Chef, profile picture
Uploaded byChef
PPTX, PDF1,088 views

Compliance Automation with Inspec Part 2

The document discusses compliance automation and the importance of using SSH version 2 to avoid security risks. It highlights the necessity of configuring Apache server settings to conceal server details and emphasizes the low sustainability of compliance among organizations. Additionally, it introduces Chef Compliance, a tool for identifying compliance issues and creating customizable reports using Inspec for compliance testing.

Embed presentation

Downloaded 42 times
Getting Started with Compliance Automation
SSH Control SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
How will I verify this?
Whip up a one-liner! grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
Apache Server Information Leakage – Server Token Directive• Description This Directive Controls weather Server response field is sent back to clients includes a description of Generic OS Type of the Server. This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. • How to Test In order to test for ServerToken configuration, one should check the Apache configuration file. • Misconfiguration ServerTokens Full • Remediation Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request. ServerTokens Prod or ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache
Whip up a one-liner! grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
Whip up a two-liner! TARGET=2 grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' > /dev/null && echo $TARGET
Two-thirds of organizations did not adequately test the security of all in-scope systems
Key Trends • While individual rule compliance is up, testing of security systems is down • Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
Shell Scripts grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
Infrastructure Code package 'httpd' do action :install end service 'httpd' do action [ :start, :enable ] end
What We Have Here Is A Communications Problem
Security != Compliance
©2016 Chef Software Inc. 2-30 Chef Compliance Identify compliance issues, security risks, and outdated software with customizable reports. Write your own compliance rules in InSpec or get started quickly by using built-in profiles – predefined rule sets for a variety of security frameworks.
©2016 Chef Software Inc. 2-31 Chef Compliance Chef Automate - Compliance Your Infrastructure LAN/WAN
©2016 Chef Software Inc. 2-32 Chef Compliance Chef Compliance can run without any other Chef software installed. The nodes you scan don't even need Chef software on them if you are scanning them for compliance. However, you would need Chef software to create and implement remediation recipes.
©2016 Chef Software Inc. 2-33 Chef Compliance Reports: Chef Compliance can produce reports that indicate risks and issues classified by severity and impact levels. Compliance Profiles: You can get started quickly with pre-built Compliance profiles for scanning Linux and Windows nodes.
©2016 Chef Software Inc. 2-34 Chef Compliance leverages InSpec. InSpec is an open-source run-time framework and rule language used to specify compliance, security, and policy requirements for testing any node in your infrastructure. Turn Compliance into Code control 'cis-3.1' do impact 0.7 title 'Set Daemon umask' desc ' Set the default umask for all processes started at boot time. ' describe file('/etc/sysconfig/init') do its('content') {should match 'umask 027'} end end
©2016 Chef Software Inc. 2-35 InSpec includes a collection of resources to help you write auditing rules quickly and easily using the Compliance DSL. Use InSpec to examine any node in your infrastructure; run the tests locally or remotely. Any detected security, compliance, or policy issues are flagged in a log and in Chef Compliance, displayed in a GUI. Clearly Express Statements of Policy describe port(80) do it { should_not be_listening } end describe port(443) do it { should be_listening } its('protocols') {should include 'tcp'} end
©2016 Chef Software Inc. 2-36 Find Issues Early Execute the compliance tests as part of your local development. Use InSpec as part of the Test Kitchen verification. Check running systems against your Compliance Profiles.
©2016 Chef Software Inc. 2-37 Write code quickly InSpec includes a collection of resources that help you write audit controls quickly and easily.
©2016 Chef Software Inc. 2-38 Write code quickly describe file('/etc/ssh/sshd_config') do its(:content) { should match /Protocol 2/ } end
©2016 Chef Software Inc. 2-39 Write code quickly describe sshd_config do its(:content) { should match /Protocol 2/ } end
©2016 Chef Software Inc. 2-40 Write code quickly describe sshd_config do its('Protocol') { should cmp 2 } end
©2016 Chef Software Inc. 2-41 Available Resources apache apache_conf apt audit_policy auditd_conf auditd_rules bash bond bridge command csv directory etc_group file gem group grub_conf host iis_site inetd_conf ini interface iptables json kernel_module kernel_paramet er limits_conf login_def mount mssql_session mysql mysql_conf mysql_session npm ntp_conf oneget os os_env package parse_config passwd pip port postgres postgres_conf postgres_sessi on powershell processes registry_key security_policy service shadow ssh_conf ssl user vbscript windows_feature wmi xinetd yaml yum
©2016 Chef Software Inc. 2-42 Run Code Anywhere Test Locally: $ inspec exec test.rb
©2016 Chef Software Inc. 2-43 Run Code Anywhere Remote via SSH: $ inspec exec test.rb -t ssh://54.163.150.246 --user=chef -- password=chef.io
©2016 Chef Software Inc. 2-44 Run Code Anywhere Remote via WinRM: $ inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super
©2016 Chef Software Inc. 2-45 Run Code Anywhere Docker Container $ inspec exec test.rb -t docker://3dda08e75838
©2016 Chef Software Inc. 2-46 Run Code Anywhere $ inspec exec test.rb $ inspec exec test.rb -i ~/.aws/nathen.pem -t ssh://ec2-user@54.152.7.203 $ inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super $ inspec exec test.rb -t docker://3dda08e75838
©2016 Chef Software Inc. 2-47 Inspect machines, data, & APIs describe host('example.com', port: 80, proto: 'tcp') do it { should be_reachable } end
©2016 Chef Software Inc. 2-48 Inspect machines, data, & APIs describe mysql_conf do its('slow_query_log_file') { should eq 'hostname_slow.log' } its('slow_query_log') { should eq '0' } its('log_queries_not_using_indexes') { should eq '1' } its('long_query_time') { should eq '0.5' } its('min_examined_row_limit') { should eq '100' } end
©2016 Chef Software Inc. 2-49 Inspect machines, data, & APIs control 'sg-1' do impact 1.0 title 'Security Group: No ingress access to CIDR block 0.0.0.0/0' desc 'Security Groups must not allow inbound access from anywhere' Vpc.new(id: ENV['vpc_id']).security_groups.each do |security_group| describe security_group do it { should_not have_ingress_rule().with_source('0.0.0.0/0') } end end end
©2016 Chef Software Inc. 2-50 Compliance profiles exist for many scenarios, such as those created by the Center for Internet Security (CIS) Chef Compliance maintains profiles as a collection of individual controls that comprise a complete audit. You can also create your own custom Compliance profiles. Compliance Profiles
©2016 Chef Software Inc. 2-51 Compliance Web UI The Chef Compliance web UI provides views into compliance scan results as well as views of Chef Compliance profiles. You execute scans via the Compliance web UI as well.
©2016 Chef Software Inc.

