2. $> whoarewe
Christoph Hartmann
Engineering Manager at Chef
@chri_hartmann
chris-rock
chartmann@chef.io
Dominik Richter
Product Manager at Chef
@arlimus
arlimus
18. DOCUMENTATION
SSH supports two different protocol versions. The original
version, SSHv1, was subject to a number of security issues.
Please use SSHv2 instead to avoid these.
22. COMPLIANCE LANGUAGE
control 'ssh-1234' do
  impact 1.0
  title 'Server: Set protocol version to SSHv2'
  desc "
    Set the SSH protocol version to 2. Don't use legacy
    insecure SSHv1 connections anymore...
  "
  describe sshd_config do
    its('Protocol') { should eq('2') }
  end
end
24. WINDOWS
control 'windows-base-201' do
  impact 1.0
  title 'Strong Windows NTLMv2 Authentication Enabled; Weak LM Disabled'
  desc '
    @link: http://support.microsoft.com/en-us/kb/823659
  '
  # Registry path with its backslashes restored (they were lost in the slide export)
  describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do
    it { should exist }
    its('LmCompatibilityLevel') { should eq 4 }
  end
end
32. ANATOMY OF A CONTAINER TEST
describe package('wget') do
  it { should be_installed }
end
describe file('/fetch-all.sh') do
  it { should be_file }
  its('owner') { should eq 'root' }
  its('mode') { should eq 0640 }
end
33. ANATOMY OF A CONTAINER TEST
inspec exec dtest.rb -t docker://f02e
....
Finished in 0.1537 seconds (files took 1.77 seconds to load)
4 examples, 0 failures
34. ONE LANGUAGE
Linux, Windows, BSD, Solaris, AIX, ...
Bare-metal, VMs, Containers
Nodes, DBs, Endpoints, APIs (AWS, ...)
39. GREAT COVERAGE
Red Hat Enterprise Linux, Ubuntu, SUSE, Oracle Linux, ...
Microsoft Windows 7, 8, Server 2008, 2012
IBM AIX, HP-UX, VMware ESXi
Oracle MySQL, Apache Tomcat, MS SQL Server, MS IIS
40. WRITTEN IN XML
<definition class="compliance" id="oval:org.cisecurity.benchmarks.o_centos_centos:def:1190" version="1">
  <metadata>
    <title>Set SSH Protocol to 2</title>
    <affected family="unix">
      <product>CentOS Linux 6</product>
    </affected>
    <reference ref_id="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2" ref_url="http://benchmarks.cisecur
    <description>Set SSH Protocol to 2</description>
  </reference></metadata>
  <criteria operator="AND">
    <criterion negate="false" test_ref="oval:org.cisecurity.benchmarks.o_centos_centos:tst:10191">
  </criterion></criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure 'Protocol' sshd config parame
  <ind:object object_ref="oval:org.cisecurity.benchmarks.o_centos_centos:obj:10193">
  <ind:state state_ref="oval:org.cisecurity.benchmarks.o_centos_centos:ste:10084">
</ind:state></ind:object></ind:textfilecontent54_test>
<ind:textfilecontent54_object comment="Ensure 'Protocol' sshd config parameter equals 2 (string)" id="oval:org.cisecurity.b
  <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
  <ind:pattern operation="pattern match">^\s*Protocol\s+(\S+)\s*(?:#.*)?$</ind:pattern>
  <ind:instance datatype="int" operation="equals">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_state comment="Ensure 'Protocol' sshd config parameter equals 2 (string)" id="oval:org.cisecurity.be
  <ind:subexpression datatype="string" operation="equals" var_ref="oval:org.cisecurity.benchmarks.o_centos_centos:var:1190">
</ind:subexpression></ind:textfilecontent54_state>
Source and Copyright: Center for Internet Security
41. CONVERTED TO INSPEC
control "xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2" do
  title "Set SSH Protocol to 2"
  desc "SSH supports two different and incompatible protocols: SSH1 and SSH2. S" # description cut off at the slide margin
  impact 1.0
  # Same pattern as the OVAL textfilecontent54_object above; the backslashes
  # were lost in the slide export and are restored here.
  describe file("/etc/ssh/sshd_config") do
    its(:content) { should match /^\s*Protocol\s+(\S+)\s*(?:#.*)?$/ }
  end
  # Every captured Protocol value must be exactly "2". The line is cut off on
  # the slide; the .flatten.each tail is reconstructed from the describe block below.
  file("/etc/ssh/sshd_config").content.to_s.scan(/^\s*Protocol\s+(\S+)\s*(?:#.*)?$/).flatten.each do |entry|
    describe entry do
      it { should eq "2" }
    end
  end
end
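The check that the InSpec control on the COMPLIANCE LANGUAGE slide and the converted CIS control above both perform, written here as plain Ruby so it runs without InSpec or the OVAL interpreter. This is an added example, not code from the slides or from the InSpec project; the sshd_config texts are constructed for illustration. It uses the OVAL pattern above and shows the cases a plain `eq "2"` comparison is meant to catch: a commented-out directive, a value of `2,1` that still offers SSHv1, and a later duplicate directive.

```ruby
# Added example (not from the slides or InSpec): the "Protocol must be 2"
# check as plain Ruby, using the pattern from the OVAL definition.

# Optional leading whitespace, the keyword, the value, optional trailing comment.
# "^" and "$" are line anchors in Ruby, so this matches per line.
PROTOCOL_RE = /^\s*Protocol\s+(\S+)\s*(?:#.*)?$/

# Every value set by a Protocol directive anywhere in the file, in file order,
# the same list the converted control's scan(...) iterates over.
def protocol_entries(content)
  content.to_s.scan(PROTOCOL_RE).flatten
end

# sshd honours the first occurrence of a keyword and ignores later duplicates,
# so the effective value is the first match; nil means the directive is absent.
def effective_protocol(content)
  protocol_entries(content).first
end

# Mirrors `its('Protocol') { should eq('2') }`: pass only when the directive
# is present and every occurrence is exactly "2". "2,1" still enables SSHv1
# and fails; a stray later "Protocol 1" fails too, even though sshd would
# ignore it, because the file no longer states the policy unambiguously.
def sshv2_only?(content)
  entries = protocol_entries(content)
  !entries.empty? && entries.all? { |v| v == "2" }
end

# One result hash per file, handy for reporting.
def audit(content)
  {
    entries:    protocol_entries(content),
    effective:  effective_protocol(content),
    sshv2_only: sshv2_only?(content),
  }
end

# Constructed sample configurations (not real hosts).
SAMPLES = {
  "explicit v2"    => "# Protocol 1\nProtocol 2   # hardened\nPort 22\n",
  "legacy both"    => "Protocol 2,1\nPort 22\n",
  "commented only" => "#Protocol 2\nPort 22\n",
  "later override" => "Protocol 2\nProtocol 1\n",
}

if __FILE__ == $0
  SAMPLES.each do |name, content|
    r = audit(content)
    puts format("%-15s entries=%-12s effective=%-5s pass=%s",
                name, r[:entries].inspect, r[:effective].inspect, r[:sshv2_only])
  end
end
```

Only "explicit v2" passes: the commented `# Protocol 1` line is skipped because `^\s*` does not cross the `#`, while `2,1`, a missing directive, and a later `Protocol 1` all fail the check.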
46. NATIVE INSPEC
include_control "cis/cis-centos6-lvl1" do
  skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_o
  skip_control "xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_et
  control "xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server" do
    impact 1.0
  end
end
control "my-own-1" ...
50. SAFETY AT VELOCITY
Risk reduction when constantly changing your systems
As part of the workflow. Not after, not later.
Test for quality, Test for compliance