Plug-in OpenSCAP :: Security compliance reports

Hello Foreman community!

OpenSCAP is a toolkit for security compliance automation build on top of
SCAP standard. OpenSCAP ecosystem includes low-level C library,
command-line scanner, graphical interface (scap-workbench), hardening
guidances (scap-security-guide), Anaconda installer add-on, and
integration with Spacewalk project.

Now, we have started OpenSCAP integration with Foreman. Here are the UI
mock-ups:

http://isimluk.livejournal.com/5628.html

And here is a few words about architecture:

http://isimluk.livejournal.com/5202.html

There are multiple sub-projects for the integration. I have tried to
follow Foreman's coding conventions and each project includes a spec
file. So, the RPMs can be easily built.

The integration is not yet finished, but my Foreman test instance can
already collect OpenSCAP reports. The target set of
features&requirements can be perhaps best understood after reading through:

http://isimluk.livejournal.com/4908.html

Is this something of interest to Foreman community?

Best regards,

>
> Hello Foreman community!
>
> OpenSCAP is a toolkit for security compliance automation build on top of
> SCAP standard. OpenSCAP ecosystem includes low-level C library,
> command-line scanner, graphical interface (scap-workbench), hardening
> guidances (scap-security-guide), Anaconda installer add-on, and
> integration with Spacewalk project.
>
> Now, we have started OpenSCAP integration with Foreman. Here are the UI
> mock-ups:
>
> http://isimluk.livejournal.com/5628.html

I am a little confused about the compliance report table. The table seems
to represent all compliance reports against all hosts? If this is the case
then it will be too unwieldy to be of use. I would like to see the table
organized by host, not by compliance report. Each row is dedicated to a
single host. The Columns indicate the following items: Date of Latest Scan,
Number of successful scans, Number of unsuccessful scans, Rule roll up from
last successful scan (pass/fail counts as separate columns), Severity
breakdown (high/medium/low counts as separate columns), and total score.

The operator can then sort the columns to see which hosts are in need of
attention.

Additionally I would like to see roll up reports by Host Collections.

When the operator selects a single row and clicks on the host name, they
are delivered the full report (with either local data in the postgres, or
redirected to the actual client)

The advantage of the sorting and host-collection roll up is the ability to
respond with a bulk action by issuing a new scan, installing a package(s),
decommissioning the host(s), etc.

Hey Dave,

Thanks for the feedback. I plan to add the views as you suggested. This
is just an early mock up.

This is quite interesting, I would recommend cross-posting to foreman-users
where you could get a bit more feedback from the community,
https://groups.google.com/forum/#!forum/foreman-users.

If you are interested, it'd benefit both Foreman and you to make the plugin
official, as we provide an official rpm and deb repository, help and
infrastructure for packaging, etc… check out:
http://projects.theforeman.org/projects/foreman/wiki/How_to_Create_a_Plugin#Making-your-plugin-official

Major congrats!

Hi Simon

Your mock-ups looks promising, I'm really looking forward to see this in my
Installation.

one question, are there any Plans to have a Trigger if a scan fails for
host ? As example raise a email or better connect to a Ticketing Tool ?
So then this could be used as Vulnerability Management (according to ISO
27002 http://www.iso27001security.com/html/27002.html#Section12)

thanks Mike

Thank You for your kind words Daniel!

There has been OpenSCAP 1.2.0 upstream release. Hence, we will be able
to move forward and package whole plug-in set.

I have managed to build all the rpms and the dependencies in my COPR repo:

 https://copr.fedoraproject.org/coprs/isimluk/OpenSCAP/

It is not that easy as with other plug-ins, there are multiple packages
needed. Here is a list:

RHEL6 repository needs to include

openscap-1.2.0+
ruby193-rubygem-openscap
ruby193-rubygem-scaptimony
ruby193-rubygem-foreman_openscap

RHEL7 repository needs to include

openscap-1.2.0+
ruby193-rubygem-rake-compiler
ruby193-rubygem-ffi
ruby193-rubygem-openscap
ruby193-rubygem-scaptimony
ruby193-rubygem-foreman_openscap

Fedora 19 repository needs to include

rubygem-scaptimony
rubygem-foreman_openscap

I haven't yet had a time to create Debian counterparts. Hence, I haven't
proceed with a pull request against foreman-packaging. But if anybody is
interested, there are rpm-specfiles already for all the projects.

Kind regards,

That would be highly beneficial and this feature has been requested by
multiple source. From very beginning of SCAPtimony project this feature
has been on the roadmap.

Here is a problem however. The e-mail sending would be better developed
as a async, background job (like taskomatic). I have been told 3 weeks
ago that Foreman currently does not have a scheduling daemon, that would
serve as a provision for writing such background jobs.

Is such thing on a roadmap for Foreman upstream?

>> This is quite interesting, I would recommend cross-posting to
>> foreman-users where you could get a bit more feedback from the
>> community, https://groups.google.com/forum/#!forum/foreman-users.
>>
>> If you are interested, it'd benefit both Foreman and you to make the
>> plugin official, as we provide an official rpm and deb repository, help
>> and infrastructure for packaging, etc… check out:
>> How to Create a Plugin - Foreman
>>
>> Major congrats!
>>
>
> Thank You for your kind words Daniel!
>
>
> There has been OpenSCAP 1.2.0 upstream release. Hence, we will be able
> to move forward and package whole plug-in set.
>
> I have managed to build all the rpms and the dependencies in my COPR repo:
>
> https://copr.fedoraproject.org/coprs/isimluk/OpenSCAP/
>
> It is not that easy as with other plug-ins, there are multiple packages
> needed. Here is a list:
>
> RHEL6 repository needs to include
>
> openscap-1.2.0+

We wouldn't ship this, it would probably come from the distribution or a
third party repository.

> ruby193-rubygem-openscap
> ruby193-rubygem-scaptimony
> ruby193-rubygem-foreman_openscap
>
> RHEL7 repository needs to include
>
> openscap-1.2.0+
> ruby193-rubygem-rake-compiler
> ruby193-rubygem-ffi

I've actually just targeted this spec file to be removed in an open PR,
but it can be moved to the plugin repo and built for EL7 too if you plan
to use it.

> ruby193-rubygem-openscap
> ruby193-rubygem-scaptimony
> ruby193-rubygem-foreman_openscap
>
> Fedora 19 repository needs to include
>
> rubygem-scaptimony
> rubygem-foreman_openscap
>
> I haven't yet had a time to create Debian counterparts. Hence, I haven't
> proceed with a pull request against foreman-packaging. But if anybody is
> interested, there are rpm-specfiles already for all the projects.

A PR to foreman-packaging would be either against rpm/develop or
deb/develop, so you don't need to do RPMs and Debian packages at the
same time. If you'd like to put this in the plugin repos, please go
ahead and begin the PR and review process.

>>> This is quite interesting, I would recommend cross-posting to
>>> foreman-users where you could get a bit more feedback from the
>>> community, https://groups.google.com/forum/#!forum/foreman-users.
>>>
>>> If you are interested, it'd benefit both Foreman and you to make the
>>> plugin official, as we provide an official rpm and deb repository, help
>>> and infrastructure for packaging, etc… check out:
>>> http://projects.theforeman.org/projects/foreman/wiki/How_to_Create_a_Plugin#Making-your-plugin-official
>>>
>>> Major congrats!
>>>
>>
>> Thank You for your kind words Daniel!
>>
>>
>> There has been OpenSCAP 1.2.0 upstream release. Hence, we will be able
>> to move forward and package whole plug-in set.
>>
>> I have managed to build all the rpms and the dependencies in my COPR repo:
>>
>> https://copr.fedoraproject.org/coprs/isimluk/OpenSCAP/
>>
>> It is not that easy as with other plug-ins, there are multiple packages
>> needed. Here is a list:
>>
>> RHEL6 repository needs to include
>>
>> openscap-1.2.0+
>
> We wouldn't ship this, it would probably come from the distribution or a
> third party repository.
>

Hello Dominic,

OpenSCAP base package is in all distribution channels.

The problems is that I have added a lot of new functionality in OpenSCAP
only because of Foreman integration. Now the foreman_openscap requires
the latest version: openscap-1.2.0.

It will take some time before OpenSCAP 1.2.0 propagates to RHEL6 (It
will be next week in Fedoras) In the mean time, I though it should be
possible to include openscap-1.2.0 package in foreman-plugins.

>> ruby193-rubygem-openscap
>> ruby193-rubygem-scaptimony
>> ruby193-rubygem-foreman_openscap
>>
>> RHEL7 repository needs to include
>>
>> openscap-1.2.0+
>> ruby193-rubygem-rake-compiler
>> ruby193-rubygem-ffi
>
> I've actually just targeted this spec file to be removed in an open PR,
> but it can be moved to the plugin repo and built for EL7 too if you plan
> to use it.
>

I see. That's pity.

I wonder why ruby193-rubygem-ffi is not in SCL.el7 anyway.

>> ruby193-rubygem-openscap
>> ruby193-rubygem-scaptimony
>> ruby193-rubygem-foreman_openscap
>>
>> Fedora 19 repository needs to include
>>
>> rubygem-scaptimony
>> rubygem-foreman_openscap
>>
>> I haven't yet had a time to create Debian counterparts. Hence, I haven't
>> proceed with a pull request against foreman-packaging. But if anybody is
>> interested, there are rpm-specfiles already for all the projects.
>
> A PR to foreman-packaging would be either against rpm/develop or
> deb/develop, so you don't need to do RPMs and Debian packages at the
> same time. If you'd like to put this in the plugin repos, please go
> ahead and begin the PR and review process.
>

Ok. I will create the PR later on, currently I have other priorities.

