inspec-core 4.49.0 → 4.56.17

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 31dcab9ba9621f43755fc390ad061c08b7e6ab19466d26a38921d33960e1bbf5
-  data.tar.gz: eecdf0ec772ef012bfbf5185b379c47dd008fe902b9e91d4feee6979b0294c0f
+  metadata.gz: 9930c475b5a1e282ab613db458f60c77561db82d6c009d6c7254f5a3789132f5
+  data.tar.gz: 8a11ae471b5954568be5bf6fc88e52d974a5ac9cb83caf2a6560dd3dd26d55fe
 SHA512:
-  metadata.gz: 1059703ad59c2bf7c213a0914f94a8852cc550b1d305f634e07a08b364edae5c0f550927a8bcec9e712cd313949388082fdebf5c3164147ef12c21df952281b9
-  data.tar.gz: 1d4e6e64b8851c40349b7d696d46904fa73c0683d19c70afaa942a4c4bef4591a3ed4d7ec2c89aa5f7717da70617d70f182a7e9b894338da77592231b4c62234
+  metadata.gz: 0106f09ddcc1077650b6781631188dcb4231829b4e2b737680f49c6736b3c08001523d34a9398eb7499147dde9d22c4bbdd9058721c484424fe69933535e7557
+  data.tar.gz: b04b2c02c6d1009cee30a5ca32521d4c62e62fcf72727d0f720af5fa54da01029dbcd1b25656460f73d9d4cb7f3bf3b94b7e1f049479770a0a4848aa1f25034f

data/Gemfile

@@ -11,11 +11,6 @@ gem "inspec-bin", path: "./inspec-bin"
 
 gem "ffi", ">= 1.9.14", "!= 1.13.0", "!= 1.14.2"
 
-if Gem.ruby_version.to_s.start_with?("2.5")
-  # 16.7.23 required ruby 2.6+
-  gem "chef-utils", "< 16.7.23" # TODO: remove when we drop ruby 2.5
-end
-
 # inspec tests depend text output that changed in the 3.10 release
 # but our runtime dep is still 3.9+
 gem "rspec", ">= 3.10"
@@ -30,11 +25,7 @@ end
 group :test do
   gem "chefstyle", "~> 2.0.3"
   gem "concurrent-ruby", "~> 1.0"
-  if Gem.ruby_version.to_s.start_with?("2.5")
-    gem "html-proofer", "= 3.19.1" , platforms: :ruby # do not attempt to run proofer on windows
-  else
-    gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
-  end
+  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
   gem "json_schemer", ">= 0.2.1", "< 0.2.19"
   gem "m"
   gem "minitest-sprint", "~> 1.0"
@@ -45,7 +36,8 @@ group :test do
   gem "pry", "~> 0.10"
   gem "rake", ">= 10"
   gem "ruby-progressbar", "~> 1.8"
-  gem "simplecov", "~> 0.18"
+  gem "simplecov", "~> 0.21"
+  gem "simplecov_json_formatter"
   gem "webmock", "~> 3.0"
 end
 
@@ -66,3 +58,7 @@ if Gem.ruby_version >= Gem::Version.new("2.7.0")
     gem "git"
   end
 end
+
+if Gem.ruby_version < Gem::Version.new("2.7.0")
+  gem "activesupport", "6.1.4.4"
+end

data/inspec-core.gemspec

@@ -13,7 +13,7 @@ Gem::Specification.new do |spec|
   spec.license       = "Apache-2.0"
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.5"
+  spec.required_ruby_version = ">= 2.6"
 
   # the gemfile and gemspec are necessary for appbundler so don't remove it
   spec.files =
@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "thor",               ">= 0.20", "< 2.0"
   spec.add_dependency "method_source",      ">= 0.8", "< 2.0"
   spec.add_dependency "rubyzip",            ">= 1.2.2", "< 3.0"
-  spec.add_dependency "rspec",              ">= 3.9", "< 3.11"
+  spec.add_dependency "rspec",              ">= 3.9", "<= 3.11"
   spec.add_dependency "rspec-its",          "~> 1.2"
   spec.add_dependency "pry",                "~> 0.13"
   spec.add_dependency "hashie",             ">= 3.4", "< 5.0"

data/lib/bundles/inspec-supermarket/README.md

@@ -8,8 +8,27 @@ To use the CLI, this InSpec add-on adds the following commands:
 
  Compliance profiles from Supermarket can be executed in two ways:
 
