Download - InSpec For DevOpsDays Amsterdam 2017
Building Security Into Your Workflow with InSpec
Mandi Walls | [email protected]
HI!
• Mandi Walls
• Technical Community Manager for Chef
• @lnxchk
• Adam Leff – Community Lead for Inspec @adamleff
Who Is Chef
• Configuration Management, System Automation
• Based in Seattle, USA with offices in San Francisco, London,
and Berlin
EVERY business is a software business
We’re going to be a software
company with airplanes.– CIO, Alaska Airlines
Motivation
Product Ideas and Features
Security Review
Production
Afterthought Scanning
http://mspmentor.net/msp-mentor/botched-server-install-results-214-million-hipaa-breach-fine
https://www.darkreading.com/attacks-breaches/wannacry-forces-honda-to-take-production-plant-offline-/d/d-id/1329192
Integrate with Test Kitchen
suites:
- name: default
run_list:
- recipe[dodams::default]
verifier:
inspec_tests:
- test/smoke/default
- supermarket://adamleff/wannacry-exploit
attributes:
hotfixes = %w{ KB4012212 KB4012213 KB4012214 KB4012215 KB4012216 KB4012217 KB4012219 KB4013429 KB4015217 KB4015438 KB4015549 KB4015550 KB4015551 KB4015553 KB4015554 KB4022720 KB4016635 KB4016871 KB4018466 KB4019215 KB4019216 KB4019264 KB4019472 }
describe.one do hotfixes.each do |hotfix|
filter = "HotFixID = '" + hotfix + "'"
describe wmi({
class: 'win32_quickfixengineering',
filter: filter,
}) do
its( 'InstalledOn' ) { should_not eq nil }
end
end
$ inspec exec https://github.com/lnxchk/inspec-profile-wannacry-
exploit/archive/master.tar.gz --target winrm://[email protected]
--password OMGNewPassw0rd
Profile: WannaCry Exploit Mitigation Status (wannacry-exploit)
Version: 0.2.0
Target: winrm://Administrator@http://52.212.108.149:5985/wsman:3389
✔ WannaCry Vulnerability Check: Hot-fix mitigation check for WannaCry
Ransomware vulnerability
✔ WMI with {:class=>"win32_quickfixengineering", :filter=>"HotFixID =
'KB4022720'"} InstalledOn should not eq nil
Profile Summary: 1 successful, 0 failures, 0 skipped
Test Summary: 1 successful, 0 failures, 0 skipped
What We Have Here Is A Communications Problem
What Is InSpec
InSpec
• Human-readable specification language for tests related to security and
compliance
• Includes facilities for creating, sharing, and reusing profiles
• Extensible language so you can build your own rules for your applications and
systems
• Command-line tools for plugging into your existing workflows / build servers
• Integrates with Test Kitchen for fast-feedback local testing by developers
SSH Example
• From your security team:
SSH supports two different protocol versions. The
original version, SSHv1, was subject to a number
of security issues. All systems must use SSHv2
instead to avoid these issues.
Remediation
• Identify the file and file location to check your systems
• Figure out some sort of incantation
Do we check it first or just push a new one everywhere?
• What’s the plan for the currently used images?
Rebuild?
Remediate at instantiation?
• You’re likely using a configuration management solution for these types of
changes?
Lifecycle
• When you get a mandate from security, how often is it checked?
• Single big scan, report mailed out with a “due date”?
• Yearly or twice-yearly massive scans with remediation firedrills?
Using InSpec
Check that sshd_config
describe sshd_config do
impact 1.0
title 'SSH Version 2'
desc <<-EOF
SSH supports two different protocol versions. The original version, SSHv1, was subject to a
number of security issues. Please use SSHv2 instead to avoid these.
EOF
its('Protocol') { should cmp 2 }
end
Resources
• Inspec includes built-in resources for common services, system
files, and configurations
See http://inspec.io/docs/reference/resources/ for the current list!
• Built-in resources work on several platforms of Linux. There are
also Windows-specifics
• A resource has characteristics that can be verified for your
requirements, and Matchers that work with those characteristics
Check that sshd_config
describe sshd_config do
impact 1.0
title 'SSH Version 2'
desc <<-EOF
SSH supports two different protocol versions. The original version, SSHv1, was subject to a
number of security issues. Please use SSHv2 instead to avoid these.
EOF
its('Protocol') { should cmp 2 }
end
• Resources take the “grep for x” out of the testing phase
• Parsers included in the InSpec software do the work for you
• It’s built off the premises of rSpec, and meant to be human
readable
its.... should...
