Post on 14-Jan-2017
Compliance as Code
Melbourne Infrastructure Coders
November 8, 2016
Chef Workflow
SSH Control
"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
How will I verify this?
Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
Apache Server Information Leakage - Server Token Directive
• Description
This directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server.
This allows attackers to identify web server details and greatly increases the efficiency of any attack, as security vulnerabilities depend on specific software versions.
• How to Test
In order to test for ServerToken configuration, one should check the Apache configuration file.
• Misconfiguration
ServerTokens Full
• Remediation
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.
ServerTokens Prod
or
ServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache
More grep and sed!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
Compliance
“two-thirds of organizations did not adequately test the security of all in-scope systems”
Key Trends
• While individual rule compliance is up, testing of security systems is down
• Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
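The two one-liners above only print a value; deciding pass or fail is left to whoever reads the output, and `grep "^Protocol"` silently misses an indented directive. As an added example (plain Ruby written for this page, not InSpec DSL and not code from the talk), here is what the SSH Control and ServerTokens checks look like once they return a verdict with evidence, roughly what InSpec's `sshd_config` and `apache_conf` resources do for you. The sample configuration texts are constructed, and the choice to flag an unset `Protocol` as a finding is this example's policy, not an OpenSSH rule.

```ruby
# Added example: compliance checks as code rather than as grep/sed one-liners.
# Plain Ruby stand-in for what InSpec's sshd_config / apache_conf resources do.

# Constructed sample files (not taken from any real host).
SSHD_CONFIG = <<~CONF
  # Sample sshd_config (constructed)
  Port 22
  Protocol 2
  PermitRootLogin no
CONF

HTTPD_CONF = <<~CONF
  # Sample httpd.conf (constructed); note the indented directive below
  ServerRoot "/etc/httpd"
    ServerTokens Full
  <Directory />
      AllowOverride none
  </Directory>
CONF

# Minimal "Key value" config parser: skips comments, blank lines and
# <Section> markers, tolerates leading whitespace (which grep "^Protocol"
# does not), and keeps the last value when a directive repeats.
# Keys are lower-cased because Apache directive names are case-insensitive.
# It does not track <Directory> scoping; that is enough for global directives.
def parse_config(text)
  text.each_line.with_object({}) do |line, h|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#', '<')
    key, value = stripped.split(/\s+/, 2)
    h[key.downcase] = value.to_s.strip
  end
end

# Check 1: Protocol must be exactly "2". A value such as "2,1" still offers
# SSHv1, so it fails. An absent directive is reported as a finding here
# (this example's policy) so that reliance on defaults is visible.
def check_ssh_protocol(sshd_text)
  value = parse_config(sshd_text)['protocol']
  return [false, 'Protocol not set explicitly'] if value.nil?
  ok = value.split(',').map(&:strip) == ['2']
  [ok, "Protocol #{value}"]
end

# Check 2: ServerTokens must be Prod or ProductOnly. Apache's default when
# the directive is absent is Full, so absence is a real failure.
def check_server_tokens(httpd_text)
  value = parse_config(httpd_text)['servertokens']
  return [false, 'ServerTokens not set (Apache defaults to Full)'] if value.nil?
  ok = %w[prod productonly].include?(value.downcase)
  [ok, "ServerTokens #{value}"]
end

# Run both checks; returns { control name => [passed?, evidence] }.
def run_checks(sshd_text = SSHD_CONFIG, httpd_text = HTTPD_CONF)
  {
    'sshd-protocol'       => check_ssh_protocol(sshd_text),
    'apache-servertokens' => check_server_tokens(httpd_text)
  }
end

if __FILE__ == $PROGRAM_NAME
  run_checks.each do |name, (ok, evidence)|
    puts "#{ok ? 'PASS' : 'FAIL'}  #{name}: #{evidence}"
  end
end
```

Run it directly to see one PASS (Protocol 2) and one FAIL (the indented `ServerTokens Full`, which the page's grep would not even have printed). Swap the constants for `File.read('/etc/ssh/sshd_config')` and `File.read('/etc/httpd/conf/httpd.conf')` to run it against a real node.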
Infrastructure Code
package 'httpd' do
  action :install
end

service 'httpd' do
  action [ :start, :enable ]
end
What We Have Here Is A Communications Problem
Security != Compliance
Compliance Language
One Language
Linux, Windows, BSD, Unixes, ...
Available Resources
apache_conf
apt
audit_policy
auditd_conf
auditd_rules
bond
bridge
csv
command
directory
etc_group
file
gem
group
host
inetd_conf
interface
iptables
kernel_module
kernel_parameter
limits_conf
login_defs
mount
mysql_conf
mysql_session
npm
ntp_conf
oneget
os
os_env
package
parse_config
parse_config_file
passwd
pip
port
postgres_conf
postgres_session
powershell
processes
registry_key
security_policy
service
ssh_config
sshd_config
user
windows_feature
yaml
yum
What is it not?
• IDS / IPS
• Firewall
• Antivirus
• Pentesting tool
One Language
Linux, Windows, BSD, Unixes, ...
Bare-metal, VMs, Containers
Test Locally
$ inspec exec test.rb
.

Finished in 0.00901 seconds (files took 0.98501 seconds to load)
1 example, 0 failures
Test Remote via SSH
$ inspec exec test.rb -i vagrant.key -t ssh://root@172.17.0.1:11022
No Ruby / agent on the node
Test Remote via WinRM
$ inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super
No Ruby / agent on the node
Test Docker Containers
$ inspec exec test.rb -t docker://3dda08e75838
No Ruby / agent on the container
One Language
Linux, Windows, BSD, Unixes, ...
Bare-metal, VMs, Containers
Nodes, GRUB, DBs
DB Testing
One Language
Linux, Windows, BSD, Unixes, ...
Bare-metal, VMs, Containers
Nodes, GRUB, DBs, Endpoints, APIs, ...
Cloud Testing
Operating System and Application Coverage
• Red Hat Enterprise Linux
• Ubuntu
• SUSE
• Oracle Linux
• Microsoft Windows 7, 8
• Microsoft Windows Server 2008, 2012
• AIX
• HP-UX
• VMware ESXi
• Oracle
• MySQL
• Apache Tomcat
• SQL Server
• IIS
• AWS
Compliance as Code.
Open Source Community
• InSpec: https://inspec.io
• Chef Audit cookbook: https://github.com/chef-cookbooks/audit
• Kitchen-InSpec: https://github.com/chef/kitchen-inspec
• Supermarket.chef.io
New Workflow