inspec-core 2.1.67

data/docs/migration.md

@@ -0,0 +1,293 @@
+---
+title: InSpec Migration Guide
+---
+
+# Migrate from Serverspec to InSpec
+
+## How is InSpec different from Serverspec
+
+We've written a complete blog post about that topic: [The Road to InSpec](https://blog.chef.io/2015/11/04/the-road-to-inspec/)
+
+## Is InSpec suitable for infrastructure testing?
+
+InSpec is a framework that allows you to run infrastructure testing as well as compliance testing. The compliance features are always optional and provide customers a way to use InSpec for both use-cases. To ensure we build the best infrastructure testing, we migrate our cookbooks [chef-cookbooks](https://github.com/chef-cookbooks) to InSpec.
+
+## Which Serverspec resources are available in InSpec?
+
+The following resources are available in InSpec:
+
+|                                         Serverspec                                         |                                        InSpec                                        |
+|:------------------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:|
+| [`bond`](http://serverspec.org/resource_types.html#bond)                                     | [`bond`](https://www.inspec.io/docs/reference/resources/bond/)                         |
+| [`bridge`](http://serverspec.org/resource_types.html#bridge)                                 | [`bridge`](https://www.inspec.io/docs/reference/resources/bridge/)                     |
+| [`command`](http://serverspec.org/resource_types.html#command)                               | [`command`](https://www.inspec.io/docs/reference/resources/command/)                   |
+| [`cron`](http://serverspec.org/resource_types.html#cron)                                     | [`crontab`](https://www.inspec.io/docs/reference/resources/crontab/)                   |
+| [`docker_container`](http://serverspec.org/resource_types.html#docker_container)             | [`docker_container`](https://www.inspec.io/docs/reference/resources/docker_container/) |
+| [`docker_image`](http://serverspec.org/resource_types.html#docker_image)                     | [`docker_image`](https://www.inspec.io/docs/reference/resources/docker_image/)         |
+| [`file`](http://serverspec.org/resource_types.html#file)                                     | [`file`](https://www.inspec.io/docs/reference/resources/file/)                         |
+| [`group`](http://serverspec.org/resource_types.html#group)                                   | [`group`](https://www.inspec.io/docs/reference/resources/group/)                       |
+| [`host`](http://serverspec.org/resource_types.html#host)                                     | [`host`](https://www.inspec.io/docs/reference/resources/host/)                         |
+| [`interface`](http://serverspec.org/resource_types.html#interface)                           | [`interface`](https://www.inspec.io/docs/reference/resources/interface/)               |
+| [`iis_website`](http://serverspec.org/resource_types.html#iis_website)                       | [`iis_website`](https://www.inspec.io/docs/reference/resources/iis_website/)           |
+| [`iis_app_pool`](http://serverspec.org/resource_types.html#iis_app_pool)                     | [`iis_website`](https://www.inspec.io/docs/reference/resources/iis_website/)           |
+| [`iptables`](http://serverspec.org/resource_types.html#iptables)                             | [`iptables`](https://www.inspec.io/docs/reference/resources/iptables/)                 |
+| [`kernel_module`](http://serverspec.org/resource_types.html#kernel_module)                   | [`kernel_module`](https://www.inspec.io/docs/reference/resources/kernel_module/)       |
+| [`linux_kernel_parameter`](http://serverspec.org/resource_types.html#linux_kernel_parameter) | [`kernel_parameter`](https://www.inspec.io/docs/reference/resources/kernel_parameter/) |
+| [`mysql_config`](http://serverspec.org/resource_types.html#mysql_config)                     | [`mysql_conf`](https://www.inspec.io/docs/reference/resources/mysql_conf/)             |
+| [`package`](http://serverspec.org/resource_types.html#package)                               | [`package`](https://www.inspec.io/docs/reference/resources/package/)                   |
+| [`port`](http://serverspec.org/resource_types.html#port)                                     | [`port`](https://www.inspec.io/docs/reference/resources/port/)                         |
+| [`ppa`](http://serverspec.org/resource_types.html#ppa)                                       | [`apt`](https://www.inspec.io/docs/reference/resources/apt/)                           |
