This document discusses Chef Compliance and how it helps with security and DevOps for organizations that move quickly. It introduces InSpec, an open source framework that allows defining infrastructure compliance and security checks as code. With InSpec, compliance checks can be automated and run continuously alongside infrastructure code. Traditional compliance is time-consuming and separate from development workflows, but defining compliance specifications in InSpec code allows integrating compliance into DevOps pipelines for continuous verification.

1. CHEF COMPLIANCE
SECURITY AND DEVOPS FOR HIGH VELOCITY ORGANIZATIONS

2. $> whoarewe
Christoph Hartmann
Engineering Manager at Chef
 @chri_hartmann
 chris-rock
 chartmann@chef.io
Dominik Richter
Product Manager at Chef
 @arlimus
 arlimus

3.  drichter@chef.io
THE PROMISE OF THE CODED BUSINESS

4. WHAT IS CHEF?

5. DEVOPS AUTOMATION FROM
CONCEPTION TO PRODUCTION.

6. WHAT IS COMPLIANCE?
19:20:08

7. COMPLIANCE AS CODE.

8. WHAT IS IT NOT?
(H)IDS / IPS
Firewall
AntiVirus
Pentesting tool

9. COMPLIANCE AS CODE.

10. TRADITIONAL COMPLIANCE

11. DEV & OPS SET UP AN APP

12. SECURITY MEETS OPERATIONS

18. DOCUMENTATION
SSH supports two different protocol versions. The original
version, SSHv1, was subject to a number of security issues.
Please use SSHv2 instead to avoid these.

19. SCRIPTING TOOLS
> grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
2

20. COMPLIANCE LANGUAGE
describe sshd_config do
its('Protocol') { should cmp 2 }
end

21. INSPEC

22. COMPLIANCE LANGUAGE
control 'ssh-1234' do
impact 1.0
title 'Server: Set protocol version to SSHv2'
desc "
Set the SSH protocol version to 2. Don't use legacy
insecure SSHv1 connections anymore...
"
describe sshd_config do
its('Protocol') { should eq('2') }
end
end

23. ONE LANGUAGE
Linux, Windows, BSD, Solaris, AIX, ...

24. WINDOWS
control 'windows-base-201' do
impact 1.0
title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
desc '
@link: http://support.microsoft.com/en-us/kb/823659
'
describe registry_key('HKLMSystemCurrentControlSetControlLsa') do
it { should exist }
its('LmCompatibilityLevel') { should eq 4 }
end
end

25. ONE LANGUAGE
Linux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers

26. inspec exec test.rb
.
Finished in 0.00228 seconds (files took 1.95 seconds to load)
1 example, 0 failures
TINY HOWTO

27. inspec exec test.rb
inspec exec /path/to/profile
inspec exec github.com/chef/some-profile.git
TINY HOWTO

28. TEST YOUR LOCAL NODE
inspec exec test.rb

29. TEST REMOTE VIA SSH
inspec exec test.rb -i vagrant.key -t ssh://root@172.17.0.1:11022
no Ruby / agent on the node

30. TEST REMOTE VIA WINRM
inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super
no Ruby / agent on the node

31. TEST DOCKER CONTAINER
inspec exec test.rb -t docker://3cc8837bb6a8
no SSH / agent on the container

32. ANATOMY OF A CONTAINER TEST
describe package('wget') do
it { should be_installed }
end
describe file('/fetch-all.sh') do
it { should be_file }
its('owner') { should eq 'root' }
its('mode') { should eq 0640 }
end

33. ANATOMY OF A CONTAINER TEST
inspec exec dtest.rb -t docker://f02e
....
Finished in 0.1537 seconds (files took 1.77 seconds to load)
4 examples, 0 failures

34. ONE LANGUAGE
Linux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, DBs, Endpoints, APIs (AWS, ...)

35. DB TESTING
describe mysql_session.query("SELECT user, host FROM mysql.user WHERE host = '%'
its(:stdout) { should be empty }
end

36. AWS TESTING
Vpc.new(id: 'vpc_id').security_groups.each do |security_group|
describe security_group do
it { should_not have_ingress_rule().with_source('0.0.0.0/0') }
end
end

