Security compliance automation with Red Hat Satellite
Matt Micene, Solution Architect, DLT Solutions (@cleverbeard, @nzwulfin)

Post on 18-Aug-2015

TRANSCRIPT

Created with http://wordle.net

Compliance is a major problem
About half of the CVEs exploited in 2014 went from publish to pwn in less than a month.
- Verizon Breach Investigations Report, 2015
We found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.
- Verizon Breach Investigations Report, 2015
Patch management and associated vulnerability management processes represent the biggest problem areas, because they're rarely well documented and automated.
- Anton Chuvakin (http://blogs.gartner.com/anton-chuvakin/2014/02/12/highlights-from-verizon-pci-report-2014/)

Meet Simon, MyCo Lead System Engineer

YourApp

Regulations, Catalogs, Guidelines

Advanced Persistent Marketing
"oster #reated $y %en &estin' ()*+' used with permission of author. ,i %en-

Meet Sarah, MyCo CISO

Sarah's initial SWAG
Need local values for 50 controls (password lengths, login timeouts, etc)
Only YourApp new systems in scope
Project team bringing Security in late
C2S Profile: 250 controls
YourApp Env: 35 systems

Simon's back of the napkin
Number of Controls: 250
Time per Control: 1 min
Number of Hosts: 35
Minutes per Hour: 60 min
145 hours or 18 Days

SCAP
Brought to you by the letters NVD and CVE!
SECURITY STREET

What does Simon need?
SCAP Content
SCAP Scanner
Centralization

The final controls
Final policy
Annual audits
Requires 2 additional regular reviews
Need local values for 100 controls (password lengths, login timeouts, etc)
15 current production systems added to scope
DR site also required
C2S Profile: 400 controls
YourApp Env: 100 systems

Simon's new napkin
Number of Controls: 400
Time per Control: 1 min
Number of Hosts: 100
Minutes per Hour: 60 min
666 hours or 83 Days

What Simon's compliance system can do
Number of Controls: 400
Time per Control: 5.5 s
Number of Hosts: 100
Minutes per Hour: 60 min
61 hours or 8 Days
C2S Run time: 73 seconds
+, -ays .
Mostly computer time, highly parallel
Little administrator interaction required
Still ?Oh, and 150 more checks (62.5% more work)
75 Days saved
Or 90.3%

What does Simon need?
SCAP Content
SCAP Scanner
Centralization

The Content

SCAP (Security Content Automation Protocol)
NIST SP 800-126 Rev. 2
CCE: Common Configuration Enumeration
CPE: Common Platform Enumeration
CVE: Common Vulnerabilities and Exposures
CVSS: Common Vulnerability Scoring System
CCSS: Common Configuration Scoring System
XCCDF: The Extensible Configuration Checklist Description Format
OVAL: Open Vulnerability and Assessment Language
OCIL: Open Checklist Interactive Language
AI: Asset Identification
ARF: Asset Reporting Format

Great, who makes it?
Red Hat provided feeds
http://www.redhat.com/security/data/metrics/
http://www.redhat.com/security/data/metrics/com.redhat.rhsa-all.xccdf.xml

Building and modifying content
[Diagram: XCCDF Profile, XCCDF Rule, OVAL Entities, OVAL Definition, OVAL]

Walking back the cat
Sane separation of files with XSLT to create valid content
OVAL in single check file with human readable IDs
XCCDF in descriptive structure
Modify make file to include and build content
or $-:A plug for upstream

What about the analyst?
SCAP Tailoring file

The Scanner
OpenSCAP
NIST validated SCAP scanner by Red Hat
https://nvd.nist.gov/scapproducts.cfm

The Centralization

Workflow
Use RPMs
Scanning hosts
Scan list
Scan detail
Diff results
Diff to any
Change some defaults
Detailed Report
Scanning groups with SSM
Advanced searches
CVE-2014-6271
System built after scans
Cron + Satellite API
Use with a different change manager
http://github.com/nzwulfin/rhsummit15

Automation
From Tailoring to Profile
Upload Datastream
Create scan profile
Reporting
Install tools on client

Resources
;ohn on PCI Report
NIST Validated SCAP tools