AWS Testing Suite
January 5, 2024
AWS Testing Setup
- Configure your AWS CLI and set up your AWS Credentials.
- Test your AWS CLI access by running:
  aws s3 ls
- Clone the repository.
- Navigate to the profile repository root directory.
- Set the environment variable for the kitchen configuration file:
  export KITCHEN_LOCAL_YAML=kitchen.ec2.yml
  - This uses the kitchen-ec2 driver.
- (Optional) Set a specific control to run:
  export INSPEC_CONTROL='SV-230222'
Running Through the AWS Test Suite
- List the kitchen instances with:
  bundle exec kitchen list
  You should see something like this:
Instance         Driver  Provisioner      Verifier  Transport  Last Action  Last Error
vanilla-rhel-8   Ec2     AnsiblePlaybook  Inspec    Ssh        Verified     None
hardened-rhel-8  Ec2     AnsiblePlaybook  Inspec    Ssh        Verified     None
- Create a kitchen instance:
  bundle exec kitchen create vanilla
➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen create vanilla
-----> Starting Test Kitchen (v3.5.1)
-----> Creating <vanilla-rhel-8>...
< OTHER OUTPUT >
Finished creating <vanilla-rhel-8> (0m0.00s).
-----> Test Kitchen is finished. (0m1.21s)
- Converge the kitchen instance:
  bundle exec kitchen converge
➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen converge vanilla
-----> Starting Test Kitchen (v3.5.1)
NOTICE - Installing needed packages
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
39 files removed
< LOTS OF OTHER OUTPUT >
Downloading files from <vanilla-rhel-8>
Finished converging <vanilla-rhel-8> (0m21.36s).
-----> Test Kitchen is finished. (1m13.52s)
- Run InSpec on the kitchen instance:
  bundle exec kitchen verify
➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen verify vanilla
-----> Starting Test Kitchen (v3.5.1)
-----> Setting up <vanilla-rhel-8>...
Finished setting up <vanilla-rhel-8> (0m0.00s).
-----> Verifying <vanilla-rhel-8>...
Loaded redhat-enterprise-linux-8-stig-baseline
Could not determine patch status.
Profile: redhat-enterprise-linux-8-stig-baseline (redhat-enterprise-linux-8-stig-baseline)
Version: 1.12.0
Target: ssh://ec2-user@34.229.216.179:22
Target ID: 4c62a305-69eb-5ed6-9ee7-723cdc21c578
✔ SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
✔ List of out-of-date packages is expected to be empty
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 1 successful, 0 failures, 0 skipped
Finished verifying <vanilla-rhel-8> (0m5.38s).
-----> Test Kitchen is finished. (0m6.62s)
- Destroy the kitchen instance:
  bundle exec kitchen destroy vanilla
- For steps that apply to making updates and patches to the profile, see the next section, Updating the Profile.
- Your InSpec scan results are located in the ./spec/results/ directory, named ./spec/results/rhel-8_*
- Use Heimdall Lite to load both the hardened and vanilla results to ensure your changes and updates "failed as expected and passed as expected and covered your corner cases."
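
A scripted version of the same hardened-versus-vanilla comparison, as an added example that is not part of the original page or the profile's repository. It assumes the result files are InSpec JSON reporter output; the sample reports and the SV-EXAMPLE-* control IDs are constructed, and the function names are hypothetical.

```ruby
require 'json'

# Collapse one InSpec JSON report into { control_id => status }: 'failed' if any
# result failed, 'passed' if one passed and none failed, otherwise 'skipped'.
def control_statuses(report)
  report.fetch('profiles', []).each_with_object({}) do |profile, acc|
    profile.fetch('controls', []).each do |control|
      states = control.fetch('results', []).map { |r| r['status'] }
      acc[control['id']] =
        if states.include?('failed') then 'failed'
        elsif states.include?('passed') then 'passed'
        else 'skipped'
        end
    end
  end
end

# Group control IDs by "vanilla status -> hardened status" so each transition
# can be checked against what you expected; 'missing' = absent from that run.
def compare_runs(vanilla, hardened)
  v = control_statuses(vanilla)
  h = control_statuses(hardened)
  (v.keys | h.keys).sort.group_by do |id|
    "#{v.fetch(id, 'missing')} -> #{h.fetch(id, 'missing')}"
  end
end

# Constructed sample reports (not real scan output), assumed reporter shape.
VANILLA_JSON = <<~REPORT
  {"profiles":[{"controls":[
    {"id":"SV-230222","results":[{"status":"passed"}]},
    {"id":"SV-EXAMPLE-A","results":[{"status":"passed"},{"status":"failed"}]},
    {"id":"SV-EXAMPLE-B","results":[{"status":"failed"}]}
  ]}]}
REPORT
HARDENED_JSON = <<~REPORT
  {"profiles":[{"controls":[
    {"id":"SV-230222","results":[{"status":"passed"}]},
    {"id":"SV-EXAMPLE-A","results":[{"status":"passed"}]},
    {"id":"SV-EXAMPLE-B","results":[{"status":"skipped"}]}
  ]}]}
REPORT

if __FILE__ == $PROGRAM_NAME
  # Two file paths on the command line override the embedded samples.
  texts = ARGV.size == 2 ? ARGV.map { |path| File.read(path) } : [VANILLA_JSON, HARDENED_JSON]
  compare_runs(*texts.map { |t| JSON.parse(t) }).each do |change, ids|
    puts "#{change}: #{ids.join(', ')}"
  end
end
```

Pass two report paths as arguments to compare real results instead of the embedded samples.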