Baking in Security with Chef

Jonathan Trull, Chief Information Security Officer

In this second post in our blog series on DevOps tools for security professionals, we turn our attention to Chef. A competitor to Puppet, Chef is a configuration management tool that enables system administrators and engineers to automatically provision and manage servers throughout their lifecycle.

Chef employs a client-server architecture and consists of three main parts: the client, the server, and the infrastructure code. The client is the part of the program that runs on each of the systems you want to manage, and the server delivers the code to the systems under management. Finally, the infrastructure code, also known as cookbooks, is the set of instructions dictating how each system is configured.

Cookbooks, which are written in Ruby, are used to configure the systems under management. To assist you in managing your cookbooks, the makers of Chef created a command-line tool called knife. Using the knife utility, you can begin creating a cookbook by typing: knife cookbook create <name_of_cookbook>. With that command, knife creates all the files and directories required to configure your infrastructure.

Now you need to write the actual Ruby code that will install and configure your target system. For example, you can write code that automatically installs Apache, MySQL, and PHP and configures these applications according to security best practices, such as those published by the Center for Internet Security. Before writing any of the Ruby code yourself, however, I recommend that you check out the Opscode Community site at https://supermarket.chef.io/cookbooks-directory, where you can find hundreds of free cookbooks for many different purposes. To use any of these open source cookbooks, you would just run knife cookbook site download <name_of_cookbook>.
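As an added example (mine, not code from the post or from Chef), here is plain Ruby rather than the Chef recipe DSL, so it runs stand-alone: it audits an Apache config against a few hardening directives of the kind a CIS-aligned cookbook would enforce, then rewrites the config so repeated runs converge on the baseline, the way a Chef resource should. The baseline values are an assumed hardening subset, not the CIS benchmark verbatim, and the sample config is constructed.

```ruby
# Desired values for a few global Apache directives (assumed hardening
# baseline in the spirit of CIS guidance, not the benchmark verbatim).
HARDENING_BASELINE = {
  "ServerTokens"    => "Prod",  # do not advertise OS/module versions
  "ServerSignature" => "Off",   # no version footer on error pages
  "TraceEnable"     => "Off",   # disable HTTP TRACE
}.freeze

# Parse an Apache-style config into {directive => value}, skipping comments
# and blank lines; a later occurrence overrides an earlier one, as httpd does.
def parse_apache_conf(text)
  text.each_line.with_object({}) do |line, conf|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?("#")
    name, value = stripped.split(/\s+/, 2)
    conf[name] = value.to_s.strip
  end
end

# Findings for directives that are missing or not at the baseline value.
# An empty array means the config already matches.
def audit_apache_conf(text, baseline = HARDENING_BASELINE)
  conf = parse_apache_conf(text)
  baseline.filter_map do |directive, wanted|
    actual = conf[directive]
    next "#{directive}: not set (want #{wanted})" if actual.nil?
    "#{directive}: #{actual} (want #{wanted})" unless actual.casecmp?(wanted)
  end
end

# Rewrite drifted directives in place and append missing ones, so running it
# again changes nothing: the convergent behaviour a Chef resource should have.
def harden_apache_conf(text, baseline = HARDENING_BASELINE)
  seen = {}
  lines = text.each_line.map do |line|
    name = line.strip.split(/\s+/, 2).first
    next line unless baseline.key?(name)
    seen[name] = true
    "#{name} #{baseline[name]}\n"
  end
  baseline.each { |d, v| lines << "#{d} #{v}\n" unless seen[d] }
  lines.join
end

# Constructed sample config (not a real server's), as many distros ship it.
SAMPLE_CONF = <<~CONF
  ServerTokens OS
  ServerSignature On
  Listen 80
CONF
```

Calling audit_apache_conf(SAMPLE_CONF) reports the two drifted directives and the missing TraceEnable; auditing harden_apache_conf(SAMPLE_CONF) returns no findings.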

Although not considered a security tool, Chef can, as you can see, be leveraged by information security and operations teams to reduce risk by maintaining uniform, secure configurations across a company's infrastructure.

I highly recommend that, as part of your information assurance career, you get familiar with installing and working with a large number of tools. You want to do this in a safe manner so that any misconfigurations or bad installs won't impact your home or your company's production systems. I would recommend that you take advantage of cloud server providers like Amazon's EC2 or Rackspace. Although these services may cost you a little money upfront, it is well worth the knowledge you'll gain. As an alternative, you can install servers on your home computer as virtual machines using freely distributed virtualization software. Just be sure to sandbox these virtual machines from your work environment.

Finally, to gain hands-on experience with Chef, I highly recommend you complete the tutorial at http://gettingstartedwithchef.com/first-steps-with-chef.html.

To learn more about the Master of Science in Information Assurance program at Regis University, call us at 877-820-0581 or request more information.