$30 off During Our Annual Pro Sale. View Details »

Infrastructure and Security Testing with InSpec

Christoph Hartmann
June 29, 2016
Technology
0
190

Infrastructure and Security Testing with InSpec

Testing, Infrastructure, Security, Compliance, InSpec, Chef, Ansible, Puppet

Christoph Hartmann

June 29, 2016
Tweet

More Decks by Christoph Hartmann

See All by Christoph Hartmann
Security vs. Dev Experience: Threat … or Opportunity?
chrisrock
0
8
The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications
chrisrock
0
35
Testing Cloud Provisioning with Terraform and InSpec
chrisrock
2
630
DevSec: Continuous Patch and Security Assessment with InSpec
chrisrock
0
220
Chef Summit London: InSpec Keynote
chrisrock
0
270
AllDayDevOps 2017: Continuous Patch and Security Assessment with InSpec
chrisrock
0
160
DevSecCon London: Christoph Hartmann - DevSec: continuous compliance
chrisrock
0
220
ChefConf 2017 InSpec 2 Announcement
chrisrock
0
170
Compliance-Driven Infrastructure
chrisrock
0
170

Other Decks in Technology

See All in Technology
Data-Centric AI - 関連する学術分野と実践例 -
kzykmyzw
4
1.4k
第21回Ques シフトレフトにおけるシナリオテストの適用事例
moritamasami
1
330
FRONTEND CONFERENCE OKINAWA 2023 スポンサーセッション発表スライド/frontend-okinawa
nikkei_engineer_recruiting
1
2k
イベント企画設計における「フロントエンド」な考え方とその魅力
kgsi
1
1.8k
昨年のre:Invent目玉? Amazon VPC Latticeって結局いつ使えばいいのか考察してみた
minorun365
PRO
4
280
Making your Kubernetes-based log collection reliable & durable with Vector
palark
0
190
ナレコム CULTURE DECK
kc_nakanishi
0
230
技術的負債あるある早く言いたい〜/RookiesLT-link-and-motivation
lmi
0
1.4k
[2023년 11월 세미나] 마케팅 성과 분석의 모든 것 (feat. GA4)
datarian
0
310
Exceptionハンドリングの基本と新しい手法について【JJUG CCC 2023 fall】
toranoana
2
130
Kuma UIのこれまでとこれから
poteboy
5
2.9k
Railsアプリをコスパよく読むための環境整備
ikumatadokoro
1
130

Featured

See All Featured
Making the Leap to Tech Lead
cromwellryan
120
8.2k
For a Future-Friendly Web
brad_frost
168
8.4k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
351
28k
Fantastic passwords and where to find them - at NoRuKo
philnash
34
2.2k
Git: the NoSQL Database
bkeepers
PRO
420
62k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
215
12k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
4k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
219
21k
Atom: Resistance is Futile
akmur
257
24k
[RailsConf 2023] Rails as a piece of cake
palkan
16
3.1k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
26
5.7k
No one is an island. Learnings from fostering a developers community.
thoeni
14
1.8k

Transcript

  1. INFRASTRUCTURE & SECURITY TESTING WITH INSPEC

    View Slide

  2. $> whoami
    Christoph Hartmann
    Engineering Manager at Chef
    @chri_hartmann
    chris-rock
    [email protected]

    View Slide

  3. WHAT IS CHEF?

    View Slide

  4. DEVOPS AUTOMATION FROM
    CONCEPTION TO PRODUCTION.

    View Slide

  5. COMPETITIVE ADVANTAGE
    BOOK: THE HIGH VELOCITY EDGE - STEVEN J. SPEARS

    View Slide

  6. INFRASTRUCTURE & SECURITY TESTING
    WITH INSPEC

    View Slide

  7. SAFETY AT VELOCITY
    Quality
    Security
    14:47:46

    View Slide

  8. COMPLIANCE AS CODE.
    14:47:46

    View Slide

  9. DEV & OPS SET UP AN APP

    View Slide

  10. SECURITY MEETS OPERATIONS

    View Slide

  11. View Slide

  12. View Slide

  13. View Slide

  14. View Slide

  15. View Slide

  16. DOCUMENTATION
    SSH supports two different protocol versions. The original
    version, SSHv1, was subject to a number of security issues.
    Please use SSHv2 instead to avoid these.

