Upload File

super security - nasa...super security automated scap security compliance and common vulnerabilities...

  • Home
  • Documents
  • Super Security - NASA...Super Security Automated SCAP Security Compliance and Common Vulnerabilities Evaluation Jordan A. Caraballo-Vega1, George Rumney2, John Jasen2 1University of
1
Super Security Automated SCAP Security Compliance and Common Vulnerabilities Evaluation Jordan A. Caraballo-Vega 1 , George Rumney 2 , John Jasen 2 1 University of Puerto Rico at Humacao, Department of Mathematics 2 High Performance Computing, NASA Goddard Space Flight Center, Mail Code 606.2 Objectives It is NASA’s responsibility to secure and protect its computer systems and enormous amounts of data. Therefore, in order to enhance the security for the NASA Center for Climate Simulation (NCCS), tools to continuously monitor our High Performance Computing systems were implemented. Our aim is to: compare the efficiency of different assessment tools, keep a time trending record of the results, identify specific rules that need to be addressed urgently, and expand the use of this automated SCAP through all NCCS operational systems. Background Common Vulnerabilities and Exposures (CVE)- unique identifiers that enable data exchange between security products; specifically cybersecurity vulnerabilities. OpenSCAP CIS-CAT Figure 1. NCCS High Performance Computational Environment. Figure 2. Nagios Score Format SCAP – protocol developed by NIST designed to audit and assess a target system with a defined set of configuration requirements and rules. The two main components developed during this work are the Baseline and Vulnerabilities audits. Software Method Common Configuration Enumeration (CCE) - unique identifiers to security-related system configuration issues used in baseline audits. Figure 3. Acronyms of files used to execute SCAP They both include: Identifier Number – specific rule id CCE-2715-1/ CVE-1999-0067 Description – human readable description References – points sections of the documents Figure 4. Example of an html CVE description Extensible Configuration Checklist Description Format (XCCDF) - a structured collection of security configuration rules for some set of target systems. Open Vulnerability and Assessment Language (OVAL)- an effort to standardize how to assess and report upon the machine state of computer systems. Figure 5. Example of an html CVSS description Common Vulnerability Scoring System (CVSS)- a quantitative model to ensure repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Perl scripts were written in order to execute and automate the audit process. Bash scripts were implemented in order to report to Nagios, while Python scripts were developed to produce the graphs. Nagios is a passive check service that provides monitoring of all mission- critical infrastructure components including applications, services, operating systems, network protocols, systems metrics, and network infrastructure. The data sent to Nagios include the score and the pass/failure of priority rules (identified by the administrator of the system), and trend analysis of results over time. Figure 8. Diagram of Nagios infrastructure. At first, servers send the info to be processed by Nagios. Date is processed and then delivered to the internet interface References • National Institute of Standards and Technology (2009). The Security Content Automation Protocol (SCAP). Retrieved on June , 2016 from https://scap.nist.gov/ • National Vulnerability Database. Retrieved on June, 2016 from https://nvd.nist.gov/ • Open Vulnerability and Assessment Language. Retrieved on June, 2016 from http://oval.mitre.org/ • OpenSCAP. Retrieved on June, 2016 from https://www.open-scap.org/ • Center for Internet Security. Retrieved on June, 2016 from https://benchmarks.cisecurity.org/ Acknowledgments • NASA Minority University Research and Education Scholarship • Thanks to George Rumney (mentor), John E. Jasen (mentor), Bennett Samowich, Maximiliano Guillen, and Zed Pobre from the NASA Center for Climate Simulations, for their continuous help during this work. • Special thanks to Julie Rivera (Puerto Rican’s Advisor) and Stephen Shinn (Chief Financial Officer) for