Table of contents
1. Introduction
2. Reports
2.1. Filtering
2.2. Compliance Overview
3. Scan Jobs
4. Profiles
4.1. Understanding Profiles
4.2. Interacting with Profiles
5. Nodes API
6. Frequently Asked Questions
6.1. What is a Profile Identifier?
6.2. How to resolve the unreachable status of a node?
6.3. What happens when instances are added or deleted after periodically scheduling a scan job?
7. Conclusion
Last Updated: Mar 27, 2024

Chef Compliance

Author Yashesvinee V

Introduction

Chef Compliance simplifies maintaining and enforcing compliance across an enterprise, with audits based on specific standards that can be tuned to the organisation’s needs in hybrid and multi-cloud environments. It allows for the correction and remediation of configuration drift from the desired state: organisations can monitor the compliance state and automatically reconfigure an IT resource back into compliance. Chef provides compliance reports, together with the facility to run scan jobs and inspect profiles, to maintain compliance. Let us look at each of these in detail.

[Image: Chef Compliance]

Reports 

[Image: Reports]

Reports provide information on the compliance status of the infrastructure. Scan results for audit cookbook configurations can also be viewed on this page. The dashboard lists all results whose end time falls on the selected day; the selected day is a timestamp in Coordinated Universal Time (UTC). Trend graphs give a historical overview of node status over time, for a period of ten days, one month, three months, or one year.

Filtering

Users can view and filter specific compliance scan results by setting one or more filters. Wildcard characters like * can also be used to filter results. For instance, ‘Node Name: prod*’ will list all node names starting with the pattern prod. Following are some of the filters available to refine the searches.

  • Chef Infra Server
  • Chef Organization
  • Chef Tag
  • Control Tag
  • Controls
  • Environment
  • InSpec Version
  • Node Name
  • Platform
  • Policy Group
  • Policy Name
  • Profile
  • Recipe
  • Role
     

Deep filtering is a method for obtaining reports on specific compliance profiles and controls. Filtering on the profile_id attribute reports the compliance status at the granularity of a single profile, while filtering on the profile_name attribute creates a report covering every version of that profile present in the infrastructure.

Compliance Overview

The system’s compliance state can be viewed in the Node Status and Profile Status views. The Node Status view shows the system’s compliance status from the operational perspective of nodes. It displays the following.

  • Node Status
  • The severity of Node Failures
  • Node Status Over Time
  • Top Platform Failures
  • Top Environment Failures
     

The Profile Status view shows the system’s compliance status from the compliance perspective of profile runs during scans. It displays the following.

  • Control Status
  • The severity of Control Failures
  • Control Status Over Time
  • Top Profile Failures
  • Top Control Failures
     

Users can also switch between tabs to view compliance reports from different perspectives, namely Nodes, Profiles and Controls.

  • The Nodes tab gives insight into the compliance status of the nodes in the system. It provides information about the Node, Platform, Environment, Last Scan and Control Failures, if any.
  • The Profiles tab lists the compliance profiles installed under a user account. It shows the Profile title, Version and Identifier.
  • The Controls tab shows all the compliance controls installed under a user account. It displays Control Name, Profile, Impact, Last Scan and Node Status.

Scan Jobs

Scan jobs are executed to deliver results for compliance reporting. They are similar to running inspec exec against a set of targets, and they can be scheduled to run at any given time or interval. Scan jobs run on manually added nodes, aws-ec2 instances, aws-api regions, azure-vm virtual machines and azure-api subscriptions. A scan job is created in the UI by selecting one or more managers, which act as the automated managers supplying its targets; scan jobs can also be created using APIs.

[Image: Scan Job code]

Users can manually add nodes using the UI or APIs if they want to scan nodes that are not discoverable via integrations. This requires specifying the node’s IP address or hostname, port configuration and sudo requirement, if any.

Profiles

Compliance profiles help secure infrastructure by translating CIS Benchmarks and other security standards into readable policies. There are 300+ ready-to-use compliance profiles available from the Profiles page in Chef Automate. Users can search for profiles using the search bar. The page has two tabs: Profiles and Available. The Profiles tab displays the profiles installed within Chef Automate, and the Available tab displays all ready-to-use compliance profiles available in Chef Automate. A profile can be installed by clicking Get on the right side of its name.

[Image: InSpec Profiles]

Understanding Profiles

The Profiles details page contains all information on installed and uninstalled profiles. Uninstalled profiles can be downloaded or installed again. Installed profiles can be deleted, which removes them from the profiles collection in the namespace but not from Profiles.

A profile header and body contain all necessary information. The profile header displays the profile title, a short description, and the options to get or delete. It has a status box that gives details on the status, version, author, and license.

The profile body contains a series of controls, each having one or more InSpec tests. The controls table displays the control name, total tests and the severity. A more detailed description and InSpec code are displayed upon expanding a control from the table.
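To make the control/test structure concrete, the following is an added example (not Chef's or InSpec's own code): a minimal Ruby evaluator that reads a constructed InSpec-style profile fragment and produces the rows of the controls table described above, i.e. control name, total tests and severity. The severity bands used here (critical at impact 0.7 and above, major at 0.4 and above, minor below) are an assumption made for this example, as are the two sample controls.

```ruby
# Map an InSpec impact value (0.0..1.0) to a severity label. The bands are
# an assumption for this example, not Chef Automate's documented thresholds.
def severity_for(impact)
  if impact >= 0.7 then 'critical'
  elsif impact >= 0.4 then 'major'
  else 'minor'
  end
end

# Collects the `it` / `its` expectations inside one `describe` block;
# each expectation counts as one InSpec test for the controls table.
class DescribeBlock
  attr_reader :tests

  def initialize(resource)
    @resource = resource
    @tests = []
  end

  def it(text = nil, &_matcher)
    @tests << "#{@resource}: #{text || 'it'}"
  end

  def its(property, &_matcher)
    @tests << "#{@resource}: its(#{property.inspect})"
  end
end

# One `control ... do ... end` block with its metadata and collected tests.
class Control
  attr_reader :id, :tests

  def initialize(id)
    @id = id
    @impact = 0.0
    @tests = []
  end

  # `impact 0.9` sets the value; `impact` with no argument reads it back.
  def impact(value = nil)
    value.nil? ? @impact : (@impact = value.to_f)
  end

  def title(text)
    @title = text
  end

  def desc(text)
    @desc = text
  end

  def describe(resource, &block)
    d = DescribeBlock.new(resource)
    d.instance_eval(&block)
    @tests.concat(d.tests)
  end

  # Any other bare word (sshd_config, file('/etc/passwd'), ...) is treated
  # as the name of the InSpec resource under test.
  def method_missing(name, *args, &_block)
    args.empty? ? name.to_s : "#{name}(#{args.map(&:inspect).join(', ')})"
  end

  def respond_to_missing?(*)
    true
  end
end

# Top-level context in which `control` definitions are evaluated.
class ProfileSource
  attr_reader :controls

  def initialize
    @controls = []
  end

  def control(id, &block)
    c = Control.new(id)
    c.instance_eval(&block)
    @controls << c
  end
end

def load_profile(source)
  doc = ProfileSource.new
  doc.instance_eval(source)
  doc
end

# Rows of the controls table: name, total tests, impact and severity.
def controls_table(doc)
  doc.controls.map do |c|
    { name: c.id, total_tests: c.tests.size, impact: c.impact,
      severity: severity_for(c.impact) }
  end
end

# Constructed sample profile fragment (hypothetical control ids).
SAMPLE_PROFILE = <<~RUBY
  control 'sshd-01' do
    impact 0.9
    title 'Disable root login over SSH'
    desc 'Root must not log in directly.'
    describe sshd_config do
      its('PermitRootLogin') { should eq 'no' }
      its('Protocol') { should eq '2' }
    end
  end
  control 'perm-01' do
    impact 0.3
    title '/etc/passwd permissions'
    describe file('/etc/passwd') do
      it { should exist }
      its('mode') { should cmp '0644' }
    end
  end
RUBY

controls_table(load_profile(SAMPLE_PROFILE)).each { |row| puts row.inspect }
```

Only the test count and metadata are extracted; the matcher blocks (`should eq 'no'`) are never executed, so this stays a structural reader rather than a scanner.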

Interacting with Profiles 

Chef Automate Profiles can be interacted with using the command line and the user interface. Following are some of the cURL commands for command line interaction.

Get All Installed Profiles 

curl --insecure -H "X-Data-Collector-Token: token-value" https://automate.example.com/api/v0/compliance/profiles/search -d '{"owner": "test"}'

Get All Available Profiles 

curl --insecure -H "X-Data-Collector-Token: token-value" https://automate.example.com/api/v0/compliance/profiles/search -d '{}'

Download .tar 

curl --insecure -H "x-data-collector-token: token-val" https://automate.example.com/api/v0/compliance/profiles/tar -d '{"name":"cis-aix-5.3-6.1-level1","owner":"admin","version":"1.1.0-3"}'

Upload tar 

curl --insecure -F file=@cis-ubuntu12_04lts-level1-1.1.0-2.tar.gz -H "x-data-collector-token: token-val"  https://automate.
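The curl commands above pass --insecure, which switches off TLS certificate verification, and embed the token on the command line. As an added example (not Chef's own client code), the Ruby script below builds the same profiles/search request with verification left on and the token read from an environment variable, then reduces a search response to the columns shown on the Profiles tab. The https://automate.example.com host, the X-Data-Collector-Token header and the request bodies are taken from the commands above; the shape of the response (a "profiles" array with a "total" count) and the "owner/name" form of the identifier are assumptions, and the sample response is constructed.

```ruby
require 'json'
require 'net/http'
require 'openssl'
require 'uri'

# Build the POST used by the profiles/search commands. An empty body lists
# all available profiles; {"owner": ...} restricts it to installed profiles.
def profile_search_request(base_url, token, owner: nil)
  uri = URI.join(base_url, '/api/v0/compliance/profiles/search')
  req = Net::HTTP::Post.new(uri)
  req['X-Data-Collector-Token'] = token
  req['Content-Type'] = 'application/json'
  req.body = (owner ? { owner: owner } : {}).to_json
  [uri, req]
end

# Send over TLS with certificate verification enabled (the check that
# --insecure disables). Not called below, so the script runs offline.
def send_request(uri, req)
  Net::HTTP.start(uri.host, uri.port, use_ssl: true,
                  verify_mode: OpenSSL::SSL::VERIFY_PEER) do |http|
    http.request(req)
  end
end

# Reduce a search response to the Profiles tab columns. The identifier is
# assumed to be "<owner>/<name>" (FAQ: username plus profile name).
def parse_profile_search(body)
  data = JSON.parse(body)
  data.fetch('profiles', []).map do |p|
    { name: p['name'], owner: p['owner'], version: p['version'],
      identifier: "#{p['owner']}/#{p['name']}" }
  end
end

# Constructed sample response; the "profiles"/"total" layout is assumed.
SAMPLE_RESPONSE = {
  'profiles' => [
    { 'name' => 'cis-aix-5.3-6.1-level1', 'owner' => 'admin',
      'version' => '1.1.0-3', 'title' => 'CIS AIX benchmark (sample)' },
    { 'name' => 'cis-ubuntu12_04lts-level1', 'owner' => 'admin',
      'version' => '1.1.0-2', 'title' => 'CIS Ubuntu benchmark (sample)' }
  ],
  'total' => 2
}.to_json

if __FILE__ == $PROGRAM_NAME
  # Token comes from the environment rather than the command line;
  # AUTOMATE_TOKEN is a hypothetical variable name for this example.
  token = ENV.fetch('AUTOMATE_TOKEN', 'token-value')
  uri, req = profile_search_request('https://automate.example.com', token, owner: 'admin')
  puts "#{req.method} #{uri} #{req.body}"
  parse_profile_search(SAMPLE_RESPONSE).each { |row| puts row.inspect }
end
```

Replacing `--insecure` with `verify_mode: OpenSSL::SSL::VERIFY_PEER` requires the Automate certificate to be trusted by the client's CA store; for a self-signed deployment, install that CA rather than turning verification off.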

Nodes API

The /nodes endpoint in Chef Automate maintains a log of all the nodes in the infrastructure. Creating a node or adding a node integration is also recorded in the /nodes endpoint. If a node already exists, the last contact time, run data and scan data are updated.

A node could be ‘unknown’, ‘reachable’ or ‘unreachable’. The default status is ‘unknown’. The node status is changed to ‘reachable’ if the inspec detect job performed on a newly added node is successful. If the detect job fails, it implies that the node cannot be reached, and the status is updated to ‘unreachable’.

The nodes listed at the /nodes endpoint can be filtered based on the following.

  • name
  • platform_name
  • platform_release
  • manager_type 
  • manager_id
  • account_id 
  • region
  • source_id
  • state
  • statechange_timerange 
  • status
  • tags
  • last_run_timerange 
  • last_scan_timerange 
  • last_run_status 
  • last_scan_status
  • last_run_penultimate_status 
  • last_scan_penultimate_status 
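The following added example (not Chef's code) shows how the /nodes filters above and the wildcard matching described under Filtering behave, over a constructed set of node records; it also models the unknown / reachable / unreachable status transition driven by the detect job. Field names are taken from the filter list; the record layout, the timestamps and the error text are constructed for this example.

```ruby
require 'time'

# Constructed sample of /nodes-style records using the page's filter field
# names; this is not real Chef Automate output.
SAMPLE_NODES = [
  { 'name' => 'prod-web-01', 'platform_name' => 'ubuntu', 'manager_type' => 'automate',
    'status' => 'reachable', 'last_scan_status' => 'passed',
    'last_scan' => '2024-03-20T10:00:00Z', 'tags' => %w[web prod] },
  { 'name' => 'prod-db-01', 'platform_name' => 'centos', 'manager_type' => 'aws-ec2',
    'status' => 'unreachable', 'last_scan_status' => 'failed',
    'last_scan' => '2024-03-18T09:30:00Z', 'tags' => %w[db prod],
    'error' => 'ssh: handshake failed' },
  { 'name' => 'dev-web-01', 'platform_name' => 'ubuntu', 'manager_type' => 'automate',
    'status' => 'unknown', 'last_scan_status' => nil, 'last_scan' => nil, 'tags' => %w[web] }
].freeze

# "prod*" style patterns: * matches any run of characters, anchored both ends.
def wildcard_to_regexp(pattern)
  Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z')
end

# Apply a hash of filters; a node must satisfy every filter (AND semantics).
# name supports wildcards, *_timerange takes [from, to] ISO 8601 strings,
# tags requires every listed tag, everything else is an exact match.
def filter_nodes(nodes, filters)
  nodes.select do |node|
    filters.all? do |key, wanted|
      case key
      when 'name'
        wildcard_to_regexp(wanted).match?(node['name'].to_s)
      when 'last_scan_timerange', 'last_run_timerange'
        stamp = node[key.sub('_timerange', '')]
        next false if stamp.nil?
        t = Time.iso8601(stamp)
        t >= Time.iso8601(wanted[0]) && t <= Time.iso8601(wanted[1])
      when 'tags'
        (Array(wanted) - Array(node['tags'])).empty?
      else
        node[key] == wanted
      end
    end
  end
end

# Status transition described above: a successful detect job marks the node
# reachable; a failed one marks it unreachable and attaches the error message.
def apply_detect_result(node, success, error = nil)
  if success
    node.merge('status' => 'reachable', 'error' => nil)
  else
    node.merge('status' => 'unreachable', 'error' => error)
  end
end

# Triage helper: group unreachable nodes by their error text so credential
# problems and network failures can be told apart before rerunning them.
def unreachable_by_error(nodes)
  filter_nodes(nodes, 'status' => 'unreachable')
    .group_by { |n| n['error'] }
    .transform_values { |ns| ns.map { |n| n['name'] } }
end

if __FILE__ == $PROGRAM_NAME
  puts filter_nodes(SAMPLE_NODES, 'name' => 'prod*').map { |n| n['name'] }.inspect
  puts unreachable_by_error(SAMPLE_NODES).inspect
end
```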

Frequently Asked Questions

What is a Profile Identifier?

The profile identifier contains the user’s username and the profile name as found in the installed profiles list. They are directly mapped to the username. The identifier can be used to specify profiles through the InSpec CLI and for audit cookbooks.

How to resolve the unreachable status of a node?

A node with unreachable status has an error message attached to it. Users can edit the associated credentials to resolve the problem, or rerun the node if they assume that the detect job failed because of a network error.

What happens when instances are added or deleted after periodically scheduling a scan job?

Every time the scan job is scheduled to run, the current list of nodes is queried. The scan job is run against the instances present in the most recently queried list only. 

Conclusion

This blog discusses the features provided by Chef Compliance. It discusses the use of compliance reports, scan jobs and profiles. It also explains the /nodes endpoint in the Nodes API. Check out our articles on Chef InSpec Terminology, Chef Shell for Debugging and Troubleshooting, and Chef Workstation. Explore our Library on Coding Ninjas Studio to gain knowledge on Data Structures and Algorithms, Machine Learning, Deep Learning, Cloud Computing and many more! Test your coding skills by solving our test series and participating in the contests hosted on Coding Ninjas Studio!

Looking for questions from tech giants like Amazon, Microsoft, Uber, etc.? Look at the problems, interview experiences, and interview bundle for placement preparations. Upvote our blogs if you find them insightful and engaging! Happy Coding!

Thank you
