Accrediting OpenShift

A presentation at SPAWAR Red Hat Day in October 2014 in Charleston, SC, USA by Shawn Wells

Slide 1

Accrediting OpenShift

SHAWN WELLS
Director, Innovation Programs, U.S. Public Sector
unclass: shawn@redhat.com
JWICS: sdwell2@nsa.ic.gov
(+1) 443-534-0130

UNCLASSIFIED

Slide 2

30 MINUTES, 3 GOALS

1. Review OpenShift Multi-Tenancy
   • sVirt
   • MCS & Type Enforcement
2. Current compliance tech + initiatives
   • U.S. Army Configuration, SCAP Security Guide (SSG)
   • Host/Tenant Security Boundary Model
3. Future Plans (discussion)
   • OpenShift NIST Baseline
   • OpenShift STIG, hardened cartridges

Slide 3

OpenShift Multi-tenancy

• Think of the gears as boxes, nodes as the truck
• We don’t care what’s inside the box, it’s just cargo

Slide 4

OpenShift Multi-tenancy

RHEL HYPERVISOR (RHEV, OpenStack, KVM…)

Slide 5

OpenShift Multi-tenancy

system_u:system_r:svirt_t:s0:c379,c680
system_u:system_r:svirt_t:s0:c41,c368

RHEL HYPERVISOR (RHEV, OpenStack, KVM…)
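
The two labels on this slide share the same type (svirt_t) and differ only in their MCS category pair. The following is an added example, not part of the original presentation: it parses such contexts and applies a simplified model of the MCS rule (a subject's category set must be a superset of the object's). Type Enforcement is not modelled, and the `example_t` context is constructed for illustration.

```python
"""Added example: MCS category dominance between SELinux contexts (simplified model)."""

def parse_categories(spec):
    """Expand 'c41,c368' or 'c0.c1023' into a set of category numbers."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:                      # 'c0.c3' is an inclusive range
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats

def parse_context(ctx):
    """Split user:role:type:level into fields; level may be 'low-high'."""
    user, role, type_, level = ctx.split(":", 3)
    high = level.split("-")[-1]              # effective (high) level of a range
    sens, _, cat_spec = high.partition(":")
    return {"user": user, "role": role, "type": type_,
            "sensitivity": sens, "categories": parse_categories(cat_spec)}

def dominates(subject_ctx, object_ctx):
    """True if the subject's category set is a superset of the object's."""
    s, o = parse_context(subject_ctx), parse_context(object_ctx)
    return s["categories"] >= o["categories"]

def isolated(ctx_a, ctx_b):
    """Two tenants are MCS-isolated when neither dominates the other."""
    return not dominates(ctx_a, ctx_b) and not dominates(ctx_b, ctx_a)

# The two labels shown on the slide.
TENANT_A = "system_u:system_r:svirt_t:s0:c379,c680"
TENANT_B = "system_u:system_r:svirt_t:s0:c41,c368"
# Constructed for illustration: a range-labelled context holding all categories.
ALL_CATS = "system_u:system_r:example_t:s0-s0:c0.c1023"

if __name__ == "__main__":
    print("A/B isolated:", isolated(TENANT_A, TENANT_B))
    print("all-categories context dominates A:", dominates(ALL_CATS, TENANT_A))
```

A context with no categories (plain `s0`) is dominated by every other context in this model, so `isolated()` reports it as not isolated; an unlabelled resource is a finding worth flagging in a review.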

Slide 6

OpenShift Multi-tenancy

Slide 7

Collaboration with NSA C63 (aka NIAP): where we’ve been… and next stop

Slide 8

Products: Red Hat Enterprise Linux 6 with KVM; IBM z/VM Version 5 Release 3 (for IBM System z Mainframes); Red Hat Enterprise Linux 5.6 with KVM; VMWare vSphere 5.0; VMWare ESXi 4.1; Microsoft Windows Server 2008 Hyper-V Role with HotFix KB950050
Certification Date: 2012-10-08 2012-04-20 2008-08-06 2012-05-18 2010-12-15 2009-07-24
EAL Level: EAP4+ EAP4+ EAP4+ EAP4+ EAP4+ EAP4+
CAPP: YES YES YES NO NO NO
RBAC: YES YES NO NO NO NO
LSPP: YES YES YES NO NO NO

CAPP: Users control data access
RBAC: Users classified into roles (“BackupAdm,” “AuditAdm”…)
LSPP: Compartmentalizes users and applications from each other. Enables MLS.

Source: http://www.commoncriteriaportal.org/

Slide 9

Slide 10

Slide 11

Beta Programs + Customer Advisory Panels FIPS Certs docs.redhat.com Value of Red Hat Atsec

Slide 12

Common Criteria != Compliance Policy

Slide 13

STIG == Compliance Policy

Slide 14

SCAP Security Guide Project (SSG)

Slide 15

SCAP Security Guide

Slide 16

Community

In a Nutshell:
• … has had 7,149 commits from 104 contributors, representing 1,641,075 lines of source
• … has become upstream for all Red Hat DISA FSO (aka, STIG) content, all Red Hat NIST baselines, all Red Hat USGCB content, NSA and CIA RHEL baselines, OpenShift work just beginning
• … As of October 2014, ships natively in RHEL 6.6 and 7.1

Slide 17

Slide 18

Slide 19

Shawn Wells
shawn@redhat.com || sdwell2@nsa.ic.gov
443-534-0130

UNCLASSIFIED