Releases: mitre/serverless-inspec-lambda
serverless-inspec-lambda v0.16.1
serverless-inspec-lambda v0.16.0
Notable changes
- The function can now propagate groups to Heimdall using results, and KMS log encryption has been added
- Various compliance changes
serverless-inspec-lambda v0.15.7
Notable changes
Gemfile Updates
Address gem dependency issues that prevented 0.15.6 from building properly
serverless-inspec-lambda v0.15.6
Notable changes
ENV and /tmp/ cleanup
The lambda will now explicitly clear out set ENV variables and /tmp/ with an ensure block at the end of every execution.
serverless-inspec-lambda v0.15.5
Notable changes
Pinned gem versions
There was an issue with InSpec 4.41.2, so the version has been pinned to 4.38.9. train-awsssm has been pinned to its latest version.
Changes to how the command is validated
Added a check to ensure that the command event attribute starts with inspec exec.
serverless-inspec-lambda v0.15.4
Notable changes
Addressed inspec command not found error
There was a "command not found" error that only appeared when the lambda was deployed to AWS and executed. This issue has been fixed.
serverless-inspec-lambda v0.15.1
Notable changes
Addressed Docker Build Failure
There was a Docker build failure in 0.15.0 that prevented the image from building successfully.
serverless-inspec-lambda v0.15.0
Notable changes
Generalized required resources for an InSpec scan
Instead of defining specific event attributes for each kind of required resource, the function has been made more generalized and now allows definition of all required file and environment variable resources from S3, SSM Parameter Store, or AWS Secrets Manager in one resources event attribute.
InSpec commands are now equivalent to inspec exec CLI commands
The command event attribute now expects a natural inspec exec ... CLI command. This was done to reduce the unnecessary learning requirement for operating the function and make it more accessible to users.
Various improvements
See the updated README for a full explanation of the lambda's features.
serverless-inspec-lambda v0.14.0
Notable changes
Added ability to run SSH via SSM without needing to manage keys
Previously, running the "SSH via SSM" method of scanning Linux instances required that SSH keys be manually managed by users. This feature has been enhanced: the lambda can now create, add, and remove temporary SSH keys completely on its own.
This method of InSpec scanning works with the following sequence of events:
- Generate an SSH key pair within the lambda function
- Use the train-awsssm plugin to send the public key material to ~/.ssh/authorized_keys using SSM Send Command
- Immediately queue another SSM Send Command to remove the key from ~/.ssh/authorized_keys after 60 seconds
- Start an SSH session using the generated key pair and execute the InSpec scan over SSH
Assumptions with this method:
- Scanning Linux-based instances (i.e. not Windows)
- The instance has the following commands installed: su, mkdir, touch, echo, sleep, grep, mv
- The user that runs "SSM Send Command" commands is privileged to write to any user's ~/.ssh directory (this should default to root unless explicitly changed)
This method is advantageous over the "SSM Send Command" method mentioned above because invoking all InSpec commands over SSM Send Command is significantly slower than over SSH, and it shares the advantage of relieving the need to manually manage SSH keys.
{
  "...": "...",
  "ssm_temp_ssh_key": true,
  "config": {
    "target": "ssh://ec2-use@i-00f1868f8f3b4cc03"
  }
}
serverless-inspec-lambda v0.13.1
This release contains a bugfix related to downloading profiles from S3.