More Related Content

PPTX
Compliance Automation with Inspec Part 4
byChef
 
PPTX
London Community Summit - Chef at SkyBet
byChef
 
PDF
Intermediate/Compliance training Guide
byChef
 
PPTX
Application Automation with Habitat
byChef
 
PPTX
Achieving DevOps Success with Chef Automate
byChef
 
PPTX
London Community Summit 2016 - Fresh New Chef Stuff
byChef
 
PDF
Nike popup compliance workshop
byChef
 
PDF
Compliance as Code
byMatt Ray
 
Compliance Automation with Inspec Part 4
byChef
 
London Community Summit - Chef at SkyBet
byChef
 
Intermediate/Compliance training Guide
byChef
 
Application Automation with Habitat
byChef
 
Achieving DevOps Success with Chef Automate
byChef
 
London Community Summit 2016 - Fresh New Chef Stuff
byChef
 
Nike popup compliance workshop
byChef
 
Compliance as Code
byMatt Ray
 

What's hot

PDF
Chef Automate Workflow Demo
byChef
 
PPTX
Chef Workflow Demo
byChef
 
PDF
Chef compliance - Intermediate Training
bySarah Hynes Cheney
 
PPTX
Azure handsonlab
byChef
 
PPTX
Compliance Automation with InSpec
byNathen Harvey
 
PPTX
Compliance Automation with Inspec Part 1
byChef
 
PDF
Nike pop up habitat
byChef
 
PDF
Compliance Automation Workshop
byChef
 
PDF
Bay Area Chef Meetup February
byJessica DeVita
 
PPTX
Effective Testing with Ansible and InSpec
byNathen Harvey
 
PDF
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
byMatt Ray
 
PPTX
Compliance Automation with Inspec Part 3
byChef
 
PPTX
Chef Hack Day Denver
byChef
 
PDF
Infrastructure and Compliance Delight with Chef Automate
byMatt Ray
 
PDF
Automating Compliance with InSpec - AWS North Sydney
byMatt Ray
 
PDF
Using Habitat to Unify Dev to CI to Production - Configmgmt Camp Feb/2018 Gent
bySalim Afiune Maya
 
