inspec 1.33.1 → 1.33.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7b38759460677daa85d3475e4e3fad6e1034178b
-  data.tar.gz: f2b20500e11fe15f329d151e2e9d6cafd48ef817
+  metadata.gz: f226b9d3651d0f220a203377ab9144850da1f060
+  data.tar.gz: 949dc3f2d16a4c7206ca6c8724897ed1a8406b08
 SHA512:
-  metadata.gz: 75da431c0f765aa468b166d4dd36bd37c5019e664224a6acd2467cca571861153e8dbfcaa4be8cf20f2cf5bc0fc3e3ae297b196da89368c123c5c1859d3d4d75
-  data.tar.gz: 93cdf53999b2618fca0af4e316a61fdaae22397cb53563d318c5bf8b42ad21fe4504ba41877fff1587c0a51f15c15af64c657df9cba41c6b4e4ee7f474b8c464
+  metadata.gz: 130d871eb491b561820541fd4541b1669135cbb736ebb2436c8412320629b5b3f2a35bb1855d774982ea27f3a194c3b2be9ea656d2cf923eede98d70807245b5
+  data.tar.gz: d273d6b721bd2a97efdc9c175f47fe1045ed3cf85f428f55ce922e453a2d47a35b472b1c8b41b93d11d33bc9f1aa2044cd029feeaef71f177739d49a5ef079c8

data/CHANGELOG.md

@@ -1,24 +1,38 @@
 # Change Log
 
-<!-- latest_release 1.33.1 -->
-## [v1.33.1](https://github.com/chef/inspec/tree/v1.33.1) (2017-08-10)
-
-#### Merged Pull Requests
-- Bump project minor version, bump train dependency version [#2058](https://github.com/chef/inspec/pull/2058) ([adamleff](https://github.com/adamleff))
+<!-- latest_release -->
 <!-- latest_release -->
 
-<!-- release_rollup since=1.32.1 -->
-### Changes since 1.32.1 release
+<!-- release_rollup -->
+<!-- release_rollup -->
+
+<!-- latest_stable_release -->
+## [v1.33.12](https://github.com/chef/inspec/tree/v1.33.12) (2017-08-18)
+
+#### Bug Fixes
+- fix command.exists for mock environments [#2056](https://github.com/chef/inspec/pull/2056) ([chris-rock](https://github.com/chris-rock))
+- Add missing command mocks to fix tests after train 0.26.1 upgrade [#2069](https://github.com/chef/inspec/pull/2069) ([adamleff](https://github.com/adamleff))
+- Assume sqlplus as oracle_session as default for mock environments  [#2057](https://github.com/chef/inspec/pull/2057) ([chris-rock](https://github.com/chris-rock))
+- add mock support for os_env resource [#2070](https://github.com/chef/inspec/pull/2070) ([chris-rock](https://github.com/chris-rock))
+- Moves logic from os_env from initialize phase to runtime phase [#2072](https://github.com/chef/inspec/pull/2072) ([chris-rock](https://github.com/chris-rock))
+- fix case where skip is called for os_env [#2078](https://github.com/chef/inspec/pull/2078) ([chris-rock](https://github.com/chris-rock))
+- [docker_container] fix repo property [#2083](https://github.com/chef/inspec/pull/2083) ([srenatus](https://github.com/srenatus))
+- Properly handle held packages on dpkg-flavored OS [#2087](https://github.com/chef/inspec/pull/2087) ([adamleff](https://github.com/adamleff))
 
 #### Merged Pull Requests
-- Bump project minor version, bump train dependency version [#2058](https://github.com/chef/inspec/pull/2058) ([adamleff](https://github.com/adamleff)) <!-- 1.33.1 -->
-- Fix docker_container.tag to use last element of image [#2052](https://github.com/chef/inspec/pull/2052) ([mattlqx](https://github.com/mattlqx)) <!-- 1.32.3 -->
+- add functional tests for inspec check [#2077](https://github.com/chef/inspec/pull/2077) ([chris-rock](https://github.com/chris-rock))
+- Move bug fixes in CHANGELOG to correct header [#2089](https://github.com/chef/inspec/pull/2089) ([adamleff](https://github.com/adamleff))
+<!-- latest_stable_release -->
+
+## [v1.33.1](https://github.com/chef/inspec/tree/v1.33.1) (2017-08-10)
 
