Organizations today are seeking to increase productivity, flexibility and innovation to deliver services faster without sacrificing security, stability and performance. As hybrid IT environments continue to expand and evolve, security must be automated to scale and mitigate risks to achieve compliance and meet the needs of the business.
Why should security and compliance be automated? According to the 2017 Verizon Data Breach Investigations Report, "81% of hacking-related breaches leveraged either stolen and/or weak passwords". Breaches of that kind are largely preventable by defining strong password policies and enforcing them through automation rather than by hand. Gartner, in turn, predicts that "99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident". In other words, most breaches exploit weaknesses that are already known and already have a fix; automation closes the gap between knowing about a weakness and consistently remediating it across every system.
Red Hat Enterprise Linux provides security technologies, certifications, and the ongoing support of the Product Security team to combat vulnerabilities, protect your data, and meet regulatory compliance. You can automate regulatory compliance and security configuration remediation across your systems and within containers with OpenSCAP, Red Hat’s National Institute of Standards and Technology (NIST)-certified scanner that checks and remediates against vulnerabilities and configuration security baselines, including against National Checklist content for PCI-DSS, DISA STIG, and more. Additionally, centralize and scale out configuration remediation across your entire hybrid environment with the broader Red Hat management portfolio.
OpenSCAP is a family of open source SCAP tools and content that help users create standard security checklists for enterprise systems. Natively shipping in Red Hat Enterprise Linux and Red Hat Satellite, OpenSCAP provides practical security hardening advice for Red Hat technologies and links to compliance requirements, making deployment activities like certifications and accreditations easier. OpenSCAP allows you to perform both vulnerability and security compliance checks in a fully automated way.
To better meet the varied security needs of hybrid computing, Red Hat Enterprise Linux 7.5 provides enhanced software security automation to mitigate risk through the integration of OpenSCAP with Red Hat Ansible Automation. This enables the creation of Ansible playbooks directly from OpenSCAP scans which can then be used to implement remediations more rapidly and consistently across a hybrid IT environment. The remediations are generated in the form of Ansible playbooks, either based on profiles or based on scan results.
A playbook based on a SCAP Security Guide (SSG) profile contains fixes for all rules, and the system is remediated according to the profile regardless of the state of the machine. On the other hand, playbooks based on scan results contain only fixes for rules that failed during an evaluation.
In Red Hat Enterprise Linux 7.5, Red Hat provides pre-built Ansible playbooks for many compliance profiles. The playbooks are stored in the /usr/share/scap-security-guide/ansible/ directory. You can apply the pre-generated Ansible playbooks provided by the scap-security-guide in this directory on your host.
Alternatively, to generate an Ansible playbook based on a profile (for example, the DISA STIG profile for Red Hat Enterprise Linux 7), enter the following command:
$ oscap xccdf generate fix --fix-type ansible \
    --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa \
    --output stig-rhel7-role.yml \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
To generate an Ansible playbook based on the results of a scan, enter the following command:
$ oscap xccdf generate fix --fix-type ansible \
    --result-id "" \
    --output stig-playbook-result.yml \
    results.xml
where results.xml is the file written by the earlier scan when it was run with the --results option, and --result-id names the ID of the TestResult component inside that file. The example above passes an empty result ID; this is a shortcut that lets oscap pick the TestResult itself instead of requiring the full ID (which is long and embeds the profile name) to be typed out. When a results file contains more than one TestResult, pass the specific ID so that the playbook is generated from the evaluation you intend.
To apply the Ansible playbook, enter the following command:
$ ansible-playbook -i inventory.ini stig-playbook-result.yml
Note that the ansible-playbook command is provided by the ansible package. See the ansible-playbook(1) man page and the Ansible Tower User Guide for more information.
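A result-based playbook only carries fixes for the rules that failed, and the --result-id option refers to an ID inside the results file, so it is useful to inspect that file before generating the playbook. The following script is an added example, not code from the original article or from the OpenSCAP project: it parses an XCCDF results document, lists the TestResult IDs and the failed rules that a result-based playbook would cover, and assembles the corresponding oscap command. The results document embedded in it is constructed for this example (the rule IDs follow the RHEL 7 SCAP Security Guide naming scheme, but the pass/fail outcomes are invented), and the helper names are this example's own.

```python
"""Inspect an XCCDF results file before running `oscap xccdf generate fix`.

Added example (not from the original article or OpenSCAP). The results
document below is constructed for illustration; only its structure mirrors
what `oscap xccdf eval --results results.xml` writes.
"""
import shutil
import subprocess
import sys
import tempfile
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Constructed sample: a trimmed XCCDF 1.2 results file with one TestResult.
# Rule IDs use the SSG naming scheme; the pass/fail outcomes are invented.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig-rhel7-disa"
              start-time="2018-04-10T10:00:00" end-time="2018-04-10T10:01:00">
    <profile idref="xccdf_org.ssgproject.content_profile_stig-rhel7-disa"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" severity="medium">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return one dict per TestResult: its id, the profile it evaluated,
    and the rule IDs whose result was 'fail' (the rules a result-based
    playbook will contain fixes for). Works for both plain XCCDF results
    and ARF files, since TestResult is located anywhere in the tree."""
    root = ET.fromstring(xml_text)
    summary = []
    for tr in root.iter("{%s}TestResult" % XCCDF_NS):
        profile = tr.find("xccdf:profile", NS)
        failed = [
            rr.get("idref")
            for rr in tr.findall("xccdf:rule-result", NS)
            if rr.findtext("xccdf:result", default="", namespaces=NS) == "fail"
        ]
        summary.append({
            "id": tr.get("id"),
            "profile": profile.get("idref") if profile is not None else None,
            "failed": failed,
        })
    return summary


def choose_result_id(summary):
    """Pick the TestResult to pass as --result-id. With exactly one result
    the empty-string shortcut from the article works; with several, be
    explicit so the playbook is built from the intended evaluation."""
    if not summary:
        raise ValueError("results file contains no TestResult")
    if len(summary) > 1:
        ids = ", ".join(r["id"] for r in summary)
        raise ValueError("several TestResults; choose one explicitly: " + ids)
    return summary[0]["id"]


def generate_fix_command(results_path, result_id, output_path):
    """Build the oscap command line (as argv) for a result-based playbook."""
    return ["oscap", "xccdf", "generate", "fix", "--fix-type", "ansible",
            "--result-id", result_id, "--output", output_path, results_path]


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as fh:
        fh.write(SAMPLE_RESULTS)
        results_path = fh.name
    summary = parse_results(SAMPLE_RESULTS)
    result_id = choose_result_id(summary)
    print("profile:", summary[0]["profile"])
    print("rules the playbook will fix:")
    for rule in summary[0]["failed"]:
        print("  -", rule)
    cmd = generate_fix_command(results_path, result_id, "stig-playbook-result.yml")
    print("command:", " ".join(cmd))
    # Only run oscap if it is installed (it is not needed to read the file).
    if shutil.which("oscap"):
        sys.exit(subprocess.call(cmd))
```

Running the script against a real results.xml instead of the embedded sample shows, before any playbook is generated, exactly which rules the result-based playbook will touch; comparing that list with the profile-based playbook in /usr/share/scap-security-guide/ansible/ makes the difference described above concrete.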
The atomic scan command enables users to use OpenSCAP scanning capabilities to scan docker-formatted container images and containers on the system. It is possible to scan for known CVE vulnerabilities or for configuration compliance. Additionally, users can remediate docker-formatted container images to the specified policy.
The OpenSCAP scanner and SCAP content are provided in a container image, which makes updating and deploying the scanning tools easier. The `atomic scan` command enables the evaluation of Red Hat Enterprise Linux based container images and running containers against any provided SCAP profile.
For example, here is how to scan a container image for configuration compliance with the RHEL 7 DISA STIG profile:
$ sudo atomic scan --scan_type configuration_compliance \
    --scanner_args profile=stig-rhel7-disa,report \
    registry.access.redhat.com/rhel7:latest
To remediate docker-formatted container images to the specified policy, you need to add the --remediate option to the atomic scan command when scanning for configuration compliance. The following command builds a new remediated container image compliant with the DISA STIG policy from the Red Hat Enterprise Linux 7 container image:
$ sudo atomic scan --remediate --scan_type configuration_compliance \
    --scanner_args profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa,report \
    registry.access.redhat.com/rhel7:latest
Finally, in order to automate security and compliance at scale for hybrid environments, you will need an automation strategy that includes products and tools that can scan and remediate more than a single machine at a time. For example, you can use OpenSCAP in combination with Red Hat's Management Portfolio, which includes Red Hat CloudForms, Red Hat Ansible Automation, Red Hat Satellite, and Red Hat Insights. Using OpenSCAP with these Red Hat Management portfolio products, you can automate security and compliance at scale for your hybrid environment.
The built-in security automation capabilities of Red Hat Enterprise Linux with the integration of OpenSCAP with Red Hat Ansible Automation gives you the flexibility and ease of automating security compliance. This integration also provides the secure foundation to do security automation at scale by extending these built-in capabilities with Red Hat’s management portfolio.
Learn more in this webcast: Automating Security Compliance with Ease.