Compliance Automation with InSpec
Download as PPTX, PDF3 likes1,132 views
InSpec is an open source testing framework for infrastructure with a human-readable language for specifying compliance, security, and other policy requirements. Easily integrate automated tests that check for advherence to policy into any stage of your deployment pipeline.
![config.json
{
"audit": {
"collector": "chef-visibility",
"inspec_version": "1.15.0",
"profiles": [
{
"name": "ssh",
"path": "/home/chef/profiles/ssh"
}
]
}
}
cat config.json](https://image.slidesharecdn.com/devopsdc-inspec-workshop-slideshare-170316223019/85/Compliance-Automation-with-InSpec-15-320.jpg)
![Test-Driven Development
• Write a test, watch it fail
• Write some code
• Write and run more tests
• Code review
• Delivery pipeline to production
• Lowered chance of production failure
Add a test
Run the tests
Make a little change
Run the tests
pass
[development
continues]fail
fail
pass
pass
[development stops]](https://image.slidesharecdn.com/devopsdc-inspec-workshop-slideshare-170316223019/85/Compliance-Automation-with-InSpec-21-320.jpg)
![Test-driven Development
Add a test
Run the tests
Make a little change
Run the tests
pass
[development
continues]fail
fail
pass
pass
[development stops]](https://image.slidesharecdn.com/devopsdc-inspec-workshop-slideshare-170316223019/85/Compliance-Automation-with-InSpec-23-320.jpg)
![Test-driven Development
Add a test
Run the tests
Make a little change
Run the tests
pass
[development
continues]fail
fail
pass
pass
[development stops]](https://image.slidesharecdn.com/devopsdc-inspec-workshop-slideshare-170316223019/85/Compliance-Automation-with-InSpec-25-320.jpg)
![Test-driven Development
Add a test
Run the tests
Make a little change
Run the tests
pass
[development
continues]fail
fail
pass
pass
[development stops]](https://image.slidesharecdn.com/devopsdc-inspec-workshop-slideshare-170316223019/85/Compliance-Automation-with-InSpec-26-320.jpg)
Ad
More Related Content
What's hot (20)
Viewers also liked (14)
Ad
Similar to Compliance Automation with InSpec (20)
Ad
More from Nathen Harvey (12)
Recently uploaded (20)
Compliance Automation with InSpec
- 1. Compliance Automation with InSpec Learning Lab Nathen Harvey - @nathenharvey
- 2. Join Slack Team & Channel • http://www.dctechslack.com/ • #devopsdc-meetup #devopsdc-meetup
- 3. Chef DK - The Chef Development Kit • Definitive tooling for local development of Chef code & Infrastructure as Code development ▪ Validate your Chef code against Chef best practices ▪ Extend with rules to enforce organizational Chef development best practices ▪ Enforce compliance & security practices Foodcritic Test Your “Chef Style” ▪ Validate your Chef code against Ruby best practices ▪ Identify potential Ruby errors Unclosed strings, etc. ▪ Identify style/convention that helps write better code Single quotes vs. double quotes CookStyle Validate your Ruby ▪ Validate your Chef code will run ▪ Testing for more Chef advanced use cases ▪ Useful for regression testing ChefSpec Simulate Chef ▪ Executes your Chef code on an instance or container ▪ Integrates with Cloud and Virtualization providers ▪ Validate your Chef code locally before sharing ▪ Speed development of Chef Cookbooks Test Kitchen Let’s do this (almost) for real ▪ Assert the intention of your Chef code ▪ Verify on live systems that your Chef code produced the correct result ▪ Confirm your Chef code didn’t not produce compliance drift InSpec Verify automation results & ensure compliance FAST INEXPENSIVE TESTING DEEP INTEGRATION TESTING
- 4. Continuous Compliance Chef Automate and InSpec Profiles
- 5. Chef Automate – Node View • View aggregate status of your infrastructure Overall & trend views of converge status Overall & trend views of compliance status Filter & search options • View details of any node Status of converged resources Run List applied to the node Attributes of the node
- 6. Chef Solo Executes chef-client without relying on a Chef server to provide configuration policies (cookbooks, environments, etc.) https://docs.chef.io/chef_solo.html
- 7. Chef Solo • Local directory for configuration policy Or a URL from which a .tar.gz file can be downloaded • Node objects stored as a local JSON file • Attribute data stored in a JSON file Local or remote • Does not pull from a Chef Server • Can be configured to send data to a Chef Server
- 8. Chef Client – Local Mode Local mode is a way to run the chef-client against the chef- repo on a local machine as if it were running against the Chef server. https://docs.chef.io/ctl_chef_client.html#run-in-local-mode
- 9. Review the set-up tying it all together
- 10. Go home cd ~
- 11. List contents Berksfile config.json firstname-lastname profiles Berksfile.lock cookbooks nodes ls
- 12. List cookbooks audit compat_resource ls cookbooks
- 13. Audit Cookbook • Install InSpec • Run InSpec profiles • Report results to Chef Compliance or Chef Visibility
- 14. Compat Resource Cookbook • Adds functionality introduced in the latest chef-client releases to any chef-client from 12.1 onwards. • Includes Custom Resource functionality notification improvements new resources added to core chef • Allows for these new resources in cookbooks without requiring the very latest Chef client release.
