Build the VMs and Docker containers by running:
make start-vagrant-ubuntu
make start-vagrant-windows
make start-docker-ssh
make start-docker-mario
Set env var for keys and passwords so you don't have to typey typey too much:
export VAGRANT_KEY=./playground/vagrant-ubuntu/.vagrant/machines/default/virtualbox/private_key
export SSH_PASS='password'
export WINDOWS_PASS='vagrant'
You could actually get it via package, chefdk, and chef-client 13+, docker image and hab package too. But this is easiest here and now in our friendly terminal.
gem install inspec
inspec help
inspec version
Are you on latest InSpec? Check by going to https://rubygems.org/gems/inspec/
Pro tip: You're gonna wanna be at the root of the repo for all these commands, to ensure the KEY path is correct
inspec detect -t winrm://vagrant@127.0.0.1 --password $WINDOWS_PASS -p 55985
inspec detect -t ssh://pwsudo@localhost --password $SSH_PASS -p 11030
inspec detect -t ssh://vagrant@192.168.33.10 -i $VAGRANT_KEY
inspec detect -t docker://cc_pg
What's InSpec shell, you say? It's a pry based Read–Eval–Print Loop that can be used to quickly run InSpec controls and tests without having to write it to a file. Its functionality is similar to chef shell.
We'll start by connecting to the shell with our key and transport information, and then play around in the shell for a bit and write our first test.
inspec help shell
inspec shell -t ssh://pwsudo@localhost --password $SSH_PASS -p 11030
help
help resources
help sshd_config
sshd_config.params
sshd_config.port
sshd_config.Protocol
help matchers
describe sshd_config do
its('Protocol') { should eq '2' }
end
inspec init profile my-first-profile
# impact 1.0
# title 'check ssh config'
# ref 'something', url: 'http://something'
# tag 'safety first!'
describe sshd_config do
its('Protocol') { should eq '2' }
end
control 'ssh-config-check' do
impact 1.0 # how important is this test? (0-0.3 = minor, 0.4-0.7 = major, 0.7-1.0 critical)
title 'Check ssh config protocol'
desc 'Protocol should be set to 2. Version 1 = bad monkeys'
ref 'that doc that gives an overcomplicated explanation', url: 'http://someone/sounds/fancy'
tag 'safety-first-friends'
describe sshd_config do
its('Protocol') { should eq '2' }
end
end
A what yml?? An InSpec yml! That's a small file that contains metadata information about your profile.
name: mario-meets-inspec
title: Mario Meets InSpec, The Story of a Profile
maintainer: Victoria Jeffrey, Hannah Maddy
copyright: Victoria Jeffrey, Hannah Maddy
copyright_email: vjeffrey@chef.io
license: All Rights Reserved
summary: Bowser keeps trying to break into my vms! This should help keep him out.
version: 0.1.0
supports:
- os-name: ubuntu
inspec check profiles/simple-ssh
inspec exec profiles/simple-ssh -t ssh://pwsudo@localhost --password $SSH_PASS -p 11030
inspec exec profiles/simple-ssh -t ssh://pwsudo@localhost --password $SSH_PASS -p 11030 --format json
inspec exec profiles/simple-ssh -t ssh://pwsudo@localhost --password $SSH_PASS -p 11030 --format junit
Attributes may be used in profiles to define secrets, such as user names and passwords, that should not otherwise be stored in plain-text in a cookbook
inspec exec profiles/attributes --attrs profiles/attributes/princess-peach-attribute.yml
depends:
- name: my-linux-profile
git: https://github.com/dev-sec/linux-baseline
- name: ssh-baseline
url: https://github.com/dev-sec/ssh-baseline/archive/tar.gz
inspec vendor profiles/inheritance # downloads all the dependencies
inspec exec profiles/inheritance -t ssh://pwsudo@localhost --password $SSH_PASS -p 11030
inspec archive profiles/simple-ssh
ls # notice the tar file there?
inspec exec profiles/docker-love
inspec exec profiles/custom-resource
inspec exec profiles/special-sauce-ruby -t ssh://pwsudo@localhost --password $SSH_PASS -p 11030
Test-kitchen is a tool used to automatically test cookbook data across any combination of platforms and test suites. Well, that sounds nice. I sure would love to do a quick test of my profile against all these different platform versions, but how oh how do I do so? TADA: Kitchen Inspec What??? You're gonna InSpec my kitchen?? lol...you know you thought it was funny :) kitchen-inspec is a tool you can use with test-kitchen by adding the following to your .kitchen.yml
verifier:
name: inspec
Hey there big spender!! So you wanna get all fancy devops-like with your compliance? Let us help you get started! Take a look at the audit cookbook:
# Set the `data_collector.server_url` and `data_collector.token` in your `client.rb`
'audit': {
'reporter' = 'chef-automate'
'insecure' = false, ## true skips ssl cert verification
'profiles' = [
{
"name": "ssl",
"git": "https://github.com/dev-sec/ssl-baseline.git"
},
{
"name": "ssh",
"url": "https://github.com/dev-sec/ssh-baseline/archive/master.zip"
}
]
}
```
inspec help supermarket
inspec supermarket profiles
```
* https://github.com/dev-sec/cis-docker-benchmark
* https://blog.chef.io/2017/03/30/inspec-habitat-and-continuous-compliance/
* https://blog.chef.io/2017/03/22/docker-container-compliance-with-inspec/
* https://blog.chef.io/2017/05/23/inspec-launches-support-cloud-platform-assessments/
* https://github.com/alexpop/ec2-instance-profile
* https://blog.chef.io/2017/05/15/detecting-wannacry-exploit-inspec/