Compliance Automation with Inspec Part 2
•Descargar como PPTX, PDF•
2 recomendaciones•1,080 vistas
Part 2 of Compliance Automation with Inspec Overview presented on 9/29 at TSA DevOps Transformation Day
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Destacado (18)
Similar a Compliance Automation with Inspec Part 2
Similar a Compliance Automation with Inspec Part 2 (20)
Más de Chef
Más de Chef (14)
Último
Último (20)
Compliance Automation with Inspec Part 2
- 1. Getting Started with Compliance Automation
- 5. SSH Control SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
- 6. How will I verify this?
- 7. Whip up a one-liner! grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
- 8. Apache Server Information Leakage – Server Token Directive• Description This Directive Controls weather Server response field is sent back to clients includes a description of Generic OS Type of the Server. This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. • How to Test In order to test for ServerToken configuration, one should check the Apache configuration file. • Misconfiguration ServerTokens Full • Remediation Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request. ServerTokens Prod or ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache
- 9. Whip up a one-liner! grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
- 11. Whip up a two-liner! TARGET=2 grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' > /dev/null && echo $TARGET
- 17. Two-thirds of organizations did not adequately test the security of all in-scope systems
- 18. Key Trends • While individual rule compliance is up, testing of security systems is down • Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
- 20. Shell Scripts grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
- 21. Infrastructure Code package 'httpd' do action :install end service 'httpd' do action [ :start, :enable ] end
- 22. What We Have Here Is A Communications Problem
- 30. ©2016 Chef Software Inc. 2-30 Chef Compliance Identify compliance issues, security risks, and outdated software with customizable reports. Write your own compliance rules in InSpec or get started quickly by using built-in profiles – predefined rule sets for a variety of security frameworks.
- 31. ©2016 Chef Software Inc. 2-31 Chef Compliance Chef Automate - Compliance Your Infrastructure LAN/WAN
- 32. ©2016 Chef Software Inc. 2-32 Chef Compliance Chef Compliance can run without any other Chef software installed. The nodes you scan don't even need Chef software on them if you are scanning them for compliance. However, you would need Chef software to create and implement remediation recipes.
- 33. ©2016 Chef Software Inc. 2-33 Chef Compliance Reports: Chef Compliance can produce reports that indicate risks and issues classified by severity and impact levels. Compliance Profiles: You can get started quickly with pre-built Compliance profiles for scanning Linux and Windows nodes.
- 34. ©2016 Chef Software Inc. 2-34 Chef Compliance leverages InSpec. InSpec is an open-source run-time framework and rule language used to specify compliance, security, and policy requirements for testing any node in your infrastructure. Turn Compliance into Code control 'cis-3.1' do impact 0.7 title 'Set Daemon umask' desc ' Set the default umask for all processes started at boot time. ' describe file('/etc/sysconfig/init') do its('content') {should match 'umask 027'} end end
- 35. ©2016 Chef Software Inc. 2-35 InSpec includes a collection of resources to help you write auditing rules quickly and easily using the Compliance DSL. Use InSpec to examine any node in your infrastructure; run the tests locally or remotely. Any detected security, compliance, or policy issues are flagged in a log and in Chef Compliance, displayed in a GUI. Clearly Express Statements of Policy describe port(80) do it { should_not be_listening } end describe port(443) do it { should be_listening } its('protocols') {should include 'tcp'} end
- 36. ©2016 Chef Software Inc. 2-36 Find Issues Early Execute the compliance tests as part of your local development. Use InSpec as part of the Test Kitchen verification. Check running systems against your Compliance Profiles.
- 37. ©2016 Chef Software Inc. 2-37 Write code quickly InSpec includes a collection of resources that help you write audit controls quickly and easily.
- 38. ©2016 Chef Software Inc. 2-38 Write code quickly describe file('/etc/ssh/sshd_config') do its(:content) { should match /Protocol 2/ } end
- 39. ©2016 Chef Software Inc. 2-39 Write code quickly describe sshd_config do its(:content) { should match /Protocol 2/ } end
- 40. ©2016 Chef Software Inc. 2-40 Write code quickly describe sshd_config do its('Protocol') { should cmp 2 } end
- 41. ©2016 Chef Software Inc. 2-41 Available Resources apache apache_conf apt audit_policy auditd_conf auditd_rules bash bond bridge command csv directory etc_group file gem group grub_conf host iis_site inetd_conf ini interface iptables json kernel_module kernel_paramet er limits_conf login_def mount mssql_session mysql mysql_conf mysql_session npm ntp_conf oneget os os_env package parse_config passwd pip port postgres postgres_conf postgres_sessi on powershell processes registry_key security_policy service shadow ssh_conf ssl user vbscript windows_feature wmi xinetd yaml yum
- 42. ©2016 Chef Software Inc. 2-42 Run Code Anywhere Test Locally: $ inspec exec test.rb
- 43. ©2016 Chef Software Inc. 2-43 Run Code Anywhere Remote via SSH: $ inspec exec test.rb -t ssh://54.163.150.246 --user=chef -- password=chef.io
- 44. ©2016 Chef Software Inc. 2-44 Run Code Anywhere Remote via WinRM: $ inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super
- 45. ©2016 Chef Software Inc. 2-45 Run Code Anywhere Docker Container $ inspec exec test.rb -t docker://3dda08e75838
- 46. ©2016 Chef Software Inc. 2-46 Run Code Anywhere $ inspec exec test.rb $ inspec exec test.rb -i ~/.aws/nathen.pem -t ssh://ec2-user@54.152.7.203 $ inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super $ inspec exec test.rb -t docker://3dda08e75838
- 47. ©2016 Chef Software Inc. 2-47 Inspect machines, data, & APIs describe host('example.com', port: 80, proto: 'tcp') do it { should be_reachable } end
- 48. ©2016 Chef Software Inc. 2-48 Inspect machines, data, & APIs describe mysql_conf do its('slow_query_log_file') { should eq 'hostname_slow.log' } its('slow_query_log') { should eq '0' } its('log_queries_not_using_indexes') { should eq '1' } its('long_query_time') { should eq '0.5' } its('min_examined_row_limit') { should eq '100' } end
- 49. ©2016 Chef Software Inc. 2-49 Inspect machines, data, & APIs control 'sg-1' do impact 1.0 title 'Security Group: No ingress access to CIDR block 0.0.0.0/0' desc 'Security Groups must not allow inbound access from anywhere' Vpc.new(id: ENV['vpc_id']).security_groups.each do |security_group| describe security_group do it { should_not have_ingress_rule().with_source('0.0.0.0/0') } end end end
- 50. ©2016 Chef Software Inc. 2-50 Compliance profiles exist for many scenarios, such as those created by the Center for Internet Security (CIS) Chef Compliance maintains profiles as a collection of individual controls that comprise a complete audit. You can also create your own custom Compliance profiles. Compliance Profiles
- 51. ©2016 Chef Software Inc. 2-51 Compliance Web UI The Chef Compliance web UI provides views into compliance scan results as well as views of Chef Compliance profiles. You execute scans via the Compliance web UI as well.
- 52. ©2016 Chef Software Inc.
Notas del editor
- I’m an application developer! When I build apps, they go through various stages to get to my production environment.
- I heard we were going to be audited. The auditor showed up and wanted to audit our environment. I was a little nervous also self-assured. I was managing my infrastructure on AWS, everything is automated with Chef, how bad could it be.
- The auditor handed me a list of controls to verify.
- The auditor handed me a list of controls to verify.
- This took forever…but once it was done I took solace in the fact that the auditors wouldn’t return for at least another six months. We could get back to our normal development process.
- “Not so fast!” said our security team. We had to introduce a Security Review phase to our delivery.
- This is how I think of “security reviews” – they slow down the flow and change backs up. The more changes back up, the more we need to “expedite” or “force” things through the dam in order to satisfy LoB needs. Which leads to…
- Ok, so we still need to assure ourselves that things are "secure", right? So what we do is replace this security 'gate" with "scanning" At some later date Not with the same cadence as we're flowing changes through the system Usually only when the auditors are on site Which is why the sustainability is low – same thing as mentioned in the PCI report from Verizon
- How many of you are in regulated industries? It's so bad that you don't have to go past the first page of this report…
- 80% of companies still fail at interim assessment CAGR of 66% in security incidents since 2009.
