MITRE InSpec Profile Developer Course
                              May 22, 2022 · About 1 min


                              # Starting the Journey

                              # InSpec Profiles

                              InSpec organizes its code into what we call profiles. A profile is a set of automated tests that usually relates directly back to a security requirements benchmark, such as a CIS Benchmark or a Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG), and provides an organized structure to articulate that set of requirements and tests in code.

                              Profiles have two (2) required elements:

                              • An inspec.yml file
                              • A controls directory

                              and four (4) optional elements:

                              • A libraries directory
                              • A files directory
                              • An inputs.yml file
                              • A README.md file

                              You can learn all the details here: https://docs.chef.io/inspec/profiles/

                              We will be going over each of these during our class.

                              # InSpec Profile Structure

                              $ tree nginx
                                    nginx
                                    └── profile
                                        ├── README.md
                                        ├── inputs.yml
                                        ├── controls
                                        │   ├── V-2230.rb
                                        │   └── V-2232.rb
                                        ├── files
                                        │   └── services-and-ports.yml
                                        ├── inspec.yml
                                        └── libraries
                                            └── nginx_helper.rb
                              

                              # InSpec Controls Structure

                              control "V-13727" do
                                title "The worker_processes StartServers directive must be set properly."
                              
                                desc "These requirements are set to mitigate the effects of several types of
                                denial of service attacks. Although there is some latitude concerning the
                                settings themselves, the requirements attempt to provide reasonable limits
                                for the protection of the web server. If necessary, these limits can be
                                adjusted to accommodate the operational requirement of a given system."
                              
                                impact 0.5
                                tag "severity": "medium"
                                tag "gtitle": "WA000-WWA026"
                                tag "gid": "V-13727"
                                tag "rid": "SV-36645r2_rule"
                                tag "stig_id": "WA000-WWA026 A22"
                                tag "nist": ["CM-6", "Rev_4"]
                              
                                tag "check": "To view the worker_processes directive value enter the
                                following command:
                                grep 'worker_processes' on the nginx.conf file and any separate included
                                configuration files
                                If the value of 'worker_processes' is not set to auto or explicitly set,
                                this is a finding:
                                worker_processes   auto;
                                worker_processes defines the number of worker processes. The optimal value
                                depends on many factors including (but not limited to) the number of CPU
                                cores, the number of hard disk drives that store data, and load pattern. When
                                one is in doubt, setting it to the number of available CPU cores would be a
                                good start (the value “auto” will try to autodetect it)."

                                tag "fix": "Edit the configuration file and set the value of
                                'worker_processes' to the value of auto or a value of 1 or higher:
                                worker_processes auto;"

                                # NGINX_CONF_FILE is not defined in this excerpt; the profile is assumed to
                                # set it to the path of nginx.conf before this control runs.
                                describe nginx_conf(NGINX_CONF_FILE).params['worker_processes'] do
                                  it { should cmp [['auto']] }
                                end
                              end
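
As an added example (not part of the course material), the Ruby script below checks a directory against the required and optional profile elements listed above and compares each control's `impact` with its `severity` tag, using InSpec's documented impact bands. The names `lint_profile`, `severity_for` and `demo` and the sample profile are constructed for illustration, and the regexes assume one control per file, as in the tree above.

```ruby
# Added example, not course code: lint a profile directory and its controls.
require "tmpdir"
require "fileutils"

REQUIRED = %w[inspec.yml controls].freeze            # required elements
OPTIONAL = %w[libraries files inputs.yml README.md].freeze
# InSpec's documented impact bands as [lower bound, severity label].
SEVERITY_BANDS = [[0.9, "critical"], [0.7, "high"], [0.4, "medium"],
                  [0.01, "low"], [0.0, "none"]].freeze

def severity_for(impact)
  SEVERITY_BANDS.find { |floor, _| impact >= floor }.last
end

# Returns a list of findings; an empty list means nothing was flagged.
def lint_profile(dir)
  entries = Dir.children(dir)
  findings = (REQUIRED - entries).map { |e| "missing required element: #{e}" }
  findings += (entries - REQUIRED - OPTIONAL).map { |e| "not in the course's list: #{e}" }
  Dir.glob(File.join(dir, "controls", "*.rb")).sort.each do |path|
    src, name = File.read(path), File.basename(path)
    id = src[/^\s*control\s+["']([^"']+)["']/, 1]
    impact = src[/^\s*impact\s+([\d.]+)/, 1]
    tagged = src[/^\s*tag\s+"?severity"?:\s*["'](\w+)["']/, 1]
    findings << "#{name}: no control block" unless id
    findings << "#{name}: control #{id} has no impact" if id && !impact
    if impact && tagged && severity_for(impact.to_f) != tagged
      findings << "#{name}: impact #{impact} is #{severity_for(impact.to_f)}, tag says #{tagged}"
    end
  end
  findings
end

# Constructed sample profile, built in a temp dir so the script runs offline.
def demo
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, "controls"))
    File.write(File.join(root, "notes.txt"), "scratch")
    File.write(File.join(root, "controls", "V-13727.rb"),
               %(control "V-13727" do\n  impact 0.5\n  tag "severity": "high"\nend\n))
    lint_profile(root)
  end
end

puts demo if $PROGRAM_NAME == __FILE__
```

The sample is deliberately broken in three ways: it has no `inspec.yml`, it carries a stray file, and its severity tag disagrees with its impact value.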
                              

                              # InSpec Results

                              # Failure

                              [Image: example InSpec output for a failing control]

                              # Pass

                              [Image: example InSpec output for a passing control]

                              # Multiple Controls

                              [Image: example InSpec output for multiple controls]

                              # Tooling and Reporting

                              [Image: tooling and reporting]

                              Last update: 5/24/2022, 1:31:48 AM
                              Contributors: Aaron Lippold
                              Apache-2.0 | Copyright © 2022 - The MITRE Corporation
                              Copyright © 2022 Aaron Lippold