compliance as code with inspec - devops melbourne 2017

Compliance as CodeDevOps Melbourne

March 28, 2017

Chef Workflow

SSH Control

"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."

How will I verify this?

Whip up a one-liner!

grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'

Apache Server Information Leakage

• Description

This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.

This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions.

• How to Test

In order to test for ServerToken configuration, one should check the Apache configuration file.

• Misconfiguration

ServerTokens Full

• Remediation

Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.

ServerTokens ProdorServerTokens ProductOnly

https://www.owasp.org/index.php/SCG_WS_Apache

More grep and sed!

grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

Compliance

Two-thirds of organizations did not adequately test the security of all in-scope systems

Key Trends

• While individual rule compliance is up, testing of security systems is down

• Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.

Shell Scripts

grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

Infrastructure Code

package 'httpd' doaction :install

end

service 'httpd' doaction [ :start, :enable ]

end

We Have A Communications Problem

Security != Compliance

Secure

Compliant

Compliance Language

One LanguageLinux

One LanguageLinux, Windows

Windows

One LanguageLinux, Windows, BSD, Solaris, AIX, ...

Examples of Available Resourcesapache_conf

apt

audit_policy

auditd_conf

auditd_rules

bond

bridge

Command

crontab

directory

etc_group

file

gem

group

host

inetd_conf

interface

iptables

kernel_module

kernel_parameter

limits_conf

login_defs

mount

mysql_conf

mysql_session

npm

ntp_conf

oneget

os

os_env

package

parse_config

parse_config_file

passwd

pip

port

postgres_conf

postgres_session

powershell

processes

registry_key

security_policy

service

ssh_config

sshd_config

user

windows_feature

yum

What is it not?

• IDS / IPS• Firewall• Antivirus• Pentesting tool

One LanguageLinux, Windows, BSD, Solaris, AIX, ...

Bare-metal

One LanguageLinux, Windows, BSD, Solaris, AIX, ...

Bare-metal, VMs

One LanguageLinux, Windows, BSD, Solaris, AIX, ...

Bare-metal, VMs, Containers

One LanguageLinux, Windows, BSD, Solaris, AIX, ...

Bare-metal, VMs, Containers

Nodes

One LanguageLinux, Windows, BSD, Solaris, AIX, ...

Bare-metal, VMs, Containers

Nodes, GRUB, DBs

DB Testing

One LanguageLinux, Windows, BSD, Solaris, AIX, ...

Bare-metal, VMs, Containers

Nodes, GRUB, DBs, Endpoints, APIs, ...

Cloud Testing

InSpec

> inspec exec test.rb

Test a machine remotely via SSH

> inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1

Test your machine locally

> inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super

Test Docker Container

> inspec exec test.rb -t docker://5cc8837bb6a8

Test a machine remotely via WinRM AG

EN

TL

ESS

Operating System & Application Coverage

• Microsoft Windows• Microsoft Windows Server• Red Hat Enterprise Linux• Ubuntu Linux• SUSE Linux Enterprise Server• Oracle Enterprise Linux• AIX• HP-UX• Solaris

• VMware ESXi• MySQL• Oracle • PostgreSQL• Tomcat• SQL Server• IIS• HTTP request

Scan for Compliance

Build & Test Locally

Build & Test CI/CD Remediate Verify

New Workflow

Detect Correct

Continuous Workflow

CONTINUOUS COMPLIANCE AUTOMATION

InSpec - Part of your InfoSec toolchain

FIREWALL ANTIVIRUS

INTRUSION DETECTION/PREVENTION

PENETRATIONTESTING

Open Source Community

•InSpec•https://inspec.io•Chef Audit cookbook•https://github.com/chef-cookbooks/audit•Kitchen-InSpec•https://github.com/chef/kitchen-inspec•Supermarket.chef.io

The Chef Automate PlatformContinuous Automation for High Velocity IT

Workflow • Local development • Integration • Tooling (APIs & SDKs)

COLLABORATE

▪ Package▪ Test▪ Approve

BUILD▪ Provision▪ Configure▪ Execute▪ Update

DEPLOY▪ Secure▪ Comply▪ Audit▪ Measure▪ Log

MANAGE

Infrastructure Automation Compliance AutomationApplication Automation

OSS AUTOMATION ENGINES

Increase Speed

▪ Package infrastructure and app configuration as code

▪ Continuously automate infrastructure and app updates

Improve Efficiency

▪ Define and execute standard workflows and automation

▪ Audit and measure effectiveness of automation

Decrease Risk

▪ Define compliance rules as code

▪ Deliver continuous compliance as part of standard workflow