mitre · aaronlippold · Dec 20, 2023 · Nov 9, 2023 · Nov 9, 2023 · Nov 9, 2023
diff --git a/.github/workflows/verify-ec2-other.yml b/.github/workflows/verify-ec2-other.yml
@@ -0,0 +1,98 @@
+---
+name: CIS AWS Foundations v2.0.0 - Other
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  my-job:
+    name: Validate the CIS AWS Benchmark v2.0
+    runs-on: ubuntu-latest
+    env:
+      CHEF_LICENSE: accept-silent
+      CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
+      RESULTS_FILE: other_inspec_results.json
+      PROFILE_FILE: profile.json
+      INPUT_FILE: other.inputs.yml
+      THRESHOLD_FILE: other.threshold.yml
+      AWS_REGION: ${{ secrets.OTHER_AWS_REGION }}
+      HEIMDALL_URL: https://heimdall-demo.mitre.org
+    steps:
+      - name: add needed packages
+        run: sudo apt-get install -y jq curl 
+
+      - name: Configure AWS credentials
+        env:
+          AWS_REGION: ${{ secrets.OTHER_AWS_REGION }}
+          #AWS_SUBNET_ID: ${{ secrets.SAF_AWS_SUBNET_ID }}
+
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.OTHER_AWS_ACCESS_KEY }}
+          aws-secret-access-key: ${{ secrets.OTHER_AWS_SECRET }}
+          aws-region: ${{ secrets.OTHER_AWS_REGION }}
+          audience: https://sts.${{ secrets.OTHER_AWS_REGION }}.amazonaws.com
+
+      - name: Check out repository
+        uses: actions/checkout@v3
+
+      - name: Clone full repository so we can push
+        run: git fetch --prune --unshallow
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          calculatedSha=$(git rev-parse --short ${{ github.sha }})
+          echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
+
+      - name: Confirm git commit SHA output
+        run: echo ${{ env.COMMIT_SHORT_SHA }}
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.1"
+
+      - name: Disable ri and rdoc
+        run: 'echo "gem: --no-document" >> ~/.gemrc'
+
+      - name: Bundle Install
+        run: bundle install
+
+      - name: Installed Inspec
+        run: bundle exec inspec version
+
+      - name: Vendor the InSpec Profile
+        run: bundle exec inspec vendor --overwrite
+
+      - name: Lint the Inspec profile
+        run: bundle exec inspec check .
+
+      - name: Run the Profile
+        run: |
+          bundle exec inspec exec . --target aws:// --input-file=${{ env.INPUT_FILE }} --reporter cli json:${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} --enhanced-outcomes --filter-empty-profiles || true
+
+      - name: Save Test Result JSON
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results
+          path: |
+            ./${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}
+
+      - name: Upload to Heimdall
+        run: | 
+          curl -# -s -F data=@${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE}}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_KEY }}" "${{ env.HEIMDALL_URL }}/evaluations"
+
+      - name: Display our ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} results summary
+        uses: mitre/saf_action@v1
+        with:
+          command_string: "view summary -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}"
+
+      - name: Ensure ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} meets our results threshold
+        uses: mitre/saf_action@v1
+        with:
+          command_string: "validate threshold -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F ${{ env.THRESHOLD_FILE }}"
+
diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml
@@ -0,0 +1,95 @@
+---
+name: CIS AWS Foundations v2.0.0
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  my-job:
+    name: Validate my profile
+    runs-on: ubuntu-latest
+    env:
+      CHEF_LICENSE: accept-silent
+      CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
+      RESULTS_FILE: inspec_results.json
+      PROFILE_FILE: profile.json
+      INPUT_FILE: default.inputs.yml
+      THRESHOLD_FILE: default.threshold.yml
+      HEIMDALL_URL: https://heimdall-demo.mitre.org
+    steps:
+      - name: add needed packages
+        run: sudo apt-get install -y jq curl
+
+      - name: Configure AWS credentials
+        env:
+          AWS_SG_ID: ${{ secrets.SAF_AWS_SG_ID }}
+          AWS_SUBNET_ID: ${{ secrets.SAF_AWS_SUBNET_ID }}
+
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+
+      - name: Check out repository
+        uses: actions/checkout@v3
+
+      - name: Clone full repository so we can push
+        run: git fetch --prune --unshallow
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          calculatedSha=$(git rev-parse --short ${{ github.sha }})
+          echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
+
+      - name: Confirm git commit SHA output
+        run: echo ${{ env.COMMIT_SHORT_SHA }}
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.1"
+
+      - name: Disable ri and rdoc
+        run: 'echo "gem: --no-document" >> ~/.gemrc'
+
+      - name: Bundle Install
+        run: bundle install
+
+      - name: Installed Inspec
+        run: bundle exec inspec version
+
+      - name: Vendor the InSpec Profile
+        run: bundle exec inspec vendor --overwrite
+
+      - name: Lint the Inspec profile
+        run: bundle exec inspec check .
+
+      - name: Run the Profile
+        run: |
+          bundle exec inspec exec . --target aws:// --input-file=${{ env.INPUT_FILE }} --reporter cli json:${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} --enhanced-outcomes --filter-empty-profiles || true
+
+      - name: Save Test Result JSON
+        uses: actions/upload-artifact@v3
+        with:
+          name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results
+          path: |
+            ./${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}
+
+      - name: Upload to Heimdall
+        run: |
+          curl -# -s -F data=@${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE}}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_KEY }}" "${{ env.HEIMDALL_URL }}/evaluations"
+
+      - name: Display our ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} results summary
+        uses: mitre/saf_action@v1
+        with:
+          command_string: "view summary -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }}"
+
+      - name: Ensure ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} meets our results threshold
+        uses: mitre/saf_action@v1
+        with:
+          command_string: "validate threshold -i ${{ env.COMMIT_SHORT_SHA }}-${{ env.RESULTS_FILE }} -F ${{ env.THRESHOLD_FILE }}"
diff --git a/.gitignore b/.gitignore
@@ -1,7 +1,9 @@
+aws*
+inspec-aws
 *.lock
 *.gem
 *.rbc
-
+*results.json
 inputs.yml
 
