Puppet for Security Compliance - GOSCON 2010

Teyo Tyree's slides from GOSCON 2010. He covers the benefits for a modern approach to systems management and compliance and the key advantages of a model-driven approach to configuration management.


  1. Puppet: A Modern Approach to Systems Management and Compliance (October 2010)
  2. The Compliance Problem
  3. The Olde Days
  4. The Security Analyst
  5. Not Aligned with Business Needs
  6. Tools and Custom Scripts
  7. The Auditor
  8–9. Networks Grow
  10. The Compliance Paradox
  11–15. Puppet: A New Approach
     ★ Is a model-driven framework to centrally manage IT systems.
     ★ Enforces consistent, known-secure configurations of target systems.
     ★ Enables cross-functional collaboration within IT.
     ★ Enables reuse of service configurations across departments and organizations.
  16. Puppet: a framework for configuration management
  17. Declarative Configuration Language
  18. A Language for Collaboration: DevOps (diagram: "Today: 99% of IT, silo'd", with separate OS, App, Config and Security teams each owning their own piece of SOX, LAMP and Rails configuration, versus "Managed with Puppet", where Puppet = dev/ops/sec and OS, App and Security configuration share one language)
  19. Operating System Support
  20. Cross-Platform Architecture
  21–26. Advantages?
     ★ Puppet-enforced policies can be applied over and over again.
     ★ Policies can be expressed as the desired state (not how to get there).
     ★ Puppet's enforced policies can be context sensitive.
     ★ Puppet provides a log history over the lifecycle of a system.
     ★ Operates at cloud scale.
  27. With Puppet, auditing and remediation is a single automated configuration task.
  28. Demo
  29–35. Puppet and SCAP
     ★ Current SCAP tools are auditing only.
     ★ Remediation tools are Windows only.
     ★ Puppet provides auditing and remediation in a single step.
     ★ Puppet is being used for configuration and security management across government agencies.
     ★ Puppet currently supports AIX, HP-UX, Linux and Mac OS X.
     ★ Broadly adopted outside of government.
  36–43. Puppet and OVAL/ORVL
     ★ Puppet provides a high-level auditing and configuration management language.
     ★ Each managed element is represented as an abstract resource.
     ★ Puppet is well suited to and widely deployed for configuration management; security compliance is a subset of overall configuration management.
     ★ The Puppet language is machine-parseable, and the compiled catalog of resources cleanly represents the desired state of each resource on a system.
     ★ Each resource is audited for state, and the result of that audit is logged as an event.
     ★ The high-level Puppet language is machine readable.
     ★ Puppet-managed resources can be generated from external data sources.
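The desired-state, context-sensitivity and audit-versus-remediation points made on the Advantages, SCAP and OVAL slides, as an added Puppet manifest (written in current Puppet 4+ syntax; this is not code from the deck or from Puppet Labs, and the class name, the sshd settings and the per-platform service mapping are assumptions made for illustration):

```puppet
# Added example, not from the slides: one compliance control written as desired
# state. The settings and sshd_config contents are constructed for illustration.
class compliance::ssh (
  # true  = report drift as log events without touching the host (audit only)
  # false = audit and remediate in the same run
  Boolean $audit_only = false,
) {
  # Context-sensitive: the service name differs by platform.
  $sshd_service = $facts['os']['family'] ? {
    'Debian' => 'ssh',
    default  => 'sshd',
  }

  package { 'openssh-server':
    ensure => installed,
    noop   => $audit_only,
  }

  # The policy is the desired end state; Puppet works out how to reach it and
  # logs an event for every resource whose current state differs from it.
  file { '/etc/ssh/sshd_config':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => "Protocol 2\nPermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\n",
    noop    => $audit_only,
    require => Package['openssh-server'],
  }

  service { $sshd_service:
    ensure    => running,
    enable    => true,
    subscribe => File['/etc/ssh/sshd_config'],
    noop      => $audit_only,
  }
}

# Apply the control only on the platforms it was written for.
if $facts['os']['family'] in ['RedHat', 'Debian'] {
  class { 'compliance::ssh':
    audit_only => false,
  }
}
```

Running `puppet apply --noop` on this manifest audits every resource and logs each deviation; the same manifest run without `--noop` (or with `audit_only => false` per resource) remediates it in the same pass, which is the single-step audit-and-fix model the slides describe.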
  44–49. Who is using this approach?
     ★ Los Alamos National Laboratories
     ★ SPAWAR (STIG compliance)
     ★ Lockheed Martin
     ★ Northrop Grumman
     ★ SecState (an SCAP audit and remediation tool)
  50. What is next?
  51. Puppet as a constraint language.
  52. Post Catalog Processing
  53. Device Management
  54. Zero Day Automated Fixes
  55. Supported Compliance Modules in the Puppet Forge
  56. Links
     ★ https://fedorahosted.org/secstate/
     ★ http://scap.nist.gov/specifications/xccdf/
     ★ https://svn.forge.mil/svn/repos/slim/slim/docs/
     ★ https://svn.forge.mil/svn/repos/slim/slim/base/dev/rhel5/rpm/trunk/channels/x86_64/puppet/
     ★ http://oval.mitre.org/adoption/supporters.html
     ★ http://www.puppetlabs.com/blog/los-alamos-national-laborator-publishes-puppet-white-paper-for-mac-os-x-configuration-management
     ★ http://github.com/jamtur01/puppet-hardening
     ★ http://docs.puppetlabs.com/guides/introduction.html
  57. Questions?
  58. Puppet Labs is hiring! jobs@puppetlabs.com — twitter: @brainfinger — email: teyo@puppetlabs.com
