SlideShare a Scribd company logo

BuildStuff.LT 2018 InSpec Workshop

Download as PPTX, PDF
Mandi Walls
Mandi Walls

The document discusses using InSpec to build security into workflows by creating tests to check for compliance. InSpec allows writing tests in a human-readable format to test security configurations and ensure compliance with policies. Tests can be run locally or remotely on servers to check configurations and are integrated with DevOps workflows through profiles and controls.

1 of 65
Download to read offline
Building Security Into Your Workflow with InSpec Mandi Walls | mandi@chef.io
HI! • Mandi Walls • Technical Community Manager for Chef, EMEA • mandi@chef.io • @lnxchk
EVERY business is a software business We’re going to be a software company with airplanes. – CIO, Alaska Airlines
BuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec Workshop
Shared Goals, Different Languages
BuildStuff.LT 2018 InSpec Workshop
What Is InSpec
InSpec • Human-readable • Test security and compliance • Create, share, and reuse profiles • Extend for your applications and systems • Plug into your existing workflows / build servers • Fast feedback with Test Kitchen
Lifecycle • When you get a mandate from security, how often is it checked? • Single big scan, report mailed out with a “due date”? • Yearly or twice-yearly massive scans with remediation firedrills?
SSH Requirement • If your security team sends you a directive: SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. All systems must use SSHv2 instead to avoid these issues.
What To Do? • Locate configuration file • Locate correct setting • Schedule a fix and restart • Who fixes OS images? • Do you need to test new settings?
Check that sshd_config describe sshd_config do impact 1.0 title 'SSH Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end
Resources • Resources examine common services, system files, and configurations See http://inspec.io/docs/reference/resources/ for the current list! • Various Linux distros, plus Windows • Check the characteristics of the resource (e.g., file size, owner) • InSpec libraries are Matchers for testing and verifying characteristics
• Resources include where the item is and how to look at it • Included parsers do the work for you • Similar to Ruby testing language rSpec, meant to be human readable
its.... should... • it { should exist } • it { should be_installed } • it { should be_enabled } • its('max_log_file') { should cmp 6 } • its('exit_status') { should eq 0 } • its('gid') { should eq 0 }
SSH Configuration describe sshd_config do impact 1.0 title 'SSH Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end The Resource – built in InSpec will find this in the fil
Run It • InSpec is command line Installs on your workstation as a ruby gem or as part of the ChefDK • Can be run locally, test the machine it is executing on • Or remotely InSpec will log into the target and run the tests for you • Also a REPL https://www.inspec.io/docs/reference/shell/
Using InSpec User: chef Pass: BuildStuff2018 What you need to replicate on your own: This version is built using CentOS 7.4 Your user needs to have full sudo access Install git Install ChefDK from https://downloads.chef.io/chefdk/
Find It! • http://inspec.io/ • Open Source, but cool stuff in the server • Looks like other "spec" testing languages • ChefDK or separate from https://downloads.chef.io • It's already installed on your test host $ inspec --version 3.0.12 Your version of InSpec is out of date! The latest version is 3.0.52.
Create a Basic Test – test.rb • Let’s write a basic test to make sure /tmp is a directory • It also should be owned by root • And its mode should be 01777 – open to all (plus sticky bit!) • Let’s check out the docs for the “file” resource for InSpec
File Resources in InSpec • https://www.inspec.io/docs/reference/resources/file/ • We want: Directory Owner Mode describe file(‘path’) do it { should MATCHER ‘value’ } end
test.rb describe file('/tmp') do it { should exist } it { should be_directory } it { should be_owned_by 'root' } its('mode') { should cmp '01777' } end describe file('/tmp/') do it { should exist } its('type') { should eq :directory } it { should_not be_file } its('owner') { should eq 'root' } its('mode') { should cmp '01777' } end
Test Any Target inspec exec test.rb inspec exec test.rb -i ~/.aws/cert.pem -t ssh://ec2- user@192.168.1.2 inspec exec test.rb -t winrm://Admin@192.168.1.2 --password super inspec exec test.rb -t docker://3dda08e75838
Execute InSpec [chef@host ~]$ inspec exec ./test.rb Profile: tests from ./test.rb Version: (not specified) Target: local:// File /tmp ✔ should exist ✔ should be directory ✔ should be owned by "root" ✔ mode should cmp == "01777" Test Summary: 4 successful, 0 failures, 0 skipped
Failures • InSpec runs with failed tests return a non-zero return code Profile Summary: 0 successful, 1 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 1 [chef@ip-172-31-29-25 ~]$ • Passing tests have 0 return code Profile Summary: 1 successful, 0 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 0 [chef@ip-172-31-29-25 ~]$
Security Rule: set ssh login banner • When logging into any machine your organization, display a notification: "Welcome to MyCorp. This is a secure system and all activities are logged. Authorized users only." • The file /etc/ssh/sshd_banner • We want it to exist and have the above content
$ vi banner.rb describe file('/etc/ssh/sshd_banner') do it { should exist } its('content') { should match /Authorized users only/ } end
$ sudo inspec exec banner.rb Profile: tests from banner.rb (tests from banner.rb) Version: (not specified) Target: local:// File /etc/ssh/sshd_banner × should exist expected File /etc/ssh/sshd_banner to exist × content should match /Authorized users only/ expected nil to match /Authorized users only/ Test Summary: 0 successful, 2 failures, 0 skipped
Test-driven Development • We created the test first • We know the feature we need does not exist on the machine • Now we can create the sshd_banner file and re-run our test • This helps us check our assumptions about the state of the system • Create the banner file and run inspec again
$ sudo vi /etc/ssh/sshd_banner Welcome to MyCorp. This is a secure system and all activities are logged. Authorized users only.
$ sudo inspec exec banner.rb Profile: tests from banner.rb (tests from banner.rb) Version: (not specified) Target: local:// File /etc/ssh/sshd_banner ✔ should exist ✔ content should match /Authorized users only/ Test Summary: 2 successful, 0 failures, 0 skipped
$ vi banner.rb ... describe file('/etc/ssh/sshd_config') do its('content') { should match /^Banner /etc/ssh/sshd_banner/ } end
$ sudo inspec exec banner.rb Profile: tests from banner.rb (tests from banner.rb) Version: (not specified) Target: local:// File /etc/ssh/sshd_banner ✔ should exist ✔ content should match /Authorized users only/ File /etc/ssh/sshd_config × content should match /^Banner /etc/ssh/sshd_banner/ expected "#t$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $nn# This is the sshd server system...oncvsn#tX11Forwarding non#tAllowTcpForwarding non#tPermitTTY non#tForceCommand cvs servern" to match /$Banner /etc/ssh/sshd_banner/ Need sudo this time!
