0

Question: (How) Is it possible to "overwrite" inspec controls? (specificly in the DevSec Inspec Baselines)?

I don't want to rewrite a whole inspec definition, just specific controls in a contro-file.

Background:
I regularly pull the current baselines from the DevSec repository to stay up to date with the current specifications. But I want to adjust some of those "controls" to my needs or want to disable them.

Is it possible to change a specification by changing some environment variable or by placing a file with a higher priority somewhere in the inspec directorystructure? Or do I have to overwrite/edit the whole "controlfile.rb" specification - this would invovle manual intervention everytime the control-file changes and be counterproductive to the automation process.

(I see the consideration, that for security-relevant changes it would be wise to inspect every new update of the controls)

update One solution is answer below, to just execute specific controls. I still don't know how to EXCLUDE specific control (negating regex seem to not work)

MacMartin
  • 2,366
  • 1
  • 24
  • 27

1 Answers1

0

To just use specifig controls:
In found it in the command-help it says:

 [--controls=one two three]                                             
      # A list of control names to run, or a list of /regexes/ to match a gainst control names. Ignore all other tests.

(I now also found it in the docs: https://docs.chef.io/inspec/cli/#options-3)

The following will execute just the controls starting with "ssh" in the specified profile:

inspec exec /profilepath/profilename --controls "/ssh-.*/"

to overwrite controls To overwrite specific controls they can be overwritten in the "controls"-directory of a profile, that can be "applied ontop of the baseline" which is included there, see https://blog.chef.io/understanding-inspec-profile-inheritance, like:

include_controls 'linux-baseline' do
  somevariable = attribute('somevariable', value: false, description: 'do something')
    control 'package-08' do
      impact 1.0
      title 'Install pkg'
      desc 'install some packaged'
      only_if { somevariable }
      audit_pkg = 'packagename'
      describe package(mypkg) do
        it { should be_installed }
      end
end

include "linux-patch-baseline"
# nothing to replace here
MacMartin
  • 2,366
  • 1
  • 24
  • 27