Transcript
Page 1: InSpec For DevOpsDays Amsterdam 2017

Building Security Into Your Workflow with InSpec

Mandi Walls | [email protected]

Page 2: InSpec For DevOpsDays Amsterdam 2017

HI!

• Mandi Walls

• Technical Community Manager for Chef

[email protected]

• @lnxchk

• Adam Leff – Community Lead for Inspec @adamleff

Page 3: InSpec For DevOpsDays Amsterdam 2017

Who Is Chef

• Configuration Management, System Automation

• Based in Seattle, USA with offices in San Francisco, London,

and Berlin

Page 4: InSpec For DevOpsDays Amsterdam 2017

EVERY business is a software business

We’re going to be a software

company with airplanes.– CIO, Alaska Airlines

Page 5: InSpec For DevOpsDays Amsterdam 2017
Page 6: InSpec For DevOpsDays Amsterdam 2017

Motivation

Page 7: InSpec For DevOpsDays Amsterdam 2017
Page 8: InSpec For DevOpsDays Amsterdam 2017

Product Ideas and Features

Security Review

Production

Page 9: InSpec For DevOpsDays Amsterdam 2017
Page 10: InSpec For DevOpsDays Amsterdam 2017

Afterthought Scanning

Page 11: InSpec For DevOpsDays Amsterdam 2017

http://mspmentor.net/msp-mentor/botched-server-install-results-214-million-hipaa-breach-fine

Page 12: InSpec For DevOpsDays Amsterdam 2017

https://www.darkreading.com/attacks-breaches/wannacry-forces-honda-to-take-production-plant-offline-/d/d-id/1329192

Page 13: InSpec For DevOpsDays Amsterdam 2017

Integrate with Test Kitchen

suites:

- name: default

run_list:

- recipe[dodams::default]

verifier:

inspec_tests:

- test/smoke/default

- supermarket://adamleff/wannacry-exploit

attributes:

Page 14: InSpec For DevOpsDays Amsterdam 2017

hotfixes = %w{ KB4012212 KB4012213 KB4012214 KB4012215 KB4012216 KB4012217 KB4012219 KB4013429 KB4015217 KB4015438 KB4015549 KB4015550 KB4015551 KB4015553 KB4015554 KB4022720 KB4016635 KB4016871 KB4018466 KB4019215 KB4019216 KB4019264 KB4019472 }

describe.one do hotfixes.each do |hotfix|

filter = "HotFixID = '" + hotfix + "'"

describe wmi({

class: 'win32_quickfixengineering',

filter: filter,

}) do

its( 'InstalledOn' ) { should_not eq nil }

end

end

Page 15: InSpec For DevOpsDays Amsterdam 2017

$ inspec exec https://github.com/lnxchk/inspec-profile-wannacry-

exploit/archive/master.tar.gz --target winrm://[email protected]

--password OMGNewPassw0rd

Profile: WannaCry Exploit Mitigation Status (wannacry-exploit)

Version: 0.2.0

Target: winrm://Administrator@http://52.212.108.149:5985/wsman:3389

✔ WannaCry Vulnerability Check: Hot-fix mitigation check for WannaCry

Ransomware vulnerability

✔ WMI with {:class=>"win32_quickfixengineering", :filter=>"HotFixID =

'KB4022720'"} InstalledOn should not eq nil

Profile Summary: 1 successful, 0 failures, 0 skipped

Test Summary: 1 successful, 0 failures, 0 skipped

Page 16: InSpec For DevOpsDays Amsterdam 2017

What We Have Here Is A Communications Problem

Page 17: InSpec For DevOpsDays Amsterdam 2017
Page 18: InSpec For DevOpsDays Amsterdam 2017

What Is InSpec

Page 19: InSpec For DevOpsDays Amsterdam 2017

InSpec

• Human-readable specification language for tests related to security and

compliance

• Includes facilities for creating, sharing, and reusing profiles

• Extensible language so you can build your own rules for your applications and

systems

• Command-line tools for plugging into your existing workflows / build servers

• Integrates with Test Kitchen for fast-feedback local testing by developers

Page 20: InSpec For DevOpsDays Amsterdam 2017

SSH Example

• From your security team:

SSH supports two different protocol versions. The

original version, SSHv1, was subject to a number

of security issues. All systems must use SSHv2

instead to avoid these issues.

