Inspec multi-server queries #1616

Closed
juju4 opened this issue Mar 31, 2017 · 9 comments
@juju4
juju4 commented Mar 31, 2017

Description

Any integrated option or plan to query multiple systems at once?
Any alternative recommendation like
https://github.com/hack2learn/inspec-multi-server

Typical use cases:

Thanks

@adamleff
Contributor

adamleff commented Apr 3, 2017

@juju4 thank you for submitting this inquiry.

I am unaware of any current plans for InSpec itself to query multiple systems. At Chef, we have some commercial offerings that allow you to use the audit cookbook (which is open source) to run InSpec profiles every time Chef runs on your node so you don't have to actively scan your infrastructure - it will continuously scan.

If you wish to package your application with Habitat (which I strongly encourage you to check out!), we have some cool integrations with Habitat that allow you to ship your compliance profiles with your application which will then continuously scan your fleet for you automatically.

@arlimus and @chris-rock, please correct me if I'm mistaken.

@chris-rock
Contributor

@juju4 Thank you for bringing that up. Thank you @adamleff for the clarification.

InSpec is following the Unix principle: 'Do One Thing and Do It Well'. Therefore we aim to provide the best tool for infrastructure testing and compliance scanning. InSpec is prepared for on-top automation. We use InSpec as the compliance engine for Chef Automate and Chef Compliance. Please check out our CLI JSON feature, like inspec exec /path/to/profile --format json. If you see something is blocking you from implementing a tool like inspec-multi-server around inspec, please let us know. There are no aims to introduce orchestration into InSpec, since this leads to more topics like node and credentials management. Therefore this is out of scope for InSpec.

@adamleff adamleff closed this as completed Apr 3, 2017
@juju4
Author

juju4 commented Apr 4, 2017

Sadly, although I'm very happy with inspec, I'm not in a Chef environment, so I need to review how to best use it widely, or else go back to serverspec.

@mhedgpeth

@juju4 we have successfully run inspec by using a powershell script. You could also use ansible or saltstack to do it. We may be using jenkins as a runner and the nunit output formatter to see the tests in Jenkins. There are a lot of options there for you, even if it's not built into the product.

@juju4
Author

juju4 commented Apr 4, 2017

Thanks @mhedgpeth
Good to know!

Was not worrying much about Jenkins use but more about how to translate with other inventory tools like the ones of ansible or salt. There is an ansiblespec tool which does that for serverspec, and an issue exists to include inspec support, but for now it's pending contributions.

@chris-rock
Contributor

@juju4 InSpec does not depend on Chef. Also, Chef Compliance is a standalone server that can be deployed independently of Chef Server. We have a lot of companies that use InSpec/Chef Compliance with various devops tools (even manual deployment). Could you help me understand how that is tied to the multi server project?

@chris-rock
Contributor

@juju4 Can you please help me to understand which specific integrations are missing for you? This would allow us to help the community to add InSpec in the local tooling. InSpec is independent from any devops tool. We are proving this continuously with our support for the dev-sec project, where we use inspec in combination with Ansible, Chef and Puppet.

@juju4
Author

juju4 commented Apr 5, 2017

Hello @chris-rock
I'm fine with the principle 'Do One Thing and Do It Well'.

But I'm trying to find the glue with my three main use cases

  • first is CI/CD. In that case, it works pretty well with test-kitchen and inspec as verifier.
  • second is ansible environment
  • third is puppet environment

2 and 3 are mostly for monitoring and compliance, if possible by re-using the same inventory, hosts & groups, as the orchestration tools. I'm not developing on the hard problem of key management and suppose it's done. And I prefer to avoid installing inspec locally on each system.

For ansible, I think the preferred road would probably be through ansiblespec. Not sure if there are other options, existing or new.
For puppet, don't know. Only found an install module (https://forge.puppet.com/jaxxstorm/inspec)
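
An added example, not code from this thread or from the InSpec project: one way to glue an Ansible-style inventory to the inspec exec /path/to/profile --format json call mentioned above, scanning one group remotely over SSH so nothing is installed on the targets. The inventory, the report, the host names and the `audit` SSH user are constructed; key-based SSH authentication is assumed to be in place already.

```ruby
require 'json'
require 'open3'

# Constructed sample data (placeholder hosts; report trimmed to the fields used here).
SAMPLE_INVENTORY = <<~INI
  [web]
  web1.example.test
  web2.example.test ansible_user=deploy
  [db]
  db1.example.test
INI
SAMPLE_REPORT = { 'profiles' => [{ 'controls' => [
  { 'id' => 'ssh-01', 'results' => [{ 'status' => 'passed' }] },
  { 'id' => 'ssh-02', 'results' => [{ 'status' => 'failed' }] }] }] }.to_json

# Group => hosts. Host variables, comments and [group:vars]/[group:children] are skipped.
def parse_inventory(text)
  current = 'ungrouped'
  text.each_line.with_object(Hash.new { |h, k| h[k] = [] }) do |raw, groups|
    line = raw.sub(/[#;].*/, '').strip
    if line.start_with?('[')
      current = line[/\A\[([^\]:]+)\]\z/, 1] # nil for :vars / :children sections
    elsif current && !line.empty?
      groups[current] << line.split.first
    end
  end
end

# Build an argv array (no shell), so an inventory value is never shell-interpreted.
def inspec_command(profile, host, user = 'audit')
  ['inspec', 'exec', profile, '-t', "ssh://#{user}@#{host}", '--format', 'json']
end

# IDs of controls that have at least one failed result.
def failed_controls(report_json)
  controls = JSON.parse(report_json).fetch('profiles', []).flat_map { |p| p.fetch('controls', []) }
  controls.select { |c| c.fetch('results', []).any? { |r| r['status'] == 'failed' } }.map { |c| c['id'] }
end

# Scan each host of a group; an unreachable host or empty output is recorded, not fatal.
def scan_group(inventory, group, profile, runner: ->(argv) { Open3.capture2(*argv).first })
  inventory.fetch(group).to_h do |host|
    [host, failed_controls(runner.call(inspec_command(profile, host)))]
  rescue StandardError => e
    [host, ["scan error: #{e.class}"]]
  end
end

# Offline demo: the stub runner returns the constructed report instead of invoking inspec.
p scan_group(parse_inventory(SAMPLE_INVENTORY), 'web', '/path/to/profile', runner: ->(_argv) { SAMPLE_REPORT })
```

Dropping the `runner:` argument makes `scan_group` invoke the real `inspec` binary from the scanning host.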

@lelloz0

lelloz0 commented Jan 30, 2018

@mhedgpeth I'm very interested in how you got inspec to run through powershell, especially if it's in a domain environment. My goal is to run inspec against a fleet of servers in a domain environment, maybe through a jenkins pipeline where I can specify the hostnames to run it against.
