inspec-core 4.6.9 → 4.7.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +5 -2
- data/lib/inspec/config.rb +13 -13
- data/lib/inspec/plugin/v2/installer.rb +2 -2
- data/lib/inspec/plugin/v2/status.rb +1 -1
- data/lib/inspec/profile.rb +1 -1
- data/lib/inspec/resources.rb +1 -0
- data/lib/inspec/resources/apt.rb +1 -1
- data/lib/inspec/resources/ip6tables.rb +79 -0
- data/lib/inspec/resources/service.rb +6 -2
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d3f9a9b00cc2ce6cc3be695589b41cdeecdc988c00d6f0636024fc35b739ffac
|
|
4
|
+
data.tar.gz: 385c7be34679985f6e6541bba865277f42b64cc6d14ed6d69c9430b3472b6d60
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 47250251654358a3f822c058c7babce2d2d17dcd31c7ca78feef1832ce459c919f4a979550bf39af6ea419119314176ff6649b1df38bf2cdc08132707ea2305f
|
|
7
|
+
data.tar.gz: d2d2ee9b16a474021a92f546b266e518bc37da3c98034007a7810171a6741ff3bacbb901e9857d417f173fc34a3e45371c6a0be62de0da4286aa991f727c48e1
|
data/README.md
CHANGED
|
@@ -31,15 +31,18 @@ Chef InSpec makes it easy to run your tests wherever you need. More options are
|
|
|
31
31
|
# run test locally
|
|
32
32
|
inspec exec test.rb
|
|
33
33
|
|
|
34
|
-
# run test on remote host
|
|
34
|
+
# run test on remote host via SSH
|
|
35
35
|
inspec exec test.rb -t ssh://user@hostname -i /path/to/key
|
|
36
36
|
|
|
37
37
|
# run test on remote host using SSH agent private key authentication. Requires Chef InSpec 1.7.1
|
|
38
38
|
inspec exec test.rb -t ssh://user@hostname
|
|
39
39
|
|
|
40
|
-
# run test on remote windows host
|
|
40
|
+
# run test on remote windows host via WinRM
|
|
41
41
|
inspec exec test.rb -t winrm://Administrator@windowshost --password 'your-password'
|
|
42
42
|
|
|
43
|
+
# run test on remote windows host via WinRM as a domain user
|
|
44
|
+
inspec exec test.rb -t winrm://windowshost --user 'UserName@domain' --password 'your-password'
|
|
45
|
+
|
|
43
46
|
# run test on docker container
|
|
44
47
|
inspec exec test.rb -t docker://container_id
|
|
45
48
|
```
|
data/lib/inspec/config.rb
CHANGED
|
@@ -295,19 +295,19 @@ module Inspec
|
|
|
295
295
|
def validate_reporters!(reporters)
|
|
296
296
|
return if reporters.nil?
|
|
297
297
|
# TODO: move this into a reporter plugin type system
|
|
298
|
-
valid_types =
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
|
|
308
|
-
|
|
309
|
-
|
|
310
|
-
|
|
298
|
+
valid_types = %w{
|
|
299
|
+
automate
|
|
300
|
+
cli
|
|
301
|
+
documentation
|
|
302
|
+
html
|
|
303
|
+
json
|
|
304
|
+
json-automate
|
|
305
|
+
json-min
|
|
306
|
+
json-rspec
|
|
307
|
+
junit
|
|
308
|
+
progress
|
|
309
|
+
yaml
|
|
310
|
+
}
|
|
311
311
|
|
|
312
312
|
reporters.each do |reporter_name, reporter_config|
|
|
313
313
|
raise NotImplementedError, "'#{reporter_name}' is not a valid reporter type." unless valid_types.include?(reporter_name)
|
|
@@ -461,9 +461,9 @@ module Inspec::Plugin::V2
|
|
|
461
461
|
|
|
462
462
|
# Combine the Sets, so the resolver has one composite place to look
|
|
463
463
|
Gem::Resolver.compose_sets(
|
|
464
|
-
installed_plugins_gem_set,
|
|
464
|
+
installed_plugins_gem_set, # The gems that are in the plugin gem path directory tree
|
|
465
465
|
InstalledVendorSet.new,
|
|
466
|
-
*extra_request_sets
|
|
466
|
+
*extra_request_sets # Anything else our caller wanted to include
|
|
467
467
|
)
|
|
468
468
|
end
|
|
469
469
|
|
|
@@ -14,7 +14,7 @@ module Inspec::Plugin::V2
|
|
|
14
14
|
:loaded, # true, false False could mean not attempted or failed
|
|
15
15
|
:load_exception, # Exception class if it failed to load
|
|
16
16
|
:name, # String name
|
|
17
|
-
:version
|
|
17
|
+
:version # three-digit version. Core / bundled plugins use InSpec version here.
