Chef, profile picture
Uploaded byChef
PPTX, PDF670 views

Compliance Automation with Inspec Part 3

InSpec can be used to automate security and compliance testing by translating compliance policies into code. This allows organizations to find issues early in the development process and continuously test configurations as code is built, tested, and deployed. The document discusses adding nodes to scan from the Chef Compliance dashboard, running compliance scans using built-in profiles, and viewing scan results to identify compliant and non-compliant controls. It also provides instructions for running InSpec tests directly from the command line locally or against remote systems using SSH or Docker.

Embed presentation

Downloaded 39 times
Getting Started with Compliance Automation
Running Scans
InSpec: Turn security and compliance into code ā€¢ Translate compliance into Code ā€¢ Clearly express statements of policy ā€¢ Move risk to build/test from runtime ā€¢ Find issues early ā€¢ Write code quickly ā€¢ Run code anywhere ā€¢ Inspect machines, data and APIs A simple example of an InSpec CIS rule Part of a process of continuous compliance Scan for Compliance Build & Test Locally Build & Test CI/CD Remediate Verify
Ā©2016 Chef Software Inc. 3-4 Objectives After completing this module, you should be able to: ļƒ˜ Add a node to test for compliance. ļƒ˜ Run a Compliance scan. ļƒ˜ Test for compliance with InSpec from the command line interface.
Ā©2016 Chef Software Inc. 3-5 Adding a Node to Scan To add a node you'll need: ā€¢ The IP address or FQDN of the nodes to be tested. ā€¢ Access configuration (ssh or WinRM). ā€¢ The node's username and password OR ā€¢ The node's username plus security key pair.
Ā©2016 Chef Software Inc. 3-6 Objective: Group Lab: Adding a Node to Scan ļ± Add a Linux Node to Scan ļ± Test connectivity Note: In the next module you will perform the same exercises as in this module but using a Windows node as your target node.
Ā©2016 Chef Software Inc. 3-7 GL: Adding a Node to Scan 1. From your Chef Compliance Dashboard, click Add Node.
Ā©2016 Chef Software Inc. 3-8 GL: Adding a Node 2. From the resulting page, enter the node's FQDN or IP address. 3. Leave environment blank. A ā€˜defaultā€™ environment will be used 4. Accept the default SSH Access configuration 5. Type chef in the username field. 6. Click the password link as shown in this illustration.
Ā©2016 Chef Software Inc. 3-9 GL: Adding a Node to Scan 7. Type the password (chef) in the password field. 8. Click the Add 1 node button as shown in this illustration.
Ā©2016 Chef Software Inc. 3-10 GL: Adding a Node to Scan At this point your Compliance Dashboard should list the node you just added.
Ā©2016 Chef Software Inc. 3-11 GL: Testing Connectivity to Your Node 1. Click the check box next to your node and then click the Connectivity button.
Ā©2016 Chef Software Inc. 3-12 GL: Testing Connectivity to Your Node The Status column of you node should now indicate Connection established.
Ā©2016 Chef Software Inc. 3-13 Adding Nodes in Bulk You could add additional nodes by simply repeating the previous steps. You could also add a number of nodes at once by separating each hostname or IP address with a comma or a space, as shown in this illustration. Chef Compliance also supports bulk loading of nodes via API.
Ā©2016 Chef Software Inc. 3-14 Adding Nodes in Bulk via API After class you can go to the following link. The resulting kitchen_sink.rb will step you through how to upload nodes in bulk. https://gist.github.com/alexpop/01b0bba8d259adeee320
Ā©2016 Chef Software Inc. 3-15 Private Keys In the workplace, using a security key would be a more secure method for connecting to nodes than using the password method. By clicking Settings > Add Private Key you will see where to paste a private key.
Ā©2016 Chef Software Inc. 3-16 Running Compliance Scans You can run Compliance scans on demand or schedule them to run at a later time. Chef Compliance maintains profiles as a collection of individual controls that comprise a complete audit. As mentioned previously, Chef Compliance comes with a few reference profiles of various compliance policies that you can leverage or use as examples to create your own.
Ā©2016 Chef Software Inc. 3-17 Compliance Profiles Used in Scans This image shows the default Compliance Profiles as accessed from the Scan Nodes page. You should be thoughtful with which profiles choose. Notice how you can also choose to run a scan on demand or schedule a scan.
Ā©2016 Chef Software Inc. 3-18 Objective: Group Lab: Running a Scan ļ± Run a Compliance scan. ļ± View the output of a scan.
Ā©2016 Chef Software Inc. 3-19 GL: Running a Scan 1. Click the check box next to your node and then click the Scan button.
Ā©2016 Chef Software Inc. 3-20 GL: Running a Scan 2. From the resulting page, check the base/ssh profile and uncheck any other check boxes. 3. Click the Scan now button.
Ā©2016 Chef Software Inc. 3-21 Scan Results A Compliance Report should now display and your scan results should be similar to that shown here. Notice how in the upper Summary section in this example, 10 tests were compliant and 6 tests show critical issues with ssh.
Ā©2016 Chef Software Inc. 3-22 Scan Results The bottom half of the Compliance Report shown here has a table of details of test results. These are sorted by severity. If you click an issue as shown here, a bit more information about the issue displays.
Ā©2016 Chef Software Inc. 3-23 GL: Profile To view the InSpec code that comprises this profile, do the following: 1. Click the Compliance button. 2. Click the relevant profile (Basic SSH). 3. Scroll down and click the `Set SSH protocol version to 2` profile.
Ā©2016 Chef Software Inc. 3-24 Discussion: InSpec Profile Code Let's discuss what this profile is doing. The `impact` of 1.0 indicates this is a Critical issue. The `title` is what populates the Compliance Report issue title.
Ā©2016 Chef Software Inc. 3-25 Discussion: InSpec Profile Code The desc is typically human- readable description sourced from the CIS or source doc. The `describe` section is the actual test that is executed.
Ā©2016 Chef Software Inc. 3-26 Compliance Profile Severity Mapping The table below shows the current mapping of Compliance Profile impact numbering to severity. Impact Numbering Severity Designation 0.7 - 1.0 Critical Issues 0.4 - <0.7 Major Issues 0 - <0.4 Minor Issues https://nvd.nist.gov/cvss.cfm
Ā©2016 Chef Software Inc. 3-27 Run InSpec from the Command Line control 'sshd-11' do impact 1.0 title 'Server: Set protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore. " describe sshd_config do its('Protocol') { should eq('2') } end end
Ā©2016 Chef Software Inc. 3-28 Run InSpec from the Command Line Test Locally: $ inspec exec test.rb
Ā©2016 Chef Software Inc. 3-29 Run InSpec from the Command Line Remote via SSH: $ inspec exec test.rb -t ssh://54.163.150.246 --user=chef -- password=chef.io
Ā©2016 Chef Software Inc. 3-30 Run InSpec from the Command Line Docker Container $ inspec exec test.rb -t docker://3dda08e75838
Running Scans

