STIG Compliance and Remediation with Ansible April 2015.

Presentation transcript:

STIG Compliance and Remediation with Ansible April 2015

PRESENTERS
DAN SHEPHERD // MINDPOINT GROUP
o IT security consultant
o Helps USG and commercial customers respond to difficult IT security challenges
JUSTIN NEMMERS // ANSIBLE GOVERNMENT
o IT architect and (recovering) sysadmin
o 15 years of USG experience
o Wrote first STIG Kickstarts w/ DISA for RHEL 3 and 4

ORGANIZATIONS
MINDPOINT GROUP
o IT security consultancy
o Helps customers consistently meet stringent security requirements
o Well-versed in Ansible
ANSIBLE
o Simplest way to automate IT
o Fastest growing IT automation platform
o Simple, agentless, powerful

WEBCAST GOALS
o Learn about Ansible
o Get started with Ansible and the STIG role
o Install the STIG role
o Apply role and remediate findings
o Fully automate compliance with Ansible Tower

Ansible Enterprise Automation
Ansible Open Source
Simple
/ Uses YAML for playbooks
/ No special coding skills needed
/ Fast learning curve
Agentless
/ Uses OpenSSH
/ No extra code to manage
/ Ready for cloud-scale
Powerful
/ App deployment
/ Orchestration
/ Configuration management
Ansible Tower
Control
/ Centralized job runs
/ Job scheduling
/ Automation dashboard
Security
/ Role-Based Access Control
/ Delegation of credentials/keys
/ Audit trail for automation
Delegation
/ Push-button job execution
/ Portal mode for delegation
/ REST API for integration

ANSIBLE IS COMPLETE AUTOMATION
Ansible was written to automate complex multi-tier deployments, including:
o Configuration management
o App deployment
o Provisioning
o Servers & network devices
o Cloud management & VMs
o Zero-downtime rolling upgrades
o Ad-hoc patches & updates

ANSIBLE: THE LANGUAGE OF ENTERPRISE IT
o Ansible is the first “infrastructure-as-code” that can be read and written across IT… from sys-admins to developers to managers
o Ansible is the only automation engine that can automate the entire application lifecycle & continuous delivery pipeline
Ansible Playbook: from development… to production (DEV/TEST, Q/A, OPERATIONS, MANAGEMENT, INFRASTRUCTURE)

HISTORY OF BASELINES
GOLD DISK
o Infrequent, time consuming, and error prone
o Inconsistent, relies on staff’s capability
o No ongoing remediation or validation
SEMI-AUTOMATION
o Shell scripts, other tooling
o Brittle. Changes really, really hurt
o No ongoing remediation or compliance validation

And both of these options suck. And how do you keep up with changes?

ANSIBLE AND SECURITY BASELINES
REPEAT
o Same process every time
REMEDIATE
o Apply STIG whenever desired
VALIDATE
o Confirm compliance
IDEMPOTENT
o Run and re-run over and over

HOW
MINDPOINT GROUP
o Trusted
o Capable
RHEL 6.x (and variants)
o Very common
DISA STIG
o Significant pain points for USG customers
o SCAP for easy validation

STIG ROLE COVERAGE
CAT 1 (HIGH): 100%
CAT 2 (MEDIUM): 91%
CAT 3 (LOW): 82%
We don’t automatically correct every finding, as some are not always safe to run on live systems (e.g. partitioning).

PLAYBOOK EXAMPLE
apply-stig.yml

---
- name: Apply STIG to a RHEL 6.x System
  hosts: all
  sudo: yes
  vars:
    rhel6stig_cat1: true
    rhel6stig_cat2: true
    rhel6stig_cat3: true
    rhel6stig_fullauto: true
  roles:
    - rhel6stig

CAT 1 ROLE EXAMPLE PLAY
cat1.yml

---
# CAT I Findings
- name: V-38653 High The snmpd service must not use a default password
  replace:
    backup: yes
    dest: /etc/snmp/snmpd.conf
    regexp: '(^com2sec.*default\s+)public'
    replace: '\1{{ rhel6stig_snmp_community }}'
  ignore_errors: yes
  when: snmpconf_test.stat.exists
  notify: restart snmpd
  tags: [ 'cat1', 'V-38653', 'snmp' ]

- name: V-38491 High There must be no hosts.equiv file on the system
  file: state=absent dest=/etc/hosts.equiv
  tags: [ 'cat1', 'V-38491', 'hosts_equiv' ]

- name: V-38491 High There must be no .rhosts files on the system
  file: state=absent dest=~{{ item }}/.rhosts
  with_items: "{{ users.stdout_lines }}"
  tags: [ 'cat1', 'V-38491', 'rhosts' ]
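The CAT I tasks above depend on two registered facts (snmpconf_test, users) and a handler (restart snmpd) that live elsewhere in the role. The stand-alone play below is an added example, not the presentation's slide content or the RHEL6-STIG role's own code; it shows one way to supply them so the three tasks can be run and re-run on their own. It keeps the Ansible 1.8-era syntax of the slides (sudo:, key=value arguments), and the community string value is a labelled placeholder.

```yaml
---
# Constructed example (not the presentation's or the RHEL6-STIG role's own code):
# a stand-alone play that supplies the registered facts and the handler the
# CAT I tasks on the slide depend on.
- name: Remediate selected RHEL 6 CAT I findings
  hosts: all
  sudo: yes
  vars:
    # Placeholder; pass the real community string via --extra-vars or vault.
    rhel6stig_snmp_community: CHANGE_ME_COMMUNITY

  pre_tasks:
    # Lets the snmpd task skip cleanly on hosts without net-snmp installed.
    - name: Check whether snmpd.conf exists
      stat: path=/etc/snmp/snmpd.conf
      register: snmpconf_test

    # Local accounts whose home directories are checked for .rhosts
    # (root plus UID >= 500 accounts with a real login shell).
    - name: Collect local login user names
      shell: "awk -F ':' '($3 == 0 || $3 >= 500) && $7 !~ /nologin|false/ { print $1 }' /etc/passwd"
      register: users
      changed_when: false
      always_run: yes   # still gather the list under --check so the loop below has input

  tasks:
    - name: V-38653 High The snmpd service must not use a default password
      replace:
        backup: yes
        dest: /etc/snmp/snmpd.conf
        regexp: '(^com2sec.*default\s+)public'
        replace: '\1{{ rhel6stig_snmp_community }}'
      when: snmpconf_test.stat.exists
      notify: restart snmpd
      tags: ['cat1', 'V-38653', 'snmp']

    - name: V-38491 High There must be no hosts.equiv file on the system
      file: state=absent dest=/etc/hosts.equiv
      tags: ['cat1', 'V-38491', 'hosts_equiv']

    - name: V-38491 High There must be no .rhosts files on the system
      file: state=absent dest=~{{ item }}/.rhosts
      with_items: "{{ users.stdout_lines }}"
      tags: ['cat1', 'V-38491', 'rhosts']

  handlers:
    # Fires only when the replace task actually modified snmpd.conf.
    - name: restart snmpd
      service: name=snmpd state=restarted
```

On an already compliant host a second run, or a run with --check, reports every task as ok or skipping; any changed line on such a run is configuration drift worth investigating.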

GET THE STIG ROLE
$ ansible-galaxy install
$ ansible-galaxy install -r requirements.yml

requirements.yml:
- src:
  name: rhel6-stig

$ git clone

APPLY STIG ROLE FROM CLI
Requires Ansible version >= 1.8
$ ansible-playbook -i hosts apply-stig.yml

CLI RESULTS
Skipping: a conditional caused the test to be skipped (OK)
Changed: the role made a change on the system
OK: no action required

Demo of the STIG role + Ansible Tower

MORE ROLE INFO
INFORMATION AND STATUS
GALAXY: galaxy.ansible.com/list#/roles/2955
GITHUB: github.com/ansible/ansible-lockdown
GITHUB: github.com/MindPointGroup/RHEL6-STIG

OUR COMMUNITY
FOLLOW US OR CONTRIBUTE
o github.com/ansible/ansible-lockdown
SEE SOMETHING THAT NEEDS FIXING?
o Let us know, and help fix it!
NEED HELP?
o Paying customer?
o MindPoint Group Services
o groups.google.com/forum/#!forum/ansible-project

CONTACT US
MindPoint Group
Ansible