inspec-core 2.2.27 → 2.2.34
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +33 -16
- data/docs/resources/shadow.md.erb +169 -64
- data/lib/bundles/inspec-init/cli.rb +7 -3
- data/lib/inspec/base_cli.rb +10 -2
- data/lib/inspec/formatters/base.rb +1 -1
- data/lib/inspec/metadata.rb +4 -7
- data/lib/inspec/profile.rb +21 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/apache_conf.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6bf2d60a9d79b27af5eb0b5d1d490f3912def9ab18ffc0dd8218243ae9bc9045
|
|
4
|
+
data.tar.gz: c2bbc3231ece1ecd74c3d258767fce943c0998c1173465e3803ed8edf816f4a2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 05c378d057cb713d3c0bdaf4ac0db3dc45ea5d3c4bf550c838580cff5cd6227c3cc7ccff82cfbe03c3bcd2a840e3695f76da3ac24443c63fc69ba3bf5b102fd7
|
|
7
|
+
data.tar.gz: b94f0b4f767a910ac98765fbae736ee38caa9d41cc3a2740907e74e919f3b138a99f8ee8def2b577f4f5f81cfb518792e3b6cbdd2887cff1edd21d84dce3347a
|
data/CHANGELOG.md
CHANGED
|
@@ -1,32 +1,50 @@
|
|
|
1
1
|
# Change Log
|
|
2
2
|
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
|
|
3
|
-
<!-- latest_release 2.2.
|
|
4
|
-
## [v2.2.
|
|
3
|
+
<!-- latest_release 2.2.34 -->
|
|
4
|
+
## [v2.2.34](https://github.com/inspec/inspec/tree/v2.2.34) (2018-07-05)
|
|
5
5
|
|
|
6
|
-
####
|
|
7
|
-
-
|
|
6
|
+
#### Bug Fixes
|
|
7
|
+
- fix for apache_conf to handle quoted Includes [#3193](https://github.com/inspec/inspec/pull/3193) ([voroniys](https://github.com/voroniys))
|
|
8
8
|
<!-- latest_release -->
|
|
9
9
|
|
|
10
|
-
<!-- release_rollup since=2.2.
|
|
11
|
-
### Changes since 2.2.
|
|
10
|
+
<!-- release_rollup since=2.2.27 -->
|
|
11
|
+
### Changes since 2.2.27 release
|
|
12
12
|
|
|
13
13
|
#### New Features
|
|
14
|
-
-
|
|
15
|
-
- Set parent_profile field on child profiles (json report) [#3164](https://github.com/inspec/inspec/pull/3164) ([jquick](https://github.com/jquick)) <!-- 2.2.25 -->
|
|
14
|
+
- cli: Add `--insecure` option for `exec` and `shell` [#3195](https://github.com/inspec/inspec/pull/3195) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.31 -->
|
|
16
15
|
|
|
17
|
-
####
|
|
18
|
-
-
|
|
19
|
-
-
|
|
16
|
+
#### Bug Fixes
|
|
17
|
+
- fix for apache_conf to handle quoted Includes [#3193](https://github.com/inspec/inspec/pull/3193) ([voroniys](https://github.com/voroniys)) <!-- 2.2.34 -->
|
|
18
|
+
- Fix some issues with the vendor functional tests [#3196](https://github.com/inspec/inspec/pull/3196) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.30 -->
|
|
20
19
|
|
|
21
20
|
#### Merged Pull Requests
|
|
22
|
-
-
|
|
21
|
+
- Prevent Slashes in profile names [#3175](https://github.com/inspec/inspec/pull/3175) ([miah](https://github.com/miah)) <!-- 2.2.32 -->
|
|
22
|
+
- Fix vendor functional test to not validate a repo hash that can change. [#3198](https://github.com/inspec/inspec/pull/3198) ([miah](https://github.com/miah)) <!-- 2.2.29 -->
|
|
23
23
|
|
|
24
|
-
####
|
|
25
|
-
-
|
|
26
|
-
-
|
|
24
|
+
#### Enhancements
|
|
25
|
+
- Accept regexes for --controls option to inspec exec [#3179](https://github.com/inspec/inspec/pull/3179) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.33 -->
|
|
26
|
+
- Update the node platform issues to warn severity [#3186](https://github.com/inspec/inspec/pull/3186) ([jquick](https://github.com/jquick)) <!-- 2.2.28 -->
|
|
27
27
|
<!-- release_rollup -->
|
|
28
28
|
|
|
29
29
|
<!-- latest_stable_release -->
|
|
30
|
+
## [v2.2.27](https://github.com/inspec/inspec/tree/v2.2.27) (2018-06-29)
|
|
31
|
+
|
|
32
|
