:warning: EL7 DISA STIG InSpec Profile is now maintained by MITRE at https://github.com/mitre/redhat-enterprise-linux-7-stig-baseline :warning:
This InSpec profile is being developed and maintained as part of the SIMP project.
That said, it is our goal to make them valid for general purpose usage and hopefully hand them off to a more structured body as time progresses.
This repository uses either Beaker to run tests or the KitchenCI framework to run tests on the various profiles. Please see the documentation below on how to use each of the frameworks.
To run the tests, perform the following actions:

```shell
bundle install
rake beaker:suites
```
If you need to debug your systems, you can run Beaker with a couple of options.

Preserve the VM unconditionally:

```shell
BEAKER_destroy=no rake beaker:suites
```

Preserve the VM unless the tests pass:

```shell
BEAKER_destroy=onpass rake beaker:suites
```
You can then access the VM by going to the root level of the repository and navigating to .vagrant/beaker_vagrant_files/<automatic directory>. You should find a Vagrantfile at that location and can use any standard Vagrant CLI commands. The most useful of these will be vagrant status and vagrant ssh <vm name>.
The tests are housed under the spec/acceptance directory and use the profiles in spec/fixtures/inspec_profiles during testing.
An installation of ChefDK may generate conflicts with the installed kitchen gems. We recommend not installing ChefDK before testing with this repository.

If you run into errors when running bundle install, use the following commands to install the gems:

```shell
gem install kitchen-puppet
gem install librarian-puppet
gem install kitchen-vagrant
```
If the tests are not found when running kitchen verify, open .kitchen.yml and consult inspec_tests under the suites section.

You may also experience an error when running kitchen converge where a folder cannot be created because the path is too long. In this case, you may need to edit a registry key as explained here.
1. git clone -b dev https://github.com/simp/inspec_profiles.git
2. cd inspec_profiles
3. bundle install
4. kitchen list - you should see the following choice: default-centos-7
5. kitchen converge default-centos-7
6. kitchen list - you should see your host with status "converged"

Note: once the open issues in InSpec and kitchen-inspec are resolved, these steps will not really be needed, but for now we have to do a few things a bit more manually. Once fully resolved, you will only need to run kitchen verify (machine name) and everything will be taken care of.
Open the state file that kitchen wrote under .kitchen/ for the converged machine, note the ssh_key: value (save it for later) and the SSH port (2222 in the commands below), and use them in the next steps. On the terminal: export SSH_KEY=(value from before). cd to inspec_profiles, run inspec check ., and ensure there are no errors in the baseline. Then run:

```shell
inspec exec . -i $SSH_KEY -t ssh://vagrant@127.0.0.1:2222
```

(or whichever port the state file maps, as noted above). To test just a small set of controls:

```shell
inspec exec . -i $SSH_KEY --controls=V-#####,V-##### -t ssh://vagrant@127.0.0.1:2222
```

If you are going to be working on the ansible scripts, you can continue to run kitchen converge and it will rerun your ansible scripts without going through the entire machine creation process.
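The manual step above (copy ssh_key and the port out of the kitchen state file, then call inspec exec) can be scripted. The following shell script is an added example, not code from the inspec_profiles repository; it assumes kitchen-vagrant's state file layout (one YAML file per instance under .kitchen/ with top-level hostname, port, username and ssh_key keys), and the sample state file it builds is constructed, with a made-up key path and the port 2222 used in this README.

```shell
#!/bin/sh
# Added example, not code from the SIMP inspec_profiles repository.
# Reads the values Test Kitchen records for a converged instance and builds the
# inspec exec command line from them, instead of copying ssh_key and the port
# by hand. Assumption: kitchen-vagrant's state file layout, one YAML file per
# instance under .kitchen/ with top-level "hostname:", "port:", "username:" and
# "ssh_key:" keys.

# Print the value of a top-level "key: value" line from a kitchen state file,
# with surrounding whitespace and quotes stripped (first match only).
kitchen_state_value() {
    ksv_file="$1"
    ksv_key="$2"
    sed -n "s/^${ksv_key}:[[:space:]]*//p" "$ksv_file" | head -n 1 \
        | sed "s/^['\"]//; s/['\"]\$//"
}

# Print the ssh:// target for inspec's -t option, e.g. ssh://vagrant@127.0.0.1:2222.
# Fails if any of the three pieces is missing from the state file.
kitchen_inspec_target() {
    kit_file="$1"
    kit_host="$(kitchen_state_value "$kit_file" hostname)"
    kit_port="$(kitchen_state_value "$kit_file" port)"
    kit_user="$(kitchen_state_value "$kit_file" username)"
    [ -n "$kit_host" ] && [ -n "$kit_port" ] && [ -n "$kit_user" ] || return 1
    printf 'ssh://%s@%s:%s\n' "$kit_user" "$kit_host" "$kit_port"
}

# Print the full inspec exec command for a profile directory and a state file.
# The third argument is an optional comma-separated control list (--controls=).
# Fails if the state file has no ssh_key or an incomplete target.
kitchen_inspec_cmd() {
    kic_profile="$1"
    kic_file="$2"
    kic_controls="$3"
    kic_key="$(kitchen_state_value "$kic_file" ssh_key)"
    [ -n "$kic_key" ] || return 1
    kic_target="$(kitchen_inspec_target "$kic_file")" || return 1
    if [ -n "$kic_controls" ]; then
        printf 'inspec exec %s -i %s --controls=%s -t %s\n' \
            "$kic_profile" "$kic_key" "$kic_controls" "$kic_target"
    else
        printf 'inspec exec %s -i %s -t %s\n' "$kic_profile" "$kic_key" "$kic_target"
    fi
}

# Constructed sample state file in the kitchen-vagrant layout (the key path is
# made up); a real one sits at .kitchen/<instance>.yml, for example
# .kitchen/default-centos-7.yml. Prints the temporary file's path.
make_sample_state() {
    mss_file="$(mktemp)"
    cat > "$mss_file" <<'EOF'
---
hostname: 127.0.0.1
port: '2222'
username: vagrant
ssh_key: "/home/dev/inspec_profiles/.kitchen/kitchen-vagrant/default-centos-7/.vagrant/machines/default/virtualbox/private_key"
last_action: converge
EOF
    printf '%s\n' "$mss_file"
}

# Stand-alone run: show the command that would be executed for the sample
# state file, both for the whole profile and for a subset of controls.
demo_file="$(make_sample_state)"
kitchen_inspec_cmd . "$demo_file" ""
kitchen_inspec_cmd . "$demo_file" "V-#####,V-#####"
rm -f "$demo_file"
```

To use it against a real instance, point kitchen_inspec_cmd at the profile directory and the instance's state file and evaluate the printed command, for example `eval "$(kitchen_inspec_cmd . .kitchen/default-centos-7.yml)"` from inside inspec_profiles; because the script reads the key path and port from the file kitchen itself wrote, it picks up a different forwarded port after a kitchen destroy and converge without any manual editing.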
Making Changes and Testing

kitchen converge (machine name) - runs any changes to your hardening scripts

kitchen verify (machine name) - runs the inspec tests

Starting clean:

kitchen destroy (machine name) - kitchen will drop your box and you can start clean

Going through the entire process (create, build, configure, verify, destroy):

kitchen test (machine name), or kitchen test to test all defined machines

Just running the validation scripts:

kitchen verify (machine name)

To run just one or more controls in the validation, add the control id(s) to the list under the controls: section of .kitchen.yml. To keep a run's output, redirect it to a file (for example, > output.txt).
In the tools directory there are a few useful scripts for getting a little better output for general display and demo. To use them, see the README.md file in the tools directory, or as an example:

```shell
kitchen converge (machine name) | ./tools/ansi2html.sh --bg=dark > kitchen-run.html
inspec exec . -i $SSH_KEY -t ssh://vagrant@127.0.0.1:2222 | ./tools/ansi2html.sh --bg=dark > inspec-validation-run.html
```