inspec 1.51.25 → 2.0.16
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.rubocop.yml +1 -1
- data/CHANGELOG.md +24 -19
- data/Gemfile +3 -1
- data/LICENSE +0 -0
- data/MAINTAINERS.md +0 -0
- data/MAINTAINERS.toml +0 -0
- data/README.md +22 -3
- data/Rakefile +117 -0
- data/docs/.gitignore +0 -0
- data/docs/README.md +0 -0
- data/docs/dsl_inspec.md +0 -0
- data/docs/dsl_resource.md +0 -0
- data/docs/glossary.md +0 -0
- data/docs/habitat.md +0 -0
- data/docs/inspec_and_friends.md +0 -0
- data/docs/matchers.md +0 -0
- data/docs/migration.md +0 -0
- data/docs/platforms.md +119 -0
- data/docs/plugin_kitchen_inspec.md +0 -0
- data/docs/profiles.md +0 -0
- data/docs/reporters.md +0 -0
- data/docs/resources/aide_conf.md.erb +6 -8
- data/docs/resources/apache.md.erb +2 -1
- data/docs/resources/apache_conf.md.erb +2 -1
- data/docs/resources/apt.md.erb +2 -1
- data/docs/resources/audit_policy.md.erb +3 -2
- data/docs/resources/auditd.md.erb +2 -1
- data/docs/resources/auditd_conf.md.erb +3 -3
- data/docs/resources/aws_cloudtrail_trail.md.erb +140 -0
- data/docs/resources/aws_cloudtrail_trails.md.erb +81 -0
- data/docs/resources/aws_cloudwatch_alarm.md.erb +86 -0
- data/docs/resources/aws_cloudwatch_log_metric_filter.md.erb +151 -0
- data/docs/resources/aws_ec2_instance.md.erb +106 -0
- data/docs/resources/aws_iam_access_key.md.erb +123 -0
- data/docs/resources/aws_iam_access_keys.md.erb +198 -0
- data/docs/resources/aws_iam_group.md.erb +46 -0
- data/docs/resources/aws_iam_groups.md.erb +43 -0
- data/docs/resources/aws_iam_password_policy.md.erb +76 -0
- data/docs/resources/aws_iam_policies.md.erb +82 -0
- data/docs/resources/aws_iam_policy.md.erb +146 -0
- data/docs/resources/aws_iam_role.md.erb +65 -0
- data/docs/resources/aws_iam_root_user.md.erb +58 -0
- data/docs/resources/aws_iam_user.md.erb +64 -0
- data/docs/resources/aws_iam_users.md.erb +90 -0
- data/docs/resources/aws_kms_keys.md.erb +84 -0
- data/docs/resources/aws_route_table.md.erb +47 -0
- data/docs/resources/aws_s3_bucket.md.erb +134 -0
- data/docs/resources/aws_security_group.md.erb +152 -0
- data/docs/resources/aws_security_groups.md.erb +92 -0
- data/docs/resources/aws_sns_topic.md.erb +63 -0
- data/docs/resources/aws_subnet.md.erb +134 -0
- data/docs/resources/aws_subnets.md.erb +126 -0
- data/docs/resources/aws_vpc.md.erb +120 -0
- data/docs/resources/aws_vpcs.md.erb +48 -0
- data/docs/resources/azure_generic_resource.md.erb +140 -0
- data/docs/resources/azure_resource_group.md.erb +284 -0
- data/docs/resources/azure_virtual_machine.md.erb +314 -0
- data/docs/resources/azure_virtual_machine_data_disk.md.erb +182 -0
- data/docs/resources/bash.md.erb +2 -1
- data/docs/resources/bond.md.erb +2 -1
- data/docs/resources/bridge.md.erb +5 -2
- data/docs/resources/bsd_service.md.erb +3 -1
- data/docs/resources/command.md.erb +2 -1
- data/docs/resources/cpan.md.erb +4 -3
- data/docs/resources/cran.md.erb +2 -1
- data/docs/resources/crontab.md.erb +2 -1
- data/docs/resources/csv.md.erb +2 -1
- data/docs/resources/dh_params.md.erb +2 -1
- data/docs/resources/directory.md.erb +4 -2
- data/docs/resources/docker.md.erb +2 -1
- data/docs/resources/docker_container.md.erb +5 -2
- data/docs/resources/docker_image.md.erb +2 -1
- data/docs/resources/docker_service.md.erb +2 -1
- data/docs/resources/elasticsearch.md.erb +12 -1
- data/docs/resources/etc_fstab.md.erb +2 -1
- data/docs/resources/etc_group.md.erb +2 -1
- data/docs/resources/etc_hosts.md.erb +4 -1
- data/docs/resources/etc_hosts_allow.md.erb +2 -1
- data/docs/resources/etc_hosts_deny.md.erb +2 -1
- data/docs/resources/file.md.erb +6 -3
- data/docs/resources/filesystem.md.erb +2 -1
- data/docs/resources/firewalld.md.erb +4 -3
- data/docs/resources/gem.md.erb +2 -1
- data/docs/resources/group.md.erb +2 -1
- data/docs/resources/grub_conf.md.erb +2 -2
- data/docs/resources/host.md.erb +2 -1
- data/docs/resources/http.md.erb +4 -7
- data/docs/resources/iis_app.md.erb +3 -1
- data/docs/resources/iis_site.md.erb +4 -1
- data/docs/resources/inetd_conf.md.erb +2 -3
- data/docs/resources/ini.md.erb +6 -2
- data/docs/resources/interface.md.erb +5 -2
- data/docs/resources/iptables.md.erb +2 -1
- data/docs/resources/json.md.erb +2 -1
- data/docs/resources/kernel_module.md.erb +2 -1
- data/docs/resources/kernel_parameter.md.erb +3 -3
- data/docs/resources/key_rsa.md.erb +5 -3
- data/docs/resources/launchd_service.md.erb +2 -1
- data/docs/resources/limits_conf.md.erb +4 -2
- data/docs/resources/login_def.md.erb +2 -2
- data/docs/resources/mount.md.erb +2 -1
- data/docs/resources/mssql_session.md.erb +2 -1
- data/docs/resources/mysql_conf.md.erb +2 -1
- data/docs/resources/mysql_session.md.erb +2 -1
- data/docs/resources/nginx.md.erb +1 -0
- data/docs/resources/nginx_conf.md.erb +2 -1
- data/docs/resources/npm.md.erb +2 -1
- data/docs/resources/ntp_conf.md.erb +2 -1
- data/docs/resources/oneget.md.erb +2 -1
- data/docs/resources/oracledb_session.md.erb +2 -1
- data/docs/resources/os.md.erb +4 -3
- data/docs/resources/os_env.md.erb +2 -1
- data/docs/resources/package.md.erb +3 -2
- data/docs/resources/packages.md.erb +2 -1
- data/docs/resources/parse_config.md.erb +2 -1
- data/docs/resources/parse_config_file.md.erb +3 -2
- data/docs/resources/passwd.md.erb +2 -1
- data/docs/resources/pip.md.erb +2 -1
- data/docs/resources/port.md.erb +2 -1
- data/docs/resources/postgres_conf.md.erb +2 -1
- data/docs/resources/postgres_hba_conf.md.erb +2 -1
- data/docs/resources/postgres_ident_conf.md.erb +2 -1
