Vendor dependent profiles in archive #1283

Open
chris-rock opened this Issue Nov 7, 2016 · 3 comments


@chris-rock
Contributor
chris-rock commented Nov 7, 2016 edited

Description

Let's assume we have a meta-profile like https://github.com/chris-rock/acme-inspec-profile

acme-inspec-profile
├── LICENSE
├── README.md
├── controls
│   ├── hardening.rb
│   ├── patch.rb
│   └── ssl.rb
└── inspec.yml

That depends on a couple of other profiles:

name: acme-inspec-profile
...
depends:
  - name: linux-patch-benchmark
    git: https://github.com/dev-sec/linux-patch-benchmark.git
  - name: windows-patch-benchmark
    git: https://github.com/dev-sec/windows-patch-benchmark.git
  - name: os-hardening
    git: https://github.com/dev-sec/tests-os-hardening.git
  - name: ssh-hardening
    git: https://github.com/dev-sec/tests-ssh-hardening.git
  - name: ssl-benchmark
    git: https://github.com/dev-sec/ssl-benchmark.git

Now we can use InSpec to archive the profile:

inspec archive /Users/chartmann/Development/Demo/InSpec-1.0-Webinar/acme-inspec-profile
I, [2016-11-07T11:12:42.366206 #52646]  INFO -- : Checking profile in /Users/chartmann/Development/Demo/InSpec-1.0-Webinar/acme-inspec-profile
I, [2016-11-07T11:12:42.366280 #52646]  INFO -- : Metadata OK.
`command(ssh).exist?` is not suported on your OS: 
I, [2016-11-07T11:12:43.383553 #52646]  INFO -- : Found 120 controls.
W, [2016-11-07T11:12:43.383748 #52646]  WARN -- : Control verify-kb has no description
W, [2016-11-07T11:12:43.383777 #52646]  WARN -- : Control important-count has no description
W, [2016-11-07T11:12:43.383789 #52646]  WARN -- : Control important-patches has no description
W, [2016-11-07T11:12:43.383799 #52646]  WARN -- : Control important-patches has no tests defined
W, [2016-11-07T11:12:43.383819 #52646]  WARN -- : Control optional-count has no description
W, [2016-11-07T11:12:43.383829 #52646]  WARN -- : Control optional-patches has no description
W, [2016-11-07T11:12:43.383837 #52646]  WARN -- : Control optional-patches has no tests defined
W, [2016-11-07T11:12:43.383846 #52646]  WARN -- : Control verify-patches has no description
W, [2016-11-07T11:12:43.383879 #52646]  WARN -- : Control patches has no description
W, [2016-11-07T11:12:43.383888 #52646]  WARN -- : Control patches has no tests defined
I, [2016-11-07T11:12:43.384120 #52646]  INFO -- : Generate archive /Users/chartmann/Development/compliance/inspec/acme-inspec-profile.tar.gz.
I, [2016-11-07T11:12:43.392569 #52646]  INFO -- : Finished archive generation.

Only the profile is packaged, not the dependencies.

$ tar -tvf acme-inspec-profile.tar.gz 
drwxr-xr-x  0 wheel  wheel       0 Nov  7 11:12 controls
-rw-r--r--  0 wheel  wheel     724 Nov  7 11:12 controls/hardening.rb
-rw-r--r--  0 wheel  wheel     758 Nov  7 11:12 controls/patch.rb
-rw-r--r--  0 wheel  wheel    1256 Nov  7 11:12 controls/ssl.rb
-rw-r--r--  0 wheel  wheel     731 Nov  7 11:12 inspec.yml
-rw-r--r--  0 wheel  wheel   11357 Nov  7 11:12 LICENSE
-rw-r--r--  0 wheel  wheel      49 Nov  7 11:12 README.md

I still need all dependencies available and accessible at their location during runtime.

InSpec and Platform Version

1.4.1

Possible Solutions

We create a vendor directory that includes the dependent profiles:

acme-inspec-profile
├── LICENSE
├── README.md
├── controls
│   ├── hardening.rb
│   ├── patch.rb
│   └── ssl.rb
├── inspec.lock
├── inspec.yml
└── vendor
    ├── 0312593fd472be25966685615f83bc31098fc113
    │   ├── LICENSE
    │   ├── README.md
    │   ├── controls
    │   │   └── patches.rb
    │   ├── inspec.yml
    │   └── libraries
    │       └── linux_updates.rb
    ├── 75754b9b3fe45c601f0fa0036b01c61c8b8e26d9
    │   ├── Gemfile
    │   ├── README.md
    │   ├── controls
    │   │   ├── ssh_spec.rb
    │   │   └── sshd_spec.rb
    │   ├── inspec.yml
    │   └── libraries
    │       └── ssh_crypto.rb
    ├── c183d08eb25638e7f5eac97e521640ea314c8e3d
    │   ├── CONTRIBUTING.md
    │   ├── LICENSE
    │   ├── README.md
    │   ├── controls
    │   │   └── patches.rb
    │   ├── inspec.yml
    │   └── libraries
    │       └── windows_updates.rb
    ├── da3a1b6ce8a845d6818152a824e123c2445c355f
    │   ├── CHANGELOG.md
    │   ├── Gemfile
    │   ├── README.md
    │   ├── Rakefile
    │   ├── controls
    │   │   ├── os_spec.rb
    │   │   ├── package_spec.rb
    │   │   └── sysctl_spec.rb
    │   └── inspec.yml
    └── e17486c864434c818f96ca13edd2c5a420100a45
        ├── README.md
        ├── controls
        │   └── ssl_test.rb
        └── inspec.yml

The inspec.lock references the sha sums:

---
lockfile_version: 1
depends:
- name: linux-patch-benchmark
  resolved_source:
    git: https://github.com/dev-sec/linux-patch-benchmark.git
    ref: 0312593fd472be25966685615f83bc31098fc113
  version_constraints: ">= 0"
- name: windows-patch-benchmark
  resolved_source:
    git: https://github.com/dev-sec/windows-patch-benchmark.git
    ref: c183d08eb25638e7f5eac97e521640ea314c8e3d
  version_constraints: ">= 0"
- name: os-hardening
  resolved_source:
    git: https://github.com/dev-sec/tests-os-hardening.git
    ref: da3a1b6ce8a845d6818152a824e123c2445c355f
  version_constraints: ">= 0"
- name: ssh-hardening
  resolved_source:
    git: https://github.com/dev-sec/tests-ssh-hardening.git
    ref: 75754b9b3fe45c601f0fa0036b01c61c8b8e26d9
  version_constraints: ">= 0"
- name: ssl-benchmark
  resolved_source:
    git: https://github.com/dev-sec/ssl-benchmark.git
    ref: e17486c864434c818f96ca13edd2c5a420100a45
  version_constraints: ">= 0"

The archive will include the vendor directory as well as the inspec.lock file. If the archive includes a vendor directory, InSpec tries to fetch the profile from that location during inspec exec phase.

Stacktrace

Please include the stacktrace output or link to a gist of it, if there is one.
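As an added example (not code from this issue or from InSpec itself), a small Ruby resolver for the proposed layout: it parses an inspec.lock, maps every dependency to vendor/<ref>, and reports which dependencies an offline inspec exec could not serve from the archive. The lockfile text, the fixture directory and the function names are constructed here for illustration.

```ruby
require 'yaml'
require 'fileutils'
require 'tmpdir'
# Constructed inspec.lock text; the two entries mirror dependencies from the issue.
SAMPLE_LOCK = <<~YAML
  lockfile_version: 1
  depends:
  - name: linux-patch-benchmark
    resolved_source:
      git: https://github.com/dev-sec/linux-patch-benchmark.git
      ref: 0312593fd472be25966685615f83bc31098fc113
    version_constraints: ">= 0"
  - name: ssl-benchmark
    resolved_source:
      git: https://github.com/dev-sec/ssl-benchmark.git
      ref: e17486c864434c818f96ca13edd2c5a420100a45
    version_constraints: ">= 0"
YAML
# Parse a lockfile into name => ref. Vendored trees are addressed by commit SHA, so an unpinned ref is rejected.
def lock_refs(lock_text)
  lock = YAML.safe_load(lock_text)
  raise "unsupported lockfile_version #{lock['lockfile_version']}" unless lock['lockfile_version'] == 1
  lock.fetch('depends').each_with_object({}) do |dep, refs|
    ref = dep.fetch('resolved_source')['ref'].to_s
    raise "dependency #{dep['name']} is not pinned to a commit" unless ref.match?(/\A[0-9a-f]{40}\z/)
    refs[dep['name']] = ref
  end
end
# Map each dependency to vendor/<ref>, or nil when that tree is absent or has no inspec.yml.
def resolve_vendored(profile_dir, lock_text)
  lock_refs(lock_text).transform_values do |ref|
    dir = File.join(profile_dir, 'vendor', ref)
    File.file?(File.join(dir, 'inspec.yml')) ? dir : nil
  end
end
# Dependencies that an offline `inspec exec` could not serve from the archive.
def missing_deps(profile_dir, lock_text)
  resolve_vendored(profile_dir, lock_text).select { |_, dir| dir.nil? }.keys
end

# Test fixture: a throwaway profile with vendor/<ref>/inspec.yml for the given refs only.
def build_fixture(refs)
  root = Dir.mktmpdir('acme-profile')
  refs.each do |ref|
    FileUtils.mkdir_p(File.join(root, 'vendor', ref))
    File.write(File.join(root, 'vendor', ref, 'inspec.yml'), "name: vendored-#{ref[0, 7]}\n")
  end
  root
end
```

Running `missing_deps(build_fixture(['0312593fd472be25966685615f83bc31098fc113']), SAMPLE_LOCK)` reports only ssl-benchmark as absent from vendor/.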

@arlimus
Contributor
arlimus commented Nov 7, 2016

LGTM 👍

Also needed for air-gapped environments and self-contained packaging of profiles.

@mhedgpeth

I really like this approach, it will serve us well.

One potentially confusing aspect is that a user should not look to the Compliance UI for dependencies, or else can do so but look (on the UI) inside of the profile as a similar tree level.

To me that's straightforward, I'm just saying keep it straightforward at all levels.

@username-is-already-taken2
Contributor

Looks good

@chris-rock chris-rock added this to the meta-profile support milestone Nov 25, 2016
@arlimus arlimus added the ready label Nov 28, 2016
@chris-rock chris-rock self-assigned this Nov 28, 2016