Skip to content
/ InSpec_Local Public

Shifting Compliance Left (Chef Infra + Ansible + Puppet)

2 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

danf425/InSpec_Local

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits
ansible
ansible
 
 
chef
chef
 
 
inspec_docker
inspec_docker
 
 
puppet
puppet
 
 
.DS_Store
.DS_Store
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

TDD + Local Compliance Exercise

Intent: Show value of "shifting left" both in terms of Compliance and Integration Testing. Demonstrate the ease of using InSpec + Infra locally through a simple exercise.
Follow these steps by step instructions for Chef Infra. For ready-to-go instances, go to the Ansible, Puppet, or Chef dirs

  1. Generate chef cookbook (Creating a webserver)
    chef generate cookbook webserver_test
    cd webserver_test

  2. Look at the structure of it through VSCode
    code .

  3. Show the kitchen yaml, recipes, tests, explain how things function. Comment out the ubuntu line... Converge. kitchen converge centos

  4. Modify tests located in directory: test/integration/default/default_test.rb
    Explain the resources you are using... below are some testing examples (use the first 2):

# is apache httpd installed?
describe package('httpd') do
  it { should be_installed }
end

# is the service enabled or running?
describe service('httpd') do
  it { should be_enabled }
  it { should be_running }
end

# what's the stdout of localhost?
describe command('curl localhost') do
  its('stdout') { should match /hello/ }
end

# is port 80 listening?
describe port(80) do
  it { should be_listening }
end

  1. See that everything fails (it should because it's a brand new centos machine):
    kitchen verify centos

  2. Add content to default.rb so that we can begin seeing chef infra in action: recipes/default.rb

package 'httpd' do
    action :install
end

  1. Apply changes to centos machine: kitchen converge centos

  2. One of the tests should pass now: kitchen verify centos

  3. Optional: add more content to default recipe if you want to get all the tests passing: recipes/default.rb

# Start and enable the httpd service.
service 'httpd' do
  action [:enable, :start]
end

# Serve a custom home page.
file '/var/www/html/index.html' do
  content '<html>
  <body>
    <h1>hello world</h1>
  </body>
</html>'
end
Cool, but what about local compliance?
  1. Edit the inspec_test in kitchen.yml to any of the below: Github integration is dope. Pulling compliance from a single source of truth. No excuses for shipping vulnerable infrastructure. Production ready as soon as it leaves your workstation. Buzzwords. blahblahblah.
suites:
  - name: default
    verifier:
      inspec_tests:
      #  - test/integration/default
         - name: dev-sec/linux-baseline
      #  - https://github.com/nathenharvey/tmp_compliance_profile   
      #  - name: ssh-hardening
      #    url: https://github.com/dev-sec/tests-ssh-hardening
      controls:
         - sshd-46

  1. Optional: You can SSH into the kitchen instance to see that this isn't smoke and mirrors kitchen ssh centos

  2. Optional: Add data collector within kitchen.yaml to report data to automate:

provisioner:
  name: dokken
  always_update_cookbooks: true
  client_rb:
    data_collector.server_url: 'https://np-eh-a2.chef-demo.com/data-collector/v0/'
    data_collector.token: '61RpF2KmrtuNhqMnmH3jWUOsld0='
    verify_api_cert: false
    ssl_verify_mode: :verify_none
  1. Destroy: kitchen destroy

About

Shifting Compliance Left (Chef Infra + Ansible + Puppet)

Resources

Readme
Activity

Stars

2 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages