inspec-core 4.38.3 → 4.46.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da7b208efcb020501f9a283e5e512d3862cd4c3e7c19f2012e143af2721fd893
-  data.tar.gz: f534843ff5445086f3d40802fff3fe19c8ed787660dde2ce17816e8dc1225cac
+  metadata.gz: 1cc013914b6503c547eeb5fbba13ce8398cf039236b82a0422339a8b7d178649
+  data.tar.gz: bb763eb39cb82fa264417d15147769d9d4b3fe1dff34ac40351712a35c6dbcb3
 SHA512:
-  metadata.gz: efd72de313d408802e8484dba99e6291bcd1a571fe028642736fccfcb3d02b78bb700d88a0441d6b2525285891707a738b8315c8dc315edc50e288eb000940e3
-  data.tar.gz: 12d51bdaea741376370ea5e64abf645d9734a2edf4328118b8931c11d6032446830f0f7f495eed987e7fcc27518472e21f523d93bd1c1578468b97d9028d11c3
+  metadata.gz: 492c4bbde3afe3c8be2d7640bb5e6a04f973a762aa2b541231dc61a3862d2d4d3248a49ff9b149ca66fa07eba83e1cd61260185a61fb073ba6a3cc9b542ac04f
+  data.tar.gz: 89b55b1c8d8da24e1266bf6e19f688d284b88b18ec36c97f3f088c6f0422ac6ae6b0ddcab867bcb174ae789fc8e5bb334ed40cfd49adb26c7c3eb401c3164123

data/Gemfile

@@ -20,28 +20,21 @@ end
 # but our runtime dep is still 3.9+
 gem "rspec", ">= 3.10"
 
-def probably_x86?
-  # We don't currently build on ARM windows, so assume x86 there
-  return true if RUBY_PLATFORM =~ /windows|mswin|msys|mingw|cygwin/
-
-  # Otherwise rely on uname -m
-  `uname -m`.match?(/^(x86_64|i\d86)/)
-end
-
 group :omnibus do
   gem "rb-readline"
   gem "appbundler"
   gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
   gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
-  if probably_x86?
-    gem "x25519" # ed25519 KEX module, not supported on ARM
-  end
 end
 
 group :test do
   gem "chefstyle", "~> 2.0.3"
   gem "concurrent-ruby", "~> 1.0"
-  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
+  if Gem.ruby_version.to_s.start_with?("2.5")
+    gem "html-proofer", "= 3.19.1" , platforms: :ruby # do not attempt to run proofer on windows
+  else
+    gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
+  end
   gem "json_schemer", ">= 0.2.1", "< 0.2.19"
   gem "m"
   gem "minitest-sprint", "~> 1.0"

data/etc/deprecations.json

@@ -4,7 +4,7 @@
   "groups": {
     "attrs_value_replaces_default": {
       "action": "warn",
-      "prefix": "The 'default' option for attributes is being replaced by 'value' - please use it instead."
+      "prefix": "The 'default' option for inputs is being replaced by 'value' - please use it instead."
     },
     "attrs_dsl": {
       "action": "ignore",

data/lib/inspec/base_cli.rb

@@ -43,11 +43,15 @@ module Inspec
       begin
         if (allowed_commands & ARGV.map(&:downcase)).empty? && # Did they use a non-exempt command?
             !ARGV.empty? # Did they supply at least one command?
-          LicenseAcceptance::Acceptor.check_and_persist(
+          license_acceptor_output = LicenseAcceptance::Acceptor.check_and_persist(
             Inspec::Dist::EXEC_NAME,
             Inspec::VERSION,
             logger: Inspec::Log
           )
+          if license_acceptor_output && ARGV.count == 1 && (ARGV.first.include? "--chef-license")
+            Inspec::UI.new.exit
+          end
+          license_acceptor_output
         end
       rescue LicenseAcceptance::LicenseNotAcceptedError
         Inspec::Log.error "#{Inspec::Dist::PRODUCT_NAME} cannot execute without accepting the license"
@@ -136,6 +140,8 @@ module Inspec
       profile_options
       option :controls, type: :array,
         desc: "A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests."
+      option :tags, type: :array,
+        desc: "A list of tags names that are part of controls to filter and run controls, or a list of /regexes/ to match against tags names of controls. Ignore all other tests."
       option :reporter, type: :array,
         banner: "one two:/output/file/path",
         desc: "Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml"

data/lib/inspec/cached_fetcher.rb

@@ -6,9 +6,9 @@ module Inspec
     extend Forwardable
 
     attr_reader :cache, :target, :fetcher
-    def initialize(target, cache)
+    def initialize(target, cache, opts = {})
       @target = target
-      @fetcher = Inspec::Fetcher::Registry.resolve(target)
+      @fetcher = Inspec::Fetcher::Registry.resolve(target, opts)
 
       if @fetcher.nil?
         raise("Could not fetch inspec profile in #{target.inspect}.")

data/lib/inspec/cli.rb

@@ -65,6 +65,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
     desc: "Save the created profile to a path"
   option :controls, type: :array,
     desc: "A list of controls to include. Ignore all other tests."
+  option :tags, type: :array,
+    desc: "A list of tags to filter controls and include only those. Ignore all other tests."
   profile_options
   def json(target)
     require "json" unless defined?(JSON)
@@ -91,7 +93,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   end
 
   desc "check PATH", "verify all tests at the specified PATH"
-  option :format, type: :string
+  option :format, type: :string,
+    desc: "The output format to use doc (default), json. If valid format is not provided then it will use the default."
   profile_options
   def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
     o = config

data/lib/inspec/control_eval_context.rb

@@ -18,6 +18,7 @@ module Inspec
     attr_accessor :skip_file
     attr_accessor :profile_context
     attr_accessor :resources_dsl
+    attr_accessor :conf
 
     def initialize(profile_context, resources_dsl, backend, conf, dependencies, require_loader, skip_only_if_eval)
       @profile_context = profile_context
@@ -53,12 +54,30 @@ module Inspec
 
     def control(id, opts = {}, &block)
       opts[:skip_only_if_eval] = @skip_only_if_eval
-      if control_exist_in_controls_list?(id) || controls_list_empty?
+      if (controls_list_empty? && tags_list_empty?) || control_exist_in_controls_list?(id)
         register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block))
+      elsif !tags_list_empty?
+        # Inside elsif rule is initialised before registering it because it enables fetching of control tags
+        # This condition is only true when --tags option is used
+        inspec_rule = Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block)
+        tag_ids = control_tags(inspec_rule)
+        register_control(inspec_rule) if tag_exist_in_control_tags?(tag_ids)
       end
     end
+
     alias rule control
 
+    def control_tags(inspec_rule)
+      all_tags = []
+      inspec_rule.tag.each do |key, value|
+        all_tags.push(key)
+        all_tags.push(value) unless value.nil?
+      end
+      all_tags.flatten.compact.uniq.map(&:to_s)
+    rescue
+      []
+    end
+
     # Describe allows users to write rspec-like bare describe
     # blocks without declaring an inclosing control. Here, we
     # generate a control for them automatically and then execute
@@ -74,7 +93,7 @@ module Inspec
         res = describe(*args, &block)
       end
 
-      if control_exist_in_controls_list?(id) || controls_list_empty?
+      if controls_list_empty? || control_exist_in_controls_list?(id)
         register_control(rule, &block)
       end
 
@@ -171,6 +190,47 @@ module Inspec
       @skip_file = true
     end
 
+    # Check if the given control exist in the --tags option
+    def tag_exist_in_control_tags?(tag_ids)
+      tag_option_matches_with_list = false
+      if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist?
+        tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty?
+        unless tag_option_matches_with_list
+          @conf["profile"].include_tags_list.any? do |inclusion|
+            # Try to see if the inclusion is a regex, and if it matches
+            if inclusion.is_a?(Regexp)
+              tag_ids.each do |id|
+                tag_option_matches_with_list = (inclusion =~ id)
+                break if tag_option_matches_with_list
+              end
+            end
+          end
+        end
+      end
+      tag_option_matches_with_list
+    end
+
+    def tags_list_empty?
+      !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_tags_list.empty? || @conf.empty?
+    end
+
+    # Check if the given control exist in the --controls option
+    def control_exist_in_controls_list?(id)
+      id_exist_in_list = false
+      if profile_config_exist?
+        id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion|
+          # Try to see if the inclusion is a regex, and if it matches
+          inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
+        end
+      end
+      id_exist_in_list
+    end
+
+    # Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
+    def controls_list_empty?
+      !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
+    end
+
     private
 
     def block_location(block, alternate_caller)
@@ -187,21 +247,8 @@ module Inspec
       !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
     end
 
