Inspec and remediation


#1

Is there a way to run an inspec test and run a recipe to remediate if that inspec test result is a failure?


#2

In most cases you need a human in the loop to decide the remediation. For example, if you’re using a weak SSL/TLS cipher/version/whatever, it might be fixed by upgrading a package to pick up new defaults, or you might modify the config to disable the weak cipher. There are different trade-offs involved with each approach.

Chef has its own detect/repair logic, so once you identify an issue and choose a remediation approach, you should just add that to the appropriate cookbook and let Chef run on a schedule to enforce it.


#3

There are some other really interesting use cases around using InSpec/Serverspec in a monitoring solution such as Sensu to monitor for compliance. Like you said, the majority of the time auto remediation with just a chef-client run will require a human to add/modify a cookbook to remediate. This also gives great information for auditors, as you could send the Sensu logs off to something like ELK for indexing and searching.
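
The monitoring use case from reply #3, as an added example that is not part of the thread: a Ruby function that turns the output of `inspec exec <profile> --reporter json` into the Nagios-style status code and one-line message a Sensu check reports. The sample report, its control ids and the 0.7 impact threshold are assumptions made for the example.

```ruby
require 'json'

# Constructed sample of InSpec JSON reporter output, trimmed to the fields
# this check reads. Profile name and control ids are made up.
SAMPLE_REPORT = <<~REPORT
  {"profiles":[{"name":"example-baseline","controls":[
    {"id":"tls-01","title":"Weak TLS versions disabled","impact":1.0,
     "results":[{"status":"failed","code_desc":"ssl_protocols should not include TLSv1"}]},
    {"id":"ssh-01","title":"SSH root login disabled","impact":0.5,
     "results":[{"status":"passed","code_desc":"PermitRootLogin should eq no"}]},
    {"id":"ntp-01","title":"NTP configured","impact":0.3,
     "results":[{"status":"skipped","code_desc":"not applicable on this platform"}]}
  ]}]}
REPORT

CRITICAL_IMPACT = 0.7 # assumption: failures at or above this impact are critical

# Returns [exit_code, message] with the codes Sensu checks use:
# 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN. A check script would print the
# message and exit with the code; remediation stays in the cookbook.
def compliance_status(report_json)
  report = JSON.parse(report_json)
  profiles = report.is_a?(Hash) ? report['profiles'] : nil
  controls = Array(profiles).flat_map { |p| Array(p['controls']) }
  # An empty report must not look like a clean bill of health.
  return [3, 'UNKNOWN: report contains no controls'] if controls.empty?

  failed = controls.select do |c|
    Array(c['results']).any? { |r| r['status'] == 'failed' }
  end
  return [0, "OK: #{controls.size} controls, none failed"] if failed.empty?

  worst = failed.map { |c| c['impact'].to_f }.max
  code = worst >= CRITICAL_IMPACT ? 2 : 1
  label = code == 2 ? 'CRITICAL' : 'WARNING'
  ids = failed.map { |c| c['id'] }.sort.join(', ')
  [code, "#{label}: #{failed.size}/#{controls.size} controls failed (#{ids})"]
rescue JSON::ParserError => e
  [3, "UNKNOWN: unreadable InSpec report (#{e.message})"]
end
```

The failed control ids in the message are what end up indexed in the log pipeline, so an auditor can search by control and a human can decide which cookbook change fixes it.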