How do I download a profile from a compliance server? #690

Closed
mhedgpeth opened this Issue Apr 28, 2016 · 7 comments

mhedgpeth commented Apr 28, 2016

Description

I can't see how I would download a profile from a compliance server. I see that the upload is available.

InSpec and Platform Version

0.19.3

Member

chris-rock commented Apr 28, 2016

The video at https://asciinema.org/a/37803 should demonstrate the usage. We have some known issues with the compliance plugin and the latest version of Chef Compliance 1.0. Those will be resolved in the coming days.

mhedgpeth commented Apr 28, 2016

That is a helpful video, but I'm really asking about how to vendor a profile locally. As you state in #691 you have to do this in order to properly test inheritance. So I would want to download the CIS benchmark profile locally, create another profile and inherit it, then upload my new profile to the compliance server to run on everything. Does that make better sense?

Member

chris-rock commented Apr 28, 2016

Currently the vendoring has to be done manually. We know that this step is way too complicated. Therefore it is very difficult to test it locally at this point in time. The automatic dependency resolution is already in the works.

mhedgpeth commented Apr 28, 2016

One thing that confused me is why the default profiles I found on the compliance server aren't on GitHub and located on the supermarket. Is there a reason for this? That would make it easier for me to see it work and avoid the need (in the short term) for an easy vendoring workflow. There are only four found on the Chef Supermarket here: https://supermarket.chef.io/tools?type=compliance_profile and unfortunately the interesting ones aren't published.


Member

chris-rock commented Apr 28, 2016

@mhedgpeth compliance plugin updates have been merged to master #695

At this point in time, we no longer allow logging in with username and password via the API. We extended Chef Compliance to use full OpenID Connect in preparation for easy integration with LDAP and Active Directory. It could also be federated with other OAuth2 providers. Therefore we cannot ensure that the CLI has access to an API endpoint that exchanges a user/pass for an API token. At this point in time, you need to obtain the token from our UI. (Improvements are scheduled to make it easier.)


$ inspec compliance login https://default-ubuntu-1404 --insecure --user admin --refresh_token '1/NP3jJOf6_EHXs0vr59qQCLF0XgEJWuoJV0aIQmEFkAsmnCMRkwtdvLPM4pnVpsutb-DKb5OjzFm4bDpE0vxFvg=='
Successfully authenticated
$ inspec compliance profiles                                                                                       
Available profiles:
-------------------
 * admin/profile
 * base/apache
 * base/linux
 * base/mysql
 * base/postgres
 * base/ssh
 * base/windows
 * cis/cis-centos6-level1
 * cis/cis-centos6-level2
 * cis/cis-centos7-level1
 * cis/cis-centos7-level2
 * cis/cis-rhel6-level1
 * cis/cis-rhel6-level2
 * cis/cis-rhel7-level1
 * cis/cis-rhel7-level2
 * cis/cis-ubuntu12.04lts-level1
 * cis/cis-ubuntu12.04lts-level2
 * cis/cis-ubuntu14.04lts-level1
 * cis/cis-ubuntu14.04lts-level2
$ inspec compliance exec base/ssh

Alternatively you can use inspec exec compliance://base/ssh and inspec exec supermarket://hardening/ssh-hardening
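
Added example, not part of the comment above or of the InSpec project: a POSIX shell wrapper around the same login, list and exec steps that reads the refresh token from an owner-only file instead of typing it on the command line, and omits `--insecure` so TLS certificate verification stays on. The helper names and the token-file convention are assumptions; the `inspec compliance` subcommands and flags are the ones shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names and the token-file
# convention are assumptions; the inspec subcommands and flags are the thread's.
set -u

# Accept only https:// server URLs so the token is never sent in clear text.
check_server_url() {
  case "$1" in
    https://?*) return 0 ;;
    *) echo "refusing non-HTTPS server URL: $1" >&2; return 1 ;;
  esac
}

# Print the refresh token from a file that only its owner can access.
read_token_file() {
  [ -f "$1" ] && [ -s "$1" ] || { echo "token file missing or empty: $1" >&2; return 1; }
  # Characters 5-10 of the ls mode string are the group and other bits.
  if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
    echo "token file $1 is open to group/other; chmod 600 it" >&2
    return 1
  fi
  tr -d '\r\n' < "$1"
}

# Reduce `inspec compliance profiles` output (stdin) to bare owner/name lines,
# optionally keeping a single owner such as "cis".
list_profiles() {
  sed -n 's|^[[:space:]]*\*[[:space:]]*\([^[:space:]]*/[^[:space:]]*\).*$|\1|p' |
    if [ -n "${1:-}" ]; then grep "^$1/" || true; else cat; fi
}

# usage: compliance_run SERVER USER TOKEN_FILE PROFILE
compliance_run() (
  check_server_url "$1" || exit 1
  token=$(read_token_file "$3") || exit 1
  # No --insecure: a certificate error should stop the login, not be skipped.
  # The CLI takes the token as an argument, so it is visible in the process
  # list while login runs, but it stays out of shell history and scripts.
  inspec compliance login "$1" --user "$2" --refresh_token "$token" || exit 1
  inspec compliance profiles | list_profiles | grep -qxF "$4" ||
    { echo "profile $4 is not offered by $1" >&2; exit 1; }
  inspec compliance exec "$4"
)

# Entry point, e.g.: sh run.sh https://compliance.example.test admin ~/.token base/ssh
if [ "$#" -eq 4 ]; then compliance_run "$@"; fi
```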

Member

chris-rock commented Apr 28, 2016

Please let me know if this works

mhedgpeth commented May 4, 2016

Chris, that worked, thanks.
