DevOpsDays Austin 2016 talk. Compliance and security are the next steps after Infrastructure as Code and Test-Driven Infrastructure in expanding your DevOps workflow. Chef's open-source InSpec and audit cookbooks provide an accessible pattern for building compliance into your continuous delivery pipelines.
8. SSH Control
"SSH supports two different protocol versions. The original version, SSHv1, was subject to a number of security issues. Please use SSHv2 instead to avoid these."
10. Whip up a one-liner!
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
11. Apache Server Information Leakage – ServerTokens Directive
• Description
This directive controls whether the Server response header sent back to clients includes a description of the generic OS type of the server and information about compiled-in modules.
This lets attackers identify web server details and greatly increases the efficiency of any attack, because security vulnerabilities depend on specific software versions.
• How to Test
To test the ServerTokens configuration, check the Apache configuration file (and any files it includes).
• Misconfiguration
ServerTokens Full
• Remediation
Set the ServerTokens directive in the Apache configuration to Prod or ProductOnly. This tells Apache to return only "Apache" in the Server header, which is sent with every response.
ServerTokens Prod
or
ServerTokens ProductOnly
https://www.owasp.org/index.php/SCG_WS_Apache
12. More grep and sed!
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
21. Key Trends
• While individual rule compliance is up, testing of security systems is down.
• Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
23. Shell Scripts
grep "^Protocol" /etc/ssh/sshd_config | sed 's/Protocol //'
grep "^ServerTokens" /etc/httpd/conf/httpd.conf | sed 's/ServerTokens //'
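The two grep|sed one-liners above (slides 10, 12 and 23) are fine for a demo but give the wrong answer on real config files: they miss indented or lowercase keywords, match a commented-out directive that happens to sit at column 0 in some editors' output, and print every occurrence when the daemon only honours one of them. Below is an added example, not code from the talk or from Chef, showing the same two checks written as shell functions that handle those cases, run against constructed sample files so it works offline. The sample file contents, the function names and the PASS/FAIL report format are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the talk): the two grep|sed one-liners rewritten as
# functions that tolerate what real config files contain (comments, leading
# whitespace, mixed-case keywords, repeated directives). Sample configs below
# are constructed for this demo, not taken from any host.
set -u

# sshd_config(5): keywords are case-insensitive and the FIRST value wins.
sshd_value() {                      # $1 = keyword, $2 = file
  awk -v key="$1" '/^[[:space:]]*#/ { next }
                   tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# httpd.conf: directives are case-insensitive and a LATER ServerTokens line
# overrides an earlier one. Reads a single file only; Include is not followed.
httpd_value() {                     # $1 = directive, $2 = file
  awk -v key="$1" '/^[[:space:]]*#/ { next }
                   tolower($1) == tolower(key) { v = $2 } END { print v }' "$2"
}

# Pass only when Protocol is exactly "2". "2,1", "1" and an absent directive
# all fail: an absent directive leaves the choice to the daemon's default.
check_ssh_protocol() {
  [ "$(sshd_value Protocol "$1")" = "2" ]
}

# Pass only when ServerTokens is Prod or ProductOnly (the same setting to
# Apache). Full, OS, Minimal, Minor, Major and an absent directive all fail.
check_server_tokens() {
  case "$(httpd_value ServerTokens "$1" | tr '[:upper:]' '[:lower:]')" in
    prod|productonly) return 0 ;;
    *)                return 1 ;;
  esac
}

# Constructed sample configs, written to a temp dir that is removed on exit.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
SSHD_BAD="$SAMPLES/sshd_config.bad"      # grep "^Protocol" reports "2" here,
SSHD_GOOD="$SAMPLES/sshd_config.good"    # matching the line sshd ignores
HTTPD_BAD="$SAMPLES/httpd.conf.bad"      # grep "^ServerTokens" prints Prod
HTTPD_GOOD="$SAMPLES/httpd.conf.good"    # and Full; only Full is effective

cat > "$SSHD_BAD" <<'EOF'
# Protocol 2
# the next line is indented and lowercase; SSHv1 stays enabled
  protocol 2,1
# second occurrence of the keyword: sshd ignores it
Protocol 2
EOF
cat > "$SSHD_GOOD" <<'EOF'
Port 22
Protocol 2
EOF
cat > "$HTTPD_BAD" <<'EOF'
ServerTokens Prod
# a later directive wins, so the Server header leaks OS and module details
ServerTokens Full
EOF
cat > "$HTTPD_GOOD" <<'EOF'
ServerSignature Off
    servertokens ProductOnly
EOF

# Human-readable report, the same yes/no the one-liners were used to produce.
report() {                          # $1 = label, $2 = check function, $3 = file
  if "$2" "$3"; then echo "PASS $1"; else echo "FAIL $1"; fi
}

main() {
  report "sshd Protocol (bad sample)"       check_ssh_protocol  "$SSHD_BAD"
  report "sshd Protocol (good sample)"      check_ssh_protocol  "$SSHD_GOOD"
  report "httpd ServerTokens (bad sample)"  check_server_tokens "$HTTPD_BAD"
  report "httpd ServerTokens (good sample)" check_server_tokens "$HTTPD_GOOD"
}
main "$@"
```

The two lookup functions differ on purpose: sshd takes the first value of a keyword, Apache the last, so a check that just greps and strips the keyword can report a value the daemon never uses. Both functions read one file; a production control also has to walk Include directives and the distribution's conf.d drop-ins (the InSpec apache_conf resource parses included files as well), which is one reason to express these checks as InSpec controls rather than ad hoc shell.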
54. Operating System and Application Coverage
• Red Hat Enterprise Linux
• Ubuntu
• SUSE
• Oracle Linux
• Microsoft Windows 7, 8
• Microsoft Windows Server 2008, 2012
• AIX
• HP-UX
• VMware ESXi
• Oracle
• MySQL
• Apache Tomcat
• SQL Server
• IIS
67. Chef Provides a Proven Approach to DevOps
[Diagram of the Chef workflow. Labels recovered from the slide: phases Local Development, Collaborative Development, Assessment, Production; activities Model, Build, Test, Search, Discover, Audit, Deploy; products Chef DK, Chef Supermarket, Chef Delivery, Chef Compliance, Chef Server, Chef Insights, Chef Client & Cookbooks; Targets/Workloads: Apps, Runtime environments, Infrastructure.]
69. Austin, TX | July 11-13
Early Bird Pricing Through April 17th
« Workshops & Chef Training!
« Community Summit!
« Chef Partner Summit!
« Welcome Reception!
« Keynotes!
« Technical Sessions!
« Happy Hour!
« Keynotes!
« Technical Sessions!
« Awesome Chef Awards!
« Community Celebration!
ChefConf.com