inspec 1.27.0 → 1.28.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a97d110626e91da96f74c2ade783985774f985c6
-  data.tar.gz: 9c6f406166b6e6592b1a43b69353c5bcaf8dc0ef
+  metadata.gz: a0d407da61108e3110902410c9250bb1aa65727d
+  data.tar.gz: '08e3dfe5818627298ae9fada47ebdb20295be3d3'
 SHA512:
-  metadata.gz: 9d6ec986d6914cd057869cce5ba76c3c13c31a8bd044aefcaed4cf6a01cc4cf91ac0b3c118519e7c58c98b8ddd63bef0e04780c8099e1c68bacbfca218d8ae88
-  data.tar.gz: 6b20ef3baa24b1e3de67373101f6c356189ac990fd7789d889ac50fb6d9272f2889f45d61edbdcbe12d9ae4b75d3b302837b043536e7d1d57c5064b95ffa6312
+  metadata.gz: 00b4a96e07c8b54024b756c1abfe4fe0334d16817177ae538902ddb76cc9e21fbd604a473c41fc3538b2a26491872f8ae30c02af82cf913c430238fe526a07d9
+  data.tar.gz: a020a8a48d76d26da019ea92ad298b9e1c70d5a22dc8d3f691457201649d5108c85fb49ff90f37d1112f6b5710db2c5296a20d09ab9512fc5281a68535ba218a

data/CHANGELOG.md

@@ -1,5 +1,30 @@
 # Change Log
 
+## [v1.28.0](https://github.com/chef/inspec/tree/v1.28.0) (2017-06-15)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.27.0...v1.28.0)
+
+**Implemented enhancements:**
+
+- Add support for CoreOS to the service resource [\#1928](https://github.com/chef/inspec/pull/1928) ([rarenerd](https://github.com/rarenerd))
+- Host resource ping method should return stdout [\#1927](https://github.com/chef/inspec/pull/1927) ([justincmoy](https://github.com/justincmoy))
+- Add TCP reachability support on Linux for host resource [\#1915](https://github.com/chef/inspec/pull/1915) ([adamleff](https://github.com/adamleff))
+- Adds support for iis\_app InSpec testing [\#1905](https://github.com/chef/inspec/pull/1905) ([EasyAsABC123](https://github.com/EasyAsABC123))
+- Add support for virtualization resource [\#1803](https://github.com/chef/inspec/pull/1803) ([tkak](https://github.com/tkak))
+
+**Fixed bugs:**
+
+- Error when listing compliance profiles against Automate pre 0.8 [\#1921](https://github.com/chef/inspec/issues/1921)
+- Unexpected `nil` authentication with `inspec exec -t` and WinRM [\#1901](https://github.com/chef/inspec/issues/1901)
+- inspec exec with --json-config option having multiple node information [\#1897](https://github.com/chef/inspec/issues/1897)
+- describe package failing in newer version [\#1797](https://github.com/chef/inspec/issues/1797)
+- Fix detection of Automate pre-0.8.x in Compliance::API [\#1922](https://github.com/chef/inspec/pull/1922) ([adamleff](https://github.com/adamleff))
+- bugfix: reading tgz files with binread [\#1920](https://github.com/chef/inspec/pull/1920) ([arlimus](https://github.com/arlimus))
+- fix intermitten functional vendor test failures [\#1919](https://github.com/chef/inspec/pull/1919) ([arlimus](https://github.com/arlimus))
+- enforce option values where needed [\#1918](https://github.com/chef/inspec/pull/1918) ([arlimus](https://github.com/arlimus))
+- inspec archive for tgz files on windows [\#1907](https://github.com/chef/inspec/pull/1907) ([arlimus](https://github.com/arlimus))
+- reading binary profile data on windows [\#1906](https://github.com/chef/inspec/pull/1906) ([arlimus](https://github.com/arlimus))
+- remove duplicate message in describe.one blocks [\#1896](https://github.com/chef/inspec/pull/1896) ([arlimus](https://github.com/arlimus))
+
 ## [v1.27.0](https://github.com/chef/inspec/tree/v1.27.0) (2017-06-06)
 [Full Changelog](https://github.com/chef/inspec/compare/v1.26.0...v1.27.0)
 

data/docs/resources/host.md.erb

@@ -12,7 +12,7 @@ A `host` resource block declares a host name, and then (depending on what is to
 
 .. code-block:: ruby
 
-   describe host('example.com', port: 80, proto: 'tcp') do
+   describe host('example.com', port: 80, protocol: 'tcp') do
      it { should be_reachable }
    end
 
@@ -21,7 +21,7 @@ where
 * `host()` must specify a host name and may specify a port number and/or a protocol
 * `'example.com'` is the host name
 * `port:` is the port number
-* `proto: 'name'` is the Internet protocol: TCP (`proto: 'tcp'`), UDP (`proto: 'udp'` or  ICMP (`proto: 'icmp'`))
+* `protocol: 'name'` is the Internet protocol: TCP (`protocol: 'tcp'`), UDP (`protocol: 'udp'` or  ICMP (`protocol: 'icmp'`))
 * `be_reachable` is a valid matcher for this resource
 
 
@@ -73,13 +73,13 @@ The following examples show how to use this InSpec audit resource.
 
 ### Verify host name is reachable over a specific protocol and port number
 
-    describe host('example.com', port: 53, proto: 'udp') do
+    describe host('example.com', port: 80, protocol: 'tcp') do
       it { should be_reachable }
     end
 
 ### Verify that a specific IP address can be resolved
 
-    describe host('example.com', port: 80, proto: 'tcp') do
+    describe host('example.com') do
       it { should be_resolvable }
       its('ipaddress') { should include '192.168.1.1' }
     end

data/docs/resources/iis_app.md.erb

@@ -0,0 +1,126 @@
+---
+title: About the iis_app Resource
+---
+
+# iis_app
+
+Use the `iis_app` InSpec audit resource to test the state of IIS on Windows Server 2012 (and later).
+
+## Syntax
+
+An `iis_app` resource block declares details about the named site:
+
+    describe iis_app('application_path', 'site_name') do
+      it { should exist }
+      it { should have_application_pool('application_pool') }
+      it { should have_protocols('protocol') }
+      it { should have_site_name('site') }
+      it { should have_physical_path('physical_path') }
+      it { should have_path('application_path') }
+    end
+
+where
+
+* `'application_path'` is the path to the application, such as `'/myapp'`
+* `'site_name'` is the name of the site, such as `'Default Web Site'`
+* `('application_pool')` is the name of the application pool in which the site's root application is run, such as `'DefaultAppPool'`
+* `('protocols')` is a binding for the site, such as `'http'`. A site may have multiple bindings; therefore, use a `have_protocol` matcher for each site protocol to be tested
+* `('physical_path') is the physical path to the application, such as `'C:\\inetpub\\wwwroot\\myapp'`
+
+For example:
+
+    describe iis_app('/myapp', 'Default Web Site') do
+      it { should exist }
+      it { should have_application_pool('MyAppPool') }
+      it { should have_protocols('http') }
+      it { should have_site_name('Default Web Site') }
+      it { should have_physical_path('C:\\inetpub\\wwwroot\\myapp') }
+      it { should have_path('\\My Application') }
+    end
+
+## Matchers
+
+This InSpec audit resource has the following matchers:
+
+### cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+### eq
+
+<%= partial "/shared/matcher_eq" %>
+
+### exist
+
+The `exist` matcher tests if the site exists:
+
+    it { should exist }
+
+### have\_application\_pool
+
+The `have_application_pool` matcher tests if the named application pool exists for the web application:
+
+    it { should have_application_pool('DefaultAppPool') }
+
+### have_protocol
+
+The `have_protocol` matcher tests if the specified protocol exists for the web application:
+
+    it { should have_protocol('http') }
+
+or:
+
+    it { should have_protocol('https') }
+
+A web application may have multiple bindings; use a `have_protocol` matcher for each unique web application binding to be tested.
+
+##### Protocol Attributes
+
+The `have_protocol` matcher can also test attributes that are defined for a web application enabledProtocols.
+
+    it { should have_protocol('http') }
+
+For example, testing a site that doesn't have https enabled:
+
+    it { should_not have_protocol('https') }
+    it { should have_protocol('http') }
+
+Testing a web application with https enabled and http enabled:
+
+    it { should have_protocol('https') }
+    it { should have_protocol('http') }
+
+### have_physical_path
+
+The `have_physical_path` matcher tests if the named path is defined for the web application:
+
+    it { should have_physical_path('C:\\inetpub\\wwwroot') }
+
+### include
+
+<%= partial "/shared/matcher_include" %>
+
+### match
+
+<%= partial "/shared/matcher_match" %>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test a default IIS web application
+
+    describe iis_app('Default Web Site') do
+      it { should exist }
+      it { should be_running }
+      it { should have_app_pool('DefaultAppPool') }
+      it { should have_binding('http *:80:') }
+      it { should have_path('%SystemDrive%\\inetpub\\wwwroot') }
+    end
+
+### Test if IIS service is running
+
+    describe service('W3SVC') do
+      it { should be_installed }
+      it { should be_running }
+    end

data/docs/resources/virtualization.md.erb

@@ -0,0 +1,71 @@
+---
+title: About the virtualization Resource
+---
+
+# virtualization
+
+Use the `virtualization` InSpec audit resource to test the virtualization platform on which the system is running.
+
+## Syntax
+
+An `virtualization` resource block declares the virtualization platform that should be tested:
+
+    describe virtualization do
+      its('system') { should MATCHER 'value' }
+    end
+
+where
+
+* `('system')` is the name of the system information of the virtualization platform (e.g. docker, lxc, vbox, kvm, etc)
+* `MATCHER` is a valid matcher for this resource
+* `'value'` is the value to be tested
+
+## Matchers
+
+This InSpec audit resource has the following matchers:
+
+### be
+
+<%= partial "/shared/matcher_be" %>
+
+### cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+### eq
+
+<%= partial "/shared/matcher_eq" %>
+
+### include
+
+<%= partial "/shared/matcher_include" %>
+
+### match
+
+<%= partial "/shared/matcher_match" %>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test for Docker
+
+    describe virtualization do
+      its('system') { should eq 'docker' }
+    end
+
+### Test for VirtualBox
+
+    describe virtualization do
+      its('system') { should eq 'vbox' }
+      its('role') { should eq 'guest' }
+    end
+
+### Detect the virtualization platform
+
+    if virtualization.system == 'vbox'
+      describe package('name') do
+        it { should be_installed }
+      end
+    end
+

