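# SEITE 153 — Listing 1: In Azure VMs prüfen (check VMs in Azure)
#
# InSpec control: asserts that one Azure VM exists, is located in the expected
# region, has the expected resource type and carries the OMS (Log Analytics)
# agent extension. Resource group and VM name are hard-coded in the listing.
control 'azurerm_virtual_machine' do
  title "Check vm 'azl12345'"
  desc "Check if vm 'azl12345' is present and in compliant state"

  describe azurerm_virtual_machine(resource_group: 'itadmin-test', name: 'azl12345') do
    it { should exist }
    its('location') { should eq('westeurope') }
    its('name') { should eq('azl12345') }
    its('type') { should eq 'Microsoft.Compute/virtualMachines' }
    # Both the extension *type* list and the extension *name* list are checked
    # for the same string; whether the type list really reports the bare value
    # 'OmsAgentForLinux' depends on the resource pack version — confirm on a run.
    its('installed_extensions_types') { should include('OmsAgentForLinux') }
    its('installed_extensions_names') { should include('OmsAgentForLinux') }
  end
end

# SEITE 154 — Listing 2: In AWS Security Groups untersuchen (inspect AWS security groups)
#
# Walks every region returned by aws_regions and every security group in that
# region, and fails if any group admits inbound port 22 (SSH) from the whole
# internet. The published listing only tested the IPv4 wildcard 0.0.0.0/0; an
# IPv6 rule for ::/0 is the same exposure and is now checked as well.
#
# NOTE(review): the control id still says "ftp" although the test is for SSH
# (port 22); it is kept unchanged so existing references to the id keep working.
control 'aws-multi-region-security-group-ftp-1.0' do
  impact 1.0
  title 'Ensure AWS Security Groups disallow SSH ingress from 0.0.0.0/0.'

  aws_regions.region_names.each do |region|
    aws_security_groups(aws_region: region).group_ids.each do |security_group_id|
      describe aws_security_group(aws_region: region, group_id: security_group_id) do
        it { should exist }
        it { should_not allow_in(ipv4_range: '0.0.0.0/0', port: 22) }
        # Same check for the IPv6 wildcard; requires an inspec-aws release whose
        # allow_in matcher accepts ipv6_range.
        it { should_not allow_in(ipv6_range: '::/0', port: 22) }
      end
    end
  end
end

# Listing 3: Security Groups in Azure abfragen (query Azure network security groups)
#
# Asserts that the NSG 'secgroup' exists, has the expected resource type, has
# both custom and default rules, and does not expose SSH to the internet.
control 'azure_network_security_group' do
  title "Check network security group 'secgroup'"

  # NOTE(review): `resource_group` is not defined anywhere in this listing — it
  # has to be supplied by the profile (e.g. as an attribute/input); otherwise
  # the control raises NameError before any test runs.
  describe azure_network_security_group(resource_group: resource_group, name: 'secgroup') do
    it { should exist }
    its('type') { should eq 'Microsoft.Network/networkSecurityGroups' }
    its('security_rules') { should_not be_empty }
    its('default_security_rules') { should_not be_empty }
    it { should_not allow_ssh_from_internet }
  end
end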