RubyGems - inspec - Versions diffs - 1.51.25 → 2.0.16 - Mend

inspec 1.51.25 → 2.0.16

Files changed (482) hide show

checksums.yaml +4 -4
data/.rubocop.yml +1 -1
data/CHANGELOG.md +24 -19
data/Gemfile +3 -1
data/LICENSE +0 -0
data/MAINTAINERS.md +0 -0
data/MAINTAINERS.toml +0 -0
data/README.md +22 -3
data/Rakefile +117 -0
data/docs/.gitignore +0 -0
data/docs/README.md +0 -0
data/docs/dsl_inspec.md +0 -0
data/docs/dsl_resource.md +0 -0
data/docs/glossary.md +0 -0
data/docs/habitat.md +0 -0
data/docs/inspec_and_friends.md +0 -0
data/docs/matchers.md +0 -0
data/docs/migration.md +0 -0
data/docs/platforms.md +119 -0
data/docs/plugin_kitchen_inspec.md +0 -0
data/docs/profiles.md +0 -0
data/docs/reporters.md +0 -0
data/docs/resources/aide_conf.md.erb +6 -8
data/docs/resources/apache.md.erb +2 -1
data/docs/resources/apache_conf.md.erb +2 -1
data/docs/resources/apt.md.erb +2 -1
data/docs/resources/audit_policy.md.erb +3 -2
data/docs/resources/auditd.md.erb +2 -1
data/docs/resources/auditd_conf.md.erb +3 -3
data/docs/resources/aws_cloudtrail_trail.md.erb +140 -0
data/docs/resources/aws_cloudtrail_trails.md.erb +81 -0
data/docs/resources/aws_cloudwatch_alarm.md.erb +86 -0
data/docs/resources/aws_cloudwatch_log_metric_filter.md.erb +151 -0
data/docs/resources/aws_ec2_instance.md.erb +106 -0
data/docs/resources/aws_iam_access_key.md.erb +123 -0
data/docs/resources/aws_iam_access_keys.md.erb +198 -0
data/docs/resources/aws_iam_group.md.erb +46 -0
data/docs/resources/aws_iam_groups.md.erb +43 -0
data/docs/resources/aws_iam_password_policy.md.erb +76 -0
data/docs/resources/aws_iam_policies.md.erb +82 -0
data/docs/resources/aws_iam_policy.md.erb +146 -0
data/docs/resources/aws_iam_role.md.erb +65 -0
data/docs/resources/aws_iam_root_user.md.erb +58 -0
data/docs/resources/aws_iam_user.md.erb +64 -0
data/docs/resources/aws_iam_users.md.erb +90 -0
data/docs/resources/aws_kms_keys.md.erb +84 -0
data/docs/resources/aws_route_table.md.erb +47 -0
data/docs/resources/aws_s3_bucket.md.erb +134 -0
data/docs/resources/aws_security_group.md.erb +152 -0
data/docs/resources/aws_security_groups.md.erb +92 -0
data/docs/resources/aws_sns_topic.md.erb +63 -0
data/docs/resources/aws_subnet.md.erb +134 -0
data/docs/resources/aws_subnets.md.erb +126 -0
data/docs/resources/aws_vpc.md.erb +120 -0
data/docs/resources/aws_vpcs.md.erb +48 -0
data/docs/resources/azure_generic_resource.md.erb +140 -0
data/docs/resources/azure_resource_group.md.erb +284 -0
data/docs/resources/azure_virtual_machine.md.erb +314 -0
data/docs/resources/azure_virtual_machine_data_disk.md.erb +182 -0
data/docs/resources/bash.md.erb +2 -1
data/docs/resources/bond.md.erb +2 -1
data/docs/resources/bridge.md.erb +5 -2
data/docs/resources/bsd_service.md.erb +3 -1
data/docs/resources/command.md.erb +2 -1
data/docs/resources/cpan.md.erb +4 -3
data/docs/resources/cran.md.erb +2 -1
data/docs/resources/crontab.md.erb +2 -1
data/docs/resources/csv.md.erb +2 -1
data/docs/resources/dh_params.md.erb +2 -1
data/docs/resources/directory.md.erb +4 -2
data/docs/resources/docker.md.erb +2 -1
data/docs/resources/docker_container.md.erb +5 -2
data/docs/resources/docker_image.md.erb +2 -1
data/docs/resources/docker_service.md.erb +2 -1
data/docs/resources/elasticsearch.md.erb +12 -1
data/docs/resources/etc_fstab.md.erb +2 -1
data/docs/resources/etc_group.md.erb +2 -1
data/docs/resources/etc_hosts.md.erb +4 -1
data/docs/resources/etc_hosts_allow.md.erb +2 -1
data/docs/resources/etc_hosts_deny.md.erb +2 -1
data/docs/resources/file.md.erb +6 -3
data/docs/resources/filesystem.md.erb +2 -1
data/docs/resources/firewalld.md.erb +4 -3
data/docs/resources/gem.md.erb +2 -1
data/docs/resources/group.md.erb +2 -1
data/docs/resources/grub_conf.md.erb +2 -2
data/docs/resources/host.md.erb +2 -1
data/docs/resources/http.md.erb +4 -7
data/docs/resources/iis_app.md.erb +3 -1
data/docs/resources/iis_site.md.erb +4 -1
data/docs/resources/inetd_conf.md.erb +2 -3
data/docs/resources/ini.md.erb +6 -2
data/docs/resources/interface.md.erb +5 -2
data/docs/resources/iptables.md.erb +2 -1
data/docs/resources/json.md.erb +2 -1
data/docs/resources/kernel_module.md.erb +2 -1
