Infrastructure and Security Testing with InSpec

Transcript

1. INFRASTRUCTURE & SECURITY TESTING WITH INSPEC

2. $> whoami Christoph Hartmann Engineering Manager at Chef  @chri_hartmann

    chris-rock
   [email protected]

3. WHAT IS CHEF?

4. DEVOPS AUTOMATION FROM CONCEPTION TO PRODUCTION.

5. COMPETITIVE ADVANTAGE BOOK: THE HIGH VELOCITY EDGE - STEVEN J.

   SPEARS

6. INFRASTRUCTURE & SECURITY TESTING WITH INSPEC

7. SAFETY AT VELOCITY Quality Security 14:47:46

8. COMPLIANCE AS CODE. 14:47:46

9. DEV & OPS SET UP AN APP

10. SECURITY MEETS OPERATIONS

11. None
12. None
13. None
14. None
15. None

16. DOCUMENTATION SSH supports two different protocol versions. The original version,

    SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

17. SCRIPTING TOOLS > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'

    2

18. COMPLIANCE LANGUAGE describe sshd_config do its('Protocol') { should cmp 2

    } end

19. INSPEC

20. COMPLIANCE LANGUAGE control 'ssh-1234' do impact 1.0 title 'Server: Set

    protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore... " describe sshd_config do its('Protocol') { should eq('2') } end end

21. ONE LANGUAGE Linux, Windows, BSD, Solaris, AIX, ...

22. WINDOWS control 'windows-base-201' do impact 1.0 title 'Strong Windows NTLMv2

    Authentication Enabled; Weak LM Disabled' desc ' @link: http://support.microsoft.com/en-us/kb/823659 ' describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do it { should exist } its('LmCompatibilityLevel') { should eq 4 } end end

23. ONE LANGUAGE Linux, Windows, BSD, Solaris, AIX, ... Bare-metal, VMs,

    Containers

24. TEST YOUR LOCAL NODE inspec exec test.rb

25. TEST REMOTE VIA SSH inspec exec test.rb -i vagrant.key -t

    ssh://[email protected]:11022 no Ruby / agent on the node

26. TEST REMOTE VIA WINRM inspec exec test.rb -t winrm://[email protected] --password

    super no Ruby / agent on the node

27. TEST DOCKER CONTAINER inspec exec test.rb -t docker://3cc8837bb6a8 no SSH

    / agent on the container

28. ONE LANGUAGE Linux, Windows, BSD, Solaris, AIX, ... Bare-metal, VMs,

    Containers Nodes, DBs, Endpoints, APIs (AWS, Azure, ...)

29. DB TESTING describe mysql_session.query("SELECT user, host FROM mysql.user WHERE host

    = '%'" its(:stdout) { should be empty } end

30. CLOUD TESTING Vpc.new(id: 'my_vpc_id').security_groups.each do |security_group| describe security_group do it

    { should_not have_ingress_rule().with_source('0.0.0.0/0') } end end

31. PROFILE FOUNDATION

32. MAKE ADJUSTMENTS

33. NATIVE INSPEC include_control "cis/cis-centos6-lvl1" do skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_on_et skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_etcgru control

    "xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server" do impact 1.0 end end control "my-own-1" ...

34. SPREAD TO OTHER ENVIRONMENTS

35. COMPLIANCE AS CODE.

36. DEVOPS WORKFLOW

37. None

38. CREATE AND TEST EARLY ON

39. None
40. None

41. TEST CONTINUOUSLY

42. None

43. DEPLOY, OPERATE, VERIFY

44. None

45. ONE WORKFLOW CYCLE

46. FULL WORKFLOW

47. COMPLIANCE AS CODE.

48. JOIN INSPEC  GITHUB.COM/CHEF/INSPEC GITTER.IM/CHEF/INSPEC

49. INSPEC 1.0 Dependencies Attributes

50. THANK YOU  @chri_hartmann  chris-rock
    [email protected]