KGI compliance as-code approach
- 1. Automating STIG Compliance and Reporting
© Kinney Group, Inc. 2021
March 2021
- 2. Why this Framework was Developed
Identifying a need for a Puppet compliance-as-code standard
• KGI has been developing automation solutions for Federal customers, where STIG-compliant systems are mandated, for many years
• There is no consistent framework for implementing compliance-based Puppet code
• Most customers implement it poorly, or lack the knowledge of Puppet best practices needed to do it well
• Ongoing maintenance of compliance code is time consuming for most customers
• Having a third party develop and maintain compliance remediation content reduces the risk when in-house Puppet expertise moves on
- 3. Standardization of Compliance-Based Puppet Code
Lessons that shaped the KGI Framework
• Puppet modules must be well documented
• Centralize code in purpose-built modules that can be implemented quickly
• Enforcement can be toggled on or off per vulnerability (per STIG finding), not only per module
• Leverage PuppetDB to store supporting compliance data
• Compliance modules must be data driven so that behavior can be customized without editing code
• Compliance modules must not prevent Puppet from also managing the system components that are unrelated to compliance
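As an added illustration of the per-finding toggle and data-driven design described above (example code written for this page, not Kinney Group's framework code): a hypothetical class that takes a hash of enforcement flags from Hiera, keyed by a placeholder finding identifier, and applies each remediation as its own sshd drop-in file only while that finding is enabled. The module and class name, the parameter names, the finding keys and the Hiera data are all assumptions; real STIG finding IDs are deliberately not used. It also assumes the host's sshd_config includes the drop-in directory (OpenSSH 8.2 and later support the Include directive).

```puppet
# Added example for this page; it is not Kinney Group's framework code.
# Module name, class name, parameter names and the finding keys are all
# assumptions made for illustration. Real STIG finding IDs are not used.
#
# Design: every remediation is keyed by a finding identifier and guarded by a
# boolean that comes from Hiera data, so a customer disables a single finding
# (for example, one that conflicts with another module) by changing data,
# not by editing or forking the module.
#
# Constructed Hiera data (data/common.yaml) that turns one finding off:
#   stig_example::sshd::enforce:
#     finding_ciphers: false
class stig_example::sshd (
  # finding id => enforce? Findings absent from the hash default to enforced.
  Hash[String, Boolean] $enforce = {},
  # Directory that sshd_config pulls in via "Include" (assumed to exist).
  String $dropin_dir = '/etc/ssh/sshd_config.d',
) {
  # Placeholder finding ids mapped to the sshd_config setting each remediates.
  $remediations = {
    'finding_permitrootlogin' => { 'key' => 'PermitRootLogin', 'value' => 'no' },
    'finding_ciphers'         => { 'key' => 'Ciphers', 'value' => 'aes256-ctr,aes192-ctr,aes128-ctr' },
  }

  # The service is managed here so that a changed drop-in restarts sshd;
  # the service name is an assumption and varies by distribution.
  service { 'sshd':
    ensure => running,
    enable => true,
  }

  $remediations.each |String $id, Hash $r| {
    # A key missing from the data is undef, which means "enforce";
    # only an explicit false in Hiera disables a finding.
    $enabled = $enforce[$id] ? {
      undef   => true,
      default => $enforce[$id],
    }
    $ensure = $enabled ? {
      true    => 'file',
      default => 'absent',
    }

    # One drop-in per finding keeps remediations independent: disabling a
    # finding removes only its own file, and nothing else in sshd_config moves.
    file { "${dropin_dir}/50-${id}.conf":
      ensure  => $ensure,
      owner   => 'root',
      group   => 'root',
      mode    => '0600',
      content => "# managed by Puppet (${id})\n${r['key']} ${r['value']}\n",
      tag     => [$id, 'stig'],  # tags are stored with the catalog resource in PuppetDB
      notify  => Service['sshd'],
    }
  }
}
```

Because the finding identifier is attached as a resource tag, PuppetDB keeps it with the catalog resource for each node; a query against the PuppetDB `resources` endpoint filtered on `["=", "tag", "stig"]` then lists which finding drop-ins each node carries, which is one way to expose the kind of supporting compliance data the framework stores in PuppetDB. Toggling a finding is a one-line Hiera change, and the module never touches anything outside its own drop-in files, so other Puppet code managing the same host is unaffected.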
- 4. Typical Challenges
Challenges we’ve encountered over the years
• A single module that manages all STIG vulnerabilities can conflict with existing Puppet modules that manage the same resources
• Customers don’t want to pay for development of remediation content; they want to pay us to integrate and implement it
• Integrating STIG modules efficiently requires some knowledge and expertise
• Customers struggle to keep compliance modules current after we leave, and fall back to manual bad habits
- 5. Additional Benefits/Capabilities
• Automated STIG Checklist Generator using PuppetDB
• Future: Plans and Tasks for PE (Puppet Enterprise) integration
• Future: Splunk Compliance App using PuppetDB
- 6. Practical Implementation Experience
• U.S. Army – INSCOM
• US Air Force – AFRL and STRATCOM
• US Marine Corps – Technical Services Organization
• Indiana Army National Guard – Indiana Intelligence Center
• State of Indiana – Indiana Office of Technology