inspec 0.35.0 → 1.0.0.beta2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 861e8a137418a30cb36c3e9d51a32bb9e2e2ae2d
-  data.tar.gz: eeafd3a870d05e4f2ae67b3e299382eb6462d8b8
+  metadata.gz: 714356a44147a3ea6f876aa73a6e51e1abac60b3
+  data.tar.gz: 83e1f5f89edea538de7027ab4d0e07e161f0ee5d
 SHA512:
-  metadata.gz: 5f728850451314b6e5239013cf3bedabb5244b5e752c9b637d8655ea519310ed595c6e999aac09fb81d286c307a9ef0ef16cbbaf3ef11d9dbd2073d9bf5f8ca7
-  data.tar.gz: 5f0b35587277223728798d5de80c4bf8621558ec1af73fca28f23d7be08b39024f5ec90e06167baf7f5aef9df80d47b2b30745162224d0567bb475d7e332c19f
+  metadata.gz: ebf142830517de967349b6fb1fea90f2b7d7beca3f7630903dd2d92259b78c9a28576f431091b929d96bd26ce89a66dd6ee8d02b25649232453966f2fd197665
+  data.tar.gz: d9bca14a669035a4729a6de6b2ca6b1d4498498080915a94084190b3c40a7bf75124a75fec60b15e3257ac46f6d5f03ae2ce1734bebb1aed06c86eca42e3c0b3

data/CHANGELOG.md

@@ -1,7 +1,88 @@
 # Change Log
 
-## [0.35.0](https://github.com/chef/inspec/tree/0.35.0) (2016-09-16)
-[Full Changelog](https://github.com/chef/inspec/compare/v0.34.1...0.35.0)
+## [1.0.0.beta2](https://github.com/chef/inspec/tree/1.0.0.beta2) (2016-09-22)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.0.0.pre.beta1...1.0.0.beta2)
+
+**Implemented enhancements:**
+
+- kernel\_parameter does not show fully info when test fails [\#1093](https://github.com/chef/inspec/issues/1093)
+- InSpec html demo [\#851](https://github.com/chef/inspec/issues/851)
+- Counting and status of controls without tests [\#849](https://github.com/chef/inspec/issues/849)
+- supports does not mark resources as skipped [\#354](https://github.com/chef/inspec/issues/354)
+- `include Inspec::DSL` anywhere [\#271](https://github.com/chef/inspec/issues/271)
+- Suse Support [\#113](https://github.com/chef/inspec/issues/113)
+- Update the username and password login method [\#1095](https://github.com/chef/inspec/pull/1095) ([alexpop](https://github.com/alexpop))
+
+**Fixed bugs:**
+
+- InSpec in Workflow [\#1115](https://github.com/chef/inspec/issues/1115)
+- uninstalled package shows as installed [\#1092](https://github.com/chef/inspec/issues/1092)
+- undefined method `send\_request' for Compliance::API:Class [\#1088](https://github.com/chef/inspec/issues/1088)
+- safari inspec online demo bug! [\#1086](https://github.com/chef/inspec/issues/1086)
+- \[package\] Regression on Windows 2008R2 [\#998](https://github.com/chef/inspec/issues/998)
+- \[script\] Is there a limit on the number of char's within a script block [\#539](https://github.com/chef/inspec/issues/539)
+- Use parenthesis when passing regular expressions [\#1106](https://github.com/chef/inspec/pull/1106) ([alexpop](https://github.com/alexpop))
+- Include code description in the output of failed controls [\#1096](https://github.com/chef/inspec/pull/1096) ([alexpop](https://github.com/alexpop))
+- Update the username and password login method [\#1095](https://github.com/chef/inspec/pull/1095) ([alexpop](https://github.com/alexpop))
+
+**Closed issues:**
+
+- Package Resource isn't searching 64-bit Registry Hives [\#1100](https://github.com/chef/inspec/issues/1100)
+- demo improvements [\#1089](https://github.com/chef/inspec/issues/1089)
+- Dependencies: All resources are scoped [\#1058](https://github.com/chef/inspec/issues/1058)
+- Improve InSpec tutorial [\#1045](https://github.com/chef/inspec/issues/1045)
+- 1.10.2 has an extra space in pip package output [\#1043](https://github.com/chef/inspec/issues/1043)
+- Follow up to 1013: find\_files\(\) errors still occurring for apache\_conf resource after 0.33.0 upgrade [\#1030](https://github.com/chef/inspec/issues/1030)
+- MVP in-browser inspec demo [\#957](https://github.com/chef/inspec/issues/957)
+- Failing tests in inherited tests are not displayed [\#899](https://github.com/chef/inspec/issues/899)
+
+**Merged pull requests:**
+
+- Use the gem version for the omnibus package version [\#1122](https://github.com/chef/inspec/pull/1122) ([yzl](https://github.com/yzl))
+- Add legal pages [\#1121](https://github.com/chef/inspec/pull/1121) ([magwalk](https://github.com/magwalk))
+- update docs to markdown [\#1120](https://github.com/chef/inspec/pull/1120) ([arlimus](https://github.com/arlimus))
+- add readme to www-build [\#1118](https://github.com/chef/inspec/pull/1118) ([arlimus](https://github.com/arlimus))
+- Always write lockfiles for local top-level profiles  [\#1116](https://github.com/chef/inspec/pull/1116) ([stevendanna](https://github.com/stevendanna))
+- Add `--cache` option to `inspec exec` [\#1113](https://github.com/chef/inspec/pull/1113) ([stevendanna](https://github.com/stevendanna))
+- fix double-space in pip to\_s resource [\#1112](https://github.com/chef/inspec/pull/1112) ([chris-rock](https://github.com/chris-rock))
+- fixes debian package manager and some of the code examples [\#1111](https://github.com/chef/inspec/pull/1111) ([Anirudh-Gupta](https://github.com/Anirudh-Gupta))
+- Add main site footer [\#1110](https://github.com/chef/inspec/pull/1110) ([magwalk](https://github.com/magwalk))
+- Add community and tutorials pages [\#1108](https://github.com/chef/inspec/pull/1108) ([magwalk](https://github.com/magwalk))
+- Add homepage content and styles [\#1107](https://github.com/chef/inspec/pull/1107) ([magwalk](https://github.com/magwalk))
+- Styling setup and main navigation [\#1105](https://github.com/chef/inspec/pull/1105) ([magwalk](https://github.com/magwalk))
+- docs task and rst/md formatter separation [\#1104](https://github.com/chef/inspec/pull/1104) ([arlimus](https://github.com/arlimus))
+- Fail if a remote source content doesn't match lockfile [\#1103](https://github.com/chef/inspec/pull/1103) ([stevendanna](https://github.com/stevendanna))
+- Optimize tutorial [\#1101](https://github.com/chef/inspec/pull/1101) ([chris-rock](https://github.com/chris-rock))
+- Build with master of omnibus [\#1099](https://github.com/chef/inspec/pull/1099) ([yzl](https://github.com/yzl))
+- use Gem::Version instead of a regular expression for a test version bump [\#1098](https://github.com/chef/inspec/pull/1098) ([chris-rock](https://github.com/chris-rock))
+- fix demo instructions [\#1094](https://github.com/chef/inspec/pull/1094) ([vjeffrey](https://github.com/vjeffrey))
+- Allow users to reference resources from dependencies [\#1080](https://github.com/chef/inspec/pull/1080) ([stevendanna](https://github.com/stevendanna))
+- In ApacheConf\#include\_files, check for abs paths [\#1042](https://github.com/chef/inspec/pull/1042) ([davidcpell](https://github.com/davidcpell))
+
+## [v1.0.0.pre.beta1](https://github.com/chef/inspec/tree/v1.0.0.pre.beta1) (2016-09-19)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.35.0...v1.0.0.pre.beta1)
+
+**Implemented enhancements:**
+
+- InSpec output for summary needs to count controls [\#852](https://github.com/chef/inspec/issues/852)
+- ssl resource to use inspec.backend.hostname and require train 0.19.1 [\#1084](https://github.com/chef/inspec/pull/1084) ([alexpop](https://github.com/alexpop))
+- optimize command simulator auto-generation [\#1078](https://github.com/chef/inspec/pull/1078) ([chris-rock](https://github.com/chris-rock))
+
+**Closed issues:**
+
+- proper scrolling of terminal [\#1053](https://github.com/chef/inspec/issues/1053)
+
+**Merged pull requests:**
+
+- fix inspec shell handling [\#1090](https://github.com/chef/inspec/pull/1090) ([vjeffrey](https://github.com/vjeffrey))
+- update responses [\#1087](https://github.com/chef/inspec/pull/1087) ([vjeffrey](https://github.com/vjeffrey))
+- print profile summary and test summary [\#1083](https://github.com/chef/inspec/pull/1083) ([vjeffrey](https://github.com/vjeffrey))
+- Fix minor typo in documentation [\#1082](https://github.com/chef/inspec/pull/1082) ([Dispader](https://github.com/Dispader))
+- uglify wepack content, kudos @chris-rock [\#1081](https://github.com/chef/inspec/pull/1081) ([arlimus](https://github.com/arlimus))
+- Static keys in all json [\#811](https://github.com/chef/inspec/pull/811) ([arlimus](https://github.com/arlimus))
+
+## [v0.35.0](https://github.com/chef/inspec/tree/v0.35.0) (2016-09-16)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.34.1...v0.35.0)
 