PPTX
Chef Compliance & Workflow w/Delivery
byChef
 
PDF
Automating AWS Compliance with InSpec
byMatt Ray
 
PPTX
Compliance as Code - Using the Open Source InSpec testing Framework
bySonatype
 
PPTX
Devops journey chefpopup-2016.04.26-v2
byChef
 
Chef Automate Workflow Demo
byChef
 
Chef Workflow Demo
byChef
 
Chef compliance - Intermediate Training
bySarah Hynes Cheney
 
Azure handsonlab
byChef
 
Compliance Automation with InSpec
byNathen Harvey
 
Compliance Automation with Inspec Part 1
byChef
 
Nike pop up habitat
byChef
 
Compliance Automation Workshop
byChef
 
Bay Area Chef Meetup February
byJessica DeVita
 
Effective Testing with Ansible and InSpec
byNathen Harvey
 
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
byMatt Ray
 
Compliance Automation with Inspec Part 3
byChef
 
Chef Hack Day Denver
byChef
 
Infrastructure and Compliance Delight with Chef Automate
byMatt Ray
 
Automating Compliance with InSpec - AWS North Sydney
byMatt Ray
 
Using Habitat to Unify Dev to CI to Production - Configmgmt Camp Feb/2018 Gent
bySalim Afiune Maya
 
Chef Compliance & Workflow w/Delivery
byChef
 
Automating AWS Compliance with InSpec
byMatt Ray
 
Compliance as Code - Using the Open Source InSpec testing Framework
bySonatype
 
Devops journey chefpopup-2016.04.26-v2
byChef
 

Viewers also liked

PDF
Inspec, or how to translate compliance spreadsheets into code
byMichael Goetz
 
PDF
2016 - Compliance as Code - InSpec
bydevopsdaysaustin
 
PPTX
Introduction to InSpec and 1.0 release update
byAlex Pop
 
KEY
Infrastructure Automation with Chef
byAdam Jacob
 
PDF
Automating secure server baselines with Chef
byChef Software, Inc.
 
PPTX
Vagrant and chef
byNick Ramirez
 
PPTX
Successful Practices for Continuous Delivery CodeCPH
byMandi Walls
 
PDF
Our DevOps Journey - An Exercise in Cultural Change
byChef
 
PDF
Validation driven change
byMichael Goetz
 
PPTX
London Community Summit 2016 - Community Update
byChef
 
PPTX
Learning from Configuration Management
byChef
 
PPTX
London Community Summit 2016 - Adopting Chef Compliance
byChef
 
PPT
UX Team Of One
byguestbf976e
 
PDF
Ficha inscricao aluno_cisja
byamirpajm
 
PPT
大葉簡報
bywcliao21
 
PDF
スペシャルクーポンガチャによって中高生に家計簿の習慣をつけさせる
bystucon
 
PDF
#CannesLions 2014: Day 5 Recap #OgilvyCannes
byOgilvy
 
PPT
煩惱就是菩提
byjuliemonzon88
 
Inspec, or how to translate compliance spreadsheets into code
byMichael Goetz
 
2016 - Compliance as Code - InSpec
bydevopsdaysaustin
 
Introduction to InSpec and 1.0 release update
byAlex Pop
 
Infrastructure Automation with Chef
byAdam Jacob
 
Automating secure server baselines with Chef
byChef Software, Inc.
 
Vagrant and chef
byNick Ramirez
 
Successful Practices for Continuous Delivery CodeCPH
byMandi Walls
 
Our DevOps Journey - An Exercise in Cultural Change
byChef
 
Validation driven change
byMichael Goetz
 
London Community Summit 2016 - Community Update
byChef
 
Learning from Configuration Management
byChef
 
London Community Summit 2016 - Adopting Chef Compliance
byChef
 
UX Team Of One
byguestbf976e
 
Ficha inscricao aluno_cisja
byamirpajm
 
大葉簡報
bywcliao21
 
スペシャルクーポンガチャによって中高生に家計簿の習慣をつけさせる
bystucon
 
#CannesLions 2014: Day 5 Recap #OgilvyCannes
byOgilvy
 
煩惱就是菩提
byjuliemonzon88
 

Similar to Compliance Automation with Inspec Part 2

PDF
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
byMatt Ray
 
PDF
Philly security shell meetup
byNicole Johnson
 
PDF
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
byAgileNZ Conference
 
PPTX
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
 
PPTX
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
byadamleff
 
PDF
Compliance as Code with InSpec - DevOps Melbourne 2017
byMatt Ray
 
PPTX
2019 Chef InSpec Jumpstart Part 1 of 2
byLarry Eichenbaum
 
PDF
Security and dev ops for high velocity organizations
byChef
 
PPTX
InSpec at DevOps ATL Meetup January 22, 2020
byMandi Walls
 
PDF
Melbourne Infracoders: Compliance as Code with InSpec
byMatt Ray
 
PDF
Introduction To Continuous Compliance & Remediation
byNicole Johnson
 
PDF
Inspec one tool to rule them all
byKimball Johnson
 
PDF
Prescriptive System Security with InSpec
byAll Things Open
 
PPTX
Prescriptive Security with InSpec - All Things Open 2019
byMandi Walls
 
PPTX
Adding Security to Your Workflow With InSpec - SCaLE17x
byMandi Walls
 
PPTX
Using Chef InSpec for Infrastructure Security
byMandi Walls
 
PDF
Mitigate potential compliance risks
byJürgen Brüder
 
PDF
Compliance as Code Everywhere
byMatt Ray
 
PPTX
InSpec Workshop at Velocity London 2018
byMandi Walls
 
PPTX
Adding Security and Compliance to Your Workflow with InSpec
byMandi Walls
 
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
byMatt Ray
 
Philly security shell meetup
byNicole Johnson
 
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
byAgileNZ Conference
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
byadamleff
 
Compliance as Code with InSpec - DevOps Melbourne 2017
byMatt Ray
 
2019 Chef InSpec Jumpstart Part 1 of 2
byLarry Eichenbaum
 
Security and dev ops for high velocity organizations
byChef
 
InSpec at DevOps ATL Meetup January 22, 2020
byMandi Walls
 
Melbourne Infracoders: Compliance as Code with InSpec
byMatt Ray
 
Introduction To Continuous Compliance & Remediation
byNicole Johnson
 
Inspec one tool to rule them all
byKimball Johnson
 
Prescriptive System Security with InSpec
byAll Things Open
 
Prescriptive Security with InSpec - All Things Open 2019
byMandi Walls
 
Adding Security to Your Workflow With InSpec - SCaLE17x
byMandi Walls
 
Using Chef InSpec for Infrastructure Security
byMandi Walls
 
Mitigate potential compliance risks
byJürgen Brüder
 
Compliance as Code Everywhere
byMatt Ray
 
InSpec Workshop at Velocity London 2018
byMandi Walls
 
Adding Security and Compliance to Your Workflow with InSpec
byMandi Walls
 

More from Chef

PPTX
Habitat Managed Chef
byChef
 
PPTX
Automation, Audits, and Apps Tour
byChef
 
PPTX
Automation, Audits, and Apps Tour
byChef
 
PPTX
London Community Summit - From Contribution to Authorship
byChef
 
PPTX
London Community Summit 2016 - Chef Automate
byChef
 
PPTX
London Community Summit 2016 - Habitat
byChef
 
PDF
The caseforawesome
byChef
 
PDF
Netflix's Could Migration
byChef
 
PDF
Alaska Airlines DevOps Journey
byChef
 
PDF
And The Slow Suffer What They Must
byChef
 
PDF
Visualizing your journey with chef
byChef
 
PDF
The New IT Game
byChef
 
PPTX
How to Accelerate Agile, Lean and DevOps Adoption Across Your Organization
byChef
 
PPTX
Chef andwindows reactor
byChef
 
Habitat Managed Chef
byChef
 
Automation, Audits, and Apps Tour
byChef
 
Automation, Audits, and Apps Tour
byChef
 
London Community Summit - From Contribution to Authorship
byChef
 
London Community Summit 2016 - Chef Automate
byChef
 
London Community Summit 2016 - Habitat
byChef
 
The caseforawesome
byChef
 
Netflix's Could Migration
byChef
 
Alaska Airlines DevOps Journey
byChef
 
And The Slow Suffer What They Must
byChef
 
Visualizing your journey with chef
byChef
 
The New IT Game
byChef
 
How to Accelerate Agile, Lean and DevOps Adoption Across Your Organization
byChef
 
