OpenShift Security

A presentation at Worldwide Technology (WWT) Security Day in January 2014 in Denver, CO, USA by Shawn Wells

Slide 1

Slide 1

OpenShift Security SHAWN WELLS Chief Information Security Officer U.S. Public Sector unclass: shawn@redhat.com JWICS: sdwell2@nsa.ic.gov (+1) 443-534-0130 UNCLASSIFIED 1

Slide 2

Slide 2

45 MINUTES, 3 GOALS 1. Review OpenShift Security Framework • sVirt • MCS & Type Enforcement 2. 3. 2

Slide 3

Slide 3

45 MINUTES, 3 GOALS 1. Review OpenShift Security Framework • sVirt • MCS & Type Enforcement 2. Review compliance tech + initiatives • Upstream: SCAP Security Guide (SSG) • Downstream: NSA SNAC Guides & STIGs 3. 3

Slide 4

Slide 4

45 MINUTES, 3 GOALS 1. Review OpenShift Security Framework • sVirt • MCS & Type Enforcement 2. Review compliance tech + initiatives • Upstream: SCAP Security Guide (SSG) • Downstream: NSA SNAC Guides & STIGs 3. SCAP Demo • OpenSCAP + SSG • C&A Document Generation 4

Slide 5

Slide 5

OpenShift Multi-tenancy • Think of the gears as boxes, nodes as the truck • We don’t care what’s inside the box, it’s just cargo 5

Slide 6

Slide 6

OpenShift Multi-tenancy RHEL HYPERVISOR (RHEV, OpenStack, KVM…) 6

Slide 7

Slide 7

OpenShift Multi-tenancy system_u:system_r:svirt_t:s0:c379,c680 system_u:system_r:svirt_t:s0:c41,c368 RHEL HYPERVISOR (RHEV, OpenStack, KVM…) 7

Slide 8

Slide 8

OpenShift Multi-tenancy 8

Slide 9

Slide 9

NSA C63 (aka NIAP) & Red Hat: where we’ve been… and next stop 9

Slide 10

Slide 10

Red Hat Enterprise Linux 6 with KVM Certification Date IBM z/VM Red Hat Version 5 Enterprise Release 3 (for Linux 5.6 with IBM System z KVM Mainframes) VMWare VMWare vSphere 5.0 ESXi 4.1 Microsoft Windows Server 2008 Hyper-V Role with HotFix KB950050 2012-10-08 2012-04-20 2008-08-06 2012-05-18 2010-12-15 2009-07-24 EAP4+ EAP4+ EAP4+ EAP4+ EAP4+ EAP4+ CAPP YES YES YES NO NO NO RBAC YES YES NO NO NO NO LSPP YES YES YES NO NO NO EAL Level CAPP: Users control data access’ RBAC: Users classified into roles (“BackupAdm,” “AuditAdm”…) LSPP: Compartmentalizes users and applications from each other. Enables MLS. 10

Slide 11

Slide 11

11

Slide 12

Slide 12

Beta Programs + Customer Advisory Panels 12

Slide 13

Slide 13

FIPS Certs 13

Slide 14

Slide 14

docs.redhat.com 14

Slide 15

Slide 15

“Core” Red Hat Subscription Value 15

Slide 16

Slide 16

Atsec 16

Slide 17

Slide 17

Common Criteria != Compliance Policy 17

Slide 18

Slide 18

STIG == Compliance Policy 18

Slide 19

Slide 19

SCAP Security Guide Project (SSG) 19

Slide 20

Slide 20

SCAP Security Guide 20

Slide 21

Slide 21

In a Nutshell, SCAP Security Guide: … has had 1,943 commits from 24 contributors, representing 164,355 lines of source … took an estimated 43 years of effort (COCOMO model) … has become upstream for DISA RHEL6 STIG, NIST NVD for JBoss EAP, NSA SNAC guide in progress

Slide 22

Slide 22

RHEL5 STIG Delay: 1,988 days 22

Slide 23

Slide 23

RHEL5 STIG Delay: 1,988 days RHEL6 STIG Delay: 932 days 23

Slide 24

Slide 24

STIG Version 1, Release 2, Section 1.1: “The consensus content was developed using an open source project called SCAP Security Guide. The project’s website is https:// fedorahosted.org/scap-security-guide/. Except for differences in formatting to accommodate the DISA STIG publising process, the content of the RHEL6 STIG should mirror the SCAP Security Guide content with only minor divergences as updates from multiple sources work through the consensus process” 24

Slide 25

Slide 25

25

Slide 26

Slide 26

SCAP Security Guide • Guidance broken into profiles: • RHEL6 STIG • CS2 • NIST NVD (JBoss only) 26

Slide 27

Slide 27

27

Slide 28

Slide 28

28

Slide 29

Slide 29

29

Slide 30

Slide 30

Slide 31

Slide 31

Slide 32

Slide 32

Remediation During Provisioning