Chef Compliance Guide

[edit on GitHub]

Chef Compliance uses premium Chef content to audit and harden your fleet for CIS. Chef Compliance uses a combination of Effortless Audit and a customized Effortless Remediation package, and gives you the ability to turn controls on and off with a single YAML configuration file.

The Windows and Linux packages in this demonstration work with the Chef Compliance Audit and Remediation content. Find out more about our Chef Compliance offerings.

Chef Compliance Environment Set-up

1. Install Chef Workstation
2. Install Chef Habitat
3. Configure Chef Habitat on your workstation by running hab setup
4. Create a directory for your Chef Compliance profiles–for example: mkdir ~/dev–and change into that directory with cd dev

The Chef Compliance Pattern

The Chef Compliance pattern has two components. The first is the Chef Habitat plan.sh or plan.ps1 file that you will use to invoke the Chef Compliance premium scan and remediation profiles. The second part of the pattern in the config.yaml file that you will use for customizing the Chef Compliance profile.

Create a Chef Habitat Plan

1. Create a plan file for your target operating system (OS). Find out more about writing plans.

   Use a plan.ps1 for a package targeting Windows. Use a plan.sh for a package targeting Linux. If the package targets both Windows and Linux, you can have both a plan.ps1 and a plan.sh in the habitat directory. Create a plan in Linux with the following command:

   touch plan.sh
   

2. In the next several steps, you will fill out your plan file. Copy this basic content into your plan file and make changes by following the next steps. The content values are the same for both Linux and Windows operating systems. Copy the correct file example for your operating system:

   A Linux plan file:

   pkg_name=<company-CIS-benchmark>
   pkg_origin=chef
   pkg_version="semver"
   pkg_maintainer="org"
   pkg_license=("Apache-2.0")
   pkg_scaffolding="chef/scaffolding-chef-benchmark"
   scaffold_scan_package="chef/<Chef_Compliance_scan_package>"
   scaffold_remediate_package="chef/<Chef_Compliance_remediation_package>"
   

   A Windows plan file (note the $ before the plan variables):

   $pkg_name=<company-CIS-benchmark>
   $pkg_origin=chef
   $pkg_version="2.2.0"
   $pkg_maintainer="org"
   $pkg_license=("Apache-2.0")
   $pkg_scaffolding="chef/scaffolding-chef-benchmark"
   $scaffold_scan_package="chef/<Chef_Compliance_scan_package>"
   $scaffold_remediate_package="chef/<Chef_Compliance_remediation_package>"
   

Define Plan Variables

1. Name the package

   Name the package after the CIS benchmark that it contains is the best practice, for example, company-cis-linux-policy. You can also name the package for the application stack that the exceptions and remediation changes apply, for example, redis-company-cis-linux-policy.

   For plan.sh for Linux:

   pkg_name=<company-CIS-benchmark>
   

   To your company name:

   pkg_name=4thcoffee-CIS-benchmark
   

2. Specify your Chef Habitat origin:

   pkg_origin="chef"
   

3. Add a version tag

   Use the same version number as the CIS profile. This best practice helps to avoid confusion as sometimes CIS changes the control IDs between versions.

   pkg_version="2.2.0"
   

4. Add a maintainer and license to the plan:

   pkg_maintainer="tls"
   pkg_license=("Apache-2.0")
   

5. Add the scaffolding to the plan

   The scaffolding is the most critical part. Scaffolding properly sets up the scan and remediation packages to run on the system. Find out more about scaffolding in the Chef Habitat documentation.

   pkg_scaffolding="chef/scaffolding-chef-benchmark"
   

6. Specify the Effortless scan package or an array of Effortless scan packages that you are using to audit your system

   The Compliance packages in this guide are available to all for demonstration purposes. See our Chef Compliance site for more information about our premium packages.

   As a single package:

   scaffold_scan_package="chef/chef-cis-sample-linux-inspec"
   

   As an array of packages:

   scaffold_scan_package=("chef/chef-cis-sample-linux-inspec" "chef/simple_profile")
   

The Chef Compliance Remediation Pattern

If you are a Chef Compliance Remediation customer, add your remediation package next.

Remediation is hard! Remediation changes your system to according to the policy that you design. The Chef Compliance Remediation works in three steps:

• Scanning your system according to your Compliance profile
• Remediating your system according to the rules of the scaffold_remediate_package and your individual control customizations in the config.yml
• Re-scanning your system to confirm its compliance status

Chef Compliance Remediation is a write action and requires two components:

• A specified scaffold_remediate_package in your plan file
• A valid config.yml

In the absence of either of these components, the process stops after the first compliance scan. The output for the first scan, the remediation, and the second scan are all written to the Chef Habitat Supervisor log.

Because compliance remediation changes your system, its defaults are different than compliance scanning:

• Scan is a read action, so it defaults to true
• Remediation is a write action, so it defaults to false

When a remediation action takes place, it works by executing a bash script found the remediation for each control. The script resets the failed setting by changing it to the CIS control specification. For example, if CIS requires the AIDE package, then the remediation step installs the package.

Chef InSpec scan:

control '1.3.1_Ensure_AIDE_is_installed' do
  title 'Ensure AIDE is installed'
  desc  "
    AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system.
    Rationale: By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries.
  "
  impact 1.0
  describe package('aide') do
    it { should be_installed }
  end
end

The remediation installs the “AIDE” package onto your system.

Set Up Chef Compliance Remediation

Set the remediation package in your plan:

scaffold_remediate_package="chef/Chef_CIS_Sample_Linux_v_1_0_0_remediation"

You can set the dry_run variable in your habitat config, and the remediation will run a dry run for all of its controls and output a report on what actions it would have taken.