- data/docs/resources/postgres_session.md.erb +2 -1
- data/docs/resources/powershell.md.erb +2 -1
- data/docs/resources/processes.md.erb +3 -1
- data/docs/resources/rabbitmq_config.md.erb +2 -1
- data/docs/resources/registry_key.md.erb +2 -1
- data/docs/resources/runit_service.md.erb +2 -1
- data/docs/resources/security_policy.md.erb +2 -1
- data/docs/resources/service.md.erb +2 -1
- data/docs/resources/shadow.md.erb +2 -1
- data/docs/resources/ssh_config.md.erb +2 -1
- data/docs/resources/sshd_config.md.erb +2 -1
- data/docs/resources/ssl.md.erb +2 -1
- data/docs/resources/sys_info.md.erb +2 -1
- data/docs/resources/systemd_service.md.erb +2 -1
- data/docs/resources/sysv_service.md.erb +2 -1
- data/docs/resources/upstart_service.md.erb +2 -1
- data/docs/resources/user.md.erb +3 -1
- data/docs/resources/users.md.erb +2 -1
- data/docs/resources/vbscript.md.erb +2 -1
- data/docs/resources/virtualization.md.erb +2 -1
- data/docs/resources/windows_feature.md.erb +2 -1
- data/docs/resources/windows_hotfix.md.erb +2 -1
- data/docs/resources/windows_task.md.erb +49 -43
- data/docs/resources/wmi.md.erb +2 -1
- data/docs/resources/x509_certificate.md.erb +1 -0
- data/docs/resources/xinetd_conf.md.erb +2 -1
- data/docs/resources/xml.md.erb +2 -1
- data/docs/resources/yaml.md.erb +2 -1
- data/docs/resources/yum.md.erb +2 -1
- data/docs/resources/zfs_dataset.md.erb +2 -1
- data/docs/resources/zfs_pool.md.erb +2 -1
- data/docs/ruby_usage.md +0 -0
- data/docs/shared/matcher_be.md.erb +0 -0
- data/docs/shared/matcher_cmp.md.erb +0 -0
- data/docs/shared/matcher_eq.md.erb +0 -0
- data/docs/shared/matcher_include.md.erb +0 -0
- data/docs/shared/matcher_match.md.erb +0 -0
- data/docs/shell.md +0 -0
- data/examples/README.md +0 -0
- data/examples/inheritance/README.md +0 -0
- data/examples/inheritance/controls/example.rb +0 -0
- data/examples/inheritance/inspec.yml +0 -0
- data/examples/kitchen-ansible/.kitchen.yml +0 -0
- data/examples/kitchen-ansible/Gemfile +0 -0
- data/examples/kitchen-ansible/README.md +0 -0
- data/examples/kitchen-ansible/files/nginx.repo +0 -0
- data/examples/kitchen-ansible/tasks/main.yml +0 -0
- data/examples/kitchen-ansible/test/integration/default/default.yml +0 -0
- data/examples/kitchen-ansible/test/integration/default/web_spec.rb +0 -0
- data/examples/kitchen-chef/.kitchen.yml +0 -0
- data/examples/kitchen-chef/Berksfile +0 -0
- data/examples/kitchen-chef/Gemfile +0 -0
- data/examples/kitchen-chef/README.md +0 -0
- data/examples/kitchen-chef/metadata.rb +0 -0
- data/examples/kitchen-chef/recipes/default.rb +0 -0
- data/examples/kitchen-chef/recipes/nginx.rb +0 -0
- data/examples/kitchen-chef/test/integration/default/web_spec.rb +0 -0
- data/examples/kitchen-puppet/.kitchen.yml +0 -0
- data/examples/kitchen-puppet/Gemfile +0 -0
- data/examples/kitchen-puppet/Puppetfile +0 -0
- data/examples/kitchen-puppet/README.md +0 -0
- data/examples/kitchen-puppet/manifests/site.pp +0 -0
- data/examples/kitchen-puppet/metadata.json +0 -0
- data/examples/kitchen-puppet/test/integration/default/web_spec.rb +0 -0
- data/examples/meta-profile/README.md +0 -0
- data/examples/meta-profile/controls/example.rb +0 -0
- data/examples/meta-profile/inspec.yml +0 -0
- data/examples/profile-attribute.yml +0 -0
- data/examples/profile-attribute/README.md +0 -0
- data/examples/profile-attribute/controls/example.rb +0 -0
- data/examples/profile-attribute/inspec.yml +0 -0
- data/examples/profile-aws/controls/iam_password_policy_expiration.rb +8 -0
- data/examples/profile-aws/controls/iam_password_policy_max_age.rb +8 -0
- data/examples/profile-aws/controls/iam_root_user_mfa.rb +8 -0
- data/examples/profile-aws/controls/iam_users_access_key_age.rb +8 -0
- data/examples/profile-aws/controls/iam_users_console_users_mfa.rb +8 -0
- data/examples/profile-aws/inspec.yml +11 -0
- data/examples/profile-azure/controls/azure_resource_group_example.rb +24 -0
- data/examples/profile-azure/controls/azure_vm_example.rb +29 -0
- data/examples/profile-azure/inspec.yml +11 -0
- data/examples/profile-sensitive/README.md +0 -0
- data/examples/profile-sensitive/controls/sensitive-failures.rb +0 -0
- data/examples/profile-sensitive/controls/sensitive.rb +0 -0
- data/examples/profile-sensitive/inspec.yml +0 -0
- data/examples/profile/README.md +0 -0
- data/examples/profile/controls/example.rb +0 -0
- data/examples/profile/controls/gordon.rb +0 -0
- data/examples/profile/controls/meta.rb +0 -0
- data/examples/profile/inspec.yml +0 -0
- data/examples/profile/libraries/gordon_config.rb +0 -0
- data/inspec.gemspec +1 -1
- data/lib/bundles/README.md +0 -0
- data/lib/bundles/inspec-artifact.rb +0 -0
- data/lib/bundles/inspec-artifact/README.md +0 -0
- data/lib/bundles/inspec-artifact/cli.rb +0 -0
- data/lib/bundles/inspec-compliance.rb +0 -0
- data/lib/bundles/inspec-compliance/.kitchen.yml +0 -0
- data/lib/bundles/inspec-compliance/README.md +0 -0
- data/lib/bundles/inspec-compliance/api/login.rb +0 -0
- data/lib/bundles/inspec-compliance/bootstrap.sh +0 -0
- data/lib/bundles/inspec-compliance/cli.rb +12 -35
- data/lib/bundles/inspec-compliance/configuration.rb +0 -0
- data/lib/bundles/inspec-compliance/http.rb +0 -0
- data/lib/bundles/inspec-compliance/images/cc-token.png +0 -0
- data/lib/bundles/inspec-compliance/support.rb +0 -0
- data/lib/bundles/inspec-compliance/target.rb +0 -0
- data/lib/bundles/inspec-compliance/test/integration/default/cli.rb +0 -0
- data/lib/bundles/inspec-habitat.rb +0 -0
- data/lib/bundles/inspec-habitat/cli.rb +0 -0