- The auditor handed me a list of controls to verify.
- I think we need to stop whatever we’re doing and go back to first principles for a second.
- First I want to start defining security and compliance. These are not the same thing, although obviously they are related. Up until now we have been primarily concerned with compliance activities. Actually in many cases you could be “compliant” without achieving the intended aims of standards, which is to assure security. The objective isn't to pass the compliance audit, the objective is to actually make our systems more secure. You can spend a lot of time negotiating with auditors and getting them to accept "compensating controls" and the like in order to pass a compliance audit, but this is what Jez Humble would call "compliance theatre". How much can you pull the wool over the eyes of your auditors while still having a company that still has huge risks?
- Before you can be compliant, you first have to truly be secure. Compliance is about: Don’t get hacked Don’t lose data Compliance activities aren’t just about “making auditors go away” which is how we’ve treated them.
- We always talk about how in DevOps it's not about the tools, it's about the culture. But you want to choose tools that will help you reinforce the culture you want. I've spent the first part of this presentation talking about how that it's the culture and mindset of how to do security and compliance culture that are problematic these days. Now I'll talk about how you can use tools and processes to help get to the culture you want, which is to build in security as part of the quality of getting a thing to production.
- One of our beliefs is that the world of humans acting directly on computers is over – it’s not scalable, it’s not reproducible, it’s not testable
- So the future is clearly humans acting on code, and code acting on machines – that’s the era that Chef grew up in.
- For the purposes of compliance, we actually wanted a common language, in code, that would allow all audiences – compliance, security, and devops – to collaborate on. And this code will then act on systems. And for this I’d like to turn it over to my colleague Galen Emery to show you Chef Compliance, and that language we invented, called InSpec.
- By now you are probably aware of how Chef automates the configuration and management of your infrastructure. But what about risks and compliance issues of your infrastructure? Regulatory compliance is a fact of life for every enterprise. With Chef Compliance you can scan for risks and compliance issues with easy-to-understand, customizable reports and visualization. You can then use Chef to automate the remediation of issues and use Chef Compliance to implement a continuous audit of applications and infrastructure.
- The Chef Compliance server is a centralized location from which all aspects of the state or your infrastructure’s compliance can be managed. With Chef Compliance you can test any node in your infrastructure, including all of the common UNIX and Linux platforms and most versions of Microsoft Windows. Chef Compliance can continuously test any node against the goals of your organization’s security management lifecycle for risks and compliance issues.
- Chef Compliance can run without any other Chef software installed on the Chef Compliance server machine. The nodes you scan don't even need Chef software on them if you are scanning them for compliance. However, you would need Chef software to create and implement remediation recipes if you choose to use recipes to remediate compliance issues.
- Chef Compliance leverages InSpec. InSpec is an open-source run-time framework and rule language used to specify compliance, security, and policy requirements for testing any node in your infrastructure. The InSpec name refers to “infrastructure specification InSpec includes a collection of resources to help you write auditing rules quickly and easily using the Compliance DSL. Use InSpec to examine any node in your infrastructure; run the tests locally or remotely. Any detected security, compliance, or policy issues are flagged in a log and displayed in reports. The InSpec audit resource framework is fully compatible with Chef Compliance. Instructor note: InSpec is similar to ServerSpec but learners who have no experience with Serverspec may be confused by the reference.
- This works but is sub-optimal. The location of the sshd_config file must be known A regular expression (RegEx) is used
- This works but is sub-optimal. The location of the sshd_config file must be known – InSpec knows the default location for this file A regular expression (RegEx) is used
- This works but is sub-optimal. The location of the sshd_config file must be known – InSpec knows the default location for this file A regular expression (RegEx) is used – InSpec understands how this file works, it’s a set of keys and values
- Compliance profiles exist for many scenarios, such as those created by the Center for Internet Security (CIS), a non-profit organization that is focused on enhancing the cyber security readiness and response of public and private sector entities. Chef Compliance maintains profiles as a collection of individual controls that comprise a complete audit. For example, CIS benchmark 8.1.1.1 recommends testing for the maximum size of the audit log. You can also create your own custom Compliance profiles.