FISMA COMPLIANCE FOR CONTAINERIZED APPS

Transcription

1 FISMA COMPLIANCE FOR CONTAINERIZED APPS Using Atomic Scan and OpenSCAP with containers Jason Callaway Red Hat Principal Solutions jasoncallaway.com

2 AGENDA Slides at FISMA compliance overview How to be FISMA compliant with Red Hat Enterprise Linux The container monkey wrench OpenSCAP Atomic Scan Ansible role How it all scales 2

3 IGNORE THE WHOLE CONTAINER THING FOR A MOMENT 3

4 E-Government Act of 2002 Federal Agencies CNSS ODNI DISA ICD 503 USGCB FISMA NIST OMB *STILL INCOMPLETE Circular A-130 NIST SP NIST SP FIPS CNSSI 1253 STIG OpenSCAP SSG DIACAP DoDRMF NVD SCAP NIST SP FIPS 140

5 FISMA COMPLIANCE OVERVIEW Making your life harder since RISK-BASED POLICY FOR COST-EFFECTIVE SECURITY USG, DoD, and IC users are legally obligated to comply More than just the technical implementation, calls for a comprehensive plan (SSP) developed using a Risk Management Framework NIST Special Publication defines the security control baselines Confidentiality Integrity Availability DISA STIG defines the nerd-knobs 5

6 NIST SP800-53R4 The source of your security controls 4 th revision ~1,500 controls Not all controls are technical Guys with guns controls Many broken down with enhancements More like ~1,700 CIA Triad (not the intelligence agency) overlays Agency-specific overlays Getting us closer to 7,000 data points to consider 6

7 SECURITY TECHNICAL IMPLEMENTATION GUIDE Your source of nerd knobs RHEL 7 STIG finally out of draft! Now shipped as an XCCDF XML document Can be visualized with STIGViewer Pet peeve: no TLS from DISA s download page I won t run this.jar outside a VM due to the site leaving me vulnerable to a MITM attack on the download DISA seems like a high-value target so I don t trust the.jar because it s unsigned Just because I m paranoid doesn t mean they re not out to get me 7

8 SYSTEM ADMINISTRATORS CRITICAL ROLE The FISMA buck stops with the SA Manual implementation of STIG settings is tedious and error prone Configuration drift impacts compliance 3 rd party auditing tools produce false-positives System Administrators need An automated way to apply the security configuration Continuous audition and compliance Canonical source of truth SOMEBODY S GOT TO TURN THOSE NERD KNOBS 8

9 THERE ARE TOOLS THAT CAN HELP 9

10 RHEL INSTALLER Security policy can be specified at install-time 10

11 DISA STIG VIEWER You can export an HTML or CSV STIG 11

12 SECURITY CONTENT AUTOMATION PROTOCOL Making security measurable Group of standards designed to automate management, assessment, and policy compliance Many components such as CVE, CCE, XCCDF, OVAL Open source implementation is OpenSCAP ( SCAP Workbench GUI RHEL STIG XCCDF profile shipped with SCAP Security Guide (SSG) 12

13 NATIVE SUPPORT IN SCAP WORKBENCH XCCDF isn t so bad now, is it? 13

14 RED HAT SECURITY API curl -X GET " python -m json.tool Still in beta Programmatic access to: CVRF CVE OVAL IAVA Hugely helpful for scripting [ { }, "cvelist": [ ], "CVE ", "CVE ", "CVE ", "CVE ", "CVE ", "CVE ", "CVE ", "CVE "number": "2017-A-0047", "resource_url": " "severity": "CAT II", "title": "Multiple Vulnerabilities in IBM Security AppScan Enterprise 14

15 ANSIBLE Python and YAML automation and CM framework Automate compliance with Ansible Ansible Core is FOSS and can be installed from EPEL Red Hat Gov GitHub has an role that you can use to apply STIG settings /ansible-role Configuration drift? No problem. Rerun the playbook for continuous compliance 15

16 LET S STIG A RHEL INSTANCE WITH ANSIBLE Demo available at 16

17 BACK TO CONTAINERS 17

18 CONTAINERS VS VMS Virtualization Virtual hardware boundaries Hypervisor One OS instance per VM IaaS paradigm 18

19 CONTAINERS VS VMS Containerization Horizontal segmentation Container API Single OS instance Multi-tenancy Bare metal, virtual, cloud 19