+| [`process`](http://serverspec.org/resource_types.html#process)                               | [`processes`](https://www.inspec.io/docs/reference/resources/processes/)               |
+| [`service`](http://serverspec.org/resource_types.html#service)                               | [`service`](https://www.inspec.io/docs/reference/resources/service/)                   |
+| [`user`](http://serverspec.org/resource_types.html#user)                                     | [`user`](https://www.inspec.io/docs/reference/resources/user/)                         |
+| [`windows_feature`](http://serverspec.org/resource_types.html#windows_feature)               | [`windows_feature`](https://www.inspec.io/docs/reference/resources/windows_feature/)   |
+| [`windows_registry_key`](http://serverspec.org/resource_types.html#windows_registry_key)     | [`registry_key`](https://www.inspec.io/docs/reference/resources/registry_key/)         |
+| [`x509_certificate`](http://serverspec.org/resource_types.html#x509_certificate)             | [`x509_certificate`](https://www.inspec.io/docs/reference/resources/x509_certificate/) |
+| [`yumrepo`](http://serverspec.org/resource_types.html#yumrepo)                               | [`yum`](https://www.inspec.io/docs/reference/resources/yum/)                           |
+| [`zfs`](http://serverspec.org/resource_types.html#zfs)                                       | [`zfs_pool`](https://www.inspec.io/docs/reference/resources/zfs_pool/)                 |
+
+Some Serverspec resources are not available yet. We will implement those resources based on user feedback. If you need a resource that is not available in InSpec, please open an [Github issue](https://github.com/chef/inspec/issues). The list of resources that are not available in InSpec:
+
+* [`cgroup`](http://serverspec.org/resource_types.html#cgroup)
+* [`default_gateway`](http://serverspec.org/resource_types.html#default_gateway)
+* [`ip6tables`](http://serverspec.org/resource_types.html#ip6tables)
+* [`ipfilter`](http://serverspec.org/resource_types.html#ipfilter)
+* [`ipnat`](http://serverspec.org/resource_types.html#ipnat)
+* [`linux_audit_system`](http://serverspec.org/resource_types.html#linux_audit_system)
+* [`lxc`](http://serverspec.org/resource_types.html#lxc)
+* [`mail_alias`](http://serverspec.org/resource_types.html#mail_alias)
+* [`php_config`](http://serverspec.org/resource_types.html#php_config)
+* [`routing_table`](http://serverspec.org/resource_types.html#routing_table)
+* [`selinux`](http://serverspec.org/resource_types.html#selinux)
+* [`selinux_module`](http://serverspec.org/resource_types.html#selinux_module)
+* [`x509_private_key`](http://serverspec.org/resource_types.html#x509_private_key)
+
+In addition InSpec provides additional [resources](https://www.inspec.io/docs/reference/resources/) that are not available in Serverspec:
+
+* [`apache_conf`](https://www.inspec.io/docs/reference/resources/apache_conf/)
+* [`apt`](https://www.inspec.io/docs/reference/resources/apt/)
+* [`audit_policy`](https://www.inspec.io/docs/reference/resources/audit_policy/)
+* [`auditd_conf`](https://www.inspec.io/docs/reference/resources/auditd_conf/)
+* [`bash`](https://www.inspec.io/docs/reference/resources/bash/)
+* [`csv`](https://www.inspec.io/docs/reference/resources/csv/)
+* [`etc_shadow`](https://www.inspec.io/docs/reference/resources/etc_shadow/)
+* [`gem`](https://www.inspec.io/docs/reference/resources/gem/)
+* [`grub_conf`](https://www.inspec.io/docs/reference/resources/grub_conf/)
+* [`inetd_conf`](https://www.inspec.io/docs/reference/resources/inetd_conf/)
+* [`ini`](https://www.inspec.io/docs/reference/resources/ini/)
+* [`json`](https://www.inspec.io/docs/reference/resources/json/)
+* [`npm`](https://www.inspec.io/docs/reference/resources/npm/)
+* [`ntp_conf`](https://www.inspec.io/docs/reference/resources/ntp_conf/)
+* [`oneget`](https://www.inspec.io/docs/reference/resources/oneget/)
+* [`pip`](https://www.inspec.io/docs/reference/resources/pip/)
+* [`powershell`](https://www.inspec.io/docs/reference/resources/powershell/)
+* [`security_policy`](https://www.inspec.io/docs/reference/resources/security_policy/)
+* [`ssh_config`](https://www.inspec.io/docs/reference/resources/ssh_config/)
+* [`sshd_config`](https://www.inspec.io/docs/reference/resources/sshd_config/)
+* [`sys_info`](https://www.inspec.io/docs/reference/resources/sys_info/)
+
+## How do I migrate my Serverspec tests to InSpec
+
+For most cases, the migration to InSpec is pretty straight forward. First, replace the current verifier in `kitchen.yml` configuration with:
+
+```
+verifier:
+  name: inspec
+```
+
+Second, rename the directory `test/integration/default/serverspec` to
+`test/integration/default/inspec`
+
+Third, remove the Serverspec-specific code from the test files.