 #### Features & Enhancements
-- New &#39;be_in&#39; matcher for matching against values in a list [#2022](https://github.com/chef/inspec/pull/2022) ([rx294](https://github.com/rx294)) <!-- 1.32.2 -->
-<!-- release_rollup -->
+- New &#39;be_in&#39; matcher for matching against values in a list [#2022](https://github.com/chef/inspec/pull/2022) ([rx294](https://github.com/rx294))
+
+#### Merged Pull Requests
+- Fix docker_container.tag to use last element of image [#2052](https://github.com/chef/inspec/pull/2052) ([mattlqx](https://github.com/mattlqx))
+- Bump project minor version, bump train dependency version [#2058](https://github.com/chef/inspec/pull/2058) ([adamleff](https://github.com/adamleff))
 
-<!-- latest_stable_release -->
 ## [v1.32.1](https://github.com/chef/inspec/tree/v1.32.1) (2017-08-03)
 
 #### Merged Pull Requests
@@ -29,7 +43,6 @@
 - Fix issue when xinetd.conf does not end in newline [#2040](https://github.com/chef/inspec/pull/2040) ([kareiva](https://github.com/kareiva))
 - catch newline issues in xinet.d [#2043](https://github.com/chef/inspec/pull/2043) ([arlimus](https://github.com/arlimus))
 - Prep for 1.32.0 release [#2046](https://github.com/chef/inspec/pull/2046) ([adamleff](https://github.com/adamleff))
-<!-- latest_stable_release -->
 
 
 

data/docs/profiles.md

@@ -109,18 +109,23 @@ and to target all of these examples in a single `inspec.yml` file:
 
 # Profile Dependencies
 
-A profile dependency is needed when:
+An InSpec profile can bring in the controls and custom resources from another InSpec profile. Additionally, when inheriting the controls of another profile, a profile can skip or even modify those included controls.
 
- * using `include_controls` or `require_controls` in order to load controls defined in another profile
- * using a custom InSpec resource defined in another profile
+## Defining the Dependencies
 
-Use the `depends` setting in the `inspec.yml` file to specify one (or more) profiles on which this profile depends. A profile dependency may be sourced from a path, URL, a git repo, a cookbook located on Chef Supermarket or on GitHub, or a profile located on the Chef Compliance server.
+Before a profile can use controls from another profile, the to-be-included profile needs to be specified in the including profile’s `inspec.yml` file in the `depends` section. For each profile to be included, a location for the profile from where to be fetched and a name for the profile should be included. For example:
 
-## Path
+    depends:
+    - name: linux-baseline
+      url: https://github.com/dev-sec/linux-baseline/archive/master.tar.gz
+    - name: ssh-baseline
+      url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz
 
-The `path` setting defines a profile that is located on disk. This setting is typically used during development of profiles and when debugging profiles. This setting does not support version constraints. If the location of the profile does not exist, an error is returned.
+InSpec supports a number of dependency sources.
 
-For example:
+### path
+
+The `path` setting defines a profile that is located on disk. This setting is typically used during development of profiles and when debugging profiles. 
 
     depends:
     - name: my-profile
@@ -128,19 +133,19 @@ For example:
     - name: another
       path: ../relative/path
 
-## URL
+### url
 
-The `url` setting specifies a profile that is located at an HTTP- or HTTPS-based URL. The profile must be accessible via a HTTP GET operation and must be a valid profile archive (zip, tar, tar.gz format). If the download fails, the profile is inaccessible, or not in the correct format, an error is returned.
-
-For example:
+The `url` setting specifies a profile that is located at an HTTP- or HTTPS-based URL. The profile must be accessible via a HTTP GET operation and must be a valid profile archive (zip, tar, or tar.gz format).
 
     depends:
     - name: my-profile
       url: https://my.domain/path/to/profile.tgz
+    - name: profile-via-git
+      url: https://github.com/myusername/myprofile-repo/archive/master.tar.gz
 
-## git
+### git
 
-A `git` setting specifies a profile that is located in a git repository, with optional settings for branch, tag, commit, and version. The source location is translated into a URL upon resolution. This type of dependency supports version indexing via semantic versioning as git tags.
+A `git` setting specifies a profile that is located in a git repository, with optional settings for branch, tag, commit, and version. The source location is translated into a URL upon resolution. This type of dependency supports version constraints via semantic versioning as git tags.
 
 For example:
 
@@ -152,7 +157,7 @@ For example:
       commit:  pinned_commit
       version: semver_via_tags
 
-## Chef Supermarket
+### supermarket
 
 A `supermarket` setting specifies a profile that is located in a cookbook hosted on Chef Supermarket. The source location is translated into a URL upon resolution.
 
@@ -164,27 +169,9 @@ For example:
 
 Available Supermarket profiles can be listed with `inspec supermarket profiles`.
 
