inspec 0.9.7 → 0.9.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 521db4877e62abdfe0b3314d45f1a1510ca6afc0
-  data.tar.gz: 53255bfa015cb24273b887670a09eda05e10f12e
+  metadata.gz: 05af717dedcf5fea001060356a73c799927a3ac5
+  data.tar.gz: 5fb4a23de7019a3f89d806737758e61ae8dace4c
 SHA512:
-  metadata.gz: 7a291a8c658ef86fce86c3aedcea6518edf90a0c0314fd3503449349d3ee590b857b6248281d29d9a8ab77baea7dd84d58f1bffe17eccbc3b61fbc62ef906a62
-  data.tar.gz: 977dafda6c3a71f952ec1a2b043bb6a8cc84482db9a9a501509957444b00de4a676b652e329e7cdc8ff8af5914354e5758ac5ee6fbd30d66105b914bf7ff5e11
+  metadata.gz: f0da77acc1e683f4cef31cb497eecba9052e854555357f030e631e9749ad030bfdca6adf26ef5f1501b1d3789aae1377b6a416833ffc9c7c6baa2e074aae6ecf
+  data.tar.gz: 4523247eeb675b640da571394253bd47f7f396a1a500140a280b394fa44472ea7a1b60ef0abfd7a1cb66490bbf15596e1cc104bacbc56b5e433dcd2689251825

data/CHANGELOG.md

@@ -1,7 +1,44 @@
 # Change Log
 
-## [0.9.7](https://github.com/chef/inspec/tree/0.9.7) (2015-12-21)
-[Full Changelog](https://github.com/chef/inspec/compare/v0.9.6...0.9.7)
+## [0.9.8](https://github.com/chef/inspec/tree/0.9.8) (2016-01-11)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.9.7...0.9.8)
+
+**Implemented enhancements:**
+
+- Control Numbers and Display in Compliance GUI [\#306](https://github.com/chef/inspec/issues/306)
+- Support supports for resources [\#282](https://github.com/chef/inspec/issues/282)
+- Unify metadata and collect it from target resolver [\#342](https://github.com/chef/inspec/pull/342) ([arlimus](https://github.com/arlimus))
+- implement `mount` resource [\#341](https://github.com/chef/inspec/pull/341) ([chris-rock](https://github.com/chris-rock))
+- Update Integration Tests [\#314](https://github.com/chef/inspec/pull/314) ([chris-rock](https://github.com/chris-rock))
+- RFC: Compliance Profile Structure [\#252](https://github.com/chef/inspec/pull/252) ([chris-rock](https://github.com/chris-rock))
+
+**Fixed bugs:**
+
+- Inspec doesn't read controls [\#351](https://github.com/chef/inspec/issues/351)
+- not working under windows, installed from gem [\#323](https://github.com/chef/inspec/issues/323)
+- Resource 'file' missing 'be\_mounted.with' [\#310](https://github.com/chef/inspec/issues/310)
+- `inspec check` on examples generates errors [\#215](https://github.com/chef/inspec/issues/215)
+- bugfix: ignore supports when generating a profile's json representation [\#355](https://github.com/chef/inspec/pull/355) ([srenatus](https://github.com/srenatus))
+- Support old "supports" field in metadata [\#347](https://github.com/chef/inspec/pull/347) ([srenatus](https://github.com/srenatus))
+- Fix custom resource loading from `libraries` [\#337](https://github.com/chef/inspec/pull/337) ([arlimus](https://github.com/arlimus))
+
+**Closed issues:**
+
+- Create RFC on profile structure [\#296](https://github.com/chef/inspec/issues/296)
+
+**Merged pull requests:**
+
+- fix reading profiles bug [\#352](https://github.com/chef/inspec/pull/352) ([srenatus](https://github.com/srenatus))
+- clarify how to bump version in rake [\#348](https://github.com/chef/inspec/pull/348) ([arlimus](https://github.com/arlimus))
+- Add `supports` to metadata to specify supported systems [\#344](https://github.com/chef/inspec/pull/344) ([arlimus](https://github.com/arlimus))
+- Update list of examples [\#340](https://github.com/chef/inspec/pull/340) ([chris-rock](https://github.com/chris-rock))
+- add a description for custom resources [\#339](https://github.com/chef/inspec/pull/339) ([arlimus](https://github.com/arlimus))
+- ignore auto-generated controls during verify check [\#332](https://github.com/chef/inspec/pull/332) ([arlimus](https://github.com/arlimus))
+- Set exit status to return value of Inspec Runner [\#331](https://github.com/chef/inspec/pull/331) ([rbhitchcock](https://github.com/rbhitchcock))
+- Verify profile metadata contents correctly [\#330](https://github.com/chef/inspec/pull/330) ([arlimus](https://github.com/arlimus))
+
+## [v0.9.7](https://github.com/chef/inspec/tree/v0.9.7) (2015-12-21)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.9.6...v0.9.7)
 
