-
Notifications
You must be signed in to change notification settings - Fork 53
/
inspec.yml
100 lines (84 loc) · 3.79 KB
/
inspec.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
# Copyright 2019 The inspec-gcp-cis-benchmark Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: inspec-gcp-cis-benchmark
title: "InSpec GCP CIS 1.2 Benchmark"
maintainer: "Google Cloud Platform"
copyright: "(c) 2022, Google, Inc."
copyright_email: "[email protected]"
license: "Apache-2.0"
summary: "Inspec Google Cloud Platform Center for Internet Security Benchmark v1.2 Profile"
version: 1.2.0-0
supports:
- platform: gcp
depends:
- name: inspec-gcp-helpers
url: https://github.com/GoogleCloudPlatform/inspec-gcp-helpers/archive/1.0.9.tar.gz
inputs:
# {{gcp_project_id}}
# must be defined at runtime by the user
- name: gcp_project_id
description: "The GCP project identifier."
type: String
required: true
value: 'aaa-bbb-ccc-ddd'
- name: cis_version
description: "The short version of the GCP CIS Benchmark"
value: "1.2"
type: String
- name: cis_url
description: "The URL to the GCP CIS Benchmark"
value: "https://www.cisecurity.org/benchmark/google_cloud_computing_platform/"
type: String
- name: sa_key_older_than_seconds
description: "How many seconds SA keys should not be older than"
value: 7776000
type: Numeric
- name: kms_rotation_period_seconds
description: "How many seconds KMS Keys should be last rotated (90 days)"
value: 7776000
type: Numeric
- name: gcp_gke_locations
description: "The list of regions and/or zone names where GKE clusters are running. An empty array searches all locations"
type: Array
value:
- ""
- name: gce_zones
description: "The list of zone names where GCE instances are running. An empty array searches all locations"
type: Array
value:
- ""
- name: log_min_messages
description: "(Cloud SQL PostgreSQL) The log_min_messages flag controls which message levels are written to the server log (see control 6.2.13). ERROR is cosidered best practice."
value: "ERROR"
type: String
- name: log_min_error_statement
description: "(Cloud SQL PostgreSQL) The log_min_error_statement flag controls which SQL statements that cause an error condition are recorded in the server log (see control 6.2.14). ERROR is cosidered best practice."
value: "ERROR"
type: String
- name: log_error_verbosity
description: "(Cloud SQL PostgreSQL) The log_min_error_statement flag controls the amount of detail written in the server log for each message that is logged (see control 6.2.2). DEFAULT is cosidered best practice."
value: "DEFAULT"
type: String
- name: log_statement
description: "(Cloud SQL PostgreSQL) The log_statement flag controls which SQL statements are logged. Valid values are none (off), ddl, mod, and all (all statements) (see control 6.2.7). ddl is cosidered best practice."
value: "ddl"
type: String
- name: log_hostname
description: "(Cloud SQL PostgreSQL) By default, connection log messages only show the IP address of the connecting host. Turning this parameter on causes logging of the host name as well (see control 6.2.8)."
value: "off"
type: String
- name: user_connections
description: "(Cloud SQL SQL Server) The user connections option specifies the maximum number of simultaneous user connections that are allowed on an instance of SQL Server. (see control 6.3.3)."
value: "0"
type: String