Mandi Walls, profile picture
Uploaded byMandi Walls
PPTX, PDF409 views

DevOpsDays InSpec Workshop

InSpec is an open-source testing framework that allows users to write security and compliance tests. Tests can be written to check configurations, files, and other infrastructure attributes. InSpec includes built-in resources that make it easy to test common services and configurations. Tests are written in a human-readable format and can be executed locally or remotely on servers. InSpec integrates with tools like Chef and Test Kitchen to allow testing as part of development and deployment workflows. The document provides examples of using InSpec to test SSH configuration and other attributes based on security requirements.

Embed presentation

Download to read offline
Building Security Into Your Workflow with InSpec Mandi Walls | mandi@chef.io
HI! • Mandi Walls • Technical Community Manager for Chef, EMEA • mandi@chef.io • @lnxchk • https://inspec.io • https://dev-sec.io/
EVERY business is a software business We’re going to be a software company with airplanes. – CIO, Alaska Airlines
What We Have Here Is A Communications Problem
What Is InSpec
InSpec • Human-readable specification language for tests related to security and compliance • Includes facilities for creating, sharing, and reusing profiles • Extensible language so you can build your own rules for your applications and systems • Command-line tools for plugging into your existing workflows / build servers • Integrates with Test Kitchen for fast-feedback local testing by developers
SSH Example • If your security team sends you a directive: SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. All systems must use SSHv2 instead to avoid these issues.
How Do You Go About Fixing It? • Identify the file and file location to check your systems • Create a file with a new setting • Push out changes • What’s the plan for the currently used images? Rebuild? Remediate at instantiation? • Did you test it?
Lifecycle • When you get a mandate from security, how often is it checked? • Single big scan, report mailed out with a “due date”? • Yearly or twice-yearly massive scans with remediation projects?
Using InSpec User: chef Pass: dodams2018
Find It! • http://inspec.io/ • Open Source! • The “spec” is a hint • It comes installed as part of the Chef Developer’s Kit, ChefDK, or on its own • It’s on your host which inspec • https://downloads.chef.io/chefdk curl -o chefdk.rpm https://packages.chef.io/files/stable/chefdk/2.3.4/el/7/chefdk-2.3.4- 1.el7.x86_64.rpm sudo rpm -Uhv chefdk.rpm
Check that sshd_config describe sshd_config do impact 1.0 title 'SSH Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end
Resources • InSpec includes built-in resources for common services, system files, and configurations See http://inspec.io/docs/reference/resources/ for the current list! • Built-in resources work on several platforms of Linux. There are also Windows-specifics • A resource has characteristics that can be verified for your requirements, and Matchers that work with those characteristics
• Resources take the “grep for x” out of the testing phase • Parsers included in the InSpec software do the work for you • It’s built off the premises of rSpec, and meant to be human readable
its.... should... • it { should exist } • it { should be_installed } • it { should be_enabled } • its('max_log_file') { should cmp 6 } • its('exit_status') { should eq 0 } • its('gid') { should eq 0 }
