Compliance Automation
0 likes408 views
This document discusses using InSpec and Chef Automate to automate compliance testing. It provides an overview of how InSpec works by translating compliance policies into testable code. It then discusses how Chef Automate can be used to integrate InSpec scans into continuous workflows to enable continuous compliance testing across infrastructure as code. The document concludes with demos of using InSpec with infrastructure provisioned on AWS and compliance testing on Windows systems.
Compliance Automation
- 1. Compliance Automation with InSpec and Chef Automate Infracoders/ DevOps / CloudNativeMeetup GRAZ - 11th September, 2018
- 2. Agenda 19:00-20:00 Talk • Do you know all your IT-vulnerabilities? • Edmund Haselwanter,CEO @ Infralovers 20:00-21:00 Networking • At the bar in the front www.infralovers.com
- 3. A little bit of History • Client: Can we automate our Compliance Profiles? > YES, we can! • Prototype with Serverspec for Compliance Check Automation and Chef and Puppet for Infrastructure Automation • Opensourced at https://dev-sec.io www.infralovers.com
- 7. A little bit of History II • Birth of InSpec (https://inspec.io) ✓ Inspired by Serverspec ✓ Compliance Primitives (Profiles, Weight, Description, ..) ✓ Better Transport Options (SSH/WinRM/Docker) ✓ A lot more Resources • InSpec 2.0 Supports Cloud Platforms like AWS, Azure, … www.infralovers.com
- 9. PART OF A PROCESS OF CONTINUOUS COMPLIANCE Scan for Compliance Build & Test Locally Build & Test CI/CD Remediate Verify A SIMPLE EXAMPLE OF AN INSPEC CIS RULE InSpec ▪ Translate compliance into Code ▪ Clearly express statements of policy ▪ Move risk to build/test from runtime ▪ Find issues early ▪ Write code quickly ▪ Run code anywhere ▪ Inspect machines, data and APIs Turn security and compliance into code control ‘cis-1.4.1’ do title ‘1.4.1 Enable SELinux in /etc/grub.conf’ desc ‘ Do not disable SELinux and enforcing in your GRUB configuration. These are important security features that prevent attackers from escalating their access to your systems. For reference see … ‘ impact 1.0 expect(grub_conf.param ‘selinux’).to_not eq ‘0’ expect(grub_conf.param ‘enforcing’).to_not eq ‘0’ end
- 11. Compliance as Code ROLE OF THE COMPLIANCE OFFICERACCELERATED CYCLE INFRASTRUCTURE AS CODE POLICY AS CODE PRACTICE AS CODE Separate certificatio n & testing Common language for describing & applying policy Compliance at velocity Compliance at VelocityManual Compliance Reactive engagement Proactive engagement Checking implementations by hand Expressing policy as testable code Short term compliance Long term process improvement One language, One workflow
- 12. Linux Demo https://kitchen.ci + InSpec for Infracode Testing
- 13. Windows Demo Detect: InSpec Correct: Ansible
- 14. AWS Demo Provision: Terraform Detect: InSpec www.infralovers.com
- 15. Chef Automate • Commercial Offeringfrom Chef Inc • Comes with readymade Compliance Profiles • Supports Notifications(e.g. Slack/ServiceNow/Custom) • Shiny Web UI to gain Visibility into current State www.infralovers.com
- 16. The Chef Automate Platform Continuous Automation for High Velocity IT Workflow • Local development • Integration • Tooling (APIs & SDKs) COLLABORATE ▪ Package ▪ Test ▪ Approve BUILD ▪ Provision ▪ Configure ▪ Execute ▪ Update DEPLOY ▪ Secure ▪ Comply ▪ Audit ▪ Measure ▪ Log MANAGE Infrastructure Automation Compliance AutomationApplication Automation OSS AUTOMATION ENGINES Increase Speed ▪ Package infrastructure and app configuration as code ▪ Continuously automate infrastructure and app updates Improve Efficiency ▪ Define and execute standard workflows and automation ▪ Audit and measure effectiveness of automation Decrease Risk ▪ Define compliance rules as code ▪ Deliver continuous compliance as part of standard workflow
- 17. Jumpstart your compliance test coverage Compliance in production Amazon Linux 2014.09 / 2015.03 CentOS 6 / 7 HP UX 11i IBM AIX 5.3 / 6.1 / 7.1 RHEL 6 / 7 SLES 11 / 12 Ubuntu Server 12.04 / 14.04 Windows 7 / 8 / 10 / 2012 / 2012R2 Chef Automate ships with profiles for:
- 18. Visibility into the real-time compliance of your entire fleet Compliance in production
- 20. Automate Demo Windows Example www.infralovers.com SLACK Alert