SlideShare ist ein Scribd-Unternehmen logo
1 von 142
Downloaden Sie, um offline zu lesen
Welcome, we’re glad you joined us
● Automation, Audits, and Apps? And Azure?
● Practical solutions to real problems
● Learning from each other
Our vision: The most enduring and
transformative companies use Chef to
become fast, efficient, and innovative
software-driven organizations.
Velocity: time from idea to shipIdea Ship
Infrastructure
Automation
Compliance
Automation
Application
Automation
Business Value
Time
Digital
Transformation
Post-Digital
Transformation
Business Value
Time
Digital
Transformation
Post-Digital
Transformation
Application-centric
Infrastructure-centric
My existing (legacy) apps run my
business. How can I get them
moving more quickly?
We hear two concerns from leaders most frequently:
Compliance is slowing us down,
and audits are painful. How can
we move faster while meeting
requirements?
My existing (legacy) apps run my
business. How can I get them
moving more quickly?
Your perspective on these two concerns
• Take one minute to think about the legacy apps you manage and the
current and long term impact on your business
• Connect with someone in the room that you don’t know and discuss (you
have 5 minutes)
Your perspective on these two concerns
Compliance is slowing us down,
and audits are painful. How can
we move faster while meeting
requirements?
• Take one minute to think about your efforts to stay within compliance, the
work you do to prepare for audits, and the current and long term impact on
your business
• Connect with someone in the room that you don’t know and discuss (you
have 5 minutes)
Cloud migration will continue to grow
Azure migration experience
Customer momentum
Confidently migrate your applications, data, and infrastructure to Azure
Unified cloud
platform
Data
platform
Security and
management
Azure is the only consistent hybrid cloud
Lower your TCO significantly by migrating to Azure
Azure.com/tco
Azure migration journey
Azure migration journey
Choice of tools for every stage and every requirement
Azure security and
management (security, backup,
monitoring, cost management)
Azure Database Migration Service
Azure Site Recovery
Azure Data Box
Assess Migrate Optimize
Data Migration Assistant
Azure Migrate
SQL Server Migration
Assistant
Microsoft
Partners
Azure Migrate - GA
Summarizing cloud migration strategies
Redeploy as-is to cloud
• Reduce Capex
• Free up datacenter space
• Quick cloud ROI
IaaS
Minimally alter to take
better advantage of
cloud
• Faster, shorter, updates
• Code portability
• Greater cloud efficiency
(resources, speed, cost)
Containers
PaaS
Materially
alter/decompose
application to services
• App scale and agility
• Easier adoption of new
cloud capabilities
• Mix technology stacks
PaaS
Serverless
Microservices
New code written with
cloud native approach
• Accelerate innovation
• Build apps faster
• Reduce operational cost
Description
Drivers
Technologies
Migration strategies: Rehost application (i.e., lift & shift)
Migration strategies: Refactor application
Migration strategies: Rearchitect application
Replatform
Migration strategies: Replatform application
Confidently migrate all your apps, data, and infrastructure to
Azure
Get started today
Application Modernization
with Habitat
What We Want to Share Today
● Highlights from Chef's 2018 State of
Applications survey: you have company
● Challenges with modernizing legacy
applications
● How Habitat can help you lift, shift and
modernize to adopt cloud and container
technology even for older applications
Chef's 2018 State of Application Delivery Survey
Survey Insights
How do you measure app
deployment success?
Speed is success for applications - but achieving speed is a big challenge.
Speed*
How long does it take to complete
the app build process?
Days or Longer
How many builds before an app is
deployed to production?
61%
72%
Four or More
55%
* “Time from code to production” or “Time from commit to deploy”
46 45
34
Survey Insights
In 2 years, what percent of your apps will be
deployed on container platforms?
1/4 or More
51%
Which approach will you use to transition apps to
new architectures & infrastructures?
Aggressive plans for containerization,
most often by lifting, shifting, and
modernizing applications.
73%
52%
Lift, Shift,
Modernize
Rewrite
Apps
Speed is success for applications - but
achieving speed is a big challenge.
Survey Insights
Aggressive plans for containerization, most often
by lifting, shifting, and modernizing applications.
Which is the most challenging aspect of
the application lifecycle?
Management
44%
What percent of production apps run in
the following environments?
Environments are
heavily
heterogeneous,
and application
management is
most challenging.
Speed is success for applications - but
achieving speed is a big challenge.
In search of speed, organizations are moving to the
next platform while carrying legacy weight.
It’s already difficult to manage. It’s going to get harder.
Now is the time to think about a comprehensive
application strategy.
The Benefits and Problems of Legacy
Legacy is shorthand for critical business applications with longevity. But it
creates manageability problems:
Windows 2003
MSVC, COM+, etc.
Business App 1
Windows 2008 R2
MS .NET 2.0
Business App 2
Red Hat Linux 5
IBM WebSphere
Business App 3
Red Hat Linux 6
Tomcat 6 / Java 7
Business App 4
This is frustrating because the business value is in the app. Yet you carry all of
the burden to support it.
Heterogeneity is a reality in IT
Heterogeneous applications are the past, present and future.
How could we extract the applications' business value from the underlying
infrastructure to improve its manageability?
Business App 1 Business App 2 Business App 3 Business App 4
89% of respondents desire a cross-environment application packaging solution.
Source: Chef's 2018 State of Application Delivery Survey
Habitat enables application teams
to build, deploy, and manage any
application in any environment -
from traditional data centers to
containerized microservices.
Introducing Habitat
1. “Lift & Shift” Legacy Apps to
Modern Platforms
Organizations struggle to move
existing, business critical apps to
modern platforms
2. Deliver on a Cloud-Native
(Cloud/Containers) Strategy
Organizations hit a wall when
adopting and deploying to a cloud-
native platform
How does it work?
It splits the platform-independent part of the application from the platform-
dependent part.
BUILD DEPLOY MANAGE
Ring
Supervisor
Platform-Independent Build Export Platform-Dependent Deploy
How does it work?
● All of the problems shown previously
are a result of this pattern: building up
from the operating system.
● The entire triangle becomes the
artifact you carry around with you now
and in the future (including sometimes
the VM and the server!)
Libraries
Operating System
Application
Application &
Libraries
● Habitat builds from the application
down
● Embedded supervisor as standard
management interface
● Builds have strict dependency control
Application Libraries
OS
Customer Story - Modernizing Legacy Apps
The challenge:
● Large auto manufacturer moving COTS
apps to next generation data center
● Example legacy app: Windows application
written in Borland Delphi in 2003 - in
Portuguese
● Lot of value in the app, painful to rewrite
The solution:
● Package the application and its
dependencies with Habitat
● Enable the application to be deployed to any
environment - next generation datacenter
and beyond
● Manage the application through its lifecycle -
updates, patches, etc.
● Gain manageability benefits in the new
environment and maintain value of the app
without rewriting
What They’re Saying
"With Habitat, we have an easier onramp to
packaging our apps in any environment. The
learning curve for our dev teams who are doing
a little bit of ops as well as traditional software
engineering is a lot less steep. The fact that we
can radically simplify deployment processes by
treating every service as an artifact is very powerful.
Adopting Habitat means you have a reproducible,
consistent method for build and deploy, and you
can apply that model to every service or application that
you're running.
Once you've learned how one service is deployed
or managed, you've got everything you need to
figure out the next service after that."
“While the application portability benefits of containers
are widely recognized, lack of consistency in packaging
and orchestration across the application lifecycle has, in
many cases, limited the success of their deployment at
scale, even when using cloud-
native architectures.
Separating packaging, deployment concerns, and
artifacts is one strategy that can empower teams to
deliver on business objectives of delivering software
at speed, with high quality.”
Blake Irvin
Engineer at smartB Energy Management GmbH
Stephen Elliot
Program Vice President at IDC
Modernizing Legacy Applications
The Benefits and Problems of Legacy
Legacy is shorthand for critical business applications with longevity. But it
creates manageability problems:
Windows 2003
MSVC, COM+, etc.
Business App 1
Windows 2008 R2
MS .NET 2.0
Business App 2
Red Hat Linux 5
IBM WebSphere
Business App 3
Red Hat Linux 6
Tomcat 6 / Java 7
Business App 4
This is frustrating because the business value is in the app. Yet you carry all of
the burden to support it.
Example Application: sqlwebadmin
Sample application from Microsoft's Codeplex Archive
Last updated in 2008, tightly coupled to Windows 2003
Windows 2003
ASP.NET 2.0
sqlwebadmin
This is frustrating because the business value is in the app. Yet you carry all of
the burden to support it.
Windows Server
2016
ASP.NET 2.0
sqlwebadmin
Building sqlwebadmin
● Habitat collects application details in a plan
● The Habitat Studio provides a 'clean room'
environment in which to build your artifact
● Habitat artifacts can be launched by the
'hab' CLI
Building sqlwebadmin
Demonstration
Deploying sqlwebadmin
● Habitat services can be deployed into
supervisor rings
● SQLServer 2005 is published as a core
plan on bldr.habitat.sh
● Habitat artifacts use service binds to
allow inter-service communication
without hard-coding settings
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
SERVICE
SUPERVISOR
Deploying sqlwebadmin
Demonstration
Managing sqlwebadmin
● Habitat artifacts define configuration
tunables as variables
● Configuration settings can be updated via
CLI or API on running instances or service
groups
● Configuration updates automatically trigger
any required run hooks within each service
ASP.NET 2.0
sqlwebadmin
ASP.NET 2.0
sqlwebadmin
hab config apply
Managing sqlwebadmin
Demonstration
Targeting Modern Runtimes
● Habitat artifacts can be natively exported to container formats like docker
● Exported artifacts can be run with runtime-specific tools (e.g. docker run,
docker-compose up)
● Habitat artifacts behave consistently in servers or containers
Why Are Audits Painful?
… and how can automation help?
Your Name
youremail@chef.io
Who loves an audit?
Nobody!
Audits are...
● Time-consuming: They distract from product development.
● Stressful: Sometimes auditors or compliance personnel see themselves as
the "police" rather than helping the business be successful.
● Overwhelming: Cloud scale plus an increase in regulations leads to
escalating data volume.
Traditional Approaches Exacerbate Audit Pain
Security reviews:
• are often manual (slow);
• generate too much data from scanning-oriented approaches;
• catch problems too late in the development cycle to economically fix;
• don't manage exceptions appropriately.
Least compliant criteria: testing for it
What we have here is a communication problem
Compliance
Security
Dev/Ops
Continuous Compliance Uses a Common Language
control 'ensure_selinux_installed' do
impact 1.0
title 'Ensure SELinux is installed'
desc <<-EOD
SELinux provides Mandatory Access Control
EOD
describe package('libselinux') do
it { should be_installed }
end
end
InSpec helps express security & compliance requirements as code and
incorporate it directly into the delivery process.
Systems shall have a Mandatory
Access Control system installed
and enabled.
Benefits of Continuous Compliance
● Maintain an up-to-date and historical record of compliance status to satisfy
both scheduled and ad-hoc audit requests
● Detect and correct security issues long before they reach production
● Reduce risk while delivering applications faster
Example: Major healthcare services
provider reduced audit cycle times
by 95% by continuously detecting
and remediating compliance errors.
Mapping a Compliance Regime
to InSpec
PCI DSS Example
PCI DSS Overview
● 12 Key Requirements
● Two key requirements (9 and 12) refer to
physical security and are not system-level tests
● CIS (Center for Internet Security) Benchmarks
can be used as the basis of a PCI compliance
policy
● Some customization is necessary. InSpec's
inheritance features allow this to be easily
done.
PCI Requirement 8
Identify and authenticate access to system components. Example control:
Restrict logins to accounts (e.g. system accounts) that do not have a password.
control "cisecurity.benchmarks_rule_5.2.9_Ensure_SSH_PermitEmptyPasswords_is_disabled" do
title "Ensure SSH PermitEmptyPasswords is disabled"
desc "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts
with empty password strings. Rationale: Disallowing remote shell access to accounts that have an
empty password reduces the probability of unauthorized access to the system"
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.9"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitEmptyPasswords') { should eq 'no' }
end
end
Control Inheritance For Reusability
require_controls 'cis-rhel7-level1-server' do
control
"xccdf_org.cisecurity.benchmarks_rule_3.6.5_Ensure_firewall_rules_exist_for_all_open_
ports"
control
"xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_password_creation_requirements_are
_configured"
control "xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_system_accounts_are_non-
login"
control
"xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_password_fields_are_not_empty"
control
"xccdf_org.cisecurity.benchmarks_rule_5.4.1.4_Ensure_inactive_password_lock_is_30_day
s_or_less"
.
.
.
end
CIS Benchmark for
RHEL7, Level 1
Customer PCI-DSS
Profile
Inheritance and
customization
Chef Automate premium content
Customer-owned
Visualize and Examine Compliance Continuously
Wrap-Up
• Audits can be time-consuming and stressful without automation.
• Existing approaches like scanning or packet capture gather too much data
and don't appropriately manage exceptions or customizations.
• They also leave compliance issues unchecked until too late in the process
when fixing them is expensive.
• To reduce stress, save time, and make systems safer, adopt a continuous
compliance approach to shift compliance left.
• InSpec and Chef Automate break down communication barriers between
groups involved in compliance by introducing a common language for
describing it.
• You can increase speed while decreasing risk with this approach.
Demo: How compliant is this
cloud environment?
Technical Session
Duration 30 minutes
Mapping Generic Profiles to
Industry regulations
CIS maps industry specific requirements
to generic CIS controls
Chef Automate provides automated tests
written in InSpec that conform to the
industry specifications set by regulatory
bodies and many business verticals​
Demos
Demo 1 – Scanning Your Infrastructure
Demo 2 – Scanning a Chef Managed VM
Demo 3 – Configuring and Scanning Azure
Demo 1 Scanning Your Infrastructure
➔In the first demo we're going to use Chef Automate to perform a scan of a
RHEL7 virtual machine that is running in Azure. We’ll use a PCI DSS specific
profile
We will then view the scan results within the Chef Automate dashboard
➔Note:
• This virtual machine is NOT managed by Chef​
• There is no Chef client on the machine - all Chef Automate needs is
SSH/WinRM access​
Demo 2 Scanning a Chef Managed VM
➔In the second demo we're going to bootstrap a RHEL7 virtual machine that is
running in Azure to be managed by Chef
➔This VM will have a special 'Audit Cookbook' in its run-list, so the PCI_DSS
profile executes periodically each time Chef runs and posts the results to
