Tuesday 21 July 2015

Securing Windows/Linux machines using OVAL

Keeping Windows/Linux machines safe and secure is always a daunting task. The problem is compounded if you have to deal with many Windows/Linux machines across a wide variety of versions (from Windows XP SP3 to Windows 8, and Linux variants like CentOS, Scientific Linux, Red Hat, etc.). End users are careless most of the time, and it is the duty of the system administrator to remind them that some of their settings are not OK from a security point of view. Sometimes users tweak Windows settings for operational reasons. So it is necessary to do timely system checks and take corrective action. Since the manual process is always time consuming and error prone, I was looking for a vulnerability/compliance checking solution that is free. Of course, there are a number of powerful commercial tools for enforcing Windows policy checks from McAfee, Tripwire, etc., and if you can afford them, go for them!!

Because of budget constraints, I decided to stick to a free tool: OVAL. Though the tool does not have a polished interface like its commercial counterparts, it does a decent job of finding the security state of a system. One big advantage is that Ovaldi is cross-platform and runs on both Windows and Linux. Running OVAL scans allowed me to automate the scanning of many Windows and Linux systems, and it is possible to achieve consistency and accuracy across different machines.

For detailed information about OVAL, please visit - http://oval.mitre.org

OVAL is a language that describes checks to be made. These checks are usually conditional, i.e. whether a particular audit setting exists or not, or whether a particular component is installed or not. Further, they can be grouped with operators like AND, OR and NOT.

If you wish to download the complete OVAL database, please visit - http://oval.mitre.org/rep-data/index.html
The latest OVAL definitions are here - http://oval.mitre.org/repository/data/updates/latest

There are two open source OVAL interpreters available -
Ovaldi - http://sourceforge.net/projects/ovaldi/
open-scap - http://www.open-scap.org/page/Main_Page

Since open-scap is available only for Linux and its variants, and I wanted to investigate the security state of a Windows machine, I decided to try ovaldi.

Ovaldi installation

The download page for Ovaldi is here. Note that this link will take you to the latest version available at the time this post was published, i.e. 5.10.1. So, if there is a newer version, make use of the latest. Don't forget to change all the references from version 5.10.1 to your version in the text that follows.

Choose the EXE version for Windows that suits your environment. In my case, it was the 32-bit version, but if you have a 64-bit version of Windows, download that one instead.

Unzip the file using 7-Zip or WinZip and install the files to a directory, say C:\Program Files\OVAL


Now Ovaldi is installed!! Also, add the directory containing ovaldi.exe to the Windows PATH environment variable so that you do not have to type the full path again and again.

If you encounter the error "MSVCR100.dll is missing", or

"The program can't start because MSVCR100.dll is missing from your computer. Try reinstalling the program to fix this problem."

Fix it by downloading the runtime from one of the following URLs:

MSVCR100.dll = Visual C++ 2010 Runtime

32Bit: Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)
http://www.microsoft.com/de-de/download/details.aspx?id=8328

64Bit: Microsoft Visual C++ 2010 SP1 Redistributable Package (x64)
http://www.microsoft.com/en-us/download/details.aspx?id=13523


Now it is time to log in to the Windows machine as administrator and run the ovaldi interpreter.


Download file definitions

Now we have the interpreter, and we need the definitions that the interpreter will run. Please go to the page http://oval.mitre.org/rep-data/index.html. On that page you will see the section Downloads by Version and Namespace. You need to select the class to download based on the version of the OVAL interpreter you have. The following classes are available:

  •     compliance - checks that the installation is compliant with recommended security practices.
  •     inventory - checks that report what is installed.
  •     miscellaneous - checks that do not belong to any of the other classes.
  •     patch - checks of patching status.
  •     vulnerability - tests that verify whether a vulnerability is present on the machine.

When you click on one of those classes you are presented with a new page that lists the available definitions grouped by different criteria. For example, by clicking on the vulnerability class (probably the largest one) you can select the download by platform, by family, or all.

For the purpose of testing OVAL on Windows 7, I downloaded the file microsoft.windows.7.xml through platform/vulnerabilities and renamed it to microsoft.windows.7.vulnerability.xml so that I do not get confused at a later stage about what these tests contain!! Similarly, it is possible to download the equivalent files from the compliance and inventory classes and name them microsoft.windows.compliance.xml and microsoft.windows.inventory.xml, respectively.

Running Ovaldi

To run it, enter a command like the following (the executable path contains spaces, so it must be quoted unless the directory is on your PATH):

"c:\program files\oval\ovaldi-5.10.1\ovaldi" -m -a "c:\program files\oval\ovaldi-5.10.1\xml" -o microsoft.windows.7.vulnerability.xml -r 20150721-result.xml -x 20150721-result.html -d 20150721-system-characteristics.xml

The above command will check for the vulnerabilities present on the system. Of course, only the vulnerabilities defined in the definitions file (microsoft.windows.7.vulnerability.xml) will be checked.

An explanation of the other options is given below:
  •     Option -m: don't check the MD5 sum of the OVAL definitions file (in this case microsoft.windows.7.vulnerability.xml).
  •     Option -a specifies where all the auxiliary files necessary for the interpreter are. For example, the default style sheet is there, and the XML schema files for definitions and tests are there too. The default value of this option assumes that you are running ovaldi from its base directory (i.e. where it is installed), so it has to be specified for everything to work.
  •     Option -o specifies the OVAL definitions file to use.
  •     Option -r specifies the XML results file. The default is results.xml, and in the case of multiple runs the default file would be overwritten; using this option prevents that.
  •     Option -x specifies the HTML results file. This file is generated from the XML results file by applying a style sheet (XSL) file. The default style sheet is used if none is specified on the command line.
  •     Option -d specifies the file in which the system characteristics (installed software, existing files, etc.) collected while the interpreter evaluated the definitions file will be saved.

Once ovaldi has finished, there will be three new files in the directory. When you open the results file (20150721-result.html if you used the command given above) you'll see four sections named OVAL Results Generator Information, System Information, OVAL System Characteristics Generator Information and OVAL Definition Results.
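The HTML report is handy for one machine, but for many machines the XML results file (the -r output) is easier to process. As an added example (not part of the original post and not code from the ovaldi project), the script below reads that file, counts the outcome of each definition per class, and lists the vulnerability definitions that evaluated true. It assumes the layout ovaldi writes: the evaluated definitions embedded under oval_definitions, and the outcomes under results/system/definitions; the SAMPLE document is constructed for the demonstration, not output of a real scan.

```python
"""Summarise an ovaldi XML results file (the -r output) by definition class."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter
NS = {"r": "http://oval.mitre.org/XMLSchema/oval-results-5",
      "d": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
# Constructed sample in the shape of an ovaldi results file; not real scan output.
# ovaldi embeds the definitions it evaluated, so class and title can be looked up.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
  xmlns:d="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <d:oval_definitions><d:definitions>
    <d:definition id="oval:example:def:1" version="1" class="vulnerability">
      <d:metadata><d:title>Example application lacks a security update</d:title></d:metadata>
    </d:definition>
    <d:definition id="oval:example:def:2" version="1" class="vulnerability">
      <d:metadata><d:title>Second example weakness</d:title></d:metadata>
    </d:definition>
    <d:definition id="oval:example:def:3" version="1" class="inventory">
      <d:metadata><d:title>Example application is installed</d:title></d:metadata>
    </d:definition>
  </d:definitions></d:oval_definitions>
  <results><system><definitions>
    <definition definition_id="oval:example:def:1" version="1" result="true"/>
    <definition definition_id="oval:example:def:2" version="1" result="false"/>
    <definition definition_id="oval:example:def:3" version="1" result="true"/>
  </definitions></system></results>
</oval_results>"""

def summarise(xml_text):
    """Return ({class: Counter(result -> count)}, [(id, title) of true vulnerabilities])."""
    root = ET.fromstring(xml_text)
    meta = {}  # definition id -> (class, title), from the embedded definitions
    for d in root.iterfind(".//d:definitions/d:definition", NS):
        title = d.findtext("d:metadata/d:title", default="", namespaces=NS)
        meta[d.get("id")] = (d.get("class"), title)
    counts, findings = {}, []
    for r in root.iterfind(".//r:results/r:system/r:definitions/r:definition", NS):
        cls, title = meta.get(r.get("definition_id"), ("unknown", ""))
        counts.setdefault(cls, Counter())[r.get("result")] += 1
        if cls == "vulnerability" and r.get("result") == "true":
            findings.append((r.get("definition_id"), title))
    return counts, findings

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    counts, findings = summarise(text)
    for cls, c in sorted(counts.items()):
        print(cls, dict(c))
    for did, title in findings:  # the findings to act on
        print("TRUE", did, title)
```

Run it as `python summarise.py 20150721-result.xml`; a definition with result "error" or "unknown" shows up in the per-class counts, which is worth checking before treating a clean run as proof that no vulnerability is present.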


Some links of interest related to openscap and ovaldi are given below:
  1. https://www.csiac.org/sites/default/files/vulnerability_assessment.pdf
  2. http://sgros.blogspot.in/2011/10/installing-and-testing-ovaldi-on.html
  3. http://www.vulnerabilityassessment.co.uk/ovaldi.htm

Presentations -
  1. http://nvd.nist.gov/scap/docs/conference%20presentations/workshops/OVAL%20Tutorial%201%20-%20Overview.pdf
  2. http://oval.mitre.org/community/docs/Developer_Days_2013_OVAL_Session_Minutes.pdf
  3. http://www.energy.gov/sites/prod/files/cioprod/documents/SCAP_in_Action_-_Demo_of_SCAP_Capabilities.pdf
  4. http://blog-shawndwells.rhcloud.com/wp-content/uploads/2012/07/2013-03-25-SCAP-Workshop-Coursebook.pdf

Other interesting projects related to openscap and ovaldi:
  1. MITRE course - http://benchmarkdevelopment.mitre.org/course/confirmation.html
  2. Centralized SCAP - http://blog.siphos.be/2013/09/creating-a-poor-man-central-scap-system/
  3. https://github.com/cyberxml/cyberxml-django