Matt Ray, profile picture
Uploaded byMatt Ray
PDF, PPTX886 views

Melbourne Chef Meetup: Automating Azure Compliance with InSpec

The document discusses automating compliance in Azure using InSpec and Chef, outlining security vulnerabilities and misconfigurations related to SSH and Apache servers. It highlights the importance of continuous testing and compliance and offers methods for verifying configurations via command line and code examples. Additionally, it includes references to various operating systems and tools for ensuring compliance automation within software development workflows.

Embed presentation

Download as PDF, PPTX
Automating Azure Compliance with InSpec Chef Melbourne June 26, 2017
Matt Ray Manager, Solutions Architect – APJ Chef Software matt@chef.io @mattray
Chef Workflow
SSH Control "SSH supports two different protocol versions.The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
How will I verify this?
Whip up a one-liner! grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
Apache Server Information Leakage • Description This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OSType of the Server. This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. • How toTest In order to test for ServerToken configuration, one should check the Apache configuration file. • Misconfiguration ServerTokens Full • Remediation Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.This tells Apache to only return "Apache" in the Server header, returned on every page request. ServerTokens Prod or ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache
More grep and sed! grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
C o m p l i a n c e
Two-thirds of organizations did not adequately test the security of all in-scope systems
Key Trends • While individual rule compliance is up, testing of security systems is down • Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
Shell Scripts grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
Infrastructure Code package 'httpd' do action :install end service 'httpd' do action [ :start, :enable ] end
We Have A Communications Problem
Security != Compliance
Secure Compliant
Compliance Language
One Language Linux
One Language Linux,Windows
Windows
One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ...
Examples of Available Resources apache_conf apt audit_policy auditd_conf auditd_rules bond bridge command crontab directory etc_group file gem group host inetd_conf interface iptables kernel_module kernel_parameter limits_conf login_defs mount mysql_conf mysql_session npm ntp_conf oneget os os_env package parse_config parse_config_file passwd pip port postgres_conf postgres_session powershell processes registry_key security_policy service ssh_config sshd_config user windows_feature yum
What is it not? • IDS / IPS • Firewall • Antivirus • Pentesting tool
One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal
One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal,VMs
One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers
One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes
One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes, Databases
DB Testing
One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes, Databases,APIs
Cloud Testing
InSpec > inspec exec test.rb Test a machine remotely via SSH > inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1 Test your machine locally > inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super Test Docker Container > inspec exec test.rb -t docker://5cc8837bb6a8 Test a machine remotely via WinRM AGENTLESS
Operating System & Application Coverage • Microsoft Windows • Red Hat Enterprise Linux • Ubuntu Linux • SUSE Linux Enterprise Server • Oracle Enterprise Linux • AIX • HP-UX • Solaris • VMware ESXi • MySQL • Oracle • PostgreSQL • Tomcat • SQL Server • IIS • HTTP request
One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes, Databases,APIs, Cloud Platforms
One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes, Databases,APIs, Cloud Platforms, ...
Open Source Community •InSpec •https://inspec.io •Chef Audit cookbook •https://github.com/chef-cookbooks/audit •Kitchen-InSpec •https://github.com/chef/kitchen-inspec •Supermarket.chef.io •#inspec in
Scan for Compliance Build & Test Locally Build & Test CI/CD Remediate Verify New Workflow
CONTINUOUS COMPLIANCE AUTOMATION InSpec - Part of your InfoSec toolchain FIREWALL ANTIVIRUS INTRUSION DETECTION/ PREVENTION PENETRATION TESTING
The Chef Automate Platform Continuous Automation for High Velocity IT Workflow • Local development • Integration • Tooling (APIs & SDKs) COLLABORATE ▪ Package ▪ Test ▪ Approve BUILD ▪ Provision ▪ Configure ▪ Execute ▪ Update DEPLOY ▪ Secure ▪ Comply ▪ Audit ▪ Measure ▪ Log MANAGE Infrastructure Automation Compliance AutomationApplication Automation OSS AUTOMATION ENGINES Increase Speed ▪ Package infrastructure and app configuration as code ▪ Continuously automate infrastructure and app updates Improve Efficiency ▪ Define and execute standard workflows and automation ▪ Audit and measure effectiveness of automation Decrease Risk ▪ Define compliance rules as code ▪ Deliver continuous compliance as part of standard workflow
INSPEC DEMO
InSpec Azure •https://github.com/chef/inspec-azure •Uses Azure Ruby SDK •~/.azure/credentials •http://seththoenen.com/cloud-inspec/getting-started-azure
InSpec Azure azure_resource_group azure_virtual_machine azure_virtual_machine_datadisks
azure_resource_group control 'azure-1' do impact 1.0 title 'Checks that there is only one storage account in the resource group' describe azure_resource_group(name: 'MyResourceGroup').where { type == 'Microsoft.Storage/storageAccounts' }.entries do its('count') { should eq 1 } end end
azure_virtual_machine control 'azure-1' do impact 1.0 title 'Make sure Ubuntu Servers are built from an Ubuntu template' describe azure_virtual_machine(name: '[YOUR VM NAME]', resource_group: '[YOUR RESOURCE GROUP]') do its('sku') { should eq '16.04.0-LTS' } its('publisher') { should eq 'Canonical' } its('offer') { should eq 'UbuntuServer' } end end
Melbourne Chef Meetup: Automating Azure Compliance with InSpec

More Related Content

PDF
Machine learning services with SQL Server 2017
byMark Tabladillo
 
PPTX
Extending Windows Admin Center to manage your applications and infrastructure...
byMicrosoft Tech Community
 
PDF
Database-as-a-Service with Oracle Enterprise Manager Cloud Control 12c and Or...
byLeighton Nelson
 
PPTX
Bootcamp 2017 - SQL Server on Linux
byMaximiliano Accotto
 
PPTX
Improvements in Hadoop Security
byDataWorks Summit
 
PPTX
Nordic infrastructure Conference 2017 - SQL Server on Linux Overview
byTravis Wright
 
PPTX
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
byKevin Minder
 
PPTX
Apache Knox - Hadoop Security Swiss Army Knife
byDataWorks Summit
 
Machine learning services with SQL Server 2017
byMark Tabladillo
 
Extending Windows Admin Center to manage your applications and infrastructure...
byMicrosoft Tech Community
 
Database-as-a-Service with Oracle Enterprise Manager Cloud Control 12c and Or...
byLeighton Nelson
 
Bootcamp 2017 - SQL Server on Linux
byMaximiliano Accotto
 
Improvements in Hadoop Security
byDataWorks Summit
 
Nordic infrastructure Conference 2017 - SQL Server on Linux Overview
byTravis Wright
 
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
byKevin Minder
 
Apache Knox - Hadoop Security Swiss Army Knife
byDataWorks Summit
 

What's hot

PPTX
Breaching the 100TB Mark with SQL Over Hadoop
byDataWorks Summit
 
PPTX
Overview of HDFS Transparent Encryption
byCloudera, Inc.
 
PPTX
Oracle database 12c_and_DevOps
byMaria Colgan
 
PPTX
Pass Summit Linux Scripting for the Microsoft Professional
byKellyn Pot'Vin-Gorman
 
PDF
Securing oracle e-business suite 12.1 and 12.2 technology infrastructure
byvasuballa
 
PDF
Database Provisioning in EM12c: Provision me a Database Now!
byMaaz Anjum
 
PPTX
PASS Summit 2020
byKellyn Pot'Vin-Gorman
 
PPTX
Data Analytics Using Container Persistence Through SMACK - Manny Rodriguez-Pe...
by{code} by Dell EMC
 
PPTX
Open Source Security Tools for Big Data
byRommel Garcia
 
PDF
Mysql Enterprise Edition Feature and Tools
byjones4u
 
PPT
Hadoop Security Architecture
byOwen O'Malley
 
PPTX
Managing enterprise users in Hadoop ecosystem
byDataWorks Summit
 
PDF
Nl HUG 2016 Feb Hadoop security from the trenches
byBolke de Bruin
 
PDF
Keep remote desktop power users productive with Dell EMC PowerEdge R840 serve...
byPrincipled Technologies
 
PPTX
Hdp security overview
byHortonworks
 
PPTX
Hadoop REST API Security with Apache Knox Gateway
byDataWorks Summit
 
PPT
Deploying Big-Data-as-a-Service (BDaaS) in the Enterprise
byBig-Data-as-a-Service (BDaaS) Meetup
 
PDF
TriHUG October: Apache Ranger
bytrihug
 
PPTX
Hadoop security
byShivaji Dutta
 
PPTX
Hadoop and Kerberos: the Madness Beyond the Gate: January 2016 edition
bySteve Loughran
 
Breaching the 100TB Mark with SQL Over Hadoop
byDataWorks Summit
 
Overview of HDFS Transparent Encryption
byCloudera, Inc.
 
Oracle database 12c_and_DevOps
byMaria Colgan
 
Pass Summit Linux Scripting for the Microsoft Professional
byKellyn Pot'Vin-Gorman
 
Securing oracle e-business suite 12.1 and 12.2 technology infrastructure
byvasuballa
 
Database Provisioning in EM12c: Provision me a Database Now!
byMaaz Anjum
 
PASS Summit 2020
byKellyn Pot'Vin-Gorman
 
Data Analytics Using Container Persistence Through SMACK - Manny Rodriguez-Pe...
by{code} by Dell EMC
 
Open Source Security Tools for Big Data
byRommel Garcia
 
Mysql Enterprise Edition Feature and Tools
byjones4u
 
Hadoop Security Architecture
byOwen O'Malley
 
Managing enterprise users in Hadoop ecosystem
byDataWorks Summit
 
Nl HUG 2016 Feb Hadoop security from the trenches
byBolke de Bruin
 
Keep remote desktop power users productive with Dell EMC PowerEdge R840 serve...
byPrincipled Technologies
 
Hdp security overview
byHortonworks
 
Hadoop REST API Security with Apache Knox Gateway
byDataWorks Summit
 
Deploying Big-Data-as-a-Service (BDaaS) in the Enterprise
byBig-Data-as-a-Service (BDaaS) Meetup
 
TriHUG October: Apache Ranger
bytrihug
 
Hadoop security
byShivaji Dutta
 
Hadoop and Kerberos: the Madness Beyond the Gate: January 2016 edition
bySteve Loughran
 

Similar to Melbourne Chef Meetup: Automating Azure Compliance with InSpec

PDF
Automating AWS Compliance with InSpec
byMatt Ray
 
PDF
Automating Compliance with InSpec - AWS North Sydney
byMatt Ray
 
PDF
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
byAgileNZ Conference
 
PPTX
Compliance Automation with Inspec Part 2
byChef
 
PDF
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
byMatt Ray
 
PDF
Bay Area Chef Meetup February
byJessica DeVita
 
PDF
Philly security shell meetup
byNicole Johnson
 
PDF
2016 - Compliance as Code - InSpec
bydevopsdaysaustin
 
PDF
Compliance as Code
byMatt Ray
 
PDF
Compliance as Code with InSpec - DevOps Melbourne 2017
byMatt Ray
 
PPTX
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
byadamleff
 
PPTX
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
 
PDF
Compliance as Code Everywhere
byMatt Ray
 
PPTX
Adding Security and Compliance to Your Workflow with InSpec
byMandi Walls
 
PPTX
InSpec - June 2018 at Open28.be
byMandi Walls
 
PDF
Inspec: Turn your compliance, security, and other policy requirements into au...
byKangaroot
 
PPTX
2019 Chef InSpec Jumpstart Part 1 of 2
byLarry Eichenbaum
 
PPTX
InSpec at DevOps ATL Meetup January 22, 2020
byMandi Walls
 
PDF
Automating Compliance with InSpec - Chef Singapore Meetup
byMatt Ray
 
PDF
Melbourne Infracoders: Compliance as Code with InSpec
byMatt Ray
 
Automating AWS Compliance with InSpec
byMatt Ray
 
Automating Compliance with InSpec - AWS North Sydney
byMatt Ray
 
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
byAgileNZ Conference
 
Compliance Automation with Inspec Part 2
byChef
 
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
byMatt Ray
 
Bay Area Chef Meetup February
byJessica DeVita
 
Philly security shell meetup
byNicole Johnson
 
2016 - Compliance as Code - InSpec
bydevopsdaysaustin
 
Compliance as Code
byMatt Ray
 
Compliance as Code with InSpec - DevOps Melbourne 2017
byMatt Ray
 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
byadamleff
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
byAlert Logic
 
Compliance as Code Everywhere
byMatt Ray
 
Adding Security and Compliance to Your Workflow with InSpec
byMandi Walls
 
InSpec - June 2018 at Open28.be
byMandi Walls
 
Inspec: Turn your compliance, security, and other policy requirements into au...
byKangaroot
 
2019 Chef InSpec Jumpstart Part 1 of 2
byLarry Eichenbaum
 
InSpec at DevOps ATL Meetup January 22, 2020
byMandi Walls
 
Automating Compliance with InSpec - Chef Singapore Meetup
byMatt Ray
 
Melbourne Infracoders: Compliance as Code with InSpec
byMatt Ray
 

More from Matt Ray

PDF
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
byMatt Ray
 
PDF
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
byMatt Ray
 
PDF
SCaLE 20X: Kubernetes Cloud Cost Monitoring with OpenCost & Optimization Stra...
byMatt Ray
 
