Save your crash dummies!


A Test-driven Infrastructure

$> whoami

Christoph Hartmann

Engineering Lead at Chef

Acme Retail Inc. designs and markets apparel and accessories, and home furnishings. Its collections are available at more than 10,000 retail locations worldwide. It aims to become a leading online fashion store.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
Development Staging Production
Chef Chef Chef
Test Kitchen CI/CD Chef Server
Serverspec ChefSpec
Rubocop
Security Tool

Checklist

  • 🗹verify CIS benchmark
  • 🗹apply CIS hardening
  • 🗹verify TLS 1.2 ports
  • 🗹migrate nginx to TLS 1.2

Chef Compliance ships with profiles for:

  • Amazon Linux 2014.09 / 2015.03
  • CentOS 6 / 7
  • HP UX 11i
  • IBM AIX 5.3 / 6.1 / 7.1
  • RHEL 6 / 7
  • SLES 11 / 12
  • Ubuntu Server 12.04 / 14.04
  • Windows 2012 R2 (coming soon)

CIS audit with Chef Compliance

Verify CIS compliance

CIS audit with InSpec

InSpec HowTo


$ inspec
Commands:
  inspec archive PATH                # archive a profile to tar.gz (default) or zip
  inspec check PATH                  # verify all tests at the specified PATH
  inspec compliance SUBCOMMAND ...   # Chef Compliance commands
  inspec detect                      # detect the target OS
  inspec exec PATHS                  # run all test files at the specified PATH.
  inspec help [COMMAND]              # Describe available commands or one specific c...
  inspec init TEMPLATE ...           # Scaffolds a new project
  inspec json PATH                   # read all tests in PATH and generate a JSON su...
  inspec shell                       # open an interactive debugging shell
  inspec supermarket SUBCOMMAND ...  # Supermarket commands
  inspec version                     # prints the version of this tool

Options:
  [--diagnose], [--no-diagnose]  # Show diagnostics (versions, configurations)

Test your local node

describe sshd_config do
  its('Protocol') { should cmp 2 }
end

inspec exec test.rb


Compliance language

control 'ssh-1234' do
  impact 1.0
  title 'Server: Set protocol version to SSHv2'
  desc "
    Set the SSH protocol version to 2. Don't use legacy
    insecure SSHv1 connections anymore...
  "

  describe sshd_config do
    its('Protocol') { should cmp 2 }
  end
end
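What the control above actually evaluates, as an added example that is not part of the slides or of InSpec itself: a minimal stand-in for the sshd_config resource (comment stripping, case-insensitive keywords, first occurrence wins as in sshd) and a loose comparison in the spirit of the cmp matcher. SshdConfig, cmp, protocol_is_v2? and the SAMPLE config are assumed names and constructed input.

```ruby
# Added example, not the slides' code: a minimal stand-in for InSpec's
# sshd_config resource and its cmp matcher, showing what
#   its('Protocol') { should cmp 2 }   evaluates. Names are hypothetical.
class SshdConfig
  # Comments and blank lines are skipped, keywords are case-insensitive,
  # and, as in sshd itself, the first occurrence of a keyword wins.
  def initialize(content)
    @params = {}
    content.each_line do |line|
      line = line.sub(/#.*/, '').strip
      next if line.empty?
      key, value = line.split(/\s+/, 2)
      next if value.nil?
      @params[key.downcase] ||= value
    end
  end

  # its('Protocol') on the real resource; a plain lookup here.
  def [](key)
    @params[key.downcase]
  end
end

# Loose comparison in the spirit of InSpec's cmp: a numeric expectation
# is compared numerically, anything else as trimmed strings.
def cmp(actual, expected)
  return false if actual.nil?
  if expected.is_a?(Numeric)
    s = actual.to_s.strip
    s.match?(/\A-?\d+(\.\d+)?\z/) && s.to_f == expected.to_f
  else
    actual.to_s.strip == expected.to_s.strip
  end
end

# Constructed sample config, not captured from any real host.
SAMPLE = <<~CONF
  # /etc/ssh/sshd_config
  Port 22
  protocol 2          # keyword case does not matter
  PermitRootLogin no
  Protocol 1,2        # ignored: first occurrence wins
CONF

# The check behind the control: does Protocol compare equal to 2?
def protocol_is_v2?(content = SAMPLE)
  cmp(SshdConfig.new(content)['Protocol'], 2)
end
```

A config that still lists "1,2" fails the check, which is the point of the control: only a pure SSHv2 setting passes.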

Test remote via SSH


inspec exec test.rb -i vagrant.key -t ssh://root@172.17.0.1:11022

no Ruby / agent on the node

Test remote via WinRM


inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super

no Ruby / agent on the node

Test Docker Container


inspec exec test.rb -t docker://3cc8837bb6a8

no SSH / agent on the container

Verify CIS compliance

Checklist

  • verify CIS benchmark
  • 🗹apply CIS hardening
  • 🗹verify TLS 1.2 ports
  • 🗹migrate nginx to TLS 1.2

CIS server hardening


Vagrant.configure("2") do |config|
  config.vm.box = "centos/7"
  config.vm.network 'private_network', ip: '192.168.34.101'

  config.berkshelf.enabled = true
  config.vm.provision "chef_solo" do |chef|
    chef.add_recipe("cis-el7-l1-hardening")
  end
end
chef-cookbooks/cis-el7-l1-hardening
USGS-CIDA/stig

CIS-hardening with Chef

CIS-hardening with verification

Test-Kitchen + Chef + InSpec


---
driver:
  name: vagrant
provisioner:
  name: chef_solo
platforms:
  - name: centos/7
verifier:
  name: inspec
  sudo: true
suites:
  - name: default
    run_list:
      - recipe[cis-el7-l1-hardening::default]
    attributes:
    verifier:
      inspec_tests:
        - compliance://cis/cis-centos7-level1

Test-Kitchen + Chef + InSpec

Checklist

  • verify CIS benchmark
  • apply CIS hardening
  • 🗹verify TLS 1.2 ports
  • 🗹migrate nginx to TLS 1.2

Custom Resources


control 'tls1.2' do
  title 'Run TLS 1.2 whenever SSL is active on a port'
  impact 0.5
  # iterate over every listening TCP socket and expect a TLS 1.2 handshake
  port.protocols(/tcp/).entries.each do |socket|
    describe ssl(port: socket.port).protocols('tls1.2') do
      it { should be_enabled }
    end
  end
end

control 'ssl2' do
  title 'Disable SSL2 from all exposed SSL ports.'
  impact 1.0
  # same iteration, but SSLv2 must be refused on every port
  port.protocols(/tcp/).entries.each do |socket|
    describe ssl(port: socket.port).protocols('ssl2') do
      it { should_not be_enabled }
    end
  end
end

Custom Resources


require 'sslshake'

class SSL < Inspec.resource(1)
  name 'ssl'

  desc "
    SSL test resource
  "

  def initialize(opts = {})
    @host = opts[:host]
    @port = opts[:port]
    # ...
  end

  # attempt a handshake against host:port with the sslshake gem and
  # report whether it succeeded
  def enabled?
    res = SSLShake.hello(@host, protocol: 'tcp', port: @port)
    res['success']
  end
end
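The handshake probe behind the two controls and the resource's enabled?, as an added example that is neither the slides' resource nor InSpec's own: a loopback TLS server pinned to a version range and a client that asks whether exactly one protocol version completes a handshake, using Ruby's OpenSSL binding instead of the sslshake gem. make_cert, start_server and protocol_enabled? are assumed names.

```ruby
require 'openssl'
require 'socket'
# Added example, not the slides' code: loopback server plus the per-version
# probe behind ssl(port: ...).protocols('tls1.2').enabled?. Names hypothetical.

# Self-signed certificate for the test server (constructed here).
def make_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Listen on 127.0.0.1 (random port), accept only the given TLS version
# range, and return the port. Failed handshakes are swallowed.
def start_server(min_version: OpenSSL::SSL::TLS1_2_VERSION,
                 max_version: OpenSSL::SSL::TLS1_2_VERSION)
  cert, key = make_cert
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.add_certificate(cert, key)
  ctx.min_version = min_version
  ctx.max_version = max_version
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new { loop { (server.accept.close rescue nil) } }
  tcp.addr[1]
end

# Does the port complete a handshake pinned to exactly `version`?
# A refused or unsupported version yields false instead of an exception.
def protocol_enabled?(port, version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = ctx.max_version = version
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # self-signed test cert
  sock = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.connect
  true
rescue OpenSSL::SSL::SSLError
  false
ensure
  [ssl, sock].each { |io| io&.close }
end
```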

InSpec Profiles


$ inspec init profile my-newprofile
Create new profile at /Users/chris/my-newprofile
 * Create directory controls
 * Create file controls/example.rb
 * Create file inspec.yml
 * Create directory libraries
 * Create file README.md
 * Create file libraries/.gitkeep

$ inspec exec my-newprofile

Profile: InSpec Profile (my-newprofile)
Version: 0.1.0
Target:  local://

  ✔  File /tmp should be directory
  ✔  tmp-1.0: Create /tmp directory

Summary: 2 successful, 0 failures, 0 skipped
Annie Hedgpeth: InSpec Tutorial: Day 5 - Creating a Profile
dev-sec.io

TLS 1.2 Nginx verification + correction

Verify TLS/SSL Configuration

Vagrant + Chef + InSpec

Continuous TLS/SSL Compliance

Test-Kitchen + Chef + InSpec

Continuous TLS/SSL Compliance

Chef Compliance

Checklist

  • verify CIS benchmark
  • apply CIS hardening
  • verify TLS 1.2 ports
  • migrate nginx to TLS 1.2

Development     Staging       Production
Chef            Chef          Chef
Test Kitchen    CI/CD         Chef Server
InSpec          InSpec        InSpec

Compliance as Code.

Same stack and workflow

One workflow cycle

Compliance Workflow
continuous

Thank you

Resources: