Skip to content

Instantly share code, notes, and snippets.

@thommay

thommay/workshop.md

Last active August 29, 2015 14:22
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save thommay/2081c87efe0c8d09d4f9 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save thommay/2081c87efe0c8d09d4f9 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
workshop.md

Getting started

In the analytics directory, run rake converge.

Once the rake command has completed, you should be able to go to the Chef Web UI and log in with username analytics and password workshop.

Once logged in, download a private key for your user by going to the user's profile page, selecting reset key then copy the text into .chef/analytics.pem in this directory.

Setting up analytics

Copy oc-id configuration from chef-server:

rake login:server
scp -r /etc/opscode-analytics 192.168.56.101:

password is 'vagrant'

Put config in place and configure analytics

rake login:analytics
sudo cp -r opscode-analytics /etc

#ensure configuration is correct:
sudo opscode-analytics-ctl preflight-check

# configure analytics:
sudo opscode-analytics-ctl reconfigure

Log in to analytics - you'll be prompted to authorize analytics access to your account on the chef server.

Verify analytics is receiving events

In manage, go to Policy and then Environments and click Create. Enter "production" for the name and a description, and add some default attributes. Click Create Environment. Go to your Analytics server and enable auto-refresh. You'll see "User analytics created Environment production". You can click on the arrow to see more details.

Sign up for HipChat for this workshop

https://www.hipchat.com/invite/371475/5fe9b48380d9cc6fa62d40fcc81d3a3f?utm_medium=email&utm_source=evaluator_drip_1

Bootstrap your client node

We'll use the client node to run audits on. I've made a rake target to save typing:

rake bootstrap

You'll be prompted for a unique name that notifications will display.

You should see two events in analytics - the analytics user creating a new client and a new node, both with the name you entered.

Checkpoint

Now we have

  • Three running nodes
    • Chef Server
    • Chef Analytics Server
    • Client
  • Authenticated knife on your workstation
  • The analytics engine receiving events from the Chef server
  • A HipChat login
  • A bootstrapped chef client

Demo

In the cookbooks directory, there are two cookbooks - demo and FIXME. We're going to upload the demo cookbook to our chef server, add some rules and notifications to our analytics server, and run an audited chef client run.

First, we'll upload some sample rules and notifications:

rake upload

Let's expand this task:

  • First, we install the knife-analytics plugin: chef gem install knife-analytics. We've already added the necessary configuration to your .chef/knife.rb config file.
  • Next, we enter the notifications directory and run knife notification create <file>.json for each file.
  • Lastly, we enter the rules directory and run knife rule create <file>.json for each file.

You can see the rules and notifications in Analytics.

Next, we'll upload the demo cookbook:

knife cookbook upload demo

Audit

Let's run the audit on our client node:

rake login:client
sudo chef-client --audit-mode audit-only -o 'recipe[demo::audit]'

Two things here:

  • --audit-mode tells chef-client how to use an audit. It can be set to either enabled, disabled, or audit-only. Audit-only skips the converge and just runs the controls.
  • We're setting a "partial run list": -o 'recipe[demo::audit].

The result of the run should be that there is one failed control and one successful control. In analytics, there'll be two new items in the Alerts tab, and there'll be two notifications about your node in HipChat.

Review

Let's dig in to the audit. Recipe containing control_groups and controls. Control must be inside a control_group. Use serverspec for matchers. Use controls to group together a set of tests that fulfil a purpose.

Testing for a package:

expect(package('wget')).to_not be_installed

Rspec expect syntax. Should syntax is not supported and will result in unexpected behaviour.

Remediate

Now, let's make the node compliant.

sudo chef-client --audit-mode disabled -o 'recipe[demo::remediate]'

Audit

sudo chef-client --audit-mode audit-only -o 'recipe[demo::audit]'

This time, you should see two successful controls in the chef-client output.

Checkpoint

Using a prepared cookbook, we've audited a node, brought it into compliance, and re-audited it.

Perform an Audit

Our security team has prepared a checklist for our audit. We're going to convert that into a set of controls and run an audit on our client.

The checklist

  • SSHd must be installed and running
  • Root logins must not be permitted
  • Password authentication must not be permitted
  • Telnet must not be present
  • NTPd must be installed and running
  • It must be syncing time from centos ntp pool
  • There must be nothing listening on port 80
  • The guest user must not be present
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment