Security & Compliance automation with Foreman

Shlomi Zadok

@shlomizadok

Introduce myself,Foreman team memberContributed to foreman_openscap

What's on our plate?

What is OpenSCAP?

How it integrates with the Foreman?

Installation process

Setting and running

In this presentation I'm gonna cover the concept of openscap, what it does & some of the tools openscap provides

Then I'm gonna talk about how it plays w/ foreman, how to install, configure and run

Made with by

imon Lukak

Marek Huln

ohadlevy
cristifalcas
sean797
lzap
unorthodoxgeek
domcleal
GregSutcliffe

ondej prak

Before we startI'd like to begin with thanking Simon, Marek and Ondrej who made this plugin.

Simon is the lead of openscap projectMarek and Ondrej from the foreman team and many contributions from other team members.

What is OpenSCAP?

SCAP = Security Content Automation Protocol

Created by NIST

Represents de-facto security standards

OpenSCAP = Open source implementation of SCAP

* US National Institute of Standard and Technology

Security compliance is a state where computer systems are in line with a specific security policy.

Let's see a movie.

OpenSCAP

Tachlis

Defines Security and audit rules

Scans your systems if they apply those rules

Reports about your systems security status

To sum it all:OpenSCAP provides rules, profiles, and datastreams to scan systems and report back the scan results

Policies (AKA scap content) A list of rule titles and descriptions. These come from so called prose guides text documents that describe security policies in a human-readable form. However, the most valuable part of an SCAP security policy is the code for automated evaluation of each rule. This code is what allows auditors to evaluate compliance without tedious manual checking.

SDS - SCAP source data stream that is a standalone XML file containing XCCDF, OVAL, CPE

XCCDF - (eXtensible Configuration Checklist Description Format,) - is a language to express, organize, and manage security policies

OVAL - The Open Vulnerability and Assessment Language is declarative language for making logical assertions about the state of endpoint system.

CPE - Common Platform Enumeration, part of the SCAP standard, is a structured naming scheme used to identify information technology systems, platforms, and packages.

How can I use OpenSCAP?

Base tool `oscap`

SCAP Workbench

OSCAP Anaconda Add-on

OpenSCAP Daemon

Scaptimony

More @ open-scap.org

The OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with assessment, measurement and enforcement of security baselines

Oscap cli scanner

SCAP Workbench - is a graphical utility that offers an easy way to perform common oscap tasks. This tool allows users to perform configuration and vulnerability scans on a single local or a remote system, perform remediation of the system

Anaconda addon - ensures that a system is compliant with the targeted security profile before you finish installing?. Create a compliant system image easily.

Daemon Runs 'oscap' periodically

Scaptimony Rails engine to persist openscap reports

Hey, this is a Foreman track

Okay, let's move to the Foreman implementation of OpenSCAP

Automating OpenSCAP with Foreman

Goal: Your client(s) running oscap, with selected profiles and report to a central place.

(Hello Foreman )

So, as in other components of Foreman, we'd like to automate the usage of OpenSCAP, so our hosts will have the desired tools, policies, configuration and cron jobs

Achieved with

foreman_openscap

smart_proxy_openscap

foreman_scap_client

puppet-foreman_scap_client

Automating OpenSCAP

Demo

Installation

1. puppet-foreman_scap_client

2. smart_proxy_openscap

3. foreman_openscap

1. Why puppet module needs to go first2. Settings openscap.yaml3. if all goes puupet installs foreman_scap_client

Versions

Foreman & Proxy 1.7 1.10 run with 0.4.x

Foreman & Proxy >= 1.11 run with 0.5.x

What's the diff?

(hint: Huge.)

Explain how each works,How it started (scaptimony)What were the concerns

The flow

foreman_openscap:

Adds OpenSCAP datastream files

Defines profiles to run on clients

Assigns profile to host(group)

Puppet configures foreman_scap_client with profile data (including path to datastream file)

The Flow

Once configured, foreman_scap_client runs with selected profile id

It searches for the datastream files (or downloads it from the Proxy [which downloads it from the Foreman])

Once file is acquired, oscap scanner is running and the results (ARF report) is bzipped and uploaded to the Proxy

The flow

Proxy receives A Bizzped ARF report and sends it to Foreman

ARF reports are available to evaluate

On the Foreman