Chef InSpec: Inspect Your Infrastructure

• Project State: Active
• Issues Response SLA: 14 business days
• Pull Request Response SLA: 14 business days

For more information on project states and SLAs, see this documentation.

Chef InSpec is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.

# Disallow insecure protocols by testing

describe package('telnetd') do
  it { should_not be_installed }
end

describe inetd_conf do
  its("telnet") { should eq nil }
end

Chef InSpec makes it easy to run your tests wherever you need. More options are found in our CLI docs.

# run test locally
inspec exec test.rb

# run test on remote host via SSH
inspec exec test.rb -t ssh://user@hostname -i /path/to/key

# run test on remote host using SSH agent private key authentication. Requires Chef InSpec 1.7.1
inspec exec test.rb -t ssh://user@hostname

# run test on remote windows host via WinRM
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'

# run test on remote windows host via WinRM as a domain user
inspec exec test.rb -t winrm://windowshost --user 'UserName@domain' --password 'your-password'

# run test on docker container
inspec exec test.rb -t docker://container_id

Features

• Built-in Compliance: Compliance no longer occurs at the end of the release cycle
• Targeted Tests: Chef InSpec writes tests that specifically target compliance issues
• Metadata: Includes the metadata required by security and compliance pros
• Easy Testing: Includes a command-line interface to run tests quickly

Installation

Chef InSpec requires Ruby ( >= 3.1.0 ).

All currently supported versions of Chef InSpec (5.0 and later) require accepting the EULA to use. Please visit the license acceptance page on the Chef docs site for more information.

Install as package

The Chef InSpec package is available for MacOS, RedHat, Ubuntu and Windows. Download the latest package at Chef InSpec Downloads or install Chef InSpec via script:

# RedHat, Ubuntu, and macOS
curl https://chefdownload-commercial.chef.io/install.sh?license_id=<LICENSE_ID> | sudo bash -s -- -P inspec

# Windows
. { iwr -useb https://chefdownload-commercial.chef.io/install.ps1?license_id=<LICENSE_ID> } | iex; install -project inspec

Replace <LICENSE_ID> with your license ID.

For more information about the install scripts, see the Chef Install Script documentation.

Install it via rubygems.org

Installing Chef InSpec from source may require installing ruby build tools to manage gem dependencies. (A compiler-free variant is available with reduced functionality; use inspec-core-bin and inspec-core.)

To install build tools, use your package manager.

For CentOS/RedHat/Fedora:

yum -y install ruby ruby-devel make gcc gcc-c++

For Ubuntu:

apt-get -y install ruby ruby-dev gcc g++ make

To install the inspec executable, which requires accepting the Chef License, run:

gem install inspec-bin

You may also use inspec as a library, with no executable. This does not require accepting the license. To install the library as a gem, run:

gem install inspec

Usage via Docker

Download the image and define a function for convenience:

For Linux:

docker pull chef/inspec
function inspec { docker run -it --rm -v $(pwd):/share chef/inspec "$@"; }

For Windows (PowerShell):

docker pull chef/inspec
function inspec { docker run -it --rm -v "$(pwd):/share" chef/inspec $args; }

If you call inspec from your shell, it automatically mounts the current directory into the Docker container. Therefore you can easily use local tests and key files. Note: Only files in the current directory and sub-directories are available within the container.

$ ls -1
vagrant
test.rb

$ inspec exec test.rb -t ssh://root@192.168.64.2:11022 -i vagrant
..

Finished in 0.04321 seconds (files took 0.54917 seconds to load)
2 examples, 0 failures

To scan the docker containers running on the host using the containerized InSpec, we need to bind-mount the Unix socket /var/run/docker.sock from the host machine to the InSpec Container.

docker pull chef/inspec
function inspec { docker run -it --rm -v $(pwd):/share -v /var/run/docker.sock:/var/run/docker.sock chef/inspec "$@"; }

/var/run/docker.sock is the Unix socket the Docker daemon listens on by default.

Install it from source

Note that installing from OS packages from the download page is the preferred method.

That requires bundler:

bundle install
bundle exec inspec help

To install it as a gem locally, run:

gem build inspec.gemspec
gem install inspec-*.gem

On Windows, you need to install Ruby with Ruby Development Kit to build dependencies with its native extensions.

Install via Chef Habitat

Currently, this method of installation only supports Linux. See the Chef Habitat site for more information.

Download the hab binary from the Chef Habitat site.

hab pkg install chef/inspec --binlink

inspec

Run Chef InSpec

You should now be able to run:

$ inspec --help
Commands:
  inspec archive PATH                                       # archive a profile to tar.gz (default) ...
  inspec check PATH                                         # verify all tests at the specified PATH
  inspec automate SUBCOMMAND ...                            # Chef Automate commands
  inspec compliance SUBCOMMAND ...                          # Chef Automate commands (backwards compatible alias)
  inspec detect                                             # detect the target OS
  inspec exec PATH(S)                                       # run all test files at the specified PATH.
  inspec help [COMMAND]                                     # Describe available commands or one spe...
  inspec init TEMPLATE ...                                  # Scaffolds a new project
  inspec json PATH                                          # read all tests in PATH and generate a ...
  inspec shell                                              # open an interactive debugging shell
  inspec supermarket SUBCOMMAND ...                         # Supermarket commands
  inspec version                                            # prints the version of this tool

Options:
  [--diagnose], [--no-diagnose]  # Show diagnostics (versions, configurations)

Examples

• Only accept requests on secure ports - This test ensures that a web server is only listening on well-secured ports.

describe port(80) do
  it { should_not be_listening }
end

describe port(443) do
  it { should be_listening }
  its('protocols') {should include 'tcp'}
end

• Test your kitchen.yml file to verify that only Vagrant is configured as the driver. The %w() formatting will pass rubocop linting and allow you to access nested mappings.

describe yaml('.kitchen.yml') do
  its(%w(driver name)) { should eq('vagrant') }
end

Also have a look at our examples for:

• Using Chef InSpec with Test Kitchen & Chef Infra
• Using Chef InSpec with Test Kitchen & Puppet
• Using Chef InSpec with Test Kitchen & Ansible
• Implementing an Chef InSpec profile

Or tests: Testing for a OR b

• Using describe.one, you can test for a or b. The control will be marked as passing if EITHER condition is met.

control 'or-test' do
  impact 1.0
  title 'This is a OR test'
  describe.one do
    describe ssh_config do
      its('Protocol') { should eq('3') }
    end
    describe ssh_config do
      its('Protocol') { should eq('2') }
    end
  end
end

Command Line Usage

exec

Run tests against different targets:

# run test locally
inspec exec test.rb

# run test on remote host on SSH
inspec exec test.rb -t ssh://user@hostname

# run test on remote windows host on WinRM
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'

# run test on docker container
inspec exec test.rb -t docker://container_id

# run test on podman container
inspec exec test.rb -t podman://container_id --podman-url "unix:///run/user/1000/podman/podman.sock"

# run with sudo
inspec exec test.rb --sudo [--sudo-password ...] [--sudo-options ...] [--sudo_command ...]

# run in a subshell
inspec exec test.rb --shell [--shell-options ...] [--shell-command ...]

# run a profile targeting AWS using env vars
inspec exec test.rb -t aws://

# or store your AWS credentials in your ~/.aws/credentials profiles file
inspec exec test.rb -t aws://us-east-2/my-profile

# run a profile targeting Azure using env vars
inspec exec test.rb -t azure://

# or store your Azure credentials in your ~/.azure/credentials profiles