Security and dev ops for high velocity organizations
•
2 likes•1,087 views
Presented by Christoph Hartmann and Dominik Richter April 2016
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Security and dev ops for high velocity organizations
Similar to Security and dev ops for high velocity organizations (20)
More from Chef
More from Chef (20)
Recently uploaded
Recently uploaded (20)
Security and dev ops for high velocity organizations
- 1. CHEF COMPLIANCE SECURITY AND DEVOPS FOR HIGH VELOCITY ORGANIZATIONS
- 2. $> whoarewe Christoph Hartmann Engineering Manager at Chef @chri_hartmann chris-rock chartmann@chef.io Dominik Richter Product Manager at Chef @arlimus arlimus
- 3. drichter@chef.io THE PROMISE OF THE CODED BUSINESS
- 5. DEVOPS AUTOMATION FROM CONCEPTION TO PRODUCTION.
- 8. WHAT IS IT NOT? (H)IDS / IPS Firewall AntiVirus Pentesting tool
- 11. DEV & OPS SET UP AN APP
- 18. DOCUMENTATION SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these.
- 19. SCRIPTING TOOLS > grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //' 2
- 20. COMPLIANCE LANGUAGE describe sshd_config do its('Protocol') { should cmp 2 } end
- 21. INSPEC
- 22. COMPLIANCE LANGUAGE control 'ssh-1234' do impact 1.0 title 'Server: Set protocol version to SSHv2' desc " Set the SSH protocol version to 2. Don't use legacy insecure SSHv1 connections anymore... " describe sshd_config do its('Protocol') { should eq('2') } end end
- 23. ONE LANGUAGE Linux, Windows, BSD, Solaris, AIX, ...
- 24. WINDOWS control 'windows-base-201' do impact 1.0 title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled' desc ' @link: http://support.microsoft.com/en-us/kb/823659 ' describe registry_key('HKLMSystemCurrentControlSetControlLsa') do it { should exist } its('LmCompatibilityLevel') { should eq 4 } end end
- 25. ONE LANGUAGE Linux, Windows, BSD, Solaris, AIX, ... Bare-metal, VMs, Containers
- 26. inspec exec test.rb . Finished in 0.00228 seconds (files took 1.95 seconds to load) 1 example, 0 failures TINY HOWTO
- 27. inspec exec test.rb inspec exec /path/to/profile inspec exec github.com/chef/some-profile.git TINY HOWTO
- 28. TEST YOUR LOCAL NODE inspec exec test.rb
- 29. TEST REMOTE VIA SSH inspec exec test.rb -i vagrant.key -t ssh://root@172.17.0.1:11022 no Ruby / agent on the node
- 30. TEST REMOTE VIA WINRM inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super no Ruby / agent on the node
- 31. TEST DOCKER CONTAINER inspec exec test.rb -t docker://3cc8837bb6a8 no SSH / agent on the container
- 32. ANATOMY OF A CONTAINER TEST describe package('wget') do it { should be_installed } end describe file('/fetch-all.sh') do it { should be_file } its('owner') { should eq 'root' } its('mode') { should eq 0640 } end
- 33. ANATOMY OF A CONTAINER TEST inspec exec dtest.rb -t docker://f02e .... Finished in 0.1537 seconds (files took 1.77 seconds to load) 4 examples, 0 failures
- 34. ONE LANGUAGE Linux, Windows, BSD, Solaris, AIX, ... Bare-metal, VMs, Containers Nodes, DBs, Endpoints, APIs (AWS, ...)
- 35. DB TESTING describe mysql_session.query("SELECT user, host FROM mysql.user WHERE host = '%' its(:stdout) { should be empty } end
- 36. AWS TESTING Vpc.new(id: 'vpc_id').security_groups.each do |security_group| describe security_group do it { should_not have_ingress_rule().with_source('0.0.0.0/0') } end end
- 37. CIS AND SCAP
- 39. GREAT COVERAGE Red Hat Enterprise Linux, Ubuntu, SUSE, Oracle Linux, ... Microsoft Windows 7, 8, Server 2008, 2012 IBM AIX, HP-UX, VMware ESXi Oracle MySQL, Apache Tomcat, MS SQL Server, MS IIS
- 40. WRITTEN IN XML <definition class="compliance" id="oval:org.cisecurity.benchmarks.o_centos_centos:def:1190" version="1"> <metadata> <title>Set SSH Protocol to 2</title> <affected family="unix"> <product>CentOS Linux 6</product> </affected> <reference ref_id="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2" ref_url="http://benchmarks.cisecur <description>Set SSH Protocol to 2</description> </reference></metadata> <criteria operator="AND"> <criterion negate="false" test_ref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10191"> </criterion></criteria> </definition> <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure 'Protocol' sshd config parame <ind:object object_ref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10193"> <ind:state state_ref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10084"> </ind:state></ind:object></ind:textfilecontent54_test> <ind:textfilecontent54_object comment="Ensure 'Protocol' sshd config parameter equals 2 (string)" id="oval:org.cisecurity.b <ind:filepath>/etc/ssh/sshd_config</ind:filepath> <ind:pattern operation="pattern match">^s*Protocols+(S+)s*(?:#.*)?$</ind:pattern> <ind:instance datatype="int" operation="equals">1</ind:instance> </ind:textfilecontent54_object> <ind:textfilecontent54_state comment="Ensure 'Protocol' sshd config parameter equals 2 (string)" id="oval:org.cisecurity.be <ind:subexpression datatype="string" operation="equals" var_ref="oval:org.cisecurity.benchmarks.o_centos_centos:var:1190" </ind:subexpression></ind:textfilecontent54_state> Source and Copyright: Center for Internet Security
- 41. CONVERTED TO INSPEC control "xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2" title "Set SSH Protocol to 2" desc "SSH supports two different and incompatible protocols: SSH1 and SSH2. S impact 1.0 describe file("/etc/ssh/sshd_config") do its(:content) { should match /^s*Protocols+(S+)s*(?:#.*)?$/ } end file("/etc/ssh/sshd_config").content.to_s.scan(/^s*Protocols+(S+)s*(?:#.*) describe entry do it { should eq "2" } end end end
- 42. NATIVE INSPEC control "xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2" title "Set SSH Protocol to 2" desc "SSH supports two different and incompatible protocols: SSH1 and SSH2. S impact 1.0 describe sshd_config do its('Protocol') { should cmp 2 } end end
- 45. MAKE ADJUSTMENTS
- 46. NATIVE INSPEC include_control "cis/cis-centos6-lvl1" do skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_o skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_et control "xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server" do impact 1.0 end end control "my-own-1" ...
- 47. SPREAD TO OTHER ENVIRONMENTS
- 49. COMPETITIVE ADVANTAGE BOOK: THE HIGH VELOCITY EDGE - STEVEN J. SPEARS
- 50. SAFETY AT VELOCITY Risk reduction when constantly changing your systems As part of the work ow. Not after, not later. Test for quality, Test for compliance
- 55. DEVOPS WORKFLOW
- 57. CREATE AND TEST EARLY ON
- 65. FULL WORKFLOW
- 66. FIXING THE COMPLIANCE CYCLE
- 70. THANK YOU @chri_hartmann chris-rock chartmann@chef.io @arlimus arlimus drichter@chef.io