InSpec, Habitat, and Continuous Compliance

In my last post, I talked about some of the benefits of containers, how containers can complicate compliance requirements, and how InSpec can help. InSpec provides a human-readable infrastructure and compliance testing language that allows you to scan your hosts, VMs, and containers to ensure your fleet’s compliance.

But let’s take this one step further. By using Habitat to package, deploy, and manage your application and compliance profiles, we can achieve Continuous Compliance and do so with containers and more.

Intro to Habitat

Habitat by Chef is our new Application Automation tool that aims to make it easy, safe, and fast to build, deploy, and manage applications. From build dependencies, runtime dependencies, dynamic configuration, and service discovery (just to name a few), Habitat packages the automation with the application instead of relying on an underlying platform.

Habitat packages first start with a plan… a plan.sh, to be precise! The plan.sh file tells Habitat how to build an application. In addition to the plan, a list of configuration parameters (and default values) that users can change for the application can be supplied. Gone are the days of creating unique packages or containers per environment; simply expose the configuration options that may need to change in each deployment environment.

After writing the application’s plan, Habitat builds the package in a studio, a slimmed-down “cleanroom” environment designed to eliminate any implicit dependencies that may get inadvertently brought in from the workstation or development environment. During the build process, each dependency is resolved and locked to a specific version and build number. This build process ensures that the application will run successfully in any environment that supports Habitat, regardless of what system packages are installed.

The packages can then be distributed to a fleet manually, or they can be uploaded to an artifact store that we call the “Depot.” The Habitat team offers a public Depot, or a private Depot can be deployed as well.

Packages are run via the Habitat Supervisor, a process supervisor that runs an application and manages configuration updates for the application. In addition, supervisors can form a peer-to-peer network called a “ring” to discover other running services, facilitate configuration updates, and choreograph package updates.

Packages can also be exported in a number of formats, including a Docker container with all the package’s dependencies and the Habitat Supervisor included! If you are already using containers, or are beginning to investigate introducing containers into your environment, using Habitat allows you to build a better, easier-to-manage container.

And this is just the beginning of Habitat’s awesomeness! Swing by https://www.habitat.sh/ for lots more information.

Creating a Compliance Package

Beginning with InSpec v1.16.1, two new commands are available: inspec habitat profile create and inspec habitat profile upload. Each command takes a path to a compliance profile on the workstation, ensures the profile’s dependencies have been met (because profiles can rely on other profiles!), and then creates a Habitat package of the profile. The upload command publishes the package to a Habitat depot, such as our public depot, while the create command leaves the package on the workstation for the user to manage as he/she sees fit.

Here is an example of what the output of a inspec habitat profile upload command run looks like:

 $ inspec habitat profile upload ~/profiles/habtest
 [2017-03-25T13:46:10-04:00] INFO: Creating a Habitat artifact for profile: /Users/aleff/profiles/habtest
 [2017-03-25T13:46:10-04:00] INFO: Checking to see if Habitat is installed...
 [2017-03-25T13:46:10-04:00] INFO: Checking to see if the profile is valid...
 [2017-03-25T13:46:10-04:00] INFO: Profile is valid.
 [2017-03-25T13:46:10-04:00] INFO: Vendoring the profile's dependencies...
 [2017-03-25T13:46:11-04:00] INFO: Copying profile contents to the work directory...
 [2017-03-25T13:46:11-04:00] INFO: Generating Habitat plan at /var/folders/v5/z54gb76j2rs3wrn65hmtyf1r0000gp/T/inspec-habitat-exporter20170325-7222-f9ksed/habitat/plan.sh...
 [2017-03-25T13:46:11-04:00] INFO: Generating a Habitat run hook at /var/folders/v5/z54gb76j2rs3wrn65hmtyf1r0000gp/T/inspec-habitat-exporter20170325-7222-f9ksed/habitat/hooks/run...
 [2017-03-25T13:46:11-04:00] INFO: Generating Habitat's default.toml configuration...
 [2017-03-25T13:46:11-04:00] INFO: Building our Habitat artifact...
 hab-studio: Destroying Studio at /hab/studios/src (default)
 hab-studio: Creating Studio at /hab/studios/src (default)
 hab-studio: Importing adamleff secret origin key

... lots of Habitat Studio output here ...

[2017-03-25T13:46:52-04:00] INFO: Uploading the Habitat artifact to our Depot...
 [2017-03-25T13:46:57-04:00] INFO: Upload complete!

That’s it! One simple command creates a runnable Habitat compliance package!

When the newly-created InSpec Habitat package is run via the Habitat Supervisor, the supervisor will install InSpec and continuously execute the InSpec compliance profile. By default, InSpec will execute the profile every 300 seconds (5 minutes), but this is configurable by changing the sleep_time runtime configuration value.

Your compliance profile package will write out a JSON file to /hab/svc/inspec-profile-PROFILE_NAME/inspec_results/PROFILE_NAME.json which will contain the results of the last InSpec run. A future Habitat enhancement will provide centralized collection of these JSON results from all connected supervisors in a ring.

Application + Compliance == <3

In the current versions of Habitat, the Habitat Supervisor is responsible for a single package/service. If there is a need to run two services on a host, it requires running two supervisors and some additional configuration to avoid port conflicts, etc.

With the next Habitat release, this is no longer the case. The next version of Habitat provides the ability for one Supervisor to run more than one service. Those services can be any Habitat package, including… a compliance package!

Let’s think about that for a second… with one command (and a small spec file for each service), Habitat will run your application and your compliance profile simultaneously, ensure they stay running, and give you the insight you need to ensure they’re running properly. That sounds pretty delightful to me.

Let’s look at it in action. First, the spec file for a sample frontend web application:

[root@localhost ~]# cat /hab/sup/default/specs/sample-multitier-frontend.spec.toml
 ident = "adamleff/sample-multitier-frontend"

Yup, unless you need to change any default behavior, it’s that simple! Now, how about our compliance package?

[root@localhost ~]# cat /hab/sup/default/specs/inspec-profile-habtest.spec.toml
 ident = "adamleff/inspec-profile-habtest"

And now we start the supervisor:

[root@localhost ~]# hab start
 hab-sup(MN): Enabling feature: Multi
 hab-sup(MR): Butterfly Member ID 0cff4c72bf0547e1bb3fb42c447acd58
 hab-sup(SR): Adding adamleff/inspec-profile-habtest/0.1.0/20170325174641
 hab-sup(SR): Adding adamleff/sample-multitier-frontend/0.0.1/20170219201908
 hab-sup(MR): Starting butterfly on 0.0.0.0:9638
 hab-sup(MR): Starting http-gateway on 0.0.0.0:9631
 inspec-profile-habtest.default(SR): Initializing
 inspec-profile-habtest.default(SV): Starting process as user=hab, group=hab
 sample-multitier-frontend.default(SR): Initializing
 inspec-profile-habtest.default(O): Executing InSpec for adamleff/inspec-profile-habtest
 sample-multitier-frontend.default hook[init]:(HK): Removing previous version deployed at /hab/svc/sample-multitier-frontend/data
 sample-multitier-frontend.default hook[init]:(HK): Deploying new version from /hab/pkgs/adamleff/sample-multitier-frontend/0.0.1/20170219201908 to /hab/svc/sample-multitier-frontend/data
 sample-multitier-frontend.default hook[init]:(HK): Setting permissions on /hab/svc/sample-multitier-frontend/data
 sample-multitier-frontend.default hook[init]:(HK): Creating symlink for mime.types file...
 sample-multitier-frontend.default(SV): Starting process as user=root, group=hab
 inspec-profile-habtest.default(O): InSpec run completed successfully.
 inspec-profile-habtest.default(O): sleeping for 300 seconds

One supervisor, two packages, one of which is going to scan our host every 5 minutes using our compliance profile, and write out its findings. There will be no need to periodically scan your fleet for security and compliance reports; Habitat will be doing it for you, providing you Continuous Compliance!

And with the already-built-in features of the Habitat Supervisor, such as update strategies, it’s never been easier to keep applications and compliance profiles updated; simply modify the application or profile, publish it to a Habitat Depot, and let the Supervisor do the rest. And since the app and compliance profiles remain separate packages, they can be updated independently.

But I don’t use containers!

That’s OK! While Habitat absolutely makes creating, deploying, and managing containers amazing, Habitat is not just for containers! You can use Habitat to manage and deploy applications on bare metal machines or VMs as well, and Habitat supports Linux and Windows. Managing application and compliance results with Habitat provides the freedom to choose a traditional host deployment or a popular workload scheduler like Kubernetes.

Wrapping Up

Continuous Compliance is here and we’re ready to help you. By using Habitat to manage your applications and your compliance policies, you can rest easy knowing that your fleet and your applications are being continuously scanned to ensure they adhere to your policies.

There’s so much more to learn about Habitat and how it can make managing your applications delightful. If you’ve never tried Habitat, come visit us at https://www.habitat.sh/ and try our in-browser demo and our tutorials. If you haven’t yet started using InSpec, swing by https://inspec.io to try our demo and learn how easy it is to start codifying and automating your compliance requirements.

Author Adam Leff

Former Chef Employee