OpenSCAP Cyber-Security Framework

Linux

Security

Published

July 7, 2023

Modified

July 13, 2023

Two approaches to recognized in computer security…

Reactive …disaster recover plans
- …eliminate threat …attack surface analysis and investigation
- …remediation of compromised systems …switch to alternate system
Proactive …preventive action to reduce risk of damage or compromise

Mitigations must be recognized prior to the attack…

…implement security guidance …systems need to be hardened
…continuously monitoring during life cycle for security compliance
…regular security audits of infrastructure deployments

What is a security framework?

Guidelines to mitigate potential cybersecurity risks…

…structured approach manage cyber threats and incidents
…holistic view of cybersecurity …emphasizing continuous improvement

Reasons why they are essential…

Risk management..
- …systematic approach to manage security risk
- …identify significant risks …implement controls for mitigation
Compliance …regulatory requirements and avoid potential fines or sanctions
Standardization
- …common language, set of standards for communication about security
- …align with industry best practices
Trust & Reputation
Incident response …guidelines for responding to and recovering from security incidents

Organizations

Organizations contributing to security frameworks…

ISO (International Organization for Standardization)
IEC (International Electrotechnical Commission)
- ISO/IEC 27000 series …standards, guidelines, best practices for security management
- ISO/IEC 27001 …ISMS (Information Security Management System)
- …assessment of security risks
- …value of assets, potential vulnerabilities, potential impact
- …maintaining confidentiality, integrity, availability of information assets
- …keep pace with emerging threats …adapt to changing landscape
NIST (National Institute of Standards and Technology), USA
BSI (Bundesamt für Sicherheit in der Informationstechnik), Germany
- Standard 200-1 (compatible to ISO 27001) defines requirements to an ISMS
- IT-Grundschutz-Kompendium

Cypersecurity Framework

CSF (Cypersecurity Framework) by NIST …five core functions…

Identify …understand and manage security risks…
- …systems, assets, data, and capabilities
- …comprehensive understanding an organizations security situation
Protect …implementation of safeguards to…
- …operate critical services and the protection of data
- …access control, awareness training, data encryption
- …secure configurations for systems and networks
Detect …identifying cybersecurity incidents
- …continuous monitoring and anomaly detection
- …timely detection of potential threats or vulnerabilities
Respond …action to mitigate the impact of a detected incident
- …incident response activities …threat hunting
- …efforts o minimize the damage caused by an incident
Recover …restoring services and capabilities after an incident
- …developing recovery plans
- …conducting system backups

SCAP

SCAP (Security Content Automation Protocol) …defined by NIST IR 800-117

…standardized approach for maintaining system security
…specifications for exchanging security automation content
…continuously updated following a release-cycle
Tools to help automate…
- …assessment of system security configuration compliance
- …automatically verify the presence of patches
- …examine systems for signs of compromises, vulnerability detection

Components

Standardization to create a SCAP-expressed checklist …processed by SCAP-validated products

Terminology…

Enumeration …dictionaries used to provide common identifiers for items
Languages …structure and organization to guide security assessment
Metrics …algorithms to rank importance to items

List of components:

Languages…
- XCCDF (Extensible Configuration Checklist Description Format ) …defines security checklists
  - …driver of automated assessments
  - …annotation for checklists …encapsulating security policy recommendations
  - …can be converted to human-readable output and/or processable by automation tools
- OVAL (Open Vulnerability and Assessment Language) …describes tests for system states
  - …required state of resources in a declarative manner
  - …ensures that the state of the assessed system is not modified
  - …cf. RHEL OVAL definitions
  - …updated within an hour of a new security advisory
  - …maps one-to-one to a Red Hat Security Advisory (RHSA)
- OCIL (Open Checklist Interactive Language) …user questionnaires
Enumerations…
- CVE (Common Vulnerabilities and Exposures) …software vulnerabilities
- CCE (Common Configuration Enumeration) …CCE list
  - …identifiers for configuration guidance statements
  - …specifies a preferred or required setting or policy for a computer system
  - …bridge between human documentation and machine-readable configuration
  - …identifier number …example “CCE-2715-1” …form CCE-number-checksum
- CPE (Common Platform Enumeration) …identities of software/hardware entities
  - …maps platforms to vulnerabilities or policy statements
  - …descriptive URI cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
  - …part is o operating system, a application, h hardware
  - …empty blocks cover all possible values
Metrics…
- CVSS (Common Vulnerability Scoring System) …rank vulnerabilities to prioritize
- CCSS (Common Configuration Scoring System) …rank security-relevant configurations

Benefits

Administrators …configure and assess systems

…update and verify configuration guidance requirements
…update and verify that systems are not vulnerable to known attacks

Incident responders …craft response to specific threats

…receive vulnerability information …track patches
…craft configuration changes/policies to deal with threats

Security Profiles

Organisationen that provide SCAP profiles…

STIG (Security Technical Implementation Guide) from DISA (Defense Information Systems Agency)
- …public domain license …configuration standard for of cybersecurity requirements
- …methodology for securing computers and networks
- …describe maintenance processes such as software updates and vulnerability patching
- references …STIG Viewer RHEL 8 …DISA STIG on RockyLinux
CIS (Center for Internet Security) Controls
- …community of cybersecurity experts
- …baseline of cybersecurity practices
- …asset management, vulnerability management, access control, incident response
PCI Security Standards Council
ANSSI (Agence nationale de la sécurité des systèmes d’information), France

OpenSCAP

OpenSCAP project …validated by NIST

…framework, libraries and tools to access SCAP
…the library provides an API to SCAP documents
…oscap …SCAP scanner …command-line tool
- …front-end to the OpenSCAP library
- …functionality grouped into sub-commands (called modules)
References…
- OpenSCAP User Manual
- RHEL 8 - Security hardening

Packages on RPM based distributions…

openscap* …OpenSCAP library and tools
- openscap-scanner …oscap CLI scanner tool
- openscap-engine-sce …extension to the SCAP protocol (not part of the standard)
  - …write security content using a scripting language, such as Bash, Python
scap-workbench …GUI utility to scan local and remote hosts
scap-security-guide
- …latest collection of security policies for Linux systems
- …installed to /usr/share/xml/scap/ssg/content

`oscap`

Prerequisites…

# ...install required OpenSCAP sanner and SCAP content
dnf install openscap-utils openscap-scanner scap-security-guide

Display information about the SCAP contents within a file…

oscap info /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml

…Rocky linux 8 content will use the tag rl8 in the filename…
Profiles …lists available profile IDs that you can use for the --profile
…security profiles from multiple organisation supported DISA, CIS, NIST, etc.

Run a scan and create an HTML report for the DISA STIG…

sudo oscap xccdf eval --report DISA-STIG-report.html --profile stig /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml

`oscap-ssh`

Check remote systems for vulnerabilities…

…uses SSH connection to copy the SCAP content
…runs an evaluation of the target system and downloads the results back
…remote machine needs to have OpenSCAP installed

# prerequisites on the admin workstation
sudo dnf install -y openscap-utils openscap-scanner

# ...download the latest RHSA OVAL definitions
cd $(mktemp -d /tmp/oscap-XXXXXX)
wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2