data/examples/inheritance/inspec.lock

@@ -0,0 +1,11 @@
+---
+lockfile_version: 1
+depends:
+- name: profile
+  resolved_source:
+    path: "/Users/aleff/projects/inspec/examples/profile"
+  version_constraints: ">= 0"
+- name: profile-attribute
+  resolved_source:
+    path: "/Users/aleff/projects/inspec/examples/profile-attribute"
+  version_constraints: ">= 0"

data/examples/meta-profile/inspec.lock

@@ -0,0 +1,18 @@
+---
+lockfile_version: 1
+depends:
+- name: dev-sec/ssh-baseline
+  resolved_source:
+    url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz
+    sha256: 403580959915ea24bc176b9ebdc555aeda5e2c957604b48d5f32b43554423582
+  version_constraints: ">= 0"
+- name: ssl-baseline
+  resolved_source:
+    url: https://github.com/dev-sec/ssl-baseline/archive/master.tar.gz
+    sha256: 0e6d170415e120af5f1dda113f96f7e0d156e49f82706ac41d13da00599f9b25
+  version_constraints: ">= 0"
+- name: windows-patch-benchmark
+  resolved_source:
+    url: https://github.com/chris-rock/windows-patch-benchmark/archive/master.tar.gz
+    sha256: d08d3cc35debff04e708147cdd07739876c5d1c8357afb5e58adfaad92dd650f
+  version_constraints: ">= 0"

data/lib/bundles/inspec-compliance/api.rb

@@ -204,11 +204,22 @@ module Compliance
     end
 
     def self.is_automate_server_pre_080?(config)
-      config['server_type'] == 'automate' && config['version'].nil?
+      # Automate versions before 0.8.x may have a "version" key in the config.
+      # Unless it's a hash that also contains a "version" key, it came from
+      # an Automate server that is pre-0.8.x.
+      return false unless config['server_type'] == 'automate'
+      return true unless config.key?('version')
+      return true unless config['version'].is_a?(Hash)
+      config['version']['version'].nil?
     end
 
     def self.is_automate_server_080_and_later?(config)
-      config['server_type'] == 'automate' && !config['version'].nil?
+      # Automate versions 0.8.x and later will have a "version" key in the config
+      # that looks like: "version":{"api":"compliance","version":"0.8.24"}
+      return false unless config['server_type'] == 'automate'
+      return false unless config.key?('version')
+      return false unless config['version'].is_a?(Hash)
+      !config['version']['version'].nil?
     end
 
     def self.is_automate_server?(config)

data/lib/bundles/inspec-compliance/configuration.rb

@@ -28,6 +28,10 @@ module Compliance
       @config[key] = value
     end
 
+    def key?(key)
+      @config.key?(key)
+    end
+
     def clean
       @config = {}
     end

data/lib/fetchers/url.rb

@@ -96,6 +96,8 @@ module Fetchers
       @insecure = opts['insecure']
       @token = opts['token']
       @config = opts
+      @archive_path = nil
+      @temp_archive_path = nil
     end
 
     def fetch(path)

data/lib/inspec/archive/tar.rb

@@ -17,7 +17,7 @@ module Inspec::Archive
                 tar.mkdir(input_filename, stat.mode)
               else
                 tar.add_file_simple(input_filename, stat.mode, stat.size) do |io|
-                  io.write(File.read(path))
+                  io.write(File.binread(path))
                 end
               end
             end

data/lib/inspec/base_cli.rb

@@ -19,7 +19,7 @@ module Inspec
         desc: 'Specify the login port for a remote scan.'
       option :user, type: :string,
         desc: 'The login user for a remote scan.'
-      option :password, type: :string,
+      option :password, type: :string, lazy_default: -1,
         desc: 'Login password for a remote scan, if required.'
       option :key_files, aliases: :i, type: :array,
         desc: 'Login key or certificate file for a remote scan.'
@@ -27,7 +27,7 @@ module Inspec
         desc: 'Login path to use when connecting to the target (WinRM).'
       option :sudo, type: :boolean,
         desc: 'Run scans with sudo. Only activates on Unix and non-root user.'
-      option :sudo_password, type: :string,
+      option :sudo_password, type: :string, lazy_default: -1,
         desc: 'Specify a sudo password, if it is required.'
       option :sudo_options, type: :string,
         desc: 'Additional sudo options for a remote scan.'
@@ -100,6 +100,23 @@ module Inspec
     end
 
     def opts
+      o = merged_opts
+
+      # Due to limitations in Thor it is not possible to set an argument to be
+      # both optional and its value to be mandatory. E.g. the user supplying
+      # the --password argument is optional and not always required, but
+      # whenever it is used, it requires a value. Handle options that were
+      # defined above and require a value here:
+      %w{password sudo-password}.each do |v|
+        id = v.tr('-', '_').to_sym
+        next unless o[id] == -1
+        raise ArgumentError, "Please provide a value for --#{v}. For example: --#{v}=hello."
+      end
+
+      o
+    end
+
+    def merged_opts
       # argv overrides json
       Thor::CoreExt::HashWithIndifferentAccess.new(options_json.merge(options))
     end

data/lib/inspec/file_provider.rb

@@ -24,12 +24,29 @@ module Inspec
     def initialize(_path)
     end
 
+    # List all files that are offered.
+    #
+    # @return [Array[String]] list of file paths that are included
+    def files
+      raise "Fetcher #{self} does not implement `files()`. This is required."
+    end
+
+    # Read the contents of a file. This will typically refer to a text
+    # file reading a string.
+    #
+    # @param _file [String] path of the file to be read
+    # @return [String] contents of the file described
     def read(_file)
       raise "#{self} does not implement `read(...)`. This is required."
     end
 
