puppet for security compliance - goscon 2010

Puppet

October 2010

A Modern Approach to Systems Management and Compliance

Wednesday, December 15, 2010

The Compliance Problem


The Olde Days


The Security Analyst


Not Aligned with Business Needs


Tools and Custom Scripts


The Auditor


Networks Grow


The Compliance Paradox


Puppet: A New Approach



★ Is a model driven framework to centrally manage IT systems.



★ Is a model driven framework to centrally manage IT systems.★ Enforces consistent, known secure, configurations of target

systems.




systems.★ Enables cross-functional collaboration within IT.




systems.★ Enables cross-functional collaboration within IT.★ Enables reuse of service configurations across departments

and organizations.


Puppet: a framework for configuration management


Declarative Configuration Language


A Language for Collaboration: DevOps

OS App Config

Puppet = dev/ops/sec

SOX LAMP RAILS

Managed With Puppet

OS App Config

Team OS Team App Team Config

Today: 99% of IT Silo’d

Team Sec

ConfigSecurity


Operating System Support


Cross Platform Architecture


Advantages?


★ Puppet enforced policies can be applied over and over again.

Advantages?


★ Puppet enforced policies can be applied over and over again.★ Policies can be expressed as the desired state (not how to get

there).

Advantages?



there).★ Puppet’s enforced policies can be context sensitive.

Advantages?



there).★ Puppet’s enforced policies can be context sensitive.★ Puppet provides a log history over the lifecycle of a system.

Advantages?



there).★ Puppet’s enforced policies can be context sensitive.★ Puppet provides a log history over the lifecycle of a system.★ Operates at cloud scale.

Advantages?


With Puppet, auditing and remediation is a single automated configuration task.


Demo


Puppet and SCAP


★ Current SCAP tools are auditing only.

Puppet and SCAP


★ Current SCAP tools are auditing only.★ Remediation tools are Windows only.

Puppet and SCAP


★ Current SCAP tools are auditing only.★ Remediation tools are Windows only.★ Puppet provides auditing and remediation in a single step.

Puppet and SCAP


★ Current SCAP tools are auditing only.★ Remediation tools are Windows only.★ Puppet provides auditing and remediation in a single step.★ Puppet is being used for configuration and security management

across government agencies.

Puppet and SCAP



across government agencies.★ Puppet currently support AIX, HP-UX, LINUX, Mac OS X.

Puppet and SCAP



across government agencies.★ Puppet currently support AIX, HP-UX, LINUX, Mac OS X.★ Broadly adopted outside of GOV.

Puppet and SCAP


Puppet and OVAL/ORVL


Puppet and OVAL/ORVL★ Puppet provides a high level auditing and configuration

management language.



management language.★ Each managed element is represented as an abstract resource.



management language.★ Each managed element is represented as an abstract resource.★ Puppet is well suited and widely deployed for configuration

management, security compliance is a subset of overall configuration management.





★ Puppet Language is machine parse-able and the compiled catalog of resources cleanly represents the desired state of each resource on a system.






★ Each resource is audited for state and the result of that audit is logged as an event.







★ High level Puppet language is machine readable.







★ High level Puppet language is machine readable.★ Puppet managed resources can be generated from external

datasources.


Who is using this approach?


★ Los Alamos National Laboratories



★ Los Alamos National Laboratories★ SPAWAR (STIG compliance)



★ Los Alamos National Laboratories★ SPAWAR (STIG compliance)★ Lockheed Martin



★ Los Alamos National Laboratories★ SPAWAR (STIG compliance)★ Lockheed Martin★ Northrup Grumman



★ Los Alamos National Laboratories★ SPAWAR (STIG compliance)★ Lockheed Martin★ Northrup Grumman★ SecState (An SCAP audit and remediation tool.)



What is next?


Puppet as a constraint language.


Post Catalog Processing


Device Management


Zero Day Automated Fixes


Supported Compliance Modules in the Puppet Forge


★ https://fedorahosted.org/secstate/★ http://scap.nist.gov/specifications/xccdf/★ https://svn.forge.mil/svn/repos/slim/slim/docs/★ https://svn.forge.mil/svn/repos/slim/slim/base/dev/rhel5/rpm/

trunk/channels/x86_64/puppet/★ http://oval.mitre.org/adoption/supporters.html★ http://www.puppetlabs.com/blog/los-alamos-national-laborator-

publishes-puppet-white-paper-for-mac-os-x-configuration-management

★ http://github.com/jamtur01/puppet-hardening★ http://docs.puppetlabs.com/guides/introduction.html

Links


https://fedorahosted.org/secstate/

https://fedorahosted.org/secstate/

http://scap.nist.gov/specifications/xccdf/

http://scap.nist.gov/specifications/xccdf/

https://svn.forge.mil/svn/repos/slim/slim/docs/

https://svn.forge.mil/svn/repos/slim/slim/docs/

https://svn.forge.mil/svn/repos/slim/slim/base/dev/rhel5/rpm/trunk/channels/x86_64/puppet/




http://oval.mitre.org/adoption/supporters.html

http://oval.mitre.org/adoption/supporters.html

http://www.puppetlabs.com/blog/los-alamos-national-laborator-publishes-puppet-white-paper-for-mac-os-x-configuration-management








http://docs.puppetlabs.com/guides/introduction.html

http://docs.puppetlabs.com/guides/introduction.html

Questions?


Puppet Labs is [email protected]

twitter: @brainfingeremail: [email protected]


mailto:[email protected]

mailto:[email protected]

puppet for security compliance - goscon 2010

Documents