 **Implemented enhancements:**
 
@@ -22,6 +59,7 @@
 
 **Merged pull requests:**
 
+- 0.9.7 [\#328](https://github.com/chef/inspec/pull/328) ([arlimus](https://github.com/arlimus))
 - remove format default for `inspec exec` [\#326](https://github.com/chef/inspec/pull/326) ([srenatus](https://github.com/srenatus))
 - teach `cmp` matcher octal tricks [\#324](https://github.com/chef/inspec/pull/324) ([srenatus](https://github.com/srenatus))
 

data/Gemfile

@@ -16,6 +16,7 @@ group :integration do
   gem 'test-kitchen'
   gem 'kitchen-vagrant'
   gem 'kitchen-inspec'
+  gem 'kitchen-ec2'
 end
 
 group :tools do

data/README.md

@@ -214,13 +214,32 @@ You will require:
 * vagrant with virtualbox
 * test-kitchen
 
-Run `integration` tests with
+**Run `integration` tests with vagrant:**
 
 ```bash
 cd test/integration
-bundle exec kitchen test -t .
+bundle exec kitchen test
 ```
 
+**Run `integration` tests with AWS EC2:**
+
+```bash
+export AWS_ACCESS_KEY_ID=enteryouryourkey
+export AWS_SECRET_ACCESS_KEY=enteryoursecreykey
+export AWS_SSH_KEY_ID=enteryoursshkeyid
+cd test/integration
+KITCHEN_LOCAL_YAML=.kitchen.ec2.yml bundle exec kitchen test
+```
+
+In addition you may need to add your ssh key to `.kitchen.ec2.yml`
+
+```
+transport:
+  ssh_key: /Users/chartmann/aws/aws_chartmann.pem
+  username: ec2-user
+```
+
+
 ### Chef Delivery Tests
 
 It may be informative to look at what [tests Chef Delivery](https://github.com/chef/inspec/blob/master/.delivery/build-cookbook/recipes/unit.rb) is running for CI.

data/Rakefile

@@ -119,7 +119,7 @@ end
 desc 'Bump the version of this gem'
 task :bump_version, [:version] do |_, args|
   v = args[:version] || ENV['to']
-  fail "You must specify a target version!  rake release[1.2.3]" if v.empty?
+  fail "You must specify a target version!  rake bump_version to=1.2.3" if v.empty?
   check_update_requirements
   inspec_version(v)
   Rake::Task['changelog'].invoke

data/bin/inspec

@@ -52,8 +52,10 @@ class InspecCLI < Thor # rubocop:disable Metrics/ClassLength
   def json(path)
     diagnose
 
-    profile = Inspec::Profile.from_path(path, opts)
-    dst = opts[:output].to_s
+    o = opts.dup
+    o[:ignore_supports] = true
+    profile = Inspec::Profile.from_path(path, o)
+    dst = o[:output].to_s
     if dst.empty?
       puts JSON.pretty_generate(profile.info)
     else
@@ -73,10 +75,30 @@ class InspecCLI < Thor # rubocop:disable Metrics/ClassLength
 
     o = opts.dup
     o[:logger] = Logger.new(STDOUT)
+    o[:ignore_supports] = true # we check for integrity only
     profile = Inspec::Profile.from_path(path, o)
     exit 1 unless profile.check
   end
 
+  desc 'archive PATH', 'archive a profile to tar.gz (default) or zip'
+  option :zip, type: :boolean, default: false,
+    desc: 'Generates a zip archive.'
+  option :tar, type: :boolean, default: false,
+    desc: 'Generates a tar.gz archive.'
+  option :overwrite, type: :boolean, default: false,
+    desc: 'Overwrite existing archive.'
+  option :ignore_errors, type: :boolean, default: false,
+    desc: 'Ignore profile warnings.'
+  def archive(path)
+    diagnose
+
+    o = options.dup
+    o[:logger] = Logger.new(STDOUT)
+    profile = Inspec::Profile.from_path(path, o)
+    # generate archive
+    exit 1 unless profile.archive(opts)
+  end
+
   desc 'exec PATHS', 'run all test files at the specified PATH.'
   option :id, type: :string,
     desc: 'Attach a profile ID to all test results'
@@ -87,7 +109,7 @@ class InspecCLI < Thor # rubocop:disable Metrics/ClassLength
 
     runner = Inspec::Runner.new(opts)
     runner.add_tests(tests)
-    runner.run
+    exit runner.run
   rescue RuntimeError => e
     puts e.message
   end

data/bin/os

@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+# encoding: utf-8
+
+require 'train'
+
+train = Train.create('local')
+
+# start or reuse a connection
+conn = train.connection
+os = conn.os
+
+# get OS info
+conf = {
+  name:    os[:name],
+  family:  os[:family],
+  release: os[:release],
+  arch:    os[:arch],
+}
+puts JSON.dump(conf)
+
+
+# close the connection
+conn.close

data/docs/dsl_resource.rst

@@ -0,0 +1,90 @@
+=====================================================
+Resource DSL
+=====================================================
+
+InSpec provides a mechanism for defining custom resources. These become available with their respective names and provide easy functionality to profiles.
+
+Resource location
+-----------------------------------------------------
+
+Resources may be added to profiles in the `libraries` folder:
+
+.. code-block:: bash
+
+  $ tree examples/profile
+  examples/profile
+  ...
+  ├── libraries
+  │   └── gordon_config.rb
+
+
+Resource structure
+-----------------------------------------------------
+
+The smallest possible resource takes this form:
+
+.. code-block:: ruby
+
+  class Tiny < Inspec.resource(1)
+    name 'tiny'
+  end
+
+Resources are written as a regular Ruby `class` which inherits from `Inspec.resource`. The number (`1`) specifies the version this resource plugin targets. As InSpec evolves, this interface may change and may require a higher version.
+
+The following attributes can be configured:
+
+* `name` - Identifier of the resource (required)
+* `desc` - Description of the resource (optional)
+* `example` - Example usage of the resource (optional)
+
+The following methods are available to the resource:
+
+* `inspec` - Contains a registry of all other resources to interact with the operating system or target in general.
+* `skip_resource` - A resource may call this method to indicate, that requirements aren't met. All tests that use this resource will be marked as `skipped`.
+
+The following example shows a full resource using attributes and methods to provide simple access to a configuration file:
+
+.. code-block:: ruby
+
+  class GordonConfig < Inspec.resource(1)
+    name 'gordon_config'
+
+    desc '
+      Resource description ...
+    '
+
+    example '
+      describe gordon_config do
+        its("signal") { should eq "on" }
+      end
+    '
+
+    # Load the configuration file on initialization
+    def initialiaze(path = nil)
+      @path = path || '/etc/gordon.conf'
+      @params = SimpleConfig.new( read_content )
+    end
+
+    # Expose all parameters of the configuration file.
+    def method_missing(name)
+      @params[name]
+    end
+
+    private
+
+    def read_content
+      f = inspec.file(@path)
+      # Test if the path exist and that it's a file
+      if f.file?
+        # Retrieve the file's contents
+        f.content
+      else
+        # If the file doesn't exist, skip all tests that use gordon_config
+        skip_resource "Can't read config from #{@path}."
+      end
+    end
+  end
+
+For a full example, see our `example resource`_.
+
+.. _example resource: ../examples/profile

