New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Declare audit profile in recipes #257

mhedgpeth opened this Issue Jul 4, 2017 · 4 comments


None yet
2 participants

mhedgpeth commented Jul 4, 2017

I would like to have a way to have different teams declare what runs in the audit cookbook without bothering each other.

For example, let's say I have three teams: operations, application, and security.
operations wants to run the ops-profile, and logging-profile
application wants to run the application-up-profile
security wants to run cis-profile

Right now there isn't an easy way for these three teams to define that they want to run their profile without affecting the other teams.

This becomes even more problematic when considering that some teams want portions of their infrastructure to run different profiles.

For example:
operations wants to run logging-profile on nodes that have the logging recipe working, but the competitor-logging-profile on nodes that have the competitor's logging recipe running.

So these groups need fine-grained control over when the profile is included.

To solve this problem I suggest adding a library method to the audit cookbook:

audit_profile 'mycorp/myproduct_profile'

The audit_profile method would add the given profile to the list, preserving the existing list. That way anyone who wanted to could add to the list but wouldn't harm the list. You would end up getting the aggregate of all your run lists' things.

I'm happy to add a PR for this if you agree with the approach.


This comment has been minimized.


mhedgpeth commented Jul 7, 2017

@trevorghess updated this comment per our discussion.


This comment has been minimized.


mhedgpeth commented Jul 10, 2017

Another way of looking at this is that it's an include_recipe for profiles


This comment has been minimized.


jeremymv2 commented Jul 11, 2017

@mhedgpeth one way to accomplish this is with some conditional statements based on inspecting the run_list of the node and/or other Ohai based attributes.

You can have a recipe drop off either a full blown Ohai node.json object on the filesystem for inspec to read like this or just a decomposed json file with only the elements necessary for making decisions (like the node's roles, or run_list).

Then, in your meta profile, you could make the decisions on which profiles/controls to include like this


This comment has been minimized.


mhedgpeth commented Jul 11, 2017

Closing this for a different idea that I want to investigate with @jeremymv2

@mhedgpeth mhedgpeth closed this Jul 11, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment