automating openscap with foreman
Post on 15-Jan-2017
Security & Compliance automation with Foreman
Introduce myself: Foreman team member, contributed to foreman_openscap
What's on our plate?
What is OpenSCAP?
How it integrates with the Foreman?
Setting and running
In this presentation I'm going to cover the concept of OpenSCAP, what it does, and some of the tools OpenSCAP provides.
Then I'm going to talk about how it plays with Foreman: how to install, configure and run it.
Before we start, I'd like to begin by thanking Simon, Marek and Ondrej, who made this plugin.
Simon is the lead of the OpenSCAP project; Marek and Ondrej are from the Foreman team, and there were many contributions from other team members.
What is OpenSCAP?
SCAP = Security Content Automation Protocol
Created by NIST
Represents de-facto security standards
OpenSCAP = Open source implementation of SCAP
* US National Institute of Standards and Technology
Security compliance is a state where computer systems are in line with a specific security policy.
Let's see a movie.
Defines Security and audit rules
Scans your systems to check whether they comply with those rules
Reports about your systems security status
To sum it up: OpenSCAP provides rules, profiles, and datastreams to scan systems and report back the scan results
Policies (AKA SCAP content): a list of rule titles and descriptions. These come from so-called prose guides, text documents that describe security policies in a human-readable form. However, the most valuable part of an SCAP security policy is the code for automated evaluation of each rule. This code is what allows auditors to evaluate compliance without tedious manual checking.
SDS - SCAP source data stream: a standalone XML file bundling XCCDF, OVAL and CPE content
XCCDF - eXtensible Configuration Checklist Description Format: a language to express, organize, and manage security policies
OVAL - Open Vulnerability and Assessment Language: a declarative language for making logical assertions about the state of an endpoint system
CPE - Common Platform Enumeration: part of the SCAP standard, a structured naming scheme used to identify information technology systems, platforms, and packages
How can I use OpenSCAP?
Base tool `oscap`
OSCAP Anaconda Add-on
More @ open-scap.org
The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with assessment, measurement and enforcement of security baselines
oscap CLI scanner
SCAP Workbench - a graphical utility that offers an easy way to perform common oscap tasks. It lets users run configuration and vulnerability scans on a single local or remote system and remediate that system.
Anaconda add-on - ensures that a system is compliant with the targeted security profile before installation finishes, so you can create a compliant system image easily.
OpenSCAP Daemon - runs `oscap` periodically
Scaptimony - Rails engine to persist OpenSCAP reports
Hey, this is a Foreman track
Okay, let's move on to the Foreman implementation of OpenSCAP
Automating OpenSCAP with Foreman
Goal: your client(s) running oscap with selected profiles and reporting to a central place.
(Hello, Foreman)
So, as with other components of Foreman, we'd like to automate the usage of OpenSCAP, so our hosts get the desired tools, policies, configuration and cron jobs.
1. Why the Puppet module needs to go first
2. Settings: openscap.yaml
3. If all goes well, Puppet installs foreman_scap_client
Foreman & Proxy 1.7-1.10 run with 0.4.x
Foreman & Proxy >= 1.11 run with 0.5.x
What's the diff?
Explain how each works, how it started (Scaptimony), what the concerns were
Adds OpenSCAP datastream files
Defines profiles to run on clients
Assigns profile to host(group)
Puppet configures foreman_scap_client with profile data (including path to datastream file)
Once configured, foreman_scap_client runs with selected profile id
It looks for the datastream file (or downloads it from the Proxy, which in turn downloads it from Foreman)
Once the file is acquired, the oscap scanner runs and the results (an ARF report) are bzipped and uploaded to the Proxy
The Proxy receives the bzipped ARF report and sends it to Foreman
ARF reports are then available to evaluate
On the Foreman
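To make the client-side part of that flow concrete, here is an added Python sketch of what foreman_scap_client does per policy: evaluate the datastream with the assigned XCCDF profile, bzip the ARF result and POST it to the Smart Proxy. It is example code written for this page, not the project's own; the policy dict, proxy address, upload path and HTTP headers are assumptions modelled on the client's configuration, and the real client additionally authenticates to the proxy with the host's TLS certificate.

```python
"""Model of one foreman_scap_client run: oscap eval -> bzip2 -> upload."""
import bz2
import subprocess
import urllib.request

# Constructed sample of what Puppet writes for one assigned policy
# (assumed values, not a real policy).
POLICY = {
    "id": 1,
    "profile": "xccdf_org.ssgproject.content_profile_standard",
    "content_path": "/var/lib/openscap/content/ssg-rhel7-ds.xml",
    "upload_path": "/compliance/arf/1",
}
PROXY = "https://proxy.example.com:8443"  # assumed Smart Proxy URL


def build_oscap_command(policy, results_arf="/tmp/arf.xml"):
    """oscap evaluates the datastream against the selected XCCDF profile
    and writes the outcome as an ARF (Asset Reporting Format) document."""
    return ["oscap", "xccdf", "eval",
            "--profile", policy["profile"],
            "--results-arf", results_arf,
            policy["content_path"]]


def scan_status(returncode):
    """oscap exit codes: 0 = every rule passed, 2 = at least one rule
    failed (still a valid report), anything else = scanner error."""
    return {0: "compliant", 2: "noncompliant"}.get(returncode, "error")


def compress_report(arf_xml):
    """The client bzips the ARF; the proxy forwards it to Foreman as-is."""
    return bz2.compress(arf_xml)


def upload_report(policy, payload, proxy=PROXY, opener=urllib.request.urlopen):
    """POST the bzipped ARF to the proxy's per-policy ARF endpoint.
    `opener` is injectable so the flow can be exercised offline."""
    req = urllib.request.Request(
        proxy + policy["upload_path"], data=payload, method="POST",
        headers={"Content-Type": "text/xml", "Content-Encoding": "x-bzip2"})
    return opener(req)


def run_policy(policy, runner=subprocess.run, opener=urllib.request.urlopen):
    """Full client cycle; a non-report exit code aborts before upload."""
    cmd = build_oscap_command(policy)
    proc = runner(cmd, capture_output=True)
    status = scan_status(proc.returncode)
    if status == "error":
        raise RuntimeError("oscap failed: %r" % proc.stderr)
    with open(cmd[cmd.index("--results-arf") + 1], "rb") as fh:
        upload_report(policy, compress_report(fh.read()), opener=opener)
    return status
```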