Dan Munro - Dev-Sec-Ops Engineer   About

Infrastructure Validation And Auditing

There are many reasons why infrastructure and security validation checks are manual. Maybe the reliability of infrastructure provisioning is trusted; ops and dev teams are overloaded with work already; the perception that a manual check provides equivalent value to an automated check.

It’s possible these assumptions are wrong.

Infrastructure and security checks, automated into a CI/CD pipeline, provide immense value. Benefits include internal and external audit compliance, CVE auditing, saving time and sanity – the list goes on. High visibility failures in turn lead to fast fixes.

Testing Tools

There are a few options for infrastructure testing tools.

ServerSpec - With strong community support and a good reputation, ServerSpec is a solid option. Tests are in ruby and utilize RSpec. Example:

require 'spec_helper'

describe package('httpd'), :if => os[:family] == 'redhat' do
  it { should be_installed }

InSpec - Emphasizes compliance, policy requirements, and provisioning validation. InSpec is an expressive testing library built on ServerSpec, so it’s ruby as well. Example:

control 'sshd-21' do
  title 'Set SSH Protocol to 2'
  desc 'A detailed description'
  impact 1.0 # This is critical ref 'compliance guide, section 2.1'
  describe sshd_config do
   its('Protocol') { should cmp 2 }

test_infra - Focused on provisioning tool validation, test_infra aims to be a port of ServerSpec to python. Example:

def test_passwd_file(host):
  passwd = host.file("/etc/passwd")
  assert passwd.contains("root")
  assert passwd.user == "root"
  assert passwd.group == "root"
  assert passwd.mode == 0o644

Here is a small demo I put together, bolting test_infra tests onto a docker-compose flask + redis example app.

Written on August 15, 2018