inspec 1.0.0 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +46 -3
- data/Gemfile +4 -1
- data/README.md +3 -0
- data/docs/dsl_inspec.md +3 -3
- data/docs/profiles.md +17 -0
- data/docs/resources/apache_conf.md.erb +10 -10
- data/docs/resources/apt.md.erb +13 -13
- data/docs/resources/audit_policy.md.erb +10 -10
- data/docs/resources/auditd_conf.md.erb +10 -10
- data/docs/resources/auditd_rules.md.erb +11 -11
- data/docs/resources/bash.md.erb +12 -12
- data/docs/resources/bond.md.erb +15 -15
- data/docs/resources/bridge.md.erb +11 -11
- data/docs/resources/bsd_service.md.erb +11 -11
- data/docs/resources/command.md.erb +21 -21
- data/docs/resources/csv.md.erb +10 -10
- data/docs/resources/directory.md.erb +8 -8
- data/docs/resources/etc_group.md.erb +16 -16
- data/docs/resources/etc_passwd.md.erb +17 -17
- data/docs/resources/etc_shadow.md.erb +19 -19
- data/docs/resources/file.md.erb +58 -58
- data/docs/resources/gem.md.erb +12 -12
- data/docs/resources/group.md.erb +12 -12
- data/docs/resources/grub_conf.md.erb +11 -11
- data/docs/resources/host.md.erb +13 -13
- data/docs/resources/iis_site.md.erb +16 -16
- data/docs/resources/inetd_conf.md.erb +10 -10
- data/docs/resources/ini.md.erb +9 -9
- data/docs/resources/interface.md.erb +11 -11
- data/docs/resources/iptables.md.erb +11 -11
- data/docs/resources/json.md.erb +10 -10
- data/docs/resources/kernel_module.md.erb +10 -10
- data/docs/resources/kernel_parameter.md.erb +12 -12
- data/docs/resources/launchd_service.md.erb +11 -11
- data/docs/resources/limits_conf.md.erb +10 -10
- data/docs/resources/login_def.md.erb +12 -12
- data/docs/resources/mount.md.erb +13 -13
- data/docs/resources/mysql_conf.md.erb +14 -14
- data/docs/resources/mysql_session.md.erb +10 -10
- data/docs/resources/npm.md.erb +12 -12
- data/docs/resources/ntp_conf.md.erb +9 -9
- data/docs/resources/oneget.md.erb +11 -11
- data/docs/resources/os.md.erb +13 -13
- data/docs/resources/os_env.md.erb +12 -12
- data/docs/resources/package.md.erb +15 -15
- data/docs/resources/parse_config.md.erb +13 -13
- data/docs/resources/parse_config_file.md.erb +22 -16
- data/docs/resources/pip.md.erb +12 -12
- data/docs/resources/port.md.erb +18 -18
- data/docs/resources/postgres_conf.md.erb +13 -13
- data/docs/resources/postgres_session.md.erb +11 -11
- data/docs/resources/powershell.md.erb +13 -13
- data/docs/resources/process.md.erb +12 -12
- data/docs/resources/registry_key.md.erb +17 -17
- data/docs/resources/runit_service.md.erb +11 -11
- data/docs/resources/security_policy.md.erb +10 -10
- data/docs/resources/service.md.erb +17 -17
- data/docs/resources/ssh_config.md.erb +13 -13
- data/docs/resources/sshd_config.md.erb +14 -14
- data/docs/resources/ssl.md.erb +12 -12
- data/docs/resources/sys_info.md.erb +10 -10
- data/docs/resources/systemd_service.md.erb +11 -11
- data/docs/resources/sysv_service.md.erb +11 -11
- data/docs/resources/upstart_service.md.erb +11 -11
- data/docs/resources/user.md.erb +20 -20
- data/docs/resources/users.md.erb +19 -19
- data/docs/resources/vbscript.md.erb +9 -9
- data/docs/resources/windows_feature.md.erb +10 -10
- data/docs/resources/wmi.md.erb +10 -10
- data/docs/resources/xinetd_conf.md.erb +17 -17
- data/docs/resources/yaml.md.erb +10 -10
- data/docs/resources/yum.md.erb +16 -16
- data/examples/meta-profile/README.md +0 -5
- data/lib/inspec/base_cli.rb +6 -0
- data/lib/inspec/cli.rb +10 -3
- data/lib/inspec/profile.rb +3 -3
- data/lib/inspec/rspec_json_formatter.rb +24 -15
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/registry_key.rb +15 -5
- data/lib/utils/filter.rb +1 -0
- metadata +3 -4
data/docs/resources/yum.md.erb
CHANGED
@@ -6,7 +6,7 @@ title: About the yum Resource
|
|
6
6
|
|
7
7
|
Use the `yum` InSpec audit resource to test packages in the Yum repository.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `yum` resource block declares a package repo, tests if the package repository is present, and if it that package repository is a valid package source (i.e. "is enabled"):
|
12
12
|
|
@@ -19,43 +19,43 @@ where
|
|
19
19
|
|
20
20
|
* `repo('name')` is the (optional) name of a package repo, using either a full identifier (`'updates/7/x86_64'`) or a short identifier (`'updates'`)
|
21
21
|
|
22
|
-
|
22
|
+
## Matchers
|
23
23
|
|
24
24
|
This InSpec audit resource has the following matchers:
|
25
25
|
|
26
|
-
|
26
|
+
### be
|
27
27
|
|
28
28
|
<%= partial "/shared/matcher_be" %>
|
29
29
|
|
30
|
-
|
30
|
+
### be_enabled
|
31
31
|
|
32
32
|
The `be_enabled` matcher tests if the package repository is a valid package source:
|
33
33
|
|
34
34
|
it { should be_enabled }
|
35
35
|
|
36
|
-
|
36
|
+
### cmp
|
37
37
|
|
38
38
|
<%= partial "/shared/matcher_cmp" %>
|
39
39
|
|
40
|
-
|
40
|
+
### eq
|
41
41
|
|
42
42
|
<%= partial "/shared/matcher_eq" %>
|
43
43
|
|
44
|
-
|
44
|
+
### exist
|
45
45
|
|
46
46
|
The `exist` matcher tests if the package repository exists:
|
47
47
|
|
48
48
|
it { should exist }
|
49
49
|
|
50
|
-
|
50
|
+
### include
|
51
51
|
|
52
52
|
<%= partial "/shared/matcher_include" %>
|
53
53
|
|
54
|
-
|
54
|
+
### match
|
55
55
|
|
56
56
|
<%= partial "/shared/matcher_match" %>
|
57
57
|
|
58
|
-
|
58
|
+
### repo('name')
|
59
59
|
|
60
60
|
The `repo('name')` matcher names a specific package repository:
|
61
61
|
|
@@ -63,13 +63,13 @@ The `repo('name')` matcher names a specific package repository:
|
|
63
63
|
...
|
64
64
|
end
|
65
65
|
|
66
|
-
|
66
|
+
### repos
|
67
67
|
|
68
68
|
The `repos` matcher tests if a named repo, using either a full identifier (`'updates/7/x86_64'`) or a short identifier (`'updates'`), is included in the Yum repo:
|
69
69
|
|
70
70
|
its('repos') { should include 'some_repo' }
|
71
71
|
|
72
|
-
|
72
|
+
### shortname
|
73
73
|
|
74
74
|
The `shortname` matcher names a specific package repository's group identifier. For example, if a repository's group name is "Directory Server", the corresponding group idenfier is typically "directory-server":
|
75
75
|
|
@@ -77,17 +77,17 @@ The `shortname` matcher names a specific package repository's group identifier.
|
|
77
77
|
its('shortname') { should eq 'directory-server' }
|
78
78
|
end
|
79
79
|
|
80
|
-
|
80
|
+
## Examples
|
81
81
|
|
82
82
|
The following examples show how to use this InSpec audit resource.
|
83
83
|
|
84
|
-
|
84
|
+
### Test if the yum repo exists
|
85
85
|
|
86
86
|
describe yum do
|
87
87
|
its('repos') { should exist }
|
88
88
|
end
|
89
89
|
|
90
|
-
|
90
|
+
### Test if the 'base/7/x86_64' repo exists and is enabled
|
91
91
|
|
92
92
|
describe yum do
|
93
93
|
its('repos') { should include 'base/7/x86_64' }
|
@@ -95,7 +95,7 @@ The following examples show how to use this InSpec audit resource.
|
|
95
95
|
its('epel') { should be_enabled }
|
96
96
|
end
|
97
97
|
|
98
|
-
|
98
|
+
### Test if a specific yum repo exists
|
99
99
|
|
100
100
|
describe yum.repo('epel') do
|
101
101
|
it { should exist }
|
@@ -4,8 +4,3 @@ The inspec.yml file in this profile shows how one can use dependencies
|
|
4
4
|
from non-local sources such as Git or an HTTP url. This feature can
|
5
5
|
be used to build up a environment-wide profile that is based on more
|
6
6
|
specific profiles managed by others.
|
7
|
-
|
8
|
-
# WARNING
|
9
|
-
|
10
|
-
This profile likely does not work yet. It exists as a target for
|
11
|
-
ongoing development work.
|
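--- a/data/lib/inspec/base_cli.rb
+++ b/data/lib/inspec/base_cli.rb
@@ -32,6 +32,12 @@ module Inspec
 desc: 'Additional sudo options for a remote scan.'
 option :sudo_command, type: :string,
 desc: 'Alternate command for sudo.'
+option :shell, type: :boolean,
+desc: 'Run scans in a subshell. Only activates on Unix.'
+option :shell_options, type: :string,
+desc: 'Additional shell options.'
+option :shell_command, type: :string,
+desc: 'Specify a particular shell to use.'
 option :ssl, type: :boolean,
 desc: 'Use SSL for transport layer encryption (WinRM).'
 option :self_signed, type: :boolean,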
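Review bot: The help text on the three new options (new lines 35–40) explains `shell` but not how `shell_options` and `shell_command` relate to it or where their values go; presumably both are only honoured together with `--shell` and are handed to the transport when it builds the command it runs on the target, in which case the descriptions should say so, e.g. `desc: 'Additional shell options (used with --shell).'` and `desc: 'Specify a particular shell to use (used with --shell).'`. Since `shell_command` names something that will be executed on the scanned host, the desc is also the place to say whether the value is used verbatim, so operators know to treat it like any other command path in their config rather than a free-form string. The option list belongs to a class whose definition starts and ends outside this hunk.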
data/lib/inspec/cli.rb
CHANGED
@@ -34,6 +34,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
|
|
34
34
|
diagnose
|
35
35
|
o = opts.dup
|
36
36
|
o[:ignore_supports] = true
|
37
|
+
o[:backend] = Inspec::Backend.create(target: 'mock://')
|
37
38
|
|
38
39
|
profile = Inspec::Profile.for_target(target, o)
|
39
40
|
dst = o[:output].to_s
|
@@ -60,6 +61,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
|
|
60
61
|
o = opts.dup
|
61
62
|
# configure_logger(o) # we do not need a logger for check yet
|
62
63
|
o[:ignore_supports] = true # we check for integrity only
|
64
|
+
o[:backend] = Inspec::Backend.create(target: 'mock://')
|
63
65
|
|
64
66
|
# run check
|
65
67
|
profile = Inspec::Profile.for_target(path, o)
|
@@ -105,8 +107,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
|
|
105
107
|
|
106
108
|
desc 'vendor', 'Download all dependencies and generate a lockfile'
|
107
109
|
def vendor(path = nil)
|
108
|
-
|
109
|
-
|
110
|
+
o = opts.dup
|
111
|
+
o[:cache] = Inspec::Cache.new(path)
|
112
|
+
o[:backend] = Inspec::Backend.create(target: 'mock://')
|
113
|
+
configure_logger(o)
|
114
|
+
|
115
|
+
profile = Inspec::Profile.for_target('./', o)
|
110
116
|
lockfile = profile.generate_lockfile
|
111
117
|
File.write('inspec.lock', lockfile.to_yaml)
|
112
118
|
rescue StandardError => e
|
@@ -131,12 +137,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
|
|
131
137
|
o = opts.dup
|
132
138
|
o[:logger] = Logger.new(STDOUT)
|
133
139
|
o[:logger].level = get_log_level(o.log_level)
|
140
|
+
o[:backend] = Inspec::Backend.create(target: 'mock://')
|
134
141
|
|
135
142
|
profile = Inspec::Profile.for_target(path, o)
|
136
143
|
result = profile.check
|
137
144
|
|
138
145
|
if result && !opts[:ignore_errors] == false
|
139
|
-
|
146
|
+
o[:logger].info 'Profile check failed. Please fix the profile before generating an archive.'
|
140
147
|
return exit 1
|
141
148
|
end
|
142
149
|
|
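Review bot: In `vendor` (new lines 109–115) the `path` argument only reaches `Inspec::Cache.new(path)`, while the profile is always loaded from `'./'` and the lockfile is always written to `'inspec.lock'` in the working directory, so neither the `desc` nor the code says what `path` selects; if it is the dependency cache location, a comment such as `# path: where dependencies are cached; the profile being vendored is always the current directory` above `o = opts.dup` would settle it. The identical `o[:backend] = Inspec::Backend.create(target: 'mock://')` line is added in all four hunks of this file (json, check, vendor and archive); a private helper along the lines of `def mock_backend = Inspec::Backend.create(target: 'mock://')` (or the multi-line form if the project's Ruby predates endless methods) would keep the four call sites from drifting apart. `vendor` continues past the hunk — its `rescue StandardError => e` handler is cut off at the bottom.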
data/lib/inspec/profile.rb
CHANGED
@@ -64,9 +64,9 @@ module Inspec
|
|
64
64
|
@tests_collected = false
|
65
65
|
@libraries_loaded = false
|
66
66
|
Metadata.finalize(@source_reader.metadata, @profile_id)
|
67
|
-
@runner_context =
|
68
|
-
|
69
|
-
|
67
|
+
@runner_context =
|
68
|
+
options[:profile_context] ||
|
69
|
+
Inspec::ProfileContext.for_profile(self, @backend, options[:attributes])
|
70
70
|
end
|
71
71
|
|
72
72
|
def name
|
@@ -287,6 +287,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
|
|
287
287
|
@missing_controls = []
|
288
288
|
@anonymous_tests = []
|
289
289
|
@control_tests = []
|
290
|
+
@profile_printed = false
|
290
291
|
super(*args)
|
291
292
|
end
|
292
293
|
|
@@ -296,17 +297,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
|
|
296
297
|
print_tests
|
297
298
|
output.puts('')
|
298
299
|
|
299
|
-
|
300
|
-
next if profile[:already_printed]
|
301
|
-
@current_profile = profile
|
302
|
-
next unless print_current_profile
|
303
|
-
print_line(
|
304
|
-
color: '', indicator: @indicators['empty'], id: '', profile: '',
|
305
|
-
summary: 'No tests executed.'
|
306
|
-
) if @current_control.nil?
|
307
|
-
output.puts('')
|
308
|
-
end
|
309
|
-
|
300
|
+
print_profiles_info if !@profile_printed
|
310
301
|
controls_res = controls_summary
|
311
302
|
tests_res = tests_summary
|
312
303
|
|
@@ -463,9 +454,8 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
|
|
463
454
|
def flush_current_control
|
464
455
|
return if @current_control.nil?
|
465
456
|
|
466
|
-
prev_profile = @current_profile
|
467
457
|
@current_profile = @profiles_info.find { |i| i[:id] == @current_control[:profile_id] }
|
468
|
-
print_current_profile if
|
458
|
+
print_current_profile if !@profile_printed
|
469
459
|
|
470
460
|
fails, skips, passes, summary_indicator = current_control_infos
|
471
461
|
summary = current_control_summary(fails, skips)
|
@@ -495,14 +485,32 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
|
|
495
485
|
output.puts(before + connection.uri + after)
|
496
486
|
end
|
497
487
|
|
488
|
+
def print_profiles_info
|
489
|
+
@profiles_info.each do |profile|
|
490
|
+
next if profile[:already_printed]
|
491
|
+
@current_profile = profile
|
492
|
+
next unless print_current_profile
|
493
|
+
print_line(
|
494
|
+
color: '', indicator: @indicators['empty'], id: '', profile: '',
|
495
|
+
summary: 'No tests executed.'
|
496
|
+
) if @current_control.nil?
|
497
|
+
output.puts('')
|
498
|
+
end
|
499
|
+
end
|
500
|
+
|
498
501
|
def print_current_profile
|
499
502
|
profile = @current_profile
|
500
|
-
|
501
|
-
|
503
|
+
if profile.nil?
|
504
|
+
print_profiles_info
|
505
|
+
@profile_printed = true
|
506
|
+
return true
|
507
|
+
end
|
502
508
|
output.puts ''
|
503
509
|
profile[:already_printed] = true
|
510
|
+
|
504
511
|
if profile[:name].nil?
|
505
512
|
print_target('Target: ', "\n\n")
|
513
|
+
@profile_printed = true
|
506
514
|
return true
|
507
515
|
end
|
508
516
|
|
@@ -515,6 +523,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
|
|
515
523
|
output.puts 'Version: ' + (profile[:version] || 'unknown')
|
516
524
|
print_target('Target: ', "\n")
|
517
525
|
output.puts
|
526
|
+
@profile_printed = true
|
518
527
|
true
|
519
528
|
end
|
520
529
|
|
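Review bot: `@profile_printed` is a single flag, yet `print_current_profile` sets it after printing any one profile (new lines 513 and 526) and `flush_current_control` guards on it with `print_current_profile if !@profile_printed` (new line 458), so if a run contains controls from more than one profile — which `@profiles_info` being a list suggests — the header of every profile after the first is never printed, whereas the removed `prev_profile` comparison printed a header whenever the profile changed. The per-profile `profile[:already_printed]` flag already prevents duplicate headers, so the guard in `flush_current_control` can be narrowed to `print_current_profile unless @current_profile.nil? || @current_profile[:already_printed]`, leaving `@profile_printed` to the summary path only. Note also that `print_profiles_info` reassigns `@current_profile` as it iterates, so the `profile.nil?` branch in `print_current_profile` leaves `@current_profile` pointing at the last profile in the list rather than at nil — worth a comment if that is intended. The hunks from `@@ -287` onward name `class InspecRspecCli` and match the diffstat entry for `data/lib/inspec/rspec_json_formatter.rb`, so they appear to be shown under the wrong file header on this page; `flush_current_control` and the summary method in the `@@ -296` hunk both continue outside their hunks.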
data/lib/inspec/version.rb
CHANGED
@@ -147,6 +147,11 @@ module Inspec::Resources
|
|
147
147
|
script = <<-EOH
|
148
148
|
Function InSpec-GetRegistryKey($path) {
|
149
149
|
$reg = Get-Item ('Registry::' + $path)
|
150
|
+
if ($reg -eq $null) {
|
151
|
+
Write-Error "InSpec: Failed to find registry key"
|
152
|
+
exit 1001
|
153
|
+
}
|
154
|
+
|
150
155
|
$properties = New-Object -Type PSObject
|
151
156
|
$reg.Property | ForEach-Object {
|
152
157
|
$key = $_
|
@@ -167,11 +172,16 @@ module Inspec::Resources
|
|
167
172
|
# cannot rely on exit code for now, successful command returns exit code 1
|
168
173
|
# return nil if cmd.exit_status != 0, try to parse json
|
169
174
|
begin
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
174
|
-
|
175
|
+
if cmd.exit_status == 1001 && cmd.stderr =~ /InSpec: Failed to find registry key/
|
176
|
+
# TODO: provide the stderr output
|
177
|
+
@registry_cache = nil
|
178
|
+
else
|
179
|
+
@registry_cache = JSON.parse(cmd.stdout)
|
180
|
+
# convert keys to lower case
|
181
|
+
@registry_cache = Hash[@registry_cache.map do |key, value|
|
182
|
+
[key.downcase, value]
|
183
|
+
end]
|
184
|
+
end
|
175
185
|
rescue JSON::ParserError => _e
|
176
186
|
@registry_cache = nil
|
177
187
|
end
|
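Review bot: The context comment at line 172, `# cannot rely on exit code for now, successful command returns exit code 1`, is now contradicted by the new branch that keys on `cmd.exit_status == 1001` (new line 175); it should read something like `# a successful run still exits 1, so only the script's own exit 1001 (key not found) is meaningful; anything else is parsed as JSON`. On the PowerShell side, `Get-Item` on a path that does not exist writes its own error before `$reg -eq $null` is ever checked, so `$reg = Get-Item ('Registry::' + $path) -ErrorAction SilentlyContinue` would keep stderr down to the sentinel message the Ruby regexp matches on (assuming the default non-terminating error behaviour I expect from Get-Item). The `Hash[@registry_cache.map do ... end]` at new lines 181–183 reads more naturally as `@registry_cache.map { |k, v| [k.downcase, v] }.to_h`, given that the two-parameter block already assumes the parsed JSON is a hash. These hunks name `module Inspec::Resources` and `InSpec-GetRegistryKey` and match the diffstat entry for `data/lib/resources/registry_key.rb`, so they appear under the wrong file header on this page; the enclosing method continues outside both hunks.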
data/lib/utils/filter.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: inspec
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.1.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dominik Richter
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-
|
11
|
+
date: 2016-10-05 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: train
|
@@ -530,9 +530,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
530
530
|
version: '0'
|
531
531
|
requirements: []
|
532
532
|
rubyforge_project:
|
533
|
-
rubygems_version: 2.
|
533
|
+
rubygems_version: 2.5.1
|
534
534
|
signing_key:
|
535
535
|
specification_version: 4
|
536
536
|
summary: Infrastructure and compliance testing.
|
537
537
|
test_files: []
|
538
|
-
has_rdoc:
|