Policy compliance for systems has been a hot topic for 2017. The Puppet ecosystem provides an excellent set of tools for both automating the initial security and compliance foundation of your systems and, more importantly, ensuring that they stay compliant over time. This talk will pull from the experience that we have gained while developing the SIMP Project and provide both guidelines, and examples, for keeping your systems in compliance with both public and internal policies. This presentation will cover: * Translating policy from source to intent * Mapping class and defined type parameters to policy * Detecting parameter deviation from policy * Enforcing framework-level compliance from Hiera * Compliance evaluation during test * Compliance evaluation after deployment * Correlation and reporting The audience should leave with an understanding of how they can both implement a compliant infrastructure as well as working with their internal security personnel to ensure that the compliance status of their infrastructure is well understood and enforced.

1. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
Trevor Vaughan
VP Engineering - Onyx Point, Inc.
Product Lead
B.S. Computer Engineering,
M. S. Information Assurance
RHCE, PCP, PCD
Automated System Compliance
From the Inside Out
All trademarks are property of their respective owners. All company, product and service names used in this presentation are for
identification purposes only. Use of these names, logos, and brands does not imply endorsement.

2. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
● Automation, Security, and Compliance
− Consulting and Contracting since 2009
Puppet Gold Partners
GitLab Partners
RHEL, CentOS, and SuSE
Cloud Infrastructure
Distributed Data Flow Architectures
DevOps Workflow
Test Automation
● Maintainers of

3. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
Source: Gears of War

4. TRANSLATING
POLICY

5. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
PROVABLE DISPROVABLE
SECURITY X ✔
COMPLIANCE ✔ ✔

6. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point

7. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
Systems Engineering Body of Knowledge - System Realization

9. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
NIST 800-171
§3.3.1: Create, protect, and retain information system audit records to
the extent needed to enable the monitoring, analysis, investigation, and
reporting of unlawful, unauthorized, or inappropriate information system
activity.
Requirement Enable the auditd service
Specification
1. Install auditd
2. Enable auditd
3. Ensure auditd started at boot time

10. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
class auditd (
Boolean $enable = false,
Boolean $at_boot = true
) {
package { 'audit': ensure => 'installed' }
service { 'auditd': enable => $enable }
$kernel_enable = $enable ? { true => '1', default => '0' }
kernel_parameter { 'audit': value => $kernel_enable }
}
1. Install auditd
2. Enable auditd
3. Ensure auditd started at boot time

12. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
COMPLIANCE MODULE

13. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
---
compliance_markup::compliance_map:
version : '1.0.1'
nist_800_171:
auditd_demo::enable:
identifiers :
- '3.3.1'
value : true
auditd_demo::at_boot:
identifiers :
- '3.3.1'
value : true
~ 750
Parameters Mapped

14. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
# /opt/puppetlabs/server/data/puppetserver/simp/compliance_reports
{ "version": "1.0.1",
"fqdn": "el7.int.localdomain",
"puppetserver_info": "local_compile",
"compliance_profiles": {
"nist_800_171": {
"non_compliant": {
"Class[Auditd]": {
"parameters": {
"enable": {
"identifiers": [ "3.3.1" ],
"compliant_value": true,
"system_value": false } } } } } } } } } } }

15. COMPLIANCE
EVALUATION

17. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point

18. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
control 'V-72079' do
title 'Enable the audit daemon'
desc 'The audit daemon must be running to collect audit logs'
impact 0.7
tag 'nist_800-171', ['3.3.1’]
tag 'subsystems', '[“audit”, “auditd”]'
describe service('auditd') do
it { should be_running }
end
end

19. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
auditd_demo/spec/acceptance/suites/default
├── 00_default_spec.rb
├── 10_inspec_failing_spec.rb
├── 20_enforce_spec.rb
└── 30_inspec_passing_spec.rb
Default System
Config
Compliance Fail
Enforce From
Hiera
Compliance Pass

20. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
Default System
Config
Compliance Fail

21. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
Default System
Config
Compliance Fail

22. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
Profile: Auditd demo checks for EL 7 (auditd_demo)
Version: 0.0.1
Target: local://
✔ audit at boot: Auditing should be enabled at system boot time
✔ Command cat /proc/cmdline stdout should match /(S+s+)audit=1/
Profile: InSpec Profile (disa_stig-el7)
Version: 0.1.0
Target: local://
× V-72079: Enable the audit daemon (expected that `Service auditd` is running)
× Service auditd should be running
expected that `Service auditd` is running
Profile Summary: 1 successful, 1 failures, 0 skipped
Test Summary: 1 successful, 1 failures, 0 skipped
INHERITANCE!

23. COMPLIANCE
PARAMETER
ENFORCEMENT

24. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
Default System
Config
Compliance Fail
Enforce From
Hiera
Compliance Pass
---
compliance_markup::compliance_map:
version : '1.0.1'
nist_800_171:
auditd_demo::enable:
identifiers :
- '3.3.1'
value : true
auditd_demo::at_boot:
identifiers :
- '3.3.1'
value : true
---
# Enforcement Selection Hieradata
compliance_markup::enforcement:
- nist_800_171

25. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
Default System
Config
Compliance Fail
Enforce From
Hiera
Compliance Pass

26. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
Default System
Config
Compliance Fail
Enforce From
Hiera
Compliance Pass

27. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
Profile: Auditd demo checks for EL 7 (auditd_demo)
Version: 0.0.1
Target: local://
✔ audit at boot: Auditing should be enabled at system boot time
✔ Command cat /proc/cmdline stdout should match /(S+s+)audit=1/
Profile: InSpec Profile (disa_stig-el7)
Version: 0.1.0
Target: local://
✔ V-72079: Enable the audit daemon
✔ Service auditd should be running
Profile Summary: 2 successful, 0 failures, 0 skipped
Test Summary: 2 successful, 0 failures, 0 skipped

28. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point

29. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
---
# Enforcement Selection Hieradata
compliance_markup::enforcement:
- internal_policy_5
- nist_800_171
---
# Compliance Map
compliance_markup::compliance_map:
version : '1.0.1'
nist_800_171:
auditd_demo::enable:
identifiers :
- '3.3.1'
value : true
auditd_demo::at_boot:
identifiers :
- '3.3.1'
value : true
---
# Compliance Map
compliance_markup::compliance_map:
version : '1.0.1'
internal_policy_5:
auditd_demo::at_boot:
identifiers :
- 'IP-1337.1'
value : false

30. CORRELATION
AND REPORTING

32. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point

33. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point

34. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point

35. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
COMPLIANCE MODULE

36. Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point
SEE ALSO
ABOUT ME
Trevor Vaughan
VP Engineering - Onyx Point, Inc.
tvaughan@onyxpoint.com
@peiriannydd OR @onyxpoint
PROJECT WEBSITE
https://simp-project.com
CONSULTING + TRAINING
http://www.onyxpoint.com
Puppet(8), GitLab(8), Automation(7), DevOps(2), Linux(8)
0.0.1
TVAUGHAN(6) Presentation Info TVAUGHAN(6)
2017-01-19 TVAUGHAN(6)