5 Important Chef InSpec commands to keep your IT ecosystem compliant.

Progress Chef
6 min read · Oct 27, 2023

By Smitha Ravindran and Shua Matin

When you think of Progress Chef, you think of Configuration Management, right?

But did you know that it can also take care of your Compliance and Security needs too?

Progress Chef was initially created to overcome the obstacles of scaling and automating the management of complex infrastructure and application configurations, using an infrastructure-as-code approach.

Beginning its journey as a Configuration Management Tool, Chef has come a long way by widening its scope to compliance as well as security.

While Progress Chef® Compliance™ makes it easier for DevOps, InfoSec and Compliance teams to maintain and ensure IT compliance and security across the enterprise, Progress Chef® Cloud Security™ enables ITOps teams to scan, monitor and remediate configuration issues across on-prem and cloud-native environments and multi-cloud accounts.

Chef Compliance and Chef Cloud Security run on a core engine — Progress® Chef® InSpec®.

If you are looking to augment your IT compliance with automated solutions, here is a sneak peek into what InSpec can do.

Chef InSpec uses an open-source framework for defining security and compliance rules as executable code that caters to all stages of the software delivery life cycle. It works by comparing the actual state of your system with the desired state. This is done with the help of human-readable Chef InSpec code. It detects violations and displays findings in the form of a report. You can use this report to effect remediation.

When defined with Chef InSpec, compliance, security and other policy requirements become automated tests that can be run against traditional servers, containers and cloud environments. This ensures that security and compliance standards are enforced consistently in every environment.

Chef InSpec supports the creation of complex test and compliance profiles, which organize controls to support dependency management and code reuse. Each profile is a standalone structure with its own distribution and execution flow.

Learn more about how to install Chef InSpec here.

Getting started with Chef InSpec requires four simple steps:

1. Create a profile

2. Write the test

3. Target your systems

4. View the results
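The four steps above, carried out from the shell as an added example (this is not the article's own code; the profile path, the control id `sshd-01`, the `RUN_EXAMPLE` variable and the SSH target are illustrative assumptions):

```shell
#!/bin/sh
# Added example (not from the article): the four getting-started steps as
# one script. Profile path, control id, target and RUN_EXAMPLE are assumed.
set -e

PROFILE_DIR="${PROFILE_DIR:-./ssh-baseline}"

# Step 1: create a profile. 'inspec init profile' generates inspec.yml
# (name, version, supported platforms) and a controls/ directory.
# Skipped when the directory already exists so the script is re-runnable.
create_profile() {
  if [ ! -d "$1" ]; then
    inspec init profile "$1"
  fi
}

# Step 2: write the test. Controls are Ruby DSL; this one (constructed for
# the example) checks two hardening settings via the sshd_config resource.
# Prints the path of the file it wrote.
write_sshd_control() {
  mkdir -p "$1/controls"
  cat > "$1/controls/sshd.rb" <<'EOF'
control 'sshd-01' do
  impact 1.0
  title 'sshd must refuse root and password logins'
  desc  'Limit SSH to key-based logins by unprivileged users.'
  describe sshd_config do
    its('PermitRootLogin')        { should cmp 'no' }
    its('PasswordAuthentication') { should cmp 'no' }
  end
end
EOF
  echo "$1/controls/sshd.rb"
}

# Steps 3 and 4: target a system and view the results. The cli reporter
# prints to the terminal; the json reporter writes a file you can archive
# or hand to remediation. Add '-i ~/.ssh/key' for key-based SSH auth.
scan_target() {
  inspec exec "$1" -t "$2" --reporter cli json:"${3:-results.json}"
}

# Only perform the scan when explicitly asked, e.g. RUN_EXAMPLE=1 ./run.sh
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
  create_profile "$PROFILE_DIR"
  write_sshd_control "$PROFILE_DIR"
  scan_target "$PROFILE_DIR" "ssh://audit@server.example.internal"
fi
```

Because `set -e` is on, a scan that finds failures (exit code 100) or skips (101) stops the script there, which is normally what you want in a pipeline; wrap the `inspec exec` call in `|| rc=$?` if you need to inspect the code yourself.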

To get an understanding of what InSpec can do for you, let’s dig into some of the popular InSpec commands:

(InSpec commands are run from a CLI environment.)

1. InSpec exec

‘InSpec exec’ is the most commonly used command in Chef InSpec. It runs your tests against a specified target system.

When executed, this command loads the given profiles, fetches their dependencies if needed, then connects to the target and executes any controls in the profiles. One or more reporters are used to generate the output.

The exit code reports the outcome. For example:

· 0: normal exit; all tests passed

· 100: normal exit; at least one test failed

· 101: normal exit; at least one test skipped, but none failed
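A CI gate built on those exit codes, as an added example (not the article's code). `INSPEC_BIN` and `ALLOW_SKIPPED` are hypothetical variables introduced here so the scan command can be swapped out and the skip policy chosen per pipeline:

```shell
#!/bin/sh
# Added example (not from the article): turn 'inspec exec' exit codes into
# a pass / fail / skipped / error verdict and a go/no-go decision.
# INSPEC_BIN and ALLOW_SKIPPED are assumptions made for this script.
INSPEC_BIN="${INSPEC_BIN:-inspec}"

# Map an exit status from 'inspec exec' to a one-word verdict.
# 0   -> pass    (all controls passed)
# 100 -> fail    (at least one control failed)
# 101 -> skipped (nothing failed, but at least one control was skipped)
# other -> error (usage error, unreachable target, and so on)
inspec_verdict() {
  case "$1" in
    0)   echo pass ;;
    100) echo fail ;;
    101) echo skipped ;;
    *)   echo error ;;
  esac
}

# Should this verdict let the pipeline continue? Skipped controls pass
# only when ALLOW_SKIPPED=1: a skipped control usually means the check
# could not run on this target, which deserves a look rather than silence.
gate_allows() {
  case "$1" in
    pass)    return 0 ;;
    skipped) [ "${ALLOW_SKIPPED:-0}" = "1" ] ;;
    *)       return 1 ;;
  esac
}

# Run a profile against a target, capture the exit code without letting
# 'set -e' abort on 100/101, print the verdict, and return the gate result.
# Usage: run_scan ./my-profile ssh://audit@host.example results.json
run_scan() {
  rc=0
  "$INSPEC_BIN" exec "$1" -t "$2" --reporter cli json:"${3:-results.json}" || rc=$?
  verdict=$(inspec_verdict "$rc")
  echo "inspec exec exited $rc: $verdict"
  gate_allows "$verdict"
}
```

Treating 101 separately from 0 is the point of the example: a profile whose controls were all skipped (for instance because `only_if` conditions never matched the target) has not actually verified anything, so a gate that collapses "skipped" into "pass" can report compliance for a host it never checked.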

InSpec exec with control IDs and patterns

InSpec exec can scan a single control when you pass its control ID as a parameter. It can also match several controls at once, or any control whose ID matches a pattern, as shown below. This lets you split large profiles based on text in the control ID.

[Image: InSpec exec with control_id as a parameter]

You can also use InSpec exec to divide large profiles in custom ways. An input can carry an instance-ID pattern that restricts which instances a control examines; for example, a resource could query all EC2 instances whose IDs match a pattern you provide. Because the pattern is supplied from outside the profile, you can vary it over time: start with all instances beginning with ‘1’, then ‘2’, ‘3’ and so on.

Sharding Profiles by inputs

This allows you to shard your profiles based on some criteria, such as a resource ID. Did you know that some of our customers have used this feature to shard estates with millions of individual cloud resources?
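Sharding by an input and splitting by control-ID pattern, as an added example covering both this section and the one above (not the article's or the project's code). The profile path, the input name `instance_prefix`, the prefixes and the control ids are constructed for illustration; `aws_ec2_instances` and `aws_ec2_instance` are resources from the inspec-aws resource pack, which the profile is assumed to depend on:

```shell
#!/bin/sh
# Added example (not from the article): shard one profile over a large AWS
# estate by instance-ID prefix. The prefix arrives as an InSpec input, so
# the profile itself is identical from shard to shard. Profile path, input
# name and prefixes are assumptions; aws_ec2_instances / aws_ec2_instance
# come from the inspec-aws resource pack (assumed to be a dependency).
set -e

# Write a control file that filters the estate by the 'instance_prefix'
# input. Constructed for the example; one control per matching instance
# so each resource gets its own pass/fail line in the report.
write_shard_control() {
  mkdir -p "$1/controls"
  cat > "$1/controls/ec2_shard.rb" <<'EOF'
# With no input given, the default 'i-' matches every instance, i.e. a
# single unsharded run.
prefix = input('instance_prefix', value: 'i-')

aws_ec2_instances.instance_ids.select { |id| id.start_with?(prefix) }.each do |id|
  control "ec2-running-#{id}" do
    impact 0.5
    title "Instance #{id} (shard #{prefix}) exists and is running"
    describe aws_ec2_instance(id) do
      it { should exist }
      it { should be_running }
    end
  end
end
EOF
}

# Dry run: print one 'inspec exec' per shard without running anything, so
# the plan can be reviewed or handed to a scheduler.
shard_commands() {
  profile="$1"; shift
  for p in "$@"; do
    echo "inspec exec $profile -t aws:// --input instance_prefix=$p --reporter cli json:shard-$p.json"
  done
}

# Run the shards in sequence, recording each exit code (100 = failures,
# 101 = only skips) instead of aborting on the first failing shard.
run_shards() {
  profile="$1"; shift
  for p in "$@"; do
    rc=0
    inspec exec "$profile" -t aws:// --input "instance_prefix=$p" \
      --reporter cli json:"shard-$p.json" || rc=$?
    echo "shard $p finished with exit code $rc"
  done
}

# Splitting by control ID instead of by input (the pattern form from the
# section above): run only controls whose id matches a regex, e.g.
#   inspec exec ./ec2-profile -t aws:// --controls '/^ec2-running-i-0a/'
```

Usage: `shard_commands ./ec2-profile i-0a i-0b i-0c` shows the plan, `run_shards ./ec2-profile i-0a i-0b i-0c` executes it. Each shard writes its own JSON report, so a failure in one shard can be traced to the exact set of resources it covered.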

2. InSpec shell

If you are new to InSpec, we suggest that you spend some time on ‘InSpec shell’. InSpec shell is your guide to learning and exploring InSpec.

Once you run this command against your machine, it will detect your machine configurations, such as your Operating System, the family, and the kernel version, along with the architecture details.

You can further use it to figure out what each command does by typing it directly into the shell.

What’s more interesting is that you can execute any InSpec profile at the prompt and see the results in real time. With InSpec shell, you can also execute profiles directly on remote hosts to observe their behavior there.

3. InSpec detect

Facing issues while connecting to a remote machine? Use ‘InSpec detect’ to diagnose connection problems. For example, you can use InSpec detect to check a target machine before running a profile against it: it reports machine details such as family, release version and architecture, along with additional information about the SSH connection.

[Image: InSpec detect]

4. InSpec check

Preemptive auditing of profiles helps prevent compliance hassles in the future. ‘InSpec check’ lets you look for issues in compliance profiles. When executed, it examines the profile and reports any errors and warnings it finds.

‘InSpec check’ is a great way to look for problems in your profiles; in fact, did you know that it can also look for issues in profiles every time you upload a profile to Automate?

[Image: InSpec check for auditing]

5. InSpec export

InSpec has a new feature called IAF files, which are signed binary profiles for enhanced security. Because an IAF file is signed and packaged, you cannot simply open it to identify controls to use or override, or to look at its waivers.

The ‘InSpec export’ command can be very handy here. With InSpec export, you can see everything about the profile, including metadata, controls, version, tags and more.

6. InSpec init

This is a great way to use your time effectively. Whenever you need a new profile, generate it instead of writing it from scratch with the command inspec init profile <profilename>. You can also generate new resources and plugins with this command.

[Image: InSpec init]

InSpec has a myriad of options that lend you more flexibility and ease in enforcing compliance and cloud security. The commands mentioned above are just a few of the most important ones. To understand InSpec better, please refer to the documentation.

If you have any questions on how to use Chef InSpec, please contact us here.

Resources

Learn Chef is a great place to know more about Chef InSpec.

Watch the video: “I didn’t know Chef InSpec could do that.”

Learn more about Chef products.
