A presentation at SPAWAR Red Hat Day in October 2014 in Charleston, SC, USA by Shawn Wells
Accrediting OpenShift SHAWN WELLS Director, Innovation Programs U.S. Public Sector unclass: shawn@redhat.com JWICS: sdwell2@nsa.ic.gov (+1) 443-534-0130 UNCLASSIFIED 1
30 MINUTES, 3 GOALS
1. Review OpenShift Multi-Tenancy
   • sVirt
   • MCS & Type Enforcement
2. Current compliance tech + initiatives
   • U.S. Army Configuration, SCAP Security Guide (SSG)
   • Host/Tenant Security Boundary Model
3. Future Plans (discussion)
   • OpenShift NIST Baseline
   • OpenShift STIG, hardened cartridges 2
OpenShift Multi-tenancy
• Think of the gears as boxes, nodes as the truck
• We don’t care what’s inside the box, it’s just cargo 3
OpenShift Multi-tenancy RHEL HYPERVISOR (RHEV, OpenStack, KVM…) 4
OpenShift Multi-tenancy
system_u:system_r:svirt_t:s0:c379,c680
system_u:system_r:svirt_t:s0:c41,c368
RHEL HYPERVISOR (RHEV, OpenStack, KVM…) 5
OpenShift Multi-tenancy 6
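The two labels on the previous slide are what sVirt gives each gear: the same SELinux type (svirt_t) but a distinct pair of MCS categories. MCS only lets a subject reach an object whose category set is a subset of its own, so two gears with different pairs cannot touch each other's processes or files. The following Python is an added illustration, not material from the slides or from OpenShift itself: it parses labels in the standard user:role:type:sensitivity[:categories] layout, applies the MCS dominance rule, and audits a constructed list of labels (as one might collect from ps -eZ on a node) for pairs that are not mutually isolated. The svirt_sandbox_file_t label and the c0.c1023 administrator range are constructed sample values.

```python
"""sVirt / SELinux MCS isolation check (added example, not from the slides).

Labels look like  system_u:system_r:svirt_t:s0:c379,c680
Categories may be listed (c41,c368) or given as a range (c0.c1023).
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_categories(spec: str) -> FrozenSet[int]:
    """'c379,c680' -> {379, 680}; 'c0.c1023' expands the range; '' -> empty set."""
    cats = set()
    for item in filter(None, spec.split(",")):
        m = _CAT_RE.match(item)
        if not m:
            raise ValueError(f"bad MCS category spec: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"inverted MCS range: {item!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    sensitivity: str
    categories: FrozenSet[int]


def parse_context(label: str) -> Context:
    """Split a full SELinux context; the category field is optional."""
    parts = label.split(":")
    if len(parts) not in (4, 5):
        raise ValueError(f"malformed SELinux context: {label!r}")
    cats = parse_categories(parts[4]) if len(parts) == 5 else frozenset()
    return Context(parts[0], parts[1], parts[2], parts[3], cats)


def mcs_dominates(subject: Context, obj: Context) -> bool:
    """MCS rule: same sensitivity and the subject's categories are a superset
    of the object's. A gear with {379, 680} therefore cannot read an object
    labelled {41, 368}, but an object with no categories is open to everyone."""
    return (subject.sensitivity == obj.sensitivity
            and subject.categories >= obj.categories)


def gears_isolated(a: Context, b: Context) -> bool:
    """Two gears are isolated when neither side dominates the other."""
    return not mcs_dominates(a, b) and not mcs_dominates(b, a)


def audit_isolation(labels: List[str]) -> List[Tuple[int, int]]:
    """Return index pairs of labels that are NOT mutually isolated.
    On a healthy node every gear pair should be absent from this list."""
    ctxs = [parse_context(lbl) for lbl in labels]
    return [(i, j)
            for i in range(len(ctxs))
            for j in range(i + 1, len(ctxs))
            if not gears_isolated(ctxs[i], ctxs[j])]


# Labels from the slide plus constructed samples for the audit.
GEAR_A = parse_context("system_u:system_r:svirt_t:s0:c379,c680")
GEAR_B = parse_context("system_u:system_r:svirt_t:s0:c41,c368")
NODE_LABELS = [
    "system_u:system_r:svirt_t:s0:c379,c680",   # gear A
    "system_u:system_r:svirt_t:s0:c41,c368",    # gear B
    "system_u:system_r:svirt_t:s0:c379,c680",   # duplicate of gear A: collision
    "system_u:object_r:svirt_sandbox_file_t:s0",  # file with no categories: world-reachable
]

if __name__ == "__main__":
    print("A/B isolated:", gears_isolated(GEAR_A, GEAR_B))
    print("non-isolated pairs:", audit_isolation(NODE_LABELS))
```

The audit reports the duplicated label (index 0 and 2) and every gear against the uncategorised file (index 3): those are exactly the two failure modes a node operator needs to catch, a category pair reused for two tenants and shared content left without categories.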
Collaboration with NSA C63 (aka NIAP): where we’ve been… and next stop 7
Common Criteria certifications

Product                                                          Certification Date  EAL Level  CAPP  RBAC  LSPP
Red Hat Enterprise Linux 6 with KVM                              2012-10-08          EAL4+      YES   YES   YES
Red Hat Enterprise Linux 5.6 with KVM                            2012-04-20          EAL4+      YES   YES   YES
IBM z/VM Version 5 Release 3 (for IBM System z Mainframes)       2008-08-06          EAL4+      YES   NO    YES
VMware vSphere 5.0                                               2012-05-18          EAL4+      NO    NO    NO
VMware ESXi 4.1                                                  2010-12-15          EAL4+      NO    NO    NO
Microsoft Windows Server 2008 Hyper-V Role with HotFix KB950050  2009-07-24          EAL4+      NO    NO    NO

CAPP: Users control data access
RBAC: Users classified into roles (“BackupAdm,” “AuditAdm”…)
LSPP: Compartmentalizes users and applications from each other. Enables MLS.
Source: http://www.commoncriteriaportal.org/ 8
Beta Programs + Customer Advisory Panels FIPS Certs docs.redhat.com Value of Red Hat Atsec 11
Common Criteria != Compliance Policy 12
STIG == Compliance Policy 13
SCAP Security Guide Project (SSG) 14
SCAP Security Guide 15
Community In a Nutshell:
… has had 7,149 commits from 104 contributors, representing 1,641,075 lines of source
… has become upstream for all Red Hat DISA FSO (aka STIG) content, all Red Hat NIST baselines, all Red Hat USGCB content, NSA and CIA RHEL baselines; OpenShift work just beginning
… as of October 2014, ships natively in RHEL 6.6 and 7.1
Shawn Wells shawn@redhat.com || sdwell2@nsa.ic.gov 443-534-0130 UNCLASSIFIED 19
Asked to present at the joint SPAWAR and NSA technology day. Discussed: