inspec 2.0.17 → 2.0.32
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +28 -7
- data/MAINTAINERS.md +3 -1
- data/MAINTAINERS.toml +6 -1
- data/README.md +3 -4
- data/Rakefile +60 -22
- data/docs/matchers.md +15 -12
- data/docs/resources/auditd.md.erb +3 -3
- data/docs/resources/aws_config_recorder.md.erb +71 -0
- data/docs/resources/aws_ec2_instance.md.erb +1 -1
- data/docs/resources/aws_iam_policy.md.erb +2 -4
- data/docs/resources/aws_iam_role.md.erb +12 -14
- data/docs/resources/aws_route_table.md.erb +12 -12
- data/docs/resources/aws_security_group.md.erb +5 -6
- data/docs/resources/aws_security_groups.md.erb +2 -3
- data/docs/resources/aws_sns_topic.md.erb +12 -12
- data/docs/resources/crontab.md.erb +2 -1
- data/docs/resources/dh_params.md.erb +1 -13
- data/docs/resources/docker.md.erb +74 -19
- data/docs/resources/host.md.erb +17 -9
- data/docs/resources/http.md.erb +113 -17
- data/docs/resources/json.md.erb +6 -5
- data/docs/resources/kernel_module.md.erb +29 -16
- data/docs/shell.md +62 -19
- data/lib/inspec/plugins/resource.rb +9 -7
- data/lib/inspec/runner.rb +3 -2
- data/lib/inspec/runner_rspec.rb +1 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/resource_support/aws.rb +1 -0
- data/lib/resources/aws/aws_config_recorder.rb +98 -0
- data/lib/resources/http.rb +1 -1
- data/lib/resources/package.rb +8 -1
- data/lib/resources/parse_config.rb +1 -1
- data/lib/resources/virtualization.rb +4 -8
- data/lib/utils/database_helpers.rb +1 -1
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 00731d7ba23826e1f9ad7f39c7933d5c9518bf4f
|
|
4
|
+
data.tar.gz: 92ec9aee2d0a554623e0d10da40f5c2c5340a0c3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8c9287685dfbef7033537051a64a7fd55e96191835be97349912abd8a172926a81d0f579443afdb2c8ad1c0e21808369cedfb8ece8e5d832edbed99702c0b44b
|
|
7
|
+
data.tar.gz: 955962215c0e09d23721d34c13fb72f35399d7a8b33ef61ac04e5e6afedad3b7a6fdd6ee00c71e6ac4643ce8272a722f9ddcd8f35b42814dab674f811c311250
|
data/CHANGELOG.md
CHANGED
|
@@ -1,20 +1,42 @@
|
|
|
1
1
|
# Change Log
|
|
2
2
|
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
|
|
3
|
-
<!-- latest_release 2.0.
|
|
4
|
-
## [v2.0.
|
|
3
|
+
<!-- latest_release 2.0.32 -->
|
|
4
|
+
## [v2.0.32](https://github.com/chef/inspec/tree/v2.0.32) (2018-03-01)
|
|
5
5
|
|
|
6
6
|
#### Merged Pull Requests
|
|
7
|
-
-
|
|
7
|
+
- mssql_session - Handling cases where the data is nil [#2752](https://github.com/chef/inspec/pull/2752) ([frezbo](https://github.com/frezbo))
|
|
8
8
|
<!-- latest_release -->
|
|
9
9
|
|
|
10
|
-
<!-- release_rollup since=2.0.