37. CIS AND SCAP

38. GREAT SECURITY BENCHMARKS

39. GREAT COVERAGE
Red Hat Enterprise Linux, Ubuntu, SUSE, Oracle Linux, ...
Microsoft Windows 7, 8, Server 2008, 2012
IBM AIX, HP-UX, VMware ESXi
Oracle MySQL, Apache Tomcat, MS SQL Server, MS IIS

40. WRITTEN IN XML
<definition class="compliance" id="oval:org.cisecurity.benchmarks.o_centos_centos:def:1190" version="1">
<metadata>
<title>Set SSH Protocol to 2</title>
<affected family="unix">
<product>CentOS Linux 6</product>
</affected>
<reference ref_id="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2" ref_url="http://benchmarks.cisecur
<description>Set SSH Protocol to 2</description>
</reference></metadata>
<criteria operator="AND">
<criterion negate="false" test_ref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10191">
</criterion></criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure 'Protocol' sshd config parame
<ind:object object_ref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10193">
<ind:state state_ref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10084">
</ind:state></ind:object></ind:textfilecontent54_test>
<ind:textfilecontent54_object comment="Ensure 'Protocol' sshd config parameter equals 2 (string)" id="oval:org.cisecurity.b
<ind:filepath>/etc/ssh/sshd_config</ind:filepath>
<ind:pattern operation="pattern match">^s*Protocols+(S+)s*(?:#.*)?$</ind:pattern>
<ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_state comment="Ensure 'Protocol' sshd config parameter equals 2 (string)" id="oval:org.cisecurity.be
<ind:subexpression datatype="string" operation="equals" var_ref="oval:org.cisecurity.benchmarks.o_centos_centos:var:1190"
</ind:subexpression></ind:textfilecontent54_state>
Source and Copyright: Center for Internet Security

41. CONVERTED TO INSPEC
control "xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2"
title "Set SSH Protocol to 2"
desc "SSH supports two different and incompatible protocols: SSH1 and SSH2. S
impact 1.0
describe file("/etc/ssh/sshd_config") do
its(:content) { should match /^s*Protocols+(S+)s*(?:#.*)?$/ }
end
file("/etc/ssh/sshd_config").content.to_s.scan(/^s*Protocols+(S+)s*(?:#.*)
describe entry do
it { should eq "2" }
end
end
end

42. NATIVE INSPEC
control "xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2"
title "Set SSH Protocol to 2"
desc "SSH supports two different and incompatible protocols: SSH1 and SSH2. S
impact 1.0
describe sshd_config do
its('Protocol') { should cmp 2 }
end
end

44. PROFILE FOUNDATION

45. MAKE ADJUSTMENTS

46. NATIVE INSPEC
include_control "cis/cis-centos6-lvl1" do
skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_o
skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_et
control "xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server" do
impact 1.0
end
end
control "my-own-1" ...

47. SPREAD TO OTHER ENVIRONMENTS

48. COMPLIANCE AS CODE.

49. COMPETITIVE ADVANTAGE
BOOK: THE HIGH VELOCITY EDGE - STEVEN J. SPEARS

50. SAFETY AT VELOCITY
Risk reduction when constantly changing your systems
As part of the work ow. Not after, not later.
Test for quality, Test for compliance

51. TRADITIONAL WORKFLOW

52. CREATE NEW ARTIFACTS

53. TO REACH PRODUCTION

55. DEVOPS WORKFLOW

57. CREATE AND TEST EARLY ON

60. TEST CONTINUOUSLY

62. DEPLOY, OPERATE, VERIFY

64. ONE WORKFLOW CYCLE

65. FULL WORKFLOW

66. FIXING THE COMPLIANCE CYCLE

67. COMPLIANCE AS CODE.

68. JOIN INSPEC

GITHUB.COM/CHEF/INSPEC
GITTER.IM/CHEF/INSPEC

69. INSPEC 1.0
Dependencies
Attributes

70. THANK YOU
 @chri_hartmann
 chris-rock
 chartmann@chef.io
 @arlimus
 arlimus
 drichter@chef.io