--- title: OpenSCAP Cyber-Security Framework categories: - Linux - Security date: 2023/07/07 date-modified: 2023/07/13 --- Two approaches to recognized in computer security... - **Reactive** ...disaster recover plans - ...eliminate threat ...attack surface analysis and investigation - ...remediation of compromised systems ...switch to alternate system - **Proactive** ...preventive action to reduce risk of damage or compromise Mitigations must be recognized prior to the attack... - ...implement security guidance ...systems need to be hardened - ...continuously monitoring during life cycle for security compliance - ...regular security audits of infrastructure deployments # What is a security framework? Guidelines to mitigate potential cybersecurity risks... - ...structured approach manage cyber threats and incidents - ...holistic view of cybersecurity ...emphasizing continuous improvement Reasons why they are essential... - Risk management.. - ...systematic approach to manage security risk - ...identify significant risks ...implement controls for mitigation - Compliance ...regulatory requirements and avoid potential fines or sanctions - Standardization - ...common language, set of standards for communication about security - ...align with industry best practices - Trust & Reputation - Incident response ...guidelines for responding to and recovering from security incidents # Organizations Organizations contributing to security frameworks... - ISO (International Organization for Standardization) - IEC (International Electrotechnical Commission) - ISO/IEC 27000 series ...standards, guidelines, best practices for security management - ISO/IEC 27001 ...**ISMS** (Information Security Management System) - ...assessment of security risks - ...value of assets, potential vulnerabilities, potential impact - ...maintaining confidentiality, integrity, availability of information assets - ...keep pace with emerging threats ...adapt to changing landscape - **NIST** (National Institute of Standards and Technology), USA - **BSI** (Bundesamt für Sicherheit in der Informationstechnik), Germany - [Standard 200-1][bsi:200-1] (compatible to ISO 27001) defines requirements to an ISMS - [IT-Grundschutz-Kompendium][bsi:gk] [nist:csf]: https://www.nist.gov/cyberframework [bsi:200-1]: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/BSI-Standards/BSI-Standard-200-1-Managementsysteme-fuer-Informationssicherheit/bsi-standard-200-1-managementsysteme-fuer-informationssicherheit_node.html [bsi:gk]: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/IT-Grundschutz-Kompendium/it-grundschutz-kompendium_node.html # Cypersecurity Framework [CSF][nist:csf] (Cypersecurity Framework) by NIST ...five core functions... - **Identify** ...understand and manage security risks... - ...systems, assets, data, and capabilities - ...comprehensive understanding an organizations security situation - **Protect** ...implementation of safeguards to... - ...operate critical services and the protection of data - ...access control, awareness training, data encryption - ...secure configurations for systems and networks - **Detect** ...identifying cybersecurity incidents - ...continuous monitoring and anomaly detection - ...timely detection of potential threats or vulnerabilities - **Respond** ...action to mitigate the impact of a detected incident - ...incident response activities ...threat hunting - ...efforts o minimize the damage caused by an incident - **Recover** ...restoring services and capabilities after an incident - ...developing recovery plans - ...conducting system backups # SCAP SCAP (Security Content Automation Protocol) ...defined by NIST IR 800-117 - ...standardized approach for maintaining system security - ...specifications for exchanging security automation content - ...continuously updated following a [release-cycle](https://csrc.nist.gov/projects/security-content-automation-protocol/release-cycle) - Tools to help automate... - ...assessment of system security **configuration compliance** - ...automatically **verify the presence of patches** - ...examine systems for signs of compromises, **vulnerability detection** ## Components Standardization to create a SCAP-expressed checklist ...processed by SCAP-validated products Terminology... * Enumeration ...dictionaries used to provide common identifiers for items * Languages ...structure and organization to guide security assessment * Metrics ...algorithms to rank importance to items List of components: - **Languages**... - XCCDF (Extensible Configuration Checklist Description Format ) ...defines security checklists - ...driver of automated assessments - ...annotation for checklists ...encapsulating security policy recommendations - ...can be converted to human-readable output and/or processable by automation tools - OVAL (Open Vulnerability and Assessment Language) ...describes tests for system states - ...required state of resources in a declarative manner - ...ensures that the state of the assessed system is not modified - ...cf. RHEL [OVAL definitions](https://www.redhat.com/security/data/oval/v2) - ...updated within an hour of a new security advisory - ...maps one-to-one to a Red Hat Security Advisory (RHSA) - OCIL (Open Checklist Interactive Language) ...user questionnaires - **Enumerations**... - CVE (Common Vulnerabilities and Exposures) ...software vulnerabilities - **CCE** (Common Configuration Enumeration) ...