inspec 3.7.1 → 3.7.11

data/lib/plugins/inspec-init/templates/profiles/azure/README.md

@@ -0,0 +1,56 @@
+# Example InSpec Profile For Azure
+
+This example shows the implementation of an InSpec profile for Azure. See [https://github.com/inspec/inspec-azure](https://github.com/inspec/inspec-azure) for details on how to configure credentials for your subscription.
+
+##  Create a profile 
+
+```
+$ inspec init profile --platform azure my-profile
+
+ ─────────────────────────── InSpec Code Generator ───────────────────────────
+
+Creating new profile at /Users/spaterson/my-profile
+ • Creating directory libraries
+ • Creating file README.md
+ • Creating directory controls
+ • Creating file controls/example.rb
+ • Creating file inspec.yml
+ • Creating file libraries/.gitkeep
+ 
+```
+
+## Run the tests
+
+```
+$ cd  my-profile/
+$ inspec exec . -t azure://
+
+
+Profile: Azure InSpec Profile (my-profile)
+Version: 0.1.0
+Target:  azure://12345abc-987d-654e-fg21-abcdef23324r
+
+  ×  azure-virtual-machines-exist-check: Check resource groups to see if any VMs exist. (4 failed)
+     ×  Azure Virtual Machines should exist
+     expected Azure Virtual Machines to exist
+     ×  Azure Virtual Machines should exist
+     expected Azure Virtual Machines to exist
+     ×  Azure Virtual Machines should exist
+     expected Azure Virtual Machines to exist
+     ×  Azure Virtual Machines should exist
+     expected Azure Virtual Machines to exist
+     ✔  Azure Virtual Machines should exist
+     ✔  Azure Virtual Machines should exist
+     ✔  Azure Virtual Machines should exist
+
+
+Profile: Azure Resource Pack (inspec-azure)
+Version: 1.2.0
+Target:  azure://12345abc-987d-654e-fg21-abcdef23324r
+
+     No tests executed.
+
+Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
+Test Summary: 3 successful, 4 failures, 0 skipped
+
+```

data/lib/plugins/inspec-init/templates/profiles/azure/controls/example.rb

@@ -0,0 +1,15 @@
+# encoding: utf-8
+# copyright: 2018, The Authors
+
+title 'Sample Section'
+
+# you add controls here
+control 'azure-virtual-machines-exist-check' do                                # A unique ID for this control.
+  impact 1.0                                                                   # The criticality, if this control fails.
+  title 'Check resource groups to see if any VMs exist.'                       # A human-readable title
+  azurerm_resource_groups.names.each do |resource_group_name|                  # Plural resources can be leveraged to loop across many resources
+    describe azurerm_virtual_machines(resource_group: resource_group_name) do
+       it { should exist }                                                     # The test itself.
+    end
+  end
+end

data/lib/plugins/inspec-init/templates/profiles/azure/inspec.yml

@@ -0,0 +1,14 @@
+name: <%= name %>
+title: Azure InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile For Azure
+version: 0.1.0
+inspec_version: '>= 2.2.7'
+depends:
+- name: inspec-azure
+  url: https://github.com/inspec/inspec-azure/archive/master.tar.gz
+supports:
+- platform: azure

data/lib/plugins/inspec-init/test/functional/inspec_init_profile_test.rb

@@ -74,6 +74,18 @@ class InitCli < MiniTest::Test
     end
   end
 
+  def test_generating_inspec_profile_azure
+    Dir.mktmpdir do |dir|
+      profile = File.join(dir, 'test-azure-profile')
+      out = run_inspec_process("init profile --platform azure test-azure-profile", prefix: "cd #{dir} &&")
+      assert_equal 0, out.exit_status
+      assert_includes out.stdout, 'Creating new profile at'
+      assert_includes out.stdout, profile
+      assert_includes Dir.entries(profile).join, 'inspec.yml'
+      assert_includes Dir.entries(profile).join, 'README.md'
+    end
+  end
+
   def test_generating_inspec_profile_os
     Dir.mktmpdir do |dir|
       profile = File.join(dir, 'test-os-profile')

