Secant is a security assessment tool used to evaluate the security defenses of OS images uploaded by users of an IaaS cloud.
How it works

The assessment process consists of the following steps:
1. Create a virtual machine from the image and run it in an isolated environment (without an internet connection).
2. Run external tests. These are tests which do not need access to the system, for example port scanning.
3. Run internal tests. These require an SSH connection because they run on the virtual machine itself; as a consequence they are not run on Windows images.
4. Report the status of the security scan.
5. Make an assessment using the report and predefined rules.
During the entire assessment process, details about the process are stored in a log file (the path can be specified in secant.conf). When the process ends successfully, the findings can be found in a report file and the assessment results in a result file.
– nmap_test – scan ports with Nmap. Ports which should be closed can be specified in assessment.conf.
– ssh_authentication_test – check whether SSH password authentication is allowed. If it is, the test ends unsuccessfully.
– lynis_test – upload Lynis (a security auditing tool) to the virtual machine. Lynis scans the system and generates a report. Which Lynis warnings or suggestions are considered critical can be specified in secant.conf. If any of these critical warnings or suggestions appear, the test ends unsuccessfully.
– pakiti_test – test the system against Pakiti3 (https://github.com/CESNET/pakiti3) to find packages with critical vulnerabilities.
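To make the assessment flow and the first three tests concrete, here is an added illustration written for this page; it is not Secant's own code. It mimics nmap_test, ssh_authentication_test and lynis_test on constructed inputs (an Nmap grepable output line, an sshd_config fragment, and lines in the style of lynis-report.dat) and then applies predefined rules to the collected report, the way steps 4 and 5 above describe. The rule keys `ports_must_be_closed` and `critical_lynis_ids`, and the exact layout of assessment.conf and secant.conf they stand in for, are assumptions.

```python
"""Added illustration of Secant-style checks plus rule-based assessment.

Not Secant's code: the test names mirror the README, but the parsing,
the rule keys and all sample data below are constructed for this example.
"""
import re

# Constructed sample: one host line from Nmap grepable (-oG) output for the VM.
NMAP_GREPABLE = (
    "Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 111/closed/tcp//rpcbind///  Ignored State: filtered (996)"
)

# Constructed sample: sshd_config fragment as an internal test would read it over SSH.
SSHD_CONFIG = """\
# Authentication settings
#PasswordAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: lines in the style Lynis writes to lynis-report.dat.
LYNIS_REPORT = """\
warning[]=SSH-7408|Consider hardening SSH configuration|-|
suggestion[]=FIRE-4512|Check iptables rules to see which rules are currently not used|-|
warning[]=AUTH-9228|Couldn't find 2 responsive nameservers|-|
"""

# Constructed rules, standing in for entries in assessment.conf / secant.conf
# (the key names are assumptions made for this example).
RULES = {
    "ports_must_be_closed": {23, 111, 3389},
    "critical_lynis_ids": {"SSH-7408", "FIRE-4512"},
}


def nmap_test(grepable_line, must_be_closed):
    """Return, sorted, the ports that are open although the rules require them closed."""
    open_ports = set()
    match = re.search(r"Ports: (.*?)(?:\s+Ignored State|$)", grepable_line)
    if match:
        for entry in match.group(1).split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 2 and fields[1] == "open":
                open_ports.add(int(fields[0]))
    return sorted(open_ports & set(must_be_closed))


def ssh_authentication_test(sshd_config):
    """True when password authentication is effectively allowed.

    As in sshd, the first non-comment occurrence of a directive wins, and the
    OpenSSH default when the directive is absent is 'yes'.
    """
    for line in sshd_config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "passwordauthentication" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return True


def lynis_test(report, critical_ids):
    """Return (kind, test-id) pairs for warnings/suggestions listed as critical."""
    hits = []
    for line in report.splitlines():
        match = re.match(r"(warning|suggestion)\[\]=([A-Z]+-\d+)\|", line)
        if match and match.group(2) in critical_ids:
            hits.append((match.group(1), match.group(2)))
    return hits


def assess(nmap_line, sshd_config, lynis_report, rules):
    """Build the report (step 4) and derive a PASS/FAIL result from the rules (step 5)."""
    report = {
        "nmap_test": nmap_test(nmap_line, rules["ports_must_be_closed"]),
        "ssh_authentication_test": ssh_authentication_test(sshd_config),
        "lynis_test": lynis_test(lynis_report, rules["critical_lynis_ids"]),
    }
    # A test fails when it produced any finding (non-empty list or True).
    failed = sorted(name for name, finding in report.items() if finding)
    return report, failed, ("FAIL" if failed else "PASS")


if __name__ == "__main__":
    report, failed, result = assess(NMAP_GREPABLE, SSHD_CONFIG, LYNIS_REPORT, RULES)
    for name, finding in report.items():
        print(f"{name}: {finding}")
    print(f"failed tests: {failed}")
    print(f"assessment result: {result}")
```

Run as a script it prints each test's findings followed by the overall verdict; with the sample data all three tests fail (telnet on port 23 is open, password authentication is on, and both critical Lynis IDs appear), so the result is FAIL. Swapping in an image whose sshd_config says `PasswordAuthentication no` and whose scan shows only port 22 open would clear the first two tests.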
Preparing Secant Host

The Secant host manages all assessment processes. Secant is supposed to run on a Debian operating system and have two network interfaces. The first interface, with a public IP address, is used for the internet connection; the second interface, with a private IP, is connected to the isolated environment where the tested images will be instantiated.
You'll also need to create a secant user in the IaaS with enough permissions to instantiate templates from images which are waiting for analysis. You also need to ensure that the secant user is able to access the IaaS through the command line. Instructions for MetaCloud can be found here.
git clone https://github.com/CESNET/secant && cd secant
sudo mkdir -p /etc/secant
sudo cp assessment.conf /etc/secant
sudo cp secant.conf /etc/secant