Openshift Compliance & Security Operators

How Red Hat is automating security and regulatory compliance

Red Hat Livestreaming

October 12, 2020

Transcript

  1. OpenShift Security &
    Compliance Operators
    How Red Hat is automating security and regulatory
    compliance
    Kirsten Newcomer
    Director, Cloud and DevSecOps Strategy
    OpenShift Product Management
    October 2020

  2. What makes an effective hybrid cloud platform?
    DEVELOPER EXPERIENCE & ON-DEMAND
    STANDARDS, PORTABILITY & INTEROPERABILITY
    BROAD ECOSYSTEM
    AUTOMATED OPERATIONS
    BROADEST APPLICATION SUPPORT
    SECURITY & COMPLIANCE
    Footprints: Edge, Datacenter, Multi-Cloud, Public Cloud

  3. OpenShift 4 Security: Dramatically simplified for The Hybrid Cloud
    Machines: machines are complex for ops, so make machines easy (like containers)
    Configuration: config change is risky, so make config management and config change easy and safe
    Lifecycle: software lifecycle is hard, so automate the software lifecycle on Kube

  4. Developer Productivity
    Cluster Services: Automated Ops ⠇Over-The-Air Updates ⠇Monitoring ⠇Registry ⠇Networking ⠇Router ⠇OpenShift Virtualization ⠇OLM ⠇Helm
    Kubernetes
    Developer Services: Developer CLI ⠇VS Code extensions ⠇IDE Plugins ⠇CodeReady Workspaces ⠇CodeReady Containers
    Platform Services: Service Mesh ⠇Serverless ⠇Builds ⠇CI/CD Pipelines ⠇Full Stack Logging ⠇Chargeback
    Application Services: Databases ⠇Languages ⠇Runtimes ⠇Integration ⠇Business Automation ⠇100+ ISV Services
    Build Cloud-Native Apps, Manage Workloads
    Advanced Cluster Management (Multi-cluster Management): Discovery ⠇Policy ⠇Compliance ⠇Configuration ⠇Workloads
    Layers: OpenShift Kubernetes Engine, OpenShift Container Platform, Red Hat Enterprise Linux & RHEL CoreOS
    Red Hat OpenShift Container Platform runs on: Physical, Virtual, Private cloud, Public cloud, Managed cloud (Azure, AWS, GCP, IBM, Red Hat), Edge cloud

  5. OpenShift Machine Config Operator: Monitor for Configuration Drift
    Operator loop: describe intent with declarative config = Maintain (install, upgrade, reconcile, config) + Observe (monitor, scale, troubleshoot, backup)
    apiVersion: machineconfiguration.openshift.io/v1
    kind: ContainerRuntimeConfig
    metadata:
      name: set-log-and-pid
    spec:
      machineConfigPoolSelector:
        matchLabels:
          debug-crio: config-log-and-pid
      containerRuntimeConfig:
        pidsLimit: 2048
        logLevel: debug
    1 A user requests a new cluster
    2 Red Hat curates MachineConfigs to meet security best practices
    3 The Machine Config Operator delivers the secure machine config you need
    4 Metrics are sent to Red Hat Insights for analysis via secured HTTPS.

  6. Container Security Operator: Proactive Vulnerability Monitoring
    Operator loop: describe intent with declarative config = Maintain (install, upgrade, reconcile, config) + Observe (monitor, scale, troubleshoot, backup) + Summarize
    1 User adds the Container Security Operator to watch containers for vulnerabilities
    2 Red Hat Consolidated Vulnerability Feed
    3 Continuous Quay and Clair scans

  7. MANAGING COMPLIANCE COMPLEXITY

  8. A Complex Set of Compliance Regulations and Recommendations
    A lot of rules to create for a risk-based policy and cost-effective security strategy
    ▸ PCI-DSS
    ▸ ISO 27001
    ▸ HIPAA
    ▸ FISMA / FedRAMP
    ▸ NIST 800-53
    ▸ NIST 800-190
    ▸ CIS benchmarks
    ▸ ANSSI
    ▸ Essential 8
    ▸ Need specific expertise to understand the jargon and translate the requirements to implementation

  9. A Complex Process
    Determining compliance is a multi-step, custom process for everyone
    Steps: CATEGORIZE SYSTEM > SELECT CONTROLS > IMPLEMENT CONTROLS > ASSESS CONTROLS > AUTHORIZE SYSTEM > MONITOR CONTROLS
    ▸ Security control assessors carrying 400+ page three-ring binders. Manual control assessment.
    ▸ Disagreement over which controls apply to which system components.
    ▸ How many ways are there to configure password policies? Which one is best?
    ▸ Differing interpretations between DoD, Intel, Civ, SLED.
    ▸ Given variance of prior processes, no deterministic way to make a risk assessment.
    ▸ IT shifting towards DevOps, need to continuously monitor security.

  10. OPENSHIFT IS SECURITY AUTOMATION
    Red Hat Compliance Content Automation
    Red Hat builds the pieces needed to drive the process, executed by the Compliance Operator
    Steps: CATEGORIZE SYSTEM > SELECT CONTROLS > IMPLEMENT CONTROLS > ASSESS CONTROLS > AUTHORIZE SYSTEM (US Gov) > MONITOR CONTROLS

  11. Compliance operator
    Declarative Security Compliance
    The compliance operator runs in the OpenShift cluster to scan the cluster nodes and the OpenShift platform itself. It builds on existing and proven technologies that are accepted by the industry and used in the RHEL world.
    The operator itself: lets the administrator describe the desired compliance state of a cluster and provides them with an overview of gaps and ways to remediate the gaps.
    OpenSCAP: NIST-certified tool to scan and enforce the security policies provided by the content.
    Compliance Profile Content: the compliance checks themselves are delivered through SCAP content, with a lifecycle independent from the operator or the OpenSCAP scanner.

  12. OpenShift Compliance Operator: Declarative Security Compliance
    Operator loop: describe intent with declarative config = Maintain (install, upgrade, reconcile, config) + Observe (monitor, scale, troubleshoot, backup) + Summarize
    Resources: ComplianceSuite, Scan (results), ComplianceCheckResult, ComplianceRemediations
    1 A compliance profile is selected
    2 The operator runs the scan for the profile against nodes, collects results, and (optionally) performs remediations
    3 Accreditors or auditors can examine the scan results for compliance status. After review, if desired, remediations can be manually applied by the cluster-admin.
    OCP 4.6: with 4.6, a limited set of RHCOS checks will be implemented. Additional compliance checks will be delivered roughly every 2 months.

  13. Compliance operator
    The high level workflow: Scan > Remediate > Rescan

  14. IMPLEMENTING COMPLIANCE CONTROLS
    Implementing controls with OCP
    Red Hat is building best practices into SCAP content, with technical implementations for assessment and remediation where possible
    ▸ Within Red Hat, our goal is to look across relevant security frameworks and codify compliance for the common controls.
    ▸ Provide as much technical and system level compliance as possible -- minimize manual effort
    # Example check: file mode of the kube-apiserver static pod manifest on every kube-apiserver pod
    PODS_JSON=$(oc get pods -n openshift-kube-apiserver -l app=openshift-kube-apiserver -o json)
    REVISION=$(echo "$PODS_JSON" | jq -r '.items[0].metadata.labels.revision')
    for i in $(echo "$PODS_JSON" | jq -r '.items[].metadata.name'); do
      oc exec -n openshift-kube-apiserver -c "kube-apiserver-$REVISION" "$i" -- \
        stat -c %a /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml
    done
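    The loop above only prints a mode per pod; an assessor still has to decide whether each value is acceptable. As an added example that is not part of the deck, the same check expressed the way a SCAP file-permission rule evaluates it: a bitmask comparison against the most permissive mode allowed (a string comparison of "644" against "600" is the classic mistake), plus owner and group. The `stat -c '%a %U %G %n'` output lines are constructed for this example, and the 0600 root:root rule is an assumption chosen to illustrate the technique, not a value taken from the deck or from Red Hat's SCAP content.

    ```python
    from dataclasses import dataclass

    # Constructed sample: one line per kube-apiserver pod, as if the deck's loop had run
    # `stat -c '%a %U %G %n'` and the pod name had been prepended. Not real cluster data.
    SAMPLE_STAT_OUTPUT = """\
    kube-apiserver-master-0 600 root root /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml
    kube-apiserver-master-1 644 root root /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml
    kube-apiserver-master-2 600 core root /etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml
    """


    @dataclass(frozen=True)
    class FileRule:
        path: str
        max_mode: int   # most permissive mode that still passes, e.g. 0o600
        owner: str
        group: str


    MANIFEST = "/etc/kubernetes/static-pod-resources/kube-apiserver-pod.yaml"

    # Hypothetical rule set for the example: the manifest must be no more open than
    # 0600 and owned by root:root. An assumption, not a published benchmark value.
    RULES = {MANIFEST: FileRule(MANIFEST, 0o600, "root", "root")}


    def mode_within(observed: int, max_mode: int) -> bool:
        """True if `observed` sets no permission bit that `max_mode` does not.

        Bitmask semantics: 0o600 passes against a 0o640 limit, 0o644 does not,
        even though "644" > "600" as a string comparison would also say.
        """
        return observed & ~max_mode == 0


    def evaluate(stat_output: str, rules=RULES) -> list[dict]:
        """Apply the rule set to stat output and return one finding per pod/path."""
        findings = []
        for line in stat_output.splitlines():
            if not line.strip():
                continue
            pod, mode, owner, group, path = line.split(None, 4)
            rule = rules.get(path)
            if rule is None:
                continue  # file not covered by any rule
            observed = int(mode, 8)  # stat prints the mode in octal
            problems = []
            if not mode_within(observed, rule.max_mode):
                problems.append(f"mode {mode} exceeds {rule.max_mode:o}")
            if owner != rule.owner:
                problems.append(f"owner {owner} != {rule.owner}")
            if group != rule.group:
                problems.append(f"group {group} != {rule.group}")
            findings.append({
                "pod": pod,
                "path": path,
                "result": "fail" if problems else "pass",
                "reasons": problems,
            })
        return findings


    if __name__ == "__main__":
        for f in evaluate(SAMPLE_STAT_OUTPUT):
            print(f"{f['pod']}: {f['result']} {'; '.join(f['reasons'])}")
    ```

    In a cluster you would feed the real `oc exec ... stat` output into `evaluate`; the Compliance Operator does the equivalent for you from SCAP content, which is the point of the slide.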

  15. Under the hood
    How the Compliance Operator does its work
    ComplianceSuite > ComplianceScan (one per MachinePool) > Scan > Scan Results > ComplianceCheckResult and ComplianceRemediations

  16. How OpenSCAP Works
    COMPLIANCE SCANNING: the NIST 800-53 Compliance as Code Project and DISA SRG XML (profile dependent) feed the SCAP Datastream Content, which produces the Compliance Report
    VULNERABILITY SCANNING (Roadmap, OCP 4.6): the Mitre CVE Program, the National Vulnerability Database and the Red Hat Security Team feed the Red Hat CVE Feed, which produces the Vulnerability Report

  17. ## CHOOSE THE PROFILE TO SCAN
    $ sudo oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
    Document type: Source Data Stream
    Imported: 2020-02-06T09:36:38
    ...
    Checklists:
    ...
    Generated: 2020-02-06
    Resolved: true
    Profiles:
    Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
    Id: xccdf_org.ssgproject.content_profile_stig
    ...
    Dictionaries:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml
    ## PERFORM AN INITIAL SCAN AND SAVE THE REPORT AS scan.html
    $ oscap xccdf eval --report scan.html \
    --profile xccdf_org.ssgproject.content_profile_stig \
    /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
    ...
    Title Uninstall nfs-utils Package
    Rule xccdf_org.ssgproject.content_rule_package_nfs-utils_removed
    Ident CCE-82932-5
    Result fail
    Title Enable the Hardware RNG Entropy Gatherer Service
    Rule xccdf_org.ssgproject.content_rule_service_rngd_enabled
    Ident CCE-82831-9
    Result pass
    ## SCAN WITH THE REMEDIATE OPTION AND SAVE A REPORT AS remediated.html
    $ oscap xccdf eval --report remediated.html --remediate \
    --profile xccdf_org.ssgproject.content_profile_stig \
    /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
    ...
    Title Uninstall nfs-utils Package
    Rule xccdf_org.ssgproject.content_rule_package_nfs-utils_removed
    Ident CCE-82932-5
    Result fixed
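    The session above shows the human-readable `oscap` output; the same run also writes machine-readable XCCDF results (and the deck later notes the operator exposes results as XCCDF or ARF). As an added example that is not part of the deck or of OpenSCAP, a small parser for the XCCDF 1.2 `rule-result` elements that turns a results document into a list of rule outcomes, a pass/fail tally and the list of failing rules with their CCE identifiers. The XML fragment is constructed to mirror the two rules in the slide; a real results file nests `TestResult` inside a `Benchmark`, which `iter()` handles.

    ```python
    import xml.etree.ElementTree as ET
    from collections import Counter

    XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

    # Constructed XCCDF 1.2 TestResult fragment shaped like the rules shown in the
    # deck's oscap output. Not a real scan result.
    SAMPLE_RESULTS = f"""<?xml version="1.0"?>
    <TestResult xmlns="{XCCDF_NS}" id="xccdf_org.open-scap_testresult_example">
      <rule-result idref="xccdf_org.ssgproject.content_rule_package_nfs-utils_removed" severity="medium">
        <result>fail</result>
        <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82932-5</ident>
      </rule-result>
      <rule-result idref="xccdf_org.ssgproject.content_rule_service_rngd_enabled" severity="low">
        <result>pass</result>
        <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82831-9</ident>
      </rule-result>
      <rule-result idref="xccdf_org.ssgproject.content_rule_example_not_applicable" severity="low">
        <result>notapplicable</result>
      </rule-result>
    </TestResult>
    """


    def parse_rule_results(xml_text: str) -> list[dict]:
        """Return one dict per <rule-result>: rule id, severity, result, CCE ident."""
        root = ET.fromstring(xml_text)
        ns = {"x": XCCDF_NS}
        out = []
        # iter() walks the whole tree, so this works whether the root is the
        # TestResult itself or a Benchmark wrapping it.
        for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
            result_el = rr.find("x:result", ns)
            ident_el = rr.find("x:ident", ns)
            out.append({
                "rule": rr.get("idref"),
                "severity": rr.get("severity", "unknown"),
                "result": result_el.text if result_el is not None else "unknown",
                "ident": ident_el.text if ident_el is not None else None,
            })
        return out


    def summarize(results: list[dict]) -> dict:
        """Count outcomes, e.g. {'pass': 1, 'fail': 1, 'notapplicable': 1}."""
        return dict(Counter(r["result"] for r in results))


    def failing(results: list[dict]) -> list[dict]:
        """Rules an assessor must look at: fail, error and unknown outcomes."""
        return [r for r in results if r["result"] in ("fail", "error", "unknown")]


    if __name__ == "__main__":
        rs = parse_rule_results(SAMPLE_RESULTS)
        print(summarize(rs))
        for r in failing(rs):
            print(f"{r['severity']:>8}  {r['ident']}  {r['rule']}")
    ```

    To run it against a real result, export one with `oscap xccdf eval --results results.xml ...` and pass the file contents to `parse_rule_results`; the "fixed" outcome produced by `--remediate` shows up in the tally alongside pass and fail.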

  18. OpenShift File Integrity Operator
    Operator loop: enable FileIntegrity checking = Monitor + Observe + Summarize + Notify
    Components: AIDE, AIDE Configuration, Deploy AIDE Pods, Scan Nodes, Notification (fileIntegrityNodeStatus)
    1 The operator scans the selected nodes to populate the AIDE database
    2 Repeat scans collect results, and check against the AIDE database.
    3 Admins can examine the scan results for status
    OCP 4.6

  19. Roadmap

  20. RH ACM and Compliance (Roadmap)
    Operator loop: describe intent with declarative config = Maintain (install, upgrade, reconcile, config) + Observe (monitor, scale, troubleshoot, backup)
    apiVersion: machineconfiguration.openshift.io/v1
    kind: ContainerRuntimeConfig
    metadata:
      name: set-log-and-pid
    spec:
      machineConfigPoolSelector:
        matchLabels:
          debug-crio: config-log-and-pid
      containerRuntimeConfig:
        pidsLimit: 2048
        logLevel: debug
    1 A user requests a new cluster
    2 Red Hat curates cluster configs, including RHCOS configs to meet security profiles, like CIS or NIST-800-53
    3 OpenShift operators apply updates; the Machine Config Operator applies the selected secure machine config for RHCOS updates
    4 Metrics are sent to Red Hat Insights for analysis via secured HTTPS.

  21. What's next in OpenShift Q3 CY2020
    Security and Compliance
    Product Manager: Kirsten Newcomer
    Compliance Profiles Roadmap (AUTOMATION, POLICIES, PORTFOLIO)
    Near Term (4.6+)
    Integration
    ● TBD
    Operators
    ● Compliance Operator (4.6)
    ● File Integrity Operator (4.6)
    Policy Content
    ● RH CoreOS controls (STIG)
    ● CIS OpenShift benchmark
    ● FISMA Moderate (partial)
    Mid Term (1H 2021)
    Integration
    ● RH ACM deploys Compliance operator
    ● RH ACM policies consumed by Compliance operator
    Policy Content
    ● Customize policy sets
    ● PCI-DSS
    ● ISO 27001
    ● HIPAA
    ● FISMA Moderate (more)
    ● Australian Essential 8
    Operators
    ● Compliance operator improvements
    Long Term (2H 2021)
    Integration
    ● TBD
    Policy Content
    ● TBD
    Operators
    ● SELinux policy operator and helper operator

  22. Thank you
    linkedin.com/company/red-hat
    youtube.com/user/RedHatVideos
    facebook.com/redhatinc
    twitter.com/RedHat
    Red Hat is the world's leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.

  23. compliance-operator Custom Resources
    The compliance-operator uses several custom resources to allow you to configure what you need to comply with and how in a declarative manner.
    Profiles
    TailoredProfiles
    ProfileBundle
    ScanSettings
    ScanSettingBinding
    ComplianceSuite
    ComplianceScan(s)
    ComplianceRemediation(s)
    ComplianceCheckResult(s)
    Raw results

  24. compliance-operator Custom Resources
    The compliance-operator uses several custom resources to allow you to configure what you need to comply with and how in a declarative manner.
    Profiles
    TailoredProfiles
    ScanSettings
    ScanSettingBinding
    ComplianceSuite
    ComplianceRemediation(s)
    ComplianceCheckResult(s)
    Raw results

  25. compliance-operator: Figure out your policies
    What do you need to comply with? Select a policy or create a tailored one that fits your needs.
    What's the organization's policy on scanning and monitoring systems?
    Profiles
    TailoredProfiles
    ScanSettings
    ScanSettingBinding
    ComplianceSuite
    ComplianceRemediation(s)
    ComplianceCheckResult(s)
    Raw results

  26. Pressures and costs
    Increase pressures: Preserve Capital, Support Federal Programs, Cloud Infrastructure, Accelerate Digital Delivery
    Decrease costs: Development, Security and Compliance
    Maintain Lending Ability, Maintain Regulatory Requirements

  27. 43% of cybercrime attacks target the financial industry (1)
    ● Overall cybercrime cost $600 Billion annually, 0.8% of global GDP (2)
    ● Cost to the global financial industry $270B (3)
    1 Celent, Neil Katkov, PhD - Mitigating Cyber Threats on Banking with Next Generation Platforms.
    2 Celent, Joan McGowan - Combating Financial Crime at Scale, October 2018
    3 International Banker, Cost of Compliance, Nov 7 2018 - https://internationalbanker.com/technology/the-cost-of-compliance/

  28. Annual Compliance Cost impact to the financial industry $270 Billion (1)
    ● Compliance cost is 10% of Operating Budget (1)
    ● Legal fees, data processing and staff (2)
    ● 26% increase of full time compliance and audit employees since Dodd-Frank was introduced in 2010 (2)
    1. International Banker, Cost of Compliance, Nov 7 2018 - https://internationalbanker.com/technology/the-cost-of-compliance/
    2. Cost of Compliance with the Dodd-Frank Act, Rice University Baker Institute for Public Policy Issue Brief 09-06-1029 - https://www.bakerinstitute.org/media/files/files/0febf883/bi-brief-090619-cpf-doddfrank.pdf

  29. The OpenShift Security Guide is Available
    ● OpenShift Security Guide is released on
    Amazon (Kindle format)
    ● Also available to our customers via the
    customer portal - here
    ● We are working on a page not requiring Red
    Hat login for download
    ● Amazon Print On Demand
    option coming soon
    Product Manager: Kirsten Newcomer

  30. More details

  31. Workflow from the admin's point of view
    In order to check the cluster, an administrator creates a Kubernetes object of type ComplianceSuite. The operator then schedules scans and creates a ComplianceRemediation per found issue.
    ● The ComplianceSuite is a collection of scans, typically one scan per machine config pool
    ● Each scan defines what machines to check, with what content and what profile
    ● ComplianceRemediations are created per issue, the admin then has the chance to review and apply them
    apiVersion: complianceoperator.compliance.openshift.io/v1alpha1
    kind: ComplianceSuite
    metadata:
      name: example-compliancesuite
    spec:
      scans:
        - name: workers-scan
          profile: xccdf_org.ssgproject.content_profile_coreos-ncp
          content: ssg-ocp4-ds.xml
          contentImage: quay.io/jhrozek/ocp4-openscap-content:remediation_demo
          nodeSelector:
            node-role.kubernetes.io/worker: ""
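    The ComplianceSuite above is what the admin reviews before the operator acts on it, and one line deserves a second look: `contentImage` names the image that carries the checks and the remediations that will be applied to nodes, and it is referenced by a mutable tag. As an added example that is not part of the deck or of the compliance-operator project, a small lint for suite manifests that checks each scan for the fields the slide uses and flags a content image that is not pinned by digest. The JSON is the slide's suite as `oc get compliancesuite -o json` would return it (constructed here, so the example runs offline); the required-field list is taken from the slide, and the digest rule is this example's own policy, not a requirement of the operator.

    ```python
    import json
    import re

    # The deck's ComplianceSuite in the JSON form `oc get ... -o json` returns.
    # Constructed from the slide for this example, not fetched from a cluster.
    SUITE_JSON = """
    {
      "apiVersion": "complianceoperator.compliance.openshift.io/v1alpha1",
      "kind": "ComplianceSuite",
      "metadata": {"name": "example-compliancesuite"},
      "spec": {
        "scans": [
          {
            "name": "workers-scan",
            "profile": "xccdf_org.ssgproject.content_profile_coreos-ncp",
            "content": "ssg-ocp4-ds.xml",
            "contentImage": "quay.io/jhrozek/ocp4-openscap-content:remediation_demo",
            "nodeSelector": {"node-role.kubernetes.io/worker": ""}
          }
        ]
      }
    }
    """

    # Fields every scan in the slide's example carries. An assumption for this lint,
    # not the operator's own schema validation.
    REQUIRED_SCAN_FIELDS = ("name", "profile", "content", "contentImage", "nodeSelector")

    # An image reference pinned by digest ends in @sha256:<64 hex chars>.
    DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


    def lint_scan(scan: dict) -> list[str]:
        """Return a list of problems for one scan entry; empty means clean."""
        problems = []
        for field in REQUIRED_SCAN_FIELDS:
            if field not in scan:
                problems.append(f"missing field: {field}")
        image = scan.get("contentImage", "")
        # A tag can be re-pointed by whoever controls the repository, which would
        # silently change the checks and remediations the operator applies to nodes.
        if image and not DIGEST_RE.search(image):
            problems.append(f"contentImage not pinned by digest: {image}")
        if not scan.get("profile", "").startswith("xccdf_"):
            problems.append("profile is not an XCCDF profile id")
        return problems


    def lint_suite(suite_json: str) -> dict[str, list[str]]:
        """Lint every scan in a ComplianceSuite document; keyed by scan name."""
        suite = json.loads(suite_json)
        if suite.get("kind") != "ComplianceSuite":
            raise ValueError(f"expected kind ComplianceSuite, got {suite.get('kind')!r}")
        scans = suite.get("spec", {}).get("scans", [])
        return {scan.get("name", "<unnamed>"): lint_scan(scan) for scan in scans}


    if __name__ == "__main__":
        for name, problems in lint_suite(SUITE_JSON).items():
            status = "ok" if not problems else "; ".join(problems)
            print(f"{name}: {status}")
    ```

    Pipe `oc get compliancesuite <name> -o json` into `lint_suite` to run it against a live object; pinning the content image by digest keeps the scan reproducible for the auditor who later reads the results.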

  32. Compliance operator
    Current state
    Compliance-operator is a fairly new project. While many features already work, some are still under development. Here's what currently works:
    ● The operator can be installed with the usual OLM workflow
    ● Scans can be defined, they can scan the CoreOS nodes and gather remediations, and the remediations can be applied
    ● Results are available either in XCCDF results format or as an ARF report
    ● A lot of work has been done on actually triaging and assessing the compliance controls in order to create the actual content

  33. Compliance operator
    Future work
    We still need to add some features before the operator is feature complete:
    ● Scanning and checking the k8s cluster as opposed to the cluster nodes (requires OpenSCAP enhancements)
    ● Better content coverage
    ● Continuous scans to alert the administrator if the cluster diverges from the compliant state
    ● UI/UX enhancements

  34. Compliance operator
    Demo recording

  35. Operators

  36. WHY OPERATORS
    Why Operator Framework?
    Automate Operations, of course
    Without an operator: the developer deploys a stateful app; a while later, operations has to update, patch, backup, rebalance and scale it by hand.
    ▸ Difficult and error prone to manage at scale
    ▸ Inconsistent security controls across environments
    ▸ Overwhelming to verify components, configurations, policies, and compliance
    With an app operator: the developer deploys the stateful app and the operator takes over update, patch, backup, rebalance and scale as app services.
    ▸ Easy to manage
    ▸ Consistent everywhere
    ▸ Automated compliance

  37. WHY OPERATORS
    Why? Let's Compare Approaches
                                                  Helm Chart   Operator
    Packaging                                         ✓            ✓
    App Installation                                  ✓            ✓
    App Update (kubernetes manifests)                 ✓            ✓
    App Upgrade (data migration, adaption, etc)       -            ✓
    Backup & Recovery                                 -            ✓
    Workload & Log Analysis                           -            ✓
    Intelligent Scaling                               -            ✓
    Auto tuning                                       -            ✓

  38. ALL ABOUT OPERATORS
    Kubernetes Operator Framework
    A way to manage application instances on Kubernetes in an effective, automated and scalable way.
    AUTOMATED LIFECYCLE MANAGEMENT: Installation, Upgrade, Backup, Failure recovery, Metrics & insights, Tuning

  39. What is an Operator
    ALL ABOUT OPERATORS
    Operator = Maintain (install, upgrade, reconcile, config) + Observe (monitor, scale, troubleshoot, backup)
    A method of packaging, deploying and managing a Kubernetes application. A Kubernetes application is an application that is both deployed on Kubernetes and managed using the Kubernetes APIs and kubectl tooling.
    To be able to make the most of Kubernetes, you need a set of cohesive APIs to extend in order to service and manage your applications that run on Kubernetes. A runtime that manages a specific type of application on Kubernetes.

  40. OpenShift Operators: A Fully Managed Lifecycle
    OPERATORS OPERATING OPERATORS
    Bundle (YourOperator v1.1.2): Operator Deployment, Custom Resource Definitions, RBAC, API Dependencies, Update Path, Metadata
    OPERATOR LIFECYCLE MANAGER: a Subscription for YourOperator resolves to the bundle in the Operator Catalog, which is installed as Deployment, Role, ClusterRole, RoleBinding, ClusterRoleBinding, ServiceAccount and CustomResourceDefinition objects
    Update path (version over time): YourOperator v1.1.2 > v1.1.3 > v1.2.0
    Dependencies: YourOperator requires the Jaeger Operator (jaeger.jaegertracing.io/v1) and the CockroachDB Operator (cockroachdb.charts.helm.k8s.io/v1alpha1), each resolved from the Operator Catalog

  41. NAPS

  42. A Complex Compliance Regime to achieve ATO
    A lot of rules to create for a risk-based policy and cost-effective security strategy
    ▸ Applicable laws authored in 2002
    ▸ Multi-year development/production cycles were common & acceptable
    ▸ Pre GovCloud, C2S, MilCloud
    ▸ Waterfall dominant
    ▸ Infrastructure focus
    ▸ Need specific expertise to understand the jargon, processes, and tools

  43. SELECTING YOUR COMPLIANCE PROFILE
    DoD STIG. Criminal Justice. HIPAA. ....
    AC-2: Account Management
    AT-2: Security Awareness Training
    AU-8: Time Stamps
    AU-9: Protection of Audit Information
    CA-7: Plan of Action & Milestones
    CM-10: Software Usage Restrictions
    CP-2: Contingency Plan
    IA-5: Authenticator Management
    IA-2(12): Acceptance of PIV Credentials
    IR-8: Incident Response Plan
    MA-4: Nonlocal Maintenance
