inspec 1.50.1 → 1.51.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3e1a10fa109bd6acf6791160ec84a2b00541332f
-  data.tar.gz: 0ca5fa62d228cc13b973f272fd9ac55635cafba7
+  metadata.gz: e4952aa70e173665e538c1e9a462da104c533ad1
+  data.tar.gz: a2b79c2109ade3f8f96afbb95104a71ea9d8b16c
 SHA512:
-  metadata.gz: 47dec2f9f7653e27b31489524ccb93ab364a8683f66ce00e7eec849a0fcc1cc0b5cbf773cb673e6ac4a532c0c3ccabffa5446c9feb50674f4cd130e46d5ccfb6
-  data.tar.gz: 385cbd5d676ef7f3bfb5905a23da6a2359abbdf5fc025e77ebb885bb20dde32172573df4b51176919edba5425bab9c95b6b8b02188b3941dc77f9f05940b2338
+  metadata.gz: e5444459f580693c6cce709ffb6cb99e47d817e1ddd35064a1636a299899165da235197640edb3cc2766d5b93d8fae7194996e731303c63df69f057527e02555
+  data.tar.gz: c866512ba5541fcb0b4dc2fb44c47f3ea22233b9d80590894e646e654f649160fbe0042dabb48941a7b500a709ee1c0d5f73c1725806083ce85713593d0b9939

data/CHANGELOG.md

@@ -1,33 +1,50 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release unreleased -->
-## Unreleased
+<!-- latest_release 1.51.0 -->
+## [v1.51.0](https://github.com/chef/inspec/tree/v1.51.0) (2018-01-25)
 
-#### Merged Pull Requests
-- Bump version manually to trigger Habitat build [#2466](https://github.com/chef/inspec/pull/2466) ([adamleff](https://github.com/adamleff))
+#### New Resources
+- filesystem resource: inspect linux filesystems [#2441](https://github.com/chef/inspec/pull/2441) ([tarcinil](https://github.com/tarcinil))
 <!-- latest_release -->
 
-<!-- release_rollup since=1.49.2 -->
-### Changes since 1.49.2 release
-
-#### Bug Fixes
-- http resource: make header keys case insensitive [#2457](https://github.com/chef/inspec/pull/2457) ([adamleff](https://github.com/adamleff)) <!-- 1.49.10 -->
-- package resource: fix NilClass errors on arch linux [#2437](https://github.com/chef/inspec/pull/2437) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 1.49.8 -->
-- firewalld resource: prepend rule string only when necessary [#2430](https://github.com/chef/inspec/pull/2430) ([tarcinil](https://github.com/tarcinil)) <!-- 1.49.6 -->
+<!-- release_rollup since=1.50.1 -->
+### Changes since 1.50.1 release
 
 #### Enhancements
-- xml resource: support fetching attributes [#2423](https://github.com/chef/inspec/pull/2423) ([tarcinil](https://github.com/tarcinil)) <!-- 1.49.7 -->
-- mssql_session resource: add port parameter [#2429](https://github.com/chef/inspec/pull/2429) ([tarcinil](https://github.com/tarcinil)) <!-- 1.49.5 -->
+- Update security_policy resource to return Names, not SIDs [#2462](https://github.com/chef/inspec/pull/2462) ([ViolentOr](https://github.com/ViolentOr)) <!-- 1.50.5 -->
+
+#### New Resources
+- filesystem resource: inspect linux filesystems [#2441](https://github.com/chef/inspec/pull/2441) ([tarcinil](https://github.com/tarcinil)) <!-- 1.51.0 -->
+- new docker_service resource to inspect Docker Swarm services [#2456](https://github.com/chef/inspec/pull/2456) ([mattlqx](https://github.com/mattlqx)) <!-- 1.50.4 -->
 
