SlideShare une entreprise Scribd logo

Compliance Automation with InSpec - Chef NYC Meetup - April 2017

Télécharger en tant que PPTX, PDF
A
adamleff

Presented at the Chef NYC meetup on April 20, 2017, this presentation reviews how to automate compliance scanning and reporting with InSpec by Chef and wrapped up with a hands-on workshop.

Logiciels
1  sur  130
Compliance Automation with InSpec Adam Leff - @adamleff
Who's this guy? • Adam Leff (@adamleff) • Technical Community Advocate at Chef • Formerly Senior Software Engineer in Partner Engineering and Core Engineering • Before that, numerous leadership roles at WebMD • Live in Datacenter Alley (Ashburn, VA)
Join Slack Team & Channel • http://community-slack.chef.io • Join us in the #inspec channel #inspec
AUTOMATE ALL THE THINGS
We started with infrastructure automation…
Security and compliance slow me down!
Product Ideas and Features
Security and compliance slow me down!
There, I fixed it!
Compliance Officer Jane says… "Our systems mus be compliant."
This is a true story. Auditor: "Communication from your network devices to your authentication server must be encrypted."
This is a true story. Me: "We use BlahBlah TACACS+ server. You can't disable encryption."
This is a true story. Auditor: "Okay. Please show me that encryption is enabled."
This is a true story. Me: "Um… I can't. I can't disable it, so I can't show you where it's enabled. But I can show you that I'm using BlahBlah TACACS+ server."
This is a true story. Auditor: "Can you show me how you can't disable it?"
This is a true story. Me:
This is a true story. Me: "How about I show you where I configured the encryption key? Is that good enough?"
This is a true story. Auditor:
Why did I tell you this? • This exchange happened at least once a year, sometimes more • What constitutes "compliance" may be open to interpretation • What the auditor was actually looking for can be automated • We REALLY need to automate compliance
OMG so much compliance • PCI-DSS • Dodd-Frank • HITECH • Gramm-Leach-Bliley Act • ISO • HIPAA • Grundschutz • Sarbanes-Oxley • General Data Protection Regulation (GPDR)
A Documentation Example SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
I can totally script that…
A tale of three personas…
A tale of three personas… ✅❓❌
What is InSpec? • Open-source testing framework • Human readable language • Assert status of infrastructure tests and compliance controls • Scan locally or remotely
What is InSpec?
Option #1: Scripting Tools
Option #2: Test a requirement with InSpec
Option #3: Test a control with InSpec
Map Documentation to Controls
One Language • Linux • Windows • BSD • Solaris • AIX • … and more
Yup, I said Windows…
One Language • Bare Metal • VMs • Containers
Test Locally
Test Remotely
Test Remotely
Test a Docker Container
CIS and SCAP
Center for Internet Security (CIS) • Publish benchmarks for compliance • Red Hat Enterprise Linux, Ubuntu, SUSE, Oracle Linux… • Microsoft Windows 7, 8, Server 2008, Server 2012… • IBM AIX, HP-UX, VMware ESXi… • Oracle MySQL, Apache Tomcat, MS SQL Server, IIS Server… • … so much more, in glorious PDF format!
Security Content Automation Protocol (SCAP) • Method for automating compliance using agreed-upon standards • National Vulnerability Database • Content and Scanners
Source/Copyright: Center for Internet Security
SCAP converted to InSpec
SCAP Control as Native InSpec
Profile Reuse and Inheritance
Profile Reuse and Inheritance
Profile Reuse and Inheritance
Why InSpec? • Break down silos between organizations interested in security/compliance • Codify your compliance agreements and requirements • Share knowledge and code • Safety at velocity
• Monday, May 8, 9:30am-2:30pm • CONVENE – 32 Old Slip, NYC • Breakfast and Lunch • Meet CEO Barry Crist and CMO Ken Cheney • Learn about (and get hands-on with) Compliance Automation with Chef Automate • events.chef.io • FREE
★ Workshops & Chef Training ★ DevOps Leadership Summit ★ Community Summit ★ Partner Summit ★ Welcome Reception ★ Customer Dinner ★ Analyst Day • Exhibit Hall Open & Sales suites available • chefconf.chef.io • DAY 1 // MAY 22 ★ Keynotes ★ Technical Sessions ★ Happy Hour ★ Game Night ★ Executive Dinner DAY 2 // MAY 23 ★ Keynotes ★ Technical Sessions ★ Awesome Chef Awards ★ Community Celebration DAY 3 // MAY 24 ★ Hackday DAY 4 // MAY 25
Compliance Automation with InSpec Learning Lab Adam Leff - @adamleff
Login to remote workstation The authenticity of host '52.54.113.210 (52.54.113.210)' can't be established. ECDSA key fingerprint is SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I. Are you sure you want to continue connecting (yes/no)? ssh chef@IP_ADDRESS
Login to remote workstation The authenticity of host '52.54.113.210 (52.54.113.210)' can't be established. ECDSA key fingerprint is SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I. Are you sure you want to continue connecting (yes/no)? yes ssh chef@IP_ADDRESS
Login to remote workstation The authenticity of host '52.54.113.210 (52.54.113.210)' can't be established. ECDSA key fingerprint is SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '52.54.113.210' (ECDSA) to the list of known hosts. chef@52.54.113.210's password: ssh chef@IP_ADDRESS
Login to remote workstation The authenticity of host '52.54.113.210 (52.54.113.210)' can't be established. ECDSA key fingerprint is SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '52.54.113.210' (ECDSA) to the list of known hosts. chef@52.54.113.210's password: chef ssh chef@IP_ADDRESS
Touch a file with your name touch firstname-lastname
Touch a file with your name touch adam-leff
List your home directory adam-leff cookbooks Berksfile nodes Berksfile.lock config.json ls -t
Verify the installation /opt/chefdk/bin/inspec which inspec
Verify the installation 1.11.0 Your version of InSpec is out of date! The latest version is 1.15.0. inspec version
Verify the installation /opt/chefdk/bin/chef which chef
Verify the installation Chef Development Kit Version: 1.2.22 chef-client version: 12.18.31 delivery version: master (0b746cafed65a9ea1a79de3cc546e7922de9187c) berks version: 5.6.0 kitchen version: 1.15.0 chef --version
Chef DK - The Chef Development Kit • Definitive tooling for local development of Chef code & Infrastructure as Code development ▪ Validate your Chef code against Chef best practices ▪ Extend with rules to enforce organizational Chef development best practices ▪ Enforce compliance & security practices Foodcritic Test Your “Chef Style” ▪ Validate your Chef code against Ruby best practices ▪ Identify potential Ruby errors Unclosed strings, etc. ▪ Identify style/convention that helps write better code Single quotes vs. double quotes CookStyle Validate your Ruby ▪ Validate your Chef code will run ▪ Testing for more Chef advanced use cases ▪ Useful for regression testing ChefSpec Simulate Chef ▪ Executes your Chef code on an instance or container ▪ Integrates with Cloud and Virtualization providers ▪ Validate your Chef code locally before sharing ▪ Speed development of Chef Cookbooks Test Kitchen Let’s do this (almost) for real ▪ Assert the intention of your Chef code ▪ Verify on live systems that your Chef code produced the correct result ▪ Confirm your Chef code didn’t not produce compliance drift InSpec Verify automation results & ensure compliance FAST INEXPENSIVE TESTING DEEP INTEGRATION TESTING
