InSpec 1.4.1, Train 0.21.1, audit cookbook 2.0, kitchen-inspec 0.16.0



Dear InSpec friends,

We have some great updates available:

  • InSpec 1.4.1
  • audit cookbook 2.0 :confetti_ball:
  • Train 0.21.1
  • kitchen-inspec 0.16.0

InSpec 1.4.0 Release notes: https://github.com/chef/inspec/releases/tag/v1.4.0

  • improvements for supermarket plugin
  • json resource can now parse results from commands (contributed by Arista/Jere Julian)
  • bugfixes

describe json({ command: 'retrieve_data.py --json' }) do
  its('state') { should eq('open') }
end

Train 0.21.1 release notes: https://github.com/chef/train/releases/tag/v0.21.1

  • Arista EOS support (contributed by Arista/Jere Julian)
  • Fix for OS detection with PTY (thanks Tyler Ball for highlighting this issue)

audit cookbook 2.0 release notes: https://github.com/chef-cookbooks/audit/releases/tag/v2.0.0

This is a complete rewrite from audit cookbook v1. The second version is more stable and easier to maintain. I’d like to thank Michael Hedgpeth from NCR for the idea to use the Chef Handler mechanism. In addition, Jeremy Miller, Joe Gardiner and Scott Russel helped with intensive testing.

  • complete rewrite, easier to maintain, reuses more features from InSpec
  • will not report a converge in chef-client run
  • support for multiple reporters
  • introduces json file reporter

It uses a new syntax for the profiles (https://github.com/chef-cookbooks/audit#configure-node):

"audit" => {
  "collector" => "chef-server",
  "inspec_version" => "1.2.1",
  "profiles" => [
    # profile from Chef Compliance
    {
      "name": "linux",
      "compliance": "base/linux"
    },
    # profile from supermarket
    # note: If reporting to Compliance, the Supermarket profile needs to be uploaded to Chef Compliance first
    {
      "name": "ssh",
      "supermarket": "hardening/ssh-hardening"
    },
    # local Windows path
    {
      "name": "brewinc/win2012_audit",
      # filesystem path
      "path": "E:/profiles/win2012_audit"
    },
    # github
    {
      "name": "ssl",
      "git": "https://github.com/dev-sec/ssl-benchmark.git"
    },
    # url
    {
      "name": "ssh",
      "url": "https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip"
    }
  ]
}

You can also define multiple reporters: https://github.com/chef-cookbooks/audit#multiple-reporters

"audit": {
  "collector": [ "chef-compliance", "json-file" ],
  "server": "https://compliance-fqdn/api",
  "owner": "my-comp-org",
  "refresh_token": "5/4T...g==",
  "insecure": false,
  "profiles": [
    {
      "name": "windows",
      "compliance": "base/windows"
    }
  ]
}

kitchen-inspec 0.16.0 release notes: https://github.com/chef/kitchen-inspec/releases/tag/v0.16.0

  • support for more targets like supermarket and git

suites:
  - name: contains_inspec
    run_list:
      - recipe[apt]
      - recipe[yum]
      - recipe[ssh-hardening]
      - recipe[os-hardening]
    verifier:
      inspec_tests:
        - name: hardening/ssh-hardening  # name only defaults to supermarket
        - name: ssh-supermarket  # alternatively, you can explicitly specify that the profile is from supermarket in this way
          supermarket: hardening/ssh-hardening
        - path: path/to/some/local/tests
        - name: ssh-hardening
          url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.zip
        - name: os-hardening
          git: https://github.com/dev-sec/tests-os-hardening.git

  • support for attributes

verifier:
  inspec_tests:
    - path: test/integration/attributes
  # inline attributes
  attributes:
    user: bob
    password: secret
  # attributes files
  attrs:
    - test/integration/profile-attribute.yml

Christoph Hartmann
InSpec Creator