inspec 1.38.8 → 1.39.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a11293dc2aaa9e66285a63b04a476b03ebe6a703
-  data.tar.gz: 5498bd736298eab2b16776a92ebb1921b848e4fd
+  metadata.gz: 97699693b6d62f4d9e4c0a0bba1976a9336e45f5
+  data.tar.gz: e63ab2af1bf3052abcac967c638ebdfb433e4ba3
 SHA512:
-  metadata.gz: 001f1e34e039a7eb24f433ecb54fb2afab16f1b6ac4ed86658b9a71db66c958b4b24532feecb072d988d37e3be6a3b37821ab46cbd8457fcd6c1fae47ca0cd96
-  data.tar.gz: 35f44d8abafac513133c35844bc1f907263e6023acf5003a48000248d620095a755b2ccf4236e373c67c7273713460b2f930d0895e2db7e37e5a8096413eabae
+  metadata.gz: c002fbc3e01f146eb0626a0848a57cb3d51e50cd10fbec05d39712f887765fd0b48fda1136ad467e84e72ec2d5c99ed64bd5899a64faeee2c801a89d762b1fbb
+  data.tar.gz: 7bdcbd01f32a11d195fc2f84c092e6584fd8f0d0632feb981e923d96f8a7f05ccdf0c2100a1d078b5ea778bc76b605f52329e087ef830d710322e2927953f85b

data/CHANGELOG.md

@@ -1,39 +1,48 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 1.38.8 -->
-## [v1.38.5](https://github.com/chef/inspec/tree/v1.38.5) (2017-09-23)
+<!-- latest_release 1.39.1 -->
+## [v1.39.0](https://github.com/chef/inspec/tree/v1.39.0) (2017-09-25)
 
 #### Merged Pull Requests
-- Bump train to 0.27 [#2180](https://github.com/chef/inspec/pull/2180) ([adamleff](https://github.com/adamleff))
+- Bump train to 0.28 to allow for more net-ssh versions [#2185](https://github.com/chef/inspec/pull/2185) ([adamleff](https://github.com/adamleff))
 <!-- latest_release -->
 
-<!-- release_rollup since=1.37.6 -->
+<!-- release_rollup since=1.38.8 -->
 ### Changes since 1.37.6 release
 
-#### Bug Fixes
-- Modify Upstart enabled check to use config file [#2163](https://github.com/chef/inspec/pull/2163) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 1.38.2 -->
-- Support `false` for attribute value [#2168](https://github.com/chef/inspec/pull/2168) ([adamleff](https://github.com/adamleff)) <!-- 1.38.1 -->
-- quote username and hostname in mssql_session.rb [#2151](https://github.com/chef/inspec/pull/2151) ([bratdim](https://github.com/bratdim)) <!-- 1.37.11 -->
-- Update method in which Pry hooks are removed [#2170](https://github.com/chef/inspec/pull/2170) ([adamleff](https://github.com/adamleff)) <!-- 1.37.13 -->
+#### Merged Pull Requests
+- Bump train to 0.28 to allow for more net-ssh versions [#2185](https://github.com/chef/inspec/pull/2185) ([adamleff](https://github.com/adamleff)) <!-- 1.39.1 -->
+
+#### New Resources
+- etc_hosts_allow and etc_hosts_deny resources: test the content of the tcpwrappers configuration files [#2073](https://github.com/chef/inspec/pull/2073) ([dromazmj](https://github.com/dromazmj)) <!-- 1.39.0 -->
+- windows_hotfix resource: test whether a Windows HotFix is installed [#2178](https://github.com/chef/inspec/pull/2178) ([mattray](https://github.com/mattray)) <!-- 1.38.9 -->
+<!-- release_rollup -->
+
+<!-- latest_stable_release -->
+## [v1.38.8](https://github.com/chef/inspec/tree/v1.38.8) (2017-09-23)
 
 #### New Resources
-- auditd resource: test active auditd configuration against the audit daemon [#2133](https://github.com/chef/inspec/pull/2133) ([jburns12](https://github.com/jburns12)) <!-- 1.37.9 -->
+- auditd resource: test active auditd configuration against the audit daemon [#2133](https://github.com/chef/inspec/pull/2133) ([jburns12](https://github.com/jburns12))
 
 #### Enhancements
-- forgiving default attributes [#2177](https://github.com/chef/inspec/pull/2177) ([arlimus](https://github.com/arlimus)) <!-- 1.38.4 -->
-- Support array syntax for registry_key resource [#2160](https://github.com/chef/inspec/pull/2160) ([adamleff](https://github.com/adamleff)) <!-- 1.37.12 -->
-- Add wildcard/multiple server support to nginx_conf resource [#2141](https://github.com/chef/inspec/pull/2141) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 1.37.8 -->
+- Add wildcard support to `Utils::FindFiles` [#2159](https://github.com/chef/inspec/pull/2159) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- Add wildcard/multiple server support to nginx_conf resource [#2141](https://github.com/chef/inspec/pull/2141) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- Support array syntax for registry_key resource [#2160](https://github.com/chef/inspec/pull/2160) ([adamleff](https://github.com/adamleff))
+- forgiving default attributes [#2177](https://github.com/chef/inspec/pull/2177) ([arlimus](https://github.com/arlimus))
 
-#### Merged Pull Requests
-- Bump train to 0.27 [#2180](https://github.com/chef/inspec/pull/2180) ([adamleff](https://github.com/adamleff)) <!-- 1.38.8 -->
-- Properly return postgres query errors on failure [#2179](https://github.com/chef/inspec/pull/2179) ([adamleff](https://github.com/adamleff)) <!-- 1.38.7 -->
-- Add wildcard support to `Utils::FindFiles` [#2159](https://github.com/chef/inspec/pull/2159) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 1.38.6 -->
-- Modify `DirProvider` to allow special characters [#2174](https://github.com/chef/inspec/pull/2174) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 1.38.5 -->
-- Update changelog for v1.38.2 release [#2173](https://github.com/chef/inspec/pull/2173) ([adamleff](https://github.com/adamleff)) <!-- 1.37.13 -->
-- Add deprecation warning to auditd_rules resource [#2156](https://github.com/chef/inspec/pull/2156) ([adamleff](https://github.com/adamleff)) <!-- 1.37.10 -->
-<!-- release_rollup -->
+#### Bug Fixes
+- Modify `DirProvider` to allow special characters [#2174](https://github.com/chef/inspec/pull/2174) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- Properly return postgres query errors on failure [#2179](https://github.com/chef/inspec/pull/2179) ([adamleff](https://github.com/adamleff))
+- Update method in which Pry hooks are removed [#2170](https://github.com/chef/inspec/pull/2170) ([adamleff](https://github.com/adamleff))
+- quote username and hostname in mssql_session.rb [#2151](https://github.com/chef/inspec/pull/2151) ([bratdim](https://github.com/bratdim))
+- Support `false` for attribute value [#2168](https://github.com/chef/inspec/pull/2168) ([adamleff](https://github.com/adamleff))
+- Modify Upstart enabled check to use config file [#2163](https://github.com/chef/inspec/pull/2163) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
 
+#### Merged Pull Requests
+- Add deprecation warning to auditd_rules resource [#2156](https://github.com/chef/inspec/pull/2156) ([adamleff](https://github.com/adamleff))
+- Bump train to 0.27 [#2180](https://github.com/chef/inspec/pull/2180) ([adamleff](https://github.com/adamleff))
 <!-- latest_stable_release -->
+
 ## [v1.37.6](https://github.com/chef/inspec/tree/v1.37.6) (2017-09-14)
 
 #### New Resources
@@ -50,7 +59,6 @@
 
 #### Merged Pull Requests
 - Bump Ruby to 2.3.5 for Omnibus build [#2149](https://github.com/chef/inspec/pull/2149) ([adamleff](https://github.com/adamleff))
-<!-- latest_stable_release -->
 
