Chef Automate can help organizations reduce the pain of audits through continuous compliance. It does this by expressing security and compliance requirements as code that can be incorporated directly into the development process. This allows organizations to detect and correct issues early before they reach production. Chef Automate also helps standardize compliance across heterogeneous environments by providing a common language for describing compliance controls. It can then continuously monitor systems to ensure they remain compliant and provide an up-to-date record for audits.

2. Welcome, we’re glad you joined us
● Automation, Audits, and Apps? And Azure?
● Practical solutions to real problems
● Learning from each other

3. Our vision: The most enduring and
transformative companies use Chef to
become fast, efficient, and innovative
software-driven organizations.
Velocity: time from idea to shipIdea Ship
Infrastructure
Automation
Compliance
Automation
Application
Automation

4. Business Value
Time
Digital
Transformation
Post-Digital
Transformation

5. Business Value
Time
Digital
Transformation
Post-Digital
Transformation
Application-centric
Infrastructure-centric

6. My existing (legacy) apps run my
business. How can I get them
moving more quickly?
We hear two concerns from leaders most frequently:
Compliance is slowing us down,
and audits are painful. How can
we move faster while meeting
requirements?

7. My existing (legacy) apps run my
business. How can I get them
moving more quickly?
Your perspective on these two concerns
• Take one minute to think about the legacy apps you manage and the
current and long term impact on your business
• Connect with someone in the room that you don’t know and discuss (you
have 5 minutes)

8. Your perspective on these two concerns
Compliance is slowing us down,
and audits are painful. How can
we move faster while meeting
requirements?
• Take one minute to think about your efforts to stay within compliance, the
work you do to prepare for audits, and the current and long term impact on
your business
• Connect with someone in the room that you don’t know and discuss (you
have 5 minutes)

13. Cloud migration will continue to grow

17. Azure migration experience

18. Customer momentum

19. Confidently migrate your applications, data, and infrastructure to Azure

20. Unified cloud
platform
Data
platform
Security and
management
Azure is the only consistent hybrid cloud

21. Lower your TCO significantly by migrating to Azure
Azure.com/tco

22. Azure migration journey

23. Azure migration journey

24. Choice of tools for every stage and every requirement
Azure security and
management (security, backup,
monitoring, cost management)
Azure Database Migration Service
Azure Site Recovery
Azure Data Box
Assess Migrate Optimize
Data Migration Assistant
Azure Migrate
SQL Server Migration
Assistant
Microsoft
Partners

25. Azure Migrate - GA

26. Summarizing cloud migration strategies
Redeploy as-is to cloud
• Reduce Capex
• Free up datacenter space
• Quick cloud ROI
IaaS
Minimally alter to take
better advantage of
cloud
• Faster, shorter, updates
• Code portability
• Greater cloud efficiency
(resources, speed, cost)
Containers
PaaS
Materially
alter/decompose
application to services
• App scale and agility
• Easier adoption of new
cloud capabilities
• Mix technology stacks
PaaS
Serverless
Microservices
New code written with
cloud native approach
• Accelerate innovation
• Build apps faster
• Reduce operational cost
Description
Drivers
Technologies

27. Migration strategies: Rehost application (i.e., lift & shift)

28. Migration strategies: Refactor application

29. Migration strategies: Rearchitect application

30. Replatform
Migration strategies: Replatform application

31. Confidently migrate all your apps, data, and infrastructure to
Azure

32. Get started today

35. Application Modernization
with Habitat

36. What We Want to Share Today
● Highlights from Chef's 2018 State of
Applications survey: you have company
● Challenges with modernizing legacy
applications
● How Habitat can help you lift, shift and
modernize to adopt cloud and container
technology even for older applications

37. Chef's 2018 State of Application Delivery Survey

38. Survey Insights
How do you measure app
deployment success?
Speed is success for applications - but achieving speed is a big challenge.
Speed*
How long does it take to complete
the app build process?
Days or Longer
How many builds before an app is
deployed to production?
61%
72%
Four or More
55%
* “Time from code to production” or “Time from commit to deploy”
46 45
34

39. Survey Insights
In 2 years, what percent of your apps will be
deployed on container platforms?
1/4 or More
51%
Which approach will you use to transition apps to
new architectures & infrastructures?
Aggressive plans for containerization,
most often by lifting, shifting, and
modernizing applications.
73%
52%
Lift, Shift,
Modernize
Rewrite
Apps
Speed is success for applications - but
achieving speed is a big challenge.

40. Survey Insights
Aggressive plans for containerization, most often
by lifting, shifting, and modernizing applications.
Which is the most challenging aspect of
the application lifecycle?
Management
44%
What percent of production apps run in
the following environments?
Environments are
heavily
heterogeneous,
and application
management is
most challenging.
Speed is success for applications - but
achieving speed is a big challenge.

41. In search of speed, organizations are moving to the
next platform while carrying legacy weight.
It’s already difficult to manage. It’s going to get harder.
Now is the time to think about a comprehensive
application strategy.

42. The Benefits and Problems of Legacy
Legacy is shorthand for critical business applications with longevity. But it
creates manageability problems:
Windows 2003
MSVC, COM+, etc.
Business App 1
Windows 2008 R2
MS .NET 2.0
Business App 2
Red Hat Linux 5
IBM WebSphere
Business App 3
Red Hat Linux 6
Tomcat 6 / Java 7
Business App 4
This is frustrating because the business value is in the app. Yet you carry all of
the burden to support it.

43. Heterogeneity is a reality in IT
Heterogeneous applications are the past, present and future.
How could we extract the applications' business value from the underlying
infrastructure to improve its manageability?
Business App 1 Business App 2 Business App 3 Business App 4
89% of respondents desire a cross-environment application packaging solution.
Source: Chef's 2018 State of Application Delivery Survey

44. Habitat enables application teams
to build, deploy, and manage any
application in any environment -
from traditional data centers to
containerized microservices.
Introducing Habitat
1. “Lift & Shift” Legacy Apps to
Modern Platforms
Organizations struggle to move
existing, business critical apps to
modern platforms
2. Deliver on a Cloud-Native
(Cloud/Containers) Strategy
Organizations hit a wall when
adopting and deploying to a cloud-
native platform

45. How does it work?
It splits the platform-independent part of the application from the platform-
dependent part.
BUILD DEPLOY MANAGE
Ring
Supervisor
Platform-Independent Build Export Platform-Dependent Deploy

46. How does it work?
● All of the problems shown previously
are a result of this pattern: building up
from the operating system.
● The entire triangle becomes the
artifact you carry around with you now
and in the future (including sometimes
the VM and the server!)
Libraries
Operating System
Application
Application &
Libraries
● Habitat builds from the application
down
● Embedded supervisor as standard
management interface
● Builds have strict dependency control
Application Libraries
OS

47. Customer Story - Modernizing Legacy Apps
The challenge:
● Large auto manufacturer moving COTS
apps to next generation data center
● Example legacy app: Windows application
written in Borland Delphi in 2003 - in
Portuguese
● Lot of value in the app, painful to rewrite
The solution:
● Package the application and its
dependencies with Habitat
● Enable the application to be deployed to any
environment - next generation datacenter
and beyond
● Manage the application through its lifecycle -
updates, patches, etc.
● Gain manageability benefits in the new
environment and maintain value of the app
without rewriting

