inspec 2.3.10 → 2.3.23

Sign up to get free protection for your applications and to get access to all the features.
Files changed (271) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +34 -13
  3. data/etc/plugin_filters.json +25 -0
  4. data/inspec.gemspec +3 -3
  5. data/lib/bundles/inspec-compliance/api.rb +3 -0
  6. data/lib/bundles/inspec-compliance/configuration.rb +3 -0
  7. data/lib/bundles/inspec-compliance/http.rb +3 -0
  8. data/lib/bundles/inspec-compliance/support.rb +3 -0
  9. data/lib/bundles/inspec-compliance/target.rb +3 -0
  10. data/lib/inspec/objects/attribute.rb +3 -0
  11. data/lib/inspec/plugin/v2.rb +3 -0
  12. data/lib/inspec/plugin/v2/filter.rb +62 -0
  13. data/lib/inspec/plugin/v2/installer.rb +21 -1
  14. data/lib/inspec/plugin/v2/loader.rb +4 -0
  15. data/lib/inspec/profile.rb +3 -1
  16. data/lib/inspec/version.rb +1 -1
  17. data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +25 -3
  18. data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb +65 -11
  19. data/lib/plugins/inspec-plugin-manager-cli/test/unit/cli_args_test.rb +5 -1
  20. data/lib/resources/package.rb +1 -1
  21. metadata +5 -253
  22. data/MAINTAINERS.toml +0 -52
  23. data/docs/.gitignore +0 -2
  24. data/docs/README.md +0 -41
  25. data/docs/dev/control-eval.md +0 -62
  26. data/docs/dev/filtertable-internals.md +0 -353
  27. data/docs/dev/filtertable-usage.md +0 -533
  28. data/docs/dev/integration-testing.md +0 -31
  29. data/docs/dev/plugins.md +0 -323
  30. data/docs/dsl_inspec.md +0 -354
  31. data/docs/dsl_resource.md +0 -100
  32. data/docs/glossary.md +0 -381
  33. data/docs/habitat.md +0 -193
  34. data/docs/inspec_and_friends.md +0 -114
  35. data/docs/matchers.md +0 -161
  36. data/docs/migration.md +0 -293
  37. data/docs/platforms.md +0 -119
  38. data/docs/plugin_kitchen_inspec.md +0 -60
  39. data/docs/plugins.md +0 -57
  40. data/docs/profiles.md +0 -576
  41. data/docs/reporters.md +0 -170
  42. data/docs/resources/aide_conf.md.erb +0 -86
  43. data/docs/resources/apache.md.erb +0 -77
  44. data/docs/resources/apache_conf.md.erb +0 -78
  45. data/docs/resources/apt.md.erb +0 -81
  46. data/docs/resources/audit_policy.md.erb +0 -57
  47. data/docs/resources/auditd.md.erb +0 -89
  48. data/docs/resources/auditd_conf.md.erb +0 -78
  49. data/docs/resources/aws_cloudtrail_trail.md.erb +0 -165
  50. data/docs/resources/aws_cloudtrail_trails.md.erb +0 -96
  51. data/docs/resources/aws_cloudwatch_alarm.md.erb +0 -101
  52. data/docs/resources/aws_cloudwatch_log_metric_filter.md.erb +0 -164
  53. data/docs/resources/aws_config_delivery_channel.md.erb +0 -111
  54. data/docs/resources/aws_config_recorder.md.erb +0 -96
  55. data/docs/resources/aws_ebs_volume.md.erb +0 -76
  56. data/docs/resources/aws_ebs_volumes.md.erb +0 -86
  57. data/docs/resources/aws_ec2_instance.md.erb +0 -122
  58. data/docs/resources/aws_ec2_instances.md.erb +0 -89
  59. data/docs/resources/aws_elb.md.erb +0 -154
  60. data/docs/resources/aws_elbs.md.erb +0 -252
  61. data/docs/resources/aws_flow_log.md.erb +0 -128
  62. data/docs/resources/aws_iam_access_key.md.erb +0 -139
  63. data/docs/resources/aws_iam_access_keys.md.erb +0 -214
  64. data/docs/resources/aws_iam_group.md.erb +0 -74
  65. data/docs/resources/aws_iam_groups.md.erb +0 -92
  66. data/docs/resources/aws_iam_password_policy.md.erb +0 -92
  67. data/docs/resources/aws_iam_policies.md.erb +0 -97
  68. data/docs/resources/aws_iam_policy.md.erb +0 -264
