No description
Find a file
Paul Welch 27203110cd Add AWS hardware MFA matcher (#2892)
* Add AWS hardware MFA matcher
Adding a hardware as well as a virtual MFA matcher for aws_iam_root_user
resource

* Add New AWS Root Matcher Docs
- Add documentation for new root MFA matchers
- Fix logic for checking MFA devices from feedback on PR

* Add Integration tests for MFA matchers
- Add integration tests for virtual and hardware MFA matchers
- Clean up logic for has_virtual_mfa_enabled? method

Signed-off-by: Paul Welch <pwelch@chef.io>
2018-04-03 09:13:52 -04:00
.expeditor Add 1.x and 2.x release branches (#2651) 2018-02-15 14:50:24 -05:00
.github Update CODEOWNERS file (#2398) 2017-12-15 11:30:28 -05:00
bin Remove any "All Rights Reserved" references (#1969) 2017-06-28 04:14:19 -07:00
ci Updated omnibus postinst script to symlink to appbundle created binstubs (#2732) 2018-02-28 13:47:08 -05:00
docs Add AWS hardware MFA matcher (#2892) 2018-04-03 09:13:52 -04:00
examples Fix: pointed concurrent-ruby to version 1.0 to fix dependencies (#2879) 2018-03-26 14:28:11 -04:00
habitat Habitat build works for all versions, eliminates rake (#2301) 2017-11-14 05:01:51 +01:00
lib Add AWS hardware MFA matcher (#2892) 2018-04-03 09:13:52 -04:00
omnibus Update to newer sha for our forked unf_ext to resolve AIX builds. (#2870) 2018-03-23 10:18:06 -04:00
support/ci Add rake task for flushing Fastly cache 2017-04-28 14:22:00 -04:00
tasks HM website optimization (#2699) 2018-02-19 13:14:01 -08:00
test Add AWS hardware MFA matcher (#2892) 2018-04-03 09:13:52 -04:00
www fix(homebrew): correct homebrew installation command (#2832) 2018-03-19 12:53:05 -04:00
.gitignore Various small fixes/adjustments to the integration tests for AWS and Azure (#2745) 2018-02-26 16:37:36 -05:00
.kitchen.chef.yml Change Atlas to VagrantCloud (#2372) 2017-12-05 12:21:06 -05:00
.kitchen.ec2.yml call ssh cookbook from prepare cookbook 2017-01-03 11:40:09 +01:00
.kitchen.vagrant.yml Add wildcard support to Utils::FindFiles (#2159) 2017-09-23 09:17:34 +02:00
.kitchen.yml update chef version for openssl cookbook 2017-05-30 23:09:21 -05:00
.rubocop.yml move /tutorial to /demo (#2700) 2018-02-19 16:57:19 -08:00
.travis.yml Now that release-2.0 has merged into master you don't need to test it anymore! (#2718) 2018-02-21 16:45:29 -08:00
appveyor.yml Ruby 2.5.0 is released and stable we need to start testing (#2604) 2018-02-13 12:39:47 -05:00
Berksfile run integration tests in docker 2016-05-16 18:25:17 +02:00
CHANGELOG.md Update CHANGELOG.md to reflect the promotion of 2.1.21 2018-03-29 18:55:33 +00:00
CONTRIBUTING.md Fix issue template link in CONTRIBUTING.md (#2321) 2017-11-27 10:26:39 -05:00
Dockerfile Update CHANGELOG.md to reflect the promotion of 2.1.21 2018-03-29 18:55:33 +00:00
Gemfile Add pry-byebug to our Gemfile. We all install this anyway, lets make it a (#2889) 2018-03-28 11:23:06 -04:00
inspec.gemspec Pin to Train 1.3.0. (#2898) 2018-03-29 12:51:10 -04:00
ISSUE_TEMPLATE.md emoji in issue template (#2743) 2018-02-26 11:08:51 -05:00
LICENSE license belongs in LICENSE 2015-11-03 10:04:16 -08:00
MAINTAINERS.md Update maintainers file. (#2728) 2018-02-22 10:45:22 -05:00
MAINTAINERS.toml Update maintainers file. (#2728) 2018-02-22 10:45:22 -05:00
netlify.toml move /tutorial to /demo (#2700) 2018-02-19 16:57:19 -08:00
Rakefile Various small fixes/adjustments to the integration tests for AWS and Azure (#2745) 2018-02-26 16:37:36 -05:00
README.md Fix typo in some docs (#2841) 2018-03-20 08:43:30 -04:00
VERSION Bump version to 2.1.21 by Expeditor 2018-03-29 17:02:13 +00:00

InSpec: Inspect Your Infrastructure

Slack Build Status Master Build Status Master

InSpec is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.

