Updating Beginner Class 11-07-2023 (#51)

* adding updated of beginner class through section 6 Signed-off-by: Emily Rodriguez <[email protected]> * adding alt text to images Signed-off-by: wdower <[email protected]> * clarifying why rspec is useful Signed-off-by: wdower <[email protected]> * update control so it passes and update input file info Signed-off-by: Emily Rodriguez <[email protected]> --------- Signed-off-by: Emily Rodriguez <[email protected]> Signed-off-by: wdower <[email protected]> Co-authored-by: wdower <[email protected]>
mitre · Nov 8, 2023 · df64c19 · df64c19
1 parent 6a3b592
commit df64c19
Show file tree

Hide file tree

Showing 7 changed files with 254 additions and 101 deletions.
diff --git a/courses/beginner/03.md b/courses/beginner/03.md
@@ -47,13 +47,11 @@ tree my_nginx
 ```
 @tab Expected Output - my_nginx folder structure
 ```
-      my_nginx
-      ├── README.md
-      ├── controls
-      │   └── example.rb
-      └── inspec.yml
-
-      2 directories, 3 files
+my_nginx
+├── README.md
+├── controls
+│   └── example.rb
+└── inspec.yml
 ```
 :::
 

diff --git a/courses/beginner/04.md b/courses/beginner/04.md
@@ -71,7 +71,7 @@ The [InSpec shell](https://www.inspec.io/docs/reference/shell/) enables you to e
 You are not required to use the InSpec shell to develop your profiles, but some users (including this course's instructors) find the InSpec shell to be a useful way to get immediate feedback and explore what's available. You can also use the InSpec shell to debug your tests; the shell lets you write and execute `describe` blocks in-line.
 
 ::: details What is the InSpec Shell?
-InSpec shell is based on a tool called `pry`. `pry` is an interactive debugging environment for Ruby and is one of the Ruby developer's weapons against bugs.
+InSpec shell is based on a tool called `pry`. [`pry`](https://github.com/pry/pry) is an interactive debugging environment for Ruby.
 :::
 
 ### Entering the InSpec shell
@@ -155,10 +155,11 @@ inspec> help resources
          ...
          - file
          ...
-         - xml
-         - yaml
-         - yum
-         - yumrepo
+        - xml
+        - yaml
+        - yum
+        - zfs_dataset
+        - zfs_pool
 ```
 :::
 
@@ -354,22 +355,26 @@ nginx.methods
 
 Run `nginx.version` to see what result you get.
 
-```ruby
-nginx.version
-```
-
 ::: warning Expected Error Ahead 
 
 Recall that you're working on your workstation  environment, which does not have NGINX installed. 
 
 :::
 
+::: code-tabs#shell
+
+@tab Command - nginx version
 ```ruby
-inspec> nginx.version
+nginx.version
+```
 
-        NoMethodError: undefined method `[]' for nil:NilClass
-        from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.0.17/lib/resources/nginx.rb:39:in `block (2 levels) in <class:Nginx>'
+@tab Output - nginx version
+```ruby
+inspec> nginx.version
+NoMethodError: undefined method `[]' for nil:NilClass
+from /opt/inspec/embedded/lib/ruby/gems/2.4.0/gems/inspec-2.0.17/lib/resources/nginx.rb:39:in `block (2 levels) in <class:Nginx>'
 ```
+:::
 
 We can verify this with Inspec by running the following command:
 
@@ -393,7 +398,7 @@ We can instead run InSpec shell commands against the **target that does have NGI
 To do so, first start by exiting your InSpec shell session.
 
 ```
-inspec> exit
+exit
 ```
 
 Run `docker ps` to see the running docker containers in your development lab environment that we can test:
@@ -439,7 +444,7 @@ You are currently running on:
 
     Name:      debian
     Families:  debian, linux, unix, os
-    Release:   11.6
+    Release:   12.2
     Arch:      x86_64
 ```
 :::
@@ -478,7 +483,7 @@ nginx.version
 @tab Output - version
 ```
 inspec> nginx.version
-=> "1.23.3"
+=> "1.25.3"
 ```
 :::
 
@@ -527,7 +532,7 @@ Use the `file` resource to check whether the NGINX configuration file is owned b
 
 @tab Command - file methods
 ```sh
-inspec> file('/tmp').class.superclass.instance_methods(false).sort
+file('/tmp').class.superclass.instance_methods(false).sort
 ```
 
 @tab Output - file methods
@@ -561,7 +566,7 @@ To check whether shell access has been provided to non-admin users, because we w
 
 @tab Command - users methods
 ```sh
-inspec> users.class.superclass.instance_methods(false).sort
+users.class.superclass.instance_methods(false).sort
 ```
 
 @tab Output - users methods
@@ -592,5 +597,5 @@ inspec> users.class.superclass.instance_methods(false).sort
 Exit the InSpec shell session with the `exit` command.
 
 ```sh
-inspec> exit
+exit
 ```
diff --git a/courses/beginner/05.md b/courses/beginner/05.md
@@ -55,16 +55,24 @@ The test has an impact of 1.0, meaning it is most critical. A failure might indi
 
 Next, run `inspec exec` to execute the profile on the remote target.
 
+::: code-tabs#shell
+
+@tab Command - req 1
 ```sh
-inspec exec /root/my_nginx -t docker://DOCKER_CONTAINER_ID
+inspec exec ./my_nginx -t docker://nginx
 ```
 
-This will ouput:
+@tab Generic Command - req 1
+```sh
+inspec exec /root/my_nginx -t docker://{DOCKER_CONTAINER_ID or DOCKER_CONTAINER_NAME}
+```
 
+@tab Output - req 1
 ```sh
   Profile: InSpec Profile (my_nginx)
   Version: 0.1.0
   Target:  docker://DOCKER_CONTAINER_ID
+  Target ID: TARGET_ID
 
     ✔  nginx-version: NGINX version
        ✔  Nginx Environment version should cmp >= "1.10.3"
@@ -74,6 +82,8 @@ This will ouput:
   Test Summary: 1 successful, 0 failures, 0 skipped
 ```
 
+:::
+
 You see that the test passes.
 
 ### Requirement (2) - NGINX Modules are Installed
@@ -103,16 +113,24 @@ The second control resembles the first; however, this version uses multiple `its
 
 Run `inspec exec` on the target.
 
+::: code-tabs#shell
+
+@tab Command - req 2
 ```sh
-$ inspec exec /root/my_nginx -t docker://DOCKER_CONTAINER_ID
+inspec exec ./my_nginx -t docker://nginx
 ```
-Which again, will output:
 
+@tab Generic Command - req 2
 ```sh
+inspec exec /root/my_nginx -t docker://{DOCKER_CONTAINER_ID or DOCKER_CONTAINER_NAME}
+```
 
+@tab Output - req 2
+```sh
   Profile: InSpec Profile (my_nginx)
   Version: 0.1.0
   Target:  docker://DOCKER_CONTAINER_ID
+  Target ID: TARGET_ID
 
     ✔  nginx-version: NGINX version
        ✔  Nginx Environment version should cmp >= "1.10.3"
@@ -126,6 +144,8 @@ Which again, will output:
   Test Summary: 4 successful, 0 failures, 0 skipped
 ```
 
+:::
+
 This time, both controls pass.
 
 ### Requirement (3) - The `nginx_conf` file
@@ -147,23 +167,36 @@ end
 
 Run `inspec exec` on the target.
 
+::: code-tabs#shell
+
+@tab Command - req 3
 ```sh
-$ inspec exec /root/my_nginx -t docker://DOCKER_CONTAINER_ID
+inspec exec ./my_nginx -t docker://nginx
 ```
 
-Which will output:
-
+@tab Generic Command - req 3
 ```sh
-  Profile: InSpec Profile (my_nginx)
-  Version: 0.1.0
-  Target:  docker://DOCKER_CONTAINER_ID
-
-    ...
-    ✔  nginx-conf-file: NGINX configuration file
-        ✔  File /etc/nginx/nginx.conf is expected to be file
-
+inspec exec /root/my_nginx -t docker://{DOCKER_CONTAINER_ID or DOCKER_CONTAINER_NAME}
+```
 
