20200204 - CfgMgmtCamp - One tool to rule them all, Infrastructure Testing and Compliance with Chef Inspec, Kimball Johnson

by Thierry de Pauw on

#cfgmgmtcamp

One tool to rule them all, Infrastructure Testing and Compliance with Chef Inspec, Kimball Johnson

Developer Advocate at Chef

Software testing is an investigation conducted to provide stakeholders with information about the quality of the software product or service under test, Cem Kaner

The reason Chef InSpec is well suited to infrastructure testing is that its DSL is designed to be human-readable: a test reads as a plain statement of what should be true on the target.

Purposes of software testing:

  • Validate assumptions: e.g. which shell is the default on this host, bash or zsh?
  • Highlight regressions
  • Consistency
  • Reduce Friction

Example Chef InSpec tests:
```ruby
# path left blank in the slides
describe file('') do
  it { should exist }
  its('mode') { should cmp 0644 }
end

describe apache_conf do
  its('Listen') { should cmp 8080 }
end

describe port(8080) do
  it { should be_listening }
end
```

Compliance and Audit

Compliance

the fact of obeying a particular law or rule, or of acting according to an agreement. -- Cambridge Dictionary


```ruby
control 'sshd-8' do
  impact 0.6   # risk level of a failing control, from 0.0 (none) to 1.0 (critical); 0.6 is "medium"
  title ''
  desc ''
  desc ''      # slide note: requires Chef InSpec >= 2.3.4
  tag 'ssh', 'sshd'
  tag cce: 'CCE-27072-8'
  # reference to the rule that justifies why this control exists
  ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/...'
  describe ... do   # resource and matchers elided in the slides
    ...
  end
end
```

Extensibility

ability to create custom resources

example: a custom resource that reads a configuration file (the slide says JSON; the example path is a YAML file) and exposes its values to tests

```ruby
# libraries/example_config.rb inside the profile
require 'yaml'

class ExampleConfig < Inspec.resource(1)
  name 'example_config'

  def initialize
    @path = '/tmp/example/config.yml'
    # use the target's file resource (works over any Train transport), not the local File class
    @file = inspec.file(@path)
  end

  def exists?
    @file.exist?
  end

  # accessor backing its('version') in the test below
  def version
    return nil unless exists?
    YAML.safe_load(@file.content)['version']
  end
end

# controls/example.rb
describe example_config do
  it { should exist }
  its('version') { ... }   # matcher elided in the slides
end
```
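The part of such a resource that actually needs thought is the parsing: a missing file must make `exists?` false without raising, a malformed file must not crash the whole profile run, and nested keys should be reachable from `its(...)`. The following is an added example, not code from the talk or from the InSpec project: the same resource logic written as plain Ruby, with file access injected as a lambda standing in for `inspec.file(path)` so it runs outside a profile. The class name, the sample file contents and the `[]` accessor are assumptions made for the example.

```ruby
require 'yaml'

# Plain-Ruby model of the custom resource above, without the Inspec.resource
# base class so it runs outside a profile. `reader` stands in for
# inspec.file(path): it returns the file content, or nil when the file is missing.
class ExampleConfigModel
  attr_reader :path, :error

  def initialize(path, reader)
    @path = path
    @content = reader.call(path)
    @error = nil
    @data = parse(@content)
  end

  # mirrors the resource's exists? : true when the file could be read at all
  def exists?
    !@content.nil?
  end

  # nil when the file is missing or could not be parsed, so its('version')
  # fails cleanly instead of raising inside the resource
  def version
    @data && @data['version']
  end

  # nested lookup, e.g. cfg['tls', 'min_version']; nil for any missing level
  def [](*keys)
    keys.reduce(@data) { |node, k| node.is_a?(Hash) ? node[k] : nil }
  end

  private

  # safe_load refuses arbitrary object deserialisation; a syntax error is
  # recorded in `error` rather than propagated
  def parse(content)
    return nil if content.nil?
    doc = YAML.safe_load(content)
    doc.is_a?(Hash) ? doc : nil
  rescue Psych::SyntaxError => e
    @error = e.message
    nil
  end
end

# constructed sample file contents (not from the original page)
SAMPLE_FILES = {
  '/tmp/example/config.yml' => "version: 3\ntls:\n  min_version: '1.2'\n",
  '/tmp/example/broken.yml' => "version: 3: 4\n"   # invalid YAML
}.freeze
SAMPLE_READER = ->(path) { SAMPLE_FILES[path] }

def load_example(path)
  ExampleConfigModel.new(path, SAMPLE_READER)
end
```

Inside a real profile the constructor would call `inspec.file(@path)` and read `.content` from it; everything else stays the same, and the parsing can be unit-tested with the lambda as shown here.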

Real-world incidents that a cloud compliance check would have caught:

  • Dow Jones, July 2017: 2.2 million customer records (PII) exposed by a misconfigured S3 bucket
  • Accenture, October 2017: 40,000 passwords, encryption keys and API keys exposed by misconfigured S3 buckets
  • Imperva, October 2019: customer data exposed after an AWS API key was leaked from an exposed instance and used to reach an RDS database snapshot

```ruby
# inspec-aws resource pack
describe aws_s3_bucket(bucket_name: 'testbucket') do
  it { should_not be_public }
end

describe aws_security_group(group_name: '') do   # group name left blank in the slides
  it { should allow ... }                          # matcher arguments elided in the slides
end
```
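What "public" means for an S3 bucket is worth spelling out, because the incidents above came from two different mechanisms: an ACL grant to one of the global groups (AllUsers or AuthenticatedUsers), or a bucket policy statement that Allows an anonymous principal (`"*"` or `{"AWS": "*"}`). The block below is an added example, not code from the talk or from inspec-aws: it implements that check in plain Ruby over constructed ACL and policy documents, so it runs offline. The function names and the sample bucket `testbucket` are assumptions. It deliberately does not evaluate `Condition` blocks, so a conditioned `"*"` grant is still flagged for review rather than silently accepted, and it handles the IAM quirk that `Statement` may be a single object instead of an array.

```ruby
require 'json'

# grantee URIs that make an ACL grant world-accessible
PUBLIC_GRANTEE_URIS = [
  'http://acs.amazonaws.com/groups/global/AllUsers',
  'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
].freeze

# ACL grants whose grantee is one of the global groups
def public_acl_grants(grants)
  grants.select do |g|
    grantee = g['Grantee'] || {}
    grantee['Type'] == 'Group' && PUBLIC_GRANTEE_URIS.include?(grantee['URI'])
  end
end

# "*" or {"AWS": "*"} (also when "*" appears inside a list of principals)
def anonymous_principal?(principal)
  return true if principal == '*'
  return false unless principal.is_a?(Hash)
  Array(principal['AWS']).include?('*')
end

# Allow statements for an anonymous principal. Conditions are not evaluated:
# a conditioned "*" still counts as public so it gets reviewed.
def public_policy_statements(policy_json)
  return [] if policy_json.nil? || policy_json.empty?
  statements = JSON.parse(policy_json)['Statement']
  statements = [statements] if statements.is_a?(Hash) # IAM allows a single object here
  Array(statements).select do |s|
    s['Effect'] == 'Allow' && anonymous_principal?(s['Principal'])
  end
end

# human-readable reasons a bucket is public; empty when it is not
def bucket_findings(name, acl_grants, policy_json)
  findings = public_acl_grants(acl_grants).map do |g|
    "#{name}: ACL grants #{g['Permission']} to #{g['Grantee']['URI'].split('/').last}"
  end
  public_policy_statements(policy_json).each do |s|
    findings << "#{name}: policy allows #{Array(s['Action']).join(',')} to anonymous principal"
  end
  findings
end

def bucket_public?(name, acl_grants, policy_json)
  !bucket_findings(name, acl_grants, policy_json).empty?
end

# constructed sample documents (not from the original page)
OWNER_GRANT = { 'Grantee' => { 'Type' => 'CanonicalUser', 'ID' => 'owner-canonical-id' },
                'Permission' => 'FULL_CONTROL' }.freeze
SAMPLE_ACL_PRIVATE = [OWNER_GRANT].freeze
SAMPLE_ACL_PUBLIC = [
  OWNER_GRANT,
  { 'Grantee' => { 'Type' => 'Group', 'URI' => 'http://acs.amazonaws.com/groups/global/AllUsers' },
    'Permission' => 'READ' }
].freeze
SAMPLE_POLICY_PRIVATE = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",' \
  '"Principal":{"AWS":"arn:aws:iam::123456789012:role/reader"},"Action":"s3:GetObject",' \
  '"Resource":"arn:aws:s3:::testbucket/*"}]}'
# single-object Statement and a bare "*" principal: the classic "static website" mistake
SAMPLE_POLICY_PUBLIC = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Principal":"*",' \
  '"Action":"s3:GetObject","Resource":"arn:aws:s3:::testbucket/*"}}'
# Deny to "*" is a hardening statement, not an exposure
SAMPLE_POLICY_DENY = '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Principal":"*",' \
  '"Action":"s3:*","Resource":"arn:aws:s3:::testbucket/*",' \
  '"Condition":{"Bool":{"aws:SecureTransport":"false"}}}]}'
```

In a profile the same reasoning is delegated to `aws_s3_bucket`'s `be_public` matcher; the value of writing it out is knowing which two documents the matcher has to read, and that a `Deny` to `*` or an ACL grant to the bucket owner is not a finding.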

Plugins

inspec-vault: fetch profile inputs (secrets) from HashiCorp Vault instead of keeping them in the profile

Train plugins: Train is the transport layer underneath InSpec; plugins add the kinds of target it can connect to and test, for example:
- aws
- digitalocean
- ...