Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for node['audit']['profiles'] as a hash of hashes #328

Merged
merged 1 commit into from Aug 20, 2018
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
30 changes: 25 additions & 5 deletions .kitchen.vagrant.yml
Expand Up @@ -2,22 +2,42 @@
driver:
name: vagrant

transport:
name: ssh

provisioner:
name: chef_solo
name: chef_zero

verifier:
name: inspec
sudo: true

platforms:
- name: centos-7.1
- name: centos-6.7
- name: centos-5.11
- name: centos-6
- name: centos-7
- name: ubuntu-14.04
- name: ubuntu-12.04
- name: ubuntu-16.04

suites:
- name: default
run_list:
- recipe[audit::default]
attributes:
audit:
reporter: json-file
profiles:
- name: ssh-hardening
url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
- name: ssh-baseline
supermarket: dev-sec/ssh-baseline
- name: hash
run_list:
- recipe[audit::default]
attributes:
audit:
reporter: json-file
profiles:
ssh-hardening:
url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
ssh-baseline:
supermarket: dev-sec/ssh-baseline
12 changes: 11 additions & 1 deletion .kitchen.yml
Expand Up @@ -78,7 +78,6 @@ suites:
profiles:
- name: ssh-hardening
url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
- git: https://github.com/dev-sec/tests-ssh-hardening.git
- name: ssh-baseline
supermarket: dev-sec/ssh-baseline
- name: inspec-attributes
Expand Down Expand Up @@ -184,3 +183,14 @@ suites:
reporter: json-file
inspec_version: 1.25.1
fail_if_not_present: true
- name: hash
run_list:
- recipe[audit::default]
attributes:
audit:
reporter: json-file
profiles:
ssh-hardening:
url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
ssh-baseline:
supermarket: dev-sec/ssh-baseline
6 changes: 6 additions & 0 deletions .travis.yml
Expand Up @@ -50,3 +50,9 @@ matrix:
- rvm: 2.3.3
script: bundle exec rake $SUITE
env: SUITE=test:integration OS='chef-node-disabled-ubuntu-1404'
- rvm: 2.3.3
script: bundle exec rake $SUITE
env: SUITE=test:integration OS='hash-centos-7'
- rvm: 2.3.3
script: bundle exec rake $SUITE
env: SUITE=test:integration OS='hash-ubuntu-1404'
15 changes: 14 additions & 1 deletion README.md
@@ -1,7 +1,7 @@
# audit cookbook
[![Cookbook Version](http://img.shields.io/cookbook/v/audit.svg)][cookbook] [![Build Status](http://img.shields.io/travis/chef-cookbooks/audit.svg)][travis]

The `audit` cookbook allows you to run InSpec profiles as part of a Chef Client run. It downloads configured profiles from various sources like Chef Compliance, Chef Supermarket or Git and reports audit runs to Chef Compliance or Chef Automate.
The `audit` cookbook allows you to run InSpec profiles as part of a Chef Client run. It downloads configured profiles from various sources like Chef Automate, Chef Supermarket or Git and reports audit runs to Chef Automate.

## Quickstart

Expand Down Expand Up @@ -116,6 +116,7 @@ default['audit']['reporter'] = 'chef-server-compliance'
# Omit this to use the latest InSpec
default['audit']['inspec-version'] = '1.29.0'

# You may use an array of hashes (shown here) or hash of hashes (shown below)
default['audit']['profiles'].push(
# Profile from Chef Compliance
{
Expand Down Expand Up @@ -154,6 +155,18 @@ default['audit']['profiles'].push(
)
```

You may prefer to use hashes for your `node['audit']['profiles']` when you are merging attributes from multiple sources. Policyfiles do not merge arrays and in the case of Policyfiles with includes you will be able to append additional profiles with each Policyfile.

```ruby
# Hash of hashes, works with Policyfile includes
default['audit']['profiles']['linux'] = { 'compliance': 'base/linux' }
default['audit']['profiles']['linux-baseline'] = { 'compliance': 'user/linux-baseline', 'version': '2.1.0' }
default['audit']['profiles']['ssh'] = { 'supermarket': 'hardening/ssh-hardening' }
default['audit']['profiles']['brewinc/win2012_audit'] = { 'path': 'E:/profiles/win2012_audit' }
default['audit']['profiles']['ssl'] = { 'git': 'https://github.com/dev-sec/ssl-benchmark.git' }
default['audit']['profiles']['ssh2'] = { 'url': 'https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip' }
```

#### Attributes

You can also pass in [InSpec Attributes](https://www.inspec.io/docs/reference/profiles/) to your audit run. Do this by defining the attributes:
Expand Down
12 changes: 11 additions & 1 deletion files/default/handler/audit_report.rb
Expand Up @@ -27,7 +27,17 @@ def report
interval = node['audit']['interval']
interval_enabled = node['audit']['interval']['enabled']
interval_time = node['audit']['interval']['time']
profiles = node['audit']['profiles']
if node['audit']['profiles'].class.eql?(Chef::Node::ImmutableMash)
profiles = []
node['audit']['profiles'].keys.each do |p|
h = node['audit']['profiles'][p].to_hash
h['name'] = p
profiles.push(h)
end
else
Chef::Log.warn "Use of a hash array for the node['audit']['profiles'] is deprecated. Please refer to the README and use a hash of hashes."
profiles = node['audit']['profiles']
end
quiet = node['audit']['quiet']
fetcher = node['audit']['fetcher']
attributes = node['audit']['attributes'].to_h
Expand Down