SlideShare a Scribd company logo

2016-08-29 AFITC Security Automation

S
Shawn Wells

2016-08-29 AFITC Security Automation

Software
1 of 29
Download to read offline
Security Automation: RHEL7 DoD STIG Update Shawn Wells (shawn@redhat.com) Chief Security Strategist & Upstream Maintainer, OpenSCAP Red Hat Public Sector Ted Brunell (tbrunell@redhat.com) Chief Architect, DoD Programs Red Hat Public Sector
45 MINUTES, 3 GOALS (+15MIN Q&A) 1. Detail Security Automation Technology & Initiatives ○ Security Automation development initiatives (Red Hat + NSA + NIST) ○ RHEL7 STIG and DoD Secure Host Baseline Status 2. Live Demos ○ Demo #1 i. Deploying Directly into STIG Compliance ii. Any other profiles available, like C2S? iii. What C&A paperwork can be automatically generated? ○ Demo #2 i. Configuration Compliance Scanning (RHEL7 STIG) ii. Customized Compliance baselines with OpenSCAP Workbench iii. Certification/Accreditation Paperwork Generation 3. Roadmap Discussion Intermixed (Gov’t Plans, Packaging, Future Profiles)
MOTIVATION: Red Hat Enterprise Linux 5 STIG ● 587 compliance checks ● No published automation, check everything by hand ● Released 1,988 days after RHEL 5.0! Average time to configure and verify control # controls Total time per RHEL instance 1 minute * 587 9.7 hours 3 minutes * 587 29.4 hours 5 minutes * 587 48.9 hours
Common Criteria tells the government software can be “trusted”
Common Criteria tells the government software can be “trusted” Agencies select and refine NIST 800-53 controls they agree with (“NSA secure passwords must be 14 characters, 2 upper, 2 lower”)
Common Criteria tells the government software can be “trusted” Agencies select and refine NIST 800-53 controls they agree with (“NSA secure passwords must be 14 characters, 2 upper, 2 lower”) Technology-specific baseline guidance created (e.g. DoD STIGs for RHEL)
Common Criteria tells the government software can be “trusted” Agencies select and refine NIST 800-53 controls they agree with (“NSA secure passwords must be 14 characters, 2 upper, 2 lower”) Baseline guidance approved by CxO office (DoD DSAWG) Technology-specific baseline guidance created (e.g. DoD STIGs for RHEL)
Common Criteria tells the government software can be “trusted” Agencies select and refine NIST 800-53 controls they agree with (“NSA secure passwords must be 14 characters, 2 upper, 2 lower”) Baseline guidance approved by CxO office (DoD DSAWG) 2010-AUG-11 through 2012-OCT-29 (810 days) Technology-specific baseline guidance created (e.g. DoD STIGs for RHEL) DISA Operating System SRG (updated approx. ~3 years) 0 days (done in parallel with common criteria) 122 days RHEL6 Process
DISA Red Hat Enterprise Linux 5 STIG ● 587 compliance checks ● No published automation, check everything by hand ● Released 1,988 days after RHEL 5.0! DISA Red Hat Enterprise Linux 6 STIG ● 260 compliance checks ● Fully automated checking base off SCAP ● Released 932 days after RHEL 6.0!
Red Hat Enterprise Linux 5 STIG ● 587 compliance checks ● No published automation, check everything by hand ● Released 1,988 days after RHEL 5.0! Red Hat Enterprise Linux 6 STIG ● 260 compliance checks ● Fully automated checking base off SCAP ● Released 932 days after RHEL 6.0! 5.5 years → 2.5 years (55% faster) 587 checks → 260 checks (56% smaller)
Moving towards fully automated compliance baselines + “0 day STIGs”
OpenSCAP & SCAP Security Guide Project: http://openscap.io Code: http://github.com/OpenSCAP
● 12,109 commits from 155 contributors across all government sectors (including system integrators!) ● 1,967,097 lines of code! ● Averages 10.1 commits per day, releases average every 90 days ○ Average 79.9 code contributions per author ○ Up from average of 13 in 2015! ● Red Hat sponsors NIST Configuration & Compliance certifications https://nvd.nist.gov/SCAP-Validated-Tools/ OpenSCAP BY THE NUMBERS . . .
NEW REQUIREMENTS AROUND SELINUX Making The World a Safer Place Background: ● “SELinux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).” - wikipedia ● A type is a way of classifying an application or resource. Type enforcement is the enforcement of access control on that type. All files, processes, network resources, etc on an SELinux system have a label, and one of the components of that label is the "type”. ● Much of the kernel work has been done by the NSA and Red Hat SELinux must be enabled and in enforcing mode - CAT I finding.
WHAT SHOULD I DO WHILE I WAIT FOR DISA TO RELEASE THEIR STIG CONTENT? http://iase.disa.mil/stigs/Pages/faqs.aspx#STIG
● How can we deploy directly into STIG compliance? ○ GUI ○ Kickstart ● Any other profiles available, like C2S? ● What C&A paperwork can be automatically generated? DEMO #1: DEPLOYING INTO STIG COMPLIANCE
● How do we tailor the baseline, enabling/disabling certain rules? ● How do we refine values, such as password length? ● Is remediation possible? DEMO #2: CONTINUOUS MONITORING
20 THANK YOU youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHatNewslinkedin.com/company/red-hat twitter.com/RedHatGov
Backup Slides
WHERE ARE SUPPLEMENTARY MATERIALS: KICKSTARTS, SCRIPTS, NIST MAPPINGS and OTHER ITEMS Insert paragraph of copy here. Do not exceed 40 words. ● Bullet ● Bullet ● Bullet
TAILORING THE BASELINE SCAP WORKBENCH ● Bullet ● Bullet ● Bullet
AUTOMATING COMPLIANCE BOTH AT PROVISIONING and FOR CONTINUOUS COMPLIANCE During manual installation New “security” option in the installer ● Secure RHEL during provisioning ● Specify the profile at installation time ● Supports vendor content and web-based content
AUTOMATING COMPLIANCE BOTH AT PROVISIONING and FOR CONTINUOUS COMPLIANCE Supplied Content RHEL 6 ● C2S: Collaboration with CIA and Amazon, derived from CIS ● STIG: Official RHEL6 STIG baseline, derived from OS SRG ● CSCF: Cross domain, derived from CNSSI 1253 CDS Overlay RHEL 7 ● PCI: Commercial baseline for financial services ● STIG: Vendor STIG submission ● OSPP: NIAP and NIST 800-53 derived
AUTOMATING COMPLIANCE BOTH AT PROVISIONING and FOR CONTINUOUS COMPLIANCE Automated Kickstart configuration ● New %addon section ○ Content location - included or web based ○ Profile to apply
AUTOMATING COMPLIANCE BOTH AT PROVISIONING and FOR CONTINUOUS COMPLIANCE Satellite Server Integration ● Periodic scans from Satellite ● Run remotely ● Provide results for all RHEL systems within the GUI ● Easily deploy and track compliance
● 39x CAT I ● 242x CAT II ● 14x CAT III NEW CAT I, II, and III FINDINGS Click to add subtitle Insert paragraph of copy here. Do not exceed 40 words.
DIFFERENCES: VENDOR SUPPLIED CONTENT vs DISA CONTENT Insert paragraph of copy here. Do not exceed 40 words. ● Bullet ● Bullet ● Bullet

