1. Introduction to
dev-sec.io
@attachmentgenie

2. Yes, its works in practice, but will it workYes, its works in practice, but will it work
in theoryin theory

3. $client_package$client_package == 'openssh-client''openssh-client'
package {package { 'openssh-client''openssh-client'::
ensure =>ensure => $package_version$package_version,,
name =>name => $client_package$client_package,,
}}
requirerequire 'spec_helper''spec_helper'
describedescribe 'ssh::client''ssh::client',, typetype:: :class:class dodo
on_os_under_test.eachon_os_under_test.each dodo ||osos,, factsfacts||
contextcontext "on"on #{#{osos}}"" dodo
letlet((:facts:facts) {) { factsfacts }}
contextcontext 'with defaults for all parameters''with defaults for all parameters' dodo
itit { is_expected.to contain_class({ is_expected.to contain_class('ssh::client''ssh::client') }) }
itit { is_expected.to contain_class({ is_expected.to contain_class('ssh::params''ssh::params') }) }
itit dodo
is_expected.to contain_package(is_expected.to contain_package('openssh-client''openssh-client').with().with(
'ensure''ensure' =>=> 'present''present'
))
endend

4. InSpec is an open-source testingInSpec is an open-source testing
framework for infrastructure with aframework for infrastructure with a
human-readable language for specifyinghuman-readable language for specifying
compliance, security and other policycompliance, security and other policy
requirements.requirements.

5. controlcontrol 'client 01''client 01' dodo
impactimpact 1.01.0
titletitle 'Verify ssh client''Verify ssh client'
descdesc 'Ensures ssh client should be installed''Ensures ssh client should be installed'
client_packageclient_package == 'openssh-client''openssh-client'
client_packageclient_package == 'openssh-clients''openssh-clients' ifif os[os[:family:family]] ====
'redhat''redhat'
describedescribe package(package(client_packageclient_package)) dodo
itit { is_expected.to be_installed }{ is_expected.to be_installed }
endend

6. Profile: tests fromProfile: tests from
{:path=>"/home/attachmentgenie/Devshed/Projects/attachmentgenie/attachme{:path=>"/home/attachmentgenie/Devshed/Projects/attachmentgenie/attachme
ntgenie-ssh/test/integration/default"} (tests fromntgenie-ssh/test/integration/default"} (tests from
{:path=>".home.attachmentgenie.Devshed.Projects.attachmentgenie.attachmen{:path=>".home.attachmentgenie.Devshed.Projects.attachmentgenie.attachmen
tgenie-ssh.test.integration.default"})tgenie-ssh.test.integration.default"})
Version: (not specified)Version: (not specified)
Target: ssh://vagrant@127.0.0.1:2200Target: ssh://vagrant@127.0.0.1:2200
✔✔ client 01: Verify ssh clientclient 01: Verify ssh client
✔✔ System Package openssh-client should be installedSystem Package openssh-client should be installed
✔✔ server 01: Verify ssh serviceserver 01: Verify ssh service
✔✔ Service ssh should be enabledService ssh should be enabled
✔✔ Service ssh should be installedService ssh should be installed
✔✔ Service ssh should be runningService ssh should be running
× keys 01: Verify authorized keys for user vagrant (1 failed)× keys 01: Verify authorized keys for user vagrant (1 failed)
✔✔ File /home/vagrant/.ssh/authorized_keys should existFile /home/vagrant/.ssh/authorized_keys should exist
✔✔ File /home/vagrant/.ssh/authorized_keys should be fileFile /home/vagrant/.ssh/authorized_keys should be file

7. The intern just “solved” the problem withThe intern just “solved” the problem with
$product by “fixing” the SSH config$product by “fixing” the SSH config

8. Obfuscated CodeObfuscated Code

9. InspecInspec
controlcontrol 'sshd-06''sshd-06' dodo
impactimpact 1.01.0
titletitle 'Server: Do not permit root-based login or do not allow'Server: Do not permit root-based login or do not allow
password and keyboard-interactive authentication'password and keyboard-interactive authentication'
descdesc 'Reduce the potential risk to gain full privileges access of'Reduce the potential risk to gain full privileges access of
the system because of weak password and keyboard-interactivethe system because of weak password and keyboard-interactive
authentication, do not allow logging in as the root user or withauthentication, do not allow logging in as the root user or with
password authentication.'password authentication.'
describedescribe sshd_configsshd_config dodo
itsits(('PermitRootLogin''PermitRootLogin') {) { shouldshould matchmatch((//no|without-passwordno|without-password//) }) }
endend
endend

10. SOX, PCI, HIPAA, CISSOX, PCI, HIPAA, CIS

11. InSpec supports the creation ofInSpec supports the creation of
complex test and compliance profiles,complex test and compliance profiles,
which organize controls to supportwhich organize controls to support
dependency management and codedependency management and code
reusereuse

12. Dev-sec.io Inspec ProfilesDev-sec.io Inspec Profiles
OSOS
SSHSSH
MysqlMysql
PostgresqlPostgresql
NginxNginx
ApacheApache
CIS DockerCIS Docker

13. InspecInspec
------
driver:driver:
name:name: vagrantvagrant
provisioner:provisioner:
manifest:manifest: init.ppinit.pp
manifests_path:manifests_path: examplesexamples
name:name: puppet_applypuppet_apply
require_chef_for_busser:require_chef_for_busser: falsefalse
require_puppet_omnibus:require_puppet_omnibus: truetrue
verifier:verifier:
name:name: inspecinspec
suite_name:suite_name: defaultdefault
inspec_tests:inspec_tests:
- https://github.com/dev-sec/ssh-baseline/archive/2.2.0.zip- https://github.com/dev-sec/ssh-baseline/archive/2.2.0.zip
platforms:platforms:
-- name:name: ubuntu-14.04ubuntu-14.04
-- name:name: ubuntu-16.04ubuntu-16.04
-- name:name: debian-7.11debian-7.11
-- name:name: debian-8.8debian-8.8
-- name:name: centos-6.9centos-6.9
-- name:name: centos-7.3centos-7.3

14. Sample HardeningSample Hardening
implementationsimplementations
OSOS
SSHSSH
MysqlMysql
PostgresqlPostgresql
NginxNginx

15. All the tools, like Ansible, Chef andAll the tools, like Ansible, Chef and
PuppetPuppet

16. CommunityCommunity
http://dev-sec.io/http://dev-sec.io/
@DevSecIO@DevSecIO
https://github.com/dev-sechttps://github.com/dev-sec
https://gitter.im/dev-sec/homehttps://gitter.im/dev-sec/home
https://supermarket.chef.io/tools?q=devsechttps://supermarket.chef.io/tools?q=devsec
https://supermarket.chef.io/cookbooks?q=hardeninghttps://supermarket.chef.io/cookbooks?q=hardening
https://galaxy.ansible.com/dev-sec/https://galaxy.ansible.com/dev-sec/
https://forge.puppet.com/hardeninghttps://forge.puppet.com/hardening