inspec-core 4.18.51 → 4.18.85

data/lib/inspec/utils/simpleconfig.rb

@@ -4,7 +4,7 @@ require "inspec/utils/parser"
 require "hashie"
 
 class SimpleConfig
-  include CommentParser
+  include Inspec::Utils::CommentParser
 
   attr_reader :params, :groups
   def initialize(raw_data, opts = {})

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.18.51".freeze
+  VERSION = "4.18.85".freeze
 end

data/lib/matchers/matchers.rb

@@ -221,9 +221,7 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
   end
 
   def octal?(value)
-    return false unless value.is_a?(String)
-
-    !(value =~ /\A0+[0-7]+\Z/).nil?
+    value.is_a?(String) && (value =~ /\A0+[0-7]+\Z/)
   end
 
   def boolean?(value)
@@ -288,25 +286,28 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
     end
   end
 
+  def format_actual(actual)
+    actual = "0%o" % actual if octal?(@expected)
+    "\n%s\n     got: %s\n\n(compared using `cmp` matcher)\n" % [format_expectation(false), actual]
+  end
+
   def format_expectation(negate)
-    return "expected: " + @expected.inspect if @operation == :== && !negate
+    return "expected: %s" % [@expected] if @operation == :== && !negate
 
     negate_str = negate ? "not " : ""
-    "expected it #{negate_str}to be #{@operation} #{@expected.inspect}"
+    "expected it %sto be %s %p" % [negate_str, @operation, @expected]
   end
 
   failure_message do |actual|
-    actual = ("0" + actual.to_s(8)) if octal?(@expected)
-    "\n" + format_expectation(false) + "\n     got: #{actual.inspect}\n\n(compared using `cmp` matcher)\n"
+    format_actual actual
   end
 
   failure_message_when_negated do |actual|
-    actual = ("0" + actual.to_s(8)).inspect if octal?(@expected)
-    "\n" + format_expectation(true) + "\n     got: #{actual.inspect}\n\n(compared using `cmp` matcher)\n"
+    format_actual actual
   end
 
   description do
-    "cmp #{@operation} #{@expected.inspect}"
+    "cmp %s %p" % [@operation, @expected]
   end
 end
 

data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb

@@ -8,5 +8,8 @@ module InspecPlugins
         InspecPlugins::Compliance::CLI
       end
     end
+
+    autoload :Configuration, "plugins/inspec-compliance/lib/inspec-compliance/configuration"
+    autoload :API, "plugins/inspec-compliance/lib/inspec-compliance/api"
   end
 end

data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb

@@ -9,7 +9,7 @@ module InspecPlugins
     class Profile
       include Inspec::Dist
 
-      attr_reader :logger
+      attr_reader :logger, :options
       def initialize(path, options = {})
         @path    = path
         @options = options
@@ -149,7 +149,7 @@ module InspecPlugins
                     "vendor process.")
         else
           logger.debug("Vendoring the profile's dependencies...")
-          profile_vendor.vendor!
+          profile_vendor.vendor!(options)
 
           logger.debug("Ensuring all vendored content has read permissions...")
           profile_vendor.make_readable

