Enable Compliance Frameworks
To get started monitoring your infrastructure's compliance, you must choose the frameworks you want to comply with. A framework is a set of published requirements (or guidelines) you want your organization to meet. These requirements are best practices and security measures that help make your systems secure.
Some frameworks are required for organizations doing business in certain industries and nations or with government agencies. Examples:
- BSI C5 is mandatory for public cloud services provided to German federal agencies.
- HIPAA is a required framework for health care organizations in the USA.
Other frameworks are voluntary but may be important to your customers or partners. Examples:
- Many American businesses require SOC 2 compliance for all their partners and vendors.
- PCI DSS is a globally accepted framework for protecting cardholders against misuse of personal information. Compliance with this framework is a worldwide standard.
Frameworks are documents that describe the practices and guidelines that the publishing organization requires or recommends. For example, the Center for Internet Security (CIS) publishes the framework CIS Critical Security Controls (known as CIS Controls). Here is one example of the many requirements documented in this framework:
Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
If you want your organization to reach CIS Controls compliance, you must meet this requirement. But how do you take a general guideline like this and demonstrate that all of the assets in your immense infrastructure follow the practice? How do you prove that every system complies with it?
Compliance frameworks in Mondoo
Mondoo breaks down and codifies compliance frameworks in order to automate continuous evidence collection and reporting. Mondoo's security team makes this possible by:
- Analyzing each written requirement in the compliance framework to determine how the requirement applies to different platforms.
- Identifying the practices and settings that different types of assets must follow to meet the requirement.
- Codifying these practices into Mondoo frameworks, which are used to automatically collect evidence.
Based on these codified frameworks, Mondoo programmatically collects the data needed to evaluate the compliance of every asset in your infrastructure.
Controls and checks
In Mondoo, each overarching requirement is called a control. Some examples of controls are:
- Establish and maintain a secure network architecture
- Log sensitive data access
- Configure trusted DNS servers on enterprise assets
A Mondoo framework is made up of controls that match the broad guidelines in the published framework document.
Each control maps to one or more checks, the individual practices and settings that assets must follow. Checks tell Mondoo's query engine what evidence to collect about individual assets.
For example, the Center for Internet Security's CIS Controls framework includes this control: "Implement and manage a firewall on end-user devices." Mondoo's security team analyzed the control and identified nearly 200 checks for different types of end-user devices. These are just a few examples:
- On Ubuntu devices, install Uncomplicated Firewall (UFW)
- On Ubuntu devices, configure iptables to deny incoming traffic by default
- On Windows 11 devices, set the Windows Firewall to block incoming connections by default
- On Windows 12 devices, log when Windows Firewall drops an incoming packet
- On macOS 12 devices, enable firewall stealth mode
- On Red Hat 9 devices, employ a single firewall configuration utility
When you enable a compliance framework, you tell Mondoo to verify all of the checks in all of the controls in that framework.
Enable a compliance framework
By default, for every space in your organization, all frameworks are in preview. Preview means that Mondoo collects data for the controls in a framework but doesn't provide an overall score.
Enable a framework to calculate a score that represents your progress toward 100% compliance with that framework.
Only team members with Editor or Owner access can perform this task.
- In the Mondoo Console, navigate to the space for which you want to assess compliance progress.
- In the side navigation bar, under Compliance, select Frameworks.
- Select the SELECT COMPLIANCE FRAMEWORK button.
- Select the framework you want to comply with.
- Choose how to identify your work on the framework:
  - ACTIVE shows your team that you're working toward an upcoming audit based on this framework.
  - PREVIEW reflects that you're in the early stages of work toward complying with the framework and not yet striving to pass an audit.
- Select the ADD FRAMEWORK button.
You can also enable a framework from the command line. To learn how, read cnspec framework active.
Enable policies for a compliance framework
Frameworks don't contain checks; they contain controls. Each control maps to one or more checks, which exist in Mondoo policies. For Mondoo to perform the many checks required by a framework, you must enable the policies that contain the checks.
The controls in a framework typically map to checks in many different policies. In the CIS Controls example in the previous section, the single control, Implement and manage a firewall on end-user devices, maps to checks in different Ubuntu policies, macOS policies, Windows policies, and more. For the CIS Controls framework to accurately assess the compliance of all these different types of devices, each of those policies must be enabled.
After you enable a framework, Mondoo recommends policies to enable in order to measure compliance with that framework.
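The framework-to-control-to-check-to-policy relationship described above, worked through as an added example (this is not Mondoo's code and does not use Mondoo's data model or API). It models a framework whose controls map to check uids, policies that own those checks, and shows why a framework with a disabled policy has checks for which no evidence is collected. All framework, policy and check identifiers are constructed for illustration, the check results are constructed, and the scoring rule (passed checks divided by the checks the framework references, with missing evidence counting as not passed) is an assumption, not Mondoo's published scoring algorithm.

```python
"""Model of how a compliance framework resolves to policies and checks.

Added example, not Mondoo's code. Every identifier below is constructed, and
the score formula is an assumption chosen so that checks with no evidence
(because their policy is disabled) lower the score instead of being ignored.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Policy:
    uid: str              # constructed policy uid
    checks: set[str]      # check uids this policy contains
    enabled: bool = False


@dataclass
class Framework:
    name: str
    controls: dict[str, set[str]]   # control title -> check uids it maps to


# Constructed framework: two controls named on the page, each mapped to a few
# hypothetical per-platform check uids.
FRAMEWORK = Framework(
    name="CIS Controls (constructed excerpt)",
    controls={
        "Implement and manage a firewall on end-user devices": {
            "ubuntu-ufw-installed", "ubuntu-iptables-default-deny",
            "windows-firewall-block-inbound", "macos-firewall-stealth-mode",
        },
        "Configure trusted DNS servers on enterprise assets": {
            "ubuntu-resolver-trusted-dns", "windows-dns-trusted-servers",
        },
    },
)

# Constructed policies: checks live here, not in the framework. Only the
# Ubuntu policy is enabled to start with.
POLICIES = [
    Policy("mondoo-ubuntu-security", {"ubuntu-ufw-installed",
           "ubuntu-iptables-default-deny", "ubuntu-resolver-trusted-dns"}, enabled=True),
    Policy("mondoo-windows-security", {"windows-firewall-block-inbound",
           "windows-dns-trusted-servers"}),
    Policy("mondoo-macos-security", {"macos-firewall-stealth-mode"}),
]

# Constructed results for one asset scan: only checks from enabled policies
# produce evidence (True = passed, False = failed).
RESULTS = {
    "ubuntu-ufw-installed": True,
    "ubuntu-iptables-default-deny": False,
    "ubuntu-resolver-trusted-dns": True,
}


def framework_checks(fw: Framework) -> set[str]:
    """All check uids referenced by any control in the framework."""
    return set().union(*fw.controls.values())


def required_policies(fw: Framework, policies: list[Policy]) -> list[Policy]:
    """Policies that contain at least one check the framework references."""
    needed = framework_checks(fw)
    return [p for p in policies if p.checks & needed]


def disabled_required_policies(fw: Framework, policies: list[Policy]) -> list[str]:
    """Uids of required policies that are still disabled (the ones to enable)."""
    return [p.uid for p in required_policies(fw, policies) if not p.enabled]


def uncovered_checks(fw: Framework, policies: list[Policy]) -> set[str]:
    """Checks the framework needs that no enabled policy provides: no evidence is collected."""
    covered = set().union(*(p.checks for p in policies if p.enabled))
    return framework_checks(fw) - covered


def control_report(fw, policies, results) -> dict[str, tuple[int, int, int]]:
    """Per control: (passed, failed, no evidence) counts."""
    uncovered = uncovered_checks(fw, policies)
    report = {}
    for title, checks in fw.controls.items():
        with_evidence = checks - uncovered
        passed = sum(1 for c in with_evidence if results.get(c) is True)
        failed = sum(1 for c in with_evidence if results.get(c) is False)
        report[title] = (passed, failed, len(checks) - passed - failed)
    return report


def compliance_score(fw, policies, results) -> float:
    """Assumed rule: percentage of framework checks that passed; no evidence counts as not passed."""
    needed = framework_checks(fw)
    covered = needed - uncovered_checks(fw, policies)
    passed = sum(1 for c in covered if results.get(c) is True)
    return round(100 * passed / len(needed), 1) if needed else 0.0


def enable_required(fw: Framework, policies: list[Policy]) -> list[str]:
    """Enable every policy the framework needs; returns the uids newly enabled."""
    newly = []
    for p in required_policies(fw, policies):
        if not p.enabled:
            p.enabled = True
            newly.append(p.uid)
    return newly


if __name__ == "__main__":
    print("Checks with no evidence:", sorted(uncovered_checks(FRAMEWORK, POLICIES)))
    print("Disabled policies the framework needs:", disabled_required_policies(FRAMEWORK, POLICIES))
    print("Score before enabling them:", compliance_score(FRAMEWORK, POLICIES, RESULTS))
    for title, (p, f, n) in control_report(FRAMEWORK, POLICIES, RESULTS).items():
        print(f"  {title}: {p} passed, {f} failed, {n} without evidence")
    print("Newly enabled:", enable_required(FRAMEWORK, POLICIES))
    print("Checks with no evidence now:", sorted(uncovered_checks(FRAMEWORK, POLICIES)))
```

The point to take from the example is the third number in each control's report: with only the Ubuntu policy enabled, the firewall control has two checks for which nothing was ever evaluated, so a score that silently excluded them would overstate compliance. Treating missing evidence as "not passed" keeps the score honest until the Windows and macOS policies are enabled, which is why the page tells you to enable every policy the framework's controls map to.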
To enable a policy, hover over the policy and select the Enabled icon.
Only team members with Editor or Owner access can perform this task.