Chef Compliance

Scan Jobs

Scan jobs are executed to deliver results for compliance reporting. They are similar to executing inspec exec against a set of targets. They can be scheduled to run at any given time or interval. Scan jobs are run on manually added nodes, aws-ec2 instances, aws-api regions. azure-vm virtual machines and azure-api subscriptions. Scan jobs created using UI and select one or more managers that act as automated managers. Scan jobs can also be created using APIs.

Source

Users can manually add nodes using UI or APIs if they want to scan nodes that are not discoverable via integrations. This requires specifying the node’s ip/hostname, port configuration, and sudo requirement, if any.

Profiles

Compliance profiles help secure infrastructure by translating CIS Benchmarks and other security standards into readable policies. There are 300+ ready-to-use compliance profiles from Profiles in Chef Automate. Users can search for profiles using the search bar. The page has two tabs - the Profile and Available tab. The Profile tab displays the profiles installed within Chef Automate, and the Available tab displays all ready-to-use compliance profiles available in Chef Automate. Profiles can be installed by clicking on Get on the right side of the profile name.

Source

Understanding Profiles

The Profiles details page contains all information on installed and uninstalled profiles. Uninstalled profiles can be downloaded or installed again. Installed profiles can be deleted, which removes them from the profiles collection in the namespace but not from Profiles.

A profile header and body contain all necessary information. The profile header displays the profile title, a short description, and the options to get or delete. It has a status box that gives details on the status, version, author, and license.

The profile body contains a series of controls, each having one or more InSpec tests. The controls table displays the control name, total tests and the severity. A more detailed description and InSpec code are displayed upon expanding a control from the table.

Interacting with Profiles 

Chef Automate Profiles can be interacted with using the command line and the user interface. Following are some of the cURL commands for command line interaction.

Get All Installed Profiles 

curl --insecure -H "X-Data-Collector-Token: token-value" https://automate.example.com/api/v0/compliance/profiles/search -d '{"owner": "test"}'

Get All Available Profiles 

curl --insecure -H "X-Data-Collector-Token: token-value" https://automate.example.com/api/v0/compliance/profiles/search -d '{}'

Download .tar 

curl --insecure -H "x-data-collector-token: token-val" https://automate.example.com/api/v0/compliance/profiles/tar -d '{"name":"cis-aix-5.3-6.1-level1","owner":"admin","version":"1.1.0-3"}'

Upload tar 

curl --insecure -F file=@cis-ubuntu12_04lts-level1-1.1.0-2.tar.gz -H "x-data-collector-token: token-val"  https://automate.

Nodes API

The /nodes endpoint in Chef Automate maintains a log of all the nodes in the infrastructure. Creating a node or adding a node integration is also recorded in the /nodes endpoint. If a node already exists, the last contact time, run data and scan data are updated.

A node could be ‘unknown’, ‘reachable’ or ‘unreachable’. The default status is ‘unknown’. The node status is changed to ‘reachable’ if the inspec detect job performed on a newly added node is successful. If the detect job fails, it implies that the node cannot be reached, and the status is updated to ‘unreachable’.

The nodes listed at the /nodes endpoint can be filtered based on the following.

• name
• platform_name
• platform_release
• manager_type 
• manager_id
• account_id 
• region
• source_id
• state
• statechange_timerange 
• status
• tags
• last_run_timerange 
• last_scan_timerange 
• last_run_status 
• last_scan_status
• last_run_penultimate_status 
• last_scan_penultimate_status 

Frequently Asked Questions

What is a Profile Identifier?

The profile identifier contains the user’s username and the profile name as found in the installed profiles list. They are directly mapped to the username. The identifier can be used to specify profiles through the InSpec CLI and for audit cookbooks.

How to resolve the unreachable status of a node?

Anode with unreachable status has an error message attached to it. Users can edit the associated credentials to resolve the problem or rerun the node if they assume that the detect job failed due to a network error.

What happens when instances are added or deleted after periodically scheduling a scan job?

Every time the scan job is scheduled to run, the current list of nodes is queried. The scan job is run against the instances present in the most recently queried list only. 

Conclusion

This blog discusses the features provided for Chef Compliance. It discusses the use of compliance reports, scan jobs and profiles. It also explains the /nodes endpoint in the Nodes API. Check out our articles on Chef InSpec Terminology, Chef Shell for Debugging and Troubleshooting Chef Workstation. Explore our Library on Coding Ninjas Studio to gain knowledge on Data Structures and Algorithms, Machine Learning, Deep Learning, Cloud Computing and many more! Test your coding skills by solving our test series and participating in the contests hosted on Coding Ninjas Studio! 

Looking for questions from tech giants like Amazon, Microsoft, Uber, etc.? Look at the problems, interview experiences, and interview bundle for placement preparations. Upvote our blogs if you find them insightful and engaging! Happy Coding!