I've also been looking at Inspec and it shows quite a bit of promise to fix a lot of the usability issues of the SSG project.

However, to be an integrated enhancement/replacement, it will need to go through the same level of rigor as the SSG checks.

Let's face it, while that rigor can be painful, it is at least validatable while Inspec is truly just whatever code you wish to run on a system.

I'd be a bit scared of running Inspec on production nodes since it's basically a root-level command and control system with almost nothing in the way of checks and balances.

That said, for validating demonstration frameworks, it may be useful if, and only if, the community content can become peer reviewed and concrete.

Thoughts about integrating it into the SSG project?

Trevor

On Sun, Mar 12, 2017 at 8:17 PM, <nevion@gmail.com> wrote:
Hi folks,

I've watched the project for a couple of years now and done some work with it.  I'm grateful many of you took the time to get SSG where it's at. Recently I came across chef.io's Inspec and I thought hey, this seems to solve alot of the engineering challenges the SSG project seems to have, especially with multi-distro support.
Github: https://github.com/chef/inspec
Product: https://www.chef.io/inspec/

Here are some of the benefits my eyes see:

* Content is centralized (less mutli-file editing for the same tests aka less XMHell :-)
* Content is encouraged to be less distribution specific but allowed to be as specific as it needs, and this is encouraged inside a module, meaning less versions are floating around in the codebase
* Declarative/Programmatic as opposed to Declaritive/document oriented - I'd say with the later case has led to somewhat awkward and hard write tests, in some cases
* Can test active configuration as well as configuration file state
* Looks significantly less verbose - as in saving 10x lines of sourcecode (not counting XML output) and developer productivity would be much higher
* and as a possible benefit, I wouldn't be surprised if tests ran much faster - though I have done no extensive tests to show this.

Most importantly I believe inspec could pave the way to all distros working off of a common and smaller codebase than the existing SSG implementation and be far less maintenance burden and as such I wanted to raise awareness and get a topic going on the ML.

Inspec doesn't seem compatible out right with openscap (or maybe it is - they have bidirectional oval/xccdf consumers/emitters), but it IS aiming to replace OVAL/XCCDF as something more sane and just plain old better for the tasks.  They also have tools for running it without scap tools involved of course so it doesn't have to lean on openscap et al, but for some people being seperate from SCAP tools is going to be a con and not a pro.
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org



--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --