Mandi Walls, profile picture
Uploaded byMandi Walls
PPTX, PDF331 views

InSpec Workshop DevSecCon 2017

The document discusses how to integrate security into workflows using InSpec, a human-readable specification language for security and compliance testing. It includes instructions on creating and running tests, managing profiles, and using InSpec with configuration management solutions like Chef. The document also emphasizes the importance of regular checks and remediation processes to maintain compliance and security across systems.

Software
Related topics:
Information Security

Embed presentation

Download to read offline
Building Security Into Your Workflow with InSpec Mandi Walls | mandi@chef.io
HI! • Mandi Walls • Technical Community Manager for Chef, EMEA • mandi@chef.io • @lnxchk • Adam Leff – Community Lead for InSpec @adamleff
EVERY business is a software business We’re going to be a software company with airplanes. – CIO, Alaska Airlines
What We Have Here Is A Communications Problem
What Is InSpec
InSpec • Human-readable specification language for tests related to security and compliance • Includes facilities for creating, sharing, and reusing profiles • Extensible language so you can build your own rules for your applications and systems • Command-line tools for plugging into your existing workflows / build servers • Integrates with Test Kitchen for fast-feedback local testing by developers
SSH Example • If your security team sends you a directive: SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. All systems must use SSHv2 instead to avoid these issues.
How Do You Go About Fixing It? • Identify the file and file location to check your systems • Figure out some sort of incantation Do we check it first or just push a new one everywhere? • What’s the plan for the currently used images? Rebuild? Remediate at instantiation? • Maybe you’re using a configuration management solution for these types of changes? Did your change get tested before it goes to all your systems?
Lifecycle • When you get a mandate from security, how often is it checked? • Single big scan, report mailed out with a “due date”? • Yearly or twice-yearly massive scans with remediation firedrills?
Using InSpec User: chef Pass: devseccon2017 User: velocity Pass: London2017
Find It! • http://inspec.io/ • Open Source! • The “spec” is a hint • It comes installed as part of the Chef Developer’s Kit, ChefDK, or on its own • https://downloads.chef.io/chefdk curl -o chefdk.rpm https://packages.chef.io/files/stable/chefdk/2.3.4/el/7/chefdk- 2.3.4-1.el7.x86_64.rpm sudo rpm -Uhv chefdk.rpm
Check that sshd_config describe sshd_config do impact 1.0 title 'SSH Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end
Resources • InSpec includes built-in resources for common services, system files, and configurations See http://inspec.io/docs/reference/resources/ for the current list! • Built-in resources work on several platforms of Linux. There are also Windows-specifics • A resource has characteristics that can be verified for your requirements, and Matchers that work with those characteristics
• Resources take the “grep for x” out of the testing phase • Parsers included in the InSpec software do the work for you • It’s built off the premises of rSpec, and meant to be human readable
its.... should... • it { should exist } • it { should be_installed } • it { should be_enabled } • its('max_log_file') { should cmp 6 } • its('exit_status') { should eq 0 } • its('gid') { should eq 0 }
Run It • InSpec is command line Installs on your workstation as a ruby gem or as part of the ChefDK • Can be run locally, test the machine it is executing on • Or remotely InSpec will log into the target and run the tests for you • Also a REPL https://www.inspec.io/docs/reference/shell/
Create a Basic Test – test.rb • Let’s write a basic test to make sure /tmp is a directory • It also should be owned by root • And its mode should be 01777 – open to all (plus sticky bit!) • Let’s check out the docs for the “file” resource for InSpec:w
File Resources in InSpec • https://www.inspec.io/docs/reference/resources/file/ • We want: Directory Owner Mode describe file(‘path’) do it { should MATCHER ‘value’ } end
test.rb describe file("/tmp") do it { should exist } it { should be_directory } it { should be_owned_by 'root' } its('mode') { should cmp '01777' } end
