8. Using an --input-file to tailor specifics | MITRE InSpec Assessor Course

# 8. Using an --input-file to tailor specifics

The following inputs may be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the InSpec Profile Documentation (opens new window).

# 8.1 Base input file

In the below example we are using the inputs for the Redhat 8 Github profile (opens new window). We can tailor the following inputs in a new file called inputs.yml and pass that into our execution script.

  - name: disable_slow_controls
    description: Controls that are known to consistently have long run times can be disabled with this attribute
    type: Boolean
    value: false

  #SV-230548
  - name: container_host
    description: Flag to designate if the target is a container host
    type: Boolean
    value: false

  # SV-230368
  - name: min_reuse_generations
    description: Number of reuse generations
    type: Numeric
    value: 5

  # SV-230369, SV-230370
  - name: min_len
    description: Minimum number of characters for a new password
    type: Numeric
    value: 15

  # SV-230234
  - name: grub_uefi_main_cfg
    description: Main grub boot config file
    type: String
    value: "/boot/efi/EFI/redhat/grub.cfg"

  - name: grub_uefi_user_boot_files
    description: Grub boot config files
    type: Array
    value: ["/boot/efi/EFI/redhat/user.cfg"]

  # SV-230317, SV-230321, SV-230322, SV-230325, SV-230328, SV-230309, SV-230320
  - name: exempt_home_users
    description: Users exempt from home directory-based controls in array format
    type: Array
    value: ["vagrant"]

  - name: non_interactive_shells
    description: These shells do not allow a user to login
    type: Array
    value:
      - "/sbin/nologin"
      - "/sbin/halt"
      - "/sbin/shutdown"
      - "/bin/false"
      - "/bin/sync"
      - "/bin/true"

  # SV-230379
  - name: known_system_accounts
    description: System accounts that support approved system activities.
    type: Array
    value:
      - "root"
      - "bin"
      - "daemon"
      - "adm"
      - "lp"
      - "sync"
      - "shutdown"
      - "halt"
      - "mail"
      - "operator"
      - "nobody"
      - "systemd-bus-proxy"
      - "dbus"
      - "polkitd"
      - "postfix"
      - "sssd"
      - "chrony"
      - "systemd-network"
      - "sshd"
      - "ntp"

  - name: user_accounts
    description: Accounts of known managed users
    type: Array
    value: ["vagrant"]

  # SV-230379
  - name: log_pkg_path
    description: The path to the logging package
    type: String
    value: "/etc/rsyslog.conf"

  # SV-230235
  - name: grub_main_cfg
    description: Main grub boot config file
    type: String
    value: "/boot/grub2/grub.cfg"

  - name: grub_user_boot_files
    description: Grub boot config files
    type: Array
    value:
      - "/boot/grub2/user.cfg"

  # SV-230537
  - name: ipv4_enabled
    description: Set to 'true' if IPv4 is enabled on the system.
    type: Boolean
    value: true

  # SV-230537
  - name: ipv6_enabled
    description: Set to 'true' if IPv6 is enabled on the system.
    type: Boolean
    value: true

  # SV-230493
  - name: camera_installed
    description: Device or system does not have a camera installed.
    type: Boolean
    value: true

  # SV-230503
  - name: bluetooth_installed
    description: 'Device or operating system has a Bluetooth adapter installed'
    type: Boolean
    value: true

  # SV-230242
  - name: known_system_accounts
    description: System accounts that support approved system activities.
    type: Array
    value: 
      - 'root'
      - 'bin'
      - 'daemon'
      - 'adm'
      - 'lp'
      - 'sync'
      - 'shutdown'
      - 'halt'
      - 'mail'
      - 'operator'
      - 'nobody'
      - 'systemd-bus-proxy'
      - 'dbus'
      - 'polkitd'
      - 'postfix'
      - 'sssd'
      - 'chrony'
      - 'systemd-network'
      - 'sshd'
      - 'ntp'

  - name: smart_card_status
    description: Smart card status (enabled or disabled)
    type: String
    value: 'enabled'

  # SV-230263
  - name: file_integrity_tool
    description: Name of tool
    type: String
    value: 'aide'
  # SV-230484
  - name: authoritative_timeserver
    description: Timeserver used in /etc/chrony.conf
    type: String
    value: 0.us.pool.ntp.mil

  # SV-230537
  - name: non_removable_media_fs
    description: File systems listed in /etc/fstab which are not removable media devices
    type: Array
    value: ["/", "/tmp", "none", "/home"]

  # SV-230230
  - name: private_key_files
    description: List of full paths to private key files on the system
    type: Array
    value: []

  #SV-230229
  - name: root_ca_file
    description: Path to an accepted trust anchor certificate file (DoD)
    type: String
    value: "/etc/sssd/pki/sssd_auth_ca_db.pem"

  #SV-230333
  - name: unsuccessful_attempts
    description: Maximum number of unsuccessful attempts before lockout
    type: Numeric
    value: 3

  #SV-230353
  - name: system_inactivity_timeout
    description: Maximum system inactivity timeout (time in seconds).
    type: Numeric
    value: 900

  #SV-230356
  - name: max_retry
    description: Maximum number of retry attempts for login
    type: Numeric
    value: 3

  #SV-230363
  - name: difok
    description: Minimum number of characters that must be different from previous password
    type: Numeric
    value: 8

  #SV-230373
  - name: days_of_inactivity
    description: Maximum number of days if account inactivity before account lockout
    type: Numeric
    value: 35

  - name: temporary_accounts
    description: Temporary user accounts
    type: Array
    value: []

