inspec 1.0.0.beta2 → 1.0.0.beta3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +41 -2
- data/Gemfile +4 -0
- data/Rakefile +2 -1
- data/docs/.gitignore +2 -0
- data/docs/README.md +21 -1
- data/docs/resources/apache_conf.md.erb +75 -0
- data/docs/resources/apt.md.erb +84 -0
- data/docs/resources/audit_policy.md.erb +61 -0
- data/docs/resources/auditd_conf.md.erb +79 -0
- data/docs/resources/auditd_rules.md.erb +132 -0
- data/docs/resources/bash.md.erb +84 -0
- data/docs/resources/bond.md.erb +97 -0
- data/docs/resources/bridge.md.erb +67 -0
- data/docs/resources/bsd_service.md.erb +76 -0
- data/docs/resources/command.md.erb +151 -0
- data/docs/resources/csv.md.erb +62 -0
- data/docs/resources/directory.md.erb +43 -0
- data/docs/resources/etc_group.md.erb +116 -0
- data/docs/resources/etc_passwd.md.erb +155 -0
- data/docs/resources/etc_shadow.md.erb +149 -0
- data/docs/resources/file.md.erb +460 -0
- data/docs/resources/gem.md.erb +73 -0
- data/docs/resources/group.md.erb +74 -0
- data/docs/resources/grub_conf.md.erb +115 -0
- data/docs/resources/host.md.erb +85 -0
- data/docs/resources/iis_site.md.erb +142 -0
- data/docs/resources/inetd_conf.md.erb +99 -0
- data/docs/resources/ini.md.erb +69 -0
- data/docs/resources/interface.md.erb +66 -0
- data/docs/resources/iptables.md.erb +70 -0
- data/docs/resources/json.md.erb +76 -0
- data/docs/resources/kernel_module.md.erb +60 -0
- data/docs/resources/kernel_parameter.md.erb +72 -0
- data/docs/resources/launchd_service.md.erb +76 -0
- data/docs/resources/limits_conf.md.erb +80 -0
- data/docs/resources/login_def.md.erb +77 -0
- data/docs/resources/mount.md.erb +83 -0
- data/docs/resources/mysql_conf.md.erb +102 -0
- data/docs/resources/mysql_session.md.erb +63 -0
- data/docs/resources/npm.md.erb +75 -0
- data/docs/resources/ntp_conf.md.erb +76 -0
- data/docs/resources/oneget.md.erb +67 -0
- data/docs/resources/os.md.erb +154 -0
- data/docs/resources/os_env.md.erb +98 -0
- data/docs/resources/package.md.erb +115 -0
- data/docs/resources/parse_config.md.erb +122 -0
- data/docs/resources/parse_config_file.md.erb +143 -0
- data/docs/resources/pip.md.erb +74 -0
- data/docs/resources/port.md.erb +150 -0
- data/docs/resources/postgres_conf.md.erb +90 -0
- data/docs/resources/postgres_session.md.erb +75 -0
- data/docs/resources/powershell.md.erb +116 -0
- data/docs/resources/process.md.erb +73 -0
- data/docs/resources/registry_key.md.erb +149 -0
- data/docs/resources/runit_service.md.erb +76 -0
- data/docs/resources/security_policy.md.erb +61 -0
- data/docs/resources/service.md.erb +135 -0
- data/docs/resources/ssh_config.md.erb +94 -0
- data/docs/resources/sshd_config.md.erb +97 -0
- data/docs/resources/ssl.md.erb +133 -0
- data/docs/resources/sys_info.md.erb +55 -0
- data/docs/resources/systemd_service.md.erb +76 -0
- data/docs/resources/sysv_service.md.erb +76 -0
- data/docs/resources/upstart_service.md.erb +76 -0
- data/docs/resources/user.md.erb +154 -0
- data/docs/resources/users.md.erb +140 -0
- data/docs/resources/vbscript.md.erb +69 -0
- data/docs/resources/windows_feature.md.erb +61 -0
- data/docs/resources/wmi.md.erb +95 -0
- data/docs/resources/xinetd_conf.md.erb +170 -0
- data/docs/resources/yaml.md.erb +69 -0
- data/docs/resources/yum.md.erb +103 -0
- data/docs/ruby_usage.md +154 -0
- data/docs/shared/matcher_be.md.erb +1 -0
- data/docs/shared/matcher_cmp.md.erb +45 -0
- data/docs/shared/matcher_eq.md.erb +3 -0
- data/docs/shared/matcher_include.md.erb +1 -0
- data/docs/shared/matcher_match.md.erb +1 -0
- data/lib/fetchers/url.rb +27 -29
- data/lib/inspec/cached_fetcher.rb +67 -0
- data/lib/inspec/dependencies/requirement.rb +6 -7
- data/lib/inspec/objects/each_loop.rb +5 -2
- data/lib/inspec/plugins/fetcher.rb +2 -0
- data/lib/inspec/profile.rb +9 -41
- data/lib/inspec/resource.rb +1 -1
- data/lib/inspec/rspec_json_formatter.rb +11 -5
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/groups.rb +190 -0
- data/lib/resources/users.rb +3 -2
- metadata +79 -6
- data/docs/cli.rst +0 -448
- data/docs/resources.rst +0 -4836
- data/docs/ruby_usage.rst +0 -145
- data/lib/resources/group.rb +0 -137
data/docs/ruby_usage.rst
DELETED
@@ -1,145 +0,0 @@
|
|
1
|
-
=====================================================
|
2
|
-
Using |ruby| in InSpec
|
3
|
-
=====================================================
|
4
|
-
|
5
|
-
The |inspec| DSL is a |ruby| based DSL for writing audit controls, which includes audit resources that you can invoke.
|
6
|
-
Core and custom resources are written as regular |ruby| classes which inherit from ``Inspec.resource``.
|
7
|
-
|
8
|
-
Assuming we have a |json| file like this on the node to be tested:
|
9
|
-
|
10
|
-
.. code-block:: json
|
11
|
-
|
12
|
-
{
|
13
|
-
"keys":[
|
14
|
-
{"username":"john", "key":"/opt/keys/johnd.key"},
|
15
|
-
{"username":"jane", "key":"/opt/keys/janed.key"},
|
16
|
-
{"username":"sunny ", "key":"/opt/keys/sunnym.key"}
|
17
|
-
]
|
18
|
-
}
|
19
|
-
|
20
|
-
The following example shows how you can use pure |ruby| code(variables, loops, conditionals, regular expressions, etc) to run a few tests against the above |json| file:
|
21
|
-
|
22
|
-
.. code-block:: ruby
|
23
|
-
|
24
|
-
control 'check-interns' do
|
25
|
-
# use the json inspec resource to get the file
|
26
|
-
json_obj = json('/opt/keys/interns.json')
|
27
|
-
describe json_obj do
|
28
|
-
its('keys') { should_not eq nil }
|
29
|
-
end
|
30
|
-
if json_obj['keys']
|
31
|
-
# loop over the keys array
|
32
|
-
json_obj['keys'].each do |intern|
|
33
|
-
username = intern['username'].strip
|
34
|
-
# check for white spaces chars in usernames
|
35
|
-
describe username do
|
36
|
-
it { should_not match(/\s/) }
|
37
|
-
end
|
38
|
-
# check key file owners and permissions
|
39
|
-
describe file(intern['key']) do
|
40
|
-
it { should be_owned_by username }
|
41
|
-
its('mode') { should cmp '0600' }
|
42
|
-
end
|
43
|
-
end
|
44
|
-
end
|
45
|
-
end
|
46
|
-
|
47
|
-
Execution
|
48
|
-
=====================================================
|
49
|
-
|
50
|
-
It's important to understand that |ruby| code used in custom resources and controls DSL is executed on the system that runs |inspec|. This allows |inspec| to work without |ruby| and rubygems being required on remote targets(servers or containers).
|
51
|
-
|
52
|
-
For example, using ```ls``` or ``system('ls')`` will result in the ``ls`` command being run locally and not on the target(remote) system.
|
53
|
-
In order to process the output of ``ls`` executed on the target system, use ``inspec.command('ls')`` or ``inspec.powershell('ls')``
|
54
|
-
|
55
|
-
Similarly, use ``inspec.file(PATH)`` to access files or directories from remote systems in your tests or custom resources.
|
56
|
-
|
57
|
-
Using rubygems
|
58
|
-
=====================================================
|
59
|
-
|
60
|
-
|ruby| gems are self-contained programs and libraries ...
|
61
|
-
|
62
|
-
|
63
|
-
Interactive Debugging with Pry
|
64
|
-
=====================================================
|
65
|
-
|
66
|
-
Here's a sample |inspec| control that users |ruby| variables to instantiate an |inspec| resource once and use the content in multipLe tests.
|
67
|
-
|
68
|
-
.. code-block:: ruby
|
69
|
-
|
70
|
-
control 'check-perl' do
|
71
|
-
impact 0.3
|
72
|
-
title 'Check perl compiled options and permissions'
|
73
|
-
perl_out = command('perl -V')
|
74
|
-
#require 'pry'; binding.pry;
|
75
|
-
describe perl_out do
|
76
|
-
its('exit_status') { should eq 0 }
|
77
|
-
its('stdout') { should match (/USE_64_BIT_ALL/) }
|
78
|
-
its('stdout') { should match (/useposix=true/) }
|
79
|
-
its('stdout') { should match (/-fstack-protector/) }
|
80
|
-
end
|
81
|
-
|
82
|
-
# extract an array of include directories
|
83
|
-
perl_inc = perl_out.stdout.partition('@INC:').last.strip.split("\n")
|
84
|
-
# ensure include directories are only writable by 'owner'
|
85
|
-
perl_inc.each do |path|
|
86
|
-
describe directory(path.strip) do
|
87
|
-
it { should_not be_writable.by('group') }
|
88
|
-
it { should_not be_writable.by('other') }
|
89
|
-
end
|
90
|
-
end
|
91
|
-
end
|
92
|
-
|
93
|
-
An **advanced** but very useful |ruby| tip. In the previous example, I commented out the ``require 'pry'; binding.pry;`` line. If you remove the ``#`` prefix and run the control, the execution will stop at that line and give you a ``pry`` shell. Use that to troubleshoot, print variables, see methods available, etc. For the above example:
|
94
|
-
|
95
|
-
.. code-block:: ruby
|
96
|
-
|
97
|
-
[1] pry> perl_out.exit_status
|
98
|
-
=> 0
|
99
|
-
[2] pry> perl_out.stderr
|
100
|
-
=> ""
|
101
|
-
[3] pry> ls perl_out
|
102
|
-
Inspec::Plugins::Resource#methods: inspect
|
103
|
-
Inspec::Resources::Cmd#methods: command exist? exit_status result stderr stdout to_s
|
104
|
-
Inspec::Plugins::ResourceCommon#methods: resource_skipped skip_resource
|
105
|
-
Inspec::Resource::Registry::Command#methods: inspec
|
106
|
-
instance variables: @__backend_runner__ @__resource_name__ @command @result
|
107
|
-
[4] pry> perl_out.stdout.partition('@INC:').last.strip.split("\n")
|
108
|
-
=> ["/Library/Perl/5.18/darwin-thread-multi-2level",
|
109
|
-
" /Library/Perl/5.18",
|
110
|
-
...REDACTED...
|
111
|
-
[5] pry> exit # or abort
|
112
|
-
|
113
|
-
You can use ``pry`` inside both the controls DSL and resources.
|
114
|
-
Similarly, for dev and test, you can use ``inspec shell`` which is based on ``pry``, for example:
|
115
|
-
|
116
|
-
.. code-block:: ruby
|
117
|
-
|
118
|
-
$ inspec shell
|
119
|
-
Welcome to the interactive InSpec Shell
|
120
|
-
To find out how to use it, type: help
|
121
|
-
|
122
|
-
inspec> command('ls /home/gordon/git/inspec/docs').stdout
|
123
|
-
=> "ctl_inspec.rst\ndsl_inspec.rst\ndsl_resource.rst\n"
|
124
|
-
inspec> command('ls').stdout.split("\n")
|
125
|
-
=> ["ctl_inspec.rst", "dsl_inspec.rst", "dsl_resource.rst"]
|
126
|
-
|
127
|
-
inspec> help command
|
128
|
-
Name: command
|
129
|
-
|
130
|
-
Description:
|
131
|
-
Use the command InSpec audit resource to test an arbitrary command that is run on the system.
|
132
|
-
|
133
|
-
Example:
|
134
|
-
describe command('ls -al /') do
|
135
|
-
it { should exist }
|
136
|
-
its('stdout') { should match /bin/ }
|
137
|
-
its('stderr') { should eq '' }
|
138
|
-
its('exit_status') { should eq 0 }
|
139
|
-
end
|
140
|
-
|
141
|
-
.. |inspec| replace:: InSpec
|
142
|
-
.. |chef compliance| replace:: Chef Compliance
|
143
|
-
.. |ruby| replace:: Ruby
|
144
|
-
.. |csv| replace:: CSV
|
145
|
-
.. |json| replace:: JSON
|
data/lib/resources/group.rb
DELETED
@@ -1,137 +0,0 @@
|
|
1
|
-
# encoding: utf-8
|
2
|
-
# author: Christoph Hartmann
|
3
|
-
# author: Dominik Richter
|
4
|
-
|
5
|
-
# Usage:
|
6
|
-
# describe group('root') do
|
7
|
-
# it { should exist }
|
8
|
-
# its('gid') { should eq 0 }
|
9
|
-
# end
|
10
|
-
#
|
11
|
-
# deprecated has matcher
|
12
|
-
# describe group('root') do
|
13
|
-
# it { should have_gid 0 }
|
14
|
-
# end
|
15
|
-
|
16
|
-
module Inspec::Resources
|
17
|
-
class Group < Inspec.resource(1)
|
18
|
-
name 'group'
|
19
|
-
desc 'Use the group InSpec audit resource to test groups on the system.'
|
20
|
-
example "
|
21
|
-
describe group('root') do
|
22
|
-
it { should exist }
|
23
|
-
its('gid') { should eq 0 }
|
24
|
-
end
|
25
|
-
"
|
26
|
-
|
27
|
-
def initialize(groupname, domain = nil)
|
28
|
-
@group = groupname.downcase
|
29
|
-
@domain = domain
|
30
|
-
@domain = @domain.downcase unless @domain.nil?
|
31
|
-
|
32
|
-
@cache = nil
|
33
|
-
|
34
|
-
# select group manager
|
35
|
-
@group_provider = nil
|
36
|
-
if inspec.os.unix?
|
37
|
-
@group_provider = UnixGroup.new(inspec)
|
38
|
-
elsif inspec.os.windows?
|
39
|
-
@group_provider = WindowsGroup.new(inspec)
|
40
|
-
else
|
41
|
-
return skip_resource 'The `group` resource is not supported on your OS yet.'
|
42
|
-
end
|
43
|
-
end
|
44
|
-
|
45
|
-
# verifies if a group exists
|
46
|
-
def exists?
