Automating Compliance with InSpec - Chef Singapore Meetup

1. Automating Compliance with InSpec Chef Meetup Singapore July 24, 2017

2. Matt Ray Manager, Solutions Architect – APJ Chef Software matt@chef.io @mattray

3. Chef Workflow

4. SSH Control "SSH supports two different protocol versions.The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."

5. How will I verify this?

6. Whip up a one-liner! grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'

7. Apache Server Information Leakage • Description This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OSType of the Server. This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions. • How toTest In order to test for ServerToken configuration, one should check the Apache configuration file. • Misconfiguration ServerTokens Full • Remediation Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.This tells Apache to only return "Apache" in the Server header, returned on every page request. ServerTokens Prod or ServerTokens ProductOnly https://www.owasp.org/index.php/SCG_WS_Apache

8. More grep and sed! grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

9. C o m p l i a n c e

10. Two-thirds of organizations did not adequately test the security of all in-scope systems

11. Key Trends • While individual rule compliance is up, testing of security systems is down • Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.

12. Shell Scripts grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

13. Infrastructure Code package 'httpd' do action :install end service 'httpd' do action [ :start, :enable ] end

14. We Have A Communications Problem

15. Security != Compliance

16. Secure Compliant

17. Compliance Language

18. One Language Linux

19. One Language Linux,Windows

20. Windows

21. One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ...

22. Examples of Available Resources apache_conf apt audit_policy auditd_conf auditd_rules bond bridge command crontab directory etc_group file gem group host inetd_conf interface iptables kernel_module kernel_parameter limits_conf login_defs mount mysql_conf mysql_session npm ntp_conf oneget os os_env package parse_config parse_config_file passwd pip port postgres_conf postgres_session powershell processes registry_key security_policy service ssh_config sshd_config user windows_feature yum

23. What is it not? • IDS / IPS • Firewall • Antivirus • Pentesting tool

24. One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal

25. One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal,VMs

26. One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers

27. One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes

28. One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes, Databases

29. DB Testing

30. One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes, Databases,APIs

31. Cloud Testing

32. InSpec > inspec exec test.rb Test a machine remotely via SSH > inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1 Test your machine locally > inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super Test Docker Container > inspec exec test.rb -t docker://5cc8837bb6a8 Test a machine remotely via WinRM AGENTLESS

33. Operating System & Application Coverage • Microsoft Windows • Red Hat Enterprise Linux • Ubuntu Linux • SUSE Linux Enterprise Server • Oracle Enterprise Linux • AIX • HP-UX • Solaris • VMware ESXi • MySQL • Oracle • PostgreSQL • Tomcat • SQL Server • IIS • HTTP request

34. One Language Linux,Windows, BSD, Solaris,AIX, HP-UX, ... Bare-metal,VMs, Containers Nodes, Databases,APIs, Cloud Platforms, ...

35. Open Source Community •https://inspec.io •https://github.com/chef/inspec •https://supermarket.chef.io •https://learn.chef.io •#inspec in https://chefcommunity.slack.com

36. Scan for Compliance Build & Test Locally Build & Test CI/CD Remediate Verify New Workflow

37. CONTINUOUS COMPLIANCE AUTOMATION InSpec - Part of your InfoSec toolchain FIREWALL ANTIVIRUS INTRUSION DETECTION/ PREVENTION PENETRATION TESTING

38. The Chef Automate Platform Continuous Automation for High Velocity IT Workflow • Local development • Integration • Tooling (APIs & SDKs) COLLABORATE ▪ Package ▪ Test ▪ Approve BUILD ▪ Provision ▪ Configure ▪ Execute ▪ Update DEPLOY ▪ Secure ▪ Comply ▪ Audit ▪ Measure ▪ Log MANAGE Infrastructure Automation Compliance AutomationApplication Automation OSS AUTOMATION ENGINES Increase Speed ▪ Package infrastructure and app configuration as code ▪ Continuously automate infrastructure and app updates Improve Efficiency ▪ Define and execute standard workflows and automation ▪ Audit and measure effectiveness of automation Decrease Risk ▪ Define compliance rules as code ▪ Deliver continuous compliance as part of standard workflow

39. InSpec Workshop • https://github.com/mattray/inspec-workshop • CentOS 7.3 • https://github.com/dev-sec/linux-patch-baseline • Windows 2012r2 • https://github.com/adamleff/inspec-profile-wannacry-exploit

40. InSpec Workshop – Test Kitchen • http://kitchen.ci/docs/getting-started/installing • Chef Development Kit https://downloads.chef.io/chef-dk • VirtualBox • Vagrant

41. InSpec Workshop – Windows • Vagrant vagrant plugin install vagrant-winrm vagrant box add windows-2012r2 windows2012r2min-virtualbox.box • Kitchen Windows setup http://www.hurryupandwait.io/blog/creating-windows-base-images-for- virtualbox-and-hyper-v-using-packer-boxstarter-and-vagrant packer build -force -only virtualbox-iso vbox-2012r2.json

42. .kitchen.yml 1/3 --- driver: name: vagrant provisioner: name: chef_zero always_update_cookbooks: true verifier: name: inspec platforms: - name: centos-7.3 - name: windows-2012r2

43. .kitchen.yml 2/3 suites: - name: patchlinux run_list: - recipe[inspec-workshop::rhel7] verifier: inspec_tests: - git: git://github.com/dev-sec/linux-patch-baseline attributes: excludes: - windows-2012r2

44. .kitchen.yml 3/3 - name: wannacry run_list: - recipe[inspec-workshop::win2012r2] verifier: inspec_tests: - git: git://github.com/adamleff/inspec-profile-wannacry-exploit attributes: excludes: - centos-7.3

45. kitchen converge $ kitchen converge linux -----> Starting Kitchen (v1.16.0) -----> Converging <patchlinux-centos-73>... Preparing files for transfer Preparing dna.json Resolving cookbook dependencies with Berkshelf 6.2.0... Removing non-cookbook files before transfer Preparing validation.pem Preparing client.rb …

46. kitchen verify $ kitchen verify linux -----> Starting Kitchen (v1.16.0) -----> Setting up <patchlinux-centos-73>... Finished setting up <patchlinux-centos-73> (0m0.00s). -----> Verifying <patchlinux-centos-73>... Loaded linux-patch-baseline

47. linux-patch-baseline profile $ kitchen converge $ kitchen verify … ✔ verify-patches: Operating system is up-to-date ✔ Linux Update should be uptodate ↺ patches: All operating system updates are installed ↺ Skipped control due to only_if condition.

48. inspec-profile-wannacry-exploit profile $ kitchen verify … ✔ WannaCry Vulnerability Check: Hot-fix mitigation check for WannaCry Ransomware vulnerability ✔ WMI with {:class=>"win32_quickfixengineering", :filter=>"HotFixID = 'KB4019215'"} InstalledOn should not eq nil Profile Summary: 1 successful, 0 failures, 0 skipped Test Summary: 1 successful, 0 failures, 0 skipped

49. Test Remotely $ kitchen login $ inspec exec https://github.com/dev-sec/linux-baseline -t ssh://vagrant@127.0.0.1:2222 -i .kitchen/kitchen-vagrant/kitchen-inspec- workshop-rhel7-centos- 73/.vagrant/machines/default/virtualbox/private_key $ inspec exec https://github.com/adamleff/inspec-profile-wannacry- exploit -t winrm://vagrant@http://127.0.0.1:3389/wsman --password vagrant

50. InSpec Workshop - Azure • Chef Development Kit https://downloads.chef.io/chef-dk • Kitchen-Azurem https://github.com/test-kitchen/kitchen-azurerm

51. .kitchen.local.yml 1/2 --- driver: name: azurerm driver_config: subscription_id: 'ba2d2a18-74e5-472d-82c4-6793c3e18738' location: 'Australia East' machine_size: 'Standard_D1' transport: ssh_key: ~/.ssh/id_kitchen-azurerm

52. .kitchen.local.yml 2/2 platforms: - name: centos-7.3 driver_config: image_urn: OpenLogic:CentOS:7.3:latest - name: windows-2012r2 driver_config: image_urn: MicrosoftWindowsServer:WindowsServer:2012-R2- Datacenter:latest transport: name: winrm

53. Automate/Compliance DEMO

54. Chef Automate Compliance Features • Configuration management and compliance status together • Dashboards and reporting providing real-time and historical views into fleet wide compliance status • Full audit trail available via native data storage and reporting • Premium compliance profiles assessing common industry benchmarks • Profile management via Chef Automate GUI • Management of agentless scans & API assessments via GUI

Automating Compliance with InSpec - Chef Singapore Meetup

Vous êtes en train de lire un aperçu.

Consultez-les par la suite

Automating Compliance with InSpec - Chef Singapore Meetup

Plus De Contenu Connexe

Diaporamas pour vous (19)

Similaire à Automating Compliance with InSpec - Chef Singapore Meetup (20)

Plus par Matt Ray (20)

Plus récents (20)