In this article you will find:
- Technical Overview
- How to configure Chef connector
- How to generate cookbooks via Vulcan
- How to use Chef in playbooks
- Chef on-premise
1. Technical Overview
Vulcan's Chef connector enables users to push auto-generated cookbooks into your Chef server.
The cookbook will contain:
- run_list file - Used to add Run List items (recipes) to a node.
- recipes - the fixes generated by Vulcan
Basic flow:
2. Configuring Chef connector
In the Connectors page, click on Add a Connector
Click on Chef connector
Upload the relevant files:
- knife.rb file - Used to specify the chef-repo-specific configuration details for knife. More details on how to configure knife.rb can be found here
- .pem file - The client key used to authenticate to the Chef server
Click on Create
- You can follow the connector's progress under the Log tab
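Before uploading, it is worth checking that the two files are what the connector needs. The following Ruby script is an added example, not Vulcan's or Chef's own code; the knife.rb contents, client name and key are constructed samples, and the checks it applies (an https, organization-scoped chef_server_url and a private RSA key of at least 2048 bits) are this example's assumptions about a sane setup, not documented connector requirements.

```ruby
require "openssl"
require "uri"

# knife.rb settings the connector relies on: the API client name, its key file and the server URL.
KNIFE_KEYS = %w[node_name client_key chef_server_url].freeze

# Constructed sample knife.rb (hypothetical names; not taken from the article).
SAMPLE_KNIFE_RB = <<~'RB'
  log_level        :info
  node_name        "vulcan-connector"
  client_key       "/etc/chef/vulcan-connector.pem"
  chef_server_url  "https://chef.example.internal/organizations/acme"
  cookbook_path    ["/var/chef-repo/cookbooks"]
RB

# Constructed sample client key, generated on the fly so the example runs offline.
SAMPLE_PEM = OpenSSL::PKey::RSA.new(2048).to_pem

# Pull the quoted `setting "value"` lines we care about out of knife.rb text.
def parse_knife_rb(text)
  text.each_line.with_object({}) do |line, cfg|
    m = line.match(/^\s*(#{KNIFE_KEYS.join('|')})\s+["']([^"']+)["']/)
    cfg[m[1]] = m[2] if m
  end
end

# Sanity-check a knife.rb / .pem pair before uploading it to the connector. Returns a list
# of problems; an empty list means the pair looks usable. Nothing is sent anywhere.
def check_connector_files(knife_rb_text, pem_text)
  cfg = parse_knife_rb(knife_rb_text)
  problems = KNIFE_KEYS.reject { |k| cfg[k] }.map { |k| "knife.rb: missing #{k}" }
  url = cfg["chef_server_url"] && (URI.parse(cfg["chef_server_url"]) rescue nil)
  if url
    problems << "chef_server_url is not https" unless url.scheme == "https"
    # Chef Server 12 (the on-premise version the article lists) scopes its API per organization.
    problems << "chef_server_url lacks /organizations/<org>" unless url.path.include?("/organizations/")
  elsif cfg["chef_server_url"]
    problems << "chef_server_url is not a valid URL"
  end
  begin
    key = OpenSSL::PKey::RSA.new(pem_text)
    # The .pem is the connector's credential: it must be the private half and not a weak key.
    problems << ".pem is a public key, not the client's private key" unless key.private?
    problems << ".pem key is shorter than 2048 bits" if key.n.num_bits < 2048
  rescue OpenSSL::PKey::PKeyError
    problems << ".pem is not a parseable RSA key"
  end
  problems
end
```

Run it against your real files with `check_connector_files(File.read("knife.rb"), File.read("client.pem"))` and fix anything it lists before creating the connector.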
3. Generating cookbooks via Vulcan
Note: This feature is enabled only if the vulnerability can be fixed by Chef, meaning that at least one of the affected assets is a Chef client and its OS is one of the following:
- RedHat
- CentOS
- Ubuntu
To generate a recipe for a vulnerability, click on Take Action and then Deploy a patch
Go to Generate Chef scripts.
If you have more than one Chef server, you can choose which one to deploy the cookbook to.
Vulcan also offers 3 fallback options for the case where the generated solution could not be completed:
- Fallback to the latest package version - If the specific package version was not found, update to the latest version available.
- Skip to the next solution - Try to deploy the next generated recipe.
- Stop the deployment - Do not try to perform any additional action.
In addition, you can click on Download scripts to view the generated cookbook
Click on Deploy fix
The cookbook is now added to Run List in the Chef server.
4. How to use Chef in playbooks
Using Vulcan's Automation module, you can automatically generate a Chef cookbook and add it to the run list.
Go to Automation --> Create New Playbook
- Name your playbook.
- Choose which vulnerabilities you want to fix - For example, every vulnerability reported by Qualys where the affected package is 'vim' and the asset is managed by Chef.
- Choose remediation action 'Generate Chef scripts'. Choose a fallback method as mentioned above (under 'Generating cookbooks via Vulcan').
- Click Save
5. Chef On-Premise
Vulcan's Chef connector is also available for on-premise versions of Chef.
Once the connector is configured, all the capabilities of the cloud version are available.
Prerequisites
- Allow access from Vulcan to the Chef server by using the Vulcan Gateway
- Supported version: Chef 12.17
- Chef server Internal IP - Note that any change in the
How to configure Chef on-premise
- Once the Vulcan Gateway is up and running, enable the Use Vulcan Gateway toggle in the Chef connector.
- Type the Chef server's internal IP
- Upload knife.rb file
- Upload .pem file