inspec-core 2.2.35 → 2.2.41

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da1f9a4f568dc803f6bd8820468b7eda7fe38cdc2f8edd06d6d702036304a697
-  data.tar.gz: f74b2863a6a78d3dbe62b760b959f9b23a1b4e48c1a7142d1a70fdc3e4280423
+  metadata.gz: 8ec584b8e2eb7260e903be0bf770a8bf0444328b368868af003eb505afc28af6
+  data.tar.gz: 82df7a477d7ec95210eed851871707642d72229eb06ef4ca015731e31c80ab21
 SHA512:
-  metadata.gz: '039debeadd4d1203117055e34dec6ea68b227aa0597cbfe045cbaedc7e1870f463cf60770c9db03f720b606f2b10969f65e3a291c5ba751bccd5877df66cf7df'
-  data.tar.gz: 2639e167eeb1d8687e9d500acba9bbae0b5572ddcf2fe4a1918b47c73590f6c86a247766c28691b0e8c5e0d1f51ad81a11be50164fbfc4119eff01d227c9f6d6
+  metadata.gz: a2076391eb95996b0f2e30d2d735e03f07f3034a700db227f0804182479c0a5b80d1736029e82991dd5d049479faeb0ea1222e02786f5f18d5e491376b2036b1
+  data.tar.gz: becceec3ddc7eeb141faffa8da36dd6f3498def618244e77defa723cf7b8503a0ec79c13b13be5f668ba2637ba11904c1f968f3ddb842956e53ef5017acc91bb

data/CHANGELOG.md

@@ -1,20 +1,32 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 2.2.35 -->
-## [v2.2.35](https://github.com/inspec/inspec/tree/v2.2.35) (2018-07-09)
-
-#### New Features
-- A number of bug fixes and new features for oracledb_session resource [#3170](https://github.com/inspec/inspec/pull/3170) ([voroniys](https://github.com/voroniys))
+<!-- latest_release -->
 <!-- latest_release -->
 
-<!-- release_rollup since=2.2.34 -->
-### Changes since 2.2.34 release
+<!-- release_rollup -->
+<!-- release_rollup -->
+
+<!-- latest_stable_release -->
+## [v2.2.41](https://github.com/inspec/inspec/tree/v2.2.41) (2018-07-20)
 
 #### New Features
-- A number of bug fixes and new features for oracledb_session resource [#3170](https://github.com/inspec/inspec/pull/3170) ([voroniys](https://github.com/voroniys)) <!-- 2.2.35 -->
-<!-- release_rollup -->
+- command resource: Allow redacting `#to_s` [#3207](https://github.com/inspec/inspec/pull/3207) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- Add Alpine package provider [#3215](https://github.com/inspec/inspec/pull/3215) ([damacus](https://github.com/damacus))
 
+#### Enhancements
+- Refactor &#39;inspec init profile&#39; into a reusable component. [#3214](https://github.com/inspec/inspec/pull/3214) ([clintoncwolfe](https://github.com/clintoncwolfe))
+- Ensure resources fail that target something that isn&#39;t supported [#3231](https://github.com/inspec/inspec/pull/3231) ([miah](https://github.com/miah))
+
+#### Merged Pull Requests
+- docs: Fix formatting/style on InSpec DSL page [#3201](https://github.com/inspec/inspec/pull/3201) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- Update hab package to use psql client [#3234](https://github.com/inspec/inspec/pull/3234) ([jquick](https://github.com/jquick))
 <!-- latest_stable_release -->
+
+## [v2.2.35](https://github.com/inspec/inspec/tree/v2.2.35) (2018-07-12)
+
+#### New Features
+- A number of bug fixes and new features for oracledb_session resource [#3170](https://github.com/inspec/inspec/pull/3170) ([voroniys](https://github.com/voroniys))
+
 ## [v2.2.34](https://github.com/inspec/inspec/tree/v2.2.34) (2018-07-05)
 
 #### New Features
@@ -31,7 +43,6 @@
 #### Merged Pull Requests
 - Fix vendor functional test to not validate a repo hash that can change. [#3198](https://github.com/inspec/inspec/pull/3198) ([miah](https://github.com/miah))
 - Prevent Slashes in profile names [#3175](https://github.com/inspec/inspec/pull/3175) ([miah](https://github.com/miah))
-<!-- latest_stable_release -->
 
 ## [v2.2.27](https://github.com/inspec/inspec/tree/v2.2.27) (2018-06-29)
 

data/README.md

@@ -90,7 +90,7 @@ For Linux:
 
 ```
 docker pull chef/inspec
-function inspec { docker run -it --rm -v $(pwd):/share chef/inspec $@; }
+function inspec { docker run -it --rm -v $(pwd):/share chef/inspec "$@"; }
 ```
 
 For Windows (PowerShell):
@@ -352,11 +352,13 @@ The AWS resources were inspired by [inspec-aws](https://github.com/arothian/insp
 1. Push to the branch (git push origin my-new-feature)
 1. Create new Pull Request
 
-
 The InSpec community and maintainers are very active and helpful. This project benefits greatly from this activity.
 
