melbourne infracoders: compliance as code with inspec

$: Melbourne Infracoders: Compliance as Code with InSpec$
Compliance as CodeMelbourne Infrastructure Coders

November 8, 2016

Chef Workflow

SSH Control

"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."

How will I verify this?

Whip up a one-liner!

grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'

Apache Server Information Leakage - Server Token Directive

• Description

This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.

This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions.

• How to Test

In order to test for ServerToken configuration, one should check the Apache configuration file.

• Misconfiguration

ServerTokens Full

• Remediation

Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.

ServerTokens ProdorServerTokens ProductOnly

https://www.owasp.org/index.php/SCG_WS_Apache

More grep and sed!

grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

Compliance

“two-thirds of organizations did not adequately test the security of all in-scope systems”

Key Trends

• While individual rule compliance is up, testing of security systems is down

• Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.

Shell Scripts

grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

Infrastructure Code

package 'httpd' doaction :install

end

service 'httpd' doaction [ :start, :enable ]

end

What We Have Here Is A Communications Problem

Security != Compliance

Compliance Language

One LanguageLinux

One LanguageLinux, Windows

Windows

One LanguageLinux, Windows, BSD, Unixes, ...

Available Resourcesapache_confapt

audit_policy

auditd_conf

auditd_rules

bondbridge

csv

command

directory

etc_groupfile

gemgroup

host

inetd_conf

interface

iptableskernel_module

kernel_parameter

limits_conf

login_defs

mountmysql_conf

mysql_sessionnpm

ntp_conf

oneget

os

os_envpackage

parse_config

parse_config_file

passwd

pipport

postgres_confpostgres_session

powershell

processes

registry_key

security_policyservice

ssh_config

sshd_config

user

windows_featureyaml

yum

What is it not?

• IDS / IPS• Firewall• Antivirus• Pentesting tool


Bare-metal


Bare-metal, VMs


Bare-metal, VMs, Containers

Test Locally

$ inspec exec test.rb.

Finished in 0.00901 seconds (files took 0.98501 seconds to load)1 example, 0 failures

Test Remote via SSH

$ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022

No Ruby / agent on the node

Test Remote via WinRM

$ inspec exec test.rb -t winrm://[email protected] --password super

No Ruby / agent on the node

Test Docker Containers

$ inspec exec test.rb -t docker://3dda08e75838

No Ruby / agent on the container



Nodes



Nodes, GRUB, DBs

DB Testing



Nodes, GRUB, DBs, Endpoints, APIs, ...

Cloud Testing

Operating System and Application Coverage

• Red Hat Enterprise Linux• Ubuntu• SUSE• Oracle Linux• Microsoft Windows 7, 8• Microsoft Windows Server 2008,

2012• AIX• HP-UX

• VMware ESXi• Oracle • MySQL• Apache Tomcat• SQL Server• IIS• AWS

Compliance as Code.

Open Source Community

•InSpec•https://inspec.io•Chef Audit cookbook•https://github.com/chef-cookbooks/audit•Kitchen-InSpec•https://github.com/chef/kitchen-inspec•Supermarket.chef.io

New Workflow

melbourne infracoders: compliance as code with inspec

Technology