Chef Automate, giving us Continuous Compliance
Once the bootstrap is complete, we will view the scan results within the Chef
Automate dashboard
➔One key aspect of Chef Automate is its ability to not only scan virtual
machines running in a cloud, but also its ability to scan the cloud
infrastructure itself, for example: subscriptions, networking, and storage etc
➔In our third demo we will scan your Azure environment for compliance
against the 'CIS Azure Foundations Benchmark' profile
Demo 3 Scanning Your Azure Cloud
Conclusion
➔The InSpec profiles allow you to define Compliance as Code
➔Chef Automate includes a subscription to an extensive profile library
that is supported and maintained by Chef
➔With Chef Automate you can
• Continuously evaluate compliance of your infrastructure
• Scan unmanaged infrastructure if you have SSH/WinRM access
• View real-time and historical compliance reports so you can evaluate
your infrastructures adherence to compliance over time
• Scan your cloud infrastructure
Next Steps
Try Chef Automate LearnChef Rally module
https://learn.chef.io/modules/try-chef-automate#/
Integrated Compliance LearnChef RallyTrack
https://learn.chef.io/tracks/integrated-compliance#/
I would also recommend the Chef Automate Compliance public training
https://training.chef.io/instructor-led-training/chef-automate-compliance
Shared Responsibility
Your Part in Securing Your Azure Deployments
Understand the Azure Shared Responsibility
● Cloud Providers take on an increasing
role in Security as you adopt
○ Physical Security
○ Host Infrastructure
○ Network Controls
● Azure provides many Security
Certifications
○ ISO/IEC
○ CSA/CCM
○ ITAR
○ HIPAA
○ And many more...
Learn More About Shared Responsibility for Cloud Computing
aka.ms/sharedresponsibility
How Responsibility is Divided
● You still own critical portions of your
Cloud Security
○ IaaS OS
○ Application Level
○ Identity
○ Data
● Ensuring compliance against your
standards is critical
○ CIS Standards
○ PCI Standards
○ DISA STIGs
Learn More About Shared Responsibility for Cloud Computing
aka.ms/sharedresponsibility
In Closing
● Get familiar with the Azure Shared Responsibility Model
● aka.ms/sharedresponsibility
● Create an inventory and plan for coverage of the your responsibility
● Look for areas to apply automation for continuous detection and remediation
● Download the Chef Automate Guide to PCI Compliance with InSpec whitepaper at:
https://www.chef.io/resource_category/white-paper/
● Remediate any non-compliant systems
● Set up a scanning schedule to ensure ongoing compliance
● Fine-tune profiles to your exact requirements
Reach out to your Chef team with any questions; they’ll be happy to help!
Workshop: The InSpec language for
practitioners
Technical session
Duration: 75 minutes
Objectives
In this workshop we will
1. Get a workstation to play on
2. Identify a specific regulatory control and establish the corresponding technical
requirements
3. Create the appropriate InSpec profile and control, and run it locally and on
another student's workstation and observer its not compliant
4. Run the profile again locally but report to Chef Automate
5. Use Chef to make local workstation compliant
6. Rerun the InSpec profile locally again and report to Chef Automate showing its
compliant
Find your Workstation IP Address
● http://link/to/ip/addresses
TASK
The authenticity of host 12.34.56.78 (12.34.56.78)' can't be established.
ECDSA key fingerprint is
SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (ECDSA) to the list of known
hosts.
chef@12.34.56.78's password: My-12-Char-Password
Task: Log in to your workstation
ssh azureuser@12.34.56.78
TASK
firstname-lastname reporter.json profiles
Task: Ensure You're in the Correct VM
touch firstname-lastname
ls -t
Everyone seeing JUST
their own name?
InSpec DSL and Compliance
Regulations
InSpec DSL & CIS Profiles
InSpec and Compliance
Many industries are bound by regulations maintained by
external bodies
• Sarbanes-Oxley – Financial Regulations
• PCI – Payment Card Industry Regulations
• HIPAA – Healthcare Regulations
• GDPR – General Data Protection Regulations
• STIG – Security Protocol Regulations
• etc
Many of these rules relate to technical requirements in their
application and infrastructure that they must comply with
Center for Internet Security
Center for Internet Security provides
benchmarks for secure configuration of
many platforms and applications
e.g. https://tinyurl.com/CIS-RHEL7
These rules can be referred to when
creating InSpec rules for Regulatory
bodys' guidelines
See https://tinyurl.com/CIS-Poster
"The Chef Automate Guide to PCI DSS Compliance"
Whitepaper
Lets look at a specific requirement from the whitepaper
Requirement 7: Restrict access to cardholder data by business
need to know
1. …
2.Ensure SSH root login is disabled
"Disallowing root logins over SSH requires system admins to
authenticate using their own individual account, then escalating to root
only via sudo (if you’ve disabled access to "su" as in the control above).
This restriction limits opportunity for non-repudiation and provides a clear
audit trail in the event of a security incident. The PermitRootLogin
parameter specifies if the root user can login using ssh."
TASK
#PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
Task: Check if SSH root login is disabled
sudo grep PermitRootLogin /etc/ssh/sshd_config
 This requirement maps directly to a check you can perform on the system
 Of course we can check a node manually, but this isn't practical when you
have 100's, or even 1000's, of nodes
 The InSpec DSL is specifically designed to run such tests
No Consistency in Commands
● PermitRootLogin Configured?
● SSH v2 Configured?
● Using TLS or SSL?
● Does user 'foo' have sudo access?
● Does user 'foo' have write access to /etc?
• No consistency on command
structure, syntax, & command
line switches
• All configuration files are
proprietary
• They're platform specific
(RHEL, Debian, Windows, …)
What is InSpec?
InSpec provides consistent DSL that is platform agnostic to check
status of any component
 packages
 files
 users
 …
Complex implementation code abstracted out
Many InSpec profiles exist in the community and Chef supplies,
maintains and supports 100+ profiles aligned to industry specific
compliance regulations
TASK
Commands:
inspec archive PATH # archive a profile to tar.gz (default) or zip
inspec artifact SUBCOMMAND ... # Sign, verify and install artifacts
inspec check PATH # verify all tests at the specified PATH
inspec compliance SUBCOMMAND ... # Chef Compliance commands
inspec detect # detect the target OS
inspec env # Output shell-appropriate completion configuration
inspec exec PATHS # run all test files at the specified PATH.
inspec habitat SUBCOMMAND ... # Commands for InSpec + Habitat Integration
inspec help [COMMAND] # Describe available commands or one specific command
...
The InSpec Command Line Interface
inspec --help
inspec init creates a profile
inspec check verifies the compliance profile code
inspec exec runs the tests against a system
TASK
Create new profile at /home/azureuser/profiles/ssh
* Create file README.md
* Create directory controls
* Create file controls/example.rb
* Create file inspec.yml
* Create directory libraries
Task: Create an InSpec Profile for SSH
inspec init profile ~/profiles/ssh
TASK
Create new profile at /home/azureuser/profiles/ssh
* Create file README.md
* Create directory controls
* Create file controls/example.rb
* Create file inspec.yml
* Create directory libraries
Task: Create an InSpec Profile for SSH
inspec init profile ~/profiles/ssh
Use the
'inspec'
command To initialise (i.e.
create) a profile
Called 'ssh'
In the '~/profiles'
directory
TASK
/home/azureuser/profiles/ssh
├── controls
│ └── example.rb
├── inspec.yml
├── libraries
└── README.md
2 directories, 3 files
Task: View InSpec Profile Structure
tree ~/profiles/ssh
The Anatomy of a Control File
● A control file within a profile contains
○ Some boilerplate information and a title
# encoding: utf-8
# copyright: 2018, The Authors
title 'sample section'
describe file('/tmp') do
it { should be_directory }
end
control 'tmp-1.0' do
tag 'tmp',
tag dir: '/tmp'
ref 'NSA-RH6 - Section 3.5.2.1'
impact 0.7
title 'Create /tmp directory'
desc 'An optional description...'
describe file('/tmp') do
it { should be_directory }
end
end
# encoding: utf-8
# copyright: 2018, The Authors
title 'sample section'
describe file('/tmp') do
it { should be_directory }
end
control 'tmp-1.0' do
tag 'tmp',
tag dir: '/tmp'
ref 'NSA-RH6 - Section 3.5.2.1'
impact 0.7
title 'Create /tmp directory'
desc 'An optional description...'
describe file('/tmp') do
it { should be_directory }
end
end
The Anatomy of a Control File
● A control file within a profile contains
○ Some boilerplate information and a title
○ One or more describe statements, each
containing one or more tests
# encoding: utf-8
# copyright: 2018, The Authors
title 'sample section'
describe file('/tmp') do
it { should be_directory }
end
control 'tmp-1.0' do
tag 'tmp',
tag dir: '/tmp'
ref 'NSA-RH6 - Section 3.5.2.1'
impact 0.7
title 'Create /tmp directory'
desc 'An optional description...'
describe file('/tmp') do
it { should be_directory }
end
end
The Anatomy of a Control File
● A control file within a profile contains
○ Some boilerplate information and a title
○ One or more describe statements, each
containing one or more tests
○ describe statements may be grouped within
control statements
# encoding: utf-8
# copyright: 2018, The Authors
title 'sample section'
describe file('/tmp') do
it { should be_directory }
end
control 'tmp-1.0' do
tag 'tmp',
tag dir: '/tmp'
ref 'NSA-RH6 - Section 3.5.2.1'
impact 0.7
title 'Create /tmp directory'
desc 'An optional description...'
describe file('/tmp') do
it { should be_directory }
end
end
The Anatomy of a Control File
● A control file within a profile
contains
○ Some boilerplate information and a title
○ One or more describe statements, each
containing one or more tests
○ describe statements may be grouped within
control statements
○ control statements may include extra
metadata defining for example
■ a unique ID for this control
■ the criticality, if this control fails.
■ a human-readable title and description
■ reference documentation
TASK
Task: Remove example controls file
rm /home/azureuser/profiles/ssh/controls/example.rb
Bit of housekeeping – we don’t need the default controls file
TASK
vi ~/profiles/ssh/controls/PermitRootLogin.rb
control "cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Task: Create Controls File 'PermitRootLogin.rb'
Even Cheatier
cp ~/.PermitRootLogin.rb ~/profiles/ssh/controls/PermitRootLogin.rb
Cheat Sheet
https://goo.gl/38AFhn
Click ⌘+a, ⌘+c
Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
Each control statement relates to a specific
compliance regulation.
Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
Mapping Compliance Documents to InSpec
control "cisecurity.benchmarks_rule_5.2.8…" do
title "Ensure SSH root login is disabled"
desc "The PermitRootLogin parameter ..."
impact 1.0
tag "cis-rhel7-2.1.1": "5.2.8"
tag "level": "1"
tag "type": ["Server", "Workstation"]
describe sshd_config do
its('PermitRootLogin') { should eq 'no' }
end
end
Requirement InSpec Control
CIS doc even gives details for a remediation
cookbook! More on this later.
Executing our code
● We now need to execute our InSpec profile
● We will use inspec exec command to do this
TASK
Profile: InSpec Profile (ssh)
Version: 0.1.0
Target: local://
× cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH root
login is disabled
× SSHD Configuration PermitRootLogin should eq "no"
expected: "no"
got: nil
(compared using ==)
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 1 failure, 0 skipped
Task: Run profile locally with InSpec command
sudo inspec exec profiles/ssh
Find Another Student's Workstation IP Address
● http://link/to/ip/addresses
TASK
Profile: InSpec Profile (ssh)
Version: 0.1.0
Target: ssh://azureuser@40.114.121.121:22
× cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH root
login is disabled
× SSHD Configuration PermitRootLogin should eq "no"
expected: "no"
got: nil
(compared using ==)
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 1 failure, 0 skipped
Task: Execute your profile on the remote target
inspec exec ~/profiles/ssh -t ssh://azureuser@104.211.54.213
--password My-12-Char-Password --sudo
Note the 'Target' is specified in the output
Note the 'Target' is specified in the output
InSpec and Chef Automate
● InSpec and Chef Automate go hand-in-hand to detect and report on
compliance issues
● InSpec profiles can be executed 'ad hoc' or at the end of each chef-
client run and a report back to Chef Automate
TASK
{
"reporter": {
"automate" : {
"stdout" : false,
"url" : "https://your-automante-server/data-collector/v0/",
"token" : SEhb7CkB_U9FiHFBWaTMW-3eyTQ=,
"insecure" : true,
"node_name" : "nodename-1",
"environment" : "dev"
}
}
}
InSpec Chef Automate integration
cat reporter.json
TASK
Run InSpec and Send Results to Chef Automate
sudo inspec exec ~/profiles/ssh --json-config reporter.json
Note, if you're using Chef on your nodes InSpec can be invoked on every chef-client run
and report sent back to Chef Automate to ensure continuous compliance
Results Posted to Chef Automate
Key Takeaways
● The format of the InSpec DSL fits neatly with the documents created
by industry-specific compliance regulatory bodies
● InSpec allows you to write those specifications as platform agnostic
code
What's next…?
• In the next section we'll look at how you can use Chef to correct your
infrastructure
Remediation
Detect and Correct
● Chef Automate not only allows you to invoke compliance scans
across your estate but it also facilitates remediation
● Chef builds out remediation cookbooks for all InSpec profiles on Chef
Automate
● For simplicity now we will run a simple remediation cookbook for our
SSH InSpec Profile on the local node
TASK
.chef/
└── cookbooks
└── ssh-remediation
├── Berksfile
├── CHANGELOG.md
├── chefignore
├── LICENSE
├── metadata.rb
├── README.md
├── recipes
│ └── default.rb
├── templates
│ └── sshd_config.erb
...
10 directories, 11 files
For expediency, the Cookbook is Already on the
Workstationtree .chef
TASK
...
template '/etc/ssh/ssh_config' do
source 'ssh_config.erb'
end
View the Chef Recipe and Template File
cat .chef/cookbooks/ssh-remediation/recipes/default.rb
...
#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
...
cat .chef/cookbooks/ssh-remediation/templates/sshd_config.erb -n
Line 50
TASK
[✔] Packaging cookbook... done!
[✔] Generating local policyfile... exporting... done!
[✔] Applying ssh-remediation::default from /home/azureuser/.chef/cookbooks/ssh-remediation to target.
└── [✔] [localhost] Successfully converged ssh-remediation::default.
Run the cookbook on the local machine
chef-run azureuser@localhost ssh-remediation::default --password My-12-Char-
Password --config .chef-workstation/config.toml
This will execute the remediation recipe and send an event to Chef Automate – you will
see this in the 'Client Runs' tab
View Chef Run
We will see details of the Chef client run in the 'Client Runs' tab of Chef
Automate
TASK
Profile: InSpec Profile (ssh)
Version: 0.1.0
Target: local://
✔ cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH
root login is disabled
✔ SSHD Configuration PermitRootLogin should eq "no"
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 1 successful, 0 failures, 0 skipped
Rerun the InSpec Test
sudo inspec exec profiles/ssh
TASK
Post Results in Chef Automate
sudo inspec exec profiles/ssh/ --json-config reporter.json
View Scan History
● Click the 'Scan History' button to see
a compliance history for this node
● The corresponding 'Event Feed' for
this node will identify what changes
occurred on a node to bring it into, or
out of, compliance
Next Steps
LearnChef Rally
● Try Chef Automate module
https://learn.chef.io/modules/try-chef-automate#/
● Integrated Compliance Track
https://learn.chef.io/tracks/integrated-compliance#/
● Compliance Automation with InSpec Track
https://learn.chef.io/tracks/compliance-automation#/
Also, Chef Automate Compliance public training
https://training.chef.io/instructor-led-training/chef-automate-compliance
Automation, Audits, and Apps Tour

