
Releases: mitre/serverless-inspec-lambda

serverless-inspec-lambda v0.16.1

27 Sep 15:22
e355e54

Notable Changes:

  • Allow the CloudWatch logs KMS key to be passed in via a variable

serverless-inspec-lambda v0.16.0

27 Sep 13:37
39d49dd

Notable Changes:

  • The function can now propagate groups to Heimdall using the results; KMS log encryption
  • Various compliance changes

serverless-inspec-lambda v0.15.7

07 Sep 19:35
b613436

Notable changes

Gemfile Updates

Addresses gem dependency issues that prevented 0.15.6 from building properly.

serverless-inspec-lambda v0.15.6

07 Sep 18:47
a2f93b1

Notable changes

ENV and /tmp/ cleanup

The lambda now explicitly clears the ENV variables it set and the contents of /tmp/ in an ensure block at the end of every execution, so fetched secrets and profile files do not persist into the next invocation of a reused execution environment.

serverless-inspec-lambda v0.15.5

27 Aug 19:11
3b0f31a

Notable changes

Pinned gem versions

There was an issue with InSpec 4.41.2, so the version has been pinned to 4.38.9. train-awsssm has been pinned to its latest version.

Changes to how the command is validated

Added a check to ensure that the supplied command starts with inspec exec before it is run.

serverless-inspec-lambda v0.15.4

26 Aug 23:44
548aee7

Notable changes

Addressed the inspec command-not-found error

There was a command-not-found error for inspec that only appeared when the lambda was deployed to AWS and executed. This issue has been fixed.

serverless-inspec-lambda v0.15.1

26 Aug 21:56
f66424e

Notable changes

Addressed Docker Build Failure

There was a Docker build failure in 0.15.0 that prevented the image from building successfully.

serverless-inspec-lambda v0.15.0

26 Aug 21:13
f81948e

Notable changes

Generalized required resources for an InSpec scan

Instead of defining specific event attributes for each kind of required resource, the function has been generalized: all required file and environment-variable resources, whether sourced from S3, SSM Parameter Store, or AWS Secrets Manager, are now defined in a single resources event attribute.

InSpec commands are now equivalent to inspec exec CLI commands

The command event attribute now expects a natural inspec exec ... CLI command. This was done to remove an unnecessary learning requirement for operating the function and to make it more accessible to users.

Various improvements

See the updated README for a full explanation of the lambda's features.

serverless-inspec-lambda v0.14.0

24 Aug 13:44
ba6981a

Notable changes

Added ability to run SSH via SSM without needing to manage keys

Previously, running the "SSH via SSM" method of scanning Linux instances required that users manage SSH keys manually. This feature has been enhanced so that the lambda can now also create, add, and remove temporary SSH keys completely on its own.

This method of InSpec scanning works with the following sequence of events:

  1. Generate an SSH key pair within the lambda function
  2. Use the train-awsssm plugin to send the public key material to ~/.ssh/authorized_keys using SSM Send Command
  3. Immediately queue another SSM Send Command to remove the key from ~/.ssh/authorized_keys after 60 seconds
  4. Start an SSH session using the generated key pair and execute the InSpec scan over SSH

Assumptions with this method:

  • Scanning Linux-based instances (i.e. not Windows)
  • The instance has the following commands installed: su, mkdir, touch, echo, sleep, grep, mv
  • The user that runs "SSM Send Command" commands is privileged to write to any user's ~/.ssh directory (this should default to root unless explicitly changed)

This method is advantageous over the "SSM Send Command" method mentioned above because invoking every InSpec command over SSM Send Command is significantly slower than running them over SSH, and it shares the advantage of relieving users of the need to manage SSH keys manually.

{
  "...": "...",
  "ssm_temp_ssh_key": true,
  "config": {
    "target": "ssh://ec2-use@i-00f1868f8f3b4cc03"
  }
}
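The temporary-key sequence above (steps 1 to 3; the SSH session itself is left to InSpec) together with the v0.15.5 rule that the command must start with inspec exec, as an added Ruby example that is not the project's own code. The RSA key and OpenSSH public-key encoding, the /home/<user> directory layout, and the su-based command strings are assumptions about what the function sends via SSM Send Command.

```ruby
require 'openssl'
require 'shellwords'

SAFE_USER = /\A[a-z_][a-z0-9_-]*\z/
# OpenSSH wire "string": 4-byte big-endian length followed by the bytes.
def ssh_string(bytes)
  [bytes.bytesize].pack('N') + bytes.b
end

# OpenSSH "mpint": big-endian magnitude, with a leading 0x00 when the high bit is set.
def ssh_mpint(bn)
  bytes = bn.to_s(2)
  bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80
  ssh_string(bytes)
end

# Step 1: ephemeral RSA pair generated inside the function (assumed key type); the private
# key stays in memory and the public half is formatted as one authorized_keys line.
def generate_temp_key(bits = 2048)
  rsa = OpenSSL::PKey::RSA.new(bits)
  blob = ssh_string('ssh-rsa') + ssh_mpint(rsa.e) + ssh_mpint(rsa.n)
  [rsa.to_pem, "ssh-rsa #{[blob].pack('m0')} serverless-inspec-temp"]
end

# Assumed home layout; the user name is validated before it is interpolated into a shell command.
def authorized_keys_path(user)
  raise ArgumentError, "unsafe user name: #{user.inspect}" unless user.match?(SAFE_USER)
  user == 'root' ? '/root/.ssh/authorized_keys' : "/home/#{user}/.ssh/authorized_keys"
end

# Step 2: SSM Send Command payload that appends the key; runs as root and drops to the target
# user with su so the file keeps that user's ownership (only mkdir/touch/echo/su are used).
def install_key_command(pub_line, user)
  file = authorized_keys_path(user)
  inner = "mkdir -p #{File.dirname(file)} && touch #{file} && echo #{Shellwords.escape(pub_line)} >> #{file}"
  "su #{user} -c #{Shellwords.escape(inner)}"
end

# Step 3: follow-up command removing exactly that line after the TTL. grep -v exits 1 when
# no lines remain, so ';' rather than '&&' precedes the mv.
def remove_key_command(pub_line, user, ttl_seconds = 60)
  file = authorized_keys_path(user)
  inner = "grep -v -F -- #{Shellwords.escape(pub_line)} #{file} > #{file}.tmp; mv #{file}.tmp #{file}"
  "sleep #{Integer(ttl_seconds)} && su #{user} -c #{Shellwords.escape(inner)}"
end

# v0.15.5 check: the event's command must tokenize to a plain `inspec exec ...` invocation.
def valid_inspec_command?(command)
  argv = Shellwords.split(command)
  argv[0] == 'inspec' && argv[1] == 'exec'
rescue ArgumentError
  false
end
```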

serverless-inspec-lambda v0.13.1

04 Aug 20:39

This release contains a bugfix related to downloading profiles from S3.