---
layout: post
title: DEPRECATED - Using the Audit Cookbook
category: deprecated
tags: [chef cookbooks compliance inspec]
summary: THIS IS DEPRECATED
---

NOTE: THIS POST IS DEPRECATED.

Updated version can be found here:

http://blog.jerryaldrichiii.com/chef_automate/2017/08/04/compliance-using-the-audit-cookbook.html

The Audit Cookbook

Tired of running scans from your Chef Compliance server? Want to run InSpec/Compliance scans in a distributed manner like the Chef Client and have the output forwarded to Chef Automate and/or Chef Compliance? Then the audit cookbook is just the tool you need.

The audit cookbook can be found on both Chef Supermarket and GitHub.


Using the Audit Cookbook

The audit cookbook functions can be broken down into a few simple decisions:

  • What collector(s) will I use?
  • What profiles will I use for my scans?
  • How will I configure my Chef managed node to do all the things?

NOTE: For a more detailed breakdown of how you can use the audit cookbook see the README.md on GitHub.


Collectors

The first decision to make is where your InSpec profiles will be loaded from and where the scan results will be sent. This is decided by the collector attribute.

Below is a table that should help you decide which to use; these can be combined or used individually:

| Collector              | Profile Location               | Data Endpoint                  |
|------------------------|--------------------------------|--------------------------------|
| chef-compliance        | Compliance                     | Compliance                     |
| chef-visibility        | Automate/GitHub/Supermarket    | Automate                       |
| chef-server-compliance | Compliance (via Chef Server)   | Compliance (via Chef Server)   |
| chef-server-visibility | Automate (via Chef Server)     | Automate (via Chef Server)     |

In order to use the chef-server-* collectors you must pair your Automate/Compliance servers with Chef Server. Info on integrating Compliance with Chef Server can be found here, and info on integrating Automate with Chef Server can be found here.


Combining Collectors/Using a Fetcher

The approach I use most often in the field is to use both the chef-server-compliance and the chef-server-visibility collectors. I also define a fetcher with the value of chef-server. This will send data to both Chef Compliance and Automate Visibility but use Chef Compliance as the profile store.

NOTE: Don't worry if this use case is confusing. This blog post uses this method below for its example scenario.


Profiles

Which InSpec profiles you use to scan your nodes is largely a business decision and is outside the scope of this blog post. However, the Chef Compliance server comes bundled with many profiles, and it is recommended that you start there. For this example we will use the cis/cis-centos7-level1 profile.


Configuring a Node

After deciding on a collector (or collectors) and a set of profiles to use, there are a few options for defining how a Chef managed node will use the Audit cookbook. For the scope of this blog post, we will cover the option I most frequently use in the field, the wrapper cookbook method.

Creating a Wrapper Cookbook

If you are unfamiliar with what a wrapper cookbook is, you can read my blog post on the subject here.

TL;DR: A wrapper cookbook is a regular cookbook that includes recipes from other cookbooks. In this case we are going to include audit::default.

For this example, let's assume we have created a wrapper cookbook by executing chef generate cookbook mycorp_audit. Before we include the audit cookbook in our wrapper cookbook, we must first set some attributes within the mycorp_audit/attributes/default.rb file.

Here is a sample of an attribute file that I use frequently:

# Send results to both Compliance and Automate, routed through Chef Server
default['audit']['collector'] = ['chef-server-compliance', 'chef-server-visibility']
# Pull profiles from the Compliance server, also via Chef Server
default['audit']['fetcher'] = 'chef-server'
# Profiles to run; 'compliance' is the 'owner/profile' path on the Compliance server
default['audit']['profiles'] = [
  {
    'name': 'cis-centos7-level1',
    'compliance': 'cis/cis-centos7-level1'
  }
]

This configures the Audit cookbook to do the following:

  • Send data to both the Chef Compliance server and Chef Automate
  • Fetch profiles from the Chef Compliance server
  • Run the cis/cis-centos7-level1 InSpec profile on each Chef Client run

Putting it All Together

After doing the above, all that is left is the following:

  • Put depends 'audit' in your mycorp_audit/metadata.rb
  • Put include_recipe 'audit::default' in your mycorp_audit/recipes/default.rb
  • Upload your cookbook to your Chef Server with berks upload
  • Add mycorp_audit::default to a node's run_list.

Once that is complete, Chef Client will finish its converge phase and then use a handler to run your Audit/InSpec scan.
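A mistake in the attribute file (a misspelled collector, a profile path missing its owner prefix) only surfaces on the next chef-client run, after the cookbook has been uploaded. The following is an added example, not code from this post or from the audit cookbook: a stand-alone Ruby checker that evaluates a wrapper cookbook's attributes/default.rb without chef-client and validates the ['audit'] settings against the collector table above and the collector/fetcher combination used in this post. Every function and constant name in it (new_attribute_tree, KNOWN_COLLECTORS, audit_problems, and so on) is my own, and the rule that chef-server-* collectors should be paired with the chef-server fetcher is an assumption taken from the example configuration, not a documented requirement of the cookbook.

```ruby
# Added example: offline sanity check for a wrapper cookbook's audit attributes.
# Not part of the original post or the audit cookbook; all names are my own.

# Minimal stand-in for Chef's attribute tree: a nested, auto-vivifying Hash,
# so `default['audit']['collector'] = ...` works without chef-client loaded.
def new_attribute_tree
  Hash.new { |hash, key| hash[key] = new_attribute_tree }
end

# Collector names from the table in this post and the endpoint each reports to.
KNOWN_COLLECTORS = {
  'chef-compliance'        => 'Compliance',
  'chef-visibility'        => 'Automate',
  'chef-server-compliance' => 'Compliance (via Chef Server)',
  'chef-server-visibility' => 'Automate (via Chef Server)'
}.freeze

# Evaluate the attribute file's Ruby with `default` bound to our tree and
# return the ['audit'] subtree. Nothing is sent anywhere; this only parses.
def load_audit_attributes(source)
  default = new_attribute_tree
  eval(source, binding) # the cookbook's own attributes file, so eval is acceptable here
  default.fetch('audit', {})
end

# Hash literals written as 'name': value give symbol keys in Ruby, while
# 'name' => value gives string keys; the cookbook's README uses the former.
def profile_field(profile, field)
  profile.fetch(field.to_s) { profile.fetch(field.to_sym, nil) }
end

# Return a list of human-readable problems; an empty list means the
# configuration is consistent with the collector/fetcher rules above.
def audit_problems(audit)
  problems = []

  collectors = Array(audit.fetch('collector', nil))
  problems << 'no collector configured' if collectors.empty?
  collectors.each do |collector|
    next if KNOWN_COLLECTORS.key?(collector)
    problems << "unknown collector #{collector.inspect}"
  end

  # Assumption mirroring the setup used in this post: chef-server-* collectors
  # route through Chef Server, so the profile fetcher should be 'chef-server'.
  fetcher = audit.fetch('fetcher', nil)
  via_chef_server = collectors.any? { |c| c.is_a?(String) && c.start_with?('chef-server-') }
  if via_chef_server && fetcher != 'chef-server'
    problems << "chef-server-* collector in use but fetcher is #{fetcher.inspect}"
  end

  profiles = Array(audit.fetch('profiles', nil))
  problems << 'no profiles configured' if profiles.empty?
  profiles.each_with_index do |profile, i|
    unless profile.is_a?(Hash)
      problems << "profile ##{i} is not a Hash"
      next
    end
    name = profile_field(profile, :name)
    path = profile_field(profile, :compliance)
    problems << "profile ##{i} has no name" if name.nil? || name.to_s.empty?
    # Compliance profiles are addressed as 'owner/profile', e.g. cis/cis-centos7-level1.
    unless path.is_a?(String) && path.match?(%r{\A[^/\s]+/[^/\s]+\z})
      problems << "profile #{name.inspect} has no 'owner/profile' compliance path"
    end
  end

  problems
end

def check_attribute_source(source)
  audit_problems(load_audit_attributes(source))
end

# Constructed sample: the attribute file shown in this post, as a string.
SAMPLE_ATTRIBUTES = <<~'RUBY'
  default['audit']['collector'] = ['chef-server-compliance', 'chef-server-visibility']
  default['audit']['fetcher'] = 'chef-server'
  default['audit']['profiles'] = [
    {
      'name': 'cis-centos7-level1',
      'compliance': 'cis/cis-centos7-level1'
    }
  ]
RUBY

# Constructed sample with two mistakes: a misspelled collector and a profile
# path given without its 'owner/' prefix.
BROKEN_ATTRIBUTES = <<~'RUBY'
  default['audit']['collector'] = ['chef-server-compliance', 'chef-visiblity']
  default['audit']['fetcher'] = 'chef-server'
  default['audit']['profiles'] = [{ 'name' => 'cis', 'compliance' => 'cis-centos7-level1' }]
RUBY

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_ATTRIBUTES, BROKEN_ATTRIBUTES].each do |src|
    problems = check_attribute_source(src)
    puts(problems.empty? ? 'OK' : problems.join("\n"))
  end
end
```

To run it against a real wrapper cookbook, pass the file contents in: check_attribute_source(File.read('mycorp_audit/attributes/default.rb')). Because the checker uses Hash#fetch rather than indexing, an unset attribute shows up as nil instead of an empty auto-created subtree, which is what lets it distinguish "fetcher not set" from "fetcher set to the wrong value".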


Extra Resources