Karen Kwentus, Sr. Solution Architect at Chef Software: Make the audit status of all your machines an everyday data point available to your InfoSec team. Find out how to implement automated testing of CIS compliance standards as you administer the desired state of your Windows environments with Chocolatey, InSpec and Chef.
6. WOW vs. CIS
Would pay to do in free time / Would pay to avoid during work hours
7. How to make Compliance go from painful to a daily quest
1. Understand & Capture the desired compliance goal-state
2. Automate the detection of current-state
3. Automate the fix and enforcement of compliant systems
4. Nurture cross-team communication
5. Start with the first deployment into development
6. Define the When and Where – manage by exception
8. SERVER AUTOMATE (Physical, VM, GCP, AWS, Azure)
Config Mgmt, Infrastructure as Code
- Define your desired state
Compliance as Code
- Test the behavior of your infrastructure
Automated enforcement of Desired State at Scale
Reporting & Dashboards
Full CIS Profile Suite
Chef Workstation (DK)
- Local Dev & Test
9. Config Mgmt, Infrastructure as Code
- Define your desired state
Chef builds configurations using Recipes built of Resources (in an extension of the cooking pun, think of Resources as Ingredients).
Windows is a 1st class citizen, with resources including
- Chocolatey
- PowerShell
- DSC
- Security Policy
- Registry Keys
10. 1. Understand & Document the desired compliance goal-state
• Make compliance requirements part of the everyday discussion; shift them left, to the start of the work rather than the end
• Document and source-control the compliance requirements as the source of truth, written as InSpec controls
11. An InSpec control for one CIS Windows benchmark recommendation (Minimum password length):

control 'cis-1.1.4' do
  title '(L1) Ensure Minimum password length is 14 or more character(s)'
  desc '
    This policy setting determines the least number
    of characters that make up a password for a user
    account. The recommended state for this setting
    is: 14 or more character(s).'
  impact 1.0
  describe security_policy do
    its('MinimumPasswordLength') { should be >= 14 }
  end
end

Benchmark text shown alongside the control: 1.1.4: This policy setting determines the least number of characters that make up a password for a user account. There ...
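The same recommendation checked and, on request, fixed from PowerShell, as an added example that is not from the slides nor from Chef or InSpec. It reads the local security database through a `secedit /export`, which is the same export InSpec's `security_policy` resource parses, and remediates through `secedit /configure`. The function and parameter names are this example's own; it assumes an elevated session on the target host.

```powershell
# Added example (not from the slides, not Chef/InSpec code): check CIS 1.1.4
# (Minimum password length >= 14) on the local machine and optionally fix it.
# Function/parameter names are this example's own. Run from an elevated session.

function Get-LocalSecurityPolicySetting {
    # Export the local security database and return one [System Access]
    # value as an integer, or $null if the setting is not present.
    param([Parameter(Mandatory)][string]$Name)

    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit code $LASTEXITCODE)" }
        # secedit writes a UTF-16 INI-style file; Get-Content detects the BOM.
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match "^\s*$([regex]::Escape($Name))\s*=\s*(\S+)") {
                return [int]$Matches[1]
            }
        }
        return $null
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Set-LocalSecurityPolicySetting {
    # Apply one [System Access] value through secedit /configure.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )

    $inf = Join-Path $env:TEMP 'cis-fix.inf'
    $db  = Join-Path $env:TEMP 'cis-fix.sdb'
    # Minimal security template: only the one setting we want to change.
    $template = @'
[Unicode]
Unicode=yes
[System Access]
{0} = {1}
[Version]
signature="$CHICAGO$"
Revision=1
'@
    try {
        ($template -f $Name, $Value) | Set-Content -Path $inf -Encoding Unicode
        & secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit code $LASTEXITCODE)" }
    } finally {
        Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue
    }
}

function Test-Cis114 {
    # Report compliance with CIS 1.1.4. Without -Enforce this is a scan only:
    # nothing on the host changes. With -Enforce, remediate and re-check.
    [CmdletBinding()]
    param(
        [int]$Minimum = 14,
        [switch]$Enforce
    )

    $current   = Get-LocalSecurityPolicySetting -Name 'MinimumPasswordLength'
    $compliant = ($null -ne $current) -and ($current -ge $Minimum)

    if (-not $compliant -and $Enforce) {
        Set-LocalSecurityPolicySetting -Name 'MinimumPasswordLength' -Value $Minimum
        $current   = Get-LocalSecurityPolicySetting -Name 'MinimumPasswordLength'
        $compliant = ($null -ne $current) -and ($current -ge $Minimum)
    }

    [pscustomobject]@{
        Control   = 'cis-1.1.4'
        Setting   = 'MinimumPasswordLength'
        Current   = $current
        Expected  = ">= $Minimum"
        Compliant = $compliant
        Enforced  = [bool]$Enforce
    }
}

# Scan only, the step a pipeline should run first:
Test-Cis114
# Fix and re-check, for a remediation run:
# Test-Cis114 -Enforce
```

Two caveats for anyone running this. The scan and the fix are deliberately separate switches, which is the "scan is not enforcement" point made later in the deck: a scan can run on every deployment without touching the host. And on a machine where Group Policy sets the password policy, a local `secedit /configure` is overwritten at the next policy refresh, so there the fix belongs in the GPO and the host check only tells you whether that GPO has landed.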
14. 4. Nurture Cross-team Communication
Let everyone share in the central view of infrastructure compliance truth
15. 5. Start with the first deployment into development
• Code goes in, so does a compliance scan
• A scan is not enforcement: scanning reports the current state, it does not change the system
• Always understand your compliance status, then choose when and where to
16. 6. Define the When and Where – manage by exception
• Define an ‘exception’ process – incorporate whatever change-management system you already have
• Use InSpec wrapper profiles and in-project comments to manage exceptions: the wrapper includes the upstream CIS profile and skips or lowers the impact of individual controls, so each exception is versioned next to the reason for it
ex: don’t run a test on the systems it does not apply to, or lower its severity
17. How to make Compliance go from painful to a daily quest
1. Understand & Capture the desired compliance goal-state
2. Automate the detection of current-state
3. Automate the fix and enforcement of compliant systems
4. Create a central point of infrastructure compliance truth
5. Start with the first deployment into development
6. Define the When and Where – manage by exception