2

I am using inspec to verify some AMIs that I am building, and in the main I want the controls in the profile to run as a normal user so I can test as a standard user would see things.

However, there are a couple of controls that I want to run as root (sudo) to check things like services.

I know I can pass --sudo to the exec command, but that runs the whole profile as sudo. Is it possible to elevate a single control? (You would use become in Ansible.) Or do I need to write two profiles and execute them independently?

apr_1985

2 Answers

1

Hmm, if it's just a single control, couldn't you just use su -l USERNAME -c COMMAND and capture the output? Might not be ideal to use the command resource, but this would give you access to the user's environment, i.e.:

root@machine:~# su -l ubuntu -c env
shaftdiesel
0

You can use the method below to run sudo commands remotely via Chef InSpec:

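# Locate .mysql_history on the remote host; find runs under sudo over SSH
history_file = `ssh -o StrictHostKeyChecking=no -tt #{input('host')} sudo find / -name '.mysql_history'`.strip

# List the file that was found, again under sudo
file_check = `ssh -o StrictHostKeyChecking=no -tt #{input('host')} sudo ls -l #{history_file}`.strip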
Jeremy Caney