Last active
October 13, 2020 15:50
-
-
Save caylorme/1db0ed3532af23d3c87bf57b957473a7 to your computer and use it in GitHub Desktop.
Automated Compliance with InSpec and Systems Manager in AWS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| control 'cis-dil-benchmark-4.2.1.1' do | |
| title 'Ensure rsyslog Service is enabled' | |
| desc "Once the rsyslog package is installed it needs to be activated.\n\nRationale: If the rsyslog service is not activated the system may default to the syslogd service or lack logging instead." | |
| impact 1.0 | |
| tag cis: 'distribution-independent-linux:4.2.1.1' | |
| tag level: 1 | |
| only_if do | |
| package('rsyslog').installed? || command('rsyslogd').exist? | |
| end | |
| describe service('rsyslog') do | |
| it { should be_enabled } | |
| it { should be_running } | |
| end | |
| end |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| aws ssm create-association \ | |
| --association-name "CISLinuxCLI" \ | |
| --name "AWS-RunInspecChecks" \ | |
| --parameters 'sourceType=[GitHub],sourceInfo=[{"owner":\"dev-sec\",\"repository\":\"cis-dil-benchmark\",\"path\": \"\",\"getOptions\" : \"branch:master\"}"]' \ | |
| --targets '[{"Key":"tag:Compliance","Values":["InSpec"]},{"Key":"tag:OS","Values":["Linux"]}]' \ | |
| --schedule-expression "rate(1 day)" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| aws ssm describe-association-execution-targets --association-id f34a2976-1c57-423a-9e80-8f1994056c15 --execution-id 46d0263d-3524-44d4-90cd-960096c03442 | |
| AssociationExecutionTargets: | |
| - AssociationId: f34a2976-1c57-423a-9e80-8f1994056c15 | |
| AssociationVersion: '1' | |
| DetailedStatus: Success | |
| ExecutionId: 46d0263d-3524-44d4-90cd-960096c03442 | |
| LastExecutionDate: '2020-10-07T01:17:56.671000-04:00' | |
| OutputSource: | |
| OutputSourceId: ce3440af-8719-4cbf-bc67-c221f20b0c56 | |
| OutputSourceType: RunCommand | |
| ResourceId: i-0f09e901f085a9246 | |
| ResourceType: ManagedInstance | |
| Status: Success |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| aws ssm describe-association-executions --association-id f34a2976-1c57-423a-9e80-8f1994056c15 --format yaml | |
| AssociationExecutions: | |
| - AssociationId: f34a2976-1c57-423a-9e80-8f1994056c15 | |
| AssociationVersion: '1' | |
| CreatedTime: '2020-10-07T01:17:06.776000-04:00' | |
| DetailedStatus: Success | |
| ExecutionId: 46d0263d-3524-44d4-90cd-960096c03442 | |
| ResourceCountByStatus: '{Success=1}' | |
| Status: Success |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| aws ssm describe-association --association-id f34a2976-1c57-423a-9e80-8f1994056c15 --format yaml | |
| AssociationDescription: | |
| ApplyOnlyAtCronInterval: false | |
| AssociationId: f34a2976-1c57-423a-9e80-8f1994056c15 | |
| AssociationName: CISLinuxCLI | |
| AssociationVersion: '1' | |
| Date: '2020-10-07T01:17:06.693000-04:00' | |
| DocumentVersion: $DEFAULT | |
| LastExecutionDate: '2020-10-07T01:17:56.671000-04:00' | |
| LastSuccessfulExecutionDate: '2020-10-07T01:17:56.671000-04:00' | |
| LastUpdateAssociationDate: '2020-10-07T01:17:06.693000-04:00' | |
| Name: AWS-RunInspecChecks | |
| Overview: | |
| AssociationStatusAggregatedCount: | |