- - via supermarket exec: `inspec supermarket exec nathenharvey/tmp-compliance-profile`
- - via supermarket scheme: `inspec exec supermarket://nathenharvey/tmp-compliance-profile`
+ - via supermarket exec:
+
+ **Public Supermarket**
+
+ `inspec supermarket exec nathenharvey/tmp-compliance-profile`
+
+ **Private Supermarket**
+
+ `inspec supermarket exec nathenharvey/tmp-compliance-profile --supermarket_url="PRIVATE_SUPERMARKET_URL"`
+
+
+ - via supermarket scheme:
+
+ **Public Supermarket**
+
+ `inspec exec supermarket://nathenharvey/tmp-compliance-profile`
+
+ **Private Supermarket**
+
+ `inspec exec supermarket://nathenharvey/tmp-compliance-profile --supermarket_url="PRIVATE_SUPERMARKET_URL"`
+
 
 ## Usage
 

data/lib/bundles/inspec-supermarket/cli.rb

@@ -15,10 +15,18 @@ module Supermarket
     end
 
     desc "profiles", "list all available profiles in Chef Supermarket"
+    supermarket_options
     def profiles
-      # display profiles in format user/profile
-      supermarket_profiles = Supermarket::API.profiles
+      o = config
+      diagnose(o)
+      configure_logger(o)
 
+      # display profiles in format user/profile
+      supermarket_profiles =  if o["supermarket_url"]
+                                Supermarket::API.profiles(o["supermarket_url"])
+                              else
+                                Supermarket::API.profiles
+                              end
       headline("Available profiles:")
       supermarket_profiles.each do |p|
         li("#{p["tool_name"]} #{mark_text(p["tool_owner"] + "/" + p["slug"])}")
@@ -45,9 +53,18 @@ module Supermarket
     end
 
     desc "info PROFILE", "display Supermarket profile details"
+    supermarket_options
     def info(profile)
+      o = config
+      diagnose(o)
+      configure_logger(o)
+
       # check that the profile is available
-      supermarket_profiles = Supermarket::API.profiles
+      supermarket_profiles =  if o["supermarket_url"]
+                                Supermarket::API.profiles(o["supermarket_url"])
+                              else
+                                Supermarket::API.profiles
+                              end
       found = supermarket_profiles.select do |p|
         profile == "#{p["tool_owner"]}/#{p["slug"]}"
       end

data/lib/bundles/inspec-supermarket/target.rb

@@ -9,10 +9,11 @@ module Supermarket
     priority 500
 
     def self.resolve(target, opts = {})
+      supermarket_url = opts["supermarket_url"] || Supermarket::API::SUPERMARKET_URL
       supermarket_uri, supermarket_server = if target.is_a?(String) && URI(target).scheme == "supermarket"
-                                              [target, Supermarket::API::SUPERMARKET_URL]
+                                              [target, supermarket_url]
                                             elsif target.respond_to?(:key?) && target.key?(:supermarket)
-                                              supermarket_server = target[:supermarket_url] || Supermarket::API::SUPERMARKET_URL
+                                              supermarket_server = target[:supermarket_url] || supermarket_url
                                               ["supermarket://#{target[:supermarket]}", supermarket_server]
                                             end
       return nil unless supermarket_uri

data/lib/inspec/base_cli.rb

@@ -126,6 +126,8 @@ module Inspec
         desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
       option :docker_url, type: :string,
         desc: "Provides path to Docker API endpoint (Docker)"
+      option :ssh_config_file, type: :array,
+        desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config"
     end
 
     def self.profile_options
@@ -135,9 +137,15 @@ module Inspec
         desc: "Use the given path for caching dependencies. (default: ~/.inspec/cache)"
     end
 
+    def self.supermarket_options
+      option :supermarket_url, type: :string,
+        desc: "Specify the URL of a private Chef Supermarket."
+    end
+
     def self.exec_options
       target_options
       profile_options
+      supermarket_options
       option :controls, type: :array,
         desc: "A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests."
       option :tags, type: :array,

data/lib/inspec/cli.rb

@@ -122,8 +122,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
       end
       puts
 
