As part of delving into InSpec for my CI tests, I decided that I need
to have some form of baseline to follow.
To that end, our public STIG profile does the following:

1. Build a system
2. Download and compile the SSG
3. Run an oscap remediate using the SSG
4. Check the system using InSpec

The idea here is that the remediation should get the system to a point
where the more static OVAL checks that SCAP uses should be used as a
low water mark for the more dynamic InSpec checks.
I wanted to share the tests in Travis CI in case it helps anyone here
find issues with the SSG in the future. For instance, some of the
profile renaming just bit us and makes automating the scans pretty
Anyway, you can watch the 'System Test' build stage here
that will get
triggered any time things are updated in the repo and, of course, you
can also download it and run it locally.
Ideally, these tests will start showing a 100% pass across the board
and this can serve as some help to the community.

Thanks for sharing! Will check it out.
Any intent to contribute your InSpec remediations? Would be great to get
them folded into SSG!