|
|
11
|
-
### Changes since 2.0.
|
|
10
|
+
<!-- release_rollup since=2.0.17 -->
|
|
11
|
+
### Changes since 2.0.17 release
|
|
12
|
+
|
|
13
|
+
#### Bug Fixes
|
|
14
|
+
- package resource: Fix `brew` package detection [#2730](https://github.com/chef/inspec/pull/2730) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.0.21 -->
|
|
12
15
|
|
|
13
16
|
#### Merged Pull Requests
|
|
14
|
-
-
|
|
17
|
+
- mssql_session - Handling cases where the data is nil [#2752](https://github.com/chef/inspec/pull/2752) ([frezbo](https://github.com/frezbo)) <!-- 2.0.32 -->
|
|
18
|
+
- Docs: Clarify Matchers page to speak about Universal matchers [#2754](https://github.com/chef/inspec/pull/2754) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.0.31 -->
|
|
19
|
+
- virtualization_resource: Fix `NoMethodError` on `nil:NilClass` [#2603](https://github.com/chef/inspec/pull/2603) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.0.30 -->
|
|
20
|
+
- Updated omnibus `postinst` script to symlink to appbundle created binstubs [#2732](https://github.com/chef/inspec/pull/2732) ([miah](https://github.com/miah)) <!-- 2.0.29 -->
|
|
21
|
+
- New Resource aws_config_recorder [#2635](https://github.com/chef/inspec/pull/2635) ([dromazmj](https://github.com/dromazmj)) <!-- 2.0.28 -->
|
|
22
|
+
- http resource: Support OPTIONS method [#2742](https://github.com/chef/inspec/pull/2742) ([cbeckr](https://github.com/cbeckr)) <!-- 2.0.27 -->
|
|
23
|
+
- Ensure we have a proper exit code and report data for ad-hoc runners [#2747](https://github.com/chef/inspec/pull/2747) ([jquick](https://github.com/jquick)) <!-- 2.0.26 -->
|
|
24
|
+
- Various small fixes/adjustments to the integration tests for AWS and Azure [#2745](https://github.com/chef/inspec/pull/2745) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.0.25 -->
|
|
25
|
+
- Move AWS/Azure tests to integration directory [#2675](https://github.com/chef/inspec/pull/2675) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.0.24 -->
|
|
26
|
+
- Fix inspec check to work with platforms [#2737](https://github.com/chef/inspec/pull/2737) ([jquick](https://github.com/jquick)) <!-- 2.0.23 -->
|
|
27
|
+
- Reword `it` block in `inspec check` tests to match actual test [#2721](https://github.com/chef/inspec/pull/2721) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.0.22 -->
|
|
28
|
+
- Update maintainers file [#2728](https://github.com/chef/inspec/pull/2728) ([jquick](https://github.com/jquick)) <!-- 2.0.20 -->
|
|
29
|
+
- remove release-2.0 branch from Travis [#2718](https://github.com/chef/inspec/pull/2718) ([juliandunn](https://github.com/juliandunn)) <!-- 2.0.19 -->
|
|
30
|
+
- InSpec SEO [#2725](https://github.com/chef/inspec/pull/2725) ([hannah-radish](https://github.com/hannah-radish)) <!-- 2.0.18 -->
|
|
15
31
|
<!-- release_rollup -->
|
|
16
32
|
|
|
17
33
|
<!-- latest_stable_release -->
|
|
34
|
+
## [v2.0.17](https://github.com/chef/inspec/tree/v2.0.17) (2018-02-20)
|
|
35
|
+
|
|
36
|
+
#### Merged Pull Requests
|
|
37
|
+
- Update shell detect to work with platforms [#2712](https://github.com/chef/inspec/pull/2712) ([jquick](https://github.com/jquick))
|
|
38
|
+
<!-- latest_stable_release -->
|
|
39
|
+
|
|
18
40
|
## [v2.0.16](https://github.com/chef/inspec/tree/v2.0.16) (2018-02-20)
|
|
19
41
|
|
|
20
42
|
#### Merged Pull Requests
|
|
@@ -36,7 +58,6 @@
|
|
|
36
58
|
- HM website optimization [#2699](https://github.com/chef/inspec/pull/2699) ([hannah-radish](https://github.com/hannah-radish))
|
|
37
59
|
- move /tutorial to /demo [#2700](https://github.com/chef/inspec/pull/2700) ([arlimus](https://github.com/arlimus))
|
|
38
60
|
- HM Mobile IE [#2705](https://github.com/chef/inspec/pull/2705) ([hannah-radish](https://github.com/hannah-radish))
|
|
39
|
-
<!-- latest_stable_release -->
|
|
40
61
|
|
|
41
62
|
## [v1.51.18](https://github.com/chef/inspec/tree/v1.51.18) (2018-02-12)
|
|
42
63
|
|
data/MAINTAINERS.md
CHANGED
|
@@ -17,7 +17,7 @@ project lead.
|
|
|
17
17
|
## InSpec
|
|
18
18
|
|
|
19
19
|
Handles the [InSpec](https://github.com/chef/inspec) toolset.
|
|
20
|
-
|
|
20
|
+
|
|
21
21
|
To mention the team, use @chef/inspec-maintainers
|
|
22
22
|
|
|
23
23
|
### Lieutenant
|
|
@@ -29,3 +29,5 @@ To mention the team, use @chef/inspec-maintainers
|
|
|
29
29
|
* [Christoph Hartmann](https://github.com/chris-rock)
|
|
30
30
|
* [Adam Leff](https://github.com/adamleff)
|
|
31
31
|
* [Alex Pop](https://github.com/alexpop)
|
|
32
|
+
* [Jared Quick](https://github.com/jquick)
|
|
33
|
+
|
data/MAINTAINERS.toml
CHANGED
|
@@ -26,7 +26,8 @@ project lead.
|
|
|
26
26
|
maintainers = [
|
|
27
27
|
"chris-rock",
|
|
28
28
|
"adamleff",
|
|
29
|
-
"alexpop"
|
|
29
|
+
"alexpop",
|
|
30
|
+
"jquick"
|
|
30
31
|
]
|
|
31
32
|
|
|
32
33
|
[people]
|
|
@@ -45,3 +46,7 @@ project lead.
