InSpec and Chef — compliance as code
InSpec is an open-source framework and language for testing and auditing the state of systems. It can form the integration tests for a cookbook, but more importantly, with some additional metadata, it can be packaged into so-called compliance profiles. These represent either internal business requirements or industry standards such as ISO 27001 and the CIS benchmarks.
On 12th October I presented with Christoph Hartmann at the London Chef Summit on the subject of InSpec. We spoke about the changes in InSpec 1.0 and gave a demo showing how you can use InSpec in your cookbooks for integration tests, and how to produce compliance profiles that can be applied at every stage of the development process.
Here are the resources from our talk!
Simple web cookbook — https://github.com/grdnrio/inspec-summit
Here you will find a .kitchen.yml file whose run list applies the OS and SSH hardening cookbooks that we declared as dependencies in metadata.rb and used in our demo. You'll also find the attributes for the website in the default attributes file.
OS and SSH baseline InSpec profiles:
Use the following profiles to assess state.
Example corporate profile
This repo shows how you can build a single profile to address all of your compliance scanning needs with InSpec. The example, used in the presentation, shows how you can include upstream profiles, skip individual controls that do not apply to you, and add your own InSpec tests alongside them. It also demonstrates platform awareness: a profile can be written to be platform agnostic, so one profile can be applied across your whole estate rather than one per operating system.
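To make the three ideas above concrete (including upstream profiles, skipping controls, and writing platform-aware controls of your own), here is an added example of such a corporate profile. It is not the profile from the repository above; the profile name, the control IDs, the banner text and the choice of the dev-sec linux-baseline and ssh-baseline profiles as the upstream dependencies are all assumptions made for illustration. The inspec.yml metadata is shown as a comment so the whole profile fits in one listing.

```ruby
# inspec.yml (profile metadata; shown here as a comment for brevity):
#
#   name: corporate-baseline          # assumed profile name
#   title: Example corporate compliance profile
#   version: 0.1.0
#   supports:
#     - os-family: linux
#     - os-family: windows
#   depends:                          # upstream profiles pulled in below
#     - name: linux-baseline
#       url: https://github.com/dev-sec/linux-baseline/archive/master.tar.gz
#     - name: ssh-baseline
#       url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz

# controls/corporate.rb

# Pull in every control from the upstream Linux baseline, but skip the ones
# this estate handles elsewhere. The control ID here is an assumption.
include_controls 'linux-baseline' do
  skip_control 'os-05'
end

# Include the SSH baseline only where it makes sense. On a Windows target
# the include is not evaluated at all, so the profile stays platform agnostic.
include_controls 'ssh-baseline' if os.linux?

# A local business requirement that no upstream profile covers.
control 'corp-01' do
  impact 0.5
  title 'Login banner carries the corporate legal notice'
  desc 'Business requirement: every Linux host shows the approved banner.'
  only_if { os.linux? }
  describe file('/etc/issue.net') do
    it { should exist }
    its('content') { should match(/Authorised users only/) } # assumed wording
  end
end

# Platform awareness inside one control: the same requirement, checked
# with the service that actually exists on each OS family.
control 'corp-02' do
  impact 0.7
  title 'Host firewall service is running'
  if os.windows?
    describe service('MpsSvc') do
      it { should be_running }
    end
  else
    # Accept either common Linux firewall front end.
    describe.one do
      describe service('firewalld') do
        it { should be_running }
      end
      describe service('ufw') do
        it { should be_running }
      end
    end
  end
end
```

Run it against a target with `inspec exec . -t ssh://user@host` from the profile directory; InSpec resolves the `depends` entries, executes the included upstream controls minus the skipped one, and then your own controls, reporting a single result set for the host.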
OS and SSH hardening cookbooks:
chef-os-hardening - This Chef cookbook provides numerous security-related configurations, providing an all-round base…
chef-ssh-hardening - This Chef cookbook provides secure ssh-client and ssh-server configurations.
Finally, the best place to check for everything InSpec is the brand new website.