Post on 15-Jan-2017
Security & Compliance automation with Foreman
Shlomi Zadok
@shlomizadok
Introduce myself, Foreman team member
Contributed to foreman_openscap
What's on our plate?
What is OpenSCAP?
How it integrates with the Foreman?
Installation process
Setting and running
In this presentation I'm going to cover the concept of OpenSCAP, what it does and some of the tools OpenSCAP provides.
Then I'm going to talk about how it plays with Foreman, and how to install, configure and run it.
Made with ♥ by
Šimon Lukašík
Marek Hulán
ohadlevy
cristifalcas
sean797
lzap
unorthodoxgeek
domcleal
GregSutcliffe
Ondřej Pražák
Before we start
I'd like to begin by thanking Simon, Marek and Ondrej, who made this plugin.
Simon is the lead of the OpenSCAP project; Marek and Ondrej are from the Foreman team, with many contributions from other team members.
What is OpenSCAP?
SCAP = Security Content Automation Protocol
Created by NIST
Represents de-facto security standards
OpenSCAP = Open source implementation of SCAP
* US National Institute of Standards and Technology
Security compliance is a state where computer systems are in line with a specific security policy.
Let's see a movie.
OpenSCAP
Bottom line
Defines Security and audit rules
Scans your systems to check whether they comply with those rules
Reports about your systems security status
To sum it all up: OpenSCAP provides rules, profiles, and datastreams to scan systems and report back the scan results.
Policies (AKA SCAP content): a list of rule titles and descriptions. These come from so-called prose guides, text documents that describe security policies in a human-readable form. However, the most valuable part of an SCAP security policy is the code for automated evaluation of each rule. This code is what allows auditors to evaluate compliance without tedious manual checking.
SDS - SCAP source data stream: a standalone XML file containing XCCDF, OVAL and CPE content
XCCDF - eXtensible Configuration Checklist Description Format: a language to express, organize, and manage security policies
OVAL - Open Vulnerability and Assessment Language: a declarative language for making logical assertions about the state of an endpoint system
CPE - Common Platform Enumeration: part of the SCAP standard, a structured naming scheme used to identify information technology systems, platforms, and packages
How can I use OpenSCAP?
Base tool `oscap`
SCAP Workbench
OSCAP Anaconda Add-on
OpenSCAP Daemon
Scaptimony
More @ open-scap.org
The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with assessment, measurement and enforcement of security baselines
oscap - command-line scanner
SCAP Workbench - a graphical utility that offers an easy way to perform common oscap tasks. This tool allows users to perform configuration and vulnerability scans on a single local or remote system and to remediate the system
Anaconda add-on - ensures that a system is compliant with the targeted security profile before you finish installing. Create a compliant system image easily.
Daemon - runs 'oscap' periodically
Scaptimony - Rails engine to persist OpenSCAP reports
Hey, this is a Foreman track
Okay, let's move to the Foreman implementation of OpenSCAP
Automating OpenSCAP with Foreman
Goal: your client(s) running oscap with selected profiles and reporting to a central place.
(Hello Foreman)
So, as with other components of Foreman, we'd like to automate the usage of OpenSCAP, so our hosts will have the desired tools, policies, configuration and cron jobs.
Achieved with
foreman_openscap
smart_proxy_openscap
foreman_scap_client
puppet-foreman_scap_client
Automating OpenSCAP
Demo
Installation
1. puppet-foreman_scap_client
2. smart_proxy_openscap
3. foreman_openscap
1. Why the puppet module needs to go first
2. Settings in openscap.yaml
3. If all goes well, puppet installs foreman_scap_client
Versions
Foreman & Proxy 1.7 - 1.10 run with 0.4.x
Foreman & Proxy >= 1.11 run with 0.5.x
What's the diff?
(hint: Huge.)
Explain how each works
How it started (Scaptimony)
What were the concerns
The flow
foreman_openscap:
Adds OpenSCAP datastream files
Defines profiles to run on clients
Assigns profile to host(group)
Puppet configures foreman_scap_client with profile data (including path to datastream file)
The Flow
Once configured, foreman_scap_client runs with the selected profile id
It searches for the datastream file (or downloads it from the Proxy, which downloads it from the Foreman)
Once the file is acquired, the oscap scanner runs and the result (an ARF report) is bzipped and uploaded to the Proxy
The flow
The Proxy receives the bzipped ARF report and sends it to the Foreman
ARF reports are available to evaluate
On the Foreman
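To show what "evaluating" an uploaded report involves, here is an added example (not code from foreman_openscap, foreman_scap_client or this talk) that takes a bzipped ARF report of the kind the client uploads, pulls the XCCDF TestResult out of it, and summarises profile, target, per-result counts, failed rules and the pass ratio over scored rules. The report content, host name and rule ids are constructed for the example.

```python
import bz2
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
# XCCDF results the default scoring model leaves out of the pass ratio.
UNSCORED = {"notapplicable", "notchecked", "notselected", "informational"}

# Constructed sample: a minimal bzipped ARF report shaped like a foreman_scap_client upload
# (real reports also carry asset, OVAL and many more rule-result elements).
SAMPLE_ARF = bz2.compress(b"""<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1">
 <arf:reports><arf:report id="xccdf1"><arf:content>
  <TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_common">
   <profile idref="xccdf_org.ssgproject.content_profile_common"/>
   <target>client01.example.com</target>
   <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <result>fail</result></rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" severity="high">
    <result>pass</result></rule-result>
   <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high">
    <result>notapplicable</result></rule-result>
  </TestResult>
 </arf:content></arf:report></arf:reports>
</arf:asset-report-collection>""")


def summarize_arf(data):
    """Decompress a (possibly bzipped) ARF report and summarise its XCCDF TestResult."""
    if data[:3] == b"BZh":  # bzip2 magic: the client uploads reports compressed
        data = bz2.decompress(data)
    result = next(ET.fromstring(data).iter(XCCDF + "TestResult"))
    counts, failed = Counter(), []
    for rr in result.iter(XCCDF + "rule-result"):
        outcome = rr.findtext(XCCDF + "result")
        counts[outcome] += 1
        if outcome == "fail":
            failed.append((rr.get("idref"), rr.get("severity")))
    scored = sum(n for r, n in counts.items() if r not in UNSCORED)
    return {
        "profile": result.find(XCCDF + "profile").get("idref"),
        "target": result.findtext(XCCDF + "target"),
        "counts": counts,
        "failed": failed,
        "pass_ratio": counts["pass"] / scored if scored else 0.0,
    }


if __name__ == "__main__":
    s = summarize_arf(SAMPLE_ARF)
    print(f"{s['target']}: {s['pass_ratio']:.0%} pass, failed: {s['failed']}")
```

For the sample above the notapplicable rule is excluded from scoring, so the summary reports one failed rule and a 50% pass ratio.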