-[![InSpec health](https://graphs.waffle.io/chef/inspec/throughput.svg)](https://waffle.io/chef/inspec/metrics/throughput)
+If you'd like to chat with the community and maintainers directly join us in the `#inspec` channel on the [Chef Community Slack](http://community-slack.chef.io/).
+
+As a reminder, all participants are expected to follow the [Code of Conduct](https://github.com/inspec/inspec/blob/master/CODE_OF_CONDUCT.md).
 
+[![Slack](https://community-slack.chef.io/badge.svg)](https://community-slack.chef.io/)
 
 ## Testing InSpec
 
@@ -450,5 +452,5 @@ Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
-limitations under the License. 
- 
+limitations under the License.
+

data/docs/dsl_inspec.md

@@ -16,7 +16,7 @@ The following resource tests |ssh| server configuration. For example, a simple c
 
 ```ruby
 describe sshd_config do
-  its('Port') { should eq('22') }
+  its('Port') { should cmp 22 }
 end
 ```
 
@@ -27,15 +27,15 @@ control 'sshd-8' do
   impact 0.6
   title 'Server: Configure the service port'
   desc '
-   Always specify which port the SSH server should listen to.
-   Prevent unexpected settings.
+    Always specify which port the SSH server should listen to.
+    Prevent unexpected settings.
   '
   tag 'ssh','sshd','openssh-server'
   tag cce: 'CCE-27072-8'
   ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
 
   describe sshd_config do
-   its('Port') { should eq('22') }
+    its('Port') { should cmp 22 }
   end
 end
 ```
@@ -45,15 +45,14 @@ where
 * `'sshd-8'` is the name of the control
 * `impact`, `title`, and `desc` define metadata that fully describes the importance of the control, its purpose, with a succinct and complete description
 * `impact` is an float that measures the importance of the compliance results and must be a value between `0.0` and `1.0`. The value ranges are:
-    * `0.0 to <0.4` these are controls with minor criticality
-    * `0.4 to <0.7` these are controls with major criticality
-    * `0.7 to 1.0` these are critical controls
+  * `0.0 to <0.4` these are controls with minor criticality
+  * `0.4 to <0.7` these are controls with major criticality
+  * `0.7 to 1.0` these are critical controls
 * `tag` is optional meta-information with with key or key-value pairs
 * `ref` is a reference to an external document
 * `describe` is a block that contains at least one test. A `control` block must contain at least one `describe` block, but may contain as many as required
 * `sshd_config` is an InSpec resource. For the full list of InSpec resources, see InSpec resource documentation
-* `its('Port')` is the matcher; `{ should eq('22') }` is the test. A `describe` block must contain at least one matcher, but may contain as many as required
-
+* `its('Port')` is the matcher; `{ should eq '22' }` is the test. A `describe` block must contain at least one matcher, but may contain as many as required
 
 ## Advanced concepts
 
@@ -62,22 +61,22 @@ With InSpec it is possible to check if at least one of a collection of checks is
 ```ruby
 describe.one do
   describe ConfigurationA do
-   its('setting_1') { should eq true }
+    its('setting_1') { should eq true }
   end
 
   describe ConfigurationB do
-   its('setting_2') { should eq true }
+    its('setting_2') { should eq true }
   end
 end
 ```
 
-#### Sensitive resources
+### Sensitive resources
 
 In some scenarios, you may be writing checks involving resources with sensitive content (e.g. a file resource). In the case of failures, it may be desired to suppress output. This can be done by adding the `:sensitive` flag to the resource definition
 
 ```ruby
 describe file('/tmp/mysecretfile'), :sensitive do
-  its('content') { should contain 'secret_info' }
+  its('content') { should match /secret_info/ }
 end
 ```
 
@@ -95,12 +94,12 @@ control 'windows-account-102' do
   title 'Windows Password Complexity is Enabled'
   desc 'Password must meet complexity requirement'
   describe security_policy do
-    its('PasswordComplexity') { should eq 1 }
+    its('PasswordComplexity') { should cmp 1 }
   end
 end
 ```
 
-## Are PostgreSQL passwords empty?
+## Test if PostgreSQL passwords are empty
 
 The following test shows how to audit machines running PostgreSQL to ensure that passwords are not empty.
 