-    def files
-      raise "Fetcher #{self} does not implement `files()`. This is required."
+    # Provide a method for reading binary contents from a file.
+    # It will default to #read if not defined. For most streams that implement
+    # it, it will be the same. For some special cases, it will add change the
+    # way in which encoding of the returned data structure is handled.
+    # Does not work with alias nor alias_method.
+    def binread(file)
+      read(file)
     end
 
     def relative_provider
@@ -65,6 +82,12 @@ module Inspec
       return nil unless File.file?(file)
       File.read(file)
     end
+
+    def binread(file)
+      return nil unless files.include?(file)
+      return nil unless File.file?(file)
+      File.binread(file)
+    end
   end
 
   class ZipProvider < FileProvider
@@ -163,6 +186,10 @@ module Inspec
       parent.read(abs_path(file))
     end
 
+    def binread(file)
+      parent.binread(abs_path(file))
+    end
+
     private
 
     def get_prefix(fs)

data/lib/inspec/plugins/resource.rb

@@ -58,7 +58,7 @@ module Inspec
         end
 
         def resource_skipped
-          @resource_skipped
+          @resource_skipped if defined?(@resource_skipped)
         end
 
         def skip_resource(message)

data/lib/inspec/profile.rb

@@ -37,7 +37,7 @@ module Inspec
       cache = file_provider.files.find_all do |entry|
         entry.start_with?('vendor')
       end
-      content = Hash[cache.map { |x| [x, file_provider.read(x)] }]
+      content = Hash[cache.map { |x| [x, file_provider.binread(x)] }]
       keys = content.keys
       keys.each do |key|
         next if content[key].nil?
@@ -47,7 +47,7 @@ module Inspec
 
         FileUtils.mkdir_p tar.dirname.to_s
         Inspec::Log.debug "Copy #{tar} to cache directory"
-        File.write(tar.to_s, content[key].force_encoding('UTF-8'))
+        File.binwrite(tar.to_s, content[key])
       end
     end
 

data/lib/inspec/resource.rb

@@ -96,6 +96,7 @@ require 'resources/groups'
 require 'resources/grub_conf'
 require 'resources/host'
 require 'resources/http'
+require 'resources/iis_app'
 require 'resources/iis_site'
 require 'resources/inetd_conf'
 require 'resources/interface'
@@ -138,6 +139,7 @@ require 'resources/ssh_conf'
 require 'resources/sys_info'
 require 'resources/users'
 require 'resources/vbscript'
+require 'resources/virtualization'
 require 'resources/windows_feature'
 require 'resources/windows_task'
 require 'resources/xinetd'

data/lib/inspec/rspec_json_formatter.rb

@@ -52,7 +52,7 @@ class InspecRspecMiniJson < RSpec::Core::Formatters::JsonFormatter
       format_example(example).tap do |hash|
         e = example.exception
         next unless e
-        hash[:message] = e.message
+        hash[:message] = exception_message(e)
 
         next if e.is_a? RSpec::Expectations::ExpectationNotMetError
         hash[:exception] = e.class.name
@@ -63,6 +63,14 @@ class InspecRspecMiniJson < RSpec::Core::Formatters::JsonFormatter
 
   private
 
+  def exception_message(exception)
+    if exception.is_a?(RSpec::Core::MultipleExceptionError)
+      exception.all_exceptions.map(&:message).uniq.join("\n\n")
+    else
+      exception.message
+    end
+  end
+
   def format_example(example)
     if !example.metadata[:description_args].empty? && example.metadata[:skip]
       # For skipped profiles, rspec returns in full_description the skip_message as well. We don't want

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.27.0'.freeze
+  VERSION = '1.28.0'.freeze
 end

data/lib/resources/auditd_rules.rb

@@ -86,6 +86,7 @@ module Inspec::Resources
         @legacy = AuditdRulesLegacy.new(@content)
       else
         parse_content
+        @legacy = nil
       end
     end
 

data/lib/resources/host.rb

@@ -10,7 +10,7 @@
 # end
 #
 # To verify a hostname with protocol and port
-# describe host('example.com', port: 53, proto: 'udp') do
+# describe host('example.com', port: 443, protocol: 'tcp') do
 #   it { should be_reachable }
 # end
 #
@@ -33,17 +33,26 @@ module Inspec::Resources
         it { should be_reachable }
       end
 
-      describe host('example.com', port: '80') do
+      describe host('example.com', port: '80', protocol: 'tcp') do
         it { should be_reachable }
       end
     "
 
+    attr_reader :hostname, :port, :protocol
+
     def initialize(hostname, params = {})
       @hostname = hostname
-      @port = params[:port]   || nil
-      @proto = params[:proto] || nil
+      @port = params[:port]
 