Recommended

2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
Shawn Wells
 
2016 -11-18 OpenSCAP Workshop Coursebook
2016 -11-18 OpenSCAP Workshop Coursebook2016 -11-18 OpenSCAP Workshop Coursebook
2016 -11-18 OpenSCAP Workshop Coursebook
Shawn Wells
 
2014-07-30 defense in depth scap workbook
2014-07-30 defense in depth scap workbook2014-07-30 defense in depth scap workbook
2014-07-30 defense in depth scap workbook
Shawn Wells
 
2014-07-31 customer convergence applied scap
2014-07-31 customer convergence applied scap2014-07-31 customer convergence applied scap
2014-07-31 customer convergence applied scap
Shawn Wells
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
Jooho Lee
 
2014 04-17 Applied SCAP, Red Hat Summit 2014
2014 04-17 Applied SCAP, Red Hat Summit 20142014 04-17 Applied SCAP, Red Hat Summit 2014
2014 04-17 Applied SCAP, Red Hat Summit 2014
Shawn Wells
 
2016-08-18 Red Hat Partner Security Update
2016-08-18 Red Hat Partner Security Update2016-08-18 Red Hat Partner Security Update
2016-08-18 Red Hat Partner Security Update
Shawn Wells
 
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...
Shawn Wells
 

Recommended

2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
Shawn Wells
 
2016 -11-18 OpenSCAP Workshop Coursebook
2016 -11-18 OpenSCAP Workshop Coursebook2016 -11-18 OpenSCAP Workshop Coursebook
2016 -11-18 OpenSCAP Workshop Coursebook
Shawn Wells
 
2014-07-30 defense in depth scap workbook
2014-07-30 defense in depth scap workbook2014-07-30 defense in depth scap workbook
2014-07-30 defense in depth scap workbook
Shawn Wells
 
2014-07-31 customer convergence applied scap
2014-07-31 customer convergence applied scap2014-07-31 customer convergence applied scap
2014-07-31 customer convergence applied scap
Shawn Wells
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
Jooho Lee
 
2014 04-17 Applied SCAP, Red Hat Summit 2014
2014 04-17 Applied SCAP, Red Hat Summit 20142014 04-17 Applied SCAP, Red Hat Summit 2014
2014 04-17 Applied SCAP, Red Hat Summit 2014
Shawn Wells
 
2016-08-18 Red Hat Partner Security Update
2016-08-18 Red Hat Partner Security Update2016-08-18 Red Hat Partner Security Update
2016-08-18 Red Hat Partner Security Update
Shawn Wells
 
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...
Shawn Wells
 
Red Hat Openstack Certification Program
Red Hat Openstack Certification ProgramRed Hat Openstack Certification Program
Red Hat Openstack Certification Program
Alessandro Silva
 
SafeLogic is Better than Open Source Encryption - The Top 10 Reasons
SafeLogic is Better than Open Source Encryption - The Top 10 ReasonsSafeLogic is Better than Open Source Encryption - The Top 10 Reasons
SafeLogic is Better than Open Source Encryption - The Top 10 Reasons
Walter Paley
 
2013-04-03 Open Source Framework to Catch the Bad Guys
2013-04-03 Open Source Framework to Catch the Bad Guys2013-04-03 Open Source Framework to Catch the Bad Guys
2013-04-03 Open Source Framework to Catch the Bad Guys
Shawn Wells
 
Compliance As Code
Compliance As CodeCompliance As Code
Compliance As Code
Ebru Cucen Çüçen
 
Open Security Controls Assessment Language (OSCAL) - 1st Workshop, Nov 5-7, 2019
Open Security Controls Assessment Language (OSCAL) - 1st Workshop, Nov 5-7, 2019Open Security Controls Assessment Language (OSCAL) - 1st Workshop, Nov 5-7, 2019
Open Security Controls Assessment Language (OSCAL) - 1st Workshop, Nov 5-7, 2019
MichaelaIorgaPhD
 
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
RootedCON
 
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for DevelopersDEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
Cisco DevNet
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon
 
Quantstamp Report - LINKSWAP
Quantstamp Report - LINKSWAPQuantstamp Report - LINKSWAP
Quantstamp Report - LINKSWAP
Roy Blackstone
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
Patricia Aas
 
Hardening solaris
Hardening solarisHardening solaris
Hardening solaris
Femi Adeyemi
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for Cloud
Priyanka Aash
 
FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container Deployment
Priyanka Aash
 
Securing the Pipeline
Securing the PipelineSecuring the Pipeline
Securing the Pipeline
Thoughtworks
 
System Event Monitoring for Active Authentication
System Event Monitoring for Active AuthenticationSystem Event Monitoring for Active Authentication
System Event Monitoring for Active Authentication
Coveros, Inc.
 
EuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through StandardsEuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through Standards
Arthur Hicken
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight Security
David Jorm
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...
Priyanka Aash
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)
abend_cve_9999_0001
 
ChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos TestingChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos Testing
Priyanka Aash
 
Informix 12.10.xC7 MQTT listener - june2016
Informix 12.10.xC7 MQTT listener - june2016Informix 12.10.xC7 MQTT listener - june2016
Informix 12.10.xC7 MQTT listener - june2016
Shawn Moe
 
Planning and executing a DB2 11 for z/OS Migration by Ian Cook
Planning and executing a DB2 11 for z/OS Migration by Ian Cook Planning and executing a DB2 11 for z/OS Migration by Ian Cook
Planning and executing a DB2 11 for z/OS Migration by Ian Cook
Surekha Parekh
 

