Log in / Register Account

This is a primer on the implementation of the ROLIE protocol. The purpose of this report is to recommend automated processes for information exchange of various security compliance and vulnerability management assets using the ROLIE protocol and its open source implementation, Golie.

Problem Space

Attainment and maintenance of security compliance are becoming increasingly automated. Compliance officers and IT professionals are being re-trained, and checklist sheets are being replaced with machine-readable recipes often in the form of Security Content Automation Protocol (SCAP). Red Hat and the open source world at large have embraced this trend and as a result, security compliance policies, scanner tools, and vulnerability feeds are readily available.

The National Institute of Standards and Technology (NIST, the organization behind the SCAP standard) has been working towards the next generation of compliance standards: Security Content Automation Protocol (SCAP) Version 2, Open Security Controls Assessment Language (OSCAL), Software Identification (SWID), and the Resource-Oriented Lightweight Information Exchange (ROLIE). These upcoming standards aim to standardize the audit beyond the endpoint, and in effect, they not only create a path for future tools to interoperate with these standards, but they facilitate automation of assessments and consumption of security content in a standardized, machine-readable way. In this blog post, we will take a closer look at the ROLIE protocol.

Introduction to ROLIE protocol

As previously mentioned, ROLIE stands for the Resource-Oriented Lightweight Information Exchange. The ROLIE specification is governed under RFC 8322 and is actively being developed. ROLIE provides a standardized mechanism that allows security automation content to be discovered, syndicated, and exchanged as part of a paid service or open for everyone to consume. 

The ROLIE specification has extensions that allow ROLIE to support vulnerability feeds in the form of Common Vulnerability Enumeration (CVE) format, threat intelligence feeds in the form of the Structured Threat Information Expression (STIX) format, software descriptors in the form of Software Identification Tag (SWID Tag) and the Concise SWID (COSWID) formats, and checklist feeds in the form of SCAP. 

In other words, ROLIE is a versatile protocol that can be used in a variety of use cases exchanging compliance assets. ROLIE provides a content syndication approach that allows software creators, vulnerability reporters, and configuration setting checklist developers to establish federated repositories of the security content they produce. The key resource for understanding ROLIE’s role in the context of SCAPv2 is NIST.CSWP.09102018

Looking at the protocol, the well known Atom Syndication Format and the Atom Publication Protocol is used as the base for the ROLIE design. The key building blocks of the Atom protocol are the <feed/> and <entry/> elements. ROLIE extends those elements with custom elements that hold compliance-related information. 

ROLIE can be formatted as XML or JSON. The following is an illustrative example of a ROLIE checklist feed in JSON with a single entry that advertises to the world the existence of a SCAP 1.3 DataStream for Red Hat Enterprise Linux 8.

{
  "feed": {
    "id": "compliance-as-code",
    "title": "Rolie feed for the latest SCAP files by ComplianceAsCode",
    "updated": "2020-08-24T11:11:16Z",
    "entry": [
      {
        "id": "sds:ssg-rhel8-ds.xml",
        "title": "SCAP DataStream for Guide to the Secure Configuration of Red Hat Enterprise Linux 8",
        "link": [
          {
            "href": "https://atopathways.redhatgov.io/compliance-as-code/scap/ssg-rhel8-ds.xml",
            "length": 16611602
          }
        ],
        "published": "2020-08-24T11:11:19Z",
        "updated": "2020-08-22T10:21:30Z",
        "content": {
          "type": "application/xml",
          "src": "https://atopathways.redhatgov.io/compliance-as-code/scap/ssg-rhel8-ds.xml"
        },
        "format": {
          "schema": "http://scap.nist.gov/schema/scap/source/1.2",
          "version": "1.3"
        }
      }
    ]
  }
}

Golie - Open Source Implementation of ROLIE and Real World Examples

Red Hat has joined the ROLIE efforts and the initial development with an open source tool called Golie to showcase the capabilities of ROLIE. Golie is a simple tool that can be used to generate and process ROLIE documents. Golie, with its subcommands new, info, and clone - can produce, inspect, and fetch ROLIE resources. 

Golie simplifies the creation of new ROLIE feeds from scratch by being able to process existing SCAP files that are already in use. The golie new command traverses the filesystem, inspecting each SCAP file it finds and parsing it to extract metadata. The products of this operation are ROLIE feed.json and feed.xml files. For each SCAP file, there will be one Atom <entry/> produced.

