Chef Infra Client 17.5.22 Released!

We are delighted to announce the availability of version 17.5.22 of Chef Infra Client.

Compliance Phase Improvements

InSpec Profiles Within Cookbooks

You can now ship Chef InSpec profiles, waivers, and inputs directly in cookbooks allowing you to combine infrastructure and compliance concerns in a single artifact. Bringing infra and compliance together ensures security is always considered when making changes to your systems and enables collaboration in DevSecOps through shared pipelines. Combining infrastructure and compliance content in cookbook artifacts also allows for the safe and controlled promotion of compliance content from development to production using Policyfiles.

Cookbook Compliance Directory

A new compliance directory in cookbooks includes InSpec content in inputs, waivers, and profiles directories:

my_cookbook/
├─ compliance/
│  ├─ inputs/
│  │  ├─ my_inputs.yml
│  ├─ profiles/
│  │  ├─ my_profiles/
│  │  │  ├─ controls/
│  │  │  ├─ inspec.yml
│  ├─ waivers/
│  │  ├─ control_waiver.yml
├─ metadata.rb

InSpec content placed in these directories is available for execution during the Chef Infra Client Compliance Phase. As with recipes shipped in cookbooks, which only run when pulled in with include_recipe, this content is not executed until a recipe explicitly includes it. This gives you fine-grained control over when and how InSpec content runs using Chef Language helpers.

Loading InSpec Content in Recipes

InSpec content is loaded from Chef Infra recipes using new include helpers in the Chef Language:

  • include_profile
  • include_waiver
  • include_input

These helpers behave similarly to the existing include_recipe helper, allowing you to include InSpec content from various cookbooks:

# load a single profile from a specific cookbook:
include_profile "my_cookbook::profile_name"

# load all waivers from a cookbook:
include_waiver "my_cookbook::.*"

# load all inputs that start with ssh
include_input "acme_cookbook::ssh.*"

# load a specific profiles depending on cloud:
include_profile "my_cookbook::ec2_node_profile" if ec2?
include_profile "my_cookbook::gce_node_profile" if gce?

Chef Infra Resources for InSpec

If you prefer to define your InSpec content directly in cookbooks, we also include new inspec_input and inspec_waiver resources that allow you to define inputs and waivers dynamically in recipes.

# defining a waiver directly in a recipe with dynamic values
inspec_waiver 'Add waiver entry for control' do
  control 'my_inspec_control_01'
  run_test false
  justification "The subject of this control is not managed by Chef Infra Client on the systems in policy group #{node['policy_group']}"
  expiration '2022-01-01'
  action :add
end

# loading a waiver with content on disk
inspec_waiver 'my-waiver-name' do
  source '/path/to/my/waiver.toml'
end

# setting an input directly in a recipe
inspec_input 'setting my input' do
  source({ ssh_custom_path: '/whatever2' })
end

# setting an input from content on disk
inspec_input '/path/to/my/input.yml'
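The include helpers above select compliance files by a "cookbook::pattern" spec, and the waivers they load carry an expiration and a justification. The following added example (written for this note, not Chef's own implementation) resolves such a spec against a constructed in-memory stand-in for a cookbook's compliance/waivers directory and then audits the selected waivers for entries that have expired or lack a justification, since an expired waiver silently stops suppressing its control. It assumes the part after "::" is a regular expression matched against the whole file name.

```ruby
require 'yaml'
require 'date'

# Constructed sample content standing in for my_cookbook/compliance/waivers/*.yml
# (InSpec waiver file format: control id -> run/justification/expiration_date).
WAIVER_FILES = {
  'my_cookbook' => {
    'ssh_waivers' => <<~YAML,
      sshd-01:
        run: false
        justification: "SSH is managed outside Chef on this host class"
        expiration_date: 2022-01-01
      sshd-02:
        run: false
        justification: "Fix scheduled for the next release"
        expiration_date: 2099-12-31
    YAML
    'control_waiver' => <<~YAML
      my_inspec_control_01:
        run: false
    YAML
  }
}.freeze

# Resolve "cookbook::regex" (the form used by include_waiver/include_input/
# include_profile) to the matching files. Assumption: the regex is anchored
# to the whole file name, so "ssh.*" matches ssh_waivers but not control_waiver.
def resolve_include(spec, tree = WAIVER_FILES)
  cookbook, pattern = spec.split('::', 2)
  raise ArgumentError, "expected cookbook::pattern, got #{spec.inspect}" unless pattern

  re = /\A#{pattern}\z/
  (tree[cookbook] || {}).select { |name, _content| re.match?(name) }
end

# Load the selected waiver files and report hygiene problems. Dates in YAML are
# parsed as Date objects, so Date must be explicitly permitted by safe_load.
def audit_waivers(spec, today: Date.today, tree: WAIVER_FILES)
  findings = []
  resolve_include(spec, tree).each do |file, yaml|
    YAML.safe_load(yaml, permitted_classes: [Date]).each do |control, attrs|
      exp = attrs['expiration_date']
      findings << "#{file}:#{control} expired on #{exp}" if exp && Date.parse(exp.to_s) < today
      findings << "#{file}:#{control} has no justification" if attrs['justification'].to_s.strip.empty?
    end
  end
  findings
end
```

Running audit_waivers('my_cookbook::.*') as part of a cookbook's test suite catches waivers that would otherwise lapse unnoticed when the cookbook is promoted between policy groups.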

Chef InSpec 4.41.20

Chef InSpec has been updated from 4.41.2 to 4.41.20 with the following improvements and fixes for Compliance Phase:

  • Added support for Alibaba Cloud Linux 3 to the Chef InSpec service resource.
  • Replaced the WMI command-line (WMIC) utility in the Chef InSpec security_identifier resource with Common Information Model (CIM) cmdlets as the WMIC utility will be deprecated soon.
  • Fixed range-based filtering in filter tables.
  • Fixed an issue in the Chef InSpec apache_conf resource when the ServerRoot is not specified in the Apache configuration file.
  • Fixed an error in the Chef InSpec postgres_session resource where the resource was unable to connect to a database.
  • Fixed an error in the Chef InSpec apache_conf resource where it would overwrite any Apache configurations from the main Apache configuration file with configurations from any included configuration files.
  • Fixed an error where the Chef InSpec security_policy resource returned a comma-separated string of local groups (rather than SIDs) instead of an array.
  • Updated the git fetcher to handle profiles with a default git branch that is not master.

Secrets Management Beta

Our secrets management beta within Chef Infra Client has been updated to support HashiCorp Vault and Akeyless Vault secrets. These can be fetched using the new secrets helper using either AWS IAM authentication or token-based authentication.

Fetching Secrets From HashiCorp Vault Using AWS IAM

secret(name: "secret/example",
       service: :hashi_vault,
       config: {
         vault_addr: "vault.example.com",
         role_name: "example-role"
       })

Fetching Secrets From HashiCorp Vault Using Tokens

secret(name: "secret/example",
       service: :hashi_vault,
       config: {
         vault_addr: "vault.example.com",
         token: "123456"
       })

Fetching Secrets From Akeyless Vault Using Tokens

secret(name: "/secret/data/my_secret",
       service: :akeyless_vault,
       config: {
         access_key: "12345678910=",
         access_id: "p-12345678910"
       })

Fetching Chef Solo Recipes from AWS S3

You can now fetch recipes from Amazon's S3 storage when using Chef Solo. To have Chef Solo fetch recipes from AWS S3, pass an S3 URL with the --recipe-url command line flag, such as s3://my-private-bucket/setup-0.1.0.tgz. Thanks for this improvement @tecracer-theinen!

Resource Updates

archive_file

The archive_file resource has a new strip_components property that lets you strip a given number of leading path elements, similar to the tar --strip-components behavior. For example, if the archive archive.tar contained some/file/name, then setting strip_components 2 would extract just name. Thanks for this improvement and a large number of new tests @jasonwbarnett!

chef_client_scheduled_task

The chef_client_scheduled_task resource now supports setting the scheduled task priority for the execution of the Chef Infra Client with a new priority property. You can also now set the scheduled task to run with the same splay value during each run using a new use_consistent_splay property. With this property set, a random splay will still be used for the node, but it will be the same splay during subsequent runs. This ensures that Chef Infra Client always runs with a consistent time between runs (i.e., always exactly 30 minutes). Thanks for these improvements @gholtiii!

file

The file resource and resources based on the file resource now include additional verifiers for YAML and JSON content in files. Set verify :json or verify :yaml to validate JSON and YAML content. Thanks for this addition @gogsbread!

mount

The mount resource no longer strips trailing / values when the mount point is just /. Thanks for this fix @jiokmiso!

registry_key

The registry_key resource has been updated to allow lazily evaluating the data passed to the values property. Thanks for reporting this @sjethvani!

remote_file

The remote_file resource has been updated with a new http_options option that accepts a Hash of Ruby Net/HTTP options such as http_retry_count and http_retry_delay.

ulimit

The ulimit resource now supports setting sensitive true to prevent logging ulimit data as it is written to disk.

windows_uac

The windows_uac resource now sets the proper registry key value when using the consent_behavior_users property. Thanks for reporting this @ahembree!

windows_user_privilege

The windows_user_privilege resource no longer fails with an error stating that the privilege property needs to be set when that property is in fact set.

Packages

We are now producing packages for the following platforms / architectures:

  • Windows 11 - x64
  • Windows 2022 - x64
  • Debian 11 - amd64 / arm64
  • macOS 12 (Monterey) - Intel

Security

OpenSSL 1.0.2za

OpenSSL has been updated from 1.0.2y to 1.0.2za to resolve CVE-2021-3712.

Get the Build

As always, you can download binaries directly from downloads.chef.io or by using the mixlib-install command-line utility:

$ mixlib-install download chef -v 17.5.22

Alternatively, you can install Chef Infra Client using one of the following command options:

# In Shell
$ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chef -v 17.5.22
# In Windows PowerShell
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex