SlideShare une entreprise Scribd logo

Prescriptive System Security with InSpec

All Things Open
All Things Open

Presented at: All Things Open 2019 Presented by: Mandi Walls, Chef Software Find more by Mandi Walls: https://www.slideshare.net/lnxchk/

Technologie
1  sur  43
Télécharger pour lire hors ligne
Prescriptive System Security with Chef InSpec Mandi Walls | mandi@chef.io | All Things Open 2019
HI! • Mandi Walls • Technical Community Manager for Chef • mandi@chef.io • @lnxchk • 3394 2531 4190 • https://www.chef.io/ • https://www.inspec.io/
EVERY business is a software business We’re going to be a software company with airplanes. – CIO, Alaska Airlines
https://www.darkreading.com/attacks-breaches/wannacry-forces-honda-to-take-production-plant-offline-/d/d-id/1329192
https://www.datacenterknowledge.com/archives/2016/10/19/botched-server-install-results-in-2-14-million-hipaa-breach-fine
Different Sources for the Same Goals
Chef InSpec • Human-readable language for tests related to security and compliance • Create, share, and reuse complex profiles • Extensible language - build your own rules • Command-line tools plug into your existing workflow, build, deploy • Test early, test often! • InSpec is an open source project with commercialized distribution The Community distribution is part of the CINC project https://gitlab.com/cinc-project/auditor
Create and Consume • Complex compliance requirements can slow you down • Different information and expertise live in different teams, but need to be used by many • Security and compliance personnel can work with operations and development to create comprehensive profiles
Chef InSpec is Code • Check it into repos, publish as artifacts • Include InSpec steps before code checkin • Include InSpec steps in integration and pre-production • Continue InSpec checks in production to guard against new threats
Network Services • If your security team sends you a directive: Ensure that no legacy network services are installed on all versions of Linux, including inetd, xinetd, telnet, rsh, tftp, and ypserv.
How Do You Go About Checking and Fixing? • Identify the package names on your systems • Remove all packages • Does someone fix your source images? Rebuild? Remediate at launch? • Ensure it doesn't get re-installed by accident at some point in the future
Check for inetd and xinetd control 'package-01' do impact 1.0 title 'Do not run deprecated inetd or xinetd' desc 'rhel5-guide-i731.pdf, Chapter 3.2.1' describe package('inetd') do it { should_not be_installed } end describe package('xinetd') do it { should_not be_installed } end end
Lifecycle – How Often Do You Check Security? • Single big scan, report mailed out with a “due date”? Considered done, not checked again • Yearly or twice-yearly massive scans with remediation firedrills? Common audit cycles, large projects around fixing found issues • Part of the software development lifecycle? “To the left” Regularly part of what is included in builds
Test Regularly with Chef InSpec • Use InSpec before code checkin No changes to allowed services • Use InSpec during integration testing Check transport protocols, port numbers, service configurations • Use InSpec in production Ensure no drift occurs in approved configurations over application lifetime
Chef InSpec Components • Resources • Resource Characteristics • Profiles • Command Line Interface
Resources • Chef InSpec includes built-in resources for common services, system files, and configurations • Built-in resources work on several platforms of Linux. There are also Windows-specifics like registry_key • A resource has characteristics that can be verified for your requirements, and Matchers that work with those characteristics
Sample Resources • System resources: directory, file, user, group, crontab, service, package • Specific services: apache, nginx, rabbitmq, postgresql, IIS • Programming language components: gem, npm, powershell • Network services: port, http, sshd • https://www.inspec.io/docs/reference/resources/
Advanced Resources – Cloud Components • Added as libraries to your InSpec install • AWS – aws_ec2_instance, aws_eks_cluster, aws_elb, aws_iam_role, aws_s3_bucket https://github.com/inspec/inspec-aws • GCP – google_compute_*, google_container_clusters, google_project https://github.com/inspec/inspec-gcp • Azure – azurerm_key_vaults, azurerm_network_security_group, azurerm_virtual_machine https://github.com/inspec/inspec-azure
Characteristic Tests • it { should exist } – files, directories, groups that are present • it { should be_installed } – packages that should be installed • it { should be_enabled } – services that should be running • its('max_log_file') { should cmp 6 } – rotate auditd logs Check inside a config file for a specific setting • its('exit_status') { should eq 0 } – run any arbitrary checks Remediation scripts from upstream and OS vendors often come as shell
Run Chef InSpec • InSpec is command line Installs on your workstation as a ruby gem or as part of the ChefWorkstation • Can be run locally, to test the machine it is executing on • Or remotely InSpec will log into the target and run the tests for you
Execute InSpec $ inspec exec ./test.rb Profile: tests from ./test.rb Version: (not specified) Target: local:// File /tmp ✔ should exist ✔ should be directory ✔ should be owned by "root" ✔ mode should cmp == "01777" Test Summary: 4 successful, 0 failures, 0 skipped
