
Masaryk University
Faculty of Informatics

Compliance Audit of Linux Environments

Thesis

Šimon Lukašík

Brno, May 2013

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Advisor: RNDr. Jan Kasprzak

Acknowledgement

I would hereby like to thank my advisor RNDr. Jan Kasprzak. I must also acknowledge the extraordinary efforts of my consultant from Red Hat Czech s.r.o., Jan Pazdziora Ph.D., for his professional help, support, and everyday inspiration.

Red Hat, Red Hat Enterprise Linux, JBoss, Fedora are either registered trademarks, or trademarks of Red Hat, Inc. in the United States and other countries. Linux® is the registered trademark of Linus Torvalds in the United States and other countries. OVAL, CVE are registered trademarks and OCIL, CCE, and CPE are trademarks of The MITRE Corporation. XCCDF and SCAP are trademarks of the National Institute of Standards and Technology. Oracle® and Java® are registered trademarks of Oracle and/or its affiliates. All other trademarks are the property of their respective owners.

Abstract

SCAP is a U.S. Government standard facilitating automated compliance audit. OpenSCAP is an open source scanner which allows assessment of a target system in line with the SCAP standard. Spacewalk is an open source management solution for Linux systems. The main goal is to integrate the OpenSCAP and Spacewalk projects, enabling system administrators to audit their Linux systems in a fully automated way. The coalescence of a subset of the SCAP data model into the Spacewalk database allows administrators to search and compare archived scan results in a centralized user interface.
Keywords

Security Audit, Compliance Management, Reporting, System Assessment, Remediation, System Management, Security Content Automation Protocol, Linux, OpenSCAP, Spacewalk.