their assistance. Future Work Future work will include the implementation of a database (PostgreSQL) to organize the view of all the NCCS High Performance Computing systems behavior, and also the expansion of this method to a wider environment within the NCCS. Currently we are manually installing the package of scripts in each operating system; so next step would be developing Puppet rules in order to generalize the installation method of the scripts depending on the environment. OpenSCAP is an auditing tool that utilizes the Extensible Configuration Checklist Description Format (XCCDF). It is based on a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents. CIS-CAT tool to perform assessments of target systems according to CIS Benchmark rules. By discovering any lack of conformance to CIS Benchmarks, CIS-CAT offers a powerful tool for analyzing and monitoring the effectiveness of internal security processes. OpenSCAP Baseline Audit CIS-CAT Vulnerabilities Audit RHEL, SLES, Debian, and Ubuntu files work properly without any changes. However, to audit CentOS, RHEL feed must be heavily modified. Previous work done by Summer Intern Graham Mosley prove that this is possible by replacing the file with the corresponding CentOS version, changing the platform information, and signing keys to the CentOS equivalent on RHEL feed. OpenSCAP is the auditing tool used to asses the vulnerability profiles for every operating system used in this work. OVAL files for RHEL, SLES, Ubuntu, and Solaris were found. Debian files are very recent, so further tests need to be performed in order to prove their accuracy. After the audit is done, severities (from low to high) are taken from the resulting xml, or the online CVSS principal page. OpenSCAP CIS-CAT Not supported in all distributions Needs Java to run Faster Slower Lacks of Benchmark files Does not have severities information Open source Not free Figure 6 and 7. Comparison between OpenSCAP vs. CIS-CAT For Baseline tests OpenSCAP supports RHEL 6/7 and CentOS 6/7. On the other hand, CIS-Cat tool supports SLES 11/12, CentOS 6/7, RHEL 6/7, FreeBSD, Ubuntu 14/16, Solaris and Debian 8. Figure 9. Operating systems supported by OpenSCAP based on the availability of benchmark files: CentOS and RHEL. Figure 10. Operating systems supported by CIS- CAT from upper center to right: SLES, CentOS, Debian, FreeBSD, Solaris, Ubuntu, and RHEL. OpenSCAP Figure 11. Operating systems logos of found OVAL files: SLES, Debian, Solaris, and Ubuntu. CentOS uses RHEL modified feed General Procedure Results & Conclusions • Create Directories • Search for files • Parse config file Validate • Select Tool • Select OS • Run command Assess • Parse XML file • Search for severities • Create and edit report files Report Figure 12. Diagram of script procedures • Sum failed tests and severities • Check critical CCE/CVE result • Get total score • Produce Last Run File • Edit/Create State File • Store date and result on Trend File Nagios Procedure Method A bash script named CopyFiles is executed in order to locate files in their respective folders. This will set in place the cron job that was previously configured to assess the system daily. After this is done, a check script is executed to verify the results of the file age function, score, and identified critical rules. Scores are reported to the Nagios interface. Operating Systems Tested Figure 14 (A) Table summarizes the stage of the work for each OS. Green for ready, yellow for on going, red for further needs. Figure 14 (B) shows the Nagios HTML interface. B A Figure 15 (A) shows the behavior of Centos 6 Baseline audit with and without auditing rules; while Figure 15 (B) represents a Vulnerabilities audit before and after updating the system. The higher the score in the baseline audit, the safer the system is. However, vulnerabilities audits state that the higher the result, the more vulnerable the system will be. A B As it is shown in the graphs, scores can change dramatically, and for that reason systems need to be assessed continuously. Therefore, this method will facilitate systems administrators effort to maintain their server secure and monitored through time. Figure 13. Diagram of Nagios Procedure

