inspec 1.26.0 → 1.27.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fecbcfd7ae1d3b85d799bc71dc2eabe989f16136
-  data.tar.gz: 20bd1251717cd160dbd5b4b8884ca2d916838f3b
+  metadata.gz: a97d110626e91da96f74c2ade783985774f985c6
+  data.tar.gz: 9c6f406166b6e6592b1a43b69353c5bcaf8dc0ef
 SHA512:
-  metadata.gz: 3553ac4c21f7f73f70fcaed794292b013f7106a7b226ffb5500c1c9c6451d4355d10aa0526d28d32db926e6a281f5a1f48cf7bcb68255b893853020debfa8a42
-  data.tar.gz: 743f7fce23d0d50eb6d3df716c7f44d9ca1f8824fdc47df6940d77308a720146caf07eb1f6c3a47616cc230561e832b32aa89206d97ace6cea43a7e69abd5f13
+  metadata.gz: 9d6ec986d6914cd057869cce5ba76c3c13c31a8bd044aefcaed4cf6a01cc4cf91ac0b3c118519e7c58c98b8ddd63bef0e04780c8099e1c68bacbfca218d8ae88
+  data.tar.gz: 6b20ef3baa24b1e3de67373101f6c356189ac990fd7789d889ac50fb6d9272f2889f45d61edbdcbe12d9ae4b75d3b302837b043536e7d1d57c5064b95ffa6312

data/CHANGELOG.md

@@ -1,24 +1,48 @@
 # Change Log
 
-## [v1.26.0](https://github.com/chef/inspec/tree/v1.26.0) (2017-05-30)
+## [v1.27.0](https://github.com/chef/inspec/tree/v1.27.0) (2017-06-06)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.26.0...v1.27.0)
+
+**Implemented enhancements:**
+
+- Support special cases for crontab resource [\#1893](https://github.com/chef/inspec/pull/1893) ([arlimus](https://github.com/arlimus))
+- add the Nginx parser [\#1888](https://github.com/chef/inspec/pull/1888) ([arlimus](https://github.com/arlimus))
+- support FIPS 140-2 compliant digest calls [\#1887](https://github.com/chef/inspec/pull/1887) ([arlimus](https://github.com/arlimus))
+- Add windows support to the `processes` resource [\#1878](https://github.com/chef/inspec/pull/1878) ([username-is-already-taken2](https://github.com/username-is-already-taken2))
+- add bitbucket repo url handling [\#1866](https://github.com/chef/inspec/pull/1866) ([stubblyhead](https://github.com/stubblyhead))
+- Commenting the `contain\_duplicates` deprecation until we have a good alternative [\#1860](https://github.com/chef/inspec/pull/1860) ([alexpop](https://github.com/alexpop))
+- verifies that inspec.yml uses licenses in SPDX format [\#1858](https://github.com/chef/inspec/pull/1858) ([chris-rock](https://github.com/chris-rock))
+- funtion to get pgsql version, exposed version, cluster and fixed session [\#1758](https://github.com/chef/inspec/pull/1758) ([aaronlippold](https://github.com/aaronlippold))
+
+**Fixed bugs:**
+
+- Use RubyGems version for habitat plan [\#1883](https://github.com/chef/inspec/pull/1883) ([smith](https://github.com/smith))
+- Fix version method call for refresh token [\#1875](https://github.com/chef/inspec/pull/1875) ([ndobson](https://github.com/ndobson))
+- Add warningaction to test-netconnection [\#1869](https://github.com/chef/inspec/pull/1869) ([seththoenen](https://github.com/seththoenen))
+- Fix parameters to `find` commands [\#1856](https://github.com/chef/inspec/pull/1856) ([chris-rock](https://github.com/chris-rock))
+- Fix command exists check on Windows with full paths [\#1850](https://github.com/chef/inspec/pull/1850) ([username-is-already-taken2](https://github.com/username-is-already-taken2))
+- Fix compliance uploads when version is not present [\#1849](https://github.com/chef/inspec/pull/1849) ([adamleff](https://github.com/adamleff))
+
+## [v1.26.0](https://github.com/chef/inspec/tree/v1.26.0) (2017-05-31)
 [Full Changelog](https://github.com/chef/inspec/compare/v1.25.1...v1.26.0)
 
