# Effortless Audit
Effortless Audit is the pattern for managing your Chef InSpec profiles. It uses Chef Habitat and Chef InSpec to build an artifact that contains your profiles and their dependencies, alongside the scripts necessary to run them on your systems.
Learn more about Chef InSpec profiles.
## Effortless Environment Set-up

- Install Chef Workstation
- Install Chef Habitat
- Configure Chef Habitat on your workstation by running:

```shell
hab setup
```
## Patterns

### Wrapper Profile Pattern

In Chef InSpec, a common pattern is to write a wrapper profile that depends on another profile. This pattern pulls profiles from a main profile source, such as the Chef Automate Profile Store. See an example of this pattern.
To use this pattern, navigate to your profile:

```shell
cd my_profile
```

Make a `habitat` directory:

```shell
mkdir habitat
```
Make a plan file. Use a `plan.ps1` for a profile targeting Windows and a `plan.sh` for a profile targeting Linux. If the profile targets both Windows and Linux, you can keep both a `plan.ps1` and a `plan.sh` in the `habitat` directory. Create the Linux plan inside that directory with the following command:

```shell
touch habitat/plan.sh
```
Add some information about your profile to the plan file.

Add this profile information to the Linux `plan.sh` file:

```shell
pkg_name=<my_profile>
pkg_origin=<my_origin>
pkg_version=<my_profile_version>
pkg_maintainer="Your Name and Email"
pkg_license=("Apache-2.0")
pkg_scaffolding="chef/scaffolding-chef-inspec"
```

Add this profile information to the Microsoft Windows `plan.ps1` file:

```powershell
$pkg_name="<my_profile>"
$pkg_origin="<my_origin>"
$pkg_version="<my_profile_version>"
$pkg_maintainer="My Name and Email"
$pkg_license=("Apache-2.0")
$pkg_scaffolding="chef/scaffolding-chef-inspec"
```
Build the package. Run the following command to build it:

```shell
hab pkg build .
```
Add a `kitchen.yml` file to your profile with the following content:

```yaml
---
driver:
  name: vagrant
  synced_folders:
    - ["./results", "/tmp/results"]

provisioner:
  name: shell

verifier:
  name: inspec

platforms:
  - name: centos-7.6

suites:
  - name: base
    provisioner:
      arguments: ["<my_origin>", "<my_package_name>"]
    verifier:
      inspec_tests:
        - test/integration/base
```
Create a `bootstrap.sh` script (the shell provisioner's default script, which receives the `arguments` from `kitchen.yml`) and include:

```bash
#!/bin/bash
export HAB_LICENSE="accept-no-persist"
export CHEF_LICENSE="accept-no-persist"

# Install the Habitat CLI if it is not already present
if [ ! -e "/bin/hab" ]; then
  curl https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh | sudo bash
fi

# Habitat runs services as the hab user and group
if grep "^hab:" /etc/passwd > /dev/null; then
  echo "Hab user exists"
else
  useradd hab && true
fi

if grep "^hab:" /etc/group > /dev/null; then
  echo "Hab group exists"
else
  groupadd hab && true
fi

# Origin and package name are passed in from the suite's provisioner arguments
pkg_origin=$1
pkg_name=$2

echo "Starting $pkg_origin/$pkg_name"

# Pick the newest .hart artifact synced from ./results on the host
latest_hart_file=$(ls -1 /tmp/results/"$pkg_origin-$pkg_name"*.hart | sort | tail -n 1)
echo "Latest hart file is $latest_hart_file"

echo "Installing $latest_hart_file"
hab pkg install "$latest_hart_file"

# The newest version/release directory under /hab/pkgs/<origin>/<name>
echo "Determining pkg_prefix for $latest_hart_file"
pkg_prefix=$(find /hab/pkgs/"$pkg_origin"/"$pkg_name" -maxdepth 2 -mindepth 2 | sort | tail -n 1)
echo "Found $pkg_prefix"

echo "Running inspec for $pkg_origin/$pkg_name"
cd "$pkg_prefix"
hab pkg exec "$pkg_origin/$pkg_name" inspec exec "$pkg_prefix"/*.tar.gz
```
Run Test Kitchen to ensure your profile executes. Use this command to spin up a CentOS 7 virtual machine (VM) locally and run your profile using the latest Chef InSpec:

```shell
kitchen converge base-centos
```
If you see control failures when running the profile, keep in mind that most stock virtual machine images are not hardened to your security policies, so failures are expected. If you want to fix them, look at Chef Infra and the Effortless Config Pattern.
When ready, delete the VM instance by running:

```shell
kitchen destroy
```
You can now upload your profile package to Chef Habitat Builder by running the following commands (`last_build.env` is written by `hab pkg build` and sets `$pkg_artifact`):

```shell
source results/last_build.env
hab pkg upload results/$pkg_artifact
```
To run your profile on a system, install Chef Habitat as a service and run:

```shell
hab svc load <your_origin>/<your_profile_name>
```
## Features

### Waivers

With the release of `scaffolding-chef-inspec` version 0.16.0 (Linux) and version 0.18.0 (Windows), we added the Chef InSpec Waivers feature. It lets you name, in your Chef Habitat config, a control ID that you would like to skip, or waive.
Build an Effortless Audit profile and load it on your systems.
Create a `my_config.toml` file similar to the following, where `control_id` is the ID of the control to waive:

```toml
[waivers]

[waivers.control_id]
run = false
# must be a valid TOML date (YYYY-MM-DD); the waiver lapses after it
expiration_date = 2021-11-30
justification = "I don't want this control to run cause it breaks my app"
```
Apply the new change to your Chef Habitat config:

```shell
hab config apply <my_profile_service>.<my_profile_service_group> $(date +'%s') <my_config.toml>
```
Habitat will see a configuration change, automatically re-run your profile, and skip the control you specified in the `my_config.toml` file.