Page 34 - MSDN Magazine, May 2017

Figure 3 Example of an InSpec Run
compliance. It’s worth noting that the server being tested is the default Windows Server 2016 image offered by a major cloud provider, so you can immediately see how InSpec gives you visibility into how well your network conforms to your company’s security policies.
If you look at the actual InSpec rule for the first failing test, cis-enforce-password-history-1.1.1, you can see how the rule translates into something actionable:

    control 'cis-enforce-password-history-1.1.1' do
      impact 0.7
      title '1.1.1 Set Enforce password history to 24 or more passwords'
      desc 'Set Enforce password history to 24 or more passwords'
      describe security_policy do
        its('PasswordHistorySize') { should be >= 24 }
      end
    end
The test fails because policy requires that there be a password history of at least 24 entries, but, in fact, no history is kept at all. Obviously, the current configuration setting needs to be changed to comply with the rule.
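The rule above, carried out by hand in plain Ruby as an added example that is not part of the article or of InSpec itself. InSpec's security_policy resource reads the local policy from a secedit export (that is an assumption about the resource's implementation made here, not something the article states), so the script parses a constructed secedit export, evaluates the control the way the DSL's `should be >= 24` does, and applies a pipeline-style gate that fails whenever a control with impact 0.7 or higher fails. The second control, the sample export and the helper names are invented for illustration.

```ruby
# Added example, not from the article or from InSpec: evaluate a CIS-style
# password-policy control against a Windows security policy export.

# Constructed sample of a `secedit /export /cfg <file>` result (assumption:
# this INI layout is what the InSpec security_policy resource parses).
# PasswordHistorySize = 0 reproduces the failing state described in the text.
SECEDIT_EXPORT = <<~'INI'
  [Unicode]
  Unicode=yes
  [System Access]
  MinimumPasswordAge = 1
  MaximumPasswordAge = 42
  MinimumPasswordLength = 0
  PasswordComplexity = 0
  PasswordHistorySize = 0
  LockoutBadCount = 0
  [Version]
  signature="$CHICAGO$"
  Revision=1
INI

# Parse the INI-style export into a hash of sections:
# { 'System Access' => { 'PasswordHistorySize' => '0', ... }, ... }
def parse_security_policy(text)
  section = nil
  text.each_line.with_object({}) do |line, policy|
    line = line.strip
    next if line.empty?
    if line =~ /\A\[(.+)\]\z/
      section = Regexp.last_match(1)
      policy[section] ||= {}
    elsif section && line.include?('=')
      key, value = line.split('=', 2).map(&:strip)
      policy[section][key] = value
    end
  end
end

# A control mirrors the InSpec DSL: id, impact, title and a predicate over the policy.
Control = Struct.new(:id, :impact, :title, :check)

CONTROLS = [
  Control.new('cis-enforce-password-history-1.1.1', 0.7,
              '1.1.1 Set Enforce password history to 24 or more passwords',
              ->(p) { p.dig('System Access', 'PasswordHistorySize').to_i >= 24 }),
  # Hypothetical second control (not from the page) to show impact-based gating.
  Control.new('example-minimum-password-length', 0.5,
              'Set Minimum password length to 14 or more characters',
              ->(p) { p.dig('System Access', 'MinimumPasswordLength').to_i >= 14 }),
].freeze

# Evaluate every control against an export; returns { control_id => true/false }.
def run_controls(text, controls = CONTROLS)
  policy = parse_security_policy(text)
  controls.to_h { |c| [c.id, c.check.call(policy)] }
end

# Pipeline-style quality gate: the build passes only if no control at or above
# the impact threshold has failed (lower-impact findings are reported, not blocking).
def gate_passes?(results, controls = CONTROLS, threshold: 0.7)
  controls.none? { |c| c.impact >= threshold && !results[c.id] }
end

if __FILE__ == $PROGRAM_NAME
  results = run_controls(SECEDIT_EXPORT)
  results.each { |id, ok| puts "#{ok ? 'PASS' : 'FAIL'}  #{id}" }
  puts "gate: #{gate_passes?(results) ? 'open' : 'blocked'}"
end
```

Run on the constructed export, both controls fail and the gate is blocked; after the history size is raised to 24 the remaining failure is the 0.5-impact control, which is reported but does not block the gate. In a real pipeline step the gate result would be turned into a non-zero exit status so the stage stops there.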
Using InSpec with Automated Release Pipelines
InSpec can, by itself, help you manage the compliance of your systems, but InSpec can also run as a series of automated tests that execute as part of your standard release pipelines. InSpec tests can be easily added to act as a quality gate for compliance. In this section, I’ll use InSpec with Chef Automate.
Chef Automate is an integrated solution for managing and deploying infrastructure and applications. It rests on a foundation of open source products that include InSpec and Chef, which is for infrastructure automation. Chef Automate provides an automated pipeline for change management and includes features for ensuring the visibility of those changes.
With Chef Automate, you can run your InSpec compliance tests on demand, see the results on the dashboard, and remediate the problem. You can also generate audit reports whenever you need them.
For example, patch management is one of the most critical aspects of IT security. It’s important that you be able to identify out-of-date systems and upgrade them. Most regulatory frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS), require it. To ensure that your systems are current, you can use Chef Automate to manage the entire process, from the initial identification to remediation.
You can first scan your systems to see if they’re in compliance with policy and their software is up-to-date. You’ll receive a report telling you the status of your infrastructure. Figure 4 shows an example of such a report. It shows the status of the servers in a network, in terms of how well they meet compliance requirements.
Once you have the report, you can use the Chef DK to build your remediation and then test it locally before you deploy it to production. Chef DK contains all the tools you need to create and test your code.
After you’re satisfied with the changes, you can send them through the Chef Automate pipeline to deploy the remediation. The pipeline contains stages for testing your changes and making sure they work. Within the pipeline are two manual gates. One of them is for code review and the other sends the code to the release environments. You can involve compliance and security officers at either or both of these points to make sure they’re actively engaged in the release process.