48. What They’re Saying
"With Habitat, we have an easier onramp to
packaging our apps in any environment. The
learning curve for our dev teams who are doing
a little bit of ops as well as traditional software
engineering is a lot less steep. The fact that we
can radically simplify deployment processes by
treating every service as an artifact is very powerful.
Adopting Habitat means you have a reproducible,
consistent method for build and deploy, and you
can apply that model to every service or application that
you're running.
Once you've learned how one service is deployed
or managed, you've got everything you need to
figure out the next service after that."
“While the application portability benefits of containers
are widely recognized, lack of consistency in packaging
and orchestration across the application lifecycle has, in
many cases, limited the success of their deployment at
scale, even when using cloud-
native architectures.
Separating packaging, deployment concerns, and
artifacts is one strategy that can empower teams to
deliver on business objectives of delivering software
at speed, with high quality.”
Blake Irvin
Engineer at smartB Energy Management GmbH
Stephen Elliot
Program Vice President at IDC

50. Modernizing Legacy Applications

51. The Benefits and Problems of Legacy
Legacy is shorthand for critical business applications with longevity. But it
creates manageability problems:
Windows 2003
MSVC, COM+, etc.
Business App 1
Windows 2008 R2
MS .NET 2.0
Business App 2
Red Hat Linux 5
IBM WebSphere
Business App 3
Red Hat Linux 6
Tomcat 6 / Java 7
Business App 4
This is frustrating because the business value is in the app. Yet you carry all of
the burden to support it.

52. Example Application: sqlwebadmin
Sample application from Microsoft's Codeplex Archive
Last updated in 2008, tightly coupled to Windows 2003
Windows 2003
ASP.NET 2.0
sqlwebadmin
This is frustrating because the business value is in the app. Yet you carry all of
the burden to support it.
Windows Server
2016
ASP.NET 2.0
sqlwebadmin

53. Building sqlwebadmin
● Habitat collects application details in a plan
● The Habitat Studio provides a 'clean room'
environment in which to build your artifact
● Habitat artifacts can be launched by the
'hab' CLI

54. Building sqlwebadmin
Demonstration

55. Deploying sqlwebadmin
● Habitat services can be deployed into
supervisor rings
● SQLServer 2005 is published as a core
plan on bldr.habitat.sh
● Habitat artifacts use service binds to
allow inter-service communication
without hard-coding settings
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR

56. Deploying sqlwebadmin
Demonstration

57. Managing sqlwebadmin
● Habitat artifacts define configuration
tunables as variables
● Configuration settings can be updated via
CLI or API on running instances or service
groups
● Configuration updates automatically trigger
any required run hooks within each service
ASP.NET 2.0
sqlwebadmin
ASP.NET 2.0
sqlwebadmin
hab config apply

58. Managing sqlwebadmin
Demonstration

59. Targeting Modern Runtimes
● Habitat artifacts can be natively exported to container formats like docker
● Exported artifacts can be run with runtime-specific tools (e.g. docker run,
docker-compose up)
● Habitat artifacts behave consistently in servers or containers

61. Why Are Audits Painful?
… and how can automation help?
Your Name
youremail@chef.io

62. Who loves an audit?
Nobody!

63. Audits are...
● Time-consuming: They distract from product development.
● Stressful: Sometimes auditors or compliance personnel see themselves as
the "police" rather than helping the business be successful.
● Overwhelming: Cloud scale plus an increase in regulations leads to
escalating data volume.

64. Traditional Approaches Exacerbate Audit Pain
Security reviews:
• are often manual (slow);
• generate too much data from scanning-oriented approaches;
• catch problems too late in the development cycle to economically fix;
• don't manage exceptions appropriately.

67. Least compliant criteria: testing for it

69. What we have here is a communication problem
Compliance
Security
Dev/Ops

70. Continuous Compliance Uses a Common Language
control 'ensure_selinux_installed' do
impact 1.0
title 'Ensure SELinux is installed'
desc <<-EOD
SELinux provides Mandatory Access Control
EOD
describe package('libselinux') do
it { should be_installed }
end
end
InSpec helps express security & compliance requirements as code and
incorporate it directly into the delivery process.
Systems shall have a Mandatory
Access Control system installed
and enabled.