+      enable_offenses = !Inspec.locally_windows? # See 5723
       if result[:errors].empty? && result[:warnings].empty? && result[:offenses].empty?
-        ui.plain_line("No errors, warnings, or offenses")
+        if enable_offenses
+          ui.plain_line("No errors, warnings, or offenses")
+        else
+          ui.plain_line("No errors or warnings")
+        end
       else
         item_msg = lambda { |item|
           pos = [item[:file], item[:line], item[:column]].compact.join(":")
@@ -135,7 +140,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
 
         puts
 
-        unless result[:offenses].empty?
+        if enable_offenses && !result[:offenses].empty?
           puts "Offenses:\n"
           result[:offenses].each { |item| ui.cyan(" #{Inspec::UI::GLYPHS[:script_x]} #{item_msg.call(item)}\n\n") }
         end
@@ -143,7 +148,11 @@ class Inspec::InspecCLI < Inspec::BaseCLI
         offenses = ui.cyan("#{result[:offenses].length} offenses", print: false)
         errors = ui.red("#{result[:errors].length} errors", print: false)
         warnings = ui.yellow("#{result[:warnings].length} warnings", print: false)
-        ui.plain_line("Summary:     #{errors}, #{warnings}, #{offenses}")
+        if enable_offenses
+          ui.plain_line("Summary:     #{errors}, #{warnings}, #{offenses}")
+        else
+          ui.plain_line("Summary:     #{errors}, #{warnings}")
+        end
       end
     end
 

data/lib/inspec/config.rb

@@ -367,7 +367,11 @@ module Inspec
         .find_activators(plugin_type: :reporter)\
         .map(&:activator_name).map(&:to_s)
 
-      valid_types = rspec_built_in_formatters + inspec_reporters_that_are_not_yet_plugins + plugin_reporters
+      streaming_reporters = Inspec::Plugin::V2::Registry.instance\
+        .find_activators(plugin_type: :streaming_reporter)\
+        .map(&:activator_name).map(&:to_s)
+
+      valid_types = rspec_built_in_formatters + inspec_reporters_that_are_not_yet_plugins + plugin_reporters + streaming_reporters
 
       reporters.each do |reporter_name, reporter_config|
         raise NotImplementedError, "'#{reporter_name}' is not a valid reporter type." unless valid_types.include?(reporter_name)

data/lib/inspec/dependencies/requirement.rb

@@ -102,7 +102,8 @@ module Inspec
     end
 
     def fetcher
-      @fetcher ||= Inspec::CachedFetcher.new(opts, @cache)
+      @runner_options ||= (Inspec::Config.cached || {})
+      @fetcher ||= Inspec::CachedFetcher.new(opts, @cache, @runner_options)
     end
 
     # load dependencies of the dependency

data/lib/inspec/formatters/base.rb

@@ -70,6 +70,7 @@ module Inspec::Formatters
         name: platform(:name),
         release: platform(:release),
         target: backend_target,
+        target_id: platform(:uuid),
       }
     end
 
@@ -205,12 +206,13 @@ module Inspec::Formatters
     def platform(field)
       return nil if @backend.nil?
 
-      begin
-        @backend.platform[field]
-      rescue Train::Error => e
-        Inspec::Log.warn(e.message)
-        nil
-      end
+      @backend.platform[field]
+    rescue Train::PlatformUuidDetectionFailed
+      Inspec::Log.warn("Could not find platform target_id.")
+      nil
+    rescue Train::Error => e
+      Inspec::Log.warn(e.message)
+      nil
     end
 
     def backend_target

data/lib/inspec/globals.rb

@@ -18,4 +18,9 @@ module Inspec
     require "etc" unless defined?(Etc)
     Etc.getpwuid.dir
   end
+
+  def self.locally_windows?
+    require "rbconfig" unless defined?(RbConfig)
+    RbConfig::CONFIG["host_os"] =~ /mswin|mingw|cygwin/
+  end
 end

data/lib/inspec/library_eval_context.rb

@@ -30,6 +30,8 @@ module Inspec
 
       c3 = Class.new do
         include Inspec::DSL::RequireOverride
+        include Inspec::Resources
+
         def initialize(require_loader)
           @require_loader = require_loader
           @inspec_binding = nil

data/lib/inspec/plugin/v1/registry.rb

@@ -11,7 +11,7 @@ class PluginRegistry
   # @return [Plugin] plugin instance if it can be resolved, nil otherwise
   def resolve(target, opts = {})
     modules.each do |m|
-      res = if Inspec::Fetcher::Url == m
+      res = if ["Inspec::Fetcher::Url", "Supermarket::Fetcher"].include? m.to_s
               m.resolve(target, opts)
             else
               m.resolve(target)

data/lib/inspec/plugin/v2/plugin_types/streaming_reporter.rb

@@ -0,0 +1,10 @@
+module Inspec::Plugin::V2::PluginType
+  class StreamingReporter < Inspec::Plugin::V2::PluginBase # TBD Superclass may need to change
+    register_plugin_type(:streaming_reporter)
+
+    #====================================================================#
+    #                StreamingReporter plugin type API
+    #====================================================================#
+    # Implementation classes must implement these methods.
+  end
+end

data/lib/inspec/profile.rb

@@ -450,6 +450,8 @@ module Inspec
 
     def cookstyle_linting_check
       msgs = []
+      return msgs if Inspec.locally_windows? # See #5723
+
       output = cookstyle_rake_output.split("Offenses:").last
       msgs = output.split("\n").select { |x| x =~ /[A-Z]:/ } unless output.nil?
       msgs

data/lib/inspec/profile_context.rb

@@ -68,6 +68,7 @@ module Inspec
     end
 
     def reload_dsl
+      @resource_registry.merge!(Inspec::Resource.new_registry)
       @control_eval_context = nil
     end
 
@@ -263,9 +264,3 @@ module Inspec
     end # DomainSpecificLunacy
   end # ProfileContext
 end
-
-if RUBY_VERSION < "2.5"
-  class Module
-    public :define_method
-  end
-end

data/lib/inspec/reporters/automate.rb

@@ -21,7 +21,7 @@ module Inspec::Reporters
       final_report[:type] = "inspec_report"
 
       final_report[:end_time] = Time.now.utc.strftime("%FT%TZ")
-      final_report[:node_uuid] = @config["node_uuid"] || @config["target_id"]
+      final_report[:node_uuid] = report[:platform][:target_id] || @config["node_uuid"] || @config["target_id"]
       raise Inspec::ReporterError, "Cannot find a UUID for your node. Please specify one via json-config." if final_report[:node_uuid].nil?
 
       final_report[:report_uuid] = @config["report_uuid"] || uuid_from_string(final_report[:end_time] + final_report[:node_uuid])

data/lib/inspec/reporters/json.rb

@@ -29,7 +29,7 @@ module Inspec::Reporters
       {
         name:      run_data[:platform][:name],
         release:   run_data[:platform][:release],
-        target_id: @config["target_id"],
+        target_id: run_data[:platform][:target_id] || @config["target_id"],
       }.reject { |_k, v| v.nil? }
     end
 

data/lib/inspec/resources/auditd.rb

@@ -28,12 +28,13 @@ module Inspec::Resources
     EXAMPLE
 
     def initialize
-      unless inspec.command("/sbin/auditctl").exist?
+      @auditctl_cmd_str = inspec.os.name.eql?("alpine") ? "/usr/sbin/auditctl" : "/sbin/auditctl"
+      unless inspec.command(@auditctl_cmd_str).exist?
         raise Inspec::Exceptions::ResourceFailed,
-              "Command `/sbin/auditctl` does not exist"
+              "Command `#{@auditctl_cmd_str}` does not exist"
       end
 
-      auditctl_cmd = "/sbin/auditctl -l"
+      auditctl_cmd = "#{@auditctl_cmd_str} -l"
       result = inspec.command(auditctl_cmd)
 
       if result.exit_status != 0
@@ -68,7 +69,7 @@ module Inspec::Resources
     filter.install_filter_methods_on_resource(self, :params)
 
     def status(name = nil)
-      @status_content ||= inspec.command("/sbin/auditctl -s").stdout.chomp
+      @status_content ||= inspec.command("#{@auditctl_cmd_str} -s").stdout.chomp
 
       # See: https://github.com/inspec/inspec/issues/3113
       if @status_content =~ /^AUDIT_STATUS/

data/lib/inspec/resources/bash.rb

@@ -5,6 +5,8 @@ module Inspec::Resources
   class Bash < Cmd
     name "bash"
     supports platform: "unix"
+    supports platform: "esx"
+
     desc "Run a command or script in BASH."
     example <<~EXAMPLE
       describe bash('ls -al /') do

data/lib/inspec/resources/file.rb

@@ -61,6 +61,24 @@ module Inspec::Resources
       res.force_encoding("utf-8")
     end
 
