How to generate InSpec Profile Structures
An InSpec profile is a reusable artifact that organizes controls into a standalone structure for testing and auditing applications and infrastructure. InSpec profiles are used to organize controls, support dependency management, and support code reuse.
MITRE SAF provides an automated capability for generating a new profile structure via the Command Line Interface (CLI) command generate:inspec_profile (alias generate:xccdf_benchmark2inspec_stub).
The process reads Extensible Configuration Checklist Description Format (XCCDF) guidance files (sets of security configuration rules for a system or application), either on their own or combined with Open Vulnerability and Assessment Language (OVAL) definition files (standardized checks for vulnerabilities). Combining the two yields a comprehensive profile structure that can be used as the starting point for security assessments.
For more information on the generated structure, refer to the Generated Structure section.
Important: Currently only DISA STIGs and CIS Benchmarks are supported.
For the full set of capabilities, invoke the command with the help flag (-h or --help), which lists the available flags, what each one does, and the expected outcome.
Tip: When generating a profile skeleton from a CIS guidance file (XCCDF), make sure the -T or --idType flag is provided with the value cis.
Note: All controls can be written to a single control file by invoking the -s or --singleFile flag.
If an output directory is not provided via the -o or --output flag, the process chooses the directory name for the skeleton profile structure as follows:
- Output directory is provided: the provided directory name is used.
- Output directory is NOT provided: the XCCDF Benchmark title element is used.
- If the Benchmark title element cannot be retrieved: the directory name defaults to profile.
To supply the information written into the inspec.yml file, use the -m or --metadata flag to point at a JSON file containing the metadata. Every field is a string; the JSON file format is as follows:
{"maintainer": string, "copyright": string, "copyright_email": string, "license": string, "version": string}
After generating the profile skeleton structure, the necessary describe blocks still need to be developed: the generator produces the control stubs, not the checks themselves.
Describe blocks are written in Ruby using the InSpec DSL, a Ruby Domain-Specific Language (DSL) for writing audit controls that includes audit resources you can invoke.
For detailed information on how to write InSpec controls, see MITRE Training.
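To make the steps above concrete, here is an added example in plain Ruby that is not the SAF CLI's own code: a small XCCDF-to-InSpec skeleton generator that applies the page's output-naming rule, consumes a metadata JSON file in the -m/--metadata format, and writes one control stub per XCCDF Rule (or a single file, mirroring -s/--singleFile) whose describe block is a placeholder for the author to fill in. The sample benchmark, the metadata values, the slugified directory name and the severity-to-impact mapping are all constructed assumptions for this example.

```ruby
# Added example (not the SAF CLI's own code): a small XCCDF-to-InSpec skeleton
# generator in plain Ruby that mirrors the page's output-naming rule, the
# metadata JSON, and per-rule control stubs that still need describe blocks.
require 'rexml/document'
require 'json'
require 'yaml'
require 'fileutils'
require 'tmpdir'

# Constructed sample XCCDF benchmark (not a real DISA STIG or CIS file).
SAMPLE_XCCDF = <<~XML
  <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
    <title>Sample Web Server STIG</title>
    <Group id="V-000001">
      <Rule id="SV-000001r1_rule" severity="high">
        <title>The web server must not run as root.</title>
        <check><check-content>Verify worker processes run as an unprivileged user.</check-content></check>
        <fixtext>Run the service under a dedicated unprivileged account.</fixtext>
      </Rule>
    </Group>
    <Group id="V-000002">
      <Rule id="SV-000002r1_rule" severity="medium">
        <title>Directory listing must be disabled.</title>
        <check><check-content>Verify no Options directive includes Indexes.</check-content></check>
        <fixtext>Remove Indexes from every Options directive.</fixtext>
      </Rule>
    </Group>
  </Benchmark>
XML

# Constructed metadata in the shape the -m/--metadata flag expects.
SAMPLE_METADATA = '{"maintainer": "Example Org", "copyright": "Example Org", ' \
                  '"copyright_email": "security@example.org", "license": "Apache-2.0", "version": "0.1.0"}'

# Assumed severity-to-impact mapping (InSpec impact is a 0.0-1.0 float).
SEVERITY_IMPACT = { 'high' => 0.7, 'medium' => 0.5, 'low' => 0.3 }.freeze

# Text of a nested child, matched by local name so the XCCDF default namespace
# is irrelevant; returns '' when any step of the path is missing.
def child_text(elem, *names)
  node = names.reduce(elem) { |cur, n| cur && cur.elements.find { |c| c.name == n } }
  node ? node.text.to_s.strip : ''
end

# The page's rule: an explicit -o value wins, else the Benchmark title
# (slugified here, an assumption), else 'profile'.
def output_dir_name(doc, explicit = nil)
  return explicit unless explicit.nil? || explicit.empty?
  slug = child_text(doc.root, 'title').downcase.gsub(/[^a-z0-9]+/, '-').gsub(/\A-|-\z/, '')
  slug.empty? ? 'profile' : slug
end

# One control stub per XCCDF Rule; the placeholder describe block is what the
# profile author replaces with real InSpec DSL checks.
def control_stub(rule)
  sev = rule.attributes['severity']
  <<~RUBY
    control #{rule.attributes['id'].inspect} do
      title #{child_text(rule, 'title').inspect}
      desc 'check', #{child_text(rule, 'check', 'check-content').inspect}
      desc 'fix', #{child_text(rule, 'fixtext').inspect}
      impact #{SEVERITY_IMPACT.fetch(sev, 0.5)}
      describe 'TODO' do
        skip 'Stub generated from XCCDF; replace with real describe blocks'
      end
    end
  RUBY
end

# Build the skeleton under base/<dir>; returns the directory name, the rule
# count and the control files written.
def generate_profile(xccdf_xml, metadata_json, output: nil, single_file: false, base: Dir.pwd)
  doc = REXML::Document.new(xccdf_xml)
  dir = output_dir_name(doc, output)
  root = File.join(base, dir)
  %w[controls libraries].each { |d| FileUtils.mkdir_p(File.join(root, d)) }
  rules = []
  doc.root.each_recursive { |e| rules << e if e.name == 'Rule' }
  stubs = rules.map { |r| [r.attributes['id'], control_stub(r)] }
  stubs = [['controls', stubs.map(&:last).join("\n")]] if single_file # -s/--singleFile
  written = stubs.map do |name, body|
    File.write(File.join(root, 'controls', "#{name}.rb"), body)
    File.join(root, 'controls', "#{name}.rb")
  end
  meta = JSON.parse(metadata_json).slice('maintainer', 'copyright', 'copyright_email', 'license', 'version')
  yml = { 'name' => dir, 'title' => child_text(doc.root, 'title') }.merge(meta)
  File.write(File.join(root, 'inspec.yml'), yml.to_yaml)
  # Remaining files of the generated structure are written as empty placeholders here.
  %w[README.md LICENSE.md NOTICE.md Gemfile Rakefile .gemrc .gitignore .rubocop.yml].each { |f| File.write(File.join(root, f), "# placeholder\n") }
  { dir: dir, rules: rules.size, controls: written }
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |tmp|
    result = generate_profile(SAMPLE_XCCDF, SAMPLE_METADATA, base: tmp)
    puts "wrote #{result[:rules]} control stubs under #{File.join(tmp, result[:dir])}"
  end
end
```

Run it as a script to see the generated tree under a temporary directory; call generate_profile with output: or single_file: to exercise the -o and -s behaviours. Matching XCCDF children by local name rather than XPath sidesteps the REXML namespace pitfall where unprefixed paths silently miss elements in the benchmark's default namespace.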
The process generates the following structure:
<profile_name>/
├── controls/
│   ├── control_1.rb
│   └── control_2.rb
├── libraries/
│   └── [empty dir]
├── .gemrc
├── .gitignore
├── .rubocop.yml
├── Gemfile
├── Rakefile
├── inspec.yml
├── LICENSE.md
├── NOTICE.md
└── README.md
Directories description
Directory | Description | Required |
---|---|---|
controls | The controls directory contains all tests | ✅ |
libraries | The libraries directory contains all Chef InSpec resource extensions | |
Files description
File | Description | Required |
---|---|---|
.gemrc | A YAML file that uses strings to match gem command arguments and symbols to match RubyGems options | |
.gitignore | A text file that tells Git which files or folders to ignore in a project | |
.rubocop.yml | Configuration file that makes it possible to enable/disable certain cops (checks) and to alter their behavior if they accept any parameters | |
inspec.yml | The inspec.yml file describes the profile | ✅ |
Gemfile | A text file used in Ruby development that lists all the external libraries (called "gems") needed for a project to run | |
Rakefile | Describes the tasks that Rake can perform within the project, and how to perform those tasks | |
LICENSE.md | A Markdown file that supplies required information—such as product name, authorization number, and user contact information | |
NOTICE.md | A Markdown file, containing important notices or information, that conveys key details about licenses, copyright, or other crucial aspects | |
README.md | The README.md explains the profile, its scope, and usage | |