ChefConf 2017 InSpec 2 Announcement

Transcript

1. InSpec Update

2. Compliance Automation

3. Digital Transformation is taking over IT 71% DevOps adoption IT

   Professionals think InfoSec inhibits speed 81% 77% InfoSec experts believe this too! Rightscale, State of Cloud Gartner, How to seamlessly integrate Security into DevOps

4. Know your security stance Faulty assumptions

5. None

6. • Prevent insecure production env. • Report and alert continuously

   • Provide proof Know your security stance Faulty assumptions

7. InSpec turns infrastructure testing, compliance and security requirements into code

8. Documentation SSH supports two different protocol versions. The original version,

   SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

9. describe sshd_config do its('Protocol') { should eq('2') } end Test

   a requirement

10. Compliance Language control 'sshd-10' do impact 1.0 title 'Server: Specify

    protocol version 2' desc "Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore." describe sshd_config do its('Protocol') { should eq('2') } end end

11. SECURITY DEVOPS COMPLIANCE Shared Tooling & Language

12. Achievements

13. Project Health 119 releases (once a week) 19 days Issue

    resolution time 108 Contributors 657 Stars

14. Built-in Resources apache apache_conf apt audit_policy auditd_conf auditd_rules bash bond

    bridge bsd_service command crontab csv dh_params directory docker docker_container docker_image etc_group file gem group groups grub_conf host http iis_site iis_website inetd_conf ini interface iptables json kernel_module kernel_parameter key_rsa launchd_service limits_conf login_defs mount mssql_session mysql mysql_conf mysql_session npm ntp_conf oneget oracledb_session os os_env package packages parse_config parse_config_file passwd pip port postgres postgres_conf postgres_session powershell ppa processes rabbitmq_config registry_key runit_service script security_policy service shadow ssh_config sshd_config ssl sys_info systemd_service sysv_service upstart_service user users vbscript windows_feature windows_registry_key windows_task wmi x509_certificate xinetd_conf yaml yum yumrepo zfs_dataset zfs_pool https://www.inspec.io/docs/reference/resources/

15. Operating Systems Support Amazon Linux 2014.09 / 2015.03 CentOS 6

    / 7 HP UX 11i IBM AIX 5.3 / 6.1 / 7.1 RHEL 6 / 7 SLES 11 / 12 Ubuntu Server 12.04 / 14.04 / 16.04 Windows 7 / 8 / 10 / 2012 / 2012R2 / 2016 / Nano

16. Database Testing control 'postgres-05' do impact 1.0 title 'Set a

    password for each user' desc 'It tests for usernames which does not set a password.' describe postgres_session(USER, PASSWORD).query( 'SELECT count(*) FROM pg_shadow WHERE passwd IS NULL;') do its('output') { should eq '0' } end end

17. Intelliment Security control 'nw03' do title 'All internet connections must

    be terminated in the DMZ' describe(internet_connections.where { destination['network']['name'] !~ /dmz/i }) do it { should be_empty } end end intellimentsec.com

18. InSpec Profile Management CIS Benchmark Acme Inc CIS Benchmark include_controls

    ’cis-benchmark’ depends: - name: linux-patch-baseline

19. Docker Support CIS Docker Baseline available at: github.com/dev-sec/cis-docker-benchmark # returns

    all running container ids docker.containers.running?.ids.each do |id| # retrieve detailed container information describe docker.object(id) do its('HostConfig.Privileged') { should cmp false } end end

20. InSpec Outlook

21. Infrastructure

22. chef/inspec-vmware chef/inspec-azure chef/inspec-aws InSpec for Platforms

23. The InSpec AWS contributors at D2L: Alex Bedley, Miles Tjandrawidjaja,

    Jeff Lyons, Chris Redekop, Viktor Yakovlyev, Steffanie Freeman, Simon Varlow “With InSpec for AWS, we can verify that our AWS environment is as we expect and that our resources are secure. Our AWS controls integrate with InSpec to provide a holistic view of our infrastructure. That’s why we contribute to InSpec AWS.” InSpec for Platforms

24. InSpec for AWS describe aws_iam_user(’iam_user') do its('has_mfa_enabled?') { should be

    false } its('has_console_password?') { should be false } end

25. InSpec for Azure describe azure_virtual_machine(name: 'Linux-Internal-VM', resource_group: 'Inspec-Azure') do its('sku')

    { should eq '16.04.0-LTS' } its('publisher') { should eq 'Canonical' } its('offer') { should eq 'UbuntuServer' } its('size') { should eq 'Standard_DS2_v2' } its('location') { should eq 'westeurope' } its('admin_username') { should eq 'azure' } end

26. InSpec for VmWare control 'vmware-7.3.3' do impact 0.7 title 'Ensure

    that the vSwitch Promiscuous Mode policy is set to reject.' describe vmhost_vswitch(datacenter: 'vm001', host: 'localhost.localdomain',vswitch: 'vSwitch0') do its('allowPromiscuous') { should be false } end end

27. InSpec Community

28. InSpec Supermarket $ inspec supermarket profiles == Available profiles: *

    apache2-compliance-test-tthompson thompsontelmate/apache2-compliance-test-tthompson * Apache DISA STIG som3guy/apache-disa-stig * chef-alfresco-inspec-mysql alfresco/chef-alfresco-inspec-mysql * chef-alfresco-inspec-tomcat alfresco/chef-alfresco-inspec-tomcat * chef-client-hardening sliim/chef-client-hardening * CIS Docker Benchmark dev-sec/cis-docker-benchmark * CVE-2016-5195 ndobson/cve-2016-5195 * DevSec Apache Baseline dev-sec/apache-baseline * DevSec Linux Baseline dev-sec/linux-baseline

29. DevSec Project dev-sec.io • Linux Baseline • Windows Baseline •

    Linux Patch Baseline • Windows Patch Baseline • SSL / TLS Baseline • SSH Baseline • Apache Baseline • Nginx Baseline • MySQL Baseline • Postgres Baseline • OpenStack Baseline

30. Join github.com/chef/inspec Get Involved!

31. None