inspec 1.0.0.beta2 → 1.0.0.beta3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 714356a44147a3ea6f876aa73a6e51e1abac60b3
-  data.tar.gz: 83e1f5f89edea538de7027ab4d0e07e161f0ee5d
+  metadata.gz: 75fea2e790e0dcea3951df73e3ad7976a5e8e659
+  data.tar.gz: b7bd822fd9b85f6da803b2078481089cb9801b83
 SHA512:
-  metadata.gz: ebf142830517de967349b6fb1fea90f2b7d7beca3f7630903dd2d92259b78c9a28576f431091b929d96bd26ce89a66dd6ee8d02b25649232453966f2fd197665
-  data.tar.gz: d9bca14a669035a4729a6de6b2ca6b1d4498498080915a94084190b3c40a7bf75124a75fec60b15e3257ac46f6d5f03ae2ce1734bebb1aed06c86eca42e3c0b3
+  metadata.gz: 705b7694c8d6dbecea6646f6f71c691774ae5946106e9381f47fdfb276848e7e0b1ca1c80e7c3db5ee3dbf6b8958ed0a1fa94b6f75d5abea19ac555bfc44f095
+  data.tar.gz: fd38cbdb8d6f3d9063283a9c9f774e7d0f412e5bc1d697dc9cbeeed29dd911b239470b18d273d691fe7ddf53c3699359895cdb8a0b354f6a6f38205ae890d738

data/CHANGELOG.md

@@ -1,7 +1,46 @@
 # Change Log
 
-## [1.0.0.beta2](https://github.com/chef/inspec/tree/1.0.0.beta2) (2016-09-22)
-[Full Changelog](https://github.com/chef/inspec/compare/v1.0.0.pre.beta1...1.0.0.beta2)
+## [1.0.0.beta3](https://github.com/chef/inspec/tree/1.0.0.beta3) (2016-09-25)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.0.0.beta2...1.0.0.beta3)
+
+**Implemented enhancements:**
+
+- Improve lockfile handling [\#1070](https://github.com/chef/inspec/issues/1070)
+- Show skip\_message and correct title [\#1109](https://github.com/chef/inspec/pull/1109) ([alexpop](https://github.com/alexpop))
+
+**Fixed bugs:**
+
+- InSpec CLI output not showing skip message when control title is defined [\#1097](https://github.com/chef/inspec/issues/1097)
+- bugfix: there is one more button to start the online demo [\#1140](https://github.com/chef/inspec/pull/1140) ([arlimus](https://github.com/arlimus))
+
+**Closed issues:**
+
+- add docs to inspec.io [\#1119](https://github.com/chef/inspec/issues/1119)
+- Cache key for dependencies needs to be based on content hash for urls [\#1066](https://github.com/chef/inspec/issues/1066)
+
+**Merged pull requests:**
+
+- Enable builds on both Windows and \*nix [\#1145](https://github.com/chef/inspec/pull/1145) ([scotthain](https://github.com/scotthain))
+- Website: Minor edits in preparation for launch [\#1144](https://github.com/chef/inspec/pull/1144) ([magwalk](https://github.com/magwalk))
+- Truncate long filename. Temporary fix [\#1143](https://github.com/chef/inspec/pull/1143) ([stevendanna](https://github.com/stevendanna))
+- add variables to each loops [\#1142](https://github.com/chef/inspec/pull/1142) ([chris-rock](https://github.com/chris-rock))
+- embed tutorial in website [\#1139](https://github.com/chef/inspec/pull/1139) ([arlimus](https://github.com/arlimus))
+- scope all tutorial assets [\#1138](https://github.com/chef/inspec/pull/1138) ([arlimus](https://github.com/arlimus))
+- add build task for online tutorial with all assets [\#1137](https://github.com/chef/inspec/pull/1137) ([arlimus](https://github.com/arlimus))
+- implement filter table for group/groups resource [\#1135](https://github.com/chef/inspec/pull/1135) ([chris-rock](https://github.com/chris-rock))
+- fix minor typos in user resource [\#1134](https://github.com/chef/inspec/pull/1134) ([chris-rock](https://github.com/chris-rock))
+- Website Copy Edits [\#1133](https://github.com/chef/inspec/pull/1133) ([magwalk](https://github.com/magwalk))
+- add build tasks for www [\#1132](https://github.com/chef/inspec/pull/1132) ([arlimus](https://github.com/arlimus))
+- add resources.md doc generation [\#1130](https://github.com/chef/inspec/pull/1130) ([arlimus](https://github.com/arlimus))
+- add all resources to docs [\#1129](https://github.com/chef/inspec/pull/1129) ([arlimus](https://github.com/arlimus))
+- reorder and fix sidebar contents for docs [\#1128](https://github.com/chef/inspec/pull/1128) ([arlimus](https://github.com/arlimus))
+- add ruby usage in inspec as markdown [\#1127](https://github.com/chef/inspec/pull/1127) ([arlimus](https://github.com/arlimus))
+- Add markdown docs [\#1125](https://github.com/chef/inspec/pull/1125) ([arlimus](https://github.com/arlimus))
+- Avoid spurious downloads during dependency management [\#1124](https://github.com/chef/inspec/pull/1124) ([stevendanna](https://github.com/stevendanna))
+- Website Design Fixes [\#1123](https://github.com/chef/inspec/pull/1123) ([magwalk](https://github.com/magwalk))
+
+## [v1.0.0.beta2](https://github.com/chef/inspec/tree/v1.0.0.beta2) (2016-09-22)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.0.0.pre.beta1...v1.0.0.beta2)
 
