inspec 1.34.1 → 1.35.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f8652931e666396eaecf1bdfd94e9979cd8dea97
-  data.tar.gz: 1769b0dea0a7fe11e89943ada4951b1b1d219545
+  metadata.gz: 75f7ef6bcd93aae1ea6bda13e5d50675fa234afa
+  data.tar.gz: a43bc69d1420af04b82860164873a42f5fc0ba4b
 SHA512:
-  metadata.gz: c85ea367f1d2d196cae095cbc3e9479947bb1876718ff55d68db0d506226f5ea2ddccec00bf36e7d2fd296e49337d4c376889bf3aa88680845b51dd09f19b765
-  data.tar.gz: ef7c008ff3915b2f80bf3fa60a4f302bb0a245cd50cfc6a293e3a788d64ff275b7f642f4dc21594b274c6e1c4aa033ad765c458751e4c2a1778ffffc1bcb48d0
+  metadata.gz: 0f7bffcdfa35005e4805026dd0028031713f1ecb30b7fae10d811c79bde5840599df4e35dc9631ffea18d637c768abed92dbe05392d1a7c77efaf1332629e445
+  data.tar.gz: b24fc841af39b05e38ee9537e76da3d1b68bcdd07349e59af1c6b140a5298cec578fef54e1167d7b48b348829d02a59054c785a4fb265fd7cce9767868d3f1b5

data/CHANGELOG.md

@@ -1,24 +1,40 @@
 # Change Log
 
-<!-- latest_release 1.33.15 -->
-## [v1.33.15](https://github.com/chef/inspec/tree/v1.33.15) (2017-08-23)
+<!-- latest_release 1.34.10 -->
+## [v1.34.10](https://github.com/chef/inspec/tree/v1.34.10) (2017-08-31)
 
-#### Enhancements
-- Refine the profile/test summary output of the CLI formatter [#2094](https://github.com/chef/inspec/pull/2094) ([adamleff](https://github.com/adamleff))
+#### New Resources
+- etc_hosts resource: test the contents of the /etc/hosts file [#2065](https://github.com/chef/inspec/pull/2065) ([dromazmj](https://github.com/dromazmj))
 <!-- latest_release -->
 
-<!-- release_rollup since=1.33.12 -->
-### Changes since 1.33.12 release
+<!-- release_rollup since=1.34.1 -->
+### Changes since 1.34.1 release
 
 #### Enhancements
-- Refine the profile/test summary output of the CLI formatter [#2094](https://github.com/chef/inspec/pull/2094) ([adamleff](https://github.com/adamleff)) <!-- 1.33.15 -->
+- port resource: support ss instead of netstat [#2110](https://github.com/chef/inspec/pull/2110) ([adamleff](https://github.com/adamleff)) <!-- 1.34.8 -->
+- pip resource: support non-default pip locations, such as virtualenvs [#2097](https://github.com/chef/inspec/pull/2097) ([tonybaloney](https://github.com/tonybaloney)) <!-- 1.34.7 -->
+
+#### Bug Fixes
+- Support mixed-case group entries [#2101](https://github.com/chef/inspec/pull/2101) ([adamleff](https://github.com/adamleff)) <!-- 1.34.6 -->
+- http resource: prevent repeat calls during a control with multiple tests [#2108](https://github.com/chef/inspec/pull/2108) ([mivok](https://github.com/mivok)) <!-- 1.34.5 -->
+- auditd_rules resource: fix get_keys error on lines that have no keys [#2103](https://github.com/chef/inspec/pull/2103) ([jburns12](https://github.com/jburns12)) <!-- 1.34.4 -->
 
 #### Merged Pull Requests
-- Add slack notifications for Travis CI builds to master [#2092](https://github.com/chef/inspec/pull/2092) ([adamleff](https://github.com/adamleff)) <!-- 1.33.14 -->
-- Update CHANGELOG (add fix author) [#2091](https://github.com/chef/inspec/pull/2091) ([n-rodriguez](https://github.com/n-rodriguez)) <!-- 1.33.13 -->
+- Add sensitive flag to resources to restrict logging output [#2017](https://github.com/chef/inspec/pull/2017) ([arothian](https://github.com/arothian)) <!-- 1.34.3 -->
+
+#### New Resources
+- etc_hosts resource: test the contents of the /etc/hosts file [#2065](https://github.com/chef/inspec/pull/2065) ([dromazmj](https://github.com/dromazmj)) <!-- 1.34.10 -->
+- Add support for XML files [#2107](https://github.com/chef/inspec/pull/2107) ([jonathanmorley](https://github.com/jonathanmorley)) <!-- 1.34.9 -->
+- aide_conf resource: test configuration of the AIDE file integrity tool [#2063](https://github.com/chef/inspec/pull/2063) ([jburns12](https://github.com/jburns12)) <!-- 1.34.2 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v1.34.1](https://github.com/chef/inspec/tree/v1.34.1) (2017-08-24)
