No description
Find a file
chef-delivery a2bc0845cd Merge pull request #158 from chef/readme
Merged change 0534a0a5-42fd-4359-a583-3a017835925d

From review branch readme into master

Signed-off-by: drichter <drichter@chef.io>
2015-10-26 18:19:53 -07:00
.delivery temporarily remove kitchen inspec until it is moved 2015-10-26 12:48:09 +01:00
bin rename vulcanosec -> inspec 2015-10-26 12:34:15 +01:00
docs resource => audit resource 2015-10-26 16:29:57 -07:00
examples/test-kitchen update to new kitchen-inspect 2015-10-26 19:33:53 +01:00
lib consistently set an empty logger in non-verbose mode 2015-10-26 18:27:46 +01:00
test update to new kitchen-inspect 2015-10-26 19:33:53 +01:00
.gitignore ignore local bundle config 2015-10-26 11:36:42 +01:00
.rubocop.yml lint 2015-10-26 04:39:16 +01:00
.travis.yml fix travis builds for 1.9.3 2015-10-25 23:22:52 +01:00
CHANGELOG.md 0.8.0 2015-10-21 21:49:07 +02:00
Gemfile update to new kitchen-inspect 2015-10-26 19:33:53 +01:00
inspec.gemspec rename vulcanosec -> inspec 2015-10-26 12:34:15 +01:00
Rakefile setup test-kitchen workflow 2015-10-23 12:14:00 +02:00
README.md minor adjustments to readme 2015-10-27 02:16:32 +01:00

Inspec

What is InSpec?

InSpec is an open-source testing framework for infrastructure with an easy language for specifying compliance, security, and policy requirements. The project name stands for "infrastructure specification" and can be thought of as an abbreviation of "inspect".

You can use InSpec to examine any node in your infrastructure. The InSpec framework runs locally or remotely on the node being inspected. As input, it uses test rules written in the InSpec language. If it detects security, compliance, or policy issues, they are flagged in a log.

The InSpec project includes many resources that help you write audit rules quickly and easily. Here are some examples.

  • Disallow insecure protocols - In this example, the package and inetd_conf resources ensure that insecure services and protocols, such as telnet, are not used.
describe package('telnetd') do
  it { should_not be_installed }
end

describe inetd_conf do
  its("telnet") { should eq nil }
end
  • Only accept requests on secure ports - This test ensures, that a web server is only listening on well-secured ports.
describe port(80) do
  it { should_not be_listening }
end

describe port(443) do
  it { should be_listening }
  its('protocol') {should eq 'tcp'}
end
  • Use approved strong ciphers - This test ensures, that only enterprise-compliant ciphers are used for SSH servers.
describe sshd_config do
   its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
end
  • Test your kitchen.yml file, to verify that only Vagrant is configured as the driver.
describe yaml('.kitchen.yml') do
  its('driver.name') { should eq('vagrant') }
end

Test your Server, VM, or workstation.

Small example: Write a your checks in test.rb:

describe file('/proc/cpuinfo') do
  it { should be_file }
end

describe ssh_config do
  its('Protocol') { should eq('2') }
end

Run this file locally:

inspec exec test.rb

Installation

Requires Ruby ( >1.9 ).

To simply run it without installation, you must install bundler:

bundle install
bundle exec bin/inspec help

To install it as a gem locally, run:

gem build inspec.gemspec
gem install inspec-*.gem

You should now be able to run:

inspec --help

Usage

exec

Run tests against different targets:

# run test locally
inspec exec test.rb

# run test on remote host on SSH
inspec exec test.rb -t ssh://user@hostname

# run test on remote windows host on WinRM
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'

# run test on docker container
inspec exec test.rb -t docker://container_id

detect

Verify your configuration and detect

id=$( docker run -dti ubuntu:14.04 /bin/bash )
inspec detect -t docker://$id

Which will provide you with:

{"family":"ubuntu","release":"14.04","arch":null}

Custom resources

You can easily create your own resources. Here is a custom resource for an application called Gordon and save it in gordon_config.rb:

require 'yaml'

class GordonConfig < Inspec.resource
  name 'gordon_config'

  def initialize
    @path = '/etc/gordon/config.yaml'
    @config = inspec.file(@path).content
    @params = YAML.load(@config)
  end

  def method_missing(name)
    @params[name.to_s]
  end
end

Include this file in your test.rb:

require_relative 'gordon_config'

Now you can start using your new resource:

describe gordon_config do
  its('Version') { should eq('1.0') }
end

Tests

Runner

Runner tests will make sure the backend execution layer behaves as expected. These tests will take a while, as a lot of different operating systems and configurations are being tested.

You will require:

  • vagrant with virtualbox
  • test-kitchen
  • docker

Run all tests via

rake test:runner

# configure concurrency:
CONCURRENCY=3 rake test:runner

This will go to test/runner and run kitchen test. You can test specific operating systems and configurations via test-kitchen.

Learn More

For more information see the InSpec documentation: https://github.com/chef/inspec/tree/master/docs

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

Copyright 2015 Chef Software Inc. All rights reserved.

Copyright 2015 Vulcano Security GmbH. All rights reserved.

Copyright 2015 Dominik Richter. All rights reserved.