mirror of
https://github.com/inspec/inspec
synced 2024-11-24 05:33:17 +00:00
232da2dbef
Added the rubygems installation to the README
267 lines
6.3 KiB
Markdown
267 lines
6.3 KiB
Markdown
# InSpec: Inspect Your Infrastructure
|
||
|
||
InSpec is open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.
|
||
|
||
```ruby
|
||
# Disallow insecure protocols by testing
|
||
|
||
describe package('telnetd') do
|
||
it { should_not be_installed }
|
||
end
|
||
|
||
describe inetd_conf do
|
||
its("telnet") { should eq nil }
|
||
end
|
||
```
|
||
|
||
InSpec makes it easy to run your tests wherever you need.
|
||
|
||
```bash
|
||
# run test locally
|
||
inspec exec test.rb
|
||
|
||
# run test on remote host on SSH
|
||
inspec exec test.rb -t ssh://user@hostname
|
||
|
||
# run test on remote windows host on WinRM
|
||
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'
|
||
|
||
# run test on docker container
|
||
inspec exec test.rb -t docker://container_id
|
||
```
|
||
|
||
# Features
|
||
|
||
- Built-in Compliance: Compliance no longer occurs at the end of the release cycle
|
||
- Targeted Tests: InSpec writes tests that specifically target compliance issues
|
||
- Metadata: Includes the metadata required by security and compliance pros
|
||
- Easy Testing: Includes a command-line interface to run tests quickly
|
||
|
||
## Installation
|
||
|
||
Requires Ruby ( >1.9 ).
|
||
|
||
To simply run it without installation, you must install [bundler](http://bundler.io/):
|
||
|
||
```bash
|
||
bundle install
|
||
bundle exec bin/inspec help
|
||
```
|
||
|
||
To install it as a gem locally, run:
|
||
|
||
```bash
|
||
gem build inspec.gemspec
|
||
gem install inspec-*.gem
|
||
```
|
||
|
||
Or you can install it via rubygems.org
|
||
|
||
```bash
|
||
gem install inspec
|
||
```
|
||
|
||
You should now be able to run:
|
||
|
||
```bash
|
||
inspec --help
|
||
```
|
||
|
||
# Examples
|
||
|
||
* Only accept requests on secure ports - This test ensures that a web server is only listening on well-secured ports.
|
||
|
||
```ruby
|
||
describe port(80) do
|
||
it { should_not be_listening }
|
||
end
|
||
|
||
describe port(443) do
|
||
it { should be_listening }
|
||
its('protocol') {should eq 'tcp'}
|
||
end
|
||
```
|
||
|
||
* Use approved strong ciphers - This test ensures that only enterprise-compliant ciphers are used for SSH servers.
|
||
|
||
```ruby
|
||
describe sshd_config do
|
||
its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
|
||
end
|
||
```
|
||
|
||
* Test your `kitchen.yml` file to verify that only Vagrant is configured as the driver.
|
||
|
||
```ruby
|
||
describe yaml('.kitchen.yml') do
|
||
its('driver.name') { should eq('vagrant') }
|
||
end
|
||
```
|
||
|
||
Also have a look at our [example](https://github.com/chef/inspec/tree/master/examples/test-kitchen) that uses `inspec` in combination with `test-kitchen`
|
||
|
||
## Command Line Usage
|
||
|
||
### exec
|
||
|
||
Run tests against different targets:
|
||
|
||
```bash
|
||
# run test locally
|
||
inspec exec test.rb
|
||
|
||
# run test on remote host on SSH
|
||
inspec exec test.rb -t ssh://user@hostname
|
||
|
||
# run test on remote windows host on WinRM
|
||
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'
|
||
|
||
# run test on docker container
|
||
inspec exec test.rb -t docker://container_id
|
||
|
||
# run with sudo
|
||
inspec exec test.rb --sudo [--sudo-password ...] [--sudo-options ...]
|
||
```
|
||
|
||
### detect
|
||
|
||
Verify your configuration and detect
|
||
|
||
```bash
|
||
id=$( docker run -dti ubuntu:14.04 /bin/bash )
|
||
inspec detect -t docker://$id
|
||
```
|
||
|
||
Which will provide you with:
|
||
|
||
```
|
||
{"family":"ubuntu","release":"14.04","arch":null}
|
||
```
|
||
|
||
## Custom InSpec resources
|
||
|
||
You can easily create your own resources. Here is a custom resource for an
|
||
application called Gordon. It is saved as `gordon_config.rb`.
|
||
|
||
```ruby
|
||
require 'yaml'
|
||
|
||
class GordonConfig < Inspec.resource(1)
|
||
name 'gordon_config'
|
||
|
||
def initialize
|
||
@path = '/etc/gordon/config.yaml'
|
||
@config = inspec.file(@path).content
|
||
@params = YAML.load(@config)
|
||
end
|
||
|
||
def method_missing(name)
|
||
@params[name.to_s]
|
||
end
|
||
end
|
||
```
|
||
|
||
Include this file in your `test.rb`:
|
||
|
||
```ruby
|
||
require_relative 'gordon_config'
|
||
```
|
||
|
||
Now you can start using your new resource:
|
||
|
||
```ruby
|
||
describe gordon_config do
|
||
its('Version') { should eq('1.0') }
|
||
end
|
||
```
|
||
|
||
## Documentation
|
||
|
||
Documentation is available: https://github.com/chef/inspec/tree/master/docs
|
||
|
||
## Kudos
|
||
|
||
InSpec is inspired by the wonderful [Serverspec](http://serverspec.org) project. Kudos to [mizzy](https://github.com/mizzy) and [all contributors](https://github.com/mizzy/serverspec/graphs/contributors)!
|
||
|
||
|
||
## Contribute
|
||
|
||
1. Fork it
|
||
1. Create your feature branch (git checkout -b my-new-feature)
|
||
1. Commit your changes (git commit -am 'Add some feature')
|
||
1. Push to the branch (git push origin my-new-feature)
|
||
1. Create new Pull Request
|
||
|
||
|
||
## Testing InSpec
|
||
|
||
We perform `unit`, `resource` and `integration` tests.
|
||
|
||
* `unit` tests ensure the intended behaviour of the implementation
|
||
* `resource` tests run against docker containers
|
||
* `integration` tests run against VMs via test-kitchen and [kitchen-inspec](https://github.com/chef/kitchen-inspec)
|
||
|
||
### Unit tests
|
||
|
||
```bash
|
||
bundle exec rake test
|
||
```
|
||
|
||
### Resource tests
|
||
|
||
Resource tests make sure the backend execution layer behaves as expected. These tests will take a while, as a lot of different operating systems and configurations are being tested.
|
||
|
||
You will require:
|
||
|
||
* docker
|
||
|
||
Run `resource` tests with
|
||
|
||
```bash
|
||
bundle exec rake test:resources config=test/test.yaml
|
||
bundle exec rake test:resources config=test/test-extra.yaml
|
||
```
|
||
|
||
### Integration tests
|
||
|
||
These tests download various virtual machines, to ensure InSpec is working as expected across different operating systems.
|
||
|
||
You will require:
|
||
|
||
* vagrant with virtualbox
|
||
* test-kitchen
|
||
|
||
Run `integration` tests with
|
||
|
||
```bash
|
||
cd test/integration
|
||
bundle exec kitchen test -t .
|
||
```
|
||
|
||
### Chef Delivery Tests
|
||
|
||
It may be informative to look at what [tests Chef Delivery](https://github.com/chef/inspec/blob/master/.delivery/build-cookbook/recipes/unit.rb) is running for CI.
|
||
|
||
## License
|
||
|
||
| **Author:** | Dominik Richter (<drichter@chef.io>)
|
||
|
||
| **Author:** | Christoph Hartmann (<chartmann@chef.io>)
|
||
|
||
| **Copyright:** | Copyright (c) 2015 Chef Software Inc.
|
||
|
||
| **Copyright:** | Copyright (c) 2015 Vulcano Security GmbH.
|
||
|
||
| **License:** | Apache License, Version 2.0
|
||
|
||
Licensed under the Apache License, Version 2.0 (the "License");
|
||
you may not use this file except in compliance with the License.
|
||
You may obtain a copy of the License at
|
||
|
||
http://www.apache.org/licenses/LICENSE-2.0
|
||
|
||
Unless required by applicable law or agreed to in writing, software
|
||
distributed under the License is distributed on an "AS IS" BASIS,
|
||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
See the License for the specific language governing permissions and
|
||
limitations under the License.
|