How do I download a profile from a compliance server? #690

Closed
mhedgpeth opened this issue Apr 28, 2016 · 7 comments
Comments

@mhedgpeth

Description

I can't see how I would download a profile from a compliance server. I see that the upload is available.

InSpec and Platform Version

0.19.3

@chris-rock
Contributor

The video at https://asciinema.org/a/37803 should demonstrate the usage. We have some known issues with the compliance plugin and the latest version of Chef Compliance 1.0. Those will be resolved within the next days.

@mhedgpeth
Author

That is a helpful video, but I'm really asking about how to vendor a profile locally. As you state in #691 you have to do this in order to properly test inheritance. So I would want to download the CIS benchmark profile locally, create another profile and inherit it, then upload my new profile to the compliance server to run on everything. Does that make better sense?

@chris-rock
Contributor

Currently the vendoring has to be done manually. We know that this step is way too complicated. Therefore it is very difficult to test it locally at this point in time. The automatic dependency resolution is already in the works.

@mhedgpeth
Author

One thing that confused me is why the default profiles I found on the
compliance server aren't on github and located on the supermarket. Is there
a reason for this? That would make it easier for me to see it work and
avoid the need (in the short term) for an easy vendoring workflow. There
are only four found on the chef supermarket here:
https://supermarket.chef.io/tools?type=compliance_profile and unfortunately
the interesting ones aren't published.


@chris-rock
Contributor

@mhedgpeth compliance plugin updates have been merged to master #695

At this point in time, we no longer allow logging in with username and password via the API. We extended Chef Compliance to use full OpenID Connect in preparation to easily integrate with LDAP and Active Directory. It could also be federated with other OAuth2 providers. Therefore we cannot ensure that the CLI has access to an API endpoint that exchanges a user/pass for an API token. At this point in time, you need to obtain the token from our UI. (Improvements are scheduled to make it easier.)


$ inspec compliance login https://default-ubuntu-1404 --insecure --user admin --refresh_token '1/NP3jJOf6_EHXs0vr59qQCLF0XgEJWuoJV0aIQmEFkAsmnCMRkwtdvLPM4pnVpsutb-DKb5OjzFm4bDpE0vxFvg=='
Successfully authenticated
$ inspec compliance profiles
Available profiles:
-------------------
 * admin/profile
 * base/apache
 * base/linux
 * base/mysql
 * base/postgres
 * base/ssh
 * base/windows
 * cis/cis-centos6-level1
 * cis/cis-centos6-level2
 * cis/cis-centos7-level1
 * cis/cis-centos7-level2
 * cis/cis-rhel6-level1
 * cis/cis-rhel6-level2
 * cis/cis-rhel7-level1
 * cis/cis-rhel7-level2
 * cis/cis-ubuntu12.04lts-level1
 * cis/cis-ubuntu12.04lts-level2
 * cis/cis-ubuntu14.04lts-level1
 * cis/cis-ubuntu14.04lts-level2
$ inspec compliance exec base/ssh

Alternatively you can use inspec exec compliance://base/ssh and inspec exec supermarket://hardening/ssh-hardening

@chris-rock
Contributor

Please let me know if this works

@mhedgpeth
Author

Chris, that worked, thanks.
