there's another framework for that
Yes, and it would be ideal to test that type of configuration on the host itself.
In lieu of such a solution we built a BDD based framework specifically aimed at security testing both the infrastructure and web application tiers. It can be found by searching for "BDD-Security".