[TRACKER]Chef Workstation 2020 Testing - Inspec #1210

Closed

kvivek1115 opened this issue May 18, 2020 · 6 comments

kvivek1115 commented May 18, 2020

Description

Parent task

#1167

Reference

Chef Workstation Version

Platform Version

Aha! Link: https://chef.aha.io/features/SH-1949

@kvivek1115 kvivek1115 added Aspect: Testing Does the project have good coverage, and is CI working? Status: Sustaining Backlog An issue ideal for the Sustaining Engineering team (or anyone else if they want to adopt it). labels May 18, 2020
@dheerajd-msys

inspec env
OUTPUT:

_inspec() {
  local _inspec_top_level_commands="help json check vendor archive exec detect shell env
schema version nothing supermarket"
  local _inspec_supermarket_commands="help profiles exec info"
  cur=${COMP_WORDS[COMP_CWORD]}
  prev=${COMP_WORDS[COMP_CWORD-1]}
  if [ "$COMP_CWORD" -eq 1 ]; then
    case "$prev" in
      inspec)
        COMPREPLY=( $( compgen -W "$_inspec_top_level_commands" -- "$cur" ) )
        ;;
    esac
  elif [ "$COMP_CWORD" -eq 2 ]; then
    case "$prev" in
      archive|check|exec|json)
        COMPREPLY=( $( compgen -f -- "$cur" ) )
        ;;
      help)
        COMPREPLY=( $( compgen -W "$_inspec_top_level_commands" -- "$cur" ) )
        ;;
      supermarket)
        COMPREPLY=( $( compgen -W "$_inspec_supermarket_commands" -- "$cur" ) )
        ;;
    esac
  elif [ "$COMP_CWORD" -eq 3 ]; then
    prev2=${COMP_WORDS[COMP_CWORD-2]}
    case "$prev2-$prev" in
      compliance-upload)
        COMPREPLY=( $( compgen -f -- "$cur" ) )
        ;;
      supermarket-help)
        COMPREPLY=( $( compgen -W "$_inspec_supermarket_commands" -- "$cur" ) )
        ;;
    esac
  fi
}

inspec exec test.rb
Output:

Profile: tests from test.rb (tests from test.rb)
Version: (not specified)
Target: local://
System Package telnetd
✔ is expected not to be installed
Test Summary: 1 successful, 0 failures, 0 skipped

@dheerajd-msys

inspec archive auditd

Dependencies for profile auditd successfully vendored to /home/dheeraj/Desktop/inspectest/auditd/vendor
I, [2020-05-18T20:06:21.031950 #8454] INFO -- : Checking profile in auditd
I, [2020-05-18T20:06:21.032387 #8454] INFO -- : Metadata OK.
I, [2020-05-18T20:06:21.150185 #8454] INFO -- : Found 1 controls.
I, [2020-05-18T20:06:21.150244 #8454] INFO -- : Control definitions OK.
I, [2020-05-18T20:06:21.150372 #8454] INFO -- : Generate archive /home/dheeraj/Desktop/inspectest/auditd-0.1.0.tar.gz.
I, [2020-05-18T20:06:21.165551 #8454] INFO -- : Finished archive generation.

inspec check auditd
Output:

Location : auditd
Profile : auditd
Controls : 1
Timestamp : 2020-05-18T20:08:08+05:30
Valid : true
No errors or warnings

inspec detect
Output:

────────────────────────────── Platform Details ──────────────────────────────
Name: ubuntu
Families: debian, linux, unix, os
Release: 18.04
Arch: x86_64

sudo inspec exec test.rb -t ssh://[email protected]:2222 -i /home/nirbhay/centos/.vagrant/machines/default/virtualbox/private_key
Output:

Profile: tests from test.rb (tests from test.rb)
Version: (not specified)
Target: ssh://[email protected]:2222
System Package telnetd
✔ is expected not to be installed
Test Summary: 1 successful, 0 failures, 0 skipped

inspec exec test.rb -t winrm://vagrant@127.0.0.1:55985 --password 'vagrant'

Output :
Profile: tests from test.rb (tests from test.rb)
Version: (not specified)
Target: winrm://vagrant@http://127.0.0.1:55985/wsman:3389
System Package telnetd
✔ is expected not to be installed
Test Summary: 1 successful, 0 failures, 0 skipped

Command :
sudo inspec exec test.rb -t docker://4bbc2e693b219dfabbd866c4acace31c866895eef8de39919ede2effc228dc94
Output :

Profile: tests from test.rb (tests from test.rb)
Version: (not specified)
Target: docker://4bbc2e693b219dfabbd866c4acace31c866895eef8de39919ede2effc228dc94
System Package telnetd
✔ is expected not to be installed
Test Summary: 1 successful, 0 failures, 0 skipped

inspec json auditd
Output:

{
  "name": "auditd",
  "title": "InSpec Profile",
  "maintainer": "The Authors",
  "copyright": "The Authors",
  "copyright_email": "[email protected]",
  "license": "Apache-2.0",
  "summary": "An InSpec Compliance Profile",
  "version": "0.1.0",
  "supports": [],
  "controls": [
    {
      "title": null,
      "desc": null,
      "descriptions": {},
      "impact": 0.5,
      "refs": [],
      "tags": {},
      "code": "",
      "source_location": {
        "ref": "/opt/chef-workstation/embedded/lib/ruby/gems/2.7.0/gems/inspec-core-4.18.114/lib/inspec/control_eval_context.rb",
        "line": 71
      },
      "id": "(generated from example.rb:1 5f65aa74b46b6d5cba40097b0462f4a6)"
    }
  ],
  "groups": [
    {
      "title": null,
      "controls": ["(generated from example.rb:1 5f65aa74b46b6d5cba40097b0462f4a6)"],
      "id": "controls/example.rb"
    }
  ],
  "inputs": [],
  "sha256": "9a0b08f182493acf3e4a89df6c4e20d65f6754cd3199285a5fa73352abd7b0bb",
  "status": "loaded",
  "generator": {"name": "inspec", "version": "4.18.114"}
}
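The `inspec json auditd` output above is worth a second look: the only control has `"title":null`, `"desc":null` and an id of the form `(generated from example.rb:1 …)`. That is what InSpec emits when a profile contains a bare `describe` block that is not wrapped in a `control`; the profile still passes `inspec check` and uploads fine, but the finding that reaches Automate carries no title, no description and only a default impact. The following Ruby script is an added example, not code from this issue or from InSpec: it reads the document `inspec json <profile>` produces and flags exactly those conditions. The embedded profile JSON is a constructed sample shaped like the output above (placeholder hashes, a hypothetical second control `auditd-01`).

```ruby
# Added example: lint the metadata that `inspec json <profile>` emits.
# Not part of the issue or of InSpec; the sample document below is constructed.
require "json"

# Constructed sample shaped like the `inspec json auditd` output in the issue:
# one auto-generated control (bare describe block) and one hypothetical
# properly wrapped control. Hashes are placeholders, not real values.
SAMPLE_PROFILE_JSON = <<~JSON
  {
    "name": "auditd",
    "title": "InSpec Profile",
    "version": "0.1.0",
    "controls": [
      {
        "id": "(generated from example.rb:1 00000000000000000000000000000000)",
        "title": null,
        "desc": null,
        "impact": 0.5,
        "source_location": {"ref": "controls/example.rb", "line": 1}
      },
      {
        "id": "auditd-01",
        "title": "auditd is installed",
        "desc": "The audit daemon must be present so that security events are recorded.",
        "impact": 0.7,
        "source_location": {"ref": "controls/auditd.rb", "line": 1}
      }
    ],
    "sha256": "0000000000000000000000000000000000000000000000000000000000000000",
    "status": "loaded"
  }
JSON

# InSpec names controls it synthesises from loose describe blocks this way.
GENERATED_ID = /\A\(generated from /

# Returns an array of [control_id, problem] pairs; an empty array means the
# profile metadata is clean.
def lint_profile(json_text)
  doc = JSON.parse(json_text)
  problems = []
  doc.fetch("controls", []).each do |c|
    id = c["id"].to_s
    where = "#{c.dig("source_location", "ref")}:#{c.dig("source_location", "line")}"
    if id.match?(GENERATED_ID)
      problems << [id, "bare describe block at #{where}; wrap it in control 'id' do ... end"]
    end
    problems << [id, "missing title"] if c["title"].to_s.strip.empty?
    problems << [id, "missing desc"] if c["desc"].to_s.strip.empty?
    impact = c["impact"]
    unless impact.is_a?(Numeric) && impact >= 0.0 && impact <= 1.0
      problems << [id, "impact must be a number between 0.0 and 1.0, got #{impact.inspect}"]
    end
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby lint_profile.rb profile.json   (or no argument for the sample)
  text = ARGV.empty? ? SAMPLE_PROFILE_JSON : File.read(ARGV[0])
  lint_profile(text).each { |id, msg| puts "#{id}: #{msg}" }
end
```

Run it against `inspec json auditd > auditd.json` and every generated control shows up with the file and line of the unwrapped `describe`, which is the line to fix before the profile is uploaded or signed.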

@dheerajd-msys

inspec shell
Output:

/opt/chef-workstation/embedded/lib/ruby/gems/2.7.0/gems/pry-byebug-3.9.0/lib/pry-byebug/pry_ext.rb:13: warning: __FILE__ in eval may not return location in binding; use Binding#source_location instead
/opt/chef-workstation/embedded/lib/ruby/gems/2.7.0/gems/pry-stack_explorer-0.4.9.3/lib/pry-stack_explorer/when_started_hook.rb:63: warning: in `eval'
/opt/chef-workstation/embedded/lib/ruby/gems/2.7.0/gems/pry-0.13.1/lib/pry/core_extensions.rb:45: warning: __FILE__ in eval may not return location in binding; use Binding#source_location instead
/opt/chef-workstation/embedded/lib/ruby/gems/2.7.0/gems/pry-stack_explorer-0.4.9.3/lib/pry-stack_explorer/when_started_hook.rb:63: warning: in `eval'
Welcome to the interactive InSpec Shell
To find out how to use it, type: help
You are currently running on:
Name: ubuntu
Families: debian, linux, unix, os
Release: 18.04
Arch: x86_64
inspec>

inspec nothing
Output:
you did nothing

inspec vendor
Output:

Dependencies for profile /home/nirbhay/Desktop/inspectest successfully vendored to /home/nirbhay/Desktop/inspectest/vendor

inspec supermarket profile
Output:

──────────────────────────── Available profiles: ────────────────────────────
• Ansible Fashion Police brucellino/ansible-fashion-police
• apache2-compliance-test-tthompson thompsontelmate/apache2-compliance-test-tthompson
• Apache DISA STIG som3guy/apache-disa-stig
• Black Panther brucellino/black-panther
• chef-alfresco-inspec-mysql alfresco/chef-alfresco-inspec-mysql
• chef-alfresco-inspec-tomcat alfresco/chef-alfresco-inspec-tomcat
• chef-client-hardening sliim/chef-client-hardening
• CIS Distribution Independent Linux Benchmark dev-sec/cis-linux-benchmark
• CIS Docker Benchmark dev-sec/cis-docker-benchmark
• CIS Kubernetes Benchmark dev-sec/cis-kubernetes-benchmark
• CVE-2016-5195 ndobson/cve-2016-5195
• DevSec Apache Baseline dev-sec/apache-baseline
• DevSec Linux Baseline dev-sec/linux-baseline
• DevSec Linux Patch Baseline dev-sec/linux-patch-baseline
• DevSec MySQl Baseline dev-sec/mysql-baseline
• DevSec Nginx Baseline dev-sec/nginx-baseline
• DevSec PHP Baseline dev-sec/php-baseline
• DevSec PostgreSQL Baseline dev-sec/postgres-baseline
• DevSec SSH Baseline dev-sec/ssh-baseline
• DevSec SSL/TLS Baseline dev-sec/ssl-basline
• DevSec Windows Baseline dev-sec/windows-baseline
• DevSec Windows Patch Baseline dev-sec/windows-patch-baseline
• dev-sec-wrapper imiell/dev-sec-wrapper
• EC2 Instance - InSpec Profile alexpop/ec2-instance-profile
• InSpec AEM shinesolutions/inspec-aem
• InSpec AEM AWS shinesolutions/inspec-aem-aws
• InSpec AEM Security shinesolutions/inspec-aem-security
• inspec-chef-server jtimberman/inspec-chef-server
• inspec_java awim/inspec_java
• inspec-meltdownspectre vibrato/inspec-meltdownspectre
• inspec-meltdownspectre_old nathandines/inspec-meltdownspectre_old
• inspec_oracledb awim/inspec_oracledb
• InSpec Wrapper Profile Example adamleff/inspec-wrapper-profile-example
• myApacheTest petrillodennis/myapachetest
• profile-test bigbam505/profile-test
• RHEL6 STIG paulczar/rhel6-stig
• SSL Certificate - InSpec Profile alexpop/ssl-certificate-profile
• /tmp Compliance Profile nathenharvey/tmp-compliance-profile
• tomcat-baseline rndmh3ro/tomcat-baseline
• utils alfresco/utils
• uyuni-inspec stdevel/uyuni-inspec
• WannaCry Exploit Mitigation adamleff/wannacry-exploit

inspec supermarket exec awim/inspec_java

Output :

[2020-05-19T10:06:33+05:30] WARN: URL target https://github.com/awim/inspec_java transformed to https://github.com/awim/inspec_java/archive/master.tar.gz. Consider using the git fetcher
Profile: InSpec Java in system (java)
Version: 0.0.1
Target: local://
× java-1.0: identify java in system (2 failed)
× java_info is expected to exist
expected java_info to exist
× java_info version
undefined method `gsub' for nil:NilClass
↺ java-2.0: run java from specific path
↺ Can't find file "/opt/jdk/current"
↺ java-3.0: identify java home
↺ Can't find file "/opt/jdk/current"

Profile Summary: 0 successful controls, 1 control failure, 2 controls skipped
Test Summary: 0 successful, 2 failures, 2 skipped

inspec init profile nirb

Output :

─────────────────────────── InSpec Code Generator ───────────────────────────
Creating new profile at /home/nirbhay/Desktop/inspectest/nirb
• Creating file inspec.yml
• Creating directory controls
• Creating file controls/example.rb
• Creating file README.md

inspec plugin list

Output :
┌───────────────────────────┬──────────┬──────────────┬─────────┐
│ Plugin Name               │ Version  │ Via          │ ApiVer  │
├───────────────────────────┼──────────┼──────────────┼─────────┤
│ inspec-artifact           │ 4.18.114 │ core         │ 2       │
│ inspec-compliance         │ 4.18.114 │ core         │ 2       │
│ inspec-habitat            │ 4.18.114 │ core         │ 2       │
│ inspec-init               │ 4.18.114 │ core         │ 2       │
│ inspec-plugin-manager-cli │ 4.18.114 │ core         │ 2       │
│ inspec-supermarket        │ 4.18.114 │ core         │ 0       │
│ train-aws                 │ 0.1.16   │ gem (system) │ train-1 │
│ train-habitat             │ 0.2.13   │ gem (system) │ train-1 │
│ train-winrm               │ 0.2.6    │ gem (system) │ train-1 │
└───────────────────────────┴──────────┴──────────────┴─────────┘
9 plugin(s) total

inspec plugin uninstall train-aws
Output :

train-aws plugin, version , has been uninstalled

inspec plugin install train-aws
Output :

train-aws plugin, version , installed from rubygems.org

inspec compliance login https://xxxautomate.test --insecure --user='admin' --password='56917566af9dexxxxx84861' --token='xxxxe-f0b5-4280-9903-89949a446577'

output:
Stored configuration for Chef Automate2: https://automate.test/api/v0' with user: 'admin'

inspec compliance upload auditd
Output :

Profile is already vendored. Use --overwrite.
I, [2020-05-19T14:35:40.482168 #30643] INFO -- : Checking profile in auditd
I, [2020-05-19T14:35:40.482624 #30643] INFO -- : Metadata OK.
I, [2020-05-19T14:35:40.611682 #30643] INFO -- : Found 1 controls.
I, [2020-05-19T14:35:40.611750 #30643] INFO -- : Control definitions OK.
Profile is valid
Generate temporary profile archive at /tmp/auditd20200519-30643-oqcpg9.tar.gz
I, [2020-05-19T14:35:40.630841 #30643] INFO -- : Generate archive /tmp/auditd20200519-30643-oqcpg9.tar.gz.
I, [2020-05-19T14:35:40.650494 #30643] INFO -- : Finished archive generation.
Start upload to admin/auditd
Uploading to Chef Automate
Successfully uploaded profile

inspec compliance profiles

Output :

──────────────────────────── Available profiles: ────────────────────────────
CIS AIX 5.3 and AIX 6.1 Benchmark Level 1 v1.1.0-5 (admin/cis-aix-5.3-6.1-level1)
CIS CentOS Linux 7 Benchmark Level 2 - Workstation v2.2.0-10 (admin/cis-centos7-level2-workstation)
InSpec Profile v0.1.0 (admin/auditd)

inspec compliance download admin/cis-centos7-level2-workstation

Output :

Downloading `admin/cis-centos7-level2-workstation`
Profile stored to cis-centos7-level2-workstation.tar.gz

inspec compliance exec admin/auditd
Output :

Profile: InSpec Profile (auditd)
Version: 0.1.0
Target: local://
System Package auditd
× is expected to be installed
expected that `System Package auditd` is installed
Test Summary: 0 successful, 1 failure, 0 skipped

inspec artifact generate --keyname=Keynir

Output

Generating keys
Generating private key
Generating public key

inspec artifact sign-profile --keyname=Keynir --profile=auditd
OUTPUT:

Signing auditd with key Keynir
Successfully generated auditd-0.1.0.iaf

inspec artifact verify-profile --infile=auditd-0.1.0.iaf
Output:

Verifying auditd-0.1.0.iaf
Looking for Keynir.pem.pub to verify artifact
Artifact is valid

inspec supermarket profiles

Output :

──────────────────────────── Available profiles: ────────────────────────────
• Ansible Fashion Police brucellino/ansible-fashion-police
• apache2-compliance-test-tthompson thompsontelmate/apache2-compliance-test-tthompson
• Apache DISA STIG som3guy/apache-disa-stig
• Black Panther brucellino/black-panther
• chef-alfresco-inspec-mysql alfresco/chef-alfresco-inspec-mysql
• chef-alfresco-inspec-tomcat alfresco/chef-alfresco-inspec-tomcat
• chef-client-hardening sliim/chef-client-hardening
• CIS Distribution Independent Linux Benchmark dev-sec/cis-linux-benchmark
• CIS Docker Benchmark dev-sec/cis-docker-benchmark
• CIS Kubernetes Benchmark dev-sec/cis-kubernetes-benchmark
• CVE-2016-5195 ndobson/cve-2016-5195
• DevSec Apache Baseline dev-sec/apache-baseline
• DevSec Linux Baseline dev-sec/linux-baseline
• DevSec Linux Patch Baseline dev-sec/linux-patch-baseline
• DevSec MySQl Baseline dev-sec/mysql-baseline
• DevSec Nginx Baseline dev-sec/nginx-baseline
• DevSec PHP Baseline dev-sec/php-baseline
• DevSec PostgreSQL Baseline dev-sec/postgres-baseline
• DevSec SSH Baseline dev-sec/ssh-baseline
• DevSec SSL/TLS Baseline dev-sec/ssl-basline
• DevSec Windows Baseline dev-sec/windows-baseline
• DevSec Windows Patch Baseline dev-sec/windows-patch-baseline
• dev-sec-wrapper imiell/dev-sec-wrapper
• EC2 Instance - InSpec Profile alexpop/ec2-instance-profile
• InSpec AEM shinesolutions/inspec-aem
• InSpec AEM AWS shinesolutions/inspec-aem-aws
• InSpec AEM Security shinesolutions/inspec-aem-security
• inspec-chef-server jtimberman/inspec-chef-server
• inspec_java awim/inspec_java
• inspec-meltdownspectre vibrato/inspec-meltdownspectre
• inspec-meltdownspectre_old nathandines/inspec-meltdownspectre_old
• inspec_oracledb awim/inspec_oracledb
• InSpec Wrapper Profile Example adamleff/inspec-wrapper-profile-example
• myApacheTest petrillodennis/myapachetest
• profile-test bigbam505/profile-test
• RHEL6 STIG paulczar/rhel6-stig
• SSL Certificate - InSpec Profile alexpop/ssl-certificate-profile
• /tmp Compliance Profile nathenharvey/tmp-compliance-profile
• tomcat-baseline rndmh3ro/tomcat-baseline
• utils alfresco/utils
• uyuni-inspec stdevel/uyuni-inspec
• WannaCry Exploit Mitigation adamleff/wannacry-exploit

inspec supermarket info brucellino/ansible-fashion-police
Output :

name: ansible-fashion-police
owner: brucellino
url: https://github.com/EGI-Foundation/ansible-fashion-police
description: A profile to see if your Ansible roles are compliant with the [EGI Ansible Style Guide](https://github.com/EGI-Foundation/ansible-style-guide)

inspec supermarket exec dev-sec/linux-baseline

OUTPUT:

[2020-05-19T15:04:43+05:30] WARN: URL target https://github.com/dev-sec/linux-baseline transformed to https://github.com/dev-sec/linux-baseline/archive/master.tar.gz. Consider using the git fetcher
Profile: DevSec Linux Security Baseline (linux-baseline)
Version: 2.4.0
Target: local://
✔ os-01: Trusted hosts login
✔ File /etc/hosts.equiv is expected not to exist
✔ os-02: Check owner and permissions for /etc/shadow
✔ File /etc/shadow is expected to exist
✔ File /etc/shadow is expected to be file
✔ File /etc/shadow is expected to be owned by "root"
✔ File /etc/shadow is expected not to be executable
✔ File /etc/shadow is expected not to be readable by other
✔ File /etc/shadow group is expected to eq "shadow"
✔ File /etc/shadow is expected to be writable by owner
✔ File /etc/shadow is expected to be readable by owner
✔ File /etc/shadow is expected to be readable by group
✔ os-03: Check owner and permissions for /etc/passwd
✔ File /etc/passwd is expected to exist
✔ File /etc/passwd is expected to be file
✔ File /etc/passwd is expected to be owned by "root"
✔ File /etc/passwd is expected not to be executable
✔ File /etc/passwd is expected to be writable by owner
✔ File /etc/passwd is expected not to be writable by group
✔ File /etc/passwd is expected not to be writable by other
✔ File /etc/passwd is expected to be readable by owner
✔ File /etc/passwd is expected to be readable by group
✔ File /etc/passwd is expected to be readable by other
✔ File /etc/passwd group is expected to eq "root"
✔ os-04: Dot in PATH variable
✔ Environment variable PATH split is expected not to include ""
✔ Environment variable PATH split is expected not to include "."
× os-05: Check login.defs (3 failed)
✔ File /etc/login.defs is expected to exist
✔ File /etc/login.defs is expected to be file
✔ File /etc/login.defs is expected to be owned by "root"
✔ File /etc/login.defs is expected not to be executable
✔ File /etc/login.defs is expected to be readable by owner
✔ File /etc/login.defs is expected to be readable by group
✔ File /etc/login.defs is expected to be readable by other
✔ File /etc/login.defs group is expected to eq "root"
✔ login.defs ENV_SUPATH is expected to include "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
✔ login.defs ENV_PATH is expected to include "/usr/local/bin:/usr/bin:/bin"
× login.defs UMASK is expected to include "027"
expected "022" to include "027"
× login.defs PASS_MAX_DAYS is expected to eq "60"
expected: "60"
got: "99999"
(compared using ==)
× login.defs PASS_MIN_DAYS is expected to eq "7"
expected: "7"
got: "0"
(compared using ==)
✔ login.defs PASS_WARN_AGE is expected to eq "7"
✔ login.defs LOGIN_RETRIES is expected to eq "5"
✔ login.defs LOGIN_TIMEOUT is expected to eq "60"
✔ login.defs UID_MIN is expected to eq "1000"
✔ login.defs GID_MIN is expected to eq "1000"
↺ os-05b: Check login.defs - RedHat specific
↺ Skipped control due to only_if condition.
× os-06: Check for SUID/ SGID blacklist
× suid_check diff is expected to be empty
expected `["/usr/lib/evolution/camel-lock-helper-1.2"].empty?` to return true, got false
✔ os-07: Unique uid and gid
✔ /etc/passwd uids is expected not to contain duplicates
✔ /etc/group gids is expected not to contain duplicates
✔ os-08: Entropy
✔ 3717 is expected to >= 1000
✔ os-09: Check for .rhosts and .netrc file
✔ [] is expected to be empty
× os-10: CIS: Disable unused filesystems (8 failed)
× File /etc/modprobe.d/dev-sec.conf content is expected to match "install cramfs /bin/true"
expected nil to match "install cramfs /bin/true"
× File /etc/modprobe.d/dev-sec.conf content is expected to match "install freevxfs /bin/true"
expected nil to match "install freevxfs /bin/true"
× File /etc/modprobe.d/dev-sec.conf content is expected to match "install jffs2 /bin/true"
expected nil to match "install jffs2 /bin/true"
× File /etc/modprobe.d/dev-sec.conf content is expected to match "install hfs /bin/true"
expected nil to match "install hfs /bin/true"
× File /etc/modprobe.d/dev-sec.conf content is expected to match "install hfsplus /bin/true"
expected nil to match "install hfsplus /bin/true"
× File /etc/modprobe.d/dev-sec.conf content is expected to match "install squashfs /bin/true"
expected nil to match "install squashfs /bin/true"
× File /etc/modprobe.d/dev-sec.conf content is expected to match "install udf /bin/true"
expected nil to match "install udf /bin/true"
× File /etc/modprobe.d/dev-sec.conf content is expected to match "install vfat /bin/true"
expected nil to match "install vfat /bin/true"
✔ os-11: Protect log-directory
✔ File /var/log is expected to be directory
✔ File /var/log is expected to be owned by "root"
✔ File /var/log group is expected to match /^root|syslog$/
✔ package-01: Do not run deprecated inetd or xinetd
✔ System Package inetd is expected not to be installed
✔ System Package xinetd is expected not to be installed
✔ package-02: Do not install Telnet server
✔ System Package telnetd is expected not to be installed
✔ package-03: Do not install rsh server
✔ System Package rsh-server is expected not to be installed
✔ package-05: Do not install ypserv server (NIS)
✔ System Package ypserv is expected not to be installed
✔ package-06: Do not install tftp server
✔ System Package tftp-server is expected not to be installed
✔ package-07: Install syslog server package
✔ System Package rsyslog is expected to be installed
↺ package-08: Install auditd (1 failed) (1 skipped)
× System Package auditd is expected to be installed
expected that `System Package auditd` is installed
↺ Can't find file: /etc/audit/auditd.conf
✔ package-09: CIS: Additional process hardening
✔ System Package prelink is expected not to be installed
× sysctl-01: IPv4 Forwarding (2 failed)
× Kernel Parameter net.ipv4.ip_forward value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× Kernel Parameter net.ipv4.conf.all.forwarding value is expected to eq 0
expected: 0
got: 1
(compared using ==)
✔ sysctl-02: Reverse path filtering
✔ Kernel Parameter net.ipv4.conf.all.rp_filter value is expected to eq 1
✔ Kernel Parameter net.ipv4.conf.default.rp_filter value is expected to eq 1
✔ sysctl-03: ICMP ignore bogus error responses
✔ Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value is expected to eq 1
✔ sysctl-04: ICMP echo ignore broadcasts
✔ Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value is expected to eq 1
× sysctl-05: ICMP ratelimit
× Kernel Parameter net.ipv4.icmp_ratelimit value is expected to eq 100
expected: 100
got: 1000
(compared using ==)
× sysctl-06: ICMP ratemask
× Kernel Parameter net.ipv4.icmp_ratemask value is expected to eq 88089
expected: 88089
got: 6168
(compared using ==)
× sysctl-07: TCP timestamps
× Kernel Parameter net.ipv4.tcp_timestamps value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× sysctl-08: ARP ignore
× Kernel Parameter net.ipv4.conf.all.arp_ignore value is expected to eq 1
expected: 1
got: 0
(compared using ==)
× sysctl-09: ARP announce
× Kernel Parameter net.ipv4.conf.all.arp_announce value is expected to eq 2
expected: 2
got: 0
(compared using ==)
× sysctl-10: TCP RFC1337 Protect Against TCP Time-Wait
× Kernel Parameter net.ipv4.tcp_rfc1337 value is expected to eq 1
expected: 1
got: 0
(compared using ==)
✔ sysctl-11: Protection against SYN flood attacks
✔ Kernel Parameter net.ipv4.tcp_syncookies value is expected to eq 1
✔ sysctl-12: Shared Media IP Architecture
✔ Kernel Parameter net.ipv4.conf.all.shared_media value is expected to eq 1
✔ Kernel Parameter net.ipv4.conf.default.shared_media value is expected to eq 1
× sysctl-13: Disable Source Routing (1 failed)
✔ Kernel Parameter net.ipv4.conf.all.accept_source_route value is expected to eq 0
× Kernel Parameter net.ipv4.conf.default.accept_source_route value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× sysctl-14: Disable acceptance of all IPv4 redirected packets (1 failed)
× Kernel Parameter net.ipv4.conf.default.accept_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
✔ Kernel Parameter net.ipv4.conf.all.accept_redirects value is expected to eq 0
× sysctl-15: Disable acceptance of all secure redirected packets (2 failed)
× Kernel Parameter net.ipv4.conf.all.secure_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× Kernel Parameter net.ipv4.conf.default.secure_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× sysctl-16: Disable sending of redirects packets (2 failed)
× Kernel Parameter net.ipv4.conf.default.send_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× Kernel Parameter net.ipv4.conf.all.send_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× sysctl-17: Disable log martians (2 failed)
× Kernel Parameter net.ipv4.conf.all.log_martians value is expected to eq 1
expected: 1
got: 0
(compared using ==)
× Kernel Parameter net.ipv4.conf.default.log_martians value is expected to eq 1
expected: 1
got: 0
(compared using ==)
× sysctl-18: Disable IPv6 if it is not needed
× Kernel Parameter net.ipv6.conf.all.disable_ipv6 value is expected to eq 1
expected: 1
got: 0
(compared using ==)
✔ sysctl-19: IPv6 Forwarding
✔ Kernel Parameter net.ipv6.conf.all.forwarding value is expected to eq 0
× sysctl-20: Disable acceptance of all IPv6 redirected packets (2 failed)
× Kernel Parameter net.ipv6.conf.default.accept_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× Kernel Parameter net.ipv6.conf.all.accept_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× sysctl-21: Disable acceptance of IPv6 router solicitations messages
× Kernel Parameter net.ipv6.conf.default.router_solicitations value is expected to eq 0
expected: 0
got: "-1"
(compared using ==)
× sysctl-22: Disable Accept Router Preference from router advertisement
× Kernel Parameter net.ipv6.conf.default.accept_ra_rtr_pref value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× sysctl-23: Disable learning Prefix Information from router advertisement
× Kernel Parameter net.ipv6.conf.default.accept_ra_pinfo value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× sysctl-24: Disable learning Hop limit from router advertisement
× Kernel Parameter net.ipv6.conf.default.accept_ra_defrtr value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× sysctl-25: Disable the system`s acceptance of router advertisement (2 failed)
× Kernel Parameter net.ipv6.conf.all.accept_ra value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× Kernel Parameter net.ipv6.conf.default.accept_ra value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× sysctl-26: Disable IPv6 autoconfiguration
× Kernel Parameter net.ipv6.conf.default.autoconf value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× sysctl-27: Disable neighbor solicitations to send out per address
× Kernel Parameter net.ipv6.conf.default.dad_transmits value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× sysctl-28: Assign one global unicast IPv6 addresses to each interface
× Kernel Parameter net.ipv6.conf.default.max_addresses value is expected to eq 1
expected: 1
got: 16
(compared using ==)
✔ sysctl-29: Disable loading kernel modules
✔ Kernel Parameter kernel.modules_disabled value is expected to eq 0
× sysctl-30: Magic SysRq
× Kernel Parameter kernel.sysrq value is expected to eq 0
expected: 0
got: 176
(compared using ==)
✔ sysctl-31a: Secure Core Dumps - dump settings
✔ Kernel Parameter fs.suid_dumpable value is expected to cmp == /(0|2)/
✔ sysctl-31b: Secure Core Dumps - dump path
✔ Kernel Parameter kernel.core_pattern value is expected to match /^\|?\/.*/
✔ sysctl-32: kernel.randomize_va_space
✔ Kernel Parameter kernel.randomize_va_space value is expected to eq 2
✔ sysctl-33: CPU No execution Flag or Kernel ExecShield
✔ /proc/cpuinfo Flags should include NX

Profile Summary: 26 successful controls, 27 control failures, 1 control skipped
Test Summary: 68 successful, 42 failures, 2 skipped
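The dev-sec/linux-baseline run above ends with 27 failed controls, most of them sysctl settings where the CLI reporter prints the key, the expected value and the value it found. The following Ruby script is an added example, not code from this issue or from InSpec: it parses that text output, collects every failing `Kernel Parameter` test together with its enclosing control id, and renders the result as a sysctl.conf-style worklist, plus a parser for the `Profile Summary` line. The embedded input is a constructed excerpt of the run above, trimmed to four controls; the regexes target the line shapes visible in this output, not a documented format.

```ruby
# Added example: turn `inspec exec` text output into a sysctl remediation
# worklist. Not part of the issue or of InSpec; the sample output is a
# constructed excerpt of the linux-baseline run in the issue.

SysctlFinding = Struct.new(:control, :key, :expected, :got)

# "✔  sysctl-02: Reverse path filtering" -> control id (any status symbol)
CONTROL_LINE = /^\s*[✔×↺]\s+([\w.-]+):\s/
# "×  Kernel Parameter net.ipv4.ip_forward value is expected to eq 0"
KERNEL_FAIL  = /^\s*×\s+Kernel Parameter (\S+) value is expected to eq (\S+)/
# "got: 1" or "got: \"-1\"" (InSpec quotes values it kept as strings)
GOT_LINE     = /^\s*got:\s+"?([^"\s]+)"?/
SUMMARY_LINE = /Profile Summary: (\d+) successful controls?, (\d+) control failures?, (\d+) controls? skipped/

# Constructed excerpt of the dev-sec/linux-baseline output above.
SAMPLE_EXEC_OUTPUT = <<~TXT
  Profile: DevSec Linux Security Baseline (linux-baseline)
  Version: 2.4.0
  Target:  local://

    ✔  sysctl-02: Reverse path filtering
       ✔  Kernel Parameter net.ipv4.conf.all.rp_filter value is expected to eq 1
    ×  sysctl-01: IPv4 Forwarding (2 failed)
       ×  Kernel Parameter net.ipv4.ip_forward value is expected to eq 0
       expected: 0
            got: 1

       (compared using ==)
       ×  Kernel Parameter net.ipv4.conf.all.forwarding value is expected to eq 0
       expected: 0
            got: 1

       (compared using ==)
    ×  sysctl-21: Disable acceptance of IPv6 router solicitations messages
       ×  Kernel Parameter net.ipv6.conf.default.router_solicitations value is expected to eq 0
       expected: 0
            got: "-1"

       (compared using ==)
    ✔  sysctl-31a: Secure Core Dumps - dump settings
       ✔  Kernel Parameter fs.suid_dumpable value is expected to cmp == /(0|2)/

  Profile Summary: 26 successful controls, 27 control failures, 1 control skipped
  Test Summary: 68 successful, 42 failures, 2 skipped
TXT

# Walk the output once, remembering the current control id and the most
# recent failed kernel_parameter test until its "got:" line arrives.
def failing_sysctls(output)
  findings = []
  control = nil
  pending = nil
  output.each_line do |line|
    if (m = line.match(KERNEL_FAIL))
      pending = SysctlFinding.new(control, m[1], m[2], nil)
    elsif pending && (m = line.match(GOT_LINE))
      pending.got = m[1]
      findings << pending
      pending = nil
    elsif (m = line.match(CONTROL_LINE))
      control = m[1]
    end
  end
  findings
end

# One "key = expected" line per finding, annotated with the control id and
# the value observed on the target.
def sysctl_conf(findings)
  findings.map { |f| "# #{f.control}: observed #{f.got}\n#{f.key} = #{f.expected}\n" }.join
end

# Counts from the "Profile Summary:" line, or nil if there is none.
def parse_summary(output)
  m = output.match(SUMMARY_LINE)
  return nil unless m
  { successful: m[1].to_i, failures: m[2].to_i, skipped: m[3].to_i }
end

if __FILE__ == $PROGRAM_NAME
  # Usage: inspec exec ... | tee run.txt; ruby sysctl_findings.rb run.txt
  text = ARGV.empty? ? SAMPLE_EXEC_OUTPUT : File.read(ARGV[0])
  findings = failing_sysctls(text)
  puts sysctl_conf(findings)
  s = parse_summary(text)
  puts "# #{s[:failures]} of #{s[:successful] + s[:failures] + s[:skipped]} controls failed" if s
end
```

Two things to read off the result rather than apply blindly. The quoted `"-1"` for `net.ipv6.conf.default.router_solicitations` means the resource returned a string rather than an integer (InSpec's kernel_parameter only casts values matching `/^\d+$/`), so the profile compared text against a number and would fail on any negative value; the worklist line is still `... = 0`. And `net.ipv4.ip_forward = 1` is exactly what Docker turns on, which fits a test host that also ran `inspec exec` against a `docker://` target earlier in this issue; dropping that key to 0 on such a host breaks container networking, so the generated fragment is a review list for `/etc/sysctl.d/`, not something to copy in unread.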

@dheerajd-msys

inspec habitat profile create auditd

[2020-05-19T20:15:09+05:30] INFO: Creating a Habitat artifact for 'auditd'...
[2020-05-19T20:15:10+05:30] INFO: Generating Habitat plan at /tmp/d20200519-10970-faa0ja/habitat/plan.sh...
[sudo hab-studio] password for nirbhay: 
   hab-studio: Destroying Studio at /hab/studios/tmp--d20200519-10970-faa0ja ()
   hab-studio: Creating Studio at /hab/studios/tmp--d20200519-10970-faa0ja (default)
   hab-studio: Importing 'learn-chef' secret origin key
» Importing origin key from standard input
★ Imported secret origin key learn-chef-20200519141857.
   hab-studio: Importing 'learn-chef' public origin key
» Importing origin key from standard input
★ Imported public origin key learn-chef-20200519141857.
» Installing core/hab-backline/1.6.0/20200420201847
☛ Verifying core/hab-backline/1.6.0/20200420201847
↓ Downloading core-20180119235000 public origin key
☑ Cached core-20180119235000 public origin key
☛ Verifying core/acl/2.2.53/20190115012136
☛ Verifying core/attr/2.4.48/20190115012129
☛ Verifying core/bash/4.4.19/20190115012619
☛ Verifying core/binutils/2.31.1/20190115003743
☛ Verifying core/bzip2/1.0.6/20190115011950
☛ Verifying core/cacerts/2018.12.05/20190115014206
☛ Verifying core/coreutils/8.30/20190115012313
☛ Verifying core/diffutils/3.6/20190115013221
☛ Verifying core/file/5.34/20190115003731
☛ Verifying core/findutils/4.6.0/20190115013303
☛ Verifying core/gawk/4.2.1/20190115012752
☛ Verifying core/gcc-libs/8.2.0/20190115011926
☛ Verifying core/glibc/2.27/20190115002733

@dheerajd-msys

Everything above is tested on latest chef-workstation v20.5.41

chef -v
Chef Workstation version: 20.5.41
Chef Infra Client version: 16.1.0
Chef InSpec version: 4.18.114
Chef CLI version: 3.0.1
Test Kitchen version: 2.5.1
Cookstyle version: 6.4.4

@dheerajd-msys

Closing as everything works well !!

@jonsmorrow jonsmorrow added Epic and removed Aspect: Testing Does the project have good coverage, and is CI working? Status: Sustaining Backlog An issue ideal for the Sustaining Engineering team (or anyone else if they want to adopt it). labels Nov 2, 2020