data/lib/plugins/inspec-init/templates/profiles/aws/README.md

@@ -0,0 +1,192 @@
+# Example InSpec Profile For AWS
+
+This example shows the implementation of an InSpec profile for AWS.
+
+##  Create a profile 
+
+```
+$ inspec init profile --platform aws my-profile
+
+ ─────────────────────────── InSpec Code Generator ───────────────────────────
+
+Creating new profile at /Users/spaterson/my-profile
+ • Creating directory libraries
+ • Creating file README.md
+ • Creating directory controls
+ • Creating file controls/example.rb
+ • Creating file inspec.yml
+ • Creating file attributes.yml
+ • Creating file libraries/.gitkeep
+ 
+```
+
+## Optionally update `attributes.yml` to point to your custom VPC
+
+```
+aws_vpc_id: 'custom-vpc-id'
+```
+
+The related control will simply be skipped if this is not provided.  See the [InSpec DSL documentation](https://www.inspec.io/docs/reference/dsl_inspec/) for more details on conditional execution using `only_if`.
+
+## Run the tests
+
+### With a VPC Identifier
+
+With a supplied VPC identifier in `attributes.yml` both of the example controls will run.  The 'aws-single-vpc-exists-check' control will only check for a VPC identifier in the currently configured AWS SDK region e.g. `eu-west-2` in the below:
+
+```
+$ cd my-profile/
+$ inspec exec . -t aws://  --attrs attributes.yml
+
+Profile: AWS InSpec Profile (my-profile)
+Version: 0.1.0
+Target:  aws://eu-west-2
+
+  ✔  aws-single-vpc-exists-check: Check to see if custom VPC exists.
+     ✔  VPC vpc-1ea06476 should exist
+  ✔  aws-vpcs-check: Check in all the VPCs for default sg not allowing 22 inwards
+     ✔  EC2 Security Group sg-067cd21e928c3a2f1 should allow in {:port=>22}
+     ✔  EC2 Security Group sg-9bb3b9f3 should allow in {:port=>22}
+  ✔  aws-vpcs-multi-region-status-check: Check AWS VPCs in all regions have status "available"
+     ✔  VPC vpc-6458b70d in eu-north-1 should exist
+     ✔  VPC vpc-6458b70d in eu-north-1 should be available
+     ✔  VPC vpc-8d1390e5 in ap-south-1 should exist
+     ✔  VPC vpc-8d1390e5 in ap-south-1 should be available
+     ✔  VPC vpc-07a71d6e in eu-west-3 should exist
+     ✔  VPC vpc-07a71d6e in eu-west-3 should be available
+     ✔  VPC vpc-021630e2e767412b5 in eu-west-2 should exist
+     ✔  VPC vpc-021630e2e767412b5 in eu-west-2 should be available
+     ✔  VPC vpc-1ea06476 in eu-west-2 should exist
+     ✔  VPC vpc-1ea06476 in eu-west-2 should be available
+     ✔  VPC vpc-169dee70 in eu-west-1 should exist
+     ✔  VPC vpc-169dee70 in eu-west-1 should be available
+     ✔  VPC vpc-01ac7ba0be447a1c4 in eu-west-1 should exist
+     ✔  VPC vpc-01ac7ba0be447a1c4 in eu-west-1 should be available
+     ✔  VPC vpc-09ff83d71da9d2b6e in eu-west-1 should exist
+     ✔  VPC vpc-09ff83d71da9d2b6e in eu-west-1 should be available
+     ✔  VPC vpc-0ebccac2337a90f13 in eu-west-1 should exist
+     ✔  VPC vpc-0ebccac2337a90f13 in eu-west-1 should be available
+     ✔  VPC vpc-c2a53da4 in eu-west-1 should exist
+     ✔  VPC vpc-c2a53da4 in eu-west-1 should be available