-## GitHub
-
-A `github` setting specifies a profile that is located in a repository hosted on GitHub. The source location is translated into a URL upon resolution.
-
-For example:
-
-    depends:
-    - name: gh-profile
-      github: username/project
-
-A path to a Git commit or tag on GitHub can also be used:
-
-    dev-sec/linux-baseline
-    dev-sec/linux-baseline/tree/2.0
-    dev-sec/linux-baseline/tree/48bd4388ddffde68badd83aefa654e7af3231876
+### compliance
 
-would all download profiles corresponding to the GitHub URL, https://github.com/dev-sec/linux-baseline/tree/48bd4388ddffde68badd83aefa654e7af3231876, for example.
-
-## Chef Compliance
-
-A `compliance` setting specifies a profile that is located on the Chef Compliance server.
+A `compliance` setting specifies a profile that is located on the Chef Automate or Chef Compliance server.
 
 For example:
 
@@ -192,80 +179,76 @@ For example:
       - name: linux
         compliance: base/linux
 
-You need to `inspec vendor` the profile before uploading it to Chef Compliance version 1.7.7 or newer. The vendor subcommand fetches all dependent profiles and stores them in the `vendor` directory.
+## Vendoring Dependencies
 
-## Define in inspec.yml
+When you execute a local profile, the `inspec.yml` file will be read in order to source any profile dependencies. It will then cache the dependencies locally and generate an `inspec.lock` file.
 
-Use the `depends` setting in the `inspec.yml` file to define any combination of profile dependencies. For example:
+If you add or update dependencies in `inspec.yml`, dependencies may be re-vendored and the lockfile updated with `inspec vendor --overwrite`
 
-    depends:
-      - name: ssh-hardening
-        supermarket: hardening/ssh-hardening
-        version: '= 2.0.0'
-      - name: os-hardening
-        url: https://github.com/dev-sec/tests-os-hardening/archive/master.zip
-      - name: ssl-benchmark
-        git: https://github.com/dev-sec/ssl-benchmark.git
-        version: '< 2.0'
-      - name: windows-patch-benchmark
-        git: https://github.com/chris-rock/windows-patch-benchmark.git
-        version: '~> 0.6'
-      - name: linux
-        compliance: base/linux
+## Using Controls from an Included Profile
 
-## Vendoring Dependencies
+Once defined in the `inspec.yml`, controls from the included profiles can be used! Let’s look at some examples.
 
-When you execute a local profile, the `inspec.yml` file will be read in order to source any profile dependencies. It will then cache the dependencies locally and generate an `inspec.lock` file. If you add or update dependencies in `inspec.yml`, please refresh the lock file by either:
+### Including All Controls from a Profile
 
- * running `inspec vendor` inside the profile directory; or
- * deleting `inspec.lock` before running `inspec exec`
+With the `include_controls` command in a profile, all controls from the named profile will be executed every time the including profile is executed.
 
-# Profile Inheritance
+![Include Controls](/images/profile_inheritance/include_controls.png)
 
-When a profile is run, it may include controls that are defined in other profiles. Controls may also be required.
+In the example above, every time `my-app-profile` is executed, all the controls from `my-baseline` are also executed. Therefore, the following controls would be executed:
 
-This requires an `inspec.yml` dependency to the profile you inherit from.
+ * myapp-1
+ * myapp-2
+ * myapp-3
+ * baseline-1
+ * baseline-2
 
-## include_controls
+This is a great reminder that having a good naming convention for your controls is helpful to avoid confusion when 
+including controls from other profiles!
 
-The `include_controls` keyword may be used in a profile to import all rules from the named profile.
+### Skipping a Control from a Profile
 
-For example, to include controls from the `cis-level-1` profile when running the `cis-fs-2.7` profile:
+What if one of the controls from the included profile does not apply to your environment? Luckily, it is not necessary to maintain a slightly-modified copy of the included profile just to delete a control. The `skip_control` command tells InSpec to not run a particular control.
 
-    include_controls 'cis-level-1' do
+![Include Controls with Skip](/images/profile_inheritance/include_controls_with_skip.png)
 
-      control "cis-fs-2.7" do
-        impact 1.0
-      ...
+In the above example, all controls from `my-app-profile` and `my-baseline` profile will be executed every time `my-app-profile` is executed **except** for control `baseline-2` from the `my-baseline` profile.
 
-    end
+### Modifying a Control
 
-To include controls from the `cis-level-1` profile, but skipping two controls within that profile:
+Let's say a particular control from an included profile should still be run, but the impact isn't appropriate? Perhaps the test should still run, but if it fails, it should be treated as low severity instead of high severity?
 