 #### Merged Pull Requests
-- Bump version manually to trigger Habitat build [#2466](https://github.com/chef/inspec/pull/2466) ([adamleff](https://github.com/adamleff)) <!-- 1.50.1 -->
-- Bump minor version [#2465](https://github.com/chef/inspec/pull/2465) ([adamleff](https://github.com/adamleff)) <!-- 1.50.0 -->
-- Bump Omnibus Ruby (and Travis Rubies) to 2.4.3 [#2452](https://github.com/chef/inspec/pull/2452) ([adamleff](https://github.com/adamleff)) <!-- 1.49.9 -->
-- Update the inspec support check to warn to stderr. [#2446](https://github.com/chef/inspec/pull/2446) ([jquick](https://github.com/jquick)) <!-- 1.49.4 -->
-- Fix package manager detection on Arch Linux [#2436](https://github.com/chef/inspec/pull/2436) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 1.49.3 -->
+- Sort library files before loading them so load order is predictable [#2475](https://github.com/chef/inspec/pull/2475) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 1.50.3 -->
+
+#### Bug Fixes
+- service resource: attempt a SysV fallback if SystemD unit file is not found [#2473](https://github.com/chef/inspec/pull/2473) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 1.50.6 -->
+- grub_conf resource: fix menuentry detection [#2408](https://github.com/chef/inspec/pull/2408) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 1.50.2 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v1.50.1](https://github.com/chef/inspec/tree/v1.50.1) (2018-01-17)
+
+#### Enhancements
+- mssql_session resource: add port parameter [#2429](https://github.com/chef/inspec/pull/2429) ([tarcinil](https://github.com/tarcinil))
+- xml resource: support fetching attributes [#2423](https://github.com/chef/inspec/pull/2423) ([tarcinil](https://github.com/tarcinil))
+
+#### Bug Fixes
+- firewalld resource: prepend rule string only when necessary [#2430](https://github.com/chef/inspec/pull/2430) ([tarcinil](https://github.com/tarcinil))
+- package resource: fix NilClass errors on arch linux [#2437](https://github.com/chef/inspec/pull/2437) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- http resource: make header keys case insensitive [#2457](https://github.com/chef/inspec/pull/2457) ([adamleff](https://github.com/adamleff))
+
+#### Merged Pull Requests
+- Fix package manager detection on Arch Linux [#2436](https://github.com/chef/inspec/pull/2436) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- Update the inspec support check to warn to stderr. [#2446](https://github.com/chef/inspec/pull/2446) ([jquick](https://github.com/jquick))
+- Bump Omnibus Ruby (and Travis Rubies) to 2.4.3 [#2452](https://github.com/chef/inspec/pull/2452) ([adamleff](https://github.com/adamleff))
+- Bump minor version [#2465](https://github.com/chef/inspec/pull/2465) ([adamleff](https://github.com/adamleff))
+- Bump version manually to trigger Habitat build [#2466](https://github.com/chef/inspec/pull/2466) ([adamleff](https://github.com/adamleff))
+<!-- latest_stable_release -->
+
 ## [v1.49.2](https://github.com/chef/inspec/tree/v1.49.2) (2018-01-04)
 
 #### Enhancements
@@ -51,7 +68,6 @@
 #### Merged Pull Requests
 - Split unit tests from functional [#2391](https://github.com/chef/inspec/pull/2391) ([adamleff](https://github.com/adamleff))
 - Bump minor version and cleanup changelog for release [#2440](https://github.com/chef/inspec/pull/2440) ([adamleff](https://github.com/adamleff))
-<!-- latest_stable_release -->
 
 ## [v1.48.0](https://github.com/chef/inspec/tree/v1.48.0) (2017-12-07)
 

data/docs/resources/docker_service.md.erb

@@ -0,0 +1,107 @@
+---
+title: About the docker_service Resource
+---
+
+# docker_service
+
+Use the `docker_service` InSpec audit resource to verify a docker swarm service.
+
+<br>
+
+## Syntax
+
+A `docker_service` resource block declares the service by name:
+
+    describe docker_service('foo') do
+      it { should exist }
+      its('id') { should eq '2ghswegspre1' }
+      its('repo') { should eq 'alpine' }
+      its('tag') { should eq 'latest' }
+    end
+
+The resource allows you to pass in a service id:
+
+    describe docker_service(id: '2ghswegspre1') do
+      ...
+    end
+
+You can also pass in the fully-qualified image:
+
+    describe docker_service(image: 'localhost:5000/alpine:latest') do
+      ...
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec `docker_service` resource.
+
+### Test a docker service
+
+    describe docker_service('foo') do
+      it { should exist }
+      its('id') { should eq '2ghswegspre1' }
+      its('repo') { should eq 'alpine' }
+      its('tag') { should eq 'latest' }
+    end
+
+<br>
+
+## Matchers
+
+This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+The `exist` matcher tests if the image is available on the node:
+
+    it { should exist }
+
+### id
+
+The `id` matcher returns the service id:
+
+    its('id') { should eq '2ghswegspre1' }
+
+### image
+
+The `image` matcher tests the value of the image. It is a combination of `repository:tag`:
+
+    its('image') { should eq 'alpine:latest' }
+
+### mode
+
+The `mode` matcher tests the value of the service mode:
+
+    its('mode') { should eq 'replicated' }
+
+### name
+
+The `name` matcher tests the value of the service name:
+
+    its('name') { should eq 'foo' }
+
+### ports
+
+The `ports` matcher tests the value of the service's published ports:
+
+    its('ports') { should include '*:8000->8000/tcp' }
+
+### repo
+
+The `repo` matcher tests the value of the repository name:
+
+    its('repo') { should eq 'alpine' }
+
+### replicas
+
+The `replicas` matcher tests the value of the service's replica count:
+
+    its('replicas') { should eq '3/3' }
+
+### tag
+
+The `tag` matcher tests the value of image tag:
+
+    its('tag') { should eq 'latest' }

