Red Hat System Security & Management

A presentation at NSA Red Hat Symposium in August 2013 in Fort Meade, MD, USA by Shawn Wells

Slide 1

Slide 1

SYSTEM SECURITY & MANAGEMENT SHAWN WELLS DIRECTOR, INNOVATION PROGRAMS unclass: shawn@redhat.com (+1) 443-534-0130 UNCLASSIFIED 1

Slide 2

Slide 2

60 MINUTES, 3 GOALS 1. Review compliance tech + initiatives spanning I4, TS13, DISA, NIST, and Red Hat 2. 3. • SCAP Security Guide • Security Baselines (CS2, STIG, etc) • Emerging Tech

Slide 3

Slide 3

60 MINUTES, 3 GOALS 1. Review compliance tech + initiatives spanning I4, TS13, DISA, NIST, and Red Hat • SCAP Security Guide • Security Baselines (CS2, STIG, etc) • Emerging Tech 2. T3 ATO’d System Management Framework 3. • System Provisioning, Patch Management, Monitoring, Conf Mgmt • Sponsored by T3 (“go redhat-support”)

Slide 4

Slide 4

60 MINUTES, 3 GOALS 1. Review compliance tech + initiatives spanning I4, TS13, DISA, NIST, and Red Hat • SCAP Security Guide • Security Baselines (CS2, STIG, etc) • Emerging Tech 2. T3 ATO’d System Management Framework • System Provisioning, Patch Management, Monitoring, Conf Mgmt • Sponsored by T3 (“go redhat-support”) 3. Demonstrate current capabilities

Slide 5

Slide 5

NSA C63 (aka NIAP) & Red Hat: where we’ve been… and next stop

Slide 6

Slide 6

Slide 7

Slide 7

Slide 8

Slide 8

SCAP Security Guide FSO I43, I411, TS13, T3 NVD U.S. Federal AUS Federal AppSec Engineering

Slide 9

Slide 9

RHEL5 STIG Delay: 1,988 days RHEL6 STIG Delay: 932 days

Slide 10

Slide 10

STIG Version 1, Release 2, Section 1.1: “The consensus content was developed using an open source project called SCAP Security Guide. The project’s website is https:// fedorahosted.org/scap-security-guide/. Except for differences in formatting to accommodate the DISA STIG publising process, the content of the RHEL6 STIG should mirror the SCAP Security Guide content with only minor divergences as updates from multiple sources work through the consensus process”

Slide 11

Slide 11

Slide 12

Slide 12

Slide 13

Slide 13

Slide 14

Slide 14

SCAP Security Guide • Guidance broken into profiles: • RHEL6 STIG • CS2 • NIST NVD (JBoss only) • FISMA Moderate (in progress)

Slide 15

Slide 15

Slide 16

Slide 16

Slide 17

Slide 17

<fix system=”urn:xccdf:fix:script:sh”> yum -y install aide </fix>

Slide 18

Slide 18

SYSTEMS MANAGEMENT 18

Slide 19

Slide 19

T3 SYSTEM MANAGEMENT CAPABILITIES

Slide 20

Slide 20

T3 SYSTEM MANAGEMENT CAPABILITIES

Slide 21

Slide 21

Slide 22

Slide 22

Slide 23

Slide 23

Slide 24

Slide 24

T3 SYSTEM MANAGEMENT CAPABILITIES

Slide 25

Slide 25

T3 SYSTEM MANAGEMENT CAPABILITIES

Slide 26

Slide 26

Slide 27

Slide 27

Slide 28

Slide 28

Slide 29

Slide 29

Slide 30

Slide 30

Slide 31

Slide 31

T3 SYSTEM MANAGEMENT CAPABILITIES

Slide 32

Slide 32

T3 SYSTEM MANAGEMENT CAPABILITIES

Slide 33

Slide 33

T3 SYSTEM MANAGEMENT CAPABILITIES

Slide 34

Slide 34

T3 SYSTEM MANAGEMENT CAPABILITIES

Slide 35

Slide 35

T3 RHN Satellite v6: Launching in 2014 • An entirely new Satellite system • Puppet for Configuration • Foreman for Provisioning • Katello for Content Management • Pulp for Repo Management • Candlepin for Subscription Management

Slide 36

Slide 36

T3 RHN Satellite v6: Workflow

Slide 37

Slide 37

T3 RHN Satellite v6: Workflow

Slide 38

Slide 38

T3 RHN Satellite v6: Workflow

Slide 39

Slide 39

Slide 40

Slide 40

Slide 41

Slide 41

Slide 42

Slide 42

Slide 43

Slide 43

Slide 44

Slide 44

Slide 45

Slide 45

THANK YOU! 45