data/docs/resources/kernel_parameter.md.erb +3 -3
data/docs/resources/key_rsa.md.erb +5 -3
data/docs/resources/launchd_service.md.erb +2 -1
data/docs/resources/limits_conf.md.erb +4 -2
data/docs/resources/login_def.md.erb +2 -2
data/docs/resources/mount.md.erb +2 -1
data/docs/resources/mssql_session.md.erb +2 -1
data/docs/resources/mysql_conf.md.erb +2 -1
data/docs/resources/mysql_session.md.erb +2 -1
data/docs/resources/nginx.md.erb +1 -0
data/docs/resources/nginx_conf.md.erb +2 -1
data/docs/resources/npm.md.erb +2 -1
data/docs/resources/ntp_conf.md.erb +2 -1
data/docs/resources/oneget.md.erb +2 -1
data/docs/resources/oracledb_session.md.erb +2 -1
data/docs/resources/os.md.erb +4 -3
data/docs/resources/os_env.md.erb +2 -1
data/docs/resources/package.md.erb +3 -2
data/docs/resources/packages.md.erb +2 -1
data/docs/resources/parse_config.md.erb +2 -1
data/docs/resources/parse_config_file.md.erb +3 -2
data/docs/resources/passwd.md.erb +2 -1
data/docs/resources/pip.md.erb +2 -1
data/docs/resources/port.md.erb +2 -1
data/docs/resources/postgres_conf.md.erb +2 -1
data/docs/resources/postgres_hba_conf.md.erb +2 -1
data/docs/resources/postgres_ident_conf.md.erb +2 -1
data/docs/resources/postgres_session.md.erb +2 -1
data/docs/resources/powershell.md.erb +2 -1
data/docs/resources/processes.md.erb +3 -1
data/docs/resources/rabbitmq_config.md.erb +2 -1
data/docs/resources/registry_key.md.erb +2 -1
data/docs/resources/runit_service.md.erb +2 -1
data/docs/resources/security_policy.md.erb +2 -1
data/docs/resources/service.md.erb +2 -1
data/docs/resources/shadow.md.erb +2 -1
data/docs/resources/ssh_config.md.erb +2 -1
data/docs/resources/sshd_config.md.erb +2 -1
data/docs/resources/ssl.md.erb +2 -1
data/docs/resources/sys_info.md.erb +2 -1
data/docs/resources/systemd_service.md.erb +2 -1
data/docs/resources/sysv_service.md.erb +2 -1
data/docs/resources/upstart_service.md.erb +2 -1
data/docs/resources/user.md.erb +3 -1
data/docs/resources/users.md.erb +2 -1
data/docs/resources/vbscript.md.erb +2 -1
data/docs/resources/virtualization.md.erb +2 -1
data/docs/resources/windows_feature.md.erb +2 -1
data/docs/resources/windows_hotfix.md.erb +2 -1
data/docs/resources/windows_task.md.erb +49 -43
data/docs/resources/wmi.md.erb +2 -1
data/docs/resources/x509_certificate.md.erb +1 -0
data/docs/resources/xinetd_conf.md.erb +2 -1
data/docs/resources/xml.md.erb +2 -1
data/docs/resources/yaml.md.erb +2 -1
data/docs/resources/yum.md.erb +2 -1
data/docs/resources/zfs_dataset.md.erb +2 -1
data/docs/resources/zfs_pool.md.erb +2 -1
data/docs/ruby_usage.md +0 -0
data/docs/shared/matcher_be.md.erb +0 -0
data/docs/shared/matcher_cmp.md.erb +0 -0
data/docs/shared/matcher_eq.md.erb +0 -0
data/docs/shared/matcher_include.md.erb +0 -0
data/docs/shared/matcher_match.md.erb +0 -0
data/docs/shell.md +0 -0
data/examples/README.md +0 -0
data/examples/inheritance/README.md +0 -0
data/examples/inheritance/controls/example.rb +0 -0
data/examples/inheritance/inspec.yml +0 -0
data/examples/kitchen-ansible/.kitchen.yml +0 -0
data/examples/kitchen-ansible/Gemfile +0 -0
data/examples/kitchen-ansible/README.md +0 -0
data/examples/kitchen-ansible/files/nginx.repo +0 -0
data/examples/kitchen-ansible/tasks/main.yml +0 -0
data/examples/kitchen-ansible/test/integration/default/default.yml +0 -0
data/examples/kitchen-ansible/test/integration/default/web_spec.rb +0 -0
data/examples/kitchen-chef/.kitchen.yml +0 -0
data/examples/kitchen-chef/Berksfile +0 -0
data/examples/kitchen-chef/Gemfile +0 -0
data/examples/kitchen-chef/README.md +0 -0
data/examples/kitchen-chef/metadata.rb +0 -0
data/examples/kitchen-chef/recipes/default.rb +0 -0
data/examples/kitchen-chef/recipes/nginx.rb +0 -0
data/examples/kitchen-chef/test/integration/default/web_spec.rb +0 -0
data/examples/kitchen-puppet/.kitchen.yml +0 -0
data/examples/kitchen-puppet/Gemfile +0 -0
data/examples/kitchen-puppet/Puppetfile +0 -0
data/examples/kitchen-puppet/README.md +0 -0
data/examples/kitchen-puppet/manifests/site.pp +0 -0
data/examples/kitchen-puppet/metadata.json +0 -0
data/examples/kitchen-puppet/test/integration/default/web_spec.rb +0 -0
data/examples/meta-profile/README.md +0 -0