Test Any Target Local: inspec exec test.rb SSH Remote: inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://ec2-user@54.152.7.203 WinRM: inspec exec test.rb -t winrm://Admin@192.168.1.2 -- password super Docker Container: inspec exec test.rb -t docker://3dda08e75838
Profiles • Collections of InSpec tests Group by team, by application, by platform • Each profile can have multiple test files included • Flexible! Create your own profiles for specific software you use Use included matcher libraries or write your own – they live in the profile • https://dev-sec.io/ for samples
Sample Profile: linux-baseline control 'os-02' do impact 1.0 title 'Check owner and permissions for /etc/shadow' desc 'Check periodically the owner and permissions for /etc/shadow' describe file('/etc/shadow') do it { should exist } it { should be_file } it { should be_owned_by 'root' } its('group') { should eq shadow_group } it { should_not be_executable } it { should be_writable.by('owner') } ...
Demo • Basic off-the-shelf CentOS system on AWS • Install ChefWorkstation and git • Download and run the linux-baseline profile • Remediate with the corresponding Chef cookbook from https://dev-sec.io
Resources • https://inspec.io • https://blog.chef.io/category/inspec • https://learn.chef.io/ • http://www.anniehedgie.com/inspec-basics-1 • Whitepaper featuring Danske Bank: https://www.chef.io/customers/danske-bank/ • Community Distros https://gitlab.com/cinc-project • Join us on Slack: http://community-slack.chef.io/
Appendix: Demo Outputs
Select CentOS 7 from the Marketplace • Use a small instance - .micro should be fine for this • Tag X-Contact with your name and X-Customer with something like "InSpec Talk Delete after 7/15/19" or similar
Security Group • I use the default all-open security group, as there's nothing running but ssh on this machine. If you have another security group that is more locked down, that's fine, too.
Installs • Install ChefWorkstation from https://downloads.chef.io/chef-workstation/ curl –o cw.rpm <url> sudo yum install -y cw.rpm • Install git via yum sudo yum install -y git
Demo stage 1 – Detect with the linux-baseline profile git clone https://github.com/dev-sec/linux-baseline.git sudo inspec exec linux-baseline/ <<accept the product license here>> You'll have some number of errors; the default installs will always have too many things installed. This version: Profile Summary: 26 successful controls, 27 control failures, 1 control skipped Test Summary: 80 successful, 45 failures, 1 skipped
Demo Stage 2 – Correct with Chef Infrastructure Download the Chef cookbook that matches the linux-baseline profile via a policyfile workflow chef generate policyfile fix-security <<accept the license>> edit fix-security.rb edit-> run_list 'os-hardening::default' chef install fix-security.rb chef export fix-security.rb harden-linux cd harden-linux sudo chef-client -z
Correct with Chef con't ...things happening... Recipe: os-hardening::auditd * yum_package[audit] action install (up to date) Running handlers: Running handlers complete Chef Infra Client finished, 141/206 resources updated in 07 seconds
Demo Stage 3 – Re-check with InSpec cd .. sudo inspec exec linux-baseline ... Profile Summary: 52 successful controls, 1 control failure, 1 control skipped Test Summary: 124 successful, 1 failure, 1 skipped There's almost always at least one failure. Depending on the time you have left, you can work through the next part, creating a wrapper profile and skipping this step, or, conversely, if you audience is already chef-aware, adding an additional recipe to fix whatever it is.
The error in this example: × package-08: Install auditd (1 failed) ✔ System Package audit should be installed ✔ Audit Daemon Config log_file should cmp == "/var/log/audit/audit.log" ✔ Audit Daemon Config log_format should cmp == "raw" ✔ Audit Daemon Config flush should match /^incremental|INCREMENTAL|incremental_async|INCREMENTAL_ASYNC$/ × Audit Daemon Config max_log_file_action should cmp == "keep_logs" expected: "keep_logs" got: "ROTATE" (compared using `cmp` matcher)
Demo stage 4 – prepare for Automate with wrapper profile • Create a wrapper profile: inspec init profile my-hardening • Edit my-hardening/inspec.yml depends: - name: linux-baseline git: https://github.com/dev-sec/linux-baseline • Remove the example rm -f my-hardening/controls/example.rb
Stage 4 Create a new control file: $ vi my-hardening/controls/skip-auditd.rb include_controls 'linux-baseline' do skip_control 'package-08' end
Demo Stage 5 – run the wrapper profile sudo inspec exec my-hardening ... Profile Summary: 52 successful controls, 0 control failures, 1 control skipped Test Summary: 113 successful, 0 failures, 1 skipped
Additional Note - --no-distinct-exit When using InSpec in a build process that relies on non-zero return codes, any intentionally skipped control will generate a return code of 101 $ sudo inspec exec my-hardening/ ... $ echo $? 101 If you want skips to generate 0 so the flow continues, use the flag --no-distinct-exit sudo inspec exec my-hardening/ --no-distinct-exit ... $ echo $? 0
Exit Codes For InSpec in Pipelines https://github.com/inspec/inspec/issues/1825#issuecomment-382650911 0 run okay + all passed: 100 run okay + failures 101 run okay + skipped only Additional discussion around whether to specify in the run output the reason for a skip is also happening. For example, skipping due to platform, skipping due to not- needed, skipping due to fix-coming.
Wrapper Profiles