-Profile Summary: 3 successful control, 0 control failures, 0 controls skipped
+@tab Output - req 3
+```sh
+Profile:   InSpec Profile (my_nginx)
+Version:   0.1.0
+Target:  docker://DOCKER_CONTAINER_ID
+Target ID: TARGET_ID
+
+  ✔  nginx-version: NGINX version
+     ✔  Nginx Environment version is expected to cmp >= "1.10.3"
+  ✔  nginx-modules: NGINX modules
+     ✔  Nginx Environment modules is expected to include "http_ssl"
+     ✔  Nginx Environment modules is expected to include "stream_ssl"
+     ✔  Nginx Environment modules is expected to include "mail_ssl"
+  ✔  nginx-conf-file: NGINX configuration file
+     ✔  File /etc/nginx/nginx.conf is expected to be file
+
+
+Profile Summary: 3 successful controls, 0 control failures, 0 controls skipped
 Test Summary: 5 successful, 0 failures, 0 skipped
 ```
 
@@ -199,31 +232,48 @@ The first 2 tests use `should` to verify the `root` owner and group. The last 3
 
 Run `inspec exec` on the target.
 
+::: code-tabs#shell
+
+@tab Command - req 4
 ```sh
-$ inspec exec /root/my_nginx -t docker://DOCKER_CONTAINER_ID
+inspec exec ./my_nginx -t docker://nginx
 ```
 
-Again, outputting:
-
+@tab Generic Command - req 4
 ```sh
-  Profile: InSpec Profile (my_nginx)
-  Version: 0.1.0
-  Target:  docker://DOCKER_CONTAINER_ID
-
-    ...
-    ×  nginx-conf-perms: NGINX configuration (1 failed)
-       ✔  File /etc/nginx/nginx.conf should be owned by "root"
-       ✔  File /etc/nginx/nginx.conf should be grouped into "root"
-       ×  File /etc/nginx/nginx.conf should not be readable by others
-       expected File /etc/nginx/nginx.conf not to be readable by others
-       ✔  File /etc/nginx/nginx.conf should not be writable by others
-       ✔  File /etc/nginx/nginx.conf should not be executable by others
-
+inspec exec /root/my_nginx -t docker://{DOCKER_CONTAINER_ID or DOCKER_CONTAINER_NAME}
+```
 
-  Profile Summary: 3 successful controls, 1 control failure, 0 controls skipped
-  Test Summary: 9 successful, 1 failure, 0 skipped
+@tab Output - req 4
+```sh
+Profile: InSpec Profile (my_nginx)
+Version: 0.1.0
+Target:  docker://DOCKER_CONTAINER_ID
+Target ID: TARGET_ID
+
+  ✔  nginx-version: NGINX version
+     ✔  Nginx Environment version is expected to cmp >= "1.10.3"
+  ✔  nginx-modules: NGINX modules
+     ✔  Nginx Environment modules is expected to include "http_ssl"
+     ✔  Nginx Environment modules is expected to include "stream_ssl"
+     ✔  Nginx Environment modules is expected to include "mail_ssl"
+  ✔  nginx-conf-file: NGINX configuration file
+     ✔  File /etc/nginx/nginx.conf is expected to be file
+  ×  nginx-conf-perms: NGINX configuration (1 failed)
+     ✔  File /etc/nginx/nginx.conf is expected to be owned by "root"
+     ✔  File /etc/nginx/nginx.conf is expected to be grouped into "root"
+     ×  File /etc/nginx/nginx.conf is expected not to be readable by others
+     expected File /etc/nginx/nginx.conf not to be readable by others
+     ✔  File /etc/nginx/nginx.conf is expected not to be writable by others
+     ✔  File /etc/nginx/nginx.conf is expected not to be executable by others
+
+
+Profile Summary: 3 successful controls, 1 control failure, 0 controls skipped
+Test Summary: 9 successful, 1 failure, 0 skipped
 ```
 
+:::
+
 This time you see a failure. You discover that `/etc/nginx/nginx.conf` is potentially readable by others. Because this control also has an impact of 1.0, your team may need to investigate further.
 
 ### Requirement (5) - NGINX shell access
@@ -245,29 +295,61 @@ end
 
 Run `inspec exec` on the target.
 
+::: code-tabs#shell
+
+@tab Command - req 5
 ```sh
-$ inspec exec /root/my_nginx -t docker://DOCKER_CONTAINER_ID
+inspec exec ./my_nginx -t docker://nginx
 ```
 
-Which will output:
-
+@tab Generic Command - req 5
 ```sh
-  Profile: InSpec Profile (my_nginx)
-  Version: 0.1.0
-  Target:  docker://DOCKER_CONTAINER_ID
-
-    ...
-    ✔  nginx-conf-file: NGINX configuration file
-        ✔  File /etc/nginx/nginx.conf is expected to be file
-
+inspec exec /root/my_nginx -t docker://{DOCKER_CONTAINER_ID or DOCKER_CONTAINER_NAME}
+```
 
-Profile Summary: 3 successful control, 2 control failures, 0 controls skipped
+@tab Output - req 5
+```sh
+Profile: InSpec Profile (my_nginx)
+Version: 0.1.0
+Target:  docker://DOCKER_CONTAINER_ID
+Target ID: TARGET_ID
+
+  ✔  nginx-version: NGINX version
+     ✔  Nginx Environment version is expected to cmp >= "1.10.3"
+  ✔  nginx-modules: NGINX modules
+     ✔  Nginx Environment modules is expected to include "http_ssl"
+     ✔  Nginx Environment modules is expected to include "stream_ssl"
+     ✔  Nginx Environment modules is expected to include "mail_ssl"
+  ✔  nginx-conf-file: NGINX configuration file
+     ✔  File /etc/nginx/nginx.conf is expected to be file
+  ×  nginx-conf-perms: NGINX configuration (1 failed)
+     ✔  File /etc/nginx/nginx.conf is expected to be owned by "root"
+     ✔  File /etc/nginx/nginx.conf is expected to be grouped into "root"
+     ×  File /etc/nginx/nginx.conf is expected not to be readable by others
+     expected File /etc/nginx/nginx.conf not to be readable by others
+     ✔  File /etc/nginx/nginx.conf is expected not to be writable by others
+     ✔  File /etc/nginx/nginx.conf is expected not to be executable by others
+  ×  nginx-shell-access: NGINX shell access
+     ×  ["root"] is expected to be in "admin"
+     expected `["root"]` to be in the list: `["admin"]` 
+     Diff:
+      ["root"]
+
+
+Profile Summary: 3 successful controls, 2 control failures, 0 controls skipped
 Test Summary: 9 successful, 2 failures, 0 skipped
 ```
 
+:::
+
 
 Remember, the first step, detect, is where you identify where the problems are so that you can accurately assess risk and prioritize remediation actions. 
 
 For the second step, correct, you can use a configuration management tool or some other automation framework to correct compliance failures for you. 
 
-You won't correct this issue in this module, but later you can check out the [Integrated Compliance with Chef](https://learn.chef.io/tracks/integrated-compliance#/) track to learn more about how to correct compliance issues using Chef.
+You won't correct this issue in this module, but later you can check out the [Integrated Compliance with Chef](https://learn.chef.io/tracks/integrated-compliance#/) track to learn more about how to correct compliance issues using Chef.
+
+
+::: details The Target ID in the InSpec exec output
+The target_id in the reporter is the UUID generated by train to uniquely identify the target system/node. Reference the [PR that made this update](https://github.com/inspec/inspec/pull/5895)
+:::