Puppet for Security Compliance - GOSCON 2010

Post on 25-Dec-2014


DESCRIPTION

Teyo Tyree's slides from GOSCON 2010. He covers the benefits for a modern approach to systems management and compliance and the key advantages of a model-driven approach to configuration management.

TRANSCRIPT

Puppet

October 2010

A Modern Approach to Systems Management and Compliance

Wednesday, December 15, 2010

The Compliance Problem

The Olde Days

The Security Analyst

Not Aligned with Business Needs

Tools and Custom Scripts

The Auditor

Networks Grow

The Compliance Paradox

Puppet: A New Approach

★ Is a model-driven framework to centrally manage IT systems.
★ Enforces consistent, known-secure configurations of target systems.
★ Enables cross-functional collaboration within IT.
★ Enables reuse of service configurations across departments and organizations.

Puppet: a framework for configuration management

Declarative Configuration Language

A Language for Collaboration: DevOps

[Diagram: today 99% of IT is silo'd, with a separate Team OS, Team App, Team Config and Team Sec; with Puppet, the OS, application, configuration and security layers (SOX, LAMP, Rails) are managed together: Puppet = dev/ops/sec.]

Operating System Support

Cross Platform Architecture

Advantages?

★ Puppet-enforced policies can be applied over and over again.
★ Policies can be expressed as the desired state (not how to get there).
★ Puppet's enforced policies can be context sensitive.
★ Puppet provides a log history over the lifecycle of a system.
★ Operates at cloud scale.

With Puppet, auditing and remediation is a single automated configuration task.
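To make the "desired state, context sensitive, repeatable" points concrete, here is an added example manifest; it is not code from the slides or from Puppet Labs. It describes a small hardening baseline as state rather than as steps, and adapts two platform details from facts. The class name, the file paths, the `sshd_config.d` drop-in (which assumes the host's `sshd_config` includes `/etc/ssh/sshd_config.d/*.conf`) and the Puppet 4+ `$facts` syntax are all assumptions of this example.

```puppet
# Added example (not from the GOSCON 2010 slides): a compliance baseline
# written as desired state. Class name, paths and the drop-in directory
# are assumptions; Puppet 4+ syntax.
class compliance::baseline {

  # Context sensitivity: the same policy adapts to the platform via facts
  # instead of being copied once per OS.
  $shadow_group = $facts['os']['family'] ? {
    'Debian' => 'shadow',
    default  => 'root',
  }
  $shadow_mode = $facts['os']['family'] ? {
    'Debian' => '0640',
    default  => '0000',
  }
  $ssh_service = $facts['os']['family'] ? {
    'Debian' => 'ssh',
    default  => 'sshd',
  }

  # Desired state, not a procedure: on every run Puppet compares the real
  # owner/group/mode with this declaration and changes only what drifted,
  # so the policy can be applied over and over again safely.
  file { '/etc/shadow':
    ensure => file,
    owner  => 'root',
    group  => $shadow_group,
    mode   => $shadow_mode,
  }

  # Assumes sshd_config carries "Include /etc/ssh/sshd_config.d/*.conf".
  file { '/etc/ssh/sshd_config.d/50-compliance.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => "PermitRootLogin no\nPasswordAuthentication no\n",
    notify  => Service[$ssh_service],   # restart only when the file changed
  }

  service { $ssh_service:
    ensure => running,
    enable => true,
  }

  # A control that removes something is the same kind of statement.
  package { 'telnet-server':
    ensure => absent,
  }
}

include compliance::baseline
```

`puppet apply --noop baseline.pp` evaluates the same catalog but only reports what would change, which is the audit; running it without `--noop` performs the remediation. Because every run re-evaluates the declared state, scheduling the run is what keeps the policy enforced over the life of the system.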

Demo


Puppet and SCAP

★ Current SCAP tools are auditing only.
★ Remediation tools are Windows only.
★ Puppet provides auditing and remediation in a single step.
★ Puppet is being used for configuration and security management across government agencies.
★ Puppet currently supports AIX, HP-UX, Linux, Mac OS X.
★ Broadly adopted outside of government.

Puppet and OVAL/ORVL

★ Puppet provides a high-level auditing and configuration management language.
★ Each managed element is represented as an abstract resource.
★ Puppet is well suited and widely deployed for configuration management; security compliance is a subset of overall configuration management.
★ The Puppet language is machine-parseable, and the compiled catalog of resources cleanly represents the desired state of each resource on a system.
★ Each resource is audited for state, and the result of that audit is logged as an event.
★ The high-level Puppet language is machine readable.
★ Puppet-managed resources can be generated from external data sources.
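An added example, not from the slides, of the last points on this list: a control list kept as data outside the manifest, turned into one abstract resource per control, which Puppet then audits or remediates on every run and logs per resource. The Hiera key `compliance::file_controls`, the control identifiers and the paths are constructed for illustration; the syntax is Puppet 4+.

```puppet
# Added example (not from the GOSCON 2010 slides): compliance controls
# expressed as data and generated into Puppet resources. Key name,
# control ids and paths are constructed sample values.
class compliance::file_controls {

  # External data source: in a real deployment the hash comes from Hiera
  # under the (assumed) key 'compliance::file_controls'. The default hash
  # below is constructed sample data so the manifest runs without a
  # Hiera hierarchy.
  $controls = lookup('compliance::file_controls', Hash, 'hash', {
    'ctrl_shadow_perms' => {
      'path'  => '/etc/shadow',
      'owner' => 'root',
      'group' => 'root',
      'mode'  => '0000',
    },
    'ctrl_sshd_config_perms' => {
      'path'  => '/etc/ssh/sshd_config',
      'owner' => 'root',
      'group' => 'root',
      'mode'  => '0600',
    },
    'ctrl_no_hosts_equiv' => {
      'path'   => '/etc/hosts.equiv',
      'ensure' => 'absent',
    },
  })

  # One abstract resource per control. On each run Puppet audits the real
  # state of every resource and logs the outcome as an event; under --noop
  # it reports the drift without changing anything, otherwise it corrects
  # it in the same step. Unset attributes (owner/mode on an 'absent'
  # control) are simply left unmanaged.
  $controls.each |String $id, Hash $c| {
    file { $c['path']:
      ensure => $c['ensure'] ? { undef => 'file', default => $c['ensure'] },
      owner  => $c['owner'],
      group  => $c['group'],
      mode   => $c['mode'],
      tag    => $id,   # lets reports and --tags select by control id
    }
  }
}

include compliance::file_controls
```

`puppet apply --noop --detailed-exitcodes controls.pp` exits 0 when every control is already in the declared state and 2 when drift was found, which turns the per-resource audit events in the report into a simple pass/fail signal for an auditor; `puppet apply --tags ctrl_shadow_perms controls.pp` applies a single control on its own.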

Who is using this approach?

★ Los Alamos National Laboratories
★ SPAWAR (STIG compliance)
★ Lockheed Martin
★ Northrop Grumman
★ SecState (an SCAP audit and remediation tool)

What is next?

Puppet as a constraint language.

Post Catalog Processing

Device Management

Zero Day Automated Fixes

Supported Compliance Modules in the Puppet Forge

Links

★ https://fedorahosted.org/secstate/
★ http://scap.nist.gov/specifications/xccdf/
★ https://svn.forge.mil/svn/repos/slim/slim/docs/
★ https://svn.forge.mil/svn/repos/slim/slim/base/dev/rhel5/rpm/trunk/channels/x86_64/puppet/
★ http://oval.mitre.org/adoption/supporters.html
★ http://www.puppetlabs.com/blog/los-alamos-national-laborator-publishes-puppet-white-paper-for-mac-os-x-configuration-management
★ http://github.com/jamtur01/puppet-hardening
★ http://docs.puppetlabs.com/guides/introduction.html

Questions?

Puppet Labs is hiring! jobs@puppetlabs.com

twitter: @brainfinger
email: teyo@puppetlabs.com