Ansible is an incredibly easy way to manage infrastructure and configuration. But what's the best way to ensure the changes to your Ansible playbooks have the intended outcome and do not introduce unwanted changes? And how can you verify that your playbook changes do not negatively impact the compliance status of your infrastructure?
In this session, we will learn about InSpec and how its easy-to-read language allows integration and compliance requirements to be expressed as code. We will look at how Test Kitchen and InSpec can be used to validate your Ansible playbooks and empower developers to test for compliance earlier in the development cycle. We will also explore how to use and modify InSpec profiles created by others.
27. @nathenharvey
Verify the Site with InSpec
describe service('apache2') do
  it { should be_running }
end

describe port(80) do
  it { should be_listening }
end

# enable_remote_worker makes InSpec issue the HTTP request from the target
# node itself, so 'localhost' is the machine under test rather than the
# workstation running InSpec.
describe http('http://localhost', enable_remote_worker: true) do
  its('status') { should cmp 200 }
  its('body') { should match /Configuration Management Camp/ }
end
39. @nathenharvey
InSpec to Detect Policy Violations
• InSpec is great for integration testing
• But it can also be used for security or compliance checks
41. Map Documentation to Controls
control 'sox-404.3.5' do
  title 'Network Device to Central Auth Encryption'
  impact 1.0
  desc "
    All communication between network devices and
    central auth must be encrypted. Our TACACS+ servers
    encrypt all the time and the presence of a
    pre-shared key proves it."
  describe ini('/etc/tac_plus/tac_plus.conf') do
    its('key') { should_not be_nil }
  end
end
404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.
42. Share Context
43. Automate Test Execution
67. PART OF A PROCESS OF CONTINUOUS COMPLIANCE
Process diagram: Scan for Compliance → Build & Test Locally → Build & Test CI/CD → Remediate → Verify
A SIMPLE EXAMPLE OF AN INSPEC CIS RULE
InSpec
▪ Translate compliance into Code
▪ Clearly express statements of policy
▪ Move risk to build/test from runtime
▪ Find issues early
▪ Write code quickly
▪ Run code anywhere
▪ Inspect machines, data and APIs
Turn security and compliance into code
control 'cis-1.4.1' do
  title '1.4.1 Enable SELinux in /etc/grub.conf'
  desc '
    Do not disable SELinux and enforcing in your
    GRUB configuration. These are important security features that
    prevent attackers from escalating their access to your systems.
    For reference see …
  '
  impact 1.0
  expect(grub_conf.param 'selinux').to_not eq '0'
  expect(grub_conf.param 'enforcing').to_not eq '0'
end
68. @nathenharvey
Get Started with InSpec
• Install Chef Development Kit - https://downloads.chef.io/chefdk (includes Test Kitchen and InSpec)
• Install Ansible Provisioner: chef gem install kitchen-ansible
• Install Driver Requirements
  Vagrant – VirtualBox & Vagrant
  Docker – Docker
  EC2 – None, but you need an AWS account
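The slide lists the pieces to install but not the file that wires them together. The following .kitchen.yml is an added example, not code from the talk or from the nathenharvey/testing-ansible-with-inspec repository: it uses the Vagrant driver, the kitchen-ansible provisioner and the InSpec verifier, so that each `kitchen verify` runs the controls from the earlier slides against a machine the playbook has just converged. The playbook name, roles path, platform and profile path are assumptions; the dev-sec profile URL is taken from the "Use, Share, Contribute" links and shows how a profile written by others can be run alongside your own.

```yaml
---
# Added example (not from the talk's repository). Assumed layout:
#   playbook.yml               the Ansible playbook under test
#   roles/                     roles used by that playbook
#   test/integration/default/  InSpec profile holding the apache2, port and http controls
driver:
  name: vagrant                  # needs VirtualBox and Vagrant, as listed above

provisioner:
  name: ansible_playbook         # provided by the kitchen-ansible gem
  hosts: all                     # inventory group the playbook is applied to
  playbook: playbook.yml         # assumed filename
  roles_path: roles              # assumed location of the playbook's roles
  require_chef_for_busser: false # InSpec runs over SSH; no Chef install is needed on the node
  ansible_verbose: true

verifier:
  name: inspec
  sudo: true                     # lets controls read root-only files such as /etc/tac_plus/tac_plus.conf

platforms:
  - name: ubuntu-16.04           # assumed platform; use any Vagrant box your playbook supports

suites:
  - name: default
    verifier:
      inspec_tests:
        # your own profile with the controls shown on the earlier slides
        - path: test/integration/default
        # a profile maintained by others, pulled from the dev-sec project
        - name: linux-baseline
          git: https://github.com/dev-sec/linux-baseline.git
```

`kitchen test` runs the full create, converge, verify and destroy cycle; after editing the playbook, `kitchen converge` followed by `kitchen verify` re-applies it and re-runs only the InSpec controls, which is the fast loop the "Build & Test Locally" stage relies on.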
69. @nathenharvey
Use, Share, Contribute!
• dev-sec.io - https://github.com/dev-sec/
• InSpec – https://github.com/chef/inspec
• Supermarket - https://supermarket.chef.io/tools?type=compliance_profile
• Test Kitchen - https://github.com/test-kitchen
• Test Kitchen Ansible Provisioner - https://github.com/neillturner/kitchen-ansible
• Code from this presentation - https://github.com/nathenharvey/testing-ansible-with-inspec
70. Join us on Slack
• http://community-slack.chef.io
• #general (for Chef stuff)
• #inspec
• #test-kitchen
The Chef community believes that diversity is one of our biggest strengths! Ansible users are more than welcome here!