+
+#### Enhancements
+- Refine the profile/test summary output of the CLI formatter [#2094](https://github.com/chef/inspec/pull/2094) ([adamleff](https://github.com/adamleff))
+<!-- latest_stable_release -->
+
 ## [v1.33.12](https://github.com/chef/inspec/tree/v1.33.12) (2017-08-18)
 
 #### Bug Fixes
@@ -34,7 +50,6 @@
 #### Merged Pull Requests
 - add functional tests for inspec check [#2077](https://github.com/chef/inspec/pull/2077) ([chris-rock](https://github.com/chris-rock))
 - Move bug fixes in CHANGELOG to correct header [#2089](https://github.com/chef/inspec/pull/2089) ([adamleff](https://github.com/adamleff))
-<!-- latest_stable_release -->
 
 ## [v1.33.1](https://github.com/chef/inspec/tree/v1.33.1) (2017-08-10)
 

data/docs/dsl_inspec.md

@@ -71,6 +71,16 @@ describe.one do
 end
 ```
 
+#### Sensitive resources
+
+In some scenarios, you may be writing checks involving resources with sensitive content (e.g. a file resource). In the case of failures, it may be desired to suppress output. This can be done by adding the `:sensitive` flag to the resource definition
+
+```ruby
+describe file('/tmp/mysecretfile'), :sensitive do
+  its('content') { should contain 'secret_info' }
+end
+```
+
 ## Examples
 
 The following examples show simple compliance tests using a single `control` block.

data/docs/resources/aide_conf.md.erb

@@ -0,0 +1,81 @@
+---
+title: About the aide_conf Resource
+---
+
+# aide_conf
+
+Use the `aide_conf` InSpec audit resource to test the rules established for the file integrity tool AIDE. Controlled by the aide.conf file typically at /etc/aide.conf.
+
+## Syntax
+
+An `aide_conf` resource block can be used to determine if the selection lines contain one (or more) directories whose files should be added to the aide database:
+
+    describe aide_conf('path') do
+      its('selection_lines') { should include '/sbin' }
+    end
+
+where
+
+* `'selection_lines'` refers to all selection lines found in the aide.conf file
+* `('path')` is the non-default path to the `aide.conf` file (optional)
+* `should include 'value'` is the value that is expected
+
+Use the where clause to match a selection_line to one rule or a particular set of rules found in the aide.conf file:
+
+    describe aide_conf.where { selection_line == '/bin' } do
+      its('rules.flatten') { should include 'r' }
+    end
+
+    describe aide_conf.where { selection_line == '/sbin' } do
+      its('rules') { should include ['p', 'i', 'l', 'n', 'u', 'g', 'sha512'] }
+    end
+
+## Matchers
+
+This InSpec audit resource has the following matchers:
+
+### be
+
+<%= partial "/shared/matcher_be" %>
+
+### cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+### eq
+
+<%= partial "/shared/matcher_eq" %>
+
+### include
+
+<%= partial "/shared/matcher_include" %>
+
+### all_have_rule
+
+The usage of all_have_rule will return whether or not all selection lines in audit.conf contain a particular rule:
+
+    describe aide_conf.all_have_rule('sha512') do
+      it { should eq true }
+    end
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test if all selection lines contain the xattr rule
+
+    describe aide_conf.all_have_rule('xattr') do
+      it { should eq true }
+    end
+
+### Test whether selection line for /bin contains a particular rule
+
+    describe aide_conf.where { selection_line == '/bin' } do
+      its('rules.flatten') { should include 'r' }
+    end
+
+### Test whether selection line for /sbin consists of a particular set of rules
+
+    describe aide_conf.where { selection_line == '/sbin' } do
+      its('rules') { should include ['r', 'sha512'] }
+    end

data/docs/resources/etc_hosts.md.erb

@@ -0,0 +1,62 @@
+---
+title: About the etc_hosts Resource
+---
+
+# etc_hosts
+
+Use the `etc_hosts` InSpec audit resource to test rules set to match IP addresses with hostnames.