More Related Content

What's hot

Open Security Controls Assessment Language (OSCAL) - 1st Workshop, Nov 5-7, 2019
Open Security Controls Assessment Language (OSCAL) - 1st Workshop, Nov 5-7, 2019Open Security Controls Assessment Language (OSCAL) - 1st Workshop, Nov 5-7, 2019
Open Security Controls Assessment Language (OSCAL) - 1st Workshop, Nov 5-7, 2019
MichaelaIorgaPhD
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon
 
Securing the Pipeline
Securing the PipelineSecuring the Pipeline
Securing the Pipeline
Thoughtworks
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...
Priyanka Aash
 

What's hot (20)

Red Hat Openstack Certification Program
Red Hat Openstack Certification ProgramRed Hat Openstack Certification Program
Red Hat Openstack Certification Program
 
SafeLogic is Better than Open Source Encryption - The Top 10 Reasons
SafeLogic is Better than Open Source Encryption - The Top 10 ReasonsSafeLogic is Better than Open Source Encryption - The Top 10 Reasons
SafeLogic is Better than Open Source Encryption - The Top 10 Reasons
 
2013-04-03 Open Source Framework to Catch the Bad Guys
2013-04-03 Open Source Framework to Catch the Bad Guys2013-04-03 Open Source Framework to Catch the Bad Guys
2013-04-03 Open Source Framework to Catch the Bad Guys
 
Compliance As Code
Compliance As CodeCompliance As Code
Compliance As Code
 
Open Security Controls Assessment Language (OSCAL) - 1st Workshop, Nov 5-7, 2019
Open Security Controls Assessment Language (OSCAL) - 1st Workshop, Nov 5-7, 2019Open Security Controls Assessment Language (OSCAL) - 1st Workshop, Nov 5-7, 2019
Open Security Controls Assessment Language (OSCAL) - 1st Workshop, Nov 5-7, 2019
 
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]
 
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for DevelopersDEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
DEVNET-1148 Leveraging Cisco OpenStack Private Cloud for Developers
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
Quantstamp Report - LINKSWAP
Quantstamp Report - LINKSWAPQuantstamp Report - LINKSWAP
Quantstamp Report - LINKSWAP
 
DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To Start
 
Hardening solaris
Hardening solarisHardening solaris
Hardening solaris
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for Cloud
 
FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container Deployment
 
Securing the Pipeline
Securing the PipelineSecuring the Pipeline
Securing the Pipeline
 
System Event Monitoring for Active Authentication
System Event Monitoring for Active AuthenticationSystem Event Monitoring for Active Authentication
System Event Monitoring for Active Authentication
 
EuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through StandardsEuroSPI 2016 - Software Safety and Security Through Standards
EuroSPI 2016 - Software Safety and Security Through Standards
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight Security
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)
 
ChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos TestingChaoSlingr: Introducing Security-Based Chaos Testing
ChaoSlingr: Introducing Security-Based Chaos Testing
 

Viewers also liked

Hybrid Security Network for Cloud Information Centre (HSNIC)
Hybrid Security Network for Cloud Information Centre (HSNIC)Hybrid Security Network for Cloud Information Centre (HSNIC)
Hybrid Security Network for Cloud Information Centre (HSNIC)
Peace Asukwo
 
Securing the Automation of Application Deployment with UrbanCode Deploy
Securing the Automation of Application Deployment with UrbanCode DeploySecuring the Automation of Application Deployment with UrbanCode Deploy
Securing the Automation of Application Deployment with UrbanCode Deploy
IBM UrbanCode Products
 
Here For Good Report 2016 - Ganesh
Here For Good Report 2016 - GaneshHere For Good Report 2016 - Ganesh
Here For Good Report 2016 - Ganesh
ganeshMIT
 
DB2 Data Sharing Performance for Beginners
DB2 Data Sharing Performance for BeginnersDB2 Data Sharing Performance for Beginners
DB2 Data Sharing Performance for Beginners
Martin Packer
 
どテック名古屋20161127カモシカスライド
どテック名古屋20161127カモシカスライドどテック名古屋20161127カモシカスライド
どテック名古屋20161127カモシカスライド
kamo4ka3
 

Viewers also liked (20)

Informix 12.10.xC7 MQTT listener - june2016
Informix 12.10.xC7 MQTT listener - june2016Informix 12.10.xC7 MQTT listener - june2016
Informix 12.10.xC7 MQTT listener - june2016
 
