Chef Blogs

Did You Know This About Chef Compliance and Chef Cloud Security? - Part 1

Shua Matin | Posted on | Chef Cloud Security | Chef Compliance

Progress Chef® Compliance™ makes it easier for DevOps, InfoSec and Compliance teams to maintain and ensure IT compliance and security across the enterprise. Progress Chef® Cloud Security™ enables you to scan, monitor and remediate configuration issues across on-prem and cloud-native environments in your multi-cloud accounts.  

Chef Compliance and Chef Cloud Security ensure that your IT resources are always compliant and secure using CIS and DISA STIG-certified audit and remediation content. They also provide easily tuned baselines to adapt to the organization’s internal requirements and visibility and control for the security and compliance posture across heterogeneous environments. 

Progress® Chef® InSpec® is the engine behind Chef Compliance and Chef Cloud Security, and it uses an open-source framework for defining security and compliance rules as executable code. This framework is designed to cater to all stages of the software delivery life cycle. As more diverse technologies are deployed across data centers, hybrid or multi-cloud estates, validating compliance organization-wide has become increasingly difficult.  

When defined with Chef InSpec, compliance, security and other policy requirements become automated tests that can be run against traditional servers, containers and cloud environments. This ensures security and compliance standards are enforced consistently in every environment. 

You might be familiar with some popular commands in InSpec, like InSpec exec , which is the command that lets you execute a compliance profile. 

But did you know that Chef InSpec has many more options? 

Chef InSpec has many other commands that help you streamline your compliance and security processes. In this blog series, we’ll explore all the different things you can do with InSpec. 

We have categorized the InSpec commands into the four groups below.  

  1. Explore and Diagnose 
  2. Manage large profiles
  3. Integrate with other systems
  4. Learn to work more efficiently 
In this blog, we will look at the first two groups, followed by the next two groups in our upcoming blog.  

Explore and Diagnose (InSpec Shell, InSpec Detect, InSpec Check and InSpec Export) 

1. InSpec Shell 

InSpec Shell is a great way to learn and explore about InSpec.  

You can type InSpec commands directly into the InSpec Shell and find out what they do. When you run InSpec Shell against your machine, you will be presented with a prompt with precisely what is detected.  

For example, if it detects the operating system as a Mac on a machine, it can also tell it's in the Darwin BSD family, along with the kernel version and the architecture.  

You can execute any InSpec profile at the prompt, and it shows the results in real time as you're typing it in. With InSpec Shell you can also execute profiles directly on remote hosts to learn its behavior on remote hosts.

2. InSpec Detect 

InSpec detect is a great way to diagnose connection issues.  

For instance, you may face issues when you try to connect to a remote machine. You may have tried to use a target matcher to match a profile to a target machine and wonder what its family is. InSpec detect is a great way to find out this information.  

You can run it on a local machine or even a remote machine to get the target machine’s details. While running with debugging information, it can retrieve extra information about the SSH connection.

3. InSpec Check 

InSpec check lets you look for issues in compliance profiles. It detects problems like ‘required fields missing’ in the profile code and the inspec.yml metadata file. It also includes essential support for linting, with more rules coming in the future. 

To use this command, type InSpec check and the name of your profile. It will examine the profile and run all of its checks and warnings.

InSpec check is a great way to look for problems in your profiles; in fact, did you know that it can also look for issues in profiles every time you upload a profile to Automate? 

4. InSpec Export  

InSpec has introduced a new feature called IAF files, which are signed binary profiles for enhanced security. Since it’s tied to security, it does not allow you to peek into the profile to identify controls to use/override or to access waivers. The InSpec Export command can be very handy here. With InSpec Export you can see everything about the profile, including metadata, controls, version, tags and more. 


How do you manage large profiles?

Progress Bar Reporter 

There may be instances when you must run a very large profile and you want to be able to work with it effectively. You may be interested to see progress on the profile.  

The progress bar reporter is a configurable output stream for InSpec exec. A large profile run produces a lot of information. However, InSpec provides real-time feedback with the names of the controls that are executed and a progress bar at the bottom of the screen. This way, you are informed about controls that are slow, allowing you to focus on optimization efforts. 


Focus on specific controls with InSpec exec – controls 

This command executes the specified controls by ID.  

You can also use a pattern to match multiple controls and use it to divide a profile into different parts. E.g., Consider a profile with several controls named with the word ‘rule’, followed by a number. We can split it to run the controls whose name begins with the name rule 1. When you run that, it will only match the controls that match the word rule_1. This way, you could split large profiles based on some text in the rule ID. 

Divide a profile in custom ways using inputs

InSpec also allows you to divide large profiles in custom ways. You could use an input to match an instance ID pattern and use it to restrict the instances that match. For example, you could use a resource to query all EC 2 instances that match a pattern you provide. This allows you to provide a pattern outside of your profile externally and then you can vary this pattern over time. For instance, start with all instances beginning with ‘1’, then ‘2’, ‘3’ and so on. 


This allows you to shard your profiles based on some criteria, such as a resource ID. Did you know that some of our customers have used this feature to shard estates with millions of individual cloud resources? 

Read our next blog about integration and efficiency

Chef InSpec has a multitude of options that can prove to be very useful to you. We’ve started by showcasing use cases with InSpec, such as exploring and diagnosing systems and how to effectively manage large profiles.  In the next blog in this series, we’ll discuss how InSpec can be used to integrate with other systems and how it can make your work more efficient. 

Resources 

Check out the Part 2 & Part 3 of the Did you Know this About Chef Compliance and Chef Cloud Security series.

Learn Chef is a great place to know more about Chef InSpec 


Learn more about Chef products  


Tags

Cloud Security Compliance Management continuous compliance What is compliance management and why is it important?