data/examples/meta-profile/controls/example.rb +0 -0
data/examples/meta-profile/inspec.yml +0 -0
data/examples/profile-attribute.yml +0 -0
data/examples/profile-attribute/README.md +0 -0
data/examples/profile-attribute/controls/example.rb +0 -0
data/examples/profile-attribute/inspec.yml +0 -0
data/examples/profile-aws/controls/iam_password_policy_expiration.rb +8 -0
data/examples/profile-aws/controls/iam_password_policy_max_age.rb +8 -0
data/examples/profile-aws/controls/iam_root_user_mfa.rb +8 -0
data/examples/profile-aws/controls/iam_users_access_key_age.rb +8 -0
data/examples/profile-aws/controls/iam_users_console_users_mfa.rb +8 -0
data/examples/profile-aws/inspec.yml +11 -0
data/examples/profile-azure/controls/azure_resource_group_example.rb +24 -0
data/examples/profile-azure/controls/azure_vm_example.rb +29 -0
data/examples/profile-azure/inspec.yml +11 -0
data/examples/profile-sensitive/README.md +0 -0
data/examples/profile-sensitive/controls/sensitive-failures.rb +0 -0
data/examples/profile-sensitive/controls/sensitive.rb +0 -0
data/examples/profile-sensitive/inspec.yml +0 -0
data/examples/profile/README.md +0 -0
data/examples/profile/controls/example.rb +0 -0
data/examples/profile/controls/gordon.rb +0 -0
data/examples/profile/controls/meta.rb +0 -0
data/examples/profile/inspec.yml +0 -0
data/examples/profile/libraries/gordon_config.rb +0 -0
data/inspec.gemspec +1 -1
data/lib/bundles/README.md +0 -0
data/lib/bundles/inspec-artifact.rb +0 -0
data/lib/bundles/inspec-artifact/README.md +0 -0
data/lib/bundles/inspec-artifact/cli.rb +0 -0
data/lib/bundles/inspec-compliance.rb +0 -0
data/lib/bundles/inspec-compliance/.kitchen.yml +0 -0
data/lib/bundles/inspec-compliance/README.md +0 -0
data/lib/bundles/inspec-compliance/api/login.rb +0 -0
data/lib/bundles/inspec-compliance/bootstrap.sh +0 -0
data/lib/bundles/inspec-compliance/cli.rb +12 -35
data/lib/bundles/inspec-compliance/configuration.rb +0 -0
data/lib/bundles/inspec-compliance/http.rb +0 -0
data/lib/bundles/inspec-compliance/images/cc-token.png +0 -0
data/lib/bundles/inspec-compliance/support.rb +0 -0
data/lib/bundles/inspec-compliance/target.rb +0 -0
data/lib/bundles/inspec-compliance/test/integration/default/cli.rb +0 -0
data/lib/bundles/inspec-habitat.rb +0 -0
data/lib/bundles/inspec-habitat/cli.rb +0 -0
data/lib/bundles/inspec-habitat/log.rb +0 -0
data/lib/bundles/inspec-habitat/profile.rb +0 -0
data/lib/bundles/inspec-init.rb +0 -0
data/lib/bundles/inspec-init/README.md +0 -0
data/lib/bundles/inspec-init/cli.rb +0 -0
data/lib/bundles/inspec-init/templates/profile/README.md +0 -0
data/lib/bundles/inspec-init/templates/profile/controls/example.rb +1 -1
data/lib/bundles/inspec-init/templates/profile/inspec.yml +0 -0
data/lib/bundles/inspec-init/templates/profile/libraries/.gitkeep +0 -0
data/lib/bundles/inspec-supermarket.rb +0 -0
data/lib/bundles/inspec-supermarket/README.md +0 -0
data/lib/bundles/inspec-supermarket/api.rb +0 -0
data/lib/bundles/inspec-supermarket/cli.rb +11 -3
data/lib/bundles/inspec-supermarket/target.rb +0 -0
data/lib/fetchers/git.rb +0 -0
data/lib/fetchers/local.rb +0 -0
data/lib/fetchers/mock.rb +0 -0
data/lib/fetchers/url.rb +0 -0
data/lib/inspec.rb +0 -0
data/lib/inspec/archive/tar.rb +0 -0
data/lib/inspec/archive/zip.rb +0 -0
data/lib/inspec/backend.rb +0 -0
data/lib/inspec/base_cli.rb +2 -4
data/lib/inspec/cached_fetcher.rb +0 -0
data/lib/inspec/cli.rb +15 -11
data/lib/inspec/completions/bash.sh.erb +0 -0
data/lib/inspec/completions/fish.sh.erb +0 -0
data/lib/inspec/completions/zsh.sh.erb +0 -0
data/lib/inspec/control_eval_context.rb +0 -0
data/lib/inspec/dependencies/cache.rb +0 -0
data/lib/inspec/dependencies/dependency_set.rb +0 -0
data/lib/inspec/dependencies/lockfile.rb +0 -0
data/lib/inspec/dependencies/requirement.rb +0 -0
data/lib/inspec/dependencies/resolver.rb +0 -0
data/lib/inspec/describe.rb +0 -0
data/lib/inspec/dsl.rb +0 -0
data/lib/inspec/dsl_shared.rb +0 -0
data/lib/inspec/env_printer.rb +0 -0
data/lib/inspec/errors.rb +0 -0
data/lib/inspec/exceptions.rb +0 -0
data/lib/inspec/expect.rb +0 -0
data/lib/inspec/fetcher.rb +0 -0
data/lib/inspec/file_provider.rb +0 -0
data/lib/inspec/formatters.rb +0 -0
