This is a primer on the implementation of the ROLIE protocol. The purpose of this report is to recommend automated processes for information exchange of various security compliance and vulnerability management assets using the ROLIE protocol and its open source implementation, Golie.
Problem Space
Attainment and maintenance of security compliance are becoming increasingly automated. Compliance officers and IT professionals are being re-trained, and checklist sheets are being replaced with machine-readable recipes often in the form of Security Content Automation Protocol (SCAP). Red Hat and the open source world at large have embraced this trend and as a result, security compliance policies, scanner tools, and vulnerability feeds are readily available.
The National Institute of Standards and Technology (NIST, the organization behind the SCAP standard) has been working towards the next generation of compliance standards: Security Content Automation Protocol (SCAP) Version 2, Open Security Controls Assessment Language (OSCAL), Software Identification (SWID), and the Resource-Oriented Lightweight Information Exchange (ROLIE). These upcoming standards aim to standardize the audit beyond the endpoint, and in effect, they not only create a path for future tools to interoperate with these standards, but they facilitate automation of assessments and consumption of security content in a standardized, machine-readable way. In this blog post, we will take a closer look at the ROLIE protocol.
Introduction to ROLIE protocol
As previously mentioned, ROLIE stands for the Resource-Oriented Lightweight Information Exchange. The ROLIE specification is governed under RFC 8322 and is actively being developed. ROLIE provides a standardized mechanism that allows security automation content to be discovered, syndicated, and exchanged as part of a paid service or open for everyone to consume.
The ROLIE specification has extensions that allow ROLIE to support vulnerability feeds in the form of Common Vulnerability Enumeration (CVE) format, threat intelligence feeds in the form of the Structured Threat Information Expression (STIX) format, software descriptors in the form of Software Identification Tag (SWID Tag) and the Concise SWID (COSWID) formats, and checklist feeds in the form of SCAP.
In other words, ROLIE is a versatile protocol that can be used in a variety of use cases exchanging compliance assets. ROLIE provides a content syndication approach that allows software creators, vulnerability reporters, and configuration setting checklist developers to establish federated repositories of the security content they produce. The key resource for understanding ROLIE’s role in the context of SCAPv2 is NIST.CSWP.09102018.
Looking at the protocol, the well known Atom Syndication Format and the Atom Publication Protocol is used as the base for the ROLIE design. The key building blocks of the Atom protocol are the <feed/>
and <entry/>
elements. ROLIE extends those elements with custom elements that hold compliance-related information.
ROLIE can be formatted as XML or JSON. The following is an illustrative example of a ROLIE checklist feed in JSON with a single entry that advertises to the world the existence of a SCAP 1.3 DataStream for Red Hat Enterprise Linux 8.
{ "feed": { "id": "compliance-as-code", "title": "Rolie feed for the latest SCAP files by ComplianceAsCode", "updated": "2020-08-24T11:11:16Z", "entry": [ { "id": "sds:ssg-rhel8-ds.xml", "title": "SCAP DataStream for Guide to the Secure Configuration of Red Hat Enterprise Linux 8", "link": [ { "href": "https://atopathways.redhatgov.io/compliance-as-code/scap/ssg-rhel8-ds.xml", "length": 16611602 } ], "published": "2020-08-24T11:11:19Z", "updated": "2020-08-22T10:21:30Z", "content": { "type": "application/xml", "src": "https://atopathways.redhatgov.io/compliance-as-code/scap/ssg-rhel8-ds.xml" }, "format": { "schema": "http://scap.nist.gov/schema/scap/source/1.2", "version": "1.3" } } ] } }
Golie - Open Source Implementation of ROLIE and Real World Examples
Red Hat has joined the ROLIE efforts and the initial development with an open source tool called Golie to showcase the capabilities of ROLIE. Golie is a simple tool that can be used to generate and process ROLIE documents. Golie, with its subcommands new
, info
, and clone
- can produce, inspect, and fetch ROLIE resources.
Golie simplifies the creation of new ROLIE feeds from scratch by being able to process existing SCAP files that are already in use. The golie new
command traverses the filesystem, inspecting each SCAP file it finds and parsing it to extract metadata. The products of this operation are ROLIE feed.json
and feed.xml
files. For each SCAP file, there will be one Atom <entry/>
produced.
