Profile Applicability:
Level 1
Description:
All deployment configurations for build workers—including infrastructure definitions, environment settings, and automation scripts—must be stored and managed within a version control system. This practice ensures configuration traceability, facilitates collaboration, and supports rollback in case of issues.
Rationale:
Storing deployment configurations in version control enhances change management, reduces configuration drift, and improves reproducibility and auditability. It strengthens the reliability and security of build infrastructure by enabling controlled and documented changes.
Impact:
Pros:
Provides clear history and accountability of configuration changes.
Supports collaboration and peer review of deployment settings.
Enables rollback to previous known-good configurations.
Facilitates compliance and auditing processes.
Cons:
Requires discipline to maintain and update versioned configurations.
May add overhead for managing infrastructure-as-code.
Default value:
Deployment configurations are often maintained manually or outside version control, risking drift and undocumented changes.
Audit:
Verify that build worker deployment configurations are committed to and managed via version control repositories. Review change logs and access controls.
Remediation:
Implement infrastructure-as-code tools (e.g., Terraform, Ansible) with configurations stored in version control. Establish policies enforcing configuration versioning. Train teams on best practices.
References:
Infrastructure as Code with Terraform: https://www.terraform.io/
Ansible Best Practices: https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html
CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/