data/lib/inspec/formatters/base.rb +43 -1
data/lib/inspec/formatters/json_rspec.rb +0 -0
data/lib/inspec/formatters/show_progress.rb +0 -0
data/lib/inspec/library_eval_context.rb +0 -0
data/lib/inspec/log.rb +0 -0
data/lib/inspec/metadata.rb +3 -9
data/lib/inspec/method_source.rb +0 -0
data/lib/inspec/objects.rb +0 -0
data/lib/inspec/objects/attribute.rb +0 -0
data/lib/inspec/objects/control.rb +0 -0
data/lib/inspec/objects/describe.rb +0 -0
data/lib/inspec/objects/each_loop.rb +0 -0
data/lib/inspec/objects/list.rb +0 -0
data/lib/inspec/objects/or_test.rb +0 -0
data/lib/inspec/objects/ruby_helper.rb +0 -0
data/lib/inspec/objects/tag.rb +0 -0
data/lib/inspec/objects/test.rb +0 -0
data/lib/inspec/objects/value.rb +0 -0
data/lib/inspec/plugins.rb +0 -0
data/lib/inspec/plugins/cli.rb +0 -0
data/lib/inspec/plugins/fetcher.rb +0 -0
data/lib/inspec/plugins/resource.rb +10 -9
data/lib/inspec/plugins/secret.rb +0 -0
data/lib/inspec/plugins/source_reader.rb +0 -0
data/lib/inspec/polyfill.rb +0 -0
data/lib/inspec/profile.rb +0 -0
data/lib/inspec/profile_context.rb +0 -0
data/lib/inspec/profile_vendor.rb +0 -0
data/lib/inspec/reporters.rb +0 -0
data/lib/inspec/reporters/base.rb +0 -0
data/lib/inspec/reporters/cli.rb +12 -51
data/lib/inspec/reporters/json.rb +3 -26
data/lib/inspec/reporters/json_min.rb +0 -0
data/lib/inspec/reporters/junit.rb +0 -0
data/lib/inspec/require_loader.rb +0 -0
data/lib/inspec/resource.rb +11 -1
data/lib/inspec/rule.rb +0 -0
data/lib/inspec/runner.rb +10 -8
data/lib/inspec/runner_mock.rb +0 -0
data/lib/inspec/runner_rspec.rb +18 -2
data/lib/inspec/runtime_profile.rb +0 -0
data/lib/inspec/schema.rb +25 -4
data/lib/inspec/secrets.rb +0 -0
data/lib/inspec/secrets/yaml.rb +0 -0
data/lib/inspec/shell.rb +0 -0
data/lib/inspec/shell_detector.rb +0 -0
data/lib/inspec/source_reader.rb +0 -0
data/lib/inspec/version.rb +1 -1
data/lib/matchers/matchers.rb +1 -59
data/lib/resource_support/aws.rb +40 -0
data/lib/resource_support/aws/aws_backend_base.rb +12 -0
data/lib/resource_support/aws/aws_backend_factory_mixin.rb +12 -0
data/lib/resource_support/aws/aws_plural_resource_mixin.rb +21 -0
data/lib/resource_support/aws/aws_resource_mixin.rb +66 -0
data/lib/resource_support/aws/aws_singular_resource_mixin.rb +24 -0
data/lib/resources/aide_conf.rb +1 -1
data/lib/resources/apache.rb +1 -2
data/lib/resources/apache_conf.rb +2 -4
data/lib/resources/apt.rb +1 -2
data/lib/resources/audit_policy.rb +1 -2
data/lib/resources/auditd.rb +1 -3
data/lib/resources/auditd_conf.rb +1 -2
data/lib/resources/aws/aws_cloudtrail_trail.rb +77 -0
data/lib/resources/aws/aws_cloudtrail_trails.rb +47 -0
data/lib/resources/aws/aws_cloudwatch_alarm.rb +62 -0
data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb +100 -0
data/lib/resources/aws/aws_ec2_instance.rb +157 -0
data/lib/resources/aws/aws_iam_access_key.rb +106 -0
data/lib/resources/aws/aws_iam_access_keys.rb +144 -0
data/lib/resources/aws/aws_iam_group.rb +56 -0
data/lib/resources/aws/aws_iam_groups.rb +45 -0
data/lib/resources/aws/aws_iam_password_policy.rb +116 -0
data/lib/resources/aws/aws_iam_policies.rb +46 -0
data/lib/resources/aws/aws_iam_policy.rb +119 -0
data/lib/resources/aws/aws_iam_role.rb +51 -0
data/lib/resources/aws/aws_iam_root_user.rb +60 -0
data/lib/resources/aws/aws_iam_user.rb +111 -0
data/lib/resources/aws/aws_iam_users.rb +96 -0
data/lib/resources/aws/aws_kms_keys.rb +46 -0
data/lib/resources/aws/aws_route_table.rb +61 -0
data/lib/resources/aws/aws_s3_bucket.rb +115 -0
data/lib/resources/aws/aws_security_group.rb +93 -0
data/lib/resources/aws/aws_security_groups.rb +68 -0
data/lib/resources/aws/aws_sns_topic.rb +53 -0
data/lib/resources/aws/aws_subnet.rb +88 -0
data/lib/resources/aws/aws_subnets.rb +53 -0
data/lib/resources/aws/aws_vpc.rb +69 -0
data/lib/resources/aws/aws_vpcs.rb +45 -0
data/lib/resources/azure/azure_backend.rb +377 -0
data/lib/resources/azure/azure_generic_resource.rb +59 -0
data/lib/resources/azure/azure_resource_group.rb +152 -0
data/lib/resources/azure/azure_virtual_machine.rb +264 -0
data/lib/resources/azure/azure_virtual_machine_data_disk.rb +136 -0
data/lib/resources/bash.rb +1 -2
data/lib/resources/bond.rb +1 -2
