inspec-core 4.33.1 → 4.37.20

data/lib/inspec/resources/selinux.rb

@@ -0,0 +1,154 @@
+require "inspec/resources/command"
+require "inspec/utils/filter"
+
+module Inspec::Resources
+  class SelinuxModuleFilter
+    # use filtertable for SELinux Modules
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:names, field: :name)
+    filter.register_column(:status, field: :status)
+    filter.register_column(:states, field: :state)
+    filter.register_column(:priorities , field: :priority)
+    filter.register_custom_matcher(:enabled?) { |x| x.states[0] == "enabled" }
+    filter.register_custom_matcher(:installed?) { |x| x.status[0] == "installed" }
+    filter.install_filter_methods_on_resource(self, :modules)
+
+    attr_reader :modules
+    def initialize(modules)
+      @modules = modules
+    end
+
+    def to_s
+      "SELinux modules"
+    end
+  end
+
+  class SelinuxBooleanFilter
+    # use filtertable for SELinux Booleans
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:names, field: :name)
+    filter.register_column(:states, field: :state)
+    filter.register_column(:defaults, field: :default)
+    filter.register_custom_matcher(:on?) { |x| x.states[0] == "on" }
+    filter.install_filter_methods_on_resource(self, :booleans)
+
+    attr_reader :booleans
+    def initialize(booleans)
+      @booleans = booleans
+    end
+
+    def to_s
+      "SELinux booleans"
+    end
+  end
+
+  class Selinux < Inspec.resource(1)
+    name "selinux"
+    supports platform: "linux"
+
+    desc "Use the selinux Chef InSpec resource to test the configuration data of the SELinux policy, SELinux modules, and SELinux booleans."
+
+    example <<~EXAMPLE
+      describe selinux do
+        it { should be_installed }
+        it { should be_disabled }
+        it { should be_permissive }
+        it { should be_enforcing }
+      end
+
+      describe selinux do
+        its('policy') { should eq "targeted"}
+      end
+
+      describe selinux.modules.where("zebra") do
+        it { should exist }
+        it { should be_installed }
+        it { should be_enabled }
+      end
+
+      describe selinux.modules.where(status: "installed") do
+        it { should exist }
+        its('count') { should cmp 404 }
+      end
+
+      describe selinux.booleans.where(name: "xend_run_blktap") do
+        it { should be_on }
+      end
+
+      describe selinux.booleans.where { name == "xend_run_blktap" && state == "on" } do
+       it { should exist }
+      end
+    EXAMPLE
+
+    def initialize(selinux_path = "/etc/selinux/config")
+      @path = selinux_path
+      cmd = inspec.command("sestatus")
+
+      if cmd.exit_status != 0
+        # `sestatus` command not found error message comes in stdout so handling both here
+        out = cmd.stdout + "\n" + cmd.stderr
+        return skip_resource "Skipping resource: #{out}"
+      end
+
+      result = cmd.stdout.delete(" ").gsub(/\n/, ",").gsub(/\r/, "").downcase
+      @data = Hash[result.scan(/([^:]+):([^,]+)[,$]/)]
+    end
+
+    def installed?
+      inspec.file(@path).exist?
+    end
+
+    def disabled?
+      @data["selinuxstatus"] == "disabled"
+    end
+
+    def enforcing?
+      @data["currentmode"] == "enforcing"
+    end
+
+    def permissive?
+      @data["currentmode"] == "permissive"
+    end
+
+    def policy
+      @data["loadedpolicyname"]
+    end
+
+    def modules
+      SelinuxModuleFilter.new(parse_modules)
+    end
+
+    def booleans
+      SelinuxBooleanFilter.new(parse_booleans)
+    end
+
+    def to_s
+      "SELinux"
+    end
+
+    private
+
+    def parse_modules
+      raw_modules = inspec.command("semodule -lfull").stdout
+      r_modules = []
+      raw_modules.each_line do |entry|
+        data = entry.split.map(&:strip)
+        state = data.length == 4 ? data[3] : "enabled"
+        r_modules.push({ name: data[1], status: "installed", state: state, priority: data[0] })
+      end
+      r_modules
+    end
+
+    def parse_booleans
+      raw_booleans = inspec.command("semanage boolean -l -n").stdout
+      r_booleans = []
+      raw_booleans.each_line do |entry|
+        data = entry.scan(/([^(,)]+)/).flatten.map(&:strip)
+        r_booleans.push({ name: data[0], state: data[1], default: data[2] })
+      end
+      r_booleans
+    end
+  end
+end

data/lib/inspec/resources/users.rb

@@ -611,7 +611,7 @@ module Inspec::Resources
   # @see https://msdn.microsoft.com/en-us/library/aa394153(v=vs.85).aspx
   class WindowsUser < UserInfo
     def parse_windows_account(username)
-      account = username.split('\\')
+      account = username.split("\\")
       name = account.pop
       domain = account.pop unless account.empty?
       [name, domain]

data/lib/inspec/resources/windows_feature.rb

@@ -79,10 +79,11 @@ module Inspec::Resources
         result = cmd.stdout
         feature_name_regex = /Feature Name : (.*)(\r\n|\n)/
         description_regex = /Description : (.*)(\r\n|\n)/
+        state_regex = /State : (.*)(\r\n|\n)/
         feature_info = {
           name: result.match(feature_name_regex).captures[0].chomp,
           description: result.match(description_regex).captures[0].chomp,
-          installed: true,
+          installed: result.match(state_regex).captures[0].chomp == "Enabled",
         }
       end
 

data/lib/inspec/resources/windows_firewall_rule.rb

@@ -105,7 +105,7 @@ module Inspec::Resources
     # @see https://github.com/chef/chef/blob/master/lib/chef/resource/windows_firewall_rule.rb
     def load_firewall_state(rule_name)
       <<-EOH
-        Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+        Get-TypeData -TypeName System.Array | Remove-TypeData # workaround for PS bug here: https://bit.ly/2SRMQ8M
         $rule = Get-NetFirewallRule -Name "#{rule_name}"
         $addressFilter = $rule | Get-NetFirewallAddressFilter
         $portFilter = $rule | Get-NetFirewallPortFilter

data/lib/inspec/resources/zfs_dataset.rb

@@ -16,16 +16,20 @@ module Inspec::Resources
     EXAMPLE
 
     def initialize(zfs_dataset)
-      return skip_resource "The `zfs_dataset` resource is not supported on your OS yet." unless inspec.os.bsd?
+      return skip_resource "The `zfs_dataset` resource is not supported on your OS yet." unless inspec.os.bsd? || inspec.os.linux?
 
       @zfs_dataset = zfs_dataset
+      find_zfs = inspec.command("which zfs")
+      @zfs_cmd = find_zfs.stdout.strip
+
+      return skip_resource "zfs is not installed" if find_zfs.exit_status != 0
 
       @params = gather
     end
 
     # method called by 'it { should exist }'
     def exists?
-      inspec.command("/sbin/zfs get -Hp all #{@zfs_dataset}").exit_status == 0
+      inspec.command("#{@zfs_cmd} get -Hp all #{@zfs_dataset}").exit_status == 0
     end
 
     def mounted?
@@ -39,7 +43,7 @@ module Inspec::Resources
     end
 
     def gather
-      cmd = inspec.command("/sbin/zfs get -Hp all #{@zfs_dataset}")
+      cmd = inspec.command("#{@zfs_cmd} get -Hp all #{@zfs_dataset}")
       return nil if cmd.exit_status.to_i != 0
 
       # parse data

data/lib/inspec/resources/zfs_pool.rb

@@ -15,16 +15,20 @@ module Inspec::Resources
     EXAMPLE
 
     def initialize(zfs_pool)
-      return skip_resource "The `zfs_pool` resource is not supported on your OS yet." unless inspec.os.bsd?
+      return skip_resource "The `zfs_pool` resource is not supported on your OS yet." unless inspec.os.bsd? || inspec.os.linux?
 
