STIG Automation W/ Chef and Inspec
Speech transcript
So my name is John. I'm a former 3C0 in the Air Force; for those of you who are prior military, you might know what that means. After I got out of the military I worked for a bunch of defense contractors, and that was really fun, and then I became a consultant with Shadow-Soft. We're a Chef partner, we're a systems integrator, and what I do for them, in addition to the 80 thousand other hats I have to wear, is I'm on the Chef technical side. What that means is that I take business problems and figure out how to solve that problem with something based in Chef. That doesn't always mean I'm gonna write cookbooks; sometimes it means I'm going to do things that are against best practice, because let's face it, we're trying to solve an organizational problem, and there is more than just what's best practice that you have to consider. So what that means is I move fast and break things so that my clients don't have to, right? I wanna try out all the new stuff and test things and find something that works, even if it's not necessarily the official way to do something.
So who here is a security person? Like 4 of us. And I'm not a security person, but this is the dilemma that we face when trying to implement security. If anyone was in Adam's talk earlier, you saw the IA team being the dam preventing all of the water from getting through into production, right? And this is the dilemma that we face in the security and compliance world: people just don't really like IA, right? They go, oh, security people, they're just here to make things difficult, they don't care about our enablement, we can't get along with them because they're archaic and they don't understand this new thing anyway. And really the funny part is, people just go, well, it's not really that viable, so it's not really that big of a deal.
So this is the map of the WannaCry outbreak at one hour: the affected systems that showed up, just the ones that we knew about, after an hour, right? So everybody remembers this thing, right? Several hundred thousand systems were infected in 150 countries with a really old Windows vulnerability. I guess it has lots of really old Windows systems laying around, the federal government does, right? One of the other things that has old Windows systems are health care companies, and schools, and these kinds of organizations. So when this attack hit the NHS in Britain, it shut down parts of the NHS: "No, I'm sorry, we're going to have to move your surgery to a later date, I can't get access to your patient records, so sorry, we have to delay this appointment", right? So this is the map 24 hours later. It spread like everybody was vulnerable and hadn't patched, because Microsoft released a patch months ago, but we don't scan for these things.
So what we have here is a situation where the Internet and computer systems in general have become militarized. The Air Force already classifies computer networks to the same level as it does its nuclear weapons systems and the weapons systems in the aircraft, and so we have to take this seriously. We have to say, OK, well, this is a weapons system and exploits are the missiles that we're gonna use here. We have to come up with a better way than just being the dam that prevents things from getting into production, right?
And so the challenge here is that things go fast. Systems change, your configurations drift, and your boss comes to you and says, look, here's this new feature, I need it yesterday. And in the DevOps space we tend to do this thing where we take a brand new technology and we go, yes, let's use that new cool thing I found on GitHub that was posted there by "Russian475", it's like, yeah, let's do that. And so we take this idea of acceptable risk and we go, OK, push this as far to the extreme as we can go, because we want this velocity, we wanna go fast, right? And so when you talk about security and compliance, and we talk about going fast, sometimes it just seems like they're at odds with each other and there's nothing we can really do about that. And so we have to beg the question, like, are we always going to be the dam that prevents people from getting things to prod? And so we have this concept of security as code, right? We had infrastructure as code, and it allowed us to produce infrastructure at an extremely fast pace, right? It was repeatable and it was the same every single time, so we can blow things away and bring new stuff up. So security as code: we apply the same principles to the security world, and so what we find is that there has to be a better way; we can't just continue to be that dam that prevents things from getting into production.
So this is where we use the Chef compliance framework. For all of you at ChefConf, you've heard about the compliance server and InSpec; we had keynotes on it, there were great sessions on it earlier on. The compliance framework is basically 2 pieces, right? You have InSpec, which is the language in which we describe security, and then you have the compliance server itself, or Chef Automate now that a lot of these features are in Automate. It provides you with a central location for profile storage, for running scans, for looking at reports and getting a real good view of your infrastructure and what your security posture is within your infrastructure. So that's great. We know we have a problem, we know the viruses are out there, we know the foreign agencies are trying to attack us, we know we wanna use the Chef compliance framework because Chef's awesome and we wanna be awesome too. So we need some guidance, right? Like, how do we actually do this?

And so in the government world we get these fun things called STIGs, right? And the STIGs are all these documents that describe for you what a computer system is supposed to look like in the federal space. But not only that: things like systems architecture, like how your system is actually configured, is only part of it. So the STIGs themselves cover a vast variety of things. You have the various Linux distributions, they get covered by the STIGs; you have simple things like Firefox and Chrome, which also have STIGs; we have controls that say "you will have a patching procedure", and that's the control, like they don't tell you how or what you're actually supposed to do, there's nothing there. The STIGs' common complication is all these different classification levels and security levels, and, you know, are we gonna do classified? Are we worried about just CAT 3? Are we using CAT 1s? Like, do we really care about that? You know, we have viability discussions, and we have wild ideas, and we have "no, hey, you should actually do this to a system", and we have things that say "hey, I suggest that you document your users". OK, that's not really helpful, is it?
So what we have learned is that when you have a big huge process like this, like "I'd like to secure my entire environment and implement the STIG", what you find is that you can break things down into smaller pieces, and if you break things down into smaller pieces, what you end up with is a framework for your developers, your IA team, your management to work with, to ensure that you're able to secure your systems at velocity. And so these are the 6 things that we're gonna break this huge problem down into, OK: we're gonna ingest new data; we're gonna triage that data within our organization; we're gonna write a specification for that data, the model, right; code, and this doesn't have to just be remediation code, this can be the actual application code, the actual installation of whatever it is, right, with Chef, we're gonna develop that code; we're gonna test that code everywhere, not just "does Chef do what I think it should do" but "does Chef do what I think it should do in the context of my security profile"; and finally, as an IA team, we have to be able to certify that what we did is true, right? When the auditors come in, or your client comes in and says "prove it to me", you have to be able to prove that kind of thing.
So what do we mean when we say ingest? What we mean is: where do you get data from? Where do STIGs come from? What was the result of my last security profile, right? What are the new CVEs that have come out? What are the new technical limitations that I know about from the last time I did this process, right? So fortunately, if you guys have been out to the site, we can go out and grab the STIGs; we can grab SCAP data, and if you're familiar with that, you can read that data as well. Data is released quarterly-ish.
So we've gathered this data, we have collected it from our various monitoring systems and whatnot. Now we triage it. And when we triage stuff, we don't mean go through the STIGs and decide which ones we care about the most. What we actually mean is that you have to go through every single control and you have to figure out: does this even apply to me? And not only does it apply to you, but how does it apply to you, right? So what happens is you have to involve your stakeholders. It's not good enough for you to just be the IA team and show up and say "you will secure"; that's not good enough, because what happens when you say "oh, the installation directory for product Y must have the following permissions", and your organization goes "well, that's great, we don't install product Y there, we installed it some other place", right? So what happens there is that if you don't involve your Oracle database team, your WebLogic team, your operating system deployment team, if you don't involve those teams, then you're never going to be able to adhere to the spirit of the rule, and even though you would technically pass, right, you're still actually vulnerable, you're still failing here. So this triage process is super, super important.