  69. data/docs/resources/aws_iam_role.md.erb +0 -79
  70. data/docs/resources/aws_iam_root_user.md.erb +0 -86
  71. data/docs/resources/aws_iam_user.md.erb +0 -130
  72. data/docs/resources/aws_iam_users.md.erb +0 -289
  73. data/docs/resources/aws_kms_key.md.erb +0 -187
  74. data/docs/resources/aws_kms_keys.md.erb +0 -99
  75. data/docs/resources/aws_rds_instance.md.erb +0 -76
  76. data/docs/resources/aws_route_table.md.erb +0 -63
  77. data/docs/resources/aws_route_tables.md.erb +0 -65
  78. data/docs/resources/aws_s3_bucket.md.erb +0 -156
  79. data/docs/resources/aws_s3_bucket_object.md.erb +0 -99
  80. data/docs/resources/aws_s3_buckets.md.erb +0 -69
  81. data/docs/resources/aws_security_group.md.erb +0 -323
  82. data/docs/resources/aws_security_groups.md.erb +0 -107
  83. data/docs/resources/aws_sns_subscription.md.erb +0 -140
  84. data/docs/resources/aws_sns_topic.md.erb +0 -79
  85. data/docs/resources/aws_sns_topics.md.erb +0 -68
  86. data/docs/resources/aws_subnet.md.erb +0 -150
  87. data/docs/resources/aws_subnets.md.erb +0 -142
  88. data/docs/resources/aws_vpc.md.erb +0 -135
  89. data/docs/resources/aws_vpcs.md.erb +0 -135
  90. data/docs/resources/azure_generic_resource.md.erb +0 -183
  91. data/docs/resources/azure_resource_group.md.erb +0 -294
  92. data/docs/resources/azure_virtual_machine.md.erb +0 -357
  93. data/docs/resources/azure_virtual_machine_data_disk.md.erb +0 -234
  94. data/docs/resources/bash.md.erb +0 -85
  95. data/docs/resources/bond.md.erb +0 -100
  96. data/docs/resources/bridge.md.erb +0 -67
  97. data/docs/resources/bsd_service.md.erb +0 -77
  98. data/docs/resources/chocolatey_package.md.erb +0 -68
  99. data/docs/resources/command.md.erb +0 -176
  100. data/docs/resources/cpan.md.erb +0 -89
  101. data/docs/resources/cran.md.erb +0 -74
  102. data/docs/resources/crontab.md.erb +0 -103
  103. data/docs/resources/csv.md.erb +0 -64
  104. data/docs/resources/dh_params.md.erb +0 -221
  105. data/docs/resources/directory.md.erb +0 -40
  106. data/docs/resources/docker.md.erb +0 -240
  107. data/docs/resources/docker_container.md.erb +0 -113
  108. data/docs/resources/docker_image.md.erb +0 -104
  109. data/docs/resources/docker_plugin.md.erb +0 -80
  110. data/docs/resources/docker_service.md.erb +0 -124
  111. data/docs/resources/elasticsearch.md.erb +0 -252
  112. data/docs/resources/etc_fstab.md.erb +0 -135
  113. data/docs/resources/etc_group.md.erb +0 -85
  114. data/docs/resources/etc_hosts.md.erb +0 -88
  115. data/docs/resources/etc_hosts_allow.md.erb +0 -84
  116. data/docs/resources/etc_hosts_deny.md.erb +0 -84
  117. data/docs/resources/file.md.erb +0 -543
  118. data/docs/resources/filesystem.md.erb +0 -51
  119. data/docs/resources/firewalld.md.erb +0 -117
  120. data/docs/resources/gem.md.erb +0 -108
  121. data/docs/resources/group.md.erb +0 -71
  122. data/docs/resources/grub_conf.md.erb +0 -111
  123. data/docs/resources/host.md.erb +0 -96
  124. data/docs/resources/http.md.erb +0 -207
  125. data/docs/resources/iis_app.md.erb +0 -132
  126. data/docs/resources/iis_site.md.erb +0 -145
  127. data/docs/resources/inetd_conf.md.erb +0 -104
  128. data/docs/resources/ini.md.erb +0 -86
  129. data/docs/resources/interface.md.erb +0 -68
  130. data/docs/resources/iptables.md.erb +0 -74
  131. data/docs/resources/json.md.erb +0 -73
  132. data/docs/resources/kernel_module.md.erb +0 -130
  133. data/docs/resources/kernel_parameter.md.erb +0 -63
  134. data/docs/resources/key_rsa.md.erb +0 -95