 /.config

diff --git a/.rubocop.yml b/.rubocop.yml
@@ -1,21 +1,162 @@
-Style/WordArray:
-  Description: 'Use %w or %W for an array of words. (https://rubystyle.guide#percent-w)'
-  Enabled : false
+---
+AllCops:
+  Exclude:
+    - Gemfile
+    - Rakefile
+    - "test/**/*"
+    - "examples/**/*"
+    - "vendor/**/*"
+    - "lib/bundles/inspec-init/templates/**/*"
+    - .direnv/**/*
+  TargetRubyVersion: 2.6.3
 
-Style/RedundantPercentQ:
+Layout/EmptyLinesAroundBlockBody:
+  Enabled: false
+Layout/HashAlignment:
+  Enabled: false
+Layout/EmptyLineAfterGuardClause:
+  Enabled: false
+Layout/MultilineBlockLayout:
+  Enabled: false
+Layout/EmptyLinesAroundAttributeAccessor:
   Enabled: true
-
-Style/NestedParenthesizedCalls:
+Layout/SpaceAroundOperators:
   Enabled: false
-
-Style/TrailingCommaInHashLiteral:
-  Description: 'https://docs.rubocop.org/rubocop/cops_style.html#styletrailingcommainhashliteral'
+Layout/ParameterAlignment:
+  Enabled: true
+Layout/LineLength:
+  Enabled: false
+Layout/SpaceAroundMethodCallOperator:
+  Enabled: true
+Lint/DeprecatedOpenSSLConstant:
+  Enabled: true
+Lint/MixedRegexpCaptureTypes:
+  Enabled: true
+Style/RedundantRegexpCharacterClass:
+  Enabled: false
+Style/RedundantRegexpEscape:
+  Enabled: false
+Lint/ParenthesesAsGroupedExpression:
+  Enabled: false
+Lint/ReturnInVoidContext:
+  Enabled: false
+Lint/AmbiguousBlockAssociation:
+  Exclude:
+    - "controls/*"
+Lint/RaiseException:
+  Enabled: true
+Lint/StructNewOverride:
   Enabled: true
-  EnforcedStyleForMultiline: no_comma
 