+## Syntax
+
+An etc/hosts rule specifies an IP address and what its hostname is along with optional aliases it can have.
+
+## Syntax
+
+Use the where clause to match a property to one or more rules in the hosts file.
+
+    describe etc_hosts.where { ip_address == 'value' } do
+      its('primary_name') { should cmp 'hostname' }
+      its('all_host_names') { should cmp 'list' }
+    end
+
+Use the optional constructor parameter to give an alternative path to hosts file
+
+    describe etc_hosts('path/to/hosts').where { ip_address == 'value' } do
+      its('primary_name') { should cmp 'hostname' }
+      its('all_host_names') { should cmp 'list' }
+    end
+
+where
+
+* `ip_address` is the ip address of the hostname in either ipv4 or ipv6 format.
+* `primary_name` is the name associated with the ip address.
+* `all_host_names` is a list including the primary_name as the first entry followed by any aliase names the host has.
+
+## Supported Properties
+
+    'ip_address', 'primary_name', 'all_host_names'
+
+## Property Examples and Return Types
+
+### ip_address
+
+`ip_address` returns a string array of ip addresses specified in the etc/hosts file.
+
+    describe etc_hosts.where { primary_name == 'localhost' } do
+      its('ip_address') { should cmp '127.0.1.154' }
+    end
+
+### primary_name
+
+`primary_name` returns a string array of primary_names specified in the etc/hosts file.
+
+    describe etc_hosts.where { ip_address == '::1' } do
+      its('primary_name') { should cmp 'localhost' }
+    end
+
+### all_host_names
+
+`all_host_names` returns a two dimensional string array where each entry has the primary_name first followed by any aliases.
+
+    describe etc_hosts.where { ip_address == '127.0.1.154' } do
+      its('all_host_names') { should eq [['localhost', 'localhost.localdomain', 'localhost4', 'localhost4.localdomain4'],  ['localhost', 'localhost.localdomain', 'localhost6', 'localhost6.localdomain6']] }
+    end

data/docs/resources/xml.md.erb

@@ -0,0 +1,75 @@
+---
+title: About the xml Resource
+---
+
+# xml
+
+Use the `xml` InSpec audit resource to test data in an XML file.
+
+## Syntax
+
+An `xml` resource block declares the data to be tested. Assume the following XML file:
+
+    <root>
+      <name>hello</name>
+      <meta>
+        <creator>John Doe</creator>
+      </meta>
+      <array>
+        <element>one</element>
+        <element>two</element>
+      </array>
+    </root>
+
+This file can be queried using:
+
+    describe xml('/path/to/name.xml') do
+      its('root/name') { should eq ['hello'] }
+      its('root/meta/creator') { should eq ['John Doe'] }
+      its('root/array[2]/element]) { should eq ['two'] }
+    end
+
+where
+
+* `root/name` is an XPath expression
+* `should eq ['foo']` tests a value of `root/name` as read from an XML file versus the value declared in the test
+
+## Matchers
+
+This InSpec audit resource has the following matchers:
+
+### be
+
+<%= partial "/shared/matcher_be" %>
+
+### cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+### eq
+
+<%= partial "/shared/matcher_eq" %>
+
+### include
+
+<%= partial "/shared/matcher_include" %>
+
+### match
+
+<%= partial "/shared/matcher_match" %>
+
+### name
+
+The `name` matcher tests the value of `name` as read from a JSON file versus the value declared in the test:
+
+    its('name') { should eq 'foo' }
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test an AppPool's presence in an applicationHost.config file
+
+    describe xml('applicationHost.config') do
+      its('configuration/system.applicationHost/applicationPools/add@name') { should contain('my_pool') }
+    end

data/examples/profile-sensitive/README.md

@@ -0,0 +1,29 @@
+# Example InSpec Profile with Sensitive failures
+
+This profile demostrates resources flagged as sensitive
+
+## Usage
+
+```
+$ inspec exec examples/profile-sensitive
+....
