inspec-core 4.41.20 → 4.52.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 26a893a79810f4d3e7aeb90032bd625636c045c8edc11274dddef456d504d278
-  data.tar.gz: 05c34cf8764889bc585a0175cfd7d7c63ef54a4c45c30d182f599de1b3ef8a56
+  metadata.gz: a5fc9c31a9983866ff40fb11326a3c2bac04342e1d473b845e81639bbca88a8c
+  data.tar.gz: 6fd55b54b5c1510572fa963d2d4833a8f3132ae5cbfb1871a4662f8b3da720d9
 SHA512:
-  metadata.gz: 6d04b25d7423b4fec6be048b8f131bfc28e90266a631829270930b8aa96a520b220c19a0d8fe463689441f67cb8d567d6163df7f56fcc27786ef72f25508dbfc
-  data.tar.gz: f798eee0dafda728d169d34ac8a73fef9803f3a70b1b1342d395d3954420644cef3fedcc202c1dc30204bdf1b2098741831af0200b1b3758c03511f38874e9ca
+  metadata.gz: d9f356b30301430dbeeeb599b696aacfc4ec1caaadafd61e6af40462db60fa400cd2bf4add6a682fe379c65ed4adb0f926a858e6b072066f06296821725f7f92
+  data.tar.gz: 25381065952aa3d460cedd9c56a5b389625b2ed11841f2085047e81444c3aa1d788338468c640f5c27403b4074a5649b825a3289e0b63cdc96d70e8450cc664c

data/Gemfile

@@ -66,3 +66,7 @@ if Gem.ruby_version >= Gem::Version.new("2.7.0")
     gem "git"
   end
 end
+
+if Gem.ruby_version < Gem::Version.new("2.7.0")
+  gem "activesupport", "6.1.4.4"
+end

data/etc/deprecations.json

@@ -4,7 +4,7 @@
   "groups": {
     "attrs_value_replaces_default": {
       "action": "warn",
-      "prefix": "The 'default' option for attributes is being replaced by 'value' - please use it instead."
+      "prefix": "The 'default' option for inputs is being replaced by 'value' - please use it instead."
     },
     "attrs_dsl": {
       "action": "ignore",

data/lib/bundles/inspec-supermarket/README.md

@@ -8,8 +8,27 @@ To use the CLI, this InSpec add-on adds the following commands:
 
  Compliance profiles from Supermarket can be executed in two ways:
 
- - via supermarket exec: `inspec supermarket exec nathenharvey/tmp-compliance-profile`
- - via supermarket scheme: `inspec exec supermarket://nathenharvey/tmp-compliance-profile`
+ - via supermarket exec:
+
+ **Public Supermarket**
+
+ `inspec supermarket exec nathenharvey/tmp-compliance-profile`
+
+ **Private Supermarket**
+
+ `inspec supermarket exec nathenharvey/tmp-compliance-profile --supermarket_url="PRIVATE_SUPERMARKET_URL"`
+
+
+ - via supermarket scheme:
+
+ **Public Supermarket**
+
+ `inspec exec supermarket://nathenharvey/tmp-compliance-profile`
+
+ **Private Supermarket**
+
+ `inspec exec supermarket://nathenharvey/tmp-compliance-profile --supermarket_url="PRIVATE_SUPERMARKET_URL"`
+
 
 ## Usage
 

data/lib/bundles/inspec-supermarket/cli.rb

@@ -15,10 +15,18 @@ module Supermarket
     end
 
     desc "profiles", "list all available profiles in Chef Supermarket"
+    supermarket_options
     def profiles
-      # display profiles in format user/profile
-      supermarket_profiles = Supermarket::API.profiles
+      o = config
+      diagnose(o)
+      configure_logger(o)
 
+      # display profiles in format user/profile
+      supermarket_profiles =  if o["supermarket_url"]
+                                Supermarket::API.profiles(o["supermarket_url"])
+                              else
+                                Supermarket::API.profiles
+                              end
       headline("Available profiles:")
       supermarket_profiles.each do |p|
         li("#{p["tool_name"]} #{mark_text(p["tool_owner"] + "/" + p["slug"])}")
@@ -45,9 +53,18 @@ module Supermarket
     end
 
     desc "info PROFILE", "display Supermarket profile details"
+    supermarket_options
     def info(profile)
+      o = config
+      diagnose(o)
+      configure_logger(o)
+
       # check that the profile is available
-      supermarket_profiles = Supermarket::API.profiles
+      supermarket_profiles =  if o["supermarket_url"]
+                                Supermarket::API.profiles(o["supermarket_url"])
+                              else
+                                Supermarket::API.profiles
+                              end
       found = supermarket_profiles.select do |p|
         profile == "#{p["tool_owner"]}/#{p["slug"]}"
       end

data/lib/bundles/inspec-supermarket/target.rb

@@ -9,10 +9,11 @@ module Supermarket
     priority 500
 
     def self.resolve(target, opts = {})
+      supermarket_url = opts["supermarket_url"] || Supermarket::API::SUPERMARKET_URL
       supermarket_uri, supermarket_server = if target.is_a?(String) && URI(target).scheme == "supermarket"
-                                              [target, Supermarket::API::SUPERMARKET_URL]
+                                              [target, supermarket_url]
                                             elsif target.respond_to?(:key?) && target.key?(:supermarket)
-                                              supermarket_server = target[:supermarket_url] || Supermarket::API::SUPERMARKET_URL
+                                              supermarket_server = target[:supermarket_url] || supermarket_url
                                               ["supermarket://#{target[:supermarket]}", supermarket_server]
                                             end
       return nil unless supermarket_uri

data/lib/inspec/base_cli.rb

@@ -126,6 +126,8 @@ module Inspec
         desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
       option :docker_url, type: :string,
         desc: "Provides path to Docker API endpoint (Docker)"
+      option :ssh_config_file, type: :array,
+        desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config"
     end
 
     def self.profile_options
@@ -135,9 +137,15 @@ module Inspec
         desc: "Use the given path for caching dependencies. (default: ~/.inspec/cache)"
     end
 
+    def self.supermarket_options
+      option :supermarket_url, type: :string,
+        desc: "Specify the URL of a private Chef Supermarket."
+    end
+
     def self.exec_options
       target_options
       profile_options
+      supermarket_options
       option :controls, type: :array,
         desc: "A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests."
       option :tags, type: :array,
@@ -174,6 +182,10 @@ module Inspec
         desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
       option :filter_empty_profiles, type: :boolean, default: false,
         desc: "Filter empty profiles (profiles without controls) from the report."
+      option :filter_waived_controls, type: :boolean,
+        desc: "Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores `run` setting of waiver file."
+      option :retain_waiver_data, type: :boolean,
+        desc: "EXPERIMENTAL: Only works in conjunction with --filter-waived-controls, retains waiver data about controls that were skipped"
       option :command_timeout, type: :numeric,
         desc: "Maximum seconds to allow commands to run during execution.",
         long_desc: "Maximum seconds to allow commands to run during execution. A timed out command is considered an error."

data/lib/inspec/cli.rb

@@ -93,7 +93,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   end
 
   desc "check PATH", "verify all tests at the specified PATH"
-  option :format, type: :string
+  option :format, type: :string,
+    desc: "The output format to use doc (default), json. If valid format is not provided then it will use the default."
   profile_options
   def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
     o = config
@@ -121,8 +122,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
       end
       puts
 
-      if result[:errors].empty? && result[:warnings].empty?
-        ui.plain_line("No errors or warnings")
+      enable_offenses = !Inspec.locally_windows? # See 5723
+      if result[:errors].empty? && result[:warnings].empty? && result[:offenses].empty?
+        if enable_offenses
+          ui.plain_line("No errors, warnings, or offenses")
+        else
+          ui.plain_line("No errors or warnings")
+        end
       else
         item_msg = lambda { |item|
           pos = [item[:file], item[:line], item[:column]].compact.join(":")
@@ -134,11 +140,22 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
         puts
 
