fixed section numbering and section 6.3
Signed-off-by: Aaron Lippold <[email protected]>
aaronlippold committed Dec 2, 2024
1 parent 4a1546b commit dda16de
Showing 14 changed files with 142 additions and 173 deletions.
2 changes: 1 addition & 1 deletion src/courses/user/03.md
Expand Up @@ -6,7 +6,7 @@ author: Aaron Lippold
headerDepth: 3
---

## 3. SAF Scavenger Hunt
## 3.1 SAF Scavenger Hunt

Explore the [SAF homepage](https://saf.mitre.org/) to find the answers to this scavenger hunt and familiarize yourself with the topics of this course. When you are done, check your answers!

10 changes: 5 additions & 5 deletions src/courses/user/04.md
Expand Up @@ -6,27 +6,27 @@ author: Aaron Lippold
headerDepth: 3
---

## 4. Start with Planning
## 4.1 Start with Planning

The SAF's main pillars are Plan, Harden, Validate, Normalize, and Visualize. First, it is necessary to plan which components are/will be in your system and identify the security guidance available for those components.

![The Plan Capability](../../assets/img/SAF_Capabilities_Plan.png)

### 4.1 Identify Your Stack of Components for the System
## 4.2 Identify Your Stack of Components for the System

Your software system is composed of multiple components, such as Cloud Services, Virtualization Platforms, Operating Systems, Databases, Application Logic, and Web Servers.

The first step of any assessment is identifying the components of the system you are assessing.

### 4.2 What is the Guidance?
## 4.3 What is the Guidance?

There could be Security Technical Implementation Guides (STIGs), Security Requirements Guides (SRGs), Center for Internet Security (CIS) Benchmarks, or vendor guidance written for the components in your software stack. Being aware of these can help inform which profile to use.

::: tip Note
Outline any specific requirements for your organization that might differ from the specific published guidance. This will inform how to tailor the profiles later on.
:::

### 4.3 Content Libraries for Software Components
## 4.4 Content Libraries for Software Components

As you saw in the previous section's [SAF Site scavenger hunt](./03.md), the SAF website hosts links, information, and tools to ease the security process. To get a better idea of what may be in your software stack and what kind of content is available for automated testing, you can peruse the SAF's hardening and validation content libraries when you are making a plan.

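Review bot: the subsection headings in this hunk are promoted from `###` to `##` (`### 4.1 Identify Your Stack of Components for the System` becomes `## 4.2 ...`, and likewise 4.3 through 4.5), so they now render as siblings of `## 4.1 Start with Planning` rather than as its children, and no heading carries the bare chapter number any more. If that flattening is the intended scheme it should be stated in the commit message and applied the same way in every chapter touched here; as it stands the `headerDepth: 3` frontmatter will show the whole chapter as a flat list of H2 entries.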
Expand All @@ -45,7 +45,7 @@ Navigate to the [Validate page](https://saf.mitre.org/#/validate) to find librar
![Validation](../../assets/img/SAF_Site_Validate.png)
:::

### 4.4 What if There is No Content for a Software Component?
## 4.5 What if There is No Content for a Software Component?

1. First, reach out to the SAF team at [[email protected]](mailto:[email protected]) to find out if there is a profile in development or otherwise available but not listed that could meet your needs.
2. Second, if there is still no profile available, identify the security guidance to which the profile should comply and reach out to find out how to best create that profile. We help teams do this and provide training courses on that as well!
10 changes: 5 additions & 5 deletions src/courses/user/05.md
Expand Up @@ -6,7 +6,7 @@ author: Aaron Lippold
headerDepth: 3
---

## 5. From "Plan" to "Validate"
## 5.1 From "Plan" to "Validate"

After identifying software components for your environment and knowing what security guidance exists for those components, the next step is validation, or in other words, testing.

Expand All @@ -29,7 +29,7 @@ The SAF team values this methodology and helps teams implement security complian
![Test-Driven Development](../../assets/img/TestDrivenDevelopment.png)
:::

## 5.1 What is InSpec?
## 5.2 What is InSpec?

"Chef [InSpec](https://www.chef.io/downloads/tools/inspec) is an infrastructure security and compliance testing framework with a human- and machine-readable language for comparing actual versus desired system state."

Expand All @@ -40,7 +40,7 @@ The term __InSpec profile__ refers to a collection of security tests written in
To learn more, look at the Beginner Developer's section on [What is an InSpec Profile](../beginner/02.md#what-is-an-inspec-profile) and test your understanding in [this comprehension check](../beginner/02.md#check-in).
:::

## 5.2 Examples of InSpec profiles
## 5.3 Examples of InSpec profiles

Let's review the READMEs for each profile for more information and specific run instructions. The README is the first document in the GitHub repository and contains the following information:

Expand All @@ -49,13 +49,13 @@ Let's review the READMEs for each profile for more information and specific run
3. Available inputs for tailoring to your environment
4. Instructions for running the profile

### 5.2.1 RHEL8 baseline profile
### 5.3.1 RHEL8 baseline profile

Let's take the [RHEL8 baseline profile](https://github.com/CMSgov/redhat-enterprise-linux-8-stig-baseline) as an example. You can find this InSpec profile at the provided link or through the [validation library of the SAF site](https://saf.mitre.org/libs/validate).

![The Red Hat 8 Profile](../../assets/img/Github_Rhel8.png)

### 5.2.2 NGINX baseline profile
### 5.3.2 NGINX baseline profile

Let's take the [NGINX baseline profile](https://github.com/mitre/nginx-stigready-baseline) as an example. You can find this InSpec profile at the provided link or through the [validation library of the SAF site](https://saf.mitre.org/libs/validate).

57 changes: 42 additions & 15 deletions src/courses/user/06.md
Expand Up @@ -6,43 +6,70 @@ author: Aaron Lippold
headerDepth: 3
---

## 6. How to Run InSpec
## 6.1 How to Run InSpec

In this section, we will talk about how to run InSpec. In [Section 8](./08.md), you will put this into practice!
In this section, we will discuss how to run InSpec. In [Section 8](./08.md), you will put this into practice!

### 6.1 Requirements
## 6.2 Requirements

To run InSpec, you must have:

1. **InSpec** - you must have InSpec downloaded on whatever machine is running the scans. This does not have to be the same machine that is being tested! _(We will run InSpec from the GitHub codespaces lab environment. Inspec is already downloaded in the GitHub codespaces lab environment after running the `build-lab.sh` script)_ Check out the [Installation Tab](../../installation) for more information on installing InSpec in a different environment.
2. **A Target** - you have to have something to test! _In the GitHub codespaces in the lab environment, we have two Docker containers running to test._
3. **An InSpec Profile** - you have to have the tests themselves! This is the code itself that will be run with all of the controls, or tests, against the target. You may have this code stored locally on your runner machine, or you may get it from GitHub if your system has access to the internet. We will look at both of those examples.
1. **InSpec** - InSpec must be downloaded on the machine running the scans. This does not have to be the same machine that is being tested! _(We will run InSpec from the GitHub Codespaces lab environment. InSpec is already downloaded in the GitHub Codespaces lab environment after running the `build-lab.sh` script.)_ Check out the [Installation Tab](../../installation) for more information on installing InSpec in a different environment.
2. **A Target** - You need something to test! _In the GitHub Codespaces lab environment, we have two Docker containers running to test._
3. **An InSpec Profile** - You need the tests themselves! This is the code that will be run with all of the controls, or tests, against the target. You may have this code stored locally on your runner machine, or you may get it from GitHub if your system has internet access. We will look at both examples.

### 6.2 The InSpec Command Formula
## 6.3 The InSpec Command Formula

You run InSpec from the command line. There are many different options for this command, but let's break down the simple formula based on the requirements above.

```sh
inspec exec WHERE_IS_THE_PROFILE -t WHAT_IS_THE_TARGET --more-flags EXTRA_STUFF --reporter WHAT_SHOULD_INSPEC_DO_WITH_THE_RESULTS
inspec exec <profile> -t <target> --more-flags ... --reporter <report types (json, cli, yaml, etc.)>
```

#### Start with inspec exec
```sh
inspec exec WHERE_IS_THE_PROFILE # 6.3.1 & 6.3.2
-t WHAT_IS_THE_TARGET # 6.3.3
--more-flags EXTRA_STUFF # 6.3.4
--reporter WHAT_SHOULD_INSPEC_DO_WITH_THE_RESULTS # 6.3.5
```

### 6.3.1 Start with `inspec exec` (required)

```sh
inspec exec
```

You need to start with `inspec exec` so that your terminal knows what it is trying to do in the first place. `inspec exec` tells InSpec to execute an existing profile.

#### WHERE_IS_THE_PROFILE
### 6.3.2 WHERE_IS_THE_PROFILE (required)

```sh
inspec exec WHERE_IS_THE_PROFILE
```

Then, you must give the location of the InSpec profile, in other words, the code for the tests themselves. If the InSpec profile is stored locally, you can write a path to that file location, such as `/root/path/to/InSpecProfiles/nginx-profile`. If you are hoping to directly access the profile from GitHub, you can enter the URL of the GitHub profile, such as `https://github.com/mitre/nginx-stigready-baseline`.

Then, you can give the location of the InSpec profile, in other words, the code for the tests themselves. If the InSpec profile is stored locally, you can write a path to that file location, such as `/root/path/to/InSpecProfiles/nginx-profile`. If you are hoping to directly access the profile from GitHub, you can enter the URL of the GitHub profile, such as `https://github.com/mitre/nginx-stigready-baseline`.
### 6.3.3 WHAT_IS_THE_TARGET (default: local machine)

#### WHAT_IS_THE_TARGET
```sh
-t WHAT_IS_THE_TARGET # 6.3.3
```

Next, you need to tell your computer what the target is. You add this information after the `-t` flag. Without the `-t` flag, by default, InSpec will execute the selected profile against your local system. However, we are often trying to run tests against a remote target. You could test a Virtual Machine, you could test a Docker container, or more. You could also specify different protocols to connect to that machine via SSH, WinRM, or more. For example `-t ssh://user-name@host-name:port` or `-t docker://instance-id`. We will talk more about these options later.

#### EXTRA_STUFF
### 6.3.4 EXTRA_STUFF (optional)

```sh
--more-flags EXTRA_STUFF # 6.3.4
```

There are MANY more options that you can specify when running the InSpec command. The next most common one is specifying inputs for your profile, for example `--input-file /path/to/inputs.yml` where you can add inputs that tailor the profile to your environment's needs. You can find more information on inputs in the [Tailoring Inputs](./07) section.

#### WHAT_SHOULD_INSPEC_DO_WITH_THE_RESULTS
### 6.3.5 WHAT_SHOULD_INSPEC_DO_WITH_THE_RESULTS (default: cli)

```sh
--reporter WHAT_SHOULD_INSPEC_DO_WITH_THE_RESULTS # 6.3.5
```

And of course, you probably want to see the results. You can specify where those results are displayed or saved based on what you enter after the `--reporter` flag at the end of your command. For example, the following would print the results on the command line and save it to a file (by creating or overwriting) the file at /path/to/results.json: `--reporter cli json:/path/to/results.json`. If you do not add this information, the command will default to providing results on the command line, but it will not save those into a file unless you specify the `--reporter` flag like the example.

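Review bot: the new multi-line breakdown (`inspec exec WHERE_IS_THE_PROFILE # 6.3.1 & 6.3.2` through `--reporter WHAT_SHOULD_INSPEC_DO_WITH_THE_RESULTS # 6.3.5`) sits in a `sh` fence but has no line continuations, so a reader who pastes it runs `-t WHAT_IS_THE_TARGET` and the following lines as separate commands; either move the section references out of the fence into the prose and end each line with `\`, or tag the fence `text` so it reads as a diagram rather than a command. The one-line formula just above it also switches to `<profile>` / `<target>` placeholders while the breakdown keeps `WHERE_IS_THE_PROFILE` / `WHAT_IS_THE_TARGET`; one placeholder style would let readers map the two. Two smaller points in the same hunk: the 6.3.2 paragraph changes "you must give the location" to "you can give the location" although the heading now says `(required)`, so "must" should stay; and that paragraph runs straight into `### 6.3.3 WHAT_IS_THE_TARGET (default: local machine)` with no blank line, unlike every other heading in the file.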
Expand Down Expand Up @@ -115,7 +142,7 @@ Note that if you do not provide one of the required flags in the InSpec exec com
| No --reporter flag | Prints results to the terminal on the InSpec runner machine |
:::

### 6.3 How to Deploy InSpec
## 6.4 How to Deploy InSpec

It is intended and recommended that InSpec be installed on a "runner" host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) and run against the target remotely. However, InSpec may be deployed in [various ways](https://saf.mitre.org/faq/7) depending on the needs of the user:

6 changes: 3 additions & 3 deletions src/courses/user/07.md
Expand Up @@ -6,7 +6,7 @@ author: Aaron Lippold
headerDepth: 3
---

## 7. What are inputs and why do I need them?
## 7.1 What are inputs and why do I need them?

Every InSpec profile on the SAF site is written to comply with specific security guidance. However, every team's environment may be slightly different. For example, the path to a file may vary between environments, or the list of permitted users for a certain system may differ.

Expand All @@ -16,7 +16,7 @@ To accommodate these differences, InSpec profiles utilize inputs. In the previou
It is best practice to always run profiles with inputs so that the profile is properly tailored to your environment.
:::

## 7.1 Profile Inputs (see `inspec.yml` file)
## 7.2 Profile Inputs (see `inspec.yml` file)

This profile uses InSpec Inputs to make the tests more flexible. You can provide inputs at runtime either via the CLI or via YAML files to help the profile work best in your deployment.

Expand All @@ -32,7 +32,7 @@ To tailor the tested values for your deployment or organizationally defined valu

More information about InSpec inputs can be found in the [InSpec Inputs Documentation](https://docs.chef.io/inspec/inputs/).

## 7.2 Use an `--input-file` to tailor an InSpec profile
## 7.3 Use an `--input-file` to tailor an InSpec profile

For the NGINX example, we are going to add the following inputs. Make a new file called `inputs.yml` in your lab environment:

12 changes: 6 additions & 6 deletions src/courses/user/08.md
Expand Up @@ -6,9 +6,9 @@ author: Aaron Lippold
headerDepth: 3
---

## 8. Run InSpec - NGINX Example
## 8.1 Run InSpec - NGINX Example

### 8.1. Example Running an InSpec Profile Directly from GitHub
### 8.2 Example Running an InSpec Profile Directly from GitHub

In this module, we use NGINX for learning purposes. If you're interested in NGINX specifically, you may be interested in the [MITRE nginx-stigready-baseline](https://github.com/mitre/nginx-stigready-baseline) profile on GitHub.

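Review bot: the numbering scheme here differs from 04.md through 07.md in the same commit. There, renumbered subsections were promoted to `##`; here `### 8.1. Example Running an InSpec Profile Directly from GitHub` becomes `### 8.2 ...` and stays at H3, so 8.2, 8.3 and 8.4 are numbered as siblings of `## 8.1 Run InSpec - NGINX Example` while still nesting under it in the rendered outline (09.md and 10.md follow this second pattern). Pick one approach for all chapters; dropping the stray trailing period from `8.1.` is a good fix either way.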
Expand All @@ -22,7 +22,7 @@ Sometimes, there are multiple profiles available for the same software component
If you see multiple profiles available and are unsure which to use, read the READMEs in each to see what guidance they are based on to understand what is most useful for your situation. You can also run multiple profiles and compare the results to see which is more informative for your assessment. Lastly, you can always reach out to <[email protected]> if you have more questions.
:::

### 8.2 Forming the InSpec Command
### 8.3 Forming the InSpec Command

- Since we are using the profile from GitHub, we will use the GitHub link `https://github.com/mitre/nginx-stigready-baseline` to specify the profile.
- Because we are using a Docker container that is running in our lab environment, we can specify the target as `-t docker://nginx`.
Expand All @@ -35,11 +35,11 @@ To execute this command to run the GitHub profile on your target system, run thi
inspec exec https://github.com/mitre/nginx-stigready-baseline -t docker://nginx --input-file inputs.yml --reporter cli json:./results/nginx_vanilla_results.json
```

### 8.3 Run the Command
### 8.4 Run the Command

Enter the command from the previous step in your terminal and press enter. It will take a moment to start running.

#### 8.3.1 CLI (Command Line) Results
#### 8.4.1 CLI (Command Line) Results

You should see output similar to that below. The whole profile should execute in only a couple minutes.

Expand Down Expand Up @@ -77,7 +77,7 @@ Test Summary: 137 successful, 91 failures, 55 skipped
You see that many of the tests pass, while others fail and may require investigation.
#### 8.3.2 Results saved to a file
#### 8.4.2 Results saved to a file
You should also see your results in a JSON file located in `/results` folder with the name that you specified in the command, for example `nginx_vanilla_results.json`. If you are using the lab environment GitHub codespaces, you should see it on the left of your screen under files. Right-click that file and click "Download" so that you have this file locally for the next steps.
![The Results Folder](../../assets/img/ResultsFolder.png)
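Review bot: the results paragraph says the JSON file is "located in `/results` folder", but the command above writes it to `json:./results/nginx_vanilla_results.json`, a `results` directory relative to the working directory rather than the filesystem root; the text should say `./results` (or "the `results` folder in your workspace") so readers look in the right place. The same paragraph still says "GitHub codespaces" while the 06.md changes in this commit standardize on "GitHub Codespaces". Also, `#### 8.4.2 Results saved to a file`, the paragraph after it and the `![The Results Folder]` image have no blank lines between them, so the image line is treated as a continuation of the paragraph; a blank line before the heading and before the image would match the rest of the file.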
8 changes: 4 additions & 4 deletions src/courses/user/09.md
Expand Up @@ -6,29 +6,29 @@ author: Aaron Lippold
headerDepth: 3
---

## 9. Visualize - MITRE Heimdall
## 9.1 Visualize - MITRE Heimdall

Now we want to see our results in a more meaningful way!

![The Visualize Capability](../../assets/img/SAF_Capabilities_Visualize.png)

Navigate to our online version of the Heimdall application, the visualization tool, [Heimdall Lite](https://heimdall-lite.mitre.org/).

### 9.1 Upload Results
### 9.2 Upload Results

Click on the `Upload` button, navigate to your JSON output file that you saved from the previous step, select that file, and then click open.

This will allow you to view the InSpec results in Heimdall.

![Loading Data Into Heimdall](../../assets/img/Heimdall_Load.png)

### 9.2 Visualize Results
### 9.3 Visualize Results

Your visualization should look similar to the following:

![Visualizing NGINX](../../assets/img/Heimdall_NGINX_Vanilla_With_Inputs.png)

### 9.3 Explore Heimdall
### 9.4 Explore Heimdall

Heimdall allows you to see a lot of different information based on the available data. See if you can find the following information from your uploaded results!

15 changes: 8 additions & 7 deletions src/courses/user/10.md
Expand Up @@ -6,23 +6,23 @@ author: Aaron Lippold
headerDepth: 3
---

## 10. From "Plan" to "Validate" to "Visualize" to "Harden"
## 10.1 From "Plan" to "Validate" to "Visualize" to "Harden"

Finally! We get to secure the software. After starting with a plan, then seeing the requirements and current state through validation and visualiztion, let's harden the component and revalidate it after the changes.

![The Harden Capability](../../assets/img/SAF_Capabilities_Harden.png)

### 10.1 Find the hardening content
### 10.2 Find the hardening content

Remember when you perused the hardening content on the SAF site when we talked about the "Plan" pillar? This is where we will find automated content for configuring a software component to some guidance. In this case, we will use the NGINX Stigready Content on the [saf hardening page](https://saf.mitre.org/#/harden).

![The SAF Hardening Page](../../assets/img/SAF_Site_Harden.png)

You could peruse this GitHub repository, including the README and inputs to find out more information, but for this training, we have put any preparation needed for running this hardening content into a pre-script.

### 10.2 Prepare your Codespaces to run the hardening script
### 10.3 Prepare your Codespaces to run the hardening script

Just like we saw some requirements for running an InSpec scan, there are also some requirements to run the hardening script on the NGINX container in your Codespaces. We are going to run another setup script for those.
Just like we saw some requirements for running an InSpec scan, there are also some requirements to run the hardening script on the NGINX container in your Codespaces. We are going to run another setup script for those.

In your Codespace terminal from your main workspace directory, run the following commands:

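Review bot: the two `Just like we saw some requirements for running an InSpec scan...` lines are identical in the rendered diff, so this is a whitespace-only change (most likely trailing whitespace); harmless, but since the file is being edited anyway, the typo `visualiztion` in the unchanged line `...seeing the requirements and current state through validation and visualiztion...` should be corrected to `visualization` in the same commit.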
Expand All @@ -34,23 +34,24 @@ This command will make sure that the NGINX docker container has the required sof

![After Running the Hardening Tools Script](../../assets/img/Codespaces_Hardening_Files.png)


### 10.3 CLI Results of Hardening Script
### 10.4 CLI Results of Hardening Script

You should see the following results from the hardening script. If you run this hardening content multiple times, the numbers in the results may be different because the starting configuration will be different and the script will not have to change the same numbers of settings.

::: note
::: note
Make sure you are in the ansible content's directory before running the following command. You can run the command
`cd ansible-nginx-stigready-hardening`
to enter the directory. That means your current working directory path will look something like `/workspaces/saf-training-lab-environment/ansible-nginx-stigready-hardening` with variation if you named your repository differently in the lab setup.
:::

Run this command:

```sh
ansible-playbook -i hosts.yml hardening-playbook.yml
```

To see the following results:

```sh
ansible-playbook -i hosts.yml hardening-playbook.yml
[WARNING]: Ansible is being run in a world writable directory (/workspaces/saf-training-lab-environment/ansible-nginx-stigready-hardening), ignoring
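Review bot: the `::: note` replacement in this hunk is also whitespace-only and the double blank line before `### 10.4 CLI Results of Hardening Script` is reduced to one; both are fine. One style point: `ansible-playbook -i hosts.yml hardening-playbook.yml` appears twice, once as the command to run and again as the first line of the results block, and that results block is fenced as `sh` although it contains the `[WARNING]: Ansible is being run in a world writable directory ...` output rather than commands; tagging the output fence `text` would stop readers from pasting the warning back into a shell.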