3. Digital Transformation is taking over IT
71% DevOps adoption
81% of IT professionals think InfoSec inhibits speed
77% of InfoSec experts believe this too!
Sources: Rightscale, State of Cloud; Gartner, How to seamlessly integrate Security into DevOps
8. Documentation
SSH supports two different protocol versions. The original
version, SSHv1, was subject to a number of security issues.
Please use SSHv2 instead to avoid these.
10. Compliance Language
control 'sshd-10' do
  impact 1.0
  title 'Server: Specify protocol version 2'
  desc "Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore."
  describe sshd_config do
    its('Protocol') { should eq('2') }
  end
end
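As an added illustration, not part of the slides or of InSpec itself, the following plain Ruby mirrors what the 'sshd-10' control above has to get right when it reads the Protocol directive: keywords are case-insensitive, the first value sshd obtains for a keyword wins, comments are ignored, and a Match block ends the global section. The functions parse_sshd_config and check_protocol_v2 and the two sample configs are constructed for this example; treating an absent Protocol line as a failure (because the effective value then depends on the sshd version's default) is a choice made here, not behaviour the slides claim for InSpec.

```ruby
# Parse the global section of an sshd_config text into a {keyword => value} hash,
# following sshd_config(5): case-insensitive keywords, '#' comments,
# "Key value" or "Key=value" syntax, first occurrence wins, stop at 'Match'.
def parse_sshd_config(text)
  config = {}
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip            # drop comments and whitespace
    next if line.empty?
    keyword, value = line.split(/\s*=\s*|\s+/, 2)
    keyword = keyword.downcase
    break if keyword == 'match'                # conditional blocks are out of scope
    config[keyword] ||= value                  # first obtained value wins, as in sshd
  end
  config
end

# Evaluate the same condition as the control: Protocol must be exactly '2'.
# A value such as '2,1' still allows SSHv1 and fails, as does a missing directive
# (assumption: we do not rely on the sshd default).
# Returns [passed, reason] so a caller can report like InSpec does.
def check_protocol_v2(text)
  protocol = parse_sshd_config(text)['protocol']
  return [false, 'Protocol not set; depends on sshd default'] if protocol.nil?
  return [true, 'Protocol is 2'] if protocol.strip == '2'
  [false, "Protocol is '#{protocol}', SSHv1 still allowed"]
end

# Constructed sample configs (not taken from a real host).
GOOD_CONFIG = <<~CFG
  # Hardened server
  Port 22
  Protocol 2
  Protocol 2,1   # ignored by sshd: the first value above wins
CFG

WEAK_CONFIG = <<~CFG
  protocol 2,1
  PermitRootLogin no
CFG

if __FILE__ == $PROGRAM_NAME
  [GOOD_CONFIG, WEAK_CONFIG].each { |cfg| puts check_protocol_v2(cfg).inspect }
end
```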
14. Built-in Resources
apache apache_conf apt audit_policy
auditd_conf auditd_rules bash bond
bridge bsd_service command crontab
csv dh_params directory docker
docker_container docker_image etc_group file
gem group groups grub_conf
host http iis_site iis_website
inetd_conf ini interface iptables
json kernel_module kernel_parameter key_rsa
launchd_service limits_conf login_defs mount
mssql_session mysql mysql_conf mysql_session
npm ntp_conf oneget oracledb_session
os os_env package packages
parse_config parse_config_file passwd pip
port postgres postgres_conf postgres_session
powershell ppa processes rabbitmq_config
registry_key runit_service script security_policy
service shadow ssh_config sshd_config
ssl sys_info systemd_service sysv_service
upstart_service user users vbscript
windows_feature windows_registry_key windows_task wmi
x509_certificate xinetd_conf yaml yum
yumrepo zfs_dataset zfs_pool
https://www.inspec.io/docs/reference/resources/
15. Operating Systems Support
Amazon Linux: 2014.09 / 2015.03
CentOS: 6 / 7
HP UX: 11i
IBM AIX: 5.3 / 6.1 / 7.1
RHEL: 6 / 7
SLES: 11 / 12
Ubuntu Server: 12.04 / 14.04 / 16.04
Windows: 7 / 8 / 10 / 2012 / 2012R2 / 2016 / Nano
16. Database Testing
control 'postgres-05' do
  impact 1.0
  title 'Set a password for each user'
  desc 'It tests for usernames which do not set a password.'
  describe postgres_session(USER, PASSWORD).query('SELECT count(*) FROM pg_shadow WHERE passwd IS NULL;') do
    its('output') { should eq '0' }
  end
end
17. Intelliment Security
control 'nw03' do
  title 'All internet connections must be terminated in the DMZ'
  describe(internet_connections.where { destination['network']['name'] !~ /dmz/i }) do
    it { should be_empty }
  end
end
intellimentsec.com
19. Docker Support
CIS Docker Baseline available at: github.com/dev-sec/cis-docker-benchmark
# returns all running container ids
docker.containers.running?.ids.each do |id|
  # retrieve detailed container information
  describe docker.object(id) do
    its('HostConfig.Privileged') { should cmp false }
  end
end
23. The InSpec AWS contributors at D2L: Alex Bedley, Miles
Tjandrawidjaja, Jeff Lyons, Chris Redekop, Viktor
Yakovlyev, Steffanie Freeman, Simon Varlow
“With InSpec for AWS, we can verify
that our AWS environment is as we
expect and that our resources are
secure. Our AWS controls integrate
with InSpec to provide a holistic view
of our infrastructure. That’s why we
contribute to InSpec AWS.”
InSpec for Platforms
24. InSpec for AWS
describe aws_iam_user('iam_user') do
  its('has_mfa_enabled?') { should be false }
  its('has_console_password?') { should be false }
end
25. InSpec for Azure
describe azure_virtual_machine(name: 'Linux-Internal-VM', resource_group: 'Inspec-Azure') do
  its('sku') { should eq '16.04.0-LTS' }
  its('publisher') { should eq 'Canonical' }
  its('offer') { should eq 'UbuntuServer' }
  its('size') { should eq 'Standard_DS2_v2' }
  its('location') { should eq 'westeurope' }
  its('admin_username') { should eq 'azure' }
end
26. InSpec for VMware
control 'vmware-7.3.3' do
  impact 0.7
  title 'Ensure that the vSwitch Promiscuous Mode policy is set to reject.'
  describe vmhost_vswitch(datacenter: 'vm001', host: 'localhost.localdomain', vswitch: 'vSwitch0') do
    its('allowPromiscuous') { should be false }
  end
end