puppet for security compliance - goscon 2010
DESCRIPTION
Teyo Tyree's slides from GOSCON 2010. He covers the benefits of a modern approach to systems management and compliance, and the key advantages of a model-driven approach to configuration management.
TRANSCRIPT
Puppet
October 2010
A Modern Approach to Systems Management and Compliance
Wednesday, December 15, 2010
The Compliance Problem
The Olde Days
The Security Analyst
Not Aligned with Business Needs
Tools and Custom Scripts
The Auditor
Networks Grow
The Compliance Paradox
Puppet: A New Approach
★ Is a model-driven framework to centrally manage IT systems.
★ Enforces consistent, known-secure configurations of target systems.
★ Enables cross-functional collaboration within IT.
★ Enables reuse of service configurations across departments and organizations.
Puppet: a framework for configuration management
Declarative Configuration Language
A Language for Collaboration: DevOps
[Diagram, two panels. "Today: 99% of IT Silo'd": Team OS, Team App, Team Config and Team Sec, each with its own layer (OS, App, Config, Security). "Managed With Puppet": OS, App, Config; SOX, LAMP, Rails; Puppet = dev/ops/sec.]
Operating System Support
Cross Platform Architecture
Advantages?
★ Puppet-enforced policies can be applied over and over again.
★ Policies can be expressed as the desired state (not how to get there).
★ Puppet's enforced policies can be context sensitive.
★ Puppet provides a log history over the lifecycle of a system.
★ Operates at cloud scale.
With Puppet, auditing and remediation is a single automated configuration task.
Demo
Puppet and SCAP
★ Current SCAP tools are auditing only.
★ Remediation tools are Windows only.
★ Puppet provides auditing and remediation in a single step.
★ Puppet is being used for configuration and security management across government agencies.
★ Puppet currently supports AIX, HP-UX, Linux, Mac OS X.
★ Broadly adopted outside of GOV.
Puppet and OVAL/ORVL
★ Puppet provides a high-level auditing and configuration management language.
★ Each managed element is represented as an abstract resource.
★ Puppet is well suited and widely deployed for configuration management; security compliance is a subset of overall configuration management.
★ The Puppet language is machine-parseable, and the compiled catalog of resources cleanly represents the desired state of each resource on a system.
★ Each resource is audited for state, and the result of that audit is logged as an event.
★ The high-level Puppet language is machine readable.
★ Puppet-managed resources can be generated from external data sources.
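The single-step audit-and-remediate model from the SCAP and OVAL/ORVL slides above, as an added Puppet manifest that is not part of the original deck: each managed element is one resource with a declared desired state, and applying the catalog both checks it and corrects drift, logging each result as an event. The class name, paths, file modes and the 'sshd' service name are assumptions for a typical Linux host.

```puppet
# Added example, not from the slides: a small hardening baseline expressed
# as desired state. Every block below is one Puppet resource; on each run
# the agent compares the resource to the live system, corrects any drift,
# and logs the comparison and any change as an event in the run report.
# Class name, paths, modes and the 'sshd' service name are assumptions for
# a typical Linux host; adjust them to the platform's own baseline.
class baseline::access_control {

  # Password hashes must be root-owned and unreadable by everyone else.
  file { '/etc/shadow':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0400',
  }

  # Disallow remote root logins. The augeas type edits the single
  # directive in place and leaves the rest of sshd_config untouched.
  augeas { 'sshd_permit_root_login':
    context => '/files/etc/ssh/sshd_config',
    changes => 'set PermitRootLogin no',
    notify  => Service['sshd'],
  }

  # Keep the daemon running so the directive above is actually in effect;
  # the notify relationship restarts it only when the config changed.
  service { 'sshd':
    ensure => running,
    enable => true,
  }

  # Audit without remediation: record the owner, group and mode of
  # /etc/passwd on every run. No desired values are given, so Puppet only
  # logs an event when one of these attributes differs from the last run.
  file { '/etc/passwd':
    audit => [ 'owner', 'group', 'mode' ],
  }
}

include baseline::access_control
```

Running `puppet apply --noop` on this manifest reports what would change without touching the host (a pure audit); the same run without `--noop` is the remediation, and the report from either run is the audit trail.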
Who is using this approach?
★ Los Alamos National Laboratories
★ SPAWAR (STIG compliance)
★ Lockheed Martin
★ Northrop Grumman
★ SecState (an SCAP audit and remediation tool)
What is next?
Puppet as a constraint language.
Post Catalog Processing
Device Management
Zero Day Automated Fixes
Supported Compliance Modules in the Puppet Forge
Links
★ https://fedorahosted.org/secstate/
★ http://scap.nist.gov/specifications/xccdf/
★ https://svn.forge.mil/svn/repos/slim/slim/docs/
★ https://svn.forge.mil/svn/repos/slim/slim/base/dev/rhel5/rpm/trunk/channels/x86_64/puppet/
★ http://oval.mitre.org/adoption/supporters.html
★ http://www.puppetlabs.com/blog/los-alamos-national-laborator-publishes-puppet-white-paper-for-mac-os-x-configuration-management
★ http://github.com/jamtur01/puppet-hardening
★ http://docs.puppetlabs.com/guides/introduction.html
Questions?
Puppet Labs is [email protected]
twitter: @brainfinger
email: [email protected]