inspec 2.1.30 → 2.1.43

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6b4b3b2ec605fc42cd9a7dc81ae0c375305b3534
-  data.tar.gz: ebbf91548c3fce0ba05c5b0db69549d21d0cf9df
+  metadata.gz: 20615575585069d827d93b1bda43540f5cb7b0fc
+  data.tar.gz: ba4ce3f0d578f97e2aee6304326bc81f40cc50f7
 SHA512:
-  metadata.gz: c3a997662221b2ae6bfb7c212410f8fb7b1dc52f772dea4e25dc2bdaf63678c323b196bba38c1d9444d173f6b62b3b02a8fc86f7ae3f6e13a528e890fccd90dd
-  data.tar.gz: 98b00b3345172cd4031a2e77a83129d3a71593be6d55ac417c1821d1e44e65486065112e4a1aa1b3a98b32b95df6fab48f51a8ffb6a93068572cb8e4ab0faabf
+  metadata.gz: e55df70b1b8dd5bc9f86029354cbf3c179237a5a777dd73e60351286900ba13e97d9d2a60a5446928e2b1296563696e951cd2fca7c050a8c855a4e91950726f3
+  data.tar.gz: f98ba1d732e28565113d7bc5eb91440736abc4c847954a0663cf9313773039cbef11814ad4d7b087cfd1a06fa094e33c67b832128dee504533a67abde8803017

data/CHANGELOG.md

@@ -1,32 +1,54 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 2.1.30 -->
-## [v2.1.30](https://github.com/chef/inspec/tree/v2.1.30) (2018-04-05)
+<!-- latest_release 2.1.43 -->
+## [v2.1.43](https://github.com/chef/inspec/tree/v2.1.43) (2018-04-12)
 
-#### New Resources
-- New Skeletal Resource aws_route_tables [#2643](https://github.com/chef/inspec/pull/2643) ([dromazmj](https://github.com/dromazmj))
+#### Merged Pull Requests
+- powershell resource: Add support line for Unix [#2952](https://github.com/chef/inspec/pull/2952) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
 <!-- latest_release -->
 
-<!-- release_rollup since=2.1.21 -->
-### Changes since 2.1.21 release
+<!-- release_rollup since=2.1.30 -->
+### Changes since 2.1.30 release
 
-#### New Resources
-- New Skeletal Resource aws_route_tables [#2643](https://github.com/chef/inspec/pull/2643) ([dromazmj](https://github.com/dromazmj)) <!-- 2.1.30 -->
-- New Skeletal Resource aws_s3_buckets [#2653](https://github.com/chef/inspec/pull/2653) ([dromazmj](https://github.com/dromazmj)) <!-- 2.1.29 -->
-- New Resource: Chocolatey Package [#2793](https://github.com/chef/inspec/pull/2793) ([TheLonelyGhost](https://github.com/TheLonelyGhost)) <!-- 2.1.28 -->
+#### Enhancements
+- Add Cisco IOS `enable_password` support [#2905](https://github.com/chef/inspec/pull/2905) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.1.42 -->
+- Require a key attribute for the key_rsa resource [#2891](https://github.com/chef/inspec/pull/2891) ([omar-irizarry](https://github.com/omar-irizarry)) <!-- 2.1.41 -->
+- Ensure @params in shadow resource always has a valid value. [#2939](https://github.com/chef/inspec/pull/2939) ([miah](https://github.com/miah)) <!-- 2.1.39 -->
+- Add warning when returning DEFAULT_ATTRIBUTE [#2934](https://github.com/chef/inspec/pull/2934) ([TrevorBramble](https://github.com/TrevorBramble)) <!-- 2.1.35 -->
 
