Protecting against today's relentless and adaptive cyber threats requires continuous monitoring of networks and systems. Foreman and OpenSCAP address this challenge with centrally managed security management, configuration scanning, monitoring and remediation.
In this talk we will discuss how Foreman and OpenSCAP automatically scan for vulnerabilities, weaknesses and unauthorized changes, and how they monitor and fix the problems to restore the security controls of your existing security configuration.
10. Provisioning
Provision new machines or containers to (almost) anything:
Bare metal, oVirt, libvirt, VMware, Docker, EC2, Rackspace, Digital Ocean, OpenStack, etc.
* If we don't support it today, we can via new plugins
11. Configuration
● Puppet
● Via plugins:
✔ Chef
✔ Salt
✔ Ansible
● Automatic registration & setup of clients, including autosigning certs/keys
● Defining:
✔ Classes / states
✔ Parameters / pillars
● Inventory data:
✔ Facts / Grains
✔ Results of configuration runs
12. Monitoring
● Generic API with graphs/trends:
✔ System Inventories
✔ Reports from runs
✔ Generic reports: ABRT, OpenSCAP
● Context sensitive search:
✔ Not full-text (SQL level)
✔ Keyword completion
✔ Works across whole application
13. SCAP
Security Content Automation Protocol
Define security and audit rules
Scan your systems and test if the rules apply
Report scan results, decide if compliant or not
17. Foreman OpenSCAP - flow
● Assign policy to host(group)
● Puppet installs foreman_scap_client, and configures it
● SCAP content is downloaded to host
● `oscap` scanner runs, and generates Report
● Report parsed and uploaded to Foreman
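
As an added illustration of the last two steps of the flow (not code from Foreman or foreman_scap_client): a Python example that parses the XCCDF results an `oscap` scan writes and decides whether the host is compliant. The sample XML, the rule ids and the `summarize` helper are constructed for this example, and treating `fail`, `error` and `unknown` as non-compliant is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 namespace
# Assumption for this example: any of these rule results makes the host non-compliant.
NON_COMPLIANT = {"fail", "error", "unknown"}

# Constructed sample: a minimal XCCDF TestResult of the kind found in an oscap results file.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <TestResult id="xccdf_org.example_testresult_demo">
    <target>host01.example.com</target>
    <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_no_empty_passwords" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_firewalld_enabled" severity="low"><result>notselected</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_audit_enabled" severity="medium"><result>error</result></rule-result>
  </TestResult>
</Benchmark>"""


def summarize(xml_text):
    """Return target, per-result counts, non-compliant rules and a compliance verdict."""
    # Reports arrive from managed hosts; for untrusted XML prefer a hardened parser (e.g. defusedxml).
    root = ET.fromstring(xml_text)
    # iter() also finds a TestResult nested inside an ARF wrapper, or as the root itself.
    test_result = next(root.iter(f"{{{NS}}}TestResult"), None)
    if test_result is None:
        raise ValueError("no XCCDF TestResult element found")
    counts, failed = Counter(), []
    for rr in test_result.iter(f"{{{NS}}}rule-result"):
        # A rule-result without a <result> child is counted as "unknown".
        result = (rr.findtext(f"{{{NS}}}result") or "unknown").strip()
        counts[result] += 1
        if result in NON_COMPLIANT:
            failed.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return {
        "target": test_result.findtext(f"{{{NS}}}target"),
        "counts": dict(counts),
        "failed": failed,
        # An empty report is not evidence of compliance.
        "compliant": bool(counts) and not failed,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_RESULTS)
    print(summary["target"], "compliant" if summary["compliant"] else "NOT compliant")
    for idref, severity, result in summary["failed"]:
        print(f"  {result:7} {severity:7} {idref}")
```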