-    # Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
-    def controls_list_empty?
-      !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
-    end
-
-    # Check if the given control exist in the --controls option
-    def control_exist_in_controls_list?(id)
-      id_exist_in_list = false
-      if profile_config_exist?
-        id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion|
-          # Try to see if the inclusion is a regex, and if it matches
-          inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
-        end
-      end
-      id_exist_in_list
+    def profile_tag_config_exist?
+      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_tags_list.empty?
     end
   end
 end

data/lib/inspec/dsl.rb

@@ -93,23 +93,38 @@ module Inspec::DSL
     context = dep_entry.profile.runner_context
     # if we don't want all the rules, then just make 1 pass to get all rule_IDs
     # that we want to keep from the original
-    filter_included_controls(context, dep_entry.profile, &block) unless opts[:include_all]
+    if !opts[:include_all] || !(opts[:conf]["profile"].include_tags_list.empty?) || !opts[:conf]["profile"].include_controls_list.empty?
+      filter_included_controls(context, dep_entry.profile, opts, &block)
+    end
     # interpret the block and skip/modify as required
     context.load(block) if block_given?
     bind_context.add_subcontext(context)
   end
 
-  def self.filter_included_controls(context, profile, &block)
+  def self.filter_included_controls(context, profile, opts, &block)
     mock = Inspec::Backend.create(Inspec::Config.mock)
     include_ctx = Inspec::ProfileContext.for_profile(profile, mock)
     include_ctx.load(block) if block_given?
+    include_ctx.control_eval_context.conf = opts[:conf]
+    control_eval_ctx = include_ctx.control_eval_context
     # remove all rules that were not registered
     context.all_rules.each do |r|
       id = Inspec::Rule.rule_id(r)
       fid = Inspec::Rule.profile_id(r) + "/" + id
-      unless include_ctx.rules[id] || include_ctx.rules[fid]
+      if !opts[:include_all] && !(include_ctx.rules[id] || include_ctx.rules[fid])
         context.remove_rule(fid)
       end
+
+      unless control_eval_ctx.controls_list_empty?
+        # filter the dependent profile controls which are not in the --controls options list
+        context.remove_rule(fid) unless control_eval_ctx.control_exist_in_controls_list?(id)
+      end
+
+      unless control_eval_ctx.tags_list_empty?
+        # filter included controls using --tags
+        tag_ids = control_eval_ctx.control_tags(r)
+        context.remove_rule(fid) unless control_eval_ctx.tag_exist_in_control_tags?(tag_ids)
+      end
     end
   end
 end

data/lib/inspec/fetcher/url.rb

@@ -44,11 +44,17 @@ module Inspec::Fetcher
     #  - Branch URL
     #  - Commit URL
     #
-    # master url:
+    # master url(default branch master):
     # https://github.com/nathenharvey/tmp_compliance_profile/ is transformed to
     # https://github.com/nathenharvey/tmp_compliance_profile/archive/master.tar.gz
     # https://bitbucket.org/username/repo is transformed to
     # https://bitbucket.org/username/repo/get/master.tar.gz
+
+    # main url(default branch main):
+    # https://github.com/nathenharvey/tmp_compliance_profile/ is transformed to
+    # https://github.com/nathenharvey/tmp_compliance_profile/archive/main.tar.gz
+    # https://bitbucket.org/username/repo is transformed to
+    # https://bitbucket.org/username/repo/get/main.tar.gz
     #
     # branch:
     # https://github.com/hardening-io/tests-os-hardening/tree/2.0 is transformed to
@@ -68,14 +74,18 @@ module Inspec::Fetcher
     BITBUCKET_URL_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?<user>[\w-]+)/(?<repo>[\w-]+)(\.git)?(/)?$}.freeze
     BITBUCKET_URL_BRANCH_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?<user>[\w-]+)/(?<repo>[\w-]+)/branch/(?<branch>[\w\.]+)(/)?$}.freeze
     BITBUCKET_URL_COMMIT_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?<user>[\w-]+)/(?<repo>[\w-]+)/commits/(?<commit>[\w\.]+)(/)?$}.freeze
+    GITHUB_URL = "https://github.com".freeze
+    BITBUCKET_URL = "https://bitbucket.org".freeze
 
