inspec 1.0.0 → 1.1.0

Files changed (82) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +46 -3
  3. data/Gemfile +4 -1
  4. data/README.md +3 -0
  5. data/docs/dsl_inspec.md +3 -3
  6. data/docs/profiles.md +17 -0
  7. data/docs/resources/apache_conf.md.erb +10 -10
  8. data/docs/resources/apt.md.erb +13 -13
  9. data/docs/resources/audit_policy.md.erb +10 -10
  10. data/docs/resources/auditd_conf.md.erb +10 -10
  11. data/docs/resources/auditd_rules.md.erb +11 -11
  12. data/docs/resources/bash.md.erb +12 -12
  13. data/docs/resources/bond.md.erb +15 -15
  14. data/docs/resources/bridge.md.erb +11 -11
  15. data/docs/resources/bsd_service.md.erb +11 -11
  16. data/docs/resources/command.md.erb +21 -21
  17. data/docs/resources/csv.md.erb +10 -10
  18. data/docs/resources/directory.md.erb +8 -8
  19. data/docs/resources/etc_group.md.erb +16 -16
  20. data/docs/resources/etc_passwd.md.erb +17 -17
  21. data/docs/resources/etc_shadow.md.erb +19 -19
  22. data/docs/resources/file.md.erb +58 -58
  23. data/docs/resources/gem.md.erb +12 -12
  24. data/docs/resources/group.md.erb +12 -12
  25. data/docs/resources/grub_conf.md.erb +11 -11
  26. data/docs/resources/host.md.erb +13 -13
  27. data/docs/resources/iis_site.md.erb +16 -16
  28. data/docs/resources/inetd_conf.md.erb +10 -10
  29. data/docs/resources/ini.md.erb +9 -9
  30. data/docs/resources/interface.md.erb +11 -11
  31. data/docs/resources/iptables.md.erb +11 -11
  32. data/docs/resources/json.md.erb +10 -10
  33. data/docs/resources/kernel_module.md.erb +10 -10
  34. data/docs/resources/kernel_parameter.md.erb +12 -12
  35. data/docs/resources/launchd_service.md.erb +11 -11
  36. data/docs/resources/limits_conf.md.erb +10 -10
  37. data/docs/resources/login_def.md.erb +12 -12
  38. data/docs/resources/mount.md.erb +13 -13
  39. data/docs/resources/mysql_conf.md.erb +14 -14
  40. data/docs/resources/mysql_session.md.erb +10 -10
  41. data/docs/resources/npm.md.erb +12 -12
  42. data/docs/resources/ntp_conf.md.erb +9 -9
  43. data/docs/resources/oneget.md.erb +11 -11
  44. data/docs/resources/os.md.erb +13 -13
  45. data/docs/resources/os_env.md.erb +12 -12
  46. data/docs/resources/package.md.erb +15 -15
  47. data/docs/resources/parse_config.md.erb +13 -13
  48. data/docs/resources/parse_config_file.md.erb +22 -16
  49. data/docs/resources/pip.md.erb +12 -12
  50. data/docs/resources/port.md.erb +18 -18
  51. data/docs/resources/postgres_conf.md.erb +13 -13
  52. data/docs/resources/postgres_session.md.erb +11 -11
  53. data/docs/resources/powershell.md.erb +13 -13
  54. data/docs/resources/process.md.erb +12 -12
  55. data/docs/resources/registry_key.md.erb +17 -17
  56. data/docs/resources/runit_service.md.erb +11 -11
  57. data/docs/resources/security_policy.md.erb +10 -10
  58. data/docs/resources/service.md.erb +17 -17
  59. data/docs/resources/ssh_config.md.erb +13 -13
  60. data/docs/resources/sshd_config.md.erb +14 -14
  61. data/docs/resources/ssl.md.erb +12 -12
  62. data/docs/resources/sys_info.md.erb +10 -10
  63. data/docs/resources/systemd_service.md.erb +11 -11
  64. data/docs/resources/sysv_service.md.erb +11 -11
  65. data/docs/resources/upstart_service.md.erb +11 -11
  66. data/docs/resources/user.md.erb +20 -20
  67. data/docs/resources/users.md.erb +19 -19
  68. data/docs/resources/vbscript.md.erb +9 -9
  69. data/docs/resources/windows_feature.md.erb +10 -10
  70. data/docs/resources/wmi.md.erb +10 -10
  71. data/docs/resources/xinetd_conf.md.erb +17 -17
  72. data/docs/resources/yaml.md.erb +10 -10
  73. data/docs/resources/yum.md.erb +16 -16
  74. data/examples/meta-profile/README.md +0 -5
  75. data/lib/inspec/base_cli.rb +6 -0
  76. data/lib/inspec/cli.rb +10 -3
  77. data/lib/inspec/profile.rb +3 -3
  78. data/lib/inspec/rspec_json_formatter.rb +24 -15
  79. data/lib/inspec/version.rb +1 -1
  80. data/lib/resources/registry_key.rb +15 -5
  81. data/lib/utils/filter.rb +1 -0
  82. metadata +3 -4
@@ -6,7 +6,7 @@ title: About the yum Resource
6
6
 
7
7
  Use the `yum` InSpec audit resource to test packages in the Yum repository.
8
8
 
9
- # Syntax
9
+ ## Syntax
10
10
 
11
11
  A `yum` resource block declares a package repo, tests if the package repository is present, and if it that package repository is a valid package source (i.e. "is enabled"):
12
12
 
@@ -19,43 +19,43 @@ where
19
19
 
20
20
  * `repo('name')` is the (optional) name of a package repo, using either a full identifier (`'updates/7/x86_64'`) or a short identifier (`'updates'`)
21
21
 
22
- # Matchers
22
+ ## Matchers
23
23
 
24
24
  This InSpec audit resource has the following matchers:
25
25
 
26
- ## be
26
+ ### be
27
27
 
28
28
  <%= partial "/shared/matcher_be" %>
29
29
 
30
- ## be_enabled
30
+ ### be_enabled
31
31
 
32
32
  The `be_enabled` matcher tests if the package repository is a valid package source:
33
33
 
34
34
  it { should be_enabled }
35
35
 
36
- ## cmp
36
+ ### cmp
37
37
 
38
38
  <%= partial "/shared/matcher_cmp" %>
39
39
 
40
- ## eq
40
+ ### eq
41
41
 
42
42
  <%= partial "/shared/matcher_eq" %>
43
43
 
44
- ## exist
44
+ ### exist
45
45
 
46
46
  The `exist` matcher tests if the package repository exists:
47
47
 
48
48
  it { should exist }
49
49
 
50
- ## include
50
+ ### include
51
51
 
52
52
  <%= partial "/shared/matcher_include" %>
53
53
 
54
- ## match
54
+ ### match
55
55
 
56
56
  <%= partial "/shared/matcher_match" %>
57
57
 
58
- ## repo('name')
58
+ ### repo('name')
59
59
 
60
60
  The `repo('name')` matcher names a specific package repository:
61
61
 
@@ -63,13 +63,13 @@ The `repo('name')` matcher names a specific package repository:
63
63
  ...
64
64
  end
65
65
 
66
- ## repos
66
+ ### repos
67
67
 
68
68
  The `repos` matcher tests if a named repo, using either a full identifier (`'updates/7/x86_64'`) or a short identifier (`'updates'`), is included in the Yum repo:
69
69
 
70
70
  its('repos') { should include 'some_repo' }
71
71
 
72
- ## shortname
72
+ ### shortname
73
73
 
74
74
  The `shortname` matcher names a specific package repository's group identifier. For example, if a repository's group name is "Directory Server", the corresponding group idenfier is typically "directory-server":
75
75
 
@@ -77,17 +77,17 @@ The `shortname` matcher names a specific package repository's group identifier.
77
77
  its('shortname') { should eq 'directory-server' }
78
78
  end
79
79
 
80
- # Examples
80
+ ## Examples
81
81
 
82
82
  The following examples show how to use this InSpec audit resource.
83
83
 
84
- ## Test if the yum repo exists
84
+ ### Test if the yum repo exists
85
85
 
86
86
  describe yum do
87
87
  its('repos') { should exist }
88
88
  end
89
89
 
90
- ## Test if the 'base/7/x86_64' repo exists and is enabled
90
+ ### Test if the 'base/7/x86_64' repo exists and is enabled
91
91
 
92
92
  describe yum do
93
93
  its('repos') { should include 'base/7/x86_64' }
@@ -95,7 +95,7 @@ The following examples show how to use this InSpec audit resource.
95
95
  its('epel') { should be_enabled }
96
96
  end
97
97
 
98
- ## Test if a specific yum repo exists
98
+ ### Test if a specific yum repo exists
99
99
 
100
100
  describe yum.repo('epel') do
101
101
  it { should exist }
@@ -4,8 +4,3 @@ The inspec.yml file in this profile shows how one can use dependencies
4
4
  from non-local sources such as Git or an HTTP url. This feature can
5
5
  be used to build up a environment-wide profile that is based on more
6
6
  specific profiles managed by others.
7
-
8
- # WARNING
9
-
10
- This profile likely does not work yet. It exists as a target for
11
- ongoing development work.
@@ -32,6 +32,12 @@ module Inspec
32
32
  desc: 'Additional sudo options for a remote scan.'
33
33
  option :sudo_command, type: :string,
34
34
  desc: 'Alternate command for sudo.'
35
+ option :shell, type: :boolean,
36
+ desc: 'Run scans in a subshell. Only activates on Unix.'
37
+ option :shell_options, type: :string,
38
+ desc: 'Additional shell options.'
39
+ option :shell_command, type: :string,
40
+ desc: 'Specify a particular shell to use.'
35
41
  option :ssl, type: :boolean,
36
42
  desc: 'Use SSL for transport layer encryption (WinRM).'
37
43
  option :self_signed, type: :boolean,
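Review bot: The three new options at new lines 35-40 do not say how they depend on each other; `--shell-options` and `--shell-command` are presumably ignored unless `--shell` is given, and the `desc` strings should state that, e.g. `desc: 'Specify a particular shell to use (requires --shell).'`. Both are free-form strings that presumably end up in the command line executed on the scanned host; the consumer is not visible in this hunk, so it is worth confirming that the transport quotes them rather than interpolating them raw. The option list continues outside the hunk.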
@@ -34,6 +34,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
34
34
  diagnose
35
35
  o = opts.dup
36
36
  o[:ignore_supports] = true
37
+ o[:backend] = Inspec::Backend.create(target: 'mock://')
37
38
 
38
39
  profile = Inspec::Profile.for_target(target, o)
39
40
  dst = o[:output].to_s
@@ -60,6 +61,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
60
61
  o = opts.dup
61
62
  # configure_logger(o) # we do not need a logger for check yet
62
63
  o[:ignore_supports] = true # we check for integrity only
64
+ o[:backend] = Inspec::Backend.create(target: 'mock://')
63
65
 
64
66
  # run check
65
67
  profile = Inspec::Profile.for_target(path, o)
@@ -105,8 +107,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
105
107
 
106
108
  desc 'vendor', 'Download all dependencies and generate a lockfile'
107
109
  def vendor(path = nil)
108
- configure_logger(opts)
109
- profile = Inspec::Profile.for_target('./', opts.merge(cache: Inspec::Cache.new(path)))
110
+ o = opts.dup
111
+ o[:cache] = Inspec::Cache.new(path)
112
+ o[:backend] = Inspec::Backend.create(target: 'mock://')
113
+ configure_logger(o)
114
+
115
+ profile = Inspec::Profile.for_target('./', o)
110
116
  lockfile = profile.generate_lockfile
111
117
  File.write('inspec.lock', lockfile.to_yaml)
112
118
  rescue StandardError => e
@@ -131,12 +137,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
131
137
  o = opts.dup
132
138
  o[:logger] = Logger.new(STDOUT)
133
139
  o[:logger].level = get_log_level(o.log_level)
140
+ o[:backend] = Inspec::Backend.create(target: 'mock://')
134
141
 
135
142
  profile = Inspec::Profile.for_target(path, o)
136
143
  result = profile.check
137
144
 
138
145
  if result && !opts[:ignore_errors] == false
139
- @logger.info 'Profile check failed. Please fix the profile before generating an archive.'
146
+ o[:logger].info 'Profile check failed. Please fix the profile before generating an archive.'
140
147
  return exit 1
141
148
  end
142
149
 
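Review bot: The guard at new line 145, `if result && !opts[:ignore_errors] == false`, still looks inverted even though this commit repairs the logger call inside it. `!` binds tighter than `==`, so the branch is taken only when `ignore_errors` is set, and without that flag the archive is presumably still generated for a profile that failed `profile.check`. The condition should test the check outcome together with `!o[:ignore_errors]`; the shape of `result` is not visible here, so the exact expression needs confirming against `Profile#check`. Separately, `o[:backend] = Inspec::Backend.create(target: 'mock://')` is now repeated in four commands (new lines 37, 64, 112, 140) and would read better as one private helper with a comment saying that these commands must never connect to a real target. The command bodies start and end outside the hunks.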
@@ -64,9 +64,9 @@ module Inspec
64
64
  @tests_collected = false
65
65
  @libraries_loaded = false
66
66
  Metadata.finalize(@source_reader.metadata, @profile_id)
67
- @runner_context = options[:profile_context] || Inspec::ProfileContext.for_profile(self,
68
- @backend,
69
- options[:attributes])
67
+ @runner_context =
68
+ options[:profile_context] ||
69
+ Inspec::ProfileContext.for_profile(self, @backend, options[:attributes])
70
70
  end
71
71
 
72
72
  def name
@@ -287,6 +287,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
287
287
  @missing_controls = []
288
288
  @anonymous_tests = []
289
289
  @control_tests = []
290
+ @profile_printed = false
290
291
  super(*args)
291
292
  end
292
293
 
@@ -296,17 +297,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
296
297
  print_tests
297
298
  output.puts('')
298
299
 
299
- @profiles_info.each do |profile|
300
- next if profile[:already_printed]
301
- @current_profile = profile
302
- next unless print_current_profile
303
- print_line(
304
- color: '', indicator: @indicators['empty'], id: '', profile: '',
305
- summary: 'No tests executed.'
306
- ) if @current_control.nil?
307
- output.puts('')
308
- end
309
-
300
+ print_profiles_info if !@profile_printed
310
301
  controls_res = controls_summary
311
302
  tests_res = tests_summary
312
303
 
@@ -463,9 +454,8 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
463
454
  def flush_current_control
464
455
  return if @current_control.nil?
465
456
 
466
- prev_profile = @current_profile
467
457
  @current_profile = @profiles_info.find { |i| i[:id] == @current_control[:profile_id] }
468
- print_current_profile if prev_profile != @current_profile
458
+ print_current_profile if !@profile_printed
469
459
 
470
460
  fails, skips, passes, summary_indicator = current_control_infos
471
461
  summary = current_control_summary(fails, skips)
@@ -495,14 +485,32 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
495
485
  output.puts(before + connection.uri + after)
496
486
  end
497
487
 
488
+ def print_profiles_info
489
+ @profiles_info.each do |profile|
490
+ next if profile[:already_printed]
491
+ @current_profile = profile
492
+ next unless print_current_profile
493
+ print_line(
494
+ color: '', indicator: @indicators['empty'], id: '', profile: '',
495
+ summary: 'No tests executed.'
496
+ ) if @current_control.nil?
497
+ output.puts('')
498
+ end
499
+ end
500
+
498
501
  def print_current_profile
499
502
  profile = @current_profile
500
- return false if profile.nil?
501
-
503
+ if profile.nil?
504
+ print_profiles_info
505
+ @profile_printed = true
506
+ return true
507
+ end
502
508
  output.puts ''
503
509
  profile[:already_printed] = true
510
+
504
511
  if profile[:name].nil?
505
512
  print_target('Target: ', "\n\n")
513
+ @profile_printed = true
506
514
  return true
507
515
  end
508
516
 
@@ -515,6 +523,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
515
523
  output.puts 'Version: ' + (profile[:version] || 'unknown')
516
524
  print_target('Target: ', "\n")
517
525
  output.puts
526
+ @profile_printed = true
518
527
  true
519
528
  end
520
529
 
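Review bot: `@profile_printed` is a single flag for the whole run, so in `flush_current_control` (new line 458) the profile header is printed for the first profile only, whereas the removed `prev_profile != @current_profile` comparison printed it again whenever a control belonged to a different profile. With more than one entry in `@profiles_info`, controls of later profiles would presumably be listed under the first profile's header, and the `print_profiles_info if !@profile_printed` call at new line 300 is skipped, so profiles with no executed tests lose their 'No tests executed.' line. Keying on the per-profile marker that `print_current_profile` already sets at new line 509 would keep both behaviours, e.g. `print_current_profile unless @current_profile && @current_profile[:already_printed]`. The `if !@profile_printed` modifiers would also read more naturally as `unless @profile_printed`.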
@@ -4,5 +4,5 @@
4
4
  # author: Christoph Hartmann
5
5
 
6
6
  module Inspec
7
- VERSION = '1.0.0'.freeze
7
+ VERSION = '1.1.0'.freeze
8
8
  end
@@ -147,6 +147,11 @@ module Inspec::Resources
147
147
  script = <<-EOH
148
148
  Function InSpec-GetRegistryKey($path) {
149
149
  $reg = Get-Item ('Registry::' + $path)
150
+ if ($reg -eq $null) {
151
+ Write-Error "InSpec: Failed to find registry key"
152
+ exit 1001
153
+ }
154
+
150
155
  $properties = New-Object -Type PSObject
151
156
  $reg.Property | ForEach-Object {
152
157
  $key = $_
@@ -167,11 +172,16 @@ module Inspec::Resources
167
172
  # cannot rely on exit code for now, successful command returns exit code 1
168
173
  # return nil if cmd.exit_status != 0, try to parse json
169
174
  begin
170
- @registry_cache = JSON.parse(cmd.stdout)
171
- # convert keys to lower case
172
- @registry_cache = Hash[@registry_cache.map do |key, value|
173
- [key.downcase, value]
174
- end]
175
+ if cmd.exit_status == 1001 && cmd.stderr =~ /InSpec: Failed to find registry key/
176
+ # TODO: provide the stderr output
177
+ @registry_cache = nil
178
+ else
179
+ @registry_cache = JSON.parse(cmd.stdout)
180
+ # convert keys to lower case
181
+ @registry_cache = Hash[@registry_cache.map do |key, value|
182
+ [key.downcase, value]
183
+ end]
184
+ end
175
185
  rescue JSON::ParserError => _e
176
186
  @registry_cache = nil
177
187
  end
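Review bot: A key that exists but cannot be read is reported the same way as a key that is absent. `Get-Item` presumably also yields `$null` on an access-denied error, the script then exits 1001 with "Failed to find registry key", and the Ruby side sets `@registry_cache = nil` both in the new branch (new line 177) and in the `rescue`. For an audit resource this means a negative existence check can pass merely because the scan account lacks rights, so the stderr text named in the TODO should be kept and surfaced in the resource's failure message rather than dropped. The context comment at new lines 172-173 still says the exit code cannot be relied on, which the new `cmd.exit_status == 1001` test contradicts; it could be reworded as `# exit code 1001 is set by our script; other exit codes are unreliable`. The enclosing method and the script heredoc extend outside these hunks.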
@@ -44,6 +44,7 @@ module FilterTable
44
44
  def initialize(resource, params, filters)
45
45
  @resource = resource
46
46
  @params = params
47
+ @params = [] if @params.nil?
47
48
  @filters = filters
48
49
  end
49
50
 
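Review bot: The nil guard at new line 47 reassigns `@params` on the line right after it is set; `@params = params || []` states the default in one statement. The hunk does not show which caller passes `nil`, so a short comment naming that case would help the next reader decide whether the default belongs here or at the call site.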
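--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: inspec
  version: !ruby/object:Gem::Version
- version: 1.0.0
+ version: 1.1.0
  platform: ruby
  authors:
  - Dominik Richter
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2016-09-26 00:00:00.000000000 Z
+ date: 2016-10-05 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: train
@@ -530,9 +530,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  version: '0'
  requirements: []
  rubyforge_project:
- rubygems_version: 2.4.6
+ rubygems_version: 2.5.1
  signing_key:
  specification_version: 4
  summary: Infrastructure and compliance testing.
  test_files: []
- has_rdoc: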