security and dev ops for high velocity organizations
TRANSCRIPT
CHEF COMPLIANCE
SECURITY AND DEVOPS FOR HIGH VELOCITY ORGANIZATIONS
$> whoarewe
Christoph Hartmann
Engineering Manager at Chef
@chri_hartmann
chris-rock
Dominik Richter
Product Manager at Chef
@arlimus
arlimus
WHAT IS CHEF?
DEVOPS AUTOMATION FROMCONCEPTION TO PRODUCTION.
WHAT IS COMPLIANCE?
COMPLIANCE AS CODE.
WHAT IS IT NOT?
(H)IDS / IPS
Firewall
AntiVirus
Pentesting tool
COMPLIANCE AS CODE.
TRADITIONAL COMPLIANCE
DEV & OPS SET UP AN APP
SECURITY MEETS OPERATIONS
DOCUMENTATION
SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues.
Please use SSHv2 instead to avoid these.
SCRIPTING TOOLS
> grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
2
COMPLIANCE LANGUAGE
describe sshd_config do
  its('Protocol') { should cmp 2 }
end
INSPEC
COMPLIANCE LANGUAGE
control 'ssh-1234' do
  impact 1.0
  title 'Server: Set protocol version to SSHv2'
  desc "Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore..."
  describe sshd_config do
    its('Protocol') { should eq('2') }
  end
end
ONE LANGUAGE
Linux, Windows, BSD, Solaris, AIX, ...
WINDOWS
control 'windows-base-201' do
  impact 1.0
  title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
  desc '@link: http://support.microsoft.com/en-us/kb/823659'
  describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
    it { should exist }
    its('LmCompatibilityLevel') { should eq 4 }
  end
end
ONE LANGUAGE
Linux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
inspec exec test.rb
.
Finished in 0.00228 seconds (files took 1.95 seconds to load) 1 example, 0 failures
TINY HOWTO
inspec exec test.rb
inspec exec /path/to/profile
inspec exec github.com/chef/some-profile.git
TINY HOWTO
TEST YOUR LOCAL NODE
inspec exec test.rb
TEST REMOTE VIA SSH
inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
no Ruby / agent on the node
TEST REMOTE VIA WINRM
inspec exec test.rb -t winrm://[email protected] --password super
no Ruby / agent on the node
TEST DOCKER CONTAINER
inspec exec test.rb -t docker://3cc8837bb6a8
no SSH / agent on the container
ANATOMY OF A CONTAINER TEST
describe package('wget') do
  it { should be_installed }
end

describe file('/fetch-all.sh') do
  it { should be_file }
  its('owner') { should eq 'root' }
  its('mode') { should eq 0640 }
end
ANATOMY OF A CONTAINER TEST
inspec exec dtest.rb -t docker://f02e x1
....
Finished in 0.1537 seconds (files took 1.77 seconds to load) 4 examples, 0 failures
ONE LANGUAGE
Linux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, DBs, Endpoints, APIs (AWS, ...)
DB TESTING
# mysql_session takes the connection credentials in a real profile,
# e.g. mysql_session('user', 'password'); any account reachable from every host ('%') is a finding
describe mysql_session.query("SELECT user, host FROM mysql.user WHERE host = '%'") do
  its('stdout') { should be_empty }
end
AWS TESTING
Vpc.new(id: 'vpc_id').security_groups.each do |security_group|
  describe security_group do
    it { should_not have_ingress_rule().with_source('0.0.0.0/0') }
  end
end
CIS AND SCAP
GREAT SECURITY BENCHMARKS
GREAT COVERAGE
Red Hat Enterprise Linux, Ubuntu, SUSE, Oracle Linux, ...
Microsoft Windows 7, 8, Server 2008, 2012
IBM AIX, HP-UX, VMware ESXi
Oracle MySQL, Apache Tomcat, MS SQL Server, MS IIS
WRITTEN IN XML
<definition class="compliance" id="oval:org.cisecurity.benchmarks.o_centos_centos:def:1190" version="1">
  <metadata>
    <title>Set SSH Protocol to 2</title>
    <affected family="unix">
      <product>CentOS Linux 6</product>
    </affected>
    <reference ref_id="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2" ref_url="http://benchmarks.cisecurity.org"/>
    <description>Set SSH Protocol to 2</description>
  </metadata>
  <criteria operator="AND">
    <criterion negate="false" test_ref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10191"/>
  </criteria>
</definition>

<ind:textfilecontent54_test id="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10191" check="all" check_existence="at_least_one_exists" comment="Ensure 'Protocol' sshd config parameter equals 2 (string)">
  <ind:object object_ref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10193"/>
  <ind:state state_ref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10084"/>
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10193" comment="Ensure 'Protocol' sshd config parameter equals 2 (string)">
  <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
  <ind:pattern operation="pattern match">^\s*Protocol\s+(\S+)\s*(?:#.*)?$</ind:pattern>
  <ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10084" comment="Ensure 'Protocol' sshd config parameter equals 2 (string)">
  <ind:subexpression datatype="string" operation="equals" var_ref="oval:org.cisecurity.benchmarks.o_centos_centos:var:1190"/>
</ind:textfilecontent54_state>
Source and Copyright: Center for Internet Security
CONVERTED TO INSPEC
control "xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2" do
  title "Set SSH Protocol to 2"
  desc "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
  impact 1.0
  # the keyword must be present at least once (the OVAL check_existence)
  describe file("/etc/ssh/sshd_config") do
    its(:content) { should match /^\s*Protocol\s+(\S+)\s*(?:#.*)?$/ }
  end
  # and every occurrence must carry the value "2" (the OVAL state);
  # scan returns one array per match, so flatten to the captured values
  file("/etc/ssh/sshd_config").content.to_s.scan(/^\s*Protocol\s+(\S+)\s*(?:#.*)?$/).flatten.each do |entry|
    describe entry do
      it { should eq "2" }
    end
  end
end
NATIVE INSPEC
control "xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2" do
  title "Set SSH Protocol to 2"
  desc "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
  impact 1.0
  describe sshd_config do
    its('Protocol') { should cmp 2 }
  end
end
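The converted CIS control and the native one above both decide the same question: is sshd pinned to protocol 2? As an added example (not from the talk and not InSpec code), the plain Ruby below evaluates that rule with the CIS regex over constructed sshd_config samples, so the difference between "every entry is 2" (the converted control) and "the value sshd actually uses" (first occurrence wins in OpenSSH) is visible, and cases like "Protocol 2,1" or a missing keyword are reported distinctly.

```ruby
# Added example; evaluates the CIS "Set SSH Protocol to 2" rule in plain Ruby
# without InSpec. All sshd_config samples below are constructed, not real hosts.

# The regex the CIS benchmark uses: optional leading blanks, the value, an
# optional trailing comment. A commented-out "#Protocol 1" does not match.
PROTOCOL_RE = /^\s*Protocol\s+(\S+)\s*(?:#.*)?$/

# All Protocol values in file order, e.g. ["2"] or ["1", "2"].
def protocol_values(content)
  content.each_line.map { |line| line[PROTOCOL_RE, 1] }.compact
end

# The converted control's logic: the keyword must appear, and every
# occurrence must be exactly "2" ("2,1" still allows SSHv1, so it fails).
def cis_protocol_compliant?(content)
  values = protocol_values(content)
  !values.empty? && values.all? { |v| v == "2" }
end

# What sshd enforces: OpenSSH uses the first value it reads for a keyword
# and ignores later duplicates. Returns nil when nothing is set.
def effective_protocol(content)
  protocol_values(content).first
end

# A small finding a scanner could emit; :status is :pass, :fail or :unset.
def protocol_finding(content)
  effective = effective_protocol(content)
  status = if effective.nil? then :unset
           elsif cis_protocol_compliant?(content) then :pass
           else :fail
           end
  { status: status, effective: effective, entries: protocol_values(content) }
end

# Constructed samples (assumed content, not taken from any real system).
HARDENED = "Port 22\n#Protocol 1\nProtocol 2   # CIS 6.2.1\n"
LEGACY   = "Protocol 2,1\nPermitRootLogin no\n"
CONFLICT = "Protocol 1\nProtocol 2\n" # sshd keeps the first line: SSHv1 stays on

if __FILE__ == $PROGRAM_NAME
  [HARDENED, LEGACY, CONFLICT].each { |c| p protocol_finding(c) }
end
```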
PROFILE FOUNDATION
MAKE ADJUSTMENTS
NATIVE INSPEC
include_control "cis/cis-centos6-lvl1" do
  skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_on_etcgrub.conf"
  skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_etcgrub.conf"
  control "xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server" do
    impact 1.0
  end
end
control "my-own-1" ...
SPREAD TO OTHER ENVIRONMENTS
COMPLIANCE AS CODE.
COMPETITIVE ADVANTAGE
BOOK: THE HIGH VELOCITY EDGE - STEVEN J. SPEAR
SAFETY AT VELOCITY
Risk reduction when constantly changing your systems
As part of the workflow. Not after, not later.
Test for quality, Test for compliance
TRADITIONAL WORKFLOW
CREATE NEW ARTIFACTS
TO REACH PRODUCTION
DEVOPS WORKFLOW
CREATE AND TEST EARLY ON
TEST CONTINUOUSLY
DEPLOY, OPERATE, VERIFY
ONE WORKFLOW CYCLE
FULL WORKFLOW
FIXING THE COMPLIANCE CYCLE
COMPLIANCE AS CODE.
JOIN INSPEC
GITHUB.COM/CHEF/INSPEC
GITTER.IM/CHEF/INSPEC
INSPEC 1.0
Dependencies
Attributes
THANK YOU
@chri_hartmann
chris-rock
@arlimus
arlimus