|
|
|
45
46
|
[people.alexpop]
|
|
46
47
|
Name = "Alex Pop"
|
|
47
48
|
GitHub = "alexpop"
|
|
49
|
+
|
|
50
|
+
[people.jquick]
|
|
51
|
+
Name = "Jared Quick"
|
|
52
|
+
GitHub = "jquick"
|
data/README.md
CHANGED
|
@@ -84,21 +84,20 @@ gem install inspec
|
|
|
84
84
|
|
|
85
85
|
### Usage via Docker
|
|
86
86
|
|
|
87
|
-
Download the image and define
|
|
87
|
+
Download the image and define a function for convenience:
|
|
88
88
|
|
|
89
89
|
```
|
|
90
90
|
docker pull chef/inspec
|
|
91
|
-
|
|
91
|
+
function inspec { docker run -it --rm -v $(pwd):/share chef/inspec $@; }
|
|
92
92
|
```
|
|
93
93
|
|
|
94
|
-
If you call inspec from
|
|
94
|
+
If you call `inspec` from your shell, it automatically mounts the current directory into the Docker container. Therefore you can easily use local tests and key files. Note: Only files in the current directory and sub-directories are available within the container.
|
|
95
95
|
|
|
96
96
|
```
|
|
97
97
|
$ ls -1
|
|
98
98
|
vagrant
|
|
99
99
|
test.rb
|
|
100
100
|
|
|
101
|
-
|
|
102
101
|
$ inspec exec test.rb -t ssh://root@192.168.64.2:11022 -i vagrant
|
|
103
102
|
..
|
|
104
103
|
|
data/Rakefile
CHANGED
|
@@ -95,9 +95,9 @@ namespace :test do
|
|
|
95
95
|
project_dir = File.dirname(__FILE__)
|
|
96
96
|
namespace :aws do
|
|
97
97
|
['default', 'minimal'].each do |account|
|
|
98
|
-
integration_dir = File.join(project_dir, 'test', 'aws', account)
|
|
98
|
+
integration_dir = File.join(project_dir, 'test', 'integration', 'aws', account)
|
|
99
99
|
attribute_file = File.join(integration_dir, '.attribute.yml')
|
|
100
|
-
|
|
100
|
+
|
|
101
101
|
task :"setup:#{account}", :tf_workspace do |t, args|
|
|
102
102
|
tf_workspace = args[:tf_workspace] || ENV['INSPEC_TERRAFORM_ENV']
|
|
103
103
|
abort("You must either call the top-level test:aws:#{account} task, or set the INSPEC_TERRAFORM_ENV variable.") unless tf_workspace
|
|
@@ -111,7 +111,7 @@ namespace :test do
|
|
|
111
111
|
sh("cd #{integration_dir}/build/ && AWS_PROFILE=inspec-aws-test-#{account} terraform apply")
|
|
112
112
|
Rake::Task["test:aws:dump_attrs:#{account}"].execute
|
|
113
113
|
end
|
|
114
|
-
|
|
114
|
+
|
|
115
115
|
task :"dump_attrs:#{account}" do
|
|
116
116
|
sh("cd #{integration_dir}/build/ && AWS_PROFILE=inspec-aws-test-#{account} terraform output > #{attribute_file}")
|
|
117
117
|
raw_output = File.read(attribute_file)
|
|
@@ -123,7 +123,7 @@ namespace :test do
|
|
|
123
123
|
puts "----> Run"
|
|
124
124
|
sh("bundle exec inspec exec #{integration_dir}/verify -t aws://${AWS_REGION}/inspec-aws-test-#{account} --attrs #{attribute_file}")
|
|
125
125
|
end
|
|
126
|
-
|
|
126
|
+
|
|
127
127
|
task :"cleanup:#{account}", :tf_workspace do |t, args|
|
|
128
128
|
tf_workspace = args[:tf_workspace] || ENV['INSPEC_TERRAFORM_ENV']
|
|
129
129
|
abort("You must either call the top-level test:aws:#{account} task, or set the INSPEC_TERRAFORM_ENV variable.") unless tf_workspace
|
|
@@ -132,7 +132,7 @@ namespace :test do
|
|
|
132
132
|
sh("cd #{integration_dir}/build/ && terraform workspace select default")
|
|
133
133
|
sh("cd #{integration_dir}/build && terraform workspace delete #{tf_workspace}")
|
|
134
134
|
end
|
|
135
|
-
|
|
135
|
+
|
|
136
136
|
task :"#{account}" do
|
|
137
137
|
tf_workspace = ENV['INSPEC_TERRAFORM_ENV'] || prompt("Please enter a workspace for your integration tests to run in: ")
|
|
138
138
|
begin
|
|
@@ -151,16 +151,17 @@ namespace :test do
|
|
|
151
151
|
|
|
152
152
|
namespace :azure do
|
|
153
153
|
# Specify the directory for the integration tests
|
|
154
|
-
integration_dir = 'test
|
|
155
|
-
|
|
154
|
+
integration_dir = File.join(project_dir, 'test', 'integration', 'azure')
