Applying Compliance on Azure Government with InSpec

In government, compliance and security are a critical component of our job function. The current state of compliance frameworks are bulky and unwieldy for those inexperienced with OpenSCAP/XML. Microsoft Azure Government cloud and InSpec are designed to provide a common language for security, compliance, and automation teams to converge around.

Azure Government is designed to solve your compliance needs all the way up to the systems you manage. That’s where Chef Automate and InSpec take over for that ‘last mile’. Chef Automate and InSpec allow us to view compliance controls in a human-readable, easily digestible format.

title 'RHEL-06-000227: The SSH daemon must be configured to use only the SSHv2 protocol.'

control 'RHEL-06-000227' do
 impact 1.0
 title 'The SSH daemon must be configured to use only the SSHv2 protocol.'
 desc 'SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.'
 tag group: 'SRG-OS-000112'
 tag vulid: 'V-38607'
 tag ruleid: 'SV-50408r1_rule'
 tag severity: 'CAT I'
 tag stigid: 'RHEL-06-000227'
 tag cci: 'CCI-000774'
 tag fixtext: 'Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears: Protocol 2'
 tag checkcontent: 'To check which SSH protocol version is allowed, run the following command: # grep Protocol /etc/ssh/sshd_config If configured properly, output should be Protocol 2 If it is not, this is a finding.'
 tag remediation: ''
 ref 'http://iasecontent.disa.mil/stigs/zip/U_RedHat_6_V1R15_STIG.zip'

 describe sshd_config do
   its('Protocol') { should eq('2') }
 end
end

The above control is the DISA STIG RHEL6 Control pertaining to which protocol version of SSH your system runs. This is just one of hundreds of controls published by DISA for managing RedHat systems. The value of InSpec over traditional testing and compliance frameworks is that InSpec includes all the context we need to understand not just the actual code check itself, but all of the other information we need to understand why we’re checking for this setting. Chef Automate includes profiles for DISA STIGs and CIS Benchmarks out of the box.

By using these InSpec profiles in conjunction with Azure Government, we can simplify and reduce the effort it takes to prove compliance in our environment. Recently, I presented a live webinar on this topic with Microsoft’s Technical Solutions Specialist, Derrick Schwartz, to show how our technologies work together to achieve this goal. You can watch a recording of the webinar below.

 

Learn More

Galen Emery

I am Galen, the Lead Compliance and Security Architect for Chef. My professional life has been built upon automating everything I can, and am responsible for helping security and compliance teams understand how to secure systems within the DevOps model. I currently live in San Diego, CA but am originally from Seattle, WA with time spent in DC working with the federal government. I have extensive experience in Windows, Cloud Migrations, Chef, Compliance and Security. I hold an active CISSP.