How do I inherit a profile from another profile? #691

Closed
mhedgpeth opened this issue Apr 28, 2016 · 6 comments

@mhedgpeth

Description

I want to take the CIS benchmark on the compliance server and inherit from it, but remove two rules. I want to test this locally. How do I do this?

@chris-rock
Contributor

@mhedgpeth
Author

Yes, that does help. One other question: Where is the base profile? On the
file system? On the compliance server? Supermarket? This may relate to how
I download a profile.

On Thu, Apr 28, 2016, 06:17 Christoph Hartmann notifications@github.com
wrote:

Is this helpful?
https://github.com/chef/inspec/blob/master/docs/profiles.rst#profile-inheritance



@chris-rock
Contributor

$ inspec help exec
Usage:
  inspec exec PATHS

Options:
      [--id=ID]                            # Attach a profile ID to all test results
  t, [--target=TARGET]                     # Simple targeting option using URIs, e.g. ssh://user:pass@host:port
  b, [--backend=BACKEND]                   # Choose a backend: local, ssh, winrm, docker.
      [--host=HOST]                        # Specify a remote host which is tested.
  p, [--port=N]                            # Specify the login port for a remote scan.
      [--user=USER]                        # The login user for a remote scan.
      [--password=PASSWORD]                # Login password for a remote scan, if required.
  i, [--key-files=one two three]           # Login key or certificate file for a remote scan.
      [--path=PATH]                        # Login path to use when connecting to the target (WinRM).
      [--sudo], [--no-sudo]                # Run scans with sudo. Only activates on Unix and non-root user.
      [--sudo-password=SUDO_PASSWORD]      # Specify a sudo password, if it is required.
      [--sudo-options=SUDO_OPTIONS]        # Additional sudo options for a remote scan.
      [--ssl], [--no-ssl]                  # Use SSL for transport layer encryption (WinRM).
      [--self-signed], [--no-self-signed]  # Allow remote scans with self-signed certificates (WinRM).
      [--json-config=JSON_CONFIG]          # Read configuration from JSON file (`-` reads from stdin).
  l, [--log-level=LOG_LEVEL]               # Set the log level: info (default), debug, warn, error
      [--profiles-path=PROFILES_PATH]      # Folder which contains referenced profiles.
      [--controls=one two three]           # A list of controls to run. Ignore all other tests.
      [--format=FORMAT]                    # Which formatter to use: progress, documentation, json
      [--color], [--no-color]              # Use colors in output.
                                           # Default: true
      [--diagnose], [--no-diagnose]        # Show diagnostics (versions, configurations)

Since we have no profile dependency resolution yet, you need to vendor all profiles into a directory. Then you need to use the --profiles-path=PROFILES_PATH option to tell Inspec the directory of the referenced directory.

@mhedgpeth
Author

That makes sense. The missing piece is how to vendor a profile from a compliance server. Once I know that I'll be able to follow the workflow.

@chris-rock
Contributor

In our examples we include a profile called inheritance. If you try to run it, you get an error that highlights the missing --profiles-path. If you set this path to examples, inspec is able to load the examples/profile (inspec exec examples/profile)

$ inspec exec examples/inheritance 
You must supply a --profiles-path to inherit from other profiles.
$ inspec exec examples/inheritance --profiles-path examples/
.*..

Pending: (Failures listed here are expected and do not affect your suite's status)

  1) gordon_config Can't find file "/tmp/gordon/config.yaml"
     # Not yet implemented
     # ./lib/inspec/runner.rb:146


Finished in 0.0297 seconds (files took 0.40952 seconds to load)
4 examples, 0 failures, 1 pending

@mhedgpeth
Author

That makes sense, thanks.
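
The workflow discussed in this thread (vendor the base profile into a directory, inherit from it, drop a few controls, run with --profiles-path) can be scaffolded as below. This is an added example, not part of the original thread or the InSpec project's own code; the function name, the profile names and the control IDs are placeholders, and it assumes the base profile has already been copied into the profiles directory.

```shell
#!/bin/sh
# Added example: scaffold a wrapper profile that inherits a vendored base
# profile and skips selected controls. All names used here are placeholders.
#
# Usage: make_wrapper PROFILES_DIR WRAPPER_NAME BASE_NAME SKIP_ID...
#   e.g. make_wrapper ./profiles my-cis cis-benchmark cis-1.1 cis-1.2
make_wrapper() {
  profiles_dir=$1; wrapper=$2; base=$3
  shift 3

  # As shown in the thread, an inherited profile is resolved as a directory
  # under --profiles-path, so the base must be vendored there first.
  if [ ! -d "$profiles_dir/$base" ]; then
    echo "base profile not vendored: $profiles_dir/$base" >&2
    return 1
  fi

  mkdir -p "$profiles_dir/$wrapper/controls" || return 1

  # Minimal profile metadata for the wrapper.
  cat > "$profiles_dir/$wrapper/inspec.yml" <<EOF
name: $wrapper
title: $base with local exceptions
version: 0.1.0
EOF

  # include_controls pulls in every control of the base profile;
  # each skip_control line removes one control by its ID.
  {
    echo "include_controls '$base' do"
    for id in "$@"; do
      echo "  skip_control '$id'"
    done
    echo "end"
  } > "$profiles_dir/$wrapper/controls/inherit.rb"

  # Print the command that runs the wrapper locally.
  echo "inspec exec $profiles_dir/$wrapper --profiles-path $profiles_dir"
}
```

Keeping the skipped control IDs in the wrapper profile, under version control, leaves a reviewable record of every exception made to the baseline.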
