Skip to main content

7. Tailoring Inputs for InSpec

Aaron LippoldJune 29, 2022About 2 min

7.1 What are inputs and why do I need them?

Every InSpec profile on the SAF site is written to comply with specific security guidance. However, every team's environment may be slightly different. For example, the path to a file may vary between environments, or the list of permitted users for a certain system may differ.

To accommodate these differences, InSpec profiles utilize inputs. In the previous section, we ran the InSpec profile on the NGINX component without specifying any inputs. This means that it just used the defaults. Now, let's review these variables and decide which inputs we want to change for our environment.

Best Practice

It is best practice to always run profiles with inputs so that the profile is properly tailored to your environment.

7.2 Profile Inputs (see inspec.yml file)

This profile uses InSpec Inputs to make the tests more flexible. You can provide inputs at runtime either via the CLI or via YAML files to help the profile work best in your deployment.

Caution

DO NOT change the inputs in the inspec.yml file. This is where the variables and their defaults are defined.

DO create a separate file (often named inputs.yml) or pass values via the command line to overwrite default values to tailor the profile.

The inputs configured in the inspec.yml file are profile definitions and defaults for the profile and not for tailoring. Automated InSpec scans are frequently run from a script, inside a pipeline, or some kind of task scheduler where the runner will often not have access to the inspec.yml. However, those scripts or pipelines can easily pass an inputs file or command line arguments to modify the default values defined in the inspec.yml file.

To tailor the tested values for your deployment or organizationally defined values, you may update the inputs.

More information about InSpec inputs can be found in the InSpec Inputs Documentation.

7.3 Use an --input-file to tailor an InSpec profile

For the NGINX example, we are going to add the following inputs. Make a new file called inputs.yml in your lab environment:

  1. Right-click near the file list on the left side.
  2. Click "New File..."
  3. Copy the code below into your inputs.yml file.
---
key_file_path: /etc/ssl/nginx-selfsigned.pem
org_allowed_nginx_version: 1.23.1
nginx_owner: nginx
uses_pki: false
sys_admin: [root]
sys_admin_group: [root]

In your codespaces, it should look like this:

NGINX Input File
NGINX Input File

How do I find the values that should be in the input file?

Start by checking the README on the GitHub repository for that InSpec profile. Most of the profiles have a "Tailoring to Your Environment" section that guides you through what variables are available as inputs.

To determine the value itself, you should consider the environment, consult with your assessor, and explore the target to find the necessary information.

If the profile does not have a "Tailoring to Your Environment" section in its README, you can reference the inspec.yml file to see what inputs are defined and available and what their default values are. However, remember not to modify the inspec.yml file itself.

What is the difference between tailoring an InSpec profile with inputs vs. overlays?

Inputs are meant to tailor the profile while still complying with the guidance document on which the profile is based.

Overlays are used when the organization's requirements differ from the security guidance. For example, if there are additional controls required or some controls are not applicable to the organization's requirements.

Edit this page on GitHub
Last update: 12/3/2024, 8:30:14 PM
Contributors: p-oneil,Shivani Karikar,Aaron Lippold,Will,dependabot[bot],wdower,wdower,Emily Rodriguez,Emily Rodriguez
Apache-2.0 | Copyright © 2022 - The MITRE Corporation
Copyright © 2024 Aaron Lippold