author Lamont Granquist <lamont@scriptkiddie.org> 2021-02-25 15:36:04 -0800
committer Tim Smith <tsmith84@gmail.com> 2021-03-05 12:31:44 -0800
commit bc969068b48f5c7d7fd89c2a7c7a7aab12a0a9e7 (patch)
tree 8573ea6d38636bb02df062bfd1f005d2a72a2ea1 /spec
parent cd045c668d04c132e276de003047fe2789543e36 (diff)
Add a compliance_mode node attribute
Setting node["audit"]["compliance_mode"] to be false should force the compliance mode to not run.

This is for sites which run override run lists which have the audit cookbook in them, but the rest of their cookbooks define profiles so that in normal running they still have those profiles defined but they're manually running the cookbook.

That is likely a pretty bad pattern since the cookbook_synchronizer will be thrashing on at least the audit cookbook being downloaded and then removed, but it seems people have settled on this as their solution which breaks the assumptions we had for the compliance_mode.

To sort this out those sites should set node["audit"]["compliance_mode"] to be false on their runs which aren't supposed to run audits. Instead of an override run list with the audit cookbook in it, they can just run an override run_list which sets this node attribute to true (in any fashion: roles, policyfiles, wrapper cookbook style, recipe mode, etc.)

This also is obviously an opt-out switch, although sites preferring to use the audit cookbook should understand that cookbook development will be abandoned after it is deprecated and there will be no more bugfixes or support for that.

Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Diffstat (limited to 'spec')
-rw-r--r-- spec/unit/compliance/runner_spec.rb 7
1 files changed, 7 insertions, 0 deletions
diff --git a/spec/unit/compliance/runner_spec.rb b/spec/unit/compliance/runner_spec.rb
index d982174e67..d46d756b0e 100644
--- a/spec/unit/compliance/runner_spec.rb
+++ b/spec/unit/compliance/runner_spec.rb
@@ -19,6 +19,13 @@ describe Chef::Compliance::Runner do
expect(runner).to be_enabled
end
+ it "is false if the node attributes have audit profiles and the audit cookbook is not present, and the compliance mode attribute is unset" do
+ node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }
+ node.normal["audit"]["compliance_mode"] = false
+
+ expect(runner).to be_enabled
+ end
+
it "is false if the node attributes have audit profiles and the audit cookbook is present" do
stub_const("::Reporter::ChefAutomate", true)
node.normal["audit"]["profiles"]["ssh"] = { 'compliance': "base/ssh" }
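Review bot: the added example asserts `expect(runner).to be_enabled`, which contradicts both its own description ("is false if ...") and the commit message, which says setting node["audit"]["compliance_mode"] to false should force compliance mode to not run. As written, the spec only passes if the opt-out switch has no effect, so it cannot catch a regression where audits run on a node that disabled them. The assertion should be `expect(runner).not_to be_enabled`. The description also says the compliance mode attribute "is unset", while the body sets it to false with `node.normal["audit"]["compliance_mode"] = false`; rename it to "... and the compliance mode attribute is false". If the unset case matters, cover it in a separate example that leaves the attribute untouched. A matching example for the attribute set to true would document the other half of the switch.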