inspec 0.35.0 → 1.0.0.beta2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +83 -2
- data/Gemfile +6 -0
- data/Rakefile +3 -55
- data/docs/README.md +20 -0
- data/docs/cli.rst +6 -0
- data/docs/dsl_inspec.md +245 -0
- data/docs/dsl_resource.md +93 -0
- data/docs/inspec_and_friends.md +102 -0
- data/docs/matchers.md +136 -0
- data/docs/plugin_kitchen_inspec.html.md +55 -0
- data/docs/profiles.md +271 -0
- data/docs/resources.rst +1 -1
- data/docs/shell.md +150 -0
- data/inspec.gemspec +1 -1
- data/lib/bundles/inspec-compliance/api.rb +28 -18
- data/lib/bundles/inspec-compliance/cli.rb +19 -27
- data/lib/fetchers/git.rb +4 -0
- data/lib/fetchers/local.rb +16 -1
- data/lib/fetchers/mock.rb +4 -0
- data/lib/fetchers/url.rb +40 -12
- data/lib/inspec/base_cli.rb +4 -0
- data/lib/inspec/cli.rb +6 -8
- data/lib/inspec/control_eval_context.rb +8 -0
- data/lib/inspec/dependencies/{vendor_index.rb → cache.rb} +5 -4
- data/lib/inspec/dependencies/dependency_set.rb +8 -14
- data/lib/inspec/dependencies/requirement.rb +10 -20
- data/lib/inspec/dependencies/resolver.rb +2 -2
- data/lib/inspec/dsl.rb +9 -0
- data/lib/inspec/fetcher.rb +1 -1
- data/lib/inspec/objects/test.rb +8 -2
- data/lib/inspec/plugins/fetcher.rb +11 -12
- data/lib/inspec/plugins/resource.rb +3 -0
- data/lib/inspec/profile.rb +60 -14
- data/lib/inspec/profile_context.rb +28 -7
- data/lib/inspec/resource.rb +17 -2
- data/lib/inspec/rspec_json_formatter.rb +80 -35
- data/lib/inspec/runner.rb +42 -18
- data/lib/inspec/shell.rb +5 -16
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/apache_conf.rb +1 -1
- data/lib/resources/gem.rb +1 -0
- data/lib/resources/oneget.rb +1 -0
- data/lib/resources/os.rb +1 -1
- data/lib/resources/package.rb +3 -1
- data/lib/resources/pip.rb +1 -1
- data/lib/resources/ssl.rb +9 -11
- metadata +15 -15
- data/docs/dsl_inspec.rst +0 -259
- data/docs/dsl_resource.rst +0 -90
- data/docs/inspec_and_friends.rst +0 -85
- data/docs/matchers.rst +0 -137
- data/docs/profiles.rst +0 -169
- data/docs/readme.rst +0 -105
- data/docs/shell.rst +0 -130
- data/docs/template.rst +0 -51
data/docs/dsl_resource.rst
DELETED
@@ -1,90 +0,0 @@
|
|
1
|
-
=====================================================
|
2
|
-
Resource DSL
|
3
|
-
=====================================================
|
4
|
-
|
5
|
-
InSpec provides a mechanism for defining custom resources. These become available with their respective names and provide easy functionality to profiles.
|
6
|
-
|
7
|
-
Resource location
|
8
|
-
-----------------------------------------------------
|
9
|
-
|
10
|
-
Resources may be added to profiles in the `libraries` folder:
|
11
|
-
|
12
|
-
.. code-block:: bash
|
13
|
-
|
14
|
-
$ tree examples/profile
|
15
|
-
examples/profile
|
16
|
-
...
|
17
|
-
├── libraries
|
18
|
-
│ └── gordon_config.rb
|
19
|
-
|
20
|
-
|
21
|
-
Resource structure
|
22
|
-
-----------------------------------------------------
|
23
|
-
|
24
|
-
The smallest possible resource takes this form:
|
25
|
-
|
26
|
-
.. code-block:: ruby
|
27
|
-
|
28
|
-
class Tiny < Inspec.resource(1)
|
29
|
-
name 'tiny'
|
30
|
-
end
|
31
|
-
|
32
|
-
Resources are written as a regular Ruby `class` which inherits from `Inspec.resource`. The number (`1`) specifies the version this resource plugin targets. As InSpec evolves, this interface may change and may require a higher version.
|
33
|
-
|
34
|
-
The following attributes can be configured:
|
35
|
-
|
36
|
-
* `name` - Identifier of the resource (required)
|
37
|
-
* `desc` - Description of the resource (optional)
|
38
|
-
* `example` - Example usage of the resource (optional)
|
39
|
-
|
40
|
-
The following methods are available to the resource:
|
41
|
-
|
42
|
-
* `inspec` - Contains a registry of all other resources to interact with the operating system or target in general.
|
43
|
-
* `skip_resource` - A resource may call this method to indicate, that requirements aren't met. All tests that use this resource will be marked as `skipped`.
|
44
|
-
|
45
|
-
The following example shows a full resource using attributes and methods to provide simple access to a configuration file:
|
46
|
-
|
47
|
-
.. code-block:: ruby
|
48
|
-
|
49
|
-
class GordonConfig < Inspec.resource(1)
|
50
|
-
name 'gordon_config'
|
51
|
-
|
52
|
-
desc '
|
53
|
-
Resource description ...
|
54
|
-
'
|
55
|
-
|
56
|
-
example '
|
57
|
-
describe gordon_config do
|
58
|
-
its("signal") { should eq "on" }
|
59
|
-
end
|
60
|
-
'
|
61
|
-
|
62
|
-
# Load the configuration file on initialization
|
63
|
-
def initialize(path = nil)
|
64
|
-
@path = path || '/etc/gordon.conf'
|
65
|
-
@params = SimpleConfig.new( read_content )
|
66
|
-
end
|
67
|
-
|
68
|
-
# Expose all parameters of the configuration file.
|
69
|
-
def method_missing(name)
|
70
|
-
@params[name]
|
71
|
-
end
|
72
|
-
|
73
|
-
private
|
74
|
-
|
75
|
-
def read_content
|
76
|
-
f = inspec.file(@path)
|
77
|
-
# Test if the path exist and that it's a file
|
78
|
-
if f.file?
|
79
|
-
# Retrieve the file's contents
|
80
|
-
f.content
|
81
|
-
else
|
82
|
-
# If the file doesn't exist, skip all tests that use gordon_config
|
83
|
-
skip_resource "Can't read config from #{@path}."
|
84
|
-
end
|
85
|
-
end
|
86
|
-
end
|
87
|
-
|
88
|
-
For a full example, see our `example resource`_.
|
89
|
-
|
90
|
-
.. _example resource: ../examples/profile/libraries/gordon_config.rb
|
data/docs/inspec_and_friends.rst
DELETED
@@ -1,85 +0,0 @@
|
|
1
|
-
=====================================================
|
2
|
-
InSpec and friends
|
3
|
-
=====================================================
|
4
|
-
|
5
|
-
RSpec
|
6
|
-
=====================================================
|
7
|
-
|
8
|
-
RSpec is an awesome framework that is widely used to test Ruby code. It enables test-driven development (TDD) and helps developers to write better code every day.
|
9
|
-
|
10
|
-
InSpec is built on top of RSpec and uses it as the underlying foundation to execute tests. It uses the key strengths of RSpec, easily execute tests and a DSL to write tests, but extends the functionality for use as compliance audits. InSpec ships with custom audit resources that make it easy to write audit checks and with the ability to run those checks on remote servers. These audit resources provided know the differences between operating systems and help you abstract from the local operating system, similar to other resources you might use in your Chef recipes.
|
11
|
-
|
12
|
-
A complete InSpec rule looks like:
|
13
|
-
|
14
|
-
.. code-block:: ruby
|
15
|
-
|
16
|
-
control "sshd-11" do
|
17
|
-
impact 1.0
|
18
|
-
title "Server: Set protocol version to SSHv2"
|
19
|
-
desc "Set the SSH protocol version to 2. Don't use legacy
|
20
|
-
insecure SSHv1 connections anymore."
|
21
|
-
tag security: "level-1"
|
22
|
-
tag "openssh-server"
|
23
|
-
ref "Server Security Guide v.1.0", url: "http://..."
|
24
|
-
|
25
|
-
describe sshd_config do
|
26
|
-
its('Protocol') { should eq('2') }
|
27
|
-
end
|
28
|
-
end
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
Serverspec
|
33
|
-
=====================================================
|
34
|
-
|
35
|
-
Serverspec can be credited as the first extension of RSpec that enabled users to run RSpec tests on servers to verify deployed artifacts. It was created in March 2013 by Gosuke Miyashita and has been widely adopted. It is also one of the core test frameworks within test-kitchen and has been widely used within the Chef ecosystem. InSpec takes lessons learned implementing and using Serverspec and builds on them to make auditing and compliance easier.
|
36
|
-
|
37
|
-
Lessons learned from Serverspec include:
|
38
|
-
|
39
|
-
* IT, compliance, and security professional require metadata beyond what Serverspec offers, such as criticality, to fully describe controls.
|
40
|
-
|
41
|
-
* Setting up and running the same tests across multiple machines must be easy.
|
42
|
-
|
43
|
-
* It must be easy to locate, debug, and extend operating system-dependent code.
|
44
|
-
|
45
|
-
* It must be easy to extend the language and create custom resources.
|
46
|
-
|
47
|
-
* It must run multiple tests simultaneously.
|
48
|
-
|
49
|
-
* Support for Windows is a first-class requirement.
|
50
|
-
|
51
|
-
* A command line interface (CLI) is required for faster iteration of test code.
|
52
|
-
|
53
|
-
|
54
|
-
How is InSpec different than Serverspec
|
55
|
-
-----------------------------------------------------
|
56
|
-
|
57
|
-
One of the key differences is that InSpec targets more user groups. It is optimized for DevOps, Security, and Compliance professionals. Additional metadata, such as impact, title, and description, make it easier to fully describe the controls which makes it easier to share the controls with other departments. This enables Security departments to prioritize rules. DevOps teams use this information to focus on the most critical issues to remediate.
|
58
|
-
|
59
|
-
.. code-block:: ruby
|
60
|
-
|
61
|
-
control "sshd-11" do
|
62
|
-
impact 1.0
|
63
|
-
title "Server: Set protocol version to SSHv2"
|
64
|
-
desc "Set the SSH protocol version to 2. Don't use legacy
|
65
|
-
insecure SSHv1 connections anymore."
|
66
|
-
tag security: "level-1"
|
67
|
-
tag "openssh-server"
|
68
|
-
ref "Server Security Guide v.1.0" url: "http://..."
|
69
|
-
|
70
|
-
describe sshd_config do
|
71
|
-
its('Protocol') { should cmp 2 }
|
72
|
-
end
|
73
|
-
end
|
74
|
-
|
75
|
-
**Why not fork Serverspec?**
|
76
|
-
|
77
|
-
InSpec started as an extension of Serverspec. As the extension grew, it became clear that a new library was required. Creating and maintaining a fork was not practical so a new project was born.
|
78
|
-
|
79
|
-
**Will InSpec only work on machines managed by Chef?**
|
80
|
-
|
81
|
-
No, InSpec can be used on any machine. It doesn’t matter if that machine was configured by Chef or configured lovingly by the hands of your local System Administrator.
|
82
|
-
|
83
|
-
**Is InSpec a replacement of Serverspec?**
|
84
|
-
|
85
|
-
InSpec is intended to be a drop-in replacement of Serverspec. Popular Serverspec resources have been ported to InSpec. It changed some behaviour as documented in our migration guide.
|
data/docs/matchers.rst
DELETED
@@ -1,137 +0,0 @@
|
|
1
|
-
=====================================================
|
2
|
-
InSpec Matchers Reference
|
3
|
-
=====================================================
|
4
|
-
|
5
|
-
|
6
|
-
Inspec uses matchers to help compare resource values to expectations. The following matchers are available:
|
7
|
-
|
8
|
-
* `be`
|
9
|
-
* `cmp`
|
10
|
-
* `eq`
|
11
|
-
* `include`
|
12
|
-
* `match`
|
13
|
-
|
14
|
-
|
15
|
-
be
|
16
|
-
=====================================================
|
17
|
-
|
18
|
-
This matcher can be followed by many different comparison operators. Always make sure to use numbers, not strings, for these comparisons.
