On 6/20/18 5:03 PM, Trevor Vaughan wrote:
Hi All,

As part of delving into InSpec for my CI tests, I decided that I need to have some form of baseline to follow.

To that end, our public STIG profile does the following:
  1. Build a system
  2. Download and compile the SSG
  3. Run an oscap remediate using the SSG
  4. Check the system using InSpec

The idea here is that the remediation should get the system to a point where the more static OVAL checks that SCAP uses should be used as a low water mark for the more dynamic InSpec checks.

I wanted to share the tests in Travis CI in case it helps anyone here find issues with the SSG in the future. For instance, some of the profile renaming just bit us and makes automating the scans pretty interesting.

Anyway, you can watch the 'System Test' build stage here https://travis-ci.org/simp/inspec-profile-disa_stig-el7 that will get triggered any time things are updated in the repo and, of course, you can also download it and run it locally.

Ideally, these tests will start showing a 100% pass across the board and this can serve as some help to the community.

Thanks for sharing! Will check it out.

Any intent to contribute your InSpec remediations? Would be great to get them folded into SSG!