Contents

1 Introduction
  1.1 Related Technologies
2 Compliance Audit
  2.1 Customization of Security Policy
  2.2 Implications of Heterogeneous Environments
  2.3 U.S. Government Program
  2.4 SCAP—Security Content Automation Protocol
    2.4.1 SCAP Adoption
    2.4.2 SCAP Components
    2.4.3 Document Formats
    2.4.4 XCCDF
      2.4.4.1 Short Description of XCCDF Elements
    2.4.5 OVAL
      2.4.5.1 OVAL Document Formats
    2.4.6 DataStreams
    2.4.7 Asset Reporting Format
    2.4.8 Forms of SCAP Security Policy
    2.4.9 SCAP Challenges
      2.4.9.1 Human and Machine Readable Format
      2.4.9.2 Limitation of Interoperability
3 OpenSCAP
  3.1 OpenSCAP Library
  3.2 OpenSCAP Tool: oscap
    3.2.1 Output of oscap xccdf eval
  3.3 SCE: Script Check Engine
    3.3.1 Example of SCE Content
  3.4 Security Guidances Related to OpenSCAP
    3.4.1 Platform Limitations of Security Guidances
    3.4.2 OpenSCAP Example Content
    3.4.3 SCAP Security Guide
    3.4.4 SCE Community Content
  3.5 OpenSCAP Competing Projects
    3.5.1 OVALDI Project
      3.5.1.1 Comparison with OpenSCAP
    3.5.2 XCCDF Interpreter
    3.5.3 jOval Project
      3.5.3.1 Comparison with OpenSCAP
    3.5.4 Modulo Open Distributed SCAP Infrastructure Collector
      3.5.4.1 Comparison with OpenSCAP
4 Spacewalk
  4.1 A Short History of the Spacewalk
  4.2 Spacewalk Deployment Model
  4.3 Spacewalk Competing Projects
  4.4 Server Architecture
    4.4.1 HTTP Server
    4.4.2 Backend Tools
  4.5 Database
    4.5.1 Differences between PostgreSQL and Oracle
  4.6 Concept of Software Channels
  4.7 Concept of Configuration Channel
  4.8 Remote Client Actions
    4.8.1 Life-cycle of RHN Action
    4.8.2 Client Tools Supporting Remote Actions
      4.8.2.1 rhn_check utility
      4.8.2.2 RNSD Daemon
      4.8.2.3 OSAD Daemon
5 Spacewalk and OpenSCAP Integration
  5.1 Requirements Analysis
    5.1.1 Summary of the Functional Requirements
    5.1.2 Constraints Arising from Technologies Used
      5.1.2.1 Status of the OpenSCAP Project
      5.1.2.2 Spacewalk Life Cycle
    5.1.3 Infrastructure Deployments: Pull versus Push Approaches
      5.1.3.1 Pull versus Push for the Purpose of Auditing
    5.1.4 Content Delivery
      5.1.4.1 Forms of Security Policy Content
      5.1.4.2 Timing of Content Delivery
    5.1.5 Support of Older OpenSCAP Libraries
    5.1.6 Audit Results Processing
  5.2 Design
    5.2.1 RHN Action to Facilitate Compliance Audit
    5.2.2 OpenSCAP library vs oscap Choice
      5.2.2.1 Limiting Interface Available to User
    5.2.3 Security Policy Distribution
    5.2.4 Audit Results Processing
      5.2.4.1 Intermediary Format for Results Reporting
      5.2.4.2 Choosing XCCDF over OVAL
      5.2.4.3 XCCDF Items For Aggregation
      5.2.4.4 Exemplary XCCDF Résumé
  5.3 Conceptual Data Model
    5.3.1 Definition of Existing Kernel Sorts
    5.3.2 Definition of New Kernel Sorts
    5.3.3 Definition of New Associative Sorts
    5.3.4 Definition of Existing HIT Attributes
    5.3.5 Definition of New HIT Attributes
    5.3.6 Entity Relationship Diagram
6 Implementation
  6.1 Client Side Changes
    6.1.1 Plugin Interface
    6.1.2 Execution of the oscap Command
      6.1.2.1 Preprocessing of Command-Line Arguments
    6.1.3 XSLT for Results Processing
  6.2 Database Schema Changes
    6.2.1 New Tables Definition
      6.2.1.1 Choosing Data Type for XCCDF Identifiers
    6.2.2 Database Constraints
    6.2.3 Indexes for Performance Purposes
    6.2.4 Reference Tables Content
    6.2.5 INSERT Anomalies
    6.2.6 Stored Procedures
    6.2.7 Schema Upgrades
  6.3 Backend Server Changes
    6.3.1 Assembling Input for Clients
    6.3.2 Storing Scan Results from Client
  6.4 Web User Interface
    6.4.1 Technologies Used
      6.4.1.1 How is Single Web Page Served
      6.4.1.2 Components of the Model
    6.4.2 Audit Scheduling
    6.4.3 Audit Reporting
      6.4.3.1 Scan Details Page
      6.4.3.2 XCCDF Diff Page
      6.4.3.3 Results Summary Pages
      6.4.3.4 Using XCCDF Diff for Simple Comparison
  6.5 API for Fully Automated Audits
  6.6 Full Text Search
    6.6.1 OpenSCAP Search Dialog
    6.6.2 Lucene Search Post-Processing
    6.6.3 Indexing with Lucene and Quartz Frameworks
  6.7 Spacewalk Reports
    6.7.1 OpenSCAP Reports
  6.8 Source Code
7 Conclusion
  7.1 Further Work
A Example of XCCDF Document

Chapter 1

Introduction

During the last 30 years, almost every organization has moved its operations into the digital world. Computer security has become increasingly important as these entities have realized the need to protect their interests. Two major approaches can be recognized in computer security: reactive and proactive.
The reactive approach is embodied in disaster recovery plans, which mainly comprise eliminating the threat, switching to alternate systems, attack surface analysis, investigation, and remediation of compromised systems. By contrast, this work relates to the proactive approach, which consists of any actions that reduce the risk of damage or compromise. To be able to mitigate the consequences of a possible attack, the assets at risk must be recognized prior to the attack. The importance of correctly determining possible attack targets is illustrated by the great number of approaches to risk analysis. The security guidance on how computers shall be set up to mitigate the risk for the organization is rendered on the basis of risk analysis. To properly implement the guidance, not only do the target computers need to be hardened, but it is essential to ensure that these computers remain compliant for their whole lifetime. That can be achieved by compliance audit, which repeatedly asserts that all the expected settings are in place.

The major focus of this work is to accommodate compliance audit in large infrastructure deployments using open source software. This shall be accomplished by integration of existing open source technologies which are already adopted by enterprises. The objective is to enable users to perform the security audit on multiple remote systems from a single, centralized environment.

1.1 Related Technologies

The first three chapters present the concepts, standards, and technologies related to this work. The major technologies used are SCAP, the compliance automation protocol; OpenSCAP, the compliance scanner; and Spacewalk, the systems management system. Figure 1.1 illustrates the relationships between them. Dotted relationships are concern