Recommandé

Prescriptive Security with InSpec - All Things Open 2019
Prescriptive Security with InSpec - All Things Open 2019Prescriptive Security with InSpec - All Things Open 2019
Prescriptive Security with InSpec - All Things Open 2019Mandi Walls
 
Adding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17xAdding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17xMandi Walls
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityMandi Walls
 
InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017Mandi Walls
 
InSpec at DevOps ATL Meetup January 22, 2020
InSpec at DevOps ATL Meetup January 22, 2020InSpec at DevOps ATL Meetup January 22, 2020
InSpec at DevOps ATL Meetup January 22, 2020Mandi Walls
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDays Riga
 
InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017Mandi Walls
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecMandi Walls
 

Recommandé

Prescriptive Security with InSpec - All Things Open 2019
Prescriptive Security with InSpec - All Things Open 2019Prescriptive Security with InSpec - All Things Open 2019
Prescriptive Security with InSpec - All Things Open 2019Mandi Walls
 
Adding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17xAdding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17xMandi Walls
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityMandi Walls
 
InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017Mandi Walls
 
InSpec at DevOps ATL Meetup January 22, 2020
InSpec at DevOps ATL Meetup January 22, 2020InSpec at DevOps ATL Meetup January 22, 2020
InSpec at DevOps ATL Meetup January 22, 2020Mandi Walls
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDays Riga
 
InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017Mandi Walls
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecMandi Walls
 
Automating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupAutomating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupMatt Ray
 
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsOSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsNETWAYS
 
Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Mandi Walls
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Kangaroot
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beMandi Walls
 
Banfootguns devseccon 2019
Banfootguns devseccon 2019Banfootguns devseccon 2019
Banfootguns devseccon 2019Morgan Roman
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecMandi Walls
 
Role of Pipelines in Continuous Delivery
Role of Pipelines in Continuous DeliveryRole of Pipelines in Continuous Delivery
Role of Pipelines in Continuous DeliveryMandi Walls
 
