DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with InSpec
0 likes116 views
This document discusses using InSpec to build security checks into development workflows. It provides an example of using InSpec to check that an SSH configuration is using version 2. InSpec makes it possible to write tests against system configurations and services in a human-readable format. Tests can be packaged into shareable profiles and run during development and deployment to automate compliance checking.
![Failures
• InSpec runs with failed tests return a non-zero return code
Profile Summary: 0 successful, 1 failures, 0 skipped
[chef@ip-172-31-29-25 ~]$ echo $?
1
[chef@ip-172-31-29-25 ~]$
• Passing tests have 0 return code
Profile Summary: 1 successful, 0 failures, 0 skipped
[chef@ip-172-31-29-25 ~]$ echo $?
0
[chef@ip-172-31-29-25 ~]$](https://image.slidesharecdn.com/walls-dodriga2017-inspec-171106110513/85/DevOpsDaysRiga-2017-Mandi-Walls-Building-security-into-your-workflow-with-InSpec-29-320.jpg)
![The Cookbook and the InSpec Profile Work Together
suites:
- name: default
run_list:
- recipe[osdc-inspec-talk::default]
- recipe[os-hardening]
verifier:
inspec_tests:
- test/smoke/default
- https://github.com/dev-sec/linux-baseline
attributes:](https://image.slidesharecdn.com/walls-dodriga2017-inspec-171106110513/85/DevOpsDaysRiga-2017-Mandi-Walls-Building-security-into-your-workflow-with-InSpec-33-320.jpg)
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with InSpec
- 1. Building Security Into Your Workflow with InSpec Mandi Walls | mandi@chef.io
- 2. HI! • Mandi Walls • Technical Community Manager for Chef, EMEA • mandi@chef.io • @lnxchk • Adam Leff – Community Lead for InSpec @adamleff
- 3. EVERY business is a software business We’re going to be a software company with airplanes. – CIO, Alaska Airlines
- 5. Motivation
- 7. Product Ideas and Features Security Review Production
- 12. Equifax "This vulnerability was disclosed back in March. There were clear and simple instructions of how to remedy the situation. The responsibility is then on companies to have procedures in place to follow such advice promptly.” - Bas van Schaik, a product manager and researcher at Semmle, an analytics security firm, via Wired https://www.wired.com/story/equifax-breach-no-excuse/
- 13. What We Have Here Is A Communications Problem
- 15. What Is InSpec
- 16. InSpec • Human-readable specification language for tests related to security and compliance • Includes facilities for creating, sharing, and reusing profiles • Extensible language so you can build your own rules for your applications and systems • Command-line tools for plugging into your existing workflows / build servers • Integrates with Test Kitchen for fast-feedback local testing by developers
- 17. SSH Example • From your security team: SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. All systems must use SSHv2 instead to avoid these issues.
- 18. Remediation • Identify the file and file location to check your systems • Figure out some sort of incantation Do we check it first or just push a new one everywhere? • What’s the plan for the currently used images? Rebuild? Remediate at instantiation? • You’re likely using a configuration management solution for these types of changes?
- 19. Lifecycle • When you get a mandate from security, how often is it checked? • Single big scan, report mailed out with a “due date”? • Yearly or twice-yearly massive scans with remediation firedrills?
