jerry
/
blog.jerryaldrichiii.com
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Content for blog.jerryaldrichiii.com
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
701 KiB
 
 
 
 
Tag: Branch: Tree: 45fcd9a336
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '45fcd9a336'
${ noResults }
blog.jerryaldrichiii.com/old_chef_blog/jerryaldrichiii.github.io/_posts/2017-03-20-chef-using-the-a...

110 lines
5.6 KiB
Raw Blame History

---
layout: post
title: DEPRECATED - Using the Audit Cookbook
category: deprecated
tags: [chef, cookbooks, compliance, inspec]
summary: THIS IS DEPRECATED
---
## NOTE: THIS POST IS DEPRECATED.
Updated version can be found here:
[http://blog.jerryaldrichiii.com/chef_automate/2017/08/04/compliance-using-the-audit-cookbook.html](http://blog.jerryaldrichiii.com/chef_automate/2017/08/04/compliance-using-the-audit-cookbook.html)
## The Audit Cookbook
Tired of running scans from your [Chef Compliance](https://docs.chef.io/compliance.html) server? Want to run InSpec/Compliance scans in a distributed manner like the Chef Client and have the output forwarded to Chef Automate and/or Chef Compliance? Then the `audit` cookbook is just the tool you need.
The `audit` cookbook can be found on both [Chef Supermarket](https://supermarket.chef.io/cookbooks/audit) and [GitHub](https://github.com/chef-cookbooks/audit).
---
## Using the Audit Cookbook
The `audit` cookbook functions can be broken down into a few simple decisions:
- What collector(s) will I use?
- What profiles will I use for my scans?
- How will I configure my Chef managed node to do all the things?
> NOTE: For a more detailed breakdown of how you can use the `audit` cookbook see the [README.md](https://github.com/chef-cookbooks/audit) on GitHub.
---
## Collectors
The first decision to make is where will your InSpec profiles will be loaded from and where the scan results will be sent. This is decided by the `collector` variable.
Below is a table that should help you decide which to use; these can be combined or used individually:
| Collector | Profile Location | Data Endpoint |
| ---------------------- | ---------------------------- | --------------------------- |
| chef-compliance | Compliance | Compliance |
| chef-visibility | Automate/GitHub/Supermarket | Automate |
| chef-server-compliance | Compliance (via Chef Server) | Compliance (via Chef Server |
| chef-server-visibility | Automate (via Chef Server) | Automate (via Chef Server) |
In order to use the `chef-server-*` collectors you must pair your Automate/Compliance servers with Chef Server. Info on integrating with Compliance with Chef Server can be found [here](https://docs.chef.io/integrate_compliance_chef_server.html) and info on integrating with Automate can be found [here](https://docs.chef.io/integrate_compliance_chef_automate.html).
---
## Combining Collectors/Using a Fetcher
The approach I use most often in the field is to use both the `chef-server-compliance` and the `chef-server-visibility` collectors. I also define a `fetcher` with the value of `chef-server`. This will send data to both Chef Compliance and Automate Visibility but use Chef Compliance as the profile store.
> NOTE: Don't worry if this use case is confusing. This blog post uses this method below for it's example scenario.
---
## Profiles
Deciding which InSpec profiles to use to scan your nodes is a decision that is likely an individual business decision and outside the scope of this blog post. However, the Chef Compliance server comes with many profiles bundled with it and it is recommended that you start there. For this example we will use the `cis/cis-centos7-level1` profile.
---
## Configuring a Node
After deciding on a collector (or collectors) and a set of profiles to use, there are a few options for defining how a Chef managed node will use the Audit cookbook. For the scope of this blog post, we will cover the option I most frequently use in the field, the wrapper cookbook method.
### Creating a Wrapper Cookbook
If you are unfamiliar with what a wrapper cookbook is, you can read my blog post on the subject [here](http://localhost:4000/chef/2017/01/31/chef-writing-wrapper-cookbooks.html).
> TL;DR: A wrapper cookbook is a regular cookbook that includes recipes from other cookbooks. In this case we are going to include `audit::default`.
For this example, let's assume we have created a wrapper cookbook by executing `chef generate cookbook mycorp_audit`. Before we include the `audit` cookbook in our wrapper cookbook, we must first set some attributes within the `mycorp_audit/attributes/default.rb` file.
Here is a sample of an attribute file that I use frequently:
```ruby
default['audit']['collector'] = ['chef-server-compliance', 'chef-server-visibility']
default['audit']['fetcher'] = 'chef-server'
default['audit']['profiles'] = [
{
'name': 'cis-centos7-level1',
'compliance': 'cis/cis-centos7-level1'
}
]
```
This configures the Audit cookbook to do the following:
- Send data to both the Chef Compliance server and Chef Automate
- Fetch profiles from the Chef Compliance server
- Run the `cis/cis-centos7-level1` InSpec profile on each Chef Client run
---
## Putting it All Together
After doing the above, all that is left is the following:
- Put `depends 'audit'` in your `mycorp_audit/metadata.rb`
- Put `include_recipe 'audit::default'` in your `mycorp_audit/recipes/default.rb`
- Upload your cookbook to your Chef Server with `berks upload`
- Add `mycorp_audit::default` to a node's run_list.
Once that is complete, Chef Client will finish it's converge phase and then use a [handler](https://docs.chef.io/handlers.html) to run your Audit/InSpec scan.
---
## Extra Resources
- [Audit Cookbook on GitHub](https://github.com/chef-cookbooks/audit)
- [Audit Cookbook on Supermarket](https://supermarket.chef.io/cookbooks/audit)
- [Relevent reveal.js Presentation](https://github.com/jerryaldrichiii/revealjs-chef-compliance-class-supplement)