
Compliance Automation with InSpec

Apr 12, 2017


Nathen Harvey
Transcript


Compliance Automation with InSpec
Learning Lab
Nathen Harvey - @nathenharvey

Join Slack Team & Channel
http://www.dctechslack.com/
#devopsdc-meetup

>>> INSTRUCTOR NOTE: Update the slack channel name

Chef DK - The Chef Development Kit
Definitive tooling for local development of Chef code & Infrastructure as Code development

Foodcritic - Test Your Chef Style
Validate your Chef code against Chef best practices
Extend with rules to enforce organizational Chef development best practices
Enforce compliance & security practices

Cookstyle - Validate your Ruby
Validate your Chef code against Ruby best practices
Identify potential Ruby errors (unclosed strings, etc.)
Identify style/conventions that help write better code (single quotes vs. double quotes)

ChefSpec - Simulate Chef
Validate your Chef code will run
Testing for more advanced Chef use cases
Useful for regression testing

Test Kitchen - Let's do this (almost) for real
Executes your Chef code on an instance or container
Integrates with cloud and virtualization providers
Validate your Chef code locally before sharing
Speed development of Chef cookbooks

InSpec - Verify automation results & ensure compliance
Assert the intention of your Chef code
Verify on live systems that your Chef code produced the correct result
Confirm your Chef code did not produce compliance drift

(Slide axis: FAST, INEXPENSIVE TESTING on the left through DEEP INTEGRATION TESTING on the right)

Definitive tooling for local development of Chef code. Fast, inexpensive testing tools: Foodcritic, Cookstyle, ChefSpec. Deeper integration testing: Test Kitchen, InSpec. Designed to speed Infrastructure as Code development.

Continuous Compliance
Chef Automate and InSpec Profiles

Chef Automate Node View
View aggregate status of your infrastructure
Overall & trend views of converge status
Overall & trend views of compliance status
Filter & search options
View details of any node
Status of converged resources
Run list applied to the node
Attributes of the node

Chef Solo
Executes chef-client without relying on a Chef server to provide configuration policies (cookbooks, environments, etc.)

https://docs.chef.io/chef_solo.html

Chef Solo
Local directory for configuration policy, or a URL from which a .tar.gz file can be downloaded
Node objects stored as a local JSON file
Attribute data stored in a JSON file (local or remote)
Does not pull from a Chef Server
Can be configured to send data to a Chef Server

Describe some of the differences between chef-client and chef-solo.

Next, we'll look at our own chef-solo setup.

Chef Client Local Mode
Local mode is a way to run the chef-client against the chef-repo on a local machine as if it were running against the Chef server.

https://docs.chef.io/ctl_chef_client.html#run-in-local-mode

Chef Client in local mode acts in a very similar way to chef-solo. The Automate server does not distinguish between chef-solo and chef-client --local-mode.

Review the set-up: tying it all together

Go home
$ cd ~

List contents
$ ls
Berksfile       config.json  firstname-lastname  profiles
Berksfile.lock  cookbooks    nodes

List cookbooks
$ ls cookbooks
audit  compat_resource

Audit Cookbook
Install InSpec
Run InSpec profiles
Report results to Chef Compliance or Chef Visibility

Compat Resource Cookbook
Adds functionality introduced in the latest chef-client releases to any chef-client from 12.1 onwards. Includes: custom resource functionality, notification improvements, and new resources added to core Chef. Allows for these new resources in cookbooks without requiring the very latest Chef client release.

config.json
$ cat config.json
{
  "audit": {
    "collector": "chef-visibility",
    "inspec_version": "1.15.0",
    "profiles": [
      {
        "name": "ssh",
        "path": "/home/chef/profiles/ssh"
      }
    ]
  }
}

Node-specific attributes are specified in a JSON file.

These attributes are used by the audit cookbook.

Local Profiles
$ tree profiles
profiles/
└── ssh
    ├── controls
    │   └── ssh.rb
    ├── inspec.lock
    └── inspec.yml

2 directories, 3 files

Next Steps
Remediate the failing control
Run the audit cookbook to verify the remediation
View the compliant node in Automate

Remediate the Failing Control

Simple SSH Cookbook
A server recipe to manage the sshd_config file
Local test environment configured
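As an added example (not code from the deck, nor from Chef or InSpec), here is a plain-Ruby stand-in for the kind of checks an ssh profile's control makes against sshd_config, together with the remediation a server recipe would apply before the audit cookbook is re-run. The three keywords and their expected values are assumptions for illustration; the deck does not say which control fails in the lab.

```ruby
# Added example, not code from the deck: a plain-Ruby stand-in for what an
# "ssh" InSpec control checks, and the remediation the SSH cookbook's server
# recipe performs on sshd_config. The managed settings are assumptions.

# Desired state, the equivalent of an InSpec `describe sshd_config` block.
EXPECTED = {
  'PermitRootLogin'        => 'no',
  'PasswordAuthentication' => 'no',
  'Protocol'               => '2',
}.freeze

# Parse sshd_config into { lowercased keyword => value }.
# sshd honours the FIRST occurrence of a keyword, so keep the first value.
def parse_sshd_config(text)
  conf = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    conf[key.downcase] ||= value.to_s.strip
  end
  conf
end

# Audit: returns { keyword => :passed | :failed }, like InSpec control results.
def audit_sshd_config(text)
  conf = parse_sshd_config(text)
  EXPECTED.map { |k, want| [k, conf[k.downcase] == want ? :passed : :failed] }.to_h
end

# Remediate: drop every existing line for each managed keyword (including
# duplicates that would otherwise shadow the fix) and append the desired one.
def remediate_sshd_config(text)
  lines = text.lines.map(&:chomp)
  EXPECTED.each do |k, want|
    lines.reject! { |l| l.strip.split(/\s+/).first.to_s.casecmp?(k) }
    lines << "#{k} #{want}"
  end
  lines.join("\n") + "\n"
end

# Constructed non-compliant sshd_config used as sample input.
SAMPLE_BEFORE = <<~CONF
  # sshd_config (constructed sample)
  Protocol 2
  PermitRootLogin yes
  #PasswordAuthentication no
  PasswordAuthentication yes
  UsePAM yes
CONF

if __FILE__ == $PROGRAM_NAME
  puts "before: #{audit_sshd_config(SAMPLE_BEFORE)}"
  puts "after:  #{audit_sshd_config(remediate_sshd_config(SAMPLE_BEFORE))}"
end
```

Running it first shows two failed controls and one passed, then all three passed after remediation, which is the loop the Next Steps slide describes.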

Remember
Infrastructure policies need testing: Linting, Static Analysis, Unit Testing, Integration Testing, Compliance Testing

"Infrastructure as Code" should be tested like ANY other codebase.

Test-Driven Development
Write a test, watch it fail
Write some code
Write and run more tests
Code review
Delivery pipeline to production
Lowered chance of production failure

Add a test
Run the tests
Make a little change
Run the tests

(Loop diagram: each test run either passes, and development continues, or fails and the change is revised; the loop ends with a pass and development stops)

Testing the change

Test-driven Development
Add a test
Run the tests
Make a little change
Run the tests

(Loop diagram: each test run either passes, and development continues, or fails and the change is revised; the loop ends with a pass and development stops)

Technically, we haven't written any tests just yet. However, one could argue that a passing kitchen converge is, itself, a worthwhile test.

By setting up Test Kitchen we've now added a test, run the test, and seen the tests pass. But we're not done, so it's time to restart the loop.


We've completed the cycle. But are we done?

What's next?
Test-driven development cycle is complete
Deploy the change

Further Resources
Where to go for additional help

Community Resources
InSpec Website, includes tutorials and docs - http://inspec.io/
#inspec channel of the Chef Community Slack - http://community-slack.chef.io/
InSpec category of the Chef Mailing List - https://discourse.chef.io/c/inspec
Compliance Profiles on the Supermarket - https://supermarket.chef.io/tools?type=compliance_profile
Open Source Project - https://github.com/chef/inspec

ChefConf 2017 - chefconf.chef.io

DAY 1 // MAY 22
Workshops & Chef Training
DevOps Leadership Summit, Community Summit, Partner Summit
Welcome Reception, Customer Dinner, Analyst Day

DAY 2 // MAY 23
Keynotes, Technical Sessions
Happy Hour, Game Night, Executive Dinner

DAY 3 // MAY 24
Keynotes, Technical Sessions
Awesome Chef Awards, Community Celebration

DAY 4 // MAY 25
Hackday

Exhibit Hall open & sales suites available

Texas, Austin, bathroom law