Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Transcript of Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance at Velocity
Fraser Pollock
• Solutions Architect at Chef
• Spread the delightfulness of Chef
• https://www.linkedin.com/in/fraser-pollock-33974231
About CHEF
• Based in Seattle with offices in London, San Francisco
• Leader in infrastructure, compliance and application automation for DevOps
• 25+ million open source downloads, 1000+ customers, 70,000+ contributing Chefs
• > 70% of revenue from Global 2000
Pipeline: Dev → QA → Stage → Prod
SSH Control
SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
Pipeline: Dev → QA → Stage → Security Review → Prod
"Scanning"
InSpec is compliance as code – a human-readable language for
automating the continuous testing and compliance auditing of your entire
infrastructure.
Mapping Compliance Document to InSpec (the control is built up step by step)

control 'ssh-6.2.1' do
  title 'Set SSH Protocol to 2'
end

control 'ssh-6.2.1' do
  title 'Set SSH Protocol to 2'
  desc "SSH supports two different ..."
end

control 'ssh-6.2.1' do
  title 'Set SSH Protocol to 2'
  desc "SSH supports two different ..."
  describe sshd_config do
    its('Protocol') { should cmp('2') }
  end
end

control 'ssh-6.2.1' do
  impact 1.0
  title 'Set SSH Protocol to 2'
  desc "SSH supports two different ..."
  describe sshd_config do
    its('Protocol') { should cmp('2') }
  end
end
Run Locally

$ inspec exec ssh-621.rb

✔  ssh-6.2.1: Set SSH Protocol to 2
   ✔  SSH Configuration Protocol should eq "2"

Profile Summary: 1 successful, 0 failures, 0 skipped
Run Remote via ssh

$ inspec exec ssh-621.rb -i my.pem -t ssh://someremotehost

✔  ssh-6.2.1: Set SSH Protocol to 2
   ✔  SSH Configuration Protocol should eq "2"

Profile Summary: 1 successful, 0 failures, 0 skipped
Run Remote via WinRM

$ inspec exec ssh-621.rb -t winrm://Admin@someremotehost

✔  ssh-6.2.1: Set SSH Protocol to 2
   ✔  SSH Configuration Protocol should eq "2"

Profile Summary: 1 successful, 0 failures, 0 skipped
Test a Docker Container

$ inspec exec ssh-621.rb -t docker://8eb7760bd9db

Target: docker://8eb7760bd9db046cfc826f36a6997b02a1cd884684870b78cede0ab03b62571a

✔  ssh-6.2.1: Set SSH Protocol to 2
   ✔  SSH Configuration Protocol should eq "2"

Profile Summary: 1 successful, 0 failures, 0 skipped
Stand Alone Usage

$ inspec exec test.rb
$ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
$ inspec exec test.rb -t winrm://[email protected] --password super
$ inspec exec test.rb -t docker://3cc8837bb6a8

describe sshd_config do
  its('Protocol') { should cmp 2 }
end
InSpec
Windows Support
• Windows 2016 / Nano Support
• Windows-specific Resources
• PowerShell remoting protocol with NTLM support
Chef Ecosystem
• Included in ChefDK package
• Kitchen support
• audit cookbook
Mechanisms for Policy Definitions
• Profile Inheritance
• Attributes
• Custom Resources
Native Packages
• Windows
• macOS
• Redhat & Ubuntu
Patch Management
• windows-patch-benchmark (dev-sec.io)
• linux-patch-benchmark (dev-sec.io)
Remote and agent-based execution
• Custom sudo commands
• more ssh options
InSpec Profiles
• Windows Patch Profile
• OS Hardening Profile
• SSH Hardening Profile
• Linux Patch Profile
InSpec Profiles

include_controls 'os-hardening' do
  skip_control 'os-06'
  control 'os-02' do
    impact 0.7
  end
end

include_controls 'ssh-hardening'
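To make the 'ssh-6.2.1' control slides and this profile-inheritance slide concrete, here is an added Ruby example (not from the deck and not InSpec's own code) that re-implements, stand-alone, what the control checks and what include_controls / skip_control / an impact override do to a parent profile's controls. The sshd_config parser, the control hash layout and the include_controls helper are assumptions of this example, and the sshd_config samples are constructed.

```ruby
# Added example: stand-alone stand-in for the 'ssh-6.2.1' control and the
# include_controls slide. Not InSpec's implementation; parser and helpers assumed.

# Parse sshd_config text into a hash. sshd keeps the FIRST value of a keyword
# and matches keywords case-insensitively; comments and blank lines are skipped.
def parse_sshd_config(text)
  conf = {}
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    next if value.nil?
    key = key.downcase
    conf[key] = value.strip unless conf.key?(key)
  end
  conf
end

# The control from the slides as data: id, impact, title and the check that
# `its('Protocol') { should cmp('2') }` expresses.
SSH_621 = {
  id: 'ssh-6.2.1', impact: 1.0, title: 'Set SSH Protocol to 2',
  check: ->(conf) { conf['protocol'] == '2' }
}

# Run controls against a parsed config; returns per-control results and a
# summary line in the spirit of InSpec's "Profile Summary".
def run_controls(controls, conf)
  results = controls.map do |c|
    { id: c[:id], impact: c[:impact], passed: c[:check].call(conf) }
  end
  passed = results.count { |r| r[:passed] }
  { results: results,
    summary: "Profile Summary: #{passed} successful, #{results.size - passed} failures, 0 skipped" }
end

# Profile inheritance: take a parent profile's controls, drop the ids named in
# skip (skip_control) and override impacts (control 'x' do impact 0.7 end).
def include_controls(parent, skip: [], impact: {})
  parent.reject { |c| skip.include?(c[:id]) }
        .map { |c| impact.key?(c[:id]) ? c.merge(impact: impact[c[:id]]) : c }
end

# Constructed sample configs (not captured from any real host).
GOOD_CONF = "# hardened host\nPort 22\nProtocol 2\n"
BAD_CONF  = "Protocol 2,1\nProtocol 2   # ignored: sshd keeps the first value\n"

puts run_controls([SSH_621], parse_sshd_config(GOOD_CONF))[:summary]
puts run_controls([SSH_621], parse_sshd_config(BAD_CONF))[:summary]
```

The second sample shows why the first-occurrence rule matters: a later "Protocol 2" line does not rescue a host whose effective setting is "2,1".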
Demo
• Apply the compliance profile - https://github.com/nathenharvey/acme-inspec-profile/
• Remediate the issues with cookbooks from the Supermarket
InSpec: Turn security and compliance into code
• Translate compliance into Code
• Clearly express statements of policy
• Move risk to build/test from runtime
• Find issues early
• Write code quickly
• Run code anywhere
• Inspect machines, data and APIs
A simple example of an InSpec CIS rule
Part of a process of continuous compliance
Scan for Compliance → Build & Test Locally → Build & Test CI/CD → Remediate → Verify
Available Resources
apache, apache_conf, apt, audit_policy, auditd_conf, auditd_rules, bash, bond, bridge, command, csv, directory,
etc_group, file, gem, group, grub_conf, host, iis_site, inetd_conf, ini, interface, iptables, json,
kernel_module, kernel_parameter, limits_conf, login_def, mount, mssql_session, mysql, mysql_conf, mysql_session, npm, ntp_conf, oneget,
os, os_env, package, parse_config, passwd, pip, port, postgres, postgres_conf, postgres_session, powershell, processes,
registry_key, security_policy, service, shadow, ssh_conf, ssl, user, vbscript, windows_feature, wmi, xinetd, yaml, yum
Further Resources
inspec.io
• Hands on tutorials
• Extensive documentation
• Code examples
learn.chef.io
• More tutorials about Compliance and InSpec
Chef Automate
• Infrastructure Automation
• Application Automation
• Compliance Automation
• Workflow
• Visibility
• Compliance
AWS and Chef Better Together
AWS OpsWorks for Chef Automate gives all the features of Chef Automate and Chef server running on a single EC2 instance.
– Deploy in 10 minutes or less, directly from the AWS Console. All you need is an AWS account.
– Receive 30 nodes free per month to get you started with additional usage billed by the hour, based on the number of nodes under management
– Take advantage of automatic backup/restore and software upgrades
Chef Server on AWS Marketplace AMI lets you automate your infrastructure, manage scale and complexity, and gain a deep understanding of your infrastructure.
– Allows you to manage upgrade and back-up strategy
– AMI is preconfigured with Chef server as well as Chef Analytics, the Chef management console, and Chef reporting
Chef & Alert Logic – Better Together
• Use Alert Logic’s cloud-native vulnerability detection to find threats early and remediate with Chef
• Enhance InSpec with Vulnerability Assessment and Scanning from Alert Logic to ensure full coverage of your cloud applications
• Monitor intrusions with Alert Logic and close holes with Chef
• Use Chef to bake Alert Logic agents into your development pipeline and move faster with more confidence!