Drupal and FISMA Compliance BoF at Drupalcon LA

Posted by owen barton
Start: 2015-05-14 14:15 - 15:15 America/Los_Angeles
Event type: DrupalCon

This session is for sharing best practices and tools with respect to the FISMA federal compliance framework, as well as discussing ways to automate compliance checking of Drupal (and its environment) using FISMA-certified open source tools like OpenSCAP.

Comments

What room?

Posted by pwolanin

Time and room are in the post

Posted by bendygirl

It's in the link he posted, but just in case, here it is again: https://events.drupal.org/losangeles2015/bofs/drupal-and-fisma-compliance
It's in room 410 on Thursday.

Just a minor kind of Drupal geeky girl, and for the US government no less!

Wish I could be there

Posted by fen

This is very exciting stuff. Only recently did I learn about security scanning (and I still have a lot to learn) but I'm already a convert: open source security scanning tools and the content that drives them promise to greatly increase the ease and effectiveness of security devops on every scale.

OpenSCAP 1.2.3 has been compiled for a RHEL7 testbed and I plan to share RPMs soon. (We want to offer the same tool set for AWS and Ubuntu soon.) The next step is enhancing/expanding the STIG/SCAP content to include apps like Drupal, Apache/Nginx and MySQL.

Plug: I'll be talking about some of this work on the other coast at DevOpsDays DC next month.

(Not sure why the links aren't working. Here they are bare: https://github.com/OpenSCAP and https://devopsdaysdc2015.busyconf.com/proposals/552f23ec42517cc87a000007)

Session notes

Posted by owen barton

There are a lot of efforts getting Drupal sites compliant, and there are benefits in working together to help each other make this process more efficient.

  • Federal Information Security Management Act (FISMA) – a federal act that outlines compliance and has a group of control families, driven by risk analysis and finding ways to mitigate the risk.
  • National Institute of Standards and Technology (NIST) Cybersecurity Framework. FISMA is a NIST standard that is open source.

Greg Elin has been working on a project called GovReady - see http://www.govready.org/. This makes it easier to get started with OpenSCAP, an open source, NIST-certified continuous compliance scanning tool: http://www.open-scap.org/page/Main_Page.

Audience poll: 50% in attendance working on side of securing Drupal, remainder mainly working on the hosting/infrastructure layer, and a few focusing mainly on documentation efforts.

Looking at the Drupal Layer of FISMA:

  • Discussion on how people are certifying/assessing the Drupal application layer.
  • Outline best practices to start automatic checking for standards, starting with OpenSCAP calling against the Security Review module.
  • There are a number of other Drupal modules and other software (like OSSIM) that are open source and check for security.
  • Tenable Nessus is now closed source/licensed, but OpenVAS could be considered an open source alternative. Nessus is not that expensive, but there are often a number of updates needed to make it check what is required.
  • http://www.cisecurity.org/ was also mentioned as a source for checks/hardened-config for Apache/MySQL.
  • OpenSCAP developers are interested in getting it working on Ubuntu.
  • Is there a place / format where we can share the language we use and discover?
    • Groups.drupal.org - security group (and cross post to the compliance group).
    • Perhaps pick one of the security focused distributions to use as a module/configuration reference, add compliance checks/tests and include templated documentation for controls with each check.
  • Clarifying the boundaries of where Drupal security level exists
  • You can build a suite to test and give you repeatability. Writing content for scanning.
  • Your automated tests need to be well written and be checked for coverage.
  • Documenting these processes is going to be crucial for helping others get compliant.
  • Companies becoming compliant will likely see a change in company policies and processes (things like idle time-outs, increased time training on security).

FISMA Compliance Shortcuts

  • There are not many ways to shortcut this process.
  • Application layer can be secured (Drupal modules to automate)
    • But you can break it with poor site building/code even after the initial security work
  • Environment layer can be secured (secure hosting suppliers)
  • Documentation layer can’t be shortcut as easily

Reference Links

Drupal Modules

  • Paranoia
  • Security Review
  • Security Kit
  • Automated Logout
  • Username Enumeration Prevention
  • Session Limit
  • Honeypot/CAPTCHA/reCAPTCHA
  • Password Policy
  • Secure Permissions
  • Permission Watchdog

Distributions

  • Guardr
  • Hardened Drupal
  • OpenPublic (v2) mentions having been reviewed for FISMA

Where can we continue this discussion? Security Group or Compliance Group on Drupal.org. Security Group seems the best fit - cross-post to Compliance group as relevant (note we originally decided on Compliance group, but afterwards realized it was still pending moderation and seemed to have very few members).

Posted by owen barton

Thanks to @akaroleff for the fantastic notes and for everyone for contributing to a great discussion!

Please note that after some further discussions, we realized that the Security group was probably a better bet than the Compliance group for further discussion, at least for the time being (feel free to cross-post as appropriate, of course).

Looks like it was a great session!

Posted by fen

Has anyone started writing SCAP content for testing current compliance of Drupal, Apache/Nginx, MySQL? E.g., tests that private files are secure, that password policies are set, etc. Much of this is done in the Security Review (and other modules listed above), but automated access to the reports is needed. (RESTful API access would be awesome!)

Posted by owen barton

Note that Security Review has Drush integration, and many of the others could be checked with Drush pm-list and vget.
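One way to wire Drush checks like these into OpenSCAP is a Script Check Engine (SCE) check: OpenSCAP runs the script like any other program and reads the result from its exit code. The script below is an added example, not code from this thread or from the Security Review, Drush or OpenSCAP projects. It assumes a Drupal 7 site reachable by Drush 7 (`pm-list --status=enabled --format=list` for the enabled module machine names, `vget --exact` for one variable), a baseline that requires the five modules named in REQUIRED_MODULES, and an Automated Logout `autologout_timeout` of at most 900 seconds; the module baseline and threshold are assumptions, and the module list and timeout value used when no site is available are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the page, Security Review, Drush or OpenSCAP):
# an SCE-style compliance check for a Drupal 7 site driven by Drush.
# Assumed baseline: these modules must be enabled (machine names).
REQUIRED_MODULES="security_review seckit autologout username_enumeration_prevention password_policy"
# Assumed policy: idle logout must fire within 15 minutes (seconds).
MAX_IDLE_SECONDS=900

# Read enabled module machine names (one per line) on stdin and print the
# required modules that are absent, space separated; prints nothing when
# the baseline is met.
missing_modules() {
    enabled=$(cat)
    missing=""
    for m in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$enabled" | grep -qx "$m"; then
            missing="$missing $m"
        fi
    done
    printf '%s' "${missing# }"
}

# Succeed when $1 is a non-negative integer no larger than $2.
timeout_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le "$2" ]
}

# $1 = enabled module list (newline separated), $2 = autologout_timeout value.
# Prints one PASS/FAIL line per control and returns 0 only if all pass.
run_check() {
    rc=0
    missing=$(printf '%s\n' "$1" | missing_modules)
    if [ -n "$missing" ]; then
        echo "FAIL: required modules not enabled: $missing"
        rc=1
    else
        echo "PASS: all required modules enabled"
    fi
    if timeout_ok "$2" "$MAX_IDLE_SECONDS"; then
        echo "PASS: autologout_timeout=$2"
    else
        echo "FAIL: autologout_timeout='$2' is not an integer <= $MAX_IDLE_SECONDS"
        rc=1
    fi
    return $rc
}

# Gather inputs from the site when DRUPAL_ROOT is set and drush is on PATH
# (Drush 7 command forms, assumed); otherwise use constructed sample data so
# the script runs offline.
if [ -n "$DRUPAL_ROOT" ] && command -v drush >/dev/null 2>&1; then
    ENABLED=$(drush --root="$DRUPAL_ROOT" pm-list --status=enabled --format=list)
    # vget prints "name: value"; keep only the value and strip quotes.
    TIMEOUT=$(drush --root="$DRUPAL_ROOT" vget autologout_timeout --exact 2>/dev/null \
              | sed 's/^[^:]*: *//; s/"//g')
else
    ENABLED=$(printf '%s\n' system user security_review seckit)   # constructed sample
    TIMEOUT=1800                                                    # constructed sample
fi

# OpenSCAP's Script Check Engine exports XCCDF_RESULT_PASS (101) and
# XCCDF_RESULT_FAIL (102); use them as exit codes only when present.
if run_check "$ENABLED" "$TIMEOUT"; then
    result=${XCCDF_RESULT_PASS:-0}
else
    result=${XCCDF_RESULT_FAIL:-1}
fi
if [ -n "$XCCDF_RESULT_PASS" ]; then
    exit "$result"
fi
```

Under OpenSCAP the script is referenced from an XCCDF rule with a `<check system="http://open-scap.org/page/SCE">` element; OpenSCAP exports the XCCDF_RESULT_* variables into the script's environment, which is why the script exits with those codes only when they are set and otherwise just prints its report. Run against the constructed sample it reports three missing modules and a 1800-second timeout, i.e. a failing rule.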

Posted by greggles

I believe security_review module is extensible directly or that the maintainer would accept patches to add relevant features ;)

Security Review def looks like a good start

Posted by fen

I have remote scanning working now. Next steps are remote (ansible-based) hardening, simplifying the front end, installing a test Drupal site and experimenting with drush commands for security/compliance. I'll post when I have something useful to share (hopefully next week).

GovReady

Posted by opratr

I think the govready.org URL is broken. Should it be http://govready.com/ ? Same thing?

-Andre
