2. Agenda (besides beer and pizza consumption)
1. Recap AWX: What's AWX again?
2. Custom Credentials: when you need a credential type that is not provided today
3. scap-security-guide: it has Ansible now?
3. $BFY18 Addressable Automation Opportunity
Fit for purpose security practices?
- How do you *really* manage credentials?
- Are you using automation to improve your organisation's security posture?
- Hopefully this presentation will give you some ideas to try out for yourself.
5. What is AWX?
- Upstream project for Ansible Tower by Red Hat
- Adds features on top of Ansible required in enterprise IT:
  - Web-based user interface
  - RBAC
  - Credential management
  - Auditing / logging / alerting
  - Multi-tenancy
  - Git integration
  - Job and workflow management
  - Enhanced inventory management
  - Many others...
11. Custom Credentials - How?
- Defined in the AWX user interface
- Stored encrypted in the AWX database
- Once defined, can be used as if it was any other credential
- Needs two things:
  - Input (what I am asking for: username, password, token?)
  - Injector (what I am passing back to the playbook at runtime)
14. Custom Credentials - Why?
- Simple to use, no need to vault-encrypt an entire playbook or a string
- You can vault-encrypt a password, but what if different people want to use their own credentials when running the playbook, e.g. run as my tholloway account rather than a service account?
- Multiple users can create their own credential of the custom credential type you create
- Playbooks can still run outside of AWX:
  - The extra_vars that the injector puts in can be passed as normal extra_vars
  - They can come from a vaulted vars file when running outside of AWX
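As an added example (not from the talk or the AWX project), here is what the two halves of a custom credential type look like for the Jenkins case, followed by a playbook task that consumes the injected extra_vars; in AWX the inputs and injectors are entered as two separate YAML blocks in the credential type form, and the field ids, the `jenkins` host group and the plugin list are assumptions.

```yaml
# Added example: AWX custom credential type for Jenkins (field ids are assumptions).
# "inputs" is what AWX asks the user for when they create a credential of this type.
inputs:
  fields:
    - id: jenkins_url
      type: string
      label: Jenkins URL
    - id: jenkins_user
      type: string
      label: Jenkins username
    - id: jenkins_token
      type: string
      label: Jenkins API token
      secret: true          # stored encrypted, masked in the UI and job output
  required:
    - jenkins_url
    - jenkins_user
    - jenkins_token
# "injectors" is what AWX hands to the playbook at runtime; here the fields
# become extra_vars, so the playbook needs nothing AWX-specific.
injectors:
  extra_vars:
    jenkins_url: "{{ jenkins_url }}"
    jenkins_user: "{{ jenkins_user }}"
    jenkins_token: "{{ jenkins_token }}"
---
# Playbook that consumes those extra_vars (hypothetical 'jenkins' host group).
# Outside AWX, supply the same three variables from a vaulted vars file instead:
#   ansible-playbook jenkins-plugins.yml -e @jenkins-creds.yml --ask-vault-pass
- name: Install Jenkins plugins using the injected credential
  hosts: jenkins
  vars:
    jenkins_plugins:
      - git
      - workflow-aggregator
  tasks:
    - name: Install plugin
      jenkins_plugin:
        name: "{{ item }}"
        url: "{{ jenkins_url }}"
        url_username: "{{ jenkins_user }}"
        url_password: "{{ jenkins_token }}"
      loop: "{{ jenkins_plugins }}"
      no_log: true          # keep the API token out of the job log
```

Because the playbook only references plain variables, the same file runs unchanged inside AWX (values injected) and from a laptop (values from the vaulted file).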
15. Quick Demo
- Create a custom credential for Jenkins in AWS
- Kick off a workflow with the following credentials:
  - AWS (for EC2)
  - Machine (for SSH)
  - Custom (Jenkins)
- Playbooks will (hopefully...):
  - Create a new EC2 instance (using the AWS credential)
  - Install Jenkins (using the Machine credential)
  - Install Jenkins plugins (using the Custom credential)
- Ansible
- Ansible Tower (New!)
17. What is OpenSCAP?
● SCAP stands for "Security Content Automation Protocol"
● SCAP is a standardized compliance checking solution
● It is a line of specifications maintained by the National Institute of Standards and Technology (NIST) for maintaining system security for IT systems
● OpenSCAP is the open source implementation
18. Fun Acronyms
● XCCDF: Extensible Configuration Checklist Description Format. Used for security policies.
● OVAL: Open Vulnerability and Assessment Language. Vulnerability and patch detection.
● CVE: Common Vulnerabilities and Exposures. Tracks systems against configuration requirements.
● CCE: Common Configuration Enumeration. More configuration checks.
19. What is scap-security-guide?
● Package that provides guidance for applying security baselines
● Bridges the gap between generalised policy requirements and specific implementation guidelines
● Automated policy enforcement and remediation
● Baselines include PCI-DSS, DISA STIG, etc.
20. OpenSCAP Integration with Ansible Automation
● Define and tailor security policies via profiles
● Scan and apply security policies via Ansible Automation
● Assert security policy at build with Ansible Automation or Anaconda
● Shipped National Checklist profiles include:
  - DISA STIG
  - PCI-DSS
  - NIST USGCB
[Diagram: OpenSCAP and the SCAP security guide with PCI-DSS, USGCB and STIG profiles]
23. How to SCAN a system (C2S example)
# Install packages
yum -y install openscap scap-workbench scap-security-guide ansible
# List remediation playbooks
ls /usr/share/scap-security-guide/ansible
# List available profiles
oscap info "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"
# Automagically remediate
ansible-playbook /usr/share/scap-security-guide/ansible/ssg-rhel7-role-C2S.yml
# Run a scan
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_C2S \
  --fetch-remote-resources --results scan-C2S.results.xml \
  --report scan-C2S-results.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Upstream Project: https://github.com/OpenSCAP/scap-security-guide