No description
Find a file
2015-11-24 16:46:17 +01:00
.delivery do not load maintenance gems during testing 2015-10-30 17:30:44 +01:00
bin update cli description of --path 2015-11-02 02:06:14 +01:00
docs Added links to the different sections. 2015-11-19 15:22:15 +01:00
examples/test-kitchen change test-kitchen example from rule to control 2015-11-13 08:32:05 +01:00
lib rewrite extraction of values 2015-11-24 16:46:17 +01:00
tasks fix more lint issues 2015-10-30 17:18:50 +01:00
test add more case-insensitive tests 2015-11-23 16:25:33 +01:00
.gitignore ignore local bundle config 2015-10-26 11:36:42 +01:00
.rubocop.yml lint 2015-10-26 04:39:16 +01:00
.travis.yml do not load maintenance gems during testing 2015-10-30 17:30:44 +01:00
CHANGELOG.md 0.9.3 2015-11-20 23:33:18 +01:00
Gemfile add github changelog generator 2015-11-20 22:23:25 +01:00
inspec.gemspec lint 2015-11-13 00:48:52 +01:00
LICENSE license belongs in LICENSE 2015-11-03 10:04:16 -08:00
MAINTAINERS.md A MAINTAINERS file lists the maintainers of the prject 2015-10-30 16:37:53 +01:00
MAINTAINERS.toml A MAINTAINERS file lists the maintainers of the prject 2015-10-30 16:37:53 +01:00
Rakefile configure future changelog version from inspec version 2015-11-20 23:33:18 +01:00
README.md update install instructions and add notes for windows builds 2015-11-23 14:03:50 +01:00

InSpec: Inspect Your Infrastructure

InSpec is open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.

# Disallow insecure protocols by testing

describe package('telnetd') do
  it { should_not be_installed }
end

describe inetd_conf do
  its("telnet") { should eq nil }
end

InSpec makes it easy to run your tests wherever you need.

# run test locally
inspec exec test.rb

# run test on remote host on SSH
inspec exec test.rb -t ssh://user@hostname

# run test on remote windows host on WinRM
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'

# run test on docker container
inspec exec test.rb -t docker://container_id

Features

  • Built-in Compliance: Compliance no longer occurs at the end of the release cycle
  • Targeted Tests: InSpec writes tests that specifically target compliance issues
  • Metadata: Includes the metadata required by security and compliance pros
  • Easy Testing: Includes a command-line interface to run tests quickly

Installation

InSpec requires Ruby ( >1.9 ).

Install it via rubygems.org

gem install inspec

Install it from source

That requires bundler:

bundle install
bundle exec bin/inspec help

To install it as a gem locally, run:

gem build inspec.gemspec
gem install inspec-*.gem

On Windows, you need to install Ruby with Ruby Development Kit to build dependencies with its native extensions.

Run InSpec

You should now be able to run:

$ inspec --help
Commands:
  inspec check PATH      # verify test structure in PATH
  inspec detect          # detect the target OS
  inspec exec PATHS      # run all test files
  inspec help [COMMAND]  # Describe available commands or one specific command
  inspec json PATH       # read all tests in PATH and generate a JSON profile
  inspec shell           # open an interactive debugging shell
  inspec version         # prints the version of this tool

Examples

  • Only accept requests on secure ports - This test ensures that a web server is only listening on well-secured ports.
describe port(80) do
  it { should_not be_listening }
end

describe port(443) do
  it { should be_listening }
  its('protocol') {should eq 'tcp'}
end
  • Use approved strong ciphers - This test ensures that only enterprise-compliant ciphers are used for SSH servers.
describe sshd_config do
   its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
end
  • Test your kitchen.yml file to verify that only Vagrant is configured as the driver.
describe yaml('.kitchen.yml') do
  its('driver.name') { should eq('vagrant') }
end

Also have a look at our example that uses inspec in combination with test-kitchen

Command Line Usage

exec

Run tests against different targets:

# run test locally
inspec exec test.rb

# run test on remote host on SSH
inspec exec test.rb -t ssh://user@hostname

# run test on remote windows host on WinRM
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'

# run test on docker container
inspec exec test.rb -t docker://container_id

# run with sudo
inspec exec test.rb --sudo [--sudo-password ...] [--sudo-options ...]

detect

Verify your configuration and detect

id=$( docker run -dti ubuntu:14.04 /bin/bash )
inspec detect -t docker://$id

Which will provide you with:

{"family":"ubuntu","release":"14.04","arch":null}

Custom InSpec resources

You can easily create your own resources. Here is a custom resource for an application called Gordon. It is saved as gordon_config.rb.

require 'yaml'

class GordonConfig < Inspec.resource(1)
  name 'gordon_config'

  def initialize
    @path = '/etc/gordon/config.yaml'
    @config = inspec.file(@path).content
    @params = YAML.load(@config)
  end

  def method_missing(name)
    @params[name.to_s]
  end
end

Include this file in your test.rb:

require_relative 'gordon_config'

Now you can start using your new resource:

describe gordon_config do
  its('Version') { should eq('1.0') }
end

Documentation

Documentation is available: https://github.com/chef/inspec/tree/master/docs

Kudos

InSpec is inspired by the wonderful Serverspec project. Kudos to mizzy and all contributors!

Contribute

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

Testing InSpec

We perform unit, resource and integration tests.

  • unit tests ensure the intended behaviour of the implementation
  • resource tests run against docker containers
  • integration tests run against VMs via test-kitchen and kitchen-inspec

Unit tests

bundle exec rake test

Resource tests

Resource tests make sure the backend execution layer behaves as expected. These tests will take a while, as a lot of different operating systems and configurations are being tested.

You will require:

  • docker

Run resource tests with

bundle exec rake test:resources config=test/test.yaml
bundle exec rake test:resources config=test/test-extra.yaml

Integration tests

These tests download various virtual machines, to ensure InSpec is working as expected across different operating systems.

You will require:

  • vagrant with virtualbox
  • test-kitchen

Run integration tests with

cd test/integration
bundle exec kitchen test -t .

Chef Delivery Tests

It may be informative to look at what tests Chef Delivery is running for CI.

License

| Author: | Dominik Richter (drichter@chef.io)

| Author: | Christoph Hartmann (chartmann@chef.io)

| Copyright: | Copyright (c) 2015 Chef Software Inc.

| Copyright: | Copyright (c) 2015 Vulcano Security GmbH.

| License: | Apache License, Version 2.0

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.