Upload: others

Post on 30-Sep-2020

0 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Super Security - NASA...Super Security Automated SCAP Security Compliance and Common Vulnerabilities Evaluation Jordan A. Caraballo-Vega1, George Rumney2, John Jasen2 1University of

Super SecurityAutomated SCAP Security Compliance and Common

Vulnerabilities EvaluationJordan A. Caraballo-Vega1, George Rumney2, John Jasen2

1University of Puerto Rico at Humacao, Department of Mathematics2High Performance Computing, NASA Goddard Space Flight Center, Mail Code 606.2

Objectives

It is NASA’s responsibility to secure andprotect its computer systems andenormous amounts of data. Therefore,in order to enhance the security for theNASA Center for Climate Simulation(NCCS), tools to continuously monitorour High Performance Computingsystems were implemented.

Our aim is to: compare the efficiency ofdifferent assessment tools, keep a timetrending record of the results, identifyspecific rules that need to be addressedurgently, and expand the use of thisautomated SCAP through all NCCSoperational systems.

Background

Common Vulnerabilities and Exposures (CVE)- uniqueidentifiers that enable data exchange between security products; specifically cybersecurity vulnerabilities.

OpenSCAP CIS-CAT

Figure 1. NCCS High Performance Computational Environment.

Figure 2. Nagios Score Format

SCAP – protocol developed by NISTdesigned to audit and assess atarget system with a defined set ofconfiguration requirements andrules. The two main componentsdeveloped during this work are theBaseline and Vulnerabilities audits.

Software

Method

Common Configuration Enumeration (CCE) - uniqueidentifiers to security-related system configurationissues used in baseline audits.

Figure 3. Acronyms of files used to execute SCAP

They both include:• Identifier Number – specific rule id

CCE-2715-1/ CVE-1999-0067• Description – human readable description• References – points sections of the documents

Figure 4. Example of an html CVE description

Extensible Configuration Checklist Description Format (XCCDF) - a structured collection of security configuration rules for some set of target systems.

Open Vulnerability and Assessment Language (OVAL)- an effort to standardize how to assess and report upon the machine state of computer systems.

Figure 5. Example of an html CVSS description

Common Vulnerability Scoring System(CVSS)- a quantitative model to ensure repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores.

Perl scripts were written in order to execute and automate the audit process.Bash scripts were implemented in order to report to Nagios, while Pythonscripts were developed to produce the graphs.

Nagios is a passive check service that provides monitoring of all mission-critical infrastructure components including applications, services, operatingsystems, network protocols, systems metrics, and network infrastructure. Thedata sent to Nagios include the score and the pass/failure of priority rules(identified by the administrator of the system), and trend analysis of resultsover time.

Figure 8. Diagram of Nagios infrastructure. At first, servers send the info to be processed by Nagios. Date is processed and then delivered to the internet interface

References

• National Institute of Standards and Technology (2009). The Security Content Automation Protocol (SCAP). Retrieved on June , 2016 from https://scap.nist.gov/

• National Vulnerability Database. Retrieved on June, 2016 from https://nvd.nist.gov/• Open Vulnerability and Assessment Language. Retrieved on June, 2016 from

http://oval.mitre.org/• OpenSCAP. Retrieved on June, 2016 from https://www.open-scap.org/• Center for Internet Security. Retrieved on June, 2016 from

https://benchmarks.cisecurity.org/

Acknowledgments

• NASA Minority University Research and Education Scholarship• Thanks to George Rumney (mentor), John E. Jasen (mentor), Bennett Samowich, Maximiliano Guillen, and Zed Pobre from the NASA Center for Climate Simulations, for their continuous help during this work.• Special thanks to Julie Rivera (Puerto Rican’s Advisor) and Stephen Shinn (Chief Financial Officer) for their assistance.

Future Work

Future work will include the implementation of a database (PostgreSQL)to organize the view of all the NCCS High Performance Computingsystems behavior, and also the expansion of this method to a widerenvironment within the NCCS. Currently we are manually installing thepackage of scripts in each operating system; so next step would bedeveloping Puppet rules in order to generalize the installation methodof the scripts depending on the environment.

OpenSCAP is an auditing tool that utilizes the ExtensibleConfiguration Checklist Description Format (XCCDF). It is basedon a framework of libraries to improve the accessibility of SCAPand enhance the usability of the information it represents.

CIS-CAT tool to perform assessments of target systems accordingto CIS Benchmark rules. By discovering any lack of conformanceto CIS Benchmarks, CIS-CAT offers a powerful tool for analyzingand monitoring the effectiveness of internal security processes.

OpenSCAP

Baseline Audit

CIS-CAT

Vulnerabilities Audit

RHEL, SLES, Debian, and Ubuntu files work properly without any changes.However, to audit CentOS, RHEL feed must be heavily modified. Previous workdone by Summer Intern Graham Mosley prove that this is possible byreplacing the file with the corresponding CentOS version, changing theplatform information, and signing keys to the CentOS equivalent on RHELfeed.

