Vendor dependent profiles in archive #1283

Closed
chris-rock opened this Issue Nov 7, 2016 · 3 comments

Comments

@chris-rock
Member

chris-rock commented Nov 7, 2016

Description

Let's assume we have a meta-profile like https://github.com/chris-rock/acme-inspec-profile:

acme-inspec-profile
├── LICENSE
├── README.md
├── controls
│   ├── hardening.rb
│   ├── patch.rb
│   └── ssl.rb
└── inspec.yml

That depends on a couple of other profiles:

name: acme-inspec-profile
...
depends:
  - name: linux-patch-benchmark
    git: https://github.com/dev-sec/linux-patch-benchmark.git
  - name: windows-patch-benchmark
    git: https://github.com/dev-sec/windows-patch-benchmark.git
  - name: os-hardening
    git: https://github.com/dev-sec/tests-os-hardening.git
  - name: ssh-hardening
    git: https://github.com/dev-sec/tests-ssh-hardening.git
  - name: ssl-benchmark
    git: https://github.com/dev-sec/ssl-benchmark.git

Now we can use InSpec to archive the profile:

inspec archive /Users/chartmann/Development/Demo/InSpec-1.0-Webinar/acme-inspec-profile
I, [2016-11-07T11:12:42.366206 #52646]  INFO -- : Checking profile in /Users/chartmann/Development/Demo/InSpec-1.0-Webinar/acme-inspec-profile
I, [2016-11-07T11:12:42.366280 #52646]  INFO -- : Metadata OK.
`command(ssh).exist?` is not suported on your OS: 
I, [2016-11-07T11:12:43.383553 #52646]  INFO -- : Found 120 controls.
W, [2016-11-07T11:12:43.383748 #52646]  WARN -- : Control verify-kb has no description
W, [2016-11-07T11:12:43.383777 #52646]  WARN -- : Control important-count has no description
W, [2016-11-07T11:12:43.383789 #52646]  WARN -- : Control important-patches has no description
W, [2016-11-07T11:12:43.383799 #52646]  WARN -- : Control important-patches has no tests defined
W, [2016-11-07T11:12:43.383819 #52646]  WARN -- : Control optional-count has no description
W, [2016-11-07T11:12:43.383829 #52646]  WARN -- : Control optional-patches has no description
W, [2016-11-07T11:12:43.383837 #52646]  WARN -- : Control optional-patches has no tests defined
W, [2016-11-07T11:12:43.383846 #52646]  WARN -- : Control verify-patches has no description
W, [2016-11-07T11:12:43.383879 #52646]  WARN -- : Control patches has no description
W, [2016-11-07T11:12:43.383888 #52646]  WARN -- : Control patches has no tests defined
I, [2016-11-07T11:12:43.384120 #52646]  INFO -- : Generate archive /Users/chartmann/Development/compliance/inspec/acme-inspec-profile.tar.gz.
I, [2016-11-07T11:12:43.392569 #52646]  INFO -- : Finished archive generation.

Only the profile is packaged, not the dependencies.

$ tar -tvf acme-inspec-profile.tar.gz 
drwxr-xr-x  0 wheel  wheel       0 Nov  7 11:12 controls
-rw-r--r--  0 wheel  wheel     724 Nov  7 11:12 controls/hardening.rb
-rw-r--r--  0 wheel  wheel     758 Nov  7 11:12 controls/patch.rb
-rw-r--r--  0 wheel  wheel    1256 Nov  7 11:12 controls/ssl.rb
-rw-r--r--  0 wheel  wheel     731 Nov  7 11:12 inspec.yml
-rw-r--r--  0 wheel  wheel   11357 Nov  7 11:12 LICENSE
-rw-r--r--  0 wheel  wheel      49 Nov  7 11:12 README.md

I still need all dependencies available and accessible at their location during runtime.

InSpec and Platform Version

1.4.1

Possible Solutions

We create a vendor directory that includes the dependent profiles:

acme-inspec-profile
├── LICENSE
├── README.md
├── controls
│   ├── hardening.rb
│   ├── patch.rb
│   └── ssl.rb
├── inspec.lock
├── inspec.yml
└── vendor
    ├── 0312593fd472be25966685615f83bc31098fc113
    │   ├── LICENSE
    │   ├── README.md
    │   ├── controls
    │   │   └── patches.rb
    │   ├── inspec.yml
    │   └── libraries
    │       └── linux_updates.rb
    ├── 75754b9b3fe45c601f0fa0036b01c61c8b8e26d9
    │   ├── Gemfile
    │   ├── README.md
    │   ├── controls
    │   │   ├── ssh_spec.rb
    │   │   └── sshd_spec.rb
    │   ├── inspec.yml
    │   └── libraries
    │       └── ssh_crypto.rb
    ├── c183d08eb25638e7f5eac97e521640ea314c8e3d
    │   ├── CONTRIBUTING.md
    │   ├── LICENSE
    │   ├── README.md
    │   ├── controls
    │   │   └── patches.rb
    │   ├── inspec.yml
    │   └── libraries
    │       └── windows_updates.rb
    ├── da3a1b6ce8a845d6818152a824e123c2445c355f
    │   ├── CHANGELOG.md
    │   ├── Gemfile
    │   ├── README.md
    │   ├── Rakefile
    │   ├── controls
    │   │   ├── os_spec.rb
    │   │   ├── package_spec.rb
    │   │   └── sysctl_spec.rb
    │   └── inspec.yml
    └── e17486c864434c818f96ca13edd2c5a420100a45
        ├── README.md
        ├── controls
        │   └── ssl_test.rb
        └── inspec.yml

The inspec.lock file references the SHA sums:

---
lockfile_version: 1
depends:
- name: linux-patch-benchmark
  resolved_source:
    git: https://github.com/dev-sec/linux-patch-benchmark.git
    ref: 0312593fd472be25966685615f83bc31098fc113
  version_constraints: ">= 0"
- name: windows-patch-benchmark
  resolved_source:
    git: https://github.com/dev-sec/windows-patch-benchmark.git
    ref: c183d08eb25638e7f5eac97e521640ea314c8e3d
  version_constraints: ">= 0"
- name: os-hardening
  resolved_source:
    git: https://github.com/dev-sec/tests-os-hardening.git
    ref: da3a1b6ce8a845d6818152a824e123c2445c355f
  version_constraints: ">= 0"
- name: ssh-hardening
  resolved_source:
    git: https://github.com/dev-sec/tests-ssh-hardening.git
    ref: 75754b9b3fe45c601f0fa0036b01c61c8b8e26d9
  version_constraints: ">= 0"
- name: ssl-benchmark
  resolved_source:
    git: https://github.com/dev-sec/ssl-benchmark.git
    ref: e17486c864434c818f96ca13edd2c5a420100a45
  version_constraints: ">= 0"

The archive will include the vendor directory as well as the inspec.lock file. If the archive includes a vendor directory, InSpec tries to fetch the profile from that location during the inspec exec phase.

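One way to check that an archive built this way is actually self-contained, as an added example that is not part of the issue or of InSpec itself: a Ruby script that reads the proposed inspec.lock format, confirms each pinned ref is a full git SHA, and confirms a vendor/<ref>/inspec.yml exists whose name matches the lock entry. The lockfile text, the fixture directory and the function names are constructed for this example.

```ruby
require 'yaml'
require 'fileutils'
require 'tmpdir'

# Constructed lockfile in the shape proposed above (two entries for brevity).
LOCKFILE = <<~YAML
  ---
  lockfile_version: 1
  depends:
  - name: linux-patch-benchmark
    resolved_source:
      git: https://github.com/dev-sec/linux-patch-benchmark.git
      ref: 0312593fd472be25966685615f83bc31098fc113
    version_constraints: ">= 0"
  - name: ssl-benchmark
    resolved_source:
      git: https://github.com/dev-sec/ssl-benchmark.git
      ref: e17486c864434c818f96ca13edd2c5a420100a45
    version_constraints: ">= 0"
YAML

# Check that every dependency pinned in inspec.lock is present under vendor/<ref>
# with a matching inspec.yml. Returns problem strings; empty means self-contained.
def verify_vendored_profiles(profile_dir, lock_text = File.read(File.join(profile_dir, 'inspec.lock')))
  lock = YAML.safe_load(lock_text)
  return ['inspec.lock: unsupported lockfile_version'] unless lock['lockfile_version'] == 1
  problems = []
  (lock['depends'] || []).each do |dep|
    ref = dep.dig('resolved_source', 'ref').to_s
    unless ref.match?(/\A[0-9a-f]{40}\z/)
      problems << "#{dep['name']}: resolved ref is not a full git SHA"
      next
    end
    meta = File.join(profile_dir, 'vendor', ref, 'inspec.yml')
    unless File.file?(meta)
      problems << "#{dep['name']}: vendor/#{ref} missing, would be fetched from #{dep.dig('resolved_source', 'git')} at exec time"
      next
    end
    name = YAML.safe_load(File.read(meta))['name']
    problems << "#{dep['name']}: vendor/#{ref} is profile #{name.inspect}" unless name == dep['name']
  end
  problems
end

# Constructed profile tree: the first dependency is vendored, the second is not.
def build_fixture
  dir = Dir.mktmpdir('acme-inspec-profile')
  File.write(File.join(dir, 'inspec.lock'), LOCKFILE)
  vendored = File.join(dir, 'vendor', '0312593fd472be25966685615f83bc31098fc113')
  FileUtils.mkdir_p(File.join(vendored, 'controls'))
  File.write(File.join(vendored, 'inspec.yml'), "name: linux-patch-benchmark\nversion: 0.1.0\n")
  dir
end
```

Running `verify_vendored_profiles(build_fixture)` reports only the ssl-benchmark entry as missing from vendor/, which is exactly the case that would force a network fetch at exec time.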
Contributor

arlimus commented Nov 7, 2016

LGTM 👍

Also needed for air-gapped environments and self-contained packaging of profiles.

mhedgpeth commented Nov 7, 2016

I really like this approach, it will serve us well.

One potential confusing aspect is that a user should not look to the Compliance UI for dependencies, or else can do so but look (on the UI) inside of the profile as a similar tree level.

To me that's straightforward, I'm just saying keep it straightforward at all levels.

Contributor

username-is-already-taken2 commented Nov 9, 2016

Looks good