Compliance Automation with InSpec
Adam Leff - @adamleff
Who's this guy?
• Adam Leff (@adamleff)
• Technical Community Advocate at Chef
• Formerly Senior Software Engineer in Partner Engineering and Core Engineering
• Before that, numerous leadership roles at WebMD
• Live in Datacenter Alley (Ashburn, VA)
Join Slack Team & Channel
• http://community-slack.chef.io
• Join us in the #inspec channel
AUTOMATE ALL THE THINGS
We started with infrastructure automation

Security and compliance slow me down!
Product Ideas and Features
Security and compliance slow me down!
There, I fixed it!
Compliance Officer Jane says

"Our systems must be compliant."
Compliance Automation with InSpec - Chef NYC Meetup - April 2017
This is a true story.
Auditor: "Communication from your network devices to your authentication server must be encrypted."
Me: "We use BlahBlah TACACS+ server. You can't disable encryption."
Auditor: "Okay. Please show me that encryption is enabled."
Me: "Um… I can't. I can't disable it, so I can't show you where it's enabled. But I can show you that I'm using BlahBlah TACACS+ server."
Auditor: "Can you show me how you can't disable it?"
Me:
Me: "How about I show you where I configured the encryption key? Is that good enough?"
Auditor:
Why did I tell you this?
• This exchange happened at least once a year, sometimes more
• What constitutes "compliance" may be open to interpretation
• What the auditor was actually looking for can be automated
• We REALLY need to automate compliance
OMG so much compliance
• PCI-DSS
• Dodd-Frank
• HITECH
• Gramm-Leach-Bliley Act
• ISO
• HIPAA
• Grundschutz
• Sarbanes-Oxley
• General Data Protection Regulation (GDPR)
A Documentation Example
SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
I can totally script that…
A tale of three personas…
✅ ❓ ❌
What is InSpec?
• Open-source testing framework
• Human readable language
• Assert status of infrastructure tests and compliance controls
• Scan locally or remotely
Option #1: Scripting Tools
Option #2: Test a requirement with InSpec
Option #3: Test a control with InSpec
Map Documentation to Controls
One Language
• Linux
• Windows
• BSD
• Solaris
• AIX
• …and more
Yup, I said Windows…
One Language
• Bare Metal
• VMs
• Containers
Test Locally
Test Remotely
Test a Docker Container
CIS and SCAP
Center for Internet Security (CIS)
• Publish benchmarks for compliance
• Red Hat Enterprise Linux, Ubuntu, SUSE, Oracle Linux
• Microsoft Windows 7, 8, Server 2008, Server 2012
• IBM AIX, HP-UX, VMware ESXi
• Oracle MySQL, Apache Tomcat, MS SQL Server, IIS Server
• …so much more, in glorious PDF format!
Security Content Automation Protocol (SCAP)
• Method for automating compliance using agreed-upon standards
• National Vulnerability Database
• Content and Scanners
Source/Copyright: Center for Internet Security
SCAP converted to InSpec
SCAP Control as Native InSpec
Profile Reuse and Inheritance
Why InSpec?
• Break down silos between organizations interested in security/compliance
• Codify your compliance agreements and requirements
• Share knowledge and code
• Safety at velocity
• Monday, May 8, 9:30am-2:30pm
• CONVENE – 32 Old Slip, NYC
• Breakfast and Lunch
• Meet CEO Barry Crist and CMO Ken Cheney
• Learn about (and get hands-on with) Compliance Automation with Chef Automate
• events.chef.io
• FREE
★ Workshops & Chef Training
★ DevOps Leadership Summit
★ Community Summit
★ Partner Summit
★ Welcome Reception
★ Customer Dinner
★ Analyst Day
• Exhibit Hall Open & Sales suites available • chefconf.chef.io
DAY 1 // MAY 22
★ Keynotes
★ Technical Sessions
★ Happy Hour
★ Game Night
★ Executive Dinner
DAY 2 // MAY 23
★ Keynotes
★ Technical Sessions
★ Awesome Chef Awards
★ Community Celebration
DAY 3 // MAY 24
★ Hackday
DAY 4 // MAY 25
Compliance Automation with InSpec
Learning Lab
Adam Leff - @adamleff
Login to remote workstation
ssh chef@IP_ADDRESS
The authenticity of host '52.54.113.210 (52.54.113.210)' can't be established.
ECDSA key fingerprint is SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '52.54.113.210' (ECDSA) to the list of known hosts.
chef@52.54.113.210's password: chef
Touch a file with your name
touch firstname-lastname
(for example: touch adam-leff)
List your home directory
ls -t
adam-leff cookbooks Berksfile
nodes Berksfile.lock config.json
Verify the installation
which inspec
/opt/chefdk/bin/inspec
inspec version
1.11.0
Your version of InSpec is out of date! The latest version is 1.15.0.
which chef
/opt/chefdk/bin/chef
chef --version
Chef Development Kit Version: 1.2.22
chef-client version: 12.18.31
delivery version: master (0b746cafed65a9ea1a79de3cc546e7922de9187c)
berks version: 5.6.0
kitchen version: 1.15.0
Chef DK - The Chef Development Kit
• Definitive tooling for local development of Chef code & Infrastructure as Code development
Foodcritic - Test Your "Chef Style"
  ▪ Validate your Chef code against Chef best practices
  ▪ Extend with rules to enforce organizational Chef development best practices
  ▪ Enforce compliance & security practices
CookStyle - Validate your Ruby
  ▪ Validate your Chef code against Ruby best practices
  ▪ Identify potential Ruby errors (unclosed strings, etc.)
  ▪ Identify style/conventions that help write better code (single quotes vs. double quotes)
ChefSpec - Simulate Chef
  ▪ Validate that your Chef code will run
  ▪ Testing for more advanced Chef use cases
  ▪ Useful for regression testing
Test Kitchen - Let's do this (almost) for real
  ▪ Executes your Chef code on an instance or container
  ▪ Integrates with cloud and virtualization providers
  ▪ Validate your Chef code locally before sharing
  ▪ Speed development of Chef cookbooks
InSpec - Verify automation results & ensure compliance
  ▪ Assert the intention of your Chef code
  ▪ Verify on live systems that your Chef code produced the correct result
  ▪ Confirm your Chef code didn't produce compliance drift
(The tools span a range from FAST, INEXPENSIVE TESTING to DEEP INTEGRATION TESTING.)
Go home
cd ~
Create a profiles directory
mkdir profiles
Go to the profiles directory
cd profiles
Create a new profile
inspec init profile my-profile
Create new profile at /home/chef/profiles/my-profile
 * Create directory controls
 * Create file controls/example.rb
 * Create file inspec.yml
 * Create directory libraries
 * Create file README.md
 * Create file libraries/.gitkeep
Go to our profile
cd my-profile
Explore the new profile
tree
.
├── README.md
├── controls
│   └── example.rb
├── inspec.yml
└── libraries
Go to the controls directory
cd controls
Check out the example
cat example.rb
# encoding: utf-8
# copyright: 2015, The Authors
# license: All rights reserved

title 'sample section'

# you can also use plain tests
describe file('/tmp') do
  it { should be_directory }
end
Create a new control file
vi ssh.rb
Our new control (~/profiles/my-profile/controls/ssh.rb):
control 'ssh-1' do
  title 'my title'
  desc 'my description'
  impact 1.0
  describe sshd_config do
    its('Protocol') { should cmp 2 }
  end
end
Go back to the profiles directory
cd ~/profiles
Validate our profile
inspec check my-profile
Location: my-profile
Profile: my-profile
Controls: 3
Timestamp: 2017-04-17T15:57:35-04:00
Valid: true
No errors or warnings
Execute our profile
inspec exec my-profile
Go home
cd ~
Simple SSH Cookbook
• A server recipe to manage the sshd_config file
• Local test environment configured
Move to the cookbooks directory
cd ~/cookbooks
List cookbooks
ls
audit compat_resource
Audit Cookbook
• Install InSpec
• Run InSpec profiles
• Report results to Chef Compliance or Chef Visibility
Run with additional parameters
sudo run_chef "recipe[audit::default]"
[2017-03-10T14:10:34+00:00] INFO: Forking chef instance to converge...
Starting Chef Client, version 12.18.31
[2017-03-10T14:10:34+00:00] INFO: *** Chef 12.18.31 ***
...
[2017-03-10T14:10:40+00:00] INFO: Chef Run complete in 4.10402964 seconds
Running handlers:
[2017-03-10T14:10:40+00:00] INFO: Running report handlers
[2017-03-10T14:10:40+00:00] WARN: Format is json
[2017-03-10T14:10:40+00:00] INFO: Initialize InSpec
[2017-03-10T14:10:40+00:00] INFO: Running tests from: [{:name=>"ssh", :path=>"/home/chef/profiles/ssh"}]
[2017-03-10T14:10:40+00:00] INFO: Reporting to chef-visibility
...
Running handlers complete
[2017-03-10T14:10:40+00:00] INFO: Report handlers complete
Chef Client finished, 1/2 resources updated in 06 seconds
Compat Resource Cookbook
• Adds functionality introduced in the latest chef-client releases to any chef-client from 12.1 onwards.
• Includes custom resource functionality, notification improvements, and new resources added to core Chef
• Allows for these new resources in cookbooks without requiring the very latest Chef client release.
Generate an ssh cookbook
chef generate cookbook ssh
Generating cookbook ssh
- Ensuring correct cookbook file content
- Committing cookbook files to git
- Ensuring delivery configuration
- Ensuring correct delivery build cookbook content
- Adding delivery configuration to feature branch
- Adding build cookbook to feature branch
- Merging delivery content feature branch to master
Your cookbook is ready. Type `cd ssh` to enter it.
There are several commands you can run to get started locally developing and testing your cookbook.
Type `delivery local --help` to see a full list.
Why not start by writing a test? Tests for the default recipe are stored at:
test/smoke/default/default_test.rb
If you'd prefer to dive right in, the default recipe can be found at:
recipes/default.rb
Add a server recipe to the ssh cookbook
chef generate recipe ssh server
Recipe: code_generator::recipe
* directory[./ssh/spec/unit/recipes] action create (up to date)
* cookbook_file[./ssh/spec/spec_helper.rb] action create_if_missing (up to date)
* template[./ssh/spec/unit/recipes/server_spec.rb] action create_if_missing
- create new file ./ssh/spec/unit/recipes/server_spec.rb
- update content in file ./ssh/spec/unit/recipes/server_spec.rb from none to d14960
(diff output suppressed by config)
* directory[./ssh/test/smoke/default] action create (up to date)
* template[./ssh/test/smoke/default/server.rb] action create_if_missing
- create new file ./ssh/test/smoke/default/server.rb
- update content in file ./ssh/test/smoke/default/server.rb from none to aa8bba
(diff output suppressed by config)
* template[./ssh/recipes/server.rb] action create
- create new file ./ssh/recipes/server.rb
- update content in file ./ssh/recipes/server.rb from none to 18f24e
(diff output suppressed by config)
Add a template to the cookbook
chef generate template ssh sshd_config -s /etc/ssh/sshd_config
Recipe: code_generator::template
* directory[./ssh/templates/default] action create
- create new directory ./ssh/templates/default
* file[./ssh/templates/sshd_config.erb] action create
- create new file ./ssh/templates/sshd_config.erb
- update content in file ./ssh/templates/sshd_config.erb from none to a16b11
(diff output suppressed by config)
Server Recipe (~/cookbooks/ssh/recipes/server.rb)
template '/etc/ssh/sshd_config' do
  source 'sshd_config.erb'
  owner 'root'
  group 'root'
  mode '0600'
end
Remember…
• Infrastructure policies need testing
  ↳ Linting
  ↳ Static Analysis
  ↳ Unit Testing
  ↳ Integration Testing
  ↳ Compliance Testing
"Infrastructure as Code" should be tested like ANY other codebase.
Test-Driven Development
• Write a test, watch it fail
• Write some code
• Write and run more tests
• Code review
• Delivery pipeline to production
• Lowered chance of production failure
[Diagram: the TDD loop. Add a test → run the tests (they fail) → make a little change → run the tests again; on fail, make another change; on pass, development continues with the next test, or stops when done.]
Testing the change
Test Kitchen Configuration (1 of 3): ~/cookbooks/ssh/.kitchen.yml
The generated driver (name: vagrant) is replaced by the Docker driver:
---
driver:
  name: docker
...
Test Kitchen Configuration (2 of 3): ~/cookbooks/ssh/.kitchen.yml
The generated platform entries (ubuntu-16.04 and centos-7.2) are replaced by a single centos-7.3 platform, which is why kitchen list below shows only the server-centos-73 instance:
...
platforms:
  - name: centos-7.3
...
Test Kitchen Configuration (3 of 3): ~/cookbooks/ssh/.kitchen.yml
The generated default suite (run_list recipe[ssh::default]) becomes a server suite that converges recipe[ssh::server] and verifies with the workshop profile alongside the generated smoke test:
suites:
  - name: server
    run_list:
      - recipe[ssh::server]
    verifier:
      inspec_tests:
        - test/smoke/default
        - /home/chef/profiles/my-profile
    attributes:
Move to the cookbook's directory
cd ~/cookbooks/ssh
List the kitchens
kitchen list
Instance Driver Provisioner Verifier Transport Last Action Last Error
server-centos-73 Docker ChefZero Inspec Ssh <Not Created> <None>
Converge
kitchen converge
-----> Starting Kitchen (v1.15.0)
...
-----> Creating <server-centos-73>...
Sending build context to Docker daemon 227.8 kB
Sending build context to Docker daemon
Step 0 : FROM centos:centos7
...
Running handlers:
[2017-03-12T02:26:16+00:00] INFO: Running report handlers
Running handlers complete
[2017-03-12T02:26:16+00:00] INFO: Report handlers complete
Chef Client finished, 1/1 resources updated in 01 seconds
Finished converging <server-centos-73> (0m23.54s).
-----> Kitchen is finished. (1m0.39s)
Verify the Kitchen
kitchen verify
-----> Verifying <server-centos-73>...
Loaded
Target: ssh://kitchen@localhost:32771
× sshd-1.0: SSH Version 2 (
expected: 2
got:
(compared using `cmp` matcher)
)
× SSH Configuration Protocol should cmp == 2
expected: 2
got:
(compared using `cmp` matcher)
Profile Summary: 0 successful, 1 failures, 0 skipped
Test Summary: 0 successful, 1 failures, 0 skipped
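The ssh-1 control asks the sshd_config resource for Protocol, and this first kitchen verify reports expected: 2 with a blank got:, because the generated template still has the line commented out. The following is an added example, not code from the slides or from InSpec itself: a plain-Ruby stand-in for that lookup, assuming sshd's own rules for reading the file (comments ignored, keywords case-insensitive, first value wins), that reproduces the blank result, the pass after the template edit, and a third constructed case where an earlier "protocol 1" line silently wins.

```ruby
# Added example: a plain-Ruby stand-in for the sshd_config lookup behind the
# ssh-1 control. Not taken from the slides or from InSpec's own resource code.

# Parse sshd_config text the way sshd(8) reads it: blank lines and '#' comments are
# ignored, keywords are case-insensitive, a keyword and its value are separated by
# whitespace or a single '=', and the first value seen for a keyword wins.
# Returns a Hash of lowercased keyword => value (as a String).
def parse_sshd_config(text)
  params = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    next if value.nil? || value.empty?
    key = key.downcase
    params[key] = value.strip unless params.key?(key) # first value wins
  end
  params
end

# Look up one keyword; nil when it is absent or present only as a comment,
# which is exactly the "got: (blank)" case in the first kitchen verify run.
def sshd_setting(text, keyword)
  parse_sshd_config(text)[keyword.downcase]
end

# Loose equality in the spirit of InSpec's `cmp` matcher: the String "2" read from
# the file compares equal to the Integer 2 in the control; nil never matches.
# (Simplified stand-in: the real matcher covers more cases.)
def cmp_equal?(actual, expected)
  return false if actual.nil?
  actual.to_s.strip.casecmp?(expected.to_s.strip)
end

# Evaluate the control "its('Protocol') { should cmp 2 }" against file content and
# return the fields the verify output prints (expected / got) plus the verdict.
def check_protocol_v2(text)
  got = sshd_setting(text, 'Protocol')
  { control: 'ssh-1', expected: 2, got: got, passed: cmp_equal?(got, 2) }
end

# Constructed sample: the stock template as generated from /etc/ssh/sshd_config,
# with the Protocol line still commented out...
BEFORE = <<~CONF
  #ListenAddress 0.0.0.0
  #ListenAddress ::
  # The default requires explicit activation of protocol 1
  #Protocol 2
  # HostKey for protocol version 1
CONF

# ...and the same content after the workshop edit that uncomments it.
AFTER = BEFORE.sub('#Protocol 2', 'Protocol 2')

# A third constructed case: an earlier "protocol 1" line is what sshd honours,
# so a later "Protocol 2" does not make the control pass.
DUPLICATE = "protocol 1\nProtocol 2\n"

if __FILE__ == $PROGRAM_NAME
  { 'before edit' => BEFORE, 'after edit' => AFTER, 'duplicate keyword' => DUPLICATE }.each do |label, conf|
    r = check_protocol_v2(conf)
    puts "#{label}: expected #{r[:expected]}, got #{r[:got].inspect} -> #{r[:passed] ? 'pass' : 'FAIL'}"
  end
end
```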
Edit the SSH Configuration Template (~/cookbooks/ssh/templates/sshd_config.erb): change the commented-out line #Protocol 2 to Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
Protocol 2
# HostKey for protocol version 1
Converge
kitchen converge
-----> Starting Kitchen (v1.15.0)
...
-----> Converging <server-centos-73>...
...
# The default requires explicit activation of protocol 1
-#Protocol 2
+Protocol 2
# HostKey for protocol version 1
...
Running handlers:
[2017-03-12T02:32:32+00:00] INFO: Running report handlers
Running handlers complete
[2017-03-12T02:32:32+00:00] INFO: Report handlers complete
Chef Client finished, 1/1 resources updated in 01 seconds
Finished converging <server-centos-73> (0m16.32s).
-----> Kitchen is finished. (0m17.34s)
Verify the Kitchen
kitchen verify
-----> Starting Kitchen (v1.15.0)
...
-----> Verifying <server-centos-73>...
Loaded
Target: ssh://kitchen@localhost:32771
✔ sshd-1.0: SSH Version 2
✔ SSH Configuration Protocol should cmp == 2
Profile Summary: 1 successful, 0 failures, 0 skipped
Test Summary: 1 successful, 0 failures, 0 skipped
Finished verifying <server-centos-73> (0m0.22s).
-----> Kitchen is finished. (0m1.27s)
Test the Kitchen (1 of 2)
kitchen test
-----> Starting Kitchen (v1.15.0)
...
-----> Cleaning up any prior instances of <server-centos-73>
-----> Destroying <server-centos-73>...
...
-----> Testing <server-centos-73>
-----> Creating <server-centos-73>...
...
Finished creating <server-centos-73> (0m0.60s).
-----> Converging <server-centos-73>...
...
Test the Kitchen (2 of 2)
-----> Installing Chef Omnibus (install only if missing)
...
-----> Setting up <server-centos-73>...
Finished setting up <server-centos-73> (0m0.00s).
-----> Verifying <server-centos-73>...
...
Profile Summary: 1 successful, 0 failures, 0 skipped
Test Summary: 1 successful, 0 failures, 0 skipped
Finished verifying <server-centos-73> (0m0.51s).
-----> Destroying <server-centos-73>...
...
-----> Kitchen is finished. (0m25.18s)
What's next?
• Test-driven development cycle is complete
• Deploy the change
Remediate with Chef
sudo run_chef "recipe[ssh::server],recipe[audit::default]"
[2017-03-10T16:48:02+00:00] INFO: Forking chef instance to converge...
Starting Chef Client, version 12.18.31
...
Synchronizing Cookbooks:
- ssh (0.1.0)
- audit (2.4.0)
- compat_resource (12.16.3)
...
-#Protocol 2
+Protocol 2
...
[2017-03-10T16:48:05+00:00] INFO: Chef Run complete in 1.248588588 seconds
Running handlers:
...
[2017-03-10T16:48:05+00:00] INFO: Report handlers complete
Chef Client finished, 1/3 resources updated in 03 seconds
Browse to your node
Check the converge status in Automate
Verify Compliance Status in Automate
InSpec Shell
inspec shell
To try the shell against a container, start one and point the shell at its container ID:
sudo docker run -it centos:7
[root@5cd20df7bbe9 /]#
inspec shell -t docker://5cd20df7bbe9
Welcome to the interactive InSpec Shell
To find out how to use it, type: help
You are currently running on:
OS platform: centos
OS family: redhat
OS release: 7.3.1611
inspec> help
Available commands:
`[resource]` - run resource on target machine
`help resources` - show all available resources that can be used as commands
`help [resource]` - information about a specific resource
`exit` - exit the InSpec shell
You can use resources in this environment to test the target machine. For example:
command('uname -a').stdout
file('/proc/cpuinfo').content => "value",
Trying some resources…
file('/etc/group').content
passwd.params
Selecting a single entry
passwd.uids(0).params
Using "where" to filter
passwd.where { uid.to_i > 5 }.params
Using filter with some Ruby magic…
describe passwd.where { uid.to_i >= 500 } do
  its('params.size') { should cmp 0 }
end
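The passwd.params, passwd.uids(0) and passwd.where { ... } calls above, and the params.size control built on them, as an added example that is not code from the slides or from InSpec: a small stand-in for the passwd resource and its filters, run against a constructed /etc/passwd so the same expressions can be tried offline. The accounts and UIDs in the sample are made up and say nothing about the workshop machine.

```ruby
# Added example: a small stand-in for InSpec's passwd resource and the where/uids
# filters used in the shell session. Not from the slides or from InSpec itself.

# One /etc/passwd record; the field names double as the bare names usable inside
# a where { ... } block.
PasswdEntry = Struct.new(:user, :password, :uid, :gid, :desc, :home, :shell)

class Passwd
  # Parse /etc/passwd content: one colon-separated record per line.
  def initialize(content)
    lines = content.each_line.map(&:chomp).reject { |l| l.empty? || l.start_with?('#') }
    @entries = lines.map { |l| PasswdEntry.new(*l.split(':', 7)) }
  end

  # Same shape as the resource's params in the shell: an Array of Hashes.
  def params
    @entries.map(&:to_h)
  end

  # passwd.where { uid.to_i >= 500 }: the block runs against each entry, so
  # uid, user, shell and the other fields are available as bare names.
  def where(&block)
    Passwd.from_entries(@entries.select { |e| e.instance_exec(&block) })
  end

  # passwd.uids(0): with arguments, narrow the table to those UIDs;
  # without arguments, return the uid column.
  def uids(*wanted)
    return @entries.map(&:uid) if wanted.empty?
    wanted = wanted.map(&:to_s)
    Passwd.from_entries(@entries.select { |e| wanted.include?(e.uid) })
  end

  # passwd.users('root'): same idea for the user column.
  def users(*wanted)
    return @entries.map(&:user) if wanted.empty?
    Passwd.from_entries(@entries.select { |e| wanted.include?(e.user) })
  end

  def shells
    @entries.map(&:shell)
  end

  # Build a filtered table without re-parsing.
  def self.from_entries(entries)
    table = allocate
    table.instance_variable_set(:@entries, entries)
    table
  end
end

# Shells that cannot be used to log in interactively (assumption: the usual three).
NOLOGIN_SHELLS = %w[/sbin/nologin /usr/sbin/nologin /bin/false].freeze

# The control from the shell session, "passwd.where { uid.to_i >= 500 } should have
# params.size 0", as a boolean: true when no account has a UID of 500 or more.
def no_accounts_at_or_above_500?(content)
  Passwd.new(content).where { uid.to_i >= 500 }.params.size == 0
end

# A tighter variant of the same filter: non-system accounts that can actually log in.
def interactive_accounts_at_or_above_500(content)
  Passwd.new(content).where { uid.to_i >= 500 && !NOLOGIN_SHELLS.include?(shell) }.users
end

# Constructed sample file; the accounts and UIDs are made up for this example and
# say nothing about the workshop machine.
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  bin:x:1:1:bin:/bin:/sbin/nologin
  daemon:x:2:2:daemon:/sbin:/sbin/nologin
  sync:x:5:0:sync:/sbin:/bin/sync
  workshop:x:1000:1000:Workshop User:/home/workshop:/bin/bash
  svc-backup:x:1001:1001::/var/lib/backup:/sbin/nologin
PASSWD

if __FILE__ == $PROGRAM_NAME
  passwd = Passwd.new(SAMPLE_PASSWD)
  p passwd.uids(0).params                   # the root entry
  p passwd.uids(5).users                    # username of the UID 5 entry in the sample
  p passwd.where { uid.to_i > 5 }.users     # the "where" filter from the shell
  p no_accounts_at_or_above_500?(SAMPLE_PASSWD)
  p interactive_accounts_at_or_above_500(SAMPLE_PASSWD)
end
```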

A Challenge
• The username of the passwd entry with UID 5 should be X
• Create a control in your profile that checks that key for the proper value.
Another Challenge
• YAML configuration file at /var/tmp/workshop.yml
• There's a key called "lupo_status"
• There's another key there too…
• Create a control in your profile that checks each key for the proper value.
• Use InSpec shell to look at the file content if needed
• My machine's IP: 35.166.172.16
• No SSH'ing into my machine directly! Disqualified if you do!
• inspec shell / inspec exec ONLY!
Community Resources
• InSpec Website, includes tutorials and docs - http://inspec.io/
• #inspec channel of the Chef Community Slack - http://community-slack.chef.io/
• InSpec category of the Chef Mailing List - https://discourse.chef.io/c/inspec
• Compliance Profiles on the Supermarket - https://supermarket.chef.io/tools?type=compliance_profile
• Open Source Project - https://github.com/chef/inspec

More Related Content

PDF
Automating Compliance with InSpec - Chef Singapore Meetup
PPTX
Using Chef InSpec for Infrastructure Security
PPTX
Adding Security to Your Workflow With InSpec - SCaLE17x
PDF
Compliance as Code
PPTX
Prescriptive Security with InSpec - All Things Open 2019
PPTX
Compliance Automation with Inspec Part 4
 
PPTX
Banfootguns devseccon 2019
PPTX
Adding Security and Compliance to Your Workflow with InSpec
Automating Compliance with InSpec - Chef Singapore Meetup
Using Chef InSpec for Infrastructure Security
Adding Security to Your Workflow With InSpec - SCaLE17x
Compliance as Code
Prescriptive Security with InSpec - All Things Open 2019
Compliance Automation with Inspec Part 4
 
Banfootguns devseccon 2019
Adding Security and Compliance to Your Workflow with InSpec

What's hot (20)

PPTX
InSpec Workshop DevSecCon 2017
PPTX
2019 Chef InSpec Jumpstart Part 1 of 2
PDF
Prescriptive System Security with InSpec
PPTX
Automated Infrastructure Testing
PPTX
Compliance Automation with Inspec Part 2
 
PPTX
Azure handsonlab
 
PPTX
Chef Workflow Demo
 
PDF
DCEU 18: How To Build Your Containerization Strategy
PDF
Automating AWS Compliance with InSpec
PPTX
Jenkins and Chef: Infrastructure CI and Automated Deployment
PPTX
Testing for infra code using test-kitchen,docker,chef
PPTX
PASS 24HOP Linux Scripting Tips and Tricks
PDF
Test Driven Development with Chef
PDF
Choosing the Right Framework for Running Docker Containers in Prod
PPTX
Chef Hack Day Denver
 
PDF
DevOPS training - Day 2/2
PDF
System Hardening Using Ansible
PPTX
InSpec For DevOpsDays Amsterdam 2017
PDF
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
PDF
Intermediate/Compliance training Guide
 
InSpec Workshop DevSecCon 2017
2019 Chef InSpec Jumpstart Part 1 of 2
Prescriptive System Security with InSpec
Automated Infrastructure Testing
Compliance Automation with Inspec Part 2
 
Azure handsonlab
 
Chef Workflow Demo
 
DCEU 18: How To Build Your Containerization Strategy
Automating AWS Compliance with InSpec
Jenkins and Chef: Infrastructure CI and Automated Deployment
Testing for infra code using test-kitchen,docker,chef
PASS 24HOP Linux Scripting Tips and Tricks
Test Driven Development with Chef
Choosing the Right Framework for Running Docker Containers in Prod
Chef Hack Day Denver
 
DevOPS training - Day 2/2
System Hardening Using Ansible
InSpec For DevOpsDays Amsterdam 2017
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Intermediate/Compliance training Guide
 
Ad

Similar to Compliance Automation with InSpec - Chef NYC Meetup - April 2017 (20)

PDF
Inspec: Turn your compliance, security, and other policy requirements into au...
PPTX
InSpec - June 2018 at Open28.be
PPTX
InSpec Workshop at Velocity London 2018
PDF
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
PPTX
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
PPTX
Adding Security to Your Workflow with InSpec (MAY 2017)
PPTX
InSpec at DevOps ATL Meetup January 22, 2020
PPTX
DevOpsDays InSpec Workshop
PDF
Philly security shell meetup
PPTX
BuildStuff.LT 2018 InSpec Workshop
PPTX
DevSecCon London 2017: Inspec workshop by Mandi Walls
PPTX
Building Security into Your Workflow with InSpec
PPTX
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
PPTX
InSpec Workflow for DevOpsDays Riga 2017
PDF
Bay Area Chef Meetup February
PPTX
Ingite Slides for InSpec
PPTX
Compliance Automation with InSpec
PPTX
Introduction to InSpec and 1.0 release update
PDF
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
PPTX
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Inspec: Turn your compliance, security, and other policy requirements into au...
InSpec - June 2018 at Open28.be
InSpec Workshop at Velocity London 2018
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
Adding Security to Your Workflow with InSpec (MAY 2017)
InSpec at DevOps ATL Meetup January 22, 2020
DevOpsDays InSpec Workshop
Philly security shell meetup
BuildStuff.LT 2018 InSpec Workshop
DevSecCon London 2017: Inspec workshop by Mandi Walls
Building Security into Your Workflow with InSpec
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
InSpec Workflow for DevOpsDays Riga 2017
Bay Area Chef Meetup February
Ingite Slides for InSpec
Compliance Automation with InSpec
Introduction to InSpec and 1.0 release update
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Ad

Recently uploaded (20)

PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
PDF
How Creative Agencies Leverage Project Management Software.pdf
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
PPTX
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
PDF
Design an Analysis of Algorithms I-SECS-1021-03
PDF
Understanding Forklifts - TECH EHS Solution
PDF
System and Network Administraation Chapter 3
PPTX
ISO 45001 Occupational Health and Safety Management System
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
PDF
Odoo Companies in India – Driving Business Transformation.pdf
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
PPTX
Odoo POS Development Services by CandidRoot Solutions
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
PDF
PTS Company Brochure 2025 (1).pdf.......
PDF
Design an Analysis of Algorithms II-SECS-1021-03
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
PPTX
Transform Your Business with a Software ERP System
2025 Textile ERP Trends: SAP, Odoo & Oracle
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
How Creative Agencies Leverage Project Management Software.pdf
VVF-Customer-Presentation2025-Ver1.9.pptx
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Design an Analysis of Algorithms I-SECS-1021-03
Understanding Forklifts - TECH EHS Solution
System and Network Administraation Chapter 3
ISO 45001 Occupational Health and Safety Management System
Internet Downloader Manager (IDM) Crack 6.42 Build 41
Odoo Companies in India – Driving Business Transformation.pdf
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
Odoo POS Development Services by CandidRoot Solutions
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
PTS Company Brochure 2025 (1).pdf.......
Design an Analysis of Algorithms II-SECS-1021-03
How to Migrate SBCGlobal Email to Yahoo Easily
Transform Your Business with a Software ERP System

Compliance Automation with InSpec - Chef NYC Meetup - April 2017

  • 1. Compliance Automation with InSpec Adam Leff - @adamleff
  • 2. Who's this guy? ‱ Adam Leff (@adamleff) ‱ Technical Community Advocate at Chef ‱ Formerly Senior Software Engineer in Partner Engineering and Core Engineering ‱ Before that, numerous leadership roles at WebMD ‱ Live in Datacenter Alley (Ashburn, VA)
  • 3. Join Slack Team & Channel ‱ http://community-slack.chef.io ‱ Join us in the #inspec channel #inspec
  • 5. We started with infrastructure automation

  • 6. Security and compliance slow me down!
  • 7. Product Ideas and Features
  • 8. Security and compliance slow me down!
  • 10. Compliance Officer Jane says
 "Our systems mus be compliant."
  • 13. This is a true story. Auditor: "Communication from your network devices to your authentication server must be encrypted."
  • 14. This is a true story. Me: "We use BlahBlah TACACS+ server. You can't disable encryption."
  • 15. This is a true story. Auditor: "Okay. Please show me that encryption is enabled."
  • 16. This is a true story. Me: "Um
 I can't. I can't disable it, so I can't show you where it's enabled. But I can show you that I'm using BlahBlah TACACS+ server."
  • 17. This is a true story. Auditor: "Can you show me how you can't disable it?"
  • 18. This is a true story. Me:
  • 19. This is a true story. Me: "How about I show you where I configured the encryption key? Is that good enough?"
  • 20. This is a true story. Auditor:
  • 21. Why did I tell you this? ‱ This exchange happened at least once a year, sometimes more ‱ What constitutes "compliance" may be open to interpretation ‱ What the auditor was actually looking for can be automated ‱ We REALLY need to automate compliance
  • 22. OMG so much compliance ‱ PCI-DSS ‱ Dodd-Frank ‱ HITECH ‱ Gramm-Leach-Bliley Act ‱ ISO ‱ HIPAA ‱ Grundschutz ‱ Sarbanes-Oxley ‱ General Data Protection Regulation (GPDR)
  • 25. A Documentation Example SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
  • 26. I can totally script that

  • 27. A tale of three personas

  • 28. A tale of three personas
 ✅❓❌
  • 30. What is InSpec? ‱ Open-source testing framework ‱ Human readable language ‱ Assert status of infrastructure tests and compliance controls ‱ Scan locally or remotely
  • 33. Option #2: Test a requirement with InSpec
  • 34. Option #3: Test a control with InSpec
  • 36. One Language ‱ Linux ‱ Windows ‱ BSD ‱ Solaris ‱ AIX ‱ 
 and more
  • 37. Yup, I said Windows

  • 38. One Language ‱ Bare Metal ‱ VMs ‱ Containers
  • 42. Test a Docker Container
  • 44. Center for Internet Security (CIS) ‱ Publish benchmarks for compliance ‱ Red Hat Enterprise Linux, Ubuntu, SUSE, Oracle Linux
 ‱ Microsoft Windows 7, 8, Server 2008, Server 2012
 ‱ IBM AIX, HP-UX, VMware ESXi
 ‱ Oracle MySQL, Apache Tomcat, MS SQL Server, IIS Server
 ‱ 
 so much more, in glorious PDF format!
  • 45. Security Content Automation Protocol (SCAP) ‱ Method for automating compliance using agreed-upon standards ‱ National Vulnerability Database ‱ Content and Scanners
  • 46. Source/Copyright: Center for Internet Security
  • 48. SCAP Control as Native InSpec
  • 49. Profile Reuse and Inheritance
  • 50. Profile Reuse and Inheritance
  • 51. Profile Reuse and Inheritance
  • 52. Why InSpec? ‱ Break down silos between organizations interested in security/compliance ‱ Codify your compliance agreements and requirements ‱ Share knowledge and code ‱ Safety at velocity
  • 53. ‱ Monday, May 8, 9:30am-2:30pm ‱ CONVENE – 32 Old Slip, NYC ‱ Breakfast and Lunch ‱ Meet CEO Barry Crist and CMO Ken Cheney ‱ Learn about (and get hands-on with) Compliance Automation with Chef Automate ‱ events.chef.io ‱ FREE
  • 54. ★ Workshops & Chef Training ★ DevOps Leadership Summit ★ Community Summit ★ Partner Summit ★ Welcome Reception ★ Customer Dinner ★ Analyst Day ‱ Exhibit Hall Open & Sales suites available ‱ chefconf.chef.io ‱ DAY 1 // MAY 22 ★ Keynotes ★ Technical Sessions ★ Happy Hour ★ Game Night ★ Executive Dinner DAY 2 // MAY 23 ★ Keynotes ★ Technical Sessions ★ Awesome Chef Awards ★ Community Celebration DAY 3 // MAY 24 ★ Hackday DAY 4 // MAY 25
  • 55. Compliance Automation with InSpec Learning Lab Adam Leff - @adamleff
• 56-59. Login to remote workstation
  ssh chef@IP_ADDRESS
  The authenticity of host '52.54.113.210 (52.54.113.210)' can't be established.
  ECDSA key fingerprint is SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '52.54.113.210' (ECDSA) to the list of known hosts.
  chef@52.54.113.210's password: chef
  (In this lab the fingerprint is accepted as shown. Outside a lab, compare it with a fingerprint the host's operator published through another channel before answering yes; once it is in known_hosts, SSH trusts it on every later connection.)
• 60-61. Touch a file with your name
  touch firstname-lastname
  (for example: touch adam-leff)
• 62. List your home directory
  ls -t
  adam-leff  cookbooks  Berksfile  nodes  Berksfile.lock  config.json
• 64. Verify the installation
  inspec version
  1.11.0
  Your version of InSpec is out of date! The latest version is 1.15.0.
• 66. Verify the installation
  chef --version
  Chef Development Kit Version: 1.2.22
  chef-client version: 12.18.31
  delivery version: master (0b746cafed65a9ea1a79de3cc546e7922de9187c)
  berks version: 5.6.0
  kitchen version: 1.15.0
• 67. Chef DK - The Chef Development Kit
  • Definitive tooling for local development of Chef code & Infrastructure as Code development
  • Foodcritic: test your "Chef style"
    ▪ Validate your Chef code against Chef best practices
    ▪ Extend with rules to enforce organizational Chef development best practices
    ▪ Enforce compliance & security practices
  • Cookstyle: validate your Ruby
    ▪ Validate your Chef code against Ruby best practices
    ▪ Identify potential Ruby errors (unclosed strings, etc.)
    ▪ Identify style/conventions that help write better code (single quotes vs. double quotes)
  • ChefSpec: simulate Chef
    ▪ Validate that your Chef code will run
    ▪ Testing for more advanced Chef use cases
    ▪ Useful for regression testing
  • Test Kitchen: let's do this (almost) for real
    ▪ Executes your Chef code on an instance or container
    ▪ Integrates with cloud and virtualization providers
    ▪ Validate your Chef code locally before sharing
    ▪ Speeds development of Chef cookbooks
  • InSpec: verify automation results & ensure compliance
    ▪ Assert the intention of your Chef code
    ▪ Verify on live systems that your Chef code produced the correct result
    ▪ Confirm your Chef code didn't produce compliance drift
  The slide arranges these tools on a spectrum from FAST, INEXPENSIVE TESTING (Foodcritic, Cookstyle, ChefSpec) to DEEP INTEGRATION TESTING (Test Kitchen, InSpec).
• 69. Create a profiles directory
  mkdir profiles
• 70. Go to the profiles directory
  cd profiles
• 71. Create a new profile
  inspec init profile my-profile
  Create new profile at /home/chef/profiles/my-profile
   * Create directory controls
   * Create file controls/example.rb
   * Create file inspec.yml
   * Create directory libraries
   * Create file README.md
   * Create file libraries/.gitkeep
• 72. Go to our profile
  cd my-profile
• 73. Explore the new profile
  tree
  .
  ├── README.md
  ├── controls
  │   └── example.rb
  ├── inspec.yml
  └── libraries
• 74. Go to the controls directory
  cd controls
• 75. Check out the example
  cat example.rb
  # encoding: utf-8
  # copyright: 2015, The Authors
  # license: All rights reserved

  title 'sample section'

  # you can also use plain tests
  describe file('/tmp') do
    it { should be_directory }
  end
• 76. Create a new control file
  vi ssh.rb
• 77. Our new control
  ~/profiles/my-profile/controls/ssh.rb
  control 'ssh-1' do
    title 'my title'
    desc 'my description'
    impact 1.0

    describe sshd_config do
      its('Protocol') { should cmp 2 }
    end
  end
• 78. Go back to the profiles directory
  cd ~/profiles
• 79. Validate our profile
  inspec check my-profile
  Location: my-profile
  Profile: my-profile
  Controls: 3
  Timestamp: 2017-04-17T15:57:35-04:00
  Valid: true

  No errors or warnings
• 80. Execute our profile
  inspec exec my-profile
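An added example, not from the slides and not InSpec project code: plain Ruby that mirrors what the `sshd_config` resource and the `ssh-1` control above check, so the pass/fail logic can be run and reasoned about without InSpec installed. It parses sshd_config the way sshd does (keywords are case-insensitive, comments are skipped, the first occurrence of a keyword wins, settings inside a `Match` block are not global) and then evaluates a list of controls. It goes beyond the slide's single Protocol check: the extra keywords, the control IDs ssh-2 to ssh-4, the `cmp`-style comparison and both sample configs are this example's assumptions. A keyword that appears only commented out parses as nil, which is the "expected: 2 got: (blank)" failure that `kitchen verify` reports later in this lab before the template is fixed.

```ruby
# Added example (not from the slides): a plain-Ruby model of the InSpec `sshd_config`
# resource plus the `ssh-1` control, runnable without InSpec.
# Parsing follows sshd(8): keywords are case-insensitive, comment/blank lines are
# ignored, the FIRST value of a keyword wins, and lines inside a `Match` block are
# conditional, so they are not treated as global settings.

# Parse sshd_config text into { "protocol" => "2", ... } (keys downcased).
def parse_sshd_config(text)
  settings = {}
  in_match = false
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    key = key.downcase
    if key == 'match'
      in_match = true          # everything after a Match line is conditional
      next
    end
    next if in_match
    settings[key] ||= value.to_s.strip   # first occurrence wins, as in sshd
  end
  settings
end

# Controls as [id, keyword, expected]. `ssh-1` mirrors the control on this page;
# ssh-2..ssh-4 are common hardening settings assumed for this example.
SSH_CONTROLS = [
  ['ssh-1', 'Protocol',               '2'],
  ['ssh-2', 'PermitRootLogin',        'no'],
  ['ssh-3', 'PasswordAuthentication', 'no'],
  ['ssh-4', 'PermitEmptyPasswords',   'no'],
].freeze

# Evaluate every control. A missing or commented-out keyword yields got: nil,
# i.e. the "expected: 2 got: (blank)" failure seen before the template fix.
def evaluate_sshd(text, controls = SSH_CONTROLS)
  settings = parse_sshd_config(text)
  controls.map do |id, keyword, expected|
    got = settings[keyword.downcase]
    passed = !got.nil? && got.casecmp?(expected)   # InSpec's `cmp` is case-insensitive
    { id: id, keyword: keyword, expected: expected, got: got,
      status: passed ? 'passed' : 'failed' }
  end
end

def summary(results)
  passed = results.count { |r| r[:status] == 'passed' }
  { passed: passed, failed: results.size - passed }
end

# Constructed sample configs for this example (not taken from any real host).
BEFORE_FIX = <<~CONF
  # The default requires explicit activation of protocol 1
  #Protocol 2
  PermitRootLogin yes
  PasswordAuthentication yes
  Match User deploy
    PasswordAuthentication no
CONF

AFTER_FIX = <<~CONF
  Protocol 2
  PermitRootLogin no
  PasswordAuthentication no
  PermitEmptyPasswords no
  # a later duplicate is ignored by sshd, so the host stays compliant
  PasswordAuthentication yes
CONF

if $PROGRAM_NAME == __FILE__
  { 'before fix' => BEFORE_FIX, 'after fix' => AFTER_FIX }.each do |label, conf|
    results = evaluate_sshd(conf)
    puts "== #{label}"
    results.each do |r|
      puts format('%-6s %-6s %-22s expected: %-3s got: %s',
                  r[:id], r[:status], r[:keyword], r[:expected], r[:got].inspect)
    end
    puts summary(results).inspect
  end
end
```

Running the file prints one row per control for each sample config; the "before" config fails all four (Protocol and PermitEmptyPasswords as nil, the other two as `yes`), the "after" config passes all four even though a second `PasswordAuthentication yes` follows, because sshd honours the first value.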
• 82. Simple SSH Cookbook
  • A server recipe to manage the sshd_config file
  • Local test environment configured
• 83. Move to the cookbooks directory
  cd ~/cookbooks
• 85. Audit Cookbook
  • Install InSpec
  • Run InSpec profiles
  • Report results to Chef Compliance or Chef Visibility
• 86. Run with additional parameters
  sudo run_chef "recipe[audit::default]"
  [2017-03-10T14:10:34+00:00] INFO: Forking chef instance to converge...
  Starting Chef Client, version 12.18.31
  [2017-03-10T14:10:34+00:00] INFO: *** Chef 12.18.31 ***
  ...
  [2017-03-10T14:10:40+00:00] INFO: Chef Run complete in 4.10402964 seconds

  Running handlers:
  [2017-03-10T14:10:40+00:00] INFO: Running report handlers
  [2017-03-10T14:10:40+00:00] WARN: Format is json
  [2017-03-10T14:10:40+00:00] INFO: Initialize InSpec
  [2017-03-10T14:10:40+00:00] INFO: Running tests from: [{:name=>"ssh", :path=>"/home/chef/profiles/ssh"}]
  [2017-03-10T14:10:40+00:00] INFO: Reporting to chef-visibility
  ...
  Running handlers complete
  [2017-03-10T14:10:40+00:00] INFO: Report handlers complete
  Chef Client finished, 1/2 resources updated in 06 seconds
• 87. Compat Resource Cookbook
  • Adds functionality introduced in the latest chef-client releases to any chef-client from 12.1 onwards
  • Includes:
    ▪ Custom Resource functionality
    ▪ notification improvements
    ▪ new resources added to core Chef
  • Allows cookbooks to use these new resources without requiring the very latest Chef client release
• 88. Generate an ssh cookbook
  chef generate cookbook ssh
  Generating cookbook ssh
  - Ensuring correct cookbook file content
  - Committing cookbook files to git
  - Ensuring delivery configuration
  - Ensuring correct delivery build cookbook content
  - Adding delivery configuration to feature branch
  - Adding build cookbook to feature branch
  - Merging delivery content feature branch to master

  Your cookbook is ready. Type `cd ssh` to enter it.

  There are several commands you can run to get started locally developing and testing your cookbook.
  Type `delivery local --help` to see a full list.

  Why not start by writing a test? Tests for the default recipe are stored at:

  test/smoke/default/default_test.rb

  If you'd prefer to dive right in, the default recipe can be found at:

  recipes/default.rb
• 89. Add a server recipe to the ssh cookbook
  chef generate recipe ssh server
  Recipe: code_generator::recipe
    * directory[./ssh/spec/unit/recipes] action create (up to date)
    * cookbook_file[./ssh/spec/spec_helper.rb] action create_if_missing (up to date)
    * template[./ssh/spec/unit/recipes/server_spec.rb] action create_if_missing
      - create new file ./ssh/spec/unit/recipes/server_spec.rb
      - update content in file ./ssh/spec/unit/recipes/server_spec.rb from none to d14960
      (diff output suppressed by config)
    * directory[./ssh/test/smoke/default] action create (up to date)
    * template[./ssh/test/smoke/default/server.rb] action create_if_missing
      - create new file ./ssh/test/smoke/default/server.rb
      - update content in file ./ssh/test/smoke/default/server.rb from none to aa8bba
      (diff output suppressed by config)
    * template[./ssh/recipes/server.rb] action create
      - create new file ./ssh/recipes/server.rb
      - update content in file ./ssh/recipes/server.rb from none to 18f24e
      (diff output suppressed by config)
• 90. Add a template to the cookbook
  chef generate template ssh sshd_config -s /etc/ssh/sshd_config
  Recipe: code_generator::template
    * directory[./ssh/templates/default] action create
      - create new directory ./ssh/templates/default
    * file[./ssh/templates/sshd_config.erb] action create
      - create new file ./ssh/templates/sshd_config.erb
      - update content in file ./ssh/templates/sshd_config.erb from none to a16b11
      (diff output suppressed by config)
• 91. Server Recipe
  ~/cookbooks/ssh/recipes/server.rb
  template '/etc/ssh/sshd_config' do
    source 'sshd_config.erb'
    owner 'root'
    group 'root'
    mode '0600'
  end
• 92. Remember
  "Infrastructure as Code" should be tested like ANY other codebase.
  • Infrastructure policies need testing
    ↳ Linting
    ↳ Static Analysis
    ↳ Unit Testing
    ↳ Integration Testing
    ↳ Compliance Testing
• 93. Test-Driven Development
  • Write a test, watch it fail
  • Write some code
  • Write and run more tests
  • Code review
  • Delivery pipeline to production
  • Lowered chance of production failure
  [Diagram: TDD cycle. Add a test → Run the tests (fail) → Make a little change → Run the tests (fail: change again; pass: development continues, or stops when done)]
• 96-97. Test Kitchen Configuration (2 of 3, 3 of 3)
  ~/cookbooks/ssh/.kitchen.yml
  The slides mark the edits with +/- diff markers; the edited file keeps a single platform, centos-7.3, and a single suite, server, which is why `kitchen list` reports only the server-centos-73 instance.
  ...
  platforms:
    - name: centos-7.3
  ...
  suites:
    - name: server
      run_list:
        - recipe[ssh::server]
      verifier:
        inspec_tests:
          - test/smoke/default
          - /home/chef/profiles/my-profile
      attributes:
• 98. Move to the cookbook's directory
  cd ~/cookbooks/ssh
• 99. List the kitchens
  kitchen list
  Instance          Driver  Provisioner  Verifier  Transport  Last Action    Last Error
  server-centos-73  Docker  ChefZero     Inspec    Ssh        <Not Created>  <None>
• 100. Converge
  kitchen converge
  -----> Starting Kitchen (v1.15.0)
  ...
  -----> Creating <server-centos-73>...
         Sending build context to Docker daemon 227.8 kB
         Sending build context to Docker daemon
         Step 0 : FROM centos:centos7
  ...
         Running handlers:
         [2017-03-12T02:26:16+00:00] INFO: Running report handlers
         Running handlers complete
         [2017-03-12T02:26:16+00:00] INFO: Report handlers complete
         Chef Client finished, 1/1 resources updated in 01 seconds
         Finished converging <server-centos-73> (0m23.54s).
  -----> Kitchen is finished. (1m0.39s)
• 102. Verify the Kitchen
  kitchen verify
  -----> Verifying <server-centos-73>...
         Loaded Target: ssh://kitchen@localhost:32771

    ×  sshd-1.0: SSH Version 2 (
       expected: 2
            got:
       (compared using `cmp` matcher)
    )
    ×  SSH Configuration Protocol should cmp == 2
       expected: 2
            got:
       (compared using `cmp` matcher)

  Profile Summary: 0 successful, 1 failures, 0 skipped
  Test Summary: 0 successful, 1 failures, 0 skipped
• 104. Edit the SSH Configuration Template
  ~/cookbooks/ssh/templates/sshd_config.erb
   #ListenAddress 0.0.0.0
   #ListenAddress ::

   # The default requires explicit activation of protocol 1
  -#Protocol 2
  +Protocol 2

   # HostKey for protocol version 1
• 106. Converge
  kitchen converge
  -----> Starting Kitchen (v1.15.0)
  ...
  -----> Converging <server-centos-73>...
  ...
         # The default requires explicit activation of protocol 1
         -#Protocol 2
         +Protocol 2

         # HostKey for protocol version 1
  ...
         Running handlers:
         [2017-03-12T02:32:32+00:00] INFO: Running report handlers
         Running handlers complete
         [2017-03-12T02:32:32+00:00] INFO: Report handlers complete
         Chef Client finished, 1/1 resources updated in 01 seconds
         Finished converging <server-centos-73> (0m16.32s).
  -----> Kitchen is finished. (0m17.34s)
• 107. Verify the Kitchen
  kitchen verify
  -----> Starting Kitchen (v1.15.0)
  ...
  -----> Verifying <server-centos-73>...
         Loaded Target: ssh://kitchen@localhost:32771

    ✔  sshd-1.0: SSH Version 2
    ✔  SSH Configuration Protocol should cmp == 2

  Profile Summary: 1 successful, 0 failures, 0 skipped
  Test Summary: 1 successful, 0 failures, 0 skipped
         Finished verifying <server-centos-73> (0m0.22s).
  -----> Kitchen is finished. (0m1.27s)
• 109-110. Test the Kitchen
  kitchen test
  -----> Starting Kitchen (v1.15.0)
  ...
  -----> Cleaning up any prior instances of <server-centos-73>
  -----> Destroying <server-centos-73>...
  ...
  -----> Testing <server-centos-73>
  -----> Creating <server-centos-73>...
  ...
         Finished creating <server-centos-73> (0m0.60s).
  -----> Converging <server-centos-73>...
  ...
  -----> Installing Chef Omnibus (install only if missing)
  ...
  -----> Setting up <server-centos-73>...
         Finished setting up <server-centos-73> (0m0.00s).
  -----> Verifying <server-centos-73>...
  ...
  Profile Summary: 1 successful, 0 failures, 0 skipped
  Test Summary: 1 successful, 0 failures, 0 skipped
         Finished verifying <server-centos-73> (0m0.51s).
  -----> Destroying <server-centos-73>...
  ...
  -----> Kitchen is finished. (0m25.18s)
• 111. What's next?
  • Test-driven development cycle is complete
  • Deploy the change
• 112. Remediate with Chef
  sudo run_chef "recipe[ssh::server],recipe[audit::default]"
  [2017-03-10T16:48:02+00:00] INFO: Forking chef instance to converge...
  Starting Chef Client, version 12.18.31
  ...
  Synchronizing Cookbooks:
    - ssh (0.1.0)
    - audit (2.4.0)
    - compat_resource (12.16.3)
  ...
  -#Protocol 2
  +Protocol 2
  ...
  [2017-03-10T16:48:05+00:00] INFO: Chef Run complete in 1.248588588 seconds

  Running handlers:
  ...
  [2017-03-10T16:48:05+00:00] INFO: Report handlers complete
  Chef Client finished, 1/3 resources updated in 03 seconds
• 113-114. Browse to your node
  • 115. Check the converge status in Automate
  • 116. Verify Compliance Status in Automate
• 118. InSpec Shell
  sudo docker run -it centos:7
  [root@5cd20df7bbe9 /]#
• 119. InSpec Shell
  inspec shell -t docker://5cd20df7bbe9
  Welcome to the interactive InSpec Shell
  To find out how to use it, type: help

  You are currently running on:

    OS platform: centos
    OS family:   redhat
    OS release:  7.3.1611

  inspec> help
  Available commands:

    `[resource]` - run resource on target machine
    `help resources` - show all available resources that can be used as commands
    `help [resource]` - information about a specific resource
    `exit` - exit the InSpec shell

  You can use resources in this environment to test the target machine.
  For example:

    command('uname -a').stdout
    file('/proc/cpuinfo').content => "value",
• 122. Selecting a single entry
  passwd.uids(0).params
• 123. Using "where" to filter
  passwd.where { uid.to_i > 5 }.params
• 124. Using filter with some Ruby magic
  describe passwd.where { uid.to_i >= 500 } do
    its('params.size') { should cmp 0 }
  end

• 125. A Challenge
  • The username of the passwd entry with UID 5 should be X
  • Create a control in your profile that checks that key for the proper value.
• 126. Another Challenge
  • YAML configuration file at /var/tmp/workshop.yml
  • There's a key called "lupo_status"
  • There's another key there too …
  • Create a control in your profile that checks each key for the proper value.
  • Use InSpec shell to look at the file content if needed
  • My machine's IP: 35.166.172.16
  • No SSH'ing into my machine directly! Disqualified if you do!
  • inspec shell / inspec exec ONLY!
• 127. Community Resources
  • InSpec website, includes tutorials and docs - http://inspec.io/
  • #inspec channel of the Chef Community Slack - http://community-slack.chef.io/
  • InSpec category of the Chef mailing list - https://discourse.chef.io/c/inspec
  • Compliance profiles on the Supermarket - https://supermarket.chef.io/tools?type=compliance_profile
  • Open source project - https://github.com/chef/inspec