Progress Chef® Compliance™ makes it easier for DevOps, InfoSec and Compliance teams to maintain and ensure IT compliance and security across the enterprise. Progress Chef® Cloud Security™ enables you to scan, monitor and remediate configuration issues across on-prem and cloud-native environments in your multi-cloud accounts.
InSpec exec, which is the command that lets you execute a compliance profile.
But did you know that Chef InSpec has many more options?
We have categorized the InSpec commands into the four groups below.
- Explore and Diagnose
- Manage large profiles
- Integrate with other systems
- Learn to work more efficiently
Explore and Diagnose (InSpec Shell, InSpec Detect, InSpec Check and InSpec Export)
1. InSpec Shell
InSpec Shell is a great way to learn about and explore InSpec.
InSpec Shell and find out what they do. When you run InSpec Shell against your machine, you will be presented with a prompt with precisely what is detected.
You can execute any InSpec profile at the prompt, and it shows the results in real time as you type. With InSpec Shell you can also execute profiles directly on remote hosts to learn how they behave there.
2. InSpec Detect
InSpec detect is a great way to diagnose connection issues.
InSpec detect is a great way to find out this information.
You can run it on a local machine or even a remote machine to get the target machine’s details. While running with debugging information, it can retrieve extra information about the SSH connection.
3. InSpec Check
InSpec check lets you look for issues in compliance profiles. It detects problems like ‘required fields missing’ in the profile code and the inspec.yml metadata file. It also includes essential support for linting, with more rules coming in the future.
InSpec check and the name of your profile. It will examine the profile and run all of its checks and warnings.
InSpec check is a great way to look for problems in your profiles; in fact, did you know that it can also look for issues in profiles every time you upload a profile to Automate?
4. InSpec Export
InSpec has introduced a new feature called IAF files, which are signed binary profiles for enhanced security. Since it’s tied to security, it does not allow you to peek into the profile to identify controls to use/override or to access waivers. The InSpec Export command can be very handy here. With InSpec Export you can see everything about the profile, including metadata, controls, version, tags and more.
How do you manage large profiles?
Progress Bar Reporter
The progress bar reporter is a configurable output stream for InSpec exec. A large profile run produces a lot of information. However, InSpec provides real-time feedback with the names of the controls that are executed and a progress bar at the bottom of the screen. This way, you are informed about controls that are slow, allowing you to focus on optimization efforts.
Focus on specific controls with InSpec exec --controls
You can also use a pattern to match multiple controls and use it to divide a profile into different parts. For example, consider a profile with several controls named with the word ‘rule’, followed by a number. We can split it to run only the controls whose names begin with rule_1. When you run that, it will only match the controls that match the word rule_1. This way, you could split large profiles based on some text in the rule ID.
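Splitting a profile this way only holds up as a compliance measure if every control lands in exactly one shard. The following added example (not code from the original article or from Chef) checks a set of patterns for gaps and overlaps before they are passed to --controls. The control IDs, both plans and the my_profile path are constructed, and it assumes patterns are matched against control IDs as Ruby regular expressions.

```ruby
# Added example (not from the original article): verify that a set of
# --controls patterns covers every control exactly once before sharding a run.

# Constructed control IDs following the "rule" + number naming described above.
CONTROL_IDS = (1..25).map { |n| "rule_#{n}" }.freeze

# Shard by leading digit of the rule number: rule_1*, rule_2*, ... rule_9*.
PREFIX_PLAN = (1..9).to_h { |d| ["shard_#{d}", /^rule_#{d}/] }.freeze

# A hand-written plan with two mistakes: rule_1 is selected twice and
# rule_25 is selected by nothing.
RANGE_PLAN = {
  "low"      => /^rule_\d$/,
  "teens"    => /^rule_1/,
  "twenties" => /^rule_2[0-4]$/
}.freeze

# Returns the controls each pattern selects, plus the controls no pattern
# selects (:missed) and those selected by more than one pattern (:duplicated).
def plan_shards(control_ids, shards)
  assignment = shards.transform_values { |re| control_ids.grep(re) }
  hits = assignment.values.flatten.tally
  {
    assignment: assignment,
    missed: control_ids.reject { |id| hits.key?(id) },
    duplicated: control_ids.select { |id| hits.fetch(id, 0) > 1 }
  }
end

# Builds one command line per shard. "my_profile" is a placeholder path.
def shard_commands(profile, shards)
  shards.map { |_name, re| "inspec exec #{profile} --controls '/#{re.source}/'" }
end

if __FILE__ == $PROGRAM_NAME
  { "prefix" => PREFIX_PLAN, "range" => RANGE_PLAN }.each do |label, plan|
    result = plan_shards(CONTROL_IDS, plan)
    sizes = result[:assignment].transform_values(&:size)
    puts "#{label}: sizes=#{sizes} missed=#{result[:missed]} duplicated=#{result[:duplicated]}"
  end
  puts shard_commands("my_profile", PREFIX_PLAN).first
end
```

The prefix plan is complete but uneven: the rule_1 shard picks up rule_10 through rule_19 as well, so shard sizes should be checked alongside coverage.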
Divide a profile in custom ways using inputs
InSpec also allows you to divide large profiles in custom ways. You could use an input to match an instance ID pattern and use it to restrict the instances that match. For example, you could use a resource to query all EC2 instances that match a pattern you provide. This allows you to provide a pattern outside of your profile externally and then you can vary this pattern over time. For instance, start with all instances beginning with ‘1’, then ‘2’, ‘3’ and so on.
This allows you to shard your profiles based on some criteria, such as a resource ID. Did you know that some of our customers have used this feature to shard estates with millions of individual cloud resources?