
PuppetConf 2017: Automated System Compliance from the Inside Out- Trevor Vaughan, Onyx Point, Inc.


  1. Automated System Compliance From the Inside Out
     Start Compliant. Stay Compliant.
     Trevor Vaughan, VP Engineering - Onyx Point, Inc.; Product Lead
     B.S. Computer Engineering, M.S. Information Assurance; RHCE, PCP, PCD
     All trademarks are property of their respective owners. All company, product and service names used in this presentation are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.
  2. ● Automation, Security, and Compliance
       − Consulting and Contracting since 2009
     ● Puppet Gold Partners; GitLab Partners
     ● RHEL, CentOS, and SuSE; Cloud Infrastructure; Distributed Data Flow Architectures; DevOps Workflow; Test Automation
     ● Maintainers of
  3. [image] Source: Gears of War
  4. TRANSLATING POLICY
  5. Security can only be disproven; compliance can be both proven and disproven.

                  PROVABLE   DISPROVABLE
     SECURITY        X            ✔
     COMPLIANCE      ✔            ✔
  6. [image slide]
  7. [image] Systems Engineering Body of Knowledge - System Realization
  8. Requirement (NIST 800-171 §3.3.1): Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
     Specification: Enable the auditd service
       1. Install auditd
       2. Enable auditd
       3. Ensure auditd started at boot time
  9. The specification as a Puppet class. Each parameter is something a compliance profile can later set. (The slide's version derived the kernel parameter from $enable and never used $at_boot, and never set the service's ensure; both are corrected here. kernel_parameter comes from the augeasproviders_grub module.)

     class auditd (
       Boolean $enable  = false,
       Boolean $at_boot = true
     ) {
       # 1. Install auditd
       package { 'audit': ensure => 'installed' }

       # 2. Enable auditd: running now and enabled as a service
       $service_ensure = $enable ? { true => 'running', default => 'stopped' }
       service { 'auditd':
         ensure  => $service_ensure,
         enable  => $enable,
         require => Package['audit'],
       }

       # 3. Ensure auditing is active from boot (audit=1 on the kernel command line)
       $kernel_enable = $at_boot ? { true => '1', default => '0' }
       kernel_parameter { 'audit': value => $kernel_enable }
     }
  10. COMPLIANCE MODULE
  11. Compliance map: each class parameter is tied to the policy identifiers it satisfies and the value that satisfies them.

      ---
      compliance_markup::compliance_map:
        version: '1.0.1'
        nist_800_171:
          auditd_demo::enable:
            identifiers:
              - '3.3.1'
            value: true
          auditd_demo::at_boot:
            identifiers:
              - '3.3.1'
            value: true

      ~750 parameters mapped
  12. Compliance report written by the Puppet server for each node: every mapped parameter whose compiled value differs from the compliant value is listed with its identifiers.

      # /opt/puppetlabs/server/data/puppetserver/simp/compliance_reports
      {
        "version": "1.0.1",
        "fqdn": "el7.int.localdomain",
        "puppetserver_info": "local_compile",
        "compliance_profiles": {
          "nist_800_171": {
            "non_compliant": {
              "Class[Auditd]": {
                "parameters": {
                  "enable": {
                    "identifiers": [ "3.3.1" ],
                    "compliant_value": true,
                    "system_value": false
                  }
                }
              }
            }
          }
        }
      }
  13. COMPLIANCE EVALUATION
  14. [image slide]
  15. An InSpec control checking the same requirement from the outside. (Curly quotes on the slide replaced with plain ones, and the tags written in InSpec's key: value form so each identifier list is attached to its tag name.)

      control 'V-72079' do
        title  'Enable the audit daemon'
        desc   'The audit daemon must be running to collect audit logs'
        impact 0.7
        tag 'nist_800-171': ['3.3.1']
        tag subsystems: ['audit', 'auditd']

        describe service('auditd') do
          it { should be_running }
        end
      end
  16. Acceptance suite for the demo module, one spec per stage:

      auditd_demo/spec/acceptance/suites/default
      ├── 00_default_spec.rb          # Default System Config
      ├── 10_inspec_failing_spec.rb   # Compliance Fail
      ├── 20_enforce_spec.rb          # Enforce From Hiera
      └── 30_inspec_passing_spec.rb   # Compliance Pass
  17. [image] Default System Config → Compliance Fail
  18. [image] Default System Config → Compliance Fail
  19. InSpec run against the default system configuration. The demo profile's own check passes, but the STIG control it inherits fails because auditd is not running.

      Profile: Auditd demo checks for EL 7 (auditd_demo)
      Version: 0.0.1
      Target:  local://

        ✔  audit at boot: Auditing should be enabled at system boot time
           ✔  Command cat /proc/cmdline stdout should match /(\S+\s+)audit=1/

      Profile: InSpec Profile (disa_stig-el7)
      Version: 0.1.0
      Target:  local://

        ×  V-72079: Enable the audit daemon (expected that `Service auditd` is running)
           ×  Service auditd should be running
              expected that `Service auditd` is running

      Profile Summary: 1 successful, 1 failures, 0 skipped
      Test Summary: 1 successful, 1 failures, 0 skipped

      INHERITANCE!
  20. COMPLIANCE PARAMETER ENFORCEMENT
  21. Default System Config → Compliance Fail → Enforce From Hiera → Compliance Pass

      Selecting a profile for enforcement makes the compliance map's values the Hiera values for those parameters:

      ---
      compliance_markup::compliance_map:
        version: '1.0.1'
        nist_800_171:
          auditd_demo::enable:
            identifiers:
              - '3.3.1'
            value: true
          auditd_demo::at_boot:
            identifiers:
              - '3.3.1'
            value: true

      ---
      # Enforcement Selection Hieradata
      compliance_markup::enforcement:
        - nist_800_171
  22. [image] Default System Config → Compliance Fail → Enforce From Hiera → Compliance Pass
  23. [image] Default System Config → Compliance Fail → Enforce From Hiera → Compliance Pass
  24. InSpec run after enforcing nist_800_171 from Hiera:

      Profile: Auditd demo checks for EL 7 (auditd_demo)
      Version: 0.0.1
      Target:  local://

        ✔  audit at boot: Auditing should be enabled at system boot time
           ✔  Command cat /proc/cmdline stdout should match /(\S+\s+)audit=1/

      Profile: InSpec Profile (disa_stig-el7)
      Version: 0.1.0
      Target:  local://

        ✔  V-72079: Enable the audit daemon
           ✔  Service auditd should be running

      Profile Summary: 2 successful, 0 failures, 0 skipped
      Test Summary: 2 successful, 0 failures, 0 skipped
  25. [image slide]
  26. Several profiles can be enforced at once. The enforcement list is ordered: here internal_policy_5 is listed first, so its at_boot value (false) takes precedence over the NIST mapping, while enable is still taken from nist_800_171.

      ---
      # Enforcement Selection Hieradata
      compliance_markup::enforcement:
        - internal_policy_5
        - nist_800_171

      ---
      # Compliance Map
      compliance_markup::compliance_map:
        version: '1.0.1'
        nist_800_171:
          auditd_demo::enable:
            identifiers:
              - '3.3.1'
            value: true
          auditd_demo::at_boot:
            identifiers:
              - '3.3.1'
            value: true

      ---
      # Compliance Map
      compliance_markup::compliance_map:
        version: '1.0.1'
        internal_policy_5:
          auditd_demo::at_boot:
            identifiers:
              - 'IP-1337.1'
            value: false
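To make the two mechanisms on slides 11, 12, 21 and 26 concrete, here is an added Ruby example (not code from the talk or from the SIMP compliance_markup module) that does the same two things in miniature: it resolves the value to enforce for a parameter from an ordered list of profiles, and it builds the non_compliant report structure by comparing a node's actual parameter values against a profile. The compliance map is the slides' hieradata, merged into one hash; the assumption that the first listed profile wins is taken from the ordering shown on slide 26. Function names, and the system values fed to the report, are constructed for the example.

```ruby
require 'yaml'
require 'json'

# Constructed hieradata: the two compliance maps from the slides merged into
# one hash (Hiera would merge them the same way when both are loaded).
COMPLIANCE_MAP = YAML.safe_load(<<~YAML)
  version: '1.0.1'
  nist_800_171:
    auditd_demo::enable:
      identifiers: ['3.3.1']
      value: true
    auditd_demo::at_boot:
      identifiers: ['3.3.1']
      value: true
  internal_policy_5:
    auditd_demo::at_boot:
      identifiers: ['IP-1337.1']
      value: false
YAML

# Resolve the value to enforce for one parameter. Profiles earlier in the
# enforcement array win (assumption taken from slide 26), so with
# ['internal_policy_5', 'nist_800_171'] at_boot resolves to false while
# enable, mapped only by NIST, resolves to true. Returns nil when no
# enforced profile maps the parameter, i.e. Hiera falls through to the
# class default.
def enforced_value(param, enforcement, map = COMPLIANCE_MAP)
  enforcement.each do |profile|
    entries = map[profile]
    next unless entries.is_a?(Hash)
    return entries[param]['value'] if entries.key?(param)
  end
  nil
end

# Compare a node's actual parameter values (param => value, as compiled into
# its catalog) with each selected profile and produce the non_compliant
# structure in the shape of the report on slide 12. Only parameters whose
# system value differs from the compliant value appear.
def compliance_report(fqdn, profiles, system_values, map = COMPLIANCE_MAP)
  report = { 'version' => map['version'], 'fqdn' => fqdn, 'compliance_profiles' => {} }
  profiles.each do |profile|
    non_compliant = {}
    (map[profile] || {}).each do |param, spec|
      # 'auditd_demo::enable' -> resource title 'Class[Auditd_demo]', parameter 'enable'
      klass, name = param.split('::', 2)
      actual = system_values.fetch(param, nil)
      next if actual == spec['value']
      key = "Class[#{klass.split('::').map(&:capitalize).join('::')}]"
      (non_compliant[key] ||= { 'parameters' => {} })['parameters'][name] = {
        'identifiers'     => spec['identifiers'],
        'compliant_value' => spec['value'],
        'system_value'    => actual
      }
    end
    report['compliance_profiles'][profile] = { 'non_compliant' => non_compliant }
  end
  report
end

if $PROGRAM_NAME == __FILE__
  # A node still on the class defaults (enable => false), checked against NIST only.
  puts JSON.pretty_generate(
    compliance_report('el7.int.localdomain', ['nist_800_171'],
                      'auditd_demo::enable' => false, 'auditd_demo::at_boot' => true)
  )
  p enforced_value('auditd_demo::at_boot', ['internal_policy_5', 'nist_800_171'])
end
```

The report function is deliberately driven by the same map that drives enforcement: a parameter can only be reported against identifiers it has been mapped to, which is why the slide's "~750 parameters mapped" is the real work, and why adding a second profile with a conflicting value changes what is enforced without changing what the NIST profile would report as non-compliant.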
  27. CORRELATION AND REPORTING
  28. [image slide]
  29. [image slide]
  30. [image slide]
  31. COMPLIANCE MODULE
  32. TVAUGHAN(6)                    Presentation Info                    TVAUGHAN(6)

      ABOUT ME
          Trevor Vaughan, VP Engineering - Onyx Point, Inc.
          tvaughan@onyxpoint.com
          @peiriannydd or @onyxpoint

      PROJECT WEBSITE
          https://simp-project.com

      CONSULTING + TRAINING
          http://www.onyxpoint.com

      SEE ALSO
          Puppet(8), GitLab(8), Automation(7), DevOps(2), Linux(8)

      0.0.1                             2017-01-19                         TVAUGHAN(6)