[CCE list](https://ncp.nist.gov/cce) - ...identifiers for configuration guidance statements - ...specifies a preferred or required setting or policy for a computer system - ...bridge between human documentation and machine-readable configuration - ...identifier number ...example "CCE-2715-1" ...form CCE-_number_-_checksum_ - CPE (Common Platform Enumeration) ...identities of software/hardware entities - ...maps platforms to vulnerabilities or policy statements - ...descriptive URI `cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}` - ...`part` is `o` operating system, `a` application, `h` hardware - ...empty blocks cover all possible values - **Metrics**... - CVSS (Common Vulnerability Scoring System) ...rank vulnerabilities to prioritize - CCSS (Common Configuration Scoring System) ...rank security-relevant configurations ## Benefits Administrators ...configure and assess systems - ...update and verify configuration guidance requirements - ...update and verify that systems are not vulnerable to known attacks Incident responders ...craft response to specific threats - ...receive vulnerability information ...track patches - ...craft configuration changes/policies to deal with threats # Security Profiles Organisationen that provide SCAP profiles... - **STIG** (Security Technical Implementation Guide) from DISA (Defense Information Systems Agency) - ...public domain license ...configuration standard for of cybersecurity requirements - ...methodology for securing computers and networks - ...describe maintenance processes such as software updates and vulnerability patching - references ...STIG Viewer [RHEL 8](https://www.stigviewer.com/stig/red_hat_enterprise_linux_8) ...[DISA STIG on RockyLinux](https://docs.rockylinux.org/books/disa_stig/disa_stig_part2) - CIS (Center for Internet Security) Controls - ...community of cybersecurity experts - ...baseline of cybersecurity practices - ...asset management, vulnerability management, access control, incident response - PCI Security Standards Council - ANSSI (Agence nationale de la sécurité des systèmes d'information), France # OpenSCAP [OpenSCAP][oscap] project ...validated by NIST [oscap]: https://static.open-scap.org/openscap-1.2/oscap_user_manual.html - ...framework, libraries and tools to access SCAP - ...the library provides an API to SCAP documents - ...`oscap` ...SCAP scanner ...command-line tool - ...front-end to the OpenSCAP library - ...functionality grouped into sub-commands (called modules) * References... - OpenSCAP [User Manual](https://static.open-scap.org/openscap-1.2/oscap_user_manual.html) - [RHEL 8 - Security hardening](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#doc-wrapper) Packages on RPM based distributions... - `openscap*` ...OpenSCAP library and tools - `openscap-scanner` ...`oscap` CLI scanner tool - `openscap-engine-sce` ...extension to the SCAP protocol (not part of the standard) - ...write security content using a scripting language, such as Bash, Python - `scap-workbench` ...GUI utility to scan local and remote hosts - `scap-security-guide` - ...latest collection of security policies for Linux systems - ...installed to `/usr/share/xml/scap/ssg/content` ## `oscap` Prerequisites... ```sh # ...install required OpenSCAP sanner and SCAP content dnf install openscap-utils openscap-scanner scap-security-guide ``` Display information about the SCAP contents within a file... ```sh oscap info /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml ``` - ...Rocky linux 8 content will use the tag `rl8` in the filename... - `Profiles` ...lists available profile IDs that you can use for the `--profile` - ...security profiles from multiple organisation supported DISA, CIS, NIST, etc. Run a scan and create an HTML report for the DISA STIG... ```sh sudo oscap xccdf eval --report DISA-STIG-report.html --profile stig /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml ``` ## `oscap-ssh` Check remote systems for vulnerabilities... - ...uses SSH connection to copy the SCAP content - ...runs an evaluation of the target system and downloads the results back - ...remote machine needs to have OpenSCAP installed ```sh # prerequisites on the admin workstation sudo dnf install -y openscap-utils openscap-scanner # ...download the latest RHSA OVAL definitions cd $(mktemp -d /tmp/oscap-XXXXXX) wget https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2 ```