Here are the slides from Bill Weiss' PuppetConf 2016 presentation called Puppet as Security Tooling. Watch the videos at https://www.youtube.com/playlist?list=PLV86BgbREluVjwwt-9UL8u2Uy8xnzpIqa
2. I’m Bill Weiss
@BillWeiss almost everywhere
bv@puppet.com
Sr. Manager of SREs
Former wearer of monochrome hats
3. Puppet as Security Tooling
Agenda
Housekeeping
Definitions
Building security in
Controlling access
Show that you did the thing
Patch management
Compromises happen
13. Get security + compliance involved early
Call your security friends and have them tell you what they need.
Invite compliance to the party as well.
Input early >> input at the end
18. NSA STIG with SIMP
I know, that’s a lot of acronym.
NSA: National Security Agency
STIG: Secure Technical Implementation Guide
SIMP: System Integrity Management Platform
WHITE PAPER: Continuous STIG Enforcement with Puppet Enterprise & the NSA Modules
19. NSA STIG with SIMP
Covers NIST 800-53 and DISA STIG
Optionally enforces FIPS 140-2 mode
46. Recap
1. Build more robust systems from the beginning.
2. Maintain tighter access controls.
3. Keep compliance happy by being able to show your work.
4. Keep on top of your patches.
5. Gain visibility into your running system.
6. Be able to rebuild quickly without breaking things.
47. I can’t drop the mic, but I’ll close my Hello Kitty phone.
Thank you