2. Starting the Journey | InSpec Profile Developers Course

# 2. Starting the Journey

# InSpec Profiles

InSpec organizes its work in what it calls Profiles. A profile is a set of automated tests that usually relates directly back to a Security Requirements Benchmark - like a CIS Benchmark or a DISA Security Technical Implementation Guide (STIG) - and provides an organized structure to articulate that set of requirements and tests in code.

Profiles have four (2) required elements:

An inspec.yml file
A controls directory

and four (4) optional elements:

A libraries directory
A files directory
An inputs.yml file
A README.md file

You can learn all the details here: https://docs.chef.io/inspec/profiles/ (opens new window)

We will be going over each of these durning our class.

# 2.1. InSpec Profile Structure

$ tree nginx
      nginx
      └── profile
          ├── README.md
          ├── inputs.yml
          ├── controls
          │   ├── V-2230.rb
          │   └── V-2232.rb
          ├── files
          │   └── services-and-ports.yml
          ├── inspec.yml
          └── libraries
              └── nginx_helper.rb

1
2
3
4
5
6
7
8
9
10
11
12
13

# 2.2. InSpec Controls Structure

control "V-13727" do
  title "The worker_processes StartServers directive must be set properly."

  desc "These requirements are set to mitigate the effects of several types of
  denial of service attacks. Although there is some latitude concerning the
  settings themselves, the requirements attempt to provide reasonable limits
  for the protection of the web server. If necessary, these limits can be
  adjusted to accommodate the operational requirement of a given system."

  impact 0.5
  tag "severity": "medium"
  tag "gtitle": "WA000-WWA026"
  tag "gid": "V-13727"
  tag "rid": "SV-36645r2_rule"
  tag "stig_id": "WA000-WWA026 A22"
  tag "nist": ["CM-6", "Rev_4"]

  tag "check": "To view the worker_processes directive value enter the
  following command:
  grep ""worker_processes"" on the nginx.conf file and any separate included
  configuration files
  If the value of ""worker_processes"" is not set to auto or explicitly set,
  this is a finding:
  worker_processes   auto;
  worker_processes defines the number of worker processes. The optimal value
  depends on many factors including (but not limited to) the number of CPU
  cores, the number of hard disk drives that store data, and load pattern. When
  one is in doubt, setting it to the number of available CPU cores would be a
  good start (the value “auto” will try to autodetect it)."

  tag "fix": "Edit the configuration file and set the value of
  ""worker_processes"" to the value of auto or a value of 1 or higher:
  worker_processes auto;"

  describe nginx_conf(NGINX_CONF_FILE).params['worker_processes'] do
    it { should cmp [['auto']] }
  end
end

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

# 2.3. InSpec Results

# 2.3.1. Failure

Alt text

# 2.3.2. Pass

Alt text

# 2.3.3. Multiple Controls

Alt text

# 2.4. Tooling and Reporting

Alt text

← 1. About InSpec 3. Studying an InSpec profile →