Chef Blogs

Chef InSpec with Docker

Akshay Parvatikar | Posted on | Technical Guide | Workstation

Making sure images and containers behave the way you expect is an integral part of the software development cycle. Chef InSpec lets you scan running Docker containers to verify that they were started from the correct images, publish only the expected ports, run the intended commands, and more. This post walks through testing Docker containers with InSpec and explains, with code examples, what each piece of code is meant to check.

Docker:

Docker can be installed on several operating systems; the official installation guides are linked below.

  1. Mac
  2. Windows
  3. Linux

Introduction about Docker Image:

A Docker image is a read-only template from which containers are created. It packages a filesystem snapshot plus metadata (default command, environment, exposed ports); a running container is an instance of an image.

Setting up the Environment:

Setting up Workstation:

Download Chef Workstation here

  1. Create a new working directory
    $ mkdir chef-inspec
  2. Choose a Docker image for the target; it can be based on any operating system.
    This guide uses an Ubuntu-based image as the example.
  3. In that directory, create a Compose file describing the workstation and target containers.
    Example - docker.yml

version: '3'
services:
  workstation:
    container_name: workstation
    image: chef/chefworkstation
    stdin_open: true
    tty: true
    links:
      - target
    volumes:
      - .:/root   # the working directory (docker.yml, profiles) is mounted at /root inside the container

  target:             # must be indented under services:, not at top level
    image: learnchef/inspec_target
    build: target     # builds ./target/Dockerfile and tags the result as the image above; remove this line to run the pulled image unchanged
    stdin_open: true
    tty: true

Steps to download images from Docker Hub

  1. Browse to Docker Hub
  2. Search for the learnchef/inspec_workstation and learnchef/inspec_target images (they are published under the learnchef namespace, not as Docker Official Images)
  3. Pull the images with $ docker pull
    $ docker pull learnchef/inspec_workstation
    $ docker pull learnchef/inspec_target
  4. Verify the pull in the terminal with $ docker images

  5. Run docker-compose to pull the images named in docker.yml (the workstation there is chef/chefworkstation, so that image is pulled as well) and start the containers. Because the file is not called docker-compose.yml, pass it explicitly with -f:
    $ docker-compose -f docker.yml pull
    $ docker-compose -f docker.yml up -d
    where "-d" runs the containers in the background.
  6. The containers appear in Docker Desktop grouped under the name of the working directory (the Compose project name).

  7. Run $ docker exec -it workstation bash to start an interactive Bash session in the workstation container you just created.

Once the Chef repository, system initialization and cookbook are set up, follow the steps below.

Steps to detect installed software using InSpec

$ inspec detect reports the target's operating system, platform and version.

$ inspec help lists the available commands.

InSpec code

$ inspec init profile auditd

Run $ tree auditd to inspect the generated profile:

auditd 

├── README.md 
├── controls  
│  └── auditd.rb  
└── inspec.yml  

To check the contents of the control file:

$ cat auditd/controls/auditd.rb

# The auditd package must be present on the target.
describe package('auditd') do
  it { should be_installed }
end

Running the InSpec code

The code above is InSpec code stating that the package auditd should be installed. It expresses the same requirement you would check by hand with dpkg -s auditd on a Debian-based system, but as a repeatable test.

$ inspec exec runs your profile directly against your workstation:

$ inspec exec auditd

Example of a passed test: the test passes because the auditd package was already installed on the system.

Example of a failed test: here the profile checks for the osquery package on the target node, which is not installed, so the result is a failure.
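When the profile runs in CI you usually want more than the on-screen pass/fail: a summary you can read in the job log and an exit code that reflects your own policy. The script below is an added example (plain Ruby, not InSpec DSL, and not code from the original post) that reads the JSON written by inspec exec ... --reporter json and fails the build only when a failed control's impact is at or above a threshold. The embedded report is constructed in the shape of InSpec's JSON reporter, trimmed to the fields the script uses; the 0.7 threshold and the control ids are assumptions.

```ruby
# Added example (not from the original post): summarise the JSON that
#   inspec exec auditd -t ssh://user@target --reporter json > report.json
# writes, and decide whether a CI job should fail. InSpec itself exits 100 on
# any failed control; this script instead blocks only on controls whose impact
# is at or above a threshold, so low-impact findings are reported, not blocking.
require 'json'

FAIL_THRESHOLD = 0.7 # assumption: treat impact >= 0.7 (InSpec "high") as blocking

# Returns a hash keyed by control id:
#   { 'status' => 'passed'|'failed'|'skipped', 'impact' => Float,
#     'failures' => [String], 'profile' => String }
def summarize_report(json_text)
  report = JSON.parse(json_text)
  summary = {}
  report.fetch('profiles', []).each do |profile|
    profile.fetch('controls', []).each do |ctl|
      results = ctl.fetch('results', [])
      statuses = results.map { |r| r['status'] }
      # One failed describe block fails the whole control; a control with no
      # results, or only skipped ones, is reported as skipped.
      status =
        if statuses.include?('failed') then 'failed'
        elsif statuses.empty? || statuses.all? { |s| s == 'skipped' } then 'skipped'
        else 'passed'
        end
      failures = results.select { |r| r['status'] == 'failed' }
                        .map { |r| "#{r['code_desc']}: #{r['message']}".strip }
      summary[ctl['id']] = { 'status' => status, 'impact' => ctl['impact'].to_f,
                             'failures' => failures, 'profile' => profile['name'] }
    end
  end
  summary
end

# Exit status for CI: 0 when nothing blocking failed, otherwise 100 (the same
# code InSpec uses for control failures, so existing pipelines need no change).
def gate_exit_code(summary, threshold = FAIL_THRESHOLD)
  blocking = summary.values.any? { |c| c['status'] == 'failed' && c['impact'] >= threshold }
  blocking ? 100 : 0
end

def print_summary(summary)
  summary.each do |id, c|
    puts format('%-8s impact=%.1f %s', c['status'].upcase, c['impact'], id)
    c['failures'].each { |f| puts "         #{f}" }
  end
end

# Constructed sample in the shape of InSpec's json reporter, trimmed to the fields used above.
SAMPLE_REPORT = <<~JSON
  {
    "profiles": [{
      "name": "auditd",
      "controls": [
        {"id": "auditd-installed", "impact": 0.7,
         "results": [{"status": "passed", "code_desc": "System Package auditd is expected to be installed"}]},
        {"id": "osquery-installed", "impact": 0.5,
         "results": [{"status": "failed", "code_desc": "System Package osquery is expected to be installed",
                      "message": "expected that `System Package osquery` is installed"}]},
        {"id": "docker-version", "impact": 1.0,
         "results": [{"status": "skipped", "code_desc": "Docker not present on this target"}]}
      ]
    }],
    "statistics": {"duration": 0.42}
  }
JSON

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_REPORT : File.read(ARGV[0])
  summary = summarize_report(text)
  print_summary(summary)
  code = gate_exit_code(summary)
  puts "gate exit code: #{code}"
  exit code unless code.zero?
end
```

Run it as ruby gate.rb report.json after the inspec exec step; with the embedded sample the osquery failure (impact 0.5) is printed but does not block, while lowering the threshold to 0.5 would return 100.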



Running the InSpec code against a target node

In practice, you’ll typically write InSpec code from your workstation and then run your tests remotely on your target systems.

$ inspec exec auditd -t ssh://root:password@target

Putting the password in the target URI is acceptable in a throwaway lab like this one, but avoid it elsewhere: it ends up in your shell history and is visible to other users in the process list. Prefer key-based authentication with an unprivileged account, for example -t ssh://inspec@target -i ~/.ssh/id_ed25519 --sudo.

The example above shows that the "osquery" package is not installed on the target node.

Check that the profile and its controls are free of errors:

$ inspec check auditd

Example - without any errors or warnings.

Example - with errors: "package" is misspelled in the control.



Tip - an InSpec profile can contain hundreds of tests; you can package a profile as a compressed archive (zip or tar.gz) to make it easier to share.

$ inspec archive auditd

where auditd is the profile name given in inspec.yml.

The file auditd-0.1.0.tar.gz is generated; the name and version come from inspec.yml.

The archive can be stored where validated users can fetch it and run it directly. Because it is executable policy that runs with root privileges on your targets, distribute it through a channel whose integrity you control and verify its checksum before use.

$ inspec exec auditd-0.1.0.tar.gz -t ssh://root:password@target

Output when run against the target node.
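The introduction promises checks on which image a container runs from and which ports it publishes, but the profile above only checks a package. The controls file below, added here as an example and not taken from the original post, does those checks with InSpec's Docker resources (docker_container, docker_image and docker), written in InSpec's Ruby DSL. Put it in controls/docker.rb of a profile created with inspec init profile docker-lab. It assumes the container names workstation and target and the two images from docker.yml; the name target assumes a container_name: target entry that the page's docker.yml does not set (without it Compose generates a name such as chef-inspec_target_1), and it assumes no host ports are published.

```inspec
# controls/docker.rb -- added example, not code from the original post.
# Runs on the Docker host (where `docker ps` works), for example:
#   inspec exec docker-lab -t ssh://user@dockerhost -i ~/.ssh/id_ed25519 --sudo
# Assumptions: the target service has container_name: target in docker.yml,
# and neither service publishes host ports.

control 'docker-lab-target' do
  impact 0.7
  title 'The target container is running from the expected image'
  desc 'Catches a container started from a different image, or from a retagged one.'

  describe docker_container('target') do
    it { should exist }
    it { should be_running }
    its('image') { should eq 'learnchef/inspec_target' }   # IMAGE column of docker ps
  end
end

control 'docker-lab-workstation' do
  impact 0.5
  title 'The workstation container is running and publishes no host ports'
  desc 'It is reached with docker exec, so nothing should be exposed on the host.'

  describe docker_container('workstation') do
    it { should be_running }
    its('image') { should eq 'chef/chefworkstation' }
    # PORTS column of docker ps; for a published port check it explicitly, e.g.
    #   its('ports') { should match(%r{0\.0\.0\.0:8080->80/tcp}) }
    its('ports') { should be_empty }
  end
end

control 'docker-lab-images' do
  impact 0.3
  title 'Both lab images are present on the host'

  %w[learnchef/inspec_target:latest chef/chefworkstation:latest].each do |img|
    describe docker_image(img) do
      it { should exist }
    end
  end
end

control 'docker-lab-no-strays' do
  impact 0.5
  title 'No container other than the two lab containers is running'
  desc 'Anything else running on this host is flagged for review.'

  describe docker.containers.where { names !~ /^(workstation|target)$/ } do
    its('ids') { should be_empty }
  end
end
```

Run this profile against the Docker host, not the container: a target of docker://<container id or name> puts InSpec inside the container, where there is no Docker CLI. That in-container view is what the auditd profile above wants, so inspec exec auditd -t docker://target checks the package inside the target container without any SSH at all.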

Using Chef Supermarket - Community Profiles

$ inspec supermarket profiles

lists the community profiles available on Chef Supermarket.

You can use profiles from the Supermarket to check many scenarios, for example whether a package is installed on a Linux OS, whether log data is written to disk, how much disk space is left, and so on.

You can also run a Supermarket profile directly, without downloading it first:

$ inspec supermarket exec dev-sec/linux-baseline -t ssh://root:password@target

A community profile is code that runs with root privileges on your target, so read it before running it (inspec supermarket info dev-sec/linux-baseline shows its metadata and the source is on Supermarket) and pin the version you vetted rather than always executing the latest.

Containers use fewer computing resources and are faster and easier to deploy than traditional infrastructure, but they also introduce new interdependencies and complexity in the security posture. This creates an opportunity to shift security left and build bridges between development, operations and security teams, while adding new, continuous security and compliance challenges. Chef InSpec gives organizations a way to address these challenges: it provides a powerful, repeatable way to verify the security and compliance requirements of your containers, as demonstrated with the Docker example in this post.

Additional Resources:

Chef 101 - Best Practices blog is a great place to start your journey with workstation.

Also Learn:

Know more on Chef InSpec and Chef with Multi-Cloud setup.

Know more on Chef InSpec best practices.