inspec 1.51.15 → 1.51.18

Sign up to get free protection for your applications and to get access to all the features.
Files changed (404) hide show
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +101 -101
  3. data/CHANGELOG.md +2922 -2915
  4. data/Gemfile +53 -53
  5. data/LICENSE +14 -14
  6. data/MAINTAINERS.md +31 -31
  7. data/MAINTAINERS.toml +47 -47
  8. data/README.md +419 -419
  9. data/Rakefile +167 -167
  10. data/bin/inspec +12 -12
  11. data/docs/.gitignore +2 -2
  12. data/docs/README.md +40 -40
  13. data/docs/dsl_inspec.md +258 -258
  14. data/docs/dsl_resource.md +93 -93
  15. data/docs/glossary.md +99 -99
  16. data/docs/habitat.md +191 -191
  17. data/docs/inspec_and_friends.md +107 -107
  18. data/docs/matchers.md +165 -165
  19. data/docs/migration.md +293 -293
  20. data/docs/plugin_kitchen_inspec.md +49 -49
  21. data/docs/profiles.md +370 -370
  22. data/docs/resources/aide_conf.md.erb +78 -78
  23. data/docs/resources/apache.md.erb +66 -66
  24. data/docs/resources/apache_conf.md.erb +67 -67
  25. data/docs/resources/apt.md.erb +70 -70
  26. data/docs/resources/audit_policy.md.erb +46 -46
  27. data/docs/resources/auditd.md.erb +78 -78
  28. data/docs/resources/auditd_conf.md.erb +68 -68
  29. data/docs/resources/auditd_rules.md.erb +116 -116
  30. data/docs/resources/bash.md.erb +74 -74
  31. data/docs/resources/bond.md.erb +89 -89
  32. data/docs/resources/bridge.md.erb +54 -54
  33. data/docs/resources/bsd_service.md.erb +65 -65
  34. data/docs/resources/command.md.erb +137 -137
  35. data/docs/resources/cpan.md.erb +77 -77
  36. data/docs/resources/cran.md.erb +63 -63
  37. data/docs/resources/crontab.md.erb +87 -87
  38. data/docs/resources/csv.md.erb +53 -53
  39. data/docs/resources/dh_params.md.erb +216 -216
  40. data/docs/resources/directory.md.erb +28 -28
  41. data/docs/resources/docker.md.erb +163 -163
  42. data/docs/resources/docker_container.md.erb +99 -99
  43. data/docs/resources/docker_image.md.erb +93 -93
  44. data/docs/resources/docker_service.md.erb +113 -113
  45. data/docs/resources/elasticsearch.md.erb +230 -230
  46. data/docs/resources/etc_fstab.md.erb +124 -124
  47. data/docs/resources/etc_group.md.erb +74 -74
  48. data/docs/resources/etc_hosts.md.erb +75 -75
  49. data/docs/resources/etc_hosts_allow.md.erb +73 -73
  50. data/docs/resources/etc_hosts_deny.md.erb +73 -73
  51. data/docs/resources/file.md.erb +512 -512
  52. data/docs/resources/filesystem.md.erb +40 -40
  53. data/docs/resources/firewalld.md.erb +105 -105
  54. data/docs/resources/gem.md.erb +78 -78
  55. data/docs/resources/group.md.erb +60 -60
  56. data/docs/resources/grub_conf.md.erb +101 -101
  57. data/docs/resources/host.md.erb +77 -77
  58. data/docs/resources/http.md.erb +104 -104
  59. data/docs/resources/iis_app.md.erb +120 -120
  60. data/docs/resources/iis_site.md.erb +132 -132
  61. data/docs/resources/inetd_conf.md.erb +95 -95
  62. data/docs/resources/ini.md.erb +72 -72
  63. data/docs/resources/interface.md.erb +55 -55
  64. data/docs/resources/iptables.md.erb +63 -63
  65. data/docs/resources/json.md.erb +61 -61
  66. data/docs/resources/kernel_module.md.erb +106 -106
  67. data/docs/resources/kernel_parameter.md.erb +58 -58
  68. data/docs/resources/key_rsa.md.erb +73 -73
  69. data/docs/resources/launchd_service.md.erb +56 -56
  70. data/docs/resources/limits_conf.md.erb +66 -66
  71. data/docs/resources/login_def.md.erb +62 -62
  72. data/docs/resources/mount.md.erb +68 -68
  73. data/docs/resources/mssql_session.md.erb +59 -59
  74. data/docs/resources/mysql_conf.md.erb +98 -98
  75. data/docs/resources/mysql_session.md.erb +73 -73
  76. data/docs/resources/nginx.md.erb +78 -78
  77. data/docs/resources/nginx_conf.md.erb +127 -127
  78. data/docs/resources/npm.md.erb +59 -59
  79. data/docs/resources/ntp_conf.md.erb +59 -59
  80. data/docs/resources/oneget.md.erb +52 -52
  81. data/docs/resources/oracledb_session.md.erb +51 -51
  82. data/docs/resources/os.md.erb +140 -140
  83. data/docs/resources/os_env.md.erb +77 -77
  84. data/docs/resources/package.md.erb +119 -119
  85. data/docs/resources/packages.md.erb +66 -66
  86. data/docs/resources/parse_config.md.erb +102 -102
  87. data/docs/resources/parse_config_file.md.erb +137 -137
  88. data/docs/resources/passwd.md.erb +140 -140
  89. data/docs/resources/pip.md.erb +66 -66
  90. data/docs/resources/port.md.erb +136 -136
  91. data/docs/resources/postgres_conf.md.erb +78 -78
  92. data/docs/resources/postgres_hba_conf.md.erb +92 -92
  93. data/docs/resources/postgres_ident_conf.md.erb +75 -75
  94. data/docs/resources/postgres_session.md.erb +68 -68
  95. data/docs/resources/powershell.md.erb +101 -101
  96. data/docs/resources/processes.md.erb +107 -107
  97. data/docs/resources/rabbitmq_config.md.erb +40 -40
  98. data/docs/resources/registry_key.md.erb +157 -157
  99. data/docs/resources/runit_service.md.erb +56 -56
  100. data/docs/resources/security_policy.md.erb +46 -46
  101. data/docs/resources/service.md.erb +120 -120
  102. data/docs/resources/shadow.md.erb +143 -143
  103. data/docs/resources/ssh_config.md.erb +79 -79
  104. data/docs/resources/sshd_config.md.erb +82 -82
  105. data/docs/resources/ssl.md.erb +118 -118
  106. data/docs/resources/sys_info.md.erb +41 -41
  107. data/docs/resources/systemd_service.md.erb +56 -56
  108. data/docs/resources/sysv_service.md.erb +56 -56
  109. data/docs/resources/upstart_service.md.erb +56 -56
  110. data/docs/resources/user.md.erb +139 -139
  111. data/docs/resources/users.md.erb +126 -126
  112. data/docs/resources/vbscript.md.erb +54 -54
  113. data/docs/resources/virtualization.md.erb +56 -56
  114. data/docs/resources/windows_feature.md.erb +46 -46
  115. data/docs/resources/windows_hotfix.md.erb +52 -52
  116. data/docs/resources/windows_task.md.erb +89 -89
  117. data/docs/resources/wmi.md.erb +80 -80
  118. data/docs/resources/x509_certificate.md.erb +150 -150
  119. data/docs/resources/xinetd_conf.md.erb +155 -155
  120. data/docs/resources/xml.md.erb +84 -84
  121. data/docs/resources/yaml.md.erb +68 -68
  122. data/docs/resources/yum.md.erb +97 -97
  123. data/docs/resources/zfs_dataset.md.erb +52 -52
