Page 32 - MSDN Magazine, May 2017
DEVOPS
Compliance as Code with InSpec
Michael Ducy
Regulatory compliance is a fact of life for every enterprise. At the same time, competitive pressures are increasing with the advent of game-changing new technologies and customer expectations for digital services. Is it possible for industries to deliver new products and services at high velocity while still satisfying their obligations for regulatory compliance?
The answer is yes. The solution is to embed regulatory compliance into the software production line analogously to the way we embed other qualities, such as frame stiffness in automobiles or round-trip response time in banking applications.
Making compliance an integral part of the deployment process is possible when compliance is expressed as code. Just as the configuration of systems has shifted toward infrastructure as code (for example, PowerShell Desired State Configuration or Chef), you can manage compliance using a programmatic language.
InSpec is an open source project that lets you define your compliance requirements in a human- and machine-readable language. Once you’ve codified your requirements, you can run them as automated tests that audit your systems. InSpec provides a local agent, as well as full remote testing support.
InSpec supports a variety of different platforms, from Windows to Linux. Figure 1 lists some of the more popular ones. (A full list of supported platforms can be found on the InSpec Web site at inspec.io.)
InSpec’s broad platform support makes it a complete solution for managing compliance across your entire infrastructure. Because InSpec is an open source project, some OS vendors have contributed support for their own platforms. For instance, IBM has contributed much of the support for its AIX OS.
Getting Started with InSpec
It’s easy to get started with InSpec. InSpec is included in the Chef Development Kit (Chef DK), or you can download packages for a variety of platforms from the Chef download Web site at downloads.chef.io/inspec. Once you’ve downloaded the package and installed it, you can begin writing compliance rules. (Note that an alternative name for a compliance rule, often used by security teams, is auditing control.)
InSpec rules are simple to write once you understand the format. All rules begin with a resource. A resource is a configuration item you want to test. For instance, here’s an InSpec rule that uses the windows_feature resource:
describe windows_feature('DHCP Server') do
  it { should_not be_installed }
end
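Once rules like the one above run as automated tests, the deployment pipeline needs a gate that reads their results. The following Ruby script is an added example, not code from the article or from the InSpec project: it parses the output of InSpec's JSON reporter (assumed to come from `inspec exec <profile> --reporter json`, or `--format json` on older releases) and blocks the deploy when any control at or above a chosen impact has failed. The report below is a constructed sample, and the field names (profiles, controls, id, impact, results, status) are assumed from the reporter's schema.

```ruby
require 'json'

# Constructed sample of InSpec's JSON reporter output, trimmed to the fields
# used here. Assumed schema: profiles[].controls[] with id, impact (0.0-1.0)
# and results[] whose status is "passed", "failed" or "skipped".
SAMPLE_REPORT = <<~JSON
  {
    "profiles": [{
      "name": "windows-baseline",
      "controls": [
        { "id": "dhcp-server-absent", "impact": 0.7,
          "title": "DHCP Server role must not be installed",
          "results": [{ "status": "failed",
                        "code_desc": "Windows Feature 'DHCP Server' should not be installed",
                        "message": "expected that `Windows Feature 'DHCP Server'` is not installed" }] },
        { "id": "smb1-absent", "impact": 0.5,
          "results": [{ "status": "passed",
                        "code_desc": "Windows Feature 'FS-SMB1' should not be installed" }] },
        { "id": "linux-only-check", "impact": 1.0,
          "results": [{ "status": "skipped",
                        "message": "Skipped control due to only_if condition." }] }
      ]
    }]
  }
JSON

# Ids of controls that have at least one failed result and an impact at or
# above min_impact. Skipped results (for example an only_if that excluded the
# platform) and controls with no results do not count as failures.
def failing_controls(report_json, min_impact: 0.0)
  report = JSON.parse(report_json)
  report.fetch('profiles', []).flat_map do |profile|
    profile.fetch('controls', []).select do |control|
      impact = control.fetch('impact', 0.0).to_f
      results = control.fetch('results', [])
      impact >= min_impact && results.any? { |r| r['status'] == 'failed' }
    end
  end.map { |control| control['id'] }
end

# Pipeline gate: true when the deployment may proceed.
def compliant?(report_json, min_impact: 0.0)
  failing_controls(report_json, min_impact: min_impact).empty?
end

failed = failing_controls(SAMPLE_REPORT, min_impact: 0.5)
puts(failed.empty? ? 'compliant' : "blocking deploy: #{failed.join(', ')}")
```

In a real pipeline the report would be read from the file or stream InSpec writes, and the gate's exit status would decide whether the release stage continues.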
This article discusses:
• Continuous delivery
• DevOps
• Infrastructure compliance
• Regulatory compliance
• Security compliance
Technologies discussed:
Windows Server, Linux, Unix, InSpec, Continuous Delivery/Release Pipelines