Planning and executing a DB2 11 for z/OS Migration by Ian Cook
Planning and executing a DB2 11 for z/OS Migration by Ian Cook Planning and executing a DB2 11 for z/OS Migration by Ian Cook
Planning and executing a DB2 11 for z/OS Migration by Ian Cook
 
Hybrid Security Network for Cloud Information Centre (HSNIC)
Hybrid Security Network for Cloud Information Centre (HSNIC)Hybrid Security Network for Cloud Information Centre (HSNIC)
Hybrid Security Network for Cloud Information Centre (HSNIC)
 
2013-06-12 Compliance Made Easy, Red Hat Summit 2013
2013-06-12 Compliance Made Easy, Red Hat Summit 20132013-06-12 Compliance Made Easy, Red Hat Summit 2013
2013-06-12 Compliance Made Easy, Red Hat Summit 2013
 
Securing the Automation of Application Deployment with UrbanCode Deploy
Securing the Automation of Application Deployment with UrbanCode DeploySecuring the Automation of Application Deployment with UrbanCode Deploy
Securing the Automation of Application Deployment with UrbanCode Deploy
 
Security automation
Security automationSecurity automation
Security automation
 
Here For Good Report 2016 - Ganesh
Here For Good Report 2016 - GaneshHere For Good Report 2016 - Ganesh
Here For Good Report 2016 - Ganesh
 
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
 
DB2 Data Sharing Performance for Beginners
DB2 Data Sharing Performance for BeginnersDB2 Data Sharing Performance for Beginners
DB2 Data Sharing Performance for Beginners
 
Practical Security Automation
Practical Security AutomationPractical Security Automation
Practical Security Automation
 
2012: Putting your robots to work: security automation at Twitter
2012: Putting your robots to work: security automation at Twitter2012: Putting your robots to work: security automation at Twitter
2012: Putting your robots to work: security automation at Twitter
 
Careers in Security
Careers in SecurityCareers in Security
Careers in Security
 
Achieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security AutomationAchieving Continuous Monitoring with Security Automation
Achieving Continuous Monitoring with Security Automation
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
 
The Psychology of Security Automation
The Psychology of Security AutomationThe Psychology of Security Automation
The Psychology of Security Automation
 
AWS Security Architecture - Overview
AWS Security Architecture - OverviewAWS Security Architecture - Overview
AWS Security Architecture - Overview
 
Pirámide según la constitución política 1993
Pirámide según la constitución política 1993Pirámide según la constitución política 1993
Pirámide según la constitución política 1993
 
どテック名古屋20161127カモシカスライド
どテック名古屋20161127カモシカスライドどテック名古屋20161127カモシカスライド
どテック名古屋20161127カモシカスライド
 
Bb
BbBb
Bb
 
Education can help women to achieve, planet 50 50 by 2030 - humana people to ...
Education can help women to achieve, planet 50 50 by 2030 - humana people to ...Education can help women to achieve, planet 50 50 by 2030 - humana people to ...
Education can help women to achieve, planet 50 50 by 2030 - humana people to ...
 

Similar to 2016-08-29 AFITC Security Automation

Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
Bosnia Agile
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
Giuseppe Paterno'
 

Similar to 2016-08-29 AFITC Security Automation (20)

(Micro)chips and SLSA: Securing the Software Supply Chain
(Micro)chips and SLSA: Securing the Software Supply Chain(Micro)chips and SLSA: Securing the Software Supply Chain
(Micro)chips and SLSA: Securing the Software Supply Chain
 
2013-08-22 NSA System Security & Management
2013-08-22 NSA System Security & Management2013-08-22 NSA System Security & Management
2013-08-22 NSA System Security & Management
 
NIST_Ignyte_OSCALWorkshop_2022.pdf
NIST_Ignyte_OSCALWorkshop_2022.pdfNIST_Ignyte_OSCALWorkshop_2022.pdf
NIST_Ignyte_OSCALWorkshop_2022.pdf
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
Talking TUF: Securing Software Distribution
Talking TUF: Securing Software DistributionTalking TUF: Securing Software Distribution
Talking TUF: Securing Software Distribution
 
IoT and M2M Safety and Security
IoT and M2M Safety and Security IoT and M2M Safety and Security
IoT and M2M Safety and Security
 
