settings • Test locally to reduce risk, and ensure compliance • Commit to Source Code • Automated Testing through Continuous Integration • Automatically promote across environments BUILD DEPLOY MANAGE • Easily deploy new configurations in a matter of minutes. • Continuously verify and repair misconfigured systems
some code • Write and run more unit tests • Run some integration/acceptance tests • Code review • Delivery pipeline to production • Lowered chance of production failure Test-Driven Development Add a test Run the tests Make a little change Run the tests pass [development continues] fail fail pass pass [development stops]
time manual tests automated GUI tests integration tests unit tests quantity less time more time manual session based tests automated GUI tests automated API tests automated unit tests automated integration tests automated component tests Testing builds safety through feedback loops Inexpensive experiments to provide validation Reduces risk Optimize Testing: Do more of the inexpensive testing first!
{ should be_installed } end describe service 'httpd' do it { should be_running } it { should be_enabled } end describe port(80) do it { should be_listening } end Add a test Run the tests Make a little change Run the tests pass [development continues] fail fail pass pass [development stops]
:install end service 'httpd' do action [ :start, :enable ] end Add a test Run the tests Make a little change Run the tests pass [development continues] fail fail pass pass [development stops]
INFRASTRUCTURE AS CODE POLICY AS CODE PRACTICE AS CODE Separate certification & testing Common language for describing & applying policy Compliance at velocity Compliance at Velocity Manual Compliance Reactive engagement Proactive engagement Checking implementations by hand Expressing policy as testable code Short term compliance Long term process improvement One language, One workflow
| sed 's/Protocol //' 2 DOCUMENTATION SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. describe sshd_config do its('Protocol') { should eq 2 } end control 'ssh-1234' do impact 1.0 title 'Server: Set protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore... " describe sshd_config do its('Protocol') { should eq 2 } end end SCRIPTING TOOLS COMPLIANCE LANGUAGE COMPLIANCE LANGUAGE
1.0 title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled' desc ' @link: http://support.microsoft.com/en-us/kb/823659 ' describe registry_key ('HKLM\System\CurrentControlSet\Control\Lsa') do it { should exist } its('LmCompatibilityLevel') { should eq 4 } end end
a machine remotely via SSH > inspec exec test.rb -i identity.key -t ssh://[email protected] Test your machine locally > inspec exec test.rb -t winrm://[email protected] --password super Test Docker Container > inspec exec test.rb -t docker://5cc8837bb6a8 Test a machine remotely via WinRM No ruby/agent on the node No ruby/agent on the node no SSH/agent in the container
endpoints (e.g. cloud) InSpec Database Testing describe mysql_session.query("SELECT user,host FROM mysql.user WHERE host = '%'") do its(:stdout) { should be empty } end Cloud Provider Testing security_groups.each do |security_group| describe security_group do it { should_not have_inbound_rule().with_source('0.0.0.0/0') } end end ONE LANGUAGE
Build & Test Locally Build & Test CI/CD Remediate Verify A SIMPLE EXAMPLE OF AN INSPEC CIS RULE InSpec ▪ Translate compliance into Code ▪ Clearly express statements of policy ▪ Move risk to build/test from runtime ▪ Find issues early ▪ Write code quickly ▪ Run code anywhere ▪ Inspect machines, data, and APIs Turn security and compliance into code control ‘cis-1.4.1’ do title ‘1.4.1 Enable SELinux in /etc/grub.conf’ desc ‘ Do not disable SELinux and enforcing in your GRUB configuration. These are important security features that prevent attackers from escalating their access to your systems. For reference see … ‘ impact 1.0 expect(grub_conf.param ‘selinux’).to_not eq ‘0’ expect(grub_conf.param ‘enforcing’).to_not eq ‘0’ end
and compliance Workflow • Local development • Integration • Tooling (APIs & SDKs) COLLABORATE ▪ Package ▪ Test ▪ Approve BUILD ▪ Provision ▪ Configure ▪ Execute ▪ Update DEPLOY ▪ Secure ▪ Comply ▪ Audit ▪ Measure ▪ Log MANAGE “Continuous configuration automation tools (aka infrastructure as code) are foundational to DevOps initiatives. —Gartner, Inc. Market Guide for Continuous Configuration Automation Tools, Dec 2016 “ How..? CAN YOU DELIVER SOFTWARE AT SPEED FOR YOUR BUSINESS
outcomes to deliver software at speed Deployment frequency Time from commit to deploy Mean time to resolve Time deploying remediation Change failure rate SPEED Measure of rate of software change EFFICIENCY Measure of effectiveness of software change RISK Measure of quality of software change Compliance testing coverage Idea Ship
minutes with Chef Focus on Speed Measuring the rate of software change HIGH IT PERFORMERS MEDIUM IT PERFORMERS LOW IT PERFORMERS On-demand Week - Month Month – 6 Month < 1 Hour Week - Month Month - 6 month USE CASES INCLUDE: ▪ Application Delivery ▪ Build Pipelines DEPLOYMENT FREQUENCY TIME FROM COMMIT TO DEPLOY
on Efficiency Measuring the effectiveness of software change HIGH IT PERFORMERS MEDIUM IT PERFORMERS LOW IT PERFORMERS 0-15% 16-30% 31-45% < 1 Hour < 1 Day < 1 Day USE CASES INCLUDE: ▪ Configuration Management ▪ Server Drift CHANGE FAILURE RATE MEAN TIME TO RESOLVE
on Risk Measuring the quality of software change HIGH IT PERFORMERS MEDIUM IT PERFORMERS LOW IT PERFORMERS 95%+ 25%-95% 0-25% < 1 Hour Week - Month Month - 6 Months USE CASES INCLUDE: ▪ Compliance Automation ▪ Compliance Coverage COMPLIANCE TESTING COVERAGE TIME DEPLOYING REMEDIATION
tool. While Ohai’s primary purpose is setting up the context of a chef-client run by discovering and setting system attributes, it can be used in many custom applications. Chef-client includes Ohai data during every run. Chef can take action based on attributes detected and set by Ohai. Test-kitchen is a test harness tool to execute your configuration code on one or more platforms in isolation. It allows you to quickly model and test proposed changes on non-critical systems. All Chef cookbooks should be setup with test-kitchen verifications embedded in them. InSpec is a human- readable language for automated testing and compliance auditing of your entire infrastructure. These tests are useful for verifying that your servers and applications are configured correctly. InSpec tests are extensible with metadata that leverages the compliance features of Chef Automate to assist with continuous compliance reporting. Chef-client & Ohai Test-kitchen InSpec & Chef Automate Workflow • Local development • Integration • Tooling (APIs & SDKs) COLLABORATE ▪ Package ▪ Test BUILD Infrastructure Automation Compliance Automation Application Automation ▪ Secure ▪ Comply MANAGE OSS AUTOMATION ENGINES ▪ Provision ▪ Configure DEPLOY
nathenharvey
wa6sn
kenjikondobai
abemii
takumiogawa
isaoshimizu
salaboy
rrreeeyyy
oracle4engineer
yoshidashingo
sinsoku
iotengineer22
kidooonn
bkeepers
hatefulcrawdad
erikaheidi
eileencodes
jeffersonlam
chriscoyier
garrettdimon
csswizardry
pedronauck
jakevdp
moore
colly