Automated Infrastructure Testing
Automated Infrastructure TestingAutomated Infrastructure Testing
Automated Infrastructure TestingRanjib Dey
 
Drupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The BasicsDrupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The BasicsJohn Smith
 
Compliance as Code
Compliance as CodeCompliance as Code
Compliance as CodeMatt Ray
 
Testing for infra code using test-kitchen,docker,chef
Testing for infra code using test-kitchen,docker,chefTesting for infra code using test-kitchen,docker,chef
Testing for infra code using test-kitchen,docker,chefkamalikamj
 
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeDevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeMatt Ray
 
Effective Testing with Ansible and InSpec
Effective Testing with Ansible and InSpecEffective Testing with Ansible and InSpec
Effective Testing with Ansible and InSpecNathen Harvey
 
London Community Summit - Chef at SkyBet
London Community Summit - Chef at SkyBetLondon Community Summit - Chef at SkyBet
London Community Summit - Chef at SkyBetChef
 
OSDC2014: Testing Server Infrastructure with #serverspec
OSDC2014: Testing Server Infrastructure with #serverspecOSDC2014: Testing Server Infrastructure with #serverspec
OSDC2014: Testing Server Infrastructure with #serverspecAndreas Schmidt
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefNathen Harvey
 
Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4Chef
 
Test Driven Development with Chef
Test Driven Development with ChefTest Driven Development with Chef
Test Driven Development with ChefSimone Soldateschi
 
InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017Mandi Walls
 
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecOSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecNETWAYS
 
DevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopDevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopMandi Walls
 

Contenu connexe

Tendances

Automating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupAutomating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupMatt Ray
 
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsOSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsNETWAYS
 
Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Mandi Walls
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Kangaroot
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beMandi Walls
 
Banfootguns devseccon 2019
Banfootguns devseccon 2019Banfootguns devseccon 2019
Banfootguns devseccon 2019Morgan Roman
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecMandi Walls
 
Role of Pipelines in Continuous Delivery
Role of Pipelines in Continuous DeliveryRole of Pipelines in Continuous Delivery
Role of Pipelines in Continuous DeliveryMandi Walls
 
Automated Infrastructure Testing
Automated Infrastructure TestingAutomated Infrastructure Testing
Automated Infrastructure TestingRanjib Dey
 
Drupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The BasicsDrupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The BasicsJohn Smith
 
Compliance as Code
Compliance as CodeCompliance as Code
Compliance as CodeMatt Ray
 
Testing for infra code using test-kitchen,docker,chef
Testing for infra code using test-kitchen,docker,chefTesting for infra code using test-kitchen,docker,chef
Testing for infra code using test-kitchen,docker,chefkamalikamj
 
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeDevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeMatt Ray
 
Effective Testing with Ansible and InSpec
Effective Testing with Ansible and InSpecEffective Testing with Ansible and InSpec
Effective Testing with Ansible and InSpecNathen Harvey
 
London Community Summit - Chef at SkyBet
London Community Summit - Chef at SkyBetLondon Community Summit - Chef at SkyBet
London Community Summit - Chef at SkyBetChef
 
OSDC2014: Testing Server Infrastructure with #serverspec
OSDC2014: Testing Server Infrastructure with #serverspecOSDC2014: Testing Server Infrastructure with #serverspec
OSDC2014: Testing Server Infrastructure with #serverspecAndreas Schmidt
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefNathen Harvey
 
Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4Chef
 
Test Driven Development with Chef
Test Driven Development with ChefTest Driven Development with Chef
Test Driven Development with ChefSimone Soldateschi
 
InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017Mandi Walls
 

Tendances (20)

Automating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupAutomating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore Meetup
 
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsOSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
 
Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.be
 
Banfootguns devseccon 2019
Banfootguns devseccon 2019Banfootguns devseccon 2019
Banfootguns devseccon 2019
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpec
 
Role of Pipelines in Continuous Delivery
Role of Pipelines in Continuous DeliveryRole of Pipelines in Continuous Delivery
Role of Pipelines in Continuous Delivery
 
Automated Infrastructure Testing
Automated Infrastructure TestingAutomated Infrastructure Testing
Automated Infrastructure Testing
 
Drupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The BasicsDrupal Continuous Integration with Jenkins - The Basics
Drupal Continuous Integration with Jenkins - The Basics
 
Compliance as Code
Compliance as CodeCompliance as Code
Compliance as Code
 
Testing for infra code using test-kitchen,docker,chef
Testing for infra code using test-kitchen,docker,chefTesting for infra code using test-kitchen,docker,chef
Testing for infra code using test-kitchen,docker,chef
 
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeDevOpsDays Singapore - Continuous Auditing with Compliance as Code
DevOpsDays Singapore - Continuous Auditing with Compliance as Code
 
Effective Testing with Ansible and InSpec
Effective Testing with Ansible and InSpecEffective Testing with Ansible and InSpec
Effective Testing with Ansible and InSpec
 
London Community Summit - Chef at SkyBet
London Community Summit - Chef at SkyBetLondon Community Summit - Chef at SkyBet
London Community Summit - Chef at SkyBet
 
OSDC2014: Testing Server Infrastructure with #serverspec
OSDC2014: Testing Server Infrastructure with #serverspecOSDC2014: Testing Server Infrastructure with #serverspec
OSDC2014: Testing Server Infrastructure with #serverspec
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to Chef
 
Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4
 
Test Driven Development with Chef
Test Driven Development with ChefTest Driven Development with Chef
Test Driven Development with Chef
 
InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017
 

Similaire à Prescriptive System Security with InSpec

OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecOSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecNETWAYS
 
DevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopDevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopMandi Walls
 
DevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi WallsDevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi WallsDevSecCon
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018Mandi Walls
 
BuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec WorkshopBuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec WorkshopMandi Walls
 
Fluo CICD OpenStack Summit
Fluo CICD OpenStack SummitFluo CICD OpenStack Summit
Fluo CICD OpenStack SummitMiguel Zuniga
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?AFUP_Limoges
 
DCRUG: Achieving Development-Production Parity
DCRUG: Achieving Development-Production ParityDCRUG: Achieving Development-Production Parity
DCRUG: Achieving Development-Production ParityGeoff Harcourt
 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017adamleff
 
Achieving DevOps Success with Chef Automate
Achieving DevOps Success with Chef AutomateAchieving DevOps Success with Chef Automate
Achieving DevOps Success with Chef AutomateChef
 
Django dev-env-my-way
Django dev-env-my-wayDjango dev-env-my-way
Django dev-env-my-wayRobert Lujo
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Amazon Web Services
 
Ingite Slides for InSpec
Ingite Slides for InSpecIngite Slides for InSpec
Ingite Slides for InSpecMandi Walls
 
Deploying software at Scale
Deploying software at ScaleDeploying software at Scale
Deploying software at ScaleKris Buytaert
 
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMelbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMatt Ray
 
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017AgileNZ Conference
 
Version Control and Continuous Integration
Version Control and Continuous IntegrationVersion Control and Continuous Integration
Version Control and Continuous IntegrationGeff Henderson Chang
 
Automatize everything
Automatize everythingAutomatize everything
Automatize everythingBoris Bucha
 
Continuous Integration & Development with Gitlab
Continuous Integration & Development with GitlabContinuous Integration & Development with Gitlab
Continuous Integration & Development with GitlabAyush Sharma
 

Similaire à Prescriptive System Security with InSpec (20)

OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecOSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
 
DevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopDevOpsDays InSpec Workshop
DevOpsDays InSpec Workshop
 
DevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi WallsDevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi Walls
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018
 
BuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec WorkshopBuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec Workshop
 
Fluo CICD OpenStack Summit
Fluo CICD OpenStack SummitFluo CICD OpenStack Summit
Fluo CICD OpenStack Summit
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?
 
