Security goodness with Ansible
Ansible Meetup
Mike Calizo
Red Hat Senior TAM
June 2018
Agenda (besides beer and pizza consumption)
1. Recap AWX: What's AWX again?
2. Custom Credentials: When you need a credential type that is not provided today
3. scap-security-guide: It has ansible now?
$BFY18 Addressable
Automation Opportunity
Fit for purpose security practices?
- How do you *really* manage credentials?
- Are you using automation to improve your organisation's security posture?
- Hopefully this presentation will give you some ideas to try out for yourself.
Recap: What’s AWX again?
What is AWX?
- Upstream project for Ansible Tower by Red Hat
- Adds features on top of Ansible required in Enterprise IT
  - Web based user interface
  - RBAC
  - Credential Management
  - Auditing / logging / alerting
  - Multi-tenancy
  - Git Integration
  - Job and workflow management
  - Enhanced inventory management
  - Many others...
Custom Credentials in AWX
How are you managing your credentials to authenticate?
ANSIBLE AUTOMATES TECHNOLOGIES YOU USE: OVER 1200 INTEGRATIONS
- CLOUD: AWS, Azure, CenturyLink, Digital Ocean, Google, OpenStack, Rackspace, +more
- VIRT & CONTAINER: Atomic, CloudStack, OpenStack, OpenShift, RHEV, VMware, +more
- WINDOWS: ACLs, Files, Packages, IIS, Regedits, Shares, Services, Configs, Users, Domains, +more
- NETWORK: Arista, A10, Cumulus, Bigswitch, Cisco, Dell, F5, Juniper, Palo Alto, OpenSwitch, +more
- CHAT: Email, HipChat, IRC, Jabber, Rocketchat, Sendgrid, Slack, Twilio, +more
- MONITORING: Airbrake, BigPanda, Datadog, LogicMonitor, Monit, Nagios, New Relic, PagerDuty, Sensu, StackDriver, Zabbix, +more
Pre-Canned Credential Types
- Amazon Web Services
- Ansible Tower
- Google Compute Engine
- Insights
- Machine
- Microsoft Azure Resource Manager
- Network
- OpenStack
- Red Hat CloudForms
- Red Hat Satellite 6
- Red Hat Virtualization
- Source Control
- Vault
- VMware vCenter
Custom Credentials - What?

# Plaintext credentials in the playbook
- name: Install plugin
  jenkins_plugin:
    name: build-pipeline-plugin
    url_username: admin
    url_password: p4ssw0rd
    url: http://localhost:8888

# Vault Encrypt String
- name: Install plugin
  jenkins_plugin:
    name: build-pipeline-plugin
    url_username: "{{ jenkins_username }}"
    url_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      62313365396662343061393464336163383764373764613633653634306231386433626436623361
      6134333665353966363534333632666535333761666131620a663537646436643839616531643561
      63396265333966386166373632626539326166353965363262633030333630313338646335303630
      3438626666666137650a353638643435666633633964366338633066623234616432373231333331
      6564
    url: http://localhost:8888

# Custom Credential Passed as Variable from AWX
- name: Install plugin
  jenkins_plugin:
    name: build-pipeline-plugin
    url_username: "{{ jenkins_username }}"
    url_password: "{{ jenkins_password }}"
    url: http://localhost:8888
Custom Credentials - How?
- Defined in AWX user interface
- Stored encrypted in the AWX database
- Once defined can use it as if it was any other credential
- Needs two things:
  - Input (What I am asking for - username, password, token?)
  - Injector (What I am passing back to the playbook at runtime)
Custom Credentials - How?

Input
  fields:
    - type: string
      id: username
      label: "Give me yo username!"
    - type: string
      id: password
      label: "Give me yo password!"
      secret: True
  required:
    - username
    - password

Injector
  extra_vars:
    jenkins_password: '{{ password }}'
    jenkins_username: '{{ username }}'
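To make the Input/Injector mechanics concrete, here is a small Python simulation of what AWX does with a custom credential type at job launch: it validates the values a user entered against the input spec, renders the injector templates into the extra_vars the playbook receives, and masks any variable derived from a field marked secret before it is logged. This is example code added here, not code from the deck or from the AWX project; the credential type definition mirrors the YAML above, and the sample values ("tholloway", "s3cret") are constructed.

```python
import json
import re

# Credential type definition mirroring the Input/Injector YAML on the slide.
# Constructed for this example, not an export from an AWX instance.
JENKINS_CRED_TYPE = {
    "name": "Jenkins",
    # AWX only allows custom credential types to use kind "cloud" or "net".
    "kind": "cloud",
    "inputs": {
        "fields": [
            {"type": "string", "id": "username", "label": "Give me yo username!"},
            {"type": "string", "id": "password", "label": "Give me yo password!",
             "secret": True},
        ],
        "required": ["username", "password"],
    },
    "injectors": {
        "extra_vars": {
            "jenkins_password": "{{ password }}",
            "jenkins_username": "{{ username }}",
        }
    },
}

# Matches the simple "{{ field_id }}" references the injector templates use.
_TEMPLATE_VAR = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def validate_inputs(cred_type, values):
    """Reject a credential whose values do not satisfy the type's input spec."""
    fields = {f["id"]: f for f in cred_type["inputs"]["fields"]}
    missing = [r for r in cred_type["inputs"]["required"] if not values.get(r)]
    if missing:
        raise ValueError(f"missing required credential fields: {missing}")
    unknown = sorted(set(values) - set(fields))
    if unknown:
        raise ValueError(f"fields not declared by the credential type: {unknown}")
    return fields


def render_extra_vars(cred_type, values):
    """Render the injector templates into the extra_vars the playbook receives."""
    fields = validate_inputs(cred_type, values)

    def substitute(match):
        field_id = match.group(1)
        if field_id not in fields:
            raise KeyError(f"injector references undeclared input {field_id!r}")
        return str(values.get(field_id, ""))

    return {
        var: _TEMPLATE_VAR.sub(substitute, template)
        for var, template in cred_type["injectors"]["extra_vars"].items()
    }


def secret_extra_vars(cred_type):
    """Names of extra_vars whose template references a field marked secret."""
    secret_ids = {f["id"] for f in cred_type["inputs"]["fields"] if f.get("secret")}
    return {
        var
        for var, template in cred_type["injectors"]["extra_vars"].items()
        if secret_ids & set(_TEMPLATE_VAR.findall(template))
    }


def redact(cred_type, extra_vars):
    """Copy of extra_vars that is safe to write to a job log: secrets masked."""
    hidden = secret_extra_vars(cred_type)
    return {k: ("********" if k in hidden else v) for k, v in extra_vars.items()}


if __name__ == "__main__":
    # Constructed sample values a user would type into the AWX credential form.
    entered = {"username": "tholloway", "password": "s3cret"}
    extra_vars = render_extra_vars(JENKINS_CRED_TYPE, entered)
    print("passed to playbook:", json.dumps(redact(JENKINS_CRED_TYPE, extra_vars)))
```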
Custom Credentials - Why?
- Simple to use, no need to vault encrypt an entire playbook or a string
- You can vault encrypt a password, but what if different people want to use their own credentials when running the playbook, e.g. run as my tholloway account rather than a service account.
- Multiple users can create their own credential of the custom credential type you create
- Playbooks can still run outside of AWX
  - The extra_vars that the injector puts in can be passed as normal extra_vars
  - Can come from a vaulted vars file when running outside of AWX
Quick Demo
- Create custom credential for jenkins in AWS
- Kick off a workflow with the following credentials
  - AWS (for EC2)
  - Machine (for SSH)
  - Custom (Jenkins)
- Playbooks will (hopefully…)
  - New EC2 Instance (using AWS Cred)
  - Install Jenkins (using Machine Cred)
  - Install Jenkins Plugins (using Custom Cred)
- Ansible
- Ansible Tower (New!)
Ansible integration in OpenSCAP
What is OpenSCAP?
● SCAP stands for "Security Content Automation Protocol"
● SCAP is a standardized compliance checking solution
● It is a line of specifications maintained by the National Institute of Standards and Technology (NIST) for maintaining system security for IT systems.
● OpenSCAP is the open source implementation
Fun Acronyms
● XCCDF: Extensible Configuration Checklist Description Format. Used for security policies.
● OVAL: Open Vulnerability and Assessment Language. Vulnerability and patch detection.
● CVE: Common Vulnerabilities and Exposures. Tracks systems against configuration requirements.
● CCE: Common Configuration Enumeration. More configuration checks.
What is scap-security-guide?
● Package that provides guidance for applying security baselines
● Bridges the gap between generalised policy requirements and specific implementation guidelines
● Automated policy enforcement and remediation
● Baselines include PCI-DSS, DISA-STIG etc.
OpenSCAP Integration with Ansible Automation
● Define and tailor security policies via profiles
● Scan and apply security policies via Ansible Automation
● Assert security policy at build with Ansible Automation or Anaconda
● Shipped National Checklist profiles include:
  - DISA STIG
  - PCI-DSS
  - NIST USGCB
[Diagram: OpenSCAP and the SCAP security guide, with the PCI-DSS, USGCB and STIG profiles]
HTML Report against scan
Remediation
How to SCAN a system (C2S example)
# Install packages
yum -y install openscap scap-workbench scap-security-guide ansible

# List Remediation Playbooks
ls /usr/share/scap-security-guide/ansible

# List Available Profiles
oscap info "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"

# Automagically Remediate
ansible-playbook /usr/share/scap-security-guide/ansible/ssg-rhel7-role-C2S.yml

# Run a Scan
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_C2S \
    --fetch-remote-resources --results scan-C2S.results.xml \
    --report scan-C2S-results.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Upstream Project: https://github.com/OpenSCAP/scap-security-guide
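The scan step above leaves an XCCDF results file (scan-C2S.results.xml) next to the HTML report; the following Python reads that machine-readable file, tallies outcomes, lists failed rules by severity so remediation can be prioritised, and applies a simple build gate. This is example code added here, not from the deck or the OpenSCAP project; it assumes the `--results` output is an XCCDF 1.2 document with a TestResult element, and the embedded sample (host name, rule ids, outcomes, score) is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed stand-in for the scan-C2S.results.xml that `oscap xccdf eval
# --results` writes. Rule ids and outcomes are made up for the example.
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_C2S">
    <target>host.example.test</target>
    <profile idref="xccdf_org.ssgproject.content_profile_C2S"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_a" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_b" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_c" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_d" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666667</score>
  </TestResult>
</Benchmark>
"""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_results(xml_text):
    """Extract profile, target, score and per-rule outcomes from an XCCDF result."""
    root = ET.fromstring(xml_text)
    test_result = root.find(".//x:TestResult", XCCDF)
    if test_result is None:
        raise ValueError("no TestResult element: was the file written by --results?")
    profile = test_result.find("x:profile", XCCDF)
    score = test_result.findtext("x:score", namespaces=XCCDF)
    rules = []
    for rr in test_result.findall("x:rule-result", XCCDF):
        rules.append({
            "id": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": rr.findtext("x:result", default="unknown", namespaces=XCCDF),
        })
    return {
        "profile": profile.get("idref") if profile is not None else None,
        "target": test_result.findtext("x:target", namespaces=XCCDF),
        "score": float(score) if score else None,
        "rules": rules,
    }


def outcome_counts(report):
    """pass/fail/notapplicable tallies, useful for trending scans over time."""
    return Counter(r["result"] for r in report["rules"])


def failed_rules(report):
    """Failed rules, highest severity first, so remediation can be prioritised."""
    fails = [r for r in report["rules"] if r["result"] == "fail"]
    return sorted(fails, key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["id"]))


def passes_gate(report, max_high_fails=0):
    """Build gate: True only if at most max_high_fails high-severity rules failed."""
    high = [r for r in failed_rules(report) if r["severity"] == "high"]
    return len(high) <= max_high_fails


if __name__ == "__main__":
    report = parse_results(SAMPLE_RESULTS)
    print(report["profile"], "on", report["target"], "score", report["score"])
    print(dict(outcome_counts(report)))
    for r in failed_rules(report):
        print(f"FAIL [{r['severity']}] {r['id']}")
    print("gate:", "pass" if passes_gate(report) else "FAIL")
```

To run it against a real scan, replace SAMPLE_RESULTS with the contents of scan-C2S.results.xml.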
Thank You.