 ## [v1.36.1](https://github.com/chef/inspec/tree/v1.36.1) (2017-09-07)
 

data/docs/resources/etc_hosts_allow.md.erb

@@ -0,0 +1,64 @@
+---
+title: About the etc_hosts_allow Resource
+---
+
+# etc_hosts_allow
+
+Use the `etc_hosts_allow` InSpec audit resource to test rules set to accept daemon and client traffic set in /etc/hosts.allow file.
+
+## Syntax
+
+An etc/hosts.allow rule specifies one or more daemons mapped to one or more clients,
+with zero or more options to use to accept traffic when found.
+
+## Syntax
+
+Use the where clause to match a property to one or more rules in the hosts.allow file.
+
+    describe etc_hosts_allow.where { daemon == 'value' } do
+      its ('client_list') { should include ['values'] }
+      its ('options') { should include ['values'] }
+    end
+
+Use the optional constructor parameter to give an alternative path to hosts.allow
+
+    describe etc_hosts_allow(hosts_path).where { daemon == 'value' } do
+      its ('client_list') { should include ['values'] }
+      its ('options') { should include ['values'] }
+    end
+
+where
+
+* `daemon` is a daemon that will be allowed to pass traffic in.
+* `client_list` is a list of clients will be allowed to pass traffic in.
+* `options` is a list of tasks that to be done with the rule when traffic is found.
+
+## Supported Properties
+
+    'daemon', 'client_list', 'options'
+
+## Property Examples and Return Types
+
+### daemon
+
+`daemon` returns a string containing the daemon that is allowed in the rule.
+
+    describe etc_hosts_allow.where { client_list == ['127.0.1.154',  '[:fff:fAb0::]'] } do
+      its('daemon') { should eq ['vsftpd', 'sshd'] }
+    end
+
+### client_list
+
+`client_list` returns a 2d string array where each entry contains the clients specified for the rule.
+
+    describe etc_hosts_allow.where { daemon == 'sshd' } do
+      its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
+    end
+
+### options
+
+`options` returns a 2d string array where each entry contains any options specified for the rule.
+
+    describe etc_hosts_allow.where { daemon == 'sshd' } do
+      its('options') { should include ['deny', 'echo "REJECTED"'] }
+    end

data/docs/resources/etc_hosts_deny.md.erb

@@ -0,0 +1,64 @@
+---
+title: About the etc_hosts_deny Resource
+---
+
+# etc_hosts_deny
+
+Use the `etc_hosts_deny` InSpec audit resource to test rules set to reject daemon and client traffic set in /etc/hosts.deny.
+
+## Syntax
+
+An etc/hosts.deny rule specifies one or more daemons mapped to one or more clients,
+with zero or more options to use to reject traffic when found.
+
+## Syntax
+
+Use the where clause to match a property to one or more rules in the hosts.deny file.
+
+    describe etc_hosts_deny.where { daemon == 'value' } do
+      its ('client_list') { should include ['values'] }
+      its ('options') { should include ['values'] }
+    end
+
+Use the optional constructor parameter to give an alternative path to hosts.deny
+
+    describe etc_hosts_deny(hosts_path).where { daemon == 'value' } do
+      its ('client_list') { should include ['values'] }
+      its ('options') { should include ['values'] }
+    end
+
+where
+
+* `daemon` is a daemon that will be rejected to pass traffic in.
+* `client_list` is a list of clients will be rejected to pass traffic in.
+* `options` is a list of tasks that to be done with the rule when traffic is found.
+
+## Supported Properties
+
+    'daemon', 'client_list', 'options'
+
+## Property Examples and Return Types
+
+### daemon
+
+`daemon` returns a string containing the daemon that is allowed in the rule.
+
+    describe etc_hosts_deny.where { client_list == ['127.0.1.154',  '[:fff:fAb0::]'] } do
+      its('daemon') { should eq ['vsftpd', 'sshd'] }
+    end
+
+### client_list
+
+`client_list` returns a 2d string array where each entry contains the clients specified for the rule.
+
+    describe etc_hosts_deny.where { daemon == 'sshd' } do
+      its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
+    end
+
+### options
+
+`options` returns a 2d string array where each entry contains any options specified for the rule.
+
+    describe etc_hosts_deny.where { daemon == 'sshd' } do
+      its('options') { should include ['deny', 'echo "REJECTED"'] }
+    end

data/docs/resources/windows_hotfix.md.erb

@@ -0,0 +1,44 @@
+---
+title: About the windows_hotfix Resource
+---
+
+Use the `windows_hotfix` InSpec audit resource to test if the hotfix has been installed on a Windows system.
+
+## Syntax
+
+A `windows_hotfix` resource block declares a hotfix to validate:
+
+    describe windows_hotfix('name') do
+      it { should be_installed }
+    end
+
+where
+
+* `('name')` must specify the name of a hotfix, such as `'KB4012213'`
+* `be_installed` is a valid matcher for this resource
+
+## Matcher
+
+This InSpec audit resource has the following matcher:
+
+### be_installed
+
+The `be_installed` matcher tests if the named hotfix is installed on the system:
+
+    it { should be_installed }
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test if KB4012213 is installed
+
+    describe windows_hotfix('KB4012213') do
+      it { should be_installed }
+    end
+
+### Test that a hotfix is not installed
+
+    describe windows_hotfix('KB9999999') do
+      it { should_not be_installed }
+    end

data/inspec.gemspec

@@ -26,7 +26,7 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = '>= 2.1'
 