Run It • InSpec is command line Installs on your workstation as a ruby gem or as part of the ChefDK • Can be run locally, test the machine it is executing on • Or remotely InSpec will log into the target and run the tests for you • Also a REPL https://www.inspec.io/docs/reference/shell/
Create a Basic Test – test.rb • Let’s write a basic test to make sure /tmp is a directory • It also should be owned by root • And its mode should be 01777 – open to all (plus sticky bit!) • Let’s check out the docs for the “file” resource for InSpec
File Resources in InSpec • https://www.inspec.io/docs/reference/resources/file/ • We want: Directory Owner Mode describe file(‘path’) do it { should MATCHER ‘value’ } end
test.rb describe file("/tmp") do it { should exist } its('type') { should cmp 'directory' } its('owner') { should eq 'root' } its('mode') { should cmp '01777' } end
Test Any Target inspec exec test.rb inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://ec2-user@54.152.7.203 inspec exec test.rb -t winrm://Admin@192.168.1.2 -- password super inspec exec test.rb -t docker://3dda08e75838
Execute InSpec [chef@ip-172-31-38-151 ~]$ inspec exec ./test.rb Profile: tests from ./test.rb Version: (not specified) Target: local:// File /tmp ✔ should exist ✔ should be directory ✔ should be owned by "root" ✔ mode should cmp == "01777" Test Summary: 4 successful, 0 failures, 0 skipped
Failures • InSpec runs with failed tests return a non-zero return code Profile Summary: 0 successful, 1 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 1 [chef@ip-172-31-29-25 ~]$ • Passing tests have 0 return code Profile Summary: 1 successful, 0 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 0 [chef@ip-172-31-29-25 ~]$
Profiles • InSpec profiles allow you to package and share sets of InSpec tests for your organization or for a specific application set • Each profile can have multiple test files included • The test files generally test for one required outcome, but can look at different objects to meet requirements • Flexible! Create your own profiles for specific software you use
Hardening with InSpec • Centos 7 host • os-hardening cookbook from https://supermarket.chef.io • /dev-sec/linux-baseline InSpec profile from https://github.com/dev- sec/linux-baseline
What’s in the linux-baseline Profile control 'os-02' do impact 1.0 title 'Check owner and permissions for /etc/shadow' desc 'Check periodically the owner and permissions for /etc/shadow' describe file('/etc/shadow') do it { should exist } it { should be_file } it { should be_owned_by 'root' } its('group') { should eq shadow_group } it { should_not be_executable } it { should be_writable.by('owner') } ...
Use the Profile $ git clone https://github.com/dev-sec/linux-baseline ... $ sudo inspec exec linux-baseline Profile Summary: 26 successful controls, 27 control failures, 1 control skipped Test Summary: 80 successful, 45 failures, 1 skipped $
What’s in the os-hardening Cookbook
Use Chef to Repair the Findings $ chef generate cookbook harden (ignore git's complaints, it's ok)
Edit harden/metadata.rb name 'harden' maintainer 'The Authors' maintainer_email 'you@example.com' license 'All Rights Reserved' description 'Installs/Configures harden' ... ... depends 'os-hardening'
Create a Cookbooks Package $ cd harden $ berks install $ berks package $ cd .. $ tar –xzvf harden/cookbooks-VERSION.tar.gz
Run chef-client to remediate failed tests $ sudo chef-client -r "recipe[os-hardening]" --local-mode
