SSL Certificate - InSpec Profile Compliance Profile

Description

A library InSpec compliance profile containing an ssl_certificate resource that lets you validate your SSL certificates for properties such as key size, hash algorithm, days before expiry, existence and trust. Unless you specify a path to the certificate file on the node, the ssl_certificate resource retrieves the certificate via an HTTPS request made from the machine where InSpec is executed.

The controls in the ./controls directory are samples that demonstrate how to use the ssl_certificate resource.

Requirements

Usage

  • Add this to your profile's inspec.yml to ensure a correct InSpec version and define the profile dependency:

```yaml
supports:
  - inspec: '~> 1.0'
depends:
  - name: ssl-certificate-profile
    git: https://github.com/alexpop/ssl-certificate-profile
    version: '~> 0.1'
```

Examples

  • Use the ssl_certificate resource in your profiles the same way you would use core InSpec resources such as file, service or command:

```ruby
# Verify the SSL certificate of a specific host and port
control 'CHECK github.com' do
  impact 0.7
  title "Verify github.com's SSL certificate"
  describe ssl_certificate(host: 'github.com', port: 443) do
    it { should exist }
    it { should be_trusted }
    its('ssl_error') { should eq nil }
    its('signature_algorithm') { should eq 'sha256WithRSAEncryption' }
    its('key_algorithm') { should eq 'RSA' }
    its('key_size') { should be >= 2048 }
    its('hash_algorithm') { should cmp /SHA(256|384|512)/ }
    its('expiration_days') { should be >= 30 }
  end
end

# Verify the SSL certificate using a full path on the target node
control 'CHECK cert using path' do
  impact 0.9
  title 'Verify SSL certificate from a path'
  describe file('/etc/httpd/ssl/cert.crt') do
    it { should exist }
  end
  describe ssl_certificate(path: '/etc/httpd/ssl/cert.crt') do
    it { should exist }
    its('key_size') { should be >= 2048 }
  end
end

# Verify the SSL certificate of the InSpec target itself (host defaults to the target).
# Control IDs must be unique within a profile, so this one is not named 'CHECK github.com'.
control 'CHECK target' do
  impact 0.7
  title "Verify target's SSL certificate"
  describe ssl_certificate(port: 443) do
    it { should exist }
    its('key_size') { should be >= 2048 }
  end
end
```

ssl_certificate resource parameters

| Name | Required | Type | Description |
| --- | --- | --- | --- |
| path | no | String | Path to a certificate file on the target node. When set, no HTTPS request is made and the parameters below are ignored. |
| host | no | String | Resolvable hostname or IP address for the HTTPS request used to retrieve the certificate. Defaults to the InSpec target host. |
| port | no | Numeric | Port for the HTTPS request. Defaults to 443. |
| timeout | no | Numeric | Number of seconds to wait for the connection to open. Defaults to 60. |

Examples of instantiating the resource with a Hash of the above parameters:

```ruby
describe ssl_certificate(version: '2016-06-30', timeout: 3, curl_path: '/usr/bin/curl') do
  it { should exist }
end
```

or via the path parameter:

```ruby
describe ssl_certificate(path: '/etc/httpd/ssl/cert.crt') do
  its('key_size') { should be >= 2048 }
end
```
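As an added illustration that is not part of this profile, the Ruby snippet below shows how the properties the sample controls assert on (key_algorithm, key_size, signature_algorithm, hash_algorithm, expiration_days) can be derived from an X.509 certificate with Ruby's OpenSSL bindings, and applies the same thresholds as the first sample control to a constructed self-signed certificate. The helper names (cert_properties, policy_findings, make_test_cert) are hypothetical and do not mirror the resource's internals.

```ruby
require 'openssl'

# Derive the certificate properties the ssl_certificate resource exposes
# from an OpenSSL::X509::Certificate (hypothetical helper, not the profile's code).
def cert_properties(cert, now = Time.now)
  key = cert.public_key
  key_algorithm, key_size =
    case key
    when OpenSSL::PKey::RSA then ['RSA', key.n.num_bits]
    when OpenSSL::PKey::EC  then ['EC', key.group.degree]
    else [key.class.name.split('::').last, nil]
    end
  sig = cert.signature_algorithm                  # e.g. "sha256WithRSAEncryption"
  hash = sig[/\A(sha\d+|md5)/i]&.upcase           # e.g. "SHA256"
  {
    key_algorithm: key_algorithm,
    key_size: key_size,
    signature_algorithm: sig,
    hash_algorithm: hash,
    expiration_days: ((cert.not_after - now) / 86_400).floor
  }
end

# Same policy as the 'CHECK github.com' control: RSA key of at least 2048 bits,
# a SHA-2 signature hash, and at least 30 days left before expiry.
def policy_findings(props, min_key_bits: 2048, min_days: 30)
  findings = []
  findings << "key_size #{props[:key_size]} < #{min_key_bits}" if props[:key_size].to_i < min_key_bits
  findings << "weak hash #{props[:hash_algorithm]}" unless props[:hash_algorithm].to_s.match?(/\ASHA(256|384|512)\z/)
  findings << "expires in #{props[:expiration_days]} days" if props[:expiration_days] < min_days
  findings
end

# Constructed self-signed test certificate; CN example.test is a placeholder, not a real site.
def make_test_cert(bits:, digest:, valid_days:, now: Time.at(Time.now.to_i))
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example.test')
  cert.public_key = key.public_key
  cert.not_before = now
  cert.not_after = now + valid_days * 86_400
  cert.sign(key, OpenSSL::Digest.new(digest))
  cert
end
```

Running cert_properties against a certificate fetched from a live endpoint is a quick way to confirm an expected signature_algorithm string before encoding it in a control.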

License and Author

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.