inspec 0.16.3 → 0.16.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 099f28bc15ad81e92f9379b4ec5c5139bb5d15da
-  data.tar.gz: abc9fc258cc2dcb2aa3f63b07d7f4bb29b12f241
+  metadata.gz: dd9121f0f0fbdd3881f80534bb3fc91cb8256d9a
+  data.tar.gz: d83f04403f4157f117dd9b9ed413217c8554bfc2
 SHA512:
-  metadata.gz: 49c07980edfd876736a100b579e07c4c2ddeb1aaae5fbb101bd3aada2454a65bee2ffcfd38e42d2422914e287e59c355d68aa7d7a5d935b70c5cb92d212ed621
-  data.tar.gz: 1cdbffb6a1b6571e6f42cbc157b10de9b0517daef43552359cb627ad5d6c30aebf33484cf7db03a3b1087ac6c3ef638b5a976d0965c0deb26fc920bfcbbd7056
+  metadata.gz: faa3803af3c3f9d516ccafe00e8abb988ab594e8f2294926333cc8e3d3c4ceaa12dda942fb6edcf4ac7343948bc4ed9f94bfba19909c7c0f53205a0b204e8fef
+  data.tar.gz: a514b070ef2f9d72b631f5289b8d733000faf05fa9ae6538f31183599a72e582fb41c4a14fc819b69f6683db496a8f8995eaf9322e015de7ed621bb475f451ee

data/CHANGELOG.md

@@ -1,10 +1,34 @@
 # Change Log
 
-## [0.16.3](https://github.com/chef/inspec/tree/0.16.3) (2016-03-23)
-[Full Changelog](https://github.com/chef/inspec/compare/v0.16.2...0.16.3)
+## [0.16.4](https://github.com/chef/inspec/tree/0.16.4) (2016-03-25)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.16.3...0.16.4)
+
+**Implemented enhancements:**
+
+- support --controls for inspec json [\#589](https://github.com/chef/inspec/pull/589) ([arlimus](https://github.com/arlimus))
+- dont fail with stacktrace on connection errors [\#588](https://github.com/chef/inspec/pull/588) ([arlimus](https://github.com/arlimus))
+
+**Fixed bugs:**
+
+- Escape whitespace for compliance upload [\#486](https://github.com/chef/inspec/issues/486)
+- inspec-compliance: url\_encode profile names [\#574](https://github.com/chef/inspec/pull/574) ([srenatus](https://github.com/srenatus))
+
+**Closed issues:**
+
+- --controls flag should be supported in all inspec commands [\#568](https://github.com/chef/inspec/issues/568)
+
+**Merged pull requests:**
+
+- Improvements to gordon example and docs [\#583](https://github.com/chef/inspec/pull/583) ([alexpop](https://github.com/alexpop))
+- bugfix: fix rare inspec shell missing all resources [\#582](https://github.com/chef/inspec/pull/582) ([alexpop](https://github.com/alexpop))
+- document tags and refs [\#561](https://github.com/chef/inspec/pull/561) ([chris-rock](https://github.com/chris-rock))
+
+## [v0.16.3](https://github.com/chef/inspec/tree/v0.16.3) (2016-03-23)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.16.2...v0.16.3)
 
 **Fixed bugs:**
 
+- 0.16.3 [\#575](https://github.com/chef/inspec/pull/575) ([srenatus](https://github.com/srenatus))
 - inspec-compliance: fix upload of profiles [\#573](https://github.com/chef/inspec/pull/573) ([srenatus](https://github.com/srenatus))
 
 **Closed issues:**

data/docs/dsl_inspec.rst

@@ -30,16 +30,23 @@ In various use cases like implementing IT compliance across different department
        Always specify which port the SSH server should listen to.
        Prevent unexpected settings.
      '
+     tag 'ssh','sshd','openssh-server'
+     tag cce: 'CCE-27072-8'
+     ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
+
      describe sshd_config do
        its('Port') { should eq('22') }
      end
    end
 
+
 where
 
 * ``'sshd-8'`` is the name of the control
 * ``impact``, ``title``, and ``desc`` define metadata that fully describes the importance of the control, its purpose, with a succinct and complete description
 * ``impact`` is an float that measures the importance of the compliance results and must be a value between ``0.0`` and ``1.0``.
+* ``tag`` is optional meta-information with with key or key-value pairs
+* ``ref`` is a reference to an external document
 * ``describe`` is a block that contains at least one test. A ``control`` block must contain at least one ``describe`` block, but may contain as many as required
 * ``sshd_config`` is an |inspec| resource. For the full list of InSpec resources, see |inspec| resource documentation
 * ``its('Port')`` is the matcher; ``{ should eq('22') }`` is the test. A ``describe`` block must contain at least one matcher, but may contain as many as required
@@ -185,6 +192,42 @@ The following test shows how to audit machines to ensure Safe DLL Seach Mode is
     end
   end
 
+
+
+Additional metadata for controls
+-----------------------------------------------------
+
+The following example illustrates various ways to add tags and references to `control`
+
+.. code-block:: ruby
+
+  control 'ssh-1' do
+      impact 1.0
+
+      title 'Allow only SSH Protocol 2'
+      desc 'Only SSH protocol version 2 connections should be permitted.
+            The default setting in /etc/ssh/sshd_config is correct, and can be
+            verified by ensuring that the following line appears: Protocol 2'
+
+      tag 'production','development'
+      tag 'ssh','sshd','openssh-server'
+
+      tag cce: 'CCE-27072-8'
+      tag disa: 'RHEL-06-000227'
+
+      tag remediation: 'stig_rhel6/recipes/sshd-config.rb'
+      tag remediation: 'https://supermarket.chef.io/cookbooks/ssh-hardening'
+
+      ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
+      ref 'http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/ssg-centos6-guide-C2S.html'
+
+      describe ssh_config do
+          its ('Protocol') { should eq '2'}
+      end
+   end`
+
+
+
 .. |inspec| replace:: InSpec
 .. |inspec resource| replace:: InSpec Resource
 .. |chef compliance| replace:: Chef Compliance

data/examples/inheritance/controls/example.rb

@@ -1,5 +1,5 @@
 # encoding: utf-8
-# copyright: 2015, Chef Software, Inc.
+# copyright: 2016, Chef Software, Inc.
 # license: All rights reserved
 
 include_controls 'profile' do

data/examples/inheritance/inspec.yml

@@ -7,4 +7,4 @@ license: Apache 2 license
 summary: Demonstrates the use of InSpec profile inheritance
 version: 1.0.0
 supports:
-  - os-family: linux
+  - os-family: unix

data/examples/profile/README.md

@@ -8,23 +8,41 @@ InSpec ships with built-in features to verify a profile structure.
 
 ```bash
 $ inspec check examples/profile
-I, [2015-11-21T12:44:50.851137 #20661]  INFO -- : Checking profile in examples/profile
-I, [2015-11-21T12:44:50.851216 #20661]  INFO -- : Metadata OK.
-D, [2015-11-21T12:44:50.851239 #20661] DEBUG -- : Found 2 rules.
-D, [2015-11-21T12:44:50.851251 #20661] DEBUG -- : Verify all rules in  examples/profile/controls/example_spec.rb
-D, [2015-11-21T12:44:50.851263 #20661] DEBUG -- : Verify all rules in  examples/profile/controls/gordon_spec.rb
-I, [2015-11-21T12:44:50.851317 #20661]  INFO -- : Rule definitions OK.
+Summary
+-------
+Location: examples/profile
+Profile: profile
+Controls: 3
+Timestamp: 2016-03-24T16:20:21+00:00
+Valid: true
+
+Errors
+------
+
+Warnings
+--------
 ```
 
 ## Execute a profile
 
-To run a profile on a local machine use `inspec exec /path/to/profile`.
+To run all **supported** controls on a local machine use `inspec exec /path/to/profile`.
 
 ```bash
 $ inspec exec examples/profile
 ..
 
 Finished in 0.0025 seconds (files took 0.12449 seconds to load)
-2 examples, 0 failures
+4 examples, 0 failures
+```
+
+## Execute a specific control from a profile
+
+To run one control from the profile use `inspec exec /path/to/profile --controls name`.
 
+```bash
+$ inspec exec examples/profile --controls tmp-1.0
+.
+
+Finished in 0.0025 seconds (files took 0.12449 seconds to load)
+1 examples, 0 failures
 ```

data/examples/profile/controls/gordon.rb

@@ -1,12 +1,13 @@
 # encoding: utf-8
-# copyright: 2015, Chef Software, Inc.
+# copyright: 2016, Chef Software, Inc.
 # license: All rights reserved
 
 title 'Gordon Config Checks'
 