OpenSCAP is the auditing tool usedto asses the vulnerability profiles forevery operating system used in thiswork. OVAL files for RHEL, SLES,Ubuntu, and Solaris were found.Debian files are very recent, sofurther tests need to be performedin order to prove their accuracy.After the audit is done, severities(from low to high) are taken fromthe resulting xml, or the online CVSSprincipal page.

OpenSCAP CIS-CATNot supported in all

distributionsNeeds Java to run

Faster Slower

Lacks of Benchmark files Does not have severities information

Open source Not free

Figure 6 and 7. Comparison between OpenSCAP vs. CIS-CAT

For Baseline tests OpenSCAP supportsRHEL 6/7 and CentOS 6/7. On the otherhand, CIS-Cat tool supports SLES 11/12,CentOS 6/7, RHEL 6/7, FreeBSD, Ubuntu14/16, Solaris and Debian 8.

Figure 9. Operating systems supported by OpenSCAP based on the availability of benchmark files: CentOS and RHEL.

Figure 10. Operating systems supported by CIS-CAT from upper center to right: SLES, CentOS, Debian, FreeBSD, Solaris, Ubuntu, and RHEL.

OpenSCAP

Figure 11. Operating systems logos of found OVALfiles: SLES, Debian, Solaris, and Ubuntu. CentOSuses RHEL modified feed

General Procedure

Results & Conclusions

• Create Directories

• Search for files

• Parse config file

Validate

• Select Tool

• Select OS

• Run command

Assess• Parse XML file

• Search for severities

• Create and edit report files

Report

Figure 12. Diagram of script procedures

• Sum failed tests and severities• Check critical CCE/CVE result• Get total score• Produce Last Run File• Edit/Create State File• Store date and result on Trend File

Nagios Procedure

Method

A bash script named CopyFiles is executed in order to locate files in theirrespective folders. This will set in place the cron job that was previouslyconfigured to assess the system daily. After this is done, a check script isexecuted to verify the results of the file age function, score, andidentified critical rules. Scores are reported to the Nagios interface.

Operating Systems Tested

Figure 14 (A) Table summarizes the stage of the work for each OS. Green for ready, yellow for on going, red for further needs. Figure 14 (B) shows

the Nagios HTML interface.

BA

Figure 15 (A) shows the behavior of Centos 6 Baseline audit with and without auditing rules; while Figure 15 (B) represents a Vulnerabilities audit before and after updating the system. The

higher the score in the baseline audit, the safer the system is. However, vulnerabilities audits state that the higher the result, the more vulnerable the system will be.

A B

As it is shown in the graphs, scores can change dramatically, and for thatreason systems need to be assessed continuously. Therefore, this methodwill facilitate systems administrators effort to maintain their server secureand monitored through time.

Figure 13. Diagram of Nagios Procedure

RESEARCH Open Access Developing GM super cassava for … · 2017-08-28 · RESEARCH Open Access Developing GM super cassava for improved health and food security: future challenges

Advances in adaptive learning methods for disruption prediction … · 2019. 6. 23. · Advances in adaptive learning methods for disruption prediction in JET J. Vega1, A. Murari2,

Super Wide-Angle Security Camera

Women’s Economic Security Act Presented by: Mike Bourgon and Michelle Super

Developing Single Nucleotide Polymorphism … et al...Developing Single Nucleotide Polymorphism (SNP) Markers for the Identification of Coffee Germplasm Lin Zhou1,2 & Fernando E. Vega1

super sensitive security system

2MP & 5MP Super HD Video Security DVR System User Manual

SUPER SAFE SUPER EXPERIENCED SUPER RELIABLE SUPER QUALIFIED · SUPER SAFE SUPER EXPERIENCED SUPER RELIABLE SUPER QUALIFIED As a nationally recognized turnaround and construction contractor

Super yacht flagging, - Quaynote Communications · Super yacht flagging, safety and security Ivan Sammut Registrar General of Shipping and Seamen . The choice of flag has, over the