-  spec.add_dependency 'train', '~> 0.27'
+  spec.add_dependency 'train', '~> 0.28'
   spec.add_dependency 'thor', '~> 0.19'
   spec.add_dependency 'json', '>= 1.8', '< 3.0'
   spec.add_dependency 'rainbow', '~> 2'

data/lib/inspec/resource.rb

@@ -88,10 +88,11 @@ require 'resources/crontab'
 require 'resources/dh_params'
 require 'resources/directory'
 require 'resources/docker'
-require 'resources/docker_image'
 require 'resources/docker_container'
+require 'resources/docker_image'
 require 'resources/etc_fstab'
 require 'resources/etc_group'
+require 'resources/etc_hosts_allow_deny'
 require 'resources/etc_hosts'
 require 'resources/file'
 require 'resources/gem'
@@ -127,12 +128,12 @@ require 'resources/package'
 require 'resources/packages'
 require 'resources/parse_config'
 require 'resources/passwd'
-require 'resources/postgres_hba_conf'
-require 'resources/postgres_ident_conf'
 require 'resources/pip'
 require 'resources/port'
 require 'resources/postgres'
 require 'resources/postgres_conf'
+require 'resources/postgres_hba_conf'
+require 'resources/postgres_ident_conf'
 require 'resources/postgres_session'
 require 'resources/powershell'
 require 'resources/processes'
@@ -141,18 +142,19 @@ require 'resources/registry_key'
 require 'resources/security_policy'
 require 'resources/service'
 require 'resources/shadow'
-require 'resources/ssl'
 require 'resources/ssh_conf'
+require 'resources/ssl'
 require 'resources/sys_info'
 require 'resources/toml'
 require 'resources/users'
 require 'resources/vbscript'
 require 'resources/virtualization'
 require 'resources/windows_feature'
+require 'resources/windows_hotfix'
 require 'resources/windows_task'
-require 'resources/xinetd'
 require 'resources/wmi'
 require 'resources/x509_certificate'
+require 'resources/xinetd'
 require 'resources/yum'
 require 'resources/zfs_dataset'
 require 'resources/zfs_pool'

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.38.8'.freeze
+  VERSION = '1.39.1'.freeze
 end

data/lib/resources/etc_hosts_allow_deny.rb

@@ -0,0 +1,122 @@
+# encoding: utf-8
+# author: Matthew Dromazos
+
+require 'utils/parser'
+
+module Inspec::Resources
+  class EtcHostsAllow < Inspec.resource(1)
+    name 'etc_hosts_allow'
+    desc 'Use the etc_hosts_allow InSpec audit resource to test the connections
+          the client will allow. Controlled by the /etc/hosts.allow file.'
+    example "
+      describe etc_hosts_allow.where { daemon == 'ALL' } do
+        its('client_list') { should include ['127.0.0.1', '[::1]'] }
+        its('options') { should eq [[]] }
+      end
+    "
+
+    attr_reader :params
+
+    include CommentParser
+
+    def initialize(hosts_allow_path = nil)
+      return skip_resource 'The `etc_hosts_allow` resource is not supported on your OS.' unless inspec.os.linux?
+      @conf_path      = hosts_allow_path || '/etc/hosts.allow'
+      @content        = nil
+      @params         = nil
+      read_content
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:daemon,      field: 'daemon')
+          .add(:client_list, field: 'client_list')
+          .add(:options,     field: 'options')
+
+    filter.connect(self, :params)
+
+    private
+
+    def read_content
+      @content = ''
+      @params  = {}
+      @content = split_daemons(read_file(@conf_path))
+      @params  = parse_conf(@content)
+    end
+
+    def split_daemons(content)
+      split_daemons_list = []
+      content.each do |line|
+        data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
+        next unless data != ''
+        data.split(':')[0].split(',').each do |daemon|
+          split_daemons_list.push("#{daemon} : " + line.split(':', 2)[1])
+        end
+      end
+      split_daemons_list
+    end
+
+    def parse_conf(content)
+      content.map do |line|
+        data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
+        parse_line(data) unless data == ''
+      end.compact
+    end
+
+    def parse_line(line)
+      daemon, clients_and_options = line.split(/:\s+/, 2)
+      daemon = daemon.strip
+
+      clients_and_options ||= ''
+      clients, options = clients_and_options.split(/\s+:\s+/, 2)
+      client_list = clients.split(/,/).map(&:strip)
+
+      options ||= ''
+      options_list = options.split(/:\s+/).map(&:strip)
+
+      {
+        'daemon'      => daemon,
+        'client_list' => client_list,
+        'options'     => options_list,
+      }
+    end
+
+    def read_file(conf_path = @conf_path)
+      # Determine if the file exists and contains anything, if not
+      # then access control is turned off.
+      file = inspec.file(conf_path)
+      if !file.file?
+        return skip_resource "Can't find file at \"#{@conf_path}\""
+      end
+      raw_conf = file.content
+      if raw_conf.empty? && !file.empty?
+        return skip_resource("Unable to read file \"#{@conf_path}\"")
+      end
+
+      # If there is a file and it contains content, continue
+      raw_conf.lines
+    end
+  end
+
+  class EtcHostsDeny < EtcHostsAllow
+    name 'etc_hosts_deny'
+    desc 'Use the etc_hosts_deny InSpec audit resource to test the connections
+          the client will deny. Controlled by the /etc/hosts.deny file.'
+    example "
+      describe etc_hosts_deny.where { daemon_list == 'ALL' } do
+        its('client_list') { should eq [['127.0.0.1', '[::1]']] }
+        its('options') { should eq [] }
+      end
+    "
+
+    def initialize(path = nil)
+      return skip_resource '`etc_hosts_deny` is not supported on your OS' unless inspec.os.linux?
+      super(path || '/etc/hosts.deny')
+    end
+
+    def to_s
+      'hosts.deny Configuration'
+    end
+  end
+end

