PuppetConf 2016: A Year in Open Source: Automated Compliance With Puppet – Trevor Vaughan, Onyx...


Transcript of PuppetConf 2016: A Year in Open Source: Automated Compliance With Puppet – Trevor Vaughan, Onyx...

Page 1: PuppetConf 2016: A Year in Open Source: Automated Compliance With Puppet – Trevor Vaughan, Onyx Point, Inc.

Trevor Vaughan, Onyx PointX


Trevor Vaughan, VP Engineering, Onyx Point

SIMP Product Lead

B.S. Comp Eng, M.S. IA

RHCE, PCP, PCD

One Year in Open Source

All trademarks are property of their respective owners. All company, product and service names used in this presentation are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.

Page 2

Disclaimer

The presentation that you are about to see is not, in any way, representative of, or endorsed by, the National Security Agency or the Government of the United States of America. As stated in their press release, the NSA, in releasing the code to the public, is attempting to reduce any duplication of effort surrounding the general goals of the SIMP project.

Page 3

About Onyx Point, Inc.

● Consulting and Federal Contracting Since 2009

○ DevOps

○ Infrastructure Automation

○ Security Compliance

● Community Maintainers of

○ First FOSS Stewardship CRADA with the NSA

● Red Hat Partners

● Puppet Service Provider Gold Partners

● Puppet-Certified Trainers

Page 4

WHAT IS

YOUR STUFF

OUR EXPERTISE

Page 5

SIMP Stack

Page 6

Goals

● 100% FOSS Core

● Full Scope Red Hat/CentOS Systems Management

○ Puppet for Automation

○ Does not preclude other systems

● Reduce Complexity of Technical Compliance

● Focus on Mission and Business

○ Enhance Security and Compliance

○ Understand Your Environment

● Leverage and Enhance the Open Source Community

Page 7

ONE YEAR OF FOSS COMPLIANCE AUTOMATION

MAY 2015 - PRESENT

Page 8

Page 9

TESTING

Page 10

Test Coverage

Type                 # Modules  # Tests  OS            OS Version  Total
Rspec (Unit)         88         6,472    RHEL, CentOS  6.8, 7.2    2,278,144
Beaker (Acceptance)  43         1,989    RHEL, CentOS  6.8, 7.2    342,108

~30 OS Bugs Discovered

● Rsyslog Encryption

● ‘i_version’ Kernel Panic

● Kickstart ‘curl’ FIPS Fail

● ‘krb5kdc’ SELinux Policy Issues

● Auditd Syscall Translation

● ‘cancel-path’ for Libvirt

● GDM Fail with ‘noexec /var/tmp’

● ‘Systemctl’ Returns 0 on Mask

Page 11

Multi-Node Acceptance Tests

rsyslog/spec/acceptance/
├── class_spec.rb
├── client_server_no_tls_spec.rb
├── client_server_udp_spec.rb
├── client_server_using_tls_spec.rb
├── failover_no_tls_spec.rb
├── failover_using_tls_spec.rb
└── nodesets
    └── default.yml

Page 12

Test Suites

nfs/spec/acceptance/
├── nodesets
│   └── default.yml
└── suites
    ├── default
    │   ├── 00_basic_test_spec.rb
    │   ├── 02_krb5_test_spec.rb
    │   └── nodesets -> ../../nodesets
    └── stunnel
        ├── 00_basic_test_spec.rb
        ├── 03_stunnel_test_spec.rb
        ├── metadata.yml
        └── nodesets -> ../../nodesets

Page 13

COMPLIANCE

MAPPER

Page 14

Page 15

700+ Variables Mapped

NIST 800-53

NIST 800-171

DISA STIG

ISO/IEC 27001

Page 16

Page 17

A Glimpse of the Future

---
version: "1.0.0"
compliance_profiles:
  test_profile:
    compliant:
      "Class[Test2::Test3]":
        parameters:
          arg3_1:
            Identifiers: ["ID1.2"]
            compliant_value: foo3_1
            system_value: foo3_1
    non_compliant: {}
    documented_missing_resources:
      - unmapped1
      - "unmapped1::subclass"
    documented_missing_parameters:
      - "test2::test3::ref_miss1"
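The report above is the input to the kind of tooling the Compliance Mapper 1.0 slide later describes ("report on compliant and non-compliant entries"). As an added example that is not SIMP's own code and not part of the slides, the Ruby script below reads a report in this format, counts compliant and non-compliant parameters, flags any parameter whose system_value differs from its compliant_value, and lists the documented gaps, which are not failures but are exactly the coverage holes an assessor asks about. The first sample is the slide's own report; the second, drifted report and all function names are constructed for the example.

```ruby
# Added example, not SIMP's own code: read a compliance-mapper report in the
# slide's format and turn it into a short, actionable summary.
require 'yaml'

# The slide's own sample report, embedded so the script runs offline.
SLIDE_REPORT = <<~YAML
  ---
  version: "1.0.0"
  compliance_profiles:
    test_profile:
      compliant:
        "Class[Test2::Test3]":
          parameters:
            arg3_1:
              Identifiers: ["ID1.2"]
              compliant_value: foo3_1
              system_value: foo3_1
      non_compliant: {}
      documented_missing_resources:
        - unmapped1
        - "unmapped1::subclass"
      documented_missing_parameters:
        - "test2::test3::ref_miss1"
YAML

# Constructed second report (not from the slide): the same parameter has
# drifted away from its compliant value.
DRIFTED_REPORT = <<~YAML
  ---
  version: "1.0.0"
  compliance_profiles:
    test_profile:
      compliant: {}
      non_compliant:
        "Class[Test2::Test3]":
          parameters:
            arg3_1:
              Identifiers: ["ID1.2"]
              compliant_value: foo3_1
              system_value: bar
      documented_missing_resources: []
      documented_missing_parameters: []
YAML

def load_report(yaml_text)
  YAML.safe_load(yaml_text)
end

# One finding per parameter: resource, parameter, mapped control identifiers,
# the expected value and the value actually found on the system.
def profile_findings(report, profile_name)
  profile = report.fetch('compliance_profiles').fetch(profile_name)
  findings = []
  %w[compliant non_compliant].each do |status|
    (profile[status] || {}).each do |resource, data|
      (data['parameters'] || {}).each do |param, info|
        findings << { status: status, resource: resource, parameter: param,
                      identifiers: Array(info['Identifiers']),
                      compliant_value: info['compliant_value'],
                      system_value: info['system_value'] }
      end
    end
  end
  findings
end

# Counts plus documented gaps. A compliant_value/system_value mismatch is
# flagged regardless of which section the report placed the parameter in.
def summarize_profile(report, profile_name)
  profile = report.fetch('compliance_profiles').fetch(profile_name)
  findings = profile_findings(report, profile_name)
  { version: report['version'],
    compliant: findings.count { |f| f[:status] == 'compliant' },
    non_compliant: findings.count { |f| f[:status] == 'non_compliant' },
    mismatches: findings.reject { |f| f[:compliant_value] == f[:system_value] },
    missing_resources: Array(profile['documented_missing_resources']),
    missing_parameters: Array(profile['documented_missing_parameters']) }
end

# Render the summary as plain report lines.
def report_lines(summary)
  lines = ["report v#{summary[:version]}: #{summary[:compliant]} compliant, " \
           "#{summary[:non_compliant]} non-compliant"]
  summary[:mismatches].each do |f|
    lines << "  #{f[:resource]} #{f[:parameter]} (#{f[:identifiers].join(', ')}): " \
             "expected #{f[:compliant_value].inspect}, found #{f[:system_value].inspect}"
  end
  gaps = summary[:missing_resources] + summary[:missing_parameters]
  lines << "  documented gaps: #{gaps.join(', ')}" unless gaps.empty?
  lines
end

if __FILE__ == $PROGRAM_NAME
  [SLIDE_REPORT, DRIFTED_REPORT].each do |text|
    puts report_lines(summarize_profile(load_report(text), 'test_profile'))
  end
end
```

Run it with no arguments to see both summaries; point load_report at a real report file to use it on mapper output. The mismatch check is deliberately independent of the compliant/non_compliant sections so that a report which mis-files an entry still surfaces the drift.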

Page 18

SecCONOP

Page 19

NIST Special Publication 800-137

Page 20

SecCONOP

● Completely Updated

● A Kickstart Toward Certification and Accreditation

● Built-in NIST 800-53 References

● Designed for Flexibility

○ Provide your own updates in the build

● Currently 49 pages

● http://simp.readthedocs.io/en/5.2.0-0/security_conop

Page 21

IMA + TPM 1.2

Page 22

Integrity Management Architecture (IMA)

● Automated!

○ https://github.com/simp/pupmod-simp-tpm

● Tested!

● Not Recommended for Production!

○ Unable to Restrict Memory Usage

○ Unable to Update Policy Without Reboot

○ Some Issues with DoS via Valid Policies

Page 23

Trusted Platform Module (TPM) 1.2

● Integrated

○ https://github.com/simp/pupmod-simp-tpm

● Ownership Automated

● Facter Facts Created

● In Progress

○ Trusted Boot

○ PKCS11 Interface Automation
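The "Facter Facts Created" bullet is the piece that lets the rest of the automation make decisions: whether a TPM is present, enabled and already owned decides whether ownership automation or trusted boot can proceed on a node. As an added example that is not pupmod-simp-tpm's code and not part of the slides, the Ruby below derives facts of that kind from the sysfs attributes the Linux TPM driver publishes for a TPM 1.2 device (enabled, active, owned and caps under /sys/class/tpm/tpm0/device). The fact names, function names and the constructed sysfs tree are assumptions made for the example; in a real module the returned hash would be registered through Facter.add.

```ruby
# Added example, not SIMP's code: TPM 1.2 facts derived from sysfs. The sysfs
# root is a parameter so the same function can be run against a constructed
# tree offline and against /sys on a real node.
require 'tmpdir'
require 'fileutils'

# The enabled/active/owned attributes hold "1" or "0"; nil means absent.
def read_flag(path)
  return nil unless File.file?(path)
  File.read(path).strip == '1'
end

# Fact names (tpm_present, tpm_enabled, ...) are assumptions for this example.
def tpm_facts(sysfs_root = '/sys')
  dev = File.join(sysfs_root, 'class', 'tpm', 'tpm0', 'device')
  # No device directory: report absence explicitly rather than raising, so a
  # node without a TPM still yields a usable fact.
  return { 'tpm_present' => false } unless File.directory?(dev)

  facts = {
    'tpm_present' => true,
    'tpm_enabled' => read_flag(File.join(dev, 'enabled')),
    'tpm_active'  => read_flag(File.join(dev, 'active')),
    'tpm_owned'   => read_flag(File.join(dev, 'owned'))
  }
  caps = File.join(dev, 'caps')
  if File.file?(caps)
    # caps is one "Key: value" pair per line, e.g. "TCG version: 1.2".
    File.readlines(caps).each do |line|
      key, value = line.split(':', 2)
      next unless value
      facts["tpm_#{key.strip.downcase.tr(' ', '_')}"] = value.strip
    end
  end
  facts
end

# Constructed sysfs tree standing in for a present, enabled, unowned TPM 1.2.
def constructed_sysfs(enabled: '1', active: '1', owned: '0')
  root = Dir.mktmpdir('fake-sysfs')
  dev = File.join(root, 'class', 'tpm', 'tpm0', 'device')
  FileUtils.mkdir_p(dev)
  File.write(File.join(dev, 'enabled'), "#{enabled}\n")
  File.write(File.join(dev, 'active'), "#{active}\n")
  File.write(File.join(dev, 'owned'), "#{owned}\n")
  File.write(File.join(dev, 'caps'),
             "Manufacturer: 0x00000000\nTCG version: 1.2\nFirmware version: 0.0\n")
  root
end

if __FILE__ == $PROGRAM_NAME
  # Pass a sysfs root (e.g. /sys) as the first argument to inspect a real node.
  root = ARGV[0] || constructed_sysfs
  tpm_facts(root).each { |k, v| puts "#{k} => #{v}" }
end
```

Keeping the sysfs root as a parameter is what makes the fact testable under rspec without a TPM, which matches the deck's insistence that every test must be runnable by hand.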

Page 24

IPSEC

Page 25

Libreswan

● Integrated for EL7

● Feature Request in for RHS ‘any’

● Goal

○ Full X.509-based Opportunistic IPSec

○ Everything except DNS and Puppet

Page 26

ELG

Page 27

ELG

● Completely Updated

● Same Basic Architecture

● Replaced Kibana With Grafana

○ Multi-Tenant Support

○ LDAP Support

○ Safer Default Usage

● SIMP Dashboards in Progress!

Page 28

LESSONS

LEARNED

Page 29

GOVERNMENT + OPEN SOURCE

Page 30

Contracts

Page 31

GOVERNMENT + OPEN SOURCE

Page 32

COMMUNITY EXPECTATIONS

(2015 © NBC)

Page 33

Our Expectations

(2007 © Warner Brothers)

Page 34

Reality

(2001 © New Line Cinema)

Page 35

Experiences

(1965 © DC Comics)

● Many environments stuck on one-time apply

● “Will this help me DevOps?!”

● Technology is not the problem

○ Undertrained and Understaffed

■ “How do I ‘vi’ a file?” - Senior Administrator

Page 36

Seriously...

(1999 © 20th Century Fox)

Page 37

TESTING

A TALE OF WOE + SORROW

Page 38

What Worked

● All Tests Must Be Able to Be Run by Hand

○ ‘rake spec’, ‘rake beaker:suites’, etc…

○ The ‘travish’ Ruby gem is very useful here

Page 39

What Worked

● Beaker + Vagrant

○ Docker was erratic on different systems

■ Aufs + Docker == /var death

○ Can’t test FIPS and non-FIPS in Docker

○ Can’t validate external protections (IPTables, etc…) in Docker

Page 40

What Didn’t Work

Page 41

Where We’re Heading

Page 42

THE FUTURE

(1985 © Universal Studios)

Page 43

Upcoming Features

● TPM

○ Automated Trusted Boot

○ Credential Protection

○ PKCS11

■ Hook in Everything!

● IPSec

○ Opportunistic IPSec

■ X.509 is the Target

● Hashicorp Vault

○ Secret Storage

○ Good for HIPAA...and TPMs?

● Compliance Mapper 1.0

○ Report on compliant and non-compliant entries

○ Less code modification

Page 44

Upcoming Features

● FreeIPA

○ Easier Management

● Seamless Puppet Enterprise

● Puppet AIO

○ Puppet 3 EOL - Dec 31, 2016

● Fapolicyd

○ Thanks to Steve Grubb!

● OpenSCAP Suites

○ Targeted Tests in Modules

● Full Stack KRB5 Integration

○ PAM

○ SSH

● Immediate Remediation

○ Based on last Puppet Catalog

Page 45

LESSONS

LEARNED

Trevor Vaughan - VP Engineering, Onyx Point

[email protected]

@peiriannydd