inspec 0.28.1 → 0.29.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +46 -2
- data/README.md +3 -3
- data/inspec.gemspec +1 -1
- data/lib/inspec/rspec_json_formatter.rb +107 -34
- data/lib/inspec/runner.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/apache.rb +1 -2
- data/lib/resources/auditd_rules.rb +1 -1
- data/lib/resources/command.rb +2 -2
- data/lib/resources/grub_conf.rb +29 -17
- data/lib/resources/kernel_module.rb +1 -1
- data/lib/resources/mysql.rb +1 -1
- data/lib/resources/oneget.rb +1 -1
- data/lib/resources/os_env.rb +1 -1
- data/lib/resources/package.rb +1 -1
- data/lib/resources/parse_config.rb +22 -13
- data/lib/resources/pip.rb +1 -3
- data/lib/resources/port.rb +27 -21
- data/lib/resources/postgres.rb +9 -15
- data/lib/resources/service.rb +27 -26
- data/lib/resources/windows_feature.rb +1 -1
- data/test/cookbooks/os_prepare/recipes/apt.rb +2 -2
- data/test/cookbooks/os_prepare/recipes/default.rb +2 -0
- data/test/cookbooks/os_prepare/recipes/package.rb +1 -2
- data/test/cookbooks/os_prepare/recipes/postgres.rb +2 -0
- data/test/cookbooks/os_prepare/recipes/prep_container.rb +15 -0
- data/test/cookbooks/os_prepare/recipes/service.rb +3 -3
- data/test/docker_test.rb +8 -0
- data/test/functional/inspec_exec_test.rb +4 -3
- data/test/helper.rb +20 -19
- data/test/integration/default/_debug_spec.rb +8 -1
- data/test/integration/default/apache_conf_spec.rb +8 -3
- data/test/integration/default/apt_spec.rb +1 -6
- data/test/integration/default/etc_group_spec.rb +4 -2
- data/test/integration/default/file_spec.rb +4 -3
- data/test/integration/default/iptables_spec.rb +4 -3
- data/test/integration/default/kernel_module_spec.rb +8 -3
- data/test/integration/default/kernel_parameter_spec.rb +4 -3
- data/test/integration/default/mount_spec.rb +8 -3
- data/test/integration/default/package_spec.rb +0 -3
- data/test/integration/default/port_spec.rb +4 -3
- data/test/integration/default/postgres_session_spec.rb +4 -3
- data/test/integration/default/service_spec.rb +4 -3
- data/test/unit/mock/files/sysctl.conf +7 -0
- data/test/unit/profile_context_test.rb +6 -6
- data/test/unit/resources/os_test.rb +5 -5
- data/test/unit/resources/parse_config_test.rb +26 -0
- data/test/unit/resources/port_test.rb +9 -0
- metadata +10 -4
@@ -24,7 +24,7 @@ module Inspec::Resources
|
|
24
24
|
# default lsmod command
|
25
25
|
lsmod_cmd = 'lsmod'
|
26
26
|
# special care for CentOS 5 and sudo
|
27
|
-
lsmod_cmd = '/sbin/lsmod' if inspec.os[:
|
27
|
+
lsmod_cmd = '/sbin/lsmod' if inspec.os[:name] == 'centos' && inspec.os[:release].to_i == 5
|
28
28
|
|
29
29
|
# get list of all modules
|
30
30
|
cmd = inspec.command(lsmod_cmd)
|
data/lib/resources/mysql.rb
CHANGED
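--- a/data/lib/resources/oneget.rb
+++ b/data/lib/resources/oneget.rb
@@ -23,7 +23,7 @@ module Inspec::Resources
 @package_name = package_name
 
 # verify that this resource is only supported on Windows
-return skip_resource 'The `oneget` resource is not supported on your OS.' if inspec.os
+return skip_resource 'The `oneget` resource is not supported on your OS.' if !inspec.os.windows?
 end
 
 def info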
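--- a/data/lib/resources/os_env.rb
+++ b/data/lib/resources/os_env.rb
@@ -59,7 +59,7 @@ module Inspec::Resources
 out = inspec.command(command)
 
 unless out.exit_status == 0
-skip_resource "Can't read environment variables on #{os[:
+skip_resource "Can't read environment variables on #{os[:name]}. "\
 "Tried `#{command}` which returned #{out.exit_status}"
 end
 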
data/lib/resources/package.rb
CHANGED
@@ -29,7 +29,7 @@ module Inspec::Resources
|
|
29
29
|
os = inspec.os
|
30
30
|
if os.debian?
|
31
31
|
@pkgman = Deb.new(inspec)
|
32
|
-
elsif
|
32
|
+
elsif %w{redhat suse amazon fedora}.include?(os[:family])
|
33
33
|
@pkgman = Rpm.new(inspec)
|
34
34
|
elsif ['arch'].include?(os[:family])
|
35
35
|
@pkgman = Pacman.new(inspec)
|
@@ -25,21 +25,32 @@ module Inspec::Resources
|
|
25
25
|
end
|
26
26
|
"
|
27
27
|
|
28
|
+
attr_reader :content
|
28
29
|
def initialize(content = nil, useropts = nil)
|
29
30
|
@opts = {}
|
30
31
|
@opts = useropts.dup unless useropts.nil?
|
31
32
|
@files_contents = {}
|
32
|
-
@params = nil
|
33
33
|
|
34
34
|
@content = content
|
35
|
-
|
35
|
+
read_params unless @content.nil?
|
36
36
|
end
|
37
37
|
|
38
38
|
def method_missing(name)
|
39
|
-
|
40
|
-
@params[name.to_s]
|
39
|
+
read_params[name.to_s]
|
41
40
|
end
|
42
41
|
|
42
|
+
def params(*opts)
|
43
|
+
opts.inject(read_params) do |res, nxt|
|
44
|
+
res.respond_to?(:key) ? res[nxt] : nil
|
45
|
+
end
|
46
|
+
end
|
47
|
+
|
48
|
+
def to_s
|
49
|
+
"Parse Config #{@conf_path}"
|
50
|
+
end
|
51
|
+
|
52
|
+
private
|
53
|
+
|
43
54
|
def parse_file(conf_path)
|
44
55
|
@conf_path = conf_path
|
45
56
|
|
@@ -52,21 +63,19 @@ module Inspec::Resources
|
|
52
63
|
return skip_resource "Can't read file \"#{conf_path}\""
|
53
64
|
end
|
54
65
|
|
55
|
-
|
66
|
+
read_params
|
56
67
|
end
|
57
68
|
|
58
69
|
def read_file(path)
|
59
70
|
@files_contents[path] ||= inspec.file(path).content
|
60
71
|
end
|
61
72
|
|
62
|
-
def
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
def to_s
|
69
|
-
"Parse Config #{@conf_path}"
|
73
|
+
def read_params
|
74
|
+
@params ||= if content.nil?
|
75
|
+
{}
|
76
|
+
else
|
77
|
+
SimpleConfig.new(content, @opts).params
|
78
|
+
end
|
70
79
|
end
|
71
80
|
end
|
72
81
|
|
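Review bot: In the hunk at `@@ -25,21 +25,32 @@` (its file header is not shown on this page; the code is the parse-config resource), the new `params(*opts)` looks keys up exactly as given, while `method_missing` converts with `name.to_s`; if the parsed hash is string-keyed, as that conversion suggests, `params(:Port)` silently returns nil and a control that expects nil or inequality passes without ever reading the setting. Normalising the key would keep both accessors consistent: `res.respond_to?(:key) ? res[nxt.to_s] : nil`. The probe `respond_to?(:key)` is also unusual, since `Hash#key` is the reverse lookup, so `res.is_a?(Hash)` would state the intent more directly. `read_params` memoises into `@params`, which deserves a comment saying that the content must be set before the first call.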
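--- a/data/lib/resources/pip.rb
+++ b/data/lib/resources/pip.rb
@@ -57,9 +57,7 @@ module Inspec::Resources
 def pip_cmd
 # Pip is not on the default path for Windows, therefore we do some logic
 # to find the binary on Windows
-
-case family
-when 'windows'
+if inspec.os.windows?
 # we need to detect the pip command on Windows
 cmd = inspec.command('New-Object -Type PSObject | Add-Member -MemberType NoteProperty -Name Pip -Value (Invoke-Command -ScriptBlock {where.exe pip}) -PassThru | Add-Member -MemberType NoteProperty -Name Python -Value (Invoke-Command -ScriptBlock {where.exe python}) -PassThru | ConvertTo-Json')
 begin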
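--- a/data/lib/resources/port.rb
+++ b/data/lib/resources/port.rb
@@ -36,29 +36,15 @@ module Inspec::Resources
 def initialize(*args)
 args.unshift(nil) if args.length <= 1 # add the ip address to the front
 @ip = args[0]
-@port = args[1]
+@port = if args[1].nil?
+nil
+else
+args[1].to_i
+end
 
-@port_manager = nil
 @cache = nil
-
-if
-@port_manager = LinuxPorts.new(inspec)
-elsif %w{darwin aix}.include?(os[:family])
-# AIX: see http://www.ibm.com/developerworks/aix/library/au-lsof.html#resources
-# and https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=aixbp
-# Darwin: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/lsof.8.html
-@port_manager = LsofPorts.new(inspec)
-elsif os.windows?
-@port_manager = WindowsPorts.new(inspec)
-elsif ['freebsd'].include?(os[:family])
-@port_manager = FreeBsdPorts.new(inspec)
-elsif os.solaris?
-@port_manager = SolarisPorts.new(inspec)
-elsif os.hpux?
-@port_manager = HpuxPorts.new(inspec)
-else
-return skip_resource 'The `port` resource is not supported on your OS yet.'
-end
+@port_manager = port_manager_for_os
+return skip_resource 'The `port` resource is not supported on your OS yet.' if @port_manager.nil?
 end
 
 filter = FilterTable.create
@@ -78,6 +64,26 @@ module Inspec::Resources
 
 private
 
+def port_manager_for_os
+os = inspec.os
+if os.linux?
+LinuxPorts.new(inspec)
+elsif %w{darwin aix}.include?(os[:family])
+# AIX: see http://www.ibm.com/developerworks/aix/library/au-lsof.html#resources
+# and https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=aixbp
+# Darwin: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/lsof.8.html
+LsofPorts.new(inspec)
+elsif os.windows?
+WindowsPorts.new(inspec)
+elsif ['freebsd'].include?(os[:family])
+FreeBsdPorts.new(inspec)
+elsif os.solaris?
+SolarisPorts.new(inspec)
+elsif os.hpux?
+HpuxPorts.new(inspec)
+end
+end
+
 def info
 return @cache if !@cache.nil?
 # abort if os detection has not worked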
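Review bot: `args[1].to_i` in `initialize` silently turns non-numeric input into a number (`'http'.to_i` is 0, `'80abc'.to_i` is 80), so a mistyped port in a profile is audited as a different port and a `should_not be_listening` control can pass without checking what the author meant. A strict conversion such as `@port = args[1].nil? ? nil : Integer(args[1])` would raise on bad input instead; if raising inside a resource constructor is undesirable, calling `skip_resource` with a message is the alternative. `port_manager_for_os` would also benefit from a one-line comment stating that it returns nil for unsupported platforms, since `initialize` relies on that.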
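--- a/data/lib/resources/postgres.rb
+++ b/data/lib/resources/postgres.rb
@@ -10,33 +10,27 @@ module Inspec::Resources
 
 attr_reader :service, :data_dir, :conf_dir, :conf_path
 def initialize
-
-
+os = inspec.os
+if os.debian?
 @service = 'postgresql'
 @data_dir = '/var/lib/postgresql'
 @version = inspec.command('ls /etc/postgresql/').stdout.chomp
 @conf_dir = "/etc/postgresql/#{@version}/main"
-
-
-when 'arch'
-@service = 'postgresql'
-@data_dir = '/var/lib/postgres/data'
-@conf_dir = '/var/lib/postgres/data'
-@conf_path = File.join @conf_dir, 'postgresql.conf'
-
-when 'centos', 'redhat'
+elsif os.redhat?
 @service = 'postgresql'
 @version = inspec.command('ls /var/lib/pgsql/').stdout.chomp
 @data_dir = "/var/lib/pgsql/#{@version}/data"
-
-@
-
+elsif os[:name] == 'arch'
+@service = 'postgresql'
+@data_dir = '/var/lib/postgres/data'
+@conf_dir = '/var/lib/postgres/data'
 else
 @service = 'postgresql'
 @data_dir = '/var/lib/postgresql'
 @conf_dir = '/var/lib/pgsql/data'
-@conf_path = File.join @conf_dir, 'postgresql.conf'
 end
+
+@conf_path = File.join @conf_dir, 'postgresql.conf'
 end
 
 def to_s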
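Review bot: The `elsif os.redhat?` branch, as shown on the new side, assigns `@service`, `@version` and `@data_dir` but never `@conf_dir`, while the hoisted `@conf_path = File.join @conf_dir, 'postgresql.conf'` now runs for every branch; on Red Hat family hosts that call would receive nil and raise a TypeError, so the resource fails instead of auditing the configuration. If the configuration lives in the data directory on those platforms, adding `@conf_dir = @data_dir` to that branch would restore it. Separately, `@version` is the raw output of `ls` interpolated into a path, so a host with more than one version directory yields a multi-line value; a comment stating that a single entry is assumed, or picking one entry explicitly, would make that limit visible.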
data/lib/resources/service.rb
CHANGED
@@ -102,7 +102,7 @@ module Inspec::Resources
|
|
102
102
|
|
103
103
|
def select_service_mgmt # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
|
104
104
|
os = inspec.os
|
105
|
-
|
105
|
+
platform = os[:name]
|
106
106
|
|
107
107
|
# Ubuntu
|
108
108
|
# @see: https://wiki.ubuntu.com/SystemdForUpstartUsers
|
@@ -112,46 +112,46 @@ module Inspec::Resources
|
|
112
112
|
# Ubuntu < 15.04 : Upstart
|
113
113
|
# Upstart runs with PID 1 as /sbin/init.
|
114
114
|
# Systemd runs with PID 1 as /lib/systemd/systemd.
|
115
|
-
if %w{ubuntu}.include?(
|
116
|
-
version =
|
115
|
+
if %w{ubuntu}.include?(platform)
|
116
|
+
version = os[:release].to_f
|
117
117
|
if version < 15.04
|
118
118
|
Upstart.new(inspec, service_ctl)
|
119
119
|
else
|
120
120
|
Systemd.new(inspec, service_ctl)
|
121
121
|
end
|
122
|
-
elsif %w{debian}.include?(
|
123
|
-
version =
|
122
|
+
elsif %w{debian}.include?(platform)
|
123
|
+
version = os[:release].to_i
|
124
124
|
if version > 7
|
125
125
|
Systemd.new(inspec, service_ctl)
|
126
126
|
else
|
127
127
|
SysV.new(inspec, service_ctl || '/usr/sbin/service')
|
128
128
|
end
|
129
|
-
elsif %w{redhat fedora centos}.include?(
|
130
|
-
version =
|
131
|
-
if (%w{ redhat centos }.include?(
|
129
|
+
elsif %w{redhat fedora centos}.include?(platform)
|
130
|
+
version = os[:release].to_i
|
131
|
+
if (%w{ redhat centos }.include?(platform) && version >= 7) || (platform == 'fedora' && version >= 15)
|
132
132
|
Systemd.new(inspec, service_ctl)
|
133
133
|
else
|
134
134
|
SysV.new(inspec, service_ctl || '/sbin/service')
|
135
135
|
end
|
136
|
-
elsif %w{wrlinux}.include?(
|
136
|
+
elsif %w{wrlinux}.include?(platform)
|
137
137
|
SysV.new(inspec, service_ctl)
|
138
|
-
elsif %w{
|
138
|
+
elsif %w{mac_os_x}.include?(platform)
|
139
139
|
LaunchCtl.new(inspec, service_ctl)
|
140
140
|
elsif os.windows?
|
141
141
|
WindowsSrv.new(inspec)
|
142
|
-
elsif %w{freebsd}.include?(
|
142
|
+
elsif %w{freebsd}.include?(platform)
|
143
143
|
BSDInit.new(inspec, service_ctl)
|
144
|
-
elsif %w{arch}.include?(
|
144
|
+
elsif %w{arch}.include?(platform)
|
145
145
|
Systemd.new(inspec, service_ctl)
|
146
|
-
elsif %w{suse opensuse}.include?(
|
147
|
-
if
|
146
|
+
elsif %w{suse opensuse}.include?(platform)
|
147
|
+
if os[:release].to_i >= 12
|
148
148
|
Systemd.new(inspec, service_ctl)
|
149
149
|
else
|
150
150
|
SysV.new(inspec, service_ctl || '/sbin/service')
|
151
151
|
end
|
152
|
-
elsif %w{aix}.include?(
|
152
|
+
elsif %w{aix}.include?(platform)
|
153
153
|
SrcMstr.new(inspec)
|
154
|
-
elsif %w{amazon}.include?(
|
154
|
+
elsif %w{amazon}.include?(platform)
|
155
155
|
Upstart.new(inspec, service_ctl)
|
156
156
|
elsif os.solaris?
|
157
157
|
Svcs.new(inspec)
|
@@ -233,6 +233,14 @@ module Inspec::Resources
|
|
233
233
|
super
|
234
234
|
end
|
235
235
|
|
236
|
+
def is_enabled?(service_name)
|
237
|
+
inspec.command("#{service_ctl} is-enabled #{service_name} --quiet").exit_status == 0
|
238
|
+
end
|
239
|
+
|
240
|
+
def is_active?(service_name)
|
241
|
+
inspec.command("#{service_ctl} is-active #{service_name} --quiet").exit_status == 0
|
242
|
+
end
|
243
|
+
|
236
244
|
def info(service_name)
|
237
245
|
cmd = inspec.command("#{service_ctl} show --all #{service_name}")
|
238
246
|
return nil if cmd.exit_status.to_i != 0
|
@@ -246,20 +254,13 @@ module Inspec::Resources
|
|
246
254
|
|
247
255
|
# LoadState values eg. loaded, not-found
|
248
256
|
installed = params['LoadState'] == 'loaded'
|
249
|
-
# test via 'systemctl is-active service'
|
250
|
-
# SubState values running
|
251
|
-
running = (params['ActiveState'] == 'active') ||
|
252
|
-
(params['SubState'] == 'running')
|
253
|
-
# test via systemctl --quiet is-enabled
|
254
|
-
# ActiveState values eg.g inactive, active
|
255
|
-
enabled = %w{enabled static}.include? params['UnitFileState']
|
256
257
|
|
257
258
|
{
|
258
259
|
name: params['Id'],
|
259
260
|
description: params['Description'],
|
260
261
|
installed: installed,
|
261
|
-
running:
|
262
|
-
enabled:
|
262
|
+
running: is_active?(service_name),
|
263
|
+
enabled: is_enabled?(service_name),
|
263
264
|
type: 'systemd',
|
264
265
|
params: params,
|
265
266
|
}
|
@@ -358,7 +359,7 @@ module Inspec::Resources
|
|
358
359
|
enabled = !config[/^\s*start on/].nil?
|
359
360
|
|
360
361
|
# implement fallback for Ubuntu 10.04
|
361
|
-
if inspec.os[:
|
362
|
+
if inspec.os[:name] == 'ubuntu' &&
|
362
363
|
inspec.os[:release].to_f >= 10.04 &&
|
363
364
|
inspec.os[:release].to_f < 12.04 &&
|
364
365
|
status.exit_status == 0
|
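Review bot: `is_enabled?` and `is_active?` build the command by interpolating `service_name` unquoted, so a name containing whitespace or shell metacharacters changes what runs on the audited host (assuming `inspec.command` goes through a shell, which this page does not show). Escaping the argument closes that: `inspec.command("#{service_ctl} is-enabled #{Shellwords.escape(service_name)} --quiet")` with `require 'shellwords'`, and the same for `is-active`; the existing `show --all #{service_name}` call in `info` has the same pattern. Both helpers also map every non-zero exit to false, so a failing `systemctl` call is reported as not enabled or not running and a `should_not be_enabled` control passes; a comment on that trade-off, or a check that distinguishes the failure case, would help. `info` continues past the hunk.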
@@ -42,7 +42,7 @@ module Inspec::Resources
|
|
42
42
|
@cache = nil
|
43
43
|
|
44
44
|
# verify that this resource is only supported on Windows
|
45
|
-
return skip_resource 'The `windows_feature` resource is not supported on your OS.' if inspec.os
|
45
|
+
return skip_resource 'The `windows_feature` resource is not supported on your OS.' if !inspec.os.windows?
|
46
46
|
end
|
47
47
|
|
48
48
|
# returns true if the package is installed
|
@@ -5,13 +5,13 @@
|
|
5
5
|
# add nginx apt repository
|
6
6
|
case node['platform']
|
7
7
|
when 'ubuntu'
|
8
|
-
|
8
|
+
# use ppa
|
9
9
|
apt_repository 'nginx' do
|
10
10
|
uri 'ppa:nginx/stable'
|
11
11
|
distribution node['lsb']['codename']
|
12
12
|
end
|
13
13
|
when 'debian'
|
14
|
-
|
14
|
+
# use plain repo
|
15
15
|
apt_repository 'nginx' do
|
16
16
|
uri 'http://nginx.org/packages/debian'
|
17
17
|
distribution node['lsb']['codename']
|
@@ -10,6 +10,8 @@ when 'ubuntu', 'centos'
|
|
10
10
|
# also skip it on ubuntu 15.10, because the cookbook is not supported
|
11
11
|
# with `enable_pgdg_apt` yet
|
12
12
|
return if node['platform_version'] == "15.10"
|
13
|
+
# skip it on centos 5, because ca-certificates is not available
|
14
|
+
return if node['platform_version'] == "5"
|
13
15
|
|
14
16
|
node.default['postgresql']['enable_pgdg_apt'] = true
|
15
17
|
node.default['postgresql']['config']['listen_addresses'] = 'localhost'
|
@@ -0,0 +1,15 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
# author: Christoph Hartmann
|
3
|
+
# author: Dominik Richter
|
4
|
+
#
|
5
|
+
# prepares container for normal use :-)
|
6
|
+
|
7
|
+
# install docker pre-conditions
|
8
|
+
if ['ubuntu', 'debian'].include?(node['platform'])
|
9
|
+
include_recipe('apt')
|
10
|
+
|
11
|
+
# if package lsb-release & procps is not installed
|
12
|
+
# chef returns an empty node['lsb']['codename']
|
13
|
+
package("lsb-release")
|
14
|
+
package("procps")
|
15
|
+
end
|
@@ -12,8 +12,8 @@ when 'ubuntu'
|
|
12
12
|
|
13
13
|
when 'centos'
|
14
14
|
# install runit for alternative service mgmt
|
15
|
-
if node['platform_version'].to_i
|
16
|
-
include_recipe 'os_prepare::_runit_service_centos'
|
17
|
-
include_recipe 'os_prepare::_upstart_service_centos'
|
15
|
+
if node['platform_version'].to_i == 6
|
16
|
+
include_recipe 'os_prepare::_runit_service_centos' unless node['osprepare']['docker']
|
17
|
+
include_recipe 'os_prepare::_upstart_service_centos' unless node['osprepare']['docker']
|
18
18
|
end
|
19
19
|
end
|
data/test/docker_test.rb
CHANGED
@@ -3,6 +3,14 @@
|
|
3
3
|
|
4
4
|
require_relative 'docker_run'
|
5
5
|
require_relative '../lib/inspec'
|
6
|
+
#
|
7
|
+
# BUGON: These requires are to get around concurrency issues with
|
8
|
+
# autoloading in Ruby
|
9
|
+
#
|
10
|
+
require 'train'
|
11
|
+
require 'train/plugins'
|
12
|
+
require 'train/plugins/transport'
|
13
|
+
require 'train/transports/docker'
|
6
14
|
|
7
15
|
tests = ARGV
|
8
16
|
if tests.empty?
|