The next thing we have to do is write specifications. So for our purposes, a specification is the result of ingesting data from all the different sources that we have to ingest data from, and triaging that data within our organization with all the stakeholders, to make sure that we don't paint ourselves architecturally into a corner. Especially in legacy groups, where you have databases that have been deployed for an extremely long time, someone comes along and says "oh, we're going to STIG the systems now", and your engineers go "no, there's no way we can do that, because we literally designed a system that won't allow that", right? You don't wanna paint people into corners; you have to triage it in your organization and then you have to write a specification for it.
So what we're gonna use for specifications is a Chef compliance profile, and that compliance profile is gonna describe for us exactly what we mean by security within our organization. So Chef did a really good job of providing for us some baseline profiles to look at, some examples of controls, but what you'll notice is none of this says DISA or STIG or federal or anything government-like, and so, since we don't have any of that really laid out for us, all we have is reference material, really. So where do we start here?
So one of the cool things about InSpec, the version of InSpec that comes with compliance especially, is that it has this plugin called scap. The inspec scap plugin allows you to read that data and convert it into an InSpec control. This is really cool. You basically download your SCAP data, you stick it in a directory, and you run `inspec scap convert` and you give it a path to where your SCAP data is. Now here, remember that "too complicated" thing? This is the kind of thing you have to figure out during your triage process: to what level are we supposed to classify the system, right? That's what that process is for. So we're gonna tell it we want the mission-critical classified profile here, and this is what you get, which is kind of a mess, really. So the inspec scap command does a really admirable job of giving you a pretty good conversion, about 75 to 85%. There are certain things that SCAP just can't do, can't describe in its language, so we can't convert that. But the other problem is we get all these XML artifacts, and we get an impact of 10, which doesn't exist in InSpec, and we also get these really crazy regular expressions that can give you lots of false positives. So this is great, but really and truly it is not helpful to us, because if I ran this it would work, but the report that I would get back would be garbage, and I couldn't show an auditor this report, right? So we have to write well-written controls.
So what we need here, when we talk about writing a well-written control, what we're talking about is 4 main things. It has to be clear: I should look at the control and know exactly what I'm writing and why I'm even writing this code. It should be informative: it should have the appropriate amount of metadata so that I can go look at it and I can index it in my system; we should also provide information that is program-specific, so if you install it into a different directory then we have to know that, right, so our controls need to be informative. Our controls need to be portable: just because it works in environment A, on one network, when we pick it up and move it to environment B on another network, now it doesn't work anymore, so that's not helpful. We need to make sure that the controls that we write are able to be used in all the different environments that we have, so it prevents us from having to rewrite code over and over again. The other thing is it has to provide traceability, and traceability is a common, interesting thing. So a lot of times you will be in a situation where your client is going to ask you to prove why you did something, so traceability is this idea that you have to be able to trace your code back to a requirement or a source document. So I have to be able to trace this control back to either the STIG it came from or to a requirement that the customer may have given me, right?
So really quickly, naming conventions. There's always an argument about should we combine controls, should we not combine controls, how we name things. It is my opinion that when you create a profile, your profile should be the name of the STIG that you're remediating for. So if you are remediating for the RHEL 6 STIG, you name your profile "RHEL 6 STIG"; there's no point making it complicated. When you name your controls, name your controls by STIG ID. Yes, this means that you're going to write some code, because this means that for SSH, for instance, which has 8 different controls, you're gonna have 8 different controls for SSH, right? The reason you do this is because the amount of metadata that we're going to include in the control would dictate that you would have to split out your controls individually anyway. And if you write all of your controls in something called "SSH", then the auditor can't look at that and know what it means; you have no idea what that means. So now you have to maintain an additional document that shows the mappings between STIGs and the special naming convention you've come up with. So for the sake of ease, and so that lots of people can do this, this is how I name things. So the first thing you get is a profile.
This is an inspec.yml. And if you're not going in and updating your inspec.yml, you're doing it wrong, and this is because, again, we have to provide traceability; we keep track of version numbers for things. So the top stuff is pretty standard. This description field literally came off the front page of the STIG document itself, down to the version and release information from that document. So by reading this I have contact information for this, I have the exact version of the document that I looked at to generate the stuff, and we have our own version, and this is important because when you update controls you update your profile, and if somebody goes and runs the scanners and scans with the old version of the profile, they might not catch things. So it's important to keep that updated, just like your metadata.rb in your Chef recipes.
So all controls start with the title. Fortunately, all STIGs also have a title, so we can literally rip and replace: we grab the title straight out of the rule and we put it into our control. So the top title is your long description, OK. These sections matter for how the report looks in compliance. The top section, your long title, is the STIG ID followed by the title; I title my control by STIG ID. You remember there's a short title inside InSpec as well, and you'll see that I just take the same information and copy it down.

