inspec 2.2.27 → 2.2.34
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +33 -16
- data/docs/resources/shadow.md.erb +169 -64
- data/lib/bundles/inspec-init/cli.rb +7 -3
- data/lib/inspec/base_cli.rb +10 -2
- data/lib/inspec/formatters/base.rb +1 -1
- data/lib/inspec/metadata.rb +4 -7
- data/lib/inspec/profile.rb +21 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/apache_conf.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 29857224509b0eeb7fb9942ce70b5520b54d44b15cb996db137d24f09cb18b73
|
|
4
|
+
data.tar.gz: 95f7da542bd317544cd1ab5e225f7366cfc9d1430970b8fb976c1d71e79f0dec
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e1d5acf1b120e9dbeac94bbaaaa483ebeb8e08202b41c383ed7743e34f626e6d8915b67d6d8e59bd5648b9d497670ca032b3aaf10b9c8908a4bd0e68feb318bf
|
|
7
|
+
data.tar.gz: a838959692ee73761ec76d9a39659d875b592fd747c74e67b98e73357ae84a522c9013c0c790d1f9bccef552c9bb6a94cec69754f49dba456fc7b692c2f79e6e
|
data/CHANGELOG.md
CHANGED
|
@@ -1,32 +1,50 @@
|
|
|
1
1
|
# Change Log
|
|
2
2
|
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
|
|
3
|
-
<!-- latest_release 2.2.
|
|
4
|
-
## [v2.2.
|
|
3
|
+
<!-- latest_release 2.2.34 -->
|
|
4
|
+
## [v2.2.34](https://github.com/inspec/inspec/tree/v2.2.34) (2018-07-05)
|
|
5
5
|
|
|
6
|
-
####
|
|
7
|
-
-
|
|
6
|
+
#### Bug Fixes
|
|
7
|
+
- fix for apache_conf to handle quoted Includes [#3193](https://github.com/inspec/inspec/pull/3193) ([voroniys](https://github.com/voroniys))
|
|
8
8
|
<!-- latest_release -->
|
|
9
9
|
|
|
10
|
-
<!-- release_rollup since=2.2.
|
|
11
|
-
### Changes since 2.2.
|
|
10
|
+
<!-- release_rollup since=2.2.27 -->
|
|
11
|
+
### Changes since 2.2.27 release
|
|
12
12
|
|
|
13
13
|
#### New Features
|
|
14
|
-
-
|
|
15
|
-
- Set parent_profile field on child profiles (json report) [#3164](https://github.com/inspec/inspec/pull/3164) ([jquick](https://github.com/jquick)) <!-- 2.2.25 -->
|
|
14
|
+
- cli: Add `--insecure` option for `exec` and `shell` [#3195](https://github.com/inspec/inspec/pull/3195) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.31 -->
|
|
16
15
|
|
|
17
|
-
####
|
|
18
|
-
-
|
|
19
|
-
-
|
|
16
|
+
#### Bug Fixes
|
|
17
|
+
- fix for apache_conf to handle quoted Includes [#3193](https://github.com/inspec/inspec/pull/3193) ([voroniys](https://github.com/voroniys)) <!-- 2.2.34 -->
|
|
18
|
+
- Fix some issues with the vendor functional tests [#3196](https://github.com/inspec/inspec/pull/3196) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.2.30 -->
|
|
20
19
|
|
|
21
20
|
#### Merged Pull Requests
|
|
22
|
-
-
|
|
21
|
+
- Prevent Slashes in profile names [#3175](https://github.com/inspec/inspec/pull/3175) ([miah](https://github.com/miah)) <!-- 2.2.32 -->
|
|
22
|
+
- Fix vendor functional test to not validate a repo hash that can change. [#3198](https://github.com/inspec/inspec/pull/3198) ([miah](https://github.com/miah)) <!-- 2.2.29 -->
|
|
23
23
|
|
|
24
|
-
####
|
|
25
|
-
-
|
|
26
|
-
-
|
|
24
|
+
#### Enhancements
|
|
25
|
+
- Accept regexes for --controls option to inspec exec [#3179](https://github.com/inspec/inspec/pull/3179) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.2.33 -->
|
|
26
|
+
- Update the node platform issues to warn severity [#3186](https://github.com/inspec/inspec/pull/3186) ([jquick](https://github.com/jquick)) <!-- 2.2.28 -->
|
|
27
27
|
<!-- release_rollup -->
|
|
28
28
|
|
|
29
29
|
<!-- latest_stable_release -->
|
|
30
|
+
## [v2.2.27](https://github.com/inspec/inspec/tree/v2.2.27) (2018-06-29)
|
|
31
|
+
|
|
32
|
