Chef for Compliance Announcement: Waivers Support

Today Chef announces compliance waiver support within Chef InSpec and Chef Automate.

Using Chef for compliance provides a holistic solution for enterprises to achieve continuous compliance. Companies audit their various endpoints for compliance against CIS or DISA standards using Chef InSpec, while viewing the aggregate compliance state of their fleet in Chef Automate.

Today, customers are able to skip controls within Chef InSpec, but have no way to understand how long ago the skip was implemented and for what purpose. In order to maintain operational continuity, customers need to know how exceptions to their compliance posture changes, especially as that has ramifications for their audits. Chef aims to fix that with this announcement of waiver support within Chef InSpec and Chef Automate.

Waivers fulfills the purpose of skipped controls by allowing customers to provide a business justification for controls against which they are unable to be compliant. They can also specify an end date to track when a control should be remediated, or leave it blank to make the waiver permanent. This could be helpful for controls that are either not relevant to the customer’s infrastructural architecture or are handled by another process within the customer’s organization.

Chef InSpec can take waivers as input to an audit run. The result of that audit can then be piped into Chef Automate to provide complete operational visibility into the customer’s compliance posture, which now includes waivers that are applied throughout the fleet. Chef Automate provides developers, operators, and security engineers a rally point from which they can deliver compliant application and infrastructure changes at the speed of their business.

How to set Waivers

To set waivers, do this via Chef InSpec CLI or by using the Audit Cookbook

You will need to be on the latest version of Chef InSpec (ver. 4.18.104).

Waiver files are written in YAML format and are included in your `inspec exec` run with the new `–waiver-file` argument.

Waivers are applied at the control level, in the following format:

  • expiration_date is optional. Absence means the waiver is permanent.
  • run is optional. If present and true, the control will run and be reported, but failures in it won’t make the overall run fail. If absent or false, the control will not be run. You may use any of yes, no, true or false.
  • justification can be any text you want and might include a reason as well as who signed off on the waiver.

As an example:

Chef InSpec will apply waivers during the run and output the results for you to review. As hinted at the beginning of this post, viewing results is best done in Chef Automate.

How to view Waivers in Automate

Chef customers wishing to view Waivers within Chef Automate, will need to be on the latest version of Chef Automate v2 (build number: 20200408145843).

Waivers can be viewed in the following pages within Automate under Compliance:

  • Overview and Nodes page: see how many nodes have been waived.

  • Profiles Page: See how many profiles have been waived and drill down to see which profile was waived

  • Controls Page: Hover over waived controls to see why the control was waived

Learn more

For more information about this release and to get started, check out the waivers documentation in Chef InSpec and Chef Automate today.

Your feedback is always welcome as we continue to improve the waivers experience. We invite you to provide feedback by entering your suggestions in Chef’s Idea Portal.

Keka Ichinose

Keka is the product manager for Chef InSpec and Chef Automate - Compliance. He has been learning and honing DevOps practices for the last 15 years, helping improve the operational excellence of AT&T, Expedia, and The Walt Disney Company just to name a few. His passion is using automation to answer the questions of today so he can start answering the as-yet unexplored and more compelling questions of tomorrow.

Natalie Fisher

Natalie is a Product Manager at Chef, working on Chef Automate out of Chef HQ in Seattle. She has spent 15 years in product, working in companies ranging from e-Commerce, Data Analytics, and Government.