data/lib/resources/bridge.rb +1 -2
data/lib/resources/command.rb +2 -2
data/lib/resources/cpan.rb +1 -3
data/lib/resources/cran.rb +1 -3
data/lib/resources/crontab.rb +1 -0
data/lib/resources/csv.rb +4 -2
data/lib/resources/dh_params.rb +1 -2
data/lib/resources/directory.rb +2 -2
data/lib/resources/docker.rb +1 -4
data/lib/resources/docker_container.rb +1 -4
data/lib/resources/docker_image.rb +1 -4
data/lib/resources/docker_object.rb +0 -0
data/lib/resources/docker_service.rb +1 -5
data/lib/resources/elasticsearch.rb +1 -0
data/lib/resources/etc_fstab.rb +1 -1
data/lib/resources/etc_group.rb +1 -2
data/lib/resources/etc_hosts.rb +1 -1
data/lib/resources/etc_hosts_allow_deny.rb +2 -1
data/lib/resources/file.rb +2 -2
data/lib/resources/filesystem.rb +1 -1
data/lib/resources/firewalld.rb +1 -1
data/lib/resources/gem.rb +2 -3
data/lib/resources/groups.rb +4 -2
data/lib/resources/grub_conf.rb +1 -1
data/lib/resources/host.rb +2 -2
data/lib/resources/http.rb +20 -22
data/lib/resources/iis_app.rb +1 -0
data/lib/resources/iis_site.rb +1 -0
data/lib/resources/inetd_conf.rb +1 -2
data/lib/resources/ini.rb +2 -2
data/lib/resources/interface.rb +2 -3
data/lib/resources/iptables.rb +1 -2
data/lib/resources/json.rb +4 -2
data/lib/resources/kernel_module.rb +1 -4
data/lib/resources/kernel_parameter.rb +1 -1
data/lib/resources/key_rsa.rb +2 -2
data/lib/resources/limits_conf.rb +1 -2
data/lib/resources/login_def.rb +1 -2
data/lib/resources/mount.rb +1 -3
data/lib/resources/mssql_session.rb +1 -3
data/lib/resources/mysql.rb +1 -2
data/lib/resources/mysql_conf.rb +2 -1
data/lib/resources/mysql_session.rb +2 -3
data/lib/resources/nginx.rb +1 -2
data/lib/resources/nginx_conf.rb +1 -2
data/lib/resources/npm.rb +2 -2
data/lib/resources/ntp_conf.rb +1 -2
data/lib/resources/oneget.rb +1 -2
data/lib/resources/oracledb_session.rb +2 -3
data/lib/resources/os.rb +2 -12
data/lib/resources/os_env.rb +2 -2
data/lib/resources/package.rb +2 -2
data/lib/resources/packages.rb +1 -2
data/lib/resources/parse_config.rb +2 -2
data/lib/resources/passwd.rb +1 -23
data/lib/resources/pip.rb +2 -2
data/lib/resources/platform.rb +19 -22
data/lib/resources/port.rb +2 -2
data/lib/resources/postgres.rb +1 -3
data/lib/resources/postgres_conf.rb +2 -3
data/lib/resources/postgres_hba_conf.rb +1 -2
data/lib/resources/postgres_ident_conf.rb +1 -2
data/lib/resources/postgres_session.rb +2 -3
data/lib/resources/powershell.rb +1 -2
data/lib/resources/processes.rb +2 -2
data/lib/resources/rabbitmq_conf.rb +1 -2
data/lib/resources/registry_key.rb +1 -1
data/lib/resources/security_policy.rb +1 -2
data/lib/resources/service.rb +8 -3
data/lib/resources/shadow.rb +1 -2
data/lib/resources/ssh_conf.rb +2 -2
data/lib/resources/ssl.rb +2 -2
data/lib/resources/sys_info.rb +2 -0
data/lib/resources/toml.rb +0 -0
data/lib/resources/users.rb +4 -2
data/lib/resources/vbscript.rb +1 -2
data/lib/resources/virtualization.rb +1 -1
data/lib/resources/windows_feature.rb +1 -2
data/lib/resources/windows_hotfix.rb +1 -1
data/lib/resources/windows_task.rb +1 -2
data/lib/resources/wmi.rb +1 -2
data/lib/resources/x509_certificate.rb +2 -2
data/lib/resources/xinetd.rb +1 -2
data/lib/resources/xml.rb +2 -1
data/lib/resources/yaml.rb +4 -2
data/lib/resources/yum.rb +1 -2
data/lib/resources/zfs_dataset.rb +1 -1
data/lib/resources/zfs_pool.rb +1 -1
data/lib/source_readers/flat.rb +0 -0
data/lib/source_readers/inspec.rb +0 -0
data/lib/utils/command_wrapper.rb +0 -0
data/lib/utils/convert.rb +0 -0
data/lib/utils/database_helpers.rb +0 -0
data/lib/utils/erlang_parser.rb +0 -0
data/lib/utils/filter.rb +0 -0
data/lib/utils/filter_array.rb +0 -0
data/lib/utils/find_files.rb +0 -0
data/lib/utils/hash.rb +0 -0
data/lib/utils/json_log.rb +0 -0
data/lib/utils/latest_version.rb +0 -0
data/lib/utils/modulator.rb +0 -0
data/lib/utils/nginx_parser.rb +0 -0
data/lib/utils/object_traversal.rb +0 -0
data/lib/utils/parser.rb +0 -0
data/lib/utils/plugin_registry.rb +0 -0
data/lib/utils/simpleconfig.rb +0 -12
data/lib/utils/spdx.rb +0 -0
data/lib/utils/spdx.txt +0 -0
metadata +81 -6
data/docs/resources/auditd_rules.md.erb +0 -116
data/lib/resources/auditd_rules.rb +0 -205

