Chef Supermarket Integration

ansible-inspec integrates with Chef Supermarket to provide access to 100+ pre-built InSpec compliance profiles. This allows you to leverage community-tested compliance frameworks without writing tests from scratch.

Overview

Chef Supermarket hosts curated compliance profiles from leading security frameworks:

  • DevSec Hardening Frameworks: Security baselines for Linux, SSH, Apache, MySQL, Nginx, PostgreSQL

  • CIS Benchmarks: Center for Internet Security hardening standards

  • DISA STIGs: Department of Defense Security Technical Implementation Guides

  • Community Profiles: Custom compliance frameworks shared by the community

Quick Start

Basic Usage

Run a Chef Supermarket profile against your infrastructure:

# Using the --supermarket flag
ansible-inspec exec dev-sec/linux-baseline --supermarket -i inventory.yml

# Test a specific target
ansible-inspec exec dev-sec/ssh-baseline --supermarket -t ssh://user@host

# Docker container testing
ansible-inspec exec cis-docker-benchmark --supermarket -t docker://container_id

Python API

DevSec Hardening Frameworks

Industry-standard security baselines maintained by the DevSec project:

Linux Baseline

Tests: 56 controls covering OS hardening, file permissions, user management, kernel parameters

Use Cases:

  • General Linux server hardening

  • Meeting SOC 2 security requirements

  • Pre-deployment security validation

SSH Baseline

Tests: 28 controls for SSH configuration security

Key Checks:

  • Disabled password authentication

  • Strong cipher configurations

  • Proper permission settings

  • Protocol version enforcement

Apache Baseline

Tests: 15 controls for Apache HTTP Server hardening

Key Checks:

  • Directory listing disabled

  • Server tokens hidden

  • SSL/TLS configuration

  • File permissions

MySQL Baseline

Tests: 20+ controls for MySQL/MariaDB security

Key Checks:

  • Anonymous user removal

  • Test database removal

  • Strong password policies

  • Network exposure controls

Nginx Baseline

Tests: 12 controls for Nginx hardening

Key Checks:

  • Directory listing disabled

  • Server version hidden

  • SSL/TLS best practices

  • Access controls

PostgreSQL Baseline

Tests: 25+ controls for PostgreSQL security

Key Checks:

  • Authentication configuration

  • Connection encryption

  • File permissions

  • User privilege separation

CIS Benchmarks

Industry-accepted configuration standards from the Center for Internet Security:

CIS Docker Benchmark

Tests: 100+ controls based on CIS Docker 1.3.0 benchmark

Coverage:

  • Docker daemon configuration

  • Container runtime security

  • Image security

  • Network configuration

  • Logging and auditing

CIS Kubernetes Benchmark

Tests: Comprehensive Kubernetes security validation

Coverage:

  • API server configuration

  • Controller manager settings

  • Scheduler security

  • etcd configuration

  • Worker node security

DISA STIGs

Department of Defense Security Technical Implementation Guides:

Compliance Level: Government-grade security standards for high-security environments

Advanced Usage

Multi-Profile Testing

Test against multiple compliance frameworks:

Waiving Specific Controls

Create a waiver file to skip specific controls:

Custom Attributes

Override profile defaults with custom attributes:

CI/CD Integration

GitHub Actions

GitLab CI

Jenkins Pipeline

Docker Usage

Using Pre-built Image

Docker Compose

Profile Discovery

Browse Available Profiles

Visit Chef Supermarket to browse all available compliance profiles.

Search Profiles

Profile Information

Best Practices

1. Start with Baseline Profiles

Begin with general baseline profiles before implementing specific benchmarks:

2. Use Waivers for Known Exceptions

Don't modify profiles; use waivers for documented exceptions:
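As an added example that is not part of the ansible-inspec project, the file below shows what the waiver file mentioned in "Waiving Specific Controls" and in this best practice looks like, using InSpec's standard waiver-file format. The control IDs are placeholders written in the dev-sec naming style; replace them with IDs from the controls/ directory of the profile you run, and the ticket reference is likewise invented.

```yaml
# waivers.yml (added example, not the project's own file).
# Each top-level key is a control ID from the profile being executed;
# the IDs here are placeholders and must be replaced with real ones.

# Skip a control entirely until a fixed date. Once expiration_date passes,
# the control is executed and enforced again, so the exception cannot
# silently outlive the approval behind it.
os-05:
  expiration_date: 2026-06-30
  run: false
  justification: "SEC-1234 (placeholder ticket): login.defs is managed by the image pipeline; re-review at next hardening cycle"

# Run the control but report its result as waived instead of failed.
# Evidence is still collected for auditors, while a documented, accepted
# risk is not counted as a failure.
sysctl-01:
  expiration_date: 2026-03-31
  run: true
  justification: "Load-balancer tier requires IPv4 forwarding; compensating control: host firewall restricts forwarded traffic"

# Permanent waiver (no expiration_date): reserve this for controls that
# never apply to the target class, and keep the justification explicit.
package-08:
  run: false
  justification: "Minimal container image with no package manager at runtime"
```

Prefer time-limited waivers: an expired entry re-enables the control automatically, which forces the exception to be re-reviewed instead of becoming a permanent blind spot.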

3. Test in Stages

Test development → staging → production:

4. Combine with Custom Tests

Mix Supermarket profiles with custom controls:

5. Regular Compliance Monitoring

Schedule regular compliance checks:

Troubleshooting

Profile Download Issues

If profile download fails:

Authentication Requirements

Some profiles may require Chef Supermarket authentication:

Version Pinning

Pin specific profile versions for reproducibility:

Contributing

Share Your Custom Profiles

If you've created custom compliance profiles, consider sharing them on Chef Supermarket:

  1. Create an InSpec profile

  2. Test thoroughly

  3. Upload to Chef Supermarket

  4. Share with the community

Visit Chef Supermarket to learn more about contributing.

Resources

  • Chef Supermarket: https://supermarket.chef.io

  • InSpec Documentation: https://docs.chef.io/inspec/

  • DevSec Project: https://dev-sec.io

  • CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks

  • ansible-inspec: https://github.com/Htunn/ansible-inspec

Support

For issues specific to Chef Supermarket integration:

  1. Visit Chef Supermarket for profile-specific questions