Example:
$ golie new ./existing_SCAP_files/
Furthermore, the Golie tool provides a simple way to gain insights into what is included in a given ROLIE resource. The golie info
command takes a file path or URL and prints summary information found.
$ golie info ./existing_SCAP_files/feed.json Document Type: ROLIE Feed Title: Red Hat Vulnerabilities OVAL Updated: 2020-08-20T12:37:43Z Contains 229 entries. - OVAL Miscellaneous Definitions (oval:RHEL5/amq-clients-1.oval.xml.bz2) - OVAL Patch Definitions (oval:RHEL5/jboss-eap-6.oval.xml.bz2) - OVAL Miscellaneous Definitions (oval:RHEL5/satellite-tools-6.2.oval.xml.bz2) - OVAL Patch Definitions (oval:RHEL5/satellite-tools-6.3.oval.xml.bz2) - OVAL Patch Definitions (oval:RHEL5/satellite-tools-6.4.oval.xml.bz2) - OVAL Patch Definitions (oval:RHEL5/satellite-tools-6.5.oval.xml.bz2) (...)
Lastly, Golie allows users to download ROLIE feeds and any entry the feed contains such as a SCAP checklist inventory. The golie clone
command takes a URL to a remote ROLIE feed and a command-line option --filter
can be used to download only a subset of the inventory. Subsequent runs of the command will download only those items that have changed based on the timestamp entry in the updated
element.
$ golie clone --loglevel=info --filter OpenShift.*4 \ https://atopathways.redhatgov.io/compliance-as-code/scap/feed.json INFO Downloading https://atopathways.redhatgov.io/compliance-as-code/scap/feed.json INFO Downloading https://atopathways.redhatgov.io/compliance-as-code/scap/ssg-ocp4-xccdf.xml INFO Downloading https://atopathways.redhatgov.io/compliance-as-code/scap/ssg-ocp4-ds-1.2.xml INFO Downloading https://atopathways.redhatgov.io/compliance-as-code/scap/ssg-ocp4-ds.xml
Note: The ROLIE standard is still in its early stages of development; therefore, the golie
tool is currently only available in Fedora and EPEL repositories. Anyone who is interested can get involved in the direction of the ROLIE standard and/or golie tool. Involvement and Feedback are both encouraged and wanted!
ROLIE Inventory Services for Red Hat Products
Red Hat Product Security has adopted the ROLIE protocol to publish vulnerability (CVE) information. This service is available for both OVAL vulnerability Feeds in JSON and XML formats and SCAP DataStream Vulnerability Feeds in JSON and XML formats.
Red Hat is also working on providing ROLIE feeds for the upstream ComplianceAsCode project. This upstream project provides a rich variety of compliance guidelines in the form of SCAP benchmarks which will eventually find their way into the scap-security-guide package provided in RHEL. The ROLIE feed representing compliance checklists from upstream ComplianceAsCode has been made available in JSON and XML formats.
Wrap up
The ROLIE standard helps to discover and consume security content in a standard and automated way. A ROLIE implementation like the golie tool can be used by security vendors or regular users to consume vendor provided CVE content. It can be used as a way to submit checklists to benchmark validation organizations, or it can be used to host subscription-model services around security content.
Have ideas on where else the ROLIE standard or the golie tool can be used or enhanced? Want to get involved in the project? Please provide your input and ideas at the GitHub project. It is very important to note that the vision of the project and tooling is to be multi-platform and multi-vendor. Contributions in any way are always and very welcomed!
Note: The ROLIE standard is still in its early stages of development, and the format may change should the standard change.
저자 소개
Šimon Lukašík is member of technical staff, Office of the Chief Technologist, Red Hat Public Sector. He has made contributions across whole Red Hat product portfolio, ensuring government readiness of Red Hat products, authoring technical primers, collaboration with outside standard authorities on next generation of security and compliance standards. He is serving as OVAL Board member and works on design, development and integration of open source tools in the realm of security. He is a founding member of OpenSCAP and GoComply projects.
Gabriel Alford is a Member of the Technical Staff in Red Hat's Public Sector's CTO office where he works on security technologies such as OpenSCAP, SCAP Security Guide, ComplianceAsCode, and OpenControl to enable Government Readiness across the Red Hat portfolio.
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.