chef / chef-workstation

Chef Workstation gives you everything you need to get started with Chef, so you can automate how you audit, configure, and manage applications and environments.
Apache License 2.0
134 stars 112 forks

[TRACKER] Chef Workstation 2020 Testing - test-kitchen with inspec #1211

Closed kvivek1115 closed 4 years ago

kvivek1115 commented 4 years ago

Description

Parent task

https://github.com/chef/chef-workstation/issues/1167

Reference

Chef Workstation Version

Platform Version

Aha! Link: https://chef.aha.io/features/SH-1950

snehaldwivedi commented 4 years ago
> inspec help
Commands:
  inspec archive PATH                # archive a profile to tar.gz (default) ...
  inspec artifact SUBCOMMAND         # Manage Chef InSpec Artifacts
  inspec check PATH                  # verify all tests at the specified PATH
  inspec compliance SUBCOMMAND       # Chef Compliance commands
  inspec detect                      # detect the target OS
  inspec env                         # Output shell-appropriate completion co...
  inspec exec LOCATIONS              # Run all test files at the specified LO...
  inspec habitat SUBCOMMAND          # Manage Habitat with Chef InSpec
  inspec help [COMMAND]              # Describe available commands or one spe...
  inspec init SUBCOMMAND             # Generate InSpec code
  inspec json PATH                   # read all tests in PATH and generate a ...
  inspec nothing                     # does nothing
  inspec plugin SUBCOMMAND           # Manage Chef InSpec and Train plugins
  inspec shell                       # open an interactive debugging shell
  inspec supermarket SUBCOMMAND ...  # Supermarket commands
  inspec vendor PATH                 # Download all dependencies and generate...
  inspec version                     # prints the version of this tool

Options:
  l, [--log-level=LOG_LEVEL]                         # Set the log level: info (default), debug, warn, error
      [--log-location=LOG_LOCATION]                  # Location to send diagnostic log messages to. (default: $stdout or Inspec::Log.error)
      [--diagnose], [--no-diagnose]                  # Show diagnostics (versions, configurations)
      [--color], [--no-color]                        # Use colors in output.
      [--interactive], [--no-interactive]            # Allow or disable user interaction
      [--disable-core-plugins]                       # Disable loading all plugins that are shipped in the lib/plugins directory of InSpec. Useful in development.
      [--disable-user-plugins]                       # Disable loading all plugins that the user installed.
      [--enable-telemetry], [--no-enable-telemetry]  # Allow or disable telemetry
      [--chef-license=CHEF_LICENSE]                  # Accept the license for this product and any contained products: accept, accept-no-persist, accept-silent

> inspec detect

 ────────────────────────────── Platform Details ──────────────────────────────

Name:      windows_10_home_single_language
Families:  windows, os
Release:   10.0.18363
Arch:      x86_64
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.7.0/gems/win32-process-0.8.3/lib/win32/process.rb:744: warning: $SAFE will become a normal global variable in Ruby 3.0
C:/opscode/chef-workstation/embedded/lib/ruby/gems/2.7.0/gems/win32-process-0.8.3/lib/win32/process.rb:744: warning: $SAFE will become a normal global variable in Ruby 3.0

> inspec exec .\auditd\
Profile: InSpec Profile (auditd)
Version: 0.1.0
Target:  local://

  [PASS]  world-1.0: Hello World
     [PASS]  File hello.txt content is expected to match "Hello World"

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 1 successful, 0 failures, 0 skipped

> inspec exec .\auditd\ --reporter=json
{"platform":{"name":"windows_10_home_single_language","release":"10.0.18363"},"profiles":[{"name":"auditd","version":"0.1.0","sha256":"59333f01e5286478f881be94f2367d6de6af0d8e6f93efce80259c8b18b840e0","title":"InSpec Profile","maintainer":"The Authors","summary":"An InSpec Compliance Profile","license":"Apache-2.0","copyright":"The Authors","copyright_email":"you@example.com","supports":[],"attributes":[],"groups":[{"id":"controls/example.rb","controls":["world-1.0"]}],"controls":[{"id":"world-1.0","title":"Hello World","desc":"Text should include the words 'hello world'.","descriptions":[{"label":"default","data":"Text should include the words 'hello world'."}],"impact":1.0,"refs":[],"tags":{},"code":"control \"world-1.0\" do  # A unique ID for this control\n  impact 1.0            # Just how critical is\n  title \"Hello World\"   # Readable by a human\n  desc \"Text should include the words 'hello world'.\" # Optional description\n  describe file('hello.txt') do  # The actual test / Resources \n    its('content') { should match 'Hello World' } # Custom matchers\n  end\nend\n","source_location":{"line":1,"ref":"./auditd/controls/example.rb"},"waiver_data":{},"results":[{"status":"passed","code_desc":"File hello.txt content is expected to match \"Hello World\"","run_time":0.0387841,"start_time":"2020-05-18T16:03:51+05:30"}]}],"status":"loaded"}],"statistics":{"duration":0.1053206},"version":"4.18.111"}

> inspec check auditd
Location :   auditd
Profile :    auditd
Controls :   1
Timestamp :  2020-05-18T16:06:25+05:30
Valid :      true

> inspec archive auditd
Dependencies for profile auditd successfully vendored to C:/Users/sneha/auditd/vendor
I, [2020-05-18T16:08:30.438339 #16284]  INFO -- : Checking profile in auditd
I, [2020-05-18T16:08:30.438927 #16284]  INFO -- : Metadata OK.
I, [2020-05-18T16:08:30.817960 #16284]  INFO -- : Found 1 controls.
I, [2020-05-18T16:08:30.818215 #16284]  INFO -- : Control definitions OK.
I, [2020-05-18T16:08:30.818955 #16284]  INFO -- : Generate archive C:/Users/sneha/auditd-0.1.0.tar.gz.
I, [2020-05-18T16:08:30.916459 #16284]  INFO -- : Finished archive generation.

> inspec exec auditd-0.1.0.tar.gz
Profile: InSpec Profile (auditd)
Version: 0.1.0
Target:  local://
  [PASS]  world-1.0: Hello World
     [PASS]  File hello.txt content is expected to match "Hello World"

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 1 successful, 0 failures, 0 skipped

> inspec supermarket profiles

 ──────────────────────────── Available profiles: ────────────────────────────

 • Ansible Fashion Police brucellino/ansible-fashion-police
 • apache2-compliance-test-tthompson thompsontelmate/apache2-compliance-test-tthompson
 • Apache DISA STIG som3guy/apache-disa-stig
 • Black Panther brucellino/black-panther
 • chef-alfresco-inspec-mysql alfresco/chef-alfresco-inspec-mysql
 • chef-alfresco-inspec-tomcat alfresco/chef-alfresco-inspec-tomcat
 • chef-client-hardening sliim/chef-client-hardening
 • CIS Distribution Independent Linux Benchmark dev-sec/cis-linux-benchmark
 • CIS Docker Benchmark dev-sec/cis-docker-benchmark
 • CIS Kubernetes Benchmark dev-sec/cis-kubernetes-benchmark
 • CVE-2016-5195 ndobson/cve-2016-5195
 • DevSec Apache Baseline dev-sec/apache-baseline
 • DevSec Linux Baseline dev-sec/linux-baseline
 • DevSec Linux Patch Baseline dev-sec/linux-patch-baseline
 • DevSec MySQl Baseline dev-sec/mysql-baseline
 • DevSec Nginx Baseline dev-sec/nginx-baseline
 • DevSec PHP Baseline dev-sec/php-baseline
 • DevSec PostgreSQL Baseline dev-sec/postgres-baseline
 • DevSec SSH Baseline dev-sec/ssh-baseline
 • DevSec SSL/TLS Baseline dev-sec/ssl-basline
 • DevSec Windows Baseline dev-sec/windows-baseline
 • DevSec Windows Patch Baseline dev-sec/windows-patch-baseline
 • dev-sec-wrapper imiell/dev-sec-wrapper
 • EC2 Instance - InSpec Profile alexpop/ec2-instance-profile
 • InSpec AEM shinesolutions/inspec-aem
 • InSpec AEM AWS shinesolutions/inspec-aem-aws
 • InSpec AEM Security shinesolutions/inspec-aem-security
 • inspec-chef-server jtimberman/inspec-chef-server
 • inspec_java awim/inspec_java
 • inspec-meltdownspectre vibrato/inspec-meltdownspectre
 • inspec-meltdownspectre_old nathandines/inspec-meltdownspectre_old
 • inspec_oracledb awim/inspec_oracledb
 • InSpec Wrapper Profile Example adamleff/inspec-wrapper-profile-example
 • myApacheTest petrillodennis/myapachetest
 • profile-test bigbam505/profile-test
 • RHEL6 STIG paulczar/rhel6-stig
 • SSL Certificate - InSpec Profile alexpop/ssl-certificate-profile
 • /tmp Compliance Profile nathenharvey/tmp-compliance-profile
 • tomcat-baseline rndmh3ro/tomcat-baseline
 • utils alfresco/utils
 • uyuni-inspec stdevel/uyuni-inspec
 • WannaCry Exploit Mitigation adamleff/wannacry-exploit

$ inspec supermarket info dev-sec/linux-baseline
name:   linux-baseline
owner:  dev-sec
url:    https://github.com/dev-sec/linux-baseline

description:   Linux compliance profile, used for Security + DevOps. More information is available at http://dev-sec.io
snehaldwivedi commented 4 years ago
$ inspec supermarket exec dev-sec/linux-baseline
[2020-05-19T07:10:52+00:00] WARN: URL target https://github.com/dev-sec/linux-baseline transformed to https://github.com/dev-sec/linux-baseline/archive/master.tar.gz. Consider using the git fetcher
Profile: DevSec Linux Security Baseline (linux-baseline)
Version: 2.4.0
Target:  local://
  ✔  os-01: Trusted hosts login
     ✔  File /etc/hosts.equiv is expected not to exist
  ✔  os-02: Check owner and permissions for /etc/shadow
     ✔  File /etc/shadow is expected to exist
     ✔  File /etc/shadow is expected to be file
     ✔  File /etc/shadow is expected to be owned by "root"
     ✔  File /etc/shadow is expected not to be executable
     ✔  File /etc/shadow is expected not to be readable by other
     ✔  File /etc/shadow group is expected to eq "shadow"
     ✔  File /etc/shadow is expected to be writable by owner
     ✔  File /etc/shadow is expected to be readable by owner
     ✔  File /etc/shadow is expected to be readable by group
  ✔  os-03: Check owner and permissions for /etc/passwd
     ✔  File /etc/passwd is expected to exist
     ✔  File /etc/passwd is expected to be file
     ✔  File /etc/passwd is expected to be owned by "root"
     ✔  File /etc/passwd is expected not to be executable
     ✔  File /etc/passwd is expected to be writable by owner
     ✔  File /etc/passwd is expected not to be writable by group
     ✔  File /etc/passwd is expected not to be writable by other
     ✔  File /etc/passwd is expected to be readable by owner
     ✔  File /etc/passwd is expected to be readable by group
     ✔  File /etc/passwd is expected to be readable by other
     ✔  File /etc/passwd group is expected to eq "root"
  ✔  os-04: Dot in PATH variable
     ✔  Environment variable PATH split is expected not to include ""
     ✔  Environment variable PATH split is expected not to include "."
  ×  os-05: Check login.defs (3 failed)
     ✔  File /etc/login.defs is expected to exist
     ✔  File /etc/login.defs is expected to be file
     ✔  File /etc/login.defs is expected to be owned by "root"
     ✔  File /etc/login.defs is expected not to be executable
     ✔  File /etc/login.defs is expected to be readable by owner
     ✔  File /etc/login.defs is expected to be readable by group
     ✔  File /etc/login.defs is expected to be readable by other
     ✔  File /etc/login.defs group is expected to eq "root"
     ✔  login.defs ENV_SUPATH is expected to include "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
     ✔  login.defs ENV_PATH is expected to include "/usr/local/bin:/usr/bin:/bin"
     ×  login.defs UMASK is expected to include "027"
     expected "022" to include "027"
     ×  login.defs PASS_MAX_DAYS is expected to eq "60"
     expected: "60"
          got: "99999"
     (compared using ==)
     ×  login.defs PASS_MIN_DAYS is expected to eq "7"
     expected: "7"
          got: "0"
     (compared using ==)
     ✔  login.defs PASS_WARN_AGE is expected to eq "7"
     ✔  login.defs LOGIN_RETRIES is expected to eq "5"
     ✔  login.defs LOGIN_TIMEOUT is expected to eq "60"
     ✔  login.defs UID_MIN is expected to eq "1000"
     ✔  login.defs GID_MIN is expected to eq "1000"
  ↺  os-05b: Check login.defs - RedHat specific
     ↺  Skipped control due to only_if condition.
  ✔  os-06: Check for SUID/ SGID blacklist
     ✔  suid_check diff is expected to be empty
  ✔  os-07: Unique uid and gid
     ✔  /etc/passwd uids is expected not to contain duplicates
     ✔  /etc/group gids is expected not to contain duplicates
  ✔  os-08: Entropy
     ✔  3206 is expected to >= 1000
  ✔  os-09: Check for .rhosts and .netrc file
     ✔  [] is expected to be empty
  ×  os-10: CIS: Disable unused filesystems (8 failed)
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install cramfs /bin/true"
     expected nil to match "install cramfs /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install freevxfs /bin/true"
     expected nil to match "install freevxfs /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install jffs2 /bin/true"
     expected nil to match "install jffs2 /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install hfs /bin/true"
     expected nil to match "install hfs /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install hfsplus /bin/true"
     expected nil to match "install hfsplus /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install squashfs /bin/true"
     expected nil to match "install squashfs /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install udf /bin/true"
     expected nil to match "install udf /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install vfat /bin/true"
     expected nil to match "install vfat /bin/true"
  ✔  os-11: Protect log-directory
     ✔  File /var/log is expected to be directory
     ✔  File /var/log is expected to be owned by "root"
     ✔  File /var/log group is expected to match /^root|syslog$/
  ✔  package-01: Do not run deprecated inetd or xinetd
     ✔  System Package inetd is expected not to be installed
     ✔  System Package xinetd is expected not to be installed
  ✔  package-02: Do not install Telnet server
     ✔  System Package telnetd is expected not to be installed
  ✔  package-03: Do not install rsh server
     ✔  System Package rsh-server is expected not to be installed
  ✔  package-05: Do not install ypserv server (NIS)
     ✔  System Package ypserv is expected not to be installed
  ✔  package-06: Do not install tftp server
     ✔  System Package tftp-server is expected not to be installed
  ✔  package-07: Install syslog server package
     ✔  System Package rsyslog is expected to be installed
  ↺  package-08: Install auditd (1 failed) (1 skipped)
     ×  System Package auditd is expected to be installed
     expected that `System Package auditd` is installed
     ↺  Can't find file: /etc/audit/auditd.conf
  ✔  package-09: CIS: Additional process hardening
     ✔  System Package prelink is expected not to be installed
  ✔  sysctl-01: IPv4 Forwarding
     ✔  Kernel Parameter net.ipv4.ip_forward value is expected to eq 0
     ✔  Kernel Parameter net.ipv4.conf.all.forwarding value is expected to eq 0
  ✔  sysctl-02: Reverse path filtering
     ✔  Kernel Parameter net.ipv4.conf.all.rp_filter value is expected to eq 1
     ✔  Kernel Parameter net.ipv4.conf.default.rp_filter value is expected to eq 1
  ✔  sysctl-03: ICMP ignore bogus error responses
     ✔  Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value is expected to eq 1
  ✔  sysctl-04: ICMP echo ignore broadcasts
     ✔  Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value is expected to eq 1
  ×  sysctl-05: ICMP ratelimit
     ×  Kernel Parameter net.ipv4.icmp_ratelimit value is expected to eq 100
     expected: 100
          got: 1000
     (compared using ==)
  ×  sysctl-06: ICMP ratemask
     ×  Kernel Parameter net.ipv4.icmp_ratemask value is expected to eq 88089
     expected: 88089
          got: 6168
     (compared using ==)
  ×  sysctl-07: TCP timestamps
     ×  Kernel Parameter net.ipv4.tcp_timestamps value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-08: ARP ignore
     ×  Kernel Parameter net.ipv4.conf.all.arp_ignore value is expected to eq 1
     expected: 1
          got: 0
     (compared using ==)
  ×  sysctl-09: ARP announce
     ×  Kernel Parameter net.ipv4.conf.all.arp_announce value is expected to eq 2
     expected: 2
          got: 0
     (compared using ==)
  ×  sysctl-10: TCP RFC1337 Protect Against TCP Time-Wait
     ×  Kernel Parameter net.ipv4.tcp_rfc1337 value is expected to eq 1
     expected: 1
          got: 0
     (compared using ==)
  ✔  sysctl-11: Protection against SYN flood attacks
     ✔  Kernel Parameter net.ipv4.tcp_syncookies value is expected to eq 1
  ✔  sysctl-12: Shared Media IP Architecture
     ✔  Kernel Parameter net.ipv4.conf.all.shared_media value is expected to eq 1
     ✔  Kernel Parameter net.ipv4.conf.default.shared_media value is expected to eq 1
  ×  sysctl-13: Disable Source Routing (1 failed)
     ✔  Kernel Parameter net.ipv4.conf.all.accept_source_route value is expected to eq 0
     ×  Kernel Parameter net.ipv4.conf.default.accept_source_route value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-14: Disable acceptance of all IPv4 redirected packets (2 failed)
     ×  Kernel Parameter net.ipv4.conf.default.accept_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
     ×  Kernel Parameter net.ipv4.conf.all.accept_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-15: Disable acceptance of all secure redirected packets (2 failed)
     ×  Kernel Parameter net.ipv4.conf.all.secure_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
     ×  Kernel Parameter net.ipv4.conf.default.secure_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-16: Disable sending of redirects packets (2 failed)
     ×  Kernel Parameter net.ipv4.conf.default.send_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
     ×  Kernel Parameter net.ipv4.conf.all.send_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-17: Disable log martians (2 failed)
     ×  Kernel Parameter net.ipv4.conf.all.log_martians value is expected to eq 1
     expected: 1
          got: 0
     (compared using ==)
     ×  Kernel Parameter net.ipv4.conf.default.log_martians value is expected to eq 1
     expected: 1
          got: 0
     (compared using ==)
  ×  sysctl-18: Disable IPv6 if it is not needed
     ×  Kernel Parameter net.ipv6.conf.all.disable_ipv6 value is expected to eq 1
     expected: 1
          got: 0
     (compared using ==)
  ✔  sysctl-19: IPv6 Forwarding
     ✔  Kernel Parameter net.ipv6.conf.all.forwarding value is expected to eq 0
  ×  sysctl-20: Disable acceptance of all IPv6 redirected packets (2 failed)
     ×  Kernel Parameter net.ipv6.conf.default.accept_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
     ×  Kernel Parameter net.ipv6.conf.all.accept_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-21: Disable acceptance of IPv6 router solicitations messages
     ×  Kernel Parameter net.ipv6.conf.default.router_solicitations value is expected to eq 0
     expected: 0
          got: "-1"
     (compared using ==)
  ×  sysctl-22: Disable Accept Router Preference from router advertisement
     ×  Kernel Parameter net.ipv6.conf.default.accept_ra_rtr_pref value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-23: Disable learning Prefix Information from router advertisement
     ×  Kernel Parameter net.ipv6.conf.default.accept_ra_pinfo value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-24: Disable learning Hop limit from router advertisement
     ×  Kernel Parameter net.ipv6.conf.default.accept_ra_defrtr value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-25: Disable the system`s acceptance of router advertisement (2 failed)
     ×  Kernel Parameter net.ipv6.conf.all.accept_ra value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
     ×  Kernel Parameter net.ipv6.conf.default.accept_ra value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-26: Disable IPv6 autoconfiguration
     ×  Kernel Parameter net.ipv6.conf.default.autoconf value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-27: Disable neighbor solicitations to send out per address
     ×  Kernel Parameter net.ipv6.conf.default.dad_transmits value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-28: Assign one global unicast IPv6 addresses to each interface
     ×  Kernel Parameter net.ipv6.conf.default.max_addresses value is expected to eq 1
     expected: 1
          got: 16
     (compared using ==)
  ✔  sysctl-29: Disable loading kernel modules
     ✔  Kernel Parameter kernel.modules_disabled value is expected to eq 0
  ×  sysctl-30: Magic SysRq
     ×  Kernel Parameter kernel.sysrq value is expected to eq 0
     expected: 0
          got: 176
     (compared using ==)
  ✔  sysctl-31a: Secure Core Dumps - dump settings
     ✔  Kernel Parameter fs.suid_dumpable value is expected to cmp == /(0|2)/
  ✔  sysctl-31b: Secure Core Dumps - dump path
     ✔  Kernel Parameter kernel.core_pattern value is expected to match /^\|?\/.*/
  ✔  sysctl-32: kernel.randomize_va_space
     ✔  Kernel Parameter kernel.randomize_va_space value is expected to eq 2
  ✔  sysctl-33: CPU No execution Flag or Kernel ExecShield
     ✔  /proc/cpuinfo Flags should include NX

Profile Summary: 28 successful controls, 25 control failures, 1 control skipped
Test Summary: 70 successful, 40 failures, 2 skipped

$ inspec exec https://github.com/dev-sec/linux-baseline | grep -A 7 package-08
  ↺  package-08: Install auditd (1 skipped)
     ✔  System Package auditd is expected to be installed
     ↺  Can't find file: /etc/audit/auditd.conf
  ✔  package-09: CIS: Additional process hardening
     ✔  System Package prelink is expected not to be installed
  ✔  sysctl-01: IPv4 Forwarding
     ✔  Kernel Parameter net.ipv4.ip_forward value is expected to eq 0
     ✔  Kernel Parameter net.ipv4.conf.all.forwarding value is expected to eq 0

$ inspec exec https://github.com/dev-sec/linux-baseline --controls package-08
[2020-05-19T07:25:14+00:00] WARN: URL target https://github.com/dev-sec/linux-baseline transformed to https://github.com/dev-sec/linux-baseline/archive/master.tar.gz. Consider using the git fetcher
Profile: DevSec Linux Security Baseline (linux-baseline)
Version: 2.4.0
Target:  local://
  ↺  package-08: Install auditd (1 skipped)
     ✔  System Package auditd is expected to be installed
     ↺  Can't find file: /etc/audit/auditd.conf

Profile Summary: 0 successful controls, 0 control failures, 1 control skipped
Test Summary: 1 successful, 0 failures, 1 skipped
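The `--reporter=json` output in the first comment and the long list of `×` results from the linux-baseline run above are the two ends of the same workflow: a machine-readable report on one side and a pile of failed sysctl and login.defs checks to act on on the other. The script below is an added example, not code from this issue, from Chef Workstation or from InSpec. It reads a reporter JSON document (field names taken from the JSON shown in the first comment: `profiles[].controls[].{id,title,impact,results[].{status,code_desc}}`), rolls results up to control status the way the page's summaries do, picks the controls that should block a CI run, and turns every failed "Kernel Parameter ... is expected to eq N" test into a line for an `/etc/sysctl.d` drop-in. The embedded sample report is constructed; the `message` key on failed results and the 0.7 impact threshold are assumptions, not something the page shows.

```ruby
# Added example (not from the chef-workstation issue or InSpec): turn an
# `inspec exec ... --reporter=json` report into a CI gate plus a sysctl
# remediation drop-in. Field names follow the reporter JSON quoted on the page.
require 'json'

# Constructed sample report, not real output from the issue. It mirrors the
# result kinds the linux-baseline run produced: one passing control, a failing
# login.defs control, two failing sysctl controls and one skipped control.
# The "message" key for failed results is an assumption about the reporter.
SAMPLE_REPORT = <<~'JSON'
  {"platform": {"name": "ubuntu", "release": "18.04"},
   "version": "4.18.111",
   "profiles": [{"name": "linux-baseline", "version": "2.4.0", "controls": [
     {"id": "os-01", "title": "Trusted hosts login", "impact": 1.0, "results": [
       {"status": "passed", "code_desc": "File /etc/hosts.equiv is expected not to exist"}]},
     {"id": "os-05", "title": "Check login.defs", "impact": 1.0, "results": [
       {"status": "passed", "code_desc": "File /etc/login.defs is expected to exist"},
       {"status": "failed", "code_desc": "login.defs UMASK is expected to include \"027\"",
        "message": "expected \"022\" to include \"027\""}]},
     {"id": "sysctl-07", "title": "TCP timestamps", "impact": 1.0, "results": [
       {"status": "failed", "message": "\nexpected: 0\n     got: 1\n\n(compared using ==)\n",
        "code_desc": "Kernel Parameter net.ipv4.tcp_timestamps value is expected to eq 0"}]},
     {"id": "sysctl-14", "title": "Disable acceptance of all IPv4 redirected packets", "impact": 1.0,
      "results": [
       {"status": "failed", "code_desc": "Kernel Parameter net.ipv4.conf.default.accept_redirects value is expected to eq 0"},
       {"status": "failed", "code_desc": "Kernel Parameter net.ipv4.conf.all.accept_redirects value is expected to eq 0"}]},
     {"id": "os-05b", "title": "Check login.defs - RedHat specific", "impact": 1.0, "results": [
       {"status": "skipped", "code_desc": "Skipped control due to only_if condition."}]}
   ]}]}
JSON

# Yield every control of every profile in the report.
def each_control(report)
  report.fetch('profiles', []).each do |profile|
    profile.fetch('controls', []).each { |control| yield control }
  end
end

# Roll results up to a control status the way the page's summaries do: any
# failed result fails the control (package-08 with one failed and one skipped
# result is counted as a failure), otherwise any skipped result skips it.
def control_status(control)
  statuses = control.fetch('results', []).map { |r| r['status'] }
  return 'failed'  if statuses.include?('failed')
  return 'skipped' if statuses.include?('skipped')
  statuses.empty? ? 'no_results' : 'passed'
end

# Per-status control counts plus the failed controls themselves.
def summarize(report)
  counts = Hash.new(0)
  failed = []
  each_control(report) do |control|
    status = control_status(control)
    counts[status] += 1
    failed << control if status == 'failed'
  end
  { counts: counts, failed: failed }
end

# IDs of failed controls at or above the impact threshold (0.7 is a chosen
# convention); a CI wrapper would exit non-zero when this is non-empty.
def gate(report, min_impact: 0.7)
  summarize(report)[:failed]
    .select { |c| c['impact'].to_f >= min_impact }
    .map { |c| c['id'] }
end

# Shape of the sysctl test descriptions in the baseline output.
SYSCTL_DESC = /\AKernel Parameter (?<key>[\w.]+) value is expected to eq (?<value>\S+)\z/

# Build /etc/sysctl.d drop-in lines for every failed "Kernel Parameter ..."
# test, grouped under a comment naming the control. Non-sysctl failures
# (login.defs, packages) are left for a human.
def sysctl_remediation(report)
  lines = []
  each_control(report) do |control|
    fixes = control.fetch('results', []).map do |result|
      next unless result['status'] == 'failed'
      m = SYSCTL_DESC.match(result['code_desc'].to_s)
      m && "#{m[:key]} = #{m[:value]}"
    end.compact
    next if fixes.empty?
    lines << "# #{control['id']}: #{control['title']}"
    lines.concat(fixes)
  end
  lines
end

if $PROGRAM_NAME == __FILE__
  report = JSON.parse(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT)
  puts summarize(report)[:counts].map { |status, n| "#{n} #{status}" }.join(', ')
  puts "blocking controls: #{gate(report).join(', ')}"
  puts sysctl_remediation(report)
end
```

Run it as `ruby inspec_gate.rb report.json` against a file produced with `inspec exec <profile> --reporter=json:report.json`; without an argument it processes the constructed sample. The generated drop-in only covers `eq` comparisons, so controls such as sysctl-31a (`cmp == /(0|2)/`) never appear in it, and controls that are deliberately not applicable in an environment (for example sysctl-18 on a host that needs IPv6) are better handled with InSpec's waiver mechanism than by editing the generated file.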
snehaldwivedi commented 4 years ago
kitchen.yml
---
driver:
  name: vagrant

provisioner:
  name: chef_solo

platforms:
  - name: ubuntu-18.04

suites:
  - name: default
    run_list:
    attributes:

verifier:
  name: inspec

> kitchen converge
-----> Starting Test Kitchen (v2.5.0)
-----> Converging <default-ubuntu-1804>...
       Preparing files for transfer
       Preparing dna.json
       Preparing cookbooks from project directory
       Removing non-cookbook files before transfer
       Preparing solo.rb
-----> Chef installation detected (install only if missing)
       Transferring files to <default-ubuntu-1804>
       Starting Chef Infra Client, version 16.1.0
       resolving cookbooks for run list: []
       Synchronizing Cookbooks:
       Installing Cookbook Gems:
       Compiling Cookbooks...
       [2020-05-19T11:56:24+00:00] WARN: Node default-ubuntu-1804 has an empty run list.
       Converging 0 resources

       Running handlers:
       Running handlers complete
       Chef Infra Client finished, 0/0 resources updated in 01 seconds
       Downloading files from <default-ubuntu-1804>
       Finished converging <default-ubuntu-1804> (0m9.74s).
-----> Creating <default-centos-7>...
       Bringing machine 'default' up with 'virtualbox' provider...
       ==> default: Importing base box 'bento/centos-7'...
       ==> default: Matching MAC address for NAT networking...
       ==> default: Checking if box 'bento/centos-7' version '202004.15.0' is up to date...
       ==> default: A newer version of the box 'bento/centos-7' for provider 'virtualbox' is
       ==> default: available! You currently have version '202004.15.0'. The latest is version
       ==> default: '202005.12.0'. Run `vagrant box update` to update.
       ==> default: Setting the name of the VM: kitchen-msys-default-centos-7-31850bdb-6e4e-4e52-8d4a-74d660e42dfd
       ==> default: Clearing any previously set network interfaces...
       ==> default: Preparing network interfaces based on configuration...
           default: Adapter 1: nat
       ==> default: Forwarding ports...
           default: 22 (guest) => 2222 (host) (adapter 1)
       ==> default: Running 'pre-boot' VM customizations...
       ==> default: Booting VM...
       ==> default: Waiting for machine to boot. This may take a few minutes...
           default: SSH address: 127.0.0.1:2222
           default: SSH username: vagrant
           default: SSH auth method: private key
           default:
           default: Vagrant insecure key detected. Vagrant will automatically replace
           default: this with a newly generated keypair for better security.
           default:
           default: Inserting generated public key within guest...
           default: Removing insecure key from the guest if it's present...
           default: Key inserted! Disconnecting and reconnecting using new SSH key...
       ==> default: Machine booted and ready!
       ==> default: Checking for guest additions in VM...
       ==> default: Setting hostname...
       ==> default: Mounting shared folders...
           default: /tmp/omnibus/cache => C:/Users/msys/.kitchen/cache
       ==> default: Machine not provisioned because `--no-provision` is specified.
       [SSH] Established
       Vagrant instance <default-centos-7> created.
       Finished creating <default-centos-7> (1m8.07s).
-----> Converging <default-centos-7>...
       Preparing files for transfer
       Preparing dna.json
       Preparing cookbooks from project directory
       Removing non-cookbook files before transfer
       Preparing solo.rb
-----> Installing Chef install only if missing package
       Downloading https://omnitruck.chef.io/install.sh to file /tmp/install.sh
       Trying wget...
       Download complete.
       el 7 x86_64
       Getting information for chef stable  for el...
       downloading https://omnitruck.chef.io/stable/chef/metadata?v=&p=el&pv=7&m=x86_64
         to file /tmp/install.sh.3139/metadata.txt
       trying wget...
       sha1     d83b40e2e8a100eab14199f4b21781b86b0223a6
       sha256   d6c538bef603eccbcbd999b222dbb63af64a2e7428c50b94252cef0024723fa3
       url      https://packages.chef.io/files/stable/chef/16.1.0/el/7/chef-16.1.0-1.el7.x86_64.rpm
       version  16.1.0
       downloaded metadata file looks valid...
       downloading https://packages.chef.io/files/stable/chef/16.1.0/el/7/chef-16.1.0-1.el7.x86_64.rpm
         to file /tmp/omnibus/cache/chef-16.1.0-1.el7.x86_64.rpm
       trying wget...
       Comparing checksum with sha256sum...

       WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

       You are installing a package without a version pin.  If you are installing
       on production servers via an automated process this is DANGEROUS and you will
       be upgraded without warning on new releases, even to new major releases.
       Letting the version float is only appropriate in desktop, test, development or
       CI/CD environments.

       WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

       Installing chef
       installing with rpm...
       warning: /tmp/omnibus/cache/chef-16.1.0-1.el7.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 83ef826a: NOKEY
       Preparing...                          ################################# [100%]
       Updating / installing...
          1:chef-16.1.0-1.el7                ################################# [100%]
       Thank you for installing Chef Infra Client! For help getting started visit https://learn.chef.io
       Transferring files to <default-centos-7>
       +---------------------------------------------+
       ✔ 2 product licenses accepted.
       +---------------------------------------------+
       Starting Chef Infra Client, version 16.1.0
       Creating a new client identity for default-centos-7 using the validator key.
       resolving cookbooks for run list: []
       Synchronizing Cookbooks:
       Installing Cookbook Gems:
       Compiling Cookbooks...
       [2020-05-19T12:02:41+00:00] WARN: Node default-centos-7 has an empty run list.
       Converging 0 resources

       Running handlers:
       Running handlers complete
       Chef Infra Client finished, 0/0 resources updated in 02 seconds
       Downloading files from <default-centos-7>
       Finished converging <default-centos-7> (0m36.68s).
-----> Test Kitchen is finished. (2m58.44s)

> kitchen verify default-*
-----> Starting Test Kitchen (v2.5.0)
-----> Verifying <default-ubuntu-1804>...
       Loaded tests from {:path=>"C:.Users.msys.test.integration.default"}

Profile: tests from {:path=>"C:/Users/msys/test/integration/default"} (tests from {:path=>"C:.Users.msys.test.integration.default"})
Version: (not specified)
Target:  ssh://vagrant@127.0.0.1:2222

  File hello.txt
    [PASS] world-1.0: Hello World
    [PASS] File hello.txt content is expected to match "Hello World"

Test Summary: 1 successful, 0 failure, 0 skipped
-----> Verifying <default-centos-7>...
       Loaded tests from {:path=>"C:.Users.msys.test.integration.default"}

Profile: tests from {:path=>"C:/Users/msys/test/integration/default"} (tests from {:path=>"C:.Users.msys.test.integration.default"})
Version: (not specified)
Target:  ssh://vagrant@127.0.0.1:2200

  File hello.txt
     [PASS] world-1.0: Hello World
     [PASS] File hello.txt content is expected to match "Hello World"

Test Summary: 1 successful, 0 failure, 0 skipped

kitchen.yml
---
driver:
  name: vagrant

provisioner:
  name: chef_solo

platforms:
  - name: ubuntu-18.04

suites:
- name: default
  verifier:
    inspec_tests:
      - test/integration/default

> kitchen verify
-----> Starting Test Kitchen (v2.5.0)
-----> Verifying <default-ubuntu-1804>...
       Preparing files for transfer
       Transferring files to <default-ubuntu-1804>
       Downloading files from <default-ubuntu-1804>
       Version: (not specified)
       Target:  ssh://vagrant@127.0.0.1:2202
       System Package apache2
       ✔  should be installed
         Service apache2
       ✔  should be installed
       ✔  should be enabled
       ✔  should be running
         Port 80
       ✔  should be listening
         http GET on localhost
       ✔  status should eq 200
       ✔  headers.Content-Type should include "text/html"
       ✔  body should include "Hello World!"
       Test Summary: 8 successful, 0 failures, 0 skipped
-----> Test Kitchen is finished. (0m10.76s)
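As an added example (not part of the thread above), the same kitchen.yml extended to pin the Chef Infra Client that the provisioner installs; this is what the omnitruck install.sh WARNING block in the converge output is asking for. It assumes the Test Kitchen chef provisioner settings `product_name`, `product_version`, `channel` and `install_strategy`, and reuses 16.1.0, the version the unpinned run resolved to:

```yaml
---
driver:
  name: vagrant

provisioner:
  name: chef_solo
  # Pin what omnitruck's install.sh installs. Without a version the metadata
  # request in the converge log is made with "v=" empty, the script floats to
  # the newest release, and it prints the WARNING block about unpinned installs.
  product_name: chef
  product_version: 16.1.0   # the release the unpinned run above resolved to
  channel: stable
  # Default behaviour, stated explicitly: install once, then reuse the package
  # already on the instance ("Installing Chef install only if missing package").
  install_strategy: once

platforms:
  - name: ubuntu-18.04
  - name: centos-7

suites:
  - name: default
    verifier:
      inspec_tests:
        - test/integration/default
```

With the pin in place a new Chef Infra Client release no longer changes what `kitchen converge` installs, so a verify failure points at the cookbook or the tests rather than at a silently upgraded client.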
dheerajd-msys commented 4 years ago

Thanks @snehaldwivedi for finishing this up. Looks good.