Security goodness with Ansible
Ansible Meetup
Mike Calizo
Red Hat Senior TAM
June 2018
Agenda (besides beer and pizza consumption)
1. Recap: What's AWX again?
2. Custom Credentials: when you need a credential type that is not provided today
3. scap-security-guide: it has Ansible now?
$BFY18 Addressable
Automation Opportunity
Fit for purpose security practises?
- How do you *really* manage credentials?
- Are you using automation to improve your organisation's security posture?
- Hopefully this presentation will give you some ideas to try out for yourself.
Recap: What’s AWX again?
What is AWX?
- Upstream project for Ansible Tower by Red Hat
- Adds the features on top of Ansible that enterprise IT requires:
  - Web based user interface
  - RBAC
  - Credential management
  - Auditing / logging / alerting
  - Multi-tenancy
  - Git integration
  - Job and workflow management
  - Enhanced inventory management
  - Many others...
Custom Credentials in AWX
Ansible automates technologies you use: over 1200 integrations
- Cloud: AWS, Azure, CenturyLink, Digital Ocean, Google, OpenStack, Rackspace, +more
- Virt & container: Atomic, CloudStack, OpenStack, OpenShift, RHEV, VMware, +more
- Windows: ACLs, Files, Packages, IIS, Regedits, Shares, Services, Configs, Users, Domains, +more
- Network: Arista, A10, Cumulus, Bigswitch, Cisco, Dell, F5, Juniper, Palo Alto, OpenSwitch, +more
- Chat: Email, HipChat, IRC, Jabber, Rocketchat, Sendgrid, Slack, Twilio, +more
- Monitoring: Airbrake, BigPanda, Datadog, LogicMonitor, Monit, Nagios, New Relic, PagerDuty, Sensu, StackDriver, Zabbix, +more

Every one of those integrations needs a credential to authenticate with, so: how are you managing your credentials to authenticate?
Pre-Canned Credential Types
AWX ships credential types for:
- Amazon Web Services
- Ansible Tower
- Google Compute Engine
- Insights
- Machine
- Microsoft Azure Resource Manager
- Network
- OpenStack
- Red Hat CloudForms
- Red Hat Satellite 6
- Red Hat Virtualization
- Source Control
- Vault
- VMware vCenter
Custom Credentials - What?

Three ways to hand the jenkins_plugin module its password:

1. Plaintext in the playbook (the secret ends up in git history and in job output):

    - name: Install plugin
      jenkins_plugin:
        name: build-pipeline-plugin
        url_username: admin
        url_password: p4ssw0rd
        url: http://localhost:8888

2. Vault-encrypted string (produced with ansible-vault encrypt_string), still tied to one fixed account:

    - name: Install plugin
      jenkins_plugin:
        name: build-pipeline-plugin
        url_username: "{{ jenkins_username }}"
        url_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          62313365396662343061393464336163383764373764613633653634306231386433626436623361
          6134333665353966363534333632666535333761666131620a663537646436643839616531643561
          63396265333966386166373632626539326166353965363262633030333630313338646335303630
          3438626666666137650a353638643435666633633964366338633066623234616432373231333331
          6564
        url: http://localhost:8888

3. Custom credential passed as a variable from AWX (the playbook carries no secret at all):

    - name: Install plugin
      jenkins_plugin:
        name: build-pipeline-plugin
        url_username: "{{ jenkins_username }}"
        url_password: "{{ jenkins_password }}"
        url: http://localhost:8888
Custom Credentials - How?
- Defined in the AWX user interface
- Stored encrypted in the AWX database
- Once defined, it can be used like any other credential
- Needs two things:
  - Input (what I am asking for: username, password, token?)
  - Injector (what I am passing back to the playbook at runtime)
Custom Credentials - How?

Input (what AWX prompts for when someone creates a credential of this type; secret: true means the value is stored encrypted and masked in the UI):

    fields:
      - type: string
        id: username
        label: "Give me yo username!"
      - type: string
        id: password
        label: "Give me yo password!"
        secret: true
    required:
      - username
      - password

Injector (what AWX hands the playbook at runtime; each {{ field_id }} is replaced with the stored value and the result becomes an extra var):

    extra_vars:
      jenkins_password: '{{ password }}'
      jenkins_username: '{{ username }}'

Caveat: Ansible masks module parameters that look like passwords, but a debug task that prints jenkins_password will put it into the job output. Add no_log: true to any task that handles the injected value.
Custom Credentials - Why?
- Simple to use: no need to vault-encrypt an entire playbook or a string
- You can vault-encrypt a password, but what if different people want to use their own credentials when running the playbook, e.g. run as my tholloway account rather than a service account?
- Multiple users can create their own credential of the custom credential type you create
- Playbooks can still run outside of AWX:
  - The extra_vars that the injector puts in can be passed as normal extra_vars
  - They can come from a vaulted vars file when running outside of AWX
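The Input/Injector pair above and the "playbooks still run outside AWX" point can both be checked before anything touches AWX. The following is an added example, not code from the slides or from the AWX project: it holds the slide's definitions as Python, verifies that every injector template refers to a declared field, simulates the extra_vars a playbook would receive for one stored credential (the same dict you would drop into a vaulted vars file for a run outside AWX), and builds the body for a POST to /api/v2/credential_types/. The endpoint and the kind value are real AWX API details; the AWX host, the bearer token and all helper names are assumptions.

```python
"""Define, sanity-check and locally simulate an AWX custom credential type.

Added example, not code from the slides or from the AWX project. The Input
and Injector definitions are the ones on the slide; the AWX REST endpoint
/api/v2/credential_types/ is real, but the host, token and every helper
name here are assumptions for illustration.
"""
import json
import re
import urllib.request

# Input: what AWX prompts for when someone creates a credential of this type.
JENKINS_INPUTS = {
    "fields": [
        {"type": "string", "id": "username", "label": "Give me yo username!"},
        {"type": "string", "id": "password", "label": "Give me yo password!",
         "secret": True},
    ],
    "required": ["username", "password"],
}

# Injector: what AWX hands the playbook at runtime, keyed by input id.
JENKINS_INJECTORS = {
    "extra_vars": {
        "jenkins_username": "{{ username }}",
        "jenkins_password": "{{ password }}",
    }
}

# Matches the {{ field_id }} templates AWX allows in injector values.
_TEMPLATE_RE = re.compile(r"\{\{\s*([A-Za-z_]\w*)\s*\}\}")


def validate_credential_type(inputs, injectors):
    """Return a list of problems with the definition; [] means it is sane.

    Two mistakes that otherwise only surface when a job fails: an injector
    that references a field id that was never declared, and a required
    field that does not exist.
    """
    problems = []
    ids = {f["id"] for f in inputs.get("fields", [])}
    for req in inputs.get("required", []):
        if req not in ids:
            problems.append("required field '%s' is not declared" % req)
    for section, mapping in injectors.items():
        for target, template in mapping.items():
            for var in _TEMPLATE_RE.findall(str(template)):
                if var not in ids:
                    problems.append("%s.%s references undeclared input '%s'"
                                    % (section, target, var))
    return problems


def render_extra_vars(injectors, credential_values):
    """Simulate the injection: the extra_vars the playbook sees for one
    stored credential. Lets you check variable names before touching AWX."""
    rendered = {}
    for target, template in injectors.get("extra_vars", {}).items():
        rendered[target] = _TEMPLATE_RE.sub(
            lambda m: str(credential_values[m.group(1)]), template)
    return rendered


def credential_type_payload(name, inputs=JENKINS_INPUTS,
                            injectors=JENKINS_INJECTORS):
    """Body for POST /api/v2/credential_types/. Custom types use kind 'cloud'."""
    problems = validate_credential_type(inputs, injectors)
    if problems:
        raise ValueError("; ".join(problems))
    return {"name": name, "kind": "cloud",
            "inputs": inputs, "injectors": injectors}


def post_credential_type(base_url, token, payload):
    """Create the type in AWX (network call; not exercised offline).
    Assumes an OAuth2 bearer token issued to an AWX user with admin rights."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v2/credential_types/",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(credential_type_payload("Jenkins"), indent=2))
    # What the playbook receives for a credential saved by one user.
    print(render_extra_vars(JENKINS_INJECTORS,
                            {"username": "tholloway", "password": "s3cret"}))
```

The dict that render_extra_vars returns is exactly what you would write to a vaulted vars file and pass with -e @jenkins.yml when running the same playbook from a laptop, which is why the playbook itself needs no change between the two modes.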
Quick Demo
- Create a custom credential for Jenkins in AWS
- Kick off a workflow with the following credentials:
  - AWS (for EC2)
  - Machine (for SSH)
  - Custom (Jenkins)
- Playbooks will (hopefully...):
  - Create a new EC2 instance (using the AWS cred)
  - Install Jenkins (using the Machine cred)
  - Install Jenkins plugins (using the Custom cred)
- Ansible
- Ansible Tower (New!)
Ansible integration in OpenSCAP
What is OpenSCAP?
● SCAP stands for "Security Content Automation Protocol"
● SCAP is a standardised way of expressing and checking compliance content
● It is a set of specifications maintained by the National Institute of Standards and Technology (NIST) for maintaining the security of IT systems
● OpenSCAP is the open source (and NIST-certified) implementation of the SCAP scanner
Fun Acronyms
● XCCDF: Extensible Configuration Checklist Description Format. The format for checklists (benchmarks) and the profiles built on them; this is where the security policy lives.
● OVAL: Open Vulnerability and Assessment Language. The language for the individual checks an XCCDF rule refers to; used for configuration checks and for vulnerability and patch detection.
● CVE: Common Vulnerabilities and Exposures. Identifiers for publicly known vulnerabilities; OVAL vulnerability content references them.
● CCE: Common Configuration Enumeration. Identifiers for individual configuration settings; scap-security-guide rules carry a CCE id so the same check can be tracked across tools.
What is scap-security-guide?
● Package that provides guidance for applying security baselines
● Bridges the gap between generalised policy requirements and specific implementation guidelines
● Automated policy enforcement and remediation (each rule ships Bash and Ansible remediations)
● Baselines include PCI-DSS, DISA STIG etc
OpenSCAP Integration with Ansible Automation
● Define and tailor security policies via profiles
● Scan and apply security policies via Ansible Automation
● Assert security policy at build with Ansible Automation or Anaconda (the kickstart %addon org_fedora_oscap)
● Shipped National Checklist profiles include: DISA STIG, PCI-DSS, NIST USGCB
[Diagram: OpenSCAP and the SCAP security guide feeding the PCI-DSS, USGCB and STIG profiles]
[Slide: HTML report from a scan (screenshot)]
[Slide: Remediation (screenshot)]
How to SCAN a system (C2S example)

Install packages:

    yum -y install openscap scap-workbench scap-security-guide ansible

List the remediation playbooks shipped with scap-security-guide (one per profile):

    ls /usr/share/scap-security-guide/ansible

List the available profiles in the RHEL 7 datastream:

    oscap info "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"

Run a scan against the C2S profile. Run it as root; --fetch-remote-resources downloads the remote OVAL content (the Red Hat CVE feed) the datastream references, so drop it on air-gapped hosts. The exit code is 0 when every rule passed, 2 when at least one failed and 1 on error, which is what to gate a pipeline on:

    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_C2S \
        --fetch-remote-resources --results scan-C2S.results.xml \
        --report scan-C2S-results.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Automagically remediate with the matching playbook. It applies every rule in the profile, not just the ones that failed, and expect changes to sshd, auditd, mounts and the like, so point it at your inventory with -i and run it with --check first:

    ansible-playbook /usr/share/scap-security-guide/ansible/ssg-rhel7-role-C2S.yml

Upstream project: https://github.com/OpenSCAP/scap-security-guide (since moved to the ComplianceAsCode/content repository; the old URL redirects)
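The results file from the scan step is what automation should act on, rather than re-running the whole playbook. The following is an added example, not code from the slides or from the scap-security-guide project: it parses the --results XCCDF file, summarises outcomes, lists the failed rules, mirrors oscap's exit-code convention, and builds an ansible-playbook command that remediates only those rules via --tags. The sample XML is constructed to look like scan-C2S.results.xml; the assumption that each task in the shipped playbooks is tagged with the short rule name (the part after content_rule_) is how the tag list is derived. OpenSCAP also has a built-in route for this, oscap xccdf generate fix --fix-type ansible --result-id <TestResult id> results.xml, which emits a playbook covering only the failed rules.

```python
"""Summarise an oscap XCCDF results file and derive a targeted remediation run.

Added example, not part of the slides or of scap-security-guide. Parses the
--results file that `oscap xccdf eval` writes. SAMPLE_RESULTS is constructed
for illustration; the mapping of failed rule ids to playbook tags assumes the
shipped SSG playbooks tag each task with the short rule name.
"""
import shlex
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
RULE_PREFIX = "xccdf_org.ssgproject.content_rule_"
DEFAULT_PLAYBOOK = "/usr/share/scap-security-guide/ansible/ssg-rhel7-role-C2S.yml"

# Constructed sample shaped like scan-C2S.results.xml: one TestResult with a
# few rule-result elements. A real file carries hundreds of rules.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_C2S">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" severity="high">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return {rule_id: outcome} for every rule-result in the TestResult."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.findall(".//x:TestResult/x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        outcome = res.text.strip() if res is not None and res.text else "unknown"
        results[rr.get("idref")] = outcome
    return results


def summarise(results):
    """Count outcomes (pass, fail, notapplicable, ...) for a quick report."""
    counts = {}
    for outcome in results.values():
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


def failed_rules(results):
    return sorted(rule for rule, outcome in results.items() if outcome == "fail")


def remediation_tags(results):
    """Short SSG rule names for the failed rules (assumed to equal the task tags)."""
    return [r[len(RULE_PREFIX):] for r in failed_rules(results)
            if r.startswith(RULE_PREFIX)]


def remediation_command(results, playbook=DEFAULT_PLAYBOOK, check=True):
    """ansible-playbook invocation that touches only the failed rules.

    check=True keeps --check so the first run only reports what would change;
    drop it once the diff has been reviewed. Returns None if nothing failed.
    """
    tags = remediation_tags(results)
    if not tags:
        return None
    cmd = ["ansible-playbook", playbook, "--tags", ",".join(tags)]
    if check:
        cmd.append("--check")
    return " ".join(shlex.quote(c) for c in cmd)


def scan_exit_code(results):
    """Mirror oscap's convention: 0 when nothing failed, 2 when any rule failed."""
    return 2 if failed_rules(results) else 0


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    res = parse_results(text)
    print(summarise(res))
    for rule in failed_rules(res):
        print("FAIL", rule)
    print(remediation_command(res))
    sys.exit(scan_exit_code(res))
```

Run it as python3 ssg_results.py scan-C2S.results.xml after the oscap step; the printed command is the targeted remediation to review, and the exit status lets a CI job fail on the same condition oscap itself would.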
Thank You.
