2 min read

Applying compliance frameworks with Chef InSpec on Azure Government

2-minute read + video
In government, compliance and security are critical components of our job function. The current state of compliance frameworks are bulky and unwieldy for those inexperienced with OpenSCAP/XML. The Microsoft Azure Government cloud and Chef InSpec are designed to provide a common language for security, compliance, and automation teams to converge around.
Microsoft Azure Government is designed to solve your compliance needs all the way up to the systems you manage. That’s where Chef Automate and InSpec take over for that ”last mile.” Chef Automate and InSpec help you view compliance controls in a human-readable, easily digestible format.
The below example is the DISA STIG RHEL6 Control, pertaining to which protocol version of SSH your system runs. This is just one of hundreds of controls published by DISA for managing RedHat systems. The value of InSpec over traditional testing and compliance frameworks is that InSpec includes all the context we need to understand not only the actual code check itself, but also all of the other information we need to understand why we’re checking for this setting. Chef Automate includes profiles for DISA STIGs and CIS Benchmarks out of the box.

 title 'RHEL-06-000227: The SSH daemon must be configured to use only the SSHv2 protocol.'
control 'RHEL-06-000227' do
 impact 1.0
 title 'The SSH daemon must be configured to use only the SSHv2 protocol.'
 desc 'SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.'
 tag group: 'SRG-OS-000112'
 tag vulid: 'V-38607'
 tag ruleid: 'SV-50408r1_rule'
 tag severity: 'CAT I'
 tag stigid: 'RHEL-06-000227'
 tag cci: 'CCI-000774'
 tag fixtext: 'Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears: Protocol 2'
 tag checkcontent: 'To check which SSH protocol version is allowed, run the following command: # grep Protocol /etc/ssh/sshd_config If configured properly, output should be Protocol 2 If it is not, this is a finding.'
 tag remediation: ''
 ref 'http://iasecontent.disa.mil/stigs/zip/U_RedHat_6_V1R15_STIG.zip'
describe sshd_config do
 its('Protocol') { should eq('2') }
 end
 end

By using these InSpec profiles in conjunction with Microsoft Azure Government, we can simplify and reduce the effort it takes to provide compliance in an environment. Recently, we presented a live webinar on this topic with Microsoft’s Technical Solutions Specialist, Derrick Schwartz, to show how our technologies work together to achieve this goal. You can watch a recording of the webinar below.

Learn More: