TACO FAQ

Frequently Asked Questions About TACO

What is TACO?

Is there anything that needs to be installed on my servers or within my network?

TACO is powered by Chef and leverages the Chef Infra client and Chef Automate. Each node or server that will use the TACO service requires the installation of the Chef Infra client. This client is then configured to report either directly to our Chef infrastructure or to an on-premise Chef server, which in turn reports into our infrastructure. Which scenario is implemented depends on various factors; the details can be discussed with the Obsidian team.

What ports and services need to be running and listening on my nodes and for TACO cloud-hosted server access?

For the initial bootstrap/onboarding process we need inbound access to these services on each node:

  • Linux, Mac and AIX: SSH (the default port is 22, but it can be almost any port as long as SSH is enabled)
  • Windows:  WinRM (default TCP ports 5985 for HTTP and 5986 for HTTPS)

Once nodes are bootstrapped, and where there is no on-prem Chef server, each node needs to be able to connect outbound on port 443 to our infrastructure. Where an on-prem Chef server is used, each node needs to be able to communicate on port 443 with that server, and the on-prem Chef server must be able to communicate with our infrastructure on the same port.

Is a Chef server required within my network to be able to use the TACO service?

No, as long as each node is allowed to communicate back to our infrastructure on port 443. If your security policies do not allow this, we can install a Chef server within your network, to which all the nodes will communicate. This single server can then be allowed to communicate back to our infrastructure in order to fetch compliance profiles and send scan data so that results can be reported on. We will only need inbound SSH or WinRM for the initial setup. The Obsidian team will work with you on the details.

How does the Chef client communicate with Obsidian’s TACO service?

Connections between the client nodes and the server are only ever initiated from the client node, by the Chef client. Our infrastructure never initiates communication or connections with the client nodes; the one exception is the initial onboarding phase. After that, client nodes fetch profiles from our infrastructure and push compliance scan results to it.
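The connectivity requirements in the three answers above (inbound SSH or WinRM to the node only during bootstrap, then outbound TCP/443 from each node to its Chef server, with an on-prem Chef server itself needing outbound 443 to the hosted infrastructure) can be verified before an onboarding window is booked. The following pre-flight script is an added example, not part of this FAQ or of Obsidian's tooling. The hosted endpoint name is a placeholder, the inbound bootstrap flows are listed but have to be probed from the bootstrap workstation, and for the offline demo a local listener stands in for the Chef server.

```python
"""Pre-flight connectivity check for TACO onboarding (added example).

Encodes the port requirements stated in the FAQ: inbound SSH (22) or WinRM
(5985/5986) to the node during bootstrap, then outbound TCP/443 from every
node to its Chef server. Run it on an on-prem Chef server with no
on_prem_server argument to check that server's own 443 egress to the hosted
infrastructure.
"""
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder: the real hosted endpoint is supplied by Obsidian during onboarding.
HOSTED_INFRA = "taco-hosted.example.invalid"
CHEF_PORT = 443


@dataclass(frozen=True)
class Flow:
    phase: str       # "bootstrap" or "steady-state"
    direction: str   # "inbound" (towards the node) or "outbound" (from the node)
    host: str        # peer host: the bootstrap workstation, or the Chef server
    port: int


def required_flows(os_family: str, on_prem_server: Optional[str] = None,
                   server_port: int = CHEF_PORT) -> List[Flow]:
    """TCP flows a node needs, per the FAQ, given its OS and topology.

    os_family: "windows" bootstraps over WinRM; anything else over SSH.
    on_prem_server: hostname of an on-prem Chef server, or None for the
    hosted scenario where nodes talk to Obsidian's infrastructure directly.
    """
    if os_family.lower() == "windows":
        bootstrap = [Flow("bootstrap", "inbound", "bootstrap-workstation", 5985),
                     Flow("bootstrap", "inbound", "bootstrap-workstation", 5986)]
    else:
        bootstrap = [Flow("bootstrap", "inbound", "bootstrap-workstation", 22)]
    # After bootstrap the node only ever connects *out*, on 443, to its Chef server.
    target = on_prem_server or HOSTED_INFRA
    steady = [Flow("steady-state", "outbound", target, server_port)]
    return bootstrap + steady


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_outbound(flows: List[Flow], timeout: float = 3.0) -> Dict[Flow, bool]:
    """Probe every outbound flow from this node.

    Inbound bootstrap flows have to be probed from the bootstrap workstation
    (it is the side that connects in), so they are listed but not probed here.
    """
    return {f: tcp_reachable(f.host, f.port, timeout)
            for f in flows if f.direction == "outbound"}


def missing_flows(results: Dict[Flow, bool]) -> List[Flow]:
    """Flows that failed the probe, i.e. what the firewall team needs to open."""
    return [f for f, ok in results.items() if not ok]


def local_listener() -> socket.socket:
    """Throwaway listener on 127.0.0.1 standing in for a Chef server offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Offline demo: a local listener plays the part of an on-prem Chef server.
    srv = local_listener()
    port = srv.getsockname()[1]
    flows = required_flows("linux", on_prem_server="127.0.0.1", server_port=port)
    for flow in flows:
        print(f"required: {flow.phase:12} {flow.direction:8} {flow.host}:{flow.port}")
    results = check_outbound(flows)
    for flow, ok in results.items():
        print(f"probe:    {flow.host}:{flow.port} -> {'OK' if ok else 'BLOCKED'}")
    srv.close()
    print("missing:", missing_flows(results) or "none")
```

In a real pre-check, replace the `127.0.0.1` listener with the on-prem Chef server hostname (or drop `on_prem_server` for the hosted scenario) and run the script on a representative node per network segment; anything reported as missing is a firewall change to raise before the bootstrap window, not during it.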

What is needed by Obsidian to set up an on-premise server for Chef and TACO?

  • A physical or virtual machine within your network. The required specifications of this server depend on the number of client nodes that will be bootstrapped to the TACO service. Below are the requirements for onboarding 1000 nodes or fewer to TACO. The Chef server requires the following:
    • A single virtual or physical machine
    • Operating system: Redhat/CentOS 7 or 8, Ubuntu 16.04 or 18.04, SLES 12.x
    • CPU: 2 cores
    • RAM: 8 GB
    • HDD: 100 GB
  • The hostname of the Chef server
  • DNS set up so that the server is reachable by that hostname on the network
  • VPN access set up to the Chef server
  • A username and password provided to Obsidian

How long does it take Obsidian to set up an on-premise server for Chef? (if required)

Between 1 hour and 1 day, once access has been provided to the Obsidian team and the customer has fulfilled all the requirements listed above.

How long does it take to onboard / bootstrap each client node?

Provided that all other requirements are met, less than 5 minutes per client node.

How long does it take to onboard all my servers in my infrastructure to the TACO cloud-hosted environment?

About 5 minutes per node, multiplied by the total number of nodes you wish to onboard.

Do you need root or administrative access/privileges on each client node?

Root or administrative privileges are required for the initial setup of each node you want to onboard. After the node has been added to TACO, that privileged access can be revoked. The Obsidian team will work with you on any specific decisions or requirements around this. The integrity of your network’s security is our utmost concern.

Will my nodes need to be rebooted as part of the bootstrap process or after the installation of the Chef Infra client?

No.

What is this bootstrapping business all about?

Bootstrapping is the name of the process by which a node is configured to communicate with a particular Chef server. This process involves the following:

  • Install the Chef client
  • Configure that Chef client to communicate back to the relevant Chef server (this is achieved by running a specific command from another machine configured for this task)

Will the Chef Infra client and subsequent runs of the Chef Infra client consume many resources on my servers and network?

The installed and running footprint of the Chef Infra client is very small. Each run generates report data which is sent to the server; these datasets are typically well under 2Mb each.

What operating systems can TACO do compliance scans on?

  • Various Linux distributions including Debian, Ubuntu, RHEL, CentOS, SuSE and Amazon Linux (multiple architectures are supported)
  • AIX 7.1 and 7.2
  • Windows (versions 8 and above, Server 2012 and above)
  • macOS
  • FreeBSD

How will I access the results of the continuous compliance scans?

As a customer, you will be given access to a portal, which can be accessed via a web browser or your phone. From there you will be able to see the latest scan results and also produce reports for printing or emailing.

What frameworks or benchmarks are used in our TACO scans?

We make use of the CIS (Center for Internet Security) benchmarks, and we can also create compliance profiles around your own internal benchmarks or requirements.