Page 36 - MSDN Magazine, May 2017

Finally, when the changes have passed all the stages in the pipeline, you can send them to the Chef server. The Chef server can then begin to bring the nodes up to date. Chef Automate gives you visibility into everything that’s happening in your infrastructure once the changes are deployed.
Automating Compliance with InSpec
One of the largest banks in India has begun using InSpec in its Banking Services division, which is responsible for most of the bank’s transactions. Compliance is particularly critical for it. The division has approximately 500 HP-UX servers that make up its development, test and production environments.
Of course, there are many regulatory and security guidelines the bank must follow, and each month the team checks to make sure its servers are compliant. There are around 100 checks and, before InSpec, they were performed manually. The process was very difficult. The team had to log in to each machine, check the configuration settings, provide the results on paper and then log them. Completing a single check took about 5 minutes, so vetting just one server took about 8 hours.
When the team began using automated compliance with InSpec, the impact was evident. It could see the entire scan result in minutes. The team could see how many servers were in compliance and how many weren’t, and based on that it could make quick decisions. What had taken 500 minutes to perform on one server could now be performed in 2 minutes.
InSpec also made it much easier to satisfy the bank’s auditors. IT auditors sometimes asked to see the status of a particular machine and retrieving the information was slow. Team members had to run scripts manually, get the output and make it suitable for a report. Now, with a single click, the team could instantly show the auditor what checks have been performed.
Also, InSpec is human readable and easy to learn. Most vendors for security and auditing use a binary format and the tools are difficult to use. When the banking team members saw InSpec, they felt that they could easily learn it within a few days because the learning curve was very small. (You can read about this on the Learn Chef Web site at bit.ly/2mGthmE.)
Wrapping Up
InSpec is an open source testing language that lets you treat compliance as code. When compliance is code, rules are unambiguous and can be understood by everyone on the team. Developers know what standards they’re expected to meet and auditors know exactly what’s being tested. With InSpec, you can replace documents and manual checklists with programmatic tests that have a clear intent.
You can also integrate your compliance tests into your deployment pipeline and automatically test for adherence to security policies. Run tests as often as you need, start testing for compliance on every change and catch problems earlier in the development process, well before you’ve released to production.
Michael Ducy is director of Open Source Product Marketing for Chef Software. He’s used, managed and advocated for open source software for almost 20 years. Ducy has held a number of roles in technology from Linux systems engineer and IT instructor, to presales engineer and more. He’s always interested in engaging with the broader community and can be found on Twitter: @mfdii.
Thanks to the following technical experts for reviewing this article: Bakh Inamov, Adam Leff and Roberta Leibovitz
Figure 4 Example of a Compliance Report