Thanks!

>
>> Hi Simon
>>
>> Your mock-ups looks promising, I'm really looking forward to see this in
>> my Installation.
>>
>> one question, are there any Plans to have a Trigger if a scan fails for
>> host ? As example raise a email or better connect to a Ticketing Tool ?
>> So then this could be used as Vulnerability Management (according to ISO
>> 27002 http://www.iso27001security.com/html/27002.html#Section12)
>>
>> thanks Mike
>>
>>
> That would be highly beneficial and this feature has been requested by
> multiple source. From very beginning of SCAPtimony project this feature has
> been on the roadmap.
>
> Here is a problem however. The e-mail sending would be better developed as
> a async, background job (like taskomatic). I have been told 3 weeks ago
> that Foreman currently does not have a scheduling daemon, that would serve
> as a provision for writing such background jobs.
>
> Is such thing on a roadmap for Foreman upstream?

there are two things to know:

1. I dont assume its a big deal to send a mail in sync, as based on the
   implementation of foreman-scap, the reports are queued on the proxy anyway.
   (so its kind of async from the user pov)
2. there is foreman-tasks which allows to perform async operations, but is
   currently not installed by default.

Ohad

>>>> This is quite interesting, I would recommend cross-posting to
>>>> foreman-users where you could get a bit more feedback from the
>>>> community, https://groups.google.com/forum/#!forum/foreman-users.
>>>>
>>>> If you are interested, it'd benefit both Foreman and you to make the
>>>> plugin official, as we provide an official rpm and deb repository, help
>>>> and infrastructure for packaging, etc… check out:
>>>> How to Create a Plugin - Foreman
>>>>
>>>> Major congrats!
>>>>
>>>
>>> Thank You for your kind words Daniel!
>>>
>>>
>>> There has been OpenSCAP 1.2.0 upstream release. Hence, we will be able
>>> to move forward and package whole plug-in set.
>>>
>>> I have managed to build all the rpms and the dependencies in my COPR repo:
>>>
>>> https://copr.fedoraproject.org/coprs/isimluk/OpenSCAP/
>>>
>>> It is not that easy as with other plug-ins, there are multiple packages
>>> needed. Here is a list:
>>>
>>> RHEL6 repository needs to include
>>>
>>> openscap-1.2.0+
>>
>> We wouldn't ship this, it would probably come from the distribution or a
>> third party repository.
>>
>
> Hello Dominic,
>
> OpenSCAP base package is in all distribution channels.
>
> The problems is that I have added a lot of new functionality in OpenSCAP
> only because of Foreman integration. Now the foreman_openscap requires
> the latest version: openscap-1.2.0.
>
> It will take some time before OpenSCAP 1.2.0 propagates to RHEL6 (It
> will be next week in Fedoras) In the mean time, I though it should be
> possible to include openscap-1.2.0 package in foreman-plugins.

Perhaps we can look at the actual detail when this is proposed, but my
general concerns would be that:

a) packages in our repos shouldn't replace distribution components
unless we have good reason and are happy it won't break things.
Sometimes we have replaced packages, and not always with great success,
sometimes destabilising a stable distro. (Once bitten, twice shy…)

b) maintenance burden, since if it's in our repos, we have to maintain
it. If it's being rebased in RHEL 6 and we can remove our package in
the near future, that's fine.

>>> RHEL7 repository needs to include
>>>
>>> openscap-1.2.0+
>>> ruby193-rubygem-rake-compiler
>>> ruby193-rubygem-ffi
>>
>> I've actually just targeted this spec file to be removed in an open PR,
>> but it can be moved to the plugin repo and built for EL7 too if you plan
>> to use it.
>>
>
> I see. That's pity.

No worries, I might remove it from my PR for now. We built a non-SCL
version of it before EPEL7 was available, and so we didn't have another
use of the spec file until now.

> I wonder why ruby193-rubygem-ffi is not in SCL.el7 anyway.

The ruby/ror SCLs are pretty minimalistic - they aim to provide the Ruby
runtime and Rails stacks with very little else. Unless it was an
indirect dependency of Rails, you probably won't find it in there.

That's the reason we carry so many additional packages… it would be
handy in theory if there was a general repo of miscellaneous rubygems,
but versioning would be a nightmare.

I indeed understand these issues.

So, I will maintain my copr repo until the OpenSCAP 1.2.0 is standard
everywhere.