|
19
|
-
|
20
|
-
.. code-block:: ruby
|
21
|
-
|
22
|
-
describe file('/proc/cpuinfo') do
|
23
|
-
its('size') { should be >= 10 }
|
24
|
-
its('size') { should be < 1000 }
|
25
|
-
end
|
26
|
-
|
27
|
-
cmp
|
28
|
-
=====================================================
|
29
|
-
|
30
|
-
Unlike ``eq``, cmp is a matcher for less-restrictive comparisons. It will try to fit the actual value to the type you are comparing it to. This is meant to relieve the user from having to write type-casts and resolutions.
|
31
|
-
|
32
|
-
.. code-block:: ruby
|
33
|
-
|
34
|
-
describe sshd_config do
|
35
|
-
its('Protocol') { should cmp 2 }
|
36
|
-
end
|
37
|
-
|
38
|
-
describe passwd.uid(0) do
|
39
|
-
its('users') { should cmp 'root' }
|
40
|
-
end
|
41
|
-
|
42
|
-
``cmp`` behaves in the following way:
|
43
|
-
|
44
|
-
* Compare strings to numbers
|
45
|
-
|
46
|
-
.. code-block:: ruby
|
47
|
-
|
48
|
-
describe sshd_config do
|
49
|
-
its('Protocol') { should eq '2' }
|
50
|
-
|
51
|
-
its('Protocol') { should cmp '2' }
|
52
|
-
its('Protocol') { should cmp 2 }
|
53
|
-
end
|
54
|
-
|
55
|
-
* String comparisons are not case-sensitive
|
56
|
-
|
57
|
-
.. code-block:: ruby
|
58
|
-
|
59
|
-
describe auditd_conf do
|
60
|
-
its('log_format') { should cmp 'raw' }
|
61
|
-
its('log_format') { should cmp 'RAW' }
|
62
|
-
end
|
63
|
-
|
64
|
-
* Compare arrays with only one entry to a value
|
65
|
-
|
66
|
-
.. code-block:: ruby
|
67
|
-
|
68
|
-
describe passwd.uids(0) do
|
69
|
-
its('users') { should cmp 'root' }
|
70
|
-
its('users') { should cmp ['root'] }
|
71
|
-
end
|
72
|
-
|
73
|
-
* Single-value arrays of strings may also be compared to a regex
|
74
|
-
|
75
|
-
.. code-block:: ruby
|
76
|
-
|
77
|
-
describe auditd_conf do
|
78
|
-
its('log_format') { should cmp /raw/i }
|
79
|
-
end
|
80
|
-
|
81
|
-
* Improved printing of octal comparisons
|
82
|
-
|
83
|
-
.. code-block:: ruby
|
84
|
-
|
85
|
-
describe file('/proc/cpuinfo') do
|
86
|
-
its('mode') { should cmp '0345' }
|
87
|
-
end
|
88
|
-
|
89
|
-
expected: 0345
|
90
|
-
got: 0444
|
91
|
-
|
92
|
-
eq
|
93
|
-
=====================================================
|
94
|
-
|
95
|
-
Test for exact equality of two values.
|
96
|
-
|
97
|
-
.. code-block:: ruby
|
98
|
-
|
99
|
-
describe sshd_config do
|
100
|
-
its('RSAAuthentication') { should_not eq 'no' }
|
101
|
-
its('Protocol') { should eq '2' }
|
102
|
-
end
|
103
|
-
|
104
|
-
It fails if types don't match. Please keep this in mind, when comparing configuration
|
105
|
-
entries that are numbers:
|
106
|
-
|
107
|
-
.. code-block:: ruby
|
108
|
-
|
109
|
-
its('Port') { should eq '22' } # ok
|
110
|
-
|
111
|
-
its('Port') { should eq 22 }
|
112
|
-
# fails: '2' != 2 (string vs int)
|
113
|
-
|
114
|
-
For less restrictive comparisons, please use ``cmp``.
|
115
|
-
|
116
|
-
include
|
117
|
-
=====================================================
|
118
|
-
|
119
|
-
Verifies if a value is included in a list.
