inspec-core 4.24.28 → 4.28.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +6 -2
- data/inspec-core.gemspec +4 -3
- data/lib/inspec/base_cli.rb +5 -1
- data/lib/inspec/cli.rb +14 -0
- data/lib/inspec/config.rb +14 -1
- data/lib/inspec/profile_context.rb +3 -0
- data/lib/inspec/resources/auditd_conf.rb +2 -0
- data/lib/inspec/resources/crontab.rb +8 -2
- data/lib/inspec/resources/nginx_conf.rb +39 -0
- data/lib/inspec/resources/oracledb_session.rb +1 -1
- data/lib/inspec/resources/ssh_config.rb +25 -3
- data/lib/inspec/runner_rspec.rb +1 -1
- data/lib/inspec/utils/run_data_filters.rb +9 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +1 -1
- metadata +31 -11
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: f7e64d5cc4ef40dc18b0c488e88c804425403123a38ed5bdfbeac8e4e26c4f02
|
4
|
+
data.tar.gz: 1b953e8cf39b218bed69e379bb5f03d92ae7bde3f402de1a17bfee2a7c67f58d
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9f6b97c6cc9e7d23f64a5f5b9666831e6a1577ad164ce3b32a3bff3ce24b628be65f0b60894681aa9d408ce989355d5da946bc87f67ec51ca4679e04be2f0b77
|
7
|
+
data.tar.gz: 246ddd83d0af2e3ce069deb932451c0eb905e2e73dc5255b8ce574e862115b03e30cfc92a9cda0611a996d1d00ddb3895a7284cb44aa66677e4fea932bff9d09
|
data/Gemfile
CHANGED
@@ -16,6 +16,10 @@ if Gem.ruby_version.to_s.start_with?("2.5")
|
|
16
16
|
gem "chef-utils", "< 16.7.23" # TODO: remove when we drop ruby 2.5
|
17
17
|
end
|
18
18
|
|
19
|
+
# inspec tests depend text output that changed in the 3.10 release
|
20
|
+
# but our runtime dep is still 3.9+
|
21
|
+
gem "rspec", ">= 3.10"
|
22
|
+
|
19
23
|
group :omnibus do
|
20
24
|
gem "rb-readline"
|
21
25
|
gem "appbundler"
|
@@ -24,10 +28,10 @@ group :omnibus do
|
|
24
28
|
end
|
25
29
|
|
26
30
|
group :test do
|
27
|
-
gem "chefstyle", "~> 1.
|
31
|
+
gem "chefstyle", "~> 1.7.1"
|
28
32
|
gem "concurrent-ruby", "~> 1.0"
|
29
33
|
gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
|
30
|
-
gem "json_schemer", ">= 0.2.1", "< 0.2.
|
34
|
+
gem "json_schemer", ">= 0.2.1", "< 0.2.19"
|
31
35
|
gem "m"
|
32
36
|
gem "minitest-sprint", "~> 1.0"
|
33
37
|
gem "minitest", "~> 5.5"
|
data/inspec-core.gemspec
CHANGED
@@ -28,19 +28,20 @@ Gem::Specification.new do |spec|
|
|
28
28
|
spec.add_dependency "thor", ">= 0.20", "< 2.0"
|
29
29
|
spec.add_dependency "method_source", ">= 0.8", "< 2.0"
|
30
30
|
spec.add_dependency "rubyzip", ">= 1.2.2", "< 3.0"
|
31
|
-
spec.add_dependency "rspec", "
|
31
|
+
spec.add_dependency "rspec", ">= 3.9", "< 3.11"
|
32
32
|
spec.add_dependency "rspec-its", "~> 1.2"
|
33
33
|
spec.add_dependency "pry", "~> 0.13"
|
34
34
|
spec.add_dependency "hashie", ">= 3.4", "< 5.0"
|
35
35
|
spec.add_dependency "mixlib-log", "~> 3.0"
|
36
36
|
spec.add_dependency "sslshake", "~> 1.2"
|
37
37
|
spec.add_dependency "parallel", "~> 1.9"
|
38
|
-
spec.add_dependency "faraday", ">= 0.9.0", "< 1.