-Style/TrailingCommaInArrayLiteral:
+Lint/DuplicateBranch: # (new in 1.3)
+  Enabled: true
+Lint/DuplicateRegexpCharacterClassElement: # (new in 1.1)
+  Enabled: true
+Lint/EmptyBlock: # (new in 1.1)
+  Enabled: true
+Lint/EmptyClass: # (new in 1.3)
+  Enabled: true
+Lint/NoReturnInBeginEndBlocks: # (new in 1.2)
   Enabled: true
-  EnforcedStyleForMultiline: no_comma
+Lint/ToEnumArguments: # (new in 1.1)
+  Enabled: true
+Lint/UnmodifiedReduceAccumulator: # (new in 1.1)
+  Enabled: true
+
+Metrics/ClassLength:
+  Max: 500
+  Exclude:
+    - libraries/aws_ecs_task_definition.rb
+Metrics/MethodLength:
+  Max: 100
+  Exclude:
+    - libraries/aws_cloudfront_distribution.rb
+Metrics/BlockLength:
+  Max: 300
+Metrics/AbcSize:
+  Max: 75
+Metrics/BlockNesting:
+  Enabled: false
+Metrics/CyclomaticComplexity:
+  Max: 25
+Metrics/PerceivedComplexity:
+  Max: 25
+
+Naming/AccessorMethodName:
+  Enabled: false
+Naming/FileName:
+  Enabled: false
+Naming/PredicateName:
+  Enabled: false
+Naming/VariableNumber:
+  Enabled: false
 
 Style/BlockDelimiters:
   Enabled: false
+Style/Documentation:
+  Enabled: false
+Style/Encoding:
+  Enabled: true
+Style/NumericLiterals:
+  MinDigits: 10
+Style/PercentLiteralDelimiters:
+  PreferredDelimiters:
+    "%": "{}"
+    "%i": ()
+    "%q": "{}"
+    "%Q": ()
+    "%r": "{}"
+    "%s": ()
+    "%w": "{}"
+    "%W": ()
+    "%x": ()
+Style/ClassAndModuleChildren:
+  Enabled: false
+Style/ConditionalAssignment:
+  Enabled: false
+Style/AndOr:
+  Enabled: false
+Style/Not:
+  Enabled: false
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: comma
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: comma
+Style/TrailingCommaInArguments:
+  EnforcedStyleForMultiline: comma
+Style/NegatedIf:
+  Enabled: false
+Style/UnlessElse:
+  Enabled: false
+Style/RedundantBegin:
+  Enabled: false
+Style/IfUnlessModifier:
+  Enabled: false
+Style/RescueStandardError:
+  Enabled: false
+Style/ExponentialNotation:
+  Enabled: true
+Style/HashEachMethods:
+  Enabled: true
+Style/HashTransformKeys:
+  Enabled: false
+Style/HashTransformValues:
+  Enabled: true
+Style/HashSyntax:
+  Enabled: true
+Style/SlicingWithRange:
+  Enabled: true
+Style/ArgumentsForwarding: # (new in 1.1)
+  Enabled: true
+Style/CollectionCompact: # (new in 1.2)
+  Enabled: true
+Style/DocumentDynamicEvalDefinition: # (new in 1.1)
+  Enabled: true
+Style/NegatedIfElseCondition: # (new in 1.2)
+  Enabled: true
+Style/NilLambda: # (new in 1.3)
+  Enabled: true
+Style/SwapValues: # (new in 1.1)
+  Enabled: true
+Style/FrozenStringLiteralComment:
+  Enabled: false
diff --git a/Gemfile b/Gemfile
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gem 'inspec', '>= 6.6.0'
+gem 'inspec-core'
+gem 'inspec-bin'
+gem 'kitchen-inspec'
+gem 'rake'
+gem 'rubocop'
+gem 'rubocop-rake'
+gem "train-aws", git: 'https://github.com/mitre/train-aws.git', branch: 'al/dep-updates'
+