Skip to main content

12. Put it in Practice!

Aaron LippoldAbout 4 min

Getting Started on the RHEL8 Baseline

Let's practice writing a few 'real' controls using a security guidance document.

The Steps to write an InSpec Control

  1. Read the Control - Go to the control (you made from the stub generator) and read the check text to understand the goal of the control
  2. Look for Key Words and Resources - Look for key words that would indicate what resource to use. If you can't find it, look at the resources pageopen in new window and compare back to the control.
  3. Read the documentation - Look at the documentation for the resource you need and understand the syntax and checkout some examples.
  4. Write the test
  5. Run the test
  6. Troubleshoot errors If you have syntax errors or unexpected results, it's time to troubleshoot. The best first step in troubleshooting is to read the error message from the command line.

Example Control Using login_defs Resource:

Let's go through an example using control SV-230324 to see the above steps in practice.

  1. Read the control - when referencing the control SV-230324 from the stub profile that was generated with the stub generator, look at the control, especially the check text, to understand the intention of the security guidance for this control.
    This control is talking about verifying all local interactive users are assigned a home directory upon creation.
Stub Generated Control
control "SV-230324" do
  title "All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
  desc "If local interactive users are not assigned a valid home directory, there is no place for the 
storage and control of files they should own."
  desc "check", "Verify all local interactive users on RHEL 8 are assigned a home directory upon creation with 
the following command:

$ sudo grep -i create_home /etc/login.defs

CREATE_HOME yes

If 
the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line is missing, or the line is 
commented out, this is a finding."
  desc "fix", "Configure RHEL 8 to assign home directories to all new local interactive users by setting the 
\"CREATE_HOME\" parameter in \"/etc/login.defs\" to \"yes\" as follows.

CREATE_HOME yes"
  impact 0.5
  tag severity: "medium"
  tag gtitle: "SRG-OS-000480-GPOS-00227"
  tag gid: "V-230324"
  tag rid: "SV-230324r627750_rule"
  tag stig_id: "RHEL-08-010760"
  tag fix_id: "F-32968r567719_fix"
  tag cci: ["CCI-000366"]
  tag nist: ["CM-6 b"]
end
  1. Look for Key Words and Resources - Dive more into what key words exist in the check text to determine what InSpec resources to use when writing the test. Most importantly, identify commands that are written in the check test like shown below. Find the what of the command. For this control, sudo is not the what. grep is also not the what. create_home looks like an attribute of the /etc/login.defs file, which looks like the what! Look for a resource named login_defs in the resource documentationopen in new window.
  desc "check", "Verify all local interactive users on RHEL 8 are assigned a home directory upon creation with 
the following command:

$ sudo grep -i create_home /etc/login.defs
...
  1. Read the documentation - Reference the syntax and examples to see if this resource is correct and how to use it.
    login defs resource pageopen in new window
    The Resource
  2. Write the test! - Reference the documentation to write the test. Here we add the describe block to the control below.
Describe Block
  describe login_defs do
    its('CREATE_HOME') { should eq 'yes' }
  end

Remember the matchers

Here, the login_defs resource shows examples using the includes and eq matcher. Here, we use eq because we are looking for only one result from the command, not an array of items.

  1. Run the test!
inspec exec rhel8-baseline-stubs -t docker://redhat8
  1. Troubleshoot errors - If you have syntax errors or unexpected results, it's time to troubleshoot. The best first step in troubleshooting is to read the error message from the command line.

Controls We Will Demonstrate

ControlResource Used
SV-230324login_defs resource
SV-230250directory resource
SV-230243directory looping & file resource
SV-230505non applicable use case & package resource

Suggested Level 1 Controls

ControlResource Used
SV-230383login_defs resource
SV-230249directory resource
SV-230471directory looping & file resource
SV-230241non applicable use case & package resource

Suggested Level 2 Controls

ControlResource Used
SV-230281parse config file
SV-230365login_defs resource
SV-230264file content

Strings

Single quotes are dumb strings. Double quotes are smart strings. Smart strings means they allow interpolationopen in new window.

Suggested InSpec Resources to Review

Completed RHEL8 Profile for Reference

Below is the url to the completed RHEL8 Inspec Profile for reference, and a few things to take note of.

  1. redhat-enterprise-linux-8-stig-baselineopen in new window

Key Elements in this Profile

  • The use of impact 0 for NA & Container Aware Controls
  • How we make the controls container aware, and
  • The fail fast approach to testing execution.

Wait, does this mean that I can cheat on all of these exercises by looking up all the real controls?!

Yes. Feel free. We suggest you at least try thinking through how you'd write this test code without the real baseline, though.

Apache-2.0 | Copyright © 2022 - The MITRE Corporation
Copyright © 2024 Aaron Lippold