Operational Compliance: From Requirements to Reality

Posted 29-Oct-2019

Page 1:

Start Compliant. Stay Compliant. Trevor Vaughan, Onyx Point

Trevor Vaughan, VP Engineering - Onyx Point, Inc.

Product Lead, B.S. Computer Engineering, M.S. Information Assurance

RHCE, PCP, PCD

Operational Compliance: From Requirements to Reality

All trademarks are property of their respective owners. All company, product and service names used in this presentation are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.

Page 2:

● Automation, Security, and Compliance
  − Consulting and Contracting since 2009
    ■ Government and Commercial
    ■ Cloud Infrastructure
    ■ Distributed Data Flow Architectures
    ■ DevOps Workflow
    ■ Test Automation
    ■ Focus on Compliance

● Maintainers of

Page 3:

Page 4:

WARNING: This content is highly opinionated

Page 5:

Page 6:

Page 7:

Page 8:

BUT WAIT! DID YOU NOTIFY…

Page 9:

Page 10:

Page 11:

Relax. They're Just Requirements

Page 12:

              PROVABLE    DISPROVABLE
SECURITY      X           ✔
COMPLIANCE    ✔           ✔

Security can only be disproven (a single working attack is enough); it cannot be proven. Compliance is a finite list of requirements, so each one can be shown to be met or not met.

Page 13:

Page 14:

Page 15:

Requirement (the § numbers are PCI DSS requirements)   Referenced NIST guidance
§ 2.2   - Industry Accepted Hardening Standard         SP 800-53, SP 800-171
§ 2.2.3 - Secure Insecure Daemons                      SP 800-52
§ 3.6.4 - Cryptographic Key Changes                    SP 800-57
§ 8.2.3 - Password Complexity                          SP 800-63

Page 16:

Risk Management Framework

Page 17:

DevOps

Page 18:

Page 19:

● Development Team
  − Must Ensure Business Functions

● Operations Team
  − First Line of Deployment
  − Last Line of Defense
  − Must Respond to External Threats
  − Must Ensure Business Availability

● Security Team
  − Must Ensure Compliance
  − Should Ensure Security

Page 20:

We are here to meet policies, not random scanners

Page 21:

● SCAP Security Guide
  − NIST SP 800-126 (SCAP)
  − https://open-scap.org

● InSpec
  − Ruby DSL
  − https://www.inspec.io

Page 22:

Title   Ensure gpgcheck Enabled In Main Yum Configuration
Rule    xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Ident
Result  pass

Title   Record Events that Modify the System's Discretionary Access Controls - lchown
Rule    xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
Ident
Result  fail

Page 23:

Security Automation for Containers and VMs with OpenSCAP

Friday, Nov 3, 2:00 - 3:30pm

Seacliff Room

Page 24:

Profile: Auditd demo checks for EL 7 (auditd_demo)
Version: 0.0.1
Target:  local://

  ✔  audit at boot: Auditing should be enabled at system boot time
     ✔  Command cat /proc/cmdline stdout should match /(\S+\s+)audit=1/

Profile: InSpec Profile (disa_stig-el7)
Version: 0.1.0
Target:  local://

  ×  V-72079: Enable the audit daemon (expected that `Service auditd` is running)
     ×  Service auditd should be running
        expected that `Service auditd` is running

Profile Summary: 1 successful, 1 failures, 0 skipped
Test Summary:    1 successful, 1 failures, 0 skipped

Page 25:

The Security Team must be part of the CI process

Page 26:

Page 27:

Page 28:

Page 29:

Security Teams are NOT outside of the policies and procedures

Page 30:

Page 31:

Red Teaming is Good!

© Marvel Comics

Page 32:

Weakening The System to run Security Tools is Bad

Page 33:

Security Teams must NOT install independent command and control utilities on your systems

Page 34:

© DC Comics

Page 35:

Page 36:

Security Teams should NOT dump requirements stacks on other teams

Page 37:

Page 38:

Ops and Dev need to play nice with Security

Page 39:

Page 40:

Page 41:

Default System Config → Compliance Fail → Enforce From Data → Compliance Pass

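Added example (mine, not code from the slides, from SIMP or from InSpec): the two checks from the InSpec output on Page 24 and the "Default System Config → Compliance Fail → Enforce From Data → Compliance Pass" loop above, written as plain Ruby so it runs without InSpec or a root shell. The control ids, titles and the `/(\S+\s+)audit=1/` pattern are taken from the page; the host snapshot Hash, the desired-state data, `Control`, `evaluate` and `enforce_from_data` are assumptions that stand in for InSpec's `command`/`service` resources and for the Puppet/Hiera data that would normally drive enforcement.

```ruby
# Added example (not from the slides): a minimal "compliance as code"
# evaluator in plain Ruby. It mirrors the two InSpec checks on the page
# (audit=1 on the kernel command line, auditd running) but reads a Hash
# describing the host instead of the live system, so it runs anywhere.
# Control ids, titles and PAGE_PATTERN come from the page; the snapshot
# data, the Control struct and enforce_from_data are assumptions.

require 'set'

Control = Struct.new(:id, :title, :check)

# The page's InSpec pattern. It needs a token before audit=1 and has no
# trailing boundary, so it also accepts "audit=10" and rejects a line that
# starts with "audit=1".
PAGE_PATTERN = /(\S+\s+)audit=1/

# Tighter pattern: audit=1 as a whole word, anywhere on the line.
STRICT_PATTERN = /(?:\A|\s)audit=1(?:\s|\z)/

CONTROLS = [
  Control.new('audit at boot',
              'Auditing should be enabled at system boot time',
              ->(host) { host[:cmdline].match?(STRICT_PATTERN) }),
  Control.new('V-72079',
              'Enable the audit daemon',
              ->(host) { host[:services].include?('auditd') }),
].freeze

# Evaluate every control against a host snapshot. Returns a Hash shaped
# like InSpec's "Profile Summary" line plus the per-control verdicts.
def evaluate(host, controls = CONTROLS)
  results = controls.map { |c| [c.id, c.check.call(host)] }.to_h
  {
    results: results,
    successful: results.values.count(true),
    failures: results.values.count(false),
  }
end

# "Enforce from data": the desired state is data (a Hash here; a Puppet or
# Hiera layer would normally supply it). Applying it yields a new snapshot;
# the input snapshot is not modified.
def enforce_from_data(host, desired)
  cmdline = host[:cmdline].split
  desired.fetch(:kernel_params, {}).each do |key, value|
    cmdline.reject! { |param| param.start_with?("#{key}=") }
    cmdline << "#{key}=#{value}"
  end
  {
    cmdline: cmdline.join(' '),
    services: host[:services] | desired.fetch(:services, []),
  }
end

# Constructed sample: an EL7 default that has never been hardened.
DEFAULT_HOST = {
  cmdline: 'BOOT_IMAGE=/vmlinuz-3.10.0-693.el7.x86_64 root=/dev/mapper/rhel-root ro quiet',
  services: Set['sshd', 'crond'],
}.freeze

# Constructed desired-state data covering the two controls above.
DESIRED_STATE = {
  kernel_params: { 'audit' => '1' },
  services: ['auditd'],
}.freeze

def report(label, summary)
  puts "== #{label}"
  summary[:results].each { |id, ok| puts "  #{ok ? '✔' : '×'}  #{id}" }
  puts "  Profile Summary: #{summary[:successful]} successful, #{summary[:failures]} failures"
end

if $PROGRAM_NAME == __FILE__
  report('Default System Config', evaluate(DEFAULT_HOST))
  report('Enforce From Data', evaluate(enforce_from_data(DEFAULT_HOST, DESIRED_STATE)))
end
```

Run it with `ruby compliance_as_code.rb`: the default snapshot fails both controls, the snapshot produced from the desired-state data passes both. The live check uses `STRICT_PATTERN` rather than the page's regex because the page's pattern has no trailing boundary (so `ro audit=10` satisfies it) and requires a preceding token (so `audit=1 ro` does not); on a real host `BOOT_IMAGE=` is normally first, which hides the second problem but not the first.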

Page 43:

Infrastructure as Code / Compliance as Code

Page 44:

How do we operationalize security?

● Remember that policy == requirements
● Integrate the security team into the full workflow
● Keep the workflow consistent
● Help, and watch, each other
● Remember availability

Page 45:

TVAUGHAN(6)                    Presentation Info                    TVAUGHAN(6)

SEE ALSO
    Puppet(8), GitLab(8), Automation(7), DevOps(2), RedHat(8)

ABOUT ME
    Trevor Vaughan
    VP Engineering - Onyx Point, Inc.
    [email protected]
    @peiriannydd

PROJECT WEBSITE
    https://simp-project.com

CONSULTING + TRAINING
    http://www.onyxpoint.com

0.0.1                            2017-01-19                         TVAUGHAN(6)