+        if enable_offenses && !result[:offenses].empty?
+          puts "Offenses:\n"
+          result[:offenses].each { |item| ui.cyan(" #{Inspec::UI::GLYPHS[:script_x]} #{item_msg.call(item)}\n\n") }
+        end
+
+        offenses = ui.cyan("#{result[:offenses].length} offenses", print: false)
         errors = ui.red("#{result[:errors].length} errors", print: false)
         warnings = ui.yellow("#{result[:warnings].length} warnings", print: false)
-        ui.plain_line("Summary:     #{errors}, #{warnings}")
+        if enable_offenses
+          ui.plain_line("Summary:     #{errors}, #{warnings}, #{offenses}")
+        else
+          ui.plain_line("Summary:     #{errors}, #{warnings}")
+        end
       end
     end
+
     ui.exit Inspec::UI::EXIT_USAGE_ERROR unless result[:summary][:valid]
   rescue StandardError => e
     pretty_handle_exception(e)

data/lib/inspec/control_eval_context.rb

@@ -18,6 +18,7 @@ module Inspec
     attr_accessor :skip_file
     attr_accessor :profile_context
     attr_accessor :resources_dsl
+    attr_accessor :conf
 
     def initialize(profile_context, resources_dsl, backend, conf, dependencies, require_loader, skip_only_if_eval)
       @profile_context = profile_context
@@ -189,29 +190,24 @@ module Inspec
       @skip_file = true
     end
 
-    private
-
-    def block_location(block, alternate_caller)
-      if block.nil?
-        alternate_caller[/^(.+:\d+):in .+$/, 1] || "unknown"
-      else
-        path, line = block.source_location
-        "#{File.basename(path)}:#{line}"
+    # Check if the given control exist in the --tags option
+    def tag_exist_in_control_tags?(tag_ids)
+      tag_option_matches_with_list = false
+      if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist?
+        tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty?
+        unless tag_option_matches_with_list
+          @conf["profile"].include_tags_list.any? do |inclusion|
+            # Try to see if the inclusion is a regex, and if it matches
+            if inclusion.is_a?(Regexp)
+              tag_ids.each do |id|
+                tag_option_matches_with_list = (inclusion =~ id)
+                break if tag_option_matches_with_list
+              end
+            end
+          end
+        end
       end
-    end
-
-    # Returns true if configuration hash is not empty and it contains the list of controls is not empty
-    def profile_config_exist?
-      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
-    end
-
-    def profile_tag_config_exist?
-      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_tags_list.empty?
-    end
-
-    # Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
-    def controls_list_empty?
-      !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
+      tag_option_matches_with_list
     end
 
     def tags_list_empty?
@@ -230,24 +226,29 @@ module Inspec
       id_exist_in_list
     end
 
-    # Check if the given control exist in the --tags option
-    def tag_exist_in_control_tags?(tag_ids)
-      tag_option_matches_with_list = false
-      if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist?
-        tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty?
-        unless tag_option_matches_with_list
-          @conf["profile"].include_tags_list.any? do |inclusion|
-            # Try to see if the inclusion is a regex, and if it matches
-            if inclusion.is_a?(Regexp)
-              tag_ids.each do |id|
-                tag_option_matches_with_list = (inclusion =~ id)
-                break if tag_option_matches_with_list
-              end
-            end
-          end
-        end
+    # Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
+    def controls_list_empty?
+      !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
+    end
+
+    private
+
+    def block_location(block, alternate_caller)
+      if block.nil?
+        alternate_caller[/^(.+:\d+):in .+$/, 1] || "unknown"
+      else
+        path, line = block.source_location
+        "#{File.basename(path)}:#{line}"
       end
-      tag_option_matches_with_list
+    end
+
+    # Returns true if configuration hash is not empty and it contains the list of controls is not empty
+    def profile_config_exist?
+      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
+    end
+
+    def profile_tag_config_exist?
+      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_tags_list.empty?
     end
   end
 end

data/lib/inspec/dsl.rb

@@ -93,23 +93,38 @@ module Inspec::DSL
     context = dep_entry.profile.runner_context
     # if we don't want all the rules, then just make 1 pass to get all rule_IDs
     # that we want to keep from the original
-    filter_included_controls(context, dep_entry.profile, &block) unless opts[:include_all]
+    if !opts[:include_all] || !(opts[:conf]["profile"].include_tags_list.empty?) || !opts[:conf]["profile"].include_controls_list.empty?
+      filter_included_controls(context, dep_entry.profile, opts, &block)
+    end
     # interpret the block and skip/modify as required
     context.load(block) if block_given?
     bind_context.add_subcontext(context)
   end
 
-  def self.filter_included_controls(context, profile, &block)
+  def self.filter_included_controls(context, profile, opts, &block)
     mock = Inspec::Backend.create(Inspec::Config.mock)
     include_ctx = Inspec::ProfileContext.for_profile(profile, mock)
     include_ctx.load(block) if block_given?
+    include_ctx.control_eval_context.conf = opts[:conf]
+    control_eval_ctx = include_ctx.control_eval_context
     # remove all rules that were not registered
     context.all_rules.each do |r|
       id = Inspec::Rule.rule_id(r)
       fid = Inspec::Rule.profile_id(r) + "/" + id
-      unless include_ctx.rules[id] || include_ctx.rules[fid]
+      if !opts[:include_all] && !(include_ctx.rules[id] || include_ctx.rules[fid])
         context.remove_rule(fid)
       end
+
+      unless control_eval_ctx.controls_list_empty?
+        # filter the dependent profile controls which are not in the --controls options list
+        context.remove_rule(fid) unless control_eval_ctx.control_exist_in_controls_list?(id)
+      end
+
+      unless control_eval_ctx.tags_list_empty?
+        # filter included controls using --tags
+        tag_ids = control_eval_ctx.control_tags(r)
+        context.remove_rule(fid) unless control_eval_ctx.tag_exist_in_control_tags?(tag_ids)
+      end
     end
   end
 end

data/lib/inspec/globals.rb

@@ -18,4 +18,9 @@ module Inspec
     require "etc" unless defined?(Etc)
     Etc.getpwuid.dir
   end
+
+  def self.locally_windows?
+    require "rbconfig" unless defined?(RbConfig)
+    RbConfig::CONFIG["host_os"] =~ /mswin|mingw|cygwin/
+  end
 end

data/lib/inspec/plugin/v1/registry.rb

@@ -11,7 +11,7 @@ class PluginRegistry
   # @return [Plugin] plugin instance if it can be resolved, nil otherwise
   def resolve(target, opts = {})
     modules.each do |m|
-      res = if Inspec::Fetcher::Url == m
+      res = if ["Inspec::Fetcher::Url", "Supermarket::Fetcher"].include? m.to_s
               m.resolve(target, opts)
             else
               m.resolve(target)

data/lib/inspec/profile.rb

@@ -217,6 +217,9 @@ module Inspec
 
         locked_dependencies.each(&:collect_tests)
 
+        tests = filter_waived_controls
+
+        # Collect tests
         tests.each do |path, content|
           next if content.nil? || content.empty?
 
@@ -233,6 +236,65 @@ module Inspec
       @runner_context.all_rules
     end
 
+    # Wipe out waived controls
+    def filter_waived_controls
+      cfg = Inspec::Config.cached
+      return tests unless cfg["filter_waived_controls"]
+
+      ## Find the waivers file
+      # - TODO: cli_opts and instance_variable_get could be exposed
+      waiver_paths = cfg.instance_variable_get(:@cli_opts)["waiver_file"]
+      if waiver_paths.blank?
+        Inspec::Log.error "Must use --waiver-file with --filter-waived-controls"
+        Inspec::UI.new.exit(:usage_error)
+      end
+
+      # # Pull together waiver
+      waived_control_ids = []
+      waiver_paths.each do |waiver_path|
+        waiver_content = YAML.load_file(waiver_path)
+        unless waiver_content
+          # Note that we will have already issued a detailed warning
+          Inspec::Log.error "YAML parsing error in #{waiver_path}"
+          Inspec::UI.new.exit(:usage_error)
+        end
+        waived_control_ids << waiver_content.keys
+      end
+      waived_control_id_regex = "(#{waived_control_ids.join("|")})"
+
+      ## Purge tests (this could be doone in next block for performance)
+      ## TODO: implement earlier with pure AST and pure autocorrect AST
+      filtered_tests = {}
+      if cfg["retain_waiver_data"]
+        # VERY EXPERIMENTAL, but an empty describe block at the top level
+        # of the control blocks evaluation of ruby code until later-term
+        # waivers (behind the scenes this tells RSpec to hold on and use its internals to lazy load the code). This allows current waiver-data (e.g. skips) to still
+        # be processed and rendered
+        tests.each do |control_filename, source_code|
+          cleared_tests = source_code.scan(/control\s+['"].+?['"].+?(?=(?:control\s+['"].+?['"])|\z)/m).collect do |element|
+            next if element.blank?
+
+            if element&.match?(waived_control_id_regex)
+              splitlines = element.split("\n")
+              splitlines[0] + "\ndescribe '---' do\n" + splitlines[1..-1].join("\n") + "\nend\n"
+            else
+              element
+            end
+          end.join("")
+          filtered_tests[control_filename] = cleared_tests
+        end
+      else
+        tests.each do |control_filename, source_code|
+          cleared_tests = source_code.scan(/control\s+['"].+?['"].+?(?=(?:control\s+['"].+?['"])|\z)/m).select do |control_code|
+            !control_code.match?(waived_control_id_regex)
+          end.join("")
+
+          filtered_tests[control_filename] = cleared_tests
+        end
+      end
+      filtered_tests
+    end
+
     # This creates the list of controls provided in the --controls options which need to be include
     # for evaluation.
     def include_controls_list
@@ -386,6 +448,45 @@ module Inspec
       res
     end
 