Go home cd ~
Create a profiles directory mkdir profiles
Go to the profiles directory cd profiles
Create a new profile Create new profile at /home/chef/profiles/my-profile * Create directory controls * Create file controls/example.rb * Create file inspec.yml * Create directory libraries * Create file README.md * Create file libraries/.gitkeep inspec init profile my-profile
Go to our profile cd my-profile
Explore the new profile . ├── README.md ├── controls │ └── example.rb ├── inspec.yml └── libraries tree
Go to the controls directory cd controls
Check out the example # encoding: utf-8 # copyright: 2015, The Authors # license: All rights reserved title 'sample section' # you can also use plain tests describe file('/tmp') do it { should be_directory } end cat example.rb
Create a new control file vi ssh.rb
~/profiles/my-profile/controls/ssh.rb control 'ssh-1' do title 'my title' desc 'my description' impact 1.0 describe sshd_config do its('Protocol') { should cmp 2 } end end Our new control
Go back to the profiles directory cd ~/profiles
Validate our profile Location: my-profile Profile: my-profile Controls: 3 Timestamp: 2017-04-17T15:57:35-04:00 Valid: true No errors or warnings inspec check my-profile
Execute our profile inspec exec my-profile
Go home cd ~
Simple SSH Cookbook • A server recipe to manage the sshd_config file • Local test environment configured
Move to the cookbooks directory cd ~/cookbooks
List cookbooks audit compat_resource ls
Audit Cookbook • Install InSpec • Run InSpec profiles • Report results to Chef Compliance or Chef Visibility
Run with additional parameters [2017-03-10T14:10:34+00:00] INFO: Forking chef instance to converge... Starting Chef Client, version 12.18.31 [2017-03-10T14:10:34+00:00] INFO: *** Chef 12.18.31 *** ... [2017-03-10T14:10:40+00:00] INFO: Chef Run complete in 4.10402964 seconds Running handlers: [2017-03-10T14:10:40+00:00] INFO: Running report handlers [2017-03-10T14:10:40+00:00] WARN: Format is json [2017-03-10T14:10:40+00:00] INFO: Initialize InSpec [2017-03-10T14:10:40+00:00] INFO: Running tests from: [{:name=>"ssh", :path=>"/home/chef/profiles/ssh"}] [2017-03-10T14:10:40+00:00] INFO: Reporting to chef-visibility ... Running handlers complete [2017-03-10T14:10:40+00:00] INFO: Report handlers complete Chef Client finished, 1/2 resources updated in 06 seconds sudo run_chef "recipe[audit::default]"
Compat Resource Cookbook • Adds functionality introduced in the latest chef-client releases to any chef-client from 12.1 onwards. • Includes Custom Resource functionality notification improvements new resources added to core chef • Allows for these new resources in cookbooks without requiring the very latest Chef client release.
Generate an ssh cookbook Generating cookbook ssh - Ensuring correct cookbook file content - Committing cookbook files to git - Ensuring delivery configuration - Ensuring correct delivery build cookbook content - Adding delivery configuration to feature branch - Adding build cookbook to feature branch - Merging delivery content feature branch to master Your cookbook is ready. Type `cd ssh` to enter it. There are several commands you can run to get started locally developing and testing your cookbook. Type `delivery local --help` to see a full list. Why not start by writing a test? Tests for the default recipe are stored at: test/smoke/default/default_test.rb If you'd prefer to dive right in, the default recipe can be found at: recipes/default.rb chef generate cookbook ssh
Add a server recipe to the ssh cookbook Recipe: code_generator::recipe * directory[./ssh/spec/unit/recipes] action create (up to date) * cookbook_file[./ssh/spec/spec_helper.rb] action create_if_missing (up to date) * template[./ssh/spec/unit/recipes/server_spec.rb] action create_if_missing - create new file ./ssh/spec/unit/recipes/server_spec.rb - update content in file ./ssh/spec/unit/recipes/server_spec.rb from none to d14960 (diff output suppressed by config) * directory[./ssh/test/smoke/default] action create (up to date) * template[./ssh/test/smoke/default/server.rb] action create_if_missing - create new file ./ssh/test/smoke/default/server.rb - update content in file ./ssh/test/smoke/default/server.rb from none to aa8bba (diff output suppressed by config) * template[./ssh/recipes/server.rb] action create - create new file ./ssh/recipes/server.rb - update content in file ./ssh/recipes/server.rb from none to 18f24e (diff output suppressed by config) chef generate recipe ssh server
Add a template to the cookbook Recipe: code_generator::template * directory[./ssh/templates/default] action create - create new directory ./ssh/templates/default * file[./ssh/templates/sshd_config.erb] action create - create new file ./ssh/templates/sshd_config.erb - update content in file ./ssh/templates/sshd_config.erb from none to a16b11 (diff output suppressed by config) chef generate template ssh sshd_config -s /etc/ssh/sshd_config
~/cookbooks/ssh/recipes/server.rb template '/etc/ssh/sshd_config' do source 'sshd_config.erb' owner 'root' group 'root' mode '0600' end Server Recipe
Remember… • Infrastructure policies need testing ↳ Linting ↳ Static Analysis ↳ Unit Testing ↳ Integration Testing ↳ Compliance Testing "Infrastructure as Code" should be tested like ANY other codebase.
Test-Driven Development • Write a test, watch it fail • Write some code • Write and run more tests • Code review • Delivery pipeline to production • Lowered chance of production failure Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
Testing the change
~/cookbooks/ssh/.kitchen.yml --- driver: name: vagrant name: docker ... Test Kitchen Configuration (1 of 3) - +
~/cookbooks/ssh/.kitchen.yml ... platforms: - name: ubuntu-16.04 - name: centos-7.2 - name: centos-7.3 ... Test Kitchen Configuration (2 of 3) - + -
+ ~/cookbooks/ssh/.kitchen.yml suites: - name: default - name: server run_list: - recipe[ssh::default] - recipe[ssh::server] verifier: inspec_tests: - test/smoke/default - /home/chef/profiles/my-profile attributes: Test Kitchen Configuration (3 of 3) + - - + -
Move to the cookbook’s directory cd ~/cookbooks/ssh
List the kitchens Instance Driver Provisioner Verifier Transport Last Action Last Error server-centos-73 Docker ChefZero Inspec Ssh <Not Created> <None> kitchen list
Converge -----> Starting Kitchen (v1.15.0) ... -----> Creating <server-centos-73>... Sending build context to Docker daemon 227.8 kB Sending build context to Docker daemon Step 0 : FROM centos:centos7 ... Running handlers: [2017-03-12T02:26:16+00:00] INFO: Running report handlers Running handlers complete [2017-03-12T02:26:16+00:00] INFO: Report handlers complete Chef Client finished, 1/1 resources updated in 01 seconds Finished converging <server-centos-73> (0m23.54s). -----> Kitchen is finished. (1m0.39s) kitchen converge
Test-driven Development Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
Verify the Kitchen -----> Verifying <server-centos-73>... Loaded Target: ssh://kitchen@localhost:32771 × sshd-1.0: SSH Version 2 ( expected: 2 got: (compared using `cmp` matcher) ) × SSH Configuration Protocol should cmp == 2 expected: 2 got: (compared using `cmp` matcher) Profile Summary: 0 successful, 1 failures, 0 skipped Test Summary: 0 successful, 1 failures, 0 skipped kitchen verify
Test-driven Development Add a test Run the tests Make a little change fail pass
~/cookbooks/ssh/templates/sshd_config.erb #ListenAddress 0.0.0.0 #ListenAddress :: # The default requires explicit activation of protocol 1 #Protocol 2 Protocol 2 # HostKey for protocol version 1 Edit the SSH Configuration Template + -
Test-driven Development Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
Converge -----> Starting Kitchen (v1.15.0) ... -----> Converging <server-centos-73>... ... # The default requires explicit activation of protocol 1 -#Protocol 2 +Protocol 2 # HostKey for protocol version 1 ... Running handlers: [2017-03-12T02:32:32+00:00] INFO: Running report handlers Running handlers complete [2017-03-12T02:32:32+00:00] INFO: Report handlers complete Chef Client finished, 1/1 resources updated in 01 seconds Finished converging <server-centos-73> (0m16.32s). -----> Kitchen is finished. (0m17.34s) kitchen converge
Verify the Kitchen -----> Starting Kitchen (v1.15.0) ... -----> Verifying <server-centos-73>... Loaded Target: ssh://kitchen@localhost:32771 ✔ sshd-1.0: SSH Version 2 ✔ SSH Configuration Protocol should cmp == 2 Profile Summary: 1 successful, 0 failures, 0 skipped Test Summary: 1 successful, 0 failures, 0 skipped Finished verifying <server-centos-73> (0m0.22s). -----> Kitchen is finished. (0m1.27s) kitchen verify
Test-driven Development Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
Test the Kitchen (1of 2) -----> Starting Kitchen (v1.15.0) ... -----> Cleaning up any prior instances of <server-centos-73> -----> Destroying <server-centos-73>... ... -----> Testing <server-centos-73> -----> Creating <server-centos-73>... ... -----> Creating <server-centos-73>... ... Finished creating <server-centos-73> (0m0.60s). -----> Converging <server-centos-73>... ... kitchen test
Test the Kitchen (2 of 2) -----> Installing Chef Omnibus (install only if missing) ... -----> Setting up <server-centos-73>... Finished setting up <server-centos-73> (0m0.00s). -----> Verifying <server-centos-73>... ... Profile Summary: 1 successful, 0 failures, 0 skipped Test Summary: 1 successful, 0 failures, 0 skipped Finished verifying <server-centos-73> (0m0.51s). -----> Destroying <server-centos-73>... ... -----> Kitchen is finished. (0m25.18s) kitchen test
What’s next? • Test-driven development cycle is complete • Deploy the change
Remediate with Chef [2017-03-10T16:48:02+00:00] INFO: Forking chef instance to converge... Starting Chef Client, version 12.18.31 ... Synchronizing Cookbooks: - ssh (0.1.0) - audit (2.4.0) - compat_resource (12.16.3) ... -#Protocol 2 +Protocol 2 ... [2017-03-10T16:48:05+00:00] INFO: Chef Run complete in 1.248588588 seconds Running handlers: ... [2017-03-10T16:48:05+00:00] INFO: Report handlers complete Chef Client finished, 1/3 resources updated in 03 seconds sudo run_chef "recipe[ssh::server],recipe[audit::default]"
Browse to your node
Browse to your node
Check the converge status in Automate
Verify Compliance Status in Automate
InSpec Shell inspec shell
InSpec Shell [root@5cd20df7bbe9 /]# sudo docker run –it centos:7
InSpec Shell Welcome to the interactive InSpec Shell To find out how to use it, type: help You are currently running on: OS platform: centos OS family: redhat OS release: 7.3.1611 inspec> help Available commands: `[resource]` - run resource on target machine `help resources` - show all available resources that can be used as commands `help [resource]` - information about a specific resource `exit` - exit the InSpec shell You can use resources in this environment to test the target machine. For example: command('uname -a').stdout file('/proc/cpuinfo').content => "value", inspec shell -t docker://5cd20df7bbe9
Trying some resources… file('/etc/group').content
Trying some resources… passwd.params
Selecting a single entry passwd.uids(0).params
Using "where" to filter passwd.where { uid.to_i > 5 }.params
describe passwd.where { uid.to_i >= 500 } do its('params.size') { should cmp 0 } end Using filter with some Ruby magic…
A Challenge • The username of the passwd entry with UID 5 should be X • Create a control in your profile that checks that key for the proper value.
Another Challenge • YAML configuration file at /var/tmp/workshop.yml • There's a key called "lupo_status" • There's another key there too… • Create a control in your profile that checks each key for the proper value. • Use InSpec shell to look at the file content if needed • My machine's IP: 35.166.172.16 • No SSH'ing into my machine directly! Disqualified if you do! • inspec shell / inspec exec ONLY!
Community Resources • InSpec Website, includes tutorials and docs - http://inspec.io/ • #inspec channel of the Chef Community Slack - http://community-slack.chef.io/ • InSpec category of the Chef Mailing List - https://discourse.chef.io/c/inspec • Compliance Profiles on the Supermarket - https://supermarket.chef.io/tools?type=compliance_profile • Open Source Project - https://github.com/chef/inspec
Join Slack Team & Channel • http://community-slack.chef.io • Join us in the #inspec channel #inspec
• Monday, May 8, 9:30am-2:30pm • CONVENE – 32 Old Slip, NYC • Breakfast and Lunch • Meet CEO Barry Crist and CMO Ken Cheney • Learn about (and get hands-on with) Compliance Automation with Chef Automate • events.chef.io • FREE
★ Workshops & Chef Training ★ DevOps Leadership Summit ★ Community Summit ★ Partner Summit ★ Welcome Reception ★ Customer Dinner ★ Analyst Day • Exhibit Hall Open & Sales suites available • chefconf.chef.io • DAY 1 // MAY 22 ★ Keynotes ★ Technical Sessions ★ Happy Hour ★ Game Night ★ Executive Dinner DAY 2 // MAY 23 ★ Keynotes ★ Technical Sessions ★ Awesome Chef Awards ★ Community Celebration DAY 3 // MAY 24 ★ Hackday DAY 4 // MAY 25

Recommandé

Automating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupAutomating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupMatt Ray
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityMandi Walls
 
Adding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17xAdding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17xMandi Walls
 
Compliance as Code
Compliance as CodeCompliance as Code
Compliance as CodeMatt Ray
 
Prescriptive Security with InSpec - All Things Open 2019
Prescriptive Security with InSpec - All Things Open 2019Prescriptive Security with InSpec - All Things Open 2019
Prescriptive Security with InSpec - All Things Open 2019Mandi Walls
 
Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4Chef
 
Banfootguns devseccon 2019
Banfootguns devseccon 2019Banfootguns devseccon 2019
Banfootguns devseccon 2019Morgan Roman
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecMandi Walls
 

Recommandé

Automating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupAutomating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupMatt Ray
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityMandi Walls
 
Adding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17xAdding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17xMandi Walls
 
Compliance as Code
Compliance as CodeCompliance as Code
Compliance as CodeMatt Ray
 
Prescriptive Security with InSpec - All Things Open 2019
Prescriptive Security with InSpec - All Things Open 2019Prescriptive Security with InSpec - All Things Open 2019
Prescriptive Security with InSpec - All Things Open 2019Mandi Walls
 
Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4Chef
 
Banfootguns devseccon 2019
Banfootguns devseccon 2019Banfootguns devseccon 2019
Banfootguns devseccon 2019Morgan Roman
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecMandi Walls
 
InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017Mandi Walls
 
2019 Chef InSpec Jumpstart Part 1 of 2
2019 Chef InSpec Jumpstart Part 1 of 22019 Chef InSpec Jumpstart Part 1 of 2
2019 Chef InSpec Jumpstart Part 1 of 2Larry Eichenbaum
 
Prescriptive System Security with InSpec
Prescriptive System Security with InSpecPrescriptive System Security with InSpec
Prescriptive System Security with InSpecAll Things Open
 
Automated Infrastructure Testing
Automated Infrastructure TestingAutomated Infrastructure Testing
Automated Infrastructure TestingRanjib Dey
 
Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Chef
 
Azure handsonlab
Azure handsonlabAzure handsonlab
Azure handsonlabChef
 
Chef Workflow Demo
Chef Workflow DemoChef Workflow Demo
Chef Workflow DemoChef
 
DCEU 18: How To Build Your Containerization Strategy
DCEU 18: How To Build Your Containerization StrategyDCEU 18: How To Build Your Containerization Strategy
DCEU 18: How To Build Your Containerization StrategyDocker, Inc.
 
Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec Matt Ray
 
Jenkins and Chef: Infrastructure CI and Automated Deployment
Jenkins and Chef: Infrastructure CI and Automated DeploymentJenkins and Chef: Infrastructure CI and Automated Deployment
Jenkins and Chef: Infrastructure CI and Automated DeploymentDan Stine
 
Testing for infra code using test-kitchen,docker,chef
Testing for infra code using test-kitchen,docker,chefTesting for infra code using test-kitchen,docker,chef
Testing for infra code using test-kitchen,docker,chefkamalikamj
 
PASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and TricksPASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and TricksKellyn Pot'Vin-Gorman
 
Test Driven Development with Chef
Test Driven Development with ChefTest Driven Development with Chef
Test Driven Development with ChefSimone Soldateschi
 
Choosing the Right Framework for Running Docker Containers in Prod
Choosing the Right Framework for Running Docker Containers in ProdChoosing the Right Framework for Running Docker Containers in Prod
Choosing the Right Framework for Running Docker Containers in ProdJosh Padnick
 
Chef Hack Day Denver
Chef Hack Day Denver Chef Hack Day Denver
Chef Hack Day Denver Chef
 
DevOPS training - Day 2/2
DevOPS training - Day 2/2DevOPS training - Day 2/2
DevOPS training - Day 2/2Vincent Mercier
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using AnsibleSonatype
 
InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017Mandi Walls
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Clark Everetts
 
Intermediate/Compliance training Guide
Intermediate/Compliance training GuideIntermediate/Compliance training Guide
Intermediate/Compliance training GuideChef
 
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecOSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecNETWAYS
 
Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Mandi Walls
 

Contenu connexe

Tendances

InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017Mandi Walls
 
2019 Chef InSpec Jumpstart Part 1 of 2
2019 Chef InSpec Jumpstart Part 1 of 22019 Chef InSpec Jumpstart Part 1 of 2
2019 Chef InSpec Jumpstart Part 1 of 2Larry Eichenbaum
 
Prescriptive System Security with InSpec
Prescriptive System Security with InSpecPrescriptive System Security with InSpec
Prescriptive System Security with InSpecAll Things Open
 
Automated Infrastructure Testing
Automated Infrastructure TestingAutomated Infrastructure Testing
Automated Infrastructure TestingRanjib Dey
 
Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Chef
 
Azure handsonlab
Azure handsonlabAzure handsonlab
Azure handsonlabChef
 
Chef Workflow Demo
Chef Workflow DemoChef Workflow Demo
Chef Workflow DemoChef
 
DCEU 18: How To Build Your Containerization Strategy
DCEU 18: How To Build Your Containerization StrategyDCEU 18: How To Build Your Containerization Strategy
DCEU 18: How To Build Your Containerization StrategyDocker, Inc.
 
Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec Matt Ray
 
Jenkins and Chef: Infrastructure CI and Automated Deployment
Jenkins and Chef: Infrastructure CI and Automated DeploymentJenkins and Chef: Infrastructure CI and Automated Deployment
Jenkins and Chef: Infrastructure CI and Automated DeploymentDan Stine
 
Testing for infra code using test-kitchen,docker,chef
Testing for infra code using test-kitchen,docker,chefTesting for infra code using test-kitchen,docker,chef
Testing for infra code using test-kitchen,docker,chefkamalikamj
 
PASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and TricksPASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and TricksKellyn Pot'Vin-Gorman
 
Test Driven Development with Chef
Test Driven Development with ChefTest Driven Development with Chef
Test Driven Development with ChefSimone Soldateschi
 
Choosing the Right Framework for Running Docker Containers in Prod
Choosing the Right Framework for Running Docker Containers in ProdChoosing the Right Framework for Running Docker Containers in Prod
Choosing the Right Framework for Running Docker Containers in ProdJosh Padnick
 
Chef Hack Day Denver
Chef Hack Day Denver Chef Hack Day Denver
Chef Hack Day Denver Chef
 
DevOPS training - Day 2/2
DevOPS training - Day 2/2DevOPS training - Day 2/2
DevOPS training - Day 2/2Vincent Mercier
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using AnsibleSonatype
 
InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017Mandi Walls
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Clark Everetts
 