Page 21: InSpec For DevOpsDays Amsterdam 2017

Remediation

• Identify the file and file location to check your systems

• Figure out some sort of incantation

Do we check it first or just push a new one everywhere?

• What’s the plan for the currently used images?

Rebuild?

Remediate at instantiation?

• You’re likely using a configuration management solution for these types of

changes?

Page 22: InSpec For DevOpsDays Amsterdam 2017

Lifecycle

• When you get a mandate from security, how often is it checked?

• Single big scan, report mailed out with a “due date”?

• Yearly or twice-yearly massive scans with remediation firedrills?

Page 23: InSpec For DevOpsDays Amsterdam 2017

Using InSpec

Page 24: InSpec For DevOpsDays Amsterdam 2017

Find It!

• http://inspec.io/

• Open Source!

• The “spec” is a hint

Page 25: InSpec For DevOpsDays Amsterdam 2017

Check that sshd_config

describe sshd_config do

impact 1.0

title 'SSH Version 2'

desc <<-EOF

SSH supports two different protocol versions. The original version, SSHv1, was subject to a

number of security issues. Please use SSHv2 instead to avoid these.

EOF

its('Protocol') { should cmp 2 }

end

Page 26: InSpec For DevOpsDays Amsterdam 2017

Resources

• Inspec includes built-in resources for common services, system

files, and configurations

See http://inspec.io/docs/reference/resources/ for the current list!

• Built-in resources work on several platforms of Linux. There are

also Windows-specifics

• A resource has characteristics that can be verified for your

requirements, and Matchers that work with those characteristics

Page 27: InSpec For DevOpsDays Amsterdam 2017

Check that sshd_config

describe sshd_config do

impact 1.0

title 'SSH Version 2'

desc <<-EOF

SSH supports two different protocol versions. The original version, SSHv1, was subject to a

number of security issues. Please use SSHv2 instead to avoid these.

EOF

its('Protocol') { should cmp 2 }

end

Page 28: InSpec For DevOpsDays Amsterdam 2017

• Resources take the “grep for x” out of the testing phase

• Parsers included in the InSpec software do the work for you

• It’s built off the premises of rSpec, and meant to be human

readable

Page 29: InSpec For DevOpsDays Amsterdam 2017

its.... should...

• it { should exist }

• it { should be_installed }

• it { should be_enabled }

• its('max_log_file') { should cmp 6 }

• its('exit_status') { should eq 0 }

• its('gid') { should eq 0 }

Page 30: InSpec For DevOpsDays Amsterdam 2017

More Complex Built Ins

• Example: limits.conf

grantmc hard nofile 63536

^^^^^^^ ^^^^ ^^^^^^ ^^^^^

domain type item value

• Match on the categories

• its('domain') { should eq ['type', 'item', 'value'] }

• its('ftp') { should eq ['hard', 'nproc', '0'] }

Page 31: InSpec For DevOpsDays Amsterdam 2017

Run It

• InSpec is command line

Installs as a ruby gem or as part of the ChefDK

• Can be run locally, test the machine it is executing on

• Or remotely

InSpec will log into the target and run the tests for you

• Also a REPL

https://www.inspec.io/docs/reference/shell/

Page 32: InSpec For DevOpsDays Amsterdam 2017

Test Any Target

inspec exec test.rb

inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://ec2-

[email protected]

inspec exec test.rb -t winrm://[email protected] --password

super

inspec exec test.rb -t docker://3dda08e75838

Page 33: InSpec For DevOpsDays Amsterdam 2017

Failures

• InSpec runs with failed tests return a non-zero return code

Profile Summary: 0 successful, 1 failures, 0 skipped

[chef@ip-172-31-29-25 ~]$ echo $?

1

[chef@ip-172-31-29-25 ~]$

• Passing tests have 0 return code

Profile Summary: 1 successful, 0 failures, 0 skipped

[chef@ip-172-31-29-25 ~]$ echo $?

0

[chef@ip-172-31-29-25 ~]$

Page 34: InSpec For DevOpsDays Amsterdam 2017

Test Kitchen

• InSpec also runs as an included tester in TK

• https://www.inspec.io/docs/reference/plugin_kitchen_inspec/

Page 35: InSpec For DevOpsDays Amsterdam 2017

Including Profiles

Page 36: InSpec For DevOpsDays Amsterdam 2017

Profiles

• InSpec profiles allow you to package and share sets of InSpec

tests for your organization or for a specific application set

• Each profile can have multiple test files included

• The test files generally test for one required outcome, but can

look at different objects to meet requirements

• Flexible!

