Frequently Asked Questions About
What is TACO?
TACO is built on Chef and uses the Chef Infra Client and Chef Automate. Each node or server that will use the TACO service requires the Chef Infra Client to be installed. The client is then configured to report either directly to our Chef infrastructure or to an on-premise Chef server, which in turn reports into our infrastructure. Which scenario is implemented depends on several factors; the details can be discussed with the Obsidian team.
For the initial bootstrap/onboarding process we need inbound access to these services on each node:
- Linux, Mac and AIX: SSH (The default port is 22, but can be almost anything as long as SSH is enabled)
- Windows: WinRM (default TCP ports 5985 for HTTP and 5986 for HTTPS)
Once nodes are bootstrapped, and where there is no on-premise Chef server, each node must be able to connect outbound on port 443 to our infrastructure. Where an on-premise Chef server is used, each node must be able to reach that server on port 443, and the on-premise Chef server must be able to reach our infrastructure on the same port.
No, as long as each node is allowed to communicate back to our infrastructure on port 443. If your security policies do not allow this, we can install a Chef server within your network, to which all the nodes will communicate. That single server is then allowed to communicate back to our infrastructure in order to fetch compliance profiles and send scan data so that results can be reported on. We only need inbound SSH or WinRM for the initial setup. The Obsidian team will work with you on the details.
Connections between the client nodes and the server are only ever initiated by the client node, using the Chef client. Our infrastructure never initiates communication or connections with the client nodes; the one exception is the initial onboarding phase. After that, client nodes fetch profiles from our infrastructure and push compliance scan results to our infrastructure.
A physical or virtual machine within your network. The required specifications of this server depend on the number of client nodes that will be bootstrapped to the TACO service. For 1000 nodes or fewer, the Chef server requires the following:
- A single virtual or physical machine
- Operating system: Red Hat/CentOS 7 or 8, Ubuntu 16.04 or 18.04, SLES 12.x
- CPU: 2 cores
- RAM: 8 GB
- HDD: 100 GB
- The hostname of the Chef server
- DNS configured so the server is reachable on that hostname within the network
- VPN access to the Chef server
- A username and password provided to Obsidian
1 hour to 1 day, once access has been provided to the Obsidian team and all requirements have been fulfilled by the customer.
Provided that all other requirements are met, less than 5 minutes per client node.
About 5 minutes per node, multiplied by the total number of nodes you wish to onboard.
Root or administrative access/privileges are required for the initial setup of each node you want to onboard. After the node has been added to TACO, privileged access can be revoked. The Obsidian team will work with you on specific decisions or requirements in this regard. The integrity of your network’s security is our utmost concern.
Bootstrapping is the process by which a node is configured to communicate with a particular Chef server. It involves the following:
- Install the Chef client
- Configure that Chef client to communicate back to the relevant Chef server (This is achieved by running a specific command from another machine configured for this task.)
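As an added example (not code from the TACO FAQ or from Chef's own tooling), the following shell script ties together the port requirements described above and the bootstrap step: for a constructed node inventory it works out which inbound port must be open for onboarding (SSH for Linux/Mac/AIX, WinRM for Windows), can optionally test reachability of those ports and of the outbound port 443 path that the client-initiated connections need, and prints the knife bootstrap command that would enrol each node. The hostnames, user names, key path and the TACO endpoint name are placeholders; the knife option names assume the unified knife bootstrap syntax of Chef Infra Client 15 and later.

```shell
#!/bin/sh
# Added example, not part of the TACO FAQ or of Chef's own tooling.
# Hostnames, users, the key path and the TACO endpoint are constructed placeholders.

# Inbound port a node must expose during bootstrapping, per the FAQ:
# SSH (22 unless overridden) for linux/mac/aix; WinRM 5985 (HTTP) or 5986 (HTTPS) for windows.
#   usage: bootstrap_port <os> [ssh_port_override] [http|https]
bootstrap_port() {
  os="$1"; ssh_port="${2:-}"; winrm_mode="${3:-http}"
  case "$os" in
    linux|mac|aix)
      if [ -n "$ssh_port" ]; then echo "$ssh_port"; else echo 22; fi ;;
    windows)
      if [ "$winrm_mode" = "https" ]; then echo 5986; else echo 5985; fi ;;
    *)
      echo "unsupported os: $os" >&2; return 1 ;;
  esac
}

# knife bootstrap command for one node (Chef Infra Client 15+ option names assumed).
# The WinRM password is read from the environment at run time, not typed inline.
bootstrap_cmd() {
  host="$1"; os="$2"; user="$3"; port="$4"
  case "$os" in
    windows)
      ssl=""; [ "$port" = "5986" ] && ssl=" --winrm-ssl"
      echo "knife bootstrap $host -o winrm -p $port$ssl -U $user -P \"\$WINRM_PASSWORD\" -N $host" ;;
    *)
      echo "knife bootstrap $host -o ssh -p $port -U $user -i ~/.ssh/taco_bootstrap --sudo -N $host" ;;
  esac
}

# TCP reachability test; needs real network access, so it is only used with --check.
port_open() {
  host="$1"; port="$2"
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$host" "$port" >/dev/null 2>&1
  else
    # bash-only fallback; in a plain POSIX sh this simply reports the port as closed
    (exec 3<>"/dev/tcp/$host/$port") >/dev/null 2>&1
  fi
}

# Constructed inventory: host, OS family, bootstrap user, and an optional 4th field
# (SSH port override for Unix-like nodes, or http/https for Windows WinRM).
INVENTORY='web01.example.internal linux deploy 22
db01.example.internal linux deploy 2222
fs01.example.internal windows Administrator https
lpar01.example.internal aix root'

# Placeholder for the TACO / Chef infrastructure endpoint nodes must reach on 443.
TACO_ENDPOINT="taco.example.invalid"

# One line per node: the inbound port to open for onboarding and the knife command.
plan_bootstrap() {
  printf '%s\n' "$INVENTORY" | while read -r host os user extra; do
    port=$(bootstrap_port "$os" "$extra" "$extra") || continue
    echo "$host inbound:$port :: $(bootstrap_cmd "$host" "$os" "$user" "$port")"
  done
}

# Live checks: inbound bootstrap ports plus the outbound 443 path each node relies on
# after onboarding (connections are only ever client-initiated).
check_connectivity() {
  printf '%s\n' "$INVENTORY" | while read -r host os user extra; do
    port=$(bootstrap_port "$os" "$extra" "$extra") || continue
    if port_open "$host" "$port"; then echo "OK   inbound  $host:$port"; else echo "FAIL inbound  $host:$port"; fi
  done
  if port_open "$TACO_ENDPOINT" 443; then echo "OK   outbound $TACO_ENDPOINT:443"; else echo "FAIL outbound $TACO_ENDPOINT:443"; fi
}

if [ "${1:-}" = "--check" ]; then
  check_connectivity
else
  plan_bootstrap
fi
```

Run it without arguments to review the planned commands before anyone touches a node; run it with `--check` from the machine that will perform the bootstrap to confirm the inbound ports and the outbound 443 path are open before the onboarding window starts.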
The installed and running footprint of the Chef Infra Client is very small. Each run generates report data that is sent to the server; these datasets are typically well under 2 MB each.
- Various Linux distributions including Debian, Ubuntu, RHEL, CentOS, SUSE and Amazon Linux (multiple architectures are supported)
- AIX 7.1 and 7.2
- Windows (Versions 8 and above, Server 2012 and above)
As a customer, you will be given access to a portal that can be reached from a web browser or your phone. From there you can see the latest scan results and generate reports for printing or emailing.
We use the Center for Internet Security (CIS) benchmarks, and we can also create compliance profiles around your own internal benchmarks or requirements.