inspec / kitchen-inspec

Test-Kitchen Plugin for InSpec

Implement control blacklisting #250

Closed stdevel closed 4 years ago

stdevel commented 4 years ago

Describe the Enhancement:

Currently, it is possible to select controls from an InSpec profile to execute - e.g.:

    verifier:
      inspec_tests:
        - name: dev-sec/ssh-baseline
      controls:
        - sshd-46

Unfortunately, it is not possible to only blacklist some controls from a profile. Imagine having a profile with 100 checks and you only want to disable 5 of them. Currently, this requires entering the other 95 under controls.

Describe the Need:

It would make using InSpec profiles much easier if you need to disable some of the controls (which is especially necessary when dealing with Dev-Sec InSpec profiles).

Current Alternative

Currently, only whitelisting is available - which might end up in a long and unreadable document.

Can We Help You Implement This?:

Unfortunately my skills with Ruby are kind of limited - so I'm afraid, I'm not able to implement it on my own.

BentoumiTech commented 4 years ago

I'm not sure but this could maybe help you, check the Skipping a Control from a Profile section

https://blog.chef.io/understanding-inspec-profile-inheritance/

james-stocks commented 4 years ago

I would also recommend using profile inheritance or the new waivers feature (if appropriate)

stdevel commented 4 years ago

I would also recommend using profile inheritance or the new waivers feature (if appropriate)

Thanks for pointing out the new waiver feature!

RulerOf commented 4 years ago

@james-stocks is there any information on how to include a waiver into my .kitchen.yml file?

I go to your link but all I see is information on how to run inspec with a waiver file from my command line, which isn't useful in this context. I search this repo for the word "waiver" and only get the two issues discussing this exact topic.

Edit:

I found a viable workaround. The controls input accepts a regex, so you can craft a regex using negative lookahead that excludes all of the tests you don't want to run. I didn't want to run sshd-44, so my .kitchen.yml verifier section has this:

      inspec_tests:
        - name: ssh
          git: https://github.com/dev-sec/ssh-baseline.git
      controls:
        - /^(?!sshd-44$).*/

You can skip multiple tests with a pipe:

      controls:
        - /^(?!sshd-44$|sshd-45$|sshd-46$).*/

It's a little ugly, but does exactly what I need here.

deric4 commented 3 years ago

@james-stocks is there any information on how to include a waiver into my .kitchen.yml file?

Hey @RulerOf, sounds like you worked something out but here's an example of using a waiver file in your kitchen config:

    verifier:
      name: inspec
      inspec_tests:
        - git: https://github.com/dev-sec/cis-dil-benchmark.git
      input_files:
        - <your waiver file>.yaml

It wasn't super intuitive to me at first, but the inspec documentation for the waiver file format says:

Waiver files are input files with a specific format: ...

Though the above works, it can make the list a little confusing to read without committing to some sort of naming/path convention.

Hope that helps!