Digital Transformation is taking over IT

71% DevOps adoption
81% of IT professionals think InfoSec inhibits speed
77% of InfoSec experts believe this too!

Sources: RightScale, State of Cloud; Gartner, How to seamlessly integrate Security into DevOps
Documentation

SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
Compliance Language

control 'sshd-10' do
  impact 1.0
  title 'Server: Specify protocol version 2'
  desc "Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore."
  describe sshd_config do
    its('Protocol') { should eq('2') }
  end
end
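The sshd-10 control above relies on InSpec's sshd_config resource; as an added example (not from the slides, and plain Ruby rather than the InSpec DSL), the following parses sshd_config text directly and applies the same rule, which makes visible why `should eq('2')` also rejects a missing Protocol line and the legacy value "2,1". The sample configurations are constructed for the demonstration.

```ruby
# Added example: a stand-alone check mirroring the 'sshd-10' InSpec control.
require 'set'

# Parse sshd_config text into a hash of lowercased keyword => value.
# Keywords are case-insensitive and the first occurrence wins, as in sshd(8).
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')   # blank lines and comments
    key, value = line.split(/\s*=\s*|\s+/, 2)      # "Key value" or "Key=value"
    next if key.nil? || value.nil?
    settings[key.downcase] ||= value.strip
  end
  settings
end

# Evaluate the sshd-10 rule: pass only when Protocol is exactly "2".
# Returns [status, reason] with status :pass or :fail.
def check_sshd_protocol(text)
  protocol = parse_sshd_config(text)['protocol']
  if protocol.nil?
    return [:fail, 'Protocol not set; the control requires an explicit "2" (OpenSSH before 5.4 defaulted to "2,1")']
  end
  versions = protocol.split(',').map(&:strip).to_set
  return [:pass, 'Protocol 2 only'] if versions == Set['2']
  [:fail, "Protocol #{protocol} still permits SSHv1"]
end

# Constructed sample configurations (not real host data)
GOOD_CONFIG = <<~CFG
  # hardened host
  Port 22
  Protocol 2
  PermitRootLogin no
CFG

LEGACY_CONFIG = <<~CFG
  Protocol 2,1
  Protocol 2
CFG

if __FILE__ == $PROGRAM_NAME
  [GOOD_CONFIG, LEGACY_CONFIG, "Port 22\n"].each do |cfg|
    status, reason = check_sshd_protocol(cfg)
    puts "#{status}: #{reason}"
  end
end
```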
Database Testing

control 'postgres-05' do
  impact 1.0
  title 'Set a password for each user'
  desc 'It tests for usernames that do not have a password set.'
  describe postgres_session(USER, PASSWORD).query('SELECT count(*) FROM pg_shadow WHERE passwd IS NULL;') do
    its('output') { should eq '0' }
  end
end
Intelliment Security

control 'nw03' do
  title 'All internet connections must be terminated in the DMZ'
  describe(internet_connections.where { destination['network']['name'] !~ /dmz/i }) do
    it { should be_empty }
  end
end

intellimentsec.com
Docker Support

CIS Docker Baseline available at: github.com/dev-sec/cis-docker-benchmark

# returns all running container ids
docker.containers.running?.ids.each do |id|
  # retrieve detailed container information
  describe docker.object(id) do
    its('HostConfig.Privileged') { should cmp false }
  end
end
The InSpec AWS contributors at D2L: Alex Bedley, Miles Tjandrawidjaja, Jeff Lyons, Chris Redekop, Viktor Yakovlyev, Steffanie Freeman, Simon Varlow

“With InSpec for AWS, we can verify that our AWS environment is as we expect and that our resources are secure. Our AWS controls integrate with InSpec to provide a holistic view of our infrastructure. That’s why we contribute to InSpec AWS.”

InSpec for Platforms
InSpec for VMware

control 'vmware-7.3.3' do
  impact 0.7
  title 'Ensure that the vSwitch Promiscuous Mode policy is set to reject.'
  describe vmhost_vswitch(datacenter: 'vm001', host: 'localhost.localdomain', vswitch: 'vSwitch0') do
    its('allowPromiscuous') { should be false }
  end
end