+
#### New Features
|
|
33
|
+
- Set parent_profile field on child profiles (json report) [#3164](https://github.com/inspec/inspec/pull/3164) ([jquick](https://github.com/jquick))
|
|
34
|
+
- Document exit codes for 'inspec exec' and add --no-distinct-exit option [#3178](https://github.com/inspec/inspec/pull/3178) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
|
35
|
+
|
|
36
|
+
#### Enhancements
|
|
37
|
+
- apache_conf resource: Strip quotes from values [#3142](https://github.com/inspec/inspec/pull/3142) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
|
|
38
|
+
- Update core resources with filtertable API changes [#3117](https://github.com/inspec/inspec/pull/3117) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
|
39
|
+
|
|
40
|
+
#### Bug Fixes
|
|
41
|
+
- Add support for shallow link paths [#3168](https://github.com/inspec/inspec/pull/3168) ([ColinHebert](https://github.com/ColinHebert))
|
|
42
|
+
- Detect inspec-core mode and do not attempt to load cloud resources [#3163](https://github.com/inspec/inspec/pull/3163) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
|
43
|
+
|
|
44
|
+
#### Merged Pull Requests
|
|
45
|
+
- Add functional tests for nested attributes [#3157](https://github.com/inspec/inspec/pull/3157) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
|
46
|
+
<!-- latest_stable_release -->
|
|
47
|
+
|
|
30
48
|
## [v2.2.20](https://github.com/inspec/inspec/tree/v2.2.20) (2018-06-21)
|
|
31
49
|
|
|
32
50
|
#### Enhancements
|
|
@@ -36,7 +54,6 @@
|
|
|
36
54
|
|
|
37
55
|
#### Merged Pull Requests
|
|
38
56
|
- Accept symbols and downcased criteria in aws_iam_policy have_statement matcher [#3129](https://github.com/inspec/inspec/pull/3129) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
|
39
|
-
<!-- latest_stable_release -->
|
|
40
57
|
|
|
41
58
|
## [v2.2.16](https://github.com/inspec/inspec/tree/v2.2.16) (2018-06-15)
|
|
42
59
|
|
|
@@ -5,148 +5,253 @@ platform: linux
|
|
|
5
5
|
|
|
6
6
|
# shadow
|
|
7
7
|
|
|
8
|
-
Use the `shadow` InSpec audit resource to test the contents of `/etc/shadow`, which contains password details that are only
|
|
8
|
+
Use the `shadow` InSpec audit resource to test the contents of `/etc/shadow`, which contains password details that are readable only by the `root` user. `shadow` is a [plural resource](https://www.inspec.io/docs/reference/glossary/#plural_resource). Like all plural resources, it functions by performing searches across multiple entries in the shadow file.
|
|
9
|
+
|
|
10
|
+
The format for `/etc/shadow` includes:
|
|
9
11
|
|
|
10
12
|
* A username
|
|
11
13
|
* The hashed password for that user
|
|
12
|
-
* The last
|
|
14
|
+
* The last date a password was changed, as the number of days since Jan 1 1970
|
|
13
15
|
* The minimum number of days a password must exist, before it may be changed
|
|
14
16
|
* The maximum number of days after which a password must be changed
|
|
15
17
|
* The number of days a user is warned about an expiring password
|
|
16
18
|
* The number of days a user must be inactive before the user account is disabled
|
|
17
|
-
* The
|
|
19
|
+
* The date on which a user account was disabled, as the number of days since Jan 1 1970
|
|
18
20
|
|
|
19
21
|
These entries are defined as a colon-delimited row in the file, one row per user:
|
|
20
22
|
|
|
21
23
|
dannos:Gb7crrO5CDF.:10063:0:99999:7:::
|
|
22
24
|
|
|
25
|
+
The `shadow` resource understands this format, allows you to search on the fields, and exposes the selected users' properties.
