This repository has been archived by the owner on Oct 2, 2019. It is now read-only.

gdha/inspec-cfgmgmtcamp-ghent-2019


inspec-cfgmgmtcamp-ghent-2019

The InSpec examples for Config Management Camp 2019 - presented by Gratien D'haese

If you have questions or remarks, mail gratien . dhaese @ gmail . com

Prerequisites

Start the mychefdk Docker container

  • go to directory inspec-cfgmgmtcamp-ghent-2019/docker-chefdk
  • run: ./build-chefdk
  • run: ./run-chefdk
  • (inside the container) run: inspec exec /cookbooks/myaccount/test/integration/default/default_test.rb

In another Bash shell window (on your Linux or Mac)

  • go to directory inspec-cfgmgmtcamp-ghent-2019/cookbooks/myaccount/test/integration/default
  • run: docker ps -a
  • run: docker rename $(docker ps -q) inspec-demo
  • run: docker ps -a
  • run: inspec exec default_test.rb -t docker://$(docker ps -q)

Remediate the mychefdk container with the Chef cookbook myaccount

  • (inside the container) run: chef-client -z -o myaccount
  • (inside the container) run: inspec exec /cookbooks/myaccount/test/integration/default/default_test.rb
  • (on Mac) run: inspec exec default_test.rb -t docker://$(docker ps -q)

Demonstrate the dockerprofile

  • go to directory inspec-cfgmgmtcamp-ghent-2019/
  • (on Mac) run: inspec exec dockerprofile/controls/docker.rb
  • run: docker rename $(docker ps -q) inspec-demo
  • (on Mac) run: inspec exec dockerprofile/controls/docker.rb
  • (on Mac) run: inspec exec dockerprofile

Demonstrate InSpec Shell

  • (on Mac) if the container runs in detached mode, run: docker exec -it inspec-demo /bin/bash
  • (inside the container) run: inspec shell
  • (inside the container) run: inspec> help
  • (inside the container) run: inspec> command('uname -s').stdout
  • (inside the container) run: inspec>
     describe file('/etc/gshadow') do
       it { should be_owned_by 'root' }
     end

Demonstrate InSpec profile

  • (inside the container) run: inspec init profile newprofile
  • (inside the container) run: inspec check newprofile

Demonstrate Vagrant with InSpec

  • go to directory inspec-cfgmgmtcamp-ghent-2019/vagrant-ubuntu18

  • (on Mac) run: vagrant status

  • (on Mac) run: vagrant up --provision

  • (on Mac) optional: echo '192.168.33.10 client' >> /etc/hosts

  • (on Mac) run: inspec exec -t ssh://client --password vagrant ../path-check/

  • (on Mac) run: inspec exec -t ssh://client --password vagrant https://github.com/dev-sec/ssh-baseline

    [expected output] Test Summary: 38 successful, 60 failures, 2 skipped

  • (on Mac) run: vagrant ssh

  • (inside vagrant) run: cd /home/vagrant

  • (inside vagrant) run: sudo ansible-playbook /vagrant/ansible-ssh-hardening.yml

  • (on Mac) run: inspec exec -t ssh://client --password vagrant https://github.com/dev-sec/ssh-baseline

    [expected output] Test Summary: 94 successful, 4 failures, 2 skipped

  • (on Mac) run: vagrant halt (to stop the VM), or vagrant destroy (to stop and remove the VM)
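Added example (not part of this repository or of the dev-sec/ssh-baseline profile): a plain-Ruby model of what three typical sshd_config controls in an SSH-hardening profile actually evaluate, so the jump from "60 failures" to "4 failures" above is easier to read. It runs against two constructed sshd_config samples embedded in the script (a permissive one and a hardened one), not against the Vagrant VM, and the InSpec DSL line that expresses each check is carried in the CHECKS table for reference. The keyword list, the pass/fail rule for a missing keyword, and the summary format are assumptions made for this illustration.

```ruby
# Added example, not code from the repository. Models three sshd_config
# checks in plain Ruby and annotates each with its InSpec equivalent.

# Constructed sample: resembles a stock sshd_config before hardening.
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sample, not taken from the demo VM
  Port 22
  PermitRootLogin yes
  #PasswordAuthentication yes
  X11Forwarding yes
  Protocol 2
CONF

# Constructed sample: the same file after a hardening playbook ran.
HARDENED_SSHD_CONFIG = <<~CONF
  Port 22
  PermitRootLogin no
  PasswordAuthentication no
  X11Forwarding no
  Protocol 2
CONF

# Parse sshd_config into { lowercased keyword => value }. Comments and
# blank lines are skipped, and sshd's "first occurrence wins" rule is
# honoured: a later duplicate keyword does not override an earlier one.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    key = key.downcase
    settings[key] = value unless settings.key?(key)
  end
  settings
end

# Each entry: [keyword, expected value, InSpec DSL that tests the same thing].
# A keyword that is absent (or only present as a comment) falls back to
# sshd's compiled-in default, which for these settings is permissive, so
# absence is treated as a failure (assumption for this illustration).
CHECKS = [
  ['permitrootlogin', 'no',
   "describe sshd_config do its('PermitRootLogin') { should eq 'no' } end"],
  ['passwordauthentication', 'no',
   "describe sshd_config do its('PasswordAuthentication') { should eq 'no' } end"],
  ['x11forwarding', 'no',
   "describe sshd_config do its('X11Forwarding') { should eq 'no' } end"],
].freeze

# Evaluate every check; returns an array of [keyword, :pass or :fail, actual].
def evaluate_sshd_config(text)
  settings = parse_sshd_config(text)
  CHECKS.map do |key, expected, _inspec_dsl|
    actual = settings[key]
    status = actual && actual.downcase == expected ? :pass : :fail
    [key, status, actual]
  end
end

# One-line summary in the spirit of InSpec's "Test Summary" line (format is
# an assumption; InSpec's real output also reports skipped controls).
def summary(results)
  passed = results.count { |_, status, _| status == :pass }
  "Test Summary: #{passed} successful, #{results.size - passed} failures"
end

if __FILE__ == $PROGRAM_NAME
  { 'before hardening' => SAMPLE_SSHD_CONFIG,
    'after hardening' => HARDENED_SSHD_CONFIG }.each do |label, config|
    puts "== #{label}"
    results = evaluate_sshd_config(config)
    results.each { |key, status, actual| puts "#{status.to_s.ljust(4)} #{key} (actual: #{actual.inspect})" }
    puts summary(results)
  end
end
```

Run it with `ruby sshd_checks.rb`; the permissive sample reports three failures and the hardened one three passes. The "first occurrence wins" handling matters in practice: appending `PermitRootLogin no` to the end of a file that already sets it to `yes` earlier changes nothing for sshd, and a checker that takes the last value would wrongly report the host as hardened.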

Demonstrate kitchen test together with InSpec

  • go to directory inspec-cfgmgmtcamp-ghent-2019/cookbooks/nginx_test

  • (on Mac) run: cat recipes/default.rb

  • (on Mac) run: kitchen converge

  • (on Mac) run: kitchen verify

    [expected output] Test Summary: 86 successful, 44 failures, 1 skipped

  • (on Mac) run: vi recipes/default.rb

    uncomment line: # include_recipe 'os-hardening'

  • (on Mac) run: kitchen converge

  • (on Mac) run: kitchen verify

    [expected output] Test Summary: 129 successful, 1 failure, 1 skipped

  • (on Mac) run: kitchen destroy

LICENSE

What did you InSpec? by Gratien Dhaese is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