data/lib/resources/aide_conf.rb

@@ -9,7 +9,7 @@ module Inspec::Resources
     supports platform: 'unix'
     desc 'Use the aide_conf InSpec audit resource to test the rules established for
       the file integrity tool AIDE. Controlled by the aide.conf file typically at /etc/aide.conf.'
-    example "
+    example <<~EXAMPLE
       describe aide_conf do
         its('selection_lines') { should include '/sbin' }
       end
@@ -21,7 +21,7 @@ module Inspec::Resources
       describe aide_conf.all_have_rule('sha512') do
         it { should eq true }
       end
-    "
+    EXAMPLE
 
     attr_reader :params
 

data/lib/resources/apache.rb

@@ -6,7 +6,7 @@ module Inspec::Resources
     name 'apache'
     supports platform: 'unix'
     desc 'Use the apache InSpec audit resource to retrieve Apache environment settings.'
-    example "
+    example <<~EXAMPLE
       describe apache do
         its ('service') { should cmp 'apache2' }
       end
@@ -22,7 +22,7 @@ module Inspec::Resources
       describe apache do
         its ('user') { should cmp 'www-data' }
       end
-    "
+    EXAMPLE
 
     attr_reader :service, :conf_dir, :conf_path, :user
     def initialize

data/lib/resources/apache_conf.rb

@@ -11,11 +11,11 @@ module Inspec::Resources
     supports platform: 'linux'
     supports platform: 'debian'
     desc 'Use the apache_conf InSpec audit resource to test the configuration settings for Apache. This file is typically located under /etc/apache2 on the Debian and Ubuntu platforms and under /etc/httpd on the Fedora, CentOS, Red Hat Enterprise Linux, and Arch Linux platforms. The configuration settings may vary significantly from platform to platform.'
-    example "
+    example <<~EXAMPLE
       describe apache_conf do
         its('setting_name') { should eq 'value' }
       end
-    "
+    EXAMPLE
 
     include FindFiles
     include FileReader

data/lib/resources/apt.rb

@@ -31,12 +31,12 @@ module Inspec::Resources
     name 'apt'
     supports platform: 'unix'
     desc 'Use the apt InSpec audit resource to verify Apt repositories on the Debian and Ubuntu platforms, and also PPA repositories on the Ubuntu platform.'
-    example "
+    example <<~EXAMPLE
       describe apt('nginx/stable') do
         it { should exist }
         it { should be_enabled }
       end
-    "
+    EXAMPLE
 
     def initialize(ppa_name)
       @deb_url = nil

data/lib/resources/audit_policy.rb

@@ -26,11 +26,11 @@ module Inspec::Resources
     name 'audit_policy'
     supports platform: 'windows'
     desc 'Use the audit_policy InSpec audit resource to test auditing policies on the Microsoft Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each enabled auditing category property, the auditing level may be set to No Auditing, Not Specified, Success, Success and Failure, or Failure.'
-    example "
+    example <<~EXAMPLE
       describe audit_policy do
         its('parameter') { should eq 'value' }
       end
-    "
+    EXAMPLE
 
     def method_missing(method)
       key = method.to_s

data/lib/resources/auditd.rb

@@ -14,7 +14,7 @@ module Inspec::Resources
     name 'auditd'
     supports platform: 'unix'
     desc 'Use the auditd InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files. These rules are output using the auditcl -l command.'
-    example "
+    example <<~EXAMPLE
       describe auditd.syscall('chown').where {arch == 'b32'} do
         its('action') { should eq ['always'] }
         its('list') { should eq ['exit'] }
@@ -27,7 +27,7 @@ module Inspec::Resources
       describe auditd do
         its('lines') { should include %r(-w /etc/ssh/sshd_config) }
       end
-    "
+    EXAMPLE
 
     def initialize
       unless inspec.command('/sbin/auditctl').exist?

data/lib/resources/auditd_conf.rb

@@ -9,11 +9,11 @@ module Inspec::Resources
     name 'auditd_conf'
     supports platform: 'unix'
     desc "Use the auditd_conf InSpec audit resource to test the configuration settings for the audit daemon. This file is typically located under /etc/audit/auditd.conf' on UNIX and Linux platforms."
-    example "
+    example <<~EXAMPLE
       describe auditd_conf do
         its('space_left_action') { should eq 'email' }
       end
-    "
+    EXAMPLE
 
     include FileReader
 

data/lib/resources/aws/aws_billing_report.rb

@@ -2,7 +2,7 @@ class AwsBillingReport < Inspec.resource(1)
   name 'aws_billing_report'
   supports platform: 'aws'
   desc 'Verifies settings for AWS Cost and Billing Reports.'
-  example "
+  example <<~EXAMPLE
     describe aws_billing_report('inspec1') do
       its('report_name') { should cmp 'inspec1' }
       its('time_unit') { should cmp 'hourly' }
@@ -10,7 +10,8 @@ class AwsBillingReport < Inspec.resource(1)
 
     describe aws_billing_report(report: 'inspec1') do
       it { should exist }
-    end"
+    end
+  EXAMPLE
 
   include AwsSingularResourceMixin
 

data/lib/resources/aws/aws_billing_reports.rb

@@ -4,17 +4,18 @@ class AwsBillingReports < Inspec.resource(1)
   name 'aws_billing_reports'
   supports platform: 'aws'
   desc 'Verifies settings for AWS Cost and Billing Reports.'
-  example "
-      describe aws_billing_reports do
-        its('report_names') { should include 'inspec1' }
-        its('s3_buckets') { should include 'inspec1-s3-bucket' }
-      end
+  example <<~EXAMPLE
+    describe aws_billing_reports do
+      its('report_names') { should include 'inspec1' }
+      its('s3_buckets') { should include 'inspec1-s3-bucket' }
+    end
 
-     describe aws_billing_reports.where { report_name =~ /inspec.*/ } do
-       its ('report_names') { should include ['inspec1'] }
-       its ('time_units') { should include ['DAILY'] }
-       its ('s3_buckets') { should include ['inspec1-s3-bucket'] }
-     end"
+    describe aws_billing_reports.where { report_name =~ /inspec.*/ } do
+      its ('report_names') { should include ['inspec1'] }
+      its ('time_units') { should include ['DAILY'] }
+      its ('s3_buckets') { should include ['inspec1-s3-bucket'] }
+    end
+  EXAMPLE
 
   include AwsPluralResourceMixin
 

data/lib/resources/aws/aws_cloudtrail_trail.rb

@@ -1,11 +1,11 @@
 class AwsCloudTrailTrail < Inspec.resource(1)
   name 'aws_cloudtrail_trail'
   desc 'Verifies settings for an individual AWS CloudTrail Trail'
-  example "
+  example <<~EXAMPLE
     describe aws_cloudtrail_trail('trail-name') do
       it { should exist }
     end
-  "
+  EXAMPLE
 
   supports platform: 'aws'
 

data/lib/resources/aws/aws_cloudtrail_trails.rb

@@ -1,11 +1,11 @@
 class AwsCloudTrailTrails < Inspec.resource(1)
   name 'aws_cloudtrail_trails'
   desc 'Verifies settings for AWS CloudTrail Trails in bulk'
-  example '
+  example <<~EXAMPLE
     describe aws_cloudtrail_trails do
       it { should exist }
     end
-  '
+  EXAMPLE
   supports platform: 'aws'
 
   include AwsPluralResourceMixin

data/lib/resources/aws/aws_cloudwatch_alarm.rb

@@ -1,14 +1,14 @@
 class AwsCloudwatchAlarm < Inspec.resource(1)
   name 'aws_cloudwatch_alarm'
-  desc <<-EOD
-  # Look for a specific alarm
-  aws_cloudwatch_alarm(
-    metric_name: 'my-metric-name',
-    metric_namespace: 'my-metric-namespace',
-  ) do
-    it { should exist }
-  end
-  EOD
+  desc <<~EXAMPLE
+    # Look for a specific alarm
+    aws_cloudwatch_alarm(
+      metric_name: 'my-metric-name',
+      metric_namespace: 'my-metric-namespace',
+    ) do
+      it { should exist }
+    end
+  EXAMPLE
   supports platform: 'aws'
 
   include AwsSingularResourceMixin

data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb

@@ -1,25 +1,25 @@
 class AwsCloudwatchLogMetricFilter < Inspec.resource(1)
   name 'aws_cloudwatch_log_metric_filter'
   desc 'Verifies individual Cloudwatch Log Metric Filters'
-  example <<-EOX
-  # Look for a LMF by its filter name and log group name.  This combination
-  # will always either find at most one LMF - no duplicates.
-  describe aws_cloudwatch_log_metric_filter(
-    filter_name: 'my-filter',
-    log_group_name: 'my-log-group'
-  ) do
-    it { should exist }
-  end
+  example <<~EXAMPLE
+    # Look for a LMF by its filter name and log group name.  This combination
+    # will always either find at most one LMF - no duplicates.
+    describe aws_cloudwatch_log_metric_filter(
+      filter_name: 'my-filter',
+      log_group_name: 'my-log-group'
+    ) do
+      it { should exist }
+    end
 
