Slide 1

Compliance as Code
Ladislav Prskavec
Ladislav Prskavec - itSMF, 23. 1. 2020

Slide 2

Who Am I
- Senior Manager in Oracle Cloud Infrastructure
- Twitter: @abtris
- Blog and talks: https://blog.prskavec.net/

Slide 3

Compliance

Slide 5

Automating Away the Regulatory Compliance Myth

Slide 6

Regulatory Compliance

Slide 10

Language is key

Slide 11

6.2.1 Set SSH Protocol to 2 (Scored)

Profile Applicability:
- Level 1

Description: SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure.

Rationale: SSH v1 suffers from insecurities that do not affect SSH v2.

Audit: To verify the correct SSH setting, run the following command and verify that the output is as shown:

    # grep "^Protocol" /etc/ssh/sshd_config
    Protocol 2

Remediation: Edit the /etc/ssh/sshd_config file to set the parameter as follows:

    Protocol 2

Slide 12

ssh_spec.rb:

    # InSpec control for the client-side /etc/ssh/ssh_config, read through the
    # built-in ssh_config resource (the server-side counterpart is sshd_config)
    control 'ssh-04' do
      impact 1.0
      title 'Client: Specify protocol version 2'
      desc "Only SSH protocol version 2 connections should be permitted..."
      describe ssh_config do
        its('Protocol') { should eq('2') }
      end
    end

Slide 13

Compliance as Code
- Defining Policies Upfront
- Automated Gates and Checks
- Managing Changes in Continuous Delivery
- Separation of Duties in the DevOps Audit Toolkit
- Using the Audit Defense Toolkit
- Code Instead of Paperwork

Slide 14

Chef InSpec framework
www.inspec.io - 1.0 Sep 2016

Slide 16

Define policies

Slide 17

How to start

Slide 18

DevSec Hardening Framework Baselines

Slide 26

Automate audit

Slide 27

Metrics

    # HELP inspec_checks_total Number of inspec checks
    # TYPE inspec_checks_total gauge
    inspec_checks_total{profile="ssl-baseline",status="passed"} 6
    inspec_checks_total{profile="ssl-baseline",status="failed"} 0
    inspec_checks_total{profile="ssl-baseline",status="skipped"} 0

prometheus_inspec_exporter by Dave Cadwallader
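The CIS audit on slide 11, the InSpec control on slide 12 and the exporter output above chain into one loop: parse the configuration, decide pass or fail, publish a gauge. The block below is an added example, not code from the talk, InSpec or prometheus_inspec_exporter: plain Ruby standing in for the InSpec resource, with a constructed sshd_config fragment and the function names parse_sshd_config, check_ssh_protocol and metrics as my own. It goes beyond the grep on slide 11 by applying sshd's own parsing rules (first occurrence wins, case-insensitive keywords, optional '=', leading whitespace).

```ruby
# sshd_config rules: lines starting with '#' are comments, keywords are
# case-insensitive, "Key value" and "Key=value" both work, and the FIRST
# occurrence of a keyword is the one sshd uses. Returns {keyword => value}.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    next if value.nil?
    settings[key.downcase] ||= value.strip   # first occurrence wins
  end
  settings
end

# CIS 6.2.1: effective Protocol must be exactly "2"; "2,1", "1" and an absent
# line all fail, since the benchmark wants the line present. (OpenSSH 7.4+ has
# no protocol 1 server support, so the keyword is a no-op there.)
def check_ssh_protocol(text)
  parse_sshd_config(text)['protocol'] == '2' ? 'passed' : 'failed'
end

# Prometheus text exposition in the shape of prometheus_inspec_exporter:
# one inspec_checks_total gauge line per status, labelled with the profile.
def metrics(profile, results)
  counts = Hash.new(0)
  results.each_value { |status| counts[status] += 1 }
  lines = ['# HELP inspec_checks_total Number of inspec checks',
           '# TYPE inspec_checks_total gauge']
  %w[passed failed skipped].each do |status|
    lines << "inspec_checks_total{profile=\"#{profile}\",status=\"#{status}\"} #{counts[status]}"
  end
  lines.join("\n")
end

# Constructed fragment: grep "^Protocol" (slide 11) misses the indented lowercase
# line and reports "2,1"; sshd, and the parser above, use the first line.
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sshd_config for the example
  Port 22
    protocol 2
  Protocol 2,1
CONF

if __FILE__ == $PROGRAM_NAME
  status = check_ssh_protocol(SAMPLE_SSHD_CONFIG)
  puts metrics('ssh-baseline', { 'cis-6.2.1-ssh-protocol' => status })
end
```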

Slide 29

Summary
- Why Compliance?
- Why Compliance as code?
- Why Automated audit?

Slide 30

Q & A
Or ask on Twitter: @abtris