Compliance as Code

Compliance is an important part of running IT systems, yet it is often handled only as a regular annual audit: the auditors pick a sample of the data to check, because they cannot check all of it.

I went through classical audits, where you fill in tens of Excel sheets and then consult with internal audit on what to improve and how. As an SRE (Site Reliability Engineer) deals with monitoring and automation, this also means relieving people of manual work. I have seen how the problem is solved at large scale (cloud providers). I have experience with Oracle Cloud Infrastructure (OCI) and Amazon Web Services (AWS). I'll show you how to move from Excel to an automated, near real-time compliance check solution using the Chef InSpec framework.

Ladislav Prskavec

January 23, 2020

Transcript

  1. Who Am I (slide 2)
     - Senior Manager in Oracle Cloud Infrastructure
     - Twitter: @abtris
     - Blog and talks: https://blog.prskavec.net/
     Ladislav Prskavec - itSMF, 23. 1. 2020
  2. 6.2.1 Set SSH Protocol to 2 (Scored) (slide 11)
     Profile Applicability: Level 1
     Description: SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure.
     Rationale: SSH v1 suffers from insecurities that do not affect SSH v2.
     Audit: To verify the correct SSH setting, run the following command and verify that the output is as shown:
       # grep "^Protocol" /etc/ssh/sshd_config
       Protocol 2
     Remediation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:
       Protocol 2
  3. InSpec control from ssh_spec.rb (slide 12)

       # ssh-04 from the dev-sec ssh-baseline profile. Note that the ssh_config
       # resource reads the *client* file (/etc/ssh/ssh_config); the server-side
       # counterpart of the CIS item on slide 11 would use the sshd_config resource.
       control 'ssh-04' do
         impact 1.0
         title 'Client: Specify protocol version 2'
         desc "Only SSH protocol version 2 connections should be permitted..."
         describe ssh_config do
           its('Protocol') { should eq('2') }
         end
       end
  4. Compliance as Code (slide 13)
     - Defining Policies Upfront
     - Automated Gates and Checks
     - Managing Changes in Continuous Delivery
     - Separation of Duties in the DevOps Audit Toolkit
     - Using the Audit Defense Toolkit
     - Code Instead of Paperwork
  5. Metrics (slide 27)

       # HELP inspec_checks_total Number of inspec checks
       # TYPE inspec_checks_total gauge
       inspec_checks_total{profile="ssl-baseline",status="passed"} 6
       inspec_checks_total{profile="ssl-baseline",status="failed"} 0
       inspec_checks_total{profile="ssl-baseline",status="skipped"} 0

     - prometheus_inspec_exporter by Dave Cadwallader
  6. Summary (slide 29)
     - Why Compliance?
     - Why Compliance as code?
     - Why Automated audit?
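As an added example (my own plain Ruby, not code from the deck, from CIS or from Chef InSpec), the following ties the CIS item on slide 11, the InSpec control on slide 12 and the Prometheus gauge on slide 27 into one small compliance-as-code loop: parse an sshd_config the way sshd reads it, evaluate a handful of server-side controls shaped like the InSpec one, and render the pass/fail/skip tallies in the same exposition format the exporter produces. The sample sshd_config is constructed, the control ids and the "ssh-baseline" profile name are made up for the example, and the OpenSSH version is supplied by the caller because the file alone does not reveal it. One caveat the slide does not mention is built in: sshd dropped SSH protocol 1 in OpenSSH 7.4, where the Protocol directive became a no-op, so from that version on the control is reported as skipped (InSpec's only_if) rather than failed.

```ruby
require 'rubygems' # for Gem::Version

# Parse sshd_config text into { "keyword" => "value" } following sshd's own
# rules: blank lines and '#' comments are ignored, keywords are case-insensitive,
# "Key value", "Key=value" and "Key = value" are all accepted, the FIRST
# occurrence of a keyword wins, and everything after the first "Match" line is
# conditional and therefore not part of the global settings.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    key = key.downcase
    break if key == 'match'
    settings[key] ||= value.to_s.strip
  end
  settings
end

# A control is the unit of policy, shaped like the InSpec control on slide 12:
# an id, an impact, a title, a predicate over the parsed settings and an
# optional applicability test (InSpec's only_if) that yields :skipped.
Control = Struct.new(:id, :impact, :title, :check, :only_if) do
  def run(settings, openssh_version)
    return :skipped if only_if && !only_if.call(settings, openssh_version)
    check.call(settings) ? :passed : :failed
  end
end

# Hypothetical server-side profile; ids, titles and impacts are the example's own.
SSH_BASELINE = [
  # Counterpart of CIS "Set SSH Protocol to 2". sshd dropped SSH protocol 1 in
  # OpenSSH 7.4, where the Protocol directive became a no-op, so from that
  # version on the control is not applicable instead of failed.
  Control.new('sshd-protocol', 1.0, 'Server: Specify protocol version 2',
              ->(s) { s['protocol'] == '2' },
              ->(_s, v) { Gem::Version.new(v) < Gem::Version.new('7.4') }),
  Control.new('sshd-root-login', 1.0, 'Server: Disable direct root login',
              ->(s) { s['permitrootlogin'] == 'no' }),
  Control.new('sshd-password-auth', 0.7, 'Server: Disable password authentication',
              ->(s) { s['passwordauthentication'] == 'no' })
].freeze

# Run every control and tally results per status, like one InSpec profile run.
def evaluate(controls, config_text, openssh_version:)
  settings = parse_sshd_config(config_text)
  results = controls.map { |c| [c.id, c.run(settings, openssh_version)] }.to_h
  counts = { passed: 0, failed: 0, skipped: 0 }
  results.each_value { |status| counts[status] += 1 }
  { results: results, counts: counts }
end

# Render the tallies in Prometheus exposition format, the same gauge that
# prometheus_inspec_exporter publishes (slide 27).
def prometheus_metrics(profile, counts)
  lines = ['# HELP inspec_checks_total Number of inspec checks',
           '# TYPE inspec_checks_total gauge']
  counts.each do |status, n|
    lines << %(inspec_checks_total{profile="#{profile}",status="#{status}"} #{n})
  end
  lines.join("\n") + "\n"
end

# Constructed sample, not a real host's file. It deliberately contains a
# lower-case keyword, a duplicated PermitRootLogin (the first one wins) and a
# Match block whose PasswordAuthentication must not leak into the global view.
SAMPLE_SSHD_CONFIG = <<~CONF
  # /etc/ssh/sshd_config (constructed sample)
  Port 22
  protocol 2
  PermitRootLogin no
  PermitRootLogin yes
  PasswordAuthentication yes
  Match User backup
      PasswordAuthentication no
CONF

if $PROGRAM_NAME == __FILE__
  run = evaluate(SSH_BASELINE, SAMPLE_SSHD_CONFIG, openssh_version: '7.2')
  puts prometheus_metrics('ssh-baseline', run[:counts])
  # passed 2, failed 1 (password auth), skipped 0; with openssh_version '8.4'
  # the Protocol control is skipped instead of passed.
end
```

Pointing the same loop at the real /etc/ssh/sshd_config of every host and scraping the printed gauge is exactly the "near real-time" audit the deck argues for: the annual sample becomes a continuous, per-host time series, and a host whose failed count rises above zero can alert like any other metric.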