$ sudo vi /etc/ssh/sshd_config Find the line for the banner: # no default banner path #Banner none Change to: # add default banner path Banner /etc/ssh/sshd_banner
$ sudo inspec exec banner.rb Profile: tests from banner.rb (tests from banner.rb) Version: (not specified) Target: local:// File /etc/ssh/sshd_banner ✔ should exist ✔ content should match /Authorized users only/ File /etc/ssh/sshd_config ✔ content should match /^Banner /etc/ssh/sshd_banner/ Test Summary: 3 successful, 0 failures, 0 skipped
Add in the Description and Impact • Now that we know our tests are working, add info for other users • Determine the impact of this requirement: 0.0 < 0.01 – Information only 0.01 < 0.4 – LOW impact 0.4 < 0.7 – MEDIUM impact 0.7 < 0.9 – HIGH impact 0.9 – 1.0 – CRITICAL impact • Add a description of the controls
$ vi banner.rb control 'mycorp-sshd-01' do impact 1.0 desc 'Require a warning message to be displayed notifying ssh users of the ownership of the system.' describe file('/etc/ssh/sshd_banner') do it { should exist } its('content') { should match /Authorized users only/ } end describe file('/etc/ssh/sshd_config') do its('content') { should match /^Banner /etc/ssh/sshd_banner/ } end end
Different output: reporters $ sudo inspec exec banner.rb --reporter json $ sudo inspec exec banner.rb --reporter html $ sudo inspec exec banner.rb --reporter documentation
Profiles • InSpec profiles allow you to package and share sets of InSpec tests for your organization or for a specific application set • Profiles are made up of controls • Controls are made up of resources and tests, with priority and metadata Name your controls based on what they do or link them to a written doc • Each profile can have multiple test files included and many controls
Hardening with InSpec • Centos 7 host • os-hardening cookbook from https://supermarket.chef.io • /dev-sec/linux-baseline InSpec profile from https://github.com/dev- sec/linux-baseline
What’s in the linux-baseline Profile on https://dev-sec.io control 'os-02' do impact 1.0 title 'Check owner and permissions for /etc/shadow' desc 'Check periodically the owner and permissions for /etc/shadow' describe file('/etc/shadow') do it { should exist } it { should be_file } it { should be_owned_by 'root' } its('group') { should eq shadow_group } it { should_not be_executable } it { should be_writable.by('owner') } ...
Use the Profile $ git clone https://github.com/dev-sec/linux-baseline ... $ sudo inspec exec linux-baseline Profile Summary: 26 successful controls, 27 control failures, 1 control skipped Test Summary: 80 successful, 45 failures, 1 skipped $
What’s in the os-hardening Cookbook
Use Chef to Fix the Issues • We've detected some issues, now we will correct them using Chef • We'll create a Policyfile for this system that will consume other resources • No Chef Server needed for this method • All required Chef resources will be downloaded from Chef's open source community site, https://supermarket.chef.io/
$ vi Policyfile.rb name 'server-hardening' default_source :supermarket run_list 'os-hardening::default' • This process will create a collection of Chef cookbooks to fix the issues that caused InSpec to fail • We won't need to connect to a Chef server for this method, all the cookbooks will be downloaded locally
Run Commands chef install Policyfile.rb chef export Policyfile.rb harden cd harden sudo chef-client -z Starting Chef Client, version 14.6.47 Using policy 'server-hardening' at revision '…' resolving cookbooks for run list: ["os-hardening::default@3.1.0 (193f7ad)"] Synchronizing Cookbooks: - sysctl (1.0.5) - ohai (5.2.5) - os-hardening (3.1.0) ... Chef Client finished, 141/206 resources updated in 47 seconds
Rerun the Tests $ cd ~ $ sudo inspec exec linux-baseline/ ... Profile Summary: 52 successful controls, 1 control failure, 1 control skipped Test Summary: 124 successful, 1 failure, 1 skipped
Auditd × package-08: Install auditd (1 failed) ✔ System Package audit should be installed ✔ Audit Daemon Config log_file should cmp == "/var/log/audit/audit.log" ✔ Audit Daemon Config log_format should cmp == "raw" ✔ Audit Daemon Config flush should match /^INCREMENTAL|INCREMENTAL_ASYNC$/ × Audit Daemon Config max_log_file_action should cmp == "keep_logs" expected: "keep_logs" got: ROTATE (compared using `cmp` matcher)
What’s Still Failing? • Find the controls that aren’t passing • Decide if you want to fix them or forget them • We'll build a new profile to wrap around linux-baseline And exclude the failing test
BuildStuff.LT 2018 InSpec Workshop
Building New Profiles $ inspec init profile my_hardening Create new profile at /home/chef/my_hardening * Create file README.md * Create directory controls * Create file controls/example.rb * Create file inspec.yml * Create directory libraries This is a new InSpec profile, vs the new Chef cookbook we created earlier.
Including Profiles $ vi my_hardening/inspec.yml name: my_hardening title: InSpec Profile ... version: 0.1.0 depends: - name: linux-baseline path: ../linux-baseline
Profile Dependencies • InSpec will find or retrieve the included profile • You can choose to use all of the profile or pick a few controls • You can also exclude controls that don't meet your needs • Create a new control file to manage the other profile's controls
Skipping Individual Controls $ vi my_hardening/controls/my.rb include_controls 'linux-baseline' do skip_control 'package-08' end We want to run all of the controls from linux-baseline except package-08 • You can also remove the file my_hardening/controls/example.rb if you want to
Rerun the InSpec Profile $ sudo inspec exec my_hardening/ ... Profile Summary: 53 successful controls, 0 control failures, 1 control skipped Test Summary: 115 successful, 0 failures, 1 skipped
Additional Features • Use InSpec to test resources in the Cloud – Azure, AWS, GCP describe aws_s3_bucket('test_bucket') do it { should_not be_public } end • Industry-standard profiles such as CIS available via commercial solutions
Test Kitchen • InSpec also runs as a test suite in Test Kitchen • Test Kitchen is a tool for your team to create fast-feedback loops for development • Add InSpec tests to TK so that any change can also be certified with the security profile before it is pushed to source code repository • More info at http://kitchen.ci/
InSpec and Chef's Automate • InSpec profiles are a component of Chef's Automate server, providing a GUI and metrics collection about compliance across your estate • Additional industry-standard profiles are also available commercially via Automate
BuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec Workshop
BuildStuff.LT 2018 InSpec Workshop
Resources • https://inspec.io • https://dev-sec.io • http://www.anniehedgie.com/inspec-basics-1 • http://blog.johnray.io/chef-inspec-and-dirty-cow
BuildStuff.LT 2018 InSpec Workshop
Ad