 #### Merged Pull Requests
-- Add automate reporter [#2902](https://github.com/chef/inspec/pull/2902) ([jquick](https://github.com/jquick)) <!-- 2.1.27 -->
-- Update example resource syntax [#2904](https://github.com/chef/inspec/pull/2904) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.1.26 -->
-- Added a description to steer people to correct resource [#2908](https://github.com/chef/inspec/pull/2908) ([username-is-already-taken2](https://github.com/username-is-already-taken2)) <!-- 2.1.24 -->
-- Wrong matcher name in example for aws_config_recorder [#2899](https://github.com/chef/inspec/pull/2899) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.23 -->
+- powershell resource: Add support line for Unix [#2952](https://github.com/chef/inspec/pull/2952) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.1.43 -->
+- Fixes configuration for Azure integrationt tests [#2941](https://github.com/chef/inspec/pull/2941) ([dmccown](https://github.com/dmccown)) <!-- 2.1.36 -->
+- Update filesystem.md.erb [#2909](https://github.com/chef/inspec/pull/2909) ([tlmikulski](https://github.com/tlmikulski)) <!-- 2.1.34 -->
 
-#### Enhancements
-- add systemd service for amazon linux 2 [#2901](https://github.com/chef/inspec/pull/2901) ([zakhark](https://github.com/zakhark)) <!-- 2.1.25 -->
-- Add AWS hardware MFA matcher [#2892](https://github.com/chef/inspec/pull/2892) ([pwelch](https://github.com/pwelch)) <!-- 2.1.22 -->
+#### New Features
+- Basic fields for aws_vpcs [#2930](https://github.com/chef/inspec/pull/2930) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.40 -->
+- Policy Statement Search capability for aws_iam_policy [#2918](https://github.com/chef/inspec/pull/2918) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.38 -->
+- New attribute JUnit reporter - target [#2839](https://github.com/chef/inspec/pull/2839) ([piotrgo](https://github.com/piotrgo)) <!-- 2.1.37 -->
+- AWS Security Group Rules properties and matchers [#2876](https://github.com/chef/inspec/pull/2876) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.33 -->
+- aws_cloudtrail_trail feature: test how many days ago logs were delivered [#2887](https://github.com/chef/inspec/pull/2887) ([dromazmj](https://github.com/dromazmj)) <!-- 2.1.32 -->
+- aws_iam_group feature: test users in an iam group [#2888](https://github.com/chef/inspec/pull/2888) ([dromazmj](https://github.com/dromazmj)) <!-- 2.1.31 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v2.1.30](https://github.com/chef/inspec/tree/v2.1.30) (2018-04-05)
+
+#### New Resources
+- New Resource: Chocolatey Package [#2793](https://github.com/chef/inspec/pull/2793) ([TheLonelyGhost](https://github.com/TheLonelyGhost))
+- New Skeletal Resource aws_s3_buckets [#2653](https://github.com/chef/inspec/pull/2653) ([dromazmj](https://github.com/dromazmj))
+- New Skeletal Resource aws_route_tables [#2643](https://github.com/chef/inspec/pull/2643) ([dromazmj](https://github.com/dromazmj))
+
+#### Enhancements
+- Add AWS hardware MFA matcher [#2892](https://github.com/chef/inspec/pull/2892) ([pwelch](https://github.com/pwelch))
+- add systemd service for amazon linux 2 [#2901](https://github.com/chef/inspec/pull/2901) ([zakhark](https://github.com/zakhark))
+
+#### Merged Pull Requests
+- Wrong matcher name in example for aws_config_recorder [#2899](https://github.com/chef/inspec/pull/2899) ([clintoncwolfe](https://github.com/clintoncwolfe))
+- Added a description to steer people to correct resource [#2908](https://github.com/chef/inspec/pull/2908) ([username-is-already-taken2](https://github.com/username-is-already-taken2))
+- Update example resource syntax [#2904](https://github.com/chef/inspec/pull/2904) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- Add automate reporter [#2902](https://github.com/chef/inspec/pull/2902) ([jquick](https://github.com/jquick))
+<!-- latest_stable_release -->
+
 ## [v2.1.21](https://github.com/chef/inspec/tree/v2.1.21) (2018-03-29)
 
