Compliance as Code
DevOpsDays Austin
May 3, 2016
Chef Workflow
SSH Control
"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
How will I verify this?
Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
Apache Server Information Leakage – Server Token Directive
• Description
This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server.
This allows attackers to identify web server details, greatly increasing the efficiency of any attack, as security vulnerabilities are dependent upon specific software versions.
• How to Test
In order to test for ServerToken configuration, one should check the Apache configuration file.
• Misconfiguration
ServerTokens Full
• Remediation
Configure the ServerTokens directive in the Apache configuration to a value of Prod or ProductOnly. This tells Apache to return only "Apache" in the Server header, which is sent on every page request.
ServerTokens Prod or
ServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache
More grep and sed!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
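As an added example (not from the slides): the two one-liners above miss indented directives, match commented-out lines when the comment is preceded by whitespace, and print nothing when the directive is absent. This plain-Ruby rewrite of both checks, run against constructed config snippets, handles those cases and mimics InSpec's loose `cmp` comparison that the later sshd_config test relies on.

```ruby
# Added example, not from the slides: plain-Ruby versions of the SSH Protocol
# and Apache ServerTokens checks. Config text is constructed inline.

# Value of the first active (non-comment) occurrence of a directive.
# Both sshd_config keywords and Apache directives are case-insensitive,
# and leading whitespace is tolerated (the "^Protocol" grep is not).
def directive_value(config_text, name)
  config_text.each_line do |line|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    key, value = stripped.split(/\s+/, 2)
    return value.to_s.strip if key.casecmp?(name)
  end
  nil
end

# InSpec-style loose comparison ("should cmp"): numeric when both sides
# look numeric, otherwise case-insensitive string equality.
def cmp_loose(actual, expected)
  return false if actual.nil?
  if actual.to_s =~ /\A\d+\z/ && expected.to_s =~ /\A\d+\z/
    actual.to_i == expected.to_i
  else
    actual.to_s.casecmp?(expected.to_s)
  end
end

# SSH control: Protocol must be exactly 2. "2,1" or an absent directive is
# reported as a finding so the setting gets reviewed explicitly (assumption).
def ssh_protocol_compliant?(sshd_config)
  cmp_loose(directive_value(sshd_config, 'Protocol'), 2)
end

# Apache control: ServerTokens must be Prod or ProductOnly. Apache defaults
# to Full when the directive is absent, so a missing directive is a finding.
def server_tokens_compliant?(httpd_conf)
  value = directive_value(httpd_conf, 'ServerTokens') || 'Full'
  %w[Prod ProductOnly].any? { |ok| cmp_loose(value, ok) }
end

# Constructed samples: indented directive, and a commented-out fix.
SAMPLE_SSHD  = "# constructed sample\n  Protocol 2\nPermitRootLogin no\n"
SAMPLE_HTTPD = "# constructed sample\n# ServerTokens Prod\nservertokens full\n"

if __FILE__ == $PROGRAM_NAME
  puts "ssh:    #{ssh_protocol_compliant?(SAMPLE_SSHD)}"    # true
  puts "apache: #{server_tokens_compliant?(SAMPLE_HTTPD)}"  # false
end
```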
Compliance
Two-thirds of organizations did not adequately test the security of all in-scope systems!
Key Trends
• While individual rule compliance is up, testing of security systems is down
• Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
Infrastructure Code
package 'httpd' do
  action :install
end

service 'httpd' do
  action [ :start, :enable ]
end
What We Have Here Is A Communications Problem
Security != Compliance
Compliance Language
One Language! Linux, Windows, BSD, Solaris, AIX, ...
Available Resources
apache_conf
apt
audit_policy
auditd_conf
auditd_rules
bond
bridge
csv
command
directory
etc_group
file
gem
group
host
inetd_conf
interface
iptables
kernel_module
kernel_parameter
limits_conf
login_defs
mount
mysql_conf
mysql_session
npm
ntp_conf
oneget
os
os_env
package
parse_config
parse_config_file
passwd
pip
port
postgres_conf
postgres_session
powershell
processes
registry_key
security_policy
service
ssh_config
sshd_config
user
windows_feature
yaml
yum
What is it not?
• IDS / IPS
• Firewall
• Antivirus
• Pentesting tool
One Language! Linux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
Test Locally
$ inspec exec test.rb
.
Finished in 0.00901 seconds (files took 0.98501 seconds to load)
1 example, 0 failures
Test Remote via SSH
$ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
No Ruby / agent on the node
Test Docker Containers
$ inspec exec test.rb -t docker://3dda08e75838
No Ruby / agent on the container
One Language! Linux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, GRUB, DBs
DB Testing
One Language! Linux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, GRUB, DBs, Endpoints, APIs, ...
Cloud Testing
Operating System and Application Coverage
• Red Hat Enterprise Linux
• Ubuntu
• SUSE
• Oracle Linux
• Microsoft Windows 7, 8
• Microsoft Windows Server 2008, 2012
• AIX
• HP-UX
• VMware ESXi
• Oracle
• MySQL
• Apache Tomcat
• SQL Server
• IIS
InSpec
kitchen-inspec
©2016 Chef Software Inc.
Test Kitchen
Setup our test
$ chef generate cookbook ssh
$ cd ssh
$ vim .kitchen.yml
$ kitchen converge
$ rm -rf test/integration/default/*
$ mkdir -p test/integration/default/inspec/
$ vim test/integration/default/inspec/default_spec.rb
SSH Version Check
describe sshd_config do
  its('Protocol') { should cmp 2 }
end
Run the test
$ kitchen verify
Failures:
  1) SSH Configuration Protocol should cmp 2
     Failure/Error: its('Protocol') { should cmp 2 }
     expected: 2
          got: 1
Fix the issue (manually)
$ kitchen login
$ sudo vi /etc/ssh/sshd_config
$ exit
$ kitchen verify
Finished in 0.0382 seconds (files took 0.7536 seconds to load)
1 example, 0 failures
Finished verifying <default-centos-71> (0m0.47s).
Open Source Community
• Test Kitchen
• https://kitchen.io
• https://github.com/test-kitchen
• Kitchen-InSpec
• https://github.com/chef/kitchen-inspec
• Kitchen-Ansible
• https://github.com/neillturner/kitchen-ansible
• Kitchen-Puppet
• https://github.com/neillturner/kitchen-puppet
• Supermarket.chef.io
InSpec
Used with Chef Compliance
Compliance as Code!
New Workflow
Chef Provides a Proven Approach to DevOps
(Workflow diagram; labels recovered from the slide: Targets/Workloads: Apps, Runtime environments, Infrastructure; Local Development: Model, Build, Test, Chef DK; Collaborative Development: Chef Delivery, Chef Supermarket, Search, Discover, Deploy; Assessment: Chef Compliance, Audit; Production: Chef Server, Chef Insights; Chef Client & Cookbooks.)
Austin, TX | July 11-13
Early Bird Pricing Through April 17th
« Workshops & Chef Training!
« Community Summit!
« Chef Partner Summit!
« Welcome Reception!
« Keynotes!
« Technical Sessions!
« Happy Hour!
« Keynotes!
« Technical Sessions!
« Awesome Chef Awards!
« Community Celebration!
ChefConf.com