-    include_controls 'cis-level-1' do
+When a control is included, it can also be modified!
 
-      skip_control "cis-fs-2.1"
-      skip_control "cis-fs-2.2"
+![Include Controls with Modification](/images/profile_inheritance/include_controls_with_mod.png)
 
-    end
+In the above example, all controls from `my-baseline` are executed along with all the controls from the including profile, `my-app-profile`. However, should control `baseline-1` fail, it will be raised with an impact of `0.5` instead of the originally-intended impact of `1.0`.
 
-## require_controls
+### Selectively Including Controls from a Profile
 
-The `require_controls` keyword may be used to load only specific controls from the named profile.
+If there are only a handful of controls that should be executed from an included profile, it's not necessarily to skip all the unneeded controls, or worse, copy/paste those controls bit-for-bit into your profile. Instead, use the `require_controls` command.
 
-For example, to require that controls `cis-fs-2.1` and `cis-fs-2.2` be loaded from the `cis-level-1` profile:
+![Require Controls](/images/profile_inheritance/require_controls.png)
 
-    require_controls 'cis-level-1' do
+Whenever `my-app-profile` is executed, in addition to its own controls, it will run only the controls specified in the `require_controls` block. In the case, the following controls would be executed:
 
-      control "cis-fs-2.1"
-      control "cis-fs-2.2"
+ * myapp-1
+ * myapp-2
+ * myapp-3
+ * baseline-2
+ * baseline-4
 
-    end
+Controls `baseline-1`, `baseline-3`, and `baseline-5` would not be run, just as if they were manually skipped. This method of including specific controls ensures only the controls specified are executed; if new controls are added to a later version of `my-baseline`, they would not be run.
+
+And, just the way its possible to modify controls when using `include_controls`, controls can be modified as well.
+
+![Require Controls with Modification](/images/profile_inheritance/require_controls_with_mod.png)
 
+As with the prior example, only `baseline-2` and `baseline-4` are executed, but if `baseline-2` fails, it will report with an impact of `0.5` instead of the originally-intended `1.0` impact.
 
-## require_resource
+## Using Resources from an Included Profile
 
-By default, all of the resources from a listed dependency are available
+By default, all of the custom resources from a listed dependency are available
 for use in your profile. If two of your dependencies provide a resource with
 the same name, you can use the `require_resource` DSL function to
 disambiguate the two:

data/docs/resources/package.md.erb

@@ -28,6 +28,13 @@ This InSpec audit resource has the following matchers:
 
 <%= partial "/shared/matcher_be" %>
 
+### be_held
+
+The `be_held` matcher tests if the named package is "held". On dpkg platforms, a "held" package
+will not be upgraded to a later version.
+
+    it { should be_held }
+
 ### be_installed
 
 The `be_installed` matcher tests if the named package is installed on the system:

data/examples/meta-profile/README.md

@@ -23,7 +23,7 @@ depends:
     compliance: base/linux
 ```
 
-You could use those dependencies in your `exmaple.rb`:
+You could use those dependencies in your `example.rb`:
 
 ```
 

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.33.1'.freeze
+  VERSION = '1.33.12'.freeze
 end

data/lib/resources/command.rb

@@ -47,7 +47,7 @@ module Inspec::Resources
 
     def exist?
       # silent for mock resources
-      return false if inspec.os[:name].to_s == 'unknown'
+      return false if inspec.os.name.nil?
 
       if inspec.os.linux?
         res = inspec.backend.run_command("bash -c 'type \"#{@command}\"'")

data/lib/resources/docker_container.rb

@@ -74,8 +74,13 @@ module Inspec::Resources
     end
 
     def repo
-      return if image_name_from_image.nil?
-      image_name_from_image.split(':')[0]
+      return if image.nil? || image_name_from_image.nil?
+      if image.include?('/')                       # host:port/ubuntu:latest
+        repo_part, image_part = image.split('/')   # host:port, ubuntu:latest
+        repo_part + '/' + image_part.split(':')[0] # host:port + / + ubuntu
+      else
+        image_name_from_image.split(':')[0]
+      end
     end
 
     def tag

data/lib/resources/oracledb_session.rb

@@ -49,18 +49,17 @@ module Inspec::Resources
       escaped_query = escaped_query.gsub('$', '\\$')
 
       p = nil
-      # check if sqlplus is available and prefer that
-      if inspec.command(@sqlplus_bin).exist?
-        bin = @sqlplus_bin
-        opts = "SET MARKUP HTML ON\nSET FEEDBACK OFF"
-        p = :parse_html_result
-      elsif inspec.command(@sqlcl_bin).exist?
+      # use sqlplus if sqlcl is not available
+      if inspec.command(@sqlcl_bin).exist?
         bin = @sqlcl_bin
         opts = "set sqlformat csv\nSET FEEDBACK OFF"
         p = :parse_csv_result
+      else
+        bin = @sqlplus_bin
+        opts = "SET MARKUP HTML ON\nSET FEEDBACK OFF"
+        p = :parse_html_result
       end
 
