InSpec: Inspect Your Infrastructure
InSpec is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.
# Disallow insecure protocols by testing
describe package('telnetd') do
it { should_not be_installed }
end
describe inetd_conf do
its("telnet") { should eq nil }
end
InSpec makes it easy to run your tests wherever you need.
# run test locally
inspec exec test.rb
# run test on remote host on SSH
inspec exec test.rb -t ssh://user@hostname
# run test on remote windows host on WinRM
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'
# run test on docker container
inspec exec test.rb -t docker://container_id
Features
- Built-in Compliance: Compliance no longer occurs at the end of the release cycle
- Targeted Tests: InSpec writes tests that specifically target compliance issues
- Metadata: Includes the metadata required by security and compliance pros
- Easy Testing: Includes a command-line interface to run tests quickly
Installation
InSpec requires Ruby ( >1.9 ).
Install it via rubygems.org
gem install inspec
Install it from source
That requires bundler:
bundle install
bundle exec bin/inspec help
To install it as a gem locally, run:
gem build inspec.gemspec
gem install inspec-*.gem
On Windows, you need to install Ruby with Ruby Development Kit to build dependencies with its native extensions.
Run InSpec
You should now be able to run:
$ inspec --help
Commands:
inspec check PATH # verify test structure in PATH
inspec detect # detect the target OS
inspec exec PATHS # run all test files
inspec help [COMMAND] # Describe available commands or one specific command
inspec json PATH # read all tests in PATH and generate a JSON profile
inspec shell # open an interactive debugging shell
inspec version # prints the version of this tool
Examples
- Only accept requests on secure ports - This test ensures that a web server is only listening on well-secured ports.
describe port(80) do
it { should_not be_listening }
end
describe port(443) do
it { should be_listening }
its('protocols') {should include 'tcp'}
end
- Use approved strong ciphers - This test ensures that only enterprise-compliant ciphers are used for SSH servers.
describe sshd_config do
its('Ciphers') { should eq('[email protected],aes256-ctr,aes192-ctr,aes128-ctr') }
end
- Test your
kitchen.ymlfile to verify that only Vagrant is configured as the driver.
describe yaml('.kitchen.yml') do
its('driver.name') { should eq('vagrant') }
end
Also have a look at our example that uses inspec in combination with test-kitchen
Command Line Usage
exec
Run tests against different targets:
# run test locally
inspec exec test.rb
# run test on remote host on SSH
inspec exec test.rb -t ssh://user@hostname
# run test on remote windows host on WinRM
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'
# run test on docker container
inspec exec test.rb -t docker://container_id
# run with sudo
inspec exec test.rb --sudo [--sudo-password ...] [--sudo-options ...]
detect
Verify your configuration and detect
id=$( docker run -dti ubuntu:14.04 /bin/bash )
inspec detect -t docker://$id
Which will provide you with:
{"family":"ubuntu","release":"14.04","arch":null}
Documentation
Documentation is available: https://github.com/chef/inspec/tree/master/docs
Kudos
InSpec is inspired by the wonderful Serverspec project. Kudos to mizzy and all contributors!
Contribute
- Fork it
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Add some feature')
- Push to the branch (git push origin my-new-feature)
- Create new Pull Request
Testing InSpec
We perform unit, resource and integration tests.
unittests ensure the intended behaviour of the implementationresourcetests run against docker containersintegrationtests run against VMs via test-kitchen and kitchen-inspec
Unit tests
bundle exec rake test
If you like to run only one test, use
bundle exec ruby -W -Ilib:test test/unit/resources/user_test.rb
Resource tests
Resource tests make sure the backend execution layer behaves as expected. These tests will take a while, as a lot of different operating systems and configurations are being tested.
You will require:
- docker
Run resource tests with
bundle exec rake test:resources config=test/test.yaml
bundle exec rake test:resources config=test/test-extra.yaml
Integration tests
These tests download various virtual machines, to ensure InSpec is working as expected across different operating systems.
You will require:
- vagrant with virtualbox
- test-kitchen
Run integration tests with vagrant:
cd test/integration
bundle exec kitchen test
Run integration tests with AWS EC2:
export AWS_ACCESS_KEY_ID=enteryouryourkey
export AWS_SECRET_ACCESS_KEY=enteryoursecreykey
export AWS_SSH_KEY_ID=enteryoursshkeyid
cd test/integration
KITCHEN_LOCAL_YAML=.kitchen.ec2.yml bundle exec kitchen test
In addition you may need to add your ssh key to .kitchen.ec2.yml
transport:
ssh_key: /Users/chartmann/aws/aws_chartmann.pem
username: ec2-user
Chef Delivery Tests
It may be informative to look at what tests Chef Delivery is running for CI.
License
| Author: | Dominik Richter ([email protected])
| Author: | Christoph Hartmann ([email protected])
| Copyright: | Copyright (c) 2015 Chef Software Inc.
| Copyright: | Copyright (c) 2015 Vulcano Security GmbH.
| License: | Apache License, Version 2.0
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.