The InSpec examples for Config Management Camp 2019 - presented by Gratien D'haese
If you have questions or remarks, mail gratien . dhaese @ gmail . com
- Linux or Mac OS/X system
- vim editor or alike
- docker
- vagrant
- Oracle VirtualBox
- InSpec from Chef
- git (to clone this git repo: https://github.com/gdha/inspec-cfgmgmtcamp-ghent-2019)
- go to directory inspec-cfgmgmtcamp-ghent-2019/docker-chefdk
- run: ./build-chefdk
- run: ./run-chefdk
- (inside the container) run: inspec exec /cookbooks/myaccount/test/integration/default/default_test.rb
- go to directory inspec-cfgmgmtcamp-ghent-2019/cookbooks/myaccount/test/integration/default
- run: docker ps -a
- run: docker rename $(docker ps -q) inspec-demo
- run: docker ps -a
- run: inspec exec default_test.rb -t docker://$(docker ps -q)
- (inside the container) run: chef-client -z -o myaccount
- (inside the container) run: inspec exec /cookbooks/myaccount/test/integration/default/default_test.rb
- (on Mac) run: inspec exec default_test.rb -t docker://$(docker ps -q)
- go to directory inspec-cfgmgmtcamp-ghent-2019/
- (on Mac) run: inspec exec dockerprofile/controls/docker.rb
- run: docker rename $(docker ps -q) inspec-demo
- (on Mac) run: inspec exec dockerprofile/controls/docker.rb
- (on Mac) run: inspec exec dockerprofile
- (on Mac) if container runs in detached mode run: docker exec -it inspec-demo /bin/bash
- (inside the container) run: inspec shell
- (inside the container) run: inspec> help
- (inside the container) run: inspec> command('uname -s').stdout
- (inside the container) run: inspec>
      describe file('/etc/gshadow') do
        it { should be_owned_by 'root' }
      end
- (inside the container) run: inspec init profile newprofile
- (inside the container) run: inspec check newprofile
- go to directory inspec-cfgmgmtcamp-ghent-2019/vagrant-ubuntu18
- (on Mac) run: vagrant status
- (on Mac) run: vagrant up --provision
- (on Mac) optional (needs root to write the file): echo '192.168.33.10 client' >> /etc/hosts
- (on Mac) run: inspec exec -t ssh://client --password vagrant ../path-check/
- (on Mac) run: inspec exec -t ssh://client --password vagrant https://github.com/dev-sec/ssh-baseline
  [expected output] Test Summary: 38 successful, 60 failures, 2 skipped
- (on Mac) run: vagrant ssh
- (inside vagrant) run: cd /home/vagrant
- (inside vagrant) run: sudo ansible-playbook /vagrant/ansible-ssh-hardening.yml
- (on Mac) run: inspec exec -t ssh://client --password vagrant https://github.com/dev-sec/ssh-baseline
  [expected output] Test Summary: 94 successful, 4 failures, 2 skipped
- (on Mac) run: vagrant halt (to stop the VM), or vagrant destroy (to stop and remove the VM)
- go to directory inspec-cfgmgmtcamp-ghent-2019/cookbooks/nginx_test
- (on Mac) run: cat recipes/default.rb
- (on Mac) run: kitchen converge
- (on Mac) run: kitchen verify
  [expected output] Test Summary: 86 successful, 44 failures, 1 skipped
- (on Mac) run: vi recipes/default.rb
  uncomment line: # include_recipe 'os-hardening'
- (on Mac) run: kitchen converge
- (on Mac) run: kitchen verify
  [expected output] Test Summary: 129 successful, 1 failure, 1 skipped
- (on Mac) run: kitchen destroy
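The before/after "Test Summary" lines in the steps above can be compared by a script instead of by eye. The following is an added example, not part of the original repository; the function names and the allowed-failure thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: compare InSpec "Test Summary" lines before and after hardening.

# Read InSpec output on stdin; print "<successful> <failures> <skipped>"
# for the last Test Summary line. Strips ANSI colour codes first and
# accepts the singular "1 failure" as well as "N failures".
summary_counts() {
    esc=$(printf '\033')
    sed -E "s/${esc}\[[0-9;]*m//g" |
        sed -n -E 's/.*Test Summary: ([0-9]+) successful, ([0-9]+) failures?, ([0-9]+) skipped.*/\1 \2 \3/p' |
        tail -n 1
}

# Print the failure count found in the text $1; return 2 if it has no summary.
failures_in() {
    counts=$(printf '%s\n' "$1" | summary_counts)
    [ -n "$counts" ] || return 2
    set -- $counts          # $1=successful $2=failures $3=skipped
    echo "$2"
}

# Succeed only if the run after hardening ($2) has fewer failures than the
# run before ($1) and no more than the allowed maximum ($3, an assumed policy).
hardening_improved() {
    before=$(failures_in "$1") || return 2
    after=$(failures_in "$2") || return 2
    [ "$after" -lt "$before" ] && [ "$after" -le "$3" ]
}

# Summary lines copied from the expected output listed in the steps above.
SSH_BEFORE='Test Summary: 38 successful, 60 failures, 2 skipped'
SSH_AFTER='Test Summary: 94 successful, 4 failures, 2 skipped'
KITCHEN_BEFORE='Test Summary: 86 successful, 44 failures, 1 skipped'
KITCHEN_AFTER='Test Summary: 129 successful, 1 failure, 1 skipped'

# Thresholds 5 and 1 are hypothetical limits, not values from the demo.
if hardening_improved "$SSH_BEFORE" "$SSH_AFTER" 5; then
    echo "ssh-baseline: failures $(failures_in "$SSH_BEFORE") -> $(failures_in "$SSH_AFTER")"
fi
if hardening_improved "$KITCHEN_BEFORE" "$KITCHEN_AFTER" 1; then
    echo "os-hardening: failures $(failures_in "$KITCHEN_BEFORE") -> $(failures_in "$KITCHEN_AFTER")"
fi
```

In a real run, pipe the saved output of inspec exec or kitchen verify into summary_counts instead of using the literal lines.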
What did you InSpec? by Gratien Dhaese is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.