PDF
HashiTalks 2020 - Chef Tools & Terraform: Better Together
byMatt Ray
 
PDF
EmacsConf 2019: Interactive Remote Debugging and Development with TRAMP Mode
byMatt Ray
 
PDF
Wellington DevOps: Bringing Your Applications into the Future with Habitat
byMatt Ray
 
PDF
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...
byMatt Ray
 
PDF
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...
byMatt Ray
 
PDF
DevOpsDays Jakarta: State of DevOps 2018
byMatt Ray
 
PDF
DevOps Talks Melbourne 2018: Whales, Cats and Kubernetes
byMatt Ray
 
PDF
Infrastructure and Compliance Delight with Chef Automate
byMatt Ray
 
PDF
Cooking Up Windows with Chef Automate
byMatt Ray
 
PDF
DevOpsDays Singapore Habitat Ignite
byMatt Ray
 
PDF
Chef Automate - Azure Sydney User Group
byMatt Ray
 
PDF
Automating Applications with Habitat - Sydney Cloud Native Meetup
byMatt Ray
 
PDF
Chef Automate - Infracoders Canberra August 8, 2017
byMatt Ray
 
PDF
OpsWorks for Chef Automate - Auckland AWS
byMatt Ray
 
PDF
Chef Automate - Wellington DevOps August 2, 2017
byMatt Ray
 
PDF
Compliance as Code: Shifting Compliance Left in Continuous Delivery
byMatt Ray
 
PDF
DevOps Sydney: Chef Automate
byMatt Ray
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
byMatt Ray
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
byMatt Ray
 
SCaLE 20X: Kubernetes Cloud Cost Monitoring with OpenCost & Optimization Stra...
byMatt Ray
 
HashiTalks 2020 - Chef Tools & Terraform: Better Together
byMatt Ray
 
EmacsConf 2019: Interactive Remote Debugging and Development with TRAMP Mode
byMatt Ray
 
Wellington DevOps: Bringing Your Applications into the Future with Habitat
byMatt Ray
 
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...
byMatt Ray
 
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...
byMatt Ray
 
DevOpsDays Jakarta: State of DevOps 2018
byMatt Ray
 
DevOps Talks Melbourne 2018: Whales, Cats and Kubernetes
byMatt Ray
 
Infrastructure and Compliance Delight with Chef Automate
byMatt Ray
 
Cooking Up Windows with Chef Automate
byMatt Ray
 
DevOpsDays Singapore Habitat Ignite
byMatt Ray
 
Chef Automate - Azure Sydney User Group
byMatt Ray
 
Automating Applications with Habitat - Sydney Cloud Native Meetup
byMatt Ray
 
Chef Automate - Infracoders Canberra August 8, 2017
byMatt Ray
 
OpsWorks for Chef Automate - Auckland AWS
byMatt Ray
 
Chef Automate - Wellington DevOps August 2, 2017
byMatt Ray
 
Compliance as Code: Shifting Compliance Left in Continuous Delivery
byMatt Ray
 
DevOps Sydney: Chef Automate
byMatt Ray
 

Recently uploaded

PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
The year in review - MarvelClient in 2025
bypanagenda
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
The Landscape of Computer Software Development Companies
byYash Singh
 

