If you’ve ever had to work in an IT shop bound by regulations and policies,
you know how much of a hassle it can be to integrate new infrastructure and
application components, while maintaining a compliant posture. You may have
some applications bound to a NIST policy, some to HIPAA, and others may follow
a custom policy your local security officer mandated. With so many regulations,
you need a way to enforce compliance, based on multiple environmental factors.
Additionally, you want to know your code is compliant before deployment. You
find yourself asking, how can I enforce compliance and know I’m compliant on
live systems? The SIMP team is proud to provide an answer to that question. We
have developed an end-to-end solution for automated system compliance and
reporting, made possible with two key developments - compliance parameter
enforcement with the SIMP Compliance Engine, and automated framework
testing with Inspec. The full announcement was made at PuppetConf 2017.
Some of you may be familiar with the old version of the system, the
compliance_markup puppet module. In the past, it served solely as a report
generator that mapped Puppet parameters to compliant system values, per NIST,
DISA, HIPAA, etc. It would provide users with a
.json report, summarizing
non-compliant parameters, and recommending their compliant counterparts. Now,
the Compliance Engine has the ability to enforce compliant parameters. Like
before, users specify a list of compliance profiles, to best suit their site
security needs. But now, every puppet run, the Compliance Engine can set the
parameters passed to classes on a node to the compliant values defined in the
profile. Out of the box, SIMP Community Edition ships with support for
NIST 800-53 and the
DISA STIG, but the profile framework is extensible,
and the Enterprise Edition comes bundled with more compliance profiles.
Fig 1: An excerpt from an example compliance map. In this example,
internal_policy_5 and nist_800_171 will be enforced. Each map contains
compliant values for auditd_demo::at_boot, while nist_800_171 also includes
Inspec is a platform-agnostic tool, built on rspec, used to check live
systems for policy compliance. Its unique features allow developers to map
custom checks on the system directly to policy. Developers can also assign an
impact rating for each check.
Fig 2: A control defined in Inspec. Note that the control maps the
nist_800-171 policy ID 3.3.1 to a live system check, ‘auditd should be running’
We have built the beginning of a STIG profile to supplement the
Scap Security Guide, and have written custom helpers to run the profiles(s)
automatically, as part of an acceptance testing suite. That means developers
can work compliance tests into their release pipeline, to ensure their code is
compliant before deployment. SIMP currently supports Beaker and
Kitchen.ci as testing backends.
Fig 3: An example of including compliance-test in a GitLab release pipeline
So how do these technologies fit into your workflow to achieve end-to-end
compliance? From a risk management perspective, Puppet and the Compliance
Engine select and implement security controls, while Inspec assesses
security controls. The diagram below illustrates the entire process.
Fig 4: Fitting Compliance Engine and Inspec into a Risk Management Workflow.
Note that you can integrate reporting to further automate the compliance
At Onyx Point, our engineers focus on Security, System
Administration, Automation, Dataflow, and DevOps consulting for
government and commercial clients. We offer professional
services for Puppet, RedHat, SIMP, NiFi, GitLab, and the other
solutions in place that keep your systems running securely and
efficiently. We offer Open Source Software support and
Engineering and Consulting services through GSA IT Schedule 70.
As Open Source contributors and advocates, we encourage the use
of FOSS products in Government as part of an overarching IT
Efficiencies plan to reduce ongoing IT expenditures attributed
to software licensing. Our support and contributions to Open
Source, are just one of our many guiding principles
- Customer First.
- Security in All We Do.
- Pursue Innovation with Integrity.
- Communicate Openly and Respectfully.
- Offer Your Talents, and Appreciate the Talents of Others