Chef Automate is an enterprise platform that allows developers, operations and security engineers to collaborate on delivering application and infrastructure changes at the speed of business. Chef Automate provides actionable insights into the state of your compliance and configuration, together with an auditable history of every change that has been applied to your environments.
Let's scan a few systems for compliance and check whether they adhere to the recommended guidelines.
In this module you will use Chef Automate installed on a preconfigured Vagrant image, so you will need Vagrant installed on your laptop before you start.
Vagrant needs a hypervisor to run the virtual machine, e.g. VirtualBox or VMware Fusion, and the Vagrant installation guide will also walk you through installing one. We recommend starting with VirtualBox, as it's free and easy to install.
Chef does not maintain VirtualBox or Vagrant. If you're having trouble getting VirtualBox or Vagrant working, check the Vagrant issues and VirtualBox Bugtracker pages. We're also happy to help as best we can.
This module was developed and tested on a macOS workstation.
In this part you'll use Vagrant to bring up an Ubuntu virtual machine on your workstation. Perform these steps to set up your environment.
Bring up a terminal window
Bring up a terminal window and move to a working directory, for example your home directory.
Bring up a web browser
We recommend Google Chrome or Mozilla Firefox.
1. Get the Vagrantfile
From the command line, run the following command to download a file named Vagrantfile into your working directory:
curl http://learnchef.s3.amazonaws.com/Vagrantfile > Vagrantfile
Note that this fetches the file over plain HTTP, and a Vagrantfile is Ruby code that vagrant up will execute on your workstation, so read through the downloaded file before moving on to the next step.
2. Start the Virtual Machine
Next, run the following command to start the Chef Automate virtual machine:
vagrant up
This command brings up the virtual machine. It can take a few minutes for the VM to come up, depending upon your internet connection.
During the installation you will be prompted to accept the Terms of Service and the Master License and Services Agreement. Type YES at the prompt.
Before you can log into Chef Automate you will need to add an entry to your /etc/hosts file. Run this command on your workstation when vagrant up completes (or in a new terminal window while it's running), entering your password when prompted:
echo 192.168.33.199 chef-automate.test | sudo tee -a /etc/hosts
Running this more than once appends a duplicate line, which is harmless but untidy, so check the file before re-running it. We will give you instructions on removing this line from /etc/hosts at the end of the module.
Now from your web browser, navigate to https://chef-automate.test/.
It might take a minute or so for the site to become available after launch.
The first time you connect you will be presented with a screen saying Your connection is not private.
The reason is that the VM serves HTTPS with a self-signed certificate that your browser does not trust. That's acceptable in this test environment (it would not be for a real deployment), so click Advanced, then Proceed to chef-automate.test (unsafe).
You will be prompted for login credentials. You can find these credentials in the file automate-credentials.toml within the VM, so log into the VM with vagrant ssh and cat that file:
vagrant ssh
vagrant@automate-deployment:~$ sudo cat automate-credentials.toml
url = "https://chef-automate.test"
username = "admin"
password = "3b52f84b09507413397b4b9381ec25be"
Use the values from the file on your own VM rather than copying the ones above, and treat the file as a secret: it holds the Automate admin password in plaintext.
Enter the credentials, then click Sign In
Click 'It's okay, I know what I'm doing'.
You will then be prompted to register for a 60 day trial licence. Fill in the form as appropriate, agree to the T&Cs and click Sign Up.
You will see a date for when the trial licence will expire.
Once you close this dialog box you will see the main Chef Automate screen.
At the top, you see 6 tabs – Event Feeds, Client Runs, Compliance, Scan Jobs, Asset Store, and Admin. The default view upon login is the Event Feeds tab, which shows a timeline of Chef Server and Compliance events. In this module we'll focus on the Compliance, Scan Jobs, Asset Store and Admin tabs.
3. Scan for compliance
In Chef terms, a node is any system that's managed by Chef. Chef Automate enables you to monitor and visualize the status of your nodes. For example, when you use InSpec to scan your nodes for compliance, you can see the results from Chef Automate's web interface.
You will see in the Client Runs screen that there are initially 0 nodes.
Next, select the Compliance tab. Similarly, you see an empty report.
Now let's bring up a node, scan it against a basic compliance profile, and see the results. To do this we will bring up an Ubuntu Docker container. Docker is also installed on the 'Automate' Vagrant virtual machine, so log into the VM with vagrant ssh if you are not already logged in, and run the following Docker command:
sudo docker run learnchef/compliance-loader-pass
For brevity, we've omitted sample output, but you'll see Chef and InSpec run inside the container (the first run also pulls the image from Docker Hub, so the VM needs network access). Chef writes a sample message to the log, then (via the Audit Cookbook) InSpec scans the node against a basic compliance profile and posts the results to Chef Automate.
Return to Chef Automate. From the Compliance tab, refresh the page. You see that the compliance scan passes.
Let's drill down into more detail. On the same page, click the tab that reads 1 Nodes. Then select your node.
You see a summary of the compliance run, including each test. Scroll to package-02: Do not install Telnet server for the linux-baseline profile, and click the + button.
This test comes from the linux-baseline profile. A profile contains multiple tests, called controls, that are written in InSpec.
Because InSpec tests are code, rules are unambiguous, can be understood by everyone on the team, and can be run automatically. To illustrate this, click the View Source button.
(You can also view the source code on GitHub.)
An InSpec control describes the test as well as its relative impact. The code for the test itself resembles human-readable language. This test specifies that the telnetd package should not be installed.
The tests you previously ran were just a portion of the linux-baseline profile. Now let's see what happens when you scan a second node against the full profile.
From the command line in the VM, launch a second container:
sudo docker run learnchef/compliance-loader-fail
After the Chef and InSpec runs finish, return to Chef Automate and select the Compliance tab. You see that this compliance scan discovered potential issues.
Select the tab that reads 2 Nodes. The second node appears along with a summary of the number of tests that failed.
Select the failed node and drill down into the details just as you did for the first node.
You can explore the failed tests. As an example, click Critical Controls, then expand os-08: Entropy.
You can use Chef to correct the compliance failures, and then rescan your nodes on an ongoing basis to ensure they remain compliant. You'll learn more in future Learn Chef modules.
Let's take a quick look at some other compliance profiles you can use. Select the Asset Store tab and click the tab that reads Available. You see a list of available compliance profiles, including profiles that implement many DevSec and CIS recommendations.
You can also add your own profiles to the profile store. You'll do that in a future module.
Now's a great time to explore Chef Automate on your own. For example, go back to the Compliance tab and explore details about the nodes you scanned for compliance.
Be sure to answer the quiz questions at the end of this module to check your understanding. When you're done, check out the Integrated Compliance with Chef track if you're interested in learning more about compliance using your Chef Automate Pilot installation.
4. Suspending the installation
If you need a break as you evaluate Chef Automate, run this command to exit out of the VM:
exit
To suspend the running VM, run this command on your workstation:
vagrant suspend
When you're ready to come back, run this command:
vagrant resume
When you're finished, run this command to remove the VM:
vagrant destroy
Then remove the entry from /etc/hosts:
sudo sed -i '' '/192.168.33.199 chef-automate.test/d' /etc/hosts
The sed -i '' form is for the BSD sed shipped with macOS, which this module was developed on; GNU sed on Linux takes -i on its own, without the empty-string argument.
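The hosts-file edits above (the echo | tee -a that adds the entry in step 2, and the sed that removes it here) are not idempotent and not portable between GNU and BSD sed. The script below is an added example written for this page, not code from the Learn Chef module or from Chef Automate: it adds and removes the entry with awk, which behaves the same on Linux and macOS, and takes the file path as a parameter so you can try it on a scratch copy first. The IP and hostname are the module's; everything else (function names, the hosts-entry.sh file name in the usage comment, the sample file contents in hosts_demo) is this example's own assumption.

```sh
#!/bin/sh
# Added example for this module (not part of the Learn Chef page or the Chef
# Automate project): manage the chef-automate.test entry in /etc/hosts in an
# idempotent, portable way. The module's `echo ... | sudo tee -a` appends a
# duplicate every time it is re-run, and its `sed -i ''` form is BSD/macOS
# specific. These helpers use awk, which behaves the same on Linux and macOS,
# and take the hosts file path as a parameter so they can be exercised on a
# scratch file before being pointed at /etc/hosts. Function names and the
# sample file contents below are this example's own choices (assumptions).

HOSTS_IP=192.168.33.199
HOSTS_NAME=chef-automate.test

# hosts_has FILE NAME: succeed when NAME is a hostname field on a non-comment
# line of FILE. Whole-field comparison, so "chef-automate.test" does not match
# "old-chef-automate.test", and anything after '#' is ignored.
hosts_has() {
    awk -v n="$2" '
        { sub(/#.*/, "") }                              # drop comments
        { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit !found }
    ' "$1"
}

# hosts_add FILE IP NAME: append "IP<TAB>NAME" unless NAME is already present.
hosts_add() {
    hosts_has "$1" "$3" && return 0
    # Guarantee a trailing newline first, so the entry cannot be glued onto the
    # last line of a file that does not end with one.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
        printf '\n' >> "$1"
    fi
    printf '%s\t%s\n' "$2" "$3" >> "$1"
}

# hosts_remove FILE NAME: delete every non-comment line that names NAME.
# Writes back through the existing file (cat > FILE) rather than renaming a
# temp file over it, so the ownership and mode of /etc/hosts are preserved.
hosts_remove() {
    _tmp=$(mktemp) || return 1
    awk -v n="$2" '
        { line = $0; sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == n) next }
        { print line }
    ' "$1" > "$_tmp" && cat "$_tmp" > "$1"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# hosts_demo: run the helpers against a constructed scratch file and return 0
# only if add is idempotent, remove leaves other lines alone, and a mention of
# the name inside a comment is neither matched nor deleted.
hosts_demo() {
    _f=$(mktemp) || return 1
    printf '127.0.0.1\tlocalhost\n# chef-automate.test is only mentioned here\n' > "$_f"
    hosts_add "$_f" "$HOSTS_IP" "$HOSTS_NAME" &&
    hosts_add "$_f" "$HOSTS_IP" "$HOSTS_NAME" &&        # second call is a no-op
    [ "$(grep -c "^$HOSTS_IP" "$_f")" -eq 1 ] &&
    hosts_remove "$_f" "$HOSTS_NAME" &&
    ! hosts_has "$_f" "$HOSTS_NAME" &&
    [ "$(grep -c '' "$_f")" -eq 2 ]
    _rc=$?
    rm -f "$_f"
    return $_rc
}

# Running the file directly only exercises the helpers on the scratch file.
# To edit the real file (assumed saved as hosts-entry.sh):
#   sudo sh -c '. ./hosts-entry.sh; hosts_add /etc/hosts 192.168.33.199 chef-automate.test'
#   sudo sh -c '. ./hosts-entry.sh; hosts_remove /etc/hosts chef-automate.test'
hosts_demo && echo "hosts helpers OK"
```

Because the functions write through the file they are given, they need root only when that file is /etc/hosts; run hosts_demo as an ordinary user first and you will see the add/remove cycle succeed without touching the system file.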
Where to go next
This is just a glimpse into what Chef Automate can do. Chef Automate integrates with these open-source products:
- Chef is for infrastructure automation.
- InSpec is for compliance automation.
- Habitat is for application automation.
Read on to learn how to get more hands-on experience.
Chef for infrastructure automation
If you're new to Chef, we suggest starting with the Infrastructure Automation track. You'll learn the basics of how Chef works, write your first cookbook, and get started using Chef server.
InSpec for compliance automation
If you're interested in compliance, the Integrated Compliance with Chef and Compliance Automation with InSpec tracks show you how to assess your infrastructure's adherence to compliance requirements, correct compliance failures, and monitor your infrastructure on an ongoing basis.
Also be sure to check out www.inspec.io.
Habitat for application automation
Habitat is a way to build and run your applications both in containers and on traditional infrastructure, whether in the cloud or on-prem. In fact, Chef Automate Pilot is packaged using Habitat.
You can continue using your Docker setup to run a basic web application that uses Habitat packages we've built for you. See the Try Habitat quickstart module to get started.
Also be sure to visit habitat.sh.
Learn more about Chef Automate
When you're ready to get more hands-on with Chef Automate, the Continuous Automation track is the place to go. You'll bring up a full Chef Automate installation and see how to push configuration changes to a production-like environment.
Talk to us
Learn more about how to bring the full power of Chef Automate to accomplish your business goals. Go to www.chef.io/automate to read the whitepaper. Then click the Contact Us button to talk to us about how Chef Automate can help transform your workflow.
Have questions or suggestions on how Chef Automate can better fit your workflow? Drop us feedback.