ICD503 compliance for containerized apps-20170324

Post on 13-Jul-2020


ICD-503 COMPLIANCE FOR CONTAINERIZED APPS
Using Atomic Scan and OpenSCAP with containers

Jason Callaway
Red Hat Principal Solutions Architect
jcallawa@redhat.com | @jasoncallaway | jasoncallaway.com

ICD-503 COMPLIANCE FOR CONTAINERS2

AGENDA
• Slides at https://jasoncallaway.com/icd503-containers.pdf
• ICD-503 compliance overview
• How to be ICD-503 compliant with Red Hat Enterprise Linux
• The container monkey wrench
• OpenSCAP
• Atomic Scan
• Ansible 800-53 role
• How it all scales

IGNORE THE WHOLE CONTAINER THING FOR A MOMENT


[Diagram of the federal compliance landscape; labels: E-Government Act of 2002, FISMA, Federal Agencies, OMB, Circular A-130, NIST, NIST SP800-18, NIST SP800-37, NIST SP800-53, FIPS 140, FIPS 199, NVD, SCAP, USGCB, CNSS, CNSSI 1253, ODNI, ICD 503, DoD, DIACAP, DoD RMF, DISA, STIG, OpenSCAP, SSG; marked "*still incomplete"]

Making your life harder since 2002...


FISMA COMPLIANCE OVERVIEW

RISK-BASED POLICY FOR COST-EFFECTIVE SECURITY

• USG, DoD, and IC users are legally obligated to comply

• More than just the technical implementation, calls for a comprehensive plan (SSP) developed using a Risk Management Framework

• NIST Special Publication 800-53 defines the security control baselines

  • Confidentiality
  • Integrity
  • Availability

• DISA STIG defines the nerd-knobs

The source of your security controls


NIST SP800-53R4

• 4th revision
• ~1,500 controls
• Not all controls are technical
  • “Guys with guns” controls
• Many broken down with enhancements
  • More like ~1,700
• CIA Triad (not the intelligence agency) overlays
• Agency-specific overlays
  • Getting us closer to 7,000 data points to consider

Your source of nerd knobs


SECURITY TECHNICAL IMPLEMENTATION GUIDE
• RHEL 7 STIG finally out of draft!
• Now shipped as an XCCDF XML document
• Can be visualized with STIGViewer

• Pet peeve: no TLS from DISA’s download page
• I won’t run this .jar outside a VM due to the site leaving me vulnerable to a MITM attack on the download

• DISA seems like a high-value target so I don’t trust the .jar because it’s unsigned

• Just because I’m paranoid doesn’t mean they’re not out to get me

The compliance buck stops with the SA


SYSTEM ADMINISTRATORS CRITICAL ROLE

SOMEBODY’S GOT TO TURN THOSE NERD KNOBS

• Manual implementation of STIG settings is tedious and error prone

• Configuration drift impacts compliance
• 3rd party auditing tools produce false-positives
• System Administrators need:
  • An automated way to apply the security configuration
  • Continuous auditing and compliance
  • Canonical source of truth

THERE ARE TOOLS THAT CAN HELP


Security policy can be specified at install-time


RHEL INSTALLER

http://rhelblog.redhat.com/2015/10/27/configuring-and-applying-scap-policies-during-installation/

You can export an HTML or CSV STIG


DISA STIG VIEWER

“Making security measurable”


SECURITY CONTENT AUTOMATION PROTOCOL

• Group of standards designed to automate management, assessment, and policy compliance

• Many components such as CVE, CCE, XCCDF, OVAL

• Open source implementation is OpenSCAP (https://open-scap.org)

• SCAP Workbench GUI
• RHEL STIG XCCDF profile shipped with SCAP Security Guide (SSG)
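The configuration-drift and continuous-auditing need from the SA slide, and the XCCDF format from this one, as an added example that is not part of the deck or of the OpenSCAP project: a small Python reader for the XCCDF 1.2 results file that `oscap xccdf eval --results` writes, which summarises outcomes and lists rules that passed in a baseline scan but fail now. The rule ids, the outcomes and the results_xml() builder are constructed for the sample, not taken from a real scan.

```python
"""Summarise OpenSCAP XCCDF results and flag configuration drift between scans.

Added example, not from the deck or the OpenSCAP project: it reads the XCCDF 1.2
TestResult that `oscap xccdf eval --results` writes and answers what an SA needs
for continuous compliance: what fails now, and what passed last time but fails
now. The rule ids and outcomes below are a constructed sample, not a real scan.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

def results_xml(outcomes):
    """Build a minimal results document (constructed sample) from {rule_id: (result, severity)}."""
    rows = "".join(f'<rule-result idref="{rid}" severity="{sev}"><result>{res}</result></rule-result>'
                   for rid, (res, sev) in outcomes.items())
    return f'<Benchmark xmlns="{XCCDF_NS["x"]}"><TestResult id="xccdf_org.open-scap_testresult_stig">{rows}</TestResult></Benchmark>'

def parse_results(xml_text):
    """Return {rule_id: (result, severity)} for every rule-result in the TestResult."""
    root = ET.fromstring(xml_text)
    out = {}
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        text = res.text.strip() if res is not None and res.text else "unknown"
        out[rr.get("idref")] = (text, rr.get("severity", "unknown"))
    return out

def summarize(results):
    """Count outcomes; the pass rate covers only rules actually evaluated (pass or fail)."""
    counts = {}
    for result, _ in results.values():
        counts[result] = counts.get(result, 0) + 1
    evaluated = counts.get("pass", 0) + counts.get("fail", 0)
    failed = sorted((sev, rid) for rid, (res, sev) in results.items() if res == "fail")
    return {"counts": counts, "failed": failed,
            "pass_rate": counts.get("pass", 0) / evaluated if evaluated else 0.0}

def drift(baseline, current):
    """Rules that passed in the baseline scan but fail in the current one."""
    return sorted(rid for rid, (res, _) in current.items()
                  if res == "fail" and baseline.get(rid, ("missing", ""))[0] == "pass")

# Constructed sample: a STIG-profile scan right after hardening, then one a week later.
BASELINE = {"xccdf_org.ssgproject.content_rule_sshd_disable_root_login": ("pass", "medium"),
            "xccdf_org.ssgproject.content_rule_package_telnet_removed": ("pass", "high"),
            "xccdf_org.ssgproject.content_rule_audit_rules_login_events": ("fail", "medium"),
            "xccdf_org.ssgproject.content_rule_smartcard_auth": ("notapplicable", "medium")}
LATER = dict(BASELINE, **{"xccdf_org.ssgproject.content_rule_sshd_disable_root_login": ("fail", "medium")})

if __name__ == "__main__":
    before, after = parse_results(results_xml(BASELINE)), parse_results(results_xml(LATER))
    print(summarize(after))
    print("drifted:", drift(before, after))
```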

XCCDF isn’t so bad now, is it?


NATIVE SUPPORT IN SCAP WORKBENCH

https://access.redhat.com/labsinfo/securitydataapi


RED HAT SECURITY API

• Still in beta
• Programmatic access to:
  • CVRF
  • CVE
  • OVAL
  • IAVA

• Hugely helpful for scripting

[
    {
        "cvelist": [
            "CVE-2016-2178",
            "CVE-2016-2183",
            "CVE-2016-5983",
            "CVE-2016-5986",
            "CVE-2016-6042",
            "CVE-2016-6303",
            "CVE-2016-6304",
            "CVE-2016-6306"
        ],
        "number": "2017-A-0047",
        "resource_url": "https://access.redhat.com/labs/securitydataapi/iava/2017-A-0047.json",
        "severity": "CAT II",
        "title": "Multiple Vulnerabilities in IBM Security AppScan Enterprise"
    },

curl -X GET "https://access.redhat.com/labs/securitydataapi/iava.json" | python -m json.tool
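Added example, not from the deck or from Red Hat: consuming IAVA records of the shape the call above returns to triage a scanner's CVE findings, CAT I first, and to separate out CVEs no IAVA covers. The first sample record is the one on the slide; the second record, its number 2017-A-0000 and the CVE-2099-* ids are constructed placeholders, and fetch_iavas() is the only network call.

```python
"""Triage scanner CVE findings against Red Hat's IAVA feed (Security Data API).

Added example, not code from the deck or from Red Hat: it consumes records in
the shape the slide's `curl .../iava.json` call returns (number, severity,
cvelist, title) and reports which IAVAs a list of CVEs found on a host or
image falls under, CAT I first. The first sample record is the one shown on
the slide; the second is a constructed placeholder. fetch_iavas() is the only
network call and is never invoked by default.
"""
import json
import urllib.request

IAVA_URL = "https://access.redhat.com/labs/securitydataapi/iava.json"

SAMPLE_IAVAS = [
    {"number": "2017-A-0047", "severity": "CAT II",
     "title": "Multiple Vulnerabilities in IBM Security AppScan Enterprise",
     "cvelist": ["CVE-2016-2178", "CVE-2016-2183", "CVE-2016-5983", "CVE-2016-5986",
                 "CVE-2016-6042", "CVE-2016-6303", "CVE-2016-6304", "CVE-2016-6306"]},
    {"number": "2017-A-0000", "severity": "CAT I",  # constructed placeholder record
     "title": "Constructed sample IAVA", "cvelist": ["CVE-2099-0001"]},
]

def fetch_iavas(url=IAVA_URL, timeout=30):
    """Pull the live feed; returns a list in the same shape as SAMPLE_IAVAS."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def triage(iavas, found_cves):
    """Map found CVEs onto IAVAs.

    Returns (hits, unmapped): hits is a list of dicts ordered CAT I -> CAT II -> CAT III,
    each with the IAVA number, severity, title and the found CVEs it covers; unmapped
    lists CVEs no IAVA in the feed mentions (they still need CVE-level triage).
    """
    found = {c.strip().upper() for c in found_cves}
    hits, covered = [], set()
    for rec in iavas:
        overlap = found & set(rec.get("cvelist", []))
        if overlap:
            hits.append({"number": rec["number"], "severity": rec.get("severity", "unknown"),
                         "title": rec.get("title", ""), "cves": sorted(overlap)})
            covered |= overlap
    rank = {"CAT I": 0, "CAT II": 1, "CAT III": 2}
    hits.sort(key=lambda h: (rank.get(h["severity"], 9), h["number"]))
    return hits, sorted(found - covered)

if __name__ == "__main__":
    hits, unmapped = triage(SAMPLE_IAVAS, ["cve-2016-2183", "CVE-2016-6304", "CVE-2099-0001"])
    print(json.dumps({"hits": hits, "unmapped": unmapped}, indent=2))
```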

Python and YAML automation and CM framework


ANSIBLE

• Automate compliance with Ansible
• Ansible Core is FOSS and can be installed from EPEL
• Red Hat Gov GitHub has an 800-53 role that you can use to apply STIG settings
  • https://github.com/RedHatGov/ansible-role-800-53

• Configuration drift? No problem. Rerun the playbook for continuous compliance

Demo available at https://youtu.be/phKQXzbU61E


LET’S STIG A RHEL INSTANCE WITH ANSIBLE

BACK TO CONTAINERS


CONTAINERS VS VMS

Virtualization
• Virtual hardware boundaries
• Hypervisor
• One OS instance per VM
• IaaS paradigm


CONTAINERS VS VMS

Containerization
• Horizontal segmentation
• Container API
• Single OS instance
• Multi-tenancy
• Bare metal, virtual, cloud


COMPLIANCE IN CONTAINERS

So how do we do that when:
• There’s no ssh (or shouldn’t be)
• There’s no GUI
• Many file systems are missing
• And it has to be DevOps-y

Next generation container-optimized OS


PROJECT ATOMIC

• Runs only essential container services

  • systemd
  • etcd
  • Open Container runtime
• Everything else is a container
• Whole-filesystem updates with rpm-ostree
• GUI management with Cockpit
• Same secure supply chain as RHEL

https://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-container-vulnerability-detection/


ATOMIC SCAN

Demo available at https://youtu.be/keN7mSqa0q0


USING ATOMIC SCAN

HOW DOES THIS WORK AT SCALE?


AT ANSIBLE’S CORE IS AN OPEN-SOURCE AUTOMATION ENGINE.

[Diagram labels: CONTROL, KNOWLEDGE, DELEGATION; SIMPLE, POWERFUL, AGENTLESS]

• Scheduled and centralized jobs
• Visibility and compliance
• Role-based access and self-service
• Everyone speaks the same language
• Designed for multi-tier deployments
• Predictable, reliable, and secure


• Role-based access control keeps environments secure, and teams efficient.

• Non-privileged users can safely deploy entire applications with push-button deployment access.

• All Ansible automations are centrally logged, ensuring complete auditability and compliance.

Ansible Tower is an enterprise framework for controlling, securing and managing your Ansible automation – with a UI and RESTful API.


[Diagram: Red Hat container platform stack, shown in two views. Layers from the bottom: Physical Infrastructure; Red Hat Enterprise Linux / Atomic Host; Container Runtime & Packaging; Networking, Security, Storage, Registry, Telemetry; Container Orchestration, Cluster Services; Atomic Automation, Atomic Cockpit; containers on top. The second view adds Middleware + Data Services, Service Catalog, OpenShift Self-Service, OpenShift Application Lifecycle Management, Build Automation and Deployment Automation.]


OPEN SOURCE A&A BODY OF EVIDENCE


http://tinyurl.com/ocpcg


WHAT’S IN THE COMPLIANCE GUIDE?
1. Reference Architecture (Security Concept of Operations (CONOPS))
2. Security Controls
   • Procedurally generated from the Security Control Traceability Matrix (SCTM) spreadsheet
3. Customer Responsibility Matrix (CRM)
4. Ansible Automation

Note: Certification and Accreditation (C&A) terminology replaced by Assessment and Authorization (A&A) in new DoD Information Assurance Risk Management Framework (DIARMF) (cf. NIST SP800-37r1).

REFERENCE ARCHITECTURE


Role | Description | Number responsible
Organization | A control that is satisfied by the hosting organization. This includes enterprise services such as LDAP, the Audit and Logging solution, etc. | 423
IaaS | A control that is satisfied by the Organization’s Infrastructure as a Service implementation. In the Security CONOPS reference architecture, this is AWS, or the Landlord’s Landlord. | 11
OpenShift Landlord | Container Platform’s implementation. This includes tools such as Ansible Tower and OpenSCAP. | 187
OpenShift Tenant | Controls that need to be implemented by the programs hosted on the OpenShift Container Platform. These controls are listed in the Customer Responsibility Matrix. | 73
Total unique controls | All unique technical controls tracked by this guide. | 658

SECURITY CONTROLS


Workaround example:

[Diagram labels: Actual OCP Web Console JavaScript, Banner, iframe]

CUSTOMER RESPONSIBILITY MATRIX


QUESTIONS?


plus.google.com/+RedHat

linkedin.com/company/red-hat

youtube.com/user/RedHatVideos

facebook.com/redhatinc

twitter.com/RedHatNews

THANK YOU