InspecTools on Offline Windows

For those looking to ensure that their vSphere environments are DISA-compliant, VMware has created a pretty nice repo of tools which help address the nearly 500(!) compliance checks.

The solution is a mixed bag of Ansible and PowerShell for remediation and Chef inspec for evaluation. I had never worked with inspec, so I looked it up and found that it's a Chef product, based on Ruby, that enables "Compliance as Code".

MITRE offers a complementary toolset, InspecTools, which helps generate STIG checklists, too.

InspecTools is a command-line and Ruby API of utilities, converters and tools for creating, converting and processing security baseline formats, results and data

Nice! If only I knew Ruby, this would go a whole lot faster 😅

Not only do I know nothing about Ruby, but whatever solution I go with has to work offline. Because being offline means that I can't grab dependencies as needed, I have to figure out how to package everything up neatly.

Solution

After some research, I discovered that there's no Ruby equivalent of PowerShell's Save-Module which also saves dependencies. Bummer. In addition, I've been warned that Ruby on Windows is hellish. I know I've tried to install it in the past and just had so many path issues and often ran into command not found.

Creating and subsequently securing a Linux VM just to run inspec was not an option for me (because it's ludicrous), so I wanted to push through.

Setting up inspec and inspec_tools

I will say that one big upside to Chef's inspec is that it comes with its own embedded version of Ruby. But we return to the downside: this impacts environmental variables, and I have zero clue where to start.

Thankfully, I have friends who did/do Ruby on Windows a whole lot and they gave me the magic that I needed to set my paths and get everything set up. Huuuuuuge thanks goes out to Glenn Sarti (Lord Sarti - Purveyor of Terraform Cloud Compliance - Killer of Pester Tests - Destroyer of Dreams) for figuring all of this out for me.

First, I added these environmental variables to my PowerShell $profile.

$ENV:RUBYOPT = 'rubygems'
$ENV:RUBY_DIR = 'C:\opscode\inspec\embedded'
$ENV:GEM_PATH = 'C:\opscode\inspec\embedded\lib\ruby\gems\2.7.0\gems'
$ENV:PATH = 'C:\opscode\inspec\embedded\bin;' + $ENV:PATH

Next, I updated train to a newer version, which has a bugfix for its VMware gem module, then installed inspec_tools.

gem update train # out of the box, the train version for VMware is broken
gem install inspec_tools

Gorgeous! This worked flawlessly.

Now to get inspec_tools (and inspec) working offline, I can just zip up C:\opscode, copy the required environmental variables to my profile and execute inspec_tools.
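
The zip-and-copy step above can be scripted so the offline machine checks the archive before unpacking it. This is an added example, not part of the original post: the script name `Move-Inspec.ps1`, the `-Mode` and `-Archive` parameters, and the `D:\transfer` location are assumptions, while the environment variables are the ones listed earlier.

```powershell
# Move-Inspec.ps1 (hypothetical name): added example, not from the original post.
param(
    [ValidateSet('Pack', 'Unpack')]
    [string]$Mode = 'Pack',
    [string]$Archive = 'D:\transfer\opscode.zip'   # assumed transfer location
)
$ErrorActionPreference = 'Stop'
$hashFile = "$Archive.sha256"

if ($Mode -eq 'Pack') {
    # Online machine: bundle the whole tree (embedded Ruby plus installed gems).
    Compress-Archive -Path 'C:\opscode' -DestinationPath $Archive -Force
    (Get-FileHash -Path $Archive -Algorithm SHA256).Hash | Set-Content -Path $hashFile
    return
}

# Offline machine: refuse to unpack an archive that changed in transit.
$expected = (Get-Content -Path $hashFile -TotalCount 1).Trim()
$actual = (Get-FileHash -Path $Archive -Algorithm SHA256).Hash
if ($actual -ne $expected) {
    throw "SHA256 mismatch for $Archive (expected $expected, got $actual)"
}
Expand-Archive -Path $Archive -DestinationPath 'C:\' -Force

# The profile lines from the post, appended only if not already present.
$profileLines = @'
$ENV:RUBYOPT = 'rubygems'
$ENV:RUBY_DIR = 'C:\opscode\inspec\embedded'
$ENV:GEM_PATH = 'C:\opscode\inspec\embedded\lib\ruby\gems\2.7.0\gems'
$ENV:PATH = 'C:\opscode\inspec\embedded\bin;' + $ENV:PATH
'@ -split "`r?`n"

if (-not (Test-Path -Path $PROFILE)) {
    New-Item -ItemType File -Path $PROFILE -Force | Out-Null
}
foreach ($line in $profileLines) {
    if (-not (Select-String -Path $PROFILE -SimpleMatch -Pattern $line -Quiet)) {
        Add-Content -Path $PROFILE -Value $line
    }
}

# Load the profile and confirm the command resolves inside the copied tree,
# not to some other Ruby installation earlier on PATH.
. $PROFILE
$resolved = (Get-Command inspec_tools).Source
if (-not $resolved.StartsWith('C:\opscode\', [StringComparison]::OrdinalIgnoreCase)) {
    Write-Warning "inspec_tools resolves to $resolved, outside C:\opscode"
}
```

A hash that travels alongside the archive only catches corruption; to detect tampering, carry the SHA256 value to the offline side by a separate channel and compare against that.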