Managing the evolutionary development of a system hardening “script”. LANL-stor and the Challenges of Evolutionary Development
Overview What is LANL-stor. Themes in the evolution of LANL-stor. Origins. Mid-life crisis. Current status. Future directions. Lessons learned
RHEL Security Triangle Red Hat Network Satellite Server (RHUS). Patch management capabilities. LANL ExpressWay. Red Hat network-based installation tool. LANL Security Tool On Red Hat (STOR). Secure configuration. Configuration compliance reporting.
STOR Current version is 4.0. System hardening tool for Red Hat Enterprise Linux. Based on: The Center for Internet Security (RHEL 4 & 5 Benchmarks). The NSA Guide to the Secure Configuration of RHEL 5. The DISA UNIX STIG and Checklist. NIST. MITRE CCE List for RHEL 5. Internal requirements.
STOR - Development Source documents are reviewed for applicability, automation potential, correctness and deployment impact. Field team feedback from previous versions is considered. Informal requirements outline generated (developer use only). New actions are unit tested then integrated into the main program(s). The main program is tested on virtual machines representing all supported versions ( currently 3 - 5). CSD Standards and R&D Team members test during an internal alpha test period.
STOR – Development cont. Internal review meeting held prior to CCB. Change Control Board reviews changes in guidance and program functionality. Makes recommendations. CCB changes are integrated into program. Internal beta test period. Public beta test period. Production.
Themes Evolution in source material (CIS, NIST, NSA, DISA). Evolution in internal requirements. Continuous change in program architecture. Growing complexity: Variances between RHEL versions. Additional features. Special cases.
STOR – Origins Early years (versions 0.1 - 1.12). Simple run once bash script. No customization without altering the script. Intolerant of use on anything but a fresh install. < 2000 lines. Mostly cut and paste from early CIS Benchmark scripts. Very incomplete implementation of CIS Benchmark.
STOR – Origins Growing up (versions 2.x-3.0). More focus on being able to run repeatedly without breakage. More flexible about preserving local configurations. Tunable via a configuration file. Improved coverage of CIS Benchmark. The config file added optional hardening actions. Undo function. > 6,500 lines by 3.0.
STOR – Origins Mid-Life Crisis (v. 3.1). Audit and reporting functions. Support for RHEL 3 - 5. Optional GUI. > 9,300 lines.
STOR – Origins Optional GUI (ver. 3.1).
STOR – Origins Mid-Life Crisis (v. 3.1) Issues. Huge code base of shell code difficult to manage. Lack of advanced data-types and language features limited development process. Performance – Required run time with all features turned on had become very long. Limited ability to integrate main code with GUI. Limited ability to handle errors in a predictable way.
STOR – Current Welcome to 4.0! Completely re-written in Python. More new hardening features. All new GUI. Can now execute single rules for easier debugging and targeted fixes. Initial port cut STOR line count from ~ 9K to ~7K. Current line count ~ 13,600 (9892 core, 3699 GUI).
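The design points the deck calls out across versions (run repeatedly without breakage, undo, audit and reporting, and executing a single rule for targeted fixes) are easier to see in code than in bullets. The following is an added illustration written for this page, not STOR's own source: a single hardening rule with audit, fix and undo modes, driven through a small dispatcher the way a one-rule command line would be. The rule class, the `.stor-undo` backup suffix, and the sshd_config-style sample file are all assumptions constructed for the example.

```python
"""Minimal idempotent hardening-rule engine (added illustration, not STOR code)."""
import os
import re
import shutil
import tempfile


class KeyValueRule:
    """Ensure `key value` is the effective setting in a whitespace-separated config file.

    Idempotent: fix() rewrites only when audit() finds drift, and it keeps a
    one-shot backup of the original so the change can be undone later.
    """

    def __init__(self, name, path, key, value):
        self.name, self.path, self.key, self.value = name, path, key, value
        self.backup = path + ".stor-undo"  # hypothetical backup suffix, an assumption
        self._key_re = re.compile(r"^\s*" + re.escape(self.key) + r"\s+(\S+)")

    def _lines(self):
        with open(self.path) as fh:
            return fh.read().splitlines()

    def audit(self):
        """Return (compliant, observed_value); the last definition wins, as in sshd."""
        observed = None
        for line in self._lines():
            m = self._key_re.match(line)
            if m:
                observed = m.group(1)
        return observed == self.value, observed

    def fix(self):
        """Bring the file into compliance; return True only if it was actually changed."""
        compliant, _ = self.audit()
        if compliant:
            return False  # nothing to do, so no backup is touched on repeat runs
        if not os.path.exists(self.backup):
            shutil.copy2(self.path, self.backup)  # preserve the pre-fix file for undo
        lines = self._lines()
        wanted = f"{self.key} {self.value}"
        if any(self._key_re.match(ln) for ln in lines):
            lines = [wanted if self._key_re.match(ln) else ln for ln in lines]
        else:
            lines.append(wanted)  # key never set: append rather than rely on a default
        with open(self.path, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        return True

    def undo(self):
        """Restore the pre-fix file if a backup exists; return True if restored."""
        if not os.path.exists(self.backup):
            return False
        shutil.move(self.backup, self.path)
        return True


def run_rule(rule, mode):
    """Dispatch a single rule like a targeted command-line run: audit | fix | undo."""
    if mode == "audit":
        ok, seen = rule.audit()
        return {"rule": rule.name, "compliant": ok, "observed": seen}
    if mode == "fix":
        return {"rule": rule.name, "changed": rule.fix()}
    if mode == "undo":
        return {"rule": rule.name, "restored": rule.undo()}
    raise ValueError(f"unknown mode {mode!r}")


def demo():
    """Run one rule through audit, fix, fix again, audit, undo, audit on a constructed file."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sshd_config")
    with open(path, "w") as fh:  # constructed sample, not a real host's configuration
        fh.write("# constructed sample\nPermitRootLogin yes\nX11Forwarding yes\n")
    rule = KeyValueRule("ssh-no-root-login", path, "PermitRootLogin", "no")
    results = [run_rule(rule, m) for m in
               ("audit", "fix", "fix", "audit", "undo", "audit")]
    shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The second `fix` in `demo()` reports `changed: False`, which is the "run repeatedly without breakage" property; the backup is only written on the first real change, so `undo` restores the genuine original rather than an intermediate state. Keeping audit separate from fix is also what makes a compliance report possible without modifying the system.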
STOR – Current Why Python? Previous STOR GUI was written in PyQt. Flexible. Readable. Faster than shell. Speed of development. Batteries included. Easier integration with the GUI layer. Natively object oriented without forcing object oriented development. Good native exception handling capabilities. Native to Red Hat yet available cross-platform.
STOR – Origins New GUI
STOR – Origins GUI Configuration Tool
STOR – Origins Online Help
STOR – Future Plans Tighter integration with the GUI without breaking command line function. Extend to cover additional Operating Systems: Solaris, Ubuntu, Mac? Move to full object oriented development. Develop automated testing harness.
Lessons Learned Don't fear the re-write! Take chances, fortune favors those who are in the right place at the right time. Challenge assumptions. Document your code – the sanity you save may be your own. Upfront planning = faster development. Talk to your customers. Don't skimp on testing.
Questions? LANL-stor author: David Kennel, Departmental Computing Services, Central Services and Development Team, dkennel@lanl.gov