Fixes formatting on aws/azure resources

Signed-off-by: kagarmoe <kgarmoe@chef.io>
kagarmoe 2018-02-14 20:31:56 -08:00
parent b9162f5c1b
commit d63d15c457
12 changed files with 230 additions and 95 deletions

@ -4,7 +4,7 @@ title: About the audit_policy Resource
# audit_policy
Use the `audit_policy` Inspec audit resource to test auditing policies on the Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each enabled auditing category property, the auditing level may be set to `No Auditing`, `Not Specified`, `Success`, `Success and Failure`, or `Failure`.
Use the `audit_policy` InSpec audit resource to test auditing policies on the Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each enabled auditing category property, the auditing level may be set to `No Auditing`, `Not Specified`, `Success`, `Success and Failure`, or `Failure`.
<br>

@ -120,4 +120,4 @@ This InSpec audit resource has the following special matchers. For a full list o
The `be_active` matcher tests if the described IAM access key is active.
it { should be_active }
it { should be_active }
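Review bot: `it { should be_active }` reads identically before and after, so this is a whitespace-only edit, but the example still shows a bare `it` with no enclosing `describe aws_iam_access_key(...) do ... end`, which will not run as pasted; show the full block so the matcher example is self-contained.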

@ -3,7 +3,7 @@ title: About the aws_iam_policy Resource
platform: aws
---
# aws_iam_policy
# aws\_iam\_policy
Use the `aws_iam_policy` InSpec audit resource to test properties of a single managed AWS IAM Policy.
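Review bot: escaping the underscores in the H1 (`# aws\_iam\_policy`) is unnecessary, since underscores inside a word are not emphasis in CommonMark/GFM, and it is inconsistent with `# audit_policy` and `# windows_task` in this same commit, which keep plain underscores; prefer the unescaped form or apply one rule across all resource pages.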

@ -48,6 +48,8 @@ A textual description of the IAM Role.
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exist
Indicates that the Role Name provided was found. Use should_not to test for IAM Roles that should not exist.
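Review bot: `should_not` in the new `exist` description is code and should be in backticks. The heading here is `### exist` while the other resources touched by this commit use `### exists`; pick one convention (the matcher itself is `exist`, so `it { should exist }` is what readers will type).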

@ -71,7 +71,7 @@ Provides a list of key ids for all KMS Keys in the AWS account.
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exists

@ -109,6 +109,8 @@ If there is no bucket policy, this property returns an empty array.
s.effect == 'Allow' && s.principal == '*'
end
<br>
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
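Review bot: the `<br>` inserted before `## Matchers` is raw HTML used for spacing; a blank line gives the same break in markdown and keeps the page free of inline HTML. The same `<br>` spacer is added ahead of headings in several other files in this commit, so it is worth deciding once whether to keep it.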

@ -83,27 +83,23 @@ A string identifying the VPC that contains the security group. Since VPCs common
end
<br>
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exists
The control will pass if the specified SG was found. Use should_not if you want to verify that the specified SG does not exist.
# You will always have at least one SG, the VPC default SG
describe aws_security_group(group_name: 'default')
it { should exist }
end
# Make sure we don't have any security groups with the name 'nogood'
describe aws_security_group(group_name: 'nogood')
it { should_not exist }
end
## Properties
* `description`, `group_id', `group_name`, `vpc_id`
<br>
## Property Examples
### description
A String reflecting the human-meaningful description that was given to the SG at creation time.
# Require a description of a particular group
describe aws_security_group('sg-12345678') do
its('description') { should_not be_empty }
end
### group\_id
Provides the Security Group ID.
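Review bot: both `describe aws_security_group(group_name: 'default')` and `describe aws_security_group(group_name: 'nogood')` in the matcher examples are missing the trailing `do`, so the `it { should exist }` / `end` lines that follow are a Ruby syntax error rather than a runnable control; the `description` example just below shows the correct form (`describe aws_security_group('sg-12345678') do`). In the properties list, `` `group_id' `` mixes a backtick with a single quote and will not render as code; it should be `` `group_id` ``.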
@ -125,15 +121,6 @@ A String reflecting the name that was given to the SG at creation time.
its('group_name') { should cmp 'my_group' }
end
### description
A String reflecting the human-meaningful description that was given to the SG at creation time.
# Require a description of a particular group
describe aws_security_group('sg-12345678') do
its('description') { should_not be_empty }
end
### vpc\_id
A String in the format 'vpc-' followed by 8 hexadecimal characters reflecting VPC that contains the security group.
@ -141,4 +128,25 @@ A String in the format 'vpc-' followed by 8 hexadecimal characters reflecting VP
# Inspec the VPC ID of a particular group
describe aws_security_group('sg-12345678') do
its('vpc_id') { should cmp 'vpc-12345678' }
end
end
<br>
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exists
The control will pass if the specified SG was found. Use should_not if you want to verify that the specified SG does not exist.
# You will always have at least one SG, the VPC default SG
describe aws_security_group(group_name: 'default')
it { should exist }
end
# Make sure we don't have any security groups with the name 'nogood'
describe aws_security_group(group_name: 'nogood')
it { should_not exist }
end
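Review bot: the second `end` after `its('vpc_id') { should cmp 'vpc-12345678' }` closes nothing (there is one `describe ... do`, already closed by the first `end`), so that added line should be dropped unless it closes an outer block the diff does not show. The relocated matcher examples carry the same defect as before the move: `describe aws_security_group(group_name: 'default')` and `describe aws_security_group(group_name: 'nogood')` lack `do`. Minor: the comment `# Inspec the VPC ID` should read `# Inspect the VPC ID`, and `should_not` in the prose should be in backticks.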

@ -50,10 +50,16 @@ A string identifying a group. Since groups are contained in VPCs, group names ar
it { should exist }
end
<br>
## Properties
* `entries`, `group\_ids`
<br>
## Property Examples
### entries
Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.
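Review bot: `` `group\_ids` `` in the new Properties list escapes the underscore inside a code span, where backslashes are literal, so it will render as `group\_ids`; write `` `group_ids` ``. The neighbouring `` `entries` `` entry is fine.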
@ -73,7 +79,7 @@ Provides a list of all security group IDs matched.
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exists

@ -36,7 +36,7 @@ As this is the initial release of `aws_vpcs`, its limited functionality preclude
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exists

@ -4,7 +4,7 @@ title: About the azure_generic_resource Resource
# azure\_generic\_resource
Use the `azure_generic_resource` Inspec audit resource to test any valid Azure Resource. This is very useful if you need to test something that we do not yet have a specific Inspec resource for.
Use the `azure_generic_resource` InSpec audit resource to test any valid Azure Resource. This is very useful if you need to test something that we do not yet have a specific Inspec resource for.
## Syntax
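Review bot: only the first "Inspec" on the intro line was changed to "InSpec"; the same sentence still ends with "a specific Inspec resource for", so the fix is incomplete.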
@ -16,20 +16,19 @@ Use the `azure_generic_resource` Inspec audit resource to test any valid Azure R
where
* Resource Parameters
* `MyResourceGroup` is the name of the resource group that contains the Azure Resource to be validated
* `MyResource` is the name of the resource that needs to be checked
* `MyResourceGroup` is the name of the resource group that contains the Azure Resource to be validated
* `MyResource` is the name of the resource that needs to be checked
* `property` - This generic resource dynamically creates the properties on the fly based on the type of resource that has been targetted.
* `value` is the expected output from the chosen property
The options that can be passed to the resource are as follows.
| Name | Description | Required | Example |
|-------------|---------------------------------------------------------------------------------------------------------------------|----------|-----------------------------------|
| group_name: | Azure Resource Group to be tested | yes | MyResourceGroup |
| name: | Name of the Azure resource to test | no | MyVM |
| type: | Azure Resource Type to look for | no | Microsoft.Compute/virtualMachines |
| apiversion: | API Version to use when interrogating the resource. If not set then the latest version for the resoure type is used | no | 2017-10-9 |
The options that can be passed to the resource are as follows.
* `group_name`, the Azure resource group to be tested. Example: 'MyResourceGroup' (required)
* `name`, the name of the Azure resource to test. Example: 'MyVM'
* `type`, the Azure resource type. Example: 'Microsoft.Compute/virtualMachines'
* `apiversion`, the API Version to use when querying the resource. Defaults to the latest version for the resoure type is used. Example: 2017-10-9
These options can also be set using the environment variables:
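Review bot: the new `apiversion` bullet reads "Defaults to the latest version for the resoure type is used", which fuses two sentences and keeps the old typo; "Defaults to the latest version for the resource type" is enough. The example value `2017-10-9` looks like a mis-typed date, since Azure `api-version` strings are zero-padded dates of the form YYYY-MM-DD; worth checking against the resource's supported versions before publishing. Also "targetted" in the `property` bullet should be "targeted", and that bullet uses " - " where the other bullets use "is".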
@ -42,18 +41,17 @@ When the options have been set as well as the environment variables, the environ
There are _normally_ three standard tests that can be performed on a resource.
| Name | Description |
|------|-------------|
| name | Name of the resource |
| type | Type of resource |
| location | Location of the resource within Azure |
* `name`: tests the resource name
* `type`: tests the resource type
* `location`: tests the resource's location within Azure
For example:
## Example
```ruby
describe azure_generic_resource(group_name: 'Inspec-Azure', name: 'Linux-Internal-VM') do
its('location') { should eq 'westeurope' }
end
```ruby
describe azure_generic_resource(group_name: 'Inspec-Azure', name: 'Linux-Internal-VM') do
its('location') { should eq 'westeurope' }
end
```
```
## Properties
@ -76,4 +74,8 @@ Please see the integration tests for in depth examples of how this resource can
- [Generic Virtual Network](../test/integration/verify/controls/generic_virtual_network.rb)
- [Generic Windows Internal VM NIC](../test/integration/verify/controls/generic_windows_internal_vm_nic.rb)
- [Generic Windows Internal VM](../test/integration/verify/controls/generic_windows_internal_vm.rb)
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
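Review bot: the integration-test links just above the new Matchers section use `../test/integration/...`, while the `azure_resource_group_resource_counts` page in this same commit links the same directory as `../../test/integration/...`; assuming the two pages sit in the same docs directory, one of the relative paths is broken and will 404 once rendered.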

@ -10,11 +10,11 @@ Use the `azure_resource_group_resource_counts` InSpec audit resource to check th
The name of the resource group is specified as a parameter on the resource:
```ruby
describe azure_resource_group(name: 'MyResourceGroup') do
its('property') { should eq 'value' }
end
```
```ruby
describe azure_resource_group(name: 'MyResourceGroup') do
its('property') { should eq 'value' }
end
```
where
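Review bot: the syntax example still calls `azure_resource_group(name: 'MyResourceGroup')`, but this page documents `azure_resource_group_resource_counts` (see the context line at the top of the hunk; the examples further down use the full name). The re-indentation is fine, but the resource name should be corrected while these lines are being touched.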
@ -25,10 +25,51 @@ where
The options that can be passed to the resource are as follows.
| Name | Description | Required | Example |
|-------------|---------------------------------------------------------------------------------------------------------------------|----------|-----------------------------------|
| group_name: | Azure Resource Group to be tested | yes | MyResourceGroup |
| name: | Name of the Azure resource to test | no | MyVM |
## Examples
The following examples show how to use this InSpec audit resource
Please refer the integration tests for more in depth examples:
- [Resource Group](../../test/integration/verify/controls/resource_group.rb)
### Test Resource Group has the correct number of resources
```ruby
describe azure_resource_group_resource_counts(name: 'Inspec-Azure') do
its('total') { should eq 7}
```
### Ensure that the Resource Group contains the correct resources
```ruby
describe azure_resource_group_resource_counts(name: 'Inspec-Azure') do
its('total') { should eq 7 }
its('vm_count') { should eq 2 }
its('nic_count') { should eq 2 }
its('public_ip_count') { should eq 1 }
its('sa_count') { should eq 1 }
its('vnet_count') { should eq 1 }
end
```
<br>
## Resource Parameters
The options that can be passed to the resource are as follows.
### `group_name` (required)
Use this parameter to define the Azure Resource Group to be tested.
example: MyResourceGroup
### name
Use this parameter to define the name of the Azure resource to test
example: MyVM
If both `group_name` and `name` is set then `name` will take priority
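Review bot: the first example under "Test Resource Group has the correct number of resources" closes the fence without an `end` for the `describe` block, and `should eq 7}` needs a space before the brace; the second example shows the intended shape. Also "Please refer the integration tests" should be "Please refer to the integration tests", "If both `group_name` and `name` is set" should be "are set", and the two parameter headings mix styles (one formats the parameter as code and marks it required, the other does neither).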
@ -39,106 +80,182 @@ These options can also be set using the environment variables:
When the options have been set as well as the environment variables, the environment variables take priority.
For example:
### Parameter Example
```ruby
describe azure_resource_group_resource_counts(name: 'ChefAutomate') do
its('total') { should eq 7}
its('nic_count') { should eq 1 }
its('vm_count') { should eq 1 }
its('total') { should eq 7}
its('nic_count') { should eq 1 }
its('vm_count') { should eq 1 }
end
```
<br>
## Properties
* `name`, `location` ,`id`, `provisioning_state`, `subscription_id`, `total`, `nic_count`, `vm_count`, `extension_count`, `vnet_count`, `sa_count`, `public_ip_count`,`managed_disk_image_count`, `managed_disk_count`, `tag_count`
<br>
## Property Examples
This InSpec audit resource has the following properties:
### name
Returns the name of the resource group.
```ruby
its(name) { should cmp 'nugget' }
```
### location
Returns where in Azure the resource group is located.
```ruby
its(location) { should cmp 'us-west' }
```
### id
Returns the full qualified ID of the resource group.
This is in the format `/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>`.
### provisioning\_state
```ruby
its(id) { should cmp 'FQDN' }
```
### provisioning_state
The provisioning state of the resource group.
### subscription\_id
```ruby
its(provisioning_state) { should cmp '????' }
```
### subscription_id
Returns the subscription ID which contains the resource group.
This is derived from the `id`.
```ruby
its(subscription_id) { should cmp '????' }
```
### total
The total number of resources in the resource group
### nic\_count
```ruby
its(total) { should eq 5 }
```
### nic_count
The number of network interface cards in the resource group
### vm\_count
```ruby
its(nic_count) { should eq 2 }
```
### vm_count
The number of virtual machines in the resource group
### vnet\_count
```ruby
its(vm_count) { should eq 5 }
```
### vnet_count
The number of virtual networks in the resource group
### sa\_count
```ruby
its(vnet_count) { should eq 5 }
```
### sa_count
The number of storage accounts in the resource group
### public\_ip\_count
```ruby
its(sa_count) { should eq 5 }
```
### public_ip_count
The number of Public IP Addresses in the resource group
### managed\_disk\_image\_count
```ruby
its(public_ip_count) { should eq 5 }
```
### managed_disk_image_count
The number of managed disk images that are in the resource group.
These are the items from which managed disks are created which are attached to machines. Generally the images are created from a base image or a custom image (e.g. Packer)
### managed\_disk\_count
```ruby
its(managed_disk_image_count) { should eq 5 }
```
### managed_disk_count
The number of managed disks in the resource group.
If a resource group contains one virtual machine with an OS disk and 2 data disks that are all Managed Disks, then the count would be 3.
<br>
```ruby
its(managed_disk_count) { should eq 3 }
```
<br>
## Matchers
This resource has a number of `have_xxxx` matchers that provide a simple way to test of a specific Azure Resoure Type exists in the resource group.
The following table shows the methods that are currently supported and what their associated Azure Resource Type is.
### `have_nics`
| Matcher Name | Azure Resource Type |
|-------------|---------------------|
| have_nics | Microsoft.Network/networkInterfaces |
| have_vms | Microsoft.Compute/virtualMachines |
| have_extensions | Microsoft.Compute/virtualMachines/extensions |
| have_nsgs | Microsoft.Network/networkSecurityGroups |
| have_vnets | Microsoft.Network/virtualNetworks |
| have_managed_disks | Microsoft.Compute/disks |
| have_managed_disk_images | Microsoft.Compute/images |
| have_sas | Microsoft.Storage/storageAccounts |
| have_public_ips | Microsoft.Network/publicIPAddresses |
Use this resource to test `
Microsoft.Network/networkInterfaces`
### `have_vms`
Use this resource to test `Microsoft.Compute/virtualMachines`
### `have_extensions`
Use this resource to test `Microsoft.Compute/virtualMachines/extensions``
### `have_nsgs`
Use this resource to test `Microsoft.Network/networkSecurityGroups`
### `have_vnets`
Use this resource to test `Microsoft.Network/virtualNetworks`
### `have_managed_disks`
Use this resource to test `Microsoft.Compute/disks`
### `have_managed_disk_images`
Use this resource to test `Microsoft.Compute/images`
### `have_sas`
Use this resource to test `Microsoft.Storage/storageAccounts`
### `have_public_ips`
Use this resource to test `Microsoft.Network/publicIPAddresses`
With these methods the following tests are possible
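Review bot: in the property examples, `its(name)`, `its(location)`, `its(id)` and the rest pass a bare identifier instead of the property name as a string; `its(name)` calls a method named `name` in the describe block rather than reading the `name` property, so these should follow the earlier examples on the page and be written `its('name')`, `its('location')`, and so on. Several example values also contradict the text: `id` is documented as `/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>` yet the example compares it to `'FQDN'`; `'us-west'` is not an Azure location name (the azure_generic_resource page in this same commit uses `'westeurope'`); and `'????'` for `provisioning_state` and `subscription_id` should become realistic values such as `'Succeeded'` and a clearly labelled placeholder subscription ID. In the Matchers section the first entry is broken: `Use this resource to test \`` ends one line and `Microsoft.Network/networkInterfaces\`` starts the next, so the code span does not render; the `have_extensions` line ends with a stray extra backtick; and every entry says "Use this resource to test" where "Use this matcher to test" is meant. Typos in the same hunk: "test of a specific Azure Resoure Type" should be "test if a specific Azure Resource Type", and the properties list needs consistent spacing around its commas (`` `location` ,`id` `` and `` `public_ip_count`,`managed_disk_image_count` ``).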
@ -146,8 +263,6 @@ With these methods the following tests are possible
it { should have_nics }
it { should_not have_extensions }
```
## Tags
It is possible to test the tags that have been assigned to the resource. There are a number of properties that can be called to check that it has tags, that it has the correct number and that the correct ones are assigned.
@ -190,7 +305,7 @@ Then a property is available called `Owner_tag`.
```ruby
its('Owner_tag') { should cmp 'Russell Seymour' }
```
```
Note: The tag name is case sensitive which makes the test case sensitive. E.g. `owner_tag` does not equal `Owner_tag`.

@ -4,7 +4,7 @@ title: About the windows_task Resource
# windows_task
Use the `windows_task` Inspec audit resource to test a scheduled tasks configuration on a Windows platform.
Use the `windows_task` InSpec audit resource to test a scheduled tasks configuration on a Windows platform.
Microsoft and application vendors use scheduled tasks to perform a variety of system maintaince tasks but system administrators can schedule their own.
<br>
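Review bot: "a scheduled tasks configuration" in the changed line should be "a scheduled task's configuration" (possessive), and the context line below has "maintaince" for "maintenance"; both are worth fixing while this paragraph is being touched.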