Rerun the Tests $ sudo inspec exec linux-baseline/ ... Profile Summary: 51 successful controls, 2 control failures, 1 control skipped Test Summary: 123 successful, 2 failures, 1 skipped
What’s Still Failing? • Find the controls that aren’t passing • Decide if you want to fix them or forget them • Let’s fix one and forget the others
Error 1: Entropy, os-08 control 'os-08' do impact 1.0 title 'Entropy' desc 'Check system has enough entropy - greater than 1000' describe file('/proc/sys/kernel/random/entropy_avail').content.to_i do it { should >= 1000 } end end https://github.com/dev-sec/linux- baseline/blob/master/controls/os_spec.rb
Fix it with rngd $ vi harden/recipes/default.rb package 'rng-tools' service 'rngd' do action [:start, :enable] end Install the Package Turn on the Service
Berks Update $ cd ~/harden $ berks package
Install new cookbooks and run chef-client $ cd ~ $ tar –xzvf harden/cookbooks-NEWVERSION.tar.gz $ sudo chef-client –r “recipe[harden],recipe[os- hardening]” --local-mode … Recipe: harden::default * yum_package[rng-tools] action install - install version 0:5-13.el7.x86_64 of package rng-tools * service[rngd] action start - start service service[rngd] * service[rngd] action enable (up to date)
Check the InSpec Output Now $ sudo inspec exec linux-baseline ... Profile Summary: 52 successful controls, 1 control failure, 1 control skipped Test Summary: 124 successful, 1 failure, 1 skipped $
Error 2: auditd log setting package-08 control 'package-08' do impact 1.0 title 'Install auditd' desc 'auditd provides extended logging capacities on recent distribution' ... describe auditd_conf do ... its('max_log_file_action') { should cmp 'keep_logs' } ... end end
Maybe We're Ok with the Current Setting • Large InSpec profiles contain lots of rules • You may not want or need all of them for your infrastructure • You can pick and choose which ones you want using your profile • Let's ignore the auditd log file setting for now
Building New Profiles $ inspec init profile my_hardening Create new profile at /home/chef/my_hardening * Create file README.md * Create directory controls * Create file controls/example.rb * Create file inspec.yml * Create directory libraries $
Select the Controls You Want
Including Profiles $ vi my_hardening/inspec.yml name: my_hardening title: InSpec Profile ... version: 0.1.0 depends: - name: linux-baseline git: https://github.com/dev-sec/linux-baseline
Skipping Individual Controls $ rm -f my_hardening/controls/example.rb $ vi my_hardening/controls/default.rb include_controls 'linux-baseline' do skip_control ‘package-08' end
Rerun the InSpec Profile $ sudo inspec exec my_hardening/ ... Profile Summary: 52 successful controls, 0 control failures, 1 control skipped Test Summary: 113 successful, 0 failures, 1 skipped
Other Stuff – Test Kitchen • InSpec also runs as a test suite in Test Kitchen • Test Kitchen is a tool for your team to create fast-feedback loops for development • Add InSpec tests to TK so that any change can also be certified with the security profile before it is pushed to source code repository • More info at http://kitchen.ci/
Resources • https://inspec.io • https://dev-sec.io • https://github.com/chef-training/workshops/ • http://www.anniehedgie.com/inspec-basics-1 • Windows and InSpec: http://datatomix.com/?p=236 • https://blog.chef.io/category/inspec/ • We're hiring! Work on InSpec in Belfast! https://chef.io/careers
DevOpsDays InSpec Workshop

