$> whoami
Christoph Hartmann
Engineering Manager at Chef
@chri_hartmann
chris-rock
[email protected]
Slide 3
WHAT IS CHEF?
Slide 4
DEVOPS AUTOMATION FROM
CONCEPTION TO PRODUCTION.
Slide 5
COMPETITIVE ADVANTAGE
BOOK: THE HIGH VELOCITY EDGE - STEVEN J. SPEAR
Slide 6
INFRASTRUCTURE & SECURITY TESTING
WITH INSPEC
Slide 7
SAFETY AT VELOCITY
Quality
Security
Slide 8
COMPLIANCE AS CODE.
Slide 9
DEV & OPS SET UP AN APP
Slide 10
SECURITY MEETS OPERATIONS
Slide 16
DOCUMENTATION
SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
COMPLIANCE LANGUAGE
describe sshd_config do
  its('Protocol') { should cmp 2 }
end
Slide 19
INSPEC
Slide 20
COMPLIANCE LANGUAGE
control 'ssh-1234' do
  impact 1.0
  title 'Server: Set protocol version to SSHv2'
  desc "
    Set the SSH protocol version to 2. Don't use legacy
    insecure SSHv1 connections anymore...
  "
  describe sshd_config do
    its('Protocol') { should eq('2') }
  end
end
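Added example, not code from the talk or from InSpec itself: a small pure-Ruby stand-in for the sshd_config resource that shows what the Protocol check on slides 16 and 20 actually evaluates, and why one slide can write `cmp 2` while the other writes `eq('2')` (InSpec's `cmp` compares loosely; it is approximated here). It assumes only the Ruby standard library, and the sample configs are constructed.

```ruby
# Added example: a pure-Ruby stand-in for InSpec's sshd_config resource
# (not the talk's or InSpec's own code), assuming only the standard library.

# Parse sshd_config text into a hash. sshd treats keywords case-insensitively
# and honours the first occurrence of a keyword, so the parser does the same;
# comments and blank lines are skipped. Both "Key value" and "Key=value" work.
def parse_sshd_config(text)
  config = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+|\s*=\s*/, 2)
    next if value.nil?
    key = key.downcase
    config[key] = value unless config.key?(key) # first match wins, as in sshd
  end
  config
end

# Approximation of InSpec's `cmp` matcher: an Integer expectation is matched
# against the numeric value of the string ('2' cmp 2 passes, '2,1' cmp 2 fails);
# string expectations compare case-insensitively. `eq('2')` is plain equality.
def cmp_match?(actual, expected)
  return false if actual.nil?
  if expected.is_a?(Integer)
    Integer(actual.to_s, 10) == expected
  else
    actual.to_s.downcase == expected.to_s.downcase
  end
rescue ArgumentError
  false
end

# The check from slides 16 and 20 reduced to a function: returns the observed
# Protocol value and the outcome under both matcher styles.
def check_ssh_protocol(text)
  protocol = parse_sshd_config(text)['protocol']
  { value: protocol, cmp_2: cmp_match?(protocol, 2), eq_2: protocol == '2' }
end

# Metadata of the slide's control, so a result carries id, impact and title.
SSH_1234 = { id: 'ssh-1234', impact: 1.0, title: 'Server: Set protocol version to SSHv2' }
def run_control(control, text)
  result = check_ssh_protocol(text)
  control.merge(status: result[:cmp_2] ? 'passed' : 'failed', observed: result[:value])
end

# Constructed sample configs, not taken from any real host.
LEGACY_CONFIG   = "# legacy host\nProtocol 2,1\nPort 22\n"
HARDENED_CONFIG = "Port 22\nprotocol=2\n"
```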
Slide 21
ONE LANGUAGE
Linux, Windows, BSD, Solaris, AIX, ...
Slide 22
WINDOWS
control 'windows-base-201' do
  impact 1.0
  title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
  desc '
    @link: http://support.microsoft.com/en-us/kb/823659
  '
  describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
    it { should exist }
    its('LmCompatibilityLevel') { should eq 4 }
  end
end
Slide 23
ONE LANGUAGE
Linux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
Slide 24
TEST YOUR LOCAL NODE
inspec exec test.rb
Slide 25
TEST REMOTE VIA SSH
inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
no Ruby / agent on the node
Slide 26
TEST REMOTE VIA WINRM
inspec exec test.rb -t winrm://[email protected] --password super
no Ruby / agent on the node
Slide 27
TEST DOCKER CONTAINER
inspec exec test.rb -t docker://3cc8837bb6a8
no SSH / agent on the container
Slide 28
ONE LANGUAGE
Linux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, DBs, Endpoints, APIs (AWS, Azure, ...)
Slide 29
DB TESTING
# mysql_session takes the DB user and password as arguments; the slide omits them,
# so placeholders are used here
describe mysql_session('<db-user>', '<db-password>').query("SELECT user, host FROM mysql.user WHERE host = '%'") do
  # no account may be allowed to log in from any host
  its('stdout') { should be_empty }
end
Slide 30
CLOUD TESTING
Vpc.new(id: 'my_vpc_id').security_groups.each do |security_group|
  describe security_group do
    it { should_not have_ingress_rule().with_source('0.0.0.0/0') }
  end
end
Slide 31
PROFILE FOUNDATION
Slide 32
MAKE ADJUSTMENTS
Slide 33
NATIVE INSPEC
include_control "cis/cis-centos6-lvl1" do
  skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_on_et
  skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_etcgru
  control "xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server" do
    impact 1.0
  end
end

control "my-own-1" ...