data/docs/resources/filesystem.md.erb

@@ -0,0 +1,39 @@
+---
+title: About the filesystem Resource
+---
+
+# filesystem
+
+Use the `filesystem` InSpec resource to audit filesystem disk space usage
+<br>
+
+## Syntax
+
+A `filesystem` resource block declares tests for disk space in a partion:
+
+    describe filesystem('/') do
+      its('size') { should be >= 32000 }
+    end
+
+where
+
+* `filesystem('/')` states that it will be looking at the root (/) partition
+* `size` is measured in megabytes (MB)
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test if the root partition is greater thank 32000 MB
+
+    describe filesystem('/') do
+      its('size') { should be >= 32000 }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

data/docs/resources/ini.md.erb

@@ -52,13 +52,14 @@ The following examples show how to use this InSpec audit resource.
 
 For example, a PHP INI file located at contains the following settings:
 
-    ; SMTP = smtp.gmail.com
-    ; smtp_port = 465
+    [mail function]
+    SMTP = smtp.gmail.com
+    smtp_port = 465
 
 and can be tested like this:
 
-    describe ini(/etc/php5/apache2/php.ini) do
-      its('smtp_port') { should eq('465') }
+    describe ini('/etc/php5/apache2/php.ini') do
+      its('mail function.smtp_port') { should eq('465') }
     end
 
 <br>

data/docs/resources/pip.md.erb

@@ -40,6 +40,13 @@ The following examples show how to use this InSpec audit resource.
       its('version') { should eq '2.8' }
     end
 
+### Test packages installed into a non-default location (e.g. virtualenv) by passing a custom path to pip executable
+
+    describe pip('Jinja2', '/path/to/bin/pip') do
+      it { should be_installed }
+      its('version') { should eq '2.8' }
+    end
+
 <br>
 
 ## Matchers

data/lib/inspec/profile_context.rb

@@ -116,6 +116,7 @@ module Inspec
       lib_prefix = 'libraries' + File::SEPARATOR
       autoloads = []
 
+      libs.sort_by! { |l| l[1] } # Sort on source path so load order is deterministic
       libs.each do |content, source, line|
         path = source
         if source.start_with?(lib_prefix)

data/lib/inspec/resource.rb

@@ -94,12 +94,14 @@ require 'resources/directory'
 require 'resources/docker'
 require 'resources/docker_container'
 require 'resources/docker_image'
+require 'resources/docker_service'
 require 'resources/elasticsearch'
 require 'resources/etc_fstab'
 require 'resources/etc_group'
 require 'resources/etc_hosts_allow_deny'
 require 'resources/etc_hosts'
 require 'resources/file'
+require 'resources/filesystem'
 require 'resources/firewalld'
 require 'resources/gem'
 require 'resources/groups'

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.50.1'
+  VERSION = '1.51.0'
 end

data/lib/resources/docker.rb

@@ -59,6 +59,25 @@ module Inspec::Resources
     end
   end
 
+  class DockerServiceFilter
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:ids,              field: 'id')
+          .add(:names,            field: 'name')
+          .add(:modes,            field: 'mode')
+          .add(:replicas,         field: 'replicas')
+          .add(:images,           field: 'image')
+          .add(:ports,            field: 'ports')
+          .add(:exists?) { |x| !x.entries.empty? }
+    filter.connect(self, :services)
+
+    attr_reader :services
+    def initialize(services)
+      @services = services
+    end
+  end
+
   # This resource helps to parse information from the docker host
   # For compatability with Serverspec we also offer the following resouses:
   # - docker_container
@@ -79,6 +98,10 @@ module Inspec::Resources
         its('repositories') { should_not include 'inssecure_image' }
       end
 
+      describe docker.services do
+        its('images') { should_not include 'inssecure_image' }
+      end
+
       describe docker.version do
         its('Server.Version') { should cmp >= '1.12'}
         its('Client.Version') { should cmp >= '1.12'}
@@ -105,6 +128,10 @@ module Inspec::Resources
       DockerImageFilter.new(parse_images)
     end
 
