---
layout: post
title: Compliance - Using the Audit Cookbook
category: chef_automate_1
tags: [chef, cookbooks, compliance, inspec]
summary: Ever wondered how to get Compliance data from chef-client runs?
---
## The Audit Cookbook
Want to gather compliance data via `chef-client` and have the output forwarded to Chef Automate? Then the `audit` cookbook ([Supermarket](https://supermarket.chef.io/cookbooks/audit)/[GitHub](https://github.com/chef-cookbooks/audit)) is just the tool you need.
The `audit` cookbook supports a myriad of configurations. This blog post intends to provide the most commonly used method and is best suited for customers who are using Chef Automate.
The only decision that you need to make is what InSpec profiles you will run.
---
## Deciding Which Profiles to Run
Deciding which InSpec profiles to use to scan your nodes is an individual business decision and outside the scope of this blog post. However, the Chef Automate server comes with many profiles bundled with it and it is recommended that you start there.
More information can be found [here](https://docs.chef.io/profile_store.html).
---
## Configuring Data Collection/Profile Storage
This guide uses the Chef Server as a proxy between the `chef-client` nodes and Automate: nodes submit their compliance reports with the Chef Server credentials they already have, and only the Chef Server and Automate ever hold the data collector token. To enable this, do the following.
### Configure Data Collection
1. Add the following to `/etc/delivery.rb` on the Automate server:
```ruby
data_collector['token'] = 'SOMETOKENVALUE'
```
> NOTE: The token can be any string, but use a long, randomly generated one. The default, `93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506`, is published in the Chef documentation, so anyone who can reach the `/data-collector/` endpoint can submit data with it.
2. Reconfigure the Automate server by running:
```shell
sudo automate-ctl reconfigure
```
3. Add the following to `/etc/opscode/chef-server.rb` on all Chef Servers:
```ruby
data_collector['root_url'] = 'https://AUTOMATE_SERVER_FQDN/data-collector/v0/'
data_collector['token'] = 'SOMETOKENVALUE'
profiles['root_url'] = 'https://AUTOMATE_SERVER_FQDN'
```
> NOTE: The token must match what you set on the Automate server
4. Reconfigure all the Chef Servers:
```shell
sudo chef-server-ctl reconfigure
```
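Because the default token is public, it is worth scripting a check that neither `/etc/delivery.rb` nor `/etc/opscode/chef-server.rb` still carries it before you reconfigure. The script below is an added example, not code from this post or from Chef; the file paths it is pointed at and the 32-character minimum are its own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the audit cookbook): inspect the
# data_collector['token'] setting in a Chef Automate / Chef Server config file,
# refuse the published default, and offer a fresh random replacement.
# Assumptions: the setting is on one line, single- or double-quoted, and a
# token shorter than 32 characters is treated as too weak.

# Default token from the Chef Automate docs; assume every attacker knows it.
DEFAULT_TOKEN='93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506'

# Print the first data_collector['token'] value in the file, or nothing if absent.
extract_token() {
  sed -n "s/^[[:space:]]*data_collector\['token'\][[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Exit status: 0 = acceptable, 1 = published default in use, 2 = missing or too short.
check_token() {
  tok=$(extract_token "$1")
  if [ -z "$tok" ]; then
    return 2
  elif [ "$tok" = "$DEFAULT_TOKEN" ]; then
    return 1
  elif [ "${#tok}" -lt 32 ]; then
    return 2
  fi
  return 0
}

# 64 hex characters (256 bits) from the kernel CSPRNG, same shape as the default.
new_token() {
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Usage: sh check_token.sh /etc/delivery.rb /etc/opscode/chef-server.rb
for cfg in "$@"; do
  rc=0
  check_token "$cfg" || rc=$?
  case $rc in
    0) echo "$cfg: token OK" ;;
    1) echo "$cfg: published default token in use; replace it, e.g. $(new_token)" ;;
    *) echo "$cfg: token missing or shorter than 32 characters" ;;
  esac
done
```

Run it on every Chef Server as well as the Automate server: the tokens must match, so a default left on either side means the whole pipeline accepts the public value. The placeholder `SOMETOKENVALUE` used in the snippets above is flagged as too short, which is the intent.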
### Download the Necessary Profiles
This guide uses the Profile Store on the Automate server as the location where InSpec Profiles are fetched from. In order to use these profiles do the following:
1. Login to the Automate UI as the `admin` user (created during setup).
2. Click on the Compliance tab.
3. Click on the Profile Store button on the left of the screen.
4. Click Available.
5. Using the arrow and the `Get` button inside the orange box, get the following profiles:
- DevSec Linux Security Baseline
- DevSec Windows Security Baseline
---
## Using the Audit Cookbook
The recommended method for using the `audit` cookbook is via a wrapper cookbook. If you are unfamiliar with what a wrapper cookbook is, you can read my blog post on the subject [here](http://blog.jerryaldrichiii.com/chef/2017/01/31/chef-writing-wrapper-cookbooks.html).
> TL;DR: A wrapper cookbook is a regular cookbook that includes recipes from other cookbooks. In this case we are going to include `audit::default`.
### Creating the Wrapper Cookbook
1. Generate the wrapper cookbook:
```shell
chef generate cookbook mycorp_audit
```
2. Place the following in `mycorp_audit/metadata.rb`:
```ruby
depends 'audit'
```
3. Add the following in `mycorp_audit/recipes/default.rb`:
```ruby
include_recipe 'audit::default'
```
4. Generate the default attributes file (run this from inside `mycorp_audit/`):
```shell
chef generate attribute default
```
5. Add the following in `mycorp_audit/attributes/default.rb`:
```ruby
# Report through the Chef Server, which forwards the results to Automate.
default['audit']['reporter'] = 'chef-server-automate'

# Define exactly one profile per node, chosen by platform, so a Windows node
# never tries to fetch and run the Linux baseline (or vice versa).
case node['os']
when 'linux'
  default['audit']['profiles']['linux-baseline'] = {
    'compliance' => 'admin/linux-baseline'
  }
when 'windows'
  default['audit']['profiles']['windows-baseline'] = {
    'compliance' => 'admin/windows-baseline'
  }
end
```
> NOTE: This runs the Linux or Windows baseline depending on the OS the cookbook is run on. The `admin/` prefix is the Automate user who fetched the profile into the Profile Store above. Newer releases of the `audit` cookbook also have a separate `fetcher` attribute (`'chef-server'` fetches profiles through the Chef Server); check the README for the version you pin.
6. Upload the cookbook to all Chef Servers.
---
## Gathering Data
1. Add `mycorp_audit::default` to a node's `run_list`
2. Run `chef-client`
Once that is complete, `chef-client` will have performed its converge phase and then used a [handler](https://docs.chef.io/handlers.html) at the end of the run to execute your InSpec profiles and report the results.
---
## Viewing Data
Once the above is complete you should now have Converge and Compliance data in the Automate UI.
---
## Extra Resources
- [Audit Cookbook on GitHub](https://github.com/chef-cookbooks/audit)
- [Audit Cookbook on Supermarket](https://supermarket.chef.io/cookbooks/audit)