Getting Started with Compliance Automation
Remediation
InSpec: Turn security and compliance into code
• Translate compliance into code
• Clearly express statements of policy
• Move risk to build/test from runtime
• Find issues early
• Write code quickly
• Run code anywhere
• Inspect machines, data and APIs
A simple example of an InSpec CIS rule
Part of a process of continuous compliance
(Diagram: Scan for Compliance → Build & Test Locally → Build & Test CI/CD → Remediate → Verify)
©2016 Chef Software Inc. 3-4
Objectives
After completing this module, you should be able to:
• Remediate a compliance issue.
• Test your remediation locally.
• Test for compliance with InSpec from the CLI.
• Rescan the node and ensure compliance.
Let's Remediate the Issue
Now that we've identified the SSH protocol version issue, let's write a recipe on the target node to remediate it.
Then we'll run the compliance scan again to see whether the remediation succeeded.
Note: In this course we write the recipe directly on the node that we're running scans on. In a production environment you would normally write such recipes locally and upload them to the Chef Server; the nodes would then converge the recipes on their next chef-client run.
Objective:
GL: Remediating the Issue
• Start writing a remediation recipe on that node.
• Test the recipe locally.
• Test for compliance with InSpec from the command line interface (CLI).
• Converge the recipe.
• Rescan the node and ensure compliance.
GL: Remediating the Issue
Log in to your target node (not your compliance server node) using ssh and ensure you are in the home directory.
Note: emacs, nano, and vim/vi are installed on your Linux nodes. Some tips for using them can be found below in your participant guide.
GL: Create and Change to a ‘cookbooks’ Directory
From the home directory, create a `cookbooks` directory and navigate into it.
$ mkdir -p cookbooks
$ cd cookbooks
GL: Create an SSH Cookbook
$ chef generate cookbook ssh
Generating cookbook ssh
- Ensuring correct cookbook file content
- Committing cookbook files to git
- Ensuring delivery configuration
- Ensuring correct delivery build cookbook content
- Adding delivery configuration to feature branch
- Adding build cookbook to feature branch
- Merging delivery content feature branch to master
Your cookbook is ready. Type `cd ssh` to enter it.
…
GL: Create an SSH Server Recipe
$ chef generate recipe ssh server
Recipe: code_generator::recipe
* directory[./ssh/spec/unit/recipes] action create (up to date)
* cookbook_file[./ssh/spec/spec_helper.rb] action create_if_missing (up to date)
* template[./ssh/spec/unit/recipes/server_spec.rb] action create_if_missing
- create new file ./ssh/spec/unit/recipes/server_spec.rb
- update content in file ./ssh/spec/unit/recipes/server_spec.rb from none to 301b96
(diff output suppressed by config)
* directory[./ssh/test/recipes] action create (up to date)
* template[./ssh/test/recipes/server.rb] action create_if_missing
- create new file ./ssh/test/recipes/server.rb
- update content in file ./ssh/test/recipes/server.rb from none to e2c349
(diff output suppressed by config)
* template[./ssh/recipes/server.rb] action create
- create new file ./ssh/recipes/server.rb
- update content in file ./ssh/recipes/server.rb from none to adc474
(diff output suppressed by config)
GL: Create an SSH Config Template
$ chef generate template ssh sshd_config.erb -s /etc/ssh/sshd_config
Recipe: code_generator::template
* directory[./ssh/templates/default] action create
- create new directory ./ssh/templates/default
* file[./ssh/templates/sshd_config.erb] action create
- create new file ./ssh/templates/sshd_config.erb
- update content in file ./ssh/templates/sshd_config.erb from none to 1c625d
(diff output suppressed by config)
GL: Write the Server Recipe
~/cookbooks/ssh/recipes/server.rb
#
# Cookbook Name:: ssh
# Recipe:: server
#
# Copyright (c) 2016 The Authors, All Rights Reserved.
template '/etc/ssh/sshd_config' do
  source 'sshd_config.erb'
  owner 'root'
  group 'root'
  mode '0644'
end
Objective:
GL: Testing the Recipe
• Write a remediation recipe on that node.
• Test the recipe locally.
• Test for compliance with InSpec from the command line interface (CLI).
• Converge the recipe.
• Rescan the node and ensure compliance.
GL: Navigate to your SSH Cookbook
$ cd ~/cookbooks/ssh/
GL: Edit your .kitchen.yml -- Part 1
~/cookbooks/ssh/.kitchen.yml
---
driver:
  name: docker
provisioner:
  name: chef_zero
GL: Edit your .kitchen.yml -- Part 2
~/cookbooks/ssh/.kitchen.yml
platforms:
  # - name: ubuntu-14.04
  - name: centos-7.2
suites:
  - name: default
    run_list:
      - recipe[ssh::default]
    attributes:
GL: Edit your .kitchen.yml -- Part 3
~/cookbooks/ssh/.kitchen.yml
platforms:
  # - name: ubuntu-14.04
  - name: centos-7.2
suites:
  - name: server
    run_list:
      - recipe[ssh::server]
    attributes:
GL: Run `kitchen list` from ~/cookbooks/ssh/
$ kitchen list
Instance Driver Provisioner Verifier Transport Last Action
server-centos-72 Docker ChefZero Inspec Ssh <Not Created>
GL: Run `delivery local deploy`
$ delivery local deploy
Chef Delivery
Running Deploy Phase
-----> Starting Kitchen (v1.11.1)
-----> Creating <server-centos-72>...
Sending build context to Docker daemon 200.2 kB
Sending build context to Docker daemon
Step 0 : FROM centos:centos7
---> d83a55af4e75
…
Running handlers:
Running handlers complete
Chef Client finished, 1/1 resources updated in 01 seconds
Finished converging <server-centos-72> (0m15.50s).
-----> Kitchen is finished. (0m18.12s)
What We've Done So Far
In the preceding exercises, we began writing a remediation recipe on our
target node.
We also tested the recipe locally.
But have we even addressed the "Set the SSH protocol version to 2" issue?
Objective:
GL: Using InSpec for Verification
• Write a remediation recipe on that node.
• Test the recipe locally.
• Test for compliance with InSpec from the command line interface (CLI).
• Converge the recipe.
• Rescan the node and ensure compliance.
InSpec Test
~/cookbooks/ssh/test/recipes/server.rb
control 'sshd-11' do
  impact 1.0
  title 'Server: Set protocol version to SSHv2'
  desc "
    Set the SSH protocol version to 2. Don't use legacy
    insecure SSHv1 connections anymore.
  "
  describe sshd_config do
    its('Protocol') { should eq('2') }
  end
end
Example of Creating the 'server.rb' file
One handy way to populate the preceding 'server.rb' is to use the Compliance Web
UI and copy the InSpec code found in the relevant Compliance profile:
Compliance > Base SSH > Server: Set protocol version to SSHv2
Running InSpec from the Command Line Interface (CLI)
InSpec is an executable application.
InSpec can execute on remote hosts, including Docker containers.
You can use `inspec exec` to run tests at a specified path.
GL: What is your Docker ID?
$ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5b51a4237437 d5b8fd3299b4 "/usr/sbin/sshd -D - 41 minutes ago Up 41 minutes 0.0.0.0:32768->22/tcp grave_davinci
GL: Running InSpec from the CLI
$ inspec exec ~/cookbooks/ssh/test/recipes/server.rb -t docker://b5813235642a
Target: docker://b5813235642a3bb61912cf5cda47a02b2297d40c4ec4d62407580f1138acee5b
✖ sshd-11: Server: Set protocol version to SSHv2 (
expected: "2"
got: nil
(compared using ==)
)
Summary: 0 successful, 1 failures, 0 skipped
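As an added example that is not code from the course or from InSpec itself, here is a plain-Ruby model of what the sshd-11 control checks (`its('Protocol') { should eq('2') }`) and of the template change that fixes it. It shows why the first run reports `got: nil`: a commented `# Protocol 2,1` line is not a setting. The parsing rules (comments ignored, keywords case-insensitive, first occurrence wins) are assumptions modelled on sshd's own behaviour, and the sample configuration is constructed.

```ruby
# Added example: a plain-Ruby model of the sshd-11 check and its remediation.
# It mirrors InSpec's sshd_config resource only as far as this exercise needs
# (assumption): comment and blank lines are ignored, keywords are
# case-insensitive and, like sshd itself, the first occurrence of a keyword wins.

# Constructed sample: the relevant part of the container's sshd_config
# before the template was changed. The Protocol line is commented out.
SSHD_CONFIG_BEFORE = <<~CONF
  # Disable legacy (protocol version 1) support in the server for new
  # installations. In future the default will change to require explicit
  # activation of protocol 1
  # Protocol 2,1

  # HostKey for protocol version 1
  #HostKey /etc/ssh/ssh_host_key
  PermitRootLogin no
CONF

# Parse "Keyword value" lines into a hash keyed by the lowercased keyword.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    keyword, value = line.split(/\s+/, 2)
    next if keyword.nil? || value.nil?
    # sshd applies the first value it sees for a keyword; later ones are ignored.
    settings[keyword.downcase] ||= value.strip
  end
  settings
end

# What `its('Protocol')` yields: the value, or nil when the line is absent
# or commented out. This is the "got: nil" of the failing run.
def sshd_protocol(text)
  parse_sshd_config(text)['protocol']
end

# The sshd-11 control as a function: pass only when Protocol is exactly "2".
def sshd_11_control(text)
  got = sshd_protocol(text)
  { id: 'sshd-11', passed: got == '2', expected: '2', got: got }
end

# The edit made to sshd_config.erb, expressed as a text transform:
# rewrite the active Protocol line if there is one, otherwise replace the
# first commented one, otherwise append. Idempotent, so re-running it on an
# already-remediated file changes nothing (the converge stays "up to date").
def remediate_protocol(text)
  return text if sshd_protocol(text) == '2'
  active    = /^[ \t]*Protocol[ \t]+.*$/i
  commented = /^[ \t]*#[ \t]*Protocol[ \t]+.*$/i
  if text.match?(active)
    text.sub(active, 'Protocol 2')
  elsif text.match?(commented)
    text.sub(commented, 'Protocol 2')
  else
    text + "Protocol 2\n"
  end
end

if __FILE__ == $PROGRAM_NAME
  before = sshd_11_control(SSHD_CONFIG_BEFORE)
  puts "before remediation: #{before[:passed] ? '✔' : '✖'} #{before[:id]} got=#{before[:got].inspect}"
  fixed = remediate_protocol(SSHD_CONFIG_BEFORE)
  after = sshd_11_control(fixed)
  puts "after remediation:  #{after[:passed] ? '✔' : '✖'} #{after[:id]} got=#{after[:got].inspect}"
end
```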
GL: Update the Template
~/cookbooks/ssh/templates/sshd_config.erb
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
# Protocol 2
Protocol 2
GL: Ensure you are in ~/cookbooks/ssh
$ cd ~/cookbooks/ssh
...
Recipe: ssh::server
* template[/etc/ssh/sshd_config] action create
- update content in file /etc/ssh/sshd_config from 1c625d to 9a55f5
--- /etc/ssh/sshd_config 2016-08-23 09:36:11.709616840 +0000
+++ /etc/ssh/.chef-sshd_config20160823-542-9zyy0 2016-08-23 09:51:29.745616840
+0000
@@ -18,7 +18,7 @@
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
-# Protocol 2,1
+Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
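Review bot: the hunk changes exactly one line, `-# Protocol 2,1` to `+Protocol 2`, which is the intended remediation, but nothing in this converge restarts sshd: the server recipe on slide 3-13 has no `notifies :restart, 'service[sshd]'` on the template resource, so a running daemon keeps its old configuration until it is restarted, while the sshd-11 control, which reads the file, already reports a pass. Add a `service 'sshd'` resource and `notifies :restart, 'service[sshd]', :delayed` to the template. Note also that because the template was generated from a snapshot of the node's own /etc/ssh/sshd_config (the `-s` option on slide 3-12), the template now owns the whole file, so any later hand edit on the node is reverted on the next converge, which is what the `from 1c625d to 9a55f5` checksum line would then show.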
$ delivery local deploy
GL: Run `delivery local deploy`
GL: Running InSpec from the CLI
$ inspec exec ~/cookbooks/ssh/test/recipes/server.rb -t docker://CONTAINER_ID
Target: docker://b5813235642a3bb61912cf5cda47a02b2297d40c4ec4d62407580f1138acee5b
✔ sshd-11: Server: Set protocol version to SSHv2
Summary: 1 successful, 0 failures, 0 skipped
Smoke test with delivery
$ delivery local smoke
Chef Delivery
Running Smoke Phase
-----> Starting Kitchen (v1.11.1)
-----> Setting up <server-centos-72>...
$$$$$$ Running legacy setup for 'Docker' Driver
Finished setting up <server-centos-72> (0m0.00s).
-----> Verifying <server-centos-72>...
Use `/home/chef/cookbooks/ssh/test/recipes/server` for testing
Target: ssh://kitchen@localhost:32770
✔ sshd-11: Server: Set protocol version to SSHv2
○ User root should exist; User root This is an example test, r... (1 skipped)
This is an example test, replace with your own test.
○ Port 80 should not be listening; Port 80 This is an example ... (1 skipped)
This is an example test, replace with your own test.
Summary: 3 successful, 0 failures, 2 skipped
Finished verifying <server-centos-72> (0m0.35s).
-----> Kitchen is finished. (0m0.93s)
...
+++ /etc/ssh/.ssh_config20151209-10413-hlk9ow 2015-12-09
20:37:07.621689137 +0000
@@ -37,7 +37,7 @@
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
-# Protocol 2,1
+Protocol 2
# Cipher 3desesources updated in 3.29477735 seconds
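Review bot: this hunk does not show the server remediation it is meant to illustrate: the temporary file is `/etc/ssh/.ssh_config20151209-…`, the context lines (`# IdentityFile ~/.ssh/id_rsa`, `# Port 22`, `# Cipher 3des`) are client-side ssh_config keywords, and the timestamp is 2015-12-09 rather than the 2016-08-23 run on slide 3-31, so this output appears to come from an older exercise that managed the client configuration. A converge of `ssh::server` on the target node should produce a hunk against /etc/ssh/sshd_config like the one on slide 3-31. The last line is also truncated (`# Cipher 3desesources updated in …`), so replace this capture with the actual output of the chef-client run.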
$ sudo chef-client --local-mode -r 'recipe[ssh::server]'
GL: Apply the New SSH Recipe
GL: Re-run the Compliance Scan
Return to the Compliance Web UI and re-run the scan on your target node.
Be sure to run only the base/ssh scan as shown on the next slide.
GL: Re-run the Compliance Scan
Run only the base/ssh scan.
GL: Results of this Exercise
Your scan should now show the SSH protocol version control as compliant.
Conclusion
• Log in to your target node.
• Write a remediation recipe on that node.
• Test the recipe locally.
• Test for compliance with InSpec from the CLI.
• Converge the recipe.
• Rescan the node and ensure compliance.
Review Questions
1. When adding a node to the Compliance server's dashboard, should you use the node's FQDN or just its IP address?
2. What can `inspec exec` be used for?
3. How are compliance severities defined?
4. Using the image on the right, what section is the actual test?
Review Questions
5. If a compliance scan tells you that a node is unreachable, what might you use to troubleshoot the connection?
6. What language is used to define controls?
London Community Summit 2016 - Adopting Chef Compliance
 
Alaska Airlines DevOps Journey
Alaska Airlines DevOps JourneyAlaska Airlines DevOps Journey
Alaska Airlines DevOps Journey
 
And The Slow Suffer What They Must
And The Slow Suffer What They MustAnd The Slow Suffer What They Must
And The Slow Suffer What They Must
 
Visualizing your journey with chef
Visualizing your journey with chefVisualizing your journey with chef
Visualizing your journey with chef
 
The New IT Game
The New IT GameThe New IT Game
The New IT Game
 
How to Accelerate Agile, Lean and DevOps Adoption Across Your Organization
How to Accelerate Agile, Lean and DevOps Adoption Across Your OrganizationHow to Accelerate Agile, Lean and DevOps Adoption Across Your Organization
How to Accelerate Agile, Lean and DevOps Adoption Across Your Organization
 
Our DevOps Journey - An Exercise in Cultural Change
Our DevOps Journey - An Exercise in Cultural ChangeOur DevOps Journey - An Exercise in Cultural Change
Our DevOps Journey - An Exercise in Cultural Change
 
Chef andwindows reactor
Chef andwindows reactorChef andwindows reactor
Chef andwindows reactor
 

Recently uploaded

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Recently uploaded (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Compliance Automation with Inspec Part 4

  • 1. Getting Started with Compliance Automation
  • 3. InSpec: Turn security and compliance into code
    • Translate compliance into code
    • Clearly express statements of policy
    • Move risk to build/test from runtime
    • Find issues early
    • Write code quickly
    • Run code anywhere
    • Inspect machines, data and APIs
    A simple example of an InSpec CIS rule
    Part of a process of continuous compliance: Scan for Compliance > Build & Test Locally > Build & Test CI/CD > Remediate > Verify
  • 4. ©2016 Chef Software Inc. 3-4
    Objectives
    After completing this module, you should be able to:
     Remediate a compliance issue.
     Test your remediation locally.
     Test for compliance with InSpec from the CLI.
     Rescan the node and ensure compliance.
  • 5. ©2016 Chef Software Inc. 3-5
    Let's Remediate the Issue
    Now that we've identified the ssh version issue, let's write a recipe on the target node to remediate the issue. Then we'll run the compliance scan again to see if we successfully remediated the issue.
    Note: In this course we will write a recipe directly on the node that we're running scans on. Of course, in a production environment you will likely write such recipes locally and upload them to Chef Server. The nodes would then converge the recipes on their next chef-client run.
  • 6. ©2016 Chef Software Inc. 3-6
    Objective: GL: Remediating the Issue
     Start writing a remediation recipe on that node.
     Test the recipe locally.
     Test for compliance with InSpec from the command line interface (CLI).
     Converge the recipe.
     Rescan the node and ensure compliance.
  • 7. ©2016 Chef Software Inc. 3-7
    GL: Remediating the Issue
    Log in to your target node (not your compliance server node) using ssh and ensure you are in the home directory.
    Note: emacs, nano, and vim/vi are installed on your Linux nodes. Some tips for using them can be found below in your participant guide.
  • 8. ©2016 Chef Software Inc. 3-8
    GL: Create and Change to a 'cookbooks' Directory
    From the home directory, create a `cookbooks` directory and navigate into it.
    $ mkdir -p cookbooks
    $ cd cookbooks
  • 9. ©2016 Chef Software Inc. 3-9
    GL: Create an SSH Cookbook
    $ chef generate cookbook ssh
    Generating cookbook ssh
    - Ensuring correct cookbook file content
    - Committing cookbook files to git
    - Ensuring delivery configuration
    - Ensuring correct delivery build cookbook content
    - Adding delivery configuration to feature branch
    - Adding build cookbook to feature branch
    - Merging delivery content feature branch to master
    Your cookbook is ready. Type `cd ssh` to enter it.
    …
  • 10. ©2016 Chef Software Inc. 3-10
    GL: Create an SSH Server Recipe
    $ chef generate recipe ssh server
    Recipe: code_generator::recipe
      * directory[./ssh/spec/unit/recipes] action create (up to date)
      * cookbook_file[./ssh/spec/spec_helper.rb] action create_if_missing (up to date)
      * template[./ssh/spec/unit/recipes/server_spec.rb] action create_if_missing
        - create new file ./ssh/spec/unit/recipes/server_spec.rb
        - update content in file ./ssh/spec/unit/recipes/server_spec.rb from none to 301b96
        (diff output suppressed by config)
      * directory[./ssh/test/recipes] action create (up to date)
      * template[./ssh/test/recipes/server.rb] action create_if_missing
        - create new file ./ssh/test/recipes/server.rb
        - update content in file ./ssh/test/recipes/server.rb from none to e2c349
        (diff output suppressed by config)
      * template[./ssh/recipes/server.rb] action create
        - create new file ./ssh/recipes/server.rb
        - update content in file ./ssh/recipes/server.rb from none to adc474
        (diff output suppressed by config)
  • 11. ©2016 Chef Software Inc. 3-11
    GL: Create an SSH Config Template
    $ chef generate template ssh sshd_config.erb -s /etc/ssh/sshd_config
    Recipe: code_generator::template
      * directory[./ssh/templates/default] action create
        - create new directory ./ssh/templates/default
      * file[./ssh/templates/sshd_config.erb] action create
        - create new file ./ssh/templates/sshd_config.erb
        - update content in file ./ssh/templates/sshd_config.erb from none to 1c625d
        (diff output suppressed by config)
  • 12. ©2016 Chef Software Inc. 3-12
    GL: Write the Server Recipe
    ~/cookbooks/ssh/recipes/server.rb
      #
      # Cookbook Name:: ssh
      # Recipe:: server
      #
      # Copyright (c) 2016 The Authors, All Rights Reserved.

      template '/etc/ssh/sshd_config' do
        source 'sshd_config.erb'
        owner 'root'
        group 'root'
        mode '0644'
      end
  • 13. ©2016 Chef Software Inc. 3-13
    Objective: GL: Testing the Recipe
     Write a remediation recipe on that node.
     Test the recipe locally.
     Test for compliance with InSpec from the command line interface (CLI).
     Converge the recipe.
     Rescan the node and ensure compliance.
  • 14. ©2016 Chef Software Inc. 3-14
    GL: Navigate to your SSH Cookbook
    $ cd ~/cookbooks/ssh/
  • 15. ©2016 Chef Software Inc. 3-15
    GL: Edit your .kitchen.yml -- Part 1
    ~/cookbooks/ssh/.kitchen.yml
      ---
      driver:
        name: docker

      provisioner:
        name: chef_zero
  • 16. ©2016 Chef Software Inc. 3-16
    GL: Edit your .kitchen.yml -- Part 2
    ~/cookbooks/ssh/.kitchen.yml
      platforms:
        # - name: ubuntu-14.04
        - name: centos-7.2

      suites:
        - name: default
          run_list:
            - recipe[ssh::default]
          attributes:
  • 17. ©2016 Chef Software Inc. 3-17
    GL: Edit your .kitchen.yml -- Part 3
    ~/cookbooks/ssh/.kitchen.yml
      platforms:
        # - name: ubuntu-14.04
        - name: centos-7.2

      suites:
        - name: server
          run_list:
            - recipe[ssh::server]
          attributes:
  • 18. ©2016 Chef Software Inc. 3-18
    GL: Run `kitchen list` from ~/cookbooks/ssh/
    $ kitchen list
    Instance          Driver  Provisioner  Verifier  Transport  Last Action
    server-centos-72  Docker  ChefZero     Inspec    Ssh        <Not Created>
  • 19. ©2016 Chef Software Inc. 3-19
    GL: Run `delivery local deploy`
    $ delivery local deploy
    Chef Delivery
    Running Deploy Phase
    -----> Starting Kitchen (v1.11.1)
    -----> Creating <server-centos-72>...
           Sending build context to Docker daemon 200.2 kB
           Sending build context to Docker daemon
           Step 0 : FROM centos:centos7
            ---> d83a55af4e75
    …
           Running handlers:
           Running handlers complete
           Chef Client finished, 1/1 resources updated in 01 seconds
           Finished converging <server-centos-72> (0m15.50s).
    -----> Kitchen is finished. (0m18.12s)
  • 20. ©2016 Chef Software Inc. 3-20
    What We've Done So Far
    In the preceding exercises, we began writing a remediation recipe on our target node. We also tested the recipe locally. But have we even addressed the "Set the SSH protocol version to 2" issue?
  • 21. ©2016 Chef Software Inc. 3-21
    Objective: GL: Using InSpec for Verification
     Write a remediation recipe on that node.
     Test the recipe locally.
     Test for compliance with InSpec from the command line interface (CLI).
     Converge the recipe.
     Rescan the node and ensure compliance.
  • 22. ©2016 Chef Software Inc. 3-22
    InSpec Test
    ~/cookbooks/ssh/test/recipes/server.rb
      control 'sshd-11' do
        impact 1.0
        title 'Server: Set protocol version to SSHv2'
        desc "
          Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore.
        "
        describe sshd_config do
          its('Protocol') { should eq('2') }
        end
      end
  • 23. ©2016 Chef Software Inc. 3-23
    Example of Creating the 'server.rb' file
    One handy way to populate the preceding 'server.rb' is to use the Compliance Web UI and copy the InSpec code found in the relevant Compliance profile: Compliance > Base SSH > Server: Set protocol version to SSHv2
  • 24. ©2016 Chef Software Inc. 3-24
    Running InSpec from the Command Line Interface (CLI)
    InSpec is an executable application. InSpec can execute on remote hosts, including docker containers. You can use 'inspec exec' to run tests at a specified path.
  • 25. ©2016 Chef Software Inc. 3-26
    GL: What is your Docker ID?
    $ sudo docker ps
    CONTAINER ID  IMAGE         COMMAND               CREATED         STATUS         PORTS                   NAMES
    5b51a4237437  d5b8fd3299b4  "/usr/sbin/sshd -D -  41 minutes ago  Up 41 minutes  0.0.0.0:32768->22/tcp   grave_davinci
  • 26. ©2016 Chef Software Inc. 3-27
    GL: Running InSpec from the CLI
    $ inspec exec ~/cookbooks/ssh/test/recipes/server.rb -t docker://b5813235642a
    Target: docker://b5813235642a3bb61912cf5cda47a02b2297d40c4ec4d62407580f1138acee5b

    ✖ sshd-11: Server: Set protocol version to SSHv2 (
    expected: "2"
    got: nil
    (compared using ==)
    )

    Summary: 0 successful, 1 failures, 0 skipped
  • 27. ©2016 Chef Software Inc. 3-28
    GL: Update the Template
    ~/cookbooks/ssh/templates/sshd_config.erb
      # Disable legacy (protocol version 1) support in the server for new
      # installations. In future the default will change to require explicit
      # activation of protocol 1
      # Protocol 2
      Protocol 2
  • 28. ©2016 Chef Software Inc. 3-29
    GL: Ensure you are in ~/cookbooks/ssh
    $ cd ~/cookbooks/ssh
  • 29. ©2016 Chef Software Inc. 3-30
    GL: Run `delivery local deploy`
    $ delivery local deploy
    ...
    Recipe: ssh::server
      * template[/etc/ssh/sshd_config] action create
        - update content in file /etc/ssh/sshd_config from 1c625d to 9a55f5
        --- /etc/ssh/sshd_config	2016-08-23 09:36:11.709616840 +0000
        +++ /etc/ssh/.chef-sshd_config20160823-542-9zyy0	2016-08-23 09:51:29.745616840 +0000
        @@ -18,7 +18,7 @@
         # Disable legacy (protocol version 1) support in the server for new
         # installations. In future the default will change to require explicit
         # activation of protocol 1
        -# Protocol 2,1
        +Protocol 2

         # HostKey for protocol version 1
         #HostKey /etc/ssh/ssh_host_key
  • 30. ©2016 Chef Software Inc. 3-31
    GL: Running InSpec from the CLI
    $ inspec exec ~/cookbooks/ssh/test/recipes/server.rb -t docker://CONTAINER_ID
    Target: docker://b5813235642a3bb61912cf5cda47a02b2297d40c4ec4d62407580f1138acee5b

    ✔ sshd-11: Server: Set protocol version to SSHv2

    Summary: 1 successful, 0 failures, 0 skipped
  • 31. ©2016 Chef Software Inc. 3-32
    Smoke test with delivery
    $ delivery local smoke
    Chef Delivery
    Running Smoke Phase
    -----> Starting Kitchen (v1.11.1)
    -----> Setting up <server-centos-72>...
    $$$$$$ Running legacy setup for 'Docker' Driver
           Finished setting up <server-centos-72> (0m0.00s).
    -----> Verifying <server-centos-72>...
           Use `/home/chef/cookbooks/ssh/test/recipes/server` for testing
    Target: ssh://kitchen@localhost:32770

    ✔ sshd-11: Server: Set protocol version to SSHv2
    ○ User root should exist; User root This is an example test, r... (1 skipped)
      This is an example test, replace with your own test.
    ○ Port 80 should not be listening; Port 80 This is an example ... (1 skipped)
      This is an example test, replace with your own test.

    Summary: 3 successful, 0 failures, 2 skipped
           Finished verifying <server-centos-72> (0m0.35s).
    -----> Kitchen is finished. (0m0.93s)
  • 32. ©2016 Chef Software Inc. 3-33
    GL: Apply the New SSH Recipe
    $ sudo chef-client --local-mode -r 'recipe[ssh::server]'
    ...
        +++ /etc/ssh/.ssh_config20151209-10413-hlk9ow	2015-12-09 20:37:07.621689137 +0000
        @@ -37,7 +37,7 @@
         #   IdentityFile ~/.ssh/id_rsa
         #   IdentityFile ~/.ssh/id_dsa
         #   Port 22
        -#   Protocol 2,1
        +Protocol 2
         #   Cipher 3desesources updated in 3.29477735 seconds
  • 33. ©2016 Chef Software Inc. 3-34
    GL: Re-run the Compliance Scan
    Return to the Compliance Web UI and re-run the scan on your target node. Be sure to run only the base/ssh scan as shown on the next slide.
  • 34. ©2016 Chef Software Inc. 3-35
    GL: Re-run the Compliance Scan
    Run only the base/ssh scan.
  • 35. ©2016 Chef Software Inc. 3-36
    GL: Results of this Exercise
    Your scan should show that the ssh protocol issue is now compliant.
  • 36. ©2016 Chef Software Inc. 3-37
    Conclusion
     Log in to your target node.
     Write a remediation recipe on that node.
     Test the recipe locally.
     Test for compliance with InSpec from the CLI.
     Converge the recipe.
     Rescan the node and ensure compliance.
  • 37. ©2016 Chef Software Inc. 3-38
    Review Questions
    1. When adding a node to the Compliance server's dashboard, should you use the node's FQDN or just its IP address?
    2. What can `inspec exec` be used for?
    3. How are compliance severities defined?
    4. Using the image on the right, what section is the actual test?
  • 38. ©2016 Chef Software Inc. 3-39
    Review Questions
    5. If a compliance scan tells you that a node is unreachable, what might you use to troubleshoot the connection?
    6. What language is used to define controls?
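As an added example (this editor's code, not part of the Chef course material), the Ruby below reproduces what the `sshd-11` control on slide 22 checks and what the template change on slide 27 does, using a constructed sshd_config excerpt modelled on the diff on slide 29. The parser and `remediate_protocol` are stand-ins for InSpec's `sshd_config` resource and the Chef template; they are not InSpec or Chef code, and they show why the first run reports `got: nil` (the stock file only has Protocol as a comment).

```ruby
# Added example, not from the course: a minimal stand-in for InSpec's
# `sshd_config` resource and for the sshd_config.erb template remediation.

# Parse sshd_config text into a Hash of lower-cased directive => value.
# Mirrors the OpenSSH behaviour that matters here: blank lines and '#'
# comment lines are ignored, keywords are case-insensitive, and the first
# occurrence of a keyword wins.
def parse_sshd_config(text)
  directives = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    next if key.nil? || value.nil?
    directives[key.downcase] ||= value.strip
  end
  directives
end

# Equivalent of `its('Protocol') { should eq('2') }` in control sshd-11:
# returns [passed, actual] so a caller can print what InSpec would.
# `actual` is nil when Protocol exists only as a commented-out line.
def protocol_check(text)
  actual = parse_sshd_config(text)['protocol']
  [actual == '2', actual]
end

# Remediation matching the template edit on the slide: make every live
# Protocol directive "Protocol 2"; if there is none, uncomment the stock
# "# Protocol 2,1" placeholder; if the file never mentions Protocol, append.
# Only spaces/tabs are allowed inside the patterns so a match never spans
# a line break and eats the following line.
def remediate_protocol(text)
  active    = /^[ \t]*Protocol[ \t]+[\d, ]+[ \t]*$/i
  commented = /^[ \t]*#[ \t]*Protocol[ \t]+[\d, ]+[ \t]*$/i
  if text.match?(active)
    text.gsub(active, 'Protocol 2')
  elsif text.match?(commented)
    text.sub(commented, 'Protocol 2')
  else
    text.rstrip + "\nProtocol 2\n"
  end
end

# Constructed sample (not a real node's file) shaped like the CentOS 7
# excerpt in the slide's diff: Protocol appears only as a comment.
BEFORE = <<~CONF
  # Disable legacy (protocol version 1) support in the server for new
  # installations. In future the default will change to require explicit
  # activation of protocol 1
  # Protocol 2,1

  # HostKey for protocol version 1
  #HostKey /etc/ssh/ssh_host_key
  PermitRootLogin no
CONF

if __FILE__ == $PROGRAM_NAME
  passed, actual = protocol_check(BEFORE)
  puts "before remediation: #{passed ? 'PASS' : 'FAIL'} sshd-11 " \
       "(expected: \"2\" got: #{actual.inspect})"
  after = remediate_protocol(BEFORE)
  passed, actual = protocol_check(after)
  puts "after remediation:  #{passed ? 'PASS' : 'FAIL'} sshd-11 " \
       "(got: #{actual.inspect})"
end
```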

Editor's Notes

  1. Integrate compliance and security requirements into your automated deployment pipeline. The InSpec language lets you specify those requirements as code. When compliance is code, you can identify issues during development and not after the fact. Test large-scale environments while still moving at velocity.    Translate compliance into code. InSpec is an open-source testing framework with a human- and machine-readable language for specifying compliance, security and policy requirements. When compliance is expressed as code, you can integrate it into your deployment pipeline and automatically test for adherence to security policies.   Clearly express statements of policy. When compliance is code, rules are unambiguous and can be understood by everyone on the team. Developers know what standards they're expected to meet and auditors know exactly what is being tested. Replace spreadsheets filled with abstract descriptions with tangible tests that have a clear intent.   Find issues early. Automated compliance tests can start at the beginning of the development cycle. You'll detect any issues well before your code goes into production, when problems are expensive and time consuming to fix.   Write code quickly. The InSpec language includes a collection of resources that help you write audit controls quickly and easily. You can also create custom resources for your own particular situations. Run code anywhere. InSpec code can run in multiple platforms. You can execute the same set of tests locally, with remote commands that use SSH or WinRM, or with external mechanisms such as the Docker API.   Inspect machines, data, and APIs. Knowing that your physical servers are in compliance is, of course, essential. But your applications rely on more than just server configurations. With InSpec, you can assess data in a database or inspect the configuration of virtual resources by using their API. For example, you can check security group settings on your IaaS infrastructure. 
Compliance as Code The speed and collaboration of DevOps for security & compliance Security documents as executable code Compliance is assured from the start of the development cycle Security-focused framework DSL that helps you get started writing audit controls quickly & easily Inspec works the same way everywhere: locally, remotely, or executed via API Tailored to the needs of security professionals Flexible and extensible Easily create custom resources, if needed Create and share profiles for code reuse and modularity Inspect machine state, data state, and API configurations
  2. Emacs: (Emacs is fairly straightforward for editing files.) OPEN FILE $ emacs FILENAME WRITE FILE ctrl+x, ctrl+w EXIT ctrl+x, ctrl+c Nano: (Nano is usually touted as the easiest editor to get started with editing through the command-line.) OPEN FILE $ nano FILENAME WRITE (When exiting) ctrl+x, y, ENTER EXIT ctrl+x VIM: (Vim, like vi, is more complex because of its different modes. ) OPEN FILE $ vim FILENAME START EDITING i WRITE FILE ESC, :w EXIT ESC, :q EXIT (don't write) ESC, :q!
  3. In this step, we want to create a template file to manage our `sshd_config` file. The `-s` option in this command takes the contents of the current `/etc/ssh/sshd_config` file and places it in the `sshd_config.erb` file. Instructor Note: At this time you might want to show the class the contents of `/home/chef/cookbooks/ssh/templates/default/sshd_config.erb` to illustrate how the contents of the current `/etc/ssh/sshd_config` file is now in the `sshd_config.erb` file.
  4. Edit the `~/cookbooks/ssh/recipes/server.rb` file and add the contents shown here.
  5. To test your recipe, first navigate to where the recipe lives.
  6. Edit your `.kitchen.yml` as shown here and on the following slide. Because our node is an EC2 AWS instance, we need to change the driver from vagrant to docker. docker should already be installed on the EC2 AWS training instances.
  7. Also comment the ubuntu platform line and change the centos platform to `centos-7.2', which should be the version running on the training instance. To confirm the centos release, you could execute `more /etc/*-release` :::::::::::::: /etc/centos-release :::::::::::::: CentOS release 7.2 (Final)
  8. Finally, change the suites name to `server' and the run_list recipe name to `ssh:server`. run_list: - recipe[ssh::server]
  9. Now run `kitchen list` from the ~/cookbooks/ssh directory. This command will tell you if you have a typo in your `.kitchen.yml`.
  10. Now run `delivery local deploy` from the ~/cookbooks/ssh directory. `delivery local deploye` will: Launch a docker container. Place the cookbook into the docker container. Install chef-client in the docker container. Run chef zero (i.e., chef-client in local mode) across the server recipe. The end result will be that it should write out the ssh_conf to the appropriate location (i.e., /etc/ssh/ssh_config). It could take a couple minutes or so for this command to complete.
  11. In the preceding exercises we began writing a remediation recipe on our target node. We also tested the recipe locally. But have we even addressed the "Set the SSH protocol version to 2" issue? If you answered "no", you are correct. In a little while we will modify our recipe to address the "Set the SSH protocol version to 2" issue.
  12. One handy way to populate the preceding `server.rb` is to use the Compliance Web UI and copy the InSpec control code found in the relevant Compliance profile. Then you can paste it into the `server.rb` file to save yourself some typing. Instructor Note: It could also be good for the instructor to demonstrate using the InSpec verifier in test kitchen locally with Vagrant to show the students that it can be done.
  13. First, we need to run this command because we are using Docker solely for testing, and placing it in this configuration is not secure. We are doing it here because it is necessary if we do not want to prefix `sudo` in front of the commands we execute. So it is done here mainly for speed and ease of training so you can focus on Compliance. On your local system you may use the vagrant, ec2, or azure driver, and those will not have the same concern that we are experiencing here. Instructor Note: This command is run in order to put the chef user in the dockerroot group and make /var/run/docker.sock's group dockerroot. This change does not persist when baked into the AMI, so we run the command here.
  14. Below is an example of the details of the `sudo docker ps` command. This shows one docker container running. You should have only one docker container running too. You'll need the Container ID for the next step, so copy your Container ID, which is the first value that is not a header.

    CONTAINER ID   IMAGE          COMMAND                  CREATED          STATUS          PORTS                   NAMES
    5b51a4237437   d5b8fd3299b4   "/usr/sbin/sshd -D -     41 minutes ago   Up 41 minutes   0.0.0.0:32768->22/tcp   grave_davinci

  15. Run this inspec command using the container ID you just copied, replacing CONTAINER_ID in the example: `inspec exec ~/cookbooks/ssh/test/recipes/server.rb -t docker://CONTAINER_ID`. Running InSpec in this way can uncover more complex issues than the basic issue we are remediating in this module. Key parts of the output are here:

    Failures:

      1) SSH Configuration Protocol should eq "2"
         Failure/Error: its('Protocol') { should eq('2') }

           expected: "2"
                got: nil
    ...
    Failed examples:

    rspec # SSH Configuration Protocol should eq "2"
  16. Edit the ~/cookbooks/ssh/templates/default/ssh_config.erb file. Uncomment the `# Protocol 2,1` line. Change the protocol version to `2` only.
  17. Change to ~/cookbooks/ssh if not there already.
  18. You should now see that only Protocol version 2 is currently set in test kitchen.

    - update content in file /etc/ssh/ssh_config from 86eb9b to 065f90
    --- /etc/ssh/ssh_config	2015-08-13 09:58:26.000000000 +0000
    +++ /etc/ssh/.ssh_config20151209-412-cf7gd7	2015-12-09 20:35:29.734689138 +0000
    @@ -37,7 +37,7 @@
     # IdentityFile ~/.ssh/id_rsa
     # IdentityFile ~/.ssh/id_dsa
     # Port 22
    -# Protocol 2,1
    +Protocol 2
     # Cipher 3des
     # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

    Running handlers:
    Chef Client finished, 3/3 resources updated in 03 seconds
    Finished converging <client-centos-67> (0m8.22s).
  19. Run this inspec command again using the container ID you copied previously, replacing CONTAINER_ID in the example. `inspec exec ~/cookbooks/ssh/test/integration/client/inspec/client_spec.rb -t docker://CONTAINER_ID` You should now see that the test has passed. In addition to the output text that says there were 0 failures, the single dot at the top-left of the output means there was one test made and that it passed.
  20. Now we need to actually apply the change to the node. We'll do this using chef-client in local mode. You should then see that only Protocol version 2 is currently set on the node. Of course in a production environment chef-client would most likely be set to run automatically to download and converge these changes from Chef Server.
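As an added example (not part of the course material or the ssh cookbook), here is the check that the InSpec control `its('Protocol') { should eq('2') }` performs on /etc/ssh/ssh_config, re-implemented in plain Ruby so the `got: nil` failure and the remediated state can be reproduced offline. The function names and the ssh_config snippets are constructed for this example.

```ruby
# Added example: plain-Ruby re-implementation of the InSpec ssh_config check
# used in this module, run against constructed ssh_config snippets.

# Parse ssh_config text into a Hash of effective settings.
# Commented lines (such as the stock "# Protocol 2,1") are skipped, so a
# directive that exists only as a comment yields no entry, i.e. nil,
# which is exactly why InSpec reports 'expected: "2" got: nil'.
def parse_ssh_config(text)
  settings = {}
  text.each_line do |line|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    key, value = stripped.split(/\s+|=/, 2)
    # ssh_config uses the first value obtained for a keyword, so keep the first.
    settings[key] ||= value&.strip
  end
  settings
end

# Returns [passed, message], mirroring the shape of the InSpec output.
# Only an exact "2" passes; "2,1" (both protocols enabled) still fails.
def check_protocol_v2(text)
  got = parse_ssh_config(text)['Protocol']
  passed = (got == '2')
  message = passed ? 'SSH Configuration Protocol should eq "2"' : "expected: \"2\" got: #{got.inspect}"
  [passed, message]
end

# Constructed sample: the relevant region of the stock ssh_config before remediation.
BEFORE = <<~CONF
  # Host *
  #   ForwardAgent no
  # Port 22
  # Protocol 2,1
  # Cipher 3des
CONF

# Constructed sample: the same region after the template edit from the module.
AFTER = BEFORE.sub('# Protocol 2,1', 'Protocol 2')

if __FILE__ == $PROGRAM_NAME
  [BEFORE, AFTER].each { |conf| puts check_protocol_v2(conf).inspect }
end
```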
  21. In this module we scanned a node for compliance issues. We identified an issue and then wrote a remediation recipe directly on the node scanned. We also tested our recipe locally. As mentioned previously, in a production environment you will likely write such recipes locally, add them to the node's run list, and then upload them to Chef Server. Then the nodes would download the recipes from Chef Server on their next chef-client run and converge them.
  22. Instructor Note Answers:
    1. It doesn't matter; you could use the node's FQDN or just its IP address.
    2. `inspec exec` can be used to test a compliance profile against remote hosts, including docker containers.
    3. The `impact` value in a Compliance Profile/control defines severity. See slide 3-22 through slide 3-24 for examples.
    4. The `describe` section is the actual test.
  23. Instructor Note Answers:
    5. You could use the Dashboard's "check the connectivity" test, ssh into the target, and/or check the node's configuration in the Web UI (IP address, login credentials).
    6. InSpec.