Using InSpec for CIS Compliance: A Step-by-Step Guide
In the world of cybersecurity, compliance is critical. One of the most widely followed sets of hardening standards comes from the Center for Internet Security (CIS), whose benchmarks describe secure configuration settings for operating systems, cloud platforms, and applications. Chef InSpec (written "InSpec") is an open-source compliance-as-code framework: its profiles express each benchmark recommendation as an automated test, so a benchmark can be checked repeatedly and reported on instead of audited by hand.
In this post, we will walk you through how to use InSpec to assess a system's compliance with a CIS benchmark: how to install InSpec, how to obtain a CIS profile, how to run it against the local machine or a remote host, and how to read the results.
Why CIS Compliance?
CIS provides a comprehensive set of security controls that are widely adopted to ensure that systems are secured according to industry standards. Achieving CIS compliance helps organizations:
- Improve security posture by following best practices.
- Reduce vulnerabilities and mitigate risks.
- Meet regulatory requirements for certain industries.
Setting Up inSpec for CIS Compliance
Before you begin testing your system, you need to set up inSpec and get the right profile.
1. Install inSpec
Ensure that InSpec is installed on the machine you will scan from. Follow the installation steps in the official Chef InSpec documentation for your operating system; Chef publishes native packages for Linux, macOS, and Windows.
On macOS you can also install it from Chef's Homebrew tap (this is not a homebrew-core formula, so the tap-qualified name is required):
brew install chef/chef/inspec
Confirm the install with inspec version.
2. Get the CIS Profile
The next step is to obtain a CIS InSpec profile: a set of predefined controls that test a system against a specific CIS benchmark (for example, one benchmark and version for one Linux distribution). CIS profiles are not bundled with InSpec itself. CIS distributes its official InSpec profiles to CIS SecureSuite members, and community-maintained profiles that implement CIS benchmarks exist on GitHub. Whichever source you use, pick the profile that matches the benchmark version and platform you are auditing, and treat it as code: a profile is Ruby that InSpec executes with whatever privileges the scan runs under, so only run profiles from a source you trust and pin the version you have reviewed.
After downloading the profile (here into a directory named cis-linux), verify that it is well-formed. The profile is essentially a collection of tests, called controls, together with an inspec.yml metadata file. InSpec can validate the profile structure and syntax without running any tests:
inspec check cis-linux
The output should report the profile name, version, and number of controls, and end with a summary of 0 errors. To see the individual control IDs and titles the profile contains, export its metadata with inspec json cis-linux.
Running CIS Compliance Locally with inSpec
Now that you’ve installed inSpec and downloaded the CIS profile, it’s time to run the tests locally.
1. Run a Basic Compliance Check
To run the CIS profile against a remote system over SSH, use the following command:
inspec exec cis-linux --target ssh://user@hostname --password 'your_password'
Here, cis-linux is the directory containing the CIS Linux profile you downloaded, user@hostname is the target system, and your_password is the SSH password for that account. Omit --target entirely to run the profile against the machine InSpec is installed on, which is the "local" case this guide focuses on.
Two practical notes. First, a password given on the command line ends up in your shell history and is visible to other users in the process list; prefer key-based authentication with -i /path/to/private_key, or use an SSH agent. Second, many CIS controls inspect files and settings only root can read (/etc/shadow, audit rules, kernel parameters), so an unprivileged run will report spurious failures. Run as root locally, or add --sudo for remote targets so InSpec elevates each check.
2. Check for Specific Controls
If you are only interested in running specific controls, you can select them by control ID with --controls. For example:
inspec exec cis-linux --target ssh://user@hostname --password 'your_password' --controls '1.1.1'
This executes only the control whose ID is 1.1.1 in the CIS Linux profile. Control IDs are defined by the profile, not by InSpec, and different profiles for the same benchmark may use different naming schemes (bare section numbers, prefixed IDs, or XCCDF-style identifiers), so check the IDs listed by inspec json cis-linux before relying on them. Several IDs can be given separated by spaces, and a regular expression in /.../ form selects every control whose ID matches.
3. Generate Reports
Results can be written in several formats, such as JSON, HTML, or JUnit, depending on your needs. The reporter takes an optional output path after a colon, so you can keep the terminal summary and write a file in the same run. For example, to generate a human-readable HTML report:
inspec exec cis-linux --target ssh://user@hostname --password 'your_password' --reporter cli html:cis_compliance_report.html
This prints the usual summary to the terminal and writes a standalone HTML file with the per-control findings. For anything automated, json:cis_compliance_report.json is the format to keep: it records every test result with its status and message, and it is the form that is easiest to diff between runs or feed into a ticketing or SIEM pipeline. Note that inspec exec signals the overall outcome through its exit status, not just the report: 0 when every control passed, 100 when any control failed, and 101 when some controls were skipped and none failed. A CI job that wraps the scan should check that code rather than parsing the terminal output.
Interpreting the Results
Once the compliance checks are completed, you will receive a list of controls along with their results. Each control is made up of one or more tests, and InSpec reports a control with one of the following statuses:
- Passed: every test in the control succeeded, so the system meets the CIS benchmark for this control.
- Failed: at least one test in the control did not hold. The system does not meet the CIS recommendation, and the setting needs to be corrected (or an exception documented).
- Skipped: the control did not run, usually because its only_if guard decided it does not apply to this platform or configuration. InSpec shows this as "skipped" rather than "not applicable", and the summary counts it separately from passes.
Each control also carries an impact value between 0.0 and 1.0 assigned by the profile author, which InSpec maps to a severity label (critical, high, medium, low, or none). You should focus on the Failed results first, starting with the highest-impact controls, and remediate them to bring the system into compliance. Skipped controls deserve a second look as well: a skip caused by a missing privilege or a mis-detected platform hides a finding rather than resolving it.
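The report-generation step and the status rules above are easiest to see against an actual JSON report. The following is an added example, written for this post and not code from Chef or from any CIS profile: it parses a report in the layout `--reporter json` produces (profiles, each with controls, each with test results that carry a status), derives one status per control the way InSpec does (any failed test fails the control; no failures and at least one pass means passed; otherwise skipped), lists the failed controls ordered by impact, and maps the summary to the exit codes `inspec exec` uses. The sample report embedded in the script is constructed by hand; its control IDs, titles, file names and messages are placeholders, not taken from a real scan or benchmark.

```python
"""Summarise a Chef InSpec JSON report and reproduce InSpec's exit-code rule.

Added example for this post, not code from Chef InSpec or from a CIS profile.
"""
import json
import sys

# Constructed sample report (not real scan output). It mirrors the shape
# written by `inspec exec ... --reporter json:file`: only individual test
# results carry a status; the control's status is derived from them.
# IDs, titles, paths and messages below are placeholders.
SAMPLE_REPORT = json.dumps({
    "platform": {"name": "ubuntu", "release": "22.04"},
    "version": "5.22.3",
    "profiles": [{
        "name": "cis-linux",
        "controls": [
            {"id": "1.1.1", "title": "Placeholder control that fails", "impact": 1.0,
             "results": [
                 {"status": "passed", "code_desc": "File /etc/example should exist"},
                 {"status": "failed", "code_desc": "File /etc/example mode should cmp '0644'",
                  "message": "expected: 0644, got: 0666"}]},
            {"id": "1.1.2", "title": "Placeholder control that is skipped", "impact": 0.5,
             "results": [
                 {"status": "skipped", "code_desc": "Operating System Detection",
                  "skip_message": "Skipped control due to only_if condition."}]},
            {"id": "1.1.3", "title": "Placeholder control that passes", "impact": 0.7,
             "results": [
                 {"status": "passed", "code_desc": "Service example should not be enabled"}]},
        ],
    }],
    "statistics": {"duration": 12.3},
})


def parse_report(text):
    """Parse JSON reporter output from a string."""
    return json.loads(text)


def load_report(path):
    """Read a report file written with --reporter json:<path>."""
    with open(path, encoding="utf-8") as fh:
        return parse_report(fh.read())


def control_status(control):
    """Collapse a control's test results into one status.

    Any failed test fails the control; otherwise at least one passing test
    means passed. Everything else (all tests skipped, or no tests at all) is
    reported as skipped here so an empty control is never mistaken for a pass.
    """
    statuses = {r.get("status") for r in control.get("results", [])}
    if "failed" in statuses:
        return "failed"
    if "passed" in statuses:
        return "passed"
    return "skipped"


def iter_controls(report):
    """Yield (profile name, control dict) for every control in the report."""
    for profile in report.get("profiles", []):
        for control in profile.get("controls", []):
            yield profile.get("name", ""), control


def summarize(report):
    """Count controls by derived status across all profiles."""
    counts = {"passed": 0, "failed": 0, "skipped": 0}
    for _, control in iter_controls(report):
        counts[control_status(control)] += 1
    return counts


def failed_controls(report):
    """Return failed controls, highest impact first, with the failing tests."""
    found = []
    for profile, control in iter_controls(report):
        if control_status(control) != "failed":
            continue
        failures = [(r.get("code_desc", ""), r.get("message", ""))
                    for r in control.get("results", []) if r.get("status") == "failed"]
        found.append({"profile": profile, "id": control.get("id"),
                      "title": control.get("title", ""),
                      "impact": float(control.get("impact", 0.0)),
                      "failures": failures})
    found.sort(key=lambda c: c["impact"], reverse=True)
    return found


def exit_code(counts):
    """Exit status `inspec exec` uses: 100 on failures, 101 on skips only, 0 otherwise."""
    if counts["failed"]:
        return 100
    if counts["skipped"]:
        return 101
    return 0


if __name__ == "__main__":
    # Usage: python summarize_inspec.py [cis_compliance_report.json]
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else parse_report(SAMPLE_REPORT)
    counts = summarize(report)
    print("passed={passed} failed={failed} skipped={skipped}".format(**counts))
    for c in failed_controls(report):
        print(f"[impact {c['impact']:.1f}] {c['id']} {c['title']}")
        for desc, msg in c["failures"]:
            print(f"    {desc}: {msg}")
    sys.exit(exit_code(counts))
```

Run it with the path of a report written by `--reporter json:cis_compliance_report.json`, or with no argument to see it work on the embedded sample. Because the script returns the same exit codes as `inspec exec`, a CI step can call either one and apply the same gate; sorting failures by impact means the first lines of output are the ones to fix first.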
Conclusion
Using InSpec for CIS compliance testing is an excellent way to verify that your systems match the benchmark and to keep them that way. By choosing the correct CIS profile, running it locally or over SSH, and interpreting the results, you can manage security and compliance proactively instead of discovering drift at audit time.
A full Linux benchmark profile typically completes in a few minutes; the exact time depends on the number of controls selected and, for remote targets, on SSH round trips for each command the checks run.
Of course, like any tool, InSpec is only as effective as its configuration. Keep profiles current so they track the benchmark version you are measured against, pin and review the profile version you deploy (it is code that runs with the scan's privileges), and run the scan on a schedule so a passing report reflects the system as it is now rather than as it was when someone last remembered to check.