restructure profiles RFC document

2025-02-17 06:28:40 +00:00 · 2015-12-28 12:24:46 +01:00 · 2015-12-28 12:24:46 +01:00 · 95382b5363
commit 95382b5363
parent a97b05bfc6
1 changed files with 92 additions and 104 deletions
--- a/docs/profiles.rst
+++ b/docs/profiles.rst
@ -2,23 +2,103 @@
 InSpec Profiles
 =====================================================

-InSpec is a test and audit framework and enables you to quickly write rules. Just creating a simple `test.rb` is enough to run the test on a local or remove machine.
+InSpec supports the creation of complex test and compliance profiles, which organize controls to support dependency management and code re-use.

-.. code-block:: ruby
+InSpec profile structure
+-----------------------------------------------------

-  describe port(80) do
-    it { should_not be_listening }
-  end
-
-To run the test locally, just execute:
+To create a new profile just place the files according to the following structure:

 .. code-block:: bash

-  $ inspec exec test.rb
+  $ tree examples/profile
+  examples/profile
+  ├── README.md
+  ├── controls
+  │   ├── example_spec.rb
+  │   └── gordon_spec.rb
+  ├── libraries
+  │   └── gordon_config.rb
+  └── inspec.yml

-While this approach is very handy for quick tests, it has its limitation for a collection of tests. Once the amount of tests grows, we need mechanisms to organize our code and re-use existing rules.

-**Include rules of existing profile**
+ * `inspec.yml` - includes the profile description (required)
+ * `controls` - a folder which contains  all tests (required)
+ * `libraries` - a folder which contains InSpec resource extensions (optional)
+ * `README.md` - a best-practice readme to each explain the profile and its scope
+
+
+InSpec profile manifest
+-----------------------------------------------------
+
+Each profile has a manifest file `inspec.yml`. It looks as follows
+
+.. code-block:: yaml
+
+  name: ssh
+  title: Basic SSH
+  maintainer: Chef Software, Inc.
+  copyright: Chef Software, Inc.
+  copyright_email: support@chef.io
+  license: Proprietary, All rights reserved
+  summary: Verify that SSH Server and SSH Client are configured securely
+  version: 1.0.0
+
+
+A manifest description may contain the following values:
+
+ * `name` - Identifier of the profile (required)
+ * `title` - Human-readable name of the profile (optional)
+ * `maintainer` - Name of the profile maintainer (optional)
+ * `copyright` - Copyright holder (optional)
+ * `copyright_email` - Support contact for profile (optional)
+ * `license` - License of the profile (optional)
+ * `summary` - One-line summary of the profile (optional)
+ * `description` - Description of the profile (optional)
+ * `version` - Version of the profile (optional)
+
+
+InSpec profile verification
+-----------------------------------------------------
+
+InSpec ships with a verification command that verifies the implementation of a profile
+
+$ inspec check examples/profile
+
+
+InSpec profile archive
+-----------------------------------------------------
+
+Profiles are composed of multiple files. This hinders easy distribution of a profile. InSpec solves the problem by offering to collect all files in one archive.
+
+The InSpec profile archive format aims for flexibility and reuse of standard and common technologies:
+
+ * tar and gzip (default)
+ * zip
+ * HTTP
+
+This should enable third-parties to easily build InSpec profile archives:
+
+ * InSpec archives MUST be named with the stanard suffix
+ * InSpec archives MUST be a tar.gz or zip formatted file
+ * InSpec archives MUST have no duplicate entries
+ * InSpec archives MAY be compressed with gzip, bzip2, or xz.
+
+InSpec is able to create profile archive for you. By default it generates a tar-file on Unix and zip on Windows or Mac.
+
+.. code-block:: bash
+
+  # will generate a example-profile.tar.gz
+  $ inspec archive examples/profile
+
+  # will generate a example-profile.zip
+  $ inspec archive examples/profile --zip
+
+
+Profile inheritance
+-----------------------------------------------------
+
+**Include controls of existing profile**

 The `include_controls` keyword allows you to import all rules from an existing profile. This can be easily extended with additional rules.

@ -50,100 +130,8 @@ Sometimes, not all requirements can be fullfiled for a legacy application. To ma
 .. code-block:: bash

  require_controls 'cis-level-1' do
+
    control "cis-fs-2.1"
    control "cis-fs-2.2"
+
  end
-
-
-InSpec Profile Structure
-----------------------------------------------------
-
-To use a profile and their mechanisms, just place the files according to the following structure:
-
-.. code-block:: bash
-
-  $ tree examples/profile
-  examples/profile
-  ├── README.md
-  ├── controls
-  │   ├── example_spec.rb
-  │   └── gordon_spec.rb
-  ├── libraries
-  │   └── gordon_config.rb
-  └── inspec.yml
-
-
- * `inspec.yml` - includes the profile description (required)
- * `controls` - the directory includes all tests (required)
- * `libraries` - is an optional feature to load custom InSpec resource extensions (optional)
- * `README.md` - its best-practice to add a readme to each profile to explain its scope
-
-
-InSpec Profile Manifest
-----------------------------------------------------
-
-Each profile has a manifest file `inspec.yml`. It looks as follows
-
-.. code-block:: yaml
-
-  name: ssh
-  title: Basic SSH
-  maintainer: Chef Software, Inc.
-  copyright: Chef Software, Inc.
-  copyright_email: support@chef.io
-  license: Proprietary, All rights reserved
-  summary: Verify that SSH Server and SSH Client are configured securely
-  version: 1.0.0
-  supports:
-    - linux
-
-
-A manifest description may contain the following values:
-
- * `name` - Identifier of the profile (required)
- * `title` - Human-readable name of the profile (optional)
- * `maintainer` - Name of the profile maintainer (optional)
- * `copyright` - Copyright holder (optional)
- * `copyright_email` - Support contact for profile (optional)
- * `license` - License of the profile (optional)
- * `summary` - One-line summary of the profile (optional)
- * `description` - Description of the profile (optional)
- * `version` - Version of the profile (optional)
-
-
-InSpec Profile Verification
-----------------------------------------------------
-
-InSpec ships with a verification command that verifies the implementation of a profile
-
-$ inspec check examples/profile
-
-
-InSpec Profile Archive
-----------------------------------------------------
-
-Profiles are composed of multiple files. This hinders easy distribution of a profile. InSpec solves the problem by offering to collect all files in one archive.
-
-The InSpec profile archive format aims for flexibility and reuse of standard and common technologies:
-
- * tar and gzip (default)
- * zip
- * HTTP
-
-This should enable third-parties to easily build InSpec profile archives:
-
- * InSpec archives MUST be named with the stanard suffix
- * InSpec archives MUST be a tar.gz or zip formatted file
- * InSpec archives MUST have no duplicate entries
- * All files in the archive MUST maintain all of their original properties (like timestamps, Unix modes, and extended attributes (xattrs))
- * InSpec archives MAY be compressed with gzip, bzip2, or xz.
-
-InSpec allows you to generating a profile archive for you. By default it generates a tarbal on Unix and zip on Windows and Mac.
-
-.. code-block:: bash
-
-  # will generate a example-profile.tar.gz
-  $ inspec archive examples/profile
-
-  # will generate a example-profile.zip
-  $ inspec archive examples/profile -zip