inspec-core 2.3.10 → 2.3.23
- checksums.yaml +4 -4
- data/CHANGELOG.md +34 -13
- data/etc/plugin_filters.json +25 -0
- data/inspec-core.gemspec +1 -1
- data/lib/bundles/inspec-compliance/api.rb +3 -0
- data/lib/bundles/inspec-compliance/configuration.rb +3 -0
- data/lib/bundles/inspec-compliance/http.rb +3 -0
- data/lib/bundles/inspec-compliance/support.rb +3 -0
- data/lib/bundles/inspec-compliance/target.rb +3 -0
- data/lib/inspec/objects/attribute.rb +3 -0
- data/lib/inspec/plugin/v2.rb +3 -0
- data/lib/inspec/plugin/v2/filter.rb +62 -0
- data/lib/inspec/plugin/v2/installer.rb +21 -1
- data/lib/inspec/plugin/v2/loader.rb +4 -0
- data/lib/inspec/profile.rb +3 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +25 -3
- data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb +65 -11
- data/lib/plugins/inspec-plugin-manager-cli/test/unit/cli_args_test.rb +5 -1
- data/lib/resources/package.rb +1 -1
- metadata +4 -197
- data/docs/.gitignore +0 -2
- data/docs/README.md +0 -41
- data/docs/dev/control-eval.md +0 -62
- data/docs/dev/filtertable-internals.md +0 -353
- data/docs/dev/filtertable-usage.md +0 -533
- data/docs/dev/integration-testing.md +0 -31
- data/docs/dev/plugins.md +0 -323
- data/docs/dsl_inspec.md +0 -354
- data/docs/dsl_resource.md +0 -100
- data/docs/glossary.md +0 -381
- data/docs/habitat.md +0 -193
- data/docs/inspec_and_friends.md +0 -114
- data/docs/matchers.md +0 -161
- data/docs/migration.md +0 -293
- data/docs/platforms.md +0 -119
- data/docs/plugin_kitchen_inspec.md +0 -60
- data/docs/plugins.md +0 -57
- data/docs/profiles.md +0 -576
- data/docs/reporters.md +0 -170
- data/docs/resources/aide_conf.md.erb +0 -86
- data/docs/resources/apache.md.erb +0 -77
- data/docs/resources/apache_conf.md.erb +0 -78
- data/docs/resources/apt.md.erb +0 -81
- data/docs/resources/audit_policy.md.erb +0 -57
- data/docs/resources/auditd.md.erb +0 -89
- data/docs/resources/auditd_conf.md.erb +0 -78
- data/docs/resources/bash.md.erb +0 -85
- data/docs/resources/bond.md.erb +0 -100
- data/docs/resources/bridge.md.erb +0 -67
- data/docs/resources/bsd_service.md.erb +0 -77
- data/docs/resources/chocolatey_package.md.erb +0 -68
- data/docs/resources/command.md.erb +0 -176
- data/docs/resources/cpan.md.erb +0 -89
- data/docs/resources/cran.md.erb +0 -74
- data/docs/resources/crontab.md.erb +0 -103
- data/docs/resources/csv.md.erb +0 -64
- data/docs/resources/dh_params.md.erb +0 -221
- data/docs/resources/directory.md.erb +0 -40
- data/docs/resources/docker.md.erb +0 -240
- data/docs/resources/docker_container.md.erb +0 -113
- data/docs/resources/docker_image.md.erb +0 -104
- data/docs/resources/docker_plugin.md.erb +0 -80
- data/docs/resources/docker_service.md.erb +0 -124
- data/docs/resources/elasticsearch.md.erb +0 -252
- data/docs/resources/etc_fstab.md.erb +0 -135
- data/docs/resources/etc_group.md.erb +0 -85
- data/docs/resources/etc_hosts.md.erb +0 -88
- data/docs/resources/etc_hosts_allow.md.erb +0 -84
- data/docs/resources/etc_hosts_deny.md.erb +0 -84
- data/docs/resources/file.md.erb +0 -543
- data/docs/resources/filesystem.md.erb +0 -51
- data/docs/resources/firewalld.md.erb +0 -117
- data/docs/resources/gem.md.erb +0 -108
- data/docs/resources/group.md.erb +0 -71
- data/docs/resources/grub_conf.md.erb +0 -111
- data/docs/resources/host.md.erb +0 -96
- data/docs/resources/http.md.erb +0 -207
- data/docs/resources/iis_app.md.erb +0 -132
- data/docs/resources/iis_site.md.erb +0 -145
- data/docs/resources/inetd_conf.md.erb +0 -104
- data/docs/resources/ini.md.erb +0 -86
- data/docs/resources/interface.md.erb +0 -68
- data/docs/resources/iptables.md.erb +0 -74
- data/docs/resources/json.md.erb +0 -73
- data/docs/resources/kernel_module.md.erb +0 -130
- data/docs/resources/kernel_parameter.md.erb +0 -63
- data/docs/resources/key_rsa.md.erb +0 -95
- data/docs/resources/launchd_service.md.erb +0 -67
- data/docs/resources/limits_conf.md.erb +0 -85
- data/docs/resources/login_defs.md.erb +0 -81
- data/docs/resources/mount.md.erb +0 -79
- data/docs/resources/mssql_session.md.erb +0 -78
- data/docs/resources/mysql_conf.md.erb +0 -109
- data/docs/resources/mysql_session.md.erb +0 -84
- data/docs/resources/nginx.md.erb +0 -89
- data/docs/resources/nginx_conf.md.erb +0 -148
- data/docs/resources/npm.md.erb +0 -78
- data/docs/resources/ntp_conf.md.erb +0 -70
- data/docs/resources/oneget.md.erb +0 -63
- data/docs/resources/oracledb_session.md.erb +0 -103
- data/docs/resources/os.md.erb +0 -153
- data/docs/resources/os_env.md.erb +0 -101
- data/docs/resources/package.md.erb +0 -130
- data/docs/resources/packages.md.erb +0 -77
- data/docs/resources/parse_config.md.erb +0 -113
- data/docs/resources/parse_config_file.md.erb +0 -148
- data/docs/resources/passwd.md.erb +0 -151
- data/docs/resources/pip.md.erb +0 -77
- data/docs/resources/port.md.erb +0 -147
- data/docs/resources/postgres_conf.md.erb +0 -89
- data/docs/resources/postgres_hba_conf.md.erb +0 -103
- data/docs/resources/postgres_ident_conf.md.erb +0 -86
- data/docs/resources/postgres_session.md.erb +0 -79
- data/docs/resources/powershell.md.erb +0 -112
- data/docs/resources/processes.md.erb +0 -119
- data/docs/resources/rabbitmq_config.md.erb +0 -51
- data/docs/resources/registry_key.md.erb +0 -197
- data/docs/resources/runit_service.md.erb +0 -67
- data/docs/resources/security_policy.md.erb +0 -57
- data/docs/resources/service.md.erb +0 -131
- data/docs/resources/shadow.md.erb +0 -267
- data/docs/resources/ssh_config.md.erb +0 -83
- data/docs/resources/sshd_config.md.erb +0 -93
- data/docs/resources/ssl.md.erb +0 -129
- data/docs/resources/sys_info.md.erb +0 -52
- data/docs/resources/systemd_service.md.erb +0 -67
- data/docs/resources/sysv_service.md.erb +0 -67
- data/docs/resources/upstart_service.md.erb +0 -67
- data/docs/resources/user.md.erb +0 -150
- data/docs/resources/users.md.erb +0 -137
- data/docs/resources/vbscript.md.erb +0 -65
- data/docs/resources/virtualization.md.erb +0 -67
- data/docs/resources/windows_feature.md.erb +0 -69
- data/docs/resources/windows_hotfix.md.erb +0 -63
- data/docs/resources/windows_task.md.erb +0 -95
- data/docs/resources/wmi.md.erb +0 -91
- data/docs/resources/x509_certificate.md.erb +0 -161
- data/docs/resources/xinetd_conf.md.erb +0 -166
- data/docs/resources/xml.md.erb +0 -95
- data/docs/resources/yaml.md.erb +0 -79
- data/docs/resources/yum.md.erb +0 -108
- data/docs/resources/zfs_dataset.md.erb +0 -63
- data/docs/resources/zfs_pool.md.erb +0 -57
- data/docs/shared/matcher_be.md.erb +0 -1
- data/docs/shared/matcher_cmp.md.erb +0 -43
- data/docs/shared/matcher_eq.md.erb +0 -3
- data/docs/shared/matcher_include.md.erb +0 -1
- data/docs/shared/matcher_match.md.erb +0 -1
- data/docs/shell.md +0 -217
- data/docs/style.md +0 -178
- data/examples/README.md +0 -8
- data/examples/custom-resource/README.md +0 -3
- data/examples/custom-resource/controls/example.rb +0 -7
- data/examples/custom-resource/inspec.yml +0 -8
- data/examples/custom-resource/libraries/batsignal.rb +0 -20
- data/examples/custom-resource/libraries/gordon.rb +0 -21
- data/examples/inheritance/README.md +0 -65
- data/examples/inheritance/controls/example.rb +0 -14
- data/examples/inheritance/inspec.yml +0 -16
- data/examples/kitchen-ansible/.kitchen.yml +0 -25
- data/examples/kitchen-ansible/Gemfile +0 -19
- data/examples/kitchen-ansible/README.md +0 -53
- data/examples/kitchen-ansible/files/nginx.repo +0 -6
- data/examples/kitchen-ansible/tasks/main.yml +0 -16
- data/examples/kitchen-ansible/test/integration/default/default.yml +0 -5
- data/examples/kitchen-ansible/test/integration/default/web_spec.rb +0 -28
- data/examples/kitchen-chef/.kitchen.yml +0 -20
- data/examples/kitchen-chef/Berksfile +0 -3
- data/examples/kitchen-chef/Gemfile +0 -19
- data/examples/kitchen-chef/README.md +0 -27
- data/examples/kitchen-chef/metadata.rb +0 -7
- data/examples/kitchen-chef/recipes/default.rb +0 -6
- data/examples/kitchen-chef/recipes/nginx.rb +0 -30
- data/examples/kitchen-chef/test/integration/default/web_spec.rb +0 -28
- data/examples/kitchen-puppet/.kitchen.yml +0 -23
- data/examples/kitchen-puppet/Gemfile +0 -20
- data/examples/kitchen-puppet/Puppetfile +0 -25
- data/examples/kitchen-puppet/README.md +0 -53
- data/examples/kitchen-puppet/manifests/site.pp +0 -33
- data/examples/kitchen-puppet/metadata.json +0 -11
- data/examples/kitchen-puppet/modules/.gitkeep +0 -0
- data/examples/kitchen-puppet/test/integration/default/web_spec.rb +0 -28
- data/examples/meta-profile/README.md +0 -37
- data/examples/meta-profile/controls/example.rb +0 -13
- data/examples/meta-profile/inspec.yml +0 -13
- data/examples/plugins/inspec-resource-lister/Gemfile +0 -12
- data/examples/plugins/inspec-resource-lister/LICENSE +0 -13
- data/examples/plugins/inspec-resource-lister/README.md +0 -62
- data/examples/plugins/inspec-resource-lister/Rakefile +0 -40
- data/examples/plugins/inspec-resource-lister/inspec-resource-lister.gemspec +0 -45
- data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister.rb +0 -16
- data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/cli_command.rb +0 -70
- data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/plugin.rb +0 -55
- data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/version.rb +0 -10
- data/examples/plugins/inspec-resource-lister/test/fixtures/README.md +0 -24
- data/examples/plugins/inspec-resource-lister/test/functional/README.md +0 -18
- data/examples/plugins/inspec-resource-lister/test/functional/inspec_resource_lister_test.rb +0 -110
- data/examples/plugins/inspec-resource-lister/test/helper.rb +0 -26
- data/examples/plugins/inspec-resource-lister/test/unit/README.md +0 -17
- data/examples/plugins/inspec-resource-lister/test/unit/cli_args_test.rb +0 -64
- data/examples/plugins/inspec-resource-lister/test/unit/plugin_def_test.rb +0 -51
- data/examples/profile-attribute.yml +0 -2
- data/examples/profile-attribute/README.md +0 -14
- data/examples/profile-attribute/controls/example.rb +0 -11
- data/examples/profile-attribute/inspec.yml +0 -8
- data/examples/profile-sensitive/README.md +0 -29
- data/examples/profile-sensitive/controls/sensitive-failures.rb +0 -9
- data/examples/profile-sensitive/controls/sensitive.rb +0 -9
- data/examples/profile-sensitive/inspec.yml +0 -8
- data/examples/profile/README.md +0 -48
- data/examples/profile/controls/example.rb +0 -24
- data/examples/profile/controls/gordon.rb +0 -36
- data/examples/profile/controls/meta.rb +0 -36
- data/examples/profile/inspec.yml +0 -11
- data/examples/profile/libraries/gordon_config.rb +0 -59
@@ -1,26 +0,0 @@
|
|
1
|
-
# Test helper file for example plugins
|
2
|
-
|
3
|
-
# This file's job is to collect any libraries needed for testing, as well as provide
|
4
|
-
# any utilities to make testing a plugin easier.
|
5
|
-
|
6
|
-
# InSpec core provides a number of such libraries and facilities, in the file
|
7
|
-
# lib/pligins/shared/core_plugin_test_helper.rb . So, one job in this file is
|
8
|
-
# to locate and load that file.
|
9
|
-
require 'inspec/../plugins/shared/core_plugin_test_helper'
|
10
|
-
|
11
|
-
# Also load the InSpec plugin system. We need this so we can unit-test the plugin
|
12
|
-
# classes, which will rely on the plugin system.
|
13
|
-
require 'inspec/plugin/v2'
|
14
|
-
|
15
|
-
# Caution: loading all of InSpec (i.e. require 'inspec') may cause interference with
|
16
|
-
# minitest/spec; one symptom would be appearing to have no tests.
|
17
|
-
# See https://github.com/inspec/inspec/issues/3380
|
18
|
-
|
19
|
-
# You can select from a number of test harnesses. Since InSpec uses Spec-style controls
|
20
|
-
# in profile code, you will probably want to use something like minitest/spec, which provides
|
21
|
-
# Spec-style tests.
|
22
|
-
require 'minitest/spec'
|
23
|
-
require 'minitest/autorun'
|
24
|
-
|
25
|
-
# You might want to put some debugging tools here. We run tests to find bugs, after all.
|
26
|
-
require 'byebug'
|
@@ -1,17 +0,0 @@
|
|
1
|
-
# Unit Testing Area for Example Plugins
|
2
|
-
|
3
|
-
## What Example Tests are Provided?
|
4
|
-
|
5
|
-
Here, since this is a CliCommand plugin, we provide two sets of unit tests:
|
6
|
-
|
7
|
-
* plugin_def_test.rb - Would be useful in any plugin. Verifies that the plugin is properly detected and registered.
|
8
|
-
* cli_args_test.rb - Verifies that the expected commands are present, and that they have the expected options and args.
|
9
|
-
|
10
|
-
## What are Unit Tests?
|
11
|
-
|
12
|
-
Unit tests are tests that verify that the individual components of your plugin work as intended. To be picked up by the Rake tasks as tests, each test file should end in `_test.rb`.
|
13
|
-
|
14
|
-
## Unit vs Functional Tests
|
15
|
-
|
16
|
-
A practical difference between unit tests and functional tests is that unit tests all run within one process, while functional tests might exercise a CLI plugin by shelling out to an inspec command in a subprocess, and examining the results.
|
17
|
-
|
@@ -1,64 +0,0 @@
|
|
1
|
-
# This unit test performs some tests to verify that the command line options for
|
2
|
-
# inspec-resource-lister are correct.
|
3
|
-
|
4
|
-
# Include our test harness
|
5
|
-
require_relative '../helper'
|
6
|
-
|
7
|
-
# Load the class under test, the CliCommand definition.
|
8
|
-
require 'inspec-resource-lister/cli_command'
|
9
|
-
|
10
|
-
# Because InSpec is a Spec-style test suite, we're going to use MiniTest::Spec
|
11
|
-
# here, for familiar look and feel. However, this isn't InSpec (or RSpec) code.
|
12
|
-
describe InspecPlugins::ResourceLister::CliCommand do
|
13
|
-
|
14
|
-
# When writing tests, you can use `let` to create variables that you
|
15
|
-
# can reference easily.
|
16
|
-
|
17
|
-
# This is the CLI Command implementation class.
|
18
|
-
# It is a subclass of Thor, which is a CLI framework.
|
19
|
-
# This unit test file is mostly about verifying the Thor settings.
|
20
|
-
let(:cli_class) { InspecPlugins::ResourceLister::CliCommand }
|
21
|
-
|
22
|
-
# This is a Hash of Structs that tells us details of options for the 'core' subcommand.
|
23
|
-
let(:core_options) { cli_class.all_commands['core'].options }
|
24
|
-
|
25
|
-
# To group tests together, you can nest 'describe' in minitest/spec
|
26
|
-
# (that is discouraged in InSpec control code.)
|
27
|
-
describe 'the core command' do
|
28
|
-
|
29
|
-
# Some tests through here use minitest Expectations, which attach to all
|
30
|
-
# Objects, and begin with 'must' (positive) or 'wont' (negative)
|
31
|
-
# See https://ruby-doc.org/stdlib-2.1.0/libdoc/minitest/rdoc/MiniTest/Expectations.html
|
32
|
-
|
33
|
-
# Option count OK?
|
34
|
-
it "should take one option" do
|
35
|
-
core_options.count.must_equal(1)
|
36
|
-
end
|
37
|
-
|
38
|
-
# Summary option
|
39
|
-
describe "the summary option" do
|
40
|
-
it "should be present" do
|
41
|
-
core_options.keys.must_include(:summary)
|
42
|
-
end
|
43
|
-
it "should have a description" do
|
44
|
-
core_options[:summary].description.wont_be_nil
|
45
|
-
end
|
46
|
-
it "should not be required" do
|
47
|
-
core_options[:summary].required.wont_equal(true)
|
48
|
-
end
|
49
|
-
it "should have a single-letter alias" do
|
50
|
-
core_options[:summary].aliases.must_include(:s)
|
51
|
-
end
|
52
|
-
end
|
53
|
-
|
54
|
-
# Argument count
|
55
|
-
# The 'core' command takes one optional argument. According to the
|
56
|
-
# metaprogramming rules of Ruby, the core() method should thus have an
|
57
|
-
# arity of -1. See http://ruby-doc.org/core-2.5.1/Method.html#method-i-arity
|
58
|
-
# for how that number is caclulated.
|
59
|
-
it "should take one optional argument" do
|
60
|
-
cli_class.instance_method(:core).arity.must_equal(-1)
|
61
|
-
end
|
62
|
-
|
63
|
-
end
|
64
|
-
end
|
@@ -1,51 +0,0 @@
|
|
1
|
-
# This unit test performs some tests to verify that
|
2
|
-
# the inspec-resource-lister plugin is configured correctly.
|
3
|
-
|
4
|
-
# Include our test harness
|
5
|
-
require_relative '../helper'
|
6
|
-
|
7
|
-
# Load the class under test, the Plugin definition.
|
8
|
-
require 'inspec-resource-lister/plugin'
|
9
|
-
|
10
|
-
# Because InSpec is a Spec-style test suite, we're going to use MiniTest::Spec
|
11
|
-
# here, for familiar look and feel. However, this isn't InSpec (or RSpec) code.
|
12
|
-
|
13
|
-
describe InspecPlugins::ResourceLister::Plugin do
|
14
|
-
|
15
|
-
# When writing tests, you can use `let` to create variables that you
|
16
|
-
# can reference easily.
|
17
|
-
|
18
|
-
# Internally, plugins are always known by a Symbol name. Convert here.
|
19
|
-
let(:plugin_name) { :'inspec-resource-lister' }
|
20
|
-
|
21
|
-
# The Registry knows about all plugins that ship with InSpec by
|
22
|
-
# default, as well as any that are installed by the user. When a
|
23
|
-
# plugin definition is loaded, it will also self-register.
|
24
|
-
let(:registry) { Inspec::Plugin::V2::Registry.instance }
|
25
|
-
|
26
|
-
# The plugin status record tells us what the Registry knows.
|
27
|
-
# Note that you can use previously-defined 'let's.
|
28
|
-
let(:status) { registry[plugin_name] }
|
29
|
-
|
30
|
-
# OK, actual tests!
|
31
|
-
|
32
|
-
# Does the Registry know about us at all?
|
33
|
-
it "should be registered" do
|
34
|
-
registry.known_plugin?(plugin_name)
|
35
|
-
end
|
36
|
-
|
37
|
-
# Some tests through here use minitest Expectations, which attach to all
|
38
|
-
# Objects, and begin with 'must' (positive) or 'wont' (negative)
|
39
|
-
# See https://ruby-doc.org/stdlib-2.1.0/libdoc/minitest/rdoc/MiniTest/Expectations.html
|
40
|
-
|
41
|
-
# The plugin system had an undocumented v1 API; this should be a v2 example.
|
42
|
-
it "should be an api-v2 plugin" do
|
43
|
-
status.api_generation.must_equal(2)
|
44
|
-
end
|
45
|
-
|
46
|
-
# Plugins can support several different activator hooks, each of which has a type.
|
47
|
-
# Since this is (primarily) a CliCommand plugin, we'd expect to see that among our types.
|
48
|
-
it "should include a cli_command activator hook" do
|
49
|
-
status.plugin_types.must_include(:cli_command)
|
50
|
-
end
|
51
|
-
end
|
@@ -1,14 +0,0 @@
|
|
1
|
-
# Example InSpec Profile with Attributes
|
2
|
-
|
3
|
-
This profile uses InSpec attributes to parameterize a profile.
|
4
|
-
|
5
|
-
## Usage
|
6
|
-
|
7
|
-
```
|
8
|
-
$ inspec exec examples/profile-attribute --attrs examples/profile-attribute.yml
|
9
|
-
....
|
10
|
-
|
11
|
-
Finished in 0.00178 seconds (files took 0.48529 seconds to load)
|
12
|
-
4 examples, 0 failures
|
13
|
-
|
14
|
-
```
|
@@ -1,11 +0,0 @@
|
|
1
|
-
# encoding: utf-8
|
2
|
-
val_user = attribute('user', default: 'alice', description: 'An identification for the user')
|
3
|
-
val_password = attribute('password', description: 'A value for the password')
|
4
|
-
|
5
|
-
describe val_user do
|
6
|
-
it { should eq 'bob' }
|
7
|
-
end
|
8
|
-
|
9
|
-
describe val_password do
|
10
|
-
it { should eq 'secret' }
|
11
|
-
end
|
@@ -1,29 +0,0 @@
|
|
1
|
-
# Example InSpec Profile with Sensitive failures
|
2
|
-
|
3
|
-
This profile demonstrates resources flagged as sensitive
|
4
|
-
|
5
|
-
## Usage
|
6
|
-
|
7
|
-
```
|
8
|
-
$ inspec exec examples/profile-sensitive
|
9
|
-
....
|
10
|
-
|
11
|
-
bob should
|
12
|
-
∅ eq "billy"
|
13
|
-
|
14
|
-
expected: "billy"
|
15
|
-
got: "bob"
|
16
|
-
|
17
|
-
(compared using ==)
|
18
|
-
|
19
|
-
sensitivepassword should
|
20
|
-
∅ eq "secret"
|
21
|
-
*** sensitive output suppressed ***
|
22
|
-
bob should
|
23
|
-
✔ eq "bob"
|
24
|
-
sensitivepassword should
|
25
|
-
✔ eq "sensitivepassword"
|
26
|
-
|
27
|
-
Test Summary: 2 successful, 2 failures, 0 skipped
|
28
|
-
|
29
|
-
```
|
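--- a/data/examples/profile/README.md
+++ b/data/examples/profile/README.md
@@ -1,48 +0,0 @@
-# Example InSpec Profile
-
-This example shows the implementation of an InSpec [profile](../../docs/profiles.md).
-
-## Verify a profile
-
-InSpec ships with built-in features to verify a profile structure.
-
-```bash
-$ inspec check examples/profile
-Summary
--------
-Location: examples/profile
-Profile: profile
-Controls: 4
-Timestamp: 2016-03-24T16:20:21+00:00
-Valid: true
-
-Errors
-------
-
-Warnings
---------
-```
-
-## Execute a profile
-
-To run all **supported** controls on a local machine use `inspec exec /path/to/profile`.
-
-```bash
-$ inspec exec examples/profile
-..
-
-Finished in 0.0025 seconds (files took 0.12449 seconds to load)
-8 examples, 0 failures
-```
-
-## Execute a specific control from a profile
-
-To run one control from the profile use `inspec exec /path/to/profile --controls name`.
-
-```bash
-$ inspec exec examples/profile --controls tmp-1.0
-.
-
-Finished in 0.0025 seconds (files took 0.12449 seconds to load)
-1 examples, 0 failures
-```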
@@ -1,24 +0,0 @@
|
|
1
|
-
# encoding: utf-8
|
2
|
-
# copyright: 2015, Chef Software, Inc.
|
3
|
-
|
4
|
-
title '/tmp profile'
|
5
|
-
|
6
|
-
# you add controls here
|
7
|
-
control "tmp-1.0" do # A unique ID for this control
|
8
|
-
impact 0.7 # The criticality, if this control fails.
|
9
|
-
title "Create /tmp directory" # A human-readable title
|
10
|
-
desc "An optional description..." # Describe why this is needed
|
11
|
-
desc "label", "An optional description with a label" # Pair a part of the description with a label
|
12
|
-
tag data: "temp data" # A tag allows you to associate key information
|
13
|
-
tag "security" # to the test
|
14
|
-
ref "Document A-12", url: 'http://...' # Additional references
|
15
|
-
|
16
|
-
describe file('/tmp') do # The actual test
|
17
|
-
it { should be_directory }
|
18
|
-
end
|
19
|
-
end
|
20
|
-
|
21
|
-
# you can also use plain tests
|
22
|
-
describe file('/tmp') do
|
23
|
-
it { should be_directory }
|
24
|
-
end
|
@@ -1,36 +0,0 @@
|
|
1
|
-
# encoding: utf-8
|
2
|
-
# copyright: 2016, Chef Software, Inc.
|
3
|
-
|
4
|
-
title 'Gordon Config Checks'
|
5
|
-
|
6
|
-
# To pass the test, create the following file
|
7
|
-
# ```bash
|
8
|
-
# mkdir -p /tmp/gordon
|
9
|
-
# cat <<EOF > /tmp/gordon/config.yaml
|
10
|
-
# version: '1.0'
|
11
|
-
# EOF
|
12
|
-
# ```
|
13
|
-
control 'gordon-1.0' do
|
14
|
-
impact 'critical'
|
15
|
-
title 'Verify the version number of Gordon'
|
16
|
-
desc 'An optional description...'
|
17
|
-
tag 'gordon'
|
18
|
-
ref 'Gordon Requirements 1.0', uri: 'http://...'
|
19
|
-
|
20
|
-
# Test using the custom gordon_config Inspec resource
|
21
|
-
# Find the resource content here: ../libraries/
|
22
|
-
describe gordon_config do
|
23
|
-
it { should exist }
|
24
|
-
its('version') { should eq('1.0') }
|
25
|
-
its('file_size') { should <= 20 }
|
26
|
-
its('comma_count') { should eq 0 }
|
27
|
-
end
|
28
|
-
|
29
|
-
# Test the version again to showcase variables
|
30
|
-
g = gordon_config
|
31
|
-
g_path = g.file_path
|
32
|
-
g_version = g.version
|
33
|
-
describe file(g_path) do
|
34
|
-
its('content') { should match g_version }
|
35
|
-
end
|
36
|
-
end
|
@@ -1,36 +0,0 @@
|
|
1
|
-
title 'SSH Server Configuration'
|
2
|
-
|
3
|
-
control 'ssh-1' do
|
4
|
-
impact 1.0
|
5
|
-
|
6
|
-
title 'Allow only SSH Protocol 2'
|
7
|
-
desc 'Only SSH protocol version 2 connections should be permitted.
|
8
|
-
The default setting in /etc/ssh/sshd_config is correct, and can be
|
9
|
-
verified by ensuring that the following line appears: Protocol 2'
|
10
|
-
|
11
|
-
tag 'production','development'
|
12
|
-
tag 'ssh','sshd','openssh-server'
|
13
|
-
|
14
|
-
tag cce: 'CCE-27072-8'
|
15
|
-
tag disa: 'RHEL-06-000227'
|
16
|
-
|
17
|
-
tag nist: 'AC-3(10).i'
|
18
|
-
tag nist: 'IA-5(1)'
|
19
|
-
|
20
|
-
tag cci: 'CCI-000776'
|
21
|
-
tag cci: 'CCI-000774'
|
22
|
-
tag cci: 'CCI-001436'
|
23
|
-
|
24
|
-
tag remediation: 'stig_rhel6/recipes/sshd-config.rb'
|
25
|
-
tag remediation: 'https://supermarket.chef.io/cookbooks/ssh-hardening'
|
26
|
-
|
27
|
-
ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
|
28
|
-
ref 'DISA-RHEL6-SG - Section 9.2.1', url: 'http://iasecontent.disa.mil/stigs/zip/Jan2016/U_RedHat_6_V1R10_STIG.zip'
|
29
|
-
ref 'http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/ssg-centos6-guide-C2S.html'
|
30
|
-
|
31
|
-
only_if { platform.in_family?('unix') }
|
32
|
-
|
33
|
-
describe file('/bin/sh') do
|
34
|
-
it { should be_owned_by 'root' }
|
35
|
-
end
|
36
|
-
end
|
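--- a/data/examples/profile/inspec.yml
+++ b/data/examples/profile/inspec.yml
@@ -1,11 +0,0 @@
-name: profile
-title: InSpec Example Profile
-maintainer: Chef Software, Inc.
-copyright: Chef Software, Inc.
-copyright_email: support@chef.io
-license: Apache-2.0
-summary: Demonstrates the use of InSpec Compliance Profile
-version: 1.0.0
-supports:
-- platform-family: unix
-- platform-family: windows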
@@ -1,59 +0,0 @@
|
|
1
|
-
require 'yaml'
|
2
|
-
|
3
|
-
# Custom resource based on the InSpec resource DSL
|
4
|
-
class GordonConfig < Inspec.resource(1)
|
5
|
-
name 'gordon_config'
|
6
|
-
|
7
|
-
supports platform: 'unix'
|
8
|
-
supports platform: 'windows'
|
9
|
-
|
10
|
-
desc "
|
11
|
-
Gordon's resource description ...
|
12
|
-
"
|
13
|
-
|
14
|
-
example "
|
15
|
-
describe gordon_config do
|
16
|
-
its('version') { should eq('1.0') }
|
17
|
-
its('file_size') { should > 1 }
|
18
|
-
end
|
19
|
-
"
|
20
|
-
|
21
|
-
# Load the configuration file on initialization
|
22
|
-
def initialize
|
23
|
-
@params = {}
|
24
|
-
@path = '/tmp/gordon/config.yaml'
|
25
|
-
@file = inspec.file(@path)
|
26
|
-
|
27
|
-
unless @file.file?
|
28
|
-
raise Inspec::Exceptions::ResourceSkipped, "Can't find file `#{@path}`"
|
29
|
-
end
|
30
|
-
|
31
|
-
# Protect from invalid YAML content
|
32
|
-
begin
|
33
|
-
@params = YAML.load(@file.content)
|
34
|
-
# Add two extra matchers
|
35
|
-
@params['file_size'] = @file.size
|
36
|
-
@params['file_path'] = @path
|
37
|
-
@params['ruby'] = 'RUBY IS HERE TO HELP ME!'
|
38
|
-
rescue StandardError => e
|
39
|
-
raise Inspec::Exceptions::ResourceSkipped, "#{@file}: #{e.message}"
|
40
|
-
end
|
41
|
-
end
|
42
|
-
|
43
|
-
# Example method called by 'it { should exist }'
|
44
|
-
# Returns true or false from the 'File.exist?' method
|
45
|
-
def exists?
|
46
|
-
File.exist?(@path)
|
47
|
-
end
|
48
|
-
|
49
|
-
# Example matcher for the number of commas in the file
|
50
|
-
def comma_count
|
51
|
-
text = @file.content
|
52
|
-
text.count(',')
|
53
|
-
end
|
54
|
-
|
55
|
-
# Expose all parameters
|
56
|
-
def method_missing(name)
|
57
|
-
@params[name.to_s]
|
58
|
-
end
|
59
|
-
end
|