  135. data/docs/resources/launchd_service.md.erb +0 -67
  136. data/docs/resources/limits_conf.md.erb +0 -85
  137. data/docs/resources/login_defs.md.erb +0 -81
  138. data/docs/resources/mount.md.erb +0 -79
  139. data/docs/resources/mssql_session.md.erb +0 -78
  140. data/docs/resources/mysql_conf.md.erb +0 -109
  141. data/docs/resources/mysql_session.md.erb +0 -84
  142. data/docs/resources/nginx.md.erb +0 -89
  143. data/docs/resources/nginx_conf.md.erb +0 -148
  144. data/docs/resources/npm.md.erb +0 -78
  145. data/docs/resources/ntp_conf.md.erb +0 -70
  146. data/docs/resources/oneget.md.erb +0 -63
  147. data/docs/resources/oracledb_session.md.erb +0 -103
  148. data/docs/resources/os.md.erb +0 -153
  149. data/docs/resources/os_env.md.erb +0 -101
  150. data/docs/resources/package.md.erb +0 -130
  151. data/docs/resources/packages.md.erb +0 -77
  152. data/docs/resources/parse_config.md.erb +0 -113
  153. data/docs/resources/parse_config_file.md.erb +0 -148
  154. data/docs/resources/passwd.md.erb +0 -151
  155. data/docs/resources/pip.md.erb +0 -77
  156. data/docs/resources/port.md.erb +0 -147
  157. data/docs/resources/postgres_conf.md.erb +0 -89
  158. data/docs/resources/postgres_hba_conf.md.erb +0 -103
  159. data/docs/resources/postgres_ident_conf.md.erb +0 -86
  160. data/docs/resources/postgres_session.md.erb +0 -79
  161. data/docs/resources/powershell.md.erb +0 -112
  162. data/docs/resources/processes.md.erb +0 -119
  163. data/docs/resources/rabbitmq_config.md.erb +0 -51
  164. data/docs/resources/registry_key.md.erb +0 -197
  165. data/docs/resources/runit_service.md.erb +0 -67
  166. data/docs/resources/security_policy.md.erb +0 -57
  167. data/docs/resources/service.md.erb +0 -131
  168. data/docs/resources/shadow.md.erb +0 -267
  169. data/docs/resources/ssh_config.md.erb +0 -83
  170. data/docs/resources/sshd_config.md.erb +0 -93
  171. data/docs/resources/ssl.md.erb +0 -129
  172. data/docs/resources/sys_info.md.erb +0 -52
  173. data/docs/resources/systemd_service.md.erb +0 -67
  174. data/docs/resources/sysv_service.md.erb +0 -67
  175. data/docs/resources/upstart_service.md.erb +0 -67
  176. data/docs/resources/user.md.erb +0 -150
  177. data/docs/resources/users.md.erb +0 -137
  178. data/docs/resources/vbscript.md.erb +0 -65
  179. data/docs/resources/virtualization.md.erb +0 -67
  180. data/docs/resources/windows_feature.md.erb +0 -69
  181. data/docs/resources/windows_hotfix.md.erb +0 -63
  182. data/docs/resources/windows_task.md.erb +0 -95
  183. data/docs/resources/wmi.md.erb +0 -91
  184. data/docs/resources/x509_certificate.md.erb +0 -161
  185. data/docs/resources/xinetd_conf.md.erb +0 -166
  186. data/docs/resources/xml.md.erb +0 -95
  187. data/docs/resources/yaml.md.erb +0 -79
  188. data/docs/resources/yum.md.erb +0 -108
  189. data/docs/resources/zfs_dataset.md.erb +0 -63
  190. data/docs/resources/zfs_pool.md.erb +0 -57
  191. data/docs/shared/matcher_be.md.erb +0 -1
  192. data/docs/shared/matcher_cmp.md.erb +0 -43
  193. data/docs/shared/matcher_eq.md.erb +0 -3
  194. data/docs/shared/matcher_include.md.erb +0 -1
  195. data/docs/shared/matcher_match.md.erb +0 -1
  196. data/docs/shell.md +0 -217
  197. data/docs/style.md +0 -178
  198. data/examples/README.md +0 -8
  199. data/examples/custom-resource/README.md +0 -3
  200. data/examples/custom-resource/controls/example.rb +0 -7
  201. data/examples/custom-resource/inspec.yml +0 -8