Test Any Target inspec exec test.rb inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://ec2- user@54.152.7.203 inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super inspec exec test.rb -t docker://3dda08e75838
Execute InSpec [chef@ip-172-31-38-151 ~]$ inspec exec ./test.rb Profile: tests from ./test.rb Version: (not specified) Target: local:// File /tmp ✔ should exist ✔ should be directory ✔ should be owned by "root" ✔ mode should cmp == "01777" Test Summary: 4 successful, 0 failures, 0 skipped
Failures • InSpec runs with failed tests return a non-zero return code Profile Summary: 0 successful, 1 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 1 [chef@ip-172-31-29-25 ~]$ • Passing tests have 0 return code Profile Summary: 1 successful, 0 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 0 [chef@ip-172-31-29-25 ~]$
Profiles • InSpec profiles allow you to package and share sets of InSpec tests for your organization or for a specific application set • Each profile can have multiple test files included • The test files generally test for one required outcome, but can look at different objects to meet requirements • Flexible! Create your own profiles for specific software you use
Hardening with InSpec • Centos 7 host • os-hardening cookbook from https://supermarket.chef.io • /dev-sec/linux-baseline InSpec profile from https://github.com/dev- sec/linux-baseline
What’s in the linux-baseline Profile control 'os-02' do impact 1.0 title 'Check owner and permissions for /etc/shadow' desc 'Check periodically the owner and permissions for /etc/shadow' describe file('/etc/shadow') do it { should exist } it { should be_file } it { should be_owned_by 'root' } its('group') { should eq shadow_group } it { should_not be_executable } it { should be_writable.by('owner') } ...
Use the Profile $ git clone https://github.com/dev-sec/linux-baseline ... $ sudo inspec exec linux-baseline Profile Summary: 23 successful controls, 28 control failures, 2 controls skipped Test Summary: 60 successful, 60 failures, 2 skipped $
What’s in the os-hardening Cookbook
Use Chef to Repair the Findings $ chef generate cookbook harden
Edit harden/metadata.rb name 'harden' maintainer 'The Authors' maintainer_email 'you@example.com' license 'All Rights Reserved' description 'Installs/Configures harden' ... ... depends 'os-hardening'
Create a Cookbooks Package $ cd harden $ berks install $ berks package $ cd .. $ tar –xzvf harden/cookbooks-VERSION.tar.gz
Run chef-client to remediate failed tests $ sudo chef-client -r "recipe[os-hardening]" --local-mode
Rerun the Tests $ inspec exec linux-baseline/ ... Profile Summary: 50 successful controls, 2 control failures, 1 control skipped Test Summary: 103 successful, 19 failures, 1 skipped
What’s Still Failing? • Find the controls that aren’t passing • Decide if you want to fix them or forget them • Let’s fix one and forget the others
Fix rngd $ cat harden/recipes/default.rb package 'rng-tools' service 'rngd' do action [:start, :enable] end
Berks Update $ berks package
Install new cookbooks and run chef-client $ cd ~ $ tar –xzvf harden/cookbooks-VERSION.tar.gz $ sudo chef-client –r “recipe[harden],recipe[os-hardening]” --local-mode
Building New Profiles inspec init profile my_hardening
Including Profiles $ cat my_hardening/inspec.yml name: my_hardening title: InSpec Profile ... version: 0.1.0 depends: - name: linux-baseline path: ../linux-baseline
Skipping Individual Controls $ cat my_hardening/controls/my.rb include_controls 'linux-baseline' do skip_control 'os-10’ skip_control 'os-08’ skip_control ‘package-08' skip_control 'sysctl-14' end
Rerun the InSpec Profile $ inspec exec my_hardening/ ... Profile Summary: 51 successful controls, 0 control failures, 1 control skipped Test Summary: 104 successful, 0 failures, 1 skipped
Other Stuff – Test Kitchen • InSpec also runs as a test suite in Test Kitchen • Test Kitchen is a tool for your team to create fast-feedback loops for development • Add InSpec tests to TK so that any change can also be certified with the security profile before it is pushed to source code repository • More info at http://kitchen.ci/
Resources • https://inspec.io • https://github.com/chef-training/workshops/ • http://www.anniehedgie.com/inspec-basics-1 • http://blog.johnray.io/chef-inspec-and-dirty-cow • https://blog.chef.io/2017/05/23/inspec-launches-support-cloud-platform- assessments/ • https://github.com/lnxchk/inspec_fivemins
InSpec Workshop DevSecCon 2017

More Related Content

PPTX
DevOpsDays InSpec Workshop
byMandi Walls
 
PPTX
BuildStuff.LT 2018 InSpec Workshop
byMandi Walls
 
PPTX
InSpec Workshop at Velocity London 2018
byMandi Walls
 
PPTX
Adding Security to Your Workflow with InSpec (MAY 2017)
byMandi Walls
 
PPTX
InSpec For DevOpsDays Amsterdam 2017
byMandi Walls
 
PDF
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
byNETWAYS
 
PPTX
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
byDevOpsDays Riga
 
PDF
Automating Compliance with InSpec - Chef Singapore Meetup
byMatt Ray
 
DevOpsDays InSpec Workshop
byMandi Walls
 
BuildStuff.LT 2018 InSpec Workshop
byMandi Walls
 
InSpec Workshop at Velocity London 2018
byMandi Walls
 
Adding Security to Your Workflow with InSpec (MAY 2017)
byMandi Walls
 
InSpec For DevOpsDays Amsterdam 2017
byMandi Walls
 
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
byNETWAYS
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
byDevOpsDays Riga
 
Automating Compliance with InSpec - Chef Singapore Meetup
byMatt Ray
 

What's hot

PPTX
InSpec Workflow for DevOpsDays Riga 2017
byMandi Walls
 
PPTX
2019 Chef InSpec Jumpstart Part 1 of 2
byLarry Eichenbaum
 
PPTX
2019 Chef InSpec Jumpstart Part 2 of 2
byLarry Eichenbaum
 
PDF
Testable Infrastructure with Chef, Test Kitchen, and Docker
byMandi Walls
 
KEY
Using Nagios with Chef
byBryan McLellan
 
PDF
Introduction to Chef
bykevsmith
 
PPTX
Network Automation Tools
byEdwin Beekman
 
PPTX
OSDC2014: Testing Server Infrastructure with #serverspec
byAndreas Schmidt
 
PPTX
Compliance Automation with Inspec Part 4
byChef
 
PDF
AWS ElasticBeanstalk Advanced configuration
byLionel LONKAP TSAMBA
 
PDF
Test Driven Development with Chef
bySimone Soldateschi
 
PDF
Compliance as Code
byMatt Ray
 
PDF
Chef - industrialize and automate your infrastructure
byMichaël Lopez
 
PPTX
How to Write Chef Cookbook
bydevopsjourney
 
PPTX
Verifying your Ansible Roles using Docker, Test Kitchen and Serverspec
byEdmund Dipple
 
PDF
FreeBSD: Dev to Prod
bySean Chittenden
 
ODP
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
byNagios
 
PPTX
Application Automation with Habitat
byChef
 
PDF
Introduction to Chef - April 22 2015
byJennifer Davis
 
InSpec Workflow for DevOpsDays Riga 2017
byMandi Walls
 
2019 Chef InSpec Jumpstart Part 1 of 2
byLarry Eichenbaum
 
2019 Chef InSpec Jumpstart Part 2 of 2
byLarry Eichenbaum
 
Testable Infrastructure with Chef, Test Kitchen, and Docker
byMandi Walls
 
Using Nagios with Chef
byBryan McLellan
 
Introduction to Chef
bykevsmith
 
Network Automation Tools
byEdwin Beekman
 
OSDC2014: Testing Server Infrastructure with #serverspec
byAndreas Schmidt
 
Compliance Automation with Inspec Part 4
byChef
 
AWS ElasticBeanstalk Advanced configuration
byLionel LONKAP TSAMBA
 
Test Driven Development with Chef
bySimone Soldateschi
 
Compliance as Code
byMatt Ray
 
Chef - industrialize and automate your infrastructure
byMichaël Lopez
 
How to Write Chef Cookbook
bydevopsjourney
 
Verifying your Ansible Roles using Docker, Test Kitchen and Serverspec
byEdmund Dipple
 