+    def services
+      DockerServiceFilter.new(parse_services)
+    end
+
     def version
       return @version if defined?(@version)
       data = {}
@@ -142,48 +169,55 @@ module Inspec::Resources
 
     private
 
-    def parse_containers
-      # @see https://github.com/moby/moby/issues/20625, works for docker 1.13+
-      # raw_containers = inspec.command('docker ps -a --no-trunc --format \'{{ json . }}\'').stdout
-      # therefore we stick with older approach
-      labels = %w{Command CreatedAt ID Image Labels Mounts Names Ports RunningFor Size Status}
-
-      # Networks LocalVolumes work with 1.13+ only
-      if !version.empty? && Gem::Version.new(version['Client']['Version']) >= Gem::Version.new('1.13')
-        labels.push('Networks')
-        labels.push('LocalVolumes')
-      end
+    def parse_json_command(labels, subcommand)
       # build command
       format = labels.map { |label| "\"#{label}\": {{json .#{label}}}" }
-      raw_containers = inspec.command("docker ps -a --no-trunc --format '{#{format.join(', ')}}'").stdout
-      ps = []
+      raw = inspec.command("docker #{subcommand} --format '{#{format.join(', ')}}'").stdout
+      output = []
       # since docker is not outputting valid json, we need to parse each row
-      raw_containers.each_line { |entry|
-        j = JSON.parse(entry)
+      raw.each_line { |entry|
         # convert all keys to lower_case to work well with ruby and filter table
-        j = j.map { |k, v|
+        j = JSON.parse(entry).map { |k, v|
           [k.downcase, v]
         }.to_h
 
         # ensure all keys are there
-        j = ensure_container_keys(j)
+        j = ensure_keys(j, labels)
 
         # strip off any linked container names
         # Depending on how it was linked, the actual container name may come before
         # or after the link information, so we'll just look for the first name that
         # does not include a slash since that is not a valid character in a container name
-        j['names'] = j['names'].split(',').find { |c| !c.include?('/') }
+        j['names'] = j['names'].split(',').find { |c| !c.include?('/') } if j.key?('names')
 
-        ps.push(j)
+        output.push(j)
       }
-      ps
+      output
     rescue JSON::ParserError => _e
-      warn 'Could not parse `docker ps` output'
+      warn "Could not parse `docker #{subcommand}` output"
       []
     end
 
-    def ensure_container_keys(entry)
-      %w{Command CreatedAt ID Image Labels Mounts Names Ports RunningFor Size Status Networks LocalVolumes}.each { |key|
+    def parse_containers
+      # @see https://github.com/moby/moby/issues/20625, works for docker 1.13+
+      # raw_containers = inspec.command('docker ps -a --no-trunc --format \'{{ json . }}\'').stdout
+      # therefore we stick with older approach
+      labels = %w{Command CreatedAt ID Image Labels Mounts Names Ports RunningFor Size Status}
+
+      # Networks LocalVolumes work with 1.13+ only
+      if !version.empty? && Gem::Version.new(version['Client']['Version']) >= Gem::Version.new('1.13')
+        labels.push('Networks')
+        labels.push('LocalVolumes')
+      end
+      parse_json_command(labels, 'ps -a --no-trunc')
+    end
+
+    def parse_services
+      parse_json_command(%w{ID Name Mode Replicas Image Ports}, 'service ls')
+    end
+
+    def ensure_keys(entry, labels)
+      labels.each { |key|
         entry[key.downcase] = nil if !entry.key?(key.downcase)
       }
       entry

data/lib/resources/docker_container.rb

@@ -6,8 +6,12 @@
 # author: Patrick Muench
 # author: Dominik Richter
 
+require_relative 'docker_object'
+
 module Inspec::Resources
   class DockerContainer < Inspec.resource(1)
+    include Inspec::Resources::DockerObject
+
     name 'docker_container'
     desc ''
     example "
@@ -37,55 +41,39 @@ module Inspec::Resources
       end
     end
 
-    def exist?
-      container_info.exists?
-    end
-
-    # is allways returning the full id
-    def id
-      container_info.ids[0] if container_info.entries.length == 1
-    end
-
     def running?
-      status.downcase.start_with?('up') if container_info.entries.length == 1
+      status.downcase.start_with?('up') if object_info.entries.length == 1
     end
 
     def status
-      container_info.status[0] if container_info.entries.length == 1
+      object_info.status[0] if object_info.entries.length == 1
     end
 
     def labels
-      container_info.labels[0] if container_info.entries.length == 1
+      object_info.labels[0] if object_info.entries.length == 1
     end
 
     def ports
-      container_info.ports[0] if container_info.entries.length == 1
+      object_info.ports[0] if object_info.entries.length == 1
     end
 
     def command
-      return unless container_info.entries.length == 1
+      return unless object_info.entries.length == 1
 
-      cmd = container_info.commands[0]
+      cmd = object_info.commands[0]
       cmd.slice(1, cmd.length - 2)
     end
 
     def image
-      container_info.images[0] if container_info.entries.length == 1
+      object_info.images[0] if object_info.entries.length == 1
     end
 
     def repo
-      return if image.nil? || image_name_from_image.nil?
-      if image.include?('/')                       # host:port/ubuntu:latest
-        repo_part, image_part = image.split('/')   # host:port, ubuntu:latest
-        repo_part + '/' + image_part.split(':')[0] # host:port + / + ubuntu
-      else
-        image_name_from_image.split(':')[0]
-      end
+      parse_components_from_image(image)[:repo] if object_info.entries.size == 1
     end
 
     def tag
-      return if image_name_from_image.nil?
-      image_name_from_image.split(':')[1]
+      parse_components_from_image(image)[:tag] if object_info.entries.size == 1
     end
 
     def to_s
@@ -95,17 +83,7 @@ module Inspec::Resources
 
     private
 
-    def image_name_from_image
-      return if image.nil?
-      # possible image names include:
-      #   alpine
-      #   ubuntu:14.04
-      #   repo.example.com:5000/ubuntu
-      #   repo.example.com:5000/ubuntu:1404
-      image.include?('/') ? image.split('/')[1] : image
-    end
-
-    def container_info
+    def object_info
       return @info if defined?(@info)
       opts = @opts
       @info = inspec.docker.containers.where { names == opts[:name] || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id]))) }

data/lib/resources/docker_image.rb

@@ -6,8 +6,12 @@
 # author: Patrick Muench
 # author: Dominik Richter
 
+require_relative 'docker_object'
+
 module Inspec::Resources
   class DockerImage < Inspec.resource(1)
+    include Inspec::Resources::DockerObject
+
     name 'docker_image'
     desc ''
     example "
@@ -35,24 +39,16 @@ module Inspec::Resources
       @opts = sanitize_options(o)
     end
 
-    def exist?
-      image_info.exists?
-    end
-
-    def id
-      image_info.ids[0] if image_info.entries.size == 1
-    end
-
     def image
-      "#{repo}:#{tag}" if image_info.entries.size == 1
+      "#{repo}:#{tag}" if object_info.entries.size == 1
     end
 
     def repo
-      image_info.repositories[0] if image_info.entries.size == 1
+      object_info.repositories[0] if object_info.entries.size == 1
     end
 
     def tag
-      image_info.tags[0] if image_info.entries.size == 1
+      object_info.tags[0] if object_info.entries.size == 1
     end
 
     def to_s
@@ -79,46 +75,12 @@ module Inspec::Resources
       opts
     end
 
-    def image_info
+    def object_info
       return @info if defined?(@info)
       opts = @opts
       @info = inspec.docker.images.where {
         (repository == opts[:repo] && tag == opts[:tag]) || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id])))
       }
     end
-
-    def parse_components_from_image(image_string)
-      # if the user did not supply an image string, they likely supplied individual
-      # option parameters, such as repo and tag. Return empty data back to the caller.
-      return {} if image_string.nil?
-
-      first_colon = image_string.index(':') || -1
-      first_slash = image_string.index('/') || -1
-
-      if image_string.count(':') == 2
-        # If there are two colons in the image string, it contains a repo-with-port and a tag.
-        # example: localhost:5000/chef/inspec:1.46.3
-        partitioned_string = image_string.rpartition(':')
-        repo = partitioned_string.first
-        tag = partitioned_string.last
-      elsif image_string.count(':') == 1 && first_colon < first_slash
-        # If there's one colon in the image string, and it comes before a forward-slash,
-        # it contains a repo-with-port but no tag.
-        # example: localhost:5000/ubuntu
-        repo = image_string
-        tag = nil
-      else
-        # If there's one colon in the image string and it doesn't preceed a slash, or if
-        # there is no colon at all, then it separates the repo from the tag, if there is a tag.
-        # example: chef/inspec:1.46.3
-        # example: chef/inspec
-        # example: ubuntu:14.04
-        repo, tag = image_string.split(':')
-      end
-
-      # return the repo and tag parsed from the string, which can be merged into
-      # the rest of the user-supplied options
-      { repo: repo, tag: tag }
-    end
   end
 end