2017 02-17 rsac 2017 tech-f02
2017 02-17 rsac 2017 tech-f022017 02-17 rsac 2017 tech-f02
2017 02-17 rsac 2017 tech-f02
 
stackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutionsstackArmor - FedRAMP and 800-171 compliant cloud solutions
stackArmor - FedRAMP and 800-171 compliant cloud solutions
 
Agile Secure Development
Agile Secure DevelopmentAgile Secure Development
Agile Secure Development
 
DevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss BankingDevOps & DevSecOps in Swiss Banking
DevOps & DevSecOps in Swiss Banking
 
Devops phase-1
Devops phase-1Devops phase-1
Devops phase-1
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
AzureDay Kyiv 2016 Release Management
AzureDay Kyiv 2016 Release ManagementAzureDay Kyiv 2016 Release Management
AzureDay Kyiv 2016 Release Management
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure Enclave
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrew
 
2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures2008 08-12 SELinux: A Key Component in Secure Infrastructures
2008 08-12 SELinux: A Key Component in Secure Infrastructures
 
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System z
 
The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007The State of Security Enhanced Linux - FOSS.IN/2007
The State of Security Enhanced Linux - FOSS.IN/2007
 
Deploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOpsDeploy 22 microservices from scratch in 30 mins with GitOps
Deploy 22 microservices from scratch in 30 mins with GitOps
 

More from Shawn Wells

More from Shawn Wells (19)

2017-10-10 AUSA 2017: Repeatable DCO Platforms
2017-10-10 AUSA 2017: Repeatable DCO Platforms2017-10-10 AUSA 2017: Repeatable DCO Platforms
2017-10-10 AUSA 2017: Repeatable DCO Platforms
 
2017-07-12 GovLoop: New Era of Digital Security
2017-07-12 GovLoop: New Era of Digital Security2017-07-12 GovLoop: New Era of Digital Security
2017-07-12 GovLoop: New Era of Digital Security
 
2017-02-21 AFCEA West Building Continuous Integration & Deployment (CI/CD) Pi...
2017-02-21 AFCEA West Building Continuous Integration & Deployment (CI/CD) Pi...2017-02-21 AFCEA West Building Continuous Integration & Deployment (CI/CD) Pi...
2017-02-21 AFCEA West Building Continuous Integration & Deployment (CI/CD) Pi...
 
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...
2016-08-24 FedInsider Webinar with Jennifer Kron - Securing Intelligence in a...
 
2015-11-15 - Supercomputing 2015 - Applied Cross Domain
2015-11-15 - Supercomputing 2015 - Applied Cross Domain2015-11-15 - Supercomputing 2015 - Applied Cross Domain
2015-11-15 - Supercomputing 2015 - Applied Cross Domain
 
2015-10-05 Fermilabs DevOps Alone in the Dark
2015-10-05 Fermilabs DevOps Alone in the Dark2015-10-05 Fermilabs DevOps Alone in the Dark
2015-10-05 Fermilabs DevOps Alone in the Dark
 
2015 06-12 DevOpsDC 2015 - Consumer to Collaborator
2015 06-12 DevOpsDC 2015 - Consumer to Collaborator2015 06-12 DevOpsDC 2015 - Consumer to Collaborator
2015 06-12 DevOpsDC 2015 - Consumer to Collaborator
 
2015-01-27 ssa opening remarks
2015-01-27 ssa opening remarks2015-01-27 ssa opening remarks
2015-01-27 ssa opening remarks
 
2014-12-16 defense news - shutdown the hackers
2014-12-16 defense news - shutdown the hackers2014-12-16 defense news - shutdown the hackers
2014-12-16 defense news - shutdown the hackers
 
2014-05-08 IT Craftsmanship to IT Manufacturing
2014-05-08 IT Craftsmanship to IT Manufacturing2014-05-08 IT Craftsmanship to IT Manufacturing
2014-05-08 IT Craftsmanship to IT Manufacturing
 
2014-04-28 cloud security frameworks and enforcement
2014-04-28 cloud security frameworks and enforcement2014-04-28 cloud security frameworks and enforcement
2014-04-28 cloud security frameworks and enforcement
 
2014 04-03 xyratex event
2014 04-03 xyratex event2014 04-03 xyratex event
2014 04-03 xyratex event
 
2013-07-21 MITRE Developer Days - Red Hat SCAP Remediation
2013-07-21 MITRE Developer Days - Red Hat SCAP Remediation2013-07-21 MITRE Developer Days - Red Hat SCAP Remediation
2013-07-21 MITRE Developer Days - Red Hat SCAP Remediation
 