+     ✔  VPC vpc-4fb3f127 in ap-northeast-2 should exist
+     ✔  VPC vpc-4fb3f127 in ap-northeast-2 should be available
+     ✔  VPC vpc-0804856f in ap-northeast-1 should exist
+     ✔  VPC vpc-0804856f in ap-northeast-1 should be available
+     ✔  VPC vpc-ccb917ab in sa-east-1 should exist
+     ✔  VPC vpc-ccb917ab in sa-east-1 should be available
+     ✔  VPC vpc-0afcc60c70a30a615 in ca-central-1 should exist
+     ✔  VPC vpc-0afcc60c70a30a615 in ca-central-1 should be available
+     ✔  VPC vpc-20a25048 in ca-central-1 should exist
+     ✔  VPC vpc-20a25048 in ca-central-1 should be available
+     ✔  VPC vpc-5896143f in ap-southeast-1 should exist
+     ✔  VPC vpc-5896143f in ap-southeast-1 should be available
+     ✔  VPC vpc-47972220 in ap-southeast-2 should exist
+     ✔  VPC vpc-47972220 in ap-southeast-2 should be available
+     ✔  VPC vpc-071b6f0c69d1d0311 in eu-central-1 should exist
+     ✔  VPC vpc-071b6f0c69d1d0311 in eu-central-1 should be available
+     ✔  VPC vpc-807dfdeb in eu-central-1 should exist
+     ✔  VPC vpc-807dfdeb in eu-central-1 should be available
+     ✔  VPC vpc-0be54a71311bc362d in eu-central-1 should exist
+     ✔  VPC vpc-0be54a71311bc362d in eu-central-1 should be available
+     ✔  VPC vpc-f060cd8b in us-east-1 should exist
+     ✔  VPC vpc-f060cd8b in us-east-1 should be available
+     ✔  VPC vpc-0c3a7e116c58d714b in us-east-1 should exist
+     ✔  VPC vpc-0c3a7e116c58d714b in us-east-1 should be available
+     ✔  VPC vpc-047bff6c in us-east-2 should exist
+     ✔  VPC vpc-047bff6c in us-east-2 should be available
+     ✔  VPC vpc-93dd6ef4 in us-west-1 should exist
+     ✔  VPC vpc-93dd6ef4 in us-west-1 should be available
+     ✔  VPC vpc-2c0a6a55 in us-west-2 should exist
+     ✔  VPC vpc-2c0a6a55 in us-west-2 should be available
+
+
+Profile: Amazon Web Services  Resource Pack (inspec-aws)
+Version: 0.1.0
+Target:  aws://eu-west-2
+
+     No tests executed.
+
+Profile Summary: 3 successful controls, 0 control failures, 0 controls skipped
+Test Summary: 53 successful, 0 failures, 0 skipped
+```
+
+
+### Without Supplying a VPC Identifier 
+
+If no VPC identifier is supplied, the 'aws-single-vpc-exists-check' control is skipped and the other control runs.  The `attributes.yml` file does not have to be specified to InSpec in this case.
+
+```
+$ cd my-profile/
+$ inspec exec . -t aws://  
+
+Profile: AWS InSpec Profile (my-profile)
+Version: 0.1.0
+Target:  aws://eu-west-2
+
+  ↺  aws-single-vpc-exists-check: Check to see if custom VPC exists.
+     ↺  Skipped control due to only_if condition.
+  ✔  aws-vpcs-check: Check in all the VPCs for default sg not allowing 22 inwards
+     ✔  EC2 Security Group sg-067cd21e928c3a2f1 should allow in {:port=>22}
+     ✔  EC2 Security Group sg-9bb3b9f3 should allow in {:port=>22}
+  ✔  aws-vpcs-multi-region-status-check: Check AWS VPCs in all regions have status "available"
+     ✔  VPC vpc-6458b70d in eu-north-1 should exist
+     ✔  VPC vpc-6458b70d in eu-north-1 should be available
+     ✔  VPC vpc-8d1390e5 in ap-south-1 should exist
