Security Blankets - Triangle InfoSeCon

Security Blankets
Compliance is hard, but consistent system deployment shouldn’t be
Amy Farley, Product Manager
Mike Ralph, Technical Account Manager
#redhat #rhsummit
/whois Amy Farley
● Red Hat
○ Product Manager - Identity
● Love/hate relationship with tech from an early age
● Avid geek/infosec nerd
● Teacher
● Customer Experience Test Monkey
● Connect smart people together for answers

/whois Mike Ralph
● Red Hat
○ Technical Account Manager - Public Sector
● Unix Systems Admin - too many years to admit
● InfoSec Nerd
● These photos are not me
Outline
● Choose framework (STIG)
○ HIPAA, C2S, PCI-DSS, etc...
● Have a repeatable deployment system (Satellite 6.5+)
○ VMware, cloud providers
● Verification system (OpenSCAP)
● Remediation system (Ansible)
○ Other options are Chef, Puppet, Salt, manual (i.e. scripting)
● Demo
● Cloud.redhat.com overview
A computer lets you make more mistakes faster than any invention
in human history - with the possible exceptions of handguns and
tequila. — Mitch Ratliff
We need to have “the talk” about Security
introduction
"We can evade reality but we cannot evade the consequences of evading reality."
–Ayn Rand
Why Does it Matter???
WHY DOES THIS PRESENTATION MATTER?
CIO, CEO, DEV MANAGER, OPERATIONS MANAGER
● I don’t want to end up on the news.
● I want root and I want it now!
● yum -y install *
● My Security Officer keeps talking about a STIG or something.
● Does your Security Officer annoy you? Ask me how to make them go away today!
“Who are the Victims?”
Why Does it Matter???
2019 Verizon DBIR report
Size doesn’t matter…
● 16% Public Sector Entities
● 15% Healthcare Organizations
● 10% FSI
● 43% Small Businesses
No one is too big or too little to fail...
“What Tactics?”
Why Does it Matter???
2019 Verizon DBIR report
Everything is automated…
● 52% Hacking
● 33% Social Attacks
● 28% Malware
● 21% Errors
● 15% Authorized User Misuse
● 4% Physical Actions
Why should your hackers be the only ones that benefit?
Choose your framework
NIST, STIG, HIPAA… Which to choose?
● Depending on your industry, you might be tied to a specific framework.
● If your industry does not have one that is required, choose one that fits your requirements.
Security and Compliance Management
Repeatability is key: if you cannot repeat the process reliably, you will just end up causing more work for yourself.
Provision and Secure @ Build-time
If you cannot verify that your systems comply with the framework, why have it? You should verify compliance on a regular basis for insight into your environment and to ensure nothing has changed.
Security Automation with OpenSCAP
● NIST validated and certified Security Content Automation Protocol (SCAP) scanner by Red Hat
● Scans systems and containers for:
○ known vulnerabilities = unpatched software
○ compliance with security policies (PCI-DSS, US Gov baselines, etc)
● Ansible remediation playbooks provided (new with RHEL 7.5)
● Included in Red Hat Enterprise Linux base repository
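Regular verification pays off when each scan is compared with the previous one. The following added example (not from the original slides) diffs two XCCDF result files, such as those written by `oscap xccdf eval --results`, and reports rules that regressed, disappeared or were fixed; the rule ids, the sample documents and the `doc`, `rule_results` and `drift` helpers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

def doc(rows):
    """Wrap rule-result rows in a minimal results document (constructed sample data)."""
    return ('<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">'
            f'<TestResult id="constructed">{rows}</TestResult></Benchmark>')

# Constructed rule ids and outcomes, not output from a real scan.
BASELINE = doc("""
  <rule-result idref="rule_sshd_disable_root_login"><result>pass</result></rule-result>
  <rule-result idref="rule_accounts_password_minlen"><result>fail</result></rule-result>
  <rule-result idref="rule_service_auditd_enabled"><result>pass</result></rule-result>
  <rule-result idref="rule_service_firewalld_enabled"><result>pass</result></rule-result>
""")
CURRENT = doc("""
  <rule-result idref="rule_sshd_disable_root_login"><result>fail</result></rule-result>
  <rule-result idref="rule_accounts_password_minlen"><result>pass</result></rule-result>
  <rule-result idref="rule_service_auditd_enabled"><result>notselected</result></rule-result>
""")

def rule_results(xml_text):
    """Return {rule id: result} for every rule-result element in the document."""
    root = ET.fromstring(xml_text)
    return {rr.get("idref"): (rr.findtext(NS + "result") or "unknown").strip()
            for rr in root.iter(NS + "rule-result")}

def drift(before_xml, after_xml):
    """Compare two scans of one host and classify what changed since the baseline."""
    before, after = rule_results(before_xml), rule_results(after_xml)
    return {
        # Passed before, anything else now: includes rules deselected by tailoring.
        "regressed": sorted(r for r, v in after.items()
                            if before.get(r) == "pass" and v != "pass"),
        # Present in the baseline but no longer evaluated at all.
        "missing": sorted(set(before) - set(after)),
        "fixed": sorted(r for r, v in after.items()
                        if before.get(r) == "fail" and v == "pass"),
    }

if __name__ == "__main__":
    for kind, rules in drift(BASELINE, CURRENT).items():
        print(f"{kind}: {', '.join(rules) or '-'}")
```

Because `rule_results` walks every `rule-result` element regardless of nesting, the same comparison works on an ARF results file that embeds the XCCDF test result.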
Security Automation with OpenSCAP
● Red Hat natively ships NIST validated National Checklist content
● SCAP Workbench
○ GUI front end tool for OpenSCAP that serves as an SCAP scanner
○ Local scanning of a single machine
○ Provides tailoring functionality for SCAP content
SCAP Workbench
● Found here:
● Runs on a network-connected server
● Runs scans locally or via ssh
● Can create mitigation (tailoring) files (ansible, bash, puppet)
● Reporting
● Documentation
OpenSCAP Everywhere
[Diagram: Compliance Requirements, Lightweight Assessment, SOE, Baseline, Metrics, Provisioning, Configure / Automate, Reusable, Migrations, Integrated]
Portfolio Capabilities
Use-case
● I want to scan a single system
● I want to remediate a single system
● I want to author a new Policy
● I want to modify an existing Policy

● I want to scan groups of systems
● I want to delegate scanning OR reporting to an external identity
● I want to ensure a standard, secure SOE to build the foundation for DevOps

● I want to delegate and automate remediation
● I want to ensure compliance at build time across my entire RHEL-estate
● I want to empower my Organization to become more independent
Automated Provisioning with Satellite 6
Responsive SOE with Red Hat Satellite
Establish the core to manage change
● Provisioning: bare metal, virtual, and public or private clouds
● Configuration: analyze and automatically remediate configuration drift and enforce desired host state
● Software Management: systematic process to apply content, including patches, to deployed systems in all stages, from development to production
● Subscription Management: report and map Red Hat-purchased products to registered systems for end-to-end subscription consumption visibility.
Satellite 6.6
Demo
Questions?
Demo time
Resources
SCAP workbench:
● https://www.open-scap.org/tools/scap-workbench/
● https://static.open-scap.org/scap-workbench-1.1/#_obtain_scap_content
Security Guide:
● https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sect-using_scap_workbench
Resources
● Alternate Content Sources and You (or How to rebuild your Satellite and not have to download all the content from the CDN again) http://www.outsidaz.org/2017/12/21/alternate-content-sources-and-you-or-how-to-rebuild-your-satellite-and-not-have-to-download-all-the-content-from-the-cdn-again/
● Satellite 6: sync repository from an alternate / local content source https://access.redhat.com/articles/1531833
● Addressing CVE-2015-7547, CVE-2015-5229, and any other scary errata via Red Hat Satellite 6.1 - https://access.redhat.com/blogs/1169563/posts/2171601
THANK YOU