Intermediate/Compliance training Guide
Intermediate/Compliance training GuideIntermediate/Compliance training Guide
Intermediate/Compliance training GuideChef
 

Tendances (20)

InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017
 
2019 Chef InSpec Jumpstart Part 1 of 2
2019 Chef InSpec Jumpstart Part 1 of 22019 Chef InSpec Jumpstart Part 1 of 2
2019 Chef InSpec Jumpstart Part 1 of 2
 
Prescriptive System Security with InSpec
Prescriptive System Security with InSpecPrescriptive System Security with InSpec
Prescriptive System Security with InSpec
 
Automated Infrastructure Testing
Automated Infrastructure TestingAutomated Infrastructure Testing
Automated Infrastructure Testing
 
Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2
 
Azure handsonlab
Azure handsonlabAzure handsonlab
Azure handsonlab
 
Chef Workflow Demo
Chef Workflow DemoChef Workflow Demo
Chef Workflow Demo
 
DCEU 18: How To Build Your Containerization Strategy
DCEU 18: How To Build Your Containerization StrategyDCEU 18: How To Build Your Containerization Strategy
DCEU 18: How To Build Your Containerization Strategy
 
Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec Automating AWS Compliance with InSpec
Automating AWS Compliance with InSpec
 
Jenkins and Chef: Infrastructure CI and Automated Deployment
Jenkins and Chef: Infrastructure CI and Automated DeploymentJenkins and Chef: Infrastructure CI and Automated Deployment
Jenkins and Chef: Infrastructure CI and Automated Deployment
 
Testing for infra code using test-kitchen,docker,chef
Testing for infra code using test-kitchen,docker,chefTesting for infra code using test-kitchen,docker,chef
Testing for infra code using test-kitchen,docker,chef
 
PASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and TricksPASS 24HOP Linux Scripting Tips and Tricks
PASS 24HOP Linux Scripting Tips and Tricks
 
Test Driven Development with Chef
Test Driven Development with ChefTest Driven Development with Chef
Test Driven Development with Chef
 
Choosing the Right Framework for Running Docker Containers in Prod
Choosing the Right Framework for Running Docker Containers in ProdChoosing the Right Framework for Running Docker Containers in Prod
Choosing the Right Framework for Running Docker Containers in Prod
 
Chef Hack Day Denver
Chef Hack Day Denver Chef Hack Day Denver
Chef Hack Day Denver
 
DevOPS training - Day 2/2
DevOPS training - Day 2/2DevOPS training - Day 2/2
DevOPS training - Day 2/2
 
System Hardening Using Ansible
System Hardening Using AnsibleSystem Hardening Using Ansible
System Hardening Using Ansible
 
InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
 
Intermediate/Compliance training Guide
Intermediate/Compliance training GuideIntermediate/Compliance training Guide
Intermediate/Compliance training Guide
 

Similaire à Compliance Automation with InSpec - Chef NYC Meetup - April 2017

OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecOSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecNETWAYS
 
Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Mandi Walls
 
Achieving DevOps Success with Chef Automate
Achieving DevOps Success with Chef AutomateAchieving DevOps Success with Chef Automate
Achieving DevOps Success with Chef AutomateChef
 
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsOSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsNETWAYS
 
Compliance Automation with InSpec
Compliance Automation with InSpec Compliance Automation with InSpec
Compliance Automation with InSpec Nathen Harvey
 
Introduction to Chef - Techsuperwomen Summit
Introduction to Chef - Techsuperwomen SummitIntroduction to Chef - Techsuperwomen Summit
Introduction to Chef - Techsuperwomen SummitJennifer Davis
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDays Riga
 
Quality code in wordpress
Quality code in wordpressQuality code in wordpress
Quality code in wordpressRan Bar-Zik
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, ChefCompliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, ChefAlert Logic
 
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017AgileNZ Conference
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 
InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017Mandi Walls
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Kangaroot
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beMandi Walls
 
AWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for DevelopersAWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for DevelopersAmazon Web Services
 
DevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi WallsDevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi WallsDevSecCon
 
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMelbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMatt Ray
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecMandi Walls
 
InSpec at DevOps ATL Meetup January 22, 2020
InSpec at DevOps ATL Meetup January 22, 2020InSpec at DevOps ATL Meetup January 22, 2020
InSpec at DevOps ATL Meetup January 22, 2020Mandi Walls
 

Similaire à Compliance Automation with InSpec - Chef NYC Meetup - April 2017 (20)

OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecOSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
 
Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)
 
Achieving DevOps Success with Chef Automate
Achieving DevOps Success with Chef AutomateAchieving DevOps Success with Chef Automate
Achieving DevOps Success with Chef Automate
 
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsOSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
 
Compliance Automation with InSpec
Compliance Automation with InSpec Compliance Automation with InSpec
Compliance Automation with InSpec
 
Introduction to Chef - Techsuperwomen Summit
Introduction to Chef - Techsuperwomen SummitIntroduction to Chef - Techsuperwomen Summit
Introduction to Chef - Techsuperwomen Summit
 
Chef Cookbook Workflow
Chef Cookbook WorkflowChef Cookbook Workflow
Chef Cookbook Workflow
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
 
Quality code in wordpress
Quality code in wordpressQuality code in wordpress
Quality code in wordpress
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, ChefCompliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
 
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
DevSec Delight with Compliance as Code - Matt Ray - AgileNZ 2017
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.be
 
AWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for DevelopersAWS Summit Auckland - Application Delivery Patterns for Developers
AWS Summit Auckland - Application Delivery Patterns for Developers
 
DevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi WallsDevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi Walls
 
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMelbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpec
 
InSpec at DevOps ATL Meetup January 22, 2020
InSpec at DevOps ATL Meetup January 22, 2020InSpec at DevOps ATL Meetup January 22, 2020
InSpec at DevOps ATL Meetup January 22, 2020
 

Dernier

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
tonesoftg
tonesoftgtonesoftg
tonesoftglanshi9
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...masabamasaba
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...SelfMade bd
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidPhilip Schwarz
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...chiefasafspells
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...masabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...masabamasaba
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburgmasabamasaba
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationJuha-Pekka Tolvanen
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...masabamasaba
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2
 

Dernier (20)

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
WSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - KeynoteWSO2Con204 - Hard Rock Presentation - Keynote
WSO2Con204 - Hard Rock Presentation - Keynote
 

