DevOps Melbourne Meetup March 28, 2017
PCI and auditors slowing you down? Compliance and security are the next steps in building your software-defined infrastructure. Chef's open-source project InSpec (https://inspec.io) and audit cookbooks provide an accessible pattern for building compliance into your continuous delivery pipelines.
7. SSH Control
"SSH supports two different protocol
versions.The original version, SSHv1, was
subject to a number of security issues.
Please use SSHv2 instead to avoid
these."
9. Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
10. Apache Server Information Leakage
• Description
This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server.
This lets attackers identify the web server's details with much greater precision and increases the efficiency of any attack, since security vulnerabilities depend on specific software versions.
• How to Test
In order to test the ServerTokens configuration, check the Apache configuration file.
• Misconfiguration
ServerTokens Full
• Remediation
Configure the ServerTokens directive in the Apache configuration to the value Prod or ProductOnly. This tells Apache to return only "Apache" in the Server header, which is sent on every page request.
ServerTokens Prod
or
ServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache
11. More grep and sed!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
20. Key Trends
• While individual rule compliance is up, testing of security systems is down
• Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
22. Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
49. InSpec
Test your machine locally
> inspec exec test.rb
Test a machine remotely via SSH
> inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1
Test a machine remotely via WinRM
> inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super
Test Docker Container
> inspec exec test.rb -t docker://5cc8837bb6a8
AGENTLESS
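The two checks behind the grep/sed one-liners on slides 9, 11 and 22, written here as plain Ruby functions so the parsing logic can be exercised outside InSpec. This is an added example, not code from the deck or from the InSpec project; the sample config contents are constructed, and the helper names are my own.

```ruby
# Added example (not from the deck): parse sshd_config / httpd.conf text and
# evaluate the two controls. The one-liners miss commented-out lines, repeated
# directives and absent directives; these functions handle all three.

# Constructed sample configs used for illustration.
SAMPLE_SSHD_CONFIG = "# Protocol 2\nPort 22\nProtocol 2,1\nProtocol 2\n"
SAMPLE_HTTPD_CONF  = "ServerTokens Full\n# hardened later in the file\nServerTokens Prod\n"

# Effective value of a directive, ignoring blank and commented lines.
# sshd uses the first occurrence of a keyword; Apache uses the last one.
def directive_value(config_text, name, first_wins: false)
  value = nil
  config_text.each_line do |line|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    key, val = stripped.split(/\s+/, 2)
    next unless key.casecmp?(name)
    value = val.to_s.strip
    return value if first_wins
  end
  value
end

# SSH control: only protocol 2 may be offered. An absent Protocol line is
# reported explicitly because the default depends on the OpenSSH version.
def ssh_protocol_compliant?(sshd_config)
  value = directive_value(sshd_config, 'Protocol', first_wins: true)
  return [false, 'Protocol directive not set'] if value.nil?
  return [true, 'Protocol 2'] if value == '2'
  [false, "Protocol #{value} still offers SSHv1"]
end

# Apache control: ServerTokens must be Prod or ProductOnly. Apache defaults
# to Full when the directive is absent, so absence is a failure.
def server_tokens_compliant?(httpd_conf)
  value = directive_value(httpd_conf, 'ServerTokens')
  return [false, 'ServerTokens not set, Apache defaults to Full'] if value.nil?
  return [true, "ServerTokens #{value}"] if %w[prod productonly].include?(value.downcase)
  [false, "ServerTokens #{value} leaks version details"]
end
```

Each function returns a [pass, message] pair, the same shape an InSpec `describe` block would report.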
50. Operating System & Application Coverage
• Microsoft Windows
• Microsoft Windows Server
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux Enterprise Server
• Oracle Enterprise Linux
• AIX
• HP-UX
• Solaris
• VMware ESXi
• MySQL
• Oracle
• PostgreSQL
• Tomcat
• SQL Server
• IIS
• HTTP request