An Approach to Building & Maintaining a STIG’D RHEL Server
Red Hat Satellite Server
Forge.mil (https://software.forge.mil/sf/go/wiki3316 SPAWAR Linux Management Wiki)
Kickstart
Puppet
Tresys CLIP

Aaron Prayther
aprayther@lce.com
843 218 2178
Mil-OSS WG2
2nd-5th August 2010 – Washington D.C.
1) Checklist 2) Relation 3) Application 4) Assessment 5) Maintenance

[Diagram: the five phases laid over the tool chain: UNIX Security Checklist; IAVA / CVE / Red Hat; Kickstart / YUM / Puppet; Reporting? (SRR, OVAL, Satellite); Satellite / Forge.mil]
Creating a more manageable and reproducible STIG’D RHEL server
• There are some tools to help STIG a box
• There is an image that can be copied
• Neither is very reproducible over the long term
• We can create STIG’D servers and maintain them
• The supporting infrastructure (the Satellite Server itself) is not a STIG-compliant server in the environment I work in
• Google: “STIG”
    – The Stig is the name given to the racing driver character on the BBC television show Top Gear.
    – Security Technical Implementation Guides
1. UNIX Security Checklist
Is there an easier or better way?

[Diagram: the tool chain from the overview, phase 1 (UNIX Security Checklist)]
Unix Security Checklist (634 GEN, UNIX & IAVA items)
2. IAVA / CVE / Red Hat Security Advisory
A way to relate IAVA to patches

[Diagram: the tool chain from the overview, phase 2 (IAVA / CVE / Red Hat)]
Satellite Flags Errata
[Screenshot]

Satellite references CVE
[Screenshot]
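The relation this section describes, IAVA to CVE to Red Hat advisory to the package actually installed on a host, as an added Python example. It is not code from this brief, from Red Hat or from Satellite, and every identifier in it is a constructed placeholder: the IAVA numbers, CVE IDs, RHSA IDs, package names and versions, and the inventory text that stands in for `rpm -qa` output. On a real host the inventory comes from rpm and the CVE-to-RHSA mapping from Red Hat's errata data (the same data Satellite shows in the screenshots above); the version comparison is a simplified re-implementation of rpmvercmp, with rpm's tilde/caret ordering left out.

```python
"""Relate IAVA -> CVE -> RHSA -> installed package for one host.

Added example for this brief; not code from Red Hat, Satellite or the
SPAWAR project.  All identifiers below are constructed placeholders:
the IAVA numbers, CVE IDs, RHSA IDs, package versions and the inventory
text (which stands in for `rpm -qa` output).
"""
import re

# Constructed IAVA -> CVE mapping (hypothetical IDs).
IAVA_TO_CVES = {
    "2010-A-9001": ["CVE-2010-90001", "CVE-2010-90002"],
    "2010-B-9002": ["CVE-2010-90003"],
    "2010-B-9003": ["CVE-2010-90004"],   # no Red Hat advisory in our data
}

# Constructed advisory data: the CVEs each RHSA fixes and, per package,
# the first fixed EVR (epoch:version-release).
RHSA = {
    "RHSA-2010:9001": {"cves": ["CVE-2010-90001", "CVE-2010-90002"],
                       "packages": {"openssl": "0:0.9.8e-12.el5_4.6"}},
    "RHSA-2010:9002": {"cves": ["CVE-2010-90003"],
                       "packages": {"kernel": "0:2.6.18-194.11.1.el5"}},
}

# Constructed inventory, in the shape produced by
#   rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
# (two kernels installed side by side, as is normal on RHEL).
INSTALLED = """\
openssl 0:0.9.8e-12.el5_4.6
kernel 0:2.6.18-194.3.1.el5
kernel 0:2.6.18-194.8.1.el5
bash 0:3.2-24.el5
"""


def rpmvercmp(a, b):
    """Simplified rpm version comparison, returning -1, 0 or 1.
    Versions split into numeric and alphabetic segments; numeric segments
    compare as integers, alphabetic ones lexically, a numeric segment
    outranks an alphabetic one, and more segments outrank fewer.
    rpm's tilde/caret rules are omitted (not needed for the data here)."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def _split_evr(evr):
    # rpm prints "(none)" for a missing epoch; treat that as 0
    epoch, _, rest = evr.partition(":")
    version, _, release = rest.partition("-")
    return (int(epoch) if epoch.isdigit() else 0), version, release


def evrcmp(a, b):
    """Compare two epoch:version-release strings the way rpm/yum do."""
    ea, va, ra = _split_evr(a)
    eb, vb, rb = _split_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_inventory(text):
    """name -> highest installed EVR.  Keeping the highest is right for
    packages upgraded in place; for the kernel it proves the fix is
    installed, not that it is the running kernel (check uname -r)."""
    inv = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, evr = line.split()
        if name not in inv or evrcmp(evr, inv[name]) > 0:
            inv[name] = evr
    return inv


def iava_status(installed, iava_to_cves=IAVA_TO_CVES, rhsa=RHSA):
    """Per IAVA: 'resolved', 'open' (some fix not installed) or
    'no-advisory' (a CVE with no RHSA at all: either RHEL is not affected
    or no fix has shipped yet, and a human must decide which)."""
    by_cve = {}
    for rid, adv in rhsa.items():
        for cve in adv["cves"]:
            by_cve.setdefault(cve, []).append(rid)
    report = {}
    for iava, cves in iava_to_cves.items():
        open_items, no_advisory = [], []
        for cve in cves:
            if cve not in by_cve:
                no_advisory.append(cve)
                continue
            for rid in by_cve[cve]:
                for pkg, fixed in rhsa[rid]["packages"].items():
                    have = installed.get(pkg)
                    # a package that is not installed is not exposed
                    if have is not None and evrcmp(have, fixed) < 0:
                        open_items.append({"cve": cve, "rhsa": rid, "package": pkg,
                                           "installed": have, "fixed_in": fixed})
        status = "open" if open_items else ("no-advisory" if no_advisory else "resolved")
        report[iava] = {"status": status, "open": open_items, "no_advisory": no_advisory}
    return report


if __name__ == "__main__":
    for iava, r in sorted(iava_status(parse_inventory(INSTALLED)).items()):
        print(iava, r["status"], r["open"] or r["no_advisory"] or "")
```

The "no-advisory" outcome is the one worth a second look in practice: an IAVA whose CVE never maps to an RHSA is either not applicable to RHEL or still unpatched upstream, and only the advisory text tells you which.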
3. Kickstart, YUM & Puppet
“Applying”

[Diagram: the tool chain from the overview, phase 3 (Kickstart / YUM / Puppet)]

Apply the Checklist
[Screenshot]
Tresys CLIP Puppet content

class lnx00160 {
  ## (LNX00160: CAT II) (Previously - L074) The SA will ensure the grub.conf
  ## file has permissions of 600, or more restrictive.
  file { "/boot/grub/grub.conf":
    mode => '0600',   # quoted four-digit mode; newer Puppet releases reject a bare 600
  }
}

One class per checklist item. Because every Puppet run re-applies the mode, the item is not just set at build time but corrected again whenever it drifts.
4. Satellite & Forge.mil
Custom software repositories

[Diagram: the tool chain from the overview, phase 4 (Satellite / Forge.mil)]

Assessment
Confirm ongoing compliance
• OVAL seems to have a lot of potential
    – Evaluating OVAL and how to integrate it
• Evaluating running the SRR scripts from a cron job
• Satellite does a pretty good job of reporting on CVEs
• Would ultimately want a way of getting just the interesting information for hundreds (thousands) of servers
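A script that audits, and on request remediates, file-permission items of the kind the CLIP Puppet snippet above enforces, as an added Python example serving both the "Applying" step and this "Confirm ongoing compliance" step. It is not code from this brief, from Tresys CLIP or from the SRR scripts. Only LNX00160 and its grub.conf rule are taken from the page; the `EXAMPLE-000x` IDs, the `--fix` and `--sample` flags and the `make_sample_tree` fixture are constructed for illustration. Run from cron without `--fix` it is an audit in the SRR sense and prints only failing items, so the output from hundreds of hosts stays small; with `--fix` it clears just the excess permission bits, which is what the Puppet `file` resource does in the build described here.

```python
"""Audit (and optionally remediate) file-permission checklist items.

Added example for this brief; not Tresys CLIP, SRR or Satellite code.
LNX00160 is the item shown in the CLIP Puppet snippet; the EXAMPLE-* IDs,
the --fix/--sample flags and make_sample_tree() are constructed.
"""
import json
import os
import socket
import stat
import sys
import tempfile

# (STIG ID, path, most permissive mode allowed).  "600 or more restrictive"
# means: no permission bit set that is not in 0o600.
CHECKLIST = [
    ("LNX00160", "/boot/grub/grub.conf", 0o600),   # from the page
    ("EXAMPLE-0001", "/etc/shadow", 0o400),        # hypothetical ID
    ("EXAMPLE-0002", "/etc/passwd", 0o644),        # hypothetical ID
]


def mode_too_permissive(actual, allowed):
    """True if `actual` grants any bit (rwx or setuid/setgid/sticky) not in `allowed`."""
    return bool((actual & 0o7777) & ~allowed)


def audit(checklist, root="/", fix=False):
    """Check each item under `root` (a prefix, so a test tree can stand in
    for the real filesystem).  Returns one finding per item with status
    pass / fail / fixed / not-applicable / skipped."""
    findings = []
    for stig_id, path, allowed in checklist:
        full = os.path.join(root, path.lstrip("/"))
        finding = {"id": stig_id, "path": path}
        try:
            st = os.lstat(full)
        except FileNotFoundError:
            finding.update(status="not-applicable", detail="file absent")
            findings.append(finding)
            continue
        if stat.S_ISLNK(st.st_mode):
            # chmod would follow the link; a symlinked config file is a
            # finding for a human, not something to "fix" blindly
            finding.update(status="skipped", detail="symlink")
            findings.append(finding)
            continue
        actual = stat.S_IMODE(st.st_mode)
        finding.update(actual=oct(actual), allowed=oct(allowed))
        if not mode_too_permissive(actual, allowed):
            finding["status"] = "pass"
        elif fix:
            os.chmod(full, actual & allowed)   # clear only the excess bits
            finding["status"] = "fixed"
        else:
            finding["status"] = "fail"
        findings.append(finding)
    return findings


def interesting(findings):
    """What you want back from hundreds of hosts: only fail/fixed items."""
    return [f for f in findings if f["status"] in ("fail", "fixed")]


def current_mode(root, path):
    """Permission bits of `path` under `root`, for verification."""
    return stat.S_IMODE(os.stat(os.path.join(root, path.lstrip("/"))).st_mode)


def make_sample_tree():
    """Constructed fixture: a throwaway tree with a world-readable grub.conf
    (fails LNX00160), a correct passwd, and no shadow file."""
    root = tempfile.mkdtemp(prefix="stig-audit-")
    for rel, mode in (("boot/grub/grub.conf", 0o644), ("etc/passwd", 0o644)):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w"):
            pass
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    # From cron as root: `stig_audit.py` reports, `stig_audit.py --fix`
    # remediates.  `--sample` runs against the constructed tree instead of /.
    root = make_sample_tree() if "--sample" in sys.argv else "/"
    result = {"host": socket.gethostname(),
              "findings": interesting(audit(CHECKLIST, root=root, fix="--fix" in sys.argv))}
    print(json.dumps(result, indent=2))
```

The JSON carries the hostname so a central log server (the brief already has one) can collect the per-host output; an empty findings list is the normal case and needs no human attention.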
5. Reporting
Confirm compliance through the life of the server

[Diagram: the tool chain from the overview, phase 5 (Reporting)]

Maintain
Automating provisioning & maintenance is an evolutionary process…
• Long, messy kickstart file, but a good source of information
• Need to finish a “baseline” and modify the build process accordingly
• Need to move the vast majority of the kickstart content to the Puppet server
• Disclaimers out of the way…
What it does today
• It builds a consistent server from scratch (you can reverse engineer the entire build process and know every configuration change made)
• This is not an image
• It uses controlled software repositories in Satellite so that you can have a release process
• It sets up the ability to manage compliance over the life cycle of the server
• It has backups, and centralized audit and log server functionality
Use Forge.mil to collaborate
• https://software.forge.mil/sf/go/wiki3316 SPAWAR Linux Management Wiki
• This brief is located there
• Some instructions on how to use what is available today are there
• Contacts are being added so you know who to consult about different pieces, like Red Hat Satellite Server
Forge.mil / Satellite
[Screenshot]
Summary
• Build a reproducible RHEL server, bare metal or virtual
• The build process results in something very close to a STIG-compliant RHEL server (IA will say it’s compliant)
• The beginnings of a server life cycle that maintains & confirms compliance
• Currently functioning at a single project level in an R&D environment
References
• https://software.forge.mil/sf/go/wiki3316  SPAWAR Linux Management Wiki
• spawar-dodbastile@software.Forge.mil  SPAWAR Linux Management discussion email
• https://software.forge.mil/sf/discussion/do/listTopics/projects.dodbastile/discussion.spawar_linux_managment  SPAWAR Linux Management discussion page
• https://software.forge.mil/sf/docman/do/listDocuments/projects.dodbastile/docman.root.spawarlinuxmanagement  SPAWAR Linux Management documents
• https://software.forge.mil/sf/docman/do/downloadDocument/projects.dodbastile/docman.root.spawarlinuxmanagement/doc7520  SPAWAR Linux Management, this brief