@@ -1,11 +1,10 @@
 # encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
-# author: Christoph Hartmann
-# author: Dominik Richter
 module Inspec::Resources
   class Apache < Inspec.resource(1)
     name 'apache'
+    supports platform: 'unix'
     desc 'Use the apache InSpec audit resource to retrieve Apache environment settings.'
     example "
       describe apache do

data/lib/resources/apache_conf.rb CHANGED

@@ -1,7 +1,5 @@
 # encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
-# author: Dominik Richter
-# author: Christoph Hartmann
 require 'utils/simpleconfig'
 require 'utils/find_files'
@@ -9,8 +7,8 @@ require 'utils/find_files'
 module Inspec::Resources
   class ApacheConf < Inspec.resource(1)
     name 'apache_conf'
-    supports os_family: 'linux'
-    supports os_family: 'debian'
+    supports platform: 'linux'
+    supports platform: 'debian'
     desc 'Use the apache_conf InSpec audit resource to test the configuration settings for Apache. This file is typically located under /etc/apache2 on the Debian and Ubuntu platforms and under /etc/httpd on the Fedora, CentOS, Red Hat Enterprise Linux, and Arch Linux platforms. The configuration settings may vary significantly from platform to platform.'
     example "
       describe apache_conf do

data/lib/resources/apt.rb CHANGED

@@ -1,6 +1,4 @@
 # encoding: utf-8
-# author: Christoph Hartmann
-# author: Dominik Richter
 # Verifies apt and ppa repositories
 #
@@ -31,6 +29,7 @@ require 'uri'
 module Inspec::Resources
   class AptRepository < Inspec.resource(1)
     name 'apt'
+    supports platform: 'unix'
     desc 'Use the apt InSpec audit resource to verify Apt repositories on the Debian and Ubuntu platforms, and also PPA repositories on the Ubuntu platform.'
     example "
       describe apt('nginx/stable') do

data/lib/resources/audit_policy.rb CHANGED

@@ -1,7 +1,5 @@
 # encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
-# author: Christoph Hartmann
-# author: Dominik Richter
 # Advanced Auditing:
 # As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored.
@@ -26,6 +24,7 @@
 module Inspec::Resources
   class AuditPolicy < Inspec.resource(1)
     name 'audit_policy'
+    supports platform: 'unix'
     desc 'Use the audit_policy InSpec audit resource to test auditing policies on the Microsoft Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each enabled auditing category property, the auditing level may be set to No Auditing, Not Specified, Success, Success and Failure, or Failure.'
     example "
       describe audit_policy do

data/lib/resources/auditd.rb CHANGED

@@ -1,7 +1,4 @@
 # encoding: utf-8
-# author: Christoph Hartmann
-# author: Dominik Richter
-# author: Jen Burns
 require 'forwardable'
 require 'utils/filter_array'
@@ -15,6 +12,7 @@ module Inspec::Resources
     attr_reader :params
     name 'auditd'
+    supports platform: 'unix'
     desc 'Use the auditd InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files. These rules are output using the auditcl -l command.'
     example "
       describe auditd.syscall('chown').where {arch == 'b32'} do

data/lib/resources/auditd_conf.rb CHANGED

@@ -1,13 +1,12 @@
 # encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
-# author: Christoph Hartmann
-# author: Dominik Richter
 require 'utils/simpleconfig'
 module Inspec::Resources
   class AuditDaemonConf < Inspec.resource(1)
     name 'auditd_conf'
+    supports platform: 'unix'
     desc "Use the auditd_conf InSpec audit resource to test the configuration settings for the audit daemon. This file is typically located under /etc/audit/auditd.conf' on UNIX and Linux platforms."
     example "
       describe auditd_conf do

data/lib/resources/aws/aws_cloudtrail_trail.rb ADDED

@@ -0,0 +1,77 @@
+class AwsCloudTrailTrail < Inspec.resource(1)
+  name 'aws_cloudtrail_trail'
+  desc 'Verifies settings for an individual AWS CloudTrail Trail'
+  example "
+    describe aws_cloudtrail_trail('trail-name') do
+      it { should exist }
+    end
+  "
+  supports platform: 'aws'
+  include AwsSingularResourceMixin
+  attr_reader :cloud_watch_logs_log_group_arn, :cloud_watch_logs_role_arn, :home_region,
+              :kms_key_id, :s3_bucket_name, :trail_arn
+  def to_s
+    "CloudTrail #{@trail_name}"
+  end
+  def multi_region_trail?
+    @is_multi_region_trail
+  end
+  def log_file_validation_enabled?
+    @log_file_validation_enabled
+  end
+  def encrypted?
+    !kms_key_id.nil?
+  end
+  private
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:trail_name],
+      allowed_scalar_name: :trail_name,
+      allowed_scalar_type: String,
+    )
+    if validated_params.empty?
+      raise ArgumentError, "You must provide the parameter 'trail_name' to aws_cloudtrail_trail."
+    end
+    validated_params
+  end
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    query = { trail_name_list: [@trail_name] }
+    resp = backend.describe_trails(query)
+    @trail = resp.trail_list[0].to_h
+    @exists = !@trail.empty?
+    @s3_bucket_name = @trail[:s3_bucket_name]
+    @is_multi_region_trail = @trail[:is_multi_region_trail]
+    @trail_arn = @trail[:trail_arn]
+    @log_file_validation_enabled = @trail[:log_file_validation_enabled]
+    @cloud_watch_logs_role_arn = @trail[:cloud_watch_logs_role_arn]
+    @cloud_watch_logs_log_group_arn = @trail[:cloud_watch_logs_log_group_arn]
+    @kms_key_id = @trail[:kms_key_id]
+    @home_region = @trail[:home_region]
+  end
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      AwsCloudTrailTrail::BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::CloudTrail::Client
+      def describe_trails(query)
+        aws_service_client.describe_trails(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_cloudtrail_trails.rb ADDED