Chef andwindows reactor
byChef
 

Recently uploaded

PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PDF
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
PDF
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
PDF
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PDF
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
PDF
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
PDF
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
PDF
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
PDF
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
PPTX
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
PPTX
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
PDF
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
PDF
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...
bywintari3
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 

Compliance Automation with Inspec Part 2

  • 1.
    Getting Started withCompliance Automation
  • 5.
    SSH Control SSH supportstwo different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
  • 6.
    How will Iverify this?
  • 7.
    Whip up aone-liner! grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
  • 8.
    Apache Server InformationLeakage – Server Token Directive• Description This Directive Controls weather Server response field is sent back to clients includes a description of Generic OS Type of the Server. This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. • How to Test In order to test for ServerToken configuration, one should check the Apache configuration file. • Misconfiguration ServerTokens Full • Remediation Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request. ServerTokens Prod or ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache
  • 9.
    Whip up aone-liner! grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
  • 11.
    Whip up atwo-liner! TARGET=2 grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' > /dev/null && echo $TARGET
  • 17.
    Two-thirds of organizations didnot adequately test the security of all in-scope systems
  • 18.
    Key Trends • Whileindividual rule compliance is up, testing of security systems is down • Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
  • 20.
    Shell Scripts grep "^Protocol"/etc/ssh/sshd_config | sed 's/Protocol //' grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
  • 21.
    Infrastructure Code package 'httpd'do action :install end service 'httpd' do action [ :start, :enable ] end
  • 22.
    What We HaveHere Is A Communications Problem
  • 24.
  • 30.
    ©2016 Chef SoftwareInc. 2-30 Chef Compliance Identify compliance issues, security risks, and outdated software with customizable reports. Write your own compliance rules in InSpec or get started quickly by using built-in profiles – predefined rule sets for a variety of security frameworks.
  • 31.
    ©2016 Chef SoftwareInc. 2-31 Chef Compliance Chef Automate - Compliance Your Infrastructure LAN/WAN
  • 32.
    ©2016 Chef SoftwareInc. 2-32 Chef Compliance Chef Compliance can run without any other Chef software installed. The nodes you scan don't even need Chef software on them if you are scanning them for compliance. However, you would need Chef software to create and implement remediation recipes.
  • 33.
    ©2016 Chef SoftwareInc. 2-33 Chef Compliance Reports: Chef Compliance can produce reports that indicate risks and issues classified by severity and impact levels. Compliance Profiles: You can get started quickly with pre-built Compliance profiles for scanning Linux and Windows nodes.
  • 34.
    ©2016 Chef SoftwareInc. 2-34 Chef Compliance leverages InSpec. InSpec is an open-source run-time framework and rule language used to specify compliance, security, and policy requirements for testing any node in your infrastructure. Turn Compliance into Code control 'cis-3.1' do impact 0.7 title 'Set Daemon umask' desc ' Set the default umask for all processes started at boot time. ' describe file('/etc/sysconfig/init') do its('content') {should match 'umask 027'} end end
  • 35.