|
120
|
-
|
121
|
-
.. code-block:: ruby
|
122
|
-
|
123
|
-
describe passwd do
|
124
|
-
its('users') { should include 'my_user' }
|
125
|
-
end
|
126
|
-
|
127
|
-
|
128
|
-
match
|
129
|
-
=====================================================
|
130
|
-
|
131
|
-
Check if a string matches a regular expression.
|
132
|
-
|
133
|
-
.. code-block:: ruby
|
134
|
-
|
135
|
-
describe sshd_config do
|
136
|
-
its('Ciphers') { should_not match /cbc/ }
|
137
|
-
end
|
data/docs/profiles.rst
DELETED
@@ -1,169 +0,0 @@
|
|
1
|
-
=====================================================
|
2
|
-
InSpec Profiles
|
3
|
-
=====================================================
|
4
|
-
|
5
|
-
InSpec supports the creation of complex test and compliance profiles, which organize controls to support dependency management and code re-use. These profiles are standalone structures with their own distribution and execution flow.
|
6
|
-
|
7
|
-
InSpec profile structure
|
8
|
-
-----------------------------------------------------
|
9
|
-
|
10
|
-
To create a new profile just place the files according to the following structure:
|
11
|
-
|
12
|
-
.. code-block:: bash
|
13
|
-
|
14
|
-
$ tree examples/profile
|
15
|
-
examples/profile
|
16
|
-
├── README.md
|
17
|
-
├── controls
|
18
|
-
│ ├── example.rb
|
19
|
-
│ └── gordon.rb
|
20
|
-
├── libraries
|
21
|
-
│ └── gordon_config.rb
|
22
|
-
└── inspec.yml
|
23
|
-
|
24
|
-
|
25
|
-
* `inspec.yml` - includes the profile description (required)
|
26
|
-
* `controls` - a folder which contains all tests (required)
|
27
|
-
* `libraries` - a folder which contains InSpec resource extensions (optional)
|
28
|
-
* `README.md` - a best-practice readme to each explain the profile and its scope
|
29
|
-
|
30
|
-
For a full example, see our `example profile`_.
|
31
|
-
|
32
|
-
.. _example profile: ../examples/profile
|
33
|
-
|
34
|
-
InSpec profile manifest
|
35
|
-
-----------------------------------------------------
|
36
|
-
|
37
|
-
Each profile has a manifest file `inspec.yml`. It looks as follows
|
38
|
-
|
39
|
-
.. code-block:: yaml
|
40
|
-
|
41
|
-
name: ssh
|
42
|
-
title: Basic SSH
|
43
|
-
maintainer: Chef Software, Inc.
|
44
|
-
copyright: Chef Software, Inc.
|
45
|
-
copyright_email: support@chef.io
|
46
|
-
license: Proprietary, All rights reserved
|
47
|
-
summary: Verify that SSH Server and SSH Client are configured securely
|
48
|
-
version: 1.0.0
|
49
|
-
supports:
|
50
|
-
- os-family: linux
|
51
|
-
|
52
|
-
|
53
|
-
A manifest description may contain the following values:
|
54
|
-
|
55
|
-
* `name` - Identifier of the profile (required)
|
56
|
-
* `title` - Human-readable name of the profile (optional)
|
57
|
-
* `maintainer` - Name of the profile maintainer (optional)
|
58
|
-
* `copyright` - Copyright holder (optional)
|
59
|
-
* `copyright_email` - Support contact for profile (optional)
|
60
|
-
* `license` - License of the profile (optional)
|
61
|
-
* `summary` - One-line summary of the profile (optional)
|
62
|
-
* `description` - Description of the profile (optional)
|
63
|
-
* `version` - Version of the profile (optional)
|
64
|
-
* `supports` - A list of supported targets (optional)
|
65
|
-
|
66
|
-
Supported targets
|
67
|
-
-----------------------------------------------------
|
68
|
-
|
69
|
-
The manifest contains the `supports` flag, which specifies operating systems or even cloud systems that the profile is targeting.
