SlideShare a Scribd company logo
1 of 77
Download to read offline
Compliance and auditing with Puppet@petersouter
Peter Souter
Senior Professional Services Engineer | Puppet
@petersouter
Compliance and auditing
with Puppet
Compliance and auditing with Puppet@petersouter
2
Who
am I?
@petersouter
Senior Professional
Services Engineer
5 years using Puppet
2 years @ Puppet Inc
Help customers deploy
Puppet
Teach Puppet classes
Contribute to the
community and
open-source
petems
IRC/Slack/GitHub
Compliance and auditing with Puppet@petersouter
Warning: I speak quickly
And I have a different accent...
3
Compliance and auditing with Puppet@petersouter
Warning: I am not a lawyer or auditor
Always go speak to one of them before implementing
some of the stuff I’m talking about!
4
Compliance and auditing with Puppet@petersouter
So, why are we here?
(This room specifically, listening to this talk...)
5
Compliance and auditing with Puppet@petersouter
Show of hands in the room
Who has to deal with IT compliance or auditing in their
current role?
6
Compliance and auditing with Puppet@petersouter
What does it mean?
So what is compliance?
7
Compliance and auditing with Puppet@petersouter
“Many organisations in the public sector and the regulated
industries, such as utilities and legal or financial services,
have to demonstrate an information security policy that
proves they have a range of steps and measures in
place...If these policies are not adhered to, the
regulators reserve the right to prosecute”
- http://www.computerweekly.com/feature/Information-security-The-route-to-compliance
8
Compliance and auditing with Puppet@petersouter
Compliance is not security!
Sidebar: Important distinction
9
Compliance and auditing with Puppet@petersouter
It’s the ops equivalent of planning permission, zoning laws,
building guidelines etc.
“Compliance is the discipline of
verification at scale”
10
Compliance and auditing with Puppet@petersouter
How could you ever check every single one of them, and
what should you be prioritising?
Think about how many files, scripts,
artifacts and services make up your estate
11
Compliance and auditing with Puppet@petersouter
● Who’s responsible?
● Who runs the scans?
● Who fixes things when they go wrong?
This means compliance straddles an
awkward organisational line
12
Compliance and auditing with Puppet@petersouter
Regardless: Someone has told you you
need to follow the rules
Either for best practise or legal reasons...
13
Compliance and auditing with Puppet@petersouter
Alphabet Soup
Control Objectives for Information and related Technology (COBIT)
Defense Information Systems Agency (DISA) STIGs
Federal Information Security Management Act (FISMA)
Federal Desktop Core Configuration (FDCC)
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
ISO 27002/17799 Security Standards
Information Technology Information Library (ITIL)
National Institute of Standards (NIST) configuration guidelines
National Security Agency (NSA) configuration guidelines
Payment Card Industry Data Security Standards (PCI DSS)
Sarbanes-Oxley (SOX)
Site Data Protection (SDP)
United States Government Configuration Baseline (USGCB)
California’s Security Breach Notification Act - SB 1386
14
Compliance and auditing with Puppet@petersouter
You might have your own hardening policies
Removing non-essential users etc.
15
Compliance and auditing with Puppet@petersouter
16
● Founded in October, 2000
● It is composed of roughly 180
members from 17 different countries.
● Wide range of entities, including
academia and the government
● Kind of a non-government fork of the
STIG standards
“Enhance the cyber security readiness and response of public and private sector entities, with a
commitment to excellence through collaboration”
Center for Internet Security (CIS)
Compliance and auditing with Puppet@petersouter
17
CIS standard exist for a lot of applications and tools:
Amazon Linux, Amazon Web Services
Apache Tomcat, Apache HTTP Server Assessment Tool
Apple iOS, Apple OSX, Apple Safari, Benchmark Mappings: Medical Device Security Standards
CentOS Linux, CheckPoint Firewall, Cisco Device
Debian Linux, Distribution Independent Linux, Docker, FreeBSD, FreeRadius, Google Android,
Google Chrome, HP-UX, IBM AIX, IBM DB2, IBM DB2 Benchmark Archive
ISC BIND, Juniper Device, Kerberos, LDAP, Microsoft Exchange Server, Microsoft IIS, Microsoft
Internet Explorer, Microsoft MS SQL Server, Microsoft Office, Microsoft SharePoint Server,
Microsoft Windows 10, Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows NT,
Microsoft Windows Server 2000, Microsoft Windows Server 2003, Microsoft Windows Server
2008, Microsoft Windows Server 2012, Microsoft Windows XP, Mozilla Firefox, MySQL
Novell Netware, Opera, Oracle Database Server, Oracle Database Server Assessment Tool
Oracle Linux, Oracle Solaris, Red Hat Linux, Slackware Linux, SuSE Linux, Sybase ASE, Ubuntu
VMware, Wireless Network Devices, Xen
Compliance and auditing with Puppet@petersouter
A lot of the time, you have to dig through a lot of
legalese to get to an engineerable problem
18
And whether your engineering solution actually succeeds
in it’s goal is entirely up to the discretion of your auditor
Compliance and auditing with Puppet@petersouter
An example: HIPAA
Health Insurance Portability and Accountability Act of 1996
19
Compliance and auditing with Puppet@petersouter
The HIPAA Security Rule establishes national standards to
protect individuals’ electronic personal health information
that is created, received, used, or maintained by a covered
entity. The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure
the confidentiality, integrity, and security of electronic
protected health information.
The Security Rule is located at 45 CFR Part 160 and
Subparts A and C of Part 164.
- https://www.hhs.gov/hipaa/for-professionals/security/index.html
20
Compliance and auditing with Puppet@petersouter
Ok, let's go digging
Let's look for 45 CFR Part 160 and Subparts A and C of 164
21
Compliance and auditing with Puppet@petersouter
PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS
Contents
Subpart A—General Provisions
§160.101 Statutory basis and purpose.
§160.102 Applicability.
§160.103 Definitions.
§160.104 Modifications.
§160.105 Compliance dates for implementation of new or modified standards and implementation
specifications.
Subpart B—Preemption of State Law
§160.201 Statutory basis.
§160.202 Definitions.
§160.203 General rule and exceptions.
§160.204 Process for requesting exception determinations.
§160.205 Duration of effectiveness of exception determinations.
Subpart C—Compliance and Investigations
§160.300 Applicability.
§160.302 [Reserved]
§160.304 Principles for achieving compliance.
§160.306 Complaints to the Secretary.
§160.308 Compliance reviews.
§160.310 Responsibilities of covered entities and business associates.
§160.312 Secretarial action regarding complaints and compliance reviews.
§160.314 Investigational subpoenas and inquiries.
§160.316 Refraining from intimidation or retaliation.
Subpart D—Imposition of Civil Money Penalties
§160.400 Applicability.
§160.401 Definitions.
§160.402 Basis for a civil money penalty.
§160.404 Amount of a civil money penalty.
§160.406 Violations of an identical requirement or prohibition.
§160.408 Factors considered in determining the amount of a civil money penalty.
§160.410 Affirmative defenses.