+
#### New Features
|
|
33
|
+
- Set parent_profile field on child profiles (json report) [#3164](https://github.com/inspec/inspec/pull/3164) ([jquick](https://github.com/jquick))
|
|
34
|
+
- Document exit codes for 'inspec exec' and add --no-distinct-exit option [#3178](https://github.com/inspec/inspec/pull/3178) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
|
35
|
+
|
|
36
|
+
#### Enhancements
|
|
37
|
+
- apache_conf resource: Strip quotes from values [#3142](https://github.com/inspec/inspec/pull/3142) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
|
|
38
|
+
- Update core resources with filtertable API changes [#3117](https://github.com/inspec/inspec/pull/3117) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
|
39
|
+
|
|
40
|
+
#### Bug Fixes
|
|
41
|
+
- Add support for shallow link paths [#3168](https://github.com/inspec/inspec/pull/3168) ([ColinHebert](https://github.com/ColinHebert))
|
|
42
|
+
- Detect inspec-core mode and do not attempt to load cloud resources [#3163](https://github.com/inspec/inspec/pull/3163) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
|
43
|
+
|
|
44
|
+
#### Merged Pull Requests
|
|
45
|
+
- Add functional tests for nested attributes [#3157](https://github.com/inspec/inspec/pull/3157) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
|
46
|
+
<!-- latest_stable_release -->
|
|
47
|
+
|
|
30
48
|
## [v2.2.20](https://github.com/inspec/inspec/tree/v2.2.20) (2018-06-21)
|
|
31
49
|
|
|
32
50
|
#### Enhancements
|
|
@@ -36,7 +54,6 @@
|
|
|
36
54
|
|
|
37
55
|
#### Merged Pull Requests
|
|
38
56
|
- Accept symbols and downcased criteria in aws_iam_policy have_statement matcher [#3129](https://github.com/inspec/inspec/pull/3129) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
|
39
|
-
<!-- latest_stable_release -->
|
|
40
57
|
|
|
41
58
|
## [v2.2.16](https://github.com/inspec/inspec/tree/v2.2.16) (2018-06-15)
|
|
42
59
|
|
|
@@ -5,148 +5,253 @@ platform: linux
|
|
|
5
5
|
|
|
6
6
|
# shadow
|
|
7
7
|
|
|
8
|
-
Use the `shadow` InSpec audit resource to test the contents of `/etc/shadow`, which contains password details that are only
|
|
8
|
+
Use the `shadow` InSpec audit resource to test the contents of `/etc/shadow`, which contains password details that are readable only by the `root` user. `shadow` is a [plural resource](https://www.inspec.io/docs/reference/glossary/#plural_resource). Like all plural resources, it functions by performing searches across multiple entries in the shadow file.
|
|
9
|
+
|
|
10
|
+
The format for `/etc/shadow` includes:
|
|
9
11
|
|
|
10
12
|
* A username
|
|
11
13
|
* The hashed password for that user
|
|
12
|
-
* The last
|
|
14
|
+
* The last date a password was changed, as the number of days since Jan 1 1970
|
|
13
15
|
* The minimum number of days a password must exist, before it may be changed
|
|
14
16
|
* The maximum number of days after which a password must be changed
|
|
15
17
|
* The number of days a user is warned about an expiring password
|
|
16
18
|
* The number of days a user must be inactive before the user account is disabled
|
|
17
|
-
* The
|
|
19
|
+
* The date on which a user account was disabled, as the number of days since Jan 1 1970
|
|
18
20
|
|
|
19
21
|
These entries are defined as a colon-delimited row in the file, one row per user:
|
|
20
22
|
|
|
21
23
|
dannos:Gb7crrO5CDF.:10063:0:99999:7:::
|
|
22
24
|
|
|
25
|
+
The `shadow` resource understands this format, allows you to search on the fields, and exposes the selected users' properties.
