Commit fd4e6d97a6

* Updated exec option to allow unsigned profiles to run
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Added method to verify signed profile and to check for signed profile
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Invoked logic on each run to verify profiles if signed, else raise sig req error
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Test cases added to validate behaviour of inspec exec with signed and unsigned profiles with --chef-allow-unsigned flag
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Refactored and moved delete_signing_keys to common helper library for tests
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Updated code comments for more information and clarity on security update of signed profiles inspec exec
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Test cases to validate inspec run with combination of signed and unsigned profiles
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Documented usage of flag --chef-allow-unsigned
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Renamed the flag to run unsigned profiles to --allow-unsigned
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Refactored logic on profile level for profile signing verification
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Renaming the argument variable from runner_call to silent
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Added profile mandate check for other inspec commands running profile evaluation
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Updated error message for profile sign requirement
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Updated test helper to fix inspec json test
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Fixed inspec json ability to use cli options successfully
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Documentation added for signed profiles mandatory usage with CLI commands
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Flow changes of raising exception when unsigned instead of direct exit
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Renamed unsigned profile flags
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Extracted out allow unsigned condition to config and modified comment info
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Doc update on consent of using signed and unsigned profiles
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Fix in signing mandating check and added additional check on runner for better error UI for exec command
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Removed repeated allow-unsigned-profile definition from exec_options
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Test fixes
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Enabled feature preview flag for mandatory signing
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Test fixes after feature flag usage for mandatory signing
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Doc changes using feature preview flag for mandatory signing feature
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Inspec exec tests fixes for ENV values and parallel test fix using default option --allow-unsigned-profile false
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Kitchen fix while using signed profiles with inspec
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Unit test fix for profile resource exception
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Virtual profile detection improved
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Move mandatory profile signing info to signing page
  Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Renamed flag from --allow-unsigned-profile to --allow-unsigned-profiles
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Typo fix in signing doc
  Signed-off-by: Nik08 <nikita.mathur@progress.com>
* Trim note in cli.md about mandatory profile signing
  Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Docs changes
  Signed-off-by: Ian Maddaus <ian.maddaus@progress.com>
* Correct docs regarding exit code 5
  Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>

---------

Signed-off-by: Nik08 <nikita.mathur@progress.com>
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
Signed-off-by: Ian Maddaus <ian.maddaus@progress.com>
Co-authored-by: Clinton Wolfe <clintoncwolfe@gmail.com>
Co-authored-by: Ian Maddaus <ian.maddaus@progress.com>
InSpec Habitat Plugin
Summary
This plugin allows you to do the following:
- Add Habitat configuration to a profile
- Create/Upload a Habitat package from an InSpec profile
Creating a Habitat package from an InSpec profile allows you to execute that profile as a service (via a Habitat Supervisor) on any Linux based platform.
When running as a service, an InSpec report will be created in JSON format (by default at /hab/svc/YOUR_SERVICE/logs/inspec_last_run.json). Additionally, a log of the last run will be located at /hab/svc/YOUR_SERVICE/logs/inspec_log.txt, and CLI output is viewable in the Supervisor logs by default. You can also configure this service to report to Chef Automate.
See below for usage instructions.
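As an added example (not part of the inspec-habitat plugin or of InSpec itself), the following Ruby script reads a report in the shape that InSpec's JSON reporter writes to /hab/svc/YOUR_SERVICE/logs/inspec_last_run.json and summarises it: a count of controls by status, the failed controls ordered by impact, and an exit code following InSpec's documented convention (100 when any control failed, 101 when nothing failed but something was skipped, 0 otherwise). The embedded report is constructed sample data; the field names (profiles, controls, id, impact, results, status) are those of the JSON reporter, while the helper names (control_status, summarize_report, exit_code_for) are assumptions of this example.

```ruby
# Added example, not plugin code: summarise the JSON report that the Habitat
# service writes (by default /hab/svc/YOUR_SERVICE/logs/inspec_last_run.json).
require "json"

# Constructed sample in the shape of InSpec's JSON reporter output
# (profiles -> controls -> results). It stands in for the real file so the
# example runs offline; pass a path as the first argument to read a real one.
SAMPLE_REPORT = <<~JSON
  {
    "version": "5.22.0",
    "profiles": [
      {
        "name": "linux-baseline",
        "controls": [
          {"id": "os-01", "impact": 1.0, "title": "Only root has UID 0",
           "results": [{"status": "passed", "code_desc": "constructed"}]},
          {"id": "os-02", "impact": 0.7, "title": "sshd_config permissions",
           "results": [{"status": "failed", "code_desc": "constructed",
                        "message": "expected mode 0600"}]},
          {"id": "os-03", "impact": 0.0, "title": "Not applicable here",
           "results": [{"status": "skipped", "skip_message": "constructed"}]}
        ]
      }
    ]
  }
JSON

# Reduce a control's results to one status: any failed result makes the
# control failed; otherwise any skipped result makes it skipped.
def control_status(control)
  statuses = control.fetch("results", []).map { |r| r["status"] }
  return "failed" if statuses.include?("failed")
  return "skipped" if statuses.include?("skipped")
  "passed"
end

# Walk every profile and control in the report, count statuses and collect
# failed controls with their impact so the highest-impact failures come first.
def summarize_report(json_text)
  report = JSON.parse(json_text)
  counts = Hash.new(0)
  failed = []
  report.fetch("profiles", []).each do |profile|
    profile.fetch("controls", []).each do |control|
      status = control_status(control)
      counts[status] += 1
      next unless status == "failed"
      failed << { profile: profile["name"], id: control["id"],
                  impact: control["impact"].to_f }
    end
  end
  { counts: counts, failed: failed.sort_by { |c| -c[:impact] } }
end

# InSpec's documented exit-code convention: 100 for any failed control,
# 101 when nothing failed but at least one control was skipped, else 0.
def exit_code_for(summary)
  return 100 if summary[:counts].fetch("failed", 0) > 0
  return 101 if summary[:counts].fetch("skipped", 0) > 0
  0
end

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  summary = summarize_report(text)
  c = summary[:counts]
  puts "passed=#{c['passed']} failed=#{c['failed']} skipped=#{c['skipped']}"
  summary[:failed].each do |f|
    puts "FAILED #{f[:profile]}/#{f[:id]} (impact #{f[:impact]})"
  end
  puts "exit code would be #{exit_code_for(summary)}"
end
```

Run it with no arguments to see the constructed sample, or point it at the service's inspec_last_run.json to triage a real run; the exit code it computes is what a monitoring hook can key on.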
Plugin Usage
Adding Habitat Configuration to an InSpec Profile
Run the following command:
inspec habitat profile setup PATH
This will create the following files:
- habitat/plan.sh (Provides build time instructions to Habitat)
- habitat/default.toml (Used to configure the running Habitat service)
- habitat/hooks/run (Shell script to execute this profile as a service)
- habitat/config/inspec_exec_config.json (JSON for inspec exec CLI options)
Creating a Habitat Package
This command requires Habitat to be installed and configured. For instructions on how to do that see here.
Run the following command:
inspec habitat profile create PATH
This command will:
- Create a Habitat artifact (.hart file).
NOTE: If you are fetching packages from Chef Automate see below.
Uploading a Habitat Package
This command requires Habitat to be installed and configured. For instructions on how to do that see here.
Run the following command:
inspec habitat profile upload PATH
This command will:
- Create a Habitat artifact (.hart file).
- Upload the Habitat artifact to bldr.habitat.sh.
NOTE: If you are fetching packages from Chef Automate see below.
Habitat Package Usage
This command requires Habitat to be installed and configured. For instructions on how to do that see here.
General usage instructions for using Habitat packages can be found here.
Installing the package from a HART file:
# See Habitat docs for more info. The below is for testing only.
hab pkg install PATH_TO_CREATED_HART_FILE
hab sup run YOUR_ORIGIN/inspec-profile-YOUR_PROFILE_NAME
Installing the package from the Public Builder Depot:
# See Habitat docs for more info. The below is for testing only.
hab pkg install YOUR_ORIGIN/inspec-profile-YOUR_PROFILE_NAME
hab sup run YOUR_ORIGIN/inspec-profile-YOUR_PROFILE_NAME
Integrating with Chef Automate
Fetching Profiles from Chef Automate During Build
Fetching profiles from Chef Automate requires authentication.
Run the following commands prior to creating/uploading your Habitat package:
# -k skips TLS certificate verification; remove it if you are not using a self-signed certificate
inspec compliance login -k --user USER --token API_TOKEN https://AUTOMATE_FQDN
export HAB_STUDIO_SECRET_COMPLIANCE_CREDS=$(cat ~/.inspec/compliance/config.json)
Sending InSpec Reports to Chef Automate
After running your Habitat package as a service you can configure it to report to Chef Automate via a configuration update.
For example, create a TOML file (config.toml) that matches the below:
[automate]
url = 'https://chef-automate.test'
token = 'TOKEN'
user = 'admin'
Then apply it like so:
# The '1' here is the config version (increment this with each change)
hab config apply inspec-profile-PROFILE_NAME.default 1 /path/to/config.toml
This will apply the configuration to all services in the service group. For more information on service groups, see the Habitat docs.
Testing
Lint, unit, and functional tests are run from the root of the InSpec source:
bundle exec rake test
To execute the integration tests (Test Kitchen + Vagrant + VirtualBox) run the following from the directory containing this README.md:
bundle exec kitchen test