- data/lib/bundles/inspec-habitat/log.rb +0 -0
- data/lib/bundles/inspec-habitat/profile.rb +0 -0
- data/lib/bundles/inspec-init.rb +0 -0
- data/lib/bundles/inspec-init/README.md +0 -0
- data/lib/bundles/inspec-init/cli.rb +0 -0
- data/lib/bundles/inspec-init/templates/profile/README.md +0 -0
- data/lib/bundles/inspec-init/templates/profile/controls/example.rb +1 -1
- data/lib/bundles/inspec-init/templates/profile/inspec.yml +0 -0
- data/lib/bundles/inspec-init/templates/profile/libraries/.gitkeep +0 -0
- data/lib/bundles/inspec-supermarket.rb +0 -0
- data/lib/bundles/inspec-supermarket/README.md +0 -0
- data/lib/bundles/inspec-supermarket/api.rb +0 -0
- data/lib/bundles/inspec-supermarket/cli.rb +11 -3
- data/lib/bundles/inspec-supermarket/target.rb +0 -0
- data/lib/fetchers/git.rb +0 -0
- data/lib/fetchers/local.rb +0 -0
- data/lib/fetchers/mock.rb +0 -0
- data/lib/fetchers/url.rb +0 -0
- data/lib/inspec.rb +0 -0
- data/lib/inspec/archive/tar.rb +0 -0
- data/lib/inspec/archive/zip.rb +0 -0
- data/lib/inspec/backend.rb +0 -0
- data/lib/inspec/base_cli.rb +2 -4
- data/lib/inspec/cached_fetcher.rb +0 -0
- data/lib/inspec/cli.rb +15 -11
- data/lib/inspec/completions/bash.sh.erb +0 -0
- data/lib/inspec/completions/fish.sh.erb +0 -0
- data/lib/inspec/completions/zsh.sh.erb +0 -0
- data/lib/inspec/control_eval_context.rb +0 -0
- data/lib/inspec/dependencies/cache.rb +0 -0
- data/lib/inspec/dependencies/dependency_set.rb +0 -0
- data/lib/inspec/dependencies/lockfile.rb +0 -0
- data/lib/inspec/dependencies/requirement.rb +0 -0
- data/lib/inspec/dependencies/resolver.rb +0 -0
- data/lib/inspec/describe.rb +0 -0
- data/lib/inspec/dsl.rb +0 -0
- data/lib/inspec/dsl_shared.rb +0 -0
- data/lib/inspec/env_printer.rb +0 -0
- data/lib/inspec/errors.rb +0 -0
- data/lib/inspec/exceptions.rb +0 -0
- data/lib/inspec/expect.rb +0 -0
- data/lib/inspec/fetcher.rb +0 -0
- data/lib/inspec/file_provider.rb +0 -0
- data/lib/inspec/formatters.rb +0 -0
- data/lib/inspec/formatters/base.rb +43 -1
- data/lib/inspec/formatters/json_rspec.rb +0 -0
- data/lib/inspec/formatters/show_progress.rb +0 -0
- data/lib/inspec/library_eval_context.rb +0 -0
- data/lib/inspec/log.rb +0 -0
- data/lib/inspec/metadata.rb +3 -9
- data/lib/inspec/method_source.rb +0 -0
- data/lib/inspec/objects.rb +0 -0
- data/lib/inspec/objects/attribute.rb +0 -0
- data/lib/inspec/objects/control.rb +0 -0
- data/lib/inspec/objects/describe.rb +0 -0
- data/lib/inspec/objects/each_loop.rb +0 -0
- data/lib/inspec/objects/list.rb +0 -0
- data/lib/inspec/objects/or_test.rb +0 -0
- data/lib/inspec/objects/ruby_helper.rb +0 -0
- data/lib/inspec/objects/tag.rb +0 -0
- data/lib/inspec/objects/test.rb +0 -0
- data/lib/inspec/objects/value.rb +0 -0
- data/lib/inspec/plugins.rb +0 -0
- data/lib/inspec/plugins/cli.rb +0 -0
- data/lib/inspec/plugins/fetcher.rb +0 -0
- data/lib/inspec/plugins/resource.rb +10 -9
- data/lib/inspec/plugins/secret.rb +0 -0
- data/lib/inspec/plugins/source_reader.rb +0 -0
- data/lib/inspec/polyfill.rb +0 -0
- data/lib/inspec/profile.rb +0 -0
- data/lib/inspec/profile_context.rb +0 -0
- data/lib/inspec/profile_vendor.rb +0 -0
- data/lib/inspec/reporters.rb +0 -0
- data/lib/inspec/reporters/base.rb +0 -0
- data/lib/inspec/reporters/cli.rb +12 -51
- data/lib/inspec/reporters/json.rb +3 -26
- data/lib/inspec/reporters/json_min.rb +0 -0
- data/lib/inspec/reporters/junit.rb +0 -0
- data/lib/inspec/require_loader.rb +0 -0
- data/lib/inspec/resource.rb +11 -1
- data/lib/inspec/rule.rb +0 -0
- data/lib/inspec/runner.rb +10 -8
- data/lib/inspec/runner_mock.rb +0 -0
- data/lib/inspec/runner_rspec.rb +18 -2
- data/lib/inspec/runtime_profile.rb +0 -0
- data/lib/inspec/schema.rb +25 -4
- data/lib/inspec/secrets.rb +0 -0
- data/lib/inspec/secrets/yaml.rb +0 -0
- data/lib/inspec/shell.rb +0 -0
- data/lib/inspec/shell_detector.rb +0 -0
- data/lib/inspec/source_reader.rb +0 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +1 -59
- data/lib/resource_support/aws.rb +40 -0
- data/lib/resource_support/aws/aws_backend_base.rb +12 -0
- data/lib/resource_support/aws/aws_backend_factory_mixin.rb +12 -0
- data/lib/resource_support/aws/aws_plural_resource_mixin.rb +21 -0
- data/lib/resource_support/aws/aws_resource_mixin.rb +66 -0
- data/lib/resource_support/aws/aws_singular_resource_mixin.rb +24 -0
- data/lib/resources/aide_conf.rb +1 -1
- data/lib/resources/apache.rb +1 -2
- data/lib/resources/apache_conf.rb +2 -4
- data/lib/resources/apt.rb +1 -2
- data/lib/resources/audit_policy.rb +1 -2
- data/lib/resources/auditd.rb +1 -3
- data/lib/resources/auditd_conf.rb +1 -2
- data/lib/resources/aws/aws_cloudtrail_trail.rb +77 -0
- data/lib/resources/aws/aws_cloudtrail_trails.rb +47 -0
- data/lib/resources/aws/aws_cloudwatch_alarm.rb +62 -0
- data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb +100 -0
- data/lib/resources/aws/aws_ec2_instance.rb +157 -0
- data/lib/resources/aws/aws_iam_access_key.rb +106 -0
- data/lib/resources/aws/aws_iam_access_keys.rb +144 -0
- data/lib/resources/aws/aws_iam_group.rb +56 -0
- data/lib/resources/aws/aws_iam_groups.rb +45 -0
- data/lib/resources/aws/aws_iam_password_policy.rb +116 -0
- data/lib/resources/aws/aws_iam_policies.rb +46 -0
- data/lib/resources/aws/aws_iam_policy.rb +119 -0
- data/lib/resources/aws/aws_iam_role.rb +51 -0
- data/lib/resources/aws/aws_iam_root_user.rb +60 -0
- data/lib/resources/aws/aws_iam_user.rb +111 -0
- data/lib/resources/aws/aws_iam_users.rb +96 -0
- data/lib/resources/aws/aws_kms_keys.rb +46 -0
