Compliance, Remediation, Service Desk Integration

asked 2014-03-21 18:20:16 -0600

sam
21 ●2 ●2 ●3

From my understanding of puppet a lot of things can be achieved using modules so I'm assuming when it comes to operational compliance I would populate my modules with desired policies.

However, I'd like to know how Security and Regulatory(HIPAA,PCI, SOX etc) compliance are maintained/ enforced. What approach is currently supported by Puppet and are there accompanying remediation packages with these?

More so, what service desk integration tools are currently supported by puppet for closed loop compliance purposes

edit retag flag offensive close merge delete

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2014-03-21 22:56:06 -0600

richburroughs
21 ●2

Hi,

I'm at a company that does yearly PCI and SOX audits, and I'm not aware of any tools that make Puppet enforce a specific type of compliance like that. One area we have found Puppet to be handy is to demonstrate to our auditors that the things we control through Puppet are all tracked by out Git repo, and that if someone were to make an unauthorized change to one of them on a host, that Puppet would revert the change. It was acknowledged as one of the ways we handle FIM (file integrity monitoring), along with ... (more)

edit flag offensive delete link

add a comment

answered 2014-03-21 23:11:39 -0600

spuder
1451 ●45 ●52 ●87

This is a good question.

In a PCI audit, you are required to answer questions like "Can anyone besides root access the system?". The auditors are satisfied if you can show them your puppet policy.

A PCI auditor was recently interviewed on this podcast and explained how puppet can satisfy audits:

http://linuxadminshow.com/2012/11/07/episode-5-dealing-with-a-pci-audit-with-shawn-lukaschuk/

As for service desk integration tools, I do not believe there are any. Maybe the the foreman can be modified to achieve what you are looking for. .

edit flag offensive delete link

add a comment