Compliance as Code:
An Introduction to InSpec

By Annie Hedgpeth

One of my main goals at 10th Magnitude is to make every cloud migration or implementation safer and more secure than it used to be on premise. One way in which we can get a greater assurance of security is to not only see the infrastructure as code, but to see the compliance as code, too. A great framework in which to achieve this is an open-source, automated security and compliance auditing framework called InSpec. I’m going to share with you some very compelling reasons that you, too, might want to consider using it.

1. Anyone can use it.

When I heard that InSpec was written with non-developers in mind, I set about on a mission to prove whether that was true. At the time, I had no development experience at all, so learning InSpec myself made for a great experiment. I started to learn how to write InSpec audit controls, and I wrote a series of tutorials along the way so that others could learn how to use it, too.

One very important thing that I proved throughout this blog series was that InSpec is completely accessible. I began the series with a very simple ‘Hello World’ tutorial in which I first laid out at a very basic level how to install InSpec on a Mac and then how to write your very first audit control test with InSpec. I wrote it from a perspective that the reader was not a technically-minded person, so really anybody can follow this tutorial.

control "world-1.0" do  # A unique ID for this control
  impact 1.0            # How critical this control is, from 0.0 (informational) to 1.0 (critical)
  title "Hello World"   # Human-readable title
  desc "Text should include the words 'hello world'." # Optional description
  describe file('hello.txt') do  # The actual test, using the file resource
    its('content') { should match 'Hello World' } # Matcher applied to the file's content
  end
end

Another aspect of its accessibility is that, while InSpec is owned by Chef, it’s completely platform agnostic, and you don’t even need configuration automation to use it! When you scan your infrastructure, nothing gets installed, changed or configured on the node that you’re testing.

2. Its strength is in its simplicity.

InSpec has a number of different resources to use in your audit controls, but at the heart of all of them is either searching a file or directory or running a command. In Day 2 and Day 3 of the tutorial series, I teach how to use both the file resource and the command resource—the meat and potatoes of InSpec. When someone is equipped with just these two resources, they can get pretty far with creating their own auditing controls!

describe file('/etc/yum.conf') do  # Searching a file
  its('content') { should match /gpgcheck=1/ }  # Using the "content" matcher
end

describe command('rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey') do  # Running a command
  its('stdout') { should match(/[0-9]/) }   # Matching its standard output
end

After you’ve experimented with that sufficiently, you can start learning how to use all of the other resources at your disposal on InSpec’s website, as well as custom matchers, which I teach you how to choose in Day 4.

The other aspect of its simplicity that I really love is that you can run the profiles (a grouping of audit controls) from anywhere! You can learn how to create a profile on Day 5. In Day 6, you learn that you can store them locally, in version control, in the Chef Supermarket, or on the Chef Compliance server (if you have a Chef enterprise license, then you’ll want to read Day 7 about inheriting profiles from the Compliance server).

And because you can store them anywhere, that gives you many options about how and where to use InSpec. Take a look at these commands that you can run in order to run a profile on a node:

# run test locally
inspec exec test.rb

# run test on remote host on SSH
inspec exec test.rb -t ssh://user@hostname -i /path/to/key

# run test on remote host using SSH agent private key authentication. Requires InSpec 1.7.1
inspec exec test.rb -t ssh://user@hostname

# run test on remote windows host on WinRM
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'

# run test on docker container
inspec exec test.rb -t docker://container_id

Now, imagine that you can put the link to a stored InSpec profile where it says test.rb. If you have InSpec installed on your machine, then you can run either of these commands right now using a profile stored on the Chef Supermarket to verify that all updates have been installed on a Windows machine.

# run test stored on Github locally 
inspec exec https://github.com/dev-sec/windows-patch-baseline

# run test stored on Github on remote windows host on WinRM
inspec exec https://github.com/dev-sec/windows-patch-baseline -t winrm://Administrator@windowshost --password 'your-password'

Now, imagine putting those commands in a CI/CD pipeline and using them across all of your environments. So many possibilities!
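As an added example (not code from this post or from Chef), here is a Ruby script for that pipeline stage: it reads the JSON report that inspec exec produces with the --reporter json option and fails the stage only when a failing control's impact meets a threshold. The report embedded in it is a constructed sample built around the two yum checks above, and the 0.7 threshold is an assumption.

```ruby
require 'json'

# Constructed sample in the shape of the report from `inspec exec ... --reporter json`,
# trimmed to the fields used here: one passing control and one failing control.
SAMPLE_REPORT = <<~JSON
  {
    "profiles": [
      {
        "name": "yum-baseline",
        "controls": [
          { "id": "yum-1.0", "title": "GPG checking of packages is enabled", "impact": 1.0,
            "results": [ { "status": "passed", "code_desc": "File /etc/yum.conf content should match /gpgcheck=1/" } ] },
          { "id": "yum-2.0", "title": "A GPG public key is imported", "impact": 0.5,
            "results": [ { "status": "failed", "code_desc": "Command rpm -q gpg-pubkey stdout should match /[0-9]/",
                           "message": "expected stdout to match /[0-9]/" } ] }
        ]
      }
    ]
  }
JSON

# Flatten every profile's controls into { id, title, impact, status }. A control
# counts as failed if any of its results failed, passed if any passed, else skipped.
def summarize_controls(report_json)
  JSON.parse(report_json).fetch('profiles', []).flat_map do |profile|
    profile.fetch('controls', []).map do |c|
      statuses = c.fetch('results', []).map { |r| r['status'] }
      status = if statuses.include?('failed') then 'failed'
               elsif statuses.include?('passed') then 'passed'
               else 'skipped'
               end
      { id: c['id'], title: c['title'], impact: c['impact'].to_f, status: status }
    end
  end
end

# Pipeline gate: failed controls whose impact meets the threshold (0.7 is an assumption;
# InSpec itself exits non-zero on any failure, this lets a team block only on severe ones).
def blocking_failures(report_json, min_impact: 0.7)
  summarize_controls(report_json).select { |c| c[:status] == 'failed' && c[:impact] >= min_impact }
end

if __FILE__ == $PROGRAM_NAME
  input = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT   # pass a real report path to gate on it
  summarize_controls(input).each { |c| puts "#{c[:status].upcase.ljust(7)} #{c[:id]} impact=#{c[:impact]} #{c[:title]}" }
  failures = blocking_failures(input)
  failures.each { |c| warn "BLOCKING: #{c[:id]} #{c[:title]}" }
  exit 1 unless failures.empty?   # non-zero exit fails the CI stage
end
```

Run it as ruby gate.rb report.json after inspec exec has written report.json; without an argument it walks the embedded sample.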

3. You begin to see how much you need it.

Imagine a world in which security and compliance is not an afterthought but is brought in from the very beginning, and compliance issues and bugs are found with InSpec in development instead of waiting all the way until the end with a slow manual check, further delaying release to production.

If your company requires strict adherence to regulatory requirements, then you definitely know that you can benefit from an automated auditing tool. Imagine being able to create a profile that tests for CIS compliance, and instead of auditing it manually once a year, you run that profile every single time someone changes something at any stage in the pipeline!

Also, imagine that you have run all your configuration scripts, and instead of hoping for the best, you actually created an InSpec profile that validates all of your configuration. InSpec will be your safety net before deploying!

Is your interest piqued yet?

Here are some things you can do to start leveraging InSpec.

  • Start writing smoke tests with InSpec as a way of validating your configuration
  • Show your smoke tests to your security and compliance team and see what they think about using it themselves
  • Let’s talk about how we can make your security and compliance team an equal partner in your cloud initiative

I’d like to encourage you to think of different ways in which to leverage InSpec in your own cloud initiative, and 10th Magnitude would love to work with you on all of those implementations.

Try it out!

Feel free to follow 10th Magnitude on Twitter to stay on top of the latest and greatest in cloud.

Full disclosure: All of these thoughts are my own, and I was not paid by Chef to write about InSpec. I just really like it!