SECURITY BASELINE AUTOMATION WITH ANSIBLE: HISTORY AND FUTURE
Justin [email protected] 2019
GENESIS, c. 2006
# Version 0.4 13 September 2006
# Date Created : 2006-09-12 10:08:03.0
install
text
network --bootproto dhcp
cdrom
lang en_US
langsupport --default en_US en_US
keyboard us
mouse none
zerombr yes
clearpart --all
part pv.1 --size=0 --grow --ondisk=hda
part /boot --fstype "ext3" --size=128 --ondisk=hda
volgroup VolGroup00 pv.1
logvol /usr --fstype ext3 --name=usrVol --vgname=VolGroup00 --size=5120
logvol / --fstype ext3 --name=rootVol --vgname=VolGroup00 --size=3096
logvol swap --fstype swap --name=swapVol --vgname=VolGroup00 --size=512
logvol /home --fstype ext3 --name=homeVol --vgname=VolGroup00 --size=10240
logvol /tmp --fstype ext3 --name=tmpVol --vgname=VolGroup00 --size=2048
logvol /var --fstype ext3 --name=varVol --vgname=VolGroup00 --size=4096
bootloader --location mbr --password redhat
timezone --utc America/New_York
auth --enablemd5 --enableshadow
rootpw --iscrypted $1$0oW4m7zs$.KSvVMjzxr.W688YXs4Rh.
selinux --enforcing
reboot
firewall --enabled --trust lo --ssh
firstboot --enable
xconfig --videoram 8192 --hsync 31.5-37.9 --vsync 50-70 --resolution 1024x768 --depth 32 --startxonboot --defaultdesktop gnome

%packages --resolvedeps

%post --nochroot
mkdir /mnt/sysimage/tmp/ks-tree-copy
if [ -d /oldtmp/ks-tree-shadow ]; then
cp -fa /oldtmp/ks-tree-shadow/* /mnt/sysimage/tmp/ks-tree-copy
elif [ -d /tmp/ks-tree-shadow ]; then
cp -fa /tmp/ks-tree-shadow/* /mnt/sysimage/tmp/ks-tree-copy
fi
cp /etc/resolv.conf /mnt/sysimage/etc/resolv.conf

%post
(
# Log %post errors
# --General RHN-based stuff--
rpm --import /usr/share/rhn/RPM-GPG-KEY
mkdir -p /etc/sysconfig/rhn/allowed-actions/script
touch /etc/sysconfig/rhn/allowed-actions/script/all
mkdir -p /etc/sysconfig/rhn/allowed-actions/configfiles
touch /etc/sysconfig/rhn/allowed-actions/configfiles/all
# now copy from the ks-tree we saved in the non-chroot checkout
cp -fav /tmp/ks-tree-copy/* /
rm -Rf /tmp/ks-tree-copy
# --End RHN command section--

## -- BEGIN STIG SCRIPT -- ##
#!/bin/bash
# to give us a way in, because root is screwed!
useradd redhat
echo "redhat" | passwd --stdin redhat
usermod -g wheel redhat
# G001, G002, G003, L224
echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
# G004
perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs
BACKSTORY
Solaris Admin - Startup
HPC Admin - Government
Consultant, SA, Services Lead - Red Hat 2004-2010
Startup
Startup
Startup (Ansible)
GM Ansible - Red Hat 2015-2019
MPG
CAN I USE ANSIBLE TO STIG MY SERVERS?
Wasn’t this problem solved 10 years ago?
WE ARE STILL TRYING TO SOLVE THE SAME SECURITY PROBLEMS
IT’S NOT A TOOL PROBLEM...
DEV + SEC + OPS
HOW DO YOU COMMUNICATE?
IT STARTED HERE
THEN THIS
<Group id="V-71939">
<title>SRG-OS-000106-GPOS-00053</title>
<description><GroupDescription></GroupDescription></description>
<Rule id="SV-86563r2_rule" severity="high" weight="10.0">
<version>RHEL-07-010300</version>
<title>The SSH daemon must not allow authentication using an empty password.</title>
<description><VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description>
<reference>
<dc:title>DPMS Target Red Hat 7</dc:title>
<dc:publisher>DISA</dc:publisher>
<dc:type>DPMS Target</dc:type>
<dc:subject>Red Hat 7</dc:subject>
<dc:identifier>2777</dc:identifier>
</reference>
<ident system="http://iase.disa.mil/cci">CCI-000766</ident>
<fixtext fixref="F-78291r2_fix">To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":
PermitEmptyPasswords no
The SSH service must be restarted for changes to take effect. Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.</fixtext>
<fix id="F-78291r2_fix"/>
<check system="C-72171r2_chk">
<check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml"/>
<check-content>To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:
# grep -i PermitEmptyPasswords /etc/ssh/sshd_config
PermitEmptyPasswords no
If no line, a commented line, or a line indicating the value "no" is returned, the required value is set.
If the required value is not set, this is a finding.</check-content>
</check>
</Rule>
</Group>
TO THIS
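As an added example (not the deck's own content, nor code from ansible-lockdown), the 2006 STIG script's G004 one-liner and the XCCDF rule V-71939 (RHEL-07-010300) shown above, expressed as idempotent Ansible tasks; the host group `rhel7`, the tag names and the handler name are assumptions.

```yaml
---
# Added example, not from the deck: the 2006 STIG script item G004 and XCCDF
# rule V-71939 (RHEL-07-010300) as idempotent Ansible tasks. Rule IDs come
# from the slides; the host group, tag names and handler name are assumed.
- name: RHEL 7 baseline excerpt
  hosts: rhel7
  become: true
  tasks:
    # 2006 script, G004: replaces the perl -npe edit of /etc/login.defs
    - name: G004 | Set PASS_MIN_DAYS to 1
      ansible.builtin.lineinfile:
        path: /etc/login.defs
        regexp: '^\s*#?\s*PASS_MIN_DAYS\s+'
        line: 'PASS_MIN_DAYS 1'
      tags: [G004]

    # V-71939 check-content: a finding is any returned line that is neither
    # commented out nor set to "no"; no line at all (grep exit 1) is compliant
    - name: V-71939 | Audit PermitEmptyPasswords
      ansible.builtin.command: grep -i PermitEmptyPasswords /etc/ssh/sshd_config
      register: pep_audit
      changed_when: false
      failed_when: false
      check_mode: false
      tags: [V-71939, audit]

    - name: V-71939 | Report finding
      ansible.builtin.debug:
        msg: "V-71939 finding: {{ pep_audit.stdout_lines }}"
      when: >-
        pep_audit.stdout_lines
        | reject('match', '^ *#')
        | reject('match', '^ *PermitEmptyPasswords +no *$', ignorecase=True)
        | list | length > 0
      tags: [V-71939, audit]

    # V-71939 fixtext: add or correct the line, validate, then restart sshd
    - name: V-71939 | Disallow authentication with empty passwords
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^\s*#?\s*PermitEmptyPasswords\s+'
        line: 'PermitEmptyPasswords no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart sshd
      tags: [V-71939]

  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Run with `--tags audit --check` to report without changing anything; note that lineinfile edits the last matching line, so on hosts whose only occurrence of the directive sits inside a trailing Match block the global default still needs setting.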
IT’S A LOT TO KEEP TRACK OF
PLATFORM CONTROLS
RHEL 7 STIG 243
RHEL 6 STIG 264
Ubuntu 16.04 230
Windows 2k12 Domain Controller 371
Windows 2k12 Server 373
BUT WAIT, THERE’S MORE!
PLATFORM CONTROLS
IIS 7 24
SQL Server 28
Exchange 2013 168
Cisco IOS 64
F5 Big IP 76
THIS ISN’T YOUR PRIMARY ROLE
MITIGATING OR COMPENSATING CONTROLS
ORIGINAL CONTROL: Passwords must be encrypted
CHALLENGE: An aged but critical internal app doesn't support encrypted passwords
MITIGATING CONTROL: Multi-factor authentication or single-use passwords
HOW THIS COMPENSATES: Sufficiently restricts the ability to gain access through password re-use
SECURITY BASELINES ARE FOUNDATIONAL TO YOUR CYBERSECURITY POSTURE
Automating these requires teamwork and an expert-level understanding of security policy
ansiblelockdown
BUILDING BLOCKS
ansiblelockdown ENTERPRISE
ANSIBLE LOCKDOWN ENTERPRISE
Automation content stream
Certified by experts
Service-level agreement
Support and assistance
Mitigating controls
Unlimited hosts
HOW DO I START?
LEARN MORE
ansiblelockdown.io
mindpointgroup.com/automation