|
38
|
+
spec.add_dependency "faraday", ">= 0.9.0", "< 1.4"
|
39
|
+
spec.add_dependency "faraday_middleware", "~> 1.0"
|
39
40
|
spec.add_dependency "tty-table", "~> 0.10"
|
40
41
|
spec.add_dependency "tty-prompt", "~> 0.17"
|
41
42
|
spec.add_dependency "tomlrb", ">= 1.2", "< 2.1"
|
42
43
|
spec.add_dependency "addressable", "~> 2.4"
|
43
|
-
spec.add_dependency "parslet", ">= 1.5", "<
|
44
|
+
spec.add_dependency "parslet", ">= 1.5", "< 2.0" # Pinned < 2.0, see #5389
|
44
45
|
spec.add_dependency "semverse", "~> 3.0"
|
45
46
|
spec.add_dependency "multipart-post", "~> 2.0"
|
46
47
|
|
data/lib/inspec/base_cli.rb
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
require "thor"
|
1
|
+
require "thor" # rubocop:disable Chef/Ruby/UnlessDefinedRequire
|
2
2
|
require "inspec/log"
|
3
3
|
require "inspec/ui"
|
4
4
|
require "inspec/config"
|
@@ -118,6 +118,8 @@ module Inspec
|
|
118
118
|
desc: "Disable SSL verification on select targets"
|
119
119
|
option :target_id, type: :string,
|
120
120
|
desc: "Provide a ID which will be included on reports"
|
121
|
+
option :winrm_shell_type, type: :string, default: "powershell",
|
122
|
+
desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
|
121
123
|
end
|
122
124
|
|
123
125
|
def self.profile_options
|
@@ -162,6 +164,8 @@ module Inspec
|
|
162
164
|
desc: "Use --no-diff to suppress 'diff' output of failed textual test results."
|
163
165
|
option :sort_results_by, type: :string, default: "file", banner: "--sort-results-by=none|control|file|random",
|
164
166
|
desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
|
167
|
+
option :filter_empty_profiles, type: :boolean, default: false,
|
168
|
+
desc: "Filter empty profiles (profiles without controls) from the report."
|
165
169
|
end
|
166
170
|
|
167
171
|
def self.help(*args)
|
data/lib/inspec/cli.rb
CHANGED
@@ -395,6 +395,20 @@ class Inspec::InspecCLI < Inspec::BaseCLI
|
|
395
395
|
end
|
396
396
|
map %w{-v --version} => :version
|
397
397
|
|
398
|
+
desc "clear_cache", "clears the InSpec cache. Useful for debugging."
|
399
|
+
option :vendor_cache, type: :string,
|
400
|
+
desc: "Use the given path for caching dependencies. (default: ~/.inspec/cache)"
|
401
|
+
def clear_cache
|
402
|
+
o = config
|
403
|
+
configure_logger(o)
|
404
|
+
cache_path = o[:vendor_cache] || "~/.inspec/cache"
|
405
|
+
FileUtils.rm_r Dir.glob(File.expand_path(cache_path))
|
406
|
+
|
407
|
+
o[:logger] = Logger.new($stdout)
|
408
|
+
o[:logger].level = get_log_level(o[:log_level])
|
409
|
+
o[:logger].info "== InSpec cache cleared successfully =="
|
410
|
+
end
|
411
|
+
|
398
412
|
private
|
399
413
|
|
400
414
|
def run_command(opts)
|
data/lib/inspec/config.rb
CHANGED
@@ -128,12 +128,25 @@ module Inspec
|
|
128
128
|
end
|
129
129
|
|
130
130
|
#-----------------------------------------------------------------------#
|
131
|
-
#
|
131
|
+
# Handling Plugin Data
|
132
132
|
#-----------------------------------------------------------------------#
|
133
133
|
def fetch_plugin_config(plugin_name)
|
134
134
|
Thor::CoreExt::HashWithIndifferentAccess.new(@plugin_cfg[plugin_name] || {})
|
135
135
|
end
|
136
136
|
|
137
|
+
def set_plugin_config(plugin_name, plugin_config)
|
138
|
+
plugin_name = plugin_name.to_s unless plugin_name.is_a? String
|
139
|
+
|
140
|
+
@plugin_cfg[plugin_name] = plugin_config
|
141
|
+
end
|
142
|
+
|
143
|
+
def merge_plugin_config(plugin_name, additional_plugin_config)
|
144
|
+
plugin_name = plugin_name.to_s unless plugin_name.is_a? String
|
145
|
+
|
146
|
+
@plugin_cfg[plugin_name] = {} if @plugin_cfg[plugin_name].nil?