More Related Content

PDF
Chef compliance - Intermediate Training
bySarah Hynes Cheney
Ā 
PPTX
Compliance Automation with Inspec Part 1
byChef
Ā 
PPTX
Compliance as Code - Using the Open Source InSpec testing Framework
bySonatype
Ā 
PDF
Intermediate/Compliance training Guide
byChef
Ā 
PPTX
Achieving DevOps Success with Chef Automate
byChef
Ā 
PPTX
Compliance Automation with InSpec
byNathen Harvey
Ā 
PPTX
Compliance Automation with Inspec Part 2
byChef
Ā 
PPTX
Application Automation with Habitat
byChef
Ā 
Chef compliance - Intermediate Training
bySarah Hynes Cheney
Ā 
Compliance Automation with Inspec Part 1
byChef
Ā 
Compliance as Code - Using the Open Source InSpec testing Framework
bySonatype
Ā 
Intermediate/Compliance training Guide
byChef
Ā 
Achieving DevOps Success with Chef Automate
byChef
Ā 
Compliance Automation with InSpec
byNathen Harvey
Ā 
Compliance Automation with Inspec Part 2
byChef
Ā 
Application Automation with Habitat
byChef
Ā 

What's hot

PPTX
Compliance Automation with Inspec Part 4
byChef
Ā 
PPTX
London Community Summit - Chef at SkyBet
byChef
Ā 
PDF
Cooking Up Windows with Chef Automate
byMatt Ray
Ā 
PDF
Infrastructure and Compliance Delight with Chef Automate
byMatt Ray
Ā 
PDF
Using Habitat to Unify Dev to CI to Production - Configmgmt Camp Feb/2018 Gent
bySalim Afiune Maya
Ā 
PDF
Bay Area Chef Meetup February
byJessica DeVita
Ā 
PPTX
Chef Compliance & Workflow w/Delivery
byChef
Ā 
PDF
Compliance as Code
byMatt Ray
Ā 
PPTX
Chef Workflow Demo
byChef
Ā 
PDF
Compliance Automation Workshop
byChef
Ā 
PDF
Automating Compliance with InSpec - AWS North Sydney
byMatt Ray
Ā 
PPTX
Devops journey chefpopup-2016.04.26-v2
byChef
Ā 
PDF
Automating AWS Compliance with InSpec
byMatt Ray
Ā 
PPTX
Chef Hack Day Denver
byChef
Ā 
PDF
KKBOX WWDC17 Performance and Testing - Hokila
byLiyao Chen
Ā 
PPTX
Habitat Managed Chef
byChef
Ā 
PDF
Delivery pipelines at Symphony Talent - Present and Future
byNathan Jones
Ā 
PDF
Chef Automate - Wellington DevOps August 2, 2017
byMatt Ray
Ā 
PPTX
Azure handsonlab
byChef
Ā 
PPTX
How to work with Selenium Grid: a quick walkthrough
byNoam Zakai
Ā 
Compliance Automation with Inspec Part 4
byChef
Ā 
London Community Summit - Chef at SkyBet
byChef
Ā 
Cooking Up Windows with Chef Automate
byMatt Ray
Ā 
Infrastructure and Compliance Delight with Chef Automate
byMatt Ray
Ā 
Using Habitat to Unify Dev to CI to Production - Configmgmt Camp Feb/2018 Gent
bySalim Afiune Maya
Ā 
Bay Area Chef Meetup February
byJessica DeVita
Ā 
Chef Compliance & Workflow w/Delivery
byChef
Ā 
Compliance as Code
byMatt Ray
Ā 
Chef Workflow Demo
byChef
Ā 
Compliance Automation Workshop
byChef
Ā 
Automating Compliance with InSpec - AWS North Sydney
byMatt Ray
Ā 
Devops journey chefpopup-2016.04.26-v2
byChef
Ā 
Automating AWS Compliance with InSpec
byMatt Ray
Ā 
Chef Hack Day Denver
byChef
Ā 
KKBOX WWDC17 Performance and Testing - Hokila
byLiyao Chen
Ā 
Habitat Managed Chef
byChef
Ā 
Delivery pipelines at Symphony Talent - Present and Future
byNathan Jones
Ā 
Chef Automate - Wellington DevOps August 2, 2017
byMatt Ray
Ā 
Azure handsonlab
byChef
Ā 
How to work with Selenium Grid: a quick walkthrough
byNoam Zakai
Ā 

