2016 - Compliance as Code - InSpec

Compliance as CodeDevOpsDays Austin

May 3, 2016

Chef Workflow

SSH Control

"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."

How will I verify this?

Whip up a one-liner!

grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'

Apache Server Information Leakage – Server Token Directive

•  Description

  This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.

  This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions.

•  How to Test

  In order to test for ServerToken configuration, one should check the Apache configuration file.

•  Misconfiguration

  ServerTokensFull

•  Remediation

  Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.

  ServerTokensProd   or

  ServerTokensProductOnly

https://www.owasp.org/index.php/SCG_WS_Apache

More grep and sed!

grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

C o mp l i a n c e

Two-thirds of organizations did not adequately test the security of all in-scope systems!

Key Trends

•  While individual rule compliance is up, testing of security systems is down

•  Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.

Shell Scripts

grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

Infrastructure Code

package 'httpd' do action :installend

service 'httpd' do action [ :start, :enable ]end

What We Have Here Is A Communications Problem

Security != Compliance

Compliance Language

One Language !Linux

One Language !Linux, Windows

Windows

One Language !Linux, Windows, BSD, Solaris, AIX, ...

Available Resourcesapache_confapt

audit_policy

auditd_conf

auditd_rules

bond

bridge

csv

command

directory

etc_group

file

gemgroup

host

inetd_conf

interface

iptables

kernel_module

kernel_parameter

limits_conf

login_defs

mount

mysql_conf

mysql_sessionnpm

ntp_conf

oneget

os

os_env

package

parse_config

parse_config_file

passwd

pip

port

postgres_confpostgres_session

powershell

processes

registry_key

security_policy

service

ssh_config

sshd_config

user

windows_feature

yaml

yum

What is it not?

•  IDS / IPS• Firewall• Antivirus• Pentesting tool

One Language !Linux, Windows, BSD, Solaris, AIX, ...

Bare-metal

One Language !Linux, Windows, BSD, Solaris, AIX, ...

Bare-metal, VMs

One Language !Linux, Windows, BSD, Solaris, AIX, ...

Bare-metal, VMs, Containers

Test Locally

$ inspecexectest.rb. Finished in 0.00901 seconds (files took 0.98501 seconds to load) 1 example, 0 failures

Test Remote via SSH

$ inspecexectest.rb-ivagrant.key-tssh://root@172.17.0.1:11022

No Ruby / agent on the node

Test Remote via WinRM

$ inspecexectest.rb-twinrm://Admin@192.168.1.2--passwordsuper

No Ruby / agent on the node

Test Docker Containers

$ inspecexectest.rb-tdocker://3dda08e75838

No Ruby / agent on the container

One Language !Linux, Windows, BSD, Solaris, AIX, ...

Bare-metal, VMs, Containers

Nodes

One Language !Linux, Windows, BSD, Solaris, AIX, ...

Bare-metal, VMs, Containers

Nodes, GRUB, DBs

DB Testing

One Language !Linux, Windows, BSD, Solaris, AIX, ...

Bare-metal, VMs, Containers

Nodes, GRUB, DBs, Endpoints, APIs, ...

Cloud Testing

Operating System and Application Coverage

• Red Hat Enterprise Linux• Ubuntu•  SUSE• Oracle Linux• Microsoft Windows 7, 8• Microsoft Windows Server 2008,

2012• AIX

• HP-UX• VMware ESXi• Oracle • MySQL• Apache Tomcat•  SQL Server•  IIS

InSpeckitchen-inspec

56 1-

©2016 Chef Software Inc.

Test Kitchen

Setup our test

$ chef generate cookbook ssh $ cd ssh $ vim .kitchen.yml $ kitchen converge $ rm -rf test/integration/default/* $ mkdir -p test/integration/default/inspec/ $ vim test/integration/default/inspec/default_spec.rb

SSH Version Check

describe sshd_config do its('Protocol'){shouldcmp2}end

Run the test

$kitchenverifyFailures: 1) SSH Configuration Protocol should cmp 2 Failure/Error: its('Protocol') { should cmp 2 } expected: 2 got: 1

Fix the issue (manually)

$kitchenlogin$sudovi/etc/ssh/sshd_config$exit$kitchenverifyFinished in 0.0382 seconds (files took 0.7536 seconds to load) 1 example, 0 failures Finished verifying <default-centos-71> (0m0.47s).

Open Source Community

• Test Kitchen

• https://kitchen.io

• https://github.com/test-kitchen

• Kitchen-InSpec

• https://github.com/chef/kitchen-inspec• Kitchen-Ansible

• https://github.com/neillturner/kitchen-ansible

• Kitchen-Puppet

• https://github.com/neillturner/kitchen-puppet

• Supermarket.chef.io

InSpecUsed with Chef Compliance

Compliance as Code. !

New Workflow

Chef Provides a Proven Approach to DevOps

Apps

Runtime environments

Infrastructure

..

.

Targets/Workloads

Collaborative Development

Chef Insights

Production

Chef Server

Chef Server

Chef Supermarket

Assessment

Chef Compliance

Search

Audit

Discover

Deploy

Chef Delivery

Local Development

Model

Build

Test

Chef DK

Chef Client & Cookbooks

Austin, TX | July 11-13

Early Bird Pricing Through April 17th

«  Workshops & Chef Training !

«  Community Summit !

«  Chef Partner Summit !

«  Welcome Reception!

«  Keynotes!

«  Technical Sessions!

«  Happy Hour!

«  Keynotes!

«  Technical Sessions!

«  Awesome Chef Awards!

«  Community Celebration!

ChefConf.com