1 / 20

LANL-stor and the Challenges of Evolutionary Development

Managing the evolutionary development of a system hardening “script”. LANL-stor and the Challenges of Evolutionary Development. Overview . What is LANL-stor. Themes in the evolution of LANL-stor. Origins. Mid-life crisis. Current status. Future directions. Lessons learned.

nyx
Download Presentation

LANL-stor and the Challenges of Evolutionary Development

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Managing the evolutionary development of a system hardening “script”. LANL-stor and the Challenges of Evolutionary Development

  2. Overview What is LANL-stor. Themes in the evolution of LANL-stor. Origins. Mid-life crisis. Current status. Future directions. Lessons learned

  3. RHEL Security Triangle Red Hat Network Satellite Server (RHUS). Patch management capabilities. LANL ExpressWay Red Hat. Network based installation tool. LANL Security Tool On Red-Hat (STOR). Secure configuration. Configuration compliance reporting

  4. STOR Current version is 4.0. System hardening tool for Red Hat Enterprise Linux. Based on: The Center for Internet Security (RHEL 4 & 5 Benchmarks). The NSA Guide to the Secure Configuration of RHEL 5. The DISA UNIX STIG and Checklist. NIST. MITRE CCE List for RHEL 5. Internal requirements.

  5. STOR - Development Source documents are reviewed for applicability, automation potential, correctness and deployment impact. Field team feedback from previous versions is considered. Informal requirements outline generated (developer use only). New actions are unit tested then integrated into the main program(s). The main program is tested on virtual machines representing all supported versions ( currently 3 - 5). CSD Standards and R&D Team members test during an internal alpha test period.

  6. STOR – Development cont. Internal review meeting held prior to CCB. Change Control Board reviews changes in guidance and program functionality. Makes recommendations. CCB changes are integrated into program. Internal beta test period. Public beta test period. Production.

  7. Themes Evolution in source material (CIS, NIST, NSA, DISA). Evolution in internal requirements. Continuous change in program architecture. Growing complexity: Variances between RHEL versions. Additional features. Special cases.

  8. STOR – Origins Early years (versions 0.1 - 1.12). Simple run once bash script. No customization without altering the script. Intolerant of use on anything but a fresh install. < 2000 lines. Mostly cut and paste from early CIS Benchmark scripts. Very incomplete implementation of CIS Benchmark.

  9. STOR – Origins Growing up (versions 2.x-3.0). More focus on being able to run repeatedly without breakage. More flexible about preserving local configurations. Tuneable via a configuration file. Improved coverage of CIS Benchmark. With config file added optional hardening actions. Undo function. > 6,500 lines by 3.0.

  10. STOR – Origins Mid Life Crisis (v. 3.1). Audit and reporting functions. Support for RHEL 3 - 5. Optional GUI. > 9,300 lines.

  11. STOR – Origins Optional GUI (ver. 3.1).

  12. STOR – Origins Mid-Life Crisis (v. 3.1) Issues. Huge code base of shell code difficult to manage. Lack of advanced data-types and language features limited development process. Performance – Required run time with all features turned on had become very long. Limited ability to integrate main code with GUI. Limited ability to handle errors in a predictable way.

  13. STOR – Current Welcome to 4.0! Completely re-written in Python. More new hardening features. All new GUI. Can now execute single rules for easier debugging and targeted fixes. Initial port cut STOR line count from ~ 9K to ~7K. Current line count ~ 13,600 (9892 core, 3699 GUI).

  14. STOR – Current Why Python? Previous STOR GUI was written in Py-QT. Flexible. Readable. Faster than shell. Speed of development. Batteries included. Easier integration with the GUI layer. Natively object oriented without forcing object oriented development. Good native exception handling capabilities. Native to Red Hat yet available cross-platform

  15. STOR – Origins New GUI

  16. STOR – Origins GUI Configuration Tool

  17. STOR – Origins Online Help

  18. STOR – Future Plans Tighter integration with the GUI without breaking command line function. Extend to cover additional Operating Systems. Solaris Ubuntu Mac? Move to full object oriented development. Develop automated testing harness

  19. Lessons Learned Don't fear the re-write! Take chances, fortune favors those who are in the right place at the right time. Challenge assumptions. Document your code – the sanity you save may be your own. Upfront planning = faster development. Talk to your customers. Don't skimp on testing.

  20. Questions? LANL-stor author: David Kennel Departmental Computing Services Central Services and Development Team dkennel@lanl.gov LANL-stor and the Challenges of Evolutionary Development

More Related