May 2017

Volume 32 Number 5

[DevOps]

Compliance as Code with InSpec

By Michael Ducy | May 2017

Regulatory compliance is a fact of life for every enterprise. At the same time, competitive pressures are increasing with the advent of game-changing new technologies and customer expectations for digital services. Is it possible for companies to deliver new products and services at high velocity while still satisfying their obligations for regulatory compliance?

The answer is yes. The solution is to embed regulatory compliance into the software production line in the same way we embed other qualities, such as frame stiffness in automobiles or round-trip response time in online banking applications.

Making compliance an integral part of the deployment process is possible when compliance is expressed as code. Just as the configuration of systems has shifted toward infrastructure as code (for example, PowerShell Desired State Configuration or Chef), you can manage compliance using a programmatic language.

InSpec is an open source project that lets you define your compliance requirements in a human- and machine-readable language. Once you've codified your requirements, you can run them as automated tests that audit your systems. InSpec provides a local agent, as well as full remote testing support.

InSpec supports a variety of different platforms, from Windows to Linux. Figure 1 lists some of the more popular ones. (A full list of supported platforms can be found on the InSpec Web site at inspec.io.)

Figure 1 List of Popular Platforms Supported by InSpec

Platform                                  Versions
AIX                                       6.1, 7.1, 7.2
Mac OS X                                  10.9, 10.10, 10.11
Oracle Enterprise Linux                   5, 6, 7
Red Hat Enterprise Linux (and variants)   5, 6, 7
Solaris                                   10, 11
Windows                                   7, 8, 8.1, 10, 2008, 2008 R2, 2012, 2012 R2, 2016
Ubuntu Linux
SUSE Linux Enterprise Server              11, 12
OpenSUSE                                  13.1, 13.2, 42.1
HP-UX                                     11.31

InSpec's broad platform support makes it a complete solution for managing compliance across your entire infrastructure. Because InSpec is an open source project, some OS vendors have contributed support for their own platforms. For example, IBM has contributed much of the support for its AIX OS.

Getting Started with InSpec

It's easy to get started with InSpec. InSpec is included in the Chef Development Kit (Chef DK), or you can download packages for a variety of platforms from the Chef download Web site at downloads.chef.io/inspec. Once you've downloaded the package and installed it, you can begin writing compliance rules. (Note that an alternative name for a compliance rule, often used by security teams, is auditing control.)

InSpec rules are simple to write once you understand the format. All rules begin with a resource. A resource is a configuration item you want to test. For example, here's an InSpec rule that uses the windows_feature resource:

    describe windows_feature('DHCP Server') do
      it { should_not be_installed }
    end

The windows_feature resource declares the name of a Windows feature and tests to see if it matches a particular configuration. In this example, the rule tests that the DHCP Server is not installed.

There are resources for many standard pieces of your network, such as files, directories, users, groups and registry keys. For a complete list, you can refer to the InSpec documentation at bit.ly/2n3ekZe. You can also easily extend InSpec with your own resources to check configuration items that aren't supported out of the box or that are specific to your particular application.

InSpec lets you include metadata about your compliance rules. Metadata helps you tie tests to specific regulatory or security requirements. Traditionally, you'd find compliance requirements published in documents, spreadsheets or some other format that's not actionable. The information in these official compliance documents is important because it gives administrators context as to why the compliance policy matters, but it's often not conveniently available.

Figure 2 shows an example of an InSpec rule that includes this information as metadata.

Figure 2 Example of an InSpec Rule with Metadata About Compliance Requirements

    control 'sshd-8' do
      impact 0.6
      title 'Server: Configure the service port'
      desc '
        Always specify which port the SSH server should listen to.
        Prevent unexpected settings.
      '
      tag 'ssh','sshd','openssh-server'
      tag cce: 'CCE-27072-8'
      ref 'NSA-RH6-STIG - Section 3.5.2.1',
        url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
      describe sshd_config do
        its('Port') { should eq('22') }
      end
    end

This example is for a rule (or control) called sshd-8. The impact, title, and desc fields define metadata that describes the rule's importance, its purpose, and a description. The tag field includes optional information and the ref field references external documents.

The describe field signals the start of the block that contains the rule. The resource being tested is sshd_config, which represents the configuration of the OpenSSH daemon on Linux and Unix platforms. The rule tests to see if the SSH server listens to port 22.

There are three important points to notice. First, without the metadata, the rule would be isolated and lack context. Next, all the pertinent information is included with the rule. You don't have to check it against other documents. Finally, the InSpec language is extremely easy to read. Stakeholders such as compliance officers, who may not be programmers, can understand what the rule tests, and the metadata tells them why the rule exists and what requirements it audits. They might even be inclined to contribute their own rules.
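To show what the sshd-8 control above actually evaluates, here is an added stand-alone Ruby check (not code from the article or from the InSpec project). It parses sshd_config text the way the file is structured (one keyword and value per line, '#' comments, case-insensitive keywords, first occurrence wins, Match blocks kept apart) and reports on the Port expectation the way a control would. The sample configuration, the function names and the result format are this example's own.

```ruby
# Added example: a minimal sshd_config parser plus the "Port must be 22"
# check, mirroring the sshd-8 control. Not InSpec's implementation.

# Constructed sample content; a real check would read /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG = <<~CONF
  # OpenSSH server configuration (constructed sample)
  Port 2222
  port 22          # sshd uses the first value it sees, so this one is ignored
  PermitRootLogin no
  PasswordAuthentication yes
  Match User backup
      PasswordAuthentication no
CONF

# Parse sshd_config into { global: {'port' => '2222', ...}, match_blocks: [...] }.
# Directives inside a "Match" block apply conditionally, so they are kept separately.
def parse_sshd_config(text)
  global = {}
  match_blocks = []
  current = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip        # drop comments and surrounding whitespace
    next if line.empty?
    key, value = line.split(/\s+|=/, 2)    # sshd accepts "Key value" and "Key=value"
    key = key.downcase                     # keywords are case-insensitive
    if key == 'match'
      current = { 'match' => value }
      match_blocks << current
      next
    end
    target = current || global
    target[key] ||= value                  # first occurrence wins, as in sshd
  end
  { global: global, match_blocks: match_blocks }
end

# Evaluate expectations against the global section; one result hash per check.
def check_sshd(config, expectations)
  expectations.map do |key, expected|
    actual = config[:global][key.downcase]
    { key: key, expected: expected, actual: actual, passed: actual == expected }
  end
end

# The sshd-8 control: Port must equal '22'. Returns true only if every check passed.
def sshd_8_control(text)
  results = check_sshd(parse_sshd_config(text), 'Port' => '22')
  results.each do |r|
    status = r[:passed] ? 'PASS' : 'FAIL'
    puts "#{status} sshd-8: Port expected #{r[:expected].inspect}, got #{r[:actual].inspect}"
  end
  results.all? { |r| r[:passed] }
end

sshd_8_control(SAMPLE_SSHD_CONFIG) if $PROGRAM_NAME == __FILE__
```

Run against the constructed sample the control fails, because the effective port is 2222; the duplicate `port 22` line further down does not rescue it, which is exactly the kind of surprise the control's description ("prevent unexpected settings") is about.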

Using Open Source Profiles

To make life easier, InSpec has many open source profiles available that already include all the relevant rules and metadata. For example, there's a DevSec Linux Baseline profile and a DevSec Apache Baseline profile. You can download these profiles at bit.ly/2mBVXNr.

Many of the open source profiles InSpec provides are based on the industry standard Center for Internet Security (CIS) benchmarks for system security. While the CIS baselines provide a good starting point, you might need to modify them to meet your particular compliance needs. InSpec allows you to create your own profiles and to inherit rules from other profiles. InSpec also lets you ignore rules from profiles. This is useful because you don't need to directly modify the open source profiles InSpec provides. You can create your own profiles that inherit the open source profiles you need, then ignore rules that aren't applicable. When new open source profiles are released, you can simply update your version of the open source rules without having to modify your custom rules.
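The inherit-and-ignore workflow just described, as an added Ruby model that is not InSpec's own code: a base profile is taken as-is, controls that do not apply are skipped, metadata is overridden, and company-specific controls are appended, all without touching the base. In InSpec itself this is expressed with a depends entry in the wrapper profile's inspec.yml and an include_controls block with skip_control in its controls file; the Control struct, the fact hash and the control ids other than sshd-8 below are constructed for this example.

```ruby
# Added example: a small model of profile inheritance with skipped and
# overridden controls. Checks look at a hash of "facts" instead of a live
# system so the example runs offline.

require 'set'

# A control is an id, metadata, and a check returning true (pass) or false (fail).
Control = Struct.new(:id, :impact, :title, :check)

# Base profile as it might ship upstream (constructed ids apart from sshd-8).
def base_profile
  [
    Control.new('os-05',  0.5, 'Disable core dumps',          ->(f) { f[:core_dumps] == false }),
    Control.new('sshd-8', 0.6, 'Configure the service port',  ->(f) { f[:ssh_port] == 22 }),
    Control.new('os-10',  0.5, 'Disable unused filesystems',  ->(f) { f[:unused_fs].empty? })
  ]
end

# Effective control set: base minus skipped ids, with overrides applied
# (e.g. a lowered impact), followed by the wrapper's own controls.
def build_profile(base, skip: [], overrides: {}, custom: [])
  skipped = Set.new(skip)
  inherited = base.reject { |c| skipped.include?(c.id) }.map do |c|
    o = overrides.fetch(c.id, {})
    Control.new(c.id, o.fetch(:impact, c.impact), o.fetch(:title, c.title), c.check)
  end
  inherited + custom
end

# Run every control against the facts and return { id => true/false }.
def run_profile(controls, facts)
  controls.each_with_object({}) { |c, out| out[c.id] = c.check.call(facts) }
end

# Wrapper profile: os-05 is judged not applicable here (constructed reasoning),
# sshd-8 is downgraded in impact, and one company-specific control is added.
# Passing a newer base in shows that upstream updates flow through untouched.
def wrapper_profile(base = base_profile)
  build_profile(base,
                skip: ['os-05'],
                overrides: { 'sshd-8' => { impact: 0.3 } },
                custom: [Control.new('acme-01', 0.8, 'Require company CA bundle',
                                     ->(f) { f[:ca_bundle] == 'acme-root' })])
end

if $PROGRAM_NAME == __FILE__
  facts = { core_dumps: true, ssh_port: 22, unused_fs: [], ca_bundle: 'acme-root' }
  run_profile(wrapper_profile, facts).each { |id, ok| puts "#{ok ? 'PASS' : 'FAIL'} #{id}" }
end
```

The point of keeping skips and overrides in the wrapper is visible in the last function: when the upstream base gains a new control, the wrapper picks it up on the next run with no edits to the custom rules.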

Scanning a Host

InSpec uses a client-server model, which means that you can audit remote systems from a centralized workstation. There are also options that allow InSpec scans to run as part of a continuous automation system, such as Chef Automate (chef.io/automate). There's a brief example of this option later in this article.

To run a compliance scan, you need a target system, which is the server you want to test, and a compliance profile, which is the set of rules you use to test the target system. For this example, the target system is a Windows Server, and I'll use the Dev-Sec Windows baseline as defined by CIS, which is stored in a GitHub repo. Figure 3 shows an example of an InSpec run.

Figure 3 Example of an InSpec Run

If you examine the results, the run shows that there are a number of configuration settings that do not meet the CIS baselines for compliance. It's worth noting that the server being tested is the default Windows Server 2016 image offered by a major cloud provider, so you can immediately see how InSpec gives you visibility into how well your network conforms to your company's security policies.

If you look at the actual InSpec rule for the first failing test, cis-enforce-password-history-1.1.1, you can see how the rule translates into something actionable:

    control 'cis-enforce-password-history-1.1.1' do
      impact 0.7
      title '1.1.1 Set Enforce password history to 24 or more passwords'
      desc 'Set Enforce password history to 24 or more passwords'
      describe security_policy do
        its('PasswordHistorySize') { should be >= 24 }
      end
    end

The test fails because policy requires that there be a password history of at least 24 entries, but, in fact, no history is kept at all. Obviously, the current configuration setting needs to be changed to comply with the rule.
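The failing check above, as an added stand-alone Ruby example (not the article's or InSpec's code). It assumes the local security policy has been exported with `secedit /export /cfg <file>`, which produces an INI-style file with a [System Access] section; the assumption here is that InSpec's security_policy resource reads the same export. The block parses a constructed export in which no password history is kept, evaluates the "at least 24" rule, and also treats a missing setting as a failure rather than as zero. The sample content and function names are this example's own.

```ruby
# Added example: parse a secedit export and evaluate the
# cis-enforce-password-history-1.1.1 rule against it.

# Constructed sample export. Real exports are UTF-16LE; read them with
# File.read(path, encoding: 'UTF-16LE').encode('UTF-8') before parsing.
SAMPLE_SECEDIT_EXPORT = <<~INI
  [Unicode]
  Unicode=yes
  [System Access]
  MinimumPasswordAge = 0
  MaximumPasswordAge = 42
  MinimumPasswordLength = 0
  PasswordComplexity = 1
  PasswordHistorySize = 0
  LockoutBadCount = 0
  [Version]
  signature="$CHICAGO$"
  Revision=1
INI

# Parse the INI export into { 'System Access' => { 'PasswordHistorySize' => '0', ... }, ... }.
def parse_secedit(text)
  sections = Hash.new { |h, k| h[k] = {} }
  section = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(';')        # blank lines and comments
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]                                     # "[System Access]"
    elsif section && line.include?('=')
      key, value = line.split('=', 2).map(&:strip)
      sections[section][key] = value
    end
  end
  sections
end

# Integer view of a [System Access] value; nil when the setting is absent,
# which the control below treats as a failure instead of defaulting to 0.
def system_access_int(policy, key)
  v = policy['System Access'][key]
  v && Integer(v, 10)
end

# The control: PasswordHistorySize must be >= minimum (24 in CIS 1.1.1).
# Returns a result hash so callers can report on it or assert on it.
def password_history_control(text, minimum: 24)
  actual = system_access_int(parse_secedit(text), 'PasswordHistorySize')
  { control: 'cis-enforce-password-history-1.1.1',
    expected: ">= #{minimum}",
    actual: actual,
    passed: !actual.nil? && actual >= minimum }
end

if $PROGRAM_NAME == __FILE__
  r = password_history_control(SAMPLE_SECEDIT_EXPORT)
  puts "#{r[:passed] ? 'PASS' : 'FAIL'} #{r[:control]}: expected #{r[:expected]}, got #{r[:actual].inspect}"
end
```

On the constructed export the control reports FAIL with an actual value of 0, matching the first failing test in the run described above; editing the sample to PasswordHistorySize = 24 turns it into a pass.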

Using InSpec with Automatic Release Pipelines

InSpec can, by itself, help you manage the compliance of your systems, but InSpec can also run as a series of automated tests that execute as part of your standard release pipelines. InSpec tests can be easily added to act as a quality gate for compliance. In this section, I'll use InSpec with Chef Automate.

Chef Automate is an integrated solution for managing and deploying infrastructure and applications. It rests on a foundation of open source products that include InSpec and Chef, which is for infrastructure automation. Chef Automate provides an automated pipeline for change management and includes features for ensuring the visibility of those changes.

With Chef Automate, you can run your InSpec compliance tests on demand, see the results on the dashboard, and remediate the problem. You can also generate audit reports whenever you need them.

For example, patch management is one of the most critical aspects of IT security. It's important that you be able to identify out-of-date systems and upgrade them. Most regulatory frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS), require it. To ensure that your systems are current, you can use Chef Automate to manage the entire process, from the initial identification to remediation.

You can first scan your systems to see if they're in compliance with policy and their software is up-to-date. You'll receive a report telling you the status of your infrastructure. Figure 4 shows an example of such a report. It shows the status of the servers in a network, in terms of how well they meet compliance requirements.

Figure 4 Example of a Compliance Report

Once you have the report, you can use the Chef DK to build your remediation and then test it locally before you deploy it to production. Chef DK contains all the tools you need to create and test your code.

After you're satisfied with the changes, you can send them through the Chef Automate pipeline to deploy the remediation. The pipeline contains stages for testing your changes and making sure they work. Within the pipeline are two manual gates. One of them is for code review and the other sends the code to the release environments. You can involve compliance and security officers at either or both of these points to make sure they're actively engaged in the release process.

Finally, when the changes have passed all the stages in the pipeline, you can send them to the Chef server. The Chef server can then begin to bring the nodes up-to-date. Chef Automate gives you visibility into everything that's happening in your infrastructure once the changes are deployed.

Automating Compliance with InSpec

One of the largest banks in India has begun using InSpec in its Banking Services division, which is responsible for most of the bank's transactions. Compliance is especially critical for it. The division has approximately 500 HP-UX servers that make up its development, test and production environments.

Of course, there are many regulatory and security guidelines the bank must follow, and each month the team checks to make sure its servers are compliant. There are around 100 checks and, before InSpec, they were performed manually. The process was very difficult. The team had to log in to each machine, check the configuration settings, provide the results on paper and then log them. Completing a single check took about 5 minutes, so vetting just 1 server took about 8 hours.

When the team began using automated compliance with InSpec, the impact was evident. It could see the entire scan result in minutes. The team could see how many servers were in compliance, how many weren't in compliance, and based on that it could make quick decisions. What had taken 500 minutes to perform on one server could now be performed in 2 minutes.

InSpec also made it much easier to satisfy the bank's auditors. IT auditors sometimes asked to see the status of a particular machine, and retrieving the information was slow. Team members had to run scripts manually, get the output and make it suitable for a report. Now, with a single click, the team could instantly show the auditor what checks have been performed.

Also, InSpec is human readable and easy to learn. Most vendors for security and auditing use a binary format and the tools are hard to use. When the banking team members saw InSpec, they felt that they could easily learn it within a few days because the learning curve was very small. (You can read about this on the Learn Chef Web site at bit.ly/2mGthmE.)

Wrapping Up

InSpec is an open source testing language that lets you treat compliance as code. When compliance is code, rules are unambiguous and can be understood by everyone on the team. Developers know what standards they're expected to meet and auditors know exactly what's being tested. With InSpec, you can replace documents and manual checklists with programmatic tests that have a clear intent.

You can also integrate your compliance tests into your deployment pipeline and automatically test for adherence to security policies. Run tests as often as you need, start testing for compliance on every change and catch problems earlier in the development process, well before you've released to production.


Michael Ducy is manager of Open Source Product Marketing for Chef Software. He's used, managed and advocated for open source software for nearly 20 years. Ducy has held a number of roles in technology, from Linux systems engineer and IT instructor to presales engineer and more. He's always interested in engaging with the broader community and can be found on Twitter: @mfdii.

Thank you to the following technical experts for reviewing this article: Bakh Inamov, Adam Leff and Roberta Leibovitz

