
Development of the TOSS 4 STIG

Ian Lee
March 15, 2023

Transcript

  1. LLNL-PRES-846169
    This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC
    Development of the TOSS 4 STIG
    Session: RMF Development, Implementation, and Assessment
    Ian Lee
    HPC Security Architect
    2023-03-15

  2. Tri-Lab Operating System Stack (TOSS)
    § A common operating system and computing environment for HPC clusters
    — Based on the RHEL operating system
    — Modified RHEL kernel
    § Methodology for building, quality assurance, integration, and configuration management
    § Add in customization for HPC-specific needs
    — Consistent source and software across architectures: Intel, PowerPC, and ARM
    — High-speed interconnect
    — Very large filesystems

  3. Security Baseline
    § Security requirements are often quite prescriptive
    — STIG > CIS Benchmark > Vendor Guideline > generic NIST 800-53 controls
    § Developed a STIG for the TOSS operating system with DISA
    — Largely based on the RHEL 8 STIG, since TOSS 4 is derived from RHEL 8
    — Small tweaks: adjust some DoD-specific language to make it compatible with other Government agencies
    — Larger requests: no explicit allow-listing of software on TOSS, since it is a software development OS
    — HPC-specific: the RHEL STIG limits accounts to 10 concurrent sessions for DoS reasons; the TOSS STIG allows 256
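The concurrent-session difference above comes down to the hard `maxlogins` value that pam_limits reads from `/etc/security/limits.conf` and the `limits.d/` drop-ins. The following is an added example (not code from the deck or from the llnl/toss-stig repository) that resolves the effective value for a user and checks it against either baseline's ceiling; the pam_limits precedence rules, the `hpcusers` group and the sample file contents are assumptions.

```python
# Added example (not from the deck or the llnl/toss-stig project): resolve
# the hard pam_limits 'maxlogins' a user would get and test it against a
# baseline ceiling. Assumed pam_limits semantics: limits.conf is read before
# limits.d/*.conf (sorted); an exact user domain beats @group, which beats
# '*'; on equal precedence the last line read wins.

BASELINE_MAXLOGINS = {"rhel8-stig": 10, "toss4-stig": 256}  # ceilings from the slide

# Constructed sample contents, in read order: limits.conf, then limits.d/90-hpc.conf
SAMPLE_FILES = [
    "# site default\n*  hard  maxlogins  10\n",
    "@hpcusers  hard  maxlogins  256\n",
]

def parse_limits(text):
    """Return (domain, type, item, value) rows; comments and bad lines skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 4:          # pam_limits ignores malformed lines
            rows.append(tuple(parts))
    return rows

def effective_maxlogins(files, user, groups):
    """Hard maxlogins pam_limits would apply to `user`, or None if unset."""
    best = None                      # (precedence, value)
    for text in files:
        for domain, ltype, item, value in parse_limits(text):
            if item != "maxlogins" or ltype not in ("hard", "-"):
                continue
            if domain == user:
                prec = 3
            elif domain.startswith("@") and domain[1:] in groups:
                prec = 2
            elif domain == "*":
                prec = 1
            else:
                continue
            if best is None or prec >= best[0]:   # later line wins on ties
                best = (prec, int(value))
    return None if best is None else best[1]

def check_baseline(limit, baseline):
    """Finding (False) if maxlogins is unset or above the baseline ceiling."""
    ceiling = BASELINE_MAXLOGINS[baseline]
    if limit is None:
        return False, "maxlogins not configured"
    if limit > ceiling:
        return False, f"maxlogins {limit} exceeds {baseline} ceiling of {ceiling}"
    return True, f"maxlogins {limit} within {baseline} ceiling of {ceiling}"
```

With the sample files, a member of `hpcusers` resolves to 256, which passes the TOSS 4 ceiling but is a finding under the RHEL 8 STIG, while any other user keeps the default of 10.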

  4. Timeline - Getting Started
    § 2020 December – Initial reach out to DISA
    § 2021 January
    — Connected to Risk Management Executive
    — Provided demo of TOSS to DISA
    — Submitted “Vendor Intent” form
    • “Marketing material, product website address, product usage in DoD”
    § 2021 February
    — Approved to continue on the process to write the STIG
    — Vendor orientation call with DISA

  5. Timeline - Development
    § 2021 March
    — Start of “Phase 1” of the development process for the TOSS STIG
    — DISA SME reviews submissions via Excel spreadsheet every 2 weeks
    — First submission had hidden unfilled rows, which caused issues
    § 2021 April
    — Continued work on the spreadsheet
    — Questions for the SME can only be submitted via the spreadsheet
    — “Completion of Development Stage 1”
    § 2021 May
    — Ian out on paternity leave
    § 2021 June – July
    — “Completion of Development Stage 2” and “Completion of Development Stage 3”
    § 2021 August – December
    — Development stages 4 and 5
    — DISA requests resubmission to work out details of controls
    — Several rounds of back and forth

  6. (image-only slide; no transcript text)

  7. Timeline - Validation
    § 2021 December 15
    — Vendor Transition Meeting / Start of Validation Phase
    § 2022 January – May
    — Provide remote access to DISA SME for validation
    — Awesome person to work with, very technical, good discussions back and forth
    § 2022 June
    — STIG published to the PKI-only side of cyber.mil (… but we don’t have access)

  8. Timeline - Going Public
    § 2022 May
    — Get word that the DISA AO is hesitant to publish on public.cyber.mil
    § 2022 June
    — Send justification for why it should be public
    — DISA AO agrees to publish if our AO requests it
    § 2022 June – December
    — Working with our local cyber security folks and AO to get concurrence
    — Dec 12: LLNL AO concurs with publishing publicly
    § 2022 December 29
    — STIG finally published to public.cyber.mil!

  9. Announcement

  10. (image-only slide; no transcript text)

  11. (image-only slide; no transcript text)

  12. Going Forward
    § Development of automation process
    — Python validation script (?)
    — Ansible Playbook
    — OpenSCAP profile
    § https://github.com/llnl/toss-stig
    — Contributions and merge requests welcome!

  13. Disclaimer
    This document was prepared as an account of work sponsored by an agency of the United States government. Neither the United
    States government nor Lawrence Livermore National Security, LLC, nor any of their employees makes any warranty, expressed or
    implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus,
    product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific
    commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or
    imply its endorsement, recommendation, or favoring by the United States government or Lawrence Livermore National Security, LLC.
    The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States government or
    Lawrence Livermore National Security, LLC, and shall not be used for advertising or product endorsement purposes.
    Thank you!
    Looking forward to the discussion coming up.
    [email protected]
    @IanLee1521