 **Fixed bugs:**
 

data/Gemfile

@@ -35,6 +35,12 @@ group :integration do
   gem 'kitchen-dokken'
 end
 
+group :simulator do
+  gem 'github-markup'
+  gem 'redcarpet'
+  gem 'docker-api'
+end
+
 group :tools do
   gem 'pry', '~> 0.10'
   gem 'rb-readline'

data/Rakefile

@@ -6,6 +6,7 @@ require 'bundler/gem_tasks'
 require 'rake/testtask'
 require 'rubocop/rake_task'
 require_relative 'tasks/maintainers'
+require_relative 'tasks/docs'
 
 # Rubocop
 desc 'Run Rubocop lint checks'
@@ -20,8 +21,8 @@ task lint: [:rubocop]
 # update command output for demo
 desc 'Run inspec commands and save results to www/app/responses'
 task :update_demo do
-  commands = 'tasks/command_simulator.rb'
-  ruby commands
+  ruby 'www/tutorial/scripts/build_simulator_runtime.rb'
+  ruby 'www/tutorial/scripts/run_simulator_recording.rb'
 end
 
 # run tests
@@ -165,56 +166,3 @@ task :release_docker do
   puts "--> #{cmd}"
   sh('sh', '-c', cmd)
 end
-
-namespace :docs do
-  desc 'Create cli docs'
-  task :cli do
-    res = "=====================================================\n"\
-          "InSpec CLI\n"\
-          "=====================================================\n\n"\
-          "Use the InSpec CLI to run tests and audits against targets "\
-          "using local, SSH, WinRM, or Docker connections.\n\n"
-
-    require 'inspec/cli'
-    cmds = Inspec::InspecCLI.all_commands
-    cmds.keys.sort.each do |key|
-      cmd = cmds[key]
-
-      res << "#{cmd.usage.split.first}\n"\
-             "=====================================================\n\n"
-
-      res << cmd.description.capitalize
-      res << "\n\n"
-
-      res << "Syntax\n"\
-             "-----------------------------------------------------\n\n"
-
-      res << "This subcommand has the following syntax:\n\n"\
-             ".. code-block:: bash\n\n"\
-             "   $ inspec #{cmd.usage}\n\n"
-
-      opts = cmd.options.select { |_, o| !o.hide }
-      unless opts.empty?
-        res << "Options\n"\
-               "-----------------------------------------------------\n\n"\
-               "This subcommand has additional options:\n\n"
-
-        opts.keys.sort.each do |option|
-          opt = cmd.options[option]
-          # TODO: remove when UX of help is reworked 1.0
-          usage = opt.usage.split(', ')
-                     .map { |x| x.tr('[]', '') }
-                     .map { |x| x.start_with?('-') ? x : '-'+x }
-                     .map { |x| '``' + x + '``' }
-          res << "#{usage.join(', ')}\n   #{opt.description}\n\n"
-        end
-
-      end
-      res << "\n\n"
-    end
-
-    dst = 'docs/cli.rst'
-    File.write(dst, res)
-    puts "Documentation generated in #{dst.inspect}"
-  end
-end

data/docs/README.md

@@ -0,0 +1,20 @@
+# InSpec documentation
+
+This is the home of the InSpec documentation. This documentation provides an introduction to this mechanism and shows how to write custom tests.
+
+The goal of this folder is for any community member to clone these docs, make the changes, check if they are valid, and contribute to the project.
+
+## How to build docs
+
+TODO
+
+## Stability Index
+
+Every available InSpec resource will indicate its stability. As InSpec matures, certain parts are more reliable than others. Brand new features are likely to be redesigned and marked as such.
+
+The stability indices are as follows:
+
+* `Stability: Deprecated` - This features will be removed in future versions, because its known for being problematic. Do not rely on it.
+* `Stability: Experimental` - New features may change or are removed in future versions
+* `Stability: Stable` - API is well established and proofed. Maintaining compatibility is a high priority
+* `Stability: Locked` - Only security and performance fixes are allowed

data/docs/cli.rst

@@ -199,12 +199,18 @@ This subcommand has additional options:
 ``-b``, ``--backend=BACKEND``
    Choose a backend: local, ssh, winrm, docker.
 