       @zfs_pool = zfs_pool
+      find_zpool = inspec.command("which zpool")
+      @zpool_cmd = find_zpool.stdout.strip
+
+      return skip_resource "zfs is not installed" if find_zpool.exit_status != 0
 
       @params = gather
     end
 
     # method called by 'it { should exist }'
     def exists?
-      inspec.command("/sbin/zpool get -Hp all #{@zfs_pool}").exit_status == 0
+      inspec.command("#{@zpool_cmd} get -Hp all #{@zfs_pool}").exit_status == 0
     end
 
     def to_s
@@ -32,7 +36,7 @@ module Inspec::Resources
     end
 
     def gather
-      cmd = inspec.command("/sbin/zpool get -Hp all #{@zfs_pool}")
+      cmd = inspec.command("#{@zpool_cmd} get -Hp all #{@zfs_pool}")
       return nil if cmd.exit_status.to_i != 0
 
       # parse data

data/lib/inspec/rule.rb

@@ -180,7 +180,15 @@ module Inspec
         options[:priority] ||= 20
         options[:provider] = :inline_control_code
         evt = Inspec::Input.infer_event(options)
-        Inspec::InputRegistry.find_or_register_input(input_name, __profile_id, event: evt).value
+        Inspec::InputRegistry.find_or_register_input(
+          input_name,
+          __profile_id,
+          type: options[:type],
+          required: options[:required],
+          description: options[:description],
+          pattern: options[:pattern],
+          event: evt
+        ).value
       end
     end
 

data/lib/inspec/runner.rb

@@ -243,7 +243,7 @@ module Inspec
       # to provide access to local profiles that add resources.
       @depends.each do |dep|
         # support for windows paths
-        dep = dep.tr('\\', "/")
+        dep = dep.tr("\\", "/")
         Inspec::Profile.for_path(dep, { profile_context: ctx }).load_libraries
       end
 

data/lib/inspec/utils/erlang_parser.rb

@@ -52,13 +52,13 @@ class ErlangParser < Parslet::Parser
 
   rule(:stringS) do
     str("'") >> (
-      str('\\') >> any | str("'").absent? >> any
+      str("\\") >> any | str("'").absent? >> any
     ).repeat.as(:string) >> str("'") >> filler?
   end
 
   rule(:stringD) do
     str('"') >> (
-      str('\\') >> any | str('"').absent? >> any
+      str("\\") >> any | str('"').absent? >> any
     ).repeat.as(:string) >> str('"') >> filler?
   end
 

data/lib/inspec/utils/filter.rb

@@ -375,13 +375,13 @@ module FilterTable
       methods_to_install_on_resource_class = @filter_methods + @custom_properties.keys
       methods_to_install_on_resource_class.each do |method_name|
         resource_class.send(:define_method, method_name) do |*args, &block|
-          begin
-            # self here is the resource instance
-            filter_table_instance = table_class.new(self, send(raw_data_fetcher_method_name), " with")
-            filter_table_instance.send(method_name, *args, &block)
-          rescue Inspec::Exceptions::ResourceFailed, Inspec::Exceptions::ResourceSkipped => e
-            FilterTable::ExceptionCatcher.new(resource_class, e)
-          end
+
+          # self here is the resource instance
+          filter_table_instance = table_class.new(self, send(raw_data_fetcher_method_name), " with")
+          filter_table_instance.send(method_name, *args, &block)
+        rescue Inspec::Exceptions::ResourceFailed, Inspec::Exceptions::ResourceSkipped => e
+          FilterTable::ExceptionCatcher.new(resource_class, e)
+
         end
       end
     end

data/lib/inspec/utils/nginx_parser.rb

@@ -31,19 +31,19 @@ class NginxParser < Parslet::Parser
 
   rule(:standard_value) do
     ((match(/[#;{'"]/).absent? >> any) >> (
-      str('\\') >> any | match('[#;{]|\s').absent? >> any
+      str("\\") >> any | match('[#;{]|\s').absent? >> any
     ).repeat).as(:value) >> space.repeat
   end
 
   rule(:single_quoted_value) do
     str("'") >> (
-      str('\\') >> any | str("'").absent? >> any
+      str("\\") >> any | str("'").absent? >> any
     ).repeat.as(:value) >> str("'") >> space.repeat
   end
 
   rule(:double_quoted_value) do
     str('"') >> (
-      str('\\') >> any | str('"').absent? >> any
+      str("\\") >> any | str('"').absent? >> any
     ).repeat.as(:value) >> str('"') >> space.repeat
   end
 

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.33.1".freeze
+  VERSION = "4.37.20".freeze
 end

data/lib/plugins/inspec-compliance/README.md

@@ -6,24 +6,50 @@ This extensions offers the following features:
  - execute profiles directly from Chef Automate/Chef Compliance locally
  - upload a local profile to Chef Automate/Chef Compliance
 
+`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way.
+
 To use the CLI, this InSpec add-on adds the following commands:
 
+ * `$ inspec automate login` - authentication of the API token against Chef Automate/Chef Compliance
+ * `$ inspec automate profiles` - list all available Compliance profiles
+ * `$ inspec exec compliance://profile` - runs a Compliance profile
+ * `$ inspec automate upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
+ * `$ inspec automate logout` - logout of Chef Automate/Chef Compliance
+ 
+ Similar to these CLI commands are:
+
  * `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance
  * `$ inspec compliance profiles` - list all available Compliance profiles
- * `$ inspec exec compliance://profile` - runs a Compliance profile
  * `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
  * `$ inspec compliance logout` - logout of Chef Automate/Chef Compliance
 
 Compliance profiles can be executed in two ways:
 
-- via compliance exec: `inspec compliance exec profile`
+- via compliance exec: `inspec automate exec profile` or `inspec compliance exec profile`
 - via compliance scheme: `inspec exec compliance://profile`
 
 
+
+
 ## Usage
 
 ### Command options
 
+```
+$ inspec automate
+Commands:
+  inspec automate download PROFILE  # downloads a profile from Chef Compliance
+  inspec automate exec PROFILE      # executes a Chef Compliance profile
+  inspec automate help [COMMAND]    # Describe subcommands or one specific subcommand
+  inspec automate login SERVER      # Log in to a Chef Automate/Chef Compliance SERVER
+  inspec automate logout            # user logout from Chef Compliance
+  inspec automate profiles          # list all available profiles in Chef Compliance
+  inspec automate upload PATH       # uploads a local profile to Chef Compliance
+  inspec automate version           # displays the version of the Chef Compliance server
+```
+
+or
+
 ```
 $ inspec compliance
 Commands:
@@ -41,6 +67,12 @@ Commands:
 
 You will need an API token for authentication. You can retrieve one via the admin section of your A2 web gui.
 
+```
+$ inspec automate login https://automate2.compliance.test --insecure --user 'admin' --token 'zuop..._KzE'
+```
+
+or
+
 ```
 $ inspec compliance login https://automate2.compliance.test --insecure --user 'admin' --token 'zuop..._KzE'
 ```
@@ -63,6 +95,12 @@ Example:
 
 You will need an access token for authentication. You can retrieve one via [UI](https://docs.chef.io/api_delivery.html) or [CLI](https://docs.chef.io/ctl_delivery.html#delivery-token).
 
+```
+$ inspec automate login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE'
+```
+
+or
+
 ```
 $ inspec compliance login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE'
 ```
@@ -75,12 +113,42 @@ You will need an access token for authentication. You can retrieve one via:
 
 You can choose the access token (`--token`) or the refresh token (`--refresh_token`)
 
+```
+$ inspec automate login https://compliance.test --user admin --insecure --token '...'
+```
+
+or
+
 ```
 $ inspec compliance login https://compliance.test --user admin --insecure --token '...'
 ```
 
 ### List available profiles via Chef Compliance / Automate
 
+```
+ $ inspec automate profiles
+Available profiles:
+-------------------
+ * base/apache
+ * base/linux
+ * base/mysql
+ * base/postgres
+ * base/ssh
+ * base/windows
+ * cis/cis-centos6-level1
+ * cis/cis-centos6-level2
+ * cis/cis-centos7-level1
+ * cis/cis-centos7-level2
+ * cis/cis-rhel7-level1
+ * cis/cis-rhel7-level2
+ * cis/cis-ubuntu12.04lts-level1
+ * cis/cis-ubuntu12.04lts-level2
+ * cis/cis-ubuntu14.04lts-level1
+ * cis/cis-ubuntu14.04lts-level2
+```
+
+or
+
 ```
 $ inspec compliance profiles
 Available profiles:
@@ -105,6 +173,47 @@ Available profiles:
 