|
|
26
|
+
|
|
23
27
|
<br>
|
|
24
28
|
|
|
25
|
-
##
|
|
29
|
+
## Resource Parameters
|
|
26
30
|
|
|
27
|
-
|
|
31
|
+
The `shadow` resource takes one optional parameter: the path to the shadow file. If omitted, `/etc/shadow` is assumed.
|
|
28
32
|
|
|
33
|
+
# Expect a file to exist at the default location and have 32 users
|
|
29
34
|
describe shadow do
|
|
30
|
-
its('
|
|
35
|
+
its('count') { should eq 32 }
|
|
31
36
|
end
|
|
32
37
|
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
its('count') { should eq 1 }
|
|
38
|
+
# Use a custom location
|
|
39
|
+
describe shadow('/etc/my-custom-place/shadow') do
|
|
40
|
+
its('count') { should eq 32 }
|
|
37
41
|
end
|
|
38
42
|
|
|
39
|
-
|
|
43
|
+
## Examples
|
|
40
44
|
|
|
41
|
-
|
|
42
|
-
its ('users') { should include 'nfs' }
|
|
43
|
-
end
|
|
45
|
+
A `shadow` resource block uses `where` to filter entries from the shadow file. If `where` is omitted, all entries are selected.
|
|
44
46
|
|
|
45
|
-
|
|
46
|
-
|
|
47
|
+
# Select all users. Among them, there should not be a user with the name 'forbidden_user'.
|
|
48
|
+
describe shadow do
|
|
49
|
+
its('users') { should_not include 'forbidden_user' }
|
|
47
50
|
end
|
|
48
51
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
* `last_changes`
|
|
54
|
-
* `min_days`
|
|
55
|
-
* `max_days`
|
|
56
|
-
* `warn_days`
|
|
57
|
-
* `inactive_days`
|
|
58
|
-
* `expiry_dates`
|
|
59
|
-
* `reserved`
|
|
60
|
-
|
|
61
|
-
<br>
|
|
62
|
-
|
|
63
|
-
## Examples
|
|
64
|
-
|
|
65
|
-
The following examples show how to use this InSpec audit resource.
|
|
52
|
+
# Ensure there is only one user named 'root' (Select all with name 'root', then count them).
|
|
53
|
+
describe shadow.where(user: 'root') do
|
|
54
|
+
its('count') { should eq 1 }
|
|
55
|
+
end
|
|
66
56
|
|
|
67
|
-
|
|
57
|
+
Use `where` to match any of the supported [filter criteria](#filter_criteria). `where` has a method form for simple equality and a block form for more complex queries.
|
|
68
58
|
|
|
69
|
-
|
|
70
|
-
|
|
59
|
+
# Method form, simple
|
|
60
|
+
# Select just the root user (direct equality)
|
|
61
|
+
describe shadow.where(user: 'root') do
|
|
62
|
+
its ('count') { should eq 1 }
|
|
71
63
|
end
|
|
72
64
|
|
|
73
|
-
|
|
65
|
+
# Method form, with a regex
|
|
66
|
+
# Select all users whose names begin with smb
|
|
67
|
+
describe shadow.where(user: /^smb/) do
|
|
68
|
+
its ('count') { should eq 2 }
|
|
69
|
+
end
|
|
74
70
|
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
71
|
+
# Block form
|
|
72
|
+
# Select users whose passwords have expired
|
|
73
|
+
describe shadow.where { expiry_date > 0 } do
|
|
74
|
+
# This test directly asserts that there should be 0 such users
|
|
75
|
+
its('count') { should eq 0 }
|
|
76
|
+
# But if the count test fails, this test outputs the users that are causing the failure.
|
|
77
|
+
its('users') { should be_empty }
|
|
78
78
|
end
|
|
79
79
|
|
|
80
80
|
<br>
|
|
81
81
|
|
|
82
82
|
## Properties
|
|
83
83
|
|
|
84
|
+
As a [plural resource](https://www.inspec.io/docs/reference/glossary/#plural_resource), all of `shadow`'s properties return lists (that is, Ruby Arrays). `include` and `be_empty` are two useful matchers when working with lists. You can also perform manipulation of the lists, such as calling `uniq`, `sort`, `count`, `first`, `last`, `min`, and `max`.
|
|
85
|
+
|
|
84
86
|
### users
|
|
85
87
|
|
|
86
|
-
|
|
88
|
+
A list of strings, representing the usernames matched by the filter.
|
|
87
89
|
|
|
88
|
-
|
|
90
|
+
describe shadow
|
|
91
|
+
its('users') { should include 'root' }
|
|
92
|
+
end
|
|
89
93
|
|
|
90
94
|
### passwords
|
|
91
95
|
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
For example:
|
|
96
|
+
A list of strings, representing the encrypted password strings for entries matched by the `where` filter. Each string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed. Different operating systems use different flags here (such as `*LK*` to indicate the account is locked).
|
|
95
97
|
|
|
96
|
-
|
|
98
|
+
# Use uniq to remove duplicates, then determine
|
|
99
|
+
# if the only password left on the list is '*'
|
|
100
|
+
describe shadow.where(user: /adm$/) do
|
|
101
|
+
its('passwords.uniq.first') { should cmp '*' }
|
|
102
|
+
its('passwords.uniq.count') { should eq 1 }
|
|
103
|
+
end
|
|
97
104
|
|
|
98
105
|
### last\_changes
|
|
99
106
|
|
|
100
|
-
|
|
107
|
+
A list of integers, indicating the number of days since Jan 1 1970 since the password for each matching entry was changed.
|
|
101
108
|
|
|
102
|
-
|
|
109
|
+
# Ensure all entries have changed their password in the last 90 days. (Probably want a filter on that)
|
|
110
|
+
describe shadow do
|
|
111
|
+
its('last_changes.min') { should be < Date.today - 90 - Date.new(1970,1,1) }
|
|
112
|
+
end
|
|
103
113
|
|
|
104
114
|
### min\_days
|
|
105
115
|
|
|
106
|
-
|
|
116
|
+
A list of integers reflecting the minimum number of days a password must exist, before it may be changed, for the users that matched the filter.
|
|
107
117
|
|
|
108
|
-
|
|
118
|
+
# min_days seems crazy today; make sure it is zero for everyone
|
|
119
|
+
describe shadow do
|
|
120
|
+
its('min_days.uniq') { should eq [0] }
|
|
121
|
+
end
|
|
109
122
|
|
|
110
123
|
### max\_days
|
|
111
124
|
|
|
112
|
-
|
|
125
|
+
A list of integers reflecting the maximum number of days after which the password must be changed for each user matching the filter.
|
|
113
126
|
|
|
114
|
-
|
|
127
|
+
# Make sure there is no policy allowing longer than 90 days
|
|
128
|
+
describe shadow do
|
|
129
|
+
its('max_days.max') { should be < 90 }
|
|
130
|
+
end
|
|
115
131
|
|
|
116
132
|
### warn\_days
|
|
117
133
|
|
|
118
|
-
|
|
134
|
+
A list of integers reflecting the number of days a user is warned about an expiring password for each user matching the filter.
|
|
119
135
|
|
|
120
|
-
|
|
136
|
+
# Ensure everyone gets the same 7-day policy
|
|
137
|
+
describe shadow do
|
|
138
|
+
its('warn_days.uniq.count') { should eq 1 }
|
|
139
|
+
its('warn_days.uniq.first') { should eq 7 }
|
|
140
|
+
end
|
|
121
141
|
|
|
122
142
|
### inactive\_days
|
|
123
143
|
|
|
124
|
-
|
|
144
|
+
A list of integers reflecting the number of days a user must be inactive before the user account is disabled for each user matching the filter.
|
|
125
145
|
|
|
126
|
-
|
|
146
|
+
# Ensure everyone except admins has an stale policy of no more than 14 days
|
|
147
|
+
describe shadow.where { user !~ /adm$/ } do
|
|
148
|
+
its('inactive_days.max') { should be <= 14 }
|
|
149
|
+
end
|
|
127
150
|
|
|
128
151
|
### expiry\_dates
|
|
129
152
|
|
|
130
|
-
|
|
153
|
+
A list of integers reflecting the number of days since Jan 1 1970 that a user account has been disabled, for each user matching the filter. Value is `nil` if the account has not expired.
