Automating Compliance with InSpec - AWS North Sydney
Transcript of Automating Compliance with InSpec - AWS North Sydney
Automating Compliance with InSpec
North Sydney AWS Meetup
August 23 2017
Matt Ray
Manager, Solutions Architect – APJ, Chef
[email protected]
@mattray
Chef Workflow
SSH Control
"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
How will I verify this?
Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
Apache Server Information Leakage
• Description
This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server.
This allows attackers to identify web server details and greatly increases the efficiency of any attack, as security vulnerabilities are dependent upon specific software versions.
• How to Test
In order to test for the ServerTokens configuration, one should check the Apache configuration file.
• Misconfiguration
ServerTokens Full
• Remediation
Configure the ServerTokens directive in the Apache configuration to a value of Prod or ProductOnly. This tells Apache to return only "Apache" in the Server header, which is returned on every page request.
ServerTokens Prod
or
ServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache
More grep and sed!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
Compliance
Two-thirds of organizations did not adequately test the security of all in-scope systems
Key Trends
• While individual rule compliance is up, testing of security systems is down
• Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
Security != Compliance
Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
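As an added example (not code from the slides, the InSpec project, or the speaker), here are the two checks behind those one-liners written as plain Ruby so they run with nothing but a Ruby interpreter. It shows the behaviour the grep/sed approach gets wrong: a lowercase `protocol 2,1` is missed by `grep "^Protocol"`, a missing `ServerTokens` directive prints nothing even though Apache's default is `Full`, and a `Protocol 2,1` value passes a naive "contains 2" test. The config text is constructed for the example; the function and constant names are mine.

```ruby
# Added example, not code from the slides or from the InSpec project: the two
# controls above (SSH Protocol, Apache ServerTokens) written as plain Ruby so
# they run without InSpec. The point is to parse the directive rather than
# grep for it, which is what InSpec's sshd_config and apache_conf resources do.
# All config text below is constructed for this example.

# Parse "Directive value" lines from an sshd_config/httpd.conf style file.
# Returns { lowercased directive name => last value seen }. Both formats treat
# directive names case-insensitively and only honour a '#' at line start as a
# comment, so "protocol 2,1" is picked up and "# ServerTokens Prod" is not.
def parse_directives(text)
  text.each_line.with_object({}) do |line, directives|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    name, value = line.split(/\s+/, 2)
    directives[name.downcase] = value.to_s.strip # later occurrence wins
  end
end

# Control 1: SSHv1 must not be offered. Only "Protocol 2" passes; "2,1" and "1"
# fail. When the directive is absent the effective value is the OpenSSH build
# default, so report it for review instead of passing silently (the grep
# one-liner prints nothing at all in that case).
def ssh_protocol_check(sshd_config_text)
  value = parse_directives(sshd_config_text)['protocol']
  if value.nil?
    { status: :review, reason: 'Protocol not set; effective value is the OpenSSH default' }
  elsif value.split(',').map(&:strip) == ['2']
    { status: :pass, reason: "Protocol #{value}" }
  else
    { status: :fail, reason: "Protocol #{value} still offers SSHv1" }
  end
end

# Control 2: ServerTokens must be Prod (ProductOnly is the same setting).
# Apache's default when the directive is absent is Full, so a missing
# directive is a FAIL, which a bare grep for "^ServerTokens" cannot report.
def apache_server_tokens_check(httpd_conf_text)
  value = parse_directives(httpd_conf_text)['servertokens'] || 'Full'
  if %w[prod productonly].include?(value.downcase)
    { status: :pass, reason: "ServerTokens #{value}" }
  else
    { status: :fail, reason: "ServerTokens #{value} exposes server details" }
  end
end

# Constructed sample configs: a weak and a corrected version of each.
WEAK_SSHD_CONFIG = <<~CONF
  # legacy host still offering SSHv1 for an old appliance
  Port 22
  protocol 2,1
  PermitRootLogin no
CONF

HARDENED_SSHD_CONFIG = <<~CONF
  Port 22
  Protocol 2
  PermitRootLogin no
CONF

WEAK_HTTPD_CONF = <<~CONF
  ServerRoot "/etc/httpd"
  Listen 80
  # ServerTokens Prod
CONF

HARDENED_HTTPD_CONF = <<~CONF
  ServerRoot "/etc/httpd"
  Listen 80
  ServerTokens Prod
  ServerSignature Off
CONF

# Run every control against each named target and return the results as a
# flat list, the shape a reporter would consume.
def run_controls(targets)
  targets.flat_map do |name, (sshd, httpd)|
    [
      { target: name, control: 'ssh-protocol' }.merge(ssh_protocol_check(sshd)),
      { target: name, control: 'apache-servertokens' }.merge(apache_server_tokens_check(httpd))
    ]
  end
end

if __FILE__ == $PROGRAM_NAME
  results = run_controls('weak' => [WEAK_SSHD_CONFIG, WEAK_HTTPD_CONF],
                         'hardened' => [HARDENED_SSHD_CONFIG, HARDENED_HTTPD_CONF])
  results.each do |r|
    puts format('%-9s %-20s %-7s %s', r[:target], r[:control], r[:status].to_s.upcase, r[:reason])
  end
end
```

In an InSpec profile the same two rules collapse to a `describe sshd_config` block asserting `its('Protocol') { should cmp 2 }` and a `describe apache_conf` block asserting `its('ServerTokens') { should cmp 'Prod' }`; both resources appear in the "Examples of Available Resources" list later in the deck, and the parsing and default handling above is what those resources do for you.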
Infrastructure Code
package 'httpd' do
  action :install
end

service 'httpd' do
  action [:start, :enable]
end
We Have A Communications Problem
Compliance Language
One Language: Linux, Windows
Windows
One Language: Linux, Windows, BSD, Solaris, AIX, HP-UX, ...
Examples of Available Resources
apache_conf
apt
audit_policy
auditd_conf
auditd_rules
bond
bridge
command
crontab
directory
etc_group
file
gem
group
host
inetd_conf
interface
iptables
kernel_module
kernel_parameter
limits_conf
login_defs
mount
mysql_conf
mysql_session
npm
ntp_conf
oneget
os
os_env
package
parse_config
parse_config_file
passwd
pip
port
postgres_conf
postgres_session
powershell
processes
registry_key
security_policy
service
ssh_config
sshd_config
user
windows_feature
yum
What is it not?
• IDS / IPS
• Firewall
• Antivirus
• Pentesting tool
One Language: Linux, Windows, BSD, Solaris, AIX, HP-UX, ...
Bare-metal, VMs, Containers
Nodes, Databases
DB Testing
One Language: Linux, Windows, BSD, Solaris, AIX, HP-UX, ...
Bare-metal, VMs, Containers
Nodes, Databases, APIs
Cloud Testing
InSpec
Test your machine locally
> inspec exec test.rb
Test a machine remotely via SSH
> inspec exec test.rb -i identity.key -t ssh://[email protected]
Test a machine remotely via WinRM
> inspec exec test.rb -t winrm://[email protected] --password super
Test a Docker container
> inspec exec test.rb -t docker://5cc8837bb6a8
AGENTLESS
Operating System & Application Coverage
• Microsoft Windows
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux Enterprise Server
• Oracle Enterprise Linux
• AIX
• HP-UX
• Solaris
• VMware ESXi
• MySQL
• Oracle
• PostgreSQL
• Tomcat
• SQL Server
• IIS
• HTTP request
One Language: Linux, Windows, BSD, Solaris, AIX, HP-UX, ...
Bare-metal, VMs, Containers
Nodes, Databases, APIs, Cloud Platforms, ...
InSpec-AWS
• https://github.com/chef/inspec-aws
aws_ec2
aws_iam_access_key
aws_iam_password_policy
aws_iam_root_user
aws_iam_user
aws_iam_users
Open Source Community
• https://inspec.io
• https://github.com/chef/inspec
• https://supermarket.chef.io
• https://learn.chef.io
• #inspec in https://chefcommunity.slack.com
InSpec Demo
https://github.com/mattray/inspec-workshop
Continuous Workflow
Detect
Correct
The Chef Automate Platform
Continuous Automation for High Velocity IT
Workflow • Local development • Integration • Tooling (APIs & SDKs)
COLLABORATE
▪ Package ▪ Test ▪ Approve
BUILD
▪ Provision ▪ Configure ▪ Execute ▪ Update
DEPLOY
▪ Secure ▪ Comply ▪ Audit ▪ Measure ▪ Log
MANAGE
Infrastructure Automation • Compliance Automation • Application Automation
OSS AUTOMATION ENGINES
Increase Speed
▪ Package infrastructure and app configuration as code
▪ Continuously automate infrastructure and app updates
Improve Efficiency
▪ Define and execute standard workflows and automation
▪ Audit and measure effectiveness of automation
Decrease Risk
▪ Define compliance rules as code
▪ Deliver continuous compliance as part of standard workflow
AWS OpsWorks for Chef Automate
Native Amazon Service
Managed Chef Server
▪ Utilizes RDS and other native services
▪ May be externally accessible
AWS Native
▪ Auto Scaling in your VPC
▪ Automatic backups and upgrades
OpsWorks Stacks
▪ New name for previous version of OpsWorks
● Partnership between Amazon and Chef, jointly developed and maintained
● Fully managed AWS service with frequent updates
● Fully compatible with open source Chef
● Amazon is your support and billing
● All Chef Automate features will be supported
○ Visibility and Workflow today
○ Compliance soon
○ Currently Northern Virginia, Oregon & Ireland with more planned
Dig into the new way of learning about Chef, Automation, and DevOps.
Self-paced training on Linux and Windows and much more!
learn.chef.io