Installing Chef InSpec
macOS
Homebrew
Chef InSpec is available as a standalone Homebrew package. Run the following command in the terminal to install it:
brew install chef/chef/inspec
The user may be prompted to enter the password for the system while this command is running.
CLI
The following command downloads and installs Chef InSpec through the curl install script. The script is fetched over HTTPS and run as root through sudo:
curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
Windows
Installer
The user can download the latest Chef InSpec package for their version of Microsoft Windows directly from the website, double-click the .msi file to launch the installer, and follow the prompts displayed.
PowerShell
The following command installs Chef InSpec via a PowerShell script:
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project inspec
Once the installation is complete, the user can run the inspec version command to verify the status of the installation.
Uninstalling Chef InSpec
macOS
Homebrew
The following destructive command removes the Chef InSpec standalone Homebrew package (older Homebrew releases used brew cask uninstall inspec, a subcommand that current releases no longer provide):
brew uninstall --cask inspec
CLI
The below-mentioned destructive command can be used in the terminal to remove the Chef InSpec package:
sudo rm -rf /opt/inspec
Windows
Installer
The user can remove Chef InSpec through Add/Remove Programs.
Using Chef InSpec on Cloud Platforms
Since Chef InSpec 2.0, platform support has been expanded to AWS, Azure, GCP, and AliCloud resources. The user can use the corresponding Chef InSpec resources to audit properties of the cloud infrastructure.
AWS Platform Support

Setting Up
Chef InSpec uses the standard AWS authentication mechanism. For this, the user needs to create an IAM user specifically for auditing activities:
- From the AWS console, create an IAM user with a username of choice. Make sure that the box marked 'Programmatic Access' is checked.
- Select Direct Attach from the Permissions screen. Choose the AWS-managed IAM Profile named 'ReadOnlyAccess'. To restrict the auditing user further, check the individual Chef InSpec resources to identify which permissions each one requires.
- Once the key is generated, record both the Access Key ID and the Secret Key.
Using Environment Variables to provide credentials
The user can provide the credentials to Chef InSpec by setting the following variables: AWS_REGION, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. Once the variables have been set, the credentials can be verified by running the following command:
$ inspec detect -t aws://
== Platform Details
Name: aws
Families: cloud, api
Release: aws-sdk-v2.10.125
Using Chef InSpec target option to provide credentials on AWS
Locate the file ~/.aws/credentials in the home directory. If the file does not exist, create it. Choose a name for the profile; here, 'auditing' is used. Add the credentials in the following INI format:
[auditing]
aws_access_key_id = AKIA....
aws_secret_access_key = 1234....abcd
The user can now run the Chef InSpec using the -t option. If the user wants to verify the credentials, run the following command:
$ inspec detect -t aws://
== Platform Details
Name: aws
Families: cloud, api
Release: aws-sdk-v2.10.125
Azure Platform Support in InSpec
Setting Up Azure Credentials
If the user wishes to use the Chef InSpec Azure resources, then the user needs to create an SPN (Service Principal Name) for the purpose of auditing the Azure subscription.
This can be done either through the command line or from the Azure Portal:
- Azure CLI
- PowerShell
- Azure Portal
The information from the SPN can be specified in the file ~/.azure/credentials, as environment variables, or by using Chef InSpec target URIs.
Setting up the Azure Credentials File
By default, Chef InSpec looks for credentials in ~/.azure/credentials, which must contain:
[<SUBSCRIPTION_ID>]
client_id = "<CLIENT_ID>"
client_secret = "<CLIENT_SECRET>"
tenant_id = "<TENANT_ID>"
Once the credentials are in place, the user can run InSpec:
inspec exec my-inspec-profile -t azure://
Note
Some of these values are labeled differently in the Azure web portal:
- The client_id is the other name for 'Application ID'.
- The client_secret is the other name for 'Key (Password Type)'.
- The tenant_id is the other name for 'Directory ID'.
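A preflight check for the two credentials files described above, as an added example that is not part of the original article or of Chef InSpec: it parses the INI layout shown for ~/.aws/credentials and ~/.azure/credentials, confirms the chosen section has every key, and flags files that group or other users can access. The function names, the owner-only (0600) expectation on POSIX systems, and the sample values are assumptions made for this example.

```ruby
require 'tmpdir'

# Keys each file must define per section, taken from the layouts shown above.
REQUIRED_KEYS = {
  aws:   %w[aws_access_key_id aws_secret_access_key],
  azure: %w[client_id client_secret tenant_id]
}.freeze

# Parse the INI layout into { "section" => { "key" => "value" } }, dropping quotes.
def parse_credentials(text)
  sections = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = sections[m[1].strip] = {}
    elsif current && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      current[m[1]] = m[2].gsub(/\A["']|["']\z/, '')
    end
  end
  sections
end

# Return findings; an empty list means owner-only file with all required keys.
def audit_credentials_file(path, kind, section)
  return ["#{path}: file not found"] unless File.file?(path)
  findings = []
  mode = File.stat(path).mode & 0o777
  unless (mode & 0o077).zero?
    findings << format('%s: mode %04o is not owner-only, use 0600', path, mode)
  end
  entry = parse_credentials(File.read(path))[section]
  return findings + ["#{path}: no [#{section}] section"] if entry.nil?
  REQUIRED_KEYS.fetch(kind).each do |key|
    findings << "#{path}: [#{section}] is missing #{key}" if entry[key].to_s.empty?
  end
  findings
end

# Constructed sample: an Azure file that is world-readable and lacks tenant_id.
def demo_findings
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'credentials')
    File.write(path, %([sub-0000]\nclient_id = "app-id"\nclient_secret = "s3cret"\n))
    File.chmod(0o644, path)
    audit_credentials_file(path, :azure, 'sub-0000')
  end
end

puts demo_findings if __FILE__ == $PROGRAM_NAME
```

Against real files, call audit_credentials_file with File.expand_path('~/.aws/credentials'), :aws and the profile name, or with the Azure path, :azure and the subscription ID.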
Using Environment variables to provide credentials
The user can also use environment variables to set the Azure credentials:
- AZURE_SUBSCRIPTION_ID
- AZURE_CLIENT_ID
- AZURE_CLIENT_SECRET
- AZURE_TENANT_ID
Chef InSpec and Friends
RSpec
RSpec is an amazing framework widely used to test Ruby code. It supports test-driven development and helps developers write better and more efficient code every day. Chef InSpec is built on RSpec and uses it as the underlying foundation for executing tests. It keeps RSpec's key strengths, easy test execution and a DSL for writing tests, and extends the functionality for use in compliance audits. Chef InSpec comes with custom audit resources, which make it easier to write audit checks and to run these checks on remote servers. The provided audit resources know the differences between operating systems and so abstract the user from the local operating system, similar to other resources that the user might use in Chef recipes.
The complete Chef InSpec rule looks like this:
control "sshd-11" do
  impact 1.0
  title "Server: Set protocol version to SSHv2"
  desc "Set the SSH protocol version to 2. Don't use legacy
        insecure SSHv1 connections anymore."
  tag security: "level-1"
  tag "openssh-server"
  ref "Server Security Guide v.1.0", url: "http://..."
  describe sshd_config do
    its('Protocol') { should eq('2') }
  end
end
The key differences between Chef InSpec and RSpec are mentioned below:
- In the case of InSpec, the describe blocks shouldn't be nested. Instead, control blocks should be used to describe the higher-level grouping of tests.
- The shared_example construct of RSpec is not supported. Instead, create a simple custom resource that executes the repetitious tasks.
- Chef InSpec is aimed at compliance practitioners and infrastructure testers, so its focus is on providing well-supported, easy-to-use universal matchers like cmp. RSpec, in contrast, is designed for software engineers, so it supports a large range of matchers that enable testing of software engineering constructs such as exceptions.
- Though Chef InSpec uses parts of the RSpec project and codebase, it is a separate project from RSpec.
Serverspec
Serverspec is the first extension of RSpec that enabled users to run RSpec tests on servers to verify deployed artifacts. It is one of the core test frameworks within test-kitchen and is widely used within the Chef ecosystem. Chef InSpec takes the lessons learned from implementing and using Serverspec and builds on them to make auditing and compliance easier.
Some of the lessons learned from the Serverspec include:
- IT, compliance, and security professionals require metadata beyond what Serverspec offers to completely describe controls.
- It must be easy to set up and run the same tests across multiple machines.
- It must be easy to locate, debug, and extend operating system-dependent code.
- The process of extending the language and creating custom resources must be easy.
- It must be capable of running multiple tests simultaneously.
- A CLI is needed for faster iteration of the test code.
How is Chef InSpec different from Serverspec?
The major difference between Chef InSpec and Serverspec is that Chef InSpec targets more user groups. It is optimized for DevOps, Security, and Compliance professionals. Metadata like impact, title, and description makes the process of describing the controls easier, which in turn makes it easier to share the controls with other departments.
Frequently Asked Questions
Which authentication mechanism is used by Chef InSpec?
The standard AWS authentication mechanism is used by the Chef InSpec.
Which version supported the use of resources like AWS, Azure, and GCP?
Chef InSpec 2.0 started the support for AWS, Azure, and GCP.
Which format is used when providing credentials on AWS from the Chef InSpec target option?
The INI format is used when providing credentials on AWS from the Chef InSpec target option.
Conclusion
In this article, we have extensively discussed the overview of Chef InSpec.