+
+```
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+```
+
+InSpec is now configured with Test-Kitchen:
+
+```
+kitchen verify package-install-centos-72
+-----> Starting Kitchen (v1.14.2)
+-----> Verifying <package-install-centos-72>...
+       Detected alternative framework tests for `inspec`
+       Loaded
+
+Target:  ssh://vagrant@127.0.0.1:2200
+
+
+  PHP has
+     ✔  php
+     ✔  the pear.php.net channel
+     ✔  the pecl.php.net channel
+
+Test Summary: 3 successful, 0 failures, 0 skipped
+       Finished verifying <package-install-centos-72> (0m0.40s).
+-----> Kitchen is finished. (0m3.31s)
+```
+
+Some real-world migrations are available:
+
+* [docker](https://github.com/chef-cookbooks/docker)
+* [nginx](https://github.com/chef-cookbooks/chef_nginx/pull/5/files)
+* [mysql](https://github.com/chef-cookbooks/mysql/pull/430/files)
+* [php](https://github.com/chef-cookbooks/php/pull/189/files)
+
+Some general recommendations:
+
+* use test-kitchen 1.14+
+* in case of errors, increase the log level `kitchen verify package-install-centos-72 -l debug`
+
+## Do I still need the backend configuration?
+
+InSpec does not attach backend information to test files. All tests are defined independently of any backend. Therefore a Serverspec test file:
+
+```
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+
+describe 'PHP' do
+  it 'has php' do
+    expect(command('php -v').exit_status).to eq(0)
+  end
+
+  it 'has the pear.php.net channel' do
+    expect(command('pear list-channels').stdout).to include('pear.php.net')
+  end
+
+  it 'has the pecl.php.net channel' do
+    expect(command('pear list-channels').stdout).to include('pecl.php.net')
+  end
+end
+```
+
+will become the following InSpec test file:
+
+```
+describe 'PHP' do
+  it 'has php' do
+    expect(command('php -v').exit_status).to eq(0)
+  end
+
+  it 'has the pear.php.net channel' do
+    expect(command('pear list-channels').stdout).to include('pear.php.net')
+  end
+
+  it 'has the pecl.php.net channel' do
+    expect(command('pear list-channels').stdout).to include('pecl.php.net')
+  end
+end
+```
+
+As you can see, the InSpec test files just focuses on tests and tries to avoid all clutter.
+
+## Nested describe blocks
+
+Serverspec and RSpec allow you to define nested describe blocks. We did a survey and found out that most users use nested describe blocks only to improve their output report. We believe the code structure should not change to improve the output of a report. Nevertheless we understand that nested describe blocks help you to structure test code. A sample code block looks like:
+
+```
+describe 'chef-server-directories' do
+  describe file('/etc/opscode') do
+    it { should be_directory }
+    it { should be_owned_by 'root' }
+  end
+
+  describe file('/etc/opscode-analytics') do
+    it { should be_directory }
+    it { should be_owned_by 'opscode' }
+    it { should be_grouped_into 'opscode' }
+  end
+
+  describe file('/var/log/opscode') do
+    it { should be_directory }
+    it { should be_owned_by 'opscode' }
+    it { should be_grouped_into 'opscode' }
+  end
+
+  describe file('/var/opt/opscode') do
+    it { should be_directory }
+    it { should be_owned_by 'root' }
+  end
+end
+```
+
+In InSpec you would split up groups into files.
+
+```
+tests
+├── server-directories.rb
+├── other-tests.rb
+└── further-tests.rb
+```
+
+Each file can have a top-level description of its content:
+
+```
+title "Chef Server Directories"
+
+describe file('/etc/opscode') do
+  it { should be_directory }
+  it { should be_owned_by 'root' }
+end
+
+describe file('/etc/opscode-analytics') do
+  it { should be_directory }
+  it { should be_owned_by 'opscode' }
+  it { should be_grouped_into 'opscode' }
+end
+
+describe file('/var/log/opscode') do
+  it { should be_directory }
+  it { should be_owned_by 'opscode' }
+  it { should be_grouped_into 'opscode' }
+end
+
+describe file('/var/opt/opscode') do
+  it { should be_directory }
+  it { should be_owned_by 'root' }
+end
+
+```
+
+## Are you supporting the `expect` syntax?
+
+Of course. We still prefer the `should` syntax for UX reasons. We did surveys with various types of customers like devops engineers, auditors, managers. All participants who preferred the `expect` syntax have been Ruby experts. All non-Ruby developers found it easier to understand the `should` syntax.
+
+### `should` syntax with InSpec
+
+```
+describe command('php -v') do
+  its('exit_status') { should eq 0 }
+end
+
+describe command('pear list-channels') do
+  its('stdout') { should include('pear.php.net')}
+end
+
+describe command('pear list-channels') do
+  its('stdout') { should include('pecl.php.net')}
+end
+```
+
+### `expect` syntax with InSpec
+
+```
+describe 'PHP' do
+  it 'has php' do
+    expect(command('php -v').exit_status).to eq(0)
+  end
+
+  it 'has the pear.php.net channel' do
+    expect(command('pear list-channels').stdout).to include('pear.php.net')
+  end
+
+  it 'has the pecl.php.net channel' do
+    expect(command('pear list-channels').stdout).to include('pecl.php.net')
+  end
+end
+```

data/docs/platforms.md

@@ -0,0 +1,119 @@
+# Using InSpec 2.0 on Cloud Platforms
+
+We are pleased to announce that with this release of InSpec 2.0, we have expanded our platform support beyond individual machines and now include support for select AWS and Azure resources.
+
+With InSpec 2.0, you may now use several InSpec resources to audit properties of your cloud infrastructure - for example, an Amazon Web Services S3 bucket.
+
+<br>
+
+## AWS Platform Support in InSpec 2.0
+
+### Setting up AWS credentials for InSpec
+
+InSpec uses the standard AWS authentication mechanisms. Typically, you will create an IAM user specifically for auditing activities.
+
+* 1 Create an IAM user in the AWS console, with your choice of username. Check the box marked "Programmatic Access."
+* 2 On the Permissions screen, choose Direct Attach. Select the AWS-managed IAM Profile named "ReadOnlyAccess." If you wish to restrict the user further, you may do so; see individual InSpec resources to identify which permissions are required.
+* 3 After generating the key, record the Access Key ID and Secret Key.
+
+#### Using Environment Variables to provide credentials
+
+You may provide the credentials to InSpec by setting the following environment variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_KEY_ID`. You may also use `AWS_PROFILE`, or if you are using MFA, `AWS_SESSION_TOKEN`. See the [AWS Command Line Interface Docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) for details.
+
+Once you have your environment variables set, you can verify your credentials by running:
+
+```bash
+you$ inspec detect -t aws://
+
+== Platform Details
+Name:      aws
+Families:  cloud, api
+Release:   aws-sdk-v2.10.125
+```
+
+#### Using the InSpec target option to provide credentials on AWS
+
+Look for a file in your home directory named `~/.aws/credentials`. If it does not exist, create it. Choose a name for your profile; here, we're using the name 'auditing'. Add your credentials as a new profile, in INI format:
+
+```bash
+[auditing]
+aws_access_key_id = AKIA....
+aws_secret_access_key = 1234....abcd
+```
+
+You may now run InSpec using the `--target` / `-t` option, using the format `-t aws://region/profile`.  For example, to connect to the Ohio region using a profile named 'auditing', use `-t aws://us-east-2/auditing`.
+
+To verify your credentials,
+
+```bash
+you$ inspec detect -t aws://
+
+== Platform Details
+Name:      aws
+Families:  cloud, api
+Release:   aws-sdk-v2.10.125
+```
+
+<br>
+
+## Azure Platform Support in InSpec 2.0
+
+### Setting up Azure credentials for InSpec
+
+To use InSpec Azure resources, you will need to create a Service Principal Name (SPN) for auditing an Azure subscription.
+
+This can be done on the command line or from the Azure Portal:
+
+* [Azure CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal-cli)
+* [PowerShell](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal)
+* [Azure Portal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal)
+
+The information from the SPN can be specified either in the file `~/.azure/credentials`, as environment variables, or by using InSpec target URIs.
+
+#### Setting up the Azure Credentials File
+
+By default InSpec is configured to look at ~/.azure/credentials, and it should contain:
+
+```powershell
+[<SUBSCRIPTION_ID>]
+client_id = "<CLIENT_ID>"
+client_secret = "<CLIENT_SECRET>"
+tenant_id = "<TENANT_ID>"
+```
+
+NOTE: In the Azure web portal, these values are labeled differently:
+* The client_id is referred to as the 'Application ID'
+* The client_secret is referred to as the 'Key (Password Type)'
+* The tenant_id is referred to as the 'Directory ID'
+
+With the credentials are in place you may now execute InSpec:
+
+```bash
+inspec exec my-inspec-profile -t azure://
+```
+
+#### Using Environment variables to provide credentials
+
+You may also set the Azure credentials via environment variables:
+
+* `AZURE_SUBSCRIPTION_ID`
+* `AZURE_CLIENT_ID`
+* `AZURE_CLIENT_SECRET`
+* `AZURE_TENANT_ID`
+
+For example:
+
+```bash
+AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \
+AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \
+AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W" \
+AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3" inspec exec my-profile -t azure://
+```
+
+#### Using the InSpec target option to provide credentials on Azure
+
+If you have created a `~/.azure/credentials` file as above, you may also use the InSpec command line `--target` / `-t` option to select a subscription ID.  For example:
+
+```bash
+inspec exec my-profile -t azure://2fbdbb02-df2e-11e6-bf01-fe55135034f3
+```

data/docs/plugin_kitchen_inspec.md

@@ -0,0 +1,50 @@
+---
+title: About kitchen-inspec
+---
+
+# kitchen-inspec
+
+Use InSpec as a Kitchen verifier with `kitchen-inspec`.
+
+Add the InSpec verifier to the `.kitchen.yml` file:
+
+    verifier:
+      name: inspec
+
+Use a compliance profile from the Chef Compliance server:
+
+    suites:
+      - name: compliance
+        run_list:
+          - recipe[ssh-hardening::default]
+        verifier:
+          inspec_tests:
+            - compliance://base/ssh
+
+and then run the following command:
+
+    $ inspec compliance login https://compliance.test --user admin --insecure --token ''
+
+where `--insecure` is required when using self-signed certificates.
+
+Use a compliance profile from the Chef Supermarket:
+
+    suites:
+      - name: supermarket
+        run_list:
+          - recipe[ssh-hardening::default]
+        verifier:
+          inspec_tests:
+            - supermarket://dev-sec/ssh-baseline
+
+Use InSpec tests from the local file system:
+
+    suites:
+      - name: local
+        run_list:
+          - recipe[my_cookbook::default]
+        verifier:
+          inspec_tests:
+            - test/integration/default
+
+Check out [Detect and correct with Test Kitchen](https://learn.chef.io/modules/detect-correct-kitchen#/) on Learn Chef Rally for a hands-on look at how to use Test Kitchen to run InSpec profiles.