Viewers also liked

PDF
Inspec, or how to translate compliance spreadsheets into code
byMichael Goetz
Ā 
PDF
2016 - Compliance as Code - InSpec
bydevopsdaysaustin
Ā 
KEY
Infrastructure Automation with Chef
byAdam Jacob
Ā 
PPTX
London Community Summit 2016 - Community Update
byChef
Ā 
PPTX
Learning from Configuration Management
byChef
Ā 
PPTX
London Community Summit 2016 - Adopting Chef Compliance
byChef
Ā 
PPTX
London Community Summit 2016 - Fresh New Chef Stuff
byChef
Ā 
PDF
Introduction to Chef: Automate Your Infrastructure by Modeling It In Code
byJosh Padnick
Ā 
PPTX
Vagrant and chef
byNick Ramirez
Ā 
PPTX
Successful Practices for Continuous Delivery CodeCPH
byMandi Walls
Ā 
PDF
Our DevOps Journey - An Exercise in Cultural Change
byChef
Ā 
PDF
Nike popup compliance workshop
byChef
Ā 
PDF
Validation driven change
byMichael Goetz
Ā 
PDF
Chef Automate Workflow Demo
byChef
Ā 
PDF
Modern Infrastructure Automation
bySonatype
Ā 
PPTX
Introduction to InSpec and 1.0 release update
byAlex Pop
Ā 
PPTX
London Community Summit 2016 - Chef Automate
byChef
Ā 
PPTX
London Community Summit - From Contribution to Authorship
byChef
Ā 
PPT
vBACD - Introduction to Puppet, Configuration Management and IT Automation So...
byCloudStack - Open Source Cloud Computing Project
Ā 
PPTX
London Community Summit 2016 - Habitat
byChef
Ā 
Inspec, or how to translate compliance spreadsheets into code
byMichael Goetz
Ā 
2016 - Compliance as Code - InSpec
bydevopsdaysaustin
Ā 
Infrastructure Automation with Chef
byAdam Jacob
Ā 
London Community Summit 2016 - Community Update
byChef
Ā 
Learning from Configuration Management
byChef
Ā 
London Community Summit 2016 - Adopting Chef Compliance
byChef
Ā 
London Community Summit 2016 - Fresh New Chef Stuff
byChef
Ā 
Introduction to Chef: Automate Your Infrastructure by Modeling It In Code
byJosh Padnick
Ā 
Vagrant and chef
byNick Ramirez
Ā 
Successful Practices for Continuous Delivery CodeCPH
byMandi Walls
Ā 
Our DevOps Journey - An Exercise in Cultural Change
byChef
Ā 
Nike popup compliance workshop
byChef
Ā 
Validation driven change
byMichael Goetz
Ā 
Chef Automate Workflow Demo
byChef
Ā 
Modern Infrastructure Automation
bySonatype
Ā 
Introduction to InSpec and 1.0 release update
byAlex Pop
Ā 
London Community Summit 2016 - Chef Automate
byChef
Ā 
London Community Summit - From Contribution to Authorship
byChef
Ā 
vBACD - Introduction to Puppet, Configuration Management and IT Automation So...
byCloudStack - Open Source Cloud Computing Project
Ā 
London Community Summit 2016 - Habitat
byChef
Ā 

