inspec 4.22.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b0617ca52a1e32ccc79646ed1afcbabe5ee38fa846bde842ce6217f12ef9b0be
+  data.tar.gz: 2a34c28543888a356b94d085b98210f784eac9316ee342a59d547185583a44d3
+SHA512:
+  metadata.gz: d247307b6ca0194a10259fa68b5eadc7f98488663b4acd413e4225848192f7524c24f1932a19237bc15101fd637e47b2123f95f98ae2ae657835a1bcd8f9ad8c
+  data.tar.gz: d08bf61ff1f9c9ac1729e56193793686814118cbe60c0d9029067da3578a23d9a85acb8e34cc69db54ab8fe934b593f387abb53b2ea818b3861ef5c05b2c0700

data/Gemfile

@@ -0,0 +1,63 @@
+source "https://rubygems.org"
+
+gem "inspec", path: "."
+
+# This dependency is NOT used for normal gem deployment
+# - instead, inspec-bin gemspec-depends on inspec
+#
+# However, AppBundler requires a top-level Gemfile.lock with inspec-bin
+# in it in order to package the executable. Hence the odd backwards dependency.
+gem "inspec-bin", path: "./inspec-bin"
+
+gem "ffi", ">= 1.9.14", "!= 1.13.0"
+
+group :omnibus do
+  gem "rb-readline"
+  gem "appbundler"
+  gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
+  gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
+end
+
+group :test do
+  gem "chefstyle", "~> 0.13.0"
+  gem "minitest", "~> 5.5"
+  gem "minitest-sprint", "~> 1.0"
+  gem "rake", ">= 10"
+  gem "simplecov", ["~> 0.10", "<=0.18.2"]
+  gem "concurrent-ruby", "~> 1.0"
+  gem "mocha", "~> 1.1"
+  gem "ruby-progressbar", "~> 1.8"
+  gem "webmock", "~> 3.0"
+  gem "m"
+  gem "pry", "~> 0.10"
+  gem "pry-byebug"
+  gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
+end
+
+group :integration do
+  gem "berkshelf"
+  gem "test-kitchen"
+  gem "kitchen-vagrant"
+  gem "chef", "< 15"
+  gem "chef-zero", "< 15"
+  gem "kitchen-inspec"
+  gem "kitchen-ec2"
+  gem "kitchen-dokken"
+  gem "git"
+end
+
+# gems for Maintainers.md generation
+group :maintenance do
+  gem "tomlrb"
+
+  # To sync maintainers with github
+  gem "octokit"
+  gem "netrc"
+end
+
+group :deploy do
+  gem "inquirer"
+end
+
+# add these additional dependencies into Gemfile.local
+eval_gemfile(__FILE__ + ".local") if File.exist?(__FILE__ + ".local")

data/inspec.gemspec

@@ -0,0 +1,36 @@
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "inspec/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "inspec"
+  spec.version       = Inspec::VERSION
+  spec.authors       = ["Chef InSpec Team"]
+  spec.email         = ["inspec@chef.io"]
+  spec.summary       = "Infrastructure and compliance testing."
+  spec.description   = "InSpec provides a framework for creating end-to-end infrastructure tests. You can use it for integration or even compliance testing. Create fully portable test profiles and use them in your workflow to ensure stability and security. Integrate InSpec in your change lifecycle for local testing, CI/CD, and deployment verification."
+  spec.homepage      = "https://github.com/inspec/inspec"
+  spec.license       = "Apache-2.0"
+  spec.require_paths = ["lib"]
+
+  spec.required_ruby_version = "~> 2.4"
+
+  # ONLY the aws/azure/gcp files. The rest will come in from inspec-core
+  # the gemspec is necessary for appbundler so don't remove it
+  spec.files =
+    Dir.glob("{{lib,etc}/**/*,Gemfile,inspec.gemspec}")
+      .grep(/aws|azure|gcp|gemspec|Gemfile|inspec.gemspec/)
+      .reject { |f| File.directory?(f) }
+
+  spec.add_dependency "inspec-core", "= #{Inspec::VERSION}"
+
+  spec.add_dependency "train", "~> 3.0"
+
+  # Used for Azure profile until integrated into train
+  spec.add_dependency "faraday_middleware", "~> 0.12.2"
+
+  # Train plugins we ship with InSpec
+  spec.add_dependency "train-habitat", "~> 0.1"
+  spec.add_dependency "train-aws",     "~> 0.1"
+  spec.add_dependency "train-winrm",   "~> 0.2"
+end

data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Gemfile

@@ -0,0 +1,11 @@
+source 'https://rubygems.org'
+
+gemspec
+
+group :development do
+  gem 'bundler'
+  gem 'byebug'
+  gem 'minitest'
+  gem 'rake'
+  gem 'rubocop', '= 0.49.1' # Need to keep in sync with main InSpec project, so config files will work
+end

data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec

@@ -0,0 +1,43 @@
+# As plugins are usually packaged and distributed as a RubyGem,
+# we have to provide a .gemspec file, which controls the gembuild
+# and publish process.  This is a fairly generic gemspec.
+
+# It is traditional in a gemspec to dynamically load the current version
+# from a file in the source tree.  The next three lines make that happen.
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require '<%= plugin_name %>/version'
+
+Gem::Specification.new do |spec|
+  # Importantly, all InSpec plugins must be prefixed with `inspec-` (most
+  # plugins) or `train-` (plugins which add new connectivity features).
+  spec.name          = '<%= plugin_name %>'
+
+  # It is polite to namespace your plugin under InspecPlugins::YourPluginInCamelCase
+  spec.version       = InspecPlugins::<%= module_name %>::VERSION
+  spec.authors       = ['<%= author_name %>']
+  spec.email         = ['<%= author_email %>']
+  spec.summary       = '<%= summary %>'
+  spec.description   = '<%= description %>'
+  spec.homepage      = '<%= homepage %>'
+  spec.license       = '<%= license_name %>'
+
+  # Though complicated-looking, this is pretty standard for a gemspec.
+  # It just filters what will actually be packaged in the gem (leaving
+  # out tests, etc)
+  spec.files = %w{
+    README.md <%= snake_case %>.gemspec Gemfile
+  } + Dir.glob(
+    'lib/**/*', File::FNM_DOTMATCH
+  ).reject { |f| File.directory?(f) }
+  spec.require_paths = ['lib']
+
+  # If you rely on any other gems, list them here with any constraints.
+  # This is how `inspec plugin install` is able to manage your dependencies.
+  # For example, perhaps you are writing a thing that talks to AWS, and you
+  # want to ensure you have `aws-sdk` in a certain version.
+
+  # All plugins should mention inspec, > 2.2.78
+  # 2.2.78 included the v2 Plugin API
+  spec.add_dependency 'inspec', '>=2.2.78', '<4.0.0'
+end

data/lib/plugins/inspec-init/templates/profiles/aws/README.md

@@ -0,0 +1,192 @@
+# Example InSpec Profile For AWS
+
+This example shows the implementation of an InSpec profile for AWS.
+
+##  Create a profile 
+
+```
+$ inspec init profile --platform aws my-profile
+
+ ─────────────────────────── InSpec Code Generator ───────────────────────────
+
+Creating new profile at /Users/spaterson/my-profile
+ • Creating directory libraries
+ • Creating file README.md
+ • Creating directory controls
+ • Creating file controls/example.rb
+ • Creating file inspec.yml
+ • Creating file attributes.yml
+ • Creating file libraries/.gitkeep
+ 
+```
+
+## Optionally update `attributes.yml` to point to your custom VPC
+
+```
+aws_vpc_id: 'custom-vpc-id'
+```
+
+The related control will simply be skipped if this is not provided.  See the [InSpec DSL documentation](https://www.inspec.io/docs/reference/dsl_inspec/) for more details on conditional execution using `only_if`.
+
+## Run the tests
+
+### With a VPC Identifier
+
+With a supplied VPC identifier in `attributes.yml` both of the example controls will run.  The 'aws-single-vpc-exists-check' control will only check for a VPC identifier in the currently configured AWS SDK region e.g. `eu-west-2` in the below:
+
+```
+$ cd my-profile/
+$ inspec exec . -t aws://  --attrs attributes.yml
+
+Profile: AWS InSpec Profile (my-profile)
+Version: 0.1.0
+Target:  aws://eu-west-2
+
+  ✔  aws-single-vpc-exists-check: Check to see if custom VPC exists.
+     ✔  VPC vpc-1ea06476 should exist
+  ✔  aws-vpcs-check: Check in all the VPCs for default sg not allowing 22 inwards
+     ✔  EC2 Security Group sg-067cd21e928c3a2f1 should allow in {:port=>22}
+     ✔  EC2 Security Group sg-9bb3b9f3 should allow in {:port=>22}
+  ✔  aws-vpcs-multi-region-status-check: Check AWS VPCs in all regions have status "available"
+     ✔  VPC vpc-6458b70d in eu-north-1 should exist
+     ✔  VPC vpc-6458b70d in eu-north-1 should be available
+     ✔  VPC vpc-8d1390e5 in ap-south-1 should exist
+     ✔  VPC vpc-8d1390e5 in ap-south-1 should be available
+     ✔  VPC vpc-07a71d6e in eu-west-3 should exist
+     ✔  VPC vpc-07a71d6e in eu-west-3 should be available
+     ✔  VPC vpc-021630e2e767412b5 in eu-west-2 should exist
+     ✔  VPC vpc-021630e2e767412b5 in eu-west-2 should be available
+     ✔  VPC vpc-1ea06476 in eu-west-2 should exist
+     ✔  VPC vpc-1ea06476 in eu-west-2 should be available
+     ✔  VPC vpc-169dee70 in eu-west-1 should exist
+     ✔  VPC vpc-169dee70 in eu-west-1 should be available
+     ✔  VPC vpc-01ac7ba0be447a1c4 in eu-west-1 should exist
+     ✔  VPC vpc-01ac7ba0be447a1c4 in eu-west-1 should be available
+     ✔  VPC vpc-09ff83d71da9d2b6e in eu-west-1 should exist
+     ✔  VPC vpc-09ff83d71da9d2b6e in eu-west-1 should be available
+     ✔  VPC vpc-0ebccac2337a90f13 in eu-west-1 should exist
+     ✔  VPC vpc-0ebccac2337a90f13 in eu-west-1 should be available
+     ✔  VPC vpc-c2a53da4 in eu-west-1 should exist
+     ✔  VPC vpc-c2a53da4 in eu-west-1 should be available
