5. Our vision: The most enduring and
transformative companies use Chef to
become fast, efficient, and innovative
software-driven organizations.
Velocity: time from idea to shipIdea Ship
Infrastructure
Automation
Compliance
Automation
Application
Automation
8. My existing (legacy) apps run my
business. How can I get them
moving more quickly?
We hear two concerns from leaders most frequently:
Compliance is slowing us down,
and audits are painful. How can
we move faster while meeting
requirements?
18. Choice of tools for every stage and every requirement
Azure security and
management (security, backup,
monitoring, cost management)
Azure Database Migration Service
Azure Site Recovery
Azure Data Box
Assess Migrate Optimize
Data Migration Assistant
Azure Migrate
SQL Server Migration
Assistant
Microsoft
Partners
20. Summarizing cloud migration strategies
Redeploy as-is to cloud
• Reduce Capex
• Free up datacenter space
• Quick cloud ROI
IaaS
Minimally alter to take
better advantage of
cloud
• Faster, shorter, updates
• Code portability
• Greater cloud efficiency
(resources, speed, cost)
Containers
PaaS
Materially
alter/decompose
application to services
• App scale and agility
• Easier adoption of new
cloud capabilities
• Mix technology stacks
PaaS
Serverless
Microservices
New code written with
cloud native approach
• Accelerate innovation
• Build apps faster
• Reduce operational cost
Description
Drivers
Technologies
21. When to use which migration strategy (and tech)
Objective Rehost Refactor Rearchitect Rebuild Primary
technology
Achieve rapid time to cloud IaaS, DBaaS
Migration with minimal architectural and code impact IaaS, DBaaS
Free up data center space quickly IaaS, DBaaS
Reduce capital expenditure of existing applications IaaS, DBaaS
Leverage existing investments IaaS, PaaS,
Containers
Meet scalability requirements of existing apps more cost effectively PaaS,
Containers
Enable business agility with continuous innovation PaaS,
Containers
More easily integrate with other web and cloud apps PaaS,
Serverless
Enable multichannel access, including mobile and IoT PaaS,
Serverless
Deliver new and breakthrough capabilities faster PaaS,
Serverless
23. Azure Site Recovery (ASR) – GA
Migrate applications and VMs to Azure IaaS with confidence
Zero application data loss during migration
Near-zero application downtime during migration
Broad coverage for hypervisors, applications, operating
systems, and Azure features
No-impact application testing in Azure
Free usage during migration
24. Rehost Windows Server on Azure
Sample annual cost comparison of two D2V3 Windows Server VMs. Savings based two D2V3 VMs in US West 2 Region running 744 hours/month for 12 months; Base compute rate at SUSE Linux Enterprise rate for US West 2. Azure pricing as of 04/24/2018. AWS pricing as of 04/24.2018. Price subject to change.
25. Confidently rehost your databases with Azure Database
Migration Service – now generally available
Source Target Status
SQL Server Azure SQL Database (single/elastic) Generally
Available
SQL Server Azure SQL Database Managed Instance In preview
SQL Server SQL Server in Azure VMs In preview
MySQL Azure Database for MySQL In preview
PostgreSQL Azure Database for PostgreSQL In preview
Oracle SQL Server in Azure VMs
Azure SQL Database
In preview
https://datamigration.microsoft.com/
34. : Stay secure, well managed, and cost-efficient
after your move
Optimize
35. Protect your data
in the cloud
Azure Backup
Secure your
cloud resources
Azure Security Center
Monitor your
cloud health
Azure Log Analytics
Steps to start securing and managing your cloud
39. Lower your TCO significantly by migrating to Azure
Azure.com/tco
40. Get started at no cost: Built-in tools at each stage
Azure Site Recovery
During migration
Azure Migrate
Pre-migration
Azure cost management
Post-migration
45. What We Want to Share Today
● Highlights from Chef's 2018 State of
Applications survey: you have company
● Challenges with modernizing legacy
applications
● How Habitat can help you lift, shift, and
modernize to adopt cloud and container
technology even for older applications
47. Survey Insights
How do you measure app
deployment success?