71. Benefits of Continuous Compliance
● Maintain an up-to-date and historical record of compliance status to satisfy
both scheduled and ad-hoc audit requests
● Detect and correct security issues long before they reach production
● Reduce risk while delivering applications faster
Example: Major healthcare services
provider reduced audit cycle times
by 95% by continuously detecting
and remediating compliance errors.

72. Mapping a Compliance Regime
to InSpec
PCI DSS Example

73. PCI DSS Overview
● 12 Key Requirements
● Two key requirements (9 and 12) refer to
physical security and are not system-level tests
● CIS (Center for Internet Security) Benchmarks
can be used as the basis of a PCI compliance
policy
● Some customization is necessary. InSpec's
inheritance features allow this to be easily
done.

75. PCI Requirement 8
Identify and authenticate access to system components. Example control:
Restrict logins to accounts (e.g. system accounts) that do not have a password.
control "cisecurity.benchmarks_rule_5.2.9_Ensure_SSH_PermitEmptyPasswords_is_disabled" do
title "Ensure SSH PermitEmptyPasswords is disabled"
desc "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts
with empty password strings. Rationale: Disallowing remote shell access to accounts that have an
empty password reduces the probability of unauthorized access to the system"
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.9"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitEmptyPasswords') { should eq 'no' }
end
end

76. Control Inheritance For Reusability
require_controls 'cis-rhel7-level1-server' do
control
"xccdf_org.cisecurity.benchmarks_rule_3.6.5_Ensure_firewall_rules_exist_for_all_open_
ports"
control
"xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_password_creation_requirements_are
_configured"
control "xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_system_accounts_are_non-
login"
control
"xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_password_fields_are_not_empty"
control
"xccdf_org.cisecurity.benchmarks_rule_5.4.1.4_Ensure_inactive_password_lock_is_30_day
s_or_less"
.
.
.
end
CIS Benchmark for
RHEL7, Level 1
Customer PCI-DSS
Profile
Inheritance and
customization
Chef Automate premium content
Customer-owned

77. Visualize and Examine Compliance Continuously

78. Wrap-Up
• Audits can be time-consuming and stressful without automation.
• Existing approaches like scanning or packet capture gather too much data
and don't appropriately manage exceptions or customizations.
• They also leave compliance issues unchecked until too late in the process
when fixing them is expensive.
• To reduce stress, save time, and make systems safer, adopt a continuous
compliance approach to shift compliance left.
• InSpec and Chef Automate break down communication barriers between
groups involved in compliance by introducing a common language for
describing it.
• You can increase speed while decreasing risk with this approach.

80. Demo: How compliant is this
cloud environment?
Technical Session
Duration 30 minutes

81. Mapping Generic Profiles to
Industry regulations
CIS maps industry specific requirements
to generic CIS controls
Chef Automate provides automated tests
written in InSpec that conform to the
industry specifications set by regulatory
bodies and many business verticals​

82. Demos
Demo 1 – Scanning Your Infrastructure
Demo 2 – Scanning a Chef Managed VM
Demo 3 – Configuring and Scanning Azure

83. Demo 1 Scanning Your Infrastructure
➔In the first demo we're going to use Chef Automate to perform a scan of a
RHEL7 virtual machine that is running in Azure. We’ll use a PCI DSS specific
profile
We will then view the scan results within the Chef Automate dashboard
➔Note:
• This virtual machine is NOT managed by Chef​
• There is no Chef client on the machine - all Chef Automate needs is
SSH/WinRM access​

84. Demo 2 Scanning a Chef Managed VM
➔In the second demo we're going to bootstrap a RHEL7 virtual machine that is
running in Azure to be managed by Chef
➔This VM will have a special 'Audit Cookbook' in its run-list, so the PCI_DSS
profile executes periodically each time Chef runs and posts the results to
Chef Automate, giving us Continuous Compliance
Once the bootstrap is complete, we will view the scan results within the Chef
Automate dashboard

