Policy compliance for systems has been a hot topic for 2017. The Puppet ecosystem provides an excellent set of tools both for automating the initial security and compliance foundation of your systems and, more importantly, for ensuring that they stay compliant over time. This talk draws on the experience we have gained while developing the SIMP Project and provides both guidelines and examples for keeping your systems in compliance with public and internal policies. This presentation will cover:
* Translating policy from source to intent
* Mapping class and defined type parameters to policy
* Detecting parameter deviation from policy
* Enforcing framework-level compliance from Hiera
* Compliance evaluation during test
* Compliance evaluation after deployment
* Correlation and reporting
The audience should leave with an understanding of how they can both implement a compliant infrastructure and work with their internal security personnel to ensure that the compliance status of their infrastructure is well understood and enforced.
1. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
Trevor Vaughan
VP Engineering - Onyx Point, Inc.
Product Lead
B.S. Computer Engineering, M.S. Information Assurance
RHCE, PCP, PCD
Automated System Compliance
From the Inside Out
All trademarks are property of their respective owners. All company, product and service names used in this presentation are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.
2.
● Automation, Security, and Compliance
− Consulting and Contracting since 2009
Puppet Gold Partners
GitLab Partners
RHEL, CentOS, and SuSE
Cloud Infrastructure
Distributed Data Flow Architectures
DevOps Workflow
Test Automation
● Maintainers of
7.
Systems Engineering Body of Knowledge - System Realization
8.
9.
NIST 800-171
§3.3.1: Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
Requirement: Enable the auditd service
Specification:
  1. Install auditd
  2. Enable auditd
  3. Ensure auditd started at boot time
10.
class auditd (
  Boolean $enable  = false,  # Step 2: enable and run the audit daemon
  Boolean $at_boot = true    # Step 3: audit from the earliest boot stage
) {
  # Step 1: install auditd
  package { 'audit': ensure => 'installed' }

  # Step 2: the service resource both enables and starts the daemon
  service { 'auditd':
    ensure  => $enable ? { true => 'running', default => 'stopped' },
    enable  => $enable,
    require => Package['audit'],
  }

  # Step 3: audit=1 on the kernel command line captures events raised before auditd starts
  $kernel_enable = $at_boot ? { true => '1', default => '0' }
  kernel_parameter { 'audit': value => $kernel_enable }
}
18.
control 'V-72079' do
  title  'Enable the audit daemon'
  desc   'The audit daemon must be running to collect audit logs'
  impact 0.7
  # Tags carry the policy identifiers so results can be correlated back to policy
  tag 'nist_800-171': ['3.3.1']
  tag subsystems: ['audit', 'auditd']

  describe service('auditd') do
    it { should be_running }
  end
end
19.
auditd_demo/spec/acceptance/suites/default
├── 00_default_spec.rb
├── 10_inspec_failing_spec.rb
├── 20_enforce_spec.rb
└── 30_inspec_passing_spec.rb
Default System Config → Compliance Fail → Enforce From Hiera → Compliance Pass
20.
21.
22.
Profile: Auditd demo checks for EL 7 (auditd_demo)
Version: 0.0.1
Target:  local://

  ✔  audit at boot: Auditing should be enabled at system boot time
     ✔  Command cat /proc/cmdline stdout should match /(\S+\s+)audit=1/

Profile: InSpec Profile (disa_stig-el7)
Version: 0.1.0
Target:  local://

  ×  V-72079: Enable the audit daemon (expected that `Service auditd` is running)
     ×  Service auditd should be running
        expected that `Service auditd` is running

Profile Summary: 1 successful, 1 failures, 0 skipped
Test Summary: 1 successful, 1 failures, 0 skipped
INHERITANCE!
24.
---
compliance_markup::compliance_map:
  version: '1.0.1'
  nist_800_171:
    auditd_demo::enable:
      identifiers:
        - '3.3.1'
      value: true
    auditd_demo::at_boot:
      identifiers:
        - '3.3.1'
      value: true
---
# Enforcement Selection Hieradata
compliance_markup::enforcement:
  - nist_800_171
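The compliance map above makes the policy-to-parameter mapping machine-readable, which also makes it checkable before enforcement is switched on: the parameter values actually resolved for a node can be diffed against the map, and every deviation reported under the policy identifier it violates rather than under the class name. The Ruby script below is an added illustration of that check; it is not code from the talk or from the SIMP compliance_markup module. The compliance map and the observed parameter values are constructed samples that mirror the slide (the default class parameters, with enable still false), and taking the observed values from `puppet lookup` or a compiled catalog is an assumption.

```ruby
require 'yaml'

# Constructed hieradata in the shape of the compliance_markup::compliance_map
# shown on the slides (not copied from the SIMP project).
COMPLIANCE_MAP = <<~YAML
  compliance_markup::compliance_map:
    version: '1.0.1'
    nist_800_171:
      auditd_demo::enable:
        identifiers:
          - '3.3.1'
        value: true
      auditd_demo::at_boot:
        identifiers:
          - '3.3.1'
        value: true
YAML

# Parameter values as resolved on a node (assumption: gathered from
# `puppet lookup` or the compiled catalog). Constructed sample using the
# class defaults from the slide, where $enable is still false.
OBSERVED_PARAMS = {
  'auditd_demo::enable'  => false,
  'auditd_demo::at_boot' => true
}.freeze

# Return the section of the map for the selected policy (e.g. nist_800_171).
def policy_section(map_yaml, policy)
  data = YAML.safe_load(map_yaml)
  map  = data.fetch('compliance_markup::compliance_map')
  map.fetch(policy) { raise ArgumentError, "unknown policy #{policy}" }
end

# Compare each mapped parameter with its observed value and return the
# deviations as parameter => { expected:, actual:, identifiers: }.
# A parameter that is mapped but not set at all counts as a deviation.
def deviations(map_yaml, policy, observed)
  policy_section(map_yaml, policy).each_with_object({}) do |(param, spec), out|
    expected = spec.fetch('value')
    actual   = observed.fetch(param, :missing)
    next if actual == expected
    out[param] = { expected: expected, actual: actual,
                   identifiers: spec.fetch('identifiers', []) }
  end
end

# Roll the deviations up by policy identifier so the report reads like the
# policy document (3.3.1 ...) rather than like the Puppet code.
def report_by_identifier(devs)
  devs.each_with_object(Hash.new { |h, k| h[k] = [] }) do |(param, d), out|
    d[:identifiers].each { |id| out[id] << param }
  end
end

if $PROGRAM_NAME == __FILE__
  devs = deviations(COMPLIANCE_MAP, 'nist_800_171', OBSERVED_PARAMS)
  report_by_identifier(devs).each do |id, params|
    puts "#{id}: #{params.size} parameter(s) deviate from policy"
    params.each do |p|
      puts "  #{p}: expected #{devs[p][:expected].inspect}, got #{devs[p][:actual].inspect}"
    end
  end
end
```

Run as a plain Ruby script it prints one line per identifier with the deviating parameters beneath it; with the sample data only `auditd_demo::enable` deviates, so 3.3.1 is reported with a single offending parameter. The same comparison, run in CI against the hieradata under review, is the "compliance evaluation during test" step before any node is touched.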
25.
26.
27.
Profile: Auditd demo checks for EL 7 (auditd_demo)
Version: 0.0.1
Target:  local://

  ✔  audit at boot: Auditing should be enabled at system boot time
     ✔  Command cat /proc/cmdline stdout should match /(\S+\s+)audit=1/

Profile: InSpec Profile (disa_stig-el7)
Version: 0.1.0
Target:  local://

  ✔  V-72079: Enable the audit daemon
     ✔  Service auditd should be running

Profile Summary: 2 successful, 0 failures, 0 skipped
Test Summary: 2 successful, 0 failures, 0 skipped
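Both InSpec runs above (the failing one before enforcement and the passing one after) report per control, while the policy owner asks per requirement: is 3.3.1 met or not? The Ruby script below is an added example of that correlation step and is not part of the talk or of either InSpec profile. It reads a constructed JSON document shaped like `inspec exec --reporter json` output (profiles, controls, tags, results; the exact field layout is an assumption) and rolls control outcomes up to NIST 800-171 identifiers, so that the one failing control in the first run marks 3.3.1 non-compliant even though the sibling control in the demo profile passed.

```ruby
require 'json'

# Constructed sample shaped like `inspec exec --reporter json` output, trimmed
# to the fields used below (the field layout is an assumption). The two
# controls mirror the failing run on the slides: the demo profile's boot check
# passes while the inherited STIG control fails.
INSPEC_JSON = <<~JSON
  {
    "profiles": [
      {
        "name": "auditd_demo",
        "controls": [
          {
            "id": "audit at boot",
            "title": "Auditing should be enabled at system boot time",
            "impact": 0.5,
            "tags": { "nist_800-171": ["3.3.1"] },
            "results": [
              { "status": "passed",
                "code_desc": "Command cat /proc/cmdline stdout should match audit=1" }
            ]
          }
        ]
      },
      {
        "name": "disa_stig-el7",
        "controls": [
          {
            "id": "V-72079",
            "title": "Enable the audit daemon",
            "impact": 0.7,
            "tags": { "nist_800-171": ["3.3.1"], "subsystems": ["audit", "auditd"] },
            "results": [
              { "status": "failed",
                "code_desc": "Service auditd should be running",
                "message": "expected that `Service auditd` is running" }
            ]
          }
        ]
      }
    ]
  }
JSON

# Tag under which the controls carry their NIST 800-171 identifiers.
TAG_KEY = 'nist_800-171'.freeze

# Flatten every control of every profile into rows of
# { control:, profile:, identifiers:, status: }. A control with any failed
# result is failed; one that produced no results at all is skipped.
def control_rows(json_text, tag_key = TAG_KEY)
  JSON.parse(json_text).fetch('profiles').flat_map do |profile|
    profile.fetch('controls', []).map do |ctl|
      statuses = ctl.fetch('results', []).map { |r| r['status'] }
      status = if statuses.include?('failed') then 'failed'
               elsif statuses.include?('passed') then 'passed'
               else 'skipped'
               end
      { control: ctl['id'], profile: profile['name'],
        identifiers: Array(ctl.dig('tags', tag_key)), status: status }
    end
  end
end

# Roll control outcomes up to policy identifiers. A requirement counts as
# compliant only when every control tagged with it passed, so one failure in
# any profile, inherited ones included, makes the requirement non-compliant.
def compliance_by_identifier(json_text, tag_key = TAG_KEY)
  rows = control_rows(json_text, tag_key)
  rows.flat_map { |r| r[:identifiers] }.uniq.each_with_object({}) do |id, out|
    mine = rows.select { |r| r[:identifiers].include?(id) }
    out[id] = {
      status:   mine.all? { |r| r[:status] == 'passed' } ? 'compliant' : 'non-compliant',
      controls: mine.size,
      failed:   mine.select { |r| r[:status] == 'failed' }
                    .map { |r| "#{r[:profile]}/#{r[:control]}" }
    }
  end
end

if $PROGRAM_NAME == __FILE__
  compliance_by_identifier(INSPEC_JSON).each do |id, r|
    puts "#{id}: #{r[:status]} (#{r[:controls]} controls; failed: #{r[:failed].join(', ')})"
  end
end
```

Because the roll-up keys on the tag rather than on the profile, a control inherited from a parent profile (the INHERITANCE! case on the earlier slide) lands under the same identifier as the local control, which is exactly what makes the first run fail 3.3.1 as a whole. Feeding the JSON from a post-deployment run into the same script gives the "compliance evaluation after deployment" view, and a control with no results is reported as skipped rather than silently treated as passed.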
36.
SEE ALSO
ABOUT ME
Trevor Vaughan
VP Engineering - Onyx Point, Inc.
tvaughan@onyxpoint.com
@peiriannydd OR @onyxpoint
PROJECT WEBSITE
https://simp-project.com
CONSULTING + TRAINING
http://www.onyxpoint.com
Puppet(8), GitLab(8), Automation(7), DevOps(2), Linux(8)
0.0.1
TVAUGHAN(6) Presentation Info TVAUGHAN(6)
2017-01-19 TVAUGHAN(6)