Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA

Transcription

1 Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA

2 Jovial about Joval LANL s latest SCAP Adventure Angelo Ortiz May 22, 2018 Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA LA-UR

3 Overview What is SCAP? Why SCAP? SCAP at LANL Scope What is Joval? Installation, Configuration, and Deployment Integration with Host Continuous Monitoring Integration with RSA Archer Pros and Cons Now what? Questions SCAP is Security Content Automation Protocol LA-UR /13/2018 3

4 What is SCAP? Security Content Automation Protocol SCAP is a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information. - NIST SP SCAP is a methodology SCAP is a protocol SCAP is content Checklists Identifiers LA-UR /13/2018 4

5 Why SCAP? Support Continuous Monitoring efforts Local and NNSA Continuous monitoring of system compliance with security configuration baselines DISA STIGs USGCB LANL must comply with high level requirements Federal Information Security Management Act (FISMA) RSA Archer LA-UR /13/2018 5

6 SCAP at LANL SCC LA-UR /13/2018 6

7 Scope Windows, Mac, RHEL Windows 10 RHEL7 macos Connected to Yellow unclassified network DISA STIGs SCAP content LA-UR /13/2018 7

8 What is Joval? Java + OVAL = Joval Java-based Command line, no GUI Host based and agentless sensor SCAP compliance assessment tool Natively processes OVAL, XCCDF, and other standards + = LA-UR /13/2018 8

9 Installation, Configuration, and Deployment LANLize the content Disable/enable checks Change values Test content Create wrapper and Windows Service RunJoval service Runs SCAP assessment every 4 hours JSON file <select idref="v-63377" selected="true" /> <select idref="v-63379" selected="false" /> <select idref="v-63381" selected="true" /> <select idref="v-63383" selected="true" /> <select idref="v-63385" selected="true" /> <select idref="v-63387" selected="false" /> <select idref="v-63389" selected="true" /> <select idref="v-63391" selected="false" /> <select idref="v-63395" selected="false" /> Create installer Deploy to pilot group via SCCM Deploy labwide LA-UR /13/2018 9

10 LA-UR /13/

11 Integration with Host Continuous Monitoring Hostname: AngeloHost1 IP: PN#: Last seen: 5/7/ :00AM OS: Windows 10 Enterprise Security Plan: Level 2 OU: Desktops Overall Score: Grade: A- Owner: Angelo Ortiz Scan date: 5/7/2018 SEP: Healthy: last scan: 5/7/2018 SCCM (Patch agent): Healthy: last scan: 5/7/2018 SCCM (Software agent): Healthy: last scan: 5/7/2018 Missing patches: 0.00 Missing software: 0.00 CVE score: 0.00 Compliance Violations: Score -CCI : Minimum password length must be 14 characters CCI : Maximum password age must be 60 days or less (but not zero) CCI : Password must meet complexity requirements is enabled LA-UR /13/

12 Integration with RSA Archer Pull from Host CM Populate GRC More accurate risk picture of hosts Continuous Authorization and Accreditation LA-UR /13/

13 Pros Cross platform Fast Minimal performance impact Minimal false positives Good customer support Cons Another agent Manage Java Manage content Some custom development required LA-UR /13/

14 Now what? Complete Joval testing on RHEL Continue testing on Windows Different guidance (CIS, NIST, etc) SCAP content for Mac? Keep the content fresh, LANLized LA-UR /13/

15 Questions? Angelo Ortiz (505) (505) Joval jovalcm.com LA-UR /13/