  202. data/examples/custom-resource/libraries/batsignal.rb +0 -20
  203. data/examples/custom-resource/libraries/gordon.rb +0 -21
  204. data/examples/inheritance/README.md +0 -65
  205. data/examples/inheritance/controls/example.rb +0 -14
  206. data/examples/inheritance/inspec.yml +0 -16
  207. data/examples/kitchen-ansible/.kitchen.yml +0 -25
  208. data/examples/kitchen-ansible/Gemfile +0 -19
  209. data/examples/kitchen-ansible/README.md +0 -53
  210. data/examples/kitchen-ansible/files/nginx.repo +0 -6
  211. data/examples/kitchen-ansible/tasks/main.yml +0 -16
  212. data/examples/kitchen-ansible/test/integration/default/default.yml +0 -5
  213. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +0 -28
  214. data/examples/kitchen-chef/.kitchen.yml +0 -20
  215. data/examples/kitchen-chef/Berksfile +0 -3
  216. data/examples/kitchen-chef/Gemfile +0 -19
  217. data/examples/kitchen-chef/README.md +0 -27
  218. data/examples/kitchen-chef/metadata.rb +0 -7
  219. data/examples/kitchen-chef/recipes/default.rb +0 -6
  220. data/examples/kitchen-chef/recipes/nginx.rb +0 -30
  221. data/examples/kitchen-chef/test/integration/default/web_spec.rb +0 -28
  222. data/examples/kitchen-puppet/.kitchen.yml +0 -23
  223. data/examples/kitchen-puppet/Gemfile +0 -20
  224. data/examples/kitchen-puppet/Puppetfile +0 -25
  225. data/examples/kitchen-puppet/README.md +0 -53
  226. data/examples/kitchen-puppet/manifests/site.pp +0 -33
  227. data/examples/kitchen-puppet/metadata.json +0 -11
  228. data/examples/kitchen-puppet/modules/.gitkeep +0 -0
  229. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +0 -28
  230. data/examples/meta-profile/README.md +0 -37
  231. data/examples/meta-profile/controls/example.rb +0 -13
  232. data/examples/meta-profile/inspec.yml +0 -13
  233. data/examples/plugins/inspec-resource-lister/Gemfile +0 -12
  234. data/examples/plugins/inspec-resource-lister/LICENSE +0 -13
  235. data/examples/plugins/inspec-resource-lister/README.md +0 -62
  236. data/examples/plugins/inspec-resource-lister/Rakefile +0 -40
  237. data/examples/plugins/inspec-resource-lister/inspec-resource-lister.gemspec +0 -45
  238. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister.rb +0 -16
  239. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/cli_command.rb +0 -70
  240. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/plugin.rb +0 -55
  241. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/version.rb +0 -10
  242. data/examples/plugins/inspec-resource-lister/test/fixtures/README.md +0 -24
  243. data/examples/plugins/inspec-resource-lister/test/functional/README.md +0 -18
  244. data/examples/plugins/inspec-resource-lister/test/functional/inspec_resource_lister_test.rb +0 -110
  245. data/examples/plugins/inspec-resource-lister/test/helper.rb +0 -26
  246. data/examples/plugins/inspec-resource-lister/test/unit/README.md +0 -17
  247. data/examples/plugins/inspec-resource-lister/test/unit/cli_args_test.rb +0 -64
  248. data/examples/plugins/inspec-resource-lister/test/unit/plugin_def_test.rb +0 -51
  249. data/examples/profile-attribute.yml +0 -2
  250. data/examples/profile-attribute/README.md +0 -14
  251. data/examples/profile-attribute/controls/example.rb +0 -11
  252. data/examples/profile-attribute/inspec.yml +0 -8
  253. data/examples/profile-aws/controls/iam_password_policy_expiration.rb +0 -8
  254. data/examples/profile-aws/controls/iam_password_policy_max_age.rb +0 -8
  255. data/examples/profile-aws/controls/iam_root_user_mfa.rb +0 -8