85. ➔One key aspect of Chef Automate is its ability to not only scan virtual
machines running in a cloud, but also its ability to scan the cloud
infrastructure itself, for example: subscriptions, networking, and storage etc
➔In our third demo we will scan your Azure environment for compliance
against the 'CIS Azure Foundations Benchmark' profile
Demo 3 Scanning Your Azure Cloud

86. Conclusion
➔The InSpec profiles allow you to define Compliance as Code
➔Chef Automate includes a subscription to an extensive profile library
that is supported and maintained by Chef
➔With Chef Automate you can
• Continuously evaluate compliance of your infrastructure
• Scan unmanaged infrastructure if you have SSH/WinRM access
• View real-time and historical compliance reports so you can evaluate
your infrastructures adherence to compliance over time
• Scan your cloud infrastructure

87. Next Steps
Try Chef Automate LearnChef Rally module
https://learn.chef.io/modules/try-chef-automate#/
Integrated Compliance LearnChef RallyTrack
https://learn.chef.io/tracks/integrated-compliance#/
I would also recommend the Chef Automate Compliance public training
https://training.chef.io/instructor-led-training/chef-automate-compliance

89. Shared Responsibility
Your Part in Securing Your Azure Deployments

90. Understand the Azure Shared Responsibility
● Cloud Providers take on an increasing
role in Security as you adopt
○ Physical Security
○ Host Infrastructure
○ Network Controls
● Azure provides many Security
Certifications
○ ISO/IEC
○ CSA/CCM
○ ITAR
○ HIPAA
○ And many more...
Learn More About Shared Responsibility for Cloud Computing
aka.ms/sharedresponsibility

91. How Responsibility is Divided
● You still own critical portions of your
Cloud Security
○ IaaS OS
○ Application Level
○ Identity
○ Data
● Ensuring compliance against your
standards is critical
○ CIS Standards
○ PCI Standards
○ DISA STIGs
Learn More About Shared Responsibility for Cloud Computing
aka.ms/sharedresponsibility

92. In Closing
● Get familiar with the Azure Shared Responsibility Model
● aka.ms/sharedresponsibility
● Create an inventory and plan for coverage of the your responsibility
● Look for areas to apply automation for continuous detection and remediation
● Download the Chef Automate Guide to PCI Compliance with InSpec whitepaper at:
https://www.chef.io/resource_category/white-paper/
● Remediate any non-compliant systems
● Set up a scanning schedule to ensure ongoing compliance
● Fine-tune profiles to your exact requirements
Reach out to your Chef team with any questions; they’ll be happy to help!

94. Workshop: The InSpec language for
practitioners
Technical session
Duration: 75 minutes

95. Objectives
In this workshop we will
1. Get a workstation to play on
2. Identify a specific regulatory control and establish the corresponding technical
requirements
3. Create the appropriate InSpec profile and control, and run it locally and on
another student's workstation and observer its not compliant
4. Run the profile again locally but report to Chef Automate
5. Use Chef to make local workstation compliant
6. Rerun the InSpec profile locally again and report to Chef Automate showing its
compliant

96. Find your Workstation IP Address
● http://link/to/ip/addresses

97. TASK
The authenticity of host 12.34.56.78 (12.34.56.78)' can't be established.
ECDSA key fingerprint is
SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (ECDSA) to the list of known
hosts.
chef@12.34.56.78's password: My-12-Char-Password
Task: Log in to your workstation
ssh azureuser@12.34.56.78

98. TASK
firstname-lastname reporter.json profiles
Task: Ensure You're in the Correct VM
touch firstname-lastname
ls -t

99. Everyone seeing JUST
their own name?

100. InSpec DSL and Compliance
Regulations
InSpec DSL & CIS Profiles

101. InSpec and Compliance
Many industries are bound by regulations maintained by
external bodies
• Sarbanes-Oxley – Financial Regulations
• PCI – Payment Card Industry Regulations
• HIPAA – Healthcare Regulations
• GDPR – General Data Protection Regulations
• STIG – Security Protocol Regulations
• etc
Many of these rules relate to technical requirements in their
application and infrastructure that they must comply with