§160.412 Waiver.
§160.414 Limitations.
§160.416 Authority to settle.
§160.418 Penalty not exclusive.
§160.420 Notice of proposed determination.
§160.422 Failure to request a hearing.
§160.424 Collection of penalty.
§160.426 Notification of the public and other agencies.
Subpart E—Procedures for Hearings
45 CFR Part 164, Subpart C - Security
Standards for the Protection of Electronic
Protected Health Information
§ 164.302 — Applicability.
§ 164.304 — Definitions.
§ 164.306 — Security standards: General
rules.
§ 164.308 — Administrative safeguards.
§ 164.310 — Physical safeguards.
§ 164.312 — Technical safeguards.
§ 164.314 — Organizational requirements.
§ 164.316 — Policies and procedures and
documentation requirements.
§ 164.318 — Compliance dates for the initial
implementation of the security standards.
22
Compliance and auditing with Puppet@petersouter
PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS
Contents
Subpart A—General Provisions
§160.101 Statutory basis and purpose.
§160.102 Applicability.
§160.103 Definitions.
§160.104 Modifications.
§160.105 Compliance dates for implementation of new or modified standards and implementation
specifications.
Subpart B—Preemption of State Law
§160.201 Statutory basis.
§160.202 Definitions.
§160.203 General rule and exceptions.
§160.204 Process for requesting exception determinations.
§160.205 Duration of effectiveness of exception determinations.
Subpart C—Compliance and Investigations
§160.300 Applicability.
§160.302 [Reserved]
§160.304 Principles for achieving compliance.
§160.306 Complaints to the Secretary.
§160.308 Compliance reviews.
§160.310 Responsibilities of covered entities and business associates.
§160.312 Secretarial action regarding complaints and compliance reviews.
§160.314 Investigational subpoenas and inquiries.
§160.316 Refraining from intimidation or retaliation.
Subpart D—Imposition of Civil Money Penalties
§160.400 Applicability.
§160.401 Definitions.
§160.402 Basis for a civil money penalty.
§160.404 Amount of a civil money penalty.
§160.406 Violations of an identical requirement or prohibition.
§160.408 Factors considered in determining the amount of a civil money penalty.
§160.410 Affirmative defenses.
§160.412 Waiver.
§160.414 Limitations.
§160.416 Authority to settle.
§160.418 Penalty not exclusive.
§160.420 Notice of proposed determination.
§160.422 Failure to request a hearing.
§160.424 Collection of penalty.
§160.426 Notification of the public and other agencies.
Subpart E—Procedures for Hearings
45 CFR Part 164, Subpart C - Security
Standards for the Protection of Electronic
Protected Health Information
§ 164.302 — Applicability.
§ 164.304 — Definitions.
§ 164.306 — Security standards: General
rules.
§ 164.308 — Administrative safeguards.
§ 164.310 — Physical safeguards.
§ 164.312 — Technical safeguards.
§ 164.314 — Organizational requirements.
§ 164.316 — Policies and procedures and
documentation requirements.
§ 164.318 — Compliance dates for the initial
implementation of the security standards.
23
Compliance and auditing with Puppet@petersouter
Technical Safeguards!
Finally we’re getting somewhere...
24
Compliance and auditing with Puppet@petersouter
§ 164.312 Technical safeguards.
A covered entity or business associate must, in accordance with § 164.306:
(a)
(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain
electronic protected health information to allow access only to those persons or software programs that have been granted access
rights as specified in § 164.308(a)(4).
(2) Implementation specifications:
(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary
electronic protected health information during an emergency.
(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a
predetermined time of inactivity.
(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health
information.
(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in
information systems that contain or use electronic protected health information.
25
Compliance and auditing with Puppet@petersouter
The pain of compliance will be directly correlated
to the relationship with your auditors
Ultimately, they are the ones that you need to prove that
you are in compliance too
26
Compliance and auditing with Puppet@petersouter
● Emails
● PDFs
● Dead trees
● Humans
27
Unfortunately, this is often a manual process
Compliance and auditing with Puppet@petersouter
There’s got to be a better way!
If only there was something better...
28
Compliance and auditing with Puppet@petersouter
A series of rules for systems that need to
be enforced and reported on
What is IT compliance?
29
Compliance and auditing with Puppet@petersouter
A series of rules for systems that need to
be enforced and reported on
What is Puppet?
30
Compliance and auditing with Puppet@petersouter
Great, let's use Puppet!
31
But...what’s so great about using Puppet to enforce these
standards?
Compliance and auditing with Puppet@petersouter
Reduce cost and time per release
32
Pre-existing code for known standards often available
Compliance and auditing with Puppet@petersouter
Potential for sharing and reuse
33
Share within your company or with the public
Compliance and auditing with Puppet@petersouter
Single Source of Truth
34
Your infrastructure as code repository becomes your one
place to look for compliance code
Compliance and auditing with Puppet@petersouter
Less arguments about semantics
35
Agreed upon Puppet DSL means closer collaboration
between policymakers and practitioners
Compliance and auditing with Puppet@petersouter
Make time for the things that can’t be automated
36
Not everything can be automated, like physical safeguards
Compliance and auditing with Puppet@petersouter
Let’s pick a really basic example
How does this look like in action?
37
Compliance and auditing with Puppet@petersouter
38
- https://benchmarks.cisecurity.org/tools2/linux/CIS_CentOS_Linux_7_Benchmark_v1.1.0.pdf
Compliance and auditing with Puppet@petersouter
1.2.3 Verify that gpgcheck is Globally Activated
- Profile Applicability: Level 1
- Description: The gpgcheck option, found in the main section of the /etc/yum.conf file
determines if an RPM package's signature is always checked prior to its installation.
- Rationale: It is important to ensure that an RPM's package signature is always checked
prior to installation to ensure that the software is obtained from a trusted source.
- Audit: Run the following command to verify that gpgcheck is set to 1 in all occurrences
of the /etc/yum.conf file:
$ grep gpgcheck /etc/yum.conf gpgcheck=1
- Remediation: Edit the /etc/yum.conf file and set the gpgcheck to 1 as follows:
gpgcheck=1
An example from CIS CentOS 7 Standards
39
Compliance and auditing with Puppet@petersouter
Reflected in Puppet
# 1.2.3 - Verify that gpgcheck is globally Activated (Scored)
file { '/etc/yum.conf':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
}
file_line { '(1.2.3) /etc/yum.conf contains gpgcheck=1':
ensure => present,
path => '/etc/yum.conf',
line => 'gpgcheck=1',
}
40
Compliance and auditing with Puppet@petersouter
Dedicated modules for compliance?
Use existing code and enforce standards?
Dry run modes when silo’d or change frozen?
A few different design approaches
available here...
41
Compliance and auditing with Puppet@petersouter
Dedicated modules for compliance
42
class cis_rhel7::rule::rule_1_2_3 {