 #### New Resources
@@ -47,7 +69,6 @@
 - Mitigate trivial warning output on test [#2872](https://github.com/chef/inspec/pull/2872) ([eramoto](https://github.com/eramoto))
 - Add `pry-byebug` to our Gemfile.  [#2889](https://github.com/chef/inspec/pull/2889) ([miah](https://github.com/miah))
 - Pin to Train 1.3.0. [#2898](https://github.com/chef/inspec/pull/2898) ([jquick](https://github.com/jquick))
-<!-- latest_stable_release -->
 
 ## [v2.1.10](https://github.com/chef/inspec/tree/v2.1.10) (2018-03-22)
 

data/README.md

@@ -293,7 +293,7 @@ Remote Targets
 | Oracle Enterprise Linux      | 5, 6, 7                                          | i386, x86_64  |
 | Red Hat Enterprise Linux     | 5, 6, 7                                          | i386, x86_64  |
 | Solaris                      | 10, 11                                           | sparc, x86    |
-| Windows                      | 7, 8, 8.1, 10, 2008, 2008R2 , 2012, 2012R2, 2016 | x86, x86_64   |
+| Windows\*                    | 7, 8, 8.1, 10, 2008, 2008R2 , 2012, 2012R2, 2016 | x86, x86_64   |
 | Ubuntu Linux                 |                                                  | x86, x86_64   |
 | SUSE Linux Enterprise Server | 11, 12                                           | x86_64        |
 | Scientific Linux             | 5.x, 6.x and 7.x                                 | i386, x86_64  |
@@ -304,7 +304,7 @@ Remote Targets
 | Arch Linux                   |                                                  | x86_64        |
 | HP-UX                        | 11.31                                            | ia64          |
 
-*For Windows, PowerShell 3.0 or above is required.*
+\**For Windows, PowerShell 5.0 or above is required.*
 
 In addition, runtime support is provided for:
 

data/Rakefile

@@ -162,7 +162,8 @@ namespace :test do
       sh("cd #{integration_dir}/build/ && terraform workspace new #{tf_workspace}")
 
       # Generate Azure crendentials
-      creds = Train.create('azure').connection.connect
+      connection = Train.create('azure').connection
+      creds = connection.options
 
       # Determine the storage account name and the admin password
       sa_name = (0...15).map { (65 + rand(26)).chr }.join.downcase
@@ -208,7 +209,8 @@ namespace :test do
       abort("You must either call the top-level test:azure task, or set the INSPEC_TERRAFORM_ENV variable.") unless tf_workspace
       puts '----> Cleanup'
 
-      creds = Train.create('azure').connection.connect
+      connection = Train.create('azure').connection
+      creds = connection.options
 
       cmd  = ""
       cmd += "cd #{integration_dir}/build/ && terraform destroy -force "

data/docs/profiles.md

@@ -46,6 +46,7 @@ Each profile must have an `inspec.yml` file that defines the following informati
  * Use `summary` to specify a one line summary for the profile.
  * Use `description` to specify a multiple line description of the profile.
  * Use `version` to specify the profile version.
+ * Use `inspec_version` to place SemVer constraints on the version of InSpec that the profile can run under.
  * Use `supports` to specify a list of supported platform targets.
  * Use `depends` to define a list of profiles on which this profile depends.
 
@@ -64,6 +65,7 @@ Each profile must have an `inspec.yml` file that defines the following informati
     depends:
       - name: profile
         path: ../path/to/profile
+    inspec_version: "~> 2.1"
 
 ## Verify Profiles
 

data/docs/resources/aws_cloudtrail_trail.md.erb

@@ -108,6 +108,15 @@ Specifies the region in which the trail was created.
     describe aws_cloudtrail_trail('trail-name') do
       its('home_region') { should include "us-east-1" }
     end
+    
+### delivered\_logs\_days\_ago
+
+Specifies the number of days ago the CloudTrail delivered logs to CloudWatch Logs.
+    
+    # Ensure the latest delivery time was recent
+    describe aws_cloudtrail_trail('trail-name') do
+      its('delivered_logs_days_ago') { should eq 0 }
+    end
 
 <br>
 

data/docs/resources/aws_cloudwatch_alarm.md.erb

@@ -17,7 +17,7 @@ An `aws_cloudwatch_alarm` resource block searches for a Cloudwatch Alarm, specif
 
     # Look for a specific alarm
     aws_cloudwatch_alarm(
-      metric: 'my-metric-name',
+      metric_name: 'my-metric-name',
       metric_namespace: 'my-metric-namespace',
     ) do
       it { should exist }

data/docs/resources/aws_iam_group.md.erb

@@ -35,6 +35,18 @@ As this is the initial release of `aws_iam_group`, its limited functionality pre
 
 <br>
 
+## Properties
+
+### users
+
+Provides a list of the users that are attached to the group
+
+    describe aws_iam_group('mygroup')
+      its('users') { should include 'iam_user_name' }
+    end
+
+<br>
+
 ## Matchers
 
 ### exists

data/docs/resources/aws_iam_policy.md.erb

@@ -5,9 +5,9 @@ platform: aws
 
 # aws\_iam\_policy
 
-Use the `aws_iam_policy` InSpec audit resource to test properties of a single managed AWS IAM Policy.
+Use the `aws_iam_policy` InSpec audit resource to test properties of a single managed AWS IAM Policy. Use `aws_iam_policies` to audit IAM policies in bulk.
 
-A policy is an entity in AWS that, when attached to an identity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine if the request is allowed or denied.
+A policy defines the permissions of an identity or resource within AWS. AWS evaluates these policies when a principal, such as a user, makes a request. Policy permissions, also called "policy statements" in AWS, determine if a request is authorized -- and allow or deny it accordingly.
 
 Each IAM Policy is uniquely identified by either its policy\_name or arn.
 
@@ -50,11 +50,22 @@ The following examples show how to use this InSpec audit resource.
       it { should be_attached }
     end
 
+### Examine the policy statements
+
+    describe aws_iam_policy('my-policy') do
+      # Verify that there is at least one statement allowing access to S3
+      it { should have_statement(Action: 's3:PutObject', Effect: 'allow') }
+
+      # have_statement does not expand wildcards. If you want to verify 
+      # they are absent, an explicit check is required.
+      it { should_not have_statement(Action: 's3:*') }
+    end
+
 <br>
 
 ## Properties
 
-* `arn`, `attachment_count`, `attached_groups`, `attached_roles`,`attached_users`, `default_version_id`
+* `arn`, `attachment_count`, `attached_groups`, `attached_roles`,`attached_users`, `default_version_id`, `policy`, `statement_count`
 
 ## Property Examples
 
@@ -106,10 +117,38 @@ The 'default_version_id' value of the specified policy.
       its('default_version_id') { should cmp "v1" }
     end
 
+### policy
+
+This is a low-level, unsupported property.
+
+Returns the default version of the policy document after decoding as a Ruby hash. This hash contains the policy statements and is useful for performing checks that cannot be expressed using higher-level matchers like `have_statement`.
+
+For details regarding the contents of this structure, refer to the [AWS IAM Policy JSON Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html).  A set of examples is [also available](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html).
+
+Example: 
+
+    # Fetch the policy structure as a Ruby object
+    policy_struct = aws_iam_policy('my-policy').policy
+    # Write a manually-constructed test to check that the policy 
+    # has an IP constraint on the first statement
+    # ( Based on https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html )
+    describe 'Check that we are restricting IP access' do
+      subject { policy_struct['Statement'].first['Condition'] }
+      it { should include 'NotIpAddress' }
+    end
+
+### statement\_count
+
+Returns the number of statements present in the `policy`.
+
+    # Make sure there are exactly two statements.
+    describe aws_iam_policy('my-policy') do
+      its('statement_count') { should cmp 2 }
+    end
 
 ## Matchers
 
-This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
 
 ### be\_attached
 
@@ -142,3 +181,59 @@ The test will pass if the identified policy attached the specified role.
     describe aws_iam_policy('AWSSupportAccess') do
       it { should be_attached_to_role(ROLENAME) }
     end
+
+### have\_statement
+
+Examines the list of statements contained in the policy and passes if at least one of the statements matches. This matcher does _not_ interpret the policy in a request authorization context, as AWS does when a request processed. Rather, `have_statement` examines the literal contents of the IAM policy, and reports on what is present (or absent, when used with `should_not`).
+
+`have_statement` accepts the following criteria to search for matching statements. If any statement matches all the criteria, the test is successful.
+
+* `Action` - Expresses the requested operation. Acceptable literal values are any AWS operation name, including the '*' wildcard character. `Action` may also use a list of AWS operation names.
+* `Effect` - Expresses if the operation is permitted. Acceptable values are 'Deny' and 'Allow'.
+* `Sid` - A user-provided string identifier for the statement.
+* `Resource` - Expresses the operation's target. Acceptable values are ARNs, including the '*' wildcard. `Resource` may also use a list of ARN values.
+
+Please note the following about the behavior of `have_statement`:
+* `Action`, `Sid`, and `Resource` allow using a regular expression as the search critera instead of a string literal.
+* it does not support wildcard expansion; to check for a wildcard value, check for it explicitly. For example, if the policy includes a statement with `"Action": "s3:*"` and the test checks for `Action: "s3:PutObject"`, the test _will not match_. You must write an additional test checking for the wildcard case. 
+* it supports searching list values. For example, if a statement contains a list of 3 resources, and a `have_statement` test specifes _one_ of those resources, it will match.
+* `Action` and `Resource` allow using a list of string literals or regular expressions in a test, in which case _all_ must match on the _same_ statement for the test to match. Order is ignored.
+* it does not support the `Principal` or `Conditional` key, or any of `NotAction`, `NotPrincipal`, or `NotResource`.
+
+Examples:
+
+    # Verify there is no full-admin statement
+    describe aws_iam_policy('kryptonite') do
+      it { should_not have_statement(Effect: 'Allow', Resource: '*', Action: '*')}
+    end
+
+    # Verify bob is allowed to manage things on S3 buckets that start with bobs-stuff
+    describe aws_iam_policy('bob-is-a-packrat') do
+      it { should have_statement(Effect: 'Allow',
+                                 # Using the AWS wildcard - this must match exactly 
+                                 Resource: 'arn:aws:s3:::bobs-stuff*',
+                                 # Specify a list of actions - all must match, no others, order isn't important
+                                 Action: ['s3:PutObject', 's3:GetObject', 's3:DeleteObject'])}
+
+      # Bob would make new buckets constantly if we let him.
+      it { should_not have_statement(Effect: 'Allow', Action: 's3:CreateBucket')}
+      it { should_not have_statement(Effect: 'Allow', Action: 's3:*')}
+      it { should_not have_statement(Effect: 'Allow', Action: '*')}
+
+      # An alternative to checking for wildcards is to specify the 
+      # statements you expect, then restrict statement count
+      its('statement_count') { should cmp 1 }
+    end
+
+    # Use regular expressions to examine the policy
+    describe aws_iam_policy('regex-demo') do
+      # Check to see if anything mentions RDS at all.
+      # This catches `rds:CreateDBinstance` and `rds:*`, but would not catch '*'.
+      it { should_not have_statement(Action: /^rds:.+$/)}
+      
+      # This policy should refer to both sally and kim's s3 buckets.
+      # This will only match if there is a statement that refers to both resources.
+      it { should have_statement(Resource: [/arn:aws:s3.+:sally/, /arn:aws:s3.+:kim/]) }
+      # The following also matches on a statement mentioning only one of them
+      it { should have_statement(Resource: /arn:aws:s3.+:(sally|kim)/) }
+    end

data/docs/resources/aws_iam_root_user.md.erb

@@ -15,10 +15,10 @@ To test properties of a specific AWS user use the `aws_iam_user` resource.
 
 ## Syntax
 
-An `aws_iam_root_user` resource block requires no parameters but has several matchers
+An `aws_iam_root_user` resource block requires no parameters but has several matchers.
 
     describe aws_iam_root_user do
-      its { should have_mfa_enabled }
+      it { should have_mfa_enabled }
     end
 
 <br>