Weitere ähnliche Inhalte

Was ist angesagt?

Chef compliance - Intermediate Training
Chef compliance - Intermediate TrainingChef compliance - Intermediate Training
Chef compliance - Intermediate TrainingSarah Hynes Cheney
 
Intermediate/Compliance training Guide
Intermediate/Compliance training GuideIntermediate/Compliance training Guide
Intermediate/Compliance training GuideChef
 
Product Overview: The New IBM UrbanCode Deploy 6.0
Product Overview: The New IBM UrbanCode Deploy 6.0Product Overview: The New IBM UrbanCode Deploy 6.0
Product Overview: The New IBM UrbanCode Deploy 6.0IBM UrbanCode Products
 
Automating and Accelerating Application Deployments to IBM WebSphere without ...
Automating and Accelerating Application Deployments to IBM WebSphere without ...Automating and Accelerating Application Deployments to IBM WebSphere without ...
Automating and Accelerating Application Deployments to IBM WebSphere without ...XebiaLabs
 
Compliance Automation with InSpec
Compliance Automation with InSpecCompliance Automation with InSpec
Compliance Automation with InSpec Nathen Harvey
 
Compliance Automation Workshop
Compliance Automation WorkshopCompliance Automation Workshop
Compliance Automation WorkshopChef
 
Azure handsonlab
Azure handsonlabAzure handsonlab
Azure handsonlabChef
 
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...cornelia davis
 
DevOps at Amazon: A Look at Our Tools and Processes
DevOps at Amazon: A Look at Our Tools and ProcessesDevOps at Amazon: A Look at Our Tools and Processes
DevOps at Amazon: A Look at Our Tools and ProcessesAmazon Web Services
 
Enterprise Cloud with IBM & Chef (ChefConf 2013)
Enterprise Cloud with IBM & Chef (ChefConf 2013)Enterprise Cloud with IBM & Chef (ChefConf 2013)
Enterprise Cloud with IBM & Chef (ChefConf 2013)Michael Elder
 
Measuring ROI and Driving Adoption of TAS in an Enterprise
Measuring ROI and Driving Adoption of TAS in an EnterpriseMeasuring ROI and Driving Adoption of TAS in an Enterprise
Measuring ROI and Driving Adoption of TAS in an EnterpriseVMware Tanzu
 
Ensuring Security and Feature Freshness with VMware Tanzu Observability
Ensuring Security and Feature Freshness with VMware Tanzu ObservabilityEnsuring Security and Feature Freshness with VMware Tanzu Observability
Ensuring Security and Feature Freshness with VMware Tanzu ObservabilityVMware Tanzu
 
DevOps in the Cloud with Microsoft Azure
DevOps in the Cloud with Microsoft AzureDevOps in the Cloud with Microsoft Azure
DevOps in the Cloud with Microsoft Azuregjuljo
 
Chef vs Puppet vs Ansible vs Saltstack | Configuration Management Tools | Dev...
Chef vs Puppet vs Ansible vs Saltstack | Configuration Management Tools | Dev...Chef vs Puppet vs Ansible vs Saltstack | Configuration Management Tools | Dev...
Chef vs Puppet vs Ansible vs Saltstack | Configuration Management Tools | Dev...Simplilearn
 
DOO-009_Powering High Velocity Development for your Infrastructure
DOO-009_Powering High Velocity Development for your InfrastructureDOO-009_Powering High Velocity Development for your Infrastructure
DOO-009_Powering High Velocity Development for your Infrastructuredecode2016
 
Cloud-native Data: Every Microservice Needs a Cache
Cloud-native Data: Every Microservice Needs a CacheCloud-native Data: Every Microservice Needs a Cache
Cloud-native Data: Every Microservice Needs a Cachecornelia davis
 
Troubleshooting App Health and Performance with PCF Metrics 1.2
Troubleshooting App Health and Performance with PCF Metrics 1.2Troubleshooting App Health and Performance with PCF Metrics 1.2
Troubleshooting App Health and Performance with PCF Metrics 1.2VMware Tanzu
 
UrbanCode Deploy and Docker Containers Connect the Dots
UrbanCode Deploy and Docker Containers Connect the DotsUrbanCode Deploy and Docker Containers Connect the Dots
UrbanCode Deploy and Docker Containers Connect the DotsIBM UrbanCode Products
 
Devops: Who Does What? - Devops Enterprise Summit 2016
Devops: Who Does What? - Devops Enterprise Summit 2016Devops: Who Does What? - Devops Enterprise Summit 2016
Devops: Who Does What? - Devops Enterprise Summit 2016cornelia davis
 
CI/CD - A strategy for success (North Africa Dreamin' Prez)
CI/CD - A strategy for success (North Africa Dreamin' Prez)CI/CD - A strategy for success (North Africa Dreamin' Prez)
CI/CD - A strategy for success (North Africa Dreamin' Prez)Yassine ELQANDILI ☁
 

Was ist angesagt? (20)

Chef compliance - Intermediate Training
Chef compliance - Intermediate TrainingChef compliance - Intermediate Training
Chef compliance - Intermediate Training
 
Intermediate/Compliance training Guide
Intermediate/Compliance training GuideIntermediate/Compliance training Guide
Intermediate/Compliance training Guide
 
Product Overview: The New IBM UrbanCode Deploy 6.0
Product Overview: The New IBM UrbanCode Deploy 6.0Product Overview: The New IBM UrbanCode Deploy 6.0
Product Overview: The New IBM UrbanCode Deploy 6.0
 
Automating and Accelerating Application Deployments to IBM WebSphere without ...
Automating and Accelerating Application Deployments to IBM WebSphere without ...Automating and Accelerating Application Deployments to IBM WebSphere without ...
Automating and Accelerating Application Deployments to IBM WebSphere without ...
 
Compliance Automation with InSpec
Compliance Automation with InSpecCompliance Automation with InSpec
Compliance Automation with InSpec
 
Compliance Automation Workshop
Compliance Automation WorkshopCompliance Automation Workshop
Compliance Automation Workshop
 
Azure handsonlab
Azure handsonlabAzure handsonlab
Azure handsonlab
 
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...
12 Factor, or Cloud Native Apps – What EXACTLY Does that Mean for Spring Deve...
 
DevOps at Amazon: A Look at Our Tools and Processes
DevOps at Amazon: A Look at Our Tools and ProcessesDevOps at Amazon: A Look at Our Tools and Processes
DevOps at Amazon: A Look at Our Tools and Processes
 
Enterprise Cloud with IBM & Chef (ChefConf 2013)
Enterprise Cloud with IBM & Chef (ChefConf 2013)Enterprise Cloud with IBM & Chef (ChefConf 2013)
Enterprise Cloud with IBM & Chef (ChefConf 2013)
 
Measuring ROI and Driving Adoption of TAS in an Enterprise
Measuring ROI and Driving Adoption of TAS in an EnterpriseMeasuring ROI and Driving Adoption of TAS in an Enterprise
Measuring ROI and Driving Adoption of TAS in an Enterprise
 
Ensuring Security and Feature Freshness with VMware Tanzu Observability
Ensuring Security and Feature Freshness with VMware Tanzu ObservabilityEnsuring Security and Feature Freshness with VMware Tanzu Observability
Ensuring Security and Feature Freshness with VMware Tanzu Observability
 
DevOps in the Cloud with Microsoft Azure
DevOps in the Cloud with Microsoft AzureDevOps in the Cloud with Microsoft Azure
DevOps in the Cloud with Microsoft Azure
 
Chef vs Puppet vs Ansible vs Saltstack | Configuration Management Tools | Dev...
Chef vs Puppet vs Ansible vs Saltstack | Configuration Management Tools | Dev...Chef vs Puppet vs Ansible vs Saltstack | Configuration Management Tools | Dev...
Chef vs Puppet vs Ansible vs Saltstack | Configuration Management Tools | Dev...
 
DOO-009_Powering High Velocity Development for your Infrastructure
DOO-009_Powering High Velocity Development for your InfrastructureDOO-009_Powering High Velocity Development for your Infrastructure
DOO-009_Powering High Velocity Development for your Infrastructure
 
Cloud-native Data: Every Microservice Needs a Cache
Cloud-native Data: Every Microservice Needs a CacheCloud-native Data: Every Microservice Needs a Cache
Cloud-native Data: Every Microservice Needs a Cache
 
Troubleshooting App Health and Performance with PCF Metrics 1.2
Troubleshooting App Health and Performance with PCF Metrics 1.2Troubleshooting App Health and Performance with PCF Metrics 1.2
Troubleshooting App Health and Performance with PCF Metrics 1.2
 
UrbanCode Deploy and Docker Containers Connect the Dots
UrbanCode Deploy and Docker Containers Connect the DotsUrbanCode Deploy and Docker Containers Connect the Dots
UrbanCode Deploy and Docker Containers Connect the Dots
 
Devops: Who Does What? - Devops Enterprise Summit 2016
Devops: Who Does What? - Devops Enterprise Summit 2016Devops: Who Does What? - Devops Enterprise Summit 2016
Devops: Who Does What? - Devops Enterprise Summit 2016
 
CI/CD - A strategy for success (North Africa Dreamin' Prez)
CI/CD - A strategy for success (North Africa Dreamin' Prez)CI/CD - A strategy for success (North Africa Dreamin' Prez)
CI/CD - A strategy for success (North Africa Dreamin' Prez)
 

Ähnlich wie Automation, Audits, and Apps Tour

Automation, Audits, and Apps Tour
Automation, Audits, and Apps TourAutomation, Audits, and Apps Tour
Automation, Audits, and Apps TourChef
 
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...Matt Ray
 
A research on- Sales force Project- documentation
A research on- Sales force Project- documentationA research on- Sales force Project- documentation
A research on- Sales force Project- documentationPasupathi Ganesan
 
Application Modernization With Cloud Native Approach_ An in-depth Guide.pdf
Application Modernization With Cloud Native Approach_ An in-depth Guide.pdfApplication Modernization With Cloud Native Approach_ An in-depth Guide.pdf
Application Modernization With Cloud Native Approach_ An in-depth Guide.pdfbasilmph
 
Wellington DevOps: Bringing Your Applications into the Future with Habitat
Wellington DevOps: Bringing Your Applications into the Future with HabitatWellington DevOps: Bringing Your Applications into the Future with Habitat
Wellington DevOps: Bringing Your Applications into the Future with HabitatMatt Ray
 
Managing Complexity at Velocity
Managing Complexity at VelocityManaging Complexity at Velocity
Managing Complexity at VelocityMatt Ray
 
How to modernize legacy application infrastructure?
How to modernize legacy application infrastructure?How to modernize legacy application infrastructure?
How to modernize legacy application infrastructure?Cygnet Infotech
 
Are your cloud applications performing? How Application Performance Managemen...
Are your cloud applications performing? How Application Performance Managemen...Are your cloud applications performing? How Application Performance Managemen...
Are your cloud applications performing? How Application Performance Managemen...DevOps.com
 
How Can Your Organization Benefit From Application Modernization_.pdf
How Can Your Organization Benefit From Application Modernization_.pdfHow Can Your Organization Benefit From Application Modernization_.pdf
How Can Your Organization Benefit From Application Modernization_.pdfAnil
 
whitepaper_workday_technology_platform_devt_process
whitepaper_workday_technology_platform_devt_processwhitepaper_workday_technology_platform_devt_process
whitepaper_workday_technology_platform_devt_processEric Saraceno
 
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...Matt Ray
 
Choose The Right Application Modernization Strategy For Your Business
Choose The Right Application Modernization Strategy For Your BusinessChoose The Right Application Modernization Strategy For Your Business
Choose The Right Application Modernization Strategy For Your BusinessAmzur Technologies Inc
 
Technology insights: Decision Science Platform
Technology insights: Decision Science PlatformTechnology insights: Decision Science Platform
Technology insights: Decision Science PlatformDecision Science Community
 
DevOps for Enterprise Systems : Innovate like a Startup
DevOps for Enterprise Systems : Innovate like a StartupDevOps for Enterprise Systems : Innovate like a Startup
DevOps for Enterprise Systems : Innovate like a StartupDevOps for Enterprise Systems
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Apigee | Google Cloud
 
Make A Stress Free Move To The Cloud: Application Modernization and Managemen...
Make A Stress Free Move To The Cloud: Application Modernization and Managemen...Make A Stress Free Move To The Cloud: Application Modernization and Managemen...
Make A Stress Free Move To The Cloud: Application Modernization and Managemen...Dell World
 
DeveloperWeek 2020: Cloud-Native and Microservices Accelerate Process Improve...
DeveloperWeek 2020: Cloud-Native and Microservices Accelerate Process Improve...DeveloperWeek 2020: Cloud-Native and Microservices Accelerate Process Improve...
DeveloperWeek 2020: Cloud-Native and Microservices Accelerate Process Improve...Shahir Daya
 
Infrastructure migration to azure cloud
Infrastructure migration to azure cloudInfrastructure migration to azure cloud
Infrastructure migration to azure cloudAlletec
 
7 Essential Steps to Cloud Adoption.pdf
7 Essential Steps to Cloud Adoption.pdf7 Essential Steps to Cloud Adoption.pdf
7 Essential Steps to Cloud Adoption.pdfAnil
 

Ähnlich wie Automation, Audits, and Apps Tour (20)

Automation, Audits, and Apps Tour
Automation, Audits, and Apps TourAutomation, Audits, and Apps Tour
Automation, Audits, and Apps Tour
 
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...
Cloud Expo Asia 20181010 - Bringing Your Applications into the Future with Ha...
 
