gregelin

Managing Compliance Snippets with OpenControl and ComplianceLib

Summary

This post explains how I am using OpenControl and ComplianceLib, a couple of tools from the emerging discipline of supply chain compliance documentation automation, to manage re-usable compliance documentation content applicable to multiple systems at multiple government agencies.

The post shares how the real world example of mapping the 800-53 controls to Drupal projects (e.g., plugins) was solved by documenting the controls once in a publicly available repository using the OpenControl data format and then programmatically generating customized documents private system documentation using the open source ComplianceLib software library and a bit of Python`.

Re-usable compliance content is a blessing

Re-usable, iteratively written compliance content would be a blessing. I write iteratively. I make typographical errors. Others suggest revisions. Documenting and maintaining mappings betweem system components and compliance control

gregelin

# check banned ip address
iptables -L

# check banned ip addresses and rules
iptables -L -n

# check for specific ip address on ban list
iptables -L -n | grep IPADDRESSHERE

gregelin

Post DYN DDoS: Is Government Regulation of the Internet of Things on the Horizon?

Suits and Spooks, Jan 2017

Optional readings. Feel free to attach other suggestions.

Most Noteworthy

Texas Law Review - Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security, and Consent

• Page 117 starts to discuss IoT's 4 problems (paraphrased): (1) unexpected inferences leading to discrimination; (2) difficulty of de-identifying IoT generated data; (3) hacking and security breaches; and (4) privacy policy, notice and choice in small screenless devices generating data.
• p 148 Peppet does not think much federal regulation or a new agency is currently possible but suggests "four messy and imperfect first steps toward regulating the Internet of Things: (1) broadening

gregelin

Postgres Snippets

Backup a django Postgres database

cd /codedata/code/django-study/mysite
# Stop the django surver so database will not be updated
# DBNAME=django_link
DBNAME=databasename
dumpfile=$DBNAME.pg_dump.$(date +%Y-%m-%d-%H:%M:%S).sql
pg_dump $DBNAME > ../databak/$dumpfile

gregelin

Internet Scale Services Checklist

A checklist for designing and developing internet scale services, inspired by James Hamilton's 2007 paper "On Desgining and Deploying Internet-Scale Services."

• http://mvdirona.com/jrh/talksandpapers/jamesrh_lisa.pdf

Basic tenets

• Does the design expect failures to happen regularly and handle them gracefully?
• Have we kept things as simple as possible?

gregelin

BEGIN:VCALENDAR
VERSION:2.0
CALSCALE:GREGORIAN
BEGIN:VEVENT
TRANSP:TRANSPARENT
DTEND;VALUE=DATE:20161021
UID:1D6F8E2E-F907-4185-BEBD-F0C36434FA87
DTSTAMP:20160922T192555Z
LOCATION:2011 Wilson Blvd\nArlington VA 22201\nUnited States
DESCRIPTION:HOLD FOR OPENCONTROL EVENT.\n\nSocial Gathering/Symposium on

gregelin

OpenControl Webinars

We are group of technologists, government staff, contractors and others in regulated fields committed to Compliance-as-Code. We are developing a community and tools at http://open-control.org necessary to align security assessments and authorizations with modern, continuous software development and delivery.

Below are upcoming webinars introducing our current work: OpenControl and Compliance-Masonry.

Introduction to OpenControl & Compliance-Masonry

This webinar will introduce you to OpenControl as a community, data schema and tools to support Compliance-as-Code.

gregelin

# SCAP Security Guide DoD STIG  profile kickstart for Red Hat Enterprise Linux 6 Server
# Version: 0.0.1
# Date: 2015-04-08
# Url: http://people.redhat.com/swells/ssg-rhel6-stig-ks.cfg
#
# Based on:
# http://fedoraproject.org/wiki/Anaconda/Kickstart
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-kickstart2-options.html
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
#

gregelin

This note explains the common issue of "notapplicable" results when running openSCAP and SCAP-Security-Guide on CentOS.

SCAP seems like it should be easy because it is "just XML". Then you dig into looking for a test and it gets confusing fast. So it is good to have some background.

SCAP (Security Content Automation Protocol) is actually a set of multiple standards and specifications that are used together to enable automatically testing hundreds of nerd settings. Let me emphasize that: SCAP is not a single XML specification -- SCAP is multiple standards and specs. Whenever you give "SCAP Content" to a scanner to check a system configurations you are giving the scanner multiple XML files representing multiple standards.

gregelin

def getstatusoutput(cmd): 
    """Return (status, output) of executing cmd in a shell."""
    """This new implementation should work on all platforms."""
    import subprocess
    pipe = subprocess.Popen(cmd, shell=True, universal_newlines=True,
            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    output = str.join("", pipe.stdout.readlines()) 
    sts = pipe.wait()
    if sts is None:
        sts = 0