Getting Started with Chef InSpec
I recently evaluated Microsoft Security Compliance Toolkit and Chef InSpec—two Windows-friendly baseline scanners. Here are the essentials for Chef InSpec.
Overview
Chef InSpec is a security baseline scanner from Chef. It supports Windows, macOS, Red Hat, Ubuntu, and more.
This walkthrough focuses on Windows Server.
Download
https://downloads.chef.io/inspec/
You can also follow the GitHub README to install via Ruby gems:
For CentOS / Red Hat / Fedora:
yum -y install ruby ruby-devel make gcc gcc-c++
For Ubuntu:
apt-get -y install ruby ruby-dev gcc g++ make
Then install InSpec:
gem install inspec-bin
Usage
inspec --help
To run an existing baseline, use inspec exec:
inspec exec https://github.com/dev-sec/windows-baseline
You can point it at profiles shared on GitHub, or download them first:
git clone https://github.com/dev-sec/windows-baseline
Chef hosts Chef Supermarket for sharing profiles. Browse it to find baselines that fit your needs.
Notes
Version support
Each release of Chef InSpec documents the operating systems it supports. For example, versions 1.50.1 and later drop Windows Server 2008. Individual profiles have their own requirements: the sample windows-baseline targets Windows Server 2012 R2 and newer. In practice I was able to install Chef InSpec 1, 3, and 4 on Windows Server 2008 R2. Version 1 fails to run the windows-baseline profile, while versions 3 and 4 report errors but still produce many findings—version 4 surfaces the most.
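Added example (not from the original post or from Chef): a Ruby script that splits an InSpec JSON report into controls that failed and controls that errored, the distinction that matters when a profile runs on an OS it does not target. It assumes the report was produced with inspec exec <profile> --reporter json (InSpec 2 and later) and that an errored check carries an "exception" field; the sample report, its control ids and the function names are constructed for illustration.

```ruby
require "json"

# Constructed sample shaped like `inspec exec <profile> --reporter json` output
# (not real scan data). Assumption: a result that raised instead of evaluating
# carries an "exception" key in addition to status "failed".
SAMPLE_REPORT = <<~REPORT
  {"version": "4.0.0", "profiles": [{"name": "sample-profile", "controls": [
    {"id": "sample-01", "impact": 1.0,
     "results": [{"status": "passed", "code_desc": "check A"}]},
    {"id": "sample-02", "impact": 0.7,
     "results": [{"status": "passed", "code_desc": "check B"},
                 {"status": "failed", "code_desc": "check C", "message": "expected 1, got 0"}]},
    {"id": "sample-03", "impact": 0.5,
     "results": [{"status": "failed", "code_desc": "check D",
                  "message": "undefined method", "exception": "NoMethodError"}]},
    {"id": "sample-04", "impact": 0.3,
     "results": [{"status": "skipped", "code_desc": "check E", "skip_message": "n/a"}]},
    {"id": "sample-05", "impact": 1.0,
     "results": [{"status": "failed", "code_desc": "check F", "message": "expected 0, got 1"}]}
  ]}]}
REPORT

# Classify one control. An error outranks a failure: the check never ran, so
# the setting is unverified rather than known-bad.
def control_state(control)
  results = control.fetch("results", [])
  return :error   if results.any? { |r| r.key?("exception") }
  return :failed  if results.any? { |r| r["status"] == "failed" }
  return :skipped if results.empty? || results.all? { |r| r["status"] == "skipped" }
  :passed
end

# Map each state to its control ids, highest impact first within a state.
def triage(report_json)
  controls = JSON.parse(report_json).fetch("profiles", []).flat_map { |p| p.fetch("controls", []) }
  controls.sort_by { |c| -c.fetch("impact", 0).to_f }
          .group_by { |c| control_state(c) }
          .transform_values { |cs| cs.map { |c| c["id"] } }
end

if $PROGRAM_NAME == __FILE__
  # Pass a report path as the first argument, or run with none to use the sample.
  report = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  triage(report).each { |state, ids| puts "#{state}: #{ids.join(', ')}" }
end
```

Controls in the error bucket should be re-checked by hand or on a supported OS before the host is treated as compliant for those settings.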