|
|
155
|
+
attribute_file = File.join(integration_dir, '.attribute.yml')
|
|
156
156
|
|
|
157
|
-
task :
|
|
158
|
-
|
|
157
|
+
task :setup, :tf_workspace do |t, args|
|
|
158
|
+
tf_workspace = args[:tf_workspace] || ENV['INSPEC_TERRAFORM_ENV']
|
|
159
|
+
abort("You must either call the top-level test:azure task, or set the INSPEC_TERRAFORM_ENV variable.") unless tf_workspace
|
|
160
|
+
puts '----> Setup'
|
|
159
161
|
sh("cd #{integration_dir}/build/ && terraform init")
|
|
160
|
-
|
|
162
|
+
sh("cd #{integration_dir}/build/ && terraform workspace new #{tf_workspace}")
|
|
161
163
|
|
|
162
|
-
|
|
163
|
-
puts '----> Setup'
|
|
164
|
+
# Generate Azure crendentials
|
|
164
165
|
creds = Train.create('azure').connection.connect
|
|
165
166
|
|
|
166
167
|
# Determine the storage account name and the admin password
|
|
@@ -171,35 +172,72 @@ namespace :test do
|
|
|
171
172
|
suffix = sa_name[0..3]
|
|
172
173
|
|
|
173
174
|
# Create the plan that can be applied to Azure
|
|
174
|
-
cmd
|
|
175
|
+
cmd = ""
|
|
176
|
+
cmd += "cd #{integration_dir}/build/ && terraform plan -out inspec-azure.plan"
|
|
177
|
+
cmd += " -var 'subscription_id=#{creds[:subscription_id]}' "
|
|
178
|
+
cmd += " -var 'client_id=#{creds[:client_id]}' "
|
|
179
|
+
cmd += " -var 'client_secret=#{creds[:client_secret]}' "
|
|
180
|
+
cmd += " -var 'tenant_id=#{creds[:tenant_id]}' "
|
|
181
|
+
cmd += " -var 'storage_account_name=#{sa_name}' "
|
|
182
|
+
cmd += " -var 'admin_password=#{admin_password}' "
|
|
183
|
+
cmd += " -var 'suffix=#{suffix}' "
|
|
175
184
|
sh(cmd)
|
|
176
185
|
|
|
177
186
|
# Apply the plan on Azure
|
|
178
|
-
cmd =
|
|
187
|
+
cmd = "cd #{integration_dir}/build/ && terraform apply inspec-azure.plan"
|
|
179
188
|
sh(cmd)
|
|
189
|
+
|
|
190
|
+
# Dump TF outputs to InSpec attributes file
|
|
191
|
+
Rake::Task["test:azure:dump_attrs"].execute
|
|
180
192
|
end
|
|
181
193
|
|
|
182
|
-
task :
|
|
194
|
+
task :"dump_attrs" do
|
|
195
|
+
sh("cd #{integration_dir}/build/ && terraform output > #{attribute_file}")
|
|
196
|
+
raw_output = File.read(attribute_file)
|
|
197
|
+
yaml_output = raw_output.gsub(" = ", " : ")
|
|
198
|
+
File.open(attribute_file, "w") {|file| file.puts yaml_output}
|
|
199
|
+
end
|
|
200
|
+
|
|
201
|
+
task :run do
|
|
183
202
|
puts '----> Run'
|
|
184
203
|
sh("bundle exec inspec exec #{integration_dir}/verify -t azure://1e0b427a-d58b-494e-ae4f-ee558463ebbf")
|
|
185
204
|
end
|
|
186
205
|
|
|
187
|
-
task :
|
|
206
|
+
task :cleanup, :tf_workspace do |t, args|
|
|
207
|
+
tf_workspace = args[:tf_workspace] || ENV['INSPEC_TERRAFORM_ENV']
|
|
208
|
+
abort("You must either call the top-level test:azure task, or set the INSPEC_TERRAFORM_ENV variable.") unless tf_workspace
|
|
188
209
|
puts '----> Cleanup'
|
|
210
|
+
|
|
189
211
|
creds = Train.create('azure').connection.connect
|
|
190
212
|
|
|
191
|
-
cmd
|
|
213
|
+
cmd = ""
|
|
214
|
+
cmd += "cd #{integration_dir}/build/ && terraform destroy -force "
|
|
215
|
+
cmd += " -var 'subscription_id=#{creds[:subscription_id]}' "
|
|
216
|
+
cmd += " -var 'client_id=#{creds[:client_id]}' "
|
|
217
|
+
cmd += " -var 'client_secret=#{creds[:client_secret]}' "
|
|
218
|
+
cmd += " -var 'tenant_id=#{creds[:tenant_id]}' "
|
|
219
|
+
cmd += " -var 'storage_account_name=dummy' "
|
|
220
|
+
cmd += " -var 'admin_password=dummy' "
|
|
221
|
+
cmd += " -var 'suffix=dummy' "
|
|
222
|
+
|
|
192
223
|
sh(cmd)
|
|
224
|
+
|
|
225
|
+
sh("cd #{integration_dir}/build/ && terraform workspace select default")
|
|
226
|
+
sh("cd #{integration_dir}/build && terraform workspace delete #{tf_workspace}")
|
|
193
227
|
end
|
|
194
228
|
end
|
|
195
229
|
|
|
196
230
|
desc "Perform Azure Integration Tests"
|
|
197
231
|
task :azure do
|
|
198
|
-
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
202
|
-
|
|
232
|
+
tf_workspace = ENV['INSPEC_TERRAFORM_ENV'] || prompt("Please enter a workspace for your integration tests to run in: ")
|
|
233
|
+
begin
|
|
234
|
+
Rake::Task["test:azure:setup"].execute({:tf_workspace => tf_workspace})
|
|
235
|
+
Rake::Task["test:azure:run"].execute
|
|
236
|
+
rescue
|
|
237
|
+
abort("Integration testing has failed")
|
|
238
|
+
ensure
|
|
239
|
+
Rake::Task["test:azure:cleanup"].execute({:tf_workspace => tf_workspace})
|
|
240
|
+
end
|
|
203
241
|
end
|
|
204
242
|
end
|
|
205
243
|
|
data/docs/matchers.md
CHANGED
|
@@ -1,18 +1,21 @@
|
|
|
1
1
|
---
|
|
2
|
-
title: InSpec Matchers Reference
|
|
2
|
+
title: InSpec Universal Matchers Reference
|
|
3
3
|
---
|
|
4
4
|
|
|
5
|
-
# InSpec Matchers Reference
|
|
5
|
+
# InSpec Universal Matchers Reference
|
|
6
6
|
|
|
7
|
-
|
|
8
|
-
The following matchers are available:
|
|
7
|
+
InSpec uses matchers to help compare resource values to expectations. Matchers may be dedicated to a specific resource (such as the `aws_iam_root_user` resource's [`have_mfa_enabled`](https://www.inspec.io/docs/reference/resources/aws_iam_root_user/#have_mfa_enabled) matcher). If a matcher may be used on any resource type, it is _universal_.
|
|
9
8
|
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
* `
|
|
15
|
-
* `
|
|
9
|
+
You may also use any matcher provided by [RSpec::Expectations](https://relishapp.com/rspec/rspec-expectations/docs), but those matchers are outside of InSpec's [scope of support](https://www.inspec.io/docs/reference/inspec_and_friends/#rspec).
|
|
10
|
+
|
|
11
|
+
The following InSpec-supported universal matchers are available:
|
|
12
|
+
|
|
13
|
+
* [`be`](#be) - make numeric comparisons
|
|
14
|
+
* [`be_in`](#be_in) - look for the property value in a list
|
|
15
|
+
* [`cmp`](#cmp) - general-use equality (try this first)
|
|
16
|
+
* [`eq`](#eq) - type-specific equality
|
|
17
|
+
* [`include`](#include) - look for an expected value in a list-valued property
|
|
18
|
+
* [`match`](#match) - look for patterns in text using regular expressions
|
|
16
19
|
|
|
17
20
|
<br>
|
|
18
21
|
|
|
@@ -32,7 +35,7 @@ end
|
|
|
32
35
|
|
|
33
36
|
## cmp
|
|
34
37
|
|
|
35
|
-
Unlike `eq`, cmp is a matcher for less-restrictive comparisons. It will
|
|
38
|
+
Unlike `eq`, `cmp` is a matcher for less-restrictive comparisons. It will
|
|
36
39
|
try to fit the actual value to the type you are comparing it to. This is
|
|
37
40
|
meant to relieve the user from having to write type-casts and
|
|
38
41
|
resolutions.
|
|
@@ -116,7 +119,7 @@ describe sshd_config do
|
|
|
116
119
|
end
|
|
117
120
|
```
|
|
118
121
|
|
|
119
|
-
|
|
122
|
+
`eq` fails if types don't match. Please keep this in mind, when comparing
|
|
120
123
|
configuration entries that are numbers:
|
|
121
124
|
|
|
122
125
|
```ruby
|
|
@@ -68,9 +68,9 @@ The where accessor can be used to filter on fields. For example:
|
|
|
68
68
|
|
|
69
69
|
The key filter may be useful in evaluating rules with particular key values:
|
|
70
70
|
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
71
|
+
describe auditd.where { key == "privileged" } do
|
|
72
|
+
its('permissions') { should include ['x'] }
|
|
73
|
+
end
|
|
74
74
|
|
|
75
75
|
<br>
|
|
76
76
|
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: About the aws_config_recorder Resource
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
# aws\_config\_recorder
|
|
6
|
+
|
|
7
|
+
Use the `aws_config_recorder` InSpec audit resource to test properties of your AWS Config Service.