Compliance Automation with InSpec - Chef NYC Meetup - April 2017

  • 1. Compliance Automation with InSpec Adam Leff - @adamleff
  • 2. Who's this guy? • Adam Leff (@adamleff) • Technical Community Advocate at Chef • Formerly Senior Software Engineer in Partner Engineering and Core Engineering • Before that, numerous leadership roles at WebMD • Live in Datacenter Alley (Ashburn, VA)
  • 3. Join Slack Team & Channel • http://community-slack.chef.io • Join us in the #inspec channel #inspec
  • 5. We started with infrastructure automation…
  • 6. Security and compliance slow me down!
  • 7. Product Ideas and Features
  • 8. Security and compliance slow me down!
  • 10. Compliance Officer Jane says… "Our systems mus be compliant."
  • 11.
  • 12.
  • 13. This is a true story. Auditor: "Communication from your network devices to your authentication server must be encrypted."
  • 14. This is a true story. Me: "We use BlahBlah TACACS+ server. You can't disable encryption."
  • 15. This is a true story. Auditor: "Okay. Please show me that encryption is enabled."
  • 16. This is a true story. Me: "Um… I can't. I can't disable it, so I can't show you where it's enabled. But I can show you that I'm using BlahBlah TACACS+ server."
  • 17. This is a true story. Auditor: "Can you show me how you can't disable it?"
  • 18. This is a true story. Me:
  • 19. This is a true story. Me: "How about I show you where I configured the encryption key? Is that good enough?"
  • 20. This is a true story. Auditor:
  • 21. Why did I tell you this? • This exchange happened at least once a year, sometimes more • What constitutes "compliance" may be open to interpretation • What the auditor was actually looking for can be automated • We REALLY need to automate compliance
  • 22. OMG so much compliance • PCI-DSS • Dodd-Frank • HITECH • Gramm-Leach-Bliley Act • ISO • HIPAA • Grundschutz • Sarbanes-Oxley • General Data Protection Regulation (GPDR)
  • 23.
  • 24.
  • 25. A Documentation Example SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
  • 26. I can totally script that…
  • 27. A tale of three personas…
  • 28. A tale of three personas… ✅❓❌
  • 29.
  • 30. What is InSpec? • Open-source testing framework • Human readable language • Assert status of infrastructure tests and compliance controls • Scan locally or remotely
  • 33. Option #2: Test a requirement with InSpec
  • 34. Option #3: Test a control with InSpec
  • 36. One Language • Linux • Windows • BSD • Solaris • AIX • … and more
  • 37. Yup, I said Windows…
  • 38. One Language • Bare Metal • VMs • Containers
  • 42. Test a Docker Container
  • 44. Center for Internet Security (CIS) • Publish benchmarks for compliance • Red Hat Enterprise Linux, Ubuntu, SUSE, Oracle Linux… • Microsoft Windows 7, 8, Server 2008, Server 2012… • IBM AIX, HP-UX, VMware ESXi… • Oracle MySQL, Apache Tomcat, MS SQL Server, IIS Server… • … so much more, in glorious PDF format!
  • 45. Security Content Automation Protocol (SCAP) • Method for automating compliance using agreed-upon standards • National Vulnerability Database • Content and Scanners
  • 46. Source/Copyright: Center for Internet Security
  • 48. SCAP Control as Native InSpec
  • 49. Profile Reuse and Inheritance
  • 50. Profile Reuse and Inheritance
  • 51. Profile Reuse and Inheritance
  • 52. Why InSpec? • Break down silos between organizations interested in security/compliance • Codify your compliance agreements and requirements • Share knowledge and code • Safety at velocity
  • 53. • Monday, May 8, 9:30am-2:30pm • CONVENE – 32 Old Slip, NYC • Breakfast and Lunch • Meet CEO Barry Crist and CMO Ken Cheney • Learn about (and get hands-on with) Compliance Automation with Chef Automate • events.chef.io • FREE
  • 54. ★ Workshops & Chef Training ★ DevOps Leadership Summit ★ Community Summit ★ Partner Summit ★ Welcome Reception ★ Customer Dinner ★ Analyst Day • Exhibit Hall Open & Sales suites available • chefconf.chef.io • DAY 1 // MAY 22 ★ Keynotes ★ Technical Sessions ★ Happy Hour ★ Game Night ★ Executive Dinner DAY 2 // MAY 23 ★ Keynotes ★ Technical Sessions ★ Awesome Chef Awards ★ Community Celebration DAY 3 // MAY 24 ★ Hackday DAY 4 // MAY 25
  • 55. Compliance Automation with InSpec Learning Lab Adam Leff - @adamleff
  • 56. Login to remote workstation The authenticity of host '52.54.113.210 (52.54.113.210)' can't be established. ECDSA key fingerprint is SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I. Are you sure you want to continue connecting (yes/no)? ssh chef@IP_ADDRESS
  • 57. Login to remote workstation The authenticity of host '52.54.113.210 (52.54.113.210)' can't be established. ECDSA key fingerprint is SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I. Are you sure you want to continue connecting (yes/no)? yes ssh chef@IP_ADDRESS
  • 58. Login to remote workstation The authenticity of host '52.54.113.210 (52.54.113.210)' can't be established. ECDSA key fingerprint is SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '52.54.113.210' (ECDSA) to the list of known hosts. chef@52.54.113.210's password: ssh chef@IP_ADDRESS
  • 59. Login to remote workstation The authenticity of host '52.54.113.210 (52.54.113.210)' can't be established. ECDSA key fingerprint is SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '52.54.113.210' (ECDSA) to the list of known hosts. chef@52.54.113.210's password: chef ssh chef@IP_ADDRESS
  • 60. Touch a file with your name touch firstname-lastname
  • 61. Touch a file with your name touch adam-leff
  • 62. List your home directory adam-leff cookbooks Berksfile nodes Berksfile.lock config.json ls -t
  • 64. Verify the installation 1.11.0 Your version of InSpec is out of date! The latest version is 1.15.0. inspec version
  • 66. Verify the installation Chef Development Kit Version: 1.2.22 chef-client version: 12.18.31 delivery version: master (0b746cafed65a9ea1a79de3cc546e7922de9187c) berks version: 5.6.0 kitchen version: 1.15.0 chef --version
  • 67. Chef DK - The Chef Development Kit • Definitive tooling for local development of Chef code & Infrastructure as Code development ▪ Validate your Chef code against Chef best practices ▪ Extend with rules to enforce organizational Chef development best practices ▪ Enforce compliance & security practices Foodcritic Test Your “Chef Style” ▪ Validate your Chef code against Ruby best practices ▪ Identify potential Ruby errors Unclosed strings, etc. ▪ Identify style/convention that helps write better code Single quotes vs. double quotes CookStyle Validate your Ruby ▪ Validate your Chef code will run ▪ Testing for more Chef advanced use cases ▪ Useful for regression testing ChefSpec Simulate Chef ▪ Executes your Chef code on an instance or container ▪ Integrates with Cloud and Virtualization providers ▪ Validate your Chef code locally before sharing ▪ Speed development of Chef Cookbooks Test Kitchen Let’s do this (almost) for real ▪ Assert the intention of your Chef code ▪ Verify on live systems that your Chef code produced the correct result ▪ Confirm your Chef code didn’t not produce compliance drift InSpec Verify automation results & ensure compliance FAST INEXPENSIVE TESTING DEEP INTEGRATION TESTING