The next piece is an impact. So impact is great; we had a 10 impact on our converted SCAP thing, which doesn't mean very much to us. So impact actually has zero to do with impact and everything to do with a criticality level within Chef compliance, the way that Chef compliance reports on whether something is a major problem, a minor problem, or an "oh my god, shut everything down in Texas right now" problem. So it's a float number. We have these real weird mappings, and for us what we're gonna do is we're going to ignore all this stuff and use these: severity comes in category 1, 2 and 3. It's really, really easy: 0 to 0.4 is CAT 3, 0.4 to 0.7 is CAT 2, 0.7 to 1 is CAT 1. But that's even kind of complicated in and of itself, so we can make it easier for you: use 3 numbers, 0, 0.5 and 1. There is no reason to use any other numbers but those, because there's only 3 levels of criticality within compliance. So we have a good impact analysis: this is a category 3 issue, and so we can mark our impact as 0 here.
The next piece of our control is a description. Description is very important because it provides people with a very succinct way to see what we're doing and why we're doing this. If I need to know more, I'll be able to go look at the STIG document, right, so we include a description. Fortunately STIGs also include descriptions, so we can again literally rip and replace from the STIG and provide this information to our auditors, to our developers, to the rest of the teams, to look at this and say "why are we doing this?", right? So that's the description.

The next piece of our control: tags. Tags are super important because they allow you to be very specific in your control and to add sections that don't exist. So we're used to saying control, impact, title, description; these official things exist within compliance. With tags you can make up things; you can say "tag Muppet", "tag Elmo", both, and you don't have to restrict yourself to just what compliance offers you there. Tags can be done in either a key/value or a key-only form, so you can say "tag prod"; you can also say "tag remediation: where your remediation is". These are important also because they get indexed in the Chef compliance server, so when you run your reports you'll see this tag information and you can search for things by tag, and you can say "show me all controls that have SSH and are just the prod controls", or "only controls that have category 3 issues", right? So we tag things. We're gonna do a certain set of tags, and again they come straight out of the STIG; we map these things and we tag the vulnerability, the rule ID, the severity, the STIG ID and the remediation. Remediation is incredibly important because this tells me, as an auditor or as an IA person or somebody who just noticed that this turned red, where this is remediated: where in my system am I gonna go to remediate this, right? So this is my mapping here, where I say "oh look, this issue is fixed in the RHEL 6 cookbook, in that recipe right there, there's where the fix is"; go find that and look at it.
So the next thing: references. References are special pieces of metadata; they refer to external documents. So with a reference you're putting a URL here, and this URL can be something like the actual location of the STIG document; it can be the location of your own internal security document if you want it to be. But what's cool about these references is, again, in Chef compliance they actually show up as clickable hyperlinks, so you can go click on it and go find the document. So that's really, really helpful when you're running around going "oh look, I should have a patch policy, where's my patch policy?", click, and we can go find it.

So there's 2 other tags that we're going to put in here. In addition to those tags, we put 2 other tags in here, because there are 2 other sections in any STIG control: the check content section and the fix text section. They do exactly what you think they do: one tells you what you're supposed to check for, one tells you how you're supposed to fix it. So we add these into our controls, and the reason that we're gonna add these is because this is what tells your developer, or whoever's going to write your remediation code, what they're supposed to look for and how they're supposed to fix it. These sections will change when you triage in your organization, because suddenly the way you fix something becomes different and where you look for something becomes different, and this data is what your development team is going to use to write the remediation for these things, so it needs to be accurate. So I hope that helped a lot, right?
We wanna have titles that are very clear and descriptive, very straightforward. We wanna be able to map our impacts to a certain set of codes, right. We wanna have very clear descriptions and clear metadata so that it enables our development team to actually write the remediation for these things, and it enables traceability. Let's write some checks now. When we write checks we have this idea of portability. Portability, for us, what we care about is: how can my profile go to different places? And so this isn't necessarily about STIGs, but it's really cool and I wanna talk about it anyway.

So you can ingest data from other sources outside of InSpec. In this example I'm reading a flat file that has a list of mount points and feeding that to a control in InSpec, and what this enables me to do is it lets me keep lists of things outside of InSpec. You can put it in Redis or Consul or wherever your configuration management database is, if you want to, right, because InSpec is based in Ruby; it really frees you up to do a lot of really cool things. So we can read things like YAML and JSON as well. So given the following JSON structure, which has some packages and their version numbers, I can parse that and go through and figure out not only is something installed, but what its version is, right? So these are the helpful things that, when you're writing your controls, you can think about, because sometimes new things come out, new CVEs, new problems come out, that aren't necessarily STIG related but that, as security teams, we still care about, right?

So, you know, there are STIG controls that are technical controls, which actually do something, and there are non-technical controls; these are suggestions, these are "they should document this", these are "I think you might wanna do this", and they're open to a lot of interpretation. You can actually still write controls for your non-technical controls so that you can still report on them. You're not required to write a check when you write a control; yes, InSpec will scream at you and go "hey, there are no checks here", but it's still valid. And the reason that you're gonna do this is that in these sections you include all the applicable metadata, so for the control that tells you you have to have a document describing your patch methodology, you can have a control with all of that metadata there so that you can go find it. When your report runs and your auditor goes "hey, where's your documentation?", it's right there, Mr. Auditor. This is important because your profile needs to be a single source of truth document for security within your organization. I should not have to go look at 40 documents in a binder to be able to prove that I'm securing things properly; I should look in one place, one report, look at one dashboard to show me my security posture.
So we have written this incredible specification, and now we need to write some code. So who has had situations where you can't manage the whole file and you have to do an individual line and check it? My Air Force people, it's annoying, isn't it? Super annoying.
So when you implement STIGs, right, there's 2 ways to do this kind of thing. The first way is that the DevOps or environment owners are the ones who are going to do the remediation, right, your developers. The other way is that the IA team is gonna write a remediation cookbook. Both are right. I think everybody can agree that we expect the security teams to write these specifications, but it's give and take as to who's gonna do the remediation. There's nothing wrong, when you're just starting your DevOps journey, with having your dev teams be handed a specification and having them write the security as they write the installation cookbook. In really large organizations that is super hard to do; it almost always is the IA team that's going to end up being responsible for writing the remediation for this stuff. So when we write remediation, right, Chef cookbooks, traceability is still important, we still care about that. And so while we're gonna write an individual control per STIG in InSpec, we combine those in Chef: we combine all the SNB things into one Chef recipe, we combine all the SSH things into one recipe, and we provide traceability by making sure that we document all the rule IDs and rule titles in the comments of the Chef recipes.
So back to the "it's totally horrible to have to manage the whole file" thing. Well, you don't have to, and sometimes you can't. Sometimes you're an enterprise organization and your job is to stamp out a box and provide that box to someone else, and they're going to continue to use your security profiles to make sure that the security baseline is maintained, but they may have to make changes to the sudoers file or to some other files, and you can't know what the settings are going to be, and so there's no way you're just gonna be able to manage the whole file, right? It's hard, it's complex, and we really don't need to do so. So Chef has a cool thing called Chef::Util::FileEdit, and that has a bunch of really cool methods that let you go in and hand-edit, so to speak, a file. So we'll look at a couple of these. The first one is search_file_replace; it has a bunch of methods, but we'll look at search_file_replace. So when you use the file edit utilities you have to remember that it's a Ruby block, and so because it's a Ruby block you have to write your own idempotency stuff. But basically what we do here is we're going to open a file, we're going to search in this file for a regular expression, and we're gonna replace what we find there. All we're asking is: if there are no unwritten changes, right, then we're good, but if there are unwritten changes, that means we have made a change or inserted something in this file, right, so then I write my file out. And here again you have to make sure that you have a little