FreeBSD: Dev to Prod
bySean Chittenden
 
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
byNagios
 
Application Automation with Habitat
byChef
 
Introduction to Chef - April 22 2015
byJennifer Davis
 

Similar to InSpec Workshop DevSecCon 2017

PPTX
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
byNETWAYS
 
PPTX
Adding Security to Your Workflow With InSpec - SCaLE17x
byMandi Walls
 
PPTX
InSpec - June 2018 at Open28.be
byMandi Walls
 
PDF
Inspec: Turn your compliance, security, and other policy requirements into au...
byKangaroot
 
PPTX
Prescriptive Security with InSpec - All Things Open 2019
byMandi Walls
 
PDF
Prescriptive System Security with InSpec
byAll Things Open
 
PPTX
InSpec at DevOps ATL Meetup January 22, 2020
byMandi Walls
 
PPTX
Building Security into Your Workflow with InSpec
byMandi Walls
 
PPTX
Adding Security and Compliance to Your Workflow with InSpec
byMandi Walls
 
PPTX
Using Chef InSpec for Infrastructure Security
byMandi Walls
 
PPTX
Introduction to InSpec and 1.0 release update
byAlex Pop
 
PPTX
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
byadamleff
 
PPTX
Ingite Slides for InSpec
byMandi Walls
 
PPTX
Effective Testing with Ansible and InSpec
byNathen Harvey
 
PDF
What did you inspec?
byGratien D'haese
 
PPTX
Compliance Automation with InSpec
byNathen Harvey
 
PPTX
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
 
PDF
Philly security shell meetup
byNicole Johnson
 
PDF
Introduction To Continuous Compliance & Remediation
byNicole Johnson
 
PDF
2016 - Compliance as Code - InSpec
bydevopsdaysaustin
 
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
byNETWAYS
 
Adding Security to Your Workflow With InSpec - SCaLE17x
byMandi Walls
 
InSpec - June 2018 at Open28.be
byMandi Walls
 
Inspec: Turn your compliance, security, and other policy requirements into au...
byKangaroot
 
Prescriptive Security with InSpec - All Things Open 2019
byMandi Walls
 
Prescriptive System Security with InSpec
byAll Things Open
 
InSpec at DevOps ATL Meetup January 22, 2020
byMandi Walls
 
Building Security into Your Workflow with InSpec
byMandi Walls
 
Adding Security and Compliance to Your Workflow with InSpec
byMandi Walls
 
Using Chef InSpec for Infrastructure Security
byMandi Walls
 
Introduction to InSpec and 1.0 release update
byAlex Pop
 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
byadamleff
 
Ingite Slides for InSpec
byMandi Walls
 
Effective Testing with Ansible and InSpec
byNathen Harvey
 
What did you inspec?
byGratien D'haese
 
Compliance Automation with InSpec
byNathen Harvey
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
 
Philly security shell meetup
byNicole Johnson
 
Introduction To Continuous Compliance & Remediation
byNicole Johnson
 
2016 - Compliance as Code - InSpec
bydevopsdaysaustin
 

More from Mandi Walls

PDF
DOD Kansas City 2025 - Managing Vendor Incidents.pdf
byMandi Walls
 
PDF
DOD Raleigh Gamedays with Chaos Engineering.pdf
byMandi Walls
 
PDF
Addo reducing trauma in organizations with SLOs and chaos engineering
byMandi Walls
 