DCRUG: Achieving Development-Production Parity
DCRUG: Achieving Development-Production ParityDCRUG: Achieving Development-Production Parity
DCRUG: Achieving Development-Production Parity
 
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017Compliance Automation with InSpec - Chef NYC Meetup - April 2017
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
 
Achieving DevOps Success with Chef Automate
Achieving DevOps Success with Chef AutomateAchieving DevOps Success with Chef Automate
Achieving DevOps Success with Chef Automate
 
Django dev-env-my-way
Django dev-env-my-wayDjango dev-env-my-way
Django dev-env-my-way
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
 
Ingite Slides for InSpec
Ingite Slides for InSpecIngite Slides for InSpec
Ingite Slides for InSpec
 
Deploying software at Scale
Deploying software at ScaleDeploying software at Scale
Deploying software at Scale
 
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMelbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
 
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
 
Version Control and Continuous Integration
Version Control and Continuous IntegrationVersion Control and Continuous Integration
Version Control and Continuous Integration
 
Automatize everything
Automatize everythingAutomatize everything
Automatize everything
 
Continuous Integration & Development with Gitlab
Continuous Integration & Development with GitlabContinuous Integration & Development with Gitlab
Continuous Integration & Development with Gitlab
 

Plus de All Things Open

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityAll Things Open
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best PracticesAll Things Open
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public PolicyAll Things Open
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...All Things Open
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashAll Things Open
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptAll Things Open
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?All Things Open
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractAll Things Open
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlowAll Things Open
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and SuccessAll Things Open
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with BackgroundAll Things Open
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblyAll Things Open
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksAll Things Open
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptAll Things Open
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramAll Things Open
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceAll Things Open
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamAll Things Open
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in controlAll Things Open
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsAll Things Open
 
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...All Things Open
 

Plus de All Things Open (20)

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of Observability
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best Practices
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public Policy
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil Nash
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScript
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart Contract
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and Success
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with Background
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssembly
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in Haystacks
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit Intercept
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship Program
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open Source
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache Beam
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in control
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
 
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
 

Dernier

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Dernier (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Prescriptive System Security with InSpec

