inspec 2.1.84 → 2.2.10

data/docs/resources/os.md.erb

@@ -120,22 +120,24 @@ Use `os.family` to enable more granular testing of platforms, platform names, ar
 
 For example, both of the following tests should have the same result:
 
-    if os.family == 'debian'
-      describe port(69) do
-        its('processes') { should include 'in.tftpd' }
-      end
-    elsif os.family == 'redhat'
-      describe port(69) do
-        its('processes') { should include 'xinetd' }
-      end
-    end
-
-    if os.debian?
-      describe port(69) do
-        its('processes') { should include 'in.tftpd' }
-      end
-    elsif os.redhat?
-      describe port(69) do
-        its('processes') { should include 'xinetd' }
-      end
-    end
+```ruby
+if os.family == 'debian'
+  describe port(69) do
+    its('processes') { should include 'in.tftpd' }
+  end
+elsif os.family == 'redhat'
+  describe port(69) do
+    its('processes') { should include 'xinetd' }
+  end
+end
+
+if os.debian?
+  describe port(69) do
+    its('processes') { should include 'in.tftpd' }
+  end
+elsif os.redhat?
+  describe port(69) do
+    its('processes') { should include 'xinetd' }
+  end
+end
+```

data/docs/resources/shadow.md.erb

@@ -8,7 +8,7 @@ platform: linux
 Use the `shadow` InSpec audit resource to test the contents of `/etc/shadow`, which contains password details that are only readable by the `root` user. The format for `/etc/shadow` includes:
 
 * A username
-* The password for that user (on newer systems passwords should be stored in `/etc/shadow` )
+* The hashed password for that user
 * The last time a password was changed
 * The minimum number of days a password must exist, before it may be changed
 * The maximum number of days after which a password must be changed
@@ -24,22 +24,26 @@ These entries are defined as a colon-delimited row in the file, one row per user
 
 ## Syntax
 
-A `shadow` resource block declares one (or more) users and associated user information to be tested:
+A `shadow` resource block declares user properties to be tested:
 
     describe shadow do
       its('user') { should_not include 'forbidden_user' }
     end
 
-or with a single query:
+Properties can be used as a single query:
 
     describe shadow.user('root') do
       its('count') { should eq 1 }
     end
 
-or with a filter:
+Use the `.where` method to find properties that match a value:
 
-    describe shadow.filter(min_days: '0', max_days: '99999') do
-      its('count') { should eq 1 }
+    describe shadow.where { min_days == '0' } do
+      its ('user') { should include 'nfs' }
+    end
+
+    describe shadow.where { password =~ /[x|!|*]/ } do
+      its('count') { should eq 0 }
     end
 
 The following properties are available:
@@ -54,8 +58,6 @@ The following properties are available:
 * `expiry_date`
 * `reserved`
 
-Properties can be used as a single query or can be joined together with the `.filter` method.
-
 <br>
 
 ## Examples
@@ -77,31 +79,17 @@ The following examples show how to use this InSpec audit resource.
 
 <br>
 
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### count
-
-The `count` matcher tests the number of times the named user appears in `/etc/shadow`:
-
-    its('count') { should eq 1 }
-
-This matcher is best used in conjunction with filters. For example:
-
-    describe shadow.user('dannos') do
-       its('count') { should eq 1 }
-    end
+## Properties
 
 ### user
 
-The `user` matcher tests if the username exists `/etc/shadow`:
+The `user` property tests if the username exists `/etc/shadow`:
 
     its('user') { should eq 'root' }
 
 ### password
 
-The `password` matcher returns the encrypted password string from the shadow file. The returned string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed.
+The `password` property returns the encrypted password string from the shadow file. The returned string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed.
 
 For example:
 
@@ -109,38 +97,56 @@ For example:
 
 ### last_change
 
-The `last_change` matcher tests the last time a password was changed:
+The `last_change` property tests the last time a password was changed:
 
     its('last_change') { should be_empty }
 
 ### min_days
 
-The `min_days` matcher tests the minimum number of days a password must exist, before it may be changed:
+The `min_days` property tests the minimum number of days a password must exist, before it may be changed:
 
     its('min_days') { should eq 0 }
 
 ### max_days
 
-The `max_days` matcher tests the maximum number of days after which a password must be changed:
+The `max_days` property tests the maximum number of days after which a password must be changed:
 
     its('max_days') { should eq 90 }
 
 ### warn_days
 
-The `warn_days` matcher tests the number of days a user is warned about an expiring password:
+The `warn_days` property tests the number of days a user is warned about an expiring password:
 
     its('warn_days') { should eq 7 }
 
 ### inactive_days
 
-The `inactive_days` matcher tests the number of days a user must be inactive before the user account is disabled:
+The `inactive_days` property tests the number of days a user must be inactive before the user account is disabled:
 
     its('inactive_days') { should be_empty }
 
 ### expiry_date
 
-The `expiry_date` matcher tests the number of days a user account has been disabled:
+The `expiry_date` property tests the number of days a user account has been disabled:
 
     its('expiry_date') { should be_empty }
 
+### count
+
+The `count` property tests the number of times the named property appears:
+
+    describe shadow.user('root') do
+      its('count') { should eq 1 }
+    end
+
+This property is best used in conjunction with filters. For example:
 
+    describe shadow.where { password =~ /[x|!|*]/ } do
+      its('count') { should eq 0 }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

data/docs/resources/x509_certificate.md.erb

@@ -92,7 +92,7 @@ sign the certificate.
     end
 
 
-### validity_in_days (Float)
+### validity\_in\_days (Float)
 
 The `validity_in_days` property can be used to check that certificates are not in
 danger of expiring soon.
@@ -101,7 +101,7 @@ danger of expiring soon.
       its('validity_in_days') { should be > 30 }
     end
 
-### not_before and not_after (Time)
+### not\_before and not\_after (Time)
 
 The `not_before` and `not_after` properties expose the start and end dates of certificate
 validity. They are exposed as ruby Time class so that date arithmetic can be easily performed.

data/examples/custom-resource/README.md

@@ -0,0 +1,3 @@
+# Example Custom Resource Profile
+
+This example shows the implementation of an InSpec profile with custom resources.

data/examples/custom-resource/controls/example.rb

@@ -0,0 +1,7 @@
+# encoding: utf-8
+
+describe gordon do
+  its('crime_rate') { should be < 5 }
+  it { should have_a_fabulous_mustache }
+end
+

data/examples/custom-resource/inspec.yml

@@ -0,0 +1,8 @@
+name: custom_resource_example
+title: InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile
+version: 0.1.0

data/examples/custom-resource/libraries/batsignal.rb

@@ -0,0 +1,20 @@
+class Batsignal < Inspec.resource(1)
+  name 'batsignal'
+
+  example "
+      describe batsignal do
+        its('number_of_sightings)') { should eq '4' }
+      end
+  "
+
+  def number_of_sightings
+    local_command_call
+  end
+
+  private
+
+  def local_command_call
+    # call out to a core resource
+    inspec.command('echo 4').stdout.to_i
+  end
+end

data/examples/custom-resource/libraries/gordon.rb

@@ -0,0 +1,21 @@
+class Gordon < Inspec.resource(1)
+  name 'gordon'
+
+  example "
+    describe gordon do
+      its('crime_rate') { should be < 2 }
+      it { should have_a_fabulous_mustache }
+    end
+  "
+
+  def crime_rate
+    # call out ot another custom resource
+    inspec.batsignal.number_of_sightings
+  end
+
+  def has_a_fabulous_mustache?
+    # always true
+    true
+  end
+end
+

data/lib/inspec/reporters/junit.rb

@@ -27,6 +27,7 @@ module Inspec::Reporters
       profile_xml.add_attribute('name', profile[:name])
       profile_xml.add_attribute('tests', count_profile_tests(profile))
       profile_xml.add_attribute('failed', count_profile_failed_tests(profile))
+      profile_xml.add_attribute('failures', count_profile_failed_tests(profile))
 
       profile[:controls].each do |control|
         next if control[:results].nil?

data/lib/inspec/resource.rb

@@ -50,8 +50,16 @@ module Inspec
           define_method id.to_sym do |*args|
             r.new(backend, id.to_s, *args)
           end
+
+          # confirm backend custom resources have access to other custom resources
+          next if backend.respond_to?(id)
+          backend.class.send(:define_method, id.to_sym) do |*args|
+            r.new(backend, id.to_s, *args)
+          end
         end
 
+        # attach backend so we have access to all resources and
+        # the train connection object
         define_method :inspec do
           backend
         end

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '2.1.84'
+  VERSION = '2.2.10'
 end

data/lib/resource_support/aws.rb

@@ -19,7 +19,10 @@ require 'resources/aws/aws_cloudwatch_log_metric_filter'
 require 'resources/aws/aws_config_delivery_channel'
 require 'resources/aws/aws_config_recorder'
 require 'resources/aws/aws_ec2_instance'
+require 'resources/aws/aws_flow_log'
 require 'resources/aws/aws_ec2_instances'
+require 'resources/aws/aws_elb'
+require 'resources/aws/aws_elbs'
 require 'resources/aws/aws_iam_access_key'
 require 'resources/aws/aws_iam_access_keys'
 require 'resources/aws/aws_iam_group'

data/lib/resources/aws/aws_elb.rb

@@ -0,0 +1,81 @@
+class AwsElb < Inspec.resource(1)
+  name 'aws_elb'
+  desc 'Verifies settings for AWS Elastic Load Balancer'
+  example "
+    describe aws_elb('myelb') do
+      it { should exist }
+    end
+  "
+  supports platform: 'aws'
+
+  include AwsSingularResourceMixin
+  attr_reader :availability_zones, :dns_name, :elb_name, :external_ports,
+              :instance_ids, :internal_ports, :security_group_ids,
+              :subnet_ids, :vpc_id
+
+  def to_s
+    "AWS ELB #{elb_name}"
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:elb_name],
+      allowed_scalar_name: :elb_name,
+      allowed_scalar_type: String,
+    )
+
+    if validated_params.empty?
+      raise ArgumentError, 'You must provide a elb_name to aws_elb.'
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    begin
+      lbs = backend.describe_load_balancers(load_balancer_names: [elb_name]).load_balancer_descriptions
+      @exists = true
+      # Load balancer names are uniq; we will either have 0 or 1 result
+      unpack_describe_elbs_response(lbs.first)
+    rescue Aws::ElasticLoadBalancing::Errors::LoadBalancerNotFound
+      @exists = false
+      populate_as_missing
+    end
+  end
+
+  def unpack_describe_elbs_response(lb_struct)
+    @availability_zones = lb_struct.availability_zones
+    @dns_name = lb_struct.dns_name
+    @external_ports = lb_struct.listener_descriptions.map { |ld| ld.listener.load_balancer_port }
+    @instance_ids = lb_struct.instances.map(&:instance_id)
+    @internal_ports = lb_struct.listener_descriptions.map { |ld| ld.listener.instance_port }
+    @elb_name = lb_struct.load_balancer_name
+    @security_group_ids = lb_struct.security_groups
+    @subnet_ids = lb_struct.subnets
+    @vpc_id = lb_struct.vpc_id
+  end
+
+  def populate_as_missing
+    @availability_zones = []
+    @external_ports = []
+    @instance_ids = []
+    @internal_ports = []
+    @security_group_ids = []
+    @subnet_ids = []
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::ElasticLoadBalancing::Client
+
+      def describe_load_balancers(query = {})
+        aws_service_client.describe_load_balancers(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_elbs.rb

@@ -0,0 +1,78 @@
+class AwsElbs < Inspec.resource(1)
+  name 'aws_elbs'
+  desc 'Verifies settings for AWS ELBs (classic Elastic Load Balancers) in bulk'
+  example '
+    describe aws_elbs do
+      it { should exist }
+    end
+  '
+  supports platform: 'aws'
+
+  include AwsPluralResourceMixin
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, 'aws_elbs does not accept resource parameters.'
+    end
+    resource_params
+  end
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.add_accessor(:entries)
+        .add_accessor(:where)
+        .add(:exists?) { |table| !table.params.empty? }
+        .add(:count) { |table| table.params.count }
+        .add(:availability_zones, field: :availability_zones, style: :simple)
+        .add(:dns_names, field: :dns_name)
+        .add(:external_ports, field: :external_ports, style: :simple)
+        .add(:instance_ids, field: :instance_ids, style: :simple)
+        .add(:internal_ports, field: :internal_ports, style: :simple)
+        .add(:elb_names, field: :elb_name)
+        .add(:security_group_ids, field: :security_group_ids, style: :simple)
+        .add(:subnet_ids, field: :subnet_ids, style: :simple)
+        .add(:vpc_ids, field: :vpc_id, style: :simple)
+  filter.connect(self, :table)
+
+  def to_s
+    'AWS ELBs'
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = []
+    pagination_opts = {}
+    loop do
+      api_result = backend.describe_load_balancers(pagination_opts)
+      @table += unpack_describe_elbs_response(api_result.load_balancer_descriptions)
+      break unless api_result.next_marker
+      pagination_opts = { marker: api_result.next_marker }
+    end
+  end
+
+  def unpack_describe_elbs_response(load_balancers)
+    load_balancers.map do |lb_struct|
+      {
+        availability_zones: lb_struct.availability_zones,
+        dns_name: lb_struct.dns_name,
+        external_ports: lb_struct.listener_descriptions.map { |ld| ld.listener.load_balancer_port },
+        instance_ids: lb_struct.instances.map(&:instance_id),
+        internal_ports: lb_struct.listener_descriptions.map { |ld| ld.listener.instance_port },
+        elb_name: lb_struct.load_balancer_name,
+        security_group_ids: lb_struct.security_groups,
+        subnet_ids: lb_struct.subnets,
+        vpc_id: lb_struct.vpc_id,
+      }
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::ElasticLoadBalancing::Client
+
+      def describe_load_balancers(query = {})
+        aws_service_client.describe_load_balancers(query)
+      end
+    end
+  end
+end