An Approach to Building & Maintaining a STIG’D RHEL Server

Red Hat Satellite Server
Forge.mil (https://software.forge.mil/sf/go/wiki3316 SPAWAR Linux Management Wiki)
Kickstart
Puppet
Tresys CLIP

Aaron Prayther
aprayther@lce.com
843 218 2178

Mil‐OSS WG2, 2nd‐5th August 2010 – Washington D.C.
1) Checklist  2) Relation  3) Application  4) Assessment  5) Maintenance

[Diagram: the five stages laid over the toolchain: 1 UNIX Security Checklist → 2 IAVA / CVE → 3 Red Hat (Kickstart, YUM, Puppet) → 4 Reporting? (SRR, Oval, Satellite) → 5 Satellite / Forge.mil]
Creating a more manageable and reproducible STIG’D RHEL server
• There are some tools to help STIG a box
• There is an image that can be copied
• Nothing that is very reproducible over the long term
• We can create STIG’D servers and maintain them.
• The infrastructure, Satellite Server, is not a STIG compliant server in the environment I work in
• Google: “STIG”
  – The Stig is the name given to the racing driver character on the BBC Television show Top Gear.
  – Security Technical Implementation Guides
1. UNIX Security Checklist
Is there an easier or better way?

[Diagram: toolchain overview: UNIX Security Checklist → IAVA / CVE → Red Hat (Kickstart, YUM, Puppet) → Reporting? (SRR, Oval, Satellite) → Satellite / Forge.mil]
Unix Security Checklist (634 GEN, UNIX & IAVA items)

[Screenshot: no text extracted]
2. IAVA / CVE / Red Hat Security Advisory
A way to relate IAVA to patches

[Diagram: toolchain overview: UNIX Security Checklist → IAVA / CVE → Red Hat (Kickstart, YUM, Puppet) → Reporting? (SRR, Oval, Satellite) → Satellite / Forge.mil]
Satellite Flags Errata

[Screenshot: no text extracted]

Satellite references CVE

[Screenshot: no text extracted]
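Slides 6 through 8 make the point that an IAVA can be tied to a concrete patch because both the IAVA notice and the Red Hat advisory that Satellite flags carry CVE ids. The script below is an added example, not from the slides and not Satellite's own tooling, showing that join in plain shell and awk. Both tables and every id in them are constructed placeholders (0000 year and number); the table shapes, not the values, are what matters.

```shell
#!/bin/sh
# Added example, not from the slides and not Satellite's own tooling: relate
# an IAVA to the Red Hat errata that patch it, by joining on the CVE ids that
# both the IAVA notice and the advisory carry.  Every id below is a
# constructed placeholder (0000 year/number), not a real IAVA, CVE or RHSA.

# IAVA -> CVE, one CVE per line (an IAVA often lists several).
IAVA_TO_CVE='0000-A-0001 CVE-0000-0001
0000-A-0001 CVE-0000-0002
0000-B-0007 CVE-0000-0003
0000-A-0009 CVE-0000-0004'

# Errata -> CVE, in the shape Satellite shows for an advisory:
# advisory id, affected package, CVE it fixes.
RHSA_TO_CVE='RHSA-0000:0001 kernel CVE-0000-0001
RHSA-0000:0001 kernel CVE-0000-0002
RHSA-0000:0005 openssl CVE-0000-0003'

# iava_to_rhsa IAVA: print "IAVA CVE RHSA PACKAGE" for each CVE of the IAVA
# that some advisory fixes, or "IAVA CVE - -" when no errata covers it yet.
iava_to_rhsa() {
    printf '%s\n' "$IAVA_TO_CVE" |
    awk -v want="$1" -v errata="$RHSA_TO_CVE" '
        BEGIN {
            n = split(errata, line, "\n")
            for (i = 1; i <= n; i++) {
                split(line[i], f, " ")
                fix[f[3]] = f[1] " " f[2]   # CVE -> "RHSA package"
            }
        }
        $1 == want {
            if ($2 in fix) print want, $2, fix[$2]
            else           print want, $2, "-", "-"
        }'
}

# count_unpatched IAVA: number of the IAVA's CVEs with no errata, i.e. what
# still has to be tracked by hand after the Satellite errata are applied.
count_unpatched() {
    iava_to_rhsa "$1" | awk '$3 == "-"' | wc -l | tr -d ' '
}

# Demo: which advisory (and package) closes each CVE of the first IAVA,
# and how many CVEs of another IAVA have no advisory at all.
iava_to_rhsa 0000-A-0001
echo "unpatched CVEs for 0000-A-0009: $(count_unpatched 0000-A-0009)"
```

On a real Satellite the second table would be exported from the errata view rather than typed in; the "- -" rows are the ones that keep an IAVA open even after every available advisory is applied.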
3. Kickstart, YUM & Puppet
“Applying”

[Diagram: toolchain overview: UNIX Security Checklist → IAVA / CVE → Red Hat (Kickstart, YUM, Puppet) → Reporting? (SRR, Oval, Satellite) → Satellite / Forge.mil]
Apply the Checklist

[Screenshot: no text extracted]
Tresys CLIP Puppet content

    class lnx00160 {
        ## (LNX00160: CAT II) (Previously ‐ L074) The SA will ensure the grub.conf
        ## file has permissions of 600, or more restrictive.
        # Quoted four-digit mode is what current Puppet requires; an unquoted
        # 600 was accepted by the Puppet releases CLIP targeted at the time.
        file { "/boot/grub/grub.conf":
            mode => "0600",
        }
    }
4. Satellite & Forge.mil
Custom software repositories

[Diagram: toolchain overview: UNIX Security Checklist → IAVA / CVE → Red Hat (Kickstart, Puppet) → Reporting? (SRR, Oval, Satellite) → Satellite / Forge.mil]
Assessment

[Screenshot: no text extracted]
Confirm ongoing compliance
• Oval seems to have a lot of potential
  – Evaluating Oval and how to integrate
• Evaluating using SRR scripts in a cron job
• Satellite does a pretty good job of reporting on CVEs
• Would ultimately want to have a way of just getting the interesting information for hundreds (thousands) of servers
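The Tresys CLIP class on slide 11 enforces LNX00160, and this slide proposes running SRR-style scripts from cron to confirm that such settings still hold. The script below is an added example, not from the slides and not CLIP or SRR code, that covers both: it is the checking side of the same item, written so cron can run it against / on a real host and so it can be pointed at any directory tree for testing. It assumes GNU coreutils (`stat -c '%a'`), as on RHEL; the "600 or more restrictive" wording is implemented literally, as a bit-subset test rather than an equality test.

```shell
#!/bin/sh
# Added example (not from the slides, nor Tresys CLIP or SRR code): the
# checking side of the LNX00160 Puppet class, written as a small SRR-style
# script that a cron job could run to confirm the setting still holds.
# Assumes GNU coreutils (stat -c '%a'), as on RHEL.

# mode_within MODE MAX: succeed when every permission bit set in MODE is also
# set in MAX, i.e. MODE is "MAX or more restrictive".  Both are octal strings
# as printed by stat (e.g. 644, 600, 4755).
mode_within() {
    m_have=$((0$1))
    m_max=$((0$2))
    [ $(( m_have & ~m_max )) -eq 0 ]
}

# check_file STIG_ID PATH MAX_MODE: print one PASS/FAIL line, return 0/1.
# A missing file is reported as FAIL rather than silently skipped.
check_file() {
    c_id=$1; c_path=$2; c_max=$3
    if [ ! -e "$c_path" ]; then
        printf 'FAIL %s %s (missing)\n' "$c_id" "$c_path"
        return 1
    fi
    c_actual=$(stat -c '%a' "$c_path")
    if mode_within "$c_actual" "$c_max"; then
        printf 'PASS %s %s mode=%s max=%s\n' "$c_id" "$c_path" "$c_actual" "$c_max"
    else
        printf 'FAIL %s %s mode=%s max=%s\n' "$c_id" "$c_path" "$c_actual" "$c_max"
        return 1
    fi
}

# run_checks ROOT: run the checklist against files under ROOT (/ on a real
# host, a scratch directory in the demo).  Returns the number of failures, so
# cron's non-zero-exit mail becomes the report.  One item per line: STIG id,
# path, maximum mode.  LNX00160 is the item from slide 11; further items are
# added as further lines.
run_checks() {
    r_root=${1%/}; r_fail=0
    while read -r r_id r_path r_max; do
        check_file "$r_id" "$r_root$r_path" "$r_max" || r_fail=$((r_fail + 1))
    done <<EOF
LNX00160 /boot/grub/grub.conf 600
EOF
    return $r_fail
}

# Demo against a constructed directory tree, so it runs on any machine
# without touching the real /boot.
demo() {
    d_tmp=$(mktemp -d)
    mkdir -p "$d_tmp/boot/grub"
    : > "$d_tmp/boot/grub/grub.conf"
    chmod 644 "$d_tmp/boot/grub/grub.conf"   # world-readable: expect FAIL
    run_checks "$d_tmp" || echo "failures: $?"
    chmod 600 "$d_tmp/boot/grub/grub.conf"   # as the Puppet class sets it: PASS
    run_checks "$d_tmp" && echo "all checks passed"
    rm -rf "$d_tmp"
}
demo
```

Run from cron as `run_checks /`; because the exit status is the failure count, the usual "mail on non-zero exit" behaviour is enough to surface drift, and the PASS/FAIL lines give the STIG id to search for in the checklist.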
5. Reporting
Confirm compliance through the life of the server

[Diagram: toolchain overview: UNIX Security Checklist → IAVA / CVE → Red Hat (Kickstart, YUM, Puppet) → Reporting? (SRR, Oval, Satellite) → Satellite / Forge.mil]
Maintain

[Screenshot: no text extracted]
Automating provisioning & maintenance is an evolutionary process…
• Long messy kickstart file but a good source of information
• Need to finish a “baseline” and modify build process accordingly
• Need to move the vast majority of the kickstart content to puppet server
• Disclaimers out of the way…
What it does today
• It does build a consistent server from scratch (you can reverse engineer the entire build process and know every configuration change made)
• This is not an image
• It utilizes controlled software repositories in Satellite so that you can have a release process.
• It does set up the ability to manage compliance over the life cycle of the server
• It has backups, centralized audit and log server functionality
Use Forge.mil to collaborate
• https://software.forge.mil/sf/go/wiki3316 SPAWAR Linux Management Wiki
• This brief is located there
• Some instructions on how to use what is available today are there.
• Contacts are being added so you know who to consult with about different pieces, like Red Hat Satellite Server
Forge.mil / Satellite

[Screenshot: no text extracted]
Summary
• Build a reproducible RHEL server, bare metal or virtual.
• Build process results in something very close to a STIG compliant (IA will say it’s compliant) RHEL server
• The beginnings of a server life cycle that maintains & confirms compliance
• Currently functioning at a single project level in an R&D environment
References
• https://software.forge.mil/sf/go/wiki3316 SPAWAR Linux Management Wiki
• spawar‐dodbastile@software.Forge.mil SPAWAR Linux Management Discussion email
• https://software.forge.mil/sf/discussion/do/listTopics/projects.dodbastile/discussion.spawar_linux_managment SPAWAR Linux Management Discussion page
• https://software.forge.mil/sf/docman/do/listDocuments/projects.dodbastile/docman.root.spawarlinuxmanagement SPAWAR Linux Management Documents
• https://software.forge.mil/sf/docman/do/downloadDocument/projects.dodbastile/docman.root.spawarlinuxmanagement/doc7520 SPAWAR Linux Management (this brief)
