PuppetConf 2016: A Year in Open Source: Automated Compliance With Puppet – Trevor Vaughan, Onyx Point, Inc.

Trevor Vaughan, Onyx Point
X
X
Trevor Vaughan
VP Engineering, Onyx Point
SIMP Product Lead
B.S. Comp Eng, M. S. IA
RHCE, PCP, PCD
One Year in Open Source
All trademarks are property of their respective owners. All company, product and service names used in this presentation are for identification purposes
only. Use of these names, logos, and brands does not imply endorsement.

X
X
The presentation that you are about to see is not, in any
way, representative of, or endorsed by, the National
Security Agency or the Government of the United States
of America. As stated in their press release, the NSA, in
releasing the code to the public, is attempting to reduce
any duplication of effort surrounding the general goals of
the SIMP project.
Disclaimer

X
About Onyx Point, Inc.
● Consulting and Federal Contracting Since 2009
○ DevOps
○ Infrastructure Automation
○ Security Compliance
● Community Maintainers of
○ First FOSS Stewardship CRADA with the NSA
● Red Hat Partners
● Puppet Service Provider Gold Partners
● Puppet-Certified Trainers

X
WHAT IS
YOUR
STUFF
OUR
EXPERTISE

X
SIMP Stack

X
Goals
● 100% FOSS Core
● Full Scope Red Hat/CentOS Systems Management
○ Puppet for Automation
○ Does not preclude other systems
● Reduce Complexity of Technical Compliance
● Focus on Mission and Business
○ Enhance Security and Compliance
○ Understand Your Environment
● Leverage and Enhance the Open Source Community

X
ONE YEAR
FOSSCOMPLIANCE
AUTOMATION1 MAY 2015 - PRESENT
OF

X
TESTING

X
Test Coverage
Type # Modules # Tests OS OS Version Total
Rspec (Unit) 88 6,472
RHEL
CentOS
6.8
7.2
2,278,144
Beaker (Acceptance) 43 1,989
RHEL
CentOS
6.8
7.2
342,108
~30 OS Bugs Discovered
● Rsyslog Encryption
● ‘i_version’ Kernel Panic
● Kickstart ‘curl’ FIPS Fail
● ‘krb5kdc’ SELinux Policy Issues
● Auditd Syscall Translation
● ‘cancel-path’ for Libvirt
● GDM Fail with ‘noexec /var/tmp’
● ‘Systemctl’ Returns 0 on Mask

X
Multi-Node Acceptance Tests
rsyslog/spec/acceptance/
├── class_spec.rb
├── client_server_no_tls_spec.rb
├── client_server_udp_spec.rb
├── client_server_using_tls_spec.rb
├── failover_no_tls_spec.rb
├── failover_using_tls_spec.rb
└── nodesets
└── default.yml

X
Test Suites
nfs/spec/acceptance/
├── nodesets
│ └── default.yml
└── suites
├── default
│ ├── 00_basic_test_spec.rb
│ ├── 02_krb5_test_spec.rb
│ └── nodesets -> ../../nodesets
└── stunnel
├── 00_basic_test_spec.rb
├── 03_stunnel_test_spec.rb
├── metadata.yml
└── nodesets -> ../../nodesets

X
COMPLIANCE
MAPPER

X
700+
Variables Mapped
NIST 800-53
NIST 800-171
DISA STIG
ISO/IEC 27001

X
A Glimpse of the Future
---
version: "1.0.0"
compliance_profiles:
test_profile:
compliant:
"Class[Test2::Test3]":
parameters:
arg3_1:
Identifiers: [“ID1.2”]
compliant_value: foo3_1
system_value: foo3_1
non_compliant: {}
documented_missing_resources:
- unmapped1
- "unmapped1::subclass"
documented_missing_parameters:
- "test2::test3::ref_miss1"

X
SecCONOP

X
NIST Special Publication 800-137

X
SecCONOP
● Completely Updated
● A Kickstart Toward Certification and Accreditation
● Built-in NIST 800-53 References
● Designed for Flexibility
○ Provide your own updates in the build
● Currently 49 pages
● http://simp.readthedocs.io/en/5.2.0-0/security_conop

X
1.2
IMA
+ TPM

X
Integrity Management Architecture (IMA)
● Automated!
○ https://github.com/simp/pupmod-simp-tpm
● Tested!
● Not Recommended for Production!
○ Unable to Restrict Memory Usage
○ Unable to Update Policy Without Reboot
○ Some Issues with DoS via Valid Policies

X
Trusted Platform Module (TPM) 1.2
● Integrated
○ https://github.com/simp/pupmod-simp-tpm
● Ownership Automated
● Facter Facts Created
● In Progress
○ Trusted Boot
○ PKCS11 Interface Automation

X
IPSEC

X
Libreswan
● Integrated for EL7
● Feature Request in for RHS ‘any’
● Goal
○ Full X.509-based Opportunistic IPSec
○ Everything except DNS and Puppet

X
ELG

X
ELG
● Completely Updated
● Same Basic Architecture
● Replaced Kibana With Grafana
○ Multi-Tenant Support
○ LDAP Support
○ Safer Default Usage
● SIMP Dashboards in Progress!

X
LESSONS
LEARNED

X
GOVERNMENT
+ OPEN SOURCE

X
Contracts
Contracts

X
COMMUNITY
EXPECTATIONS
(2015 © NBC)

X
Experiences
(1965 © DC Comics)
● Many environments stuck on one-time apply
● “Will this help me DevOps?!”
● Technology is not the problem
○ Undertrained and Understaffed
■ “How do I ‘vi’ a file?” - Senior Administrator

X
TESTING
A TALE OF WOE
+ SORROW

X
What Worked
● All Tests Must Be Able to Be Run by Hand
○ ‘rake spec’, ‘rake beaker:suites’, etc…
○ The ‘travish’ Ruby gem is very useful here

X
What Worked
● Beaker + Vagrant
○ Docker was erratic on different systems
■ Aufs + Docker == /var death
○ Can’t test FIPS and non-FIPS in Docker
○ Can’t validate external protections (IPTables, etc…) in Docker

X
What Didn’t Work

X
Where We’re Heading

X
Upcoming Features
● TPM
○ Automated Trusted Boot
○ Credential Protection
○ PKCS11
■ Hook in Everything!
● IPSec
○ Opportunistic IPSec
■ X.509 is the Target
● Hashicorp Vault
○ Secret Storage
○ Good for HIPAA...and TPMs?
● Compliance Mapper 1.0
○ Report on compliant and
non-compliant entries
○ Less code modification

X
Upcoming Features
● FreeIPA
○ Easier Management
● Seamless Puppet Enterprise
● Puppet AIO
○ Puppet 3 EOL - Dec 31, 2016
● Fapolicyd
○ Thanks to Steve Grubb!
● OpenSCAP Suites
○ Targeted Tests in Modules
● Full Stack KRB5 Integration
○ PAM
○ SSH
● Immediate Remediation
○ Based on last Puppet
Catalog

X
LESSONS
LEARNED
Trevor Vaughan- VP
Engineering, Onyx Point
tvaughan@onyxpoint.com
@peiriannydd

PuppetConf 2016: A Year in Open Source: Automated Compliance With Puppet – Trevor Vaughan, Onyx Point, Inc.

More Related Content

Similar to PuppetConf 2016: A Year in Open Source: Automated Compliance With Puppet – Trevor Vaughan, Onyx Point, Inc. (20)

More from Puppet (20)

Recently uploaded (20)

PuppetConf 2016: A Year in Open Source: Automated Compliance With Puppet – Trevor Vaughan, Onyx Point, Inc.