# includes Rules:
# 1.2.3 - Verify that gpgcheck is Globally Activated (Scored)
file { '/etc/yum.conf':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
}
file_line { '(1.2.3) /etc/yum.conf contains gpgcheck=1':
ensure => present,
path => '/etc/yum.conf',
line => 'gpgcheck=1',
}
} #EOF
https://forge.puppet.com/perfecto25/cis_rhel7
Compliance and auditing with Puppet@petersouter
Use existing module and enforce standards
43
class { 'yum':
gpgcheck => true,
}
Compliance and auditing with Puppet@petersouter
Personally, I think you should use existing modules
44
However: dedicated compliance modules can work if
compliance is the primary use case or you have silo’d
teams
Compliance and auditing with Puppet@petersouter
baseline_compliance
45
- https://forge.puppet.com/ccaum/baseline_compliance
Compliance and auditing with Puppet@petersouter
Baseline compliance example
46
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Notice: Compiled catalog for master.vm in environment production in 8.78 seconds
Notice: Compiled catalog for master.vm in environment baseline in 0.03 seconds
Info: Adding baseline Notify[message] resource to catalog
Warning: Resource File[/tmp/example]'s parameter 'group' value of 'pe-puppet' is overwriting baseline value of
'0'
Info: Adding baseline parameter 'mode' with value '0755' to resource File[/tmp/example]
Info: Caching catalog for master.vm
Info: Applying configuration version '1468390945'
Compliance and auditing with Puppet@petersouter
There’s a lot of prior art for this work
Remember when we talked about
sharing and reuse?
47
Compliance and auditing with Puppet@petersouter
DEV-SEC.IO
48
Compliance and auditing with Puppet@petersouter
SIMP - System Integrity Management Platform
49
- https://simp-project.com/
Compliance and auditing with Puppet@petersouter
SIMP - Compliance Mapper
50
- https://github.com/simp/pupmod-simp-compliance_markup
Compliance and auditing with Puppet@petersouter
Puppet Forge and Github
Check the community hubs
51
Compliance and auditing with Puppet@petersouter
52
Compliance and auditing with Puppet@petersouter
However there are two parts to IT compliance
53
1. Enforcement
2. Reporting
Compliance and auditing with Puppet@petersouter
Custom facts can be used to show compliance
54
They’re generally better at the enforcing bit
Compliance and auditing with Puppet@petersouter
Custom facts for compliance checking
55
Facter.add(:cis) do
confine :osfamily => "RedHat"
confine :operatingsystemmajrelease => '7'
cishash = {}
setcode do
returnval = Facter::Core::Execution.exec('egrep
'^[[:space:]]*[^#]*[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1' /etc/yum.conf')
if returnval.include? 'gpgcheck'
cishash['1.2.3'] = true
else
cishash['1.2.3'] = false
end
cishash
end
end
Compliance and auditing with Puppet@petersouter
There’s normally an approval process or tool to
get something signed off as a scanner for a
particular standard
56
eg. PCI, there are ASV (Approved Scanning Vendors)
Compliance and auditing with Puppet@petersouter
There’s a bunch of scanning tools out there
57
Nessus, QualysGuard, Nexpose etc
Compliance and auditing with Puppet@petersouter
You want to ensure correctness is part of your
processes
58
You want multiple levels of checking
Compliance and auditing with Puppet@petersouter
● SCAP is U.S. standard maintained
by National Institute of Standards
and Technology (NIST)
● The OpenSCAP project is a
collection of open source tools for
implementing and enforcing the
standard
● Lots of existing profiles for various
OS’s and compliance standards (PCI
DSS, FISMA)
● Existing integrations with various
tools and projects
OpenSCAP
59
Compliance and auditing with Puppet@petersouter
oscap
60
$ yum install openscap-utils scap-security-guide -y
$ oscap xccdf eval --profile common --report 
/vagrant/report.html --results /vagrant/results.xml 
--cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml 
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Compliance and auditing with Puppet@petersouter
61
Compliance and auditing with Puppet@petersouter
Lets see it in action
62
And hope the live demo fairies are nice!
Compliance and auditing with Puppet@petersouter
SCAP Workbench
- https://www.open-scap.org/resources/documentation/make-a-rhel7-server-compliant-with-pci-dss/
63
Compliance and auditing with Puppet@petersouter
Foreman/Satellite Integration
- https://www.theforeman.org/plugins/foreman_openscap/0.6/
64
Compliance and auditing with Puppet@petersouter
● Hashicorp tool
● Image management
● Provisioners for config management
tools and shell scripts
● Some compliance steps can be hard
to change on a running system
● Werner Buck had a great talk about
compliance standards with Packer:
http://wernerb.github.io/hashiconf-har
dening/
Bake your compliance steps into your base images
Packer
65
Compliance and auditing with Puppet@petersouter
Domain Specific Languages to test system correctness
System Testing DSL’s
66
Compliance and auditing with Puppet@petersouter
Serverspec
67
Compliance and auditing with Puppet@petersouter
Serverspec
describe 'cis_level_1' do
describe file('/etc/yum.conf') do
it { should be_file }
its(:content) { should match /*gpgcheck=1/ }
it { should be_file }
it { should be_mode 644 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
end
end
68
Compliance and auditing with Puppet@petersouter
● goss - https://github.com/aelsabbahy/goss - Inspired by serverspec,
but written in golang
● infrataster - http://infrataster.net/ - Has specific methods and
keywords for http, mysql etc
● testinfra - https://github.com/philpep/testinfra - Python version of
serverspec
● gauntlt - http://gauntlt.org/ - BDD wrappers around common security
tools (nmap, sslyze etc)
● bddsecurity - http://bbdsecurity.com - Similar BDD focussed security
tool
A number of similar and inspired projects
69
Compliance and auditing with Puppet@petersouter
Summary
70
What have we learnt?
Compliance and auditing with Puppet@petersouter
Compliance is enforcement of standards
71
It’s not security, it’s standards for scaling security
Compliance and auditing with Puppet@petersouter
Compliance responsibility can be tricky
72
Try to bring into teams if possible, move security left!
Compliance and auditing with Puppet@petersouter
Puppet is a great fit for compliance
73
It fits the model of enforcing rules in a defined way
Compliance and auditing with Puppet@petersouter
There’s lots of pre-existing work
74
“Stand on the shoulders of giants”
Compliance and auditing with Puppet@petersouter
Enforcement is just one part of the puzzle
75
Reporting is the other half
Compliance and auditing with Puppet@petersouter
Want to know more?
76
● A Year in Open Source Automated Compliance With Puppet – Trevor Vaughan at
PuppetConf 2016
https://www.youtube.com/watch?v=a270uDh8muE
● Compliance Is Not Security. Compliance Scales Security.
https://medium.com/compliance-at-velocity/compliance-is-not-security-compliance-scal
es-security-50846e7a47c2#.k63bpravl
● Prove it! The Last Mile for DevOps in Regulated Organizations - DOES15 - Bill
Shinn
https://www.youtube.com/watch?v=gg8gGisl4zM
● The Technical Practises of Integrating Information Security, Change Management
and Compliance
Kim, Gene. 2016. The Devops Handbook: How to Create World-Class Agility,
Reliability, and Security in Technology Organizations. Portland: IT Revolution Press
Compliance and auditing with Puppet@petersouter
Q&A
77

