Security and dev ops for high velocity organizations
Transcript of Security and dev ops for high velocity organizations
![Page 1: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/1.jpg)
CHEF COMPLIANCE
SECURITY AND DEVOPS FOR HIGH VELOCITY ORGANIZATIONS
![Page 2: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/2.jpg)
$> whoarewe
Christoph Hartmann
Engineering Manager at Chef
@chri_hartmann
chris-rock
Dominik Richter
Product Manager at Chef
@arlimus
arlimus
![Page 4: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/4.jpg)
WHAT IS CHEF?
![Page 5: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/5.jpg)
DEVOPS AUTOMATION FROM CONCEPTION TO PRODUCTION.
![Page 6: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/6.jpg)
WHAT IS COMPLIANCE?
![Page 7: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/7.jpg)
COMPLIANCE AS CODE.
![Page 8: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/8.jpg)
WHAT IS IT NOT?
(H)IDS / IPS
Firewall
AntiVirus
Pentesting tool
![Page 9: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/9.jpg)
COMPLIANCE AS CODE.
![Page 10: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/10.jpg)
TRADITIONAL COMPLIANCE
![Page 11: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/11.jpg)
DEV & OPS SET UP AN APP
![Page 12: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/12.jpg)
SECURITY MEETS OPERATIONS
![Page 13: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/13.jpg)
![Page 14: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/14.jpg)
![Page 15: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/15.jpg)
![Page 16: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/16.jpg)
![Page 17: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/17.jpg)
![Page 18: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/18.jpg)
DOCUMENTATION
SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues.
Please use SSHv2 instead to avoid these.
![Page 19: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/19.jpg)
SCRIPTING TOOLS
```sh
> grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
2
```
![Page 20: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/20.jpg)
COMPLIANCE LANGUAGE
```ruby
describe sshd_config do
  its('Protocol') { should cmp 2 }
end
```
![Page 21: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/21.jpg)
INSPEC
![Page 22: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/22.jpg)
COMPLIANCE LANGUAGE
```ruby
control 'ssh-1234' do
  impact 1.0
  title 'Server: Set protocol version to SSHv2'
  desc "
    Set the SSH protocol version to 2. Don't use legacy
    insecure SSHv1 connections anymore...
  "
  describe sshd_config do
    its('Protocol') { should eq('2') }
  end
end
```
![Page 23: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/23.jpg)
ONE LANGUAGE
Linux, Windows, BSD, Solaris, AIX, ...
![Page 24: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/24.jpg)
WINDOWS
```ruby
control 'windows-base-201' do
  impact 1.0
  title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
  desc '
    @link: http://support.microsoft.com/en-us/kb/823659
  '
  describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
    it { should exist }
    its('LmCompatibilityLevel') { should eq 4 }
  end
end
```
![Page 25: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/25.jpg)
ONE LANGUAGE
Linux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
![Page 26: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/26.jpg)
TINY HOWTO
```sh
$ inspec exec test.rb
.

Finished in 0.00228 seconds (files took 1.95 seconds to load)
1 example, 0 failures
```
![Page 27: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/27.jpg)
TINY HOWTO
```sh
inspec exec test.rb
inspec exec /path/to/profile
inspec exec github.com/chef/some-profile.git
```
![Page 28: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/28.jpg)
TEST YOUR LOCAL NODE
```sh
inspec exec test.rb
```
![Page 29: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/29.jpg)
TEST REMOTE VIA SSH
```sh
inspec exec test.rb -i vagrant.key -t ssh://[email protected]:11022
```
no Ruby / agent on the node
![Page 30: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/30.jpg)
TEST REMOTE VIA WINRM
```sh
inspec exec test.rb -t winrm://[email protected] --password super
```
no Ruby / agent on the node
![Page 31: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/31.jpg)
TEST DOCKER CONTAINER
```sh
inspec exec test.rb -t docker://3cc8837bb6a8
```
no SSH / agent on the container
![Page 32: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/32.jpg)
ANATOMY OF A CONTAINER TEST
```ruby
describe package('wget') do
  it { should be_installed }
end

describe file('/fetch-all.sh') do
  it { should be_file }
  its('owner') { should eq 'root' }
  its('mode') { should eq 0640 }
end
```
![Page 33: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/33.jpg)
ANATOMY OF A CONTAINER TEST
```sh
$ inspec exec dtest.rb -t docker://f02e x1
....

Finished in 0.1537 seconds (files took 1.77 seconds to load)
4 examples, 0 failures
```
![Page 34: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/34.jpg)
ONE LANGUAGE
Linux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, DBs, Endpoints, APIs (AWS, ...)
![Page 35: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/35.jpg)
DB TESTING
```ruby
# '<password>' is a placeholder: pass the credentials of the account the check should run as.
describe mysql_session('root', '<password>').query("SELECT user, host FROM mysql.user WHERE host = '%'") do
  its(:stdout) { should be_empty }
end
```
![Page 36: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/36.jpg)
AWS TESTING
```ruby
Vpc.new(id: 'vpc_id').security_groups.each do |security_group|
  describe security_group do
    it { should_not have_ingress_rule().with_source('0.0.0.0/0') }
  end
end
```
![Page 37: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/37.jpg)
CIS AND SCAP
![Page 38: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/38.jpg)
GREAT SECURITY BENCHMARKS
![Page 39: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/39.jpg)
GREAT COVERAGE
Red Hat Enterprise Linux, Ubuntu, SUSE, Oracle Linux, ...
Microsoft Windows 7, 8, Server 2008, 2012
IBM AIX, HP-UX, VMware ESXi
Oracle MySQL, Apache Tomcat, MS SQL Server, MS IIS
![Page 40: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/40.jpg)
WRITTEN IN XML
```xml
<definition class="compliance" id="oval:org.cisecurity.benchmarks.o_centos_centos:def:1190" version="1">
  <metadata>
    <title>Set SSH Protocol to 2</title>
    <affected family="unix">
      <product>CentOS Linux 6</product>
    </affected>
    <reference ref_id="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2" ref_url="http://benchmarks.cisecurity.org"/>
    <description>Set SSH Protocol to 2</description>
  </metadata>
  <criteria operator="AND">
    <criterion negate="false" test_ref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10191"/>
  </criteria>
</definition>

<ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure 'Protocol' sshd config parameter equals 2 (string)" id="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10191">
  <ind:object object_ref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10193"/>
  <ind:state state_ref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10084"/>
</ind:textfilecontent54_test>

<ind:textfilecontent54_object comment="Ensure 'Protocol' sshd config parameter equals 2 (string)" id="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10193">
  <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
  <ind:pattern operation="pattern match">^\s*Protocol\s+(\S+)\s*(?:#.*)?$</ind:pattern>
  <ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state comment="Ensure 'Protocol' sshd config parameter equals 2 (string)" id="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10084">
  <ind:subexpression datatype="string" operation="equals" var_ref="oval:org.cisecurity.benchmarks.o_centos_centos:var:1190"/>
</ind:textfilecontent54_state>
```
Source and Copyright: Center for Internet Security
![Page 41: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/41.jpg)
CONVERTED TO INSPEC
```ruby
control "xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2" do
  title "Set SSH Protocol to 2"
  desc "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
  impact 1.0

  # The OVAL object: at least one Protocol directive must exist in the file.
  describe file("/etc/ssh/sshd_config") do
    its(:content) { should match /^\s*Protocol\s+(\S+)\s*(?:#.*)?$/ }
  end

  # The OVAL state: every captured Protocol value must equal the string "2".
  file("/etc/ssh/sshd_config").content.to_s.scan(/^\s*Protocol\s+(\S+)\s*(?:#.*)?$/).flatten.each do |entry|
    describe entry do
      it { should eq "2" }
    end
  end
end
```
![Page 42: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/42.jpg)
NATIVE INSPEC
```ruby
control "xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2" do
  title "Set SSH Protocol to 2"
  desc "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
  impact 1.0
  describe sshd_config do
    its('Protocol') { should cmp 2 }
  end
end
```
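As an added example (not code from the slides or from the InSpec project), the CIS pattern quoted above is applied in plain Ruby to constructed sshd_config samples, so the cases the converted control has to decide on (commented-out directive, trailing comment, `2,1` fallback, duplicate directives) can be exercised without a target host.

```ruby
# Added example: stand-alone re-implementation of the CIS 6.2.1 check that the
# converted InSpec control performs. The regex is the one the CIS OVAL object uses.
PROTOCOL_PATTERN = /^\s*Protocol\s+(\S+)\s*(?:#.*)?$/

# Every effective Protocol value in the config, in file order. Lines such as
# "#Protocol 1" are skipped because only whitespace may precede the keyword;
# a trailing "# ..." comment after the value is tolerated.
def protocol_entries(content)
  content.to_s.scan(PROTOCOL_PATTERN).flatten
end

# Verdict of the control: the OVAL test demands at least one Protocol directive
# (check_existence="at_least_one_exists") and requires every captured value to
# equal the string "2" (check="all"). "Protocol 2,1" therefore fails, since it
# still permits SSHv1 and "2,1" is not "2".
def ssh_protocol_compliant?(content)
  entries = protocol_entries(content)
  !entries.empty? && entries.all? { |entry| entry == "2" }
end

# One-line result per sample, loosely in the spirit of inspec exec output.
def report(name, content)
  status = ssh_protocol_compliant?(content) ? "pass" : "fail"
  "#{name}: #{status} (Protocol entries: #{protocol_entries(content).inspect})"
end

# Constructed sample configs (not taken from any real host).
SAMPLES = {
  "hardened"         => "Port 22\nProtocol 2\nPermitRootLogin no\n",
  "trailing_comment" => "Protocol 2 # required by CIS 6.2.1\n",
  "commented_only"   => "#Protocol 2\nPort 22\n",   # directive absent -> fail
  "legacy_fallback"  => "Protocol 2,1\n",           # SSHv1 still enabled -> fail
  "duplicate"        => "Protocol 2\nProtocol 1\n", # one bad directive -> fail
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, content| puts report(name, content) }
end
```

Note that sshd itself matches keywords case-insensitively while this pattern does not, so a lowercase `protocol 2` line is reported as "directive absent" rather than recognised; the check errs toward failing, but the `sshd_config` resource on the following slide avoids the regex entirely.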
![Page 43: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/43.jpg)
![Page 44: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/44.jpg)
PROFILE FOUNDATION
![Page 45: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/45.jpg)
MAKE ADJUSTMENTS
![Page 46: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/46.jpg)
NATIVE INSPEC
```ruby
# The released InSpec profile DSL spells this keyword include_controls.
include_controls "cis/cis-centos6-lvl1" do
  skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_on_etcgrub.conf"
  skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_etcgrub.conf"

  control "xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server" do
    impact 1.0
  end
end

control "my-own-1" ...
```
![Page 47: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/47.jpg)
SPREAD TO OTHER ENVIRONMENTS
![Page 48: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/48.jpg)
COMPLIANCE AS CODE.
![Page 49: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/49.jpg)
COMPETITIVE ADVANTAGE
BOOK: THE HIGH VELOCITY EDGE - STEVEN J. SPEARS
![Page 50: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/50.jpg)
SAFETY AT VELOCITY
Risk reduction when constantly changing your systems
As part of the workflow. Not after, not later.
Test for quality, Test for compliance
![Page 51: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/51.jpg)
TRADITIONAL WORKFLOW
![Page 52: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/52.jpg)
CREATE NEW ARTIFACTS
![Page 53: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/53.jpg)
TO REACH PRODUCTION
![Page 54: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/54.jpg)
![Page 55: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/55.jpg)
DEVOPS WORKFLOW
![Page 56: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/56.jpg)
![Page 57: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/57.jpg)
CREATE AND TEST EARLY ON
![Page 58: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/58.jpg)
![Page 59: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/59.jpg)
![Page 60: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/60.jpg)
TEST CONTINUOUSLY
![Page 61: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/61.jpg)
![Page 62: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/62.jpg)
DEPLOY, OPERATE, VERIFY
![Page 63: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/63.jpg)
![Page 64: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/64.jpg)
ONE WORKFLOW CYCLE
![Page 65: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/65.jpg)
FULL WORKFLOW
![Page 66: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/66.jpg)
FIXING THE COMPLIANCE CYCLE
![Page 67: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/67.jpg)
COMPLIANCE AS CODE.
![Page 68: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/68.jpg)
JOIN INSPEC
GITHUB.COM/CHEF/INSPEC
GITTER.IM/CHEF/INSPEC
![Page 69: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/69.jpg)
INSPEC 1.0
Dependencies
Attributes
![Page 70: Security and dev ops for high velocity organizations](https://reader030.fdocuments.us/reader030/viewer/2022032711/58f045f51a28ab953f8b46b9/html5/thumbnails/70.jpg)
THANK YOU
@chri_hartmann
chris-rock
@arlimus
arlimus