Similar to Compliance Automation with Inspec Part 3

PDF
Introduction To Continuous Compliance & Remediation
byNicole Johnson
Ā 
PPTX
2019 Chef InSpec Jumpstart Part 1 of 2
byLarry Eichenbaum
Ā 
PPTX
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
byadamleff
Ā 
PPTX
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
Ā 
PDF
Philly security shell meetup
byNicole Johnson
Ā 
PPTX
InSpec at DevOps ATL Meetup January 22, 2020
byMandi Walls
Ā 
PPTX
Prescriptive Security with InSpec - All Things Open 2019
byMandi Walls
Ā 
PDF
Prescriptive System Security with InSpec
byAll Things Open
Ā 
PDF
Introduction to Chef - Techsuperwomen Summit
byJennifer Davis
Ā 
PDF
Chef Fundamentals Training Series Module 3: Setting up Nodes and Cookbook Aut...
byChef Software, Inc.
Ā 
PDF
Node setup, resource, and recipes - Fundamentals Webinar Series Part 2
byChef
Ā 
PPTX
Using Chef InSpec for Infrastructure Security
byMandi Walls
Ā 
PDF
Compliance Automation
byInfralovers
Ā 
PPTX
Adding Security to Your Workflow With InSpec - SCaLE17x
byMandi Walls
Ā 
PPTX
Chef
byMohanRaviRohitth
Ā 
PDF
Ignite Talk on Chef
byBob Nowadly
Ā 
PDF
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
byMatt Ray
Ā 
PDF
Introduction to Chef - April 22 2015
byJennifer Davis
Ā 
PDF
Node object and roles - Fundamentals Webinar Series Part 3
byChef
Ā 
PPTX
Chef onlinuxonpower
byMoya Brannan
Ā 
Introduction To Continuous Compliance & Remediation
byNicole Johnson
Ā 
2019 Chef InSpec Jumpstart Part 1 of 2
byLarry Eichenbaum
Ā 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
byadamleff
Ā 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
Ā 
Philly security shell meetup
byNicole Johnson
Ā 
InSpec at DevOps ATL Meetup January 22, 2020
byMandi Walls
Ā 
Prescriptive Security with InSpec - All Things Open 2019
byMandi Walls
Ā 
Prescriptive System Security with InSpec
byAll Things Open
Ā 
Introduction to Chef - Techsuperwomen Summit
byJennifer Davis
Ā 
Chef Fundamentals Training Series Module 3: Setting up Nodes and Cookbook Aut...
byChef Software, Inc.
Ā 
Node setup, resource, and recipes - Fundamentals Webinar Series Part 2
byChef
Ā 
Using Chef InSpec for Infrastructure Security
byMandi Walls
Ā 
Compliance Automation
byInfralovers
Ā 
Adding Security to Your Workflow With InSpec - SCaLE17x
byMandi Walls
Ā 
Chef
byMohanRaviRohitth
Ā 
Ignite Talk on Chef
byBob Nowadly
Ā 
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
byMatt Ray
Ā 
Introduction to Chef - April 22 2015
byJennifer Davis
Ā 
Node object and roles - Fundamentals Webinar Series Part 3
byChef
Ā 
Chef onlinuxonpower
byMoya Brannan
Ā 

More from Chef

PPTX
Automation, Audits, and Apps Tour
byChef
Ā 
PPTX
Automation, Audits, and Apps Tour
byChef
Ā 
PDF
Nike pop up habitat
byChef
Ā 
PDF
The caseforawesome
byChef
Ā 
PDF
Netflix's Could Migration
byChef
Ā 
PDF
Alaska Airlines DevOps Journey
byChef
Ā 
PDF
And The Slow Suffer What They Must
byChef
Ā 
PDF
Visualizing your journey with chef
byChef
Ā 
PDF
The New IT Game
byChef
Ā 
PPTX
How to Accelerate Agile, Lean and DevOps Adoption Across Your Organization
byChef
Ā 
PPTX
Chef andwindows reactor
byChef
Ā 
Automation, Audits, and Apps Tour
byChef
Ā 
Automation, Audits, and Apps Tour
byChef
Ā 
Nike pop up habitat
byChef
Ā 
The caseforawesome
byChef
Ā 
Netflix's Could Migration
byChef
Ā 
Alaska Airlines DevOps Journey
byChef
Ā 
And The Slow Suffer What They Must
byChef
Ā 
Visualizing your journey with chef
byChef
Ā 
The New IT Game
byChef
Ā 
How to Accelerate Agile, Lean and DevOps Adoption Across Your Organization
byChef
Ā 
Chef andwindows reactor
byChef
Ā 

Recently uploaded

PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
Ā 
PDF
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
Ā 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
Ā 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
Ā 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
Ā 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
Ā 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
Ā 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
Ā 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
Ā 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
Ā 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
Ā 
PDF
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
Ā 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
Ā 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
Ā 
PDF
Logical Optimal Actions ā€“ Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
Ā 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
Ā 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
Ā 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
Ā 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
Ā 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
Ā 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
Ā 
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
Ā 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
Ā 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
Ā 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
Ā 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
Ā 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
Ā 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
Ā 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
Ā 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
Ā 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
Ā 
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
Ā 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
Ā 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
Ā 
Logical Optimal Actions ā€“ Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
Ā 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
Ā 
PPTX game guess the logo with a twistppt
byAdrianAnig
Ā 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
Ā 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
Ā 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
Ā 

Compliance Automation with Inspec Part 3

  • 1.
    Getting Started withCompliance Automation
  • 2.
  • 3.
    InSpec: Turn securityand compliance into code ā€¢ Translate compliance into Code ā€¢ Clearly express statements of policy ā€¢ Move risk to build/test from runtime ā€¢ Find issues early ā€¢ Write code quickly ā€¢ Run code anywhere ā€¢ Inspect machines, data and APIs A simple example of an InSpec CIS rule Part of a process of continuous compliance Scan for Compliance Build & Test Locally Build & Test CI/CD Remediate Verify
  • 4.
    Ā©2016 Chef SoftwareInc. 3-4 Objectives After completing this module, you should be able to: ļƒ˜ Add a node to test for compliance. ļƒ˜ Run a Compliance scan. ļƒ˜ Test for compliance with InSpec from the command line interface.
  • 5.
    Ā©2016 Chef SoftwareInc. 3-5 Adding a Node to Scan To add a node you'll need: ā€¢ The IP address or FQDN of the nodes to be tested. ā€¢ Access configuration (ssh or WinRM). ā€¢ The node's username and password OR ā€¢ The node's username plus security key pair.
  • 6.
    Ā©2016 Chef SoftwareInc. 3-6 Objective: Group Lab: Adding a Node to Scan ļ± Add a Linux Node to Scan ļ± Test connectivity Note: In the next module you will perform the same exercises as in this module but using a Windows node as your target node.
  • 7.
    Ā©2016 Chef SoftwareInc. 3-7 GL: Adding a Node to Scan 1. From your Chef Compliance Dashboard, click Add Node.
  • 8.
    Ā©2016 Chef SoftwareInc. 3-8 GL: Adding a Node 2. From the resulting page, enter the node's FQDN or IP address. 3. Leave environment blank. A ā€˜defaultā€™ environment will be used 4. Accept the default SSH Access configuration 5. Type chef in the username field. 6. Click the password link as shown in this illustration.
  • 9.
    Ā©2016 Chef SoftwareInc. 3-9 GL: Adding a Node to Scan 7. Type the password (chef) in the password field. 8. Click the Add 1 node button as shown in this illustration.
  • 10.
    Ā©2016 Chef SoftwareInc. 3-10 GL: Adding a Node to Scan At this point your Compliance Dashboard should list the node you just added.
  • 11.
    Ā©2016 Chef SoftwareInc. 3-11 GL: Testing Connectivity to Your Node 1. Click the check box next to your node and then click the Connectivity button.
  • 12.
    Ā©2016 Chef SoftwareInc. 3-12 GL: Testing Connectivity to Your Node The Status column of you node should now indicate Connection established.
  • 13.
    Ā©2016 Chef SoftwareInc. 3-13 Adding Nodes in Bulk You could add additional nodes by simply repeating the previous steps. You could also add a number of nodes at once by separating each hostname or IP address with a comma or a space, as shown in this illustration. Chef Compliance also supports bulk loading of nodes via API.
  • 14.
    Ā©2016 Chef SoftwareInc. 3-14 Adding Nodes in Bulk via API After class you can go to the following link. The resulting kitchen_sink.rb will step you through how to upload nodes in bulk. https://gist.github.com/alexpop/01b0bba8d259adeee320
  • 15.
    Ā©2016 Chef SoftwareInc. 3-15 Private Keys In the workplace, using a security key would be a more secure method for connecting to nodes than using the password method. By clicking Settings > Add Private Key you will see where to paste a private key.
  • 16.