 **Implemented enhancements:**
 
+- Bump default timeouts for `http` resource [\#1835](https://github.com/chef/inspec/pull/1835) ([schisamo](https://github.com/schisamo))
 - Improvements to Habitat plan [\#1820](https://github.com/chef/inspec/pull/1820) ([smith](https://github.com/smith))
 
 **Fixed bugs:**
 
-- bugfix: adjust localhost+sudo test output to train update [\#1873](https://github.com/chef/inspec/pull/1873) ([arlimus](https://github.com/arlimus))
+- adjust localhost+sudo test output to train update [\#1873](https://github.com/chef/inspec/pull/1873) ([arlimus](https://github.com/arlimus))
+- sudo-detection for target execution [\#1870](https://github.com/chef/inspec/pull/1870) ([arlimus](https://github.com/arlimus))
 - bugfix: do not send nil to command on unsupported OS [\#1865](https://github.com/chef/inspec/pull/1865) ([arlimus](https://github.com/arlimus))
 - bugfix: non-url servers with compliance login [\#1861](https://github.com/chef/inspec/pull/1861) ([arlimus](https://github.com/arlimus))
+- Raise exception if profile target URL cannot be parsed [\#1853](https://github.com/chef/inspec/pull/1853) ([adamleff](https://github.com/adamleff))
+- postgres relative path includes [\#1852](https://github.com/chef/inspec/pull/1852) ([aaronlippold](https://github.com/aaronlippold))
+- Amended the processes resource to skip on windows [\#1851](https://github.com/chef/inspec/pull/1851) ([username-is-already-taken2](https://github.com/username-is-already-taken2))
+- Fix assert that a gem is not installed [\#1844](https://github.com/chef/inspec/pull/1844) ([cattywampus](https://github.com/cattywampus))
 - Habitat Profiles: redirect stderr to stdout [\#1826](https://github.com/chef/inspec/pull/1826) ([adamleff](https://github.com/adamleff))
 
-**Closed issues:**
-
-- Using Automate - `compliance\_profile\_name': undefined method `\[\]' for nil:NilClass \(NoMethodError\) seeing 1.25.1 Inspec  [\#1848](https://github.com/chef/inspec/issues/1848)
-- Missing filesystem size check for InSpec [\#1843](https://github.com/chef/inspec/issues/1843)
-
 ## [v1.25.1](https://github.com/chef/inspec/tree/v1.25.1) (2017-05-20)
 [Full Changelog](https://github.com/chef/inspec/compare/v1.25.0...v1.25.1)
 
@@ -41,7 +65,6 @@
 **Fixed bugs:**
 
 - read source code if profile is in tgz/zip [\#1816](https://github.com/chef/inspec/pull/1816) ([arlimus](https://github.com/arlimus))
-- Update postgresql conf resource to accept include\_dir as a string as well as an array [\#1727](https://github.com/chef/inspec/pull/1727) ([elliott-davis](https://github.com/elliott-davis))
 
 ## [v1.24.0](https://github.com/chef/inspec/tree/v1.24.0) (2017-05-11)
 [Full Changelog](https://github.com/chef/inspec/compare/v1.23.0...v1.24.0)
@@ -56,7 +79,6 @@
 - Add support for Windows auth in mssql\_resourcet [\#1786](https://github.com/chef/inspec/pull/1786) ([arlimus](https://github.com/arlimus))
 - Allow mysql\_session to test databases on different hosts [\#1779](https://github.com/chef/inspec/pull/1779) ([aaronlippold](https://github.com/aaronlippold))
 - Handle parse errors for attrs/secrets [\#1775](https://github.com/chef/inspec/pull/1775) ([adamleff](https://github.com/adamleff))
-- Add an oracledb\_session resource [\#1751](https://github.com/chef/inspec/pull/1751) ([nsdavidson](https://github.com/nsdavidson))
 
 ## [v1.23.0](https://github.com/chef/inspec/tree/v1.23.0) (2017-05-04)
 [Full Changelog](https://github.com/chef/inspec/compare/v1.22.0...v1.23.0)
@@ -64,37 +86,14 @@
 **Implemented enhancements:**
 
