- ## First-hand experience with waiver support in InSpec v4.17.7
- **myprofile1/controls/profile1.rb**
- ```ruby
- control 'pro1-con1' do # has a waiver entry with skip: no, so it is still evaluated and its failure is reported
- impact 0.8
- title 'Profile 1 - Control 1'
- describe file('/etc/hosts11111') do
- its('mode') { should eq 0644 } # 0644 is a Ruby octal literal (420 decimal), hence "should eq 420" in the report
- end
- end
- control 'pro1-con2' do # waiver entry has skip: no; the skip seen in the report comes from only_if, not from the waiver
- impact 0.9
- title 'Profile 1 - Control 2'
- tag 'password' # tag without a value; shows up as "password": null in the report
- describe file('/etc/222222') do
- it { should exist }
- end
- only_if { 1 == 2 } # always false, so the report shows "Skipped control due to only_if condition."
- end
- control 'pro1-con3' do # waiver expired on 1977-06-01: evaluated normally, both describe blocks report "failed"
- impact 1
- title 'Profile 1 - Control 3'
- describe file('/tmp/33333') do
- it { should exist }
- end
- describe file('/etc/44444') do
- it { should exist }
- end
- end
- control 'pro1-con4' do # waiver with skip: yes and expiration 2025-06-01: the report holds one "skipped" result instead of one per describe
- impact 0.9
- title 'Profile 1 - Control 4'
- describe file('/etc/4-1') do
- it { should exist }
- end
- describe file('/etc/4-2') do
- it { should exist }
- end
- end
- control 'pro1-con5' do # no entry in waivers.yaml: evaluated normally and its result carries no waiver_data
- impact 0.9
- title 'Profile 1 - Control 5'
- describe file('/etc/55555555') do
- it { should exist }
- end
- end
- ```
- -------
- **waivers.yaml**
- ```yaml
- pro1-con1:
- justification: Sound reasoning
- skip: no # reported as "skip": false: the justification is recorded but the control still runs
- pro1-con2:
- justification: Sheer cleverness
- skip: no
- pro1-con3:
- expiration_date: 1977-06-01 # in the past: the report says the waiver expired and the control is evaluated normally
- justification: Necessity
- skip: yes
- pro1-con4:
- expiration_date: 2025-06-01 # waiver still active on the 2019-10-04 run: the control reports "skipped"
- justification: Whimsy
- skip: yes # NOTE(review): an active skip hides the control's real pass/fail state; keep waiver files under review and expiry dates short
- ```
- ------
- **json output for inspec v4.17.7**
- ```bash
- inspec exec ~/git/myprofile1 --waiver-file ~/git/waivers.yaml --reporter json-automate | jq . # run the profile with the waiver file applied; jq pretty-prints the json-automate report
- ```
- ```json
- {
- "platform": {
- "name": "mac_os_x",
- "release": "17.7.0"
- },
- "profiles": [
- {
- "name": "myprofile1",
- "version": "1.0.1",
- "sha256": "447542ecfb8a8800ed0146039da3af8fed047f575f6037cfba75f3b664a97ea4",
- "title": "My Profile 1 title",
- "maintainer": "Demo, Inc.",
- "summary": "My Profile 1 summary",
- "license": "Apache-2.0",
- "copyright": "Demo, Inc.",
- "copyright_email": "support@example.com",
- "supports": [],
- "attributes": [],
- "groups": [
- {
- "id": "controls/profile1.rb",
- "controls": [
- "pro1-con1",
- "pro1-con2",
- "pro1-con3",
- "pro1-con4",
- "pro1-con5"
- ]
- }
- ],
- "controls": [
- {
- "id": "pro1-con1",
- "title": "Profile 1 - Control 1",
- "desc": null,
- "descriptions": [],
- "impact": 0.8,
- "refs": [],
- "tags": {},
- "code": "control 'pro1-con1' do\n impact 0.8\n title 'Profile 1 - Control 1'\n describe file('/etc/hosts11111') do\n its('mode') { should eq 0644 }\n end\nend\n",
- "source_location": {
- "line": 1,
- "ref": "/Users/apop/git/mycompliance-profile/myprofile1/controls/profile1.rb"
- },
- "results": [
- {
- "status": "failed",
- "code_desc": "File /etc/hosts11111 mode should eq 420",
- "run_time": 0.032021,
- "start_time": "2019-10-04T20:49:22+01:00",
- "message": "\nexpected: 420\n got: nil\n\n(compared using ==)\n",
- "waiver_data": {