@@ -109,12 +108,12 @@ control 'postgres-7' do
   impact 1.0
   title "Don't allow empty passwords"
   describe postgres_session('user', 'pass').query("SELECT * FROM pg_shadow WHERE passwd IS NULL;") do
-   its('output') { should eq('') }
+    its('output') { should cmp '' }
   end
 end
 ```
 
-## Are MySQL passwords in ENV?
+## Test if MySQL passwords are in ENV
 
 The following test shows how to audit machines running MySQL to ensure that passwords are not stored in `ENV`:
 
@@ -123,16 +122,16 @@ control 'mysql-3' do
   impact 1.0
   title 'Do not store your MySQL password in your ENV'
   desc '
-   Storing credentials in your ENV may easily expose
-   them to an attacker. Prevent this at all costs.
+    Storing credentials in your ENV may easily expose
+    them to an attacker. Prevent this at all costs.
   '
   describe command('env') do
-   its('stdout') { should_not match(/^MYSQL_PWD=/) }
+    its('stdout') { should_not match /^MYSQL_PWD=/ }
   end
 end
 ```
 
-## Is `/etc/ssh` a Directory?
+## Test if `/etc/ssh` is a Directory
 
 The following test shows how to audit machines to ensure that `/etc/ssh` is a directory:
 
@@ -141,16 +140,16 @@ control 'basic-1' do
   impact 1.0
   title '/etc/ssh should be a directory'
   desc '
-   In order for OpenSSH to function correctly, its
-   configuration path must be a folder.
+    In order for OpenSSH to function correctly, its
+    configuration path must be a folder.
   '
   describe file('/etc/ssh') do
-   it { should be_directory }
+    it { should be_directory }
   end
 end
 ```
 
-## Is Apache running?
+## Test if Apache running
 
 The following test shows how to audit machines to ensure that Apache is enabled and running:
 
@@ -159,13 +158,13 @@ control 'apache-1' do
   impact 0.3
   title 'Apache2 should be configured and running'
   describe service(apache.service) do
-   it { should be_enabled }
-   it { should be_running }
+    it { should be_enabled }
+    it { should be_running }
   end
 end
 ```
 
-## Are insecure packages installed ?
+## Test if insecure packages are installed
 
 The following test shows how to audit machines for insecure packages:
 
@@ -173,11 +172,9 @@ The following test shows how to audit machines for insecure packages:
 control 'cis-os-services-5.1.3' do
   impact 0.7
   title '5.1.3 Ensure rsh client is not installed'
-
   describe package('rsh') do
     it { should_not be_installed }
   end
-
   describe package('rsh-redone-client') do
     it { should_not be_installed }
   end
@@ -213,12 +210,10 @@ control 'nutcracker-connect-redis-001' do
   title 'Check if nutcracker can pass commands to redis'
   desc 'execute redis-cli set key command, to check connectivity of the service'
 
-  only_if do
-    command('redis-cli').exist?
-  end
+  only_if { command('redis-cli').exist? }
 
   describe command('redis-cli SET test_inspec "HELLO"') do
-    its(:stdout) { should match(/OK/) }
+    its('stdout') { should match /OK/ }
   end
 end
 ```
@@ -227,7 +222,6 @@ Mixing this with other conditionals (like checking existence of the files etc.)
 
 ## Additional metadata for controls
 
-
 The following example illustrates various ways to add tags and references to `control`
 
 ```ruby
@@ -235,9 +229,11 @@ control 'ssh-1' do
   impact 1.0
 
   title 'Allow only SSH Protocol 2'
-  desc 'Only SSH protocol version 2 connections should be permitted.
-        The default setting in /etc/ssh/sshd_config is correct, and can be
-        verified by ensuring that the following line appears: Protocol 2'
+  desc '
+    Only SSH protocol version 2 connections should be permitted.
+    The default setting in /etc/ssh/sshd_config is correct, and can be
+    verified by ensuring that the following line appears: Protocol 2
+  '
 
   tag 'production','development'
   tag 'ssh','sshd','openssh-server'
@@ -252,7 +248,7 @@ control 'ssh-1' do
   ref 'http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/ssg-centos6-guide-C2S.html'
 
   describe ssh_config do
-    its ('Protocol') { should eq '2'}
+    its('Protocol') { should cmp 2 }
   end
 end
 ```

data/docs/glossary.md

@@ -11,7 +11,7 @@ There are two ways to use it:
 
 ### Motivating Example
 
-Suppose we are interested in auditing cars. Let's suppose we have two InSpec resources for auditing: `cars`, which searchs for and filters groups of cars, and `car`, which performs detailed auditing of a single car.
+Suppose we are interested in auditing cars. Let's suppose we have two InSpec resources for auditing: `cars`, which searches for and filters groups of cars, and `car`, which performs detailed auditing of a single car.
 
 ### Basic Syntax
 
@@ -134,7 +134,7 @@ A [resource](#resource) that is _not_ included with InSpec. It may be a resource
 
 The _`describe`_ keyword is used with a _`describe block`_ to refer to an InSpec resource. You use the `describe` keyword along with the name of a [resource](#resource) to enclose related [tests](#test) that apply to the resource. Multiple describe blocks are usually grouped together in a [control](#control), but you can also use them outside of a control.
 
-```
+```Ruby
 control 'Rule 1.1 - Color restrictions' do
   # Count only blue cars
   describe cars.where(color: 'blue') do
@@ -155,7 +155,7 @@ When using a [matcher](#matcher), the _`expected result`_ is the value the match
 
 In this example, the [`cmp`](https://www.inspec.io/docs/reference/matchers/#cmp) matcher is being used to compare the `color` property to the expected result 'black'.
 
-```
+```Ruby
 describe car(owner: 'Bruce Wayne') do
   its('color') { should cmp 'black' }
 end
@@ -169,7 +169,7 @@ A filter statement may use method call syntax (which allows basic criteria opera
 
 In this example, `where(...)` is the filter statement.
 
-```
+```Ruby
 # Count only blue cars
 describe cars.where(color: 'blue') do
   its('count') { should eq 20 }
@@ -186,7 +186,7 @@ When method-call syntax is used with the filter statement, you provide filter cr
 
 Here, `(color: blue)` is a single filter criterion being used with a filter statement in method-call syntax.
 
-```
+```Ruby
 # Count only blue cars
 describe cars.where(color: 'blue') do
   its('count') { should eq 20 }
@@ -197,7 +197,7 @@ When block-method syntax is used with the filter statement, you provide a block.
 
 Here, `{ engine_cylinders >= 6 }` is a block-syntax filter statement referring to one filter criterion.
 
-```
+```Ruby
 # Vroom!
 describe cars.where { engine_cylinders >= 6 } do
   its('city_mpg_ratings') { should_not include '4-star' }
@@ -212,7 +212,7 @@ Within a [describe block](#describe), _`it`_ declares an individual [test](#test
 
 Here, `it { should ... }` declares a test, calling the `classy?` matcher on Tony Clifton's car.
 
-```
+```Ruby
 describe car(owner: 'Tony Clifton') do
   it { should be_classy }
 end
@@ -228,7 +228,7 @@ The property to access is passed as a single string argument to `its`. As an adv
 
 Here, `its('fuzzy_dice') { should ... }` declares a test, testing against the `fuzzy_dice` property of Tony Clifton's car. Let's assume - Tony being Tony - that `fuzzy_dice` will return an Array.
 
-```
+```Ruby
 describe car(owner: 'Tony Clifton') do
   its('fuzzy_dice') { should_not be_empty }
   its('fuzzy_dice.count') { should be >= 2 }
@@ -249,7 +249,7 @@ For information on how RSpec matchers are related o InSpec matchers, see [InSpec
 
 Here, `be_classy` is a resource-specific matcher operating directly on the `car`, while `cmp` is a universal matcher operating on the `manufacturer` property.
 
-```
+```Ruby
 describe car(owner: 'Tony Clifton') do
   it { should be_classy }
   its('manufacturer') { should cmp 'Cadillac' }
@@ -266,7 +266,7 @@ Plural resources support [filter statements](#filter_statement). See the [resour
 
 Here, `cars` is a plural resource.
 
-```
+```Ruby
 describe cars.where(color: 'blue') do
   its('count') { should eq 20 }
   its('license_plates') { should include 'AUTOAZUL' }
@@ -296,7 +296,7 @@ Each resource has different properties. See the [resource documentation](https:/
 
 Here, `manufacturer` is a property of the `car` resource.
 
-```
+```Ruby
 describe car(owner: 'Tony Clifton') do
   its('manufacturer') { should cmp 'Cadillac' }
 end
@@ -316,7 +316,7 @@ Resources are used within a [describe block](#describe_block) to perform [tests]
 
 Here, `car` is a resource.
 
-```
+```Ruby
 describe car(owner: 'Tony Clifton') do
   it { should be_classy }
 end
@@ -334,7 +334,7 @@ Resource parameters vary from resource to resource; refer to the [resource docum
 
 Here, `owner: 'Tony Clifton'` is a resource parameter.
 
-```
+```Ruby
 describe car(owner: 'Tony Clifton') do
   it { should be_classy }
 end
@@ -348,7 +348,7 @@ Resource-specific matchers often provide highly customized behavior. Check the [
 
 For example, the hypothetical `car` resource defines a `classy?` method, which is exposed as the `be_classy` matcher in InSpec tests.
 
-```
+```Ruby
 describe car(owner: 'Tony Clifton') do
   it { should be_classy }
 end
@@ -374,7 +374,7 @@ Universal matchers are documented on the [Universal Matchers](https://www.inspec
 
 Here, we access the 'color' property, then use the `cmp` universal matcher to compare the property to the 'black' [expected result](#expected_result).
 
-```
+```Ruby
 describe car(owner: 'Bruce Wayne') do
   its('color') { should cmp 'black' }
 end

data/docs/habitat.md

@@ -6,7 +6,7 @@ title: InSpec Integration with Habitat
 
 InSpec provides an easy method to create an executable Habitat package for an InSpec profile. When run via the Habitat Supervisor, the package will run InSpec with your profile and write out its findings to a JSON file. This provides the ability to ship your compliance controls alongside your Habitat-packaged application and continuously run InSpec, providing you *Continuous Compliance.*
 
-## What is Habitat?
+## What is Habitat
 
 Habitat by Chef is our new Application Automation tool that aims to make it easy, safe, and fast to build, deploy, and manage applications. From build dependencies, runtime dependencies, dynamic configuration, and service discovery (just to name a few), Habitat packages the automation with the application instead of relying on an underlying platform.
 
@@ -28,7 +28,7 @@ HAB_INSPEC_PROFILE_FRONTEND1="sleep_time = 60" hab start adamleff/inspec-profile
 
 The Habitat Supervisor will display output like this:
 
-```
+```text
 hab start adamleff/inspec-profile-frontend1
 ∵ Missing package for core/hab-sup/0.17.0
 » Installing core/hab-sup/0.17.0
@@ -62,7 +62,7 @@ The above sample output shows the supervisor starting, downloading the necessary
 
 InSpec will write a JSON file in the `${svc_var_path}/inspec_results` directory containing the results of the last InSpec run. For example, for the `adamleff/inspec-profile-frontend1` package, the InSpec results will be at:
 
-```
+```text
 /hab/svc/inspec-profile-frontend1/var/inspec_results/inspec-profile-frontend1.json
 ```
 
@@ -74,13 +74,13 @@ Create a Habitat package for an InSpec profile. InSpec will validate the profile
 
 The package file will be named:
 
-```
+```text
 HABITAT_ORIGIN-inspec-profile-PROFILE_NAME-PROFILE_VERSION-BUILD_ID-x86_64-linux.hart
 ```
 
 For example:
 
-```
+```text
 adamleff-inspec-profile-frontend1-0.1.0-20170328173005-x86_64-linux.hart
 ```
 
@@ -104,13 +104,13 @@ The package can then be manually uploaded to a Habitat Depot or manually distrib
 
 The package file will be named:
 
-```
+```text
 HABITAT_ORIGIN-inspec-profile-PROFILE_NAME-PROFILE_VERSION-BUILD_ID-x86_64-linux.hart
 ```
 
 For example:
 
-```
+```text
 adamleff-inspec-profile-frontend1-0.1.0-20170328173005-x86_64-linux.hart
 ```
 
@@ -128,7 +128,7 @@ inspec habitat profile create ~/profiles/frontend1
 
 #### Example Output
 
-```
+```text
 $ habitat profile create ~/profiles/frontend1
 [2017-03-28T13:29:32-04:00] INFO: Creating a Habitat artifact for profile: /Users/aleff/profiles/frontend1
 [2017-03-28T13:29:32-04:00] INFO: Checking to see if Habitat is installed...
@@ -168,7 +168,8 @@ inspec habitat profile upload ~/profiles/frontend1
 ```
 
 #### Example Output
-```
+
+```text
 [2017-03-28T13:29:32-04:00] INFO: Creating a Habitat artifact for profile: /Users/aleff/profiles/frontend1
 [2017-03-28T13:29:32-04:00] INFO: Checking to see if Habitat is installed...
 [2017-03-28T13:29:32-04:00] INFO: Copying profile contents to the work directory...