-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Adam Leff <adam@leff.co>
- Loading branch information
0 parents
commit 940bb09
Showing
4 changed files
with
93 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| # Profile Inheritance Example | ||
|
|
||
| This is an example InSpec profile that shows how profile inheritance works. | ||
|
|
||
| InSpec allows controls from other profiles to be included into another another profile. For example, profile "my-profile" can execute controls from "my-company-base-profile" anytime "my-profile" is executed. | ||
|
|
||
| In addition, controls from "my-company-base-profile" can be skipped or modified if needed. For example, if a control from "my-company-base-profile" does not apply to a particular host or application, it can be skipped completely. If a control that is normally considered critical if it fails is not actually critical for a particualr host or application, its impact can be modified. | ||
|
|
||
| ## Defining Dependencies | ||
|
|
||
| All profiles from which controls are to be inherited must be defined in the `inspec.yml` file in the `depends` section: | ||
|
|
||
| ```yaml | ||
| depends: | ||
| - name: linux-baseline | ||
| url: https://github.com/dev-sec/linux-baseline/archive/master.tar.gz | ||
| - name: ssh-baseline | ||
| url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz | ||
| ``` | ||
| Once defined, the profile names, and the controls from these profiles, can be used within any control file in the including profile. | ||
| ## Including Controls | ||
| From within a controls file in a profile, the `include_controls` and `require_controls` commands provide the ability to include all or specific controls from an included profile. | ||
|
|
||
| See the `controls/controls_from_other_profiles.rb` file in this example profile for more details and examples on how this works. | ||
|
|
||
| ## Need more info? | ||
|
|
||
| Swing by [inspec.io](https://www.inspec.io) for more information, including [more details on InSpec profiles](https://www.inspec.io/docs/reference/profiles/) and using inheritance. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| # | ||
| # The "include_controls" command brings in all controls for the named profile. | ||
| # In this example, all controls from the "linux-baseline" profile will be run | ||
| # against our target every time our profile is executed. | ||
| # | ||
| # Profiles to be included/inherited must be defined in the "depends" section of | ||
| # the inspec.yml. | ||
| # | ||
| include_controls 'linux-baseline' do | ||
| # In the event there is a control from an inherited profile that should not be | ||
| # run, it can be skipped with the "skip_control" command. In this example, | ||
| # InSpec will not run the "os-05" control from the "linux-baseline" profile | ||
| # even though we've told InSpec to run all controls from "linux-baseline". | ||
| skip_control 'os-05' | ||
|
|
||
| # Controls from an inherited profile can be modified as well without requiring | ||
| # forking the profile and maintaining a copy. A common use-case is altering | ||
| # the impact of a given control. In this example, we are lowering the priority | ||
| # of the "package-08" control to 0.1 (low severity) from the original impact | ||
| # of 1.0 (critical severity). | ||
| control 'package-08' do | ||
| impact 0.1 | ||
| end | ||
| end | ||
|
|
||
| # | ||
| # The "require_controls" command allows specific controls from an inherited profile to be executed. | ||
| # | ||
| # In this example, only the controls from the "ssh-baseline" profile that are | ||
| # called out with the "control" command below will be executed when our profile | ||
| # is executed. No other controls from the "ssh-baseline" profile will be | ||
| # executed. | ||
| # | ||
| require_controls 'ssh-baseline' do | ||
| # Controls "sshd-01" and "sshd-02" will be executed as-is as they are defined | ||
| # in the "ssh-baseline" profile whenever our profile is executed. | ||
| control 'sshd-01' | ||
| control 'sshd-02' | ||
|
|
||
| # Just like the "include_controls" command, controls inherited from another | ||
| # profile can be modified if necessary without requiring the control or | ||
| # profile to be copied and maintained separately. In this example, the | ||
| # "sshd-03" control will be executed every time our profile is executed, but | ||
| # if it fails, it will only report as a low severity (0.1) instead of the | ||
| # original critical severity. | ||
| control 'sshd-03' do | ||
| impact 0.1 | ||
| end | ||
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| name: wrapper-example | ||
| title: Profile Inheritance Example | ||
| maintainer: Adam Leff | ||
| copyright: Chef Software, Inc. | ||
| copyright_email: adamleff@chef.io | ||
| license: Apache-2.0 | ||
| summary: This profile shows how controls from other profiles can be inherited, executed, and modified as needed. | ||
| version: 0.1.0 | ||
| depends: | ||
| - name: linux-baseline | ||
| url: https://github.com/dev-sec/linux-baseline/archive/master.tar.gz | ||
| - name: ssh-baseline | ||
| url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz |
Empty file.