|
|
18
18
|
) do
|
|
19
19
|
def initialize(*)
|
|
20
20
|
super
|
data/lib/inspec/profile.rb
CHANGED
|
@@ -127,7 +127,7 @@ module Inspec
|
|
|
127
127
|
cli_input_files: options[:runner_conf][:input_file], # From CLI --input-file
|
|
128
128
|
profile_metadata: metadata,
|
|
129
129
|
# TODO: deprecation checks here
|
|
130
|
-
runner_api: options[:runner_conf][:attributes]
|
|
130
|
+
runner_api: options[:runner_conf][:attributes] # This is the route the audit_cookbook and kitchen-inspec take
|
|
131
131
|
)
|
|
132
132
|
|
|
133
133
|
@runner_context =
|
data/lib/inspec/resources.rb
CHANGED
|
@@ -56,6 +56,7 @@ require "inspec/resources/iis_app_pool"
|
|
|
56
56
|
require "inspec/resources/iis_site"
|
|
57
57
|
require "inspec/resources/inetd_conf"
|
|
58
58
|
require "inspec/resources/interface"
|
|
59
|
+
require "inspec/resources/ip6tables"
|
|
59
60
|
require "inspec/resources/iptables"
|
|
60
61
|
require "inspec/resources/kernel_module"
|
|
61
62
|
require "inspec/resources/kernel_parameter"
|
data/lib/inspec/resources/apt.rb
CHANGED
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
require "inspec/resources/command"
|
|
2
|
+
|
|
3
|
+
# Usage:
|
|
4
|
+
# describe ip6tables do
|
|
5
|
+
# it { should have_rule('-P INPUT ACCEPT') }
|
|
6
|
+
# end
|
|
7
|
+
#
|
|
8
|
+
# The following serverspec sytax is not implemented:
|
|
9
|
+
# describe ip6tables do
|
|
10
|
+
# it { should have_rule('-P INPUT ACCEPT').with_table('mangle').with_chain('INPUT') }
|
|
11
|
+
# end
|
|
12
|
+
# Please use the new sytax:
|
|
13
|
+
# describe ip6tables(table:'mangle', chain: 'input') do
|
|
14
|
+
# it { should have_rule('-P INPUT ACCEPT') }
|
|
15
|
+
# end
|
|
16
|
+
#
|
|
17
|
+
# Note: Docker containers normally do not have ip6tables installed
|
|
18
|
+
#
|
|
19
|
+
# @see http://ipset.netfilter.org/ip6tables.man.html
|
|
20
|
+
# @see http://ipset.netfilter.org/ip6tables.man.html
|
|
21
|
+
module Inspec::Resources
|
|
22
|
+
class Ip6Tables < Inspec.resource(1)
|
|
23
|
+
name "ip6tables"
|
|
24
|
+
supports platform: "linux"
|
|
25
|
+
desc "Use the ip6tables InSpec audit resource to test rules that are defined in ip6tables, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet."