More Related Content

What's hot

香港六合彩-六合彩
香港六合彩-六合彩香港六合彩-六合彩
香港六合彩-六合彩vlymfb
 
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security SolutionsBad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security SolutionsVincent Tan
 
2016-08-29 AFITC Security Automation
2016-08-29 AFITC Security Automation2016-08-29 AFITC Security Automation
2016-08-29 AFITC Security AutomationShawn Wells
 
Introduction to Devops (Melbourne University)
Introduction to Devops (Melbourne University)Introduction to Devops (Melbourne University)
Introduction to Devops (Melbourne University)Javier Turégano Molina
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Kuniyasu Suzaki
 
[AsiaCCS2019] A Pilot Study on Consumer IoT Device Vulnerability Disclosure a...
[AsiaCCS2019] A Pilot Study on Consumer IoT Device Vulnerability Disclosure a...[AsiaCCS2019] A Pilot Study on Consumer IoT Device Vulnerability Disclosure a...
[AsiaCCS2019] A Pilot Study on Consumer IoT Device Vulnerability Disclosure a...Asuka Nakajima
 
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Honeywell
 
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made EasyShawn Wells
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsHoneywell
 
Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionRiscure
 
TDC2017 - Embedded Linux - Deploy Software Update for Linux Devices
TDC2017 - Embedded Linux - Deploy Software Update for Linux DevicesTDC2017 - Embedded Linux - Deploy Software Update for Linux Devices
TDC2017 - Embedded Linux - Deploy Software Update for Linux DevicesCaio Pereira
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Slides from IPv6 Threats
Slides from IPv6 ThreatsSlides from IPv6 Threats
Slides from IPv6 ThreatsCyren, Inc
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyAccenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyHoneywell
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys
 
" Breaking Extreme Networks WingOS: How to own millions of devices running on...
" Breaking Extreme Networks WingOS: How to own millions of devices running on..." Breaking Extreme Networks WingOS: How to own millions of devices running on...
" Breaking Extreme Networks WingOS: How to own millions of devices running on...PROIDEA
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
"Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald...
"Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald..."Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald...
"Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald...PROIDEA
 

What's hot (20)

Fortify dev ops (002)
Fortify   dev ops (002)Fortify   dev ops (002)
Fortify dev ops (002)
 
香港六合彩-六合彩
香港六合彩-六合彩香港六合彩-六合彩
香港六合彩-六合彩
 
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security SolutionsBad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
Bad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions
 
2016-08-29 AFITC Security Automation
2016-08-29 AFITC Security Automation2016-08-29 AFITC Security Automation
2016-08-29 AFITC Security Automation
 
Introduction to Devops (Melbourne University)
Introduction to Devops (Melbourne University)Introduction to Devops (Melbourne University)
Introduction to Devops (Melbourne University)
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
 
[AsiaCCS2019] A Pilot Study on Consumer IoT Device Vulnerability Disclosure a...
[AsiaCCS2019] A Pilot Study on Consumer IoT Device Vulnerability Disclosure a...[AsiaCCS2019] A Pilot Study on Consumer IoT Device Vulnerability Disclosure a...
[AsiaCCS2019] A Pilot Study on Consumer IoT Device Vulnerability Disclosure a...
 
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
 
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
2015-06-25 Red Hat Summit 2015 - Security Compliance Made Easy
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
 
Bypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault InjectionBypassing Secure Boot using Fault Injection
Bypassing Secure Boot using Fault Injection
 
TDC2017 - Embedded Linux - Deploy Software Update for Linux Devices
TDC2017 - Embedded Linux - Deploy Software Update for Linux DevicesTDC2017 - Embedded Linux - Deploy Software Update for Linux Devices
TDC2017 - Embedded Linux - Deploy Software Update for Linux Devices
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Slides from IPv6 Threats
Slides from IPv6 ThreatsSlides from IPv6 Threats
Slides from IPv6 Threats
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyAccenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
 
" Breaking Extreme Networks WingOS: How to own millions of devices running on...
" Breaking Extreme Networks WingOS: How to own millions of devices running on..." Breaking Extreme Networks WingOS: How to own millions of devices running on...
" Breaking Extreme Networks WingOS: How to own millions of devices running on...
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
"Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald...
"Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald..."Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald...
"Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald...
 

Similar to Compliance and auditing with Puppet

Endpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesEndpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesDavid Shepherd
 
DOES15 - Bill Shinn - Prove it! The Last Mile for DevOps in Regulated Organiz...
DOES15 - Bill Shinn - Prove it! The Last Mile for DevOps in Regulated Organiz...DOES15 - Bill Shinn - Prove it! The Last Mile for DevOps in Regulated Organiz...
DOES15 - Bill Shinn - Prove it! The Last Mile for DevOps in Regulated Organiz...Gene Kim
 
Elexes medical consulting webinar- 510(k) Submissions
Elexes medical consulting webinar- 510(k) SubmissionsElexes medical consulting webinar- 510(k) Submissions
Elexes medical consulting webinar- 510(k) SubmissionsJenniferGantt
 
Cube mgmt-15-mt-book
Cube mgmt-15-mt-bookCube mgmt-15-mt-book
Cube mgmt-15-mt-bookicns01
 
Getting started
Getting startedGetting started
Getting startedrovan21
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...John Gilligan
 
20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)Peter GEELEN ✔
 
Requirements - Overweight or Anorexia?
Requirements - Overweight or Anorexia?Requirements - Overweight or Anorexia?
Requirements - Overweight or Anorexia?Mike Eckersley
 
Understanding firewall-policies-their-effectiveness-in-defending-against-netw...
Understanding firewall-policies-their-effectiveness-in-defending-against-netw...Understanding firewall-policies-their-effectiveness-in-defending-against-netw...
Understanding firewall-policies-their-effectiveness-in-defending-against-netw...ManageEngine, Zoho Corporation
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceRobert E Jones
 
Information Security in the eDiscovery Process
Information Security in the eDiscovery ProcessInformation Security in the eDiscovery Process
Information Security in the eDiscovery ProcessDaegis
 
Dev confus.2020 compliance operator
Dev confus.2020 compliance operatorDev confus.2020 compliance operator
Dev confus.2020 compliance operatorjaormx
 
Corporate Public Investigations
Corporate Public InvestigationsCorporate Public Investigations
Corporate Public InvestigationsCTIN
 
Solution to Help Companies Patent their Inventions, License Technologies, and...
Solution to Help Companies Patent their Inventions, License Technologies, and...Solution to Help Companies Patent their Inventions, License Technologies, and...
Solution to Help Companies Patent their Inventions, License Technologies, and...Dr. Haxel Consult
 
Chef: Compliance @ Velocity
Chef: Compliance @ VelocityChef: Compliance @ Velocity
Chef: Compliance @ VelocityChef
 
Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018
Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018
Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018Amazon Web Services
 
Team Ruby Final Presentation Slides R7
Team Ruby Final Presentation Slides R7Team Ruby Final Presentation Slides R7
Team Ruby Final Presentation Slides R7Kevin Jones
 

Similar to Compliance and auditing with Puppet (20)

Endpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesEndpoint Security for Mobile Devices
Endpoint Security for Mobile Devices
 
DOES15 - Bill Shinn - Prove it! The Last Mile for DevOps in Regulated Organiz...
DOES15 - Bill Shinn - Prove it! The Last Mile for DevOps in Regulated Organiz...DOES15 - Bill Shinn - Prove it! The Last Mile for DevOps in Regulated Organiz...
DOES15 - Bill Shinn - Prove it! The Last Mile for DevOps in Regulated Organiz...
 
Elexes medical consulting webinar- 510(k) Submissions
Elexes medical consulting webinar- 510(k) SubmissionsElexes medical consulting webinar- 510(k) Submissions
Elexes medical consulting webinar- 510(k) Submissions
 
Cube mgmt-15-mt-book
Cube mgmt-15-mt-bookCube mgmt-15-mt-book
Cube mgmt-15-mt-book
 
CompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and TricksCompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and Tricks
 
IPC-7095C(L).pdf
IPC-7095C(L).pdfIPC-7095C(L).pdf
IPC-7095C(L).pdf
 
Getting started
Getting startedGetting started
Getting started
 
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
Leveraging Purchase Power and Standards to Improve Security in the IT Supply ...
 
20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)20201014 iso27001 iso27701 nist v2 (extended version)
20201014 iso27001 iso27701 nist v2 (extended version)
 
Requirements - Overweight or Anorexia?
Requirements - Overweight or Anorexia?Requirements - Overweight or Anorexia?
Requirements - Overweight or Anorexia?
 
Understanding firewall-policies-their-effectiveness-in-defending-against-netw...
Understanding firewall-policies-their-effectiveness-in-defending-against-netw...Understanding firewall-policies-their-effectiveness-in-defending-against-netw...
Understanding firewall-policies-their-effectiveness-in-defending-against-netw...
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity Compliance
 
Information Security in the eDiscovery Process
Information Security in the eDiscovery ProcessInformation Security in the eDiscovery Process
Information Security in the eDiscovery Process
 
Dev confus.2020 compliance operator
Dev confus.2020 compliance operatorDev confus.2020 compliance operator
Dev confus.2020 compliance operator
 
Corporate Public Investigations
Corporate Public InvestigationsCorporate Public Investigations
Corporate Public Investigations
 
Solution to Help Companies Patent their Inventions, License Technologies, and...
Solution to Help Companies Patent their Inventions, License Technologies, and...Solution to Help Companies Patent their Inventions, License Technologies, and...
Solution to Help Companies Patent their Inventions, License Technologies, and...
 
Chef: Compliance @ Velocity
Chef: Compliance @ VelocityChef: Compliance @ Velocity
Chef: Compliance @ Velocity
 
Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018
Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018
Architecting for Healthcare Compliance on AWS (HLC301-i) - AWS re:Invent 2018
 
comptia_objectives
comptia_objectivescomptia_objectives
comptia_objectives
 
Team Ruby Final Presentation Slides R7
Team Ruby Final Presentation Slides R7Team Ruby Final Presentation Slides R7
Team Ruby Final Presentation Slides R7
 

More from Peter Souter

Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020Peter Souter
 
I don't know what I'm Doing: A newbie guide for Golang for DevOps
I don't know what I'm Doing: A newbie guide for Golang for DevOpsI don't know what I'm Doing: A newbie guide for Golang for DevOps
I don't know what I'm Doing: A newbie guide for Golang for DevOpsPeter Souter
 
Consul Connect - EPAM SEC - 22nd september 2018
Consul Connect - EPAM SEC - 22nd september 2018Consul Connect - EPAM SEC - 22nd september 2018
Consul Connect - EPAM SEC - 22nd september 2018Peter Souter
 
Monitoring a Vault and Consul cluster - 24th May 2018
Monitoring a Vault and Consul cluster - 24th May 2018Monitoring a Vault and Consul cluster - 24th May 2018
Monitoring a Vault and Consul cluster - 24th May 2018Peter Souter
 
Maintaining Layer 8
Maintaining Layer 8Maintaining Layer 8
Maintaining Layer 8Peter Souter
 
Knee deep in the undef - Tales from refactoring old Puppet codebases
Knee deep in the undef  - Tales from refactoring old Puppet codebasesKnee deep in the undef  - Tales from refactoring old Puppet codebases
Knee deep in the undef - Tales from refactoring old Puppet codebasesPeter Souter
 
Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Peter Souter
 
Puppet module anti patterns
Puppet module anti patternsPuppet module anti patterns
Puppet module anti patternsPeter Souter
 
Little Puppet Tools To Make Your Life Better
Little Puppet Tools To Make Your Life BetterLittle Puppet Tools To Make Your Life Better
Little Puppet Tools To Make Your Life BetterPeter Souter
 
Testing servers like software
Testing servers like softwareTesting servers like software
Testing servers like softwarePeter Souter
 

More from Peter Souter (11)

Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020Head in the Clouds: Testing Infra as Code - Config Management 2020
Head in the Clouds: Testing Infra as Code - Config Management 2020
 
I don't know what I'm Doing: A newbie guide for Golang for DevOps
I don't know what I'm Doing: A newbie guide for Golang for DevOpsI don't know what I'm Doing: A newbie guide for Golang for DevOps
I don't know what I'm Doing: A newbie guide for Golang for DevOps
 
Consul Connect - EPAM SEC - 22nd september 2018
Consul Connect - EPAM SEC - 22nd september 2018Consul Connect - EPAM SEC - 22nd september 2018
Consul Connect - EPAM SEC - 22nd september 2018
 
Monitoring a Vault and Consul cluster - 24th May 2018
Monitoring a Vault and Consul cluster - 24th May 2018Monitoring a Vault and Consul cluster - 24th May 2018
Monitoring a Vault and Consul cluster - 24th May 2018
 
Maintaining Layer 8
Maintaining Layer 8Maintaining Layer 8
Maintaining Layer 8
 
Knee deep in the undef - Tales from refactoring old Puppet codebases
Knee deep in the undef  - Tales from refactoring old Puppet codebasesKnee deep in the undef  - Tales from refactoring old Puppet codebases
Knee deep in the undef - Tales from refactoring old Puppet codebases
 
Lock it down
Lock it downLock it down
Lock it down
 
Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...
 
