5. SSH Control
SSH supports two different protocol
versions. The original version,
SSHv1, was subject to a number of
security issues. Please use SSHv2
instead to avoid these.
7. Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
8. Apache Server Information Leakage – Server Token
Directive• Description
This Directive Controls weather Server response field is sent back to clients includes a description of Generic OS Type
of the Server.
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security
vulnerabilities are dependent upon specific software versions.
• How to Test
In order to test for ServerToken configuration, one should check the Apache configuration file.
• Misconfiguration
ServerTokens Full
• Remediation
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to
only return "Apache" in the Server header, returned on every page request.
ServerTokens Prod
or
ServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache
9. Whip up a one-liner!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
10.
11. Whip up a two-liner!
TARGET=2
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
> /dev/null && echo $TARGET
18. Key Trends
• While individual rule
compliance is up, testing of
security systems is down
• Sustainability is low. Fewer
than a third of companies
were found to be still fully
compliant less than a year
after successful validation.
19.
20. Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
I’m an application developer! When I build apps, they go through various stages to get to my production environment.
I heard we were going to be audited. The auditor showed up and wanted to audit our environment.
I was a little nervous also self-assured. I was managing my infrastructure on AWS, everything is automated with Chef, how bad could it be.
The auditor handed me a list of controls to verify.
The auditor handed me a list of controls to verify.
This took forever…but once it was done I took solace in the fact that the auditors wouldn’t return for at least another six months. We could get back to our normal development process.
“Not so fast!” said our security team. We had to introduce a Security Review phase to our delivery.
This is how I think of “security reviews” – they slow down the flow and change backs up. The more changes back up, the more we need to “expedite” or “force” things through the dam in order to satisfy LoB needs. Which leads to…
Ok, so we still need to assure ourselves that things are "secure", right? So what we do is replace this security 'gate" with "scanning"
At some later date
Not with the same cadence as we're flowing changes through the system
Usually only when the auditors are on site
Which is why the sustainability is low – same thing as mentioned in the PCI report from Verizon
How many of you are in regulated industries?
It's so bad that you don't have to go past the first page of this report…
80% of companies still fail at interim assessment
CAGR of 66% in security incidents since 2009.
The auditor handed me a list of controls to verify.
I think we need to stop whatever we’re doing and go back to first principles for a second.
First I want to start defining security and compliance. These are not the same thing, although obviously they are related.
Up until now we have been primarily concerned with compliance activities. Actually in many cases you could be “compliant” without achieving the intended aims of standards, which is to assure security.
The objective isn't to pass the compliance audit, the objective is to actually make our systems more secure.
You can spend a lot of time negotiating with auditors and getting them to accept "compensating controls" and the like in order to pass a compliance audit, but this is what Jez Humble would call "compliance theatre". How much can you pull the wool over the eyes of your auditors while still having a company that still has huge risks?
Before you can be compliant, you first have to truly be secure.
Compliance is about:
Don’t get hacked
Don’t lose data
Compliance activities aren’t just about “making auditors go away” which is how we’ve treated them.
We always talk about how in DevOps it's not about the tools, it's about the culture. But you want to choose tools that will help you reinforce the culture you want. I've spent the first part of this presentation talking about how that it's the culture and mindset of how to do security and compliance culture that are problematic these days. Now I'll talk about how you can use tools and processes to help get to the culture you want, which is to build in security as part of the quality of getting a thing to production.
One of our beliefs is that the world of humans acting directly on computers is over – it’s not scalable, it’s not reproducible, it’s not testable
So the future is clearly humans acting on code, and code acting on machines – that’s the era that Chef grew up in.
For the purposes of compliance, we actually wanted a common language, in code, that would allow all audiences – compliance, security, and devops – to collaborate on. And this code will then act on systems.
And for this I’d like to turn it over to my colleague Galen Emery to show you Chef Compliance, and that language we invented, called InSpec.
By now you are probably aware of how Chef automates the configuration and management of your infrastructure. But what about risks and compliance issues of your infrastructure?
Regulatory compliance is a fact of life for every enterprise. With Chef Compliance you can scan for risks and compliance issues with easy-to-understand, customizable reports and visualization.
You can then use Chef to automate the remediation of issues and use Chef Compliance to implement a continuous audit of applications and infrastructure.
The Chef Compliance server is a centralized location from which all aspects of the state or your infrastructure’s compliance can be managed.
With Chef Compliance you can test any node in your infrastructure, including all of the common UNIX and Linux platforms and most versions of Microsoft Windows.
Chef Compliance can continuously test any node against the goals of your organization’s security management lifecycle for risks and compliance issues.
Chef Compliance can run without any other Chef software installed on the Chef Compliance server machine.
The nodes you scan don't even need Chef software on them if you are scanning them for compliance.
However, you would need Chef software to create and implement remediation recipes if you choose to use recipes to remediate compliance issues.
Chef Compliance leverages InSpec.
InSpec is an open-source run-time framework and rule language used to specify compliance, security, and policy requirements for testing any node in your infrastructure. The InSpec name refers to “infrastructure specification
InSpec includes a collection of resources to help you write auditing rules quickly and easily using the Compliance DSL.
Use InSpec to examine any node in your infrastructure; run the tests locally or remotely.
Any detected security, compliance, or policy issues are flagged in a log and displayed in reports.
The InSpec audit resource framework is fully compatible with Chef Compliance.
Instructor note: InSpec is similar to ServerSpec but learners who have no experience with Serverspec may be confused by the reference.
This works but is sub-optimal.
The location of the sshd_config file must be known
A regular expression (RegEx) is used
This works but is sub-optimal.
The location of the sshd_config file must be known – InSpec knows the default location for this file
A regular expression (RegEx) is used
This works but is sub-optimal.
The location of the sshd_config file must be known – InSpec knows the default location for this file
A regular expression (RegEx) is used – InSpec understands how this file works, it’s a set of keys and values
Compliance profiles exist for many scenarios, such as those created by the Center for Internet Security (CIS), a non-profit organization that is focused on enhancing the cyber security readiness and response of public and private sector entities.
Chef Compliance maintains profiles as a collection of individual controls that comprise a complete audit. For example, CIS benchmark 8.1.1.1 recommends testing for the maximum size of the audit log.
You can also create your own custom Compliance profiles.