Executing Benchmarks using Inspec


InSpec is a free and open-source framework meant for testing and auditing your applications and infrastructure. InSpec detects violations and reports the findings that help in control of remediation.

You can use the InSpec tool to run the tests under CIS profiles. Follow the steps below to run Benchmarks using the InSpec tool:

  1. Installing InSpec Tool
  2. Verifying tool installation
  3. Copying the Benchmarks to Avi Service Engine
  4. Running InSpec

For complete information on CIS compliance for Avi Vantage, refer to CIS Compliance.

Installing InSpec Tool

Download the InSpec tool from downloads and install it on the Avi Service Engine, as shown below.

    root@user-service-engine:/home/admin# dpkg -i inspec_2.1.54-1_amd64.deb
    (Reading database ... 21762 files and directories currently installed.)
    Preparing to unpack inspec_2.1.54-1_amd64.deb ...
    You're about to install InSpec!
    Unpacking inspec (2.1.54-1) ...
    Setting up inspec (2.1.54-1) ...
    Thank you for installing InSpec!

Note: The example above uses the latest version of the InSpec tool. You can use any version that is relevant.

Verifying tool installation

Use the inspect detect command to verify if the InSpec tool has been installed correctly.

    root@user-service-engine:/home/admin# inspec detect
     == Operating System Details
    Name: ubuntu
    Family: debian
    Release: 14.04
    Arch: x86_64

Copying the Benchmarks to Avi Service Engine

Copy or SCP all content in the cis-dil-benchmark directory from the Github repository at the link here: https://github.com/dev-sec/cis-dil-benchmark to Avi Service Engine’s home directory.

    root@user-service-engine:/home/admin# ls
    cis-dil-benchmark inspec_2.1.54-1_amd64.deb
    root@user-service-engine:/home/admin# cd cis-dil-benchmark/
    root@user-service-engine:/home/admin/cis-dil-benchmark# ls
    LICENSE README.md controls inspec.yml libraries

Running InSpec

Run the InSpec tool to run all the Benchmark tests.

     root@user-service-engine:/home/admin# inspec exec /home/admin/cis-dil-benchmark/
     Profile: CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
     Version: 0.1.0
     Target:  local://
       ✔  cis-dil-benchmark-6.2.1: Ensure password fields are not empty
          ✔  /etc/shadow passwords should not include ""
       ⊚  cis-dil-benchmark-3.3.3: Ensure IPv6 is disabled (6 failed)
          ×  File /boot/grub/grub.conf content should match /ipv6\.disable=1/
          expected nil to match /ipv6\.disable=1/
          ×  File /boot/grub/grub.cfg content should match /ipv6\.disable=1/
          expected nil to match /ipv6\.disable=1/
          ×  File /boot/grub/menu.lst content should match /ipv6\.disable=1/
          expected nil to match /ipv6\.disable=1/
          ×  File /boot/boot/grub/grub.conf content should match /ipv6\.disable=1/
          expected nil to match /ipv6\.disable=1/
          ×  File /boot/boot/grub/grub.cfg content should match /ipv6\.disable=1/
          expected nil to match /ipv6\.disable=1/
          ×  File /boot/boot/grub/menu.lst content should match /ipv6\.disable=1/
          expected nil to match /ipv6\.disable=1/
     Profile Summary: 86 successful controls, 98 control failures, 38 controls skipped
     Test Summary: 942 successful, 316 failures, 44 skipped

Note: By default the CIS 2.0 profile is run. You need to explicitly change the profile to 1.0 for the CIS 1.0 results.