+
+  bob should
+   ∅  eq "billy"
+
+   expected: "billy"
+        got: "bob"
+
+   (compared using ==)
+
+  sensitivepassword should
+     ∅  eq "secret"
+     *** sensitive output suppressed ***
+  bob should
+     ✔  eq "bob"
+  sensitivepassword should
+     ✔  eq "sensitivepassword"
+
+Test Summary: 2 successful, 2 failures, 0 skipped
+
+```

data/examples/profile-sensitive/controls/sensitive-failures.rb

@@ -0,0 +1,9 @@
+# encoding: utf-8
+
+describe 'bob' do
+  it { should eq 'billy' }
+end
+
+describe 'sensitivepassword', :sensitive do
+  it { should eq 'secret' }
+end

data/examples/profile-sensitive/controls/sensitive.rb

@@ -0,0 +1,9 @@
+# encoding: utf-8
+
+describe 'bob' do
+  it { should eq 'bob' }
+end
+
+describe 'sensitivepassword', :sensitive do
+  it { should eq 'sensitivepassword' }
+end

data/examples/profile-sensitive/inspec.yml

@@ -0,0 +1,8 @@
+name: profile-sensitive
+title: InSpec Sensitive Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile
+version: 0.1.0

data/lib/inspec/resource.rb

@@ -72,6 +72,7 @@ module Inspec
   end
 end
 
+require 'resources/aide_conf'
 require 'resources/apache'
 require 'resources/apache_conf'
 require 'resources/apt'
@@ -89,6 +90,7 @@ require 'resources/docker'
 require 'resources/docker_image'
 require 'resources/docker_container'
 require 'resources/etc_group'
+require 'resources/etc_hosts'
 require 'resources/file'
 require 'resources/gem'
 require 'resources/groups'
@@ -157,3 +159,4 @@ require 'resources/json'
 require 'resources/yaml'
 require 'resources/csv'
 require 'resources/ini'
+require 'resources/xml'

data/lib/inspec/rspec_json_formatter.rb

@@ -52,7 +52,12 @@ class InspecRspecMiniJson < RSpec::Core::Formatters::JsonFormatter
       format_example(example).tap do |hash|
         e = example.exception
         next unless e
-        hash[:message] = exception_message(e)
+
+        if example.metadata[:sensitive]
+          hash[:message] = '*** sensitive output suppressed ***'
+        else
+          hash[:message] = exception_message(e)
+        end
 
         next if e.is_a? RSpec::Expectations::ExpectationNotMetError
         hash[:exception] = e.class.name
@@ -341,7 +346,7 @@ class InspecRspecCli < InspecRspecJson # rubocop:disable Metrics/ClassLength
   # This method is called through the RSpec Formatter interface for every
   # example found in the test suite.
   #
-  # Within #format_example we are getting and example and:
+  # Within #format_example we are getting an example and:
   #    * if this is an example, within a control, within a profile then we want
   #      to display the profile header, display the control, and then display
   #      the example.

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.34.1'.freeze
+  VERSION = '1.35.1'.freeze
 end

data/lib/resources/aide_conf.rb

@@ -0,0 +1,162 @@
+# encoding: utf-8
+# author: Jen Burns, burnsjennifere@gmail.com
+
+require 'utils/filter'
+require 'utils/parser'
+
+# rubocop:disable Metrics/ClassLength
+module Inspec::Resources
+  class AideConf < Inspec.resource(1)
+    name 'aide_conf'
+    desc 'Use the aide_conf InSpec audit resource to test the rules established for
+      the file integrity tool AIDE. Controlled by the aide.conf file typically at /etc/aide.conf.'
+    example "
+      describe aide_conf do
+        its('selection_lines') { should include '/sbin' }
+      end
+
+      describe aide_conf.where { selection_line == '/bin' } do
+        its('rules.flatten') { should include 'r' }
+      end
+
+      describe aide_conf.all_have_rule('sha512') do
+        it { should eq true }
+      end
+    "
+
+    attr_reader :params
+
+    include CommentParser
+
+    def initialize(aide_conf_path = nil)
+      return skip_resource 'The `aide_conf` resource is not supported on your OS.' unless inspec.os.linux?
+      @conf_path = aide_conf_path || '/etc/aide.conf'
+      @content = nil
+      @rules = nil
+      read_content
+    end
+
+    def all_have_rule(rule)
+      # Case when file didn't exist or perms didn't allow an open
+      return false if @content.nil?