Speed is success for applications - but achieving speed is a big challenge.
Speed*
How long does it take to complete
the app build process?
Days or Longer
How many builds before an app is
deployed to production?
61%
72%
Four or More
55%
* “Time from code to production” or “Time from commit to deploy”
46 45
34
48. Survey Insights
In 2 years, what percent of your apps will be
deployed on container platforms?
1/4 or More
51%
Which approach will you use to transition apps to
new architectures & infrastructures?
Aggressive plans for containerization,
most often by lifting, shifting, and
modernizing applications.
73%
52%
Lift, Shift,
Modernize
Rewrite
Apps
Speed is success for applications - but
achieving speed is a big challenge.
49. Survey Insights
Aggressive plans for containerization, most often
by lifting, shifting, and modernizing applications.
Which is the most challenging aspect of
the application lifecycle?
Management
44%
What percent of production apps run in
the following environments?
Environments are
heavily
heterogeneous,
and application
management is
most challenging.
Speed is success for applications - but
achieving speed is a big challenge.
50. In search of speed, organizations are moving to the
next platform while carrying legacy weight.
It’s already difficult to manage. It’s going to get harder.
Now is the time to think about a comprehensive
application strategy.
51. The Benefits and Problems of Legacy
Legacy is shorthand for critical business applications with longevity. But it
creates manageability problems:
Windows 2003
MSVC, COM+, etc.
Business App 1
Windows 2008 R2
MS .NET 2.0
Business App 2
Red Hat Linux 5
IBM WebSphere
Business App 3
Red Hat Linux 6
Tomcat 6 / Java 7
Business App 4
This is frustrating because the business value is in the app. Yet you carry all of
the burden to support it.
52. Heterogeneity is a reality in IT
Heterogeneous applications are the past, present and future.
How could we extract the applications' business value from the underlying
infrastructure to improve its manageability?
Business App 1 Business App 2 Business App 3 Business App 4
89% of respondents desire a cross-environment application packaging solution.
Source: Chef's 2018 State of Application Delivery Survey
53. Habitat enables application teams
to build, deploy, and manage any
application in any environment -
from traditional data centers to
containerized microservices.
Introducing Habitat
1. “Lift & Shift” Legacy Apps to
Modern Platforms
Organizations struggle to move
existing, business critical apps to
modern platforms
2. Deliver on a Cloud-Native
(Cloud/Containers) Strategy
Organizations hit a wall when
adopting and deploying to a cloud-
native platform
54. How does it work?
It splits the platform-independent part of the application from the platform-
dependent part.
BUILD DEPLOY MANAGE
Ring
Supervisor
Platform-Independent Build Export Platform-Dependent Deploy
55. How does it work?
● All of the problems shown previously
are a result of this pattern: building up
from the operating system.
● The entire triangle becomes the
artifact you carry around with you now
and in the future (including sometimes
the VM and the server!)
Libraries
Operating System
Application
Application &
Libraries
● Habitat builds from the application
down
● Embedded supervisor as standard
management interface
● Builds have strict dependency control
Application Libraries
OS
56. Customer Story - Modernizing Legacy Apps
The challenge:
● Large auto manufacturer moving COTS
apps to next generation data center
● Example legacy app: Windows application
written in Borland Delphi in 2003 - in
Portuguese
● Lot of value in the app, painful to rewrite
The solution:
● Package the application and its
dependencies with Habitat
● Enable the application to be deployed to any
environment - next generation datacenter
and beyond
● Manage the application through its lifecycle -
updates, patches, etc.
● Gain manageability benefits in the new
environment and maintain value of the app
without rewriting
57. What They’re Saying
"With Habitat, we have an easier onramp to
packaging our apps in any environment. The
learning curve for our dev teams who are doing
a little bit of ops as well as traditional software
engineering is a lot less steep. The fact that we
can radically simplify deployment processes by
treating every service as an artifact is very powerful.
Adopting Habitat means you have a reproducible,
consistent method for build and deploy, and you
can apply that model to every service or application that
you're running.