|
47
|
-
# ensure that we found one group
|
48
|
-
!group_info.nil? && group_info.size > 0
|
49
|
-
end
|
50
|
-
|
51
|
-
def gid
|
52
|
-
return nil if group_info.nil? || group_info.size == 0
|
53
|
-
|
54
|
-
# the default case should be one group
|
55
|
-
return group_info[0][:gid] if group_info.size == 1
|
56
|
-
|
57
|
-
# return array if we got multiple gids
|
58
|
-
group_info.map { |grp| grp[:gid] }
|
59
|
-
end
|
60
|
-
|
61
|
-
# implements rspec has matcher, to be compatible with serverspec
|
62
|
-
def has_gid?(compare_gid)
|
63
|
-
gid == compare_gid
|
64
|
-
end
|
65
|
-
|
66
|
-
def local
|
67
|
-
return nil if group_info.nil? || group_info.size == 0
|
68
|
-
|
69
|
-
# the default case should be one group
|
70
|
-
return group_info[0][:local] if group_info.size == 1
|
71
|
-
|
72
|
-
# return array if we got multiple gids
|
73
|
-
group_info.map { |grp| grp[:local] }
|
74
|
-
end
|
75
|
-
|
76
|
-
def to_s
|
77
|
-
"Group #{@group}"
|
78
|
-
end
|
79
|
-
|
80
|
-
private
|
81
|
-
|
82
|
-
def group_info
|
83
|
-
return @cache if !@cache.nil?
|
84
|
-
@cache = @group_provider.group_info(@group, @domain) if !@group_provider.nil?
|
85
|
-
end
|
86
|
-
end
|
87
|
-
|
88
|
-
class GroupInfo
|
89
|
-
attr_reader :inspec
|
90
|
-
def initialize(inspec)
|
91
|
-
@inspec = inspec
|
92
|
-
end
|
93
|
-
end
|
94
|
-
|
95
|
-
# implements generic unix groups via /etc/group
|
96
|
-
class UnixGroup < GroupInfo
|
97
|
-
def group_info(group, _domain = nil)
|
98
|
-
inspec.etc_group.where(name: group).entries.map { |grp|
|
99
|
-
{
|
100
|
-
name: grp['name'],
|
101
|
-
gid: grp['gid'],
|
102
|
-
}
|
103
|
-
}
|
104
|
-
end
|
105
|
-
end
|
106
|
-
|
107
|
-
class WindowsGroup < GroupInfo
|
108
|
-
def group_info(compare_group, compare_domain = nil)
|
109
|
-
cmd = inspec.command('Get-WmiObject Win32_Group | Select-Object -Property Caption, Domain, Name, SID, LocalAccount | ConvertTo-Json')
|
110
|
-
|
111
|
-
# cannot rely on exit code for now, successful command returns exit code 1
|
112
|
-
# return nil if cmd.exit_status != 0, try to parse json
|
113
|
-
begin
|
114
|
-
groups = JSON.parse(cmd.stdout)
|
115
|
-
rescue JSON::ParserError => _e
|
116
|
-
return nil
|
117
|
-
end
|
118
|
-
|
119
|
-
# ensure we have an array of groups
|
120
|
-
groups = [groups] if !groups.is_a?(Array)
|
121
|
-
|
122
|
-
# reduce list
|
123
|
-
groups.each_with_object([]) do |grp, grp_collection|
|
124
|
-
# map object
|
125
|
-
grp_info = {
|
126
|
-
name: grp['Name'],
|
127
|
-
domain: grp['Domain'],
|
128
|
-
caption: grp['Caption'],
|
129
|
-
gid: nil,
|
130
|
-
sid: grp['SID'],
|
131
|
-
local: grp['LocalAccount'],
|
132
|
-
}
|
133
|
-
return grp_collection.push(grp_info) if grp_info[:name].casecmp(compare_group) == 0 && (compare_domain.nil? || grp_info[:domain].casecmp(compare_domain) == 0)
|
134
|
-
end
|
135
|
-
end
|
136
|
-
end
|
137
|
-
end
|