More Related Content

PPTX
InSpec Workshop DevSecCon 2017
byMandi Walls
 
PPTX
InSpec Workshop at Velocity London 2018
byMandi Walls
 
PPTX
BuildStuff.LT 2018 InSpec Workshop
byMandi Walls
 
PPTX
InSpec For DevOpsDays Amsterdam 2017
byMandi Walls
 
PPTX
Adding Security to Your Workflow with InSpec (MAY 2017)
byMandi Walls
 
PDF
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
byNETWAYS
 
PDF
Automating Compliance with InSpec - Chef Singapore Meetup
byMatt Ray
 
PPTX
2019 Chef InSpec Jumpstart Part 1 of 2
byLarry Eichenbaum
 
InSpec Workshop DevSecCon 2017
byMandi Walls
 
InSpec Workshop at Velocity London 2018
byMandi Walls
 
BuildStuff.LT 2018 InSpec Workshop
byMandi Walls
 
InSpec For DevOpsDays Amsterdam 2017
byMandi Walls
 
Adding Security to Your Workflow with InSpec (MAY 2017)
byMandi Walls
 
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
byNETWAYS
 
Automating Compliance with InSpec - Chef Singapore Meetup
byMatt Ray
 
2019 Chef InSpec Jumpstart Part 1 of 2
byLarry Eichenbaum
 

What's hot

PPTX
Ingite Slides for InSpec
byMandi Walls
 
PPTX
2019 Chef InSpec Jumpstart Part 2 of 2
byLarry Eichenbaum
 
PDF
AWS ElasticBeanstalk Advanced configuration
byLionel LONKAP TSAMBA
 
PDF
Testable Infrastructure with Chef, Test Kitchen, and Docker
byMandi Walls
 
ODP
Continuous Security
bySysdig
 
PDF
Compliance as Code
byMatt Ray
 
PDF
TXLF: Automated Deployment of OpenStack with Chef
byMatt Ray
 
PPT
Introduction to JumpStart
byScott McDermott
 
PDF
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
byBrentMatlock
 
PPTX
Vagrant, Ansible, and OpenStack on your laptop
byLorin Hochstein
 
PPTX
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
byDevOpsDays Riga
 
PPTX
InSpec Workflow for DevOpsDays Riga 2017
byMandi Walls
 
PDF
Introduction to Chef
bykevsmith
 
PDF
Ansible new paradigms for orchestration
byPaolo Tonin
 
PPTX
Compliance Automation with Inspec Part 4
byChef
 
PDF
DevOps Enabling Your Team
byGR8Conf
 
PPTX
Network Automation Tools
byEdwin Beekman
 
KEY
Using Nagios with Chef
byBryan McLellan
 
PPTX
OSDC2014: Testing Server Infrastructure with #serverspec
byAndreas Schmidt
 
Ingite Slides for InSpec
byMandi Walls
 
2019 Chef InSpec Jumpstart Part 2 of 2
byLarry Eichenbaum
 
AWS ElasticBeanstalk Advanced configuration
byLionel LONKAP TSAMBA
 
Testable Infrastructure with Chef, Test Kitchen, and Docker
byMandi Walls
 
Continuous Security
bySysdig
 
Compliance as Code
byMatt Ray
 
TXLF: Automated Deployment of OpenStack with Chef
byMatt Ray
 
Introduction to JumpStart
byScott McDermott
 
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpractices
byBrentMatlock
 
Vagrant, Ansible, and OpenStack on your laptop
byLorin Hochstein
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
byDevOpsDays Riga
 
InSpec Workflow for DevOpsDays Riga 2017
byMandi Walls
 
Introduction to Chef
bykevsmith
 
Ansible new paradigms for orchestration
byPaolo Tonin
 
Compliance Automation with Inspec Part 4
byChef
 
DevOps Enabling Your Team
byGR8Conf
 
Network Automation Tools
byEdwin Beekman
 
Using Nagios with Chef
byBryan McLellan
 
OSDC2014: Testing Server Infrastructure with #serverspec
byAndreas Schmidt
 

Similar to DevOpsDays InSpec Workshop

PDF
Prescriptive System Security with InSpec
byAll Things Open
 
PDF
Inspec: Turn your compliance, security, and other policy requirements into au...
byKangaroot
 
PPTX
Using Chef InSpec for Infrastructure Security
byMandi Walls
 
PPTX
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
 
PPTX
Effective Testing with Ansible and InSpec
byNathen Harvey
 
PPTX
Effective Testing with Ansible and InSpec
byNathen Harvey
 
PPTX
DevSecCon London 2017: Inspec workshop by Mandi Walls
byDevSecCon
 
PPTX
Adding Security to Your Workflow With InSpec - SCaLE17x
byMandi Walls
 
PPTX
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
byNETWAYS
 
PPTX
Introduction to InSpec and 1.0 release update
byAlex Pop
 
PPTX
Adding Security and Compliance to Your Workflow with InSpec
byMandi Walls
 
PPTX
InSpec - June 2018 at Open28.be
byMandi Walls
 
PPTX
Prescriptive Security with InSpec - All Things Open 2019
byMandi Walls
 
PPTX
Building Security into Your Workflow with InSpec
byMandi Walls
 
PPTX
InSpec at DevOps ATL Meetup January 22, 2020
byMandi Walls
 
PDF
Philly security shell meetup
byNicole Johnson
 
PPTX
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
byadamleff
 
PDF
2016 - Compliance as Code - InSpec
bydevopsdaysaustin
 
PDF
What did you inspec?
byGratien D'haese
 
PPTX
Compliance Automation with InSpec
byNathen Harvey
 
Prescriptive System Security with InSpec
byAll Things Open
 
Inspec: Turn your compliance, security, and other policy requirements into au...
byKangaroot
 