|
|
8
|
+
|
|
9
|
+
The AWS Config service can monitor and record changes to your AWS resource configurations. The Aws Config Recorder is used to detect changes in resource configurations and capture these changes as configuration items.
|
|
10
|
+
|
|
11
|
+
<br>
|
|
12
|
+
|
|
13
|
+
## Syntax
|
|
14
|
+
|
|
15
|
+
An `aws_config_recorder` resource block declares the tests for a single AWS configuration recorder.
|
|
16
|
+
|
|
17
|
+
describe aws_config_recorder('my_recorder') do
|
|
18
|
+
it { should exist }
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
describe aws_config_recorder(recorder_name: 'my-recorder') do
|
|
22
|
+
it { should exist }
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
<br>
|
|
26
|
+
|
|
27
|
+
## Examples
|
|
28
|
+
|
|
29
|
+
The following examples show how to use this InSpec audit resource.
|
|
30
|
+
|
|
31
|
+
### Test if the recorder is active and recording.
|
|
32
|
+
|
|
33
|
+
describe aws_config_recorder(recorder_name: 'my-recorder') do
|
|
34
|
+
it { should be_recording }
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
## Properties
|
|
38
|
+
|
|
39
|
+
### role\_arn
|
|
40
|
+
|
|
41
|
+
Provides the IAM role arn associated with the configuration recorder. The role is used to grant permissions to S3 Buckets, SNS topics and to get configuration details for supported AWS resources.
|
|
42
|
+
|
|
43
|
+
describe aws_config_recorder(username: 'bob')
|
|
44
|
+
its('role_arn') { should eq 'arn:aws:iam::721741954427:role/My_Recorder' }
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
### resource\_types
|
|
48
|
+
|
|
49
|
+
Provides a list of AWS resource types for which the AWS Config records configuration will change. Note that if be_recording_all_resource_types is true than this property is meaningless and will return and empty array.
|
|
50
|
+
|
|
51
|
+
describe aws_config_recorder(username: 'bob')
|
|
52
|
+
its('resource_types') { should include 'AWS::EC2::CustomerGateway' }
|
|
53
|
+
its('resource_types') { should include 'AWS::EC2::EIP' }
|
|
54
|
+
end
|
|
55
|
+
|
|
56
|
+
<br>
|
|
57
|
+
|
|
58
|
+
## Matchers
|
|
59
|
+
|
|
60
|
+
### be\_recording\_all\_resource\_types
|
|
61
|
+
|
|
62
|
+
Indicates if the ConfigurationRecorder will record changes for all resources, regardless of type. If this is true, resource_types is ignored.
|
|
63
|
+
|
|
64
|
+
it { should be_all_supported }
|
|
65
|
+
|
|
66
|
+
### be\_recording\_all\_global\_types
|
|
67
|
+
|
|
68
|
+
Indicates whether the ConfigurationRecorder will record changes for global resource types (such as IAM Users).
|
|
69
|
+
|
|
70
|
+
it { should be_recording_all_global_types }
|
|
71
|
+
|
|
@@ -65,7 +65,7 @@ This InSpec audit resource has the following special matchers. For a full list o
|
|
|
65
65
|
|
|
66
66
|
### be\_pending
|
|
67
67
|
|
|
68
|
-
The `
|
|
68
|
+
The `be_pending` matcher tests if the described EC2 instance state is `pending`. This indicates that an instance is provisioning. This state should be temporary.
|
|
69
69
|
|
|
70
70
|
it { should be_pending }
|
|
71
71
|
|
|
@@ -7,9 +7,9 @@ platform: aws
|
|
|
7
7
|
|
|
8
8
|
Use the `aws_iam_policy` InSpec audit resource to test properties of a single managed AWS IAM Policy.
|
|
9
9
|
|
|
10
|
-
A policy is an entity in AWS that, when attached to an identity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine if the request is allowed or denied.
|
|
10
|
+
A policy is an entity in AWS that, when attached to an identity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine if the request is allowed or denied.
|
|
11
11
|
|
|
12
|
-
Each IAM Policy is uniquely identified by either its
|
|
12
|
+
Each IAM Policy is uniquely identified by either its policy\_name or arn.
|
|
13
13
|
|
|
14
14
|
<br>
|
|
15
15
|
|
|
@@ -142,5 +142,3 @@ The test will pass if the identified policy attached the specified role.