A research on- Sales force Project- documentation
A research on- Sales force Project- documentationA research on- Sales force Project- documentation
A research on- Sales force Project- documentation
 
Application Modernization With Cloud Native Approach_ An in-depth Guide.pdf
Application Modernization With Cloud Native Approach_ An in-depth Guide.pdfApplication Modernization With Cloud Native Approach_ An in-depth Guide.pdf
Application Modernization With Cloud Native Approach_ An in-depth Guide.pdf
 
Wellington DevOps: Bringing Your Applications into the Future with Habitat
Wellington DevOps: Bringing Your Applications into the Future with HabitatWellington DevOps: Bringing Your Applications into the Future with Habitat
Wellington DevOps: Bringing Your Applications into the Future with Habitat
 
Managing Complexity at Velocity
Managing Complexity at VelocityManaging Complexity at Velocity
Managing Complexity at Velocity
 
How to modernize legacy application infrastructure?
How to modernize legacy application infrastructure?How to modernize legacy application infrastructure?
How to modernize legacy application infrastructure?
 
Application Modernization
Application ModernizationApplication Modernization
Application Modernization
 
Are your cloud applications performing? How Application Performance Managemen...
Are your cloud applications performing? How Application Performance Managemen...Are your cloud applications performing? How Application Performance Managemen...
Are your cloud applications performing? How Application Performance Managemen...
 
How Can Your Organization Benefit From Application Modernization_.pdf
How Can Your Organization Benefit From Application Modernization_.pdfHow Can Your Organization Benefit From Application Modernization_.pdf
How Can Your Organization Benefit From Application Modernization_.pdf
 
whitepaper_workday_technology_platform_devt_process
whitepaper_workday_technology_platform_devt_processwhitepaper_workday_technology_platform_devt_process
whitepaper_workday_technology_platform_devt_process
 
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...
DevOps Days Singapore 2018 Ignite - Bringing Your Applications into the Futur...
 
Choose The Right Application Modernization Strategy For Your Business
Choose The Right Application Modernization Strategy For Your BusinessChoose The Right Application Modernization Strategy For Your Business
Choose The Right Application Modernization Strategy For Your Business
 
Technology insights: Decision Science Platform
Technology insights: Decision Science PlatformTechnology insights: Decision Science Platform
Technology insights: Decision Science Platform
 
DevOps for Enterprise Systems : Innovate like a Startup
DevOps for Enterprise Systems : Innovate like a StartupDevOps for Enterprise Systems : Innovate like a Startup
DevOps for Enterprise Systems : Innovate like a Startup
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?
 
Make A Stress Free Move To The Cloud: Application Modernization and Managemen...
Make A Stress Free Move To The Cloud: Application Modernization and Managemen...Make A Stress Free Move To The Cloud: Application Modernization and Managemen...
Make A Stress Free Move To The Cloud: Application Modernization and Managemen...
 
DeveloperWeek 2020: Cloud-Native and Microservices Accelerate Process Improve...
DeveloperWeek 2020: Cloud-Native and Microservices Accelerate Process Improve...DeveloperWeek 2020: Cloud-Native and Microservices Accelerate Process Improve...
DeveloperWeek 2020: Cloud-Native and Microservices Accelerate Process Improve...
 
Infrastructure migration to azure cloud
Infrastructure migration to azure cloudInfrastructure migration to azure cloud
Infrastructure migration to azure cloud
 
7 Essential Steps to Cloud Adoption.pdf
7 Essential Steps to Cloud Adoption.pdf7 Essential Steps to Cloud Adoption.pdf
7 Essential Steps to Cloud Adoption.pdf
 

Mehr von Chef

London Community Summit 2016 - Adopting Chef Compliance
London Community Summit 2016 - Adopting Chef ComplianceLondon Community Summit 2016 - Adopting Chef Compliance
London Community Summit 2016 - Adopting Chef ComplianceChef
 
Learning from Configuration Management
Learning from Configuration Management Learning from Configuration Management
Learning from Configuration Management Chef
 
London Community Summit 2016 - Fresh New Chef Stuff
London Community Summit 2016 - Fresh New Chef StuffLondon Community Summit 2016 - Fresh New Chef Stuff
London Community Summit 2016 - Fresh New Chef StuffChef
 
London Community Summit - Chef at SkyBet
London Community Summit - Chef at SkyBetLondon Community Summit - Chef at SkyBet
London Community Summit - Chef at SkyBetChef
 
London Community Summit - From Contribution to Authorship
London Community Summit - From Contribution to AuthorshipLondon Community Summit - From Contribution to Authorship
London Community Summit - From Contribution to AuthorshipChef
 
London Community Summit 2016 - Chef Automate
London Community Summit 2016 - Chef AutomateLondon Community Summit 2016 - Chef Automate
London Community Summit 2016 - Chef AutomateChef
 
London Community Summit 2016 - Community Update
London Community Summit 2016 - Community UpdateLondon Community Summit 2016 - Community Update
London Community Summit 2016 - Community UpdateChef
 
London Community Summit 2016 - Habitat
London Community Summit 2016 -  HabitatLondon Community Summit 2016 -  Habitat
London Community Summit 2016 - HabitatChef
 
Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4Chef
 
Compliance Automation with Inspec Part 3
Compliance Automation with Inspec Part 3Compliance Automation with Inspec Part 3
Compliance Automation with Inspec Part 3Chef
 
Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Chef
 
Compliance Automation with Inspec Part 1
Compliance Automation with Inspec Part 1Compliance Automation with Inspec Part 1
Compliance Automation with Inspec Part 1Chef
 
Application Automation with Habitat
Application Automation with HabitatApplication Automation with Habitat
Application Automation with HabitatChef
 
Nike pop up habitat
Nike pop up   habitatNike pop up   habitat
Nike pop up habitatChef
 
Nike popup compliance workshop
Nike popup compliance workshopNike popup compliance workshop
Nike popup compliance workshopChef
 
Chef Automate Workflow Demo
Chef Automate Workflow DemoChef Automate Workflow Demo
Chef Automate Workflow DemoChef
 
The caseforawesome
The caseforawesomeThe caseforawesome
The caseforawesomeChef
 
Netflix's Could Migration
Netflix's Could MigrationNetflix's Could Migration
Netflix's Could MigrationChef
 
Alaska Airlines DevOps Journey
Alaska Airlines DevOps JourneyAlaska Airlines DevOps Journey
Alaska Airlines DevOps JourneyChef
 
And The Slow Suffer What They Must
And The Slow Suffer What They MustAnd The Slow Suffer What They Must
And The Slow Suffer What They MustChef
 

Mehr von Chef (20)

London Community Summit 2016 - Adopting Chef Compliance
London Community Summit 2016 - Adopting Chef ComplianceLondon Community Summit 2016 - Adopting Chef Compliance
London Community Summit 2016 - Adopting Chef Compliance
 
Learning from Configuration Management
Learning from Configuration Management Learning from Configuration Management
Learning from Configuration Management
 
London Community Summit 2016 - Fresh New Chef Stuff
London Community Summit 2016 - Fresh New Chef StuffLondon Community Summit 2016 - Fresh New Chef Stuff
London Community Summit 2016 - Fresh New Chef Stuff
 
London Community Summit - Chef at SkyBet
London Community Summit - Chef at SkyBetLondon Community Summit - Chef at SkyBet
London Community Summit - Chef at SkyBet
 
London Community Summit - From Contribution to Authorship
London Community Summit - From Contribution to AuthorshipLondon Community Summit - From Contribution to Authorship
London Community Summit - From Contribution to Authorship
 
London Community Summit 2016 - Chef Automate
London Community Summit 2016 - Chef AutomateLondon Community Summit 2016 - Chef Automate
London Community Summit 2016 - Chef Automate
 
London Community Summit 2016 - Community Update
London Community Summit 2016 - Community UpdateLondon Community Summit 2016 - Community Update
London Community Summit 2016 - Community Update
 
London Community Summit 2016 - Habitat
London Community Summit 2016 -  HabitatLondon Community Summit 2016 -  Habitat
London Community Summit 2016 - Habitat
 
Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4Compliance Automation with Inspec Part 4
Compliance Automation with Inspec Part 4
 
Compliance Automation with Inspec Part 3
Compliance Automation with Inspec Part 3Compliance Automation with Inspec Part 3
Compliance Automation with Inspec Part 3
 
Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2Compliance Automation with Inspec Part 2
Compliance Automation with Inspec Part 2
 
Compliance Automation with Inspec Part 1
Compliance Automation with Inspec Part 1Compliance Automation with Inspec Part 1
Compliance Automation with Inspec Part 1
 
Application Automation with Habitat
Application Automation with HabitatApplication Automation with Habitat
Application Automation with Habitat
 
Nike pop up habitat
Nike pop up   habitatNike pop up   habitat
Nike pop up habitat
 
Nike popup compliance workshop
Nike popup compliance workshopNike popup compliance workshop
Nike popup compliance workshop
 
Chef Automate Workflow Demo
Chef Automate Workflow DemoChef Automate Workflow Demo
Chef Automate Workflow Demo
 
The caseforawesome
The caseforawesomeThe caseforawesome
The caseforawesome
 
Netflix's Could Migration
Netflix's Could MigrationNetflix's Could Migration
Netflix's Could Migration
 
Alaska Airlines DevOps Journey
Alaska Airlines DevOps JourneyAlaska Airlines DevOps Journey
Alaska Airlines DevOps Journey
 
And The Slow Suffer What They Must
And The Slow Suffer What They MustAnd The Slow Suffer What They Must
And The Slow Suffer What They Must
 

Kürzlich hochgeladen

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 

Kürzlich hochgeladen (20)