- 15. config.json { "audit": { "collector": "chef-visibility", "inspec_version": "1.15.0", "profiles": [ { "name": "ssh", "path": "/home/chef/profiles/ssh" } ] } } cat config.json
- 16. Local Profiles profiles/ └── ssh ├── controls │ └── ssh.rb ├── inspec.lock └── inspec.yml 2 directories, 3 files tree profiles
- 17. Next Steps • Remediate the failing control • Run the audit cookbook to verify the remediation • View the compliant node in Automate
- 18. Remediate the Failing Control
- 19. Simple SSH Cookbook • A server recipe to manage the sshd_config file • Local test environment configured
- 20. Remember… • Infrastructure policies need testing ↳ Linting ↳ Static Analysis ↳ Unit Testing ↳ Integration Testing ↳ Compliance Testing "Infrastructure as Code" should be tested like ANY other codebase.
- 21. Test-Driven Development • Write a test, watch it fail • Write some code • Write and run more tests • Code review • Delivery pipeline to production • Lowered chance of production failure Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
- 23. Test-driven Development Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
- 24. Test-driven Development Add a test Run the tests Make a little change fail pass
- 25. Test-driven Development Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
- 26. Test-driven Development Add a test Run the tests Make a little change Run the tests pass [development continues]fail fail pass pass [development stops]
- 27. What’s next? • Test-driven development cycle is complete • Deploy the change
- 28. Further Resources Where to go for additional help
- 29. Community Resources • InSpec Website, includes tutorials and docs - http://inspec.io/ • #inspec channel of the Chef Community Slack - http://community-slack.chef.io/ • InSpec category of the Chef Mailing List - https://discourse.chef.io/c/inspec • Compliance Profiles on the Supermarket - https://supermarket.chef.io/tools?type=compliance_profile • Open Source Project - https://github.com/chef/inspec
- 30. ★ Workshops & Chef Training ★ DevOps Leadership Summit ★ Community Summit ★ Partner Summit ★ Welcome Reception ★ Customer Dinner ★ Analyst Day • Exhibit Hall Open & Sales suites available • chefconf.chef.io • DAY 1 // MAY 22 ★ Keynotes ★ Technical Sessions ★ Happy Hour ★ Game Night ★ Executive Dinner DAY 2 // MAY 23 ★ Keynotes ★ Technical Sessions ★ Awesome Chef Awards ★ Community Celebration DAY 3 // MAY 24 ★ Hackday DAY 4 // MAY 25
Editor's Notes
- #3: >>> INSTRUCTOR NOTE – Update the slack channel name
- #4: Definitive tooling for local development of Chef code: Fast inexpensive testing tools: Food Critic Cook Style ChefSpec Deeper integration testing: Test Kitchen Inspec Designed to speed Infrastructure as Code development
- #8: Describe some of the differences between chef-client and chef-solo Next, we’ll look at our own chef-solo setup
- #9: Chef Client is local mode acts in a very similar way to chef-solo. The Automate server does not distinguish between chef-solo and chef-client --local-mode
- #16: Node-specific attributes are specified in a JSON file. These attributes are used by the audit cookbook.
- #24: Technically, we haven’t written any tests just yet. However, one could argue that a passing ‘kitchen converge’ is, itself, a worthwhile test. By setting up test kitchen we’ve not added a test, run the test, seen the tests pass. But we’re not done so it’s time to restart the loop.
- #25: Technically, we haven’t written any tests just yet. However, one could argue that a passing ‘kitchen converge’ is, itself, a worthwhile test. By setting up test kitchen we’ve not added a test, run the test, seen the tests pass. But we’re not done so it’s time to restart the loop.
- #26: Technically, we haven’t written any tests just yet. However, one could argue that a passing ‘kitchen converge’ is, itself, a worthwhile test. By setting up test kitchen we’ve not added a test, run the test, seen the tests pass. But we’re not done so it’s time to restart the loop.
- #27: We’ve completed the cycle. But are we done?
- #31: Texas, austin, bathroom law