|
|
|
142
142
|
describe aws_iam_policy('AWSSupportAccess') do
|
|
143
143
|
it { should be_attached_to_role(ROLENAME) }
|
|
144
144
|
end
|
|
145
|
-
|
|
146
|
-
|
|
@@ -11,10 +11,10 @@ Use the `aws_iam_role` InSpec audit resource to test properties of a single IAM
|
|
|
11
11
|
|
|
12
12
|
## Syntax
|
|
13
13
|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
14
|
+
# Ensure that a certain role exists by name
|
|
15
|
+
describe aws_iam_role('my-role') do
|
|
16
|
+
it { should exist }
|
|
17
|
+
end
|
|
18
18
|
|
|
19
19
|
<br>
|
|
20
20
|
|
|
@@ -24,13 +24,13 @@ Use the `aws_iam_role` InSpec audit resource to test properties of a single IAM
|
|
|
24
24
|
|
|
25
25
|
This resource expects a single parameter that uniquely identifies the IAM Role, the Role Name. You may pass it as a string, or as the value in a hash:
|
|
26
26
|
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
27
|
+
describe aws_iam_role('my-role') do
|
|
28
|
+
it { should exist }
|
|
29
|
+
end
|
|
30
|
+
# Same
|
|
31
|
+
describe aws_iam_role(role_name: 'my-role') do
|
|
32
|
+
it { should exist }
|
|
33
|
+
end
|
|
34
34
|
|
|
35
35
|
<br>
|
|
36
36
|
|
|
@@ -52,7 +52,7 @@ This InSpec audit resource has the following special matchers. For a full list o
|
|
|
52
52
|
|
|
53
53
|
### exist
|
|
54
54
|
|
|
55
|
-
Indicates that the Role Name provided was found. Use should_not to test for IAM Roles that should not exist.
|
|
55
|
+
Indicates that the Role Name provided was found. Use `should_not` to test for IAM Roles that should not exist.
|
|
56
56
|
|
|
57
57
|
describe aws_iam_role('should-be-there') do
|
|
58
58
|
it { should exist }
|
|
@@ -61,5 +61,3 @@ Indicates that the Role Name provided was found. Use should_not to test for IAM
|
|
|
61
61
|
describe aws_iam_role('should-not-be-there') do
|
|
62
62
|
it { should_not exist }
|
|
63
63
|
end
|
|
64
|
-
|
|
65
|
-
|
|
@@ -11,10 +11,10 @@ Use the `aws_route_table` InSpec audit resource to test properties of a single R
|
|
|
11
11
|
|
|
12
12
|
## Syntax
|
|
13
13
|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
14
|
+
# Ensure that a certain route table exists by name
|
|
15
|
+
describe aws_route_table('rtb-123abcde') do
|
|
16
|
+
it { should exist }
|
|
17
|
+
end
|
|
18
18
|
|
|
19
19
|
## Resource Parameters
|
|
20
20
|
|
|
@@ -22,13 +22,13 @@ Use the `aws_route_table` InSpec audit resource to test properties of a single R
|
|
|
22
22
|
|
|
23
23
|
This resource expects a single parameter that uniquely identifies the Route Table. You may pass it as a string, or as the value in a hash:
|
|
24
24
|
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
25
|
+
describe aws_route_table('rtb-123abcde') do
|
|
26
|
+
it { should exist }
|
|
27
|
+
end
|
|
28
|
+
# Same
|
|
29
|
+
describe aws_route_table(route_table_id: 'rtb-123abcde') do
|
|
30
|
+
it { should exist }
|
|
31
|
+
end
|
|
32
32
|
|
|
33
33
|
## Matchers
|
|
34
34
|
|
|
@@ -36,7 +36,7 @@ For a full list of available matchers, please visit our [matchers page](https://
|
|
|
36
36
|
|
|
37
37
|
### exist
|
|
38
38
|
|
|
39
|
-
Indicates that the Route Table provided was found. Use should_not to test for Route Tables that should not exist.
|
|
39
|
+
Indicates that the Route Table provided was found. Use `should_not` to test for Route Tables that should not exist.
|
|
40
40
|
|
|
41
41
|
describe aws_route_table('should-be-there') do
|
|
42
42
|
it { should exist }
|
|
@@ -44,7 +44,7 @@ This InSpec resource accepts the following parameters, which are used to search
|
|
|
44
44
|
|
|
45
45
|
The Security Group ID of the Security Group. This is of the format `sg-` followed by 8 hexadecimal characters. The ID is unique within your AWS account; using ID ensures that you will never match more than one SG. The ID is also the default resource parameter, so you may omit the hash syntax.
|
|
46
46
|
|
|
47
|
-
# Using Hash syntax
|
|
47
|
+
# Using Hash syntax
|
|
48
48
|
describe aws_security_group(id: 'sg-12345678') do
|
|
49
49
|
it { should exist }
|
|
50
50
|
end
|
|
@@ -79,7 +79,7 @@ A string identifying the VPC that contains the security group. Since VPCs common
|
|
|
79
79
|
|
|
80
80
|
# This will error if there is more than the default SG
|
|
81
81
|
describe aws_security_group(vpc_id: 'vpc-12345678') do
|
|
82
|
-
it { should exist }
|
|
82
|
+
it { should exist }
|
|
83
83
|
end
|
|
84
84
|
|
|
85
85
|
<br>
|
|
@@ -138,15 +138,14 @@ This InSpec audit resource has the following special matchers. For a full list o
|
|
|
138
138
|
|
|
139
139
|
### exists
|
|
140
140
|
|
|
141
|
-
The control will pass if the specified SG was found. Use should_not if you want to verify that the specified SG does not exist.
|
|
141
|
+
The control will pass if the specified SG was found. Use `should_not` if you want to verify that the specified SG does not exist.
|
|
142
142
|
|
|
143
143
|
# You will always have at least one SG, the VPC default SG
|
|
144
144
|
describe aws_security_group(group_name: 'default')
|
|
145
145
|
it { should exist }
|
|
146
|
-
end
|
|
146
|
+
end
|
|
147
147
|
|
|
148
148
|
# Make sure we don't have any security groups with the name 'nogood'
|
|
149
149
|
describe aws_security_group(group_name: 'nogood')
|
|
150
150
|
it { should_not exist }
|
|
151
|
-
end
|
|
152
|
-
|
|
151
|
+
end
|
|
@@ -54,7 +54,7 @@ A string identifying a group. Since groups are contained in VPCs, group names ar
|
|
|
54
54
|
|
|
55
55
|
## Properties
|
|
56
56
|
|
|
57
|
-
* `entries`, `
|
|
57
|
+
* `entries`, `group_ids`
|
|
58
58
|
|
|
59
59
|
<br>
|
|
60
60
|
|
|
@@ -88,5 +88,4 @@ The control will pass if the filter returns at least one result. Use `should_not
|
|
|
88
88
|
# You will always have at least one SG, the VPC default SG
|
|
89
89
|
describe aws_security_groups
|
|
90
90
|
it { should exist }
|
|
91
|
-
end
|
|
92
|
-
|
|
91
|
+
end
|
|
@@ -10,16 +10,16 @@ Use the `aws_sns_topic` InSpec audit resource to test properties of a single AWS
|
|
|
10
10
|
|
|
11
11
|
## Syntax
|
|
12
12
|
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
13
|
+
# Ensure that a topic exists and has at least one subscription
|
|
14
|
+
describe aws_sns_topic('arn:aws:sns:*::my-topic-name') do
|
|
15
|
+
it { should exist }
|
|
16
|
+
its('confirmed_subscription_count') { should_not be_zero }
|
|
17
|
+
end
|
|
18
18
|
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
19
|
+
# You may also use has syntax to pass the ARN
|
|
20
|
+
describe aws_sns_topic(arn: 'arn:aws:sns:*::my-topic-name') do
|
|
21
|
+
it { should exist }
|
|
22
|
+
end
|
|
23
23
|
|
|
24
24
|
## Resource Parameters
|
|
25
25
|
|
|
@@ -27,7 +27,7 @@ Use the `aws_sns_topic` InSpec audit resource to test properties of a single AWS
|
|
|
27
27
|
|
|
28
28
|
This resource expects a single parameter that uniquely identifes the SNS Topic, an ARN. Amazon Resource Names for SNS topics have the format `arn:aws:sns:region:account-id:topicname`. AWS requires a fully-specified ARN for looking up an SNS topic. The account ID and region are required. Wildcards are not permitted.
|
|
29
29
|
|
|
30
|
-
See also the
|
|
30
|
+
See also the [AWS documentation on ARNs](http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html).
|
|
31
31
|
|
|
32
32
|
<br>
|
|
33
33
|
|
|
@@ -50,7 +50,7 @@ This InSpec audit resource has the following special matchers. For a full list o
|
|
|
50
50
|
|
|
51
51
|
### exist
|
|
52
52
|
|
|
53
|
-
Indicates that the ARN provided was found. Use should_not to test for SNS topics that should not exist.
|
|
53
|
+
Indicates that the ARN provided was found. Use `should_not` to test for SNS topics that should not exist.
|
|
54
54
|
|
|
55
55
|
# Expect good news
|
|
56
56
|
describe aws_sns_topic('arn:aws:sns:*::good-news') do
|
|
@@ -60,4 +60,4 @@ Indicates that the ARN provided was found. Use should_not to test for SNS topic
|
|
|
60
60
|
# No bad news allowed
|
|
61
61
|
describe aws_sns_topic('arn:aws:sns:*::bad-news') do
|
|
62
62
|
it { should_not exist }
|
|
63
|
-
end
|
|
63
|
+
end
|