Chef Supermarket Integration

ansible-inspec integrates with Chef Supermarket to provide access to 100+ pre-built InSpec compliance profiles. This lets you use community-tested compliance frameworks without writing tests from scratch.

Overview

Chef Supermarket hosts curated compliance profiles from leading security frameworks:

  • DevSec Hardening Frameworks: Security baselines for Linux, SSH, Apache, MySQL, Nginx, PostgreSQL

  • CIS Benchmarks: Center for Internet Security hardening standards

  • DISA STIGs: Department of Defense Security Technical Implementation Guides

  • Community Profiles: Custom compliance frameworks shared by the community

Quick Start

Basic Usage

Run a Chef Supermarket profile against your infrastructure:

# Using the --supermarket flag
ansible-inspec exec dev-sec/linux-baseline --supermarket -i inventory.yml

# Test a specific target
ansible-inspec exec dev-sec/ssh-baseline --supermarket -t ssh://user@host

# Docker container testing
ansible-inspec exec cis-docker-benchmark --supermarket -t docker://container_id

Python API

DevSec Hardening Frameworks

Industry-standard security baselines maintained by the DevSec project:

Linux Baseline

Tests: 56 controls covering OS hardening, file permissions, user management, kernel parameters

Use Cases:

  • General Linux server hardening

  • Meeting SOC 2 security requirements

  • Pre-deployment security validation

SSH Baseline

Tests: 28 controls for SSH configuration security

Key Checks:

  • Disabled password authentication

  • Strong cipher configurations

  • Proper permission settings

  • Protocol version enforcement

Apache Baseline

Tests: 15 controls for Apache HTTP Server hardening

Key Checks:

  • Directory listing disabled

  • Server tokens hidden

  • SSL/TLS configuration

  • File permissions

MySQL Baseline

Tests: 20+ controls for MySQL/MariaDB security

Key Checks:

  • Anonymous user removal

  • Test database removal

  • Strong password policies

  • Network exposure controls

Nginx Baseline

Tests: 12 controls for Nginx hardening

Key Checks:

  • Directory listing disabled

  • Server version hidden

  • SSL/TLS best practices

  • Access controls

PostgreSQL Baseline

Tests: 25+ controls for PostgreSQL security

Key Checks:

  • Authentication configuration

  • Connection encryption

  • File permissions

  • User privilege separation

CIS Benchmarks

Center for Internet Security industry-accepted configuration standards:

CIS Docker Benchmark

Tests: 100+ controls based on CIS Docker 1.3.0 benchmark

Coverage:

  • Docker daemon configuration

  • Container runtime security

  • Image security

  • Network configuration

  • Logging and auditing

CIS Kubernetes Benchmark

Tests: Comprehensive Kubernetes security validation

Coverage:

  • API server configuration

  • Controller manager settings

  • Scheduler security

  • etcd configuration

  • Worker node security

DISA STIGs

Department of Defense Security Technical Implementation Guides:

Compliance Level: Government-grade security standards for high-security environments

Advanced Usage

Multi-Profile Testing

Test against multiple compliance frameworks:

Waiving Specific Controls

Create a waiver file to skip specific controls:

Custom Attributes

Override profile defaults with custom attributes:

CI/CD Integration

GitHub Actions

GitLab CI

Jenkins Pipeline

Docker Usage

Using Pre-built Image

Docker Compose

Profile Discovery

Browse Available Profiles

Visit Chef Supermarket to browse all available compliance profiles.

Search Profiles

Profile Information

Best Practices

1. Start with Baseline Profiles

Begin with general baseline profiles before implementing specific benchmarks:

2. Use Waivers for Known Exceptions

Don't modify profiles; use waivers for documented exceptions:
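As an added example (not code from ansible-inspec or InSpec), the script below builds a waiver file for documented exceptions and reviews it before it is accepted. It assumes the InSpec waiver-file layout, a mapping of control id to `expiration_date`, `run` and `justification`; the control ids and justification text are constructed placeholders, not real controls from any Supermarket profile. The YAML is emitted by hand so the script has no dependency beyond the standard library.

```python
"""Build and validate an InSpec-style waiver file for documented exceptions.

Added example, not project code. Assumes the InSpec waiver-file layout:
  <control id>:
    expiration_date: YYYY-MM-DD
    run: true|false          # false skips the control, true runs it but waives failure
    justification: text
"""
from __future__ import annotations

import datetime as dt
from typing import Dict, List, Optional

Waiver = Dict[str, object]


def make_waiver(control_id: str, justification: str, expires: str,
                run: bool = False) -> Dict[str, Waiver]:
    """Return a single-entry waiver mapping keyed by control id (expires is ISO YYYY-MM-DD)."""
    return {
        control_id: {
            "expiration_date": expires,
            "run": run,
            "justification": justification,
        }
    }


def validate_waivers(waivers: Dict[str, Waiver],
                     today: Optional[dt.date] = None) -> List[str]:
    """Return a list of problems; an empty list means the waiver file is acceptable.

    Checks a reviewer wants before a waiver is merged:
      * a non-empty justification (no silent exceptions),
      * an expiration_date in YYYY-MM-DD form,
      * an expiration date in the future (expired waivers must be re-approved),
      * 'run' is a boolean.
    """
    today = today or dt.date.today()
    problems: List[str] = []
    for control_id, entry in sorted(waivers.items()):
        if not str(entry.get("justification", "")).strip():
            problems.append(f"{control_id}: missing justification")
        raw = entry.get("expiration_date")
        if not isinstance(raw, str):
            problems.append(f"{control_id}: missing expiration_date")
        else:
            try:
                expires = dt.date.fromisoformat(raw)
            except ValueError:
                problems.append(f"{control_id}: expiration_date not YYYY-MM-DD")
            else:
                if expires <= today:
                    problems.append(f"{control_id}: waiver expired on {raw}")
        if not isinstance(entry.get("run"), bool):
            problems.append(f"{control_id}: 'run' must be true or false")
    return problems


def _yaml_scalar(value: object) -> str:
    if isinstance(value, bool):
        return "true" if value else "false"
    # Quote strings so a ':' or '#' inside a justification cannot break the YAML.
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_yaml(waivers: Dict[str, Waiver]) -> str:
    """Serialise validated waivers as YAML, one block per control id, sorted for stable diffs."""
    lines: List[str] = []
    for control_id, entry in sorted(waivers.items()):
        lines.append(f"{control_id}:")
        for key in ("expiration_date", "run", "justification"):
            lines.append(f"  {key}: {_yaml_scalar(entry[key])}")
    return "\n".join(lines) + "\n"


# Constructed sample: two documented exceptions. The control ids are
# placeholders, not ids from dev-sec/linux-baseline or any other profile.
SAMPLE_WAIVERS: Dict[str, Waiver] = {}
SAMPLE_WAIVERS.update(make_waiver(
    "os-example-01",
    "Ticket SEC-0000 (placeholder): legacy agent needs this path; removal planned",
    "2030-01-31"))
SAMPLE_WAIVERS.update(make_waiver(
    "os-example-02", "Host sits on an isolated, audited network segment",
    "2030-06-30", run=True))

if __name__ == "__main__":
    issues = validate_waivers(SAMPLE_WAIVERS)
    if issues:
        raise SystemExit("\n".join(issues))
    print(render_yaml(SAMPLE_WAIVERS), end="")
```

Running the script prints the waiver YAML, which can then be committed next to the inventory and passed to the profile run; the validation step is the part worth wiring into review, since a waiver without an owner's justification or an expiry quietly becomes a permanent gap in the baseline.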

3. Test in Stages

Test development → staging → production:

4. Combine with Custom Tests

Mix Supermarket profiles with custom controls:

5. Regular Compliance Monitoring

Schedule regular compliance checks:
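The CI/CD Integration section and this scheduling step both need the same thing: a gate that turns a compliance run into a pass/fail decision. The following is an added example, not code from ansible-inspec or any CI template on this page. It assumes the InSpec JSON reporter layout (`profiles` -> `controls` -> `results`, each result with a `status` of `passed`, `failed` or `skipped`, and each control with an `impact` between 0.0 and 1.0); the embedded report is a constructed sample with placeholder control ids, and the `min_impact` threshold is a design choice of this example.

```python
"""Gate a pipeline on compliance results in InSpec JSON-reporter form.

Added example, not project code. Assumed input layout:
  {"profiles": [{"name": ..., "controls": [
      {"id": ..., "impact": 0.0-1.0, "results": [{"status": "passed|failed|skipped"}, ...]}]}]}
A control counts as failed if any of its results failed, skipped if every
result was skipped (e.g. a waived control), and passed otherwise.
"""
from __future__ import annotations

import json
from typing import Dict, List

# Constructed sample report; profile name and control ids are placeholders.
SAMPLE_REPORT_JSON = json.dumps({
    "profiles": [{
        "name": "example-baseline",
        "controls": [
            {"id": "ex-01", "impact": 1.0, "title": "Password authentication disabled",
             "results": [{"status": "passed"}]},
            {"id": "ex-02", "impact": 0.7, "title": "Strong ciphers only",
             "results": [{"status": "failed", "message": "cipher list differs"}]},
            {"id": "ex-03", "impact": 0.3, "title": "Login banner configured",
             "results": [{"status": "failed"}, {"status": "passed"}]},
            {"id": "ex-04", "impact": 0.5, "title": "Waived control",
             "results": [{"status": "skipped", "skip_message": "waived"}]},
        ],
    }]
})


def _control_status(control: dict) -> str:
    statuses = [r.get("status") for r in control.get("results", [])]
    if any(s == "failed" for s in statuses):
        return "failed"
    if statuses and all(s == "skipped" for s in statuses):
        return "skipped"
    return "passed"


def summarize(report_json: str) -> Dict[str, int]:
    """Count controls (not individual results) by their overall status."""
    counts = {"passed": 0, "failed": 0, "skipped": 0}
    for profile in json.loads(report_json).get("profiles", []):
        for control in profile.get("controls", []):
            counts[_control_status(control)] += 1
    return counts


def blocking_failures(report_json: str, min_impact: float = 0.7) -> List[str]:
    """Ids of failed controls whose impact meets the threshold, sorted by impact desc."""
    failed = []
    for profile in json.loads(report_json).get("profiles", []):
        for control in profile.get("controls", []):
            impact = float(control.get("impact", 0.0))
            if _control_status(control) == "failed" and impact >= min_impact:
                failed.append((impact, control["id"]))
    return [cid for _, cid in sorted(failed, key=lambda t: (-t[0], t[1]))]


def exit_code(report_json: str, min_impact: float = 0.7) -> int:
    """0 when no blocking failure is present, 1 otherwise; suitable for a CI step."""
    return 1 if blocking_failures(report_json, min_impact) else 0


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT_JSON
    print("summary:", summarize(data))
    print("blocking:", blocking_failures(data))
    sys.exit(exit_code(data))
```

Feed the script the JSON report on stdin from a scheduled or per-commit job; the threshold lets a team block merges on high-impact findings while still recording lower-impact drift in the summary, and skipped (waived) controls are counted separately so they stay visible rather than silently inflating the pass count.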

Troubleshooting

Profile Download Issues

If profile download fails:

Authentication Requirements

Some profiles may require Chef Supermarket authentication:

Version Pinning

Pin specific profile versions for reproducibility:

Contributing

Share Your Custom Profiles

If you've created custom compliance profiles, consider sharing them on Chef Supermarket:

  1. Create an InSpec profile

  2. Test thoroughly

  3. Upload to Chef Supermarket

  4. Share with the community

Visit Chef Supermarket to learn more about contributing.

Resources

  • Chef Supermarket: https://supermarket.chef.io

  • InSpec Documentation: https://docs.chef.io/inspec/

  • DevSec Project: https://dev-sec.io

  • CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks

  • ansible-inspec: https://github.com/Htunn/ansible-inspec

Support

For issues specific to Chef Supermarket integration:

  1. Visit Chef Supermarket for profile-specific questions
