Compliance - Using the Audit Cookbook

The Audit Cookbook

Want to gather compliance data via chef-client and have the output forwarded to Chef Automate? Then the audit cookbook (Supermarket/GitHub) is just the tool you need.

The audit cookbook supports a myriad of configurations. This blog post intends to provide the most commonly used method and is best suited for customers who are using Chef Automate.

The only decision that you need to make is what InSpec profiles you will run.


Deciding Which Profiles to Run

Deciding which InSpec profiles to use to scan your nodes is an individual business decision and outside the scope of this blog post. However, the Chef Automate server comes with many profiles bundled with it and it is recommended that you start there.

More information can be found here.


Configuring Data Collection/Profile Storage

This guide uses the Chef Server as a proxy between the chef-client nodes and Automate. To enable this functionality, do the following.

Configure Data Collection

  1. Add the following to /etc/delivery.rb on the Automate server:

    data_collector['token'] = 'SOMETOKENVALUE'
    

    NOTE: The token is a shared secret of your choosing; the default value is 93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506. Because that default is published, set your own value rather than keeping it.

  2. Reconfigure the Automate server by running:

    sudo automate-ctl reconfigure
    
  3. Add the following to /etc/opscode/chef-server.rb on all Chef Servers:

    data_collector['root_url'] = 'https://AUTOMATE_SERVER_FQDN/data-collector/v0/'
    data_collector['token'] = 'SOMETOKENVALUE'
    profiles['root_url'] = 'https://AUTOMATE_SERVER_FQDN'
    

    NOTE: The token must match what you set on the Automate server

  4. Reconfigure all the Chef Servers:

    sudo chef-server-ctl reconfigure
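
As an added check (not part of the audit cookbook or of this post's own steps), the following Ruby reads the two config fragments above and confirms that the data-collector tokens match, that the published default token is not in use, and that the Automate URLs are well formed. The file contents are constructed samples and the hostname automate.example.internal is a placeholder.

```ruby
require 'uri'

# Published default token from the post; treat it as a known, public value.
DEFAULT_TOKEN = '93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506'.freeze

# Extract settings of the form  section['key'] = 'value'  into a flat Hash,
# e.g. {"data_collector.token" => "SOMETOKENVALUE"}. Comment lines and other
# Ruby statements are ignored; this is a line scan, not a Ruby evaluator.
def parse_settings(text)
  text.each_line.with_object({}) do |line, h|
    next if line.strip.start_with?('#')
    m = line.match(/\A\s*(\w+)\['(\w+)'\]\s*=\s*'([^']*)'/)
    h["#{m[1]}.#{m[2]}"] = m[3] if m
  end
end

# Return a list of problems with the pairing of the Automate (delivery.rb)
# and Chef Server (chef-server.rb) settings; an empty list means they agree.
def check_data_collector(automate_rb, chef_server_rb)
  a = parse_settings(automate_rb)
  c = parse_settings(chef_server_rb)
  problems = []
  unless a['data_collector.token'] == c['data_collector.token']
    problems << 'token mismatch between Automate and Chef Server'
  end
  problems << 'published default token in use' if a['data_collector.token'] == DEFAULT_TOKEN
  uri = (URI.parse(c['data_collector.root_url'].to_s) rescue nil)
  if uri.nil? || uri.scheme != 'https' || uri.host.nil?
    problems << 'data_collector root_url is not an https URL'
  elsif uri.path != '/data-collector/v0/'
    problems << 'data_collector root_url path should be /data-collector/v0/'
  end
  problems << 'profiles root_url is not https' unless c['profiles.root_url'].to_s.start_with?('https://')
  problems
end

# Constructed sample fragments mirroring the two files edited in steps 1 and 3.
AUTOMATE_RB = "data_collector['token'] = 'SOMETOKENVALUE'\n"
CHEF_SERVER_RB = <<~RB
  data_collector['root_url'] = 'https://automate.example.internal/data-collector/v0/'
  data_collector['token'] = 'SOMETOKENVALUE'
  profiles['root_url'] = 'https://automate.example.internal'
RB

puts check_data_collector(AUTOMATE_RB, CHEF_SERVER_RB).inspect if $PROGRAM_NAME == __FILE__
```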
    

Download the Necessary Profiles

This guide uses the Profile Store on the Automate server as the location where InSpec Profiles are fetched from. In order to use these profiles do the following:

  1. Login to the Automate UI as the admin user (created during setup).
  2. Click on the Compliance tab.
  3. Click on the Profile Store button on the left of the screen.
  4. Click Available.
  5. Using the arrow and the Get button inside the orange box, get the following profiles:
    • DevSec Linux Security Baseline
    • DevSec Windows Security Baseline

Using the Audit Cookbook

The recommended method for using the audit cookbook is via a wrapper cookbook. If you are unfamiliar with what a wrapper cookbook is, you can read my blog post on the subject here.

TL;DR: A wrapper cookbook is a regular cookbook that includes recipes from other cookbooks. In this case we are going to include audit::default.

Creating the Wrapper Cookbook

  1. Generate the wrapper cookbook:

    chef generate cookbook mycorp_audit
    
  2. Place the following in mycorp_audit/metadata.rb:

    depends 'audit'
    
  3. Add the following in mycorp_audit/recipes/default.rb:

    include_recipe 'audit::default'
    
  4. Generate the default attributes file:

    chef generate attribute default
    
  5. Add the following in mycorp_audit/attributes/default.rb:

    default['audit']['reporter'] = 'chef-server-automate'
    
    case node['os']
    when 'linux'
      default['audit']['profiles'] = [
        {
          'name': 'DevSec Linux Security Baseline',
          'compliance': 'admin/linux-baseline'
        }
      ]
    when 'windows'
      default['audit']['profiles'] = [
        {
          'name': 'DevSec Windows Security Baseline',
          'compliance': 'admin/windows-baseline'
        }
      ]
    end
    

    NOTE: This will run the baseline profile for Windows or Linux, depending on the OS the cookbook is run on.

  6. Upload the cookbook to all Chef Servers.


Gathering Data

  1. Add mycorp_audit::default to a node’s run_list
  2. Run chef-client

Once that is complete, chef-client will perform its converge phase and then use a handler to run your InSpec profiles.


Viewing Data

Once the above is complete you should now have Converge and Compliance data in the Automate UI.


Extra Resources