Downloaded 20 times
![config.json
{
"audit": {
"collector": "chef-visibility",
"inspec_version": "1.15.0",
"profiles": [
{
"name": "ssh",
"path": "/home/chef/profiles/ssh"
}
]
}
}
cat config.json](https://image.slidesharecdn.com/devopsdc-inspec-workshop-slideshare-170316223019/85/Compliance-Automation-with-InSpec-15-320.jpg)
![Test-Driven Development
• Write a test, watch it fail
• Write some code
• Write and run more tests
• Code review
• Delivery pipeline to production
• Lowered chance of production failure
Add a test
Run the tests
Make a little change
Run the tests
pass
[development
continues]fail
fail
pass
pass
[development stops]](https://image.slidesharecdn.com/devopsdc-inspec-workshop-slideshare-170316223019/85/Compliance-Automation-with-InSpec-21-320.jpg)
![Test-driven Development
Add a test
Run the tests
Make a little change
Run the tests
pass
[development
continues]fail
fail
pass
pass
[development stops]](https://image.slidesharecdn.com/devopsdc-inspec-workshop-slideshare-170316223019/85/Compliance-Automation-with-InSpec-23-320.jpg)
![Test-driven Development
Add a test
Run the tests
Make a little change
Run the tests
pass
[development
continues]fail
fail
pass
pass
[development stops]](https://image.slidesharecdn.com/devopsdc-inspec-workshop-slideshare-170316223019/85/Compliance-Automation-with-InSpec-25-320.jpg)
![Test-driven Development
Add a test
Run the tests
Make a little change
Run the tests
pass
[development
continues]fail
fail
pass
pass
[development stops]](https://image.slidesharecdn.com/devopsdc-inspec-workshop-slideshare-170316223019/85/Compliance-Automation-with-InSpec-26-320.jpg)
Uploaded byNathen Harvey
Compliance Automation with InSpec
The document discusses compliance automation using Inspec, focusing on tools like Chef DK, Foodcritic, and Cookstyle for developing and validating Chef code against best practices. It outlines the process for remediating compliance issues through test-driven development and includes resources for further assistance within the Chef community. Information about ChefConf and engagement opportunities is also highlighted to foster collaboration and learning.
More Related Content
Similar to Compliance Automation with InSpec
Compliance Automation with InSpec
- 1. Compliance Automation withInSpec Learning Lab Nathen Harvey - @nathenharvey
- 2. Join Slack Team& Channel • http://www.dctechslack.com/ • #devopsdc-meetup #devopsdc-meetup
- 3. Chef DK -The Chef Development Kit • Definitive tooling for local development of Chef code & Infrastructure as Code development ▪ Validate your Chef code against Chef best practices ▪ Extend with rules to enforce organizational Chef development best practices ▪ Enforce compliance & security practices Foodcritic Test Your “Chef Style” ▪ Validate your Chef code against Ruby best practices ▪ Identify potential Ruby errors Unclosed strings, etc. ▪ Identify style/convention that helps write better code Single quotes vs. double quotes CookStyle Validate your Ruby ▪ Validate your Chef code will run ▪ Testing for more Chef advanced use cases ▪ Useful for regression testing ChefSpec Simulate Chef ▪ Executes your Chef code on an instance or container ▪ Integrates with Cloud and Virtualization providers ▪ Validate your Chef code locally before sharing ▪ Speed development of Chef Cookbooks Test Kitchen Let’s do this (almost) for real ▪ Assert the intention of your Chef code ▪ Verify on live systems that your Chef code produced the correct result ▪ Confirm your Chef code didn’t not produce compliance drift InSpec Verify automation results & ensure compliance FAST INEXPENSIVE TESTING DEEP INTEGRATION TESTING
- 4. Continuous Compliance Chef Automateand InSpec Profiles
- 5. Chef Automate –Node View • View aggregate status of your infrastructure Overall & trend views of converge status Overall & trend views of compliance status Filter & search options • View details of any node Status of converged resources Run List applied to the node Attributes of the node
- 6. Chef Solo Executes chef-clientwithout relying on a Chef server to provide configuration policies (cookbooks, environments, etc.) https://docs.chef.io/chef_solo.html
- 7. Chef Solo • Localdirectory for configuration policy Or a URL from which a .tar.gz file can be downloaded • Node objects stored as a local JSON file • Attribute data stored in a JSON file Local or remote • Does not pull from a Chef Server • Can be configured to send data to a Chef Server
- 8. Chef Client –Local Mode Local mode is a way to run the chef-client against the chef- repo on a local machine as if it were running against the Chef server. https://docs.chef.io/ctl_chef_client.html#run-in-local-mode
- 9. Review the set-up tyingit all together
- 10.
- 11. List contents Berksfile config.jsonfirstname-lastname profiles Berksfile.lock cookbooks nodes ls
- 12.
- 13. Audit Cookbook • InstallInSpec • Run InSpec profiles • Report results to Chef Compliance or Chef Visibility
- 14. Compat Resource Cookbook •Adds functionality introduced in the latest chef-client releases to any chef-client from 12.1 onwards. • Includes Custom Resource functionality notification improvements new resources added to core chef • Allows for these new resources in cookbooks without requiring the very latest Chef client release.
- 15. config.json { "audit": { "collector": "chef-visibility", "inspec_version":"1.15.0", "profiles": [ { "name": "ssh", "path": "/home/chef/profiles/ssh" } ] } } cat config.json
- 16. Local Profiles profiles/ └── ssh ├──controls │ └── ssh.rb ├── inspec.lock └── inspec.yml 2 directories, 3 files tree profiles
- 17. Next Steps • Remediatethe failing control • Run the audit cookbook to verify the remediation • View the compliant node in Automate
- 18. Remediate the FailingControl
- 19. Simple SSH Cookbook •A server recipe to manage the sshd_config file • Local test environment configured
- 20. Remember… • Infrastructure policiesneed testing ↳ Linting ↳ Static Analysis ↳ Unit Testing ↳ Integration Testing ↳ Compliance Testing "Infrastructure as Code" should be tested like ANY other codebase.
- 21. Test-Driven Development • Writea test, watch it fail • Write some code • Write and run more tests • Code review • Delivery pipeline to production • Lowered chance of production failure Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
- 22.
- 23. Test-driven Development Add atest Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
- 24. Test-driven Development Add atest Run the tests Make a little change fail pass
- 25. Test-driven Development Add atest Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
- 26. Test-driven Development Add atest Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
- 27. What’s next? • Test-drivendevelopment cycle is complete • Deploy the change
- 28. Further Resources Where togo for additional help
- 29. Community Resources • InSpecWebsite, includes tutorials and docs - http://inspec.io/ • #inspec channel of the Chef Community Slack - http://community-slack.chef.io/ • InSpec category of the Chef Mailing List - https://discourse.chef.io/c/inspec • Compliance Profiles on the Supermarket - https://supermarket.chef.io/tools?type=compliance_profile • Open Source Project - https://github.com/chef/inspec
- 30. ★ Workshops &Chef Training ★ DevOps Leadership Summit ★ Community Summit ★ Partner Summit ★ Welcome Reception ★ Customer Dinner ★ Analyst Day • Exhibit Hall Open & Sales suites available • chefconf.chef.io • DAY 1 // MAY 22 ★ Keynotes ★ Technical Sessions ★ Happy Hour ★ Game Night ★ Executive Dinner DAY 2 // MAY 23 ★ Keynotes ★ Technical Sessions ★ Awesome Chef Awards ★ Community Celebration DAY 3 // MAY 24 ★ Hackday DAY 4 // MAY 25
Editor's Notes
- #3 >>> INSTRUCTOR NOTE – Update the slack channel name
- #4 Definitive tooling for local development of Chef code: Fast inexpensive testing tools: Food Critic Cook Style ChefSpec Deeper integration testing: Test Kitchen Inspec Designed to speed Infrastructure as Code development
- #8 Describe some of the differences between chef-client and chef-solo Next, we’ll look at our own chef-solo setup
- #9 Chef Client is local mode acts in a very similar way to chef-solo. The Automate server does not distinguish between chef-solo and chef-client --local-mode
- #16 Node-specific attributes are specified in a JSON file. These attributes are used by the audit cookbook.
- #24 Technically, we haven’t written any tests just yet. However, one could argue that a passing ‘kitchen converge’ is, itself, a worthwhile test. By setting up test kitchen we’ve not added a test, run the test, seen the tests pass. But we’re not done so it’s time to restart the loop.
- #25 Technically, we haven’t written any tests just yet. However, one could argue that a passing ‘kitchen converge’ is, itself, a worthwhile test. By setting up test kitchen we’ve not added a test, run the test, seen the tests pass. But we’re not done so it’s time to restart the loop.
- #26 Technically, we haven’t written any tests just yet. However, one could argue that a passing ‘kitchen converge’ is, itself, a worthwhile test. By setting up test kitchen we’ve not added a test, run the test, seen the tests pass. But we’re not done so it’s time to restart the loop.
- #27 We’ve completed the cycle. But are we done?
- #31 Texas, austin, bathroom law