Once you have tested the changes and you are ready to remediate the entire profile for CIS, you can set the hab configuration to all and it will run all the remediation steps in the scaffold_remediate_package.

While this is an option, there is no unset on remediation. The only way to unset a remediation is to change it back using a remediate overlay command. To protect against this, we run a scan before we run the remediation, so that you can reference the state to help you go back if needed.

Review Finished Plan

Your plan file is complete.

A Linux plan file:

pkg_name=cis-linux-benchmark
pkg_origin=chef
pkg_version="2.2.0"
pkg_maintainer="tls"
pkg_license=("Apache-2.0")
pkg_scaffolding="chef/scaffolding-chef-benchmark"
scaffold_scan_package="chef/chef-cis-sample-linux-inspec"
scaffold_remediate_package="chef/Chef_CIS_Sample_Linux_v_1_0_0_remediation"

A Windows plan file (note the $ before the plan variables):

$pkg_name=cis-linux-benchmark
$pkg_origin=chef
$pkg_version="2.2.0"
$pkg_maintainer="tls"
$pkg_license=("Apache-2.0")
$pkg_scaffolding="chef/scaffolding-chef-benchmark"
$scaffold_scan_package="chef/chef-cis-sample-linux-inspec"
$scaffold_remediate_package="chef/Chef_CIS_Sample_Linux_v_1_0_0_remediation"

Build and Run Your Package

1. Build the package

   Run the following command to build the package:

   hab pkg build .
   

2. You can now upload your profile pkg to Chef Habitat Builder by running the following commands:

   source results/lastbuild.env
   hab pkg upload results/$pkg_artifact
   

3. To run your profile on a system, install Chef Habitat as a service and run hab svc load <my_origin>/<my_profile_name>

Customize Chef Compliance

Now that we have the package running, it is time to make customizations. When making a customization, consider if you want to customize the scan or the remediation? Here are a list of available options for scanning and remediation:

Custom Compliance Configuration

In this next section, you will build out a custom configuration.

The config.yml is the interface to the remediation system. You will express all of your policy customizations in the config.yml. You can find the content of failed compliance scans in Chef Automate. Copy the controls for customization from the Chef Automate Compliance > Reporting results into the config.yml.

1. In the custom CIS package folder, create a new folder called config and a config.yml file within that folder:

   cd ~/dev/cis-linux-benchmark
   mkdir config
   touch config.yml
   

   Skip ahead and see the completed configuration example if desired.

2. In order for your remediation to work, you need to add the provider of the benchmark, the name of the benchmark, and the version of the benchmark as metadata as the first three lines of your config.yml. Add the metadata:

   ---provider:Chefbenchmark:CIS Sample Linuxprovider_version:v.1.0.0

3. Add a permanent exception for a control with scan and remediate turned off:

   controls:- id:<control_id_number>scan:run:falseremediate:run:falsejustification:"This is an example of a justification"

4. Turn on a remediation for a control:

   - id:<control_id_number>remediate:run:true

5. Override a control’s remediation and disable the scan:

   - id:<control_id_number>scan:run:falseremediate:run:trueoverlay_commands:- local:echo "this is an overlay command"justification:"This control is disabled as the company standard is x"

6. Use one justification in a control:

   controls:- id:<control_id_number>scan:run:falsejustification:"This is an example of a justification"remediate:run:false# For an overlay command:# An overlay command replaces the command in the remediation# In this example, the remediation does not install the 'aide' package# and instead outputs the overlay_commands to the screen# run: true#  overlay_commands:#    - local: echo "this is an overlay command"justification:"This is an example of another justification. But only use one justification."

7. Create an exception with an end date:

   - id:<control_id_number>scan:run:falseremediate:run:truewaiver:start_date_utc:"--- 2019-10-17 08:25:57.571436000 Z\n"expiration_date_utc:"--- 2021-01-20 08:25:57.571522000 Z\n"identifier:ticket_12345justification:"This is a reason not to run this scan"

8. Re-build your custom CIS profile in the Chef Habitat studio:

   ~/dev/cis-linux-benchmark $ hab studio enter -D
   ...
   [2][default:/src:0]$ build
      cis-linux-benchmark:
      cis-linux-benchmark: I love it when a plan.sh comes together.
      cis-linux-benchmark:
      cis-linux-benchmark: Build time: 0m36s
   [2][default:/src:0]$
   

9. Upload your package to Chef Habitat Builder:

   source results/last_build.env
   hab pkg upload results/$pkg_artifact
   

10. It may take a little bit for the profile and the remediation to run, but once complete, you will see the newly skipped controls and the remediated controls.

Completed Compliance config.yml Example

---provider:Chefbenchmark:CIS Sample Linuxprovider_version:v.1.0.0controls:- id:1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabledremediate:run:true- id:1.3.1_Ensure_AIDE_is_installedremediate:run:true- id:5.2.11_Ensure_SSH_PermitEmptyPasswords_is_disabledremediate:run:true- id:5.2.14_Ensure_SSH_access_is_limitedscan:run:falsejustification:"I don't want to disable SSH access at this time: John Snow"remediate:run:false- id:5.2.4_Ensure_SSH_Protocol_is_set_to_2remediate:run:true- id:5.4.1.2_Ensure_minimum_days_between_password_changes_is_7_or_moreremediate:run:true

Summary

That’s it! You can quickly change the running controls for exceptions and remediation, and deploy it to your system in minutes.