Security for the Cloud with SCAP
Martin Preisler, Ján Lieskovský
Red Hat, Inc.
Everything is indeed on fire!
● let’s fight the fires!
● software flaws - vulnerabilities
● configuration flaws - weaknesses
Vulnerabilities
● undiscovered vulnerabilities are bad
  ○ But not all that bad, everybody has them.
  ○ It’s a lot of effort to use those for exploits.
● known vulnerabilities are much worse
  ○ CVE-2016-1283
  ○ Details are publicly available.
● some are so bad that they have fancy names
  ○ Shellshock, POODLE, VENOM, ...
● … and logos
Vulnerabilities
● vulnerabilities are dangerous
● nothing we can do about unknown vulnerabilities
● let’s never have any known ones in our infrastructure!
We are in the cloud age!
● production deployments are getting complex
● containers are everywhere
● single-purpose containers → many different containers
We need automation!
Need to automatically check all our containers for vulnerabilities!
atomic scan
● new feature in atomic
● scan a container or container image for CVEs
● scan containers or images en masse
● outputs summary, detailed results, json
atomic scan with multiple targets
● atomic scan --containers
● atomic scan --images
● atomic scan --all
So… How does this work?
1. detect the OS version
2. get the appropriate CVE feed
3. evaluate with OpenSCAP
4. parse the results
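The four steps above, sketched as an added Python example; this is not atomic's own code and not part of the original slides. The feed URL, the sample os-release text, the definition ids and the CVE ids are constructed placeholders; `oscap oval eval --results` is the OpenSCAP command line.

```python
"""Added example: the four scan steps as functions (not atomic's own code)."""
import re
import xml.etree.ElementTree as ET

RES = "{http://oval.mitre.org/XMLSchema/oval-results-5}"
DEF = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"

# Hypothetical feed location: substitute the OVAL CVE feed your vendor publishes.
FEEDS = {("rhel", "7"): "https://feeds.example.invalid/rhel-7-cve-oval.xml"}

# Constructed sample inputs, so the example runs offline.
SAMPLE_OS_RELEASE = 'NAME="Constructed Linux"\nID="rhel"\nVERSION_ID="7.2"\n'
SAMPLE_RESULTS = """\
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
 <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
   <definition id="oval:example:def:1" class="patch" version="1"><metadata>
    <title>Constructed advisory A</title>
    <reference source="CVE" ref_id="CVE-0000-0001"/></metadata></definition>
   <definition id="oval:example:def:2" class="patch" version="1"><metadata>
    <title>Constructed advisory B</title>
    <reference source="CVE" ref_id="CVE-0000-0002"/></metadata></definition>
  </definitions>
 </oval_definitions>
 <results><system><definitions>
  <definition definition_id="oval:example:def:1" result="true" version="1"/>
  <definition definition_id="oval:example:def:2" result="false" version="1"/>
  <definition definition_id="oval:example:def:3" result="error" version="1"/>
 </definitions></system></results>
</oval_results>
"""


def detect_os(os_release_text):
    """Step 1: read ID and major version from the target's /etc/os-release."""
    fields = dict(re.findall(r'^(\w+)="?([^"\n]*)"?$', os_release_text, re.M))
    return fields["ID"], fields["VERSION_ID"].split(".")[0]


def pick_feed(os_id, major):
    """Step 2: choose the CVE feed for that OS; refuse to guess for unknown ones."""
    if (os_id, major) not in FEEDS:
        raise LookupError(f"no CVE feed known for {os_id} {major}")
    return FEEDS[(os_id, major)]


def oscap_argv(feed_path, results_path):
    """Step 3: the OpenSCAP invocation that evaluates the feed and saves results."""
    return ["oscap", "oval", "eval", "--results", results_path, feed_path]


def parse_results(results_xml):
    """Step 4: split definitions into vulnerable ('true') and inconclusive ones."""
    root = ET.fromstring(results_xml)
    meta = {}
    for d in root.iter(DEF + "definition"):
        title = d.findtext(f"{DEF}metadata/{DEF}title", default="")
        cves = sorted(r.get("ref_id") for r in d.iter(DEF + "reference")
                      if r.get("source") == "CVE")
        meta[d.get("id")] = (title, cves)
    vulnerable, inconclusive = [], []
    for r in root.iter(RES + "definition"):
        def_id = r.get("definition_id")
        if r.get("result") == "true":
            title, cves = meta.get(def_id, ("", []))
            vulnerable.append({"id": def_id, "title": title, "cves": cves})
        elif r.get("result") in ("error", "unknown"):
            # A check that could not be evaluated is not a clean bill of health.
            inconclusive.append(def_id)
    return vulnerable, inconclusive


if __name__ == "__main__":
    os_id, major = detect_os(SAMPLE_OS_RELEASE)
    print("feed:", pick_feed(os_id, major))
    print("run :", " ".join(oscap_argv("feed.xml", "results.xml")))
    print("scan:", parse_results(SAMPLE_RESULTS))
```

Definitions that come back as `error` or `unknown` are reported separately so that a scan which could not evaluate a check is not read as "no CVEs found".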
atomic scan in SPC
Security?
● security is a very broad term
● secure a system according to a security policy
  ○ avoid unpatched vulnerable software
  ○ get the configuration right - hardening
What is a security policy?
● what it means to secure a system
● set of rules to follow
  ○ description
  ○ rationale
  ○ how to check
  ○ how to fix
● text - PDF, spreadsheet, …
● very often comes from standard organizations or government bodies
● can be very useful for pro-active security
What is SCAP?
● Security Content Automation Protocol
● NIST standard
● express security policies with machine readable code
● several data-formats specified
● XCCDF and OVAL are the main components
Two types of SCAP security policies
● Vulnerability Assessment
  ○ detect CVEs
  ○ Heartbleed
  ○ Shellshock
  ○ Ghost
  ○ VENOM
  ○ ...
● Security Compliance
  ○ proper configuration
  ○ USGCB
  ○ DISA STIG
  ○ PCI DSS
  ○ ...
Two main use-cases
● Vulnerability Assessment
● are my machines vulnerable?
  ○ to Heartbleed?
  ○ to Shellshock?
  ○ to Ghost?
  ○ to VENOM?
  ○ ...
● Security Compliance
● is root login over ssh forbidden?
● is /tmp on a separate partition?
● are we using strict password policy?
● no obsolete/insecure services?
  ○ telnet, rsh
● ...
OpenSCAP
● SCAP 1.2 implementation
● stable and mature project, started by Red Hat in 2009
● certified by NIST since 2014
● open source - LGPL 2.1+
● library and a command-line tool
● GUI frontend - SCAP Workbench
● https://www.open-scap.org/
Scanning a single machine
● Fedora 23
● OpenSCAP + SCAP Workbench
● Common profile from SCAP Security Guide
Install and start SCAP Workbench
(Assuming Fedora 23)
# yum install scap-security-guide
# yum install scap-workbench
$ scap-workbench
Why the need for security policies?
● Linux distributions are multi-purpose (classroom workstation vs HPC server vs airport laptop)
● High-level 3rd-party standards (e.g. PCI DSS) vs concrete hardening steps
● Desire for automation
Introducing SCAP Security Guide (SSG)
● Suite of policies expressed in SCAP format
● Suitable for both:
  ○ Machines (XML, ARF)
  ○ Humans (HTML)
● Provides all content necessary for automated assessment of systems
● Community project
● Open source - public domain
Missing some?
Contribute!!!
Meet security policies
● Bad news
● Good news
Meet security policies (in the clouds)
Meet security policies (on localhost)
Meet security policies (during OS install)
...
%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = pci-dss
%end
...
Firefox policy preview
Policy Example #1
Disable SSL Version 2.0 in Firefox
Disable SSL Version 3.0 in Firefox
Enable TLS Usage in Firefox
..
Firefox policy preview
Policy Example #2
Enable Certificate Validation
..
Firefox policy preview
Policy Example #3
Enable Firefox Pop-up Blocker
..
How were these policies created?
Why customize a policy?
● To strengthen (or weaken) the existing policy!
● To create your own!
Customizing policies
Customizing policies #2
Customizing policies - Further information
Is there something left for the future?
SURE THING!!!
We want policies and tools to be integrated with even more technologies: Docker, OpenShift, OpenStack, RHEV, …
Interested? Let’s talk!
Scanning without GUI tools
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml
oscap-docker, oscap-vm
● command-line tools
● scan containers and container images
● scan virtual machines
● no need to install any tools inside the containers / VMs
Continuous scans
● Scanning a single machine, VM or container is just a learning step
● So far we have only seen one-off solicited scans
● Doing manual scans of a few machines is workable but doesn’t scale
● Continuous compliance to the rescue
“Scan every Sunday around midnight”
OpenSCAP-daemon
● a service!
● provides a dbus interface
● oscapd-cli
● “task” is a central concept of the daemon
● tasks usually evaluate some resource
  ○ local machine
  ○ container, container image
  ○ VM
  ○ remote machine
● tasks can be evaluated on demand
● tasks can be planned and repeated
Creating Tasks
● interactive interfaces
● no need to remember any IDs!
Task Overview
Querying results
● oscapd-cli result 1
  ○ overview of all results for task 1
● oscapd-cli result 1 1 arf
  ○ get ARF of result 1 of task 1
● oscapd-cli result 1 1 report
  ○ get HTML report of result 1 of task 1
● oscapd-cli result 1 1 {stdout,stderr,exit_code}
  ○ get other outputs from the oscap tool
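Repeated scans become useful once successive results are compared. The following added Python example (not part of the original slides or of OpenSCAP-daemon) diffs two XCCDF result documents, such as the ARF fetched with `oscapd-cli result 1 1 arf` or a file written by `oscap xccdf eval --results`, and reports rules that regressed or silently stopped being evaluated. The rule ids and both sample scans are constructed.

```python
"""Added example: diff two scan results to spot compliance regressions."""
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
NOT_PASSING = {"fail", "error", "unknown"}
EVALUATED = {"pass", "fail", "fixed"}


def rule_results(xml_text):
    """Map rule id -> (result, severity) from XCCDF results or an ARF wrapping them."""
    root = ET.fromstring(xml_text)
    # iter() walks every descendant, so the TestResult is found whether it sits
    # directly in a Benchmark or is embedded deeper inside an ARF report.
    test_results = list(root.iter(XCCDF + "TestResult"))
    if not test_results:
        raise ValueError("no XCCDF TestResult found")
    latest = test_results[-1]  # if several are present, use the last one
    return {rr.get("idref"): (rr.findtext(XCCDF + "result"),
                              rr.get("severity", "unknown"))
            for rr in latest.iter(XCCDF + "rule-result")}


def compare(previous_xml, current_xml):
    """Report rules that got worse, and rules that are no longer evaluated."""
    prev, curr = rule_results(previous_xml), rule_results(current_xml)
    regressed, dropped = [], []
    for rule, (old, _) in sorted(prev.items()):
        new, severity = curr.get(rule, ("notselected", "unknown"))
        if old in ("pass", "fixed") and new in NOT_PASSING:
            regressed.append((rule, severity, new))
        elif old in EVALUATED and new in ("notselected", "notchecked"):
            # A tailored (weakened) policy can hide a problem by deselecting it.
            dropped.append(rule)
    return {"regressed": regressed, "dropped": dropped}


def sample_scan(results):
    """Build a constructed XCCDF result document from {rule id: result}."""
    rows = "".join(
        f'<rule-result idref="{rule}" severity="medium">'
        f'<result>{value}</result></rule-result>'
        for rule, value in results.items())
    return ('<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">'
            '<TestResult id="xccdf_org.example_testresult_scan">'
            + rows + '</TestResult></Benchmark>')


P = "xccdf_org.example_rule_"  # constructed rule ids, not SCAP Security Guide ids
LAST_WEEK = sample_scan({P + "no_root_ssh": "pass", P + "tmp_partition": "fail",
                         P + "no_telnet": "pass", P + "password_policy": "pass"})
THIS_WEEK = sample_scan({P + "no_root_ssh": "fail", P + "tmp_partition": "pass",
                         P + "no_telnet": "notselected",
                         P + "password_policy": "pass"})

if __name__ == "__main__":
    report = compare(LAST_WEEK, THIS_WEEK)
    for rule, severity, result in report["regressed"]:
        print(f"REGRESSED [{severity}] {rule}: pass -> {result}")
    for rule in report["dropped"]:
        print(f"NO LONGER EVALUATED {rule}")
```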
Foreman
● OpenSCAP-daemon is a very new project
● OpenSCAP-daemon is for smaller deployments
● Foreman is older and more production ready
● Foreman is more suitable for large deployments
Thanks for your attention!
● Questions?
● https://www.open-scap.org/
● https://github.com/OpenSCAP
● twitter: @OpenSCAP