Closed stdevel closed 4 years ago
I'm not sure but this could maybe help you, check the "Skipping a Control from a Profile" section:
https://blog.chef.io/understanding-inspec-profile-inheritance/
I would also recommend using profile inheritance or the new waivers feature (if appropriate)
> I would also recommend using profile inheritance or the new waivers feature (if appropriate)
Thanks for pointing out the new waiver feature!
@james-stocks is there any information on how to include a waiver into my .kitchen.yml file?
I go to your link but all I see is information on how to run inspec with a waiver file from my command line, which isn't useful in this context. I search this repo for the word "waiver" and only get the two issues discussing this exact topic.
Edit:
I found a viable workaround. The `controls` input accepts a regex, so you can craft a regex using negative lookahead that excludes all of the tests you don't want to run. I didn't want to run `sshd-44`, so my .kitchen.yml verifier section has this:

```yaml
inspec_tests:
  - name: ssh
    git: https://github.com/dev-sec/ssh-baseline.git
    controls:
      - /^(?!sshd-44$).*/
```

You can skip multiple tests with a pipe:

```yaml
controls:
  - /^(?!sshd-44$|sshd-45$|sshd-46$).*/
```

It's a little ugly, but does exactly what I need here.
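
The workaround above, generalised as an added example (not code from the thread or from InSpec): it builds the exclusion pattern from a list of control IDs and checks locally which IDs would still run. The helper names and the sample IDs are hypothetical, and it assumes the text between the slashes is compiled as an ordinary Ruby regex, as the comment describes.

```ruby
# Added example: build the "run everything except these" entry for the
# `controls` list from a plain list of control IDs.
# exclusion_pattern, kitchen_controls_entry and selected are hypothetical names.

# Returns the regex source, e.g. ^(?!(?:sshd\-44|sshd\-45)$).*
def exclusion_pattern(skip_ids)
  raise ArgumentError, 'no control IDs given' if skip_ids.empty?

  # Regexp.escape keeps IDs such as "os-1.2" literal; an unescaped "."
  # would also exclude "os-1x2".
  alternatives = skip_ids.map { |id| Regexp.escape(id) }.join('|')

  # The $ inside the lookahead forces a full-ID match, so skipping
  # "sshd-4" does not silently skip "sshd-44" as well.
  "^(?!(?:#{alternatives})$).*"
end

# The /.../ string form used in the .kitchen.yml snippets above.
def kitchen_controls_entry(skip_ids)
  "/#{exclusion_pattern(skip_ids)}/"
end

# Simulate the selection locally: which control IDs would still run?
def selected(all_ids, skip_ids)
  re = Regexp.new(exclusion_pattern(skip_ids))
  all_ids.select { |id| re.match?(id) }
end

# Constructed sample IDs, not taken from any real profile.
SAMPLE_IDS = %w[sshd-04 sshd-4 sshd-44 sshd-45 sshd-440 os-1.2 os-1x2].freeze

if __FILE__ == $PROGRAM_NAME
  skip = %w[sshd-44 sshd-45]
  puts kitchen_controls_entry(skip)
  puts "still running: #{selected(SAMPLE_IDS, skip).join(', ')}"
end
```

Checking the "still running" list before committing the pattern shows whether a typo or a missing anchor has dropped more controls than intended.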
> @james-stocks is there any information on how to include a waiver into my .kitchen.yml file?

Hey @RulerOf, sounds like you worked something out but here's an example of using a waiver file in your kitchen config:

```yaml
verifier:
  name: inspec
  inspec_tests:
    - git: https://github.com/dev-sec/cis-dil-benchmark.git
  input_files:
    - <your waiver file>.yaml
```

It wasn't super intuitive to me at first, but the inspec documentation for the waiver file format says:

> Waiver files are input files with a specific format: ...

Though the above works, it can make the list a little confusing to read without committing to some sort of naming/path convention.
Hope that helps!
Describe the Enhancement:
Currently, it is possible to select controls from an InSpec profile to execute - e.g.:
Unfortunately, it is not possible to only blacklist some controls from a profile. Imagine having a profile with 100 checks and you only want to disable 5 of them. Currently, this requires entering the other 95 under `controls`.
Describe the Need:
It would make using InSpec profiles much easier if you need to disable some of the controls (which is especially necessary when dealing with Dev-Sec InSpec profiles).
Current Alternative
Currently, only whitelisting is available - which might end up in a long and unreadable document.
Can We Help You Implement This?:
Unfortunately my skills with Ruby are kind of limited - so I'm afraid, I'm not able to implement it on my own.