Once you've learned how one service is deployed
or managed, you've got everything you need to
figure out the next service after that."
“While the application portability benefits of containers
are widely recognized, lack of consistency in packaging
and orchestration across the application lifecycle has, in
many cases, limited the success of their deployment at
scale, even when using cloud-
native architectures.
Separating packaging, deployment concerns, and
artifacts is one strategy that can empower teams to
deliver on business objectives of delivering software
at speed, with high quality.”
Blake Irvin
Engineer at smartB Energy Management GmbH
Stephen Elliot
Program Vice President at IDC
59. The Benefits and Problems of Legacy
Legacy is shorthand for critical business applications with longevity. But it
creates manageability problems:
Windows 2003
MSVC, COM+, etc.
Business App 1
Windows 2008 R2
MS .NET 2.0
Business App 2
Red Hat Linux 5
IBM WebSphere
Business App 3
Red Hat Linux 6
Tomcat 6 / Java 7
Business App 4
This is frustrating because the business value is in the app. Yet you carry all of
the burden to support it.
60. Example Application: sqlwebadmin
Sample application from Microsoft's Codeplex Archive
Last updated in 2008, tightly coupled to Windows 2003
Windows 2003
ASP.NET 2.0
sqlwebadmin
This is frustrating because the business value is in the app. Yet you carry all of
the burden to support it.
Windows Server
2016
ASP.NET 2.0
sqlwebadmin
61. Building sqlwebadmin
● Habitat collects application details in a plan
● The Habitat Studio provides a 'clean room'
environment in which to build your artifact
● Habitat artifacts can be launched by the
'hab' CLI
63. Deploying sqlwebadmin
● Habitat services can be deployed into
supervisor rings
● SQLServer 2005 is published as a core
plan on bldr.habitat.sh
● Habitat artifacts use service binds to
allow inter-service communication
without hard-coding settings
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
65. Managing sqlwebadmin
● Habitat artifacts define configuration
tunables as variables
● Configuration settings can be updated via
CLI or API on running instances or service
groups
● Configuration updates automatically trigger
any required run hooks within each service
ASP.NET 2.0
sqlwebadmin
ASP.NET 2.0
sqlwebadmin
hab config apply
67. Targeting Modern Runtimes
● Habitat artifacts can be natively exported to container formats like docker
● Exported artifacts can be run with runtime-specific tools (e.g. docker run,
docker-compose up)
● Habitat artifacts behave consistently in servers or containers
70. Audits are...
● Time-consuming: They distract from product development.
● Stressful: Sometimes auditors or compliance personnel see themselves as
the "police" rather than helping the business be successful.
● Overwhelming: Cloud scale plus an increase in regulations leads to
escalating data volume.
71. Traditional Approaches Exacerbate Audit Pain
Security reviews:
• are often manual (slow);
• generate too much data from scanning-oriented approaches;
• catch problems too late in the development cycle to economically fix;
• don't manage exceptions appropriately.
76. What we have here is a communication problem
Compliance
Security
Dev/Ops
77. Continuous Compliance Uses a Common Language
control 'ensure_selinux_installed' do
impact 1.0
title 'Ensure SELinux is installed'
desc <<-EOD
SELinux provides Mandatory Access Control
EOD
describe package('libselinux') do
it { should be_installed }
end
end
InSpec helps express security & compliance requirements as code and
incorporate it directly into the delivery process.
Systems shall have a Mandatory
Access Control system installed
and enabled.
78. Benefits of Continuous Compliance
● Maintain an up-to-date and historical record of compliance status to satisfy
both scheduled and ad-hoc audit requests
● Detect and correct security issues long before they reach production
● Reduce risk while delivering applications faster
Example: Major healthcare services
provider reduced audit cycle times
by 95% by continuously detecting
and remediating compliance errors.
80. PCI DSS Overview
● 12 Key Requirements
● Two key requirements (9 and 12) refer to
physical security and are not system-level tests
● CIS (Center for Internet Security) Benchmarks
can be used as the basis of a PCI compliance
policy
● Some customization is necessary. InSpec's
inheritance features allow this to be easily
done.
