12. Put it in Practice!
Getting Started on the RHEL9 Baseline
Let's practice writing a few 'real' controls using a security guidance document.
The Steps to write an InSpec Control
- Read the Control - Go to the control (you made from the stub generator) and read the check text to understand the goal of the control.
- Look for Key Words and Resources - Look for key words that would indicate what resource to use. If you can't find it, look at the resources page and compare back to the control.
- Read the documentation - Look at the documentation for the resource you need and understand the syntax and check out some examples.
- Write the test
- Run the test
- Troubleshoot errors If you have syntax errors or unexpected results, it's time to troubleshoot! The best first step in troubleshooting is to read the error message from the command line.
Example Control Using login_defs
Resource:
Let's go through an example using control SV-230324 to see the above steps in practice.
- Read the control - when referencing the control SV-230324 from the stub profile that was generated with the stub generator, look at the control, especially the check text, to understand the intention of the security guidance for this control.
This control is talking about verifying all local interactive users are assigned a home directory upon creation.
control 'SV-258043' do
title 'All RHEL 9 local interactive user accounts must be assigned a home directory upon creation.'
desc 'If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.'
desc 'check', 'Verify all local interactive users on RHEL 9 are assigned a home directory upon creation with the following command:
$ grep -i create_home /etc/login.defs
CREATE_HOME yes
If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.'
desc 'fix', 'Configure RHEL 9 to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows.
CREATE_HOME yes'
impact 0.5
ref 'DPMS Target Red Hat Enterprise Linux 9'
tag check_id: 'C-61784r926114_chk'
tag severity: 'medium'
tag gid: 'V-258043'
tag rid: 'SV-258043r991589_rule'
tag stig_id: 'RHEL-09-411020'
tag gtitle: 'SRG-OS-000480-GPOS-00227'
tag fix_id: 'F-61708r926115_fix'
tag 'documentable'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
end
- Look for Key Words and Resources - Dive more into what key words exist in the check text to determine what InSpec resources to use when writing the test. Most importantly, identify commands that are written in the check test like shown below. Find the what of the command. For this control,
sudo
is not the what.grep
is also not the what.create_home
looks like an attribute of the/etc/login.defs
file, which looks like the what! Look for a resource namedlogin_defs
in the resource documentation.
desc "check", "Verify all local interactive users on RHEL 9 are assigned a home directory upon creation with
the following command:
$ sudo grep -i create_home /etc/login.defs
...
- Read the documentation - Reference the syntax and examples to see if this resource is correct and how to use it.
login defs resource page - Write the test! - Reference the documentation to write the test. Here we add the describe block to the control below.
describe login_defs do
its('CREATE_HOME') { should eq 'yes' }
end
control 'SV-258043' do
title 'All RHEL 9 local interactive user accounts must be assigned a home directory upon creation.'
desc 'If local interactive users are not assigned a valid home directory,
there is no place for the storage and control of files they should own.'
desc 'check', 'Verify all local interactive users on RHEL 9 are assigned a home directory upon creation with the following command:
$ grep -i create_home /etc/login.defs
CREATE_HOME yes
If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.'
desc 'fix', 'Configure RHEL 9 to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows.
CREATE_HOME yes'
impact 0.5
ref 'DPMS Target Red Hat Enterprise Linux 9'
tag severity: 'medium'
tag gtitle: 'SRG-OS-000480-GPOS-00227'
tag gid: 'V-258043'
tag rid: 'SV-258043r926116_rule'
tag stig_id: 'RHEL-09-411020'
tag fix_id: 'F-61708r926115_fix'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
tag 'host'
tag 'container'
describe login_defs do
its('CREATE_HOME') { should eq 'yes' }
end
end
Remember the matchers
Here, the login_defs resource shows examples using the includes
and eq
matcher. Here, we use eq
because we are looking for only one result from the command, not an array of items.
- Run the test!
inspec exec my_rhel9_stig_profile -t docker://redhat9
- Troubleshoot errors - If you have syntax errors or unexpected results, it's time to troubleshoot. The best first step in troubleshooting is to read the error message from the command line.
Controls We Will Demonstrate
Control | Resource Used |
---|---|
SV-258043 | login_defs resource |
SV-257915 | directory resource |
SV-257929 | directory looping & file resource |
SV-257936 | non applicable use case & package resource |
Suggested Level 1 Controls
Control | Resource Used |
---|---|
SV-258074 | login_defs resource |
SV-257914 | directory resource |
SV-258171 | directory looping & file resource |
SV-258081 | non applicable use case & package resource |
Suggested Level 2 Controls
Control | Resource Used |
---|---|
SV-257824 | parse config file |
SV-258104 | login_defs resource |
Strings
Single quotes are dumb strings. Double quotes are smart strings. Smart strings means they allow interpolation.
Suggested InSpec Resources to Review
Completed RHEL9 Profile for Reference
Below is the url to the completed RHEL9 Inspec Profile for reference, and a few things to take note of.
Key Elements in this Profile
- The use of
impact 0
for NA & Container Aware Controls - How we make the controls
container aware
, and - The
fail fast
approach to testing execution.
Wait, does this mean that I can cheat on all of these exercises by looking up all the real controls?!
Yes. Feel free. We suggest you at least try thinking through how you'd write this test code without the real baseline, though.