102. Center for Internet Security
Center for Internet Security provides
benchmarks for secure configuration of
many platforms and applications
e.g. https://tinyurl.com/CIS-RHEL7
These rules can be referred to when
creating InSpec rules for Regulatory
bodys' guidelines
See https://tinyurl.com/CIS-Poster

103. "The Chef Automate Guide to PCI DSS Compliance"
Whitepaper
Lets look at a specific requirement from the whitepaper
Requirement 7: Restrict access to cardholder data by business
need to know
1. …
2.Ensure SSH root login is disabled
"Disallowing root logins over SSH requires system admins to
authenticate using their own individual account, then escalating to root
only via sudo (if you’ve disabled access to "su" as in the control above).
This restriction limits opportunity for non-repudiation and provides a clear
audit trail in the event of a security incident. The PermitRootLogin
parameter specifies if the root user can login using ssh."

104. TASK
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
Task: Check if SSH root login is disabled
sudo grep PermitRootLogin /etc/ssh/sshd_config
 This requirement maps directly to a check you can perform on the system
 Of course we can check a node manually, but this isn't practical when you
have 100's, or even 1000's, of nodes
 The InSpec DSL is specifically designed to run such tests

105. No Consistency in Commands
● PermitRootLogin Configured?
● SSH v2 Configured?
● Using TLS or SSL?
● Does user 'foo' have sudo access?
● Does user 'foo' have write access to /etc?
• No consistency on command
structure, syntax, & command
line switches
• All configuration files are
proprietary
• They're platform specific
(RHEL, Debian, Windows, …)

106. What is InSpec?
InSpec provides consistent DSL that is platform agnostic to check
status of any component
 packages
 files
 users
 …
Complex implementation code abstracted out
Many InSpec profiles exist in the community and Chef supplies,
maintains and supports 100+ profiles aligned to industry specific
compliance regulations

107. TASK
Commands:
inspec archive PATH # archive a profile to tar.gz (default) or zip
inspec artifact SUBCOMMAND ... # Sign, verify and install artifacts
inspec check PATH # verify all tests at the specified PATH
inspec compliance SUBCOMMAND ... # Chef Compliance commands
inspec detect # detect the target OS
inspec env # Output shell-appropriate completion configuration
inspec exec PATHS # run all test files at the specified PATH.
inspec habitat SUBCOMMAND ... # Commands for InSpec + Habitat Integration
inspec help [COMMAND] # Describe available commands or one specific command
...
The InSpec Command Line Interface
inspec --help
inspec init creates a profile
inspec check verifies the compliance profile code
inspec exec runs the tests against a system

108. TASK
Create new profile at /home/azureuser/profiles/ssh
* Create file README.md
* Create directory controls
* Create file controls/example.rb
* Create file inspec.yml
* Create directory libraries
Task: Create an InSpec Profile for SSH
inspec init profile ~/profiles/ssh

109. TASK
Create new profile at /home/azureuser/profiles/ssh
* Create file README.md
* Create directory controls
* Create file controls/example.rb
* Create file inspec.yml
* Create directory libraries
Task: Create an InSpec Profile for SSH
inspec init profile ~/profiles/ssh
Use the
'inspec'
command To initialise (i.e.
create) a profile
Called 'ssh'
In the '~/profiles'
directory

110. TASK
/home/azureuser/profiles/ssh
├── controls
│ └── example.rb
├── inspec.yml
├── libraries
└── README.md
2 directories, 3 files
Task: View InSpec Profile Structure
tree ~/profiles/ssh

111. The Anatomy of a Control File
● A control file within a profile contains
○ Some boilerplate information and a title
# encoding: utf-8
# copyright: 2018, The Authors
title 'sample section'
describe file('/tmp') do
it { should be_directory }
end
control 'tmp-1.0' do
tag 'tmp',
tag dir: '/tmp'
ref 'NSA-RH6 - Section 3.5.2.1'
impact 0.7
title 'Create /tmp directory'
desc 'An optional description...'
describe file('/tmp') do
it { should be_directory }
end
end