|
|
26
|
+
|
|
23
27
|
<br>
|
|
24
28
|
|
|
25
|
-
##
|
|
29
|
+
## Resource Parameters
|
|
26
30
|
|
|
27
|
-
|
|
31
|
+
The `shadow` resource takes one optional parameter: the path to the shadow file. If omitted, `/etc/shadow` is assumed.
|
|
28
32
|
|
|
33
|
+
# Expect a file to exist at the default location and have 32 users
|
|
29
34
|
describe shadow do
|
|
30
|
-
its('
|
|
35
|
+
its('count') { should eq 32 }
|
|
31
36
|
end
|
|
32
37
|
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
its('count') { should eq 1 }
|
|
38
|
+
# Use a custom location
|
|
39
|
+
describe shadow('/etc/my-custom-place/shadow') do
|
|
40
|
+
its('count') { should eq 32 }
|
|
37
41
|
end
|
|
38
42
|
|
|
39
|
-
|
|
43
|
+
## Examples
|
|
40
44
|
|
|
41
|
-
|
|
42
|
-
its ('users') { should include 'nfs' }
|
|
43
|
-
end
|
|
45
|
+
A `shadow` resource block uses `where` to filter entries from the shadow file. If `where` is omitted, all entries are selected.
|
|
44
46
|
|
|
45
|
-
|
|
46
|
-
|
|
47
|
+
# Select all users. Among them, there should not be a user with the name 'forbidden_user'.
|
|
48
|
+
describe shadow do
|
|
49
|
+
its('users') { should_not include 'forbidden_user' }
|
|
47
50
|
end
|
|
48
51
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
* `last_changes`
|
|
54
|
-
* `min_days`
|
|
55
|
-
* `max_days`
|
|
56
|
-
* `warn_days`
|
|
57
|
-
* `inactive_days`
|
|
58
|
-
* `expiry_dates`
|
|
59
|
-
* `reserved`
|
|
60
|
-
|
|
61
|
-
<br>
|
|
62
|
-
|
|
63
|
-
## Examples
|
|
64
|
-
|
|
65
|
-
The following examples show how to use this InSpec audit resource.
|
|
52
|
+
# Ensure there is only one user named 'root' (Select all with name 'root', then count them).
|
|
53
|
+
describe shadow.where(user: 'root') do
|
|
54
|
+
its('count') { should eq 1 }
|
|
55
|
+
end
|
|
66
56
|
|
|
67
|
-
|
|
57
|
+
Use `where` to match any of the supported [filter criteria](#filter_criteria). `where` has a method form for simple equality and a block form for more complex queries.
|
|
68
58
|
|
|
69
|
-
|
|
70
|
-
|
|
59
|
+
# Method form, simple
|
|
60
|
+
# Select just the root user (direct equality)
|
|
61
|
+
describe shadow.where(user: 'root') do
|
|
62
|
+
its ('count') { should eq 1 }
|
|
71
63
|
end
|
|
72
64
|
|
|
73
|
-
|
|
65
|
+
# Method form, with a regex
|
|
66
|
+
# Select all users whose names begin with smb
|
|
67
|
+
describe shadow.where(user: /^smb/) do
|
|
68
|
+
its ('count') { should eq 2 }
|
|
69
|
+
end
|
|
74
70
|
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
71
|
+
# Block form
|
|
72
|
+
# Select users whose passwords have expired
|
|
73
|
+
describe shadow.where { expiry_date > 0 } do
|
|
74
|
+
# This test directly asserts that there should be 0 such users
|
|
75
|
+
its('count') { should eq 0 }
|
|
76
|
+
# But if the count test fails, this test outputs the users that are causing the failure.
|
|
77
|
+
its('users') { should be_empty }
|
|
78
78
|
end
|
|
79
79
|
|
|
80
80
|
<br>
|
|
81
81
|
|
|
82
82
|
## Properties
|
|
83
83
|
|
|
84
|
+
As a [plural resource](https://www.inspec.io/docs/reference/glossary/#plural_resource), all of `shadow`'s properties return lists (that is, Ruby Arrays). `include` and `be_empty` are two useful matchers when working with lists. You can also perform manipulation of the lists, such as calling `uniq`, `sort`, `count`, `first`, `last`, `min`, and `max`.
