Compliance as Code: Velocity with Security - Fraser Pollock, Chef


Transcript of Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Page 1: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Compliance at Velocity
Fraser Pollock

Page 2: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Fraser Pollock

• Solutions Architect at Chef
• Spread the delightfulness of Chef
• https://www.linkedin.com/in/fraser-pollock-33974231
• [email protected]

Page 3: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

About CHEF

• Based in Seattle with offices in London, San Francisco
• Leader in infrastructure, compliance and application automation for DevOps
• 25+ million open source downloads, 1000+ customers, 70,000+ contributing Chefs
• > 70% of revenue from Global 2000

Page 4: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Pipeline: Dev → QA → Stage → Prod

Page 5: Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Page 6: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

SSH Control

SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.

Page 7: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Pipeline: Dev → QA → Stage → Prod

Page 8: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Pipeline: Dev → QA → Stage → Security Review → Prod

Page 9: Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Page 10: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Pipeline: Dev → QA → Stage → Prod

Page 11: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Pipeline: Dev → QA → Stage → Prod, with "Scanning" at every stage

Page 12: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

InSpec is compliance as code: a human-readable language for automating the continuous testing and compliance auditing of your entire infrastructure.

Page 13: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Mapping Compliance Document to InSpec

    control 'ssh-6.2.1' do
      title 'Set SSH Protocol to 2'
    end

Page 14: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Mapping Compliance Document to InSpec

    control 'ssh-6.2.1' do
      title 'Set SSH Protocol to 2'
      desc " SSH supports two different ... "
    end

Page 15: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Mapping Compliance Document to InSpec

    control 'ssh-6.2.1' do
      title 'Set SSH Protocol to 2'
      desc " SSH supports two different ... "

      describe sshd_config do
        its('Protocol') { should cmp('2') }
      end
    end

Page 16: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Mapping Compliance Document to InSpec

    control 'ssh-6.2.1' do
      impact 1.0
      title 'Set SSH Protocol to 2'
      desc " SSH supports two different ... "

      describe sshd_config do
        its('Protocol') { should cmp('2') }
      end
    end
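As an added example (not from the talk and not InSpec's own code), the plain Ruby below models what the control above actually evaluates: it parses sshd_config the way sshd reads it and applies the `Protocol` must compare equal to `"2"` rule, so the edge cases a reviewer cares about (a `2,1` value that still allows SSHv1, a commented-out directive, a lowercase first directive that wins over a later one) are visible. The sample configs are constructed, not captured from any host.

```ruby
# Added example (not from the talk and not InSpec's own code): a plain-Ruby
# model of what `its('Protocol') { should cmp('2') }` checks against sshd_config.
# Parse sshd_config text into a hash of lowercase directive => first value.
# Comments and blank lines are ignored, keys are case-insensitive, and for a
# repeated directive sshd uses the first value, so this parser does too.
def parse_sshd_config(text)
  conf = {}
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s*=\s*|\s+/, 2) # "Key value" or "Key=value"
    conf[key.downcase] ||= value.strip unless value.nil?
  end
  conf
end

# The ssh-6.2.1 check: the Protocol value must compare equal to "2". cmp is not
# a substring match, so "2,1" (SSHv1 still enabled) fails, and a missing
# directive fails because there is nothing to compare.
def protocol_v2_only?(conf)
  conf['protocol'].to_s.strip == '2'
end
Control = Struct.new(:id, :title, :impact, :check)
SSH_621 = Control.new('ssh-6.2.1', 'Set SSH Protocol to 2', 1.0,
                      ->(conf) { protocol_v2_only?(conf) })
# Run one control over a config text; the :line mirrors the slide's output.
def run_control(control, text)
  passed = control.check.call(parse_sshd_config(text))
  { id: control.id, passed: passed,
    line: "#{passed ? '✔' : '✖'} #{control.id}: #{control.title}" }
end

def profile_summary(results)
  ok = results.count { |r| r[:passed] }
  "Profile Summary: #{ok} successful, #{results.size - ok} failures, 0 skipped"
end

# Constructed sample configs (hypothetical, not captured from any real host).
SAMPLES = {
  'v2 only'          => "Port 22\nProtocol 2\nPermitRootLogin no\n",
  'v1 still enabled' => "Protocol 2,1\n",
  'commented out'    => "# Protocol 2\nPort 22\n",
  'first value wins' => "protocol 1\nProtocol 2\n"
}

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, text| puts "#{name.ljust(17)} #{run_control(SSH_621, text)[:line]}" }
  puts profile_summary(SAMPLES.values.map { |t| run_control(SSH_621, t) })
end
```

Only the `v2 only` sample passes; the other three show why a weaker check (a substring match, or ignoring case and directive order) would report a host compliant when SSHv1 is still reachable.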

Page 17: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Run Locally

$ inspec exec ssh-621.rb

✔ ssh-6.2.1: Set SSH Protocol to 2
   ✔ SSH Configuration Protocol should eq "2"

Profile Summary: 1 successful, 0 failures, 0 skipped

Page 18: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Run Remote via ssh

$ inspec exec ssh-621.rb -i my.pem -t ssh://someremotehost

✔ ssh-6.2.1: Set SSH Protocol to 2
   ✔ SSH Configuration Protocol should eq "2"

Profile Summary: 1 successful, 0 failures, 0 skipped

Page 19: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Run Remote via WinRM

$ inspec exec ssh-621.rb -t winrm://Admin@someremotehost

✔ ssh-6.2.1: Set SSH Protocol to 2
   ✔ SSH Configuration Protocol should eq "2"

Profile Summary: 1 successful, 0 failures, 0 skipped

Page 20: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Test a Docker Container

$ inspec exec ssh-621.rb -t docker://8eb7760bd9db

Target: docker://8eb7760bd9db046cfc826f36a6997b02a1cd884684870b78cede0ab03b62571a

✔ ssh-6.2.1: Set SSH Protocol to 2
   ✔ SSH Configuration Protocol should eq "2"

Profile Summary: 1 successful, 0 failures, 0 skipped

Page 21: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Stand Alone Usage

$ inspec exec test.rb
$ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
$ inspec exec test.rb -t winrm://[email protected] --password super
$ inspec exec test.rb -t docker://3cc8837bb6a8

    describe sshd_config do
      its('Protocol') { should cmp 2 }
    end

Page 22: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

InSpec

Windows Support
• Windows 2016 / Nano Support
• Windows-specific Resources
• PowerShell remoting protocol with NTLM support

Chef Ecosystem
• Included in ChefDK package
• Kitchen support
• audit cookbook

Mechanisms for Policy Definitions
• Profile Inheritance
• Attributes
• Custom Resources

Native Packages
• Windows
• macOS
• Redhat & Ubuntu

Patch Management
• windows-patch-benchmark (dev-sec.io)
• linux-patch-benchmark (dev-sec.io)

Remote and agent-based execution
• Custom sudo commands
• more ssh options

Page 23: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

InSpec Profiles

• Windows Patch Profile
• OS Hardening Profile
• SSH Hardening Profile
• Linux Patch Profile

Page 24: Compliance as Code: Velocity with Security - Fraser Pollock, Chef


Page 25: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

InSpec Profiles

    include_controls 'os-hardening' do
      skip_control 'os-06'

      control 'os-02' do
        impact 0.7
      end
    end

    include_controls 'ssh-hardening'

Page 26: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Demo
• Apply the compliance profile: https://github.com/nathenharvey/acme-inspec-profile/
• Remediate the issues with cookbooks from the Supermarket

Page 27: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

InSpec is compliance as code: a human-readable language for automating the continuous testing and compliance auditing of your entire infrastructure.

Page 28: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

InSpec: Turn security and compliance into code

• Translate compliance into Code
• Clearly express statements of policy
• Move risk to build/test from runtime
• Find issues early
• Write code quickly
• Run code anywhere
• Inspect machines, data and APIs

A simple example of an InSpec CIS rule

Part of a process of continuous compliance:
• Scan for Compliance
• Build & Test Locally
• Build & Test CI/CD
• Remediate
• Verify

Page 29: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Available Resources

apache, apache_conf, apt, audit_policy, auditd_conf, auditd_rules, bash, bond, bridge, command, csv, directory,
etc_group, file, gem, group, grub_conf, host, iis_site, inetd_conf, ini, interface, iptables, json,
kernel_module, kernel_parameter, limits_conf, login_def, mount, mssql_session, mysql, mysql_conf, mysql_session, npm, ntp_conf, oneget,
os, os_env, package, parse_config, passwd, pip, port, postgres, postgres_conf, postgres_session, powershell, processes,
registry_key, security_policy, service, shadow, ssh_conf, ssl, user, vbscript, windows_feature, wmi, xinetd, yaml, yum

Page 30: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Further Resources

inspec.io
• Hands on tutorials
• Extensive documentation
• Code examples

learn.chef.io
• More tutorials about Compliance and InSpec

Page 31: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Chef Automate

• Infrastructure Automation
• Application Automation
• Compliance Automation
• Workflow
• Visibility
• Compliance

Page 32: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Chef Automate

Page 33: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

AWS and Chef Better Together

AWS OpsWorks for Chef Automate gives all the features of Chef Automate and Chef server running on a single EC2 instance.

– Deploy in 10 minutes or less, directly from the AWS Console. All you need is an AWS account.
– Receive 30 nodes free per month to get you started, with additional usage billed by the hour, based on the number of nodes under management
– Take advantage of automatic backup/restore and software upgrades

Chef Server on AWS Marketplace AMI lets you automate your infrastructure, manage scale and complexity, and gain a deep understanding of your infrastructure.

– Allows you to manage upgrade and back-up strategy
– AMI is preconfigured with Chef server as well as Chef Analytics, the Chef management console, and Chef reporting

Page 34: Compliance as Code: Velocity with Security - Fraser Pollock, Chef

Chef & Alert Logic: Better Together

• Use Alert Logic's cloud-native vulnerability detection to find threats early and remediate with Chef
• Enhance InSpec with Vulnerability Assessment and Scanning from Alert Logic to ensure full coverage of your cloud applications
• Monitor intrusions with Alert Logic and close holes with Chef
• Use Chef to bake Alert Logic agents into your development pipeline and move faster with more confidence!

Page 35: Compliance as Code: Velocity with Security - Fraser Pollock, Chef