data/lib/resources/docker_object.rb

@@ -0,0 +1,57 @@
+# encoding: utf-8
+#
+# Copyright 2017, Christoph Hartmann
+#
+# author: Christoph Hartmann
+# author: Patrick Muench
+# author: Dominik Richter
+# author: Matt Kulka
+
+module Inspec::Resources::DockerObject
+  def exist?
+    object_info.exists?
+  end
+
+  def id
+    object_info.ids[0] if object_info.entries.size == 1
+  end
+
+  private
+
+  def parse_components_from_image(image_string)
+    # if the user did not supply an image string, they likely supplied individual
+    # option parameters, such as repo and tag. Return empty data back to the caller.
+    return {} if image_string.nil?
+
+    first_colon = image_string.index(':') || -1
+    first_slash = image_string.index('/') || -1
+
+    if image_string.count(':') == 2
+      # If there are two colons in the image string, it contains a repo-with-port and a tag.
+      # example: localhost:5000/chef/inspec:1.46.3
+      partitioned_string = image_string.rpartition(':')
+      repo = partitioned_string.first
+      tag = partitioned_string.last
+      image_name = repo.split('/')[1..-1].join
+    elsif image_string.count(':') == 1 && first_colon < first_slash
+      # If there's one colon in the image string, and it comes before a forward-slash,
+      # it contains a repo-with-port but no tag.
+      # example: localhost:5000/ubuntu
+      repo = image_string
+      tag = nil
+      image_name = repo.split('/')[1..-1].join
+    else
+      # If there's one colon in the image string and it doesn't preceed a slash, or if
+      # there is no colon at all, then it separates the repo from the tag, if there is a tag.
+      # example: chef/inspec:1.46.3
+      # example: chef/inspec
+      # example: ubuntu:14.04
+      repo, tag = image_string.split(':')
+      image_name = repo
+    end
+
+    # return the repo, image_name and tag parsed from the string, which can be merged into
+    # the rest of the user-supplied options
+    { repo: repo, image_name: image_name, tag: tag }
+  end
+end

data/lib/resources/docker_service.rb

@@ -0,0 +1,94 @@
+# encoding: utf-8
+#
+# Copyright 2017, Christoph Hartmann
+#
+# author: Christoph Hartmann
+# author: Patrick Muench
+# author: Dominik Richter
+# author: Matt Kulka
+
+require_relative 'docker_object'
+
+module Inspec::Resources
+  class DockerService < Inspec.resource(1)
+    include Inspec::Resources::DockerObject
+
+    name 'docker_service'
+    desc 'Swarm-mode service'
+    example "
+      describe docker_service('service1') do
+        it { should exist }
+        its('id') { should_not eq '' }
+        its('image') { should eq 'alpine:latest' }
+        its('repo') { should eq 'alpine' }
+        its('tag') { should eq 'latest' }
+      end
+
+      describe docker_service(id: '4a415e366388') do
+        it { should exist }
+      end
+
+      describe docker_service(image: 'alpine:latest') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # do sanitizion of input values
+      o = opts.dup
+      o = { name: opts } if opts.is_a?(String)
+      @opts = sanitize_options(o)
+    end
+
+    def name
+      object_info.names[0] if object_info.entries.size == 1
+    end
+
+    def image
+      object_info.images[0] if object_info.entries.size == 1
+    end
+
+    def image_name
+      parse_components_from_image(image)[:image_name] if object_info.entries.size == 1
+    end
+
+    def repo
+      parse_components_from_image(image)[:repo] if object_info.entries.size == 1
+    end
+
+    def tag
+      parse_components_from_image(image)[:tag] if object_info.entries.size == 1
+    end
+
+    def mode
+      object_info.modes[0] if object_info.entries.size == 1
+    end
+
+    def replicas
+      object_info.replicas[0] if object_info.entries.size == 1
+    end
+
+    def ports
+      object_info.ports[0] if object_info.entries.size == 1
+    end
+
+    def to_s
+      service = @opts[:name] || @opts[:id]
+      "Docker Service #{service}"
+    end
+
+    private
+
+    def sanitize_options(opts)
+      opts.merge(parse_components_from_image(opts[:image]))
+    end
+
+    def object_info
+      return @info if defined?(@info)
+      opts = @opts
+      @info = inspec.docker.services.where {
+        name == opts[:name] || image == opts[:image] || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id])))
+      }
+    end
+  end
+end