Using Chef InSpec for Infrastructure Security
byMandi Walls
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
 
Effective Testing with Ansible and InSpec
byNathen Harvey
 
Effective Testing with Ansible and InSpec
byNathen Harvey
 
DevSecCon London 2017: Inspec workshop by Mandi Walls
byDevSecCon
 
Adding Security to Your Workflow With InSpec - SCaLE17x
byMandi Walls
 
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
byNETWAYS
 
Introduction to InSpec and 1.0 release update
byAlex Pop
 
Adding Security and Compliance to Your Workflow with InSpec
byMandi Walls
 
InSpec - June 2018 at Open28.be
byMandi Walls
 
Prescriptive Security with InSpec - All Things Open 2019
byMandi Walls
 
Building Security into Your Workflow with InSpec
byMandi Walls
 
InSpec at DevOps ATL Meetup January 22, 2020
byMandi Walls
 
Philly security shell meetup
byNicole Johnson
 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
byadamleff
 
2016 - Compliance as Code - InSpec
bydevopsdaysaustin
 
What did you inspec?
byGratien D'haese
 
Compliance Automation with InSpec
byNathen Harvey
 

More from Mandi Walls

PPTX
habitat at docker bud
byMandi Walls
 
PPTX
Habitat Overview
byMandi Walls
 
PDF
Habitat at SRECon
byMandi Walls
 
PDF
Full Service Ownership
byMandi Walls
 
PPTX
Lessons Learned From Cloud Migrations
byMandi Walls
 
PDF
PagerDuty: Best Practices for On Call Teams
byMandi Walls
 
PDF
DOD Kansas City 2025 - Managing Vendor Incidents.pdf
byMandi Walls
 
PPTX
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
byMandi Walls
 
PPTX
Community in a box
byMandi Walls
 
PDF
DOD Raleigh Gamedays with Chaos Engineering.pdf
byMandi Walls
 
PPTX
Habitat Workshop at Velocity London 2017
byMandi Walls
 
PPTX
Containerdays Intro to Habitat
byMandi Walls
 
PPTX
Habitat at LinuxLab IT
byMandi Walls
 
PPTX
Lessons Learned from Continuous Delivery
byMandi Walls
 
PPTX
Configuration Management is Old and Boring
byMandi Walls
 
PDF
Addo reducing trauma in organizations with SLOs and chaos engineering
byMandi Walls
 
habitat at docker bud
byMandi Walls
 
Habitat Overview
byMandi Walls
 
Habitat at SRECon
byMandi Walls
 
Full Service Ownership
byMandi Walls
 
Lessons Learned From Cloud Migrations
byMandi Walls
 
PagerDuty: Best Practices for On Call Teams
byMandi Walls
 
DOD Kansas City 2025 - Managing Vendor Incidents.pdf
byMandi Walls
 
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
byMandi Walls
 
Community in a box
byMandi Walls
 
DOD Raleigh Gamedays with Chaos Engineering.pdf
byMandi Walls
 
Habitat Workshop at Velocity London 2017
byMandi Walls
 
Containerdays Intro to Habitat
byMandi Walls
 
Habitat at LinuxLab IT
byMandi Walls
 
Lessons Learned from Continuous Delivery
byMandi Walls
 
Configuration Management is Old and Boring
byMandi Walls
 
Addo reducing trauma in organizations with SLOs and chaos engineering
byMandi Walls
 

Recently uploaded

PDF
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
PDF
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
PDF
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
PDF
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
PDF
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
PDF
PCCC25(設立25年記念PCクラスタシンポジウム):エヌビディア合同会社 テーマ2「NVIDIA BlueField-4 DPU」
byPC Cluster Consortium
 
PDF
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
PPTX
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
PDF
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
PDF
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PDF
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PDF
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
PDF
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
PDF
Cybersecurity Prevention and Detection: Unit 2
byVICTOR MAESTRE RAMIREZ
 
PPTX
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
PDF
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
[BDD 2025 - Mobile Development] Mobile Engineer and Software Engineer: Are we...
bywintari3
 
PCCC25(設立25年記念PCクラスタシンポジウム):エヌビディア合同会社 テーマ2「NVIDIA BlueField-4 DPU」
byPC Cluster Consortium
 
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
Cybersecurity Prevention and Detection: Unit 2
byVICTOR MAESTRE RAMIREZ
 
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 

DevOpsDays InSpec Workshop

  • 1.
    Building Security IntoYour Workflow with InSpec Mandi Walls | mandi@chef.io
  • 2.
    HI! • Mandi Walls •Technical Community Manager for Chef, EMEA • mandi@chef.io • @lnxchk • https://inspec.io • https://dev-sec.io/
  • 3.
    EVERY business isa software business We’re going to be a software company with airplanes. – CIO, Alaska Airlines
  • 4.
    What We HaveHere Is A Communications Problem
  • 6.
  • 7.
    InSpec • Human-readable specificationlanguage for tests related to security and compliance • Includes facilities for creating, sharing, and reusing profiles • Extensible language so you can build your own rules for your applications and systems • Command-line tools for plugging into your existing workflows / build servers • Integrates with Test Kitchen for fast-feedback local testing by developers
  • 8.
    SSH Example • Ifyour security team sends you a directive: SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. All systems must use SSHv2 instead to avoid these issues.
  • 9.
    How Do YouGo About Fixing It? • Identify the file and file location to check your systems • Create a file with a new setting • Push out changes • What’s the plan for the currently used images? Rebuild? Remediate at instantiation? • Did you test it?
  • 10.
    Lifecycle • When youget a mandate from security, how often is it checked? • Single big scan, report mailed out with a “due date”? • Yearly or twice-yearly massive scans with remediation projects?
  • 11.
  • 12.
    Find It! • http://inspec.io/ •Open Source! • The “spec” is a hint • It comes installed as part of the Chef Developer’s Kit, ChefDK, or on its own • It’s on your host which inspec • https://downloads.chef.io/chefdk curl -o chefdk.rpm https://packages.chef.io/files/stable/chefdk/2.3.4/el/7/chefdk-2.3.4- 1.el7.x86_64.rpm sudo rpm -Uhv chefdk.rpm
  • 13.
    Check that sshd_config describesshd_config do impact 1.0 title 'SSH Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end
  • 14.
    Resources • InSpec includesbuilt-in resources for common services, system files, and configurations See http://inspec.io/docs/reference/resources/ for the current list! • Built-in resources work on several platforms of Linux. There are also Windows-specifics • A resource has characteristics that can be verified for your requirements, and Matchers that work with those characteristics
  • 15.
    • Resources takethe “grep for x” out of the testing phase • Parsers included in the InSpec software do the work for you • It’s built off the premises of rSpec, and meant to be human readable
  • 16.
    its.... should... • it{ should exist } • it { should be_installed } • it { should be_enabled } • its('max_log_file') { should cmp 6 } • its('exit_status') { should eq 0 } • its('gid') { should eq 0 }
  • 17.
    Run It • InSpecis command line Installs on your workstation as a ruby gem or as part of the ChefDK • Can be run locally, test the machine it is executing on • Or remotely InSpec will log into the target and run the tests for you • Also a REPL https://www.inspec.io/docs/reference/shell/
  • 18.