  • 1. Prescriptive System Security with Chef InSpec Mandi Walls | mandi@chef.io | All Things Open 2019
  • 2. HI! • Mandi Walls • Technical Community Manager for Chef • mandi@chef.io • @lnxchk • 3394 2531 4190 • https://www.chef.io/ • https://www.inspec.io/
  • 3. EVERY business is a software business We’re going to be a software company with airplanes. – CIO, Alaska Airlines
  • 6. Different Sources for the Same Goals
  • 7.
  • 8. Chef InSpec • Human-readable language for tests related to security and compliance • Create, share, and reuse complex profiles • Extensible language - build your own rules • Command-line tools plug into your existing workflow, build, deploy • Test early, test often! • InSpec is an open source project with commercialized distribution The Community distribution is part of the CINC project https://gitlab.com/cinc-project/auditor
  • 9. Create and Consume • Complex compliance requirements can slow you down • Different information and expertise live in different teams, but need to be used by many • Security and compliance personnel can work with operations and development to create comprehensive profiles
  • 10. Chef InSpec is Code • Check it into repos, publish as artifacts • Include InSpec steps before code checkin • Include InSpec steps in integration and pre-production • Continue InSpec checks in production to guard against new threats
  • 11. Network Services • If your security team sends you a directive: Ensure that no legacy network services are installed on all versions of Linux, including inetd, xinetd, telnet, rsh, tftp, and ypserv.
  • 12. How Do You Go About Checking and Fixing? • Identify the package names on your systems • Remove all packages • Does someone fix your source images? Rebuild? Remediate at launch? • Ensure it doesn't get re-installed by accident at some point in the future
  • 13. Check for inetd and xinetd control 'package-01' do impact 1.0 title 'Do not run deprecated inetd or xinetd' desc 'rhel5-guide-i731.pdf, Chapter 3.2.1' describe package('inetd') do it { should_not be_installed } end describe package('xinetd') do it { should_not be_installed } end end
  • 14. Lifecycle – How Often Do You Check Security? • Single big scan, report mailed out with a “due date”? Considered done, not checked again • Yearly or twice-yearly massive scans with remediation firedrills? Common audit cycles, large projects around fixing found issues • Part of the software development lifecycle? “To the left” Regularly part of what is included in builds
  • 15. Test Regularly with Chef InSpec • Use InSpec before code checkin No changes to allowed services • Use InSpec during integration testing Check transport protocols, port numbers, service configurations • Use InSpec in production Ensure no drift occurs in approved configurations over application lifetime
  • 16. Chef InSpec Components • Resources • Resource Characteristics • Profiles • Command Line Interface
  • 17. Resources • Chef InSpec includes built-in resources for common services, system files, and configurations • Built-in resources work on several platforms of Linux. There are also Windows-specifics like registry_key • A resource has characteristics that can be verified for your requirements, and Matchers that work with those characteristics
  • 18. Sample Resources • System resources: directory, file, user, group, crontab, service, package • Specific services: apache, nginx, rabbitmq, postgresql, IIS • Programming language components: gem, npm, powershell • Network services: port, http, sshd • https://www.inspec.io/docs/reference/resources/
  • 19. Advanced Resources – Cloud Components • Added as libraries to your InSpec install • AWS – aws_ec2_instance, aws_eks_cluster, aws_elb, aws_iam_role, aws_s3_bucket https://github.com/inspec/inspec-aws • GCP – google_compute_*, google_container_clusters, google_project https://github.com/inspec/inspec-gcp • Azure – azurerm_key_vaults, azurerm_network_security_group, azurerm_virtual_machine https://github.com/inspec/inspec-azure
  • 20. Characteristic Tests • it { should exist } – files, directories, groups that are present • it { should be_installed } – packages that should be installed • it { should be_enabled } – services that should be running • its('max_log_file') { should cmp 6 } – rotate auditd logs Check inside a config file for a specific setting • its('exit_status') { should eq 0 } – run any arbitrary checks Remediation scripts from upstream and OS vendors often come as shell
  • 21. Run Chef InSpec • InSpec is command line Installs on your workstation as a ruby gem or as part of the ChefWorkstation • Can be run locally, to test the machine it is executing on • Or remotely InSpec will log into the target and run the tests for you
  • 22. Execute InSpec $ inspec exec ./test.rb Profile: tests from ./test.rb Version: (not specified) Target: local:// File /tmp ✔ should exist ✔ should be directory ✔ should be owned by "root" ✔ mode should cmp == "01777" Test Summary: 4 successful, 0 failures, 0 skipped
  • 23. Test Any Target Local: inspec exec test.rb SSH Remote: inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://ec2-user@54.152.7.203 WinRM: inspec exec test.rb -t winrm://Admin@192.168.1.2 -- password super Docker Container: inspec exec test.rb -t docker://3dda08e75838