data/lib/resources/windows_hotfix.rb

@@ -0,0 +1,35 @@
+# encoding: utf-8
+# author: Matt Ray
+
+module Inspec::Resources
+  class WindowsHotfix < Inspec.resource(1)
+    name 'windows_hotfix'
+    desc 'Use the windows_hotfix InSpec audit resource to test if the hotfix has been installed on the Windows system.'
+    example "
+      describe windows_hotfix('KB4012212') do
+        it { should be_installed }
+      end
+    "
+
+    attr_accessor :content
+
+    def initialize(hotfix_id = nil)
+      @id = hotfix_id.upcase
+      @content = nil
+      os = inspec.os
+      return skip_resource 'The `windows_hotfix` resource is not a feature of your OS.' unless os.windows?
+      query = "Get-WmiObject -class \"win32_quickfixengineering\" -filter \"HotFixID = '" + @id + "'\""
+      cmd = inspec.powershell(query)
+      @content = cmd.stdout
+    end
+
+    def to_s
+      "Windows Hotfix #{@id}"
+    end
+
+    def installed?
+      return false if @content.nil?
+      @content.include?(@id)
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.38.8
+  version: 1.39.1
 platform: ruby
 authors:
 - Dominik Richter
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.27'
+        version: '0.28'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.27'
+        version: '0.28'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -334,6 +334,8 @@ files:
 - docs/resources/etc_fstab.md.erb
 - docs/resources/etc_group.md.erb
 - docs/resources/etc_hosts.md.erb
+- docs/resources/etc_hosts_allow.md.erb
+- docs/resources/etc_hosts_deny.md.erb
 - docs/resources/file.md.erb
 - docs/resources/gem.md.erb
 - docs/resources/group.md.erb
@@ -395,6 +397,7 @@ files:
 - docs/resources/vbscript.md.erb
 - docs/resources/virtualization.md.erb
 - docs/resources/windows_feature.md.erb
+- docs/resources/windows_hotfix.md.erb
 - docs/resources/windows_task.md.erb
 - docs/resources/wmi.md.erb
 - docs/resources/x509_certificate.md.erb
@@ -578,6 +581,7 @@ files:
 - lib/resources/etc_fstab.rb
 - lib/resources/etc_group.rb
 - lib/resources/etc_hosts.rb
+- lib/resources/etc_hosts_allow_deny.rb
 - lib/resources/file.rb
 - lib/resources/gem.rb
 - lib/resources/groups.rb
@@ -635,6 +639,7 @@ files:
 - lib/resources/vbscript.rb
 - lib/resources/virtualization.rb
 - lib/resources/windows_feature.rb
+- lib/resources/windows_hotfix.rb
 - lib/resources/windows_task.rb
 - lib/resources/wmi.rb
 - lib/resources/x509_certificate.rb