112. # encoding: utf-8
# copyright: 2018, The Authors
title 'sample section'
describe file('/tmp') do
it { should be_directory }
end
control 'tmp-1.0' do
tag 'tmp',
tag dir: '/tmp'
ref 'NSA-RH6 - Section 3.5.2.1'
impact 0.7
title 'Create /tmp directory'
desc 'An optional description...'
describe file('/tmp') do
it { should be_directory }
end
end
The Anatomy of a Control File
● A control file within a profile contains
○ Some boilerplate information and a title
○ One or more describe statements, each
containing one or more tests

113. # encoding: utf-8
# copyright: 2018, The Authors
title 'sample section'
describe file('/tmp') do
it { should be_directory }
end
control 'tmp-1.0' do
tag 'tmp',
tag dir: '/tmp'
ref 'NSA-RH6 - Section 3.5.2.1'
impact 0.7
title 'Create /tmp directory'
desc 'An optional description...'
describe file('/tmp') do
it { should be_directory }
end
end
The Anatomy of a Control File
● A control file within a profile contains
○ Some boilerplate information and a title
○ One or more describe statements, each
containing one or more tests
○ describe statements may be grouped within
control statements

114. # encoding: utf-8
# copyright: 2018, The Authors
title 'sample section'
describe file('/tmp') do
it { should be_directory }
end
control 'tmp-1.0' do
tag 'tmp',
tag dir: '/tmp'
ref 'NSA-RH6 - Section 3.5.2.1'
impact 0.7
title 'Create /tmp directory'
desc 'An optional description...'
describe file('/tmp') do
it { should be_directory }
end
end
The Anatomy of a Control File
● A control file within a profile
contains
○ Some boilerplate information and a title
○ One or more describe statements, each
containing one or more tests
○ describe statements may be grouped within
control statements
○ control statements may include extra
metadata defining for example
■ a unique ID for this control
■ the criticality, if this control fails.
■ a human-readable title and description
■ reference documentation

115. TASK
Task: Remove example controls file
rm /home/azureuser/profiles/ssh/controls/example.rb
Bit of housekeeping – we don’t need the default controls file

116. TASK
vi ~/profiles/ssh/controls/PermitRootLogin.rb
control "cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Task: Create Controls File 'PermitRootLogin.rb'
Even Cheatier
cp ~/.PermitRootLogin.rb ~/profiles/ssh/controls/PermitRootLogin.rb
Cheat Sheet
https://goo.gl/38AFhn
Click ⌘+a, ⌘+c

117. Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
Each control statement relates to a specific
compliance regulation.

118. Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control

119. Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control

120. Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control

121. Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control

122. Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
CIS doc even gives details for a remediation
cookbook! More on this later.

123. Executing our code
● We now need to execute our InSpec profile
● We will use inspec exec command to do this

124. TASK
Profile: InSpec Profile (ssh)
Version: 0.1.0
Target: local://
× cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH root
login is disabled
× SSHD Configuration PermitRootLogin should eq "no"
expected: "no"
got: nil
(compared using ==)
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 1 failure, 0 skipped
Task: Run profile locally with InSpec command
sudo inspec exec profiles/ssh

125. Find Another Student's Workstation IP Address
● http://link/to/ip/addresses

126. TASK
Profile: InSpec Profile (ssh)
Version: 0.1.0
Target: ssh://azureuser@40.114.121.121:22
× cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH root
login is disabled
× SSHD Configuration PermitRootLogin should eq "no"
expected: "no"
got: nil
(compared using ==)
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 1 failure, 0 skipped
Task: Execute your profile on the remote target
inspec exec ~/profiles/ssh -t ssh://azureuser@104.211.54.213
--password My-12-Char-Password --sudo
Note the 'Target' is specified in the output
Note the 'Target' is specified in the output