81.
82. PCI Requirement 8
Identify and authenticate access to system components. Example control:
Restrict logins to accounts (e.g. system accounts) that do not have a password.
control "cisecurity.benchmarks_rule_5.2.9_Ensure_SSH_PermitEmptyPasswords_is_disabled" do
title "Ensure SSH PermitEmptyPasswords is disabled"
desc "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts
with empty password strings. Rationale: Disallowing remote shell access to accounts that have an
empty password reduces the probability of unauthorized access to the system"
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.9"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitEmptyPasswords') { should eq 'no' }
end
end
83. Control Inheritance For Reusability
require_controls 'cis-rhel7-level1-server' do
control
"xccdf_org.cisecurity.benchmarks_rule_3.6.5_Ensure_firewall_rules_exist_for_all_open_
ports"
control
"xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_password_creation_requirements_are
_configured"
control "xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_system_accounts_are_non-
login"
control
"xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_password_fields_are_not_empty"
control
"xccdf_org.cisecurity.benchmarks_rule_5.4.1.4_Ensure_inactive_password_lock_is_30_day
s_or_less"
.
.
.
end
CIS Benchmark for
RHEL7, Level 1
Customer PCI-DSS
Profile
Inheritance and
customization
Chef Automate premium content
Customer-owned
86. Wrap-Up
• Audits can be time-consuming and stressful without automation.
• Existing approaches like scanning or packet capture gather too much data
and don't appropriately manage exceptions or customizations.
• They also leave compliance issues unchecked until too late in the process
when fixing them is expensive.
• To reduce stress, save time, and make systems safer, adopt a continuous
compliance approach to shift compliance left.
• InSpec and Chef Automate break down communication barriers between
groups involved in compliance by introducing a common language for
describing it.
• You can increase speed while decreasing risk with this approach.
87. Demo: How compliant is this
cloud environment?
Technical Session
Duration: 30 minutes
88. Mapping Generic Profiles to
Industry regulations
CIS maps industry specific requirements
to generic CIS controls
Chef Automate provides automated tests
written in InSpec that conform to the
industry specifications set by regulatory
bodies and many business verticals
89. Demo Flow
Demo 1 – Scanning Your Infrastructure
Demo 2 – Scanning a Chef Managed VM
Demo 3 – Configuring and Scanning Azure
90. Demo 1 Scanning Your Infrastructure
➔In the first demo we're going to use Chef Automate to perform a scan of a
RHEL7 virtual machine that is running in Azure. We’ll use a PCI DSS specific
profile
We will then view the scan results within the Chef Automate dashboard
➔Note:
• This virtual machine is NOT managed by Chef
• There is no Chef client on the machine - all Chef Automate needs is
SSH/WinRM access
91. Demo 2 Scanning a Chef Managed VM
➔In the second demo we're going to bootstrap a RHEL7 virtual machine that is
running in Azure to be managed by Chef
➔This VM will have a special 'Audit Cookbook' in its run-list, so the PCI_DSS
profile executes periodically each time Chef runs and posts the results to
Chef Automate, giving us Continuous Compliance
Once the bootstrap is complete, we will view the scan results within the Chef
Automate dashboard
92. ➔One key aspect of Chef Automate is its ability to not only scan virtual
machines running in a cloud, but also its ability to scan the cloud
infrastructure itself, for example: subscriptions, networking, and storage etc
➔In our third demo we will scan your Azure environment for compliance
against the 'CIS Azure Foundations Benchmark' profile
Demo 3 Scanning Your Azure Cloud
93. Conclusion
➔The InSpec profiles allow you to define Compliance as Code
➔Chef Automate includes a subscription to an extensive profile library
that is supported and maintained by Chef
➔With Chef Automate you can
• Continuously evaluate compliance of your infrastructure
• Scan unmanaged infrastructure if you have SSH/WinRM access
• View real-time and historical compliance reports so you can evaluate
your infrastructures adherence to compliance over time
• Scan your cloud infrastructure
94. Next Steps
Try Chef Automate Learn Chef Rally module
https://learn.chef.io/modules/try-chef-automate#/
Integrated Compliance Learn Chef Rally Track
https://learn.chef.io/tracks/integrated-compliance#/
We also recommend the Chef Automate Compliance public training
https://training.chef.io/instructor-led-training/chef-automate-compliance
96. Shared Responsibility Model in Azure
● Cloud Providers take on an increasing
role in Security as you adopt
○ Physical Security
○ Host Infrastructure
○ Network Controls
● Azure provides many Security
Certifications
○ ISO/IEC
○ CSA/CCM
○ ITAR
○ HIPAA
○ And many more...
Learn More About Shared Responsibility for Cloud Computing
aka.ms/sharedresponsibility
97. Shared Responsibility Model in Azure
● You still own critical portions of your
Cloud Security
○ IaaS OS
○ Application Level
○ Identity
○ Data
● Ensuring compliance against your
standards is critical
○ CIS Standards
○ PCI Standards
○ DISA STIGs
Learn More About Shared Responsibility for Cloud Computing
aka.ms/sharedresponsibility
98. PCI Shared Responsibility
Microsoft Azure maintains a PCI DSS validation using an approved Qualified
Security Assessor (QSA) and is certified as compliant under PCI DSS version 3.2
at Service Provider Level 1.
Azure PCI DSS compliance status does not automatically translate to PCI DSS
validation for the services that customers build or host on the Azure platform.
Customers are responsible for ensuring that they achieve compliance with
PCI DSS requirements.
See the Azure PCI Responsibility Matrix at:
aka.ms/pciresponsibilitymatrix
99. PCI DSS Requirement 2
Do not user vendor-supplied defaults for system passwords and other
parameters
2.2 Develop configuration standards for all system components. Assure that these
standards address all known security vulnerabilities and are consistent with
industry-accepted system hardening standards.
Sources of industry-accepted system hardening standards may include, but
are not limited to:
- Center for Internet Security (CIS)
- International Organization for Standardization (ISO)
- SysAdmin Audit Network Security (SANS) Institute
- National Institute of Standards Technology (NIST).
See the Azure PCI Responsibility Matrix at:
aka.ms/pciresponsibilitymatrix
100. PCI DSS Requirement 2.2 Azure Responsibilities
For Microsoft Azure, the Security Services team develops security configuration
standards for systems in the Microsoft Azure environment that are consistent with
industry-accepted hardening standards. These configurations are documented in
system baselines and relevant configuration changes are communicated to
impacted teams (e.g., IPAK team).
Procedures are implemented to monitor for compliance against the security
configuration standards. The security configuration standards for systems in
the Microsoft Azure environment are consistent with industry-accepted
hardening standards and are reviewed at least annually.
See the Azure PCI Responsibility Matrix at:
aka.ms/pciresponsibilitymatrix
101. PCI DSS Requirement 2.2 Customer Responsibilities
Customers are responsible for developing configuration standards for all in-scope
PaaS services. Hardening standards should follow guidelines published by
Microsoft Azure.
Customers are responsible for developing configuration standards for all
IaaS instance builds. Additional controls for this requirement include the use of
standard image file templates for server builds along with a clearly defined
configuration standard. Hardening standards should follow guidelines from
well-known organizations like CIS, ISO, NIST and SANS.
See the Azure PCI Responsibility Matrix at:
aka.ms/pciresponsibilitymatrix
102. Leveraging InSpec to Enforce Compliance
Beyond PCI DSS 2.2, there are many other controls in PCI that are based on CIS
controls.
InSpec lets your teams perform scans as frequently as you need to ensure
your systems remain compliant with your standards. Helping you maintain
your portion of the responsibility matrix.
Download the Chef Automate Guide to PCI Compliance with InSpec
whitepaper at:
https://www.chef.io/resource_category/white-paper/
103. Next Steps
● Install Chef Automate trial
○ automate.chef.io
● Install an InSpec profile from the profile store
● Scan your systems with Chef Automate
● Remediate any non-compliant systems
● Set up a scanning schedule to ensure ongoing compliance
● Fine-tune profiles to your exact requirements
Reach out to your Chef team with any questions; they’ll be happy to help!