+    # returns hash containing list of users/groups and their file permissions.
+    def user_permissions
+      return {} unless exist?
+
+      return skip_reource"`user_permissions` is not supported on your OS yet." unless inspec.os.windows?
+
+      @perms_provider.user_permissions(file)
+    end
+
+    # returns true if inheritance is enabled on file or folder
+    def inherited?
+      return false unless exist?
+
+      return skip_resource "`inherited?` is not supported on your OS yet." unless inspec.os.windows?
+
+      @perms_provider.inherited?(file)
+    end
+
     def contain(*_)
       raise "Contain is not supported. Please use standard RSpec matchers."
     end
@@ -244,6 +262,26 @@ module Inspec::Resources
   end
 
   class WindowsFilePermissions < FilePermissions
+
+    def user_permissions(file)
+      script = <<-EOH
+      $Acl = Get-Acl -Path #{file.path}
+      $Result = foreach ($Access in $acl.Access) {
+        [PSCustomObject]@{
+          $Access.IdentityReference.Value  = $Access.FileSystemRights.ToString()
+        }
+      }
+      $Result | ConvertTo-Json
+      EOH
+      result = inspec.powershell(script)
+      JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
+    end
+
+    def inherited?(file)
+      cmd = inspec.command("(Get-Acl -Path #{file.path}).access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
+      cmd.stdout.chomp == "0" ? false : true
+    end
+
     def check_file_permission_by_mask(_file, _access_type, _usergroup, _specific_user)
       raise "`check_file_permission_by_mask` is not supported on Windows"
     end

data/lib/inspec/resources/firewalld.rb

@@ -32,6 +32,17 @@ module Inspec::Resources
       .register_column(:interfaces, field: "interfaces")
       .register_column(:sources,    field: "sources")
       .register_column(:services,   field: "services")
+      .register_column(:target, field: "target")
+      .register_column(:ports, field: "ports")
+      .register_column(:protocols, field: "protocols")
+      .register_column(:forward_ports, field: "forward_ports")
+      .register_column(:source_ports, field: "source_ports")
+      .register_column(:icmp_blocks, field: "icmp_blocks")
+      .register_column(:rich_rules, field: "rich_rules")
+      .register_custom_matcher(:icmp_block_inversion?) { |x| x.params[0]["icmp_block_inversion"] }
+      .register_custom_matcher(:has_icmp_block_inversion_enabled?) { |x| x.params[0]["icmp_block_inversion"] }
+      .register_custom_matcher(:masquerade?) { |x| x.params[0]["masquerade"] }
+      .register_custom_matcher(:has_masquerade_enabled?) { |x| x.params[0]["masquerade"] }
 
     filter.install_filter_methods_on_resource(self, :params)
 
@@ -64,28 +75,28 @@ module Inspec::Resources
     end
 
     def has_service_enabled_in_zone?(query_service, query_zone = default_zone)
-      firewalld_command("--zone=#{query_zone} --query-service=#{query_service}") == "yes"
+      firewalld_command("--permanent --zone=#{query_zone} --query-service=#{query_service}") == "yes"
     end
 
     def service_ports_enabled_in_zone(query_service, query_zone = default_zone)
       # return: String of ports open
       # example: ['22/tcp', '4722/tcp']
-      firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-ports --permanent").split(" ")
+      firewalld_command("--permanent --zone=#{query_zone} --service=#{query_service} --get-ports").split(" ")
     end
 
     def service_protocols_enabled_in_zone(query_service, query_zone = default_zone)
-      # return: String of protocoals open
+      # return: String of protocols open
       # example: ['icmp', 'ipv4', 'igmp']
-      firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-protocols --permanent").split(" ")
+      firewalld_command("--permanent --zone=#{query_zone} --service=#{query_service} --get-protocols").split(" ")
     end
 
     def has_port_enabled_in_zone?(query_port, query_zone = default_zone)
-      firewalld_command("--zone=#{query_zone} --query-port=#{query_port}") == "yes"
+      firewalld_command("--permanent --zone=#{query_zone} --query-port=#{query_port}") == "yes"
     end
 
     def has_rule_enabled?(rule, query_zone = default_zone)
       rule = "rule #{rule}" unless rule.start_with?("rule")
-      firewalld_command("--zone=#{query_zone} --query-rich-rule='#{rule}'") == "yes"
+      firewalld_command("--permanent --zone=#{query_zone} --query-rich-rule='#{rule}'") == "yes"
     end
 
     def to_s
@@ -120,19 +131,82 @@ module Inspec::Resources
         "interfaces" => line.split(":")[1].split(" "),
         "services" => services_bound(zone),
         "sources" => sources_bound(zone),
+        "target" => target_bound(zone),
+        "icmp_block_inversion" => icmp_block_inversion_bound?(zone),
+        "ports" => ports_bound(zone),
+        "protocols" => protocols_bound(zone),
+        "masquerade" => masquerade_bound?(zone),
+        "forward_ports" => forward_ports_bound(zone),
+        "source_ports" => source_ports_bound(zone),
+        "icmp_blocks" => icmp_blocks_bound(zone),
+        "rich_rules" => rich_rules_bound(zone),
       }
     end
 
+    def target_bound(query_zone)
+      # result: a target bound for the zone
+      # example: 'DROP'
+      firewalld_command("--permanent --zone=#{query_zone} --get-target").strip
+    end
+
+    def icmp_block_inversion_bound?(query_zone)
+      # result: true/false whether inversion of icmp blocks has been enabled for a zone
+      # example: true
+      firewalld_command("--permanent --zone=#{query_zone} --query-icmp-block-inversion") == "yes"
+    end
+
+    def ports_bound(query_zone)
+      # result: a list of ports bound for a zone
+      # example: ['80/tcp', '443/tcp']
+      firewalld_command("--permanent --zone=#{query_zone} --list-ports").split(" ")
+    end
+
+    def protocols_bound(query_zone)
+      # result: a list of protocols added for a zone
+      # example: ['icmp', 'ipv4', 'igmp']
+      firewalld_command("--permanent --zone=#{query_zone} --list-protocols").split(" ")
+    end
+
+    def masquerade_bound?(query_zone)
+      # result: true/false whether IPv4 masquerading has been enabled for a zone
+      # example: true
+      firewalld_command("--permanent --zone=#{query_zone} --query-masquerade") == "yes"
+    end
+
+    def forward_ports_bound(query_zone)
+      # result: a list of IPv4 forward ports bound to a zone
+      # example: ['port=80:proto=tcp:toport=88', 'port=12345:proto=tcp:toport=54321:toaddr=192.168.1.3']
+      firewalld_command("--permanent --zone=#{query_zone} --list-forward-ports").split("\n")
+    end
+
+    def source_ports_bound(query_zone)
+      # result: a list of source ports bound to a zone
+      # example: ['80/tcp', '8080/tcp']
+      firewalld_command("--permanent --zone=#{query_zone} --list-source-ports").split(" ")
+    end
+
+    def icmp_blocks_bound(query_zone)
+      # result: a list of internet ICMP type blocks bound to a zone
+      # example: ['echo-request', 'echo-reply']
+      firewalld_command("--permanent --zone=#{query_zone} --list-icmp-blocks").split(" ")
+    end
+
+    def rich_rules_bound(query_zone)
+      # result: a list of rich language rules bound to a zone
+      # example: ['rule protocol value="ah" accept', 'rule service name="ftp" log limit value="1/m" audit accept']
+      firewalld_command("--permanent --zone=#{query_zone} --list-rich-rules").split("\n")
+    end
+
     def sources_bound(query_zone)
       # result: a list containing either an ip address or ip address with a mask, or a ipset or an ipset with the ipset prefix.
       # example: ['192.168.0.4', '192.168.0.0/16', '2111:DB28:ABC:12::', '2111:db89:ab3d:0112::0/64']
-      firewalld_command("--zone=#{query_zone} --list-sources").split(" ")
+      firewalld_command("--permanent --zone=#{query_zone} --list-sources").split(" ")
     end
 
     def services_bound(query_zone)
       # result: a list of services bound to a zone.
       # example: ['ssh', 'dhcpv6-client']
-      firewalld_command("--zone=#{query_zone} --list-services").split(" ")
+      firewalld_command("--permanent --zone=#{query_zone} --list-services").split(" ")
     end
 
     def firewalld_command(command)
@@ -145,4 +219,4 @@ module Inspec::Resources
       result.stdout.strip
     end
   end
-end
+end

data/lib/inspec/resources/grub_conf.rb

@@ -162,7 +162,7 @@ module Inspec::Resources
 
         current_kernel = file_line.split(" ", 2)[1]
         lines.drop(index + 1).each do |kernel_line|
-          if kernel_line =~ /^\s.*/
+          if kernel_line =~ /(?:^\s*\w+)/ && !(kernel_line =~ /^title.*/)
             option_type = kernel_line.split(" ")[0]
             line_options = kernel_line.split(" ").drop(1)
             if (menu_entry == conf["default"].to_i && @kernel == "default") || current_kernel == @kernel