Chef Automate Release 1.7.114

We are delighted to announce release 1.7.114 of Chef Automate. The release is available for download from https://downloads.chef.io/automate.

New Features

Compliance Scanner, Job Scheduling and Improvements (Beta)
This month’s release marks the addition of job scheduling to the compliance scanner and completes its core functionality. It allows for compliance scans to be scheduled for future or recurring runs. This enables users to run their tests on a regular schedule in a fully automated way.

We have also improved the security on the secrets management system in the compliance scanner. It will not expose user secrets in the UI nor the API anymore and keep it for internal calls to the compliance scanner only. This increases the confidentiality of data while allowing the scanner to still fully use these secrets.

The compliance scanner is in open beta as we continue to respond to user feedback before releasing it as generally available. To activate it, type beta anywhere in the UI and enable the feature in the popup that appears.

CIS Compliance Profile for Windows 2016
This release also features our new CIS Compliance Profile for Windows Server 2016. It contains subprofiles for both the Member Server and Domain Controller, both in Level 1 and Level 2. They each feature up to 350 controls to help achieve compliance for modern Windows Servers.

RHEL6 STIG Compliance Profile
The first set of STIG compliance profiles have been added to this release of Chef Automate. They include 261 controls for Red Hat Enterprise Linux 6 compliance. These controls also span category I - III and contain detailed information and reference with every rule.

Performance Improvements for Compliance Profiles
Windows performance has been considerably improved with the release of audit cookbook v6 that leverages new mechanisms in InSpec and Train to speed up all tests. This is achieved with a caching approach allowing for considerably faster execution of all calls and resources on Microsoft Windows. On average, we found the CIS Windows benchmarks to reduce their execution time by 90% for a significant increase in speed. Moreover on CIS for Linux benchmarks we found an average 30% reduction in execution time.

By default, caching is now enabled with audit cookbook v6. Please update it alongside Chef Automate and InSpec on your nodes to fully leverage these performance gains.

Performance Improvements for Compliance Reporting
Large environments with thousands of nodes provide great insights, but were somewhat slow to load in Chef Automate. This is due to the sheer amount of data that needs processing. In this release, we introduced a number of improvements to the backend that will make API calls and the UI feel faster when looking at very large environments.

In the same cycle we improved the suggestions on all searches in Compliance Reporting. These now return more accurate results and become noticeably faster.

Delete Runner Command
We’ve added a delete-runner subcommand to automate-ctl for easier management of runners used as part of a workflow pipeline. Previously it was only possible to remove a runner by calling the delivery api.

Data Retention Improvements for Reaper
Chef Automate’s Reaper feature for managing archive and deletion of Elasticsearch data now supports configuration of distinct retention periods for compliance and Chef client run data. As many organizations require that compliance data be stored for longer, this allows users to set the retention threshold without also requiring that Chef client run data be stored for the same period.

Resolved Issues

  • Fixed an issue that caused the umask check to incorrectly fail during the preflight-check. The preflight-check currently checks on the return value of \su -c 'umask' -l root\ and this can return values besides the raw int of the umask.
  • After an upgrade of the Automate package in all versions up to and including 1.7.10, the user was previously encouraged to run automate-ctl setup, which for an existing system is unnecessary. Now the user is prompted to run automate-ctl reconfigure.
  • Corrected an issue where Chef Automate only displayed up to 10 Chef Servers or organizations in the Nodes UI. All servers and orgs reporting data to Chef Automate are now visible and available for filtering.
  • Resolved an issue with invalid JSON in the workflow Slack notifications, which was impacting webhook integration with Mattermost.
  • Chef Automate’s Reaper now works in archive mode when using a non-default location for the archive repo. In previous releases Reaper archive mode only operated correctly when using the default repo path of /var/opt/delivery/elastisearch_backups.
  • Improved response time for automate-ctl help.
  • Improved the startup performance of Chef Automate by speeding up the Compliance service
  • The scanner doesn’t return passwords via API calls to anymore
  • Compliance APIs have had their timestamps unified to RFC3339
  • RabbitMQ now listens only on the loopback interface and uses SSL for authentication and communication.
  • Searching for nodes by attribute or resource now properly supports spaces and special characters.
  • Testing a workflow runner from the Manage Runners page now correctly raises an error if the runner’s user account has an expired password.
  • Installing a runner now works on CentOS/RHEL when the remote user does not have /usr/sbin in their PATH.
  • Installing a runner now works when the remote user’s shell is /bin/sh.
  • Installing a runner now defaults to collecting only the minimally required Ohai attributes to avoid potential issues with Ohai plugins. You must now pass the ‘–full-ohai’ argument to automate-ctl install-runner to run all plugins on runner installation.

We encourage you to upgrade often. As always, we welcome your feedback and invite you to contact us directly or share your feedback online. Thanks for using Chef Automate!