PDF
Full Service Ownership
byMandi Walls
 
PDF
PagerDuty: Best Practices for On Call Teams
byMandi Walls
 
PPTX
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
byMandi Walls
 
PPTX
habitat at docker bud
byMandi Walls
 
PPTX
Habitat at LinuxLab IT
byMandi Walls
 
PPTX
Habitat Workshop at Velocity London 2017
byMandi Walls
 
PDF
Habitat at SRECon
byMandi Walls
 
PPTX
Containerdays Intro to Habitat
byMandi Walls
 
PPTX
Configuration Management is Old and Boring
byMandi Walls
 
PPTX
Habitat Overview
byMandi Walls
 
PPTX
Lessons Learned From Cloud Migrations
byMandi Walls
 
PPTX
Lessons Learned from Continuous Delivery
byMandi Walls
 
PPTX
Community in a box
byMandi Walls
 
DOD Kansas City 2025 - Managing Vendor Incidents.pdf
byMandi Walls
 
DOD Raleigh Gamedays with Chaos Engineering.pdf
byMandi Walls
 
Addo reducing trauma in organizations with SLOs and chaos engineering
byMandi Walls
 
Full Service Ownership
byMandi Walls
 
PagerDuty: Best Practices for On Call Teams
byMandi Walls
 
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
byMandi Walls
 
habitat at docker bud
byMandi Walls
 
Habitat at LinuxLab IT
byMandi Walls
 
Habitat Workshop at Velocity London 2017
byMandi Walls
 
Habitat at SRECon
byMandi Walls
 
Containerdays Intro to Habitat
byMandi Walls
 
Configuration Management is Old and Boring
byMandi Walls
 
Habitat Overview
byMandi Walls
 
Lessons Learned From Cloud Migrations
byMandi Walls
 
Lessons Learned from Continuous Delivery
byMandi Walls
 
Community in a box
byMandi Walls
 

Recently uploaded

PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
PPTX
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
PPTX
Chapter Two Logic and Language - Copy.pptx
byGediyonBelay
 
PDF
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
PDF
Ecommerce Website Development Services - Web Panel Solutions.pdf
byWEB PANEL SOLUTIONS
 
PDF
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
PDF
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PDF
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PDF
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PPTX
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
Chapter Two Logic and Language - Copy.pptx
byGediyonBelay
 
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
Ecommerce Website Development Services - Web Panel Solutions.pdf
byWEB PANEL SOLUTIONS
 
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
SAP ERP to SAP S_4HANA Cloud Private Edition Delta Scope
bychuck78
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 

InSpec Workshop DevSecCon 2017

  • 1.
    Building Security IntoYour Workflow with InSpec Mandi Walls | mandi@chef.io
  • 2.
    HI! • Mandi Walls •Technical Community Manager for Chef, EMEA • mandi@chef.io • @lnxchk • Adam Leff – Community Lead for InSpec @adamleff
  • 3.
    EVERY business isa software business We’re going to be a software company with airplanes. – CIO, Alaska Airlines
  • 4.
    What We HaveHere Is A Communications Problem
  • 6.
  • 7.
    InSpec • Human-readable specificationlanguage for tests related to security and compliance • Includes facilities for creating, sharing, and reusing profiles • Extensible language so you can build your own rules for your applications and systems • Command-line tools for plugging into your existing workflows / build servers • Integrates with Test Kitchen for fast-feedback local testing by developers
  • 8.
    SSH Example • Ifyour security team sends you a directive: SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. All systems must use SSHv2 instead to avoid these issues.
  • 9.
    How Do YouGo About Fixing It? • Identify the file and file location to check your systems • Figure out some sort of incantation Do we check it first or just push a new one everywhere? • What’s the plan for the currently used images? Rebuild? Remediate at instantiation? • Maybe you’re using a configuration management solution for these types of changes? Did your change get tested before it goes to all your systems?
  • 10.
    Lifecycle • When youget a mandate from security, how often is it checked? • Single big scan, report mailed out with a “due date”? • Yearly or twice-yearly massive scans with remediation firedrills?
  • 11.
    Using InSpec User: chef Pass:devseccon2017 User: velocity Pass: London2017
  • 12.
    Find It! • http://inspec.io/ •Open Source! • The “spec” is a hint • It comes installed as part of the Chef Developer’s Kit, ChefDK, or on its own • https://downloads.chef.io/chefdk curl -o chefdk.rpm https://packages.chef.io/files/stable/chefdk/2.3.4/el/7/chefdk- 2.3.4-1.el7.x86_64.rpm sudo rpm -Uhv chefdk.rpm
  • 13.
    Check that sshd_config describesshd_config do impact 1.0 title 'SSH Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end
  • 14.
    Resources • InSpec includesbuilt-in resources for common services, system files, and configurations See http://inspec.io/docs/reference/resources/ for the current list! • Built-in resources work on several platforms of Linux. There are also Windows-specifics • A resource has characteristics that can be verified for your requirements, and Matchers that work with those characteristics
  • 15.
    • Resources takethe “grep for x” out of the testing phase • Parsers included in the InSpec software do the work for you • It’s built off the premises of rSpec, and meant to be human readable
  • 16.
    its.... should... • it{ should exist } • it { should be_installed } • it { should be_enabled } • its('max_log_file') { should cmp 6 } • its('exit_status') { should eq 0 } • its('gid') { should eq 0 }
  • 17.
    Run It • InSpecis command line Installs on your workstation as a ruby gem or as part of the ChefDK • Can be run locally, test the machine it is executing on • Or remotely InSpec will log into the target and run the tests for you • Also a REPL https://www.inspec.io/docs/reference/shell/
  • 18.
    Create a BasicTest – test.rb • Let’s write a basic test to make sure /tmp is a directory • It also should be owned by root • And its mode should be 01777 – open to all (plus sticky bit!) • Let’s check out the docs for the “file” resource for InSpec:w
  • 19.
    File Resources inInSpec • https://www.inspec.io/docs/reference/resources/file/ • We want: Directory Owner Mode describe file(‘path’) do it { should MATCHER ‘value’ } end
  • 20.
    test.rb describe file("/tmp") do it{ should exist } it { should be_directory } it { should be_owned_by 'root' } its('mode') { should cmp '01777' } end
  • 21.
    Test Any Target inspecexec test.rb inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://ec2- user@54.152.7.203 inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super inspec exec test.rb -t docker://3dda08e75838
  • 22.
    Execute InSpec [chef@ip-172-31-38-151 ~]$inspec exec ./test.rb Profile: tests from ./test.rb Version: (not specified) Target: local:// File /tmp ✔ should exist ✔ should be directory ✔ should be owned by "root" ✔ mode should cmp == "01777" Test Summary: 4 successful, 0 failures, 0 skipped
  • 23.
    Failures • InSpec runswith failed tests return a non-zero return code Profile Summary: 0 successful, 1 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 1 [chef@ip-172-31-29-25 ~]$ • Passing tests have 0 return code Profile Summary: 1 successful, 0 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 0 [chef@ip-172-31-29-25 ~]$
  • 24.