-      return skip_resource 'The UDP protocol for the `host` resource is not supported yet.' if @proto == 'udp'
+      if params[:proto]
+        warn '[DEPRECATION] The `proto` parameter is deprecated. Use `protocol` instead.'
+        @protocol = params[:proto]
+      else
+        @protocol = params.fetch(:protocol, 'icmp')
+      end
+
+      return skip_resource 'Invalid protocol: only `tcp` and `icmp` protocols are support for the `host` resource.' unless
+        %w{icmp tcp}.include?(@protocol)
 
       @host_provider = nil
       if inspec.os.linux?
@@ -55,6 +64,16 @@ module Inspec::Resources
       else
         return skip_resource 'The `host` resource is not supported on your OS yet.'
       end
+
+      missing_requirements = @host_provider.missing_requirements(protocol)
+      unless missing_requirements.empty?
+        return skip_resource "The following requirements are not met for this resource: #{missing_requirements.join(', ')}"
+      end
+    end
+
+    def proto
+      warn '[DEPRECATION] The `proto` method is deprecated. Use `protocol` instead.'
+      protocol
     end
 
     # if we get the IP address, the host is resolvable
@@ -63,9 +82,25 @@ module Inspec::Resources
       resolve.nil? || resolve.empty? ? false : true
     end
 
-    def reachable?(port = nil, proto = nil, timeout = nil)
-      raise "Use `host` resource with host('#{@hostname}', port: #{port}, proto: '#{proto}') parameters." if !port.nil? || !proto.nil? || !timeout.nil?
-      ping.nil? ? false : ping
+    def reachable?
+      # ping checks do not require port or protocol
+      return ping.fetch(:success, false) if protocol == 'icmp'
+
+      # if either port or protocol are specified but not both, we cannot proceed.
+      if port.nil? || protocol.nil?
+        raise "Protocol required with port. Use `host` resource with host('#{hostname}', port: 1234, proto: 'tcp') parameters." if port.nil? || protocol.nil?
+      end
+
+      # perform the protocol-specific reachability test
+      ping.fetch(:success, false)
+    end
+
+    def connection
+      ping[:connection]
+    end
+
+    def socket
+      ping[:socket]
     end
 
     # returns all A records of the IP address, will return an array
@@ -74,19 +109,21 @@ module Inspec::Resources
     end
 
     def to_s
-      "Host #{@hostname}"
+      "Host #{hostname}"
     end
 
     private
 
     def ping
       return @ping_cache if defined?(@ping_cache)
-      @ping_cache = @host_provider.ping(@hostname, @port, @proto) if !@host_provider.nil?
+      return {} if @host_provider.nil?
+
+      @ping_cache = @host_provider.ping(hostname, port, protocol)
     end
 
     def resolve
       return @ip_cache if defined?(@ip_cache)
-      @ip_cache = @host_provider.resolve(@hostname) if !@host_provider.nil?
+      @ip_cache = @host_provider.resolve(hostname) if !@host_provider.nil?
     end
   end
 
@@ -95,16 +132,37 @@ module Inspec::Resources
     def initialize(inspec)
       @inspec = inspec
     end
+
+    def missing_requirements(_protocol)
+      # each provider can return an array of missing requirements that can
+      # be enumerated in a skip_resource message
+      []
+    end
   end
 
   class DarwinHostProvider < HostProvider
-    def ping(hostname, port = nil, proto = nil)
-      if proto == 'tcp'
+    def missing_requirements(protocol)
+      missing = []
+
+      if protocol == 'tcp'
+        missing << 'netcat must be installed' unless inspec.command('nc').exist?
+      end
+
+      missing
+    end
+
+    def ping(hostname, port, protocol)
+      if protocol == 'tcp'
         resp = inspec.command("nc -vz -G 1 #{hostname} #{port}")
       else
         resp = inspec.command("ping -W 1 -c 1 #{hostname}")
       end
-      resp.exit_status.to_i != 0 ? false : true
+
+      {
+        success: resp.exit_status.to_i.zero?,
+        connection: resp.stderr,
+        socket: resp.stdout,
+      }
     end
 
     def resolve(hostname)
@@ -121,12 +179,29 @@ module Inspec::Resources
   end
 
   class LinuxHostProvider < HostProvider
-    # ping is difficult to achieve, since we are not sure
-    def ping(hostname, _port = nil, _proto = nil)
-      # fall back to ping, but we can only test ICMP packages with ping
-      # therefore we have to skip the test, if we do not have everything on the node to run the test
-      ping = inspec.command("ping -w 1 -c 1 #{hostname}")
-      ping.exit_status.to_i != 0 ? false : true
+    def missing_requirements(protocol)
+      missing = []
+
+      if protocol == 'tcp'
+        missing << 'netcat must be installed' unless inspec.command('nc').exist?
+      end
+
+      missing
+    end
+
+    def ping(hostname, port, protocol)
+      if protocol == 'tcp'
+        resp = inspec.command("echo | nc -v -w 1 #{hostname} #{port}")
+      else
+        # fall back to ping, but we can only test ICMP packages with ping
+        resp = inspec.command("ping -w 1 -c 1 #{hostname}")
+      end
+
+      {
+        success: resp.exit_status.to_i.zero?,
+        connection: resp.stderr,
+        socket: resp.stdout,
+      }
     end
 
     def resolve(hostname)
@@ -156,15 +231,10 @@ module Inspec::Resources
       begin
         ping = JSON.parse(cmd.stdout)
       rescue JSON::ParserError => _e
-        return nil
+        return {}
       end
 
