inspec 1.29.0 → 1.30.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a517bb883e12e171576ca6d64da4005fc89eb117
-  data.tar.gz: '04879fa4af63f6e2274b2965d1167bc5971c9b59'
+  metadata.gz: 745f9c48fb9d28298944aef579f3d8d24255acf5
+  data.tar.gz: 0e69074ae2ba59b6fd09c6f09ddb784a97fd4fee
 SHA512:
-  metadata.gz: f97bd24162ff420b55122fdfe53abecdb06085d2fce6dddbea87eb47f140e30785e1d607ddd081dcf45a0ed3ff11112a9a48eca02ed2c22d2b6023492cc9294a
-  data.tar.gz: 20b0a7c4dc401b382d99c9bbb6c691bf4ffbbe147dda7c1d2e24076a851ed746b3bbf89539b12a1329cec87f8fe04c2e8f699fb736d31478b2bf53d92f736b4f
+  metadata.gz: '043509ac03b2be5d7025476cbe33ffff43cf8cc6b5176b4f2519317ef8c3190302b3edc2d870a218c10192699b927b4e6027806fdd3ff677bdcbbf51d605d051'
+  data.tar.gz: '009d85fe8d9e0f0e778286b229e1ef4ad70ee18e023bfd638143cf2a68db068272fc862bc17161151842e3e0fd7b16cb516c0b9079a73f13ad327baf1e171aa9'

data/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Change Log
 
+## [v1.30.0](https://github.com/chef/inspec/tree/v1.30.0) (2017-06-29)
+[Full Changelog](https://github.com/chef/inspec/compare/v1.29.0...v1.30.0)
+
+**Implemented enhancements:**
+
+- Ensure docker resource works with docker 1.13+ [\#1966](https://github.com/chef/inspec/pull/1966) ([chris-rock](https://github.com/chris-rock))
+- Add `rpm\_dbpath` support to the package resource [\#1960](https://github.com/chef/inspec/pull/1960) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- Allow mysql resource to accept socket path [\#1933](https://github.com/chef/inspec/pull/1933) ([rshade](https://github.com/rshade))
+- add nginx\_conf resource [\#1889](https://github.com/chef/inspec/pull/1889) ([arlimus](https://github.com/arlimus))
+- oracle\_session and mssql\_session improvement [\#1857](https://github.com/chef/inspec/pull/1857) ([chris-rock](https://github.com/chris-rock))
+
+**Fixed bugs:**
+
+- Fix socket handling in mysql resource [\#1971](https://github.com/chef/inspec/pull/1971) ([chris-rock](https://github.com/chris-rock))
+- Fix typo in the version\_from\_dir method in postgres\_session resource [\#1962](https://github.com/chef/inspec/pull/1962) ([aaronlippold](https://github.com/aaronlippold))
+- make postgres resource working in mock runner \(for inspec check\) [\#1961](https://github.com/chef/inspec/pull/1961) ([chris-rock](https://github.com/chris-rock))
+- Fix directory resource output and exists check [\#1950](https://github.com/chef/inspec/pull/1950) ([adamleff](https://github.com/adamleff))
+- Fix postgres\_conf ability to test parameters that have a dot in them [\#1938](https://github.com/chef/inspec/pull/1938) ([aaronlippold](https://github.com/aaronlippold))
+
 ## [v1.29.0](https://github.com/chef/inspec/tree/v1.29.0) (2017-06-22)
 [Full Changelog](https://github.com/chef/inspec/compare/v1.28.1...v1.29.0)
 

data/bin/inspec

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 # encoding: utf-8
-# Copyright 2015 Dominik Richter. All rights reserved.
+# Copyright 2015 Dominik Richter
 # author: Dominik Richter
 # author: Christoph Hartmann
 

data/docs/profiles.md

@@ -282,15 +282,24 @@ Attributes may be used in profiles to define secrets, such as user names and pas
 
 For example, a control:
 
+    # define these attributes on the top-level of your file and re-use them across all tests!
     val_user = attribute('user', default: 'alice', description: 'An identification for the user')
     val_password = attribute('password', description: 'A value for the password')
 
-    describe val_user do
-      it { should eq 'bob' }
-    end
+    control 'system-users' do
+      impact 0.8
+      desc '
+        This test assures that the user "Bob" has a user installed on the system, along with a
+        specified password.
+      '
+
+      describe val_user do
+        it { should eq 'bob' }
+      end
 
-    describe val_password do
-      it { should eq 'secret' }
+      describe val_password do
+        it { should eq 'secret' }
+      end
     end
 
 And a Yaml file named `profile-attribute.yml`:

data/docs/resources/iptables.md.erb

@@ -20,8 +20,7 @@ where
 * `rule:'name'` is the name of a rule that matches a set of packets
 * `table:'name'` is the packet matching table against which the test is run
 * `chain: 'name'` is the name of a user-defined chain or one of `ACCEPT`, `DROP`, `QUEUE`, or `RETURN`
-* `have_rule('RULE')` tests that rule in the iptables file
-
+* `have_rule('RULE')` tests that rule in the iptables list. This must match the entire line taken from `iptables -S CHAIN`.
 
 ## Matchers
 
@@ -57,14 +56,22 @@ The `have_rule` matcher tests the named rule against the information in the `ipt
 
 The following examples show how to use this InSpec audit resource.
 
-### Test if the IP table allows a packet through
+### Test if the INPUT chain is in default ACCEPT mode
 
     describe iptables do
       it { should have_rule('-P INPUT ACCEPT') }
     end
 
-### Test if the IP table allows a packet through, for a specific table and chain
+### Test if the INPUT chain from the mangle table is in ACCEPT mode
 
-    describe iptables(table:'mangle', chain: 'input') do
+    describe iptables(table:'mangle', chain: 'INPUT') do
       it { should have_rule('-P INPUT ACCEPT') }
     end
+
+### Test if there is a rule allowing Postgres (5432/TCP) traffic
+
+    describe iptables do
+      it { should have_rule('-A INPUT -p tcp -m tcp -m multiport --dports 5432 -m comment --comment "postgres" -j ACCEPT') }
+    end
+
+Note that the rule specification must exactly match what's in the output of `iptables -S INPUT`, which will depend on how you've built your rules.

data/docs/resources/mssql_session.md.erb

@@ -10,24 +10,20 @@ Use the `mssql_session` InSpec audit resource to test SQL commands run against a
 
 A `mssql_session` resource block declares the username and password to use for the session, and then the command to be run:
 
-    describe mssql_session(user: 'username', pass: 'password').query('QUERY') do
-      its('output') { should eq('') }
+    describe mssql_session(user: 'username', password: 'password').query('QUERY').row(0).column('result') do
+      its('value') { should eq('') }
     end
 
 where
 
 * `mssql_session` declares a username and password with permission to run the query.  Omitting the username or password parameters results in the use of Windows authentication as the user InSpec is executing as.  You may also optionally pass a host and instance name.  If omitted, they will default to host: localhost and the default instance.
 * `query('QUERY')` contains the query to be run
-* `its('output') { should eq('') }` compares the results of the query against the expected result in the test
+* `its('value') { should eq('') }` compares the results of the query against the expected result in the test
 
 ## Matchers
 
 This InSpec audit resource has the following matchers:
 
-### be
-
-<%= partial "/shared/matcher_be" %>
-
 ### cmp
 
 <%= partial "/shared/matcher_cmp" %>
@@ -36,19 +32,6 @@ This InSpec audit resource has the following matchers:
 
 <%= partial "/shared/matcher_eq" %>
 
-### include
-
-<%= partial "/shared/matcher_include" %>
-
-### match
-
-<%= partial "/shared/matcher_match" %>
-
-### output
-
-The `output` matcher tests the results of the query:
-
-    its('output') { should eq(/^0/) }
 
 ## Examples
 
@@ -56,24 +39,24 @@ The following examples show how to use this InSpec audit resource.
 
 ### Test for matching databases
 
-    sql = mssql_session(user: 'my_user', pass: 'password')
+    sql = mssql_session(user: 'my_user', password: 'password')
 
-    describe sql.query('show databases like \'test\';') do
-      its('stdout') { should_not match(/test/) }
+    describe sql.query("SELECT SERVERPROPERTY('ProductVersion') as result").row(0).column('result') do
+      its("value") { should cmp > '12.00.4457' }
     end
 
 ### Test using Windows authentication
 
     sql = mssql_session
 
-    describe sql.query('show databases like \'test\';') do
-      its('stdout') { should_not match(/test/) }
+    describe sql.query("SELECT SERVERPROPERTY('ProductVersion') as result").row(0).column('result') do
+      its("value") { should cmp > '12.00.4457' }
     end
 
 ### Test a specific host and instance
 
-    sql = mssql_session(user: 'my_user', pass: 'password', host: 'mssqlserver', instance: 'foo')
+    sql = mssql_session(user: 'my_user', password: 'password', host: 'mssqlserver', instance: 'foo')
 
-    describe sql.query('show databases like \'test\';') do
-      its('stdout') { should_not match(/test/) }
+    describe sql.query("SELECT SERVERPROPERTY('ProductVersion') as result").row(0).column('result') do
+      its("value") { should cmp > '12.00.4457' }
     end

data/docs/resources/mysql_session.md.erb

@@ -61,3 +61,15 @@ The following examples show how to use this InSpec audit resource.
     describe sql.query('show databases like \'test\';') do
       its('stdout') { should_not match(/test/) }
     end
+
+### Alternate Connection: Different Host
+
+  sql = mysql_session('my_user','password','db.example.com')
+
+### Alternate Connection: Different Port
+
+  sql = mysql_seesion('my_user','password','localhost',3307)
+
+### Alternate Connection: Using a socket
+
+  sql = mysql_session('my_user','password', nil, nil, '/var/lib/mysql-default/mysqld.sock')

data/docs/resources/oracledb_session.md.erb

@@ -10,24 +10,20 @@ Use the `oracledb_session` InSpec audit resource to test SQL commands run agains
 
 A `oracledb_session` resource block declares the username and password to use for the session with an optional service to connect to, and then the command to be run:
 
-    describe oracledb_session(user: 'username', pass: 'password').query('QUERY') do
-      its('output') { should eq('') }
+    describe oracledb_session(user: 'username', password: 'password', service: 'ORCL.localdomain').query('QUERY').row(0).column('result') do
+      its('value') { should eq('') }
     end
 
 where
 
-* `oracledb_session` declares a username and password with permission to run the query (required), and an optional parameters for host (default: `localhost`), SID (default: `nil`, which uses the default SID, and path to the sqlplus binary (default: `sqlplus`).  
+* `oracledb_session` declares a username and password with permission to run the query (required), and an optional parameters for host (default: `localhost`), SID (default: `nil`, which uses the default SID, and path to the sqlplus binary (default: `sqlplus`).
 * `query('QUERY')` contains the query to be run
-* `its('output') { should eq('') }` compares the results of the query against the expected result in the test
+* `its('value') { should eq('') }` compares the results of the query against the expected result in the test
 
 ## Matchers
 
 This InSpec audit resource has the following matchers:
 
-### be
-
-<%= partial "/shared/matcher_be" %>
-
 ### cmp
 
 <%= partial "/shared/matcher_cmp" %>
@@ -36,20 +32,6 @@ This InSpec audit resource has the following matchers:
 
 <%= partial "/shared/matcher_eq" %>
 
-### include
-
-<%= partial "/shared/matcher_include" %>
-
-### match
-
-<%= partial "/shared/matcher_match" %>
-
-### output
-
-The `output` matcher tests the results of the query:
-
-    its('output') { should eq(/^0/) }
-
 ## Examples
 
 The following examples show how to use this InSpec audit resource.
@@ -57,15 +39,15 @@ The following examples show how to use this InSpec audit resource.
 ### Test for matching databases
 
     sql = oracledb_session(user: 'my_user', pass: 'password')
-    
-    describe sql.query('SELECT NAME FROM v$database;') do
-      its('stdout') { should_not match(/test/) }
+
+    describe sql.query('SELECT NAME AS VALUE FROM v$database;').row(0).column('value') do
+      its('value') { should cmp 'ORCL' }
     end
 
 ### Test for matching databases with custom host, SID and sqlplus binary location
 
     sql = oracledb_session(user: 'my_user', pass: 'password', host: 'oraclehost', sid: 'mysid', sqlplus_bin: '/u01/app/oracle/product/12.1.0/dbhome_1/bin/sqlplus')
-    
-    describe sql.query('SELECT NAME FROM v$database;') do
-      its('stdout') { should_not match(/test/) }
+
+    describe sql.query('SELECT NAME FROM v$database;').row(0).column('name') do
+      its('value') { should cmp 'ORCL' }
     end

data/docs/resources/package.md.erb

@@ -96,6 +96,12 @@ The following examples show how to use this InSpec audit resource.
       it { should_not be_running }
     end
 
+### Verify if some_package is installed according to my_rpmdb
+
+   describe package('some_package', rpm_dbpath: '/var/lib/my_rpmdb') do
+     it { should be_installed }
+   end
+
 ### Verify if Memcached is installed, enabled, and running
 
 Memcached is an in-memory key-value store that helps improve the performance of database-driven websites and can be installed, maintained, and tested using the `memcached` cookbook (maintained by Chef). The following example is from the `memcached` cookbook and shows how to use a combination of the `package`, `service`, and `port` InSpec audit resources to test if Memcached is installed, enabled, and running:

data/docs/resources/postgres_conf.md.erb

@@ -14,6 +14,7 @@ A `postgres_conf` resource block declares one (or more) settings in the `postgre
       its('setting') { should eq 'value' }
     end
 
+
 where
 
 * `'setting'` specifies a setting in the `postgresql.conf` file
@@ -71,6 +72,7 @@ The following examples show how to use this InSpec audit resource.
       its('log_duration') { should eq 'on' }
       its('log_hostname') { should eq 'on' }
       its('log_line_prefix') { should eq '%t %u %d %h' }
+      its(['pgaudit.log_parameter']) { should cmp 'on' }
     end
 
 ### Test the port on which PostgreSQL listens

data/examples/inheritance/controls/example.rb

@@ -1,6 +1,5 @@
 # encoding: utf-8
 # copyright: 2016, Chef Software, Inc.
-# license: All rights reserved
 
 # manipulate controls of `profile`
 include_controls 'profile' do

data/examples/meta-profile/controls/example.rb

@@ -1,6 +1,5 @@
 # encoding: utf-8
 # copyright: 2015, The Authors
-# license: All rights reserved
 
 # import full profile
 include_controls 'dev-sec/ssh-baseline'

data/examples/profile/controls/example.rb

@@ -1,6 +1,5 @@
 # encoding: utf-8
 # copyright: 2015, Chef Software, Inc.
-# license: All rights reserved
 
 title '/tmp profile'
 

data/examples/profile/controls/gordon.rb

@@ -1,6 +1,5 @@
 # encoding: utf-8
 # copyright: 2016, Chef Software, Inc.
-# license: All rights reserved
 
 title 'Gordon Config Checks'
 

data/inspec.gemspec

@@ -44,4 +44,5 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'addressable', '~> 2.4'
   spec.add_dependency 'parslet', '~> 1.5'
   spec.add_dependency 'semverse'
+  spec.add_dependency 'htmlentities'
 end

data/lib/bundles/inspec-compliance/api.rb

@@ -204,26 +204,28 @@ module Compliance
     end
 
     def self.is_automate_server_pre_080?(config)
-      # Automate versions before 0.8.x may have a "version" key in the config.
-      # Unless it's a hash that also contains a "version" key, it came from
-      # an Automate server that is pre-0.8.x.
+      # Automate versions before 0.8.x do not have a valid version in the config
       return false unless config['server_type'] == 'automate'
-      return true unless config.key?('version')
-      return true unless config['version'].is_a?(Hash)
-      config['version']['version'].nil?
+      server_version_from_config(config).nil?
     end
 
     def self.is_automate_server_080_and_later?(config)
       # Automate versions 0.8.x and later will have a "version" key in the config
-      # that looks like: "version":{"api":"compliance","version":"0.8.24"}
+      # that is properly parsed out via server_version_from_config below
       return false unless config['server_type'] == 'automate'
-      return false unless config.key?('version')
-      return false unless config['version'].is_a?(Hash)
-      !config['version']['version'].nil?
+      !server_version_from_config(config).nil?
     end
 
     def self.is_automate_server?(config)
       config['server_type'] == 'automate'
     end
+
+    def self.server_version_from_config(config)
+      # Automate versions 0.8.x and later will have a "version" key in the config
+      # that looks like: "version":{"api":"compliance","version":"0.8.24"}
+      return nil unless config.key?('version')
+      return nil unless config['version'].is_a?(Hash)
+      config['version']['version']
+    end
   end
 end

data/lib/bundles/inspec-init/templates/profile/controls/example.rb

@@ -1,6 +1,5 @@
 # encoding: utf-8
 # copyright: 2015, The Authors
-# license: All rights reserved
 
 title 'sample section'
 

data/lib/inspec.rb

@@ -1,6 +1,5 @@
 # encoding: utf-8
 # copyright: 2015, Dominik Richter
-# license: All rights reserved
 # author: Dominik Richter
 # author: Christoph Hartmann
 

data/lib/inspec/backend.rb

@@ -1,6 +1,5 @@
 # encoding: utf-8
 # copyright: 2015, Dominik Richter
-# license: All rights reserved
 # author: Dominik Richter
 # author: Christoph Hartmann
 

data/lib/inspec/cli.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 # encoding: utf-8
-# Copyright 2015 Dominik Richter. All rights reserved.
+# Copyright 2015 Dominik Richter
 # author: Dominik Richter
 # author: Christoph Hartmann
 

data/lib/inspec/metadata.rb

@@ -1,5 +1,5 @@
 # encoding: utf-8
-# Copyright 2015 Dominik Richter. All rights reserved.
+# Copyright 2015 Dominik Richter
 # author: Dominik Richter
 # author: Christoph Hartmann
 

data/lib/inspec/polyfill.rb

@@ -2,7 +2,6 @@
 # copyright: 2016, Chef Software Inc.
 # author: Dominik Richter
 # author: Christoph Hartmann
-# license: All rights reserved
 
 class Struct
   unless instance_methods.include? :to_h