    Create a BasicTest – test.rb • Let’s write a basic test to make sure /tmp is a directory • It also should be owned by root • And its mode should be 01777 – open to all (plus sticky bit!) • Let’s check out the docs for the “file” resource for InSpec
  • 19.
    File Resources inInSpec • https://www.inspec.io/docs/reference/resources/file/ • We want: Directory Owner Mode describe file(‘path’) do it { should MATCHER ‘value’ } end
  • 20.
    test.rb describe file("/tmp") do it{ should exist } its('type') { should cmp 'directory' } its('owner') { should eq 'root' } its('mode') { should cmp '01777' } end
  • 21.
    Test Any Target inspecexec test.rb inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://ec2-user@54.152.7.203 inspec exec test.rb -t winrm://Admin@192.168.1.2 -- password super inspec exec test.rb -t docker://3dda08e75838
  • 22.
    Execute InSpec [chef@ip-172-31-38-151 ~]$inspec exec ./test.rb Profile: tests from ./test.rb Version: (not specified) Target: local:// File /tmp ✔ should exist ✔ should be directory ✔ should be owned by "root" ✔ mode should cmp == "01777" Test Summary: 4 successful, 0 failures, 0 skipped
  • 23.
    Failures • InSpec runswith failed tests return a non-zero return code Profile Summary: 0 successful, 1 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 1 [chef@ip-172-31-29-25 ~]$ • Passing tests have 0 return code Profile Summary: 1 successful, 0 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 0 [chef@ip-172-31-29-25 ~]$
  • 24.
    Profiles • InSpec profilesallow you to package and share sets of InSpec tests for your organization or for a specific application set • Each profile can have multiple test files included • The test files generally test for one required outcome, but can look at different objects to meet requirements • Flexible! Create your own profiles for specific software you use
  • 25.
    Hardening with InSpec •Centos 7 host • os-hardening cookbook from https://supermarket.chef.io • /dev-sec/linux-baseline InSpec profile from https://github.com/dev- sec/linux-baseline
  • 26.
    What’s in thelinux-baseline Profile control 'os-02' do impact 1.0 title 'Check owner and permissions for /etc/shadow' desc 'Check periodically the owner and permissions for /etc/shadow' describe file('/etc/shadow') do it { should exist } it { should be_file } it { should be_owned_by 'root' } its('group') { should eq shadow_group } it { should_not be_executable } it { should be_writable.by('owner') } ...
  • 27.
    Use the Profile $git clone https://github.com/dev-sec/linux-baseline ... $ sudo inspec exec linux-baseline Profile Summary: 26 successful controls, 27 control failures, 1 control skipped Test Summary: 80 successful, 45 failures, 1 skipped $
  • 28.
    What’s in theos-hardening Cookbook
  • 29.
    Use Chef toRepair the Findings $ chef generate cookbook harden (ignore git's complaints, it's ok)
  • 30.
    Edit harden/metadata.rb name 'harden' maintainer'The Authors' maintainer_email 'you@example.com' license 'All Rights Reserved' description 'Installs/Configures harden' ... ... depends 'os-hardening'
  • 31.
    Create a CookbooksPackage $ cd harden $ berks install $ berks package $ cd .. $ tar –xzvf harden/cookbooks-VERSION.tar.gz
  • 32.
    Run chef-client toremediate failed tests $ sudo chef-client -r "recipe[os-hardening]" --local-mode
  • 33.
    Rerun the Tests $sudo inspec exec linux-baseline/ ... Profile Summary: 51 successful controls, 2 control failures, 1 control skipped Test Summary: 123 successful, 2 failures, 1 skipped
  • 34.
    What’s Still Failing? •Find the controls that aren’t passing • Decide if you want to fix them or forget them • Let’s fix one and forget the others
  • 35.
    Error 1: Entropy,os-08 control 'os-08' do impact 1.0 title 'Entropy' desc 'Check system has enough entropy - greater than 1000' describe file('/proc/sys/kernel/random/entropy_avail').content.to_i do it { should >= 1000 } end end https://github.com/dev-sec/linux- baseline/blob/master/controls/os_spec.rb
  • 36.
    Fix it withrngd $ vi harden/recipes/default.rb package 'rng-tools' service 'rngd' do action [:start, :enable] end Install the Package Turn on the Service
  • 37.