-      # Logic being if you provided a port you wanted to check it was open
-      if port.nil?
-        ping['PingSucceeded']
-      else
-        ping['TcpTestSucceeded']
-      end
+      { success: port.nil? ? ping['PingSucceeded'] : ping['TcpTestSucceeded'] }
     end
 
     def resolve(hostname)

data/lib/resources/iis_app.rb

@@ -0,0 +1,103 @@
+# encoding: utf-8
+# frozen_string_literal: true
+# check for web applications in IIS
+# Note: this is only supported in windows 2012 and later
+module Inspec::Resources
+  class IisApp < Inspec.resource(1)
+    name 'iis_app'
+    desc 'Tests IIS application configuration on windows. Supported in server 2012+ only'
+    example "
+      describe iis_app('/myapp', 'Default Web Site') do
+        it { should exist }
+        it { should have_application_pool('MyAppPool') }
+        it { should have_protocols('http') }
+        it { should have_site_name('Default Web Site') }
+        it { should have_physical_path('C:\\inetpub\\wwwroot\\myapp') }
+        it { should have_path('\\My Application') }
+      end
+    "
+
+    def initialize(path, site_name)
+      @path = path
+      @site_name = site_name
+      @cache = nil
+      @inspec = inspec
+
+      # verify that this resource is only supported on Windows
+      return skip_resource 'The `iis_app` resource is not supported on your OS.' unless inspec.os.windows?
+    end
+
+    def application_pool
+      iis_app[:application_pool]
+    end
+
+    def protocols
+      iis_app[:protocols]
+    end
+
+    def site_name
+      iis_app[:site_name]
+    end
+
+    def path
+      iis_app[:path]
+    end
+
+    def physical_path
+      iis_app[:physical_path]
+    end
+
+    def exists?
+      !iis_app[:path].empty?
+    end
+
+    def has_site_name?(site_name)
+      iis_app[:site_name] == site_name
+    end
+
+    def has_application_pool?(application_pool)
+      iis_app[:application_pool] == application_pool
+    end
+
+    def has_path?(path)
+      iis_app[:path] == path
+    end
+
+    def has_physical_path?(physical_path)
+      iis_app[:physical_path] == physical_path
+    end
+
+    def has_protocol?(protocol)
+      iis_app[:protocols].include?(protocol)
+    end
+
+    def to_s
+      "iis_app '#{@site_name}#{@path}'"
+    end
+
+    private
+
+    def iis_app
+      return @cache unless @cache.nil?
+      command = "Import-Module WebAdministration; Get-WebApplication -Name '#{@path}' -Site '#{@site_name}' | Select-Object * | ConvertTo-Json"
+      cmd = @inspec.command(command)
+
+      begin
+        app = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        return {}
+      end
+
+      # map our values to a hash table
+      info = {
+        site_name: @site_name,
+        path: @path,
+        application_pool: app['applicationPool'],
+        physical_path: app['PhysicalPath'],
+        protocols: app['enabledProtocols'],
+      }
+
+      @cache = info unless info.nil?
+    end
+  end
+end

data/lib/resources/service.rb

@@ -151,6 +151,8 @@ module Inspec::Resources
         BSDInit.new(inspec, service_ctl)
       elsif %w{arch}.include?(platform)
         Systemd.new(inspec, service_ctl)
+      elsif %w{coreos}.include?(platform)
+        Systemd.new(inspec, service_ctl)
       elsif %w{suse opensuse}.include?(platform)
         if os[:release].to_i >= 12
           Systemd.new(inspec, service_ctl)

data/lib/resources/virtualization.rb

@@ -0,0 +1,252 @@
+# encoding: utf-8
+# author: Takaaki Furukawa
+
+require 'hashie/mash'
+
+module Inspec::Resources
+  class Virtualization < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
+    name 'virtualization'
+    desc 'Use the virtualization InSpec audit resource to test the virtualization platform on which the system is running'
+    example "
+      describe virtualization do
+        its('system') { should eq 'docker' }
+      end
+
+      describe virtualization do
+        its('role') { should eq 'guest' }
+      end
+
+      control 'test' do
+        describe file('/var/tmp/foo') do
+          it { should be_file }
+        end
+        only_if { virtualization.system == 'docker' }
+      end
+    "
+
+    def initialize
+      unless inspec.os.linux?
+        skip_resource 'The `virtualization` resource is not supported on your OS yet.'
+      else
+        collect_data_linux
+      end
+    end
+
+    # add helper methods for easy access of properties
+    # allows users to use virtualization.role, virtualization.system
+    %w{role system}.each do |property|
+      define_method(property.to_sym) do
+        @virtualization_data[property.to_sym]
+      end
+    end
+
+    def params
+      collect_data_linux
+    end
+
+    def to_s
+      'Virtualization Detection'
+    end
+
+    private
+
+    def lxc_version_exists?
+      inspec.command('lxc-version').exist?
+    end
+
+    def docker_exists?
+      inspec.command('docker').exist?
+    end
+
+    def nova_exists?
+      inspec.command('nova').exist?
+    end
+
+    # Detect Xen
+    # /proc/xen is an empty dir for EL6 + Linode Guests + Paravirt EC2 instances
+    # Notes:
+    # - cpuid of guests, if we could get it, would also be a clue
+    # - may be able to determine if under paravirt from /dev/xen/evtchn (See OHAI-253)
+    # - Additional edge cases likely should not change the above assumptions
+    #   but rather be additive - btm
+    def detect_xen
+      return false unless inspec.file('/proc/xen').exist?
+      @virtualization_data[:system] = 'xen'
+      @virtualization_data[:role] = 'guest'
+
+      # This file should exist on most Xen systems, normally empty for guests
+      if inspec.file('/proc/xen/capabilities').exist? &&
+          inspec.file('/proc/xen/capabilities').content =~ /control_d/i # rubocop:disable Style/MultilineOperationIndentation
+        @virtualization_data[:role] = 'host'
+      end
+      true
+    end
+
+    # Detect Virtualbox from kernel module
+    def detect_virtualbox
+      return false unless inspec.file('/proc/modules').exist?
+      modules = inspec.file('/proc/modules').content
+      if modules =~ /^vboxdrv/
+        Inspec::Log.debug('Plugin Virtualization: /proc/modules contains vboxdrv. Detecting as vbox host')
+        @virtualization_data[:system] = 'vbox'
+        @virtualization_data[:role] = 'host'
+      elsif modules =~ /^vboxguest/
+        Inspec::Log.debug('Plugin Virtualization: /proc/modules contains vboxguest. Detecting as vbox guest')
+        @virtualization_data[:system] = 'vbox'
+        @virtualization_data[:role] = 'guest'
+      else
+        return false
+      end
+      true
+    end
+
+    # if nova binary is present we're on an openstack host
+    def detect_openstack
+      return false unless nova_exists?
+      @virtualization_data[:system] = 'openstack'
+      @virtualization_data[:role] = 'host'
+      true
+    end
+
+    # Detect paravirt KVM/QEMU from cpuinfo, report as KVM
+    def detect_kvm_from_cpuinfo
+      return false unless inspec.file('/proc/cpuinfo').content =~ /QEMU Virtual CPU|Common KVM processor|Common 32-bit KVM processor/
+      @virtualization_data[:system] = 'kvm'
+      @virtualization_data[:role] = 'guest'
+      true
+    end
+
+    # Detect KVM systems via /sys
+    # guests will have the hypervisor cpu feature that hosts don't have
+    def detect_kvm_from_sys
+      return false unless inspec.file('/sys/devices/virtual/misc/kvm').exist?
+      if inspec.file('/proc/cpuinfo').content =~ /hypervisor/
+        @virtualization_data[:system] = 'kvm'
+        @virtualization_data[:role] = 'guest'
+      else
+        @virtualization_data[:system] = 'kvm'
+        @virtualization_data[:role] = 'host'
+      end
+      true
+    end
+
+    # Detect OpenVZ / Virtuozzo.
+    # http://wiki.openvz.org/BC_proc_entries
+    def detect_openvz
+      if inspec.file('/proc/bc/0').exist?
+        @virtualization_data[:system] = 'openvz'
+        @virtualization_data[:role] = 'host'
+      elsif inspec.file('/proc/vz').exist?
+        @virtualization_data[:system] = 'openvz'
+        @virtualization_data[:role] = 'guest'
+      else
+        return false
+      end
+      true
+    end
+
+    # Detect Parallels virtual machine from pci devices
+    def detect_parallels
+      return false unless inspec.file('/proc/bus/pci/devices').content =~ /1ab84000/
+      @virtualization_data[:system] = 'parallels'
+      @virtualization_data[:role] = 'guest'
+      true
+    end
+
+    # Detect Linux-VServer
+    def detect_linux_vserver
+      return false unless inspec.file('/proc/self/status').exist?
+      proc_self_status = inspec.file('/proc/self/status').content
+      vxid = proc_self_status.match(/^(s_context|VxID):\s*(\d+)$/)
+      return false unless vxid && vxid[2]
+      @virtualization_data[:system] = 'linux-vserver'
+      if vxid[2] == '0'
+        @virtualization_data[:role] = 'host'
+      else
+        @virtualization_data[:role] = 'guest'
+      end
+      true
+    end
+
+    # Detect LXC/Docker
+    #