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 

Automation, Audits, and Apps Tour

  • 1.
  • 2. Welcome, we’re glad you joined us ● Automation, Audits, and Apps? And Azure? ● Practical solutions to real problems ● Learning from each other
  • 3. Our vision: The most enduring and transformative companies use Chef to become fast, efficient, and innovative software-driven organizations. Velocity: time from idea to shipIdea Ship Infrastructure Automation Compliance Automation Application Automation
  • 6. My existing (legacy) apps run my business. How can I get them moving more quickly? We hear two concerns from leaders most frequently: Compliance is slowing us down, and audits are painful. How can we move faster while meeting requirements?
  • 7. My existing (legacy) apps run my business. How can I get them moving more quickly? Your perspective on these two concerns • Take one minute to think about the legacy apps you manage and the current and long term impact on your business • Connect with someone in the room that you don’t know and discuss (you have 5 minutes)
  • 8. Your perspective on these two concerns Compliance is slowing us down, and audits are painful. How can we move faster while meeting requirements? • Take one minute to think about your efforts to stay within compliance, the work you do to prepare for audits, and the current and long term impact on your business • Connect with someone in the room that you don’t know and discuss (you have 5 minutes)
  • 9.
  • 10.
  • 11.
  • 12.
  • 13. Cloud migration will continue to grow
  • 14.
  • 15.
  • 16.
  • 19. Confidently migrate your applications, data, and infrastructure to Azure
  • 21. Lower your TCO significantly by migrating to Azure Azure.com/tco
  • 24. Choice of tools for every stage and every requirement Azure security and management (security, backup, monitoring, cost management) Azure Database Migration Service Azure Site Recovery Azure Data Box Assess Migrate Optimize Data Migration Assistant Azure Migrate SQL Server Migration Assistant Microsoft Partners
  • 26. Summarizing cloud migration strategies Redeploy as-is to cloud • Reduce Capex • Free up datacenter space • Quick cloud ROI IaaS Minimally alter to take better advantage of cloud • Faster, shorter, updates • Code portability • Greater cloud efficiency (resources, speed, cost) Containers PaaS Materially alter/decompose application to services • App scale and agility • Easier adoption of new cloud capabilities • Mix technology stacks PaaS Serverless Microservices New code written with cloud native approach • Accelerate innovation • Build apps faster • Reduce operational cost Description Drivers Technologies
  • 27. Migration strategies: Rehost application (i.e., lift & shift)
  • 31. Confidently migrate all your apps, data, and infrastructure to Azure
  • 33.
  • 34.
  • 36. What We Want to Share Today ● Highlights from Chef's 2018 State of Applications survey: you have company ● Challenges with modernizing legacy applications ● How Habitat can help you lift, shift and modernize to adopt cloud and container technology even for older applications
  • 37. Chef's 2018 State of Application Delivery Survey
  • 38. Survey Insights How do you measure app deployment success? Speed is success for applications - but achieving speed is a big challenge. Speed* How long does it take to complete the app build process? Days or Longer How many builds before an app is deployed to production? 61% 72% Four or More 55% * “Time from code to production” or “Time from commit to deploy” 46 45 34
  • 39. Survey Insights In 2 years, what percent of your apps will be deployed on container platforms? 1/4 or More 51% Which approach will you use to transition apps to new architectures & infrastructures? Aggressive plans for containerization, most often by lifting, shifting, and modernizing applications. 73% 52% Lift, Shift, Modernize Rewrite Apps Speed is success for applications - but achieving speed is a big challenge.
  • 40. Survey Insights Aggressive plans for containerization, most often by lifting, shifting, and modernizing applications. Which is the most challenging aspect of the application lifecycle? Management 44% What percent of production apps run in the following environments? Environments are heavily heterogeneous, and application management is most challenging. Speed is success for applications - but achieving speed is a big challenge.
  • 41. In search of speed, organizations are moving to the next platform while carrying legacy weight. It’s already difficult to manage. It’s going to get harder. Now is the time to think about a comprehensive application strategy.
  • 42. The Benefits and Problems of Legacy Legacy is shorthand for critical business applications with longevity. But it creates manageability problems: Windows 2003 MSVC, COM+, etc. Business App 1 Windows 2008 R2 MS .NET 2.0 Business App 2 Red Hat Linux 5 IBM WebSphere Business App 3 Red Hat Linux 6 Tomcat 6 / Java 7 Business App 4 This is frustrating because the business value is in the app. Yet you carry all of the burden to support it.
  • 43. Heterogeneity is a reality in IT Heterogeneous applications are the past, present and future. How could we extract the applications' business value from the underlying infrastructure to improve its manageability? Business App 1 Business App 2 Business App 3 Business App 4 89% of respondents desire a cross-environment application packaging solution. Source: Chef's 2018 State of Application Delivery Survey
  • 44. Habitat enables application teams to build, deploy, and manage any application in any environment - from traditional data centers to containerized microservices. Introducing Habitat 1. “Lift & Shift” Legacy Apps to Modern Platforms Organizations struggle to move existing, business critical apps to modern platforms 2. Deliver on a Cloud-Native (Cloud/Containers) Strategy Organizations hit a wall when adopting and deploying to a cloud- native platform
  • 45. How does it work? It splits the platform-independent part of the application from the platform- dependent part. BUILD DEPLOY MANAGE Ring Supervisor Platform-Independent Build Export Platform-Dependent Deploy
  • 46. How does it work? ● All of the problems shown previously are a result of this pattern: building up from the operating system. ● The entire triangle becomes the artifact you carry around with you now and in the future (including sometimes the VM and the server!) Libraries Operating System Application Application & Libraries ● Habitat builds from the application down ● Embedded supervisor as standard management interface ● Builds have strict dependency control Application Libraries OS
  • 47. Customer Story - Modernizing Legacy Apps The challenge: ● Large auto manufacturer moving COTS apps to next generation data center ● Example legacy app: Windows application written in Borland Delphi in 2003 - in Portuguese ● Lot of value in the app, painful to rewrite The solution: ● Package the application and its dependencies with Habitat ● Enable the application to be deployed to any environment - next generation datacenter and beyond ● Manage the application through its lifecycle - updates, patches, etc. ● Gain manageability benefits in the new environment and maintain value of the app without rewriting
  • 48. What They’re Saying "With Habitat, we have an easier onramp to packaging our apps in any environment. The learning curve for our dev teams who are doing a little bit of ops as well as traditional software engineering is a lot less steep. The fact that we can radically simplify deployment processes by treating every service as an artifact is very powerful. Adopting Habitat means you have a reproducible, consistent method for build and deploy, and you can apply that model to every service or application that you're running. Once you've learned how one service is deployed or managed, you've got everything you need to figure out the next service after that." “While the application portability benefits of containers are widely recognized, lack of consistency in packaging and orchestration across the application lifecycle has, in many cases, limited the success of their deployment at scale, even when using cloud- native architectures. Separating packaging, deployment concerns, and artifacts is one strategy that can empower teams to deliver on business objectives of delivering software at speed, with high quality.” Blake Irvin Engineer at smartB Energy Management GmbH Stephen Elliot Program Vice President at IDC
  • 49.
  • 51. The Benefits and Problems of Legacy Legacy is shorthand for critical business applications with longevity. But it creates manageability problems: Windows 2003 MSVC, COM+, etc. Business App 1 Windows 2008 R2 MS .NET 2.0 Business App 2 Red Hat Linux 5 IBM WebSphere Business App 3 Red Hat Linux 6 Tomcat 6 / Java 7 Business App 4 This is frustrating because the business value is in the app. Yet you carry all of the burden to support it.
  • 52. Example Application: sqlwebadmin Sample application from Microsoft's Codeplex Archive Last updated in 2008, tightly coupled to Windows 2003 Windows 2003 ASP.NET 2.0 sqlwebadmin This is frustrating because the business value is in the app. Yet you carry all of the burden to support it. Windows Server 2016 ASP.NET 2.0 sqlwebadmin
  • 53. Building sqlwebadmin ● Habitat collects application details in a plan ● The Habitat Studio provides a 'clean room' environment in which to build your artifact ● Habitat artifacts can be launched by the 'hab' CLI
  • 55. Deploying sqlwebadmin ● Habitat services can be deployed into supervisor rings ● SQLServer 2005 is published as a core plan on bldr.habitat.sh ● Habitat artifacts use service binds to allow inter-service communication without hard-coding settings SERVICE SUPERVISOR SERVICE SUPERVISOR SERVICE SUPERVISOR SERVICE SUPERVISOR SERVICE SUPERVISOR SERVICE SUPERVISOR
  • 57. Managing sqlwebadmin ● Habitat artifacts define configuration tunables as variables ● Configuration settings can be updated via CLI or API on running instances or service groups ● Configuration updates automatically trigger any required run hooks within each service ASP.NET 2.0 sqlwebadmin ASP.NET 2.0 sqlwebadmin hab config apply
  • 59. Targeting Modern Runtimes ● Habitat artifacts can be natively exported to container formats like docker ● Exported artifacts can be run with runtime-specific tools (e.g. docker run, docker-compose up) ● Habitat artifacts behave consistently in servers or containers
  • 60.
  • 61. Why Are Audits Painful? … and how can automation help? Your Name youremail@chef.io
  • 62. Who loves an audit? Nobody!
  • 63. Audits are... ● Time-consuming: They distract from product development. ● Stressful: Sometimes auditors or compliance personnel see themselves as the "police" rather than helping the business be successful. ● Overwhelming: Cloud scale plus an increase in regulations leads to escalating data volume.
  • 64. Traditional Approaches Exacerbate Audit Pain Security reviews: • are often manual (slow); • generate too much data from scanning-oriented approaches; • catch problems too late in the development cycle to economically fix; • don't manage exceptions appropriately.
  • 65.
  • 66.
  • 67. Least compliant criteria: testing for it
  • 68.
  • 69. What we have here is a communication problem Compliance Security Dev/Ops
  • 70. Continuous Compliance Uses a Common Language control 'ensure_selinux_installed' do impact 1.0 title 'Ensure SELinux is installed' desc <<-EOD SELinux provides Mandatory Access Control EOD describe package('libselinux') do it { should be_installed } end end InSpec helps express security & compliance requirements as code and incorporate it directly into the delivery process. Systems shall have a Mandatory Access Control system installed and enabled.
  • 71. Benefits of Continuous Compliance ● Maintain an up-to-date and historical record of compliance status to satisfy both scheduled and ad-hoc audit requests ● Detect and correct security issues long before they reach production ● Reduce risk while delivering applications faster Example: Major healthcare services provider reduced audit cycle times by 95% by continuously detecting and remediating compliance errors.
  • 72. Mapping a Compliance Regime to InSpec PCI DSS Example
  • 73. PCI DSS Overview ● 12 Key Requirements ● Two key requirements (9 and 12) refer to physical security and are not system-level tests ● CIS (Center for Internet Security) Benchmarks can be used as the basis of a PCI compliance policy ● Some customization is necessary. InSpec's inheritance features allow this to be easily done.
  • 74.
  • 75. PCI Requirement 8 Identify and authenticate access to system components. Example control: Restrict logins to accounts (e.g. system accounts) that do not have a password. control "cisecurity.benchmarks_rule_5.2.9_Ensure_SSH_PermitEmptyPasswords_is_disabled" do title "Ensure SSH PermitEmptyPasswords is disabled" desc "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings. Rationale: Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" impact 1.0 tag "cis-rhel7-2.1.1": "5.2.9" tag "level": "1" tag "type": ["Server", "Workstation"] describe sshd_config do its('PermitEmptyPasswords') { should eq 'no' } end end
  • 76. Control Inheritance For Reusability require_controls 'cis-rhel7-level1-server' do control "xccdf_org.cisecurity.benchmarks_rule_3.6.5_Ensure_firewall_rules_exist_for_all_open_ ports" control "xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_password_creation_requirements_are _configured" control "xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_system_accounts_are_non- login" control "xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_password_fields_are_not_empty" control "xccdf_org.cisecurity.benchmarks_rule_5.4.1.4_Ensure_inactive_password_lock_is_30_day s_or_less" . . . end CIS Benchmark for RHEL7, Level 1 Customer PCI-DSS Profile Inheritance and customization Chef Automate premium content Customer-owned
  • 77. Visualize and Examine Compliance Continuously
  • 78. Wrap-Up • Audits can be time-consuming and stressful without automation. • Existing approaches like scanning or packet capture gather too much data and don't appropriately manage exceptions or customizations. • They also leave compliance issues unchecked until too late in the process when fixing them is expensive. • To reduce stress, save time, and make systems safer, adopt a continuous compliance approach to shift compliance left. • InSpec and Chef Automate break down communication barriers between groups involved in compliance by introducing a common language for describing it. • You can increase speed while decreasing risk with this approach.
  • 79.
  • 80. Demo: How compliant is this cloud environment? Technical Session Duration 30 minutes
  • 81. Mapping Generic Profiles to Industry regulations CIS maps industry specific requirements to generic CIS controls Chef Automate provides automated tests written in InSpec that conform to the industry specifications set by regulatory bodies and many business verticals​
  • 82. Demos Demo 1 – Scanning Your Infrastructure Demo 2 – Scanning a Chef Managed VM Demo 3 – Configuring and Scanning Azure
  • 83. Demo 1 Scanning Your Infrastructure ➔In the first demo we're going to use Chef Automate to perform a scan of a RHEL7 virtual machine that is running in Azure. We’ll use a PCI DSS specific profile We will then view the scan results within the Chef Automate dashboard ➔Note: • This virtual machine is NOT managed by Chef​ • There is no Chef client on the machine - all Chef Automate needs is SSH/WinRM access​
  • 84. Demo 2 Scanning a Chef Managed VM ➔In the second demo we're going to bootstrap a RHEL7 virtual machine that is running in Azure to be managed by Chef ➔This VM will have a special 'Audit Cookbook' in its run-list, so the PCI_DSS profile executes periodically each time Chef runs and posts the results to Chef Automate, giving us Continuous Compliance Once the bootstrap is complete, we will view the scan results within the Chef Automate dashboard
  • 85. ➔One key aspect of Chef Automate is its ability to not only scan virtual machines running in a cloud, but also its ability to scan the cloud infrastructure itself, for example: subscriptions, networking, and storage etc ➔In our third demo we will scan your Azure environment for compliance against the 'CIS Azure Foundations Benchmark' profile Demo 3 Scanning Your Azure Cloud
  • 86. Conclusion ➔The InSpec profiles allow you to define Compliance as Code ➔Chef Automate includes a subscription to an extensive profile library that is supported and maintained by Chef ➔With Chef Automate you can • Continuously evaluate compliance of your infrastructure • Scan unmanaged infrastructure if you have SSH/WinRM access • View real-time and historical compliance reports so you can evaluate your infrastructures adherence to compliance over time • Scan your cloud infrastructure
  • 87. Next Steps Try Chef Automate LearnChef Rally module https://learn.chef.io/modules/try-chef-automate#/ Integrated Compliance LearnChef RallyTrack https://learn.chef.io/tracks/integrated-compliance#/ I would also recommend the Chef Automate Compliance public training https://training.chef.io/instructor-led-training/chef-automate-compliance
  • 88.
  • 89. Shared Responsibility Your Part in Securing Your Azure Deployments
  • 90. Understand the Azure Shared Responsibility ● Cloud Providers take on an increasing role in Security as you adopt ○ Physical Security ○ Host Infrastructure ○ Network Controls ● Azure provides many Security Certifications ○ ISO/IEC ○ CSA/CCM ○ ITAR ○ HIPAA ○ And many more... Learn More About Shared Responsibility for Cloud Computing aka.ms/sharedresponsibility
  • 91. How Responsibility is Divided ● You still own critical portions of your Cloud Security ○ IaaS OS ○ Application Level ○ Identity ○ Data ● Ensuring compliance against your standards is critical ○ CIS Standards ○ PCI Standards ○ DISA STIGs Learn More About Shared Responsibility for Cloud Computing aka.ms/sharedresponsibility
  • 92. In Closing ● Get familiar with the Azure Shared Responsibility Model ● aka.ms/sharedresponsibility ● Create an inventory and plan for coverage of the your responsibility ● Look for areas to apply automation for continuous detection and remediation ● Download the Chef Automate Guide to PCI Compliance with InSpec whitepaper at: https://www.chef.io/resource_category/white-paper/ ● Remediate any non-compliant systems ● Set up a scanning schedule to ensure ongoing compliance ● Fine-tune profiles to your exact requirements Reach out to your Chef team with any questions; they’ll be happy to help!
  • 93.
  • 94. Workshop: The InSpec language for practitioners Technical session Duration: 75 minutes
  • 95. Objectives In this workshop we will 1. Get a workstation to play on 2. Identify a specific regulatory control and establish the corresponding technical requirements 3. Create the appropriate InSpec profile and control, and run it locally and on another student's workstation and observer its not compliant 4. Run the profile again locally but report to Chef Automate 5. Use Chef to make local workstation compliant 6. Rerun the InSpec profile locally again and report to Chef Automate showing its compliant
  • 96. Find your Workstation IP Address ● http://link/to/ip/addresses
  • 97. TASK The authenticity of host 12.34.56.78 (12.34.56.78)' can't be established. ECDSA key fingerprint is SHA256:zAtoeO29XbhRNvwg542cuh4qsKCEaX8hNIlEOCbgd3I. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '12.34.56.78' (ECDSA) to the list of known hosts. chef@12.34.56.78's password: My-12-Char-Password Task: Log in to your workstation ssh azureuser@12.34.56.78
  • 98. TASK firstname-lastname reporter.json profiles Task: Ensure You're in the Correct VM touch firstname-lastname ls -t
  • 100. InSpec DSL and Compliance Regulations InSpec DSL & CIS Profiles
  • 101. InSpec and Compliance Many industries are bound by regulations maintained by external bodies • Sarbanes-Oxley – Financial Regulations • PCI – Payment Card Industry Regulations • HIPAA – Healthcare Regulations • GDPR – General Data Protection Regulations • STIG – Security Protocol Regulations • etc Many of these rules relate to technical requirements in their application and infrastructure that they must comply with
  • 102. Center for Internet Security Center for Internet Security provides benchmarks for secure configuration of many platforms and applications e.g. https://tinyurl.com/CIS-RHEL7 These rules can be referred to when creating InSpec rules for Regulatory bodys' guidelines See https://tinyurl.com/CIS-Poster
  • 103. "The Chef Automate Guide to PCI DSS Compliance" Whitepaper Lets look at a specific requirement from the whitepaper Requirement 7: Restrict access to cardholder data by business need to know 1. … 2.Ensure SSH root login is disabled "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root only via sudo (if you’ve disabled access to "su" as in the control above). This restriction limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident. The PermitRootLogin parameter specifies if the root user can login using ssh."
  • 104. TASK #PermitRootLogin yes # the setting of "PermitRootLogin without-password". Task: Check if SSH root login is disabled sudo grep PermitRootLogin /etc/ssh/sshd_config  This requirement maps directly to a check you can perform on the system  Of course we can check a node manually, but this isn't practical when you have 100's, or even 1000's, of nodes  The InSpec DSL is specifically designed to run such tests
  • 105. No Consistency in Commands ● PermitRootLogin Configured? ● SSH v2 Configured? ● Using TLS or SSL? ● Does user 'foo' have sudo access? ● Does user 'foo' have write access to /etc? • No consistency on command structure, syntax, & command line switches • All configuration files are proprietary • They're platform specific (RHEL, Debian, Windows, …)
  • 106. What is InSpec? InSpec provides consistent DSL that is platform agnostic to check status of any component  packages  files  users  … Complex implementation code abstracted out Many InSpec profiles exist in the community and Chef supplies, maintains and supports 100+ profiles aligned to industry specific compliance regulations
  • 107. TASK Commands: inspec archive PATH # archive a profile to tar.gz (default) or zip inspec artifact SUBCOMMAND ... # Sign, verify and install artifacts inspec check PATH # verify all tests at the specified PATH inspec compliance SUBCOMMAND ... # Chef Compliance commands inspec detect # detect the target OS inspec env # Output shell-appropriate completion configuration inspec exec PATHS # run all test files at the specified PATH. inspec habitat SUBCOMMAND ... # Commands for InSpec + Habitat Integration inspec help [COMMAND] # Describe available commands or one specific command ... The InSpec Command Line Interface inspec --help inspec init creates a profile inspec check verifies the compliance profile code inspec exec runs the tests against a system
  • 108. TASK Create new profile at /home/azureuser/profiles/ssh * Create file README.md * Create directory controls * Create file controls/example.rb * Create file inspec.yml * Create directory libraries Task: Create an InSpec Profile for SSH inspec init profile ~/profiles/ssh
  • 109. TASK Create new profile at /home/azureuser/profiles/ssh * Create file README.md * Create directory controls * Create file controls/example.rb * Create file inspec.yml * Create directory libraries Task: Create an InSpec Profile for SSH inspec init profile ~/profiles/ssh Use the 'inspec' command To initialise (i.e. create) a profile Called 'ssh' In the '~/profiles' directory
  • 110. TASK /home/azureuser/profiles/ssh ├── controls │ └── example.rb ├── inspec.yml ├── libraries └── README.md 2 directories, 3 files Task: View InSpec Profile Structure tree ~/profiles/ssh
  • 111. The Anatomy of a Control File ● A control file within a profile contains ○ Some boilerplate information and a title # encoding: utf-8 # copyright: 2018, The Authors title 'sample section' describe file('/tmp') do it { should be_directory } end control 'tmp-1.0' do tag 'tmp', tag dir: '/tmp' ref 'NSA-RH6 - Section 3.5.2.1' impact 0.7 title 'Create /tmp directory' desc 'An optional description...' describe file('/tmp') do it { should be_directory } end end
  • 112. # encoding: utf-8 # copyright: 2018, The Authors title 'sample section' describe file('/tmp') do it { should be_directory } end control 'tmp-1.0' do tag 'tmp', tag dir: '/tmp' ref 'NSA-RH6 - Section 3.5.2.1' impact 0.7 title 'Create /tmp directory' desc 'An optional description...' describe file('/tmp') do it { should be_directory } end end The Anatomy of a Control File ● A control file within a profile contains ○ Some boilerplate information and a title ○ One or more describe statements, each containing one or more tests
  • 113. # encoding: utf-8 # copyright: 2018, The Authors title 'sample section' describe file('/tmp') do it { should be_directory } end control 'tmp-1.0' do tag 'tmp', tag dir: '/tmp' ref 'NSA-RH6 - Section 3.5.2.1' impact 0.7 title 'Create /tmp directory' desc 'An optional description...' describe file('/tmp') do it { should be_directory } end end The Anatomy of a Control File ● A control file within a profile contains ○ Some boilerplate information and a title ○ One or more describe statements, each containing one or more tests ○ describe statements may be grouped within control statements
  • 114. # encoding: utf-8 # copyright: 2018, The Authors title 'sample section' describe file('/tmp') do it { should be_directory } end control 'tmp-1.0' do tag 'tmp', tag dir: '/tmp' ref 'NSA-RH6 - Section 3.5.2.1' impact 0.7 title 'Create /tmp directory' desc 'An optional description...' describe file('/tmp') do it { should be_directory } end end The Anatomy of a Control File ● A control file within a profile contains ○ Some boilerplate information and a title ○ One or more describe statements, each containing one or more tests ○ describe statements may be grouped within control statements ○ control statements may include extra metadata defining for example ■ a unique ID for this control ■ the criticality, if this control fails. ■ a human-readable title and description ■ reference documentation
  • 115. TASK Task: Remove example controls file rm /home/azureuser/profiles/ssh/controls/example.rb Bit of housekeeping – we don’t need the default controls file
  • 116. TASK vi ~/profiles/ssh/controls/PermitRootLogin.rb control "cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled" do title "Ensure SSH root login is disabled" desc "The PermitRootLogin parameter ..." impact 1.0 tag "cis-rhel7-2.1.1": "5.2.8" tag "level": "1" tag "type": ["Server", "Workstation"] describe sshd_config do its('PermitRootLogin') { should eq 'no' } end end Task: Create Controls File 'PermitRootLogin.rb' Even Cheatier cp ~/.PermitRootLogin.rb ~/profiles/ssh/controls/PermitRootLogin.rb Cheat Sheet https://goo.gl/38AFhn Click ⌘+a, ⌘+c
  • 117. Mapping Compliance Documents to InSpec control "cisecurity.benchmarks_rule_5.2.8…" do title "Ensure SSH root login is disabled" desc "The PermitRootLogin parameter ..." impact 1.0 tag "cis-rhel7-2.1.1": "5.2.8" tag "level": "1" tag "type": ["Server", "Workstation"] describe sshd_config do its('PermitRootLogin') { should eq 'no' } end end Requirement InSpec Control Each control statement relates to a specific compliance regulation.
  • 118. Mapping Compliance Documents to InSpec control "cisecurity.benchmarks_rule_5.2.8…" do title "Ensure SSH root login is disabled" desc "The PermitRootLogin parameter ..." impact 1.0 tag "cis-rhel7-2.1.1": "5.2.8" tag "level": "1" tag "type": ["Server", "Workstation"] describe sshd_config do its('PermitRootLogin') { should eq 'no' } end end Requirement InSpec Control
  • 119. Mapping Compliance Documents to InSpec control "cisecurity.benchmarks_rule_5.2.8…" do title "Ensure SSH root login is disabled" desc "The PermitRootLogin parameter ..." impact 1.0 tag "cis-rhel7-2.1.1": "5.2.8" tag "level": "1" tag "type": ["Server", "Workstation"] describe sshd_config do its('PermitRootLogin') { should eq 'no' } end end Requirement InSpec Control
  • 120. Mapping Compliance Documents to InSpec control "cisecurity.benchmarks_rule_5.2.8…" do title "Ensure SSH root login is disabled" desc "The PermitRootLogin parameter ..." impact 1.0 tag "cis-rhel7-2.1.1": "5.2.8" tag "level": "1" tag "type": ["Server", "Workstation"] describe sshd_config do its('PermitRootLogin') { should eq 'no' } end end Requirement InSpec Control
  • 121. Mapping Compliance Documents to InSpec control "cisecurity.benchmarks_rule_5.2.8…" do title "Ensure SSH root login is disabled" desc "The PermitRootLogin parameter ..." impact 1.0 tag "cis-rhel7-2.1.1": "5.2.8" tag "level": "1" tag "type": ["Server", "Workstation"] describe sshd_config do its('PermitRootLogin') { should eq 'no' } end end Requirement InSpec Control
  • 122. Mapping Compliance Documents to InSpec control "cisecurity.benchmarks_rule_5.2.8…" do title "Ensure SSH root login is disabled" desc "The PermitRootLogin parameter ..." impact 1.0 tag "cis-rhel7-2.1.1": "5.2.8" tag "level": "1" tag "type": ["Server", "Workstation"] describe sshd_config do its('PermitRootLogin') { should eq 'no' } end end Requirement InSpec Control CIS doc even gives details for a remediation cookbook! More on this later.
  • 123. Executing our code ● We now need to execute our InSpec profile ● We will use inspec exec command to do this
  • 124. TASK Profile: InSpec Profile (ssh) Version: 0.1.0 Target: local:// × cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH root login is disabled × SSHD Configuration PermitRootLogin should eq "no" expected: "no" got: nil (compared using ==) Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped Test Summary: 0 successful, 1 failure, 0 skipped Task: Run profile locally with InSpec command sudo inspec exec profiles/ssh
  • 125. Find Another Student's Workstation IP Address ● http://link/to/ip/addresses
  • 126. TASK Profile: InSpec Profile (ssh) Version: 0.1.0 Target: ssh://azureuser@40.114.121.121:22 × cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH root login is disabled × SSHD Configuration PermitRootLogin should eq "no" expected: "no" got: nil (compared using ==) Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped Test Summary: 0 successful, 1 failure, 0 skipped Task: Execute your profile on the remote target inspec exec ~/profiles/ssh -t ssh://azureuser@104.211.54.213 --password My-12-Char-Password --sudo Note the 'Target' is specified in the output Note the 'Target' is specified in the output
  • 127. InSpec and Chef Automate ● InSpec and Chef Automate go hand-in-hand to detect and report on compliance issues ● InSpec profiles can be executed 'ad hoc' or at the end of each chef- client run and a report back to Chef Automate
  • 128. TASK { "reporter": { "automate" : { "stdout" : false, "url" : "https://your-automante-server/data-collector/v0/", "token" : SEhb7CkB_U9FiHFBWaTMW-3eyTQ=, "insecure" : true, "node_name" : "nodename-1", "environment" : "dev" } } } InSpec Chef Automate integration cat reporter.json
  • 129. TASK Run InSpec and Send Results to Chef Automate sudo inspec exec ~/profiles/ssh --json-config reporter.json Note, if you're using Chef on your nodes InSpec can be invoked on every chef-client run and report sent back to Chef Automate to ensure continuous compliance
  • 130. Results Posted to Chef Automate
  • 131. Key Takeaways ● The format of the InSpec DSL fits neatly with the documents created by industry-specific compliance regulatory bodies ● InSpec allows you to write those specifications as platform agnostic code What's next…? • In the next section we'll look at how you can use Chef to correct your infrastructure
  • 133. Detect and Correct ● Chef Automate not only allows you to invoke compliance scans across your estate but it also facilitates remediation ● Chef builds out remediation cookbooks for all InSpec profiles on Chef Automate ● For simplicity now we will run a simple remediation cookbook for our SSH InSpec Profile on the local node
  • 134. TASK .chef/ └── cookbooks └── ssh-remediation ├── Berksfile ├── CHANGELOG.md ├── chefignore ├── LICENSE ├── metadata.rb ├── README.md ├── recipes │ └── default.rb ├── templates │ └── sshd_config.erb ... 10 directories, 11 files For expediency, the Cookbook is Already on the Workstationtree .chef
  • 135. TASK ... template '/etc/ssh/ssh_config' do source 'ssh_config.erb' end View the Chef Recipe and Template File cat .chef/cookbooks/ssh-remediation/recipes/default.rb ... #LoginGraceTime 2m #PermitRootLogin yes PermitRootLogin no #StrictModes yes ... cat .chef/cookbooks/ssh-remediation/templates/sshd_config.erb -n Line 50
  • 136. TASK [✔] Packaging cookbook... done! [✔] Generating local policyfile... exporting... done! [✔] Applying ssh-remediation::default from /home/azureuser/.chef/cookbooks/ssh-remediation to target. └── [✔] [localhost] Successfully converged ssh-remediation::default. Run the cookbook on the local machine chef-run azureuser@localhost ssh-remediation::default --password My-12-Char- Password --config .chef-workstation/config.toml This will execute the remediation recipe and send an event to Chef Automate – you will see this in the 'Client Runs' tab
  • 137. View Chef Run We will see details of the Chef client run in the 'Client Runs' tab of Chef Automate
  • 138. TASK Profile: InSpec Profile (ssh) Version: 0.1.0 Target: local:// ✔ cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_root_login_is_disabled: Ensure SSH root login is disabled ✔ SSHD Configuration PermitRootLogin should eq "no" Profile Summary: 1 successful control, 0 control failures, 0 controls skipped Test Summary: 1 successful, 0 failures, 0 skipped Rerun the InSpec Test sudo inspec exec profiles/ssh
  • 139. TASK Post Results in Chef Automate sudo inspec exec profiles/ssh/ --json-config reporter.json
  • 140. View Scan History ● Click the 'Scan History' button to see a compliance history for this node ● The corresponding 'Event Feed' for this node will identify what changes occurred on a node to bring it into, or out of, compliance
  • 141. Next Steps LearnChef Rally ● Try Chef Automate module https://learn.chef.io/modules/try-chef-automate#/ ● Integrated Compliance Track https://learn.chef.io/tracks/integrated-compliance#/ ● Compliance Automation with InSpec Track https://learn.chef.io/tracks/compliance-automation#/ Also, Chef Automate Compliance public training https://training.chef.io/instructor-led-training/chef-automate-compliance