+``--cache=CACHE``
+   Use the given path for caching dependencies. (default: ~/.inspec/cache)
+
 ``--color``, ``--no-color``
    Use colors in output.
 
 ``--controls=one two three``
    A list of controls to run. Ignore all other tests.
 
+``--create-lockfile``, ``--no-create-lockfile``
+   Write out a lockfile based on this execution (unless one already exists)
+
 ``--format=FORMAT``
    Which formatter to use: cli, progress, documentation, json, json-min
 

data/docs/dsl_inspec.md

@@ -0,0 +1,245 @@
+---
+title: InSpec DSL
+---
+
+# InSpec DSL
+
+InSpec is a run-time framework and rule language used to specify compliance, security, and policy requirements. It includes a collection of resources that help you write auditing controls quickly and easily. The syntax used by both open source and |chef compliance| auditing is the same. The open source |inspec resource| framework is compatible with |chef compliance|.
+
+The InSpec DSL is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke.
+
+The following sections describe the syntax and show some simple examples of using the InSpec resources.
+
+## Syntax
+
+The following resource tests |ssh| server configuration. For example, a simple control may described as:
+
+```ruby
+describe sshd_config do
+  its('Port') { should eq('22') }
+end
+```
+
+In various use cases like implementing IT compliance across different departments, it becomes handy to extend the control with metadata. Each control may define an additional ``impact``, ``title`` or ``desc``. An example looks like:
+
+```ruby
+control 'sshd-8' do
+  impact 0.6
+  title 'Server: Configure the service port'
+  desc '
+   Always specify which port the SSH server should listen to.
+   Prevent unexpected settings.
+  '
+  tag 'ssh','sshd','openssh-server'
+  tag cce: 'CCE-27072-8'
+  ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
+
+  describe sshd_config do
+   its('Port') { should eq('22') }
+  end
+end
+```
+
+where
+
+* `'sshd-8'` is the name of the control
+* `impact`, `title`, and `desc` define metadata that fully describes the importance of the control, its purpose, with a succinct and complete description
+* `impact` is an float that measures the importance of the compliance results and must be a value between `0.0` and `1.0`.
+* `tag` is optional meta-information with with key or key-value pairs
+* `ref` is a reference to an external document
+* `describe` is a block that contains at least one test. A `control` block must contain at least one `describe` block, but may contain as many as required
+* `sshd_config` is an InSpec resource. For the full list of InSpec resources, see InSpec resource documentation
+* `its('Port')` is the matcher; `{ should eq('22') }` is the test. A `describe` block must contain at least one matcher, but may contain as many as required
+
+
+## Advanced concepts
+
+With inspec it is possible to check if at least one of a collection of checks is true. For example: If a setting is configured in two different locations, you may want to test if either configuration A or configuration B have been set. This is accomplished via `describe.one`. It defines a block of tests with at least one valid check.
+
+```ruby
+describe.one do
+  describe ConfigurationA do
+   its('setting_1') { should eq true }
+  end
+
+  describe ConfigurationB do
+   its('setting_2') { should eq true }
+  end
+end
+```
+
+## Examples
+
+The following examples show simple compliance tests using a single `control` block.
+
+## Test System Event Log
+
+The following test shows how to audit machines running Windows 2012 R2 that pwassword complexity is enabled:
+
+```ruby
+control 'windows-account-102' do
+  impact 1.0
+  title 'Windows Password Complexity is Enabled'
+  desc 'Password must meet complexity requirement'
+  describe security_policy do
+    its('PasswordComplexity') { should eq 1 }
+  end
+end
+```
+
+## Are PosgtreSQL passwords empty?
+
+The following test shows how to audit machines running PostgerSQL to ensure that passwords are not empty.
+
+```ruby
+control 'postgres-7' do
+  impact 1.0
+  title 'Don't allow empty passwords'
+  describe postgres_session('user', 'pass').query("SELECT * FROM pg_shadow WHERE passwd IS NULL;") do
