Infrastructure and Security Testing with InSpec

Testing, Infrastructure, Security, Compliance, InSpec, Chef, Ansible, Puppet

Christoph Hartmann

June 29, 2016
Transcript

  1. INFRASTRUCTURE & SECURITY TESTING WITH INSPEC

  2. $> whoami
    Christoph Hartmann
    Engineering Manager at Chef
    @chri_hartmann
    chris-rock
    [email protected]

  3. WHAT IS CHEF?

  4. DEVOPS AUTOMATION FROM
    CONCEPTION TO PRODUCTION.

  5. COMPETITIVE ADVANTAGE
    BOOK: THE HIGH VELOCITY EDGE - STEVEN J. SPEAR

  6. INFRASTRUCTURE & SECURITY TESTING
    WITH INSPEC

  7. SAFETY AT VELOCITY
    Quality
    Security

  8. COMPLIANCE AS CODE.

  9. DEV & OPS SET UP AN APP

  10. SECURITY MEETS OPERATIONS

  16. DOCUMENTATION
    SSH supports two different protocol versions. The original
    version, SSHv1, was subject to a number of security issues.
    Please use SSHv2 instead to avoid these.

  17. SCRIPTING TOOLS
    > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
    2

  18. COMPLIANCE LANGUAGE
    describe sshd_config do
      its('Protocol') { should cmp 2 }
    end

  19. INSPEC

  20. COMPLIANCE LANGUAGE
    control 'ssh-1234' do
      impact 1.0
      title 'Server: Set protocol version to SSHv2'
      desc "
        Set the SSH protocol version to 2. Don't use legacy
        insecure SSHv1 connections anymore...
      "
      describe sshd_config do
        its('Protocol') { should eq('2') }
      end
    end
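    The control above reads the Protocol directive through InSpec's sshd_config resource. The following is an added example, not code from the deck or from InSpec: a small Ruby parser for the sshd_config format (hypothetical names parse_sshd_config and check_ssh_protocol) that applies the same "must be exactly 2" rule, so the edge cases a practitioner hits in audits are visible: an unset directive, a "2,1" value that still allows SSHv1 fallback, and directives inside a Match block that are conditional rather than global. The sample configs are constructed.

```ruby
# Constructed example, not InSpec's own code: parse the sshd_config format and
# evaluate the slide's 'ssh-1234' control (Protocol must be exactly "2").

# Parse sshd_config text into a Hash of lowercased keyword => value. sshd
# honours the first occurrence of a keyword, so the first one wins here too.
# Lines inside a 'Match' block are conditional and are skipped so they cannot
# be mistaken for the global setting.
def parse_sshd_config(text)
  settings = {}
  in_match = false
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    key = key.downcase
    if key == 'match'
      in_match = true
      next
    end
    next if in_match
    settings[key] ||= value
  end
  settings
end

# Mirrors `its('Protocol') { should eq('2') }`: a missing directive (nil) or a
# value such as "2,1" (SSHv1 fallback still allowed) fails the control.
def check_ssh_protocol(text)
  protocol = parse_sshd_config(text)['protocol']
  {
    control: 'ssh-1234',
    impact: 1.0,
    protocol: protocol,
    status: protocol == '2' ? :passed : :failed,
    reason: protocol.nil? ? 'Protocol not set explicitly' : "Protocol is #{protocol}"
  }
end

COMPLIANT_CONFIG = <<~CFG
  # constructed sample: SSHv2 only
  Protocol 2
CFG

LEGACY_CONFIG = <<~CFG
  # constructed sample: SSHv1 fallback plus a conditional Match block
  Protocol 2,1
  Match User backup
    PasswordAuthentication yes
CFG
```

Running check_ssh_protocol(LEGACY_CONFIG) returns status :failed with reason "Protocol is 2,1", which is why the slide's `eq('2')` is stricter than the grep/sed check on the earlier slide.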

  21. ONE LANGUAGE
    Linux, Windows, BSD, Solaris, AIX, ...

  22. WINDOWS
    control 'windows-base-201' do
      impact 1.0
      title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
      desc '
        @link: http://support.microsoft.com/en-us/kb/823659
      '
      describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
        it { should exist }
        its('LmCompatibilityLevel') { should eq 4 }
      end
    end

  23. ONE LANGUAGE
    Linux, Windows, BSD, Solaris, AIX, ...
    Bare-metal, VMs, Containers

  24. TEST YOUR LOCAL NODE
    inspec exec test.rb

  25. TEST REMOTE VIA SSH
    inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
    no Ruby / agent on the node

  26. TEST REMOTE VIA WINRM
    inspec exec test.rb -t winrm://[email protected] --password super
    no Ruby / agent on the node

  27. TEST DOCKER CONTAINER
    inspec exec test.rb -t docker://3cc8837bb6a8
    no SSH / agent on the container

  28. ONE LANGUAGE
    Linux, Windows, BSD, Solaris, AIX, ...
    Bare-metal, VMs, Containers
    Nodes, DBs, Endpoints, APIs (AWS, Azure, ...)

  29. DB TESTING
    # mysql_session needs credentials; the values below are placeholders
    sql = mysql_session('root', 'MYSQL_ROOT_PASSWORD')
    # no account may be reachable from any host (wildcard '%')
    describe sql.query("SELECT user, host FROM mysql.user WHERE host = '%'") do
      its('stdout') { should be_empty }
    end

  30. CLOUD TESTING
    Vpc.new(id: 'my_vpc_id').security_groups.each do |security_group|
      describe security_group do
        it { should_not have_ingress_rule().with_source('0.0.0.0/0') }
      end
    end

  31. PROFILE FOUNDATION

  32. MAKE ADJUSTMENTS

  33. NATIVE INSPEC
    include_control "cis/cis-centos6-lvl1" do
      skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_on_et
      skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_etcgru
      control "xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server" do
        impact 1.0
      end
    end
    control "my-own-1" ...

  34. SPREAD TO OTHER ENVIRONMENTS

  35. COMPLIANCE AS CODE.

  36. DEVOPS WORKFLOW

  38. CREATE AND TEST EARLY ON

  41. TEST CONTINUOUSLY

  43. DEPLOY, OPERATE, VERIFY

  45. ONE WORKFLOW CYCLE

  46. FULL WORKFLOW

  47. COMPLIANCE AS CODE.

  48. JOIN INSPEC

    GITHUB.COM/CHEF/INSPEC
    GITTER.IM/CHEF/INSPEC

  49. INSPEC 1.0
    Dependencies
    Attributes

  50. THANK YOU
    @chri_hartmann
    chris-rock
    [email protected]