Download as PDF, PPTX
![Infrastructure Code
package 'httpd' do
action :install
end
service 'httpd' do
action [ :start, :enable ]
end](https://image.slidesharecdn.com/complianceascode-inspec-160503165610/75/Compliance-as-Code-24-2048.jpg)
Uploaded byMatt Ray
Compliance as Code
The document discusses security compliance in DevOps, emphasizing the importance of using secure SSH protocols and the need for proper server token configuration in Apache to protect against information leakage. It highlights a trend where organizations are inadequately testing their security systems, leading to decreased compliance over time. The document also presents a workflow for compliance as code using Chef tools and offers insights into testing various infrastructures and platforms.
More Related Content
Compliance as Code
- 1. Compliance as Code DevOpsDaysAustin May 3, 2016
- 5.
- 8. SSH Control "SSH supportstwo different protocol versions.The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
- 9. How will Iverify this?
- 10. Whip up aone-liner! grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
- 11. Apache Server InformationLeakage – ServerToken Directive • Description This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OSType of the Server. This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. • How toTest In order to test for ServerToken configuration, one should check the Apache configuration file. • Misconfiguration ServerTokens Full • Remediation Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.This tells Apache to only return "Apache" in the Server header, returned on every page request. ServerTokens Prod or ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache
- 12. More grep andsed! grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
- 18.
- 20. Two-thirds of organizationsdid not adequately test the security of all in-scope systems!
- 21. KeyTrends • While individualrule compliance is up, testing of security systems is down • Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
- 23. Shell Scripts grep "^Protocol"/etc/ssh/sshd_config | sed 's/Protocol //' grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
- 24. Infrastructure Code package 'httpd'do action :install end service 'httpd' do action [ :start, :enable ] end
- 25. What We HaveHere Is A Communications Problem
- 27.
- 35.
- 36.
- 37.
- 38.
- 39. One Language! Linux,Windows, BSD,Solaris,AIX, ...
- 40.
- 41. What is itnot? • IDS / IPS • Firewall • Antivirus • Pentesting tool
- 42. One Language! Linux,Windows, BSD,Solaris,AIX, ... Bare-metal
- 43. One Language! Linux,Windows, BSD,Solaris,AIX, ... Bare-metal,VMs
- 44. One Language! Linux,Windows, BSD,Solaris,AIX, ... Bare-metal,VMs, Containers
- 45. Test Locally $ inspec exec test.rb . Finishedin 0.00901 seconds (files took 0.98501 seconds to load) 1 example, 0 failures
- 46. Test Remote viaSSH $ inspec exec test.rb -i vagrant.key -t ssh://root@172.17.0.1:11022 No Ruby / agent on the node
- 47. Test Remote viaWinRM $ inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super No Ruby / agent on the node
- 48. Test Docker Containers $inspec exec test.rb -t docker://3dda08e75838 No Ruby / agent on the container
- 49. One Language! Linux,Windows, BSD,Solaris,AIX, ... Bare-metal,VMs, Containers Nodes
- 50. One Language! Linux,Windows, BSD,Solaris,AIX, ... Bare-metal,VMs, Containers Nodes, GRUB, DBs
- 51.
- 52. One Language! Linux,Windows, BSD,Solaris,AIX, ... Bare-metal,VMs, Containers Nodes, GRUB, DBs, Endpoints,APIs, ...
- 53.
- 54. Operating System andApplication Coverage • Red Hat Enterprise Linux • Ubuntu • SUSE • Oracle Linux • Microsoft Windows 7, 8 • Microsoft Windows Server 2008, 2012 • AIX • HP-UX • VMware ESXi • Oracle • MySQL • ApacheTomcat • SQL Server • IIS
- 55.
- 56. ©2016 Chef SoftwareInc. Test Kitchen
- 57. Setup our test $chef generate cookbook ssh $ cd ssh $ vim .kitchen.yml $ kitchen converge $ rm -rf test/integration/default/* $ mkdir -p test/integration/default/inspec/ $ vim test/integration/default/inspec/default_spec.rb
- 58. SSHVersion Check describe sshd_configdo its('Protocol') { should cmp 2 } end
- 59. Run the test $ kitchen verify Failures: 1)SSH Configuration Protocol should cmp 2 Failure/Error: its('Protocol') { should cmp 2 } expected: 2 got: 1
- 60. Fix the issue(manually) $ kitchen login $ sudo vi /etc/ssh/sshd_config $ exit $ kitchen verify Finished in 0.0382 seconds (files took 0.7536 seconds to load) 1 example, 0 failures Finished verifying <default-centos-71> (0m0.47s).
- 61. Open Source Community • TestKitchen • https://kitchen.io • https://github.com/test-kitchen • Kitchen-InSpec • https://github.com/chef/kitchen-inspec • Kitchen-Ansible • https://github.com/neillturner/kitchen-ansible • Kitchen-Puppet • https://github.com/neillturner/kitchen-puppet • Supermarket.chef.io
- 62. InSpec Used with ChefCompliance
- 65.
- 66.
- 67. Chef Provides aProven Approach to DevOps Apps Runtime environments Infrastructure .. . Targets/Workloads Collaborative Development Chef Insights Production Chef Server Chef Server Chef Supermarket Assessment Chef Compliance Search Audit Discover Deploy Chef Delivery Local Development Model Build Test Chef DK Chef Client & Cookbooks
- 69. Austin, TX |July 11-13 Early Bird Pricing Through April 17th « Workshops & Chef Training! « Community Summit! « Chef Partner Summit! « Welcome Reception! « Keynotes! « Technical Sessions! « Happy Hour! « Keynotes! « Technical Sessions! « Awesome Chef Awards! « Community Celebration! ChefConf.com