                                  2. Review the Fundamentals

June 7, 2022

In the first class, we explained the structure and output of InSpec profiles. Let's review some content, then practice by revisiting, running, and viewing the results of an InSpec profile.

                                  # 2. InSpec Content Review

                                  # 2.1 InSpec Profile Structure

                                  Remember that a profile is a set of automated tests that usually relates directly back to a Security Requirements Benchmark.

                                  Profiles have two (2) required elements:

                                  • An inspec.yml file
                                  • A controls directory

                                  and four (4) optional elements:

                                  • A libraries directory
                                  • A files directory
                                  • An inputs.yml file
                                  • A README.md file

                                  # 2.2 Control Structure

                                  Let's take a look at the default control file, controls/example.rb.

```ruby
title 'sample section'

# you can also use plain tests
describe file('/tmp') do
  it { should be_directory }
end

# you add controls here
control 'tmp-1.0' do                        # A unique ID for this control
  impact 0.7                                # The criticality, if this control fails.
  title 'Create /tmp directory'             # A human-readable title
  desc 'An optional description...'
  describe file('/tmp') do                  # The actual test
    it { should be_directory }
  end
end
```

This example shows two tests. Both check that /tmp exists and is a directory. The second wraps the test in a control, which adds metadata about it. Let's break down each component.

• control (line 9) is followed by the control's ID. Each control in a profile has a unique ID.
• impact (line 10) measures the relative importance of the test and must be a value between 0.0 and 1.0.
• title (line 11) defines the control's purpose.
• desc (line 12) provides a more complete description of what the control checks for.
• describe (lines 13-15) defines the test. Here, the test checks for the existence of the /tmp directory.

                                  # 2.3 Describe Block Structure

                                  As with many test frameworks, InSpec code resembles natural language. Here's the format of a describe block.

```ruby
describe <entity> do
  it { <expectation> }
end
```

InSpec Resources

InSpec uses resources, like the file resource, to aid in control development. These resources can often be used as the <entity> in the describe block, where the expectation checks a requirement of that entity. Find a list of resources here.
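As an added example (not part of the course page), the POSIX shell script below scaffolds the minimal layout from 2.1, places the control from 2.2 in it with a describe block that carries more than one expectation in the form shown in 2.3, and then checks that the two required elements are present. The profile name `example-profile`, the inspec.yml field values and the extra ownership and mode expectations on /tmp are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the course page): build the minimal profile layout
# described above and check its required and optional elements.
# The profile name and inspec.yml values are constructed for this illustration.

# Create the two required elements (inspec.yml and controls/) plus the optional
# README.md, under the directory given as $1.
scaffold_profile() {
  dir="$1"
  mkdir -p "$dir/controls"
  cat > "$dir/inspec.yml" <<'EOF'
name: example-profile
title: Example profile for the /tmp directory check
maintainer: example maintainer
license: Apache-2.0
summary: Verifies that /tmp exists and is a world-writable sticky directory
version: 0.1.0
EOF
  cat > "$dir/controls/example.rb" <<'EOF'
control 'tmp-1.0' do
  impact 0.7
  title 'Create /tmp directory'
  desc 'An optional description...'
  describe file('/tmp') do                 # <entity>
    it { should be_directory }             # one expectation per it block
    it { should be_owned_by 'root' }
    its('mode') { should cmp '01777' }     # its() tests one property of the entity
  end
end
EOF
  printf '# example-profile\n' > "$dir/README.md"
}

# Return 0 when both required elements are present, 1 otherwise, and report
# which optional elements exist so the full layout is visible at a glance.
check_profile() {
  dir="$1"
  status=0
  [ -f "$dir/inspec.yml" ] || { echo "missing required inspec.yml"; status=1; }
  [ -d "$dir/controls" ]   || { echo "missing required controls/ directory"; status=1; }
  for opt in libraries files inputs.yml README.md; do
    if [ -e "$dir/$opt" ]; then echo "optional $opt: present"; else echo "optional $opt: absent"; fi
  done
  return "$status"
}
```

With InSpec installed, `inspec check <profile dir>` is the authoritative structural validation; this script only covers the elements listed in 2.1.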

                                  Last update: 6/13/2022, 3:33:42 PM
                                  Contributors: Emily Rodriguez
                                  Apache-2.0 | Copyright © 2022 - The MITRE Corporation
                                  Copyright © 2022 Aaron Lippold