Puppet module anti patterns
Puppet module anti patternsPuppet module anti patterns
Puppet module anti patterns
 
Little Puppet Tools To Make Your Life Better
Little Puppet Tools To Make Your Life BetterLittle Puppet Tools To Make Your Life Better
Little Puppet Tools To Make Your Life Better
 
Testing servers like software
Testing servers like softwareTesting servers like software
Testing servers like software
 

Recently uploaded

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 

Recently uploaded (20)

Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 

Compliance and auditing with Puppet

  • 1. Compliance and auditing with Puppet@petersouter Peter Souter Senior Professional Services Engineer | Puppet @petersouter Compliance and auditing with Puppet
  • 2. Compliance and auditing with Puppet@petersouter 2 Who am I? @petersouter Senior Professional Services Engineer 5 years using Puppet 2 years @ Puppet Inc Help customers deploy Puppet Teach Puppet classes Contribute to the community and open-source petems IRC/Slack/GitHub
  • 3. Compliance and auditing with Puppet@petersouter Warning: I speak quickly And I have a different accent... 3
  • 4. Compliance and auditing with Puppet@petersouter Warning: I am not a lawyer or auditor Always go speak to one of them before implementing some of the stuff I’m talking about! 4
  • 5. Compliance and auditing with Puppet@petersouter So, why are we here? (This room specifically, listening to this talk...) 5
  • 6. Compliance and auditing with Puppet@petersouter Show of hands in the room Who has to deal with IT compliance or auditing in their current role? 6
  • 7. Compliance and auditing with Puppet@petersouter What does it mean? So what is compliance? 7
  • 8. Compliance and auditing with Puppet@petersouter “Many organisations in the public sector and the regulated industries, such as utilities and legal or financial services, have to demonstrate an information security policy that proves they have a range of steps and measures in place...If these policies are not adhered to, the regulators reserve the right to prosecute” - http://www.computerweekly.com/feature/Information-security-The-route-to-compliance 8
  • 9. Compliance and auditing with Puppet@petersouter Compliance is not security! Sidebar: Important distinction 9
  • 10. Compliance and auditing with Puppet@petersouter It’s the ops equivalent of planning permission, zoning laws, building guidelines etc. “Compliance is the discipline of verification at scale” 10
  • 11. Compliance and auditing with Puppet@petersouter How could you ever check every single one of them, and what should you be prioritising? Think about how many files, scripts, artifacts and services make up your estate 11
  • 12. Compliance and auditing with Puppet@petersouter ● Who’s responsible? ● Who runs the scans? ● Who fixes things when they go wrong? This means compliance straddles an awkward organisational line 12
  • 13. Compliance and auditing with Puppet@petersouter Regardless: Someone has told you you need to follow the rules Either for best practise or legal reasons... 13
  • 14. Compliance and auditing with Puppet@petersouter Alphabet Soup Control Objectives for Information and related Technology (COBIT) Defense Information Systems Agency (DISA) STIGs Federal Information Security Management Act (FISMA) Federal Desktop Core Configuration (FDCC) Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) ISO 27002/17799 Security Standards Information Technology Information Library (ITIL) National Institute of Standards (NIST) configuration guidelines National Security Agency (NSA) configuration guidelines Payment Card Industry Data Security Standards (PCI DSS) Sarbanes-Oxley (SOX) Site Data Protection (SDP) United States Government Configuration Baseline (USGCB) California’s Security Breach Notification Act - SB 1386 14
  • 15. Compliance and auditing with Puppet@petersouter You might have your own hardening policies Removing non-essential users etc. 15
  • 16. Compliance and auditing with Puppet@petersouter 16 ● Founded in October, 2000 ● It is composed of roughly 180 members from 17 different countries. ● Wide range of entities, including academia and the government ● Kind of a non-government fork of the STIG standards “Enhance the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration” Center for Internet Security (CIS)
  • 17. Compliance and auditing with Puppet@petersouter 17 CIS standard exist for a lot of applications and tools: Amazon Linux, Amazon Web Services Apache Tomcat, Apache HTTP Server Assessment Tool Apple iOS, Apple OSX, Apple Safari, Benchmark Mappings: Medical Device Security Standards CentOS Linux, CheckPoint Firewall, Cisco Device Debian Linux, Distribution Independent Linux, Docker, FreeBSD, FreeRadius, Google Android, Google Chrome, HP-UX, IBM AIX, IBM DB2, IBM DB2 Benchmark Archive ISC BIND, Juniper Device, Kerberos, LDAP, Microsoft Exchange Server, Microsoft IIS, Microsoft Internet Explorer, Microsoft MS SQL Server, Microsoft Office, Microsoft SharePoint Server, Microsoft Windows 10, Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows NT, Microsoft Windows Server 2000, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2012, Microsoft Windows XP, Mozilla Firefox, MySQL Novell Netware, Opera, Oracle Database Server, Oracle Database Server Assessment Tool Oracle Linux, Oracle Solaris, Red Hat Linux, Slackware Linux, SuSE Linux, Sybase ASE, Ubuntu VMware, Wireless Network Devices, Xen
  • 18. Compliance and auditing with Puppet@petersouter A lot of the time, you have to dig through a lot of legalese to get to an engineerable problem 18 And whether your engineering solution actually succeeds in it’s goal is entirely up to the discretion of your auditor
  • 19. Compliance and auditing with Puppet@petersouter An example: HIPAA Health Insurance Portability and Accountability Act of 1996 19
  • 20. Compliance and auditing with Puppet@petersouter The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164. - https://www.hhs.gov/hipaa/for-professionals/security/index.html 20
  • 21. Compliance and auditing with Puppet@petersouter Ok, let's go digging Let's look for 45 CFR Part 160 and Subparts A and C of 164 21
  • 22. Compliance and auditing with Puppet@petersouter PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS Contents Subpart A—General Provisions §160.101 Statutory basis and purpose. §160.102 Applicability. §160.103 Definitions. §160.104 Modifications. §160.105 Compliance dates for implementation of new or modified standards and implementation specifications. Subpart B—Preemption of State Law §160.201 Statutory basis. §160.202 Definitions. §160.203 General rule and exceptions. §160.204 Process for requesting exception determinations. §160.205 Duration of effectiveness of exception determinations. Subpart C—Compliance and Investigations §160.300 Applicability. §160.302 [Reserved] §160.304 Principles for achieving compliance. §160.306 Complaints to the Secretary. §160.308 Compliance reviews. §160.310 Responsibilities of covered entities and business associates. §160.312 Secretarial action regarding complaints and compliance reviews. §160.314 Investigational subpoenas and inquiries. §160.316 Refraining from intimidation or retaliation. Subpart D—Imposition of Civil Money Penalties §160.400 Applicability. §160.401 Definitions. §160.402 Basis for a civil money penalty. §160.404 Amount of a civil money penalty. §160.406 Violations of an identical requirement or prohibition. §160.408 Factors considered in determining the amount of a civil money penalty. §160.410 Affirmative defenses. §160.412 Waiver. §160.414 Limitations. §160.416 Authority to settle. §160.418 Penalty not exclusive. §160.420 Notice of proposed determination. §160.422 Failure to request a hearing. §160.424 Collection of penalty. §160.426 Notification of the public and other agencies. Subpart E—Procedures for Hearings 45 CFR Part 164, Subpart C - Security Standards for the Protection of Electronic Protected Health Information § 164.302 — Applicability. § 164.304 — Definitions. § 164.306 — Security standards: General rules. § 164.308 — Administrative safeguards. § 164.310 — Physical safeguards. § 164.312 — Technical safeguards. § 164.314 — Organizational requirements. § 164.316 — Policies and procedures and documentation requirements. § 164.318 — Compliance dates for the initial implementation of the security standards. 22
  • 23. Compliance and auditing with Puppet@petersouter PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS Contents Subpart A—General Provisions §160.101 Statutory basis and purpose. §160.102 Applicability. §160.103 Definitions. §160.104 Modifications. §160.105 Compliance dates for implementation of new or modified standards and implementation specifications. Subpart B—Preemption of State Law §160.201 Statutory basis. §160.202 Definitions. §160.203 General rule and exceptions. §160.204 Process for requesting exception determinations. §160.205 Duration of effectiveness of exception determinations. Subpart C—Compliance and Investigations §160.300 Applicability. §160.302 [Reserved] §160.304 Principles for achieving compliance. §160.306 Complaints to the Secretary. §160.308 Compliance reviews. §160.310 Responsibilities of covered entities and business associates. §160.312 Secretarial action regarding complaints and compliance reviews. §160.314 Investigational subpoenas and inquiries. §160.316 Refraining from intimidation or retaliation. Subpart D—Imposition of Civil Money Penalties §160.400 Applicability. §160.401 Definitions. §160.402 Basis for a civil money penalty. §160.404 Amount of a civil money penalty. §160.406 Violations of an identical requirement or prohibition. §160.408 Factors considered in determining the amount of a civil money penalty. §160.410 Affirmative defenses. §160.412 Waiver. §160.414 Limitations. §160.416 Authority to settle. §160.418 Penalty not exclusive. §160.420 Notice of proposed determination. §160.422 Failure to request a hearing. §160.424 Collection of penalty. §160.426 Notification of the public and other agencies. Subpart E—Procedures for Hearings 45 CFR Part 164, Subpart C - Security Standards for the Protection of Electronic Protected Health Information § 164.302 — Applicability. § 164.304 — Definitions. § 164.306 — Security standards: General rules. § 164.308 — Administrative safeguards. § 164.310 — Physical safeguards. § 164.312 — Technical safeguards. § 164.314 — Organizational requirements. § 164.316 — Policies and procedures and documentation requirements. § 164.318 — Compliance dates for the initial implementation of the security standards. 23
  • 24. Compliance and auditing with Puppet@petersouter Technical Safeguards! Finally we’re getting somewhere... 24
  • 25. Compliance and auditing with Puppet@petersouter § 164.312 Technical safeguards. A covered entity or business associate must, in accordance with § 164.306: (a) (1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4). (2) Implementation specifications: (i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity. (ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. (iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. (iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information. (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. 25
  • 26. Compliance and auditing with Puppet@petersouter The pain of compliance will be directly correlated to the relationship with your auditors Ultimately, they are the ones that you need to prove that you are in compliance too 26
  • 27. Compliance and auditing with Puppet@petersouter ● Emails ● PDFs ● Dead trees ● Humans 27 Unfortunately, this is often a manual process
  • 28. Compliance and auditing with Puppet@petersouter There’s got to be a better way! If only there was something better... 28
  • 29. Compliance and auditing with Puppet@petersouter A series of rules for systems that need to be enforced and reported on What is IT compliance? 29
  • 30. Compliance and auditing with Puppet@petersouter A series of rules for systems that need to be enforced and reported on What is Puppet? 30
  • 31. Compliance and auditing with Puppet@petersouter Great, let's use Puppet! 31 But...what’s so great about using Puppet to enforce these standards?
  • 32. Compliance and auditing with Puppet@petersouter Reduce cost and time per release 32 Pre-existing code for known standards often available
  • 33. Compliance and auditing with Puppet@petersouter Potential for sharing and reuse 33 Share within your company or with the public
  • 34. Compliance and auditing with Puppet@petersouter Single Source of Truth 34 Your infrastructure as code repository becomes your one place to look for compliance code
  • 35. Compliance and auditing with Puppet@petersouter Less arguments about semantics 35 Agreed upon Puppet DSL means closer collaboration between policymakers and practitioners
  • 36. Compliance and auditing with Puppet@petersouter Make time for the things that can’t be automated 36 Not everything can be automated, like physical safeguards
  • 37. Compliance and auditing with Puppet@petersouter Let’s pick a really basic example How does this look like in action? 37
  • 38. Compliance and auditing with Puppet@petersouter 38 - https://benchmarks.cisecurity.org/tools2/linux/CIS_CentOS_Linux_7_Benchmark_v1.1.0.pdf
  • 39. Compliance and auditing with Puppet@petersouter 1.2.3 Verify that gpgcheck is Globally Activated - Profile Applicability: Level 1 - Description: The gpgcheck option, found in the main section of the /etc/yum.conf file determines if an RPM package's signature is always checked prior to its installation. - Rationale: It is important to ensure that an RPM's package signature is always checked prior to installation to ensure that the software is obtained from a trusted source. - Audit: Run the following command to verify that gpgcheck is set to 1 in all occurrences of the /etc/yum.conf file: $ grep gpgcheck /etc/yum.conf gpgcheck=1 - Remediation: Edit the /etc/yum.conf file and set the gpgcheck to 1 as follows: gpgcheck=1 An example from CIS CentOS 7 Standards 39
  • 40. Compliance and auditing with Puppet@petersouter Reflected in Puppet # 1.2.3 - Verify that gpgcheck is globally Activated (Scored) file { '/etc/yum.conf': ensure => file, owner => 'root', group => 'root', mode => '0644', } file_line { '(1.2.3) /etc/yum.conf contains gpgcheck=1': ensure => present, path => '/etc/yum.conf', line => 'gpgcheck=1', } 40
  • 41. Compliance and auditing with Puppet@petersouter Dedicated modules for compliance? Use existing code and enforce standards? Dry run modes when silo’d or change frozen? A few different design approaches available here... 41
  • 42. Compliance and auditing with Puppet@petersouter Dedicated modules for compliance 42 class cis_rhel7::rule::rule_1_2_3 { # includes Rules: # 1.2.3 - Verify that gpgcheck is Globally Activated (Scored) file { '/etc/yum.conf': ensure => file, owner => 'root', group => 'root', mode => '0644', } file_line { '(1.2.3) /etc/yum.conf contains gpgcheck=1': ensure => present, path => '/etc/yum.conf', line => 'gpgcheck=1', } } #EOF https://forge.puppet.com/perfecto25/cis_rhel7
