inspec 2.1.30 → 2.1.43

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (503) hide show
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +0 -0
  3. data/CHANGELOG.md +39 -18
  4. data/Gemfile +0 -0
  5. data/LICENSE +0 -0
  6. data/MAINTAINERS.md +0 -0
  7. data/MAINTAINERS.toml +0 -0
  8. data/README.md +2 -2
  9. data/Rakefile +4 -2
  10. data/docs/.gitignore +0 -0
  11. data/docs/README.md +0 -0
  12. data/docs/dsl_inspec.md +0 -0
  13. data/docs/dsl_resource.md +0 -0
  14. data/docs/glossary.md +0 -0
  15. data/docs/habitat.md +0 -0
  16. data/docs/inspec_and_friends.md +0 -0
  17. data/docs/matchers.md +0 -0
  18. data/docs/migration.md +0 -0
  19. data/docs/platforms.md +0 -0
  20. data/docs/plugin_kitchen_inspec.md +0 -0
  21. data/docs/profiles.md +2 -0
  22. data/docs/reporters.md +0 -0
  23. data/docs/resources/aide_conf.md.erb +0 -0
  24. data/docs/resources/apache.md.erb +0 -0
  25. data/docs/resources/apache_conf.md.erb +0 -0
  26. data/docs/resources/apt.md.erb +0 -0
  27. data/docs/resources/audit_policy.md.erb +0 -0
  28. data/docs/resources/auditd.md.erb +0 -0
  29. data/docs/resources/auditd_conf.md.erb +0 -0
  30. data/docs/resources/aws_cloudtrail_trail.md.erb +9 -0
  31. data/docs/resources/aws_cloudtrail_trails.md.erb +0 -0
  32. data/docs/resources/aws_cloudwatch_alarm.md.erb +1 -1
  33. data/docs/resources/aws_cloudwatch_log_metric_filter.md.erb +0 -0
  34. data/docs/resources/aws_config_delivery_channel.md +0 -0
  35. data/docs/resources/aws_config_recorder.md.erb +0 -0
  36. data/docs/resources/aws_ec2_instance.md.erb +0 -0
  37. data/docs/resources/aws_iam_access_key.md.erb +0 -0
  38. data/docs/resources/aws_iam_access_keys.md.erb +0 -0
  39. data/docs/resources/aws_iam_group.md.erb +12 -0
  40. data/docs/resources/aws_iam_groups.md.erb +0 -0
  41. data/docs/resources/aws_iam_password_policy.md.erb +0 -0
  42. data/docs/resources/aws_iam_policies.md.erb +0 -0
  43. data/docs/resources/aws_iam_policy.md.erb +99 -4
  44. data/docs/resources/aws_iam_role.md.erb +0 -0
  45. data/docs/resources/aws_iam_root_user.md.erb +2 -2
  46. data/docs/resources/aws_iam_user.md.erb +0 -0
  47. data/docs/resources/aws_iam_users.md.erb +0 -0
  48. data/docs/resources/aws_kms_key.md.erb +0 -0
  49. data/docs/resources/aws_kms_keys.md.erb +0 -0
  50. data/docs/resources/aws_rds_instance.md.erb +0 -0
  51. data/docs/resources/aws_route_table.md.erb +0 -0
  52. data/docs/resources/aws_route_tables.md.erb +0 -0
  53. data/docs/resources/aws_s3_bucket.md.erb +0 -0
  54. data/docs/resources/aws_s3_bucket_object.md.erb +0 -0
  55. data/docs/resources/aws_s3_buckets.md.erb +0 -0
  56. data/docs/resources/aws_security_group.md.erb +160 -21
  57. data/docs/resources/aws_security_groups.md.erb +0 -0
  58. data/docs/resources/aws_sns_subscription.md.erb +0 -0
  59. data/docs/resources/aws_sns_topic.md.erb +0 -0
  60. data/docs/resources/aws_sns_topics.md.erb +0 -0
  61. data/docs/resources/aws_subnet.md.erb +0 -0
  62. data/docs/resources/aws_subnets.md.erb +0 -0
  63. data/docs/resources/aws_vpc.md.erb +0 -0
  64. data/docs/resources/aws_vpcs.md.erb +73 -2
  65. data/docs/resources/azure_generic_resource.md.erb +0 -0
  66. data/docs/resources/azure_resource_group.md.erb +0 -0
  67. data/docs/resources/azure_virtual_machine.md.erb +0 -0
  68. data/docs/resources/azure_virtual_machine_data_disk.md.erb +0 -0
  69. data/docs/resources/bash.md.erb +0 -0
  70. data/docs/resources/bond.md.erb +0 -0
  71. data/docs/resources/bridge.md.erb +0 -0
  72. data/docs/resources/bsd_service.md.erb +0 -0
  73. data/docs/resources/chocolatey_package.md.erb +0 -0
  74. data/docs/resources/command.md.erb +0 -0
  75. data/docs/resources/cpan.md.erb +0 -0
  76. data/docs/resources/cran.md.erb +0 -0
  77. data/docs/resources/crontab.md.erb +0 -0
  78. data/docs/resources/csv.md.erb +0 -0
  79. data/docs/resources/dh_params.md.erb +0 -0
  80. data/docs/resources/directory.md.erb +0 -0
  81. data/docs/resources/docker.md.erb +0 -0
  82. data/docs/resources/docker_container.md.erb +0 -0
  83. data/docs/resources/docker_image.md.erb +0 -0
  84. data/docs/resources/docker_service.md.erb +0 -0
  85. data/docs/resources/elasticsearch.md.erb +0 -0
  86. data/docs/resources/etc_fstab.md.erb +0 -0
  87. data/docs/resources/etc_group.md.erb +0 -0
  88. data/docs/resources/etc_hosts.md.erb +0 -0
  89. data/docs/resources/etc_hosts_allow.md.erb +0 -0
  90. data/docs/resources/etc_hosts_deny.md.erb +0 -0
  91. data/docs/resources/file.md.erb +0 -0
  92. data/docs/resources/filesystem.md.erb +1 -1
  93. data/docs/resources/firewalld.md.erb +0 -0
  94. data/docs/resources/gem.md.erb +0 -0
  95. data/docs/resources/group.md.erb +0 -0
  96. data/docs/resources/grub_conf.md.erb +0 -0
  97. data/docs/resources/host.md.erb +0 -0
  98. data/docs/resources/http.md.erb +0 -0
  99. data/docs/resources/iis_app.md.erb +0 -0
  100. data/docs/resources/iis_site.md.erb +0 -0
  101. data/docs/resources/inetd_conf.md.erb +0 -0
  102. data/docs/resources/ini.md.erb +0 -0
  103. data/docs/resources/interface.md.erb +0 -0
  104. data/docs/resources/iptables.md.erb +0 -0
  105. data/docs/resources/json.md.erb +0 -0
  106. data/docs/resources/kernel_module.md.erb +0 -0
  107. data/docs/resources/kernel_parameter.md.erb +0 -0
  108. data/docs/resources/key_rsa.md.erb +0 -0
  109. data/docs/resources/launchd_service.md.erb +0 -0
  110. data/docs/resources/limits_conf.md.erb +0 -0
  111. data/docs/resources/login_defs.md.erb +0 -0
  112. data/docs/resources/mount.md.erb +0 -0
  113. data/docs/resources/mssql_session.md.erb +0 -0
  114. data/docs/resources/mysql_conf.md.erb +0 -0
  115. data/docs/resources/mysql_session.md.erb +0 -0
  116. data/docs/resources/nginx.md.erb +0 -0
  117. data/docs/resources/nginx_conf.md.erb +0 -0
  118. data/docs/resources/npm.md.erb +0 -0
  119. data/docs/resources/ntp_conf.md.erb +0 -0
  120. data/docs/resources/oneget.md.erb +0 -0
  121. data/docs/resources/oracledb_session.md.erb +0 -0
  122. data/docs/resources/os.md.erb +0 -0
  123. data/docs/resources/os_env.md.erb +0 -0
  124. data/docs/resources/package.md.erb +4 -4
  125. data/docs/resources/packages.md.erb +0 -0
  126. data/docs/resources/parse_config.md.erb +0 -0
  127. data/docs/resources/parse_config_file.md.erb +0 -0
  128. data/docs/resources/passwd.md.erb +0 -0
  129. data/docs/resources/pip.md.erb +0 -0
  130. data/docs/resources/port.md.erb +0 -0
  131. data/docs/resources/postgres_conf.md.erb +0 -0
  132. data/docs/resources/postgres_hba_conf.md.erb +0 -0
  133. data/docs/resources/postgres_ident_conf.md.erb +0 -0
  134. data/docs/resources/postgres_session.md.erb +0 -0
  135. data/docs/resources/powershell.md.erb +0 -0
  136. data/docs/resources/processes.md.erb +0 -0
  137. data/docs/resources/rabbitmq_config.md.erb +0 -0
  138. data/docs/resources/registry_key.md.erb +0 -0
  139. data/docs/resources/runit_service.md.erb +0 -0
  140. data/docs/resources/security_policy.md.erb +0 -0
  141. data/docs/resources/service.md.erb +0 -0
  142. data/docs/resources/shadow.md.erb +0 -0
  143. data/docs/resources/ssh_config.md.erb +0 -0
  144. data/docs/resources/sshd_config.md.erb +0 -0
  145. data/docs/resources/ssl.md.erb +0 -0
  146. data/docs/resources/sys_info.md.erb +0 -0
  147. data/docs/resources/systemd_service.md.erb +0 -0
  148. data/docs/resources/sysv_service.md.erb +0 -0
  149. data/docs/resources/upstart_service.md.erb +0 -0
  150. data/docs/resources/user.md.erb +0 -0
  151. data/docs/resources/users.md.erb +0 -0
  152. data/docs/resources/vbscript.md.erb +0 -0
  153. data/docs/resources/virtualization.md.erb +0 -0
  154. data/docs/resources/windows_feature.md.erb +0 -0
  155. data/docs/resources/windows_hotfix.md.erb +0 -0
  156. data/docs/resources/windows_task.md.erb +0 -0
  157. data/docs/resources/wmi.md.erb +0 -0
  158. data/docs/resources/x509_certificate.md.erb +0 -0
  159. data/docs/resources/xinetd_conf.md.erb +0 -0
  160. data/docs/resources/xml.md.erb +0 -0
  161. data/docs/resources/yaml.md.erb +0 -0
  162. data/docs/resources/yum.md.erb +0 -0
  163. data/docs/resources/zfs_dataset.md.erb +0 -0
  164. data/docs/resources/zfs_pool.md.erb +0 -0
  165. data/docs/ruby_usage.md +0 -0
  166. data/docs/shared/matcher_be.md.erb +0 -0
  167. data/docs/shared/matcher_cmp.md.erb +0 -0
  168. data/docs/shared/matcher_eq.md.erb +0 -0
  169. data/docs/shared/matcher_include.md.erb +0 -0
  170. data/docs/shared/matcher_match.md.erb +0 -0
  171. data/docs/shell.md +0 -0
  172. data/examples/README.md +0 -0
  173. data/examples/inheritance/README.md +0 -0
  174. data/examples/inheritance/controls/example.rb +0 -0
  175. data/examples/inheritance/inspec.yml +0 -0
  176. data/examples/kitchen-ansible/.kitchen.yml +0 -0
  177. data/examples/kitchen-ansible/Gemfile +0 -0
  178. data/examples/kitchen-ansible/README.md +0 -0
  179. data/examples/kitchen-ansible/files/nginx.repo +0 -0
  180. data/examples/kitchen-ansible/tasks/main.yml +0 -0
  181. data/examples/kitchen-ansible/test/integration/default/default.yml +0 -0
  182. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +0 -0
  183. data/examples/kitchen-chef/.kitchen.yml +0 -0
  184. data/examples/kitchen-chef/Berksfile +0 -0
  185. data/examples/kitchen-chef/Gemfile +0 -0
  186. data/examples/kitchen-chef/README.md +0 -0
  187. data/examples/kitchen-chef/metadata.rb +0 -0
  188. data/examples/kitchen-chef/recipes/default.rb +0 -0
  189. data/examples/kitchen-chef/recipes/nginx.rb +0 -0
  190. data/examples/kitchen-chef/test/integration/default/web_spec.rb +0 -0
  191. data/examples/kitchen-puppet/.kitchen.yml +0 -0
  192. data/examples/kitchen-puppet/Gemfile +0 -0
  193. data/examples/kitchen-puppet/Puppetfile +0 -0
  194. data/examples/kitchen-puppet/README.md +0 -0
  195. data/examples/kitchen-puppet/manifests/site.pp +0 -0
  196. data/examples/kitchen-puppet/metadata.json +0 -0
  197. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +0 -0
  198. data/examples/meta-profile/README.md +0 -0
  199. data/examples/meta-profile/controls/example.rb +0 -0
  200. data/examples/meta-profile/inspec.yml +0 -0
  201. data/examples/profile-attribute.yml +0 -0
  202. data/examples/profile-attribute/README.md +0 -0
  203. data/examples/profile-attribute/controls/example.rb +0 -0
  204. data/examples/profile-attribute/inspec.yml +0 -0
  205. data/examples/profile-aws/controls/iam_password_policy_expiration.rb +0 -0
  206. data/examples/profile-aws/controls/iam_password_policy_max_age.rb +0 -0
  207. data/examples/profile-aws/controls/iam_root_user_mfa.rb +0 -0
  208. data/examples/profile-aws/controls/iam_users_access_key_age.rb +0 -0
  209. data/examples/profile-aws/controls/iam_users_console_users_mfa.rb +0 -0
  210. data/examples/profile-aws/inspec.yml +0 -0
  211. data/examples/profile-azure/controls/azure_resource_group_example.rb +0 -0
  212. data/examples/profile-azure/controls/azure_vm_example.rb +0 -0
  213. data/examples/profile-azure/inspec.yml +0 -0
  214. data/examples/profile-sensitive/README.md +0 -0
  215. data/examples/profile-sensitive/controls/sensitive-failures.rb +0 -0
  216. data/examples/profile-sensitive/controls/sensitive.rb +0 -0
  217. data/examples/profile-sensitive/inspec.yml +0 -0
  218. data/examples/profile/README.md +0 -0
  219. data/examples/profile/controls/example.rb +0 -0
  220. data/examples/profile/controls/gordon.rb +0 -0
  221. data/examples/profile/controls/meta.rb +0 -0
  222. data/examples/profile/inspec.yml +0 -0
  223. data/examples/profile/libraries/gordon_config.rb +0 -0
  224. data/inspec.gemspec +1 -1
  225. data/lib/bundles/README.md +0 -0
  226. data/lib/bundles/inspec-artifact.rb +0 -0
  227. data/lib/bundles/inspec-artifact/README.md +0 -0
  228. data/lib/bundles/inspec-artifact/cli.rb +0 -0
  229. data/lib/bundles/inspec-compliance.rb +0 -0
  230. data/lib/bundles/inspec-compliance/.kitchen.yml +0 -0
  231. data/lib/bundles/inspec-compliance/README.md +0 -0
  232. data/lib/bundles/inspec-compliance/api/login.rb +0 -0
  233. data/lib/bundles/inspec-compliance/bootstrap.sh +0 -0
  234. data/lib/bundles/inspec-compliance/cli.rb +0 -0
  235. data/lib/bundles/inspec-compliance/configuration.rb +0 -0
  236. data/lib/bundles/inspec-compliance/http.rb +0 -0
  237. data/lib/bundles/inspec-compliance/images/cc-token.png +0 -0
  238. data/lib/bundles/inspec-compliance/support.rb +0 -0
  239. data/lib/bundles/inspec-compliance/target.rb +0 -0
  240. data/lib/bundles/inspec-compliance/test/integration/default/cli.rb +0 -0
  241. data/lib/bundles/inspec-habitat.rb +0 -0
  242. data/lib/bundles/inspec-habitat/cli.rb +0 -0
  243. data/lib/bundles/inspec-habitat/log.rb +0 -0
  244. data/lib/bundles/inspec-habitat/profile.rb +0 -0
  245. data/lib/bundles/inspec-init.rb +0 -0
  246. data/lib/bundles/inspec-init/README.md +0 -0
  247. data/lib/bundles/inspec-init/cli.rb +0 -0
  248. data/lib/bundles/inspec-init/templates/profile/README.md +0 -0
  249. data/lib/bundles/inspec-init/templates/profile/controls/example.rb +0 -0
  250. data/lib/bundles/inspec-init/templates/profile/inspec.yml +0 -0
  251. data/lib/bundles/inspec-init/templates/profile/libraries/.gitkeep +0 -0
  252. data/lib/bundles/inspec-supermarket.rb +0 -0
  253. data/lib/bundles/inspec-supermarket/README.md +0 -0
  254. data/lib/bundles/inspec-supermarket/api.rb +0 -0
  255. data/lib/bundles/inspec-supermarket/cli.rb +0 -0
  256. data/lib/bundles/inspec-supermarket/target.rb +0 -0
  257. data/lib/fetchers/git.rb +0 -0
  258. data/lib/fetchers/local.rb +0 -0
  259. data/lib/fetchers/mock.rb +0 -0
  260. data/lib/fetchers/url.rb +0 -0
  261. data/lib/inspec.rb +0 -0
  262. data/lib/inspec/archive/tar.rb +0 -0
  263. data/lib/inspec/archive/zip.rb +0 -0
  264. data/lib/inspec/backend.rb +0 -0
  265. data/lib/inspec/base_cli.rb +2 -0
  266. data/lib/inspec/cached_fetcher.rb +0 -0
  267. data/lib/inspec/cli.rb +0 -0
  268. data/lib/inspec/completions/bash.sh.erb +0 -0
  269. data/lib/inspec/completions/fish.sh.erb +0 -0
  270. data/lib/inspec/completions/zsh.sh.erb +0 -0
  271. data/lib/inspec/control_eval_context.rb +0 -0
  272. data/lib/inspec/dependencies/cache.rb +0 -0
  273. data/lib/inspec/dependencies/dependency_set.rb +0 -0
  274. data/lib/inspec/dependencies/lockfile.rb +0 -0
  275. data/lib/inspec/dependencies/requirement.rb +0 -0
  276. data/lib/inspec/dependencies/resolver.rb +0 -0
  277. data/lib/inspec/describe.rb +0 -0
  278. data/lib/inspec/dsl.rb +0 -0
  279. data/lib/inspec/dsl_shared.rb +0 -0
  280. data/lib/inspec/env_printer.rb +0 -0
  281. data/lib/inspec/errors.rb +0 -0
  282. data/lib/inspec/exceptions.rb +0 -0
  283. data/lib/inspec/expect.rb +0 -0
  284. data/lib/inspec/fetcher.rb +0 -0
  285. data/lib/inspec/file_provider.rb +0 -0
  286. data/lib/inspec/formatters.rb +0 -0
  287. data/lib/inspec/formatters/base.rb +0 -0
  288. data/lib/inspec/formatters/json_rspec.rb +0 -0
  289. data/lib/inspec/formatters/show_progress.rb +0 -0
  290. data/lib/inspec/library_eval_context.rb +0 -0
  291. data/lib/inspec/log.rb +0 -0
  292. data/lib/inspec/metadata.rb +0 -0
  293. data/lib/inspec/method_source.rb +0 -0
  294. data/lib/inspec/objects.rb +0 -0
  295. data/lib/inspec/objects/attribute.rb +11 -1
  296. data/lib/inspec/objects/control.rb +0 -0
  297. data/lib/inspec/objects/describe.rb +0 -0
  298. data/lib/inspec/objects/each_loop.rb +0 -0
  299. data/lib/inspec/objects/list.rb +0 -0
  300. data/lib/inspec/objects/or_test.rb +0 -0
  301. data/lib/inspec/objects/ruby_helper.rb +0 -0
  302. data/lib/inspec/objects/tag.rb +0 -0
  303. data/lib/inspec/objects/test.rb +0 -0
  304. data/lib/inspec/objects/value.rb +0 -0
  305. data/lib/inspec/plugins.rb +0 -0
  306. data/lib/inspec/plugins/cli.rb +0 -0
  307. data/lib/inspec/plugins/fetcher.rb +0 -0
  308. data/lib/inspec/plugins/resource.rb +0 -0
  309. data/lib/inspec/plugins/secret.rb +0 -0
  310. data/lib/inspec/plugins/source_reader.rb +0 -0
  311. data/lib/inspec/polyfill.rb +0 -0
  312. data/lib/inspec/profile.rb +0 -0
  313. data/lib/inspec/profile_context.rb +0 -0
  314. data/lib/inspec/profile_vendor.rb +0 -0
  315. data/lib/inspec/reporters.rb +0 -0
  316. data/lib/inspec/reporters/automate.rb +0 -0
  317. data/lib/inspec/reporters/base.rb +0 -0
  318. data/lib/inspec/reporters/cli.rb +0 -0
  319. data/lib/inspec/reporters/json.rb +0 -0
  320. data/lib/inspec/reporters/json_min.rb +0 -0
  321. data/lib/inspec/reporters/junit.rb +1 -0
  322. data/lib/inspec/require_loader.rb +0 -0
  323. data/lib/inspec/resource.rb +0 -0
  324. data/lib/inspec/rule.rb +0 -0
  325. data/lib/inspec/runner.rb +0 -0
  326. data/lib/inspec/runner_mock.rb +0 -0
  327. data/lib/inspec/runner_rspec.rb +0 -0
  328. data/lib/inspec/runtime_profile.rb +0 -0
  329. data/lib/inspec/schema.rb +0 -0
  330. data/lib/inspec/secrets.rb +0 -0
  331. data/lib/inspec/secrets/yaml.rb +0 -0
  332. data/lib/inspec/shell.rb +0 -0
  333. data/lib/inspec/shell_detector.rb +0 -0
  334. data/lib/inspec/source_reader.rb +0 -0
  335. data/lib/inspec/version.rb +1 -1
  336. data/lib/matchers/matchers.rb +0 -0
  337. data/lib/resource_support/aws.rb +0 -0
  338. data/lib/resource_support/aws/aws_backend_base.rb +0 -0
  339. data/lib/resource_support/aws/aws_backend_factory_mixin.rb +0 -0
  340. data/lib/resource_support/aws/aws_plural_resource_mixin.rb +0 -0
  341. data/lib/resource_support/aws/aws_resource_mixin.rb +0 -0
  342. data/lib/resource_support/aws/aws_singular_resource_mixin.rb +0 -0
  343. data/lib/resources/aide_conf.rb +0 -0
  344. data/lib/resources/apache.rb +0 -0
  345. data/lib/resources/apache_conf.rb +0 -0
  346. data/lib/resources/apt.rb +0 -0
  347. data/lib/resources/audit_policy.rb +0 -0
  348. data/lib/resources/auditd.rb +0 -0
  349. data/lib/resources/auditd_conf.rb +0 -0
  350. data/lib/resources/aws/aws_cloudtrail_trail.rb +16 -0
  351. data/lib/resources/aws/aws_cloudtrail_trails.rb +0 -0
  352. data/lib/resources/aws/aws_cloudwatch_alarm.rb +1 -1
  353. data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb +0 -0
  354. data/lib/resources/aws/aws_config_delivery_channel.rb +0 -0
  355. data/lib/resources/aws/aws_config_recorder.rb +0 -0
  356. data/lib/resources/aws/aws_ec2_instance.rb +0 -0
  357. data/lib/resources/aws/aws_iam_access_key.rb +0 -0
  358. data/lib/resources/aws/aws_iam_access_keys.rb +0 -0
  359. data/lib/resources/aws/aws_iam_group.rb +4 -2
  360. data/lib/resources/aws/aws_iam_groups.rb +0 -0
  361. data/lib/resources/aws/aws_iam_password_policy.rb +0 -0
  362. data/lib/resources/aws/aws_iam_policies.rb +0 -0
  363. data/lib/resources/aws/aws_iam_policy.rb +148 -0
  364. data/lib/resources/aws/aws_iam_role.rb +0 -0
  365. data/lib/resources/aws/aws_iam_root_user.rb +0 -0
  366. data/lib/resources/aws/aws_iam_user.rb +0 -0
  367. data/lib/resources/aws/aws_iam_users.rb +0 -0
  368. data/lib/resources/aws/aws_kms_key.rb +0 -0
  369. data/lib/resources/aws/aws_kms_keys.rb +0 -0
  370. data/lib/resources/aws/aws_rds_instance.rb +0 -0
  371. data/lib/resources/aws/aws_route_table.rb +0 -0
  372. data/lib/resources/aws/aws_route_tables.rb +0 -0
  373. data/lib/resources/aws/aws_s3_bucket.rb +0 -0
  374. data/lib/resources/aws/aws_s3_bucket_object.rb +0 -0
  375. data/lib/resources/aws/aws_s3_buckets.rb +0 -0
  376. data/lib/resources/aws/aws_security_group.rb +163 -7
  377. data/lib/resources/aws/aws_security_groups.rb +0 -0
  378. data/lib/resources/aws/aws_sns_subscription.rb +0 -0
  379. data/lib/resources/aws/aws_sns_topic.rb +0 -0
  380. data/lib/resources/aws/aws_sns_topics.rb +0 -0
  381. data/lib/resources/aws/aws_subnet.rb +0 -0
  382. data/lib/resources/aws/aws_subnets.rb +0 -0
  383. data/lib/resources/aws/aws_vpc.rb +12 -8
  384. data/lib/resources/aws/aws_vpcs.rb +8 -1
  385. data/lib/resources/azure/azure_backend.rb +0 -0
  386. data/lib/resources/azure/azure_generic_resource.rb +0 -0
  387. data/lib/resources/azure/azure_resource_group.rb +0 -0
  388. data/lib/resources/azure/azure_virtual_machine.rb +0 -0
  389. data/lib/resources/azure/azure_virtual_machine_data_disk.rb +0 -0
  390. data/lib/resources/bash.rb +0 -0
  391. data/lib/resources/bond.rb +0 -0
  392. data/lib/resources/bridge.rb +0 -0
  393. data/lib/resources/chocolatey_package.rb +0 -0
  394. data/lib/resources/command.rb +0 -0
  395. data/lib/resources/cpan.rb +0 -0
  396. data/lib/resources/cran.rb +0 -0
  397. data/lib/resources/crontab.rb +0 -0
  398. data/lib/resources/csv.rb +0 -0
  399. data/lib/resources/dh_params.rb +0 -0
  400. data/lib/resources/directory.rb +0 -0
  401. data/lib/resources/docker.rb +0 -0
  402. data/lib/resources/docker_container.rb +0 -0
  403. data/lib/resources/docker_image.rb +0 -0
  404. data/lib/resources/docker_object.rb +0 -0
  405. data/lib/resources/docker_service.rb +0 -0
  406. data/lib/resources/elasticsearch.rb +0 -0
  407. data/lib/resources/etc_fstab.rb +0 -0
  408. data/lib/resources/etc_group.rb +0 -0
  409. data/lib/resources/etc_hosts.rb +0 -0
  410. data/lib/resources/etc_hosts_allow_deny.rb +0 -0
  411. data/lib/resources/file.rb +0 -0
  412. data/lib/resources/filesystem.rb +0 -0
  413. data/lib/resources/firewalld.rb +0 -0
  414. data/lib/resources/gem.rb +0 -0
  415. data/lib/resources/groups.rb +0 -0
  416. data/lib/resources/grub_conf.rb +0 -0
  417. data/lib/resources/host.rb +0 -0
  418. data/lib/resources/http.rb +0 -0
  419. data/lib/resources/iis_app.rb +0 -0
  420. data/lib/resources/iis_site.rb +0 -0
  421. data/lib/resources/inetd_conf.rb +0 -0
  422. data/lib/resources/ini.rb +0 -0
  423. data/lib/resources/interface.rb +0 -0
  424. data/lib/resources/iptables.rb +0 -0
  425. data/lib/resources/json.rb +0 -0
  426. data/lib/resources/kernel_module.rb +0 -0
  427. data/lib/resources/kernel_parameter.rb +0 -0
  428. data/lib/resources/key_rsa.rb +3 -1
  429. data/lib/resources/limits_conf.rb +0 -0
  430. data/lib/resources/login_def.rb +0 -0
  431. data/lib/resources/mount.rb +0 -0
  432. data/lib/resources/mssql_session.rb +0 -0
  433. data/lib/resources/mysql.rb +0 -0
  434. data/lib/resources/mysql_conf.rb +0 -0
  435. data/lib/resources/mysql_session.rb +0 -0
  436. data/lib/resources/nginx.rb +0 -0
  437. data/lib/resources/nginx_conf.rb +0 -0
  438. data/lib/resources/npm.rb +0 -0
  439. data/lib/resources/ntp_conf.rb +0 -0
  440. data/lib/resources/oneget.rb +0 -0
  441. data/lib/resources/oracledb_session.rb +0 -0
  442. data/lib/resources/os.rb +0 -0
  443. data/lib/resources/os_env.rb +0 -0
  444. data/lib/resources/package.rb +0 -0
  445. data/lib/resources/packages.rb +0 -0
  446. data/lib/resources/parse_config.rb +0 -0
  447. data/lib/resources/passwd.rb +0 -0
  448. data/lib/resources/pip.rb +0 -0
  449. data/lib/resources/platform.rb +0 -0
  450. data/lib/resources/port.rb +0 -0
  451. data/lib/resources/postgres.rb +0 -0
  452. data/lib/resources/postgres_conf.rb +0 -0
  453. data/lib/resources/postgres_hba_conf.rb +0 -0
  454. data/lib/resources/postgres_ident_conf.rb +0 -0
  455. data/lib/resources/postgres_session.rb +0 -0
  456. data/lib/resources/powershell.rb +1 -0
  457. data/lib/resources/processes.rb +0 -0
  458. data/lib/resources/rabbitmq_conf.rb +0 -0
  459. data/lib/resources/registry_key.rb +0 -0
  460. data/lib/resources/security_policy.rb +0 -0
  461. data/lib/resources/service.rb +0 -0
  462. data/lib/resources/shadow.rb +20 -10
  463. data/lib/resources/ssh_conf.rb +0 -0
  464. data/lib/resources/ssl.rb +0 -0
  465. data/lib/resources/sys_info.rb +0 -0
  466. data/lib/resources/toml.rb +0 -0
  467. data/lib/resources/users.rb +0 -0
  468. data/lib/resources/vbscript.rb +0 -0
  469. data/lib/resources/virtualization.rb +0 -0
  470. data/lib/resources/windows_feature.rb +0 -0
  471. data/lib/resources/windows_hotfix.rb +0 -0
  472. data/lib/resources/windows_task.rb +0 -0
  473. data/lib/resources/wmi.rb +0 -0
  474. data/lib/resources/x509_certificate.rb +0 -0
  475. data/lib/resources/xinetd.rb +0 -0
  476. data/lib/resources/xml.rb +0 -0
  477. data/lib/resources/yaml.rb +0 -0
  478. data/lib/resources/yum.rb +0 -0
  479. data/lib/resources/zfs_dataset.rb +0 -0
  480. data/lib/resources/zfs_pool.rb +0 -0
  481. data/lib/source_readers/flat.rb +0 -0
  482. data/lib/source_readers/inspec.rb +0 -0
  483. data/lib/utils/command_wrapper.rb +0 -0
  484. data/lib/utils/convert.rb +0 -0
  485. data/lib/utils/database_helpers.rb +0 -0
  486. data/lib/utils/erlang_parser.rb +0 -0
  487. data/lib/utils/file_reader.rb +0 -0
  488. data/lib/utils/filter.rb +0 -0
  489. data/lib/utils/filter_array.rb +0 -0
  490. data/lib/utils/find_files.rb +0 -0
  491. data/lib/utils/hash.rb +0 -0
  492. data/lib/utils/json_log.rb +0 -0
  493. data/lib/utils/latest_version.rb +0 -0
  494. data/lib/utils/modulator.rb +0 -0
  495. data/lib/utils/nginx_parser.rb +0 -0
  496. data/lib/utils/object_traversal.rb +0 -0
  497. data/lib/utils/parser.rb +0 -0
  498. data/lib/utils/pkey_reader.rb +15 -0
  499. data/lib/utils/plugin_registry.rb +0 -0
  500. data/lib/utils/simpleconfig.rb +0 -0
  501. data/lib/utils/spdx.rb +0 -0
  502. data/lib/utils/spdx.txt +0 -0
  503. metadata +5 -4
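--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 6b4b3b2ec605fc42cd9a7dc81ae0c375305b3534
-data.tar.gz: ebbf91548c3fce0ba05c5b0db69549d21d0cf9df
+metadata.gz: 20615575585069d827d93b1bda43540f5cb7b0fc
+data.tar.gz: ba4ce3f0d578f97e2aee6304326bc81f40cc50f7
 SHA512:
-metadata.gz: c3a997662221b2ae6bfb7c212410f8fb7b1dc52f772dea4e25dc2bdaf63678c323b196bba38c1d9444d173f6b62b3b02a8fc86f7ae3f6e13a528e890fccd90dd
-data.tar.gz: 98b00b3345172cd4031a2e77a83129d3a71593be6d55ac417c1821d1e44e65486065112e4a1aa1b3a98b32b95df6fab48f51a8ffb6a93068572cb8e4ab0faabf
+metadata.gz: e55df70b1b8dd5bc9f86029354cbf3c179237a5a777dd73e60351286900ba13e97d9d2a60a5446928e2b1296563696e951cd2fca7c050a8c855a4e91950726f3
+data.tar.gz: f98ba1d732e28565113d7bc5eb91440736abc4c847954a0663cf9313773039cbef11814ad4d7b087cfd1a06fa094e33c67b832128dee504533a67abde8803017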
data/.rubocop.yml CHANGED
File without changes
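--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,32 +1,54 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 2.1.30 -->
-## [v2.1.30](https://github.com/chef/inspec/tree/v2.1.30) (2018-04-05)
+<!-- latest_release 2.1.43 -->
+## [v2.1.43](https://github.com/chef/inspec/tree/v2.1.43) (2018-04-12)
 
-#### New Resources
-- New Skeletal Resource aws_route_tables [#2643](https://github.com/chef/inspec/pull/2643) ([dromazmj](https://github.com/dromazmj))
+#### Merged Pull Requests
+- powershell resource: Add support line for Unix [#2952](https://github.com/chef/inspec/pull/2952) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
 <!-- latest_release -->
 
-<!-- release_rollup since=2.1.21 -->
-### Changes since 2.1.21 release
+<!-- release_rollup since=2.1.30 -->
+### Changes since 2.1.30 release
 
-#### New Resources
-- New Skeletal Resource aws_route_tables [#2643](https://github.com/chef/inspec/pull/2643) ([dromazmj](https://github.com/dromazmj)) <!-- 2.1.30 -->
-- New Skeletal Resource aws_s3_buckets [#2653](https://github.com/chef/inspec/pull/2653) ([dromazmj](https://github.com/dromazmj)) <!-- 2.1.29 -->
-- New Resource: Chocolatey Package [#2793](https://github.com/chef/inspec/pull/2793) ([TheLonelyGhost](https://github.com/TheLonelyGhost)) <!-- 2.1.28 -->
+#### Enhancements
+- Add Cisco IOS `enable_password` support [#2905](https://github.com/chef/inspec/pull/2905) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.1.42 -->
+- Require a key attribute for the key_rsa resource [#2891](https://github.com/chef/inspec/pull/2891) ([omar-irizarry](https://github.com/omar-irizarry)) <!-- 2.1.41 -->
+- Ensure @params in shadow resource always has a valid value. [#2939](https://github.com/chef/inspec/pull/2939) ([miah](https://github.com/miah)) <!-- 2.1.39 -->
+- Add warning when returning DEFAULT_ATTRIBUTE [#2934](https://github.com/chef/inspec/pull/2934) ([TrevorBramble](https://github.com/TrevorBramble)) <!-- 2.1.35 -->
 
 #### Merged Pull Requests
-- Add automate reporter [#2902](https://github.com/chef/inspec/pull/2902) ([jquick](https://github.com/jquick)) <!-- 2.1.27 -->
-- Update example resource syntax [#2904](https://github.com/chef/inspec/pull/2904) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.1.26 -->
-- Added a description to steer people to correct resource [#2908](https://github.com/chef/inspec/pull/2908) ([username-is-already-taken2](https://github.com/username-is-already-taken2)) <!-- 2.1.24 -->
-- Wrong matcher name in example for aws_config_recorder [#2899](https://github.com/chef/inspec/pull/2899) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.23 -->
+- powershell resource: Add support line for Unix [#2952](https://github.com/chef/inspec/pull/2952) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 2.1.43 -->
+- Fixes configuration for Azure integrationt tests [#2941](https://github.com/chef/inspec/pull/2941) ([dmccown](https://github.com/dmccown)) <!-- 2.1.36 -->
+- Update filesystem.md.erb [#2909](https://github.com/chef/inspec/pull/2909) ([tlmikulski](https://github.com/tlmikulski)) <!-- 2.1.34 -->
 
-#### Enhancements
-- add systemd service for amazon linux 2 [#2901](https://github.com/chef/inspec/pull/2901) ([zakhark](https://github.com/zakhark)) <!-- 2.1.25 -->
-- Add AWS hardware MFA matcher [#2892](https://github.com/chef/inspec/pull/2892) ([pwelch](https://github.com/pwelch)) <!-- 2.1.22 -->
+#### New Features
+- Basic fields for aws_vpcs [#2930](https://github.com/chef/inspec/pull/2930) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.40 -->
+- Policy Statement Search capability for aws_iam_policy [#2918](https://github.com/chef/inspec/pull/2918) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.38 -->
+- New attribute JUnit reporter - target [#2839](https://github.com/chef/inspec/pull/2839) ([piotrgo](https://github.com/piotrgo)) <!-- 2.1.37 -->
+- AWS Security Group Rules properties and matchers [#2876](https://github.com/chef/inspec/pull/2876) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 2.1.33 -->
+- aws_cloudtrail_trail feature: test how many days ago logs were delivered [#2887](https://github.com/chef/inspec/pull/2887) ([dromazmj](https://github.com/dromazmj)) <!-- 2.1.32 -->
+- aws_iam_group feature: test users in an iam group [#2888](https://github.com/chef/inspec/pull/2888) ([dromazmj](https://github.com/dromazmj)) <!-- 2.1.31 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v2.1.30](https://github.com/chef/inspec/tree/v2.1.30) (2018-04-05)
+
+#### New Resources
+- New Resource: Chocolatey Package [#2793](https://github.com/chef/inspec/pull/2793) ([TheLonelyGhost](https://github.com/TheLonelyGhost))
+- New Skeletal Resource aws_s3_buckets [#2653](https://github.com/chef/inspec/pull/2653) ([dromazmj](https://github.com/dromazmj))
+- New Skeletal Resource aws_route_tables [#2643](https://github.com/chef/inspec/pull/2643) ([dromazmj](https://github.com/dromazmj))
+
+#### Enhancements
+- Add AWS hardware MFA matcher [#2892](https://github.com/chef/inspec/pull/2892) ([pwelch](https://github.com/pwelch))
+- add systemd service for amazon linux 2 [#2901](https://github.com/chef/inspec/pull/2901) ([zakhark](https://github.com/zakhark))
+
+#### Merged Pull Requests
+- Wrong matcher name in example for aws_config_recorder [#2899](https://github.com/chef/inspec/pull/2899) ([clintoncwolfe](https://github.com/clintoncwolfe))
+- Added a description to steer people to correct resource [#2908](https://github.com/chef/inspec/pull/2908) ([username-is-already-taken2](https://github.com/username-is-already-taken2))
+- Update example resource syntax [#2904](https://github.com/chef/inspec/pull/2904) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
+- Add automate reporter [#2902](https://github.com/chef/inspec/pull/2902) ([jquick](https://github.com/jquick))
+<!-- latest_stable_release -->
+
 ## [v2.1.21](https://github.com/chef/inspec/tree/v2.1.21) (2018-03-29)
 
 #### New Resources
@@ -47,7 +69,6 @@
 - Mitigate trivial warning output on test [#2872](https://github.com/chef/inspec/pull/2872) ([eramoto](https://github.com/eramoto))
 - Add `pry-byebug` to our Gemfile. [#2889](https://github.com/chef/inspec/pull/2889) ([miah](https://github.com/miah))
 - Pin to Train 1.3.0. [#2898](https://github.com/chef/inspec/pull/2898) ([jquick](https://github.com/jquick))
-<!-- latest_stable_release -->
 
 ## [v2.1.10](https://github.com/chef/inspec/tree/v2.1.10) (2018-03-22)
 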
data/Gemfile CHANGED
File without changes
data/LICENSE CHANGED
File without changes
data/MAINTAINERS.md CHANGED
File without changes
data/MAINTAINERS.toml CHANGED
File without changes
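--- a/data/README.md
+++ b/data/README.md
@@ -293,7 +293,7 @@ Remote Targets
 | Oracle Enterprise Linux | 5, 6, 7 | i386, x86_64 |
 | Red Hat Enterprise Linux | 5, 6, 7 | i386, x86_64 |
 | Solaris | 10, 11 | sparc, x86 |
-| Windows | 7, 8, 8.1, 10, 2008, 2008R2 , 2012, 2012R2, 2016 | x86, x86_64 |
+| Windows\* | 7, 8, 8.1, 10, 2008, 2008R2 , 2012, 2012R2, 2016 | x86, x86_64 |
 | Ubuntu Linux | | x86, x86_64 |
 | SUSE Linux Enterprise Server | 11, 12 | x86_64 |
 | Scientific Linux | 5.x, 6.x and 7.x | i386, x86_64 |
@@ -304,7 +304,7 @@ Remote Targets
 | Arch Linux | | x86_64 |
 | HP-UX | 11.31 | ia64 |
 
-*For Windows, PowerShell 3.0 or above is required.*
+\**For Windows, PowerShell 5.0 or above is required.*
 
 In addition, runtime support is provided for:
 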
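--- a/data/Rakefile
+++ b/data/Rakefile
@@ -162,7 +162,8 @@ namespace :test do
 sh("cd #{integration_dir}/build/ && terraform workspace new #{tf_workspace}")
 
 # Generate Azure crendentials
-creds = Train.create('azure').connection.connect
+connection = Train.create('azure').connection
+creds = connection.options
 
 # Determine the storage account name and the admin password
 sa_name = (0...15).map { (65 + rand(26)).chr }.join.downcase
@@ -208,7 +209,8 @@ namespace :test do
 abort("You must either call the top-level test:azure task, or set the INSPEC_TERRAFORM_ENV variable.") unless tf_workspace
 puts '----> Cleanup'
 
-creds = Train.create('azure').connection.connect
+connection = Train.create('azure').connection
+creds = connection.options
 
 cmd = ""
 cmd += "cd #{integration_dir}/build/ && terraform destroy -force "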
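Review bot: Both hunks add the same two lines (`connection = Train.create('azure').connection` followed by `creds = connection.options`) into two separate tasks, and the `connection` local is used only once in each, so this could collapse to `creds = Train.create('azure').connection.options` or, better, a single helper defined once in the `namespace :test` block that both tasks call. The unchanged context comment above the first hunk still reads `# Generate Azure crendentials` and could be corrected to `# Generate Azure credentials` while this code is being touched. From what is visible, `creds` now holds the connection's options hash rather than the result of `connect`; if those values (which presumably include the Azure client secret) are later interpolated into the `cmd` string handed to `sh`, they end up in the process command line and in Rake's echoed command, so passing them through the environment of the `sh` call would be safer — the later lines are outside the hunk, so I cannot confirm how `creds` is used. Both task bodies start and end outside the hunks.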
data/docs/.gitignore CHANGED
File without changes
data/docs/README.md CHANGED
File without changes
data/docs/dsl_inspec.md CHANGED
File without changes
data/docs/dsl_resource.md CHANGED
File without changes
data/docs/glossary.md CHANGED
File without changes
data/docs/habitat.md CHANGED
File without changes
File without changes
data/docs/matchers.md CHANGED
File without changes
data/docs/migration.md CHANGED
File without changes
data/docs/platforms.md CHANGED
File without changes
File without changes
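--- a/data/docs/profiles.md
+++ b/data/docs/profiles.md
@@ -46,6 +46,7 @@ Each profile must have an `inspec.yml` file that defines the following informati
 * Use `summary` to specify a one line summary for the profile.
 * Use `description` to specify a multiple line description of the profile.
 * Use `version` to specify the profile version.
+* Use `inspec_version` to place SemVer constraints on the version of InSpec that the profile can run under.
 * Use `supports` to specify a list of supported platform targets.
 * Use `depends` to define a list of profiles on which this profile depends.
 
@@ -64,6 +65,7 @@ Each profile must have an `inspec.yml` file that defines the following informati
 depends:
 - name: profile
 path: ../path/to/profile
+inspec_version: "~> 2.1"
 
 ## Verify Profiles
 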
data/docs/reporters.md CHANGED
File without changes
File without changes
File without changes
File without changes
File without changes
File without changes
File without changes
File without changes
@@ -108,6 +108,15 @@ Specifies the region in which the trail was created.
108
108
  describe aws_cloudtrail_trail('trail-name') do
109
109
  its('home_region') { should include "us-east-1" }
110
110
  end
111
+
112
+ ### delivered\_logs\_days\_ago
113
+
114
+ Specifies the number of days ago the CloudTrail delivered logs to CloudWatch Logs.
115
+
116
+ # Ensure the latest delivery time was recent
117
+ describe aws_cloudtrail_trail('trail-name') do
118
+ its('delivered_logs_days_ago') { should eq 0 }
119
+ end
111
120
 
112
121
  <br>
113
122
 
File without changes
@@ -17,7 +17,7 @@ An `aws_cloudwatch_alarm` resource block searches for a Cloudwatch Alarm, specif
17
17
 
18
18
  # Look for a specific alarm
19
19
  aws_cloudwatch_alarm(
20
- metric: 'my-metric-name',
20
+ metric_name: 'my-metric-name',
21
21
  metric_namespace: 'my-metric-namespace',
22
22
  ) do
23
23
  it { should exist }
File without changes
File without changes
File without changes
File without changes
File without changes
@@ -35,6 +35,18 @@ As this is the initial release of `aws_iam_group`, its limited functionality pre
35
35
 
36
36
  <br>
37
37
 
38
+ ## Properties
39
+
40
+ ### users
41
+
42
+ Provides a list of the users that are attached to the group
43
+
44
+ describe aws_iam_group('mygroup')
45
+ its('users') { should include 'iam_user_name' }
46
+ end
47
+
48
+ <br>
49
+
38
50
  ## Matchers
39
51
 
40
52
  ### exists
File without changes
File without changes
File without changes
@@ -5,9 +5,9 @@ platform: aws
5
5
 
6
6
  # aws\_iam\_policy
7
7
 
8
- Use the `aws_iam_policy` InSpec audit resource to test properties of a single managed AWS IAM Policy.
8
+ Use the `aws_iam_policy` InSpec audit resource to test properties of a single managed AWS IAM Policy. Use `aws_iam_policies` to audit IAM policies in bulk.
9
9
 
10
- A policy is an entity in AWS that, when attached to an identity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine if the request is allowed or denied.
10
+ A policy defines the permissions of an identity or resource within AWS. AWS evaluates these policies when a principal, such as a user, makes a request. Policy permissions, also called "policy statements" in AWS, determine if a request is authorized -- and allow or deny it accordingly.
11
11
 
12
12
  Each IAM Policy is uniquely identified by either its policy\_name or arn.
13
13
 
@@ -50,11 +50,22 @@ The following examples show how to use this InSpec audit resource.
50
50
  it { should be_attached }
51
51
  end
52
52
 
53
+ ### Examine the policy statements
54
+
55
+ describe aws_iam_policy('my-policy') do
56
+ # Verify that there is at least one statement allowing access to S3
57
+ it { should have_statement(Action: 's3:PutObject', Effect: 'allow') }
58
+
59
+ # have_statement does not expand wildcards. If you want to verify
60
+ # they are absent, an explicit check is required.
61
+ it { should_not have_statement(Action: 's3:*') }
62
+ end
63
+
53
64
  <br>
54
65
 
55
66
  ## Properties
56
67
 
57
- * `arn`, `attachment_count`, `attached_groups`, `attached_roles`,`attached_users`, `default_version_id`
68
+ * `arn`, `attachment_count`, `attached_groups`, `attached_roles`,`attached_users`, `default_version_id`, `policy`, `statement_count`
58
69
 
59
70
  ## Property Examples
60
71
 
@@ -106,10 +117,38 @@ The 'default_version_id' value of the specified policy.
106
117
  its('default_version_id') { should cmp "v1" }
107
118
  end
108
119
 
120
+ ### policy
121
+
122
+ This is a low-level, unsupported property.
123
+
124
+ Returns the default version of the policy document after decoding as a Ruby hash. This hash contains the policy statements and is useful for performing checks that cannot be expressed using higher-level matchers like `have_statement`.
125
+
126
+ For details regarding the contents of this structure, refer to the [AWS IAM Policy JSON Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html). A set of examples is [also available](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html).
127
+
128
+ Example:
129
+
130
+ # Fetch the policy structure as a Ruby object
131
+ policy_struct = aws_iam_policy('my-policy').policy
132
+ # Write a manually-constructed test to check that the policy
133
+ # has an IP constraint on the first statement
134
+ # ( Based on https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html )
135
+ describe 'Check that we are restricting IP access' do
136
+ subject { policy_struct['Statement'].first['Condition'] }
137
+ it { should include 'NotIpAddress' }
138
+ end
139
+
140
+ ### statement\_count
141
+
142
+ Returns the number of statements present in the `policy`.
143
+
144
+ # Make sure there are exactly two statements.
145
+ describe aws_iam_policy('my-policy') do
146
+ its('statement_count') { should cmp 2 }
147
+ end
109
148
 
110
149
  ## Matchers
111
150
 
112
- This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
151
+ This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
113
152
 
114
153
  ### be\_attached
115
154
 
@@ -142,3 +181,59 @@ The test will pass if the identified policy attached the specified role.
142
181
  describe aws_iam_policy('AWSSupportAccess') do
143
182
  it { should be_attached_to_role(ROLENAME) }
144
183
  end
184
+
185
+ ### have\_statement
186
+
187
+ Examines the list of statements contained in the policy and passes if at least one of the statements matches. This matcher does _not_ interpret the policy in a request authorization context, as AWS does when a request processed. Rather, `have_statement` examines the literal contents of the IAM policy, and reports on what is present (or absent, when used with `should_not`).
188
+
189
+ `have_statement` accepts the following criteria to search for matching statements. If any statement matches all the criteria, the test is successful.
190
+
191
+ * `Action` - Expresses the requested operation. Acceptable literal values are any AWS operation name, including the '*' wildcard character. `Action` may also use a list of AWS operation names.
192
+ * `Effect` - Expresses if the operation is permitted. Acceptable values are 'Deny' and 'Allow'.
193
+ * `Sid` - A user-provided string identifier for the statement.
194
+ * `Resource` - Expresses the operation's target. Acceptable values are ARNs, including the '*' wildcard. `Resource` may also use a list of ARN values.
195
+
196
+ Please note the following about the behavior of `have_statement`:
197
+ * `Action`, `Sid`, and `Resource` allow using a regular expression as the search critera instead of a string literal.
198
+ * it does not support wildcard expansion; to check for a wildcard value, check for it explicitly. For example, if the policy includes a statement with `"Action": "s3:*"` and the test checks for `Action: "s3:PutObject"`, the test _will not match_. You must write an additional test checking for the wildcard case.
199
+ * it supports searching list values. For example, if a statement contains a list of 3 resources, and a `have_statement` test specifes _one_ of those resources, it will match.
200
+ * `Action` and `Resource` allow using a list of string literals or regular expressions in a test, in which case _all_ must match on the _same_ statement for the test to match. Order is ignored.
201
+ * it does not support the `Principal` or `Conditional` key, or any of `NotAction`, `NotPrincipal`, or `NotResource`.
202
+
203
+ Examples:
204
+
205
+ # Verify there is no full-admin statement
206
+ describe aws_iam_policy('kryptonite') do
207
+ it { should_not have_statement(Effect: 'Allow', Resource: '*', Action: '*')}
208
+ end
209
+
210
+ # Verify bob is allowed to manage things on S3 buckets that start with bobs-stuff
211
+ describe aws_iam_policy('bob-is-a-packrat') do
212
+ it { should have_statement(Effect: 'Allow',
213
+ # Using the AWS wildcard - this must match exactly
214
+ Resource: 'arn:aws:s3:::bobs-stuff*',
215
+ # Specify a list of actions - all must match, no others, order isn't important
216
+ Action: ['s3:PutObject', 's3:GetObject', 's3:DeleteObject'])}
217
+
218
+ # Bob would make new buckets constantly if we let him.
219
+ it { should_not have_statement(Effect: 'Allow', Action: 's3:CreateBucket')}
220
+ it { should_not have_statement(Effect: 'Allow', Action: 's3:*')}
221
+ it { should_not have_statement(Effect: 'Allow', Action: '*')}
222
+
223
+ # An alternative to checking for wildcards is to specify the
224
+ # statements you expect, then restrict statement count
225
+ its('statement_count') { should cmp 1 }
226
+ end
227
+
228
+ # Use regular expressions to examine the policy
229
+ describe aws_iam_policy('regex-demo') do
230
+ # Check to see if anything mentions RDS at all.
231
+ # This catches `rds:CreateDBinstance` and `rds:*`, but would not catch '*'.
232
+ it { should_not have_statement(Action: /^rds:.+$/)}
233
+
234
+ # This policy should refer to both sally and kim's s3 buckets.
235
+ # This will only match if there is a statement that refers to both resources.
236
+ it { should have_statement(Resource: [/arn:aws:s3.+:sally/, /arn:aws:s3.+:kim/]) }
237
+ # The following also matches on a statement mentioning only one of them
238
+ it { should have_statement(Resource: /arn:aws:s3.+:(sally|kim)/) }
239
+ end
File without changes
@@ -15,10 +15,10 @@ To test properties of a specific AWS user use the `aws_iam_user` resource.
15
15
 
16
16
  ## Syntax
17
17
 
18
- An `aws_iam_root_user` resource block requires no parameters but has several matchers
18
+ An `aws_iam_root_user` resource block requires no parameters but has several matchers.
19
19
 
20
20
  describe aws_iam_root_user do
21
- its { should have_mfa_enabled }
21
+ it { should have_mfa_enabled }
22
22
  end
23
23
 
24
24
  <br>
File without changes
File without changes
File without changes
File without changes
File without changes
File without changes