@@ -0,0 +1,47 @@
+class AwsCloudTrailTrails < Inspec.resource(1)
+  name 'aws_cloudtrail_trails'
+  desc 'Verifies settings for AWS CloudTrail Trails in bulk'
+  example '
+    describe aws_cloudtrail_trails do
+      it { should exist }
+    end
+  '
+  supports platform: 'aws'
+  include AwsPluralResourceMixin
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, 'aws_cloudtrail_trails does not accept resource parameters.'
+    end
+    resource_params
+  end
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.add_accessor(:entries)
+        .add(:exists?) { |x| !x.entries.empty? }
+        .add(:names, field: :name)
+        .add(:trail_arns, field: :trail_arn)
+  filter.connect(self, :table)
+  def to_s
+    'CloudTrail Trails'
+  end
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = backend.describe_trails({}).to_h[:trail_list]
+  end
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      AwsCloudTrailTrails::BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::CloudTrail::Client
+      def describe_trails(query)
+        aws_service_client.describe_trails(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_cloudwatch_alarm.rb ADDED

@@ -0,0 +1,62 @@
+class AwsCloudwatchAlarm < Inspec.resource(1)
+  name 'aws_cloudwatch_alarm'
+  desc <<-EOD
+  # Look for a specific alarm
+  aws_cloudwatch_alarm(
+    metric: 'my-metric-name',
+    metric_namespace: 'my-metric-namespace',
+  ) do
+    it { should exist }
+  end
+  EOD
+  supports platform: 'aws'
+  include AwsSingularResourceMixin
+  attr_reader :alarm_actions, :alarm_name, :metric_name, :metric_namespace
+  private
+  def validate_params(raw_params)
+    recognized_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:metric_name, :metric_namespace],
+    )
+    validated_params = {}
+    # Currently you must specify exactly metric_name and metric_namespace
+    [:metric_name, :metric_namespace].each do |param|
+      raise ArgumentError, "Missing resource param #{param}" unless recognized_params.key?(param)
+      validated_params[param] = recognized_params.delete(param)
+    end
+    validated_params
+  end
+  def fetch_from_api
+    aws_alarms = BackendFactory.create(inspec_runner).describe_alarms_for_metric(
+      metric_name: @metric_name,
+      namespace: @metric_namespace,
+    )
+    if aws_alarms.metric_alarms.empty?
+      @exists = false
+    elsif aws_alarms.metric_alarms.count > 1
+      alarms = aws_alarms.metric_alarms.map(&:alarm_name)
+      raise 'More than one Cloudwatch Alarm was matched. Try using ' \
+        "more specific resource parameters. Alarms matched: #{alarms.join(', ')}"
+    else
+      @alarm_actions = aws_alarms.metric_alarms.first.alarm_actions
+      @alarm_name = aws_alarms.metric_alarms.first.alarm_name
+      @exists = true
+    end
+  end
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      AwsCloudwatchAlarm::BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::CloudWatch::Client
+      def describe_alarms_for_metric(query)
+        aws_service_client.describe_alarms_for_metric(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb ADDED

@@ -0,0 +1,100 @@
+class AwsCloudwatchLogMetricFilter < Inspec.resource(1)
+  name 'aws_cloudwatch_log_metric_filter'
+  desc 'Verifies individual Cloudwatch Log Metric Filters'
+  example <<-EOX
+  # Look for a LMF by its filter name and log group name.  This combination
+  # will always either find at most one LMF - no duplicates.
+  describe aws_cloudwatch_log_metric_filter(
+    filter_name: 'my-filter',
+    log_group_name: 'my-log-group'
+  ) do
+    it { should exist }
+  end
+  # Search for an LMF by pattern and log group.
+  # This could result in an error if the results are not unique.
+  describe aws_cloudwatch_log_metric_filter(
+    log_group_name:  'my-log-group',
+    pattern: 'my-filter'
+  ) do
+    it { should exist }
+  end
+EOX
+  supports platform: 'aws'
+  include AwsSingularResourceMixin
+  attr_reader :filter_name, :log_group_name, :metric_name, :metric_namespace, :pattern
+  private
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:filter_name, :log_group_name, :pattern],
+    )
+    if validated_params.empty?
+      raise ArgumentError, 'You must provide either filter_name, log_group, or pattern to aws_cloudwatch_log_metric_filter.'
+    end
+    validated_params
+  end
+  def fetch_from_api
+    # get a backend
+    backend = BackendFactory.create(inspec_runner)
+    # Perform query with remote filtering
+    aws_search_criteria = {}
+    aws_search_criteria[:filter_name] = filter_name if filter_name
+    aws_search_criteria[:log_group_name] = log_group_name if log_group_name
+    begin
+      aws_results = backend.describe_metric_filters(aws_search_criteria)
+    rescue Aws::CloudWatchLogs::Errors::ResourceNotFoundException
+      @exists = false
+      return
+    end
+    # Then perform local filtering
+    if pattern
+      aws_results.select! { |lmf| lmf.filter_pattern == pattern }
+    end
+    # Check result count.  We're a singular resource and can tolerate
+    # 0 or 1 results, not multiple.
+    if aws_results.count > 1
+      raise 'More than one result was returned, but aws_cloudwatch_log_metric_filter '\
+            'can only handle a single AWS resource.  Consider passing more resource '\
+            'parameters to narrow down the search.'
+    elsif aws_results.empty?
+      @exists = false
+    else
+      @exists = true
+      # Unpack the funny-shaped object we got back from AWS into our instance vars
+      lmf = aws_results.first
+      @filter_name = lmf.filter_name
+      @log_group_name = lmf.log_group_name
+      @pattern = lmf.filter_pattern # Note inconsistent name
+      # AWS SDK returns an array of metric transformations
+      # but only allows one (mandatory) entry, let's flatten that
+      @metric_name = lmf.metric_transformations.first.metric_name
+      @metric_namespace = lmf.metric_transformations.first.metric_namespace
+    end
+  end
+  class Backend
+    # Uses the cloudwatch API to really talk to AWS
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::CloudWatchLogs::Client
+      def describe_metric_filters(criteria)
+        query = {}
+        query[:filter_name_prefix] = criteria[:filter_name] if criteria[:filter_name]
+        query[:log_group_name] = criteria[:log_group_name] if criteria[:log_group_name]
+        # 'pattern' is not available as a remote filter,
+        # we filter it after the fact locally
+        # TODO: handle pagination?  Max 50/page.  Maybe you want a plural resource?
+        aws_response = aws_service_client.describe_metric_filters(query)
+        aws_response.metric_filters
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_ec2_instance.rb ADDED

@@ -0,0 +1,157 @@
+# author: Christoph Hartmann
+class AwsEc2Instance < Inspec.resource(1)
+  name 'aws_ec2_instance'
+  desc 'Verifies settings for an EC2 instance'
+  example <<-EOX
+    describe aws_ec2_instance('i-123456') do
+      it { should be_running }
+      it { should have_roles }
+    end
+    describe aws_ec2_instance(name: 'my-instance') do
+      it { should be_running }
+      it { should have_roles }
+    end
+EOX
+  supports platform: 'aws'
+  # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
+  def initialize(opts, conn = nil)
+    @opts = opts
+    @opts.is_a?(Hash) ? @display_name = @opts[:name] : @display_name = opts
+    @ec2_client = conn ? conn.ec2_client : inspec_runner.backend.aws_client(Aws::EC2::Client)
+    @ec2_resource = conn ? conn.ec2_resource : inspec_runner.backend.aws_resource(Aws::EC2::Resource, {})
+    @iam_resource = conn ? conn.iam_resource : inspec_runner.backend.aws_resource(Aws::IAM::Resource, {})
+  end
+  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
+  # Copied from resource_support/aws/aws_resource_mixin.rb
+  def catch_aws_errors
+    yield
+  rescue Aws::Errors::MissingCredentialsError
+    # The AWS error here is unhelpful:
+    # "unable to sign request without credentials set"
+    Inspec::Log.error "It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://www.inspec.io/docs/reference/platforms for details."
+    fail_resource('No AWS credentials available')
+  rescue Aws::Errors::ServiceError => e
+    fail_resource e.message
+  end
+  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
+  # Copied from resource_support/aws/aws_singular_resource_mixin.rb
+  def inspec_runner
+    # When running under inspec-cli, we have an 'inspec' method that
+    # returns the runner. When running under unit tests, we don't
+    # have that, but we still have to call this to pass something
+    # (nil is OK) to the backend.
+    # TODO: remove with https://github.com/chef/inspec-aws/issues/216
+    # TODO: remove after rewrite to include AwsSingularResource
+    inspec if respond_to?(:inspec)
+  end
+  def id
+    return @instance_id if defined?(@instance_id)
+    catch_aws_errors do
+      if @opts.is_a?(Hash)
+        first = @ec2_resource.instances(
+          {
+            filters: [{
+              name: 'tag:Name',
+              values: [@opts[:name]],
+            }],
+          },
+        ).first
+        # catch case where the instance is not known
+        @instance_id = first.id unless first.nil?
+      else
+        @instance_id = @opts
+      end
+    end
+  end
+  alias instance_id id
+  def exists?
+    return false if instance.nil?
+    instance.exists?
+  end
+  # returns the instance state
+  def state
+    catch_aws_errors do
+      instance&.state&.name
+    end
+  end
+  # helper methods for each state
+  %w{
+    pending running shutting-down
+    terminated stopping stopped unknown
+  }.each do |state_name|
+    define_method state_name.tr('-', '_') + '?' do
+      state == state_name
+    end
+  end
+  # attributes that we want to expose
+  %w{
+    public_ip_address private_ip_address key_name private_dns_name
+    public_dns_name subnet_id architecture root_device_type
+    root_device_name virtualization_type client_token launch_time
+    instance_type image_id vpc_id
+  }.each do |attribute|
+    define_method attribute do
+      catch_aws_errors do
+        instance.send(attribute) if instance
+      end
+    end
+  end
+  # Don't document this - it's a bit hard to use.  Our current doctrine
+  # is to use dumb things, like arrays of strings - use security_group_ids instead.
+  def security_groups
+    catch_aws_errors do
+      @security_groups ||= instance.security_groups.map { |sg|
+        { id: sg.group_id, name: sg.group_name }
+      }
+    end
+  end
+  def security_group_ids
+    catch_aws_errors do
+      @security_group_ids ||= instance.security_groups.map(&:group_id)
+    end
+  end
+  def tags
+    catch_aws_errors do
+      @tags ||= instance.tags.map { |tag| { key: tag.key, value: tag.value } }
+    end
+  end
+  def to_s
+    "EC2 Instance #{@display_name}"
+  end
+  def has_roles?
+    catch_aws_errors do
+      instance_profile = instance.iam_instance_profile
+      if instance_profile
+        roles = @iam_resource.instance_profile(
+          instance_profile.arn.gsub(%r{^.*\/}, ''),
+        ).roles
+      else
+        roles = nil
+      end
+      roles && !roles.empty?
+    end
+  end
+  private
+  def instance
+    catch_aws_errors { @instance ||= @ec2_resource.instance(id) }
+  end
+end