  - name: banner_message_text_cli
    description: Banner message text for command line interface logins.
    type: String
    value: "You are accessing a U.S. Government (USG) Information System (IS) that is \
    provided for USG-authorized use only. By using this IS (which includes any \
    device attached to this IS), you consent to the following conditions: -The USG \
    routinely intercepts and monitors communications on this IS for purposes \
    including, but not limited to, penetration testing, COMSEC monitoring, network \
    operations and defense, personnel misconduct (PM), law enforcement (LE), and \
    counterintelligence (CI) investigations. -At any time, the USG may inspect and \
    seize data stored on this IS. -Communications using, or data stored on, this \
    IS are not private, are subject to routine monitoring, interception, and \
    search, and may be disclosed or used for any USG-authorized purpose. -This IS \
    includes security measures (e.g., authentication and access controls) to \
    protect USG interests--not for your personal benefit or privacy. \
    -Notwithstanding the above, using this IS does not constitute consent to PM, \
    LE or CI investigative searching or monitoring of the content of privileged \
    communications, or work product, related to personal representation or \
    services by attorneys, psychotherapists, or clergy, and their assistants. Such \
    communications and work product are private and confidential. See User \
    Agreement for details."


  - name: banner_message_text_ral
    description: Banner message text for remote access logins.
    type: String
    value: "You are accessing a U.S. Government (USG) Information System (IS) that is \
    provided for USG-authorized use only. By using this IS (which includes any \
    device attached to this IS), you consent to the following conditions: -The USG \
    routinely intercepts and monitors communications on this IS for purposes \
    including, but not limited to, penetration testing, COMSEC monitoring, network \
    operations and defense, personnel misconduct (PM), law enforcement (LE), and \
    counterintelligence (CI) investigations. -At any time, the USG may inspect and \
    seize data stored on this IS. -Communications using, or data stored on, this \
    IS are not private, are subject to routine monitoring, interception, and \
    search, and may be disclosed or used for any USG-authorized purpose. -This IS \
    includes security measures (e.g., authentication and access controls) to \
    protect USG interests--not for your personal benefit or privacy. \
    -Notwithstanding the above, using this IS does not constitute consent to PM, \
    LE or CI investigative searching or monitoring of the content of privileged \
    communications, or work product, related to personal representation or \
    services by attorneys, psychotherapists, or clergy, and their assistants. Such \
    communications and work product are private and confidential. See User \
    Agreement for details."

  - name: banner_message_text_gui
    description: Banner message text for graphical user interface logins.
    type: String
    value: "You are accessing a U.S. Government (USG) Information System (IS) that is \
    provided for USG-authorized use only. By using this IS (which includes any \
    device attached to this IS), you consent to the following conditions: -The USG \
    routinely intercepts and monitors communications on this IS for purposes \
    including, but not limited to, penetration testing, COMSEC monitoring, network \
    operations and defense, personnel misconduct (PM), law enforcement (LE), and \
    counterintelligence (CI) investigations. -At any time, the USG may inspect and \
    seize data stored on this IS. -Communications using, or data stored on, this \
    IS are not private, are subject to routine monitoring, interception, and \
    search, and may be disclosed or used for any USG-authorized purpose. -This IS \
    includes security measures (e.g., authentication and access controls) to \
    protect USG interests--not for your personal benefit or privacy. \
    -Notwithstanding the above, using this IS does not constitute consent to PM, \
    LE or CI investigative searching or monitoring of the content of privileged \
    communications, or work product, related to personal representation or \
    services by attorneys, psychotherapists, or clergy, and their assistants. Such \
    communications and work product are private and confidential. See User \
    Agreement for details."

  - name: maxlogins_limit
    description: Amount of max logins allowed
    type: String
    value: '10'

  - name: unsuccessful_attempts
    description: number of unsuccessful attempts
    type: Numeric
    value: 3

  - name: fail_interval
    description: Interval of time in which the consecutive failed logon attempts must occur in order for the account to be locked out (time in seconds)
    type: Numeric
    value: 900

  - name: lockout_time
    description: Minimum amount of time account must be locked out after failed logins. This attribute should never be set greater than 604800 (time in seconds).
    type: Numeric
    value: 604800

  - name: log_directory
    description: Documented tally log directory
    type: String
    value: '/var/log/faillock'

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310

We will run the profile now using the default inputs. inspec exec https://github.com/CMSgov/redhat-enterprise-linux-8-stig-baseline -t docker://nginx --reporter progress-bar json:before_inputs.json

# 8.2. Updated input file

For this example we have 3 controls that run very long depending on the file system that is being queried. Our inputs.yml file could look like this:

# Used by InSpec checks V-71849, V-71855, V-72037
# InSpec Tests that are known to consistently have long run times (V-71849, V-71855, V-72037) can be disabled with this attribute
# Acceptable values: false, true
# (default: false)
disable_slow_controls: true

1
2
3
4
5

Now we will run the profile again using our new updated input inspec exec https://github.com/CMSgov/redhat-enterprise-linux-8-stig-baseline -t docker://nginx --reporter progress-bar json:after_inputs.json

# 8.3. Exercise 1 NGINX

Now that we know the process of how to update our inputs file for the redhat 8 profile, this time lets try the same thing again but with the nginx (opens new window) profile.

Steps

Go to the nginx profile page (opens new window)
Copy the inputs and put them on a file in your environment
Run the inspec exec command and generate an output
Update the inputs in the input file
Run the inspec exec command again and generate an output

# 8.4. Exercise 2 Open profiles

Now lets choose a different profile from SAF site (opens new window). After you choose your profile that you want to run, go over to Docker Hub (opens new window) and search for a container for your intended profile. Once you do, you can run the docker pull command listed on the page to pull that container into your environment and you can start executing profiles using the steps of the above exercise.

← 7. Example running an InSpec profile directly from Github 9. MITRE Heimdall Tools →