data/lib/resources/filesystem.rb

@@ -0,0 +1,31 @@
+module Inspec::Resources
+  class FileSystemResource < Inspec.resource(1)
+    name 'filesystem'
+    supports os_family: 'linux'
+    desc 'Use the filesystem InSpec resource to test file system'
+    example "
+      describe filesystem('/') do
+        its('size') { should be >= 32000 }
+      end
+    "
+    attr_reader :partition
+
+    def initialize(partition)
+      @partition = partition
+    end
+
+    def size
+      @size ||= begin
+        cmd = inspec.command("df #{partition} --output=size")
+        raise Inspec::Exceptions::ResourceFailed, "Unable to get available space for partition #{partition}" if cmd.stdout.nil? || cmd.stdout.empty? || !cmd.exit_status.zero?
+
+        value = cmd.stdout.gsub(/\dK-blocks[\r\n]/, '').strip
+        value.to_i
+      end
+    end
+
+    def to_s
+      "Filesystem #{partition}"
+    end
+  end
+end

data/lib/resources/grub_conf.rb

@@ -36,6 +36,7 @@ class GrubConfig < Inspec.resource(1)
     elsif os.debian?
       @conf_path = path || '/boot/grub/grub.cfg'
       @defaults_path = '/etc/default/grub'
+      @grubenv_path = '/boot/grub2/grubenv'
       @version = 'grub2'
     elsif os[:name] == 'amazon'
       @conf_path = path || '/etc/grub.conf'
@@ -52,6 +53,7 @@ class GrubConfig < Inspec.resource(1)
     else
       @conf_path = path || '/boot/grub2/grub.cfg'
       @defaults_path = '/etc/default/grub'
+      @grubenv_path = '/boot/grub2/grubenv'
       @version = 'grub2'
     end
   end
@@ -71,35 +73,73 @@ class GrubConfig < Inspec.resource(1)
   ######################################################################
 
   def grub2_parse_kernel_lines(content, conf)
-    # Find all "menuentry" lines and then parse them into arrays
-    menu_entry = 0
+    menu_entries = extract_menu_entries(content)
+
+    if @kernel == 'default'
+      default_menu_entry(menu_entries, conf['GRUB_DEFAULT'])
+    else
+      menu_entries.find { |entry| entry['name'] == @kernel }
+    end
+  end
+
+  def extract_menu_entries(content)
+    menu_entries = []
+
     lines = content.split("\n")
-    kernel_opts = {}
-    kernel_opts['insmod'] = []
-    lines.each_with_index do |file_line, index|
-      next unless file_line =~ /(^|\s)menuentry\s.*/
-      lines.drop(index+1).each do |kernel_line|
-        next if kernel_line =~ /(^|\s)(menu|}).*/
-        if menu_entry == conf['GRUB_DEFAULT'].to_i && @kernel == 'default'
-          if kernel_line =~ /(^|\s)initrd.*/
-            kernel_opts['initrd'] = kernel_line.split(' ')[1]
-          end
-          if kernel_line =~ /(^|\s)linux.*/
-            kernel_opts['kernel'] = kernel_line.split
-          end
-          if kernel_line =~ /(^|\s)set root=.*/
-            kernel_opts['root'] = kernel_line.split('=')[1].tr('\'', '')
-          end
-          if kernel_line =~ /(^|\s)insmod.*/
-            kernel_opts['insmod'].push(kernel_line.split(' ')[1])
-          end
-        else
-          menu_entry += 1
-          break
+    lines.each_with_index do |line, index|
+      next unless line =~ /^menuentry\s+.*/
+      entry = {}
+      entry['insmod'] = []
+
+      # Extract name from menuentry line
+      capture_data = line.match(/(?:^|\s+).*menuentry\s*['|"](.*)['|"]\s*--/)
+      if capture_data.nil? || capture_data.captures[0].nil?
+        raise Inspec::Exceptions::ResourceFailed "Failed to extract menuentry name from #{line}"
+      end
+
+      entry['name'] = capture_data.captures[0]
+
+      # Begin processing from index forward until a `}` line is met
+      lines.drop(index+1).each do |mline|
+        break if mline =~ /^\s*}\s*$/
+        case mline
+        when /(?:^|\s*)initrd.*/
+          entry['initrd'] = mline.split(' ')[1]
+        when /(?:^|\s*)linux.*/
+          entry['kernel'] = mline.split
+        when /(?:^|\s*)set root=.*/
+          entry['root'] = mline.split('=')[1].tr('\'', '')
+        when /(?:^|\s*)insmod.*/
+          entry['insmod'] << mline.split(' ')[1]
         end
       end
+
+      menu_entries << entry
     end
-    kernel_opts
+
+    menu_entries
+  end
+
+  def default_menu_entry(menu_entries, default)
+    # If the default entry isn't `saved` then a number is used as an index.
+    # By default this is `0`, which would be the first item in the list.
+    return menu_entries[default.to_i] unless default == 'saved'
+
+    grubenv_contents = inspec.file(@grubenv_path).content
+
+    # The location of the grubenv file is not guaranteed. In the case that
+    # the file does not exist this will return the 0th entry. This will also
+    # return the 0th entry if InSpec lacks permission to read the file. Both
+    # of these reflect the default Grub2 behavior.
+    return menu_entries[0] if grubenv_contents.nil?
+
+    default_name = SimpleConfig.new(grubenv_contents).params['saved_entry']
+    default_entry = menu_entries.select { |k| k['name'] == default_name }[0]
+    return default_entry unless default_entry.nil?
+
+    # It is possible for the saved entry to not be valid . For example, grubenv
+    # not being up to date. If so, the 0th entry is the default.
+    menu_entries[0]
   end
 
   ###################################################################

data/lib/resources/security_policy.rb

@@ -74,8 +74,16 @@ module Inspec::Resources
       describe security_policy do
         its('SeNetworkLogonRight') { should include 'S-1-5-11' }
       end
+
+      describe security_policy(translate_sid: true) do
+        its('SeNetworkLogonRight') { should include 'NT AUTHORITY\\Authenticated Users' }
+      end
     "
 
+    def initialize(opts = {})
+      @translate_sid = opts[:translate_sid] || false
+    end
+
     def content
       read_content
     end
@@ -142,10 +150,17 @@ module Inspec::Resources
       if val =~ /^\d+$/
         val.to_i
       # special handling for SID array
-      elsif val =~ /^\*\S/
-        val.split(',').map { |v|
-          v.sub('*S', 'S')
-        }
+      elsif val =~ /[,]{0,1}\*\S/
+        if @translate_sid
+          val.split(',').map { |v|
+            object_name = inspec.command("(New-Object System.Security.Principal.SecurityIdentifier(\"#{v.sub('*S', 'S')}\")).Translate( [System.Security.Principal.NTAccount]).Value").stdout.to_s.strip
+            object_name.empty? || object_name.nil? ? v.sub('*S', 'S') : object_name
+          }
+        else
+          val.split(',').map { |v|
+            v.sub('*S', 'S')
+          }
+        end
       # special handling for string values with "
       elsif !(m = /^\"(.*)\"$/.match(val)).nil?
         m[1]

data/lib/resources/service.rb

@@ -250,7 +250,17 @@ module Inspec::Resources
     end
 
     def is_enabled?(service_name)
-      inspec.command("#{service_ctl} is-enabled #{service_name} --quiet").exit_status == 0
+      result = inspec.command("#{service_ctl} is-enabled #{service_name} --quiet")
+      return true if result.exit_status == 0
+
+      # Some systems may not have a `.service` file for a particular service
+      # which causes the `systemctl is-enabled` check to fail despite the
+      # service being enabled. In that event we fallback to `sysv_service`.
+      if result.stderr =~ /Failed to get.*No such file or directory/
+        return inspec.sysv_service(service_name).enabled?
+      end
+
+      false
     end
 
     def is_active?(service_name)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.50.1
+  version: 1.51.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-01-17 00:00:00.000000000 Z
+date: 2018-01-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -319,6 +319,7 @@ files:
 - docs/resources/docker.md.erb
 - docs/resources/docker_container.md.erb
 - docs/resources/docker_image.md.erb
+- docs/resources/docker_service.md.erb
 - docs/resources/elasticsearch.md.erb
 - docs/resources/etc_fstab.md.erb
 - docs/resources/etc_group.md.erb
@@ -326,6 +327,7 @@ files:
 - docs/resources/etc_hosts_allow.md.erb
 - docs/resources/etc_hosts_deny.md.erb
 - docs/resources/file.md.erb
+- docs/resources/filesystem.md.erb
 - docs/resources/firewalld.md.erb
 - docs/resources/gem.md.erb
 - docs/resources/group.md.erb
@@ -571,12 +573,15 @@ files:
 - lib/resources/docker.rb
 - lib/resources/docker_container.rb
 - lib/resources/docker_image.rb
+- lib/resources/docker_object.rb
+- lib/resources/docker_service.rb
 - lib/resources/elasticsearch.rb
 - lib/resources/etc_fstab.rb
 - lib/resources/etc_group.rb
 - lib/resources/etc_hosts.rb
 - lib/resources/etc_hosts_allow_deny.rb
 - lib/resources/file.rb
+- lib/resources/filesystem.rb
 - lib/resources/firewalld.rb
 - lib/resources/gem.rb
 - lib/resources/groups.rb