104. Workshop: The InSpec language for
practitioners
Technical session
Duration: 75 minutes
105. Objectives
In this workshop we will
1. Get a workstation to play on
2. Identify a specific regulatory control and establish the corresponding technical
requirements
3. Create the appropriate InSpec profile and control, and run it locally and on
another student's workstation and observer its not compliant
4. Run the profile again locally but report to Chef Automate
5. Use Chef to make local workstation compliant
6. Rerun the InSpec profile locally again and report to Chef Automate showing its
compliant
107. TASK
The authenticity of host 12.34.56.78 (12.34.56.78)' can't be established.
ECDSA key fingerprint is
SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (ECDSA) to the list of known
hosts.
chef@12.34.56.78's password: My-12-Char-Password
Task: Log in to your workstation
ssh azureuser@12.34.56.78
111. InSpec and Compliance
Many industries are bound by regulations maintained by
external bodies
• Sarbanes-Oxley – Financial Regulations
• PCI – Payment Card Industry Regulations
• HIPAA – Healthcare Regulations
• GDPR – General Data Protection Regulations
• STIG – Security Protocol Regulations
• etc
Many of these rules relate to technical requirements in their application
and infrastructure that they must comply with
112. Center for Internet Security
Center for Internet Security provides
benchmarks for secure configuration
of many platforms and applications
e.g. https://tinyurl.com/CIS-RHEL7
These rules can be referred to when
creating InSpec rules for Regulatory
bodys' guidelines
See https://tinyurl.com/CIS-Poster
113. "The Chef Automate Guide to PCI DSS Compliance"
Whitepaper
Lets look at a specific requirement from the whitepaper
Requirement 7: Restrict access to cardholder data by business
need to know
1. …
2.Ensure SSH root login is disabled
"Disallowing root logins over SSH requires system admins to
authenticate using their own individual account, then escalating to root
only via sudo (if you’ve disabled access to "su" as in the control above).
This restriction limits opportunity for non-repudiation and provides a clear
audit trail in the event of a security incident. The PermitRootLogin
parameter specifies if the root user can login using ssh."
114. TASK
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
Task: Check if SSH root login is disabled
sudo grep PermitRootLogin /etc/ssh/sshd_config
This requirement maps directly to a check you can perform on the system
Of course we can check a node manually, but this isn't practical when you
have 100's, or even 1000's, of nodes
The InSpec DSL is specifically designed to run such tests
115. No Consistency in Commands
● PermitRootLogin Configured?
● SSH v2 Configured?
● Using TLS or SSL?
● Does user 'foo' have sudo access?
● Does user 'foo' have write access to /etc?
• No consistency on command
structure, syntax, & command
line switches
• All configuration files are
proprietary
• They're platform specific
(RHEL, Debian, Windows, …)
116. What is InSpec?
InSpec provides consistent DSL that is platform agnostic to check status of
any component
packages
files
users
…
Complex implementation code abstracted out
Many InSpec profiles exist in the community and Chef supplies, maintains and
supports 100+ profiles aligned to industry specific compliance regulations
117. TASK
Commands:
inspec archive PATH # archive a profile to tar.gz (default) or zip
inspec artifact SUBCOMMAND ... # Sign, verify and install artifacts
inspec check PATH # verify all tests at the specified PATH
inspec compliance SUBCOMMAND ... # Chef Compliance commands
inspec detect # detect the target OS
inspec env # Output shell-appropriate completion configuration
inspec exec PATHS # run all test files at the specified PATH.
inspec habitat SUBCOMMAND ... # Commands for InSpec + Habitat Integration
inspec help [COMMAND] # Describe available commands or one specific command
...