bit of dirty idempotency so that you don't get these changes all the time, right, because you don't want things to repeatedly insert things into files. So here is the same thing: we're going to find a match and we're gonna insert something after this match, right, and here we're using the bang operator as opposed to the other routine; it doesn't matter which one you use, so long as you use one; please don't use both. Here's another block. This is fun because we're actually reading a Chef attribute that has some key/value pairs in it, and we're looking for each of those key/value pairs to replace within the file to make sure that they're set correctly. So the folks over at Chef have taken a lot of these and turned them into a cookbook, the line cookbook, that takes a lot of, not all, but a pretty good set of these methods and turns them into Chef resources. So if you wanna play with this stuff but you're not really into the Ruby thing and you don't wanna go there, go check out the line cookbook, because it will provide you a really great starting point for that.
So we've done all this ingesting, specification, triaging, development, and now we get to test stuff, right? So we're all familiar with test-driven development, probably, at this point: the idea is you write tests, then you write code that matches up to the tests, and in the interim we write code until all the tests work. So what's really cool about Chef compliance is your compliance profile is all your tests; you've literally already written all of your test specifications right there. So you've done the test-driven development because you've written your entire specification, and so you can use things like Test Kitchen; you can tell Test Kitchen to read InSpec controls from other places and you can bring those into your tests. So what's cool here is you can write remediation and test it as you go. Also there's this cool thing called the audit cookbook, and what's cool about the audit cookbook is it lets you run InSpec profiles as part of a chef-client run. So what's great about this is that throughout your entire pipeline, whenever chef-client runs, you can run a profile, so that means that when you're in dev you have your profile running, when you're in test you have your profile running, when you're in prod your profile's running, so you can catch things in different places.
last part of this is the ability to be honest certify what you've done and so for our purposes of what we had to do was we had a requirement that we actually had to sign these profiles and so 1st I was like OK will do in the 5 sounds and will just match those of because we're air gap in this stuff intuitive environment and and it's important right we had to prove to the client that the thing that I gave them was the thing that I packaged before
so inspectors has this kind of sort of honest and supported feature inspect artifact on a you played with that
inspect artifact allows you create a hoop assign profile so it's artifact allows you to use of generate a answer key pair it allows you to sign that profile with the Aussie key pair and produce a dot IAF artifact and it allows you to them validate I can verify that profile with the public key which means I can ship my Iife artifact in the public key and people can validate that yes this is the thing it says it is and then you can install it so the compliant server does actually support the ships you can install and I have signed profiled your compliant server but as part of your pipeline you can unpack this so you can you can take the artifact to the place that you need to install it you can validated you can unpack it and then you can upload that on artifact up to the up to shatter and so when we think about I don't wanna be that damn to production anymore we want to
be involved we want to help and we want to do it in this low friction kind away we we're gonna break down this thing into these processes right we're going ingest data from not only from these days but also from or feedback loops our previous execution runs we're going to triage this data within our organization because it's vital to make sure that all the stakeholders are involved so that we'll pain ourselves into a corner somewhere the mother right specifications whereas specifications that are clear and informative portable and traceable and these specifications are gonna serve as the basis for testing and development with an organization on we have to remember that
there are lots of ways to implement the states and you should choose the way that best aligns with where you are in your current Dev journey and sometimes you can't manage the whole file and that's OK you have to manage the whole file shall provide you away to not have to do that and you have to remember that you should be able to certify your results throughout your entire pipeline all the way from the developer's workstation to production and need to be able to prove that these things are the way they are because after all the
mantra of any good security engineer is that security is not a product, it is a process, and that's what we all have to get together and understand. So thank you.

[Audience question, partly inaudible, concerning what the relationship between the CIS benchmarks, the STIGs and SCAP is.]

