InspecTools on Offline Windows
The solution is a mixed bag of ansible and PowerShell for remediation and Chef
inspec for evaluation. I never worked with inspec so I looked it up and found that it's a Chef product, based on Ruby, that enables "Compliance as Code".
MITRE offers a complementary toolset InspecTools which helps generate STIG checklists, too.
InspecTools is a command-line and Ruby API of utilities, converters and tools for creating, converting and processing security baseline formats, results and data
Nice! If only I knew Ruby, this would go a whole lot faster 😅
Not only do I know nothing about Ruby, but whatever solution I go with has to work offline. Because being offline means that I can't grab dependencies as needed, I have to figure out how to package everything up neatly.
After some research, I discovered that there's no Ruby equivalent of PowerShell's
Save-Module which also saves dependencies. Bummer. In addition, I've been warned that Ruby on Windows is hellish. I know I've tried to install it in the past and just had so many path issues and often ran into
command not found.
Creating and subsequently securing a Linux VM just to run
inspec was not an option for me (because it's ludicrous), so I wanted to push through.
Setting up inspec and inspec_tools
I will say that one big upside to Chef's
inspec is that it comes with its own embedded version of Ruby. But we return to the downside this impacts environmental variables and I have zero clue where to start.
Thankfully, I have friends who did/do Ruby on Windows a whole lot and they gave me the magic that I needed to set my paths and get everything setup. Huuuuuuge thanks goes out to Glenn Sarti (Lord Sarti - Purveyor of Terraform Cloud Compliance - Killer of Pester Tests - Destroyer of Dreams) for figuring all of this out for me.
First, I added these environmental variables to my PowerShell
1$ENV:RUBYOPT = 'rubygems'
2$ENV:RUBY_DIR = 'C:\opscode\inspec\embedded'
3$ENV:GEM_PATH = 'C:\opscode\inspec\embedded\lib\ruby\gems\2.7.0\gems'
4$ENV:PATH = 'C:\opscode\inspec\embedded\bin;' + $ENV:PATH
Next, I updated
train to a newer version which has a bugfix for its VMware gem module then installed
1gem update train # out of the box, the train version for VMware is broken
2gem install inspec_tools
Gorgeous! This worked flawlessly.
Now to get
inspec) working offline, I can just zip up
C:\opscode, copy the required environmental variables to my profile and execute