InSpec compliance profiles for Azure’s CIS Benchmark and Azure Cloud Scanner in Chef Automate 2.0

InSpec by Chef is a powerful “compliance as code” tool powered by an ever growing number of compliance profiles and target resources. It enables users to achieve continuous compliance across their IT environments.

Over the last six months Chef has created dedicated teams to create and test profiles for a variety of OSs and Cloud Platform APIs. We have also built out an automated pipeline for creation and testing of profiles this ensures Chef can keep pace with the release of updated versions from the likes of CIS and DISA.

Compliance profiles for Azure

An example of this work is the creation of an InSpec profile that covers the CIS Azure Foundations Benchmark using an updated set of InSpec resources for Azure. This allows Azure customers to achieve continuous compliance across their entire Azure platform infrastructure and ensure compliance against CIS standards. This work has involved both expanding out the available resources that are able to interact with Azure and also changes to our underlying transport mechanism in InSpec meaning we now have the capability to test against the CIS Azure Foundations Benchmark.

The addition of new resources and updates to the existing resources within InSpec Azure mean that the key areas of the CIS benchmark can be tested. Resources and areas of the benchmark supported for testing include:

  • ad_user resource enables testing of IAM in CIS
  • security_policy & security_policies resources enable testing of Security Center in CIS
  • resource_groups, monitor_activity_log_alert, storage_accounts, storage_account & storage_containers resources enable the testing of Storage Accounts in CIS
  • sql_database, sql_databases, sql_server & sql_servers resources enable the testing of SQL Services in CIS
  • monitor_activity_log_alert & monitor_log_profiles resources enable the testing of Logging and Monitoring in CIS
  • resource_groups, network_security_groups, network_security_group, network_watcher & network_watchers resources enable the testing of Networking in CIS
  • virtual_machine, virtual_machines, virtual_machine_disk & resource_groups resources enable the testing of Virtual Machines in CIS
  • key_vault & key_vaults resources enable the testing of the Other Security Considerations in CIS

As the Chef team has gone through and added the resources to the InSpec resource pack for Azure, we have also worked through and created an InSpec profile that fully tests compliance to CIS Azure Level 1. This is currently in a Beta state while we go through the initial stages of getting certified with CIS and polishing off some changes in a couple of the resources to ensure everything works as it should. This profile is available to Chef Automate 2.0 customers within the Asset Store. We’ll continue to update and maintain with bug fixes and improvements and also look to add support for CIS Azure Level 2 as we go through the certification process for the Level 1 controls.

Screenshot of some of the CIS Controls within Automate 2’s UI
Screenshot of some of the CIS Controls within Chef Automate 2’s UI

Chef Automate 2.0’s use of InSpec provides a rounded view of compliance with the ability to perform on-node scans using the Audit Cookbook, WinRm/SSH scans against network addressable VMs as well as physical machines and also the ability to scan using Cloud Provider APIs such as the Azure ARM API. The use of standardized benchmarks within Chef Automate 2.0 allows enterprises to achieve compliance in a uniform way across multiple aspects of their estate, and with compliance-as-code they can test at multiple points along the CI/CD pipeline and in production with a single source of truth from their audit teams.

Azure Cloud Scanner integration

We’re also happy to announce the beta availability of Azure Cloud Scanner integration for Chef Automate 2.0. Organizations can provide Azure Service Principal credentials in Chef Automate to quickly gather a list of subscriptions, resources, and VMs to create compliance scan jobs against. It is now easier than ever to start validating the compliance of your Azure environment.

The underlying resource pack for InSpec Azure is open source and open to contributions from the community at Chef will continue to add and maintain further resources for the wider community to use and extend with their own custom-built controls. It’s been great to see the contributions from the community enhancing the value of InSpec Azure for it’s users.

Davy McAleer

Davy is an engineering manager with Chef and runs the Chef Belfast office, helping build out our Compliance automation content team and Partner engineering group. Before joining Chef he has spent time running engineering teams, support organisations and product management for large telecoms software companies. He dreams of DevOps throughout the land!