     def self.transform(target)
       transformed_target = if m = GITHUB_URL_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
-                             "https://github.com/#{m[:user]}/#{m[:repo]}/archive/master.tar.gz"
+                             default_branch = default_ref(m, GITHUB_URL)
+                             "https://github.com/#{m[:user]}/#{m[:repo]}/archive/#{default_branch}.tar.gz"
                            elsif m = GITHUB_URL_WITH_TREE_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
                              "https://github.com/#{m[:user]}/#{m[:repo]}/archive/#{m[:commit]}.tar.gz"
                            elsif m = BITBUCKET_URL_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
-                             "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/master.tar.gz"
+                             default_branch = default_ref(m, BITBUCKET_URL)
+                             "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/#{default_branch}.tar.gz"
                            elsif m = BITBUCKET_URL_BRANCH_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
                              "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/#{m[:branch]}.tar.gz"
                            elsif m = BITBUCKET_URL_COMMIT_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
@@ -120,6 +130,38 @@ module Inspec::Fetcher
 
     private
 
+    class << self
+      def default_ref(match_data, repo_url)
+        remote_url = "#{repo_url}/#{match_data[:user]}/#{match_data[:repo]}.git"
+        command_string = "git remote show #{remote_url}"
+        cmd = shellout(command_string)
+        unless cmd.exitstatus == 0
+          raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{remote_url} - error running '#{command_string}': #{cmd.stderr}")
+        else
+          ref = cmd.stdout.lines.detect { |l| l.include? "HEAD branch:" }&.split(":")&.last&.strip
+          unless ref
+            raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{remote_url} - error running '#{command_string}': NULL reference")
+          end
+
+          ref
+        end
+      end
+
+      def shellout(cmd, opts = {})
+        Inspec::Log.debug("Running external command: #{cmd} (#{opts})")
+        cmd = Mixlib::ShellOut.new(cmd, opts)
+        cmd.run_command
+        Inspec::Log.debug("External command: completed with exit status: #{cmd.exitstatus}")
+        Inspec::Log.debug("External command: STDOUT BEGIN")
+        Inspec::Log.debug(cmd.stdout)
+        Inspec::Log.debug("External command: STDOUT END")
+        Inspec::Log.debug("External command: STDERR BEGIN")
+        Inspec::Log.debug(cmd.stderr)
+        Inspec::Log.debug("External command: STDERR END")
+        cmd
+      end
+    end
+
     def parse_uri(target)
       return URI.parse(target) if target.is_a?(String)
 

data/lib/inspec/fetcher.rb

@@ -2,12 +2,12 @@ require "inspec/plugin/v1"
 
 module Inspec
   class FetcherRegistry < PluginRegistry
-    def resolve(target)
+    def resolve(target, opts = {})
       if fetcher_specified?(target)
-        super(target)
+        super(target, opts)
       else
         Inspec::Log.debug("Assuming default supermarket source for #{target}")
-        super(with_default_fetcher(target))
+        super(with_default_fetcher(target), opts)
       end
     end
 

data/lib/inspec/plugin/v1/registry.rb

@@ -9,9 +9,13 @@ class PluginRegistry
   #
   # @param [String] target to resolve
   # @return [Plugin] plugin instance if it can be resolved, nil otherwise
-  def resolve(target)
+  def resolve(target, opts = {})
     modules.each do |m|
-      res = m.resolve(target)
+      res = if Inspec::Fetcher::Url == m
+              m.resolve(target, opts)
+            else
+              m.resolve(target)
+            end
       return res unless res.nil?
     end
     nil

data/lib/inspec/profile.rb

@@ -18,9 +18,9 @@ module Inspec
   class Profile
     extend Forwardable
 
-    def self.resolve_target(target, cache)
+    def self.resolve_target(target, cache, opts = {})
       Inspec::Log.debug "Resolve #{target} into cache #{cache.path}"
-      Inspec::CachedFetcher.new(target, cache)
+      Inspec::CachedFetcher.new(target, cache, opts)
     end
 
     # Check if the profile contains a vendored cache, move content into global cache
@@ -70,7 +70,11 @@ module Inspec
 
     def self.for_target(target, opts = {})
       opts[:vendor_cache] ||= Cache.new
-      fetcher = resolve_target(target, opts[:vendor_cache])
+      config = {}
+      unless opts[:runner_conf].nil?
+        config = opts[:runner_conf].respond_to?(:final_options) ? opts[:runner_conf].final_options : opts[:runner_conf]
+      end
+      fetcher = resolve_target(target, opts[:vendor_cache], config)
       for_fetcher(fetcher, opts)
     end
 
@@ -87,6 +91,7 @@ module Inspec
       @logger = options[:logger] || Logger.new(nil)
       @locked_dependencies = options[:dependencies]
       @controls = options[:controls] || []
+      @tags = options[:tags] || []
       @writable = options[:writable] || false
       @profile_id = options[:id]
       @profile_name = options[:profile_name]
@@ -206,7 +211,7 @@ module Inspec
       @params ||= load_params
     end
 
-    def collect_tests(include_list = @controls)
+    def collect_tests
       unless @tests_collected || failed?
         return unless supports_platform?
 