|
147
|
+
@plugin_cfg[plugin_name].merge!(additional_plugin_config)
|
148
|
+
end
|
149
|
+
|
137
150
|
# clear the cached config
|
138
151
|
def self.__reset
|
139
152
|
@cached_config = nil
|
@@ -67,8 +67,14 @@ module Inspec::Resources
|
|
67
67
|
end
|
68
68
|
|
69
69
|
def crontab_cmd
|
70
|
-
|
71
|
-
|
70
|
+
if @user.nil?
|
71
|
+
"crontab -l"
|
72
|
+
elsif inspec.os.aix?
|
73
|
+
"crontab -l #{@user}"
|
74
|
+
else
|
75
|
+
# TODO: the -u scenario needs to be able to do sudo
|
76
|
+
"crontab -l -u #{@user}"
|
77
|
+
end
|
72
78
|
end
|
73
79
|
|
74
80
|
filter = FilterTable.create
|
@@ -54,6 +54,21 @@ module Inspec::Resources
|
|
54
54
|
"nginx_conf #{@conf_path}"
|
55
55
|
end
|
56
56
|
|
57
|
+
def method_missing(name)
|
58
|
+
return super if name.to_s.match?(/^to_/)
|
59
|
+
|
60
|
+
v = params[name.to_s]
|
61
|
+
return v.flatten unless v.nil?
|
62
|
+
|
63
|
+
nil
|
64
|
+
end
|
65
|
+
|
66
|
+
def respond_to_missing?(name, include_all = false)
|
67
|
+
return super if name.to_s.match?(/^to_/)
|
68
|
+
|
69
|
+
true
|
70
|
+
end
|
71
|
+
|
57
72
|
private
|
58
73
|
|
59
74
|
def read_content(path)
|
@@ -175,6 +190,18 @@ module Inspec::Resources
|
|
175
190
|
end
|
176
191
|
alias inspect to_s
|
177
192
|
|
193
|
+
def method_missing(name)
|
194
|
+
return super if name.to_s.match?(/^to_/)
|
195
|
+
|
196
|
+
(@params[name.to_s] || []).flatten
|
197
|
+
end
|
198
|
+
|
199
|
+
def respond_to_missing?(name, include_all = false)
|
200
|
+
return super if name.to_s.match?(/^to_/)
|
201
|
+
|
202
|
+
true
|
203
|
+
end
|
204
|
+
|
178
205
|
private
|
179
206
|
|
180
207
|
def server_table
|
@@ -207,6 +234,18 @@ module Inspec::Resources
|
|
207
234
|
end
|
208
235
|
alias inspect to_s
|
209
236
|
|
237
|
+
def method_missing(name)
|
238
|
+
return super if name.to_s.match?(/^to_/)
|
239
|
+
|
240
|
+
(@params[name.to_s] || []).flatten
|
241
|
+
end
|
242
|
+
|
243
|
+
def respond_to_missing?(name, include_all = false)
|
244
|
+
return super if name.to_s.match?(/^to_/)
|
245
|
+
|
246
|
+
true
|
247
|
+
end
|
248
|
+
|
210
249
|
private
|
211
250
|
|
212
251
|
def location_table
|
@@ -48,7 +48,7 @@ module Inspec::Resources
|
|
48
48
|
format_options = "set sqlformat csv\nSET FEEDBACK OFF"
|
49
49
|
else
|
50
50
|
@bin = "#{@sqlplus_bin} -S"
|
51
|
-
format_options = "SET
|
51
|
+
format_options = "SET PAGESIZE 32000\nSET FEEDBACK OFF\nSET UNDERLINE OFF"
|
52
52
|
end
|
53
53
|
|
54
54
|
command = command_builder(format_options, sql)
|
@@ -7,6 +7,7 @@ module Inspec::Resources
|
|
7
7
|
class SshConfig < Inspec.resource(1)
|
8
8
|
name "ssh_config"
|
9
9
|
supports platform: "unix"
|
10
|
+
supports platform: "windows"
|
10
11
|
desc "Use the `ssh_config` InSpec audit resource to test OpenSSH client configuration data located at `/etc/ssh/ssh_config` on Linux and Unix platforms."
