Date post: | 11-Apr-2017 |
Category: |
Technology |
Upload: | matt-ray |
View: | 113 times |
Download: | 2 times |
Compliance as CodeDevOps Melbourne
March 28, 2017
Chef Workflow
SSH Control
"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
How will I verify this?
Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
Apache Server Information Leakage
• Description
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions.
• How to Test
In order to test for ServerToken configuration, one should check the Apache configuration file.
• Misconfiguration
ServerTokens Full
• Remediation
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.
ServerTokens ProdorServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache
More grep and sed!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
Compliance
Two-thirds of organizations did not adequately test the security of all in-scope systems
Key Trends
• While individual rule compliance is up, testing of security systems is down
• Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
Infrastructure Code
package 'httpd' doaction :install
end
service 'httpd' doaction [ :start, :enable ]
end
We Have A Communications Problem
Security != Compliance
Secure
Compliant
Compliance Language
One LanguageLinux
One LanguageLinux, Windows
Windows
One LanguageLinux, Windows, BSD, Solaris, AIX, ...
Examples of Available Resourcesapache_conf
apt
audit_policy
auditd_conf
auditd_rules
bond
bridge
Command
crontab
directory
etc_group
file
gem
group
host
inetd_conf
interface
iptables
kernel_module
kernel_parameter
limits_conf
login_defs
mount
mysql_conf
mysql_session
npm
ntp_conf
oneget
os
os_env
package
parse_config
parse_config_file
passwd
pip
port
postgres_conf
postgres_session
powershell
processes
registry_key
security_policy
service
ssh_config
sshd_config
user
windows_feature
yum
What is it not?
• IDS / IPS• Firewall• Antivirus• Pentesting tool
One LanguageLinux, Windows, BSD, Solaris, AIX, ...
Bare-metal
One LanguageLinux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs
One LanguageLinux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
One LanguageLinux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes
One LanguageLinux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, GRUB, DBs
DB Testing
One LanguageLinux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, GRUB, DBs, Endpoints, APIs, ...
Cloud Testing
InSpec
> inspec exec test.rb
Test a machine remotely via SSH
> inspec exec test.rb -i identity.key -t ssh://[email protected]
Test your machine locally
> inspec exec test.rb -t winrm://[email protected] --password super
Test Docker Container
> inspec exec test.rb -t docker://5cc8837bb6a8
Test a machine remotely via WinRM AG
EN
TL
ESS
Operating System & Application Coverage
• Microsoft Windows• Microsoft Windows Server• Red Hat Enterprise Linux• Ubuntu Linux• SUSE Linux Enterprise Server• Oracle Enterprise Linux• AIX• HP-UX• Solaris
• VMware ESXi• MySQL• Oracle • PostgreSQL• Tomcat• SQL Server• IIS• HTTP request
Scan for Compliance
Build & Test Locally
Build & Test CI/CD Remediate Verify
New Workflow
Detect Correct
Continuous Workflow
CONTINUOUS COMPLIANCE AUTOMATION
InSpec - Part of your InfoSec toolchain
FIREWALL ANTIVIRUS
INTRUSION DETECTION/PREVENTION
PENETRATIONTESTING
Open Source Community
•InSpec•https://inspec.io•Chef Audit cookbook•https://github.com/chef-cookbooks/audit•Kitchen-InSpec•https://github.com/chef/kitchen-inspec•Supermarket.chef.io
The Chef Automate PlatformContinuous Automation for High Velocity IT
Workflow • Local development • Integration • Tooling (APIs & SDKs)
COLLABORATE
▪ Package▪ Test▪ Approve
BUILD▪ Provision▪ Configure▪ Execute▪ Update
DEPLOY▪ Secure▪ Comply▪ Audit▪ Measure▪ Log
MANAGE
Infrastructure Automation Compliance AutomationApplication Automation
OSS AUTOMATION ENGINES
Increase Speed
▪ Package infrastructure and app configuration as code
▪ Continuously automate infrastructure and app updates
Improve Efficiency
▪ Define and execute standard workflows and automation
▪ Audit and measure effectiveness of automation
Decrease Risk
▪ Define compliance rules as code
▪ Deliver continuous compliance as part of standard workflow