inspec 2.0.17 → 2.0.32
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +28 -7
- data/MAINTAINERS.md +3 -1
- data/MAINTAINERS.toml +6 -1
- data/README.md +3 -4
- data/Rakefile +60 -22
- data/docs/matchers.md +15 -12
- data/docs/resources/auditd.md.erb +3 -3
- data/docs/resources/aws_config_recorder.md.erb +71 -0
- data/docs/resources/aws_ec2_instance.md.erb +1 -1
- data/docs/resources/aws_iam_policy.md.erb +2 -4
- data/docs/resources/aws_iam_role.md.erb +12 -14
- data/docs/resources/aws_route_table.md.erb +12 -12
- data/docs/resources/aws_security_group.md.erb +5 -6
- data/docs/resources/aws_security_groups.md.erb +2 -3
- data/docs/resources/aws_sns_topic.md.erb +12 -12
- data/docs/resources/crontab.md.erb +2 -1
- data/docs/resources/dh_params.md.erb +1 -13
- data/docs/resources/docker.md.erb +74 -19
- data/docs/resources/host.md.erb +17 -9
- data/docs/resources/http.md.erb +113 -17
- data/docs/resources/json.md.erb +6 -5
- data/docs/resources/kernel_module.md.erb +29 -16
- data/docs/shell.md +62 -19
- data/lib/inspec/plugins/resource.rb +9 -7
- data/lib/inspec/runner.rb +3 -2
- data/lib/inspec/runner_rspec.rb +1 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/resource_support/aws.rb +1 -0
- data/lib/resources/aws/aws_config_recorder.rb +98 -0
- data/lib/resources/http.rb +1 -1
- data/lib/resources/package.rb +8 -1
- data/lib/resources/parse_config.rb +1 -1
- data/lib/resources/virtualization.rb +4 -8
- data/lib/utils/database_helpers.rb +1 -1
- metadata +4 -2
@@ -43,7 +43,7 @@ module Inspec
|
|
43
43
|
Inspec::Resource.registry
|
44
44
|
end
|
45
45
|
|
46
|
-
def __register(name, obj) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
|
46
|
+
def __register(name, obj) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
|
47
47
|
cl = Class.new(obj) do # rubocop:disable Metrics/BlockLength
|
48
48
|
attr_reader :resource_exception_message
|
49
49
|
|
@@ -59,12 +59,9 @@ module Inspec
|
|
59
59
|
# check resource supports
|
60
60
|
supported = true
|
61
61
|
supported = check_supports unless @supports.nil?
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
# do not run resource initalize if we are unsupported
|
66
|
-
return
|
67
|
-
end
|
62
|
+
test_backend = defined?(Train::Transports::Mock::Connection) && backend.backend.class == Train::Transports::Mock::Connection
|
63
|
+
# do not return if we are supported, or for tests
|
64
|
+
return unless supported || test_backend
|
68
65
|
|
69
66
|
# call the resource initializer
|
70
67
|
begin
|
@@ -73,6 +70,11 @@ module Inspec
|
|
73
70
|
skip_resource(e.message)
|
74
71
|
rescue Inspec::Exceptions::ResourceFailed => e
|
75
72
|
fail_resource(e.message)
|
73
|
+
rescue NoMethodError => e
|
74
|
+
# The new platform resources have methods generated on the fly
|
75
|
+
# for inspec check to work we need to skip these train errors
|
76
|
+
raise unless test_backend && e.receiver.class == Train::Transports::Mock::Connection
|
77
|
+
skip_resource(e.message)
|
76
78
|
end
|
77
79
|
end
|
78
80
|
|
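Review bot: `e.receiver` on new line 76 is not always available: NameError#receiver raises ArgumentError when the exception carries no receiver (a NoMethodError raised by hand with only a message), so a resource that does this under the mock backend would surface a confusing ArgumentError instead of the original error. Resolving the receiver inside a `begin … rescue ArgumentError … end` that yields `nil` before the class comparison would keep the skip-for-tests intent without that trap. The same class-identity test `backend.backend.class == Train::Transports::Mock::Connection` also appears on new line 62; `backend.backend.is_a?(Train::Transports::Mock::Connection)` reads more idiomatically in both places, provided exact-class matching is not required. `__register` starts at new line 46 and its body continues beyond the visible hunks.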
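--- a/data/lib/inspec/runner.rb
+++ b/data/lib/inspec/runner.rb
@@ -129,8 +129,9 @@ module Inspec
 end
 
 def run_tests(with = nil)
-run_data = @test_collector.run(with)
-
+@run_data = @test_collector.run(with)
+# dont output anything if we want a report
+render_output(@run_data) unless @conf['report']
 @test_collector.exit_code
 end
 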
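Review bot: The new comment on line 133, `# dont output anything if we want a report`, explains the skip but not why the local `run_data` became the instance variable `@run_data`; presumably a reporter reads it after `run_tests` returns (not visible in this hunk), and that contract deserves a sentence, e.g. `# Keep the run data on the instance so a later report step can consume it; skip rendering when a report is requested.` Note also that any truthy `@conf['report']` value suppresses rendering, so a configured-but-empty string still silences stdout; if that is intended it is worth stating in the same comment.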
data/lib/inspec/runner_rspec.rb
CHANGED
data/lib/inspec/version.rb
CHANGED
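--- a/data/lib/resource_support/aws.rb
+++ b/data/lib/resource_support/aws.rb
@@ -16,6 +16,7 @@ require 'resources/aws/aws_cloudtrail_trail'
 require 'resources/aws/aws_cloudtrail_trails'
 require 'resources/aws/aws_cloudwatch_alarm'
 require 'resources/aws/aws_cloudwatch_log_metric_filter'
+require 'resources/aws/aws_config_recorder'
 require 'resources/aws/aws_ec2_instance'
 require 'resources/aws/aws_iam_access_key'
 require 'resources/aws/aws_iam_access_keys'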
@@ -0,0 +1,98 @@
|
|
1
|
+
class AwsConfigurationRecorder < Inspec.resource(1)
|
2
|
+
name 'aws_config_recorder'
|
3
|
+
desc 'Verifies settings for AWS Configuration Recorder'
|
4
|
+
example "
|
5
|
+
describe aws_config_recorder('My_Recorder') do
|
6
|
+
it { should exist }
|
7
|
+
it { should be_recording }
|
8
|
+
it { should be_all_supported }
|
9
|
+
it { should have_include_global_resource_types }
|
10
|
+
end
|
11
|
+
"
|
12
|
+
supports platform: 'aws'
|
13
|
+
|
14
|
+
include AwsSingularResourceMixin
|
15
|
+
attr_reader :role_arn, :resource_types, :recorder_name, :resp
|
16
|
+
|
17
|
+
def to_s
|
18
|
+
"Configuration_Recorder: #{@recorder_name}"
|
19
|
+
end
|
20
|
+
|
21
|
+
def recording_all_resource_types?
|
22
|
+
@recording_all_resource_types
|
23
|
+
end
|
24
|
+
|
25
|
+
def recording_all_global_types?
|
26
|
+
@recording_all_global_types
|
27
|
+
end
|
28
|
+
|
29
|
+
def status
|
30
|
+
return unless @exists
|
31
|
+
backend = BackendFactory.create(inspec_runner)
|
32
|
+
catch_aws_errors do
|
33
|
+
@resp = backend.describe_configuration_recorder_status(@query)
|
34
|
+
@status = @resp.configuration_recorders_status.first.to_h
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
38
|
+
def recording?
|
39
|
+
return unless @exists
|
40
|
+
status[:recording]
|
41
|
+
end
|
42
|
+
|
43
|
+
private
|
44
|
+
|
45
|
+
def validate_params(raw_params)
|
46
|
+
validated_params = check_resource_param_names(
|
47
|
+
raw_params: raw_params,
|
48
|
+
allowed_params: [:recorder_name],
|
49
|
+
allowed_scalar_name: :recorder_name,
|
50
|
+
allowed_scalar_type: String,
|
51
|
+
)
|
52
|
+
|
53
|
+
# Must give it a recorder_name
|
54
|
+
if validated_params[:recorder_name].nil?
|
55
|
+
raise ArgumentError, 'You must provide recorder_name to aws_config_recorder'
|
56
|
+
end
|
57
|
+
|
58
|
+
validated_params
|
59
|
+
end
|
60
|
+
|
61
|
+
def fetch_from_api
|
62
|
+
backend = BackendFactory.create(inspec_runner)
|
63
|
+
@query = { configuration_recorder_names: [@recorder_name] }
|
64
|
+
|
65
|
+
catch_aws_errors do
|
66
|
+
begin
|
67
|
+
@resp = backend.describe_configuration_recorders(@query)
|
68
|
+
rescue Aws::ConfigService::Errors::NoSuchConfigurationRecorderException
|
69
|
+
@exists = false
|
70
|
+
return
|
71
|
+
end
|
72
|
+
@exists = !@resp.empty?
|
73
|
+
return unless @exists
|
74
|
+
|
75
|
+
@recorder = @resp.configuration_recorders.first.to_h
|
76
|
+
@recorder_name = @recorder[:name]
|
77
|
+
@role_arn = @recorder[:role_arn]
|
78
|
+
@recording_all_resource_types = @recorder[:recording_group][:all_supported]
|
79
|
+
@recording_all_global_types = @recorder[:recording_group][:include_global_resource_types]
|
80
|
+
@resource_types = @recorder[:recording_group][:resource_types]
|
81
|
+
end
|
82
|
+
end
|
83
|
+
|
84
|
+
class Backend
|
85
|
+
class AwsClientApi < AwsBackendBase
|
86
|
+
BackendFactory.set_default_backend(self)
|
87
|
+
self.aws_client_class = Aws::ConfigService::Client
|
88
|
+
|
89
|
+
def describe_configuration_recorders(query)
|
90
|
+
aws_service_client.describe_configuration_recorders(query)
|
91
|
+
end
|
92
|
+
|
93
|
+
def describe_configuration_recorder_status(query)
|
94
|
+
aws_service_client.describe_configuration_recorder_status(query)
|
95
|
+
end
|
96
|
+
end
|
97
|
+
end
|
98
|
+
end
|
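Review bot: The `example` block on new lines 5–10 uses matchers the class does not provide: `be_all_supported` resolves to `all_supported?` and `have_include_global_resource_types` to `has_include_global_resource_types?`, while the resource defines `recording_all_resource_types?` and `recording_all_global_types?` (lines 21–27). Either rename the predicates or change the example to `it { should be_recording_all_resource_types }` and `it { should be_recording_all_global_types }` so the documented usage actually runs. `status` (lines 29–36) returns whatever the `catch_aws_errors` block evaluates to rather than `@status` explicitly, and is re-queried from the API on every `recording?` call; ending the method with an explicit `@status` (and memoizing it) makes the result predictable if `catch_aws_errors` returns nil after handling an error. On lines 78–80 `@recorder[:recording_group]` is indexed without a nil check; `@recorder.dig(:recording_group, :all_supported)` (and likewise for the other two keys) would tolerate a recorder whose recording group is absent in the API response.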
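--- a/data/lib/resources/http.rb
+++ b/data/lib/resources/http.rb
@@ -137,7 +137,7 @@ module Inspec::Resources
 conn.options.timeout = read_timeout # open/read timeout in seconds
 conn.options.open_timeout = open_timeout # connection open timeout in seconds
 
-@response = conn.
+@response = conn.run_request(http_method.downcase.to_sym, nil, nil, nil) do |req|
 req.body = request_body
 end
 end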
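Review bot: The verb passed to `run_request` on new line 140 is `http_method.downcase.to_sym`, built straight from the resource parameter; Faraday's `run_request` validates the verb against its own method set and rejects an unknown one with a bare ArgumentError, which reaches the user as a Ruby exception rather than a resource-level failure naming the offending method. An allow-list check before the call, such as `raise Inspec::Exceptions::ResourceFailed, "Unsupported HTTP method #{http_method}" unless %w[get head post put patch delete options trace].include?(http_method.downcase)`, gives a clearer message and confines the symbol conversion to known values. The enclosing method starts before this hunk.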
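--- a/data/lib/resources/package.rb
+++ b/data/lib/resources/package.rb
@@ -194,9 +194,16 @@ module Inspec::Resources
 def info(package_name)
 brew_path = inspec.command('brew').exist? ? 'brew' : '/usr/local/bin/brew'
 cmd = inspec.command("#{brew_path} info --json=v1 #{package_name}")
+
+# If no available formula exists, then `brew` will exit non-zero
 return {} if cmd.exit_status.to_i != 0
-
+
 pkg = JSON.parse(cmd.stdout)[0]
+
+# If package exists but is not installed, then `brew` output will not
+# contain `pkg['installed'][0]['version']
+return {} unless pkg.dig('installed', 0, 'version')
+
 {
 name: pkg['name'],
 installed: true,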
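Review bot: The new guard on line 205, `return {} unless pkg.dig('installed', 0, 'version')`, assumes `pkg` is a Hash, but `JSON.parse(cmd.stdout)[0]` on line 201 is `nil` when brew prints an empty JSON array, and `nil.dig` raises NoMethodError before the guard can help. Since `Hash#dig` already requires Ruby 2.3, safe navigation is available: `return {} unless pkg&.dig('installed', 0, 'version')`. Non-JSON stdout would likewise raise from `JSON.parse`; if that case should also read as "not installed", a `rescue JSON::ParserError` returning `{}` belongs in this method. Separately, `package_name` is interpolated unquoted into the brew command line on line 196 (context, not changed here); `Shellwords.escape(package_name)` would remove any dependence on callers passing well-formed names. `info` continues past the end of the hunk.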
@@ -97,7 +97,7 @@ module Inspec::Resources
|
|
97
97
|
|
98
98
|
class PConfigFile < PConfig
|
99
99
|
name 'parse_config_file'
|
100
|
-
desc 'Use the parse_config_file InSpec
|
100
|
+
desc 'Use the parse_config_file InSpec resource to test arbitrary configuration files. It works identically to parse_config. Instead of using a command output, this resource works with files.'
|
101
101
|
example "
|
102
102
|
describe parse_config_file('/path/to/file') do
|
103
103
|
its('setting') { should eq 1 }
|
@@ -5,7 +5,7 @@ require 'hashie/mash'
|
|
5
5
|
module Inspec::Resources
|
6
6
|
class Virtualization < Inspec.resource(1)
|
7
7
|
name 'virtualization'
|
8
|
-
supports platform: '
|
8
|
+
supports platform: 'linux'
|
9
9
|
desc 'Use the virtualization InSpec audit resource to test the virtualization platform on which the system is running'
|
10
10
|
example "
|
11
11
|
describe virtualization do
|
@@ -25,11 +25,8 @@ module Inspec::Resources
|
|
25
25
|
"
|
26
26
|
|
27
27
|
def initialize
|
28
|
-
|
29
|
-
|
30
|
-
else
|
31
|
-
collect_data_linux
|
32
|
-
end
|
28
|
+
@virtualization_data = Hashie::Mash.new
|
29
|
+
collect_data_linux
|
33
30
|
end
|
34
31
|
|
35
32
|
# add helper methods for easy access of properties
|
@@ -229,8 +226,7 @@ module Inspec::Resources
|
|
229
226
|
end
|
230
227
|
|
231
228
|
def collect_data_linux # rubocop:disable Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity
|
232
|
-
#
|
233
|
-
@virtualization_data ||= Hashie::Mash.new
|
229
|
+
# This avoids doing multiple detections in a single test
|
234
230
|
return unless @virtualization_data.empty?
|
235
231
|
|
236
232
|
# each detect method will return true if it matched and was successfully
|
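Review bot: With `initialize` (new lines 27–30) now assigning a fresh `Hashie::Mash` immediately before calling `collect_data_linux`, the `return unless @virtualization_data.empty?` guard on line 230 and its new comment `# This avoids doing multiple detections in a single test` describe a short-circuit that cannot fire on this path; it only matters if `collect_data_linux` is invoked again elsewhere, which these hunks do not show. If it is, the comment should say so, e.g. `# Guard against repeated detection when collect_data_linux is called more than once`; if not, the guard can go. Dropping the `||=` also means `collect_data_linux` now depends on `initialize` having set `@virtualization_data`, which deserves a one-line note above the method. `collect_data_linux` continues beyond the hunk.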
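--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-version: 2.0.
+version: 2.0.32
 platform: ruby
 authors:
 - Dominik Richter
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-
+date: 2018-03-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: train
@@ -312,6 +312,7 @@ files:
 - docs/resources/aws_cloudtrail_trails.md.erb
 - docs/resources/aws_cloudwatch_alarm.md.erb
 - docs/resources/aws_cloudwatch_log_metric_filter.md.erb
+- docs/resources/aws_config_recorder.md.erb
 - docs/resources/aws_ec2_instance.md.erb
 - docs/resources/aws_iam_access_key.md.erb
 - docs/resources/aws_iam_access_keys.md.erb
@@ -622,6 +623,7 @@ files:
 - lib/resources/aws/aws_cloudtrail_trails.rb
 - lib/resources/aws/aws_cloudwatch_alarm.rb
 - lib/resources/aws/aws_cloudwatch_log_metric_filter.rb
+- lib/resources/aws/aws_config_recorder.rb
 - lib/resources/aws/aws_ec2_instance.rb
 - lib/resources/aws/aws_iam_access_key.rb
 - lib/resources/aws/aws_iam_access_keys.rb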