OpenSCAP and related contents for
openSUSE
Kazuki Omo( 面 和毅 ): ka-omo@sios.com
SIOS Technology, Inc.
2
Who am I ?
- Security Researcher/Engineer (16 years)
- SELinux/MAC Evangelist (11 years)
- Antivirus Engineer (3 years)
- SIEM Engineer (3 years)
- Linux Engineer (16 years)
3
Agenda
- What is SCAP?
- Enumerations
- Language/Contents
- OpenSCAP
- OpenSUSE contents
- Customize RHEL’s XCCDF file
- Conclusion
What is SCAP?
5
SCAP
(Security Content Automation Protocol)
Objective: automation of
- Vulnerability management
- Vulnerability measurement
- Policy compliance evaluation
6
SCAP Components
SCAP is made up of:
- Common Vulnerabilities and Exposures (CVE)
- Common Configuration Enumeration (CCE)
- Common Platform Enumeration (CPE)
- Common Weakness Enumeration (CWE)
- Common Vulnerability Scoring System (CVSS)
- Extensible Configuration Checklist Description Format (XCCDF) (Lang)
- Open Vulnerability and Assessment Language (OVAL) (Lang)
- and so on…
Enumerations
Enumerations
8
CVE:
Common Vulnerabilities and Exposures
9
CVE:
Common Vulnerabilities and Exposures
CVE ID | CPE | Summary
CVE-2016-6662 | cpe:/a:mariadb:mariadb:10.1.15 | Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration.
CVE-2016-6662 | cpe:/a:mariadb:mariadb:10.1.16 | (as above)
CVE-2016-2107 | cpe:/o:redhat:enterprise_linux_server:7.0 | Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
CVE-2016-2107 | cpe:/o:novell:leap:42.1 | (as above)
CVE-2016-2107 | cpe:/o:novell:opensuse:13.2 | (as above)
CVE-2016-4979 | cpe:/a:apache:http_server:2.4.20 | PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
10
CPE:
Common Platform Enumeration
CPE name | title | href
cpe:/o:novell:leap:42.0 | Novell Leap 42.0 | https://en.opensuse.org/openSUSE:Leap
cpe:/o:novell:leap:42.1 | Novell Leap 42.1 | https://en.opensuse.org/openSUSE:Leap
cpe:/o:redhat:enterprise_linux:7.0 | Red Hat Enterprise Linux 7.0 | http://www.redhat.com/resourcelibrary/datasheets/rhel-7-whats-new
cpe:/o:redhat:enterprise_linux:7.1 | Red Hat Enterprise Linux 7.1 | http://www.redhat.com/en/resources/whats-new-red-hat-enterprise-linux-71
11
CPE:
Common Platform Enumeration
linux-vs1z:~ # cat /etc/os-release
NAME="openSUSE Leap"
VERSION="42.1"
VERSION_ID="42.1"
PRETTY_NAME="openSUSE Leap 42.1 (x86_64)"
ID=opensuse
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:opensuse:42.1"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://opensuse.org/"
ID_LIKE="suse"
12
CCE:
Common Configuration Enumeration
CCE ID | Description
CCE-5317-3 | Core dump size limits should be set appropriately
CCE-5384-3 | The read-only SNMP community string should be set appropriately.
CCE-5664-8 | The minimum password age should be set as appropriate
CCE-5804-0 | The minimum required password length should be set as appropriate
CCE-4858-7 | Password history should be saved for an appropriate number of password changes
CCE-5775-2 | The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate
13
CWE:
Common Weakness Enumeration
CVE ID | CWE ID
CVE-2016-6662 | CWE-264
CVE-2016-2107 | CWE-310
CVE-2016-4979 | CWE-284
14
CVSS:
Common Vulnerability Scoring System
Language/Contents
16
OVAL: Open Vulnerability and
Assessment Language
OVAL:
- Checks for vulnerabilities / configuration issues (XML)
- Used for patch management
- Composed of
  - a collection of CVEs
  - a list of standardized names for vulnerabilities
17
OVAL: Open Vulnerability and
Assessment Language
<title>CVE-2012-2150</title>
<affected family="unix">
<platform>openSUSE Leap 42.1</platform>
</affected>
<reference ref_id="CVE-2012-2150" ref_url=
"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150" source="CVE"/>
</metadata>
<criteria operator="AND">
<criterion test_ref="oval:org.opensuse.security:tst:2009117743"
comment="openSUSE Leap 42.1 is installed"/>
<criteria operator="OR">
<criterion test_ref="oval:org.opensuse.security:tst:2009120999"
comment="xfsprogs-3.2.1-5.1 is installed"/>
18
OVAL: Open Vulnerability and
Assessment Language
<definition class="compliance" id="oval:ssg-file_permissions_httpd_server_conf_files:def:1" version="2">
<metadata>
<title>Verify Permissions On Apache Web Server Configuration Files
</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The /etc/httpd/conf/* files should have the appropriate
permissions (0640 or stronger).</description>
19
OVAL: Open Vulnerability and
Assessment Language
20
OVAL: Open Vulnerability and
Assessment Language
21
XCCDF: The eXtensible Configuration
Checklist Description Format
XCCDF:
- For writing security checklists, benchmarks, etc. (XML)
- Automated compliance testing and compliance scoring (PCI DSS, etc.)
- A collection of security configuration rules for some set of target systems (e.g. a Docker-enabled host)
22
XCCDF: The eXtensible Configuration
Checklist Description Format
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
id="RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1">
<status date="2016-09-20">draft</status>
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang=
"en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title>
<Profile id="pci-dss">
<description xmlns:xhtml="http://www.w3.org/1999/xhtml"
xml:lang="en-US">This is a *draft* profile for PCI-DSS v3</description>
<select idref="service_auditd_enabled" selected="true"/>
<select idref="bootloader_audit_argument" selected="true"/>
<select idref="auditd_data_retention_num_logs" selected="true"/>
<select idref="audit_rules_dac_modification_chmod" selected="true"/>
...
23
XCCDF: The eXtensible Configuration
Checklist Description Format
<Profile id="docker-host">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang=
"en-US">Standard Docker Host Security Profile</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang=
"en-US">This profile contains rules to ensure standard security baseline of
Red Hat Enterprise Linux 7 system running the docker daemon.
</description>
<select idref="service_docker_enabled" selected="true"/>
<select idref="enable_selinux_bootloader" selected="true"/>
<select idref="selinux_state" selected="true"/>
<select idref="selinux_policytype" selected="true"/>
<select idref="docker_selinux_enabled" selected="true"/>
<select idref="docker_storage_configured" selected="true"/>
<select idref="remediation_functions" selected="false"/>
24
XCCDF: The eXtensible Configuration
Checklist Description Format
25
XCCDF: The eXtensible Configuration
Checklist Description Format
OpenSCAP
27
OpenSCAP
OpenSCAP:
- Provides multiple tools for Administrators/Auditors
Tools:
- OpenSCAP Base (oscap)
- SCAP Workbench (GUI tool)
- OpenSCAP Daemon
- SCAPTimony
- OSCAP Anaconda Add-on
OpenSUSE contents
29
OVAL: Open Vulnerability and
Assessment Language
Available on ftp.suse.com/pub
30
OVAL: Open Vulnerability and
Assessment Language
31
OVAL: Open Vulnerability and
Assessment Language
32
XCCDF: The eXtensible Configuration
Checklist Description Format
No XCCDF file for openSUSE…
So:
We can
- check vulnerabilities for openSUSE
We can’t
- check configuration standards (e.g. PCI DSS) :-(
33
XCCDF: The eXtensible Configuration
Checklist Description Format
There are 2 options:
1. Customize the old SLES XCCDF file (“SLES v11 for System z”)
2. Customize the “RHEL_STIG” XML file.
Which is better?
34
1. Customize the old “SLES v11 for System z” STIG
(http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_2016_07.zip)
- Profiles are organised by MAC (Mandatory Access Control) level: Public/Sensitive/Classified
→ aimed at DoD/Federal Government systems.
- No Benchmark XML file (DPMS_XCCDF_Benchmark_SuSe zLinux.xml)
→ SuSE provides the XML file, but it is not open.
Hard to develop.
But we will need it in the future.
35
2. Customize RHEL’s “RHEL_STIG” XML file
- Use the latest RHEL7 STIG
- Includes PCI DSS v3.0, etc.
https://github.com/OpenSCAP/openscap
Easier to develop.
Let's take a look at this one for now. ;-)
Customize RHEL’s XCCDF file
37
Customize RedHat’s XCCDF file
Customize the Red Hat XCCDF file:
1. Change the platform ID
   before: <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
   after:  <platform idref="cpe:/o:opensuse:opensuse"/>
2. Change (and copy) the related check-content XML files
   before: <check-content-ref href="ssg-rhel7-ocil.xml"
   after:  <check-content-ref href="ssg-opensuse-ocil.xml"
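The two edits above, scripted: an added example (not from the slides or the OpenSCAP/SSG project) that rewrites the <platform> idref and the check-content-ref hrefs of a constructed miniature benchmark, and shows why the version-less idref "cpe:/o:opensuse:opensuse" still matches the host's CPE_NAME from /etc/os-release. The benchmark text, the old_stem/new_stem naming and the helper names are all assumptions for this example.

```python
"""Retarget a RHEL7-style XCCDF benchmark at openSUSE (constructed example).

Mirrors the slide's two edits: swap the <platform idref> and point every
<check-content-ref href> at openSUSE OVAL/OCIL files. The benchmark below is a
constructed miniature, not the real SSG content.
"""
import re
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"   # namespace used on the slide
ET.register_namespace("", XCCDF_NS)                  # keep the default xmlns on output

# Constructed /etc/os-release excerpt, modelled on the slide's openSUSE Leap 42.1 host.
OS_RELEASE = '''NAME="openSUSE Leap"
VERSION="42.1"
ID=opensuse
CPE_NAME="cpe:/o:opensuse:opensuse:42.1"
'''

# Constructed miniature of an SSG RHEL7 benchmark (real files are far larger).
RHEL7_XCCDF = f'''<Benchmark xmlns="{XCCDF_NS}" id="RHEL-7" resolved="1" style="SCAP_1.1">
  <status date="2016-09-20">draft</status>
  <title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title>
  <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
  <Profile id="pci-dss">
    <title>PCI-DSS v3 Control Baseline</title>
    <select idref="service_auditd_enabled" selected="true"/>
  </Profile>
  <Rule id="service_auditd_enabled" selected="false" severity="medium">
    <title>Enable auditd Service</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="ssg-rhel7-oval.xml" name="oval:ssg-service_auditd_enabled:def:1"/>
    </check>
    <check system="http://scap.nist.gov/schema/ocil/2">
      <check-content-ref href="ssg-rhel7-ocil.xml" name="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"/>
    </check>
  </Rule>
</Benchmark>
'''


def os_release_cpe(text):
    """Return the CPE_NAME value from os-release text, quotes stripped."""
    m = re.search(r'^CPE_NAME="?([^"\n]+?)"?\s*$', text, re.M)
    if not m:
        raise ValueError("CPE_NAME not found in os-release")
    return m.group(1)


def cpe_matches(pattern, name):
    """CPE 2.2 prefix match: each component present in `pattern` must equal the
    corresponding component of `name`; components absent from `pattern` match
    anything. That is why the slide drops the version from the idref."""
    p, n = pattern.split(":"), name.split(":")
    return len(p) <= len(n) and all(a == b for a, b in zip(p, n))


def retarget_benchmark(xccdf_text, platform_cpe, old_stem="rhel7", new_stem="opensuse"):
    """Rewrite platform idrefs and ssg-<old_stem>-* hrefs; return (xml, n_platforms, n_refs).
    old_stem/new_stem are assumptions for this example, not an SSG convention."""
    root = ET.fromstring(xccdf_text)
    n_platforms = 0
    for plat in root.iter(f"{{{XCCDF_NS}}}platform"):
        plat.set("idref", platform_cpe)
        n_platforms += 1
    n_refs = 0
    for ref in root.iter(f"{{{XCCDF_NS}}}check-content-ref"):
        href = ref.get("href", "")
        if f"ssg-{old_stem}-" in href:
            ref.set("href", href.replace(f"ssg-{old_stem}-", f"ssg-{new_stem}-"))
            n_refs += 1
    return ET.tostring(root, encoding="unicode"), n_platforms, n_refs


def referenced_content_files(xccdf_text):
    """Every href the benchmark points at; each must exist next to the XCCDF
    (copied or customized), otherwise oscap cannot evaluate those rules."""
    root = ET.fromstring(xccdf_text)
    return {ref.get("href") for ref in root.iter(f"{{{XCCDF_NS}}}check-content-ref")
            if ref.get("href")}


def main():
    host_cpe = os_release_cpe(OS_RELEASE)
    target = "cpe:/o:opensuse:opensuse"       # version-less idref, as on the slide
    out, n_plat, n_ref = retarget_benchmark(RHEL7_XCCDF, target)
    print(f"host CPE {host_cpe}; idref {target} matches: {cpe_matches(target, host_cpe)}")
    print(f"rewrote {n_plat} platform idref(s) and {n_ref} check-content-ref href(s)")
    print("content files that must exist:", sorted(referenced_content_files(out)))


if __name__ == "__main__":
    main()
```

Rules whose platform does not match the scanned host are reported as notapplicable rather than pass/fail, so a wrong idref silently empties the report.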
38
Scan Customized RedHat’s XCCDF file
Syntax:
oscap xccdf eval --profile "<profile id>" --report "<report file>" "<input XCCDF XML file>"
Example:
oscap xccdf eval --profile "pci-dss" --report /tmp/opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml
Profile: a <Profile id> from the XCCDF file, e.g.
<Profile id="standard">
<Profile id="pci-dss">
<Profile id="rht-ccp">
<Profile id="docker-host">
… etc.
39
Scan by “oscap”
# oscap xccdf eval --profile "pci-dss" --report ./opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml
Title Ensure auditd Collects Information on Kernel Module Loading
and Unloading
Rule audit_rules_kernel_module_loading
Ident CCE-27129-6
Result fail
Title Make the auditd Configuration Immutable
Rule audit_rules_immutable
Ident CCE-27097-5
Result fail
Title Set SSH Idle Timeout Interval
Rule sshd_set_idle_timeout
Ident CCE-27433-2
Result pass
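A small summarizer for the text output shown above, added here as an example (not part of the slides or of OpenSCAP): it parses the Title/Rule/Ident/Result blocks, lists the failing CCEs and computes a plain pass ratio. The sample output is constructed from the three rules on the slide; the pass ratio is this example's own metric, not the XCCDF scoring model oscap uses.

```python
"""Turn `oscap xccdf eval` text output into per-rule records (constructed example)."""
from collections import Counter

# Constructed sample based on the slide's pci-dss scan; the first Title is wrapped
# over two lines exactly as it appears on the slide.
SAMPLE_OUTPUT = """\
Title   Ensure auditd Collects Information on Kernel Module Loading
        and Unloading
Rule    audit_rules_kernel_module_loading
Ident   CCE-27129-6
Result  fail

Title   Make the auditd Configuration Immutable
Rule    audit_rules_immutable
Ident   CCE-27097-5
Result  fail

Title   Set SSH Idle Timeout Interval
Rule    sshd_set_idle_timeout
Ident   CCE-27433-2
Result  pass
"""

FIELDS = ("Title", "Rule", "Ident", "Result")


def parse_oscap_output(text):
    """Return one dict per rule block; a block is complete at its Result line.
    Lines that do not start with a known field are treated as wrapped
    continuations of the previous field."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split(None, 1)
        key = parts[0]
        if key in FIELDS:
            current[key] = parts[1].strip() if len(parts) > 1 else ""
            last_key = key
            if key == "Result":
                records.append(current)
                current, last_key = {}, None
        elif last_key is not None:
            current[last_key] = (current[last_key] + " " + raw.strip()).strip()
    return records


def result_counts(records):
    """Counter of Result values, e.g. {'fail': 2, 'pass': 1}."""
    return Counter(r.get("Result", "") for r in records)


def failing_rules(records):
    """(Ident, Rule) pairs with Result fail, in scan order, for follow-up."""
    return [(r.get("Ident", ""), r.get("Rule", "")) for r in records
            if r.get("Result") == "fail"]


def pass_ratio_percent(records):
    """pass / (pass + fail) as a percentage; notapplicable, notchecked and
    other results are excluded from the denominator. Returns 0.0 if nothing
    was actually checked."""
    counts = result_counts(records)
    checked = counts["pass"] + counts["fail"]
    return round(100.0 * counts["pass"] / checked, 1) if checked else 0.0


if __name__ == "__main__":
    recs = parse_oscap_output(SAMPLE_OUTPUT)
    print(dict(result_counts(recs)), f"pass ratio {pass_ratio_percent(recs)}%")
    for ident, rule in failing_rules(recs):
        print("FAIL", ident, rule)
```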
40
“oscap” result html
41
“oscap” result html (cont'd)
42
Scap-workbench
43
Customize Rule
(with scap-workbench)
Some rules can be modified in scap-workbench and some cannot
→ not good enough for adapting the content to openSUSE
44
Customize Rule
(xml file)
OVAL:
<definition class="compliance" id="oval:ssg-service_autofs_disabled:def:1" version="1">
<metadata>
<title>Service autofs Disabled</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The autofs service should be disabled if possible.</description>
<reference source="JL" ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors"/>
<reference ref_id="service_autofs_disabled" source="ssg"/></metadata>
<criteria comment="package autofs removed or service autofs is not configured to start"
operator="OR">
<extend_definition comment="autofs removed" definition_ref="oval:ssg-package_autofs_removed:def:1"/>
<criteria operator="OR" comment="service autofs is not configured to start">
<criterion comment="autofs not wanted by multi-user.target" test_ref="oval:ssg-test_autofs_not_wanted_by_multi_user_target:tst:1"/>
45
OVAL Language Dictionary
46
Customize Rule
(xml file)
OCIL:
<questionnaire id="ocil:ssg-disable_users_coredumps_ocil:questionnaire:1">
<title>Disable Core Dumps for All Users</title>
<actions>
<test_action_ref>ocil:ssg-disable_users_coredumps_action:testaction:1</test_action_ref>
</actions>
</questionnaire>
<questionnaire id="ocil:ssg-sysctl_fs_suid_dumpable_ocil:questionnaire:1">
<title>Disable Core Dumps for SUID programs</title>
<actions>
<test_action_ref>ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1</test_action_ref>
</actions>
</questionnaire>
47
OCIL Language Dictionary
48
Remaining tasks
- Not only PCI DSS, but other profiles too:
- Check the details of what was modified.
- Bring those XCCDF files into the openscap-ssg standard style.
- Follow the SUSE 11 standard as well.
Conclusion
50
Conclusion
- The SCAP OVAL file for openSUSE is released by SUSE.
- The SCAP XCCDF file for openSUSE needs to cover PCI DSS, etc.
- Still customizing the contents for publishing. :-)
51
Any Questions?
52
Thank You!!!
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 

SCAP for openSUSE

  • 1. OpenSCAP and related contents for openSUSE
    Kazuki Omo( 面 和毅 ): ka-omo@sios.com
    SIOS Technology, Inc.
  • 2. Who am I ?
    - Security Researcher/Engineer (16 years)
    - SELinux/MAC Evangelist (11 years)
    - Antivirus Engineer (3 years)
    - SIEM Engineer (3 years)
    - Linux Engineer (16 years)
  • 3. Agenda
    - What is SCAP?
    - Enumerations
    - Language/Contents
    - OpenSCAP
    - OpenSUSE contents
    - Customize RHEL’s XCCDF file
    - Conclusion
  • 5. SCAP (Security Content Automation Protocol)
    Object: Automated for
    - Vulnerability management
    - Vulnerability measurement
    - Policy compliance evaluation
  • 6. SCAP Components..
    Enumerations:
    - Common Vulnerabilities and Exposures (CVE)
    - Common Configuration Enumeration (CCE)
    - Common Platform Enumeration (CPE)
    - Common Weakness Enumeration (CWE)
    - Common Vulnerability Scoring System (CVSS)
    Languages:
    - Extensible Configuration Checklist Description Format (XCCDF)
    - Open Vulnerability and Assessment Language (OVAL)
    and so on….
  • 9. CVE: Common Vulnerabilities and Exposures
    (table: CVE ID / CPE / Summary)
    CVE-2016-6662
      CPE: cpe:/a:mariadb:mariadb:10.1.15, cpe:/a:mariadb:mariadb:10.1.16
      Summary: Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration.
    CVE-2016-2107
      CPE: cpe:/o:redhat:enterprise_linux_server:7.0, cpe:/o:novell:leap:42.1, cpe:/o:novell:opensuse:13.2
      Summary: Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
    CVE-2016-4979
      CPE: cpe:/a:apache:http_server:2.4.20
      Summary: PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
  • 10. CPE: Common Platform Enumeration
    CPE name                           | title                        | href
    cpe:/o:novell:leap:42.0            | Novell Leap 42.0             | https://en.opensuse.org/openSUSE:Leap
    cpe:/o:novell:leap:42.1            | Novell Leap 42.1             | https://en.opensuse.org/openSUSE:Leap
    cpe:/o:redhat:enterprise_linux:7.0 | Red Hat Enterprise Linux 7.0 | http://www.redhat.com/resourcelibrary/datasheets/rhel-7-whats-new
    cpe:/o:redhat:enterprise_linux:7.1 | Red Hat Enterprise Linux 7.1 | http://www.redhat.com/en/resources/whats-new-red-hat-enterprise-linux-71
  • 11. CPE: Common Platform Enumeration
    linux-vs1z:~ # cat /etc/os-release
    NAME="openSUSE Leap"
    VERSION="42.1"
    VERSION_ID="42.1"
    PRETTY_NAME="openSUSE Leap 42.1 (x86_64)"
    ID=opensuse
    ANSI_COLOR="0;32"
    CPE_NAME="cpe:/o:opensuse:opensuse:42.1"
    BUG_REPORT_URL="https://bugs.opensuse.org"
    HOME_URL="https://opensuse.org/"
    ID_LIKE="suse"
  • 12. CCE: Common Configuration Enumeration
    CCE ID     | Description
    CCE-5317-3 | Core dump size limits should be set appropriately
    CCE-5384-3 | The read-only SNMP community string should be set appropriately.
    CCE-5664-8 | The minimum password age should be set as appropriate
    CCE-5804-0 | The minimum required password length should be set as appropriate
    CCE-4858-7 | Password history should be saved for an appropriate number of password changes
    CCE-5775-2 | The number of consecutive failed login attempts required to trigger a lockout should be set as appropriate
  • 13. CWE: Common Weakness Enumeration
    CVE ID        | CWE-ID
    CVE-2016-6662 | CWE-264
    CVE-2016-2107 | CWE-310
    CVE-2016-4979 | CWE-284
  • 16. OVAL: Open Vulnerability and Assessment Language
    OVAL:
    - Checks vulnerabilities / configuration issues (XML)
    - Used for patch management
    - Composed of
      - a collection of CVEs
      - a list of standardized names for vulnerabilities
  • 17. OVAL: Open Vulnerability and Assessment Language
    (fragment of an openSUSE OVAL definition)
        <title>CVE-2012-2150</title>
        <affected family="unix">
          <platform>openSUSE Leap 42.1</platform>
        </affected>
        <reference ref_id="CVE-2012-2150" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150" source="CVE"/>
      </metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:org.opensuse.security:tst:2009117743" comment="openSUSE Leap 42.1 is installed"/>
        <criteria operator="OR">
          <criterion test_ref="oval:org.opensuse.security:tst:2009120999" comment="xfsprogs-3.2.1-5.1 is installed"/>
  • 18. OVAL: Open Vulnerability and Assessment Language
    (fragment of a compliance-class OVAL definition from the RHEL content)
    <definition class="compliance" id="oval:ssg-file_permissions_httpd_server_conf_files:def:1" version="2">
      <metadata>
        <title>Verify Permissions On Apache Web Server Configuration Files</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 7</platform>
          <platform>Red Hat Enterprise Linux 6</platform>
        </affected>
        <description>The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).</description>
  • 19. OVAL: Open Vulnerability and Assessment Language
  • 20. OVAL: Open Vulnerability and Assessment Language
  • 21. XCCDF: The eXtensible Configuration Checklist Description Format
    XCCDF:
    - Writing security checklists, benchmarks, etc. (XML)
    - Automated compliance testing, compliance scoring (PCI DSS, etc.)
    - Collection of security configuration rules for some set of target systems (e.g. Docker-enabled host)
  • 22. XCCDF: The eXtensible Configuration Checklist Description Format
    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.1">
      <status date="2016-09-20">draft</status>
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title>
      <Profile id="pci-dss">
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This is a *draft* profile for PCI-DSS v3</description>
        <select idref="service_auditd_enabled" selected="true"/>
        <select idref="bootloader_audit_argument" selected="true"/>
        <select idref="auditd_data_retention_num_logs" selected="true"/>
        <select idref="audit_rules_dac_modification_chmod" selected="true"/>
        ...
  • 23. XCCDF: The eXtensible Configuration Checklist Description Format
    <Profile id="docker-host">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Standard Docker Host Security Profile</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile contains rules to ensure standard security baseline of Red Hat Enterprise Linux 7 system running the docker daemon.</description>
      <select idref="service_docker_enabled" selected="true"/>
      <select idref="enable_selinux_bootloader" selected="true"/>
      <select idref="selinux_state" selected="true"/>
      <select idref="selinux_policytype" selected="true"/>
      <select idref="docker_selinux_enabled" selected="true"/>
      <select idref="docker_storage_configured" selected="true"/>
      <select idref="remediation_functions" selected="false"/>
  • 24. XCCDF: The eXtensible Configuration Checklist Description Format
  • 25. XCCDF: The eXtensible Configuration Checklist Description Format
  • 27. OpenSCAP
    OpenSCAP:
    - Provides multiple tools for administrators/auditors
    Tools:
    - OpenSCAP Base (oscap)
    - SCAP Workbench (GUI tool)
    - OpenSCAP Daemon
    - SCAPTimony
    - OSCAP Anaconda Add-on
  • 29. OVAL: Open Vulnerability and Assessment Language
    Available on ftp.suse.com/pub
  • 30. OVAL: Open Vulnerability and Assessment Language
  • 31. OVAL: Open Vulnerability and Assessment Language
  • 32. XCCDF: The eXtensible Configuration Checklist Description Format
    No XCCDF file…. Then:
    We can
    - check vulnerabilities for openSUSE (OVAL)
    We can’t
    - check a configuration standard (ex. PCI DSS) :-(
  • 33. XCCDF: The eXtensible Configuration Checklist Description Format
    There are 2 options;
    1. Customize the old SLES XCCDF file (“SLES v11 for System z”)
    2. Customize the “RHEL_STIG” XML file.
    Which is better?
  • 34. 1. Customize “SLES v11 for System z”
    1. Customize the old “SLES v11 for System z” (http://iasecontent.disa.mil/stigs/zip/Compilations/U_SRG-STIG_Library_2016_07.zip)
    - Profile for MAC (Mandatory Access Control) Level + Public/Sensitive/Classified. → DoD/Federal Government systems.
    - No Benchmark XML file (DPMS_XCCDF_Benchmark_SuSe zLinux.xml) → SuSE is providing the XML file (not open).
    Hard to develop. But we need it in future.
  • 35. 2. Customize “RHEL_STIG” XML file.
    2. Customize RHEL’s “RHEL_STIG” XML file.
    - use the latest RHEL7 STIG
    - Including PCI DSS v3.0, etc.
    https://github.com/OpenSCAP/openscap
    Easier to develop. Take a look for now. ;-)
  • 37. Customize RedHat’s XCCDF file
    Customize RedHat XCCDF file;
    Change Platform ID
      before: <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
      after:  <platform idref="cpe:/o:opensuse:opensuse"/>
    Change/Copy related XML file
      before: <check-content-ref href="ssg-rhel7-ocil.xml"
      after:  <check-content-ref href="ssg-opensuse-ocil.xml"
  • 38. Scan Customized RedHat’s XCCDF file
    oscap xccdf eval --profile "Profile" --report “Report” “input xccdf XML file”
    ex.)
    oscap xccdf eval --profile "pci-dss" --report /tmp/opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml
    Profile: <Profile id> in the xccdf.xml file;
      <Profile id="standard">
      <Profile id="pci-dss">
      <Profile id="rht-ccp">
      <Profile id="docker-host">
      … etc.
  • 39. Scan by “oscap”
    # oscap xccdf eval --profile "pci-dss" --report ./opensuse42.1-ssg-results.html ./ssg-opensuse-xccdf.xml
    Title   Ensure auditd Collects Information on Kernel Module Loading and Unloading
    Rule    audit_rules_kernel_module_loading
    Ident   CCE-27129-6
    Result  fail

    Title   Make the auditd Configuration Immutable
    Rule    audit_rules_immutable
    Ident   CCE-27097-5
    Result  fail

    Title   Set SSH Idle Timeout Interval
    Rule    sshd_set_idle_timeout
    Ident   CCE-27433-2
    Result  pass
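The retargeting of slides 37 and 38 as an added example (not code from the talk or from the OpenSCAP/SSG projects): it reads CPE_NAME from a constructed /etc/os-release, rewrites the RHEL platform idrefs and the ssg-rhel7-* check-content-ref hrefs in a constructed, trimmed benchmark, and returns the XML you would save as ssg-opensuse-xccdf.xml before running oscap. The benchmark snippet and its rule and check names are assumptions, not real SSG content.

```python
import re
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"

# Constructed sample of /etc/os-release in the shape shown on slide 11.
OS_RELEASE = '''NAME="openSUSE Leap"
VERSION="42.1"
ID=opensuse
CPE_NAME="cpe:/o:opensuse:opensuse:42.1"
'''

# Constructed, heavily trimmed benchmark in the shape of ssg-rhel7-xccdf.xml
# (rule and check names are made up for this example).
RHEL_XCCDF = f'''<Benchmark xmlns="{XCCDF_NS}" id="RHEL-7" resolved="1">
  <platform idref="cpe:/o:redhat:enterprise_linux:7"/>
  <Profile id="pci-dss"><select idref="service_auditd_enabled" selected="true"/></Profile>
  <Rule id="service_auditd_enabled">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="ssg-rhel7-oval.xml" name="oval:ssg-service_auditd_enabled:def:1"/>
    </check>
    <check system="http://scap.nist.gov/schema/ocil/2">
      <check-content-ref href="ssg-rhel7-ocil.xml" name="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"/>
    </check>
  </Rule>
</Benchmark>'''


def cpe_from_os_release(text):
    """Return the CPE_NAME value from os-release text (quoted or bare)."""
    m = re.search(r'^CPE_NAME="?([^"\n]+?)"?$', text, re.MULTILINE)
    if m is None:
        raise ValueError("CPE_NAME not found in os-release")
    return m.group(1)


def retarget(xccdf_text, cpe, old_prefix="ssg-rhel7-", new_prefix="ssg-opensuse-"):
    """Rewrite RHEL platform idrefs and check-content hrefs; return (xml, changes)."""
    ET.register_namespace("", XCCDF_NS)          # keep the default namespace on output
    root = ET.fromstring(xccdf_text)
    # Keep only cpe:/<part>:<vendor>:<product>: slide 37 drops the version so the
    # benchmark applies to every openSUSE release, not just 42.1.
    platform_cpe = ":".join(cpe.split(":")[:4])
    changes = 0
    for plat in root.iter(f"{{{XCCDF_NS}}}platform"):
        if plat.get("idref", "").startswith("cpe:/o:redhat:"):
            plat.set("idref", platform_cpe)
            changes += 1
    for ref in root.iter(f"{{{XCCDF_NS}}}check-content-ref"):
        href = ref.get("href", "")
        if href.startswith(old_prefix):
            # The referenced OVAL/OCIL files must be copied under the new name too.
            ref.set("href", new_prefix + href[len(old_prefix):])
            changes += 1
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    xml, n = retarget(RHEL_XCCDF, cpe_from_os_release(OS_RELEASE))
    print(f"{n} references rewritten")
    print(xml)  # save as ssg-opensuse-xccdf.xml and pass it to `oscap xccdf eval`
```

Running it against a real ssg-rhel7-xccdf.xml also shows how many check references the copied OVAL and OCIL files must satisfy; any href still pointing at a missing file will make oscap report the rule as notchecked.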
  • 43. Customize Rule (with scap-workbench)
    Some rules can be modified, others cannot → not good enough for fitting to openSUSE
  • 44. Customize Rule (xml file)
    OVAL:
    <definition class="compliance" id="oval:ssg-service_autofs_disabled:def:1" version="1">
      <metadata>
        <title>Service autofs Disabled</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 7</platform>
        </affected>
        <description>The autofs service should be disabled if possible.</description>
        <reference source="JL" ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors"/>
        <reference ref_id="service_autofs_disabled" source="ssg"/>
      </metadata>
      <criteria comment="package autofs removed or service autofs is not configured to start" operator="OR">
        <extend_definition comment="autofs removed" definition_ref="oval:ssg-package_autofs_removed:def:1"/>
        <criteria operator="OR" comment="service autofs is not configured to start">
          <criterion comment="autofs not wanted by multi-user.target" test_ref="oval:ssg-test_autofs_not_wanted_by_multi_user_target:tst:1"/>
  • 46. Customize Rule (xml file)
    OCIL:
    <questionnaire id="ocil:ssg-disable_users_coredumps_ocil:questionnaire:1">
      <title>Disable Core Dumps for All Users</title>
      <actions>
        <test_action_ref>ocil:ssg-disable_users_coredumps_action:testaction:1</test_action_ref>
      </actions>
    </questionnaire>
    <questionnaire id="ocil:ssg-sysctl_fs_suid_dumpable_ocil:questionnaire:1">
      <title>Disable Core Dumps for SUID programs</title>
      <actions>
        <test_action_ref>ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1</test_action_ref>
      </actions>
    </questionnaire>
  • 48. Remaining Tasks
    - Not only PCI-DSS, but the other profiles too:
    - Check the details of what was modified.
    - Change those XCCDF files to the openscap-ssg standard style.
    - Follow the SUSE 11 standard as well.
  • 50. Conclusion
    - The SCAP OVAL file for openSUSE is released by SUSE.
    - An SCAP XCCDF file for openSUSE is still needed for PCI-DSS etc.
    - Still customizing the contents for publishing. :-)