
How do I run an inspec profile in chef audit mode? #692

Closed
mhedgpeth opened this issue Apr 28, 2016 · 6 comments

@mhedgpeth

Description

I want to be able to run an InSpec profile during an audit mode run as a part of a chef-client run. Yes, @chris-rock, I know there is possibly a design flaw with this :), but for certain workflows it might be the easiest. How do I do this?

@chris-rock
Contributor

@mhedgpeth I fully agree that the chef client needs a converge and an audit phase. I was just saying that I do not like the mix of converge and test resources in one directory. At this point in time, the audit mode is based on Serverspec and does not use InSpec under the hood.

We developed the audit cookbook https://github.com/chef-cookbooks/audit to catch the compliance use case of the audit mode. The cookbook:

  • can only pull profiles from Chef Compliance
  • cannot load profiles from any HTTP resource
  • cannot load tests from test/integration

Could you share your use case? That allows me to give you a more detailed answer.

@mhedgpeth
Author

That works for us. Is the plan to support the Serverspec audit mode for the foreseeable future, to support the cookbook-based tests? I think we would want to define the profiles and upload them to a compliance server, so the model works great for us.

@chris-rock
Contributor

We are thinking about two things:

  • turn audit mode into a full audit phase where multiple compliance profiles can be executed (the current approach with the audit cookbook is well perceived, because the execution can be customized, but users need to ensure manually that it is the last cookbook in the run list)
  • be able to run tests located in the test/integration directory within that audit phase. That would allow users to reuse the same cookbook tests for test-kitchen and production

Would that approach work for you?

@mhedgpeth
Author

I never got into audit mode too much until now, but my perception was that the audit mode ran separately from the run list and even upon failures. So it would be nice if there were an audit run list of profiles that could be specified and run separately from the converge itself.

I'm not sure about the kitchen tests. It does seem nice to be able to reuse your infrastructure, and that feature would bring InSpec into the testing side of the workflow, where it belongs as much as on the compliance side. It would also decouple what the security people want (control over profiles, definitions, etc.) from what the developers/operations want (testing small things in infrastructure). For that reason alone it makes a lot of sense.

@chris-rock
Contributor

@mhedgpeth You are absolutely right. That is the reason why we think we need a more generic audit-phase that runs independently of a successful converge.

I like the separation you described between security folks and devops folks. Could you explain what you are not sure about with the kitchen tests?

@mhedgpeth
Author

Yes, I have the security person saying he wants it locked down and my operations person who wants to write InSpec tests to test infrastructure. That separation is really essential to drive security adoption.

I don't have much experience with test kitchen tests, but it would seem that one would have to be careful that the tests are performant enough not to upset the system. It's a great idea; I've just never executed it, and thus it kind of scares me.