Recommended

InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018
Mandi Walls
 
DevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopDevOpsDays InSpec Workshop
DevOpsDays InSpec Workshop
Mandi Walls
 
InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017InSpec Workshop DevSecCon 2017
InSpec Workshop DevSecCon 2017
Mandi Walls
 
InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017InSpec For DevOpsDays Amsterdam 2017
InSpec For DevOpsDays Amsterdam 2017
Mandi Walls
 
2019 Chef InSpec Jumpstart Part 2 of 2
2019 Chef InSpec Jumpstart Part 2 of 22019 Chef InSpec Jumpstart Part 2 of 2
2019 Chef InSpec Jumpstart Part 2 of 2
Larry Eichenbaum
 
2019 Chef InSpec Jumpstart Part 1 of 2
2019 Chef InSpec Jumpstart Part 1 of 22019 Chef InSpec Jumpstart Part 1 of 2
2019 Chef InSpec Jumpstart Part 1 of 2
Larry Eichenbaum
 
Automating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupAutomating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore Meetup
Matt Ray
 
Adding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17xAdding Security to Your Workflow With InSpec - SCaLE17x
Adding Security to Your Workflow With InSpec - SCaLE17x
Mandi Walls
 
Compliance as Code with InSpec - DevOps Melbourne 2017
Compliance as Code with InSpec - DevOps Melbourne 2017Compliance as Code with InSpec - DevOps Melbourne 2017
Compliance as Code with InSpec - DevOps Melbourne 2017
Matt Ray
 
OSDC2014: Testing Server Infrastructure with #serverspec
OSDC2014: Testing Server Infrastructure with #serverspecOSDC2014: Testing Server Infrastructure with #serverspec
OSDC2014: Testing Server Infrastructure with #serverspec
Andreas Schmidt
 
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDays Riga
 
Philly security shell meetup
Philly security shell meetupPhilly security shell meetup
Philly security shell meetup
Nicole Johnson
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
Royce Davis
 
Testing with Ansible
Testing with AnsibleTesting with Ansible
Testing with Ansible
Bas Meijer
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
Royce Davis
 
Enhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical DeploymentsEnhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical Deployments
DevOps.com
 
Security and dev ops for high velocity organizations
Security and dev ops for high velocity organizationsSecurity and dev ops for high velocity organizations
Security and dev ops for high velocity organizations
Chef
 
Compliance as Code
Compliance as CodeCompliance as Code
Compliance as Code
Matt Ray
 
Ansible, best practices
Ansible, best practicesAnsible, best practices
Ansible, best practices
Bas Meijer
 
docker build with Ansible
docker build with Ansibledocker build with Ansible
docker build with Ansible
Bas Meijer
 
Ansible not only for Dummies
Ansible not only for DummiesAnsible not only for Dummies
Ansible not only for Dummies
Łukasz Proszek
 
Introduction to Ansible (Pycon7 2016)
Introduction to Ansible (Pycon7 2016)Introduction to Ansible (Pycon7 2016)
Introduction to Ansible (Pycon7 2016)
Ivan Rossi
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
Anis LARGUEM
 
Docker Security in Production Overview
Docker Security in Production OverviewDocker Security in Production Overview
Docker Security in Production Overview
Delve Labs
 
Ansible ex407 and EX 294
Ansible ex407 and EX 294Ansible ex407 and EX 294
Ansible ex407 and EX 294
IkiArif1
 
Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next Frontier
Carlos Sanchez
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
Khizer Naeem
 
DevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi WallsDevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon
 
Ingite Slides for InSpec
Ingite Slides for InSpecIngite Slides for InSpec
Ingite Slides for InSpec
Mandi Walls
 
Ad

More Related Content

What's hot (20)

Compliance as Code with InSpec - DevOps Melbourne 2017
Compliance as Code with InSpec - DevOps Melbourne 2017Compliance as Code with InSpec - DevOps Melbourne 2017
Compliance as Code with InSpec - DevOps Melbourne 2017
Matt Ray
 
OSDC2014: Testing Server Infrastructure with #serverspec
OSDC2014: Testing Server Infrastructure with #serverspecOSDC2014: Testing Server Infrastructure with #serverspec
OSDC2014: Testing Server Infrastructure with #serverspec
Andreas Schmidt
 
