Ansible para DevSecops (2020)

Transcript

1. Webinar series: por Agustin Celano @ar_devsecops Martes 2020.07.14 19hs UTC-3

2. Acerca del Ponente • Baite C& S (baite.com.ar) • 10

   años de experiencia en Ciberseguridad • Últimos 3 años enfocado en Security-as-Code • 5 años de experiencia dictando capacitaciones • Instructor Cisco • Instructor DevOps Institute • Cursos propios • DevOps Institute Ambassador & REP /agustincelano @agustincelano /celagus [email protected] AGUSTIN CELANO CISSP | DSOE | DOL | PCAP | CCNP

3. • Proyecto creado con el objetivo de difundir contenido de

   interés para la comunidad DevSecOps • 100% comunitario y vendorless. No participa, ni financia, ni se recomienda algún vendor en particular. El mantenimiento es en base al esfuerzo de tod@s! • Contenido: • Información general • Noticias • Webinars • Tutoriales • Lecturas • Cursos • Certificaciones disponibles • Tools • Etc… Proyecto DSOC-Hub [email protected] Si crees en la información libre y queres crecer y hacer crecer a otros…

4. Tópicos • Introducción a Ansible • Fortalezas de Ansible •

   Arquitectura • Tower y AWX • Demo

5. ¿Qué es Ansible? Originalmente pensada para Configuration Management Al día

   de hoy se ha convertido en una muy completa plataforma de automatización open source PROVISIONING CONF MGMT ORCHESTRATION COMPLIANCE- AS-CODE TASK AUTOMATION IAM AUTOMATON

6. YAML JINJA

7. None
8. None

9. IaC

10. None
11. None
12. None
13. None

14. Resultados ok → la tarea corrió y no se detectaron

    desvíos changed → la tarea corrió y se detectaron desvíos skipping → la tarea se excluyó debido a condicionales failed → la tarea no se ejecutó debido a errores Unreachable → el host no es alcanzable

15. Roles • Estructura que permite ordenar y portar tareas de

    Ansible con sus respectivos templates y variables para ser importadas en otros entornos. • Se pueden compartir y utilizar roles de terceros a través de Ansible Galaxy https://galaxy.ansible.com
16. None
17. None

18. ¡Demo time!

19. Modo Adhoc Playbook Ejemplo de Instrucciones Simples Adhoc vs Playbook

    cmd$ ansible LINUX -m command -a “cat /etc/os-release” --- - hosts: LINUX tasks: - name: Ejecutar comando command: cat /etc/os-release register: OUT - name: Debug OUT debug: msg={{ OUT.stdout_lines }} cmd$ ansible-playbook command.yml

20. Logging NIST Cybersecurity Framework v1.1 ISO 27002:2013 CIS v7.1 PCI-DSS

    v3.2.1 SWIFT CSP 2020 Protective Technology (PR.PT): PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy Anomalies and Events (DE.AE): DE.AE-2: Detected events are analysed to understand attack targets and methods Logging and monitoring (12.4) 12.4.1: Event logging Control 6. Maintenance, Monitoring and Analysis of Audit Logs Subcontrol(s): 6.2, 6.5 Requirement 10: Track and monitor all access to network resources and cardholder data Applicable Subsection(s): 10.2, 10.6 6.4 Logging and Monitoring Record security events and detect anomalous actions and operations within the local SWIFT environment.

21. Patching NIST Cybersecurity Framework v1.1 ISO 27002:2013 CIS v7.1 PCI-DSS

    v3.2.1 SWIFT CSP 2020 Information Protection Processes and Procedures (PR.IP) PR.IP-12: A vulnerability management plan is developed and implemented RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organisation from internal and external sources (e.g. internal testing, security bulletins, or security researchers) Technical vulnerability management (12.6) 12.6.1: Management of technical vulnerabilities Control 3. Continuous Vulnerability Management Subcontrol(s): 3.4 Control 18. Application Software Security Subcontrol(s): 18.7 Requirement 6: Develop and maintain secure systems and applications Applicable Subsection(s): 6.2 2.2 Security Updates Minimize the occurrence of known technical vulnerabilities within the local SWIFT infrastructure by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk.

22. Vulnerability Management NIST Cybersecurity Framework v1.1 ISO 27002:2013 CIS v7.1

    PCI-DSS v3.2.1 SWIFT CSP 2020 Continuous Monitoring (DE.CM) DE.CM-8: Vulnerability scans are performed ID.RA-1: Asset vulnerabilities are identified and documented RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organisation from internal and external sources Technical vulnerability management 12.6.1: Management of technical vulnerabilities Control 3. Continuous Vulnerability Management Subcontrol(s): 3.1, 3.2 Requirement 11: Regularly test security systems and processes Applicable Subsection(s): 11.2 2.7. Vulnerability Scanning Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process.

23. Hardening & Baseline Management NIST Cybersecurity Framework v1.1 ISO 27002:2013

    CIS v7.1 PCI-DSS v3.2.1 SWIFT CSP 2020 Information Protection Processes and Procedures (PR.IP) PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained Security requirements of information systems (14.1) 14.1.1: Information security requirements analysis and specification Control 5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers Subcontrol(s): 5.1, 5.4, 5.5 Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Applicable Subsection(s): 2.2, 2.5 2.3 System Hardening Reduce the cyber attack surface of SWIFT-related components by performing system hardening.

24. Identity & Access Management NIST Cybersecurity Framework v1.1 ISO 27002:2013

    CIS v7.1 PCI-DSS v3.2.1 SWIFT CSP 2020 Access Control (PR.AC) PR.AC-1: Identities and credentials are managed for authorized devices and users PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties User access management (9.2) 9.2.3: Management of privileged access rights Control 16. Account Monitoring and Control Subcontrol(s): 16.7 Requirement 8: Identify and authenticate access to system components Applicable Subsection(s): 8.1, 8.5 1.2 Operating System Privileged Account Control Restrict and control the allocation and usage of administrator-level operating system accounts.
25. None