InSpec For DevOpsDays Amsterdam 2017
Download as PPTX, PDF0 likes392 views
InSpec is a tool that allows users to write security and compliance tests as human-readable code (or "profiles") that can be run on systems to check configurations and identify issues. Profiles can test for things like required SSH settings, file permissions, and package/patch levels. Profiles are run using the InSpec command line tool and can test local systems or remote targets like Linux servers. When profiles detect failures, they return non-zero exit codes to fail automation jobs. This allows InSpec to integrate with configuration management and infrastructure as code tools for continuous compliance monitoring.
![Integrate with Test Kitchen
suites:
- name: default
run_list:
- recipe[dodams::default]
verifier:
inspec_tests:
- test/smoke/default
- supermarket://adamleff/wannacry-exploit
attributes:](https://image.slidesharecdn.com/walls-dodams2017-inspec-170630142148/85/InSpec-For-DevOpsDays-Amsterdam-2017-13-320.jpg)
![More Complex Built Ins
• Example: limits.conf
grantmc hard nofile 63536
^^^^^^^ ^^^^ ^^^^^^ ^^^^^
domain type item value
• Match on the categories
• its('domain') { should eq ['type', 'item', 'value'] }
• its('ftp') { should eq ['hard', 'nproc', '0'] }](https://image.slidesharecdn.com/walls-dodams2017-inspec-170630142148/85/InSpec-For-DevOpsDays-Amsterdam-2017-30-320.jpg)
![Failures
• InSpec runs with failed tests return a non-zero return code
Profile Summary: 0 successful, 1 failures, 0 skipped
[chef@ip-172-31-29-25 ~]$ echo $?
1
[chef@ip-172-31-29-25 ~]$
• Passing tests have 0 return code
Profile Summary: 1 successful, 0 failures, 0 skipped
[chef@ip-172-31-29-25 ~]$ echo $?
0
[chef@ip-172-31-29-25 ~]$](https://image.slidesharecdn.com/walls-dodams2017-inspec-170630142148/85/InSpec-For-DevOpsDays-Amsterdam-2017-33-320.jpg)
![The Cookbook and the InSpec Profile Work Together
suites:
- name: default
run_list:
- recipe[osdc-inspec-talk::default]
- recipe[os-hardening]
verifier:
inspec_tests:
- test/smoke/default
- https://github.com/dev-sec/linux-baseline
attributes:](https://image.slidesharecdn.com/walls-dodams2017-inspec-170630142148/85/InSpec-For-DevOpsDays-Amsterdam-2017-40-320.jpg)
InSpec For DevOpsDays Amsterdam 2017
- 1. Building Security Into Your Workflow with InSpec Mandi Walls | mandi@chef.io
- 2. HI! • Mandi Walls • Technical Community Manager for Chef • mandi@chef.io • @lnxchk • Adam Leff – Community Lead for Inspec @adamleff
- 3. Who Is Chef • Configuration Management, System Automation • Based in Seattle, USA with offices in San Francisco, London, and Berlin
- 4. EVERY business is a software business We’re going to be a software company with airplanes. – CIO, Alaska Airlines
- 6. Motivation
- 8. Product Ideas and Features Security Review Production
- 13. Integrate with Test Kitchen suites: - name: default run_list: - recipe[dodams::default] verifier: inspec_tests: - test/smoke/default - supermarket://adamleff/wannacry-exploit attributes:
- 14. hotfixes = %w{ KB4012212 KB4012213 KB4012214 KB4012215 KB4012216 KB4012217 KB4012219 KB4013429 KB4015217 KB4015438 KB4015549 KB4015550 KB4015551 KB4015553 KB4015554 KB4022720 KB4016635 KB4016871 KB4018466 KB4019215 KB4019216 KB4019264 KB4019472 } describe.one do hotfixes.each do |hotfix| filter = "HotFixID = '" + hotfix + "'" describe wmi({ class: 'win32_quickfixengineering', filter: filter, }) do its( 'InstalledOn' ) { should_not eq nil } end end
- 15. $ inspec exec https://github.com/lnxchk/inspec-profile-wannacry- exploit/archive/master.tar.gz --target winrm://Administrator@52.212.108.149 --password OMGNewPassw0rd Profile: WannaCry Exploit Mitigation Status (wannacry-exploit) Version: 0.2.0 Target: winrm://Administrator@http://52.212.108.149:5985/wsman:3389 ✔ WannaCry Vulnerability Check: Hot-fix mitigation check for WannaCry Ransomware vulnerability ✔ WMI with {:class=>"win32_quickfixengineering", :filter=>"HotFixID = 'KB4022720'"} InstalledOn should not eq nil Profile Summary: 1 successful, 0 failures, 0 skipped Test Summary: 1 successful, 0 failures, 0 skipped
- 16. What We Have Here Is A Communications Problem
- 18. What Is InSpec
- 19. InSpec • Human-readable specification language for tests related to security and compliance • Includes facilities for creating, sharing, and reusing profiles • Extensible language so you can build your own rules for your applications and systems • Command-line tools for plugging into your existing workflows / build servers • Integrates with Test Kitchen for fast-feedback local testing by developers
- 20. SSH Example • From your security team: SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. All systems must use SSHv2 instead to avoid these issues.
- 21. Remediation • Identify the file and file location to check your systems • Figure out some sort of incantation Do we check it first or just push a new one everywhere? • What’s the plan for the currently used images? Rebuild? Remediate at instantiation? • You’re likely using a configuration management solution for these types of changes?
