Friday, October 02, 2015

Oracle Linux - detect security issues

When operating a large landscape of Linux machines, in our case a large landscape of Oracle Linux machines, security is one of the vital things to keep in mind. In an ideal world all your Linux deployments would be of exactly the same version and contain exactly the same level of patching. In that ideal world no machine would differ from any other, you would be able to run a yum update command on all machines without ever facing an issue, and you would never have to negotiate with end-customers or other tech teams. Even though in some situations you are able to maintain such a landscape, it is common to see that a landscape of servers is not equally patched and that some servers are not patched for a long period of time. This is not necessarily due to bad maintenance by the Linux administrators; commonly it is related to pressure from the business not to change the systems, or to not getting approval from a change advisory board.

When it comes down to new or improved functionality that comes with a Linux patch, a delay might be acceptable. Missing a security patch, however, is much more serious. Oracle Enterprise Manager, in combination with Yum, provides a solution to show which patches need to be applied on which system. A different solution can also be used specifically to identify which security issues have not yet been addressed on a given system.

To get an overview of which security vulnerabilities are present on your system you can use OpenSCAP. OpenSCAP is based upon SCAP, a line of standards managed by NIST. SCAP was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

Oracle provides an OVAL (Open Vulnerability and Assessment Language) XML file which you can use in combination with OpenSCAP to run against your Oracle Linux deployment and get a quick overview of what needs attention on your system and what looks to be correct. The Oracle Linux security guide contains more information on this subject.

After you have installed the needed OpenSCAP components using Yum, you will have to download the Oracle Linux specific component, or more precisely the Oracle Linux ELSA file in OVAL format. Oracle provides this as one file per year, where each year file contains the information on the security issues published during that year. As an example, if you wanted to run an audit against the ELSA file of 2015 you need to perform the following steps:

1) Download the ELSA information in the OVAL format and extract it from the bz2 file
wget http://linux.oracle.com/security/oval/com.oracle.elsa-2015.xml.bz2
bzip2 -d com.oracle.elsa-2015.xml.bz2

2) Run the audit. In this case we send both the XML result and the HTML report to /tmp, however you are free to select any location you want.
oscap oval eval --results /tmp/elsa-results-oval-2015.xml --report /tmp/elsa-report-2015.html ./com.oracle.elsa-2015.xml

This will produce a rather large output on the screen which gives some quick information; the more valuable information can be found in both the XML result and the HTML report which we have sent to /tmp. For reference, below is the shell output of the audit on the 2015 file which I ran against an Oracle Linux 3.8.13-98.2.2.el7uek.x86_64 installation:
[root@localhost oscap]# oscap oval eval --results /tmp/elsa-results-oval-2015.xml --report /tmp/elsa-report-2015.html ./com.oracle.elsa-2015.xml
Definition oval:com.oracle.elsa:def:20153073: false
Definition oval:com.oracle.elsa:def:20153072: false
Definition oval:com.oracle.elsa:def:20153071: true

//------------ SNIP SNIP ------------//

Definition oval:com.oracle.elsa:def:20150166: false
Definition oval:com.oracle.elsa:def:20150165: false
Definition oval:com.oracle.elsa:def:201501641: false
Definition oval:com.oracle.elsa:def:20150164: false
Definition oval:com.oracle.elsa:def:20150118: false
Definition oval:com.oracle.elsa:def:20150102: true
Definition oval:com.oracle.elsa:def:20150100: false
Definition oval:com.oracle.elsa:def:20150092: false
Definition oval:com.oracle.elsa:def:20150090: false
Definition oval:com.oracle.elsa:def:20150087: false
Definition oval:com.oracle.elsa:def:20150085: false
Definition oval:com.oracle.elsa:def:20150074: false
Definition oval:com.oracle.elsa:def:20150069: false
Definition oval:com.oracle.elsa:def:20150068: false
Definition oval:com.oracle.elsa:def:20150067: false
Definition oval:com.oracle.elsa:def:20150066: false
Definition oval:com.oracle.elsa:def:20150047: false
Definition oval:com.oracle.elsa:def:20150046: false
Definition oval:com.oracle.elsa:def:20150016: false
Definition oval:com.oracle.elsa:def:20150008: false
Evaluation done.
[root@localhost oscap]# 

3) Review the results (and take action)
You will have to review the results, which can be done by looking at the HTML report, or you can run a parser against the XML output to check the results in a more automated way. In case you run a large number of Oracle Linux machines and you like to use the oscap way of checking parts of your security, you most likely want to keep the OVAL XML files in a central location so you do not need to connect all your machines to the public internet, and you most likely want to run the audit on a schedule and interpret the results automatically. The HTML file is suitable for human reading; the XML file is what you would want to parse once you have more than a handful of servers.
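As an added example (not code from the original post or from Oracle), the script below shows the automated parsing of step 3: it reads the OVAL results file written by `oscap oval eval --results`, joins every evaluated definition with its title and CVE references from the embedded `oval_definitions` block, and reports the definitions that evaluated to `true`. For Oracle's ELSA definitions (OVAL class `patch`) a `true` result means the definition's criteria matched, i.e. an affected package version is installed and that ELSA update has not been applied, so these are the systems and advisories that need attention. The `SAMPLE_RESULTS` document is constructed for this example; it reuses definition ids from the output above, but the titles and the CVE reference are placeholders and the namespace layout is the one oscap writes (default namespace oval-results-5, definitions under oval-definitions-5).

```python
"""Summarise an OpenSCAP OVAL results file (constructed sample data).

Usage on a real run: python3 oval_report.py /tmp/elsa-results-oval-2015.xml
Exit status is 1 when any definition evaluated to true, which makes the
script usable from a scheduled job or a central collector.
"""
import sys
import xml.etree.ElementTree as ET

# Namespaces used in an oscap OVAL results document.
NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Constructed sample results file: ids are taken from the oscap output in the
# post, titles and the CVE id are placeholders, not real advisory data.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:com.oracle.elsa:def:20153073" version="501" class="patch">
        <oval-def:metadata><oval-def:title>placeholder title 3073</oval-def:title></oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.oracle.elsa:def:20153072" version="501" class="patch">
        <oval-def:metadata><oval-def:title>placeholder title 3072</oval-def:title></oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.oracle.elsa:def:20153071" version="501" class="patch">
        <oval-def:metadata>
          <oval-def:title>placeholder title 3071 (kernel update)</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-0000-0000" ref_url="https://example.invalid/cve"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.oracle.elsa:def:20150118" version="501" class="patch">
        <oval-def:metadata><oval-def:title>placeholder title 0118</oval-def:title></oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:com.oracle.elsa:def:20150102" version="501" class="patch">
        <oval-def:metadata><oval-def:title>placeholder title 0102</oval-def:title></oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:com.oracle.elsa:def:20153073" version="501" result="false"/>
        <definition definition_id="oval:com.oracle.elsa:def:20153072" version="501" result="false"/>
        <definition definition_id="oval:com.oracle.elsa:def:20153071" version="501" result="true"/>
        <definition definition_id="oval:com.oracle.elsa:def:20150118" version="501" result="false"/>
        <definition definition_id="oval:com.oracle.elsa:def:20150102" version="501" result="true"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def parse_oval_results(xml_text):
    """Return one dict per evaluated definition: id, result, title, cves, class."""
    root = ET.fromstring(xml_text)

    # Index the metadata of the embedded definitions by definition id.
    meta = {}
    for d in root.iterfind(".//def:definitions/def:definition", NS):
        title = d.findtext("def:metadata/def:title", default="", namespaces=NS)
        cves = [r.get("ref_id")
                for r in d.iterfind("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        meta[d.get("id")] = {"title": title.strip(), "cves": cves, "class": d.get("class")}

    # Walk the evaluation results and join them with the metadata.
    findings = []
    for r in root.iterfind(".//res:results/res:system/res:definitions/res:definition", NS):
        did = r.get("definition_id")
        info = meta.get(did, {"title": "", "cves": [], "class": None})
        findings.append({"id": did, "result": r.get("result"), **info})
    return findings


def unpatched(findings):
    """Definitions whose criteria matched: the ELSA update is missing."""
    return [f for f in findings if f["result"] == "true"]


def summarize(findings):
    """Count results per OVAL result value (true, false, error, ...)."""
    counts = {}
    for f in findings:
        counts[f["result"]] = counts.get(f["result"], 0) + 1
    return counts


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    found = parse_oval_results(text)
    print("result counts:", summarize(found))
    for f in unpatched(found):
        print(f"MISSING {f['id']}  {f['title']}  {' '.join(f['cves'])}")
    sys.exit(1 if unpatched(found) else 0)
```

Run against the real file, the script prints one line per missing ELSA update; collecting that output from every machine into a central place gives the scheduled, automated check the text describes without anyone having to open the HTML reports.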
