Building Security Into Your
Workflow with InSpec
Mandi Walls | mandi@chef.io
HI!
• Mandi Walls
• Technical Community Manager for Chef, EMEA
• mandi@chef.io
• @lnxchk
• https://inspec.io
• https://dev-sec.io/
EVERY business is a software business
We’re going to be a software company with airplanes.
– CIO, Alaska Airlines
What We Have Here Is A Communications Problem
DevOpsDays InSpec Workshop
What Is InSpec
InSpec
• Human-readable specification language for tests related to security and compliance
• Includes facilities for creating, sharing, and reusing profiles
• Extensible language so you can build your own rules for your applications and systems
• Command-line tools for plugging into your existing workflows / build servers
• Integrates with Test Kitchen for fast-feedback local testing by developers
SSH Example
• If your security team sends you a directive:
SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. All systems must use SSHv2 instead to avoid these issues.
How Do You Go About Fixing It?
• Identify the file and file location to check your systems
• Create a file with a new setting
• Push out changes
• What’s the plan for the currently used images?
Rebuild?
Remediate at instantiation?
• Did you test it?
Lifecycle
• When you get a mandate from security, how often is it checked?
• Single big scan, report mailed out with a “due date”?
• Yearly or twice-yearly massive scans with remediation projects?
Using InSpec
User: chef
Pass: dodams2018
Find It!
• http://inspec.io/
• Open Source!
• The “spec” is a hint
• It comes installed as part of the Chef Developer’s Kit, ChefDK, or on its own
• It’s on your host
which inspec
• https://downloads.chef.io/chefdk
curl -o chefdk.rpm https://packages.chef.io/files/stable/chefdk/2.3.4/el/7/chefdk-2.3.4-1.el7.x86_64.rpm
sudo rpm -Uhv chefdk.rpm
Check that sshd_config
control 'ssh-protocol-2' do
  impact 1.0
  title 'SSH Version 2'
  desc <<-EOF
    SSH supports two different protocol versions. The original version, SSHv1, was
    subject to a number of security issues. Please use SSHv2 instead to avoid these.
  EOF
  # impact/title/desc belong to the control; the resource check sits in describe
  describe sshd_config do
    its('Protocol') { should cmp 2 }
  end
end
Resources
• InSpec includes built-in resources for common services, system files, and configurations
See http://inspec.io/docs/reference/resources/ for the current list!
• Built-in resources work on several Linux platforms. There are also Windows-specific resources
• A resource has characteristics that can be verified for your requirements, and Matchers that work with those characteristics
• Resources take the “grep for x” out of the testing phase
• Parsers included in the InSpec software do the work for you
• It’s built on the premises of RSpec, and meant to be human readable
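The SSH directive above and the "parsers do the work for you" point, shown in plain Ruby as an added example that is not part of the slides or of InSpec's own source: a minimal sshd_config parser plus the equivalent of its('Protocol') { should cmp 2 }, so you can see the "grep for x" that the sshd_config resource replaces. The sample configs are constructed; protocol_check_file is a helper name chosen here.

```ruby
# Added example (not from the slides or InSpec's source): a minimal sshd_config
# parser and the plain-Ruby equivalent of its('Protocol') { should cmp 2 },
# i.e. the "grep for x" that the InSpec sshd_config resource does for you.

# Parse sshd_config text into a Hash of lower-cased keyword => value string.
# Follows the sshd_config(5) rules that matter for this check: empty lines and
# lines starting with '#' are comments, keywords are case-insensitive, both
# "Key value" and "Key=value" are accepted, and the FIRST occurrence of a
# keyword wins. Lines after a "Match" block header are conditional settings and
# are deliberately not recorded as global values (this example's simplification).
def parse_sshd_config(text)
  settings = {}
  in_match_block = false
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    keyword, value = line.split(/\s*=\s*|\s+/, 2)
    keyword = keyword.downcase
    in_match_block = true if keyword == 'match'
    next if in_match_block
    settings[keyword] ||= value.to_s.strip # first occurrence wins, later ones ignored
  end
  settings
end

# Plain-Ruby version of its('Protocol') { should cmp 2 }: only an explicit "2"
# passes. "2,1" (SSHv1 still offered), "1", and a missing or commented-out
# Protocol line (nil) all fail, which is what InSpec's cmp matcher reports too.
def protocol_check(settings)
  actual = settings['protocol']
  { status: actual == '2' ? 'passed' : 'failed', actual: actual }
end

# Convenience wrapper for a real file, e.g. protocol_check_file('/etc/ssh/sshd_config').
def protocol_check_file(path)
  protocol_check(parse_sshd_config(File.read(path)))
end

# Constructed sample configs (not captured from any real host).
SSHD_V2_ONLY = <<~CFG
  # hardened by the harden cookbook
  Port 22
  protocol 2
  # the first value wins, so sshd ignores this later line
  Protocol 1
  PermitRootLogin no
CFG

SSHD_MIXED = <<~CFG
  Protocol 2,1
  Port = 22
CFG

SSHD_UNSET = <<~CFG
  # Protocol 2      <- commented out, so the directive is not in effect
  PermitRootLogin no
  Match User backup
    Protocol 2
CFG

if $PROGRAM_NAME == __FILE__
  { 'v2 only' => SSHD_V2_ONLY, 'mixed' => SSHD_MIXED, 'unset' => SSHD_UNSET }.each do |name, cfg|
    result = protocol_check(parse_sshd_config(cfg))
    puts format('%-8s Protocol=%-6s %s', name, result[:actual].inspect, result[:status])
  end
end
```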
its.... should...
• it { should exist }
• it { should be_installed }
• it { should be_enabled }
• its('max_log_file') { should cmp 6 }
• its('exit_status') { should eq 0 }
• its('gid') { should eq 0 }
Run It
• InSpec is command line
Installs on your workstation as a Ruby gem or as part of the ChefDK
• Can be run locally, to test the machine it is executing on
• Or remotely
InSpec will log into the target and run the tests for you
• Also a REPL
https://www.inspec.io/docs/reference/shell/
Create a Basic Test – test.rb
• Let’s write a basic test to make sure /tmp is a directory
• It also should be owned by root
• And its mode should be 01777 – open to all (plus sticky bit!)
• Let’s check out the docs for the “file” resource for InSpec
File Resources in InSpec
• https://www.inspec.io/docs/reference/resources/file/
• We want:
Directory
Owner
Mode
describe file('path') do
  it { should MATCHER 'value' }
end
test.rb
describe file("/tmp") do
  it { should exist }
  its('type') { should cmp 'directory' }
  its('owner') { should eq 'root' }
  its('mode') { should cmp '01777' }
end
Test Any Target
inspec exec test.rb
inspec exec test.rb -i ~/.aws/mandi_eu.pem -t ssh://ec2-user@54.152.7.203
inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super
inspec exec test.rb -t docker://3dda08e75838
Execute InSpec
[chef@ip-172-31-38-151 ~]$ inspec exec ./test.rb
Profile: tests from ./test.rb
Version: (not specified)
Target: local://
File /tmp
✔ should exist
✔ should be directory
✔ should be owned by "root"
✔ mode should cmp == "01777"
Test Summary: 4 successful, 0 failures, 0 skipped
Failures
• InSpec runs with failed tests return a non-zero return code
Profile Summary: 0 successful, 1 failures, 0 skipped
[chef@ip-172-31-29-25 ~]$ echo $?
1
[chef@ip-172-31-29-25 ~]$
• Passing tests have 0 return code
Profile Summary: 1 successful, 0 failures, 0 skipped
[chef@ip-172-31-29-25 ~]$ echo $?
0
[chef@ip-172-31-29-25 ~]$
Profiles
• InSpec profiles allow you to package and share sets of InSpec tests for your organization or for a specific application set
• Each profile can have multiple test files included
• The test files generally test for one required outcome, but can look at different objects to meet requirements
• Flexible!
Create your own profiles for specific software you use
Hardening with InSpec
• CentOS 7 host
• os-hardening cookbook from https://supermarket.chef.io
• /dev-sec/linux-baseline InSpec profile from https://github.com/dev-sec/linux-baseline
What’s in the linux-baseline Profile
control 'os-02' do
  impact 1.0
  title 'Check owner and permissions for /etc/shadow'
  desc 'Check periodically the owner and permissions for /etc/shadow'
  describe file('/etc/shadow') do
    it { should exist }
    it { should be_file }
    it { should be_owned_by 'root' }
    its('group') { should eq shadow_group }
    it { should_not be_executable }
    it { should be_writable.by('owner') }
    ...
Use the Profile
$ git clone https://github.com/dev-sec/linux-baseline
...
$ sudo inspec exec linux-baseline
Profile Summary: 26 successful controls, 27 control failures, 1 control skipped
Test Summary: 80 successful, 45 failures, 1 skipped
$
What’s in the os-hardening Cookbook
Use Chef to Repair the Findings
$ chef generate cookbook harden
(ignore git's complaints, it's ok)
Edit harden/metadata.rb
name 'harden'
maintainer 'The Authors'
maintainer_email 'you@example.com'
license 'All Rights Reserved'
description 'Installs/Configures harden'
...
...
depends 'os-hardening'
Create a Cookbooks Package
$ cd harden
$ berks install
$ berks package
$ cd ..
$ tar -xzvf harden/cookbooks-VERSION.tar.gz
Run chef-client to remediate failed tests
$ sudo chef-client -r "recipe[os-hardening]" --local-mode
Rerun the Tests
$ sudo inspec exec linux-baseline/
...
Profile Summary: 51 successful controls, 2 control failures, 1 control skipped
Test Summary: 123 successful, 2 failures, 1 skipped
What’s Still Failing?
• Find the controls that aren’t passing
• Decide if you want to fix them or forget them
• Let’s fix one and forget the others
Error 1: Entropy, os-08
control 'os-08' do
  impact 1.0
  title 'Entropy'
  desc 'Check system has enough entropy - greater than 1000'
  describe file('/proc/sys/kernel/random/entropy_avail').content.to_i do
    it { should >= 1000 }
  end
end
https://github.com/dev-sec/linux-baseline/blob/master/controls/os_spec.rb
Fix it with rngd
$ vi harden/recipes/default.rb
package 'rng-tools'

service 'rngd' do
  action [:start, :enable]
end
Install the Package
Turn on the Service
Berks Update
$ cd ~/harden
$ berks package
Install new cookbooks and run chef-client
$ cd ~
$ tar -xzvf harden/cookbooks-NEWVERSION.tar.gz
$ sudo chef-client -r "recipe[harden],recipe[os-hardening]" --local-mode
…
Recipe: harden::default
  * yum_package[rng-tools] action install
    - install version 0:5-13.el7.x86_64 of package rng-tools
  * service[rngd] action start
    - start service service[rngd]
  * service[rngd] action enable (up to date)
Check the InSpec Output Now
$ sudo inspec exec linux-baseline
...
Profile Summary: 52 successful controls, 1 control failure, 1 control skipped
Test Summary: 124 successful, 1 failure, 1 skipped
$
Error 2: auditd log setting package-08
control 'package-08' do
  impact 1.0
  title 'Install auditd'
  desc 'auditd provides extended logging capacities on recent distribution'
  ...
  describe auditd_conf do
    ...
    its('max_log_file_action') { should cmp 'keep_logs' }
    ...
  end
end
Maybe We're Ok with the Current Setting
• Large InSpec profiles contain lots of rules
• You may not want or need all of them for your infrastructure
• You can pick and choose which ones you want using your profile
• Let's ignore the auditd log file setting for now
Building New Profiles
$ inspec init profile my_hardening
Create new profile at /home/chef/my_hardening
* Create file README.md
* Create directory controls
* Create file controls/example.rb
* Create file inspec.yml
* Create directory libraries
$
Select the Controls You Want
Including Profiles
$ vi my_hardening/inspec.yml
name: my_hardening
title: InSpec Profile
...
version: 0.1.0
depends:
  - name: linux-baseline
    git: https://github.com/dev-sec/linux-baseline
Skipping Individual Controls
$ rm -f my_hardening/controls/example.rb
$ vi my_hardening/controls/default.rb
include_controls 'linux-baseline' do
  skip_control 'package-08'
end
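The two decisions above, "What's Still Failing?" (find the controls that aren't passing) and "Skipping Individual Controls", as one added Ruby example that is not part of the slides or of InSpec: it triages the output of InSpec's JSON reporter (`inspec exec linux-baseline --reporter json > report.json`, whose profiles → controls → results layout is assumed here) and generates the wrapper profile's skip list from ids you have reviewed. The sample report is constructed and modelled on the workshop's findings.

```ruby
require 'json'

# A control fails if any of its describe results failed, is skipped if every
# result was skipped, and passes otherwise: this is how InSpec rolls the
# "Test Summary" up into the "Profile Summary" control counts. A control with
# no results at all is counted as skipped here (this example's choice).
def control_status(control)
  statuses = control.fetch('results', []).map { |r| r['status'] }
  return 'failed'  if statuses.include?('failed')
  return 'skipped' if statuses.all? { |s| s == 'skipped' } # also true for []
  'passed'
end

# Roll a parsed JSON report up into control counts plus a triage list of the
# failing controls, highest impact first, with the matcher messages that failed.
def summarize(report)
  controls = report.fetch('profiles', []).flat_map { |p| p.fetch('controls', []) }
  counts = Hash.new(0)
  failing = []
  controls.each do |c|
    status = control_status(c)
    counts[status] += 1
    next unless status == 'failed'
    messages = c['results'].select { |r| r['status'] == 'failed' }
                           .map { |r| [r['code_desc'], r['message']].compact.join(': ').strip }
    failing << { id: c['id'], impact: c['impact'].to_f, title: c['title'], messages: messages }
  end
  { counts: counts, failing: failing.sort_by { |f| [-f[:impact], f[:id]] } }
end

# Generate controls/default.rb for a wrapper profile: keep every upstream control
# except the ones you have consciously accepted as-is. Only skip what you have
# reviewed; skipping every failing id would just hide the findings.
def wrapper_controls_rb(upstream, skip_ids)
  lines = ["include_controls '#{upstream}' do"]
  skip_ids.each { |id| lines << "  skip_control '#{id}'" }
  lines << 'end'
  lines.join("\n") + "\n"
end

# Constructed sample report in the shape of `inspec exec ... --reporter json`,
# trimmed to the keys used above and modelled on the workshop's findings;
# it was not captured from a real run.
SAMPLE_REPORT = <<~'JSON'
  {"profiles": [{"name": "linux-baseline", "controls": [
    {"id": "os-02", "impact": 1.0, "title": "Check owner and permissions for /etc/shadow",
     "results": [{"status": "passed", "code_desc": "File /etc/shadow should exist"},
                 {"status": "passed", "code_desc": "File /etc/shadow should be owned by \"root\""}]},
    {"id": "os-08", "impact": 1.0, "title": "Entropy",
     "results": [{"status": "failed", "code_desc": "Integer should be >= 1000",
                  "message": "expected: >= 1000\n     got:    187"}]},
    {"id": "package-08", "impact": 1.0, "title": "Install auditd",
     "results": [{"status": "passed", "code_desc": "System Package audit should be installed"},
                 {"status": "failed", "code_desc": "Auditd Configuration max_log_file_action should cmp == \"keep_logs\"",
                  "message": "expected: keep_logs\n     got: ROTATE"}]},
    {"id": "os-99", "impact": 0.5, "title": "Constructed skipped control",
     "results": [{"status": "skipped", "code_desc": "Operating System Detection",
                  "skip_message": "Skipped control due to only_if condition."}]}
  ]}]}
JSON

if $PROGRAM_NAME == __FILE__
  summary = summarize(JSON.parse(SAMPLE_REPORT))
  c = summary[:counts]
  puts "Profile Summary: #{c['passed']} successful controls, #{c['failed']} control failures, #{c['skipped']} control skipped"
  summary[:failing].each do |f|
    puts "#{f[:id]} (impact #{f[:impact]}): #{f[:title]}"
    f[:messages].each { |m| puts "    #{m.gsub("\n", ' ')}" }
  end
  # As on the slides: fix os-08 with the harden cookbook, accept package-08 in the wrapper.
  puts wrapper_controls_rb('linux-baseline', ['package-08'])
end
```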
Rerun the InSpec Profile
$ sudo inspec exec my_hardening/
...
Profile Summary: 52 successful controls, 0 control failures, 1 control skipped
Test Summary: 113 successful, 0 failures, 1 skipped
Other Stuff – Test Kitchen
• InSpec also runs as a test suite in Test Kitchen
• Test Kitchen is a tool for your team to create fast-feedback loops for development
• Add InSpec tests to TK so that any change can also be certified with the security profile before it is pushed to the source code repository
• More info at http://kitchen.ci/
Resources
• https://inspec.io
• https://dev-sec.io
• https://github.com/chef-training/workshops/
• http://www.anniehedgie.com/inspec-basics-1
• Windows and InSpec: http://datatomix.com/?p=236
• https://blog.chef.io/category/inspec/
• We're hiring! Work on InSpec in Belfast! https://chef.io/careers

Editor's Notes

  • #5: Compliance requirements are often set out in flat documents. Sometimes PDFs, sometimes other formats, but they have a tendency to be a huge list of characteristics and checkboxes to be investigated and potentially remediated. Security tools may be somewhat more flexible, encoded into a set of shell scripts that check and verify the systems after they are built. But what if it were easy to build these checks into the workflow while the systems are being built and the applications installed?
  • #6: For the purposes of compliance, we actually wanted a common language, in code, that all audiences – compliance, security, and devops – could collaborate on. That code then acts on systems. This is why InSpec was developed.
  • #11: For bits like the SSH configuration that are considered more infrastructure than application, these practices are common: changes are periodically rolled into the source images for new hosts (or containers) and the old configurations are eventually purged from production. It’s a herd-immunity approach. But what happens if the thing to be tested is affected by a continuously developed application? Like runtime configurations for Java, or your databases. Can you count on every team to always know all of the requirements?
  • #24: Plug InSpec into whatever command set you are already using
  • #48: If there is time, run a short InSpec and Kitchen demo.