+
+      lines = @params.reject { |line| line['rules'].include? rule }
+      lines.empty?
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:selection_lines, field: 'selection_line')
+          .add(:rules,           field: 'rules')
+
+    filter.connect(self, :params)
+
+    private
+
+    def read_content
+      return @content unless @content.nil?
+      @rules = {}
+
+      file = inspec.file(@conf_path)
+      if !file.file?
+        return skip_resource "Can't find file \"#{@conf_path}\""
+      end
+      raw_conf = file.content
+      if raw_conf.nil?
+        return skip_resource "File can't be opened or is empty \"#{@conf_path}\""
+      end
+      if raw_conf.empty? && !file.empty?
+        return skip_resource "Can't read file \"#{@conf_path}\""
+      end
+
+      # If there is a file and it contains content, continue
+      @content = filter_comments(inspec.file(@conf_path).content.lines)
+      @params = parse_conf(@content)
+    end
+
+    def filter_comments(data)
+      content = []
+      data.each do |line|
+        content_line, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
+        content.push(content_line)
+      end
+      content
+    end
+
+    def parse_conf(content)
+      params = []
+      content.each do |line|
+        param = parse_line(line)
+        if !param['selection_line'].nil?
+          params.push(param)
+        end
+      end
+      params
+    end
+
+    def parse_line(line)
+      line_and_rules = {}
+      # Case when line is a rule line
+      if line.include?(' = ')
+        parse_rule_line(line)
+      # Case when line is a selection line
+      elsif line.start_with?('/', '!', '=')
+        line_and_rules = parse_selection_line(line)
+      end
+      line_and_rules
+    end
+
+    def parse_rule_line(line)
+      line.gsub!(/\s+/, '')
+      rule_line_arr = line.split('=')
+      rules_list = rule_line_arr.last.split('+')
+      rule_name = rule_line_arr.first
+      rules_list.each_index do |i|
+        # Cases where rule respresents one or more other rules
+        if @rules.key?(rules_list[i])
+          rules_list[i] = @rules[rules_list[i]]
+        end
+        rules_list[i] = handle_multi_rule(rules_list, i)
+      end
+      @rules[rule_name] = rules_list.flatten
+    end
+
+    def parse_selection_line(line)
+      selec_line_arr = line.split(' ')
+      selection_line = selec_line_arr.first
+      selection_line.chop! if selection_line.end_with?('/')
+      rule_list = selec_line_arr.last.split('+')
+      rule_list.each_index do |i|
+        hash_list = @rules[rule_list[i]]
+        # Cases where rule respresents one or more other rules
+        if !hash_list.nil?
+          rule_list[i] = hash_list
+        end
+        rule_list[i] = handle_multi_rule(rule_list, i)
+      end
+      rule_list.flatten!
+      {
+        'selection_line' => selection_line,
+        'rules' => rule_list,
+      }
+    end
+
+    def handle_multi_rule(rule_list, i)
+      # Rules that represent multiple rules (R,L,>)
+      r_rules = %w{p i l n u g s m c md5}
+      l_rules = %w{p i l n u g}
+      grow_log_rules = %w{p l u g i n S}
+
+      case rule_list[i]
+      when 'R'
+        return r_rules
+      when 'L'
+        return l_rules
+      when '>'
+        return grow_log_rules
+      end
+      rule_list[i]
+    end
+  end
+end

data/lib/resources/auditd_rules.rb

@@ -177,7 +177,7 @@ module Inspec::Resources
 
     # NB only in file lines
     def get_key(line)
-      line.match(/-k ([^ ]+)/)[1]
+      line.match(/-k ([^ ]+)/)[1] if line.include?('-k ')
     end
 
     # NOTE there are NO precautions wrt. filenames containing spaces in auditctl

data/lib/resources/etc_hosts.rb

@@ -0,0 +1,81 @@
+# encoding: utf-8
+# author: Matthew Dromazos
+
+require 'utils/parser'
+
+class EtcHosts < Inspec.resource(1)
+  name 'etc_hosts'
+  desc 'Use the etc_hosts InSpec audit resource to find an
+    ip_address and its associated hosts'
+  example "
+    describe etc_hosts.where { ip_address == '127.0.0.1' } do
+      its('ip_address') { should cmp '127.0.0.1' }
+      its('primary_name') { should cmp 'localhost' }
+      its('all_host_names') { should eq [['localhost', 'localhost.localdomain', 'localhost4', 'localhost4.localdomain4']] }
+    end
+  "
+
+  attr_reader :params
+
+  include CommentParser
+
+  def initialize(hosts_path = nil)
+    return skip_resource 'The `etc_hosts` resource is not supported on your OS.' unless inspec.os.linux? || inspec.os.windows?
