Integrate Chef Compliance with Chef Automate
Warning
The standalone Chef Compliance server is deprecated. The standalone Chef Compliance server’s end-of-life date is December 31, 2018. Chef Automate 2 has all of the functionality of Chef Compliance Server and also includes newer out-of-the-box compliance profiles, an improved compliance scanner with total cloud scanning functionality, better visualizations, role-based access control and many other features not found in Chef Compliance Server.
This page describes how to use the standalone Chef Compliance server with Chef Automate.
To make it easy to retrieve profiles, run them and report the results during Chef client converges, an audit cookbook was created. It is available on the Chef Supermarket and as a public GitHub repo. The cookbook depends on InSpec and uses node attributes to support several different ways of retrieving profiles and reporting the scan results:
Reporter: chef-automate
This method is compatible with Chef Server managed nodes or Chef Solo (commonly referred to as “Chef client local mode”).
When setting the node['audit']['reporter'] attribute to chef-automate, the audit cookbook can retrieve profiles from the following sources: Chef Supermarket, local filesystem and git repository.
The profile execution results will be sent to Chef Automate using the data_collector URL and token. For more details, see the README file of the audit cookbook.
Reporter: chef-compliance
This method is compatible with Chef Server managed nodes or Chef Solo.
When setting the node['audit']['reporter'] attribute to chef-compliance, the audit cookbook can retrieve profiles from the following sources: Chef Compliance server, Chef Supermarket, local filesystem and git repository.
The profile execution results will be sent to Chef Compliance. Attributes specifying the Chef Compliance API server and authentication token are required. For more details, see the README file of the audit cookbook.
Reporter: chef-server-automate
This method is compatible with nodes managed by a Chef server integrated with Chef Automate and requires the following:
- Requires audit cookbook version 3.1.0 or newer.
- Requires Chef client version 12.16.42 or newer.
- Requires Chef server version 12.11.1 or newer.
- Requires Chef Automate 0.6.6 or newer.
Using the above versions allows:
- Nodes under management by Chef to download compliance profiles from the Chef Automate asset store via Chef Server.
- Nodes under management by Chef to report converge and compliance scan results to Chef Automate (Visibility) via Chef Server.
To enable this use case, add the following settings to /etc/opscode/chef-server.rb on the Chef server:
data_collector['root_url'] = 'https://my-automate-server.mycompany.com/data-collector/v0/'
data_collector['token'] = 'TOKEN'
profiles['root_url'] = 'https://my-automate-server.mycompany.com'
and run sudo chef-server-ctl reconfigure.
The profiles store service also needs to be enabled in Chef Automate. This is documented in Profiles. Manage the profiles in the profiles asset store using the Chef Automate API.
When using the audit cookbook, set the node['audit']['reporter'] attribute to chef-server-automate, and retrieve profiles from the following sources: Chef Automate (via Chef Server), Chef Supermarket, local filesystem and git repository.
The profile execution results will be sent to Chef Visibility. For more details, see the README file of the audit cookbook.
The audit cookbook does not require Chef Automate URL or token attributes, as the Chef Server is acting as a proxy in this setup.
Reporter: chef-server
This method is compatible with nodes managed by a Chef server integrated with Chef Compliance.
Integration instructions can be found here.
Integrating Chef Compliance with Chef server allows:
- Users of Chef Compliance to log in using their Chef Server credentials
- Nodes under management by Chef to download Chef Compliance profiles, run them on nodes, and then send the results back to Chef Compliance
When setting the node['audit']['reporter'] attribute to chef-server, the audit cookbook can retrieve profiles from the following sources: Chef Compliance server, Chef Supermarket, local filesystem and git repository.
The profile execution results will be sent to Chef Compliance. For more details, see the README file of the audit cookbook.
No Chef Compliance URL or token attributes are required by this setup, as the Chef Server is acting as a proxy.
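As an added example that is not part of the audit cookbook or of these docs, the plain Ruby script below checks a node's audit attributes against the reporter rules summarised on this page (which profile sources each reporter can fetch from, and which reporters need endpoint and token attributes) before the configuration is pushed to nodes. The attribute names collector_url, collector_token, server and token, the profile-source keys, and the sample node hash are assumptions.

```ruby
require 'uri'

# Profile sources each reporter can fetch from, as listed on this page.
# Source key names are assumptions, not the audit cookbook's own schema.
REPORTER_SOURCES = {
  'chef-automate'        => %w[supermarket path git],
  'chef-compliance'      => %w[compliance supermarket path git],
  'chef-server-automate' => %w[automate supermarket path git],
  'chef-server'          => %w[compliance supermarket path git]
}.freeze
SOURCE_KEYS = REPORTER_SOURCES.values.flatten.uniq.freeze

# Endpoint/token attributes a reporter needs on the node (assumed names).
# The chef-server* reporters need none: the Chef server proxies the traffic.
REPORTER_REQUIRED = {
  'chef-automate'        => %w[collector_url collector_token],
  'chef-compliance'      => %w[server token],
  'chef-server-automate' => [],
  'chef-server'          => []
}.freeze

# Returns the list of problems found in an audit attribute hash;
# an empty array means the configuration is consistent with the page's rules.
def audit_config_problems(audit)
  reporter = audit['reporter']
  return ["unknown reporter #{reporter.inspect}"] unless REPORTER_SOURCES.key?(reporter)
  problems = []
  REPORTER_REQUIRED[reporter].each do |key|
    problems << "reporter #{reporter} requires node['audit']['#{key}']" if audit[key].to_s.empty?
  end
  # Tokens travel with every report, so insist on TLS for any endpoint given.
  %w[server collector_url].each do |key|
    url = audit[key].to_s
    next if url.empty?
    scheme = (URI(url).scheme rescue nil)
    problems << "#{key} must be an https URL (got #{url})" unless scheme == 'https'
  end
  Array(audit['profiles']).each do |profile|
    name = profile['name'] || '(unnamed)'
    sources = profile.keys & SOURCE_KEYS
    if sources.size != 1
      problems << "profile #{name} must name exactly one source, got #{sources.inspect}"
    elsif !REPORTER_SOURCES[reporter].include?(sources.first)
      problems << "profile #{name}: reporter #{reporter} cannot fetch from #{sources.first}"
    end
  end
  problems
end
```

Run it against the hash your wrapper cookbook would assign to node['audit']; a non-empty result lists each mismatch against the reporter rules above.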