cookbook 'audit', '= 0.14.0'
audit
Allows for fetching and executing compliance profiles, and reporting their results
cookbook 'audit', '= 0.14.0', :supermarket
knife supermarket install audit
knife supermarket download audit
audit cookbook
Requirements
Chef
- Chef Client >=12.5.1
The audit cookbook allows you to run Chef Compliance profiles as part of a Chef Client run. It downloads configured profiles from Chef Compliance and reports audit runs to Chef Compliance.
Chef Compliance and InSpec
Using the inspec_version attribute, please use the following InSpec version based on your Chef Compliance version:
Chef Compliance version | InSpec version | Audit Cookbook version
---|---|---
Less than or equal to 1.1.23 | 0.20.1 | 0.7.0
Greater than 1.1.23 | Greater than or equal to 0.22.1 | 0.8.0
You can see all publicly available InSpec versions here
Overview
The audit cookbook supports three scenarios:
Chef Server Integration
The first scenario requires at least Chef Compliance 1.0 and the Chef Server extensions for Compliance. The architecture looks as follows:
┌──────────────────────┐ ┌──────────────────────┐ ┌─────────────────────┐
│ Chef Client │ │ Chef Server │ │ Chef Compliance │
│ │ │ │ │ │
│ ┌──────────────────┐ │ │ │ │ │
│ │ │◀┼────┼──────────────────────┼────│ Profiles │
│ │ audit cookbook │ │ │ │ │ │
│ │ │─┼────┼──────────────────────┼───▶│ Reports │
│ └──────────────────┘ │ │ │ │ │
│ │ │ │ │ │
└──────────────────────┘ └──────────────────────┘ └─────────────────────┘
Chef Compliance Integration
The second scenario supports a direct connection with Chef Compliance. It also supports chef-solo mode.
┌──────────────────────┐ ┌─────────────────────┐
│ Chef Client │ │ Chef Compliance │
│ │ │ │
│ ┌──────────────────┐ │ │ │
│ │ │◀┼────────────────────────────────│ Profiles │
│ │ audit cookbook │ │ │ │
│ │ │─┼───────────────────────────────▶│ Reports │
│ └──────────────────┘ │ │ │
│ │ │ │
└──────────────────────┘ └─────────────────────┘
Chef Visibility Integration
The third scenario supports direct reporting to Chef Visibility. It also supports chef-solo mode.
┌──────────────────────┐ ┌─────────────────────┐
│ Chef Client │ ┌───────────────────────┐ │ Chef Visibility │
│ │ ┌──│ Profiles(Supermarket, │ │ │
│ ┌──────────────────┐ │ │ │ Github, local, etc) │ │ │
│ │ │◀┼──┘ └───────────────────────┘ │ │
│ │ audit cookbook │ │ │ │
│ │ │─┼───────────────────────────────▶│ Reports │
│ └──────────────────┘ │ │ │
│ │ │ │
└──────────────────────┘ └─────────────────────┘
Usage
The audit cookbook needs to be configured for each node where the chef-client runs. The audit cookbook can be reused for all nodes; all node-specific configuration is done via Chef attributes.
Upload cookbook to Chef Server
The audit cookbook is available at Chef Supermarket. This allows you to reuse your existing workflow for managing cookbooks in your run-list.
If you want to upload the cookbook from git, use the following commands:
mkdir chef-cookbooks
cd chef-cookbooks
git clone https://github.com/chef-cookbooks/audit
cd ..
knife cookbook upload audit -o ./chef-cookbooks
Please ensure that chef-cookbooks is the parent directory of the audit cookbook.
Configure node
Once the cookbook is available in Chef Server, you need to add the audit::default recipe to the run-list of each node. The profiles are selected via the node['audit']['profiles'] attribute. For example, you can define the attribute in a JSON-based role or environment file like this:
audit = {
  "profiles" => {
    # org / profile name from Chef Compliance
    'base/linux' => true,
    # supermarket url
    'brewinc/ssh-hardening' => {
      # location where inspec will fetch the profile from
      'source' => 'supermarket://hardening/ssh-hardening',
      'key' => 'value',
    },
    # local Windows path
    'brewinc/win2012_audit' => {
      # filesystem path
      'source' => 'E:/profiles/win2012_audit',
    },
    # github url
    'brewinc/tmp_compliance_profile' => {
      'source' => 'https://github.com/nathenharvey/tmp_compliance_profile',
    },
    # disable profile
    'brewinc/tmp_compliance_profile-master' => {
      'source' => '/tmp/tmp_compliance_profile-master',
      'disabled' => true,
    },
  },
}
You can also configure it in a Policyfile like this:
default['audit'] = {
  profiles: {
    'base/linux' => true,
    'base/ssh' => true
  }
}
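As an added illustration (not code from the audit cookbook itself), the following Ruby helper walks a node['audit']['profiles'] hash of the shape shown above: a bare true means "fetch this org/profile from Chef Compliance", a hash with 'source' means "fetch from that location", and 'disabled' => true skips the entry. The 'org/profile' naming check and the returned field names are assumptions made for this example, based on the keys used on this page.

```ruby
# Added example: normalise the node['audit']['profiles'] attribute into the
# list of profiles a run would actually execute. Not part of the audit
# cookbook; the 'org/profile' naming rule is assumed from the README examples.
PROFILE_NAME = %r{\A[^/\s]+/[^/\s]+\z}.freeze

# Returns an array of { name:, source:, fetch: } hashes, skipping profiles
# marked 'disabled' => true. fetch is :compliance for a bare `true` (profile
# lives on the Chef Compliance server) or :source when a 'source' is given.
def normalize_profiles(profiles)
  raise ArgumentError, 'profiles must be a Hash' unless profiles.is_a?(Hash)

  profiles.each_with_object([]) do |(name, opts), list|
    unless name.to_s =~ PROFILE_NAME
      raise ArgumentError, "profile name #{name.inspect} must be 'org/profile'"
    end

    case opts
    when true
      list << { name: name, source: nil, fetch: :compliance }
    when Hash
      next if opts['disabled'] == true # disabled profiles are never run
      source = opts['source']
      raise ArgumentError, "profile #{name} needs a 'source'" if source.to_s.empty?
      list << { name: name, source: source, fetch: :source }
    else
      raise ArgumentError, "unsupported value for profile #{name}: #{opts.inspect}"
    end
  end
end

# Constructed sample input mirroring the README's attribute example.
SAMPLE_PROFILES = {
  'base/linux' => true,
  'brewinc/ssh-hardening' => { 'source' => 'supermarket://hardening/ssh-hardening' },
  'brewinc/win2012_audit' => { 'source' => 'E:/profiles/win2012_audit' },
  'brewinc/tmp_compliance_profile-master' => {
    'source' => '/tmp/tmp_compliance_profile-master', 'disabled' => true,
  },
}.freeze

if $PROGRAM_NAME == __FILE__
  normalize_profiles(SAMPLE_PROFILES).each do |p|
    puts "#{p[:name]} -> #{p[:fetch]} #{p[:source]}"
  end
end
```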
Direct reporting to Chef Compliance
If you want the audit cookbook to directly report to Chef Compliance, set the collector, server and token attributes.
- collector - 'chef-compliance' to report to Chef Compliance
- server - URL of the Chef Compliance server, ending with /api
- token - access token for the Chef Compliance API (https://github.com/chef/inspec/issues/690)
audit: {
  collector: 'chef-compliance',
  server: 'https://compliance-fqdn/api/',
  token: 'eyJ........................YQ',
  profiles: {
    'base/windows' => true,
  },
}
It is also possible to use a refresh_token instead of an access token:
audit: {
  collector: 'chef-compliance',
  server: 'https://compliance-fqdn/api/',
  refresh_token: '5/4T...g==',
  profiles: {
    'base/windows' => true,
  },
}
Direct reporting to Chef Visibility
If you want the audit cookbook to directly report to Chef Visibility, set the collector attribute to 'chef-visibility'.
This method sends the report to data_collector.server_url, defined in client.rb. It requires InSpec version 0.27.1 or greater.
audit: {
  collector: 'chef-visibility',
  profiles: {
    'brewinc/tmp_compliance_profile' => {
      'source' => 'https://github.com/nathenharvey/tmp_compliance_profile'
    }
  }
}
Relationship with Chef Audit Mode
The following table compares the Chef Client audit mode with this audit cookbook.
Feature | audit mode | audit cookbook
---|---|---
Works with Chef Compliance | No | Yes
Execution Engine | Serverspec | InSpec
Execute InSpec Compliance Profiles | No | Yes
Execute tests embedded in Chef recipes | Yes | No
Eventually the audit cookbook will replace audit mode. The only drawback is that you will not be able to execute tests in Chef recipes, but since you will be running these tests in production, you will want to have a straightforward, consistent process by which you include these tests throughout your development lifecycle. Within Chef Compliance, this is a profile.
Migrating from audit mode to audit cookbook:
We will improve the migration to ease the process and to reuse existing audit mode tests as much as possible. At this point in time, an existing audit-mode test like:
control_group 'Check SSH Port' do
  control 'SSH' do
    it 'should be listening on port 22' do
      expect(port(22)).to be_listening
    end
  end
end
can be re-written in InSpec as follows:
# rename `control_group` to `control` and use a unique identifier
control "blog-1" do
  title 'Check SSH Port' # add the title from `control_group`
  # rename the old `control` to `describe`
  describe 'SSH' do
    it 'should be listening on port 22' do
      expect(port(22)).to be_listening
    end
  end
end
or even simplified to:
control "blog-1" do
  title 'SSH should be listening on port 22'
  describe port(22) do
    it { should be_listening }
  end
end
Interval Settings
If you have long running audit profiles that you don't wish to execute on every chef-client run,
you can enable an interval:
default['audit']['interval']['enabled'] = true
default['audit']['interval']['time'] = 1440 # once a day, the default value
The time attribute is in minutes.
You can enable the interval and set the interval time, along with your desired profiles,
in an environment or role like this:
"audit": {
  "profiles": {
    "base/ssh": true,
    "base/linux": true
  },
  "interval": {
    "enabled": true,
    "time": 1440
  }
}
Please let us know if you have any issues, we are happy to help.
License
Author: Stephan Renatus (srenatus@chef.io)
Author: Christoph Hartmann (chartmann@chef.io)
Copyright: Copyright (c) 2015 Chef Software Inc.
License: Apache License, Version 2.0
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Dependent cookbooks
This cookbook has no specified dependencies.
Change Log
0.14.0 (2016-08-12)
Merged pull requests:
- removing requirement for setting chef server url #73 (jeremymv2)
- Add collector attribute and visibility reporting #72 (chris-rock)
v0.13.1 (2016-06-27)
Merged pull requests:
- 0.13.1 #69 (chris-rock)
- Standardized node access to classic way #68 (mhedgpeth)
v0.13.0 (2016-06-22)
Closed issues:
- audit cookbook should not report a converge #23
Merged pull requests:
- Merged interval functionality into default.rb recipe, updated documentation, gave quiet default #64 (mhedgpeth)
v0.12.0 (2016-06-09)
Merged pull requests:
v0.11.0 (2016-06-09)
Merged pull requests:
- Release 0.11.0 #60 (smurawski)
- http_rescue not required with tempfile #59 (Anirudh-Gupta)
v0.10.0 (2016-06-01)
Merged pull requests:
- handle auth error #58 (chris-rock)
v0.9.1 (2016-05-26)
Closed issues:
- Reports are not displayed in Chef Compliance #52
- Cookbook issue with Windows path #48
- Report to Chef Compliance directly #45
Merged pull requests:
- test-kitchen example for Chef Compliance direct reporting #57 (chris-rock)
- changed access token handling #56 (cjohannsen81)
- add changelog #55 (chris-rock)
v0.9.0 (2016-05-25)
Closed issues:
- Provide support for additional profile hosting sources #49
- Scan reports showing up as "Skipped" in the Compliance server UI #46
Merged pull requests:
- Optimize the direct reporting to Chef Compliance #54 (chris-rock)
- changed FileUtils, tar_path and profile_path behavior #51 (cjohannsen81)
- Support other sources #50 (jeremymv2)
- quiet mode for inspec scans #47 (jeremymv2)
v0.8.0 (2016-05-18)
Closed issues:
- Compliance results no longer reports back to Chef Compliance with latest version of inspec #41
Merged pull requests:
- Inspec 0.22.1 for Chef Compliance 1.2.3 #44 (chris-rock)
- Update readme and bump patch version #43 (alexpop)
v0.7.0 (2016-05-13)
Closed issues:
- Undefined method 'path' for nil:NilClass #39
- Support chef-client < 12.5.1 #30
- standalone Compliance report #12
- we should use the latest inspec version by default #8
Merged pull requests:
- pin inspec to 0.20.1 #42 (chris-rock)
v0.6.0 (2016-05-03)
Merged pull requests:
- fix: use_ssl value has changed error #37 (jeremymv2)
- Add profile name validation and unit tests #36 (alexpop)
- Adding an interval check, if you don't want to run every time #17 (spuranam)
v0.5.1 (2016-04-27)
Merged pull requests:
v0.5.0 (2016-04-25)
Closed issues:
- add option to fail chef run, if the audit failed #3
Merged pull requests:
- Make inspec_version a cookbook attribute and default it to latest #33 (alexpop)
- update bundler #32 (chris-rock)
- update README.md with client version requirement #29 (jeremymv2)
v0.4.4 (2016-04-22)
Merged pull requests:
- update inspec gem version pin #31 (jeremymv2)
- work with token and direct compliance server API #20 (srenatus)
v0.4.3 (2016-04-20)
Merged pull requests:
- chef-compliance profiles changes require a new ver of inspec #28 (alexpop)
- Add our github templates #27 (tas50)
- failing converge if any audits failed #25 (jeremymv2)
- Misc updates #24 (tas50)
- adding ability to handle offline compliance server #22 (jeremymv2)
v0.3.3 (2016-04-05)
Merged pull requests:
v0.3.2 (2016-04-04)
Merged pull requests:
v0.3.1 (2016-04-01)
Closed issues:
- Do not crash default recipe, if node['audit'] is not defined #4
- add default recipe that reads profiles from attributes #1
Merged pull requests:
- Update readme and update version to test stove cookbook update #16 (alexpop)
- Update github links and change to version 0.3.0 #15 (alexpop)
- prepare test-kitchen tests #10 (chris-rock)
- offer native inspec-style syntax as an alternative #9 (arlimus)
- lint files and activate travis testing #7 (chris-rock)
- Update readme and add license information #6 (chris-rock)
- add default attributes file #5 (srenatus)
- audit::default: read profiles from attributes, push report to chefserver #2 (srenatus)
* This Change Log was automatically generated by github_changelog_generator
Collaborator Number Metric
0.14.0 passed this metric
Foodcritic Metric
0.14.0 passed this metric