Skip to main content

InSpec Delta - Making the Delta Release Branch

Aaron LippoldJanuary 5, 2024About 1 min

Prepair Your Environment

  • Download New Guidance: Download the appropriate profile from the DISA Document Library. Unzip the downloaded folder and identify the <name>xccdf.xml file.
  • Create the InSpec Profile JSON File: Clone or download the InSpec profile locally. Run the inspec json command to create the InSpec Profile JSON file to be used in the saf generate delta command.

Delta Workflow Process

Delta Workflow Process
Delta Workflow Process Image

Using Delta

The SAF InSpec Delta workflow typically involves two phases, preformatting and delta.

Before starting, ensure you have the latest SAF-CLI, the InSpec Profile JSON file, and the updated guidance file.

  1. Preformat the Source Profile: Before running the Delta command, preformat your source profile (usually the Patch Release profile) using the saf generate update_controls4delta command. This prepares the profile for the Delta process.
  2. Run the Delta Command: Execute saf generate delta [arguments] to start the Delta process.

For more information on these commands, refer to the following documentation:

Scope of Changes by Delta

Delta focuses on specific modifications migrating the changes from the XCCDF Benchmark Rules to the Profiles controls, and updating the 'metadata' of each of thosin the control ID, title, default desc, check text, and fix text, between the XCCDF Benchmark Rules and the Profile Controls.

If the XCCDF Guidance Document introduces a new 'Rule' or inspec control that is not in the current profile's controls directory, Delta will add it to the controls directory, populating the metadata from the XCCDF Benchmark data, similar to the inspec_profile (aliases xccdf-benchmark-to-inspec-stubs) tool.

It also adjusts the tags and introduces a ref between the impact and tags.

Delta does not modify the Ruby/InSpec code within the control, leaving it intact. Instead, it updates the 'control metadata' using the information from the supplied XCCDF guidance document. This applies to 'matched controls' between the XCCDF Guidance Document and the InSpec profile.

Further InSpec Delta Information and Background

  • The original Delta branch can be found here.
  • Delta moves lines not labeled with 'desc' to the bottom, between tags and InSpec code.
  • Whether the controls are formatted to be 80 lines or not, Delta exhibits the same behavior with the extra text.
  • Parameterizing should be considered.
Apache-2.0 | Copyright © 2022 - The MITRE Corporation
Copyright © 2024 Aaron Lippold