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDays Riga
 
Philly security shell meetup
Philly security shell meetupPhilly security shell meetup
Philly security shell meetup
Nicole Johnson
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
Royce Davis
 
Testing with Ansible
Testing with AnsibleTesting with Ansible
Testing with Ansible
Bas Meijer
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
Royce Davis
 
Enhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical DeploymentsEnhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical Deployments
DevOps.com
 
Security and dev ops for high velocity organizations
Security and dev ops for high velocity organizationsSecurity and dev ops for high velocity organizations
Security and dev ops for high velocity organizations
Chef
 
Compliance as Code
Compliance as CodeCompliance as Code
Compliance as Code
Matt Ray
 
Ansible, best practices
Ansible, best practicesAnsible, best practices
Ansible, best practices
Bas Meijer
 
docker build with Ansible
docker build with Ansibledocker build with Ansible
docker build with Ansible
Bas Meijer
 
Ansible not only for Dummies
Ansible not only for DummiesAnsible not only for Dummies
Ansible not only for Dummies
Łukasz Proszek
 
Introduction to Ansible (Pycon7 2016)
Introduction to Ansible (Pycon7 2016)Introduction to Ansible (Pycon7 2016)
Introduction to Ansible (Pycon7 2016)
Ivan Rossi
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
Anis LARGUEM
 
Docker Security in Production Overview
Docker Security in Production OverviewDocker Security in Production Overview
Docker Security in Production Overview
Delve Labs
 
Ansible ex407 and EX 294
Ansible ex407 and EX 294Ansible ex407 and EX 294
Ansible ex407 and EX 294
IkiArif1
 
Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next Frontier
Carlos Sanchez
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
Khizer Naeem
 
Compliance as Code with InSpec - DevOps Melbourne 2017
Compliance as Code with InSpec - DevOps Melbourne 2017Compliance as Code with InSpec - DevOps Melbourne 2017
Compliance as Code with InSpec - DevOps Melbourne 2017
Matt Ray
 
OSDC2014: Testing Server Infrastructure with #serverspec
OSDC2014: Testing Server Infrastructure with #serverspecOSDC2014: Testing Server Infrastructure with #serverspec
OSDC2014: Testing Server Infrastructure with #serverspec
Andreas Schmidt
 
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios Conference 2014 - Mike Weber - Expanding NRDS Capabilities on Linux Sy...
Nagios
 
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...
DevOpsDays Riga
 
Philly security shell meetup
Philly security shell meetupPhilly security shell meetup
Philly security shell meetup
Nicole Johnson
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
Royce Davis
 
Testing with Ansible
Testing with AnsibleTesting with Ansible
Testing with Ansible
Bas Meijer
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
Royce Davis
 
Enhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical DeploymentsEnhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical Deployments
DevOps.com
 
Security and dev ops for high velocity organizations
Security and dev ops for high velocity organizationsSecurity and dev ops for high velocity organizations
Security and dev ops for high velocity organizations
Chef
 
Compliance as Code
Compliance as CodeCompliance as Code
Compliance as Code
Matt Ray
 
Ansible, best practices
Ansible, best practicesAnsible, best practices
Ansible, best practices
Bas Meijer
 
docker build with Ansible
docker build with Ansibledocker build with Ansible
docker build with Ansible
Bas Meijer
 
Ansible not only for Dummies
Ansible not only for DummiesAnsible not only for Dummies
Ansible not only for Dummies
Łukasz Proszek
 
Introduction to Ansible (Pycon7 2016)
Introduction to Ansible (Pycon7 2016)Introduction to Ansible (Pycon7 2016)
Introduction to Ansible (Pycon7 2016)
Ivan Rossi
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
Anis LARGUEM
 
Docker Security in Production Overview
Docker Security in Production OverviewDocker Security in Production Overview
Docker Security in Production Overview
Delve Labs
 
Ansible ex407 and EX 294
Ansible ex407 and EX 294Ansible ex407 and EX 294
Ansible ex407 and EX 294
IkiArif1
 
Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next Frontier
Carlos Sanchez
 
Automation with ansible
Automation with ansibleAutomation with ansible
Automation with ansible
Khizer Naeem
 

Similar to BuildStuff.LT 2018 InSpec Workshop (20)

DevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi WallsDevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon
 
Ingite Slides for InSpec
Ingite Slides for InSpecIngite Slides for InSpec
Ingite Slides for InSpec
Mandi Walls
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
Alex Pop
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...
Kangaroot
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.be
Mandi Walls
 
Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)
Mandi Walls
 
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecOSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
NETWAYS
 
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsOSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
NETWAYS
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpec
Mandi Walls
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure Security
Mandi Walls
 
InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017
Mandi Walls
 
Prescriptive System Security with InSpec
Prescriptive System Security with InSpecPrescriptive System Security with InSpec
Prescriptive System Security with InSpec
All Things Open
 
Prescriptive Security with InSpec - All Things Open 2019
Prescriptive Security with InSpec - All Things Open 2019Prescriptive Security with InSpec - All Things Open 2019
Prescriptive Security with InSpec - All Things Open 2019
Mandi Walls
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, ChefCompliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Alert Logic
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpec
Mandi Walls
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Codemotion
 
InSpec at DevOps ATL Meetup January 22, 2020
InSpec at DevOps ATL Meetup January 22, 2020InSpec at DevOps ATL Meetup January 22, 2020
InSpec at DevOps ATL Meetup January 22, 2020
Mandi Walls
 
Melbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMelbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpec
Matt Ray
 
Ansible as configuration management tool for devops
Ansible as configuration management tool for devopsAnsible as configuration management tool for devops
Ansible as configuration management tool for devops
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMelbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
Matt Ray
 
DevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi WallsDevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon London 2017: Inspec workshop by Mandi Walls
DevSecCon
 
Ingite Slides for InSpec
Ingite Slides for InSpecIngite Slides for InSpec
Ingite Slides for InSpec
Mandi Walls
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
Alex Pop
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...
Kangaroot
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.be
Mandi Walls
 
Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)Adding Security to Your Workflow with InSpec (MAY 2017)
Adding Security to Your Workflow with InSpec (MAY 2017)
Mandi Walls
 
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspecOSDC 2017 - Mandi Walls - Building security into your workflow with inspec
OSDC 2017 - Mandi Walls - Building security into your workflow with inspec
NETWAYS
 
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsOSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi Walls
NETWAYS
 
Adding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpecAdding Security and Compliance to Your Workflow with InSpec
Adding Security and Compliance to Your Workflow with InSpec
Mandi Walls
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure Security
Mandi Walls
 
InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017InSpec Workflow for DevOpsDays Riga 2017
InSpec Workflow for DevOpsDays Riga 2017
Mandi Walls
 
Prescriptive System Security with InSpec
Prescriptive System Security with InSpecPrescriptive System Security with InSpec
Prescriptive System Security with InSpec
All Things Open
 
Prescriptive Security with InSpec - All Things Open 2019
Prescriptive Security with InSpec - All Things Open 2019Prescriptive Security with InSpec - All Things Open 2019
Prescriptive Security with InSpec - All Things Open 2019
Mandi Walls
 
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, ChefCompliance as Code: Velocity with Security - Fraser Pollock, Chef
Compliance as Code: Velocity with Security - Fraser Pollock, Chef
Alert Logic
 
Building Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpecBuilding Security into Your Workflow with InSpec
Building Security into Your Workflow with InSpec
Mandi Walls
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Codemotion
 
InSpec at DevOps ATL Meetup January 22, 2020
InSpec at DevOps ATL Meetup January 22, 2020InSpec at DevOps ATL Meetup January 22, 2020
InSpec at DevOps ATL Meetup January 22, 2020
Mandi Walls
 
Melbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMelbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpec
Matt Ray
 
Ansible as configuration management tool for devops
Ansible as configuration management tool for devopsAnsible as configuration management tool for devops
Ansible as configuration management tool for devops
Puneet Kumar Bhatia (MBA, ITIL V3 Certified)
 
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpecMelbourne Chef Meetup: Automating Azure Compliance with InSpec
Melbourne Chef Meetup: Automating Azure Compliance with InSpec
Matt Ray
 
Ad

More from Mandi Walls (16)

DOD Raleigh Gamedays with Chaos Engineering.pdf
DOD Raleigh Gamedays with Chaos Engineering.pdfDOD Raleigh Gamedays with Chaos Engineering.pdf
DOD Raleigh Gamedays with Chaos Engineering.pdf
Mandi Walls
 
Addo reducing trauma in organizations with SLOs and chaos engineering
Addo reducing trauma in organizations with SLOs and chaos engineeringAddo reducing trauma in organizations with SLOs and chaos engineering
Addo reducing trauma in organizations with SLOs and chaos engineering
Mandi Walls
 
Full Service Ownership
Full Service OwnershipFull Service Ownership
Full Service Ownership
Mandi Walls
 
PagerDuty: Best Practices for On Call Teams
PagerDuty: Best Practices for On Call TeamsPagerDuty: Best Practices for On Call Teams
PagerDuty: Best Practices for On Call Teams
Mandi Walls
 
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
Mandi Walls
 
habitat at docker bud
habitat at docker budhabitat at docker bud
habitat at docker bud
Mandi Walls
 
Habitat at LinuxLab IT
Habitat at LinuxLab ITHabitat at LinuxLab IT
Habitat at LinuxLab IT
Mandi Walls
 
Habitat Workshop at Velocity London 2017
Habitat Workshop at Velocity London 2017Habitat Workshop at Velocity London 2017
Habitat Workshop at Velocity London 2017
Mandi Walls
 
Habitat at SRECon
Habitat at SREConHabitat at SRECon
Habitat at SRECon
Mandi Walls
 
Containerdays Intro to Habitat
Containerdays Intro to HabitatContainerdays Intro to Habitat
Containerdays Intro to Habitat
Mandi Walls
 
Configuration Management is Old and Boring
Configuration Management is Old and BoringConfiguration Management is Old and Boring
Configuration Management is Old and Boring
Mandi Walls
 
Habitat Overview
Habitat OverviewHabitat Overview
Habitat Overview
Mandi Walls
 
Lessons Learned From Cloud Migrations
Lessons Learned From Cloud MigrationsLessons Learned From Cloud Migrations
Lessons Learned From Cloud Migrations
Mandi Walls
 
Lessons Learned from Continuous Delivery
Lessons Learned from Continuous DeliveryLessons Learned from Continuous Delivery
Lessons Learned from Continuous Delivery
Mandi Walls
 
Community in a box
Community in a boxCommunity in a box
Community in a box
Mandi Walls
 
Role of Pipelines in Continuous Delivery
Role of Pipelines in Continuous DeliveryRole of Pipelines in Continuous Delivery
Role of Pipelines in Continuous Delivery
Mandi Walls
 
DOD Raleigh Gamedays with Chaos Engineering.pdf
DOD Raleigh Gamedays with Chaos Engineering.pdfDOD Raleigh Gamedays with Chaos Engineering.pdf
DOD Raleigh Gamedays with Chaos Engineering.pdf
Mandi Walls
 
Addo reducing trauma in organizations with SLOs and chaos engineering
Addo reducing trauma in organizations with SLOs and chaos engineeringAddo reducing trauma in organizations with SLOs and chaos engineering
Addo reducing trauma in organizations with SLOs and chaos engineering
Mandi Walls
 
Full Service Ownership
Full Service OwnershipFull Service Ownership
Full Service Ownership
Mandi Walls
 
PagerDuty: Best Practices for On Call Teams
PagerDuty: Best Practices for On Call TeamsPagerDuty: Best Practices for On Call Teams
PagerDuty: Best Practices for On Call Teams
Mandi Walls
 
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
Habitat talk at CodeMonsters Sofia, Bulgaria Nov 27 2018
Mandi Walls
 
habitat at docker bud
habitat at docker budhabitat at docker bud
habitat at docker bud
Mandi Walls
 
Habitat at LinuxLab IT
Habitat at LinuxLab ITHabitat at LinuxLab IT
Habitat at LinuxLab IT
Mandi Walls
 
Habitat Workshop at Velocity London 2017
Habitat Workshop at Velocity London 2017Habitat Workshop at Velocity London 2017
Habitat Workshop at Velocity London 2017
Mandi Walls
 
Habitat at SRECon
Habitat at SREConHabitat at SRECon
Habitat at SRECon
Mandi Walls
 
Containerdays Intro to Habitat
Containerdays Intro to HabitatContainerdays Intro to Habitat
Containerdays Intro to Habitat
Mandi Walls
 
Configuration Management is Old and Boring
Configuration Management is Old and BoringConfiguration Management is Old and Boring
Configuration Management is Old and Boring
Mandi Walls
 
Habitat Overview
Habitat OverviewHabitat Overview
Habitat Overview
Mandi Walls
 
Lessons Learned From Cloud Migrations
Lessons Learned From Cloud MigrationsLessons Learned From Cloud Migrations
Lessons Learned From Cloud Migrations
Mandi Walls
 
Lessons Learned from Continuous Delivery
Lessons Learned from Continuous DeliveryLessons Learned from Continuous Delivery
Lessons Learned from Continuous Delivery
Mandi Walls
 
Community in a box
Community in a boxCommunity in a box
Community in a box
Mandi Walls
 
Role of Pipelines in Continuous Delivery
Role of Pipelines in Continuous DeliveryRole of Pipelines in Continuous Delivery
Role of Pipelines in Continuous Delivery
Mandi Walls
 
Ad

Recently uploaded (20)

Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025
kashifyounis067
 
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AIScaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
danshalev
 
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
Douwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License codeDouwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License code
aneelaramzan63
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Andre Hora
 
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
steaveroggers
 
Maxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINKMaxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINK
younisnoman75
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
University of Hawai‘i at Mānoa
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Ranjan Baisak
 
Download YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full ActivatedDownload YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full Activated
saniamalik72555
 
FL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full VersionFL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full Version
tahirabibi60507
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Download Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With LatestDownload Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With Latest
tahirabibi60507
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025
kashifyounis067
 
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AIScaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
danshalev
 
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
Douwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License codeDouwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License code
aneelaramzan63
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Andre Hora
 
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
steaveroggers
 
Maxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINKMaxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINK
younisnoman75
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
University of Hawai‘i at Mānoa
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Ranjan Baisak
 
Download YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full ActivatedDownload YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full Activated
saniamalik72555
 
FL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full VersionFL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full Version
tahirabibi60507
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Download Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With LatestDownload Wondershare Filmora Crack [2025] With Latest
Download Wondershare Filmora Crack [2025] With Latest
tahirabibi60507
 

