cookbook 'audit', '= 0.6.0'
audit
Allows for fetching and executing compliance profiles, and reporting their results
cookbook 'audit', '= 0.6.0', :supermarket
knife supermarket install audit
knife supermarket download audit
audit cookbook
Requirements
Chef
- Chef Client >=12.5.1
The audit cookbook allows you to run Chef Compliance profiles as part of a Chef Client run. It downloads configured profiles from Chef Compliance and reports audit runs to Chef Compliance.
Overview
The audit cookbook requires at least Chef Compliance 1.0 and the Chef Server extensions for Compliance. The architecture looks as follows:
┌──────────────────────┐ ┌──────────────────────┐ ┌──────────────────────┐
│ Chef Client │ │ Chef Server │ │ Chef Compliance │
│ │ │ │ │ │
│ ┌──────────────────┐ │ │ │ │ │
│ │ │◀┼────┼──────────────────────┼────│ Profiles │
│ │ audit cookbook │ │ │ │ │ │
│ │ │─┼────┼──────────────────────┼───▶│ Reports │
│ └──────────────────┘ │ │ │ │ │
│ │ │ │ │ │
└──────────────────────┘ └──────────────────────┘ └──────────────────────┘
Usage
The audit cookbook needs to be configured for each node where the chef-client runs. The audit cookbook can be reused for all nodes; all node-specific configuration is done via Chef attributes.
Upload cookbook to Chef Server
The audit cookbook is available at Chef Supermarket. This allows you to reuse the existing workflow.
If you want to upload the cookbook from git, use the following commands:
mkdir chef-cookbooks
cd chef-cookbooks
git clone https://github.com/chef-cookbooks/audit
cd ..
knife cookbook upload audit -o ./chef-cookbooks
Please ensure that chef-cookbooks is the parent directory of the audit cookbook.
Configure node
Once the cookbook is available in Chef Server, you need to add the audit::default recipe to the run-list of each node. The profiles are selected via the node['audit']['profiles'] attribute. For example, to run the base/ssh and base/linux profiles, you can define the attribute in a JSON-based role or environment file like this:
"audit": {
  "profiles": {
    "base/ssh": true,
    "base/linux": true
  }
}
How does it relate to Chef Audit Mode
The following table compares the Chef Client audit mode with this audit cookbook.
| | audit mode | audit cookbook |
|---|---|---|
| Works with Chef Compliance | No | Yes |
| Execution Engine | Serverspec | InSpec |
| Execute InSpec Compliance Profiles | No | Yes |
| Execute tests embedded in Chef recipes | Yes | No |
How to migrate from audit mode to audit cookbook:
We will improve the migration path to ease the process and to reuse existing audit mode tests as much as possible. At this point in time, an existing audit-mode test like:
control_group 'Check SSH Port' do
  control 'SSH' do
    it 'should be listening on port 22' do
      expect(port(22)).to be_listening
    end
  end
end
can be re-written in InSpec as follows:
# rename `control_group` to `control` and use a unique identifier
control "blog-1" do
  title 'Check SSH Port' # add the title from `control_group`
  # rename the old `control` to `describe`
  describe 'SSH' do
    it 'should be listening on port 22' do
      expect(port(22)).to be_listening
    end
  end
end
or even simplified to:
control "blog-1" do
  title 'SSH should be listening on port 22'
  describe port(22) do
    it { should be_listening }
  end
end
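The first rewrite above is mechanical, so it can be scripted when many audit-mode tests need migrating. The following is an added example, not code from the audit cookbook: the function name, the `id_prefix` naming scheme and the sample input are assumptions made for illustration, and the simplified `describe port(22)` form still has to be written by hand.

```ruby
# Added example (not part of the audit cookbook): line-based rewrite of
# audit-mode tests into InSpec controls, following the README's two renames.
GROUP_RE   = /\A(\s*)control_group\s+(['"])(.*?)\2\s+do\s*\z/
CONTROL_RE = /\A(\s*)control\s+(.+?)\s+do\s*\z/

# Returns InSpec source as a string. `id_prefix` is a hypothetical scheme for
# generating the unique control identifiers that InSpec requires.
def audit_mode_to_inspec(source, id_prefix: 'migrated')
  groups = 0
  lines = source.lines.map(&:chomp).flat_map do |line|
    if (m = GROUP_RE.match(line))
      groups += 1
      indent, quote, title = m[1], m[2], m[3]
      # `control_group` becomes `control` with a unique ID; its name becomes the title.
      ["#{indent}control \"#{id_prefix}-#{groups}\" do",
       "#{indent}  title #{quote}#{title}#{quote}"]
    elsif (m = CONTROL_RE.match(line))
      # A `control` before any `control_group` means the input is not
      # audit-mode code (for example, a file that was already migrated).
      raise ArgumentError, "control outside control_group: #{line.strip}" if groups.zero?
      # The old inner `control` becomes `describe`; its argument is kept as-is.
      "#{m[1]}describe #{m[2]} do"
    else
      line # `it`, `expect` and `end` lines are valid InSpec unchanged
    end
  end
  raise ArgumentError, 'no control_group found' if groups.zero?
  lines.join("\n") + "\n"
end

# Constructed sample input: the audit-mode test from the README.
SAMPLE = <<~SPEC
  control_group 'Check SSH Port' do
    control 'SSH' do
      it 'should be listening on port 22' do
        expect(port(22)).to be_listening
      end
    end
  end
SPEC

puts audit_mode_to_inspec(SAMPLE, id_prefix: 'blog') if __FILE__ == $PROGRAM_NAME
```

Several `control` blocks inside one `control_group` become several `describe` blocks inside a single InSpec control, which InSpec accepts.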
Interval Settings
If you have long-running audit profiles that you don't wish to execute on every chef-client run,
you can use the interval recipe instead of the default recipe in your run-list, and set the
following attributes:
default['audit']['interval']['enabled'] = false
default['audit']['interval']['time'] = 1440
The time attribute is in minutes.
You can enable the interval and set the interval time, along with your desired profiles,
in an environment or role like this:
"audit": {
  "profiles": {
    "base/ssh": true,
    "base/linux": true
  },
  "interval": {
    "enabled": "true",
    "time": 1440
  }
}
Please let us know if you have any issues; we are happy to help.
License
Author: | Stephan Renatus (srenatus@chef.io) |
Author: | Christoph Hartmann (chartmann@chef.io) |
Copyright: | Copyright (c) 2015 Chef Software Inc. |
License: | Apache License, Version 2.0 |
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
Foodcritic Metric
0.6.0 passed this metric