inspec/docs/dsl_inspec.rst

=====================================================
InSpec DSL
=====================================================
|inspec| is a run-time framework and rule language used to specify compliance, security, and policy requirements. It includes a collection of resources that help you write auditing controls quickly and easily. The syntax used by both open source and |chef compliance| auditing is the same. The open source |inspec resource| framework is compatible with |chef compliance|.

The InSpec DSL is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke.

The following sections describe the syntax and show some simple examples of using |inspec| resources to define

Syntax
=====================================================
The following resource tests |ssh| server configuration. For example, a simple control may be described as:

.. code-block:: ruby

   describe sshd_config do
     its('Port') { should eq('22') }
   end

In various use cases, such as implementing IT compliance across different departments, it becomes handy to extend the control with metadata. Each control may define an additional ``impact``, ``title`` or ``desc``. An example looks like:

.. code-block:: ruby

   control 'sshd-8' do
     impact 0.6
     title 'Server: Configure the service port'
     desc '
       Always specify which port the SSH server should listen to.
       Prevent unexpected settings.
     '
     tag 'ssh','sshd','openssh-server'
     tag cce: 'CCE-27072-8'
     ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'

     describe sshd_config do
       its('Port') { should eq('22') }
     end
   end

where

* ``'sshd-8'`` is the name of the control
* ``impact``, ``title``, and ``desc`` define metadata that fully describes the importance of the control and its purpose, with a succinct and complete description
* ``impact`` is a float that measures the importance of the compliance results and must be a value between ``0.0`` and ``1.0``
* ``tag`` is optional meta-information given as keys or key-value pairs
* ``ref`` is a reference to an external document
* ``describe`` is a block that contains at least one test. A ``control`` block must contain at least one ``describe`` block, but may contain as many as required
* ``sshd_config`` is an |inspec| resource. For the full list of InSpec resources, see the |inspec| resource documentation
* ``its('Port')`` selects the attribute of the resource under test, and ``{ should eq('22') }`` is the matcher that turns it into a test. A ``describe`` block must contain at least one such test, but may contain as many as required

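As an added example, not part of the InSpec docs or code base, the following Ruby sketches a stand-in for the ``control``, ``impact``, ``title``, ``tag``, ``describe`` and ``its`` keywords listed above, together with a resource that parses a constructed ``sshd_config``. The class names and the sample configuration are assumptions of this example; real InSpec builds on RSpec and its ``sshd_config`` resource is separate code. The parser follows sshd's own rules (first occurrence of a keyword wins, keywords are case-insensitive, settings under ``Match`` are conditional), which is what an auditor needs the value of ``Port`` to reflect.

```ruby
# Added example, not InSpec's own code: a small stand-in for the control /
# describe / its DSL, runnable without InSpec. SshdConfig, Expectation,
# Control and the constructed sshd_config text are assumptions of this example.

# Reads sshd_config the way sshd does: keywords are case-insensitive,
# the FIRST occurrence of a keyword wins, '#' starts a comment, and
# lines after a 'Match' line are conditional rather than global.
class SshdConfig
  def initialize(content)
    @params = {}
    content.each_line do |raw|
      line = raw.sub(/#.*/, '').strip
      next if line.empty?
      key, value = line.split(/\s*=\s*|\s+/, 2)
      break if key.casecmp?('match')   # everything below is conditional
      @params[key.downcase] ||= value  # first occurrence wins
    end
  end

  # its('Port') turns into a method call on the resource
  def method_missing(name, *args)
    args.empty? ? @params[name.to_s.downcase] : super
  end
end

# Just enough of `should eq(...)`: eq hands back the expected value and
# should compares it with the actual one, recording a failure message.
Expectation = Struct.new(:name, :actual, :failures) do
  def eq(expected) expected end
  def should(expected)
    return if actual == expected
    failures << "#{name}: expected #{expected.inspect}, got #{actual.inspect}"
  end
end

class Control
  attr_reader :id, :tags, :failures
  def initialize(id, &block)
    @id, @impact, @tags, @failures = id, 0.0, {}, []
    instance_eval(&block)
  end

  # Validated on the spot: an impact of 60 (a typo for 0.6) is rejected.
  def impact(value = nil)
    return @impact if value.nil?
    raise ArgumentError, "impact must be between 0.0 and 1.0, got #{value}" unless (0.0..1.0).cover?(value)
    @impact = value.to_f
  end

  def title(text) @title = text end
  def desc(text) @desc = text.strip end

  # Bare tags become keys with a nil value; hash tags merge into the same
  # hash, so a repeated key keeps only the last value.
  def tag(*args)
    args.each { |a| a.is_a?(Hash) ? @tags.merge!(a) : (@tags[a] = nil) }
  end

  # describe runs its block with the resource as subject; each its() test
  # appends its failures so the control can report them together.
  def describe(subject, &block)
    @subject = subject
    instance_eval(&block)
  end

  def its(attr, &block)
    exp = Expectation.new(attr, @subject.public_send(attr), [])
    exp.instance_eval(&block)
    @failures.concat(exp.failures)
  end

  def passed?
    @failures.empty?
  end
end

def control(id, &block)
  Control.new(id, &block)
end

# Constructed sshd_config: a commented-out Port, a duplicate Port (sshd
# keeps the first) and a Match block that must not leak into the globals.
SAMPLE_SSHD_CONFIG = <<~CONF
  # Port 2222
  Port 22
  Port 2222
  PermitRootLogin no
  Match User backup
    PermitRootLogin yes
CONF

SSHD_8 = control 'sshd-8' do
  impact 0.6
  title 'Server: Configure the service port'
  desc 'Always specify which port the SSH server should listen to.'
  tag 'ssh', 'sshd', 'openssh-server'
  tag cce: 'CCE-27072-8'
  describe SshdConfig.new(SAMPLE_SSHD_CONFIG) do
    its('Port') { should eq('22') }
    its('PermitRootLogin') { should eq('no') }
  end
end
```

``SSHD_8.passed?`` is true for the constructed file: the duplicate ``Port 2222`` is ignored because sshd honours the first occurrence, and the ``PermitRootLogin yes`` under ``Match`` is not treated as the global value. A control whose ``impact`` is outside ``0.0``..``1.0`` raises at definition time rather than silently running with a bogus weight.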
Advanced concepts
=====================================================
With |inspec| it is possible to check whether at least one of a collection of checks is true. For example, if a setting may be configured in either of two locations, you may want to test that either configuration A or configuration B has been set. This is accomplished via ``describe.one``, which defines a block of tests that passes as long as at least one of its ``describe`` blocks passes. Note that this expresses a logical OR over where a setting is present; it does not tell you which location takes effect when both are present.

.. code-block:: ruby

   describe.one do
     describe ConfigurationA do
       its('setting_1') { should eq true }
     end
     describe ConfigurationB do
       its('setting_2') { should eq true }
     end
   end

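As an added example, not InSpec's own implementation, here is the rule behind ``describe.one`` written as a plain Ruby function and applied to a setting that may live either in the main ``sshd_config`` or in a drop-in file under ``sshd_config.d``. The file contents and helper names are constructed for this example.

```ruby
# Added example, not InSpec's own code: the rule behind describe.one as a
# plain Ruby function over constructed file contents. Helper names and the
# sample sshd_config / drop-in text are assumptions of this example only.

Branch = Struct.new(:name, :passed, :detail)

# Every branch is evaluated; the group passes if at least one branch passed.
# When none pass, every branch's detail is reported, so the reader sees why
# each leg failed rather than just that the OR as a whole failed.
def describe_one(branches)
  results = branches.map { |name, check| Branch.new(name, *check.call) }
  passed  = results.any?(&:passed)
  { passed: passed,
    failures: passed ? [] : results.map { |r| "#{r.name}: #{r.detail}" } }
end

# Stands in for file(path).content plus an its('PermitRootLogin') test:
# returns [passed?, detail] for comparison against the expected value.
def permit_root_login_is?(files, path, expected)
  lines = files.fetch(path, '').each_line.map(&:strip)
  line  = lines.find { |l| l =~ /\APermitRootLogin\b/i }
  value = line && line.split(/\s+/, 2).last
  [value == expected, "#{path}: PermitRootLogin=#{value.inspect}"]
end

# The describe.one block above, as code: main config OR drop-in.
def root_login_disabled_in_either(files)
  describe_one(
    'main config' => -> { permit_root_login_is?(files, '/etc/ssh/sshd_config', 'no') },
    'drop-in'     => -> { permit_root_login_is?(files, '/etc/ssh/sshd_config.d/50-harden.conf', 'no') }
  )
end

# Constructed inputs: on the hardened host only the drop-in disables root login
HARDENED_FILES = {
  '/etc/ssh/sshd_config' => "Include /etc/ssh/sshd_config.d/*.conf\nPermitRootLogin yes\n",
  '/etc/ssh/sshd_config.d/50-harden.conf' => "PermitRootLogin no\n",
}
UNHARDENED_FILES = { '/etc/ssh/sshd_config' => "PermitRootLogin yes\n" }

puts root_login_disabled_in_either(HARDENED_FILES)    # passes via the drop-in
puts root_login_disabled_in_either(UNHARDENED_FILES)  # both legs fail, both reported
```

The hardened input passes because the drop-in leg passes, even though the main file still says ``yes``. That is exactly the strength and the limit of an OR check: it proves the secure value is present somewhere, not that it is the effective one. For sshd the effective value depends on where the ``Include`` sits and on first-occurrence semantics, so when the tool allows it, prefer testing the effective configuration (what ``sshd -T`` prints) over testing files.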
Examples
=====================================================
The following examples show simple compliance tests using a single ``control`` block.

Is Windows Password Complexity enabled?
-----------------------------------------------------

The following test shows how to audit machines running |windows| 2012 R2 to verify that password complexity is enabled:

.. code-block:: ruby

   control 'windows-account-102' do
     impact 1.0
     title 'Windows Password Complexity is Enabled'
     desc 'Password must meet complexity requirement'
     describe security_policy do
       its('PasswordComplexity') { should eq 1 }
     end
   end

Are PostgreSQL passwords empty?
-----------------------------------------------------

The following test shows how to audit machines running |postgresql| to ensure that no role has an empty password. Reading ``pg_shadow`` requires superuser privileges, and the credentials given to ``postgres_session`` are stored in the profile itself, so keep such a profile out of shared locations:

.. code-block:: ruby

   control 'postgres-7' do
     impact 1.0
     title "Don't allow empty passwords"
     describe postgres_session('user', 'pass').query("SELECT * FROM pg_shadow WHERE passwd IS NULL;") do
       its('output') { should eq('') }
     end
   end

Are MySQL passwords in ENV?
-----------------------------------------------------

The following test shows how to audit machines running |mysql| to ensure that passwords are not stored in ``ENV``. Note that ``command('env')`` only sees the environment of the session InSpec runs in, not that of other users' sessions or of the running ``mysqld`` process:

.. code-block:: ruby

   control 'mysql-3' do
     impact 1.0
     title 'Do not store your MySQL password in your ENV'
     desc '
       Storing credentials in your ENV may easily expose
       them to an attacker. Prevent this at all costs.
     '
     describe command('env') do
       its('stdout') { should_not match(/^MYSQL_PWD=/) }
     end
   end

Is /etc/ssh a Directory?
-----------------------------------------------------

The following test shows how to audit machines to ensure that ``/etc/ssh`` is a directory:

.. code-block:: ruby

   control 'basic-1' do
     impact 1.0
     title '/etc/ssh should be a directory'
     desc '
       In order for OpenSSH to function correctly, its
       configuration path must be a folder.
     '
     describe file('/etc/ssh') do
       it { should be_directory }
     end
   end

Is Apache running?
-----------------------------------------------------

The following test shows how to audit machines to ensure that |apache| is enabled and running. ``apache.service`` comes from the ``apache`` resource and supplies the platform-specific service name, so the control does not hard-code ``apache2`` or ``httpd``:

.. code-block:: ruby

   control 'apache-1' do
     impact 0.3
     title 'Apache2 should be configured and running'
     describe service(apache.service) do
       it { should be_enabled }
       it { should be_running }
     end
   end

Are insecure packages installed?
-----------------------------------------------------

The following test shows how to audit machines for insecure packages. The control uses one ``describe`` block per package name, so each package is reported separately:

.. code-block:: ruby

   control 'cis-os-services-5.1.3' do
     impact 0.7
     title '5.1.3 Ensure rsh client is not installed'

     describe package('rsh') do
       it { should_not be_installed }
     end

     describe package('rsh-redone-client') do
       it { should_not be_installed }
     end
   end

Test Windows Registry Keys
-----------------------------------------------------

The following test shows how to audit machines to ensure Safe DLL Search Mode is enabled. Note that the negated matcher also passes when the ``SafeDllSearchMode`` value is absent altogether; that is acceptable here because the mode is enabled by default, but for a setting whose default is insecure, assert the secure value explicitly instead:

.. code-block:: ruby

   control 'windows-base-101' do
     impact 1.0
     title 'Safe DLL Search Mode is Enabled'
     desc '
       @link: https://msdn.microsoft.com/en-us/library/ms682586(v=vs.85).aspx
     '
     describe registry_key('HKLM\\System\\CurrentControlSet\\Control\\Session Manager') do
       it { should exist }
       it { should_not have_property_value('SafeDllSearchMode', :type_dword, '0') }
     end
   end

Additional metadata for controls
-----------------------------------------------------

The following example illustrates various ways to add tags and references to a ``control``. Tags are collected into a hash, so a repeated key such as ``remediation`` keeps only the last value given; use distinct keys, or pass an array as the value, when several values belong to one tag. Because the control checks the server's ``Protocol`` setting, it reads ``sshd_config`` rather than the client-side ``ssh_config``:

.. code-block:: ruby

   control 'ssh-1' do
     impact 1.0
     title 'Allow only SSH Protocol 2'
     desc 'Only SSH protocol version 2 connections should be permitted.
           The default setting in /etc/ssh/sshd_config is correct, and can be
           verified by ensuring that the following line appears: Protocol 2'
     tag 'production','development'
     tag 'ssh','sshd','openssh-server'
     tag cce: 'CCE-27072-8'
     tag disa: 'RHEL-06-000227'
     tag remediation: 'stig_rhel6/recipes/sshd-config.rb'
     tag remediation: 'https://supermarket.chef.io/cookbooks/ssh-hardening'
     ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
     ref 'http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/ssg-centos6-guide-C2S.html'
     describe sshd_config do
       its('Protocol') { should eq '2' }
     end
   end

.. |inspec| replace:: InSpec
.. |inspec resource| replace:: InSpec Resource
.. |chef compliance| replace:: Chef Compliance
.. |ruby| replace:: Ruby
.. |ssh| replace:: SSH
.. |windows| replace:: Microsoft Windows
.. |postgresql| replace:: PostgreSQL
.. |mysql| replace:: MySQL
.. |apache| replace:: Apache