
Options for automating manual ESXi Inspec checks. #111

Open
pstearns opened this issue Nov 21, 2022 · 1 comment
Labels: enhancement (New feature or request), inspec

Comments

pstearns commented Nov 21, 2022

Is your feature request related to a problem? Please describe.

There are several ESXi inspec checks that are currently skipped, most of which are due to them requiring the SSH transport versus the VMware transport.
Creating an SSH transport also has its complications because the built-in ssh transport only includes Unix and Windows. Since ESXi detects as ESX, ssh fails due to the backend.

Describe the solution you'd like

To allow the default SSH transport to accept ESX:
I updated the inspec-core files to include the ESX platform and vmkernel OS.
For my setup these files were located under:
./inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-5.18.14/lib/inspec/resources
Anywhere there was a 'supports platform: "unix"' line, I added a 'supports platform: "esx"' line.

    supports platform: "unix"
    supports platform: "esx"
    supports platform: "windows"

    grep -rn '/opt/inspec/embedded/lib/ruby/gems/2.7.0/gems/' -e 'supports platform: "unix"'

Additionally, anywhere os.linux? was called I added an "or os.vmkernel?":

    if os.linux? || os.vmkernel?

or

    if os.unix? || os.vmkernel?

While not all files needed to be updated, these are the ones I modified.

./inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-5.18.14/lib/inspec/resources/bash.rb
./inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-5.18.14/lib/inspec/resources/parse_config.rb
./inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-5.18.14/lib/inspec/resources/command.rb
./inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-5.18.14/lib/inspec/resources/directory.rb
./inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-5.18.14/lib/inspec/resources/mount.rb
./inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-5.18.14/lib/inspec/resources/file.rb
./inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-5.18.14/lib/inspec/resources/filesystem.rb
./inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-5.18.14/lib/inspec/resources/gem.rb
./inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-5.18.14/lib/inspec/resources/groups.rb
./inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-5.18.14/lib/inspec/resources/users.rb
./inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-5.18.14/lib/inspec/resources/users.rb
./inspec/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-4.56.20/lib/inspec/resources/bash.rb

Run a secondary Inspec profile with the ssh controls:
Once the default SSH transport would connect to the ESX platform:
Created a secondary ESX profile containing the controls that need ssh.
Updated these RBs to run ssh commands.
Created a ps1 wrapper that runs both the ESX profile and the ESX-SSH profile and then combines them. Since we are outputting to ckl files, I just used the ckl files' XML to combine, then resaved the ckl.

Not the most elegant way but it helps cover the extra manual items.
I am currently working on reevaluating the other manual items for automation methods.

Describe alternatives you've considered

Rather than modifying the default inspec-core files, it may be possible to create a custom train that could be used for SSH to ESX.

Additional context

One reason I stuck with the ps1 wrapper was that we need individual CKL files for each ESXi server.
My wrapper script does the following:

  • Connects to the vCenter and for each ESX
  • Runs Inspec profiles ESX and ESX-SSH
  • Outputs CKL file for each profile
  • Merges ESX and ESX-SSH CKLs
  • Updates CKL Asset information
  • Outputs one CKL file

Thanks to @HerbBoy's work on ANSIBLE additions. I hope to add an option in the script to remediate any open findings leveraging Ansible, similar to what I did on the VCSA side.
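The merge step of the wrapper described above (run the ESX and ESX-SSH profiles, combine their CKL XML, update the asset information, write one CKL) can be shown in code. The following is an added example and not the author's ps1 wrapper or anything from the project; it is written in Ruby with the standard-library REXML parser so it runs without InSpec installed. It assumes the usual STIG Viewer checklist layout (CHECKLIST/ASSET with HOST_NAME, HOST_IP and HOST_FQDN; VULN elements identified by a STIG_DATA pair whose VULN_ATTRIBUTE is Vuln_Num, with STATUS, FINDING_DETAILS and COMMENTS children); the two sample checklists are constructed, the V-numbers are placeholders, and the `overwrite:` option is my addition. The rule implemented is the one a practitioner would want when combining a transport-limited run with a second run: a finding from the ESX-SSH checklist only fills a slot the ESX checklist left as Not_Reviewed, findings the overlay itself did not review are ignored, and vulnerability IDs absent from the base checklist are skipped rather than appended.

```ruby
require "rexml/document"

# --- constructed sample checklists (not real STIG content) -------------------
def vuln_xml(id, status, details = "", comments = "")
  "<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>" \
  "<ATTRIBUTE_DATA>#{id}</ATTRIBUTE_DATA></STIG_DATA><STATUS>#{status}</STATUS>" \
  "<FINDING_DETAILS>#{details}</FINDING_DETAILS><COMMENTS>#{comments}</COMMENTS></VULN>"
end

def ckl_xml(vulns)
  "<?xml version=\"1.0\" encoding=\"UTF-8\"?><CHECKLIST><ASSET><HOST_NAME></HOST_NAME>" \
  "<HOST_IP></HOST_IP><HOST_FQDN></HOST_FQDN></ASSET><STIGS><iSTIG>#{vulns.join}</iSTIG></STIGS></CHECKLIST>"
end

# ESX profile (VMware transport) could not evaluate V-000002; ESX-SSH profile
# answers only V-000002 and carries V-000099, which the base checklist lacks.
ESX_CKL = ckl_xml([vuln_xml("V-000001", "NotAFinding", "checked through the VMware transport"),
                   vuln_xml("V-000002", "Not_Reviewed")])
ESX_SSH_CKL = ckl_xml([vuln_xml("V-000001", "Not_Reviewed"),
                       vuln_xml("V-000002", "Open", "checked over SSH: value not as required", "ESX-SSH profile"),
                       vuln_xml("V-000099", "Open")])

# --- helpers -----------------------------------------------------------------
def child_text(el, name)
  c = el.elements[name]
  c ? c.text.to_s : ""
end

def set_text(parent, name, value)
  (parent.elements[name] || parent.add_element(name)).text = value
end

# Map Vuln_Num => VULN element for every finding in a checklist document.
def index_vulns(doc)
  REXML::XPath.match(doc, "//VULN").each_with_object({}) do |v, h|
    id = v.elements.to_a("STIG_DATA").find { |sd| child_text(sd, "VULN_ATTRIBUTE") == "Vuln_Num" }
    h[child_text(id, "ATTRIBUTE_DATA")] = v if id
  end
end

# Fill Not_Reviewed findings in the base checklist from the overlay checklist.
# Returns [merged_document, list_of_vuln_ids_taken_from_overlay].
def merge_ckls(base_xml, overlay_xml, overwrite: false)
  base = REXML::Document.new(base_xml)
  base_index = index_vulns(base)
  merged = []
  index_vulns(REXML::Document.new(overlay_xml)).each do |id, ov|
    target = base_index[id]
    next unless target                                   # not in the base STIG: skip
    ov_status = child_text(ov, "STATUS")
    next if ov_status.empty? || ov_status == "Not_Reviewed"   # overlay had no answer
    next unless overwrite || ["", "Not_Reviewed"].include?(child_text(target, "STATUS"))
    %w[STATUS FINDING_DETAILS COMMENTS].each { |f| set_text(target, f, child_text(ov, f)) }
    merged << id
  end
  [base, merged]
end

# Stamp the per-host asset fields so each ESXi host gets its own CKL.
def update_asset(doc, host_name:, host_ip:, host_fqdn:)
  asset = doc.elements["CHECKLIST/ASSET"] || doc.root.add_element("ASSET")
  set_text(asset, "HOST_NAME", host_name)
  set_text(asset, "HOST_IP", host_ip)
  set_text(asset, "HOST_FQDN", host_fqdn)
  doc
end

def status_of(doc, id)
  v = index_vulns(doc)[id]
  v && child_text(v, "STATUS")
end

def to_ckl(doc)
  out = +""
  doc.write(out)
  out
end

if $PROGRAM_NAME == __FILE__
  doc, merged = merge_ckls(ESX_CKL, ESX_SSH_CKL)
  update_asset(doc, host_name: "esx01", host_ip: "192.0.2.10", host_fqdn: "esx01.example.invalid")
  puts "merged #{merged.join(', ')} from the ESX-SSH checklist"
  puts to_ckl(doc)   # in the wrapper this would be written to <host>.ckl
end
```

In a wrapper loop over hosts from vCenter, `merge_ckls` and `update_asset` run once per host with that host's two profile outputs; `overwrite: true` is only appropriate when the SSH profile is considered authoritative for every overlapping control, otherwise the default keeps whatever the ESX profile already determined.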

@pstearns pstearns added the enhancement New feature or request label Nov 21, 2022
pstearns (Author) commented

I got most of the automation mentioned above working in: https://github.com/pstearns/vSphere-STIG-Automation
After getting it to work I was trying to re-align my project back to the main but haven't had time to finish working on it.
https://github.com/pstearns/dod-compliance-and-automation/tree/custom-automation

@rlakey rlakey added the inspec label Mar 23, 2023