 **Implemented enhancements:**
 

data/Gemfile

@@ -6,6 +6,7 @@ gemspec
 # detecting that net-ssh 3 does not work with 1.9.3
 if Gem::Version.new(RUBY_VERSION) <= Gem::Version.new('1.9.3')
   gem 'net-ssh', '~> 2.9'
+  gem 'tins', '~> 1.6.0'
 end
 
 if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.2.2')
@@ -23,6 +24,9 @@ group :test do
   gem 'simplecov', '~> 0.10'
   gem 'concurrent-ruby', '~> 0.9'
   gem 'mocha', '~> 1.1'
+  gem 'ruby-progressbar', '~> 1.8'
+  gem 'inquirer'
+  gem 'nokogiri', '~> 1.6'
 end
 
 group :integration do

data/Rakefile

@@ -5,8 +5,9 @@ require 'bundler'
 require 'bundler/gem_tasks'
 require 'rake/testtask'
 require 'rubocop/rake_task'
-require_relative 'tasks/maintainers'
 require_relative 'tasks/docs'
+require_relative 'tasks/maintainers'
+require_relative 'tasks/www'
 
 # Rubocop
 desc 'Run Rubocop lint checks'

data/docs/.gitignore

@@ -0,0 +1,2 @@
+resources.md
+cli.md

data/docs/README.md

@@ -6,7 +6,27 @@ The goal of this folder is for any community member to clone these docs, make th
 
 ## How to build docs
 
-TODO
+We build docs by:
+
+1. Auto-generating docs from code
+2. Transforming markdown+snippets in this folder into pure markdown in `www/source/docs`
+3. Rendering them to the website via instructions in `www/`
+
+For development, you **only need step 1**!
+
+**1 Generate docs**
+
+To generate all docs run:
+
+```
+bundle exec rake docs
+```
+
+You can run tasks individually. For a list of tasks run:
+
+```
+bundle exec rake --tasks docs
+```
 
 ## Stability Index
 

data/docs/resources/apache_conf.md.erb

@@ -0,0 +1,75 @@
+---
+title: About the apache_conf Resource
+---
+
+# apache_conf
+
+Use the `apache_conf` InSpec audit resource to test the configuration settings for Apache. This file is typically located under `/etc/apache2` on the Debian and Ubuntu platforms and under `/etc/httpd` on the Fedora, CentOS, RedHat Enterprise Linux, and ArchLinux platforms. The configuration settings may vary significantly from platform to platform.
+
+# Syntax
+
+An `apache_conf` InSpec audit resource block declares configuration settings that should be tested:
+
+    describe apache_conf('path') do
+      its('setting_name') { should eq 'value' }
+    end
+
+where
+
+* `'setting_name'` is a configuration setting defined in the Apache configuration file
+* `('path')` is the non-default path to the Apache configuration file
+* `{ should eq 'value' }` is the value that is expected
+
+# Matchers
+
+This InSpec audit resource matches any service that is listed in the Apache configuration file:
+
+    its('PidFile') { should_not eq '/var/run/httpd.pid' }
+
+or:
+
+    its('Timeout') { should eq 300 }
+
+For example:
+
+    describe apache_conf do
+      its('MaxClients') { should eq 100 }
+      its('Listen') { should eq '443'}
+    end
+
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test for blocking .htaccess files on CentOS
+
+    describe apache_conf do
+      its('AllowOverride') { should eq 'None' }
+    end
+
+## Test ports for SSL
+
+    describe apache_conf do
+      its('Listen') { should eq '443'}
+    end

