Skip to main content

Effortless Audit

[edit on GitHub]

Effortless Audit

Effortless Audit is the pattern for managing your Chef InSpec profiles. It uses Chef Habitat and Chef InSpec to build an artifact that contains your profiles and its dependencies alongside the scripts necessary to run them on your systems.

Learn more about Chef InSpec profiles.

Effortless Environment Set-up

  1. Install Chef Workstation
  2. Install Chef Habitat
  3. Configure Chef Habitat on your workstation by running hab setup

Patterns

Wrapper Profile Pattern

In Chef InSpec, a common pattern is to write a wrapper profile that depends on another profile. This pattern pulls profiles from a main profile source like the Chef Automate Profile Store. See an example of this pattern.

  1. To use this pattern, navigate to your profile:

    cd my_profile
    
  2. Make a habitat directory:

    mkdir habitat
    
  3. Make a plan file

    Use a plan.ps1 for a profile targeting Windows. Use a plan.sh for a profile targeting Linux. If the profile targets both Windows and Linux, you can have both a plan.ps1 and a plan.sh in the habitat directory. Create a plan in Linux with the following command:

    touch plan.sh
    
  4. Add some information about your profile to the plan file

    Add this profile information to the Linux plan.sh file:

    pkg_name=<my_profile>
    pkg_origin=<my_origin>
    pkg_version=<my_profile_version>
    pkg_maintainer="Your Name and Email"
    pkg_license=("Apache-2.0")
    pkg_scaffolding="chef/scaffolding-chef-inspec"
    

    Add this profile information to the Microsoft Windows plan.ps1 file:

    $pkg_name="<my_profile>"
    $pkg_origin="<my_origin>"
    $pkg_version="<my_profile_version>"
    $pkg_maintainer="My Name and Email"
    $pkg_license=("Apache-2.0")
    $pkg_scaffolding="chef/scaffolding-chef-inspec"
    
  5. Build the package

    Run the following command to build the package:

    hab pkg build .
    
  6. Add a kitchen.yml file to your profile with the following content:

    ---
    driver:
      name: vagrant
      synced_folders:
        - ["./results", "/tmp/results"]
    
    provisioner:
      name: shell
    
    verifier:
      name: inspec
    
    platforms:
      - name: centos-7.6
    
    suites:
      - name: base
        provisioner:
          arguments: ["<my_origin>", "<my_package_name>"]
        verifier:
          inspec_tests:
            test/integration/base
    
  7. Create a bootstrap.sh script and include:

    #!/bin/bash
    export HAB_LICENSE="accept-no-persist"
    export CHEF_LICENSE="accept-no-persist"
    
    if [ ! -e "/bin/hab" ]; then
    curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | sudo bash
    fi
    
    if grep "^hab:" /etc/passwd > /dev/null; then
    echo "Hab user exists"
    else
    useradd hab && true
    fi
    
    if grep "^hab:" /etc/group > /dev/null; then
    echo "Hab group exists"
    else
    groupadd hab && true
    fi
    
    pkg_origin=$1
    pkg_name=$2
    
    echo "Starting $pkg_origin/$pkg_name"
    
    latest_hart_file=$(ls -la /tmp/results/$pkg_origin-$pkg_name* | tail -n 1 | cut -d " " -f 9)
    echo "Latest hart file is $latest_hart_file"
    
    echo "Installing $latest_hart_file"
    hab pkg install $latest_hart_file
    
    echo "Determining pkg_prefix for $latest_hart_file"
    pkg_prefix=$(find /hab/pkgs/$pkg_origin/$pkg_name -maxdepth 2 -mindepth 2 | sort | tail -n 1)
    
    echo "Found $pkg_prefix"
    
    echo "Running inspec for $pkg_origin/$pkg_name"
    cd $pkg_prefix
    hab pkg exec $pkg_origin/$pkg_name inspec exec $pkg_prefix/*.tar.gz
    
  8. Run Test Kitchen to ensure your profile executes.

    Use this command to spin up a CentOS 7 virtual machine (VM) locally and run your profile using the latest Chef InSpec:

    kitchen converge base-centos
    

    If you experience failures when running the profile, know that most basic virtual machines are not fully hardened to your security policies. If you want to fix the failures, look at Chef Infra and the Effortless Config Pattern.

  9. When ready, delete the VM instance by running:

    kitchen destroy
    
  10. You can now upload your profile pkg to Chef Habitat Builder by running the following commands:

    source results/lastbuild.env
    hab pkg upload results/$pkg_artifact
    
  11. To run your profile on a system, install Chef Habitat as a service and run:

    hab svc load <your_origin>/<your_profile_name>
    

Features

Waivers

With the release of scaffolding-chef-inspec version 0.16.0 (Linux) and version 0.18.0 (Windows), we added the Chef InSpec Waivers feature. This feature allows you to specify a control ID in your Chef Habitat config that you would like to skip, or waive.

  1. Build an Effortless Audit profile and load it on your systems.

  2. Create a my_config.toml file similar to:

    [waivers]
    [waivers.control_id]
    run = false
    expiration_date: 2021-11-31
    justification = I don't want this control to run cause it breaks my app
    
  3. Apply the new change to your Chef Habitat config:

    hab config apply <my_profile_service>.<my_profile_service_group> $(date +'%s') <my_config.toml>
    
  4. Habitat will see a configuration change, automatically re-run your profile, and skip the control you specified in the my_config.toml file.