CIS benchmarks compliance translated to ruby scripts

Hi, I’ve been discovering inspec lately and I’m trying to translate some CIS benchmarks to ruby scripts that I can execute using InSpec.

The thing is that I’m not familiar with ruby, by any chance, can I use another language for coding those scripts ?
I’ve been following a youtube tutorial from chef :

I couldn’t even install atom correctly on ubuntu 16.04,

Did anone face the same issues ?

That is the only language option for Inspec - it is a very simplified form of ruby if that helps.

While it can sometimes be difficult to get atom installed on ubuntu 16.04 - you can use another editor. Nano or vim might be a better choice to try out inspec.

If you have a Safari subscription, you might also want to check out my video series on InSpec (and Chef). I spend some time walking through how to install atom on Ubuntu 16.04 in more steps. More than half the series content is on InSpec, and you can skip right to the parts on InSpec:

Alright, I’ll have a look

Can I paste a part of the code I wrote so you can tell me if I’m doing it good or not ?
I’m still trying to make it work on InSpec…

Sure. Go ahead. It is a good way to learn - make your best attempt first then get some feedback.

I tried vim as you told me
And I had a look on ur tutos, for now I think I’ll keep using vim until I face another issue.
Can you tell me please where the problem is in this code ?

Concerning the first block I didnt quite understand what I’ve to put inside the “describe file…”

title ‘test’

describe file(’/tmp’) do
it { should be_directory }

control ‘premier’ do
impact 0.7
title ‘Remove extraneous files and directories’
desc ‘premier test.’
describe file(’/CATALINA_HOME’) do
it { ls -l $CATALINA_HOME/webapps/docs \ $CATALINA_HOME/webapps/examples }

Here is the error I get when I execute the code :

aicha@ubuntu:~/learn-inspec$ inspec exec tomcat/
/opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.1.10/lib/inspec/profile_context.rb:157:in instance_eval': tomcat/controls/example.rb:18: syntax error, unexpected tGVAR, expecting keyword_do or '{' or '(' (SyntaxError) it { ls -l $CATALINA_HOME/webapps/docs \ $CATALINA_HOME ^ tomcat/controls/example.rb:18: syntax error, unexpected $undefined, expecting keyword_do or '{' or '(' $CATALINA_HOME/webapps/docs \ $CATALINA_HOME/webapps/exampl ^ from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.1.10/lib/inspec/profile_context.rb:157:inload_with_context’
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.1.10/lib/inspec/profile_context.rb:141:in load_control_file' from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.1.10/lib/inspec/profile.rb:167:inblock in collect_tests’
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.1.10/lib/inspec/profile.rb:164:in each' from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.1.10/lib/inspec/profile.rb:164:incollect_tests’
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.1.10/lib/inspec/runner.rb:93:in block in load' from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.1.10/lib/inspec/runner.rb:82:ineach’
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.1.10/lib/inspec/runner.rb:82:in load' from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.1.10/lib/inspec/runner.rb:103:inrun’
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.1.10/lib/inspec/cli.rb:168:in exec' from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/command.rb:27:inrun’
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/invocation.rb:126:in invoke_command' from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor.rb:387:indispatch’
from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/base.rb:466:in start' from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.1.10/bin/inspec:12:in<top (required)>’
from /usr/bin/inspec:72:in load' from /usr/bin/inspec:72:in

Yes, it can be difficult to know where to go next with some of these InSpec constructs until you get some practice.

You really should consider spending some time watching my video on InSpec/Chef at - I explain how the file construct works in more detail and many other things about inspec programming language. It should make things more clear about what the file construct does.

You may also want to check out Annie Hedgpeth’s series on InSpec as well. She wrote a great series of tutorial blog posts starting with this one:

All the information you need to address your error can be found here - where she covers the command resource:

If you want to run a command and scrape the output, it would look something like this to correct the execution errors:

describe command(‘ls -l $CATALINA_HOME/webapps/docs \ $CATALINA_HOME/webapps/examples’) do

its(‘stdout’) { should match ‘<something you want to search in the output>’ }


Now this won’t work exactly like you expect because an environment variable like $CATALINA_HOME usually isn’t defined at the system level where InSpec can cope with it. So until you learn more about how to work with those from InSpec, you may want to consider starting out replacing $CATALINA_HOME with the actual full path if you see more issues, like so:

describe command(‘ls -l /usr/apache/tomcat/webapps/docs \ /usr/apache/tomcat/webapps/examples’) do

its(‘stdout’) { should match ‘<something you want to search in the output>’ }


But that being said, a more efficient way to check to make sure that the “docs” and “examples” directories do not exist (which is what I think is your intent) is to use the file resource something like this (refer to my videos or Annie’s blog posts for more explanation):

describe file(‘/usr/apache/tomcat/webapps/docs’) do

it { should_not exist }


describe file(‘/usr/apache/tomcat/webapps/examples’) do

it { should_not exist }


Good luck in your InSpec learning!

Thank’s a lot, your answer’s really helpful…
and yeah as you told me to do, I’ll start by have a look on Annie’s and your videos

Thank you

Another thing to note is there may be some good examples out there if you look for cis on the Supermarket. I believe there is a cis_mitigation cookbook and the source with their tests should be available as well.

I’ll have a look, thank you
The thing is that “annihedgie”'s tutorials were really helpful