Folks,
So, it’s taken me a while, but I finally landed at a place where I’m being asked to do some more Chef stuff, and where we want to start is with applying OS patches to our nodes. But we want to be careful in how we do this, and make sure we go through a baking-in process, where stuff sits in the Integration branch for a while before it clears QA, and then in QA for a while before it can be merged to production.
I’ve been looking at cookbooks to do this, and it seems to me that the best current choice on the Supermarket is auto-patch, at https://supermarket.chef.io/cookbooks/auto-patch. But is there anything else out there that I should be looking at?
Of course, Management is going to want to have reports of what versions of what libraries and packages are installed on what machines, so InSpec is definitely something we’re going to be looking at and some of the DevSec cookbooks look interesting in this space, especially https://github.com/dev-sec/linux-patch-baseline and https://github.com/dev-sec/chef-linux-patch.
Is there anything else I’m missing? Thanks!
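As an added illustration of the kind of report mentioned above (this is example code, not from the original post, the auto-patch cookbook, or the dev-sec profiles), here is a plain-Ruby sketch of what an InSpec-style patch-baseline check does: parse the node's package inventory, compare it to the exact versions that cleared QA, and flag drift or missing packages. The dpkg-query output and the QA baseline below are constructed sample data; in a real InSpec profile the same comparison would be expressed per package as `describe package(name) do its('version') { should eq expected } end`.

```ruby
# Added example, not code from the original post or any Supermarket cookbook.
# Mirrors what an InSpec patch-baseline control asserts, in plain Ruby so it
# runs stand-alone.

# Constructed sample output of:
#   dpkg-query -W -f='${Package}\t${Version}\n'
SAMPLE_INVENTORY = <<~OUT
openssl\t1.1.1f-1ubuntu2.16
libssl1.1\t1.1.1f-1ubuntu2.16
bash\t5.0-6ubuntu1.2
sudo\t1.8.31-1ubuntu1.2
OUT

# Constructed, hypothetical baseline: the exact versions that cleared QA.
# Production nodes are expected to match these exactly, not merely be "at
# least" these, so the comparison is equality rather than version ordering.
QA_BASELINE = {
  "openssl"   => "1.1.1f-1ubuntu2.16",
  "libssl1.1" => "1.1.1f-1ubuntu2.16",
  "bash"      => "5.0-6ubuntu1.4",
  "sudo"      => "1.8.31-1ubuntu1.2",
}

# Parse dpkg-query output into { package => version }.
def parse_inventory(text)
  text.each_line.with_object({}) do |line, inv|
    name, version = line.chomp.split("\t", 2)
    next if name.nil? || name.empty? || version.nil?
    inv[name] = version
  end
end

# Compare the installed inventory against the QA baseline. Returns:
#   :ok      => packages whose installed version matches the baseline
#   :drift   => packages installed at a different version (expected/actual)
#   :missing => baseline packages not installed at all
def patch_report(inventory, baseline)
  report = { ok: [], drift: {}, missing: [] }
  baseline.each do |pkg, expected|
    actual = inventory[pkg]
    if actual.nil?
      report[:missing] << pkg
    elsif actual == expected
      report[:ok] << pkg
    else
      report[:drift][pkg] = { expected: expected, actual: actual }
    end
  end
  report
end

# A node is compliant only when nothing drifted and nothing is missing.
def compliant?(report)
  report[:drift].empty? && report[:missing].empty?
end

if $PROGRAM_NAME == __FILE__
  r = patch_report(parse_inventory(SAMPLE_INVENTORY), QA_BASELINE)
  puts "compliant: #{compliant?(r)}"
  r[:drift].each do |pkg, v|
    puts "DRIFT   #{pkg}: installed #{v[:actual]}, QA baseline #{v[:expected]}"
  end
  r[:missing].each { |pkg| puts "MISSING #{pkg}" }
end
```

Run against the sample data this reports `bash` as drifted (installed 5.0-6ubuntu1.2, baseline 5.0-6ubuntu1.4) and the node as non-compliant, which is exactly the signal a promotion gate from Integration to QA to production would act on.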