What makes an effective hybrid cloud platform? (slide graphic: automated operations, broadest application support, security & compliance, spanning edge, datacenter, multi-cloud and public cloud)
The problem and the approach, layer by layer:
• Machines: machines are complex for ops. Make machines easy (like containers).
• Configuration: config change is risky. Make config management and config change easy and safe.
• Lifecycle: the software lifecycle is hard. Automate the software lifecycle on Kube.
Machine Config Operator (operator capabilities shown on the slide: describe intent with declarative config; upgrade, reconcile, config; monitor, scale, troubleshoot, backup; observe and maintain)

1. A user requests a new cluster.
2. Red Hat curates MachineConfigs to meet security best practices.
3. The Machine Config Operator delivers the secure machine config you need.
4. Metrics are sent to Red Hat Insights for analysis via secured HTTPS.

Example of a curated config object consumed by the Machine Config Operator: a ContainerRuntimeConfig that selects a machine config pool by label and sets a per-container PID limit and the CRI-O log level.

```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
metadata:
  name: set-log-and-pid
spec:
  machineConfigPoolSelector:
    matchLabels:
      debug-crio: config-log-and-pid
  containerRuntimeConfig:
    pidsLimit: 2048
    logLevel: debug
```
Container Security Operator (same operator capability diagram: declarative config, monitor/scale/troubleshoot/backup, summarize, observe)

1. A user adds the Container Security Operator to watch containers for vulnerabilities.
2. The Red Hat Consolidated Vulnerability Feed supplies the vulnerability data.
3. Continuous Quay and Clair scans report vulnerabilities in the running images.
A lot of rules to create a risk-based policy and a cost-effective security strategy:
▸ PCI-DSS
▸ ISO 27001
▸ HIPAA
▸ FISMA / FedRAMP
▸ NIST 800-53
▸ NIST 800-190
▸ CIS benchmarks
▸ ANSSI
▸ Essential 8
▸ Specific expertise is needed to understand the jargon and translate the requirements into an implementation.
Today: a custom process for everyone. The Risk Management Framework steps (Categorize System, Select Controls, Implement Controls, Assess Controls, Authorize System, Monitor Controls) and their pain points:
• Security control assessors carrying 400+ page three-ring binders; manual control assessment.
• Disagreement over which controls apply to which system components.
• How many ways are there to configure password policies? Which one is best?
• Differing interpretations between DoD, Intel, Civilian and SLED.
• Given the variance of prior processes, there is no deterministic way to make a risk assessment.
• IT is shifting towards DevOps; security needs to be monitored continuously.
Red Hat builds the pieces needed to drive the process, executed by the Compliance Operator: Categorize System, Select Controls, Implement Controls, Assess Controls, Authorize System (US Gov), Monitor Controls.
Declarative security compliance: three pieces.
• Compliance Operator: scans the cluster nodes and the OpenShift platform itself. It builds on existing, proven technologies that are accepted by the industry and already used in the RHEL world. The operator lets the administrator describe the desired compliance state of a cluster and provides an overview of the gaps and of the ways to remediate them.
• OpenSCAP: the NIST-certified scanner the operator runs to check and enforce the security policies provided by the content.
• Compliance profile content: the compliance checks themselves are delivered as SCAP content, with a lifecycle independent from both the operator and the OpenSCAP scanner, so new checks can ship without a new operator release.
Compliance Operator flow (ComplianceSuite, scans, results):

1. A compliance profile is selected.
2. The operator runs the scan for that profile against the nodes, collects the results as ComplianceCheckResult objects, and (optionally) performs remediations.
3. Accreditors or auditors examine the scan results for compliance status. After review, if desired, the generated ComplianceRemediation objects can be applied manually by the cluster-admin.

OCP 4.6: with 4.6, a limited set of RHCOS checks is implemented. Additional compliance checks are delivered roughly every two months.
Red Hat builds best practices into SCAP content, with technical implementations for assessment and remediation where possible.
▸ Within Red Hat, our goal is to look across the relevant security frameworks and codify compliance for the common controls.
▸ Provide as much technical, system-level compliance as possible: minimize manual effort.

The kind of manual check the content replaces, here reading the permission mode of the kube-apiserver static pod manifest on every control-plane node (the deck's own snippet, with the wrapped path rejoined and the variables quoted):

```shell
# List the kube-apiserver static pods and read the current revision from the pod labels
PODS_JSON=$(oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o json)
REVISION=$(echo "$PODS_JSON" | jq -r '.items[0].metadata.labels.revision')

# On each pod, print the octal permission bits of the manifest (stat -c %a), e.g. 600
for i in $(echo "$PODS_JSON" | jq -r '.items[].metadata.name'); do
  oc exec -n openshift-kube-apiserver -c "kube-apiserver-$REVISION" "$i" -- \
    stat -c %a /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml
done
```
Two scanning pipelines, two reports:
• Compliance scanning: SCAP datastream content plus DISA SRG XML (profile dependent) feed the compliance scan, which produces the compliance report.
• Vulnerability scanning (roadmap, OCP 4.6): the MITRE CVE Program, the National Vulnerability Database and the Red Hat Security Team feed the Red Hat CVE feed, which drives the vulnerability scan and produces the vulnerability report.
Driving the same content directly with the oscap CLI on a RHEL 8 host (the deck's walkthrough: inspect the datastream, scan, then scan with remediation):

```shell
## INSPECT THE DATASTREAM AND LIST THE PROFILES IT CARRIES
$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
Document type: Source Data Stream
Imported: 2020-02-06T09:36:38
...
Checklists:
...
Generated: 2020-02-06
Resolved: true
Profiles:
Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
Id: xccdf_org.ssgproject.content_profile_stig
...
Dictionaries:
Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml

## PERFORM AN INITIAL SCAN AND SAVE THE REPORT AS scan.html
$ oscap xccdf eval --report scan.html \
    --profile xccdf_org.ssgproject.content_profile_stig \
    /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
...
Title   Uninstall nfs-utils Package
Rule    xccdf_org.ssgproject.content_rule_package_nfs-utils_removed
Ident   CCE-82932-5
Result  fail

Title   Enable the Hardware RNG Entropy Gatherer Service
Rule    xccdf_org.ssgproject.content_rule_service_rngd_enabled
Ident   CCE-82831-9
Result  pass

## SCAN WITH THE REMEDIATE OPTION AND SAVE A REPORT AS remediated.html
$ oscap xccdf eval --report remediated.html --remediate \
    --profile xccdf_org.ssgproject.content_profile_stig \
    /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
...
Title   Uninstall nfs-utils Package
Rule    xccdf_org.ssgproject.content_rule_package_nfs-utils_removed
Ident   CCE-82932-5
Result  fixed
```

Two things to keep in mind when scripting this: oscap xccdf eval exits with status 2 when at least one rule fails (0 means all rules passed, 1 means an error), so a wrapper must not treat a non-zero exit as a crash; and --remediate changes the host in place, so run it on a test system first and keep the scan.html report as the before-state for the auditor.
File Integrity Operator (AIDE), OCP 4.6:

1. The operator deploys AIDE pods and scans the selected nodes to populate the AIDE database.
2. Repeat scans collect results and check them against the AIDE database.
3. Admins examine the scan results for status; divergence is reported through a FileIntegrityNodeStatus notification.

Because the database is populated from the nodes' state at the first scan, that baseline is only as trustworthy as the nodes were at that moment: initialize it on freshly provisioned nodes, not on nodes that have already been in service.
Roadmap: curated security profiles delivered through operators (the Machine Config Operator flow, continued):

1. A user requests a new cluster.
2. Red Hat curates cluster configs, including RHCOS configs, to meet security profiles such as CIS or NIST 800-53.
3. OpenShift operators apply updates; the Machine Config Operator applies the selected secure machine config for RHCOS updates.
4. Metrics are sent to Red Hat Insights for analysis via secured HTTPS.

The ContainerRuntimeConfig shown with the Machine Config Operator flow above is the same kind of object through which these curated settings are delivered.
Configure what you need to comply with, and how, in a declarative manner. Pick one of the shipped profiles or create a tailored one that fits your needs. Figure out your policies first: what is the organization's policy on scanning and monitoring systems?

compliance-operator custom resources:
• Profiles
• TailoredProfiles
• ProfileBundle
• ScanSettings
• ScanSettingBinding
• ComplianceSuite
• ComplianceScan(s)
• ComplianceRemediation(s)
• ComplianceCheckResult(s)
• Raw results
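As an added example of the declarative flow the custom-resource list above and the Compliance Operator flow describe (this is not content from the deck, and it targets the released operator's API group compliance.openshift.io, not the pre-release group shown later in the ComplianceSuite manifest), the three objects an administrator writes: a ScanSetting that says how and when to scan, a TailoredProfile that extends a shipped profile and disables one rule with a recorded rationale, and a ScanSettingBinding that ties profiles and settings together. The object names, the cron schedule, the exception rationale and the disabled rule name rhcos4-service-usbguard-enabled are assumptions made for the illustration; the profile names ocp4-cis and rhcos4-moderate are the ones shipped with the released operator.

```yaml
# Added example, not from the deck. Names, schedule and the disabled rule are assumptions.
---
# ScanSetting: how and when to scan. Remediations are NOT auto-applied, so an
# admin reviews each ComplianceRemediation before anything reaches the MCO.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSetting
metadata:
  name: nightly-review-only          # assumed name
  namespace: openshift-compliance
autoApplyRemediations: false
autoUpdateRemediations: false
schedule: "0 1 * * *"                # cron: every day at 01:00
rawResultStorage:
  size: 1Gi
  rotation: 5                        # keep the raw ARF/XCCDF results of the last 5 runs
roles:
  - worker
  - master
---
# TailoredProfile: start from the shipped rhcos4-moderate profile and switch off
# one rule. The rationale lives next to the exception, where an auditor finds it.
apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  name: rhcos4-moderate-no-usbguard  # assumed name
  namespace: openshift-compliance
spec:
  extends: rhcos4-moderate
  title: Moderate profile without USBGuard
  description: Bare-metal nodes run with USB controllers disabled in firmware.
  disableRules:
    - name: rhcos4-service-usbguard-enabled   # assumed rule name
      rationale: USB controllers are disabled in firmware; the service has nothing to guard.
---
# ScanSettingBinding: which profiles to scan with which settings.
# ocp4-cis checks the platform objects, the TailoredProfile checks the RHCOS nodes.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: moderate-and-cis             # assumed name
  namespace: openshift-compliance
profiles:
  - name: ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: rhcos4-moderate-no-usbguard
    kind: TailoredProfile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: nightly-review-only
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
```

Applying these with oc apply -f makes the operator generate a ComplianceSuite, one ComplianceScan per profile and role, and after each run the ComplianceCheckResult and ComplianceRemediation objects the auditors and the cluster-admin work from. Keeping autoApplyRemediations false is the conservative default for production: a remediation is a MachineConfig change and therefore a node reboot.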
• Overall cybercrime costs $600 billion annually, 0.8% of global GDP [2]
• Cost to the global financial industry: $270B [3]

Annual compliance cost impact to the financial industry: $270 billion [1]
• Compliance cost is 10% of the operating budget [1]
• Legal fees, data processing and staff [2]
• 26% increase in full-time compliance and audit employees since Dodd-Frank was introduced in 2010 [2]

Sources (first slide):
1. Celent, Neil Katkov, PhD, Mitigating Cyber Threats on Banking with Next Generation Platforms.
2. Celent, Joan McGowan, Combating Financial Crime at Scale, October 2018.
3. International Banker, The Cost of Compliance, Nov 7 2018, https://internationalbanker.com/technology/the-cost-of-compliance/

Sources (second slide):
1. International Banker, The Cost of Compliance, https://internationalbanker.com/technology/the-cost-of-compliance/
2. Cost of Compliance with the Dodd-Frank Act, Rice University Baker Institute for Public Policy, Issue Brief 09-06-19, https://www.bakerinstitute.org/media/files/files/0febf883/bi-brief-090619-cpf-doddfrank.pdf
The guide is released on Amazon (Kindle format).
• Also available to our customers via the customer portal (Red Hat login required).
• We are working on a download page that does not require a Red Hat login.
• An Amazon print-on-demand option is coming soon.
Product Manager: Kirsten Newcomer
From the administrator's point of view: to check the cluster, an administrator creates a Kubernetes object of type ComplianceSuite. The operator then schedules the scans and creates one ComplianceRemediation per issue found.
• The ComplianceSuite is a collection of scans, typically one scan per machine config pool.
• Each scan defines which machines to check, with what content and with which profile.
• ComplianceRemediations are created per issue; the admin then has the chance to review and apply them.

```yaml
apiVersion: complianceoperator.compliance.openshift.io/v1alpha1
kind: ComplianceSuite
metadata:
  name: example-compliancesuite
spec:
  scans:
    - name: workers-scan
      profile: xccdf_org.ssgproject.content_profile_coreos-ncp
      content: ssg-ocp4-ds.xml
      contentImage: quay.io/jhrozek/ocp4-openscap-content:remediation_demo
      nodeSelector:
        node-role.kubernetes.io/worker: ""
```
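What the admin actually reviews at the "review and apply" step, and what the Machine Config Operator flow earlier in the deck then rolls out, as an added example that is not from the deck: a ComplianceRemediation generated for one failed check of the workers-scan above. The object follows the released operator's API group compliance.openshift.io/v1alpha1 rather than the pre-release group in the ComplianceSuite manifest; the rule (disable_users_coredumps, a real rule of the rhcos4 content) is a realistic choice but the scan name, suite name and labels are assumptions tied to the manifest above.

```yaml
# Added example, not from the deck. Scan and suite names are assumptions.
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceRemediation
metadata:
  name: workers-scan-disable-users-coredumps   # <scan name>-<rule short name>
  namespace: openshift-compliance
  labels:
    compliance.openshift.io/scan-name: workers-scan
    compliance.openshift.io/suite: example-compliancesuite
spec:
  apply: false            # nothing changes on any node until an admin sets this to true
  type: Configuration
  outdated: {}
  current:
    object:
      # The payload is a plain MachineConfig. Reviewing the remediation means
      # reading the file it drops: a limits.d entry that sets a hard core-dump
      # size of 0 for every user, so crashing processes cannot leave memory
      # contents (and the secrets in them) on disk.
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      spec:
        config:
          ignition:
            version: 3.1.0
          storage:
            files:
              - path: /etc/security/limits.d/75-disable_users_coredumps.conf
                mode: 420                      # 0644 in decimal
                overwrite: true
                contents:
                  # URL-encoded "*     hard   core    0"
                  source: "data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200"
```

To accept it after review, the cluster-admin flips the flag: oc patch complianceremediation workers-scan-disable-users-coredumps -n openshift-compliance --type merge -p '{"spec":{"apply":true}}'. The operator then creates a MachineConfig from spec.current.object and the Machine Config Operator rolls it out to the pool the scan targeted, draining and rebooting those nodes; the next scan turns the corresponding ComplianceCheckResult from FAIL to PASS. Review the payload, not just the rule title: the MachineConfig is applied as root to every node in the pool.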
Status of the project: while many features already work, some are still under development. What currently works:
• The operator can be installed with the usual OLM workflow.
• Scans can be defined; they scan the CoreOS nodes, gather remediations, and the remediations can be applied.
• Results are available either in XCCDF results format or as an ARF report.
• A lot of work has been done on triaging and assessing the compliance controls in order to create the actual content.

Features still missing before the operator is feature complete:
• Scanning and checking the k8s cluster itself, as opposed to the cluster nodes (requires OpenSCAP enhancements).
• Better content coverage.
• Continuous scans that alert the administrator if the cluster diverges from the compliant state.
• UI/UX enhancements.
All about operators (operator capabilities: declarative config; monitor, scale, troubleshoot, backup; maintain; observe). An operator is a method of packaging, deploying and managing a Kubernetes application. A Kubernetes application is an application that is both deployed on Kubernetes and managed using the Kubernetes APIs and kubectl tooling. To make the most of Kubernetes, you need a set of cohesive APIs to extend in order to service and manage the applications that run on it. An operator is a runtime that manages a specific type of application on Kubernetes.
A lot of rules to create a risk-based policy and a cost-effective security strategy, written for a different era:
▸ Applicable laws authored in 2002
▸ Multi-year development/production cycles were common and acceptable
▸ Pre GovCloud, C2S, MilCloud
▸ Waterfall dominant
▸ Infrastructure focus
▸ Specific expertise is needed to understand the jargon, processes, and tools
Selecting your compliance profile: examples of NIST 800-53 controls a profile maps to.
• AT-2: Security Awareness Training
• AU-8: Time Stamps
• AU-9: Protection of Audit Information
• CA-7: Continuous Monitoring
• CM-10: Software Usage Restrictions
• CP-2: Contingency Plan
• IA-5: Authenticator Management
• IA-2(12): Acceptance of PIV Credentials
• IR-8: Incident Response Plan
• MA-4: Nonlocal Maintenance