 ### Upload a profile to Chef Compliance / Automate
 
+```
+$ inspec automate version
+Chef Compliance version: 1.0.11
+➜  inspec git:(chris-rock/cc-error-not-loggedin) ✗ b inspec automate upload examples/profile
+I, [2016-05-06T14:27:20.907547 #37592]  INFO -- : Checking profile in examples/profile
+I, [2016-05-06T14:27:20.907668 #37592]  INFO -- : Metadata OK.
+I, [2016-05-06T14:27:20.968584 #37592]  INFO -- : Found 4 controls.
+I, [2016-05-06T14:27:20.968638 #37592]  INFO -- : Control definitions OK.
+Profile is valid
+Generate temporary profile archive at /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz
+I, [2016-05-06T14:27:21.020017 #37592]  INFO -- : Generate archive /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz.
+I, [2016-05-06T14:27:21.024837 #37592]  INFO -- : Finished archive generation.
+Start upload to admin/profile
+Uploading to Chef Compliance
+Successfully uploaded profile
+
+# display all profiles
+$ inspec automate profiles
+Available profiles:
+-------------------
+ * admin/profile
+ * base/apache
+ * base/linux
+ * base/mysql
+ * base/postgres
+ * base/ssh
+ * base/windows
+ * cis/cis-centos6-level1
+ * cis/cis-centos6-level2
+ * cis/cis-centos7-level1
+ * cis/cis-centos7-level2
+ * cis/cis-rhel7-level1
+ * cis/cis-rhel7-level2
+ * cis/cis-ubuntu12.04lts-level1
+ * cis/cis-ubuntu12.04lts-level2
+ * cis/cis-ubuntu14.04lts-level1
+ * cis/cis-ubuntu14.04lts-level2
+```
+
+or
+
 ```
 $ inspec compliance version
 Chef Compliance version: 1.0.11
@@ -168,17 +277,31 @@ $ inspec exec compliance://admin/apache-baseline#2.0.1
 ```
 
 Download a specific version(2.0.2) of a profile when logged in with Automate:
+```
+$ inspec automate download compliance://admin/apache-baseline#2.0.2
+```
+
+or
+
 ```
 $ inspec compliance download compliance://admin/apache-baseline#2.0.2
 ```
 
 ### To Logout from Chef Compliance
 
+```
+$ inspec automate logout
+Successfully logged out
+```
+
+or
+
 ```
 $ inspec compliance logout
 Successfully logged out
 ```
 
+
 ## Integration Tests
 
 At this point of time, InSpec is not able to pick up the token directly, therefore the integration test is semi-automatic at this point of time: