mirror of
https://github.com/inspec/inspec
synced 2024-12-03 18:09:32 +00:00
Fixes formatting on aws/azure resources
Signed-off-by: kagarmoe <kgarmoe@chef.io>
This commit is contained in:
parent
b9162f5c1b
commit
d63d15c457
12 changed files with 230 additions and 95 deletions
|
@ -4,7 +4,7 @@ title: About the audit_policy Resource
|
|||
|
||||
# audit_policy
|
||||
|
||||
Use the `audit_policy` Inspec audit resource to test auditing policies on the Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each enabled auditing category property, the auditing level may be set to `No Auditing`, `Not Specified`, `Success`, `Success and Failure`, or `Failure`.
|
||||
Use the `audit_policy` InSpec audit resource to test auditing policies on the Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each enabled auditing category property, the auditing level may be set to `No Auditing`, `Not Specified`, `Success`, `Success and Failure`, or `Failure`.
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
@ -120,4 +120,4 @@ This InSpec audit resource has the following special matchers. For a full list o
|
|||
|
||||
The `be_active` matcher tests if the described IAM access key is active.
|
||||
|
||||
it { should be_active }
|
||||
it { should be_active }
|
||||
|
|
|
@ -3,7 +3,7 @@ title: About the aws_iam_policy Resource
|
|||
platform: aws
|
||||
---
|
||||
|
||||
# aws_iam_policy
|
||||
# aws\_iam\_policy
|
||||
|
||||
Use the `aws_iam_policy` InSpec audit resource to test properties of a single managed AWS IAM Policy.
|
||||
|
||||
|
|
|
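Review bot: escaping the underscores in the heading (`# aws\_iam\_policy`) makes it inconsistent with the unescaped `# audit_policy` and `# windows_task` headings touched by this same commit. Pick one convention for resource-name headings: leave them unescaped everywhere (CommonMark/GFM renderers do not treat intraword underscores as emphasis) or wrap the name in backticks, but not a mix.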
@ -48,6 +48,8 @@ A textual description of the IAM Role.
|
|||
|
||||
## Matchers
|
||||
|
||||
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
||||
|
||||
### exist
|
||||
|
||||
Indicates that the Role Name provided was found. Use should_not to test for IAM Roles that should not exist.
|
||||
|
|
|
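Review bot: the matcher heading here is `### exist` while the sibling pages in this commit (aws_kms_keys, aws_security_group, aws_security_groups, aws_vpcs) use `### exists`; `exist` is the name actually used in the examples (`it { should exist }`), so the other pages should be aligned to this one rather than the reverse. Also, `should_not` in "Use should_not to test for IAM Roles that should not exist" is code and should be in backticks.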
@ -71,7 +71,7 @@ Provides a list of key ids for all KMS Keys in the AWS account.
|
|||
|
||||
## Matchers
|
||||
|
||||
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
||||
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
||||
|
||||
### exists
|
||||
|
||||
|
|
|
@ -109,6 +109,8 @@ If there is no bucket policy, this property returns an empty array.
|
|||
s.effect == 'Allow' && s.principal == '*'
|
||||
end
|
||||
|
||||
<br>
|
||||
|
||||
## Matchers
|
||||
|
||||
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
||||
|
|
|
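Review bot: the raw `<br>` inserted before `## Matchers` is an HTML spacer inside a Markdown file, and it is added here but not in the aws_iam_role hunk of the same commit, so section spacing will differ from page to page. Either drop it (a blank line before the heading is enough) or add it consistently across the resource pages.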
@ -83,27 +83,23 @@ A string identifying the VPC that contains the security group. Since VPCs common
|
|||
end
|
||||
|
||||
<br>
|
||||
|
||||
## Matchers
|
||||
|
||||
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
||||
|
||||
### exists
|
||||
|
||||
The control will pass if the specified SG was found. Use should_not if you want to verify that the specified SG does not exist.
|
||||
|
||||
# You will always have at least one SG, the VPC default SG
|
||||
describe aws_security_group(group_name: 'default')
|
||||
it { should exist }
|
||||
end
|
||||
|
||||
# Make sure we don't have any security groups with the name 'nogood'
|
||||
describe aws_security_group(group_name: 'nogood')
|
||||
it { should_not exist }
|
||||
end
|
||||
|
||||
## Properties
|
||||
|
||||
* `description`, `group_id', `group_name`, `vpc_id`
|
||||
|
||||
<br>
|
||||
|
||||
## Property Examples
|
||||
|
||||
### description
|
||||
|
||||
A String reflecting the human-meaningful description that was given to the SG at creation time.
|
||||
|
||||
# Require a description of a particular group
|
||||
describe aws_security_group('sg-12345678') do
|
||||
its('description') { should_not be_empty }
|
||||
end
|
||||
|
||||
### group\_id
|
||||
|
||||
Provides the Security Group ID.
|
||||
|
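Review bot: the two `describe aws_security_group(group_name: ...)` examples under `### exists` are missing the `do` that opens the block, so as written they are not valid Ruby; compare `describe aws_security_group('sg-12345678') do` under `### description` in the same hunk. The properties line also closes `group_id` with a straight quote (`group_id'`) instead of a backtick, which will break the code-span rendering for the rest of that line.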
@ -125,15 +121,6 @@ A String reflecting the name that was given to the SG at creation time.
|
|||
its('group_name') { should cmp 'my_group' }
|
||||
end
|
||||
|
||||
### description
|
||||
|
||||
A String reflecting the human-meaningful description that was given to the SG at creation time.
|
||||
|
||||
# Require a description of a particular group
|
||||
describe aws_security_group('sg-12345678') do
|
||||
its('description') { should_not be_empty }
|
||||
end
|
||||
|
||||
### vpc\_id
|
||||
|
||||
A String in the format 'vpc-' followed by 8 hexadecimal characters reflecting VPC that contains the security group.
|
||||
|
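Review bot: the `### vpc_id` description at the end of this hunk is missing an article: "reflecting VPC that contains the security group" should read "reflecting the VPC that contains the security group". The duplicate `### description` block dropped here is the copy that already appears above `### group_id`, so nothing is lost by removing it.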
@ -141,4 +128,25 @@ A String in the format 'vpc-' followed by 8 hexadecimal characters reflecting VP
|
|||
# Inspec the VPC ID of a particular group
|
||||
describe aws_security_group('sg-12345678') do
|
||||
its('vpc_id') { should cmp 'vpc-12345678' }
|
||||
end
|
||||
end
|
||||
|
||||
<br>
|
||||
|
||||
## Matchers
|
||||
|
||||
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
||||
|
||||
### exists
|
||||
|
||||
The control will pass if the specified SG was found. Use should_not if you want to verify that the specified SG does not exist.
|
||||
|
||||
# You will always have at least one SG, the VPC default SG
|
||||
describe aws_security_group(group_name: 'default')
|
||||
it { should exist }
|
||||
end
|
||||
|
||||
# Make sure we don't have any security groups with the name 'nogood'
|
||||
describe aws_security_group(group_name: 'nogood')
|
||||
it { should_not exist }
|
||||
end
|
||||
|
||||
|
|
|
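Review bot: the moved `### exists` examples carry the missing `do` with them (`describe aws_security_group(group_name: 'default')` and `describe aws_security_group(group_name: 'nogood')` both need `do` to open the block), so the syntax error survives in the copy that remains; fix it here. The comment at the top of the hunk, `# Inspec the VPC ID of a particular group`, should read `# Inspect the VPC ID of a particular group`.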
@ -50,10 +50,16 @@ A string identifying a group. Since groups are contained in VPCs, group names ar
|
|||
it { should exist }
|
||||
end
|
||||
|
||||
<br>
|
||||
|
||||
## Properties
|
||||
|
||||
* `entries`, `group\_ids`
|
||||
|
||||
<br>
|
||||
|
||||
## Property Examples
|
||||
|
||||
### entries
|
||||
|
||||
Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.
|
||||
|
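Review bot: the new properties line writes `group\_ids` inside backticks, but backslashes are literal inside a code span, so it will render with the backslash visible. Write `group_ids` unescaped inside the backticks, as the other property lists in this commit do.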
@ -73,7 +79,7 @@ Provides a list of all security group IDs matched.
|
|||
|
||||
## Matchers
|
||||
|
||||
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
||||
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
||||
|
||||
### exists
|
||||
|
||||
|
|
|
@ -36,7 +36,7 @@ As this is the initial release of `aws_vpcs`, its limited functionality preclude
|
|||
|
||||
## Matchers
|
||||
|
||||
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
||||
This InSpec audit resource has the following special matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
||||
|
||||
### exists
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ title: About the azure_generic_resource Resource
|
|||
|
||||
# azure\_generic\_resource
|
||||
|
||||
Use the `azure_generic_resource` Inspec audit resource to test any valid Azure Resource. This is very useful if you need to test something that we do not yet have a specific Inspec resource for.
|
||||
Use the `azure_generic_resource` InSpec audit resource to test any valid Azure Resource. This is very useful if you need to test something that we do not yet have a specific Inspec resource for.
|
||||
|
||||
## Syntax
|
||||
|
||||
|
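Review bot: the capitalisation fix is incomplete: the new line still ends with "something that we do not yet have a specific Inspec resource for", so the sentence now mixes `InSpec` and `Inspec`. Change the second occurrence to `InSpec` as well.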
@ -16,20 +16,19 @@ Use the `azure_generic_resource` Inspec audit resource to test any valid Azure R
|
|||
|
||||
where
|
||||
|
||||
* Resource Parameters
|
||||
* `MyResourceGroup` is the name of the resource group that contains the Azure Resource to be validated
|
||||
* `MyResource` is the name of the resource that needs to be checked
|
||||
* `MyResourceGroup` is the name of the resource group that contains the Azure Resource to be validated
|
||||
* `MyResource` is the name of the resource that needs to be checked
|
||||
* `property` - This generic resource dynamically creates the properties on the fly based on the type of resource that has been targetted.
|
||||
* `value` is the expected output from the chosen property
|
||||
|
||||
The options that can be passed to the resource are as follows.
|
||||
|
||||
| Name | Description | Required | Example |
|
||||
|-------------|---------------------------------------------------------------------------------------------------------------------|----------|-----------------------------------|
|
||||
| group_name: | Azure Resource Group to be tested | yes | MyResourceGroup |
|
||||
| name: | Name of the Azure resource to test | no | MyVM |
|
||||
| type: | Azure Resource Type to look for | no | Microsoft.Compute/virtualMachines |
|
||||
| apiversion: | API Version to use when interrogating the resource. If not set then the latest version for the resoure type is used | no | 2017-10-9 |
|
||||
The options that can be passed to the resource are as follows.
|
||||
|
||||
* `group_name`, the Azure resource group to be tested. Example: 'MyResourceGroup' (required)
|
||||
* `name`, the name of the Azure resource to test. Example: 'MyVM'
|
||||
* `type`, the Azure resource type. Example: 'Microsoft.Compute/virtualMachines'
|
||||
* `apiversion`, the API Version to use when querying the resource. Defaults to the latest version for the resoure type is used. Example: 2017-10-9
|
||||
|
||||
These options can also be set using the environment variables:
|
||||
|
||||
|
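Review bot: the `apiversion` bullet keeps the table's broken grammar: "Defaults to the latest version for the resoure type is used" should be "Defaults to the latest version for the resource type" (also fixing "resoure"). In the unchanged context just above, "targetted" in the `property` bullet should be "targeted"; worth fixing while the list is being rewritten.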
@ -42,18 +41,17 @@ When the options have been set as well as the environment variables, the environ
|
|||
|
||||
There are _normally_ three standard tests that can be performed on a resource.
|
||||
|
||||
| Name | Description |
|
||||
|------|-------------|
|
||||
| name | Name of the resource |
|
||||
| type | Type of resource |
|
||||
| location | Location of the resource within Azure |
|
||||
* `name`: tests the resource name
|
||||
* `type`: tests the resource type
|
||||
* `location`: tests the resource's location within Azure
|
||||
|
||||
For example:
|
||||
## Example
|
||||
|
||||
```ruby
|
||||
describe azure_generic_resource(group_name: 'Inspec-Azure', name: 'Linux-Internal-VM') do
|
||||
its('location') { should eq 'westeurope' }
|
||||
end
|
||||
```ruby
|
||||
describe azure_generic_resource(group_name: 'Inspec-Azure', name: 'Linux-Internal-VM') do
|
||||
its('location') { should eq 'westeurope' }
|
||||
end
|
||||
```
|
||||
```
|
||||
|
||||
## Properties
|
||||
|
@ -76,4 +74,8 @@ Please see the integration tests for in depth examples of how this resource can
|
|||
- [Generic Virtual Network](../test/integration/verify/controls/generic_virtual_network.rb)
|
||||
- [Generic Windows Internal VM NIC](../test/integration/verify/controls/generic_windows_internal_vm_nic.rb)
|
||||
- [Generic Windows Internal VM](../test/integration/verify/controls/generic_windows_internal_vm.rb)
|
||||
|
||||
## Matchers
|
||||
|
||||
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
||||
|
|
@ -10,11 +10,11 @@ Use the `azure_resource_group_resource_counts` InSpec audit resource to check th
|
|||
|
||||
The name of the resource group is specified as a parameter on the resource:
|
||||
|
||||
```ruby
|
||||
describe azure_resource_group(name: 'MyResourceGroup') do
|
||||
its('property') { should eq 'value' }
|
||||
end
|
||||
```
|
||||
```ruby
|
||||
describe azure_resource_group(name: 'MyResourceGroup') do
|
||||
its('property') { should eq 'value' }
|
||||
end
|
||||
```
|
||||
|
||||
where
|
||||
|
||||
|
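Review bot: the syntax example in this hunk describes the wrong resource: `describe azure_resource_group(name: 'MyResourceGroup') do` should be `describe azure_resource_group_resource_counts(name: 'MyResourceGroup') do`, which is the resource this page documents and the name used in the examples further down (`azure_resource_group_resource_counts(name: 'Inspec-Azure')`). The block is being re-indented anyway, so this is the moment to fix it.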
@ -25,10 +25,51 @@ where
|
|||
|
||||
The options that can be passed to the resource are as follows.
|
||||
|
||||
| Name | Description | Required | Example |
|
||||
|-------------|---------------------------------------------------------------------------------------------------------------------|----------|-----------------------------------|
|
||||
| group_name: | Azure Resource Group to be tested | yes | MyResourceGroup |
|
||||
| name: | Name of the Azure resource to test | no | MyVM |
|
||||
## Examples
|
||||
|
||||
The following examples show how to use this InSpec audit resource
|
||||
|
||||
Please refer the integration tests for more in depth examples:
|
||||
|
||||
- [Resource Group](../../test/integration/verify/controls/resource_group.rb)
|
||||
|
||||
### Test Resource Group has the correct number of resources
|
||||
|
||||
```ruby
|
||||
describe azure_resource_group_resource_counts(name: 'Inspec-Azure') do
|
||||
its('total') { should eq 7}
|
||||
```
|
||||
|
||||
### Ensure that the Resource Group contains the correct resources
|
||||
|
||||
```ruby
|
||||
describe azure_resource_group_resource_counts(name: 'Inspec-Azure') do
|
||||
its('total') { should eq 7 }
|
||||
its('vm_count') { should eq 2 }
|
||||
its('nic_count') { should eq 2 }
|
||||
its('public_ip_count') { should eq 1 }
|
||||
its('sa_count') { should eq 1 }
|
||||
its('vnet_count') { should eq 1 }
|
||||
end
|
||||
```
|
||||
|
||||
<br>
|
||||
|
||||
## Resource Parameters
|
||||
|
||||
The options that can be passed to the resource are as follows.
|
||||
|
||||
### `group_name` (required)
|
||||
|
||||
Use this parameter to define the Azure Resource Group to be tested.
|
||||
|
||||
example: MyResourceGroup
|
||||
|
||||
### name
|
||||
|
||||
Use this parameter to define the name of the Azure resource to test
|
||||
|
||||
example: MyVM
|
||||
|
||||
If both `group_name` and `name` is set then `name` will take priority
|
||||
|
||||
|
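Review bot: the first example under `### Test Resource Group has the correct number of resources` is missing its closing `end` (the `describe ... do` block runs straight into the fence), and `should eq 7}` needs a space before the brace as in the second example. The new `## Resource Parameters` section also contradicts the examples: it documents `group_name` as the resource group and `name` as "the name of the Azure resource to test", yet this page passes the resource group as `name:` ("The name of the resource group is specified as a parameter on the resource" above, `name: 'Inspec-Azure'` in the examples). Please confirm which parameter this resource actually accepts and document only that; the closing sentence "If both `group_name` and `name` is set" should in any case read "are set". Minor: "Please refer the integration tests" should be "Please refer to the integration tests".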
@ -39,106 +80,182 @@ These options can also be set using the environment variables:
|
|||
|
||||
When the options have been set as well as the environment variables, the environment variables take priority.
|
||||
|
||||
For example:
|
||||
### Parameter Example
|
||||
|
||||
```ruby
|
||||
describe azure_resource_group_resource_counts(name: 'ChefAutomate') do
|
||||
its('total') { should eq 7}
|
||||
its('nic_count') { should eq 1 }
|
||||
its('vm_count') { should eq 1 }
|
||||
its('total') { should eq 7}
|
||||
its('nic_count') { should eq 1 }
|
||||
its('vm_count') { should eq 1 }
|
||||
end
|
||||
```
|
||||
|
||||
<br>
|
||||
|
||||
## Properties
|
||||
|
||||
* `name`, `location` ,`id`, `provisioning_state`, `subscription_id`, `total`, `nic_count`, `vm_count`, `extension_count`, `vnet_count`, `sa_count`, `public_ip_count`,`managed_disk_image_count`, `managed_disk_count`, `tag_count`
|
||||
|
||||
|
||||
<br>
|
||||
|
||||
## Property Examples
|
||||
|
||||
This InSpec audit resource has the following properties:
|
||||
|
||||
### name
|
||||
|
||||
Returns the name of the resource group.
|
||||
|
||||
```ruby
|
||||
its(name) { should cmp 'nugget' }
|
||||
```
|
||||
|
||||
### location
|
||||
|
||||
Returns where in Azure the resource group is located.
|
||||
|
||||
```ruby
|
||||
its(location) { should cmp 'us-west' }
|
||||
```
|
||||
|
||||
### id
|
||||
|
||||
Returns the full qualified ID of the resource group.
|
||||
|
||||
This is in the format `/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>`.
|
||||
|
||||
### provisioning\_state
|
||||
```ruby
|
||||
its(id) { should cmp 'FQDN' }
|
||||
```
|
||||
|
||||
### provisioning_state
|
||||
|
||||
The provisioning state of the resource group.
|
||||
|
||||
### subscription\_id
|
||||
```ruby
|
||||
its(provisioning_state) { should cmp '????' }
|
||||
```
|
||||
|
||||
### subscription_id
|
||||
|
||||
Returns the subscription ID which contains the resource group.
|
||||
|
||||
This is derived from the `id`.
|
||||
|
||||
```ruby
|
||||
its(subscription_id) { should cmp '????' }
|
||||
```
|
||||
|
||||
### total
|
||||
|
||||
The total number of resources in the resource group
|
||||
|
||||
### nic\_count
|
||||
```ruby
|
||||
its(total) { should eq 5 }
|
||||
```
|
||||
|
||||
### nic_count
|
||||
|
||||
The number of network interface cards in the resource group
|
||||
|
||||
### vm\_count
|
||||
```ruby
|
||||
its(nic_count) { should eq 2 }
|
||||
```
|
||||
|
||||
### vm_count
|
||||
|
||||
The number of virtual machines in the resource group
|
||||
|
||||
### vnet\_count
|
||||
```ruby
|
||||
its(vm_count) { should eq 5 }
|
||||
```
|
||||
|
||||
### vnet_count
|
||||
|
||||
The number of virtual networks in the resource group
|
||||
|
||||
### sa\_count
|
||||
```ruby
|
||||
its(vnet_count) { should eq 5 }
|
||||
```
|
||||
|
||||
### sa_count
|
||||
|
||||
The number of storage accounts in the resource group
|
||||
|
||||
### public\_ip\_count
|
||||
```ruby
|
||||
its(sa_count) { should eq 5 }
|
||||
```
|
||||
|
||||
### public_ip_count
|
||||
|
||||
The number of Public IP Addresses in the resource group
|
||||
|
||||
### managed\_disk\_image\_count
|
||||
```ruby
|
||||
its(public_ip_count) { should eq 5 }
|
||||
```
|
||||
|
||||
### managed_disk_image_count
|
||||
|
||||
The number of managed disk images that are in the resource group.
|
||||
|
||||
These are the items from which managed disks are created which are attached to machines. Generally the images are created from a base image or a custom image (e.g. Packer)
|
||||
|
||||
### managed\_disk\_count
|
||||
```ruby
|
||||
its(managed_disk_image_count) { should eq 5 }
|
||||
```
|
||||
|
||||
### managed_disk_count
|
||||
|
||||
The number of managed disks in the resource group.
|
||||
|
||||
If a resource group contains one virtual machine with an OS disk and 2 data disks that are all Managed Disks, then the count would be 3.
|
||||
|
||||
<br>
|
||||
```ruby
|
||||
its(managed_disk_count) { should eq 3 }
|
||||
```
|
||||
|
||||
<br>
|
||||
|
||||
## Matchers
|
||||
|
||||
This resource has a number of `have_xxxx` matchers that provide a simple way to test of a specific Azure Resoure Type exists in the resource group.
|
||||
|
||||
The following table shows the methods that are currently supported and what their associated Azure Resource Type is.
|
||||
### `have_nics`
|
||||
|
||||
| Matcher Name | Azure Resource Type |
|
||||
|-------------|---------------------|
|
||||
| have_nics | Microsoft.Network/networkInterfaces |
|
||||
| have_vms | Microsoft.Compute/virtualMachines |
|
||||
| have_extensions | Microsoft.Compute/virtualMachines/extensions |
|
||||
| have_nsgs | Microsoft.Network/networkSecurityGroups |
|
||||
| have_vnets | Microsoft.Network/virtualNetworks |
|
||||
| have_managed_disks | Microsoft.Compute/disks |
|
||||
| have_managed_disk_images | Microsoft.Compute/images |
|
||||
| have_sas | Microsoft.Storage/storageAccounts |
|
||||
| have_public_ips | Microsoft.Network/publicIPAddresses |
|
||||
Use this resource to test `
|
||||
Microsoft.Network/networkInterfaces`
|
||||
|
||||
### `have_vms`
|
||||
|
||||
Use this resource to test `Microsoft.Compute/virtualMachines`
|
||||
|
||||
### `have_extensions`
|
||||
|
||||
Use this resource to test `Microsoft.Compute/virtualMachines/extensions``
|
||||
|
||||
### `have_nsgs`
|
||||
|
||||
Use this resource to test `Microsoft.Network/networkSecurityGroups`
|
||||
|
||||
### `have_vnets`
|
||||
|
||||
Use this resource to test `Microsoft.Network/virtualNetworks`
|
||||
|
||||
### `have_managed_disks`
|
||||
|
||||
Use this resource to test `Microsoft.Compute/disks`
|
||||
|
||||
### `have_managed_disk_images`
|
||||
|
||||
Use this resource to test `Microsoft.Compute/images`
|
||||
|
||||
### `have_sas`
|
||||
|
||||
Use this resource to test `Microsoft.Storage/storageAccounts`
|
||||
|
||||
### `have_public_ips`
|
||||
|
||||
Use this resource to test `Microsoft.Network/publicIPAddresses`
|
||||
|
||||
With these methods the following tests are possible
|
||||
|
||||
|
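Review bot: every new property example passes a bare identifier to `its`, e.g. `its(name) { should cmp 'nugget' }` and `its(total) { should eq 5 }`; InSpec property tests take the property name as a string, as the rest of this page already does (`its('total') { should eq 7 }`, `its('Owner_tag') { should cmp 'Russell Seymour' }`), so these should be `its('name')`, `its('total')` and so on. Several placeholders also read as unfinished: `'????'` for `provisioning_state` and `subscription_id`, `'FQDN'` for `id` (the sentence just above gives the real format, `/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>`, which would make a clearer example), and `'us-west'` for `location`, where the azure_generic_resource page in this same commit uses `'westeurope'`. In the matcher section, the `have_nics` entry splits its code span across two lines (the backtick opens after "test" and the type name is on the next line), the `have_extensions` entry has a stray extra backtick after `extensions`, and "Use this resource to test" should be "Use this matcher to test for", since these are matchers on the resource; "test of a specific Azure Resoure Type" should be "test whether a specific Azure Resource Type". If the sentence "The following table shows the methods that are currently supported" is kept now that the table is replaced by per-matcher headings, it needs rewording. Smaller points: `should eq 7}` in the parameter example has the same missing space as the earlier hunk, and the `## Properties` list has stray spacing around the commas (`` `location` ,`id` `` and `` `public_ip_count`,`managed_disk_image_count` ``).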
@ -146,8 +263,6 @@ With these methods the following tests are possible
|
|||
it { should have_nics }
|
||||
it { should_not have_extensions }
|
||||
```
|
||||
|
||||
|
||||
## Tags
|
||||
|
||||
It is possible to test the tags that have been assigned to the resource. There are a number of properties that can be called to check that it has tags, that it has the correct number and that the correct ones are assigned.
|
||||
|
@ -190,7 +305,7 @@ Then a property is available called `Owner_tag`.
|
|||
|
||||
```ruby
|
||||
its('Owner_tag') { should cmp 'Russell Seymour' }
|
||||
```
|
||||
```
|
||||
|
||||
Note: The tag name is case sensitive which makes the test case sensitive. E.g. `owner_tag` does not equal `Owner_tag`.
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ title: About the windows_task Resource
|
|||
|
||||
# windows_task
|
||||
|
||||
Use the `windows_task` Inspec audit resource to test a scheduled tasks configuration on a Windows platform.
|
||||
Use the `windows_task` InSpec audit resource to test a scheduled tasks configuration on a Windows platform.
|
||||
Microsoft and application vendors use scheduled tasks to perform a variety of system maintaince tasks but system administrators can schedule their own.
|
||||
|
||||
<br>
|
||||
|
|
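Review bot: the fixed sentence still reads "a scheduled tasks configuration", which should be "a scheduled task's configuration", and the unchanged context line right below it has "system maintaince tasks" (should be "maintenance"). Both are worth fixing while this file is open.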