|
|
85
|
+
|
|
84
86
|
### users
|
|
85
87
|
|
|
86
|
-
|
|
88
|
+
A list of strings, representing the usernames matched by the filter.
|
|
87
89
|
|
|
88
|
-
|
|
90
|
+
describe shadow
|
|
91
|
+
its('users') { should include 'root' }
|
|
92
|
+
end
|
|
89
93
|
|
|
90
94
|
### passwords
|
|
91
95
|
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
For example:
|
|
96
|
+
A list of strings, representing the encrypted password strings for entries matched by the `where` filter. Each string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed. Different operating systems use different flags here (such as `*LK*` to indicate the account is locked).
|
|
95
97
|
|
|
96
|
-
|
|
98
|
+
# Use uniq to remove duplicates, then determine
|
|
99
|
+
# if the only password left on the list is '*'
|
|
100
|
+
describe shadow.where(user: /adm$/) do
|
|
101
|
+
its('passwords.uniq.first') { should cmp '*' }
|
|
102
|
+
its('passwords.uniq.count') { should eq 1 }
|
|
103
|
+
end
|
|
97
104
|
|
|
98
105
|
### last\_changes
|
|
99
106
|
|
|
100
|
-
|
|
107
|
+
A list of integers, indicating the number of days since Jan 1 1970 since the password for each matching entry was changed.
|
|
101
108
|
|
|
102
|
-
|
|
109
|
+
# Ensure all entries have changed their password in the last 90 days. (Probably want a filter on that)
|
|
110
|
+
describe shadow do
|
|
111
|
+
its('last_changes.min') { should be < Date.today - 90 - Date.new(1970,1,1) }
|
|
112
|
+
end
|
|
103
113
|
|
|
104
114
|
### min\_days
|
|
105
115
|
|
|
106
|
-
|
|
116
|
+
A list of integers reflecting the minimum number of days a password must exist, before it may be changed, for the users that matched the filter.
|
|
107
117
|
|
|
108
|
-
|
|
118
|
+
# min_days seems crazy today; make sure it is zero for everyone
|
|
119
|
+
describe shadow do
|
|
120
|
+
its('min_days.uniq') { should eq [0] }
|
|
121
|
+
end
|
|
109
122
|
|
|
110
123
|
### max\_days
|
|
111
124
|
|
|
112
|
-
|
|
125
|
+
A list of integers reflecting the maximum number of days after which the password must be changed for each user matching the filter.
|
|
113
126
|
|
|
114
|
-
|
|
127
|
+
# Make sure there is no policy allowing longer than 90 days
|
|
128
|
+
describe shadow do
|
|
129
|
+
its('max_days.max') { should be < 90 }
|
|
130
|
+
end
|
|
115
131
|
|
|
116
132
|
### warn\_days
|
|
117
133
|
|
|
118
|
-
|
|
134
|
+
A list of integers reflecting the number of days a user is warned about an expiring password for each user matching the filter.
|
|
119
135
|
|
|
120
|
-
|
|
136
|
+
# Ensure everyone gets the same 7-day policy
|
|
137
|
+
describe shadow do
|
|
138
|
+
its('warn_days.uniq.count') { should eq 1 }
|
|
139
|
+
its('warn_days.uniq.first') { should eq 7 }
|
|
140
|
+
end
|
|
121
141
|
|
|
122
142
|
### inactive\_days
|
|
123
143
|
|
|
124
|
-
|
|
144
|
+
A list of integers reflecting the number of days a user must be inactive before the user account is disabled for each user matching the filter.
|
|
125
145
|
|
|
126
|
-
|
|
146
|
+
# Ensure everyone except admins has an stale policy of no more than 14 days
|
|
147
|
+
describe shadow.where { user !~ /adm$/ } do
|
|
148
|
+
its('inactive_days.max') { should be <= 14 }
|
|
149
|
+
end
|
|
127
150
|
|
|
128
151
|
### expiry\_dates
|
|
129
152
|
|
|
130
|
-
|
|
153
|
+
A list of integers reflecting the number of days since Jan 1 1970 that a user account has been disabled, for each user matching the filter. Value is `nil` if the account has not expired.
