Inspec, or how to translate compliance spreadsheets into code
11 likes•5,426 views
The document details Inspec, a compliance testing tool that translates compliance spreadsheets into code, focusing on features like multi-platform support and a command line interface for efficient testing. It discusses the anatomy of controls, including metadata and resources, as well as profile management and validation. Additionally, it provides insights into running Inspec tests locally and remotely, along with links for further resources.
![CUSTOM RESOURCES
Just like Chef, you can define your own custom
InSpec resources if you need them.
require 'yaml'
class GordonConfig < Inspec.resource(1)
name 'gordon_config'
def initialize
@path = '/etc/gordon/config.yaml'
@file = inspec.file(@path)
return skip_resource "Can't find file "#{@path}"" if !@file.file?
@params = YAML.load(@file.content)
end
def method_missing(name)
@params[name.to_s]
end
end
Include them in libraries folder in your profiles.](https://image.slidesharecdn.com/inspecorhowtotranslatecompliancespreadsheetsintocode-160201153017/85/Inspec-or-how-to-translate-compliance-spreadsheets-into-code-17-320.jpg)
Inspec, or how to translate compliance spreadsheets into code
- 1. INSPEC OR HOW TO TRANSLATE COMPLIANCE SPREADSHEETS INTO CODE Created by / / Michael Goetz [email protected] @michaelpgoetz
- 6. SPREADSHEET
- 7. PDF
- 8. XML <Rule id="usgcb-rhel5desktop-rule-2.2.2.5.d" selected="false" weight="10.0" <status date="2011-09-30">accepted</status> <version update="1"/> <title override="0">CCE-15087-0:Disable Mounting of hfs</title> <description override="0"> Using the install command inside /etc/modprobe.conf the kernel module loading system to run the command speciï¬ed (here, /bin/true) instead of inserting the module in the kernel as normal. This effectively prevents usage of these uncommon ï¬lesystems.</description <ident system="http://cce.mitre.org">CCE-15087-0</ident> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" selector <check-content-ref href="usgcb-rhel5desktop-oval.xml" name="oval:gov.nist.usg </check> </Rule>
- 9. ANATOMY OF A CONTROL describe sshd_config do its('Port') { should eq('22') } end describe is a block that contains at least one test sshd_config is an InSpec resource
- 10. ANATOMY OF A CONTROL control 'sshd-8' do impact 0.6 title 'Server: Configure the service port' desc ' Always specify which port the SSH server should listen to. Prevent unexpected settings. ' describe sshd_config do its('Port') { should eq('22') } end end 'sshd-8' is the name of the control control must contain at least one describe block impact, title, and desc define metadata to describe the control
- 12. PROFILE MANIFEST name: profile title: InSpec Example Profile maintainer: Chef Software, Inc. copyright: Chef Software, Inc. copyright_email: [email protected] license: Apache 2 license summary: Demonstrates the use of InSpec Compliance Profile version: 1.0.0 supports: - os-family: linux name - Identifier of the profile (required) Profiles can also be included in other profiles by referring to the name.
- 13. PROFILE OS SUPPORT supports: // Runs on any version of Debian Linux - os-name: debian // Only runs on Ubuntu 14.04 - os-name: ubuntu release: 14.04 // Targets RedHat, CentOS, Oracle Linux ... - os-family: redhat Restrict your profiles to only support targeted operating systems.
- 14. PROFILE INHERITANCE include_controls 'cis-level-1' do skip_control "cis-fs-2.1" skip_control "cis-fs-2.2" control "cis-fs-2.7" do impact 1.0 ... end Include all controls from external profiles and skip specific controls if necessary.
- 15. PROFILE CONTROL INCLUSION require_controls 'cis-level-1' do control "cis-fs-2.1" control "cis-fs-2.2" end If you just need a few controls from a profile, you can require just specific controls.
- 16. PROFILE VALIDATION & DISTRIBUTION $ inspec check examples/profile Check your profile syntax with the inspec check command. # will generate a example-profile.tar.gz $ inspec archive examples/profile # will generate a example-profile.zip $ inspec archive examples/profile --zip Package and redistribute using gzip, bzip2, or xz
- 17. CUSTOM RESOURCES Just like Chef, you can define your own custom InSpec resources if you need them. require 'yaml' class GordonConfig < Inspec.resource(1) name 'gordon_config' def initialize @path = '/etc/gordon/config.yaml' @file = inspec.file(@path) return skip_resource "Can't find file "#{@path}"" if [email protected]? @params = YAML.load(@file.content) end def method_missing(name) @params[name.to_s] end end Include them in libraries folder in your profiles.
- 18. RUNNING INSPEC TESTS Local Remote via SSH Remote via WinRM Docker, Docker, Docker inspec exec test.rb inspec exec test.rb -t ssh://user@hostname inspec exec test.rb -t winrm://Administrator@windowshost --password 'password' inspec exec test.rb -t docker://container_id
- 20. DEMO