Executing Benchmarks using InSpec
Overview
InSpec is a free and open-source framework for testing and auditing your applications and infrastructure. InSpec detects violations and reports the findings, so that remediation can be tracked and controlled.
You can use the InSpec tool to run the tests defined in the CIS profiles. Follow the steps below to run the Benchmarks using the InSpec tool:
- Installing InSpec Tool
- Verifying tool installation
- Copying the Benchmarks to Avi Service Engine
- Running InSpec
For complete information on CIS compliance for Avi Vantage, refer to CIS Compliance.
Installing InSpec Tool
Download the InSpec package from the InSpec downloads page and install it on the Avi Service Engine, as shown below.
root@user-service-engine:/home/admin# dpkg -i inspec_2.1.54-1_amd64.deb
(Reading database ... 21762 files and directories currently installed.)
Preparing to unpack inspec_2.1.54-1_amd64.deb ...
You're about to install InSpec!
Unpacking inspec (2.1.54-1) ...
Setting up inspec (2.1.54-1) ...
Thank you for installing InSpec!
root@user-service-engine:/home/admin#
Note: The example above uses the latest version of the InSpec tool. You can use any version that is relevant.
Verifying tool installation
Use the inspec detect command to verify that the InSpec tool has been installed correctly.
root@user-service-engine:/home/admin# inspec detect
== Operating System Details
Name: ubuntu
Family: debian
Release: 14.04
Arch: x86_64
root@user-service-engine:/home/admin#
Copying the Benchmarks to Avi Service Engine
Copy or SCP all content of the cis-dil-benchmark directory from the GitHub repository at https://github.com/dev-sec/cis-dil-benchmark to the Avi Service Engine's home directory.
root@user-service-engine:/home/admin# ls
cis-dil-benchmark inspec_2.1.54-1_amd64.deb
root@user-service-engine:/home/admin# cd cis-dil-benchmark/
root@user-service-engine:/home/admin/cis-dil-benchmark# ls
LICENSE README.md controls inspec.yml libraries
Running InSpec
Run InSpec against the copied profile to execute all the Benchmark tests.
root@user-service-engine:/home/admin# inspec exec /home/admin/cis-dil-benchmark/
Profile: CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version: 0.1.0
Target: local://
✔ cis-dil-benchmark-6.2.1: Ensure password fields are not empty
✔ /etc/shadow passwords should not include ""
snip
⊚ cis-dil-benchmark-3.3.3: Ensure IPv6 is disabled (6 failed)
× File /boot/grub/grub.conf content should match /ipv6\.disable=1/
expected nil to match /ipv6\.disable=1/
× File /boot/grub/grub.cfg content should match /ipv6\.disable=1/
expected nil to match /ipv6\.disable=1/
× File /boot/grub/menu.lst content should match /ipv6\.disable=1/
expected nil to match /ipv6\.disable=1/
× File /boot/boot/grub/grub.conf content should match /ipv6\.disable=1/
expected nil to match /ipv6\.disable=1/
× File /boot/boot/grub/grub.cfg content should match /ipv6\.disable=1/
expected nil to match /ipv6\.disable=1/
× File /boot/boot/grub/menu.lst content should match /ipv6\.disable=1/
expected nil to match /ipv6\.disable=1/
Profile Summary: 86 successful controls, 98 control failures, 38 controls skipped
Test Summary: 942 successful, 316 failures, 44 skipped
Note: By default, the CIS 2.0 profile is run. To obtain the CIS 1.0 results, you need to explicitly change the profile to 1.0.
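The four steps above can be scripted so that each run keeps a JSON report for the audit trail and the failed controls are pulled out of the CLI output for remediation tracking. The script below is an added example, not code from this page or from the cis-dil-benchmark project; it assumes inspec is on PATH, that the profile was copied to /home/admin/cis-dil-benchmark, and it ships with a constructed sample of CLI output so the parsing can be tried without InSpec installed.

```shell
#!/bin/sh
# Added example, not code from the page or the cis-dil-benchmark project: run
# the copied profile, keep CLI and JSON output, and list the failed controls
# from the CLI output so remediation can be tracked per control.
# Assumptions: inspec is on PATH, profile copied to /home/admin/cis-dil-benchmark.
PROFILE_DIR="${PROFILE_DIR:-/home/admin/cis-dil-benchmark}"

# InSpec exits 100 when controls fail and 101 when controls are skipped, so a
# non-zero status is expected on an unhardened host and is reported, not fatal.
run_benchmark() {
  inspec exec "$PROFILE_DIR" --reporter cli json:inspec-report.json > inspec-output.txt
  echo "inspec exit status: $?"
}

# Print "<control id> <failed test count>" for each control header line such as
#   "⊚ cis-dil-benchmark-3.3.3: Ensure IPv6 is disabled (6 failed)"
# Individual test lines and the two summary lines never carry "(N failed)".
failed_controls() {
  awk 'match($0, /\([0-9]+ failed/) {
         id = $2; sub(/:$/, "", id)                       # drop trailing colon
         print id, substr($0, RSTART + 1, RLENGTH - 8)    # digits between "(" and " failed"
       }' "$1"
}

# Sum the failed test counts over all failed controls.
total_failed_tests() {
  failed_controls "$1" | awk '{ n += $2 } END { print n + 0 }'
}

# Constructed sample in the CLI reporter format shown above, so the parser can
# be exercised without running InSpec; the 1.2.3 control id is made up.
SAMPLE_OUTPUT="$(mktemp)"
trap 'rm -f "$SAMPLE_OUTPUT"' EXIT
cat > "$SAMPLE_OUTPUT" <<'EOF'
Profile: CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
  ✔  cis-dil-benchmark-6.2.1: Ensure password fields are not empty
     ✔  /etc/shadow passwords should not include ""
  ⊚  cis-dil-benchmark-3.3.3: Ensure IPv6 is disabled (6 failed)
     ×  File /boot/grub/grub.cfg content should match /ipv6\.disable=1/
     expected nil to match /ipv6\.disable=1/
  ×  cis-dil-benchmark-1.2.3: Constructed example control (2 failed)
Profile Summary: 86 successful controls, 98 control failures, 38 controls skipped
Test Summary: 942 successful, 316 failures, 44 skipped
EOF
if [ "${1:-}" = "--run" ]; then
  run_benchmark && failed_controls inspec-output.txt   # real run on the Service Engine
else
  failed_controls "$SAMPLE_OUTPUT"                     # offline demonstration
fi
```

Invoke it with --run on the Service Engine to scan; without arguments it only parses the embedded sample, and inspec-report.json can be kept as evidence for each scan.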