The InSpec project is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements. The project name stands for “infrastructure specification,” and it also can be thought of as an abbreviation of “inspect.”
You can use InSpec to examine any node in your infrastructure. The InSpec framework runs locally or remotely on the node being inspected. As input, it uses audit rules you write with the InSpec language. If it detects security, compliance or policy issues, they are flagged in a log.
The InSpec project includes many resources that help you write audit rules quickly and easily. Here are some examples.
* Disallow insecure protocols - In this example, the package and inetd_conf resources ensure that insecure services and protocols, such as telnet, are not used.
```ruby
describe package('telnetd') do
it { should_not be_installed }
end
describe inetd_conf do
its("telnet") { should eq nil }
end
```
* Only accept requests on secure ports - This code ensures that the web server is only listening on well-secured ports.
```ruby
describe port(80) do
it { should_not be_listening }
end
describe port(443) do
it { should be_listening }
its('protocol') {should eq 'tcp'}
end
```
* Use approved strong ciphers - This code ensures that only enterprise-compliant ciphers are used for SSH servers.
```ruby
describe sshd_config do
its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
end
```
* Test a kitchen.yml file driver - This code ensures that the Test Kitchen driver is Vagrant.