+     ✔  VPC vpc-8d1390e5 in ap-south-1 should be available
+     ✔  VPC vpc-07a71d6e in eu-west-3 should exist
+     ✔  VPC vpc-07a71d6e in eu-west-3 should be available
+     ✔  VPC vpc-021630e2e767412b5 in eu-west-2 should exist
+     ✔  VPC vpc-021630e2e767412b5 in eu-west-2 should be available
+     ✔  VPC vpc-1ea06476 in eu-west-2 should exist
+     ✔  VPC vpc-1ea06476 in eu-west-2 should be available
+     ✔  VPC vpc-169dee70 in eu-west-1 should exist
+     ✔  VPC vpc-169dee70 in eu-west-1 should be available
+     ✔  VPC vpc-01ac7ba0be447a1c4 in eu-west-1 should exist
+     ✔  VPC vpc-01ac7ba0be447a1c4 in eu-west-1 should be available
+     ✔  VPC vpc-09ff83d71da9d2b6e in eu-west-1 should exist
+     ✔  VPC vpc-09ff83d71da9d2b6e in eu-west-1 should be available
+     ✔  VPC vpc-0ebccac2337a90f13 in eu-west-1 should exist
+     ✔  VPC vpc-0ebccac2337a90f13 in eu-west-1 should be available
+     ✔  VPC vpc-c2a53da4 in eu-west-1 should exist
+     ✔  VPC vpc-c2a53da4 in eu-west-1 should be available
+     ✔  VPC vpc-4fb3f127 in ap-northeast-2 should exist
+     ✔  VPC vpc-4fb3f127 in ap-northeast-2 should be available
+     ✔  VPC vpc-0804856f in ap-northeast-1 should exist
+     ✔  VPC vpc-0804856f in ap-northeast-1 should be available
+     ✔  VPC vpc-ccb917ab in sa-east-1 should exist
+     ✔  VPC vpc-ccb917ab in sa-east-1 should be available
+     ✔  VPC vpc-0afcc60c70a30a615 in ca-central-1 should exist
+     ✔  VPC vpc-0afcc60c70a30a615 in ca-central-1 should be available
+     ✔  VPC vpc-20a25048 in ca-central-1 should exist
+     ✔  VPC vpc-20a25048 in ca-central-1 should be available
+     ✔  VPC vpc-5896143f in ap-southeast-1 should exist
+     ✔  VPC vpc-5896143f in ap-southeast-1 should be available
+     ✔  VPC vpc-47972220 in ap-southeast-2 should exist
+     ✔  VPC vpc-47972220 in ap-southeast-2 should be available
+     ✔  VPC vpc-071b6f0c69d1d0311 in eu-central-1 should exist
+     ✔  VPC vpc-071b6f0c69d1d0311 in eu-central-1 should be available
+     ✔  VPC vpc-807dfdeb in eu-central-1 should exist
+     ✔  VPC vpc-807dfdeb in eu-central-1 should be available
+     ✔  VPC vpc-0be54a71311bc362d in eu-central-1 should exist
+     ✔  VPC vpc-0be54a71311bc362d in eu-central-1 should be available
+     ✔  VPC vpc-f060cd8b in us-east-1 should exist
+     ✔  VPC vpc-f060cd8b in us-east-1 should be available
+     ✔  VPC vpc-0c3a7e116c58d714b in us-east-1 should exist
+     ✔  VPC vpc-0c3a7e116c58d714b in us-east-1 should be available
+     ✔  VPC vpc-047bff6c in us-east-2 should exist
+     ✔  VPC vpc-047bff6c in us-east-2 should be available
+     ✔  VPC vpc-93dd6ef4 in us-west-1 should exist
+     ✔  VPC vpc-93dd6ef4 in us-west-1 should be available
+     ✔  VPC vpc-2c0a6a55 in us-west-2 should exist
+     ✔  VPC vpc-2c0a6a55 in us-west-2 should be available
+
+
+Profile: Amazon Web Services  Resource Pack (inspec-aws)
+Version: 0.1.0
+Target:  aws://eu-west-2
+
+     No tests executed.
+
+Profile Summary: 2 successful controls, 0 control failures, 1 control skipped
+Test Summary: 52 successful, 0 failures, 1 skipped
+```

