ChefConf 2017 InSpec 2 Announcement

InSpec's announcement slides as presented by Christoph Hartmann in Adam Jacob's keynote.

Christoph Hartmann

May 23, 2017

Transcript

  1. InSpec Update

  2. Compliance Automation

  3. Digital Transformation is taking over IT
    71% DevOps adoption (Rightscale, State of Cloud)
    81% of IT professionals think InfoSec inhibits speed
    77% of InfoSec experts believe this too!
    (Gartner, How to seamlessly integrate Security into DevOps)

  4. Know your security stance
    Faulty assumptions

  6. • Prevent insecure production env.
    • Report and alert continuously
    • Provide proof
    Know your security stance
    Faulty assumptions

  7. InSpec turns infrastructure testing, compliance
    and security requirements into code

  8. Documentation
    SSH supports two different protocol versions. The original
    version, SSHv1, was subject to a number of security issues.
    Please use SSHv2 instead to avoid these.

  9. Test a requirement
    describe sshd_config do
      its('Protocol') { should eq('2') }
    end

  10. Compliance Language
    control 'sshd-10' do
      impact 1.0
      title 'Server: Specify protocol version 2'
      desc "Only SSH protocol version 2 connections should be permitted.
            Version 1 of the protocol contains security vulnerabilities.
            Don't use legacy insecure SSHv1 connections anymore."
      describe sshd_config do
        its('Protocol') { should eq('2') }
      end
    end
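    Added example, not code from the slides or from the InSpec project: a minimal sshd_config reader in plain Ruby that evaluates the `Protocol` expectation from slides 9 and 10 against constructed config text, so the check can be reasoned about without InSpec installed. It models two rules of sshd itself (first value of a keyword wins; keywords after a `Match` line are conditional) and reports an absent directive separately, since newer sshd builds without SSHv1 support leave `Protocol` out entirely.

```ruby
# Added example (not from the slides): a minimal sshd_config reader that
# evaluates the `its('Protocol') { should eq('2') }` expectation against
# plain text. Two sshd rules are modelled:
#  * for each keyword sshd uses the FIRST value it reads, so a later
#    `Protocol 2` cannot repair an earlier `Protocol 2,1`;
#  * keywords after a `Match` line are conditional, so the global
#    view stops reading at the first `Match` block.
class SshdConfig
  attr_reader :params

  def initialize(text)
    @params = {}
    text.each_line do |raw|
      line = raw.strip
      next if line.empty? || line.start_with?('#')   # blank or comment
      key, value = line.split(/\s+|\s*=\s*/, 2)     # "Key value" or "Key=value"
      key = key.downcase                             # keywords are case-insensitive
      break if key == 'match'                        # conditional section begins
      @params[key] ||= value                         # first occurrence wins
    end
  end

  # Effective value of a keyword, or nil when it is not set at all.
  def [](name)
    @params[name.downcase]
  end
end

# The 'sshd-10' check from the slides as a function. Returns :pass,
# :fail, or :not_set. :not_set is reported separately because sshd builds
# without SSHv1 support leave Protocol out entirely, and a control should
# decide explicitly whether an absent directive is acceptable.
def check_protocol_v2(config_text)
  value = SshdConfig.new(config_text)['Protocol']
  return :not_set if value.nil?
  value == '2' ? :pass : :fail
end

# Constructed sample configs, not taken from any real host.
SAMPLE_OK      = "# hardened\nPort 22\nProtocol 2\nMatch User git\n  Protocol 2,1\n"
SAMPLE_LEGACY  = "Protocol 2,1\nProtocol 2\n"   # first value wins, so this fails
SAMPLE_MISSING = "Port 22\nPermitRootLogin no\n"

if __FILE__ == $PROGRAM_NAME
  puts check_protocol_v2(SAMPLE_OK)       # pass
  puts check_protocol_v2(SAMPLE_LEGACY)   # fail
  puts check_protocol_v2(SAMPLE_MISSING)  # not_set
end
```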

  11. SECURITY
    DEVOPS
    COMPLIANCE
    Shared Tooling & Language

  12. Achievements

  13. Project Health
    119 releases (once a week)
    19 days issue resolution time
    108 contributors, 657 stars

  14. Built-in Resources
    apache apache_conf apt audit_policy
    auditd_conf auditd_rules bash bond
    bridge bsd_service command crontab
    csv dh_params directory docker
    docker_container docker_image etc_group file
    gem group groups grub_conf
    host http iis_site iis_website
    inetd_conf ini interface iptables
    json kernel_module kernel_parameter key_rsa
    launchd_service limits_conf login_defs mount
    mssql_session mysql mysql_conf mysql_session
    npm ntp_conf oneget oracledb_session
    os os_env package packages
    parse_config parse_config_file passwd pip
    port postgres postgres_conf postgres_session
    powershell ppa processes rabbitmq_config
    registry_key runit_service script security_policy
    service shadow ssh_config sshd_config
    ssl sys_info systemd_service sysv_service
    upstart_service user users vbscript
    windows_feature windows_registry_key windows_task wmi
    x509_certificate xinetd_conf yaml yum
    yumrepo zfs_dataset zfs_pool
    https://www.inspec.io/docs/reference/resources/

  15. Operating Systems Support
    Amazon Linux 2014.09 / 2015.03
    CentOS 6 / 7
    HP-UX 11i
    IBM AIX 5.3 / 6.1 / 7.1
    RHEL 6 / 7
    SLES 11 / 12
    Ubuntu Server 12.04 / 14.04 / 16.04
    Windows 7 / 8 / 10 / 2012 / 2012R2 / 2016 / Nano

  16. Database Testing
    control 'postgres-05' do
      impact 1.0
      title 'Set a password for each user'
      desc 'It tests for usernames which do not set a password.'
      # USER and PASSWORD are the connection credentials supplied by the profile
      describe postgres_session(USER, PASSWORD).query(
        'SELECT count(*) FROM pg_shadow WHERE passwd IS NULL;') do
        its('output') { should eq '0' }
      end
    end

  17. Intelliment Security (intellimentsec.com)
    control 'nw03' do
      title 'All internet connections must be terminated in the DMZ'
      describe(internet_connections.where {
        destination['network']['name'] !~ /dmz/i }) do
        it { should be_empty }
      end
    end

  18. InSpec Profile Management
    (diagram: the Acme Inc profile builds on the CIS Benchmark profile)
    include_controls 'cis-benchmark'
    depends:
      - name: linux-patch-baseline

  19. Docker Support
    CIS Docker Baseline available at: github.com/dev-sec/cis-docker-benchmark
    # returns all running container ids
    docker.containers.running?.ids.each do |id|
      # retrieve detailed container information
      describe docker.object(id) do
        its('HostConfig.Privileged') { should cmp false }
      end
    end
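    Added example, not code from the slides or from InSpec: the same privileged-container check evaluated in plain Ruby over a constructed `docker inspect`-style JSON array, showing the two filters the slide's loop relies on (only running containers are considered, and `Privileged` is compared loosely so a string "false" and a boolean false both pass). The `cmp_equal?` helper is an assumption modelled on InSpec's `cmp` matcher, not the matcher itself.

```ruby
require 'json'

# Constructed `docker inspect`-style records, trimmed to the fields the
# check reads; ids and names are made up.
INSPECT_OUTPUT = <<~JSON
  [
    {"Id": "aaa111", "Name": "/web",   "State": {"Running": true},
     "HostConfig": {"Privileged": false}},
    {"Id": "bbb222", "Name": "/agent", "State": {"Running": true},
     "HostConfig": {"Privileged": true}},
    {"Id": "ccc333", "Name": "/old",   "State": {"Running": false},
     "HostConfig": {"Privileged": true}},
    {"Id": "ddd444", "Name": "/legacy", "State": {"Running": true},
     "HostConfig": {"Privileged": "False"}}
  ]
JSON

# Loose comparison in the spirit of InSpec's `cmp` matcher (assumption,
# not InSpec code): a boolean and its string form compare equal,
# case-insensitively. A missing value (nil) never equals false, so an
# absent HostConfig.Privileged is treated as a failure, not a pass.
def cmp_equal?(actual, expected)
  !actual.nil? && actual.to_s.casecmp?(expected.to_s)
end

# Mirrors `docker.containers.running?.ids.each` plus the describe block:
# returns the ids of RUNNING containers whose HostConfig.Privileged is not
# false, i.e. exactly the containers that would fail the control.
def privileged_running_ids(inspect_json)
  JSON.parse(inspect_json)
      .select { |c| c.dig('State', 'Running') == true }
      .reject { |c| cmp_equal?(c.dig('HostConfig', 'Privileged'), false) }
      .map { |c| c['Id'] }
end

puts privileged_running_ids(INSPECT_OUTPUT).inspect   # ["bbb222"]
```

The stopped container "ccc333" is privileged but never reaches the check, which is the same blind spot the slide's `running?` filter has: a stopped privileged container passes until it is started.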

  20. InSpec Outlook

  21. Infrastructure

  22. InSpec for Platforms
    chef/inspec-aws, chef/inspec-azure, chef/inspec-vmware

  23. InSpec for Platforms
    The InSpec AWS contributors at D2L: Alex Bedley, Miles Tjandrawidjaja, Jeff Lyons,
    Chris Redekop, Viktor Yakovlyev, Steffanie Freeman, Simon Varlow
    "With InSpec for AWS, we can verify that our AWS environment is as we expect and
    that our resources are secure. Our AWS controls integrate with InSpec to provide a
    holistic view of our infrastructure. That's why we contribute to InSpec AWS."

  24. InSpec for AWS
    describe aws_iam_user('iam_user') do
      its('has_mfa_enabled?') { should be false }
      its('has_console_password?') { should be false }
    end

  25. InSpec for Azure
    describe azure_virtual_machine(name: 'Linux-Internal-VM',
                                   resource_group: 'Inspec-Azure') do
      its('sku') { should eq '16.04.0-LTS' }
      its('publisher') { should eq 'Canonical' }
      its('offer') { should eq 'UbuntuServer' }
      its('size') { should eq 'Standard_DS2_v2' }
      its('location') { should eq 'westeurope' }
      its('admin_username') { should eq 'azure' }
    end

  26. InSpec for VMware
    control 'vmware-7.3.3' do
      impact 0.7
      title 'Ensure that the vSwitch Promiscuous Mode policy is set to reject.'
      describe vmhost_vswitch(datacenter: 'vm001',
                              host: 'localhost.localdomain',
                              vswitch: 'vSwitch0') do
        its('allowPromiscuous') { should be false }
      end
    end

  27. InSpec Community

  28. InSpec Supermarket
    $ inspec supermarket profiles
    == Available profiles:
    * apache2-compliance-test-tthompson thompsontelmate/apache2-compliance-test-tthompson
    * Apache DISA STIG som3guy/apache-disa-stig
    * chef-alfresco-inspec-mysql alfresco/chef-alfresco-inspec-mysql
    * chef-alfresco-inspec-tomcat alfresco/chef-alfresco-inspec-tomcat
    * chef-client-hardening sliim/chef-client-hardening
    * CIS Docker Benchmark dev-sec/cis-docker-benchmark
    * CVE-2016-5195 ndobson/cve-2016-5195
    * DevSec Apache Baseline dev-sec/apache-baseline
    * DevSec Linux Baseline dev-sec/linux-baseline

  29. DevSec Project (dev-sec.io)
    • Linux Baseline
    • Windows Baseline
    • Linux Patch Baseline
    • Windows Patch Baseline
    • SSL / TLS Baseline
    • SSH Baseline
    • Apache Baseline
    • Nginx Baseline
    • MySQL Baseline
    • Postgres Baseline
    • OpenStack Baseline

  30. Join: github.com/chef/inspec
    Get Involved!