data/docs/profiles.rst

@@ -0,0 +1,167 @@
+=====================================================
+InSpec Profiles
+=====================================================
+
+InSpec supports the creation of complex test and compliance profiles, which organize controls to support dependency management and code re-use. These profiles are standalone structures with their own distribution and execution flow.
+
+InSpec profile structure
+-----------------------------------------------------
+
+To create a new profile just place the files according to the following structure:
+
+.. code-block:: bash
+
+  $ tree examples/profile
+  examples/profile
+  ├── README.md
+  ├── controls
+  │   ├── example.rb
+  │   └── gordon.rb
+  ├── libraries
+  │   └── gordon_config.rb
+  └── inspec.yml
+
+
+ * `inspec.yml` - includes the profile description (required)
+ * `controls` - a folder which contains  all tests (required)
+ * `libraries` - a folder which contains InSpec resource extensions (optional)
+ * `README.md` - a best-practice readme to each explain the profile and its scope
+
+For a full example, see our `example profile`_.
+
+.. _example profile: ../examples/profile
+
+InSpec profile manifest
+-----------------------------------------------------
+
+Each profile has a manifest file `inspec.yml`. It looks as follows
+
+.. code-block:: yaml
+
+  name: ssh
+  title: Basic SSH
+  maintainer: Chef Software, Inc.
+  copyright: Chef Software, Inc.
+  copyright_email: support@chef.io
+  license: Proprietary, All rights reserved
+  summary: Verify that SSH Server and SSH Client are configured securely
+  version: 1.0.0
+  supports:
+    - os-family: linux
+
+
+A manifest description may contain the following values:
+
+ * `name` - Identifier of the profile (required)
+ * `title` - Human-readable name of the profile (optional)
+ * `maintainer` - Name of the profile maintainer (optional)
+ * `copyright` - Copyright holder (optional)
+ * `copyright_email` - Support contact for profile (optional)
+ * `license` - License of the profile (optional)
+ * `summary` - One-line summary of the profile (optional)
+ * `description` - Description of the profile (optional)
+ * `version` - Version of the profile (optional)
+ * `supports` - A list of supported targets (optional)
+
+Supported targets
+-----------------------------------------------------
+
+The manifest contains the `supports` flag, which specifies operating systems or even cloud systems that the profile is targeting.
+
+This list can contain simple names, names and versions, or detailed flags for the targeted system. These can freely be combined:
+
+.. code-block:: yaml
+
+  name: ssh
+  supports:
+    // Runs on any version of Debian Linux
+    - os-name: debian
+
+    // Only runs on Ubuntu 14.04
+    - os-name: ubuntu
+      release: 14.04
+
+    // Targets RedHat, CentOS, Oracle Linux ...
+    - os-family: redhat
+
+    // Or even broader
+    - platform: aws
+
+
+InSpec profile verification
+-----------------------------------------------------
+
+InSpec ships with a verification command that verifies the implementation of a profile
+
+$ inspec check examples/profile
+
+
+InSpec profile archive
+-----------------------------------------------------
+
+Profiles are composed of multiple files. This hinders easy distribution of a profile. InSpec solves the problem by offering to collect all files in one archive.
+
+The InSpec profile archive format aims for flexibility and reuse of standard and common technologies:
+
+ * tar and gzip (default)
+ * zip
+ * HTTP
+
+This should enable third-parties to easily build InSpec profile archives:
+
+ * InSpec archives MUST be named with the stanard suffix
+ * InSpec archives MUST be a tar.gz or zip formatted file
+ * InSpec archives MUST have no duplicate entries
+ * InSpec archives MAY be compressed with gzip, bzip2, or xz.
+
+InSpec is able to create profile archive for you. By default it generates a tar-file on Unix and zip on Windows or Mac.
+
+.. code-block:: bash
+
+  # will generate a example-profile.tar.gz
+  $ inspec archive examples/profile
+
+  # will generate a example-profile.zip
+  $ inspec archive examples/profile --zip
+
+
+Profile inheritance
+-----------------------------------------------------
+
+**Include controls of existing profile**
+
+The `include_controls` keyword allows you to import all rules from an existing profile. This can be easily extended with additional rules.
+
+.. code-block:: bash
+
+  include_controls 'cis-level-1' do
+
+    control "cis-fs-2.7" do
+      impact 1.0
+    ...
+
+  end
+
+**Inherit from a profile, but skip some rules**
+
+Sometimes, not all requirements can be fullfiled for a legacy application. To manage the derivation, you can skip certain controls with `skip_control`.
+
+.. code-block:: bash
+
+  include_controls 'cis-level-1' do
+
+    skip_control "cis-fs-2.1"
+    skip_control "cis-fs-2.2"
+
+  end
+
+**Load specific controls from another profile**
+
+.. code-block:: bash
+
+  require_controls 'cis-level-1' do
+
+    control "cis-fs-2.1"
+    control "cis-fs-2.2"
+
+  end