Skip to main content

7. Tailoring Inputs for InSpec

Aaron LippoldAbout 3 min

7. What are inputs and why do I need them?

Every InSpec profile on the SAF site is written to comply with some security guidance. However, every team's environment may be just a little bit different. For example, the path to a file may be different in different environments, or the list of permitted users for a certain system may vary with the environment.

To accomodate for these kinds of differences, InSpec profiles utilize inputs. In the previous section, we ran the InSpec profile on the NGINX component without specifying any inputs. This means that it just used the defaults. Now, let's review these variables and decide which inputs we want to change for our environment.

Best Practice

It is best practice to always run profiles with inputs so that the profile is properly tailored to your environment.

7.1 Profile Inputs (see inspec.yml file)

This profile uses InSpec Inputs to make the tests more flexible. You are able to provide inputs at runtime either via the cli or via YAML files to help the profile work best in your deployment.

Caution

DO NOT change the inputs in the inspec.yml file. This is where the variables and their defaults are defined.

DO create a separate file (often named inputs.yml) or pass values via the command line to overwrite default values to tailor the profile.

The inputs configured in the inspec.yml file are profile definition and defaults for the profile and not for the user. Automated InSpec scans are frequently run from a script, inside a pipeline or some kind of task scheduler where the runner will often not have access to the inspec.yml. However, those scripts or pipelines can easily pass an inputs file or command line arguments to modify the default values defined in the inspec.yml file.

To tailor the tested values for your deployment or organizationally defined values, you may update the inputs.

More information about InSpec inputs can be found in the InSpec Inputs Documentationopen in new window.

7.2 Use an --input-file to tailor an InSpec profile

For the NGINX example, we are going to add the following inputs. Make a new file called inputs.yml in your lab environment:

  1. Right click near the file list on the left side
  2. Click "New File..."
  3. Copy the code below into your inputs.yml file.
---
key_file_path: /etc/ssl/nginx-selfsigned.pem
org_allowed_nginx_version: 1.23.1
nginx_owner: "nginx"
uses_pki: false
sys_admin: ["root"]
sys_admin_group: ["root"]

In your codespaces, it should look like this:

NGINX Input File
NGINX Input File

How do I find the values that should be in the input file?

Start by checking the README on the GitHub repository for that InSpec profile. Most of the profiles have a "Tailoring to Your Environment" section that leads you through what variables are available as inputs.

To determine the value itself, you should think about the environment, talk to your assessor, and explore the target to see if you can find the necessary information.

If the profile does not have a "Tailoring to Your Environment" section in their README, then you can reference the inspec.yml file to see what inputs are defined and available and what their default values are. However, remember not to modify the inspec.yml file itself.

What is the difference between tailoring an InSpec profile with inputs vs. overlays?

Inputs are meant to tailor the profile while still complying to the guidance document for which the profile is based.

Overlays are used in the case that the organization requirements differ from the security guidance. For example, if there are additional controls required or some controls not available for the organization's requirements.