Chef Blogs

Compliance with InSpec: Any Node. Any Time. Anywhere.

Kimberly Garmoe | Posted on | Chef InSpec | compliance

InSpec is an agentless compliance scanner, which means that you can use InSpec to perform compliance scans of configuration settings without installing anything, changing configuration settings, or otherwise affecting the state of the machine you are scanning. Compliance scanning is important for many reasons, among which are the ability to assess formal regulatory compliance, diagnosing emerging or recurring security concerns, and defining compliance standards that suit your unique systems and needs. InSpec gives you near-immediate insight into your system. You can combine the power of InSpec with the flexibility of working from your Android phone, which lets you apply your compliance tools to any node, at any time, and from anywhere.

Assess the compliance of any machine

What’s often missed in the discussion of InSpec as a compliance tool is that you can use it to assess the compliance of any machine, not just nodes that are under management by Chef. While you can execute InSpec scans as part of a chef client run, it’s equally effective at scanning systems not under active configuration management. InSpec may also be used to scan Docker containers, virtual machines, on-site hardware, as well as systems that are managed by Ansible or Puppet.

From a practical perspective, the ability to scan any system represents the reality of large operations with many different groups that may have many different methods of configuration management and deployment — or none at all. While–of course–we think you should use Chef products for all of your configuration and deployment needs, we are also sufficiently realistic to realize that you have compliance needs regardless of whatever decisions you have already made.

Scan an Ansible tower using InSpec on Android

Using InSpec for compliance scanning is as simple as downloading InSpec, selecting a compliance profile from Chef Supermarket, and running it against a machine. To scan a node, all you need is InSpec, the address of a node, and the key for the node. In the following video, I scanned an Ansible tower running on the AWS CloudFoundation, using InSpec installed Termux app on my new-in-2015 Samsung Galaxy Note 5 and pulled the ssh-baseline profile available from the Chef Supermarket.

 

If you’re interested in trying this out, you’ll need an Android phone, the free Termux App, access to a node somewhere, and your ssh key.

Setting up Termux on Android is exactly like setting up any other computer, it takes some tweaking. For running InSpec, you’ll need to set Termux up for Ruby develop, enable it to compile, install InSpec, and make Git available. Your installation may vary, but for my phone, I needed:

1) Set up for Ruby development:

apt-get install ruby
apt-get install ruby-dev

2) Set up to compile:

apt-get install make
apt-get install libffi
apt-get install libffi-dev
apt-get install chomp

3) Set up and install InSpec:

gem install bundler
bundle install
gem install inspec

4) Make Git available:

apt-get install openssl
gem install git

To run the scan, the command syntax is:

inspec supermarket exec dev-sec/ssh-baseline -t ssh://ipaddress -i mykey.pem

For example:

inspec supermarket exec dev-sec/ssh-baseline -t ssh://ec2-user:ec2-user@ec2-34-211-195-159.us-west-2.compute.amazonaws.com -i mykey.pem

Try InSpec

See how InSpec can help you quickly identify potential compliance and security issues on your infrastructure. Try InSpec using this step-by-step quick start module on Learn Chef Rally.