• it { should exist }
• it { should be_installed }
• it { should be_enabled }
• its('max_log_file') { should cmp 6 }
• its('exit_status') { should eq 0 }
• its('gid') { should eq 0 }
More Complex Built Ins
• Example: limits.conf
grantmc hard nofile 63536
^^^^^^^ ^^^^ ^^^^^^ ^^^^^
domain type item value
• Match on the categories
• its('domain') { should eq ['type', 'item', 'value'] }
• its('ftp') { should eq ['hard', 'nproc', '0'] }
Run It
• InSpec is command line
Installs as a ruby gem or as part of the ChefDK
• Can be run locally, test the machine it is executing on
• Or remotely
InSpec will log into the target and run the tests for you
• Also a REPL
https://www.inspec.io/docs/reference/shell/
Test Any Target
inspec exec test.rb
inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://ec2-
inspec exec test.rb -t winrm://[email protected] --password
super
inspec exec test.rb -t docker://3dda08e75838
Failures
• InSpec runs with failed tests return a non-zero return code
Profile Summary: 0 successful, 1 failures, 0 skipped
[chef@ip-172-31-29-25 ~]$ echo $?
1
[chef@ip-172-31-29-25 ~]$
• Passing tests have 0 return code
Profile Summary: 1 successful, 0 failures, 0 skipped
[chef@ip-172-31-29-25 ~]$ echo $?
0
[chef@ip-172-31-29-25 ~]$
Test Kitchen
• InSpec also runs as an included tester in TK
• https://www.inspec.io/docs/reference/plugin_kitchen_inspec/
Including Profiles
Profiles
• InSpec profiles allow you to package and share sets of InSpec
tests for your organization or for a specific application set
• Each profile can have multiple test files included
• The test files generally test for one required outcome, but can
look at different objects to meet requirements
• Flexible!
Create your own profiles for specific software you use
Profiles
$ inspec init profile companyprofile_01
Create new profile at /home/chef/companyprofile_01
* Create directory libraries
* Create directory controls
* Create file controls/example.rb
* Create file inspec.yml
* Create file README.md
Add more InSpec test files to the controls directory
Profile Commands
inspec check companyprofile_01/
inspec exec companyprofile_01/
Example – Basic Hardening
• Centos 7.2 host
• Test Kitchen
• os-hardening cookbook from https://supermarket.chef.io
• /dev-sec/linux-baseline InSpec profile from https://supermarket.chef.io
The Cookbook and the InSpec Profile Work Together
suites:
- name: default
run_list:
- recipe[osdc-inspec-talk::default]
- recipe[os-hardening]
verifier:
inspec_tests:
- test/smoke/default
- https://github.com/dev-sec/linux-baseline
attributes:
What’s in the os-hardening Cookbook
Run kitchen test Without Hardening
Profile Summary: 25 successful, 25 failures, 1 skipped
Test Summary: 77 successful, 39 failures, 3 skipped
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>> Verify failed on instance <default-centos-72>. Pleasesee .kitchen/logs/default-centos-72.log for more details
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration
Run kitchen test With Hardening
Profile Summary: 50 successful, 0 failures, 1 skipped
Test Summary: 116 successful, 0 failures, 3 skipped
Finished verifying <default-centos-72> (0m11.07s).
-----> Destroying <default-centos-72>...
==> default: Forcing shutdown of VM...
==> default: Destroying VM and associated drives...
Vagrant instance <default-centos-72> destroyed.
Finished destroying <default-centos-72> (0m4.97s).
Finished testing <default-centos-72> (2m37.89s).
-----> Kitchen is finished. (2m39.44s)
What’s in the linux-baseline Profile
control 'os-02' do
impact 1.0
title 'Check owner and permissions for /etc/shadow'
desc 'Check periodically the owner and permissions for /etc/shadow'
describe file('/etc/shadow') do
it { should exist }
it { should be_file }
it { should be_owned_by 'root' }
its('group') { should eq shadow_group }
it { should_not be_executable }
it { should be_writable.by('owner') }
...
Over Time
Build a Comprehensive Set of Checks for Your Systems
Run Them Every Time Someone Needs to Make a Change
Make it EASY for Everyone to Use
Resources
• https://inspec.io
• https://github.com/chef-training/workshops/
• https://blog.chef.io/2017/05/15/detecting-wannacry-exploit-inspec/
• http://www.anniehedgie.com/inspec-basics-1
• http://blog.johnray.io/chef-inspec-and-dirty-cow
• https://blog.chef.io/2017/05/23/inspec-launches-support-cloud-platform-
assessments/