| Success: 1 | |
| DetailedStatus: Success | |
| Status: Success | |
| Parameters: | |
| sourceInfo: | |
| - '{"owner":"dev-sec","repository":"cis-dil-benchmark","path":"","getOptions":"branch:master"}' | |
| sourceType: | |
| - GitHub | |
| ScheduleExpression: rate(1 day) | |
| Targets: | |
| - Key: tag:Compliance | |
| Values: | |
| - InSpec | |
| - Key: tag:OS | |
| Values: | |
| - Linux |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # use this command to get an overview of the command | |
| aws ssm list-commands --command-id ${COMMAND_ID} | |
| # use this command to get list of invocations per instance | |
| aws ssm list-command-invocations --command-id ${COMMAND_ID} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| aws ssm list-compliance-items --resource-ids "i-0f09e901f085a9246" --resource-types "ManagedInstance" --filters "Key=ComplianceType,Values=Custom:InSpec,Type=EQUAL" "Key=Severity,Values=CRITICAL,Type=EQUAL" "Key=Status,Values=NON_COMPLIANT,Type=EQUAL" --max-items 5 --format yaml | |
| ComplianceItems: | |
| - ComplianceType: Custom:InSpec | |
| Details: {} | |
| ExecutionSummary: | |
| ExecutionId: ce3440af-8719-4cbf-bc67-c221f20b0c56 | |
| ExecutionTime: '2020-10-07T01:17:51-04:00' | |
| ExecutionType: Command | |
| Id: cis-dil-benchmark-1.1.1.1-1 | |
| ResourceId: i-0f09e901f085a9246 | |
| ResourceType: ManagedInstance | |
| Severity: CRITICAL | |
| Status: NON_COMPLIANT | |
| Title: 'Ensure mounting of cramfs filesystems is disabled : Kernel Module cramfs | |
| is expected to be disabled' | |
| - ComplianceType: Custom:InSpec | |
| Details: {} | |
| ExecutionSummary: | |
| ExecutionId: ce3440af-8719-4cbf-bc67-c221f20b0c56 | |
| ExecutionTime: '2020-10-07T01:17:51-04:00' | |
| ExecutionType: Command | |
| Id: cis-dil-benchmark-1.1.1.2-3 | |
| ResourceId: i-0f09e901f085a9246 | |
| ResourceType: ManagedInstance | |
| Severity: CRITICAL | |
| Status: NON_COMPLIANT | |
| Title: 'Ensure mounting of freevxfs filesystems is disabled : Kernel Module freevxfs | |
| is expected to be disabled' | |
| - ComplianceType: Custom:InSpec | |
| Details: {} | |
| ExecutionSummary: | |
| ExecutionId: ce3440af-8719-4cbf-bc67-c221f20b0c56 | |
| ExecutionTime: '2020-10-07T01:17:51-04:00' | |
| ExecutionType: Command | |
| Id: cis-dil-benchmark-1.1.1.3-5 | |
| ResourceId: i-0f09e901f085a9246 | |
| ResourceType: ManagedInstance | |
| Severity: CRITICAL | |
| Status: NON_COMPLIANT | |
| Title: 'Ensure mounting of jffs2 filesystems is disabled : Kernel Module jffs2 is | |
| expected to be disabled' | |
| - ComplianceType: Custom:InSpec | |
| Details: {} | |
| ExecutionSummary: | |
| ExecutionId: ce3440af-8719-4cbf-bc67-c221f20b0c56 | |
| ExecutionTime: '2020-10-07T01:17:51-04:00' | |
| ExecutionType: Command | |
| Id: cis-dil-benchmark-1.1.1.4-7 | |
| ResourceId: i-0f09e901f085a9246 | |
| ResourceType: ManagedInstance | |
| Severity: CRITICAL | |
| Status: NON_COMPLIANT | |
| Title: 'Ensure mounting of hfs filesystems is disabled : Kernel Module hfs is expected | |
| to be disabled' | |
| - ComplianceType: Custom:InSpec | |
| Details: {} | |
| ExecutionSummary: | |
| ExecutionId: ce3440af-8719-4cbf-bc67-c221f20b0c56 | |
| ExecutionTime: '2020-10-07T01:17:51-04:00' | |
| ExecutionType: Command | |
| Id: cis-dil-benchmark-1.1.1.5-9 | |
| ResourceId: i-0f09e901f085a9246 | |
| ResourceType: ManagedInstance | |
| Severity: CRITICAL | |
| Status: NON_COMPLIANT | |
| Title: 'Ensure mounting of hfsplus filesystems is disabled : Kernel Module hfsplus | |
| is expected to be disabled' | |
| NextToken: eyJOZXh0VG9rZW4iOiBudWxsLCAiYm90b190cnVuY2F0ZV9hbW91bnQiOiA1fQ== |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| aws ssm send-command \ | |
| --document-name "AWS-RunInspecChecks" | |
| --document-version "1" \ | |
| --targets Key=tag:Env,Values=Dev Key=tag:Role,Values=WebServers | |
| --parameters '{"sourceType":["GitHub"],"sourceInfo":["{\"owner\":\"awslabs\",\"repository\":\"amazon-ssm\",\"path\":\"Compliance/InSpec/PortCheck\",\"getOptions\":\"branch:master\"}"]}' \ | |
| --timeout-seconds 600 \ | |
| --max-concurrency "50" \ | |
| --max-errors "0" \ | |
| --region us-east-1 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: "2010-09-09" | |
| Description: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-association.html | |
| Parameters: | |
| InspecChecksBucketName: | |
| Description: The name of the S3 Bucket this template will create for storing Association Outputs | |
| Type: String | |
| Resources: | |
| InSpecAssociationWindows: | |
| Type: AWS::SSM::Association | |
| Properties: | |
| AssociationName: CISBenchmarkWindows | |
| AutomationTargetParameterName: InstanceId | |
| ComplianceSeverity: HIGH | |
| DocumentVersion: '$LATEST' | |
| MaxConcurrency: '100%' | |
| MaxErrors: '0' | |
| Name: AWS-RunInspecChecks | |
| OutputLocation: | |
| S3Location: | |
| OutputS3BucketName: !Ref InspecChecksBucket | |
| OutputS3KeyPrefix: "Windows/" | |
| Parameters: | |
| sourceType: | |
| - 'GitHub' | |
| sourceInfo: | |
| - '{"owner":"dev-sec","repository":"windows-baseline","path":"","getOptions":"branch:master"}' | |
| ScheduleExpression: rate(24 hours) | |
| SyncCompliance: AUTO | |
| Targets: | |
| - Key: tag:OS | |
| Values: | |
| - Windows | |
| - Key: tag:Compliance | |
| Values: | |
| - InSpec | |
| #WaitForSuccessTimeoutSeconds: Integer | |
| InSpecAssociationLinux: | |
| Type: AWS::SSM::Association | |
| Properties: | |
| AssociationName: CISBenchmarkLinux | |
| AutomationTargetParameterName: InstanceId | |
| ComplianceSeverity: HIGH | |
| DocumentVersion: '$LATEST' | |
| MaxConcurrency: '100%' | |
| MaxErrors: '0' | |
| Name: AWS-RunInspecChecks | |
| OutputLocation: | |
| S3Location: | |
| OutputS3BucketName: !Ref InspecChecksBucket | |
| OutputS3KeyPrefix: "Windows/" | |
| Parameters: | |
| sourceType: | |
| - GitHub | |
| sourceInfo: | |
| - '{"owner":"dev-sec","repository":"cis-dil-benchmark","path":"","getOptions":"branch:master"}' | |
| ScheduleExpression: rate(24 hours) | |
| SyncCompliance: AUTO | |
| Targets: | |
| - Key: tag:OS | |
| Values: | |
| - Linux | |
| - Key: tag:Compliance | |
| Values: | |
| - InSpec | |
| #WaitForSuccessTimeoutSeconds: Integer | |
| InspecChecksBucket: | |
| Type: AWS::S3::Bucket | |
| DeletionPolicy: Delete | |
| Properties: | |
| BucketName: !Ref InspecChecksBucketName | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment