Security Automation for Linux: Are Humans Still Needed?
Security automation for Linux: Are humans still needed?
The problem with humans is that they are smart yet slow at the same time. They can’t react to simultaneous events and aren’t always working. Besides that, they make mistakes, have to deal with budgets and internal company politics. Information security is impacted by these effects as well.
As you might have guessed the solution is in automation. SCAP (Security Content Automation Protocol) is one of the answers. Especially the automation part is interesting, as it can improve quality, decrease time efforts and remove the “boring” work.
SCAP is using predefined templates, stating how a machine should look like. Not only can SCAP check a state of a configuration item, it can also push the preferred value. The problem of unsecured systems is over, right? Not really…
Automation is key, especially in this time where every minute equals a lot of money. SCAP is one option to automate as much as possible. Together with your configuration automation (e.g. Ansible, Cfengine, or Puppet), it can form a great team.
SCAP already uses a predefined consensus of what is “secure”, reducing the amount of preparation work. System administrators now only have to activate the related template, run the SCAP toolkit and they are done.
Standards like SCAP also provide a better security awareness for companies. After all, they are the experts who think about the subject and share it with the world. In this case the people from NIST and the contributors to the CIS Benchmarks.
Unfortunately, SCAP is not mature enough. It isn’t well known at the stage. The templates to check (and harden) systems are very specific and will only work for those operating systems, including the specific version. When running a different version, you will have to change things manually, or wait for an update.
So if your company is not the government, you will run most likely the newest versions of Linux. The policy writers of CIS and SCAP can’t keep up with that demand, as they have to research and discuss the advised best practices. They have to come to a consensus before they can draft a hardening proposal. With all the differences between Linux distributions, it is hard to come up with a clear template which works for all of them.
Dealing with exceptions
Not all machines are the same, which usually results in exceptions. Such an exception might be needed due to the role a system has, the particular business owner or application running on the system. Full automation (including alteration) is not always preferred, as it might break business critical machines. That is unfortunate, as these systems benefit the most from hardening. And it are exactly these machines that need the most protection. A less intrusive tool like Lynis might be of great help here.
Security automation is great, but we will always need people. One of the protocols to implement security automation, SCAP, is not matured enough. Right now, the combination of a good auditing tool, together with a configuration automation tool is much stronger. It saves you from the hassle of waiting for new templates, gives you ultimate flexibility and still uses a lot of automation. Combining the automation of these tools with the intellect of people and you have a much better solution.