|
|
131
154
|
|
|
132
|
-
|
|
155
|
+
# No one should have an expired account.
|
|
156
|
+
describe shadow do
|
|
157
|
+
its('expiry_dates.compact') { should be_empty }
|
|
158
|
+
end
|
|
133
159
|
|
|
134
160
|
### count
|
|
135
161
|
|
|
136
|
-
The `count` property tests the number of
|
|
162
|
+
The `count` property tests the number of records that the filter matched.
|
|
137
163
|
|
|
164
|
+
# Should probably only have one root user
|
|
138
165
|
describe shadow.user('root') do
|
|
139
166
|
its('count') { should eq 1 }
|
|
140
167
|
end
|
|
141
168
|
|
|
142
|
-
|
|
169
|
+
<br>
|
|
143
170
|
|
|
144
|
-
|
|
145
|
-
|
|
171
|
+
## Filter Criteria
|
|
172
|
+
|
|
173
|
+
You may use any of these filter criteria with the `where` function. They are named after the columns in the shadow file. Each has a related list [property](#properties).
|
|
174
|
+
|
|
175
|
+
### user
|
|
176
|
+
|
|
177
|
+
The string username of a user. Always present. Not required to be unique.
|
|
178
|
+
|
|
179
|
+
# Expect all users whose name ends in adm to have a disabled password via the '*' flag
|
|
180
|
+
describe shadow.where(user: /adm$/) do
|
|
181
|
+
its('password.uniq') { should eq ['*'] }
|
|
146
182
|
end
|
|
147
183
|
|
|
148
|
-
|
|
184
|
+
### password
|
|
185
|
+
|
|
186
|
+
The encrypted password strings, or an account status string. Each string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed. Different operating systems use other flags here (such as `*LK*` to indicate the account is locked).
|
|
187
|
+
|
|
188
|
+
# Find 'locked' accounts and ensure 'nobody' is on the list
|
|
189
|
+
describe shadow.where(password: '*LK*') do
|
|
190
|
+
its('users') { should include 'nobody' }
|
|
191
|
+
end
|
|
192
|
+
|
|
193
|
+
### last_change
|
|
194
|
+
|
|
195
|
+
An integer reflecting the number of days since Jan 1 1970 since the user's password was changed.
|
|
196
|
+
|
|
197
|
+
# Find users who have not changed their password within 90 days
|
|
198
|
+
describe shadow.where { last_change > Date.today - 90 - Date.new(1970,1,1) } do
|
|
199
|
+
its('users') { should be_empty }
|
|
200
|
+
end
|
|
201
|
+
|
|
202
|
+
### min_days
|
|
203
|
+
|
|
204
|
+
An integer reflecting the minimum number of days a user is required to wait before
|
|
205
|
+
changing their password again.
|
|
206
|
+
|
|
207
|
+
# Find users who have a nonzero wait time
|
|
208
|
+
describe shadow.where { min_days > 0 } do
|
|
209
|
+
its('users') { should be_empty }
|
|
210
|
+
end
|
|
211
|
+
|
|
212
|
+
### max_days
|
|
213
|
+
|
|
214
|
+
An integer reflecting the maximum number of days a user may go without changing their password.
|
|
215
|
+
|
|
216
|
+
# All users should have a 30-day policy
|
|
217
|
+
describe shadow.where { max_days != 30 } do
|
|
218
|
+
its('users') { should be_empty }
|
|
219
|
+
end
|
|
220
|
+
|
|
221
|
+
### warn_days
|
|
222
|
+
|
|
223
|
+
An integer reflecting the number of days before a password expiration that a user recieves an alert.
|
|
224
|
+
|
|
225
|
+
# All users should have a 7-day warning policy
|
|
226
|
+
describe shadow.where { warn_days != 7 } do
|
|
227
|
+
its('users') { should be_empty }
|
|
228
|
+
end
|
|
229
|
+
|
|
230
|
+
### inactive_days
|
|
231
|
+
|
|
232
|
+
An integer reflecting the number of days that must pass before a user who has not logged in will be disabled.
|
|
233
|
+
|
|
234
|
+
# Ensure everyone has a stale policy of no more than 14 days.
|
|
235
|
+
describe shadow.where { inactive_days.nil? || inactive_days > 14 } do
|
|
236
|
+
its('users') { should be_empty }
|
|
237
|
+
end
|
|
238
|
+
|
|
239
|
+
### expiry_date
|
|
240
|
+
|
|
241
|
+
An integer reflecting the number of days since Jan 1, 1970 on which the user was disabled. The `expiry_date` criterion is `nil` for enabled users.
