# 7. Example running an InSpec profile directly from GitHub
# 7.1. Running a baseline straight from GitHub
In this module, we use NGINX for learning purposes. If you're interested in NGINX specifically, you may want to look at the MITRE nginx-baseline profile on GitHub. Alternatively, you may also check out the DevSec Nginx Baseline profile on Chef Supermarket.
To execute the GitHub profile against your target system, run this `inspec exec` command. InSpec fetches the profile from the URL, so the machine running `inspec` needs network access to GitHub:
```
$ inspec exec https://github.com/dev-sec/nginx-baseline -t docker://nginx
[2022-07-15T03:46:59+00:00] WARN: URL target https://github.com/dev-sec/nginx-baseline transformed to https://github.com/dev-sec/nginx-baseline/archive/master.tar.gz. Consider using the git fetcher

Profile:   DevSec Nginx Baseline (nginx-baseline)
Version:   2.5.1
Target:    docker://bd4414b39839a25fb745eafed218ae12e9ed4929bb6fa356d78c55f8bccb0e3c
Target ID: 07276d06-8bdd-50be-bc49-87db8c2fe619

  ×  nginx-01: Running worker process as non-privileged user (1 failed)
     ✔  User www-data is expected to exist
     ×  Parse Config File /etc/nginx/nginx.conf user is expected to eq "www-data"

     expected: "www-data"
          got: "nginx"

     (compared using ==)

     ✔  Parse Config File /etc/nginx/nginx.conf group is expected not to eq "root"
  ×  nginx-02: Check NGINX config file owner, group and permissions. (1 failed)
     ✔  File /etc/nginx/nginx.conf is expected to be owned by "root"
     ✔  File /etc/nginx/nginx.conf is expected to be grouped into "root"
     ×  File /etc/nginx/nginx.conf is expected not to be readable by others
     expected File /etc/nginx/nginx.conf not to be readable by others
     ✔  File /etc/nginx/nginx.conf is expected not to be writable by others
     ✔  File /etc/nginx/nginx.conf is expected not to be executable by others
  ×  nginx-03: Nginx default files (1 failed)
     ×  File /etc/nginx/conf.d/default.conf is expected not to be file
     expected `File /etc/nginx/conf.d/default.conf.file?` to be falsey, got true
     ✔  File /etc/nginx/sites-enabled/default is expected not to be file
  ×  nginx-04: Check for multiple instances
     ×  Command: `ps aux | egrep "nginx: master" | egrep -v "grep" | wc -l` stdout is expected to match /^1$/
     expected "0\n" to match /^1$/
     Diff:
     @@ -1,2 +1,2 @@
     -/^1$/
     +0
  ×  nginx-05: Disable server_tokens directive
     ×  Parse Config server_tokens is expected to eq "off"

     expected: "off"
          got: nil

     (compared using ==)
  ×  nginx-06: Prevent buffer overflow attacks (4 failed)
     ×  Parse Config client_body_buffer_size is expected to eq "1k"

     expected: "1k"
          got: nil

     (compared using ==)
     ×  Parse Config client_max_body_size is expected to eq "1k"

     expected: "1k"
          got: nil

     (compared using ==)
     ×  Parse Config client_header_buffer_size is expected to eq "1k"

     expected: "1k"
          got: nil

     (compared using ==)
     ×  Parse Config large_client_header_buffers is expected to eq "2 1k"

     expected: "2 1k"
          got: nil

     (compared using ==)
  ×  nginx-07: Control simultaneous connections (2 failed)
     ×  Parse Config limit_conn_zone is expected to eq "$binary_remote_addr zone=default:10m"

     expected: "$binary_remote_addr zone=default:10m"
          got: nil

     (compared using ==)
     ×  Parse Config limit_conn is expected to eq "default 5"

     expected: "default 5"
          got: nil

     (compared using ==)
  ×  nginx-08: Prevent clickjacking
     ×  Parse Config add_header is expected to include "X-Frame-Options SAMEORIGIN"
     expected nil to include "X-Frame-Options SAMEORIGIN", but it does not respond to `include?`
  ×  nginx-09: Enable Cross-site scripting filter
     ×  Parse Config add_header is expected to include "X-XSS-Protection \"1; mode=block\""
     expected nil to include "X-XSS-Protection \"1; mode=block\"", but it does not respond to `include?`
  ×  nginx-10: Disable content-type sniffing
     ×  Parse Config add_header is expected to include "X-Content-Type-Options nosniff"
     expected nil to include "X-Content-Type-Options nosniff", but it does not respond to `include?`
  ×  nginx-12: TLS Protocols (5 failed)
     ×  Parse Config ssl_protocols is expected to be in "TLSv1.3", "TLSv1.2", "TLSv1.2 TLSv1.3", and "TLSv1.3 TLSv1.2"
     expected `` to be in the list: `["TLSv1.3", "TLSv1.2", "TLSv1.2 TLSv1.3", "TLSv1.3 TLSv1.2"]`
     ×  Parse Config ssl_session_tickets is expected to eq "off"

     expected: "off"
          got: nil

     (compared using ==)
     ×  Parse Config ssl_ciphers is expected to eq "'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-C...CDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'"

     expected: "'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-C...CDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'"
          got: nil

     (compared using ==)
     ×  Parse Config ssl_prefer_server_ciphers is expected to eq "on"

     expected: "on"
          got: nil

     (compared using ==)
     ×  Parse Config ssl_dhparam is expected to eq "/etc/nginx/dh4096.pem"

     expected: "/etc/nginx/dh4096.pem"
          got: nil

     (compared using ==)
  ×  nginx-13: Add HSTS Header
     ×  Parse Config add_header is expected to include "Strict-Transport-Security max-age=15768000"
     expected nil to include "Strict-Transport-Security max-age=15768000", but it does not respond to `include?`
  ↺  nginx-14: Disable insecure HTTP-methods
     ↺  Skipped control due to only_if condition.
  ×  nginx-15: Content-Security-Policy
     ×  Parse Config add_header is expected to include "Content-Security-Policy \"script-src 'self'; object-src 'self'\""
     expected nil to include "Content-Security-Policy \"script-src 'self'; object-src 'self'\"", but it does not respond to `include?`
  ↺  nginx-16: Set cookie with HttpOnly and Secure flag
     ↺  Skipped control due to only_if condition.
  ×  nginx-17: Control timeouts to improve performance (4 failed)
     ×  Parse Config keepalive_timeout is expected to eq "5 5"

     expected: "5 5"
          got: "65"

     (compared using ==)
     ×  Parse Config client_body_timeout is expected to eq "10"

     expected: "10"
          got: nil

     (compared using ==)
     ×  Parse Config client_header_timeout is expected to eq "10"

     expected: "10"
          got: nil

     (compared using ==)
     ×  Parse Config send_timeout is expected to eq "10"

     expected: "10"
          got: nil

     (compared using ==)

Profile Summary: 0 successful controls, 14 control failures, 2 controls skipped
Test Summary: 7 successful, 25 failures, 2 skipped
```
You can see that some of the tests pass, while many others fail and may require investigation. In this run most failures are `got: nil`, meaning the directive is simply absent from the parsed `nginx.conf`, which is a different finding from a directive that is present with a weak value (such as `keepalive_timeout` returning `65`).
You may want to extend the nginx-baseline with your own custom requirements. To do that, you might use what's called a wrapper profile. See Create a custom InSpec profile for a more complete example.
# 7.2. Viewing and Analyzing Results
InSpec allows you to output your test results to one or more reporters. You can configure the reporter(s) using either the `--json-config` option or the `--reporter` option. While you can configure multiple reporters to write to different files, only one reporter can output to the screen (stdout).
```bash
$ inspec exec /root/my_nginx -t ssh://TARGET_USERNAME:TARGET_PASSWORD@TARGET_IP --reporter cli json:baseline_output.json
```
# 7.2.1. Syntax
You can specify one or more reporters using the `--reporter` flag. You can also specify an output destination by appending a path separated by a colon; a path of `-` means stdout.
Output json to screen:
```bash
inspec exec /root/my_nginx --reporter json
```
or
```bash
inspec exec /root/my_nginx --reporter json:-
```
Output yaml to screen:
```bash
inspec exec /root/my_nginx --reporter yaml
```
or
```bash
inspec exec /root/my_nginx --reporter yaml:-
```
Output cli to screen and write json to a file:
```bash
inspec exec /root/my_nginx --reporter cli json:/tmp/output.json
```
Output nothing to screen and write junit and html to files:
```bash
inspec exec /root/my_nginx --reporter junit:/tmp/junit.xml html:www/index.html
```
Output json to screen and write it to a file, and write junit to a file:
```bash
inspec exec /root/my_nginx --reporter json junit:/tmp/junit.xml | tee out.json
```
# 7.2.2. Supported Reporters
The following are the current supported reporters:
- cli
- json
- json-min
- yaml
- documentation
- junit
- progress
- progress-bar
- json-rspec
- html
You can read more about InSpec Reporters on the documentation page.
# 7.2.3. Putting it all together
The following command runs the nginx baseline profile from GitHub and uses the reporter to write JSON output. You will need this file for the next step, loading it into Heimdall:
```bash
$ inspec exec https://github.com/mitre/nginx-baseline -t docker://nginx --reporter progress-bar json:baseline_output.json
```
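As an added example (not code from this module or from the InSpec project), the Ruby script below reads a file in the shape the json reporter writes, such as `baseline_output.json` above, and recomputes the Profile Summary and Test Summary lines the cli reporter prints, plus the list of failing control IDs. The embedded report is constructed, and the roll-up rule (any failed result fails the control, all-skipped is skipped) is assumed from the cli output shown earlier.

```ruby
require "json"

# Constructed sample in the shape of InSpec's json reporter output, trimmed to
# the keys used below; it is not output from a real run.
SAMPLE_JSON = <<~'JSON'
  {"profiles": [{"name": "nginx-baseline", "controls": [
    {"id": "nginx-01", "impact": 1.0, "results": [
      {"status": "passed", "code_desc": "User www-data is expected to exist"},
      {"status": "failed", "code_desc": "nginx.conf user is expected to eq www-data"}]},
    {"id": "nginx-05", "impact": 0.5, "results": [
      {"status": "failed", "code_desc": "server_tokens is expected to eq off"}]},
    {"id": "nginx-14", "impact": 1.0, "results": [
      {"status": "skipped", "skip_message": "Skipped control due to only_if condition."}]},
    {"id": "nginx-20", "impact": 0.7, "results": [
      {"status": "passed", "code_desc": "ssl_session_tickets is expected to eq off"}]}
  ]}]}
JSON

# Roll one control's results up to a single status (assumed rule): any failed
# result fails the control, all-skipped results skip it, otherwise it passed.
def control_status(control)
  statuses = control.fetch("results", []).map { |r| r["status"] }
  return "failed" if statuses.include?("failed")
  return "skipped" if !statuses.empty? && statuses.all?("skipped")
  "passed"
end

# Count controls and individual tests by status across every profile in the report.
def summarize(report_json)
  controls = JSON.parse(report_json)["profiles"].flat_map { |p| p["controls"] }
  results  = controls.flat_map { |c| c.fetch("results", []) }
  { controls: controls.map { |c| control_status(c) }.tally,
    tests: results.map { |r| r["status"] }.tally,
    failing_ids: controls.select { |c| control_status(c) == "failed" }.map { |c| c["id"] } }
end

# Render the two summary lines in the same form the cli reporter prints them.
def format_summary(s)
  c, t = s[:controls], s[:tests]
  ["Profile Summary: #{c.fetch('passed', 0)} successful controls, " \
   "#{c.fetch('failed', 0)} control failures, #{c.fetch('skipped', 0)} controls skipped",
   "Test Summary: #{t.fetch('passed', 0)} successful, #{t.fetch('failed', 0)} failures, " \
   "#{t.fetch('skipped', 0)} skipped"]
end

if __FILE__ == $PROGRAM_NAME
  # Pass a real baseline_output.json as the first argument; otherwise use the sample.
  s = summarize(ARGV[0] && File.exist?(ARGV[0]) ? File.read(ARGV[0]) : SAMPLE_JSON)
  puts format_summary(s), "Failing controls: #{s[:failing_ids].join(', ')}"
end
```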