+     ✔  VPC vpc-4fb3f127 in ap-northeast-2 should exist
+     ✔  VPC vpc-4fb3f127 in ap-northeast-2 should be available
+     ✔  VPC vpc-0804856f in ap-northeast-1 should exist
+     ✔  VPC vpc-0804856f in ap-northeast-1 should be available
+     ✔  VPC vpc-ccb917ab in sa-east-1 should exist
+     ✔  VPC vpc-ccb917ab in sa-east-1 should be available
+     ✔  VPC vpc-0afcc60c70a30a615 in ca-central-1 should exist
+     ✔  VPC vpc-0afcc60c70a30a615 in ca-central-1 should be available
+     ✔  VPC vpc-20a25048 in ca-central-1 should exist
+     ✔  VPC vpc-20a25048 in ca-central-1 should be available
+     ✔  VPC vpc-5896143f in ap-southeast-1 should exist
+     ✔  VPC vpc-5896143f in ap-southeast-1 should be available
+     ✔  VPC vpc-47972220 in ap-southeast-2 should exist
+     ✔  VPC vpc-47972220 in ap-southeast-2 should be available
+     ✔  VPC vpc-071b6f0c69d1d0311 in eu-central-1 should exist
+     ✔  VPC vpc-071b6f0c69d1d0311 in eu-central-1 should be available
+     ✔  VPC vpc-807dfdeb in eu-central-1 should exist
+     ✔  VPC vpc-807dfdeb in eu-central-1 should be available
+     ✔  VPC vpc-0be54a71311bc362d in eu-central-1 should exist
+     ✔  VPC vpc-0be54a71311bc362d in eu-central-1 should be available
+     ✔  VPC vpc-f060cd8b in us-east-1 should exist
+     ✔  VPC vpc-f060cd8b in us-east-1 should be available
+     ✔  VPC vpc-0c3a7e116c58d714b in us-east-1 should exist
+     ✔  VPC vpc-0c3a7e116c58d714b in us-east-1 should be available
+     ✔  VPC vpc-047bff6c in us-east-2 should exist
+     ✔  VPC vpc-047bff6c in us-east-2 should be available
+     ✔  VPC vpc-93dd6ef4 in us-west-1 should exist
+     ✔  VPC vpc-93dd6ef4 in us-west-1 should be available
+     ✔  VPC vpc-2c0a6a55 in us-west-2 should exist
+     ✔  VPC vpc-2c0a6a55 in us-west-2 should be available
+
+
+Profile: Amazon Web Services  Resource Pack (inspec-aws)
+Version: 0.1.0
+Target:  aws://eu-west-2
+
+     No tests executed.
+
+Profile Summary: 3 successful controls, 0 control failures, 0 controls skipped
+Test Summary: 53 successful, 0 failures, 0 skipped
+```
+
+
+### Without Supplying a VPC Identifier 
+
+If no VPC identifier is supplied, the 'aws-single-vpc-exists-check' control is skipped and the other control runs.  The `attributes.yml` file does not have to be specified to InSpec in this case.
+
+```
+$ cd my-profile/
+$ inspec exec . -t aws://  
+
+Profile: AWS InSpec Profile (my-profile)
+Version: 0.1.0
+Target:  aws://eu-west-2
+
+  ↺  aws-single-vpc-exists-check: Check to see if custom VPC exists.
+     ↺  Skipped control due to only_if condition.
+  ✔  aws-vpcs-check: Check in all the VPCs for default sg not allowing 22 inwards
+     ✔  EC2 Security Group sg-067cd21e928c3a2f1 should allow in {:port=>22}
+     ✔  EC2 Security Group sg-9bb3b9f3 should allow in {:port=>22}
+  ✔  aws-vpcs-multi-region-status-check: Check AWS VPCs in all regions have status "available"
+     ✔  VPC vpc-6458b70d in eu-north-1 should exist
+     ✔  VPC vpc-6458b70d in eu-north-1 should be available
+     ✔  VPC vpc-8d1390e5 in ap-south-1 should exist