  124. data/docs/resources/zfs_pool.md.erb +46 -46
  125. data/docs/ruby_usage.md +203 -203
  126. data/docs/shared/matcher_be.md.erb +1 -1
  127. data/docs/shared/matcher_cmp.md.erb +43 -43
  128. data/docs/shared/matcher_eq.md.erb +3 -3
  129. data/docs/shared/matcher_include.md.erb +1 -1
  130. data/docs/shared/matcher_match.md.erb +1 -1
  131. data/docs/shell.md +172 -172
  132. data/examples/README.md +8 -8
  133. data/examples/inheritance/README.md +65 -65
  134. data/examples/inheritance/controls/example.rb +14 -14
  135. data/examples/inheritance/inspec.yml +15 -15
  136. data/examples/kitchen-ansible/.kitchen.yml +25 -25
  137. data/examples/kitchen-ansible/Gemfile +19 -19
  138. data/examples/kitchen-ansible/README.md +53 -53
  139. data/examples/kitchen-ansible/files/nginx.repo +6 -6
  140. data/examples/kitchen-ansible/tasks/main.yml +16 -16
  141. data/examples/kitchen-ansible/test/integration/default/default.yml +5 -5
  142. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +28 -28
  143. data/examples/kitchen-chef/.kitchen.yml +20 -20
  144. data/examples/kitchen-chef/Berksfile +3 -3
  145. data/examples/kitchen-chef/Gemfile +19 -19
  146. data/examples/kitchen-chef/README.md +27 -27
  147. data/examples/kitchen-chef/metadata.rb +7 -7
  148. data/examples/kitchen-chef/recipes/default.rb +6 -6
  149. data/examples/kitchen-chef/recipes/nginx.rb +30 -30
  150. data/examples/kitchen-chef/test/integration/default/web_spec.rb +28 -28
  151. data/examples/kitchen-puppet/.kitchen.yml +22 -22
  152. data/examples/kitchen-puppet/Gemfile +20 -20
  153. data/examples/kitchen-puppet/Puppetfile +25 -25
  154. data/examples/kitchen-puppet/README.md +53 -53
  155. data/examples/kitchen-puppet/manifests/site.pp +33 -33
  156. data/examples/kitchen-puppet/metadata.json +11 -11
  157. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +28 -28
  158. data/examples/meta-profile/README.md +37 -37
  159. data/examples/meta-profile/controls/example.rb +13 -13
  160. data/examples/meta-profile/inspec.yml +13 -13
  161. data/examples/profile-attribute.yml +2 -2
  162. data/examples/profile-attribute/README.md +14 -14
  163. data/examples/profile-attribute/controls/example.rb +11 -11
  164. data/examples/profile-attribute/inspec.yml +8 -8
  165. data/examples/profile-sensitive/README.md +29 -29
  166. data/examples/profile-sensitive/controls/sensitive-failures.rb +9 -9
  167. data/examples/profile-sensitive/controls/sensitive.rb +9 -9
  168. data/examples/profile-sensitive/inspec.yml +8 -8
  169. data/examples/profile/README.md +48 -48
  170. data/examples/profile/controls/example.rb +23 -23
  171. data/examples/profile/controls/gordon.rb +36 -36
  172. data/examples/profile/controls/meta.rb +34 -34
  173. data/examples/profile/inspec.yml +10 -10
  174. data/examples/profile/libraries/gordon_config.rb +53 -53
  175. data/inspec.gemspec +47 -47
  176. data/lib/bundles/README.md +3 -3
  177. data/lib/bundles/inspec-artifact.rb +7 -7
  178. data/lib/bundles/inspec-artifact/README.md +1 -1
  179. data/lib/bundles/inspec-artifact/cli.rb +277 -277
  180. data/lib/bundles/inspec-compliance.rb +16 -16
  181. data/lib/bundles/inspec-compliance/.kitchen.yml +20 -20
  182. data/lib/bundles/inspec-compliance/README.md +185 -185
  183. data/lib/bundles/inspec-compliance/api.rb +316 -316
  184. data/lib/bundles/inspec-compliance/api/login.rb +152 -152
  185. data/lib/bundles/inspec-compliance/bootstrap.sh +41 -41
  186. data/lib/bundles/inspec-compliance/cli.rb +277 -277
  187. data/lib/bundles/inspec-compliance/configuration.rb +103 -103
  188. data/lib/bundles/inspec-compliance/http.rb +86 -86
  189. data/lib/bundles/inspec-compliance/support.rb +36 -36
  190. data/lib/bundles/inspec-compliance/target.rb +98 -98
  191. data/lib/bundles/inspec-compliance/test/integration/default/cli.rb +93 -93
  192. data/lib/bundles/inspec-habitat.rb +12 -12
  193. data/lib/bundles/inspec-habitat/cli.rb +36 -36
  194. data/lib/bundles/inspec-habitat/log.rb +10 -10
  195. data/lib/bundles/inspec-habitat/profile.rb +390 -390
  196. data/lib/bundles/inspec-init.rb +8 -8
  197. data/lib/bundles/inspec-init/README.md +31 -31
  198. data/lib/bundles/inspec-init/cli.rb +97 -97
  199. data/lib/bundles/inspec-init/templates/profile/README.md +3 -3
  200. data/lib/bundles/inspec-init/templates/profile/controls/example.rb +19 -19
  201. data/lib/bundles/inspec-init/templates/profile/inspec.yml +8 -8
  202. data/lib/bundles/inspec-supermarket.rb +13 -13
  203. data/lib/bundles/inspec-supermarket/README.md +45 -45
  204. data/lib/bundles/inspec-supermarket/api.rb +84 -84
  205. data/lib/bundles/inspec-supermarket/cli.rb +65 -65
  206. data/lib/bundles/inspec-supermarket/target.rb +34 -34
  207. data/lib/fetchers/git.rb +163 -163
  208. data/lib/fetchers/local.rb +74 -74
  209. data/lib/fetchers/mock.rb +35 -35
  210. data/lib/fetchers/url.rb +204 -204
  211. data/lib/inspec.rb +24 -24
  212. data/lib/inspec/archive/tar.rb +29 -29
  213. data/lib/inspec/archive/zip.rb +19 -19
  214. data/lib/inspec/backend.rb +92 -92
  215. data/lib/inspec/base_cli.rb +327 -324
  216. data/lib/inspec/cached_fetcher.rb +66 -66
  217. data/lib/inspec/cli.rb +298 -298
  218. data/lib/inspec/completions/bash.sh.erb +45 -45
  219. data/lib/inspec/completions/fish.sh.erb +34 -34
  220. data/lib/inspec/completions/zsh.sh.erb +61 -61
  221. data/lib/inspec/control_eval_context.rb +179 -179
  222. data/lib/inspec/dependencies/cache.rb +72 -72
  223. data/lib/inspec/dependencies/dependency_set.rb +92 -92
  224. data/lib/inspec/dependencies/lockfile.rb +115 -115
  225. data/lib/inspec/dependencies/requirement.rb +123 -123
  226. data/lib/inspec/dependencies/resolver.rb +86 -86
  227. data/lib/inspec/describe.rb +27 -27
  228. data/lib/inspec/dsl.rb +66 -66
  229. data/lib/inspec/dsl_shared.rb +33 -33
  230. data/lib/inspec/env_printer.rb +157 -157
  231. data/lib/inspec/errors.rb +13 -13
  232. data/lib/inspec/exceptions.rb +12 -12
  233. data/lib/inspec/expect.rb +45 -45
  234. data/lib/inspec/fetcher.rb +45 -45
  235. data/lib/inspec/file_provider.rb +275 -275
  236. data/lib/inspec/formatters.rb +3 -3
  237. data/lib/inspec/formatters/base.rb +208 -208
  238. data/lib/inspec/formatters/json_rspec.rb +20 -20
  239. data/lib/inspec/formatters/show_progress.rb +12 -12
  240. data/lib/inspec/library_eval_context.rb +58 -58
  241. data/lib/inspec/log.rb +11 -11
  242. data/lib/inspec/metadata.rb +253 -253
  243. data/lib/inspec/method_source.rb +24 -24
  244. data/lib/inspec/objects.rb +14 -14
  245. data/lib/inspec/objects/attribute.rb +65 -65
  246. data/lib/inspec/objects/control.rb +61 -61
  247. data/lib/inspec/objects/describe.rb +92 -92
  248. data/lib/inspec/objects/each_loop.rb +36 -36
  249. data/lib/inspec/objects/list.rb +15 -15
  250. data/lib/inspec/objects/or_test.rb +40 -40
  251. data/lib/inspec/objects/ruby_helper.rb +15 -15
  252. data/lib/inspec/objects/tag.rb +27 -27
  253. data/lib/inspec/objects/test.rb +87 -87
  254. data/lib/inspec/objects/value.rb +27 -27
  255. data/lib/inspec/plugins.rb +60 -60
  256. data/lib/inspec/plugins/cli.rb +24 -24
  257. data/lib/inspec/plugins/fetcher.rb +86 -86
  258. data/lib/inspec/plugins/resource.rb +132 -132
  259. data/lib/inspec/plugins/secret.rb +15 -15
  260. data/lib/inspec/plugins/source_reader.rb +40 -40
  261. data/lib/inspec/polyfill.rb +12 -12
  262. data/lib/inspec/profile.rb +510 -510
  263. data/lib/inspec/profile_context.rb +207 -207
  264. data/lib/inspec/profile_vendor.rb +66 -66
  265. data/lib/inspec/reporters.rb +50 -50
  266. data/lib/inspec/reporters/base.rb +24 -24
  267. data/lib/inspec/reporters/cli.rb +395 -395
  268. data/lib/inspec/reporters/json.rb +138 -134
  269. data/lib/inspec/reporters/json_min.rb +48 -48
  270. data/lib/inspec/reporters/junit.rb +77 -77
  271. data/lib/inspec/require_loader.rb +33 -33
  272. data/lib/inspec/resource.rb +176 -176
  273. data/lib/inspec/rule.rb +266 -266
  274. data/lib/inspec/runner.rb +342 -340
  275. data/lib/inspec/runner_mock.rb +41 -41
  276. data/lib/inspec/runner_rspec.rb +163 -163
  277. data/lib/inspec/runtime_profile.rb +26 -26
  278. data/lib/inspec/schema.rb +192 -186
  279. data/lib/inspec/secrets.rb +19 -19
  280. data/lib/inspec/secrets/yaml.rb +30 -30
  281. data/lib/inspec/shell.rb +223 -223
  282. data/lib/inspec/shell_detector.rb +90 -90
  283. data/lib/inspec/source_reader.rb +29 -29
  284. data/lib/inspec/version.rb +8 -8
  285. data/lib/matchers/matchers.rb +397 -397
  286. data/lib/resources/aide_conf.rb +160 -160
  287. data/lib/resources/apache.rb +49 -49
  288. data/lib/resources/apache_conf.rb +158 -158
  289. data/lib/resources/apt.rb +150 -150
  290. data/lib/resources/audit_policy.rb +64 -64
  291. data/lib/resources/auditd.rb +233 -233
  292. data/lib/resources/auditd_conf.rb +56 -56
  293. data/lib/resources/auditd_rules.rb +205 -205
  294. data/lib/resources/bash.rb +36 -36
  295. data/lib/resources/bond.rb +69 -69
  296. data/lib/resources/bridge.rb +123 -123
  297. data/lib/resources/command.rb +69 -69
  298. data/lib/resources/cpan.rb +60 -60
  299. data/lib/resources/cran.rb +66 -66
  300. data/lib/resources/crontab.rb +169 -169
  301. data/lib/resources/csv.rb +58 -58
  302. data/lib/resources/dh_params.rb +83 -83
  303. data/lib/resources/directory.rb +25 -25
  304. data/lib/resources/docker.rb +239 -239
  305. data/lib/resources/docker_container.rb +92 -92
  306. data/lib/resources/docker_image.rb +86 -86
  307. data/lib/resources/docker_object.rb +57 -57
  308. data/lib/resources/docker_service.rb +94 -94
  309. data/lib/resources/elasticsearch.rb +168 -168
  310. data/lib/resources/etc_fstab.rb +102 -102
  311. data/lib/resources/etc_group.rb +157 -157
  312. data/lib/resources/etc_hosts.rb +81 -81
  313. data/lib/resources/etc_hosts_allow_deny.rb +122 -122
  314. data/lib/resources/file.rb +298 -298
  315. data/lib/resources/filesystem.rb +31 -31
  316. data/lib/resources/firewalld.rb +144 -144
  317. data/lib/resources/gem.rb +71 -71
  318. data/lib/resources/groups.rb +213 -213
  319. data/lib/resources/grub_conf.rb +237 -237
  320. data/lib/resources/host.rb +300 -300
  321. data/lib/resources/http.rb +252 -252
  322. data/lib/resources/iis_app.rb +103 -103
  323. data/lib/resources/iis_site.rb +147 -147
  324. data/lib/resources/inetd_conf.rb +63 -63
  325. data/lib/resources/ini.rb +29 -29
  326. data/lib/resources/interface.rb +130 -130
  327. data/lib/resources/iptables.rb +70 -70
  328. data/lib/resources/json.rb +115 -115
  329. data/lib/resources/kernel_module.rb +110 -110
  330. data/lib/resources/kernel_parameter.rb +58 -58
  331. data/lib/resources/key_rsa.rb +67 -67
  332. data/lib/resources/limits_conf.rb +56 -56
  333. data/lib/resources/login_def.rb +67 -67
  334. data/lib/resources/mount.rb +90 -90
  335. data/lib/resources/mssql_session.rb +103 -103
  336. data/lib/resources/mysql.rb +82 -82
  337. data/lib/resources/mysql_conf.rb +133 -133
  338. data/lib/resources/mysql_session.rb +72 -72
  339. data/lib/resources/nginx.rb +97 -97
  340. data/lib/resources/nginx_conf.rb +228 -228
  341. data/lib/resources/npm.rb +48 -48
  342. data/lib/resources/ntp_conf.rb +59 -59
  343. data/lib/resources/oneget.rb +72 -72
  344. data/lib/resources/oracledb_session.rb +140 -140
  345. data/lib/resources/os.rb +46 -46
  346. data/lib/resources/os_env.rb +76 -76
  347. data/lib/resources/package.rb +357 -357
  348. data/lib/resources/packages.rb +112 -112
  349. data/lib/resources/parse_config.rb +116 -116
  350. data/lib/resources/passwd.rb +96 -96
  351. data/lib/resources/pip.rb +89 -89
  352. data/lib/resources/platform.rb +112 -112
  353. data/lib/resources/port.rb +771 -771
  354. data/lib/resources/postgres.rb +132 -132
  355. data/lib/resources/postgres_conf.rb +122 -122
  356. data/lib/resources/postgres_hba_conf.rb +101 -101
  357. data/lib/resources/postgres_ident_conf.rb +79 -79
  358. data/lib/resources/postgres_session.rb +72 -72
  359. data/lib/resources/powershell.rb +58 -58
  360. data/lib/resources/processes.rb +204 -204
  361. data/lib/resources/rabbitmq_conf.rb +53 -53
  362. data/lib/resources/registry_key.rb +296 -296
  363. data/lib/resources/security_policy.rb +181 -181
  364. data/lib/resources/service.rb +784 -784
  365. data/lib/resources/shadow.rb +141 -141
  366. data/lib/resources/ssh_conf.rb +102 -102
