cloud-gov / cg-atlas

Repository hosting issues and artifacts related to operations of the cloud.gov platform
Creative Commons Zero v1.0 Universal

Add Nessus + Hardening scripts for Bosh and Docker boxes #62

Closed dlapiduz closed 8 years ago

dlapiduz commented 8 years ago

In order to meet requirements for both GSA and FedRAMP, we want the scanning agent to be deployed on every VM that Bosh deploys.

Acceptance Criteria

The following VMs are shown to be running the host scanning jobs (fisma, tripwire, awslogs, nessus-agent, and newrelic) in staging and production

mogul commented 8 years ago

Can you groom this one a bit so I know what to do with it?

dlapiduz commented 8 years ago

copied from #57

mogul commented 8 years ago

@sharms didn't you say at stand-up today that you were working on this? If so can you put it In Progress?

rogeruiz commented 8 years ago

Related :eyes: https://github.com/18F/cg-deploy-bosh/pull/9

frsfx commented 8 years ago

@rogeruiz let me know when you're online. I'd like to work with you on this.

mogul commented 8 years ago

Roger's update in Slack today:

finishing up cg-atlas-62 with PRs for updated secrets on cg-deploy-docker-swarm and cg-deploy-bosh. Once the scripts are updated in s3 and Concourse, I'll refly the necessary pipelines in concourse, and the PRs should trigger a build once they're merged in

LinuxBozo commented 8 years ago

There will be a somewhat intermediate problem as we currently rely on DNS resolution for the riemann/collectd server instance. This DNS resolution is provided by BOSH itself for all its deployments, so anything deployed with staging BOSH knows about 0.monitoring.monitoring.monitoring-staging.bosh. Staging BOSH itself will not know anything about this, since its own DNS is pointed to tooling BOSH. This means that riemann would have to exist in the tooling VPC (see #116). The bigger problem then is tooling BOSH, since it is deployed with master BOSH, and then again master BOSH itself. Neither will know how to resolve the tooling riemann server. A workaround for now could be to use hardcoded IPs.

mogul commented 8 years ago

Currently blocked on #116 #117 #118

jmcarp commented 8 years ago

We're now provisioning a tooling riemann in deploy-monitoring and uploading hardening releases to master-bosh in deploy-bosh. I think this should be unblocked now.

mogul commented 8 years ago

@rogeruiz can you give us an idea of what state this one is in?

rogeruiz commented 8 years ago

@mogul Sorry about that, I was out yesterday. This just needs updated secrets uploaded with the riemann server URL for staging / master / tooling and then work that @sharms 18F/cg-deploy-bosh#9 did should be good to be merged in.

rogeruiz commented 8 years ago

Docker swarm may be missing releases. Need to verify.