+    # /proc/self/cgroup will look like this inside a docker container:
+    # <index #>:<subsystem>:/lxc/<hexadecimal container id>
+    #
+    # /proc/self/cgroup could have a name including alpha/digit/dashes
+    # <index #>:<subsystem>:/lxc/<named container id>
+    #
+    # /proc/self/cgroup could have a non-lxc cgroup name indicating other uses
+    # of cgroups.  This is probably not LXC/Docker.
+    # <index #>:<subsystem>:/Charlie
+    #
+    # A host which supports cgroups, and has capacity to host lxc containers,
+    # will show the subsystems and root (/) namespace.
+    # <index #>:<subsystem>:/
+    #
+    # Full notes, https://tickets.opscode.com/browse/OHAI-551
+    # Kernel docs, https://www.kernel.org/doc/Documentation/cgroups
+    def detect_lxc_docker
+      return false unless inspec.file('/proc/self/cgroup').exist?
+      cgroup_content = inspec.file('/proc/self/cgroup').content
+      if cgroup_content =~ %r{^\d+:[^:]+:/(lxc|docker)/.+$} ||
+          cgroup_content =~ %r{^\d+:[^:]+:/[^/]+/(lxc|docker)-.+$} # rubocop:disable Style/MultilineOperationIndentation
+        @virtualization_data[:system] = $1 # rubocop:disable Style/PerlBackrefs
+        @virtualization_data[:role] = 'guest'
+      elsif lxc_version_exists? && cgroup_content =~ %r{\d:[^:]+:/$}
+        # lxc-version shouldn't be installed by default
+        # Even so, it is likely we are on an LXC capable host that is not being used as such
+        # So we're cautious here to not overwrite other existing values (OHAI-573)
+        unless @virtualization_data[:system] && @virtualization_data[:role]
+          @virtualization_data[:system] = 'lxc'
+          @virtualization_data[:role] = 'host'
+        end
+      else
+        return false
+      end
+      true
+    end
+
+    def detect_docker
+      return false unless inspec.file('/.dockerenv').exist? || inspec.file('/.dockerinit').exist?
+      @virtualization_data[:system] = 'docker'
+      @virtualization_data[:role] = 'guest'
+      true
+    end
+
+    # Detect LXD
+    # See https://github.com/lxc/lxd/blob/master/doc/dev-lxd.md
+    def detect_lxd
+      if inspec.file('/dev/lxd/sock').exist?
+        @virtualization_data[:system] = 'lxd'
+        @virtualization_data[:role] = 'guest'
+      elsif inspec.file('/var/lib/lxd/devlxd').exist?
+        @virtualization_data[:system] = 'lxd'
+        @virtualization_data[:role] = 'host'
+      else
+        return false
+      end
+      true
+    end
+
+    def collect_data_linux # rubocop:disable Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity
+      # cache data in an instance var to avoid doing multiple detections for a single test
+      @virtualization_data ||= Hashie::Mash.new
+      return unless @virtualization_data.empty?
+
+      # each detect method will return true if it matched and was successfully
+      # able to populate @virtualization_data with stuff.
+      return if detect_xen
+      return if detect_virtualbox
+      return if detect_openstack
+      return if detect_kvm_from_cpuinfo
+      return if detect_kvm_from_sys
+      return if detect_openvz
+      return if detect_parallels
+      return if detect_linux_vserver
+      return if detect_lxc_docker
+      return if detect_docker
+      return if detect_lxd
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.27.0
+  version: 1.28.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-06-06 00:00:00.000000000 Z
+date: 2017-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -305,6 +305,7 @@ files:
 - docs/migration.md
 - docs/plugin_kitchen_inspec.md
 - docs/profiles.md
+- docs/resources.md
 - docs/resources/apache_conf.md.erb
 - docs/resources/apt.md.erb
 - docs/resources/audit_policy.md.erb
@@ -331,6 +332,7 @@ files:
 - docs/resources/grub_conf.md.erb
 - docs/resources/host.md.erb
 - docs/resources/http.md.erb
+- docs/resources/iis_app.md.erb
 - docs/resources/iis_site.md.erb
 - docs/resources/inetd_conf.md.erb
 - docs/resources/ini.md.erb
@@ -377,6 +379,7 @@ files:
 - docs/resources/user.md.erb
 - docs/resources/users.md.erb
 - docs/resources/vbscript.md.erb
+- docs/resources/virtualization.md.erb
 - docs/resources/windows_feature.md.erb
 - docs/resources/windows_task.md.erb
 - docs/resources/wmi.md.erb
@@ -396,6 +399,7 @@ files:
 - examples/README.md
 - examples/inheritance/README.md
 - examples/inheritance/controls/example.rb
+- examples/inheritance/inspec.lock
 - examples/inheritance/inspec.yml
 - examples/kitchen-ansible/.kitchen.yml
 - examples/kitchen-ansible/Gemfile
@@ -421,7 +425,11 @@ files:
 - examples/kitchen-puppet/test/integration/default/web_spec.rb
 - examples/meta-profile/README.md
 - examples/meta-profile/controls/example.rb
+- examples/meta-profile/inspec.lock
 - examples/meta-profile/inspec.yml
+- examples/meta-profile/vendor/0e6d170415e120af5f1dda113f96f7e0d156e49f82706ac41d13da00599f9b25.tar.gz
+- examples/meta-profile/vendor/403580959915ea24bc176b9ebdc555aeda5e2c957604b48d5f32b43554423582.tar.gz
+- examples/meta-profile/vendor/d08d3cc35debff04e708147cdd07739876c5d1c8357afb5e58adfaad92dd650f.tar.gz
 - examples/profile-attribute.yml
 - examples/profile-attribute/README.md
 - examples/profile-attribute/controls/example.rb
@@ -558,6 +566,7 @@ files:
 - lib/resources/grub_conf.rb
 - lib/resources/host.rb
 - lib/resources/http.rb
+- lib/resources/iis_app.rb
 - lib/resources/iis_site.rb
 - lib/resources/inetd_conf.rb
 - lib/resources/ini.rb
@@ -601,6 +610,7 @@ files:
 - lib/resources/sys_info.rb
 - lib/resources/users.rb
 - lib/resources/vbscript.rb
+- lib/resources/virtualization.rb
 - lib/resources/windows_feature.rb
 - lib/resources/windows_task.rb
 - lib/resources/wmi.rb