data/lib/plugins/inspec-init/templates/profiles/aws/attributes.yml

@@ -0,0 +1,2 @@
+# Below is to be uncommented and set with your AWS Custom VPC ID:
+# aws_vpc_id: 'vpc-xxxxxxx'

data/lib/plugins/inspec-init/templates/profiles/aws/controls/example.rb

@@ -0,0 +1,39 @@
+# copyright: 2018, The Authors
+
+title "Sample Section"
+
+aws_vpc_id = attribute("aws_vpc_id", default: "", description: "Optional AWS VPC identifier.")
+
+# You add controls here
+control "aws-single-vpc-exists-check" do # A unique ID for this control.
+  only_if { aws_vpc_id != "" } # Only run this control if the `aws_vpc_id` attribute is provided.
+  impact 1.0                                                                # The criticality, if this control fails.
+  title "Check to see if custom VPC exists."                                # A human-readable title.
+  describe aws_vpc(aws_vpc_id) do                                           # The test itself.
+    it { should exist }
+  end
+end
+
+# Plural resources can be inspected to check for specific resource details.
+control "aws-vpcs-check" do
+  impact 1.0
+  title "Check in all the VPCs for default sg not allowing 22 inwards"
+  aws_vpcs.vpc_ids.each do |vpc_id|
+    describe aws_security_group(vpc_id: vpc_id, group_name: "default") do
+      it { should allow_in(port: 22) }
+    end
+  end
+end
+
+control "aws-vpcs-multi-region-status-check" do                             # A unique ID for this control.
+  impact 1.0                                                                # The criticality, if this control fails.
+  title 'Check AWS VPCs in all regions have status "available"'             # A human-readable title.
+  aws_regions.region_names.each do |region|                                 # Loop over all available AWS regions
+    aws_vpcs(aws_region: region).vpc_ids.each do |vpc|                      # Find all VPCs in a single AWS region
+      describe aws_vpc(aws_region: region, vpc_id: vpc) do                  # The test itself.
+        it { should exist }                                                 # Confirms AWS VPC exists
+        it { should be_available }                                          # Confirms AWS VPC has status "available"
+      end
+    end
+  end
+end

data/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml

@@ -0,0 +1,22 @@
+name: <%= name %>
+title: AWS InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile For AWS
+version: 0.1.0
+inspec_version: '~> 4'
+attributes:
+- name: aws_vpc_id
+  required: false
+  # Below is deliberately left as a default empty string to allow the profile to run when this is not provided.
+  # Please see the README for more details.
+  default: ''
+  description: 'Optional Custom AWS VPC Id'
+  type: string
+depends:
+  - name: inspec-aws
+    url: https://github.com/inspec/inspec-aws/archive/master.tar.gz
+supports:
+  - platform: aws

data/lib/plugins/inspec-init/templates/profiles/azure/README.md

@@ -0,0 +1,56 @@
+# Example InSpec Profile For Azure
+
+This example shows the implementation of an InSpec profile for Azure. See [https://github.com/inspec/inspec-azure](https://github.com/inspec/inspec-azure) for details on how to configure credentials for your subscription.
+
+##  Create a profile 
+
+```
+$ inspec init profile --platform azure my-profile
+
+ ─────────────────────────── InSpec Code Generator ───────────────────────────
+
+Creating new profile at /Users/spaterson/my-profile
+ • Creating directory libraries
+ • Creating file README.md
+ • Creating directory controls
+ • Creating file controls/example.rb
+ • Creating file inspec.yml
+ • Creating file libraries/.gitkeep
+ 
+```
+
+## Run the tests
+
+```
+$ cd  my-profile/
+$ inspec exec . -t azure://
+
+
+Profile: Azure InSpec Profile (my-profile)
+Version: 0.1.0
+Target:  azure://12345abc-987d-654e-fg21-abcdef23324r
+
+  ×  azure-virtual-machines-exist-check: Check resource groups to see if any VMs exist. (4 failed)
+     ×  Azure Virtual Machines should exist
+     expected Azure Virtual Machines to exist
+     ×  Azure Virtual Machines should exist
+     expected Azure Virtual Machines to exist
+     ×  Azure Virtual Machines should exist
+     expected Azure Virtual Machines to exist
+     ×  Azure Virtual Machines should exist
+     expected Azure Virtual Machines to exist
+     ✔  Azure Virtual Machines should exist
+     ✔  Azure Virtual Machines should exist
+     ✔  Azure Virtual Machines should exist
+
+
+Profile: Azure Resource Pack (inspec-azure)
+Version: 1.2.0
+Target:  azure://12345abc-987d-654e-fg21-abcdef23324r
+
+     No tests executed.
+
+Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
+Test Summary: 3 successful, 4 failures, 0 skipped
+
+```

