building security into your workflow with inspec
TRANSCRIPT
Page 1
Building Security into Your Workflow with InSpec
Mandi Walls | [email protected] | Velocity Europe 2016
Page 2
HI!
• Mandi Walls
• Technical Community Manager for Chef
• [email protected]
• @lnxchk
Page 3
Who Is Chef
• Configuration Management, System Automation
• Based in Seattle, USA with offices in San Francisco, London, and Berlin
Page 4
EVERY business is a software business
We’re going to be a software company with airplanes.
– CIO, Alaska Airlines
Page 6
Motivation
Page 7
Dev  QA  Stage  Security Review  Prod
Page 8
Product Ideas and Features
Security Review
Production
Page 9
Dev  QA  Stage  Prod
Page 10
Dev  QA  Stage  Prod
"Scanning"
Afterthought Scanning
Too Late!
Page 11
http://mspmentor.net/msp-mentor/botched-server-install-results-214-million-hipaa-breach-fine
Page 12
What We Have Here Is A Communications Problem
Page 14
https://www.flickr.com/photos/hndrk/1148504768/in/dateposted/
Page 15
What Is InSpec
Page 16
InSpec
• Human-readable specification language for tests related to security and compliance
• Includes facilities for creating, sharing, and reusing profiles
• Extensible language so you can build your own rules for your applications and systems
• Command-line tools for plugging into your existing workflows / build servers
• Integrates with Test Kitchen for fast-feedback local testing by developers
Page 17
SSH Example
• From your security team:
SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. All systems must use SSHv2 instead to avoid these issues.
Page 18
Remediation
• Identify the file and file location to check your systems
• Figure out some sort of incantation
  Do we check it first or just push a new one everywhere?
• What’s the plan for the currently used images?
  Rebuild? Remediate at instantiation?
• You’re likely using a configuration management solution for these types of changes?
Page 19
Lifecycle
• When you get a mandate from security, how often is it checked?
• Single big scan, report mailed out with a “due date”?
• Yearly or twice-yearly massive scans with remediation firedrills?
Page 20
Using InSpec
Now Version 1.0!
Page 22
Check that sshd_config

    # impact, title and desc belong to a control block; the describe
    # block inside it holds the actual check against the sshd_config resource
    control 'sshd-protocol-2' do   # control ID is a placeholder, not from the slide
      impact 1.0
      title 'SSH Version 2'
      desc <<-EOF
        SSH supports two different protocol versions. The original version,
        SSHv1, was subject to a number of security issues. Please use SSHv2
        instead to avoid these.
      EOF
      describe sshd_config do
        its('Protocol') { should cmp 2 }
      end
    end
Page 23
Resources
• InSpec includes built-in resources for common services, system files, and configurations: ssh_config, sshd_config, gem, bash, ntp_conf, pip, powershell, npm, yum, auditd, etc files, …. See http://inspec.io/docs/reference/resources/ for the current list!
• Built-in resources work on several Linux platforms. There are also Windows-specific ones.
• A resource has characteristics that can be verified against your requirements, and matchers that work with those characteristics
Page 24
(the sshd_config control from Page 22, shown again)
Page 25
• Resources take the “grep for x” out of the testing phase
• Parsers included in the InSpec software do the work for you
• It’s built on the premises of RSpec, and meant to be human readable
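To make the "parsers do the work for you" point concrete, here is an added example (plain Ruby, not InSpec's own sshd_config resource) of what a resource does underneath the Page 22 control: it parses sshd_config text the way sshd reads it (comment lines skipped, keywords case-insensitive, "Key value" or "Key=value") and then answers the single question the control asks, whether Protocol is exactly 2. The function names and the two sample config files are this example's own constructions.

```ruby
# Added example, not InSpec's own sshd_config resource: a minimal parser that
# does for sshd_config what a built-in resource does, so a check reads
# "Protocol should be 2" instead of "grep -i ^protocol /etc/ssh/sshd_config".

# Parse sshd_config text into a Hash of setting name => value.
# sshd treats keywords case-insensitively, so keys are lower-cased.
# Lines starting with '#' and empty lines are comments; both "Key value"
# and "Key=value" forms are accepted. A keyword that appears more than
# once keeps all of its values in an Array (conditional Match blocks are
# not modelled; every line is read as a top-level setting).
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    next if key.nil? || value.nil?
    key = key.downcase
    settings[key] = settings.key?(key) ? Array(settings[key]) << value : value
  end
  settings
end

# Mirror of the slide's control: passes only when Protocol is exactly "2".
# A missing keyword or a value such as "2,1" (SSHv1 still offered) fails.
def check_protocol_v2(text)
  found = parse_sshd_config(text)['protocol']
  { passed: found == '2', found: found }
end

# Constructed sample files (not taken from any real host).
GOOD_SSHD_CONFIG = <<~CONF
  # SSHv2 only
  Port 22
  Protocol 2
  PermitRootLogin no
CONF

BAD_SSHD_CONFIG = <<~CONF
  # still negotiates SSHv1; note the mixed-case keyword
  Port 22
  protocol 2,1
CONF

if __FILE__ == $PROGRAM_NAME
  { 'good' => GOOD_SSHD_CONFIG, 'bad' => BAD_SSHD_CONFIG }.each do |label, conf|
    result = check_protocol_v2(conf)
    puts "#{label}: Protocol=#{result[:found].inspect} -> #{result[:passed] ? 'PASS' : 'FAIL'}"
  end
end
```

The check deliberately compares against the exact string "2": a value of "2,1" still offers SSHv1 to clients and must fail, and a file with no Protocol line reports nil rather than silently passing, which is also how the `cmp 2` matcher on the slide behaves.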
Page 26
its.... should...
• it { should exist }
• it { should be_installed }
• it { should be_enabled }
• its('max_log_file') { should cmp 6 }
• its('exit_status') { should eq 0 }
• its('gid') { should eq 0 }
Page 27
More Complex Built Ins
• Example: limits.conf

    grantmc hard nofile 63536
    ^^^^^^^ ^^^^ ^^^^^^ ^^^^^
    domain  type item   value

• Match on the categories
• its('domain') { should eq ['type', 'item', 'value'] }
• its('ftp') { should eq ['hard', 'nproc', '0'] }
Page 28
Run It
• InSpec is command line
  Installs as a Ruby gem or as part of the ChefDK
• Can be run locally, to test the machine it is executing on
• Or remotely
  InSpec will log into the target and run the tests for you
Page 29
Test Any Target

    inspec exec test.rb
    inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://[email protected]
    inspec exec test.rb -t winrm://[email protected] --password super
    inspec exec test.rb -t docker://3dda08e75838
Page 30
Failures
• InSpec runs with failed tests return a non-zero return code

    Profile Summary: 0 successful, 1 failures, 0 skipped
    [chef@ip-172-31-29-25 ~]$ echo $?
    1
    [chef@ip-172-31-29-25 ~]$

• Passing tests have a 0 return code

    Profile Summary: 1 successful, 0 failures, 0 skipped
    [chef@ip-172-31-29-25 ~]$ echo $?
    0
    [chef@ip-172-31-29-25 ~]$
Page 31
Test Kitchen
• InSpec also runs as an included tester in TK
Page 32
Including Profiles
Page 33
Profiles
• InSpec profiles allow you to package and share sets of InSpec tests for your organization or for a specific application set
• Each profile can have multiple test files included
• The test files generally test for one required outcome, but can look at different objects to meet requirements
• Middleware profile
  java.rb – test versions, locations, included libraries
  ports.rb – verify listening ports are correct
  services.rb – look for service accounts, started / stopped, logs, etc
• Flexible!
Page 34
Profiles

    $ inspec init profile companyprofile_01
    Create new profile at /home/chef/companyprofile_01
     * Create directory libraries
     * Create directory controls
     * Create file controls/example.rb
     * Create file inspec.yml
     * Create file README.md

Add more InSpec test files to the controls directory
Page 35
Profile Commands

    inspec check companyprofile_01/
    inspec exec companyprofile_01/
Page 36
Extending InSpec
Page 37
Custom Resources Travel In Profiles
• In the libraries folder
• Regular Ruby classes that inherit from the Inspec.resource class
• These classes handle how InSpec reads the file and compiles information
  Can be complicated, full of matchers and parsers
• Build for what you need
  COTS configurations
  Home-grown configurations
  Connections to / configs for backend services
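The parsing half of such a custom resource, as an added example that is neither InSpec's built-in limits_conf resource nor code from the deck: it reads the limits.conf format from Page 27 (domain, type, item, value per line) and exposes lookups shaped like the slide's `its('ftp') { should eq ['hard', 'nproc', '0'] }` check. It is written as a plain Ruby class so it runs without InSpec; inside a profile the same logic would live in the libraries folder and be declared as a subclass of Inspec.resource(1). The class name, method names and the sample file are this example's own choices.

```ruby
# Added example, not InSpec's built-in limits_conf resource: the parsing half of
# a custom resource for the limits.conf format shown on the slide, written as a
# plain Ruby class so it runs without InSpec. Inside a profile the same logic
# would live in libraries/ and be declared as a subclass of Inspec.resource(1)
# (InSpec's custom-resource convention); the class name and methods here are
# this example's own choices.
class LimitsConfParser
  # One line of limits.conf: "<domain> <type> <item> <value>"
  Entry = Struct.new(:domain, :type, :item, :value)

  attr_reader :entries

  def initialize(text)
    @entries = []
    text.each_line do |raw|
      line = raw.sub(/#.*/, '').strip      # '#' starts a comment
      next if line.empty?
      fields = line.split(/\s+/)
      next unless fields.size == 4         # skip malformed lines instead of crashing the check
      @entries << Entry.new(*fields)
    end
  end

  # Every [type, item, value] triple for a domain, in file order, so a check can
  # say `limits['ftp']` and compare against [['hard', 'nproc', '0']].
  # Unknown domains give an empty Array, which any "should eq" comparison fails.
  def [](domain)
    entries.select { |e| e.domain == domain }.map { |e| [e.type, e.item, e.value] }
  end

  # The single value for one (domain, type, item) setting, or nil when unset.
  def limit(domain, type, item)
    entry = entries.find { |e| e.domain == domain && e.type == type && e.item == item }
    entry && entry.value
  end

  def domains
    entries.map(&:domain).uniq
  end
end

# Constructed sample in /etc/security/limits.conf format (not a real host's file).
LIMITS_CONF_SAMPLE = <<~CONF
  #<domain>  <type>  <item>  <value>
  grantmc    hard    nofile  63536
  ftp        hard    nproc   0
  @students  soft    nproc   20
  @students  hard    nproc   50   # two lines for one domain
  this line is malformed and is skipped
CONF

if __FILE__ == $PROGRAM_NAME
  limits = LimitsConfParser.new(LIMITS_CONF_SAMPLE)
  # the slide's check: its('ftp') { should eq ['hard', 'nproc', '0'] }
  ftp_ok = limits['ftp'] == [['hard', 'nproc', '0']]
  puts "ftp nproc limit #{ftp_ok ? 'matches' : 'does not match'} policy"
  puts "@students hard nproc = #{limits.limit('@students', 'hard', 'nproc').inspect}"
end
```

Two design points carry over to a real resource: a domain that appears on several lines returns every triple rather than the first one, so a check cannot be satisfied by an early line while a later one loosens the limit, and malformed lines are skipped rather than raising, so one bad line does not turn a whole profile run into an error instead of a clear pass or fail.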
Page 38
Over Time
Build a Comprehensive Set of Checks for Your Systems
Run Them Every Time Someone Needs to Make a Change
Make it EASY for Everyone to Use
Page 39
Resources
• https://inspec.io
• https://github.com/chef-training/workshops/
• http://www.anniehedgie.com/inspec-basics-1