    Ā©2016 Chef SoftwareInc. 3-16 Running Compliance Scans You can run Compliance scans on demand or schedule them to run at a later time. Chef Compliance maintains profiles as a collection of individual controls that comprise a complete audit. As mentioned previously, Chef Compliance comes with a few reference profiles of various compliance policies that you can leverage or use as examples to create your own.
  • 17.
    Ā©2016 Chef SoftwareInc. 3-17 Compliance Profiles Used in Scans This image shows the default Compliance Profiles as accessed from the Scan Nodes page. You should be thoughtful with which profiles choose. Notice how you can also choose to run a scan on demand or schedule a scan.
  • 18.
    Ā©2016 Chef SoftwareInc. 3-18 Objective: Group Lab: Running a Scan ļ± Run a Compliance scan. ļ± View the output of a scan.
  • 19.
    Ā©2016 Chef SoftwareInc. 3-19 GL: Running a Scan 1. Click the check box next to your node and then click the Scan button.
  • 20.
    Ā©2016 Chef SoftwareInc. 3-20 GL: Running a Scan 2. From the resulting page, check the base/ssh profile and uncheck any other check boxes. 3. Click the Scan now button.
  • 21.
    Ā©2016 Chef SoftwareInc. 3-21 Scan Results A Compliance Report should now display and your scan results should be similar to that shown here. Notice how in the upper Summary section in this example, 10 tests were compliant and 6 tests show critical issues with ssh.
  • 22.
    Ā©2016 Chef SoftwareInc. 3-22 Scan Results The bottom half of the Compliance Report shown here has a table of details of test results. These are sorted by severity. If you click an issue as shown here, a bit more information about the issue displays.
  • 23.
    Ā©2016 Chef SoftwareInc. 3-23 GL: Profile To view the InSpec code that comprises this profile, do the following: 1. Click the Compliance button. 2. Click the relevant profile (Basic SSH). 3. Scroll down and click the `Set SSH protocol version to 2` profile.
  • 24.
    Ā©2016 Chef SoftwareInc. 3-24 Discussion: InSpec Profile Code Let's discuss what this profile is doing. The `impact` of 1.0 indicates this is a Critical issue. The `title` is what populates the Compliance Report issue title.
  • 25.
    Ā©2016 Chef SoftwareInc. 3-25 Discussion: InSpec Profile Code The desc is typically human- readable description sourced from the CIS or source doc. The `describe` section is the actual test that is executed.
  • 26.
    Ā©2016 Chef SoftwareInc. 3-26 Compliance Profile Severity Mapping The table below shows the current mapping of Compliance Profile impact numbering to severity. Impact Numbering Severity Designation 0.7 - 1.0 Critical Issues 0.4 - <0.7 Major Issues 0 - <0.4 Minor Issues https://nvd.nist.gov/cvss.cfm
  • 27.
    Ā©2016 Chef SoftwareInc. 3-27 Run InSpec from the Command Line control 'sshd-11' do impact 1.0 title 'Server: Set protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore. " describe sshd_config do its('Protocol') { should eq('2') } end end
  • 28.
    Ā©2016 Chef SoftwareInc. 3-28 Run InSpec from the Command Line Test Locally: $ inspec exec test.rb
  • 29.
    Ā©2016 Chef SoftwareInc. 3-29 Run InSpec from the Command Line Remote via SSH: $ inspec exec test.rb -t ssh://54.163.150.246 --user=chef -- password=chef.io
  • 30.
    Ā©2016 Chef SoftwareInc. 3-30 Run InSpec from the Command Line Docker Container $ inspec exec test.rb -t docker://3dda08e75838
  • 31.

