Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Infrastructure and Security Testing with InSpec

Christoph Hartmann
June 29, 2016
Technology
0
190

Infrastructure and Security Testing with InSpec

Testing, Infrastructure, Security, Compliance, InSpec, Chef, Ansible, Puppet

Christoph Hartmann

June 29, 2016
Tweet

More Decks by Christoph Hartmann

See All by Christoph Hartmann
The death of security as we know it: Platform and Security Engineering join forces to build more secure and robust applications
chrisrock
0
16
Testing Cloud Provisioning with Terraform and InSpec
chrisrock
2
600
DevSec: Continuous Patch and Security Assessment with InSpec
chrisrock
0
200
Chef Summit London: InSpec Keynote
chrisrock
0
240
AllDayDevOps 2017: Continuous Patch and Security Assessment with InSpec
chrisrock
0
140
DevSecCon London: Christoph Hartmann - DevSec: continuous compliance
chrisrock
0
200
ChefConf 2017 InSpec 2 Announcement
chrisrock
0
140
Compliance-Driven Infrastructure
chrisrock
0
140

Other Decks in Technology

See All in Technology
2023.06.01_LangChain/Llamaindex/Whisperを使ったアプリケーション開発のまとめと展望
pharma_x_tech
0
540
ChatGPTをどう使うか?(JJUGナイトセミナー5/23)
shin_higuchi
0
760
Google I:O 2023 Androidの自動テストアップデートまとめ / Google I:O 2023 Android Testing Update Recap
tkmnzm
0
190
ABEMAのRenderScript Intrinsics Replacement Toolkit 導入事例
takahana
0
270
LLMの普及による機械学習の民主化とMLPdMの重要性 / democratization-of-ml-and-importance-of-mlpdm-by-llm
yuya4
2
2.4k
20230525_経営者・マーケティング担当必見!ChatGPTがもたらすマーケティング革命(45min版)_v1.02_共有用・後半パート.pdf
doradora09
0
170
CDK + ecspressoでお手軽コンテナ3分クッキング
yoyoyopg
0
110
プロデュ―サーさん、今日も安全運転でよろしくね☆~OBD2を用いた速度・回転数検知ツールの開発~
hato3isfriend
0
130
KEDAで始めるイベント駆動システム #k8snovice / keda-tutorial
chmikata
1
130
これから始める継続的インテグレーション - GitHub Actions編
devops_vtj
0
150
ハンズオンで学ぶ! Instana基礎
daihiraoka
1
130
Security-JAWS#29 AWS Summit Tokyo 2023 オンデマンド配信を楽しむためのセキュリティ関連トピックご紹介
kthrtty
1
230

Featured

See All Featured
The Invisible Side of Design
smashingmag
292
49k
Three Pipe Problems
jasonvnalue
89
9.1k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
3
540
A better future with KSS
kneath
230
16k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.7k
Mobile First: as difficult as doing things right
swwweet
213
8k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
GitHub's CSS Performance
jonrohan
1022
430k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
13
1.4k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.5k
Learning to Love Humans: Emotional Interface Design
aarron
264
38k

Transcript

  1. INFRASTRUCTURE & SECURITY TESTING WITH INSPEC

    View Slide

  2. $> whoami
    Christoph Hartmann
    Engineering Manager at Chef
    @chri_hartmann
    chris-rock
    [email protected]

    View Slide

  3. WHAT IS CHEF?

    View Slide

  4. DEVOPS AUTOMATION FROM
    CONCEPTION TO PRODUCTION.

    View Slide

  5. COMPETITIVE ADVANTAGE
    BOOK: THE HIGH VELOCITY EDGE - STEVEN J. SPEARS

    View Slide

  6. INFRASTRUCTURE & SECURITY TESTING
    WITH INSPEC

    View Slide

  7. SAFETY AT VELOCITY
    Quality
    Security
    14:47:46

    View Slide

  8. COMPLIANCE AS CODE.
    14:47:46

    View Slide

  9. DEV & OPS SET UP AN APP

    View Slide

  10. SECURITY MEETS OPERATIONS

    View Slide

  11. View Slide

  12. View Slide

  13. View Slide

  14. View Slide

  15. View Slide

  16. DOCUMENTATION
    SSH supports two different protocol versions. The original
    version, SSHv1, was subject to a number of security issues.
    Please use SSHv2 instead to avoid these.

    View Slide

  17. SCRIPTING TOOLS
    > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
    2

    View Slide

  18. COMPLIANCE LANGUAGE
    describe sshd_config do
    its('Protocol') { should cmp 2 }
    end

    View Slide

  19. INSPEC

    View Slide

  20. COMPLIANCE LANGUAGE
    control 'ssh-1234' do
    impact 1.0
    title 'Server: Set protocol version to SSHv2'
    desc "
    Set the SSH protocol version to 2. Don't use legacy
    insecure SSHv1 connections anymore...
    "
    describe sshd_config do
    its('Protocol') { should eq('2') }
    end
    end

    View Slide

  21. ONE LANGUAGE
    Linux, Windows, BSD, Solaris, AIX, ...

    View Slide

  22. WINDOWS
    control 'windows-base-201' do
    impact 1.0
    title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
    desc '
    @link: http://support.microsoft.com/en-us/kb/823659
    '
    describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
    it { should exist }
    its('LmCompatibilityLevel') { should eq 4 }
    end
    end

    View Slide

  23. ONE LANGUAGE
    Linux, Windows, BSD, Solaris, AIX, ...
    Bare-metal, VMs, Containers

    View Slide

  24. TEST YOUR LOCAL NODE
    inspec exec test.rb

    View Slide

  25. TEST REMOTE VIA SSH
    inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
    no Ruby / agent on the node

    View Slide

  26. TEST REMOTE VIA WINRM
    inspec exec test.rb -t winrm://[email protected] --password super
    no Ruby / agent on the node

    View Slide

  27. TEST DOCKER CONTAINER
    inspec exec test.rb -t docker://3cc8837bb6a8
    no SSH / agent on the container

    View Slide

  28. ONE LANGUAGE
    Linux, Windows, BSD, Solaris, AIX, ...
    Bare-metal, VMs, Containers
    Nodes, DBs, Endpoints, APIs (AWS, Azure, ...)

    View Slide

  29. DB TESTING
    describe mysql_session.query("SELECT user, host FROM mysql.user WHERE host = '%'"
    its(:stdout) { should be empty }
    end

    View Slide

  30. CLOUD TESTING
    Vpc.new(id: 'my_vpc_id').security_groups.each do |security_group|
    describe security_group do
    it { should_not have_ingress_rule().with_source('0.0.0.0/0') }
    end
    end

    View Slide

  31. PROFILE FOUNDATION

    View Slide

  32. MAKE ADJUSTMENTS

    View Slide

  33. NATIVE INSPEC
    include_control "cis/cis-centos6-lvl1" do
    skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_on_et
    skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_etcgru
    control "xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server" do
    impact 1.0
    end
    end
    control "my-own-1" ...

    View Slide

  34. SPREAD TO OTHER ENVIRONMENTS

    View Slide

  35. COMPLIANCE AS CODE.

    View Slide

  36. DEVOPS WORKFLOW

    View Slide

  37. View Slide

  38. CREATE AND TEST EARLY ON

    View Slide

  39. View Slide

  40. View Slide

  41. TEST CONTINUOUSLY

    View Slide

  42. View Slide

  43. DEPLOY, OPERATE, VERIFY

    View Slide

  44. View Slide

  45. ONE WORKFLOW CYCLE

    View Slide

  46. FULL WORKFLOW

    View Slide

  47. COMPLIANCE AS CODE.

    View Slide

  48. JOIN INSPEC

    GITHUB.COM/CHEF/INSPEC
    GITTER.IM/CHEF/INSPEC

    View Slide

  49. INSPEC 1.0
    Dependencies
    Attributes

    View Slide

  50. THANK YOU
    @chri_hartmann
    chris-rock
    [email protected]

    View Slide