Configuration Drift Detection
Compare intended configuration against actual host state to find drift.
Overview
Configuration drift occurs when actual infrastructure state diverges from intended configuration. Infracast detects drift by comparing your configuration management definitions against discovered host state, helping you maintain compliance and reduce security risk.
Supported Sources
Ansible
Upload Ansible playbooks and roles to establish your intended state.
What we analyze:
- Package installations
- Service states (running, enabled)
- File permissions
- User/group configurations
- Firewall rules
Kubernetes
Upload Kubernetes manifests or Helm charts.
What we analyze:
- Deployment configurations
- Resource limits and requests
- Security contexts
- Network policies
- Pod security settings
Terraform
Upload Terraform configurations and state files.
What we analyze:
- Resource configurations
- Security group rules
- IAM policies
- Encryption settings
- Tagging compliance
DISA STIGs
Automated STIG compliance checking with CKL export.
Supported STIGs:
- Red Hat Enterprise Linux 8/9
- Ubuntu 20.04/22.04
- Windows Server 2019/2022
- Amazon Linux 2
Drift Detection
How It Works
- Upload your intended configuration (Ansible playbook, K8s manifest, etc.)
- Infracast parses the intended state from the uploaded files
- Infracast compares that state against the discovered configuration of each target host
- Differences are reported as drift findings
Drift Categories
| Category | Description | Example |
|---|---|---|
| Missing | Expected configuration not present | Package not installed |
| Extra | Unexpected configuration present | Unauthorized service running |
| Modified | Configuration differs from expected | Different file permissions |
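The comparison described in the steps above, classified into the three drift categories, as an added illustration that is not Infracast's own code. It assumes the intended state (from a playbook, manifest or plan) and the discovered host state have already been parsed into per-kind dicts of name to attributes; the sample states are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Drift:
    category: str  # "missing" | "extra" | "modified"
    kind: str      # e.g. "package", "service", "file"
    name: str
    detail: str = ""

# Kinds whose intended set is authoritative: anything on the host but absent from
# the intended state is reported as "extra" (an unauthorized service). Packages are
# not authoritative here, since a playbook rarely lists every package an image ships.
AUTHORITATIVE_KINDS = frozenset({"service"})

def detect_drift(intended: dict, discovered: dict) -> list[Drift]:
    findings = []
    for kind in sorted(set(intended) | set(discovered)):
        want = intended.get(kind, {})
        have = discovered.get(kind, {})
        for name, attrs in want.items():
            if name not in have:
                findings.append(Drift("missing", kind, name))
                continue
            # Compare only attributes the intended state sets; unspecified ones are not drift.
            diffs = [f"{k}: expected {v!r}, actual {have[name].get(k)!r}"
                     for k, v in attrs.items() if have[name].get(k) != v]
            if diffs:
                findings.append(Drift("modified", kind, name, "; ".join(diffs)))
        if kind in AUTHORITATIVE_KINDS:
            findings += [Drift("extra", kind, n) for n in have if n not in want]
    return findings

# Constructed sample states (hypothetical, not real host data).
INTENDED = {
    "package": {"openssh-server": {"state": "present"}, "auditd": {"state": "present"}},
    "service": {"sshd": {"running": True, "enabled": True},
                "auditd": {"running": True, "enabled": True}},
    "file": {"/etc/ssh/sshd_config": {"mode": "0600", "owner": "root"}},
}
DISCOVERED = {
    "package": {"openssh-server": {"state": "present"}, "vim": {"state": "present"}},
    "service": {"sshd": {"running": True, "enabled": True},
                "telnet": {"running": True, "enabled": True}},
    "file": {"/etc/ssh/sshd_config": {"mode": "0644", "owner": "root"}},
}

if __name__ == "__main__":
    for d in detect_drift(INTENDED, DISCOVERED):
        print(f"[{d.category}] {d.kind} {d.name} {d.detail}".rstrip())
```

Note that the extra package `vim` is not reported, while the extra service `telnet` is: which kinds are treated as authoritative is the policy decision that separates useful findings from noise.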
Using Configuration Drift
Navigate to Config Drift
- Go to Operations → Configuration Drift
- Click Upload Configuration
- Select your source type and upload files
- Choose target hosts to compare against
View Results
- Drift items grouped by host
- Severity based on security impact
- Remediation guidance for each finding
Export Reports
- PDF summary for management
- CKL files for STIG compliance (DISA-compatible)
- CSV for custom analysis
STIG Compliance
Automated STIG Checking
Infracast automates STIG compliance assessment by:
- Parsing STIG requirements
- Checking host configuration
- Generating findings for non-compliant items
CKL Export
Export results in Checklist (CKL) format for:
- DISA eMASS submission
- Auditor review
- Compliance documentation
Supported Checks
- File permissions and ownership
- Service configurations
- Password policies
- Audit logging settings
- Network configurations
Best Practices
- Version Control Configs — Keep configuration sources in Git for tracking
- Run Regularly — Check for drift weekly or after changes
- Remediate Quickly — Address high-severity drift immediately
- Document Exceptions — Track intentional differences with justification
- Integrate with CI/CD — Check drift before deployments
Integration with IaC Scanning
Configuration Drift complements IaC scanning:
| Capability | IaC Scanning | Config Drift |
|---|---|---|
| When | Pre-deployment | Post-deployment |
| What | Code analysis | Actual vs intended |
| Focus | Secure defaults | Operational drift |
Use both for complete coverage: IaC scanning catches issues before deployment, and Configuration Drift catches divergence from the intended state after deployment.
Troubleshooting
No Drift Detected
- Verify configuration files are correctly formatted
- Ensure target hosts were discovered
- Check that host discovery includes the relevant configuration data
Parsing Errors
- Validate Ansible YAML syntax
- Verify Kubernetes manifests are complete
- Check Terraform files for syntax errors