|
|
242
|
+
|
|
243
|
+
# Ensure no one is disabled due to a old password
|
|
244
|
+
describe shadow.where { !expiry_date.nil? } do
|
|
245
|
+
its('users') { should be_empty }
|
|
246
|
+
end
|
|
247
|
+
|
|
248
|
+
# Ensure no one is disabled for more than 14 days
|
|
249
|
+
describe shadow.where { !expiry_date.nil? && expiry_date - Date.new(1970,1,1) > 14} do
|
|
250
|
+
its('users') { should be_empty }
|
|
251
|
+
end
|
|
149
252
|
|
|
150
253
|
## Matchers
|
|
151
254
|
|
|
152
|
-
|
|
255
|
+
This resource has no resource-specific matchers.
|
|
256
|
+
|
|
257
|
+
For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
|
|
@@ -1,5 +1,4 @@
|
|
|
1
1
|
# encoding: utf-8
|
|
2
|
-
# author: Christoph Hartmann
|
|
3
2
|
|
|
4
3
|
require 'pathname'
|
|
5
4
|
|
|
@@ -42,8 +41,13 @@ module Init
|
|
|
42
41
|
base_dir = File.join(dir, 'templates', type)
|
|
43
42
|
# prepare glob for all subdirectories and files
|
|
44
43
|
template = File.join(base_dir, '**', '{*,.*}')
|
|
45
|
-
#
|
|
46
|
-
|
|
44
|
+
# Use the name attribute to define the path to the profile.
|
|
45
|
+
profile_path = attributes[:name]
|
|
46
|
+
# Use slashes (\, /) to split up the name into an Array then use the last entry
|
|
47
|
+
# to reset the name of the profile.
|
|
48
|
+
attributes[:name] = attributes[:name].split(%r{\\|\/}).last
|
|
49
|
+
# Generate the full target path on disk
|
|
50
|
+
target = Pathname.new(Dir.pwd).join(profile_path)
|
|
47
51
|
puts "Create new #{type} at #{mark_text(target)}"
|
|
48
52
|
|
|
49
53
|
# check that the directory does not exist
|
data/lib/inspec/base_cli.rb
CHANGED
|
@@ -13,7 +13,7 @@ module Inspec
|
|
|
13
13
|
true
|
|
14
14
|
end
|
|
15
15
|
|
|
16
|
-
def self.target_options
|
|
16
|
+
def self.target_options # rubocop:disable MethodLength
|
|
17
17
|
option :target, aliases: :t, type: :string,
|
|
18
18
|
desc: 'Simple targeting option using URIs, e.g. ssh://user:pass@host:port'
|
|
19
19
|
option :backend, aliases: :b, type: :string,
|
|
@@ -54,6 +54,14 @@ module Inspec
|
|
|
54
54
|
desc: 'Read configuration from JSON file (`-` reads from stdin).'
|
|
55
55
|
option :proxy_command, type: :string,
|
|
56
56
|
desc: 'Specifies the command to use to connect to the server'
|
|
57
|
+
option :bastion_host, type: :string,
|
|
58
|
+
desc: 'Specifies the bastion host if applicable'
|
|
59
|
+
option :bastion_user, type: :string,
|
|
60
|
+
desc: 'Specifies the bastion user if applicable'
|
|
61
|
+
option :bastion_port, type: :string,
|
|
62
|
+
desc: 'Specifies the bastion port if applicable'
|
|
63
|
+
option :insecure, type: :boolean, default: false,
|
|
64
|
+
desc: 'Disable SSL verification on select targets'
|
|
57
65
|
end
|
|
58
66
|
|
|
59
67
|
def self.profile_options
|
|
@@ -65,7 +73,7 @@ module Inspec
|
|
|
65
73
|
target_options
|
|
66
74
|
profile_options
|
|
67
75
|
option :controls, type: :array,
|
|
68
|
-
desc: 'A list of
|
|
76
|
+
desc: 'A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests.'
|
|
69
77
|
option :format, type: :string,
|
|
70
78
|
desc: '[DEPRECATED] Please use --reporter - this will be removed in InSpec 3.0'
|
|
71
79
|
option :reporter, type: :array,
|
data/lib/inspec/metadata.rb
CHANGED
|
@@ -1,7 +1,5 @@
|
|
|
1
1
|
# encoding: utf-8
|
|
2
2
|
# Copyright 2015 Dominik Richter
|
|
3
|
-
# author: Dominik Richter
|
|
4
|
-
# author: Christoph Hartmann
|
|
5
3
|
|
|
6
4
|
require 'logger'
|
|
7
5
|
require 'rubygems/version'
|
|
@@ -78,10 +76,9 @@ module Inspec
|
|
|
78
76
|
errors.push("Missing profile #{field} in #{ref}")
|
|
79
77
|
end
|
|
80
78
|
|
|
81
|
-
if
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
'name in the `inspec.yml` file.')
|
|
79
|
+
if %r{[\/\\]} =~ params[:name]
|
|
80
|
+
errors.push("The profile name (#{params[:name]}) contains a slash" \
|
|
81
|
+
' which is not permitted. Please remove all slashes from `inspec.yml`.')
|
|
85
82
|
end
|
|
86
83
|
|
|
87
84
|
# if version is set, ensure it is correct
|
|
@@ -190,7 +187,7 @@ module Inspec
|
|
|
190
187
|
# unit tests that look for warning sequences
|
|
191
188
|
return if original_target.to_s.empty?
|
|
192
189
|
metadata.params[:title] = "tests from #{original_target}"
|
|
193
|
-
metadata.params[:name] = metadata.params[:title].gsub(%r{[
|
|
190
|
+
metadata.params[:name] = metadata.params[:title].gsub(%r{[\/\\]}, '.')
|
|
194
191
|
end
|
|
195
192
|
|
|
196
193
|
def self.finalize(metadata, profile_id, options, logger = nil)
|
data/lib/inspec/profile.rb
CHANGED
|
@@ -177,9 +177,29 @@ module Inspec
|
|
|
177
177
|
|
|
178
178
|
def filter_controls(controls_array, include_list)
|
|
179
179
|
return controls_array if include_list.nil? || include_list.empty?
|
|
180
|
+
|
|
181
|
+
# Check for anything that might be a regex in the list, and make it official
|
|
182
|
+
include_list.each_with_index do |inclusion, index|
|
|
183
|
+
next if inclusion.is_a?(Regexp)
|
|
184
|
+
# Insist the user wrap the regex in slashes to demarcate it as a regex
|
|
185
|
+
next unless inclusion.start_with?('/') && inclusion.end_with?('/')
|
|
186
|
+
inclusion = inclusion[1..-2] # Trim slashes
|
|
187
|
+
begin
|
|
188
|
+
re = Regexp.new(inclusion)
|
|
189
|
+
include_list[index] = re
|
|
190
|
+
rescue RegexpError => e
|
|
191
|
+
warn "Ignoring unparseable regex '/#{inclusion}/' in --control CLI option: #{e.message}"
|
|
192
|
+
include_list[index] = nil
|
|
193
|
+
end
|
|
194
|
+
end
|
|
195
|
+
include_list.compact!
|
|
196
|
+
|
|
180
197
|
controls_array.select do |c|
|
|
181
198
|
id = ::Inspec::Rule.rule_id(c)
|
|
182
|
-
include_list.
|
|
199
|
+
include_list.any? do |inclusion|
|
|
200
|
+
# Try to see if the inclusion is a regex, and if it matches
|
|
201
|
+
inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
|
|
202
|
+
end
|
|
183
203
|
end
|
|
184
204
|
end
|
|
185
205
|
|
data/lib/inspec/version.rb
CHANGED
|
@@ -82,7 +82,7 @@ module Inspec::Resources
|
|
|
82
82
|
# The regex is terminated by an expression that matches zero or more spaces.
|
|
83
83
|
params = SimpleConfig.new(
|
|
84
84
|
raw_conf,
|
|
85
|
-
assignment_regex: /^\s*(\S+)\s+((?=.*\s+$)
|
|
85
|
+
assignment_regex: /^\s*(\S+)\s+['"]*((?=.*\s+$).*?|.*?)['"]*\s*$/,
|
|
86
86
|
multiple_values: true,
|
|
87
87
|
).params
|
|
88
88
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: inspec
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.
|
|
4
|
+
version: 2.2.34
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dominik Richter
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-07-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: train
|