@@ -253,6 +258,30 @@ module Inspec
       included_controls
     end
 
+    # This creates the list of controls to be filtered by tag values provided in the --tags options
+    def include_tags_list
+      return [] if @tags.nil? || @tags.empty?
+
+      included_tags = @tags
+      # Check for anything that might be a regex in the list, and make it official
+      included_tags.each_with_index do |inclusion, index|
+        next if inclusion.is_a?(Regexp)
+        # Insist the user wrap the regex in slashes to demarcate it as a regex
+        next unless inclusion.start_with?("/") && inclusion.end_with?("/")
+
+        inclusion = inclusion[1..-2] # Trim slashes
+        begin
+          re = Regexp.new(inclusion)
+          included_tags[index] = re
+        rescue RegexpError => e
+          warn "Ignoring unparseable regex '/#{inclusion}/' in --control CLI option: #{e.message}"
+          included_tags[index] = nil
+        end
+      end
+      included_tags.compact!
+      included_tags
+    end
+
     def load_libraries
       return @runner_context if @libraries_loaded
 

data/lib/inspec/resources/apache_conf.rb

@@ -82,7 +82,7 @@ module Inspec::Resources
           end
         end
 
-        @params.merge!(params)
+        @params.merge!(params) { |key, current_val, new_val| [*current_val].to_a + [*new_val].to_a }
 
         to_read = to_read.drop(1)
         to_read += include_files(params).find_all do |fp|
@@ -101,12 +101,14 @@ module Inspec::Resources
       include_files_optional = params["IncludeOptional"] || []
 
       includes = []
-      (include_files + include_files_optional).each do |f|
-        id    = Pathname.new(f).absolute? ? f : File.join(conf_dir, f)
-        files = find_files(id, depth: 1, type: "file")
-        files += find_files(id, depth: 1, type: "link")
+      unless conf_dir.nil?
+        (include_files + include_files_optional).each do |f|
+          id    = Pathname.new(f).absolute? ? f : File.join(conf_dir, f)
+          files = find_files(id, depth: 1, type: "file")
+          files += find_files(id, depth: 1, type: "link")
 
-        includes.push(files) if files
+          includes.push(files) if files
+        end
       end
 
       # [].flatten! == nil

data/lib/inspec/resources/chrony_conf.rb

@@ -0,0 +1,55 @@
+# chrony_conf
+
+require "inspec/utils/simpleconfig"
+require "inspec/utils/file_reader"
+
+module Inspec::Resources
+  class ChronyConf < Inspec.resource(1)
+    name "chrony_conf"
+    supports platform: "unix"
+    desc "Use the chrony_conf InSpec audit resource to test the synchronization settings defined in the chrony.conf file. This file is typically located at /etc/chrony.conf."
+    example <<~EXAMPLE
+      describe chrony_conf do
+        its('server') { should_not cmp nil }
+        its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery' }
+        its('pool') { should include 'pool.ntp.org iburst' }
+        its('driftfile') { should cmp '/var/lib/ntp/drift' }
+        its('allow') { should cmp nil }
+        its('keyfile') { should cmp '/etc/chrony.keys' }
+      end
+    EXAMPLE
+
+    include FileReader
+
+    def initialize(path = nil)
+      @conf_path = path || "/etc/chrony.conf"
+      @content = read_file_content(@conf_path)
+    end
+
+    def method_missing(name)
+      param = read_params[name.to_s]
+      # extract first value if we have only one value in array
+      return param[0] if param.is_a?(Array) && (param.length == 1)
+
+      param
+    end
+
+    def to_s
+      "chrony.conf"
+    end
+
+    private
+
+    def read_params
+      return @params if defined?(@params)
+
+      # parse the file
+      conf = SimpleConfig.new(
+        @content,
+        assignment_regex: /^\s*(\S+)\s+(.*)\s*$/,
+        multiple_values: true
+      )
+      @params = conf.params
+    end
+  end
+end

data/lib/inspec/resources/csv.rb

@@ -11,14 +11,28 @@ module Inspec::Resources
       describe csv('example.csv') do
         its('name') { should eq(['John', 'Alice']) }
       end
+
+      describe csv('example.csv', false).params do
+        its[[0]] { should eq (['name', 'col1', 'col2']) }
+      emd
     EXAMPLE
 