  • 69. Create a profiles directory mkdir profiles
  • 70. Go to the profiles directory cd profiles
  • 71. Create a new profile Create new profile at /home/chef/profiles/my-profile * Create directory controls * Create file controls/example.rb * Create file inspec.yml * Create directory libraries * Create file README.md * Create file libraries/.gitkeep inspec init profile my-profile
  • 72. Go to our profile cd my-profile
  • 73. Explore the new profile . ├── README.md ├── controls │ └── example.rb ├── inspec.yml └── libraries tree
  • 74. Go to the controls directory cd controls
  • 75. Check out the example # encoding: utf-8 # copyright: 2015, The Authors # license: All rights reserved title 'sample section' # you can also use plain tests describe file('/tmp') do it { should be_directory } end cat example.rb
  • 76. Create a new control file vi ssh.rb
  • 77. ~/profiles/my-profile/controls/ssh.rb control 'ssh-1' do title 'my title' desc 'my description' impact 1.0 describe sshd_config do its('Protocol') { should cmp 2 } end end Our new control
  • 78. Go back to the profiles directory cd ~/profiles
  • 79. Validate our profile Location: my-profile Profile: my-profile Controls: 3 Timestamp: 2017-04-17T15:57:35-04:00 Valid: true No errors or warnings inspec check my-profile
  • 80. Execute our profile inspec exec my-profile
  • 82. Simple SSH Cookbook • A server recipe to manage the sshd_config file • Local test environment configured
  • 83. Move to the cookbooks directory cd ~/cookbooks
  • 85. Audit Cookbook • Install InSpec • Run InSpec profiles • Report results to Chef Compliance or Chef Visibility
  • 86. Run with additional parameters [2017-03-10T14:10:34+00:00] INFO: Forking chef instance to converge... Starting Chef Client, version 12.18.31 [2017-03-10T14:10:34+00:00] INFO: *** Chef 12.18.31 *** ... [2017-03-10T14:10:40+00:00] INFO: Chef Run complete in 4.10402964 seconds Running handlers: [2017-03-10T14:10:40+00:00] INFO: Running report handlers [2017-03-10T14:10:40+00:00] WARN: Format is json [2017-03-10T14:10:40+00:00] INFO: Initialize InSpec [2017-03-10T14:10:40+00:00] INFO: Running tests from: [{:name=>"ssh", :path=>"/home/chef/profiles/ssh"}] [2017-03-10T14:10:40+00:00] INFO: Reporting to chef-visibility ... Running handlers complete [2017-03-10T14:10:40+00:00] INFO: Report handlers complete Chef Client finished, 1/2 resources updated in 06 seconds sudo run_chef "recipe[audit::default]"
  • 87. Compat Resource Cookbook • Adds functionality introduced in the latest chef-client releases to any chef-client from 12.1 onwards. • Includes Custom Resource functionality notification improvements new resources added to core chef • Allows for these new resources in cookbooks without requiring the very latest Chef client release.
  • 88. Generate an ssh cookbook Generating cookbook ssh - Ensuring correct cookbook file content - Committing cookbook files to git - Ensuring delivery configuration - Ensuring correct delivery build cookbook content - Adding delivery configuration to feature branch - Adding build cookbook to feature branch - Merging delivery content feature branch to master Your cookbook is ready. Type `cd ssh` to enter it. There are several commands you can run to get started locally developing and testing your cookbook. Type `delivery local --help` to see a full list. Why not start by writing a test? Tests for the default recipe are stored at: test/smoke/default/default_test.rb If you'd prefer to dive right in, the default recipe can be found at: recipes/default.rb chef generate cookbook ssh
  • 89. Add a server recipe to the ssh cookbook Recipe: code_generator::recipe * directory[./ssh/spec/unit/recipes] action create (up to date) * cookbook_file[./ssh/spec/spec_helper.rb] action create_if_missing (up to date) * template[./ssh/spec/unit/recipes/server_spec.rb] action create_if_missing - create new file ./ssh/spec/unit/recipes/server_spec.rb - update content in file ./ssh/spec/unit/recipes/server_spec.rb from none to d14960 (diff output suppressed by config) * directory[./ssh/test/smoke/default] action create (up to date) * template[./ssh/test/smoke/default/server.rb] action create_if_missing - create new file ./ssh/test/smoke/default/server.rb - update content in file ./ssh/test/smoke/default/server.rb from none to aa8bba (diff output suppressed by config) * template[./ssh/recipes/server.rb] action create - create new file ./ssh/recipes/server.rb - update content in file ./ssh/recipes/server.rb from none to 18f24e (diff output suppressed by config) chef generate recipe ssh server
  • 90. Add a template to the cookbook Recipe: code_generator::template * directory[./ssh/templates/default] action create - create new directory ./ssh/templates/default * file[./ssh/templates/sshd_config.erb] action create - create new file ./ssh/templates/sshd_config.erb - update content in file ./ssh/templates/sshd_config.erb from none to a16b11 (diff output suppressed by config) chef generate template ssh sshd_config -s /etc/ssh/sshd_config
  • 91. ~/cookbooks/ssh/recipes/server.rb template '/etc/ssh/sshd_config' do source 'sshd_config.erb' owner 'root' group 'root' mode '0600' end Server Recipe
  • 92. Remember… • Infrastructure policies need testing ↳ Linting ↳ Static Analysis ↳ Unit Testing ↳ Integration Testing ↳ Compliance Testing "Infrastructure as Code" should be tested like ANY other codebase.
  • 93. Test-Driven Development • Write a test, watch it fail • Write some code • Write and run more tests • Code review • Delivery pipeline to production • Lowered chance of production failure Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
  • 96. ~/cookbooks/ssh/.kitchen.yml ... platforms: - name: ubuntu-16.04 - name: centos-7.2 - name: centos-7.3 ... Test Kitchen Configuration (2 of 3) - + -
  • 97. + ~/cookbooks/ssh/.kitchen.yml suites: - name: default - name: server run_list: - recipe[ssh::default] - recipe[ssh::server] verifier: inspec_tests: - test/smoke/default - /home/chef/profiles/my-profile attributes: Test Kitchen Configuration (3 of 3) + - - + -
  • 98. Move to the cookbook’s directory cd ~/cookbooks/ssh
  • 99. List the kitchens Instance Driver Provisioner Verifier Transport Last Action Last Error server-centos-73 Docker ChefZero Inspec Ssh <Not Created> <None> kitchen list
