
Feat/updates cinc inspec v4 #85

Merged

Conversation

@deric4 (Member) commented Aug 12, 2020

Updates to use cinc-auditor v4.

Able to run bundle exec rake lint and bundle exec rake test:check; the check reports its output in JSON format.

Example rake test:check output:

{
  "summary": {
    "valid": true,
    "timestamp": "2020-08-11T21:42:40-07:00",
    "location": ".",
    "profile": "cis-dil-benchmark",
    "controls": 225
  },
  "errors": [],
  "warnings": [
    {
      "file": "./controls/1_6_mandatory_access_control.rb",
      "line": 140,
      "column": null,
      "control_id": "cis-dil-benchmark-1.6.1.6",
      "msg": "Control cis-dil-benchmark-1.6.1.6 has no tests defined"
    },
    {
      "file": "./controls/5_3_configure_pam.rb",
      "line": 20,
      "column": null,
      "control_id": "cis-dil-benchmark-5.3.1",
      "msg": "Control cis-dil-benchmark-5.3.1 has no tests defined"
    },
    {
      "file": "./controls/6_2_user_and_group_settings.rb",
      "line": 132,
      "column": null,
      "control_id": "cis-dil-benchmark-6.2.7",
      "msg": "Control cis-dil-benchmark-6.2.7 has no tests defined"
    },
    {
      "file": "./controls/6_2_user_and_group_settings.rb",
      "line": 149,
      "column": null,
      "control_id": "cis-dil-benchmark-6.2.8",
      "msg": "Control cis-dil-benchmark-6.2.8 has no tests defined"
    },
    {
      "file": "./controls/6_2_user_and_group_settings.rb",
      "line": 170,
      "column": null,
      "control_id": "cis-dil-benchmark-6.2.9",
      "msg": "Control cis-dil-benchmark-6.2.9 has no tests defined"
    },
    {
      "file": "./controls/6_2_user_and_group_settings.rb",
      "line": 187,
      "column": null,
      "control_id": "cis-dil-benchmark-6.2.10",
      "msg": "Control cis-dil-benchmark-6.2.10 has no tests defined"
    },
    {
      "file": "./controls/6_2_user_and_group_settings.rb",
      "line": 207,
      "column": null,
      "control_id": "cis-dil-benchmark-6.2.11",
      "msg": "Control cis-dil-benchmark-6.2.11 has no tests defined"
    },
    {
      "file": "./controls/6_2_user_and_group_settings.rb",
      "line": 224,
      "column": null,
      "control_id": "cis-dil-benchmark-6.2.12",
      "msg": "Control cis-dil-benchmark-6.2.12 has no tests defined"
    },
    {
      "file": "./controls/6_2_user_and_group_settings.rb",
      "line": 241,
      "column": null,
      "control_id": "cis-dil-benchmark-6.2.13",
      "msg": "Control cis-dil-benchmark-6.2.13 has no tests defined"
    },
    {
      "file": "./controls/6_2_user_and_group_settings.rb",
      "line": 263,
      "column": null,
      "control_id": "cis-dil-benchmark-6.2.14",
      "msg": "Control cis-dil-benchmark-6.2.14 has no tests defined"
    },
    {
      "file": "./controls/6_2_user_and_group_settings.rb",
      "line": 280,
      "column": null,
      "control_id": "cis-dil-benchmark-6.2.15",
      "msg": "Control cis-dil-benchmark-6.2.15 has no tests defined"
    },
    {
      "file": "./controls/5_4_user_accounts_and_environments.rb",
      "line": 118,
      "column": null,
      "control_id": "cis-dil-benchmark-5.4.2",
      "msg": "Control cis-dil-benchmark-5.4.2 has no tests defined"
    },
    {
      "file": "./controls/4_2_configure_logging.rb",
      "line": 220,
      "column": null,
      "control_id": "cis-dil-benchmark-4.2.4",
      "msg": "Control cis-dil-benchmark-4.2.4 has no tests defined"
    },
    {
      "file": "./controls/3_6_firewall_configuration.rb",
      "line": 90,
      "column": null,
      "control_id": "cis-dil-benchmark-3.6.5",
      "msg": "Control cis-dil-benchmark-3.6.5 has no tests defined"
    },
    {
      "file": "./controls/3_6_firewall_configuration.rb",
      "line": 106,
      "column": null,
      "control_id": "cis-dil-benchmark-3.7",
      "msg": "Control cis-dil-benchmark-3.7 has no tests defined"
    },
    {
      "file": "./controls/4_1_configure_system_accounting_auditd.rb",
      "line": 291,
      "column": null,
      "control_id": "cis-dil-benchmark-4.1.12",
      "msg": "Control cis-dil-benchmark-4.1.12 has no tests defined"
    }
  ]
}
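The warnings above are the useful part of that report: `inspec check` only warns about a control that has no tests defined, so such a control can sit in a benchmark profile and never enforce anything. The script below is an added example, not code from this PR or from the dev-sec project; it parses the same JSON shape `rake test:check` prints and turns "has no tests defined" warnings into a pass/fail decision a CI job can act on. The embedded report is a constructed, abbreviated sample in that format; the function names and the allow-list parameter are this example's own.

```ruby
#!/usr/bin/env ruby
# Added example (not part of the dev-sec/cis-dil-benchmark PR): gate CI on the
# JSON emitted by `inspec check --format json`, the output `rake test:check`
# prints above. A control with no tests is only a warning to `inspec check`,
# so without a gate it silently stops enforcing its benchmark item.
require 'json'

# Constructed sample, abbreviated from the report format shown in the PR.
SAMPLE_CHECK_OUTPUT = <<~REPORT
  {
    "summary": {"valid": true, "profile": "cis-dil-benchmark", "controls": 225},
    "errors": [],
    "warnings": [
      {"file": "./controls/1_6_mandatory_access_control.rb", "line": 140,
       "column": null, "control_id": "cis-dil-benchmark-1.6.1.6",
       "msg": "Control cis-dil-benchmark-1.6.1.6 has no tests defined"},
      {"file": "./controls/6_2_user_and_group_settings.rb", "line": 132,
       "column": null, "control_id": "cis-dil-benchmark-6.2.7",
       "msg": "Control cis-dil-benchmark-6.2.7 has no tests defined"},
      {"file": "./controls/6_2_user_and_group_settings.rb", "line": 149,
       "column": null, "control_id": "cis-dil-benchmark-6.2.8",
       "msg": "Control cis-dil-benchmark-6.2.8 has no tests defined"},
      {"file": "./controls/9_9_constructed.rb", "line": 1, "column": null,
       "control_id": null, "msg": "some other warning"}
    ]
  }
REPORT

NO_TESTS_RE = /has no tests defined\z/

# Parse the check report; raises on malformed JSON or on a missing top-level key.
def parse_check_report(json_text)
  report = JSON.parse(json_text)
  %w[summary errors warnings].each do |key|
    raise ArgumentError, "check report missing #{key}" unless report.key?(key)
  end
  report
end

# Control IDs that `inspec check` flagged as having no tests, returned as
# {id => "file:line"} so the offending location can be reported.
def untested_controls(report)
  report['warnings']
    .select { |w| w['control_id'] && NO_TESTS_RE.match?(w['msg'].to_s) }
    .each_with_object({}) { |w, acc| acc[w['control_id']] = "#{w['file']}:#{w['line']}" }
end

# Gate decision: the profile must be valid, have no errors, and every control
# must carry at least one test unless it is on the explicit allow list.
def check_passes?(report, allowlist: [])
  return false unless report['summary']['valid'] && report['errors'].empty?

  (untested_controls(report).keys - allowlist).empty?
end

# Human-readable summary, returned rather than printed so callers can log it.
def untested_summary(report)
  untested = untested_controls(report)
  lines = ["#{report['summary']['profile']}: #{report['summary']['controls']} controls, " \
           "#{untested.size} without tests"]
  untested.sort.each { |id, loc| lines << "  #{id} (#{loc})" }
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  # With a path argument, read a real report; otherwise analyse the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_CHECK_OUTPUT
  puts untested_summary(parse_check_report(text))
end
```

In a pipeline, feed it the real file (`inspec check . --format json > check.json`) and have the wrapper `exit(check_passes?(report) ? 0 : 1)`; the allow list exists so that controls which are deliberately documentation-only (manual CIS items) can be listed once, reviewed, and not block every build.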

@chris-rock (Member) left a comment

@deric4 those changes are great. Thank you

@chris-rock (Member) commented

@deric4 Can you please sign-off your commits?

Signed-off-by: Deric Miguel <dmiguel@logicworks.net>
@deric4 force-pushed the feat/updates-cinc-inspec-v4 branch from 3a44f0b to f86419f on August 12, 2020 05:20
Gemfile (outdated; review comment on these lines):

group :tools do
  gem 'github_changelog_generator', '~> 1.12.0'
  source 'https://packagecloud.io/cinc-project/stable' do
    gem "chef-config"

Member comment:

We still need to fix the rubocop issues as reported by travis https://travis-ci.org/github/dev-sec/cis-dil-benchmark/builds/717146821?utm_source=github_status&utm_medium=notification

Offenses:

Gemfile:3:48: C: Style/HashSyntax: Use the new Ruby 1.9 hash syntax.
gem 'github_changelog_generator', '~> 1.12.0', :source => 'https://rubygems.org/'
                                               ^^^^^^^^^^
Gemfile:4:13: C: Style/HashSyntax: Use the new Ruby 1.9 hash syntax.
gem 'rake', :source => 'https://rubygems.org/'
            ^^^^^^^^^^
Gemfile:5:16: C: Style/HashSyntax: Use the new Ruby 1.9 hash syntax.
gem 'rubocop', :source => 'https://rubygems.org/'
               ^^^^^^^^^^
Gemfile:6:16: C: Style/HashSyntax: Use the new Ruby 1.9 hash syntax.
gem 'unf_ext', :source => 'https://rubygems.org/'
               ^^^^^^^^^^
Gemfile:9:7: C: Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
  gem "chef-config"
      ^^^^^^^^^^^^^
Gemfile:10:7: C: Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
  gem "chef-utils"
      ^^^^^^^^^^^^
Gemfile:11:7: C: Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
  gem "cinc-auditor-bin"
      ^^^^^^^^^^^^^^^^^^
Gemfile:12:7: C: Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
  gem "inspec"
      ^^^^^^^^
Gemfile:13:7: C: Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
  gem "inspec-core"
      ^^^^^^^^^^^^^

@deric4 (Member, Author) commented Aug 12, 2020

@deric4 Can you please sign-off your commits?

@chris-rock Yeah, sorry about that! I thought I had that configured. I've been hacking around with the Gemfile to make sure dependencies are correct.

If the vendor path isn't specified, all the versions of inspec or chef-auditor will default to using ~/.inspec. Is there a preferred convention dev-sec uses when working with different profiles?

@chris-rock (Member) commented

So far we have not used cinc-auditor and InSpec in parallel. We planned to switch to cinc-auditor but have not done the switch for the profiles yet. PRs are welcome to switch the profiles to cinc-auditor.

I am not sure which specific issue you face with the profile vendoring. In general, we do not vendor profiles for dev-sec development.

Signed-off-by: Deric Miguel <dmiguel@logicworks.net>
@deric4 (Member, Author) commented Aug 12, 2020

I am not sure which specific issue you face with the profile vendoring. In general, we do not vendor profiles for dev-sec development.

OK, I was just curious whether anything else could be added to the Rakefile.

For example, installing a plugin with Inspec:

$ which inspec
/usr/local/bin/inspec

$ inspec version
4.21.3

$  inspec plugin install inspec-iggy
Fetching inspec-iggy-0.8.0.gem
inspec-iggy plugin, version 0.8.0, installed from rubygems.org

will cause my previously working cinc-auditor to fail:

$ bundle exec cinc-auditor version
[2020-08-11T22:46:54-07:00] ERROR: Could not load plugin inspec-iggy: Unable to resolve dependency: user requested 'inspec-iggy (> 0)'
[2020-08-11T22:46:56-07:00] ERROR: Errors were encountered while loading plugins...
[2020-08-11T22:46:56-07:00] ERROR: Plugin name: inspec-iggy
[2020-08-11T22:46:56-07:00] ERROR: Error: Unable to resolve dependency: user requested 'inspec-iggy (> 0)'
[2020-08-11T22:46:56-07:00] ERROR: Run again with --debug for a stacktrace.

running rm -rf ~/.inspec makes everything work again.

$ bundle exec cinc-auditor version
4.22.8
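The failure above comes from both binaries reading the same plugin registry under ~/.inspec, so a plugin installed for one is resolved (and fails to resolve) for the other. The wrapper below is an added example, not code from this PR or from dev-sec, showing one way to keep them apart: run the tool with its config directory pointed at a private location instead of wiping ~/.inspec. It assumes InSpec honours the INSPEC_CONFIG_DIR environment variable as an override for ~/.inspec; the function name and the `.inspec-cinc` directory used in the usage section are this example's own choices.

```ruby
#!/usr/bin/env ruby
# Added example (not from the PR or the dev-sec project): run an InSpec-family
# tool against a private config/plugin directory so that a plugin installed for
# one binary (`inspec plugin install inspec-iggy` above) cannot break another
# (`cinc-auditor`). Assumption: the tool reads INSPEC_CONFIG_DIR as an override
# for ~/.inspec; verify against the release you use if it has no effect.
require 'open3'
require 'tmpdir'
require 'fileutils'

# Runs `cmd` (an argv array, never a shell string) with INSPEC_CONFIG_DIR set
# to `config_dir`, or to a fresh temporary directory that is removed afterwards
# when none is given. Returns [exit_status, combined_stdout_and_stderr].
# The caller's ~/.inspec is neither read nor written by the child process.
def run_with_isolated_inspec_config(cmd, config_dir: nil)
  raise ArgumentError, 'cmd must be a non-empty argv array' if cmd.nil? || cmd.empty?

  dir = config_dir || Dir.mktmpdir('inspec-config-')
  FileUtils.mkdir_p(dir)
  env = { 'INSPEC_CONFIG_DIR' => dir }
  out, status = Open3.capture2e(env, *cmd)
  [status.exitstatus, out]
rescue Errno::ENOENT => e
  # Mirror the shell convention: 127 when the binary itself is not found.
  [127, "#{cmd.first}: not found (#{e.message})\n"]
ensure
  FileUtils.rm_rf(dir) if config_dir.nil? && dir
end

if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  # Usage: ruby isolated_inspec.rb cinc-auditor version
  # Keeps cinc-auditor's plugin state in ./.inspec-cinc, separate from ~/.inspec.
  status, out = run_with_isolated_inspec_config(ARGV, config_dir: File.join(Dir.pwd, '.inspec-cinc'))
  print out
  exit status
end
```

Passing a per-project `config_dir` (and adding it to .gitignore) gives each checkout its own plugin registry; leaving it nil gives a throwaway directory, which is the right choice for a CI job that should never pick up plugins from the runner's home directory.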

@micheelengronne (Member) left a comment

That is so cool what you did there!! For me, it is good to merge and give it a try.