 # To pass the test, create the following file
 # ```bash
-# cat <<EOF > /etc/gordon/config.yaml
+# mkdir -p /tmp/gordon
+# cat <<EOF > /tmp/gordon/config.yaml
 # version: '1.0'
 # EOF
 # ```
@@ -16,5 +17,6 @@ control 'gordon-1.0' do
   desc 'An optional description...'
   describe gordon_config do
     its('version') { should eq('1.0') }
+    its('size') { should <= 20 }
   end
 end

data/examples/profile/controls/meta.rb

@@ -0,0 +1,34 @@
+title 'SSH Server Configuration'
+
+control 'ssh-1' do
+  impact 1.0
+
+  title 'Allow only SSH Protocol 2'
+  desc 'Only SSH protocol version 2 connections should be permitted.
+        The default setting in /etc/ssh/sshd_config is correct, and can be
+        verified by ensuring that the following line appears: Protocol 2'
+
+  tag 'production','development'
+  tag 'ssh','sshd','openssh-server'
+
+  tag cce: 'CCE-27072-8'
+  tag disa: 'RHEL-06-000227'
+
+  tag nist: 'AC-3(10).i'
+  tag nist: 'IA-5(1)'
+
+  tag cci: 'CCI-000776'
+  tag cci: 'CCI-000774'
+  tag cci: 'CCI-001436'
+
+  tag remediation: 'stig_rhel6/recipes/sshd-config.rb'
+  tag remediation: 'https://supermarket.chef.io/cookbooks/ssh-hardening'
+
+  ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
+  ref 'DISA-RHEL6-SG - Section 9.2.1', url: 'http://iasecontent.disa.mil/stigs/zip/Jan2016/U_RedHat_6_V1R10_STIG.zip'
+  ref 'http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/ssg-centos6-guide-C2S.html'
+
+  describe file('/bin/sh') do
+    it { should be_owned_by 'root' }
+  end
+end

data/examples/profile/inspec.yml

@@ -7,4 +7,4 @@ license: Apache 2 license
 summary: Demonstrates the use of InSpec Compliance Profile
 version: 1.0.0
 supports:
-  - os-family: linux
+  - os-family: unix

data/examples/profile/libraries/gordon_config.rb

@@ -1,16 +1,42 @@
 require 'yaml'
 
+# Custom resource based on the InSpec resource DSL
 class GordonConfig < Inspec.resource(1)
   name 'gordon_config'
 
+  desc "
+    Gordon's resource description ...
+  "
+
+  example "
+    describe gordon_config do
+      its('version') { should eq('1.0') }
+      its('size') { should > 1 }
+    end
+  "
+
+  # Load the configuration file on initialization
   def initialize
-    @path = '/etc/gordon/config.yaml'
+    @path = '/tmp/gordon/config.yaml'
     @file = inspec.file(@path)
     return skip_resource "Can't find file \"#{@path}\"" if !@file.file?
 
-    @params = YAML.load(@file.content)
+    # Protect from invalid YAML content
+    begin
+      @params = YAML.load(@file.content)
+    rescue Exception
+      return skip_resource "#{@file}: #{$!}"
+    end
+    add_some_extra_params
+  end
+
+  # Extra Ruby helper method
+  def add_some_extra_params
+    @params['size'] = @file.size
+    @params['md5sum'] = @file.md5sum
   end
 
+  # Expose all parameters
   def method_missing(name)
     @params[name.to_s]
   end

data/lib/bundles/inspec-compliance/cli.rb

@@ -3,6 +3,7 @@
 # author: Dominik Richter
 
 require 'thor'
+require 'erb'
 
 module Compliance
   class ComplianceCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
@@ -106,9 +107,10 @@ module Compliance
       end
 
       puts "Start upload to #{owner}/#{profile_name}"
+      pname = ERB::Util.url_encode(profile_name)
 
       # upload the tar to Chef Compliance
-      url = "#{config['server']}/owners/#{owner}/compliance/#{profile_name}/tar"
+      url = "#{config['server']}/owners/#{owner}/compliance/#{pname}/tar"
 
       puts "Uploading to #{url}"
       success, msg = Compliance::API.post_file(url, config['token'], '', archive_path, config['insecure'])

data/lib/inspec/backend.rb

@@ -37,6 +37,11 @@ module Inspec
       end
 
       cls.new
+
+    rescue Train::ClientError => e
+      raise "Client error, can't connect to '#{name}' backend: #{e.message}"
+    rescue Train::TransportError => e
+      raise "Transport error, can't connect to '#{name}' backend: #{e.message}"
     end
   end
 end

data/lib/inspec/cli.rb

@@ -19,6 +19,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI # rubocop:disable Metrics/ClassLength
     desc: 'Attach a profile ID to all test results'
   option :output, aliases: :o, type: :string,
     desc: 'Save the created profile to a path'
+  option :controls, type: :array,
+    desc: 'A list of controls to include. Ignore all other tests.'
   profile_options
   def json(target)
     diagnose

data/lib/inspec/profile_context.rb

@@ -33,6 +33,8 @@ module Inspec
       @current_load = { file: source }
       if content.is_a? Proc
         @profile_context.instance_eval(&content)
+      elsif source.nil? && line.nil?
+        @profile_context.instance_eval(content)
       else
         @profile_context.instance_eval(content, source || 'unknown', line || 1)
       end

data/lib/inspec/runner.rb

@@ -101,7 +101,7 @@ module Inspec
     def add_test_to_context(test, ctx)
       content = test[:content]
       return if content.nil? || content.empty?
-      ctx.load(content, test[:ref], test[:line] || 1)
+      ctx.load(content, test[:ref], test[:line])
     end
 
     def filter_controls(controls_map, include_list)

data/lib/inspec/shell.rb

@@ -15,7 +15,7 @@ module Inspec
 
     def start
       # store context to run commands in this context
-      c = { content: 'binding.pry', ref: __FILE__, line: __LINE__ }
+      c = { content: 'binding.pry', ref: nil, line: nil }
       @runner.add_content(c, [])
       @runner.run
     end

data/lib/inspec/version.rb

@@ -3,5 +3,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '0.16.3'.freeze
+  VERSION = '0.16.4'.freeze
 end

data/test/functional/helper.rb

@@ -0,0 +1,36 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'helper'
+
+require 'minitest/hell'
+class Minitest::Test
+  parallelize_me!
+end
+
+class Module
+  include Minitest::Spec::DSL
+end
+
+module FunctionalHelper
+  let(:repo_path) { File.expand_path(File.join( __FILE__, '..', '..', '..')) }
+  let(:exec_inspec) { File.join(repo_path, 'bin', 'inspec') }
+  let(:profile_path) { File.join(repo_path, 'test', 'unit', 'mock', 'profiles') }
+  let(:examples_path) { File.join(repo_path, 'examples') }
+
+  let(:example_profile) { File.join(examples_path, 'profile') }
+  let(:inheritance_profile) { File.join(examples_path, 'profile') }
+
+  let(:dst) {
+    # create a temporary path, but we only want an auto-clean helper
+    # so remove the file and give back the path
+    res = Tempfile.new('inspec-shred')
+    FileUtils.rm(res.path)
+    TMP_CACHE[res.path] = res
+  }
+
+  def inspec(commandline)
+    CMD.run_command("#{exec_inspec} #{commandline}")
+  end
+end

data/test/functional/inheritance_test.rb

@@ -0,0 +1,49 @@
+# encoding: utf-8
+# author: Dominik Richter
+# author: Christoph Hartmann
+
+require 'functional/helper'
+
+describe 'example inheritance profile' do
+  include FunctionalHelper
+  let(:path) { File.join(examples_path, 'inheritance') }
+
+  [
+    'archive %s --overwrite',
+    'check %s',
+    'json %s',
+  ].each do |cmd|
+    it cmd[/^\w/] + ' fails without --profiles-path' do
+      out = inspec(format(cmd, path))
+      out.stderr.must_include 'You must supply a --profiles-path to inherit'
+      # out.stdout.must_equal '' => we still get partial output
+      out.exit_status.must_equal 1
+    end
+  end
+
+  it 'check succeeds with --profiles-path' do
+    out = inspec('check ' + path + ' --profiles-path ' + examples_path)
+    out.stderr.must_equal ''
+    out.stdout.must_match /Valid.*true/
+    out.exit_status.must_equal 0
+  end
+
+  it 'archive is successful with --profiles-path' do
+    out = inspec('archive ' + path + ' --output ' + dst.path + ' --profiles-path ' + examples_path)
+    out.stderr.must_equal ''
+    out.stdout.must_include 'Generate archive '+dst.path
+    out.stdout.must_include 'Finished archive generation.'
+    out.exit_status.must_equal 0
+    File.exist?(dst.path).must_equal true
+  end
+
+  it 'read the profile json with --profiles-path' do
+    out = inspec('json ' + path + ' --profiles-path '+examples_path)
+    out.stderr.must_equal ''
+    out.exit_status.must_equal 0
+    s = out.stdout
+    hm = JSON.load(s)
+    hm['name'].must_equal 'inheritance'
+    hm['rules'].length.must_equal 1 # TODO: flatten out or search deeper!
+  end
+end