    ©2016 Chef SoftwareInc. 2-35 InSpec includes a collection of resources to help you write auditing rules quickly and easily using the Compliance DSL. Use InSpec to examine any node in your infrastructure; run the tests locally or remotely. Any detected security, compliance, or policy issues are flagged in a log and in Chef Compliance, displayed in a GUI. Clearly Express Statements of Policy describe port(80) do it { should_not be_listening } end describe port(443) do it { should be_listening } its('protocols') {should include 'tcp'} end
  • 36.
    ©2016 Chef SoftwareInc. 2-36 Find Issues Early Execute the compliance tests as part of your local development. Use InSpec as part of the Test Kitchen verification. Check running systems against your Compliance Profiles.
  • 37.
    ©2016 Chef SoftwareInc. 2-37 Write code quickly InSpec includes a collection of resources that help you write audit controls quickly and easily.
  • 38.
    ©2016 Chef SoftwareInc. 2-38 Write code quickly describe file('/etc/ssh/sshd_config') do its(:content) { should match /Protocol 2/ } end
  • 39.
    ©2016 Chef SoftwareInc. 2-39 Write code quickly describe sshd_config do its(:content) { should match /Protocol 2/ } end
  • 40.
    ©2016 Chef SoftwareInc. 2-40 Write code quickly describe sshd_config do its('Protocol') { should cmp 2 } end
  • 41.
    ©2016 Chef SoftwareInc. 2-41 Available Resources apache apache_conf apt audit_policy auditd_conf auditd_rules bash bond bridge command csv directory etc_group file gem group grub_conf host iis_site inetd_conf ini interface iptables json kernel_module kernel_paramet er limits_conf login_def mount mssql_session mysql mysql_conf mysql_session npm ntp_conf oneget os os_env package parse_config passwd pip port postgres postgres_conf postgres_sessi on powershell processes registry_key security_policy service shadow ssh_conf ssl user vbscript windows_feature wmi xinetd yaml yum
  • 42.
    ©2016 Chef SoftwareInc. 2-42 Run Code Anywhere Test Locally: $ inspec exec test.rb
  • 43.
    ©2016 Chef SoftwareInc. 2-43 Run Code Anywhere Remote via SSH: $ inspec exec test.rb -t ssh://54.163.150.246 --user=chef -- password=chef.io
  • 44.
    ©2016 Chef SoftwareInc. 2-44 Run Code Anywhere Remote via WinRM: $ inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super
  • 45.
    ©2016 Chef SoftwareInc. 2-45 Run Code Anywhere Docker Container $ inspec exec test.rb -t docker://3dda08e75838
  • 46.
    ©2016 Chef SoftwareInc. 2-46 Run Code Anywhere $ inspec exec test.rb $ inspec exec test.rb -i ~/.aws/nathen.pem -t ssh://ec2-user@54.152.7.203 $ inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super $ inspec exec test.rb -t docker://3dda08e75838
  • 47.
    ©2016 Chef SoftwareInc. 2-47 Inspect machines, data, & APIs describe host('example.com', port: 80, proto: 'tcp') do it { should be_reachable } end
  • 48.
    ©2016 Chef SoftwareInc. 2-48 Inspect machines, data, & APIs describe mysql_conf do its('slow_query_log_file') { should eq 'hostname_slow.log' } its('slow_query_log') { should eq '0' } its('log_queries_not_using_indexes') { should eq '1' } its('long_query_time') { should eq '0.5' } its('min_examined_row_limit') { should eq '100' } end
  • 49.
    ©2016 Chef SoftwareInc. 2-49 Inspect machines, data, & APIs control 'sg-1' do impact 1.0 title 'Security Group: No ingress access to CIDR block 0.0.0.0/0' desc 'Security Groups must not allow inbound access from anywhere' Vpc.new(id: ENV['vpc_id']).security_groups.each do |security_group| describe security_group do it { should_not have_ingress_rule().with_source('0.0.0.0/0') } end end end
  • 50.
    ©2016 Chef SoftwareInc. 2-50 Compliance profiles exist for many scenarios, such as those created by the Center for Internet Security (CIS) Chef Compliance maintains profiles as a collection of individual controls that comprise a complete audit. You can also create your own custom Compliance profiles. Compliance Profiles
  • 51.
    ©2016 Chef SoftwareInc. 2-51 Compliance Web UI The Chef Compliance web UI provides views into compliance scan results as well as views of Chef Compliance profiles. You execute scans via the Compliance web UI as well.
  • 52.

