Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ChefConf 2017 InSpec 2 Announcement


ChefConf 2017 InSpec 2 Announcement

InSpec's announcement slides as presented by Christoph Hartmann in Adam Jacob's keynote.

Christoph Hartmann

May 23, 2017

More Decks by Christoph Hartmann


  1. Digital Transformation is taking over IT 71% DevOps adoption IT

    Professionals think InfoSec inhibits speed 81% 77% InfoSec experts believe this too! Rightscale, State of Cloud Gartner, How to seamlessly integrate Security into DevOps
  2. • Prevent insecure production env. • Report and alert continuously

    • Provide proof Know your security stance Faulty assumptions
  3. Documentation SSH supports two different protocol versions. The original version,

    SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
  4. Compliance Language control 'sshd-10' do impact 1.0 title 'Server: Specify

    protocol version 2' desc "Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore." describe sshd_config do its('Protocol') { should eq('2') } end end
  5. Project Health 119 releases (once a week) 19 days Issue

    resolution time 108 Contributors 657 Stars
  6. Built-in Resources apache apache_conf apt audit_policy auditd_conf auditd_rules bash bond

    bridge bsd_service command crontab csv dh_params directory docker docker_container docker_image etc_group file gem group groups grub_conf host http iis_site iis_website inetd_conf ini interface iptables json kernel_module kernel_parameter key_rsa launchd_service limits_conf login_defs mount mssql_session mysql mysql_conf mysql_session npm ntp_conf oneget oracledb_session os os_env package packages parse_config parse_config_file passwd pip port postgres postgres_conf postgres_session powershell ppa processes rabbitmq_config registry_key runit_service script security_policy service shadow ssh_config sshd_config ssl sys_info systemd_service sysv_service upstart_service user users vbscript windows_feature windows_registry_key windows_task wmi x509_certificate xinetd_conf yaml yum yumrepo zfs_dataset zfs_pool https://www.inspec.io/docs/reference/resources/
  7. Operating Systems Support Amazon Linux 2014.09 / 2015.03 CentOS 6

    / 7 HP UX 11i IBM AIX 5.3 / 6.1 / 7.1 RHEL 6 / 7 SLES 11 / 12 Ubuntu Server 12.04 / 14.04 / 16.04 Windows 7 / 8 / 10 / 2012 / 2012R2 / 2016 / Nano
  8. Database Testing control 'postgres-05' do impact 1.0 title 'Set a

    password for each user' desc 'It tests for usernames which does not set a password.' describe postgres_session(USER, PASSWORD).query( 'SELECT count(*) FROM pg_shadow WHERE passwd IS NULL;') do its('output') { should eq '0' } end end
  9. Intelliment Security control 'nw03' do title 'All internet connections must

    be terminated in the DMZ' describe(internet_connections.where { destination['network']['name'] !~ /dmz/i }) do it { should be_empty } end end intellimentsec.com
  10. InSpec Profile Management CIS Benchmark Acme Inc CIS Benchmark include_controls

    ’cis-benchmark’ depends: - name: linux-patch-baseline
  11. Docker Support CIS Docker Baseline available at: github.com/dev-sec/cis-docker-benchmark # returns

    all running container ids docker.containers.running?.ids.each do |id| # retrieve detailed container information describe docker.object(id) do its('HostConfig.Privileged') { should cmp false } end end
  12. The InSpec AWS contributors at D2L: Alex Bedley, Miles Tjandrawidjaja,

    Jeff Lyons, Chris Redekop, Viktor Yakovlyev, Steffanie Freeman, Simon Varlow “With InSpec for AWS, we can verify that our AWS environment is as we expect and that our resources are secure. Our AWS controls integrate with InSpec to provide a holistic view of our infrastructure. That’s why we contribute to InSpec AWS.” InSpec for Platforms
  13. InSpec for AWS describe aws_iam_user(’iam_user') do its('has_mfa_enabled?') { should be

    false } its('has_console_password?') { should be false } end
  14. InSpec for Azure describe azure_virtual_machine(name: 'Linux-Internal-VM', resource_group: 'Inspec-Azure') do its('sku')

    { should eq '16.04.0-LTS' } its('publisher') { should eq 'Canonical' } its('offer') { should eq 'UbuntuServer' } its('size') { should eq 'Standard_DS2_v2' } its('location') { should eq 'westeurope' } its('admin_username') { should eq 'azure' } end
  15. InSpec for VmWare control 'vmware-7.3.3' do impact 0.7 title 'Ensure

    that the vSwitch Promiscuous Mode policy is set to reject.' describe vmhost_vswitch(datacenter: 'vm001', host: 'localhost.localdomain',vswitch: 'vSwitch0') do its('allowPromiscuous') { should be false } end end
  16. InSpec Supermarket $ inspec supermarket profiles == Available profiles: *

    apache2-compliance-test-tthompson thompsontelmate/apache2-compliance-test-tthompson * Apache DISA STIG som3guy/apache-disa-stig * chef-alfresco-inspec-mysql alfresco/chef-alfresco-inspec-mysql * chef-alfresco-inspec-tomcat alfresco/chef-alfresco-inspec-tomcat * chef-client-hardening sliim/chef-client-hardening * CIS Docker Benchmark dev-sec/cis-docker-benchmark * CVE-2016-5195 ndobson/cve-2016-5195 * DevSec Apache Baseline dev-sec/apache-baseline * DevSec Linux Baseline dev-sec/linux-baseline
  17. DevSec Project dev-sec.io • Linux Baseline • Windows Baseline •

    Linux Patch Baseline • Windows Patch Baseline • SSL / TLS Baseline • SSH Baseline • Apache Baseline • Nginx Baseline • MySQL Baseline • Postgres Baseline • OpenStack Baseline