- data/lib/resources/aws/aws_route_table.rb +61 -0
- data/lib/resources/aws/aws_s3_bucket.rb +115 -0
- data/lib/resources/aws/aws_security_group.rb +93 -0
- data/lib/resources/aws/aws_security_groups.rb +68 -0
- data/lib/resources/aws/aws_sns_topic.rb +53 -0
- data/lib/resources/aws/aws_subnet.rb +88 -0
- data/lib/resources/aws/aws_subnets.rb +53 -0
- data/lib/resources/aws/aws_vpc.rb +69 -0
- data/lib/resources/aws/aws_vpcs.rb +45 -0
- data/lib/resources/azure/azure_backend.rb +377 -0
- data/lib/resources/azure/azure_generic_resource.rb +59 -0
- data/lib/resources/azure/azure_resource_group.rb +152 -0
- data/lib/resources/azure/azure_virtual_machine.rb +264 -0
- data/lib/resources/azure/azure_virtual_machine_data_disk.rb +136 -0
- data/lib/resources/bash.rb +1 -2
- data/lib/resources/bond.rb +1 -2
- data/lib/resources/bridge.rb +1 -2
- data/lib/resources/command.rb +2 -2
- data/lib/resources/cpan.rb +1 -3
- data/lib/resources/cran.rb +1 -3
- data/lib/resources/crontab.rb +1 -0
- data/lib/resources/csv.rb +4 -2
- data/lib/resources/dh_params.rb +1 -2
- data/lib/resources/directory.rb +2 -2
- data/lib/resources/docker.rb +1 -4
- data/lib/resources/docker_container.rb +1 -4
- data/lib/resources/docker_image.rb +1 -4
- data/lib/resources/docker_object.rb +0 -0
- data/lib/resources/docker_service.rb +1 -5
- data/lib/resources/elasticsearch.rb +1 -0
- data/lib/resources/etc_fstab.rb +1 -1
- data/lib/resources/etc_group.rb +1 -2
- data/lib/resources/etc_hosts.rb +1 -1
- data/lib/resources/etc_hosts_allow_deny.rb +2 -1
- data/lib/resources/file.rb +2 -2
- data/lib/resources/filesystem.rb +1 -1
- data/lib/resources/firewalld.rb +1 -1
- data/lib/resources/gem.rb +2 -3
- data/lib/resources/groups.rb +4 -2
- data/lib/resources/grub_conf.rb +1 -1
- data/lib/resources/host.rb +2 -2
- data/lib/resources/http.rb +20 -22
- data/lib/resources/iis_app.rb +1 -0
- data/lib/resources/iis_site.rb +1 -0
- data/lib/resources/inetd_conf.rb +1 -2
- data/lib/resources/ini.rb +2 -2
- data/lib/resources/interface.rb +2 -3
- data/lib/resources/iptables.rb +1 -2
- data/lib/resources/json.rb +4 -2
- data/lib/resources/kernel_module.rb +1 -4
- data/lib/resources/kernel_parameter.rb +1 -1
- data/lib/resources/key_rsa.rb +2 -2
- data/lib/resources/limits_conf.rb +1 -2
- data/lib/resources/login_def.rb +1 -2
- data/lib/resources/mount.rb +1 -3
- data/lib/resources/mssql_session.rb +1 -3
- data/lib/resources/mysql.rb +1 -2
- data/lib/resources/mysql_conf.rb +2 -1
- data/lib/resources/mysql_session.rb +2 -3
- data/lib/resources/nginx.rb +1 -2
- data/lib/resources/nginx_conf.rb +1 -2
- data/lib/resources/npm.rb +2 -2
- data/lib/resources/ntp_conf.rb +1 -2
- data/lib/resources/oneget.rb +1 -2
- data/lib/resources/oracledb_session.rb +2 -3
- data/lib/resources/os.rb +2 -12
- data/lib/resources/os_env.rb +2 -2
- data/lib/resources/package.rb +2 -2
- data/lib/resources/packages.rb +1 -2
- data/lib/resources/parse_config.rb +2 -2
- data/lib/resources/passwd.rb +1 -23
- data/lib/resources/pip.rb +2 -2
- data/lib/resources/platform.rb +19 -22
- data/lib/resources/port.rb +2 -2
- data/lib/resources/postgres.rb +1 -3
- data/lib/resources/postgres_conf.rb +2 -3
- data/lib/resources/postgres_hba_conf.rb +1 -2
- data/lib/resources/postgres_ident_conf.rb +1 -2
- data/lib/resources/postgres_session.rb +2 -3
- data/lib/resources/powershell.rb +1 -2
- data/lib/resources/processes.rb +2 -2
- data/lib/resources/rabbitmq_conf.rb +1 -2
- data/lib/resources/registry_key.rb +1 -1
- data/lib/resources/security_policy.rb +1 -2
- data/lib/resources/service.rb +8 -3
- data/lib/resources/shadow.rb +1 -2
- data/lib/resources/ssh_conf.rb +2 -2
- data/lib/resources/ssl.rb +2 -2
- data/lib/resources/sys_info.rb +2 -0
- data/lib/resources/toml.rb +0 -0
- data/lib/resources/users.rb +4 -2
- data/lib/resources/vbscript.rb +1 -2
- data/lib/resources/virtualization.rb +1 -1
- data/lib/resources/windows_feature.rb +1 -2
- data/lib/resources/windows_hotfix.rb +1 -1
- data/lib/resources/windows_task.rb +1 -2
- data/lib/resources/wmi.rb +1 -2
- data/lib/resources/x509_certificate.rb +2 -2
- data/lib/resources/xinetd.rb +1 -2
- data/lib/resources/xml.rb +2 -1
- data/lib/resources/yaml.rb +4 -2
- data/lib/resources/yum.rb +1 -2
- data/lib/resources/zfs_dataset.rb +1 -1
- data/lib/resources/zfs_pool.rb +1 -1
- data/lib/source_readers/flat.rb +0 -0
- data/lib/source_readers/inspec.rb +0 -0
- data/lib/utils/command_wrapper.rb +0 -0
- data/lib/utils/convert.rb +0 -0
- data/lib/utils/database_helpers.rb +0 -0
- data/lib/utils/erlang_parser.rb +0 -0
- data/lib/utils/filter.rb +0 -0
- data/lib/utils/filter_array.rb +0 -0
- data/lib/utils/find_files.rb +0 -0
- data/lib/utils/hash.rb +0 -0
- data/lib/utils/json_log.rb +0 -0
- data/lib/utils/latest_version.rb +0 -0
- data/lib/utils/modulator.rb +0 -0
- data/lib/utils/nginx_parser.rb +0 -0
- data/lib/utils/object_traversal.rb +0 -0
- data/lib/utils/parser.rb +0 -0
- data/lib/utils/plugin_registry.rb +0 -0
- data/lib/utils/simpleconfig.rb +0 -12
- data/lib/utils/spdx.rb +0 -0
- data/lib/utils/spdx.txt +0 -0
- metadata +81 -6
- data/docs/resources/auditd_rules.md.erb +0 -116
- data/lib/resources/auditd_rules.rb +0 -205
@@ -0,0 +1,151 @@
|
|
1
|
+
---
|
2
|
+
title: About the aws_cloudwatch_log_metric_filter Resource
|
3
|
+
platform: aws
|
4
|
+
---
|
5
|
+
|
6
|
+
# aws\_cloudwatch\_log\_metric\_filter
|
7
|
+
|
8
|
+
Use the `aws_cloudwatch_log_metric_filter` InSpec audit resource to search for and test properties of individual AWS Cloudwatch Log Metric Filters.
|
9
|
+
|
10
|
+
A Log Metric Filter (LMF) is an AWS resource that observes log traffic, looks for a specified pattern, and updates a metric about the number times the match occurs. The metric can also be connected to AWS Cloudwatch Alarms, so that actions can be taken when a match occurs.
|
11
|
+
|
12
|
+
<br>
|
13
|
+
|
14
|
+
## Syntax
|
15
|
+
|
16
|
+
An `aws_cloudwatch_log_metric_filter` resource block searches for an LMF, specified by several search options. If more than one log metric filter matches, an error occurs.
|
17
|
+
|
18
|
+
# Look for a LMF by its filter name and log group name. This combination
|
19
|
+
# will always either find at most one LMF - no duplicates.
|
20
|
+
describe aws_cloudwatch_log_metric_filter(
|
21
|
+
filter_name: 'my-filter',
|
22
|
+
log_group_name: 'my-log-group'
|
23
|
+
) do
|
24
|
+
it { should exist }
|
25
|
+
end
|
26
|
+
|
27
|
+
# Search for an LMF by pattern and log group.
|
28
|
+
# This could result in an error if the results are not unique.
|
29
|
+
describe aws_cloudwatch_log_metric_filter(
|
30
|
+
log_group_name: 'my-log-group',
|
31
|
+
pattern: 'my-filter'
|
32
|
+
) do
|
33
|
+
it { should exist }
|
34
|
+
end
|
35
|
+
|
36
|
+
<br>
|
37
|
+
|
38
|
+
## Filter Attributes
|
39
|
+
|
40
|
+
* `filter_name`, `log_group_name`, `pattern`
|
41
|
+
|
42
|
+
<br>
|
43
|
+
|
44
|
+
## Filter Examples
|
45
|
+
|
46
|
+
### filter\_name
|
47
|
+
|
48
|
+
This is the identifier of the log metric filter within its log group. To ensure you have a unique result, you must also provide the `log_group_name`.
|
49
|
+
|
50
|
+
describe aws_cloudwatch_log_metric_filter(
|
51
|
+
filter_name: 'my-filter'
|
52
|
+
) do
|
53
|
+
it { should exist }
|
54
|
+
end
|
55
|
+
|
56
|
+
### log\_group\_name
|
57
|
+
|
58
|
+
The name of the Cloudwatch Log Group that the LMF is watching. Together with `filter_name`, this uniquely identifies an LMF.
|
59
|
+
|
60
|
+
describe aws_cloudwatch_log_metric_filter(
|
61
|
+
log_group_name: 'my-log-group',
|
62
|
+
) do
|
63
|
+
it { should exist }
|
64
|
+
end
|
65
|
+
|
66
|
+
### pattern
|
67
|
+
|
68
|
+
The filter pattern used to match entries from the logs in the log group.
|
69
|
+
|
70
|
+
describe aws_cloudwatch_log_metric_filter(
|
71
|
+
pattern: '"ERROR" - "Exiting"',
|
72
|
+
) do
|
73
|
+
it { should exist }
|
74
|
+
end
|
75
|
+
|
76
|
+
<br>
|
77
|
+
|
78
|
+
## Properties
|
79
|
+
|
80
|
+
* `filter_name`, `log_group_name`,` metric_name`, `metric_namespace`, `pattern`
|
81
|
+
|
82
|
+
<br>
|
83
|
+
|
84
|
+
## Property Examples
|
85
|
+
|
86
|
+
### filter\_name
|
87
|
+
|
88
|
+
The name of the LMF within the `log_group`.
|
89
|
+
|
90
|
+
# Check the name of the LMF that has a certain pattern
|
91
|
+
describe aws_cloudwatch_log_metric_filter(
|
92
|
+
log_group_name: 'app-log-group',
|
93
|
+
pattern: 'KERBLEWIE',
|
94
|
+
) do
|
95
|
+
its('filter_name') { should cmp 'kaboom_lmf' }
|
96
|
+
end
|
97
|
+
|
98
|
+
### log\_group\_name
|
99
|
+
|
100
|
+
The name of the log group that the LMF is watching.
|
101
|
+
|
102
|
+
# Check which log group the LMF 'error-watcher' is watching
|
103
|
+
describe aws_cloudwatch_log_metric_filter(
|
104
|
+
filter_name: 'error-watcher',
|
105
|
+
) do
|
106
|
+
its('log_group_name') { should cmp 'app-log-group' }
|
107
|
+
end
|
108
|
+
|
109
|
+
### metric\_name, metric\_namespace
|
110
|
+
|
111
|
+
The name and namespace of the Cloudwatch Metric that will be updated when the LMF matches. You also need the `metric_namespace` to uniquely identify the metric.
|
112
|
+
|
113
|
+
# Ensure that the LMF has the right metric name
|
114
|
+
describe aws_cloudwatch_log_metric_filter(
|
115
|
+
filter_name: 'my-filter',
|
116
|
+
log_group_name: 'my-log-group',
|
117
|
+
) do
|
118
|
+
its('metric_name') { should cmp 'MyMetric' }
|
119
|
+
its('metric_namespace') { should cmp 'MyFantasticMetrics' }
|
120
|
+
end
|
121
|
+
|
122
|
+
### pattern
|
123
|
+
|
124
|
+
The pattern used to match entries from the logs in the log group.
|
125
|
+
|
126
|
+
# Ensure that the LMF is watching for errors
|
127
|
+
describe aws_cloudwatch_log_metric_filter(
|
128
|
+
filter_name: 'error-watcher',
|
129
|
+
log_group_name: 'app-log-group',
|
130
|
+
) do
|
131
|
+
its('pattern') { should cmp 'ERROR' }
|
132
|
+
end
|
133
|
+
|
134
|
+
<br>
|
135
|
+
|
136
|
+
## Matchers
|
137
|
+
|
138
|
+
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
139
|
+
|
140
|
+
### exist
|
141
|
+
|
142
|
+
Matches (i.e., passes the test) if the resource parameters (search criteria) were able to locate exactly one LMF.
|
143
|
+
|
144
|
+
describe aws_cloudwatch_log_metric_filter(
|
145
|
+
log_group_name: 'my-log-group',
|
146
|
+
) do
|
147
|
+
it { should exist }
|
148
|
+
end
|
149
|
+
|
150
|
+
|
151
|
+
|
@@ -0,0 +1,106 @@
|
|
1
|
+
---
|
2
|
+
title: About the aws_ec2_instance Resource
|
3
|
+
platform: aws
|
4
|
+
---
|
5
|
+
|
6
|
+
# aws\_ec2\_instance
|
7
|
+
|
8
|
+
Use the `aws_ec2_instance` InSpec audit resource to test properties of a single AWS EC2 instance.
|
9
|
+
|
10
|
+
<br>
|
11
|
+
|
12
|
+
## Syntax
|
13
|
+
|
14
|
+
An `aws_ec2_instance` resource block declares the tests for a single AWS EC2 instance by either name or id.
|
15
|
+
|
16
|
+
describe aws_ec2_instance('i-01a2349e94458a507') do
|
17
|
+
it { should exist }
|
18
|
+
end
|
19
|
+
|
20
|
+
describe aws_ec2_instance(name: 'my-instance') do
|
21
|
+
it { should be_running }
|
22
|
+
end
|
23
|
+
|
24
|
+
<br>
|
25
|
+
|
26
|
+
## Examples
|
27
|
+
|
28
|
+
The following examples show how to use this InSpec audit resource.
|
29
|
+
|
30
|
+
### Test that an EC2 instance does not exist
|
31
|
+
|
32
|
+
describe aws_ec2_instance(name: 'dev-server') do
|
33
|
+
it { should_not exist }
|
34
|
+
end
|
35
|
+
|
36
|
+
### Test that an EC2 instance is running
|
37
|
+
|
38
|
+
describe aws_ec2_instance(name: 'prod-database') do
|
39
|
+
it { should be_running }
|
40
|
+
end
|
41
|
+
|
42
|
+
### Test that an EC2 instance is using the correct image ID
|
43
|
+
|
44
|
+
describe aws_iam_instance(name: 'my-instance') do
|
45
|
+
its('image_id') { should eq 'ami-27a58d5c' }
|
46
|
+
end
|
47
|
+
|
48
|
+
### Test that an EC2 instance has the correct tag
|
49
|
+
|
50
|
+
describe aws_ec2_instance('i-090c29e4f4c165b74') do
|
51
|
+
its('tags') { should include(key: 'Contact', value: 'Gilfoyle') }
|
52
|
+
end
|
53
|
+
|
54
|
+
<br>
|
55
|
+
|
56
|
+
## Properties
|
57
|
+
|
58
|
+
* `architecture`, `client_token`, `image_id`,`instance_type`, `key_name`, `launch_time`,`private_ip_address`, `private_dns_name`, `public_dns_name`, `public_ip_address`, `root_device_type`, `root_device_name`, `security_group_ids`, `subnet_id`, `tags`,`virtualization_type`, `vpc_id`
|
59
|
+
|
60
|
+
<br>
|
61
|
+
|
62
|
+
## Matchers
|
63
|
+
|
64
|
+
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
65
|
+
|
66
|
+
### be\_pending
|
67
|
+
|
68
|
+
The `be\_pending` matcher tests if the described EC2 instance state is `pending`. This indicates that an instance is provisioning. This state should be temporary.
|
69
|
+
|
70
|
+
it { should be_pending }
|
71
|
+
|
72
|
+
### be\_running
|
73
|
+
|
74
|
+
The `be_running` matcher tests if the described EC2 instance state is `running`. This indicates the instance is fully operational from AWS's perspective.
|
75
|
+
|
76
|
+
it { should be_running }
|
77
|
+
|
78
|
+
### be\_shutting\_down
|
79
|
+
|
80
|
+
The `be_shutting_down` matcher tests if the described EC2 instance state is `shutting-down`. This indicates the instance has received a termination command and is in the process of being permanently halted and de-provisioned. This state should be temporary.
|
81
|
+
|
82
|
+
it { should be_shutting_down }
|
83
|
+
|
84
|
+
### be\_stopped
|
85
|
+
|
86
|
+
The `be_stopped` matcher tests if the described EC2 instance state is `stopped`. This indicates that the instance is suspended and may be started again.
|
87
|
+
|
88
|
+
it { should be_stopped }
|
89
|
+
|
90
|
+
### be\_stopping
|
91
|
+
|
92
|
+
The `be_stopping` matcher tests if the described EC2 instance state is `stopping`. This indicates that an AWS stop command has been issued, which will suspend the instance in an OS-unaware manner. This state should be temporary.
|
93
|
+
|
94
|
+
it { should be_stopping }
|
95
|
+
|
96
|
+
### be\_terminated
|
97
|
+
|
98
|
+
The `be_terminated` matcher tests if the described EC2 instance state is `terminated`. This indicates the instance is permanently halted and will be removed from the instance listing in a short period. This state should be temporary.
|
99
|
+
|
100
|
+
it { should be_terminated }
|
101
|
+
|
102
|
+
### be\_unknown
|
103
|
+
|
104
|
+
The `be_unknown` matcher tests if the described EC2 instance state is `unknown`. This indicates an error condition in the AWS management system. This state should be temporary.
|
105
|
+
|
106
|
+
it { should be_unknown }
|
@@ -0,0 +1,123 @@
|
|
1
|
+
---
|
2
|
+
title: About the aws_iam_access_key Resource
|
3
|
+
platform: aws
|
4
|
+
---
|
5
|
+
|
6
|
+
# aws\_iam\_access\_key
|
7
|
+
|
8
|
+
Use the `aws_iam_access_key` InSpec audit resource to test properties of a single AWS IAM access key.
|
9
|
+
|
10
|
+
<br>
|
11
|
+
|
12
|
+
## Syntax
|
13
|
+
|
14
|
+
An `aws_iam_access_key` resource block declares the tests for a single AWS IAM access key. An access key is uniquely identified by its access key id.
|
15
|
+
|
16
|
+
# This is unique - the key will either exist or it won't, but it will never be an error.
|
17
|
+
describe aws_iam_access_key(access_key_id: 'AKIA12345678ABCD') do
|
18
|
+
it { should exist }
|
19
|
+
it { should_not be_active }
|
20
|
+
its('create_date') { should be > Time.now - 365 * 86400 }
|
21
|
+
its('last_used_date') { should be > Time.now - 90 * 86400 }
|
22
|
+
end
|
23
|
+
|
24
|
+
# id is an alias for access_key_id
|
25
|
+
describe aws_iam_access_key(id: 'AKIA12345678ABCD') do
|
26
|
+
# Same
|
27
|
+
end
|
28
|
+
|
29
|
+
|
30
|
+
Access keys are associated with IAM users, who may have zero, one or two access keys. You may also lookup an access key by username. If the user has more than one access key, an error occurs (You may use `aws_iam_access_keys` with the `username` resource parameter to access a user's keys when they have multiple keys.)
|
31
|
+
|
32
|
+
# This is not unique. If the user has zero or one keys, it is not an error.
|
33
|
+
# If they have two, it is an error.
|
34
|
+
describe aws_iam_access_key(username: 'roderick') do
|
35
|
+
it { should exist }
|
36
|
+
it { should be_active }
|
37
|
+
end
|
38
|
+
|
39
|
+
You may also use both username and access key id to ensure that a particular key is associated with a particular user.
|
40
|
+
|
41
|
+
describe aws_iam_access_key(username: 'roderick', access_key_id: 'AKIA12345678ABCD') do
|
42
|
+
it { should exist }
|
43
|
+
end
|
44
|
+
|
45
|
+
<br>
|
46
|
+
|
47
|
+
## Examples
|
48
|
+
|
49
|
+
The following examples show how to use this InSpec audit resource.
|
50
|
+
|
51
|
+
### Test that an IAM access key is not active
|
52
|
+
|
53
|
+
describe aws_iam_access_key(username: 'username', id: 'access-key-id') do
|
54
|
+
it { should_not be_active }
|
55
|
+
end
|
56
|
+
|
57
|
+
### Test that an IAM access key is older than one year
|
58
|
+
|
59
|
+
describe aws_iam_access_key(username: 'username', id: 'access-key-id') do
|
60
|
+
its('create_date') { should be > Time.now - 365 * 86400 }
|
61
|
+
end
|
62
|
+
|
63
|
+
### Test that an IAM access key has been used in the past 90 days
|
64
|
+
|
65
|
+
describe aws_iam_access_key(username: 'username', id: 'access-key-id') do
|
66
|
+
its('last_used_date') { should be > Time.now - 90 * 86400 }
|
67
|
+
end
|
68
|
+
|
69
|
+
<br>
|
70
|
+
|
71
|
+
## Properties
|
72
|
+
|
73
|
+
* `access_key_id`, `create_date`, `last_used_date`, `username`
|
74
|
+
|
75
|
+
<br>
|
76
|
+
|
77
|
+
## Property Examples
|
78
|
+
|
79
|
+
### access\_key\_id
|
80
|
+
|
81
|
+
The unique ID of this access key.
|
82
|
+
|
83
|
+
describe aws_iam_access_key(username: 'bob')
|
84
|
+
its('access_key_id') { should cmp 'AKIA12345678ABCD' }
|
85
|
+
end
|
86
|
+
|
87
|
+
### create\_date
|
88
|
+
|
89
|
+
The date and time, as a Ruby DateTime, at which the access key was created.
|
90
|
+
|
91
|
+
# Is the access key less than a year old?
|
92
|
+
describe aws_iam_access_key(username: 'bob')
|
93
|
+
its('create_date') { should be > Time.now - 365 * 86400 }
|
94
|
+
end
|
95
|
+
|
96
|
+
### last\_used\_date
|
97
|
+
|
98
|
+
The date and time, as a Ruby DateTime, at which the access key was last_used.
|
99
|
+
|
100
|
+
# Has the access key been used in the last year?
|
101
|
+
describe aws_iam_access_key(username: 'bob')
|
102
|
+
its('last_used_date') { should be > Time.now - 365 * 86400 }
|
103
|
+
end
|
104
|
+
|
105
|
+
### username
|
106
|
+
|
107
|
+
The IAM user that owns this key.
|
108
|
+
|
109
|
+
describe aws_iam_access_key(access_key_id: 'AKIA12345678ABCD')
|
110
|
+
its('username') { should cmp 'bob' }
|
111
|
+
end
|
112
|
+
|
113
|
+
<br>
|
114
|
+
|
115
|
+
## Matchers
|
116
|
+
|
117
|
+
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
118
|
+
|
119
|
+
### be\_active
|
120
|
+
|
121
|
+
The `be_active` matcher tests if the described IAM access key is active.
|
122
|
+
|
123
|
+
it { should be_active }
|
@@ -0,0 +1,198 @@
|
|
1
|
+
---
|
2
|
+
title: About the aws_iam_access_keys Resource
|
3
|
+
platform: aws
|
4
|
+
---
|
5
|
+
|
6
|
+
# aws\_iam\_access\_keys
|
7
|
+
|
8
|
+
Use the `aws_iam_access_keys` InSpec audit resource to test properties of some or all IAM Access Keys.
|
9
|
+
|
10
|
+
To test properties of a single Access Key, use the `aws_iam_access_key` resource instead.
|
11
|
+
To test properties of an individual user's access keys, use the `aws_iam_user` resource.
|
12
|
+
|
13
|
+
Access Keys are closely related to AWS User resources. Use this resource to perform audits of all keys or of keys specified by criteria unrelated to any particular user.
|
14
|
+
|
15
|
+
<br>
|
16
|
+
|
17
|
+
## Syntax
|
18
|
+
|
19
|
+
An `aws_iam_access_keys` resource block uses an optional filter to select a group of access keys and then tests that group.
|
20
|
+
|
21
|
+
# Do not allow any access keys
|
22
|
+
describe aws_iam_access_keys do
|
23
|
+
it { should_not exist }
|
24
|
+
end
|
25
|
+
|
26
|
+
# Don't let fred have access keys, using filter argument syntax
|
27
|
+
describe aws_iam_access_keys.where(username: 'fred') do
|
28
|
+
it { should_not exist }
|
29
|
+
end
|
30
|
+
|
31
|
+
# Don't let fred have access keys, using filter block syntax (most flexible)
|
32
|
+
describe aws_iam_access_keys.where { username == 'fred' } do
|
33
|
+
it { should_not exist }
|
34
|
+
end
|
35
|
+
|
36
|
+
<br>
|
37
|
+
|
38
|
+
## Examples
|
39
|
+
|
40
|
+
The following examples show how to use this InSpec audit resource.
|
41
|
+
|
42
|
+
### Disallow access keys created more than 90 days ago
|
43
|
+
|
44
|
+
describe aws_iam_access_keys.where { created_age > 90 } do
|
45
|
+
it { should_not exist }
|
46
|
+
end
|
47
|
+
|
48
|
+
<br>
|
49
|
+
|
50
|
+
## Filter Criteria
|
51
|
+
* `active`, `create_date`, `created_days_ago`, `created_hours_ago`, `created_with_user`, `ever_used`, `inactive`, `last_used_date`, `last_used_hours_ago`, `last_used_days_ago`, `never_used`, `user_created_date`
|
52
|
+
|
53
|
+
<br>
|
54
|
+
|
55
|
+
## Filter Examples
|
56
|
+
|
57
|
+
### active
|
58
|
+
|
59
|
+
A true / false value indicating if an Access Key is currently "Active" (the normal state) in the AWS console. See also: `inactive`.
|
60
|
+
|
61
|
+
# Check if a particular key is enabled
|
62
|
+
describe aws_iam_access_keys.where { active } do
|
63
|
+
its('access_key_ids') { should include('AKIA1234567890ABCDEF')}
|
64
|
+
end
|
65
|
+
|
66
|
+
### create\_date
|
67
|
+
|
68
|
+
A DateTime identifying when the Access Key was created. See also `created_days_ago` and `created_hours_ago`.
|
69
|
+
|
70
|
+
# Detect keys older than 2017
|
71
|
+
describe aws_iam_access_keys.where { create_date < DateTime.parse('2017-01-01') } do
|
72
|
+
it { should_not exist }
|
73
|
+
end
|
74
|
+
|
75
|
+
### created\_days\_ago, created\_hours\_ago
|
76
|
+
|
77
|
+
An integer, representing how old the access key is.
|
78
|
+
|
79
|
+
# Don't allow keys that are older than 90 days
|
80
|
+
describe aws_iam_access_keys.where { created_days_ago > 90 } do
|
81
|
+
it { should_not exist }
|
82
|
+
end
|
83
|
+
|
84
|
+
### created\_with\_user
|
85
|
+
|
86
|
+
A true / false value indicating if the Access Key was likely created at the same time as the user, by checking if the difference between created_date and user_created_date is less than 1 hour.
|
87
|
+
|
88
|
+
# Do not automatically create keys for users
|
89
|
+
describe aws_iam_access_keys.where { created_with_user } do
|
90
|
+
it { should_not exist }
|
91
|
+
end
|
92
|
+
|
93
|
+
### ever\_used
|
94
|
+
|
95
|
+
A true / false value indicating if the Access Key has ever been used, based on the last_used_date. See also: `never_used`.
|
96
|
+
|
97
|
+
# Check to see if a particular key has ever been used
|
98
|
+
describe aws_iam_access_keys.where { ever_used } do
|
99
|
+
its('access_key_ids') { should include('AKIA1234567890ABCDEF')}
|
100
|
+
end
|
101
|
+
|
102
|
+
### inactive
|
103
|
+
|
104
|
+
A true / false value indicating if the Access Key has been marked Inactive in the AWS console. See also: `active`.
|
105
|
+
|
106
|
+
# Don't leave inactive keys laying around
|
107
|
+
describe aws_iam_access_keys.where { inactive } do
|
108
|
+
it { should_not exist }
|
109
|
+
end
|
110
|
+
|
111
|
+
### last\_used\_date
|
112
|
+
|
113
|
+
A DateTime identifying when the Access Key was last used. Returns nil if the key has never been used. See also: `ever_used`, `last_used_days_ago`, `last_used_hours_ago`, and `never_used`.
|
114
|
+
|
115
|
+
# No one should do anything on Mondays
|
116
|
+
describe aws_iam_access_keys.where { ever_used and last_used_date.monday? } do
|
117
|
+
it { should_not exist }
|
118
|
+
end
|
119
|
+
|
120
|
+
### last\_used\_days\_ago, last\_used\_hours\_ago
|
121
|
+
|
122
|
+
An integer representing when the key was last used. See also: `ever_used`, `last_used_date`, and `never_used`.
|
123
|
+
|
124
|
+
# Don't allow keys that sit unused for more than 90 days
|
125
|
+
describe aws_iam_access_keys.where { last_used_days_ago > 90 } do
|
126
|
+
it { should_not exist }
|
127
|
+
end
|
128
|
+
|
129
|
+
### never\_used
|
130
|
+
|
131
|
+
A true / false value indicating if the Access Key has never been used, based on the `last_used_date`. See also: `ever_used`.
|
132
|
+
|
133
|
+
# Don't allow unused keys to lay around
|
134
|
+
describe aws_iam_access_keys.where { never_used } do
|
135
|
+
it { should_not exist }
|
136
|
+
end
|
137
|
+
|
138
|
+
### username
|
139
|
+
|
140
|
+
Searches for access keys owned by the named user. Each user may have zero, one, or two access keys.
|
141
|
+
|
142
|
+
describe aws_iam_access_keys(username: 'bob') do
|
143
|
+
it { should exist }
|
144
|
+
end
|
145
|
+
|
146
|
+
### user\_created\_date
|
147
|
+
|
148
|
+
The date at which the user was created.
|
149
|
+
|
150
|
+
# Users have to be a week old to have a key
|
151
|
+
describe aws_iam_access_keys.where { user_created_date > Date.now - 7 }
|
152
|
+
it { should_not exist }
|
153
|
+
end
|
154
|
+
|
155
|
+
<br>
|
156
|
+
|
157
|
+
## Properties
|
158
|
+
|
159
|
+
* `access_key_ids`, `entries`
|
160
|
+
|
161
|
+
## Property Examples
|
162
|
+
|
163
|
+
### access\_key\_ids
|
164
|
+
|
165
|
+
Provides a list of all access key IDs matched.
|
166
|
+
|
167
|
+
describe aws_iam_access_keys do
|
168
|
+
its('access_key_ids') { should include('AKIA1234567890ABCDEF') }
|
169
|
+
end
|
170
|
+
|
171
|
+
### entries
|
172
|
+
|
173
|
+
Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.
|
174
|
+
|
175
|
+
# Allow at most 100 access keys on the account
|
176
|
+
describe aws_iam_access_keys do
|
177
|
+
its('entries.count') { should be <= 100}
|
178
|
+
end
|
179
|
+
|
180
|
+
<br>
|
181
|
+
|
182
|
+
## Matchers
|
183
|
+
|
184
|
+
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
185
|
+
|
186
|
+
### exists
|
187
|
+
|
188
|
+
The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
|
189
|
+
|
190
|
+
# Sally should have at least one access key
|
191
|
+
describe aws_iam_access_keys.where(username: 'sally') do
|
192
|
+
it { should exist }
|
193
|
+
end
|
194
|
+
|
195
|
+
# Don't let fred have access keys
|
196
|
+
describe aws_iam_access_keys.where(username: 'fred') do
|
197
|
+
it { should_not exist }
|
198
|
+
end
|