  367. data/lib/resources/ssl.rb +99 -99
  368. data/lib/resources/sys_info.rb +26 -26
  369. data/lib/resources/toml.rb +32 -32
  370. data/lib/resources/users.rb +652 -652
  371. data/lib/resources/vbscript.rb +70 -70
  372. data/lib/resources/virtualization.rb +251 -251
  373. data/lib/resources/windows_feature.rb +85 -85
  374. data/lib/resources/windows_hotfix.rb +35 -35
  375. data/lib/resources/windows_task.rb +106 -106
  376. data/lib/resources/wmi.rb +114 -114
  377. data/lib/resources/x509_certificate.rb +143 -143
  378. data/lib/resources/xinetd.rb +112 -112
  379. data/lib/resources/xml.rb +45 -45
  380. data/lib/resources/yaml.rb +45 -45
  381. data/lib/resources/yum.rb +181 -181
  382. data/lib/resources/zfs_dataset.rb +60 -60
  383. data/lib/resources/zfs_pool.rb +49 -49
  384. data/lib/source_readers/flat.rb +39 -39
  385. data/lib/source_readers/inspec.rb +75 -75
  386. data/lib/utils/command_wrapper.rb +27 -27
  387. data/lib/utils/convert.rb +12 -12
  388. data/lib/utils/database_helpers.rb +77 -77
  389. data/lib/utils/erlang_parser.rb +192 -192
  390. data/lib/utils/filter.rb +272 -272
  391. data/lib/utils/filter_array.rb +27 -27
  392. data/lib/utils/find_files.rb +44 -44
  393. data/lib/utils/hash.rb +41 -41
  394. data/lib/utils/json_log.rb +18 -18
  395. data/lib/utils/latest_version.rb +22 -22
  396. data/lib/utils/modulator.rb +12 -12
  397. data/lib/utils/nginx_parser.rb +85 -85
  398. data/lib/utils/object_traversal.rb +49 -49
  399. data/lib/utils/parser.rb +274 -274
  400. data/lib/utils/plugin_registry.rb +93 -93
  401. data/lib/utils/simpleconfig.rb +132 -132
  402. data/lib/utils/spdx.rb +13 -13
  403. data/lib/utils/spdx.txt +343 -343
  404. metadata +2 -2
data/Rakefile CHANGED
@@ -1,167 +1,167 @@
1
- #!/usr/bin/env rake
2
- # encoding: utf-8
3
-
4
- require 'bundler'
5
- require 'bundler/gem_tasks'
6
- require 'rake/testtask'
7
- require_relative 'tasks/maintainers'
8
- require_relative 'tasks/spdx'
9
-
10
- # The docs tasks rely on ruby-progressbar. If we can't load it, then don't
11
- # load the docs tasks. This is necessary to allow this Rakefile to work
12
- # when the "tests" gem group in the Gemfile has been excluded, such as
13
- # during an appbundle-updater run.
14
- begin
15
- require 'ruby-progressbar'
16
- require_relative 'tasks/docs'
17
- rescue LoadError
18
- puts 'docs tasks are unavailable because the ruby-progressbar gem is not available.'
19
- end
20
-
21
- # Rubocop
22
- begin
23
- require 'rubocop/rake_task'
24
- RuboCop::RakeTask.new(:lint)
25
- rescue LoadError
26
- puts 'rubocop is not available. Install the rubocop gem to run the lint tests.'
27
- end
28
-
29
- # update command output for demo
30
- desc 'Run inspec commands and save results to www/app/responses'
31
- task :update_demo do
32
- ruby 'www/tutorial/scripts/build_simulator_runtime.rb'
33
- ruby 'www/tutorial/scripts/run_simulator_recording.rb'
34
- end
35
-
36
- # run tests
37
- task default: [:lint, :test]
38
-
39
- Rake::TestTask.new do |t|
40
- t.libs << 'test'
41
- t.pattern = 'test/unit/**/*_test.rb'
42
- t.warning = true
43
- t.verbose = true
44
- t.ruby_opts = ['--dev'] if defined?(JRUBY_VERSION)
45
- end
46
-
47
- namespace :test do
48
- task :isolated do
49
- Dir.glob('test/unit/*_test.rb').all? do |file|
50
- sh(Gem.ruby, '-w', '-Ilib:test', file)
51
- end or fail 'Failures'
52
- end
53
-
54
- Rake::TestTask.new(:functional) do |t|
55
- t.libs << 'test'
56
- t.pattern = 'test/functional/**/*_test.rb'
57
- t.warning = true
58
- t.verbose = true
59
- t.ruby_opts = ['--dev'] if defined?(JRUBY_VERSION)
60
- end
61
-
62
- task :resources do
63
- tests = Dir['test/resource/*_test.rb']
64
- return if tests.empty?
65
- sh(Gem.ruby, 'test/docker_test.rb', *tests)
66
- end
67
-
68
- task :integration do
69
- concurrency = ENV['CONCURRENCY'] || 1
70
- os = ENV['OS'] || ''
71
- sh("bundle exec kitchen test -c #{concurrency} #{os}")
72
- end
73
-
74
- task :ssh, [:target] do |_t, args|
75
- tests_path = File.join(File.dirname(__FILE__), 'test', 'integration', 'test', 'integration', 'default')
76
- key_files = ENV['key_files'] || File.join(ENV['HOME'], '.ssh', 'id_rsa')
77
-
78
- sh_cmd = "bin/inspec exec #{tests_path}/"
79
- sh_cmd += ENV['test'] ? "#{ENV['test']}_spec.rb" : '*'
80
- sh_cmd += " --sudo" unless args[:target].split('@')[0] == 'root'
81
- sh_cmd += " -t ssh://#{args[:target]}"
82
- sh_cmd += " --key_files=#{key_files}"
83
- sh_cmd += " --format=#{ENV['format']}" if ENV['format']
84
-
85
- sh('sh', '-c', sh_cmd)
86
- end
87
- end
88
-
89
- # Print the current version of this gem or update it.
90
- #
91
- # @param [Type] target the new version you want to set, or nil if you only want to show
92
- def inspec_version(target = nil)
93
- path = 'lib/inspec/version.rb'
94
- require_relative path.sub(/.rb$/, '')
95
-
96
- nu_version = target.nil? ? '' : " -> #{target}"
97
- puts "Inspec: #{Inspec::VERSION}#{nu_version}"
98
-
99
- unless target.nil?
100
- raw = File.read(path)
101
- nu = raw.sub(/VERSION.*/, "VERSION = '#{target}'.freeze")
102
- File.write(path, nu)
103
- load(path)
104
- end
105
- end
106
-
107
- # Check if a command is available
108
- #
109
- # @param [Type] x the command you are interested in
110
- # @param [Type] msg the message to display if the command is missing
111
- def require_command(x, msg = nil)
112
- return if system("command -v #{x} || exit 1")
113
- msg ||= 'Please install it first!'
114
- puts "\033[31;1mCan't find command #{x.inspect}. #{msg}\033[0m"
115
- exit 1
116
- end
117
-
118
- # Check if a required environment variable has been set
119
- #
120
- # @param [String] x the variable you are interested in
121
- # @param [String] msg the message you want to display if the variable is missing
122
- def require_env(x, msg = nil)
123
- exists = `env | grep "^#{x}="`
124
- return unless exists.empty?
125
- puts "\033[31;1mCan't find environment variable #{x.inspect}. #{msg}\033[0m"
126
- exit 1
127
- end
128
-
129
- # Check the requirements for running an update of this repository.
130
- def check_update_requirements
131
- require_command 'git'
132
- end
133
-
134
- # Show the current version of this gem.
