Add example profiles for AWS/Azure (#2680)

* Add example AWS profile

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Add example Azure profile

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
This commit is contained in:
Jerry Aldrich 2018-02-18 05:12:44 -06:00 committed by Christoph Hartmann
parent 1458790696
commit 9616ebf19a
9 changed files with 115 additions and 0 deletions


@ -0,0 +1,8 @@
control 'iam_password_policy_expiration' do
title 'Passwords must be set to expire'
impact 1.0
describe aws_iam_password_policy do
it { should expire_passwords }
end
end
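Review bot: None of the seven controls added in this commit carry a `desc`, so a reader of the report sees only the title and gets no explanation of why the check exists or what failing it means; add one after `title`, e.g. `desc 'A password that never expires stays usable indefinitely once leaked; expiration bounds that window.'`. The same applies to iam_password_policy_max_age, iam_root_user_mfa, iam_users_access_key_age, iam_users_console_users_mfa, azure_resource_group_example and azure_vm_example.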


@ -0,0 +1,8 @@
control 'iam_password_policy_max_age' do
title 'Passwords older than 90 days are not allowed'
impact 1.0
describe aws_iam_password_policy do
its('max_password_age_in_days') { should cmp <=90 }
end
end
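Review bot: `should cmp <=90` only constrains a maximum age that is actually set; when the policy does not expire passwords at all the attribute is presumably unset, and what `cmp` yields for that case is not visible from this file, so this control silently depends on the sibling `iam_password_policy_expiration` control to cover the "never expires" case. That dependency is worth stating in a `desc`, and the matcher reads more clearly as `its('max_password_age_in_days') { should cmp <= 90 }`.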


@ -0,0 +1,8 @@
control 'iam_root_user_mfa' do
title 'MFA should be enabled for the root user'
impact 1.0
describe aws_iam_root_user do
it { should have_mfa_enabled }
end
end


@ -0,0 +1,8 @@
control 'iam_users_access_key_age' do
title 'No access keys may be older than 90 days'
impact 1.0
describe aws_iam_access_keys.where { created_days_ago > 90 } do
its('entries') { should be_empty }
end
end
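Review bot: The `where { created_days_ago > 90 }` filter selects on creation date only, so a key that was deactivated long ago but never deleted fails this control just like a live one, while the title promises "no access keys older than 90 days" without saying whether that includes inactive keys; decide which policy is intended and make the title say so. If `aws_iam_access_keys` exposes an active/inactive field, the filter could exclude already-deactivated keys, but keeping them in scope is a defensible choice since a deactivated key can be re-enabled, and that reasoning belongs in a `desc`.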


@ -0,0 +1,8 @@
control 'iam_users_console_users_mfa' do
title 'Users with console access must have MFA enabled'
impact 1.0
describe aws_iam_users.where { has_console_password and not has_mfa_enabled } do
its('entries') { should be_empty }
end
end
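Review bot: `where { has_console_password and not has_mfa_enabled }` uses the low-precedence `and`/`not` keywords, which become a precedence trap the moment someone adds an assignment or a `||` to this expression; the idiomatic form is `describe aws_iam_users.where { has_console_password && !has_mfa_enabled } do`. Behaviour is identical here because the block body is a single bare expression.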


@ -0,0 +1,11 @@
name: profile-aws
title: AWS Example Profile
maintainer: Chef Software, Inc.
copyright: Chef Software, Inc.
copyright_email: support@chef.io
license: Apache-2.0
summary: Demonstrates the use of an InSpec Compliance Profile on AWS
version: 1.0.0
supports:
- platform: aws


@ -0,0 +1,24 @@
control 'azure_resource_group_example' do
title 'Check if the Example Resource Group matches expectations'
impact 1.0
describe azure_resource_group(name: 'Inspec-Azure') do
# Check if the Resource Group is located in the correct region
its('location') { should cmp 'westeurope' }
# Check if the Resource Group has tags
it { should have_tags }
# Check if the number of VMs in the Resource Group is correct
its('vm_count') { should eq 3 }
# Check if the number of public IPs is correct
its('public_ip_count') { should eq 1 }
# Check if the number of Network Security Groups is correct
its('nsg_count') { should eq 1 }
# Check if the number of Storage Accounts is correct
its('sa_count') { should eq 1 }
end
end
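Review bot: Every expected value in this control (`'Inspec-Azure'`, `'westeurope'`, the four counts) is fixed in the source, so the profile only passes against the author's own subscription and has to be edited before anyone else can run it; the resource group name and region at least could be profile attributes, e.g. `rg_name = attribute('resource_group', default: 'Inspec-Azure', description: 'Resource group to inspect')` followed by `describe azure_resource_group(name: rg_name) do`. Also, `location` is checked with `cmp` while the counts use `eq`; picking one matcher consistently (`cmp` is the usual choice in InSpec profiles because it is lenient about integer/string types) reads better. The same applies to azure_vm_example.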


@ -0,0 +1,29 @@
control 'azure_vm_example' do
title 'Check if the Example VM matches expectations'
impact 1.0
describe azure_generic_resource(group_name: 'Inspec-Azure', name: 'Windows-Example-VM') do
# Check if the VM is located in the correct region
its('location') { should cmp 'westeurope' }
# Check if the VM has tags
it { should_not have_tags }
# Check if the VM has the correct image
its('properties.storageProfile.imageReference.publisher') { should cmp 'MicrosoftWindowsServer' }
its('properties.storageProfile.imageReference.offer') { should cmp 'WindowsServer' }
its('properties.storageProfile.imageReference.sku') { should cmp '2016-Datacenter' }
# Check if the VM has the correct size
its('properties.hardwareProfile.vmSize') { should cmp 'Standard_DS2_v2' }
# Check if the VM has the correct computer name
its('properties.osProfile.computerName') { should eq 'SomethingObscure' }
# Check if the VM has the correct admin username
its('properties.osProfile.adminUsername') { should eq 'SomethingSecure' }
# Check if the VM has automatic updates enabled
its('properties.osProfile.windowsConfiguration.enableAutomaticUpdates') { should be true }
end
end
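Review bot: The comment on the tags line contradicts the matcher: `# Check if the VM has tags` is followed by `it { should_not have_tags }`, so either the comment or the expectation is wrong; if the intent is that the example VM carries no tags, change the comment to `# Check that the VM has no tags`, otherwise drop the `_not`. Separately, `enableAutomaticUpdates` is asserted with `should be true` while the other properties use `cmp`/`eq`; `be true` is an identity check, so if the value ever comes back as a string it fails where `cmp true` would pass — worth verifying against the API response, or at least being consistent with the rest of the control.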


@ -0,0 +1,11 @@
name: profile-azure
title: Azure Example Profile
maintainer: Chef Software, Inc.
copyright: Chef Software, Inc.
copyright_email: support@chef.io
license: Apache-2.0
summary: Demonstrates the use of an InSpec Compliance Profile on Azure
version: 1.0.0
supports:
- platform: azure