data/docs/resources/apt.md.erb

@@ -0,0 +1,84 @@
+---
+title: About the apt Resource
+---
+
+# apt
+
+Use the `apt` InSpec audit resource to verify Apt repositories on the Debian and Ubuntu platforms, and also PPA repositories on the Ubuntu platform.
+
+# Syntax
+
+An `apt` resource block tests the contents of Apt and PPA repositories:
+
+    describe apt('path') do
+      it { should exist }
+      it { should be_enabled }
+    end
+
+where
+
+* `apt('path')` must specify an Apt or PPA repository
+* `('path')` may be an `http://` address, a `ppa:` address, or a short `repo-name/ppa` address
+* `exist` and `be_enabled` are a valid matchers for this resource
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## be_enabled
+
+The `be_enabled` matcher tests if a package exists in the repository:
+
+    it { should be_enabled }
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## exist
+
+The `exist` matcher tests if a package exists on the system:
+
+    it { should exist }
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test if apt repository exists and is enabled
+
+    describe apt('http://ppa.launchpad.net/juju/stable/ubuntu') do
+      it { should exist }
+      it { should be_enabled }
+    end
+
+## Verify that a PPA repository exists and is enabled
+
+    describe apt('ppa:nginx/stable') do
+      it { should exist }
+      it { should be_enabled }
+    end
+
+## Verify that a repository is not present
+
+    describe apt('ubuntu-wine/ppa') do
+      it { should_not exist }
+      it { should_not be_enabled }
+    end

data/docs/resources/audit_policy.md.erb

@@ -0,0 +1,61 @@
+---
+title: About the audit_policy Resource
+---
+
+# audit_policy
+
+Use the `audit_policy` Inspec audit resource to test auditing policies on the Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each auditing category property that is enabled, the auditing level may be set to `No Auditing`, `Not Specified`, `Success`, `Success and Failure`, or `Failure`.
+
+# Syntax
+
+An `audit_policy` resource block declares a parameter that belongs to an audit policy category or subcategory:
+
+    describe audit_policy do
+      its('parameter') { should eq 'value' }
+    end
+
+where
+
+* `'parameter'` must specify a parameter
+* `'value'` must be one of `No Auditing`, `Not Specified`, `Success`, `Success and Failure`, or `Failure`
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test that a parameter is not set to "No Auditing"
+
+    describe audit_policy do
+      its('Other Account Logon Events') { should_not eq 'No Auditing' }
+    end
+
+## Test that a parameter is set to "Success"
+
+    describe audit_policy do
+      its('User Account Management') { should eq 'Success' }
+    end