|
|
26
|
+
example <<~EXAMPLE
|
|
27
|
+
describe ip6tables do
|
|
28
|
+
it { should have_rule('-P INPUT ACCEPT') }
|
|
29
|
+
end
|
|
30
|
+
EXAMPLE
|
|
31
|
+
|
|
32
|
+
def initialize(params = {})
|
|
33
|
+
@table = params[:table]
|
|
34
|
+
@chain = params[:chain]
|
|
35
|
+
|
|
36
|
+
# we're done if we are on linux
|
|
37
|
+
return if inspec.os.linux?
|
|
38
|
+
|
|
39
|
+
# ensures, all calls are aborted for non-supported os
|
|
40
|
+
@ip6tables_cache = []
|
|
41
|
+
skip_resource "The `ip6tables` resource is not supported on your OS yet."
|
|
42
|
+
end
|
|
43
|
+
|
|
44
|
+
def has_rule?(rule = nil, _table = nil, _chain = nil)
|
|
45
|
+
# checks if the rule is part of the ruleset
|
|
46
|
+
# for now, we expect an exact match
|
|
47
|
+
retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
def retrieve_rules
|
|
51
|
+
return @ip6tables_cache if defined?(@ip6tables_cache)
|
|
52
|
+
|
|
53
|
+
# construct ip6tables command to read all rules
|
|
54
|
+
bin = find_ip6tables_or_error
|
|
55
|
+
table_cmd = "-t #{@table}" if @table
|
|
56
|
+
ip6tables_cmd = format("%s %s -S %s", bin, table_cmd, @chain).strip
|
|
57
|
+
|
|
58
|
+
cmd = inspec.command(ip6tables_cmd)
|
|
59
|
+
return [] if cmd.exit_status.to_i != 0
|
|
60
|
+
|
|
61
|
+
# split rules, returns array or rules
|
|
62
|
+
@ip6tables_cache = cmd.stdout.split("\n").map(&:strip)
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
def to_s
|
|
66
|
+
format("Ip6tables %s %s", @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
private
|
|
70
|
+
|
|
71
|
+
def find_ip6tables_or_error
|
|
72
|
+
%w{/usr/sbin/ip6tables /sbin/ip6tables ip6tables}.each do |cmd|
|
|
73
|
+
return cmd if inspec.command(cmd).exist?
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
raise Inspec::Exceptions::ResourceFailed, "Could not find `ip6tables`"
|
|
77
|
+
end
|
|
78
|
+
end
|
|
79
|
+
end
|
|
@@ -127,10 +127,14 @@ module Inspec::Resources
|
|
|
127
127
|
Systemd.new(inspec, service_ctl)
|
|
128
128
|
end
|
|
129
129
|
elsif %w{debian}.include?(platform)
|
|
130
|
-
|
|
130
|
+
if os[:release] == "buster/sid"
|
|
131
|
+
version = 10
|
|
132
|
+
else
|
|
133
|
+
version = os[:release].to_i
|
|
134
|
+
end
|
|
131
135
|
if version > 7
|
|
132
136
|
Systemd.new(inspec, service_ctl)
|
|
133
|
-
|
|
137
|
+
elsif version > 0
|
|
134
138
|
SysV.new(inspec, service_ctl || "/usr/sbin/service")
|
|
135
139
|
end
|
|
136
140
|
elsif %w{redhat fedora centos oracle cloudlinux}.include?(platform)
|
data/lib/inspec/version.rb
CHANGED
data/lib/matchers/matchers.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: inspec-core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.
|
|
4
|
+
version: 4.7.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dominik Richter
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-07-
|
|
11
|
+
date: 2019-07-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: train-core
|
|
@@ -507,6 +507,7 @@ files:
|
|
|
507
507
|
- lib/inspec/resources/inetd_conf.rb
|
|
508
508
|
- lib/inspec/resources/ini.rb
|
|
509
509
|
- lib/inspec/resources/interface.rb
|
|
510
|
+
- lib/inspec/resources/ip6tables.rb
|
|
510
511
|
- lib/inspec/resources/iptables.rb
|
|
511
512
|
- lib/inspec/resources/json.rb
|
|
512
513
|
- lib/inspec/resources/kernel_module.rb
|