Editor's Notes

  • #4Ā  Integrate compliance and security requirements into your automated deployment pipeline. The InSpec language lets you specify those requirements as code. When compliance is code, you can identify issues during development and not after the fact. Test large-scale environments while still moving at velocity.Ā  Ā  Translate compliance into code. InSpec is an open-source testing framework with a human- and machine-readable language for specifying compliance, security and policy requirements. When compliance is expressed as code, you can integrate it into your deployment pipeline and automatically test for adherence to security policies. Ā  Clearly express statements of policy. When compliance is code, rules are unambiguous and can be understood by everyone on the team. Developers know what standards they're expected to meet and auditors know exactly what is being tested. Replace spreadsheets filled with abstract descriptions with tangible tests that have a clear intent. Ā  Find issues early. Automated compliance tests can start at the beginning of the development cycle. You'll detect any issues well before your code goes into production, when problems are expensive and time consuming to fix. Ā  Write code quickly. The InSpec language includes a collection of resources that help you write audit controls quickly and easily. You can also create custom resources for your own particular situations. Run code anywhere. InSpec code can run in multiple platforms. You can execute the same set of tests locally, with remote commands that use SSH or WinRM, or with external mechanisms such as the Docker API. Ā  Inspect machines, data, and APIs. Knowing that your physical servers are in compliance is, of course, essential. But your applications rely on more than just server configurations. With InSpec, you can assess data in a database or inspect the configuration of virtual resources by using their API. For example, you can check security group settings on your IaaS infrastructure. Compliance as Code The speed and collaboration of DevOps for security & compliance Security documents as executable code Compliance is assured from the start of the development cycle Security-focused framework DSL that helps you get started writing audit controls quickly & easily Inspec works the same way everywhere: locally, remotely, or executed via API Tailored to the needs of security professionals Flexible and extensible Easily create custom resources, if needed Create and share profiles for code reuse and modularity Inspect machine state, data state, and API configurations
  • #9Ā Be sure you are using the hostname of the target node that you noted previously in class. In the workplace, the target node's username and password will likely be different than shown in this example. We'll discuss using key pair access later in the module.
  • #10Ā Instructor Note: If a Linux target node's image has /etc/sudoers Ā `Defaults Ā  Ā requiretty` uncommented, then the Compliance server won't be able to connect to the target node unless we disable sudo on this page. Once the issue is fixed it should not matter if the target node /etc/sudoers Ā `Defaults Ā  requiretty` is uncommented. The Linux AMI used in this course has /etc/sudoers Ā `Defaults Ā  Ā requiretty` commented so no worries."
  • #13Ā If your Status column does not indicate `Connection established`, please notify the instructor.
  • #14Ā As you may have noticed, you could add additional nodes by simply repeating the previous steps. You could also add a number of nodes at once by separating each hostname or IP address with a comma or a space, as shown in this illustration. Chef Compliance also supports bulk loading of nodes via API.
  • #15Ā  Instructor Note: If you have extra time, you can walk the participants through this file.
  • #16Ā In the workplace, using security key pairs would be a more secure method for connecting to nodes than using the password method we are using in class. By clicking `Settings > Add New Key Pair` you will see where to paste your private key.
  • #18Ā This image shows the default Compliance Profiles as accessed from the Scan Nodes page. This page displays when you select nodes to scan and then click the Scan button. You'll access the profiles in a moment. These profiles determine what will be scanned on your nodes. You should be thoughtful with which profiles choose since the more you choose to run, the longer it will take to execute the scan. Notice how you can also choose to run a scan on demand (Scan now) or schedule a scan to run at a later time.
  • #22Ā There are also 6 critical issues related to ssh on the target node. Your results may be slightly different than this example. Instructor Note: This and the following slide should be used for a discussion of the scan results. The group exercise continues after that.
  • #23Ā The bottom half of the Compliance Report has a table of details of test results. These are sorted by severity so the critical issues are listed at the top and the compliant items are at the bottom of the list. If you click an issue as shown here, a bit more information about the issue displays, but that's not really telling us much.
  • #24Ā Instructor Note: Now we continue the group Lab but you should stop as needed to explain what this code means.
  • #25Ā Let's discuss what this profile is doing. The impact of 1.0 indicates this is a critical issue if it the scanned node violates what is in this code. We'll discuss severity mapping in a moment.
  • #26Ā The desc is typically human-readable description sourced from the CIS or source doc. The describe value is the actual test. In this case, this is saying the protocol for `ssh_config` Protocol should be `2`. If the actual value from the node is not Protocol 2, the Critical issue is reported as in this case. So when you run a scan, the Compliance Server connects to the node using the configuration we specified, in this case ssh, and then it will run this set of code, this InSpec control, on that node. The Compliance Server translates the InSpec code into ssh commands when it transmits across the wire. No agent or client is required to be running on the target node for this work.
  • #27Ā Here is the current mapping of Compliance Profile impact numbering to severity. The image at the top-right shows a Compliance Profile's impact numbering. The table at the bottom-left shows the current mapping of Compliance Profile impact numbering to severity. The image at the bottom-right is an example of the severities listed in the reports in the Compliance web UI. The mapping is currently analogous to the Common Vulnerability Scoring System (CVSS) framework, which can be viewed via the link at the bottom of this slide. This mapping will be made configurable in the future.