问题
I am describing in brief the CHEF usage in our env and what we wish to accomplish from Inspec.
• We have two generic cookbooks available for Windows and Unix
• These generic cookbooks have individual recipes, each of which has the logic defining one specific chef resource, e.g. directory creation, package install, etc.
• Then; an application specific wrapper cookbook is created which consumes the generic cookbook.
• The properties of the chef resources(ones which are defined in generic cookbook) which needs to be applied to the nodes are declared in the wrapper cookbook role files.
I have written inspec tests with hard coded values and those work fine; however we have thousands of nodes for which we need to do the compliance test. Writing inspec for each of them is not desirable.
A sample inspec control
control '01' do
impact 0.7
title 'Verify my recipe'
desc 'Check if the folders were created with proper permissions'
describe directory('D:\\DATA\\Files') do
it { should exist }
it { should be_allowed('full-control', by_user: 'BUILTIN\Administrators') }
it { should be_allowed('execute', by_user: 'Everyone') }
it { should be_allowed('modify', by_user: 'MY_ORG\PRIV_ACCT') }
end
end
We hope to create a generic profile with generic controls. These controls can then pick up the attributes automatically declared in the wrapper role file or some other centralized location and check for compliance on the node.
This is much more desirable as this will require one time effort to set up the framework
来源:https://stackoverflow.com/questions/55920053/infrastructure-compliance-via-inspec