Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Compliance as Code

Ladislav Prskavec
January 23, 2020
Technology
0
430

Compliance as Code

Compliance is an important part of IT systems. It is often performed only as a regular annual audit. The auditors pick up samples of data to check. They can’t check all the data.

I went through classical audits, where you fill tens of excel sheets and then consult with internal audit what and how to improve etc. As SRE (Site Reliability Engineer) deals with monitoring and automation, there is also depriving people of manual work. I have seen how the problem is solved on a large scale (cloud providers). I have experience with Oracle Cloud Infrastructure (OCI) and Amazon Web Services (AWS). I’ll show you how to move from Excel to an automatic, near real-time compliance check solution using Chef Inspec Framework.

Ladislav Prskavec

January 23, 2020
Tweet

More Decks by Ladislav Prskavec

See All by Ladislav Prskavec
From Small Terraform Projects to Terralith
abtris
0
10
Build nice terminal UI with Bubble Tea
abtris
1
180
How to make own observability solution?
abtris
0
190
OpenTelemetry as best way how to instrument your CICD pipeline
abtris
0
220
Prague Go Meetup #12 Introductions
abtris
0
35
How we run stateful services for customers in Kubernetes
abtris
0
310
Go Release 1.20
abtris
0
170
CI pipelines should be code! Dagger Go SDK
abtris
1
310
Getting started with fuzzing
abtris
0
300

Other Decks in Technology

See All in Technology
QA/SDETの現在と、これからの挑戦
imtnd
0
150
Conquering PDFs: document understanding beyond plain text
inesmontani
PRO
1
310
更新系と状態
uhyo
8
1.9k
3D生成AIのための画像生成
kosukeito
2
300
AIと共に乗り越える、 入社後2ヶ月の苦労と学習の軌跡
sai_kaneko
0
120
彩の国で始めよう。おっさんエンジニアから共有したい、当たり前のことを当たり前にする技術
otsuki
0
160
勝手に!深堀り!Cloud Run worker pools / Deep dive Cloud Run worker pools
iselegant
4
510
Cursor AgentによるパーソナルAIアシスタント育成入門―業務のプロンプト化・MCPの活用
os1ma
15
5.8k
Microsoft の SSE の現在地
skmkzyk
0
170
C++26アップデート 2025-03
faithandbrave
0
1.1k
AWSのマルチアカウント管理 ベストプラクティス最新版 2025 / Multi-Account management on AWS best practice 2025
ohmura
4
320
「経験の点」の位置を意識したキャリア形成 / Career development with an awareness of the “point of experience” position
pauli
4
110

Featured

See All Featured
Rebuilding a faster, lazier Slack
samanthasiow
81
8.9k
A better future with KSS
kneath
239
17k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
227
22k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
KATA
mclloyd
29
14k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
9
760
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.2k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
178
53k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
Become a Pro
speakerdeck
PRO
27
5.3k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
21k

Transcript

  1. Compliance as Code Ladislav Prskavec Ladislav Prskavec - itSMF, 23.

    1. 2020 1

  2. Who Am I 4 Senior Manager in Oracle Cloud Infrastructure

    4 Twitter: @abtris 4 Blog and talks: https://blog.prskavec.net/ Ladislav Prskavec - itSMF, 23. 1. 2020 2

  3. Compliance Ladislav Prskavec - itSMF, 23. 1. 2020 3

  4. Ladislav Prskavec - itSMF, 23. 1. 2020 4

  5. Automating Away the Regulatory Compliance Myth Ladislav Prskavec - itSMF,

    23. 1. 2020 5

  6. Regulatory Compliance Ladislav Prskavec - itSMF, 23. 1. 2020 6

  7. Ladislav Prskavec - itSMF, 23. 1. 2020 7

  8. Ladislav Prskavec - itSMF, 23. 1. 2020 8

  9. Ladislav Prskavec - itSMF, 23. 1. 2020 9

  10. Language is key Ladislav Prskavec - itSMF, 23. 1. 2020

    10

  11. 6.2.1 Set SSH Protocol to 2 (Scored) Profile Applicability: -

    Level 1 Description: SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure. Rationale: SSH v1 suffers from insecurities that do not affect SSH v2. Audit: To verify the correct SSH setting, run the following command and verify that the output is as shown: # grep "^Protocol" /etc/ssh/sshd_config Protocol 2 Remediation: Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2 Ladislav Prskavec - itSMF, 23. 1. 2020 11

  12. control 'ssh-04' do impact 1.0 title 'Client: Specify protocol version

    2' desc "Only SSH protocol version 2 connections should be permitted..." describe ssh_config do its('Protocol') { should eq('2') } end end 4 ssh_spec.rb Ladislav Prskavec - itSMF, 23. 1. 2020 12

  13. Compliance as Code 4 Defining Policies Upfront 4 Automated Gates

    and Checks 4 Managing Changes in Continuous Delivery 4 Separation of Duties in the DevOps Audit Toolkit 4 Using the Audit Defense Toolkit 4 Code Instead of Paperwork Ladislav Prskavec - itSMF, 23. 1. 2020 13

  14. Chef Inspec framework www.inspec.io - 1.0 Sep 2016 Ladislav Prskavec

    - itSMF, 23. 1. 2020 14

  15. Ladislav Prskavec - itSMF, 23. 1. 2020 15

  16. Define policies Ladislav Prskavec - itSMF, 23. 1. 2020 16

  17. How to start Ladislav Prskavec - itSMF, 23. 1. 2020

    17

  18. DevSec Hardening Framework Baselines Ladislav Prskavec - itSMF, 23. 1.

    2020 18

  19. Ladislav Prskavec - itSMF, 23. 1. 2020 19

  20. Ladislav Prskavec - itSMF, 23. 1. 2020 20

  21. Ladislav Prskavec - itSMF, 23. 1. 2020 21

  22. Ladislav Prskavec - itSMF, 23. 1. 2020 22

  23. Ladislav Prskavec - itSMF, 23. 1. 2020 23

  24. Ladislav Prskavec - itSMF, 23. 1. 2020 24

  25. Ladislav Prskavec - itSMF, 23. 1. 2020 25

  26. Automate audit Ladislav Prskavec - itSMF, 23. 1. 2020 26

  27. Metrics # HELP inspec_checks_total Number of inspec checks # TYPE

    inspec_checks_total gauge inspec_checks_total{profile="ssl-baseline",status="passed"} 6 inspec_checks_total{profile="ssl-baseline",status="failed"} 0 inspec_checks_total{profile="ssl-baseline",status="skipped"} 0 4 prometheus_inspec_exporter by Dave Cadwallader Ladislav Prskavec - itSMF, 23. 1. 2020 27

  28. Ladislav Prskavec - itSMF, 23. 1. 2020 28

  29. Summary 4 Why Compliance? 4 Why Compliance as code? 4

    Why Automated audit? Ladislav Prskavec - itSMF, 23. 1. 2020 29

  30. Q & A Or ask on twitter: @abtris Ladislav Prskavec

    - itSMF, 23. 1. 2020 30