SAF Advanced InSpec Profile Developer Course

2. Review the Fundamentals

June 7, 2022About 1 min

In the first classopen in new window, we explained the structure and output of InSpec Profiles. Let's review some content, then practice by revisiting, running, and viewing results of an InSpec profile.

2. InSpec Content Review

2.1 InSpec Profile Structure

Remember that a profile is a set of automated tests that usually relates directly back to a Security Requirements Benchmark.

Profiles have two (2) required elements:

  • An inspec.yml file
  • A controls directory

and four (4) optional elements:

  • A libraries directory
  • A files directory
  • An inputs.yml file
  • A README.md file

2.2 Control Structure

Let's take a look at the default control file, controls/example.rb.

title 'sample section'

# you can also use plain tests
describe file('/tmp') do
  it { should be_directory }
end

# you add controls here
control 'tmp-1.0' do                        # A unique ID for this control
  impact 0.7                                # The criticality, if this control fails.
  title 'Create /tmp directory'             # A human-readable title
  desc 'An optional description...'
  describe file('/tmp') do                  # The actual test
    it { should be_directory }
  end
end

This example shows two tests. Both tests check for the existence of the /tmp directory. The second test provides additional information about the test. Let's break down each component.

  • control (line 9) is followed by the control's name. Each control in a profile has a unique name.
  • impact (line 10) measures the relative importance of the test and must be a value between 0.0 and 1.0.
  • title (line 11) defines the control's purpose.
  • desc (line 12) provides a more complete description of what the control checks for.
  • describe (lines 13 — 15) defines the test. Here, the test checks for the existence of the /tmp directory.

2.3 Describe Block Structure

As with many test frameworks, InSpec code resembles natural language. Here's the format of a describe block.

describe <entity> do
  it { <expectation> }
end

Inspec Resources

InSpec uses resources like the file resource to aid in control development. These resources can often be used as the <entity> in the describe block, where the expectation is checking a requirement of that entity. Find a list of resources hereopen in new window.

Apache-2.0 | Copyright © 2022 - The MITRE Corporation
Copyright © 2022 Aaron Lippold