Create your own profiles for specific software you use

Page 37: InSpec For DevOpsDays Amsterdam 2017

Profiles

$ inspec init profile companyprofile_01

Create new profile at /home/chef/companyprofile_01

* Create directory libraries

* Create directory controls

* Create file controls/example.rb

* Create file inspec.yml

* Create file README.md

Add more InSpec test files to the controls directory

Page 38: InSpec For DevOpsDays Amsterdam 2017

Profile Commands

inspec check companyprofile_01/

inspec exec companyprofile_01/

Page 39: InSpec For DevOpsDays Amsterdam 2017

Example – Basic Hardening

• Centos 7.2 host

• Test Kitchen

• os-hardening cookbook from https://supermarket.chef.io

• /dev-sec/linux-baseline InSpec profile from https://supermarket.chef.io

Page 40: InSpec For DevOpsDays Amsterdam 2017

The Cookbook and the InSpec Profile Work Together

suites:

- name: default

run_list:

- recipe[osdc-inspec-talk::default]

- recipe[os-hardening]

verifier:

inspec_tests:

- test/smoke/default

- https://github.com/dev-sec/linux-baseline

attributes:

Page 41: InSpec For DevOpsDays Amsterdam 2017

What’s in the os-hardening Cookbook

Page 42: InSpec For DevOpsDays Amsterdam 2017

Run kitchen test Without Hardening

Profile Summary: 25 successful, 25 failures, 1 skipped

Test Summary: 77 successful, 39 failures, 3 skipped

>>>>>> ------Exception-------

>>>>>> Class: Kitchen::ActionFailed

>>>>>> Message: 1 actions failed.

>>>>>> Verify failed on instance <default-centos-72>. Pleasesee .kitchen/logs/default-centos-72.log for more details

>>>>>> ----------------------

>>>>>> Please see .kitchen/logs/kitchen.log for more details

>>>>>> Also try running `kitchen diagnose --all` for configuration

Page 43: InSpec For DevOpsDays Amsterdam 2017

Run kitchen test With Hardening

Profile Summary: 50 successful, 0 failures, 1 skipped

Test Summary: 116 successful, 0 failures, 3 skipped

Finished verifying <default-centos-72> (0m11.07s).

-----> Destroying <default-centos-72>...

==> default: Forcing shutdown of VM...

==> default: Destroying VM and associated drives...

Vagrant instance <default-centos-72> destroyed.

Finished destroying <default-centos-72> (0m4.97s).

Finished testing <default-centos-72> (2m37.89s).

-----> Kitchen is finished. (2m39.44s)

Page 44: InSpec For DevOpsDays Amsterdam 2017

What’s in the linux-baseline Profile

control 'os-02' do

impact 1.0

title 'Check owner and permissions for /etc/shadow'

desc 'Check periodically the owner and permissions for /etc/shadow'

describe file('/etc/shadow') do

it { should exist }

it { should be_file }

it { should be_owned_by 'root' }

its('group') { should eq shadow_group }

it { should_not be_executable }

it { should be_writable.by('owner') }

...

Page 45: InSpec For DevOpsDays Amsterdam 2017

Over Time

Build a Comprehensive Set of Checks for Your Systems

Run Them Every Time Someone Needs to Make a Change

Make it EASY for Everyone to Use

Page 46: InSpec For DevOpsDays Amsterdam 2017

Resources

• https://inspec.io

• https://github.com/chef-training/workshops/

• https://blog.chef.io/2017/05/15/detecting-wannacry-exploit-inspec/

• http://www.anniehedgie.com/inspec-basics-1

• http://blog.johnray.io/chef-inspec-and-dirty-cow

• https://blog.chef.io/2017/05/23/inspec-launches-support-cloud-platform-

assessments/

Page 47: InSpec For DevOpsDays Amsterdam 2017

October 10 – 11, 2017etc.venues Fenchurch St London

https://chef.io/summits

Page 48: InSpec For DevOpsDays Amsterdam 2017

Top Related