So the CIS benchmarks are produced by NIST, and in a lot of ways they're very, very similar to a STIG. So if you think about it, a STIG is the public sector version of a CIS benchmark, right? The CIS benchmarks are a little bit more involved, there are a lot more of them, and on and on, but that's kind of what that relationship is. As far as SCAP is concerned, that's also maintained by NIST, and they were way ahead of their time. SCAP's been around for quite some time, the [unclear] project has been around for a while, and what they were trying to accomplish is what we're doing with InSpec and with Compliance: producing a language that you could then automate the remediation of things with. It's XML-based, which is a little annoying for some people, and so that's why people kind of gravitated toward other projects.

[Audience question about secrets, inaudible.]

Alright, OK, so the password thing, right. So this is something I talked to [unclear] about, and they're actually going to produce integrations with things like Vault, so you can store your secrets in separate places. Because InSpec is Ruby-based, I've actually got a demo [unclear], and so as long as there is a gem to call out to Conjur or a Vault or whatever you need, you can actually hack your way into that now and manage your secrets outside. You can use profile attributes, there's a [unclear] profile attributes in InSpec where you have like a YAML file, and you have a username and password there in clear text, because it's not encrypted yet, right. But so they're definitely working on different ways to do that. The hacky way is to download the gem for whatever thing that you use to maintain your secrets and just get at them that way. But I would use the same with
[Audience question, partly inaudible, about pushing adoption of InSpec where Nessus is already in use.]

So there's a couple of things. First, Nessus is kind of pricey. Nessus is also super slow, you can't run it all the time in production, it takes hours and hours and hours and takes systems down. When we talk about continuous compliance, that's a very good use case there, and as adoption grows with InSpec, more and more organizations are going to gravitate toward that. The other problem with Nessus is that they don't really keep up very well with how to remediate things, and even some of the checks are kind of terrible. [unclear] They're a large organization with a lot of demands on their time, whereas with Compliance, on something like Dirty COW, when it came out I wrote remediation for that day and put it online. So that's the kind of benefit you get when you go with Compliance or something like that, and as organizations start to move more towards yes, we're accepting, and yes, we want open source tools, you'll find that it's easier and easier to get in there. The other thing is, like, being able to scan all the time in dev, because nobody wants to go install Nessus in dev and run Nessus scans in dev, nobody wants to do that. And so I have a client that has both InSpec and Nessus, and [unclear].

[Audience question, inaudible, about controls that don't apply.]

So as part of the triage process you're going to have to create documentation, right, because there's a thing like sometimes you're going to have to do a POA&M or something, and that like [unclear]. So when you triage stuff, what you come out with in your profile are the things that you say you're gonna apply, so the delta between what your STIG says and what your compliance profile says represents
the things that you have said no, these don't apply to me, or they don't apply with the way that I'm doing something, [unclear]. So for our purposes, right, what I tell my clients is that what's in the specification is what you're doing, and if it's not in the specification you're not doing it, right. So when you triage, though, every single time a new STIG comes out you can go back and look at that and say OK, are we doing this now? Because if we are now, we have to add that to the profile. If not, we can continue. [Remainder inaudible.]

Metadata

Formal metadata

Title STIG Automation W/ Chef and Inspec
Series title Chef Conf 2017
Author Ray, John
License CC Attribution - ShareAlike 3.0 Unported:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unchanged or modified form, for any legal and non-commercial purpose, provided that you name the author/rights holder in the manner specified by them and pass on the work or this content, also in modified form, only under the terms of this license.
DOI 10.5446/34605
Publisher Confreaks, LLC
Year of publication 2017
Language English

Content metadata

Subject Computer science
Abstract The DoD's Security Technical Implementation Guides (STIGs) are the baseline for a vast majority of companies. But with 9 different profiles and hundreds of individual action items, how do you even begin? Join me as we look at how to use InSpec to ingest STIG data, how to read and determine what STIGs apply to you, and how to remediate those STIGs with Chef. We will explore the anatomy of a well written InSpec control and some of the more complex Chef and Ruby resources that allow you to successfully implement security hardening. Learn how to edit files in place, search and replace documents, and lessons learned from implementing the RHEL 6 STIG in both on premise and cloud environments.