  • 43. Compliance and auditing with Puppet@petersouter Use existing module and enforce standards 43 class { 'yum': gpgcheck => true, }
  • 44. Compliance and auditing with Puppet@petersouter Personally, I think you should use existing modules 44 However: dedicated compliance modules can work if compliance is the primary use case or you have silo’d teams
  • 45. Compliance and auditing with Puppet@petersouter baseline_compliance 45 - https://forge.puppet.com/ccaum/baseline_compliance
  • 46. Compliance and auditing with Puppet@petersouter Baseline compliance example 46 Info: Using configured environment 'production' Info: Retrieving pluginfacts Info: Retrieving plugin Notice: Compiled catalog for master.vm in environment production in 8.78 seconds Notice: Compiled catalog for master.vm in environment baseline in 0.03 seconds Info: Adding baseline Notify[message] resource to catalog Warning: Resource File[/tmp/example]'s parameter 'group' value of 'pe-puppet' is overwriting baseline value of '0' Info: Adding baseline parameter 'mode' with value '0755' to resource File[/tmp/example] Info: Caching catalog for master.vm Info: Applying configuration version '1468390945'
  • 47. Compliance and auditing with Puppet@petersouter There’s a lot of prior art for this work Remember when we talked about sharing and reuse? 47
  • 48. Compliance and auditing with Puppet@petersouter DEV-SEC.IO 48
  • 49. Compliance and auditing with Puppet@petersouter SIMP - System Integrity Management Platform 49 - https://simp-project.com/
  • 50. Compliance and auditing with Puppet@petersouter SIMP - Compliance Mapper 50 - https://github.com/simp/pupmod-simp-compliance_markup
  • 51. Compliance and auditing with Puppet@petersouter Puppet Forge and Github Check the community hubs 51
  • 52. Compliance and auditing with Puppet@petersouter 52
  • 53. Compliance and auditing with Puppet@petersouter However there are two parts to IT compliance 53 1. Enforcement 2. Reporting
  • 54. Compliance and auditing with Puppet@petersouter Custom facts can be used to show compliance 54 They’re generally better at the enforcing bit
  • 55. Compliance and auditing with Puppet@petersouter Custom facts for compliance checking 55 Facter.add(:cis) do confine :osfamily => "RedHat" confine :operatingsystemmajrelease => '7' cishash = {} setcode do returnval = Facter::Core::Execution.exec('egrep '^[[:space:]]*[^#]*[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1' /etc/yum.conf') if returnval.include? 'gpgcheck' cishash['1.2.3'] = true else cishash['1.2.3'] = false end cishash end end
  • 56. Compliance and auditing with Puppet@petersouter There’s normally an approval process or tool to get something signed off as a scanner for a particular standard 56 eg. PCI, there are ASV (Approved Scanning Vendors)
  • 57. Compliance and auditing with Puppet@petersouter There’s a bunch of scanning tools out there 57 Nessus, QualysGuard, Nexpose etc
  • 58. Compliance and auditing with Puppet@petersouter You want to ensure correctness is part of your processes 58 You want multiple levels of checking
  • 59. Compliance and auditing with Puppet@petersouter ● SCAP is U.S. standard maintained by National Institute of Standards and Technology (NIST) ● The OpenSCAP project is a collection of open source tools for implementing and enforcing the standard ● Lots of existing profiles for various OS’s and compliance standards (PCI DSS, FISMA) ● Existing integrations with various tools and projects OpenSCAP 59
  • 60. Compliance and auditing with Puppet@petersouter oscap 60 $ yum install openscap-utils scap-security-guide -y $ oscap xccdf eval --profile common --report /vagrant/report.html --results /vagrant/results.xml --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
  • 61. Compliance and auditing with Puppet@petersouter 61
  • 62. Compliance and auditing with Puppet@petersouter Lets see it in action 62 And hope the live demo fairies are nice!
  • 63. Compliance and auditing with Puppet@petersouter SCAP Workbench - https://www.open-scap.org/resources/documentation/make-a-rhel7-server-compliant-with-pci-dss/ 63
  • 64. Compliance and auditing with Puppet@petersouter Foreman/Satellite Integration - https://www.theforeman.org/plugins/foreman_openscap/0.6/ 64
  • 65. Compliance and auditing with Puppet@petersouter ● Hashicorp tool ● Image management ● Provisioners for config management tools and shell scripts ● Some compliance steps can be hard to change on a running system ● Werner Buck had a great talk about compliance standards with Packer: http://wernerb.github.io/hashiconf-har dening/ Bake your compliance steps into your base images Packer 65
  • 66. Compliance and auditing with Puppet@petersouter Domain Specific Languages to test system correctness System Testing DSL’s 66
  • 67. Compliance and auditing with Puppet@petersouter Serverspec 67
  • 68. Compliance and auditing with Puppet@petersouter Serverspec describe 'cis_level_1' do describe file('/etc/yum.conf') do it { should be_file } its(:content) { should match /*gpgcheck=1/ } it { should be_file } it { should be_mode 644 } it { should be_owned_by 'root' } it { should be_grouped_into 'root' } end end 68
  • 69. Compliance and auditing with Puppet@petersouter ● goss - https://github.com/aelsabbahy/goss - Inspired by serverspec, but written in golang ● infrataster - http://infrataster.net/ - Has specific methods and keywords for http, mysql etc ● testinfra - https://github.com/philpep/testinfra - Python version of serverspec ● gauntlt - http://gauntlt.org/ - BDD wrappers around common security tools (nmap, sslyze etc) ● bddsecurity - http://bbdsecurity.com - Similar BDD focussed security tool A number of similar and inspired projects 69
  • 70. Compliance and auditing with Puppet@petersouter Summary 70 What have we learnt?
  • 71. Compliance and auditing with Puppet@petersouter Compliance is enforcement of standards 71 It’s not security, it’s standards for scaling security
  • 72. Compliance and auditing with Puppet@petersouter Compliance responsibility can be tricky 72 Try to bring into teams if possible, move security left!
  • 73. Compliance and auditing with Puppet@petersouter Puppet is a great fit for compliance 73 It fits the model of enforcing rules in a defined way
  • 74. Compliance and auditing with Puppet@petersouter There’s lots of pre-existing work 74 “Stand on the shoulders of giants”
  • 75. Compliance and auditing with Puppet@petersouter Enforcement is just one part of the puzzle 75 Reporting is the other half
  • 76. Compliance and auditing with Puppet@petersouter Want to know more? 76 ● A Year in Open Source Automated Compliance With Puppet – Trevor Vaughan at PuppetConf 2016 https://www.youtube.com/watch?v=a270uDh8muE ● Compliance Is Not Security. Compliance Scales Security. https://medium.com/compliance-at-velocity/compliance-is-not-security-compliance-scal es-security-50846e7a47c2#.k63bpravl ● Prove it! The Last Mile for DevOps in Regulated Organizations - DOES15 - Bill Shinn https://www.youtube.com/watch?v=gg8gGisl4zM ● The Technical Practises of Integrating Information Security, Change Management and Compliance Kim, Gene. 2016. The Devops Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations. Portland: IT Revolution Press
  • 77. Compliance and auditing with Puppet@petersouter Q&A 77