
Chef Compliance Workshop

Nathen Harvey
December 02, 2015

Beta version of a Chef Compliance Workshop

Transcript

  1. Objectives
    By the end of this workshop you will be able to:
    » Describe the capabilities of Chef Compliance
    » Configure Chef Compliance to scan nodes in your environment
    » Write custom Compliance policies using InSpec
    » Upload custom Compliance policies to your Chef Compliance server
    » Use InSpec-based compliance checks in your cookbook
  2. Chef Compliance - Report
    Get reports on risks and issues classified by severity and impact levels
  3. Lab 1 - Login to Chef Compliance server
    » Open Chef Compliance URL provided
    » Tell your browser it's OK to trust the untrusted certificate
  4. » Enter the IP address of your node
    » Enter an Environment (use your name)
  5. Using SSH as the access protocol:
    » set the Username
    » choose to login with a password
  6. Lab 3 - Verify Connectivity
    » From the Dashboard, select your node
    » Click the 'Connectivity' button
  7. Lab 4 - Scan the SSH configuration
    » From the Dashboard, select your node
    » Click the 'Scan' button
  8. Chef Compliance - Report
    Get reports on risks and issues classified by severity and impact levels
  9. Lab 6 - Review a Critical Issue
    Let's look at that SSH control.
    » Navigate to the Compliance profiles
    » Click on "Basic SSH"
  10. Lab 7 - Remediate the Issue
    Login to your node
    $ ssh chef@IPADDRESS
    chef@IPADDRESS's password:
    Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-48-generic x86_64)

     * Documentation:  https://help.ubuntu.com/

      System information as of Wed Dec  2 04:14:55 UTC 2015

      System load:  0.02              Processes:              110
      Usage of /:   41.2% of 7.74GB   Users logged in:        1
      Memory usage: 4%                IP address for eth0:    172.31.1.118
      Swap usage:   0%                IP address for docker0: 172.17.42.1
  11. Generate an SSH cookbook
    chef@node$ chef generate cookbook ssh
    Compiling Cookbooks...
    Recipe: code_generator::cookbook
      * directory[/home/chef/cookbooks/ssh] action create
        - create new directory /home/chef/cookbooks/ssh
      * template[/home/chef/cookbooks/ssh/metadata.rb] action create_if_missing
        - create new file /home/chef/cookbooks/ssh/metadata.rb
        - update content in file /home/chef/cookbooks/ssh/metadata.rb from none to 279f80
        (diff output suppressed by config)
      * template[/home/chef/cookbooks/ssh/README.md] action create_if_missing
        - create new file /home/chef/cookbooks/ssh/README.md
        - update content in file /home/chef/cookbooks/ssh/README.md from none to 16927d
        (diff output suppressed by config)
      * cookbook_file[/home/chef/cookbooks/ssh/chefignore] action create
        - create new file /home/chef/cookbooks/ssh/chefignore
        - update content in file /home/chef/cookbooks/ssh/chefignore from none to 51b09a
  12. Create a Client recipe
    chef@node$ chef generate recipe ssh client
    Compiling Cookbooks...
    Recipe: code_generator::recipe
      * directory[./ssh/spec/unit/recipes] action create (up to date)
      * cookbook_file[./ssh/spec/spec_helper.rb] action create_if_missing (up to date)
      * template[./ssh/spec/unit/recipes/client_spec.rb] action create_if_missing
        - create new file ./ssh/spec/unit/recipes/client_spec.rb
        - update content in file ./ssh/spec/unit/recipes/client_spec.rb from none to 51dff0
        (diff output suppressed by config)
      * template[./ssh/recipes/client.rb] action create
        - create new file ./ssh/recipes/client.rb
        - update content in file ./ssh/recipes/client.rb from none to 9c811a
        (diff output suppressed by config)
  13. Create a template file
    chef@node$ chef generate template ssh \
      ssh_config.erb -s /etc/ssh/ssh_config
    Compiling Cookbooks...
    Recipe: code_generator::template
      * directory[./ssh/templates/default] action create
        - create new directory ./ssh/templates/default
      * file[./ssh/templates/default/ssh_config.erb] action create
        - create new file ./ssh/templates/default/ssh_config.erb
        - update content in file ./ssh/templates/default/ssh_config.erb from none to 6005ad
        (diff output suppressed by config)
  14. Write the client recipe
    Open file: ~/cookbooks/ssh/recipes/client.rb
    template '/etc/ssh/ssh_config' do
      source 'ssh_config.erb'
      owner 'root'
      group 'root'
      mode '0644'
    end
  15. Lab 8 - Test Kitchen (1 of 4)
    Open file: ~/cookbooks/ssh/.kitchen.yml
    ---
    driver:
      name: docker
      use_sudo: false
  16. Lab 8 - Test Kitchen (2 of 4)
    Open file: ~/cookbooks/ssh/.kitchen.yml
    provisioner:
      name: chef_zero

    # Uncomment the following verifier to leverage Inspec instead of Busser (the
    # default verifier)
    # verifier:
    #   name: inspec
  17. Lab 8 - Test Kitchen (3 of 4)
    Open file: ~/cookbooks/ssh/.kitchen.yml
    platforms:
      - name: ubuntu-14.04
      # - name: centos-7.1
  18. Lab 8 - Test Kitchen (4 of 4)
    Open file: ~/cookbooks/ssh/.kitchen.yml
    suites:
      - name: client
        run_list:
          - recipe[ssh::client]
        attributes:
  19. -----> Starting Kitchen (v1.4.2)
    /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.6.0.1/lib/httpclient/webagent-cookie.rb:458: warning: already initialized constant HTTPClient::CookieManager
    /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.6.0.1/lib/httpclient/cookie.rb:8: warning: previous definition of CookieManager was here
    -----> Creating <client-ubuntu-1404>...
           Sending build context to Docker daemon 63.49 kB
           Sending build context to Docker daemon
           Step 0 : FROM ubuntu:14.04
            ---> ca4d7b1b9a51
           Step 1 : RUN dpkg-divert --local --rename --add /sbin/initctl
            ---> Running in 5cd1cebf6812
           Leaving 'local diversion of /sbin/initctl to /sbin/initctl.distrib'
            ---> 10d23f2f5ec2
           Removing intermediate container 5cd1cebf6812
           Step 2 : RUN ln -sf /bin/true /sbin/initctl
            ---> Running in 33a8c8ddf8f5
            ---> 64fbee7d40c3
           Removing intermediate container 33a8c8ddf8f5
           Step 3 : ENV DEBIAN_FRONTEND noninteractive
            ---> Running in f232fdc644fd
  20. Lab 9 - Add InSpec Verification
    Add an InSpec test
    chef@node$ mkdir -p ~/cookbooks/ssh/test/integration/client/inspec
  21. 1 of 2
    Open file: ~/cookbooks/ssh/test/integration/client/inspec/client_spec.rb
    control 'ssh-4' do
      impact 1.0
      title 'Client: Set SSH protocol version to 2'
      desc "
        Set the SSH protocol version to 2.
        Don't use legacy insecure SSHv1 connections anymore.
      "
  22. 2 of 2
    Open file: ~/cookbooks/ssh/test/integration/client/inspec/client_spec.rb
      describe ssh_config do
        its('Protocol') { should eq('2') }
      end
    end
    Copy-and-paste the control from Chef Compliance; we want to test the same thing.
  23. Run InSpec from the Command Line
    » InSpec is an executable application.
    » InSpec can execute on remote hosts, including docker containers
  24. » What is your docker container id?
    chef@node$ docker ps
    CONTAINER ID        IMAGE                 COMMAND                CREATED             STATUS              PORTS                   NAMES
    511b3fcb2777        af3815cee160:latest   "/usr/sbin/sshd -D -   10 seconds ago      Up 10 seconds       0.0.0.0:32773->22/tcp   silly_davinci
  25. chef@node$ inspec exec ~/cookbooks/ssh/test/integration/client/inspec/client_spec.rb -t docker://88e57e403cd1
    F

    Failures:

      1) SSH Configuration Protocol should eq "2"
         Failure/Error: its('Protocol') { should eq('2') }

           expected: "2"
                got: nil

           (compared using ==)
         # ./test/integration/client/inspec/client_spec.rb:9:in `block (3 levels) in load'

    Finished in 0.2124 seconds (files took 0.37134 seconds to load)
    1 example, 1 failure

    Failed examples:

    rspec # SSH Configuration Protocol should eq "2"
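To show why the run above fails with `expected: "2" got: nil` even though the stock file contains a Protocol line, here is an added plain-Ruby example (not part of the deck, and not InSpec's own `ssh_config` resource, which it only approximates): it parses ssh_config text the way the `ssh-4` control reads it, with sample files constructed to mirror the `-#   Protocol 2,1` / `+Protocol 2` change the recipe produces later in the deck.

```ruby
# Added example, not from the deck and not InSpec's own ssh_config resource:
# a minimal parser that mirrors how the 'ssh-4' control reads ssh_config text.
# The three sample files below are constructed to match the diff shown in the deck.

# Parse ssh_config text into { directive => value }. Lines beginning with '#'
# are comments, so the stock "#   Protocol 2,1" defines nothing at all, which is
# why the first inspec run reports "got: nil". The first occurrence of a key wins,
# as in OpenSSH. Host-scoped blocks are not modelled; only global directives are read.
def parse_ssh_config(text)
  text.each_line.each_with_object({}) do |line, cfg|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    key, value = stripped.split(/[\s=]+/, 2) # "Protocol 2" and "Protocol=2" both allowed
    cfg[key] ||= value
  end
end

# The assertion the control makes: Protocol must be exactly "2" (not "2,1", not unset).
def ssh_protocol_compliant?(text)
  parse_ssh_config(text)['Protocol'] == '2'
end

# Constructed sample: stock Ubuntu 14.04 ssh_config, Protocol present only as a comment.
STOCK = <<~CONF
  #   Port 22
  #   Protocol 2,1
  #   Cipher 3des
CONF

# Constructed sample: a file that explicitly keeps the SSHv1 fallback enabled.
LEGACY = <<~CONF
  #   Port 22
  Protocol 2,1
CONF

# Constructed sample: the file after the ssh::client recipe converges ("+Protocol 2").
REMEDIATED = <<~CONF
  #   Port 22
  Protocol 2
  #   Cipher 3des
CONF

if __FILE__ == $PROGRAM_NAME
  { stock: STOCK, legacy: LEGACY, remediated: REMEDIATED }.each do |name, conf|
    printf("%-11s Protocol=%-6s compliant=%s\n", name,
           parse_ssh_config(conf)['Protocol'].inspect, ssh_protocol_compliant?(conf))
  end
end
```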
  26. Apply the change to the Test Kitchen
    chef@node$ cd ~/cookbooks/ssh
    chef@node$ kitchen converge
    -----> Converging <client-ubuntu-1404>...
           ...
           Converging 1 resources
           Recipe: ssh::client
             * template[/etc/ssh/ssh_config] action create
               - update content in file /etc/ssh/ssh_config from 6005ad to ed645d
               --- /etc/ssh/ssh_config    2015-08-18 02:14:14.000000000 +0000
               +++ /etc/ssh/.ssh_config20151202-416-1p3jnk3    2015-12-02 07:35:17.734336383 +0000
               @@ -37,7 +37,7 @@
                #   IdentityFile ~/.ssh/id_rsa
                #   IdentityFile ~/.ssh/id_dsa
                #   Port 22
               -#   Protocol 2,1
               +   Protocol 2
                #   Cipher 3des
                #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
                #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

           Running handlers:
           Running handlers complete
           Chef Client finished, 1/1 resources updated in 01 seconds
           Finished converging <client-ubuntu-1404> (0m3.52s).
    -----> Kitchen is finished. (0m4.20s)
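Review bot: the hunk changes only `#   Protocol 2,1` to `Protocol 2`, but the resource is `template[/etc/ssh/ssh_config]`, so every line of ssh_config.erb, which `chef generate template ssh ssh_config.erb -s /etc/ssh/ssh_config` copied from the generating host's own file, is now enforced on the node, not just this directive. Before reusing the cookbook beyond the lab, diff the template against the stock ssh_config of each target platform in `.kitchen.yml` (the commented centos-7.1 entry would get an Ubuntu file) so the converge does not silently replace platform defaults alongside the intended fix.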
  27. Lab 10 - Apply the new SSH Policy
    Use chef-client to apply the new SSH policy
    chef@node$ cd ~/
  28. chef@node$ sudo chef-client --local-mode -r 'recipe[ssh::client]'
    Starting Chef Client, version 12.5.1
    resolving cookbooks for run list: ["ssh::client"]
    Synchronizing Cookbooks:
      - ssh (0.1.0)
    Compiling Cookbooks...
    Converging 1 resources
    Recipe: ssh::client
      * template[/etc/ssh/ssh_config] action create
        - update content in file /etc/ssh/ssh_config from 6005ad to ed645d
        --- /etc/ssh/ssh_config    2015-12-02 04:14:38.422336383 +0000
        +++ /etc/ssh/.ssh_config20151202-14917-s8hgi2    2015-12-02 07:42:23.330336383 +0000
        @@ -37,7 +37,7 @@
         #   IdentityFile ~/.ssh/id_rsa
         #   IdentityFile ~/.ssh/id_dsa
         #   Port 22
        -#   Protocol 2,1
        +   Protocol 2
         #   Cipher 3des
         #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
         #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

    Running handlers:
    Running handlers complete
    Chef Client finished, 1/1 resources updated in 01 seconds
  29. Lab 11 - Scan the SSH configuration
    » From the Dashboard, select your node
    » Click the 'Scan' button
  30. Lab 12 - Review the Compliance Report
    Verify the 'Client: Set SSH protocol version to 2' control is now 'Compliant'
  31. Is it a profile yet?
    » InSpec includes a command to check a profile
    chef@node$ mkdir -p USERNAME/tmp_profile_for_USERNAME
  32. chef@node$ inspec check USERNAME/tmp_profile_for_USERNAME
    E, [2015-12-02T07:58:03.197043 #15448] ERROR -- : Can't find metadata file username/tmp_profile_for_USERNAME/metadata.rb
    /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/targets/folder.rb:23:in `resolve': Don't know how to handle folder username/tmp_profile_for_USERNAME/ (RuntimeError)
    ...
  33. Create the metadata file
    chef@node$ touch USERNAME/tmp_profile_for_USERNAME/metadata.rb
    chef@node$ inspec check USERNAME/tmp_profile_for_USERNAME
    I, [2015-12-02T08:02:19.171190 #15458]  INFO -- : Checking profile in USERNAME/tmp_profile_for_USERNAME
    E, [2015-12-02T08:02:19.171445 #15458] ERROR -- : No profile name defined
    W, [2015-12-02T08:02:19.171558 #15458]  WARN -- : No version defined
    W, [2015-12-02T08:02:19.171676 #15458]  WARN -- : No title defined
    W, [2015-12-02T08:02:19.171770 #15458]  WARN -- : No maintainer defined
    /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/profile.rb:104:in `check': undefined method `empty?' for nil:NilClass (NoMethodError)
  34. Address the ERRORs and WARNs
    Open file: ~/compliance_profiles/USERNAME/tmp_profile_for_USERNAME/metadata.rb
    name 'USERNAME/tmp_profile_for_USERNAME'
    version '0.1.0'
    title '/tmp Profile for USERNAME'
    maintainer 'YOUR NAME'
  35. Open file: ~/compliance_profiles/USERNAME/tmp_profile_for_USERNAME/test/tmp.rb
    title '/tmp profile for USERNAME'

    control "tmp-1.0" do                          # A unique ID for this control
      impact 0.3                                  # The criticality, if this control fails.
      title "Create /tmp directory"               # A human-readable title
      desc "A /tmp directory must exist"
      describe file('/tmp') do                    # The actual test
        it { should be_directory }
      end
    end

    control "tmp-1.1" do
      impact 0.3
      title "/tmp directory is owned by the root user"
      desc "The /tmp directory must be owned by the root user"
      describe file('/tmp') do
        it { should be_owned_by 'root' }
      end
    end
  36. chef@node$ inspec check USERNAME/tmp_profile_for_USERNAME
    I, [2015-12-02T08:42:30.432722 #16567]  INFO -- : Checking profile in USERNAME/tmp_profile_for_USERNAME
    I, [2015-12-02T08:42:30.432937 #16567]  INFO -- : Metadata OK.
    D, [2015-12-02T08:42:30.433053 #16567] DEBUG -- : Found 20 rules.
    D, [2015-12-02T08:42:30.433154 #16567] DEBUG -- : Verify all rules in USERNAME/tmp_profile_for_USERNAME/test/tmp.rb
    I, [2015-12-02T08:42:30.433256 #16567]  INFO -- : Rule definitions OK.
  37. Test the profile locally
    chef@node$ inspec exec USERNAME/tmp_profile_for_USERNAME/
    ..

    Finished in 0.0166 seconds (files took 0.24531 seconds to load)
    2 examples, 0 failures
  38. SCP the .zip file to your LOCAL computer
    $ scp chef@IPADDRESS:~/compliance_profiles/USERNAME.zip .
    chef@IPADDRESS's password:
    USERNAME.zip                                  100% 1257     1.2KB/s   00:00
  39. Lab 14 - Upload the profile to Chef Compliance
    » From the Compliance page, press the 'Add profile' button
  40. Lab 15 - Scan with the new profile
    » From the Dashboard, select your node
    » Click the 'Scan' button
  41. Chef Compliance - Report
    Get reports on risks and issues classified by severity and impact levels
  42. Objectives
    By the end of this workshop you will be able to:
    » Describe the capabilities of Chef Compliance
    » Configure Chef Compliance to scan nodes in your environment
    » Write custom Compliance policies using InSpec
    » Upload custom Compliance policies to your Chef Compliance server
    » Use InSpec-based compliance checks in your cookbook
  43. What's next?
    » What questions can I answer for you?
    » Remediate more failures
    » Add additional tests