Automation has always been a crucial mission of computing. In fact, that’s all computers do. They automate our tasks and turn what used to be lengthy and boring activities into a few clicks, or, in our case today, a few keystrokes. (One may ask, why “a few” clicks? Why not “a single click”, or even “no clicking at all”? That’s a question I will attempt to elaborate on later.) This article describes our attempt to automate the periodic assessment of a system against newly found vulnerabilities using two of the few freely available SCAP tools: SCAP Sync and jOVAL.
We at SCAP Sync have tried hard to unite publicly available, yet widely distributed SCAP contents in the security community. (In case you haven’t heard of SCAP Sync, please read our previous posts here.) That alone keeps our hands full as we crawl 24/7 to capture, cache, sync, and diff all available contents out there. We need developers to join us in putting these contents to good use.
To promote that idea, our team has tried hard to make SCAP Sync developer-friendly. We provide output in JSON and XML formats. We even introduced an API! What we need is pioneering developers who toy with our baby in order to truly appreciate (and kindly spread the word about) what we’ve created and contributed to the security community. That’s where jOVAL comes into play.
What is OVAL?
Excerpt from https://oval.mitre.org/about/.
Open Vulnerability and Assessment Language (OVAL®) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language. [Emphasis added]
In short, think of OVAL as an open source language for writing signatures that can be used for a number of different purposes: asset inventory, vulnerability detection, and configuration compliance. SCAP Sync collects OVAL signatures from vendors all across the web, including MITRE, RedHat, Debian, and Cisco so that you don’t have to go hunting for them!
What is jOVAL?
Excerpt from http://joval.org/.
jOVAL is an embeddable library for both scanning and processing of SCAP document formats, particularly OVAL and XCCDF. jOVAL is capable of processing virtually all publicly and privately-available SCAP content, including USGCB content from NIST, automated STIG content from DISA and the NSA, content from the Secpod repository, and much more.
jOVAL is awesome! Check it out and you won’t disagree.
And… SCAP Sync
However, there is still a gap to fill in before SCAP Sync and jOVAL can seamlessly work together. The latest release of SCAP Sync (0.7.0) is a step in that direction: getting SCAP Sync prepared for integration with other products.
First of all, we introduced a system to manage users and API tokens (more details here). Then we created a new resource type “complete oval definition” that embeds all nested oval definitions, tests, objects, and states into a single XML output. Coupled with the content feed we introduced last year, we believe we’re ready to go.
Step 1: From (SCAP Sync) Resource to (jOVAL) Result
The core process is simple:
- Use curl to fetch a complete oval definition from SCAP Sync into a local XML file.
- Use jOVAL to interpret that file and scan your system.
We’ve recorded a short screencast (https://s3.amazonaws.com/scapsync/demo_2013-09-18_113915.wmv) to demonstrate the idea. Here are a few things we want to highlight:
- The demo was done during the development phase of SCAP Sync 0.7.0 and therefore referred to http://dev.scansync.com:5000. Since 0.7.0 has been released, you should now access https://scapsync.com instead.
- Request headers (provided via curl -H): “Accept: text/xml” tells SCAP Sync to spit out XML results (as opposed to HTML or JSON), and “X-API-Token” authenticates the request to SCAP Sync.
- Resource link: “/oval-definition/complete/” tells SCAP Sync to return the new “complete oval definition” resource type. (In contrast, if you requested /oval-definition/, you would only get the definition itself, without any of its dependencies.)
- The result XML describes an assessment check. In this case (https://scapsync.com/oval_definition/oval:org.mitre.oval:def:15990), it assesses whether your current operating system is Oracle Linux 4. Such an assessment may seem meaningless on its own, but when used in a chain it becomes relevant. For example, if the operating system is indeed Oracle Linux 4, continue with this set of assessments; otherwise, perform this other set of assessments.
Step 2: Fetch and Interpret Newly Created or Updated Contents Daily
This part requires some scripting. We put together a sample NodeJS script (https://github.com/lunarline/scapsync-joval), but any scripting language that supports JSON or XML will do as well. The core concept is again very simple:
- Fetch the content feed from SCAP Sync at http://scapsync.com/feed/today. (The trick is to use request header “Accept: application/json”.)
- The returned JSON object may or may not contain an “oval_definition” array. Iterate over it to pick out the IDs of newly updated or created oval definitions.
- For each found ID, request the complete definition and feed it to jOVAL.
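The Step 1 request (Accept: text/xml plus X-API-Token against /oval-definition/complete/) and the Step 2 daily loop, as an added JavaScript example that is not code from this post or from the scapsync-joval repository. It assumes feed entries carry an “id” field and that the definition ID is appended to the /oval-definition/complete/ path; the HTTP and jOVAL calls are passed in as functions so the loop runs offline against a constructed feed.

```javascript
// Added example (not the scapsync-joval project's own code).
// Assumptions, not stated in the post: each feed entry has an "id" field, and
// the complete definition lives at /oval-definition/complete/<id>.
const BASE = 'https://scapsync.com';

// OVAL definition IDs look like oval:org.mitre.oval:def:15990. Feed data comes
// from a remote service and ends up in a URL path (and, in the curl/jOVAL flow,
// in a file name), so anything that does not match this shape is dropped.
const OVAL_ID = /^oval:[A-Za-z0-9.\-]+:def:\d+$/;

function feedRequest(token) {
  return { url: `${BASE}/feed/today`,
           headers: { Accept: 'application/json', 'X-API-Token': token } };
}

// The feed may or may not contain an "oval_definition" array; tolerate both.
// Returns the de-duplicated list of well-formed definition IDs.
function extractDefinitionIds(feed) {
  const entries = Array.isArray(feed.oval_definition) ? feed.oval_definition : [];
  const ids = entries.map(e => (typeof e === 'string' ? e : e && e.id))
                     .filter(id => typeof id === 'string' && OVAL_ID.test(id));
  return [...new Set(ids)];
}

// Step 1 request: XML output, authenticated with the API token.
function completeDefinitionRequest(id, token) {
  if (!OVAL_ID.test(id)) throw new Error(`refusing malformed OVAL id: ${id}`);
  return { url: `${BASE}/oval-definition/complete/${id}`,
           headers: { Accept: 'text/xml', 'X-API-Token': token } };
}

// Step 2 loop. fetchFn(request) -> body text; scanFn(id, xml) -> scan result.
// Both are injected so the same loop runs with stubs or with real HTTP + jOVAL.
async function runDaily(token, fetchFn, scanFn) {
  const feed = JSON.parse(await fetchFn(feedRequest(token)));
  const results = {};
  for (const id of extractDefinitionIds(feed)) {
    const xml = await fetchFn(completeDefinitionRequest(id, token));
    results[id] = await scanFn(id, xml);
  }
  return results;
}

// Constructed sample feed: a duplicate entry and a malformed ID, both of which
// must not reach the complete-definition request.
const SAMPLE_FEED = JSON.stringify({
  oval_definition: [
    { id: 'oval:org.mitre.oval:def:15990' },
    { id: 'oval:org.mitre.oval:def:15990' },
    { id: 'not-an-oval-id' },
  ],
});
```

To schedule it nightly (Step 3), replace the stubs with an HTTPS client and a call to your jOVAL invocation, then run the script from cron.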
Step 3: Full Automation
At this point, I’d like to return to the question at the beginning of this article: why not a single click? Because there’s a balance between automation and control. The more fine-grained you want to control the process, the more involved you’d have to be (more clicks). That being said, if all you need is automation, you can simply schedule the script from step 2 to run every night. Simple and sweet!
The road to full integration between SCAP Sync and jOVAL has been quite smooth so far, thanks to enthusiastic support and collaboration from jOVAL’s developers and the open standards that we’re both using. We really hope that with SCAP Sync 0.7.0, more and more developers will follow suit and work with us, because our imagination is the only limit to SCAP Sync’s potential.