inspec 2.1.80 → 2.1.81

Files changed (510)
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +101 -101
  3. data/CHANGELOG.md +3177 -3172
  4. data/Gemfile +56 -56
  5. data/LICENSE +14 -14
  6. data/MAINTAINERS.md +33 -33
  7. data/MAINTAINERS.toml +52 -52
  8. data/README.md +453 -453
  9. data/Rakefile +349 -349
  10. data/bin/inspec +12 -12
  11. data/docs/.gitignore +2 -2
  12. data/docs/README.md +40 -40
  13. data/docs/dev/control-eval.md +61 -61
  14. data/docs/dsl_inspec.md +258 -258
  15. data/docs/dsl_resource.md +100 -100
  16. data/docs/glossary.md +99 -99
  17. data/docs/habitat.md +191 -191
  18. data/docs/inspec_and_friends.md +114 -114
  19. data/docs/matchers.md +169 -169
  20. data/docs/migration.md +293 -293
  21. data/docs/platforms.md +118 -118
  22. data/docs/plugin_kitchen_inspec.md +50 -50
  23. data/docs/profiles.md +378 -378
  24. data/docs/reporters.md +105 -105
  25. data/docs/resources/aide_conf.md.erb +75 -75
  26. data/docs/resources/apache.md.erb +67 -67
  27. data/docs/resources/apache_conf.md.erb +68 -68
  28. data/docs/resources/apt.md.erb +71 -71
  29. data/docs/resources/audit_policy.md.erb +47 -47
  30. data/docs/resources/auditd.md.erb +79 -79
  31. data/docs/resources/auditd_conf.md.erb +68 -68
  32. data/docs/resources/aws_cloudtrail_trail.md.erb +155 -155
  33. data/docs/resources/aws_cloudtrail_trails.md.erb +86 -86
  34. data/docs/resources/aws_cloudwatch_alarm.md.erb +91 -91
  35. data/docs/resources/aws_cloudwatch_log_metric_filter.md.erb +154 -154
  36. data/docs/resources/aws_config_delivery_channel.md.erb +101 -101
  37. data/docs/resources/aws_config_recorder.md.erb +86 -86
  38. data/docs/resources/aws_ec2_instance.md.erb +112 -112
  39. data/docs/resources/aws_ec2_instances.md.erb +79 -79
  40. data/docs/resources/aws_iam_access_key.md.erb +129 -129
  41. data/docs/resources/aws_iam_access_keys.md.erb +204 -204
  42. data/docs/resources/aws_iam_group.md.erb +64 -64
  43. data/docs/resources/aws_iam_groups.md.erb +49 -49
  44. data/docs/resources/aws_iam_password_policy.md.erb +82 -82
  45. data/docs/resources/aws_iam_policies.md.erb +87 -87
  46. data/docs/resources/aws_iam_policy.md.erb +245 -245
  47. data/docs/resources/aws_iam_role.md.erb +69 -69
  48. data/docs/resources/aws_iam_root_user.md.erb +76 -76
  49. data/docs/resources/aws_iam_user.md.erb +120 -120
  50. data/docs/resources/aws_iam_users.md.erb +279 -279
  51. data/docs/resources/aws_kms_key.md.erb +177 -177
  52. data/docs/resources/aws_kms_keys.md.erb +89 -89
  53. data/docs/resources/aws_rds_instance.md.erb +66 -66
  54. data/docs/resources/aws_route_table.md.erb +53 -53
  55. data/docs/resources/aws_route_tables.md.erb +55 -55
  56. data/docs/resources/aws_s3_bucket.md.erb +146 -146
  57. data/docs/resources/aws_s3_bucket_object.md.erb +89 -89
  58. data/docs/resources/aws_s3_buckets.md.erb +59 -59
  59. data/docs/resources/aws_security_group.md.erb +296 -296
  60. data/docs/resources/aws_security_groups.md.erb +97 -97
  61. data/docs/resources/aws_sns_subscription.md.erb +130 -130
  62. data/docs/resources/aws_sns_topic.md.erb +69 -69
  63. data/docs/resources/aws_sns_topics.md.erb +58 -58
  64. data/docs/resources/aws_subnet.md.erb +140 -140
  65. data/docs/resources/aws_subnets.md.erb +132 -132
  66. data/docs/resources/aws_vpc.md.erb +125 -125
  67. data/docs/resources/aws_vpcs.md.erb +125 -125
  68. data/docs/resources/azure_generic_resource.md.erb +171 -171
  69. data/docs/resources/azure_resource_group.md.erb +284 -284
  70. data/docs/resources/azure_virtual_machine.md.erb +347 -347
  71. data/docs/resources/azure_virtual_machine_data_disk.md.erb +224 -224
  72. data/docs/resources/bash.md.erb +75 -75
  73. data/docs/resources/bond.md.erb +90 -90
  74. data/docs/resources/bridge.md.erb +57 -57
  75. data/docs/resources/bsd_service.md.erb +67 -67
  76. data/docs/resources/chocolatey_package.md.erb +58 -58
  77. data/docs/resources/command.md.erb +138 -138
  78. data/docs/resources/cpan.md.erb +79 -79
  79. data/docs/resources/cran.md.erb +64 -64
  80. data/docs/resources/crontab.md.erb +89 -89
  81. data/docs/resources/csv.md.erb +54 -54
  82. data/docs/resources/dh_params.md.erb +205 -205
  83. data/docs/resources/directory.md.erb +30 -30
  84. data/docs/resources/docker.md.erb +219 -219
  85. data/docs/resources/docker_container.md.erb +103 -103
  86. data/docs/resources/docker_image.md.erb +94 -94
  87. data/docs/resources/docker_service.md.erb +114 -114
  88. data/docs/resources/elasticsearch.md.erb +242 -242
  89. data/docs/resources/etc_fstab.md.erb +125 -125
  90. data/docs/resources/etc_group.md.erb +75 -75
  91. data/docs/resources/etc_hosts.md.erb +78 -78
  92. data/docs/resources/etc_hosts_allow.md.erb +74 -74
  93. data/docs/resources/etc_hosts_deny.md.erb +74 -74
  94. data/docs/resources/file.md.erb +526 -526
  95. data/docs/resources/filesystem.md.erb +41 -41
  96. data/docs/resources/firewalld.md.erb +107 -107
  97. data/docs/resources/gem.md.erb +79 -79
  98. data/docs/resources/group.md.erb +61 -61
  99. data/docs/resources/grub_conf.md.erb +101 -101
  100. data/docs/resources/host.md.erb +86 -86
  101. data/docs/resources/http.md.erb +197 -197
  102. data/docs/resources/iis_app.md.erb +122 -122
  103. data/docs/resources/iis_site.md.erb +135 -135
  104. data/docs/resources/inetd_conf.md.erb +94 -94
  105. data/docs/resources/ini.md.erb +76 -76
  106. data/docs/resources/interface.md.erb +58 -58
  107. data/docs/resources/iptables.md.erb +64 -64
  108. data/docs/resources/json.md.erb +63 -63
  109. data/docs/resources/kernel_module.md.erb +120 -120
  110. data/docs/resources/kernel_parameter.md.erb +53 -53
  111. data/docs/resources/key_rsa.md.erb +85 -85
  112. data/docs/resources/launchd_service.md.erb +57 -57
  113. data/docs/resources/limits_conf.md.erb +75 -75
  114. data/docs/resources/login_defs.md.erb +71 -71
  115. data/docs/resources/mount.md.erb +69 -69
  116. data/docs/resources/mssql_session.md.erb +60 -60
  117. data/docs/resources/mysql_conf.md.erb +99 -99
  118. data/docs/resources/mysql_session.md.erb +74 -74
  119. data/docs/resources/nginx.md.erb +79 -79
  120. data/docs/resources/nginx_conf.md.erb +138 -138
  121. data/docs/resources/npm.md.erb +60 -60
  122. data/docs/resources/ntp_conf.md.erb +60 -60
  123. data/docs/resources/oneget.md.erb +53 -53
  124. data/docs/resources/oracledb_session.md.erb +52 -52
  125. data/docs/resources/os.md.erb +141 -141
  126. data/docs/resources/os_env.md.erb +91 -91
  127. data/docs/resources/package.md.erb +120 -120
  128. data/docs/resources/packages.md.erb +67 -67
  129. data/docs/resources/parse_config.md.erb +103 -103
  130. data/docs/resources/parse_config_file.md.erb +138 -138
  131. data/docs/resources/passwd.md.erb +141 -141
  132. data/docs/resources/pip.md.erb +67 -67
  133. data/docs/resources/port.md.erb +137 -137
  134. data/docs/resources/postgres_conf.md.erb +79 -79
  135. data/docs/resources/postgres_hba_conf.md.erb +93 -93
  136. data/docs/resources/postgres_ident_conf.md.erb +76 -76
  137. data/docs/resources/postgres_session.md.erb +69 -69
  138. data/docs/resources/powershell.md.erb +102 -102
  139. data/docs/resources/processes.md.erb +109 -109
  140. data/docs/resources/rabbitmq_config.md.erb +41 -41
  141. data/docs/resources/registry_key.md.erb +158 -158
  142. data/docs/resources/runit_service.md.erb +57 -57
  143. data/docs/resources/security_policy.md.erb +47 -47
  144. data/docs/resources/service.md.erb +121 -121
  145. data/docs/resources/shadow.md.erb +146 -146
  146. data/docs/resources/ssh_config.md.erb +73 -73
  147. data/docs/resources/sshd_config.md.erb +83 -83
  148. data/docs/resources/ssl.md.erb +119 -119
  149. data/docs/resources/sys_info.md.erb +42 -42
  150. data/docs/resources/systemd_service.md.erb +57 -57
  151. data/docs/resources/sysv_service.md.erb +57 -57
  152. data/docs/resources/upstart_service.md.erb +57 -57
  153. data/docs/resources/user.md.erb +140 -140
  154. data/docs/resources/users.md.erb +127 -127
  155. data/docs/resources/vbscript.md.erb +55 -55
  156. data/docs/resources/virtualization.md.erb +57 -57
  157. data/docs/resources/windows_feature.md.erb +47 -47
  158. data/docs/resources/windows_hotfix.md.erb +53 -53
  159. data/docs/resources/windows_task.md.erb +95 -95
  160. data/docs/resources/wmi.md.erb +81 -81
  161. data/docs/resources/x509_certificate.md.erb +151 -151
  162. data/docs/resources/xinetd_conf.md.erb +156 -156
  163. data/docs/resources/xml.md.erb +85 -85
  164. data/docs/resources/yaml.md.erb +69 -69
  165. data/docs/resources/yum.md.erb +98 -98
  166. data/docs/resources/zfs_dataset.md.erb +53 -53
  167. data/docs/resources/zfs_pool.md.erb +47 -47
  168. data/docs/ruby_usage.md +203 -203
  169. data/docs/shared/matcher_be.md.erb +1 -1
  170. data/docs/shared/matcher_cmp.md.erb +43 -43
  171. data/docs/shared/matcher_eq.md.erb +3 -3
  172. data/docs/shared/matcher_include.md.erb +1 -1
  173. data/docs/shared/matcher_match.md.erb +1 -1
  174. data/docs/shell.md +217 -217
  175. data/examples/README.md +8 -8
  176. data/examples/inheritance/README.md +65 -65
  177. data/examples/inheritance/controls/example.rb +14 -14
  178. data/examples/inheritance/inspec.yml +15 -15
  179. data/examples/kitchen-ansible/.kitchen.yml +25 -25
  180. data/examples/kitchen-ansible/Gemfile +19 -19
  181. data/examples/kitchen-ansible/README.md +53 -53
  182. data/examples/kitchen-ansible/files/nginx.repo +6 -6
  183. data/examples/kitchen-ansible/tasks/main.yml +16 -16
  184. data/examples/kitchen-ansible/test/integration/default/default.yml +5 -5
  185. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +28 -28
  186. data/examples/kitchen-chef/.kitchen.yml +20 -20
  187. data/examples/kitchen-chef/Berksfile +3 -3
  188. data/examples/kitchen-chef/Gemfile +19 -19
  189. data/examples/kitchen-chef/README.md +27 -27
  190. data/examples/kitchen-chef/metadata.rb +7 -7
  191. data/examples/kitchen-chef/recipes/default.rb +6 -6
  192. data/examples/kitchen-chef/recipes/nginx.rb +30 -30
  193. data/examples/kitchen-chef/test/integration/default/web_spec.rb +28 -28
  194. data/examples/kitchen-puppet/.kitchen.yml +23 -23
  195. data/examples/kitchen-puppet/Gemfile +20 -20
  196. data/examples/kitchen-puppet/Puppetfile +25 -25
  197. data/examples/kitchen-puppet/README.md +53 -53
  198. data/examples/kitchen-puppet/manifests/site.pp +33 -33
  199. data/examples/kitchen-puppet/metadata.json +11 -11
  200. data/examples/kitchen-puppet/modules/.gitkeep +0 -0
  201. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +28 -28
  202. data/examples/meta-profile/README.md +37 -37
  203. data/examples/meta-profile/controls/example.rb +13 -13
  204. data/examples/meta-profile/inspec.yml +13 -13
  205. data/examples/profile-attribute.yml +2 -2
  206. data/examples/profile-attribute/README.md +14 -14
  207. data/examples/profile-attribute/controls/example.rb +11 -11
  208. data/examples/profile-attribute/inspec.yml +8 -8
  209. data/examples/profile-aws/controls/iam_password_policy_expiration.rb +8 -8
  210. data/examples/profile-aws/controls/iam_password_policy_max_age.rb +8 -8
  211. data/examples/profile-aws/controls/iam_root_user_mfa.rb +8 -8
  212. data/examples/profile-aws/controls/iam_users_access_key_age.rb +8 -8
  213. data/examples/profile-aws/controls/iam_users_console_users_mfa.rb +8 -8
  214. data/examples/profile-aws/inspec.yml +11 -11
  215. data/examples/profile-azure/controls/azure_resource_group_example.rb +24 -24
  216. data/examples/profile-azure/controls/azure_vm_example.rb +29 -29
  217. data/examples/profile-azure/inspec.yml +11 -11
  218. data/examples/profile-sensitive/README.md +29 -29
  219. data/examples/profile-sensitive/controls/sensitive-failures.rb +9 -9
  220. data/examples/profile-sensitive/controls/sensitive.rb +9 -9
  221. data/examples/profile-sensitive/inspec.yml +8 -8
  222. data/examples/profile/README.md +48 -48
  223. data/examples/profile/controls/example.rb +23 -23
  224. data/examples/profile/controls/gordon.rb +36 -36
  225. data/examples/profile/controls/meta.rb +34 -34
  226. data/examples/profile/inspec.yml +10 -10
  227. data/examples/profile/libraries/gordon_config.rb +59 -59
  228. data/inspec.gemspec +49 -49
  229. data/lib/bundles/README.md +3 -3
  230. data/lib/bundles/inspec-artifact.rb +7 -7
  231. data/lib/bundles/inspec-artifact/README.md +1 -1
  232. data/lib/bundles/inspec-artifact/cli.rb +277 -277
  233. data/lib/bundles/inspec-compliance.rb +16 -16
  234. data/lib/bundles/inspec-compliance/.kitchen.yml +20 -20
  235. data/lib/bundles/inspec-compliance/README.md +193 -193
  236. data/lib/bundles/inspec-compliance/api.rb +360 -360
  237. data/lib/bundles/inspec-compliance/api/login.rb +193 -193
  238. data/lib/bundles/inspec-compliance/bootstrap.sh +41 -41
  239. data/lib/bundles/inspec-compliance/cli.rb +260 -260
  240. data/lib/bundles/inspec-compliance/configuration.rb +103 -103
  241. data/lib/bundles/inspec-compliance/http.rb +125 -125
  242. data/lib/bundles/inspec-compliance/images/cc-token.png +0 -0
  243. data/lib/bundles/inspec-compliance/support.rb +36 -36
  244. data/lib/bundles/inspec-compliance/target.rb +112 -112
  245. data/lib/bundles/inspec-compliance/test/integration/default/cli.rb +93 -93
  246. data/lib/bundles/inspec-habitat.rb +12 -12
  247. data/lib/bundles/inspec-habitat/cli.rb +36 -36
  248. data/lib/bundles/inspec-habitat/log.rb +10 -10
  249. data/lib/bundles/inspec-habitat/profile.rb +391 -391
  250. data/lib/bundles/inspec-init.rb +8 -8
  251. data/lib/bundles/inspec-init/README.md +31 -31
  252. data/lib/bundles/inspec-init/cli.rb +97 -97
  253. data/lib/bundles/inspec-init/templates/profile/README.md +3 -3
  254. data/lib/bundles/inspec-init/templates/profile/controls/example.rb +19 -19
  255. data/lib/bundles/inspec-init/templates/profile/inspec.yml +8 -8
  256. data/lib/bundles/inspec-init/templates/profile/libraries/.gitkeep +0 -0
  257. data/lib/bundles/inspec-supermarket.rb +13 -13
  258. data/lib/bundles/inspec-supermarket/README.md +45 -45
  259. data/lib/bundles/inspec-supermarket/api.rb +84 -84
  260. data/lib/bundles/inspec-supermarket/cli.rb +73 -73
  261. data/lib/bundles/inspec-supermarket/target.rb +34 -34
  262. data/lib/fetchers/git.rb +163 -163
  263. data/lib/fetchers/local.rb +74 -74
  264. data/lib/fetchers/mock.rb +35 -35
  265. data/lib/fetchers/url.rb +247 -247
  266. data/lib/inspec.rb +24 -24
  267. data/lib/inspec/archive/tar.rb +29 -29
  268. data/lib/inspec/archive/zip.rb +19 -19
  269. data/lib/inspec/backend.rb +93 -93
  270. data/lib/inspec/base_cli.rb +368 -368
  271. data/lib/inspec/cached_fetcher.rb +66 -66
  272. data/lib/inspec/cli.rb +292 -292
  273. data/lib/inspec/completions/bash.sh.erb +45 -45
  274. data/lib/inspec/completions/fish.sh.erb +34 -34
  275. data/lib/inspec/completions/zsh.sh.erb +61 -61
  276. data/lib/inspec/control_eval_context.rb +179 -179
  277. data/lib/inspec/dependencies/cache.rb +72 -72
  278. data/lib/inspec/dependencies/dependency_set.rb +92 -92
  279. data/lib/inspec/dependencies/lockfile.rb +115 -115
  280. data/lib/inspec/dependencies/requirement.rb +123 -123
  281. data/lib/inspec/dependencies/resolver.rb +86 -86
  282. data/lib/inspec/describe.rb +27 -27
  283. data/lib/inspec/dsl.rb +66 -66
  284. data/lib/inspec/dsl_shared.rb +33 -33
  285. data/lib/inspec/env_printer.rb +157 -157
  286. data/lib/inspec/errors.rb +14 -14
  287. data/lib/inspec/exceptions.rb +12 -12
  288. data/lib/inspec/expect.rb +45 -45
  289. data/lib/inspec/fetcher.rb +45 -45
  290. data/lib/inspec/file_provider.rb +275 -275
  291. data/lib/inspec/formatters.rb +3 -3
  292. data/lib/inspec/formatters/base.rb +259 -259
  293. data/lib/inspec/formatters/json_rspec.rb +20 -20
  294. data/lib/inspec/formatters/show_progress.rb +12 -12
  295. data/lib/inspec/library_eval_context.rb +58 -58
  296. data/lib/inspec/log.rb +11 -11
  297. data/lib/inspec/metadata.rb +247 -247
  298. data/lib/inspec/method_source.rb +24 -24
  299. data/lib/inspec/objects.rb +14 -14
  300. data/lib/inspec/objects/attribute.rb +75 -75
  301. data/lib/inspec/objects/control.rb +61 -61
  302. data/lib/inspec/objects/describe.rb +92 -92
  303. data/lib/inspec/objects/each_loop.rb +36 -36
  304. data/lib/inspec/objects/list.rb +15 -15
  305. data/lib/inspec/objects/or_test.rb +40 -40
  306. data/lib/inspec/objects/ruby_helper.rb +15 -15
  307. data/lib/inspec/objects/tag.rb +27 -27
  308. data/lib/inspec/objects/test.rb +87 -87
  309. data/lib/inspec/objects/value.rb +27 -27
  310. data/lib/inspec/plugins.rb +60 -60
  311. data/lib/inspec/plugins/cli.rb +24 -24
  312. data/lib/inspec/plugins/fetcher.rb +86 -86
  313. data/lib/inspec/plugins/resource.rb +135 -135
  314. data/lib/inspec/plugins/secret.rb +15 -15
  315. data/lib/inspec/plugins/source_reader.rb +40 -40
  316. data/lib/inspec/polyfill.rb +12 -12
  317. data/lib/inspec/profile.rb +513 -513
  318. data/lib/inspec/profile_context.rb +208 -208
  319. data/lib/inspec/profile_vendor.rb +66 -66
  320. data/lib/inspec/reporters.rb +60 -60
  321. data/lib/inspec/reporters/automate.rb +76 -76
  322. data/lib/inspec/reporters/base.rb +25 -25
  323. data/lib/inspec/reporters/cli.rb +356 -356
  324. data/lib/inspec/reporters/json.rb +117 -117
  325. data/lib/inspec/reporters/json_min.rb +48 -48
  326. data/lib/inspec/reporters/junit.rb +78 -78
  327. data/lib/inspec/require_loader.rb +33 -33
  328. data/lib/inspec/resource.rb +190 -190
  329. data/lib/inspec/rule.rb +280 -280
  330. data/lib/inspec/runner.rb +345 -345
  331. data/lib/inspec/runner_mock.rb +41 -41
  332. data/lib/inspec/runner_rspec.rb +175 -175
  333. data/lib/inspec/runtime_profile.rb +26 -26
  334. data/lib/inspec/schema.rb +213 -213
  335. data/lib/inspec/secrets.rb +19 -19
  336. data/lib/inspec/secrets/yaml.rb +30 -30
  337. data/lib/inspec/shell.rb +220 -220
  338. data/lib/inspec/shell_detector.rb +90 -90
  339. data/lib/inspec/source_reader.rb +29 -29
  340. data/lib/inspec/version.rb +8 -8
  341. data/lib/matchers/matchers.rb +339 -339
  342. data/lib/resource_support/aws.rb +50 -50
  343. data/lib/resource_support/aws/aws_backend_base.rb +12 -12
  344. data/lib/resource_support/aws/aws_backend_factory_mixin.rb +12 -12
  345. data/lib/resource_support/aws/aws_plural_resource_mixin.rb +21 -21
  346. data/lib/resource_support/aws/aws_resource_mixin.rb +66 -66
  347. data/lib/resource_support/aws/aws_singular_resource_mixin.rb +24 -24
  348. data/lib/resources/aide_conf.rb +151 -151
  349. data/lib/resources/apache.rb +48 -48
  350. data/lib/resources/apache_conf.rb +149 -149
  351. data/lib/resources/apt.rb +149 -149
  352. data/lib/resources/audit_policy.rb +63 -63
  353. data/lib/resources/auditd.rb +231 -231
  354. data/lib/resources/auditd_conf.rb +46 -46
  355. data/lib/resources/aws/aws_cloudtrail_trail.rb +93 -93
  356. data/lib/resources/aws/aws_cloudtrail_trails.rb +47 -47
  357. data/lib/resources/aws/aws_cloudwatch_alarm.rb +62 -62
  358. data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb +100 -100
  359. data/lib/resources/aws/aws_config_delivery_channel.rb +70 -70
  360. data/lib/resources/aws/aws_config_recorder.rb +93 -93
  361. data/lib/resources/aws/aws_ec2_instance.rb +157 -157
  362. data/lib/resources/aws/aws_ec2_instances.rb +64 -64
  363. data/lib/resources/aws/aws_iam_access_key.rb +106 -106
  364. data/lib/resources/aws/aws_iam_access_keys.rb +149 -149
  365. data/lib/resources/aws/aws_iam_group.rb +58 -58
  366. data/lib/resources/aws/aws_iam_groups.rb +52 -52
  367. data/lib/resources/aws/aws_iam_password_policy.rb +116 -116
  368. data/lib/resources/aws/aws_iam_policies.rb +53 -53
  369. data/lib/resources/aws/aws_iam_policy.rb +291 -291
  370. data/lib/resources/aws/aws_iam_role.rb +55 -55
  371. data/lib/resources/aws/aws_iam_root_user.rb +78 -78
  372. data/lib/resources/aws/aws_iam_user.rb +142 -142
  373. data/lib/resources/aws/aws_iam_users.rb +146 -146
  374. data/lib/resources/aws/aws_kms_key.rb +96 -96
  375. data/lib/resources/aws/aws_kms_keys.rb +53 -53
  376. data/lib/resources/aws/aws_rds_instance.rb +71 -71
  377. data/lib/resources/aws/aws_route_table.rb +63 -63
  378. data/lib/resources/aws/aws_route_tables.rb +60 -60
  379. data/lib/resources/aws/aws_s3_bucket.rb +137 -137
  380. data/lib/resources/aws/aws_s3_bucket_object.rb +82 -82
  381. data/lib/resources/aws/aws_s3_buckets.rb +51 -51
  382. data/lib/resources/aws/aws_security_group.rb +249 -249
  383. data/lib/resources/aws/aws_security_groups.rb +68 -68
  384. data/lib/resources/aws/aws_sns_subscription.rb +78 -78
  385. data/lib/resources/aws/aws_sns_topic.rb +53 -53
  386. data/lib/resources/aws/aws_sns_topics.rb +56 -56
  387. data/lib/resources/aws/aws_subnet.rb +88 -88
  388. data/lib/resources/aws/aws_subnets.rb +53 -53
  389. data/lib/resources/aws/aws_vpc.rb +73 -73
  390. data/lib/resources/aws/aws_vpcs.rb +52 -52
  391. data/lib/resources/azure/azure_backend.rb +377 -377
  392. data/lib/resources/azure/azure_generic_resource.rb +59 -59
  393. data/lib/resources/azure/azure_resource_group.rb +152 -152
  394. data/lib/resources/azure/azure_virtual_machine.rb +264 -264
  395. data/lib/resources/azure/azure_virtual_machine_data_disk.rb +134 -134
  396. data/lib/resources/bash.rb +35 -35
  397. data/lib/resources/bond.rb +69 -69
  398. data/lib/resources/bridge.rb +122 -122
  399. data/lib/resources/chocolatey_package.rb +78 -78
  400. data/lib/resources/command.rb +73 -73
  401. data/lib/resources/cpan.rb +58 -58
  402. data/lib/resources/cran.rb +64 -64
  403. data/lib/resources/crontab.rb +169 -169
  404. data/lib/resources/csv.rb +56 -56
  405. data/lib/resources/dh_params.rb +77 -77
  406. data/lib/resources/directory.rb +25 -25
  407. data/lib/resources/docker.rb +236 -236
  408. data/lib/resources/docker_container.rb +89 -89
  409. data/lib/resources/docker_image.rb +83 -83
  410. data/lib/resources/docker_object.rb +57 -57
  411. data/lib/resources/docker_service.rb +90 -90
  412. data/lib/resources/elasticsearch.rb +169 -169
  413. data/lib/resources/etc_fstab.rb +94 -94
  414. data/lib/resources/etc_group.rb +154 -154
  415. data/lib/resources/etc_hosts.rb +66 -66
  416. data/lib/resources/etc_hosts_allow_deny.rb +112 -112
  417. data/lib/resources/file.rb +298 -298
  418. data/lib/resources/filesystem.rb +31 -31
  419. data/lib/resources/firewalld.rb +143 -143
  420. data/lib/resources/gem.rb +70 -70
  421. data/lib/resources/groups.rb +215 -215
  422. data/lib/resources/grub_conf.rb +227 -227
  423. data/lib/resources/host.rb +306 -306
  424. data/lib/resources/http.rb +253 -253
  425. data/lib/resources/iis_app.rb +101 -101
  426. data/lib/resources/iis_site.rb +148 -148
  427. data/lib/resources/inetd_conf.rb +54 -54
  428. data/lib/resources/ini.rb +29 -29
  429. data/lib/resources/interface.rb +129 -129
  430. data/lib/resources/iptables.rb +80 -80
  431. data/lib/resources/json.rb +111 -111
  432. data/lib/resources/kernel_module.rb +107 -107
  433. data/lib/resources/kernel_parameter.rb +58 -58
  434. data/lib/resources/key_rsa.rb +63 -63
  435. data/lib/resources/limits_conf.rb +46 -46
  436. data/lib/resources/login_def.rb +57 -57
  437. data/lib/resources/mount.rb +88 -88
  438. data/lib/resources/mssql_session.rb +101 -101
  439. data/lib/resources/mysql.rb +82 -82
  440. data/lib/resources/mysql_conf.rb +127 -127
  441. data/lib/resources/mysql_session.rb +85 -85
  442. data/lib/resources/nginx.rb +96 -96
  443. data/lib/resources/nginx_conf.rb +226 -226
  444. data/lib/resources/npm.rb +48 -48
  445. data/lib/resources/ntp_conf.rb +51 -51
  446. data/lib/resources/oneget.rb +71 -71
  447. data/lib/resources/oracledb_session.rb +139 -139
  448. data/lib/resources/os.rb +36 -36
  449. data/lib/resources/os_env.rb +86 -86
  450. data/lib/resources/package.rb +370 -370
  451. data/lib/resources/packages.rb +111 -111
  452. data/lib/resources/parse_config.rb +112 -112
  453. data/lib/resources/passwd.rb +76 -76
  454. data/lib/resources/pip.rb +130 -130
  455. data/lib/resources/platform.rb +109 -109
  456. data/lib/resources/port.rb +771 -771
  457. data/lib/resources/postgres.rb +131 -131
  458. data/lib/resources/postgres_conf.rb +114 -114
  459. data/lib/resources/postgres_hba_conf.rb +90 -90
  460. data/lib/resources/postgres_ident_conf.rb +79 -79
  461. data/lib/resources/postgres_session.rb +71 -71
  462. data/lib/resources/powershell.rb +67 -67
  463. data/lib/resources/processes.rb +204 -204
  464. data/lib/resources/rabbitmq_conf.rb +51 -51
  465. data/lib/resources/registry_key.rb +297 -297
  466. data/lib/resources/security_policy.rb +180 -180
  467. data/lib/resources/service.rb +794 -794
  468. data/lib/resources/shadow.rb +159 -159
  469. data/lib/resources/ssh_conf.rb +97 -97
  470. data/lib/resources/ssl.rb +99 -99
  471. data/lib/resources/sys_info.rb +28 -28
  472. data/lib/resources/toml.rb +32 -32
  473. data/lib/resources/users.rb +654 -654
  474. data/lib/resources/vbscript.rb +68 -68
  475. data/lib/resources/virtualization.rb +247 -247
  476. data/lib/resources/windows_feature.rb +84 -84
  477. data/lib/resources/windows_hotfix.rb +35 -35
  478. data/lib/resources/windows_task.rb +102 -102
  479. data/lib/resources/wmi.rb +110 -110
  480. data/lib/resources/x509_certificate.rb +137 -137
  481. data/lib/resources/xinetd.rb +106 -106
  482. data/lib/resources/xml.rb +46 -46
  483. data/lib/resources/yaml.rb +43 -43
  484. data/lib/resources/yum.rb +180 -180
  485. data/lib/resources/zfs_dataset.rb +60 -60
  486. data/lib/resources/zfs_pool.rb +49 -49
  487. data/lib/source_readers/flat.rb +39 -39
  488. data/lib/source_readers/inspec.rb +75 -75
  489. data/lib/utils/command_wrapper.rb +27 -27
  490. data/lib/utils/convert.rb +12 -12
  491. data/lib/utils/database_helpers.rb +77 -77
  492. data/lib/utils/enumerable_delegation.rb +9 -9
  493. data/lib/utils/erlang_parser.rb +192 -192
  494. data/lib/utils/file_reader.rb +25 -25
  495. data/lib/utils/filter.rb +273 -273
  496. data/lib/utils/filter_array.rb +27 -27
  497. data/lib/utils/find_files.rb +47 -47
  498. data/lib/utils/hash.rb +41 -41
  499. data/lib/utils/json_log.rb +18 -18
  500. data/lib/utils/latest_version.rb +22 -22
  501. data/lib/utils/modulator.rb +12 -12
  502. data/lib/utils/nginx_parser.rb +105 -105
  503. data/lib/utils/object_traversal.rb +49 -49
  504. data/lib/utils/parser.rb +274 -274
  505. data/lib/utils/pkey_reader.rb +15 -15
  506. data/lib/utils/plugin_registry.rb +93 -93
  507. data/lib/utils/simpleconfig.rb +120 -120
  508. data/lib/utils/spdx.rb +13 -13
  509. data/lib/utils/spdx.txt +343 -343
  510. metadata +3 -3
@@ -1,119 +1,119 @@
1
- # Using InSpec 2.0 on Cloud Platforms
2
-
3
- We are pleased to announce that with this release of InSpec 2.0, we have expanded our platform support beyond individual machines and now include support for select AWS and Azure resources.
4
-
5
- With InSpec 2.0, you may now use several InSpec resources to audit properties of your cloud infrastructure - for example, an Amazon Web Services S3 bucket.
6
-
7
- <br>
8
-
9
- ## AWS Platform Support in InSpec 2.0
10
-
11
- ### Setting up AWS credentials for InSpec
12
-
13
- InSpec uses the standard AWS authentication mechanisms. Typically, you will create an IAM user specifically for auditing activities.
14
-
15
- * 1 Create an IAM user in the AWS console, with your choice of username. Check the box marked "Programmatic Access."
16
- * 2 On the Permissions screen, choose Direct Attach. Select the AWS-managed IAM Profile named "ReadOnlyAccess." If you wish to restrict the user further, you may do so; see individual InSpec resources to identify which permissions are required.
17
- * 3 After generating the key, record the Access Key ID and Secret Key.
18
-
19
- #### Using Environment Variables to provide credentials
20
-
21
- You may provide the credentials to InSpec by setting the following environment variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_KEY_ID`. You may also use `AWS_PROFILE`, or if you are using MFA, `AWS_SESSION_TOKEN`. See the [AWS Command Line Interface Docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) for details.
22
-
23
- Once you have your environment variables set, you can verify your credentials by running:
24
-
25
- ```bash
26
- you$ inspec detect -t aws://
27
-
28
- == Platform Details
29
- Name: aws
30
- Families: cloud, api
31
- Release: aws-sdk-v2.10.125
32
- ```
33
-
34
- #### Using the InSpec target option to provide credentials on AWS
35
-
36
- Look for a file in your home directory named `~/.aws/credentials`. If it does not exist, create it. Choose a name for your profile; here, we're using the name 'auditing'. Add your credentials as a new profile, in INI format:
37
-
38
- ```bash
39
- [auditing]
40
- aws_access_key_id = AKIA....
41
- aws_secret_access_key = 1234....abcd
42
- ```
43
-
44
- You may now run InSpec using the `--target` / `-t` option, using the format `-t aws://region/profile`. For example, to connect to the Ohio region using a profile named 'auditing', use `-t aws://us-east-2/auditing`.
45
-
46
- To verify your credentials,
47
-
48
- ```bash
49
- you$ inspec detect -t aws://
50
-
51
- == Platform Details
52
- Name: aws
53
- Families: cloud, api
54
- Release: aws-sdk-v2.10.125
55
- ```
56
-
57
- <br>
58
-
59
- ## Azure Platform Support in InSpec 2.0
60
-
61
- ### Setting up Azure credentials for InSpec
62
-
63
- To use InSpec Azure resources, you will need to create a Service Principal Name (SPN) for auditing an Azure subscription.
64
-
65
- This can be done on the command line or from the Azure Portal:
66
-
67
- * [Azure CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal-cli)
68
- * [PowerShell](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal)
69
- * [Azure Portal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal)
70
-
71
- The information from the SPN can be specified either in the file `~/.azure/credentials`, as environment variables, or by using InSpec target URIs.
72
-
73
- #### Setting up the Azure Credentials File
74
-
75
- By default InSpec is configured to look at ~/.azure/credentials, and it should contain:
76
-
77
- ```powershell
78
- [<SUBSCRIPTION_ID>]
79
- client_id = "<CLIENT_ID>"
80
- client_secret = "<CLIENT_SECRET>"
81
- tenant_id = "<TENANT_ID>"
82
- ```
83
-
84
- NOTE: In the Azure web portal, these values are labeled differently:
85
- * The client_id is referred to as the 'Application ID'
86
- * The client_secret is referred to as the 'Key (Password Type)'
87
- * The tenant_id is referred to as the 'Directory ID'
88
-
89
- With the credentials are in place you may now execute InSpec:
90
-
91
- ```bash
92
- inspec exec my-inspec-profile -t azure://
93
- ```
94
-
95
- #### Using Environment variables to provide credentials
96
-
97
- You may also set the Azure credentials via environment variables:
98
-
99
- * `AZURE_SUBSCRIPTION_ID`
100
- * `AZURE_CLIENT_ID`
101
- * `AZURE_CLIENT_SECRET`
102
- * `AZURE_TENANT_ID`
103
-
104
- For example:
105
-
106
- ```bash
107
- AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \
108
- AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \
109
- AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W" \
110
- AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3" inspec exec my-profile -t azure://
111
- ```
112
-
113
- #### Using the InSpec target option to provide credentials on Azure
114
-
115
- If you have created a `~/.azure/credentials` file as above, you may also use the InSpec command line `--target` / `-t` option to select a subscription ID. For example:
116
-
117
- ```bash
118
- inspec exec my-profile -t azure://2fbdbb02-df2e-11e6-bf01-fe55135034f3
1
+ # Using InSpec 2.0 on Cloud Platforms
2
+
3
+ We are pleased to announce that with this release of InSpec 2.0, we have expanded our platform support beyond individual machines and now include support for select AWS and Azure resources.
4
+
5
+ With InSpec 2.0, you may now use several InSpec resources to audit properties of your cloud infrastructure - for example, an Amazon Web Services S3 bucket.
6
+
7
+ <br>
8
+
9
+ ## AWS Platform Support in InSpec 2.0
10
+
11
+ ### Setting up AWS credentials for InSpec
12
+
13
+ InSpec uses the standard AWS authentication mechanisms. Typically, you will create an IAM user specifically for auditing activities.
14
+
15
+ * 1 Create an IAM user in the AWS console, with your choice of username. Check the box marked "Programmatic Access."
16
+ * 2 On the Permissions screen, choose Direct Attach. Select the AWS-managed IAM Profile named "ReadOnlyAccess." If you wish to restrict the user further, you may do so; see individual InSpec resources to identify which permissions are required.
17
+ * 3 After generating the key, record the Access Key ID and Secret Key.
18
+
19
+ #### Using Environment Variables to provide credentials
20
+
21
+ You may provide the credentials to InSpec by setting the following environment variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_KEY_ID`. You may also use `AWS_PROFILE`, or if you are using MFA, `AWS_SESSION_TOKEN`. See the [AWS Command Line Interface Docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) for details.
22
+
23
+ Once you have your environment variables set, you can verify your credentials by running:
24
+
25
+ ```bash
26
+ you$ inspec detect -t aws://
27
+
28
+ == Platform Details
29
+ Name: aws
30
+ Families: cloud, api
31
+ Release: aws-sdk-v2.10.125
32
+ ```
33
+
34
+ #### Using the InSpec target option to provide credentials on AWS
35
+
36
+ Look for a file in your home directory named `~/.aws/credentials`. If it does not exist, create it. Choose a name for your profile; here, we're using the name 'auditing'. Add your credentials as a new profile, in INI format:
37
+
38
+ ```bash
39
+ [auditing]
40
+ aws_access_key_id = AKIA....
41
+ aws_secret_access_key = 1234....abcd
42
+ ```
43
+
44
+ You may now run InSpec using the `--target` / `-t` option, using the format `-t aws://region/profile`. For example, to connect to the Ohio region using a profile named 'auditing', use `-t aws://us-east-2/auditing`.
45
+
46
+ To verify your credentials,
47
+
48
+ ```bash
49
+ you$ inspec detect -t aws://
50
+
51
+ == Platform Details
52
+ Name: aws
53
+ Families: cloud, api
54
+ Release: aws-sdk-v2.10.125
55
+ ```
56
+
57
+ <br>
58
+
59
+ ## Azure Platform Support in InSpec 2.0
60
+
61
+ ### Setting up Azure credentials for InSpec
62
+
63
+ To use InSpec Azure resources, you will need to create a Service Principal Name (SPN) for auditing an Azure subscription.
64
+
65
+ This can be done on the command line or from the Azure Portal:
66
+
67
+ * [Azure CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal-cli)
68
+ * [PowerShell](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal)
69
+ * [Azure Portal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal)
70
+
71
+ The information from the SPN can be specified either in the file `~/.azure/credentials`, as environment variables, or by using InSpec target URIs.
72
+
73
+ #### Setting up the Azure Credentials File
74
+
75
+ By default InSpec is configured to look at ~/.azure/credentials, and it should contain:
76
+
77
+ ```powershell
78
+ [<SUBSCRIPTION_ID>]
79
+ client_id = "<CLIENT_ID>"
80
+ client_secret = "<CLIENT_SECRET>"
81
+ tenant_id = "<TENANT_ID>"
82
+ ```
83
+
84
+ NOTE: In the Azure web portal, these values are labeled differently:
85
+ * The client_id is referred to as the 'Application ID'
86
+ * The client_secret is referred to as the 'Key (Password Type)'
87
+ * The tenant_id is referred to as the 'Directory ID'
88
+
89
+ With the credentials are in place you may now execute InSpec:
90
+
91
+ ```bash
92
+ inspec exec my-inspec-profile -t azure://
93
+ ```
94
+
95
+ #### Using Environment variables to provide credentials
96
+
97
+ You may also set the Azure credentials via environment variables:
98
+
99
+ * `AZURE_SUBSCRIPTION_ID`
100
+ * `AZURE_CLIENT_ID`
101
+ * `AZURE_CLIENT_SECRET`
102
+ * `AZURE_TENANT_ID`
103
+
104
+ For example:
105
+
106
+ ```bash
107
+ AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \
108
+ AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \
109
+ AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W" \
110
+ AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3" inspec exec my-profile -t azure://
111
+ ```
112
+
113
+ #### Using the InSpec target option to provide credentials on Azure
114
+
115
+ If you have created a `~/.azure/credentials` file as above, you may also use the InSpec command line `--target` / `-t` option to select a subscription ID. For example:
116
+
117
+ ```bash
118
+ inspec exec my-profile -t azure://2fbdbb02-df2e-11e6-bf01-fe55135034f3
119
119
  ```
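Review bot: In the added AWS paragraph "Using Environment Variables to provide credentials", `AWS_SECRET_KEY_ID` is not the variable the AWS SDK and CLI read. The standard name is `AWS_SECRET_ACCESS_KEY`, matching the `aws_secret_access_key` key in the credentials-file example a few lines further down, so a secret exported under the name as written will not be picked up. Three smaller points in the same hunk. The Azure example passes `AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W"` inline on the command line, where it ends up in shell history; the text should suggest loading it from a protected file or secret store, and say that `~/.aws/credentials` and `~/.azure/credentials` should be readable only by their owner. The second `inspec detect -t aws://` block, under the target-option heading, does not use the 'auditing' profile just described and should read `inspec detect -t aws://us-east-2/auditing`. "With the credentials are in place" should be "With the credentials in place". The removed and added lines are textually identical as shown, so if this is a line-ending normalisation the commit message should say so.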
@@ -1,50 +1,50 @@
1
- ---
2
- title: About kitchen-inspec
3
- ---
4
-
5
- # kitchen-inspec
6
-
7
- Use InSpec as a Kitchen verifier with `kitchen-inspec`.
8
-
9
- Add the InSpec verifier to the `.kitchen.yml` file:
10
-
11
- verifier:
12
- name: inspec
13
-
14
- Use a compliance profile from the Chef Compliance server:
15
-
16
- suites:
17
- - name: compliance
18
- run_list:
19
- - recipe[ssh-hardening::default]
20
- verifier:
21
- inspec_tests:
22
- - compliance://base/ssh
23
-
24
- and then run the following command:
25
-
26
- $ inspec compliance login https://compliance.test --user admin --insecure --token ''
27
-
28
- where `--insecure` is required when using self-signed certificates.
29
-
30
- Use a compliance profile from the Chef Supermarket:
31
-
32
- suites:
33
- - name: supermarket
34
- run_list:
35
- - recipe[ssh-hardening::default]
36
- verifier:
37
- inspec_tests:
38
- - supermarket://dev-sec/ssh-baseline
39
-
40
- Use InSpec tests from the local file system:
41
-
42
- suites:
43
- - name: local
44
- run_list:
45
- - recipe[my_cookbook::default]
46
- verifier:
47
- inspec_tests:
48
- - test/integration/default
49
-
50
- Check out [Detect and correct with Test Kitchen](https://learn.chef.io/modules/detect-correct-kitchen#/) on Learn Chef Rally for a hands-on look at how to use Test Kitchen to run InSpec profiles.
1
+ ---
2
+ title: About kitchen-inspec
3
+ ---
4
+
5
+ # kitchen-inspec
6
+
7
+ Use InSpec as a Kitchen verifier with `kitchen-inspec`.
8
+
9
+ Add the InSpec verifier to the `.kitchen.yml` file:
10
+
11
+ verifier:
12
+ name: inspec
13
+
14
+ Use a compliance profile from the Chef Compliance server:
15
+
16
+ suites:
17
+ - name: compliance
18
+ run_list:
19
+ - recipe[ssh-hardening::default]
20
+ verifier:
21
+ inspec_tests:
22
+ - compliance://base/ssh
23
+
24
+ and then run the following command:
25
+
26
+ $ inspec compliance login https://compliance.test --user admin --insecure --token ''
27
+
28
+ where `--insecure` is required when using self-signed certificates.
29
+
30
+ Use a compliance profile from the Chef Supermarket:
31
+
32
+ suites:
33
+ - name: supermarket
34
+ run_list:
35
+ - recipe[ssh-hardening::default]
36
+ verifier:
37
+ inspec_tests:
38
+ - supermarket://dev-sec/ssh-baseline
39
+
40
+ Use InSpec tests from the local file system:
41
+
42
+ suites:
43
+ - name: local
44
+ run_list:
45
+ - recipe[my_cookbook::default]
46
+ verifier:
47
+ inspec_tests:
48
+ - test/integration/default
49
+
50
+ Check out [Detect and correct with Test Kitchen](https://learn.chef.io/modules/detect-correct-kitchen#/) on Learn Chef Rally for a hands-on look at how to use Test Kitchen to run InSpec profiles.
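Review bot: The added line `$ inspec compliance login https://compliance.test --user admin --insecure --token ''` is followed only by "where `--insecure` is required when using self-signed certificates", which presents the flag as a routine requirement without saying what it gives up. The text should state that the flag is meant for test servers and that the better fix is to add the server's CA to the trust store, so that readers do not carry `--insecure` into production pipelines. The empty `--token ''` also needs a sentence on where the real token comes from and that it should not be committed alongside `.kitchen.yml`. The login step is introduced with "and then run the following command" after the suite definition, although the login has to succeed before `compliance://base/ssh` can be fetched; stating that order explicitly would help. As rendered here, the removed and added lines are identical, so this hunk appears to carry no content change.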
@@ -1,378 +1,378 @@
1
- ---
2
- title: About InSpec Profiles
3
- ---
4
-
5
- # InSpec Profiles
6
-
7
- InSpec supports the creation of complex test and compliance profiles, which organize controls to support dependency management and code reuse. Each profile is a standalone structure with its own distribution and execution flow.
8
-
9
- # Profile Structure
10
-
11
- A profile should have the following structure::
12
-
13
- examples/profile
14
- ├── README.md
15
- ├── controls
16
- │ ├── example.rb
17
- │ └── control_etc.rb
18
- ├── libraries
19
- │ └── extension.rb
20
- |── files
21
- │ └── extras.conf
22
- └── inspec.yml
23
-
24
- where:
25
-
26
- * `inspec.yml` includes the profile description (required)
27
- * `controls` is the directory in which all tests are located (required)
28
- * `libraries` is the directory in which all InSpec resource extensions are located (optional)
29
- * `files` is the directory with additional files that a profile can access (optional)
30
- * `README.md` should be used to explain the profile, its scope, and usage
31
-
32
- See a complete example profile in the InSpec open source repository: [https://github.com/chef/inspec/tree/master/examples/profile](https://github.com/chef/inspec/tree/master/examples/profile)
33
-
34
- Also check out [Explore InSpec resources](https://learn.chef.io/modules/explore-inspec-resources#/) on Learn Chef Rally to learn more about how profiles are structured with hands-on examples.
35
-
36
- ## inspec.yml
37
-
38
- Each profile must have an `inspec.yml` file that defines the following information:
39
-
40
- * Use `name` to specify a unique name for the profile. Required.
41
- * Use `title` to specify a human-readable name for the profile.
42
- * Use `maintainer` to specify the profile maintainer.
43
- * Use `copyright` to specify the copyright holder.
44
- * Use `copyright_email` to specify support contact information for the profile, typically an email address.
45
- * Use `license` to specify the license for the profile.
46
- * Use `summary` to specify a one line summary for the profile.
47
- * Use `description` to specify a multiple line description of the profile.
48
- * Use `version` to specify the profile version.
49
- * Use `inspec_version` to place SemVer constraints on the version of InSpec that the profile can run under.
50
- * Use `supports` to specify a list of supported platform targets.
51
- * Use `depends` to define a list of profiles on which this profile depends.
52
-
53
- `name` is required; all other profile settings are optional. For example:
54
-
55
- name: ssh
56
- title: Basic SSH
57
- maintainer: Chef Software, Inc.
58
- copyright: Chef Software, Inc.
59
- copyright_email: support@chef.io
60
- license: Proprietary, All rights reserved
61
- summary: Verify that SSH Server and SSH Client are configured securely
62
- version: 1.0.0
63
- supports:
64
- - os-family: linux
65
- depends:
66
- - name: profile
67
- path: ../path/to/profile
68
- inspec_version: "~> 2.1"
69
-
70
- ## Verify Profiles
71
-
72
- Use the `inspec check` command to verify the implementation of a profile:
73
-
74
- $ inspec check examples/profile
75
-
76
- # Platform Support
77
-
78
- Use the `supports` setting in the `inspec.yml` file to specify one (or more) platforms for which a profile is targeting. The list of supported platforms may contain simple names, names and versions, or detailed flags, and may be combined arbitrarily. For example, to target anything running Debian Linux:
79
-
80
- name: ssh
81
- supports:
82
- - os-name: debian
83
-
84
- and to target only Ubuntu version 14.04
85
-
86
- name: ssh
87
- supports:
88
- - os-name: ubuntu
89
- release: 14.04
90
-
91
- and to target the entire RedHat platform (including CentOS and Oracle Linux):
92
-
93
- name: ssh
94
- supports:
95
- - os-family: redhat
96
-
97
- and to target anything running on Amazon AWS:
98
-
99
- name: ssh
100
- supports:
101
- - platform: aws
102
-
103
- and to target all of these examples in a single `inspec.yml` file:
104
-
105
- name: ssh
106
- supports:
107
- - os-name: debian
108
- - os-name: ubuntu
109
- release: 14.04
110
- - os-family: redhat
111
- - platform: aws
112
-
113
-
114
- # Profile Dependencies
115
-
116
- An InSpec profile can bring in the controls and custom resources from another InSpec profile. Additionally, when inheriting the controls of another profile, a profile can skip or even modify those included controls.
117
-
118
- For hands-on examples, check out [Create a custom InSpec profile](https://learn.chef.io/modules/create-a-custom-profile#/) on Learn Chef Rally.
119
-
120
- ## Defining the Dependencies
121
-
122
- Before a profile can use controls from another profile, the to-be-included profile needs to be specified in the including profile’s `inspec.yml` file in the `depends` section. For each profile to be included, a location for the profile from where to be fetched and a name for the profile should be included. For example:
123
-
124
- depends:
125
- - name: linux-baseline
126
- url: https://github.com/dev-sec/linux-baseline/archive/master.tar.gz
127
- - name: ssh-baseline
128
- url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz
129
-
130
- InSpec supports a number of dependency sources.
131
-
132
- ### path
133
-
134
- The `path` setting defines a profile that is located on disk. This setting is typically used during development of profiles and when debugging profiles.
135
-
136
- depends:
137
- - name: my-profile
138
- path: /absolute/path
139
- - name: another
140
- path: ../relative/path
141
-
142
- ### url
143
-
144
- The `url` setting specifies a profile that is located at an HTTP- or HTTPS-based URL. The profile must be accessible via a HTTP GET operation and must be a valid profile archive (zip, tar, or tar.gz format).
145
-
146
- depends:
147
- - name: my-profile
148
- url: https://my.domain/path/to/profile.tgz
149
- - name: profile-via-git
150
- url: https://github.com/myusername/myprofile-repo/archive/master.tar.gz
151
-
152
- ### git
153
-
154
- A `git` setting specifies a profile that is located in a git repository, with optional settings for branch, tag, commit, and version. The source location is translated into a URL upon resolution. This type of dependency supports version constraints via semantic versioning as git tags.
155
-
156
- For example:
157
-
158
- depends:
159
- - name: git-profile
160
- git: http://url/to/repo
161
- branch: desired_branch
162
- tag: desired_version
163
- commit: pinned_commit
164
- version: semver_via_tags
165
-
166
- ### supermarket
167
-
168
- A `supermarket` setting specifies a profile that is located in a cookbook hosted on Chef Supermarket. The source location is translated into a URL upon resolution.
169
-
170
- For example:
171
-
172
- depends:
173
- - name: supermarket-profile
174
- supermarket: supermarket-username/supermarket-profile
175
-
176
- Available Supermarket profiles can be listed with `inspec supermarket profiles`.
177
-
178
- ### compliance
179
-
180
- A `compliance` setting specifies a profile that is located on the Chef Automate or Chef Compliance server.
181
-
182
- For example:
183
-
184
- depends:
185
- - name: linux
186
- compliance: base/linux
187
-
188
- ## Vendoring Dependencies
189
-
190
- When you execute a local profile, the `inspec.yml` file will be read in order to source any profile dependencies. It will then cache the dependencies locally and generate an `inspec.lock` file.
191
-
192
- If you add or update dependencies in `inspec.yml`, dependencies may be re-vendored and the lockfile updated with `inspec vendor --overwrite`
193
-
194
- ## Using Controls from an Included Profile
195
-
196
- Once defined in the `inspec.yml`, controls from the included profiles can be used! Let’s look at some examples.
197
-
198
- ### Including All Controls from a Profile
199
-
200
- With the `include_controls` command in a profile, all controls from the named profile will be executed every time the including profile is executed.
201
-
202
- ![Include Controls](/images/profile_inheritance/include_controls.png)
203
-
204
- In the example above, every time `my-app-profile` is executed, all the controls from `my-baseline` are also executed. Therefore, the following controls would be executed:
205
-
206
- * myapp-1
207
- * myapp-2
208
- * myapp-3
209
- * baseline-1
210
- * baseline-2
211
-
212
- This is a great reminder that having a good naming convention for your controls is helpful to avoid confusion when
213
- including controls from other profiles!
214
-
215
- ### Skipping a Control from a Profile
216
-
217
- What if one of the controls from the included profile does not apply to your environment? Luckily, it is not necessary to maintain a slightly-modified copy of the included profile just to delete a control. The `skip_control` command tells InSpec to not run a particular control.
218
-
219
- ![Include Controls with Skip](/images/profile_inheritance/include_controls_with_skip.png)
220
-
221
- In the above example, all controls from `my-app-profile` and `my-baseline` profile will be executed every time `my-app-profile` is executed **except** for control `baseline-2` from the `my-baseline` profile.
222
-
223
- ### Modifying a Control
224
-
225
- Let's say a particular control from an included profile should still be run, but the impact isn't appropriate? Perhaps the test should still run, but if it fails, it should be treated as low severity instead of high severity?
226
-
227
- When a control is included, it can also be modified!
228
-
229
- ![Include Controls with Modification](/images/profile_inheritance/include_controls_with_mod.png)
230
-
231
- In the above example, all controls from `my-baseline` are executed along with all the controls from the including profile, `my-app-profile`. However, should control `baseline-1` fail, it will be raised with an impact of `0.5` instead of the originally-intended impact of `1.0`.
232
-
233
- ### Selectively Including Controls from a Profile
234
-
235
- If there are only a handful of controls that should be executed from an included profile, it's not necessarily to skip all the unneeded controls, or worse, copy/paste those controls bit-for-bit into your profile. Instead, use the `require_controls` command.
236
-
237
- ![Require Controls](/images/profile_inheritance/require_controls.png)
238
-
239
- Whenever `my-app-profile` is executed, in addition to its own controls, it will run only the controls specified in the `require_controls` block. In the case, the following controls would be executed:
240
-
241
- * myapp-1
242
- * myapp-2
243
- * myapp-3
244
- * baseline-2
245
- * baseline-4
246
-
247
- Controls `baseline-1`, `baseline-3`, and `baseline-5` would not be run, just as if they were manually skipped. This method of including specific controls ensures only the controls specified are executed; if new controls are added to a later version of `my-baseline`, they would not be run.
248
-
249
- And, just the way its possible to modify controls when using `include_controls`, controls can be modified as well.
250
-
251
- ![Require Controls with Modification](/images/profile_inheritance/require_controls_with_mod.png)
252
-
253
- As with the prior example, only `baseline-2` and `baseline-4` are executed, but if `baseline-2` fails, it will report with an impact of `0.5` instead of the originally-intended `1.0` impact.
254
-
255
- ## Using Resources from an Included Profile
256
-
257
- By default, all of the custom resources from a listed dependency are available
258
- for use in your profile. If two of your dependencies provide a resource with
259
- the same name, you can use the `require_resource` DSL function to
260
- disambiguate the two:
261
-
262
- require_resource(profile: 'my_dep', resource: 'my_res',
263
- as: 'my_res2')
264
-
265
- This will allow you to reference the resource `my_res` from the
266
- profile `my_dep` using the name `my_res2`.
267
-
268
- # Profile Attributes
269
-
270
- Attributes may be used in profiles to define secrets, such as user names and passwords, that should not otherwise be stored in plain-text in a cookbook. First specify a variable in the control for each secret, then add the secret to a Yaml file located on the local machine, and then run `inspec exec` and specify the path to that Yaml file using the `--attrs` attribute.
271
-
272
- For example, a control:
273
-
274
- # define these attributes on the top-level of your file and re-use them across all tests!
275
- val_user = attribute('user', default: 'alice', description: 'An identification for the user')
276
- val_password = attribute('password', description: 'A value for the password')
277
-
278
- control 'system-users' do
279
- impact 0.8
280
- desc '
281
- This test assures that the user "Bob" has a user installed on the system, along with a
282
- specified password.
283
- '
284
-
285
- describe val_user do
286
- it { should eq 'bob' }
287
- end
288
-
289
- describe val_password do
290
- it { should eq 'secret' }
291
- end
292
- end
293
-
294
- And a Yaml file named `profile-attribute.yml`:
295
-
296
- user: bob
297
- password: secret
298
-
299
- The following command runs the tests and applies the secrets specified in `profile-attribute.yml`:
300
-
301
- $ inspec exec examples/profile-attribute --attrs examples/profile-attribute.yml
302
-
303
- See the full example in the InSpec open source repository: https://github.com/chef/inspec/tree/master/examples/profile-attribute
304
-
305
- # Profile files
306
-
307
- An InSpec profile may contain additional files that can be accessed during tests. A profile file enables you to separate the logic of your tests from the data your tests check for, for example, the list of ports you require to be open.
308
-
309
- To access these files, they must be stored in the `files` directory at the root of a profile. They are accessed by their name relative to this folder with `inspec.profile.file(...)`.
310
-
311
- Here is an example for reading and testing a list of ports. The folder structure is:
312
-
313
- examples/profile
314
- ├── controls
315
- │ ├── example.rb
316
- |── files
317
- │ └── services.yml
318
- └── inspec.yml
319
-
320
- With `services.yml` containing:
321
-
322
- - service_name: httpd-alpha
323
- port: 80
324
- - service_name: httpd-beta
325
- port: 8080
326
-
327
- The tests in `example.rb` can now access this file:
328
-
329
- my_services = yaml(content: inspec.profile.file('services.yml')).params
330
-
331
- my_services.each do |s|
332
- describe service(s['service_name']) do
333
- it { should be_running }
334
- end
335
-
336
- describe port(s['port']) do
337
- it { should be_listening }
338
- end
339
- end
340
-
341
- For a more complete example that uses a profile file, see [Explore InSpec resources](https://learn.chef.io/modules/explore-inspec-resources#/) on Learn Chef Rally.
342
-
343
- # "should" vs. "expect" syntax
344
-
345
- Users familiar with the RSpec testing framework may know that there are two ways to write test statements: `should` and `expect`. The RSpec community decided that `expect` is the preferred syntax. However, InSpec recommends the `should` syntax as it tends to read more easily to those users who are not as technical.
346
-
347
- InSpec will continue to support both methods of writing tests. Consider this `file` test:
348
-
349
- describe file('/tmp/test.txt') do
350
- it { should be_file }
351
- end
352
-
353
- This can be re-written with `expect` syntax
354
-
355
- describe file('/tmp/test.txt') do
356
- it 'should be a file' do
357
- expect(subject).to(be_file)
358
- end
359
- end
360
-
361
- The output of both of the above examples looks like this:
362
-
363
- File /tmp/test.txt
364
- ✔ should be a file
365
-
366
- In addition, you can make use of the `subject` keyword to further control your output if you choose:
367
-
368
- describe 'test file' do
369
- subject { file('/tmp/test.txt') }
370
- it 'should be a file' do
371
- expect(subject).to(be_file)
372
- end
373
- end
374
-
375
- ... which will render the following output:
376
-
377
- test file
378
- ✔ should be a file
1
+ ---
2
+ title: About InSpec Profiles
3
+ ---
4
+
5
+ # InSpec Profiles
6
+
7
+ InSpec supports the creation of complex test and compliance profiles, which organize controls to support dependency management and code reuse. Each profile is a standalone structure with its own distribution and execution flow.
8
+
9
+ # Profile Structure
10
+
11
+ A profile should have the following structure::
12
+
13
+ examples/profile
14
+ ├── README.md
15
+ ├── controls
16
+ │ ├── example.rb
17
+ │ └── control_etc.rb
18
+ ├── libraries
19
+ │ └── extension.rb
20
+ |── files
21
+ │ └── extras.conf
22
+ └── inspec.yml
23
+
24
+ where:
25
+
26
+ * `inspec.yml` includes the profile description (required)
27
+ * `controls` is the directory in which all tests are located (required)
28
+ * `libraries` is the directory in which all InSpec resource extensions are located (optional)
29
+ * `files` is the directory with additional files that a profile can access (optional)
30
+ * `README.md` should be used to explain the profile, its scope, and usage
31
+
32
+ See a complete example profile in the InSpec open source repository: [https://github.com/chef/inspec/tree/master/examples/profile](https://github.com/chef/inspec/tree/master/examples/profile)
33
+
34
+ Also check out [Explore InSpec resources](https://learn.chef.io/modules/explore-inspec-resources#/) on Learn Chef Rally to learn more about how profiles are structured with hands-on examples.
35
+
36
+ ## inspec.yml
37
+
38
+ Each profile must have an `inspec.yml` file that defines the following information:
39
+
40
+ * Use `name` to specify a unique name for the profile. Required.
41
+ * Use `title` to specify a human-readable name for the profile.
42
+ * Use `maintainer` to specify the profile maintainer.
43
+ * Use `copyright` to specify the copyright holder.
44
+ * Use `copyright_email` to specify support contact information for the profile, typically an email address.
45
+ * Use `license` to specify the license for the profile.
46
+ * Use `summary` to specify a one line summary for the profile.
47
+ * Use `description` to specify a multiple line description of the profile.
48
+ * Use `version` to specify the profile version.
49
+ * Use `inspec_version` to place SemVer constraints on the version of InSpec that the profile can run under.
50
+ * Use `supports` to specify a list of supported platform targets.
51
+ * Use `depends` to define a list of profiles on which this profile depends.
52
+
53
+ `name` is required; all other profile settings are optional. For example:
54
+
55
+ name: ssh
56
+ title: Basic SSH
57
+ maintainer: Chef Software, Inc.
58
+ copyright: Chef Software, Inc.
59
+ copyright_email: support@chef.io
60
+ license: Proprietary, All rights reserved
61
+ summary: Verify that SSH Server and SSH Client are configured securely
62
+ version: 1.0.0
63
+ supports:
64
+ - os-family: linux
65
+ depends:
66
+ - name: profile
67
+ path: ../path/to/profile
68
+ inspec_version: "~> 2.1"
69
+
70
+ ## Verify Profiles
71
+
72
+ Use the `inspec check` command to verify the implementation of a profile:
73
+
74
+ $ inspec check examples/profile
75
+
76
+ # Platform Support
77
+
78
+ Use the `supports` setting in the `inspec.yml` file to specify one (or more) platforms for which a profile is targeting. The list of supported platforms may contain simple names, names and versions, or detailed flags, and may be combined arbitrarily. For example, to target anything running Debian Linux:
79
+
80
+ name: ssh
81
+ supports:
82
+ - os-name: debian
83
+
84
+ and to target only Ubuntu version 14.04
85
+
86
+ name: ssh
87
+ supports:
88
+ - os-name: ubuntu
89
+ release: 14.04
90
+
91
+ and to target the entire RedHat platform (including CentOS and Oracle Linux):
92
+
93
+ name: ssh
94
+ supports:
95
+ - os-family: redhat
96
+
97
+ and to target anything running on Amazon AWS:
98
+
99
+ name: ssh
100
+ supports:
101
+ - platform: aws
102
+
103
+ and to target all of these examples in a single `inspec.yml` file:
104
+
105
+ name: ssh
106
+ supports:
107
+ - os-name: debian
108
+ - os-name: ubuntu
109
+ release: 14.04
110
+ - os-family: redhat
111
+ - platform: aws
112
+
113
+
114
+ # Profile Dependencies
115
+
116
+ An InSpec profile can bring in the controls and custom resources from another InSpec profile. Additionally, when inheriting the controls of another profile, a profile can skip or even modify those included controls.
117
+
118
+ For hands-on examples, check out [Create a custom InSpec profile](https://learn.chef.io/modules/create-a-custom-profile#/) on Learn Chef Rally.
119
+
120
+ ## Defining the Dependencies
121
+
122
+ Before a profile can use controls from another profile, the to-be-included profile needs to be specified in the including profile’s `inspec.yml` file in the `depends` section. For each profile to be included, a location for the profile from where to be fetched and a name for the profile should be included. For example:
123
+
124
+ depends:
125
+ - name: linux-baseline
126
+ url: https://github.com/dev-sec/linux-baseline/archive/master.tar.gz
127
+ - name: ssh-baseline
128
+ url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz
129
+
130
+ InSpec supports a number of dependency sources.
131
+
132
+ ### path
133
+
134
+ The `path` setting defines a profile that is located on disk. This setting is typically used during development of profiles and when debugging profiles.
135
+
136
+ depends:
137
+ - name: my-profile
138
+ path: /absolute/path
139
+ - name: another
140
+ path: ../relative/path
141
+
142
+ ### url
143
+
144
+ The `url` setting specifies a profile that is located at an HTTP- or HTTPS-based URL. The profile must be accessible via a HTTP GET operation and must be a valid profile archive (zip, tar, or tar.gz format).
145
+
146
+ depends:
147
+ - name: my-profile
148
+ url: https://my.domain/path/to/profile.tgz
149
+ - name: profile-via-git
150
+ url: https://github.com/myusername/myprofile-repo/archive/master.tar.gz
151
+
152
+ ### git
153
+
154
+ A `git` setting specifies a profile that is located in a git repository, with optional settings for branch, tag, commit, and version. The source location is translated into a URL upon resolution. This type of dependency supports version constraints via semantic versioning as git tags.
155
+
156
+ For example:
157
+
158
+ depends:
159
+ - name: git-profile
160
+ git: http://url/to/repo
161
+ branch: desired_branch
162
+ tag: desired_version
163
+ commit: pinned_commit
164
+ version: semver_via_tags
165
+
166
+ ### supermarket
167
+
168
+ A `supermarket` setting specifies a profile that is located in a cookbook hosted on Chef Supermarket. The source location is translated into a URL upon resolution.
169
+
170
+ For example:
171
+
172
+ depends:
173
+ - name: supermarket-profile
174
+ supermarket: supermarket-username/supermarket-profile
175
+
176
+ Available Supermarket profiles can be listed with `inspec supermarket profiles`.
177
+
178
+ ### compliance
179
+
180
+ A `compliance` setting specifies a profile that is located on the Chef Automate or Chef Compliance server.
181
+
182
+ For example:
183
+
184
+ depends:
185
+ - name: linux
186
+ compliance: base/linux
187
+
188
+ ## Vendoring Dependencies
189
+
190
+ When you execute a local profile, the `inspec.yml` file will be read in order to source any profile dependencies. It will then cache the dependencies locally and generate an `inspec.lock` file.
191
+
192
+ If you add or update dependencies in `inspec.yml`, dependencies may be re-vendored and the lockfile updated with `inspec vendor --overwrite`
193
+
194
+ ## Using Controls from an Included Profile
195
+
196
+ Once defined in the `inspec.yml`, controls from the included profiles can be used! Let’s look at some examples.
197
+
198
+ ### Including All Controls from a Profile
199
+
200
+ With the `include_controls` command in a profile, all controls from the named profile will be executed every time the including profile is executed.
201
+
202
+ ![Include Controls](/images/profile_inheritance/include_controls.png)
203
+
204
+ In the example above, every time `my-app-profile` is executed, all the controls from `my-baseline` are also executed. Therefore, the following controls would be executed:
205
+
206
+ * myapp-1
207
+ * myapp-2
208
+ * myapp-3
209
+ * baseline-1
210
+ * baseline-2
211
+
212
+ This is a great reminder that having a good naming convention for your controls is helpful to avoid confusion when
213
+ including controls from other profiles!
214
+
215
+ ### Skipping a Control from a Profile
216
+
217
+ What if one of the controls from the included profile does not apply to your environment? Luckily, it is not necessary to maintain a slightly-modified copy of the included profile just to delete a control. The `skip_control` command tells InSpec to not run a particular control.
218
+
219
+ ![Include Controls with Skip](/images/profile_inheritance/include_controls_with_skip.png)
220
+
221
+ In the above example, all controls from `my-app-profile` and `my-baseline` profile will be executed every time `my-app-profile` is executed **except** for control `baseline-2` from the `my-baseline` profile.
222
+
223
+ ### Modifying a Control
224
+
225
+ Let's say a particular control from an included profile should still be run, but the impact isn't appropriate? Perhaps the test should still run, but if it fails, it should be treated as low severity instead of high severity?
226
+
227
+ When a control is included, it can also be modified!
228
+
229
+ ![Include Controls with Modification](/images/profile_inheritance/include_controls_with_mod.png)
230
+
231
+ In the above example, all controls from `my-baseline` are executed along with all the controls from the including profile, `my-app-profile`. However, should control `baseline-1` fail, it will be raised with an impact of `0.5` instead of the originally-intended impact of `1.0`.
232
+
233
+ ### Selectively Including Controls from a Profile
234
+
235
+ If there are only a handful of controls that should be executed from an included profile, it's not necessarily to skip all the unneeded controls, or worse, copy/paste those controls bit-for-bit into your profile. Instead, use the `require_controls` command.
236
+
237
+ ![Require Controls](/images/profile_inheritance/require_controls.png)
238
+
239
+ Whenever `my-app-profile` is executed, in addition to its own controls, it will run only the controls specified in the `require_controls` block. In the case, the following controls would be executed:
240
+
241
+ * myapp-1
242
+ * myapp-2
243
+ * myapp-3
244
+ * baseline-2
245
+ * baseline-4
246
+
247
+ Controls `baseline-1`, `baseline-3`, and `baseline-5` would not be run, just as if they were manually skipped. This method of including specific controls ensures only the controls specified are executed; if new controls are added to a later version of `my-baseline`, they would not be run.
248
+
249
+ And, just the way its possible to modify controls when using `include_controls`, controls can be modified as well.
250
+
251
+ ![Require Controls with Modification](/images/profile_inheritance/require_controls_with_mod.png)
252
+
253
+ As with the prior example, only `baseline-2` and `baseline-4` are executed, but if `baseline-2` fails, it will report with an impact of `0.5` instead of the originally-intended `1.0` impact.
254
+
255
+ ## Using Resources from an Included Profile
256
+
257
+ By default, all of the custom resources from a listed dependency are available
258
+ for use in your profile. If two of your dependencies provide a resource with
259
+ the same name, you can use the `require_resource` DSL function to
260
+ disambiguate the two:
261
+
262
+ require_resource(profile: 'my_dep', resource: 'my_res',
263
+ as: 'my_res2')
264
+
265
+ This will allow you to reference the resource `my_res` from the
266
+ profile `my_dep` using the name `my_res2`.
267
+
268
+ # Profile Attributes
269
+
270
+ Attributes may be used in profiles to define secrets, such as user names and passwords, that should not otherwise be stored in plain-text in a cookbook. First specify a variable in the control for each secret, then add the secret to a Yaml file located on the local machine, and then run `inspec exec` and specify the path to that Yaml file using the `--attrs` attribute.
271
+
272
+ For example, a control:
273
+
274
+ # define these attributes on the top-level of your file and re-use them across all tests!
275
+ val_user = attribute('user', default: 'alice', description: 'An identification for the user')
276
+ val_password = attribute('password', description: 'A value for the password')
277
+
278
+ control 'system-users' do
279
+ impact 0.8
280
+ desc '
281
+ This test assures that the user "Bob" has a user installed on the system, along with a
282
+ specified password.
283
+ '
284
+
285
+ describe val_user do
286
+ it { should eq 'bob' }
287
+ end
288
+
289
+ describe val_password do
290
+ it { should eq 'secret' }
291
+ end
292
+ end
293
+
294
+ And a Yaml file named `profile-attribute.yml`:
295
+
296
+ user: bob
297
+ password: secret
298
+
299
+ The following command runs the tests and applies the secrets specified in `profile-attribute.yml`:
300
+
301
+ $ inspec exec examples/profile-attribute --attrs examples/profile-attribute.yml
302
+
303
+ See the full example in the InSpec open source repository: https://github.com/chef/inspec/tree/master/examples/profile-attribute
304
+
305
+ # Profile files
306
+
307
+ An InSpec profile may contain additional files that can be accessed during tests. A profile file enables you to separate the logic of your tests from the data your tests check for, for example, the list of ports you require to be open.
308
+
309
+ To access these files, they must be stored in the `files` directory at the root of a profile. They are accessed by their name relative to this folder with `inspec.profile.file(...)`.
310
+
311
+ Here is an example for reading and testing a list of ports. The folder structure is:
312
+
313
+ examples/profile
314
+ ├── controls
315
+ │ ├── example.rb
316
+ |── files
317
+ │ └── services.yml
318
+ └── inspec.yml
319
+
320
+ With `services.yml` containing:
321
+
322
+ - service_name: httpd-alpha
323
+ port: 80
324
+ - service_name: httpd-beta
325
+ port: 8080
326
+
327
+ The tests in `example.rb` can now access this file:
328
+
329
+ my_services = yaml(content: inspec.profile.file('services.yml')).params
330
+
331
+ my_services.each do |s|
332
+ describe service(s['service_name']) do
333
+ it { should be_running }
334
+ end
335
+
336
+ describe port(s['port']) do
337
+ it { should be_listening }
338
+ end
339
+ end
340
+
341
+ For a more complete example that uses a profile file, see [Explore InSpec resources](https://learn.chef.io/modules/explore-inspec-resources#/) on Learn Chef Rally.
342
+
343
+ # "should" vs. "expect" syntax
344
+
345
+ Users familiar with the RSpec testing framework may know that there are two ways to write test statements: `should` and `expect`. The RSpec community decided that `expect` is the preferred syntax. However, InSpec recommends the `should` syntax as it tends to read more easily to those users who are not as technical.
346
+
347
+ InSpec will continue to support both methods of writing tests. Consider this `file` test:
348
+
349
+ describe file('/tmp/test.txt') do
350
+ it { should be_file }
351
+ end
352
+
353
+ This can be re-written with `expect` syntax
354
+
355
+ describe file('/tmp/test.txt') do
356
+ it 'should be a file' do
357
+ expect(subject).to(be_file)
358
+ end
359
+ end
360
+
361
+ The output of both of the above examples looks like this:
362
+
363
+ File /tmp/test.txt
364
+ ✔ should be a file
365
+
366
+ In addition, you can make use of the `subject` keyword to further control your output if you choose:
367
+
368
+ describe 'test file' do
369
+ subject { file('/tmp/test.txt') }
370
+ it 'should be a file' do
371
+ expect(subject).to(be_file)
372
+ end
373
+ end
374
+
375
+ ... which will render the following output:
376
+
377
+ test file
378
+ ✔ should be a file
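Review bot: In the `### git` example (new lines 158-164), the dependency is fetched over plain `git: http://url/to/repo`, and the same entry sets `branch`, `tag`, `commit` and `version` together, so a reader cannot tell which selector takes effect; the example itself labels only `commit` as pinned. Suggest an `https://` URL in the example, showing the selectors as alternatives, and stating their precedence. In `# Profile Attributes` (new lines 270-297), the text says attributes keep secrets out of plain text in a cookbook, but the documented flow stores them in a plain-text `profile-attribute.yml` passed with `--attrs`; a sentence on protecting that file would help. In the same section, the `desc` names user "Bob" while the attribute default is `alice`, and `--attrs` is called an attribute where "option" is meant. Minor wording: "it's not necessarily to skip" (line 235), "In the case" (line 239), "its possible" (line 249), the missing period after `inspec vendor --overwrite` (line 192), and `|── files` in the folder tree (line 316), which uses an ASCII pipe where the other rows use `├`.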