  256. data/examples/profile-aws/controls/iam_users_access_key_age.rb +0 -8
  257. data/examples/profile-aws/controls/iam_users_console_users_mfa.rb +0 -8
  258. data/examples/profile-aws/inspec.yml +0 -11
  259. data/examples/profile-azure/controls/azure_resource_group_example.rb +0 -24
  260. data/examples/profile-azure/controls/azure_vm_example.rb +0 -29
  261. data/examples/profile-azure/inspec.yml +0 -11
  262. data/examples/profile-sensitive/README.md +0 -29
  263. data/examples/profile-sensitive/controls/sensitive-failures.rb +0 -9
  264. data/examples/profile-sensitive/controls/sensitive.rb +0 -9
  265. data/examples/profile-sensitive/inspec.yml +0 -8
  266. data/examples/profile/README.md +0 -48
  267. data/examples/profile/controls/example.rb +0 -24
  268. data/examples/profile/controls/gordon.rb +0 -36
  269. data/examples/profile/controls/meta.rb +0 -36
  270. data/examples/profile/inspec.yml +0 -11
  271. data/examples/profile/libraries/gordon_config.rb +0 -59
@@ -1,99 +0,0 @@
1
- ---
2
- title: About the aws_kms_keys Resource
3
- platform: aws
4
- ---
5
-
6
- # aws\_kms\_keys
7
-
8
- Use the `aws_kms_keys` InSpec audit resource to test properties of some or all AWS KMS Keys.
9
-
10
- AWS Key Management Service (KMS) is a managed service that makes creating and controlling your encryption keys for your data easier. KMS uses Hardware Security Modules (HSMs) to protect the security of your keys.
11
-
12
- AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services.
13
-
14
- Each AWS KMS Key is uniquely identified by its key-id or key-arn.
15
-
16
- <br>
17
-
18
- ## Availability
19
-
20
- ### Installation
21
-
22
- This resource is distributed along with InSpec itself. You can use it automatically.
23
-
24
- ### Version
25
-
26
- This resource first became available in v2.0.16 of InSpec.
27
-
28
- ## Syntax
29
-
30
- An `aws_kms_keys` resource block uses an optional filter to select a group of KMS Keys and then tests that group.
31
-
32
- # Verify the number of KMS keys in the AWS account
33
- describe aws_kms_keys do
34
- its('entries.count') { should cmp 10 }
35
- end
36
-
37
- <br>
38
-
39
- ## Examples
40
-
41
- The following examples show how to use this InSpec audit resource.
42
-
43
- As this is the initial release of `aws_kms_keys`, its limited functionality precludes examples.
44
-
45
- <br>
46
-
47
- ## Properties
48
-
49
- * `entries`, `key_arns`, `key_ids`
50
-
51
- <br>
52
-
53
- ## Property Examples
54
-
55
- ### entries
56
-
57
- Provides access to the raw results of a query. This can be useful for checking counts and other advanced operations.
58
-
59
- # Allow at most 100 KMS Keys on the account
60
- describe aws_kms_keys do
61
- its('entries.count') { should be <= 100}
62
- end
63
-
64
- ### key\_arns
65
-
66
- Provides a list of key arns for all KMS Keys in the AWS account.
67
-
68
- describe aws_kms_keys do
69
- its('key_arns') { should include('arn:aws:kms:us-east-1::key/key-id') }
70
- end
71
-
72
- ### key\_ids
73
-
74
- Provides a list of key ids for all KMS Keys in the AWS account.
75
-
76
- describe aws_kms_keys do
77
- its('key_ids') { should include('fd7e608b-f435-4186-b8b5-111111111111') }
78
- end
79
-
80
- <br>
81
-
82
- ## Matchers
83
-
84
- This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
85
-
86
- ### exists
87
-
88
- The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
89
-
90
- # Verify that at least one KMS Key exists.