Super simple application security with Apache Shiro

Super billing computer ethics, privacy and security

The Op New Blood Super Secret Security Handbook

Super Teacher Worksheets -  · Super Teacher Worksheets - . Super Teacher Worksheets - . Super Teacher Worksheets -

Mobile Security Apps - AV-TEST · PDF fileTesting mobile security Apps ... ESET MobileSecurity Norton Mobile Security QuickHeal Mobile Security Super Security Trend Micro Mobile Security

arXiv:1610.08529v2 [quant-ph] 16 Nov 2016authors.library.caltech.edu/81726/2/1610.08529.pdfContextuality as a resource for qubit quantum computation Juan Bermejo-Vega1 ;2, Nicolas

ALL-NEW SUPER DUTY · 2013-02-10 · ALL-NEW SUPER DUTY ® fordvehicles.com ... Windshield wipers — Intermittent SAFETY & SECURITY 4-wheel power disc brakes with Anti-lock Brake

PCI DATA SECURITY STANDARDS VERSION 3 - … DATA SECURITY STANDARDS VERSION 3.2 What's Next? ... are expanded to all administrative/super user access to ... • FireEye • WebSense

Super strong. Super small. Super cool

Super Citanje, Super Ucenje, Super Pamcenje

REQUEST FOR PROPOSAL for Redesigning / Security Audit of ... PCDA NC Website.pdf · 5,000/. Envelope should be super-scribed “Bid Security: Redesigning of PCDA (NC) Jammu Website”

o o } ] } vlarge.stanford.edu/courses/2016/ph240/vega1/docs/ritr-2015.pdfReal-time communication ecosystem. Communications bandwidth, especially for wireless communication, must grow

WLQ D H - BioOne · A mysterious wing spine in male coffee berry borers (Coleoptera: Curculionidae: Scolytinae) Fernando E. Vega1*, ... disappearance of the spine is perhaps due to

Super HD Security Camera - Free Instruction ManualsFor more information on this product visit every detail in rich, super HD • State-of-the-art security camera with outstanding 4

María Fernanda Carrillo-Vega1, Guillermo Salinas-Escudero2, … · 2020-05-11 · María Fernanda Carrillo-Vega1, Guillermo Salinas-Escudero2, Carmen García-Peña3, Luis Miguel

THE SUPER 70 - Digital Guardian · critical technology. Emerging cloud-centric security vendors, such as CloudPassage, Dome9 Security, and vARMOUR, have experienced sharp demand,

estimates of Biomass and Fixed carbon at a Rainforest in ... · estimates of Biomass and Fixed carbon at a Rainforest in panama Reinhardt Pinzón1, José Fábrega1, David Vega1, erick

Super Bowl LII: Security Assessment · superbowl/ Super Bowl® LII: Security Assessment ... Event rates around U.S. Bank Stadium will only be in effect on gameday. Skyway The Minneapolis

JVC PROFESSIONAL SECURITY AND SURVEILLANCE Super LoLux … Reference Guide Jan20… · JVC professional LCD displays are perfect for security control room use, where reliability,

Super Bowl Security Oops

Vega1 Serviss - Capability Statement

SUPER X5DA8 SUPER X5DAE SUPER X5DAL-G SUPER X5DAL-TG2 · SUPER X5DA8 SUPER X5DAE SUPER X5DAL-G SUPER X5DAL-TG2 USER’S MANUAL Revision 1.1c SUPER. The information in this User’s

Super Barcode Training Camp - Motorola AirDefense Wireless Security Presentation

Super HD Security Camera - GfK Etilize · Congratulations on your purchase of this Swann Super HD Security Camera with Power Over Ethernet. You’ve made a fine choice for keeping

 · daiwa cctv super vision ccd camera scanning system for security ... 2012.7 super ccd camera scanning system for security . wdrŽ se-wd600s ¥130,000 ¥136,500)

NATIONAL SECURITY CUTTER - dcms.uscg.mil PDFs/Factsheets/NSC.pdfNATIONAL SECURITY CUTTER ... • One Mk 160 gun fire-control system ... • Two Mk 36 Super Rapid Blooming Offboard