-      return skip_resource("Can't find suitable Oracle CLI") if p.nil?
       command = "echo \"#{opts}\n#{verify_query(escaped_query)}\nEXIT\" | #{bin} -s #{@user}/#{@password}@//#{@host}:#{@port}/#{@service}"
       cmd = inspec.command(command)
 

data/lib/resources/os_env.rb

@@ -25,8 +25,6 @@ module Inspec::Resources
     attr_reader :content
     def initialize(env = nil)
       @osenv = env
-      @content = nil
-      @content = value_for(env) unless env.nil?
     end
 
     def split
@@ -35,7 +33,12 @@ module Inspec::Resources
       path_separator = inspec.os.windows? ? ';' : ':'
       # -1 is required to catch cases like dir1::dir2:
       # where we have a trailing :
-      @content.nil? ? [] : @content.split(path_separator, -1)
+      content.nil? ? [] : content.split(path_separator, -1)
+    end
+
+    def content
+      return @content if defined?(@content)
+      @content = value_for(@osenv) unless @osenv.nil?
     end
 
     def to_s
@@ -58,7 +61,7 @@ module Inspec::Resources
       out = inspec.command(command)
 
       unless out.exit_status == 0
-        skip_resource "Can't read environment variables on #{os[:name]}. "\
+        skip_resource "Can't read environment variables on #{inspec.os.name}. "\
           "Tried `#{command}` which returned #{out.exit_status}"
       end
 

data/lib/resources/package.rb

@@ -15,6 +15,7 @@ module Inspec::Resources
     example "
       describe package('nginx') do
         it { should be_installed }
+        it { should_not be_held } # for dpkg platforms that support holding a version from being upgraded
         its('version') { should eq 1.9.5 }
       end
     "
@@ -56,6 +57,13 @@ module Inspec::Resources
       info[:installed] == true
     end
 
+    # returns true it the package is held (if the OS supports it)
+    def held?(_provider = nil, _version = nil)
+      return false if info.nil?
+      return false unless info.key?(:held)
+      info[:held] == true
+    end
+
     # returns the package description
     def info
       return @cache if !@cache.nil?
@@ -107,11 +115,14 @@ module Inspec::Resources
         assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
         multiple_values: false,
       ).params
+      # If the package is installed, Status is "install ok installed"
+      # If the package is installed and marked hold, Status is "hold ok installed"
       # If the package is removed and not purged, Status is "deinstall ok config-files" with exit_status 0
       # If the package is purged cmd fails with non-zero exit status
       {
         name: params['Package'],
-        installed: params['Status'].split(' ').first == 'install',
+        installed: params['Status'].split(' ')[2] == 'installed',
+        held: params['Status'].split(' ')[0] == 'hold',
         version: params['Version'],
         type: 'deb',
       }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.33.1
+  version: 1.33.12
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-08-10 00:00:00.000000000 Z
+date: 2017-08-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -332,8 +332,6 @@ files:
 - docs/resources/docker_container.md.erb
 - docs/resources/docker_image.md.erb
 - docs/resources/etc_group.md.erb
-- docs/resources/etc_passwd.md.erb
-- docs/resources/etc_shadow.md.erb
 - docs/resources/file.md.erb
 - docs/resources/gem.md.erb
 - docs/resources/group.md.erb
@@ -366,6 +364,7 @@ files:
 - docs/resources/package.md.erb
 - docs/resources/parse_config.md.erb
 - docs/resources/parse_config_file.md.erb
+- docs/resources/passwd.md.erb
 - docs/resources/pip.md.erb
 - docs/resources/port.md.erb
 - docs/resources/postgres_conf.md.erb
@@ -379,6 +378,7 @@ files:
 - docs/resources/runit_service.md.erb
 - docs/resources/security_policy.md.erb
 - docs/resources/service.md.erb
+- docs/resources/shadow.md.erb
 - docs/resources/ssh_config.md.erb
 - docs/resources/sshd_config.md.erb
 - docs/resources/ssl.md.erb