This could be a long post...I could write a book about this based on what I have been doing recently.
Let's start with the concept of "System Hardening" on Linux.
Most people are familiar with SELinux (SE = System Enforcing, I believe). The NSA came up with this originally, and it is now part of mainstream Linux distributions (Centos, Ubuntu, RHEL, et al). It is centered around policy files that are written and loaded, and these essentially govern what an application is allowed to do, and not to do.
Above and beyond this, some additional frameworks such as SCAP have been established.
https://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
The open source implementation of this protocol is OpenSCAP
https://www.open-scap.org/
So what is this protocol about, SCAP? These are markup-language driven policies that bring a system into a compliance level for security and hardening.
There are two primary packages you need to run this:
1. scap-security-guide
2. scap-workbench
The first package does install some dependency packages, so it is best to use yum or a repository-based install method, or you will be installing a bunch of rpms in succession. The scap-security-guide is the package that "drives" the interpretation of policies, authoring, compilation or customization of existing policies, etc.
The second package is a graphical front-end of the scap-security-guide package. Everything you can do with the GUI can be done on command line, but the GUI does add some value.
For instance:
- You get some nice graphical graphs of compliancy percentages.
- You get a listing of policy rules and descriptions
- You can run or test policies in various manners (Dry Run, Full Mode)
With this stated, let's say that you have 100 Linux systems, and you have a policy. For instance, let's say the policy is for a CentOS7 Minimal Install system and that policy has 211 rules.
Let's assume that a baseline CentOS7 system is 80% compliant to these rules out of the box after installation, but that you, as an administrator, bring it up to 90% compliancy with some post-installation steps.
Then, as you deploy this baseline image onto 200 servers, you check it periodically to find that the compliancy level keeps dropping due to system administrators installing packages or whatever.
You can run a "Remediate" feature in SCAP that can 'pull' those systems back into Compliancy per the baseline. The Remediate feature allows for bash, Ansible or Puppet scripts to be run.
NOTE: In my initial testing, using bash, this did not work. But I have not played with it much.
In order to run the baselines, it is best to install these scap packages FIRST on your systems, and take your initial baseline. Then, periodically after additional changes to the system, you can run it again and compare the results to the baseline.
Okay - this is my first introduction on this topic.
No comments:
Post a Comment