Add example profiles for AWS/Azure (#2680)

* Add example AWS profile Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> * Add example Azure profile Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2024-11-21 20:23:06 +00:00 · 2018-02-18 05:12:44 -06:00 · 2018-02-18 05:12:44 -06:00 · 9616ebf19a
commit 9616ebf19a
parent 1458790696
9 changed files with 115 additions and 0 deletions
--- a/examples/profile-aws/controls/iam_password_policy_expiration.rb
+++ b/examples/profile-aws/controls/iam_password_policy_expiration.rb
@ -0,0 +1,8 @@
+control 'iam_password_policy_expiration' do
+  title 'Passwords must be set to expire'
+  impact 1.0
+
+  describe aws_iam_password_policy do
+    it { should expire_passwords }
+  end
+end
--- a/examples/profile-aws/controls/iam_password_policy_max_age.rb
+++ b/examples/profile-aws/controls/iam_password_policy_max_age.rb
@ -0,0 +1,8 @@
+control 'iam_password_policy_max_age' do
+  title 'Passwords older than 90 days are not allowed'
+  impact 1.0
+
+  describe aws_iam_password_policy do
+    its('max_password_age_in_days') { should cmp <=90 }
+  end
+end
--- a/examples/profile-aws/controls/iam_root_user_mfa.rb
+++ b/examples/profile-aws/controls/iam_root_user_mfa.rb
@ -0,0 +1,8 @@
+control 'iam_root_user_mfa' do
+  title 'MFA should be enabled for the root user'
+  impact 1.0
+
+  describe aws_iam_root_user do
+    it { should have_mfa_enabled }
+  end
+end
--- a/examples/profile-aws/controls/iam_users_access_key_age.rb
+++ b/examples/profile-aws/controls/iam_users_access_key_age.rb
@ -0,0 +1,8 @@
+control 'iam_users_access_key_age' do
+  title 'No access keys may be older than 90 days'
+  impact 1.0
+
+  describe aws_iam_access_keys.where { created_days_ago > 90 } do
+    its('entries') { should be_empty }
+  end
+end
--- a/examples/profile-aws/controls/iam_users_console_users_mfa.rb
+++ b/examples/profile-aws/controls/iam_users_console_users_mfa.rb
@ -0,0 +1,8 @@
+control 'iam_users_console_users_mfa' do
+  title 'Users with console access must have MFA enabled'
+  impact 1.0
+
+  describe aws_iam_users.where { has_console_password and not has_mfa_enabled } do
+    its('entries') { should be_empty }
+  end
+end
--- a/examples/profile-aws/inspec.yml
+++ b/examples/profile-aws/inspec.yml
@ -0,0 +1,11 @@
+name: profile-aws
+title: AWS Example Profile
+maintainer: Chef Software, Inc.
+copyright: Chef Software, Inc.
+copyright_email: support@chef.io
+license: Apache-2.0
+summary: Demonstrates the use of an InSpec Compliance Profile on AWS
+version: 1.0.0
+
+supports:
+  - platform: aws
--- a/examples/profile-azure/controls/azure_resource_group_example.rb
+++ b/examples/profile-azure/controls/azure_resource_group_example.rb
@ -0,0 +1,24 @@
+control 'azure_resource_group_example' do
+  title 'Check if the Example Resource Group matches expectations'
+  impact 1.0
+
+  describe azure_resource_group(name: 'Inspec-Azure') do
+    # Check if the Resource Group is located in the correct region
+    its('location') { should cmp 'westeurope' }
+
+    # Check if the Resource Group has tags
+    it { should have_tags }
+
+    # Check if the number of VMs in the Resource Group is correct
+    its('vm_count') { should eq 3 }
+
+    # Check if the number of public IPs is correct
+    its('public_ip_count') { should eq 1 }
+
+    # Check if the number of Network Security Groups is correct
+    its('nsg_count') { should eq 1 }
+
+    # Check if the number of Storage Accounts is correct
+    its('sa_count') { should eq 1 }
+  end
+end
--- a/examples/profile-azure/controls/azure_vm_example.rb
+++ b/examples/profile-azure/controls/azure_vm_example.rb
@ -0,0 +1,29 @@
+control 'azure_vm_example' do
+  title 'Check if the Example VM matches expectations'
+  impact 1.0
+
+  describe azure_generic_resource(group_name: 'Inspec-Azure', name: 'Windows-Example-VM') do
+    # Check if the VM is located in the correct region
+    its('location') { should cmp 'westeurope' }
+
+    # Check if the VM has tags
+    it { should_not have_tags }
+
+    # Check if the VM has the correct image
+    its('properties.storageProfile.imageReference.publisher') { should cmp 'MicrosoftWindowsServer' }
+    its('properties.storageProfile.imageReference.offer') { should cmp 'WindowsServer' }
+    its('properties.storageProfile.imageReference.sku') { should cmp '2016-Datacenter' }
+
+    # Check if the VM has the correct size
+    its('properties.hardwareProfile.vmSize') { should cmp 'Standard_DS2_v2' }
+
+    # Check if the VM has the correct computer name
+    its('properties.osProfile.computerName') { should eq 'SomethingObscure' }
+
+    # Check if the VM has the correct admin username
+    its('properties.osProfile.adminUsername') { should eq 'SomethingSecure' }
+
+    # Check if the VM has automatic updates enabled
+    its('properties.osProfile.windowsConfiguration.enableAutomaticUpdates') { should be true }
+  end
+end
--- a/examples/profile-azure/inspec.yml
+++ b/examples/profile-azure/inspec.yml
@ -0,0 +1,11 @@
+name: profile-azure
+title: Azure Example Profile
+maintainer: Chef Software, Inc.
+copyright: Chef Software, Inc.
+copyright_email: support@chef.io
+license: Apache-2.0
+summary: Demonstrates the use of an InSpec Compliance Profile on Azure
+version: 1.0.0
+
+supports:
+  - platform: azure