Commit 04341aef authored by Szymon Szypulski's avatar Szymon Szypulski

Inspec blog post code examples

Basic demo cookbook web/db with infrastructure validation done using
Test Kitchen.
---
driver:
name: vagrant
provision: true
vm_hostname: inspec.ragnarson.com
provisioner:
name: chef_zero
client_rb:
node_name: inspec.ragnarson.com
require_chef_omnibus: "12.18.31"
verifier:
name: inspec
platforms:
- name: ubuntu-14.04
- name: ubuntu-16.04
suites:
- name: web
run_list:
- recipe[inspec-blog-post::web]
- name: database
run_list:
- recipe[inspec-blog-post::database]
includes:
- ubuntu-16.04
- name: ssh-hardening
includes:
- ubuntu-16.04
verifier:
inspec_tests:
- name: ssh-hardening
url: https://github.com/dev-sec/tests-ssh-hardening/archive/master.tar.gz
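Review bot: The ssh-hardening suite pulls its InSpec profile from `https://github.com/dev-sec/tests-ssh-hardening/archive/master.tar.gz`, an unpinned branch archive with no checksum, so the checks executed against the box change whenever upstream master moves and a past run cannot be reproduced. Point `url` at a tagged release or commit archive instead, `url: https://github.com/dev-sec/tests-ssh-hardening/archive/<TAG_OR_COMMIT>.tar.gz`, and record the pinned version in a comment next to it. Note also that `includes: - ubuntu-16.04` on this suite means the ubuntu-14.04 platform never receives the hardening profile; if that is intentional, a one-line comment saying so avoids surprise.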
source 'https://supermarket.chef.io'
metadata
cookbook 'apt', '~> 4.0'
DEPENDENCIES
apt (~> 4.0.0)
inspec-blog-post
path: .
metadata: true
GRAPH
apt (4.0.2)
compat_resource (>= 12.10)
compat_resource (12.16.3)
inspec-blog-post (1.0.0)
apt (>= 0.0.0)
source 'https://rubygems.org'
ruby '2.3.3'
group :development, :test do
gem 'berkshelf', '~> 5.5'
gem 'hashie', '~> 3.4.0'
gem 'kitchen-inspec', '~> 0.17'
gem 'kitchen-vagrant', '~> 1.0'
gem 'test-kitchen', '~> 1.15'
end
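Review bot: `gem 'hashie', '~> 3.4.0'` is the only entry here that is not a tool the README invokes; per Gemfile.lock hashie is a transitive dependency of inspec and kitchen-inspec, so a direct pin this tight reads as a workaround for a resolution conflict. A comment above the line, `# hashie pinned directly: <reason or issue placeholder>`, records why so the pin can be lifted when it is no longer needed.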
GEM
remote: https://rubygems.org/
specs:
addressable (2.5.0)
public_suffix (~> 2.0, >= 2.0.2)
artifactory (2.5.2)
berkshelf (5.5.0)
addressable (~> 2.3, >= 2.3.4)
berkshelf-api-client (>= 2.0.2, < 4.0)
buff-config (~> 2.0)
buff-extensions (~> 2.0)
buff-shell_out (~> 1.0)
cleanroom (~> 1.0)
faraday (~> 0.9)
httpclient (~> 2.7)
minitar (~> 0.5, >= 0.5.4)
mixlib-archive (~> 0.1)
octokit (~> 4.0)
retryable (~> 2.0)
ridley (~> 5.0)
solve (> 2.0, < 4.0)
thor (~> 0.19, < 0.19.2)
berkshelf-api-client (3.0.0)
faraday (~> 0.9)
httpclient (~> 2.7)
ridley (>= 4.5, < 6.0)
buff-config (2.0.0)
buff-extensions (~> 2.0)
varia_model (~> 0.6)
buff-extensions (2.0.0)
buff-ignore (1.2.0)
buff-ruby_engine (1.0.0)
buff-shell_out (1.1.0)
buff-ruby_engine (~> 1.0)
builder (3.2.3)
celluloid (0.16.0)
timers (~> 4.0.0)
celluloid-io (0.16.2)
celluloid (>= 0.16.0)
nio4r (>= 1.1.0)
chef-config (12.18.31)
addressable
fuzzyurl
mixlib-config (~> 2.0)
mixlib-shellout (~> 2.0)
cleanroom (1.0.0)
coderay (1.1.1)
diff-lcs (1.3)
docker-api (1.33.2)
excon (>= 0.38.0)
json
domain_name (0.5.20161129)
unf (>= 0.0.5, < 1.0.0)
erubis (2.7.0)
excon (0.54.0)
faraday (0.9.2)
multipart-post (>= 1.2, < 3)
ffi (1.9.17)
fuzzyurl (0.9.0)
gssapi (1.2.0)
ffi (>= 1.0.1)
gyoku (1.3.1)
builder (>= 2.1.2)
hashie (3.4.6)
hitimes (1.2.4)
http (2.1.0)
addressable (~> 2.3)
http-cookie (~> 1.0)
http-form_data (~> 1.0.1)
http_parser.rb (~> 0.6.0)
http-cookie (1.0.3)
domain_name (~> 0.5)
http-form_data (1.0.1)
http_parser.rb (0.6.0)
httpclient (2.8.3)
inspec (1.11.0)
hashie (~> 3.4)
http (~> 2.1.0)
json (>= 1.8, < 3.0)
method_source (~> 0.8)
mixlib-log
parallel (~> 1.9)
pry (~> 0)
rainbow (~> 2)
rspec (~> 3)
rspec-its (~> 1.2)
rspec_junit_formatter (~> 0.2.3)
rubyzip (~> 1.1)
sslshake (~> 1)
thor (~> 0.19)
train (>= 0.22.0, < 1.0)
json (2.0.3)
kitchen-inspec (0.17.0)
hashie (~> 3.4)
inspec (>= 0.34.0, < 2.0.0)
test-kitchen (~> 1.6)
kitchen-vagrant (1.0.0)
test-kitchen (~> 1.4)
little-plugger (1.1.4)
logging (2.1.0)
little-plugger (~> 1.1)
multi_json (~> 1.10)
method_source (0.8.2)
minitar (0.5.4)
mixlib-archive (0.3.0)
mixlib-log
mixlib-authentication (1.4.1)
mixlib-log
mixlib-config (2.2.4)
mixlib-install (2.1.11)
artifactory
mixlib-shellout
mixlib-versioning
thor
mixlib-log (1.7.1)
mixlib-shellout (2.2.7)
mixlib-versioning (1.1.0)
molinillo (0.5.5)
multi_json (1.12.1)
multipart-post (2.0.0)
net-scp (1.2.1)
net-ssh (>= 2.6.5)
net-ssh (4.0.1)
net-ssh-gateway (1.3.0)
net-ssh (>= 2.6.5)
nio4r (2.0.0)
nori (2.6.0)
octokit (4.6.2)
sawyer (~> 0.8.0, >= 0.5.3)
parallel (1.10.0)
pry (0.10.4)
coderay (~> 1.1.0)
method_source (~> 0.8.1)
slop (~> 3.4)
public_suffix (2.0.5)
rainbow (2.2.1)
retryable (2.0.4)
ridley (5.1.0)
addressable
buff-config (~> 2.0)
buff-extensions (~> 2.0)
buff-ignore (~> 1.2)
buff-shell_out (~> 1.0)
celluloid (~> 0.16.0)
celluloid-io (~> 0.16.1)
chef-config (>= 12.5.0)
erubis
faraday (~> 0.9.0)
hashie (>= 2.0.2, < 4.0.0)
httpclient (~> 2.7)
json (>= 1.7.7)
mixlib-authentication (>= 1.3.0)
retryable (~> 2.0)
semverse (~> 2.0)
varia_model (~> 0.6)
rspec (3.5.0)
rspec-core (~> 3.5.0)
rspec-expectations (~> 3.5.0)
rspec-mocks (~> 3.5.0)
rspec-core (3.5.4)
rspec-support (~> 3.5.0)
rspec-expectations (3.5.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.5.0)
rspec-its (1.2.0)
rspec-core (>= 3.0.0)
rspec-expectations (>= 3.0.0)
rspec-mocks (3.5.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.5.0)
rspec-support (3.5.0)
rspec_junit_formatter (0.2.3)
builder (< 4)
rspec-core (>= 2, < 4, != 2.12.0)
rubyntlm (0.6.1)
rubyzip (1.2.0)
safe_yaml (1.0.4)
sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0)
semverse (2.0.0)
slop (3.6.0)
solve (3.1.0)
molinillo (>= 0.5)
semverse (>= 1.1, < 3.0)
sslshake (1.0.13)
test-kitchen (1.15.0)
mixlib-install (>= 1.2, < 3.0)
mixlib-shellout (>= 1.2, < 3.0)
net-scp (~> 1.1)
net-ssh (>= 2.9, < 5.0)
net-ssh-gateway (~> 1.2)
safe_yaml (~> 1.0)
thor (~> 0.18)
thor (0.19.1)
timers (4.0.4)
hitimes
train (0.22.1)
docker-api (~> 1.26)
json (>= 1.8, < 3.0)
mixlib-shellout (~> 2.0)
net-scp (~> 1.2)
net-ssh (>= 2.9, < 5.0)
winrm (~> 2.0)
winrm-fs (~> 1.0)
unf (0.1.4)
unf_ext
unf_ext (0.0.7.2)
varia_model (0.6.0)
buff-extensions (~> 2.0)
hashie (>= 2.0.2, < 4.0.0)
winrm (2.1.2)
builder (>= 2.1.2)
erubis (~> 2.7)
gssapi (~> 1.2)
gyoku (~> 1.0)
httpclient (~> 2.2, >= 2.2.0.2)
logging (>= 1.6.1, < 3.0)
nori (~> 2.0)
rubyntlm (~> 0.6.0, >= 0.6.1)
winrm-fs (1.0.1)
erubis (~> 2.7)
logging (>= 1.6.1, < 3.0)
rubyzip (~> 1.1)
winrm (~> 2.0)
PLATFORMS
ruby
DEPENDENCIES
berkshelf (~> 5.5)
hashie (~> 3.4.0)
kitchen-inspec (~> 0.17)
kitchen-vagrant (~> 1.0)
test-kitchen (~> 1.15)
RUBY VERSION
ruby 2.3.3p222
BUNDLED WITH
1.13.6
# Running a demo
Vagrant and virtualbox have to be installed before running demo.
```
bundle install
kitchen verify
```
For more, visit https://blog.ragnarson.com.
name 'inspec-blog-post'
version '1.0.0'
depends 'apt'
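Review bot: `depends 'apt'` carries no version constraint while the Berksfile constrains the same cookbook to `~> 4.0`, so anyone resolving this cookbook from its metadata (Policyfile, another Berksfile) gets an unconstrained apt. Moving the constraint into metadata, `depends 'apt', '~> 4.0'`, gives one source of truth that the Berksfile's `metadata` line already picks up. `license`, `maintainer` and `description` are also absent; even for a demo they document who owns the code and under what terms it may be reused.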
# Cookbook Name:: inspec-blog-post
# Recipe:: database
include_recipe 'inspec-blog-post::default'
package 'postgresql'
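Review bot: The recipe installs the postgresql package but declares no `service 'postgresql'` resource, while database_spec asserts the service is running; the test presumably passes only because the package's post-install script starts the service, which is not something this recipe enforces on later converges. The same gap applies to `package 'nginx'` in recipes/web.rb. Adding `service 'postgresql' do action [:enable, :start] end` (and the nginx equivalent) makes the intent explicit and keeps the spec and recipe in agreement.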
# Cookbook Name:: inspec-blog-post
# Recipe:: default
include_recipe 'inspec-blog-post::default'
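Review bot: `include_recipe 'inspec-blog-post::default'` inside recipes/default.rb makes the default recipe include itself, which Chef in practice skips as an already-loaded recipe, so the default recipe currently does nothing. Given `depends 'apt'` in metadata.rb and the apt cookbook in the Berksfile, this was presumably meant to be `include_recipe 'apt::default'`. Whichever is intended, a one-line comment stating what the default recipe is responsible for (shared setup for the web and database recipes that both include it) would help the next reader.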
# Cookbook Name:: inspec-blog-post
# Recipe:: web
include_recipe 'inspec-blog-post::default'
package 'nginx'
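Review bot: recipes/web.rb installs nginx but does not manage `/etc/nginx/nginx.conf`, while web_spec asserts that file contains a specific `ssl_protocols` line; the expectation therefore pins whatever the distribution package ships rather than anything this cookbook enforces, and may diverge between the ubuntu-14.04 and ubuntu-16.04 platforms if their defaults differ. Either render the config from a template resource in this recipe so the asserted line is under the cookbook's control, or document in the spec that it validates the vendor default.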
describe package('postgresql') do
it { should be_installed }
end
describe service('postgresql') do
it { should be_running }
end
describe postgres_conf do
its('max_connections') { should eq '100' }
end
describe port(5432) do
it { should be_listening }
its('addresses') { should_not include '0.0.0.0' }
its('protocols') { should include('tcp') }
end
describe command("psql") do
its('stdout') { should match /abc/ }
end
describe port.where { protocol =~ /tcp/ && port > 22 && port < 80 } do
it { should_not be_listening }
end
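Review bot: `describe command("psql")` with `its('stdout') { should match /abc/ }` looks like a placeholder: a bare `psql` run as the kitchen login user has no database or role to connect to, and nothing on the page produces "abc", so the assertion will presumably fail. Either drop it or give it a real query and expected output, for example `command("sudo -u postgres psql -tAc 'select 1'")` with `should match(/^1$/)`. The address check on the 5432 port block covers only the IPv4 wildcard; adding `its('addresses') { should_not include '::' }` closes the equivalent IPv6 wildcard.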
describe package('nginx') do
it { should be_installed }
end
describe service('nginx') do
it { should be_running }
# it { should be_monitored.by("monit") }
end
describe file('/etc/nginx/nginx.conf') do
it { should exist }
its(:content) { should match(/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/) }
end
# CVE-2016
describe file('/var/log/nginx') do
it { should_not be_owned_by('www-data') }
end
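Review bot: The `# CVE-2016` comment above the `/var/log/nginx` ownership check is truncated, so a reader cannot look up which advisory the check guards against; complete it as `# CVE-2016-<full id>: <one-line summary placeholder>` so the link between the control and its rationale survives. In the nginx.conf content match the dots in `TLSv1.1` and `TLSv1.2` are unescaped and match any character; `/ssl_protocols TLSv1 TLSv1\.1 TLSv1\.2;/` is the literal match. That line also pins a configuration that keeps TLSv1 and TLSv1.1 enabled; if this spec is meant as a hardening check rather than a snapshot of the vendor default, it should assert the legacy protocols are absent instead. The commented-out monit expectation is dead code; remove it or note why it is disabled.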