inspec 1.36.1 → 1.37.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +30 -13
- data/docs/resources/etc_fstab.md.erb +117 -0
- data/docs/resources/mysql_conf.md.erb +11 -0
- data/docs/resources/nginx.md.erb +72 -0
- data/lib/bundles/inspec-compliance/README.md +11 -0
- data/lib/bundles/inspec-compliance/api.rb +19 -8
- data/lib/bundles/inspec-compliance/cli.rb +1 -1
- data/lib/inspec/exceptions.rb +2 -0
- data/lib/inspec/resource.rb +2 -0
- data/lib/inspec/runner.rb +20 -2
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/docker.rb +8 -1
- data/lib/resources/etc_fstab.rb +107 -0
- data/lib/resources/mysql_conf.rb +10 -0
- data/lib/resources/nginx.rb +97 -0
- data/lib/resources/package.rb +2 -1
- metadata +7 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 2deb0a13ed78e24b3fdc0b02b85e08934ed94498
|
4
|
+
data.tar.gz: cc043ff4dbcc869b811e5a1cddfc982c3d167e96
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 2b24779c8fed6870015055c52b2aa2a0eac19b2adeb0324a322125c6fb77bee0f9a432d75825cf8c3f1e6672af8ca90392c96590a9e4351724b5fce446849442
|
7
|
+
data.tar.gz: 316851c81278ba142874d01b3ab76ed2b8bc4005c5edd5f3c5a41d0756f010fabcfc612dd52ba2d1060aa6a5cd8af53f0d8773d9c0c3270bf3d01ff35bd320a6
|
data/CHANGELOG.md
CHANGED
@@ -1,25 +1,43 @@
|
|
1
1
|
# Change Log
|
2
|
+
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
|
3
|
+
<!-- latest_release 1.37.6 -->
|
4
|
+
## [v1.37.6](https://github.com/chef/inspec/tree/v1.37.6) (2017-09-14)
|
2
5
|
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
#### Enhancements
|
7
|
-
- add nginx_conf accessors for http, servers, and locations [#2119](https://github.com/chef/inspec/pull/2119) ([arlimus](https://github.com/arlimus))
|
6
|
+
#### Merged Pull Requests
|
7
|
+
- Bump Ruby to 2.3.5 [#2149](https://github.com/chef/inspec/pull/2149) ([adamleff](https://github.com/adamleff))
|
8
8
|
<!-- latest_release -->
|
9
9
|
|
10
|
-
<!-- release_rollup since=1.
|
11
|
-
### Changes since 1.
|
10
|
+
<!-- release_rollup since=1.36.1 -->
|
11
|
+
### Changes since 1.36.1 release
|
12
12
|
|
13
|
-
####
|
14
|
-
-
|
15
|
-
- Modify linux regular expression to handle process names with spaces [#2117](https://github.com/chef/inspec/pull/2117) ([ChadScott](https://github.com/ChadScott)) <!-- 1.35.3 -->
|
13
|
+
#### Merged Pull Requests
|
14
|
+
- Bump Ruby to 2.3.5 [#2149](https://github.com/chef/inspec/pull/2149) ([adamleff](https://github.com/adamleff)) <!-- 1.37.6 -->
|
16
15
|
|
17
16
|
#### Enhancements
|
18
|
-
-
|
19
|
-
-
|
17
|
+
- Show versions for inspec compliance profiles [#2143](https://github.com/chef/inspec/pull/2143) ([alexpop](https://github.com/alexpop)) <!-- 1.37.5 -->
|
18
|
+
- Support profile versions for automate profiles storage [#2128](https://github.com/chef/inspec/pull/2128) ([alexpop](https://github.com/alexpop)) <!-- 1.37.4 -->
|
19
|
+
|
20
|
+
#### Bug Fixes
|
21
|
+
- package resource: assume a default Homebrew path [#2140](https://github.com/chef/inspec/pull/2140) ([adamleff](https://github.com/adamleff)) <!-- 1.37.3 -->
|
22
|
+
- Ignore linked container names when parsing docker containers [#2134](https://github.com/chef/inspec/pull/2134) ([adamleff](https://github.com/adamleff)) <!-- 1.37.2 -->
|
23
|
+
|
24
|
+
#### New Resources
|
25
|
+
- nginx resource: audit the nginx binary and how it was compiled [#1958](https://github.com/chef/inspec/pull/1958) ([rx294](https://github.com/rx294)) <!-- 1.37.1 -->
|
26
|
+
- etc_fstab resource: test contents of the /etc/fstab file [#2064](https://github.com/chef/inspec/pull/2064) ([dromazmj](https://github.com/dromazmj)) <!-- 1.37.0 -->
|
20
27
|
<!-- release_rollup -->
|
21
28
|
|
22
29
|
<!-- latest_stable_release -->
|
30
|
+
## [v1.36.1](https://github.com/chef/inspec/tree/v1.36.1) (2017-09-07)
|
31
|
+
|
32
|
+
#### Enhancements
|
33
|
+
- File Resource: add be_setgid, be_setuid, be_sticky matchers [#2104](https://github.com/chef/inspec/pull/2104) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
34
|
+
- add nginx_conf accessors for http, servers, and locations [#2119](https://github.com/chef/inspec/pull/2119) ([arlimus](https://github.com/arlimus))
|
35
|
+
|
36
|
+
#### Bug Fixes
|
37
|
+
- Modify linux regular expression to handle process names with spaces [#2117](https://github.com/chef/inspec/pull/2117) ([ChadScott](https://github.com/ChadScott))
|
38
|
+
- Fix alternate path profile chaining [#2121](https://github.com/chef/inspec/pull/2121) ([trevor-vaughan](https://github.com/trevor-vaughan))
|
39
|
+
<!-- latest_stable_release -->
|
40
|
+
|
23
41
|
## [v1.35.1](https://github.com/chef/inspec/tree/v1.35.1) (2017-08-31)
|
24
42
|
|
25
43
|
#### New Resources
|
@@ -38,7 +56,6 @@
|
|
38
56
|
|
39
57
|
#### Merged Pull Requests
|
40
58
|
- Add sensitive flag to resources to restrict logging output [#2017](https://github.com/chef/inspec/pull/2017) ([arothian](https://github.com/arothian))
|
41
|
-
<!-- latest_stable_release -->
|
42
59
|
|
43
60
|
## [v1.34.1](https://github.com/chef/inspec/tree/v1.34.1) (2017-08-24)
|
44
61
|
|
@@ -0,0 +1,117 @@
|
|
1
|
+
---
|
2
|
+
title: About the etc_fstab Resource
|
3
|
+
---
|
4
|
+
|
5
|
+
# etc_fstab
|
6
|
+
|
7
|
+
Use the `etc_fstab` InSpec audit resource to test information about all partitions and storage devices on a system.
|
8
|
+
## Syntax
|
9
|
+
|
10
|
+
An etc_fstab rule specifies a device name, its mount point, its mount type, the options its mounted with,
|
11
|
+
its dump options, and the order the files system should be checked.
|
12
|
+
|
13
|
+
## Syntax
|
14
|
+
|
15
|
+
Use the where clause to match a property to one or more rules in the fstab file.
|
16
|
+
|
17
|
+
describe etc_fstab.where { device_name == 'value' } do
|
18
|
+
its('mount_point') { should cmp 'hostname' }
|
19
|
+
its('file_system_type') { should cmp 'list' }
|
20
|
+
its('mount_options') { should cmp 'list' }
|
21
|
+
its('dump_options') { should cmp 'list' }
|
22
|
+
its('file_system_options') { should cmp 'list' }
|
23
|
+
end
|
24
|
+
|
25
|
+
Use the optional constructor parameter to give an alternative path to fstab file
|
26
|
+
|
27
|
+
describe etc_fstab(hosts_path).where { device_name == 'value' } do
|
28
|
+
its('mount_point') { should cmp 'hostname' }
|
29
|
+
its('file_system_type') { should cmp 'list' }
|
30
|
+
its('mount_options') { should cmp 'list' }
|
31
|
+
its('dump_options') { should cmp 'list' }
|
32
|
+
its('file_system_options') { should cmp 'list ' }
|
33
|
+
end
|
34
|
+
|
35
|
+
where
|
36
|
+
|
37
|
+
* `device_name` is the name associated with the device.
|
38
|
+
* `mount_point` is the directory at which the filesystem is configured to be mounted.
|
39
|
+
* `file_system_type` is the type of file system of the device or partition.
|
40
|
+
* `mount_options` is the options for the device or partition.
|
41
|
+
* `dump_options` is a number used by dump to decide if a file system should be backed up.
|
42
|
+
* `file_system_options` is a number that specifies the order the file system should be checked.
|
43
|
+
|
44
|
+
## Property Examples and Return Types
|
45
|
+
|
46
|
+
### device_name
|
47
|
+
|
48
|
+
`device_name` returns a string array of device names mounted on the system.
|
49
|
+
|
50
|
+
describe etc_fstab.where { mount_point == '/mnt/sr0' } do
|
51
|
+
its('device_name') { should cmp '/dev/sr0' }
|
52
|
+
end
|
53
|
+
|
54
|
+
### mount_point
|
55
|
+
|
56
|
+
`mount_point` returns a string array of directorys at which filesystems are configured to be mounted.
|
57
|
+
|
58
|
+
describe etc_fstab.where { device_name == '/dev/sr0' } do
|
59
|
+
its('mount_point') { should cmp '/mnt/sr0' }
|
60
|
+
end
|
61
|
+
|
62
|
+
### file_system_type
|
63
|
+
|
64
|
+
`file_system_type` returns a String array of each partitions file system type.
|
65
|
+
|
66
|
+
describe etc_fstab.where { device_name == '/dev/sr0' } do
|
67
|
+
its('file_system_type') { should cmp 'iso9660' }
|
68
|
+
end
|
69
|
+
|
70
|
+
### mount_options
|
71
|
+
|
72
|
+
`mount_options` returns a two dimensional array of each partitions mount options.
|
73
|
+
|
74
|
+
describe etc_fstab.where { mount_point == '/' } do
|
75
|
+
its('mount_options') { should eq [['defaults', 'x-systemd.device-timeout=0']] }
|
76
|
+
end
|
77
|
+
|
78
|
+
### dump_options
|
79
|
+
|
80
|
+
`dump_options` returns a integer array of each partitions dump option.
|
81
|
+
|
82
|
+
describe etc_fstab.where { device_name == '/dev/sr0' } do
|
83
|
+
its('dump_options') { should cmp 0 }
|
84
|
+
end
|
85
|
+
|
86
|
+
### file_system_options
|
87
|
+
|
88
|
+
`file_system_options` returns a integer array of each partitions file system option.
|
89
|
+
|
90
|
+
describe etc_fstab.where { device_name == '/dev/sr0' } do
|
91
|
+
its('file_system_options') { should cmp 0 }
|
92
|
+
end
|
93
|
+
|
94
|
+
## Examples
|
95
|
+
|
96
|
+
The following examples show how to use this InSpec resource.
|
97
|
+
|
98
|
+
### Check all partitions that have type of 'nfs'.
|
99
|
+
|
100
|
+
nfs_systems = etc_fstab.nfs_file_systems
|
101
|
+
nfs_systems.each do |partition|
|
102
|
+
describe partition do
|
103
|
+
its('mount_options') { should include 'nosuid' }
|
104
|
+
end
|
105
|
+
end
|
106
|
+
|
107
|
+
### Check the partition mounted at /home contains 'nosuid' in its mount_options.
|
108
|
+
|
109
|
+
describe etc_fstab do
|
110
|
+
its('home_mount_options') { should include 'nosuid' }
|
111
|
+
end
|
112
|
+
|
113
|
+
### Check if a partition is mounted at a point.
|
114
|
+
|
115
|
+
describe etc_fstab.where { mount_point == '/home' } do
|
116
|
+
it { should be_configured }
|
117
|
+
end
|
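Review bot: the new page has two `## Syntax` headings, one above the rule description and one above the `where` examples, and the second syntax block is copy-paste residue from the etc_hosts page: the constructor parameter is named `hosts_path` and the `mount_point` assertion expects `'hostname'`, neither of which makes sense for fstab. Rename the parameter (for example `fstab_path`) and use a real mount point in the assertion. Smaller fixes in the same hunk: `its('file_system_options') { should cmp 'list ' }` has a trailing space inside the quotes; the return-type sentences read "a integer array of each partitions …" and "a String array of each partitions …" (article and apostrophe) and `mount_point` says "directorys"; the rule description has "the options its mounted with" and "the order the files system should be checked". Finally, the Examples section relies on `nfs_file_systems`, `home_mount_options` and the `be_configured` matcher, none of which appear in the property list above, so a reader of the reference cannot discover them; add a short entry for each.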
@@ -14,9 +14,20 @@ A `mysql_conf` resource block declares one (or more) settings in the `my.cnf` fi
|
|
14
14
|
its('setting') { should eq 'value' }
|
15
15
|
end
|
16
16
|
|
17
|
+
# Test a parameter set within the [mysqld] section
|
18
|
+
describe mysql_conf do
|
19
|
+
its('mysqld.port') { should cmp 3306 }
|
20
|
+
end
|
21
|
+
|
22
|
+
# Test a parameter set within the [mariadb] section using array notation
|
23
|
+
describe mysql_conf do
|
24
|
+
its(['mariadb', 'max-connections']) { should_not be_nil }
|
25
|
+
end
|
26
|
+
|
17
27
|
where
|
18
28
|
|
19
29
|
* `'setting'` specifies a setting in the `my.cnf` file, such as `max_connections`
|
30
|
+
* when checking a setting within sections, such as `[mysqld]`, the section name must be included
|
20
31
|
* `('path')` is the non-default path to the `my.cnf` file
|
21
32
|
* `should eq 'value'` is the value that is expected
|
22
33
|
|
@@ -0,0 +1,72 @@
|
|
1
|
+
---
|
2
|
+
title: The Nginx Resource
|
3
|
+
---
|
4
|
+
|
5
|
+
# nginx
|
6
|
+
|
7
|
+
Use the `nginx` InSpec audit resource to test the fields and validity of nginx.
|
8
|
+
|
9
|
+
Nginx resource extracts and exposes data reported by the command 'nginx -V'
|
10
|
+
|
11
|
+
## Syntax
|
12
|
+
|
13
|
+
An `nginx` InSpec audit resource block extracts configuration settings that should be tested:
|
14
|
+
|
15
|
+
describe nginx do
|
16
|
+
its('attribute') { should eq 'value' }
|
17
|
+
end
|
18
|
+
|
19
|
+
describe nginx('path to nginx') do
|
20
|
+
its('attribute') { should eq 'value' }
|
21
|
+
end
|
22
|
+
|
23
|
+
where
|
24
|
+
|
25
|
+
* `'attribute'` is a configuration parsed from result of the command 'nginx -V'
|
26
|
+
* `'value'` is the value that is expected of the attribute
|
27
|
+
|
28
|
+
## Supported Properties
|
29
|
+
|
30
|
+
* 'compiler_info', 'error_log_path', 'http_client_body_temp_path', 'http_fastcgi_temp_path', 'http_log_path', 'http_proxy_temp_path', 'http_scgi_temp_path', 'http_uwsgi_temp_path', 'lock_path', 'modules', 'modules_path', 'openssl_version', 'prefix', 'sbin_path', 'service', 'support_info', 'version'
|
31
|
+
|
32
|
+
## Property Examples and Return Types
|
33
|
+
|
34
|
+
### version(String)
|
35
|
+
|
36
|
+
`version` returns a string of the version of the running nginx instance
|
37
|
+
|
38
|
+
describe nginx do
|
39
|
+
its('version') { should eq '1.12.0' }
|
40
|
+
end
|
41
|
+
|
42
|
+
### modules(String)
|
43
|
+
|
44
|
+
`modules` returns a array modules in the running nginx instance
|
45
|
+
|
46
|
+
describe nginx do
|
47
|
+
its('modules') { should include 'my_module' }
|
48
|
+
end
|
49
|
+
|
50
|
+
### openssl_version(Hash)
|
51
|
+
|
52
|
+
`openssl_version ` returns a hash with 'version' and 'date' as keys
|
53
|
+
|
54
|
+
describe nginx do
|
55
|
+
its('openssl_version.date') { should eq '11 Feb 2013' }
|
56
|
+
end
|
57
|
+
|
58
|
+
### compiler_info(Hash)
|
59
|
+
|
60
|
+
`compiler_info ` returns a hash with 'compiler' , version' and 'date' as keys
|
61
|
+
|
62
|
+
describe nginx do
|
63
|
+
its('compiler_info.compiler') { should eq 'gcc' }
|
64
|
+
end
|
65
|
+
|
66
|
+
### support_info(String)
|
67
|
+
|
68
|
+
`support_info ` returns a string containing supported protocols
|
69
|
+
|
70
|
+
describe nginx do
|
71
|
+
its('support_info') { should match /TLS/ }
|
72
|
+
end
|
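Review bot: the `### modules(String)` heading contradicts its own description ("returns a array modules") and the `should include 'my_module'` example, both of which only make sense for an Array; retitle it `modules(Array)` and change the sentence to "returns an array of the modules compiled into the running nginx instance". In the same hunk, `openssl_version `, `compiler_info ` and `support_info ` carry a trailing space inside the backticks, the `compiler_info` sentence is missing the opening quote on `'version'` (it reads `'compiler' , version' and 'date'`), and the intro "test the fields and validity of nginx" is vague where the next line already states the precise scope (data parsed from `nginx -V`); consider "test the build configuration of the nginx binary" and keep the `nginx -V` sentence.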
@@ -148,6 +148,17 @@ Finished in 0.02862 seconds (files took 0.62628 seconds to load)
|
|
148
148
|
5 examples, 0 failures, 1 pending
|
149
149
|
```
|
150
150
|
|
151
|
+
Exec a specific version(2.0.1) of a profile when logged in with Automate:
|
152
|
+
|
153
|
+
```
|
154
|
+
$ inspec exec compliance://admin/apache-baseline#2.0.1
|
155
|
+
```
|
156
|
+
|
157
|
+
Download a specific version(2.0.2) of a profile when logged in with Automate:
|
158
|
+
```
|
159
|
+
$ inspec compliance download compliance://admin/apache-baseline#2.0.2
|
160
|
+
```
|
161
|
+
|
151
162
|
### To Logout from Chef Compliance
|
152
163
|
|
153
164
|
```
|
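Review bot: style only: the second new example ("Download a specific version(2.0.2) …") is missing the blank line between its sentence and the opening fence that the first example has, so the two render differently; both sentences also want a space before the parenthesis, "a specific version (2.0.1)".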
@@ -83,9 +83,13 @@ module Compliance
|
|
83
83
|
# verifies that a profile
|
84
84
|
def self.exist?(config, profile)
|
85
85
|
_msg, profiles = Compliance::API.profiles(config)
|
86
|
+
owner, id, ver = profile_split(profile)
|
86
87
|
if !profiles.empty?
|
87
|
-
|
88
|
-
|
88
|
+
profiles.any? do |p|
|
89
|
+
p['owner_id'] == owner &&
|
90
|
+
p['name'] == id &&
|
91
|
+
(ver.nil? || p['version'] == ver)
|
92
|
+
end
|
89
93
|
else
|
90
94
|
false
|
91
95
|
end
|
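Review bot: the `if !profiles.empty? … else false end` wrapper is now redundant, because `profiles.any?` already returns false for an empty array; the method body can be just the `profiles.any? do |p| … end` block. More importantly, the version match is exact string equality on `p['version']`, so `exist?` returns false for `admin/apache-baseline#2.0` when the server stores `2.0.1`. If exact matching is intended, say so in the method comment, which currently reads `# verifies that a profile` and trails off.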
@@ -179,14 +183,21 @@ module Compliance
|
|
179
183
|
end
|
180
184
|
|
181
185
|
def self.target_url(config, profile)
|
182
|
-
|
183
|
-
|
184
|
-
|
186
|
+
owner, id, ver = profile_split(profile)
|
187
|
+
|
188
|
+
return "#{config['server']}/owners/#{owner}/compliance/#{id}/tar" unless is_automate_server?(config)
|
189
|
+
|
190
|
+
if ver.nil?
|
191
|
+
"#{config['server']}/profiles/#{owner}/#{id}/tar"
|
185
192
|
else
|
186
|
-
owner
|
187
|
-
target = "#{config['server']}/owners/#{owner}/compliance/#{id}/tar"
|
193
|
+
"#{config['server']}/profiles/#{owner}/#{id}/version/#{ver}/tar"
|
188
194
|
end
|
189
|
-
|
195
|
+
end
|
196
|
+
|
197
|
+
def self.profile_split(profile)
|
198
|
+
owner, id = profile.split('/')
|
199
|
+
id, version = id.split('#')
|
200
|
+
[owner, id, version]
|
190
201
|
end
|
191
202
|
|
192
203
|
# returns a parsed url for `admin/profile` or `compliance://admin/profile`
|
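Review bot: `profile_split` raises `NoMethodError` for a profile name without a `/`: `owner, id = profile.split('/')` leaves `id` nil and the next line calls `id.split('#')` on it; it also silently drops anything after a second `/`. Validate the shape and raise a clear error, e.g. `raise ArgumentError, "expected owner/profile[#version], got #{profile}"` when `id.nil?`. Separately, in `target_url` the version is ignored whenever the target is not an Automate server: the early `return … unless is_automate_server?(config)` builds the URL without `ver`, so `compliance://admin/apache-baseline#2.0.1` against a Chef Compliance server fetches whatever the server serves by default with no warning. At minimum log a warning when `ver` is set on that path, or reject the request.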
@@ -104,7 +104,7 @@ module Compliance
|
|
104
104
|
# iterate over profiles
|
105
105
|
headline('Available profiles:')
|
106
106
|
profiles.each { |profile|
|
107
|
-
li("#{profile['title']} #{mark_text(profile['owner_id'] + '/' + profile['name'])}")
|
107
|
+
li("#{profile['title']} v#{profile['version']} (#{mark_text(profile['owner_id'] + '/' + profile['name'])})")
|
108
108
|
}
|
109
109
|
else
|
110
110
|
puts msg, 'Could not find any profiles'
|
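Review bot: `v#{profile['version']}` prints a bare `v` when the profile hash carries no `version` key, since interpolating nil yields an empty string; guard it, e.g. `version = profile['version'] ? " v#{profile['version']}" : ''` and interpolate that, so the listing stays readable on servers that do not report versions.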
data/lib/inspec/exceptions.rb
CHANGED
data/lib/inspec/resource.rb
CHANGED
@@ -89,6 +89,7 @@ require 'resources/directory'
|
|
89
89
|
require 'resources/docker'
|
90
90
|
require 'resources/docker_image'
|
91
91
|
require 'resources/docker_container'
|
92
|
+
require 'resources/etc_fstab'
|
92
93
|
require 'resources/etc_group'
|
93
94
|
require 'resources/etc_hosts'
|
94
95
|
require 'resources/file'
|
@@ -113,6 +114,7 @@ require 'resources/mssql_session'
|
|
113
114
|
require 'resources/mysql'
|
114
115
|
require 'resources/mysql_conf'
|
115
116
|
require 'resources/mysql_session'
|
117
|
+
require 'resources/nginx'
|
116
118
|
require 'resources/nginx_conf'
|
117
119
|
require 'resources/npm'
|
118
120
|
require 'resources/ntp_conf'
|
data/lib/inspec/runner.rb
CHANGED
@@ -124,11 +124,13 @@ module Inspec
|
|
124
124
|
return options[:attributes] if secrets_targets.nil?
|
125
125
|
|
126
126
|
secrets_targets.each do |target|
|
127
|
+
validate_attributes_file_readability!(target)
|
128
|
+
|
127
129
|
secrets = Inspec::SecretsBackend.resolve(target)
|
128
130
|
if secrets.nil?
|
129
131
|
raise Inspec::Exceptions::SecretsBackendNotFound,
|
130
|
-
"
|
131
|
-
'Check to make sure
|
132
|
+
"Cannot find parser for attributes file '#{target}'. " \
|
133
|
+
'Check to make sure file has the appropriate extension.'
|
132
134
|
end
|
133
135
|
|
134
136
|
next if secrets.attributes.nil?
|
@@ -270,5 +272,21 @@ module Inspec
|
|
270
272
|
|
271
273
|
examples.each { |e| @test_collector.add_test(e, rule) }
|
272
274
|
end
|
275
|
+
|
276
|
+
def validate_attributes_file_readability!(target)
|
277
|
+
unless File.exist?(target)
|
278
|
+
raise Inspec::Exceptions::AttributesFileDoesNotExist,
|
279
|
+
"Cannot find attributes file '#{target}'. " \
|
280
|
+
'Check to make sure file exists.'
|
281
|
+
end
|
282
|
+
|
283
|
+
unless File.readable?(target)
|
284
|
+
raise Inspec::Exceptions::AttributesFileNotReadable,
|
285
|
+
"Cannot read attributes file '#{target}'. " \
|
286
|
+
'Check to make sure file is readable.'
|
287
|
+
end
|
288
|
+
|
289
|
+
true
|
290
|
+
end
|
273
291
|
end
|
274
292
|
end
|
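Review bot: the trailing `true` in `validate_attributes_file_readability!` is dead code: its only caller, the `secrets_targets.each` loop in the previous hunk, discards the return value, and the bang name already signals that failure is raised rather than returned; drop it. Two follow-ups: `Inspec::Exceptions::AttributesFileDoesNotExist` and `AttributesFileNotReadable` must be defined in `lib/inspec/exceptions.rb`, which the summary lists as +2 -0 but whose hunk is not rendered in this diff, so please confirm both names match exactly. And `File.exist?`/`File.readable?` inspect the machine running InSpec, which is correct for attributes files, but a one-line comment saying so would stop a later reader from assuming the check goes through the target transport.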
data/lib/inspec/version.rb
CHANGED
data/lib/resources/docker.rb
CHANGED
@@ -63,7 +63,7 @@ module Inspec::Resources
|
|
63
63
|
# For compatability with Serverspec we also offer the following resouses:
|
64
64
|
# - docker_container
|
65
65
|
# - docker_image
|
66
|
-
class Docker < Inspec.resource(1)
|
66
|
+
class Docker < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
|
67
67
|
name 'docker'
|
68
68
|
|
69
69
|
desc "
|
@@ -167,6 +167,13 @@ module Inspec::Resources
|
|
167
167
|
|
168
168
|
# ensure all keys are there
|
169
169
|
j = ensure_container_keys(j)
|
170
|
+
|
171
|
+
# strip off any linked container names
|
172
|
+
# Depending on how it was linked, the actual container name may come before
|
173
|
+
# or after the link information, so we'll just look for the first name that
|
174
|
+
# does not include a slash since that is not a valid character in a container name
|
175
|
+
j['names'] = j['names'].split(',').find { |c| !c.include?('/') }
|
176
|
+
|
170
177
|
ps.push(j)
|
171
178
|
}
|
172
179
|
ps
|
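Review bot: `j['names'].split(',').find { |c| !c.include?('/') }` returns nil when every entry contains a slash, so `j['names']` silently becomes nil and any later lookup by container name fails with no explanation; fall back to the original value (`… || j['names']`) or to the first entry. Also consider the case where `ensure_container_keys` leaves `names` nil, in which case `split` itself raises. Finally, the key keeps its plural name `names` while it now holds a single name; a comment on that line would save the next reader a detour.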
@@ -0,0 +1,107 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
# copyright:
|
3
|
+
# author: Matthew Dromazos
|
4
|
+
|
5
|
+
require 'utils/parser'
|
6
|
+
|
7
|
+
class EtcFstab < Inspec.resource(1)
|
8
|
+
name 'etc_fstab'
|
9
|
+
desc 'Use the etc_fstab InSpec audit resource to check the configuration of the etc/fstab file.'
|
10
|
+
example "
|
11
|
+
removable_media = etc_fstab.removable_media_file_systems
|
12
|
+
removable_media.each do |media|
|
13
|
+
describe media do
|
14
|
+
its ('mount_options') { should include 'nosuid' }
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|
18
|
+
nfs_systems = etc_fstab.nfs_file_systems
|
19
|
+
nfs_systems.each do |file_system|
|
20
|
+
describe file_system do
|
21
|
+
its ('mount_options') { should include 'nosuid' }
|
22
|
+
its ('mount_options') { should include 'noexec' }
|
23
|
+
its ('mount_options') { should include '\'sec=krb5:krb5i:krb5p\'' }
|
24
|
+
end
|
25
|
+
end
|
26
|
+
|
27
|
+
describe etc_fstab do
|
28
|
+
its ('home_mount_options') { should include 'nosuid' }
|
29
|
+
end
|
30
|
+
"
|
31
|
+
|
32
|
+
attr_reader :params
|
33
|
+
|
34
|
+
include CommentParser
|
35
|
+
|
36
|
+
def initialize(fstab_path = nil)
|
37
|
+
return skip_resource 'The `etc_fstab` resource is not supported on your OS.' unless inspec.os.linux?
|
38
|
+
@conf_path = fstab_path || '/etc/fstab'
|
39
|
+
@files_contents = {}
|
40
|
+
@content = nil
|
41
|
+
@params = nil
|
42
|
+
read_content
|
43
|
+
end
|
44
|
+
|
45
|
+
filter = FilterTable.create
|
46
|
+
filter.add_accessor(:where)
|
47
|
+
.add_accessor(:entries)
|
48
|
+
.add(:device_name, field: 'device_name')
|
49
|
+
.add(:mount_point, field: 'mount_point')
|
50
|
+
.add(:file_system_type, field: 'file_system_type')
|
51
|
+
.add(:mount_options, field: 'mount_options')
|
52
|
+
.add(:dump_options, field: 'dump_options')
|
53
|
+
.add(:file_system_options, field: 'file_system_options')
|
54
|
+
.add(:configured?) { |x| x.entries.any? }
|
55
|
+
|
56
|
+
filter.connect(self, :params)
|
57
|
+
|
58
|
+
def nfs_file_systems
|
59
|
+
where { file_system_type.match(/nfs/) }
|
60
|
+
end
|
61
|
+
|
62
|
+
def home_mount_options
|
63
|
+
return nil unless where { mount_point == '/home' }.configured?
|
64
|
+
where { mount_point == '/home' }.entries[0].mount_options
|
65
|
+
end
|
66
|
+
|
67
|
+
private
|
68
|
+
|
69
|
+
def read_content
|
70
|
+
@content = ''
|
71
|
+
@params = {}
|
72
|
+
@content = read_file(@conf_path)
|
73
|
+
@params = parse_conf(@content)
|
74
|
+
end
|
75
|
+
|
76
|
+
def parse_conf(content)
|
77
|
+
content.map do |line|
|
78
|
+
data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
|
79
|
+
parse_line(data) unless data == ''
|
80
|
+
end.compact
|
81
|
+
end
|
82
|
+
|
83
|
+
def parse_line(line)
|
84
|
+
attributes = line.split
|
85
|
+
{
|
86
|
+
'device_name' => attributes[0],
|
87
|
+
'mount_point' => attributes[1],
|
88
|
+
'file_system_type' => attributes[2],
|
89
|
+
'mount_options' => attributes[3].split(','),
|
90
|
+
'dump_options' => attributes[4].to_i,
|
91
|
+
'file_system_options' => attributes[5].to_i,
|
92
|
+
}
|
93
|
+
end
|
94
|
+
|
95
|
+
def read_file(conf_path = @conf_path)
|
96
|
+
file = inspec.file(conf_path)
|
97
|
+
if !file.file?
|
98
|
+
return skip_resource "Can't find \"#{@conf_path}\""
|
99
|
+
end
|
100
|
+
|
101
|
+
raw_conf = file.content
|
102
|
+
if raw_conf.empty? && !file.empty?
|
103
|
+
return skip_resource("File is empty or unable to read file at path:\"#{@conf_path}\"")
|
104
|
+
end
|
105
|
+
raw_conf.lines
|
106
|
+
end
|
107
|
+
end
|
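Review bot: `parse_line` raises `NoMethodError` on any fstab line with fewer than four fields, because `attributes[3].split(',')` is called on nil; one malformed line aborts the whole resource instead of being skipped or reported. Guard it, e.g. `(attributes[3] || '').split(',')`, or skip lines where `attributes.length < 4` (the `to_i` calls on fields 4 and 5 already tolerate their absence, which matches fstab defaults). Second, the early returns in `read_file` return whatever `skip_resource` returns rather than an array of lines, and `read_content` passes that straight to `parse_conf`, which calls `content.map` on it; return `[]` after calling `skip_resource` (or check the skipped state in `read_content`) so a missing or unreadable fstab yields an empty table rather than an exception. Third, the assertion in the `example` string, `its ('mount_options') { should include '\'sec=krb5:krb5i:krb5p\'' }`, can only pass if the file itself contains literal quote characters, which fstab syntax does not use: the parser just splits the options field on commas, so the stored option is `sec=krb5:krb5i:krb5p`. Minor: `@files_contents = {}` is never used, and `home_mount_options` evaluates the same `where { mount_point == '/home' }` filter twice; compute it once.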
data/lib/resources/mysql_conf.rb
CHANGED
@@ -33,6 +33,16 @@ module Inspec::Resources
|
|
33
33
|
describe mysql_conf('path') do
|
34
34
|
its('setting') { should eq 'value' }
|
35
35
|
end
|
36
|
+
|
37
|
+
# Test a parameter set within the [mysqld] section
|
38
|
+
describe mysql_conf do
|
39
|
+
its('mysqld.port') { should cmp 3306 }
|
40
|
+
end
|
41
|
+
|
42
|
+
# Test a parameter set within the [mariadb] section using array notation
|
43
|
+
describe mysql_conf do
|
44
|
+
its(['mariadb', 'max-connections']) { should_not be_nil }
|
45
|
+
end
|
36
46
|
"
|
37
47
|
|
38
48
|
include FindFiles
|
@@ -0,0 +1,97 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
# author: Aaron Lippold, lippold@gmail.com
|
3
|
+
# author: Rony Xavier, rx294@gmail.com
|
4
|
+
|
5
|
+
require 'pathname'
|
6
|
+
require 'hashie/mash'
|
7
|
+
|
8
|
+
module Inspec::Resources
|
9
|
+
class Nginx < Inspec.resource(1)
|
10
|
+
name 'nginx'
|
11
|
+
desc 'Use the nginx InSpec audit resource to test information about your NGINX instance.'
|
12
|
+
example "
|
13
|
+
describe nginx do
|
14
|
+
its('conf_path') { should cmp '/etc/nginx/nginx.conf' }
|
15
|
+
end
|
16
|
+
describe nginx('/etc/sbin/') do
|
17
|
+
its('version') { should be >= '1.0.0' }
|
18
|
+
end
|
19
|
+
describe nginx do
|
20
|
+
its('modules') { should include 'my_module' }
|
21
|
+
end
|
22
|
+
"
|
23
|
+
attr_reader :params, :bin_dir
|
24
|
+
|
25
|
+
def initialize(nginx_path = '/usr/sbin/nginx')
|
26
|
+
return skip_resource 'The `nginx` resource is not yet available on your OS.' if inspec.os.windows?
|
27
|
+
return skip_resource 'The `nginx` binary not found in the path provided.' unless inspec.command(nginx_path).exist?
|
28
|
+
|
29
|
+
cmd = inspec.command("#{nginx_path} -V 2>&1")
|
30
|
+
if !cmd.exit_status.zero?
|
31
|
+
return skip_resource 'Error using the command nginx -V'
|
32
|
+
end
|
33
|
+
@data = cmd.stdout
|
34
|
+
@params = {}
|
35
|
+
read_content
|
36
|
+
end
|
37
|
+
|
38
|
+
%w{compiler_info error_log_path http_client_body_temp_path http_fastcgi_temp_path http_log_path http_proxy_temp_path http_scgi_temp_path http_uwsgi_temp_path lock_path modules_path openssl_version prefix sbin_path service support_info version}.each do |property|
|
39
|
+
define_method(property.to_sym) do
|
40
|
+
@params[property.to_sym]
|
41
|
+
end
|
42
|
+
end
|
43
|
+
|
44
|
+
def openssl_version
|
45
|
+
result = @data.scan(/built with OpenSSL\s(\S+)\s(\d+\s\S+\s\d{4})/).flatten
|
46
|
+
Hashie::Mash.new({ 'version' => result[0], 'date' => result[1] })
|
47
|
+
end
|
48
|
+
|
49
|
+
def compiler_info
|
50
|
+
result = @data.scan(/built by (\S+)\s(\S+)\s(\S+)/).flatten
|
51
|
+
Hashie::Mash.new({ 'compiler' => result[0], 'version' => result[1], 'date' => result[2] })
|
52
|
+
end
|
53
|
+
|
54
|
+
def support_info
|
55
|
+
support_info = @data.scan(/(.*\S+) support enabled/).flatten
|
56
|
+
support_info.empty? ? nil : support_info.join(' ')
|
57
|
+
end
|
58
|
+
|
59
|
+
def modules
|
60
|
+
@data.scan(/--with-(\S+)_module/).flatten
|
61
|
+
end
|
62
|
+
|
63
|
+
def to_s
|
64
|
+
'Nginx Environment'
|
65
|
+
end
|
66
|
+
|
67
|
+
private
|
68
|
+
|
69
|
+
def read_content
|
70
|
+
parse_config
|
71
|
+
parse_path
|
72
|
+
parse_http_path
|
73
|
+
end
|
74
|
+
|
75
|
+
def parse_config
|
76
|
+
@params[:prefix] = @data.scan(/--prefix=(\S+)\s/).flatten.first
|
77
|
+
@params[:service] = 'nginx'
|
78
|
+
@params[:version] = @data.scan(%r{nginx version: nginx\/(\S+)\s}).flatten.first
|
79
|
+
end
|
80
|
+
|
81
|
+
def parse_path
|
82
|
+
@params[:sbin_path] = @data.scan(/--sbin-path=(\S+)\s/).flatten.first
|
83
|
+
@params[:modules_path] = @data.scan(/--modules-path=(\S+)\s/).flatten.first
|
84
|
+
@params[:error_log_path] = @data.scan(/--error-log-path=(\S+)\s/).flatten.first
|
85
|
+
@params[:http_log_path] = @data.scan(/--http-log-path=(\S+)\s/).flatten.first
|
86
|
+
@params[:lock_path] = @data.scan(/--lock-path=(\S+)\s/).flatten.first
|
87
|
+
end
|
88
|
+
|
89
|
+
def parse_http_path
|
90
|
+
@params[:http_client_body_temp_path] = @data.scan(/--http-client-body-temp-path=(\S+)\s/).flatten.first
|
91
|
+
@params[:http_proxy_temp_path] = @data.scan(/--http-proxy-temp-path=(\S+)\s/).flatten.first
|
92
|
+
@params[:http_fastcgi_temp_path] = @data.scan(/--http-fastcgi-temp-path=(\S+)\s/).flatten.first
|
93
|
+
@params[:http_uwsgi_temp_path] = @data.scan(/--http-uwsgi-temp-path=(\S+)\s/).flatten.first
|
94
|
+
@params[:http_scgi_temp_path] = @data.scan(/--http-scgi-temp-path=(\S+)\s/).flatten.first
|
95
|
+
end
|
96
|
+
end
|
97
|
+
end
|
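Review bot: `compiler_info`, `openssl_version` and `support_info` are defined twice: once by the `%w{…}.each do |property| define_method(property.to_sym)` loop, which would return `@params[...]` entries that `parse_config`, `parse_path` and `parse_http_path` never set, and again as explicit methods below that scan `@data`. The explicit definitions win, but Ruby warns on the redefinition and the list misleads; remove those three names from the `%w{}` list. Second, `nginx_path` is interpolated unquoted into `"#{nginx_path} -V 2>&1"`; it comes from the profile author, so the exposure is small, but `Shellwords.escape(nginx_path)` costs one line and removes the question entirely. Third, the `example` string compares versions as strings, `its('version') { should be >= '1.0.0' }`, which is lexicographic (`'1.9.0' >= '1.10.0'` is true); use the version-aware `should cmp >= '1.0.0'` instead. Minor: `require 'pathname'` is unused.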
data/lib/resources/package.rb
CHANGED
@@ -193,7 +193,8 @@ module Inspec::Resources
|
|
193
193
|
# MacOS / Darwin implementation
|
194
194
|
class Brew < PkgManagement
|
195
195
|
def info(package_name)
|
196
|
-
|
196
|
+
brew_path = inspec.command('brew').exist? ? 'brew' : '/usr/local/bin/brew'
|
197
|
+
cmd = inspec.command("#{brew_path} info --json=v1 #{package_name}")
|
197
198
|
return nil if cmd.exit_status.to_i != 0
|
198
199
|
# parse data
|
199
200
|
pkg = JSON.parse(cmd.stdout)[0]
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: inspec
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.37.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dominik Richter
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-09-
|
11
|
+
date: 2017-09-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: train
|
@@ -330,6 +330,7 @@ files:
|
|
330
330
|
- docs/resources/docker.md.erb
|
331
331
|
- docs/resources/docker_container.md.erb
|
332
332
|
- docs/resources/docker_image.md.erb
|
333
|
+
- docs/resources/etc_fstab.md.erb
|
333
334
|
- docs/resources/etc_group.md.erb
|
334
335
|
- docs/resources/etc_hosts.md.erb
|
335
336
|
- docs/resources/file.md.erb
|
@@ -355,6 +356,7 @@ files:
|
|
355
356
|
- docs/resources/mssql_session.md.erb
|
356
357
|
- docs/resources/mysql_conf.md.erb
|
357
358
|
- docs/resources/mysql_session.md.erb
|
359
|
+
- docs/resources/nginx.md.erb
|
358
360
|
- docs/resources/nginx_conf.md.erb
|
359
361
|
- docs/resources/npm.md.erb
|
360
362
|
- docs/resources/ntp_conf.md.erb
|
@@ -571,6 +573,7 @@ files:
|
|
571
573
|
- lib/resources/docker.rb
|
572
574
|
- lib/resources/docker_container.rb
|
573
575
|
- lib/resources/docker_image.rb
|
576
|
+
- lib/resources/etc_fstab.rb
|
574
577
|
- lib/resources/etc_group.rb
|
575
578
|
- lib/resources/etc_hosts.rb
|
576
579
|
- lib/resources/file.rb
|
@@ -596,6 +599,7 @@ files:
|
|
596
599
|
- lib/resources/mysql.rb
|
597
600
|
- lib/resources/mysql_conf.rb
|
598
601
|
- lib/resources/mysql_session.rb
|
602
|
+
- lib/resources/nginx.rb
|
599
603
|
- lib/resources/nginx_conf.rb
|
600
604
|
- lib/resources/npm.rb
|
601
605
|
- lib/resources/ntp_conf.rb
|
@@ -678,7 +682,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
678
682
|
version: '0'
|
679
683
|
requirements: []
|
680
684
|
rubyforge_project:
|
681
|
-
rubygems_version: 2.6.
|
685
|
+
rubygems_version: 2.6.13
|
682
686
|
signing_key:
|
683
687
|
specification_version: 4
|
684
688
|
summary: Infrastructure and compliance testing.
|