Applying Compliance on Azure Government with InSpec

In government, compliance and security are a critical component of our job function. Current compliance frameworks are bulky and unwieldy for anyone inexperienced with OpenSCAP and XML. Microsoft Azure Government cloud and InSpec are designed to provide a common language for security, compliance, and automation teams to converge around.

Azure Government is designed to solve your compliance needs all the way up to the systems you manage. That is where Chef Automate and InSpec take over for the 'last mile': the configuration of those systems themselves. Chef Automate and InSpec let us view compliance controls in a human-readable, easily digestible format.

title 'RHEL-06-000227: The SSH daemon must be configured to use only the SSHv2 protocol.'

control 'RHEL-06-000227' do
  impact 1.0
  title 'The SSH daemon must be configured to use only the SSHv2 protocol.'
  desc 'SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used.'
  tag group: 'SRG-OS-000112'
  tag vulid: 'V-38607'
  tag ruleid: 'SV-50408r1_rule'
  tag severity: 'CAT I'
  tag stigid: 'RHEL-06-000227'
  tag cci: 'CCI-000774'
  tag fixtext: 'Only SSH protocol version 2 connections should be permitted. The default setting in "/etc/ssh/sshd_config" is correct, and can be verified by ensuring that the following line appears: Protocol 2'
  tag checkcontent: 'To check which SSH protocol version is allowed, run the following command: # grep Protocol /etc/ssh/sshd_config If configured properly, output should be Protocol 2 If it is not, this is a finding.'
  tag remediation: ''
  ref 'http://iasecontent.disa.mil/stigs/zip/U_RedHat_6_V1R15_STIG.zip'

  # The actual check: the sshd_config resource parses /etc/ssh/sshd_config
  # and the Protocol keyword must be exactly "2" (not "2,1" and not absent).
  describe sshd_config do
    its('Protocol') { should eq('2') }
  end
end

The above control is the DISA STIG RHEL 6 control for the SSH protocol version your system runs. It is just one of hundreds of controls published by DISA for managing Red Hat systems. The value of InSpec over traditional testing and compliance frameworks is that a control carries all of its context in one place: not just the code check itself (the describe block), but the STIG identifiers, severity, check text, fix text and reference that explain why we are checking for this setting. Chef Automate includes profiles for DISA STIGs and CIS Benchmarks out of the box.
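To make the check concrete, here is an added example (not code from the original post, and not InSpec's own sshd_config resource) that parses sshd_config text the way sshd does and evaluates the RHEL-06-000227 condition, including the cases the one-line matcher silently covers: a "2,1" value, a commented-out keyword, and a duplicate keyword. It assumes sshd_config(5) semantics, namely that keywords are case-insensitive and the first occurrence of a keyword wins, and that a missing keyword yields nil and is therefore a finding; the sample configs are constructed.

```ruby
# Added example: a minimal stand-in for the sshd_config resource used by
# RHEL-06-000227, showing what `its('Protocol') { should eq('2') }` evaluates.
# Assumption (from sshd_config(5)): keywords are case-insensitive and the
# FIRST occurrence of a keyword is the one sshd uses.

# Parse sshd_config content into a Hash of lower-cased keyword => value.
def parse_sshd_config(content)
  params = {}
  content.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')   # comment or blank line
    key, value = line.split(/\s+/, 2)              # "Keyword value..."
    next if value.nil?
    key = key.downcase
    params[key] = value unless params.key?(key)    # first occurrence wins
  end
  params
end

# Evaluate the STIG check; a missing Protocol (nil) is a finding, as is "2,1".
def rhel_06_000227(content)
  actual = parse_sshd_config(content)['protocol']
  { control: 'RHEL-06-000227', expected: '2', actual: actual, passed: actual == '2' }
end

# Constructed sample configurations (not taken from any real system).
COMPLIANT_CONFIG = <<~CONF
  # Protocol line as shipped in the RHEL 6 default sshd_config
  Protocol 2
  SyslogFacility AUTHPRIV
CONF
LEGACY_CONFIG = <<~CONF
  # SSHv1 is still negotiable here, which is the CAT I finding
  Protocol 2,1
  PermitRootLogin no
CONF
COMMENTED_ONLY_CONFIG = <<~CONF
  #Protocol 2
  PermitRootLogin no
CONF
DUPLICATE_CONFIG = <<~CONF
  protocol 2,1
  Protocol 2
CONF

if $PROGRAM_NAME == __FILE__
  [COMPLIANT_CONFIG, LEGACY_CONFIG, COMMENTED_ONLY_CONFIG, DUPLICATE_CONFIG].each do |cfg|
    r = rhel_06_000227(cfg)
    puts "#{r[:control]}: #{r[:passed] ? 'PASS' : 'FAIL'} (Protocol=#{r[:actual].inspect})"
  end
end
```

Only the first sample passes; the duplicate case fails because sshd honours the earlier "2,1" line even though a correct "Protocol 2" appears later.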

By using these InSpec profiles in conjunction with Azure Government, we can simplify and reduce the effort it takes to prove compliance in our environment. Recently, I presented a live webinar on this topic with Microsoft’s Technical Solutions Specialist, Derrick Schwartz, to show how our technologies work together to achieve this goal. You can watch a recording of the webinar below.


Galen Emery

I am Galen, the Lead Compliance and Security Architect for Chef. My professional life has been built upon automating everything I can, and I am responsible for helping security and compliance teams understand how to secure systems within the DevOps model. I currently live in San Diego, CA, but am originally from Seattle, WA, with time spent in DC working with the federal government. I have extensive experience in Windows, Cloud Migrations, Chef, Compliance and Security. I hold an active CISSP.