How do I run an inspec profile in chef audit mode? #692
Description

I want to be able to run an inspec profile during an audit mode run as a part of a chef-client run. Yes @chris-rock I know there is possibly a design flaw with this :), but for certain workflows it might be the easiest. How do I do this?

Comments

@mhedgpeth I fully agree that the chef client needs a converge and an audit phase. I was just saying that I do not like the mix of converge and test resources in one directory. At this point in time, the audit mode is based on Serverspec and does not use InSpec under the hood. We developed the audit cookbook https://github.com/chef-cookbooks/audit to catch the compliance use case of the audit mode. The cookbook allows you:

Could you share your use case? That allows me to give you a more detailed answer.

That works for us. Is the plan to support the ServerSpec audit mode for the foreseeable future, to support the cookbook-based tests? I think we would want to define the profiles and upload them to a compliance server, so the model works great for us.

We are thinking about two things:

Would that approach work for you?

I never got into audit mode too much until now, but my perception was that the audit mode ran separately from the run list and even upon failures. So it would be nice if there were an audit run list of profiles that could be specified and run separately from the converge itself. I'm not sure about the kitchen tests. It does seem nice to be able to reuse your infrastructure, and that feature would bring inspec into the testing side of the workflow, where it belongs as much as on the compliance side. It would also decouple what the security people want (control over profiles, definitions, etc.) from what the developers/operations want (testing small things in infrastructure). For that reason alone it makes a lot of sense.

@mhedgpeth You are absolutely right. That is the reason why we think we need a more generic audit phase that runs independently of a successful converge. I like the separation you described between security folks and devops folks. Could you explain what you are not sure about with the kitchen tests?

Yes, I have the security person saying he wants it locked down and my operations person who wants to write inspec tests to test infrastructure. That separation is really essential to drive security adoption. I don't have much experience with test kitchen tests, but it would seem that one would have to be careful that the tests are performant enough to not upset the system. It's a great idea, I've just never executed it and thus it kind of scares me.