 - Add command-line completions for fish shell [\#1760](https://github.com/chef/inspec/pull/1760) ([smith](https://github.com/smith))
-- Error and exit when using --sudo locally [\#1741](https://github.com/chef/inspec/pull/1741) ([adamleff](https://github.com/adamleff))
-
-**Fixed bugs:**
-
-- Make the --no-color flag work for inspec exec [\#1749](https://github.com/chef/inspec/pull/1749) ([adamleff](https://github.com/adamleff))
-- Fix xinetd resource failing when file cannot be read [\#1746](https://github.com/chef/inspec/pull/1746) ([adamleff](https://github.com/adamleff))
-- Habitat profile bug fixes and improvements [\#1735](https://github.com/chef/inspec/pull/1735) ([rhass](https://github.com/rhass))
 
 **Merged pull requests:**
 
 - rake: lint before test [\#1755](https://github.com/chef/inspec/pull/1755) ([arlimus](https://github.com/arlimus))
-- rename old deprecations that were meant for 1.0 [\#1737](https://github.com/chef/inspec/pull/1737) ([arlimus](https://github.com/arlimus))
-- add `inspec.profile.file\(...\)` for profile files [\#1720](https://github.com/chef/inspec/pull/1720) ([arlimus](https://github.com/arlimus))
 
 ## [v1.22.0](https://github.com/chef/inspec/tree/v1.22.0) (2017-04-27)
 [Full Changelog](https://github.com/chef/inspec/compare/v1.21.0...v1.22.0)
 
-**Implemented enhancements:**
-
-- rename `parse\_config` options for clarity [\#1709](https://github.com/chef/inspec/issues/1709)
-- rename SimpleConfig / parse\_config / parse\_config\_file options [\#1723](https://github.com/chef/inspec/pull/1723) ([arlimus](https://github.com/arlimus))
-- Add matchers help to shell, clean up help output [\#1722](https://github.com/chef/inspec/pull/1722) ([adamleff](https://github.com/adamleff))
-- provide `inspec.version` information [\#1719](https://github.com/chef/inspec/pull/1719) ([arlimus](https://github.com/arlimus))
-- provide the `inspec` keyword [\#1718](https://github.com/chef/inspec/pull/1718) ([arlimus](https://github.com/arlimus))
-- print and prettyprint the inspec backend class [\#1717](https://github.com/chef/inspec/pull/1717) ([arlimus](https://github.com/arlimus))
-
-**Fixed bugs:**
-
-- pretty-print multiline control descriptions [\#1711](https://github.com/chef/inspec/pull/1711) ([arlimus](https://github.com/arlimus))
-- bugfix: unindent description misbehaviors [\#1707](https://github.com/chef/inspec/pull/1707) ([arlimus](https://github.com/arlimus))
-
 ## [v1.21.0](https://github.com/chef/inspec/tree/v1.21.0) (2017-04-24)
 [Full Changelog](https://github.com/chef/inspec/compare/v1.20.0...v1.21.0)
 

data/Rakefile

@@ -6,6 +6,7 @@ require 'bundler/gem_tasks'
 require 'rake/testtask'
 require_relative 'tasks/changelog'
 require_relative 'tasks/maintainers'
+require_relative 'tasks/spdx'
 
 # The docs tasks rely on ruby-progressbar. If we can't load it, then don't
 # load the docs tasks. This is necessary to allow this Rakefile to work
@@ -174,7 +175,7 @@ task :release_habitat do
         raise "Please set the HAB_AUTH_TOKEN environment variable"
     end
     cmd = "echo #{version} > ./habitat/VERSION && "\
-          "hab studio build ./habitat && " \
+          "hab pkg build . && " \
           "hab pkg upload ./results/*.hart"
     puts "--> #{cmd}"
     sh('sh', '-c', cmd)
@@ -195,4 +196,3 @@ namespace :www do
     exit(1)
   end
 end
-

data/docs/resources/crontab.md.erb

@@ -4,7 +4,7 @@ title: About the crontab Resource
 
 # crontab
 
-Use the `crontab` InSpec audit resource to test the crontab entries for a particular user on the system.
+Use the `crontab` InSpec audit resource to test the crontab entries for a particular user on the system. It recognizes special time strings (@yearly, @weekly, etc).
 
 ## Syntax
 
@@ -66,3 +66,19 @@ The following examples show how to use this InSpec audit resource.
     describe crontab.where { command =~ /a partial command string/ } do
       its('entries.length') { should cmp 1 }
     end
+
+### Test a special time string (i.e., @yearly /root/anual_report.sh)
+
+    describe crontab.commands('/root/anual_report.sh') do
+      its('hours') { should cmp '0' }
+      its('minutes') { should cmp '0' }
+      its('days') { should cmp '1' }
+      its('months') { should cmp '1' }
+    end
+
+### Test @reboot case
+
+    describe crontab.commands('/root/reboot.sh') do
+      its('hours') { should cmp '-1' }
+      its('minutes') { should cmp '-1' }
+    end

data/docs/resources/http.md.erb

@@ -14,7 +14,7 @@ This will be corrected in a future version of InSpec. New InSpec releases are po
 
 An `http` resource block declares the configuration settings to be tested:
 
-    describe http('url', auth: {user: 'user', pass: 'test'}, params: {params}, method: 'method', headers: {headers}, body: body) do
+    describe http('url', auth: {user: 'user', pass: 'test'}, params: {params}, method: 'method', headers: {headers}, data: data, open_timeout: 60, read_timeout: 60, ssl_verify: true) do
       its('status') { should eq number }
       its('body') { should eq 'body' }
       its('headers.name') { should eq 'header' }
@@ -23,11 +23,14 @@ An `http` resource block declares the configuration settings to be tested:
 where
 
 * `('url')` is the url to test
-* `{user: 'user', pass: 'test'}` may be specified for basic auth request
+* `auth: { user: 'user', pass: 'test' }` may be specified for basic auth request
 * `{params}` may be specified for http request parameters
 * `'method'` may be specified for http request method (default to 'GET')
 * `{headers}` may be specified for http request headers
-* `body` may be specified for http request body
+* `data` may be specified for http request body
+* `open_timeout` may be specified for a timeout for opening connections (default to 60)
+* `read_timeout` may be specified for a timeout for reading connections (default to 60)
+* `ssl_verify` may be specified to enable or disable verification of SSL certificates (default to `true`)
 
 ## Matchers
 

data/docs/resources/processes.md.erb

@@ -60,18 +60,33 @@ The following examples show how to use this InSpec audit resource.
       its('list.length') { should eq 1 }
     end
 
-### Test if the init process is owned by the root user
+### Test if the process is owned by a specifc user
 
     describe processes('init') do
       its('users') { should eq ['root'] }
     end
 
+    describe processes('winlogon') do
+      its('users') { should cmp "NT AUTHORITY\\SYSTEM" }
+    end
+
+
 ### Test if a high-priority process is running
 
-    describe processes('some_process') do
+    describe processes('linux_process') do
       its('states') { should eq ['R<'] }
     end
 
+    describe processes('windows_process') do
+      its('labels') { should cmp "High" }
+    end
+
+### Test if a process exists on the system
+
+    describe processes('some_process') do
+      it { should exist }
+    end
+
 ### Test for a process using a specific Regexp
 
 If the process name is too common for a string to uniquely find it,
@@ -81,3 +96,28 @@ needed.
     describe processes(Regexp.new("/usr/local/bin/swap -d")) do
       its('list.length') { should eq 1 }
     end
+
+### Notes for auditing Windows systems
+
+Sometimes with system properties there isn't a direct comparison between different operating systems.
+Most of the `property_name`'s do align between the different OS's.  
+
+There are however some exception's, for example, within linux `states` offers multiple properties. 
+Windows doesn't have direct comparison that is a single property so instead `states` is mapped to the property of `Responding`, This is a boolean true/false flag to help determine if the process is hung.
+
+Below is a mapping table to help you understand what property the unix field maps to the windows `Get-Process` Property
+
+| *unix ps field* | *windows PowerShell Property* |
+|:---------------:|:-----------------------------:|
+|labels           |PriorityClass|
+|pids             |Id|
+|cpus             |CPU|
+|mem              |PM|
+|vsz              |VirtualMemorySize|
+|rss              |NPM|
+|tty              |SessionId|
+|states           |Responding|
+|start            |StartTime|
+|time             |TotalProcessorTime|
+|users            |UserName|
+|commands         |Path|

