Automating AWS Compliance with InSpec

Automating Compliance with InSpec
Sydney AWS Security Meetup
August 10, 2017

Matt Ray
Manager, Solutions Architect – APJ
Chef Software
matt@chef.io
@mattray

SSH Control
"SSH supports two different protocol
versions.The original version, SSHv1, was
subject to a number of security issues.
Please use SSHv2 instead to avoid
these."

Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'

Apache Server Information Leakage
• Description
This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OSType of the
Server.
This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are
dependent upon specific software versions.
• How toTest
In order to test for ServerToken configuration, one should check the Apache configuration file.
• Misconfiguration
ServerTokens Full
• Remediation
Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly.This tells Apache to only
return "Apache" in the Server header, returned on every page request.
ServerTokens Prod
or
ServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache

More grep and sed!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

Two-thirds of organizations did
not adequately test the security
of all in-scope systems

Key Trends
• While individual rule compliance
is up, testing of security systems
is down
• Sustainability is low. Fewer than
a third of companies were found
to be still fully compliant less
than a year after successful
validation.

Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

Infrastructure Code
package 'httpd' do
action :install
end
service 'httpd' do
action [ :start, :enable ]
end

We Have A Communications Problem

One Language
Linux,Windows, BSD, Solaris,AIX, HP-UX, ...

Examples of Available Resources
apache_conf
apt
audit_policy
auditd_conf
auditd_rules
bond
bridge
command
crontab
directory
etc_group
file
gem
group
host
inetd_conf
interface
iptables
kernel_module
kernel_parameter
limits_conf
login_defs
mount
mysql_conf
mysql_session
npm
ntp_conf
oneget
os
os_env
package
parse_config
parse_config_file
passwd
pip
port
postgres_conf
postgres_session
powershell
processes
registry_key
security_policy
service
ssh_config
sshd_config
user
windows_feature
yum

What is it not?
• IDS / IPS
• Firewall
• Antivirus
• Pentesting tool

One Language
Bare-metal

One Language
Bare-metal,VMs

One Language
Bare-metal,VMs, Containers

One Language
Nodes

One Language
Nodes, Databases

One Language
Nodes, Databases,APIs

InSpec
> inspec exec test.rb
Test a machine remotely via SSH
> inspec exec test.rb -i identity.key -t ssh://root@172.17.0.1
Test your machine locally
> inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super
Test Docker Container
> inspec exec test.rb -t docker://5cc8837bb6a8
Test a machine remotely via WinRM
AGENTLESS

Operating System & Application Coverage
• Microsoft Windows
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux Enterprise Server
• Oracle Enterprise Linux
• AIX
• HP-UX
• Solaris
• VMware ESXi
• MySQL
• Oracle
• PostgreSQL
• Tomcat
• SQL Server
• IIS
• HTTP request

One Language
Nodes, Databases,APIs, Cloud Platforms, ...

Open Source Community
•https://inspec.io
•https://github.com/chef/inspec
•https://supermarket.chef.io
•https://learn.chef.io
•#inspec in https://chefcommunity.slack.com

CONTINUOUS COMPLIANCE AUTOMATION
InSpec - Part of your InfoSec toolchain
FIREWALL ANTIVIRUS
INTRUSION
DETECTION/
PREVENTION
PENETRATION
TESTING

Continuous Workflow
Detect
Correct

The Chef Automate Platform
Continuous Automation for High Velocity IT
Workflow • Local development • Integration • Tooling (APIs & SDKs)
COLLABORATE
▪ Package
▪ Test
▪ Approve
BUILD
▪ Provision
▪ Configure
▪ Execute
▪ Update
DEPLOY
▪ Secure
▪ Comply
▪ Audit
▪ Measure
▪ Log
MANAGE
Infrastructure Automation Compliance AutomationApplication Automation
OSS AUTOMATION ENGINES
Increase Speed
▪ Package infrastructure and app
configuration as code
▪ Continuously automate
infrastructure and app updates
Improve Efficiency
▪ Define and execute standard
workflows and automation
▪ Audit and measure effectiveness of
automation
Decrease Risk
▪ Define compliance rules as code
▪ Deliver continuous compliance as
part of standard workflow

AWS OpsWorks for Chef Automate
Native Amazon Service
Managed Chef Server
▪ Utilizes RDS and other native
services
▪ May be externally accessible
AWS Native
▪ Auto Scaling in your VPC
▪ Automatic backups and upgrades
OpsWorks Stacks
▪ New name for previous version of
OpsWorks
● Partnership between Amazon and Chef, jointly
developed and maintained
● Fully managed AWS service with frequent updates
● Fully compatible with open source Chef
● Amazon is your support and billing
● All Chef Automate features will be supported
○ Visibility and Workflow today
○ Compliance soon
○ Currently Northern Virginia, Oregon & Ireland
with more planned

InSpec-AWS
• https://github.com/chef/inspec-aws

Dig into the new way of learning about
Chef, Automation, and DevOps.
Self-paced training on Linux and Windows and much more!
learn.chef.io

Automating AWS Compliance with InSpec

Recommended

More Related Content

What's hot (20)

Similar to Automating AWS Compliance with InSpec (20)

More from Matt Ray (18)

Recently uploaded (20)

Automating AWS Compliance with InSpec