|
70
|
-
|
71
|
-
This list can contain simple names, names and versions, or detailed flags for the targeted system. These can freely be combined:
|
72
|
-
|
73
|
-
.. code-block:: yaml
|
74
|
-
|
75
|
-
name: ssh
|
76
|
-
supports:
|
77
|
-
// Runs on any version of Debian Linux
|
78
|
-
- os-name: debian
|
79
|
-
|
80
|
-
// Only runs on Ubuntu 14.04
|
81
|
-
- os-name: ubuntu
|
82
|
-
release: 14.04
|
83
|
-
|
84
|
-
// Targets RedHat, CentOS, Oracle Linux ...
|
85
|
-
- os-family: redhat
|
86
|
-
|
87
|
-
// Or even broader
|
88
|
-
- platform: aws
|
89
|
-
|
90
|
-
|
91
|
-
InSpec profile verification
|
92
|
-
-----------------------------------------------------
|
93
|
-
|
94
|
-
InSpec ships with a verification command that verifies the implementation of a profile:
|
95
|
-
|
96
|
-
.. code-block:: bash
|
97
|
-
|
98
|
-
$ inspec check examples/profile
|
99
|
-
|
100
|
-
|
101
|
-
InSpec profile archive
|
102
|
-
-----------------------------------------------------
|
103
|
-
|
104
|
-
Profiles are composed of multiple files. This hinders easy distribution of a profile. InSpec solves the problem by offering to collect all files in one archive.
|
105
|
-
|
106
|
-
The InSpec profile archive format aims for flexibility and reuse of standard and common technologies:
|
107
|
-
|
108
|
-
* tar and gzip (default)
|
109
|
-
* zip
|
110
|
-
* HTTP
|
111
|
-
|
112
|
-
This should enable third-parties to easily build InSpec profile archives:
|
113
|
-
|
114
|
-
* InSpec archives MUST be named with the stanard suffix
|
115
|
-
* InSpec archives MUST be a tar.gz or zip formatted file
|
116
|
-
* InSpec archives MUST have no duplicate entries
|
117
|
-
* InSpec archives MAY be compressed with gzip, bzip2, or xz.
|
118
|
-
|
119
|
-
InSpec is able to create profile archive for you. By default it generates a tar-file on Unix and zip on Windows or Mac.
|
120
|
-
|
121
|
-
.. code-block:: bash
|
122
|
-
|
123
|
-
# will generate a example-profile.tar.gz
|
124
|
-
$ inspec archive examples/profile
|
125
|
-
|
126
|
-
# will generate a example-profile.zip
|
127
|
-
$ inspec archive examples/profile --zip
|
128
|
-
|
129
|
-
|
130
|
-
Profile inheritance
|
131
|
-
-----------------------------------------------------
|
132
|
-
|
133
|
-
**Include controls of existing profile**
|
134
|
-
|
135
|
-
The `include_controls` keyword allows you to import all rules from an existing profile. This can be easily extended with additional rules.
|
136
|
-
|
137
|
-
.. code-block:: bash
|
138
|
-
|
139
|
-
include_controls 'cis-level-1' do
|
140
|
-
|
141
|
-
control "cis-fs-2.7" do
|
142
|
-
impact 1.0
|
143
|
-
...
|
144
|
-
|
145
|
-
end
|
146
|
-
|
147
|
-
**Inherit from a profile, but skip some rules**
|
148
|
-
|
149
|
-
Sometimes, not all requirements can be fulfilled for a legacy application. To manage the derivation, you can skip certain controls with `skip_control`.
|
150
|
-
|
151
|
-
.. code-block:: bash
|
152
|
-
|
153
|
-
include_controls 'cis-level-1' do
|
154
|
-
|
155
|
-
skip_control "cis-fs-2.1"
|
156
|
-
skip_control "cis-fs-2.2"
|
157
|
-
|
158
|
-
end
|
159
|
-
|
160
|
-
**Load specific controls from another profile**
|
161
|
-
|
162
|
-
.. code-block:: bash
|
163
|
-
|
164
|
-
require_controls 'cis-level-1' do
|
165
|
-
|
166
|
-
control "cis-fs-2.1"
|
167
|
-
control "cis-fs-2.2"
|
168
|
-
|
169
|
-
end
|