13. Understanding Release Updates

Learning Objectives

• Understand what a Release Update is and when it's needed
• Learn the step-by-step process of creating a Release Update
• Master the key components of Release Update management

What is a Release Update?

A Release Update is a structured process for updating a profile to accommodate a new benchmark version. This process ensures consistent quality and maintains traceability of changes.

Release Update Workflow

Step 1: Branch Creation

Create a new branch named v{x}r{xx} from either:

• The main branch
• The tagged commit associated with the latest release

Step 2: Generate Delta

Run the saf generate delta workflow to automatically update the InSpec profile as per the new guidance. Items that get updated include:

• Control metadata
• inspec.yml configuration
• README.md documentation
• Other profile elements

Saved!

This process preserves existing describe blocks and other Ruby code logic, but you will still need to review them to ensure that what they're assessing still lines up with what the requirement says we now need to be assessing.

Step 3: Change Management

Follow these best practices to organize your work as you implement any new requirements and update any changed ones:

3.1 Control Tracking

• Create a tracking table (CSV or Markdown) containing:
  • New control IDs
  • Status (completed/pending)
  • Associated PR links
  • Validation checkboxes

3.2 Quality Assurance Steps

1. Validation Checklist

   • Control requirements reviewed
   • Code changes verified
   • Tests updated
   • Documentation current

2. Infrastructure Updates

   • Update the version of the hardening content that is used to test the InSpec profile to match the version of the benchmark:
     • Ansible playbooks
     • Puppet modules
     • Chef cookbooks
     • Docker images
     • Vagrant boxes

Parallel workstreams

You might be required to update the hardening content itself to match the new or adjusted requirements coming from the benchmark instead of just consuming the newest version. However, updating the hardening and validation content lock-step is a straightforward process!

3. Metadata Management
   • Update all version references
   • Verify control titles
   • Check benchmark labels

Tips for Success

• Focus on controls with modified check text or fix text
• Unchanged control text typically means no code changes are needed
• Use PR links to track changes in your tracking table
• Maintain CI/CD pipeline health throughout updates

Next Steps

After completing these steps, proceed with the Patch Update workflow, keeping in mind that Release Updates typically involve more extensive validation.