Example:

$ golie new ./existing_SCAP_files/ 

Furthermore, the Golie tool provides a simple way to gain insights into what is included in a given ROLIE resource. The golie info command takes a file path or URL and prints summary information found.

$ golie info ./existing_SCAP_files/feed.json
Document Type: ROLIE Feed
Title: Red Hat Vulnerabilities OVAL
Updated: 2020-08-20T12:37:43Z
Contains 229 entries.
    - OVAL Miscellaneous Definitions (oval:RHEL5/amq-clients-1.oval.xml.bz2)
    - OVAL Patch Definitions (oval:RHEL5/jboss-eap-6.oval.xml.bz2)
    - OVAL Miscellaneous Definitions (oval:RHEL5/satellite-tools-6.2.oval.xml.bz2)
    - OVAL Patch Definitions (oval:RHEL5/satellite-tools-6.3.oval.xml.bz2)
    - OVAL Patch Definitions (oval:RHEL5/satellite-tools-6.4.oval.xml.bz2)
    - OVAL Patch Definitions (oval:RHEL5/satellite-tools-6.5.oval.xml.bz2)
(...)

Lastly, Golie allows users to download ROLIE feeds and any entry the feed contains such as a SCAP checklist inventory.  The golie clone command takes a URL to a remote ROLIE feed and a command-line option --filter can be used to download only a subset of the inventory. Subsequent runs of the command will download only those items that have changed based on the timestamp entry in the updated element.

$ golie clone --loglevel=info --filter OpenShift.*4 \
             https://atopathways.redhatgov.io/compliance-as-code/scap/feed.json
INFO Downloading https://atopathways.redhatgov.io/compliance-as-code/scap/feed.json
INFO Downloading https://atopathways.redhatgov.io/compliance-as-code/scap/ssg-ocp4-xccdf.xml
INFO Downloading https://atopathways.redhatgov.io/compliance-as-code/scap/ssg-ocp4-ds-1.2.xml
INFO Downloading https://atopathways.redhatgov.io/compliance-as-code/scap/ssg-ocp4-ds.xml

Note: The ROLIE standard is still in its early stages of development; therefore, the golie tool is currently only available in Fedora and EPEL repositories. Anyone who is interested can get involved in the direction of the ROLIE standard and/or golie tool. Involvement and Feedback are both encouraged and wanted!

ROLIE Inventory Services for Red Hat Products

Red Hat Product Security has adopted the ROLIE protocol to publish vulnerability (CVE) information. This service is available for both OVAL vulnerability Feeds in JSON and XML formats and SCAP DataStream Vulnerability Feeds in JSON and XML formats.

Red Hat is also working on providing ROLIE feeds for the upstream ComplianceAsCode project. This upstream project provides a rich variety of compliance guidelines in the form of SCAP benchmarks which will eventually find their way into the scap-security-guide package provided in RHEL. The ROLIE feed representing compliance checklists from upstream ComplianceAsCode has been made available in JSON and XML formats.

Wrap up

The ROLIE standard helps to discover and consume security content in a standard and automated way. A ROLIE implementation like the golie tool can be used by security vendors or regular users to consume vendor provided CVE content. It can be used as a way to submit checklists to benchmark validation organizations, or it can be used to host subscription-model services around security content.

Have ideas on where else the ROLIE standard or the golie tool can be used or enhanced? Want to get involved in the project? Please provide your input and ideas at the GitHub project. It is very important to note that the vision of the project and tooling is to be multi-platform and multi-vendor. Contributions in any way are always and very welcomed!

Note: The ROLIE standard is still in its early stages of development, and the format may change should the standard change.


About the authors

Šimon Lukašík is member of technical staff, Office of the Chief Technologist, Red Hat Public Sector. He has made contributions across whole Red Hat product portfolio, ensuring government readiness of Red Hat products, authoring technical primers, collaboration with outside standard authorities on next generation of security and compliance standards.

Gabriel Alford is a Member of the Technical Staff in Red Hat's Public Sector's CTO office where he works on security technologies such as OpenSCAP, SCAP Security Guide, ComplianceAsCode, and OpenControl to enable Government Readiness across the Red Hat portfolio.

Of interest

News to note—just for you