- 20. Using InSpec
- 21. Find It! • http://inspec.io/ • Open Source! • The “spec” is a hint
- 22. Check that sshd_config describe sshd_config do impact 1.0 title 'SSH Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end
- 23. Resources • Inspec includes built-in resources for common services, system files, and configurations See http://inspec.io/docs/reference/resources/ for the current list! • Built-in resources work on several platforms of Linux. There are also Windows-specifics • A resource has characteristics that can be verified for your requirements, and Matchers that work with those characteristics
- 24. Check that sshd_config describe sshd_config do impact 1.0 title 'SSH Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end
- 25. • Resources take the “grep for x” out of the testing phase • Parsers included in the InSpec software do the work for you • It’s built off the premises of rSpec, and meant to be human readable
- 26. its.... should... • it { should exist } • it { should be_installed } • it { should be_enabled } • its('max_log_file') { should cmp 6 } • its('exit_status') { should eq 0 } • its('gid') { should eq 0 }
- 27. Run It • InSpec is command line Installs as a ruby gem or as part of the ChefDK • Can be run locally, test the machine it is executing on • Or remotely InSpec will log into the target and run the tests for you • Also a REPL https://www.inspec.io/docs/reference/shell/
- 28. Test Any Target inspec exec test.rb inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://ec2- user@54.152.7.203 inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super inspec exec test.rb -t docker://3dda08e75838
- 29. Failures • InSpec runs with failed tests return a non-zero return code Profile Summary: 0 successful, 1 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 1 [chef@ip-172-31-29-25 ~]$ • Passing tests have 0 return code Profile Summary: 1 successful, 0 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 0 [chef@ip-172-31-29-25 ~]$
- 30. Test Kitchen • InSpec also runs as an included tester in TK • https://www.inspec.io/docs/reference/plugin_kitchen_inspec/
- 31. Profiles • InSpec profiles allow you to package and share sets of InSpec tests for your organization or for a specific application set • Each profile can have multiple test files included • The test files generally test for one required outcome, but can look at different objects to meet requirements • Flexible! Create your own profiles for specific software you use
- 32. Example – Basic Hardening • Centos 7.2 host • Test Kitchen • os-hardening cookbook from https://supermarket.chef.io • /dev-sec/linux-baseline InSpec profile from https://supermarket.chef.io
- 33. The Cookbook and the InSpec Profile Work Together suites: - name: default run_list: - recipe[osdc-inspec-talk::default] - recipe[os-hardening] verifier: inspec_tests: - test/smoke/default - https://github.com/dev-sec/linux-baseline attributes:
- 34. What’s in the os-hardening Cookbook
- 35. Run kitchen test Without Hardening Profile Summary: 25 successful, 25 failures, 1 skipped Test Summary: 77 successful, 39 failures, 3 skipped >>>>>> ------Exception------- >>>>>> Class: Kitchen::ActionFailed >>>>>> Message: 1 actions failed. >>>>>> Verify failed on instance <default-centos-72>. Please see .kitchen/logs/default-centos-72.log for more details >>>>>> ---------------------- >>>>>> Please see .kitchen/logs/kitchen.log for more details >>>>>> Also try running `kitchen diagnose --all` for configuration
- 36. Run kitchen test With Hardening Profile Summary: 50 successful, 0 failures, 1 skipped Test Summary: 116 successful, 0 failures, 3 skipped Finished verifying <default-centos-72> (0m11.07s). -----> Destroying <default-centos-72>... ==> default: Forcing shutdown of VM... ==> default: Destroying VM and associated drives... Vagrant instance <default-centos-72> destroyed. Finished destroying <default-centos-72> (0m4.97s). Finished testing <default-centos-72> (2m37.89s). -----> Kitchen is finished. (2m39.44s)
- 37. What’s in the linux-baseline Profile control 'os-02' do impact 1.0 title 'Check owner and permissions for /etc/shadow' desc 'Check periodically the owner and permissions for /etc/shadow' describe file('/etc/shadow') do it { should exist } it { should be_file } it { should be_owned_by 'root' } its('group') { should eq shadow_group } it { should_not be_executable } it { should be_writable.by('owner') } ...
- 38. Over Time Build a Comprehensive Set of Checks for Your Systems Run Them Every Time Someone Needs to Make a Change Make it EASY for Everyone to Use
- 39. Resources • https://inspec.io • https://github.com/chef-training/workshops/ • http://www.anniehedgie.com/inspec-basics-1 • http://blog.johnray.io/chef-inspec-and-dirty-cow • https://blog.chef.io/2017/05/23/inspec-launches-support-cloud-platform- assessments/
- 40. October 10 – 11, 2017 etc.venues Fenchurch St London https://chef.io/summits