An Overview of Compliance in Chef Automate

The new compliance functionality described in this topic is currently in Beta. To enable compliance reporting in the Chef Automate UI, navigate to the Nodes tab, make sure your cursor is not in any text box or field, and type beta. A new Compliance tab should appear in the top-level menu of the UI. Note: Enabling the Compliance tab will allow you to view only new compliance scan data, not historical data.

While we encourage customers to try out this new functionality, the new compliance features are not recommended for production use until they are made generally available in an upcoming Chef Automate release.

Chef Automate 0.8.5 or later lets you store and manage compliance profiles, view compliance reports over time, and quickly filter compliance reports through a dashboard interface. In addition to seeing your overall compliance status, you can see which controls failed and why, giving you the information you need for immediate remediation.

Profile storage

Chef Automate contains a collection of built-in profiles to help you perform security audits of the nodes in your Chef Automate cluster. These profiles cover many scenarios, including benchmarks created by the Center for Internet Security (CIS), and help you audit your nodes against security requirements driven by governmental and business needs.

These profiles can be searched and managed through the Chef Automate web UI. If you need custom profiles to be used across your cluster, Chef Automate also lets you upload those profiles.

The following is a list of built-in profiles. See Perform a Compliance Scan in Chef Automate to see how to use these profiles against nodes in your cluster.

CIS profiles

The following CIS benchmark profiles are included:

  • AIX
  • Apache Tomcat
  • Amazon Linux
  • CentOS
  • Docker
  • HP-UX
  • macOS/OSX
  • Microsoft Windows
  • Oracle Linux
  • Oracle Solaris
  • Red Hat Enterprise Linux
  • SUSE Linux Enterprise Server
  • Ubuntu

Chef Automate has multiple profiles supporting different versions of the operating systems or environments listed above.

Baseline profiles

Chef Automate also ships the following “baseline” profiles with controls that check your nodes for a base level of hardening.

  • Apache
  • Linux Security
  • Linux Patch
  • MySQL
  • Nginx
  • PostgreSQL
  • SSH
  • Windows Security
  • Windows Patch

Different reporting perspectives

When analyzing compliance reports, Chef Automate lets you pivot the data by either nodes or profiles. The same detailed information is available in both views; depending on your role, you can drill down into whichever view is most relevant to you.

Powerful filtering of report data

Chef Automate lets you filter on the compliance status of the nodes in your cluster. You can filter your data on categories such as the profile used, the platform of the node, the environment, and so on. You can also chain these filters together to get precise results across your report data.

See Filter Compliance Scans in Chef Automate for more information.