inspec 3.7.1 → 3.7.11
- checksums.yaml +4 -4
- data/Gemfile +7 -2
- data/lib/inspec/config.rb +12 -0
- data/lib/inspec/shell.rb +2 -15
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-habitat/Berksfile +5 -0
- data/lib/plugins/inspec-habitat/README.md +150 -0
- data/lib/plugins/inspec-habitat/kitchen.yml +28 -0
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/cli.rb +9 -9
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb +164 -280
- data/lib/plugins/inspec-habitat/templates/habitat/config/inspec_exec_config.json.erb +25 -0
- data/lib/plugins/inspec-habitat/templates/habitat/default.toml.erb +9 -0
- data/lib/plugins/inspec-habitat/templates/habitat/hooks/run.erb +32 -0
- data/lib/plugins/inspec-habitat/templates/habitat/plan.sh.erb +85 -0
- data/lib/plugins/inspec-habitat/test/cookbooks/inspec_habitat_fixture/Berksfile +2 -0
- data/lib/plugins/inspec-habitat/test/cookbooks/inspec_habitat_fixture/README.md +3 -0
- data/lib/plugins/inspec-habitat/test/cookbooks/inspec_habitat_fixture/files/hab_setup.exp +28 -0
- data/lib/plugins/inspec-habitat/test/cookbooks/inspec_habitat_fixture/metadata.rb +9 -0
- data/lib/plugins/inspec-habitat/test/cookbooks/inspec_habitat_fixture/recipes/default.rb +61 -0
- data/lib/plugins/inspec-habitat/test/functional/inspec_habitat_test.rb +38 -0
- data/lib/plugins/inspec-habitat/test/integration/default/inspec_habitat/README.md +3 -0
- data/lib/plugins/inspec-habitat/test/integration/default/inspec_habitat/controls/inspec_habitat.rb +40 -0
- data/lib/plugins/inspec-habitat/test/integration/default/inspec_habitat/inspec.yml +10 -0
- data/lib/plugins/inspec-habitat/test/support/example_profile/README.md +3 -0
- data/lib/plugins/inspec-habitat/test/support/example_profile/controls/example.rb +7 -0
- data/lib/plugins/inspec-habitat/test/support/example_profile/inspec.yml +10 -0
- data/lib/plugins/inspec-habitat/test/unit/profile_test.rb +188 -132
- data/lib/plugins/inspec-init/templates/profiles/azure/README.md +56 -0
- data/lib/plugins/inspec-init/templates/profiles/azure/controls/example.rb +15 -0
- data/lib/plugins/inspec-init/templates/profiles/azure/inspec.yml +14 -0
- data/lib/plugins/inspec-init/templates/profiles/azure/libraries/.gitkeep +0 -0
- data/lib/plugins/inspec-init/test/functional/inspec_init_profile_test.rb +12 -0
- data/lib/resources/aide_conf.rb +2 -2
- data/lib/resources/apache.rb +2 -2
- data/lib/resources/apache_conf.rb +2 -2
- data/lib/resources/apt.rb +2 -2
- data/lib/resources/audit_policy.rb +2 -2
- data/lib/resources/auditd.rb +2 -2
- data/lib/resources/auditd_conf.rb +2 -2
- data/lib/resources/aws/aws_billing_report.rb +3 -2
- data/lib/resources/aws/aws_billing_reports.rb +11 -10
- data/lib/resources/aws/aws_cloudtrail_trail.rb +2 -2
- data/lib/resources/aws/aws_cloudtrail_trails.rb +2 -2
- data/lib/resources/aws/aws_cloudwatch_alarm.rb +9 -9
- data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb +18 -18
- data/lib/resources/aws/aws_config_delivery_channel.rb +2 -2
- data/lib/resources/aws/aws_config_recorder.rb +2 -2
- data/lib/resources/aws/aws_ebs_volume.rb +2 -2
- data/lib/resources/aws/aws_ebs_volumes.rb +2 -2
- data/lib/resources/aws/aws_ec2_instance.rb +2 -2
- data/lib/resources/aws/aws_ec2_instances.rb +2 -2
- data/lib/resources/aws/aws_ecs_cluster.rb +2 -2
- data/lib/resources/aws/aws_eks_cluster.rb +2 -2
- data/lib/resources/aws/aws_elb.rb +2 -2
- data/lib/resources/aws/aws_elbs.rb +2 -2
- data/lib/resources/aws/aws_flow_log.rb +2 -2
- data/lib/resources/aws/aws_iam_access_key.rb +2 -2
- data/lib/resources/aws/aws_iam_access_keys.rb +2 -2
- data/lib/resources/aws/aws_iam_group.rb +2 -2
- data/lib/resources/aws/aws_iam_groups.rb +2 -2
- data/lib/resources/aws/aws_iam_password_policy.rb +2 -2
- data/lib/resources/aws/aws_iam_policies.rb +2 -2
- data/lib/resources/aws/aws_iam_policy.rb +2 -2
- data/lib/resources/aws/aws_iam_role.rb +2 -2
- data/lib/resources/aws/aws_iam_root_user.rb +2 -2
- data/lib/resources/aws/aws_iam_user.rb +2 -2
- data/lib/resources/aws/aws_iam_users.rb +2 -2
- data/lib/resources/aws/aws_kms_key.rb +2 -2
- data/lib/resources/aws/aws_kms_keys.rb +2 -2
- data/lib/resources/aws/aws_rds_instance.rb +2 -2
- data/lib/resources/aws/aws_route_table.rb +2 -2
- data/lib/resources/aws/aws_route_tables.rb +2 -2
- data/lib/resources/aws/aws_s3_bucket.rb +2 -2
- data/lib/resources/aws/aws_s3_bucket_object.rb +2 -2
- data/lib/resources/aws/aws_s3_buckets.rb +2 -2
- data/lib/resources/aws/aws_security_group.rb +5 -5
- data/lib/resources/aws/aws_security_groups.rb +2 -2
- data/lib/resources/aws/aws_sns_subscription.rb +2 -2
- data/lib/resources/aws/aws_sns_topic.rb +2 -2
- data/lib/resources/aws/aws_sns_topics.rb +2 -2
- data/lib/resources/aws/aws_sqs_queue.rb +2 -2
- data/lib/resources/aws/aws_subnet.rb +2 -2
- data/lib/resources/aws/aws_subnets.rb +2 -2
- data/lib/resources/aws/aws_vpc.rb +2 -2
- data/lib/resources/aws/aws_vpcs.rb +2 -2
- data/lib/resources/bash.rb +2 -2
- data/lib/resources/bond.rb +2 -2
- data/lib/resources/bridge.rb +2 -2
- data/lib/resources/chocolatey_package.rb +2 -2
- data/lib/resources/command.rb +2 -2
- data/lib/resources/cpan.rb +2 -2
- data/lib/resources/cran.rb +2 -2
- data/lib/resources/crontab.rb +2 -2
- data/lib/resources/csv.rb +2 -2
- data/lib/resources/dh_params.rb +2 -2
- data/lib/resources/directory.rb +2 -2
- data/lib/resources/docker.rb +2 -2
- data/lib/resources/docker_container.rb +2 -2
- data/lib/resources/docker_image.rb +2 -2
- data/lib/resources/docker_plugin.rb +2 -2
- data/lib/resources/docker_service.rb +2 -2
- data/lib/resources/elasticsearch.rb +2 -2
- data/lib/resources/etc_fstab.rb +2 -2
- data/lib/resources/etc_group.rb +2 -2
- data/lib/resources/etc_hosts.rb +2 -2
- data/lib/resources/etc_hosts_allow_deny.rb +4 -4
- data/lib/resources/file.rb +2 -2
- data/lib/resources/filesystem.rb +2 -2
- data/lib/resources/firewalld.rb +2 -2
- data/lib/resources/gem.rb +2 -2
- data/lib/resources/groups.rb +4 -4
- data/lib/resources/grub_conf.rb +2 -2
- data/lib/resources/host.rb +2 -2
- data/lib/resources/http.rb +25 -5
- data/lib/resources/iis_app.rb +2 -2
- data/lib/resources/iis_app_pool.rb +6 -3
- data/lib/resources/iis_site.rb +4 -4
- data/lib/resources/inetd_conf.rb +2 -2
- data/lib/resources/ini.rb +2 -2
- data/lib/resources/interface.rb +2 -2
- data/lib/resources/iptables.rb +2 -2
- data/lib/resources/json.rb +2 -3
- data/lib/resources/kernel_module.rb +17 -18
- data/lib/resources/kernel_parameter.rb +2 -2
- data/lib/resources/key_rsa.rb +2 -2
- data/lib/resources/ksh.rb +2 -2
- data/lib/resources/limits_conf.rb +2 -2
- data/lib/resources/login_def.rb +2 -2
- data/lib/resources/mount.rb +2 -2
- data/lib/resources/mssql_session.rb +2 -2
- data/lib/resources/mysql_conf.rb +2 -2
- data/lib/resources/mysql_session.rb +2 -2
- data/lib/resources/nginx.rb +2 -2
- data/lib/resources/nginx_conf.rb +2 -2
- data/lib/resources/npm.rb +2 -2
- data/lib/resources/ntp_conf.rb +2 -2
- data/lib/resources/oneget.rb +2 -2
- data/lib/resources/oracledb_session.rb +2 -2
- data/lib/resources/os.rb +2 -2
- data/lib/resources/os_env.rb +2 -2
- data/lib/resources/package.rb +2 -2
- data/lib/resources/packages.rb +2 -2
- data/lib/resources/parse_config.rb +4 -4
- data/lib/resources/passwd.rb +2 -2
- data/lib/resources/pip.rb +2 -2
- data/lib/resources/platform.rb +2 -2
- data/lib/resources/port.rb +2 -2
- data/lib/resources/postgres_conf.rb +2 -2
- data/lib/resources/postgres_hba_conf.rb +2 -2
- data/lib/resources/postgres_ident_conf.rb +2 -2
- data/lib/resources/postgres_session.rb +2 -2
- data/lib/resources/powershell.rb +2 -2
- data/lib/resources/processes.rb +2 -2
- data/lib/resources/rabbitmq_conf.rb +2 -2
- data/lib/resources/registry_key.rb +2 -2
- data/lib/resources/security_identifier.rb +2 -2
- data/lib/resources/security_policy.rb +2 -2
- data/lib/resources/service.rb +14 -14
- data/lib/resources/shadow.rb +2 -2
- data/lib/resources/ssh_conf.rb +4 -4
- data/lib/resources/ssl.rb +2 -2
- data/lib/resources/sys_info.rb +2 -2
- data/lib/resources/toml.rb +2 -2
- data/lib/resources/users.rb +4 -4
- data/lib/resources/vbscript.rb +2 -2
- data/lib/resources/virtualization.rb +2 -2
- data/lib/resources/windows_feature.rb +2 -2
- data/lib/resources/windows_hotfix.rb +2 -2
- data/lib/resources/windows_task.rb +2 -2
- data/lib/resources/wmi.rb +2 -2
- data/lib/resources/x509_certificate.rb +2 -2
- data/lib/resources/xinetd.rb +2 -2
- data/lib/resources/xml.rb +2 -2
- data/lib/resources/yaml.rb +2 -2
- data/lib/resources/yum.rb +2 -2
- data/lib/resources/zfs_dataset.rb +2 -2
- data/lib/resources/zfs_pool.rb +2 -2
- metadata +26 -4
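--- /dev/null
+++ b/data/lib/plugins/inspec-init/templates/profiles/azure/README.md
@@ -0,0 +1,56 @@
+# Example InSpec Profile For Azure
+
+This example shows the implementation of an InSpec profile for Azure. See [https://github.com/inspec/inspec-azure](https://github.com/inspec/inspec-azure) for details on how to configure credentials for your subscription.
+
+## Create a profile
+
+```
+$ inspec init profile --platform azure my-profile
+
+─────────────────────────── InSpec Code Generator ───────────────────────────
+
+Creating new profile at /Users/spaterson/my-profile
+• Creating directory libraries
+• Creating file README.md
+• Creating directory controls
+• Creating file controls/example.rb
+• Creating file inspec.yml
+• Creating file libraries/.gitkeep
+
+```
+
+## Run the tests
+
+```
+$ cd my-profile/
+$ inspec exec . -t azure://
+
+
+Profile: Azure InSpec Profile (my-profile)
+Version: 0.1.0
+Target: azure://12345abc-987d-654e-fg21-abcdef23324r
+
+× azure-virtual-machines-exist-check: Check resource groups to see if any VMs exist. (4 failed)
+× Azure Virtual Machines should exist
+expected Azure Virtual Machines to exist
+× Azure Virtual Machines should exist
+expected Azure Virtual Machines to exist
+× Azure Virtual Machines should exist
+expected Azure Virtual Machines to exist
+× Azure Virtual Machines should exist
+expected Azure Virtual Machines to exist
+✔ Azure Virtual Machines should exist
+✔ Azure Virtual Machines should exist
+✔ Azure Virtual Machines should exist
+
+
+Profile: Azure Resource Pack (inspec-azure)
+Version: 1.2.0
+Target: azure://12345abc-987d-654e-fg21-abcdef23324r
+
+No tests executed.
+
+Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
+Test Summary: 3 successful, 4 failures, 0 skipped
+
+```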
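--- /dev/null
+++ b/data/lib/plugins/inspec-init/templates/profiles/azure/controls/example.rb
@@ -0,0 +1,15 @@
+# encoding: utf-8
+# copyright: 2018, The Authors
+
+title 'Sample Section'
+
+# you add controls here
+control 'azure-virtual-machines-exist-check' do # A unique ID for this control.
+impact 1.0 # The criticality, if this control fails.
+title 'Check resource groups to see if any VMs exist.' # A human-readable title
+azurerm_resource_groups.names.each do |resource_group_name| # Plural resources can be leveraged to loop across many resources
+describe azurerm_virtual_machines(resource_group: resource_group_name) do
+it { should exist } # The test itself.
+end
+end
+end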
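--- /dev/null
+++ b/data/lib/plugins/inspec-init/templates/profiles/azure/inspec.yml
@@ -0,0 +1,14 @@
+name: <%= name %>
+title: Azure InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile For Azure
+version: 0.1.0
+inspec_version: '>= 2.2.7'
+depends:
+- name: inspec-azure
+url: https://github.com/inspec/inspec-azure/archive/master.tar.gz
+supports:
+- platform: azure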
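Review bot: The dependency on line 12 of the generated inspec.yml points at `https://github.com/inspec/inspec-azure/archive/master.tar.gz`, so every profile created from this template fetches whatever is on inspec-azure's master branch at run time, with no version, tag or checksum pinning what the controls actually execute against. A template that users copy into real profiles should pin the resource pack to a released tag so runs are reproducible and a change to master cannot silently alter the checks, e.g. `url: https://github.com/inspec/inspec-azure/archive/<release-tag>.tar.gz` (placeholder tag), or the `git:` form with a `tag:` key that the profile dependency DSL supports. The README in this same commit shows the resource pack at `Version: 1.2.0`, which would be a natural value to pin.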
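--- a/data/lib/plugins/inspec-init/test/functional/inspec_init_profile_test.rb
+++ b/data/lib/plugins/inspec-init/test/functional/inspec_init_profile_test.rb
@@ -74,6 +74,18 @@ class InitCli < MiniTest::Test
 end
 end
 
+def test_generating_inspec_profile_azure
+Dir.mktmpdir do |dir|
+profile = File.join(dir, 'test-azure-profile')
+out = run_inspec_process("init profile --platform azure test-azure-profile", prefix: "cd #{dir} &&")
+assert_equal 0, out.exit_status
+assert_includes out.stdout, 'Creating new profile at'
+assert_includes out.stdout, profile
+assert_includes Dir.entries(profile).join, 'inspec.yml'
+assert_includes Dir.entries(profile).join, 'README.md'
+end
+end
+
 def test_generating_inspec_profile_os
 Dir.mktmpdir do |dir|
 profile = File.join(dir, 'test-os-profile')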
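Review bot: The directory assertions on lines 84–85 join every entry of the new profile directory into one string before checking it, so `assert_includes Dir.entries(profile).join, 'inspec.yml'` passes on any file name that merely contains that substring and would not catch a misnamed `inspec.yml.erb`, for example; asserting on the array is stricter and gives a better failure message: `assert_includes Dir.entries(profile), 'inspec.yml'` and `assert_includes Dir.entries(profile), 'README.md'`. The test also stops at the two top-level files, while the generator output shown in this commit's README lists `controls/example.rb` and `libraries/.gitkeep` as well; a `assert File.exist?(File.join(profile, 'controls', 'example.rb'))` would cover the control scaffold that the azure template actually differs in. The enclosing class `InitCli` begins outside the hunk.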
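--- a/data/lib/resources/aide_conf.rb
+++ b/data/lib/resources/aide_conf.rb
@@ -9,7 +9,7 @@ module Inspec::Resources
 supports platform: 'unix'
 desc 'Use the aide_conf InSpec audit resource to test the rules established for
 the file integrity tool AIDE. Controlled by the aide.conf file typically at /etc/aide.conf.'
-example
+example <<~EXAMPLE
 describe aide_conf do
 its('selection_lines') { should include '/sbin' }
 end
@@ -21,7 +21,7 @@ module Inspec::Resources
 describe aide_conf.all_have_rule('sha512') do
 it { should eq true }
 end
-
+EXAMPLE
 
 attr_reader :params
 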
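--- a/data/lib/resources/apache.rb
+++ b/data/lib/resources/apache.rb
@@ -6,7 +6,7 @@ module Inspec::Resources
 name 'apache'
 supports platform: 'unix'
 desc 'Use the apache InSpec audit resource to retrieve Apache environment settings.'
-example
+example <<~EXAMPLE
 describe apache do
 its ('service') { should cmp 'apache2' }
 end
@@ -22,7 +22,7 @@ module Inspec::Resources
 describe apache do
 its ('user') { should cmp 'www-data' }
 end
-
+EXAMPLE
 
 attr_reader :service, :conf_dir, :conf_path, :user
 def initialize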
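--- a/data/lib/resources/apache_conf.rb
+++ b/data/lib/resources/apache_conf.rb
@@ -11,11 +11,11 @@ module Inspec::Resources
 supports platform: 'linux'
 supports platform: 'debian'
 desc 'Use the apache_conf InSpec audit resource to test the configuration settings for Apache. This file is typically located under /etc/apache2 on the Debian and Ubuntu platforms and under /etc/httpd on the Fedora, CentOS, Red Hat Enterprise Linux, and Arch Linux platforms. The configuration settings may vary significantly from platform to platform.'
-example
+example <<~EXAMPLE
 describe apache_conf do
 its('setting_name') { should eq 'value' }
 end
-
+EXAMPLE
 
 include FindFiles
 include FileReader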
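--- a/data/lib/resources/apt.rb
+++ b/data/lib/resources/apt.rb
@@ -31,12 +31,12 @@ module Inspec::Resources
 name 'apt'
 supports platform: 'unix'
 desc 'Use the apt InSpec audit resource to verify Apt repositories on the Debian and Ubuntu platforms, and also PPA repositories on the Ubuntu platform.'
-example
+example <<~EXAMPLE
 describe apt('nginx/stable') do
 it { should exist }
 it { should be_enabled }
 end
-
+EXAMPLE
 
 def initialize(ppa_name)
 @deb_url = nil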
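--- a/data/lib/resources/audit_policy.rb
+++ b/data/lib/resources/audit_policy.rb
@@ -26,11 +26,11 @@ module Inspec::Resources
 name 'audit_policy'
 supports platform: 'windows'
 desc 'Use the audit_policy InSpec audit resource to test auditing policies on the Microsoft Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each enabled auditing category property, the auditing level may be set to No Auditing, Not Specified, Success, Success and Failure, or Failure.'
-example
+example <<~EXAMPLE
 describe audit_policy do
 its('parameter') { should eq 'value' }
 end
-
+EXAMPLE
 
 def method_missing(method)
 key = method.to_s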
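--- a/data/lib/resources/auditd.rb
+++ b/data/lib/resources/auditd.rb
@@ -14,7 +14,7 @@ module Inspec::Resources
 name 'auditd'
 supports platform: 'unix'
 desc 'Use the auditd InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files. These rules are output using the auditcl -l command.'
-example
+example <<~EXAMPLE
 describe auditd.syscall('chown').where {arch == 'b32'} do
 its('action') { should eq ['always'] }
 its('list') { should eq ['exit'] }
@@ -27,7 +27,7 @@ module Inspec::Resources
 describe auditd do
 its('lines') { should include %r(-w /etc/ssh/sshd_config) }
 end
-
+EXAMPLE
 
 def initialize
 unless inspec.command('/sbin/auditctl').exist?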
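--- a/data/lib/resources/auditd_conf.rb
+++ b/data/lib/resources/auditd_conf.rb
@@ -9,11 +9,11 @@ module Inspec::Resources
 name 'auditd_conf'
 supports platform: 'unix'
 desc "Use the auditd_conf InSpec audit resource to test the configuration settings for the audit daemon. This file is typically located under /etc/audit/auditd.conf' on UNIX and Linux platforms."
-example
+example <<~EXAMPLE
 describe auditd_conf do
 its('space_left_action') { should eq 'email' }
 end
-
+EXAMPLE
 
 include FileReader
 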
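--- a/data/lib/resources/aws/aws_billing_report.rb
+++ b/data/lib/resources/aws/aws_billing_report.rb
@@ -2,7 +2,7 @@ class AwsBillingReport < Inspec.resource(1)
 name 'aws_billing_report'
 supports platform: 'aws'
 desc 'Verifies settings for AWS Cost and Billing Reports.'
-example
+example <<~EXAMPLE
 describe aws_billing_report('inspec1') do
 its('report_name') { should cmp 'inspec1' }
 its('time_unit') { should cmp 'hourly' }
@@ -10,7 +10,8 @@ class AwsBillingReport < Inspec.resource(1)
 
 describe aws_billing_report(report: 'inspec1') do
 it { should exist }
-end
+end
+EXAMPLE
 
 include AwsSingularResourceMixin
 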
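--- a/data/lib/resources/aws/aws_billing_reports.rb
+++ b/data/lib/resources/aws/aws_billing_reports.rb
@@ -4,17 +4,18 @@ class AwsBillingReports < Inspec.resource(1)
 name 'aws_billing_reports'
 supports platform: 'aws'
 desc 'Verifies settings for AWS Cost and Billing Reports.'
-example
-
-
-
-
+example <<~EXAMPLE
+describe aws_billing_reports do
+its('report_names') { should include 'inspec1' }
+its('s3_buckets') { should include 'inspec1-s3-bucket' }
+end
 
-
-
-
-
-
+describe aws_billing_reports.where { report_name =~ /inspec.*/ } do
+its ('report_names') { should include ['inspec1'] }
+its ('time_units') { should include ['DAILY'] }
+its ('s3_buckets') { should include ['inspec1-s3-bucket'] }
+end
+EXAMPLE
 
 include AwsPluralResourceMixin
 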
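Review bot: The second example on lines 14–16 wraps each expected value in an array (`should include ['inspec1']`) while the first example on lines 9–10 uses the bare string (`should include 'inspec1'`); if `report_names` returns a flat array of strings, the array form presumably asks for an element equal to `['inspec1']` and would not match, so the two examples disagree about how the resource is used. Unless the `where`-filtered form really returns nested arrays, the bracketed lines should read `its('report_names') { should include 'inspec1' }`, and likewise for `time_units` and `s3_buckets`. The space in `its ('report_names')` is also a style nit that the lines in the first example avoid.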
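--- a/data/lib/resources/aws/aws_cloudtrail_trail.rb
+++ b/data/lib/resources/aws/aws_cloudtrail_trail.rb
@@ -1,11 +1,11 @@
 class AwsCloudTrailTrail < Inspec.resource(1)
 name 'aws_cloudtrail_trail'
 desc 'Verifies settings for an individual AWS CloudTrail Trail'
-example
+example <<~EXAMPLE
 describe aws_cloudtrail_trail('trail-name') do
 it { should exist }
 end
-
+EXAMPLE
 
 supports platform: 'aws'
 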
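--- a/data/lib/resources/aws/aws_cloudtrail_trails.rb
+++ b/data/lib/resources/aws/aws_cloudtrail_trails.rb
@@ -1,11 +1,11 @@
 class AwsCloudTrailTrails < Inspec.resource(1)
 name 'aws_cloudtrail_trails'
 desc 'Verifies settings for AWS CloudTrail Trails in bulk'
-example
+example <<~EXAMPLE
 describe aws_cloudtrail_trails do
 it { should exist }
 end
-
+EXAMPLE
 supports platform: 'aws'
 
 include AwsPluralResourceMixin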
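--- a/data/lib/resources/aws/aws_cloudwatch_alarm.rb
+++ b/data/lib/resources/aws/aws_cloudwatch_alarm.rb
@@ -1,14 +1,14 @@
 class AwsCloudwatchAlarm < Inspec.resource(1)
 name 'aws_cloudwatch_alarm'
-desc
-
-
-
-
-
-
-
-
+desc <<~EXAMPLE
+# Look for a specific alarm
+aws_cloudwatch_alarm(
+metric_name: 'my-metric-name',
+metric_namespace: 'my-metric-namespace',
+) do
+it { should exist }
+end
+EXAMPLE
 supports platform: 'aws'
 
 include AwsSingularResourceMixin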
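Review bot: Line 3 passes the sample control to `desc` rather than `example`, so this resource's description becomes the example text and it ends up with no `desc`/`example` pair, unlike every other resource in this commit (`aws_cloudtrail_trail`, `aws_config_recorder` and the rest use `desc '...'` followed by `example <<~EXAMPLE`). It looks like a slip in the heredoc conversion: change `desc <<~EXAMPLE` to `example <<~EXAMPLE` and add a one-line `desc 'Verifies settings for an AWS CloudWatch Alarm'` (constructed wording) above it. The body is also the only example here that omits the `describe` keyword before `aws_cloudwatch_alarm(`, which anyone copying it into a control will need.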
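--- a/data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb
+++ b/data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb
@@ -1,25 +1,25 @@
 class AwsCloudwatchLogMetricFilter < Inspec.resource(1)
 name 'aws_cloudwatch_log_metric_filter'
 desc 'Verifies individual Cloudwatch Log Metric Filters'
-example
-
-
-
-
-
-
-
-
+example <<~EXAMPLE
+# Look for a LMF by its filter name and log group name. This combination
+# will always either find at most one LMF - no duplicates.
+describe aws_cloudwatch_log_metric_filter(
+filter_name: 'my-filter',
+log_group_name: 'my-log-group'
+) do
+it { should exist }
+end
 
-
-
-
-
-
-
-
-
-
+# Search for an LMF by pattern and log group.
+# This could result in an error if the results are not unique.
+describe aws_cloudwatch_log_metric_filter(
+log_group_name: 'my-log-group',
+pattern: 'my-filter'
+) do
+it { should exist }
+end
+EXAMPLE
 supports platform: 'aws'
 include AwsSingularResourceMixin
 attr_reader :filter_name, :log_group_name, :metric_name, :metric_namespace, :pattern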
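--- a/data/lib/resources/aws/aws_config_delivery_channel.rb
+++ b/data/lib/resources/aws/aws_config_delivery_channel.rb
@@ -1,13 +1,13 @@
 class AwsConfigDeliveryChannel < Inspec.resource(1)
 name 'aws_config_delivery_channel'
 desc 'Verifies settings for AWS Config Delivery Channel'
-example
+example <<~EXAMPLE
 describe aws_config_delivery_channel do
 it { should exist }
 its('s3_bucket_name') { should eq 'my_bucket' }
 its('sns_topic_arn') { should eq arn:aws:sns:us-east-1:721741954427:sns_topic' }
 end
-
+EXAMPLE
 supports platform: 'aws'
 
 include AwsSingularResourceMixin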
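Review bot: The example text now wrapped in the heredoc still carries a broken literal on line 8, `should eq arn:aws:sns:us-east-1:721741954427:sns_topic'`, which is missing its opening quote and would be a syntax error in any control that copies it. Since this commit already rewrites the surrounding `example` lines, it is the natural place to fix it: `its('sns_topic_arn') { should eq 'arn:aws:sns:us-east-1:721741954427:sns_topic' }`. Documentation examples conventionally use an obviously fake account id such as `123456789012` rather than one that could be a real account.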
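--- a/data/lib/resources/aws/aws_config_recorder.rb
+++ b/data/lib/resources/aws/aws_config_recorder.rb
@@ -1,14 +1,14 @@
 class AwsConfigurationRecorder < Inspec.resource(1)
 name 'aws_config_recorder'
 desc 'Verifies settings for AWS Configuration Recorder'
-example
+example <<~EXAMPLE
 describe aws_config_recorder('My_Recorder') do
 it { should exist }
 it { should be_recording }
 it { should be_all_supported }
 it { should have_include_global_resource_types }
 end
-
+EXAMPLE
 supports platform: 'aws'
 
 include AwsSingularResourceMixin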
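--- a/data/lib/resources/aws/aws_ebs_volume.rb
+++ b/data/lib/resources/aws/aws_ebs_volume.rb
@@ -2,7 +2,7 @@ class AwsEbsVolume < Inspec.resource(1)
 name 'aws_ebs_volume'
 desc 'Verifies settings for an EBS volume'
 
-example
+example <<~EXAMPLE
 describe aws_ebs_volume('vol-123456') do
 it { should be_encrypted }
 its('size') { should cmp 8 }
@@ -12,7 +12,7 @@ class AwsEbsVolume < Inspec.resource(1)
 its('encrypted') { should eq true }
 its('iops') { should cmp 100 }
 end
-
+EXAMPLE
 supports platform: 'aws'
 
 # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin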
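--- a/data/lib/resources/aws/aws_ebs_volumes.rb
+++ b/data/lib/resources/aws/aws_ebs_volumes.rb
@@ -1,11 +1,11 @@
 class AwsEbsVolumes < Inspec.resource(1)
 name 'aws_ebs_volumes'
 desc 'Verifies settings for AWS EBS Volumes in bulk'
-example
+example <<~EXAMPLE
 describe aws_ebs_volumes do
 it { should exist }
 end
-
+EXAMPLE
 supports platform: 'aws'
 
 include AwsPluralResourceMixin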
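--- a/data/lib/resources/aws/aws_ec2_instance.rb
+++ b/data/lib/resources/aws/aws_ec2_instance.rb
@@ -3,7 +3,7 @@ class AwsEc2Instance < Inspec.resource(1)
 name 'aws_ec2_instance'
 desc 'Verifies settings for an EC2 instance'
 
-example
+example <<~EXAMPLE
 describe aws_ec2_instance('i-123456') do
 it { should be_running }
 it { should have_roles }
@@ -13,7 +13,7 @@ class AwsEc2Instance < Inspec.resource(1)
 it { should be_running }
 it { should have_roles }
 end
-
+EXAMPLE
 supports platform: 'aws'
 
 # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin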