2013-05-22 RedHatGov Partner Event
2013-05-22 RedHatGov Partner Event2013-05-22 RedHatGov Partner Event
2013-05-22 RedHatGov Partner Event
 
2013-03-25 SCAP Workshop Workbook
2013-03-25 SCAP Workshop Workbook2013-03-25 SCAP Workshop Workbook
2013-03-25 SCAP Workshop Workbook
 
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
 
2012-08-21 NRO GED Industry Day
2012-08-21 NRO GED Industry Day2012-08-21 NRO GED Industry Day
2012-08-21 NRO GED Industry Day
 
2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat
 
2011-12-08 Red Hat Enterprise Virtualization for Desktops (RHEV VDI) with Cis...
2011-12-08 Red Hat Enterprise Virtualization for Desktops (RHEV VDI) with Cis...2011-12-08 Red Hat Enterprise Virtualization for Desktops (RHEV VDI) with Cis...
2011-12-08 Red Hat Enterprise Virtualization for Desktops (RHEV VDI) with Cis...
 

Recently uploaded

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Nitya salvi
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 

Recently uploaded (20)

10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
Generic or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisions
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 

2016-08-29 AFITC Security Automation

  • 1. Security Automation: RHEL7 DoD STIG Update Shawn Wells (shawn@redhat.com) Chief Security Strategist & Upstream Maintainer, OpenSCAP Red Hat Public Sector Ted Brunell (tbrunell@redhat.com) Chief Architect, DoD Programs Red Hat Public Sector
  • 2. 45 MINUTES, 3 GOALS (+15MIN Q&A) 1. Detail Security Automation Technology & Initiatives ○ Security Automation development initiatives (Red Hat + NSA + NIST) ○ RHEL7 STIG and DoD Secure Host Baseline Status 2. Live Demos ○ Demo #1 i. Deploying Directly into STIG Compliance ii. Any other profiles available, like C2S? iii. What C&A paperwork can be automatically generated? ○ Demo #2 i. Configuration Compliance Scanning (RHEL7 STIG) ii. Customized Compliance baselines with OpenSCAP Workbench iii. Certification/Accreditation Paperwork Generation 3. Roadmap Discussion Intermixed (Gov’t Plans, Packaging, Future Profiles)
  • 3. MOTIVATION: Red Hat Enterprise Linux 5 STIG ● 587 compliance checks ● No published automation, check everything by hand ● Released 1,988 days after RHEL 5.0! Average time to configure and verify control # controls Total time per RHEL instance 1 minute * 587 9.7 hours 3 minutes * 587 29.4 hours 5 minutes * 587 48.9 hours
  • 4.
  • 5. Common Criteria tells the government software can be “trusted”
  • 6. Common Criteria tells the government software can be “trusted” Agencies select and refine NIST 800-53 controls they agree with (“NSA secure passwords must be 14 characters, 2 upper, 2 lower”)
  • 7. Common Criteria tells the government software can be “trusted” Agencies select and refine NIST 800-53 controls they agree with (“NSA secure passwords must be 14 characters, 2 upper, 2 lower”) Technology-specific baseline guidance created (e.g. DoD STIGs for RHEL)
  • 8. Common Criteria tells the government software can be “trusted” Agencies select and refine NIST 800-53 controls they agree with (“NSA secure passwords must be 14 characters, 2 upper, 2 lower”) Baseline guidance approved by CxO office (DoD DSAWG) Technology-specific baseline guidance created (e.g. DoD STIGs for RHEL)
  • 9. Common Criteria tells the government software can be “trusted” Agencies select and refine NIST 800-53 controls they agree with (“NSA secure passwords must be 14 characters, 2 upper, 2 lower”) Baseline guidance approved by CxO office (DoD DSAWG) 2010-AUG-11 through 2012-OCT-29 (810 days) Technology-specific baseline guidance created (e.g. DoD STIGs for RHEL) DISA Operating System SRG (updated approx. ~3 years) 0 days (done in parallel with common criteria) 122 days RHEL6 Process