91
- describe aws_kms_keys
92
- it { should exist }
93
- end
94
-
95
- ## AWS Permissions
96
-
97
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `kms:ListKeys` action with Effect set to Allow.
98
-
99
- You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS Key Management Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html).
@@ -1,76 +0,0 @@
1
- ---
2
- title: About the aws_rds_instance Resource
3
- ---
4
-
5
- # aws\_rds\_instance
6
-
7
- Use the `aws_rds_instance` InSpec audit resource to test detailed properties of an individual RDS instance.
8
-
9
- RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.
10
-
11
- <br>
12
-
13
- ## Availability
14
-
15
- ### Installation
16
-
17
- This resource is distributed along with InSpec itself. You can use it automatically.
18
-
19
- ### Version
20
-
21
- This resource first became available in v2.1.21 of InSpec.
22
-
23
- ## Syntax
24
-
25
- An `aws_rds_instance` resource block uses resource parameters to search for an RDS instance, and then tests that RDS instance. If no RDS instances match, no error is raised, but the `exists` matcher will return `false` and all properties will be `nil`. If more than one RDS instance matches (due to vague search parameters), an error is raised.
26
-
27
- # Ensure you have a RDS instance with a certain ID
28
- # This is "safe" - RDS IDs are unique within an account
29
- describe aws_rds_instance('test-instance-id') do
30
- it { should exist }
31
- end
32
-
33
- # Ensure you have a RDS instance with a certain ID
34
- # This uses hash syntax
35
- describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
36
- it { should exist }
37
- end
38
-
39
- <br>
40
-
41
- ## Examples
42
-
43
- The following examples show how to use this InSpec audit resource.
44
-
45
- As this is the initial release of `aws_rds_instance`, its limited functionality precludes examples.
46
-
47
- <br>
48
-
49
- ## Resource Parameters
50
-
51
- This InSpec resource accepts the following parameters, which are used to search for the RDS instance.
52
-
53
- ### exists
54
-
55
- The control will pass if the specified RDS instance was found. Use should_not if you want to verify that the specified RDS instance does not exist.
56
-
57
- # Using Hash syntax
58
- describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
59
- it { should exist }
60
- end
61
-
62
- # Using the instance id directly from the terraform file
63
- describe aws_rds_instance(fixtures['rds_db_instance_id']) do
64
- it { should exist }
65
- end
66
-
67
- # Make sure we don't have any RDS instances with the name 'nogood'
68
- describe aws_rds_instance('nogood') do
69
- it { should_not exist }
70
- end
71
-
72
- ## AWS Permissions
73
-
74
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `rds:DescribeDBInstances` action with Effect set to Allow.
75
-
76
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html).
@@ -1,63 +0,0 @@
1
- ---
2
- title: About the aws_route_table Resource
3
- platform: aws
4
- ---
5
-
6
- # aws\_route\_table
7
-
8
- Use the `aws_route_table` InSpec audit resource to test properties of a single Route Table. A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
9
-
10
- <br>
11
-
12
- ## Availability
13
-
14
- ### Installation
15
-
16
- This resource is distributed along with InSpec itself. You can use it automatically.
17
-
18
- ### Version
19
-
20
- This resource first became available in v2.0.16 of InSpec.
21
-
22
- ## Syntax
23
-
24
- # Ensure that a certain route table exists by name
25
- describe aws_route_table('rtb-123abcde') do
26
- it { should exist }
27
- end
28
-
29
- ## Resource Parameters
30
-
31
- ### route\_table\_id
32
-
33
- This resource expects a single parameter that uniquely identifies the Route Table. You may pass it as a string, or as the value in a hash:
34
-
35
- describe aws_route_table('rtb-123abcde') do
36
- it { should exist }
37
- end
38
- # Same
39
- describe aws_route_table(route_table_id: 'rtb-123abcde') do
40
- it { should exist }
41
- end
42
-
43
- ## Matchers
44
-
45
- For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
46
-
47
- ### exist
48
-
49
- Indicates that the Route Table provided was found. Use `should_not` to test for Route Tables that should not exist.