- "justification": "Sound reasoning",
- "skip": false,
- "skipped_due_to_waiver": false,
- "message": ""
- }
- }
- ]
- },
- {
- "id": "pro1-con2",
- "title": "Profile 1 - Control 2",
- "desc": null,
- "descriptions": [],
- "impact": 0.9,
- "refs": [],
- "tags": {
- "password": null
- },
- "code": "control 'pro1-con2' do\n impact 0.9\n title 'Profile 1 - Control 2'\n tag 'password'\n describe file('/etc/222222') do\n it { should exist }\n end\n only_if { 1 == 2 }\nend\n",
- "source_location": {
- "line": 9,
- "ref": "/Users/apop/git/mycompliance-profile/myprofile1/controls/profile1.rb"
- },
- "results": [
- {
- "status": "skipped",
- "code_desc": "Operating System Detection",
- "run_time": 9e-06,
- "start_time": "2019-10-04T20:49:22+01:00",
- "resource": "Operating System Detection",
- "skip_message": "Skipped control due to only_if condition.",
- "waiver_data": {
- "justification": "Sheer cleverness",
- "skip": false,
- "skipped_due_to_waiver": false,
- "message": ""
- }
- }
- ]
- },
- {
- "id": "pro1-con3",
- "title": "Profile 1 - Control 3",
- "desc": null,
- "descriptions": [],
- "impact": 1,
- "refs": [],
- "tags": {},
- "code": "control 'pro1-con3' do\n impact 1\n title 'Profile 1 - Control 3'\n describe file('/tmp/33333') do\n it { should exist }\n end\n describe file('/etc/44444') do\n it { should exist }\n end\nend\n",
- "source_location": {
- "line": 19,
- "ref": "/Users/apop/git/mycompliance-profile/myprofile1/controls/profile1.rb"
- },
- "results": [
- {
- "status": "failed",
- "code_desc": "File /tmp/33333 should exist",
- "run_time": 0.002398,
- "start_time": "2019-10-04T20:49:22+01:00",
- "message": "expected File /tmp/33333 to exist",
- "waiver_data": {
- "expiration_date": "1977-06-01",
- "justification": "Necessity",
- "skip": true,
- "skipped_due_to_waiver": false,
- "message": "Waiver expired on 1977-06-01, evaluating control normally"
- }
- },
- {
- "status": "failed",
- "code_desc": "File /etc/44444 should exist",
- "run_time": 0.000871,
- "start_time": "2019-10-04T20:49:22+01:00",
- "message": "expected File /etc/44444 to exist",
- "waiver_data": {
- "expiration_date": "1977-06-01",
- "justification": "Necessity",
- "skip": true,
- "skipped_due_to_waiver": false,
- "message": "Waiver expired on 1977-06-01, evaluating control normally"
- }
- }
- ]
- },
- {
- "id": "pro1-con4",
- "title": "Profile 1 - Control 4",
- "desc": null,
- "descriptions": [],
- "impact": 0.9,
- "refs": [],
- "tags": {},
- "code": "control 'pro1-con4' do\n impact 0.9\n title 'Profile 1 - Control 4'\n describe file('/etc/4-1') do\n it { should exist }\n end\n describe file('/etc/4-2') do\n it { should exist }\n end\nend\n",
- "source_location": {
- "line": 30,
- "ref": "/Users/apop/git/mycompliance-profile/myprofile1/controls/profile1.rb"
- },
- "results": [
- {
- "status": "skipped",
- "code_desc": "Operating System Detection",
- "run_time": 7e-06,
- "start_time": "2019-10-04T20:49:22+01:00",
- "resource": "Operating System Detection",
- "skip_message": "Skipped control due to waiver condition: Whimsy",
- "waiver_data": {
- "expiration_date": "2025-06-01",
- "justification": "Whimsy",
- "skip": true,
- "skipped_due_to_waiver": true,
- "message": ""
- }
- }
- ]
- },
- {
- "id": "pro1-con5",
- "title": "Profile 1 - Control 5",
- "desc": null,
- "descriptions": [],
- "impact": 0.9,
- "refs": [],
- "tags": {},
- "code": "control 'pro1-con5' do\n impact 0.9\n title 'Profile 1 - Control 5'\n describe file('/etc/55555555') do\n it { should exist }\n end\nend\n",
- "source_location": {
- "line": 41,
- "ref": "/Users/apop/git/mycompliance-profile/myprofile1/controls/profile1.rb"
- },
- "results": [
- {
- "status": "failed",
- "code_desc": "File /etc/55555555 should exist",
- "run_time": 0.000189,
- "start_time": "2019-10-04T20:49:22+01:00",
- "message": "expected File /etc/55555555 to exist"
- }
- ]
- }
- ],
- "status": "loaded"
- }
- ],
- "statistics": {
- "duration": 0.040207
- },
- "version": "4.17.7"
- }
- ```