Automated compliance testing with InSpec
Strictly Managed
Compliance can be a valid tool for enabling secure operation of any type of IT organization; at least, that is what ISO 27001 [1], the BSI's IT baseline protection (IT-Grundschutz) [2], and various other standards and certification bodies promise their customers. However, corporations often need to implement compliance rules for certification that run contrary to existing business practices. To keep the promises made to the certification authority, regular system checks are needed: The corporation needs to verify that the rules laid down in its policies are in fact implemented on all relevant systems, exactly as the instructions require. The question is how to implement this kind of check.
One way would be to employ admins who do nothing but handle this task, but that would be inefficient; moreover, it would create an uncomfortable situation in which the regular administrators feel they are being watched. Automated compliance tests are infinitely preferable: InSpec to the rescue.
Audits and Tests
Anyone who has been involved in converting a home-grown system to one in which strict compliance rules are observed knows the pain involved. Where previously a laissez-faire atmosphere ruled the day, all of a sudden a rigid structure with many requirements and conditions regulates the administrator's work, often with far-reaching consequences. The sheer volume of regulations alone can make moving forward difficult. If a quick fix is needed in an emergency, compliance rules often provide for exceptions, but the quick fix then has to be replaced by a proper solution afterwards.
InSpec, from Chef, the company behind the configuration management tool of the same name, promises to run compliance tests automatically and regularly on target systems, with tests you define in a human-readable language that avoids the need to learn an overly elaborate syntax. InSpec describes itself as a framework for auditing and testing. First and foremost, it puts an existing automated system to the test to determine whether the system and the services running on it are configured in line with policy. The slogan is "Compliance as Code."
Having a tool for automated compliance testing come from the same company that has the Chef automation tool in its portfolio makes a lot of sense. If you run configuration management, you probably do so because you want the same state on all your managed systems. Tools such as Chef, if in doubt, simply overwrite configuration deviations and thus enforce uniformity, but what about the system components that Chef does not touch? How can you tell whether individual systems have been deliberately and manually manipulated so that they no longer comply with the standard? Chef's answer to these questions is InSpec.
InSpec is available under a free license and can be downloaded from Chef's GitHub repository [3]. It supports a variety of target systems: Linux is represented by CentOS, RHEL, SLES, Debian, Ubuntu, and others. Windows is also covered; InSpec claims to run on all relevant recent Windows versions. The BSD family is represented by FreeBSD, and even more exotic operating systems like AIX, HP-UX, and Solaris can be tested with InSpec. Additionally, InSpec works on Mac OS X. The supported systems are so diverse that almost everything in the server room can be covered by the current version.
Hello World!
The example in this article is, what else, the famous "Hello World!" program. To use InSpec, you first have to install it. The developers offer an installation script for RHEL, Ubuntu, Mac OS, and Windows that fetches a finished package and installs InSpec on your system. The command on Ubuntu is:
curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
If you are working on a different system, either install InSpec from RubyGems.org [4] or use the Docker container in which InSpec is already installed. Note that the command above pipes a script fetched over the network straight into a root shell; on a production host you would rather download the package for your platform, verify the checksum published alongside it, and install it with the system's package manager.
In theory, the above command also works on Mac OS, but some caution is advisable: Like Chef, InSpec relies on Ruby, and the version of Ruby included in Mac OS is prehistoric. You can remedy this by installing Homebrew [5] and using it to procure a current Ruby for your system. If the installation goes well, a simple call to inspec at the command line displays the program's help text.
First Test
Like Chef cookbooks, InSpec tests follow a strict syntax, so it is best to create a folder first; I named it helloworld in the example. In the next step, create a file named helloworld.txt in that folder. For the moment, the file should contain a single line of text that reads "Helo World!" (retain the typo; read on to discover why).
Then comes the actual InSpec test or, as it is referred to in InSpec-speak, the specification. Create the helloworld_spec.rb file in a text editor; it makes sense to use an editor that supports syntax highlighting for Ruby. The first test looks like Listing 1. If you are not familiar with Ruby syntax, you will probably not understand every line right away. However, most of the instructions can be deciphered with the kind of basic knowledge any administrator has.
Listing 1: Hello World!

01 control "hello-world-1" do
02   impact 1.0
03   title "Hello World"
04   desc "Text should include the words 'hello world'."
05   describe file('helloworld.txt') do
06     its('content') { should match 'Hello World' }
07   end
08 end
Line 1 initiates the specification with the control directive; the character string in quotes is a machine-processable, unique identifier for the test. The impact directive in line 2 assigns a severity between 0.0 and 1.0 that indicates how bad it is if this test fails. How the severity levels are interpreted in reports and which actions follow from them is up to the organization running InSpec. In this example, 1.0 was chosen arbitrarily.
The title and desc strings give the test a name and a description. Both values should be understandable for people without any knowledge of Ruby. Finally, describe in line 5 initiates the condition: In this specific example, InSpec opens the helloworld.txt file and checks whether its content contains the string Hello World. The match is a regular-expression match and is case sensitive, so the misspelt "Helo World!" from the file created above does not satisfy it, and the control fails.
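To see what the directives in Listing 1 actually do when a spec file is executed, here is an added example that is neither part of the article nor InSpec's own code: a plain-Ruby sketch of an evaluator for exactly the DSL subset the listing uses (control, impact, title, desc, describe, file, its, should, match). The class names FileResource, Matcher, Matchers, Expectation, Describe, Control and Profile and the run_hello_world helper are my own inventions; the listing itself is embedded unchanged. It runs the control once against the misspelt "Helo World!" from the text and once against the corrected text.

```ruby
# Added example, not InSpec's own code: a plain-Ruby sketch of how InSpec turns
# the control in Listing 1 into a pass/fail result. Class names and helpers
# here are assumptions; only the DSL subset used by the listing is modelled.
require "tmpdir"

# Stand-in for InSpec's `file` resource: the properties a control can query.
class FileResource
  def initialize(path); @path = path; end
  # nil for a missing file, so a missing file fails a match instead of raising.
  def content; File.exist?(@path) ? File.read(@path) : nil; end
  def to_s; "File #{@path}"; end
end

# A matcher is a name plus a predicate; `should` applies it to the tested value.
class Matcher
  attr_reader :name
  def initialize(name, &predicate); @name, @predicate = name, predicate; end
  def pass?(value); @predicate.call(value); end
end

# Matcher factories available inside `its(...) { ... }` blocks. As in RSpec, a
# String pattern is used as a regular expression, so `match 'Hello World'` is a
# case-sensitive search for that text anywhere in the content.
module Matchers
  def match(pattern)
    Matcher.new("match #{pattern.inspect}") { |v| !v.nil? && v.to_s.match?(pattern) }
  end
end

# Evaluation context of one `its` block; `should` records the outcome.
class Expectation
  include Matchers
  def initialize(owner, subject_desc, value)
    @owner, @subject_desc, @value = owner, subject_desc, value
  end
  def should(matcher)
    @owner.results << { expectation: "#{@subject_desc} should #{matcher.name}",
                        passed: matcher.pass?(@value) }
  end
end

# One `describe <resource> do ... end` block and the results it produced.
class Describe
  attr_reader :results
  def initialize(subject); @subject, @results = subject, []; end
  # `its('content') { ... }` tests one property of the resource.
  def its(property, &block)
    value = @subject.public_send(property)
    Expectation.new(self, "#{@subject} #{property}", value).instance_eval(&block)
  end
end

# One `control "id" do ... end` block: metadata plus its describe blocks.
class Control
  def initialize(id); @id, @describes = id, []; end
  def impact(value); @impact = value; end
  def title(value); @title = value; end
  def desc(value); @desc = value; end
  def file(path); FileResource.new(path); end
  def describe(subject, &block)
    @describes << Describe.new(subject).tap { |d| d.instance_eval(&block) }
  end
  # Collapse all expectations into one verdict plus the list of failures.
  def result
    failures = @describes.flat_map(&:results).reject { |r| r[:passed] }.map { |r| r[:expectation] }
    { id: @id, impact: @impact, title: @title, passed: failures.empty?, failures: failures }
  end
end

# Top level of a spec file: collects the controls and evaluates them.
class Profile
  attr_reader :controls
  def initialize; @controls = []; end
  def control(id, &block)
    @controls << Control.new(id).tap { |c| c.instance_eval(&block) }
  end
  def self.run(&dsl); new.tap { |p| p.instance_eval(&dsl) }.controls.map(&:result); end
end

# Listing 1, unchanged, as a block of DSL to be evaluated by Profile.run.
LISTING_1 = proc do
  control "hello-world-1" do
    impact 1.0
    title "Hello World"
    desc "Text should include the words 'hello world'."
    describe file('helloworld.txt') do
      its('content') { should match 'Hello World' }
    end
  end
end

# Write `text` to helloworld.txt in a scratch directory and run Listing 1 from
# there (the listing uses a relative path); returns the control's result hash.
def run_hello_world(text)
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "helloworld.txt"), text)
    Dir.chdir(dir) { Profile.run(&LISTING_1).first }
  end
end

if __FILE__ == $PROGRAM_NAME
  ["Helo World!\n", "Hello World!\n"].each do |text|
    r = run_hello_world(text)
    puts "#{r[:id]} (impact #{r[:impact]}) on #{text.strip.inspect}: #{r[:passed] ? 'passed' : 'FAILED'}"
    r[:failures].each { |f| puts "  #{f}" }
  end
end
```

Run with a plain ruby interpreter: the first pass reports the failed expectation File helloworld.txt content should match "Hello World", the second passes. The real tool executes the same listing with inspec exec, but the mechanics are the ones shown here: every control block is evaluated in turn, every describe block produces expectations, and a control fails as soon as one of its expectations fails.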