Hello my friends. I hope you’re back for some InSpec goodness. I’ve missed talking about InSpec! Check out all we’ve covered so far:
- Day 1: Hello World
- Day 2: Command Resource
- Day 3: File Resource
- Day 4: Custom Matchers
- Day 5: Creating a Profile
I’ve been quite occupied lately building my skill-set with some studying up on Linux, Chef, Kitchen, remediation workflow, and a little bit of Ruby so that I can use InSpec in a broader sense. No big. Seriously, though, starting from scratch is not easy, but it’s definitely not boring, either.
I’m not exactly giving you another tutorial today, but instead I want to step back a little bit to get a broader perspective of InSpec. I’m going to talk about the different ways in which we can run InSpec and the different places in which to store it.
Running and Storing InSpec Locally
Of course, we start locally, right? We’ve done this already. You’re simply saving your controls to a directory on your local machine and then running them from the command line.
This is obviously just for testing in development. In film terms, I think of this as pre-production, but I guess I need to get used to calling it by its proper name. This is for when we’re in the process of creating our profile and seeing if it works. And while we’re doing that, we’re also testing like mad to ensure speedy success and to keep things nice and neat.
Running InSpec Profiles Through Test Kitchen
I had a lot of fun learning how to do this workflow this week (which is why I was studying up a lot). This is only for testing in development, too. When we run our profiles in Kitchen, the controls are checked against the instance the cookbook just converged, so we can remediate failures in the cookbook, re-converge, and verify again.
We can use profiles stored just about anywhere for this:
- locally
- GitHub
- Chef Supermarket
- Chef Compliance (you’ll need to log in first and use an API token)
Your .kitchen.yml might look a little something like this (pick the inspec_tests source you need, of course; all four forms are shown here only to illustrate them):
```yaml
---
driver:
  name: vagrant
provisioner:
  name: chef_zero
verifier:
  name: inspec
platforms:
  - name: centos-6.7
suites:
  - name: default
    run_list:
      - recipe[inspec-workshop-cookbook::default]
    verifier:
      inspec_tests:
        - /Path/to/local/folder
        - https://github.com/<username>/<profilename>
        - supermarket://<owner>/<profile-name>
        - compliance://base/ssh
```
Scanning a Node in Chef Compliance
So we’ve done this, and it was so easy and fun. And this is for use in all stages of the development life cycle. And I’m a little embarrassed because I thought it might be complicated to upload your profile to Chef Compliance, but this is literally as complicated as it gets:
Just zip it up and upload it. You can also upload it from the command line with the `inspec compliance upload` command, after you authenticate with the `inspec compliance login` command.
When you’re scanning from Chef Compliance, you can only use profiles that are stored on the Compliance server, not ones on GitHub or the Chef Supermarket. But I hear rumblings of the ability to store a profile on Chef Supermarket for use in Chef Compliance in the near future.
Running InSpec in an audit cookbook
You might not be able to scan from Chef Compliance. Perhaps you don’t want to store the SSH or WinRM credentials for your nodes on the Chef Compliance server. And, for security reasons, you may not want the Chef Compliance server to have network access to the nodes it reports on at all.
In that case, you’ll want to use the audit cookbook. It runs your InSpec profiles as a part of your chef-client run, pulling the profiles from wherever you’re storing them (the Supermarket, the Compliance server, GitHub, etc.), and then sends the results to the Compliance server so the data for all those pretty charts is still there. The connection is outbound from the node; the server never scans your machine.
This, too, is for use in all stages of the development life cycle, and the profiles it pulls can be stored in the Supermarket, on the Compliance server, or in GitHub.
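As an added example (it is not from the original post, nor the audit cookbook’s own documentation), here is what a Test Kitchen suite could look like if it converged the audit cookbook instead of relying on the kitchen-inspec verifier. The server URL, owner, token and profile names are placeholders, and the attribute names follow the audit cookbook README of that era, so check them against the cookbook version you pin before using this:

```yaml
# Added example: Kitchen suite that runs the audit cookbook at the end of the
# chef-client run. All values below are placeholders; verify attribute names
# against the README of the audit cookbook version you use.
suites:
  - name: audit
    run_list:
      - recipe[inspec-workshop-cookbook::default]
      - recipe[audit::default]
    attributes:
      audit:
        collector: chef-compliance                 # send results to Chef Compliance
        server: https://compliance.example.com/api # placeholder Compliance server URL
        owner: admin                               # placeholder Compliance owner/org
        refresh_token: "<refresh-token-from-compliance>" # placeholder; a credential, keep out of git
        insecure: false                            # keep TLS certificate verification on
        profiles:
          # profile stored on the Compliance server, owner/name
          base/ssh: true
          # profile pulled from the Chef Supermarket
          ssh-hardening:
            source: supermarket://<owner>/<profile-name>
          # profile pulled from a Git repository
          my-profile:
            source: https://github.com/<username>/<profilename>
```

Two things are worth noticing from a security standpoint. `insecure` stays `false`, so the node still verifies the Compliance server’s TLS certificate when it pushes results. And the refresh token is a credential that now lives on the node side rather than on the server, so in real use you’d pull it from an encrypted data bag or Chef Vault instead of committing it to .kitchen.yml.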
Concluding Thoughts
After learning InSpec at a very basic level, I was pleased with how approachable and easy to grasp it was. And the more I’ve worked with it, I’ve come to find InSpec quite versatile. It’s been a great study tool for me because I was able to start out so simply and build on that knowledge. I think that’s the key to learning any new skill, really - start with small, manageable chunks and work your way up. Try not to get discouraged by what you don’t know, and focus on what you do know.
Go to Day 7: How to Inherit a Profile from Chef Compliance Server