20 COMPLIANCE IN CONTAINERS So how do we do that when: There s no ssh (or shouldn t be) There s no GUI Many file systems are missing And it ha to be DevOps-y 20

21 PROJECT ATOMIC Next generation container-optimized OS Runs only essential container services systemd etcd Open Container runtime Everything else is a container Whole-filesystem updates with rpm-ostree GUI management with Cockpit Same secure supply chain as RHEL 21

22 ATOMIC SCAN 22

23 USING ATOMIC SCAN Demo available at 23

24 HOW DOES THIS WORK AT SCALE? 24

25 CONTROL Scheduled and centralized jobs KNOWLEDGE Visibility and compliance DELEGATION Role-based access and self-service SIMPLE POWERFUL AGENTLESS Everyone speaks the same language Designed for multi-tier deployments Predictable, reliable, and secure AT ANSIBLE S CORE IS AN OPEN-SOURCE AUTOMATION ENGINE. 25

26 Ansible tower is an enterprise framework for controlling, securing and managing your Ansible automation with a UI and restful API. Role-based access control keeps environments secure, and teams efficient. Non-privileged users can safely deploy entire applications with push-button deployment access. All Ansible automations are centrally logged, ensuring complete auditability and compliance. 26

27 27

28 CONTAINER CONTAINER CONTAINER CONTAINER CONTAINER CONTAINER ORCHESTRATION CLUSTER SERVICES NETWORKING STORAGE REGISTRY TELEMETRY SECURITY ATOMIC AUTOMATION ATOMIC COCKPIT CONTAINER RUNTIME & PACKAGING ATOMIC HOST RED HAT ENTERPRISE LINUX PHYSICAL INFRASTRUCTURE 28

29 CONTAINER CONTAINER CONTAINER CONTAINER OPENSHIFT SELF-SERVICE CONTAINER MIDDLEWARE + DATA SERVICES BUILD AUTOMATION SERVICE CATALOG DEPLOYMENT AUTOMATION OPENSHIFT APPLICATION LIFECYCLE MANAGEMENT CONTAINER ORCHESTRATION CLUSTER SERVICES NETWORKING STORAGE REGISTRY TELEMETRY SECURITY ATOMIC AUTOMATION ATOMIC COCKPIT CONTAINER RUNTIME & PACKAGING ATOMIC HOST RED HAT ENTERPRISE LINUX PHYSICAL INFRASTRUCTURE 29

30 30

31 OPEN SOURCE A&A BODY OF EVIDENCE 31

32 32

33 33

34 WHAT S IN THE COMPLIANCE GUIDE? 1. Reference Architecture (Security Concept of Operations (CONOPS)) 2. Security Controls Procedurally generated from the Security Control Traceability Matrix (SCTM) spreadsheet 3. Customer Responsibility Matrix (CRM) 4. Ansible Automation Note: Certification and Accreditation (C&A) terminology replaced by Assessment and Authorization (A&A) in new DoD Information Assurance Risk Management Framework (DIARMF) (cf. NIST SP800-37r1). 34

35 REFERENCE ARCHITECTURE 35

36 36

37 37

38 38

39 39

40 40

41 Role Description Number Responsible Organization A control that is satisfied by the hosting organization. This includes enterprise services such as LDAP, the Audit and Logging solution, etc. 423 IaaS OpenShift Landlord A control that is satisfied by the Organization s Infrastructure as a Service implementation. In the Security CONOPS reference architecture, this is AWS, or the Landlord s Landlord. Container Platform s implementation. This includes tools such as Ansible Tower and OpenSCAP OpenShift Tenant Controls that need to be implemented by the programs hosted on the OpenShift Container Platform. These controls are listed in the Customer Responsibility Matrix. Total unique controls All unique technical controls tracked by this guide

42 SECURITY CONTROLS 42

43 Workaround example: Banner JavaScript Actual OCP Web Console iframe 43

44 CUSTOMER RESPONSIBILITY MATRIX 44

45 45

46 46

47 47

48 QUESTIONS? 48

49 THANK YOU plus.google.com/+redhat facebook.com/redhatinc linkedin.com/company/red-hat twitter.com/redhatnews youtube.com/user/redhatvideos