Making sure images and containers perform the way you want is an integral part of the software development cycle. Chef InSpec allows you to scan running Docker containers to ensure they are running based on the correct images, appropriate ports, running proper commands, and more. In this blog, learn how to test Docker containers and understand what the code should accomplish with code examples.
Docker:
Docker can be installed and run upon multiple operating systems. You can find detailed steps in the installation guide below given links.
Introduction about Docker Image:
A Docker image is a file used to execute code in a Docker container. Docker images act as a set of instructions to build a Docker container, like a template.
Setting up the Environment:
Setting up Workstation:
Download Chef Workstation here
- Create a new working directory
$ mkdir chef-inspec - Create a docker image, which can be of any operating system.
This guide explains working with Ubuntu as an example. - Create a
.ymlfile with workstation/target details.Example - docker.yml
version: '3'
services:
workstation:
container_name: workstation
image: chef/chefworkstation
stdin_open: true
tty: true
links:
- target
volumes:
- .:/root
target:
image: learnchef/inspec_target
build: target
stdin_open: true
tty: true
Steps to download images from Docker
- Browse to
DockerHub - Search for
“inspec_workstation”&“inspec_target” under official images category - Pull the images using the
$ docker pull command$ docker pull learnchef/inspec_workstation$ docker pull learnchef/inspec_target - Verify the pull in terminal using the command
$ docker images
- Run
$ docker-composecommand to retrieve the latest workstation image mentioned above.$ docker-compose pull$ docker-compose up -d
where“-d”states to run containers in the background. - You should see the directory name coming up in docker UI.
- Use the command
$ docker exec -it workstation bashto begin interactive Bash session on recently created workstation container.
After setting up of Chef repository, System initialization and Cookbook. Follow the below steps.
Steps to detect software installed using Inspec
$ inspec detect helps with the information of the target operating system.
$ inspec help is to understand different available commands.
InSpec code
$ inspec init profile auditd
Run $ tree auditd to check auditd profile
auditd
├── README.md ├── controls
│ └── auditd.rb
└── inspec.yml
To check the content of auditd.rb file
$ cat auditd.rb
describe package('auditd') do
it { should be_installed }
end
Using the InSpec Code to Compile
Code which you see above is InSpec code, which states that the package auditd should be installed. It gives the same requirement when compared to dpkg -s auditd.
$inspec exec command helps to execute your profile directly against your workstation
$ inspec exec auditd
Example of passed test case – You’ll see test being cleared as auditd package was previously installed on the system.
Example of failed test case – You’ll be testing for the package Osquery installed on your target node, which is not the case. So, the resulting result is failed.
Using the InSpec code to compile against Target node
In practice, you’ll typically write InSpec code from your workstation and then run your tests remotely on your target systems.
inspec exec auditd -t ssh://root:password@target
Above example shows component “osquery” in not installed on target node.
Check if profile/control are errors free.
$ inspec check auditd
Example – Without any error or warnings.
Example – With errors
Wrong “package” spelling..png?sfvrsn=79ac7c9e_0)
Tip – InSpec profile can contains hundreds of tests, you can package a profile as a compressed format (zip or tar) to make it easier to share.
$ inspec archive auditd
Where auditd is the unique name given in inspec.yml file
The file auditd-0.1.0.tar.gz will be generated.
Above achieve file can be stored in the system which can be directly accessed and run by validated users.
$ inspec exec auditd-0.1.0.tar.gz -t
ssh://root:password@target
On target node.
Using Chef Supermarket – Community Profile
$ inspec supermarket profiles
You can access it at Chef Supermarket.
You can use the code from the supermarket to check for multiple scenarios, for example, to see if the package has installed on Linux OS, to write log data to disk, check space left on the disk, etc.
You can also execute the command directly from supermarket using
$ inspec supermarket exec dev-sec/linux-baseline -t
ssh://root:password@target
Containers use less computing space and are faster and easier to deploy than traditional infrastructure. However, they also introduce interdependencies and complexities with respect to security postures. While this creates an opportunity to shift security left and build bridges between development, operations, and security teams, it also introduces new challenges associated with security and compliance continuously. Chef InSpec enables organizations to address these security challenges associated with implementing containers. Chef InSpec provides a powerful way to verify the security and compliance needs of your containers, as demonstrated with the example of Docker in this blog.
Additional Resources:
Chef 101 - Best Practices blog is a great place to start your journey with workstation.
Also Learn:
Know more on Chef InSpec and Chef with Multi-Cloud setup.
Know more on Chef InSpec best practises.