+    @conf_path      = hosts_path || default_hosts_file_path
+    @content        = nil
+    @params         = nil
+    read_content
+  end
+
+  filter = FilterTable.create
+  filter.add_accessor(:where)
+        .add_accessor(:entries)
+        .add(:ip_address,     field: 'ip_address')
+        .add(:primary_name,   field: 'primary_name')
+        .add(:all_host_names, field: 'all_host_names')
+
+  filter.connect(self, :params)
+
+  private
+
+  def default_hosts_file_path
+    inspec.os.windows? ? 'C:\windows\system32\drivers\etc\hosts' : '/etc/hosts'
+  end
+
+  def read_content
+    @content = ''
+    @params  = {}
+    @content = read_file(@conf_path)
+    @params  = parse_conf(@content)
+  end
+
+  def parse_conf(content)
+    content.map do |line|
+      data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
+      parse_line(data) unless data == ''
+    end.compact
+  end
+
+  def parse_line(line)
+    line_parts = line.split
+    return nil unless line_parts.length >= 2
+    {
+      'ip_address'     => line_parts[0],
+      'primary_name'   => line_parts[1],
+      'all_host_names' => line_parts[1..-1],
+    }
+  end
+
+  def read_file(conf_path = @conf_path)
+    file = inspec.file(conf_path)
+    if !file.file?
+      return skip_resource "Can't find file. \"#{@conf_path}\""
+    end
+
+    raw_conf = file.content
+    if raw_conf.empty? && !file.empty?
+      return skip_resource("Could not read file contents\" #{@conf_path}\"")
+    end
+    raw_conf.lines
+  end
+end

data/lib/resources/groups.rb

@@ -90,7 +90,6 @@ module Inspec::Resources
 
     def initialize(groupname)
       @group = groupname
-      @group = @group.downcase unless inspec.os.windows?
 
       # select group manager
       @group_provider = select_group_manager(inspec.os)

data/lib/resources/http.rb

@@ -55,6 +55,7 @@ module Inspec::Resources
     private
 
     def response
+      return @response if @response
       conn = Faraday.new url: @url, headers: @headers, params: @params, ssl: { verify: @ssl_verify }
 
       # set basic authentication

data/lib/resources/pip.rb

@@ -7,6 +7,7 @@
 #   it { should be_installed }
 # end
 #
+
 module Inspec::Resources
   class PipPackage < Inspec.resource(1)
     name 'pip'
@@ -15,10 +16,17 @@ module Inspec::Resources
       describe pip('Jinja2') do
         it { should be_installed }
       end
+
+      describe pip('django', '/path/to/virtualenv/bin/pip') do
+        it { should be_installed }
+        its('version') { should eq('1.11.4')}
+      end
     "
 
-    def initialize(package_name)
+    def initialize(package_name, pip_path = nil)
       @package_name = package_name
+      @pip_cmd = pip_path || default_pip_path
+      return skip_resource 'pip not found' unless inspec.command(@pip_cmd).exist?
     end
 
     def info
@@ -26,7 +34,7 @@ module Inspec::Resources
 
       @info = {}
       @info[:type] = 'pip'
-      cmd = inspec.command("#{pip_cmd} show #{@package_name}")
+      cmd = inspec.command("#{@pip_cmd} show #{@package_name}")
       return @info if cmd.exit_status != 0
 
       params = SimpleConfig.new(
@@ -54,28 +62,28 @@ module Inspec::Resources
 
     private
 
-    def pip_cmd
+    def default_pip_path
+      return 'pip' unless inspec.os.windows?
+
       # Pip is not on the default path for Windows, therefore we do some logic
       # to find the binary on Windows
-      if inspec.os.windows?
-        # we need to detect the pip command on Windows
-        cmd = inspec.command('New-Object -Type PSObject | Add-Member -MemberType NoteProperty -Name Pip -Value (Invoke-Command -ScriptBlock {where.exe pip}) -PassThru | Add-Member -MemberType NoteProperty -Name Python -Value (Invoke-Command -ScriptBlock {where.exe python}) -PassThru | ConvertTo-Json')
-        begin
-          paths = JSON.parse(cmd.stdout)
-          # use pip if it on system path
-          pipcmd = paths['Pip']
-          # calculate path on windows
-          if defined?(paths['Python']) && pipcmd.nil?
-            pipdir = paths['Python'].split('\\')
-            # remove python.exe
-            pipdir.pop
-            pipcmd = pipdir.push('Scripts').push('pip.exe').join('/')
-          end
-        rescue JSON::ParserError => _e
-          return nil
+      cmd = inspec.command('New-Object -Type PSObject | Add-Member -MemberType NoteProperty -Name Pip -Value (Invoke-Command -ScriptBlock {where.exe pip}) -PassThru | Add-Member -MemberType NoteProperty -Name Python -Value (Invoke-Command -ScriptBlock {where.exe python}) -PassThru | ConvertTo-Json')
+      begin
+        paths = JSON.parse(cmd.stdout)
+        # use pip if it on system path
+        pipcmd = paths['Pip']
+        # calculate path on windows
+        if defined?(paths['Python']) && pipcmd.nil?
+          pipdir = paths['Python'].split('\\')
+          # remove python.exe
+          pipdir.pop
+          pipcmd = pipdir.push('Scripts').push('pip.exe').join('/')
         end
+      rescue JSON::ParserError => _e
+        return nil
       end
-      pipcmd || 'pip'
+
+      pipcmd
     end
   end
 end

data/lib/resources/port.rb

@@ -264,10 +264,34 @@ module Inspec::Resources
   end
 
   # extract port information from netstat
-  class LinuxPorts < PortsInfo
+  class LinuxPorts < PortsInfo # rubocop:disable Metrics/ClassLength
+    ALLOWED_PROTOCOLS = %w{tcp tcp6 udp udp6}.freeze
+
     def info
+      ports_via_ss || ports_via_netstat
+    end
+
+    def ports_via_ss
+      return nil unless inspec.command('ss').exist?
+
+      cmd = inspec.command('ss -tulpen')
+      return nil unless cmd.exit_status.to_i.zero?
+
+      ports = []
+
+      cmd.stdout.each_line do |line|
+        parsed_line = parse_ss_line(line)
+        ports << parsed_line unless parsed_line.nil?
+      end
+
+      ports
+    end
+
+    def ports_via_netstat
+      return nil unless inspec.command('netstat').exist?
+
       cmd = inspec.command('netstat -tulpen')
-      return nil if cmd.exit_status.to_i != 0
+      return nil unless cmd.exit_status.to_i.zero?
 
       ports = []
       # parse all lines
@@ -362,6 +386,66 @@ module Inspec::Resources
         'pid'      => pid,
       }
     end
+
+    def parse_ss_line(line)
+      parsed = line.split(/\s+/, 7)
+
+      # ss only returns "tcp" and "udp" as the protocol. However, netstat would return
+      # "tcp6" and "udp6" as necessary. In order to maintain backward compatibility, we
+      # will manually modify the protocol value if the line we're parsing is an IPv6
+      # entry.
+      process_info = parsed[6]
+      protocol = parsed[0]
+      protocol += '6' if process_info.include?('v6only:1')
+      return nil unless ALLOWED_PROTOCOLS.include?(protocol)
+
+      # parse the Local Address:Port
+      # examples:
+      #   *:22
+      #   :::22
+      #   10.0.2.15:1234
+      #   ::ffff:10.0.2.15:9300
+      #   fe80::a00:27ff:fe32:ed09%enp0s3:9200
+      parsed_net_address = parsed[4].match(/(\S+):(\*|\d+)$/)
+      return nil if parsed_net_address.nil?
+      host = parsed_net_address[1]
+      port = parsed_net_address[2]
+      return nil if host.nil? && port.nil?
+
+      # For backward compatibility with the netstat output, ensure the
+      # port is stored as an integer
+      port = port.to_i
+
+      # for those "v4-but-listed-in-v6" entries, strip off the
+      # leading IPv6 value at the beginning
+      # example: ::ffff:10.0.2.15:9200
+      host.delete!('::ffff:') if host.start_with?('::ffff:')
+
+      # if there's an interface name in the local address, which is common for
+      # IPv6 listeners, strip that out too.