  • 100. Converge -----> Starting Kitchen (v1.15.0) ... -----> Creating <server-centos-73>... Sending build context to Docker daemon 227.8 kB Sending build context to Docker daemon Step 0 : FROM centos:centos7 ... Running handlers: [2017-03-12T02:26:16+00:00] INFO: Running report handlers Running handlers complete [2017-03-12T02:26:16+00:00] INFO: Report handlers complete Chef Client finished, 1/1 resources updated in 01 seconds Finished converging <server-centos-73> (0m23.54s). -----> Kitchen is finished. (1m0.39s) kitchen converge
  • 101. Test-driven Development Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
  • 102. Verify the Kitchen -----> Verifying <server-centos-73>... Loaded Target: ssh://kitchen@localhost:32771 × sshd-1.0: SSH Version 2 ( expected: 2 got: (compared using `cmp` matcher) ) × SSH Configuration Protocol should cmp == 2 expected: 2 got: (compared using `cmp` matcher) Profile Summary: 0 successful, 1 failures, 0 skipped Test Summary: 0 successful, 1 failures, 0 skipped kitchen verify
  • 103. Test-driven Development Add a test Run the tests Make a little change fail pass
  • 104. ~/cookbooks/ssh/templates/sshd_config.erb #ListenAddress 0.0.0.0 #ListenAddress :: # The default requires explicit activation of protocol 1 #Protocol 2 Protocol 2 # HostKey for protocol version 1 Edit the SSH Configuration Template + -
  • 105. Test-driven Development Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
  • 106. Converge -----> Starting Kitchen (v1.15.0) ... -----> Converging <server-centos-73>... ... # The default requires explicit activation of protocol 1 -#Protocol 2 +Protocol 2 # HostKey for protocol version 1 ... Running handlers: [2017-03-12T02:32:32+00:00] INFO: Running report handlers Running handlers complete [2017-03-12T02:32:32+00:00] INFO: Report handlers complete Chef Client finished, 1/1 resources updated in 01 seconds Finished converging <server-centos-73> (0m16.32s). -----> Kitchen is finished. (0m17.34s) kitchen converge
  • 107. Verify the Kitchen -----> Starting Kitchen (v1.15.0) ... -----> Verifying <server-centos-73>... Loaded Target: ssh://kitchen@localhost:32771 ✔ sshd-1.0: SSH Version 2 ✔ SSH Configuration Protocol should cmp == 2 Profile Summary: 1 successful, 0 failures, 0 skipped Test Summary: 1 successful, 0 failures, 0 skipped Finished verifying <server-centos-73> (0m0.22s). -----> Kitchen is finished. (0m1.27s) kitchen verify
  • 108. Test-driven Development Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
  • 109. Test the Kitchen (1of 2) -----> Starting Kitchen (v1.15.0) ... -----> Cleaning up any prior instances of <server-centos-73> -----> Destroying <server-centos-73>... ... -----> Testing <server-centos-73> -----> Creating <server-centos-73>... ... -----> Creating <server-centos-73>... ... Finished creating <server-centos-73> (0m0.60s). -----> Converging <server-centos-73>... ... kitchen test
  • 110. Test the Kitchen (2 of 2) -----> Installing Chef Omnibus (install only if missing) ... -----> Setting up <server-centos-73>... Finished setting up <server-centos-73> (0m0.00s). -----> Verifying <server-centos-73>... ... Profile Summary: 1 successful, 0 failures, 0 skipped Test Summary: 1 successful, 0 failures, 0 skipped Finished verifying <server-centos-73> (0m0.51s). -----> Destroying <server-centos-73>... ... -----> Kitchen is finished. (0m25.18s) kitchen test
  • 111. What’s next? • Test-driven development cycle is complete • Deploy the change
  • 112. Remediate with Chef [2017-03-10T16:48:02+00:00] INFO: Forking chef instance to converge... Starting Chef Client, version 12.18.31 ... Synchronizing Cookbooks: - ssh (0.1.0) - audit (2.4.0) - compat_resource (12.16.3) ... -#Protocol 2 +Protocol 2 ... [2017-03-10T16:48:05+00:00] INFO: Chef Run complete in 1.248588588 seconds Running handlers: ... [2017-03-10T16:48:05+00:00] INFO: Report handlers complete Chef Client finished, 1/3 resources updated in 03 seconds sudo run_chef "recipe[ssh::server],recipe[audit::default]"
  • 113. Browse to your node
  • 114. Browse to your node
  • 115. Check the converge status in Automate
  • 116. Verify Compliance Status in Automate
  • 118. InSpec Shell [root@5cd20df7bbe9 /]# sudo docker run –it centos:7
  • 119. InSpec Shell Welcome to the interactive InSpec Shell To find out how to use it, type: help You are currently running on: OS platform: centos OS family: redhat OS release: 7.3.1611 inspec> help Available commands: `[resource]` - run resource on target machine `help resources` - show all available resources that can be used as commands `help [resource]` - information about a specific resource `exit` - exit the InSpec shell You can use resources in this environment to test the target machine. For example: command('uname -a').stdout file('/proc/cpuinfo').content => "value", inspec shell -t docker://5cd20df7bbe9
  • 122. Selecting a single entry passwd.uids(0).params
  • 123. Using "where" to filter passwd.where { uid.to_i > 5 }.params
  • 124. describe passwd.where { uid.to_i >= 500 } do its('params.size') { should cmp 0 } end Using filter with some Ruby magic…
  • 125. A Challenge • The username of the passwd entry with UID 5 should be X • Create a control in your profile that checks that key for the proper value.
  • 126. Another Challenge • YAML configuration file at /var/tmp/workshop.yml • There's a key called "lupo_status" • There's another key there too… • Create a control in your profile that checks each key for the proper value. • Use InSpec shell to look at the file content if needed • My machine's IP: 35.166.172.16 • No SSH'ing into my machine directly! Disqualified if you do! • inspec shell / inspec exec ONLY!
  • 127. Community Resources • InSpec Website, includes tutorials and docs - http://inspec.io/ • #inspec channel of the Chef Community Slack - http://community-slack.chef.io/ • InSpec category of the Chef Mailing List - https://discourse.chef.io/c/inspec • Compliance Profiles on the Supermarket - https://supermarket.chef.io/tools?type=compliance_profile • Open Source Project - https://github.com/chef/inspec
  • 128. Join Slack Team & Channel • http://community-slack.chef.io • Join us in the #inspec channel #inspec
  • 129. • Monday, May 8, 9:30am-2:30pm • CONVENE – 32 Old Slip, NYC • Breakfast and Lunch • Meet CEO Barry Crist and CMO Ken Cheney • Learn about (and get hands-on with) Compliance Automation with Chef Automate • events.chef.io • FREE
  • 130. ★ Workshops & Chef Training ★ DevOps Leadership Summit ★ Community Summit ★ Partner Summit ★ Welcome Reception ★ Customer Dinner ★ Analyst Day • Exhibit Hall Open & Sales suites available • chefconf.chef.io • DAY 1 // MAY 22 ★ Keynotes ★ Technical Sessions ★ Happy Hour ★ Game Night ★ Executive Dinner DAY 2 // MAY 23 ★ Keynotes ★ Technical Sessions ★ Awesome Chef Awards ★ Community Celebration DAY 3 // MAY 24 ★ Hackday DAY 4 // MAY 25

Notes de l'éditeur

  1. >>> INSTRUCTOR NOTE – Update the slack channel name