Ansible for compliance controls; FedRAMP is a pain.

Jonathan Davila

October 02, 2018
Transcript

  1. Jonathan I. Davila @DefionsCode #AnsibleFest2018 MindPoint Group. Who Am I?

    Present: Engineering Manager @MindPointGroup; Ansible Maintainer (AWS). Past: Consultant #2 @ Ansible; Bartender; Engineer @ Startups; Principal Architect @ RedHat; Automation Freelancer; Army Veteran; Open Source Developer.
  2. My Automation Story

    How we met … 5 years and running … I security automation. ansiblelockdown.io
  3. This is for humans that…

    Deal with <insert compliance body>. Prefer automation over manual labor. Want more time to do fun stuff. Dislike spreadsheets. Enjoy Ansible.
  4. One Rule

    DO NOT STRESS TRYING TO REMEMBER OR PHOTOGRAPH ANYTHING IN THIS PRESENTATION. I WILL HOOK YOU UP WITH SOLID REFERENCE MATERIAL AT THE END.
  5. What is FedRAMP?

    Over 400 controls, split into ‘families’. For *aaS providers that want to sell to Feds. Security compliance spanning Physical Security ==> Configuration Mgmt. 1 year-ish in best-case scenarios. EXPENSIVE!!! fedramp.gov
  6. Access Control AC-2(1)

    The organization employs automated mechanisms to support the management of information system accounts.
  7. AC-2(1) Example Solution Part 1

    ProTip: You should only do this when AD/LDAP or similar tech is unavailable. https://github.com/AutoLogicTechnology/autologic-users
  8. AC-2(1) Example Solution Part 2

    Manage accounts by group ===> groups that get sudo ===> users (supports system accounts too) ===> auto-creates groups if needed.
  9. AC-2(1) Example Solution Part 3: The Documentation

    Accounts in the information system are managed through Ansible. The logic is stored in the git repository. The code is executed using [Ansible Tower/AWX]. The logic operates off a variables file, also in version control and living alongside the execution logic itself. The variables file declares the user accounts that must be created or removed. This also includes whether the account should have elevated access or not and what groups a particular user account should be associated with. ProTip: You should probably only do this when AD/LDAP or similar tech is unavailable.
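An added example of the pattern slides 8 and 9 describe (this is illustrative code, not the autologic-users role linked on slide 7): a version-controlled vars file declares groups, which groups get sudo, which users belong to each group and which accounts must be removed, and the core group/user/copy modules apply it. User, group and file names are constructed for illustration; as the slides say, this only makes sense on hosts without AD/LDAP.

```yaml
# Added example, not the deck's own code. Constructed vars stand in for the
# separate variables file that would live in the same git repo as the play.
- name: AC-2(1) local account management from a declared vars file
  hosts: all
  become: true
  vars:
    managed_groups:
      - name: ops
        sudo: true            # members may sudo (password still required)
        users: [alice, bob]
      - name: app
        sudo: false
        system: true          # service accounts: no login shell
        users: [svc_app]
    removed_users: [mallory]  # explicit removal list, reviewed like any change
  tasks:
    - name: Ensure declared groups exist
      ansible.builtin.group:
        name: "{{ item.name }}"
        system: "{{ item.system | default(false) }}"
      loop: "{{ managed_groups }}"
    - name: Ensure declared users exist and belong to their group
      ansible.builtin.user:
        name: "{{ item.1 }}"
        groups: "{{ item.0.name }}"
        append: true
        system: "{{ item.0.system | default(false) }}"
        shell: "{{ '/usr/sbin/nologin' if item.0.system | default(false) else '/bin/bash' }}"
        state: present
      loop: "{{ managed_groups | subelements('users') }}"
    - name: Grant sudo only to groups flagged sudo=true (visudo-validated drop-in)
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/90-{{ item.name }}"
        content: "%{{ item.name }} ALL=(ALL) ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: "visudo -cf %s"
      loop: "{{ managed_groups | selectattr('sudo') | list }}"
    - name: Revoke sudo from groups no longer flagged
      ansible.builtin.file:
        path: "/etc/sudoers.d/90-{{ item.name }}"
        state: absent
      loop: "{{ managed_groups | rejectattr('sudo') | list }}"
    - name: Remove accounts on the removal list (home directory kept for review)
      ansible.builtin.user:
        name: "{{ item }}"
        state: absent
      loop: "{{ removed_users }}"
```

Because both the play and the vars file are in git, the commit history is the evidence an assessor asks for: who was granted access, who approved it and when it was revoked.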
  10. Configuration Management CM-6(1)

    The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
  11. CM-6(1) Example Solution Part 1

    https://galaxy.ansible.com/geerlingguy/nginx
  12. CM-6(1) Example Solution Part 2: The Documentation

    The system's baseline configuration is maintained by a number of Ansible Tower jobs. These Tower jobs are backed by source code which is periodically reviewed and updated in accordance with CM policies. The baseline configurations which are automatically applied include [EXAMPLES]: images for virtual machine creation located at , NACLs, user accounts of X services, network topology for AWS/Google Cloud/Azure, firewalls, network devices, load balancers, cloud resources (S3, Lambda functions, API gateways, etc.).
  13. Incident Response IR-4(1)

    The organization employs automated mechanisms to support the incident handling process.
  14. IR-4(1) Example Solution Part 1

    Defined via --extra-vars because run-time config is needed.
  15. IR-4(1) Example Solution Part 3: The Documentation

    Analysis and Containment: Ansible content exists that is capable of cutting off all inbound and outbound network access to a compromised VM, subsequently snapshotting the aforementioned compute node and making the resultant image available for further analysis and forensics. This code is stored and versioned in our source control repository.
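An added example of the IR-4(1) runbook sketched on slides 14 and 15, written here against the amazon.aws collection (it is not the deck's own content): the instance, VPC and incident identifiers arrive at run time through --extra-vars, the VM is moved onto a security group with no rules in either direction, and an AMI is taken for analysis. It assumes the amazon.aws collection and AWS credentials are available; that ec2_instance applies the new security-group set to a running instance in place is an assumption, and the identifier formats in the failure message are placeholders.

```yaml
# Added example, not the deck's own code. Run-time inputs, e.g.:
#   ansible-playbook isolate.yml -e "instance_id=i-... vpc_id=vpc-... incident_id=IR-..."
- name: IR-4(1) isolate a compromised VM and preserve it for forensics
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    region: us-east-1
  tasks:
    - name: Require the run-time parameters (passed with --extra-vars)
      ansible.builtin.assert:
        that:
          - instance_id is defined
          - vpc_id is defined
          - incident_id is defined
        fail_msg: "run with -e 'instance_id=i-... vpc_id=vpc-... incident_id=IR-...'"
    - name: Ensure a quarantine security group with no inbound and no outbound rules
      amazon.aws.ec2_security_group:
        name: ir-quarantine
        description: "IR-4(1) quarantine: deny all traffic"
        vpc_id: "{{ vpc_id }}"
        region: "{{ region }}"
        rules: []
        rules_egress: []          # empty list: no egress (omitting it would allow all)
        purge_rules: true
        purge_rules_egress: true
      register: quarantine_sg
    - name: Move the instance onto the quarantine group only
      # Assumption: ec2_instance applies the new group set to the running instance.
      amazon.aws.ec2_instance:
        instance_ids: ["{{ instance_id }}"]
        region: "{{ region }}"
        security_groups: ["{{ quarantine_sg.group_id }}"]
        state: present
    - name: Image the isolated instance without rebooting it
      amazon.aws.ec2_ami:
        instance_id: "{{ instance_id }}"
        region: "{{ region }}"
        name: "forensics-{{ incident_id }}-{{ instance_id }}"
        description: "IR-4(1) evidence image for {{ incident_id }}"
        no_reboot: true
        wait: true
        tags:
          Incident: "{{ incident_id }}"
      register: evidence_ami
    - name: Report the evidence image id for the incident record
      ansible.builtin.debug:
        msg: "{{ instance_id }} isolated; evidence AMI {{ evidence_ami.image_id }}"
```

Taking the image with no_reboot keeps the disk as it was at containment time; anything that only lives in memory is not captured this way and needs a separate step if the investigation calls for it.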
  16. Wrapping Up

    • Ansible can do a lot • Universal glue • Almost nobody enjoys compliance • Ansible can make it less painful • Do not forget the docs! • Entry for DevSecOps?
  17. Q&A

    Slide Deck: https://a.davila.io/deck18
    MOAR doc snippets (docs + lab): https://a.davila.io/festlab
    Ansible Lockdown: https://ansiblelockdown.io
    Me: https://davila.io
    MindPoint Group: https://mindpointgroup.com