devopsdays singapore - continuous auditing with compliance as code
TRANSCRIPT
Continuous Auditing with Compliance as Code
DevOpsDays SingaporeOctober 26, 2017
Matt RayManager/Solutions Architect – APJChef [email protected]
@mattraySoftware Defined Talk
Chef Workflow
SSH Control
"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
How will I verify this?
Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
Apache Server Information Leakage
• DescriptionThis Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions.
• How to TestIn order to test for ServerToken configuration, one should check the Apache configuration file.
• MisconfigurationServerTokens Full
• RemediationConfigure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.ServerTokens ProdorServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache
More grep and sed!grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
Passed the Audit
Compliance
“Two-thirds of organizations did not adequately test the security of all in-scope systems”
Key Trends• While individual rule
compliance is up, testing of security systems is down
• Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
Security != Compliance
Security Theater
Shell Scriptsgrep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
Infrastructure Code
package 'httpd' doaction :install
end
service 'httpd' doaction [ :start, :enable ]
end
We Have A Communications Problem
Compliance Language
One LanguageLinux, Windows
Windows
One LanguageLinux, Windows, MacOS, Solaris, AIX, ...
Examples of Available Resourcesapache_conf
apt
audit_policy
auditd_conf
auditd_rules
bond
bridge
command
crontab
directory
etc_group
file
gem
group
host
inetd_conf
interface
iptables
kernel_module
kernel_parameter
limits_conf
login_defs
mount
mysql_conf
mysql_session
npm
ntp_conf
oneget
os
os_env
package
parse_config
parse_config_file
passwd
pip
port
postgres_conf
postgres_session
powershell
processes
registry_key
security_policy
service
ssh_config
sshd_config
user
windows_feature
yum
What is it not?
• IDS / IPS• Firewall• Antivirus• Pentesting tool
One LanguageLinux, Windows, MacOS, Solaris, AIX, ...
Bare-metal, VMs, Containers
One LanguageLinux, Windows, MacOS, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, Databases
DB Testing
One LanguageLinux, Windows, MacOS, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, Databases, APIs
Cloud Testing
InSpec
> inspec exec test.rb
Test a machine remotely via SSH
> inspec exec test.rb -i identity.key -t ssh://[email protected]
Test your machine locally
> inspec exec test.rb -t winrm://[email protected] --password super
Test Docker Container
> inspec exec test.rb -t docker://5cc8837bb6a8
Test a machine remotely via WinRM AG
ENTLESS
One LanguageLinux, Windows, MacOS, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, Databases, APIs, Cloud Platforms, ...
Open Source Community
•https://inspec.io•https://github.com/chef/inspec•https://supermarket.chef.io•https://learn.chef.io•#inspec in https://chefcommunity.slack.com
This Year
•408 Pull Requests•116 from non-Chef employees!•89 PR contributors•61 non-Chef employees!•23 new core resources added•12 from non-Chef employees!
55%
Step one: DetectGain visibility into current status to satisfy audits and drive decision-making
of organizations do compliance assessments inconsistently or not at all.
Apply policies and gain a complete view across the fleet
▪ Accurately assess risk
▪ Prioritize remediation actions
▪ Maintain audit readiness
▪ Create and adjust policies
”
Continuous visibility means that you enter into audits knowing the outcome.Jon Williams, NIU
? ? ? ?
? ? ? ?
? ? ? ?
? ? ? ?
� � �
� � � �
� � �
� � �
� � �
� � � �
� � �
� � �
Step two: CorrectRemediate issues to improve performance and security
▪ Prioritize actions based on impact
▪ Improve application performance
▪ Close security holes
▪ Prove policy compliance
Web & Media Giant
Can patch 250,000 nodes within 6 hours of a patch being made available
Develop, test, and deploy remediation to address issues across the fleet
� � �
� � � �
� � �
� � �
�
�
�
of organizations need days or longer to remediate issues.58%
59%
Step three: AutomateDeploy applications faster and manage risk continuously
▪ Increase speed while reducing risk
▪ Improve software change efficiency
▪ Maintain security and compliance
▪ Align DevOps and InfoSec
Every resource and app in HPC environment automatically qualified as compliant with FDA standards before deployment
� � �
� � � �
� � �
� � �
�
�
�
of organizations do not assess for compliance until code is running in production.
Deploy applications with confidence
The journey to continuous compliance
Detect
Correct
Automate
1. Detect Gain visibility and develop baselines
2. Correct Remediate priority issues
3. Automate Continuously detect & correct
Chef Automate enables the entire journey
Detect
▪ Test against industry benchmarks
▪ Report and address audit needs
Correct
▪ Close detect/correct loop in one platform
▪ Develop baselines for automation
Automate
▪ Detect and correct before production
▪ Single language across DevOps, InfoSec
Chef Automate is a single platform to support the entire journey
Dig into the new way of learning about Chef, Automation, and DevOps.
Self-paced training on Linux and Windows and much more!
learn.chef.io
Thanks!
Matt [email protected]@mattray