|
11
12
|
example <<~EXAMPLE
|
12
13
|
describe ssh_config do
|
@@ -19,7 +20,7 @@ module Inspec::Resources
|
|
19
20
|
include FileReader
|
20
21
|
|
21
22
|
def initialize(conf_path = nil, type = nil)
|
22
|
-
@conf_path = conf_path || "
|
23
|
+
@conf_path = conf_path || ssh_config_file("ssh_config")
|
23
24
|
typename = (@conf_path.include?("sshd") ? "Server" : "Client")
|
24
25
|
@type = type || "SSH #{typename} configuration #{conf_path}"
|
25
26
|
read_content
|
@@ -38,7 +39,7 @@ module Inspec::Resources
|
|
38
39
|
def convert_hash(hash)
|
39
40
|
new_hash = {}
|
40
41
|
hash.each do |k, v|
|
41
|
-
new_hash[k.downcase]
|
42
|
+
new_hash[k.downcase] ||= v
|
42
43
|
end
|
43
44
|
new_hash
|
44
45
|
end
|
@@ -75,11 +76,21 @@ module Inspec::Resources
|
|
75
76
|
)
|
76
77
|
@params = convert_hash(conf.params)
|
77
78
|
end
|
79
|
+
|
80
|
+
def ssh_config_file(type)
|
81
|
+
if inspec.os.windows?
|
82
|
+
programdata = inspec.os_env("programdata").content
|
83
|
+
return "#{programdata}\\ssh\\#{type}"
|
84
|
+
end
|
85
|
+
|
86
|
+
"/etc/ssh/#{type}"
|
87
|
+
end
|
78
88
|
end
|
79
89
|
|
80
90
|
class SshdConfig < SshConfig
|
81
91
|
name "sshd_config"
|
82
92
|
supports platform: "unix"
|
93
|
+
supports platform: "windows"
|
83
94
|
desc "Use the sshd_config InSpec audit resource to test configuration data for the Open SSH daemon located at /etc/ssh/sshd_config on Linux and UNIX platforms. sshd---the Open SSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges."
|
84
95
|
example <<~EXAMPLE
|
85
96
|
describe sshd_config do
|
@@ -88,11 +99,22 @@ module Inspec::Resources
|
|
88
99
|
EXAMPLE
|
89
100
|
|
90
101
|
def initialize(path = nil)
|
91
|
-
super(path || "
|
102
|
+
super(path || ssh_config_file("sshd_config"))
|
92
103
|
end
|
93
104
|
|
94
105
|
def to_s
|
95
106
|
"SSHD Configuration"
|
96
107
|
end
|
108
|
+
|
109
|
+
private
|
110
|
+
|
111
|
+
def ssh_config_file(type)
|
112
|
+
if inspec.os.windows?
|
113
|
+
programdata = inspec.os_env("programdata").content
|
114
|
+
return "#{programdata}\\ssh\\#{type}"
|
115
|
+
end
|
116
|
+
|
117
|
+
"/etc/ssh/#{type}"
|
118
|
+
end
|
97
119
|
end
|
98
120
|
end
|
data/lib/inspec/runner_rspec.rb
CHANGED
@@ -5,7 +5,7 @@ require "matchers/matchers"
|
|
5
5
|
require "inspec/rspec_extensions"
|
6
6
|
|
7
7
|
# There be dragons!! Or borgs, or something...
|
8
|
-
# This file and all its contents cannot be unit-tested. both test-
|
8
|
+
# This file and all its contents cannot be unit-tested. both test-suites
|
9
9
|
# collide and disable all unit tests that have been added.
|
10
10
|
|
11
11
|
module Inspec
|
@@ -13,6 +13,7 @@ module Inspec
|
|
13
13
|
def apply_run_data_filters_to_hash
|
14
14
|
@config[:runtime_config] = Inspec::Config.cached || {}
|
15
15
|
apply_report_resize_options
|
16
|
+
filter_empty_profiles
|
16
17
|
redact_sensitive_inputs
|
17
18
|
suppress_diff_output
|
18
19
|
sort_controls
|
@@ -36,6 +37,14 @@ module Inspec
|
|
36
37
|
end
|
37
38
|
end
|
38
39
|
|
40
|
+
# Filters profiles from report which don't have controls in it.
|
41
|
+
def filter_empty_profiles
|
42
|
+
runtime_config = @config[:runtime_config]
|
43
|
+
if runtime_config[:filter_empty_profiles] && @run_data[:profiles].count > 1
|
44
|
+
@run_data[:profiles].delete_if { |p| p[:controls].empty? }
|
45
|
+
end
|
46
|
+
end
|
47
|
+
|
39
48
|
# Find any inputs with :sensitive = true and replace their values with "***"
|
40
49
|
def redact_sensitive_inputs
|
41
50
|
@run_data[:profiles]&.each do |p|
|
data/lib/inspec/version.rb
CHANGED
data/lib/matchers/matchers.rb
CHANGED
@@ -287,7 +287,7 @@ RSpec::Matchers.define :cmp do |first_expected| # rubocop:disable Metrics/BlockL
|
|
287
287
|
end
|
288
288
|
|
289
289
|
def format_actual(actual)
|
290
|
-
actual = "0%o" % actual if octal?(@expected)
|
290
|
+
actual = "0%o" % actual if octal?(@expected) && !actual.nil?
|
291
291
|
"\n%s\n got: %s\n\n(compared using `cmp` matcher)\n" % [format_expectation(false), actual]
|
292
292
|
end
|
293
293
|
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: inspec-core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 4.
|
4
|
+
version: 4.28.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Chef InSpec Team
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-03-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: chef-telemetry
|
@@ -108,16 +108,22 @@ dependencies:
|
|
108
108
|
name: rspec
|
109
109
|
requirement: !ruby/object:Gem::Requirement
|
110
110
|
requirements:
|
111
|
-
- - "
|
111
|
+
- - ">="
|
112
|
+
- !ruby/object:Gem::Version
|
113
|
+
version: '3.9'
|
114
|
+
- - "<"
|
112
115
|
- !ruby/object:Gem::Version
|
113
|
-
version: '3.
|
116
|
+
version: '3.11'
|
114
117
|
type: :runtime
|
115
118
|
prerelease: false
|
116
119
|
version_requirements: !ruby/object:Gem::Requirement
|
117
120
|
requirements:
|
118
|
-
- - "
|
121
|
+
- - ">="
|
122
|
+
- !ruby/object:Gem::Version
|
123
|
+
version: '3.9'
|
124
|
+
- - "<"
|
119
125
|
- !ruby/object:Gem::Version
|
120
|
-
version: '3.
|
126
|
+
version: '3.11'
|
121
127
|
- !ruby/object:Gem::Dependency
|
122
128
|
name: rspec-its
|
123
129
|
requirement: !ruby/object:Gem::Requirement
|
@@ -217,7 +223,7 @@ dependencies:
|
|
217
223
|
version: 0.9.0
|
218
224
|
- - "<"
|
219
225
|
- !ruby/object:Gem::Version
|
220
|
-
version: '1.
|
226
|
+
version: '1.4'
|
221
227
|
type: :runtime
|
222
228
|
prerelease: false
|
223
229
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -227,7 +233,21 @@ dependencies:
|
|
227
233
|
version: 0.9.0
|
228
234
|
- - "<"
|
229
235
|
- !ruby/object:Gem::Version
|
230
|
-
version: '1.
|
236
|
+
version: '1.4'
|
237
|
+
- !ruby/object:Gem::Dependency
|
238
|
+
name: faraday_middleware
|
239
|
+
requirement: !ruby/object:Gem::Requirement
|
240
|
+
requirements:
|
241
|
+
- - "~>"
|
242
|
+
- !ruby/object:Gem::Version
|
243
|
+
version: '1.0'
|
244
|
+
type: :runtime
|
245
|
+
prerelease: false
|
246
|
+
version_requirements: !ruby/object:Gem::Requirement
|
247
|
+
requirements:
|
248
|
+
- - "~>"
|
249
|
+
- !ruby/object:Gem::Version
|
250
|
+
version: '1.0'
|
231
251
|
- !ruby/object:Gem::Dependency
|
232
252
|
name: tty-table
|
233
253
|
requirement: !ruby/object:Gem::Requirement
|
@@ -299,7 +319,7 @@ dependencies:
|
|
299
319
|
version: '1.5'
|
300
320
|
- - "<"
|
301
321
|
- !ruby/object:Gem::Version
|
302
|
-
version: '
|
322
|
+
version: '2.0'
|
303
323
|
type: :runtime
|
304
324
|
prerelease: false
|
305
325
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -309,7 +329,7 @@ dependencies:
|
|
309
329
|
version: '1.5'
|
310
330
|
- - "<"
|
311
331
|
- !ruby/object:Gem::Version
|
312
|
-
version: '
|
332
|
+
version: '2.0'
|
313
333
|
- !ruby/object:Gem::Dependency
|
314
334
|
name: semverse
|
315
335
|
requirement: !ruby/object:Gem::Requirement
|
@@ -750,7 +770,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
750
770
|
- !ruby/object:Gem::Version
|
751
771
|
version: '0'
|
752
772
|
requirements: []
|
753
|
-
rubygems_version: 3.
|
773
|
+
rubygems_version: 3.1.4
|
754
774
|
signing_key:
|
755
775
|
specification_version: 4
|
756
776
|
summary: Infrastructure and compliance testing. Core library.
|