127. InSpec and Chef Automate
● InSpec and Chef Automate go hand-in-hand to detect and report on
compliance issues
● InSpec profiles can be executed 'ad hoc' or at the end of each chef-
client run and a report back to Chef Automate

128. TASK
{
"reporter": {
"automate" : {
"stdout" : false,
"url" : "https://your-automante-server/data-collector/v0/",
"token" : SEhb7CkB_U9FiHFBWaTMW-3eyTQ=,
"insecure" : true,
"node_name" : "nodename-1",
"environment" : "dev"
}
}
}
InSpec Chef Automate integration
cat reporter.json

129. TASK
Run InSpec and Send Results to Chef Automate
sudo inspec exec ~/profiles/ssh --json-config reporter.json
Note, if you're using Chef on your nodes InSpec can be invoked on every chef-client run
and report sent back to Chef Automate to ensure continuous compliance

130. Results Posted to Chef Automate

131. Key Takeaways
● The format of the InSpec DSL fits neatly with the documents created
by industry-specific compliance regulatory bodies
● InSpec allows you to write those specifications as platform agnostic
code
What's next…?
• In the next section we'll look at how you can use Chef to correct your
infrastructure

132. Remediation

133. Detect and Correct
● Chef Automate not only allows you to invoke compliance scans
across your estate but it also facilitates remediation
● Chef builds out remediation cookbooks for all InSpec profiles on Chef
Automate
● For simplicity now we will run a simple remediation cookbook for our
SSH InSpec Profile on the local node

134. TASK
.chef/
└── cookbooks
└── ssh-remediation
├── Berksfile
├── CHANGELOG.md
├── chefignore
├── LICENSE
├── metadata.rb
├── README.md
├── recipes
│ └── default.rb
├── templates
│ └── sshd_config.erb
...
10 directories, 11 files
For expediency, the Cookbook is Already on the
Workstationtree .chef

135. TASK
...
template '/etc/ssh/ssh_config' do
source 'ssh_config.erb'
end
View the Chef Recipe and Template File
cat .chef/cookbooks/ssh-remediation/recipes/default.rb
...
#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
...
cat .chef/cookbooks/ssh-remediation/templates/sshd_config.erb -n
Line 50

136. TASK
[✔] Packaging cookbook... done!
[✔] Generating local policyfile... exporting... done!
[✔] Applying ssh-remediation::default from /home/azureuser/.chef/cookbooks/ssh-remediation to target.
└── [✔] [localhost] Successfully converged ssh-remediation::default.
Run the cookbook on the local machine
chef-run azureuser@localhost ssh-remediation::default --password My-12-Char-
Password --config .chef-workstation/config.toml
This will execute the remediation recipe and send an event to Chef Automate – you will
see this in the 'Client Runs' tab

137. View Chef Run
We will see details of the Chef client run in the 'Client Runs' tab of Chef
Automate

138. TASK
Profile: InSpec Profile (ssh)
Version: 0.1.0
Target: local://
✔ cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH
root login is disabled
✔ SSHD Configuration PermitRootLogin should eq "no"
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 1 successful, 0 failures, 0 skipped
Rerun the InSpec Test
sudo inspec exec profiles/ssh

139. TASK
Post Results in Chef Automate
sudo inspec exec profiles/ssh/ --json-config reporter.json

140. View Scan History
● Click the 'Scan History' button to see
a compliance history for this node
● The corresponding 'Event Feed' for
this node will identify what changes
occurred on a node to bring it into, or
out of, compliance

141. Next Steps
LearnChef Rally
● Try Chef Automate module
https://learn.chef.io/modules/try-chef-automate#/
● Integrated Compliance Track
https://learn.chef.io/tracks/integrated-compliance#/
● Compliance Automation with InSpec Track
https://learn.chef.io/tracks/compliance-automation#/
Also, Chef Automate Compliance public training
https://training.chef.io/instructor-led-training/chef-automate-compliance