+   its('output') { should eq('') }
+  end
+end
+```
+
+## Are MySQL passwords in ENV?
+
+The following test shows how to audit machines running MySQL to ensure that passwords are not stored in `ENV`:
+
+```ruby
+control 'mysql-3' do
+  impact 1.0
+  title 'Do not store your MySQL password in your ENV'
+  desc '
+   Storing credentials in your ENV may easily expose
+   them to an attacker. Prevent this at all costs.
+  '
+  describe command('env') do
+   its('stdout') { should_not match(/^MYSQL_PWD=/) }
+  end
+end
+```
+
+## Is `/etc/ssh` a Directory?
+
+The following test shows how to audit machines to ensure that `/etc/ssh` is a directory:
+
+```ruby
+control 'basic-1' do
+  impact 1.0
+  title '/etc/ssh should be a directory'
+  desc '
+   In order for OpenSSH to function correctly, its
+   configuration path must be a folder.
+  '
+  describe file('/etc/ssh') do
+   it { should be_directory }
+  end
+end
+```
+
+## Is Apache running?
+
+The following test shows how to audit machines to ensure that Apache is enabled and running:
+
+```ruby
+control 'apache-1' do
+  impact 0.3
+  title 'Apache2 should be configured and running'
+  describe service(apache.service) do
+   it { should be_enabled }
+   it { should be_running }
+  end
+end
+```
+
+## Are insecure packages installed ?
+
+The following test shows how to audit machines for insecure packages:
+
+```ruby
+control 'cis-os-services-5.1.3' do
+  impact 0.7
+  title '5.1.3 Ensure rsh client is not installed'
+
+  describe package('rsh') do
+    it { should_not be_installed }
+  end
+
+  describe package('rsh-redone-client') do
+    it { should_not be_installed }
+  end
+end
+```
+
+## Test Windows Registry Keys
+
+The following test shows how to audit machines to ensure Safe DLL Seach Mode is enabled:
+
+```ruby
+control 'windows-base-101' do
+  impact 1.0
+  title 'Safe DLL Search Mode is Enabled'
+  desc '
+    @link: https://msdn.microsoft.com/en-us/library/ms682586(v=vs.85).aspx
+  '
+  describe registry_key('HKLM\\System\\CurrentControlSet\\Control\\Session Manager') do
+    it { should exist }
+    it { should_not have_property_value('SafeDllSearchMode', :type_dword, '0') }
+  end
+end
+```
+
+## Exclude specific test
+
+This shows how to allow skipping certain tests if conditions are not met, by using `only_if`.
+In this example the test will not be performed if `redis-cli` command does not exist, because for example package on remote host was not installed.
+
+```ruby
+control 'nutcracker-connect-redis-001' do
+  impact 1.0
+  title 'Check if nutcracker can pass commands to redis'
+  desc 'execute redis-cli set key command, to check connectivity of the service'
+
+  only_if do
+    command('redis-cli').exist?
+  end
+
+  describe command('redis-cli SET test_inspec "HELLO"') do
+    its(:stdout) { should match(/OK/) }
+  end
+end
+```
+
+Mixing this with other conditionals (like checking existence of the files etc.) can help to test different test paths using inspec. This way you can skip certain tests which would 100% fail due to the way servers are prepared, but you know that the same test suites are reused later in different circumstances by different teams.
+
+## Additional metadata for controls
+
+
+The following example illustrates various ways to add tags and references to `control`
+
+```ruby
+control 'ssh-1' do
+  impact 1.0
+
+  title 'Allow only SSH Protocol 2'
+  desc 'Only SSH protocol version 2 connections should be permitted.
+        The default setting in /etc/ssh/sshd_config is correct, and can be
+        verified by ensuring that the following line appears: Protocol 2'
+
+  tag 'production','development'
+  tag 'ssh','sshd','openssh-server'
+
+  tag cce: 'CCE-27072-8'
+  tag disa: 'RHEL-06-000227'
+
+  tag remediation: 'stig_rhel6/recipes/sshd-config.rb'
+  tag remediation: 'https://supermarket.chef.io/cookbooks/ssh-hardening'
+
+  ref 'NSA-RH6-STIG - Section 3.5.2.1', url: 'https://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf'
+  ref 'http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/ssg-centos6-guide-C2S.html'
+
+  describe ssh_config do
+    its ('Protocol') { should eq '2'}
+  end
+end
+```