[RFC] Defense in Depth 2014

In June 2013, Red Hat sponsored a day-long event which consisted of technical workshops. This ended up being called the ‘Defense in Depth’ day, and our old webpage is still live:


And as a refresher, last years ‘save the date’ announcement:

Dan Walsh flew in to speak on SELinux, Steve Grubb on Linux Audit and Common Criteria, Bob Buckley on Storage, and a session on SCAP / STIG. Members from NSA IAD, NIST and DISA FSO were on hand to answer policy questions. Many of the workshops were hands on, requiring attendees to bring a laptop to participate. Some 250-300 people registered within a day of posting on gov-sec. We had ~95% attendance rate from those who registered (which is unheard of!).

At this point we’re targeting Apr/May, with one day definitely held in Northern Virginia. If there’s interest, it’s likely we’ll be able to host a second day somewhere on the west coast (San Diego? San Fran? Seal Beach? Ideas welcome!).

The agenda last year was fully driven by the gov-sec and Mil-OSS communities. We’re now starting to plan the 2014 event and would like to engage everyone in the process. A very, very targeted push is to ensure sessions are delivered as demos or hands-on workshops.  For reference, the workbook used for the SCAP workshop can be found here:

So then, what session topics would the community find interesting? Things should relate back to Red Hat, though need not be specific to us. If you’re a system integrator/vendor/partner or just have an interesting idea, please sound off! Feel free to EMail me off-list if you’re a partner and have an idea you’d like to present.

To get the conversation started, some initial thoughts:

MLS Operation Workshop: Step through deploying the RHEL6 common criteria baseline. How does role based access control work on RHEL? What are the roles, how do I create my own? What about labeled networking? What is data poly-instantiation, and how do I configure it? A (continously evolving) table of contents is available here:

We’re developing the coursebook via Public Domain license on GitHub: https://github.com/RedHatGov/MLS-Workbook. Patches & forks welcome.

STIG Workflow: Government baselines, particularly USGCB and DoD STIG, are published as SCAP content. Step through the SCAP Security Guide project, from which DISA FSO derives the STIG, to learn how to run a STIG compliance scan. Extended from last years edition, we’ll also cover third party tooling. Specifically:
* By request of an Intelligence Community partner, import SCAP content into Tenable Nessus (the technology behind ACAS). Centrally scan a group of systems. Export the results into Telos Xacta for centralized reporting;
* Run jOVAL, a cross platform SCAP interpreter, to centrally scan both RHEL and Windows hosts against USGCB profiles;
* Utilize RHN Satellite to centrally manage SCAP content delivery and perform centralized security compliance scans

Intended as a strictly hands-on workshop with no prior experience needed. Last years workbook posted online, which will be significantly updated:

What’s new in RHEL7?: Linux containers. Cross-realm kerberos trust. Performance co-pilot. tuned, tuna, and numa affinity. Virtualized 3d graphic drivers. Elliptical Curve Crypto. VFIO. In-place upgrades. GNOME 3. Systemd. OpenLMI. Firewalld. Labelled NFS. 40G ethernet. Lions, tigers, and bears. Oh my.

Virtualization, Cross Domain, and Security: Can they coexist?: This concept was originally presented by Boyd Fletcher (NSA IAD) at the 2010 HAP conference. Since that time, KVM has undergone Common Criteria certification and has been wrapped by sVirt, a special SELinux policy for the KVM hypervisor. New challenges — both technology and policy — arise as we progress down the cross domain virtualization path. We’ll step through our work with a U.S. Intelligence agency in virtualizing a cross domain data transfer application: the security controls applied to meet NIST 800-53 High/High/High and the CNSSI 12-53 CDS overlay, operational concerns, items within our POA&M, and general thoughts on progress to date.

Linux Container Deep Dive: Docker is available for RHEL on EPEL. Let’s step through an installation and see what all this container buzz is actually about.

Red Hat & Hadoop: Integration with Hortonworks Data Platform: On 10-FEB, Hortonworks and Red Hat announced a strengthened partnership to develop an OpenStack-ready, HDFS compatible architecture. We’ll step through a component level understanding of this architecture [ref: http://hortonworks.com/blog/red-hat-hortonworks-deepen-strategic-alliance/]

Cisco+OpenShift: Enterprise PaaS: On 28-JAN, Red Hat and Cisco launched a Cisco Validated Design for Cisco UCS + Red Hat OpenShift. We’ll step through the underlying components and deploy a simple application to OpenShift.

OpenStack Security:  We’ll step through lessons learned from deploying two Intelligence Community programs into Red Hat’s OpenStack Platform. What was the deployment architecture, operational procedures, and how did we mitigate the shortcomings of the factory technology capabilities? Talk through experiences gained by undergoing a NIST RMF accreditation process.

So then, in closing, are the above topics interesting? What else should we cover? Ideas most welcome! Sound off on the Government Users mailing list, gov-sec!