InSpec, by Chef Software, is an open source command-line tool that can be used to audit many types of infrastructure against pre-defined security controls and benchmarks.
Profiles are used by the InSpec tool to scan an active instance of Docker EE, Universal Control Plane and Docker Trusted Registry and ensure that all of the components have been configured to meet applicable security requirements and baselines. We've included the following InSpec profiles for Docker EE:
- FedRAMP Moderate
- FedRAMP High
You can download the InSpec tool at https://www.inspec.io/downloads/. If you prefer, you can also use the official Docker image (`chef/inspec`) to execute an audit. Refer to the InSpec documentation for full CLI usage instructions.
Before you begin, you need to create a `profile-attribute.yml` file which contains your UCP and DTR login information. You can use the `profile-attribute.example.yml` file as an example.
You can then use the InSpec commands below to audit your cluster at a chosen baseline:

```shell
# Set correct directory
cd validation/inspec

# Audit cluster at FedRAMP Moderate baseline
inspec exec FedRAMP/Moderate --attrs profile-attribute.yml
```
We also maintain a Docker image that already includes our InSpec profiles and the InSpec CLI. If you prefer, you can use it as follows:

```shell
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$PWD":/share docker/compliance-inspec exec FedRAMP/Moderate --attrs profile-attribute.yml
```
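The following wrapper script is an added example, not part of this repository or of InSpec itself. It ties together the two ways of running an audit described above (the `inspec` CLI on the host, or the `docker/compliance-inspec` image) and the two profiles shipped here (`FedRAMP/Moderate` and `FedRAMP/High`). It assumes it is run from `validation/inspec` and refuses to start without `profile-attribute.yml`, since that file carries the UCP and DTR credentials the profiles need; the script name `audit.sh` and the `RUN_AUDIT` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the compliance repository's own code): a small wrapper
# around the audit commands shown on this page.
# Assumptions: run from validation/inspec, profile-attribute.yml is in the
# current directory, and the profiles are at FedRAMP/Moderate and FedRAMP/High.

# Map a baseline name to its profile path; reject anything unknown.
profile_for_baseline() {
  case "$1" in
    moderate|Moderate) echo "FedRAMP/Moderate" ;;
    high|High)         echo "FedRAMP/High" ;;
    *) echo "unknown baseline: $1 (use moderate or high)" >&2; return 1 ;;
  esac
}

# Build the audit command line without running it.
# $1 = baseline, $2 = "local" (inspec CLI on the host) or "docker"
# (the docker/compliance-inspec image with the Docker socket mounted).
audit_command() {
  profile=$(profile_for_baseline "$1") || return 1
  case "$2" in
    local)
      echo "inspec exec $profile --attrs profile-attribute.yml" ;;
    docker)
      echo "docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v \"\$PWD\":/share docker/compliance-inspec exec $profile --attrs profile-attribute.yml" ;;
    *) echo "unknown runner: $2 (use local or docker)" >&2; return 1 ;;
  esac
}

# Run the audit and report the InSpec exit status.
# Returns 2 when the attributes file is missing, 1 on bad arguments,
# otherwise the exit status of inspec itself (0 means every control passed).
run_audit() {
  baseline=${1:-moderate}
  runner=${2:-local}
  if [ ! -f profile-attribute.yml ]; then
    echo "profile-attribute.yml not found; copy profile-attribute.example.yml and fill in your UCP/DTR login details" >&2
    return 2
  fi
  cmd=$(audit_command "$baseline" "$runner") || return 1
  echo "running: $cmd"
  # eval so that the quoted "$PWD" in the docker variant is expanded by the
  # shell at run time, exactly as it would be when typed at a prompt.
  eval "$cmd"
  status=$?
  if [ "$status" -eq 0 ]; then
    echo "audit passed: all controls in the $baseline baseline are satisfied"
  else
    echo "audit finished with non-passing controls (inspec exit status $status); review the report" >&2
  fi
  return "$status"
}

# Only start an audit when explicitly asked, e.g.
#   RUN_AUDIT=1 sh audit.sh high docker
# so the functions can also be sourced without side effects.
if [ "${RUN_AUDIT:-0}" = "1" ]; then
  run_audit "$@"
fi
```

Keeping the command construction separate from execution means the exact `inspec`/`docker run` line is printed before anything runs, which is useful when the audit is wired into a CI job and the report has to be matched back to the baseline and runner that produced it.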