inspec for devopsdays amsterdam 2017

Download InSpec For DevOpsDays Amsterdam 2017

Post on 29-Jan-2018

159 views

Category:

Software

3 download

Embed Size (px)

TRANSCRIPT

  1. 1. Building Security Into Your Workflow with InSpec Mandi Walls | mandi@chef.io
  2. 2. HI! Mandi Walls Technical Community Manager for Chef mandi@chef.io @lnxchk Adam Leff Community Lead for Inspec @adamleff
  3. 3. Who Is Chef Configuration Management, System Automation Based in Seattle, USA with offices in San Francisco, London, and Berlin
  4. 4. EVERY business is a software business Were going to be a software company with airplanes. CIO, Alaska Airlines
  5. 5. Motivation
  6. 6. Product Ideas and Features Security Review Production
  7. 7. Afterthought Scanning
  8. 8. http://mspmentor.net/msp-mentor/botched-server-install-results-214-million-hipaa-breach-fine
  9. 9. https://www.darkreading.com/attacks-breaches/wannacry-forces-honda-to-take-production-plant-offline-/d/d-id/1329192
  10. 10. Integrate with Test Kitchen suites: - name: default run_list: - recipe[dodams::default] verifier: inspec_tests: - test/smoke/default - supermarket://adamleff/wannacry-exploit attributes:
  11. 11. hotfixes = %w{ KB4012212 KB4012213 KB4012214 KB4012215 KB4012216 KB4012217 KB4012219 KB4013429 KB4015217 KB4015438 KB4015549 KB4015550 KB4015551 KB4015553 KB4015554 KB4022720 KB4016635 KB4016871 KB4018466 KB4019215 KB4019216 KB4019264 KB4019472 } describe.one do hotfixes.each do |hotfix| filter = "HotFixID = '" + hotfix + "'" describe wmi({ class: 'win32_quickfixengineering', filter: filter, }) do its( 'InstalledOn' ) { should_not eq nil } end end
  12. 12. $ inspec exec https://github.com/lnxchk/inspec-profile-wannacry- exploit/archive/master.tar.gz --target winrm://Administrator@52.212.108.149 --password OMGNewPassw0rd Profile: WannaCry Exploit Mitigation Status (wannacry-exploit) Version: 0.2.0 Target: winrm://Administrator@http://52.212.108.149:5985/wsman:3389 WannaCry Vulnerability Check: Hot-fix mitigation check for WannaCry Ransomware vulnerability WMI with {:class=>"win32_quickfixengineering", :filter=>"HotFixID = 'KB4022720'"} InstalledOn should not eq nil Profile Summary: 1 successful, 0 failures, 0 skipped Test Summary: 1 successful, 0 failures, 0 skipped
  13. 13. What We Have Here Is A Communications Problem
  14. 14. What Is InSpec
  15. 15. InSpec Human-readable specification language for tests related to security and compliance Includes facilities for creating, sharing, and reusing profiles Extensible language so you can build your own rules for your applications and systems Command-line tools for plugging into your existing workflows / build servers Integrates with Test Kitchen for fast-feedback local testing by developers
  16. 16. SSH Example From your security team: SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. All systems must use SSHv2 instead to avoid these issues.
  17. 17. Remediation Identify the file and file location to check your systems Figure out some sort of incantation Do we check it first or just push a new one everywhere? Whats the plan for the currently used images? Rebuild? Remediate at instantiation? Youre likely using a configuration management solution for these types of changes?
  18. 18. Lifecycle When you get a mandate from security, how often is it checked? Single big scan, report mailed out with a due date? Yearly or twice-yearly massive scans with remediation firedrills?
  19. 19. Using InSpec
  20. 20. Find It! http://inspec.io/ Open Source! The spec is a hint
  21. 21. Check that sshd_config describe sshd_config do impact 1.0 title 'SSH Version 2' desc >> ------Exception------- >>>>>> Class: Kitchen::ActionFailed >>>>>> Message: 1 actions failed. >>>>>> Verify failed on instance . Please see .kitchen/logs/default-centos-72.log for more details >>>>>> ---------------------- >>>>>> Please see .kitchen/logs/kitchen.log for more details >>>>>> Also try running `kitchen diagnose --all` for configuration
  22. 39. Run kitchen test With Hardening Profile Summary: 50 successful, 0 failures, 1 skipped Test Summary: 116 successful, 0 failures, 3 skipped Finished verifying (0m11.07s). -----> Destroying ... ==> default: Forcing shutdown of VM... ==> default: Destroying VM and associated drives... Vagrant instance destroyed. Finished destroying (0m4.97s). Finished testing (2m37.89s). -----> Kitchen is finished. (2m39.44s)
  23. 40. Whats in the linux-baseline Profile control 'os-02' do impact 1.0 title 'Check owner and permissions for /etc/shadow' desc 'Check periodically the owner and permissions for /etc/shadow' describe file('/etc/shadow') do it { should exist } it { should be_file } it { should be_owned_by 'root' } its('group') { should eq shadow_group } it { should_not be_executable } it { should be_writable.by('owner') } ...
  24. 41. Over Time Build a Comprehensive Set of Checks for Your Systems Run Them Every Time Someone Needs to Make a Change Make it EASY for Everyone to Use
  25. 42. Resources https://inspec.io https://github.com/chef-training/workshops/ https://blog.chef.io/2017/05/15/detecting-wannacry-exploit-inspec/ http://www.anniehedgie.com/inspec-basics-1 http://blog.johnray.io/chef-inspec-and-dirty-cow https://blog.chef.io/2017/05/23/inspec-launches-support-cloud-platform- assessments/
  26. 43. October 10 11, 2017 etc.venues Fenchurch St London https://chef.io/summits