We’re evaluating InSpec, but the notion of a central Chef Compliance server remotely executing code via ssh on every VM might be a hard sell for my Security team.
Is it possible to run InSpec locally on each instance, and also have each instance run scheduled scans and report results to the Compliance server?
This way, I understand there would be more work since we’d have to deploy the InSpec scripts using Chef, etc.
Thanks for any advice!
Dave
You’ve clearly identified why the remote scanner isn’t for everyone; what you want is to use the Audit cookbook. Chef client will run your audits with each scheduled run and report back the state of your compliance directly to Chef Automate, or to your Chef server, which will forward it to Automate. InSpec scripts may be stored on the Automate server, in Git, deployed on the local filesystem (possibly managed with Chef), or fetched remotely over http. Good luck!
https://github.com/chef-cookbooks/audit
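As an added example, not code from the thread or the cookbook itself, here is what a wrapper cookbook's attributes file for the audit cookbook looks like for the on-node, scheduled model described above. Attribute names are assumed from the cookbook's documented interface (check them against the version you deploy), the profile entries are constructed sample values, and the `default` stand-in exists only so the file runs as plain Ruby.

```ruby
require 'json'

# Chef supplies `default` inside attributes/default.rb. This stand-in (an
# assumption for running the file outside chef-client) autovivifies nested
# hashes; delete it when the file lives in a real cookbook.
default = Hash.new { |h, k| h[k] = Hash.new(&h.default_proc) }

# Audits run on the node during the scheduled chef-client run and results go
# up through the Chef server, which forwards them to Automate. No inbound ssh.
default['audit']['reporter'] = 'chef-server-automate'
default['audit']['fetcher']  = 'chef-server'   # profiles pulled via the Chef server
default['audit']['interval']['enabled'] = true
default['audit']['interval']['time']    = 1440 # minutes; at most one scan per day

# One entry per profile source the reply lists: Automate, Git, local path, http.
# Names, repo and URL values are constructed for this example.
default['audit']['profiles'] = [
  { 'name' => 'linux-baseline', 'compliance' => 'admin/linux-baseline' },
  { 'name' => 'ssh-baseline',   'git'  => 'https://git.example.com/sec/ssh-baseline.git' },
  { 'name' => 'site-policy',    'path' => '/var/chef/profiles/site-policy' },
  { 'name' => 'vendor-profile', 'url'  => 'https://example.com/profiles/vendor.tar.gz' },
]

AUDIT_CONFIG = default['audit']

# Keys the audit cookbook uses to locate a profile (assumed from its README).
SOURCE_KEYS = %w[compliance git path url supermarket].freeze

# Map each profile name to the fetch mechanism its entry selects, and reject
# entries the cookbook could not resolve: no source key, or more than one.
def profile_sources(profiles)
  profiles.map do |prof|
    keys = SOURCE_KEYS & prof.keys
    unless keys.size == 1
      raise ArgumentError, "profile #{prof['name']} needs exactly one of #{SOURCE_KEYS.join(', ')}"
    end
    [prof['name'], keys.first]
  end.to_h
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(AUDIT_CONFIG)   # what the node will carry as node['audit']
  p profile_sources(AUDIT_CONFIG['profiles'])
end
```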