We are delighted to announce the availability of version 17.5.22 of Chef Infra Client.
Compliance Phase Improvements
InSpec Profiles Within Cookbooks
You can now ship Chef InSpec profiles, waivers, and inputs directly in cookbooks allowing you to combine infrastructure and compliance concerns in a single artifact. Bringing infra and compliance together ensures security is always considered when making changes to your systems and enables collaboration in DevSecOps through shared pipelines. Combining infrastructure and compliance content in cookbook artifacts also allows for the safe and controlled promotion of compliance content from development to production using Policyfiles.
Cookbook Compliance Directory
A new `compliance` directory in cookbooks includes InSpec content in `inputs`, `waivers`, and `profiles` directories:
my_cookbook/
├─ compliance/
│ ├─ inputs/
│ │ ├─ my_inputs.yml
│ ├─ profiles/
│ │ ├─ my_profiles/
│ │ │ ├─ controls/
│ │ │ ├─ inspec.yml
│ ├─ waivers/
│ │ ├─ control_waiver.yml
├─ metadata.rb
InSpec content placed in these directories is available for execution during the Chef Infra Client Compliance Phase. As with recipes, shipping the content in a cookbook does not run it by itself: recipes must be executed with `include_recipe`, and InSpec content must be included with the new helpers. This gives you fine-grained control of when and how InSpec content runs using Chef Language helpers.
Loading InSpec Content in Recipes
InSpec content is loaded from Chef Infra recipes using new include helpers in the Chef Language:
- include_profile
- include_waiver
- include_input
These helpers behave similarly to the existing `include_recipe` helper, allowing you to include InSpec content from various cookbooks:
# load a single profile from a specific cookbook:
include_profile "my_cookbook::profile_name"
# load all waivers from a cookbook:
include_waiver "my_cookbook::.*"
# load all inputs that start with ssh
include_input "acme_cookbook::ssh.*"
# load a specific profile depending on cloud:
include_profile "my_cookbook::ec2_node_profile" if ec2?
include_profile "my_cookbook::gce_node_profile" if gce?
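To show what the `cookbook::pattern` form of these helpers selects, here is an added example in plain Ruby that is not Chef's own code: it assumes the part after `::` is treated as an anchored regular expression (so `.*` matches everything in that cookbook) and runs it against a constructed inventory standing in for the synced `compliance/` directories of a few cookbooks.

```ruby
# Added example, not Chef Infra Client code: models how include_profile,
# include_waiver and include_input resolve "cookbook::pattern" specs.
# Assumption: the pattern is an anchored regular expression.

# Constructed inventory standing in for the compliance/ directories of
# several cookbooks after they have been synced to the node.
COMPLIANCE_CONTENT = {
  profiles: [
    { cookbook: "my_cookbook", name: "ec2_node_profile" },
    { cookbook: "my_cookbook", name: "gce_node_profile" },
    { cookbook: "other_cookbook", name: "ec2_node_profile" },
  ],
  waivers: [
    { cookbook: "my_cookbook", name: "control_waiver" },
    { cookbook: "my_cookbook", name: "legacy_waiver" },
    { cookbook: "acme_cookbook", name: "ssh_waiver" },
  ],
  inputs: [
    { cookbook: "acme_cookbook", name: "ssh_port" },
    { cookbook: "acme_cookbook", name: "ssh_ciphers" },
    { cookbook: "acme_cookbook", name: "sudo_timeout" },
  ],
}.freeze

# Resolve one include spec against one content type and return the
# fully qualified names that matched. A malformed spec raises, so a typo
# fails the Chef run instead of silently loading no compliance content.
def resolve_include(kind, spec, content = COMPLIANCE_CONTENT)
  raise ArgumentError, "bad include spec #{spec.inspect}" unless spec.match?(/\A[^:]+::[^:]+\z/)

  cookbook, pattern = spec.split("::", 2)
  regex = Regexp.new("\\A#{pattern}\\z") # anchored: "ssh.*" must match the whole name
  content.fetch(kind)
         .select { |e| e[:cookbook] == cookbook && regex.match?(e[:name]) }
         .map { |e| "#{e[:cookbook]}::#{e[:name]}" }
end

def include_profile(spec) resolve_include(:profiles, spec) end
def include_waiver(spec)  resolve_include(:waivers, spec)  end
def include_input(spec)   resolve_include(:inputs, spec)   end

if __FILE__ == $PROGRAM_NAME
  p include_profile("my_cookbook::ec2_node_profile")
  p include_waiver("my_cookbook::.*")
  p include_input("acme_cookbook::ssh.*")
end
```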
Chef Infra Resources for InSpec
If you prefer to define your InSpec content directly in recipes, we also include new `inspec_input` and `inspec_waiver` resources that allow you to define inputs and waivers dynamically at run time.
# defining a waiver directly in a recipe with dynamic values
inspec_waiver 'Add waiver entry for control' do
  control 'my_inspec_control_01'
  run_test false
  # interpolate the node's policy group into the justification
  justification "The subject of this control is not managed by Chef Infra Client on the systems in policy group #{node['policy_group']}"
  expiration '2022-01-01'
  action :add
end

# loading a waiver with content on disk
inspec_waiver 'my-waiver-name' do
  source '/path/to/my/waiver.toml'
end

# setting an input directly in a recipe
inspec_input 'setting my input' do
  source({ ssh_custom_path: '/whatever2' })
end

# setting an input from content on disk (the resource name is used as the source path)
inspec_input '/path/to/my/input.yml'
Chef InSpec 4.41.20
Chef InSpec has been updated from 4.41.2 to 4.41.20 with the following improvements and fixes for Compliance Phase:
- Added support for Alibaba Cloud Linux 3 to the Chef InSpec `service` resource.
- Replaced the WMI command-line (WMIC) utility in the Chef InSpec `security_identifier` resource with Common Information Model (CIM) cmdlets, as the WMIC utility will be deprecated soon.
- Fixed range-based filtering in filter tables.
- Fixed an issue in the Chef InSpec `apache_conf` resource when the ServerRoot is not specified in the Apache configuration file.
- Fixed an error in the Chef InSpec `postgres_session` resource where the resource was unable to connect to a database.
- Fixed an error in the Chef InSpec `apache_conf` resource where it would overwrite any Apache configurations from the main Apache configuration file with configurations from any included configuration files.
- Fixed an error where the Chef InSpec `security_policy` resource returned a comma-separated string of local groups (rather than SIDs) instead of an array.
- Updated the git fetcher to handle profiles with a default git branch that is not `master`.
Secrets Management Beta
Our secrets management beta within Chef Infra Client has been updated to support HashiCorp Vault and Akeyless Vault secrets. These can be fetched using the new `secret` helper using either AWS IAM authentication or token-based authentication.
Fetching Secrets From HashiCorp Vault Using AWS IAM
secret(name: "secret/example",
       service: :hashi_vault,
       config: {
         vault_addr: "vault.example.com",
         role_name: "example-role"
       })
Fetching Secrets From HashiCorp Vault Using Tokens
secret(name: "secret/example",
       service: :hashi_vault,
       config: {
         vault_addr: "vault.example.com",
         token: "123456"
       })
Fetching Secrets From Akeyless Vault Using Tokens
secret(name: "/secret/data/my_secret",
       service: :akeyless_vault,
       config: {
         access_key: "12345678910=",
         access_id: "p-12345678910"
       })
Fetching Chef Solo Recipes from AWS S3
You can now fetch recipes from Amazon's S3 storage when using Chef Solo. To have Chef Solo fetch recipes from AWS S3, pass an S3 URL with the `--recipe-url` command line flag, such as `s3://my-private-bucket/setup-0.1.0.tgz`. Thanks for this improvement @tecracer-theinen!
Resource Updates
archive_file
The `archive_file` resource has a new `strip_components` property that allows you to strip any number of leading path elements, similar to the `tar --strip-components` behavior. For example, if the archive `archive.tar` contained `some/file/name`, then setting `strip_components 2` would extract just `name`. Thanks for this improvement and a large number of new tests @jasonwbarnett!
chef_client_scheduled_task
The `chef_client_scheduled_task` resource now supports setting the scheduled task priority for the execution of the Chef Infra Client with a new `priority` property. You can also now set the scheduled task to run with the same splay value during each run using a new `use_consistent_splay` property. With this property set, a random splay will still be used for the node, but it will be the same splay during subsequent runs. This ensures that Chef Infra Client always runs with a consistent time between runs (i.e., always exactly 30 minutes). Thanks for these improvements @gholtiii!
file
The `file` resource and resources based on the `file` resource now include additional verifiers for YAML and JSON content in files. Set `verify :json` or `verify :yaml` to validate JSON and YAML content. Thanks for this addition @gogsbread!
mount
The `mount` resource no longer strips trailing `/` values when the mount point is just `/`. Thanks for this fix @jiokmiso!
registry_key
The `registry_key` resource has been updated to allow lazily evaluating the data passed to the `values` property. Thanks for reporting this @sjethvani!
remote_file
The `remote_file` resource has been updated with a new `http_options` property that accepts a Hash of Ruby Net::HTTP options such as `http_retry_count` and `http_retry_delay`.
ulimit
The `ulimit` resource now supports setting `sensitive true` to prevent logging ulimit data as it is written to disk.
windows_uac
The `windows_uac` resource now sets the proper registry key value when using the `consent_behavior_users` property. Thanks for reporting this @ahembree!
windows_user_privilege
The `windows_user_privilege` resource no longer fails with an error stating that the `privilege` property needs to be set, even when it is set.
Packages
We are now producing packages for the following platforms / architectures:
- Windows 11 - x64
- Windows 2022 - x64
- Debian 11 - amd64 / arm64
- macOS 12 (Monterey) - Intel
Security
OpenSSL 1.0.2za
OpenSSL has been updated from 1.0.2y to 1.0.2za to resolve CVE-2021-3712.
Get the Build
As always, you can download binaries directly from downloads.chef.io or by using the `mixlib-install` command-line utility:
$ mixlib-install download chef -v 17.5.22
Alternatively, you can install Chef Infra Client using one of the following command options:
# In Shell
$ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chef -v 17.5.22
# In Windows PowerShell
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex