Using Chef Compliance and the audit cookbook only – Part IV

Whilst you have already seen the audit cookbook working with the Chef Server, there is another way that was implemented by public demand. Some people have separate departments, or just want to test their cookbooks against Chef Compliance using the audit cookbook without a Chef Server. When we look back at our .kitchen.yml file, you may already have added the audit cookbook to the run_list:
---
driver:
  name: vagrant
  network:
    - ["private_network", { type: "dhcp" }]
    - ['public_network', bridge: 'en0: Wi-Fi (AirPort)']

provisioner:
  name: chef_zero

# Uncomment the following verifier to leverage Inspec instead of Busser (the
# default verifier)
verifier:
 name: inspec

platforms:
  - name: ubuntu-14.04
  - name: windows-2012r2

suites:
  - name: default
    run_list:
      - recipe[atom::default]
      - recipe[audit::default]
    attributes:
If not, just add it after downloading it from GitHub into your cookbooks folder (where your Atom cookbook resides as well):
git clone git@github.com:chef-cookbooks/audit.git
Now you have to reference the audit cookbook in your Berksfile by its local path, as it is not on a Chef Server:
source 'https://localhost'

metadata

cookbook 'audit', path: '/Users/cjo/cookbooks/audit'
The configuration of the audit cookbook is done with attributes, where you have to add the Chef Compliance server, its token and the profile to check against. Since this could change from cookbook to cookbook, it makes sense to add the attributes to the Atom cookbook (attributes/default.rb):
token = 'YourtokenfromtheUI'

default['audit']['server'] = 'https://172.28.128.4:443/api/'
default['audit']['token'] = token
default['audit']['owner'] = 'cjohannsen'
default['audit']['quiet'] = nil
default['audit']['refresh_token'] = nil

# Select the profile by platform: the Windows profile checks for an .exe file
# that the Ubuntu test-kitchen box will never have.
case node['platform']
when 'windows'
  default['audit']['profiles']['cjohannsen/profile'] = true
when 'debian', 'ubuntu'
  default['audit']['profiles']['base/linux'] = true
end
ProTip: Please ensure that you copied the full token from the UI, as a double-click selection may stop at a “-” or “.” inside the token.
As you may have noticed, I added a piece of code to call the profile based on the platform, as my test-kitchen Ubuntu Linux will not have an .exe file installed 🙂
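As an added example (not code from the original post or the audit cookbook), the same attribute set built without the token hard-coded in attributes/default.rb, where it would be committed with the cookbook. It assumes the token is supplied via an environment variable I named COMPLIANCE_TOKEN and rejects the copy mistakes the ProTips describe.

```ruby
# Added example, not from the original post or the audit cookbook.
# Assumptions (mine): the token comes from an environment variable named
# COMPLIANCE_TOKEN; server and owner are the values used in the post.

COMPLIANCE_SERVER = 'https://172.28.128.4:443/api/'.freeze
COMPLIANCE_OWNER  = 'cjohannsen'.freeze
PLACEHOLDER_TOKEN = 'YourtokenfromtheUI'.freeze

# Platform -> profile, mirroring the case statement in attributes/default.rb.
PROFILE_FOR_PLATFORM = {
  'windows' => 'cjohannsen/profile',
  'debian'  => 'base/linux',
  'ubuntu'  => 'base/linux',
}.freeze

# Read the token from the environment and reject the obvious mistakes:
# unset, still the placeholder, or carrying whitespace/newlines from the copy.
def compliance_token(env = ENV)
  token = env.fetch('COMPLIANCE_TOKEN') do
    raise KeyError, 'COMPLIANCE_TOKEN is not set; export the token from the Chef Compliance UI'
  end
  raise ArgumentError, 'COMPLIANCE_TOKEN is still the placeholder' if token == PLACEHOLDER_TOKEN
  raise ArgumentError, 'COMPLIANCE_TOKEN contains whitespace; copy the full token' if token.match?(/\s/)
  token
end

# Return the node['audit'] attribute hash for a platform. Unknown platforms
# raise instead of silently converging with no profile selected.
def audit_attributes(platform, env = ENV)
  profile = PROFILE_FOR_PLATFORM.fetch(platform) do
    raise ArgumentError, "no compliance profile mapped for platform #{platform.inspect}"
  end
  {
    'server'        => COMPLIANCE_SERVER,
    'token'         => compliance_token(env),
    'owner'         => COMPLIANCE_OWNER,
    'quiet'         => nil,
    'refresh_token' => nil,
    'profiles'      => { profile => true },
  }
end

# In attributes/default.rb this would be applied as:
#   audit_attributes(node['platform']).each { |k, v| default['audit'][k] = v }
```

Exporting COMPLIANCE_TOKEN in the shell that runs kitchen converge keeps the token out of the cookbook repository; a truncated or placeholder token then fails before the run instead of surfacing as an opaque error from the server.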
Remember that last time we had to run a “kitchen verify” to check against the local integration test? Now this is already done when calling:
kitchen converge
While you could set the option:
default['audit']['quiet'] = false
to have more visibility, the reports should be available in Chef Compliance now:
[Screenshot: Chef Compliance UI showing the reports for the converged node]
ProTip: If you receive a “glib zip” error in your run, your token is invalid (either its lease time has expired or it was truncated when copied).
As you can see this is really powerful, especially in Enterprise environments where deployments have to match certain compliance and security requirements while they are written and tested. Please note that there is also an integration with Chef Delivery available when you've reached that maturity level.
