inspec-core 4.50.3 → 4.52.9

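--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 506be4d9918c8af46f6b3784e8a18550cee990ad73c7c731bb1afea7197c5370
- data.tar.gz: b48fa274325e96ac07185653b2eeb997ed5ea6fa39f570b0400706331a3b4d52
+ metadata.gz: a5fc9c31a9983866ff40fb11326a3c2bac04342e1d473b845e81639bbca88a8c
+ data.tar.gz: 6fd55b54b5c1510572fa963d2d4833a8f3132ae5cbfb1871a4662f8b3da720d9
  SHA512:
- metadata.gz: 4eb19bed92e35c49395e513e263f3afdb3f59abcf873b88f0c7dc07775a64c4e6aea3db57f069b19be73e9aa92de106db95ecb4b60fc3fc4c5b080f4fc97df6c
- data.tar.gz: e8eac56320e4c0e36078bdcef95dde1b6ec710d7bfdba1bbd4f8301ee0f5799c5a913f96edc5c31ba78c2dcc3647e671454b30ac430729943a0dca071191aa63
+ metadata.gz: d9f356b30301430dbeeeb599b696aacfc4ec1caaadafd61e6af40462db60fa400cd2bf4add6a682fe379c65ed4adb0f926a858e6b072066f06296821725f7f92
+ data.tar.gz: 25381065952aa3d460cedd9c56a5b389625b2ed11841f2085047e81444c3aa1d788338468c640f5c27403b4074a5649b825a3289e0b63cdc96d70e8450cc664c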
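--- a/data/Gemfile
+++ b/data/Gemfile
@@ -66,3 +66,7 @@ if Gem.ruby_version >= Gem::Version.new("2.7.0")
  gem "git"
  end
  end
+
+ if Gem.ruby_version < Gem::Version.new("2.7.0")
+ gem "activesupport", "6.1.4.4"
+ end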
@@ -8,8 +8,27 @@ To use the CLI, this InSpec add-on adds the following commands:
8
8
 
9
9
  Compliance profiles from Supermarket can be executed in two ways:
10
10
 
11
- - via supermarket exec: `inspec supermarket exec nathenharvey/tmp-compliance-profile`
12
- - via supermarket scheme: `inspec exec supermarket://nathenharvey/tmp-compliance-profile`
11
+ - via supermarket exec:
12
+
13
+ **Public Supermarket**
14
+
15
+ `inspec supermarket exec nathenharvey/tmp-compliance-profile`
16
+
17
+ **Private Supermarket**
18
+
19
+ `inspec supermarket exec nathenharvey/tmp-compliance-profile --supermarket_url="PRIVATE_SUPERMARKET_URL"`
20
+
21
+
22
+ - via supermarket scheme:
23
+
24
+ **Public Supermarket**
25
+
26
+ `inspec exec supermarket://nathenharvey/tmp-compliance-profile`
27
+
28
+ **Private Supermarket**
29
+
30
+ `inspec exec supermarket://nathenharvey/tmp-compliance-profile --supermarket_url="PRIVATE_SUPERMARKET_URL"`
31
+
13
32
 
14
33
  ## Usage
15
34
 
@@ -15,10 +15,18 @@ module Supermarket
15
15
  end
16
16
 
17
17
  desc "profiles", "list all available profiles in Chef Supermarket"
18
+ supermarket_options
18
19
  def profiles
19
- # display profiles in format user/profile
20
- supermarket_profiles = Supermarket::API.profiles
20
+ o = config
21
+ diagnose(o)
22
+ configure_logger(o)
21
23
 
24
+ # display profiles in format user/profile
25
+ supermarket_profiles = if o["supermarket_url"]
26
+ Supermarket::API.profiles(o["supermarket_url"])
27
+ else
28
+ Supermarket::API.profiles
29
+ end
22
30
  headline("Available profiles:")
23
31
  supermarket_profiles.each do |p|
24
32
  li("#{p["tool_name"]} #{mark_text(p["tool_owner"] + "/" + p["slug"])}")
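Review bot: The value of `--supermarket_url` is handed to `Supermarket::API.profiles` as-is in `profiles` (and again in the `info` hunk that follows), with no check in the visible lines that it parses as a URL or uses `https`. Profiles listed and later fetched from that server are code InSpec goes on to execute, so a mistyped or plain-`http` URL deserves at least a warning, e.g. `Inspec::Log.warn "supermarket_url is not an https URL" unless URI(o["supermarket_url"]).scheme == "https"`, unless `Supermarket::API` already enforces this, which cannot be seen here. The four-line `if o["supermarket_url"]` branch is also duplicated in both commands; a small private helper taking `o` would keep the two in step.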
@@ -45,9 +53,18 @@ module Supermarket
45
53
  end
46
54
 
47
55
  desc "info PROFILE", "display Supermarket profile details"
56
+ supermarket_options
48
57
  def info(profile)
58
+ o = config
59
+ diagnose(o)
60
+ configure_logger(o)
61
+
49
62
  # check that the profile is available
50
- supermarket_profiles = Supermarket::API.profiles
63
+ supermarket_profiles = if o["supermarket_url"]
64
+ Supermarket::API.profiles(o["supermarket_url"])
65
+ else
66
+ Supermarket::API.profiles
67
+ end
51
68
  found = supermarket_profiles.select do |p|
52
69
  profile == "#{p["tool_owner"]}/#{p["slug"]}"
53
70
  end
@@ -9,10 +9,11 @@ module Supermarket
9
9
  priority 500
10
10
 
11
11
  def self.resolve(target, opts = {})
12
+ supermarket_url = opts["supermarket_url"] || Supermarket::API::SUPERMARKET_URL
12
13
  supermarket_uri, supermarket_server = if target.is_a?(String) && URI(target).scheme == "supermarket"
13
- [target, Supermarket::API::SUPERMARKET_URL]
14
+ [target, supermarket_url]
14
15
  elsif target.respond_to?(:key?) && target.key?(:supermarket)
15
- supermarket_server = target[:supermarket_url] || Supermarket::API::SUPERMARKET_URL
16
+ supermarket_server = target[:supermarket_url] || supermarket_url
16
17
  ["supermarket://#{target[:supermarket]}", supermarket_server]
17
18
  end
18
19
  return nil unless supermarket_uri
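Review bot: `opts["supermarket_url"]` is read with a string key only, while the same hunk reads `target[:supermarket_url]` with a symbol key; if any caller passes symbol-keyed options, the private URL is silently ignored and the profile name is resolved against the public `Supermarket::API::SUPERMARKET_URL`. For a private profile that means a same-named public profile could be fetched instead, so the lookup is worth making tolerant: `supermarket_url = opts["supermarket_url"] || opts[:supermarket_url] || Supermarket::API::SUPERMARKET_URL`. Whether symbol-keyed opts actually reach this method cannot be told from the hunk, and `resolve` continues past its last line.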
@@ -126,6 +126,8 @@ module Inspec
126
126
  desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
127
127
  option :docker_url, type: :string,
128
128
  desc: "Provides path to Docker API endpoint (Docker)"
129
+ option :ssh_config_file, type: :array,
130
+ desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config"
129
131
  end
130
132
 
131
133
  def self.profile_options
@@ -135,9 +137,15 @@ module Inspec
135
137
  desc: "Use the given path for caching dependencies. (default: ~/.inspec/cache)"
136
138
  end
137
139
 
140
+ def self.supermarket_options
141
+ option :supermarket_url, type: :string,
142
+ desc: "Specify the URL of a private Chef Supermarket."
143
+ end
144
+
138
145
  def self.exec_options
139
146
  target_options
140
147
  profile_options
148
+ supermarket_options
141
149
  option :controls, type: :array,
142
150
  desc: "A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests."
143
151
  option :tags, type: :array,
@@ -11,7 +11,7 @@ class PluginRegistry
11
11
  # @return [Plugin] plugin instance if it can be resolved, nil otherwise
12
12
  def resolve(target, opts = {})
13
13
  modules.each do |m|
14
- res = if Inspec::Fetcher::Url == m
14
+ res = if ["Inspec::Fetcher::Url", "Supermarket::Fetcher"].include? m.to_s
15
15
  m.resolve(target, opts)
16
16
  else
17
17
  m.resolve(target)
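Review bot: Dispatching on the string form `m.to_s` means any fetcher whose name is not in this two-element list silently loses `opts`, and a renamed or subclassed fetcher drops into the `m.resolve(target)` branch without any error. The string comparison presumably avoids referencing a plugin constant that may not be loaded; if so, say that in a comment such as `# compared by name because Supermarket::Fetcher is only defined when the plugin is loaded`. Asking the method itself is sturdier: `res = if m.method(:resolve).arity.abs > 1`. The `modules.each` block continues outside the hunk.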
@@ -28,12 +28,13 @@ module Inspec::Resources
28
28
  EXAMPLE
29
29
 
30
30
  def initialize
31
- unless inspec.command("/sbin/auditctl").exist?
31
+ @auditctl_cmd_str = inspec.os.name.eql?("alpine") ? "/usr/sbin/auditctl" : "/sbin/auditctl"
32
+ unless inspec.command(@auditctl_cmd_str).exist?
32
33
  raise Inspec::Exceptions::ResourceFailed,
33
- "Command `/sbin/auditctl` does not exist"
34
+ "Command `#{@auditctl_cmd_str}` does not exist"
34
35
  end
35
36
 
36
- auditctl_cmd = "/sbin/auditctl -l"
37
+ auditctl_cmd = "#{@auditctl_cmd_str} -l"
37
38
  result = inspec.command(auditctl_cmd)
38
39
 
39
40
  if result.exit_status != 0
@@ -68,7 +69,7 @@ module Inspec::Resources
68
69
  filter.install_filter_methods_on_resource(self, :params)
69
70
 
70
71
  def status(name = nil)
71
- @status_content ||= inspec.command("/sbin/auditctl -s").stdout.chomp
72
+ @status_content ||= inspec.command("#{@auditctl_cmd_str} -s").stdout.chomp
72
73
 
73
74
  # See: https://github.com/inspec/inspec/issues/3113
74
75
  if @status_content =~ /^AUDIT_STATUS/
@@ -121,6 +121,10 @@ module Inspec::Resources
121
121
  def max_redirects
122
122
  opts.fetch(:max_redirects, nil)
123
123
  end
124
+
125
+ def proxy
126
+ opts.fetch(:proxy, nil)
127
+ end
124
128
  end
125
129
 
126
130
  class Local < Base
@@ -141,12 +145,18 @@ module Inspec::Resources
141
145
  def response
142
146
  return @response if @response
143
147
 
148
+ Faraday.ignore_env_proxy = true if proxy == "disable"
149
+
144
150
  conn = Faraday.new(url: url, headers: request_headers, params: params, ssl: { verify: ssl_verify? }) do |builder|
145
151
  builder.request :url_encoded
146
152
  builder.use FaradayMiddleware::FollowRedirects, limit: max_redirects unless max_redirects.nil?
147
153
  builder.adapter Faraday.default_adapter
148
154
  end
149
155
 
156
+ unless proxy == "disable" || proxy.nil?
157
+ conn.proxy = proxy
158
+ end
159
+
150
160
  # set basic authentication
151
161
  conn.basic_auth username, password unless username.nil? || password.nil?
152
162
 
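Review bot: `Faraday.ignore_env_proxy = true` changes a module-level Faraday setting and is never restored. One `http` resource declared with `proxy: "disable"` therefore appears to switch off environment proxies for every later Faraday connection in the same process, including resources that did not ask for it. Saving the old value with `previous = Faraday.ignore_env_proxy` before the assignment and putting `Faraday.ignore_env_proxy = previous` in an `ensure` keeps the effect local to this request. `response` continues past the end of the hunk, so where the request is actually issued is not visible here.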
@@ -252,6 +262,14 @@ module Inspec::Resources
252
262
  cmd << "-X #{http_method}"
253
263
  end
254
264
 
265
+ cmd << "--noproxy '*'" if proxy == "disable"
266
+ unless proxy == "disable" || proxy.nil?
267
+ if proxy.is_a?(Hash)
268
+ cmd << "--proxy #{proxy[:uri]} --proxy-user #{proxy[:user]}:#{proxy[:password]}"
269
+ else
270
+ cmd << "--proxy #{proxy}"
271
+ end
272
+ end
255
273
  cmd << "--connect-timeout #{open_timeout}"
256
274
  cmd << "--max-time #{open_timeout + read_timeout}"
257
275
  cmd << "--user \'#{username}:#{password}\'" unless username.nil? || password.nil?
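Review bot: The new `--proxy` arguments interpolate `proxy[:uri]`, `proxy[:user]` and `proxy[:password]` into the curl command line unquoted, so a space or shell metacharacter in any of them splits or alters the command that runs on the target. The proxy password also becomes visible in the target's process list. The existing `--user` line at least wraps its value in single quotes; the proxy values should be escaped too, e.g. `cmd << "--proxy #{Shellwords.escape(proxy[:uri])} --proxy-user #{Shellwords.escape("#{proxy[:user]}:#{proxy[:password]}")}"` and `cmd << "--proxy #{Shellwords.escape(proxy)}"` (this needs `require "shellwords"` if the file does not already load it). The enclosing method starts and ends outside the hunk.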
@@ -292,6 +310,17 @@ module Inspec::Resources
292
310
  else
293
311
  cmd << "'#{url}?#{params.map { |e| e.join("=") }.join("&")}'"
294
312
  end
313
+
314
+ proxy_script = ""
315
+ unless proxy == "disable" || proxy.nil?
316
+ cmd << "-Proxy #{proxy[:uri]}"
317
+ cmd << "-ProxyCredential $proxyCreds"
318
+ proxy_script = <<-EOH
319
+ $secPasswd = ConvertTo-SecureString "#{proxy[:password]}" -AsPlainText -Force
320
+ $proxyCreds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{proxy[:user]}",$secPasswd
321
+ EOH
322
+ end
323
+
295
324
  command = cmd.join(" ")
296
325
  body = "\'#{request_body}\'"
297
326
  script = <<-EOH
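Review bot: On the Windows path `proxy[:uri]` is indexed without the `proxy.is_a?(Hash)` check that the curl path has, so a proxy given as a plain string raises `TypeError` here instead of being used. The user and password are also placed inside double-quoted PowerShell strings, where `$`, backticks and `"` in the value are expanded or end the string; single-quoted literals with `'` doubled avoid that. The password still appears in plain text in the generated script, which deserves a comment for anyone who logs commands. The enclosing method begins before this hunk and its script heredoc continues after it.

```ruby
# Single-quoted PowerShell literals do not expand `$` or backticks; a literal ' is doubled.
ps_quote = ->(value) { "'" + value.to_s.gsub("'", "''") + "'" }

proxy_script = ""
unless proxy == "disable" || proxy.nil?
  if proxy.is_a?(Hash)
    cmd << "-Proxy #{ps_quote.call(proxy[:uri])}"
    cmd << "-ProxyCredential $proxyCreds"
    # NOTE: the proxy password is embedded in the script text in plain form.
    proxy_script = <<-EOH
      $secPasswd = ConvertTo-SecureString #{ps_quote.call(proxy[:password])} -AsPlainText -Force
      $proxyCreds = New-Object System.Management.Automation.PSCredential -ArgumentList #{ps_quote.call(proxy[:user])},$secPasswd
    EOH
  else
    cmd << "-Proxy #{ps_quote.call(proxy)}"
  end
end
# … unchanged: command = cmd.join(" ") and the script heredoc …
```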
@@ -302,10 +331,10 @@ module Inspec::Resources
302
331
  foreach ($property in $Body.PSObject.Properties) {
303
332
  $HashTable[$property.Name] = $property.Value
304
333
  }
305
- $response = #{command} -Body $HashTable
334
+ $response = #{command} -Body $HashTable -UseBasicParsing
306
335
  $response | Select-Object -Property * | ConvertTo-json # We use `Select-Object -Property * ` to get around an odd PowerShell error
307
336
  EOH
308
- script.strip
337
+ proxy_script.strip + "\n" + script.strip
309
338
  end
310
339
  end
311
340
  end
@@ -46,12 +46,12 @@ module Inspec::Resources
46
46
 
47
47
  # check if following specific error is there. Sourcing the db2profile to resolve the error.
48
48
  if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved. Reason code: "3"/
49
- cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;")
49
+ cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} \"#{q}\"\;")
50
50
  out = cmd.stdout + "\n" + cmd.stderr
51
51
  end
52
52
  elsif inspec.os.platform?("windows")
53
53
  # set-item command set the powershell to run the db2 commands.
54
- cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 connect to #{@db_name}\; db2 #{q}\;")
54
+ cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 connect to #{@db_name}\; db2 \"#{q}\"\;")
55
55
  out = cmd.stdout + "\n" + cmd.stderr
56
56
  end
57
57
 
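Review bot: Wrapping `#{q}` in double quotes keeps the query together as one argument but does not neutralise it. Inside double quotes the remote shell (and PowerShell on the Windows branch) still expands `$` and backticks and ends the string at an embedded `"`, so a query containing those characters is altered or breaks out of the argument. On the Unix branch `#{Shellwords.escape(q)}` in place of `\"#{q}\"` passes the text through unchanged (with `require "shellwords"` if not already loaded); on Windows a single-quoted literal with `'` doubled does the same. `@db_instance` and `@db_name` are interpolated unquoted on the same lines. The method starts and ends outside the hunk.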
@@ -118,7 +118,9 @@ module Inspec::Resources
118
118
  output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
119
119
  converter = ->(header) { header.downcase }
120
120
  CSV.parse(output, headers: true, header_converters: converter).map do |row|
121
- revised_row = row.entries.flatten.map { |entry| entry.gsub("comma_query_sub", ",") }
121
+ next if row.entries.flatten.empty?
122
+
123
+ revised_row = row.entries.flatten.map { |entry| entry&.gsub("comma_query_sub", ",") }
122
124
  Hashie::Mash.new([revised_row].to_h)
123
125
  end
124
126
  end
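Review bot: `next if row.entries.flatten.empty?` sits inside `map`, so each skipped row becomes a `nil` element in the returned array rather than being dropped, and callers iterating the result will meet `nil` where they expect a `Hashie::Mash`. Closing the block with `end.compact` removes them; `filter_map` would need Ruby 2.7, and the Gemfile in this diff still caters for older Rubies. With `entry&.gsub` a nil cell is now kept as `nil` in the row, which merits a one-line comment such as `# nil cells (empty CSV fields) are passed through unchanged`. The enclosing method starts before the hunk.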
@@ -26,6 +26,8 @@ module Inspec::Resources
26
26
  @pkgs = Debs.new(inspec)
27
27
  elsif os.redhat? || %w{suse amazon fedora}.include?(os[:family])
28
28
  @pkgs = Rpms.new(inspec)
29
+ elsif ["alpine"].include?(os[:name])
30
+ @pkgs = AlpinePkgs.new(inspec)
29
31
  else
30
32
  return skip_resource "The packages resource is not yet supported on OS #{inspec.os.name}"
31
33
  end
@@ -108,4 +110,23 @@ module Inspec::Resources
108
110
  end
109
111
  end
110
112
  end
113
+
114
+ # RedHat family
115
+ class AlpinePkgs < PkgsManagement
116
+ def build_package_list
117
+ command = "apk list --no-network --installed"
118
+ cmd = inspec.command(command)
119
+ all = cmd.stdout.split("\n")
120
+ return [] if all.nil? || cmd.exit_status.to_i != 0
121
+
122
+ all.map do |m|
123
+ next if m =~ /^WARNING/i
124
+
125
+ a = m.split(" ")
126
+ version = a[0].split("-")[-2]
127
+ name = a[2].gsub(/[{}^]*/, "")
128
+ PackageStruct.new("installed", name, version, a[1])
129
+ end
130
+ end
131
+ end
111
132
  end
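Review bot: `build_package_list` uses `next` inside `all.map`, so every `WARNING` line leaves a `nil` in the returned package list, and a line with fewer than three fields raises `NoMethodError` on `a[2].gsub`. The `all.nil?` guard can never fire because `split` always returns an array, and the class comment `# RedHat family` is a copy-paste leftover that should read `# Alpine Linux (apk)`. If the braces field in `apk list` output is the origin package rather than the package name (worth confirming against real output), subpackages would be reported under the origin's name. `split("-")[-2]` also drops the `-rN` release suffix from the version. For a compliance resource both of those would skew version checks.

```ruby
# Alpine Linux (apk)
# … unchanged: class AlpinePkgs and the `apk list --no-network --installed` invocation …
    return [] if cmd.exit_status.to_i != 0

    cmd.stdout.split("\n").map do |m|
      # … unchanged: skip WARNING lines …
      a = m.split(" ")
      next if a.length < 3 # malformed line: arch/name fields missing
      # … unchanged: version, name and PackageStruct.new …
    end.compact
```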
@@ -163,7 +163,12 @@ module Inspec::Resources
163
163
  when "mac_os_x", "darwin"
164
164
  LaunchCtl.new(inspec, service_ctl)
165
165
  when "freebsd"
166
- BSDInit.new(inspec, service_ctl)
166
+ version = os[:release].to_f
167
+ if version < 10
168
+ BSDInit.new(inspec, service_ctl)
169
+ else
170
+ FreeBSD10Init.new(inspec, service_ctl)
171
+ end
167
172
  when "arch"
168
173
  Systemd.new(inspec, service_ctl)
169
174
  when "coreos"
@@ -186,6 +191,8 @@ module Inspec::Resources
186
191
  Svcs.new(inspec)
187
192
  when "yocto"
188
193
  Systemd.new(inspec, service_ctl)
194
+ when "alpine"
195
+ SysV.new(inspec, service_ctl)
189
196
  end
190
197
  end
191
198
 
@@ -478,6 +485,7 @@ module Inspec::Resources
478
485
 
479
486
  # @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
480
487
  # @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
488
+ # @see: https://www.freebsd.org/cgi/man.cgi?query=rc&apropos=0&sektion=8&manpath=FreeBSD+9.3-RELEASE&arch=default&format=html
481
489
  class BSDInit < ServiceManager
482
490
  def initialize(service_name, service_ctl = nil)
483
491
  @service_ctl = service_ctl || "service"
@@ -485,17 +493,20 @@ module Inspec::Resources
485
493
  end
486
494
 
487
495
  def info(service_name)
488
- # check if service is enabled
489
- # services are enabled in /etc/rc.conf and /etc/defaults/rc.conf
490
- # via #{service_name}_enable="YES"
491
- # service SERVICE status returns the following result if not activated:
492
- # Cannot 'status' sshd. Set sshd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
493
- # gather all enabled services
496
+ # `service -e` lists all enabled services. Output format:
497
+ # % service -e
498
+ # /etc/rc.d/hostid
499
+ # /etc/rc.d/hostid_save
500
+ # /etc/rc.d/cleanvar
501
+ # /etc/rc.d/ip6addrctl
502
+ # /etc/rc.d/devd
503
+
494
504
  cmd = inspec.command("#{service_ctl} -e")
495
505
  return nil if cmd.exit_status != 0
496
506
 
497
507
  # search for the service
498
- srv = /(^.*#{service_name}$)/.match(cmd.stdout)
508
+
509
+ srv = %r{^.*/(#{service_name}$)}.match(cmd.stdout)
499
510
  return nil if srv.nil? || srv[0].nil?
500
511
 
501
512
  enabled = true
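Review bot: `service_name` is interpolated into the regular expression unescaped, so a name containing `.` or another metacharacter matches more than the literal service, and the enabled check can succeed for a different rc script. `srv = %r{^.*/(#{Regexp.escape(service_name)}$)}.match(cmd.stdout)` keeps the match literal. `info` continues past the end of the hunk.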
@@ -516,6 +527,37 @@ module Inspec::Resources
516
527
  end
517
528
  end
518
529
 
530
+ # @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
531
+ # @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
532
+ # @see: https://www.freebsd.org/cgi/man.cgi?query=rc&apropos=0&sektion=8&manpath=FreeBSD+10.0-RELEASE&arch=default&format=html
533
+ class FreeBSD10Init < ServiceManager
534
+ def initialize(service_name, service_ctl = nil)
535
+ @service_ctl = service_ctl || "service"
536
+ super
537
+ end
538
+
539
+ def info(service_name)
540
+ # check if service is enabled
541
+ cmd = inspec.command("#{service_ctl} #{service_name} enabled")
542
+
543
+ enabled = cmd.exit_status == 0
544
+
545
+ # check if the service is running
546
+ # if the service is not available or not running, we always get an error code
547
+ cmd = inspec.command("#{service_ctl} #{service_name} onestatus")
548
+ running = cmd.exit_status == 0
549
+
550
+ {
551
+ name: service_name,
552
+ description: nil,
553
+ installed: true,
554
+ running: running,
555
+ enabled: enabled,
556
+ type: "bsd-init",
557
+ }
558
+ end
559
+ end
560
+
519
561
  class Runit < ServiceManager
520
562
  def initialize(service_name, service_ctl = nil)
521
563
  @service_ctl = service_ctl || "sv"
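Review bot: `FreeBSD10Init#info` returns `installed: true` unconditionally, even when both `service ... enabled` and `service ... onestatus` exit non-zero, so a control asserting that a service is installed would presumably pass for a name that does not exist on the host. If installation cannot be determined cheaply, say so next to the value, e.g. `installed: true, # NOTE: not verified; both commands above also fail for unknown services`; otherwise derive it from a check that the rc script exists. `service_name` is also interpolated into both command strings unquoted; `Shellwords.escape(service_name)` would keep an unusual name from being split by the remote shell.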
@@ -782,7 +824,14 @@ module Inspec::Resources
782
824
  EXAMPLE
783
825
 
784
826
  def select_service_mgmt
785
- BSDInit.new(inspec, service_ctl)
827
+ os = inspec.os
828
+ version = os[:release].to_f
829
+
830
+ if version >= 10
831
+ FreeBSD10Init.new(inspec, service_ctl)
832
+ else
833
+ BSDInit.new(inspec, service_ctl)
834
+ end
786
835
  end
787
836
  end
788
837
 
@@ -38,6 +38,7 @@ module Inspec::Resources
38
38
  "tls1.0",
39
39
  "tls1.1",
40
40
  "tls1.2",
41
+ "tls1.3",
41
42
  ].freeze
42
43
 
43
44
  attr_reader :host, :port, :timeout, :retries
@@ -72,6 +73,11 @@ module Inspec::Resources
72
73
  protocol: proto, ciphers: e.map(&:cipher),
73
74
  timeout: x.resource.timeout, retries: x.resource.retries, servername: x.resource.host)]
74
75
  end
76
+
77
+ if !res[0].empty? && res[0][1].key?("error") && res[0][1]["error"].include?("Connection error Errno::ECONNREFUSED")
78
+ raise "#{res[0][1]["error"]}"
79
+ end
80
+
75
81
  Hash[res]
76
82
  end
77
83
  .install_filter_methods_on_resource(self, :scan_config)
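Review bot: `res[0].empty?` is called before anything checks that `res` has an element, so when the filter yields no protocol/cipher pairs `res[0]` is `nil` and this line raises `NoMethodError` instead of the block returning an empty hash. A nil-safe first condition is `if !Array(res[0]).empty? && res[0][1].key?("error") && ...`. Only the first entry is inspected and the failure is raised as a bare `RuntimeError` string, so a short comment explaining why a refused connection on the first pair is treated as fatal would help the next reader. The enclosing block starts outside the hunk, so whether `res` can be empty in practice is not visible here.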
@@ -89,6 +95,7 @@ module Inspec::Resources
89
95
  { "protocol" => "tls1.0", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
90
96
  { "protocol" => "tls1.1", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
91
97
  { "protocol" => "tls1.2", "ciphers" => SSLShake::TLS::TLS_CIPHERS.keys },
98
+ { "protocol" => "tls1.3", "ciphers" => SSLShake::TLS::TLS13_CIPHERS.keys },
92
99
  ].map do |line|
93
100
  line["ciphers"].map do |cipher|
94
101
  { "protocol" => line["protocol"], "cipher" => cipher }
@@ -1,3 +1,3 @@
1
1
  module Inspec
2
- VERSION = "4.50.3".freeze
2
+ VERSION = "4.52.9".freeze
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: inspec-core
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.50.3
4
+ version: 4.52.9
5
5
  platform: ruby
6
6
  authors:
7
7
  - Chef InSpec Team
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-11-19 00:00:00.000000000 Z
11
+ date: 2021-12-20 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: chef-telemetry