Compliance Made Easy

A presentation at Red Hat Webinar in December 2013 in McLean, VA, USA by Shawn Wells

Slide 1

COMPLIANCE MADE EASY
SHAWN WELLS
unclass: shawn@redhat.com
JWICS: wellsha@nro.ic.gov
NSA: sdwell2@nsa.ic.gov
(+1) 443-534-0130
UNCLASSIFIED

Slide 2

60 MINUTES, 2 GOALS
1. Review compliance tech + initiatives
   • Upstream: SCAP Security Guide (SSG)
   • Downstream: NSA SNAC Guides & STIGs
2. SCAP Demo
   • OpenSCAP + SSG
   • C&A Document Generation

Slide 3

NSA C63 (aka NIAP) & Red Hat: where we’ve been… and next stop

Slide 4

Common Criteria certifications of virtualization platforms (reconstructed from the slide's table):

Product                                                          Certification Date  EAL Level  CAPP  RBAC  LSPP
Red Hat Enterprise Linux 6 with KVM                              2012-10-08          EAL4+      YES   YES   YES
Red Hat Enterprise Linux 5.6 with KVM                            2012-04-20          EAL4+      YES   YES   YES
IBM z/VM Version 5 Release 3 (for IBM System z Mainframes)       2008-08-06          EAL4+      YES   NO    YES
VMware vSphere 5.0                                               2012-05-18          EAL4+      NO    NO    NO
VMware ESXi 4.1                                                  2010-12-15          EAL4+      NO    NO    NO
Microsoft Windows Server 2008 Hyper-V Role with HotFix KB950050  2009-07-24          EAL4+      NO    NO    NO

CAPP: Users control data access.
RBAC: Users classified into roles (“BackupAdm,” “AuditAdm”…).
LSPP: Compartmentalizes users and applications from each other. Enables MLS.

Slide 5


Slide 6

Beta Programs + Customer Advisory Panels

Slide 7

FIPS Certs

Slide 8

docs.redhat.com

Slide 9

“Core” Red Hat Subscription Value

Slide 10

Atsec

Slide 11

Common Criteria != Compliance Policy

Slide 12

STIG == Compliance Policy

Slide 13

SCAP Security Guide Project (SSG)

Slide 14

SCAP Security Guide

Slide 15

In a Nutshell, SCAP Security Guide:
… has had 1,943 commits from 24 contributors, representing 164,355 lines of source
… took an estimated 43 years of effort (COCOMO model)
… has become upstream for the DISA RHEL6 STIG and the NIST NVD content for JBoss EAP; the NSA SNAC guide is in progress

Slide 16

RHEL5 STIG Delay: 1,988 days

Slide 17

RHEL5 STIG Delay: 1,988 days
RHEL6 STIG Delay: 932 days

Slide 18

STIG Version 1, Release 2, Section 1.1: “The consensus content was developed using an open source project called SCAP Security Guide. The project’s website is https://fedorahosted.org/scap-security-guide/. Except for differences in formatting to accommodate the DISA STIG publishing process, the content of the RHEL6 STIG should mirror the SCAP Security Guide content with only minor divergences as updates from multiple sources work through the consensus process.”

Slide 19


Slide 20

SCAP Security Guide
• Guidance broken into profiles:
  • RHEL6 STIG
  • CS2
  • NIST NVD (JBoss only)

Slide 21


Slide 22


Slide 23


Slide 24

Slide 25

Slide 26

Remediation During Provisioning