# Disallow insecure protocols by testing

describe package('telnetd') do
  it { should_not be_installed }
end

describe inetd_conf do
  its("telnet") { should eq nil }
end

InSpec makes it easy to run your tests wherever you need. More options are found in our CLI docs.

# run test locally
inspec exec test.rb

# run test on remote host on SSH
inspec exec test.rb -t ssh://user@hostname -i /path/to/key

# run test on remote host using SSH agent private key authentication. Requires InSpec 1.7.1
inspec exec test.rb -t ssh://user@hostname

# run test on remote windows host on WinRM
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'

# run test on docker container
inspec exec test.rb -t docker://container_id

Features

  • Built-in Compliance: Compliance no longer occurs at the end of the release cycle
  • Targeted Tests: InSpec writes tests that specifically target compliance issues
  • Metadata: Includes the metadata required by security and compliance pros
  • Easy Testing: Includes a command-line interface to run tests quickly

Installation

InSpec requires Ruby ( >1.9 ).

Install as package

The InSpec package is available for MacOS, RedHat, Ubuntu and Windows. Download the latest package at InSpec Downloads or install InSpec via script:

# RedHat, Ubuntu, and macOS
curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec

# Windows
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project inspec

Install it via rubygems.org

When installing from source, gem dependencies may require ruby build tools to be installed.

For CentOS/RedHat/Fedora:

yum -y install ruby ruby-devel make gcc gcc-c++

For Ubuntu:

apt-get -y install ruby ruby-dev gcc g++ make

To install inspec from rubygems:

gem install inspec

Usage via Docker

Download the image and define a function for convenience:

For Linux:

docker pull chef/inspec
function inspec { docker run -it --rm -v $(pwd):/share chef/inspec $@; }

For Windows (PowerShell):

docker pull chef/inspec
function inspec { docker run -it --rm -v "$(pwd):/share" chef/inspec $args; }

If you call inspec from your shell, it automatically mounts the current directory into the Docker container. Therefore you can easily use local tests and key files. Note: Only files in the current directory and sub-directories are available within the container.

$ ls -1
vagrant
test.rb

$ inspec exec test.rb -t ssh://root@192.168.64.2:11022 -i vagrant
..

Finished in 0.04321 seconds (files took 0.54917 seconds to load)
2 examples, 0 failures

Install it from source

That requires bundler:

bundle install
bundle exec bin/inspec help

To install it as a gem locally, run:

gem build inspec.gemspec
gem install inspec-*.gem

On Windows, you need to install Ruby with Ruby Development Kit to build dependencies with its native extensions.

Install via Habitat

Currently, this method of installation only supports Linux. See the Habitat site for more information.

Download the hab binary from the Habitat site.

hab pkg install chef/inspec
export PATH="$(hab pkg path core/ruby)/bin:$(hab pkg path chef/inspec)/bin:$PATH"

inspec

Run InSpec

You should now be able to run:

$ inspec --help
Commands:
  inspec archive PATH                # archive a profile to tar.gz (default) ...
  inspec check PATH                  # verify all tests at the specified PATH
  inspec compliance SUBCOMMAND ...   # Chef Compliance commands
  inspec detect                      # detect the target OS
  inspec exec PATH(S)                # run all test files at the specified PATH.
  inspec help [COMMAND]              # Describe available commands or one spe...
  inspec init TEMPLATE ...           # Scaffolds a new project
  inspec json PATH                   # read all tests in PATH and generate a ...
  inspec shell                       # open an interactive debugging shell
  inspec supermarket SUBCOMMAND ...  # Supermarket commands
  inspec version                     # prints the version of this tool

Options:
  [--diagnose], [--no-diagnose]  # Show diagnostics (versions, configurations)

Examples

  • Only accept requests on secure ports - This test ensures that a web server is only listening on well-secured ports.
describe port(80) do
  it { should_not be_listening }
end

describe port(443) do
  it { should be_listening }
  its('protocols') {should include 'tcp'}
end
  • Use approved strong ciphers - This test ensures that only enterprise-compliant ciphers are used for SSH servers.
describe sshd_config do
   its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
end
  • Test your kitchen.yml file to verify that only Vagrant is configured as the driver. The %w() formatting will pass rubocop linting and allow you to access nested mappings.
describe yaml('.kitchen.yml') do
  its(%w(driver name)) { should eq('vagrant') }
end

Also have a look at our examples for:

Or tests: Testing for a OR b

  • Using describe.one, you can test for a or b. The control will be marked as passing if EITHER condition is met.
control 'or-test' do
  impact 1.0
  title 'This is a OR test'
  describe.one do
    describe ssh_config do
      its('Protocol') { should eq('3') }
    end
    describe ssh_config do
      its('Protocol') { should eq('2') }
    end
  end
end