The InSpec Command Line Interface
inspec --help
inspec init creates a profile
inspec check verifies the compliance profile code that you write
inspec exec will run the tests against a system
118. TASK
Create new profile at /home/azureuser/profiles/ssh
* Create file README.md
* Create directory controls
* Create file controls/example.rb
* Create file inspec.yml
* Create directory libraries
Task: Create an InSpec Profile for SSH
inspec init profile ~/profiles/ssh
119. TASK
Create new profile at /home/azureuser/profiles/ssh
* Create file README.md
* Create directory controls
* Create file controls/example.rb
* Create file inspec.yml
* Create directory libraries
Task: Create an InSpec Profile for SSH
inspec init profile ~/profiles/ssh
Use the
'inspec'
command To initialise (i.e.
create) a profile
Called 'ssh'
In the '~/profiles'
directory
121. The Anatomy of a Control File
● A control file within a profile contains
○ Some boilerplate information and a title
# encoding: utf-8
# copyright: 2018, The Authors
title 'sample section'
describe file('/tmp') do
it { should be_directory }
end
control 'tmp-1.0' do
tag 'tmp',
tag dir: '/tmp'
ref 'NSA-RH6 - Section 3.5.2.1'
impact 0.7
title 'Create /tmp directory'
desc 'An optional description...'
describe file('/tmp') do
it { should be_directory }
end
end
122. # encoding: utf-8
# copyright: 2018, The Authors
title 'sample section'
describe file('/tmp') do
it { should be_directory }
end
control 'tmp-1.0' do
tag 'tmp',
tag dir: '/tmp'
ref 'NSA-RH6 - Section 3.5.2.1'
impact 0.7
title 'Create /tmp directory'
desc 'An optional description...'
describe file('/tmp') do
it { should be_directory }
end
end
The Anatomy of a Control File
● A control file within a profile contains
○ Some boilerplate information and a title
○ One or more describe statements, each
containing one or more tests
123. # encoding: utf-8
# copyright: 2018, The Authors
title 'sample section'
describe file('/tmp') do
it { should be_directory }
end
control 'tmp-1.0' do
tag 'tmp',
tag dir: '/tmp'
ref 'NSA-RH6 - Section 3.5.2.1'
impact 0.7
title 'Create /tmp directory'
desc 'An optional description...'
describe file('/tmp') do
it { should be_directory }
end
end
The Anatomy of a Control File
● A control file within a profile contains
○ Some boilerplate information and a title
○ One or more describe statements, each
containing one or more tests
○ describe statements may be grouped within
control statements
124. # encoding: utf-8
# copyright: 2018, The Authors
title 'sample section'
describe file('/tmp') do
it { should be_directory }
end
control 'tmp-1.0' do
tag 'tmp',
tag dir: '/tmp'
ref 'NSA-RH6 - Section 3.5.2.1'
impact 0.7
title 'Create /tmp directory'
desc 'An optional description...'
describe file('/tmp') do
it { should be_directory }
end
end
The Anatomy of a Control File
● A control file within a profile contains
○ Some boilerplate information and a title
○ One or more describe statements, each
containing one or more tests
○ describe statements may be grouped within
control statements
○ control statements may include extra metadata
defining for example
■ a unique ID for this control
■ the criticality, if this control fails.
■ a human-readable title and description
■ reference documentation
125. TASK
Task: Remove example controls file
rm /home/azureuser/profiles/ssh/controls/example.rb
Bit of housekeeping – we don’t need the default controls file
126. TASK
vi ~/profiles/ssh/controls/PermitRootLogin.rb
control "cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Task: Create Controls File 'PermitRootLogin.rb'
Even Cheatier
cp ~/.PermitRootLogin.rb ~/profiles/ssh/controls/PermitRootLogin.rb
Cheat Sheet
https://goo.gl/38AFhn
Click ⌘+a, ⌘+c
127. Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
Each control statement relates to a specific
compliance regulation.
128. Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
129. Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
130. Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
131. Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
132. Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
CIS doc even gives details for a remediation
cookbook! More on this later.
133. Executing our code
● We now need to execute our InSpec profile
● We will use inspec exec command to do this
134. TASK
Profile: InSpec Profile (ssh)
Version: 0.1.0
Target: local://
× cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH root
login is disabled
× SSHD Configuration PermitRootLogin should eq "no"
expected: "no"
got: nil
(compared using ==)
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 1 failure, 0 skipped
Task: Run profile locally with InSpec command
sudo inspec exec profiles/ssh
136. TASK
Profile: InSpec Profile (ssh)
Version: 0.1.0
Target: ssh://azureuser@40.114.121.121:22
× cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH root
login is disabled
× SSHD Configuration PermitRootLogin should eq "no"
expected: "no"
got: nil
(compared using ==)
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 1 failure, 0 skipped
Task: Execute your profile on the remote target
inspec exec ~/profiles/ssh -t ssh://azureuser@104.211.54.213
--password My-12-Char-Password --sudo
Note the 'Target' is specified in the output
Note the 'Target' is specified in the output
137. InSpec and Chef Automate
● InSpec and Chef Automate go hand-in-hand to detect and report on
compliance issues
● InSpec profiles can be executed 'ad hoc' or at the end of each chef-client run
and a report back to Chef Automate
139. TASK
Run InSpec and Send Results to Chef Automate
sudo inspec exec ~/profiles/ssh --json-config reporter.json
Note, if you're using Chef on your nodes InSpec can be invoked on every chef-client run and report sent back to Chef Automate to ensure continuous compliance
141. Key Takeaways
● The format of the InSpec DSL fits neatly with the documents created by
industry-specific compliance regulatory bodies
● InSpec allows you to write those specifications as platform agnostic code
What's next…?
• In the next section we'll look at how you can use Chef to correct your
infrastructure
143. Detect and Correct
● Chef Automate not only allows you to invoke compliance scans across your
estate but it also facilitates remediation
● Chef builds out remediation cookbooks for all InSpec profiles on Chef
Automate
● For simplicity now we will run a simple remediation cookbook for our SSH
InSpec Profile on the local node
144. TASK
.chef/
└── cookbooks
└── ssh-remediation
├── Berksfile
├── CHANGELOG.md
├── chefignore
├── LICENSE
├── metadata.rb
├── README.md
├── recipes
│ └── default.rb
├── templates
│ └── sshd_config.erb
...
10 directories, 11 files
For expediency, the Cookbook is Already on the Workstation
tree .chef
145. TASK
...
template '/etc/ssh/ssh_config' do
source 'ssh_config.erb'
end
View the Chef Recipe and Template File
cat .chef/cookbooks/ssh-remediation/recipes/default.rb
...
#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
...
cat .chef/cookbooks/ssh-remediation/templates/sshd_config.erb -n
Line 50
146. TASK
[✔] Packaging cookbook... done!
[✔] Generating local policyfile... exporting... done!
[✔] Applying ssh-remediation::default from /home/azureuser/.chef/cookbooks/ssh-remediation to target.
└── [✔] [localhost] Successfully converged ssh-remediation::default.
Run the cookbook on the local machine
chef-run azureuser@localhost ssh-remediation::default --password My-12-Char-
Password
147. TASK
Profile: InSpec Profile (ssh)
Version: 0.1.0
Target: local://
✔ cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH
root login is disabled
✔ SSHD Configuration PermitRootLogin should eq "no"
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 1 successful, 0 failures, 0 skipped
Rerun the InSpec Test
sudo inspec exec profiles/ssh
148. TASK
Post Results in Chef Automate
sudo inspec exec profiles/ssh/ --json-config reporter.json
149. View Scan History
● Click the 'Scan History' button to see
a compliance history for this node
● The corresponding 'Event Feed' for
this node will identify what changes
occurred on a node to bring it into, or
out of, compliance
150. Next Steps
LearnChef Rally
● Try Chef Automate module
https://learn.chef.io/modules/try-chef-automate#/
● Integrated Compliance Track
https://learn.chef.io/tracks/integrated-compliance#/
● Compliance Automation with InSpec Track
https://learn.chef.io/tracks/compliance-automation#/
Also, Chef Automate Compliance public training
https://training.chef.io/instructor-led-training/chef-automate-compliance