  • 24. Profiles • Collections of InSpec tests Group by team, by application, by platform • Each profile can have multiple test files included • Flexible! Create your own profiles for specific software you use Use included matcher libraries or write your own – they live in the profile • https://dev-sec.io/ for samples
  • 25. Sample Profile: linux-baseline control 'os-02' do impact 1.0 title 'Check owner and permissions for /etc/shadow' desc 'Check periodically the owner and permissions for /etc/shadow' describe file('/etc/shadow') do it { should exist } it { should be_file } it { should be_owned_by 'root' } its('group') { should eq shadow_group } it { should_not be_executable } it { should be_writable.by('owner') } ...
  • 26. Demo • Basic off-the-shelf CentOS system on AWS • Install ChefWorkstation and git • Download and run the linux-baseline profile • Remediate with the corresponding Chef cookbook from https://dev-sec.io
  • 27. Resources • https://inspec.io • https://blog.chef.io/category/inspec • https://learn.chef.io/ • http://www.anniehedgie.com/inspec-basics-1 • Whitepaper featuring Danske Bank: https://www.chef.io/customers/danske-bank/ • Community Distros https://gitlab.com/cinc-project • Join us on Slack: http://community-slack.chef.io/
  • 28.
  • 30. Select CentOS 7 from the Marketplace • Use a small instance - .micro should be fine for this • Tag X-Contact with your name and X-Customer with something like "InSpec Talk Delete after 7/15/19" or similar
  • 31. Security Group • I use the default all-open security group, as there's nothing running but ssh on this machine. If you have another security group that is more locked down, that's fine, too.
  • 32. Installs • Install ChefWorkstation from https://downloads.chef.io/chef-workstation/ curl –o cw.rpm <url> sudo yum install -y cw.rpm • Install git via yum sudo yum install -y git
  • 33. Demo stage 1 – Detect with the linux-baseline profile git clone https://github.com/dev-sec/linux-baseline.git sudo inspec exec linux-baseline/ <<accept the product license here>> You'll have some number of errors; the default installs will always have too many things installed. This version: Profile Summary: 26 successful controls, 27 control failures, 1 control skipped Test Summary: 80 successful, 45 failures, 1 skipped
  • 34. Demo Stage 2 – Correct with Chef Infrastructure Download the Chef cookbook that matches the linux-baseline profile via a policyfile workflow chef generate policyfile fix-security <<accept the license>> edit fix-security.rb edit-> run_list 'os-hardening::default' chef install fix-security.rb chef export fix-security.rb harden-linux cd harden-linux sudo chef-client -z
  • 35. Correct with Chef con't ...things happening... Recipe: os-hardening::auditd * yum_package[audit] action install (up to date) Running handlers: Running handlers complete Chef Infra Client finished, 141/206 resources updated in 07 seconds
  • 36. Demo Stage 3 – Re-check with InSpec cd .. sudo inspec exec linux-baseline ... Profile Summary: 52 successful controls, 1 control failure, 1 control skipped Test Summary: 124 successful, 1 failure, 1 skipped There's almost always at least one failure. Depending on the time you have left, you can work through the next part, creating a wrapper profile and skipping this step, or, conversely, if you audience is already chef-aware, adding an additional recipe to fix whatever it is.
  • 37. The error in this example: × package-08: Install auditd (1 failed) ✔ System Package audit should be installed ✔ Audit Daemon Config log_file should cmp == "/var/log/audit/audit.log" ✔ Audit Daemon Config log_format should cmp == "raw" ✔ Audit Daemon Config flush should match /^incremental|INCREMENTAL|incremental_async|INCREMENTAL_ASYNC$/ × Audit Daemon Config max_log_file_action should cmp == "keep_logs" expected: "keep_logs" got: "ROTATE" (compared using `cmp` matcher)
  • 38. Demo stage 4 – prepare for Automate with wrapper profile • Create a wrapper profile: inspec init profile my-hardening • Edit my-hardening/inspec.yml depends: - name: linux-baseline git: https://github.com/dev-sec/linux-baseline • Remove the example rm -f my-hardening/controls/example.rb
  • 39. Stage 4 Create a new control file: $ vi my-hardening/controls/skip-auditd.rb include_controls 'linux-baseline' do skip_control 'package-08' end
  • 40. Demo Stage 5 – run the wrapper profile sudo inspec exec my-hardening ... Profile Summary: 52 successful controls, 0 control failures, 1 control skipped Test Summary: 113 successful, 0 failures, 1 skipped
  • 41. Additional Note - --no-distinct-exit When using InSpec in a build process that relies on non-zero return codes, any intentionally skipped control will generate a return code of 101 $ sudo inspec exec my-hardening/ ... $ echo $? 101 If you want skips to generate 0 so the flow continues, use the flag --no-distinct-exit sudo inspec exec my-hardening/ --no-distinct-exit ... $ echo $? 0
  • 42. Exit Codes For InSpec in Pipelines https://github.com/inspec/inspec/issues/1825#issuecomment-382650911 0 run okay + all passed: 100 run okay + failures 101 run okay + skipped only Additional discussion around whether to specify in the run output the reason for a skip is also happening. For example, skipping due to platform, skipping due to not- needed, skipping due to fix-coming.