BuildStuff.LT 2018 InSpec Workshop

  • 1. Building Security Into Your Workflow with InSpec Mandi Walls | [email protected]
  • 2. HI! • Mandi Walls • Technical Community Manager for Chef, EMEA • [email protected] • @lnxchk
  • 3. EVERY business is a software business We’re going to be a software company with airplanes. – CIO, Alaska Airlines
  • 9. InSpec • Human-readable • Test security and compliance • Create, share, and reuse profiles • Extend for your applications and systems • Plug into your existing workflows / build servers • Fast feedback with Test Kitchen
  • 10. Lifecycle • When you get a mandate from security, how often is it checked? • Single big scan, report mailed out with a “due date”? • Yearly or twice-yearly massive scans with remediation firedrills?
  • 11. SSH Requirement • If your security team sends you a directive: SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. All systems must use SSHv2 instead to avoid these issues.
  • 12. What To Do? • Locate configuration file • Locate correct setting • Schedule a fix and restart • Who fixes OS images? • Do you need to test new settings?
  • 13. Check that sshd_config describe sshd_config do impact 1.0 title 'SSH Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end
  • 14. Resources • Resources examine common services, system files, and configurations See http://inspec.io/docs/reference/resources/ for the current list! • Various Linux distros, plus Windows • Check the characteristics of the resource (e.g., file size, owner) • InSpec libraries are Matchers for testing and verifying characteristics
  • 15. • Resources include where the item is and how to look at it • Included parsers do the work for you • Similar to Ruby testing language rSpec, meant to be human readable
  • 16. its.... should... • it { should exist } • it { should be_installed } • it { should be_enabled } • its('max_log_file') { should cmp 6 } • its('exit_status') { should eq 0 } • its('gid') { should eq 0 }
  • 17. SSH Configuration describe sshd_config do impact 1.0 title 'SSH Version 2' desc <<-EOF SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these. EOF its('Protocol') { should cmp 2 } end The Resource – built in InSpec will find this in the fil
  • 18. Run It • InSpec is command line Installs on your workstation as a ruby gem or as part of the ChefDK • Can be run locally, test the machine it is executing on • Or remotely InSpec will log into the target and run the tests for you • Also a REPL https://www.inspec.io/docs/reference/shell/
  • 19. Using InSpec User: chef Pass: BuildStuff2018 What you need to replicate on your own: This version is built using CentOS 7.4 Your user needs to have full sudo access Install git Install ChefDK from https://downloads.chef.io/chefdk/
  • 20. Find It! • http://inspec.io/ • Open Source, but cool stuff in the server • Looks like other "spec" testing languages • ChefDK or separate from https://downloads.chef.io • It's already installed on your test host $ inspec --version 3.0.12 Your version of InSpec is out of date! The latest version is 3.0.52.
  • 21. Create a Basic Test – test.rb • Let’s write a basic test to make sure /tmp is a directory • It also should be owned by root • And its mode should be 01777 – open to all (plus sticky bit!) • Let’s check out the docs for the “file” resource for InSpec
  • 22. File Resources in InSpec • https://www.inspec.io/docs/reference/resources/file/ • We want: Directory Owner Mode describe file(‘path’) do it { should MATCHER ‘value’ } end
  • 23. test.rb describe file('/tmp') do it { should exist } it { should be_directory } it { should be_owned_by 'root' } its('mode') { should cmp '01777' } end describe file('/tmp/') do it { should exist } its('type') { should eq :directory } it { should_not be_file } its('owner') { should eq 'root' } its('mode') { should cmp '01777' } end
  • 24. Test Any Target inspec exec test.rb inspec exec test.rb -i ~/.aws/cert.pem -t ssh://ec2- [email protected] inspec exec test.rb -t winrm://[email protected] --password super inspec exec test.rb -t docker://3dda08e75838
  • 25. Execute InSpec [chef@host ~]$ inspec exec ./test.rb Profile: tests from ./test.rb Version: (not specified) Target: local:// File /tmp ✔ should exist ✔ should be directory ✔ should be owned by "root" ✔ mode should cmp == "01777" Test Summary: 4 successful, 0 failures, 0 skipped
  • 26. Failures • InSpec runs with failed tests return a non-zero return code Profile Summary: 0 successful, 1 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 1 [chef@ip-172-31-29-25 ~]$ • Passing tests have 0 return code Profile Summary: 1 successful, 0 failures, 0 skipped [chef@ip-172-31-29-25 ~]$ echo $? 0 [chef@ip-172-31-29-25 ~]$
  • 27. Security Rule: set ssh login banner • When logging into any machine your organization, display a notification: "Welcome to MyCorp. This is a secure system and all activities are logged. Authorized users only." • The file /etc/ssh/sshd_banner • We want it to exist and have the above content
  • 28. $ vi banner.rb describe file('/etc/ssh/sshd_banner') do it { should exist } its('content') { should match /Authorized users only/ } end
  • 29. $ sudo inspec exec banner.rb Profile: tests from banner.rb (tests from banner.rb) Version: (not specified) Target: local:// File /etc/ssh/sshd_banner × should exist expected File /etc/ssh/sshd_banner to exist × content should match /Authorized users only/ expected nil to match /Authorized users only/ Test Summary: 0 successful, 2 failures, 0 skipped
  • 30. Test-driven Development • We created the test first • We know the feature we need does not exist on the machine • Now we can create the sshd_banner file and re-run our test • This helps us check our assumptions about the state of the system • Create the banner file and run inspec again
  • 31. $ sudo vi /etc/ssh/sshd_banner Welcome to MyCorp. This is a secure system and all activities are logged. Authorized users only.
  • 32. $ sudo inspec exec banner.rb Profile: tests from banner.rb (tests from banner.rb) Version: (not specified) Target: local:// File /etc/ssh/sshd_banner ✔ should exist ✔ content should match /Authorized users only/ Test Summary: 2 successful, 0 failures, 0 skipped
  • 33. $ vi banner.rb ... describe file('/etc/ssh/sshd_config') do its('content') { should match /^Banner /etc/ssh/sshd_banner/ } end
  • 34. $ sudo inspec exec banner.rb Profile: tests from banner.rb (tests from banner.rb) Version: (not specified) Target: local:// File /etc/ssh/sshd_banner ✔ should exist ✔ content should match /Authorized users only/ File /etc/ssh/sshd_config × content should match /^Banner /etc/ssh/sshd_banner/ expected "#t$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $nn# This is the sshd server system...oncvsn#tX11Forwarding non#tAllowTcpForwarding non#tPermitTTY non#tForceCommand cvs servern" to match /$Banner /etc/ssh/sshd_banner/ Need sudo this time!
  • 35. $ sudo vi /etc/ssh/sshd_config Find the line for the banner: # no default banner path #Banner none Change to: # add default banner path Banner /etc/ssh/sshd_banner
  • 36. $ sudo inspec exec banner.rb Profile: tests from banner.rb (tests from banner.rb) Version: (not specified) Target: local:// File /etc/ssh/sshd_banner ✔ should exist ✔ content should match /Authorized users only/ File /etc/ssh/sshd_config ✔ content should match /^Banner /etc/ssh/sshd_banner/ Test Summary: 3 successful, 0 failures, 0 skipped
  • 37. Add in the Description and Impact • Now that we know our tests are working, add info for other users • Determine the impact of this requirement: 0.0 < 0.01 – Information only 0.01 < 0.4 – LOW impact 0.4 < 0.7 – MEDIUM impact 0.7 < 0.9 – HIGH impact 0.9 – 1.0 – CRITICAL impact • Add a description of the controls
