2016 - Compliance as Code - InSpec

Compliance as Code
DevOpsDays Austin
May 3, 2016

SSH Control
"SSH supports two different protocol
versions.The original version, SSHv1, was
subject to a number of security issues.
Please use SSHv2 instead to avoid
these."

Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'

Apache Server Information Leakage – ServerToken Directive
•  Description
  This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OSType of the
Server.
  This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities
are dependent upon specific software versions.
•  How toTest
  In order to test for ServerToken configuration, one should check the Apache configuration file.
•  Misconfiguration
  ServerTokens Full
•  Remediation
  Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.This tells Apache to only
return "Apache" in the Server header, returned on every page request.
  ServerTokens Prod
  or
  ServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache

More grep and sed!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

Two-thirds of organizations did
not adequately test the security
of all in-scope systems!

KeyTrends
•  While individual rule compliance
is up, testing of security systems
is down
•  Sustainability is low. Fewer than
a third of companies were found
to be still fully compliant less
than a year after successful
validation.

Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

Infrastructure Code
package 'httpd' do
action :install
end
service 'httpd' do
action [ :start, :enable ]
end

What We Have Here Is A Communications Problem

One Language!
Linux,Windows, BSD, Solaris,AIX, ...

Available Resources
apache_conf
apt
audit_policy
auditd_conf
auditd_rules
bond
bridge
csv
command
directory
etc_group
file
gem
group
host
inetd_conf
interface
iptables
kernel_module
kernel_parameter
limits_conf
login_defs
mount
mysql_conf
mysql_session
npm
ntp_conf
oneget
os
os_env
package
parse_config
parse_config_file
passwd
pip
port
postgres_conf
postgres_session
powershell
processes
registry_key
security_policy
service
ssh_config
sshd_config
user
windows_feature
yaml
yum

What is it not?
• IDS / IPS
• Firewall
• Antivirus
• Pentesting tool

One Language!
Bare-metal

One Language!
Bare-metal,VMs

One Language!
Bare-metal,VMs, Containers

Test Locally
$ inspec exec test.rb
.

Finished in 0.00901 seconds (files took 0.98501 seconds to load)
1 example, 0 failures

Test Remote via SSH
$ inspec exec test.rb -i vagrant.key -t ssh://root@172.17.0.1:11022

No Ruby / agent on the node

Test Remote via WinRM
$ inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super

No Ruby / agent on the node

Test Docker Containers
$ inspec exec test.rb -t docker://3dda08e75838
No Ruby / agent on the container

One Language!
Nodes

One Language!
Nodes, GRUB, DBs

One Language!
Nodes, GRUB, DBs, Endpoints,APIs, ...

Operating System and Application Coverage
•  Red Hat Enterprise Linux
•  Ubuntu
•  SUSE
•  Oracle Linux
•  Microsoft Windows 7, 8
•  Microsoft Windows Server 2008,
2012
•  AIX
•  HP-UX
•  VMware ESXi
•  Oracle
•  MySQL
•  ApacheTomcat
•  SQL Server
•  IIS

Setup our test
$ chef generate cookbook ssh
$ cd ssh
$ vim .kitchen.yml
$ kitchen converge
$ rm -rf test/integration/default/*
$ mkdir -p test/integration/default/inspec/
$ vim test/integration/default/inspec/default_spec.rb

SSHVersion Check
describe sshd_config do
its('Protocol') { should cmp 2 }
end

Run the test
$ kitchen verify
Failures:

1) SSH Configuration Protocol should cmp 2
Failure/Error: its('Protocol') { should cmp 2 }

expected: 2
got: 1

Fix the issue (manually)
$ kitchen login
$ sudo vi /etc/ssh/sshd_config
$ exit
$ kitchen verify
Finished in 0.0382 seconds (files took 0.7536 seconds to
load)
1 example, 0 failures

Finished verifying <default-centos-71> (0m0.47s).

Open Source Community
• Test Kitchen
• https://kitchen.io
• https://github.com/test-kitchen
• Kitchen-InSpec
• https://github.com/chef/kitchen-inspec
• Kitchen-Ansible
• https://github.com/neillturner/kitchen-ansible
• Kitchen-Puppet
• https://github.com/neillturner/kitchen-puppet
• Supermarket.chef.io

InSpec
Used with Chef Compliance

Chef Provides a Proven Approach to DevOps
Apps
Runtime
environments
Infrastructure
..
.
Targets/Workloads
Collaborative
Development
Chef Insights
Production
Chef Server
Chef Server
Chef Supermarket
Assessment
Chef Compliance
Search
Audit
Discover
Deploy
Chef Delivery
Local
Development
Model
Build
Test
Chef DK
Chef Client & Cookbooks

Austin, TX | July 11-13
Early Bird Pricing Through April 17th
«  Workshops & Chef Training!
«  Community Summit!
«  Chef Partner Summit!
«  Welcome Reception!
«  Keynotes!
«  Technical Sessions!
«  Happy Hour!
«  Keynotes!
«  Technical Sessions!
«  Awesome Chef Awards!
«  Community Celebration!
ChefConf.com

2016 - Compliance as Code - InSpec

2016 - Compliance as Code - InSpec

More Related Content

What's hot

Viewers also liked

Similar to 2016 - Compliance as Code - InSpec

More from devopsdaysaustin

Recently uploaded

2016 - Compliance as Code - InSpec