Tuesday, May 21, 2019

Compliance

  • Security Content Automation Protocol (SCAP)

SCAP is an acronym for Security Content Automation Protocol.
Its purpose is to apply an already-accepted security standard to organizations that don't currently have one or that have weak implementations.
It allows security administrators to scan computers, software, and other devices against a predetermined security baseline to determine whether the configuration and software patches meet the standard they are being compared to.

The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.

Some security standards similar to SCAP include
SACM (Security Automation and Continuous Monitoring),
CC (Common Criteria),
SWID (Software Identification) tags, and
FIPS (Federal Information Processing Standards).

There are two main parts to the Security Content Automation Protocol — SCAP content and SCAP scanners.

https://www.lifewire.com/what-is-scap-2487459

  • Compliance and Vulnerability Scanning with OpenSCAP

A compliance audit is a process of figuring out whether a given object follows all the rules written out in a compliance policy. The compliance policy is defined by security professionals who specify required settings, often in the form of a checklist, that are to be used in the computing environment.

SCAP Workbench — The scap-workbench graphical utility is designed to perform configuration and vulnerability scans on a single local or remote system. It can be also used to generate security reports based on these scans and evaluations.

OpenSCAP — The oscap command-line utility is designed to perform configuration and vulnerability scans on a local system, to validate security compliance content, and to generate reports and guides based on these scans and evaluations.

Script Check Engine (SCE) — SCE is an extension to the SCAP protocol that allows administrators to write their security content using a scripting language, such as Bash, Python, or Ruby. The SCE extension is provided in the openscap-engine-sce package.

SCAP Security Guide (SSG) — The scap-security-guide package provides the latest collection of security policies for Linux systems. The guidance consists of a catalog of practical hardening advice, linked to government requirements where applicable.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-compliance_and_vulnerability_scanning

  • SCAP Scanner And Tailoring Graphical User Interface

SCAP Workbench is a GUI tool that provides scanning, tailoring and validation functionality for SCAP content. It uses the openscap library to access SCAP functionality.
Those operating on Fedora, Red Hat Enterprise Linux, CentOS, or Scientific Linux can install the OpenSCAP Workbench as a GUI to run scans on virtual machines, containers, and images.
https://github.com/OpenSCAP/scap-workbench

  • Using OpenSCAP with Docker

Scanning Docker-formatted Images and Containers for Vulnerabilities

The oscap-docker command provides two ways to scan images and containers for vulnerabilities:
The image-cve or container-cve sub-commands determine the version of the operating system, download the CVE stream applicable to the given system, and run a vulnerability scan.
Another, more flexible way enables you to specify OVAL definitions when checking for vulnerabilities. Use the image or container sub-command together with oscap arguments for an OVAL evaluation.

Scanning Configuration Compliance of Docker-formatted Images and Containers
To scan for configuration compliance, use the SCAP content provided by the SCAP Security Guide (SSG).

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sect-using_openscap_with_docker

  • Using OpenSCAP with Ansible

To assist with integrating configuration compliance into your existing Ansible workflow, OpenSCAP generates remediations for use with Ansible. The remediations are generated in the form of Ansible playbooks, either based on profiles or based on scan results.
A playbook based on a SCAP Security Guide (SSG) profile contains fixes for all rules, and the system is remediated according to the profile regardless of the state of the machine.
On the other hand, playbooks based on scan results contain only fixes for rules that failed during an evaluation.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sect-using_openscap_with_ansible

Linux Security Hardening with OpenSCAP and Ansible
Linux systems are audited for security compliance by an external auditor.
Remediating the findings and making the systems compliant used to be a matter of manually applying changes or running monolithic scripts.
Today, remediation can be fully automated with Ansible, and security compliance can be checked before the auditor arrives with OpenSCAP.

Security Technical Implementation Guides

The CIS Security Benchmarks: these are human-readable documents with information about each security vulnerability, commands to check if the system is configured correctly, and commands to set the right configuration if it is not.

The Security Technical Implementation Guides (STIG) published by the Defense Information Systems Agency (DISA) contain similar information in machine-readable format.
There is a graphical utility to view the STIG content, and an OpenSCAP policy to audit a system against the list of vulnerabilities.
Vulnerabilities are divided into three severities (CAT I to III).

OpenSCAP Auditing
Ansible Remediation Playbook
Most of the STIG vulnerabilities can be automatically fixed by the Ansible playbook.
The repository contains the remediation tasks, but no playbook to execute them.
A simple playbook can be created by putting this into stig.yml on the same directory level as the roles directory.
Create an Ansible inventory file listing the hosts you want to apply the changes to.
Note that the playbook modifies configuration settings on these hosts and might break installed applications and system services.
For example, you will no longer be able to log in as root via SSH (STIG V-38613).
Apply the playbook to all hosts in the inventory file.
Once Ansible is done, re-run the oscap command;
you should see a higher compliance score and fewer failed OpenSCAP rules.
Given the number of tasks in the playbook, checking the output on the command line can be a bit overwhelming.
Importing the playbook into Ansible Tower is easy though, and gives you a nice graphical overview when you run the playbook:
https://clasohm.com/wp/2016/08/16/linux-security-hardening-with-openscap-and-ansible/
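As an added example (not from the post or the OpenSCAP project), the script below summarises two XCCDF result documents the way you read them after the scan, remediate, re-scan loop above: counts per outcome, the pass ratio over rules that were actually checked, and which failing rules the playbook cleared. The result XML, rule ids and severities are constructed sample data in SSG naming style.

```python
"""Summarise XCCDF TestResult documents before and after remediation.
Added example, not from the page or the OpenSCAP project. It reads rule-result
entries as written by `oscap xccdf eval --results` (XCCDF 1.2 namespace)."""
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
COUNTED = ("pass", "fail", "fixed")                   # outcomes counted in the pass ratio
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}   # STIG CAT I, II, III


def sample_results(outcomes):
    """Constructed minimal XCCDF 1.2 TestResult from {rule_id: (severity, result)}."""
    rows = "".join(f'<rule-result idref="{rid}" severity="{sev}"><result>{res}</result></rule-result>'
                   for rid, (sev, res) in outcomes.items())
    return f'<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"><TestResult id="r">{rows}</TestResult></Benchmark>'


# Constructed sample data; rule ids follow the SSG naming style used by its STIG profiles.
EMPTY_PW = "xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"
ROOT_LOGIN = "xccdf_org.ssgproject.content_rule_sshd_disable_root_login"
ASLR = "xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space"
AIDE = "xccdf_org.ssgproject.content_rule_package_aide_installed"
BEFORE = sample_results({EMPTY_PW: ("high", "fail"), ROOT_LOGIN: ("medium", "fail"),
                         ASLR: ("medium", "pass"), AIDE: ("low", "notselected")})
AFTER = sample_results({EMPTY_PW: ("high", "pass"), ROOT_LOGIN: ("medium", "fail"),
                        ASLR: ("medium", "pass"), AIDE: ("low", "notselected")})


def summarize(xml_text):
    """Count outcomes, list failed rules with severity, and compute the pass ratio of checked rules."""
    root = ET.fromstring(xml_text)
    counts, failed = {}, {}
    for rr in root.iter(XCCDF + "rule-result"):
        res = rr.findtext(XCCDF + "result", "unknown").strip()
        counts[res] = counts.get(res, 0) + 1
        if res == "fail":
            failed[rr.get("idref")] = rr.get("severity", "unknown")
    checked = sum(counts.get(r, 0) for r in COUNTED)    # notselected/notapplicable are excluded
    passed = counts.get("pass", 0) + counts.get("fixed", 0)
    return {"counts": counts, "failed": failed,
            "pass_ratio": round(100.0 * passed / checked, 1) if checked else None}


def remediation_delta(before_xml, after_xml):
    """Rules the playbook cleared, and rules still failing ordered by severity (CAT I first)."""
    before, after = summarize(before_xml)["failed"], summarize(after_xml)["failed"]
    fixed = sorted(set(before) - set(after))
    still = sorted(after, key=lambda rid: (SEVERITY_ORDER.get(after[rid], 9), rid))
    return fixed, still
```

Point `summarize` at the results file from a real `oscap xccdf eval --results` run to get the same breakdown for your own hosts.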
  • ANSIBLE SECURITY AUTOMATION

INTERNAL STANDARDS
Change root password every 60 days
INCIDENT RESPONSE - LOGS
Gather log files from remote systems
REMEDIATION
Patch Linux systems against Meltdown and Spectre
Protect against MacOS High Sierra root bug
Protect against CVE-2018-5390 | CVE-2018-5391
Payment Card Industry Data Security Standard (PCI DSS) 
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Security Technical Implementation Guides (STIG) - WINDOWS
Anonymous enumeration of shares must be restricted.
The network element must only allow management connections for administrative access from hosts residing in the management network.
Security Technical Implementation Guides (STIG) - LINUX
The operating system must implement address space layout randomization to protect its memory from unauthorized code execution.
Rule Title: The SSH daemon must not allow authentication using an empty password.

https://www.ansible.com/hubfs/2018_Content/AA%20NYC%202018%20Slides/Security%20Automation%20with%20Ansible_MichellePerz-NYCAutomates.pdf
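The Script Check Engine described earlier lets a check be written as a script. As an added example (not from the page, the slides or the OpenSCAP project), here is a Python SCE-style check for the STIG rule just listed, that the SSH daemon must not allow empty-password authentication. It resolves PermitEmptyPasswords the way sshd does (first global occurrence wins, Match-block overrides tracked separately) and reports the result through the SCE exit-code convention; the SSHD_CONFIG environment variable is an assumed override for running it against a sample file.

```python
"""SCE-style check: the SSH daemon must not allow empty-password authentication.
Added example, not from the page or the OpenSCAP project. SCE takes the XCCDF
result from the exit code: 101 pass, 102 fail, 103 error."""
import os
import sys

XCCDF_RESULT_PASS, XCCDF_RESULT_FAIL, XCCDF_RESULT_ERROR = 101, 102, 103


def permit_empty_passwords(config_text):
    """Return (global_value, values_inside_match_blocks) for PermitEmptyPasswords.
    sshd uses the first global occurrence of a keyword, keywords are case-insensitive,
    'Key value' and 'Key=value' are both accepted, and the default when unset is 'no'.
    Settings inside a Match block apply only to matching sessions, so they are kept apart."""
    global_value, match_values, in_match = None, [], False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":                               # everything below is conditional
            in_match = True
        elif key == "permitemptypasswords":
            if in_match:
                match_values.append(value)
            elif global_value is None:                   # first global occurrence wins
                global_value = value
    return global_value or "no", match_values


def check(config_text):
    """True when neither the global setting nor any Match override enables empty passwords."""
    global_value, match_values = permit_empty_passwords(config_text)
    return global_value != "yes" and "yes" not in match_values


if __name__ == "__main__":
    # SSHD_CONFIG is an assumed override so the check can be run against a sample file.
    path = os.environ.get("SSHD_CONFIG", "/etc/ssh/sshd_config")
    try:
        with open(path) as fh:
            passed = check(fh.read())
    except OSError as exc:
        print(f"cannot read {path}: {exc}", file=sys.stderr)
        sys.exit(XCCDF_RESULT_ERROR)
    print("PermitEmptyPasswords:", "pass" if passed else "fail")
    sys.exit(XCCDF_RESULT_PASS if passed else XCCDF_RESULT_FAIL)
```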
  • Automate securely

Writing automation content to secure your systems doesn’t help if you don’t have a secure automation framework to begin with. Ansible’s agentless nature means you don’t need a separate security policy for your automation. There are no ports to open, no additional policy to write - Ansible works with your existing SSH and WinRM infrastructure.
Ansible Tower adds secure storage of all your credentials for machines and cloud systems, and a powerful role-based access control engine that allows you to easily set policies on who can run what automation in what environments, ensuring that only the proper people have the ability to access machines and apply configuration.

Trust, yet verify compliance
Once you’ve defined your security configuration, you need to be able to verify it and verify it on a consistent basis. Ansible’s idempotent nature means you can repeatedly apply the same configuration, and it will only make the necessary changes to put the system back into compliance.

If you want to verify your automation outside of your automation, Ansible’s task-based nature makes it easy to write content using tools such as OpenSCAP and STIGMA to verify your automation. And Ansible Tower’s fact gathering can be directly integrated with common logging and analytics providers to build a wealth of data on your infrastructure, allowing you to simply see any deviations in your systems.

https://www.ansible.com/use-cases/security-and-compliance
  • Ansible Lockdown is a collection of Ansible roles related to security automation.
The initial effort is for the development of roles centered around STIG and CIS benchmark baselines.
https://github.com/ansible/ansible-lockdown

  • Ansible Lockdown is an open source project with one principal focus: to make it easy for anyone to conduct security operations in a way that is safe, maintainable, and automated.
https://ansiblelockdown.io/
  • AUTOMATE STIG COMPLIANCE WITH ANSIBLE
A tested and trusted Ansible Role for the DISA STIG. With this Role, IT admins can easily:

    Deploy new systems that are compliant to the DISA STIG
    Audit and validate DISA STIG compliance on existing systems
    Coupled with Ansible Tower, schedule routine checks across entire server inventories

Free and Open - Like Ansible Core, the STIG role is provided free of charge. However, many customers find that the STIG role plus Ansible Tower provide unprecedented benefits and capabilities when applying and managing STIG compliance across a large set of systems.
Results of the Role application are run through an automated testing gauntlet involving the use of OpenSCAP and STIGMA.
https://www.ansible.com/security-stig

  • Docker standards and compliance

Container-Specific Publications:

    NIST Special Publication (SP) 800-190 - Application Container Security Guide
    NIST Interagency Report (NISTIR) 8176 - Security Assurance Requirements for Linux Application Container Deployments
    NIST Information Technology Laboratory (ITL) Bulletin October 2017 - NIST Guidance on Application Container Security

Benchmarks:

    CIS Docker EE Benchmark (In Development)
    CIS Docker CE Benchmark
    CIS Kubernetes Benchmark

https://docs.docker.com/compliance

  • The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality.
https://csrc.nist.gov/projects/security-content-automation-protocol/
  • The Security Technical Implementation Guides (STIGs)
The Security Technical Implementation Guides (STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems.
https://iase.disa.mil/stigs/Pages/index.aspx

  • UNCLASSIFIED DISA FSO STIG List
https://www.stigviewer.com/stigs


  • NIST Special Publication 800-series General Information 

Publications in NIST’s Special Publication (SP) 800 series present information of interest to the computer security community. The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities.
SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems.
https://www.nist.gov/itl/nist-special-publication-800-series-general-information