Start United States USA — software Chef InSpec: Where Compliance and Security Blend

Chef InSpec: Where Compliance and Security Blend

123
0
TEILEN

This blog discusses where to start on the technical side for a new Chef InSpec user. And to write their first InSpec code.
Join the DZone community and get the full member experience. As your applications grow and become more complex, so can your worries about the risks to your environments and ensuring they comply with your system policies and regulatory standards. While administrators deal with audits and other routine work, they also need to work on planned projects. DevSecOps teams could manage their endpoints with existing tools for small fleets of devices, but challenges arise when you begin to scale. This is where Chef InSpec comes into the picture. Chef InSpec is a security and compliance testing tool that can help you address these concerns by providing an easy-to-understand (human-readable) and customizable code framework. InSpec helps define expectations for the systems you manage and detect any deviation from your set policies. It’s easy to get started because InSpec does not require an agent to work with Linux, Windows, or macOS target nodes to scan and verify configurations. It also provides a great amount of flexibility in how you go about that detection process. For ad hoc point-in-time scans, the InSpec command-line utility allows you to evaluate any system reachable over SSH or WinRM. InSpec can also be used with Chef Automate to scan thousands of nodes at once in on-prem, cloud, and edge environments. Chef InSpec DSL provides a broad set of resources and matchers that allow you to write easily readable code without having any knowledge of the underlying Ruby language. InSpec tests and more sophisticated profiles let you describe a system resource and make statements about how that resource should behave or be configured. InSpec includes nearly 500 built-in resources, and you can combine them to make your own custom resources. Resources declare a resource type and then provide information about that system object. The following example looks at a file resource type, providing the path to the specific file on the system to be analyzed, confirming that it exists and contains the content you want. The following example tells InSpec to look at a specific file on a target node and confirms that it contains “Hello, world!”: The best way to get started with InSpec is to install Chef Workstation, a collection of tools that enable you to create, test, and run Chef code. You can install Chef Workstation by downloading an OS-specific installer for Windows, Linux, or macOS. You can find details about how to set up Workstation, Chef Infra Server, and Chef Automate in this getting-started document. You can use Chef InSpec to scan for files, applications, open ports, and many other resources configured on Linux, Windows, or macOS. The following example determines if auditd is installed on a Linux system using an InSpec profile. Profiles are made up of controls, which bundle one or more InSpec resources into blocks that define one or more expectations for your target systems.

Continue reading...