ICD503 compliance for containerized apps-20170324...COST-EFFECTIVE SECURITY • USG, DoD, and IC...

ICD-503 COMPLIANCE FOR CONTAINERIZED APPS: Using Atomic Scan and OpenSCAP with containers
Jason Callaway, Red Hat Principal Solutions Architect
[email protected] | @jasoncallaway | jasoncallaway.com

Transcript of ICD503 compliance for containerized apps-20170324...COST-EFFECTIVE SECURITY • USG, DoD, and IC...

Page 1 (title slide)

Page 2

ICD-503 COMPLIANCE FOR CONTAINERS 2

AGENDA
• Slides at https://jasoncallaway.com/icd503-containers.pdf
• ICD-503 compliance overview
• How to be ICD-503 compliant with Red Hat Enterprise Linux
• The container monkey wrench
• OpenSCAP
• Atomic Scan
• Ansible 800-53 role
• How it all scales

Page 3

IGNORE THE WHOLE CONTAINER THING FOR A MOMENT

Page 4

[Diagram of the compliance landscape. Labels shown: E-Government Act of 2002, FISMA, Federal Agencies, NVD, SCAP, NIST SP800-37, NIST SP800-18, FIPS 199, NIST, OMB, CNSSI 1253, CNSS, ODNI, ICD 503, OpenSCAP, SSG, DISA, STIG, USGCB, NIST SP800-53, FIPS 140, DIACAP, DoD RMF, Circular A-130. Annotation: *STILL INCOMPLETE]

Page 5

Making your life harder since 2002...


FISMA COMPLIANCE OVERVIEW

RISK-BASED POLICY FOR COST-EFFECTIVE SECURITY

• USG, DoD, and IC users are legally obligated to comply
• More than just the technical implementation: FISMA calls for a comprehensive System Security Plan (SSP) developed using a Risk Management Framework
• NIST Special Publication 800-53 defines the security control baselines
  • Confidentiality
  • Integrity
  • Availability
• DISA STIG defines the nerd-knobs

Page 6

The source of your security controls


NIST SP800-53R4

• 4th revision
  • ~1,500 controls
• Not all controls are technical
  • “Guys with guns” controls
• Many broken down with enhancements
  • More like ~1,700
• CIA Triad (not the intelligence agency) overlays
  • Agency-specific overlays
  • Getting us closer to 7,000 data points to consider

Page 7

Your source of nerd knobs


SECURITY TECHNICAL IMPLEMENTATION GUIDE
• RHEL 7 STIG finally out of draft!
• Now shipped as an XCCDF XML document
• Can be visualized with STIGViewer
• Pet peeve: no TLS from DISA’s download page
  • I won’t run this .jar outside a VM due to the site leaving me vulnerable to a MITM attack on the download
  • DISA seems like a high-value target so I don’t trust the .jar because it’s unsigned
  • Just because I’m paranoid doesn’t mean they’re not out to get me

Page 8

The compliance buck stops with the SA


SYSTEM ADMINISTRATORS’ CRITICAL ROLE

SOMEBODY’S GOT TO TURN THOSE NERD KNOBS

• Manual implementation of STIG settings is tedious and error prone
• Configuration drift impacts compliance
• 3rd party auditing tools produce false-positives
• System Administrators need
  • An automated way to apply the security configuration
  • Continuous auditing and compliance
  • A canonical source of truth

Page 9

THERE ARE TOOLS THAT CAN HELP

Page 10

Security policy can be specified at install-time


RHEL INSTALLER

http://rhelblog.redhat.com/2015/10/27/configuring-and-applying-scap-policies-during-installation/

Page 11

You can export an HTML or CSV STIG


DISA STIG VIEWER

Page 12

“Making security measurable”


SECURITY CONTENT AUTOMATION PROTOCOL

• Group of standards designed to automate management, assessment, and policy compliance
• Many components such as CVE, CCE, XCCDF, OVAL
• Open source implementation is OpenSCAP (https://open-scap.org)
• SCAP Workbench GUI
• RHEL STIG XCCDF profile shipped with SCAP Security Guide (SSG)
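As an added example (not from the slides, the OpenSCAP project or Red Hat), here is a small Python parser for the XCCDF 1.2 result documents that oscap and the OpenSCAP scanner behind Atomic Scan write out, reducing them to the pass/fail summary an SA needs for continuous auditing. The sample result document, its profile and rule ids, and the is_compliant helper are constructed for this example.

```python
"""Summarise an XCCDF 1.2 result document of the kind that
`oscap xccdf eval --results` (or Atomic Scan's OpenSCAP scanner) writes."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace

# Constructed sample: a trimmed TestResult with three rule results. The rule
# and profile ids follow SCAP Security Guide naming but are illustrative only.
SAMPLE_XCCDF = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_stig-rhel7-disa">
    <profile idref="xccdf_org.ssgproject.content_profile_stig-rhel7-disa"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high">
      <result>notapplicable</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""

# Verdicts that must be reported as open findings rather than silently ignored.
OPEN_VERDICTS = ("fail", "error", "unknown", "notchecked")


def parse_results(xml_text):
    """Return (verdict counts, open findings, score) for the first TestResult."""
    root = ET.fromstring(xml_text)
    # oscap may emit a bare TestResult or a Benchmark with a TestResult inside.
    tr = root if root.tag.endswith("}TestResult") else root.find(".//x:TestResult", NS)
    if tr is None:
        raise ValueError("no TestResult element in document")
    counts = Counter()
    findings = []
    for rr in tr.findall("x:rule-result", NS):
        verdict = rr.findtext("x:result", default="unknown", namespaces=NS).strip()
        counts[verdict] += 1
        if verdict in OPEN_VERDICTS:
            findings.append((rr.get("idref"), rr.get("severity", "unknown"), verdict))
    score_el = tr.find("x:score", NS)
    score = float(score_el.text) if score_el is not None else None
    return counts, findings, score


def is_compliant(findings, allowed_severities=()):
    """True when every open finding falls within the severities an approved
    deviation permits (an empty tuple means no open finding is tolerated)."""
    return all(sev in allowed_severities for _, sev, _ in findings)
```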

Page 13

XCCDF isn’t so bad now, is it?


NATIVE SUPPORT IN SCAP WORKBENCH

Page 14

https://access.redhat.com/labsinfo/securitydataapi


RED HAT SECURITY API

• Still in beta
• Programmatic access to:
  • CVRF
  • CVE
  • OVAL
  • IAVA
• Hugely helpful for scripting

[{
    "cvelist": [
        "CVE-2016-2178", "CVE-2016-2183", "CVE-2016-5983", "CVE-2016-5986",
        "CVE-2016-6042", "CVE-2016-6303", "CVE-2016-6304", "CVE-2016-6306"
    ],
    "number": "2017-A-0047",
    "resource_url": "https://access.redhat.com/labs/securitydataapi/iava/2017-A-0047.json",
    "severity": "CAT II",
    "title": "Multiple Vulnerabilities in IBM Security AppScan Enterprise"
},

curl -X GET "https://access.redhat.com/labs/securitydataapi/iava.json" | python -m json.tool
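An added example, not from the slides or from Red Hat: a Python script that parses the iava.json feed shown above and cross-references the CVEs a scanner reports against IAVA notices, which is the kind of scripting the API makes possible. The sample data reuses the 2017-A-0047 record from the slide; the second record (2017-A-0000, CVE-0000-0000) is a labelled placeholder, and the live-fetch helper assumes network access.

```python
"""Cross-reference scanner CVE findings against IAVA notices from the
Red Hat Security Data API (the iava.json endpoint shown on the slide)."""
import json
import urllib.request
from collections import defaultdict

IAVA_URL = "https://access.redhat.com/labs/securitydataapi/iava.json"

# Constructed sample with the same field layout as the slide's iava.json
# excerpt. The first record's values are from the slide; the second record
# (IAVA 2017-A-0000, CVE-0000-0000) is a placeholder, not real data.
SAMPLE_IAVA_JSON = """[
  {"cvelist": ["CVE-2016-2178", "CVE-2016-2183", "CVE-2016-6304"],
   "number": "2017-A-0047",
   "resource_url": "https://access.redhat.com/labs/securitydataapi/iava/2017-A-0047.json",
   "severity": "CAT II",
   "title": "Multiple Vulnerabilities in IBM Security AppScan Enterprise"},
  {"cvelist": ["CVE-2016-2183", "CVE-0000-0000"],
   "number": "2017-A-0000",
   "resource_url": "https://access.redhat.com/labs/securitydataapi/iava/2017-A-0000.json",
   "severity": "CAT I",
   "title": "Placeholder IAVA record for this example"}
]"""


def load_iava(text):
    """Parse iava.json text into a list of dicts, validating the fields used."""
    records = json.loads(text)
    for rec in records:
        for key in ("cvelist", "number", "severity"):
            if key not in rec:
                raise ValueError("IAVA record missing %r: %r" % (key, rec))
    return records


def fetch_iava(url=IAVA_URL, timeout=30):
    """Download the live feed (needs network access; not used offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_iava(resp.read().decode("utf-8"))


def index_by_cve(records):
    """Map each CVE id to the sorted list of IAVA numbers that cite it."""
    index = defaultdict(set)
    for rec in records:
        for cve in rec["cvelist"]:
            index[cve.upper()].add(rec["number"])
    return {cve: sorted(nums) for cve, nums in index.items()}


def iavas_for_findings(records, found_cves):
    """Given CVEs reported by a scanner (e.g. an OVAL scan), return the
    applicable IAVAs as {number: {"severity": ..., "cves": [...]}}."""
    wanted = {c.upper() for c in found_cves}  # scanner output may be lower-case
    hits = {}
    for rec in records:
        matched = sorted(wanted.intersection(c.upper() for c in rec["cvelist"]))
        if matched:
            hits[rec["number"]] = {"severity": rec["severity"], "cves": matched}
    return hits


if __name__ == "__main__":
    recs = load_iava(SAMPLE_IAVA_JSON)
    # Constructed scanner output: two CVEs found on a host or image.
    for number, info in sorted(iavas_for_findings(recs, ["cve-2016-2183", "CVE-0000-0000"]).items()):
        print(number, info["severity"], ", ".join(info["cves"]))
```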

Page 15

Python and YAML automation and CM framework


ANSIBLE

• Automate compliance with Ansible
• Ansible Core is FOSS and can be installed from EPEL
• Red Hat Gov GitHub has an 800-53 role that you can use to apply STIG settings
  • https://github.com/RedHatGov/ansible-role-800-53
• Configuration drift? No problem. Rerun the playbook for continuous compliance

Page 16

Demo available at https://youtu.be/phKQXzbU61E


LET’S STIG A RHEL INSTANCE WITH ANSIBLE

Page 17

BACK TO CONTAINERS

Page 18

CONTAINERS VS VMS

Virtualization
• Virtual hardware boundaries
• Hypervisor
• One OS instance per VM
• IaaS paradigm

Page 19

CONTAINERS VS VMS

Containerization
• Horizontal segmentation
• Container API
• Single OS instance
• Multi-tenancy
• Bare metal, virtual, cloud

Page 20

COMPLIANCE IN CONTAINERS

So how do we do that when:
• There’s no ssh (or shouldn’t be)
• There’s no GUI
• Many file systems are missing
• And it has to be DevOps-y

Page 21

Next generation container-optimized OS


PROJECT ATOMIC

• Runs only essential container services
  • systemd
  • etcd
  • Open Container runtime
• Everything else is a container
• Whole-filesystem updates with rpm-ostree
• GUI management with Cockpit
• Same secure supply chain as RHEL

Page 22

https://developers.redhat.com/blog/2016/05/02/introducing-atomic-scan-container-vulnerability-detection/


ATOMIC SCAN

Page 23

Demo available at https://youtu.be/keN7mSqa0q0


USING ATOMIC SCAN

Page 24

HOW DOES THIS WORK AT SCALE?

Page 25

CONTROL · KNOWLEDGE · DELEGATION

AT ANSIBLE’S CORE IS AN OPEN-SOURCE AUTOMATION ENGINE: SIMPLE, POWERFUL, AGENTLESS.

• Scheduled and centralized jobs
• Visibility and compliance
• Role-based access and self-service
• Everyone speaks the same language
• Designed for multi-tier deployments
• Predictable, reliable, and secure

Page 26

• Role-based access control keeps environments secure, and teams efficient.
• Non-privileged users can safely deploy entire applications with push-button deployment access.
• All Ansible automations are centrally logged, ensuring complete auditability and compliance.

Ansible Tower is an enterprise framework for controlling, securing and managing your Ansible automation, with a UI and RESTful API.

Page 27

Page 28

[Diagram of the container platform stack, bottom to top: Physical Infrastructure; Red Hat Enterprise Linux / Atomic Host; Container Runtime & Packaging; Networking, Security, Storage, Registry, Telemetry; Container Orchestration, Cluster Services; Atomic Automation, Atomic Cockpit; a row of containers on top.]

Page 29

[Same stack diagram extended with the OpenShift layers: Physical Infrastructure; Red Hat Enterprise Linux / Atomic Host; Container Runtime & Packaging; Networking, Security, Storage, Registry, Telemetry; Container Orchestration, Cluster Services; Middleware + Data Services, Service Catalog; OpenShift Self-Service; OpenShift Application Lifecycle Management; Build Automation, Deployment Automation; Atomic Automation, Atomic Cockpit; a row of containers on top.]

Page 30

Page 31

OPEN SOURCE A&A BODY OF EVIDENCE

Page 32

Page 33

http://tinyurl.com/ocpcg

Page 34

WHAT’S IN THE COMPLIANCE GUIDE?
1. Reference Architecture (Security Concept of Operations (CONOPS))
2. Security Controls
   • Procedurally generated from the Security Control Traceability Matrix (SCTM) spreadsheet
3. Customer Responsibility Matrix (CRM)
4. Ansible Automation

Note: Certification and Accreditation (C&A) terminology replaced by Assessment and Authorization (A&A) in new DoD Information Assurance Risk Management Framework (DIARMF) (cf. NIST SP800-37r1).

Page 35

REFERENCE ARCHITECTURE

Page 36

Page 37

Page 38

Page 39

Page 40

Page 41

Role | Description | Number responsible
Organization | A control that is satisfied by the hosting organization. This includes enterprise services such as LDAP, the Audit and Logging solution, etc. | 423
IaaS | A control that is satisfied by the Organization’s Infrastructure as a Service implementation. In the Security CONOPS reference architecture, this is AWS, or the Landlord’s Landlord. | 11
OpenShift Landlord | Container Platform’s implementation. This includes tools such as Ansible Tower and OpenSCAP. | 187
OpenShift Tenant | Controls that need to be implemented by the programs hosted on the OpenShift Container Platform. These controls are listed in the Customer Responsibility Matrix. | 73
Total unique controls | All unique technical controls tracked by this guide. | 658

Page 42

SECURITY CONTROLS

Page 43

[Diagram. Workaround example: Banner; iframe; Actual OCP Web Console JavaScript]

Page 44

CUSTOMER RESPONSIBILITY MATRIX

Page 45

Page 46

Page 47

Page 48

QUESTIONS?

Page 49

plus.google.com/+RedHat

linkedin.com/company/red-hat

youtube.com/user/RedHatVideos

facebook.com/redhatinc

twitter.com/RedHatNews

THANK YOU