Compliance Profile - Waivers

A waiver is a mechanism that allows you to bypass specific controls from a compliance scan. A Waiver will enable you to provide details about the exception, including expiration (if applicable) and justification. 

The waiver file is written in yaml and contains one or more code blocks. Each block of code specifies the control to exempt, the expiration date for the exemption, and the reason for the exemption.  

Benefits of using Waivers: 

  • Justifies an excepted control (vs the older skip control mechanism) 
  • Promotes a culture of introspection; operators are encouraged to comply with all controls if not waived with a permanent justification.
  • You can still “run” a control to track compliance progress without impacting overall posture. 
Waivers are applied at the control level of a profile and can be used in two different ways: 

  • When running the inspec exec command by using the --waiver-file switch.  
  • Declared in the cookbook’s attributes file.  

A waiver file contains the following pieces of information:  

  • Control ID_Name - the ID and Title of the control to be waived 
  • Expiration Date - the date when the waiver is set to expire
  • Waiver Justification (optional) - a way to allow users to justify the waiver (i.e. why the given control must be waived).
  • Skip run switch - allow users to skip the evaluation of the waived control. 

Difference between a Skipped and Waived control?  

  • Skipped controls are not evaluated/run 
  • Waived controls that are run: false are not evaluated/run 

Setting up the Environment  

As with many other components in Chef, a waiver file can be created by using the chef generate command. 

Within your cookbook, execute the command $ chef generate waiver <name of the file>. The output tells you that a new directory is created for waiver, under compliance folder. 


The command above will create a new yml file. You can edit this file or create a new for compliance scanning.
 

  • Recipe: The recipe below will install and start the nginx server on the remote node. Along with installation, it will push the waiver  release.yml file to the remote node under the /tmp directory.  

Note: Waiver file should be present in the client node for it to be executed and applied.


  • Example: Below, compliance has two controls. The first will check whether port 80 is listening, and the second will contain the version and the modules, respectively. 


  • Waiver – release.yml file  

Below waiver file will exempt (waive off) the control nginx-port when there is a client run until the expiration date.


Note that the Control ID should match that of the waiver and control file. In the above example, the control ID and waiver is nginx-port.  

  • Edit the attributes file to include the waiver. 


Note: You should not place your waivers in /tmp. Every organization will have their own standards, we are using /tmp as an example.  

Once the recipes, controls and waivers are saved, you can run cookstyle against the files to check for any syntax errors:  

$ cookstyle –a  

When your recipes are error-free, you can upload them to the Chef Infra Server using $ knife cookbook upload <cookbook-name>, but the more modern way is to use Policyfiles. 

With Policyfiles, you can bundle your cookbooks and compliance profiles and upload them to your Chef server. First, use the command $ chef install Policyfile.rb, which creates a Policyfile.lock.json file, then use $ chef push prod Policyfile.lock.json  to bundle everything and send it to your Chef server.  

You can run the audit scan locally and check if the waivers are applied. 

$ inspec exec compliance/profiles/<profile_name>/controls/<control.rb> --waiver-file compliance/waivers/<waiver-file.yml>


The image above shows that the control nginx-port is skipped,and the other two controls are executed.  

$ sudo chef-client command will execute the cookbook in the target node along with all the recipes, compliance and waivers files. 


No-op – No operation – This is a bug which will be fixed in the next release.  

You can confirm the results from the Automate UI. As you can see the control nginx-port is under waived control.


You can manually upload your compliance profile with Automate UI and set the scheduled scan against the remote node. 

Conclusion 

This blog explains how to use Waivers on Chef platforms. It must now be clear how to create and execute a Waiver file locally or on the remote node.  

For more information about how to get started with waivers, check out our documentation or watch our recent livestream episode on waivers. Also, join our Community Slack to stay informed about all things. 


 

Tags:

Akshay Parvatikar

Akshay Parvatikar is a Manager of Technical Marketing at Progress. With a career of over ten years and a bachelor's degree in Engineering, Akshay has worked in various roles such as solution engineering, customer consulting, and business development in web performance for Telecom and the e-commerce industry.