data/docs/resources/auditd_conf.md.erb

@@ -0,0 +1,79 @@
+---
+title: About the auditd_conf Resource
+---
+
+# auditd_conf
+
+Use the `auditd_conf` InSpec audit resource to test the configuration settings for the audit daemon. This file is typically located under `/etc/audit/auditd.conf'` on Unix and Linux platforms.
+
+# Syntax
+
+A `auditd_conf` resource block declares configuration settings that should be tested:
+
+    describe auditd_conf('path') do
+      its('keyword') { should cmp 'value' }
+    end
+
+where
+
+* `'keyword'` is a configuration setting defined in the `auditd.conf` configuration file
+* `('path')` is the non-default path to the `auditd.conf` configuration file
+* `{ should cmp 'value' }` is the value that is expected
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## keyword
+
+This matcher will matche any keyword that is listed in the `auditd.conf` configuration file. Option names and values are case-insensitive:
+
+    its('log_format') { should cmp 'raw' }
+
+or:
+
+    its('max_log_file') { should cmp 6 }
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test the auditd.conf file
+
+    describe auditd_conf do
+      its('log_file') { should cmp '/full/path/to/file' }
+      its('log_format') { should cmp 'raw' }
+      its('flush') { should cmp 'none' }
+      its('freq') { should cmp 1 }
+      its('num_logs') { should cmp 0 }
+      its('max_log_file') { should cmp 6 }
+      its('max_log_file_action') { should cmp 'email' }
+      its('space_left') { should cmp 2 }
+      its('action_mail_acct') { should cmp 'root' }
+      its('space_left_action') { should cmp 'email' }
+      its('admin_space_left') { should cmp 1 }
+      its('admin_space_left_action') { should cmp 'halt' }
+      its('disk_full_action') { should cmp 'halt' }
+      its('disk_error_action') { should cmp 'halt' }
+    end

data/docs/resources/auditd_rules.md.erb

@@ -0,0 +1,132 @@
+---
+title: About the auditd_rules Resource
+---
+
+# auditd_rules
+
+Use the `auditd_rules` InSpec audit resource to test the rules for logging that exist on the system. The `audit.rules` file is typically located under `/etc/audit/` and contains the list of rules that define what is captured in log files. This resource uses `auditctl` to query the run-time `auditd` rules setup, which may be different from `audit.rules`.
+
+
+# Syntax
+
+An `auditd_rules` resource block declares one (or more) rules to be tested, and then what that rule should do. The syntax depends on the version of `audit`:
+
+For `audit` >= 2.3:
+
+    describe auditd_rules do
+      its('lines') { should contain_match(rule) }
+    end
+
+For `audit` < 2.3:
+
+    describe audit_daemon_rules do
+      its("LIST_RULES") {
+        rule
+      }
+    end
+
+For example:
+
+    describe auditd_rules do
+      its('LIST_RULES') { should eq [
+        'exit,always syscall=rmdir,unlink',
+        'exit,always auid=1001 (0x3e9) syscall=open',
+        'exit,always watch=/etc/group perm=wa',
+        'exit,always watch=/etc/passwd perm=wa',
+        'exit,always watch=/etc/shadow perm=wa',
+        'exit,always watch=/etc/sudoers perm=wa',
+        'exit,always watch=/etc/secret_directory perm=r',
+      ] }
+    end
+
+or test that individual rules are defined:
+
+    describe auditd_rules do
+      its('LIST_RULES') {
+        should contain_match(/^exit,always watch=\/etc\/group perm=wa key=identity/)
+      }
+      its('LIST_RULES') {
+        should contain_match(/^exit,always watch=\/etc\/passwd perm=wa key=identity/)
+      }
+      its('LIST_RULES') {
+        should contain_match(/^exit,always watch=\/etc\/gshadow perm=wa key=identity/)
+      }
+      its('LIST_RULES') {
+        should contain_match(/^exit,always watch=\/etc\/shadow perm=wa key=identity/)
+      }
+      its('LIST_RULES') {
+        should contain_match(/^exit,always watch=\/etc\/security\/opasswd perm=wa key=identity/)
+      }
+    end
+
+where each test must declare one (or more) rules to be tested.
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test if a rule contains a matching element that is identified by a regular expression
+
+For `audit` >= 2.3:
+
+    describe auditd_rules do
+      its('lines') { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
+    end
+
+For `audit` < 2.3:
+
+    describe audit_daemon_rules do
+      its("LIST_RULES") {
+        should contain_match(/^exit,always arch=.*\
+        key=time-change\
+        syscall=adjtimex,settimeofday/)
+      }
+    end
+
+
+## Query the audit daemon status
+
+    describe auditd_rules.status('backlog') do
+      it { should cmp 0 }
+    end
+
+## Query properties of rules targeting specific syscalls or files
+
+    describe auditd_rules.syscall('open').action do
+      it { should eq(['always']) }
+    end
+
+    describe auditd_rules.key('sshd_config') do
+      its('permissions') { should contain_match(/x/) }
+    end
+
+Filters may be chained. For example:
+
+    describe auditd_rules.syscall('open').action('always').list do
+      it { should eq(['exit']) }
+    end