    Berks Update $ cd~/harden $ berks package
  • 38.
    Install new cookbooksand run chef-client $ cd ~ $ tar –xzvf harden/cookbooks-NEWVERSION.tar.gz $ sudo chef-client –r “recipe[harden],recipe[os- hardening]” --local-mode … Recipe: harden::default * yum_package[rng-tools] action install - install version 0:5-13.el7.x86_64 of package rng-tools * service[rngd] action start - start service service[rngd] * service[rngd] action enable (up to date)
  • 39.
    Check the InSpecOutput Now $ sudo inspec exec linux-baseline ... Profile Summary: 52 successful controls, 1 control failure, 1 control skipped Test Summary: 124 successful, 1 failure, 1 skipped $
  • 40.
    Error 2: auditdlog setting package-08 control 'package-08' do impact 1.0 title 'Install auditd' desc 'auditd provides extended logging capacities on recent distribution' ... describe auditd_conf do ... its('max_log_file_action') { should cmp 'keep_logs' } ... end end
  • 41.
    Maybe We're Okwith the Current Setting • Large InSpec profiles contain lots of rules • You may not want or need all of them for your infrastructure • You can pick and choose which ones you want using your profile • Let's ignore the auditd log file setting for now
  • 42.
    Building New Profiles $inspec init profile my_hardening Create new profile at /home/chef/my_hardening * Create file README.md * Create directory controls * Create file controls/example.rb * Create file inspec.yml * Create directory libraries $
  • 43.
  • 44.
    Including Profiles $ vimy_hardening/inspec.yml name: my_hardening title: InSpec Profile ... version: 0.1.0 depends: - name: linux-baseline git: https://github.com/dev-sec/linux-baseline
  • 45.
    Skipping Individual Controls $rm -f my_hardening/controls/example.rb $ vi my_hardening/controls/default.rb include_controls 'linux-baseline' do skip_control ‘package-08' end
  • 46.
    Rerun the InSpecProfile $ sudo inspec exec my_hardening/ ... Profile Summary: 52 successful controls, 0 control failures, 1 control skipped Test Summary: 113 successful, 0 failures, 1 skipped
  • 47.
    Other Stuff –Test Kitchen • InSpec also runs as a test suite in Test Kitchen • Test Kitchen is a tool for your team to create fast-feedback loops for development • Add InSpec tests to TK so that any change can also be certified with the security profile before it is pushed to source code repository • More info at http://kitchen.ci/
  • 48.
    Resources • https://inspec.io • https://dev-sec.io •https://github.com/chef-training/workshops/ • http://www.anniehedgie.com/inspec-basics-1 • Windows and InSpec: http://datatomix.com/?p=236 • https://blog.chef.io/category/inspec/ • We're hiring! Work on InSpec in Belfast! https://chef.io/careers

Editor's Notes

  • #5 Compliance requirements are often set out in flat documents. Sometimes PDFs, sometimes other formats, but they have a tendency to be a huge list of characteristics and checkboxes to be investigated and potentially remediated. Security tools may be somewhat more flexible, encoded into a set of shell scripts that check and verify the systems after they are built. But what if it was easy to build these checks into the workflow while the systems are being built and applications installed.
  • #6 For the purposes of compliance, we actually wanted a common language, in code, that would allow all audiences – compliance, security, and devops – to collaborate on. And this code will then act on systems. This is whyInSpec was developed.
  • #11 For bits like the ssh configuration that are considered more infrastructure than application, these practices are common, changes are periodically rolled into the source images for new hosts (or containers) and the old configurations are eventually purged from production. It’s a herd-immunity approach. But what happens if the thing to be tested is affected by a continuously developed application? Like run time configurations for java, or your databases. Can you count on every team to always know all of the requirements?
  • #24 Plug InSpec into whatever command set you are already using
  • #48 If there is time, run a short InSpec and Kitchen demo.