PuppetConf 2016: A Year in Open Source: Automated Compliance With Puppet – Trevor Vaughan, Onyx Point, Inc.

238 views

Here are the slides from Trevor Vaughan's PuppetConf 2016 presentation, A Year in Open Source: Automated Compliance With Puppet. Watch the videos at https://www.youtube.com/playlist?list=PLV86BgbREluVjwwt-9UL8u2Uy8xnzpIqa

Published in: Technology
Slide 1: One Year in Open Source
Trevor Vaughan, Onyx Point
VP Engineering, Onyx Point
SIMP Product Lead
B.S. Comp Eng, M.S. IA
RHCE, PCP, PCD
All trademarks are property of their respective owners. All company, product and service names used in this presentation are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.

Slide 2: Disclaimer
The presentation that you are about to see is not, in any way, representative of, or endorsed by, the National Security Agency or the Government of the United States of America. As stated in their press release, the NSA, in releasing the code to the public, is attempting to reduce any duplication of effort surrounding the general goals of the SIMP project.

Slide 3: About Onyx Point, Inc.
● Consulting and Federal Contracting Since 2009
  ○ DevOps
  ○ Infrastructure Automation
  ○ Security Compliance
● Community Maintainers of SIMP
  ○ First FOSS Stewardship CRADA with the NSA
● Red Hat Partners
● Puppet Service Provider Gold Partners
● Puppet-Certified Trainers

Slide 4: What Is Your Stuff / Our Expertise

Slide 5: SIMP Stack (diagram)

Slide 6: Goals
● 100% FOSS Core
● Full Scope Red Hat/CentOS Systems Management
  ○ Puppet for Automation
  ○ Does not preclude other systems
● Reduce Complexity of Technical Compliance
● Focus on Mission and Business
  ○ Enhance Security and Compliance
  ○ Understand Your Environment
● Leverage and Enhance the Open Source Community

Slide 7: One Year of FOSS Compliance Automation (1 May 2015 - Present)

Slide 8: (image only)

Slide 9: Testing

Slide 10: Test Coverage

Type                 # Modules  # Tests  OS            OS Version  Total
Rspec (Unit)         88         6,472    RHEL, CentOS  6.8, 7.2    2,278,144
Beaker (Acceptance)  43         1,989    RHEL, CentOS  6.8, 7.2    342,108

~30 OS Bugs Discovered
● Rsyslog Encryption
● ‘i_version’ Kernel Panic
● Kickstart ‘curl’ FIPS Fail
● ‘krb5kdc’ SELinux Policy Issues
● Auditd Syscall Translation
● ‘cancel-path’ for Libvirt
● GDM Fail with ‘noexec /var/tmp’
● ‘Systemctl’ Returns 0 on Mask
Slide 11: Multi-Node Acceptance Tests
rsyslog/spec/acceptance/
├── class_spec.rb
├── client_server_no_tls_spec.rb
├── client_server_udp_spec.rb
├── client_server_using_tls_spec.rb
├── failover_no_tls_spec.rb
├── failover_using_tls_spec.rb
└── nodesets
    └── default.yml

Slide 12: Test Suites
nfs/spec/acceptance/
├── nodesets
│   └── default.yml
└── suites
    ├── default
    │   ├── 00_basic_test_spec.rb
    │   ├── 02_krb5_test_spec.rb
    │   └── nodesets -> ../../nodesets
    └── stunnel
        ├── 00_basic_test_spec.rb
        ├── 03_stunnel_test_spec.rb
        ├── metadata.yml
        └── nodesets -> ../../nodesets
Slide 13: Compliance Mapper

Slide 14: (image only)

Slide 15: 700+ Variables Mapped
NIST 800-53
NIST 800-171
DISA STIG
ISO/IEC 27001

Slide 16: (image only)

Slide 17: A Glimpse of the Future
---
version: "1.0.0"
compliance_profiles:
  test_profile:
    compliant:
      "Class[Test2::Test3]":
        parameters:
          arg3_1:
            Identifiers: ["ID1.2"]
            compliant_value: foo3_1
            system_value: foo3_1
    non_compliant: {}
    documented_missing_resources:
      - unmapped1
      - "unmapped1::subclass"
    documented_missing_parameters:
      - "test2::test3::ref_miss1"
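The report format on the slide above, worked as an added example that is not part of the original presentation or of the SIMP project's own code: a Ruby script that loads a constructed report in that shape (the Class[Test2::Test4] non-compliant entry and its values are invented) and summarises each profile the way Compliance Mapper 1.0 is slated to report compliant and non-compliant entries, also flagging any entry filed under compliant whose compliant_value and system_value disagree.

```ruby
require 'yaml'
# Constructed sample in the shape of the compliance-mapper report on slide 17;
# values are invented and a non_compliant entry is added to exercise that path.
SAMPLE_REPORT = <<~YAML
  ---
  version: "1.0.0"
  compliance_profiles:
    test_profile:
      compliant:
        "Class[Test2::Test3]":
          parameters:
            arg3_1:
              Identifiers: ["ID1.2"]
              compliant_value: foo3_1
              system_value: foo3_1
      non_compliant:
        "Class[Test2::Test4]":
          parameters:
            arg4_1:
              Identifiers: ["ID2.1"]
              compliant_value: restricted
              system_value: permissive
      documented_missing_resources:
        - unmapped1
        - "unmapped1::subclass"
      documented_missing_parameters:
        - "test2::test3::ref_miss1"
YAML
# Flatten resource -> parameters -> parameter into one record per parameter.
def parameter_records(section)
  (section || {}).flat_map do |resource, data|
    (data['parameters'] || {}).map do |name, info|
      { resource: resource, parameter: name, identifiers: Array(info['Identifiers']),
        expected: info['compliant_value'], actual: info['system_value'] }
    end
  end
end
# Per profile: counts, the non-compliant parameters with their control identifiers,
# the documented gaps, and any entry filed under "compliant" whose values disagree.
def summarize_report(yaml_text)
  report = YAML.safe_load(yaml_text)
  report.fetch('compliance_profiles').to_h do |name, profile|
    compliant = parameter_records(profile['compliant'])
    [name, { compliant: compliant.size,
             non_compliant: parameter_records(profile['non_compliant']),
             missing_resources: Array(profile['documented_missing_resources']),
             missing_parameters: Array(profile['documented_missing_parameters']),
             inconsistent: compliant.reject { |r| r[:expected] == r[:actual] } }]
  end
end
```

The inconsistent list is the check worth keeping in a CI job: a report that claims compliance while its own recorded system value differs from the expected one is a mapper or data error, not a pass.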
Slide 18: SecCONOP

Slide 19: NIST Special Publication 800-137

Slide 20: SecCONOP
● Completely Updated
● A Kickstart Toward Certification and Accreditation
● Built-in NIST 800-53 References
● Designed for Flexibility
  ○ Provide your own updates in the build
● Currently 49 pages
● http://simp.readthedocs.io/en/5.2.0-0/security_conop

Slide 21: IMA + TPM 1.2

Slide 22: Integrity Management Architecture (IMA)
● Automated!
  ○ https://github.com/simp/pupmod-simp-tpm
● Tested!
● Not Recommended for Production!
  ○ Unable to Restrict Memory Usage
  ○ Unable to Update Policy Without Reboot
  ○ Some Issues with DoS via Valid Policies

Slide 23: Trusted Platform Module (TPM) 1.2
● Integrated
  ○ https://github.com/simp/pupmod-simp-tpm
● Ownership Automated
● Facter Facts Created
● In Progress
  ○ Trusted Boot
  ○ PKCS11 Interface Automation

Slide 24: IPsec

Slide 25: Libreswan
● Integrated for EL7
● Feature Request in for RHS ‘any’
● Goal
  ○ Full X.509-based Opportunistic IPsec
  ○ Everything except DNS and Puppet

Slide 26: ELG

Slide 27: ELG
● Completely Updated
● Same Basic Architecture
● Replaced Kibana With Grafana
  ○ Multi-Tenant Support
  ○ LDAP Support
  ○ Safer Default Usage
● SIMP Dashboards in Progress!

Slide 28: Lessons Learned

Slide 29: Government + Open Source

Slide 30: Contracts

Slide 31: Government + Open Source

Slide 32: Community Expectations (2015 © NBC)

Slide 33: Our Expectations (2007 © Warner Brothers)

Slide 34: Reality (2001 © New Line Cinema)

Slide 35: Experiences (1965 © DC Comics)
● Many environments stuck on one-time apply
● “Will this help me DevOps?!”
● Technology is not the problem
  ○ Undertrained and Understaffed
    ■ “How do I ‘vi’ a file?” - Senior Administrator

Slide 36: Seriously... (1999 © 20th Century Fox)

Slide 37: Testing: A Tale of Woe + Sorrow

Slide 38: What Worked
● All Tests Must Be Able to Be Run by Hand
  ○ ‘rake spec’, ‘rake beaker:suites’, etc.
  ○ The ‘travish’ Ruby gem is very useful here

Slide 39: What Worked
● Beaker + Vagrant
  ○ Docker was erratic on different systems
    ■ Aufs + Docker == /var death
  ○ Can’t test FIPS and non-FIPS in Docker
  ○ Can’t validate external protections (IPTables, etc.) in Docker

Slide 40: What Didn’t Work

Slide 41: Where We’re Heading

Slide 42: The Future (1985 © Universal Studios)

Slide 43: Upcoming Features
● TPM
  ○ Automated Trusted Boot
  ○ Credential Protection
  ○ PKCS11
    ■ Hook in Everything!
● IPsec
  ○ Opportunistic IPsec
    ■ X.509 is the Target
● Hashicorp Vault
  ○ Secret Storage
  ○ Good for HIPAA...and TPMs?
● Compliance Mapper 1.0
  ○ Report on compliant and non-compliant entries
  ○ Less code modification

Slide 44: Upcoming Features
● FreeIPA
  ○ Easier Management
● Seamless Puppet Enterprise
● Puppet AIO
  ○ Puppet 3 EOL - Dec 31, 2016
● Fapolicyd
  ○ Thanks to Steve Grubb!
● OpenSCAP Suites
  ○ Targeted Tests in Modules
● Full Stack KRB5 Integration
  ○ PAM
  ○ SSH
● Immediate Remediation
  ○ Based on last Puppet Catalog

Slide 45: Lessons Learned
Trevor Vaughan - VP Engineering, Onyx Point
tvaughan@onyxpoint.com
@peiriannydd