    View Slide

  17. SCRIPTING TOOLS
    > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
    2

    View Slide

  18. COMPLIANCE LANGUAGE
    describe sshd_config do
    its('Protocol') { should cmp 2 }
    end

    View Slide

  19. INSPEC

    View Slide

  20. COMPLIANCE LANGUAGE
    control 'ssh-1234' do
    impact 1.0
    title 'Server: Set protocol version to SSHv2'
    desc "
    Set the SSH protocol version to 2. Don't use legacy
    insecure SSHv1 connections anymore...
    "
    describe sshd_config do
    its('Protocol') { should eq('2') }
    end
    end

    View Slide

  21. ONE LANGUAGE
    Linux, Windows, BSD, Solaris, AIX, ...

    View Slide

  22. WINDOWS
    control 'windows-base-201' do
    impact 1.0
    title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
    desc '
    @link: http://support.microsoft.com/en-us/kb/823659
    '
    describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
    it { should exist }
    its('LmCompatibilityLevel') { should eq 4 }
    end
    end

    View Slide

  23. ONE LANGUAGE
    Linux, Windows, BSD, Solaris, AIX, ...
    Bare-metal, VMs, Containers

    View Slide

  24. TEST YOUR LOCAL NODE
    inspec exec test.rb

    View Slide

  25. TEST REMOTE VIA SSH
    inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
    no Ruby / agent on the node

    View Slide

  26. TEST REMOTE VIA WINRM
    inspec exec test.rb -t winrm://[email protected] --password super
    no Ruby / agent on the node

    View Slide

  27. TEST DOCKER CONTAINER
    inspec exec test.rb -t docker://3cc8837bb6a8
    no SSH / agent on the container

    View Slide

  28. ONE LANGUAGE
    Linux, Windows, BSD, Solaris, AIX, ...
    Bare-metal, VMs, Containers
    Nodes, DBs, Endpoints, APIs (AWS, Azure, ...)

    View Slide

  29. DB TESTING
    describe mysql_session.query("SELECT user, host FROM mysql.user WHERE host = '%'"
    its(:stdout) { should be empty }
    end

    View Slide

  30. CLOUD TESTING
    Vpc.new(id: 'my_vpc_id').security_groups.each do |security_group|
    describe security_group do
    it { should_not have_ingress_rule().with_source('0.0.0.0/0') }
    end
    end

    View Slide

  31. PROFILE FOUNDATION

    View Slide

  32. MAKE ADJUSTMENTS

    View Slide

  33. NATIVE INSPEC
    include_control "cis/cis-centos6-lvl1" do
    skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_on_et
    skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_etcgru
    control "xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server" do
    impact 1.0
    end
    end
    control "my-own-1" ...

    View Slide

  34. SPREAD TO OTHER ENVIRONMENTS

    View Slide

  35. COMPLIANCE AS CODE.

    View Slide

  36. DEVOPS WORKFLOW

    View Slide

  37. View Slide

  38. CREATE AND TEST EARLY ON

    View Slide

  39. View Slide

  40. View Slide

  41. TEST CONTINUOUSLY

    View Slide

  42. View Slide

  43. DEPLOY, OPERATE, VERIFY

    View Slide

  44. View Slide

  45. ONE WORKFLOW CYCLE

    View Slide

  46. FULL WORKFLOW

    View Slide

  47. COMPLIANCE AS CODE.

    View Slide

  48. JOIN INSPEC

    GITHUB.COM/CHEF/INSPEC
    GITTER.IM/CHEF/INSPEC

    View Slide

  49. INSPEC 1.0
    Dependencies
    Attributes

    View Slide

  50. THANK YOU
    @chri_hartmann
    chris-rock
    [email protected]

    View Slide