PuppetConf 2016: A Year in Open Source: Automated Compliance With Puppet – Trevor Vaughan, Onyx...
Trevor Vaughan, Onyx Point
VP Engineering, Onyx Point
SIMP Product Lead
B.S. Comp Eng, M.S. IA
RHCE, PCP, PCD
One Year in Open Source
All trademarks are property of their respective owners. All company, product and service names used in this presentation are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.
Disclaimer
The presentation that you are about to see is not, in any way, representative of, or endorsed by, the National Security Agency or the Government of the United States of America. As stated in their press release, the NSA, in releasing the code to the public, is attempting to reduce any duplication of effort surrounding the general goals of the SIMP project.
About Onyx Point, Inc.
● Consulting and Federal Contracting Since 2009
○ DevOps
○ Infrastructure Automation
○ Security Compliance
● Community Maintainers of
○ First FOSS Stewardship CRADA with the NSA
● Red Hat Partners
● Puppet Service Provider Gold Partners
● Puppet-Certified Trainers
WHAT IS
YOUR STUFF
OUR EXPERTISE
SIMP Stack
Goals
● 100% FOSS Core
● Full Scope Red Hat/CentOS Systems Management
○ Puppet for Automation
○ Does not preclude other systems
● Reduce Complexity of Technical Compliance
● Focus on Mission and Business
○ Enhance Security and Compliance
○ Understand Your Environment
● Leverage and Enhance the Open Source Community
ONE YEAR OF FOSS COMPLIANCE AUTOMATION
MAY 2015 - PRESENT
TESTING
Test Coverage
Type                 # Modules  # Tests  OS           OS Version  Total
Rspec (Unit)         88         6,472    RHEL/CentOS  6.8/7.2     2,278,144
Beaker (Acceptance)  43         1,989    RHEL/CentOS  6.8/7.2     342,108
~30 OS Bugs Discovered
● Rsyslog Encryption
● ‘i_version’ Kernel Panic
● Kickstart ‘curl’ FIPS Fail
● ‘krb5kdc’ SELinux Policy Issues
● Auditd Syscall Translation
● ‘cancel-path’ for Libvirt
● GDM Fail with ‘noexec /var/tmp’
● ‘Systemctl’ Returns 0 on Mask
Multi-Node Acceptance Tests
rsyslog/spec/acceptance/
├── class_spec.rb
├── client_server_no_tls_spec.rb
├── client_server_udp_spec.rb
├── client_server_using_tls_spec.rb
├── failover_no_tls_spec.rb
├── failover_using_tls_spec.rb
└── nodesets
    └── default.yml
Test Suites
nfs/spec/acceptance/
├── nodesets
│   └── default.yml
└── suites
    ├── default
    │   ├── 00_basic_test_spec.rb
    │   ├── 02_krb5_test_spec.rb
    │   └── nodesets -> ../../nodesets
    └── stunnel
        ├── 00_basic_test_spec.rb
        ├── 03_stunnel_test_spec.rb
        ├── metadata.yml
        └── nodesets -> ../../nodesets
COMPLIANCE MAPPER
700+ Variables Mapped
NIST 800-53, NIST 800-171, DISA STIG, ISO/IEC 27001
A Glimpse of the Future
---
version: "1.0.0"
compliance_profiles:
  test_profile:
    compliant:
      "Class[Test2::Test3]":
        parameters:
          arg3_1:
            Identifiers: ["ID1.2"]
            compliant_value: foo3_1
            system_value: foo3_1
    non_compliant: {}
    documented_missing_resources:
      - unmapped1
      - "unmapped1::subclass"
    documented_missing_parameters:
      - "test2::test3::ref_miss1"
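The document above is the Compliance Mapper's report shape: each profile lists the resources whose parameters match the mapped compliant value, those that do not, and the resources and parameters the module authors have documented as not yet mapped. As an added example, not code from the slides, SIMP or Onyx Point, the Ruby script below loads that same report (transcribed with straight quotes so it parses as YAML), totals compliant and non-compliant parameters, lists the documented gaps, and extracts drift findings from a second, constructed report in which the system value no longer matches the compliant value. The key names and nesting come from the slide; the helper names (`summarize_profile`, `findings`, `profile_passes?`) and the drifted report are assumptions of this example.

```ruby
require 'yaml'

# The profile from the slide, transcribed as-is (straight quotes so YAML parses).
SAMPLE_REPORT = <<~YAML
  ---
  version: "1.0.0"
  compliance_profiles:
    test_profile:
      compliant:
        "Class[Test2::Test3]":
          parameters:
            arg3_1:
              Identifiers: ["ID1.2"]
              compliant_value: foo3_1
              system_value: foo3_1
      non_compliant: {}
      documented_missing_resources:
        - unmapped1
        - "unmapped1::subclass"
      documented_missing_parameters:
        - "test2::test3::ref_miss1"
YAML

# Constructed variant (not from the slide): the same parameter has drifted,
# so the mapper would file it under non_compliant instead of compliant.
DRIFTED_REPORT = <<~YAML
  ---
  version: "1.0.0"
  compliance_profiles:
    test_profile:
      compliant: {}
      non_compliant:
        "Class[Test2::Test3]":
          parameters:
            arg3_1:
              Identifiers: ["ID1.2"]
              compliant_value: foo3_1
              system_value: bar
      documented_missing_resources: []
      documented_missing_parameters: []
YAML

def load_report(text)
  # safe_load: a report is plain data, so no Ruby object deserialisation.
  YAML.safe_load(text)
end

# Count the parameters recorded under a section ('compliant' or 'non_compliant').
def count_parameters(profile, section)
  (profile[section] || {}).values.sum { |res| (res['parameters'] || {}).size }
end

# One-line view of a profile: how much is compliant, how much is not,
# and what the module authors have documented as unmapped.
def summarize_profile(report, profile_name)
  profile = report.fetch('compliance_profiles').fetch(profile_name)
  {
    'compliant'          => count_parameters(profile, 'compliant'),
    'non_compliant'      => count_parameters(profile, 'non_compliant'),
    'missing_resources'  => profile.fetch('documented_missing_resources', []),
    'missing_parameters' => profile.fetch('documented_missing_parameters', []),
  }
end

# One row per non-compliant parameter, with the control identifiers it maps to.
def findings(report, profile_name)
  profile = report.fetch('compliance_profiles').fetch(profile_name)
  (profile['non_compliant'] || {}).flat_map do |resource, data|
    (data['parameters'] || {}).map do |param, details|
      {
        'resource'    => resource,
        'parameter'   => param,
        'identifiers' => details['Identifiers'] || [],
        'expected'    => details['compliant_value'],
        'actual'      => details['system_value'],
      }
    end
  end
end

# True when nothing is non-compliant; documented gaps are reported, not failed.
def profile_passes?(report, profile_name)
  findings(report, profile_name).empty?
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_REPORT, DRIFTED_REPORT].each do |text|
    report = load_report(text)
    puts summarize_profile(report, 'test_profile').inspect
    findings(report, 'test_profile').each do |f|
      puts "#{f['resource']} #{f['parameter']} maps to #{f['identifiers'].join(',')}: " \
           "expected #{f['expected']}, got #{f['actual']}"
    end
    puts "passes: #{profile_passes?(report, 'test_profile')}"
  end
end
```

Documented missing resources and parameters are surfaced but do not fail the profile: they are the mapping backlog, whereas a `non_compliant` entry means a system value that was mapped and found to differ from the control's required value.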
SecCONOP
NIST Special Publication 800-137
SecCONOP
● Completely Updated
● A Kickstart Toward Certification and Accreditation
● Built-in NIST 800-53 References
● Designed for Flexibility
○ Provide your own updates in the build
● Currently 49 pages
● http://simp.readthedocs.io/en/5.2.0-0/security_conop
IMA + TPM 1.2
Integrity Management Architecture (IMA)
● Automated!
○ https://github.com/simp/pupmod-simp-tpm
● Tested!
● Not Recommended for Production!
○ Unable to Restrict Memory Usage
○ Unable to Update Policy Without Reboot
○ Some Issues with DoS via Valid Policies
Trusted Platform Module (TPM) 1.2
● Integrated
○ https://github.com/simp/pupmod-simp-tpm
● Ownership Automated
● Facter Facts Created
● In Progress
○ Trusted Boot
○ PKCS11 Interface Automation
IPSEC
Libreswan
● Integrated for EL7
● Feature Request in for RHS ‘any’
● Goal
○ Full X.509-based Opportunistic IPSec
○ Everything except DNS and Puppet
ELG
ELG
● Completely Updated
● Same Basic Architecture
● Replaced Kibana With Grafana
○ Multi-Tenant Support
○ LDAP Support
○ Safer Default Usage
● SIMP Dashboards in Progress!
LESSONS LEARNED
GOVERNMENT + OPEN SOURCE
Contracts
GOVERNMENT + OPEN SOURCE
COMMUNITY EXPECTATIONS
(2015 © NBC)
Our Expectations
(2007 © Warner Brothers)
Reality
(2001 © New Line Cinema)
Experiences
(1965 © DC Comics)
● Many environments stuck on one-time apply
● “Will this help me DevOps?!”
● Technology is not the problem
○ Undertrained and Understaffed
■ “How do I ‘vi’ a file?” - Senior Administrator
Seriously...
(1999 © 20th Century Fox)
TESTING: A TALE OF WOE + SORROW
What Worked
● All Tests Must Be Able to Be Run by Hand
○ ‘rake spec’, ‘rake beaker:suites’, etc…
○ The ‘travish’ Ruby gem is very useful here
What Worked
● Beaker + Vagrant
○ Docker was erratic on different systems
■ Aufs + Docker == /var death
○ Can’t test FIPS and non-FIPS in Docker
○ Can’t validate external protections (IPTables, etc…) in Docker
What Didn’t Work
Where We’re Heading
THE FUTURE
(1985 © Universal Studios)
Upcoming Features
● TPM
○ Automated Trusted Boot
○ Credential Protection
○ PKCS11
■ Hook in Everything!
● IPSec
○ Opportunistic IPSec
■ X.509 is the Target
● Hashicorp Vault
○ Secret Storage
○ Good for HIPAA...and TPMs?
● Compliance Mapper 1.0
○ Report on compliant and non-compliant entries
○ Less code modification
Upcoming Features
● FreeIPA
○ Easier Management
● Seamless Puppet Enterprise
● Puppet AIO
○ Puppet 3 EOL - Dec 31, 2016
● Fapolicyd
○ Thanks to Steve Grubb!
● OpenSCAP Suites
○ Targeted Tests in Modules
● Full Stack KRB5 Integration
○ PAM
○ SSH
● Immediate Remediation
○ Based on last Puppet Catalog
LESSONS LEARNED
Trevor Vaughan - VP Engineering, Onyx Point
[email protected]
@peiriannydd