Sending Compliance Data to Chef Automate with Audit Cookbook
Note: Cookbooks are Chef's primary unit of configuration management. For tutorials on working with cookbooks in Chef, see Learn Chef Rally.

Audit Cookbook

Note: The audit cookbook uses the Chef InSpec gem. It will check for an installed version of Chef InSpec and install it upon finding none. The latest version of Chef InSpec will be installed by default unless otherwise specified with the node['audit']['inspec_version'] attribute in your cookbook.

To send compliance data gathered by Chef InSpec as part of a Chef Infra Client run, you will need to use the audit cookbook. All profiles configured to run during the audit cookbook execution will send their results back to the Chef Automate server.
Configure the Node for Audit Cookbook
Once the cookbook is available in Chef Infra Server, you will need to add the audit::default recipe to the run-list of each node. Compliance profiles are added using the node['audit']['profiles'] attribute. A complete list of the configurations is documented on GitHub in the Audit Cookbook Repository.

To configure the audit cookbook to report compliance data directly to Chef Automate, you will first need to configure Chef Infra Client to send node converge data, as described in Data Collection. Next, configure the audit cookbook collector by setting the reporter, server, owner, refresh_token and profiles attributes.
- reporter - 'chef-automate' to report to Chef Automate.
- server - URL of the Chef Automate server with /api appended.
- owner - Chef Automate user or organization that will receive this scan report.
- refresh_token - refresh token for the Chef Automate API. Please note that logging out of the user interface revokes the refresh_token. To work around this, log in once in a private browser session, grab the token and then close the browser without logging out.
- insecure - a true value will skip the SSL certificate verification when retrieving an access token. The default value is false.
A complete audit cookbook attribute configuration will look something like this:
['audit']['reporter'] = 'chef-automate'
['audit']['server'] = 'https://chef-automate-server/api'
['audit']['owner'] = 'my-comp-org'
['audit']['refresh_token'] = '5/4T...g=='
['audit']['insecure'] = false
['audit']['profiles'] = [
  {
    'name': 'windows',
    'compliance': 'base/windows',
  },
]
Instead of a refresh token, it is also possible to use a token that expires 12h after creation.

['audit']['reporter'] = 'chef-automate'
['audit']['server'] = 'https://chef-automate-fqdn/api'
['audit']['owner'] = 'my-comp-org'
['audit']['token'] = 'eyJ........................YQ'
['audit']['profiles'] = [
  {
    'name': 'windows',
    'compliance': 'base/windows',
  },
]
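As an added example (not code from the Chef docs or from the audit cookbook itself), a small Ruby pre-flight check that applies the constraints listed above to a hash shaped like node['audit']: reporter set to 'chef-automate', a server URL ending in /api, exactly one of refresh_token or token, insecure left at its default of false, and at least one profile with name and compliance. The validate_audit_config function, the SAMPLE_AUDIT hash and its placeholder token value are constructed for this example; the https requirement is this check's own choice.

```ruby
# Added example: pre-flight check for node['audit'] attributes (not part of
# the Chef docs or the audit cookbook). The https rule is this check's own.
require 'uri'

def validate_audit_config(audit)
  problems = []
  problems << "reporter must be 'chef-automate'" unless audit['reporter'] == 'chef-automate'
  # server must be an https URL with /api appended, e.g. https://host/api
  uri = URI.parse(audit['server'].to_s) rescue nil
  if uri.nil? || uri.host.nil?
    problems << 'server must be a URL'
  else
    problems << 'server must use https' unless uri.scheme == 'https'
    problems << 'server URL must end with /api' unless uri.path == '/api'
  end
  problems << 'owner is required' if audit['owner'].to_s.empty?
  # either a refresh_token or a 12h token, never both
  has_refresh = !audit['refresh_token'].to_s.empty?
  has_token   = !audit['token'].to_s.empty?
  problems << 'set exactly one of refresh_token or token' unless has_refresh ^ has_token
  # insecure: true skips certificate verification when fetching the access token
  problems << 'insecure must be false (default)' if audit['insecure'] == true
  profiles = audit['profiles']
  if !profiles.is_a?(Array) || profiles.empty?
    problems << 'profiles must be a non-empty array'
  else
    # profile hashes may use string or symbol keys ('name': ... gives symbols)
    profiles.each_with_index do |prof, i|
      %w[name compliance].each do |key|
        value = prof.is_a?(Hash) ? (prof[key] || prof[key.to_sym]) : nil
        problems << "profiles[#{i}] missing '#{key}'" if value.to_s.empty?
      end
    end
  end
  problems
end

# Constructed sample mirroring the configuration above; the token is a placeholder.
SAMPLE_AUDIT = {
  'reporter'      => 'chef-automate',
  'server'        => 'https://chef-automate-server/api',
  'owner'         => 'my-comp-org',
  'refresh_token' => 'REFRESH_TOKEN_PLACEHOLDER',
  'insecure'      => false,
  'profiles'      => [{ 'name' => 'windows', 'compliance' => 'base/windows' }],
}.freeze
```

Running it against SAMPLE_AUDIT returns an empty list; running it against a copy with an http server, insecure set to true and both token attributes set returns one message per violated rule.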
Supported Audit Cookbook Configurations
The audit cookbook supports several different methods of fetching and reporting compliance information.
Warning: Chef Compliance is Chef Software's premium audit and remediation content offering announced in 2020. The standalone Chef Compliance Server was an earlier security product and is now deprecated. The Chef Compliance Server's end-of-life date was December 31, 2018. Chef Automate 2 has all of the functionality of Chef Compliance Server and also includes newer out-of-the-box compliance profiles, an improved compliance scanner with total cloud scanning functionality, better visualizations, role-based access control and many other features not found in Chef Compliance Server.
Fetch From Automate via Chef Infra Server

Action | Configuration
---|---
Fetch From Automate via Chef Infra Server and Report Directly to Automate |
Fetch From Automate via Chef Infra Server and Report Directly to Compliance |
Fetch From Automate via Chef Infra Server and Report to Automate via Chef Infra Server |
Fetch From Automate via Chef Infra Server and Report to Compliance via Chef Infra Server |
Fetch From Compliance via Chef Infra Server

Action | Configuration
---|---
Fetch From Compliance via Chef Infra Server and Report Directly to Automate |
Fetch From Compliance via Chef Infra Server and Report Directly to Compliance |
Fetch From Compliance via Chef Infra Server and Report to Compliance via Chef Infra Server |
Fetch From Compliance via Chef Infra Server and Report to Automate via Chef Infra Server |
Fetch Directly From Compliance

Action | Configuration
---|---
Fetch from Compliance and Report Directly to Automate |
Fetch from Compliance and Report Directly to Compliance |
Fetch from Compliance and Report to Automate via Chef Infra Server |
Fetch from Compliance and Report to Compliance via Chef Infra Server |
© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/servicemarks of Chef, in the United States and other countries and are used with Chef Inc's permission.
We are not affiliated with, endorsed or sponsored by Chef Inc.
https://docs.chef.io/audit_cookbook/