-  # Search for an LMF by pattern and log group.
-  # This could result in an error if the results are not unique.
-  describe aws_cloudwatch_log_metric_filter(
-    log_group_name:  'my-log-group',
-    pattern: 'my-filter'
-  ) do
-    it { should exist }
-  end
-EOX
+    # Search for an LMF by pattern and log group.
+    # This could result in an error if the results are not unique.
+    describe aws_cloudwatch_log_metric_filter(
+      log_group_name:  'my-log-group',
+      pattern: 'my-filter'
+    ) do
+      it { should exist }
+    end
+  EXAMPLE
   supports platform: 'aws'
   include AwsSingularResourceMixin
   attr_reader :filter_name, :log_group_name, :metric_name, :metric_namespace, :pattern

data/lib/resources/aws/aws_config_delivery_channel.rb

@@ -1,13 +1,13 @@
 class AwsConfigDeliveryChannel < Inspec.resource(1)
   name 'aws_config_delivery_channel'
   desc 'Verifies settings for AWS Config Delivery Channel'
-  example "
+  example <<~EXAMPLE
     describe aws_config_delivery_channel do
       it { should exist }
       its('s3_bucket_name') { should eq 'my_bucket' }
       its('sns_topic_arn') { should eq arn:aws:sns:us-east-1:721741954427:sns_topic' }
     end
-  "
+  EXAMPLE
   supports platform: 'aws'
 
   include AwsSingularResourceMixin

data/lib/resources/aws/aws_config_recorder.rb

@@ -1,14 +1,14 @@
 class AwsConfigurationRecorder < Inspec.resource(1)
   name 'aws_config_recorder'
   desc 'Verifies settings for AWS Configuration Recorder'
-  example "
+  example <<~EXAMPLE
     describe aws_config_recorder('My_Recorder') do
       it { should exist }
       it { should be_recording }
       it { should be_all_supported }
       it { should have_include_global_resource_types }
     end
-  "
+  EXAMPLE
   supports platform: 'aws'
 
   include AwsSingularResourceMixin

data/lib/resources/aws/aws_ebs_volume.rb

@@ -2,7 +2,7 @@ class AwsEbsVolume < Inspec.resource(1)
   name 'aws_ebs_volume'
   desc 'Verifies settings for an EBS volume'
 
-  example <<-EOX
+  example <<~EXAMPLE
     describe aws_ebs_volume('vol-123456') do
       it { should be_encrypted }
       its('size') { should cmp 8 }
@@ -12,7 +12,7 @@ class AwsEbsVolume < Inspec.resource(1)
       its('encrypted') { should eq true }
       its('iops') { should cmp 100 }
     end
-EOX
+  EXAMPLE
   supports platform: 'aws'
 
   # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin

data/lib/resources/aws/aws_ebs_volumes.rb

@@ -1,11 +1,11 @@
 class AwsEbsVolumes < Inspec.resource(1)
   name 'aws_ebs_volumes'
   desc 'Verifies settings for AWS EBS Volumes in bulk'
-  example '
+  example <<~EXAMPLE
     describe aws_ebs_volumes do
       it { should exist }
     end
-  '
+  EXAMPLE
   supports platform: 'aws'
 
   include AwsPluralResourceMixin

data/lib/resources/aws/aws_ec2_instance.rb

@@ -3,7 +3,7 @@ class AwsEc2Instance < Inspec.resource(1)
   name 'aws_ec2_instance'
   desc 'Verifies settings for an EC2 instance'
 
-  example <<-EOX
+  example <<~EXAMPLE
     describe aws_ec2_instance('i-123456') do
       it { should be_running }
       it { should have_roles }
@@ -13,7 +13,7 @@ class AwsEc2Instance < Inspec.resource(1)
       it { should be_running }
       it { should have_roles }
     end
-EOX
+  EXAMPLE
   supports platform: 'aws'
 
   # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin