in a way that they don't expose any weaknesses. And our tool, OpenSCAP, is able to detect both of those: vulnerabilities and weaknesses.

First, let's start with the vulnerabilities. Every software has a lot of vulnerabilities. The good news is that some of those vulnerabilities have already been found, the fixes were made and the details are publicly available. But the bad news is that attackers try to find some systems that run without those patches installed, so they would like to misuse those exploits which are already publicly available. Some of those vulnerabilities are well known; they even have fancy names. You have definitely heard about Shellshock and Heartbleed. So how can we detect that our system is affected by one of those known vulnerabilities? Basically, we can compare the versions of our installed packages with a list of packages provided by the vendor, so we know in which version of the particular package the patch was merged in. And if we have an older version, it means that we have a vulnerable package installed on our system, so we should update it.

This was about vulnerabilities. The second thing that I mentioned is the configuration. The system must be configured, or should be configured, in a way that prevents a lot of security issues. This includes a lot of things. For example, you should have SELinux enabled. You shouldn't run some protocols like Telnet which are not considered secure. Or you shouldn't allow your users to log in without a password. There are many, many recommendations. And there is no single guidance document; the secure configuration really depends on the workload or the usage of the system. So there are many security guidances for different purposes. And how can we check that our system is configured in line with any of those guidances? Basically, you would have to browse all of the configuration files and check which services are turned on and which are disabled, and do a lot of stuff to audit the computer. I will ask you a question: would you like to do that manually? Definitely not. And that's why we have OpenSCAP.

OpenSCAP is a security compliance tool. It provides both configuration scanning and vulnerability scanning of your system. OpenSCAP is already a stable project; we started to develop it at Red Hat seven years ago. OpenSCAP is a scanner tool. It provides a command line tool called oscap which scans the system, and OpenSCAP is available in Fedora, so you can install this package and you will get the oscap tool. But having a scanner is not enough, because you also need some rules, or as we say, security policies, and those security policies are the input for the scanner. Those security policies are machine-readable implementations of the security guidances.
There are also some standardized security guidances. For example, if you have a server or your computer needs to process payments using credit cards, then it needs to follow the security guidance called PCI DSS, the Payment Card Industry Data Security Standard, and there are many others depending on the purpose. Those guidances are usually thick books with a lot of parts, but we can encode them, or implement them, using the SCAP format. SCAP stands for Security Content Automation Protocol and it's a standard used in this area to write checks, to write benchmarks, to write rules. SCAP documents are very huge XML files, and I will ask you: would you like to develop some huge XML files? No, definitely you wouldn't, but there are some crazy guys who do that, and they develop the SCAP Security Guide project.

SCAP Security Guide is a set of open source security policies. It provides security policies in SCAP format, therefore they are machine readable and they can be used by OpenSCAP. It also provides human readable HTML guides, so you can read why a particular rule is good to follow, or why a particular policy is good to follow. SCAP Security Guide also contains the so-called remediation scripts; those are scripts which can fix your system if your system doesn't comply with a particular rule. You can run those scripts and they will fix the particular thing, so then you will pass. SCAP Security Guide provides benchmarks for various operating systems, of course Fedora and RHEL, and also for some applications (the names are unclear in the recording), and those benchmarks implement those security guidances. The SCAP Security Guide project is available in many distributions; on Fedora you can also install it.

This is a screenshot from the HTML guide. We have groups of rules, and here is one rule, and here you can read why this rule is required. Here is a very simple remediation script, but we also have some more complex ones that do this thing. And in each of those rules there is a corresponding SCAP check which can be evaluated by OpenSCAP.

So now we have the security policies, we have the scanner, and we could start scanning. Actually, it would be nicer, or it would be better, to start with SCAP Workbench, because it's a graphical application which allows you to scan in a few clicks. This application can scan both local systems and remote systems using SSH, and it provides nice reports and also machine-readable results. SCAP Workbench can also be installed on Fedora; I have it on my laptop, so I will show you that. We have SCAP Workbench now; it installs SCAP Security Guide as a dependency. Since I am using Fedora, I will choose the benchmark for Fedora, and here is the profile, which means a particular security policy. We have many more of them for RHEL and for CentOS; for Fedora they are here for testing purposes. I will choose the standard system security profile because it's the shortest, so it will not take so long. I will click on scan, it will ask me for my root password, and it has started to scan my computer. Here are those rules, and OpenSCAP browses the system and tries to verify whether my system is in line with that rule, or fulfills this rule.

The important thing to mention is that we are checking the configuration. For example, if we have some rule that will check whether a service is enabled, and we haven't configured it correctly, in our configuration file it is turned off, but we started it manually, it will still report that we failed that rule, because it is scanning the system configuration and not some temporary settings.

So we just finished, and now I will show you the report, where we can see some details. I should increase the font size, but OK. This is the report of OpenSCAP. Here is some disclaimer at the beginning, not so interesting; here it becomes a little more interesting. There is some metadata, and here you can see that we have checked 9 rules, 5 of them passed, 4 failed, so we have 58% successful. And here there is a table of those rules with detailed results. I will show you, for example, here my system failed on this rule, prevent login to accounts with empty password. If I click on it, it will show me again this first part, which comes from the SCAP Security Guide, and this second part down here comes from my system. You can see that the rule said that we shouldn't have this string in this configuration file, but it found this string in that configuration file on my system, so the rule was not fulfilled. Those details can be displayed also for every other rule, but I will not show you that now.

Instead I will continue with the presentation, because we have seen that we have run SCAP Workbench, but the problem is that here we ran it only once, but the security settings or the configuration can be easily changed. The system administrator can change it every day when he tries to enable a new application, or install some software, or just change something. So today we can pass every rule, but after a week our system can be considered insecure. So we would like to do the scan on, let's say, a daily basis, or continuously; we would like to schedule a scan and have some service which will do the job automatically, so we don't have to run SCAP Workbench every day. For this reason we need continuous management, and we have introduced a new component within our ecosystem which is called OpenSCAP Daemon.

What is OpenSCAP Daemon? It is a project that allows automated continuous security management. The work on this project started last year. Basically it's a small tool written in Python which leverages the OpenSCAP library. How does OpenSCAP Daemon work? It is a system service; it runs in the background, it has some event schedule, and it executes scanning of our security policies according to that schedule. It has integrated results storage, so the results of the scan are archived within the daemon and you can read them afterwards, when you have time. The daemon is a system service and you can communicate with it using either oscapd-cli, which is a command line tool to manage the daemon, or its D-Bus interface. We have a D-Bus interface because we would like to integrate with other tools; for example, now it's possible to integrate it with Cockpit. It is important to mention that OpenSCAP Daemon is not only for scanning your local system or local server. Just like SCAP Workbench, it can scan remote machines over SSH, but what is very interesting is that it can do an offline scan of virtual machine images and containers. What does an offline scan mean? Offline scanning means that you don't have to install any agents inside the container; basically you don't touch the container. You mount the filesystem of the container or the virtual machine to the host filesystem and you scan that filesystem read-only from outside. OpenSCAP Daemon is available in Fedora and you can install it there, and we also provide a containerized version; it is on Docker Hub, an image called openscap-daemon, and this is the same daemon running inside the container.

As I told you, you can manage the daemon and communicate with the daemon using oscapd-cli, which is a command line manager. It is supposed to be an interactive tool, because the oscap command line tool was quite complicated, so we would like to avoid typing long IDs and copying some result files, and avoid some complicated stuff that was there. With oscapd-cli you are supposed to create a task in a few easy steps. I will try to show you that. On my system there is OpenSCAP Daemon running, and I will show you how to create a new task using the command line interface: oscapd-cli task create, and I will run it in the interactive mode. Sorry, task-create. Now it asks for the target; if I leave this empty it will scan my laptop, but I can specify a URI of a container or virtual machine or a remote server. Now it detects that we have SCAP Security Guide installed and it allows me to choose; I will choose the Fedora content, the Fedora security policy. Here it asks for a tailoring file, which is a way you can customize the security policy, if you want to set exceptions, for example. So I will leave this empty, no tailoring. Here are again the profiles that we have seen in SCAP Workbench, so I will choose again the standard profile. Here is the remediation, which will run the remediation scripts after the scan where the remediation scripts are available; I will not do that now. And I will schedule it: I can specify the time, and if I leave this empty it should start now, and here I can specify how often I would like to repeat the scan, for example every six hours. It just created the task, which is disabled now, but I can enable it using this command, and now it is in the calendar of events and it will do the job without my attendance.

Using oscapd-cli you can display which tasks there are. On my system I have created a lot of tasks, I was playing with that. For example, we will try task number six, and here are the results: it was run twice, and the evaluation error means that my system is not compliant with the security policy that I chose when I was creating the task. So I can display the report, the same report as was generated by SCAP Workbench: oscapd-cli result, now it wants the ID of the task and the ID of the run, and I can save it to some file and display it. It generated the report from the integrated storage of results, and now I, as a sysadmin, can browse the report. It is very similar to what we have seen with SCAP Workbench. So that was the usage of OpenSCAP Daemon in a short demo.

Another reason why we started to develop OpenSCAP Daemon was that feature I told you about: it can scan containers, it can scan images from outside, because we wanted to integrate our OpenSCAP solution with Project Atomic. Atomic is a tool for managing containers, and there is one problem with containers: each container has inside a set of binaries, but those binaries can contain vulnerabilities, and each container has a different set of binaries. We would like to somehow identify that our container is vulnerable, our image is vulnerable, so we could use OpenSCAP to somehow scan the image or scan the container and identify whether a container is vulnerable or not, and perhaps stop the container or update it based on the results. That's why, with the Atomic team, we have developed the atomic scan command. Atomic scan can scan your container; it uses OpenSCAP for doing that. The nice thing is that atomic scan automatically determines which operating system is inside the container, or which operating system the container is based on, and then it finds the appropriate feed of CVEs, which means the list of packages which are vulnerable. Currently Red Hat provides the CVE feed for RHEL 6 and RHEL 7, so if you have containers based on RHEL 6 or RHEL 7 you can use atomic scan and OpenSCAP and identify whether your container is vulnerable or not.

I will show you that. I will try to run some container; I have some old image of RHEL 6.6, and let's say something simple, sleep one hour. Now I can use atomic scan: atomic scan and the container ID, and it will start the OpenSCAP daemon and identify that my container is based on RHEL 6, and it should report to me whether there are some vulnerabilities or not. Most likely there will be some, because it's a RHEL 6.6 container. This uses the offline scanning capability, so actually it doesn't touch the container; it does not make any changes inside the container. We will get results in a while.

Does it have to be a running container, or can it be a container image? It can be a container image, yes; the same way as I ran atomic scan you can provide the ID or the name of the image. So yeah: container image, running container, stopped containers. I wonder what's happening now. Anyway, it should show something. The feed, so the feed of OpenSCAP, is provided in a container, so it's very interesting. I promised you it would work; well, anyway, how is it supposed to work? OpenSCAP is inside a container; this container is called openscap and it's somewhere in the Red Hat Registry. The Red Hat Registry is something like Docker Hub, but it provides images of containers which are officially built by Red Hat. So when this image of OpenSCAP is not present on your system, it will download it automatically if you run atomic scan for the first time. And it works like this: atomic mounts the container that you want to scan, and it mounts it inside the OpenSCAP container, and OpenSCAP does the compliance scan and it should produce a result where we will see which packages are vulnerable and which CVEs are in those packages, and it should also display links to our data. So the sysadmin can decide whether he wants to update the container, or, for example, whether the vulnerability is so serious that he wants to disable the container and not run it.

So we have now the vulnerability scan of the containers and images, but we would also like to evaluate the configuration of the containers. There are also some good practices; for example, you shouldn't run sshd inside the container, or you shouldn't set additional capabilities that you don't really need. So we are now working on some things like a profile for systems inside a container within the SSG project, so there will be some security policies for running inside containers. We are also starting to develop a benchmark in the security guide for Docker, to provide some configuration recommendations for Docker, and this should also be used in the atomic scan command. Actually, the atomic scan command is not only for vulnerability scanning or security scanning; you can have different scanners, not only OpenSCAP. Currently you can provide, for example, an image and it will scan the container using that, and you can display the list of the available scanners using atomic scan. Basically now there is only OpenSCAP, as far as I know, but it would be nice if there would be some configuration scan and if there would be some more things.

Since this is the Fedora contributors conference, we are looking for people who would like to contribute to container security, or to whatever has something to do with security compliance or scanning, and we would really welcome contributions. You can start with our really nice new website at open-scap.org; there is a lot of information there. All the sources of all the projects that I mentioned today, including SCAP Security Guide and the OpenSCAP Daemon, are available on GitHub. You can follow us on Twitter; if you have any questions you can send them to the mailing list, and you can join our OpenSCAP channel on Freenode. That's everything from me. Thank you very much for your attention. Do you have any questions?

Not yet. Good idea, but it's not possible yet, because we don't have the appropriate content; there are some differences between systems running on bare metal or virtual machines and in containers, so here we welcome contributions. It can be done, but inside the container all the devices... not now.

I'm sure it's just my first talk in English. What language do you speak normally? Czech. You did better than I would in Czech. So what time is it? I don't know.
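As an added example (not code from the talk, nor from the OpenSCAP or SCAP Security Guide projects), here is a small Python script that mirrors the two kinds of check the talk describes. The vulnerability check compares each installed package's epoch:version-release against the version in which the vendor merged the fix, the way an OVAL rpminfo test over a CVE feed does; the version comparison is a cut-down rpmvercmp (numeric and alphabetic segments, no '~' or '^' handling). The configuration check fails a rule when a configuration file contains a forbidden string, like the empty-password rule in the demo report. The vendor feed, the installed-package table and the pam file contents are constructed sample data, and the `nullok` pattern is my assumption about what that rule looks for.

```python
"""Toy SCAP-style scan: a package-version (vulnerability) check and a
configuration-file (weakness) check over constructed sample data.
Added example; not OpenSCAP's own code."""
import re


# ---- RPM version comparison ---------------------------------------------------
# Simplified rpmvercmp: split into numeric and alphabetic segments and compare
# segment by segment. Numeric segments are newer than alphabetic ones, and the
# string with segments left over is newer. ('~' and '^' handling is omitted.)
def rpmvercmp(a, b):
    """Return -1, 0 or 1 as version string a is older than, equal to or newer than b."""
    sa = re.findall(r"[0-9]+|[a-zA-Z]+", a)
    sb = re.findall(r"[0-9]+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)           # numeric compare ignores leading zeros
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alpha one
        elif x != y:
            return 1 if x > y else -1         # alpha segments compare lexically
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_evr(s):
    """'1:2.3-4.fc22' -> (1, '2.3', '4.fc22'); a missing epoch counts as 0."""
    epoch, _, rest = s.rpartition(":")
    version, _, release = rest.partition("-")
    return (int(epoch) if epoch else 0, version, release)


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples: epoch first, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


# ---- Vulnerability check ------------------------------------------------------
# Constructed vendor feed: for each package, the first EVR that carries the fix.
# This plays the role of the CVE/OVAL feed; the values are made up, not a real advisory.
VENDOR_FIXES = {
    "bash": "4.3.33-1.fc22",
    "openssl": "1:1.0.1k-6.fc22",
}

# Constructed table of installed packages, as `rpm -qa` would report them.
INSTALLED = {
    "bash": "4.3.33-1.fc22",
    "openssl": "1:1.0.1j-1.fc22",
    "vim-minimal": "2:7.4.640-1.fc22",
}


def vulnerable_packages(installed, fixes):
    """Names of installed packages whose EVR is older than the vendor's fixed EVR."""
    return [
        name for name, fixed in fixes.items()
        if name in installed and evr_cmp(parse_evr(installed[name]), parse_evr(fixed)) < 0
    ]


# ---- Configuration check ------------------------------------------------------
# Constructed /etc/pam.d/system-auth. The 'nullok' option is assumed to be the
# string the empty-password rule forbids (the talk only says "a string in a config file").
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
"""


def forbidden_pattern_check(text, pattern):
    """A rule of the form 'file must not contain pattern': returns (passed, offending lines)."""
    hits = [line for line in text.splitlines() if re.search(pattern, line)]
    return (not hits, hits)


def run_scan(installed=INSTALLED, fixes=VENDOR_FIXES, system_auth=SYSTEM_AUTH):
    """Evaluate every rule; return ({rule_id: 'pass'|'fail'}, percent of rules passed),
    the two figures the HTML report in the talk summarises."""
    results = {}
    vulns = vulnerable_packages(installed, fixes)
    for name in fixes:   # a feed package that is not installed passes (OVAL: not applicable)
        results["patched_" + name] = "fail" if name in vulns else "pass"
    passed, _ = forbidden_pattern_check(system_auth, r"\bnullok\b")
    results["no_empty_passwords"] = "pass" if passed else "fail"
    percent = round(100 * sum(r == "pass" for r in results.values()) / len(results))
    return results, percent


if __name__ == "__main__":
    results, percent = run_scan()
    for rule, outcome in results.items():
        print(f"{rule:<22} {outcome}")
    print(f"{percent}% of rules passed")
```

Running the script as written reports `openssl` as vulnerable (1.0.1j is older than the fixed 1.0.1k) and the empty-password rule as failed; passing the same file with the `nullok` options removed to `run_scan` is the "after remediation" case, where that rule passes. A real OVAL check also evaluates the package's architecture and signature key, and the real rpmvercmp orders '~' before everything else; both are left out to keep the comparison readable.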