Skip to main content

AWS Testing Suite

Aaron LippoldJanuary 5, 2024About 2 min

AWS Testing Setup

  1. Configure your AWS CLI and set up your AWS Credentials.
  2. Test your AWS CLI access by running: aws s3 ls.
  3. Clone the repository.
  4. Navigate to the profile repository root directory.
  5. Set the environment variable for the kitchen configuration file: export KITCHEN_LOCAL_YAML=kitchen.ec2.yml.
  6. This uses the kitchen-ec2 driver.
  7. (Optional) Set a specific control to run: export INSPEC_CONTROL='SV-230222'.

Running Through the AWS Test Suite

  1. List the kitchen instances with: bundle exec kitchen list. You should see something like this:
  Instance         Driver  Provisioner      Verifier  Transport  Last Action  Last Error
  vanilla-rhel-8   Ec2     AnsiblePlaybook  Inspec    Ssh        Verified     None
  hardened-rhel-8  Ec2     AnsiblePlaybook  Inspec    Ssh        Verified     None
  1. Create a kitchen instance: bundle exec kitchen create vanilla.
➜  redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen create vanilla
-----> Starting Test Kitchen (v3.5.1)
-----> Creating <vanilla-rhel-8>...
    < OTHER OUTPUT >
    Finished creating <vanilla-rhel-8> (0m0.00s).
-----> Test Kitchen is finished. (0m1.21s)
  1. Converge the kitchen instance: bundle exec kitchen converge.
➜  redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen converge vanilla
-----> Starting Test Kitchen (v3.5.1)
      NOTICE - Installing needed packages
      Updating Subscription Management repositories.
      Unable to read consumer identity

      This system is not registered with an entitlement server. You can use subscription-manager to register.

      39 files removed
      < LOTS OF OTHER OUTPUT >
      Downloading files from <vanilla-rhel-8>
      Finished converging <vanilla-rhel-8> (0m21.36s).
-----> Test Kitchen is finished. (1m13.52s)
  1. Run InSpec on the kitchen instance: bundle exec kitchen verify.
    ➜  redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen verify vanilla
  -----> Starting Test Kitchen (v3.5.1)
  -----> Setting up <vanilla-rhel-8>...
        Finished setting up <vanilla-rhel-8> (0m0.00s).
  -----> Verifying <vanilla-rhel-8>...
        Loaded redhat-enterprise-linux-8-stig-baseline
  Could not determine patch status.
  Profile:   redhat-enterprise-linux-8-stig-baseline (redhat-enterprise-linux-8-stig-baseline)
  Version:   1.12.0
  Target:    ssh://ec2-user@34.229.216.179:22
  Target ID: 4c62a305-69eb-5ed6-9ee7-723cdc21c578

    ✔  SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
      ✔  List of out-of-date packages is expected to be empty
  Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
  Test Summary: 1 successful, 0 failures, 0 skipped
        Finished verifying <vanilla-rhel-8> (0m5.38s).
  -----> Test Kitchen is finished. (0m6.62s)
  1. Destroy the kitchen instance: bundle exec kitchen destroy vanilla.
  2. For steps that apply to making updates, patches, and updates to the profile, see the next section, Updating the Profile.
  3. Your InSpec scan results are located in the ./spec/results/ directory, named ./spec/results/rhel-8_*.
  4. Use Heimdall Lite to load both the hardened and vanilla results to ensure your changes and updates, "failed as expected and passed as expected and covered your courner cases."
Apache-2.0 | Copyright © 2022 - The MITRE Corporation
Copyright © 2024 Aaron Lippold