CIS/DISA baselines & waivers
Prebuilt controls; documented exceptions.
You do not write CIS or DISA STIG controls from scratch — the community and vendors maintain InSpec profiles for the major standards, and you consume them. The CIS Benchmarks (Linux, Windows, Kubernetes, cloud) and the DISA STIGs have published or community InSpec profiles with hundreds of controls mapped to the standard’s rule IDs. You run the baseline against your systems, then overlay your tailoring — the base/overlay pattern from the last section, applied to real, authoritative content.
$ inspec supermarket exec dev-sec/linux-baseline -t ssh://ops@web1# or run a CIS/STIG profile you pinned in your overlay’s inspec.ymlProfile Summary: 173 successful, 12 failures, 8 skipped (waived)
Waivers: exceptions done right
No real system passes 100% of a baseline, and some failures are accepted risks — a control that conflicts with a business need, a finding scheduled for later remediation. A waiver file records those explicitly: which control, why, who approved it, and an expiration date, so the control is skipped or marked expected-failure with a documented, time-boxed justification. Waivers turn “we ignore that one” into an auditable, owned decision that expires and gets re-reviewed.
xccdf_org.cisecurity_rule_1.1.1.1:expiration_date: 2026-06-30justification: "tmpfs mount conflicts with app X; risk accepted TICKET-901"run: false # skip it (or run: true to still run but not fail the build)# inspec exec baseline --waiver-file waivers.yaml