inspec-core 4.36.4 → 4.37.23
- checksums.yaml +4 -4
- data/Gemfile +14 -1
- data/etc/deprecations.json +5 -0
- data/inspec-core.gemspec +1 -1
- data/lib/inspec/base_cli.rb +2 -2
- data/lib/inspec/cli.rb +6 -2
- data/lib/inspec/fetcher/local.rb +1 -1
- data/lib/inspec/plugin/v2/loader.rb +9 -0
- data/lib/inspec/profile_context.rb +1 -1
- data/lib/inspec/resources/file.rb +4 -5
- data/lib/inspec/resources/http.rb +1 -1
- data/lib/inspec/resources/mssql_session.rb +1 -1
- data/lib/inspec/resources/mysql_session.rb +1 -1
- data/lib/inspec/resources/pip.rb +1 -1
- data/lib/inspec/resources/port.rb +9 -3
- data/lib/inspec/resources/registry_key.rb +1 -1
- data/lib/inspec/resources/users.rb +1 -1
- data/lib/inspec/resources/windows_feature.rb +2 -1
- data/lib/inspec/resources/windows_firewall_rule.rb +1 -1
- data/lib/inspec/resources/zfs_dataset.rb +7 -3
- data/lib/inspec/resources/zfs_pool.rb +7 -3
- data/lib/inspec/runner.rb +1 -1
- data/lib/inspec/utils/erlang_parser.rb +2 -2
- data/lib/inspec/utils/filter.rb +7 -7
- data/lib/inspec/utils/nginx_parser.rb +3 -3
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-compliance/README.md +125 -2
- data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb +5 -0
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +36 -179
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +15 -137
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +26 -28
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +7 -24
- data/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb +44 -34
- data/lib/plugins/inspec-init/lib/inspec-init/renderer.rb +1 -0
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Gemfile +6 -6
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Rakefile +8 -8
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec +12 -12
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/{inspec-plugin-template.rb → inspec-plugin-template.erb} +1 -1
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/{cli_command.rb → cli_command.erb} +8 -8
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/{plugin.rb → plugin.erb} +15 -15
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/{reporter.rb → reporter.erb} +0 -0
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/{version.rb → version.erb} +1 -1
- metadata +13 -7
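--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c9e4ef72fd93cf8c9de6cf6a6b14473388a1df8edee971d3e9db0dc89e31a756
+data.tar.gz: 79ab3e58e1f574f6bd34aff949a965ed7c01744745cb09eba4768a420f9fe60b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c1254e07b8263b7f97c53a3a3768db4fd50692d49defe607e2f7ceb42fce86c6a53909472e0b28fe7cbb58cfcdb6255dd549adaca18836ba2475f8644dab4153
+data.tar.gz: 8b45db91165ebd6a9af3102a4a4f60e9cf1fd404f5cc28452cc4df92e1554cce42a009e40b6a11de1d13569bada66a270d344076965138d32e52aea045a8ca52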
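--- a/data/Gemfile
+++ b/data/Gemfile
@@ -28,7 +28,7 @@ group :omnibus do
 end
 
 group :test do
-gem "chefstyle", "~>
+gem "chefstyle", "~> 2.0.3"
 gem "concurrent-ruby", "~> 1.0"
 gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
 gem "json_schemer", ">= 0.2.1", "< 0.2.19"
@@ -48,3 +48,16 @@ end
 group :deploy do
 gem "inquirer"
 end
+
+# Only include Test Kitchen support if we are on Ruby 2.7 or higher
+# as chef-zero support requires Ruby 2.6
+# See https://github.com/inspec/inspec/pull/5341
+if Gem.ruby_version >= Gem::Version.new("2.7.0")
+group :kitchen do
+gem "berkshelf"
+gem "test-kitchen", ">= 2.8"
+gem "kitchen-inspec", ">= 2.0"
+gem "kitchen-dokken", ">= 2.11"
+gem "git"
+end
+end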
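Review bot: The comment above the new `if Gem.ruby_version >= Gem::Version.new("2.7.0")` guard names two different versions: it says the kitchen group is loaded on Ruby 2.7 or higher because chef-zero requires Ruby 2.6, so a reader cannot tell which bound is intended. I would state the constraint once, for example `# chef-zero (pulled in by Test Kitchen) requires Ruby <MIN_VERSION>+, so only load this group there`, filling in the version from the linked pull request. Separately, `berkshelf` and `git` carry no version constraint and the other three gems only a lower bound, so this group resolves to whatever is newest at install time unless a committed lockfile pins it.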
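--- a/data/etc/deprecations.json
+++ b/data/etc/deprecations.json
@@ -120,6 +120,11 @@
 "object_classes": {
 "action": "warn",
 "suffix": "These classes will be removed in InSpec 5.0."
+},
+"cli_option_hook":{
+"action": "warn",
+"prefix": "The --hook option is being replaced by the --activator option.",
+"suffix": "This options will be removed in InSpec 4.0."
 }
 }
 }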
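Review bot: The new `cli_option_hook` suffix announces removal in InSpec 4.0, but this package is already 4.37.x and the neighbouring `object_classes` entry targets 5.0, so the warning users see would name a release that has already shipped. If 5.0 is what is meant, the line would read `"suffix": "This option will be removed in InSpec 5.0."`, which also fixes the "This options" typo. The target version is my inference from the adjacent entry and should be confirmed.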
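--- a/data/inspec-core.gemspec
+++ b/data/inspec-core.gemspec
@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
 .reject { |f| File.directory?(f) }
 
 # Implementation dependencies
-spec.add_dependency "chef-telemetry", "~> 1.0"
+spec.add_dependency "chef-telemetry", "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep
 spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0"
 spec.add_dependency "thor", ">= 0.20", "< 2.0"
 spec.add_dependency "method_source", ">= 0.8", "< 2.0"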
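--- a/data/lib/inspec/base_cli.rb
+++ b/data/lib/inspec/base_cli.rb
@@ -181,7 +181,7 @@ module Inspec
 puts " Patents: chef.io/patents\n\n"
 end
 
-def self.format_platform_info(params: {}, indent: 0, color: 39)
+def self.format_platform_info(params: {}, indent: 0, color: 39, enable_color: true)
 str = ""
 params.each do |item, info|
 data = info
@@ -192,7 +192,7 @@ module Inspec
 # Do not output fields of data is missing ('unknown' is fine)
 next if data.nil?
 
-data = "\e[1m\e[#{color}m#{data}\e[0m"
+data = "\e[1m\e[#{color}m#{data}\e[0m" if enable_color
 str << format("#{" " * indent}%-10s %s\n", item.to_s.capitalize + ":", data)
 end
 str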
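--- a/data/lib/inspec/cli.rb
+++ b/data/lib/inspec/cli.rb
@@ -218,9 +218,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
 Automate:
 ```
-#{Inspec::Dist::EXEC_NAME}
+#{Inspec::Dist::EXEC_NAME} automate login
 #{Inspec::Dist::EXEC_NAME} exec compliance://username/linux-baseline
 ```
+`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way:
+```
+#{Inspec::Dist::EXEC_NAME} compliance login
+```
 
 Supermarket:
 ```
@@ -301,7 +305,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 puts res.to_json
 else
 ui.headline("Platform Details")
-ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36)
+ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36, enable_color: ui.color?)
 end
 rescue ArgumentError, RuntimeError, Train::UserError => e
 $stderr.puts e.message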
data/lib/inspec/fetcher/local.rb
CHANGED
@@ -117,6 +117,15 @@ module Inspec::Plugin::V2
|
|
117
117
|
# `inspec dosomething` => activate the :dosomething hook
|
118
118
|
activate_me ||= cli_args.include?(act.activator_name.to_s)
|
119
119
|
|
120
|
+
# Only one compliance command to be activated at one time.
|
121
|
+
# Since both commands are defined in the same class,
|
122
|
+
# activators were not getting fetched uniquely.
|
123
|
+
if cli_args.include?("automate") && act.activator_name.to_s.eql?("compliance")
|
124
|
+
activate_me = false
|
125
|
+
elsif cli_args.include?("compliance") && act.activator_name.to_s.eql?("automate")
|
126
|
+
activate_me = false
|
127
|
+
end
|
128
|
+
|
120
129
|
# OK, activate.
|
121
130
|
if activate_me
|
122
131
|
act.activate
|
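Review bot: The two new `cli_args.include?("automate")` / `cli_args.include?("compliance")` checks match the word anywhere on the command line, not only in the subcommand position. If both words appear, for instance when a profile path or option value happens to be named `automate` under `inspec compliance ...`, each branch sets `activate_me = false` for the other activator and neither plugin command is activated. Comparing against the subcommand only, e.g. `subcommand = cli_args.find { |a| !a.start_with?("-") }` and then testing `subcommand == "automate"`, would avoid that; how `cli_args` is built is outside the hunk, so the exact selector needs checking. The page shows this hunk under the `fetcher/local.rb` header, but its `module Inspec::Plugin::V2` context and the +9/-0 count in the file list point to `plugin/v2/loader.rb`.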
@@ -136,10 +136,10 @@ module Inspec::Resources
|
|
136
136
|
alias sticky? sticky
|
137
137
|
|
138
138
|
def more_permissive_than?(max_mode = nil)
|
139
|
-
|
140
|
-
raise ArgumentError, "You must
|
141
|
-
raise ArgumentError, "You must
|
142
|
-
raise ArgumentError, "The value of the `maximum permission target` should be a valid file mode in 4-
|
139
|
+
return nil unless exist?
|
140
|
+
raise ArgumentError, "You must provide a value for the `maximum allowable permission` for the file." if max_mode.nil?
|
141
|
+
raise ArgumentError, "You must provide the `maximum permission target` as a `String`, you provided: " + max_mode.class.to_s unless max_mode.is_a?(String)
|
142
|
+
raise ArgumentError, "The value of the `maximum permission target` should be a valid file mode in 4-digit octal format: for example, `0644` or `0777`" unless /(0)?([0-7])([0-7])([0-7])/.match?(max_mode)
|
143
143
|
|
144
144
|
# Using the files mode and a few bit-wise calculations we can ensure a
|
145
145
|
# file is no more permisive than desired.
|
@@ -160,7 +160,6 @@ module Inspec::Resources
|
|
160
160
|
|
161
161
|
max_mode = max_mode.to_i(8)
|
162
162
|
inv_mode = 0777 ^ max_mode
|
163
|
-
|
164
163
|
inv_mode & file.mode != 0
|
165
164
|
end
|
166
165
|
|
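Review bot: The format check on `max_mode` in `more_permissive_than?` is unanchored: `/(0)?([0-7])([0-7])([0-7])/.match?(max_mode)` accepts any string that merely contains three octal digits, so a mistyped limit passes validation and `max_mode.to_i(8)` in the second hunk then compares against whatever leading digits it can parse. For a control that gates file permissions, that can turn a typo into a silently wrong verdict. Anchoring the pattern, `unless /\A0?[0-7]{3}\z/.match?(max_mode)`, makes the check agree with the error message; use `[0-7]{3,4}` instead if special bits are meant to be accepted. The new `return nil unless exist?` also runs before the argument checks, so a missing file yields a falsy result rather than an error even when `max_mode` is invalid. The method body continues between and beyond the two hunks.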
@@ -58,7 +58,7 @@ module Inspec::Resources
|
|
58
58
|
end
|
59
59
|
|
60
60
|
def query(q) # rubocop:disable Metrics/PerceivedComplexity
|
61
|
-
escaped_query = q.gsub(/\\/,
|
61
|
+
escaped_query = q.gsub(/\\/, "\\\\").gsub(/"/, '""').gsub(/\$/, '\\$')
|
62
62
|
# surpress 'x rows affected' in SQLCMD with 'set nocount on;'
|
63
63
|
cmd_string = "sqlcmd -Q \"set nocount on; #{escaped_query}\" -W -w 1024 -s ','"
|
64
64
|
cmd_string += " -U '#{@user}' -P '#{@password}'" unless @user.nil? || @password.nil?
|
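Review bot: The hand-rolled escaping on the new `escaped_query` line in `query` does less than it reads: in a `gsub` replacement string `\\` is itself the escape for one backslash, so `q.gsub(/\\/, "\\\\")` replaces each backslash with a single backslash and changes nothing. The block form, `q.gsub("\\") { "\\\\" }`, is the usual way to actually double them. The chain also leaves the backtick untouched although the result is placed inside a double-quoted shell argument, and the context lines interpolate `@user` and `@password` into single quotes with no escaping at all. The `escaped_query` line in the `create_mysql_cmd` hunk directly below has the same problem, and its own TODO already asks for a library to do this; `Shellwords.escape` from the standard library is the obvious candidate. Both method bodies continue outside their hunks.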
@@ -75,7 +75,7 @@ module Inspec::Resources
|
|
75
75
|
def create_mysql_cmd(q, db = "")
|
76
76
|
# TODO: simple escape, must be handled by a library
|
77
77
|
# that does this securely
|
78
|
-
escaped_query = q.gsub(/\\/,
|
78
|
+
escaped_query = q.gsub(/\\/, "\\\\").gsub(/"/, '\\"').gsub(/\$/, '\\$')
|
79
79
|
|
80
80
|
# construct the query
|
81
81
|
command = "mysql"
|
data/lib/inspec/resources/pip.rb
CHANGED
@@ -117,7 +117,7 @@ module Inspec::Resources
|
|
117
117
|
if defined?(windows_paths["Python"]) && pipcmd.nil?
|
118
118
|
return nil if windows_paths["Pip"].nil?
|
119
119
|
|
120
|
-
pipdir = windows_paths["Python"].split(
|
120
|
+
pipdir = windows_paths["Python"].split("\\")
|
121
121
|
# remove python.exe
|
122
122
|
pipdir.pop
|
123
123
|
pipcmd = pipdir.push("Scripts").push("pip.exe").join("/")
|
@@ -54,7 +54,7 @@ module Inspec::Resources
|
|
54
54
|
def port_manager_for_os
|
55
55
|
os = inspec.os
|
56
56
|
if os.linux?
|
57
|
-
LinuxPorts.new(inspec)
|
57
|
+
LinuxPorts.new(inspec, @port)
|
58
58
|
elsif os.aix?
|
59
59
|
# AIX: see http://www.ibm.com/developerworks/aix/library/au-lsof.html#resources
|
60
60
|
# and https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=aixbp
|
@@ -102,8 +102,9 @@ module Inspec::Resources
|
|
102
102
|
# }]
|
103
103
|
class PortsInfo
|
104
104
|
attr_reader :inspec
|
105
|
-
def initialize(inspec)
|
105
|
+
def initialize(inspec, port = nil)
|
106
106
|
@inspec = inspec
|
107
|
+
@port = port
|
107
108
|
end
|
108
109
|
end
|
109
110
|
|
@@ -394,7 +395,12 @@ module Inspec::Resources
|
|
394
395
|
def ports_via_ss
|
395
396
|
return nil unless inspec.command("ss").exist?
|
396
397
|
|
397
|
-
|
398
|
+
if @port.nil?
|
399
|
+
cmd = inspec.command("ss -tulpen")
|
400
|
+
else
|
401
|
+
cmd = inspec.command("ss -tulpen '( dport = #{@port} or sport = #{@port} )'")
|
402
|
+
end
|
403
|
+
|
398
404
|
return nil unless cmd.exit_status.to_i == 0
|
399
405
|
|
400
406
|
ports = []
|
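Review bot: In `ports_via_ss` the new filter interpolates `@port` straight into a single-quoted shell argument, `'( dport = #{@port} or sport = #{@port} )'`, and nothing in the visible hunks checks that it is a number. `PortsInfo#initialize` stores whatever the resource was given, so a string value can break the quoting or the `ss` filter syntax, in which case the non-zero exit status makes the method return nil. Coercing first, `port = Integer(@port)` and interpolating `port`, keeps the command well-formed and fails loudly on bad input; whether callers ever pass a non-integer is not visible here. The body of `ports_via_ss` continues past the hunk.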
@@ -611,7 +611,7 @@ module Inspec::Resources
|
|
611
611
|
# @see https://msdn.microsoft.com/en-us/library/aa394153(v=vs.85).aspx
|
612
612
|
class WindowsUser < UserInfo
|
613
613
|
def parse_windows_account(username)
|
614
|
-
account = username.split(
|
614
|
+
account = username.split("\\")
|
615
615
|
name = account.pop
|
616
616
|
domain = account.pop unless account.empty?
|
617
617
|
[name, domain]
|
@@ -79,10 +79,11 @@ module Inspec::Resources
|
|
79
79
|
result = cmd.stdout
|
80
80
|
feature_name_regex = /Feature Name : (.*)(\r\n|\n)/
|
81
81
|
description_regex = /Description : (.*)(\r\n|\n)/
|
82
|
+
state_regex = /State : (.*)(\r\n|\n)/
|
82
83
|
feature_info = {
|
83
84
|
name: result.match(feature_name_regex).captures[0].chomp,
|
84
85
|
description: result.match(description_regex).captures[0].chomp,
|
85
|
-
installed:
|
86
|
+
installed: result.match(state_regex).captures[0].chomp == "Enabled",
|
86
87
|
}
|
87
88
|
end
|
88
89
|
|
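Review bot: The new `installed:` value calls `.captures` directly on `result.match(state_regex)`, which is nil when the output has no `State :` line, so the lookup would raise NoMethodError instead of reporting the feature as not installed. The neighbouring `name:` and `description:` lines share the pattern, but this is the field the control's verdict depends on. `installed: result[state_regex, 1].to_s.chomp == "Enabled",` degrades to false instead. It may also be worth a comment that only the exact state `Enabled` counts, so any other state string reads as not installed. The enclosing method starts outside the hunk.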
@@ -105,7 +105,7 @@ module Inspec::Resources
|
|
105
105
|
# @see https://github.com/chef/chef/blob/master/lib/chef/resource/windows_firewall_rule.rb
|
106
106
|
def load_firewall_state(rule_name)
|
107
107
|
<<-EOH
|
108
|
-
|
108
|
+
Get-TypeData -TypeName System.Array | Remove-TypeData # workaround for PS bug here: https://bit.ly/2SRMQ8M
|
109
109
|
$rule = Get-NetFirewallRule -Name "#{rule_name}"
|
110
110
|
$addressFilter = $rule | Get-NetFirewallAddressFilter
|
111
111
|
$portFilter = $rule | Get-NetFirewallPortFilter
|
@@ -16,16 +16,20 @@ module Inspec::Resources
|
|
16
16
|
EXAMPLE
|
17
17
|
|
18
18
|
def initialize(zfs_dataset)
|
19
|
-
return skip_resource "The `zfs_dataset` resource is not supported on your OS yet." unless inspec.os.bsd?
|
19
|
+
return skip_resource "The `zfs_dataset` resource is not supported on your OS yet." unless inspec.os.bsd? || inspec.os.linux?
|
20
20
|
|
21
21
|
@zfs_dataset = zfs_dataset
|
22
|
+
find_zfs = inspec.command("which zfs")
|
23
|
+
@zfs_cmd = find_zfs.stdout.strip
|
24
|
+
|
25
|
+
return skip_resource "zfs is not installed" if find_zfs.exit_status != 0
|
22
26
|
|
23
27
|
@params = gather
|
24
28
|
end
|
25
29
|
|
26
30
|
# method called by 'it { should exist }'
|
27
31
|
def exists?
|
28
|
-
inspec.command("
|
32
|
+
inspec.command("#{@zfs_cmd} get -Hp all #{@zfs_dataset}").exit_status == 0
|
29
33
|
end
|
30
34
|
|
31
35
|
def mounted?
|
@@ -39,7 +43,7 @@ module Inspec::Resources
|
|
39
43
|
end
|
40
44
|
|
41
45
|
def gather
|
42
|
-
cmd = inspec.command("
|
46
|
+
cmd = inspec.command("#{@zfs_cmd} get -Hp all #{@zfs_dataset}")
|
43
47
|
return nil if cmd.exit_status.to_i != 0
|
44
48
|
|
45
49
|
# parse data
|
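Review bot: The rewritten commands in `exists?` and `gather` build a shell line from two unquoted values, `"#{@zfs_cmd} get -Hp all #{@zfs_dataset}"`: the path printed by `which zfs` and the dataset name supplied by the profile. A name or path containing whitespace or shell metacharacters changes what runs on the target, so I would escape both, e.g. `inspec.command("#{Shellwords.escape(@zfs_cmd)} get -Hp all #{Shellwords.escape(@zfs_dataset)}")` with `require "shellwords"` at the top of the file. In `initialize`, `@zfs_cmd` is also assigned before the exit status of `which` is checked, so after a skip it is an empty string and `exists?`, if it is still called, would run a command starting with ` get`. The `zfs_pool` hunks that follow have the same shape with `@zpool_cmd` and `@zfs_pool`. The removed lines are truncated on this page, so I cannot tell whether the dataset interpolation predates this change.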
@@ -15,16 +15,20 @@ module Inspec::Resources
|
|
15
15
|
EXAMPLE
|
16
16
|
|
17
17
|
def initialize(zfs_pool)
|
18
|
-
return skip_resource "The `zfs_pool` resource is not supported on your OS yet." unless inspec.os.bsd?
|
18
|
+
return skip_resource "The `zfs_pool` resource is not supported on your OS yet." unless inspec.os.bsd? || inspec.os.linux?
|
19
19
|
|
20
20
|
@zfs_pool = zfs_pool
|
21
|
+
find_zpool = inspec.command("which zpool")
|
22
|
+
@zpool_cmd = find_zpool.stdout.strip
|
23
|
+
|
24
|
+
return skip_resource "zfs is not installed" if find_zpool.exit_status != 0
|
21
25
|
|
22
26
|
@params = gather
|
23
27
|
end
|
24
28
|
|
25
29
|
# method called by 'it { should exist }'
|
26
30
|
def exists?
|
27
|
-
inspec.command("
|
31
|
+
inspec.command("#{@zpool_cmd} get -Hp all #{@zfs_pool}").exit_status == 0
|
28
32
|
end
|
29
33
|
|
30
34
|
def to_s
|
@@ -32,7 +36,7 @@ module Inspec::Resources
|
|
32
36
|
end
|
33
37
|
|
34
38
|
def gather
|
35
|
-
cmd = inspec.command("
|
39
|
+
cmd = inspec.command("#{@zpool_cmd} get -Hp all #{@zfs_pool}")
|
36
40
|
return nil if cmd.exit_status.to_i != 0
|
37
41
|
|
38
42
|
# parse data
|
data/lib/inspec/runner.rb
CHANGED
@@ -243,7 +243,7 @@ module Inspec
|
|
243
243
|
# to provide access to local profiles that add resources.
|
244
244
|
@depends.each do |dep|
|
245
245
|
# support for windows paths
|
246
|
-
dep = dep.tr(
|
246
|
+
dep = dep.tr("\\", "/")
|
247
247
|
Inspec::Profile.for_path(dep, { profile_context: ctx }).load_libraries
|
248
248
|
end
|
249
249
|
|
@@ -52,13 +52,13 @@ class ErlangParser < Parslet::Parser
|
|
52
52
|
|
53
53
|
rule(:stringS) do
|
54
54
|
str("'") >> (
|
55
|
-
str(
|
55
|
+
str("\\") >> any | str("'").absent? >> any
|
56
56
|
).repeat.as(:string) >> str("'") >> filler?
|
57
57
|
end
|
58
58
|
|
59
59
|
rule(:stringD) do
|
60
60
|
str('"') >> (
|
61
|
-
str(
|
61
|
+
str("\\") >> any | str('"').absent? >> any
|
62
62
|
).repeat.as(:string) >> str('"') >> filler?
|
63
63
|
end
|
64
64
|
|
data/lib/inspec/utils/filter.rb
CHANGED
@@ -375,13 +375,13 @@ module FilterTable
|
|
375
375
|
methods_to_install_on_resource_class = @filter_methods + @custom_properties.keys
|
376
376
|
methods_to_install_on_resource_class.each do |method_name|
|
377
377
|
resource_class.send(:define_method, method_name) do |*args, &block|
|
378
|
-
|
379
|
-
|
380
|
-
|
381
|
-
|
382
|
-
|
383
|
-
|
384
|
-
|
378
|
+
|
379
|
+
# self here is the resource instance
|
380
|
+
filter_table_instance = table_class.new(self, send(raw_data_fetcher_method_name), " with")
|
381
|
+
filter_table_instance.send(method_name, *args, &block)
|
382
|
+
rescue Inspec::Exceptions::ResourceFailed, Inspec::Exceptions::ResourceSkipped => e
|
383
|
+
FilterTable::ExceptionCatcher.new(resource_class, e)
|
384
|
+
|
385
385
|
end
|
386
386
|
end
|
387
387
|
end
|
@@ -31,19 +31,19 @@ class NginxParser < Parslet::Parser
|
|
31
31
|
|
32
32
|
rule(:standard_value) do
|
33
33
|
((match(/[#;{'"]/).absent? >> any) >> (
|
34
|
-
str(
|
34
|
+
str("\\") >> any | match('[#;{]|\s').absent? >> any
|
35
35
|
).repeat).as(:value) >> space.repeat
|
36
36
|
end
|
37
37
|
|
38
38
|
rule(:single_quoted_value) do
|
39
39
|
str("'") >> (
|
40
|
-
str(
|
40
|
+
str("\\") >> any | str("'").absent? >> any
|
41
41
|
).repeat.as(:value) >> str("'") >> space.repeat
|
42
42
|
end
|
43
43
|
|
44
44
|
rule(:double_quoted_value) do
|
45
45
|
str('"') >> (
|
46
|
-
str(
|
46
|
+
str("\\") >> any | str('"').absent? >> any
|
47
47
|
).repeat.as(:value) >> str('"') >> space.repeat
|
48
48
|
end
|
49
49
|
|
data/lib/inspec/version.rb
CHANGED
@@ -6,24 +6,50 @@ This extensions offers the following features:
|
|
6
6
|
- execute profiles directly from Chef Automate/Chef Compliance locally
|
7
7
|
- upload a local profile to Chef Automate/Chef Compliance
|
8
8
|
|
9
|
+
`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way.
|
10
|
+
|
9
11
|
To use the CLI, this InSpec add-on adds the following commands:
|
10
12
|
|
13
|
+
* `$ inspec automate login` - authentication of the API token against Chef Automate/Chef Compliance
|
14
|
+
* `$ inspec automate profiles` - list all available Compliance profiles
|
15
|
+
* `$ inspec exec compliance://profile` - runs a Compliance profile
|
16
|
+
* `$ inspec automate upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
|
17
|
+
* `$ inspec automate logout` - logout of Chef Automate/Chef Compliance
|
18
|
+
|
19
|
+
Similar to these CLI commands are:
|
20
|
+
|
11
21
|
* `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance
|
12
22
|
* `$ inspec compliance profiles` - list all available Compliance profiles
|
13
|
-
* `$ inspec exec compliance://profile` - runs a Compliance profile
|
14
23
|
* `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance
|
15
24
|
* `$ inspec compliance logout` - logout of Chef Automate/Chef Compliance
|
16
25
|
|
17
26
|
Compliance profiles can be executed in two ways:
|
18
27
|
|
19
|
-
- via compliance exec: `inspec compliance exec profile`
|
28
|
+
- via compliance exec: `inspec automate exec profile` or `inspec compliance exec profile`
|
20
29
|
- via compliance scheme: `inspec exec compliance://profile`
|
21
30
|
|
22
31
|
|
32
|
+
|
33
|
+
|
23
34
|
## Usage
|
24
35
|
|
25
36
|
### Command options
|
26
37
|
|
38
|
+
```
|
39
|
+
$ inspec automate
|
40
|
+
Commands:
|
41
|
+
inspec automate download PROFILE # downloads a profile from Chef Compliance
|
42
|
+
inspec automate exec PROFILE # executes a Chef Compliance profile
|
43
|
+
inspec automate help [COMMAND] # Describe subcommands or one specific subcommand
|
44
|
+
inspec automate login SERVER # Log in to a Chef Automate/Chef Compliance SERVER
|
45
|
+
inspec automate logout # user logout from Chef Compliance
|
46
|
+
inspec automate profiles # list all available profiles in Chef Compliance
|
47
|
+
inspec automate upload PATH # uploads a local profile to Chef Compliance
|
48
|
+
inspec automate version # displays the version of the Chef Compliance server
|
49
|
+
```
|
50
|
+
|
51
|
+
or
|
52
|
+
|
27
53
|
```
|
28
54
|
$ inspec compliance
|
29
55
|
Commands:
|
@@ -41,6 +67,12 @@ Commands:
|
|
41
67
|
|
42
68
|
You will need an API token for authentication. You can retrieve one via the admin section of your A2 web gui.
|
43
69
|
|
70
|
+
```
|
71
|
+
$ inspec automate login https://automate2.compliance.test --insecure --user 'admin' --token 'zuop..._KzE'
|
72
|
+
```
|
73
|
+
|
74
|
+
or
|
75
|
+
|
44
76
|
```
|
45
77
|
$ inspec compliance login https://automate2.compliance.test --insecure --user 'admin' --token 'zuop..._KzE'
|
46
78
|
```
|
@@ -63,6 +95,12 @@ Example:
|
|
63
95
|
|
64
96
|
You will need an access token for authentication. You can retrieve one via [UI](https://docs.chef.io/api_delivery.html) or [CLI](https://docs.chef.io/ctl_delivery.html#delivery-token).
|
65
97
|
|
98
|
+
```
|
99
|
+
$ inspec automate login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE'
|
100
|
+
```
|
101
|
+
|
102
|
+
or
|
103
|
+
|
66
104
|
```
|
67
105
|
$ inspec compliance login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE'
|
68
106
|
```
|
@@ -75,12 +113,42 @@ You will need an access token for authentication. You can retrieve one via:
|
|
75
113
|
|
76
114
|
You can choose the access token (`--token`) or the refresh token (`--refresh_token`)
|
77
115
|
|
116
|
+
```
|
117
|
+
$ inspec automate login https://compliance.test --user admin --insecure --token '...'
|
118
|
+
```
|
119
|
+
|
120
|
+
or
|
121
|
+
|
78
122
|
```
|
79
123
|
$ inspec compliance login https://compliance.test --user admin --insecure --token '...'
|
80
124
|
```
|
81
125
|
|
82
126
|
### List available profiles via Chef Compliance / Automate
|
83
127
|
|
128
|
+
```
|
129
|
+
$ inspec automate profiles
|
130
|
+
Available profiles:
|
131
|
+
-------------------
|
132
|
+
* base/apache
|
133
|
+
* base/linux
|
134
|
+
* base/mysql
|
135
|
+
* base/postgres
|
136
|
+
* base/ssh
|
137
|
+
* base/windows
|
138
|
+
* cis/cis-centos6-level1
|
139
|
+
* cis/cis-centos6-level2
|
140
|
+
* cis/cis-centos7-level1
|
141
|
+
* cis/cis-centos7-level2
|
142
|
+
* cis/cis-rhel7-level1
|
143
|
+
* cis/cis-rhel7-level2
|
144
|
+
* cis/cis-ubuntu12.04lts-level1
|
145
|
+
* cis/cis-ubuntu12.04lts-level2
|
146
|
+
* cis/cis-ubuntu14.04lts-level1
|
147
|
+
* cis/cis-ubuntu14.04lts-level2
|
148
|
+
```
|
149
|
+
|
150
|
+
or
|
151
|
+
|
84
152
|
```
|
85
153
|
$ inspec compliance profiles
|
86
154
|
Available profiles:
|
@@ -105,6 +173,47 @@ Available profiles:
|
|
105
173
|
|
106
174
|
### Upload a profile to Chef Compliance / Automate
|
107
175
|
|
176
|
+
```
|
177
|
+
$ inspec automate version
|
178
|
+
Chef Compliance version: 1.0.11
|
179
|
+
➜ inspec git:(chris-rock/cc-error-not-loggedin) ✗ b inspec automate upload examples/profile
|
180
|
+
I, [2016-05-06T14:27:20.907547 #37592] INFO -- : Checking profile in examples/profile
|
181
|
+
I, [2016-05-06T14:27:20.907668 #37592] INFO -- : Metadata OK.
|
182
|
+
I, [2016-05-06T14:27:20.968584 #37592] INFO -- : Found 4 controls.
|
183
|
+
I, [2016-05-06T14:27:20.968638 #37592] INFO -- : Control definitions OK.
|
184
|
+
Profile is valid
|
185
|
+
Generate temporary profile archive at /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz
|
186
|
+
I, [2016-05-06T14:27:21.020017 #37592] INFO -- : Generate archive /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz.
|
187
|
+
I, [2016-05-06T14:27:21.024837 #37592] INFO -- : Finished archive generation.
|
188
|
+
Start upload to admin/profile
|
189
|
+
Uploading to Chef Compliance
|
190
|
+
Successfully uploaded profile
|
191
|
+
|
192
|
+
# display all profiles
|
193
|
+
$ inspec automate profiles
|
194
|
+
Available profiles:
|
195
|
+
-------------------
|
196
|
+
* admin/profile
|
197
|
+
* base/apache
|
198
|
+
* base/linux
|
199
|
+
* base/mysql
|
200
|
+
* base/postgres
|
201
|
+
* base/ssh
|
202
|
+
* base/windows
|
203
|
+
* cis/cis-centos6-level1
|
204
|
+
* cis/cis-centos6-level2
|
205
|
+
* cis/cis-centos7-level1
|
206
|
+
* cis/cis-centos7-level2
|
207
|
+
* cis/cis-rhel7-level1
|
208
|
+
* cis/cis-rhel7-level2
|
209
|
+
* cis/cis-ubuntu12.04lts-level1
|
210
|
+
* cis/cis-ubuntu12.04lts-level2
|
211
|
+
* cis/cis-ubuntu14.04lts-level1
|
212
|
+
* cis/cis-ubuntu14.04lts-level2
|
213
|
+
```
|
214
|
+
|
215
|
+
or
|
216
|
+
|
108
217
|
```
|
109
218
|
$ inspec compliance version
|
110
219
|
Chef Compliance version: 1.0.11
|
@@ -168,17 +277,31 @@ $ inspec exec compliance://admin/apache-baseline#2.0.1
|
|
168
277
|
```
|
169
278
|
|
170
279
|
Download a specific version(2.0.2) of a profile when logged in with Automate:
|
280
|
+
```
|
281
|
+
$ inspec automate download compliance://admin/apache-baseline#2.0.2
|
282
|
+
```
|
283
|
+
|
284
|
+
or
|
285
|
+
|
171
286
|
```
|
172
287
|
$ inspec compliance download compliance://admin/apache-baseline#2.0.2
|
173
288
|
```
|
174
289
|
|
175
290
|
### To Logout from Chef Compliance
|
176
291
|
|
292
|
+
```
|
293
|
+
$ inspec automate logout
|
294
|
+
Successfully logged out
|
295
|
+
```
|
296
|
+
|
297
|
+
or
|
298
|
+
|
177
299
|
```
|
178
300
|
$ inspec compliance logout
|
179
301
|
Successfully logged out
|
180
302
|
```
|
181
303
|
|
304
|
+
|
182
305
|
## Integration Tests
|
183
306
|
|
184
307
|
At this point of time, InSpec is not able to pick up the token directly, therefore the integration test is semi-automatic at this point of time:
|