Automated Compliance With Compliance Engine and Inspec


12 January 2018


If you’ve ever had to work in an IT shop bound by regulations and policies, you know how much of a hassle it can be to integrate new infrastructure and application components while maintaining a compliant posture. You may have some applications bound to a NIST policy, some to HIPAA, and others that follow a custom policy your local security officer mandated. With so many regulations, you need a way to enforce compliance based on multiple environmental factors. Additionally, you want to know your code is compliant before deployment. You find yourself asking: how can I enforce compliance, and how can I know I’m compliant on live systems? The SIMP team is proud to provide an answer to that question. We have developed an end-to-end solution for automated system compliance and reporting, made possible by two key developments: compliance parameter enforcement with the SIMP Compliance Engine, and automated framework testing with Inspec. The full announcement was made at PuppetConf 2017.

Some of you may be familiar with the old version of the system, the compliance_markup Puppet module. In the past, it served solely as a report generator that mapped Puppet parameters to compliant system values per NIST, DISA, HIPAA, etc. It provided users with a .json report summarizing non-compliant parameters and recommending their compliant counterparts. Now, the Compliance Engine has the ability to enforce compliant parameters. As before, users specify a list of compliance profiles that best suit their site security needs. But now, on every Puppet run, the Compliance Engine can set the parameters passed to classes on a node to the compliant values defined in the profile. Out of the box, SIMP Community Edition ships with support for NIST 800-53 and the DISA STIG, but the profile framework is extensible, and the Enterprise Edition comes bundled with more compliance profiles.


Fig 1: An excerpt from an example compliance map. In this example, internal_policy_5 and nist_800_171 will be enforced. Each map contains compliant values for auditd_demo::at_boot, while nist_800_171 also includes auditd_demo::enable.
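As an added illustration of what Fig 1 depicts (this is not the image's own contents or SIMP's shipped data), the hiera fragment below uses the profile and parameter names from the caption. The key layout (compliance_markup::enforcement, compliance_markup::compliance_map, identifiers/value/notes) is assumed to follow the compliance_markup module's hiera map format, and the control identifiers are illustrative placeholders.

```yaml
# Added example, not from the post. Key layout assumed to follow the
# compliance_markup hiera format; profile/parameter names are from Fig 1.
---
# Profiles the Compliance Engine enforces on this node. Order matters only
# when two profiles set the same parameter to different values; here both
# agree on auditd_demo::at_boot, so there is no conflict to resolve.
compliance_markup::enforcement:
  - internal_policy_5
  - nist_800_171

compliance_markup::compliance_map:
  version: '1.0.0'

  internal_policy_5:
    # The local policy only covers at_boot.
    auditd_demo::at_boot:
      identifiers:
        - 'INTERNAL-POLICY-5-AU-1'   # placeholder control ID
      value: true
      notes: 'Local security officer requires auditing from boot'

  nist_800_171:
    auditd_demo::at_boot:
      identifiers:
        - '3.3.1'                    # illustrative mapping
      value: true
    # nist_800_171 additionally covers the enable parameter, so a node
    # enforcing this profile gets both values set on every Puppet run.
    auditd_demo::enable:
      identifiers:
        - '3.3.1'                    # illustrative mapping
      value: true
```

With this data in place, a class declaring `auditd_demo` receives `at_boot => true` and `enable => true` from the engine rather than from its own defaults, which is what makes the Fig 2 check ("auditd should be running") pass on a freshly converged node.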

Inspec is a platform-agnostic tool, built on RSpec, used to check live systems for policy compliance. Its unique features allow developers to map custom checks on the system directly to policy. Developers can also assign an impact rating to each check.


Fig 2: A control defined in Inspec. Note that the control maps the nist_800-171 policy ID 3.3.1 to a live system check, ‘auditd should be running’.

We have built the beginning of a STIG profile to supplement the SCAP Security Guide, and have written custom helpers to run the profile(s) automatically as part of an acceptance testing suite. That means developers can work compliance tests into their release pipeline to ensure their code is compliant before deployment. SIMP currently supports Beaker and Kitchen.ci as testing backends.


Fig 3: An example of including compliance-test in a GitLab release pipeline.

So how do these technologies fit into your workflow to achieve end-to-end compliance? From a risk management perspective, Puppet and the Compliance Engine select and implement security controls, while Inspec assesses security controls. The diagram below illustrates the entire process.


Fig 4: Fitting Compliance Engine and Inspec into a Risk Management Workflow. Note that you can integrate reporting to further automate the compliance process.

About Onyx Point

At Onyx Point, our engineers focus on Security, System Administration, Automation, Dataflow, and DevOps consulting for government and commercial clients. We offer professional services for Puppet, RedHat, SIMP, NiFi, GitLab, and the other solutions in place that keep your systems running securely and efficiently. We offer Open Source Software support and Engineering and Consulting services through GSA IT Schedule 70. As Open Source contributors and advocates, we encourage the use of FOSS products in Government as part of an overarching IT Efficiencies plan to reduce ongoing IT expenditures attributed to software licensing. Our support and contributions to Open Source are just one of our many guiding principles:

  • Customer First.
  • Security in All We Do.
  • Pursue Innovation with Integrity.
  • Communicate Openly and Respectfully.
  • Offer Your Talents, and Appreciate the Talents of Others.

simp, compliance engine, automation, security, inspec
