From 5ccacecd40944eef8f7194a0f3708132a10d649d Mon Sep 17 00:00:00 2001
From: Matt Ray
Date: Mon, 13 Aug 2018 23:09:21 +1000
Subject: [PATCH] Add support for node['audit']['profiles'] as a hash of hashes rather than an array of hashes. Policyfiles with includes do not allow merging arrays and it's a bit unclear why an array was chosen. This patch does not change the existing behavior, only supplements it.
Signed-off-by: Matt Ray
---
 .kitchen.vagrant.yml | 30 ++++++++++++++++++++++-----
 .kitchen.yml | 12 ++++++++++-
 .travis.yml | 6 ++++++
 README.md | 15 +++++++++++++-
 files/default/handler/audit_report.rb | 12 ++++++++++-
 5 files changed, 67 insertions(+), 8 deletions(-)
diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml
index 9f24922d..4dffdeed 100644
--- a/.kitchen.vagrant.yml
+++ b/.kitchen.vagrant.yml
@@ -2,22 +2,42 @@ driver:
 name: vagrant
+transport:
+ name: ssh
+
 provisioner:
- name: chef_solo
+ name: chef_zero
 verifier:
 name: inspec
 sudo: true
 platforms:
- - name: centos-7.1
- - name: centos-6.7
- - name: centos-5.11
+ - name: centos-6
+ - name: centos-7
 - name: ubuntu-14.04
- - name: ubuntu-12.04
+ - name: ubuntu-16.04
 suites:
 - name: default
 run_list:
 - recipe[audit::default]
 attributes:
+ audit:
+ reporter: json-file
+ profiles:
+ - name: ssh-hardening
+ url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
+ - name: ssh-baseline
+ supermarket: dev-sec/ssh-baseline
+ - name: hash
+ run_list:
+ - recipe[audit::default]
+ attributes:
+ audit:
+ reporter: json-file
+ profiles:
+ ssh-hardening:
+ url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
+ ssh-baseline:
+ supermarket: dev-sec/ssh-baseline
diff --git a/.kitchen.yml b/.kitchen.yml
index 6288c274..804bd287 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -78,7 +78,6 @@ suites:
 profiles:
 - name: ssh-hardening
 url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
- - git: https://github.com/dev-sec/tests-ssh-hardening.git
 - name: ssh-baseline
 supermarket: dev-sec/ssh-baseline
 - name: inspec-attributes
@@ -184,3 +183,14 @@ suites:
 reporter: json-file
 inspec_version: 1.25.1
 fail_if_not_present: true
+ - name: hash
+ run_list:
+ - recipe[audit::default]
+ attributes:
+ audit:
+ reporter: json-file
+ profiles:
+ ssh-hardening:
+ url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
+ ssh-baseline:
+ supermarket: dev-sec/ssh-baseline
diff --git a/.travis.yml b/.travis.yml
index 397030f9..577febc1 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -50,3 +50,9 @@ matrix:
 - rvm: 2.3.3
 script: bundle exec rake $SUITE
 env: SUITE=test:integration OS='chef-node-disabled-ubuntu-1404'
+ - rvm: 2.3.3
+ script: bundle exec rake $SUITE
+ env: SUITE=test:integration OS='hash-centos-7'
+ - rvm: 2.3.3
+ script: bundle exec rake $SUITE
+ env: SUITE=test:integration OS='hash-ubuntu-1404'
diff --git a/README.md b/README.md
index 113fbf4c..9c124a9d 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # audit cookbook
 [![Cookbook Version](http://img.shields.io/cookbook/v/audit.svg)][cookbook] [![Build Status](http://img.shields.io/travis/chef-cookbooks/audit.svg)][travis]
-The `audit` cookbook allows you to run InSpec profiles as part of a Chef Client run. It downloads configured profiles from various sources like Chef Compliance, Chef Supermarket or Git and reports audit runs to Chef Compliance or Chef Automate.
+The `audit` cookbook allows you to run InSpec profiles as part of a Chef Client run. It downloads configured profiles from various sources like Chef Automate, Chef Supermarket or Git and reports audit runs to Chef Automate.
 ## Quickstart
@@ -116,6 +116,7 @@ default['audit']['reporter'] = 'chef-server-compliance'
 # Omit this to use the latest InSpec
 default['audit']['inspec-version'] = '1.29.0'
+# You may use an array of hashes (shown here) or hash of hashes (shown below)
 default['audit']['profiles'].push(
 # Profile from Chef Compliance
 {
@@ -154,6 +155,18 @@ default['audit']['profiles'].push(
 )
 ```
+You may prefer to use hashes for your `node['audit']['profiles']` when you are merging attributes from multiple sources. Policyfiles do not merge arrays and in the case of Policyfiles with includes you will be able to append additional profiles with each Policyfile.
+
+```ruby
+# Hash of hashes, works with Policyfile includes
+default['audit']['profiles']['linux'] = { 'compliance': 'base/linux' }
+default['audit']['profiles']['linux-baseline'] = { 'compliance': 'user/linux-baseline', 'version': '2.1.0' }
+default['audit']['profiles']['ssh'] = { 'supermarket': 'hardening/ssh-hardening' }
+default['audit']['profiles']['brewinc/win2012_audit'] = { 'path': 'E:/profiles/win2012_audit' }
+default['audit']['profiles']['ssl'] = { 'git': 'https://github.com/dev-sec/ssl-benchmark.git' }
+default['audit']['profiles']['ssh2'] = { 'url': 'https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip' }
+```
+
 #### Attributes
 You can also pass in [InSpec Attributes](https://www.inspec.io/docs/reference/profiles/) to your audit run. Do this by defining the attributes:
diff --git a/files/default/handler/audit_report.rb b/files/default/handler/audit_report.rb
index 813f5b8b..a60316e3 100644
--- a/files/default/handler/audit_report.rb
+++ b/files/default/handler/audit_report.rb
@@ -27,7 +27,17 @@ def report
 interval = node['audit']['interval']
 interval_enabled = node['audit']['interval']['enabled']
 interval_time = node['audit']['interval']['time']
- profiles = node['audit']['profiles']
+ if node['audit']['profiles'].class.eql?(Chef::Node::ImmutableMash)
+ profiles = []
+ node['audit']['profiles'].keys.each do |p|
+ h = node['audit']['profiles'][p].to_hash
+ h['name'] = p
+ profiles.push(h)
+ end
+ else
+ Chef::Log.warn "Use of a hash array for the node['audit']['profiles'] is deprecated. Please refer to the README and use a hash of hashes."
+ profiles = node['audit']['profiles']
+ end
 quiet = node['audit']['quiet']
 fetcher = node['audit']['fetcher']
 attributes = node['audit']['attributes'].to_h
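Review bot: The branch condition `node['audit']['profiles'].class.eql?(Chef::Node::ImmutableMash)` pins one exact class, so any other hash-like value (a plain Hash or Mash handed in by a spec, or attributes read through a different accessor) falls into the else branch and is later handled as if it were an array; a duck-typed check such as `if node['audit']['profiles'].respond_to?(:each_pair)` (or `is_a?(Hash)` — I believe ImmutableMash derives from Mash/Hash, confirm for the Chef versions this cookbook supports) would be safer. The else branch also logs the array form as deprecated on every run, while the README text in this same commit says both forms may be used; the warning and the README should agree on whether the array form is merely an alternative or on its way out. Minor: `h['name'] = p` silently overwrites any `name` key already present in the profile hash, which deserves a comment if intended, and the loop reads more idiomatically as `profiles = node['audit']['profiles'].map { |name, profile| profile.to_hash.merge('name' => name) }`. The enclosing `report` method starts and ends outside the hunk.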