  • 10. DISA Red Hat Enterprise Linux 5 STIG ● 587 compliance checks ● No published automation, check everything by hand ● Released 1,988 days after RHEL 5.0! DISA Red Hat Enterprise Linux 6 STIG ● 260 compliance checks ● Fully automated checking base off SCAP ● Released 932 days after RHEL 6.0!
  • 11. Red Hat Enterprise Linux 5 STIG ● 587 compliance checks ● No published automation, check everything by hand ● Released 1,988 days after RHEL 5.0! Red Hat Enterprise Linux 6 STIG ● 260 compliance checks ● Fully automated checking base off SCAP ● Released 932 days after RHEL 6.0! 5.5 years → 2.5 years (55% faster) 587 checks → 260 checks (56% smaller)
  • 12. Moving towards fully automated compliance baselines + “0 day STIGs”
  • 13. OpenSCAP & SCAP Security Guide Project: http://openscap.io Code: http://github.com/OpenSCAP
  • 14.
  • 15. ● 12,109 commits from 155 contributors across all government sectors (including system integrators!) ● 1,967,097 lines of code! ● Averages 10.1 commits per day, releases average every 90 days ○ Average 79.9 code contributions per author ○ Up from average of 13 in 2015! ● Red Hat sponsors NIST Configuration & Compliance certifications https://nvd.nist.gov/SCAP-Validated-Tools/ OpenSCAP BY THE NUMBERS . . .
  • 16. NEW REQUIREMENTS AROUND SELINUX Making The World a Safer Place Background: ● “SELinux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).” - wikipedia ● A type is a way of classifying an application or resource. Type enforcement is the enforcement of access control on that type. All files, processes, network resources, etc on an SELinux system have a label, and one of the components of that label is the "type”. ● Much of the kernel work has been done by the NSA and Red Hat SELinux must be enabled and in enforcing mode - CAT I finding.
  • 17. WHAT SHOULD I DO WHILE I WAIT FOR DISA TO RELEASE THEIR STIG CONTENT? http://iase.disa.mil/stigs/Pages/faqs.aspx#STIG
  • 18. ● How can we deploy directly into STIG compliance? ○ GUI ○ Kickstart ● Any other profiles available, like C2S? ● What C&A paperwork can be automatically generated? DEMO #1: DEPLOYING INTO STIG COMPLIANCE
  • 19. ● How do we tailor the baseline, enabling/disabling certain rules? ● How do we refine values, such as password length? ● Is remediation possible? DEMO #2: CONTINUOUS MONITORING
  • 22. WHERE ARE SUPPLEMENTARY MATERIALS: KICKSTARTS, SCRIPTS, NIST MAPPINGS and OTHER ITEMS Insert paragraph of copy here. Do not exceed 40 words. ● Bullet ● Bullet ● Bullet
  • 23. TAILORING THE BASELINE SCAP WORKBENCH ● Bullet ● Bullet ● Bullet
  • 24. AUTOMATING COMPLIANCE BOTH AT PROVISIONING and FOR CONTINUOUS COMPLIANCE During manual installation New “security” option in the installer ● Secure RHEL during provisioning ● Specify the profile at installation time ● Supports vendor content and web-based content
  • 25. AUTOMATING COMPLIANCE BOTH AT PROVISIONING and FOR CONTINUOUS COMPLIANCE Supplied Content RHEL 6 ● C2S: Collaboration with CIA and Amazon, derived from CIS ● STIG: Official RHEL6 STIG baseline, derived from OS SRG ● CSCF: Cross domain, derived from CNSSI 1253 CDS Overlay RHEL 7 ● PCI: Commercial baseline for financial services ● STIG: Vendor STIG submission ● OSPP: NIAP and NIST 800-53 derived
  • 26. AUTOMATING COMPLIANCE BOTH AT PROVISIONING and FOR CONTINUOUS COMPLIANCE Automated Kickstart configuration ● New %addon section ○ Content location - included or web based ○ Profile to apply
  • 27. AUTOMATING COMPLIANCE BOTH AT PROVISIONING and FOR CONTINUOUS COMPLIANCE Satellite Server Integration ● Periodic scans from Satellite ● Run remotely ● Provide results for all RHEL systems within the GUI ● Easily deploy and track compliance
  • 28. ● 39x CAT I ● 242x CAT II ● 14x CAT III NEW CAT I, II, and III FINDINGS Click to add subtitle Insert paragraph of copy here. Do not exceed 40 words.
  • 29. DIFFERENCES: VENDOR SUPPLIED CONTENT vs DISA CONTENT Insert paragraph of copy here. Do not exceed 40 words. ● Bullet ● Bullet ● Bullet