+     ✔  VPC vpc-8d1390e5 in ap-south-1 should be available
+     ✔  VPC vpc-07a71d6e in eu-west-3 should exist
+     ✔  VPC vpc-07a71d6e in eu-west-3 should be available
+     ✔  VPC vpc-021630e2e767412b5 in eu-west-2 should exist
+     ✔  VPC vpc-021630e2e767412b5 in eu-west-2 should be available
+     ✔  VPC vpc-1ea06476 in eu-west-2 should exist
+     ✔  VPC vpc-1ea06476 in eu-west-2 should be available
+     ✔  VPC vpc-169dee70 in eu-west-1 should exist
+     ✔  VPC vpc-169dee70 in eu-west-1 should be available
+     ✔  VPC vpc-01ac7ba0be447a1c4 in eu-west-1 should exist
+     ✔  VPC vpc-01ac7ba0be447a1c4 in eu-west-1 should be available
+     ✔  VPC vpc-09ff83d71da9d2b6e in eu-west-1 should exist
+     ✔  VPC vpc-09ff83d71da9d2b6e in eu-west-1 should be available
+     ✔  VPC vpc-0ebccac2337a90f13 in eu-west-1 should exist
+     ✔  VPC vpc-0ebccac2337a90f13 in eu-west-1 should be available
+     ✔  VPC vpc-c2a53da4 in eu-west-1 should exist
+     ✔  VPC vpc-c2a53da4 in eu-west-1 should be available
+     ✔  VPC vpc-4fb3f127 in ap-northeast-2 should exist
+     ✔  VPC vpc-4fb3f127 in ap-northeast-2 should be available
+     ✔  VPC vpc-0804856f in ap-northeast-1 should exist
+     ✔  VPC vpc-0804856f in ap-northeast-1 should be available
+     ✔  VPC vpc-ccb917ab in sa-east-1 should exist
+     ✔  VPC vpc-ccb917ab in sa-east-1 should be available
+     ✔  VPC vpc-0afcc60c70a30a615 in ca-central-1 should exist
+     ✔  VPC vpc-0afcc60c70a30a615 in ca-central-1 should be available
+     ✔  VPC vpc-20a25048 in ca-central-1 should exist
+     ✔  VPC vpc-20a25048 in ca-central-1 should be available
+     ✔  VPC vpc-5896143f in ap-southeast-1 should exist
+     ✔  VPC vpc-5896143f in ap-southeast-1 should be available
+     ✔  VPC vpc-47972220 in ap-southeast-2 should exist
+     ✔  VPC vpc-47972220 in ap-southeast-2 should be available
+     ✔  VPC vpc-071b6f0c69d1d0311 in eu-central-1 should exist
+     ✔  VPC vpc-071b6f0c69d1d0311 in eu-central-1 should be available
+     ✔  VPC vpc-807dfdeb in eu-central-1 should exist
+     ✔  VPC vpc-807dfdeb in eu-central-1 should be available
+     ✔  VPC vpc-0be54a71311bc362d in eu-central-1 should exist
+     ✔  VPC vpc-0be54a71311bc362d in eu-central-1 should be available
+     ✔  VPC vpc-f060cd8b in us-east-1 should exist
+     ✔  VPC vpc-f060cd8b in us-east-1 should be available
+     ✔  VPC vpc-0c3a7e116c58d714b in us-east-1 should exist
+     ✔  VPC vpc-0c3a7e116c58d714b in us-east-1 should be available
+     ✔  VPC vpc-047bff6c in us-east-2 should exist
+     ✔  VPC vpc-047bff6c in us-east-2 should be available
+     ✔  VPC vpc-93dd6ef4 in us-west-1 should exist
+     ✔  VPC vpc-93dd6ef4 in us-west-1 should be available
+     ✔  VPC vpc-2c0a6a55 in us-west-2 should exist
+     ✔  VPC vpc-2c0a6a55 in us-west-2 should be available
+
+
+Profile: Amazon Web Services  Resource Pack (inspec-aws)
+Version: 0.1.0
+Target:  aws://eu-west-2
+
+     No tests executed.
+
+Profile Summary: 2 successful controls, 0 control failures, 1 control skipped
+Test Summary: 52 successful, 0 failures, 1 skipped
+```