|
|
131
154
|
|
|
132
|
-
|
|
155
|
+
# No one should have an expired account.
|
|
156
|
+
describe shadow do
|
|
157
|
+
its('expiry_dates.compact') { should be_empty }
|
|
158
|
+
end
|
|
133
159
|
|
|
134
160
|
### count
|
|
135
161
|
|
|
136
|
-
The `count` property tests the number of
|
|
162
|
+
The `count` property tests the number of records that the filter matched.
|
|
137
163
|
|
|
164
|
+
# Should probably only have one root user
|
|
138
165
|
describe shadow.user('root') do
|
|
139
166
|
its('count') { should eq 1 }
|
|
140
167
|
end
|
|
141
168
|
|
|
142
|
-
|
|
169
|
+
<br>
|
|
143
170
|
|
|
144
|
-
|
|
145
|
-
|
|
171
|
+
## Filter Criteria
|
|
172
|
+
|
|
173
|
+
You may use any of these filter criteria with the `where` function. They are named after the columns in the shadow file. Each has a related list [property](#properties).
|
|
174
|
+
|
|
175
|
+
### user
|
|
176
|
+
|
|
177
|
+
The string username of a user. Always present. Not required to be unique.
|
|
178
|
+
|
|
179
|
+
# Expect all users whose name ends in adm to have a disabled password via the '*' flag
|
|
180
|
+
describe shadow.where(user: /adm$/) do
|
|
181
|
+
its('password.uniq') { should eq ['*'] }
|
|
146
182
|
end
|
|
147
183
|
|
|
148
|
-
|
|
184
|
+
### password
|
|
185
|
+
|
|
186
|
+
The encrypted password strings, or an account status string. Each string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed. Different operating systems use other flags here (such as `*LK*` to indicate the account is locked).
|
|
187
|
+
|
|
188
|
+
# Find 'locked' accounts and ensure 'nobody' is on the list
|
|
189
|
+
describe shadow.where(password: '*LK*') do
|
|
190
|
+
its('users') { should include 'nobody' }
|
|
191
|
+
end
|
|
192
|
+
|
|
193
|
+
### last_change
|
|
194
|
+
|
|
195
|
+
An integer reflecting the number of days since Jan 1 1970 since the user's password was changed.
|
|
196
|
+
|
|
197
|
+
# Find users who have not changed their password within 90 days
|
|
198
|
+
describe shadow.where { last_change > Date.today - 90 - Date.new(1970,1,1) } do
|
|
199
|
+
its('users') { should be_empty }
|
|
200
|
+
end
|
|
201
|
+
|
|
202
|
+
### min_days
|
|
203
|
+
|
|
204
|
+
An integer reflecting the minimum number of days a user is required to wait before
|
|
205
|
+
changing their password again.
|
|
206
|
+
|
|
207
|
+
# Find users who have a nonzero wait time
|
|
208
|
+
describe shadow.where { min_days > 0 } do
|
|
209
|
+
its('users') { should be_empty }
|
|
210
|
+
end
|
|
211
|
+
|
|
212
|
+
### max_days
|
|
213
|
+
|
|
214
|
+
An integer reflecting the maximum number of days a user may go without changing their password.
|
|
215
|
+
|
|
216
|
+
# All users should have a 30-day policy
|
|
217
|
+
describe shadow.where { max_days != 30 } do
|
|
218
|
+
its('users') { should be_empty }
|
|
219
|
+
end
|
|
220
|
+
|
|
221
|
+
### warn_days
|
|
222
|
+
|
|
223
|
+
An integer reflecting the number of days before a password expiration that a user recieves an alert.
|
|
224
|
+
|
|
225
|
+
# All users should have a 7-day warning policy
|
|
226
|
+
describe shadow.where { warn_days != 7 } do
|
|
227
|
+
its('users') { should be_empty }
|
|
228
|
+
end
|
|
229
|
+
|
|
230
|
+
### inactive_days
|
|
231
|
+
|
|
232
|
+
An integer reflecting the number of days that must pass before a user who has not logged in will be disabled.
|
|
233
|
+
|
|
234
|
+
# Ensure everyone has a stale policy of no more than 14 days.
|
|
235
|
+
describe shadow.where { inactive_days.nil? || inactive_days > 14 } do
|
|
236
|
+
its('users') { should be_empty }
|
|
237
|
+
end
|
|
238
|
+
|
|
239
|
+
### expiry_date
|
|
240
|
+
|
|
241
|
+
An integer reflecting the number of days since Jan 1, 1970 on which the user was disabled. The `expiry_date` criterion is `nil` for enabled users.
|
|
242
|
+
|
|
243
|
+
# Ensure no one is disabled due to a old password
|
|
244
|
+
describe shadow.where { !expiry_date.nil? } do
|
|
245
|
+
its('users') { should be_empty }
|
|
246
|
+
end
|
|
247
|
+
|
|
248
|
+
# Ensure no one is disabled for more than 14 days
|
|
249
|
+
describe shadow.where { !expiry_date.nil? && expiry_date - Date.new(1970,1,1) > 14} do
|
|
250
|
+
its('users') { should be_empty }
|
|
251
|
+
end
|
|
149
252
|
|
|
150
253
|
## Matchers
|
|
151
254
|
|
|
152
|
-
|
|
255
|
+
This resource has no resource-specific matchers.
|
|
256
|
+
|
|
257
|
+
For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
|
|
@@ -1,5 +1,4 @@
|
|
|
1
1
|
# encoding: utf-8
|
|
2
|
-
# author: Christoph Hartmann
|
|
3
2
|
|
|
4
3
|
require 'pathname'
|
|
5
4
|
|
|
@@ -42,8 +41,13 @@ module Init
|
|
|
42
41
|
base_dir = File.join(dir, 'templates', type)
|
|
43
42
|
# prepare glob for all subdirectories and files
|
|
44
43
|
template = File.join(base_dir, '**', '{*,.*}')
|
|
45
|
-
#
|
|
46
|
-
|
|
44
|
+
# Use the name attribute to define the path to the profile.
|
|
45
|
+
profile_path = attributes[:name]
|
|
46
|
+
# Use slashes (\, /) to split up the name into an Array then use the last entry
|
|
47
|
+
# to reset the name of the profile.
|
|
48
|
+
attributes[:name] = attributes[:name].split(%r{\\|\/}).last
|
|
49
|
+
# Generate the full target path on disk
|
|
50
|
+
target = Pathname.new(Dir.pwd).join(profile_path)
|
|
47
51
|
puts "Create new #{type} at #{mark_text(target)}"
|
|
48
52
|
|
|
49
53
|
# check that the directory does not exist
|
data/lib/inspec/base_cli.rb
CHANGED
|
@@ -13,7 +13,7 @@ module Inspec
|
|
|
13
13
|
true
|
|
14
14
|
end
|
|
15
15
|
|
|
16
|
-
def self.target_options
|
|
16
|
+
def self.target_options # rubocop:disable MethodLength
|
|
17
17
|
option :target, aliases: :t, type: :string,
|
|
18
18
|
desc: 'Simple targeting option using URIs, e.g. ssh://user:pass@host:port'
|
|
19
19
|
option :backend, aliases: :b, type: :string,
|
|
@@ -54,6 +54,14 @@ module Inspec
|
|
|
54
54
|
desc: 'Read configuration from JSON file (`-` reads from stdin).'
|
|
55
55
|
option :proxy_command, type: :string,
|
|
56
56
|
desc: 'Specifies the command to use to connect to the server'
|
|
57
|
+
option :bastion_host, type: :string,
|
|
58
|
+
desc: 'Specifies the bastion host if applicable'
|
|
59
|
+
option :bastion_user, type: :string,
|
|
60
|
+
desc: 'Specifies the bastion user if applicable'
|
|
61
|
+
option :bastion_port, type: :string,
|
|
62
|
+
desc: 'Specifies the bastion port if applicable'
|
|
63
|
+
option :insecure, type: :boolean, default: false,
|
|
64
|
+
desc: 'Disable SSL verification on select targets'
|
|
57
65
|
end
|
|
58
66
|
|
|
59
67
|
def self.profile_options
|
|
@@ -65,7 +73,7 @@ module Inspec
|
|
|
65
73
|
target_options
|
|
66
74
|
profile_options
|
|
67
75
|
option :controls, type: :array,
|
|
68
|
-
desc: 'A list of
|
|
76
|
+
desc: 'A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests.'
|
|
69
77
|
option :format, type: :string,
|
|
70
78
|
desc: '[DEPRECATED] Please use --reporter - this will be removed in InSpec 3.0'
|
|
71
79
|
option :reporter, type: :array,
|
data/lib/inspec/metadata.rb
CHANGED
|
@@ -1,7 +1,5 @@
|
|
|
1
1
|
# encoding: utf-8
|
|
2
2
|
# Copyright 2015 Dominik Richter
|
|
3
|
-
# author: Dominik Richter
|
|
4
|
-
# author: Christoph Hartmann
|
|
5
3
|
|
|
6
4
|
require 'logger'
|
|
7
5
|
require 'rubygems/version'
|
|
@@ -78,10 +76,9 @@ module Inspec
|
|
|
78
76
|
errors.push("Missing profile #{field} in #{ref}")
|
|
79
77
|
end
|
|
80
78
|
|
|
81
|
-
if
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
'name in the `inspec.yml` file.')
|
|
79
|
+
if %r{[\/\\]} =~ params[:name]
|
|
80
|
+
errors.push("The profile name (#{params[:name]}) contains a slash" \
|
|
81
|
+
' which is not permitted. Please remove all slashes from `inspec.yml`.')
|
|
85
82
|
end
|
|
86
83
|
|
|
87
84
|
# if version is set, ensure it is correct
|
|
@@ -190,7 +187,7 @@ module Inspec
|
|
|
190
187
|
# unit tests that look for warning sequences
|
|
191
188
|
return if original_target.to_s.empty?
|
|
192
189
|
metadata.params[:title] = "tests from #{original_target}"
|
|
193
|
-
metadata.params[:name] = metadata.params[:title].gsub(%r{[
|
|
190
|
+
metadata.params[:name] = metadata.params[:title].gsub(%r{[\/\\]}, '.')
|
|
194
191
|
end
|
|
195
192
|
|
|
196
193
|
def self.finalize(metadata, profile_id, options, logger = nil)
|
data/lib/inspec/profile.rb
CHANGED
|
@@ -177,9 +177,29 @@ module Inspec
|
|
|
177
177
|
|
|
178
178
|
def filter_controls(controls_array, include_list)
|
|
179
179
|
return controls_array if include_list.nil? || include_list.empty?
|
|
180
|
+
|
|
181
|
+
# Check for anything that might be a regex in the list, and make it official
|
|
182
|
+
include_list.each_with_index do |inclusion, index|
|
|
183
|
+
next if inclusion.is_a?(Regexp)
|
|
184
|
+
# Insist the user wrap the regex in slashes to demarcate it as a regex
|
|
185
|
+
next unless inclusion.start_with?('/') && inclusion.end_with?('/')
|
|
186
|
+
inclusion = inclusion[1..-2] # Trim slashes
|
|
187
|
+
begin
|
|
188
|
+
re = Regexp.new(inclusion)
|
|
189
|
+
include_list[index] = re
|
|
190
|
+
rescue RegexpError => e
|
|
191
|
+
warn "Ignoring unparseable regex '/#{inclusion}/' in --control CLI option: #{e.message}"
|
|
192
|
+
include_list[index] = nil
|
|
193
|
+
end
|
|
194
|
+
end
|
|
195
|
+
include_list.compact!
|
|
196
|
+
|
|
180
197
|
controls_array.select do |c|
|
|
181
198
|
id = ::Inspec::Rule.rule_id(c)
|
|
182
|
-
include_list.
|
|
199
|
+
include_list.any? do |inclusion|
|
|
200
|
+
# Try to see if the inclusion is a regex, and if it matches
|
|
201
|
+
inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
|
|
202
|
+
end
|
|
183
203
|
end
|
|
184
204
|
end
|
|
185
205
|
|
data/lib/inspec/version.rb
CHANGED
|
@@ -82,7 +82,7 @@ module Inspec::Resources
|
|
|
82
82
|
# The regex is terminated by an expression that matches zero or more spaces.
|
|
83
83
|
params = SimpleConfig.new(
|
|
84
84
|
raw_conf,
|
|
85
|
-
assignment_regex: /^\s*(\S+)\s+((?=.*\s+$)
|
|
85
|
+
assignment_regex: /^\s*(\S+)\s+['"]*((?=.*\s+$).*?|.*?)['"]*\s*$/,
|
|
86
86
|
multiple_values: true,
|
|
87
87
|
).params
|
|
88
88
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: inspec-core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.
|
|
4
|
+
version: 2.2.34
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dominik Richter
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-07-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: train-core
|