+    def initialize(path, headers = true)
+      @headers = headers
+      super(path)
+    end
+
     # override the parse method from JsonConfig
     # Assuming a header row of name,col1,col2, it will output an array of hashes like so:
     #    [
     #      { 'name' => 'row1', 'col1' => 'value1', 'col2' => 'value2' },
     #      { 'name' => 'row2', 'col1' => 'value3', 'col2' => 'value4' }
     #    ]
+    # When headers is set to false it will return data as array of array
+    #    [
+    #      ['name', col1', 'col2'],
+    #      ['row2', 'value3', 'value4']
+    #    ]
     def parse(content)
       require "csv" unless defined?(CSV)
 
@@ -28,10 +42,14 @@ module Inspec::Resources
       end
 
       # implicit conversion of values
-      csv = CSV.new(content, headers: true, converters: %i{all blank_to_nil})
+      csv = CSV.new(content, headers: @headers, converters: %i{all blank_to_nil})
 
       # convert to hash
-      csv.to_a.map(&:to_hash)
+      if @headers
+        csv.to_a.map(&:to_hash)
+      else
+        csv.to_a
+      end
     rescue => e
       raise Inspec::Exceptions::ResourceFailed, "Unable to parse CSV: #{e.message}"
     end
@@ -42,7 +60,12 @@ module Inspec::Resources
     # #value method from JsonConfig (which uses ObjectTraverser.extract_value)
     # doesn't make sense here.
     def value(key)
-      @params.map { |x| x[key.first.to_s] }.compact
+      if @headers
+        @params.map { |x| x[key.first.to_s] }.compact
+      else
+        # when headers is set to false send the array as it is.
+        @params
+      end
     end
 
     private

data/lib/inspec/resources/ibmdb2_conf.rb

@@ -0,0 +1,57 @@
+module Inspec::Resources
+  class Ibmdb2Conf < Inspec.resource(1)
+    name "ibmdb2_conf"
+
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the ibmdb2_conf InSpec audit resource to test the configuration values of IBM Db2 database."
+    example <<~EXAMPLE
+      describe ibmdb2_conf(db2_executable_file_path: "path_to_db2_binary", db_instance: "db2inst1") do
+        its("output") { should_not be_empty }
+        its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")}
+      end
+    EXAMPLE
+
+    attr_reader :output
+
+    def initialize(opts = {})
+      if inspec.os.platform?("unix")
+        @db2_executable_file_path = opts[:db2_executable_file_path]
+        @db_instance = opts[:db_instance]
+        raise Inspec::Exceptions::ResourceFailed, "Can't connect to IBM DB2 without db2_executable_file_path, db_instance options provided." if @db2_executable_file_path.nil? || @db_instance.nil?
+      end
+      @output = run_command
+    end
+
+    def to_s
+      "IBM Db2 Conf"
+    end
+
+    private
+
+    def run_command
+      # attach to the db2 instance and get the configuration
+      if inspec.os.platform?("unix")
+        cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration")
+        out = cmd.stdout + "\n" + cmd.stderr
+
+        # check if following specific error is there. Sourcing the db2profile to resolve the error.
+        if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved.  Reason code: "3"/
+          cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration")
+          out = cmd.stdout + "\n" + cmd.stderr
+        end
+      elsif inspec.os.platform?("windows")
+        # set-item command set the powershell to run the db2 commands.
+        cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 get database manager configuration")
+        out = cmd.stdout + "\n" + cmd.stderr
+      end
+
+      if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 server/ || out.downcase =~ /^error:.*/
+        raise Inspec::Exceptions::ResourceFailed, "IBM Db2 query with error: #{out}"
+      else
+        cmd.stdout.gsub(/\n|\r/, ",").split(",").reject { |n| n.nil? || n.empty? }.map { |n| n.strip.gsub!(/\s+/, " ") }
+      end
+    end
+  end
+end