inspec 3.9.3 → 4.1.4.preview
- checksums.yaml +5 -5
- data/Gemfile +2 -7
- data/README.md +1 -2
- data/etc/deprecations.json +88 -6
- data/inspec.gemspec +4 -2
- data/lib/inspec/base_cli.rb +5 -5
- data/lib/inspec/cli.rb +39 -9
- data/lib/inspec/config.rb +2 -2
- data/lib/inspec/metadata.rb +3 -5
- data/lib/inspec/plugin/v1/plugin_types/resource.rb +4 -1
- data/lib/inspec/ui.rb +1 -0
- data/lib/inspec/version.rb +1 -6
- data/lib/matchers/matchers.rb +1 -0
- data/lib/plugins/inspec-init/templates/profiles/aws/README.md +164 -26
- data/lib/plugins/inspec-init/templates/profiles/aws/controls/example.rb +18 -4
- data/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml +10 -4
- data/lib/resource_support/aws.rb +17 -1
- data/lib/resources/apache.rb +1 -1
- data/lib/resources/apt.rb +1 -3
- data/lib/resources/aws/aws_iam_user.rb +3 -3
- data/lib/resources/azure/azure_generic_resource.rb +1 -1
- data/lib/resources/file.rb +34 -1
- data/lib/resources/filesystem.rb +1 -1
- data/lib/resources/host.rb +2 -2
- data/lib/resources/iis_site.rb +1 -1
- data/lib/resources/interface.rb +75 -1
- data/lib/resources/kernel_parameter.rb +2 -7
- data/lib/resources/mssql_session.rb +1 -1
- data/lib/resources/oracledb_session.rb +1 -1
- data/lib/resources/powershell.rb +1 -5
- data/lib/resources/processes.rb +1 -1
- data/lib/resources/registry_key.rb +1 -7
- data/lib/resources/shadow.rb +5 -10
- data/lib/resources/users.rb +6 -10
- data/lib/resources/wmi.rb +1 -2
- data/lib/utils/deprecation/deprecator.rb +9 -8
- data/lib/utils/deprecation/global_method.rb +1 -1
- data/lib/utils/parser.rb +1 -1
- metadata +37 -14
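--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-
-metadata.gz:
-data.tar.gz:
+SHA1:
+metadata.gz: 7dd53f745c6f68b24d0b987f09258c973a6d4579
+data.tar.gz: f9b791e75517949b5007d0d6904c7d70752103b6
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bcfdc38552520f03dcb738e3273d8cbee50ea35bb33d6f5f0e4bde0fae9b2b3b1dd36369b88a754fea078ddf23073400a81a914bb54468b0d573f5f471bec1e5
+data.tar.gz: 1ee7fdfc45f33bcbf182da86da273e2634825da4b6a218750ddbf77dfc150eb5f70484df22e524dead114dc8d4656784e00f402cdb49ebb8b2ce0c646bea6d58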
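--- a/data/Gemfile
+++ b/data/Gemfile
@@ -4,12 +4,10 @@ source 'https://rubygems.org'
 gem 'inspec', path: '.'
 
 gem 'ffi', '>= 1.9.14'
-gem 'aws-sdk', '~> 2'
 
 group :omnibus do
 gem 'rb-readline'
 gem 'appbundler'
-gem 'unf_ext', git: 'https://github.com/chef/ruby-unf_ext.git', ref: '55d872fb15f3a26e4ee8f8dbe7ba859c80d40383'
 end
 
 group :test do
@@ -20,7 +18,7 @@ group :test do
 gem 'concurrent-ruby', '~> 1.0'
 gem 'mocha', '~> 1.1'
 gem 'ruby-progressbar', '~> 1.8'
-gem 'webmock', '~>
+gem 'webmock', '~> 3.0'
 gem 'jsonschema', '~> 2.0.2'
 gem 'passgen'
 gem 'm'
@@ -28,10 +26,7 @@ group :test do
 end
 
 group :integration do
-
-if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('2.4')
-gem 'berkshelf', '~> 7'
-end
+gem 'berkshelf', '~> 7'
 gem 'test-kitchen', '>= 1.24'
 gem 'kitchen-vagrant'
 # we need winrm v2 support >= 0.15.1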
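--- a/data/README.md
+++ b/data/README.md
@@ -46,7 +46,7 @@ inspec exec test.rb -t docker://container_id
 
 ## Installation
 
-InSpec requires Ruby (
+InSpec requires Ruby ( >= 2.4 ).
 
 ### Install as package
 
@@ -454,4 +454,3 @@ distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-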
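--- a/data/etc/deprecations.json
+++ b/data/etc/deprecations.json
@@ -6,24 +6,106 @@
 "action": "ignore",
 "prefix": "The 'default' option for attributes is being replaced by 'value' - please use it instead."
 },
+"aws_resources_in_resource_pack": {
+"comment": "See #3822",
+"action": "ignore",
+"prefix": "AWS resources shipped with core InSpec are being to moved to a resource pack for faster iteration. Please update your profiles to depend on git@github.com:inspec/inspec-aws.git ."
+},
 "cli_option_json_config": {
 "action": "ignore",
 "prefix": "The --json-config option is being replaced by the --config option.",
 "comment": "See #3661"
 },
-"
+"file_resource_be_mounted_matchers": {
+"action": "warn",
+"suffix": "This will not be supported in InSpec 4.0."
+},
+"host_resource_proto_usage": {
+"action": "warn",
+"suffix": "This will not be supported in InSpec 4.0."
+},
+"inspec_ui_methods": {
+"action": "ignore",
+"suffix": "Please call `cli.ui` directly",
+"comment": "See #3715"
+},
+"mssql_session_pass_option": {
+"action": "warn",
+"suffix": "This will not be supported in InSpec 4.0."
+},
+"oracledb_session_pass_option": {
+"action": "warn",
+"suffix": "This will not be supported in InSpec 4.0."
+},
+"property_filesystem_size": {
 "action": "ignore",
 "comment": "See #3778"
 },
+"property_processes_list": {
+"action": "warn",
+"suffix": "This property will be removed in InSpec 4.0."
+},
+"properties_aws_iam_user": {
+"action": "warn",
+"suffix": "This property will be removed in InSpec 4.0."
+},
+"properties_shadow": {
+"action": "warn",
+"suffix": "This property will be removed in InSpec 4.0."
+},
 "rename_attributes_to_inputs": {
 "action": "ignore",
 "prefix": "InSpec Attributes are being renamed to InSpec Inputs to avoid confusion with Chef Attributes.",
 "comment": "See #3802"
 },
-"
-"
-"
-
+"resource_apache": {
+"action": "warn",
+"suffix": "This resource will be removed in InSpec 4.0."
+},
+"resource_azure_generic_resource": {
+"action": "warn",
+"prefix": "The azure_generic_resource is deprecated. Please use a specific resource. See: 'https://github.com/inspec/inspec/issues/3131'"
+},
+"resource_iis_website": {
+"action": "warn",
+"suffix": "This resource will be removed in InSpec 4.0.",
+"comment": "Needed for ServerSpec compatibility"
+},
+"resource_linux_kernel_parameter": {
+"action": "warn",
+"suffix": "This resource will be removed in InSpec 4.0.",
+"comment": "Needed for ServerSpec compatibility"
+},
+"resource_ppa": {
+"action": "warn",
+"suffix": "This resource will be removed in InSpec 4.0.",
+"comment": "Needed for ServerSpec compatibility"
+},
+"resource_script": {
+"action": "warn",
+"suffix": "This resource will be removed in InSpec 4.0"
+},
+"resource_user_serverspec_compat": {
+"action": "warn"
+},
+"resource_windows_registry_key": {
+"action": "warn",
+"suffix": "This resource will be removed in InSpec 4.0.",
+"comment": "Needed for ServerSpec compatibility"
+},
+"serverspec_compatibility": {
+"action": "warn",
+"suffix": "This is only allowed for compatibility with ServerSpec"
+},
+"supports_syntax": {
+"action": "warn"
+},
+"mount_parser_serverspec_compat": {
+"action": "warn"
+},
+"wmi_non_hash_usage": {
+"action": "warn",
+"suffix": "This property will be removed in InSpec 4.0."
 }
 }
-}
+}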
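Review bot: The `prefix` added for `aws_resources_in_resource_pack` contains a typo, "are being to moved to a resource pack"; since this string is emitted to users once the group is no longer ignored, it should read `are being moved to a resource pack`. Many of the new `suffix` strings say "will be removed in InSpec 4.0" or "will not be supported in InSpec 4.0" although the package under review is already 4.1.4.preview, so the wording is out of date as shipped. `resource_user_serverspec_compat` and `mount_parser_serverspec_compat` define only an `action`; their call sites are not visible here, so it is worth confirming each one passes its own message.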
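--- a/data/inspec.gemspec
+++ b/data/inspec.gemspec
@@ -23,13 +23,15 @@ Gem::Specification.new do |spec|
 .reject { |f| File.directory?(f) || f =~ %r{lib/plugins/.*/test/} }
 spec.require_paths = ['lib']
 
-spec.required_ruby_version = '>= 2.
+spec.required_ruby_version = '>= 2.4'
 
-spec.add_dependency 'train', '~>
+spec.add_dependency 'train', '~> 2.0' # Inspec 4 must have train 2+
 # Train plugins we ship with InSpec
 spec.add_dependency 'train-habitat', '~> 0.1'
+spec.add_dependency 'train-aws', '~> 0.1'
 
 # Implementation dependencies
+spec.add_dependency 'license-acceptance', '~> 0.2'
 spec.add_dependency 'thor', '~> 0.20'
 spec.add_dependency 'json', '>= 1.8', '< 3.0'
 spec.add_dependency 'method_source', '~> 0.8'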
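Review bot: The two runtime dependencies added here, `train-aws` (`'~> 0.1'`) and `license-acceptance` (`'~> 0.2'`), use two-segment pessimistic constraints, which RubyGems resolves to any release below 1.0; for 0.x gems that range can include incompatible releases. `license-acceptance` is loaded at CLI start-up (see the `cli.rb` section), so an unexpected newer 0.x release would affect every command. Consider an explicit upper bound such as `spec.add_dependency 'license-acceptance', '~> 0.2', '< 0.3'`, or a trailing comment stating that the wide range is intended, as the `train` line does. The `Gem::Specification` block continues outside the hunk.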
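--- a/data/lib/inspec/base_cli.rb
+++ b/data/lib/inspec/base_cli.rb
@@ -164,28 +164,28 @@ module Inspec
 end
 
 def mark_text(text)
-
+Inspec.deprecate(:inspec_ui_methods)
 # Note that this one doesn't automatically print
 ui.emphasis(text, print: false)
 end
 
 def headline(title)
-
+Inspec.deprecate(:inspec_ui_methods)
 ui.headline(title)
 end
 
 def li(entry)
-
+Inspec.deprecate(:inspec_ui_methods)
 ui.list_item(entry)
 end
 
 def plain_text(msg)
-
+Inspec.deprecate(:inspec_ui_methods)
 ui.plain(msg + "\n")
 end
 
 def exit(code)
-
+Inspec.deprecate(:inspec_ui_methods)
 ui.exit code
 end
 end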
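Review bot: In `exit(code)` the added `Inspec.deprecate(:inspec_ui_methods)` runs before `ui.exit code`, so the exit status a caller asked for now depends on how that deprecation group is configured. The group is `ignore` in `deprecations.json` on this page, but if it were raised to a failing action the process would presumably end with the deprecation status (the CLI help lists `3 Fatal deprecation encountered`) instead of `code`. A short comment above these five shims would record that, for example `# Deprecated shim, delegates to cli.ui; the deprecation action must stay non-fatal or exit codes change`. The enclosing class or module starts outside the hunk.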
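--- a/data/lib/inspec/cli.rb
+++ b/data/lib/inspec/cli.rb
@@ -39,6 +39,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 class_option :disable_user_plugins, type: :string, banner: '',
 desc: 'Disable loading all plugins that the user installed.'
 
+require 'license_acceptance/cli_flags/thor'
+include LicenseAcceptance::CLIFlags::Thor
+
 desc 'json PATH', 'read all tests in PATH and generate a JSON summary'
 option :output, aliases: :o, type: :string,
 desc: 'Save the created profile to a path'
@@ -196,6 +199,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 3 Fatal deprecation encountered
 100 Normal exit, at least one test failed
 101 Normal exit, at least one test skipped but none failed
+172 Chef License not accepted
 ```
 
 Below are some examples of using `exec` with different test LOCATIONS:
@@ -373,18 +377,44 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 end
 end
 
+#=====================================================================#
+# Pre-Flight Code
+#=====================================================================#
+
+help_commands = ['-h', '--help', 'help']
+version_commands = ['-v', '--version', 'version']
+commands_exempt_from_license_check = help_commands + version_commands
+
+#---------------------------------------------------------------------#
+# EULA acceptance
+#---------------------------------------------------------------------#
+require 'license_acceptance/acceptor'
 begin
-#
-
-
-(help_commands & ARGV).each do |cmd|
-# move the help argument to one place behind the end for Thor to digest
-if ARGV.size > 1
-match = ARGV.delete(cmd)
-ARGV.insert(-2, match)
-end
+if (commands_exempt_from_license_check & ARGV.map(&:downcase)).empty? && # Did they use a non-exempt command?
+!ARGV.empty? # Did they supply at least one command?
+LicenseAcceptance::Acceptor.check_and_persist('inspec', Inspec::VERSION)
 end
+rescue LicenseAcceptance::LicenseNotAcceptedError
+Inspec::Log.error 'InSpec cannot execute without accepting the license'
+Inspec::UI.new.exit(:license_not_accepted)
+end
 
+#---------------------------------------------------------------------#
+# Adjustments for help handling
+# This allows you to use any of the normal help commands after the normal args.
+#---------------------------------------------------------------------#
+(help_commands & ARGV).each do |cmd|
+# move the help argument to one place behind the end for Thor to digest
+if ARGV.size > 1
+match = ARGV.delete(cmd)
+ARGV.insert(-2, match)
+end
+end
+
+#---------------------------------------------------------------------#
+# Plugin Loading
+#---------------------------------------------------------------------#
+begin
 # Load v2 plugins. Manually check for plugin disablement.
 omit_core = ARGV.delete('--disable-core-plugins')
 omit_user = ARGV.delete('--disable-user-plugins')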
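Review bot: The exemption test in the third hunk intersects the exempt words with every element of `ARGV.map(&:downcase)`, so whether the license check runs depends on any argument value, not only on the command: a bare `help` or `version` appearing as a path or option value counts as exempt. It is also case-insensitive, while the help reordering a few lines below uses `help_commands & ARGV` without downcasing, so the two blocks disagree on inputs such as `--HELP`. Matching flags anywhere but bare words only in command position would tie the exemption to what the user actually invoked, something like `exempt = (%w[-h --help -v --version] & ARGV).any? || %w[help version].include?(ARGV.first.to_s.downcase)`. Only `LicenseNotAcceptedError` is rescued; whether `check_and_persist` can raise anything else (for example when the acceptance cannot be persisted) is not visible here and is worth confirming.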
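--- a/data/lib/inspec/config.rb
+++ b/data/lib/inspec/config.rb
@@ -197,7 +197,7 @@ module Inspec
 
 def check_for_piped_config(cli_opts)
 cli_opt = cli_opts[:config] || cli_opts[:json_config]
-Inspec.deprecate(:cli_option_json_config
+Inspec.deprecate(:cli_option_json_config) if cli_opts.key?(:json_config)
 
 return nil unless cli_opt
 return nil unless cli_opt == '-'
@@ -209,7 +209,7 @@ module Inspec
 
 def determine_cfg_path(cli_opts)
 path = cli_opts[:config] || cli_opts[:json_config]
-Inspec.deprecate(:cli_option_json_config
+Inspec.deprecate(:cli_option_json_config) if cli_opts.key?(:json_config)
 
 return nil unless cli_opt
 if path.nil?
 default_path = File.join(Inspec.config_dir, 'config.json')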
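Review bot: `cli_opts.key?(:json_config)` in `check_for_piped_config` is true whenever the key is present, including with a `nil` value, whereas the line above it decides on the value via `cli_opts[:json_config]`; if the caller ever populates the key without the option being given, the deprecation fires for users who never used `--json-config`. Testing the value keeps the two lines aligned: `Inspec.deprecate(:cli_option_json_config) if cli_opts[:json_config]`. The identical line is added to `determine_cfg_path`, so a run that goes through both methods reports the deprecation twice unless the deprecator de-duplicates. Both method bodies continue outside their hunks.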
data/lib/inspec/metadata.rb
CHANGED
@@ -149,11 +149,9 @@ module Inspec
|
|
149
149
|
nil
|
150
150
|
when nil then nil
|
151
151
|
else
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
"supports:\n - os-family: #{x}\n\n",
|
156
|
-
)
|
152
|
+
Inspec.deprecate(:supports_syntax,
|
153
|
+
"Do not use deprecated `supports: #{x}` syntax. Instead use:\n"\
|
154
|
+
"supports:\n - os-family: #{x}\n\n")
|
157
155
|
{ :'os-family' => x } # rubocop:disable Style/HashSyntax
|
158
156
|
end
|
159
157
|
end
|
@@ -147,7 +147,10 @@ module Inspec
|
|
147
147
|
end
|
148
148
|
|
149
149
|
# rubocop:enable Lint/NestedMethodDefinition
|
150
|
-
|
150
|
+
|
151
|
+
# Warn if a resource pack is overwriting a core resource.
|
152
|
+
# Suppress warning if the resource is an AWS resource, see #3822
|
153
|
+
if __resource_registry.key?(name) && !name.start_with?('aws_')
|
151
154
|
Inspec::Log.warn("Overwriting resource #{name}. To reference a specific version of #{name} use the resource() method")
|
152
155
|
end
|
153
156
|
__resource_registry[name] = cl
|
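Review bot: The second hunk in this section (`@@ -147,7 +147,10 @@`, which by the file list appears to belong to `plugin_types/resource.rb` rather than `metadata.rb`) suppresses the "Overwriting resource" warning for every name that starts with `aws_`, regardless of which pack registers it. That warning is the only signal visible here that a profile dependency has replaced a core resource, so after this change any resource pack, not only inspec-aws, can replace a core `aws_*` resource without leaving a log line. Keeping a lower-severity record for the suppressed case would preserve the audit trail, e.g. `Inspec::Log.debug("Overwriting core resource #{name}") if name.start_with?('aws_')`. `name.start_with?` also assumes `name` is a String, which cannot be confirmed because the enclosing method starts outside the hunk.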
data/lib/inspec/ui.rb
CHANGED
data/lib/inspec/version.rb
CHANGED
data/lib/matchers/matchers.rb
CHANGED
@@ -107,6 +107,7 @@ end
|
|
107
107
|
# Deprecated: You should not use this matcher anymore
|
108
108
|
RSpec::Matchers.define :be_running do
|
109
109
|
match do |service|
|
110
|
+
Inspec.deprecate(:serverspec_compatibility, 'The service `be_running?` matcher is deprecated.')
|
110
111
|
service.running? == true
|
111
112
|
end
|
112
113
|
|
@@ -5,50 +5,188 @@ This example shows the implementation of an InSpec profile for AWS.
|
|
5
5
|
## Create a profile
|
6
6
|
|
7
7
|
```
|
8
|
-
$ inspec init profile --platform aws
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
8
|
+
$ inspec init profile --platform aws my-profile
|
9
|
+
|
10
|
+
─────────────────────────── InSpec Code Generator ───────────────────────────
|
11
|
+
|
12
|
+
Creating new profile at /Users/spaterson/my-profile
|
13
|
+
• Creating directory libraries
|
14
|
+
• Creating file README.md
|
15
|
+
• Creating directory controls
|
16
|
+
• Creating file controls/example.rb
|
17
|
+
• Creating file inspec.yml
|
18
|
+
• Creating file attributes.yml
|
19
|
+
• Creating file libraries/.gitkeep
|
17
20
|
|
18
21
|
```
|
19
22
|
|
20
|
-
##
|
23
|
+
## Optionally update `attributes.yml` to point to your custom VPC
|
21
24
|
|
22
25
|
```
|
23
26
|
aws_vpc_id: 'custom-vpc-id'
|
24
27
|
```
|
25
28
|
|
29
|
+
The related control will simply be skipped if this is not provided. See the [InSpec DSL documentation](https://www.inspec.io/docs/reference/dsl_inspec/) for more details on conditional execution using `only_if`.
|
30
|
+
|
26
31
|
## Run the tests
|
27
32
|
|
33
|
+
### With a VPC Identifier
|
34
|
+
|
35
|
+
With a supplied VPC identifier in `attributes.yml` both of the example controls will run. The 'aws-single-vpc-exists-check' control will only check for a VPC identifier in the currently configured AWS SDK region e.g. `eu-west-2` in the below:
|
36
|
+
|
37
|
+
```
|
38
|
+
$ cd my-profile/
|
39
|
+
$ inspec exec . -t aws:// --attrs attributes.yml
|
40
|
+
|
41
|
+
Profile: AWS InSpec Profile (my-profile)
|
42
|
+
Version: 0.1.0
|
43
|
+
Target: aws://eu-west-2
|
44
|
+
|
45
|
+
✔ aws-single-vpc-exists-check: Check to see if custom VPC exists.
|
46
|
+
✔ VPC vpc-1ea06476 should exist
|
47
|
+
✔ aws-vpcs-check: Check in all the VPCs for default sg not allowing 22 inwards
|
48
|
+
✔ EC2 Security Group sg-067cd21e928c3a2f1 should allow in {:port=>22}
|
49
|
+
✔ EC2 Security Group sg-9bb3b9f3 should allow in {:port=>22}
|
50
|
+
✔ aws-vpcs-multi-region-status-check: Check AWS VPCs in all regions have status "available"
|
51
|
+
✔ VPC vpc-6458b70d in eu-north-1 should exist
|
52
|
+
✔ VPC vpc-6458b70d in eu-north-1 should be available
|
53
|
+
✔ VPC vpc-8d1390e5 in ap-south-1 should exist
|
54
|
+
✔ VPC vpc-8d1390e5 in ap-south-1 should be available
|
55
|
+
✔ VPC vpc-07a71d6e in eu-west-3 should exist
|
56
|
+
✔ VPC vpc-07a71d6e in eu-west-3 should be available
|
57
|
+
✔ VPC vpc-021630e2e767412b5 in eu-west-2 should exist
|
58
|
+
✔ VPC vpc-021630e2e767412b5 in eu-west-2 should be available
|
59
|
+
✔ VPC vpc-1ea06476 in eu-west-2 should exist
|
60
|
+
✔ VPC vpc-1ea06476 in eu-west-2 should be available
|
61
|
+
✔ VPC vpc-169dee70 in eu-west-1 should exist
|
62
|
+
✔ VPC vpc-169dee70 in eu-west-1 should be available
|
63
|
+
✔ VPC vpc-01ac7ba0be447a1c4 in eu-west-1 should exist
|
64
|
+
✔ VPC vpc-01ac7ba0be447a1c4 in eu-west-1 should be available
|
65
|
+
✔ VPC vpc-09ff83d71da9d2b6e in eu-west-1 should exist
|
66
|
+
✔ VPC vpc-09ff83d71da9d2b6e in eu-west-1 should be available
|
67
|
+
✔ VPC vpc-0ebccac2337a90f13 in eu-west-1 should exist
|
68
|
+
✔ VPC vpc-0ebccac2337a90f13 in eu-west-1 should be available
|
69
|
+
✔ VPC vpc-c2a53da4 in eu-west-1 should exist
|
70
|
+
✔ VPC vpc-c2a53da4 in eu-west-1 should be available
|
71
|
+
✔ VPC vpc-4fb3f127 in ap-northeast-2 should exist
|
72
|
+
✔ VPC vpc-4fb3f127 in ap-northeast-2 should be available
|
73
|
+
✔ VPC vpc-0804856f in ap-northeast-1 should exist
|
74
|
+
✔ VPC vpc-0804856f in ap-northeast-1 should be available
|
75
|
+
✔ VPC vpc-ccb917ab in sa-east-1 should exist
|
76
|
+
✔ VPC vpc-ccb917ab in sa-east-1 should be available
|
77
|
+
✔ VPC vpc-0afcc60c70a30a615 in ca-central-1 should exist
|
78
|
+
✔ VPC vpc-0afcc60c70a30a615 in ca-central-1 should be available
|
79
|
+
✔ VPC vpc-20a25048 in ca-central-1 should exist
|
80
|
+
✔ VPC vpc-20a25048 in ca-central-1 should be available
|
81
|
+
✔ VPC vpc-5896143f in ap-southeast-1 should exist
|
82
|
+
✔ VPC vpc-5896143f in ap-southeast-1 should be available
|
83
|
+
✔ VPC vpc-47972220 in ap-southeast-2 should exist
|
84
|
+
✔ VPC vpc-47972220 in ap-southeast-2 should be available
|
85
|
+
✔ VPC vpc-071b6f0c69d1d0311 in eu-central-1 should exist
|
86
|
+
✔ VPC vpc-071b6f0c69d1d0311 in eu-central-1 should be available
|
87
|
+
✔ VPC vpc-807dfdeb in eu-central-1 should exist
|
88
|
+
✔ VPC vpc-807dfdeb in eu-central-1 should be available
|
89
|
+
✔ VPC vpc-0be54a71311bc362d in eu-central-1 should exist
|
90
|
+
✔ VPC vpc-0be54a71311bc362d in eu-central-1 should be available
|
91
|
+
✔ VPC vpc-f060cd8b in us-east-1 should exist
|
92
|
+
✔ VPC vpc-f060cd8b in us-east-1 should be available
|
93
|
+
✔ VPC vpc-0c3a7e116c58d714b in us-east-1 should exist
|
94
|
+
✔ VPC vpc-0c3a7e116c58d714b in us-east-1 should be available
|
95
|
+
✔ VPC vpc-047bff6c in us-east-2 should exist
|
96
|
+
✔ VPC vpc-047bff6c in us-east-2 should be available
|
97
|
+
✔ VPC vpc-93dd6ef4 in us-west-1 should exist
|
98
|
+
✔ VPC vpc-93dd6ef4 in us-west-1 should be available
|
99
|
+
✔ VPC vpc-2c0a6a55 in us-west-2 should exist
|
100
|
+
✔ VPC vpc-2c0a6a55 in us-west-2 should be available
|
101
|
+
|
102
|
+
|
103
|
+
Profile: Amazon Web Services Resource Pack (inspec-aws)
|
104
|
+
Version: 0.1.0
|
105
|
+
Target: aws://eu-west-2
|
106
|
+
|
107
|
+
No tests executed.
|
108
|
+
|
109
|
+
Profile Summary: 3 successful controls, 0 control failures, 0 controls skipped
|
110
|
+
Test Summary: 53 successful, 0 failures, 0 skipped
|
111
|
+
```
|
112
|
+
|
113
|
+
|
114
|
+
### Without Supplying a VPC Identifier
|
115
|
+
|
116
|
+
If no VPC identifier is supplied, the 'aws-single-vpc-exists-check' control is skipped and the other control runs. The `attributes.yml` file does not have to be specified to InSpec in this case.
|
117
|
+
|
28
118
|
```
|
29
|
-
$ cd
|
30
|
-
$ inspec exec -t aws://
|
119
|
+
$ cd my-profile/
|
120
|
+
$ inspec exec . -t aws://
|
31
121
|
|
32
|
-
Profile: InSpec Profile (
|
122
|
+
Profile: AWS InSpec Profile (my-profile)
|
33
123
|
Version: 0.1.0
|
34
124
|
Target: aws://eu-west-2
|
35
125
|
|
36
|
-
|
37
|
-
|
126
|
+
↺ aws-single-vpc-exists-check: Check to see if custom VPC exists.
|
127
|
+
↺ Skipped control due to only_if condition.
|
38
128
|
✔ aws-vpcs-check: Check in all the VPCs for default sg not allowing 22 inwards
|
39
|
-
✔ EC2 Security Group sg-
|
40
|
-
✔ EC2 Security Group sg-
|
41
|
-
|
42
|
-
✔
|
43
|
-
✔
|
44
|
-
✔
|
45
|
-
✔
|
46
|
-
✔
|
47
|
-
✔
|
48
|
-
✔
|
49
|
-
✔
|
129
|
+
✔ EC2 Security Group sg-067cd21e928c3a2f1 should allow in {:port=>22}
|
130
|
+
✔ EC2 Security Group sg-9bb3b9f3 should allow in {:port=>22}
|
131
|
+
✔ aws-vpcs-multi-region-status-check: Check AWS VPCs in all regions have status "available"
|
132
|
+
✔ VPC vpc-6458b70d in eu-north-1 should exist
|
133
|
+
✔ VPC vpc-6458b70d in eu-north-1 should be available
|
134
|
+
✔ VPC vpc-8d1390e5 in ap-south-1 should exist
|
135
|
+
✔ VPC vpc-8d1390e5 in ap-south-1 should be available
|
136
|
+
✔ VPC vpc-07a71d6e in eu-west-3 should exist
|
137
|
+
✔ VPC vpc-07a71d6e in eu-west-3 should be available
|
138
|
+
✔ VPC vpc-021630e2e767412b5 in eu-west-2 should exist
|
139
|
+
✔ VPC vpc-021630e2e767412b5 in eu-west-2 should be available
|
140
|
+
✔ VPC vpc-1ea06476 in eu-west-2 should exist
|
141
|
+
✔ VPC vpc-1ea06476 in eu-west-2 should be available
|
142
|
+
✔ VPC vpc-169dee70 in eu-west-1 should exist
|
143
|
+
✔ VPC vpc-169dee70 in eu-west-1 should be available
|
144
|
+
✔ VPC vpc-01ac7ba0be447a1c4 in eu-west-1 should exist
|
145
|
+
✔ VPC vpc-01ac7ba0be447a1c4 in eu-west-1 should be available
|
146
|
+
✔ VPC vpc-09ff83d71da9d2b6e in eu-west-1 should exist
|
147
|
+
✔ VPC vpc-09ff83d71da9d2b6e in eu-west-1 should be available
|
148
|
+
✔ VPC vpc-0ebccac2337a90f13 in eu-west-1 should exist
|
149
|
+
✔ VPC vpc-0ebccac2337a90f13 in eu-west-1 should be available
|
150
|
+
✔ VPC vpc-c2a53da4 in eu-west-1 should exist
|
151
|
+
✔ VPC vpc-c2a53da4 in eu-west-1 should be available
|
152
|
+
✔ VPC vpc-4fb3f127 in ap-northeast-2 should exist
|
153
|
+
✔ VPC vpc-4fb3f127 in ap-northeast-2 should be available
|
154
|
+
✔ VPC vpc-0804856f in ap-northeast-1 should exist
|
155
|
+
✔ VPC vpc-0804856f in ap-northeast-1 should be available
|
156
|
+
✔ VPC vpc-ccb917ab in sa-east-1 should exist
|
157
|
+
✔ VPC vpc-ccb917ab in sa-east-1 should be available
|
158
|
+
✔ VPC vpc-0afcc60c70a30a615 in ca-central-1 should exist
|
159
|
+
✔ VPC vpc-0afcc60c70a30a615 in ca-central-1 should be available
|
160
|
+
✔ VPC vpc-20a25048 in ca-central-1 should exist
|
161
|
+
✔ VPC vpc-20a25048 in ca-central-1 should be available
|
162
|
+
✔ VPC vpc-5896143f in ap-southeast-1 should exist
|
163
|
+
✔ VPC vpc-5896143f in ap-southeast-1 should be available
|
164
|
+
✔ VPC vpc-47972220 in ap-southeast-2 should exist
|
165
|
+
✔ VPC vpc-47972220 in ap-southeast-2 should be available
|
166
|
+
✔ VPC vpc-071b6f0c69d1d0311 in eu-central-1 should exist
|
167
|
+
✔ VPC vpc-071b6f0c69d1d0311 in eu-central-1 should be available
|
168
|
+
✔ VPC vpc-807dfdeb in eu-central-1 should exist
|
169
|
+
✔ VPC vpc-807dfdeb in eu-central-1 should be available
|
170
|
+
✔ VPC vpc-0be54a71311bc362d in eu-central-1 should exist
|
171
|
+
✔ VPC vpc-0be54a71311bc362d in eu-central-1 should be available
|
172
|
+
✔ VPC vpc-f060cd8b in us-east-1 should exist
|
173
|
+
✔ VPC vpc-f060cd8b in us-east-1 should be available
|
174
|
+
✔ VPC vpc-0c3a7e116c58d714b in us-east-1 should exist
|
175
|
+
✔ VPC vpc-0c3a7e116c58d714b in us-east-1 should be available
|
176
|
+
✔ VPC vpc-047bff6c in us-east-2 should exist
|
177
|
+
✔ VPC vpc-047bff6c in us-east-2 should be available
|
178
|
+
✔ VPC vpc-93dd6ef4 in us-west-1 should exist
|
179
|
+
✔ VPC vpc-93dd6ef4 in us-west-1 should be available
|
180
|
+
✔ VPC vpc-2c0a6a55 in us-west-2 should exist
|
181
|
+
✔ VPC vpc-2c0a6a55 in us-west-2 should be available
|
50
182
|
|
51
183
|
|
184
|
+
Profile: Amazon Web Services Resource Pack (inspec-aws)
|
185
|
+
Version: 0.1.0
|
186
|
+
Target: aws://eu-west-2
|
52
187
|
|
188
|
+
No tests executed.
|
53
189
|
|
190
|
+
Profile Summary: 2 successful controls, 0 control failures, 1 control skipped
|
191
|
+
Test Summary: 52 successful, 0 failures, 1 skipped
|
54
192
|
```
|