| author | Lamont Granquist <lamont@scriptkiddie.org> | 2021-02-25 15:36:04 -0800 |
|---|---|---|
| committer | Tim Smith <tsmith84@gmail.com> | 2021-03-05 12:31:44 -0800 |
| commit | bc969068b48f5c7d7fd89c2a7c7a7aab12a0a9e7 (patch) | |
| tree | 8573ea6d38636bb02df062bfd1f005d2a72a2ea1 | |
| parent | cd045c668d04c132e276de003047fe2789543e36 (diff) | |
| download | chef-bc969068b48f5c7d7fd89c2a7c7a7aab12a0a9e7.tar.gz | |
Add a compliance_mode node attribute

Setting node["audit"]["compliance_mode"] to be false should force the
compliance mode to not run.

This is for sites which run override run lists which have the audit
cookbook in them, but the rest of their cookbooks define profiles so
that in normal running they still have those profiles defined but
they're manually running the cookbook.

That is likely a pretty bad pattern since the cookbook_synchronizer will
be thrashing on at least the audit cookbook being downloaded and then
removed, but it seems people have settled on this as their solution
which breaks the assumptions we had for the compliance_mode.

To sort this out those sites should set node["audit"]["compliance_mode"]
to be false on their runs which aren't supposed to run audits. Instead
of an override run list with the audit cookbook in it, they can just run
an override run_list which sets this node attribute to true (in any
fashion: roles, policyfiles, wrapper cookbook style, recipe mode, etc.)

This also is obviously an opt-out switch, although sites preferring to
use the audit cookbook should understand that cookbook development will
be abandoned after it is deprecated and there will be no more bugfixes
or support for that.

Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
| -rw-r--r-- | lib/chef/compliance/default_attributes.rb | 7 |
|---|---|---|
| -rw-r--r-- | lib/chef/compliance/runner.rb | 2 |
| -rw-r--r-- | spec/unit/compliance/runner_spec.rb | 7 |

3 files changed, 13 insertions, 3 deletions
diff --git a/lib/chef/compliance/default_attributes.rb b/lib/chef/compliance/default_attributes.rb index 9b368d4f64..b0653b46d8 100644 --- a/lib/chef/compliance/default_attributes.rb +++ b/lib/chef/compliance/default_attributes.rb @@ -1,5 +1,5 @@ # Author:: Stephan Renatus <srenatus@chef.io> -# Copyright:: (c) 2016-2019, Chef Software Inc. <legal@chef.io> +# Copyright:: Copyright (c) Chef Software Inc. <legal@chef.io> # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -87,7 +87,10 @@ class Chef # If enabled, a hash representation of the Chef Infra node object will be sent to Chef InSpec in an input # named `chef_node`. - "chef_node_attribute_enabled" => false + "chef_node_attribute_enabled" => false, + + # Should the built-in compliance phase run. + "compliance_phase" => true ) end end diff --git a/lib/chef/compliance/runner.rb b/lib/chef/compliance/runner.rb index 871d86ea23..fc5a6b386e 100644 --- a/lib/chef/compliance/runner.rb +++ b/lib/chef/compliance/runner.rb @@ -23,7 +23,7 @@ class Chef logger.debug("#{self.class}##{__method__}: #{Inspec::Dist::PRODUCT_NAME} profiles? #{inspec_profiles.any?}") logger.debug("#{self.class}##{__method__}: audit cookbook? #{audit_cookbook_present}") - inspec_profiles.any? && !audit_cookbook_present + inspec_profiles.any? && !audit_cookbook_present && node["audit"]["compliance_phase"] end def node=(node) diff --git a/spec/unit/compliance/runner_spec.rb b/spec/unit/compliance/runner_spec.rb index d982174e67..d46d756b0e 100644 --- a/spec/unit/compliance/runner_spec.rb +++ b/spec/unit/compliance/runner_spec.rb 
@@ -19,6 +19,13 @@ describe Chef::Compliance::Runner do expect(runner).to be_enabled end + it "is false if the node attributes have audit profiles and the audit cookbook is not present, and the compliance mode attribute is unset" do + node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" } + node.normal["audit"]["compliance_mode"] = false + + expect(runner).to be_enabled + end + it "is false if the node attributes have audit profiles and the audit cookbook is present" do stub_const("::Reporter::ChefAutomate", true) node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" } |
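Review bot: the attribute name is inconsistent across the change. The second hunk in default_attributes.rb adds the key `"compliance_phase" => true`, and runner.rb reads `node["audit"]["compliance_phase"]`, but the commit title and body document `node["audit"]["compliance_mode"]` and the spec sets `node.normal["audit"]["compliance_mode"] = false`. An operator following the commit message would set an attribute that nothing reads and the compliance phase would still run. Pick one name and use it in the default hash, the runner, the spec and the commit message.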
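Review bot: in the runner.rb hunk, `enabled?` now returns the raw attribute value rather than a boolean, and the two `logger.debug` lines just above it do not record that value, so a run in which the compliance phase was switched off by an attribute set at any precedence level (role, policyfile, wrapper cookbook) leaves no trace in the debug log. Suggest adding a third debug line alongside the existing two, for example `logger.debug("#{self.class}##{__method__}: compliance phase enabled? #{node["audit"]["compliance_phase"]}")`, and comparing explicitly with `node["audit"]["compliance_phase"] == true`, since any String (including `"false"` from a JSON attribute file) is truthy in Ruby and would keep the phase enabled.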
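Review bot: the new example in runner_spec.rb asserts the opposite of its description: it says the runner "is false" when the attribute is set, yet its expectation is `expect(runner).to be_enabled`, and because it sets `compliance_mode` while the runner reads `compliance_phase`, the example passes only because the attribute it sets is never consulted. Change the expectation to `expect(runner).not_to be_enabled`, set `node.normal["audit"]["compliance_phase"] = false`, and reword the description, which says the attribute is "unset" while the body sets it to false.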