A waiver is a mechanism that allows you to bypass specific controls from a compliance scan. A Waiver will enable you to provide details about the exception, including expiration (if applicable) and justification.
Benefits of using Waivers:
- Justifies an excepted control (vs the older skip control mechanism)
- Promotes a culture of introspection; operators are encouraged to comply with all controls if not waived with a permanent justification.
- You can still “run” a control to track compliance progress without impacting overall posture.
- When running the
inspec exec
command by using the--waiver-file
switch. - Declared in the cookbook’s attributes file.
A waiver file contains the following pieces of information:
- Control ID_Name - the ID and Title of the control to be waived
- Expiration Date - the date when the waiver is set to expire
- Waiver Justification (optional) - a way to allow users to justify the waiver (i.e. why the given control must be waived).
- Skip run switch - allow users to skip the evaluation of the waived control.
Difference between a Skipped and Waived control?
- Skipped controls are not evaluated/run
- Waived controls that are
run: false
are not evaluated/run
Setting up the Environment
Within your cookbook, execute the command $ chef generate waiver <name of the file>
. The output tells you that a new directory is created for waiver, under compliance folder.
![](https://d34smkdb128qfi.cloudfront.net/images/cheflibraries/about/picture12bd8eeb6-6dd2-4c5f-ae03-bc3549044591.png?sfvrsn=3a15fb5f_1)
The command above will create a new yml
file. You can edit this file or create a new for compliance scanning.
- Recipe: The recipe below will install and start the nginx server on the remote node. Along with installation, it will push the waiver
release.yml
file to the remote node under the/tmp
directory.
Note: Waiver file should be present in the client node for it to be executed and applied.
- Example: Below, compliance has two controls. The first will check whether port 80 is listening, and the second will contain the version and the modules, respectively.
- Waiver – release.yml file
Below waiver file will exempt (waive off) the control nginx-port
when there is a client run until the expiration date.
![](https://d34smkdb128qfi.cloudfront.net/images/cheflibraries/about/picture44ff586e7-f3dd-44ba-8b84-207a1ac9368b.png?sfvrsn=a21ba2dc_1)
Note that the Control ID should match that of the waiver and control file. In the above example, the control ID and waiver is nginx-port
.
- Edit the attributes file to include the waiver.
![](https://d34smkdb128qfi.cloudfront.net/images/cheflibraries/about/picture54c3e9944-d429-43c2-a420-5f1ecd416c0d.png?sfvrsn=6206d0f8_1)
Note: You should not place your waivers in /tmp
. Every organization will have their own standards, we are using /tmp
as an example.
$ cookstyle –a
$ knife cookbook upload <cookbook-name>
, but the more modern way is to use Policyfiles. $ chef install Policyfile.rb
, which creates a Policyfile.lock.json
file, then use $ chef push prod Policyfile.lock.json
to bundle everything and send it to your Chef server. $ inspec exec compliance/profiles/<profile_name>/controls/<control.rb> --waiver-file compliance/waivers/<waiver-file.yml>
![](https://d34smkdb128qfi.cloudfront.net/images/cheflibraries/about/picture619107581-48c2-40a8-b646-90e3f40e4b91.png?sfvrsn=8f38936b_1)
nginx-port
is skipped
,and the other two controls are executed. $ sudo chef-client
command will execute the cookbook in the target node along with all the recipes, compliance and waivers files.
![](https://d34smkdb128qfi.cloudfront.net/images/cheflibraries/about/picture759c4e3d5-dcea-48d0-bdb0-2157e0ef6498.png?sfvrsn=203e76b5_1)
You can confirm the results from the Automate UI. As you can see the control nginx-port
is under waived control.
![](https://d34smkdb128qfi.cloudfront.net/images/cheflibraries/about/picture8.png?sfvrsn=ce6cf5c4_1)
Conclusion