  • 38. $ vi banner.rb control 'mycorp-sshd-01' do impact 1.0 desc 'Require a warning message to be displayed notifying ssh users of the ownership of the system.' describe file('/etc/ssh/sshd_banner') do it { should exist } its('content') { should match /Authorized users only/ } end describe file('/etc/ssh/sshd_config') do its('content') { should match /^Banner /etc/ssh/sshd_banner/ } end end
  • 39. Different output: reporters $ sudo inspec exec banner.rb --reporter json $ sudo inspec exec banner.rb --reporter html $ sudo inspec exec banner.rb --reporter documentation
  • 40. Profiles • InSpec profiles allow you to package and share sets of InSpec tests for your organization or for a specific application set • Profiles are made up of controls • Controls are made up of resources and tests, with priority and metadata Name your controls based on what they do or link them to a written doc • Each profile can have multiple test files included and many controls
  • 41. Hardening with InSpec • Centos 7 host • os-hardening cookbook from https://supermarket.chef.io • /dev-sec/linux-baseline InSpec profile from https://github.com/dev- sec/linux-baseline
  • 42. What’s in the linux-baseline Profile on https://dev-sec.io control 'os-02' do impact 1.0 title 'Check owner and permissions for /etc/shadow' desc 'Check periodically the owner and permissions for /etc/shadow' describe file('/etc/shadow') do it { should exist } it { should be_file } it { should be_owned_by 'root' } its('group') { should eq shadow_group } it { should_not be_executable } it { should be_writable.by('owner') } ...
  • 43. Use the Profile $ git clone https://github.com/dev-sec/linux-baseline ... $ sudo inspec exec linux-baseline Profile Summary: 26 successful controls, 27 control failures, 1 control skipped Test Summary: 80 successful, 45 failures, 1 skipped $
  • 44. What’s in the os-hardening Cookbook
  • 45. Use Chef to Fix the Issues • We've detected some issues, now we will correct them using Chef • We'll create a Policyfile for this system that will consume other resources • No Chef Server needed for this method • All required Chef resources will be downloaded from Chef's open source community site, https://supermarket.chef.io/
  • 46. $ vi Policyfile.rb name 'server-hardening' default_source :supermarket run_list 'os-hardening::default' • This process will create a collection of Chef cookbooks to fix the issues that caused InSpec to fail • We won't need to connect to a Chef server for this method, all the cookbooks will be downloaded locally
  • 47. Run Commands chef install Policyfile.rb chef export Policyfile.rb harden cd harden sudo chef-client -z Starting Chef Client, version 14.6.47 Using policy 'server-hardening' at revision '…' resolving cookbooks for run list: ["os-hardening::[email protected] (193f7ad)"] Synchronizing Cookbooks: - sysctl (1.0.5) - ohai (5.2.5) - os-hardening (3.1.0) ... Chef Client finished, 141/206 resources updated in 47 seconds
  • 48. Rerun the Tests $ cd ~ $ sudo inspec exec linux-baseline/ ... Profile Summary: 52 successful controls, 1 control failure, 1 control skipped Test Summary: 124 successful, 1 failure, 1 skipped
  • 49. Auditd × package-08: Install auditd (1 failed) ✔ System Package audit should be installed ✔ Audit Daemon Config log_file should cmp == "/var/log/audit/audit.log" ✔ Audit Daemon Config log_format should cmp == "raw" ✔ Audit Daemon Config flush should match /^INCREMENTAL|INCREMENTAL_ASYNC$/ × Audit Daemon Config max_log_file_action should cmp == "keep_logs" expected: "keep_logs" got: ROTATE (compared using `cmp` matcher)
  • 50. What’s Still Failing? • Find the controls that aren’t passing • Decide if you want to fix them or forget them • We'll build a new profile to wrap around linux-baseline And exclude the failing test
  • 52. Building New Profiles $ inspec init profile my_hardening Create new profile at /home/chef/my_hardening * Create file README.md * Create directory controls * Create file controls/example.rb * Create file inspec.yml * Create directory libraries This is a new InSpec profile, vs the new Chef cookbook we created earlier.
  • 53. Including Profiles $ vi my_hardening/inspec.yml name: my_hardening title: InSpec Profile ... version: 0.1.0 depends: - name: linux-baseline path: ../linux-baseline
  • 54. Profile Dependencies • InSpec will find or retrieve the included profile • You can choose to use all of the profile or pick a few controls • You can also exclude controls that don't meet your needs • Create a new control file to manage the other profile's controls
  • 55. Skipping Individual Controls $ vi my_hardening/controls/my.rb include_controls 'linux-baseline' do skip_control 'package-08' end We want to run all of the controls from linux-baseline except package-08 • You can also remove the file my_hardening/controls/example.rb if you want to
  • 56. Rerun the InSpec Profile $ sudo inspec exec my_hardening/ ... Profile Summary: 53 successful controls, 0 control failures, 1 control skipped Test Summary: 115 successful, 0 failures, 1 skipped
  • 57. Additional Features • Use InSpec to test resources in the Cloud – Azure, AWS, GCP describe aws_s3_bucket('test_bucket') do it { should_not be_public } end • Industry-standard profiles such as CIS available via commercial solutions
  • 58. Test Kitchen • InSpec also runs as a test suite in Test Kitchen • Test Kitchen is a tool for your team to create fast-feedback loops for development • Add InSpec tests to TK so that any change can also be certified with the security profile before it is pushed to source code repository • More info at http://kitchen.ci/
  • 59. InSpec and Chef's Automate • InSpec profiles are a component of Chef's Automate server, providing a GUI and metrics collection about compliance across your estate • Additional industry-standard profiles are also available commercially via Automate
  • 64. Resources • https://inspec.io • https://dev-sec.io • http://www.anniehedgie.com/inspec-basics-1 • http://blog.johnray.io/chef-inspec-and-dirty-cow

Editor's Notes

  • #7: Compliance requirements are often set out in flat documents. Sometimes PDFs, sometimes other formats, but they have a tendency to be a huge list of characteristics and checkboxes to be investigated and potentially remediated. Security tools may be somewhat more flexible, encoded into a set of shell scripts that check and verify the systems after they are built. But what if it was easy to build these checks into the workflow while the systems are being built and applications installed.
  • #8: For the purposes of compliance, we actually wanted a common language, in code, that would allow all audiences – compliance, security, and devops – to collaborate on. And this code will then act on systems. This is whyInSpec was developed.
  • #11: For bits like the ssh configuration that are considered more infrastructure than application, these practices are common, changes are periodically rolled into the source images for new hosts (or containers) and the old configurations are eventually purged from production. It’s a herd-immunity approach. But what happens if the thing to be tested is affected by a continuously developed application? Like run time configurations for java, or your databases. Can you count on every team to always know all of the requirements?
  • #27: Plug InSpec into whatever command set you are already using
  • #33: Check if it is a good time for the break.