Editor's Notes

  • #3 I’m an application developer! When I build apps, they go through various stages to get to my production environment.
  • #4 I heard we were going to be audited. The auditor showed up and wanted to audit our environment. I was a little nervous also self-assured. I was managing my infrastructure on AWS, everything is automated with Chef, how bad could it be.
  • #5 The auditor handed me a list of controls to verify.
  • #11 The auditor handed me a list of controls to verify.
  • #13 This took forever…but once it was done I took solace in the fact that the auditors wouldn’t return for at least another six months. We could get back to our normal development process.
  • #14 “Not so fast!” said our security team. We had to introduce a Security Review phase to our delivery.
  • #15 This is how I think of “security reviews” – they slow down the flow and change backs up. The more changes back up, the more we need to “expedite” or “force” things through the dam in order to satisfy LoB needs. Which leads to…
  • #17 Ok, so we still need to assure ourselves that things are "secure", right? So what we do is replace this security 'gate" with "scanning" At some later date Not with the same cadence as we're flowing changes through the system Usually only when the auditors are on site Which is why the sustainability is low – same thing as mentioned in the PCI report from Verizon
  • #18 How many of you are in regulated industries? It's so bad that you don't have to go past the first page of this report…
  • #19 80% of companies still fail at interim assessment CAGR of 66% in security incidents since 2009.
  • #20 The auditor handed me a list of controls to verify.
  • #24 I think we need to stop whatever we’re doing and go back to first principles for a second.
  • #25 First I want to start defining security and compliance. These are not the same thing, although obviously they are related. Up until now we have been primarily concerned with compliance activities. Actually in many cases you could be “compliant” without achieving the intended aims of standards, which is to assure security. The objective isn't to pass the compliance audit, the objective is to actually make our systems more secure. You can spend a lot of time negotiating with auditors and getting them to accept "compensating controls" and the like in order to pass a compliance audit, but this is what Jez Humble would call "compliance theatre". How much can you pull the wool over the eyes of your auditors while still having a company that still has huge risks?
  • #26 Before you can be compliant, you first have to truly be secure. Compliance is about: Don’t get hacked Don’t lose data Compliance activities aren’t just about “making auditors go away” which is how we’ve treated them.
  • #27 We always talk about how in DevOps it's not about the tools, it's about the culture. But you want to choose tools that will help you reinforce the culture you want. I've spent the first part of this presentation talking about how that it's the culture and mindset of how to do security and compliance culture that are problematic these days. Now I'll talk about how you can use tools and processes to help get to the culture you want, which is to build in security as part of the quality of getting a thing to production.
  • #28 One of our beliefs is that the world of humans acting directly on computers is over – it’s not scalable, it’s not reproducible, it’s not testable
  • #29 So the future is clearly humans acting on code, and code acting on machines – that’s the era that Chef grew up in.
  • #30 For the purposes of compliance, we actually wanted a common language, in code, that would allow all audiences – compliance, security, and devops – to collaborate on. And this code will then act on systems. And for this I’d like to turn it over to my colleague Galen Emery to show you Chef Compliance, and that language we invented, called InSpec.
  • #31 By now you are probably aware of how Chef automates the configuration and management of your infrastructure. But what about risks and compliance issues of your infrastructure? Regulatory compliance is a fact of life for every enterprise. With Chef Compliance you can scan for risks and compliance issues with easy-to-understand, customizable reports and visualization. You can then use Chef to automate the remediation of issues and use Chef Compliance to implement a continuous audit of applications and infrastructure.
  • #32 The Chef Compliance server is a centralized location from which all aspects of the state or your infrastructure’s compliance can be managed. With Chef Compliance you can test any node in your infrastructure, including all of the common UNIX and Linux platforms and most versions of Microsoft Windows. Chef Compliance can continuously test any node against the goals of your organization’s security management lifecycle for risks and compliance issues.
  • #33 Chef Compliance can run without any other Chef software installed on the Chef Compliance server machine. The nodes you scan don't even need Chef software on them if you are scanning them for compliance. However, you would need Chef software to create and implement remediation recipes if you choose to use recipes to remediate compliance issues.
  • #35 Chef Compliance leverages InSpec. InSpec is an open-source run-time framework and rule language used to specify compliance, security, and policy requirements for testing any node in your infrastructure. The InSpec name refers to “infrastructure specification InSpec includes a collection of resources to help you write auditing rules quickly and easily using the Compliance DSL. Use InSpec to examine any node in your infrastructure; run the tests locally or remotely. Any detected security, compliance, or policy issues are flagged in a log and displayed in reports. The InSpec audit resource framework is fully compatible with Chef Compliance. Instructor note: InSpec is similar to ServerSpec but learners who have no experience with Serverspec may be confused by the reference.
  • #39 This works but is sub-optimal. The location of the sshd_config file must be known A regular expression (RegEx) is used
  • #40 This works but is sub-optimal. The location of the sshd_config file must be known – InSpec knows the default location for this file A regular expression (RegEx) is used
  • #41 This works but is sub-optimal. The location of the sshd_config file must be known – InSpec knows the default location for this file A regular expression (RegEx) is used – InSpec understands how this file works, it’s a set of keys and values
  • #51 Compliance profiles exist for many scenarios, such as those created by the Center for Internet Security (CIS), a non-profit organization that is focused on enhancing the cyber security readiness and response of public and private sector entities. Chef Compliance maintains profiles as a collection of individual controls that comprise a complete audit. For example, CIS benchmark 8.1.1.1 recommends testing for the maximum size of the audit log.  You can also create your own custom Compliance profiles.