mirror of
https://github.com/inspec/inspec
synced 2024-11-10 07:04:15 +00:00
Add example profiles for AWS/Azure (#2680)
* Add example AWS profile Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add example Azure profile Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
This commit is contained in:
parent
1458790696
commit
9616ebf19a
9 changed files with 115 additions and 0 deletions
|
@ -0,0 +1,8 @@
|
|||
control 'iam_password_policy_expiration' do
|
||||
title 'Passwords must be set to expire'
|
||||
impact 1.0
|
||||
|
||||
describe aws_iam_password_policy do
|
||||
it { should expire_passwords }
|
||||
end
|
||||
end
|
|
@ -0,0 +1,8 @@
|
|||
control 'iam_password_policy_max_age' do
|
||||
title 'Passwords older than 90 days are not allowed'
|
||||
impact 1.0
|
||||
|
||||
describe aws_iam_password_policy do
|
||||
its('max_password_age_in_days') { should cmp <=90 }
|
||||
end
|
||||
end
|
8
examples/profile-aws/controls/iam_root_user_mfa.rb
Normal file
8
examples/profile-aws/controls/iam_root_user_mfa.rb
Normal file
|
@ -0,0 +1,8 @@
|
|||
control 'iam_root_user_mfa' do
|
||||
title 'MFA should be enabled for the root user'
|
||||
impact 1.0
|
||||
|
||||
describe aws_iam_root_user do
|
||||
it { should have_mfa_enabled }
|
||||
end
|
||||
end
|
|
@ -0,0 +1,8 @@
|
|||
control 'iam_users_access_key_age' do
|
||||
title 'No access keys may be older than 90 days'
|
||||
impact 1.0
|
||||
|
||||
describe aws_iam_access_keys.where { created_days_ago > 90 } do
|
||||
its('entries') { should be_empty }
|
||||
end
|
||||
end
|
|
@ -0,0 +1,8 @@
|
|||
control 'iam_users_console_users_mfa' do
|
||||
title 'Users with console access must have MFA enabled'
|
||||
impact 1.0
|
||||
|
||||
describe aws_iam_users.where { has_console_password and not has_mfa_enabled } do
|
||||
its('entries') { should be_empty }
|
||||
end
|
||||
end
|
11
examples/profile-aws/inspec.yml
Normal file
11
examples/profile-aws/inspec.yml
Normal file
|
@ -0,0 +1,11 @@
|
|||
name: profile-aws
|
||||
title: AWS Example Profile
|
||||
maintainer: Chef Software, Inc.
|
||||
copyright: Chef Software, Inc.
|
||||
copyright_email: support@chef.io
|
||||
license: Apache-2.0
|
||||
summary: Demonstrates the use of an InSpec Compliance Profile on AWS
|
||||
version: 1.0.0
|
||||
|
||||
supports:
|
||||
- platform: aws
|
|
@ -0,0 +1,24 @@
|
|||
control 'azure_resource_group_example' do
|
||||
title 'Check if the Example Resource Group matches expectations'
|
||||
impact 1.0
|
||||
|
||||
describe azure_resource_group(name: 'Inspec-Azure') do
|
||||
# Check if the Resource Group is located in the correct region
|
||||
its('location') { should cmp 'westeurope' }
|
||||
|
||||
# Check if the Resource Group has tags
|
||||
it { should have_tags }
|
||||
|
||||
# Check if the number of VMs in the Resource Group is correct
|
||||
its('vm_count') { should eq 3 }
|
||||
|
||||
# Check if the number of public IPs is correct
|
||||
its('public_ip_count') { should eq 1 }
|
||||
|
||||
# Check if the number of Network Security Groups is correct
|
||||
its('nsg_count') { should eq 1 }
|
||||
|
||||
# Check if the number of Storage Accounts is correct
|
||||
its('sa_count') { should eq 1 }
|
||||
end
|
||||
end
|
29
examples/profile-azure/controls/azure_vm_example.rb
Normal file
29
examples/profile-azure/controls/azure_vm_example.rb
Normal file
|
@ -0,0 +1,29 @@
|
|||
control 'azure_vm_example' do
|
||||
title 'Check if the Example VM matches expectations'
|
||||
impact 1.0
|
||||
|
||||
describe azure_generic_resource(group_name: 'Inspec-Azure', name: 'Windows-Example-VM') do
|
||||
# Check if the VM is located in the correct region
|
||||
its('location') { should cmp 'westeurope' }
|
||||
|
||||
# Check if the VM has tags
|
||||
it { should_not have_tags }
|
||||
|
||||
# Check if the VM has the correct image
|
||||
its('properties.storageProfile.imageReference.publisher') { should cmp 'MicrosoftWindowsServer' }
|
||||
its('properties.storageProfile.imageReference.offer') { should cmp 'WindowsServer' }
|
||||
its('properties.storageProfile.imageReference.sku') { should cmp '2016-Datacenter' }
|
||||
|
||||
# Check if the VM has the correct size
|
||||
its('properties.hardwareProfile.vmSize') { should cmp 'Standard_DS2_v2' }
|
||||
|
||||
# Check if the VM has the correct computer name
|
||||
its('properties.osProfile.computerName') { should eq 'SomethingObscure' }
|
||||
|
||||
# Check if the VM has the correct admin username
|
||||
its('properties.osProfile.adminUsername') { should eq 'SomethingSecure' }
|
||||
|
||||
# Check if the VM has automatic updates enabled
|
||||
its('properties.osProfile.windowsConfiguration.enableAutomaticUpdates') { should be true }
|
||||
end
|
||||
end
|
11
examples/profile-azure/inspec.yml
Normal file
11
examples/profile-azure/inspec.yml
Normal file
|
@ -0,0 +1,11 @@
|
|||
name: profile-azure
|
||||
title: Azure Example Profile
|
||||
maintainer: Chef Software, Inc.
|
||||
copyright: Chef Software, Inc.
|
||||
copyright_email: support@chef.io
|
||||
license: Apache-2.0
|
||||
summary: Demonstrates the use of an InSpec Compliance Profile on Azure
|
||||
version: 1.0.0
|
||||
|
||||
supports:
|
||||
- platform: azure
|
Loading…
Reference in a new issue