Bay Area Chef Meetup February
The Chef Automate Platform
Continuous Automation for High Velocity IT
Workflow • Local development • Integration • Tooling (APIs & SDKs)
COLLABORATE
▪ Package ▪ Test ▪ Approve
BUILD
▪ Provision ▪ Configure ▪ Execute ▪ Update
DEPLOY
▪ Secure ▪ Comply ▪ Audit ▪ Measure ▪ Log
MANAGE
Infrastructure Automation • Compliance Automation • Application Automation
OSS AUTOMATION ENGINES
Increase Speed
▪ Package infrastructure and app configuration as code
▪ Continuously automate infrastructure and app updates
Improve Efficiency
▪ Define and execute standard workflows and automation
▪ Audit and measure effectiveness of automation
Decrease Risk
▪ Define compliance rules as code
▪ Deliver continuous compliance as part of standard workflow
CHEF AUTOMATE: Jumpstart your automation
● A complete suite of enterprise capabilities for workflow, visibility and compliance
● Workflow: A pipeline for continuous delivery of infrastructure and applications
● Compliance: Customizable analytics to identify compliance issues, security risks and outdated software
● Visibility: Gives you views into operational, compliance and workflow process events
Velocity: time from idea to ship (Idea → Ship)
Software success metrics
Quantifying outcomes to deliver software at speed
SPEED (measure of rate of software change): Deployment frequency; Time from commit to deploy
EFFICIENCY (measure of effectiveness of software change): Change failure rate; Mean time to resolve
RISK (measure of quality of software change): Compliance testing coverage; Time deploying remediation
Standard Bank pushes ideas from commit to deploy in 18 minutes with Chef
Focus on Speed
Measuring the rate of software change
                            HIGH IT PERFORMERS   MEDIUM IT PERFORMERS   LOW IT PERFORMERS
DEPLOYMENT FREQUENCY        On-demand            Week - Month           Month - 6 Months
TIME FROM COMMIT TO DEPLOY  < 1 Hour             Week - Month           Month - 6 Months
USE CASES INCLUDE: ▪ Application Delivery ▪ Build Pipelines
Intuit reduced change failure rate by 90% with Chef
Focus on Efficiency
Measuring the effectiveness of software change
                            HIGH IT PERFORMERS   MEDIUM IT PERFORMERS   LOW IT PERFORMERS
CHANGE FAILURE RATE         0-15%                16-30%                 31-45%
MEAN TIME TO RESOLVE        < 1 Hour             < 1 Day                < 1 Day
USE CASES INCLUDE: ▪ Configuration Management ▪ Server Drift
Equifax easily scans and maintains security policies with Chef
Focus on Risk
Measuring the quality of software change
                            HIGH IT PERFORMERS   MEDIUM IT PERFORMERS   LOW IT PERFORMERS
COMPLIANCE TESTING COVERAGE 95%+                 25%-95%                0-25%
TIME DEPLOYING REMEDIATION  < 1 Hour             Week - Month           Month - 6 Months
USE CASES INCLUDE: ▪ Compliance Automation ▪ Compliance Coverage
Chef
▪ Manages deployment and on-going automation
▪ Define reusable resources and infrastructure state as code
▪ Scale elegantly from one to tens of thousands of managed nodes across multiple complex environments
▪ Community, Certified Partner, and Chef supported content available for all common automation tasks
Infrastructure automation and delivery at scale
windows_feature 'IIS-WebServerRole' do
  action :install
end

windows_feature 'IIS-ASPNET' do
  action :install
end

iis_pool 'FooBarPool' do
  runtime_version '4.0'
  action :add
end

package 'apache' do
  action :install
end

template '/etc/httpd/https.conf' do
  source 'httpd.conf.erb'
  mode '0644'   # the slide read 0075, which gives the owner no access at all; 0644 is the usual mode for a config file
  owner 'root'
  group 'root'
end

service 'apache2' do
  action :start
end
Habitat
▪ Ease the burden of managing microservice apps and bring benefits of apps architected for microservices to traditional applications
▪ Gain consistent management of new and traditional applications across their lifecycle
▪ Provides application portability for new and traditional apps
▪ Autonomous nodes self-manage runtime state of application based upon policy you define
▪ APIs expose application behaviors as data for better management
▪ Works in tandem with infrastructure automation
▪ Makes applications running on containers, PaaS, virtual machines, bare metal, … better
Automation that travels with the app
PART OF A PROCESS OF CONTINUOUS COMPLIANCE
Scan for Compliance → Build & Test Locally → Build & Test CI/CD → Remediate → Verify
A SIMPLE EXAMPLE OF AN INSPEC CIS RULE
InSpec
▪ Translate compliance into Code
▪ Clearly express statements of policy
▪ Move risk to build/test from runtime
▪ Find issues early
▪ Write code quickly
▪ Run code anywhere
▪ Inspect machines, data and APIs
Turn security and compliance into code
control 'cis-1.4.1' do
  title '1.4.1 Enable SELinux in /etc/grub.conf'
  desc '
    Do not disable SELinux and enforcing in your GRUB configuration. These are
    important security features that prevent attackers from escalating their
    access to your systems. For reference see …
  '
  impact 1.0
  expect(grub_conf.param 'selinux').to_not eq '0'
  expect(grub_conf.param 'enforcing').to_not eq '0'
end
Deliver on ComplianceReduce risk through automation of security and compliance management
COMPLIANCE TEST COVERAGE
▪ Package compliance as Code
▪ Automate compliance testing
▪ Log and audit policy failures for compliance remediation
Compliance as Code
ROLE OF THE COMPLIANCE OFFICER
ACCELERATED CYCLE
INFRASTRUCTURE AS CODE: Separate certification & testing
POLICY AS CODE: Common language for describing & applying policy
PRACTICE AS CODE: Compliance at velocity
Compliance at Velocity
Manual Compliance                 | Compliance at Velocity
Reactive engagement               | Proactive engagement
Checking implementations by hand  | Expressing policy as testable code
Short term compliance             | Long term process improvement
One language, One workflow
InSpec - Security meets Operations
Each team uses separate tools
SECURITY
DEVOPS
COMPLIANCE
Unified language
SECURITY DEVOPS
COMPLIANCE
REGULATORY COMPLIANCE
PCI-DSS Gramm-Leach-Bliley Act HIPAA
Dodd-Frank ISO Sarbanes-Oxley
HITECH Grundschutz European Central Bank Regulations
Chef Compliance ships with profiles for:
Amazon Linux 2014.09 / 2015.03
CentOS 6 / 7
HP-UX 11i
IBM AIX 5.3 / 6.1 / 7.1
RHEL 6 / 7
SLES 11 / 12
Ubuntu Server 12.04 / 14.04
Windows 2012 R2
SSH Control
SSH supports two different protocol versions. The original
version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
Whip up a two-liner!
TARGET=2
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' > /dev/null && echo $TARGET
Note that this two-liner never compares anything: the value extracted by sed is discarded, and $TARGET is echoed whenever a line starting with "Protocol" exists, whatever its value.
Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
Differences in verifying compliance policy
> grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
2
DOCUMENTATION
SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
describe sshd_config do
  # sshd_config values are strings, so a strict `eq 2` can never match;
  # InSpec's `cmp` matcher compares after type coercion
  its('Protocol') { should cmp '2' }
end

control 'ssh-1234' do
  impact 1.0
  title 'Server: Set protocol version to SSHv2'
  desc "
    Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore...
  "
  describe sshd_config do
    its('Protocol') { should cmp '2' }
  end
end
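The difference between the grep pipeline and the InSpec control, as an added plain-Ruby example (not from the slides and not InSpec's own resource code): a small sshd_config parser that applies the sshd_config(5) rules (case-insensitive keywords, "#" comments, whitespace or "=" separator, first occurrence of a keyword wins; Match blocks are deliberately not handled), a `cmp`-style comparison that coerces types the way InSpec's matcher does, and a function that reproduces what the slide's two-liner actually decides. The sample configurations are constructed, not captured from a host.

```ruby
# Added example, not from the original slides. Models the check behind
# `its('Protocol') { should cmp '2' }` in plain Ruby so it runs offline.

# Parse sshd_config text into { lowercased keyword => first value }.
# Assumed rules (sshd_config(5)): "Keyword value" or "Keyword=value" per line,
# keywords case-insensitive, "#" starts a comment, FIRST occurrence wins.
# Limitation: Match blocks are not modelled.
def parse_sshd_config(text)
  directives = {}
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip          # drop comments and whitespace
    next if line.empty?
    key, value = line.split(/[\s=]+/, 2)      # "Protocol 2" or "Protocol=2"
    next if value.nil?                        # keyword without a value
    key = key.downcase
    directives[key] = value.strip unless directives.key?(key)
  end
  directives
end

# InSpec-style `cmp`: compare after coercing both sides to strings,
# ignoring case and surrounding whitespace. `eq` would compare 2 with "2"
# and always fail.
def cmp(actual, expected)
  return false if actual.nil?
  actual.to_s.strip.downcase == expected.to_s.strip.downcase
end

# Compliant only when Protocol is present and is exactly "2".
# "2,1" still offers SSHv1, and an absent directive falls back to the
# daemon's compiled-in default, so neither is accepted as compliant.
def sshd_protocol_compliant?(config_text)
  cmp(parse_sshd_config(config_text)['protocol'], '2')
end

# What the slide's two-liner really decides: grep's output is thrown away
# and $TARGET is echoed whenever any line begins with "Protocol".
def two_liner_says_compliant?(config_text)
  config_text.each_line.any? { |l| l.start_with?('Protocol') }
end

# Constructed sample configurations (not from a real host).
SAMPLES = {
  'strict'     => "Protocol 2\nPermitRootLogin no\n",
  'legacy_mix' => "# Protocol 2\nProtocol 2,1\n",
  'dup_first'  => "protocol 1\nProtocol 2\n",   # sshd uses the first line: 1
  'missing'    => "PermitRootLogin no\n",
}.freeze

# [name, real check, two-liner verdict] for each sample.
def report(samples = SAMPLES)
  samples.map do |name, text|
    [name, sshd_protocol_compliant?(text), two_liner_says_compliant?(text)]
  end
end

if $PROGRAM_NAME == __FILE__
  puts format('%-12s %-8s %s', 'sample', 'check', 'two-liner')
  report.each { |n, ok, tl| puts format('%-12s %-8s %s', n, ok, tl) }
end
```

Only the first sample is compliant under the real check; the two-liner reports the first three as compliant because it only tests whether a Protocol line exists. The same parse-then-compare shape is what the grub_conf SELinux control earlier in the deck relies on.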
SCRIPTING TOOLS
COMPLIANCE LANGUAGE
COMPLIANCE LANGUAGE
ONE LANGUAGE
InSpec
InSpec for Windows
control 'windows-base-201' do
  impact 1.0
  title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
  desc '@link: http://support.microsoft.com/en-us/kb/823659'
  describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
    it { should exist }
    # 4 = send NTLMv2 responses only, refuse LM; 5 additionally refuses NTLM
    its('LmCompatibilityLevel') { should eq 4 }
  end
end
Mapping Compliance Document to InSpec
control 'ssh-6.2.1' do
  title 'Set SSH Protocol to 2'
  desc "
    SSH supports two different ...
  "
end
Mapping Compliance Document to InSpec
control 'ssh-6.2.1' do
  title 'Set SSH Protocol to 2'
  desc "
    SSH supports two different ...
  "
  describe sshd_config do
    its('Protocol') { should cmp('2') }
  end
end
Mapping Compliance Document to InSpec
control 'ssh-6.2.1' do
  impact 1.0
  title 'Set SSH Protocol to 2'
  desc "
    SSH supports two different ...
  "
  describe sshd_config do
    its('Protocol') { should cmp('2') }
  end
end
CONTINUOUS COMPLIANCE AUTOMATION
InSpec - Part of your InfoSec toolchain
FIREWALL ANTIVIRUS
INTRUSION DETECTION/PREVENTION
PENETRATIONTESTING
What InSpec is not
• Intrusion Detection System• Intrusion Prevention System• Firewall• Antivirus• Penetration Testing Tool
InSpec
● Baremetal● VMs● Containers
ONE LANGUAGE, AGENTLESS
Test your machine locally
> inspec exec test.rb
Test a machine remotely via SSH
> inspec exec test.rb -i identity.key -t ssh://[email protected]
Test a machine remotely via WinRM
> inspec exec test.rb -t winrm://[email protected] --password super
Test Docker Container
> inspec exec test.rb -t docker://5cc8837bb6a8
InSpec
Database Testing
# accounts whose host is '%' may connect from anywhere; the query must return no rows
# (the slide omits the credentials; mysql_session takes user, password, host, port)
describe mysql_session.query("SELECT user,host FROM mysql.user WHERE host = '%'") do
  its('stdout') { should be_empty }
end
Cloud Provider Testing
security_groups.each do |security_group|
  describe security_group do
    it { should_not have_inbound_rule().with_source('0.0.0.0/0') }
  end
end
ONE LANGUAGE
● Databases ● API endpoints (e.g. cloud) ● Baremetal ● VMs ● Containers
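The security-group check from the cloud provider slide, as an added plain-Ruby example (not the slide's code and not the InSpec AWS resource API): it evaluates a constructed list of groups offline, flags the slide's condition (any inbound rule whose source is the whole internet) and goes one step further than the slide by reporting which administrative ports those rules expose. The rule shape (`protocol`, `port_from`, `port_to`, `cidr`, with `'-1'` meaning all traffic), the port baseline and the group names are assumptions made for the example.

```ruby
require 'ipaddr'

# Added example, not from the original slides. Assumed rule shape per
# inbound rule: { protocol:, port_from:, port_to:, cidr: }, where
# protocol '-1' means "all traffic" (the convention used by AWS APIs).

# True when the source CIDR covers every address of its family
# (0.0.0.0/0 or ::/0, however spelled). Checked by membership of both
# ends of the address space so it does not depend on IPAddr internals.
def world_open?(cidr)
  ip = IPAddr.new(cidr)
  ends = if ip.ipv4?
           %w[0.0.0.0 255.255.255.255]
         else
           %w[:: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
         end
  ends.all? { |e| ip.include?(IPAddr.new(e)) }
end

# The slide's literal condition: no inbound rule sourced from the world.
def any_world_open?(group)
  group[:inbound].any? { |r| world_open?(r[:cidr]) }
end

# Assumed baseline of ports that must never be world-reachable.
ADMIN_PORTS = { 22 => 'ssh', 3389 => 'rdp', 3306 => 'mysql', 5432 => 'postgres' }.freeze

# Does this rule admit traffic to the given port?
def rule_covers_port?(rule, port)
  return true if rule[:protocol] == '-1'      # all protocols, all ports
  from = rule[:port_from] || 0
  to   = rule[:port_to]   || 65_535
  (from..to).cover?(port)
end

# Findings for one group: [group name, port, service, source cidr].
def findings_for(group)
  group[:inbound].flat_map do |rule|
    next [] unless world_open?(rule[:cidr])
    ADMIN_PORTS.select { |port, _| rule_covers_port?(rule, port) }
               .map { |port, svc| [group[:name], port, svc, rule[:cidr]] }
  end
end

# Constructed sample groups (made up; not from any account).
SAMPLE_GROUPS = [
  { name: 'web-public', inbound: [
    { protocol: 'tcp', port_from: 443, port_to: 443, cidr: '0.0.0.0/0' },
    { protocol: 'tcp', port_from: 22,  port_to: 22,  cidr: '10.0.0.0/8' }
  ] },
  { name: 'bastion-bad', inbound: [
    { protocol: 'tcp', port_from: 22,   port_to: 22,   cidr: '0.0.0.0/0' },
    { protocol: 'tcp', port_from: 3389, port_to: 3389, cidr: '::/0' }
  ] },
  { name: 'db-open', inbound: [
    { protocol: '-1', port_from: nil, port_to: nil, cidr: '0.0.0.0/0' }
  ] }
].freeze

def all_findings(groups = SAMPLE_GROUPS)
  groups.flat_map { |g| findings_for(g) }
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_GROUPS.each { |g| puts "#{g[:name]}: world-open rule? #{any_world_open?(g)}" }
  all_findings.each { |name, port, svc, cidr| puts "FAIL #{name}: #{svc}/#{port} open to #{cidr}" }
end
```

Under the slide's literal rule `web-public` fails too (443 from 0.0.0.0/0); the port-aware variant lets a public web listener through and reports only the exposed administrative ports, including the IPv6 `::/0` source that a check for the string '0.0.0.0/0' alone would miss.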
Infrastructure policies need testing
↳ Linting
↳ Static Analysis
↳ Unit Testing
↳ Integration Testing
↳ Compliance Testing
Remember…
“Infrastructure as Code” should be tested like ANY other codebase.
● Write a unit test, watch it fail
● Write some code
● Write and run more unit tests
● Run some integration/acceptance tests
● Code review
● Delivery pipeline to production
● Lowered chance of production failure
Test-Driven Development
[flowchart] Add a test → Run the tests (fail) → Make a little change → Run the tests: fail → change again; pass → development continues, or development stops when done
Chef DK - The Chef Development Kit
Definitive tooling for local development of Chef code & Infrastructure as Code development

Foodcritic: Test Your "Chef Style"
▪ Validate your Chef code against Chef best practices
▪ Extend with rules to enforce organizational Chef development best practices
▪ Enforce compliance & security practices

Cookstyle: Validate your Ruby
▪ Validate your Chef code against Ruby best practices
▪ Identify potential Ruby errors (unclosed strings, etc.)
▪ Identify style/convention that helps write better code (single quotes vs. double quotes)

ChefSpec: Simulate Chef
▪ Validate your Chef code will run
▪ Testing for more advanced Chef use cases
▪ Useful for regression testing

Test Kitchen: Let's do this (almost) for real
▪ Executes your Chef code on an instance or container
▪ Integrates with Cloud and Virtualization providers
▪ Validate your Chef code locally before sharing
▪ Speed development of Chef Cookbooks

InSpec: Verify automation results & ensure compliance
▪ Assert the intention of your Chef code
▪ Verify on live systems that your Chef code produced the correct result
▪ Confirm your Chef code did not produce compliance drift

(spectrum: FAST INEXPENSIVE TESTING ↔ DEEP INTEGRATION TESTING)
Integration Testing – Add tests
describe package 'httpd' do
it { should be_installed }
end
describe service 'httpd' do
it { should be_running }
it { should be_enabled }
end
describe port(80) do
it { should be_listening }
end
Integration Testing - Run the tests
Integration Testing – Make a change
package 'httpd' do
  action :install
end

service 'httpd' do
  action [:start, :enable]
end
Integration Testing – Apply the change
Integration Testing – Run the tests
GL: Adding a Node
2. From the resulting page, enter the node's FQDN or IP address.
3. Leave environment blank. A ‘default’ environment will be used
4. Accept the default SSH Access configuration
5. Type chef in the username field.
6. Click the password link as shown in this illustration.
Compliance Profiles Used in Scans
This image shows the default Compliance Profiles as accessed from the Scan Nodes page.
Be deliberate about which profiles you choose: each selected profile adds controls to the scan, and the results are only as relevant as the profiles match the node's role.
Notice how you can also choose to run a scan on demand or schedule a scan.
Scan Results
A Compliance Report should now display and your scan results should be similar to that shown here.
Notice how in the upper Summary section in this example, 10 tests were compliant and 6 tests show critical issues with ssh.
Compliance Profile Severity Mapping
The table below shows the current mapping of Compliance Profile impact numbering to severity (the bands follow the CVSS scale, https://nvd.nist.gov/cvss.cfm).
Impact Numbering | Severity Designation
0.7 - 1.0        | Critical Issues
0.4 - <0.7       | Major Issues
0 - <0.4         | Minor Issues
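The summary the Scan Results page shows (counts of compliant controls and of critical, major and minor failures) can be reproduced from an InSpec report with the severity bands above. The following is an added example in plain Ruby, not Chef Automate's own code: it assumes the input has the shape of the InSpec JSON reporter (profiles, each with controls that carry an impact and a list of results with a status) and rolls each control up the way InSpec does, a control failing if any of its results failed. The report below is constructed for the example, not captured from a scan.

```ruby
require 'json'

# Added example, not from the original slides.
# Assumed input shape (InSpec JSON reporter):
#   { "profiles": [ { "name": ..., "controls": [
#       { "id": ..., "impact": 0.0-1.0, "title": ...,
#         "results": [ { "status": "passed"|"failed"|"skipped" }, ... ] } ] } ] }

# Impact bands from the slide's severity table; low end inclusive.
def severity(impact)
  case impact
  when 0.7..1.0  then 'critical'
  when 0.4...0.7 then 'major'
  when 0.0...0.4 then 'minor'
  else raise ArgumentError, "impact out of range: #{impact.inspect}"
  end
end

# Roll a control's results up to one status: failed if any result failed,
# skipped if every result was skipped (or there are none), else passed.
def control_status(control)
  statuses = control.fetch('results', []).map { |r| r['status'] }
  return 'skipped' if statuses.empty? || statuses.all? { |s| s == 'skipped' }
  statuses.include?('failed') ? 'failed' : 'passed'
end

# Returns { counts: {status/severity => n}, failures: [[id, severity, title], ...] }
def summarize(report_json)
  report = JSON.parse(report_json)
  counts = Hash.new(0)
  failures = []
  report.fetch('profiles').each do |profile|
    profile.fetch('controls').each do |control|
      status = control_status(control)
      counts[status] += 1
      next unless status == 'failed'
      sev = severity(control.fetch('impact'))
      counts[sev] += 1
      failures << [control['id'], sev, control['title']]
    end
  end
  { counts: counts, failures: failures }
end

# Constructed sample report (not a real scan).
SAMPLE_REPORT = JSON.generate(
  'profiles' => [{
    'name' => 'ssh-baseline',
    'controls' => [
      { 'id' => 'ssh-6.2.1', 'impact' => 1.0, 'title' => 'Set SSH Protocol to 2',
        'results' => [{ 'status' => 'failed' }] },
      { 'id' => 'ssh-6.2.2', 'impact' => 0.5, 'title' => 'Set LogLevel to INFO',
        'results' => [{ 'status' => 'failed' }, { 'status' => 'passed' }] },
      { 'id' => 'ssh-6.2.3', 'impact' => 0.3, 'title' => 'Banner configured',
        'results' => [{ 'status' => 'passed' }] },
      { 'id' => 'ssh-6.2.9', 'impact' => 0.7, 'title' => 'Disable root login',
        'results' => [{ 'status' => 'skipped' }] }
    ]
  }]
)

def demo
  summarize(SAMPLE_REPORT)
end

if $PROGRAM_NAME == __FILE__
  result = demo
  puts "compliant: #{result[:counts]['passed']}  failed: #{result[:counts]['failed']}  skipped: #{result[:counts]['skipped']}"
  result[:failures].each { |id, sev, title| puts "#{sev.upcase.ljust(8)} #{id}  #{title}" }
end
```

Two points a practitioner should notice: a control with one failed and one passed result counts as failed, not half-compliant, and a skipped control (for example one whose `only_if` did not apply) is neither compliant nor a finding, so it should be reported separately rather than silently counted as a pass.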
SPREAD TO OTHER ENVIRONMENTS
Dev
Production
Test
My CIS L1 (InSpec overlay)
CIS Lvl1 (XML base profile)