- 22. Lifecycle • When you get a mandate from security, how often is it checked? • Single big scan, report mailed out with a “due date”? • Yearly or twice-yearly massive scans with remediation firedrills?
- 23. Using InSpec
- 24. Find It! • http://inspec.io/ • Open Source! • The “spec” is a hint
- 25. Check that sshd_config describe sshd_config do impact 1.0 title 'SSH Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end
- 26. Resources • Inspec includes built-in resources for common services, system files, and configurations See http://inspec.io/docs/reference/resources/ for the current list! • Built-in resources work on several platforms of Linux. There are also Windows-specifics • A resource has characteristics that can be verified for your requirements, and Matchers that work with those characteristics
- 27. Check that sshd_config describe sshd_config do impact 1.0 title 'SSH Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end
- 28. • Resources take the “grep for x” out of the testing phase • Parsers included in the InSpec software do the work for you • It’s built off the premises of rSpec, and meant to be human readable
- 29. its.... should... • it { should exist } • it { should be_installed } • it { should be_enabled } • its('max_log_file') { should cmp 6 } • its('exit_status') { should eq 0 } • its('gid') { should eq 0 }
- 30. More Complex Built Ins • Example: limits.conf grantmc hard nofile 63536 ^^^^^^^ ^^^^ ^^^^^^ ^^^^^ domain type item value • Match on the categories • its('domain') { should eq ['type', 'item', 'value'] } • its('ftp') { should eq ['hard', 'nproc', '0'] }
- 31. Run It • InSpec is command line Installs as a ruby gem or as part of the ChefDK • Can be run locally, test the machine it is executing on • Or remotely InSpec will log into the target and run the tests for you • Also a REPL https://www.inspec.io/docs/reference/shell/
- 32. Test Any Target inspec exec test.rb inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://ec2- user@54.152.7.203 inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super inspec exec test.rb -t docker://3dda08e75838
- 33. Failures • InSpec runs with failed tests return a non-zero return code Profile Summary: 0 successful, 1 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 1 [chef@ip-172-31-29-25 ~]$ • Passing tests have 0 return code Profile Summary: 1 successful, 0 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 0 [chef@ip-172-31-29-25 ~]$
- 34. Test Kitchen • InSpec also runs as an included tester in TK • https://www.inspec.io/docs/reference/plugin_kitchen_inspec/
- 36. Profiles • InSpec profiles allow you to package and share sets of InSpec tests for your organization or for a specific application set • Each profile can have multiple test files included • The test files generally test for one required outcome, but can look at different objects to meet requirements • Flexible! Create your own profiles for specific software you use
- 37. Profiles $ inspec init profile companyprofile_01 Create new profile at /home/chef/companyprofile_01 * Create directory libraries * Create directory controls * Create file controls/example.rb * Create file inspec.yml * Create file README.md Add more InSpec test files to the controls director
- 38. Profile Commands inspec check companyprofile_01/ inspec exec companyprofile_01/
- 39. Example – Basic Hardening • Centos 7.2 host • Test Kitchen • os-hardening cookbook from https://supermarket.chef.io • /dev-sec/linux-baseline InSpec profile from https://supermarket.chef.io
- 40. The Cookbook and the InSpec Profile Work Together suites: - name: default run_list: - recipe[osdc-inspec-talk::default] - recipe[os-hardening] verifier: inspec_tests: - test/smoke/default - https://github.com/dev-sec/linux-baseline attributes:
- 41. What’s in the os-hardening Cookbook
- 42. Run kitchen test Without Hardening Profile Summary: 25 successful, 25 failures, 1 skipped Test Summary: 77 successful, 39 failures, 3 skipped >>>>>> ------Exception------- >>>>>> Class: Kitchen::ActionFailed >>>>>> Message: 1 actions failed. >>>>>> Verify failed on instance <default-centos-72>. Please see .kitchen/logs/default-centos-72.log for more details >>>>>> ---------------------- >>>>>> Please see .kitchen/logs/kitchen.log for more details >>>>>> Also try running `kitchen diagnose --all` for configuration
- 43. Run kitchen test With Hardening Profile Summary: 50 successful, 0 failures, 1 skipped Test Summary: 116 successful, 0 failures, 3 skipped Finished verifying <default-centos-72> (0m11.07s). -----> Destroying <default-centos-72>... ==> default: Forcing shutdown of VM... ==> default: Destroying VM and associated drives... Vagrant instance <default-centos-72> destroyed. Finished destroying <default-centos-72> (0m4.97s). Finished testing <default-centos-72> (2m37.89s). -----> Kitchen is finished. (2m39.44s)
- 44. What’s in the linux-baseline Profile control 'os-02' do impact 1.0 title 'Check owner and permissions for /etc/shadow' desc 'Check periodically the owner and permissions for /etc/shadow' describe file('/etc/shadow') do it { should exist } it { should be_file } it { should be_owned_by 'root' } its('group') { should eq shadow_group } it { should_not be_executable } it { should be_writable.by('owner') } ...
- 45. Over Time Build a Comprehensive Set of Checks for Your Systems Run Them Every Time Someone Needs to Make a Change Make it EASY for Everyone to Use
- 46. Resources • https://inspec.io • https://github.com/chef-training/workshops/ • https://blog.chef.io/2017/05/15/detecting-wannacry-exploit-inspec/ • http://www.anniehedgie.com/inspec-basics-1 • http://blog.johnray.io/chef-inspec-and-dirty-cow • https://blog.chef.io/2017/05/23/inspec-launches-support-cloud-platform- assessments/
- 47. October 10 – 11, 2017 etc.venues Fenchurch St London https://chef.io/summits