InSpec by Chef is a powerful “compliance as code” tool powered by an ever growing number of compliance profiles and target resources. It enables users to achieve continuous compliance across their IT environments.
Over the last six months Chef has created dedicated teams to create and test profiles for a variety of OSs and Cloud Platform APIs. We have also built out an automated pipeline for creation and testing of profiles this ensures Chef can keep pace with the release of updated versions from the likes of CIS and DISA.
An example of this work is the creation of an InSpec profile that covers the CIS Azure Foundations Benchmark using an updated set of InSpec resources for Azure. This allows Azure customers to achieve continuous compliance across their entire Azure platform infrastructure and ensure compliance against CIS standards. This work has involved both expanding out the available resources that are able to interact with Azure and also changes to our underlying transport mechanism in InSpec meaning we now have the capability to test against the CIS Azure Foundations Benchmark.
The addition of new resources and updates to the existing resources within InSpec Azure mean that the key areas of the CIS benchmark can be tested. Resources and areas of the benchmark supported for testing include:
ad_user
resource enables testing of IAM in CISsecurity_policy
& security_policies
resources enable testing of Security Center in CISresource_groups
, monitor_activity_log_alert
, storage_accounts
, storage_account
& storage_containers
resources enable the testing of Storage Accounts in CISsql_database
, sql_databases
, sql_server
& sql_servers
resources enable the testing of SQL Services in CISmonitor_activity_log_alert
& monitor_log_profiles
resources enable the testing of Logging and Monitoring in CISresource_groups
, network_security_groups
, network_security_group
, network_watcher
& network_watchers
resources enable the testing of Networking in CISvirtual_machine
, virtual_machines
, virtual_machine_disk
& resource_groups
resources enable the testing of Virtual Machines in CISkey_vault
& key_vaults
resources enable the testing of the Other Security Considerations in CISAs the Chef team has gone through and added the resources to the InSpec resource pack for Azure, we have also worked through and created an InSpec profile that fully tests compliance to CIS Azure Level 1. This is currently in a Beta state while we go through the initial stages of getting certified with CIS and polishing off some changes in a couple of the resources to ensure everything works as it should. This profile is available to Chef Automate 2.0 customers within the Asset Store. We’ll continue to update and maintain with bug fixes and improvements and also look to add support for CIS Azure Level 2 as we go through the certification process for the Level 1 controls.
Chef Automate 2.0’s use of InSpec provides a rounded view of compliance with the ability to perform on-node scans using the Audit Cookbook, WinRm/SSH scans against network addressable VMs as well as physical machines and also the ability to scan using Cloud Provider APIs such as the Azure ARM API. The use of standardized benchmarks within Chef Automate 2.0 allows enterprises to achieve compliance in a uniform way across multiple aspects of their estate, and with compliance-as-code they can test at multiple points along the CI/CD pipeline and in production with a single source of truth from their audit teams.
We’re also happy to announce the beta availability of Azure Cloud Scanner integration for Chef Automate 2.0. Organizations can provide Azure Service Principal credentials in Chef Automate to quickly gather a list of subscriptions, resources, and VMs to create compliance scan jobs against. It is now easier than ever to start validating the compliance of your Azure environment.
The underlying resource pack for InSpec Azure is open source and open to contributions from the community at https://github.com/inspec/inspec-azure. Chef will continue to add and maintain further resources for the wider community to use and extend with their own custom-built controls. It’s been great to see the contributions from the community enhancing the value of InSpec Azure for it’s users.