---
layout: post
title: Compliance - Using the Audit Cookbook
category: chef_automate_1
tags: [chef, cookbooks, compliance, inspec]
summary: Ever wondered how to get Compliance data from chef-client runs?
---

## The Audit Cookbook

Want to gather compliance data via `chef-client` and have the output forwarded to Chef Automate? Then the `audit` cookbook ([Supermarket](https://supermarket.chef.io/cookbooks/audit)/[GitHub](https://github.com/chef-cookbooks/audit)) is just the tool you need.

The `audit` cookbook supports a myriad of configurations. This blog post covers the most commonly used method, which is best suited for customers who are using Chef Automate. The only decision you need to make is which InSpec profiles to run.

---

## Deciding Which Profiles to Run

Deciding which InSpec profiles to use to scan your nodes is an individual business decision and outside the scope of this blog post. However, the Chef Automate server comes with many profiles bundled with it, and it is recommended that you start there. More information can be found [here](https://docs.chef.io/profile_store.html).

---

## Configuring Data Collection/Profile Storage

This guide uses the Chef Server as a proxy between the `chef-client` nodes and Automate: nodes send their compliance reports to the Chef Server and fetch their profiles from it, and the Chef Server forwards both to Automate. To enable this functionality, do the following.

### Configure Data Collection

1. Add the following to `/etc/delivery.rb` on the Automate server:

   ```ruby
   data_collector['token'] = 'SOMETOKENVALUE'
   ```

   > NOTE: The token can be whatever you like; the default is `93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506`. Because that default is published, set your own value: anyone who can reach the data-collector endpoint and knows the token can submit data to your Automate server.

2. Reconfigure the Automate server by running:

   ```bash
   sudo automate-ctl reconfigure
   ```

3. Add the following to `/etc/opscode/chef-server.rb` on all Chef Servers:

   ```ruby
   data_collector['root_url'] = 'https://AUTOMATE_SERVER_FQDN/data-collector/v0/'
   data_collector['token'] = 'SOMETOKENVALUE'
   profiles['root_url'] = 'https://AUTOMATE_SERVER_FQDN'
   ```

   > NOTE: The token must match what you set on the Automate server. `profiles['root_url']` is what lets the Chef Server proxy profile downloads from the Automate Profile Store to your nodes.

4. Reconfigure all the Chef Servers:

   ```bash
   sudo chef-server-ctl reconfigure
   ```

### Download the Necessary Profiles

This guide uses the Profile Store on the Automate server as the location from which InSpec profiles are fetched. To use these profiles, do the following:

1. Log in to the Automate UI as the `admin` user (created during setup).
2. Click on the Compliance tab.
3. Click on the Profile Store button on the left of the screen.
4. Click Available.
5. Using the arrow and the `Get` button inside the orange box, get the following profiles:
   - DevSec Linux Security Baseline
   - DevSec Windows Security Baseline

---

## Using the Audit Cookbook

The recommended method for using the `audit` cookbook is via a wrapper cookbook. If you are unfamiliar with what a wrapper cookbook is, you can read my blog post on the subject [here](http://blog.jerryaldrichiii.com/chef/2017/01/31/chef-writing-wrapper-cookbooks.html).

> TL;DR: A wrapper cookbook is a regular cookbook that includes recipes from other cookbooks. In this case we are going to include `audit::default`.

### Creating the Wrapper Cookbook

1. Generate the wrapper cookbook:

   ```bash
   chef generate cookbook mycorp_audit
   ```

2. Place the following in `mycorp_audit/metadata.rb`:

   ```ruby
   depends 'audit'
   ```

3. Add the following in `mycorp_audit/recipes/default.rb`:

   ```ruby
   include_recipe 'audit::default'
   ```

4. Generate the default attributes file (run this from inside the `mycorp_audit` directory):

   ```bash
   chef generate attribute default
   ```

5. Add the following in `mycorp_audit/attributes/default.rb`:

   ```ruby
   # Send results to the Chef Server, which forwards them to Automate
   default['audit']['reporter'] = 'chef-server-automate'

   # Define only the baseline profile that matches the node's OS, so a
   # Windows node never tries to fetch the Linux profile (and vice versa)
   case node['os']
   when 'linux'
     default['audit']['profiles']['linux-baseline'] = {
       'compliance': 'admin/linux-baseline'
     }
   when 'windows'
     default['audit']['profiles']['windows-baseline'] = {
       'compliance': 'admin/windows-baseline'
     }
   end
   ```

   > NOTE: This will run the baseline profile for Windows or Linux, depending on the OS the cookbook is run on. The `admin/` prefix refers to the profiles you fetched into the Profile Store as the `admin` user.

6. Upload the cookbook to all Chef Servers.

---

## Gathering Data

1. Add `mycorp_audit::default` to a node's `run_list`.
2. Run `chef-client`.

Once that is complete, `chef-client` will perform its converge phase and then use a [handler](https://docs.chef.io/handlers.html) to run your InSpec profiles. The `chef-server-automate` reporter sends the results to the Chef Server, which forwards them to Automate.

---

## Viewing Data

Once the above is complete you should now have Converge and Compliance data in the Automate UI.

---

## Extra Resources

- [Audit Cookbook on GitHub](https://github.com/chef-cookbooks/audit)
- [Audit Cookbook on Supermarket](https://supermarket.chef.io/cookbooks/audit)
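The data-collection steps above hinge on two things that are easy to get wrong: the token in `/etc/opscode/chef-server.rb` must match the one in `/etc/delivery.rb`, and neither should still be the published default. The following is an added check for that, not code from the original post or from Chef: a plain-Ruby script that extracts the relevant settings from both config files and reports anything inconsistent. The host name `automate.example.com`, the sample config contents, and the minimum token length are constructed for the example.

```ruby
require 'uri'

# The default token shipped with Automate 1.x; it is public, so it should never be in use.
DEFAULT_TOKEN = '93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506'.freeze
# Assumed local policy for this example, not an Automate requirement.
MIN_TOKEN_LENGTH = 32

# Return the string assigned to `key` (e.g. "data_collector['token']") in
# Ruby-style config text, or nil if it is absent or commented out.
def config_setting(config_text, key)
  pattern = /\A#{Regexp.escape(key)}\s*=\s*(['"])([^'"]*)\1\s*\z/
  config_text.each_line do |line|
    m = line.strip.match(pattern)
    return m[2] if m
  end
  nil
end

# Compare the Automate server's delivery.rb with a Chef Server's
# chef-server.rb and return a list of findings (empty when everything lines up).
def check_data_collector_config(delivery_rb, chef_server_rb)
  findings = []
  automate_token = config_setting(delivery_rb, "data_collector['token']")
  server_token   = config_setting(chef_server_rb, "data_collector['token']")

  findings << "delivery.rb: data_collector['token'] is not set" unless automate_token
  findings << "chef-server.rb: data_collector['token'] is not set" unless server_token
  if automate_token && server_token && automate_token != server_token
    findings << 'token mismatch: the data collector will reject posts from this Chef Server'
  end
  if automate_token == DEFAULT_TOKEN || server_token == DEFAULT_TOKEN
    findings << 'the published default token is in use; anyone who can reach the data collector can submit data'
  end
  if automate_token && automate_token.length < MIN_TOKEN_LENGTH
    findings << "token is shorter than #{MIN_TOKEN_LENGTH} characters"
  end

  root_url = config_setting(chef_server_rb, "data_collector['root_url']")
  if root_url.nil?
    findings << "chef-server.rb: data_collector['root_url'] is not set"
  else
    uri = URI.parse(root_url)
    findings << 'data_collector root_url must use https' unless uri.scheme == 'https'
    findings << 'data_collector root_url should end in /data-collector/v0/' unless uri.path == '/data-collector/v0/'
  end

  profiles_url = config_setting(chef_server_rb, "profiles['root_url']")
  if profiles_url.nil?
    findings << "chef-server.rb: profiles['root_url'] is not set"
  elsif URI.parse(profiles_url).scheme != 'https'
    findings << 'profiles root_url must use https'
  end
  findings
end

# Constructed sample configs for the example (not real files).
GOOD_DELIVERY_RB = <<~CONF
  # /etc/delivery.rb on the Automate server
  data_collector['token'] = '4f6c1e2d9a0b7c8e5d3f1a2b4c6d8e0f1a3b5c7d9e0f2a4b6c8d0e1f3a5b7c9d'
CONF

GOOD_CHEF_SERVER_RB = <<~CONF
  data_collector['root_url'] = 'https://automate.example.com/data-collector/v0/'
  data_collector['token'] = '4f6c1e2d9a0b7c8e5d3f1a2b4c6d8e0f1a3b5c7d9e0f2a4b6c8d0e1f3a5b7c9d'
  profiles['root_url'] = 'https://automate.example.com'
CONF

# Chef Server left on the default token, pointed at plain http.
BAD_CHEF_SERVER_RB = <<~CONF
  data_collector['root_url'] = 'http://automate.example.com/data-collector/v0/'
  data_collector['token'] = '#{DEFAULT_TOKEN}'
  profiles['root_url'] = 'https://automate.example.com'
CONF

if __FILE__ == $PROGRAM_NAME
  # Pass the two file paths as arguments to check real configs; otherwise run on the samples.
  delivery, server = ARGV.length == 2 ? ARGV.map { |p| File.read(p) } : [GOOD_DELIVERY_RB, BAD_CHEF_SERVER_RB]
  findings = check_data_collector_config(delivery, server)
  puts(findings.empty? ? 'OK: data collector configuration is consistent' : findings.map { |f| "FAIL: #{f}" })
end
```

Run it with the two files copied to a workstation (`ruby check.rb delivery.rb chef-server.rb`); an empty result means the Chef Server will authenticate to the data collector and forward to Automate over TLS.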
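The per-OS profile selection in the wrapper cookbook's attributes file is worth getting right: a profile entry that cannot be fetched, or an OS with no mapping, yields a run that reports nothing without making noise. Below is an added example, not code from the original post or from the audit cookbook: a plain-Ruby helper that builds the same `audit` attribute hash, defines only the profile for the platform being scanned, checks that each profile definition uses a single source key the audit cookbook understands (the source list is taken from the cookbook's README at the time of writing; verify it against your cookbook version), and raises on an unmapped OS. The `mycorp/ssh-hardening` profile and the `mycorp` owner are assumptions for the example.

```ruby
# Profile source keys the audit cookbook accepts (per its README; check your version).
PROFILE_SOURCES = %w[compliance supermarket url git path].freeze

# Profiles to run per node['os']. `compliance` references point at the
# Automate Profile Store, where profiles fetched by `admin` live under admin/.
BASELINES = {
  'linux'   => { 'linux-baseline'   => { 'compliance' => 'admin/linux-baseline' } },
  'windows' => { 'windows-baseline' => { 'compliance' => 'admin/windows-baseline' } }
}.freeze

# Raise ArgumentError unless `definition` names exactly one known source and
# the reference has the shape that source expects.
def validate_profile!(name, definition)
  sources = definition.keys & PROFILE_SOURCES
  unless sources.length == 1 && definition.keys.length == 1
    raise ArgumentError,
          "profile #{name}: expected exactly one of #{PROFILE_SOURCES.join(', ')}, got #{definition.keys.inspect}"
  end
  source = sources.first
  ref = definition[source]
  case source
  when 'compliance', 'supermarket'
    # Profile Store and Supermarket references are owner/name.
    unless ref =~ %r{\A[\w.-]+/[\w.-]+\z}
      raise ArgumentError, "profile #{name}: #{source} reference must be owner/name, got #{ref.inspect}"
    end
  when 'url'
    # Never pull a profile over plain http; it runs as root on the node.
    raise ArgumentError, "profile #{name}: url must be https, got #{ref.inspect}" unless ref.start_with?('https://')
  end
  true
end

# Build the `audit` attribute hash for a node whose node['os'] is `os`.
# `extra` adds company profiles that should run on every platform.
def audit_attributes(os, extra: {}, reporter: 'chef-server-automate')
  profiles = BASELINES.fetch(os) do
    raise ArgumentError, "no baseline profile mapped for os=#{os.inspect}; add one to BASELINES"
  end
  profiles = profiles.merge(extra)
  profiles.each { |name, definition| validate_profile!(name, definition) }
  { 'audit' => { 'reporter' => reporter, 'profiles' => profiles } }
end

if __FILE__ == $PROGRAM_NAME
  # Assumed custom profile in the Profile Store under the `mycorp` owner.
  extra = { 'mycorp-ssh' => { 'compliance' => 'mycorp/ssh-hardening' } }
  %w[linux windows].each do |os|
    puts "#{os}: #{audit_attributes(os, extra: extra)['audit']['profiles'].keys.join(', ')}"
  end
end
```

In the wrapper cookbook the equivalent is the `case node['os']` block shown in the attributes file; the helper's value is the fail-loud behaviour, which you can reproduce there by adding an `else` branch that raises, so an unmapped platform breaks the run rather than quietly reporting no compliance data.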