135
- desc 'Show the version of this gem'
136
- task :version do
137
- inspec_version
138
- end
139
-
140
- desc 'Release a new docker image'
141
- task :release_docker do
142
- version = Inspec::VERSION
143
- cmd = "rm *.gem; gem build *gemspec && "\
144
- "mv *.gem inspec.gem && "\
145
- "docker build -t chef/inspec:#{version} . && "\
146
- "docker push chef/inspec:#{version} && "\
147
- "docker tag chef/inspec:#{version} chef/inspec:latest &&"\
148
- "docker push chef/inspec:latest"
149
- puts "--> #{cmd}"
150
- sh('sh', '-c', cmd)
151
- end
152
-
153
- desc 'Release the website [deprecated]'
154
- task :www do
155
- puts 'The Rake tasks for releasing the website are now in the www/ directory.'
156
- puts 'Run `cd www` and then `rake --tasks` for a list of the www-related tasks available.'
157
- exit(1)
158
- end
159
-
160
- namespace :www do
161
- desc 'Release the website [deprecated]'
162
- task :release do
163
- puts 'The Rake tasks for releasing the website are now in the www/ directory.'
164
- puts 'Run `cd www` and then `rake --tasks` for a list of the www-related tasks available.'
165
- exit(1)
166
- end
167
- end
1
+ #!/usr/bin/env rake
2
+ # encoding: utf-8
3
+
4
+ require 'bundler'
5
+ require 'bundler/gem_tasks'
6
+ require 'rake/testtask'
7
+ require_relative 'tasks/maintainers'
8
+ require_relative 'tasks/spdx'
9
+
10
+ # The docs tasks rely on ruby-progressbar. If we can't load it, then don't
11
+ # load the docs tasks. This is necessary to allow this Rakefile to work
12
+ # when the "tests" gem group in the Gemfile has been excluded, such as
13
+ # during an appbundle-updater run.
14
+ begin
15
+ require 'ruby-progressbar'
16
+ require_relative 'tasks/docs'
17
+ rescue LoadError
18
+ puts 'docs tasks are unavailable because the ruby-progressbar gem is not available.'
19
+ end
20
+
21
+ # Rubocop
22
+ begin
23
+ require 'rubocop/rake_task'
24
+ RuboCop::RakeTask.new(:lint)
25
+ rescue LoadError
26
+ puts 'rubocop is not available. Install the rubocop gem to run the lint tests.'
27
+ end
28
+
29
+ # update command output for demo
30
+ desc 'Run inspec commands and save results to www/app/responses'
31
+ task :update_demo do
32
+ ruby 'www/tutorial/scripts/build_simulator_runtime.rb'
33
+ ruby 'www/tutorial/scripts/run_simulator_recording.rb'
34
+ end
35
+
36
+ # run tests
37
+ task default: [:lint, :test]
38
+
39
+ Rake::TestTask.new do |t|
40
+ t.libs << 'test'
41
+ t.pattern = 'test/unit/**/*_test.rb'
42
+ t.warning = true
43
+ t.verbose = true
44
+ t.ruby_opts = ['--dev'] if defined?(JRUBY_VERSION)
45
+ end
46
+
47
+ namespace :test do
48
+ task :isolated do
49
+ Dir.glob('test/unit/*_test.rb').all? do |file|
50
+ sh(Gem.ruby, '-w', '-Ilib:test', file)
51
+ end or fail 'Failures'
52
+ end
53
+
54
+ Rake::TestTask.new(:functional) do |t|
55
+ t.libs << 'test'
56
+ t.pattern = 'test/functional/**/*_test.rb'
57
+ t.warning = true
58
+ t.verbose = true
59
+ t.ruby_opts = ['--dev'] if defined?(JRUBY_VERSION)
60
+ end
61
+
62
+ task :resources do
63
+ tests = Dir['test/resource/*_test.rb']
64
+ return if tests.empty?
65
+ sh(Gem.ruby, 'test/docker_test.rb', *tests)
66
+ end
67
+
68
+ task :integration do
69
+ concurrency = ENV['CONCURRENCY'] || 1
70
+ os = ENV['OS'] || ''
71
+ sh("bundle exec kitchen test -c #{concurrency} #{os}")
72
+ end
73
+
74
+ task :ssh, [:target] do |_t, args|
75
+ tests_path = File.join(File.dirname(__FILE__), 'test', 'integration', 'test', 'integration', 'default')
76
+ key_files = ENV['key_files'] || File.join(ENV['HOME'], '.ssh', 'id_rsa')
77
+
78
+ sh_cmd = "bin/inspec exec #{tests_path}/"
79
+ sh_cmd += ENV['test'] ? "#{ENV['test']}_spec.rb" : '*'
80
+ sh_cmd += " --sudo" unless args[:target].split('@')[0] == 'root'
81
+ sh_cmd += " -t ssh://#{args[:target]}"
82
+ sh_cmd += " --key_files=#{key_files}"
83
+ sh_cmd += " --format=#{ENV['format']}" if ENV['format']
84
+
85
+ sh('sh', '-c', sh_cmd)
86
+ end
87
+ end
88
+
89
+ # Print the current version of this gem or update it.
90
+ #
91
+ # @param [Type] target the new version you want to set, or nil if you only want to show
92
+ def inspec_version(target = nil)
93
+ path = 'lib/inspec/version.rb'
94
+ require_relative path.sub(/.rb$/, '')
95
+
96
+ nu_version = target.nil? ? '' : " -> #{target}"
97
+ puts "Inspec: #{Inspec::VERSION}#{nu_version}"
98
+
99
+ unless target.nil?
100
+ raw = File.read(path)
101
+ nu = raw.sub(/VERSION.*/, "VERSION = '#{target}'.freeze")
102
+ File.write(path, nu)
103
+ load(path)
104
+ end
105
+ end
106
+
107
+ # Check if a command is available
108
+ #
109
+ # @param [Type] x the command you are interested in
110
+ # @param [Type] msg the message to display if the command is missing
111
+ def require_command(x, msg = nil)
112
+ return if system("command -v #{x} || exit 1")
113
+ msg ||= 'Please install it first!'
114
+ puts "\033[31;1mCan't find command #{x.inspect}. #{msg}\033[0m"
115
+ exit 1
116
+ end
117
+
118
+ # Check if a required environment variable has been set
119
+ #
120
+ # @param [String] x the variable you are interested in
121
+ # @param [String] msg the message you want to display if the variable is missing
122
+ def require_env(x, msg = nil)
123
+ exists = `env | grep "^#{x}="`
124
+ return unless exists.empty?
125
+ puts "\033[31;1mCan't find environment variable #{x.inspect}. #{msg}\033[0m"
126
+ exit 1
127
+ end
128
+
129
+ # Check the requirements for running an update of this repository.
130
+ def check_update_requirements
131
+ require_command 'git'
132
+ end
133
+
134
+ # Show the current version of this gem.
135
+ desc 'Show the version of this gem'
136
+ task :version do
137
+ inspec_version
138
+ end
139
+
140
+ desc 'Release a new docker image'
141
+ task :release_docker do
142
+ version = Inspec::VERSION
143
+ cmd = "rm *.gem; gem build *gemspec && "\
144
+ "mv *.gem inspec.gem && "\
145
+ "docker build -t chef/inspec:#{version} . && "\
146
+ "docker push chef/inspec:#{version} && "\
147
+ "docker tag chef/inspec:#{version} chef/inspec:latest &&"\
148
+ "docker push chef/inspec:latest"
149
+ puts "--> #{cmd}"
150
+ sh('sh', '-c', cmd)
151
+ end
152
+
153
+ desc 'Release the website [deprecated]'
154
+ task :www do
155
+ puts 'The Rake tasks for releasing the website are now in the www/ directory.'
156
+ puts 'Run `cd www` and then `rake --tasks` for a list of the www-related tasks available.'
157
+ exit(1)
158
+ end
159
+
160
+ namespace :www do
161
+ desc 'Release the website [deprecated]'
162
+ task :release do
163
+ puts 'The Rake tasks for releasing the website are now in the www/ directory.'
164
+ puts 'Run `cd www` and then `rake --tasks` for a list of the www-related tasks available.'
