Can Chef be used to alert manual changes?


#1

Let's say I install Java 6 on a node using Chef.
If someone goes and installs Java 7 on it, can Chef alert me and tell me?
Or is there a tool on top of Chef that can help me do that?


#2

Haven’t done it yet, but the report handler can tell you which resources
were updated in the Chef run. The Chef run will bring it back
to Java 6 in your case, and that will show up in the report.


Regards
nirish okram


#3

I meant: if someone goes and installs a different Java manually (not through a
Chef run), can that be detected?



#4

If you re-run chef-client on a node that has had a previously successful chef-client run, it will re-converge the necessary cookbook(s) to put the node into the desired state. In your example, the original cookbook that installed Java will detect that a different Java has been (manually) installed, and re-install its Java version. You can write report handlers to send a notification (email?) if a cookbook converged.

Chris



#5

You could also use Chef Audit Mode and write a test that does something
like expect “java -version” to return 6.x and if it returns 7, it would
alert you.

- Julian
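
The version check described above, sketched in plain Ruby rather than in Chef's audit-mode DSL (an added example, not code from the thread or from Chef; the function names and the sample `java -version` outputs are constructed for illustration):

```ruby
require 'open3'

# Constructed sample outputs (java -version prints these to stderr).
SAMPLE_JAVA6 = %(java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)\n)
SAMPLE_JAVA7 = %(java version "1.7.0_79"\nOpenJDK Runtime Environment (IcedTea 2.5.5)\n)

# Extract the major version from `java -version` output.
# Handles the legacy scheme ("1.6.0_45" => 6) and the newer one ("11.0.2" => 11).
def java_major_version(version_output)
  match = version_output.match(/version "(\d+)(?:\.(\d+))?[^"]*"/)
  return nil unless match

  first = match[1].to_i
  second = match[2]
  first == 1 && second ? second.to_i : first
end

# Compare the observed output with the expected major version.
# Returns a finding hash that an alerting hook could forward.
def java_drift(version_output, expected_major)
  actual = java_major_version(version_output)
  status = if actual.nil? then :unknown
           elsif actual == expected_major then :ok
           else :drift
           end
  { status: status, expected: expected_major, actual: actual }
end

# Run the local binary; stdout and stderr are merged because the
# version banner is written to stderr.
def check_local_java(expected_major, java_bin = 'java')
  output, _status = Open3.capture2e(java_bin, '-version')
  java_drift(output, expected_major)
rescue Errno::ENOENT
  # The binary is gone entirely, which is also a deviation from the baseline.
  { status: :missing, expected: expected_major, actual: nil }
end

if __FILE__ == $PROGRAM_NAME
  puts java_drift(SAMPLE_JAVA6, 6).inspect
  puts java_drift(SAMPLE_JAVA7, 6).inspect
end
```

`java -version` reports only the first `java` found on `PATH`, so a second JDK installed alongside the managed one without changing `PATH` would not register in this check.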



#6

Julian, any example of Chef Audit mode?



#7

Hi Medya, I haven’t had a chance to try it, but this blog has what looks
like a good example of getting started.
http://jtimberman.housepub.org/blog/2015/04/03/chef-audit-mode-introduction/

I also noticed that they are starting to release some prepackaged audits
for CIS benchmarks.

I honestly wasn’t aware of this function till this thread.


#8

dude, at least google search once,
http://jtimberman.housepub.org/blog/2015/04/03/chef-audit-mode-introduction/



#9

You mean like this? :wink:


Yoshi Spendiff
Ops Engineer
Indochino
Mobile: +1 778 952 2025
Email: yoshi.spendiff@indochino.com


#10

I’d suggest you start with the “Audit a node for compliance” tutorial on
LearnChef (https://learn.chef.io/).

- Julian
