## Compliance Phase Improvements

### InSpec Profiles Within Cookbooks

You can now ship Chef InSpec profiles, waivers, and inputs directly in cookbooks, allowing you to combine infrastructure and compliance concerns in a single artifact. Bringing infra and compliance together ensures security is always considered when making changes to your systems and enables collaboration in DevSecOps through shared pipelines. Combining infrastructure and compliance content in cookbook artifacts also allows for the safe and controlled promotion of compliance content from development to production using Policyfiles.

#### Cookbook Compliance Directory

A new `compliance` directory in cookbooks includes InSpec content in `inputs`, `waivers`, and `profiles` directories:

```
my_cookbook/
├─ compliance/
│  ├─ inputs/
│  │  ├─ my_inputs.yml
│  ├─ profiles/
│  │  ├─ my_profiles/
│  │  │  ├─ controls/
│  │  │  ├─ inspec.yml
│  ├─ waivers/
│  │  ├─ control_waiver.yml
├─ metadata.rb
```

InSpec content placed in these new directories will be available for execution during the Chef Infra Client Compliance Phase. As with recipes shipped in cookbooks, which must be executed with `include_recipe`, this content is not run automatically; it must be included explicitly. This gives you fine-grained control of when and how InSpec content runs using Chef Language helpers.

#### Loading InSpec Content in Recipes

InSpec content is loaded from Chef Infra recipes using new include helpers in the Chef Language:

- `include_profile`
- `include_waiver`
- `include_input`

These helpers behave similarly to the existing `include_recipe` helper, allowing you to include InSpec content from various cookbooks:

```ruby
# load a single profile from a specific cookbook:
include_profile "my_cookbook::profile_name"

# load all waivers from a cookbook:
include_waiver "my_cookbook::.*"

# load all inputs that start with ssh:
include_input "acme_cookbook::ssh.*"

# load specific profiles depending on the cloud provider:
include_profile "my_cookbook::ec2_node_profile" if ec2?
include_profile "my_cookbook::gce_node_profile" if gce?
```

#### Chef Infra Resources for InSpec

If you prefer to define your InSpec content directly in cookbooks, we also include new [inspec_input](https://docs.chef.io/resources/inspec_input/) and [inspec_waiver](https://docs.chef.io/resources/inspec_waiver/) resources that allow you to define inputs and waivers dynamically in recipes.

```ruby
# defining a waiver directly in a recipe with dynamic values
inspec_waiver 'Add waiver entry for control' do
  control 'my_inspec_control_01'
  run_test false
  justification "The subject of this control is not managed by Chef Infra Client on the systems in policy group #{node['policy_group']}"
  expiration '2022-01-01'
  action :add
end

# loading a waiver with content on disk
inspec_waiver 'my-waiver-name' do
  source '/path/to/my/waiver.toml'
end

# setting an input directly in a recipe
inspec_input 'setting my input' do
  source({ ssh_custom_path: '/whatever2' })
end

# setting an input from content on disk
inspec_input '/path/to/my/input.yml'
```

### Chef InSpec 4.41.20

Chef InSpec has been updated from 4.41.2 to 4.41.20 with the following improvements and fixes for Compliance Phase:

- Added support for Alibaba Cloud Linux 3 to the Chef InSpec `service` resource.
- Replaced the WMI command-line (WMIC) utility in the Chef InSpec `security_identifier` resource with Common Information Model (CIM) cmdlets, as the WMIC utility will be deprecated soon.
- Fixed range-based filtering in filter tables.
- Fixed an issue in the Chef InSpec `apache_conf` resource when the `ServerRoot` is not specified in the Apache configuration file.
- Fixed an error in the Chef InSpec `postgres_session` resource where the resource was unable to connect to a database.
- Fixed an error in the Chef InSpec `apache_conf` resource where it would overwrite any Apache configurations from the main Apache configuration file with configurations from any included configuration files.
- Fixed an error where the Chef InSpec `security_policy` resource returned a comma-separated string of local groups (rather than SIDs) instead of an array.
- Updated the git fetcher to handle profiles with a default git branch that is not `master`.

## Secrets Management Beta

Our secrets management beta within Chef Infra Client has been updated to support HashiCorp Vault and Akeyless Vault secrets. These can be fetched using the new `secret` helper with either AWS IAM authentication or token-based authentication.

### Fetching Secrets From HashiCorp Vault Using AWS IAM

```ruby
secret(name: "secret/example", service: :hashi_vault, config: { vault_addr: "vault.example.com", role_name: "example-role" })
```

### Fetching Secrets From HashiCorp Vault Using Tokens

```ruby
secret(name: "secret/example", service: :hashi_vault, config: { vault_addr: "vault.example.com", token: "123456" })
```

### Fetching Secrets From Akeyless Vault Using Tokens

```ruby
secret(name: "/secret/data/my_secret", service: :akeyless_vault, config: { access_key: "12345678910=", access_id: "p-12345678910" })
```

## Fetching Chef Solo Recipes from AWS S3

You can now fetch recipes from Amazon's S3 storage when using Chef Solo. To have Chef Solo fetch recipes from AWS S3, pass an S3 URL with the `--recipe-url` command line flag, such as `s3://my-private-bucket/setup-0.1.0.tgz`. Thanks for this improvement [@tecracer-theinen](https://github.com/tecracer-theinen)!

## Resource Updates

### archive_file

The `archive_file` resource has a new `strip_components` property that allows you to strip any number of leading path elements, similar to the `tar --strip-components` behavior. For example, if the archive `archive.tar` contained `some/file/name`, then setting `strip_components 2` would extract just `name`. Thanks for this improvement and a large number of new tests [@jasonwbarnett](https://github.com/jasonwbarnett)!
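Returning to the Compliance Phase section above: the following is an added illustration, not Chef Infra Client's own code, of how content under a cookbook's `compliance/` directory is discovered, how `include_profile`/`include_waiver`/`include_input` arguments of the form `cookbook::pattern` resolve against it, and how the shipped waiver files can be linted before they are promoted to a policy group. The pattern semantics (the text after `::` is a regular expression matched against the whole content name) are an assumption modelled on the page's examples; the waiver file uses InSpec's `expiration_date`/`run`/`justification` keys, and the cookbook tree, `build_sample_cookbook`, `discover`, `resolve_include` and `lint_waivers` are all constructed for this example.

```ruby
# Added example (not Chef Infra Client's own code): discover the InSpec content
# a cookbook ships under compliance/, resolve "cookbook::pattern" include
# strings against it, and lint the shipped waivers. The pattern semantics (the
# text after "::" is a regex matched against the whole content name) are an
# assumption modelled on the page's examples; the cookbook tree is constructed.
require 'date'
require 'fileutils'
require 'tmpdir'
require 'yaml'

COMPLIANCE_DIRS = { profile: 'profiles', waiver: 'waivers', input: 'inputs' }.freeze

# Write a small cookbook carrying every kind of compliance content (sample data).
def build_sample_cookbook(root)
  cb = File.join(root, 'my_cookbook')
  %w[linux_baseline ec2_node_profile].each do |profile|
    FileUtils.mkdir_p(File.join(cb, 'compliance', 'profiles', profile, 'controls'))
    File.write(File.join(cb, 'compliance', 'profiles', profile, 'inspec.yml'), "name: #{profile}\n")
  end
  FileUtils.mkdir_p(File.join(cb, 'compliance', 'inputs'))
  File.write(File.join(cb, 'compliance', 'inputs', 'ssh_inputs.yml'), "ssh_custom_path: /usr/local/ssh\n")
  File.write(File.join(cb, 'compliance', 'inputs', 'os_inputs.yml'), "os_name: linux\n")
  FileUtils.mkdir_p(File.join(cb, 'compliance', 'waivers'))
  File.write(File.join(cb, 'compliance', 'waivers', 'control_waiver.yml'), <<~YAML)
    # justified and not yet expired
    my_inspec_control_01:
      expiration_date: 2099-01-01
      run: false
      justification: "Not managed by Chef Infra Client on this policy group"
    # expired: InSpec stops applying it and the control reports again
    my_inspec_control_02:
      expiration_date: 2020-01-01
      run: false
      justification: "Legacy exception"
    # open-ended and unjustified
    my_inspec_control_03:
      run: false
  YAML
  File.write(File.join(cb, 'metadata.rb'), "name 'my_cookbook'\n")
  cb
end

# Available content per kind as "cookbook::name": profiles are directories
# holding an inspec.yml, inputs and waivers are YAML files.
def discover(cookbook_dir)
  cookbook = File.basename(cookbook_dir)
  COMPLIANCE_DIRS.each_with_object({}) do |(kind, sub), out|
    dir = File.join(cookbook_dir, 'compliance', sub)
    names =
      if kind == :profile
        Dir.glob(File.join(dir, '*', 'inspec.yml')).map { |f| File.basename(File.dirname(f)) }
      else
        Dir.glob(File.join(dir, '*.{yml,yaml}')).map { |f| File.basename(f).sub(/\.ya?ml\z/, '') }
      end
    out[kind] = names.sort.map { |n| "#{cookbook}::#{n}" }
  end
end

# Resolve one include_profile / include_waiver / include_input argument:
# "my_cookbook::ssh.*" selects every input in my_cookbook matching /\Assh.*\z/.
def resolve_include(kind, spec, available)
  cookbook, pattern = spec.split('::', 2)
  raise ArgumentError, "expected cookbook::pattern, got #{spec.inspect}" if cookbook.nil? || pattern.nil?
  re = /\A#{pattern}\z/
  available.fetch(kind).select do |full|
    cb, name = full.split('::', 2)
    cb == cookbook && name.match?(re)
  end
end

# Lint shipped waivers: an expired waiver no longer applies, so the control
# starts reporting again without any cookbook change, and a waiver with no
# expiry or justification is an exception nobody is scheduled to review.
def lint_waivers(cookbook_dir, today: Date.today)
  findings = []
  Dir.glob(File.join(cookbook_dir, 'compliance', 'waivers', '*.{yml,yaml}')).sort.each do |file|
    YAML.safe_load(File.read(file), permitted_classes: [Date]).each do |control, waiver|
      waiver ||= {}
      expiry = waiver['expiration_date']
      expiry = Date.parse(expiry.to_s) if expiry && !expiry.is_a?(Date)
      findings << [control, :no_expiration] if expiry.nil?
      findings << [control, :expired] if expiry && expiry < today
      findings << [control, :no_justification] if waiver['justification'].to_s.strip.empty?
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |tmp|
    cb = build_sample_cookbook(tmp)
    available = discover(cb)
    p resolve_include(:input, 'my_cookbook::ssh.*', available)
    p lint_waivers(cb)
  end
end
```

The lint step is the part worth wiring into a cookbook's test pipeline: a waiver whose `expiration_date` has passed is simply ignored by InSpec, so the control it covered starts failing in production without any change to the cookbook, and a waiver with no expiry or justification is a permanent, unreviewed exception.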
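As an added illustration of the `strip_components` behaviour (this is not the `archive_file` resource's implementation), the path arithmetic of a tar-style `--strip-components` applied to archive member names before extraction: members with too few path elements are skipped, as tar does, and a member that would still resolve outside the destination after stripping is rejected rather than extracted. The member list and the `strip_components`/`plan_extraction` helpers are constructed for this example.

```ruby
# Added example (not the archive_file resource's implementation): the path
# arithmetic behind a tar-style --strip-components, applied to archive member
# names before extraction. Members with too few path elements are skipped, as
# tar does, and any member that would still resolve outside the destination
# (".." elements) is rejected rather than extracted. Member names are constructed.
def strip_components(member, count)
  parts = member.split('/').reject { |p| p.empty? || p == '.' }  # drop leading "/" and "./"
  return nil if parts.length <= count                             # nothing left: skip member
  parts.drop(count).join('/')
end

# Decide what happens to each archive member: where it lands, or why it does not.
# Returns { extract: { member => target }, skipped: [...], rejected: [...] }.
def plan_extraction(members, destination, count)
  plan = { extract: {}, skipped: [], rejected: [] }
  members.each do |member|
    relative = strip_components(member, count)
    if relative.nil?
      plan[:skipped] << member
    elsif relative.split('/').include?('..')
      plan[:rejected] << member       # would escape the destination directory
    else
      plan[:extract][member] = File.join(destination, relative)
    end
  end
  plan
end

# Constructed sample archive listing, including one member that tries to climb out.
SAMPLE_MEMBERS = [
  'some/',
  'some/file/',
  'some/file/name',
  'some/file/sub/deep.txt',
  'some/file/../../../etc/passwd',
].freeze

if $PROGRAM_NAME == __FILE__
  p plan_extraction(SAMPLE_MEMBERS, '/opt/app', 2)
end
```

With `count` 2 the page's `some/file/name` becomes `name`, the directory entries `some/` and `some/file/` are consumed entirely and skipped, and the `..` member is refused: stripping leading components changes where a member lands but does nothing to sanitise the remainder, so the escape check has to stay regardless of the count.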
### chef_client_scheduled_task

The `chef_client_scheduled_task` resource now supports setting the scheduled task priority for the execution of the Chef Infra Client with a new `priority` property.

You can also now set the scheduled task to run with the same splay value during each run using a new `use_consistent_splay` property. With this property set, a random splay will still be used for the node, but it will be the same splay during subsequent runs. This ensures that Chef Infra Client always runs with a consistent time between runs (i.e., always exactly 30 minutes).

Thanks for these improvements [@gholtiii](https://github.com/gholtiii)!

### file

The `file` resource and resources based on the `file` resource now include additional verifiers for YAML and JSON content in files. Set `verify :json` or `verify :yaml` to validate JSON and YAML content. Thanks for this addition [@gogsbread](https://github.com/gogsbread)!

### mount

The `mount` resource no longer strips trailing `/` values when the mount point is just `/`. Thanks for this fix [@jiokmiso](https://github.com/jiokmiso)!

### registry_key

The `registry_key` resource has been updated to allow lazily evaluating the data passed to the `values` property. Thanks for reporting this [@sjethvani](https://github.com/sjethvani)!

### remote_file

The `remote_file` resource has been updated with a new `http_options` property that accepts a Hash of Ruby Net::HTTP options such as `http_retry_count` and `http_retry_delay`.

### ulimit

The `ulimit` resource now supports setting `sensitive true` to prevent logging ulimit data as it is written to disk.

### windows_uac

The `windows_uac` resource now sets the proper registry key value when using the `consent_behavior_users` property. Thanks for reporting this [@ahembree](https://github.com/ahembree)!

### windows_user_privilege

The `windows_user_privilege` resource no longer fails with an error stating that the `privilege` property needs to be set, even when it is set.
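As an added illustration of what the `file` resource's `verify :json` / `verify :yaml` checks amount to (this is not Chef Infra Client's verifier), a stand-alone verifier that parses the file in the requested format and reports `[ok, reason]`. YAML is parsed with `YAML.safe_load` so that a file under verification cannot instantiate arbitrary Ruby objects or expand recursive aliases while being checked. The `verify_content`, `content_valid?` and `check_sample` helpers and the sample file bodies are constructed for this example.

```ruby
# Added example (not Chef Infra Client's verifier): the check that a
# `verify :json` / `verify :yaml` style verifier performs, as a stand-alone
# function returning [ok, reason]. YAML is parsed with YAML.safe_load so that a
# file under verification cannot instantiate arbitrary Ruby objects or expand
# recursive aliases while being checked. Sample contents are constructed.
require 'date'
require 'json'
require 'tempfile'
require 'yaml'

# Returns [true, nil] when the file parses as the requested format,
# otherwise [false, "<parser error message>"].
def verify_content(path, format)
  content = File.read(path)
  case format
  when :json
    JSON.parse(content)
  when :yaml
    # Date is the only non-core scalar type permitted; aliases stay disabled.
    YAML.safe_load(content, permitted_classes: [Date])
  else
    raise ArgumentError, "unknown format #{format.inspect}"
  end
  [true, nil]
rescue JSON::ParserError, Psych::SyntaxError, Psych::DisallowedClass, Psych::BadAlias => e
  [false, e.message]
end

# Shape usable from a Chef-style verify block: `verify { |path| content_valid?(path, :json) }`.
def content_valid?(path, format)
  verify_content(path, format).first
end

# Run one check against a constructed file body written to a temporary file.
def check_sample(body, format)
  Tempfile.create(['sample', ".#{format}"]) do |f|
    f.write(body)
    f.flush
    verify_content(f.path, format)
  end
end

SAMPLES = {
  valid_json:  ['{"retries": 3, "hosts": ["a", "b"]}', :json],
  broken_json: ['{"retries": 3,', :json],
  valid_yaml:  ["retries: 3\nhosts:\n  - a\n  - b\n", :yaml],
  broken_yaml: ["retries: 3\nhosts: [a, b\n", :yaml],
  # A tagged Ruby object: safe_load refuses it instead of instantiating the class.
  object_yaml: ["--- !ruby/object:OpenStruct\ntable:\n  a: 1\n", :yaml],
  # Aliases are refused by default, which also blocks alias-expansion bombs.
  alias_yaml:  ["a: &a [1, 2]\nb: *a\n", :yaml],
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each { |name, (body, fmt)| puts "#{name}: #{check_sample(body, fmt).inspect}" }
end
```

The two YAML samples that are syntactically fine but still fail are the point: a verifier that used `YAML.load` would accept both, and in the tagged-object case would construct the object as a side effect of merely checking the file.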
## Packages

We are now producing packages for the following platforms / architectures:

- Windows 11 - x64
- Windows 2022 - x64
- Debian 11 - amd64 / arm64
- macOS 12 (Monterey) - Intel

## Security

### OpenSSL 1.0.2za

OpenSSL has been updated from 1.0.2y to 1.0.2za to resolve [CVE-2021-3712](https://nvd.nist.gov/vuln/detail/CVE-2021-3712).