Puppet
A Modern Approach to Systems Management and Compliance

October 2010




Wednesday, December 15, 2010
The Compliance Problem

The Olde Days

The Security Analyst

Not Aligned with Business Needs

Tools and Custom Scripts

The Auditor

Networks Grow

The Compliance Paradox

Puppet: A New Approach
 ★ A model-driven framework for centrally managing IT systems.
 ★ Enforces consistent, known-secure configurations on target systems.
 ★ Enables cross-functional collaboration within IT.
 ★ Enables reuse of service configurations across departments and organizations.
Puppet: a framework for configuration management

Declarative Configuration Language

A Language for Collaboration: DevOps

[Diagram. Left, "Today: 99% of IT silo'd": separate teams (Team OS, Team App, Team Config, Team Sec) each own one layer (OS, App, Config, Security). Right, "Managed With Puppet": one shared configuration serves the SOX, LAMP and Rails stacks across the OS, App and Config layers, with Puppet = dev/ops/sec.]

Operating System Support

Cross Platform Architecture

Advantages?
 ★ Puppet-enforced policies can be applied over and over again (they are idempotent).
 ★ Policies are expressed as the desired state, not as the steps to get there.
 ★ Puppet-enforced policies can be context sensitive.
 ★ Puppet provides a log history over the lifecycle of a system.
 ★ Operates at cloud scale.
With Puppet, auditing and remediation become a single automated configuration task.
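
As an added example, not code from the original deck or from Puppet Labs, here is a small hardening profile written the way the slides above describe it: the desired state is declared once, platform differences are taken from facts (the "context sensitive" point), and the same manifest either reports drift or repairs it. It assumes Puppet 4 or later syntax, an OpenSSH build whose sshd_config includes /etc/ssh/sshd_config.d/*.conf, and a Debian- or RedHat-family host; the class name, the drop-in file name and the control values are illustrative choices, not a named benchmark.

```puppet
# Added example, not code from the original deck or from Puppet Labs.
# Assumptions: Puppet 4 or later syntax; an OpenSSH whose sshd_config
# contains "Include /etc/ssh/sshd_config.d/*.conf"; a Debian- or RedHat-
# family host. The control values are illustrative, not a named benchmark.
class compliance::ssh_baseline (
  # false = enforce (remediate drift); true = report drift only, which is
  # the same run used as a scan: nothing on the host is changed.
  Boolean $audit_only = false,
) {

  # Context sensitivity: one policy, platform-specific values taken from
  # facts rather than one copy of the policy per operating system.
  $os_family = $facts['os']['family']

  $sshd_service = $os_family ? {
    'Debian' => 'ssh',
    default  => 'sshd',
  }

  # /etc/shadow is root:shadow 0640 on Debian but root:root 0000 on RedHat.
  $shadow_group = $os_family ? {
    'Debian' => 'shadow',
    default  => 'root',
  }
  $shadow_mode = $os_family ? {
    'Debian' => '0640',
    default  => '0000',
  }

  package { 'openssh-server':
    ensure => installed,
    noop   => $audit_only,
  }

  # Desired state of the daemon configuration, written as a drop-in so the
  # distribution's own sshd_config is left alone. validate_cmd makes Puppet
  # test the new content with sshd before it replaces the file, so a bad
  # fragment cannot lock administrators out.
  file { '/etc/ssh/sshd_config.d/50-baseline.conf':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0600',
    content      => @(SSHD),
      # Managed by Puppet (compliance::ssh_baseline)
      PermitRootLogin no
      PasswordAuthentication no
      PermitEmptyPasswords no
      X11Forwarding no
      MaxAuthTries 4
      | SSHD
    validate_cmd => '/usr/sbin/sshd -t -f %',
    noop         => $audit_only,
    require      => Package['openssh-server'],
  }

  # Restart only when the managed fragment actually changed.
  service { $sshd_service:
    ensure    => running,
    enable    => true,
    noop      => $audit_only,
    subscribe => File['/etc/ssh/sshd_config.d/50-baseline.conf'],
  }

  # Ownership and mode of the password hash store, repaired if drifted.
  file { '/etc/shadow':
    ensure => file,
    owner  => 'root',
    group  => $shadow_group,
    mode   => $shadow_mode,
    noop   => $audit_only,
  }
}

# Enforce. Declare with audit_only => true to audit without changing anything.
class { 'compliance::ssh_baseline':
  audit_only => false,
}
```

Run `puppet apply --noop ssh_baseline.pp` to audit: each out-of-sync resource is logged as `current_value ..., should be ... (noop)` and nothing is changed. Run it again without `--noop` to remediate; with `--detailed-exitcodes` the enforcing run exits 2 when resources were changed and 4 when any failed. Every run produces a report with one event per resource, which is the per-system log history the slides refer to.
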
Demo
Puppet and SCAP
 ★ Current SCAP tools (as of this talk, October 2010) are auditing only.
 ★ Remediation tools are Windows only.
 ★ Puppet provides auditing and remediation in a single step.
 ★ Puppet is being used for configuration and security management across government agencies.
 ★ Puppet currently supports AIX, HP-UX, Linux and Mac OS X.
 ★ Broadly adopted outside of government.
Puppet and OVAL/ORVL
 ★ Puppet provides a high-level auditing and configuration management language.
 ★ Each managed element is represented as an abstract resource.
 ★ Puppet is well suited to, and widely deployed for, configuration management; security compliance is a subset of overall configuration management.
 ★ The Puppet language is machine parseable, and the compiled catalog of resources cleanly represents the desired state of each resource on a system.
 ★ Each resource is audited for state, and the result of that audit is logged as an event.
 ★ Puppet-managed resources can be generated from external data sources.
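
As an added example (not from the deck or from Puppet Labs) of the last two bullets, the class below generates its compliance resources from data instead of hand-writing one resource per control, and tags every generated resource with its control identifier so that the audit event logged for that resource can be traced back to the benchmark item. It assumes Puppet 5.5 or later; the control ids, paths, values and class name are illustrative stand-ins, and the default hashes stand in for the Hiera data that automatic class parameter lookup would normally supply.

```puppet
# Added example, not code from the original deck or from Puppet Labs.
# Assumes Puppet 5.5 or later (each, map, join and keys are built in).
# Control ids, paths and values are illustrative stand-ins for a real
# benchmark. Because they are class parameters, Hiera can supply the real
# data through automatic parameter lookup (for example the key
# compliance::generated::file_controls); that is the external data source.
class compliance::generated (
  Hash[String, Struct[{ path => String, owner => String, group => String, mode => String }]] $file_controls = {
    'CTRL-FILE-001' => { path => '/etc/passwd',  owner => 'root', group => 'root', mode => '0644' },
    'CTRL-FILE-002' => { path => '/etc/gshadow', owner => 'root', group => 'root', mode => '0000' },
    'CTRL-FILE-003' => { path => '/etc/crontab', owner => 'root', group => 'root', mode => '0600' },
  },
  Hash[String, Struct[{ key => String, value => String }]] $sysctl_controls = {
    'CTRL-KERN-001' => { key => 'net.ipv4.ip_forward',      value => '0' },
    'CTRL-KERN-002' => { key => 'kernel.randomize_va_space', value => '2' },
  },
  Array[String] $banned_packages = ['telnet-server', 'rsh-server'],
) {

  # One managed resource per file control, tagged with the control id. The
  # per-resource events in the run report carry the tags, so drift on
  # /etc/gshadow is reportable as CTRL-FILE-002 rather than as a bare path.
  $file_controls.each |String $id, Hash $c| {
    file { $c['path']:
      ensure => file,
      owner  => $c['owner'],
      group  => $c['group'],
      mode   => $c['mode'],
      tag    => $id,
    }
  }

  # Kernel parameters: persisted in a drop-in (one comment line per control
  # id, since sysctl.conf does not allow trailing comments) and applied live.
  $sysctl_lines = $sysctl_controls.map |String $id, Hash $c| {
    "# ${id}\n${c['key']} = ${c['value']}"
  }
  $sysctl_body = $sysctl_lines.join("\n")

  file { '/etc/sysctl.d/60-compliance.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "# Managed by Puppet (compliance::generated)\n${sysctl_body}\n",
    tag     => $sysctl_controls.keys,
  }

  # Puppet has no core sysctl type, so the live value is checked by the
  # exec's own "unless": the command runs only when the value has drifted,
  # which keeps the resource idempotent and gives a clean audit in noop mode.
  $sysctl_controls.each |String $id, Hash $c| {
    exec { "sysctl-${id}":
      command  => "sysctl -w ${c['key']}=${c['value']}",
      unless   => "test \"\$(sysctl -n ${c['key']})\" = \"${c['value']}\"",
      path     => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
      provider => shell,
      tag      => $id,
      require  => File['/etc/sysctl.d/60-compliance.conf'],
    }
  }

  # Packages a benchmark forbids outright: absent is the desired state.
  package { $banned_packages:
    ensure => absent,
    tag    => 'CTRL-PKG-001',
  }
}

class { 'compliance::generated': }
```

`puppet apply --noop --tags CTRL-FILE-002 generated.pp` audits a single control in isolation, because `--tags` restricts the run to resources carrying that tag. One caveat worth checking before feeding a real benchmark in: `ensure => file` creates an empty file where the path is missing, so the file control data should list only paths the benchmark requires to exist.
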
Who is using this approach?
 ★ Los Alamos National Laboratory
 ★ SPAWAR (STIG compliance)
 ★ Lockheed Martin
 ★ Northrop Grumman
 ★ SecState (an SCAP audit and remediation tool)
What is next?

Puppet as a constraint language.

Post Catalog Processing

Device Management

Zero Day Automated Fixes

Supported Compliance Modules in the Puppet Forge

Links
 ★ https://fedorahosted.org/secstate/
 ★ http://scap.nist.gov/specifications/xccdf/
 ★ https://svn.forge.mil/svn/repos/slim/slim/docs/
 ★ https://svn.forge.mil/svn/repos/slim/slim/base/dev/rhel5/rpm/trunk/channels/x86_64/puppet/
 ★ http://oval.mitre.org/adoption/supporters.html
 ★ http://www.puppetlabs.com/blog/los-alamos-national-laborator-publishes-puppet-white-paper-for-mac-os-x-configuration-management
 ★ http://github.com/jamtur01/puppet-hardening
 ★ http://docs.puppetlabs.com/guides/introduction.html
Questions?
Puppet Labs is hiring!
jobs@puppetlabs.com

twitter: @brainfinger
email: teyo@puppetlabs.com

Puppet for Security Compliance - GOSCON 2010

  • 1. Puppet A Modern Approach to Systems Management and Compliance October 2010 Wednesday, December 15, 2010
  • 3. The Olde Days Wednesday, December 15, 2010
  • 5. Not Aligned with Business Needs Wednesday, December 15, 2010
  • 6. Tools and Custom Scripts Wednesday, December 15, 2010
  • 11. Puppet: A New Approach Wednesday, December 15, 2010
  • 12. Puppet: A New Approach ★ Is a model driven framework to centrally manage IT systems. Wednesday, December 15, 2010
  • 13. Puppet: A New Approach ★ Is a model driven framework to centrally manage IT systems. ★ Enforces consistent, known secure, configurations of target systems. Wednesday, December 15, 2010
  • 14. Puppet: A New Approach ★ Is a model driven framework to centrally manage IT systems. ★ Enforces consistent, known secure, configurations of target systems. ★ Enables cross-functional collaboration within IT. Wednesday, December 15, 2010
  • 15. Puppet: A New Approach ★ Is a model driven framework to centrally manage IT systems. ★ Enforces consistent, known secure, configurations of target systems. ★ Enables cross-functional collaboration within IT. ★ Enables reuse of service configurations across departments and organizations. Wednesday, December 15, 2010
  • 16. Puppet: a framework for configuration management Wednesday, December 15, 2010
  • 18. A Language for Collaboration: DevOps Today: 99% of IT Silo’d Managed With Puppet Team OS Team App Team Config Team Sec SOX LAMP RAILS Puppet = dev/ops/sec Config OS App Config Security OS App Config Wednesday, December 15, 2010
  • 22. Advantages? ★ Puppet enforced policies can be applied over and over again. Wednesday, December 15, 2010
  • 23. Advantages? ★ Puppet enforced policies can be applied over and over again. ★ Policies can be expressed as the desired state (not how to get there). Wednesday, December 15, 2010
  • 24. Advantages? ★ Puppet enforced policies can be applied over and over again. ★ Policies can be expressed as the desired state (not how to get there). ★ Puppet’s enforced policies can be context sensitive. Wednesday, December 15, 2010
  • 25. Advantages? ★ Puppet enforced policies can be applied over and over again. ★ Policies can be expressed as the desired state (not how to get there). ★ Puppet’s enforced policies can be context sensitive. ★ Puppet provides a log history over the lifecycle of a system. Wednesday, December 15, 2010
  • 26. Advantages? ★ Puppet enforced policies can be applied over and over again. ★ Policies can be expressed as the desired state (not how to get there). ★ Puppet’s enforced policies can be context sensitive. ★ Puppet provides a log history over the lifecycle of a system. ★ Operates at cloud scale. Wednesday, December 15, 2010
  • 27. With Puppet, auditing and remediation is a single automated configuration task. Wednesday, December 15, 2010
  • 29. Puppet and SCAP Wednesday, December 15, 2010
  • 30. Puppet and SCAP ★ Current SCAP tools are auditing only. Wednesday, December 15, 2010
  • 31. Puppet and SCAP ★ Current SCAP tools are auditing only. ★ Remediation tools are Windows only. Wednesday, December 15, 2010
  • 32. Puppet and SCAP ★ Current SCAP tools are auditing only. ★ Remediation tools are Windows only. ★ Puppet provides auditing and remediation in a single step. Wednesday, December 15, 2010
  • 33. Puppet and SCAP ★ Current SCAP tools are auditing only. ★ Remediation tools are Windows only. ★ Puppet provides auditing and remediation in a single step. ★ Puppet is being used for configuration and security management across government agencies. Wednesday, December 15, 2010
  • 34. Puppet and SCAP ★ Current SCAP tools are auditing only. ★ Remediation tools are Windows only. ★ Puppet provides auditing and remediation in a single step. ★ Puppet is being used for configuration and security management across government agencies. ★ Puppet currently support AIX, HP-UX, LINUX, Mac OS X. Wednesday, December 15, 2010
  • 35. Puppet and SCAP ★ Current SCAP tools are auditing only. ★ Remediation tools are Windows only. ★ Puppet provides auditing and remediation in a single step. ★ Puppet is being used for configuration and security management across government agencies. ★ Puppet currently support AIX, HP-UX, LINUX, Mac OS X. ★ Broadly adopted outside of GOV. Wednesday, December 15, 2010
  • 36–43. Puppet and OVAL/ORVL
    ★ Puppet provides a high level auditing and configuration management language.
    ★ Each managed element is represented as an abstract resource.
    ★ Puppet is well suited and widely deployed for configuration management; security compliance is a subset of overall configuration management.
    ★ Puppet Language is machine parse-able and the compiled catalog of resources cleanly represents the desired state of each resource on a system.
    ★ Each resource is audited for state and the result of that audit is logged as an event.
    ★ High level Puppet language is machine readable.
    ★ Puppet managed resources can be generated from external datasources.
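  As an added illustration of the slides above (not code from the talk), a small hardening policy in Puppet's declarative language: each resource states desired state rather than steps, the service name is chosen from facts (context sensitivity), and the `audit` metaparameter records the observed state of a resource as an event without remediating it. It assumes Puppet 2.6-era syntax (`$::operatingsystem`, `audit`) and constructed sshd_config content.

```puppet
# Added example, not from the original talk.
class ssh_hardening {
  # Context sensitivity: derive the service name from a fact rather than
  # hard-coding it per platform.
  case $::operatingsystem {
    'RedHat', 'CentOS': { $sshd_service = 'sshd' }
    'Debian', 'Ubuntu': { $sshd_service = 'ssh' }
    default: { fail("ssh_hardening: unsupported OS ${::operatingsystem}") }
  }

  # Desired state of the daemon configuration (content is a constructed,
  # deliberately minimal file). Owner/mode are enforced on every run, so a
  # drifted file is reported as a change event and corrected in one pass.
  file { '/etc/ssh/sshd_config':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => "Protocol 2\nPermitRootLogin no\nPasswordAuthentication no\n",
    notify  => Service[$sshd_service],
  }

  # Desired state of the service: running now and enabled at boot.
  service { $sshd_service:
    ensure => running,
    enable => true,
  }

  # Audit-only resource: Puppet logs an event whenever owner, group or mode
  # of /etc/shadow differ from the last recorded state, but does not change
  # them. This is the "audit for state, log as event" behaviour.
  file { '/etc/shadow':
    audit => [ 'owner', 'group', 'mode' ],
  }
}

include ssh_hardening
```

  Running `puppet apply --noop ssh_hardening.pp` reports every resource that is out of compliance without touching the system; dropping `--noop` performs the remediation in the same run and the same report.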
  • 44–49. Who is using this approach?
    ★ Los Alamos National Laboratories
    ★ SPAWAR (STIG compliance)
    ★ Lockheed Martin
    ★ Northrop Grumman
    ★ SecState (An SCAP audit and remediation tool.)
  • 50. What is next?
  • 51. Puppet as a constraint language.
  • 54. Zero Day Automated Fixes
  • 55. Supported Compliance Modules in the Puppet Forge
  • 56. Links
    ★ https://fedorahosted.org/secstate/
    ★ http://scap.nist.gov/specifications/xccdf/
    ★ https://svn.forge.mil/svn/repos/slim/slim/docs/
    ★ https://svn.forge.mil/svn/repos/slim/slim/base/dev/rhel5/rpm/trunk/channels/x86_64/puppet/
    ★ http://oval.mitre.org/adoption/supporters.html
    ★ http://www.puppetlabs.com/blog/los-alamos-national-laborator-publishes-puppet-white-paper-for-mac-os-x-configuration-management
    ★ http://github.com/jamtur01/puppet-hardening
    ★ http://docs.puppetlabs.com/guides/introduction.html
  • 58. Puppet Labs is hiring! jobs@puppetlabs.com
    twitter: @brainfinger
    email: teyo@puppetlabs.com