inspec 1.29.0 → 1.30.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +19 -0
- data/bin/inspec +1 -1
- data/docs/profiles.md +14 -5
- data/docs/resources/iptables.md.erb +12 -5
- data/docs/resources/mssql_session.md.erb +11 -28
- data/docs/resources/mysql_session.md.erb +12 -0
- data/docs/resources/oracledb_session.md.erb +10 -28
- data/docs/resources/package.md.erb +6 -0
- data/docs/resources/postgres_conf.md.erb +2 -0
- data/examples/inheritance/controls/example.rb +0 -1
- data/examples/meta-profile/controls/example.rb +0 -1
- data/examples/profile/controls/example.rb +0 -1
- data/examples/profile/controls/gordon.rb +0 -1
- data/inspec.gemspec +1 -0
- data/lib/bundles/inspec-compliance/api.rb +12 -10
- data/lib/bundles/inspec-init/templates/profile/controls/example.rb +0 -1
- data/lib/inspec.rb +0 -1
- data/lib/inspec/backend.rb +0 -1
- data/lib/inspec/cli.rb +1 -1
- data/lib/inspec/metadata.rb +1 -1
- data/lib/inspec/polyfill.rb +0 -1
- data/lib/inspec/profile.rb +1 -1
- data/lib/inspec/resource.rb +1 -1
- data/lib/inspec/rule.rb +0 -1
- data/lib/inspec/runner.rb +0 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +0 -1
- data/lib/resources/apache.rb +0 -1
- data/lib/resources/apache_conf.rb +0 -1
- data/lib/resources/audit_policy.rb +0 -1
- data/lib/resources/auditd_conf.rb +0 -1
- data/lib/resources/auditd_rules.rb +0 -1
- data/lib/resources/command.rb +0 -1
- data/lib/resources/directory.rb +7 -3
- data/lib/resources/docker.rb +30 -3
- data/lib/resources/etc_group.rb +0 -1
- data/lib/resources/file.rb +0 -1
- data/lib/resources/grub_conf.rb +0 -1
- data/lib/resources/inetd_conf.rb +0 -1
- data/lib/resources/kernel_module.rb +0 -1
- data/lib/resources/kernel_parameter.rb +0 -1
- data/lib/resources/limits_conf.rb +0 -1
- data/lib/resources/login_def.rb +0 -1
- data/lib/resources/mssql_session.rb +62 -14
- data/lib/resources/mysql.rb +0 -1
- data/lib/resources/mysql_conf.rb +0 -1
- data/lib/resources/mysql_session.rb +15 -6
- data/lib/resources/nginx_conf.rb +95 -0
- data/lib/resources/ntp_conf.rb +0 -1
- data/lib/resources/oracledb_session.rb +109 -12
- data/lib/resources/os_env.rb +0 -1
- data/lib/resources/package.rb +47 -3
- data/lib/resources/packages.rb +0 -1
- data/lib/resources/parse_config.rb +0 -1
- data/lib/resources/passwd.rb +0 -1
- data/lib/resources/postgres.rb +9 -5
- data/lib/resources/postgres_conf.rb +12 -3
- data/lib/resources/postgres_session.rb +0 -1
- data/lib/resources/powershell.rb +0 -1
- data/lib/resources/processes.rb +0 -1
- data/lib/resources/registry_key.rb +0 -1
- data/lib/resources/service.rb +1 -1
- data/lib/resources/ssh_conf.rb +0 -1
- data/lib/resources/ssl.rb +0 -1
- data/lib/utils/database_helpers.rb +77 -0
- data/lib/utils/filter_array.rb +0 -1
- data/lib/utils/find_files.rb +0 -1
- data/lib/utils/nginx_parser.rb +4 -2
- data/lib/utils/simpleconfig.rb +0 -1
- metadata +18 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 745f9c48fb9d28298944aef579f3d8d24255acf5
|
4
|
+
data.tar.gz: 0e69074ae2ba59b6fd09c6f09ddb784a97fd4fee
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: '043509ac03b2be5d7025476cbe33ffff43cf8cc6b5176b4f2519317ef8c3190302b3edc2d870a218c10192699b927b4e6027806fdd3ff677bdcbbf51d605d051'
|
7
|
+
data.tar.gz: '009d85fe8d9e0f0e778286b229e1ef4ad70ee18e023bfd638143cf2a68db068272fc862bc17161151842e3e0fd7b16cb516c0b9079a73f13ad327baf1e171aa9'
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,24 @@
|
|
1
1
|
# Change Log
|
2
2
|
|
3
|
+
## [v1.30.0](https://github.com/chef/inspec/tree/v1.30.0) (2017-06-29)
|
4
|
+
[Full Changelog](https://github.com/chef/inspec/compare/v1.29.0...v1.30.0)
|
5
|
+
|
6
|
+
**Implemented enhancements:**
|
7
|
+
|
8
|
+
- Ensure docker resource works with docker 1.13+ [\#1966](https://github.com/chef/inspec/pull/1966) ([chris-rock](https://github.com/chris-rock))
|
9
|
+
- Add `rpm\_dbpath` support to the package resource [\#1960](https://github.com/chef/inspec/pull/1960) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
|
10
|
+
- Allow mysql resource to accept socket path [\#1933](https://github.com/chef/inspec/pull/1933) ([rshade](https://github.com/rshade))
|
11
|
+
- add nginx\_conf resource [\#1889](https://github.com/chef/inspec/pull/1889) ([arlimus](https://github.com/arlimus))
|
12
|
+
- oracle\_session and mssql\_session improvement [\#1857](https://github.com/chef/inspec/pull/1857) ([chris-rock](https://github.com/chris-rock))
|
13
|
+
|
14
|
+
**Fixed bugs:**
|
15
|
+
|
16
|
+
- Fix socket handling in mysql resource [\#1971](https://github.com/chef/inspec/pull/1971) ([chris-rock](https://github.com/chris-rock))
|
17
|
+
- Fix typo in the version\_from\_dir method in postgres\_session resource [\#1962](https://github.com/chef/inspec/pull/1962) ([aaronlippold](https://github.com/aaronlippold))
|
18
|
+
- make postgres resource working in mock runner \(for inspec check\) [\#1961](https://github.com/chef/inspec/pull/1961) ([chris-rock](https://github.com/chris-rock))
|
19
|
+
- Fix directory resource output and exists check [\#1950](https://github.com/chef/inspec/pull/1950) ([adamleff](https://github.com/adamleff))
|
20
|
+
- Fix postgres\_conf ability to test parameters that have a dot in them [\#1938](https://github.com/chef/inspec/pull/1938) ([aaronlippold](https://github.com/aaronlippold))
|
21
|
+
|
3
22
|
## [v1.29.0](https://github.com/chef/inspec/tree/v1.29.0) (2017-06-22)
|
4
23
|
[Full Changelog](https://github.com/chef/inspec/compare/v1.28.1...v1.29.0)
|
5
24
|
|
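Review bot: the enhancement entry "add nginx_conf resource (#1889)" has no documentation counterpart in this release. The file list adds data/lib/resources/nginx_conf.rb (+95 -0) and touches data/lib/utils/nginx_parser.rb, but there is no data/docs/resources/nginx_conf.md.erb alongside the other resource docs changed here. Either add the resource doc page or mark the resource as undocumented in the changelog so users know the interface may still change.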
data/bin/inspec
CHANGED
data/docs/profiles.md
CHANGED
@@ -282,15 +282,24 @@ Attributes may be used in profiles to define secrets, such as user names and pas
|
|
282
282
|
|
283
283
|
For example, a control:
|
284
284
|
|
285
|
+
# define these attributes on the top-level of your file and re-use them across all tests!
|
285
286
|
val_user = attribute('user', default: 'alice', description: 'An identification for the user')
|
286
287
|
val_password = attribute('password', description: 'A value for the password')
|
287
288
|
|
288
|
-
|
289
|
-
|
290
|
-
|
289
|
+
control 'system-users' do
|
290
|
+
impact 0.8
|
291
|
+
desc '
|
292
|
+
This test assures that the user "Bob" has a user installed on the system, along with a
|
293
|
+
specified password.
|
294
|
+
'
|
295
|
+
|
296
|
+
describe val_user do
|
297
|
+
it { should eq 'bob' }
|
298
|
+
end
|
291
299
|
|
292
|
-
|
293
|
-
|
300
|
+
describe val_password do
|
301
|
+
it { should eq 'secret' }
|
302
|
+
end
|
294
303
|
end
|
295
304
|
|
296
305
|
And a Yaml file named `profile-attribute.yml`:
|
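Review bot: in this profiles.md hunk the `desc` text reads awkwardly ("the user "Bob" has a user installed on the system") and names a user that does not appear in the code; suggest "This test assures that the user defined by the `user` attribute exists on the system with the expected password." It is also worth one sentence explaining that with the default `'alice'` in `attribute('user', ...)` the control fails until `profile-attribute.yml` supplies `user: bob`, since that is the behaviour the example demonstrates. And because this section is about keeping secrets out of profiles, the literal `'secret'` in `it { should eq 'secret' }` deserves a remark that real profiles should not embed the expected password in the control itself.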
@@ -20,8 +20,7 @@ where
|
|
20
20
|
* `rule:'name'` is the name of a rule that matches a set of packets
|
21
21
|
* `table:'name'` is the packet matching table against which the test is run
|
22
22
|
* `chain: 'name'` is the name of a user-defined chain or one of `ACCEPT`, `DROP`, `QUEUE`, or `RETURN`
|
23
|
-
* `have_rule('RULE')` tests that rule in the iptables
|
24
|
-
|
23
|
+
* `have_rule('RULE')` tests that rule in the iptables list. This must match the entire line taken from `iptables -S CHAIN`.
|
25
24
|
|
26
25
|
## Matchers
|
27
26
|
|
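Review bot: the unchanged context line in this iptables.md.erb hunk, "`chain: 'name'` is the name of a user-defined chain or one of `ACCEPT`, `DROP`, `QUEUE`, or `RETURN`", is incorrect and should be fixed while the list is being edited: those four are targets, not chains. The built-in chains are `INPUT`, `OUTPUT` and `FORWARD` (plus `PREROUTING` and `POSTROUTING` in the nat and mangle tables). Suggest: "`chain: 'name'` is the name of a user-defined chain or one of the built-in chains such as `INPUT`, `OUTPUT` or `FORWARD`". Minor: `table:'name'` lacks the space after the colon that the neighbouring bullets use.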
@@ -57,14 +56,22 @@ The `have_rule` matcher tests the named rule against the information in the `ipt
|
|
57
56
|
|
58
57
|
The following examples show how to use this InSpec audit resource.
|
59
58
|
|
60
|
-
### Test if the
|
59
|
+
### Test if the INPUT chain is in default ACCEPT mode
|
61
60
|
|
62
61
|
describe iptables do
|
63
62
|
it { should have_rule('-P INPUT ACCEPT') }
|
64
63
|
end
|
65
64
|
|
66
|
-
### Test if the
|
65
|
+
### Test if the INPUT chain from the mangle table is in ACCEPT mode
|
67
66
|
|
68
|
-
describe iptables(table:'mangle', chain: '
|
67
|
+
describe iptables(table:'mangle', chain: 'INPUT') do
|
69
68
|
it { should have_rule('-P INPUT ACCEPT') }
|
70
69
|
end
|
70
|
+
|
71
|
+
### Test if there is a rule allowing Postgres (5432/TCP) traffic
|
72
|
+
|
73
|
+
describe iptables do
|
74
|
+
it { should have_rule('-A INPUT -p tcp -m tcp -m multiport --dports 5432 -m comment --comment "postgres" -j ACCEPT') }
|
75
|
+
end
|
76
|
+
|
77
|
+
Note that the rule specification must exactly match what's in the output of `iptables -S INPUT`, which will depend on how you've built your rules.
|
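Review bot: the second heading ("Test if the INPUT chain from the mangle table is in ACCEPT mode") should use the same wording as the first, since both check the chain's default policy via `-P INPUT ACCEPT`; suggest "Test if the INPUT chain in the mangle table has a default ACCEPT policy". For the Postgres example, the closing note about exact matching is the important part of the hunk; consider stating it before the example and spelling out that, because `have_rule` compares the whole `iptables -S` line, an equivalent rule written as `--dport 5432` without `-m multiport`, or with a different `--comment`, will not match, so profiles should assert on policy lines and on the exact rule text they manage.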
@@ -10,24 +10,20 @@ Use the `mssql_session` InSpec audit resource to test SQL commands run against a
|
|
10
10
|
|
11
11
|
A `mssql_session` resource block declares the username and password to use for the session, and then the command to be run:
|
12
12
|
|
13
|
-
describe mssql_session(user: 'username',
|
14
|
-
its('
|
13
|
+
describe mssql_session(user: 'username', password: 'password').query('QUERY').row(0).column('result') do
|
14
|
+
its('value') { should eq('') }
|
15
15
|
end
|
16
16
|
|
17
17
|
where
|
18
18
|
|
19
19
|
* `mssql_session` declares a username and password with permission to run the query. Omitting the username or password parameters results in the use of Windows authentication as the user InSpec is executing as. You may also optionally pass a host and instance name. If omitted, they will default to host: localhost and the default instance.
|
20
20
|
* `query('QUERY')` contains the query to be run
|
21
|
-
* `its('
|
21
|
+
* `its('value') { should eq('') }` compares the results of the query against the expected result in the test
|
22
22
|
|
23
23
|
## Matchers
|
24
24
|
|
25
25
|
This InSpec audit resource has the following matchers:
|
26
26
|
|
27
|
-
### be
|
28
|
-
|
29
|
-
<%= partial "/shared/matcher_be" %>
|
30
|
-
|
31
27
|
### cmp
|
32
28
|
|
33
29
|
<%= partial "/shared/matcher_cmp" %>
|
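Review bot: the new mssql_session synopsis chains `.query('QUERY').row(0).column('result')`, but the `where` list does not say what `row(0)` and `column('result')` return when the query yields no rows or the column does not exist (nil value or error); `its('value') { should eq('') }` silently depends on that, so document it. The bullet for `its('value')` also says it "compares the results of the query" while it compares a single cell; say "the value of column `result` in the first row". Finally, since the synopsis now passes `password: 'password'` inline, add a pointer to the profile attributes section so credentials are not committed in controls.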
@@ -36,19 +32,6 @@ This InSpec audit resource has the following matchers:
|
|
36
32
|
|
37
33
|
<%= partial "/shared/matcher_eq" %>
|
38
34
|
|
39
|
-
### include
|
40
|
-
|
41
|
-
<%= partial "/shared/matcher_include" %>
|
42
|
-
|
43
|
-
### match
|
44
|
-
|
45
|
-
<%= partial "/shared/matcher_match" %>
|
46
|
-
|
47
|
-
### output
|
48
|
-
|
49
|
-
The `output` matcher tests the results of the query:
|
50
|
-
|
51
|
-
its('output') { should eq(/^0/) }
|
52
35
|
|
53
36
|
## Examples
|
54
37
|
|
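Review bot: removing the `be`, `include`, `match` and `output` matcher sections drops the documentation of `its('output')`, which existing profiles may use. If the resource no longer returns `output`, that is a breaking change the changelog entry (#1857, listed under "Implemented enhancements") should flag; if it still works, keep the section and correct the old example `its('output') { should eq(/^0/) }` to `should match(/^0/)`, because `eq` against a regex never matches a string.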
@@ -56,24 +39,24 @@ The following examples show how to use this InSpec audit resource.
|
|
56
39
|
|
57
40
|
### Test for matching databases
|
58
41
|
|
59
|
-
sql = mssql_session(user: 'my_user',
|
42
|
+
sql = mssql_session(user: 'my_user', password: 'password')
|
60
43
|
|
61
|
-
describe sql.query('
|
62
|
-
its(
|
44
|
+
describe sql.query("SELECT SERVERPROPERTY('ProductVersion') as result").row(0).column('result') do
|
45
|
+
its("value") { should cmp > '12.00.4457' }
|
63
46
|
end
|
64
47
|
|
65
48
|
### Test using Windows authentication
|
66
49
|
|
67
50
|
sql = mssql_session
|
68
51
|
|
69
|
-
describe sql.query('
|
70
|
-
its(
|
52
|
+
describe sql.query("SELECT SERVERPROPERTY('ProductVersion') as result").row(0).column('result') do
|
53
|
+
its("value") { should cmp > '12.00.4457' }
|
71
54
|
end
|
72
55
|
|
73
56
|
### Test a specific host and instance
|
74
57
|
|
75
|
-
sql = mssql_session(user: 'my_user',
|
58
|
+
sql = mssql_session(user: 'my_user', password: 'password', host: 'mssqlserver', instance: 'foo')
|
76
59
|
|
77
|
-
describe sql.query('
|
78
|
-
its(
|
60
|
+
describe sql.query("SELECT SERVERPROPERTY('ProductVersion') as result").row(0).column('result') do
|
61
|
+
its("value") { should cmp > '12.00.4457' }
|
79
62
|
end
|
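Review bot: the heading "Test for matching databases" no longer describes the example under it, which checks `SERVERPROPERTY('ProductVersion')`; rename it to "Test the SQL Server version", and note that the two examples that follow are identical apart from how the session is constructed, so the headings could say so. Style: these examples use `its("value")` while the synopsis above uses `its('value')`; pick one quote style for the page.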
@@ -61,3 +61,15 @@ The following examples show how to use this InSpec audit resource.
|
|
61
61
|
describe sql.query('show databases like \'test\';') do
|
62
62
|
its('stdout') { should_not match(/test/) }
|
63
63
|
end
|
64
|
+
|
65
|
+
### Alternate Connection: Different Host
|
66
|
+
|
67
|
+
sql = mysql_session('my_user','password','db.example.com')
|
68
|
+
|
69
|
+
### Alternate Connection: Different Port
|
70
|
+
|
71
|
+
sql = mysql_seesion('my_user','password','localhost',3307)
|
72
|
+
|
73
|
+
### Alternate Connection: Using a socket
|
74
|
+
|
75
|
+
sql = mysql_session('my_user','password', nil, nil, '/var/lib/mysql-default/mysqld.sock')
|
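Review bot: `mysql_seesion` in the "Different Port" example is a typo for `mysql_session`; as written the example raises NoMethodError when used in a profile. The socket example passes `nil, nil` positionally for host and port, which is easy to misread; add a sentence saying that host and port are ignored when a socket path is given, or show a keyword form if the resource accepts one.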
@@ -10,24 +10,20 @@ Use the `oracledb_session` InSpec audit resource to test SQL commands run agains
|
|
10
10
|
|
11
11
|
A `oracledb_session` resource block declares the username and password to use for the session with an optional service to connect to, and then the command to be run:
|
12
12
|
|
13
|
-
describe oracledb_session(user: 'username',
|
14
|
-
its('
|
13
|
+
describe oracledb_session(user: 'username', password: 'password', service: 'ORCL.localdomain').query('QUERY').row(0).column('result') do
|
14
|
+
its('value') { should eq('') }
|
15
15
|
end
|
16
16
|
|
17
17
|
where
|
18
18
|
|
19
|
-
* `oracledb_session` declares a username and password with permission to run the query (required), and an optional parameters for host (default: `localhost`), SID (default: `nil`, which uses the default SID, and path to the sqlplus binary (default: `sqlplus`).
|
19
|
+
* `oracledb_session` declares a username and password with permission to run the query (required), and an optional parameters for host (default: `localhost`), SID (default: `nil`, which uses the default SID, and path to the sqlplus binary (default: `sqlplus`).
|
20
20
|
* `query('QUERY')` contains the query to be run
|
21
|
-
* `its('
|
21
|
+
* `its('value') { should eq('') }` compares the results of the query against the expected result in the test
|
22
22
|
|
23
23
|
## Matchers
|
24
24
|
|
25
25
|
This InSpec audit resource has the following matchers:
|
26
26
|
|
27
|
-
### be
|
28
|
-
|
29
|
-
<%= partial "/shared/matcher_be" %>
|
30
|
-
|
31
27
|
### cmp
|
32
28
|
|
33
29
|
<%= partial "/shared/matcher_cmp" %>
|
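Review bot: the `where` bullet for `oracledb_session` (whose only change in this hunk is whitespace) is now out of sync with the synopsis above it: the synopsis passes `service: 'ORCL.localdomain'`, but the bullet describes only `host`, `sid` and `sqlplus_bin`, and it has a grammar slip and an unclosed parenthesis ("an optional parameters ... (default: `nil`, which uses the default SID,"). Suggest: "`oracledb_session` declares a username and password with permission to run the query (required) and optional parameters for host (default: `localhost`), SID (default: `nil`, which uses the default SID), service, and the path to the sqlplus binary (default: `sqlplus`)." Also "A `oracledb_session`" should read "An `oracledb_session`".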
@@ -36,20 +32,6 @@ This InSpec audit resource has the following matchers:
|
|
36
32
|
|
37
33
|
<%= partial "/shared/matcher_eq" %>
|
38
34
|
|
39
|
-
### include
|
40
|
-
|
41
|
-
<%= partial "/shared/matcher_include" %>
|
42
|
-
|
43
|
-
### match
|
44
|
-
|
45
|
-
<%= partial "/shared/matcher_match" %>
|
46
|
-
|
47
|
-
### output
|
48
|
-
|
49
|
-
The `output` matcher tests the results of the query:
|
50
|
-
|
51
|
-
its('output') { should eq(/^0/) }
|
52
|
-
|
53
35
|
## Examples
|
54
36
|
|
55
37
|
The following examples show how to use this InSpec audit resource.
|
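Review bot: same point as for mssql_session: dropping the `output` matcher section (and the `be`, `include` and `match` partials) changes the documented interface. If `its('output')` no longer works on `oracledb_session`, list it in the changelog as a breaking change rather than under "improvement"; if it still works, keep the section with `should match(/^0/)` in place of `eq(/^0/)`.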
@@ -57,15 +39,15 @@ The following examples show how to use this InSpec audit resource.
|
|
57
39
|
### Test for matching databases
|
58
40
|
|
59
41
|
sql = oracledb_session(user: 'my_user', pass: 'password')
|
60
|
-
|
61
|
-
describe sql.query('SELECT NAME FROM v$database;') do
|
62
|
-
its('
|
42
|
+
|
43
|
+
describe sql.query('SELECT NAME AS VALUE FROM v$database;').row(0).column('value') do
|
44
|
+
its('value') { should cmp 'ORCL' }
|
63
45
|
end
|
64
46
|
|
65
47
|
### Test for matching databases with custom host, SID and sqlplus binary location
|
66
48
|
|
67
49
|
sql = oracledb_session(user: 'my_user', pass: 'password', host: 'oraclehost', sid: 'mysid', sqlplus_bin: '/u01/app/oracle/product/12.1.0/dbhome_1/bin/sqlplus')
|
68
|
-
|
69
|
-
describe sql.query('SELECT NAME FROM v$database;') do
|
70
|
-
its('
|
50
|
+
|
51
|
+
describe sql.query('SELECT NAME FROM v$database;').row(0).column('name') do
|
52
|
+
its('value') { should cmp 'ORCL' }
|
71
53
|
end
|
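Review bot: the two examples look up the result column differently: the first aliases it (`SELECT NAME AS VALUE`) and reads `.column('value')`, the second selects `NAME` and reads `.column('name')`. Oracle returns unquoted identifiers in upper case (`VALUE`, `NAME`), so whether a lower-case `column(...)` argument matches depends on case handling inside the resource; state that behaviour in the docs and use one form in both examples. The examples also use `pass:` while the synopsis above uses `password:`; only one can be the parameter the resource accepts, so align them.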
@@ -96,6 +96,12 @@ The following examples show how to use this InSpec audit resource.
|
|
96
96
|
it { should_not be_running }
|
97
97
|
end
|
98
98
|
|
99
|
+
### Verify if some_package is installed according to my_rpmdb
|
100
|
+
|
101
|
+
describe package('some_package', rpm_dbpath: '/var/lib/my_rpmdb') do
|
102
|
+
it { should be_installed }
|
103
|
+
end
|
104
|
+
|
99
105
|
### Verify if Memcached is installed, enabled, and running
|
100
106
|
|
101
107
|
Memcached is an in-memory key-value store that helps improve the performance of database-driven websites and can be installed, maintained, and tested using the `memcached` cookbook (maintained by Chef). The following example is from the `memcached` cookbook and shows how to use a combination of the `package`, `service`, and `port` InSpec audit resources to test if Memcached is installed, enabled, and running:
|
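Review bot: the new `rpm_dbpath:` example is the only mention of the option on the page; add it to the page's parameter list with the platforms it applies to (rpm-based systems) and what happens elsewhere. Worth noting for auditors as well: pointing `rpm_dbpath` at a non-default database means the check reports what that database says, not what the system's default rpm database records, so the path itself becomes part of what the control trusts.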
@@ -14,6 +14,7 @@ A `postgres_conf` resource block declares one (or more) settings in the `postgre
|
|
14
14
|
its('setting') { should eq 'value' }
|
15
15
|
end
|
16
16
|
|
17
|
+
|
17
18
|
where
|
18
19
|
|
19
20
|
* `'setting'` specifies a setting in the `postgresql.conf` file
|
@@ -71,6 +72,7 @@ The following examples show how to use this InSpec audit resource.
|
|
71
72
|
its('log_duration') { should eq 'on' }
|
72
73
|
its('log_hostname') { should eq 'on' }
|
73
74
|
its('log_line_prefix') { should eq '%t %u %d %h' }
|
75
|
+
its(['pgaudit.log_parameter']) { should cmp 'on' }
|
74
76
|
end
|
75
77
|
|
76
78
|
### Test the port on which PostgreSQL listens
|
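Review bot: the added `its(['pgaudit.log_parameter']) { should cmp 'on' }` line introduces the array-argument form without explanation. Add a sentence to this page's `where` section saying that settings whose names contain a dot (extension parameters such as `pgaudit.*`) must be passed as `its(['name'])`, because the plain `its('a.b')` form is treated as a nested lookup; that is the bug #1938 in the changelog fixes, and readers will not find it from the example alone.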
data/inspec.gemspec
CHANGED
@@ -204,26 +204,28 @@ module Compliance
|
|
204
204
|
end
|
205
205
|
|
206
206
|
def self.is_automate_server_pre_080?(config)
|
207
|
-
# Automate versions before 0.8.x
|
208
|
-
# Unless it's a hash that also contains a "version" key, it came from
|
209
|
-
# an Automate server that is pre-0.8.x.
|
207
|
+
# Automate versions before 0.8.x do not have a valid version in the config
|
210
208
|
return false unless config['server_type'] == 'automate'
|
211
|
-
|
212
|
-
return true unless config['version'].is_a?(Hash)
|
213
|
-
config['version']['version'].nil?
|
209
|
+
server_version_from_config(config).nil?
|
214
210
|
end
|
215
211
|
|
216
212
|
def self.is_automate_server_080_and_later?(config)
|
217
213
|
# Automate versions 0.8.x and later will have a "version" key in the config
|
218
|
-
# that
|
214
|
+
# that is properly parsed out via server_version_from_config below
|
219
215
|
return false unless config['server_type'] == 'automate'
|
220
|
-
|
221
|
-
return false unless config['version'].is_a?(Hash)
|
222
|
-
!config['version']['version'].nil?
|
216
|
+
!server_version_from_config(config).nil?
|
223
217
|
end
|
224
218
|
|
225
219
|
def self.is_automate_server?(config)
|
226
220
|
config['server_type'] == 'automate'
|
227
221
|
end
|
222
|
+
|
223
|
+
def self.server_version_from_config(config)
|
224
|
+
# Automate versions 0.8.x and later will have a "version" key in the config
|
225
|
+
# that looks like: "version":{"api":"compliance","version":"0.8.24"}
|
226
|
+
return nil unless config.key?('version')
|
227
|
+
return nil unless config['version'].is_a?(Hash)
|
228
|
+
config['version']['version']
|
229
|
+
end
|
228
230
|
end
|
229
231
|
end
|
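Review bot: in `server_version_from_config` (this hunk is data/lib/bundles/inspec-compliance/api.rb) the `return nil unless config.key?('version')` guard is redundant with the following `is_a?(Hash)` check, since a missing key yields `nil`, which is not a Hash; one of the two can go. More importantly, both callers only test the result with `.nil?`, so an empty string in `config['version']['version']` classifies the server as 0.8+ in `is_automate_server_080_and_later?`; returning `nil` for blank values, e.g. `v = config['version']['version']` followed by `v.to_s.empty? ? nil : v`, makes both predicates robust. The helper is also public while the surrounding comments treat it as internal; mark it `private_class_method` or document it.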
data/lib/inspec.rb
CHANGED
data/lib/inspec/backend.rb
CHANGED
data/lib/inspec/cli.rb
CHANGED
data/lib/inspec/metadata.rb
CHANGED