Automating AWS Compliance with InSpec

Automating Compliance with InSpecSydney AWS Security Meetup

August 10, 2017

Matt RayManager, Solutions Architect – APJChef [email protected]@mattray

SSH Control

"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."

How will I verify this?

Whip up a one-liner!

grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'

Apache Server Information Leakage

• Description

This Directive Controls wheather Server response field is sent back to clients includes a description of Generic OS Type of the Server.

This allows attackers to identify web servers details greatly and increases the efficiency of any attack,as security vulnerabilities are dependent upon specific software versions.

• How to Test

In order to test for ServerToken configuration, one should check the Apache configuration file.

• Misconfiguration

ServerTokens Full

• Remediation

Configure the ServerTokens directive in the Apache configuration to value of Prod or ProductOnly. This tells Apache to only return "Apache" in the Server header, returned on every page request.

ServerTokens ProdorServerTokens ProductOnly

https://www.owasp.org/index.php/SCG_WS_Apache

More grep and sed!

grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

Compliance

Two-thirds of organizations did not adequately test the security of all in-scope systems

Key Trends

• While individual rule compliance is up, testing of security systems is down

• Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.

Shell Scripts

grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'

Infrastructure Code

package 'httpd' doaction :install

end

service 'httpd' doaction [ :start, :enable ]

end

We Have A Communications Problem

Security != Compliance

Compliance Language

One LanguageLinux

One LanguageLinux, Windows

Windows

One LanguageLinux, Windows, BSD, Solaris, AIX, HP-UX, ...

Examples of Available Resourcesapache_conf

apt

audit_policy

auditd_conf

auditd_rules

bond

bridge

command

crontab

directory

etc_group

file

gem

group

host

inetd_conf

interface

iptables

kernel_module

kernel_parameter

limits_conf

login_defs

mount

mysql_conf

mysql_session

npm

ntp_conf

oneget

os

os_env

package

parse_config

parse_config_file

passwd

pip

port

postgres_conf

postgres_session

powershell

processes

registry_key

security_policy

service

ssh_config

sshd_config

user

windows_feature

yum

What is it not?

• IDS / IPS• Firewall• Antivirus• Pentesting tool


Bare-metal


Bare-metal, VMs


Bare-metal, VMs, Containers



Nodes



Nodes, Databases

DB Testing



Nodes, Databases, APIs

Cloud Testing

InSpec

> inspec exec test.rb

Test a machine remotely via SSH

> inspec exec test.rb -i identity.key -t ssh://[email protected]

Test your machine locally

> inspec exec test.rb -t winrm://[email protected] --password super

Test Docker Container

> inspec exec test.rb -t docker://5cc8837bb6a8

Test a machine remotely via WinRM AG

EN

TL

ESS

Operating System & Application Coverage

• Microsoft Windows• Red Hat Enterprise Linux• Ubuntu Linux• SUSE Linux Enterprise Server• Oracle Enterprise Linux• AIX• HP-UX• Solaris

• VMware ESXi• MySQL• Oracle • PostgreSQL• Tomcat• SQL Server• IIS• HTTP request



Nodes, Databases, APIs, Cloud Platforms, ...

Open Source Community

•https://inspec.io•https://github.com/chef/inspec•https://supermarket.chef.io•https://learn.chef.io•#inspec in https://chefcommunity.slack.com

CONTINUOUS COMPLIANCE AUTOMATION

InSpec - Part of your InfoSec toolchain

FIREWALL ANTIVIRUS

INTRUSION DETECTION/PREVENTION

PENETRATIONTESTING

Continuous Workflow

Detect

Correct

The Chef Automate PlatformContinuous Automation for High Velocity IT

Workflow • Local development • Integration • Tooling (APIs & SDKs)

COLLABORATE

▪ Package▪ Test▪ Approve

BUILD

▪ Provision▪ Configure▪ Execute▪ Update

DEPLOY

▪ Secure▪ Comply▪ Audit▪ Measure▪ Log

MANAGE

Infrastructure Automation Compliance AutomationApplication Automation

OSS AUTOMATION ENGINES

Increase Speed

▪ Package infrastructure and app configuration as code

▪ Continuously automate infrastructure and app updates

Improve Efficiency

▪ Define and execute standard workflows and automation

▪ Audit and measure effectiveness of automation

Decrease Risk

▪ Define compliance rules as code

▪ Deliver continuous compliance as part of standard workflow

AWS OpsWorks for Chef AutomateNative Amazon Service

Managed Chef Server

▪ Utilizes RDS and other native services

▪ May be externally accessible

AWS Native

▪ Auto Scaling in your VPC

▪ Automatic backups and upgrades

OpsWorks Stacks

▪ New name for previous version of OpsWorks

● Partnership between Amazon and Chef, jointly developed and maintained

● Fully managed AWS service with frequent updates

● Fully compatible with open source Chef

● Amazon is your support and billing

● All Chef Automate features will be supported

○ Visibility and Workflow today

○ Compliance soon

○ Currently Northern Virginia, Oregon & Ireland with more planned

InSpec-AWS

• https://github.com/chef/inspec-aws

aws_ec2

aws_iam_access_key

aws_iam_password_policy

aws_iam_root_user

aws_iam_user

aws_iam_users

Dig into the new way of learning about Chef, Automation, and DevOps.

Self-paced training on Linux and Windows and much more!

learn.chef.io

Automating AWS Compliance with InSpec

Technology