    Profiles • InSpec profilesallow you to package and share sets of InSpec tests for your organization or for a specific application set • Each profile can have multiple test files included • The test files generally test for one required outcome, but can look at different objects to meet requirements • Flexible! Create your own profiles for specific software you use
  • 25.
    Hardening with InSpec •Centos 7 host • os-hardening cookbook from https://supermarket.chef.io • /dev-sec/linux-baseline InSpec profile from https://github.com/dev- sec/linux-baseline
  • 26.
    What’s in thelinux-baseline Profile control 'os-02' do impact 1.0 title 'Check owner and permissions for /etc/shadow' desc 'Check periodically the owner and permissions for /etc/shadow' describe file('/etc/shadow') do it { should exist } it { should be_file } it { should be_owned_by 'root' } its('group') { should eq shadow_group } it { should_not be_executable } it { should be_writable.by('owner') } ...
  • 27.
    Use the Profile $git clone https://github.com/dev-sec/linux-baseline ... $ sudo inspec exec linux-baseline Profile Summary: 23 successful controls, 28 control failures, 2 controls skipped Test Summary: 60 successful, 60 failures, 2 skipped $
  • 28.
    What’s in theos-hardening Cookbook
  • 29.
    Use Chef toRepair the Findings $ chef generate cookbook harden
  • 30.
    Edit harden/metadata.rb name 'harden' maintainer'The Authors' maintainer_email 'you@example.com' license 'All Rights Reserved' description 'Installs/Configures harden' ... ... depends 'os-hardening'
  • 31.
    Create a CookbooksPackage $ cd harden $ berks install $ berks package $ cd .. $ tar –xzvf harden/cookbooks-VERSION.tar.gz
  • 32.
    Run chef-client toremediate failed tests $ sudo chef-client -r "recipe[os-hardening]" --local-mode
  • 33.
    Rerun the Tests $inspec exec linux-baseline/ ... Profile Summary: 50 successful controls, 2 control failures, 1 control skipped Test Summary: 103 successful, 19 failures, 1 skipped
  • 34.
    What’s Still Failing? •Find the controls that aren’t passing • Decide if you want to fix them or forget them • Let’s fix one and forget the others
  • 35.
    Fix rngd $ catharden/recipes/default.rb package 'rng-tools' service 'rngd' do action [:start, :enable] end
  • 36.
  • 37.
    Install new cookbooksand run chef-client $ cd ~ $ tar –xzvf harden/cookbooks-VERSION.tar.gz $ sudo chef-client –r “recipe[harden],recipe[os-hardening]” --local-mode
  • 38.
    Building New Profiles inspecinit profile my_hardening
  • 39.
    Including Profiles $ catmy_hardening/inspec.yml name: my_hardening title: InSpec Profile ... version: 0.1.0 depends: - name: linux-baseline path: ../linux-baseline
  • 40.
    Skipping Individual Controls $cat my_hardening/controls/my.rb include_controls 'linux-baseline' do skip_control 'os-10’ skip_control 'os-08’ skip_control ‘package-08' skip_control 'sysctl-14' end
  • 41.
    Rerun the InSpecProfile $ inspec exec my_hardening/ ... Profile Summary: 51 successful controls, 0 control failures, 1 control skipped Test Summary: 104 successful, 0 failures, 1 skipped
  • 42.
    Other Stuff –Test Kitchen • InSpec also runs as a test suite in Test Kitchen • Test Kitchen is a tool for your team to create fast-feedback loops for development • Add InSpec tests to TK so that any change can also be certified with the security profile before it is pushed to source code repository • More info at http://kitchen.ci/
  • 43.
    Resources • https://inspec.io • https://github.com/chef-training/workshops/ •http://www.anniehedgie.com/inspec-basics-1 • http://blog.johnray.io/chef-inspec-and-dirty-cow • https://blog.chef.io/2017/05/23/inspec-launches-support-cloud-platform- assessments/ • https://github.com/lnxchk/inspec_fivemins

Editor's Notes

  • #5 Compliance requirements are often set out in flat documents. Sometimes PDFs, sometimes other formats, but they have a tendency to be a huge list of characteristics and checkboxes to be investigated and potentially remediated. Security tools may be somewhat more flexible, encoded into a set of shell scripts that check and verify the systems after they are built. But what if it was easy to build these checks into the workflow while the systems are being built and applications installed.
  • #6 For the purposes of compliance, we actually wanted a common language, in code, that would allow all audiences – compliance, security, and devops – to collaborate on. And this code will then act on systems. This is whyInSpec was developed.
  • #11 For bits like the ssh configuration that are considered more infrastructure than application, these practices are common, changes are periodically rolled into the source images for new hosts (or containers) and the old configurations are eventually purged from production. It’s a herd-immunity approach. But what happens if the thing to be tested is affected by a continuously developed application? Like run time configurations for java, or your databases. Can you count on every team to always know all of the requirements?
  • #24 Plug InSpec into whatever command set you are already using