compliance as code: velocity with security - fraser pollock, chef
TRANSCRIPT
![Page 1: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/1.jpg)
Compliance at Velocity
Fraser Pollock
![Page 2: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/2.jpg)
Fraser Pollock
• Solutions Architect at Chef
• Spread the delightfulness of Chef
• https://www.linkedin.com/in/fraser-pollock-33974231
![Page 3: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/3.jpg)
About Chef
• Based in Seattle with offices in London, San Francisco
• Leader in infrastructure, compliance and application automation for DevOps
• 25+ million open source downloads, 1000+ customers, 70,000+ contributing Chefs
• > 70% of revenue from Global 2000
![Page 4: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/4.jpg)
Dev QA Stage Prod
![Page 5: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/5.jpg)
![Page 6: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/6.jpg)
SSH Control
SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
![Page 7: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/7.jpg)
Dev QA Stage Prod
![Page 8: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/8.jpg)
Dev QA Stage Security Review Prod
![Page 9: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/9.jpg)
![Page 10: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/10.jpg)
Dev QA Stage Prod
![Page 11: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/11.jpg)
Dev QA Stage Prod
"Scanning"
![Page 12: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/12.jpg)
InSpec is compliance as code: a human-readable language for automating the continuous testing and compliance auditing of your entire infrastructure.
![Page 13: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/13.jpg)
Mapping Compliance Document to InSpec

```ruby
control 'ssh-6.2.1' do
  title 'Set SSH Protocol to 2'
end
```
![Page 14: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/14.jpg)
Mapping Compliance Document to InSpec

```ruby
control 'ssh-6.2.1' do
  title 'Set SSH Protocol to 2'
  desc " SSH supports two different ... "
end
```
![Page 15: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/15.jpg)
Mapping Compliance Document to InSpec

```ruby
control 'ssh-6.2.1' do
  title 'Set SSH Protocol to 2'
  desc " SSH supports two different ... "
  describe sshd_config do
    its('Protocol') { should cmp('2') }
  end
end
```
![Page 16: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/16.jpg)
Mapping Compliance Document to InSpec

```ruby
control 'ssh-6.2.1' do
  impact 1.0
  title 'Set SSH Protocol to 2'
  desc " SSH supports two different ... "
  describe sshd_config do
    its('Protocol') { should cmp('2') }
  end
end
```
![Page 17: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/17.jpg)
Run Locally

```
$ inspec exec ssh-621.rb
✔ ssh-6.2.1: Set SSH Protocol to 2
   ✔ SSH Configuration Protocol should eq "2"
Profile Summary: 1 successful, 0 failures, 0 skipped
```
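The control the slides build up, modelled in plain Ruby so it can be read and run without an InSpec installation. This is an added example, not code from the slides or from the InSpec project: the `parse_sshd_config` parser, the `cmp_equal?` helper and the `run_profile` runner are simplified stand-ins for InSpec's `sshd_config` resource, `cmp` matcher and profile runner, and the three sshd_config texts are constructed samples. It also shows the edge case the slide's output does not: a config that still offers SSHv1 and a config with no Protocol line at all.

```ruby
# Added example (not from the slides or the InSpec project): a plain-Ruby model
# of the 'ssh-6.2.1' control. All sshd_config texts below are constructed.

COMPLIANT_SSHD_CONFIG = <<~CFG
  # constructed sample: SSHv2 only
  Port 22
  Protocol 2
  PermitRootLogin no
CFG

NONCOMPLIANT_SSHD_CONFIG = <<~CFG
  # constructed sample: still offers SSHv1 globally
  Protocol 2,1
  Match User backup
    Protocol 2
CFG

# constructed sample: no Protocol line, as on sshd builds that dropped SSHv1
MISSING_PROTOCOL_SSHD_CONFIG = <<~CFG
  Port 22
  PermitRootLogin no
CFG

# Minimal sshd_config parser: "Keyword value" lines, '#' comments, keywords
# matched case-insensitively. Everything after the first 'Match' line is
# conditional on the match criteria, so it is not part of the global settings.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s*=\s*|\s+/, 2)
    key = key.downcase
    break if key == 'match'
    settings[key] = value
  end
  settings
end

# Loose equality in the spirit of InSpec's `cmp` matcher: surrounding
# whitespace and case are ignored, '2' and 2 compare equal, and a missing
# value never matches (so an absent directive is a failure, not an error).
def cmp_equal?(actual, expected)
  return false if actual.nil?
  actual.to_s.strip.casecmp?(expected.to_s.strip)
end

Control = Struct.new(:id, :impact, :title, :check)

# The same control the slides build up, expressed against the parser above.
SSH_CONTROLS = [
  Control.new('ssh-6.2.1', 1.0, 'Set SSH Protocol to 2',
              ->(cfg) { cmp_equal?(cfg['protocol'], 2) }),
].freeze

# Runs every control against one config text and returns per-control results
# plus counts shaped like the "Profile Summary" line InSpec prints.
def run_profile(controls, config_text)
  settings = parse_sshd_config(config_text)
  results = controls.map do |c|
    { id: c.id, impact: c.impact, title: c.title, passed: c.check.call(settings) }
  end
  failures = results.count { |r| !r[:passed] }
  { results: results, successful: results.size - failures, failures: failures }
end

# Stand-alone run, mirroring the "Run Locally" slide for each sample config.
if __FILE__ == $PROGRAM_NAME
  { 'compliant' => COMPLIANT_SSHD_CONFIG,
    'noncompliant' => NONCOMPLIANT_SSHD_CONFIG,
    'missing-protocol' => MISSING_PROTOCOL_SSHD_CONFIG }.each do |name, cfg|
    report = run_profile(SSH_CONTROLS, cfg)
    report[:results].each do |r|
      puts "#{r[:passed] ? '✔' : '✖'} #{r[:id]}: #{r[:title]} (impact #{r[:impact]})"
    end
    puts "Profile Summary [#{name}]: #{report[:successful]} successful, #{report[:failures]} failures"
  end
end
```

The third sample is the caveat worth knowing before wiring this control into a pipeline: on sshd builds that no longer support SSHv1 the Protocol directive is normally absent, and `its('Protocol') { should cmp('2') }` then reports a failure rather than a pass. In a real profile that is a case for guarding the control with InSpec's `only_if` on the OS or sshd version, or for pairing it with a check that the server advertises only SSHv2, instead of treating every red mark as an SSHv1 finding.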
![Page 18: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/18.jpg)
Run Remote via ssh

```
$ inspec exec ssh-621.rb -i my.pem -t ssh://someremotehost
✔ ssh-6.2.1: Set SSH Protocol to 2
   ✔ SSH Configuration Protocol should eq "2"
Profile Summary: 1 successful, 0 failures, 0 skipped
```
![Page 19: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/19.jpg)
Run Remote via WinRM

```
$ inspec exec ssh-621.rb -t winrm://Admin@someremotehost
✔ ssh-6.2.1: Set SSH Protocol to 2
   ✔ SSH Configuration Protocol should eq "2"
Profile Summary: 1 successful, 0 failures, 0 skipped
```
![Page 20: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/20.jpg)
Test a Docker Container

```
$ inspec exec ssh-621.rb -t docker://8eb7760bd9db
Target: docker://8eb7760bd9db046cfc826f36a6997b02a1cd884684870b78cede0ab03b62571a
✔ ssh-6.2.1: Set SSH Protocol to 2
   ✔ SSH Configuration Protocol should eq "2"
Profile Summary: 1 successful, 0 failures, 0 skipped
```
![Page 21: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/21.jpg)
Stand Alone Usage

```
$ inspec exec test.rb
$ inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
$ inspec exec test.rb -t winrm://[email protected] --password super
$ inspec exec test.rb -t docker://3cc8837bb6a8
```

```ruby
describe sshd_config do
  its('Protocol') { should cmp 2 }
end
```
![Page 22: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/22.jpg)
InSpec
Windows Support
• Windows 2016 / Nano Support
• Windows-specific Resources
• PowerShell remoting protocol with NTLM support
Chef Ecosystem
• Included in ChefDK package
• Kitchen support
• audit cookbook
Mechanisms for Policy Definitions
• Profile Inheritance
• Attributes
• Custom Resources
Native Packages
• Windows
• macOS
• Red Hat & Ubuntu
Patch Management
• windows-patch-benchmark (dev-sec.io)
• linux-patch-benchmark (dev-sec.io)
Remote and agent-based execution
• Custom sudo commands
• more ssh options
![Page 23: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/23.jpg)
InSpec Profiles (diagram): Windows Patch Profile, OS Hardening Profile, SSH Hardening Profile, Linux Patch Profile
![Page 24: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/24.jpg)
![Page 25: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/25.jpg)
InSpec Profiles

```ruby
include_controls 'os-hardening' do
  skip_control 'os-06'
  control 'os-02' do
    impact 0.7
  end
end
include_controls 'ssh-hardening'
```
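What the wrapper profile above produces once it runs, modelled in plain Ruby as an added example (not code from the slides, from InSpec or from the dev-sec profiles): `include_controls` copies an upstream profile's controls, `skip_control` keeps a control in the report but marks it skipped, and a nested `control` block overrides fields such as `impact`. The control ids `os-02` and `os-06` are the ones on the slide; the `sshd-01` id, every impact, the checks and the facts hash they read are constructed placeholders, since the real os-hardening and ssh-hardening checks are not reproduced here.

```ruby
# Added example (not from the slides, InSpec or dev-sec): how a wrapper profile
# composes upstream profiles with include_controls, skip_control and an impact
# override. Checks and facts are constructed stand-ins.

Control = Struct.new(:id, :impact, :check)

# Upstream profiles keyed by name. os-02 and os-06 are the ids from the slide;
# impacts, checks and the sshd-01 id are constructed placeholders.
UPSTREAM = {
  'os-hardening' => [
    Control.new('os-02', 1.0, ->(f) { f['shadow_mode'] == '0640' }),
    Control.new('os-06', 1.0, ->(f) { f['has_legacy_rsh'] == false }),
  ],
  'ssh-hardening' => [
    Control.new('sshd-01', 1.0, ->(f) { f['sshd_protocol'] == '2' }),
  ],
}.freeze

# Model of include_controls: copy every upstream control, flag the skipped ones
# (they stay in the report as "skipped") and apply per-control impact overrides.
def include_controls(profile_name, skip: [], impact: {})
  UPSTREAM.fetch(profile_name).map do |c|
    { id: c.id, impact: impact.fetch(c.id, c.impact), check: c.check,
      skipped: skip.include?(c.id) }
  end
end

# The wrapper on the slide: all of os-hardening except os-06, with os-02
# downgraded to impact 0.7, plus all of ssh-hardening unchanged.
def acme_wrapper
  include_controls('os-hardening', skip: ['os-06'], impact: { 'os-02' => 0.7 }) +
    include_controls('ssh-hardening')
end

# The same two profiles taken as-is, for comparison with the wrapper.
def unmodified_profiles
  include_controls('os-hardening') + include_controls('ssh-hardening')
end

# Runs the composed control list against a facts hash and counts outcomes the
# way the "N successful, M failures, K skipped" summary line does.
def run_wrapper(controls, facts)
  results = controls.map do |c|
    status = if c[:skipped] then :skipped
             elsif c[:check].call(facts) then :passed
             else :failed
             end
    { id: c[:id], impact: c[:impact], status: status }
  end
  summary = { passed: 0, failed: 0, skipped: 0 }
  results.each { |r| summary[r[:status]] += 1 }
  { results: results, summary: summary }
end

# Highest impact among failed controls: the number a pipeline gate would use,
# and the one the impact override changes.
def highest_failed_impact(report)
  report[:results].select { |r| r[:status] == :failed }.map { |r| r[:impact] }.max || 0.0
end

# Constructed facts: /etc/shadow too permissive, a legacy rsh package present,
# sshd on protocol 2 only.
SAMPLE_FACTS = { 'shadow_mode' => '0600', 'has_legacy_rsh' => true, 'sshd_protocol' => '2' }.freeze

if __FILE__ == $PROGRAM_NAME
  { 'wrapper' => acme_wrapper, 'unmodified' => unmodified_profiles }.each do |name, controls|
    report = run_wrapper(controls, SAMPLE_FACTS)
    report[:results].each { |r| puts "#{r[:status]} #{r[:id]} (impact #{r[:impact]})" }
    s = report[:summary]
    puts "Profile Summary [#{name}]: #{s[:passed]} successful, #{s[:failed]} failures, " \
         "#{s[:skipped]} skipped; highest failed impact #{highest_failed_impact(report)}"
  end
end
```

Against the same facts the unmodified profiles report two failures at impact 1.0, while the wrapper reports one failure at impact 0.7 and one skipped control. That is the operational point of inheritance: the upstream profile stays untouched and reusable, and the local decision to accept a risk or lower its weight is recorded in the wrapper, where it is visible in review and in the report rather than silently edited out of the baseline.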
![Page 26: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/26.jpg)
Demo
• Apply the compliance profile - https://github.com/nathenharvey/acme-inspec-profile/
• Remediate the issues with cookbooks from the Supermarket
![Page 27: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/27.jpg)
InSpec is compliance as code: a human-readable language for automating the continuous testing and compliance auditing of your entire infrastructure.
![Page 28: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/28.jpg)
InSpec: Turn security and compliance into code
• Translate compliance into Code
• Clearly express statements of policy
• Move risk to build/test from runtime
• Find issues early
• Write code quickly
• Run code anywhere
• Inspect machines, data and APIs
A simple example of an InSpec CIS rule
Part of a process of continuous compliance (diagram): Scan for Compliance, Build & Test Locally, Build & Test CI/CD, Remediate, Verify
![Page 29: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/29.jpg)
Available Resources
apache, apache_conf, apt, audit_policy, auditd_conf, auditd_rules, bash, bond, bridge, command, csv, directory,
etc_group, file, gem, group, grub_conf, host, iis_site, inetd_conf, ini, interface, iptables, json,
kernel_module, kernel_parameter, limits_conf, login_def, mount, mssql_session, mysql, mysql_conf, mysql_session, npm, ntp_conf, oneget,
os, os_env, package, parse_config, passwd, pip, port, postgres, postgres_conf, postgres_session, powershell, processes,
registry_key, security_policy, service, shadow, ssh_conf, ssl, user, vbscript, windows_feature, wmi, xinetd, yaml, yum
![Page 30: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/30.jpg)
Further Resources
inspec.io
• Hands on tutorials
• Extensive documentation
• Code examples
learn.chef.io
• More tutorials about Compliance and InSpec
![Page 31: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/31.jpg)
Chef Automate
Infrastructure Automation
Application Automation
Compliance Automation
Workflow
Visibility
Compliance
![Page 32: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/32.jpg)
Chef Automate
![Page 33: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/33.jpg)
AWS and Chef Better Together
AWS OpsWorks for Chef Automate gives all the features of Chef Automate and Chef server running on a single EC2 instance.
– Deploy in 10 minutes or less, directly from the AWS Console. All you need is an AWS account.
– Receive 30 nodes free per month to get you started, with additional usage billed by the hour, based on the number of nodes under management
– Take advantage of automatic backup/restore and software upgrades
Chef Server on AWS Marketplace AMI lets you automate your infrastructure, manage scale and complexity, and gain a deep understanding of your infrastructure.
– Allows you to manage upgrade and back-up strategy
– AMI is preconfigured with Chef server as well as Chef Analytics, the Chef management console, and Chef reporting
![Page 34: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/34.jpg)
Chef & Alert Logic – Better Together
• Use Alert Logic’s cloud-native vulnerability detection to find threats early and remediate with Chef
• Enhance InSpec with Vulnerability Assessment and Scanning from Alert Logic to ensure full coverage of your cloud applications
• Monitor intrusions with Alert Logic and close holes with Chef
• Use Chef to bake Alert Logic agents into your development pipeline and move faster with more confidence!
![Page 35: Compliance as Code: Velocity with Security - Fraser Pollock, Chef](https://reader034.vdocuments.mx/reader034/viewer/2022051709/586fdf391a28ab18428b6ed7/html5/thumbnails/35.jpg)