Melbourne Chef Meetup: Automating Azure Compliance with InSpec

  • 1.
    Automating Azure Compliancewith InSpec Chef Melbourne June 26, 2017
  • 2.
    Matt Ray Manager, SolutionsArchitect – APJ Chef Software matt@chef.io @mattray
  • 4.
  • 7.
    SSH Control "SSH supportstwo different protocol versions.The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
  • 8.
    How will Iverify this?
  • 9.
    Whip up aone-liner! grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
  • 10.
    Apache Server InformationLeakage • Description This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OSType of the Server. This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. • How toTest In order to test for ServerToken configuration, one should check the Apache configuration file. • Misconfiguration ServerTokens Full • Remediation Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.This tells Apache to only return "Apache" in the Server header, returned on every page request. ServerTokens Prod or ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache
  • 11.
    More grep andsed! grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
  • 17.
  • 19.
    Two-thirds of organizationsdid not adequately test the security of all in-scope systems
  • 20.
    Key Trends • Whileindividual rule compliance is up, testing of security systems is down • Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
  • 22.
    Shell Scripts grep "^Protocol"/etc/ssh/sshd_config | sed 's/Protocol //' grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
  • 23.
    Infrastructure Code package 'httpd'do action :install end service 'httpd' do action [ :start, :enable ] end
  • 24.
    We Have ACommunications Problem
  • 26.
  • 27.
  • 34.
  • 35.
  • 36.
  • 37.
  • 38.
    One Language Linux,Windows, BSD,Solaris,AIX, HP-UX, ...
  • 39.
    Examples of AvailableResources apache_conf apt audit_policy auditd_conf auditd_rules bond bridge command crontab directory etc_group file gem group host inetd_conf interface iptables kernel_module kernel_parameter limits_conf login_defs mount mysql_conf mysql_session npm ntp_conf oneget os os_env package parse_config parse_config_file passwd pip port postgres_conf postgres_session powershell processes registry_key security_policy service ssh_config sshd_config user windows_feature yum
  • 40.
    What is itnot? • IDS / IPS • Firewall • Antivirus • Pentesting tool
  • 41.
    One Language Linux,Windows, BSD,Solaris,AIX, HP-UX, ... Bare-metal
  • 42.
    One Language Linux,Windows, BSD,Solaris,AIX, HP-UX, ... Bare-metal,VMs
  • 43.
    One Language Linux,Windows, BSD,Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers
  • 44.
    One Language Linux,Windows, BSD,Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes
  • 45.
    One Language Linux,Windows, BSD,Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes, Databases
  • 46.
  • 47.
    One Language Linux,Windows, BSD,Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes, Databases,APIs
  • 48.
  • 49.
    InSpec > inspec exectest.rb Test a machine remotely via SSH > inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1 Test your machine locally > inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super Test Docker Container > inspec exec test.rb -t docker://5cc8837bb6a8 Test a machine remotely via WinRM AGENTLESS
  • 50.
    Operating System &Application Coverage • Microsoft Windows • Red Hat Enterprise Linux • Ubuntu Linux • SUSE Linux Enterprise Server • Oracle Enterprise Linux • AIX • HP-UX • Solaris • VMware ESXi • MySQL • Oracle • PostgreSQL • Tomcat • SQL Server • IIS • HTTP request
  • 51.
    One Language Linux,Windows, BSD,Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes, Databases,APIs, Cloud Platforms
  • 52.
    One Language Linux,Windows, BSD,Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes, Databases,APIs, Cloud Platforms, ...
  • 53.
    Open Source Community •InSpec •https://inspec.io •ChefAudit cookbook •https://github.com/chef-cookbooks/audit •Kitchen-InSpec •https://github.com/chef/kitchen-inspec •Supermarket.chef.io •#inspec in
  • 54.
    Scan for Compliance Build &Test Locally Build & Test CI/CD Remediate Verify New Workflow
  • 55.
    CONTINUOUS COMPLIANCE AUTOMATION InSpec- Part of your InfoSec toolchain FIREWALL ANTIVIRUS INTRUSION DETECTION/ PREVENTION PENETRATION TESTING
  • 56.
    The Chef AutomatePlatform Continuous Automation for High Velocity IT Workflow • Local development • Integration • Tooling (APIs & SDKs) COLLABORATE ▪ Package ▪ Test ▪ Approve BUILD ▪ Provision ▪ Configure ▪ Execute ▪ Update DEPLOY ▪ Secure ▪ Comply ▪ Audit ▪ Measure ▪ Log MANAGE Infrastructure Automation Compliance AutomationApplication Automation OSS AUTOMATION ENGINES Increase Speed ▪ Package infrastructure and app configuration as code ▪ Continuously automate infrastructure and app updates Improve Efficiency ▪ Define and execute standard workflows and automation ▪ Audit and measure effectiveness of automation Decrease Risk ▪ Define compliance rules as code ▪ Deliver continuous compliance as part of standard workflow
  • 58.
  • 59.
    InSpec Azure •https://github.com/chef/inspec-azure •Uses AzureRuby SDK •~/.azure/credentials •http://seththoenen.com/cloud-inspec/getting-started-azure
  • 60.
  • 61.
    azure_resource_group control 'azure-1' do impact1.0 title 'Checks that there is only one storage account in the resource group' describe azure_resource_group(name: 'MyResourceGroup').where { type == 'Microsoft.Storage/storageAccounts' }.entries do its('count') { should eq 1 } end end
  • 62.
    azure_virtual_machine control 'azure-1' do impact1.0 title 'Make sure Ubuntu Servers are built from an Ubuntu template' describe azure_virtual_machine(name: '[YOUR VM NAME]', resource_group: '[YOUR RESOURCE GROUP]') do its('sku') { should eq '16.04.0-LTS' } its('publisher') { should eq 'Canonical' } its('offer') { should eq 'UbuntuServer' } end end