In this presentation we will talk about how to use an Image Bakery pattern to lock down an operating system with the CIS Benchmark using Ansible & Packer, and how to start down the path of getting the rest of the way there for compliance purposes. We will describe the CIS Benchmark in context, describe the approach, and show how we can improve our compliance with GitHub pull-request driven development, having Jenkins bake the images and perform a compliance scan. We will show a sample compliance matrix and show strategies to map items requiring remediation to issues for tracking purposes. Viewers should leave with a solid strategy for dealing with sticky compliance issues where some open-ended work might be required to fully remediate the situation.
Presented at NYC DevOps on June 18, 2018: https://www.meetup.com/nycdevops/events/fmgjmnyxjbzb
1. Applying the CIS Benchmark using Ansible & Packer
http://bit.ly/cisbakery
June 19, 2018
Richard Bullington-McGuire
Principal Architect, Modus Create
richard@moduscreate.com
@obscurerichard
4. Compliance Frameworks for regulated systems
DISA STIG
● Defense systems
PCI
● Credit card processing systems
CIS Benchmark
● General purpose computing
US Gov. Commercial Cloud Services (C2S)
● Cloud-based servers for feds
● Derived in part from CIS
Many, many others
● HIPAA, CJIS, NIST 800-171, etc
5. Barriers to Adoption
Manual compliance: slow & stupidly expensive
● Imagine a sysadmin manually tweaking every server
Automated tools: incomplete & mostly expensive
● Tools may not be mature for the target benchmark
● Or they may be expensive
● Infrastructure as Code practices make this less awful
6. How does this work in practice?
Ask your security officer if you are not sure!
1. Start with the standards document
2. Build a compliance matrix
3. Decide on what items are critical
4. Check compliance with each item
5. Remediate & recheck & ask ISO to re-evaluate criticality
8. Compliance Matrix
● Derived from table of contents of CIS Benchmark doc
○ Can’t share doc due to license (non-commercial)
● Track:
○ Section numbering & title
○ Applicability
○ Status
○ Issue link
○ Notes
9. Barriers to CIS Experimentation - Uh oh!
● CIS Benchmarks available for free with CC license -
○ Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International
○ Commercial derivatives require membership & licensing
● CIS Membership is expensive - thousands of
● CIS-Cat Lite - free w/ limited features, use restrictions
● CIS-Cat Pro - members only
● CIS Benchmark XCCDF & OVAL files - members only
● Commercial Scanners like Nessus - also expensive
10. Alternative path for demo
● Show proof of concept for image bakery
○ Vagrant + Ansible + Packer + Jenkins
● Use OpenSCAP to scan with C2S benchmark
○ C2S is a close relative of CIS
○ CIS SCAP files could be substituted for C2S
■ (assuming you pay CIS for membership)
11. Sane approach to compliance
Automate everything & use Open Source when possible
● Image Bakery Pattern - remediate baseline image
○ Reduce need to remediate each item on each server
● Packer - bake baseline image
● Ansible - provision image with CIS baseline playbook
● OpenSCAP - Scan baked image for compliance
● GitHub & Vagrant & Jenkins - Orchestrate build & test
15. Alternative path for demo
● Show proof of concept for image bakery
○ Code in GitHub with pull request workflow
○ Jenkins automation with AWS, GitHub integration
○ Packer run via Docker running Ansible
○ OpenSCAP scan with C2S benchmark
■ C2S is a close relative of CIS
● Original plan: use CIS-Cat or Nessus through Jenkins
○ Abandoned due to automation & cost barriers
17. Step By Step
● Get scan working:
○ Vagrant / Ansible / OpenSCAP
○ yields security report & guide in XML & HTML
● Get AMI building with Packer & Docker
○ Run same scripts as before, but on AWS EC2
● Get Jenkins running Packer
○ Run on every commit / pull request
○ Show process
18. Lessons Learned
● Just run ansible via shell script
○ Packer and Vagrant ansible provisioners rely on /tmp
● Reduce cycles by using Vagrant to run ansible locally
○ Put new roles at the top of the Ansible file!
● Some manual work will always be needed
○ Be smart about automating away the easy things
● Prioritize remediations - use an issue tracking system
19. Extending IaC Compliance Further
● Use Nessus to scan for CIS Benchmark
○ Install Nessus agent via Ansible
○ Would have to register host, scan, and remove host
● Use OpenSCAP to scan with CIS Benchmark files
○ CIS XCCDF & OVAL files could be used instead
■ (assuming you pay CIS for membership)
● Get Jenkins to fail build on scan failure
○ Analyze report for % threshold / get clean scan first
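As an added example (not code from the slides or from the speaker's project), the Python below ties together slide 8 and slide 19: it parses an OpenSCAP XCCDF results file, emits the compliance matrix columns from slide 8 (rule id, title, applicability, status, issue link, notes) as CSV, and returns a non-zero exit status when the pass rate falls below a threshold, which is the "fail build on scan failure" gate a Jenkins stage can use. The embedded results XML, rule ids, titles and issue-tracker URLs are constructed placeholders, not real C2S or CIS identifiers; a real run would read the results file written by `oscap xccdf eval --profile <id> --results results.xml <datastream>`.

```python
"""Compliance matrix + pass-rate gate for OpenSCAP XCCDF results (added example)."""
import csv
import io
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"

# Results that count toward the pass rate; notapplicable / notselected /
# notchecked / informational are excluded, as XCCDF scoring treats them.
SCORED = {"pass", "fixed", "fail", "error", "unknown"}
PASSING = {"pass", "fixed"}

# Constructed sample in the shape oscap writes; ids and titles are placeholders.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Group id="xccdf_example_group_fs">
    <Rule id="xccdf_example_rule_tmp_noexec" severity="medium"><title>Example: noexec on /tmp</title></Rule>
  </Group>
  <Rule id="xccdf_example_rule_ssh_root_login" severity="high"><title>Example: disable SSH root login</title></Rule>
  <Rule id="xccdf_example_rule_password_age" severity="low"><title>Example: maximum password age</title></Rule>
  <Rule id="xccdf_example_rule_not_applicable" severity="low"><title>Example: not applicable check</title></Rule>
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_tmp_noexec"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_ssh_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_password_age"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_not_applicable"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Placeholder mapping of rule id -> tracker issue (the "Issue link" column of slide 8).
ISSUE_LINKS = {
    "xccdf_example_rule_ssh_root_login": "https://issues.example.invalid/HARDEN-1",
}


def parse_results(xml_text):
    """Return one dict per rule-result, joined to its Rule's title and severity."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.iter(XCCDF_NS + "Rule"):  # iter() also finds Rules nested in Groups
        title = rule.findtext(XCCDF_NS + "title", default="")
        rules[rule.get("id")] = (title, rule.get("severity", ""))
    rows = []
    for rr in root.iter(XCCDF_NS + "rule-result"):
        rule_id = rr.get("idref")
        title, severity = rules.get(rule_id, ("", ""))
        result = rr.findtext(XCCDF_NS + "result", default="unknown").strip()
        rows.append({"rule_id": rule_id, "title": title, "severity": severity, "result": result})
    return rows


def compliance_matrix(rows, issue_links=ISSUE_LINKS):
    """Render the slide 8 matrix as CSV; failing rules without an issue link get a note."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Rule ID", "Title", "Severity", "Applicability", "Status", "Issue link", "Notes"])
    for r in rows:
        applicable = "yes" if r["result"] in SCORED else "no"
        link = issue_links.get(r["rule_id"], "")
        note = "needs remediation" if r["result"] in SCORED - PASSING and not link else ""
        writer.writerow([r["rule_id"], r["title"], r["severity"], applicable, r["result"], link, note])
    return out.getvalue()


def pass_rate(rows):
    """Percentage of scored rules that passed, rounded to 2 decimals (0.0 if nothing scored)."""
    scored = [r for r in rows if r["result"] in SCORED]
    if not scored:
        return 0.0
    passed = sum(1 for r in scored if r["result"] in PASSING)
    return round(100.0 * passed / len(scored), 2)


def failing_rules(rows):
    """Rule ids that were scored but did not pass, in report order."""
    return [r["rule_id"] for r in rows if r["result"] in SCORED - PASSING]


def gate(rows, threshold_pct):
    """True when the scan meets the threshold; the build stage fails otherwise."""
    return pass_rate(rows) >= threshold_pct


def main(argv=None):
    argv = sys.argv[1:] if argv is None else argv
    xml_text = open(argv[0]).read() if argv else SAMPLE_RESULTS  # no args: use the sample
    threshold = float(argv[1]) if len(argv) > 1 else 100.0
    rows = parse_results(xml_text)
    sys.stdout.write(compliance_matrix(rows))
    print(f"pass rate {pass_rate(rows)}% vs threshold {threshold}%; failing: {failing_rules(rows)}")
    return 0 if gate(rows, threshold) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python gate.py results.xml 95` from a Jenkins stage; a non-zero exit fails the build. Start with the threshold at the pass rate of the current baseline image so the pipeline goes green, then raise it as remediations land, and use the notes column to spot failing rules that still have no tracker issue mapped to them.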