50
-
51
- describe aws_route_table('should-be-there') do
52
- it { should exist }
53
- end
54
-
55
- describe aws_route_table('should-not-be-there') do
56
- it { should_not exist }
57
- end
58
-
59
- ## AWS Permissions
60
-
61
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeRouteTables` action with Effect set to Allow.
62
-
63
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
@@ -1,65 +0,0 @@
1
- ---
2
- title: About the aws_route_tables Resource
3
- ---
4
-
5
- # aws\_route\_table
6
-
7
- Use the `aws_route_tables` InSpec audit resource to test properties of all or a group of Route Tables. A Route Table contains a set of rules, called routes, that are used to determine where network traffic is directed.
8
-
9
- <br>
10
-
11
- ## Availability
12
-
13
- ### Installation
14
-
15
- This resource is distributed along with InSpec itself. You can use it automatically.
16
-
17
- ### Version
18
-
19
- This resource first became available in v2.1.30 of InSpec.
20
-
21
- ## Syntax
22
-
23
- # Ensure that there is at least one route table
24
- describe aws_route_tables do
25
- it { should exist }
26
- end
27
-
28
- ## Matchers
29
-
30
- ### exist
31
-
32
- Indicates that at least one Route Table was found. Use should_not to test that no Route Tables should exist.
33
-
34
- describe aws_route_tables do
35
- it { should exist }
36
- end
37
-
38
- describe aws_route_tables do
39
- it { should_not exist }
40
- end
41
-
42
- ## Properties
43
-
44
- ### vpc\_ids
45
-
46
- Lists all VPCs that are in the Route Tables.
47
-
48
- describe aws_route_tables do
49
- its('vpc_ids') { should include 'vpc_12345678' }
50
- end
51
-
52
-
53
- ### route\_table\_ids
54
-
55
- Lists all of the Route Table IDs.
56
-
57
- describe aws_route_tables do
58
- its('route_table_ids') { should include 'rtb-12345678' }
59
- end
60
-
61
- ## AWS Permissions
62
-
63
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeRouteTables` action with Effect set to Allow.
64
-
65
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
@@ -1,156 +0,0 @@
1
- ---
2
- title: About the aws_s3_bucket Resource
3
- platform: aws
4
- ---
5
-
6
- # aws\_s3\_bucket
7
-
8
- Use the `aws_s3_bucket` InSpec audit resource to test properties of a single AWS bucket.
9
-
10
- To test properties of a multiple S3 buckets, use the `aws_s3_buckets` resource.
11
-
12
- <br>
13
-
14
- ## Limitations
15
-
16
- S3 bucket security is a complex matter. For details on how AWS evaluates requests for access, please see [the AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/how-s3-evaluates-access-control.html). S3 buckets and the objects they contain support three different types of access control: bucket ACLs, bucket policies, and object ACLs.
17
-
18
- As of January 2018, this resource supports evaluating bucket ACLs and bucket policies. We do not support evaluating object ACLs because it introduces scalability concerns in the AWS API; we recommend using AWS mechanisms such as CloudTrail and Config to detect insecure object ACLs.
19
-
20
- In particular, users of the `be_public` matcher should carefully examine the conditions under which the matcher will detect an insecure bucket. See the `be_public` section under the Matchers section below.
21
-
22
- <br>
23
-
24
- ## Availability
25
-
26
- ### Installation
27
-
28
- This resource is distributed along with InSpec itself. You can use it automatically.
29
-
30
- ### Version
31
-
32
- This resource first became available in v2.0.16 of InSpec.
33
-
34
- ## Syntax
35
-
36
- An `aws_s3_bucket` resource block declares a bucket by name, and then lists tests to be performed.
37
-
38
- describe aws_s3_bucket(bucket_name: 'test_bucket') do
39
- it { should exist }
40
- it { should_not be_public }
41
- end
42
-
43
- describe aws_s3_bucket('test_bucket') do
44
- it { should exist }
45
- end
46
-
47
- <br>
48
-
49
- ## Examples
50
-
51
- The following examples show how to use this InSpec audit resource.
