How to write a policy to detect the DROWN Vulnerability

In this post, we are going to demonstrate how to create a compliance policy in CloudForms that flags the VMs affected by DROWN (CVE-2016-0800), the recently disclosed vulnerability in SSLv2. The policy finds the vulnerable OpenSSL package; updating that package on the guest is still a separate step.

Please note that the condition below is valid for RHEL 6.5, 7.0 and 7.1 only, since it matches the openssl version string shipped with those releases.

By default CloudForms doesn't ship any policies or policy profiles, so you need to create both. You will start by creating the policy:

[Screenshot: Screen-Shot-2016-03-02-at-15-29-30]

Since we want to check whether a VM has this vulnerability, we will create a VM Compliance Policy (rather than a Control Policy, which reacts to events as they happen)

Control ⇒ Policies ⇒ Vm Compliance Policies + Add a New Vm Compliance Policy

Then we add the relevant information:

Make sure you tick the check box on the scope before clicking Add

[Screenshot: Screen-Shot-2016-03-02-at-15-32-46]

Your policy should be like this:

[Screenshot: Screen-Shot-2016-03-02-at-15-34-21]

Now, we have to create a condition; the condition holds the actual test, the policy only groups conditions and actions

Control ⇒ Conditions ⇒ All VM and Instance Conditions + Add a New VM Condition

  • Description: DROWN Vulnerability
  • Expression: ( VM and Instance.Guest Applications : Name CONTAINS "openssl" AND FIND VM and Instance.Guest Applications : Version = "1.0.1e" CHECK ALL Release REGULAR EXPRESSION MATCHES "" )

Reading the expression: Guest Applications is the package inventory that SmartState Analysis collects from the guest. Name CONTAINS "openssl" matches every package from the openssl source (openssl, openssl-libs, openssl-devel, ...). The FIND ... CHECK ALL clause then picks every guest application whose Version is 1.0.1e and requires all of their Release fields to match the regular expression. The Release field is what matters: Red Hat errata keep the version at 1.0.1e and only bump the release, so the pattern is what separates a patched build from an unpatched one. Remember the direction of the test as well: a compliance condition passes when its expression evaluates to true, and the VM is reported compliant only when every condition assigned to the policy passes.

[Screenshot: Screen-Shot-2016-03-02-at-16-47-47]
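As an added offline example (not part of the original post and not CloudForms code), the following Python mirrors the logic of the condition over a constructed package inventory, and adds the one thing the appliance's regular-expression test cannot do: a proper rpm-style version-release comparison against a known fixed build. The inventory, the `FIXED_EVR` value and the function names are assumptions for illustration; the real fixed release has to be taken from the Red Hat erratum for CVE-2016-0800.

```python
import re

# Constructed guest-application inventory in the shape CloudForms exposes
# (Name / Version / Release per package). Sample data, not taken from the post.
SAMPLE_APPS = [
    {"name": "openssl",      "version": "1.0.1e",  "release": "42.el7"},
    {"name": "openssl-libs", "version": "1.0.1e",  "release": "42.el7"},
    {"name": "openssh",      "version": "6.6.1p1", "release": "12.el7"},
]

# Placeholder for the first fixed build. The real value comes from the Red Hat
# erratum for CVE-2016-0800; this tuple is only an illustrative assumption.
FIXED_EVR = ("1.0.1e", "42.el7_1.9")


def _segments(s):
    """Tokenize like rpmvercmp: runs of digits, runs of letters, and '~';
    every other character is a separator and is dropped."""
    return re.findall(r"~|\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpm's version comparison rules:
    numeric segments compare as integers, alphabetic ones as strings,
    a numeric segment beats an alphabetic one, '~' sorts before anything
    (so 1.0~rc1 < 1.0), and with an equal prefix the longer string is newer."""
    sa, sb = _segments(a), _segments(b)
    while sa or sb:
        ta = sa.pop(0) if sa else None
        tb = sb.pop(0) if sb else None
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            continue
        if ta is None:
            return -1
        if tb is None:
            return 1
        if ta.isdigit() and tb.isdigit():
            ia, ib = int(ta), int(tb)
            if ia != ib:
                return -1 if ia < ib else 1
        elif ta.isdigit():
            return 1
        elif tb.isdigit():
            return -1
        elif ta != tb:
            return -1 if ta < tb else 1
    return 0


def evr_cmp(installed, fixed):
    """Compare (version, release) pairs; the epoch is ignored because the
    RHEL openssl package carries none."""
    c = rpmvercmp(installed[0], fixed[0])
    return c if c else rpmvercmp(installed[1], fixed[1])


def find_unpatched(apps, fixed_evr, name_contains="openssl"):
    """Names of inventory entries matching the CloudForms Name CONTAINS test
    whose version-release is older than the first fixed build."""
    return sorted(
        a["name"] for a in apps
        if name_contains in a["name"]
        and evr_cmp((a["version"], a["release"]), fixed_evr) < 0
    )


def condition_passes(apps, release_regex, name_contains="openssl", version="1.0.1e"):
    """Literal reading of the expression from the post: some guest application
    has 'openssl' in its name, AND every guest application at the given version
    has a Release matching release_regex (the FIND ... CHECK ALL clause).
    Assumption made here: when nothing is found, CHECK ALL is vacuously true."""
    has_openssl = any(name_contains in a["name"] for a in apps)
    found = [a for a in apps if a["version"] == version]
    return has_openssl and all(re.search(release_regex, a["release"]) for a in found)


if __name__ == "__main__":
    print("unpatched:", find_unpatched(SAMPLE_APPS, FIXED_EVR))
    print("condition passes with pattern el7_1:", condition_passes(SAMPLE_APPS, r"el7_1\."))
```

The name filter deliberately picks up openssl-libs and openssl-devel along with openssl: they are built from the same source package and share its version-release, so an old release on any of them means the host is still running the vulnerable library.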

Now you have to assign your new condition to the policy

Control ⇒ Policies ⇒ Vm Compliance Policies ⇒ DROWN Vulnerability ⇒ Configuration ⇒ Edit this Policy's Condition assignments

We can have multiple conditions in a policy, and a condition can be part of several policies

[Screenshot: Screen-Shot-2016-03-02-at-17-06-41]

Now, you have to specify which events trigger your policy, so click on Events. For a compliance policy the relevant one is VM Compliance Check

[Screenshot: Screen-Shot-2016-03-02-at-17-53-12]

Edit the actions for this policy event and specify which actions to take when the condition passes and when it fails. The built-in Mark as Non-Compliant action is what makes a failing VM show up as non-compliant in the console:

[Screenshot: Screen-Shot-2016-03-02-at-17-56-53]

Remember that you can create new actions in the Actions tab, such as sending an email to the security team

Click save

Now, you have your policy and your condition, and you have specified which actions to take. The final step is to assign the policy to a Policy Profile; as CloudForms doesn't provide one out of the box, we will create it:

Control ⇒ Policy Profiles + Add a New Policy Profile

  • Description: Linux Security
  • Select the policy you already created

[Screenshot: Screen-Shot-2016-03-02-at-18-06-47]

You can download the policy and the profile from the GitHub repository.

Now, you are ready to check your VMs against the policy. Go to

Infrastructure ⇒ Virtual Machines

Then select all the VMs you want to verify, click Policy ⇒ Manage Policies and assign the profile you just created

[Screenshot: Screen-Shot-2016-03-03-at-11-00-15]

As the last step, select the VMs again and run the compliance check:

Policy ⇒ Check Compliance of Last Known Configuration

Note that this evaluates the condition against the package inventory recorded by the last SmartState Analysis of each VM, not against the live guest. A VM that has never been scanned has no Guest Applications to match, and a VM patched after its last scan will still be flagged, so run a fresh SmartState Analysis before trusting the result.

[Screenshot: Screen-Shot-2016-03-03-at-11-00-55]