
Project description:

Security Scanning is a project to ensure security compliance and run vulnerability checks, as part of an automated CI / CD platform delivery process and as a standalone application.

The project makes use of the existing SCAP format to perform deep scanning of NFVi nodes, to ensure they are hardened and free of known CVE-reported vulnerabilities.

The SCAP content itself is then consumed and run using an upstream open source tool known as OpenSCAP.

Project Scope

There are two main work areas that will be developed and coordinated by the OPNFV Security Group:

Work Item 1: Scan CI / CD integration 

The OPNFV Security Group have developed the code that will be called by the OPNFV Jenkins build platform and perform a complete scan.

The current workflow is as follows:

  1. Jenkins Build Initiated  
  2. security_scan script is called, and a profile (see config file) is passed to the script.
  3. An action will be performed to gather the IP addresses of each NFVi node; for example, the nova.server API will be called to gather the IP addresses of each node on the Apex installer
  4. A scan profile is matched to the node type (see config file)
  5. The OpenSCAP application is remotely installed onto each target node gathered in step 3, using upstream packaging (rpm and .deb)
  6. A scan is made against each node gathered within step 3. 
  7. HTML Reports are downloaded for rendering on a dashboard
  8. If the config file value 'clean' is set to 'True' then the application installed at step 5 is removed, and all reports created at step 6 are deleted (this ensures an unobtrusive scan)

config file

The tool itself uses an easily configurable system, to make it easier to customise the scan type etc. to a specific host profile (compute, control). This file will evolve over time from its current design:

[controller]
user = heat-admin
scantype = xccdf
secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
profile = stig-rhel7-server-upstream
report = report.html
results = results.xml
reports_dir=/home/opnfv/functest/results/security_scan/
clean = True

[compute]
user = heat-admin
scantype = xccdf
secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
profile = stig-rhel7-server-upstream
report = report.html
results = results.xml
reports_dir=/home/opnfv/functest/results/security_scan/
clean = True
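
Steps 2, 4 and 6 of the workflow, as an added example (not the project's own security_scan code): it parses a config in the format above, rejects incomplete sections, and builds the shell-quoted oscap command line for one node type. The function names and the inline sample config are constructed for illustration.

```python
import configparser
import shlex

# Constructed sample in the format shown above (one section per node type).
SAMPLE_CONFIG = """
[controller]
user = heat-admin
scantype = xccdf
secpolicy = /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
cpe = /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
profile = stig-rhel7-server-upstream
report = report.html
results = results.xml
reports_dir=/home/opnfv/functest/results/security_scan/
clean = True
"""

REQUIRED = ("user", "scantype", "secpolicy", "cpe", "profile", "report", "results")


def load_profiles(text):
    """Parse the INI text and return {node_type: settings}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    profiles = {}
    for node_type in parser.sections():
        section = parser[node_type]
        missing = [key for key in REQUIRED if key not in section]
        if missing:
            raise ValueError(f"[{node_type}] missing keys: {', '.join(missing)}")
        settings = dict(section)
        # 'clean' decides whether step 8 removes OpenSCAP and the remote reports.
        settings["clean"] = section.getboolean("clean", fallback=False)
        profiles[node_type] = settings
    return profiles


def build_scan_command(profiles, node_type):
    """Return the quoted oscap command line for one node type (steps 4 and 6)."""
    if node_type not in profiles:
        raise KeyError(f"no scan profile configured for node type {node_type!r}")
    s = profiles[node_type]
    if s["scantype"] != "xccdf":
        raise ValueError(f"unsupported scantype {s['scantype']!r}")
    argv = ["oscap", "xccdf", "eval", "--profile", s["profile"],
            "--cpe", s["cpe"], "--results", s["results"],
            "--report", s["report"], s["secpolicy"]]
    # Quote every argument: the string is executed by a shell on the remote node.
    return shlex.join(argv)
```

A node type with no matching section raises instead of silently skipping the scan, so a misnamed section cannot leave a node unscanned.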

Work Item 2: SCAP content authoring

The OPNFV Security Group will work upstream to help develop and maintain the SCAP content that is needed to scan any given host OS or application.

Expected areas are around OpenStack Security Specifics and SDN controller SCAP profiles.

SCAP authoring performed by the security group may be staged in the OPNFV Security Scanning repository, but the ultimate goal is to upstream to the OpenSCAP Security Guide repository so that it can be packaged by the various distributions.

The following formats are currently supported by OpenSCAP:

  • XCCDF: The Extensible Configuration Checklist Description Format (ver. 1.2)
  • OVAL®: Open Vulnerability and Assessment Language (ver. 5.10.1)
  • Asset Identification (ver. 1.1)
  • ARF: Asset Reporting Format (ver. 1.1)
  • CCE™: Common Configuration Enumeration (ver. 5.0)
  • CPE™: Common Platform Enumeration (ver. 2.3)
  • CVE®: Common Vulnerabilities and Exposures
  • CVSS: Common Vulnerability Scoring System (ver. 2.0)

Work Item 3: Standalone, CI / CD integration and functest support.

Security Scanning should support both use in the functest project, part of a CI / CD environment, and as a standalone application.

This will result in the project being deployable on its own, using installation scripts and documentation.

Continued support for the functest project, by means of documentation and functest-specific attributes (docker support, functest env vars such as INSTALLER_IP).

Testability:

  • The project will perform security scan tests to ensure a hardened, vulnerability-free environment
  • The project is already integrated as a test for Colorado, as part of functest.

Documentation:

Dependencies:

  • No other projects in OPNFV currently cover the same scope
  • Dependency on OpenSCAP upstream project
  • No additional hardware requirements

Planned deliverables:

Colorado:

Inclusion in functest for the Apex Installer

D-release:

    • Apex Newton OpenStack Support
    • OpenDayLight SCAP Scan Profile
    • Code Refactor
    • Container (run environment) Support
    • Setuptools

Key Project Facts

Project Name: Security Scanning
Repo name: securityscanning
Lifecycle State: 
Primary Contact:  Luke Hinds (lhinds@redhat.com)
Project Lead: Luke Hinds (lhinds@redhat.com)
Jira Project Name: securityscanning
Jira Project Prefix: secscan
Mailing list tag: opnfv-sec
Committers: 

Link to TSC approval: Example http://meetbot.opnfv.org/meetings/opnfv-meeting/2015/opnfv-meeting.2015-03-03-15.01.html
Link to approval of additional submitters: Example http://meetbot.opnfv.org/meetings/opnfv-meeting/2015/opnfv-meeting.2015-03-03-15.01.html

COPR repositories

 
https://copr.fedorainfracloud.org/coprs/openscapmaint/openscap-latest/ 

Fedora:

dnf copr enable user/project # needs dnf-plugins-core

CentOS:

yum copr enable user/project # needs  yum-plugin-copr

 

OpenDayLight SCAP Work