Command Line Usage

exec

Run tests against different targets:

# run test locally
inspec exec test.rb

# run test on remote host on SSH
inspec exec test.rb -t ssh://user@hostname

# run test on remote windows host on WinRM
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'

# run test on docker container
inspec exec test.rb -t docker://container_id

# run with sudo
inspec exec test.rb --sudo [--sudo-password ...] [--sudo-options ...] [--sudo_command ...]

# run in a subshell
inspec exec test.rb --shell [--shell-options ...] [--shell-command ...]

# run a profile targeting AWS using env vars
inspec exec test.rb -t aws://

# or store your AWS credentials in your ~/.aws/credentials profiles file
inspec exec test.rb -t aws://us-east-2/my-profile

# run a profile targeting Azure using env vars
inspec exec test.rb -t azure://

# or store your Azure credentials in your ~/.azure/credentials profiles file
inspec exec test.rb -t azure://subscription_id

detect

Verify your configuration and detect

id=$( docker run -dti ubuntu:14.04 /bin/bash )
inspec detect -t docker://$id

Which will provide you with:

{"family":"ubuntu","release":"14.04","arch":null}

Supported OS

Remote Targets

Platform Versions Architectures
AIX 6.1, 7.1, 7.2 ppc64
CentOS 5, 6, 7 i386, x86_64
Debian 7, 8 i386, x86_64
FreeBSD 9, 10 i386, amd64
Mac OS X 10.9, 10.10, 10.11 x86_64
Oracle Enterprise Linux 5, 6, 7 i386, x86_64
Red Hat Enterprise Linux 5, 6, 7 i386, x86_64
Solaris 10, 11 sparc, x86
Windows 7, 8, 8.1, 10, 2008, 2008R2 , 2012, 2012R2, 2016 x86, x86_64
Ubuntu Linux x86, x86_64
SUSE Linux Enterprise Server 11, 12 x86_64
Scientific Linux 5.x, 6.x and 7.x i386, x86_64
Fedora x86_64
OpenSUSE 13.1/13.2/42.1 x86_64
OmniOS x86_64
Gentoo Linux x86_64
Arch Linux x86_64
HP-UX 11.31 ia64

For Windows, PowerShell 3.0 or above is required.

In addition, runtime support is provided for:

Platform Versions
Debian 8
RHEL 6, 7
Ubuntu 12.04+
Windows 7+
Windows 2012+

Documentation

Documentation

Tutorials/Blogs/Podcasts:

Relationship to other tools (RSpec, Serverspec):

Share your Profiles

You may share your InSpec Profiles in the Tools & Plugins section of the Chef Supermarket. Sign in and add the details of your profile.

You may also browse the Supermarket for shared Compliance Profiles.

Kudos

InSpec is inspired by the wonderful Serverspec project. Kudos to mizzy and all contributors!

The AWS resources were inspired by inspec-aws from arothian.

Contribute

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

The InSpec community and maintainers are very active and helpful. This project benefits greatly from this activity.

InSpec health

Testing InSpec

We offer unit, integration, and aws tests.

  • unit tests ensure the intended behaviour of the implementation
  • integration tests run against Docker-based VMs via test-kitchen and kitchen-inspec
  • aws tests exercise the AWS resources against real AWS accounts

Unit tests

bundle exec rake test

If you like to run only one test file:

bundle exec m test/unit/resources/user_test.rb

You may also run a single test within a file by line number:

bundle exec m test/unit/resources/user_test.rb -l 123

Integration tests

These tests download various virtual machines, to ensure InSpec is working as expected across different operating systems.

These tests require the following gems:

  • test-kitchen
  • kitchen-dokken
  • kitchen-inspec

These gems are provided via the integration group in the project's Gemfile.

In addition, these test require Docker to be available on your machine or a remote Docker machine configured via the standard Docker environment variables.

Running Integration tests

List the various test instances available:

bundle exec kitchen list

The platforms and test suites are configured in the .kitchen.yml file. Once you know which instance you wish to test, test that instance:

bundle exec kitchen test <INSTANCE_NAME>

You may test all instances in parallel with:

bundle exec kitchen test -c

AWS Tests

Use the rake task bundle exec rake test:aws to test the AWS resources against a pair of real AWS accounts.

Please see TESTING_AGAINST_AWS.md for details on how to setup the needed AWS accounts to perform testing.

License

Author: Dominik Richter (drichter@chef.io)
Author: Christoph Hartmann (chartmann@chef.io)
Copyright: Copyright (c) 2015 Vulcano Security GmbH.
Copyright: Copyright (c) 2017 Chef Software Inc.
License: Apache License, Version 2.0

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.