data/examples/inheritance/inspec.yml

@@ -3,7 +3,7 @@ title: InSpec example inheritance
 maintainer: Chef Software, Inc.
 copyright: Chef Software, Inc.
 copyright_email: support@chef.io
-license: Apache 2 license
+license: Apache-2.0
 summary: Demonstrates the use of InSpec profile inheritance
 version: 1.0.0
 supports:

data/examples/meta-profile/inspec.yml

@@ -3,7 +3,7 @@ title: Meta Compliance Profile
 maintainer: InSpec Authors
 copyright: InSpec Authors
 copyright_email: support@chef.io
-license: Apache 2
+license: Apache-2.0
 summary: InSpec Profile that is only consuming dependencies
 version: 0.2.0
 depends:

data/examples/profile-attribute/inspec.yml

@@ -3,6 +3,6 @@ title: InSpec Profile
 maintainer: The Authors
 copyright: The Authors
 copyright_email: you@example.com
-license: All Rights Reserved
+license: Apache-2.0
 summary: An InSpec Compliance Profile
 version: 0.1.0

data/examples/profile/inspec.yml

@@ -3,7 +3,7 @@ title: InSpec Example Profile
 maintainer: Chef Software, Inc.
 copyright: Chef Software, Inc.
 copyright_email: support@chef.io
-license: Apache 2 license
+license: Apache-2.0
 summary: Demonstrates the use of InSpec Compliance Profile
 version: 1.0.0
 supports:

data/lib/bundles/inspec-compliance/api.rb

@@ -70,13 +70,14 @@ module Compliance
       headers = get_headers(config)
       response = Compliance::HTTP.get(url+'/version', headers, insecure)
       return {} if response.code == '404'
+
       data = response.body
+      return {} if data.nil? || data.empty?
 
-      if !data.nil?
-        JSON.parse(data)
-      else
-        {}
-      end
+      parsed = JSON.parse(data)
+      return {} unless parsed.key?('version') && !parsed['version'].empty?
+
+      parsed
     end
 
     # verifies that a profile
@@ -203,11 +204,11 @@ module Compliance
     end
 
     def self.is_automate_server_pre_080?(config)
-      config['server_type'] == 'automate' && config['version'].empty?
+      config['server_type'] == 'automate' && config['version'].nil?
     end
 
     def self.is_automate_server_080_and_later?(config)
-      config['server_type'] == 'automate' && !config['version'].empty?
+      config['server_type'] == 'automate' && !config['version'].nil?
     end
 
     def self.is_automate_server?(config)

data/lib/bundles/inspec-compliance/cli.rb

@@ -355,7 +355,7 @@ module Compliance
       config['user'] = user
       config['insecure'] = insecure
       config['server_type'] = 'compliance'
-      config['version'] = Compliance::API.version(url, insecure)
+      config['version'] = Compliance::API.version(config)
 
       if !verify
         config.store

data/lib/bundles/inspec-init/templates/profile/inspec.yml

@@ -3,6 +3,6 @@ title: InSpec Profile
 maintainer: The Authors
 copyright: The Authors
 copyright_email: you@example.com
-license: All Rights Reserved
+license: Apache-2.0
 summary: An InSpec Compliance Profile
 version: 0.1.0

data/lib/fetchers/local.rb

@@ -2,6 +2,8 @@
 # author: Dominik Richter
 # author: Christoph Hartmann
 
+require 'openssl'
+
 module Fetchers
   class Local < Inspec.fetcher(1)
     name 'local'
@@ -65,7 +67,8 @@ module Fetchers
 
     def sha256
       return nil if File.directory?(@target)
-      @archive_shasum ||= Digest::SHA256.hexdigest File.read(@target)
+      @archive_shasum ||=
+        OpenSSL::Digest::SHA256.digest(File.read(@target)).unpack('H*')[0]
     end
 
     def resolved_source

data/lib/fetchers/url.rb

@@ -3,7 +3,7 @@
 # author: Christoph Hartmann
 
 require 'uri'
-require 'digest'
+require 'openssl'
 require 'tempfile'
 require 'open-uri'
 
@@ -37,8 +37,8 @@ module Fetchers
       nil
     end
 
-    # Transforms a browser github url to github tar url
-    # We distinguish between three different Github URL types:
+    # Transforms a browser github/bitbucket url to github/bitbucket tar url
+    # We distinguish between three different Github/Bitbucket URL types:
     #  - Master URL
     #  - Branch URL
     #  - Commit URL
@@ -46,22 +46,39 @@ module Fetchers
     # master url:
     # https://github.com/nathenharvey/tmp_compliance_profile/ is transformed to
     # https://github.com/nathenharvey/tmp_compliance_profile/archive/master.tar.gz
+    # https://bitbucket.org/username/repo is transformed to
+    # https://bitbucket.org/username/repo/get/master.tar.gz
     #
-    # github branch:
+    # branch:
     # https://github.com/hardening-io/tests-os-hardening/tree/2.0 is transformed to
     # https://github.com/hardening-io/tests-os-hardening/archive/2.0.tar.gz
+    # https://bitbucket.org/username/repo/branch/branchname is transformed to
+    # https://bitbucket.org/username/repo/get/newbranch.tar.gz
     #
-    # github commit:
+    # commit:
     # https://github.com/hardening-io/tests-os-hardening/tree/48bd4388ddffde68badd83aefa654e7af3231876
     # is transformed to
     # https://github.com/hardening-io/tests-os-hardening/archive/48bd4388ddffde68badd83aefa654e7af3231876.tar.gz
+    # https://bitbucket.org/username/repo/commits/95ce1f83d5bbe9eec34c5973f6894617e8d6d8cc is transformed to
+    # https://bitbucket.org/username/repo/get/95ce1f83d5bbe9eec34c5973f6894617e8d6d8cc.tar.gz
+
     GITHUB_URL_REGEX = %r{^https?://(www\.)?github\.com/(?<user>[\w-]+)/(?<repo>[\w-]+)(\.git)?(/)?$}
     GITHUB_URL_WITH_TREE_REGEX = %r{^https?://(www\.)?github\.com/(?<user>[\w-]+)/(?<repo>[\w-]+)/tree/(?<commit>[\w\.]+)(/)?$}
+    BITBUCKET_URL_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?<user>[\w-]+)/(?<repo>[\w-]+)(\.git)?(/)?$}
+    BITBUCKET_URL_BRANCH_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?<user>[\w-]+)/(?<repo>[\w-]+)/branch/(?<branch>[\w\.]+)(/)?$}
+    BITBUCKET_URL_COMMIT_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?<user>[\w-]+)/(?<repo>[\w-]+)/commits/(?<commit>[\w\.]+)(/)?$}
+
     def self.transform(target)
       transformed_target = if m = GITHUB_URL_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
                              "https://github.com/#{m[:user]}/#{m[:repo]}/archive/master.tar.gz"
                            elsif m = GITHUB_URL_WITH_TREE_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
                              "https://github.com/#{m[:user]}/#{m[:repo]}/archive/#{m[:commit]}.tar.gz"
+                           elsif m = BITBUCKET_URL_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
+                             "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/master.tar.gz"
+                           elsif m = BITBUCKET_URL_BRANCH_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
+                             "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/#{m[:branch]}.tar.gz"
+                           elsif m = BITBUCKET_URL_COMMIT_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition
+                             "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/#{m[:commit]}.tar.gz"
                            end
 
       if transformed_target
@@ -101,7 +118,7 @@ module Fetchers
 
     def sha256
       file = @archive_path || temp_archive_path
-      Digest::SHA256.hexdigest File.read(file)
+      OpenSSL::Digest::SHA256.digest(File.read(file)).unpack('H*')[0]
     end
 
     def file_type_from_remote(remote)