52
-
53
- ### Test the bucket-level ACL
54
-
55
- describe aws_s3_bucket('test_bucket') do
56
- its('bucket_acl.count') { should eq 1 }
57
- end
58
-
59
- ### Check if a bucket has a bucket policy
60
-
61
- describe aws_s3_bucket('test_bucket') do
62
- its('bucket_policy') { should be_empty }
63
- end
64
-
65
- ### Check if a bucket appears to be exposed to the public
66
-
67
- # See Limitations section above
68
- describe aws_s3_bucket('test_bucket') do
69
- it { should_not be_public }
70
- end
71
- <br>
72
-
73
- ## Properties
74
-
75
- ### region
76
-
77
- The `region` property identifies the AWS Region in which the S3 bucket is located.
78
-
79
- describe aws_s3_bucket('test_bucket') do
80
- # Check if the correct region is set
81
- its('region') { should eq 'us-east-1' }
82
- end
83
-
84
- ## Unsupported Properties
85
-
86
- ### bucket\_acl
87
-
88
- The `bucket_acl` property is a low-level property that lists the individual Bucket ACL grants in effect on the bucket. Other higher-level properties, such as be\_public, are more concise and easier to use. You can use the `bucket_acl` property to investigate which grants are in effect, causing be\_public to fail.
89
-
90
- The value of bucket_acl is an array of simple objects. Each object has a `permission` property and a `grantee` property. The `permission` property will be a string such as 'READ', 'WRITE' etc (See the [AWS documentation](https://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Client.html#get_bucket_acl-instance_method) for a full list). The `grantee` property contains sub-properties, such as `type` and `uri`.
91
-
92
-
93
- bucket_acl = aws_s3_bucket('my-bucket')
94
-
95
- # Look for grants to "AllUsers" (that is, the public)
96
- all_users_grants = bucket_acl.select do |g|
97
- g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/
98
- end
99
-
100
- # Look for grants to "AuthenticatedUsers" (that is, any authenticated AWS user - nearly public)
101
- auth_grants = bucket_acl.select do |g|
102
- g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/
103
- end
104
-
105
- ### bucket\_policy
106
-
107
- The `bucket_policy` is a low-level property that describes the IAM policy document controlling access to the bucket. The `bucket_policy` property returns a Ruby structure that you can probe to check for particular statements. We recommend using a higher-level property, such as `be_public`, which is concise and easier to implement in your policy files.
108
-
109
- The `bucket_policy` property returns an array of simple objects, each object being an IAM Policy Statement. See the [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-2) for details about the structure of this data.
110
-
111
- If there is no bucket policy, this property returns an empty array.
112
-
113
- bucket_policy = aws_s3_bucket('my-bucket')
114
-
115
- # Look for statements that allow the general public to do things
116
- # This may be a false positive; it is possible these statements
117
- # could be protected by conditions, such as IP restrictions.
118
- public_statements = bucket_policy.select do |s|
119
- s.effect == 'Allow' && s.principal == '*'
120
- end
121
-
122
- <br>
123
-
124
- ## Matchers
125
-
126
- This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
127
-
128
- ### be\_public
129
-
130
- The `be_public` matcher tests if the bucket has potentially insecure access controls. This high-level matcher detects several insecure conditions, which may be enhanced in the future. Currently, the matcher reports an insecure bucket if any of the following conditions are met:
131
-
132
- 1. A bucket ACL grant exists for the 'AllUsers' group
133
- 2. A bucket ACL grant exists for the 'AuthenticatedUsers' group
134
- 3. A bucket policy has an effect 'Allow' and principal '*'
135
-
136
- Note: This resource does not detect insecure object ACLs.
137
-
138
- it { should_not be_public }
139
-
140
- ### have\_access\_logging\_enabled
141
-
142
- The `have_access_logging_enabled` matcher tests if access logging is enabled for the s3 bucket.
143
-
144
- it { should have_access_logging_enabled }
145
-
146
- ### have\_default\_encryption\_enabled
147
-
148
- The `have_default_encryption_enabled` matcher tests if default encryption is enabled for the s3 bucket.
149
-
150
- it { should have_default_encryption_enabled }
151
-
152
- ## AWS Permissions
153
-
154
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `s3:GetBucketAcl`, `s3:GetBucketLocation`, `s3:GetBucketLogging`, `s3:GetBucketPolicy`, and `s3:GetEncryptionConfiguration` actions set to allow.
155
-
156
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon S3](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html).