+    def cookstyle_linting_check
+      msgs = []
+      return msgs if Inspec.locally_windows? # See #5723
+
+      output = cookstyle_rake_output.split("Offenses:").last
+      msgs = output.split("\n").select { |x| x =~ /[A-Z]:/ } unless output.nil?
+      msgs
+    end
+
+    # Cookstyle linting rake run output
+    def cookstyle_rake_output
+      require "cookstyle"
+      require "rubocop/rake_task"
+      begin
+        RuboCop::RakeTask.new(:cookstyle_lint) do |spec|
+          spec.options += [
+            "--display-cop-names",
+            "--parallel",
+            "--only=InSpec/Deprecations",
+          ]
+          spec.patterns += Dir.glob("#{@target}/**/*.rb").reject { |f| File.directory?(f) }
+          spec.fail_on_error = false
+        end
+      rescue LoadError
+        puts "Rubocop is not available. Install the rubocop gem to run the lint tests."
+      end
+      begin
+        stdout = StringIO.new
+        $stdout = stdout
+        Rake::Task["cookstyle_lint"].invoke
+        $stdout = STDOUT
+        Rake.application["cookstyle_lint"].reenable
+        stdout.string
+      rescue => e
+        puts "Cookstyle lint checks could not be performed. Error while running cookstyle - #{e}"
+        ""
+      end
+    end
+
     # Check if the profile is internally well-structured. The logger will be
     # used to print information on errors and warnings which are found.
     #
@@ -402,6 +503,7 @@ module Inspec
         },
         errors: [],
         warnings: [],
+        offenses: [],
       }
 
       entry = lambda { |file, line, column, control, msg|
@@ -424,6 +526,10 @@ module Inspec
         result[:errors].push(entry.call(file, line, column, control, msg))
       }
 
+      offense = lambda { |file, line, column, control, msg|
+        result[:offenses].push(entry.call(file, line, column, control, msg))
+      }
+
       @logger.info "Checking profile in #{@target}"
       meta_path = @source_reader.target.abs_path(@source_reader.metadata.ref)
 
@@ -486,8 +592,15 @@ module Inspec
         warn.call(sfile, sline, nil, id, "Control #{id} has no tests defined") if control[:checks].nil? || control[:checks].empty?
       end
 
-      # profile is valid if we could not find any error
-      result[:summary][:valid] = result[:errors].empty?
+      # Running cookstyle to check for code offenses
+      cookstyle_linting_check.each do |lint_output|
+        data = lint_output.split(":")
+        msg = "#{data[-2]}:#{data[-1]}"
+        offense.call(data[0], data[1], data[2], nil, msg)
+      end
+
+      # profile is valid if we could not find any error & offenses
+      result[:summary][:valid] = result[:errors].empty? && result[:offenses].empty?
 
       @logger.info "Control definitions OK." if result[:warnings].empty?
       result

data/lib/inspec/resources/auditd.rb

@@ -28,12 +28,13 @@ module Inspec::Resources
     EXAMPLE
 
     def initialize
-      unless inspec.command("/sbin/auditctl").exist?
+      @auditctl_cmd_str = inspec.os.name.eql?("alpine") ? "/usr/sbin/auditctl" : "/sbin/auditctl"
+      unless inspec.command(@auditctl_cmd_str).exist?
         raise Inspec::Exceptions::ResourceFailed,
-              "Command `/sbin/auditctl` does not exist"
+              "Command `#{@auditctl_cmd_str}` does not exist"
       end
 
-      auditctl_cmd = "/sbin/auditctl -l"
+      auditctl_cmd = "#{@auditctl_cmd_str} -l"
       result = inspec.command(auditctl_cmd)
 
       if result.exit_status != 0
@@ -68,7 +69,7 @@ module Inspec::Resources
     filter.install_filter_methods_on_resource(self, :params)
 
     def status(name = nil)
-      @status_content ||= inspec.command("/sbin/auditctl -s").stdout.chomp
+      @status_content ||= inspec.command("#{@auditctl_cmd_str} -s").stdout.chomp
 
       # See: https://github.com/inspec/inspec/issues/3113
       if @status_content =~ /^AUDIT_STATUS/

data/lib/inspec/resources/cassandra.rb

@@ -0,0 +1,64 @@
+module Inspec::Resources
+  class Cassandra < Inspec.resource(1)
+    name "cassandra"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "The 'cassandra' resource is a helper for the 'cql_conf'"
+
+    attr_reader :conf_path
+
+    def initialize
+      case inspec.os[:family]
+      when "debian", "redhat", "linux", "suse"
+        determine_conf_dir_and_path_in_linux
+      when "windows"
+        determine_conf_dir_and_path_in_windows
+      end
+    end
+
+    def to_s
+      "CassandraDB"
+    end
+
+    private
+
+    def determine_conf_dir_and_path_in_linux
+      cassandra_home = inspec.os_env("CASSANDRA_HOME").content
+
+      if cassandra_home.nil? || cassandra_home.empty?
+        warn "$CASSANDRA_HOME environment variable not set in the system"
+        nil
+      else
+        conf_path = "#{cassandra_home}/cassandra.yaml"
+        if !inspec.file(conf_path).exist?
+          warn "Cassandra conf file not found in #{cassandra_home} directory."
+          nil
+        else
+          @conf_path = conf_path
+        end
+      end
+    rescue => e
+      fail_resource "Errors reading cassandra conf file: #{e}"
+    end
+
+    def determine_conf_dir_and_path_in_windows
+      cassandra_home = inspec.os_env("CASSANDRA_HOME").content
+
+      if cassandra_home.nil? || cassandra_home.empty?
+        warn "CASSANDRA_HOME environment variable not set in the system"
+        nil
+      else
+        conf_path = "#{cassandra_home}\\conf\\cassandra.yaml"
+        if !inspec.file(conf_path).exist?
+          warn "Cassandra conf file not found in #{cassandra_home}\\conf directory."
+          nil
+        else
+          @conf_path = conf_path
+        end
+      end
+    rescue => e
+      fail_resource "Errors reading cassandra conf file: #{e}"
+    end
+  end
+end

data/lib/inspec/resources/cassandradb_conf.rb

@@ -0,0 +1,47 @@
+require "inspec/resources/json"
+require "inspec/resources/cassandra"
+
+module Inspec::Resources
+  class CassandradbConf < JsonConfig
+    name "cassandradb_conf"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the cql_conf InSpec audit resource to test the contents of the configuration file for Cassandra DB"
+    example <<~EXAMPLE
+      describe cassandradb_conf do
+        its('listen_address') { should eq '0.0.0.0' }
+      end
+    EXAMPLE
+
+    def initialize(conf_path = nil)
+      cassandra = nil
+      if conf_path.nil?
+        cassandra = inspec.cassandra
+        @conf_path = cassandra.conf_path
+      else
+        @conf_path = conf_path
+      end
+
+      if cassandra && cassandra.resource_failed?
+        raise cassandra.resource_exception_message
+      elsif @conf_path.nil?
+        return skip_resource "Cassandra db conf path is not set"
+      end
+
+      super(@conf_path)
+    end
+
+    private
+
+    def parse(content)
+      YAML.load(content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse `cassandra.yaml` file: #{e.message}"
+    end
+
+    def resource_base_name
+      "Cassandra Configuration"
+    end
+
+  end
+end