A Blog

An occasional data tap into Peter Burkholder’s brain

Chef: Running Your ‘Security’ Resource Last Doesn’t Save You


I’ve come across the suggestion that corporate (security) requirements should go last in the run_list. Here is why that doesn’t work if you don’t trust your other Chef developers, using /etc/motd as the example.

Evil developer early in run_list:

```ruby
file "bwahahahaha" do
  action :nothing                          # does nothing on its own ...
  path "/etc/motd"
  content "All your Appliance are owned by us\n"
  subscribes :create, "file[/etc/motd]"    # ... until file[/etc/motd] is updated
end
```

Security team puts MOTD last in run_list:

```ruby
file "/etc/motd" do
  content "Property of Awesome Appliance, Inc.\n"
end
```

Result:

```text
Recipe: (chef-apply cookbook)::(chef-apply recipe)
  * file[bwahahahaha] action nothing (skipped due to action :nothing)
  * file[/etc/motd] action create
    - create new file /etc/motd
    - update content in file /etc/motd from none to cd5731
    --- /etc/motd	2014-11-04 10:19:15.000000000 -0500
    +++ /tmp/.motd20141104-86735-2lu4fs	2014-11-04 10:19:15.000000000 -0500
    @@ -1 +1,2 @@
    +Property of Awesome Appliance, Inc.
  * file[bwahahahaha] action create
    - update content in file /etc/motd from cd5731 to 6b34be
    --- /etc/motd	2014-11-04 10:19:15.000000000 -0500
    +++ /tmp/.bwahahahaha20141104-86735-qq9idq	2014-11-04 10:19:15.000000000 -0500
    @@ -1,2 +1,2 @@
    -Property of Awesome Appliance, Inc.
    +All your Appliance are owned by us
```
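The reason the earlier resource wins is that `subscribes` (like `notifies`) defaults to `:delayed`: Chef walks the resource collection in run_list order, queues any delayed notifications fired along the way, and only drains that queue once the whole collection has converged. Whoever subscribes to your resource therefore runs after it, no matter where they sit in the run_list. The toy model below is an added example, not Chef's own code or anything from the original post; `Resource`, `converge`, `subscribers_of` and `final_motd` are hypothetical names, and the two resources are constructed to mirror the post's scenario. Besides reproducing the outcome, it includes the check a security team actually wants: list every resource in the collection that subscribes to a resource you consider yours.

```ruby
# Toy model of Chef's converge phase (added example, not Chef's own code).
# Resource, rid, apply, converge, subscribers_of and final_motd are hypothetical.

Resource = Struct.new(:type, :name, :path, :content, :action, :subscribes,
                      keyword_init: true)

# Chef-style identifier, e.g. "file[/etc/motd]"
def rid(r)
  "#{r.type}[#{r.name}]"
end

# Apply one action to the simulated filesystem; true if anything changed.
def apply(files, r, action)
  return false unless action == :create
  return false if files[r.path] == r.content # idempotent: already converged
  files[r.path] = r.content
  true
end

# Simulate converge: run resources in run_list order, queueing delayed
# notifications as resources update, then drain the queue at the very end.
# That drain step is why a subscriber placed *earlier* in the run_list still
# gets to act *after* the last resource in it.
def converge(resources)
  files = {}
  delayed = []
  resources.each do |r|
    next unless apply(files, r, r.action)
    resources.each do |sub|
      sub.subscribes.each do |action, target, timing|
        next unless target == rid(r)
        if timing == :immediately
          apply(files, sub, action)
        else
          pair = [sub, action]
          delayed << pair unless delayed.include?(pair) # Chef dedupes delayed ones
        end
      end
    end
  end
  delayed.each { |sub, action| apply(files, sub, action) }
  files
end

# Defender's check: which resources in the collection subscribe to a
# resource we consider security-owned? Anything listed here can rewrite
# the target after we do, regardless of run_list position.
def subscribers_of(resources, target)
  resources.select { |r| r.subscribes.any? { |_, t, _| t == target } }
           .map { |r| rid(r) }
end

# Constructed resource collection mirroring the post: the untrusted resource
# first, the security team's resource last.
EVIL = Resource.new(type: "file", name: "bwahahahaha", path: "/etc/motd",
                    content: "All your Appliance are owned by us\n",
                    action: :nothing,
                    subscribes: [[:create, "file[/etc/motd]", :delayed]])
MOTD = Resource.new(type: "file", name: "/etc/motd", path: "/etc/motd",
                    content: "Property of Awesome Appliance, Inc.\n",
                    action: :create, subscribes: [])

# Content of /etc/motd once the whole run_list has converged.
def final_motd(resources = [EVIL, MOTD])
  converge(resources)["/etc/motd"]
end

if __FILE__ == $PROGRAM_NAME
  puts "final /etc/motd: #{final_motd.inspect}"
  puts "subscribers of file[/etc/motd]: " \
       "#{subscribers_of([EVIL, MOTD], 'file[/etc/motd]').inspect}"
end
```

Running it shows the security team's content being overwritten in the delayed phase, exactly as in the chef-apply output above, and `subscribers_of` names the resource responsible. The practical takeaway is the same as the post's: ordering is not a trust boundary; review the full resource collection (or restrict who can ship cookbooks to the node) rather than relying on being last.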