data/lib/plugins/inspec-init/templates/profiles/aws/attributes.yml

@@ -0,0 +1,2 @@
+# Below is to be uncommented and set with your AWS Custom VPC ID:
+# aws_vpc_id: 'vpc-xxxxxxx'

data/lib/plugins/inspec-init/templates/profiles/aws/controls/example.rb

@@ -0,0 +1,39 @@
+# copyright: 2018, The Authors
+
+title "Sample Section"
+
+aws_vpc_id = attribute("aws_vpc_id", default: "", description: "Optional AWS VPC identifier.")
+
+# You add controls here
+control "aws-single-vpc-exists-check" do # A unique ID for this control.
+  only_if { aws_vpc_id != "" } # Only run this control if the `aws_vpc_id` attribute is provided.
+  impact 1.0                                                                # The criticality, if this control fails.
+  title "Check to see if custom VPC exists."                                # A human-readable title.
+  describe aws_vpc(aws_vpc_id) do                                           # The test itself.
+    it { should exist }
+  end
+end
+
+# Plural resources can be inspected to check for specific resource details.
+control "aws-vpcs-check" do
+  impact 1.0
+  title "Check in all the VPCs for default sg not allowing 22 inwards"
+  aws_vpcs.vpc_ids.each do |vpc_id|
+    describe aws_security_group(vpc_id: vpc_id, group_name: "default") do
+      it { should allow_in(port: 22) }
+    end
+  end
+end
+
+control "aws-vpcs-multi-region-status-check" do                             # A unique ID for this control.
+  impact 1.0                                                                # The criticality, if this control fails.
+  title 'Check AWS VPCs in all regions have status "available"'             # A human-readable title.
+  aws_regions.region_names.each do |region|                                 # Loop over all available AWS regions
+    aws_vpcs(aws_region: region).vpc_ids.each do |vpc|                      # Find all VPCs in a single AWS region
+      describe aws_vpc(aws_region: region, vpc_id: vpc) do                  # The test itself.
+        it { should exist }                                                 # Confirms AWS VPC exists
+        it { should be_available }                                          # Confirms AWS VPC has status "available"
+      end
+    end
+  end
+end

data/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml

@@ -0,0 +1,22 @@
+name: <%= name %>
+title: AWS InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile For AWS
+version: 0.1.0
+inspec_version: '~> 4'
+attributes:
+- name: aws_vpc_id
+  required: false
+  # Below is deliberately left as a default empty string to allow the profile to run when this is not provided.
+  # Please see the README for more details.
+  default: ''
+  description: 'Optional Custom AWS VPC Id'
+  type: string
+depends:
+  - name: inspec-aws
+    url: https://github.com/inspec/inspec-aws/archive/master.tar.gz
+supports:
+  - platform: aws

data/lib/plugins/inspec-init/templates/profiles/azure/README.md

@@ -0,0 +1,56 @@
+# Example InSpec Profile For Azure
+
+This example shows the implementation of an InSpec profile for Azure. See [https://github.com/inspec/inspec-azure](https://github.com/inspec/inspec-azure) for details on how to configure credentials for your subscription.
+
+##  Create a profile 
+
+```
+$ inspec init profile --platform azure my-profile
+
+ ─────────────────────────── InSpec Code Generator ───────────────────────────
+
+Creating new profile at /Users/spaterson/my-profile
+ • Creating directory libraries
+ • Creating file README.md
+ • Creating directory controls
+ • Creating file controls/example.rb
+ • Creating file inspec.yml
+ • Creating file libraries/.gitkeep
+ 
+```
+
+## Run the tests
+
+```
+$ cd  my-profile/
+$ inspec exec . -t azure://
+
+
+Profile: Azure InSpec Profile (my-profile)
+Version: 0.1.0
+Target:  azure://12345abc-987d-654e-fg21-abcdef23324r
+
+  ×  azure-virtual-machines-exist-check: Check resource groups to see if any VMs exist. (4 failed)
+     ×  Azure Virtual Machines should exist
+     expected Azure Virtual Machines to exist
+     ×  Azure Virtual Machines should exist
+     expected Azure Virtual Machines to exist
+     ×  Azure Virtual Machines should exist
+     expected Azure Virtual Machines to exist
+     ×  Azure Virtual Machines should exist
+     expected Azure Virtual Machines to exist
+     ✔  Azure Virtual Machines should exist
+     ✔  Azure Virtual Machines should exist
+     ✔  Azure Virtual Machines should exist
+
+
+Profile: Azure Resource Pack (inspec-azure)
+Version: 1.2.0
+Target:  azure://12345abc-987d-654e-fg21-abcdef23324r
+
+     No tests executed.
+
+Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
+Test Summary: 3 successful, 4 failures, 0 skipped
+
+```