data/lib/plugins/inspec-init/templates/profiles/azure/controls/example.rb

@@ -0,0 +1,14 @@
+# copyright: 2018, The Authors
+
+title "Sample Section"
+
+# you add controls here
+control "azure-virtual-machines-exist-check" do                                # A unique ID for this control.
+  impact 1.0                                                                   # The criticality, if this control fails.
+  title "Check resource groups to see if any VMs exist."                       # A human-readable title
+  azurerm_resource_groups.names.each do |resource_group_name|                  # Plural resources can be leveraged to loop across many resources
+    describe azurerm_virtual_machines(resource_group: resource_group_name) do
+      it { should exist } # The test itself.
+    end
+  end
+end

data/lib/plugins/inspec-init/templates/profiles/azure/inspec.yml

@@ -0,0 +1,14 @@
+name: <%= name %>
+title: Azure InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile For Azure
+version: 0.1.0
+inspec_version: '>= 2.2.7'
+depends:
+- name: inspec-azure
+  url: https://github.com/inspec/inspec-azure/archive/master.tar.gz
+supports:
+- platform: azure

data/lib/plugins/inspec-init/templates/profiles/gcp/README.md

@@ -0,0 +1,66 @@
+# Example InSpec Profile For GCP
+
+This example shows the implementation of an InSpec profile for GCP that depends on the [InSpec GCP Resource Pack](https://github.com/inspec/inspec-gcp).  See the [README](https://github.com/inspec/inspec-gcp) for instructions on setting up appropriate GCP credentials.
+
+##  Create a profile 
+
+```
+$ inspec init profile --platform gcp my-profile
+Create new profile at /Users/spaterson/my-profile
+ * Create directory libraries
+ * Create file README.md
+ * Create directory controls
+ * Create file controls/example.rb
+ * Create file inspec.yml
+ * Create file attributes.yml
+ * Create file libraries/.gitkeep 
+ 
+```
+
+## Update `attributes.yml` to point to your project
+
+```
+gcp_project_id: 'my-gcp-project'
+```
+
+## Run the tests
+
+```
+$ cd gcp-profile/
+$ inspec exec . -t gcp:// --attrs attributes.yml
+
+Profile: GCP InSpec Profile (my-profile)
+Version: 0.1.0
+Target:  gcp://local-service-account@my-gcp-project.iam.gserviceaccount.com
+
+  ✔  gcp-single-region-1.0: Ensure single region has the correct properties.
+     ✔  Region europe-west2 zone_names should include "europe-west2-a"
+  ✔  gcp-regions-loop-1.0: Ensure regions have the correct properties in bulk.
+     ✔  Region asia-east1 should be up
+     ✔  Region asia-northeast1 should be up
+     ✔  Region asia-south1 should be up
+     ✔  Region asia-southeast1 should be up
+     ✔  Region australia-southeast1 should be up
+     ✔  Region europe-north1 should be up
+     ✔  Region europe-west1 should be up
+     ✔  Region europe-west2 should be up
+     ✔  Region europe-west3 should be up
+     ✔  Region europe-west4 should be up
+     ✔  Region northamerica-northeast1 should be up
+     ✔  Region southamerica-east1 should be up
+     ✔  Region us-central1 should be up
+     ✔  Region us-east1 should be up
+     ✔  Region us-east4 should be up
+     ✔  Region us-west1 should be up
+     ✔  Region us-west2 should be up
+
+
+Profile: Google Cloud Platform Resource Pack (inspec-gcp)
+Version: 0.5.0
+Target:  gcp://local-service-account@my-gcp-project.iam.gserviceaccount.com
+
+     No tests executed.
+
+Profile Summary: 2 successful controls, 0 control failures, 0 controls skipped
+Test Summary: 18 successful, 0 failures, 0 skipped
+```