165
+ exit(1)
166
+ end
167
+ end
data/bin/inspec CHANGED
@@ -1,12 +1,12 @@
1
- #!/usr/bin/env ruby
2
- # encoding: utf-8
3
- # Copyright 2015 Dominik Richter
4
- # author: Dominik Richter
5
- # author: Christoph Hartmann
6
-
7
- Encoding.default_external = Encoding::UTF_8
8
- Encoding.default_internal = Encoding::UTF_8
9
-
10
- require_relative '../lib/inspec'
11
- require_relative '../lib/inspec/cli'
12
- Inspec::InspecCLI.start(ARGV)
1
+ #!/usr/bin/env ruby
2
+ # encoding: utf-8
3
+ # Copyright 2015 Dominik Richter
4
+ # author: Dominik Richter
5
+ # author: Christoph Hartmann
6
+
7
+ Encoding.default_external = Encoding::UTF_8
8
+ Encoding.default_internal = Encoding::UTF_8
9
+
10
+ require_relative '../lib/inspec'
11
+ require_relative '../lib/inspec/cli'
12
+ Inspec::InspecCLI.start(ARGV)
@@ -1,2 +1,2 @@
1
- resources.md
2
- cli.md
1
+ resources.md
2
+ cli.md
@@ -1,40 +1,40 @@
1
- # InSpec documentation
2
-
3
- This is the home of the InSpec documentation. This documentation provides an introduction to this mechanism and shows how to write custom tests.
4
-
5
- The goal of this folder is for any community member to clone these docs, make the changes, check if they are valid, and contribute to the project.
6
-
7
- ## How to build docs
8
-
9
- We build docs by:
10
-
11
- 1. Auto-generating docs from code
12
- 2. Transforming markdown+snippets in this folder into pure markdown in `www/source/docs`
13
- 3. Rendering them to the website via instructions in `www/`
14
-
15
- For development, you **only need step 1**!
16
-
17
- **1 Generate docs**
18
-
19
- To generate all docs run:
20
-
21
- ```
22
- bundle exec rake docs
23
- ```
24
-
25
- You can run tasks individually. For a list of tasks run:
26
-
27
- ```
28
- bundle exec rake --tasks docs
29
- ```
30
-
31
- ## Stability Index
32
-
33
- Every available InSpec resource will indicate its stability. As InSpec matures, certain parts are more reliable than others. Brand new features are likely to be redesigned and marked as such.
34
-
35
- The stability indices are as follows:
36
-
37
- * `Stability: Deprecated` - This features will be removed in future versions, because its known for being problematic. Do not rely on it.
38
- * `Stability: Experimental` - New features may change or are removed in future versions
39
- * `Stability: Stable` - API is well established and proofed. Maintaining compatibility is a high priority
40
- * `Stability: Locked` - Only security and performance fixes are allowed
1
+ # InSpec documentation
2
+
3
+ This is the home of the InSpec documentation. This documentation provides an introduction to this mechanism and shows how to write custom tests.
4
+
5
+ The goal of this folder is for any community member to clone these docs, make the changes, check if they are valid, and contribute to the project.
6
+
7
+ ## How to build docs
8
+
9
+ We build docs by:
10
+
11
+ 1. Auto-generating docs from code
12
+ 2. Transforming markdown+snippets in this folder into pure markdown in `www/source/docs`
13
+ 3. Rendering them to the website via instructions in `www/`
14
+
15
+ For development, you **only need step 1**!
16
+
17
+ **1 Generate docs**
18
+
19
+ To generate all docs run:
20
+
21
+ ```
22
+ bundle exec rake docs
23
+ ```
24
+
25
+ You can run tasks individually. For a list of tasks run:
26
+
27
+ ```
28
+ bundle exec rake --tasks docs
29
+ ```
30
+
31
+ ## Stability Index
32
+
33
+ Every available InSpec resource will indicate its stability. As InSpec matures, certain parts are more reliable than others. Brand new features are likely to be redesigned and marked as such.
34
+
35
+ The stability indices are as follows:
36
+
37
+ * `Stability: Deprecated` - This features will be removed in future versions, because its known for being problematic. Do not rely on it.
38
+ * `Stability: Experimental` - New features may change or are removed in future versions
39
+ * `Stability: Stable` - API is well established and proofed. Maintaining compatibility is a high priority
40
+ * `Stability: Locked` - Only security and performance fixes are allowed
@@ -1,258 +1,258 @@
1
- ---
2
- title: InSpec DSL
3
- ---
4
-
5
- # InSpec DSL
6
-
7
- InSpec is a run-time framework and rule language used to specify compliance, security, and policy requirements. It includes a collection of resources that help you write auditing controls quickly and easily. The syntax used by both open source and |chef compliance| auditing is the same. The open source |inspec resource| framework is compatible with |chef compliance|.
8
-
9
- The InSpec DSL is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke.
10
-
11
- The following sections describe the syntax and show some simple examples of using the InSpec resources.
12
-
13
- ## Syntax
14
-
15
- The following resource tests |ssh| server configuration. For example, a simple control may described as:
16
-
17
- ```ruby
18
- describe sshd_config do
19
- its('Port') { should eq('22') }
20
- end
21
- ```
22
-
23
- In various use cases like implementing IT compliance across different departments, it becomes handy to extend the control with metadata. Each control may define an additional ``impact``, ``title`` or ``desc``. An example looks like:
24
-
25
- ```ruby
26
- control 'sshd-8' do
27
- impact 0.6
28
- title 'Server: Configure the service port'
29
- desc '
30
- Always specify which port the SSH server should listen to.
31
- Prevent unexpected settings.
32
- '
33
- tag 'ssh','sshd','openssh-server'
34
- tag cce: 'CCE-27072-8'
35
- ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
36
-
37
- describe sshd_config do
38
- its('Port') { should eq('22') }
39
- end
40
- end
41
- ```
42
-
43
- where
44
-
45
- * `'sshd-8'` is the name of the control
46
- * `impact`, `title`, and `desc` define metadata that fully describes the importance of the control, its purpose, with a succinct and complete description
47
- * `impact` is an float that measures the importance of the compliance results and must be a value between `0.0` and `1.0`. The value ranges are:
48
- * `0.0 to <0.4` these are controls with minor criticality
49
- * `0.4 to <0.7` these are controls with major criticality
50
- * `0.7 to 1.0` these are critical controls
51
- * `tag` is optional meta-information with with key or key-value pairs
52
- * `ref` is a reference to an external document
53
- * `describe` is a block that contains at least one test. A `control` block must contain at least one `describe` block, but may contain as many as required
54
- * `sshd_config` is an InSpec resource. For the full list of InSpec resources, see InSpec resource documentation
55
- * `its('Port')` is the matcher; `{ should eq('22') }` is the test. A `describe` block must contain at least one matcher, but may contain as many as required
56
-
57
-
58
- ## Advanced concepts
59
-
60
- With inspec it is possible to check if at least one of a collection of checks is true. For example: If a setting is configured in two different locations, you may want to test if either configuration A or configuration B have been set. This is accomplished via `describe.one`. It defines a block of tests with at least one valid check.
61
-
62
- ```ruby
63
- describe.one do
64
- describe ConfigurationA do
65
- its('setting_1') { should eq true }
66
- end
67
-
68
- describe ConfigurationB do
69
- its('setting_2') { should eq true }
70
- end
71
- end
72
- ```
73
-
74
- #### Sensitive resources
75
-
76
- In some scenarios, you may be writing checks involving resources with sensitive content (e.g. a file resource). In the case of failures, it may be desired to suppress output. This can be done by adding the `:sensitive` flag to the resource definition
77
-
78
- ```ruby
79
- describe file('/tmp/mysecretfile'), :sensitive do
80
- its('content') { should contain 'secret_info' }
81
- end
82
- ```
83
-
84
- ## Examples
85
-
86
- The following examples show simple compliance tests using a single `control` block.
87
-
88
- ## Test System Event Log
89
-
90
- The following test shows how to audit machines running Windows 2012 R2 that password complexity is enabled:
91
-
92
- ```ruby
93
- control 'windows-account-102' do
94
- impact 1.0
95
- title 'Windows Password Complexity is Enabled'
96
- desc 'Password must meet complexity requirement'
97
- describe security_policy do
98
- its('PasswordComplexity') { should eq 1 }
99
- end
100
- end
101
- ```
102
-
103
- ## Are PosgtreSQL passwords empty?
104
-
105
- The following test shows how to audit machines running PostgreSQL to ensure that passwords are not empty.
106
-
107
- ```ruby
108
- control 'postgres-7' do
109
- impact 1.0
110
- title 'Don't allow empty passwords'
111
- describe postgres_session('user', 'pass').query("SELECT * FROM pg_shadow WHERE passwd IS NULL;") do
112
- its('output') { should eq('') }
113
- end
114
- end
115
- ```
116
-
117
- ## Are MySQL passwords in ENV?
118
-
119
- The following test shows how to audit machines running MySQL to ensure that passwords are not stored in `ENV`:
120
-
121
- ```ruby
122
- control 'mysql-3' do
123
- impact 1.0
124
- title 'Do not store your MySQL password in your ENV'
125
- desc '
126
- Storing credentials in your ENV may easily expose
127
- them to an attacker. Prevent this at all costs.
128
- '
129
- describe command('env') do
130
- its('stdout') { should_not match(/^MYSQL_PWD=/) }
131
- end
132
- end
133
- ```
134
-
135
- ## Is `/etc/ssh` a Directory?
136
-
137
- The following test shows how to audit machines to ensure that `/etc/ssh` is a directory:
138
-
139
- ```ruby
140
- control 'basic-1' do
141
- impact 1.0
142
- title '/etc/ssh should be a directory'
143
- desc '
144
- In order for OpenSSH to function correctly, its
145
- configuration path must be a folder.
146
- '
147
- describe file('/etc/ssh') do
148
- it { should be_directory }
149
- end
150
- end
151
- ```
152
-
153
- ## Is Apache running?
154
-
155
- The following test shows how to audit machines to ensure that Apache is enabled and running:
156
-
157
- ```ruby
158
- control 'apache-1' do
159
- impact 0.3
160
- title 'Apache2 should be configured and running'
161
- describe service(apache.service) do
162
- it { should be_enabled }
163
- it { should be_running }
164
- end
165
- end
166
- ```
167
-
168
- ## Are insecure packages installed ?
169
-
170
- The following test shows how to audit machines for insecure packages:
171
-
172
- ```ruby
173
- control 'cis-os-services-5.1.3' do
174
- impact 0.7
175
- title '5.1.3 Ensure rsh client is not installed'
176
-
177
- describe package('rsh') do
178
- it { should_not be_installed }
179
- end
180
-
181
- describe package('rsh-redone-client') do
182
- it { should_not be_installed }
183
- end
184
- end
185
- ```
186
-
187
- ## Test Windows Registry Keys
188
-
189
- The following test shows how to audit machines to ensure Safe DLL Search Mode is enabled:
190
-
191
- ```ruby
192
- control 'windows-base-101' do
193
- impact 1.0
194
- title 'Safe DLL Search Mode is Enabled'
195
- desc '
196
- @link: https://msdn.microsoft.com/en-us/library/ms682586(v=vs.85).aspx
197
- '
198
- describe registry_key('HKLM\\System\\CurrentControlSet\\Control\\Session Manager') do
199
- it { should exist }
200
- it { should_not have_property_value('SafeDllSearchMode', :type_dword, '0') }
201
- end
202
- end
203
- ```
204
-
205
- ## Exclude specific test
206
-
207
- This shows how to allow skipping certain tests if conditions are not met, by using `only_if`.
208
- In this example the test will not be performed if `redis-cli` command does not exist, because for example package on remote host was not installed.
209
-
210
- ```ruby
211
- control 'nutcracker-connect-redis-001' do
212
- impact 1.0
213
- title 'Check if nutcracker can pass commands to redis'
214
- desc 'execute redis-cli set key command, to check connectivity of the service'
215
-
216
- only_if do
217
- command('redis-cli').exist?
218
- end
219
-
220
- describe command('redis-cli SET test_inspec "HELLO"') do
221
- its(:stdout) { should match(/OK/) }
222
- end
223
- end
224
- ```
225
-
226
- Mixing this with other conditionals (like checking existence of the files etc.) can help to test different test paths using inspec. This way you can skip certain tests which would 100% fail due to the way servers are prepared, but you know that the same test suites are reused later in different circumstances by different teams.
227
-
228
- ## Additional metadata for controls
229
-
230
-
231
- The following example illustrates various ways to add tags and references to `control`
232
-
233
- ```ruby
234
- control 'ssh-1' do
235
- impact 1.0
236
-
237
- title 'Allow only SSH Protocol 2'
238
- desc 'Only SSH protocol version 2 connections should be permitted.
239
- The default setting in /etc/ssh/sshd_config is correct, and can be
240
- verified by ensuring that the following line appears: Protocol 2'
241
-
242
- tag 'production','development'
243
- tag 'ssh','sshd','openssh-server'
244
-
245
- tag cce: 'CCE-27072-8'
246
- tag disa: 'RHEL-06-000227'
247
-
248
- tag remediation: 'stig_rhel6/recipes/sshd-config.rb'
249
- tag remediation: 'https://supermarket.chef.io/cookbooks/ssh-hardening'
250
-
251
- ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
252
- ref 'http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/ssg-centos6-guide-C2S.html'
253
-
254
- describe ssh_config do
255
- its ('Protocol') { should eq '2'}
256
- end
257
- end
258
- ```
1
+ ---
2
+ title: InSpec DSL
3
+ ---
4
+
5
+ # InSpec DSL
6
+
7
+ InSpec is a run-time framework and rule language used to specify compliance, security, and policy requirements. It includes a collection of resources that help you write auditing controls quickly and easily. The syntax used by both open source and |chef compliance| auditing is the same. The open source |inspec resource| framework is compatible with |chef compliance|.
8
+
9
+ The InSpec DSL is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke.
10
+
11
+ The following sections describe the syntax and show some simple examples of using the InSpec resources.
12
+
13
+ ## Syntax
14
+
15
+ The following resource tests |ssh| server configuration. For example, a simple control may described as:
16
+
17
+ ```ruby
18
+ describe sshd_config do
19
+ its('Port') { should eq('22') }
20
+ end
21
+ ```
22
+
23
+ In various use cases like implementing IT compliance across different departments, it becomes handy to extend the control with metadata. Each control may define an additional ``impact``, ``title`` or ``desc``. An example looks like:
24
+
25
+ ```ruby
26
+ control 'sshd-8' do
27
+ impact 0.6
28
+ title 'Server: Configure the service port'
29
+ desc '
30
+ Always specify which port the SSH server should listen to.
31
+ Prevent unexpected settings.
32
+ '
33
+ tag 'ssh','sshd','openssh-server'
34
+ tag cce: 'CCE-27072-8'
35
+ ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
36
+
37
+ describe sshd_config do
38
+ its('Port') { should eq('22') }
39
+ end
40
+ end
41
+ ```
42
+
43
+ where
44
+
45
+ * `'sshd-8'` is the name of the control
46
+ * `impact`, `title`, and `desc` define metadata that fully describes the importance of the control, its purpose, with a succinct and complete description
47
+ * `impact` is an float that measures the importance of the compliance results and must be a value between `0.0` and `1.0`. The value ranges are:
48
+ * `0.0 to <0.4` these are controls with minor criticality
49
+ * `0.4 to <0.7` these are controls with major criticality
50
+ * `0.7 to 1.0` these are critical controls
51
+ * `tag` is optional meta-information with with key or key-value pairs
52
+ * `ref` is a reference to an external document
53
+ * `describe` is a block that contains at least one test. A `control` block must contain at least one `describe` block, but may contain as many as required
54
+ * `sshd_config` is an InSpec resource. For the full list of InSpec resources, see InSpec resource documentation
55
+ * `its('Port')` is the matcher; `{ should eq('22') }` is the test. A `describe` block must contain at least one matcher, but may contain as many as required
56
+
57
+
58
+ ## Advanced concepts
59
+
60
+ With inspec it is possible to check if at least one of a collection of checks is true. For example: If a setting is configured in two different locations, you may want to test if either configuration A or configuration B have been set. This is accomplished via `describe.one`. It defines a block of tests with at least one valid check.
61
+
62
+ ```ruby
63
+ describe.one do
64
+ describe ConfigurationA do
65
+ its('setting_1') { should eq true }
66
+ end
67
+
68
+ describe ConfigurationB do
69
+ its('setting_2') { should eq true }
70
+ end
71
+ end
72
+ ```
73
+
74
+ #### Sensitive resources
75
+
76
+ In some scenarios, you may be writing checks involving resources with sensitive content (e.g. a file resource). In the case of failures, it may be desired to suppress output. This can be done by adding the `:sensitive` flag to the resource definition
77
+
78
+ ```ruby
79
+ describe file('/tmp/mysecretfile'), :sensitive do
80
+ its('content') { should contain 'secret_info' }
81
+ end
82
+ ```
83
+
84
+ ## Examples
85
+
86
+ The following examples show simple compliance tests using a single `control` block.
87
+
88
+ ## Test System Event Log
89
+
90
+ The following test shows how to audit machines running Windows 2012 R2 that password complexity is enabled:
91
+
92
+ ```ruby
93
+ control 'windows-account-102' do
94
+ impact 1.0
95
+ title 'Windows Password Complexity is Enabled'
96
+ desc 'Password must meet complexity requirement'
97
+ describe security_policy do
98
+ its('PasswordComplexity') { should eq 1 }
99
+ end
100
+ end
101
+ ```
102
+
103
+ ## Are PosgtreSQL passwords empty?
104
+
105
+ The following test shows how to audit machines running PostgreSQL to ensure that passwords are not empty.
106
+
107
+ ```ruby
108
+ control 'postgres-7' do
109
+ impact 1.0
110
+ title 'Don't allow empty passwords'
111
+ describe postgres_session('user', 'pass').query("SELECT * FROM pg_shadow WHERE passwd IS NULL;") do
112
+ its('output') { should eq('') }
113
+ end
114
+ end
115
+ ```
116
+
117
+ ## Are MySQL passwords in ENV?
118
+
119
+ The following test shows how to audit machines running MySQL to ensure that passwords are not stored in `ENV`:
120
+
121
+ ```ruby
122
+ control 'mysql-3' do
123
+ impact 1.0
124
+ title 'Do not store your MySQL password in your ENV'
125
+ desc '
126
+ Storing credentials in your ENV may easily expose
127
+ them to an attacker. Prevent this at all costs.
128
+ '
129
+ describe command('env') do
130
+ its('stdout') { should_not match(/^MYSQL_PWD=/) }
131
+ end
132
+ end
133
+ ```
134
+
135
+ ## Is `/etc/ssh` a Directory?
136
+
137
+ The following test shows how to audit machines to ensure that `/etc/ssh` is a directory:
138
+
139
+ ```ruby
140
+ control 'basic-1' do
141
+ impact 1.0
142
+ title '/etc/ssh should be a directory'
143
+ desc '
144
+ In order for OpenSSH to function correctly, its
145
+ configuration path must be a folder.
146
+ '
147
+ describe file('/etc/ssh') do
148
+ it { should be_directory }
149
+ end
150
+ end
151
+ ```
152
+
153
+ ## Is Apache running?
154
+
155
+ The following test shows how to audit machines to ensure that Apache is enabled and running:
156
+
157
+ ```ruby
158
+ control 'apache-1' do
159
+ impact 0.3
160
+ title 'Apache2 should be configured and running'
161
+ describe service(apache.service) do
162
+ it { should be_enabled }
163
+ it { should be_running }
164
+ end
165
+ end
166
+ ```
167
+
168
+ ## Are insecure packages installed ?
169
+
170
+ The following test shows how to audit machines for insecure packages:
171
+
172
+ ```ruby
173
+ control 'cis-os-services-5.1.3' do
174
+ impact 0.7
175
+ title '5.1.3 Ensure rsh client is not installed'
176
+
177
+ describe package('rsh') do
178
+ it { should_not be_installed }
179
+ end
180
+
181
+ describe package('rsh-redone-client') do
182
+ it { should_not be_installed }
183
+ end
184
+ end
185
+ ```
186
+
187
+ ## Test Windows Registry Keys
188
+
189
+ The following test shows how to audit machines to ensure Safe DLL Search Mode is enabled:
190
+
191
+ ```ruby
192
+ control 'windows-base-101' do
193
+ impact 1.0
194
+ title 'Safe DLL Search Mode is Enabled'
195
+ desc '
196
+ @link: https://msdn.microsoft.com/en-us/library/ms682586(v=vs.85).aspx
197
+ '
198
+ describe registry_key('HKLM\\System\\CurrentControlSet\\Control\\Session Manager') do
199
+ it { should exist }
200
+ it { should_not have_property_value('SafeDllSearchMode', :type_dword, '0') }
201
+ end
202
+ end
203
+ ```
204
+
205
+ ## Exclude specific test
206
+
207
+ This shows how to allow skipping certain tests if conditions are not met, by using `only_if`.
208
+ In this example the test will not be performed if `redis-cli` command does not exist, because for example package on remote host was not installed.
209
+
210
+ ```ruby
211
+ control 'nutcracker-connect-redis-001' do
212
+ impact 1.0
213
+ title 'Check if nutcracker can pass commands to redis'
214
+ desc 'execute redis-cli set key command, to check connectivity of the service'
215
+
216
+ only_if do
217
+ command('redis-cli').exist?
218
+ end
219
+
220
+ describe command('redis-cli SET test_inspec "HELLO"') do
221
+ its(:stdout) { should match(/OK/) }
222
+ end
223
+ end
224
+ ```
225
+
226
+ Mixing this with other conditionals (like checking existence of the files etc.) can help to test different test paths using inspec. This way you can skip certain tests which would 100% fail due to the way servers are prepared, but you know that the same test suites are reused later in different circumstances by different teams.
227
+
228
+ ## Additional metadata for controls
229
+
230
+
231
+ The following example illustrates various ways to add tags and references to `control`
232
+
233
+ ```ruby
234
+ control 'ssh-1' do
235
+ impact 1.0
236
+
237
+ title 'Allow only SSH Protocol 2'
238
+ desc 'Only SSH protocol version 2 connections should be permitted.
239
+ The default setting in /etc/ssh/sshd_config is correct, and can be
240
+ verified by ensuring that the following line appears: Protocol 2'
241
+
242
+ tag 'production','development'
243
+ tag 'ssh','sshd','openssh-server'
244
+
245
+ tag cce: 'CCE-27072-8'
246
+ tag disa: 'RHEL-06-000227'
247
+
248
+ tag remediation: 'stig_rhel6/recipes/sshd-config.rb'
249
+ tag remediation: 'https://supermarket.chef.io/cookbooks/ssh-hardening'
250
+
251
+ ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
252
+ ref 'http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/ssg-centos6-guide-C2S.html'
253
+
254
+ describe ssh_config do
255
+ its ('Protocol') { should eq '2'}
256
+ end
257
+ end
258
+ ```