InSpec is a free and open-source framework for testing and auditing your applications and infrastructure. InSpec detects violations and reports the findings, which helps you control remediation.
You can use the InSpec tool to run the tests under the CIS profiles. Follow the steps below to run the Benchmarks using the InSpec tool:
For complete information on CIS compliance for Avi Load Balancer, see CIS Compliance for NSX Advanced Load Balancer.
Installing InSpec Tool
Download the InSpec package from the InSpec downloads page and install it on the Service Engine, as shown below.
root@user-service-engine:/home/admin# dpkg -i inspec_2.1.54-1_amd64.deb
(Reading database ... 21762 files and directories currently installed.)
Preparing to unpack inspec_2.1.54-1_amd64.deb ...
You're about to install InSpec!
Unpacking inspec (2.1.54-1) ...
Setting up inspec (2.1.54-1) ...
Thank you for installing InSpec!
root@user-service-engine:/home/admin#
The example above uses the latest version of the InSpec tool available at the time of writing. You can use any version that is relevant to your Service Engine.
Verifying Tool Installation
Use the inspec detect command to verify that the InSpec tool has been installed correctly.
root@user-service-engine:/home/admin# inspec detect

== Operating System Details

Name:      ubuntu
Family:    debian
Release:   14.04
Arch:      x86_64

root@user-service-engine:/home/admin#
Copying Benchmarks to the Avi Load Balancer Service Engine
Copy or SCP all content of the cis-dil-benchmark directory from the GitHub repository to the Service Engine's home directory.
root@user-service-engine:/home/admin# ls
cis-dil-benchmark  inspec_2.1.54-1_amd64.deb
root@user-service-engine:/home/admin# cd cis-dil-benchmark/
root@user-service-engine:/home/admin/cis-dil-benchmark# ls
LICENSE  README.md  controls  inspec.yml  libraries
Running InSpec
Run inspec exec against the profile directory to execute all the Benchmark controls.
root@user-service-engine:/home/admin# inspec exec /home/admin/cis-dil-benchmark/

Profile: CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version: 0.1.0
Target:  local://

  ✔  cis-dil-benchmark-6.2.1: Ensure password fields are not empty
     ✔  /etc/shadow passwords should not include ""
snip
  ⊚  cis-dil-benchmark-3.3.3: Ensure IPv6 is disabled (6 failed)
     ×  File /boot/grub/grub.conf content should match /ipv6\.disable=1/
     expected nil to match /ipv6\.disable=1/
     ×  File /boot/grub/grub.cfg content should match /ipv6\.disable=1/
     expected nil to match /ipv6\.disable=1/
     ×  File /boot/grub/menu.lst content should match /ipv6\.disable=1/
     expected nil to match /ipv6\.disable=1/
     ×  File /boot/boot/grub/grub.conf content should match /ipv6\.disable=1/
     expected nil to match /ipv6\.disable=1/
     ×  File /boot/boot/grub/grub.cfg content should match /ipv6\.disable=1/
     expected nil to match /ipv6\.disable=1/
     ×  File /boot/boot/grub/menu.lst content should match /ipv6\.disable=1/
     expected nil to match /ipv6\.disable=1/

Profile Summary: 86 successful controls, 98 control failures, 38 controls skipped
Test Summary: 942 successful, 316 failures, 44 skipped
By default, the CIS 2.0 profile is run. To obtain the CIS 1.0 results, you need to explicitly change the profile to 1.0.
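With 98 failing controls in a run like the one above, the findings need triage before remediation. The following Python script is an added example, not part of this documentation or of the cis-dil-benchmark profile: it parses a report saved with InSpec's JSON reporter (inspec exec /home/admin/cis-dil-benchmark/ --reporter json > report.json), rolls each control's test results up to one status the way the CLI does, and lists the failed controls highest impact first. The embedded report is a constructed sample mirroring the run above; the field names it reads (profiles, controls, results, impact, code_desc, message) are those emitted by InSpec 2.x.

```python
import json

# Constructed sample in the shape of InSpec's JSON reporter output
# (inspec exec <profile> --reporter json), trimmed to the fields read below.
# Control ids and messages mirror the CLI run shown above.
SAMPLE_REPORT = json.dumps({"profiles": [{"name": "cis-dil-benchmark", "controls": [
    {"id": "cis-dil-benchmark-6.2.1", "impact": 1.0,
     "title": "Ensure password fields are not empty",
     "results": [{"status": "passed",
                  "code_desc": '/etc/shadow passwords should not include ""'}]},
    {"id": "cis-dil-benchmark-3.3.3", "impact": 0.5,
     "title": "Ensure IPv6 is disabled",
     "results": [{"status": "failed",
                  "code_desc": "File /boot/grub/grub.cfg content should match /ipv6\\.disable=1/",
                  "message": "expected nil to match /ipv6\\.disable=1/"},
                 {"status": "failed",
                  "code_desc": "File /boot/grub/menu.lst content should match /ipv6\\.disable=1/",
                  "message": "expected nil to match /ipv6\\.disable=1/"}]},
]}]})

def control_status(control):
    """Roll per-test results up to one control status, as the InSpec CLI does:
    any failed test fails the control; all tests skipped is skipped; else passed."""
    statuses = [r.get("status") for r in control.get("results", [])]
    if "failed" in statuses:
        return "failed"
    if statuses and all(s == "skipped" for s in statuses):
        return "skipped"
    return "passed"

def summarize(report_text):
    """Return per-status control counts and failed controls, highest impact first."""
    counts = {"passed": 0, "failed": 0, "skipped": 0}
    failed = []
    for profile in json.loads(report_text).get("profiles", []):
        for control in profile.get("controls", []):
            status = control_status(control)
            counts[status] += 1
            if status == "failed":
                failed.append({"id": control["id"], "title": control.get("title", ""),
                               "impact": control.get("impact", 0.0),
                               "failures": [f"{r['code_desc']}: {r.get('message', '')}"
                                            for r in control["results"] if r.get("status") == "failed"]})
    failed.sort(key=lambda c: c["impact"], reverse=True)
    return counts, failed

if __name__ == "__main__":
    # Replace SAMPLE_REPORT with open("report.json").read() for a real run.
    for c in summarize(SAMPLE_REPORT)[1]:
        print(f"[impact {c['impact']}] {c['id']}: {c['title']}", *c["failures"], sep="\n  ")
```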