+      # example: fe80::a00:27ff:fe32:ed09%enp0s3
+      host = host.split('%').first
+
+      # if host is "*", replace with "0.0.0.0" to maintain backward compatibility with
+      # the netstat-provided data
+      host = '0.0.0.0' if host == '*'
+
+      # parse the process name from the processes information
+      process_match = parsed[6].match(/users:\(\(\"(\S+)\"/)
+      process = process_match.nil? ? nil : process_match[1]
+
+      # parse the PID from the processes information
+      pid_match = parsed[6].match(/pid=(\d+)/)
+      pid = pid_match.nil? ? nil : pid_match[1].to_i
+
+      {
+        'port'     => port,
+        'address'  => host,
+        'protocol' => protocol,
+        'process'  => process,
+        'pid'      => pid,
+      }
+    end
   end
 
   # extracts information from sockstat

data/lib/resources/xml.rb

@@ -0,0 +1,27 @@
+# encoding: utf-8
+# author: Jonathan Morley
+
+module Inspec::Resources
+  class XmlConfig < JsonConfig
+    name 'xml'
+    desc 'Use the xml InSpec resource to test configuration data in an XML file'
+    example "
+      describe xml('default.xml') do
+        its('key/sub_key') { should eq(['value']) }
+      end
+    "
+
+    def parse(content)
+      require 'rexml/document'
+      REXML::Document.new(content)
+    end
+
+    def value(key)
+      REXML::XPath.each(@params, key.first.to_s).map(&:text)
+    end
+
+    def to_s
+      "XML #{@path}"
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.34.1
+  version: 1.35.1
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-08-23 00:00:00.000000000 Z
+date: 2017-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -312,6 +312,7 @@ files:
 - docs/migration.md
 - docs/plugin_kitchen_inspec.md
 - docs/profiles.md
+- docs/resources/aide_conf.md.erb
 - docs/resources/apache_conf.md.erb
 - docs/resources/apt.md.erb
 - docs/resources/audit_policy.md.erb
@@ -330,6 +331,7 @@ files:
 - docs/resources/docker_container.md.erb
 - docs/resources/docker_image.md.erb
 - docs/resources/etc_group.md.erb
+- docs/resources/etc_hosts.md.erb
 - docs/resources/file.md.erb
 - docs/resources/gem.md.erb
 - docs/resources/group.md.erb
@@ -393,6 +395,7 @@ files:
 - docs/resources/wmi.md.erb
 - docs/resources/x509_certificate.md.erb
 - docs/resources/xinetd_conf.md.erb
+- docs/resources/xml.md.erb
 - docs/resources/yaml.md.erb
 - docs/resources/yum.md.erb
 - docs/resources/zfs_dataset.md.erb
@@ -437,6 +440,10 @@ files:
 - examples/profile-attribute/README.md
 - examples/profile-attribute/controls/example.rb
 - examples/profile-attribute/inspec.yml
+- examples/profile-sensitive/README.md
+- examples/profile-sensitive/controls/sensitive-failures.rb
+- examples/profile-sensitive/controls/sensitive.rb
+- examples/profile-sensitive/inspec.yml
 - examples/profile/README.md
 - examples/profile/controls/example.rb
 - examples/profile/controls/gordon.rb
@@ -545,6 +552,7 @@ files:
 - lib/inspec/source_reader.rb
 - lib/inspec/version.rb
 - lib/matchers/matchers.rb
+- lib/resources/aide_conf.rb
 - lib/resources/apache.rb
 - lib/resources/apache_conf.rb
 - lib/resources/apt.rb
@@ -563,6 +571,7 @@ files:
 - lib/resources/docker_container.rb
 - lib/resources/docker_image.rb
 - lib/resources/etc_group.rb
+- lib/resources/etc_hosts.rb
 - lib/resources/file.rb
 - lib/resources/gem.rb
 - lib/resources/groups.rb
@@ -623,6 +632,7 @@ files:
 - lib/resources/wmi.rb
 - lib/resources/x509_certificate.rb
 - lib/resources/xinetd.rb
+- lib/resources/xml.rb
 - lib/resources/yaml.rb
 - lib/resources/yum.rb
 - lib/resources/zfs_dataset.rb