Merge branch 'descriptions' of https://github.com/mitre/inspec into descriptions

This commit is contained in:
Amndeep Singh Mann 2022-02-22 23:43:15 -05:00
commit 042d586ce4
132 changed files with 1798 additions and 843 deletions

View file

@ -13,7 +13,7 @@ $(cat release-notes.md)
---
## Get the Build
You can download binaries directly from [downloads.chef.io](https://downloads.chef.io/$EXPEDITOR_PRODUCT_KEY/$EXPEDITOR_VERSION).
You can download binaries directly from [Chef Downloads](https://www.chef.io/downloads/tools/$EXPEDITOR_PRODUCT_KEY?v=$EXPEDITOR_VERSION).
EOH
)

View file

@ -27,8 +27,7 @@ builder-to-testers-map:
- el-8-aarch64
el-8-x86_64:
- el-8-x86_64
mac_os_x-10.14-x86_64:
- mac_os_x-10.14-x86_64
mac_os_x-10.15-x86_64:
- mac_os_x-10.15-x86_64
- mac_os_x-11-x86_64
- mac_os_x-12-x86_64

View file

@ -17,14 +17,6 @@ steps:
docker:
image: ruby:2.6
- label: run-tests-ruby-2.5
command:
- /workdir/.expeditor/buildkite/verify.sh
expeditor:
executor:
docker:
image: ruby:2.5
- label: run-tests-ruby-2.6
command:
- /workdir/.expeditor/buildkite/verify.sh

View file

@ -5,7 +5,7 @@ AllCops:
- 'test/fixtures/profiles/**/*.rb'
- 'test/fixtures/config_dirs/**/*.rb'
- 'lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/**/*'
- 'examples/**/controls/*.rb'
- 'examples/**/*.rb'
- 'vendor/bundle/**/*'
Layout/ArgumentAlignment:
EnforcedStyle: with_first_argument
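Review bot: the exclude pattern widens from `examples/**/controls/*.rb` to `examples/**/*.rb`, so any `libraries/*.rb` custom resources under the example profiles stop being linted as well; please confirm that is intended, given the changelog in this same commit carries "Apply cookstyle to the example profile" (#5680). If only the controls were meant to be skipped, keep the narrower pattern.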

View file

@ -1,32 +1,75 @@
# Change Log
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
<!-- latest_release 4.50.14 -->
## [v4.50.14](https://github.com/inspec/inspec/tree/v4.50.14) (2021-11-24)
<!-- latest_release 4.55.9 -->
## [v4.55.9](https://github.com/inspec/inspec/tree/v4.55.9) (2022-02-01)
#### Merged Pull Requests
- Bump kitchen-vagrant from 1.10.0 to 1.11.0 in /omnibus [#5740](https://github.com/inspec/inspec/pull/5740) ([dependabot[bot]](https://github.com/dependabot[bot]))
- CFINSPEC-15 Allows inheritance of core resource into the custom resource. [#5816](https://github.com/inspec/inspec/pull/5816) ([Vasu1105](https://github.com/Vasu1105))
<!-- latest_release -->
<!-- release_rollup since=4.50.3 -->
### Changes since 4.50.3 release
<!-- release_rollup since=4.52.9 -->
### Changes since 4.52.9 release
#### Bug Fixes
- Fix ibmdb2_session resource : Added double quotes around the IBM db2 query [#5742](https://github.com/inspec/inspec/pull/5742) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.50.13 -->
#### New Features
- Adds user_permissions property and be_inherited matcher to the file resource for Windows. [#5775](https://github.com/inspec/inspec/pull/5775) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.55.0 -->
- Adds user_permissions property and be_inherited matcher to the registry_key resource [#5778](https://github.com/inspec/inspec/pull/5778) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.54.0 -->
- Added Timezone Resource [#5758](https://github.com/inspec/inspec/pull/5758) ([Nik08](https://github.com/Nik08)) <!-- 4.53.0 -->
#### Merged Pull Requests
- Bump kitchen-vagrant from 1.10.0 to 1.11.0 in /omnibus [#5740](https://github.com/inspec/inspec/pull/5740) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.50.14 -->
- Fixes some minor docs formatting problems [#5739](https://github.com/inspec/inspec/pull/5739) ([IanMadd](https://github.com/IanMadd)) <!-- 4.50.12 -->
- Bump test-kitchen from 3.1.0 to 3.2.0 in /omnibus [#5737](https://github.com/inspec/inspec/pull/5737) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.50.11 -->
- Bump omnibus from `37897ad` to `2c309fa` in /omnibus [#5736](https://github.com/inspec/inspec/pull/5736) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.50.10 -->
- Bump omnibus-software from `24f508c` to `7501e20` in /omnibus [#5735](https://github.com/inspec/inspec/pull/5735) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.50.9 -->
- Fix FreeBSD service enabled check substring edge-case [#5606](https://github.com/inspec/inspec/pull/5606) ([zofrex](https://github.com/zofrex)) <!-- 4.50.8 -->
- Fix docs to make property listing in the website docs more useful. [#5677](https://github.com/inspec/inspec/pull/5677) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.50.7 -->
- Remove the instance_eval and eval_gemfile calls in omnibus [#5733](https://github.com/inspec/inspec/pull/5733) ([tas50](https://github.com/tas50)) <!-- 4.50.6 -->
- Update dsl_inspec.md [#5721](https://github.com/inspec/inspec/pull/5721) ([paulcalabro](https://github.com/paulcalabro)) <!-- 4.50.5 -->
- Fix typos and improve code highlighting in docs [#5692](https://github.com/inspec/inspec/pull/5692) ([tas50](https://github.com/tas50)) <!-- 4.50.4 -->
- CFINSPEC-15 Allows inheritance of core resource into the custom resource. [#5816](https://github.com/inspec/inspec/pull/5816) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.55.9 -->
- CFINSPEC-5 Added more detailed description about waivers expiration date. [#5806](https://github.com/inspec/inspec/pull/5806) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.55.8 -->
- CFINSPEC-4 Fix in grub_conf resource to capture non indented grub conf values [#5810](https://github.com/inspec/inspec/pull/5810) ([Nik08](https://github.com/Nik08)) <!-- 4.55.7 -->
- Bump ffi from 1.15.4 to 1.15.5 in /omnibus [#5791](https://github.com/inspec/inspec/pull/5791) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.55.6 -->
- Bump omnibus-software from `c2fb9a4` to `b646bed` in /omnibus [#5808](https://github.com/inspec/inspec/pull/5808) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.55.5 -->
- IP Table resource: Added option to ignore rule comments [#5777](https://github.com/inspec/inspec/pull/5777) ([Nik08](https://github.com/Nik08)) <!-- 4.55.4 -->
- Fix for dependent profiles to run with --insecure [#5799](https://github.com/inspec/inspec/pull/5799) ([Nik08](https://github.com/Nik08)) <!-- 4.55.3 -->
- Bump omnibus-software from `94ef29b` to `c2fb9a4` in /omnibus [#5804](https://github.com/inspec/inspec/pull/5804) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.55.2 -->
- Latest package version fetching regex fix - Package resource [#5797](https://github.com/inspec/inspec/pull/5797) ([Nik08](https://github.com/Nik08)) <!-- 4.55.1 -->
- Check for latest - package resource [#5771](https://github.com/inspec/inspec/pull/5771) ([Nik08](https://github.com/Nik08)) <!-- 4.52.17 -->
- Mssql session fix : Parsing multiline results [#5776](https://github.com/inspec/inspec/pull/5776) ([Nik08](https://github.com/Nik08)) <!-- 4.52.16 -->
- Fix broken link in README. Obvious fix. [#5772](https://github.com/inspec/inspec/pull/5772) ([guyzyl](https://github.com/guyzyl)) <!-- 4.52.15 -->
- Fix downloads links [#5773](https://github.com/inspec/inspec/pull/5773) ([IanMadd](https://github.com/IanMadd)) <!-- 4.52.14 -->
- Remove support for EOL Ruby 2.5 [#5783](https://github.com/inspec/inspec/pull/5783) ([tas50](https://github.com/tas50)) <!-- 4.52.13 -->
- Bump omnibus-software from `d2525ab` to `94ef29b` in /omnibus [#5788](https://github.com/inspec/inspec/pull/5788) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.52.12 -->
- Adds esx platform support for bash resource [#5785](https://github.com/inspec/inspec/pull/5785) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.52.11 -->
- Bump Hugo to 0.91.2 [#5780](https://github.com/inspec/inspec/pull/5780) ([IanMadd](https://github.com/IanMadd)) <!-- 4.52.10 -->
<!-- release_rollup -->
<!-- latest_stable_release -->
## [v4.52.9](https://github.com/inspec/inspec/tree/v4.52.9) (2021-12-20)
#### New Features
- Target support for Alpine Linux [#5744](https://github.com/inspec/inspec/pull/5744) ([Nik08](https://github.com/Nik08))
- Implemented CLI option for executing private supermarket profiles [#5749](https://github.com/inspec/inspec/pull/5749) ([Nik08](https://github.com/Nik08))
#### Bug Fixes
- Fix ibmdb2_session resource : Added double quotes around the IBM db2 query [#5742](https://github.com/inspec/inspec/pull/5742) ([Vasu1105](https://github.com/Vasu1105))
#### Merged Pull Requests
- Fix typos and improve code highlighting in docs [#5692](https://github.com/inspec/inspec/pull/5692) ([tas50](https://github.com/tas50))
- Update dsl_inspec.md [#5721](https://github.com/inspec/inspec/pull/5721) ([paulcalabro](https://github.com/paulcalabro))
- Remove the instance_eval and eval_gemfile calls in omnibus [#5733](https://github.com/inspec/inspec/pull/5733) ([tas50](https://github.com/tas50))
- Fix docs to make property listing in the website docs more useful. [#5677](https://github.com/inspec/inspec/pull/5677) ([Vasu1105](https://github.com/Vasu1105))
- Fix FreeBSD service enabled check substring edge-case [#5606](https://github.com/inspec/inspec/pull/5606) ([zofrex](https://github.com/zofrex))
- Bump omnibus-software from `24f508c` to `7501e20` in /omnibus [#5735](https://github.com/inspec/inspec/pull/5735) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Bump omnibus from `37897ad` to `2c309fa` in /omnibus [#5736](https://github.com/inspec/inspec/pull/5736) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Bump test-kitchen from 3.1.0 to 3.2.0 in /omnibus [#5737](https://github.com/inspec/inspec/pull/5737) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Fixes some minor docs formatting problems [#5739](https://github.com/inspec/inspec/pull/5739) ([IanMadd](https://github.com/IanMadd))
- Bump kitchen-vagrant from 1.10.0 to 1.11.0 in /omnibus [#5740](https://github.com/inspec/inspec/pull/5740) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Bump omnibus-software from `7501e20` to `8560231` in /omnibus [#5752](https://github.com/inspec/inspec/pull/5752) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Stop producing packages for macOS 10.14 [#5716](https://github.com/inspec/inspec/pull/5716) ([tas50](https://github.com/tas50))
- Bump test-kitchen from 3.2.0 to 3.2.2 in /omnibus [#5755](https://github.com/inspec/inspec/pull/5755) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Oracle session fix when nil in query output [#5717](https://github.com/inspec/inspec/pull/5717) ([Nik08](https://github.com/Nik08))
- Fix docs to make property listing in the website docs more useful. [#5746](https://github.com/inspec/inspec/pull/5746) ([Vasu1105](https://github.com/Vasu1105))
- Fix a bunch of docs formatting problems [#5763](https://github.com/inspec/inspec/pull/5763) ([IanMadd](https://github.com/IanMadd))
- Fix: Alpine packages list command to only list installed packages [#5765](https://github.com/inspec/inspec/pull/5765) ([Nik08](https://github.com/Nik08))
- Bump omnibus-software from `8560231` to `d2525ab` in /omnibus [#5767](https://github.com/inspec/inspec/pull/5767) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Bump omnibus from `2c309fa` to `2bf77bb` in /omnibus [#5764](https://github.com/inspec/inspec/pull/5764) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Active support version fix for ruby versions less then 2.7 [#5770](https://github.com/inspec/inspec/pull/5770) ([Nik08](https://github.com/Nik08))
- Apply cookstyle to the example profile [#5680](https://github.com/inspec/inspec/pull/5680) ([tas50](https://github.com/tas50))
- Adds tls1.3 support in ssl resource. [#5762](https://github.com/inspec/inspec/pull/5762) ([Vasu1105](https://github.com/Vasu1105))
<!-- latest_stable_release -->
## [v4.50.3](https://github.com/inspec/inspec/tree/v4.50.3) (2021-11-19)
#### New Features
@ -40,7 +83,6 @@
- Disable CookStyle integration on Windows [#5724](https://github.com/inspec/inspec/pull/5724) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Move rake and cookstyle deps out of inspec core gemspec [#5732](https://github.com/inspec/inspec/pull/5732) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Remove license note + update resource count in main docs page [#5639](https://github.com/inspec/inspec/pull/5639) ([tas50](https://github.com/tas50))
<!-- latest_stable_release -->
## [v4.49.0](https://github.com/inspec/inspec/tree/v4.49.0) (2021-10-27)

View file

@ -132,7 +132,7 @@ Date: Wed Sep 18 11:44:40 2015 -0700
### Release Formats
Our primary shipping vehicle is operating system specific packages that includes all the requirements of InSpec. We call these Omnibus packages, and they are available from [downloads.chef.io](https://downloads.chef.io/inspec). InSpec is also bundled with recent Chef Infra Client and Chef Workstation toolkits.
Our primary shipping vehicle is operating system specific packages that includes all the requirements of InSpec. We call these Omnibus packages, and they are available from [Chef Downloads](https://www.chef.io/downloads/tools/inspec). InSpec is also bundled with recent Chef Infra Client and Chef Workstation toolkits.
InSpec is also available as a [Docker image](https://hub.docker.com/r/chef/inspec) and a [Habitat package](https://bldr.habitat.sh/#/pkgs/chef/inspec/latest).

View file

@ -1,7 +1,7 @@
FROM ubuntu:18.04
LABEL maintainer="Chef Software, Inc. <docker@chef.io>"
ARG VERSION=4.50.3
ARG VERSION=4.52.9
ARG CHANNEL=stable
ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
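Review bot: `ARG VERSION` moves to 4.52.9 while the `VERSION` file in this same commit reads 4.55.9. With `CHANNEL=stable` that is presumably the latest promoted stable build rather than the current development version, but a short comment above the `ARG` saying so would stop the next person from "fixing" the mismatch.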

15
Gemfile
View file

@ -11,11 +11,6 @@ gem "inspec-bin", path: "./inspec-bin"
gem "ffi", ">= 1.9.14", "!= 1.13.0", "!= 1.14.2"
if Gem.ruby_version.to_s.start_with?("2.5")
# 16.7.23 required ruby 2.6+
gem "chef-utils", "< 16.7.23" # TODO: remove when we drop ruby 2.5
end
# inspec tests depend text output that changed in the 3.10 release
# but our runtime dep is still 3.9+
gem "rspec", ">= 3.10"
@ -30,11 +25,7 @@ end
group :test do
gem "chefstyle", "~> 2.0.3"
gem "concurrent-ruby", "~> 1.0"
if Gem.ruby_version.to_s.start_with?("2.5")
gem "html-proofer", "= 3.19.1" , platforms: :ruby # do not attempt to run proofer on windows
else
gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
end
gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
gem "json_schemer", ">= 0.2.1", "< 0.2.19"
gem "m"
gem "minitest-sprint", "~> 1.0"
@ -66,3 +57,7 @@ if Gem.ruby_version >= Gem::Version.new("2.7.0")
gem "git"
end
end
if Gem.ruby_version < Gem::Version.new("2.7.0")
gem "activesupport", "6.1.4.4"
end
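Review bot: `gem "activesupport", "6.1.4.4"` is an exact pin, so Ruby 2.6 installs will not pick up later 6.1.x patch releases, security fixes included, without another manual Gemfile edit. If the intent is only to stay off ActiveSupport 7.x (which requires Ruby 2.7), `gem "activesupport", "~> 6.1.4"` or `"< 7"` expresses that while still allowing patch updates.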

View file

@ -55,18 +55,13 @@ inspec exec test.rb -t docker://container_id
## Installation
Chef InSpec requires Ruby ( >= 2.6 ). Ruby 2.5 support is limited and requires Bundler with an entry in the Gemfile:
```
# 16.7.23 required ruby 2.6+
gem "chef-utils", "< 16.7.23"
```
Chef InSpec requires Ruby ( >= 2.6 ).
Note: Versions of Chef InSpec 4.0 and later require accepting the EULA to use. Please visit the [license acceptance page](https://docs.chef.io/chef_license_accept.html) on the Chef docs site for more information.
### Install as package
The Chef InSpec package is available for MacOS, RedHat, Ubuntu and Windows. Download the latest package at [Chef InSpec Downloads](https://downloads.chef.io/inspec) or install Chef InSpec via script:
The Chef InSpec package is available for MacOS, RedHat, Ubuntu and Windows. Download the latest package at [Chef InSpec Downloads](https://www.chef.io/downloads/tools/inspec) or install Chef InSpec via script:
```
# RedHat, Ubuntu, and macOS
@ -142,7 +137,7 @@ Finished in 0.04321 seconds (files took 0.54917 seconds to load)
### Install it from source
Note that installing from OS packages from [the download page](https://downloads.chef.io) is the preferred method.
Note that installing from OS packages from [the download page](https://www.chef.io/downloads/tools/inspec) is the preferred method.
That requires [bundler](http://bundler.io/):
@ -322,6 +317,7 @@ Remote Targets
| Gentoo Linux | | x86_64 |
| Arch Linux | | x86_64 |
| HP-UX | 11.31 | ia64 |
| Alpine Linux | | x86_64 |
\**For Windows, PowerShell 5.0 or above is required.*

View file

@ -1 +1 @@
4.50.14
4.55.9

View file

@ -42,7 +42,7 @@ This subcommand has the following additional options:
* ``--tar``, ``--no-tar``
Generates a tar.gz archive.
* ``--vendor-cache=VENDOR_CACHE``
Use the given path for caching dependencies, (default: ~/.inspec/cache).
Use the given path for caching dependencies, (default: `~/.inspec/cache`).
* ``--zip``, ``--no-zip``
Generates a zip archive.
@ -79,7 +79,7 @@ This subcommand has the following additional options:
* ``--profiles-path=PROFILES_PATH``
Folder which contains referenced profiles.
* ``--vendor-cache=VENDOR_CACHE``
Use the given path for caching dependencies, (default: ~/.inspec/cache).
Use the given path for caching dependencies, (default: `~/.inspec/cache`).
## detect
@ -178,7 +178,7 @@ Run all test files at the specified locations.
The subcommand loads the given profiles, fetches their dependencies if needed, then connects to the target and executes any controls contained in the profiles. One or more reporters are used to generate the output.
``` ruby
```ruby
exit codes:
0 normal exit, all tests passed
1 usage or general error
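Review bot: the block that follows `exit codes:` is plain text (a numbered list of exit statuses), not Ruby, so normalising the fence to ```ruby keeps a misleading tag; tag it `text` instead.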
@ -193,67 +193,71 @@ Below are some examples of using `exec` with different test locations:
Chef Automate:
``` ruby
```ruby
inspec automate login
inspec exec compliance://username/linux-baseline
```
`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way:
``` ruby
```ruby
inspec compliance login
```
Chef Supermarket:
``` ruby
```ruby
inspec exec supermarket://username/linux-baseline
inspec exec supermarket://username/linux-baseline --supermarket_url="https://privatesupermarket.example.com"
```
Local profile (executes all tests in `controls/`):
``` ruby
```ruby
inspec exec /path/to/profile
```
Local single test (doesn't allow inputs or custom resources):
``` ruby
```ruby
inspec exec /path/to/a_test.rb
```
Git via SSH:
``` ruby
```ruby
inspec exec git@github.com:dev-sec/linux-baseline.git
```
Git via HTTPS (.git suffix is required):
``` ruby
```ruby
inspec exec https://github.com/dev-sec/linux-baseline.git
```
Private Git via HTTPS (.git suffix is required):
``` ruby
```ruby
inspec exec https://api_token@github.com/dev-sec/linux-baseline.git
```
Private Git via HTTPS and cached credentials (.git suffix is required):
```
```bash
git config credential.helper cache
git ls-remote https://github.com/dev-sec/linux-baseline.git
inspec exec https://github.com/dev-sec/linux-baseline.git
```
Web-hosted file (also supports .zip):
```
```bash
inspec exec https://webserver/linux-baseline.tar.gz
```
Web-hosted file with basic authentication (supports .zip):
```
```bash
inspec exec https://username:password@webserver/linux-baseline.tar.gz
```
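Review bot: the `inspec exec ...` invocations in the first half of this hunk (Chef Automate through Private Git via HTTPS) are shell commands but stay tagged `ruby`, while the later ones in the same hunk are tagged `bash`; make them all `bash`. Separately, the two examples that embed credentials in the URL (`https://api_token@github.com/...` and `https://username:password@webserver/...`) would benefit from one sentence noting that such credentials land in shell history and process listings, and that the cached-credentials variant shown just below (`git config credential.helper cache`) avoids that.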
@ -339,6 +343,8 @@ This subcommand has the following additional options:
Show progress while executing tests.
* ``--silence-deprecations=all|GROUP GROUP...``
Suppress deprecation warnings. See install_dir/etc/deprecations.json for list of GROUPs or use 'all'.
* ``--ssh-config-file=one two three``
A list of paths to the SSH configuration file, for example: `~/.ssh/config` or `/etc/ssh/ssh_config`.
* ``--ssl``, ``--no-ssl``
Use SSL for transport layer encryption (WinRM).
* ``--sudo``, ``--no-sudo``
@ -358,7 +364,7 @@ This subcommand has the following additional options:
* ``--user=USER``
The login user for a remote scan.
* ``--vendor-cache=VENDOR_CACHE``
Use the given path for caching dependencies. (default: ~/.inspec/cache).
Use the given path for caching dependencies. (default: `~/.inspec/cache`).
* ``--waiver-file=one two three``
Load one or more waiver files.
* ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only``
@ -429,7 +435,7 @@ This subcommand has the following additional options:
* ``--tags=one two three``
A list of tags that reference certain controls. Other controls are ignored.
* ``--vendor-cache=VENDOR_CACHE``
Use the given path for caching dependencies. (default: ~/.inspec/cache).
Use the given path for caching dependencies. (default: `~/.inspec/cache`).
## nothing
@ -531,6 +537,8 @@ This subcommand has the following additional options:
Specify a particular shell to use.
* ``--shell-options=SHELL_OPTIONS``
Additional shell options.
* ``--ssh-config-file=one two three``
A list of paths to the SSH configuration file, for example: `~/.ssh/config` or `/etc/ssh/ssh_config`.
* ``--ssl``, ``--no-ssl``
Use SSL for transport layer encryption (WinRM).
* ``--sudo``, ``--no-sudo``
@ -566,6 +574,14 @@ This subcommand has the following syntax:
inspec supermarket SUBCOMMAND ...
```
### Options
This subcommand has additional options:
* ``--supermarket_url``
Specify the URL of a private Chef Supermarket.
## vendor
Download all dependencies and generate a lockfile in a `vendor` directory.

View file

@ -52,7 +52,7 @@ The following attributes can be configured:
The following methods are available to the resource:
- inspec - Contains a registry of all other resources to interact with the operating system or target in general.
- skip\_resource - A resource may call this method to indicate that requirements aren't met. All tests that use this resource will be marked as skipped.
- skip_resource - A resource may call this method to indicate that requirements aren't met. All tests that use this resource will be marked as skipped.
The following example shows a full resource using attributes and methods
to provide simple access to a configuration file:

View file

@ -74,11 +74,11 @@ _should\_not_ indicates this is a negated test. So, this test passes if the matc
### Plural Resource Example
```ruby
describe cars.where(color: /^b/) do
it { should exist }
its('manufacturers') { should include 'Cadillac' }
its('count') { should be >= 10 }
end
describe cars.where(color: /^b/) do
it { should exist }
its('manufacturers') { should include 'Cadillac' }
its('count') { should be >= 10 }
end
```
#### describe _cars_.where(color: /^b/) do
@ -280,9 +280,9 @@ An operator matcher allows you to use operators to compare numerical [expected r
For example:
```ruby
describe cars do
its('count') { should be >= 10 }
end
describe cars do
its('count') { should be >= 10 }
end
```
Operators include:

View file

@ -51,7 +51,7 @@ HAB_INSPEC_PROFILE_FRONTEND1="interval = 60" hab start effortless/audit-baseline
The Chef Habitat Supervisor will display output like this:
```text
```bash
hab start effortless/audit-baseline
∵ Missing package for core/hab-sup/0.17.0
» Installing core/hab-sup/0.17.0
@ -85,7 +85,7 @@ The above sample output shows the supervisor starting, downloading the necessary
Chef InSpec will write a JSON file in the `${svc_var_path}/inspec_results` directory containing the results of the last Chef InSpec run. For example, for the `effortless/audit-baseline` package, the Chef InSpec results will be at:
```text
```
/hab/svc/inspec-profile-frontend1/var/inspec_results/inspec-profile-frontend1.json
```
@ -103,13 +103,13 @@ distributed to a host and installed via `hab pkg install`.
The package file will be named:
```text
```
HABITAT_ORIGIN-inspec-profile-PROFILE_NAME-PROFILE_VERSION-BUILD_ID-x86_64-linux.hart
```
For example:
```text
```
adamleff-inspec-profile-frontend1-0.1.0-20170328173005-x86_64-linux.hart
```
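Review bot: the two fences in this hunk (the `.hart` file name pattern and its example) go from ```text to an untagged fence, which is the opposite direction from the rest of this commit, which adds language tags everywhere else; keep `text` on both, and the same applies to the results-path fence in the previous hunk.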
@ -127,7 +127,7 @@ inspec habitat profile create ~/profiles/frontend1
#### Example Output
```text
```bash
$ habitat profile create ~/profiles/frontend1
[2017-03-28T13:29:32-04:00] INFO: Creating a Habitat artifact for profile: /Users/aleff/profiles/frontend1
[2017-03-28T13:29:32-04:00] INFO: Checking to see if Habitat is installed...
@ -206,7 +206,7 @@ inspec habitat profile upload ~/profiles/frontend1
#### Example Output
```text
```bash
[2017-03-28T13:29:32-04:00] INFO: Creating a Habitat artifact for profile: /Users/aleff/profiles/frontend1
[2017-03-28T13:29:32-04:00] INFO: Checking to see if Habitat is installed...
[2017-03-28T13:29:32-04:00] INFO: Copying profile contents to the work directory...

View file

@ -47,7 +47,7 @@ end
When the above profile is executed by using `inspec exec rock_critic`, you would see something like:
```
```bash
× Big Rock Show: 10
× 10 is expected to cmp == 11
@ -62,7 +62,7 @@ That result clearly won't do. Let's override the input's default value.
We can now run that profile with `inspec exec rock_critic --input amplifier_max_volume=11`:
```
```bash
✔ Big Rock Show: 11
✔ 11 is expected to cmp == 11
@ -132,6 +132,7 @@ inputs:
```
To set a priority in DSL, use:
```ruby
input('also_important', value: 42, priority: 45)
```
@ -250,7 +251,6 @@ code to find the inputs.
When your profile relies on another profile using the `depends` key in the metadata file, you can set — that is, override — the value of the input in the dependent profile by including the `profile` option and naming the dependent profile.
```yaml
# child inspec.yml
name: child

View file

@ -16,7 +16,7 @@ Users can choose between operating systems of MacOS, Windows, and Linux for Chef
## Install Chef InSpec
You can download the latest Chef InSpec package relevant to your operating system
at [our Downloads Page](https://downloads.chef.io/inspec).
at [our Downloads Page](https://www.chef.io/downloads/tools/inspec).
Alternatively, Chef InSpec can be installed via installer, script, or package
manager, according to your operating system and method as listed below.
@ -28,7 +28,7 @@ manager, according to your operating system and method as listed below.
Chef InSpec is available as a standalone [Homebrew](https://brew.sh/) package.
Run the following command in your terminal to install Chef InSpec:
```
```bash
brew install chef/chef/inspec
```
@ -39,7 +39,7 @@ password for installation to complete.
You can download Chef InSpec via curl script:
```
```bash
curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
```
@ -47,7 +47,7 @@ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
#### Installer
Once you downloaded the latest [Chef InSpec package](https://downloads.chef.io/inspec)
Once you downloaded the latest [Chef InSpec package](https://www.chef.io/downloads/tools/inspec)
relevant to your Microsoft version, double-click the `.msi` file to launch the
installer and follow the prompts.
@ -68,31 +68,31 @@ was successful.
The following curl script will install Chef InSpec for Ubuntu and Red Hat Enterprise Linux:
```
```bash
curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
```
If you prefer, you can use a package manager to install Chef InSpec.
Once you downloaded the latest [Chef InSpec package](https://downloads.chef.io/inspec)
Once you downloaded the latest [Chef InSpec package](https://www.chef.io/downloads/tools/inspec)
relevant to your Linux-based platform, use the command for the respective package
manager listed below. Replace the example file path with the file path leading to
your downloaded package.
For Ubuntu, use the following command to install Chef InSpec:
```
```bash
sudo dpkg -i /path/to/inspec.deb
```
For Red Hat Enterprise Linux, use the following command to install Chef InSpec:
```
```bash
sudo rpm -U /path-to/inspec.rpm
```
For SUSE Linux Enterprise Server, use the following command to install Chef InSpec:
```
```bash
sudo zypper install /path-to/inspec.rpm
```
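Review bot: `curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec` runs a remote script as root with no chance to inspect it; since this hunk is already touching that block, it would be worth adding the two-step form (download `install.sh`, review it, then run it with `sudo bash install.sh -P inspec`) as the recommended variant, with the package-manager installs below as the alternative.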
@ -108,7 +108,7 @@ method of Chef InSpec installation.
Use the following *destructive* command to remove the Chef InSpec standalone Homebrew package:
```
```bash
brew cask uninstall inspec
```
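Review bot: `brew cask uninstall inspec` is kept unchanged, but current Homebrew has removed the `brew cask` subcommand; `brew uninstall --cask inspec` is the form that works today, so this line should be updated alongside the fence tag.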
@ -116,7 +116,7 @@ brew cask uninstall inspec
Use the following *destructive* command in your terminal to remove the Chef InSpec package:
```
```bash
sudo rm -rf /opt/inspec
```
@ -135,18 +135,18 @@ for their package manager are listed below.
For Ubuntu, use the following *destructive* command to uninstall:
```
```bash
sudo dpkg -P inspec
```
For Red Hat Enterprise Linux, use the following *destructive* command to uninstall:
```
```bash
sudo rpm -e inspec
```
For SUSE Linux Enterprise Server, use the following *destructive* command to uninstall Chef InSpec:
```
```bash
sudo zypper remove inspec
```

View file

@ -60,7 +60,7 @@ end
`cmp` behaves in the following way:
* Compare strings to numbers
- Compare strings to numbers
```ruby
describe sshd_config do
@ -73,7 +73,7 @@ describe sshd_config do
end
```
* String comparisons are not case-sensitive
- String comparisons are not case-sensitive
```ruby
describe auditd_conf do
@ -82,7 +82,7 @@ describe auditd_conf do
end
```
* Recognize versions embedded in strings
- Recognize versions embedded in strings
```ruby
describe package('curl') do
@ -90,7 +90,7 @@ describe package('curl') do
end
```
* Compare arrays with only one entry to a value
- Compare arrays with only one entry to a value
```ruby
describe passwd.uids(0) do
@ -99,7 +99,7 @@ describe passwd.uids(0) do
end
```
* Single-value arrays of strings may also be compared to a regex
- Single-value arrays of strings may also be compared to a regex
```ruby
describe auditd_conf do
@ -107,7 +107,7 @@ describe auditd_conf do
end
```
* Improved printing of octal comparisons
- Improved printing of octal comparisons
```ruby
describe file('/proc/cpuinfo') do

View file

@ -97,7 +97,7 @@ In addition Chef InSpec provides additional [resources](/inspec/resources/) that
For most cases, the migration to Chef InSpec is pretty straight forward. First, replace the current verifier in `kitchen.yml` configuration with:
```
```yaml
verifier:
name: inspec
```
@ -116,7 +116,7 @@ set :backend, :exec
Chef InSpec is now configured with Test-Kitchen:
```
```bash
kitchen verify package-install-centos-72
-----> Starting Kitchen (v1.14.2)
-----> Verifying <package-install-centos-72>...
@ -152,7 +152,7 @@ Some general recommendations:
Chef InSpec does not attach backend information to test files. All tests are defined independently of any backend. Therefore a Serverspec test file:
```
```ruby
require 'serverspec'
# Required by serverspec
@ -175,7 +175,7 @@ end
will become the following Chef InSpec test file:
```
```ruby
describe 'PHP' do
it 'has php' do
expect(command('php -v').exit_status).to eq(0)
@ -197,7 +197,7 @@ As you can see, the Chef InSpec test files just focuses on tests and tries to av
Serverspec and RSpec allow you to define nested describe blocks. We did a survey and found out that most users use nested describe blocks only to improve their output report. We believe the code structure should not change to improve the output of a report. Nevertheless we understand that nested describe blocks help you to structure test code. A sample code block looks like:
```
```ruby
describe 'chef-server-directories' do
describe file('/etc/opscode') do
it { should be_directory }
@ -234,7 +234,7 @@ tests
Each file can have a top-level description of its content:
```
```ruby
title "Chef Server Directories"
describe file('/etc/opscode') do
@ -267,7 +267,7 @@ Of course. We still prefer the `should` syntax for UX reasons. We did surveys wi
### `should` syntax with InSpec
```
```ruby
describe command('php -v') do
its('exit_status') { should eq 0 }
end
@ -283,7 +283,7 @@ end
### `expect` syntax with InSpec
```
```ruby
describe 'PHP' do
it 'has php' do
expect(command('php -v').exit_status).to eq(0)

View file

@ -43,7 +43,7 @@ for details.
Once you have your environment variables set, you can verify your credentials by running:
```bash
you$ inspec detect -t aws://
$ inspec detect -t aws://
== Platform Details
Name: aws
@ -70,7 +70,7 @@ profile named 'auditing', use `-t aws://us-east-2/auditing`.
To verify your credentials, run
```bash
you$ inspec detect -t aws://
$ inspec detect -t aws://
== Platform Details
Name: aws

View file

@ -440,7 +440,7 @@ With `services.yml` containing:
The tests in `example.rb` can now access this file:
```Ruby
```ruby
my_services = yaml(content: inspec.profile.file('services.yml')).params
my_services.each do |s|
@ -485,7 +485,7 @@ end
The output of both of the above examples looks like this:
```text
```bash
File /tmp/test.txt
✔ should be a file
```
@ -504,7 +504,7 @@ end
... which will render the following output:
```text
```bash
test file
✔ should be a file
```

View file

@ -65,9 +65,12 @@ See also the [AWS documentation on Configuration](https://docs.aws.amazon.com/co
### Ensure the role_arn is correct for the recorder
The role is used to grant permissions to S3 Buckets, SNS topics and to get configuration details for supported AWS resources.
```ruby
describe aws_config_recorder do
its('role_arn') { should eq 'arn:aws:iam::721741954427:role/My_Recorder' }
its('role_arn') { should eq 'arn:aws:iam::721741954427:role/My_Recorder' }
end
```
### Test the recorder is monitoring changes to the correct resources.

View file

@ -38,12 +38,15 @@ See also the [AWS documentation on EBS](https://docs.aws.amazon.com/AWSEC2/lates
## Examples
#####Ensure a specific volume exists
describe aws_ebs_volumes do
its('volume_ids') { should include 'vol-12345678' }
end
### Ensure a specific volume exists
##### Use the InSpec resource to request the IDs of all EBS volumes, then test in-depth using `aws_ebs_volume` to ensure all volumes are encrypted and have a sensible size.
```ruby
describe aws_ebs_volumes do
its('volume_ids') { should include 'vol-12345678' }
end
```
### Use the InSpec resource to request the IDs of all EBS volumes, then test in-depth using `aws_ebs_volume` to ensure all volumes are encrypted and have a sensible size.
aws_ebs_volumes.volume_ids.each do |volume_id|
describe aws_ebs_volume(volume_id) do
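Review bot: the second heading in this hunk, `### Use the InSpec resource to request the IDs of all EBS volumes, then test in-depth using `aws_ebs_volume` to ensure all volumes are encrypted and have a sensible size.`, is a full sentence promoted straight from the old `#####` line; give it a short heading such as `### Ensure every volume is encrypted and sized sensibly` and keep the sentence as prose under it. Also confirm that the `aws_ebs_volumes.volume_ids.each do |volume_id|` loop that follows is wrapped in a ```ruby fence like the first example, since the opening fence is not visible in this hunk and the loop would otherwise render as plain text.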

View file

@ -213,7 +213,7 @@ dots (`.`). Given the example response in their documentation:
We may access `provisioningStatus` with:
```
```ruby
its('provisionedPlants.first.provisioningStatus') { should eq "Success" }
```

View file

@ -132,9 +132,11 @@ page](/inspec/matchers/).
### exists
```ruby
describe azurerm_cosmosdb_database_account(resource_group: 'my-rg', cosmosdb_database_account 'my-cosmos-db') do
it { should exist }
it { should exist }
end
```
## Azure Permissions
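Review bot: the context line `describe azurerm_cosmosdb_database_account(resource_group: 'my-rg', cosmosdb_database_account 'my-cosmos-db') do` is not valid Ruby: the second keyword argument is missing its colon and would raise a syntax error if a reader copies the example. Since this hunk is already reindenting the block, change it to `cosmosdb_database_account: 'my-cosmos-db'` at the same time.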

View file

@ -130,9 +130,11 @@ page](/inspec/matchers/).
### exists
```ruby
describe azurerm_load_balancer(resource_group: 'my-rg', loadbalancer_name: 'lb-1') do
it { should exist }
it { should exist }
end
```
## Azure Permissions

View file

@ -49,17 +49,21 @@ You'll also need to setup your Azure credentials; see the resource pack
### Check Attributes of All Management Groups
```ruby
describe azurerm_management_groups do
its('ids') { should include "/providers/Microsoft.Management/managementGroups/mg_id" }
its('names') { should include "parent_mg" }
its('types') { should include '/providers/Microsoft.Management/managementGroups' }
its('ids') { should include "/providers/Microsoft.Management/managementGroups/mg_id" }
its('names') { should include "parent_mg" }
its('types') { should include '/providers/Microsoft.Management/managementGroups' }
end
```
### Filter Results to Inspect the Properties of Specific Management Group
```ruby
describe azurerm_management_groups.where(name: 'mg_parent').entries.first do
its('properties') { should have_attributes(:tenantId => tenant_id, :displayName => parent_dn)}
its('properties') { should have_attributes(:tenantId => tenant_id, :displayName => parent_dn)}
end
```
## Parameters
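Review bot: the two examples in this hunk disagree on the management group name, `its('names') { should include "parent_mg" }` in the first block versus `.where(name: 'mg_parent')` in the filter example, so a reader cannot tell which is the group being inspected; pick one spelling for both. In the second block `tenant_id` and `parent_dn` are also undefined in the snippet; either declare them as profile inputs above the `describe` or replace them with literal strings so the example runs as shown.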

View file

@ -57,9 +57,11 @@ The following examples show how to use this InSpec audit resource.
### Check a role has the correct permissions are present
```ruby
describe azurerm_role_definitions.where{name.eql?('Custom-Admin')} do
its ('properties.first.permissions.first') { should have_attributes(actions: ['*']) }
its ('properties.first.permissions.first') { should have_attributes(actions: ['*']) }
end
```
### Check a role does not have certain permissions
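Review bot: the heading `### Check a role has the correct permissions are present` is ungrammatical; "Check that a role has the correct permissions" reads cleanly. While reindenting, also tighten the Ruby in the block: `its ('properties.first.permissions.first')` has a space before the parenthesis, which Ruby accepts with a warning but RuboCop flags, and `.where{name.eql?('Custom-Admin')}` should be `.where { name.eql?('Custom-Admin') }` to match the block style used elsewhere in these docs.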

View file

@ -100,7 +100,7 @@ The Resource Group as well as the Webapp name.
All of the attributes are avialable via dot notation. This is an example of the currently available attributes.
```
```ruby
control 'azurerm_webapp' do
describe azurerm_webapp(resource_group: 'example', name: 'webapp_name') do
it { should exist }
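Review bot: the context line directly above the fence, "All of the attributes are avialable via dot notation.", has a typo ("avialable" should be "available"); since this hunk already touches the fence on the next line, fix the spelling in the same change.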
@ -138,7 +138,7 @@ Asserts whether the deployed Azure WebApp is using the latest supported version
Supported stacks (i.e. python, java, php, node) can be found in the `properties`
section of WebApp Configuration [documentation](https://docs.microsoft.com/en-us/rest/api/appservice/webapps/getconfiguration#siteconfigresource).
```
```ruby
it { should be_using_latest('php') }
it { should be_using_latest('java') }
it { should be_using_latest('python') }

View file

@ -69,7 +69,7 @@ The `all_host_names` property returns a two-dimensional string array where each
its('all_host_names') { should cmp 'list' }
##Examples
## Examples
### Test the IP address of the given primary name 'localhost'.

View file

@ -70,6 +70,7 @@ where
- `file_version`
- `product_version`
- `user_permissions`
## Resource Property Examples
@ -170,6 +171,14 @@ The `product_version` property tests if a Windows file's product version matches
its('product_version') { should eq '2.3.4' }
### user_permissions
The `user_permissions` property returns a hash containing a list of users or groups and their file permissions on Windows. For example:
its('user_permissions') { should cmp { "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" } }
its('user_permissions') { should include "NT AUTHORITY\\SYSTEM"=>"FullControl" }
### selinux_label
The `selinux_label` property tests if the SELinux label for a file matches the specified value.
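Review bot: the first `user_permissions` example will not parse as written: in `its('user_permissions') { should cmp { "NT AUTHORITY\\SYSTEM" => "FullControl", ... } }` Ruby reads the braces after `cmp` as a block, not a hash literal, and the `=>` inside it is a syntax error. Wrap the hash in parentheses, `should cmp({ "NT AUTHORITY\\SYSTEM" => "FullControl", ... })`, or use `should eq({ ... })`. The second line, `should include "NT AUTHORITY\\SYSTEM"=>"FullControl"`, does parse (the hash becomes the argument to `include`) but is easier to read as `should include("NT AUTHORITY\\SYSTEM" => "FullControl")`. The description should also say what the hash keys and values are (account name to Windows file-system right) so readers know what to compare against.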
@ -587,3 +596,11 @@ return `true` if your file has a mode with greater permissions than specified.
it { should_not be_more_permissive_than('0644') }
it { should be_more_permissive_than('0000') }
end
### `be_inherited`
`be_inherited` is a boolean matcher which returns `true` if a file or folder has inheritance enabled, otherwise `false`. This matcher only works on Windows systems.
describe file('C://Example') do
it { should be_inherited }
end
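Review bot: the path in the `be_inherited` example, `file('C://Example')`, has a doubled slash that is not a normal Windows path; use `file('C:/Example')` or `file('C:\\Example')` so readers do not copy an odd literal. It would also help to state what "inheritance" refers to here (the NTFS ACL inheriting entries from the parent folder), since on a hardening profile the interesting check is usually `should_not be_inherited` on directories whose ACL has been deliberately restricted.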

View file

@ -36,54 +36,53 @@ end
### Test that a GCP compute region exists
```ruby
describe google_compute_region(project: 'chef-inspec-gcp', region: 'europe-west2') do
it { should exist }
end
describe google_compute_region(project: 'chef-inspec-gcp', region: 'europe-west2') do
it { should exist }
end
```
### Test that a GCP compute region is in the expected state
```ruby
describe google_compute_region(project: 'chef-inspec-gcp', region: 'europe-west2') do
its('status') { should eq 'UP' }
# or equivalently
it { should be_up }
end
describe google_compute_region(project: 'chef-inspec-gcp', region: 'europe-west2') do
its('status') { should eq 'UP' }
# or equivalently
it { should be_up }
end
```
### Test a GCP compute region identifier
```ruby
describe google_compute_region(project: 'chef-inspec-gcp', region: "asia-east1") do
its('id') { should eq "1220" }
end
describe google_compute_region(project: 'chef-inspec-gcp', region: "asia-east1") do
its('id') { should eq "1220" }
end
```
### Check that a region is associated with the expected zone fully qualified name
```ruby
describe google_compute_region(project: 'chef-inspec-gcp', region: "asia-east1") do
its('zones') { should include "https://www.googleapis.com/compute/v1/projects/spaterson-project/zones/asia-east1-a" }
end
describe google_compute_region(project: 'chef-inspec-gcp', region: "asia-east1") do
its('zones') { should include "https://www.googleapis.com/compute/v1/projects/spaterson-project/zones/asia-east1-a" }
end
```
### Check that a region is associated with the expected zone short name
```ruby
describe google_compute_region(project: 'chef-inspec-gcp', region: "asia-east1") do
its('zone_names') { should include "asia-east1-a" }
end
describe google_compute_region(project: 'chef-inspec-gcp', region: "asia-east1") do
its('zone_names') { should include "asia-east1-a" }
end
```
The `zone_names` property is also useful for subsequently looping over associated `google_compute_zone` resources. For example:
```ruby
google_compute_region(project: 'chef-inspec-gcp', region: "asia-east1").zone_names.each do |zone_name|
describe google_compute_zone(project: 'chef-inspec-gcp', name: zone_name) do
it { should be_up }
end
google_compute_region(project: 'chef-inspec-gcp', region: "asia-east1").zone_names.each do |zone_name|
describe google_compute_zone(project: 'chef-inspec-gcp', name: zone_name) do
it { should be_up }
end
end
```
## Properties
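Review bot: in the "expected zone fully qualified name" example the resource is created with `project: 'chef-inspec-gcp'` but the asserted zone URL is `https://www.googleapis.com/compute/v1/projects/spaterson-project/zones/asia-east1-a`; a zone URL returned by the API carries the same project as the request, so this assertion would fail as written. Change the URL to `.../projects/chef-inspec-gcp/zones/asia-east1-a` while the block is being reindented.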

View file

@ -43,36 +43,35 @@ end
### Test that there are more than a specified number of regions available for the project
```ruby
describe google_compute_regions(project: 'chef-inspec-gcp') do
its('count') { should be >= 10}
end
describe google_compute_regions(project: 'chef-inspec-gcp') do
its('count') { should be >= 10}
end
```
### Test that an expected region is available for the project
```ruby
describe google_compute_regions(project: 'chef-inspec-gcp') do
its('region_names') { should include 'europe-west2' }
end
describe google_compute_regions(project: 'chef-inspec-gcp') do
its('region_names') { should include 'europe-west2' }
end
```
### Test whether any regions are in status "DOWN"
```ruby
describe google_compute_regions(project: 'chef-inspec-gcp') do
its('region_statuses') { should_not include "DOWN" }
end
describe google_compute_regions(project: 'chef-inspec-gcp') do
its('region_statuses') { should_not include "DOWN" }
end
```
### Test that a subset of all regions matching "europe\*" are "UP"
```ruby
google_compute_regions(project: gcp_project_id).where(region_name: /^europe/).region_names.each do |region_name|
describe google_compute_region(project: 'chef-inspec-gcp', region: region_name) do
it { should be_up }
end
google_compute_regions(project: gcp_project_id).where(region_name: /^europe/).region_names.each do |region_name|
describe google_compute_region(project: 'chef-inspec-gcp', region: region_name) do
it { should be_up }
end
end
```
## Properties
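Review bot: the `europe\*` example mixes `google_compute_regions(project: gcp_project_id)` on the outer call with a literal `project: 'chef-inspec-gcp'` in the inner `describe`; `gcp_project_id` is not defined anywhere in the snippet. Use the same literal in both places, or declare `gcp_project_id = input('gcp_project_id')` above the loop and use it in both calls.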

View file

@ -89,11 +89,9 @@ end
Required string. The name (unique within the namespace of the origin) of the package that provides the service.
```ruby
describe habitat_service(origin: 'core', name: 'httpd') do
it { should exist }
end
```
## Properties

View file

@ -168,9 +168,43 @@ Beginning with Chef InSpec 1.41, you can enable the ability to have the HTTP tes
...
end
## Properties
### proxy
- `body`, `headers`, `http_method`, `status`
Specify a `proxy` to test by passing in the proxy URI or a hash of the proxy URI, a username, and password. Specify `disable` to ignore a proxy set as an environment variable.
You can include the username and password in the `proxy` parameter:
describe http('http://localhost:8080/ping', proxy: "http://username:password@www.example.com:3128") do
...
end
The `proxy` parameter also accepts proxy options in hash format:
describe http('http://localhost:8080/ping', proxy: { uri: 'http://www.example.com:3128', user: 'username', password: 'proxypassword'}) do
...
end
Use `disable` to ignore the proxy set in the environment variable:
describe http('http://localhost:8080/ping', proxy: 'disable') do
...
end
{{< note >}}
Windows remote targets do not accept username and password values in a string; use the hash format instead.
{{< /note >}}
{{< note >}}
Special characters in the URI must be converted to their UTF-8 equivalent when passed in to the `proxy` parameter as a string. For example, the string `http://username:bar@123@www.example.com:3128` must be passed in as `http://username:bar%40123@www.example.com:3128` instead.
Special characters may be passed into the hash format without conversion to UTF-8 characters.
{{< /note >}}
## Properties
### body
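Review bot: the second note in this hunk calls the `bar@123` to `bar%40123` rewrite a conversion "to their UTF-8 equivalent"; that is percent-encoding (URL encoding per RFC 3986), not UTF-8, and the note should say so, since readers who literally re-encode the string as UTF-8 will change nothing. Two smaller points: the string form of `proxy:` puts the proxy username and password into the profile source and therefore into version control and any reporter that echoes the resource description, so the hash form with values pulled from `input(...)` is the example worth leading with; and `proxy: 'disable'` should state which environment variables it overrides (`http_proxy`, `https_proxy`, `no_proxy`) so operators know what is being bypassed.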

View file

@ -54,8 +54,6 @@ For example:
## Properties
## Examples
### application pool
`application_pool` property returns the name of the application pool in which the site's root application is run, such as `DefaultAppPool`.

View file

@ -40,10 +40,6 @@ An `interface` resource block declares network interface properties to be tested
## Properties
`ipv4_address`, `ipv4_addresses`, `ipv4_addresses_netmask`, `ipv4_cidrs`, `ipv6_addresses`, `ipv6_cidrs`, `name`, `speed`
## Resource Property Examples
### ipv4_address
Returns the first `ipv4_addresses` entry as a String. Note: this property is incompatible with ServerSpec, which returns the value including the CIDR range, such as '10.0.0.5/32'.

View file

@ -27,7 +27,7 @@ This resource first became available in v1.0.0 of InSpec.
A `iptables` resource block declares tests for rules in IP tables:
describe iptables(rule:'name', table:'name', chain: 'name') do
describe iptables(rule:'name', table:'name', chain: 'name', ignore_comments: true) do
it { should have_rule('RULE') }
end
@ -37,6 +37,7 @@ where
- `rule:'name'` is the name of a rule that matches a set of packets
- `table:'name'` is the packet matching table against which the test is run
- `chain: 'name'` is the name of a user-defined chain or one of `ACCEPT`, `DROP`, `QUEUE`, or `RETURN`
- `ignore_comments: true` is a boolean flag that ignores comments in a rule.
- `have_rule('RULE')` tests that rule in the iptables list. This must match the entire line taken from `iptables -S CHAIN`.
## Examples
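Review bot: the context line `chain: 'name' is the name of a user-defined chain or one of ACCEPT, DROP, QUEUE, or RETURN` describes targets, not chains; the built-in chains are `INPUT`, `OUTPUT` and `FORWARD` (plus `PREROUTING` and `POSTROUTING` in the `nat` and `mangle` tables), and `ACCEPT`/`DROP`/`QUEUE`/`RETURN` are what `-j` jumps to. Since this hunk is adding the `ignore_comments` bullet right below it, correct that line at the same time. The new bullet could also say that `ignore_comments: true` strips the `-m comment --comment "..."` clause from each rule before matching, which is what the example further down relies on.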
@ -61,6 +62,12 @@ The following examples show how to use this Chef InSpec audit resource.
it { should have_rule('-A INPUT -p tcp -m tcp -m multiport --dports 5432 -m comment --comment "postgres" -j ACCEPT') }
end
### Test a rule without comments
describe iptables(ignore_comments: true) do
it { should have_rule('-A INPUT -p tcp -m tcp -m multiport --dports 5432 -j ACCEPT') }
end
Note that the rule specification must exactly match what's in the output of `iptables -S INPUT`, which will depend on how you've built your rules.
## Matchers

View file

@ -44,10 +44,6 @@ You can use an optional passphrase with `key_rsa`
## Properties
- `public_key`, `private_key`, `key_length`
## Property Examples
### public_key (String)
The `public_key` property returns the public part of the RSA key pair

View file

@ -53,19 +53,13 @@ where
## Properties
- `domain`
## Examples
The following examples show how to use this Chef InSpec audit resource.
### domain
The `domain` property tests the domain in the `limits.conf` file, along with associated type, item, and value:
its('domain') { should include ['type', 'item', 'value'] }
`
For example:
its('grantmc') { should include ['hard', 'nofile', '63536'] }

View file

@ -48,6 +48,12 @@ where
- `('path')` is the non-default path to the `my.cnf` file
- `should eq 'value'` is the value that is expected
## Properties
This resource supports any settings listed in a `my.cnf` file as properties. For example, `max_connections`.
its('max_connections') { should eq '505' }
## Examples
The following examples show how to use this Chef InSpec audit resource.
@ -99,11 +105,3 @@ The following examples show how to use this Chef InSpec audit resource.
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### setting
The `setting` matcher tests specific, named settings in the `my.cnf` file:
its('setting') { should eq 'value' }
Use a `setting` matcher for each setting to be tested.

View file

@ -37,9 +37,18 @@ where
- `('path')` is the non-default path to the `ntp.conf` file
- `{ should eq 'value' }` is the value that is expected
## Properties
This resource supports any of the settings listed in an `ntp.conf` file as properties.
## Examples
The following examples show how to use this Chef InSpec audit resource.
The following examples show how to use this Chef InSpec audit resource
describe ntp_conf do
its('server') { should_not eq nil }
its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
end
### Test for clock drift against named servers
@ -56,17 +65,5 @@ The following examples show how to use this Chef InSpec audit resource.
## Matchers
This resource matches any service that is listed in the `ntp.conf` file. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
its('server') { should_not eq nil }
or:
its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
For example:
describe ntp_conf do
its('server') { should_not eq nil }
its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
end

View file

@ -36,6 +36,14 @@ where
- `('name')` must specify the name of a package, such as `'VLC'`
- `be_installed` is a valid matcher for this resource
## Properties
### version
The `version` property tests if the named package version is on the system:
its('version') { should eq '1.2.3' }
## Examples
The following examples show how to use this Chef InSpec audit resource.
@ -56,8 +64,3 @@ The `be_installed` matcher tests if the named package is installed on the system
it { should be_installed }
### version
The `version` matcher tests if the named package version is on the system:
its('version') { should eq '1.2.3' }

View file

@ -45,6 +45,20 @@ The URL of the OPA API server.
An OPA query as a JSON data file or a string in JSON format.
## Properties
### result
The `result` property checks whether the resource query returns an empty result.
its('result') { should be nil }
### allow
The `allow` property checks if a specific input matches the policy defined in OPA. This matcher will not work if `allow` is not defined in the policy file.
its('allow') { should eq 'value' }
## Examples
The following examples show how to use this Chef InSpec audit resource.
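Review bot: the moved `result` section says the property "checks whether the resource query returns an empty result" but the example asserts `should be nil`; an empty result and a nil result are different values, so state which one the resource actually returns when nothing matches and use the idiomatic `should be_nil` for the nil case. In the `allow` section the text calls the property "this matcher", which confuses the two headings this change is trying to separate; say "this property". The same wording appears in the identical `opa_cli` section later in this commit.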
@ -60,17 +74,3 @@ The above example shows how the `allow` value can be fetched in two ways.
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
## Properties
### result
The `result` property checks whether the resource query returns an empty result.
its('result') { should be nil }
### allow
The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work.
its('allow') { should eq 'value' }

View file

@ -54,6 +54,20 @@ The query to be evaluated against policy and input data.
This is the full path to the OPA binary or EXE file used for running the OPA CLI or OPA commands. By default it will consider that the path is added in PATH variable.
## Properties
### result
The `result` property checks whether the resource query returns an empty result.
its('result') { should be nil }
### allow
The `allow` property checks if specific input matches the policy defined in OPA. This matcher will not work if `allow` is not defined in the policy file.
its('allow') { should eq 'value' }
## Examples
The following examples show how to use this Chef InSpec audit resource:
@ -69,17 +83,3 @@ The above example shows how the `allow` value can be fetched in two ways.
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
## Properties
### result
The `result` property checks whether the resource query returns an empty result.
its('result') { should be nil }
### allow
The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work.
its('allow') { should eq 'value' }

View file

@ -36,6 +36,21 @@ where
- `('name')` must specify the name of a package, such as `'nginx'`
- `be_installed` is a valid matcher for this resource
## Properties
### version
The `version` property tests if the named package version is on the system:
its('version') { should eq '1.2.3' }
You can also use the `cmp` matcher to perform comparisons using the version attribute:
its('version') { should cmp >= '7.35.0-1ubuntu3.10' }
`cmp` understands version numbers using Gem::Version, and can use the operators `==, <, <=, >=, and >`. It will compare versions by each segment, not as a string - so '7.4' is smaller than '7.30', for example.
## Examples
The following examples show how to use this Chef InSpec audit resource.
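Review bot: the `cmp` paragraph says versions are understood "using Gem::Version", but Gem::Version treats a hyphenated suffix as a prerelease (it rewrites `-` to `.pre.`), so the example string `'7.35.0-1ubuntu3.10'` sorts below `'7.35.0'` even though it is a newer build of that upstream release. That matters for exactly the distro package versions this page is about (Debian revisions, RPM `-release` suffixes), and a reader enforcing a minimum version could pass a vulnerable package or fail a patched one. Either document that caveat next to the example or show the comparison against a bare upstream version such as `'7.35.0'` and note that the `-1ubuntu3.10` revision is not compared as a later version.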
@ -63,7 +78,7 @@ The following examples show how to use this Chef InSpec audit resource.
its('telnet') { should eq nil }
end
### Test if ClamAV (an antivirus engine) is installed and running
### Test if ClamAV (an antivirus engine) is installed, latest and running
describe package('clamav') do
it { should be_installed }
@ -73,6 +88,7 @@ The following examples show how to use this Chef InSpec audit resource.
describe service('clamd') do
it { should be_enabled }
it { should be_installed }
it { should be_latest }
it { should be_running }
end
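Review bot: `it { should be_latest }` is being added inside `describe service('clamd') do`, but `be_latest` is the package matcher introduced further down in this same file; the `service` resource does not know whether a package is current, so the line belongs in the `describe package('clamav')` block above. The pre-existing `it { should be_installed }` under `service('clamd')` has the same problem and is worth moving while this block is being edited.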
@ -82,7 +98,7 @@ The following examples show how to use this Chef InSpec audit resource.
it { should be_installed }
end
### Verify if Memcached is installed, enabled, and running
### Verify if Memcached is installed, latest, enabled, and running
Memcached is an in-memory key-value store that helps improve the performance of database-driven websites and can be installed, maintained, and tested using the `memcached` cookbook (maintained by Chef). The following example is from the `memcached` cookbook and shows how to use a combination of the `package`, `service`, and `port` Chef InSpec audit resources to test if Memcached is installed, enabled, and running:
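Review bot: the heading now reads "installed, latest, enabled, and running" but the explanatory sentence in the context line still says "installed, enabled, and running"; update the sentence to match, and consider "up to date" rather than "latest" as the adjective in both places, since "latest" on its own reads awkwardly in a list.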
@ -92,6 +108,7 @@ Memcached is an in-memory key-value store that helps improve the performance of
describe service('memcached') do
it { should be_installed }
it { should be_latest }
it { should be_enabled }
it { should be_running }
end
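Review bot: as in the ClamAV example, `it { should be_latest }` is placed in `describe service('memcached') do`, where the `service` resource cannot evaluate it; move it (together with the pre-existing `it { should be_installed }`) into the `describe package('memcached')` block so the example exercises the matcher on the resource that defines it.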
@ -117,14 +134,8 @@ The `be_installed` matcher tests if the named package is installed on the system
it { should be_installed }
### version
### be_latest
The `version` matcher tests if the named package version is on the system:
The `be_latest` matcher tests if the named installed package is latest on the system. It is not supported in Oracle Solaris, IBM AIX and HP UX operating systems.
its('version') { should eq '1.2.3' }
You can also use the `cmp OPERATOR` matcher to perform comparisons using the version attribute:
its('version') { should cmp >= '7.35.0-1ubuntu3.10' }
`cmp` understands version numbers using Gem::Version, and can use the operators `==, <, <=, >=, and >`. It will compare versions by each segment, not as a string - so '7.4' is smaller than '7.30', for example.
it { should be_latest }
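Review bot: the new matcher description, "tests if the named installed package is latest on the system", is ungrammatical and leaves the meaning open; say what "latest" is measured against, which for a package manager is the newest version offered by the configured repositories according to the locally cached metadata. That caveat is worth one sentence here: on a host whose repository cache has not been refreshed, or whose repositories are pinned or mirrored, `be_latest` can pass while a fixed version exists upstream, so it is not a substitute for a `version` comparison against a known-good version. Listing the unsupported platforms (Oracle Solaris, IBM AIX, HP-UX) is good; the hyphen in "HP UX" should be kept as "HP-UX".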

View file

@ -31,6 +31,26 @@ A `packages` resource block declares a regular expression search to select packa
its('statuses') { should cmp 'installed' }
end
## Properties
### statuses
The `statuses` property tests if packages are installed on the system:
its('statuses') { should cmp 'installed' }
### versions
The `versions` property tests the versions of the packages installed on the system
its('versions') { should cmp '3.4.0.2-4.el7' }
### architectures
The `architectures` property tests the architecture of packages installed on the system
its('architectures') { should include 'i686' }
## Examples
The following examples show how to use this Chef InSpec audit resource.
@ -57,21 +77,3 @@ The following examples show how to use this Chef InSpec audit resource.
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### statuses
The `statuses` matcher tests if packages are installed on the system
its('statuses') { should cmp 'installed' }
### versions
The `versions` matcher tests the versions of the packages installed on the system
its('versions') { should cmp '3.4.0.2-4.el7' }
### architectures
The `architectures` matcher tests the architecture of packages installed on the system
its('architectures') { should include 'i686' }

View file

@ -54,6 +54,77 @@ where
- `filter` one (or more) arguments, for example: `passwd.users(/name/)` used to define filtering
- `filter` may take any of the following arguments: `count` (retrieves the number of entries), `lines` (provides raw `passwd` lines), and `params` (returns an array of maps for all entries)
## Properties
### gids
The `gids` property tests if the group indentifiers in the test match group identifiers in `/etc/passwd`:
its('gids') { should include 1234 }
its('gids') { should cmp 0 }
### homes
The `homes` property tests the absolute path to a user's home directory:
its('home') { should eq '/' }
### length
The `length` property tests the length of a password that appears in `/etc/passwd`:
its('length') { should be <= 32 }
This matcher is best used in conjunction with filters. For example:
describe passwd.users('highlander') do
its('length') { should_not be < 16 }
end
### passwords
The `passwords` property tests if passwords are
- Encrypted
- Have direct logins disabled, as indicated by an asterisk (`*`)
- In the `/etc/shadow` file, as indicated by the letter x (`x`)
For example:
its('passwords') { should eq ['x'] }
its('passwords') { should cmp '*' }
### shells
The `shells` property tests the absolute path of a shell (or command) to which a user has access:
its('shells') { should_not include 'user' }
or to find all users with the nologin shell:
describe passwd.shells(/nologin/) do
its('users') { should_not include 'my_login_user' }
end
### uids
The `uids` property tests if the user identifiers in the test match user identifiers in `/etc/passwd`:
its('uids') { should eq ['1234', '1235'] }
or:
describe passwd.uids(0) do
its('users') { should cmp 'root' }
its('count') { should eq 1 }
end
### users
The `users` property tests if the user names in the test match user names in `/etc/passwd`:
its('users') { should eq ['root', 'www-data'] }
## Examples
The following examples show how to use this Chef InSpec audit resource.
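Review bot: a few problems in the block being moved under `## Properties`: "group indentifiers" in the `gids` section is a typo for "identifiers"; the `homes` section's example uses `its('home')`, which is not the property being documented, and should read `its('homes') { should include '/' }`; and the `length` section says it tests "the length of a password that appears in `/etc/passwd`", which does not match how the rest of the page describes the file (password fields there hold `x` or `*`, not password material), so state what `length` actually returns. The `uids` example compares against the strings `['1234', '1235']` while the `gids` example uses integers (`should include 1234`); pick one representation and say whether the resource yields strings or integers, since `eq` is sensitive to the difference and `cmp` is not.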
@ -80,72 +151,3 @@ The following examples show how to use this Chef InSpec audit resource.
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### gids
The `gids` matcher tests if the group indentifiers in the test match group identifiers in `/etc/passwd`:
its('gids') { should include 1234 }
its('gids') { should cmp 0 }
### homes
The `homes` matcher tests the absolute path to a user's home directory:
its('home') { should eq '/' }
### length
The `length` matcher tests the length of a password that appears in `/etc/passwd`:
its('length') { should be <= 32 }
This matcher is best used in conjunction with filters. For example:
describe passwd.users('highlander') do
its('length') { should_not be < 16 }
end
### passwords
The `passwords` matcher tests if passwords are
- Encrypted
- Have direct logins disabled, as indicated by an asterisk (`*`)
- In the `/etc/shadow` file, as indicated by the letter x (`x`)
For example:
its('passwords') { should eq ['x'] }
its('passwords') { should cmp '*' }
### shells
The `shells` matcher tests the absolute path of a shell (or command) to which a user has access:
its('shells') { should_not include 'user' }
or to find all users with the nologin shell:
describe passwd.shells(/nologin/) do
its('users') { should_not include 'my_login_user' }
end
### uids
The `uids` matcher tests if the user identifiers in the test match user identifiers in `/etc/passwd`:
its('uids') { should eq ['1234', '1235'] }
or:
describe passwd.uids(0) do
its('users') { should cmp 'root' }
its('count') { should eq 1 }
end
### users
The `users` matcher tests if the user names in the test match user names in `/etc/passwd`:
its('users') { should eq ['root', 'www-data'] }

View file

@ -36,6 +36,14 @@ where
- `'package_name'` is the name of the package, such as `'Jinja2'`
- `be_installed` tests to see if the package described above is installed
## Properties
### version
The `version` property tests if the named package version is on the system:
its('version') { should eq '1.2.3' }
## Examples
The following examples show how to use this Chef InSpec audit resource.
@ -70,8 +78,3 @@ The `be_installed` matcher tests if the named package is installed on the system
it { should be_installed }
### version
The `version` matcher tests if the named package version is on the system:
its('version') { should eq '1.2.3' }

View file

@ -52,6 +52,42 @@ For example, to test if the SSH daemon is available on a Linux machine via the d
its('addresses') { should include '0.0.0.0' }
end
## Properties
### address
The `addresses` property tests if the specified address is associated with a port:
its('addresses') { should include '0.0.0.0' }
### be_listening
The `be_listening` property tests if the port is listening for traffic:
it { should be_listening }
### pids
The `pids` property tests the process identifiers (PIDs):
its('pids') { should cmp 27808 }
### processes
The `processes` property tests if the named process is running on the system:
its('processes') { should cmp 'syslog' }
### protocols
The `protocols` property tests the Internet protocol: ICMP (`'icmp'`), TCP (`'tcp'` or `'tcp6'`), or UDP (`'udp'` or `'udp6'`):
its('protocols') { should include 'tcp' }
or for the IPv6 protocol:
its('protocols') { should include 'tcp6' }
## Examples
The following examples show how to use this Chef InSpec audit resource.
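Review bot: the heading `### address` documents the `addresses` property, so rename it to match the `its('addresses')` example under it. `be_listening` is listed as a property in this new section, but `it { should be_listening }` is a matcher and the page already has a `## Matchers` heading lower down; move that subsection there rather than duplicating the properties/matchers split this change is meant to clean up.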
@ -111,37 +147,3 @@ or:
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### address
The `addresses` matcher tests if the specified address is associated with a port:
its('addresses') { should include '0.0.0.0' }
### be_listening
The `be_listening` matcher tests if the port is listening for traffic:
it { should be_listening }
### pids
The `pids` matcher tests the process identifiers (PIDs):
its('pids') { should cmp 27808 }
### processes
The `processes` matcher tests if the named process is running on the system:
its('processes') { should cmp 'syslog' }
### protocols
The `protocols` matcher tests the Internet protocol: ICMP (`'icmp'`), TCP (`'tcp'` or `'tcp6'`), or UDP (`'udp'` or `'udp6'`):
its('protocols') { should include 'tcp' }
or for the IPv6 protocol:
its('protocols') { should include 'tcp6' }

View file

@ -37,6 +37,12 @@ where
- `('path')` is the non-default path to the `postgresql.conf` file (optional)
- `should eq 'value'` is the value that is expected
## Properties
This resource supports any of the settings listed in an postgresql.conf file as properties for e.g. max_connections
its('max_connections') { should eq '5' }
## Examples
The following examples show how to use this Chef InSpec audit resource.
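Review bot: the new sentence "This resource supports any of the settings listed in an postgresql.conf file as properties for e.g. max_connections" needs tidying: "a `postgresql.conf` file", and "for example `max_connections`" rather than "for e.g.", with the filename in backticks as the rest of the page does. The example value `'5'` for `max_connections` is also an unusual choice for a worked example; something like `'100'` reads as a realistic setting.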
@ -78,11 +84,3 @@ where `unix_socket_group` is set to the PostgreSQL default setting (the group to
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### setting
The `setting` matcher tests specific, named settings in the `postgresql.conf` file:
its('setting') { should eq 'value' }
Use a `setting` matcher for each setting to be tested.

View file

@ -39,10 +39,6 @@ where
## Properties
'address', 'auth_method', 'auth_params', 'conf_dir' , 'conf_file' , 'database', 'params' ,'type', 'user'
## Property Examples
### address([String])
`address` returns a an array of strings that matches the where condition of the filter table
@ -85,17 +81,4 @@ where
## Matchers
This Chef InSpec audit resource matches any service that is listed in the HBA configuration file. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
its('auth_method') { should_not cmp 'peer' }
or:
its('auth_method') { should cmp 'peer' }
For example:
describe postgres_hba_conf.where { type == 'type' } do
its('auth_method') { should cmp 'value' }
its('user') { should cmp 'value' }
end
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

View file

@ -39,13 +39,9 @@ where
## Properties
'conf_file', 'map_name', 'params', 'pg_username', 'system_username'
## Property Examples
### map_name([String])
`address` returns a an array of strings that matches the where condition of the filter table
`map_name` returns a an array of strings that matches the where condition of the filter table
describe postgres_ident_conf.where { pg_username == 'name' } do
its('map_name') { should eq ['value'] }
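Review bot: good catch changing `address` to `map_name` in the description, but the sentence still reads "returns a an array of strings"; drop the stray "a" while you are here.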
@ -69,17 +65,4 @@ where
## Matchers
This Chef InSpec audit resource matches any service that is listed in the pg ident configuration file. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
its('pg_username') { should_not eq ['peer'] }
or:
its('map_name') { should eq ['value'] }
For example:
describe postgres_ident_conf.where { pg_username == 'name' } do
its('system_username') { should eq ['value'] }
its('map_name') { should eq ['value'] }
end
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
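Review bot: "matches any service that is listed in the pg ident configuration file" misdescribes pg_ident.conf, whose lines are user-name mappings (`map_name`, `system_username`, `pg_username`, exactly the properties listed above); suggest "matches any mapping listed in the pg_ident configuration file".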

@ -50,6 +50,14 @@ where
- `its('output') { should eq '' }` compares the results of the query against the expected result in the test
- `socketpath` is an optional parameter. Use `socketpath` to establish a socket connection with Postgres by specifying one of the Postgres Unix domain socket paths. Only supported on Unix-based platforms.
## Properties
### output
The `output` property tests the results of the query:
its('output') { should eq(/^0/) }
## Examples
The following examples show how to use this Chef InSpec audit resource.
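Review bot: `its('output') { should eq(/^0/) }` in the new Properties section can never pass: `output` is a string and `eq` tests it for equality with a Regexp object. For a pattern check it should be `should match(/^0/)`; for an exact value, `should cmp '0'`.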
@ -75,9 +83,3 @@ The following examples show how to use this Chef InSpec audit resource.
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### output
The `output` matcher tests the results of the query:
its('output') { should eq(/^0/) }

@ -41,6 +41,26 @@ where
- `'matcher'` is one of `exit_status`, `stderr`, or `stdout`
- `'output'` tests the output of the command run on the system versus the output value stated in the test
## Properties
### exit_status
The `exit_status` property tests the exit status for the command:
its('exit_status') { should eq 123 }
### stderr
The `stderr` property tests results of the command as returned in standard error (stderr):
its('stderr') { should eq 'error' }
### stdout
The `stdout` property tests results of the command as returned in standard output (stdout):
its('stdout') { should eq '/^1$/' }
## Examples
The following examples show how to use this Chef InSpec audit resource.
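Review bot: `its('stdout') { should eq '/^1$/' }` compares stdout with the literal five-character string `/^1$/`, not with a regular expression; a pattern check should be `should match /^1$/`. The `exit_status` and `stderr` examples are fine.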
@ -92,21 +112,3 @@ No newline:
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exit_status
The `exit_status` matcher tests the exit status for the command:
its('exit_status') { should eq 123 }
### stderr
The `stderr` matcher tests results of the command as returned in standard error (stderr):
its('stderr') { should eq 'error' }
### stdout
The `stdout` matcher tests results of the command as returned in standard output (stdout):
its('stdout') { should eq '/^1$/' }

@ -95,6 +95,16 @@ where `'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule'` is the f
its('ProductName') { should match /^[a-zA-Z0-9\(\)\s]*2012\s[rR]2[a-zA-Z0-9\(\)\s]*$/ }
end
## Properties
### user_permissions
The `user_permissions` property returns a hash containing a list of users or groups and their registry key permissions on Windows. For example:
its('user_permissions') { should cmp { "NT AUTHORITY\\SYSTEM" => "FullControl", "NT AUTHORITY\\Authenticated Users" => "ReadAndExecute", "BUILTIN\\Administrators" => "FullControl" } }
its('user_permissions') { should include "NT AUTHORITY\\SYSTEM"=>"FullControl" }
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
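Review bot: `should cmp { "NT AUTHORITY\\SYSTEM" => "FullControl", ... }` is not valid Ruby: a brace group after a method call without parentheses is parsed as a block, and `=>` inside a block is a syntax error. Write it as `should cmp({ "NT AUTHORITY\\SYSTEM" => "FullControl", ... })`. The second form, `should include "NT AUTHORITY\\SYSTEM"=>"FullControl"`, parses fine. Worth one sentence on when to use which: the full-hash comparison also catches unexpected extra principals on the key, while `include` only checks that the one entry is present.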
@ -153,6 +163,14 @@ The `name` matcher tests the value for the specified registry setting:
its('name') { should eq 'value' }
### be_inherited
`be_inherited` is a boolean matcher which returns `true` if a registry key has inheritance enabled, otherwise `false`. This matcher only works on Windows systems.
registry_key('HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Windows\Control Panel\Desktop') do
it { should be_inherited }
end
**Warning**: Any name with a dot will not work as expected: <code>its('explorer.exe') { should eq 'test' }</code>. For details, see <a href="https://github.com/inspec/inspec/issues/1281">https://github.com/inspec/inspec/issues/1281</a>
# instead of:
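Review bot: the `be_inherited` example is missing `describe`: `registry_key('HKEY_USERS\...') do ... end` on its own is not a test block and would not run as written. It should read `describe registry_key('HKEY_USERS\S-1-5-20\Software\Policies\Microsoft\Windows\Control Panel\Desktop') do`, matching the other examples on this page.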

@ -56,10 +56,6 @@ The following examples show how to use this Chef InSpec resource.
## Properties
- `sid`
## Property Examples
### sid
describe security_identifier(group: 'Everyone') do

@ -41,6 +41,12 @@ where
- `{ should eq 'value' }` tests the value of `policy_name` against the value declared in the test
- `translate_sid` converts the security identifier (SID) into a human readable SID name if `true`. Default value is `false`.
## Properties
This resource supports any of the security policy name as properties for e.g. `SeNetworkLogonRigth`, `SeRemoteInteractiveLogonRight` etc.
its('SeNetworkLogonRight') { should eq '*S-1-5-11' }
## Examples
The following examples show how to use this Chef InSpec audit resource.
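Review bot: `SeNetworkLogonRigth` in the new Properties sentence is a typo for `SeNetworkLogonRight` (the example line right below spells it correctly), and "supports any of the security policy name as properties for e.g." should read "supports any security policy name as a property, e.g. `SeNetworkLogonRight`, `SeRemoteInteractiveLogonRight`".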
@ -54,9 +60,3 @@ The following examples show how to use this Chef InSpec audit resource.
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### policy_name
The `policy_name` matcher must be the name of a security policy:
its('SeNetworkLogonRight') { should eq '*S-1-5-11' }

@ -42,6 +42,32 @@ where
- `ssl(port: #)` is the port number, such as `ssl(port: 443)`
- `filter` may take any of the following arguments: `ciphers`, `protocols`, and `handshake`
## Properties
### ciphers
The `ciphers` property tests the named cipher:
its('ciphers') { should_not eq '/rc4/i' }
or:
describe ssl(port: 443).ciphers(/rc4/i) do
it { should_not be_enabled }
end
### protocols
The `protocols` property tests what protocol versions (SSLv3, TLSv1.1, etc) are enabled:
its('protocols') { should eq 'ssl2' }
or:
describe ssl(port: 443).protocols('ssl2') do
it { should_not be_enabled }
end
## Examples
The following examples show how to use this Chef InSpec audit resource.
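Review bot: both inline `its(...)` examples in the new Properties section assert something other than what the text intends. `its('ciphers') { should_not eq '/rc4/i' }` compares the ciphers value with the literal string `/rc4/i`, which is always unequal, so the test passes vacuously and never detects RC4; `its('protocols') { should eq 'ssl2' }` passes only when `ssl2` is the protocol found, i.e. it asserts that a legacy protocol is enabled. The filter forms that follow each of them (`ssl(port: 443).ciphers(/rc4/i)` and `.protocols('ssl2')` with `it { should_not be_enabled }`) are the correct checks; drop the `its(...)` lines and keep those.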
@ -127,3 +153,12 @@ or:
describe ssl(port: 443).protocols('ssl2') do
it { should_not be_enabled }
end
Supported protocols:
- `ssl2`
- `ssl3`
- `tls1.0`
- `tls1.1`
- `tls1.2`
- `tls1.3`

@ -31,37 +31,11 @@ An `sys_info` resource block declares the hostname to be tested:
its('hostname') { should eq 'value' }
end
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Get system information for example.com
describe sys_info do
its('hostname') { should eq 'example.com' }
end
### Compare content to hostname
describe file('/path/to/some/file') do
its('content') { should match sys_info.hostname }
end
Options can be passed as arguments to hostname as well.
describe file('/path/to/some/file') do
its('content') { should match sys_info.hostname('full') }
end
Currently supported arguments to `hostname` on Linux platforms are 'full'|'f'|'fqdn'|'long', 'domain'|'d', 'ip_address'|'i', and 'short'|'s'. Mac currently supports 'full'|'f'|'fqdn'|'long' and 'short'|'s'
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
## Properties
### hostname
The `hostname` matcher tests the host for which standard output is returned:
The `hostname` property tests the host for which standard output is returned:
its('hostname') { should eq 'value' }
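Review bot: the context line "An `sys_info` resource block" should be "A `sys_info` resource block", and the moved sentence listing the supported `hostname` arguments ("... and 'short'|'s'") is missing its final period. The Examples-below-Properties reorder itself matches the other resource pages in this commit.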
@ -91,12 +65,40 @@ The `short` property tests the host name cut at the first dot:
### manufacturer
The `manufacturer` matcher tests the host for which standard output is returned:
The `manufacturer` property tests the host for which standard output is returned:
its('manufacturer') { should eq 'ACME Corp.' }
### model
The `model` matcher tests the host for which standard output is returned:
The `model` property tests the host for which standard output is returned:
its('model') { should eq 'Flux Capacitor' }
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Get system information for example.com
describe sys_info do
its('hostname') { should eq 'example.com' }
end
### Compare content to hostname
describe file('/path/to/some/file') do
its('content') { should match sys_info.hostname }
end
Options can be passed as arguments to hostname as well.
describe file('/path/to/some/file') do
its('content') { should match sys_info.hostname('full') }
end
Currently supported arguments to `hostname` on Linux platforms are 'full'|'f'|'fqdn'|'long', 'domain'|'d', 'ip_address'|'i', and 'short'|'s'. Mac currently supports 'full'|'f'|'fqdn'|'long' and 'short'|'s'
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

@ -0,0 +1,88 @@
+++
title = "timezone resource"
draft = false
gh_repo = "inspec"
platform = "linux"
[menu]
[menu.inspec]
title = "timezone"
identifier = "inspec/resources/os/timezone.md timezone resource"
parent = "inspec/resources/os"
+++
Use the `timezone` Chef InSpec audit resource to test timezone configurations of the system.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
## Syntax
A `timezone` resource block fetches the time zone configuration of a system and compares the output with the test:
describe timezone do
its('property') { should eq 'expected value' }
end
where
- `'property'` is one of `identifier` , `name` and `time_offset`
- `'expected value'` tests the output of the command run on the system versus the expected output stated in the test
For example:
describe timezone do
its('identifier') { should eq 'Asia/Kolkata' }
its('name') { should eq 'IST' }
its('time_offset') { should eq '+0530' }
end
## Properties
### identifier
The `identifier` property verifies the time zone name of a system.
An example of checking the **identifier** for the Asia/Kolkata time zone name:
its('identifier') { should eq 'Asia/Kolkata' }
### name
The `name` property verifies the time zone of a system.
{{< note >}}
The `name` property accepts the time zone abbreviation on Linux systems and the full time zone name on Windows systems.
{{< /note >}}
An example of verifying that the time zone is set to IST on a Linux system:
its('name') { should eq 'IST' }
{{< note >}}
Several time zones share the same time zone abbreviation. Use one of the other properties to verify a specific time zone with a common abbreviation.
{{< /note >}}
An example of verifying that the time zone is set to India Standard Time on a Windows system:
its('name') { should eq 'India Standard Time' }
### time_offset
The `time_offset` property verifies the time offset of a system from UTC (Coordinated Universal Time).
An example of verifying that the **time_offset** is UTC+05:30:
its('time_offset') { should eq '+0530' }
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
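Review bot: "`identifier` , `name` and `time_offset`" has a stray space before the comma and reads better as "`identifier`, `name`, or `time_offset`". The `name` section rightly warns that abbreviations are shared between zones; the same applies to `time_offset` (a UTC offset does not identify a zone either), so point readers to `identifier` as the unambiguous check in both places rather than only under `name`.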

@ -39,6 +39,11 @@ where:
- `('path')` is the path to the TOML file.
- `{ should eq 'value' }` is the value that is expected.
## Properties
This resource supports any of the settings listed in a TOML file as properties.
## Examples
In the examples below, the `example.toml` file contains the following data:
@ -75,11 +80,6 @@ describe toml('path/to/example.toml') do
end
```
## Properties
This resource supports any of the settings listed in a TOML file as properties.
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

@ -50,6 +50,110 @@ where
- `it { should exist }` tests if the user exists
- `gid`, `group`, `groups`, `home`, `maxdays`, `mindays`, `shell`, `uid`, `warndays`´, `passwordage`, `maxbadpasswords`, `badpasswordattempts` and `lastlogin` are valid matchers for this resource
## Properties
### gid
The `gid` property tests the group identifier:
its('gid') { should eq 1234 }
where `1234` represents the user identifier.
The `gid` option is only available on Linux and will return `nil` for Windows os.
### group
The `group` property tests the group to which the user belongs:
its('group') { should eq 'root' }
where `root` represents the group.
The `group` option is only available on Linux and will return `nil` for Windows os.
### groups
The `groups` property tests two (or more) groups to which the user belongs:
its('groups') { should eq ['root', 'other'] }
### home
The `home` property tests the home directory path for the user:
its('home') { should eq '/root' }
### maxdays
The `maxdays` property tests the maximum number of days between password changes:
its('maxdays') { should eq 99 }
where `99` represents the maximum number of days.
### mindays
The `mindays` property tests the minimum number of days between password changes:
its('mindays') { should eq 0 }
where `0` represents the maximum number of days.
### shell
The `shell` property tests the path to the default shell for the user:
its('shell') { should eq '/bin/bash' }
### uid
The `uid` property tests the user identifier:
its('uid') { should eq 1234 }
where `1234` represents the user identifier.
### warndays
The `warndays` property tests the number of days a user is warned before a password must be changed:
its('warndays') { should eq 5 }
where `5` represents the number of days a user is warned.
### passwordage
The `passwordage` property tests the number of days a user changed its password:
its('passwordage') { should_be <= 365 }
where `365` represents the number of days since the last password change.
### maxbadpasswords
The `maxbadpasswords` property tests the count of max badpassword settings for a specific user.
its('maxbadpasswords') { should eq 7 }
where `7` is the count of maximum bad password attempts.
### badpasswordattempts
The `badpasswordattempts` property tests the count of bad password attempts for a user.
its('badpasswordattempts') { should eq 0 }
where `0` is the count of bad passwords for a user.
On Linux based operating systems it relies on `lastb` and for Windows it uses information stored for the user object.
These settings will be reset to `0` depending on your operating system configuration.
### lastlogin
The `lastlogin` property tests the last login date for a specific user.
its('lastlogin') { should eq nil }
The `nil` value means this user has never logged in.
## Examples
The following examples show how to use this Chef InSpec audit resource.
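Review bot: several of the new property descriptions carry errors over from the old Matchers text instead of fixing them while moving: under `gid`, "where `1234` represents the user identifier" should say group identifier; under `mindays`, "represents the maximum number of days" should be minimum; `its('passwordage') { should_be <= 365 }` is not valid RSpec, it should be `should be <= 365`; "the number of days a user changed its password" should be "the number of days since the user last changed their password"; "Windows os" should be "Windows OS". The context line listing the properties also has a stray accent after `warndays` ("`warndays`´,").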
@ -86,105 +190,3 @@ For a full list of available matchers, please visit our [matchers page](/inspec/
The `exist` matcher tests if the named user exists:
it { should exist }
### gid
The `gid` matcher tests the group identifier:
its('gid') { should eq 1234 }
where `1234` represents the user identifier.
The `gid` option is only available on Linux and will return `nil` for Windows os.
### group
The `group` matcher tests the group to which the user belongs:
its('group') { should eq 'root' }
where `root` represents the group.
The `group` option is only available on Linux and will return `nil` for Windows os.
### groups
The `groups` matcher tests two (or more) groups to which the user belongs:
its('groups') { should eq ['root', 'other'] }
### home
The `home` matcher tests the home directory path for the user:
its('home') { should eq '/root' }
### maxdays
The `maxdays` matcher tests the maximum number of days between password changes:
its('maxdays') { should eq 99 }
where `99` represents the maximum number of days.
### mindays
The `mindays` matcher tests the minimum number of days between password changes:
its('mindays') { should eq 0 }
where `0` represents the maximum number of days.
### shell
The `shell` matcher tests the path to the default shell for the user:
its('shell') { should eq '/bin/bash' }
### uid
The `uid` matcher tests the user identifier:
its('uid') { should eq 1234 }
where `1234` represents the user identifier.
### warndays
The `warndays` matcher tests the number of days a user is warned before a password must be changed:
its('warndays') { should eq 5 }
where `5` represents the number of days a user is warned.
### passwordage
The `passwordage` matcher tests the number of days a user changed its password:
its('passwordage') { should_be <= 365 }
where `365` represents the number of days since the last password change.
### maxbadpasswords
The `maxbadpasswords` matcher tests the count of max badpassword settings for a specific user.
its('maxbadpasswords') { should eq 7 }
where `7` is the count of maximum bad password attempts.
### badpasswordattempts
The `badpasswordattempts` matcher tests the count of bad password attempts for a user.
its('badpasswordattempts') { should eq 0 }
where `0` is the count of bad passwords for a user.
On Linux based operating systems it relies on `lastb` and for Windows it uses information stored for the user object.
These settings will be reset to `0` depending on your operating system configuration.
### lastlogin
The `lastlogin` matcher tests the last login date for a specific user.
its('lastlogin') { should eq nil }
The `nil` value means this user has never logged in.

@ -50,17 +50,111 @@ or:
it { should exist }
end
## Properties
### gid
The `gid` property tests the group identifier:
its('gid') { should eq 1234 } }
where `1234` represents the user identifier.
### group
The `group` property tests the group to which the user belongs:
its('group') { should eq 'root' }
where `root` represents the group.
### groups
The `groups` property tests two (or more) groups to which the user belongs:
its('groups') { should eq ['root', 'other']}
### home
The `home` property tests the home directory path for the user:
its('home') { should eq '/root' }
### maxdays
The `maxdays` property tests the maximum number of days between password changes:
its('maxdays') { should eq 99 }
where `99` represents the maximum number of days.
### mindays
The `mindays` property tests the minimum number of days between password changes:
its('mindays') { should eq 0 }
where `0` represents the maximum number of days.
### shell
The `shell` property tests the path to the default shell for the user:
its('shells') { should eq ['/bin/bash'] }
### uid
The `uid` property tests the user identifier:
its('uid') { should eq 1234 } }
where `1234` represents the user identifier.
### warndays
The `warndays` property tests the number of days a user is warned before a password must be changed:
its('warndays') { should eq 5 }
where `5` represents the number of days a user is warned.
### passwordage
The `passwordage` property tests the number of days a user changed its password:
its('passwordage') { should_be <= 365 }
where `365` represents the number of days since the last password change.
### maxbadpasswords
The `maxbadpasswords` property tests the count of max badpassword settings for a specific user.
its('maxbadpasswords') { should eq 7 }
where `7` is the count of maximum bad password attempts.
### badpasswordattempts
The `badpasswordattempts` property tests the count of bad password attempts for a user.
its('badpasswordattempts') { should eq 0 }
where `0` is the count of bad passwords for a user.
On Linux based operating systems it relies on `lastb` and for Windows it uses information stored for the user object.
These settings will be resetted to `0` depending on your operating system configuration.
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Use a regular expression to find users
### Use a regular expression to find users:
describe users.where { uid =~ /S\-1\-5\-21\-\d+\-\d+\-\d+\-500/ } do
it { should exist }
end
### Test only allowed users exist
### Test that only allowed users exist:
allowed_users = %w(user1 user2 user3)
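Review bot: `its('gid') { should eq 1234 } }` and `its('uid') { should eq 1234 } }` each have an extra closing brace. More substantively, this is the plural `users` resource whose properties return lists: the `shell` section already uses `its('shells') { should eq ['/bin/bash'] }` under a `### shell` heading, while the other sections copied from the `user` page use singular names with scalar values (`should eq 1234`, `should eq 'root'`). Headings, property names and example values should be made consistent with the list-returning form. Also: `should_be <= 365` should be `should be <= 365`, "resetted" should be "reset", and the renamed example headings now end in a colon ("### Use a regular expression to find users:"), which none of the other resource pages do.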
@ -83,95 +177,3 @@ For a full list of available matchers, please visit our [matchers page](/inspec/
The `exist` matcher tests if the named user exists:
it { should exist }
### gid
The `gid` matcher tests the group identifier:
its('gid') { should eq 1234 } }
where `1234` represents the user identifier.
### group
The `group` matcher tests the group to which the user belongs:
its('group') { should eq 'root' }
where `root` represents the group.
### groups
The `groups` matcher tests two (or more) groups to which the user belongs:
its('groups') { should eq ['root', 'other']}
### home
The `home` matcher tests the home directory path for the user:
its('home') { should eq '/root' }
### maxdays
The `maxdays` matcher tests the maximum number of days between password changes:
its('maxdays') { should eq 99 }
where `99` represents the maximum number of days.
### mindays
The `mindays` matcher tests the minimum number of days between password changes:
its('mindays') { should eq 0 }
where `0` represents the maximum number of days.
### shell
The `shell` matcher tests the path to the default shell for the user:
its('shells') { should eq ['/bin/bash'] }
### uid
The `uid` matcher tests the user identifier:
its('uid') { should eq 1234 } }
where `1234` represents the user identifier.
### warndays
The `warndays` matcher tests the number of days a user is warned before a password must be changed:
its('warndays') { should eq 5 }
where `5` represents the number of days a user is warned.
### passwordage
The `passwordage` matcher tests the number of days a user changed its password:
its('passwordage') { should_be <= 365 }
where `365` represents the number of days since the last password change.
### maxbadpasswords
The `maxbadpasswords` matcher tests the count of max badpassword settings for a specific user.
its('maxbadpasswords') { should eq 7 }
where `7` is the count of maximum bad password attempts.
### badpasswordattempts
The `badpasswordattempts` matcher tests the count of bad password attempts for a user.
its('badpasswordattempts') { should eq 0 }
where `0` is the count of bad passwords for a user.
On Linux based operating systems it relies on `lastb` and for Windows it uses information stored for the user object.
These settings will be resetted to `0` depending on your operating system configuration.

@ -38,6 +38,66 @@ where
- `('setting')` is a setting in the `xinetd.conf` file
- `should eq 'value'` is the value that is expected
## Properties
### ids
The `ids` property tests if the named service is located under `/etc/xinet.d`:
its('ids') { should include 'service_name' }
For example:
its('ids') { should include 'chargen-stream chargen-dgram'}
### services
The `services` property tests if the named service is listed under `/etc/xinet.d`:
its('services') { should include 'service_name' }
### socket_types
The `socket_types` property tests if a service listed under `/etc/xinet.d` is configured to use the named socket type.
Use `socket` if the socket type is `dgram`, `raw`, or `stream`:
its('socket_types') { should eq 'socket' }
For a UDP-based service:
its('socket_types') { should eq 'dgram' }
For a raw socket (such as a service using a non-standard protocol or a service that requires direct access to IP):
its('socket_types') { should eq 'raw' }
For a TCP-based service:
its('socket_types') { should eq 'stream' }
### types
The `types` property tests the service type:
its('type') { should eq 'TYPE' }
where `'TYPE'` is `INTERNAL` (for a service provided by xinetd), `RPC` (for a service based on remote procedure call), or `UNLISTED` (for services not under `/etc/services` or `/etc/rpc`).
### wait
The `wait` property tests how a service handles incoming connections.
For UDP (`dgram`) socket types, the `wait` property should test for `yes`:
its('socket_types') { should eq 'dgram' }
its('wait') { should eq 'yes' }
For TCP (`stream`) socket types, the `wait` property should test for `no`:
its('socket_types') { should eq 'stream' }
its('wait') { should eq 'no' }
## Examples
The following examples show how to use this Chef InSpec audit resource.
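Review bot: the rewritten `socket_types` text is now harder to read than the old one: "Use `socket` if the socket type is `dgram`, `raw`, or `stream`" followed by `its('socket_types') { should eq 'socket' }` presents `socket` as if it were a real value, where the old wording made clear it is a placeholder for one of the three. Drop that pair and keep the three concrete examples. Two further points in this hunk: the `### types` heading is illustrated with `its('type')`, so one of the two names is wrong; and `/etc/xinet.d` (several occurrences) should be `/etc/xinetd.d`.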
@ -108,59 +168,3 @@ For a full list of available matchers, please visit our [matchers page](/inspec/
The `be_enabled` matcher tests if a service listed under `/etc/xinet.d` is enabled:
it { should be_enabled }
### ids
The `ids` matcher tests if the named service is located under `/etc/xinet.d`:
its('ids') { should include 'service_name' }
For example:
its('ids') { should include 'chargen-stream chargen-dgram'}
### services
The `services` matcher tests if the named service is listed under `/etc/xinet.d`:
its('services') { should include 'service_name' }
### socket_types
The `socket_types` matcher tests if a service listed under `/etc/xinet.d` is configured to use the named socket type:
its('socket_types') { should eq 'socket' }
where `socket` is one of `dgram`, `raw`, or `stream`. For a UDP-based service:
its('socket_types') { should eq 'dgram' }
For a raw socket (such as a service using a non-standard protocol or a service that requires direct access to IP):
its('socket_types') { should eq 'raw' }
For a TCP-based service:
its('socket_types') { should eq 'stream' }
### types
The `types` matcher tests the service type:
its('type') { should eq 'TYPE' }
where `'TYPE'` is `INTERNAL` (for a service provided by xinetd), `RPC` (for a service based on remote procedure call), or `UNLISTED` (for services not under `/etc/services` or `/etc/rpc`).
### wait
The `wait` matcher tests how a service handles incoming connections.
For UDP (`dgram`) socket types the `wait` matcher should test for `yes`:
its('socket_types') { should eq 'dgram' }
its('wait') { should eq 'yes' }
For TCP (`stream`) socket types the `wait` matcher should test for `no`:
its('socket_types') { should eq 'stream' }
its('wait') { should eq 'no' }

@ -37,6 +37,10 @@ where:
- `MATCHER` is a valid matcher for this resource
- `'value'` is the value to be tested
## Properties
This Chef InSpec audit resource dynamically exposes all ZFS pool properties available (see: `man zpool` for the list of supported properties).
## Examples
The following examples show how to use this Chef InSpec audit resource.
@ -54,4 +58,4 @@ The following examples show how to use this Chef InSpec audit resource.
## Matchers
This Chef InSpec audit resource dynamically exposes all ZFS pool properties available (see: `man zpool` for the list of supported properties). For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

@ -40,7 +40,7 @@ control_id:
justification: "reason for waiving this control"
```
- `expiration_date` is optional. Absence means the waiver is permanent.
- `expiration_date` sets the day that the waiver file will expire in YYYY-MM-DD format. Waiver files expire at 00:00 at the local time of the system on the specified date. Waiver files without an expiration date are permanent. `expiration_date` is optional.
- `run` is optional. If absent or true, the control will run and be
reported, but failures in it won't make the overall run fail. If present and false, the control will not be run. You may use any of yes, no, true or false. To avoid confusion, it is good practice to explicitly specify whether the control should run.
- `justification` can be any text you want and might include a reason

@ -1,7 +1,7 @@
[build]
[build.environment]
HUGO_VERSION = "0.83.1"
HUGO_VERSION = "0.91.2"
HUGO_ENABLEGITINFO = "true"
GO_VERSION = "1.15"
NODE_ENV = "development"

@ -3,14 +3,14 @@
title '/tmp profile'
# you add controls here
control "tmp-1.0" do # A unique ID for this control
control 'tmp-1.0' do # A unique ID for this control
impact 0.7 # The criticality, if this control fails.
title "Create /tmp directory" # A human-readable title
desc "An optional description..." # Describe why this is needed
desc "label", "An optional description with a label" # Pair a part of the description with a label
tag data: "temp data" # A tag allows you to associate key information
tag "security" # to the test
ref "Document A-12", url: 'http://...' # Additional references
title 'Create /tmp directory' # A human-readable title
desc 'An optional description...' # Describe why this is needed
desc 'label', 'An optional description with a label' # Pair a part of the description with a label
tag data: 'temp data' # A tag allows you to associate key information
tag 'security' # to the test
ref 'Document A-12', url: 'http://...' # Additional references
describe file('/tmp') do # The actual test
it { should be_directory }

@ -8,8 +8,8 @@ control 'ssh-1' do
The default setting in /etc/ssh/sshd_config is correct, and can be
verified by ensuring that the following line appears: Protocol 2'
tag 'production','development'
tag 'ssh','sshd','openssh-server'
tag 'production', 'development'
tag 'ssh', 'sshd', 'openssh-server'
tag cce: 'CCE-27072-8'
tag disa: 'RHEL-06-000227'

@ -1,11 +1,11 @@
require "yaml"
require 'yaml'
# Custom resource based on the InSpec resource DSL
class ExampleConfig < Inspec.resource(1)
name "example_config"
name 'example_config'
supports platform: "unix"
supports platform: "windows"
supports platform: 'unix'
supports platform: 'windows'
desc "
Example's resource description ...
@ -21,7 +21,7 @@ class ExampleConfig < Inspec.resource(1)
# Load the configuration file on initialization
def initialize
@params = {}
@path = "/tmp/example/config.yaml"
@path = '/tmp/example/config.yaml'
@file = inspec.file(@path)
unless @file.file?
@ -32,9 +32,9 @@ class ExampleConfig < Inspec.resource(1)
begin
@params = YAML.load(@file.content)
# Add two extra matchers
@params["file_size"] = @file.size
@params["file_path"] = @path
@params["ruby"] = "RUBY IS HERE TO HELP ME!"
@params['file_size'] = @file.size
@params['file_path'] = @path
@params['ruby'] = 'RUBY IS HERE TO HELP ME!'
rescue StandardError => e
raise Inspec::Exceptions::ResourceSkipped, "#{@file}: #{e.message}"
end
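Review bot: `YAML.load(@file.content)` deserializes arbitrary YAML read from the target, which on older Psych versions can instantiate arbitrary Ruby objects; since this file is the template people copy when writing custom resources, it should use `YAML.safe_load(@file.content)`. `safe_load` still raises on disallowed classes and malformed input, so the existing `rescue StandardError` path keeps working. Separately, the comment "# Add two extra matchers" describes params, not matchers, and the hunk is otherwise only a quote-style change.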
@ -49,7 +49,7 @@ class ExampleConfig < Inspec.resource(1)
# Example matcher for the number of commas in the file
def comma_count
text = @file.content
text.count(",")
text.count(',')
end
# Expose all parameters

@ -1,5 +1,5 @@
# This file managed by automation - do not edit manually
module InspecBin
INSPECBIN_ROOT = File.expand_path("..", __dir__)
VERSION = "4.50.14".freeze
VERSION = "4.55.9".freeze
end

@ -13,7 +13,7 @@ Gem::Specification.new do |spec|
spec.license = "Apache-2.0"
spec.require_paths = ["lib"]
spec.required_ruby_version = ">= 2.5"
spec.required_ruby_version = ">= 2.6"
# the gemfile and gemspec are necessary for appbundler so don't remove it
spec.files =

@ -13,7 +13,7 @@ Gem::Specification.new do |spec|
spec.license = "Apache-2.0"
spec.require_paths = ["lib"]
spec.required_ruby_version = ">= 2.5"
spec.required_ruby_version = ">= 2.6"
# ONLY the aws/azure/gcp files. The rest will come in from inspec-core
# the gemspec is necessary for appbundler so don't remove it

@ -8,8 +8,27 @@ To use the CLI, this InSpec add-on adds the following commands:
Compliance profiles from Supermarket can be executed in two ways:
- via supermarket exec: `inspec supermarket exec nathenharvey/tmp-compliance-profile`
- via supermarket scheme: `inspec exec supermarket://nathenharvey/tmp-compliance-profile`
- via supermarket exec:
**Public Supermarket**
`inspec supermarket exec nathenharvey/tmp-compliance-profile`
**Private Supermarket**
`inspec supermarket exec nathenharvey/tmp-compliance-profile --supermarket_url="PRIVATE_SUPERMARKET_URL"`
- via supermarket scheme:
**Public Supermarket**
`inspec exec supermarket://nathenharvey/tmp-compliance-profile`
**Private Supermarket**
`inspec exec supermarket://nathenharvey/tmp-compliance-profile --supermarket_url="PRIVATE_SUPERMARKET_URL"`
## Usage

@ -15,10 +15,18 @@ module Supermarket
end
desc "profiles", "list all available profiles in Chef Supermarket"
supermarket_options
def profiles
# display profiles in format user/profile
supermarket_profiles = Supermarket::API.profiles
o = config
diagnose(o)
configure_logger(o)
# display profiles in format user/profile
supermarket_profiles = if o["supermarket_url"]
Supermarket::API.profiles(o["supermarket_url"])
else
Supermarket::API.profiles
end
headline("Available profiles:")
supermarket_profiles.each do |p|
li("#{p["tool_name"]} #{mark_text(p["tool_owner"] + "/" + p["slug"])}")
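Review bot: the `if o["supermarket_url"] ... else ... end` selection around `Supermarket::API.profiles` is repeated verbatim in `info` in the next hunk; since `profiles` evidently accepts the URL as an optional argument, a single `Supermarket::API.profiles(o["supermarket_url"] || Supermarket::API::SUPERMARKET_URL)` (or a small private helper returning the resolved URL) would keep the two commands from drifting apart.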
@ -45,9 +53,18 @@ module Supermarket
end
desc "info PROFILE", "display Supermarket profile details"
supermarket_options
def info(profile)
o = config
diagnose(o)
configure_logger(o)
# check that the profile is available
supermarket_profiles = Supermarket::API.profiles
supermarket_profiles = if o["supermarket_url"]
Supermarket::API.profiles(o["supermarket_url"])
else
Supermarket::API.profiles
end
found = supermarket_profiles.select do |p|
profile == "#{p["tool_owner"]}/#{p["slug"]}"
end
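Review bot: same duplicated URL branching as in `profiles` above; see that comment. Note that `o["supermarket_url"]` is used exactly as typed, with no check on its scheme, so the resolution point in the fetcher (next hunk) is where that validation belongs.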

@ -9,10 +9,11 @@ module Supermarket
priority 500
def self.resolve(target, opts = {})
supermarket_url = opts["supermarket_url"] || Supermarket::API::SUPERMARKET_URL
supermarket_uri, supermarket_server = if target.is_a?(String) && URI(target).scheme == "supermarket"
[target, Supermarket::API::SUPERMARKET_URL]
[target, supermarket_url]
elsif target.respond_to?(:key?) && target.key?(:supermarket)
supermarket_server = target[:supermarket_url] || Supermarket::API::SUPERMARKET_URL
supermarket_server = target[:supermarket_url] || supermarket_url
["supermarket://#{target[:supermarket]}", supermarket_server]
end
return nil unless supermarket_uri
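Review bot: the precedence between the two sources of the server URL deserves a comment: for a hash target, `target[:supermarket_url] || supermarket_url` lets a dependency's own `supermarket_url` win over the CLI `--supermarket_url`, while for a string `supermarket://` target only the CLI value is consulted. That is probably what you want (a profile's declared source should not be silently redirected by a global flag), but say so in a comment so nobody "fixes" it later. The local variable name `supermarket_url` also shadows the meaning of the `opts` key, which makes the `||` chain harder to read.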

@ -126,6 +126,8 @@ module Inspec
desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
option :docker_url, type: :string,
desc: "Provides path to Docker API endpoint (Docker)"
option :ssh_config_file, type: :array,
desc: "A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config"
end
def self.profile_options
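Review bot: the description says "e.g ~/.ssh/config" and should read "e.g. ~/.ssh/config"; since this is an array option, the text should also say that later files take precedence over (or are merged with) earlier ones, whichever the transport does, so the user knows what passing several paths means.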
@ -135,9 +137,15 @@ module Inspec
desc: "Use the given path for caching dependencies. (default: ~/.inspec/cache)"
end
def self.supermarket_options
option :supermarket_url, type: :string,
desc: "Specify the URL of a private Chef Supermarket."
end
def self.exec_options
target_options
profile_options
supermarket_options
option :controls, type: :array,
desc: "A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests."
option :tags, type: :array,
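Review bot: the description "Specify the URL of a private Chef Supermarket." should state that a full URL including scheme is expected and that the flag also applies to `supermarket://` targets given to `inspec exec`, since the fetcher uses it for both; otherwise users will try a bare hostname.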

@ -102,7 +102,8 @@ module Inspec
end
def fetcher
@fetcher ||= Inspec::CachedFetcher.new(opts, @cache)
@runner_options ||= (Inspec::Config.cached || {})
@fetcher ||= Inspec::CachedFetcher.new(opts, @cache, @runner_options)
end
# load dependencies of the dependency
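Review bot: `@runner_options ||= (Inspec::Config.cached || {})` reaches into process-global state from inside the dependency fetcher, which hides the coupling and makes this path untestable without priming `Inspec::Config`. Prefer threading the options through the constructor of the object that owns `fetcher` (the same way `opts` and `@cache` arrive), and drop the redundant parentheses.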

@ -30,6 +30,8 @@ module Inspec
c3 = Class.new do
include Inspec::DSL::RequireOverride
include Inspec::Resources
def initialize(require_loader)
@require_loader = require_loader
@inspec_binding = nil
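Review bot: `include Inspec::Resources` with no comment is easy to remove by accident. Add a one-line comment that this exposes the core resource classes (for example `Inspec::Resources::Cmd`) inside the require-override context so a custom resource can subclass a core one (the CFINSPEC-15 change this merge brings in).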

@ -11,7 +11,7 @@ class PluginRegistry
# @return [Plugin] plugin instance if it can be resolved, nil otherwise
def resolve(target, opts = {})
modules.each do |m|
res = if Inspec::Fetcher::Url == m
res = if ["Inspec::Fetcher::Url", "Supermarket::Fetcher"].include? m.to_s
m.resolve(target, opts)
else
m.resolve(target)
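Review bot: `["Inspec::Fetcher::Url", "Supermarket::Fetcher"].include? m.to_s` dispatches on class names as strings, which silently stops working if either class is renamed or a third fetcher wants options. Either give every registered fetcher a `resolve(target, opts = {})` signature so the branch disappears, or check `m.method(:resolve).arity` rather than the name.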

@ -68,6 +68,7 @@ module Inspec
end
def reload_dsl
@resource_registry.merge!(Inspec::Resource.new_registry)
@control_eval_context = nil
end
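Review bot: `@control_eval_context = nil` needs a comment saying it invalidates the memoised eval context so controls evaluated after `reload_dsl` see the newly merged resources; without it the line reads like a stray reset.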
@ -263,9 +264,3 @@ module Inspec
end # DomainSpecificLunacy
end # ProfileContext
end
if RUBY_VERSION < "2.5"
class Module
public :define_method
end
end
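Review bot: dropping the `RUBY_VERSION < "2.5"` shim is fine as long as the gemspec's `required_ruby_version` already excludes older rubies; please confirm that in the same change so the removal is not the only thing enforcing the floor.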

@ -41,6 +41,7 @@ require "inspec/resources/cassandradb_session"
require "inspec/resources/cassandradb_conf"
require "inspec/resources/cassandra"
require "inspec/resources/crontab"
require "inspec/resources/timezone"
require "inspec/resources/dh_params"
require "inspec/resources/directory"
require "inspec/resources/docker"

@ -28,12 +28,13 @@ module Inspec::Resources
EXAMPLE
def initialize
unless inspec.command("/sbin/auditctl").exist?
@auditctl_cmd_str = inspec.os.name.eql?("alpine") ? "/usr/sbin/auditctl" : "/sbin/auditctl"
unless inspec.command(@auditctl_cmd_str).exist?
raise Inspec::Exceptions::ResourceFailed,
"Command `/sbin/auditctl` does not exist"
"Command `#{@auditctl_cmd_str}` does not exist"
end
auditctl_cmd = "/sbin/auditctl -l"
auditctl_cmd = "#{@auditctl_cmd_str} -l"
result = inspec.command(auditctl_cmd)
if result.exit_status != 0
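Review bot: hard-coding `/usr/sbin/auditctl` for Alpine and `/sbin/auditctl` for everyone else will need another branch for the next distribution that moves the binary. Resolve it once instead, e.g. try the known paths in order and fall back to a bare `auditctl`, the same pattern `find_iptables_or_error` uses in the iptables resource; `inspec.os.name.eql?("alpine")` can also just be `== "alpine"`.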
@ -68,7 +69,7 @@ module Inspec::Resources
filter.install_filter_methods_on_resource(self, :params)
def status(name = nil)
@status_content ||= inspec.command("/sbin/auditctl -s").stdout.chomp
@status_content ||= inspec.command("#{@auditctl_cmd_str} -s").stdout.chomp
# See: https://github.com/inspec/inspec/issues/3113
if @status_content =~ /^AUDIT_STATUS/

@ -5,6 +5,8 @@ module Inspec::Resources
class Bash < Cmd
name "bash"
supports platform: "unix"
supports platform: "esx"
desc "Run a command or script in BASH."
example <<~EXAMPLE
describe bash('ls -al /') do

@ -61,6 +61,24 @@ module Inspec::Resources
res.force_encoding("utf-8")
end
# returns hash containing list of users/groups and their file permissions.
def user_permissions
return {} unless exist?
return skip_reource"`user_permissions` is not supported on your OS yet." unless inspec.os.windows?
@perms_provider.user_permissions(file)
end
# returns true if inheritance is enabled on file or folder
def inherited?
return false unless exist?
return skip_resource "`inherited?` is not supported on your OS yet." unless inspec.os.windows?
@perms_provider.inherited?(file)
end
def contain(*_)
raise "Contain is not supported. Please use standard RSpec matchers."
end
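Review bot: `return skip_reource"..."` in `user_permissions` is a typo for `skip_resource` (and is missing the space), so on a non-Windows target this raises `NoMethodError` instead of skipping. Also put the OS check before `exist?` in both methods: as written, a non-Windows target with a missing file quietly returns `{}` / `false` rather than reporting the resource as unsupported.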
@ -244,6 +262,26 @@ module Inspec::Resources
end
class WindowsFilePermissions < FilePermissions
def user_permissions(file)
script = <<-EOH
$Acl = Get-Acl -Path #{file.path}
$Result = foreach ($Access in $acl.Access) {
[PSCustomObject]@{
$Access.IdentityReference.Value = $Access.FileSystemRights.ToString()
}
}
$Result | ConvertTo-Json
EOH
result = inspec.powershell(script)
JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
end
def inherited?(file)
cmd = inspec.command("(Get-Acl -Path #{file.path}).access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
cmd.stdout.chomp == "0" ? false : true
end
def check_file_permission_by_mask(_file, _access_type, _usergroup, _specific_user)
raise "`check_file_permission_by_mask` is not supported on Windows"
end
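Review bot: two problems in `user_permissions`. First, `Get-Acl -Path #{file.path}` interpolates the path unquoted, so any path with a space breaks and a path that comes from profile inputs can inject PowerShell; wrap it as `-Path '#{file.path.gsub("'", "''")}'`. Second, `ConvertTo-Json` emits a bare object rather than a one-element array when `$Result` holds a single ACE, and `Hash#inject(&:merge)` on that returns a `[key, value]` array instead of a hash; normalise on the Ruby side (`parsed = JSON.load(out); parsed = [parsed] unless parsed.is_a?(Array)`) before merging. The same unquoted `#{file.path}` appears in `inherited?`.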

@ -162,7 +162,7 @@ module Inspec::Resources
current_kernel = file_line.split(" ", 2)[1]
lines.drop(index + 1).each do |kernel_line|
if kernel_line =~ /^\s.*/
if kernel_line =~ /(?:^\s*\w+)/ && !(kernel_line =~ /^title.*/)
option_type = kernel_line.split(" ")[0]
line_options = kernel_line.split(" ").drop(1)
if (menu_entry == conf["default"].to_i && @kernel == "default") || current_kernel == @kernel
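Review bot: the old `^\s.*` only matched indented continuation lines, so the block ended when indentation stopped; the new `/(?:^\s*\w+)/ && !(kernel_line =~ /^title.*/)` also accepts non-indented lines, so any non-`title` line that follows the entry is now parsed as one of its options. Please check what terminates the loop in that case (a following `menuentry` or a `}` in GRUB2 files) and add a fixture for it; `!kernel_line.start_with?("title")` is also clearer than the negated regex.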

@ -121,6 +121,10 @@ module Inspec::Resources
def max_redirects
opts.fetch(:max_redirects, nil)
end
def proxy
opts.fetch(:proxy, nil)
end
end
class Local < Base
@ -141,12 +145,18 @@ module Inspec::Resources
def response
return @response if @response
Faraday.ignore_env_proxy = true if proxy == "disable"
conn = Faraday.new(url: url, headers: request_headers, params: params, ssl: { verify: ssl_verify? }) do |builder|
builder.request :url_encoded
builder.use FaradayMiddleware::FollowRedirects, limit: max_redirects unless max_redirects.nil?
builder.adapter Faraday.default_adapter
end
unless proxy == "disable" || proxy.nil?
conn.proxy = proxy
end
# set basic authentication
conn.basic_auth username, password unless username.nil? || password.nil?
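Review bot: `Faraday.ignore_env_proxy = true` is process-global class state and is never reset, so after the first `http(..., proxy: "disable")` every later Faraday connection in the same InSpec run ignores `http_proxy`/`https_proxy` as well. Either reset it in an `ensure` after the request or set the proxy explicitly per connection (`conn.proxy = nil` is not enough on its own, since Faraday falls back to the environment when no proxy is set).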
@ -252,6 +262,14 @@ module Inspec::Resources
cmd << "-X #{http_method}"
end
cmd << "--noproxy '*'" if proxy == "disable"
unless proxy == "disable" || proxy.nil?
if proxy.is_a?(Hash)
cmd << "--proxy #{proxy[:uri]} --proxy-user #{proxy[:user]}:#{proxy[:password]}"
else
cmd << "--proxy #{proxy}"
end
end
cmd << "--connect-timeout #{open_timeout}"
cmd << "--max-time #{open_timeout + read_timeout}"
cmd << "--user \'#{username}:#{password}\'" unless username.nil? || password.nil?
@ -292,6 +310,17 @@ module Inspec::Resources
else
cmd << "'#{url}?#{params.map { |e| e.join("=") }.join("&")}'"
end
proxy_script = ""
unless proxy == "disable" || proxy.nil?
cmd << "-Proxy #{proxy[:uri]}"
cmd << "-ProxyCredential $proxyCreds"
proxy_script = <<-EOH
$secPasswd = ConvertTo-SecureString "#{proxy[:password]}" -AsPlainText -Force
$proxyCreds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{proxy[:user]}",$secPasswd
EOH
end
command = cmd.join(" ")
body = "\'#{request_body}\'"
script = <<-EOH
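Review bot: `proxy[:uri]`, `proxy[:user]` and `proxy[:password]` assume a Hash, but the curl and Faraday branches also accept a plain String proxy; `"http://proxy:3128"[:uri]` raises `TypeError: no implicit conversion of Symbol into Integer`, so a string proxy on a Windows target blows up here. Mirror the `proxy.is_a?(Hash)` check used for curl. The password is also interpolated into a double-quoted PowerShell string, so `$` or backtick characters in it get expanded; single-quote it and double any embedded single quotes.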
@ -302,10 +331,10 @@ module Inspec::Resources
foreach ($property in $Body.PSObject.Properties) {
$HashTable[$property.Name] = $property.Value
}
$response = #{command} -Body $HashTable
$response = #{command} -Body $HashTable -UseBasicParsing
$response | Select-Object -Property * | ConvertTo-json # We use `Select-Object -Property * ` to get around an odd PowerShell error
EOH
script.strip
proxy_script.strip + "\n" + script.strip
end
end
end

@ -33,6 +33,7 @@ module Inspec::Resources
def initialize(params = {})
@table = params[:table]
@chain = params[:chain]
@ignore_comments = params[:ignore_comments] || false
# we're done if we are on linux
return if inspec.os.linux?
@ -59,8 +60,13 @@ module Inspec::Resources
cmd = inspec.command(iptables_cmd)
return [] if cmd.exit_status.to_i != 0
# split rules, returns array or rules
@iptables_cache = cmd.stdout.split("\n").map(&:strip)
if @ignore_comments
# split rules, returns array or rules without any comment
@iptables_cache = remove_comments_from_rules(cmd.stdout.split("\n"))
else
# split rules, returns array or rules
@iptables_cache = cmd.stdout.split("\n").map(&:strip)
end
end
def to_s
@ -69,6 +75,16 @@ module Inspec::Resources
private
def remove_comments_from_rules(rules)
rules.each do |rule|
next if rule.nil?
rule.gsub!(/ -m comment --comment "([^"]*)"/, "")
rule.strip
end
rules
end
def find_iptables_or_error
%w{/usr/sbin/iptables /sbin/iptables iptables}.each do |cmd|
return cmd if inspec.command(cmd).exist?
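Review bot: `remove_comments_from_rules` calls `rule.strip` without the bang and discards the result, so the `ignore_comments` path returns rules with their leading whitespace intact while the default path returns stripped ones, and mutating the caller's strings with `gsub!` is unnecessary. `rules.map { |rule| rule.gsub(/ -m comment --comment "([^"]*)"/, "").strip }` does what the comment promises.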

@ -76,7 +76,7 @@ module Inspec::Resources
if cmd.exit_status != 0 || out =~ /Sqlcmd: Error/
raise Inspec::Exceptions::ResourceFailed, "Could not execute the sql query #{out}"
else
DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd))
DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd.stdout))
end
end
@ -94,9 +94,17 @@ module Inspec::Resources
!query("select getdate()").empty?
end
def parse_csv_result(cmd)
def parse_csv_result(stdout)
require "csv" unless defined?(CSV)
table = CSV.parse(cmd.stdout, headers: true)
# replaces \n with \r since multiline data in older versions of database returns faulty
# formatted multiline data, example name\r\n----\r\nThis is\na multiline field\r\n
out = stdout.gsub("\n", "\r")
out = out.gsub("\r\r", "\r")
# row separator used since row delimiters \n (in linux) or \r\n (in windows)
# are converted to \r for consistency and handling faulty formatted multiline data
table = CSV.parse(out, headers: true, row_sep: "\r")
# remove first row, since it will be a seperator line
table.delete(0)
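Review bot: `stdout.gsub("\n", "\r")` followed by `row_sep: "\r"` rewrites every newline, including ones inside properly quoted multi-line field values, into a row separator, so a correctly formatted multi-line value is now split into extra rows; the comment only describes the faulty case. Add a fixture with a quoted multi-line value so the trade-off is explicit, and fix "seperator" to "separator" in the comment above `table.delete(0)`.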

@ -118,7 +118,9 @@ module Inspec::Resources
output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
converter = ->(header) { header.downcase }
CSV.parse(output, headers: true, header_converters: converter).map do |row|
revised_row = row.entries.flatten.map { |entry| entry.gsub("comma_query_sub", ",") }
next if row.entries.flatten.empty?
revised_row = row.entries.flatten.map { |entry| entry&.gsub("comma_query_sub", ",") }
Hashie::Mash.new([revised_row].to_h)
end
end
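Review bot: `next if row.entries.flatten.empty?` inside `map` yields `nil` for that row, so the returned array now contains `nil` entries that downstream filters will choke on; use `filter_map` or append `.compact` to the `map`. The `entry&.gsub` guard suggests `nil` cells are expected too; a short comment on when the CSV yields empty rows would help.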

@ -26,6 +26,7 @@ module Inspec::Resources
@cache = nil
# select package manager
@pkgman = nil
@latest_version = nil
os = inspec.os
if os.debian?
@ -60,6 +61,15 @@ module Inspec::Resources
info[:installed] == true
end
def latest?(_provider = nil, _version = nil)
os = inspec.os
if os.solaris? || (%w{hpux aix}.include? os[:family])
raise Inspec::Exceptions::ResourceSkipped, "The `be_latest` matcher is not supported on your OS yet."
end
(!info[:only_version_no].nil? && !latest_version.nil?) && (info[:only_version_no] == latest_version)
end
# returns true it the package is held (if the OS supports it)
def held?(_provider = nil, _version = nil)
info[:held] == true
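Review bot: when `latest_version` comes back `nil` (the brew provider returns `nil`, and any provider whose output has no three-part version string does too) `latest?` quietly returns `false`, so `be_latest` fails with no hint that the check could not be performed. Raise `ResourceSkipped` in that case as you already do for Solaris/HP-UX/AIX. The unused `_provider`/`_version` parameters should also get a comment if they exist only for matcher compatibility.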
@ -82,6 +92,10 @@ module Inspec::Resources
info[:version]
end
def latest_version
@latest_version ||= ( @pkgman.latest_version(@package_name) || info[:latest_version] )
end
def to_s
"System Package #{@package_name}"
end
@ -107,6 +121,21 @@ module Inspec::Resources
# combined into a `ResourceSkipped` exception message.
[]
end
private
def fetch_latest_version(cmd_string)
cmd = inspec.command(cmd_string)
if cmd.exit_status != 0
raise Inspec::Exceptions::ResourceFailed, "Failed to fetch latest version. Error: #{cmd.stderr}"
else
fetch_version_no(cmd.stdout)
end
end
def fetch_version_no(output)
output.scan(/(?:(?:\d+)[.]){2,}(?:\d+)/).max_by { |s| Gem::Version.new(s) } unless output.nil?
end
end
# Debian / Ubuntu
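Review bot: `fetch_version_no`'s regex `(?:(?:\d+)[.]){2,}(?:\d+)` requires at least three dotted components, so versions such as `2.18` or `1.14` never match and `max_by` returns `nil`; relax it to `{1,}` if two-part versions are meant to be supported. `fetch_latest_version` also scans the entire command output and takes the largest version-looking token, so with list-style commands it can pick up the version of a different package whose name merely contains `package_name`; filter on the exact package name first. `raise ... "Failed to fetch latest version."` should name the package for debuggability.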
@ -124,14 +153,21 @@ module Inspec::Resources
# If the package is installed and marked hold, Status is "hold ok installed"
# If the package is removed and not purged, Status is "deinstall ok config-files" with exit_status 0
# If the package is purged cmd fails with non-zero exit status
{
name: params["Package"],
installed: params["Status"].split(" ")[2] == "installed",
held: params["Status"].split(" ")[0] == "hold",
version: params["Version"],
type: "deb",
only_version_no: fetch_version_no(params["Version"]),
}
end
def latest_version(package_name)
cmd_string = "apt list #{package_name} -a"
fetch_latest_version(cmd_string)
end
end
# RHEL family
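Review bot: `only_version_no: fetch_version_no(params["Version"])` strips the epoch and Debian revision, so a package at `1.14.2-1` with `1.14.2-2` available (a typical security rebuild) is reported as latest; compare full version strings unless there is a reason not to. `apt list #{package_name} -a` interpolates the name into a shell command without escaping; use `Shellwords.escape`.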
@ -181,9 +217,15 @@ module Inspec::Resources
installed: true,
version: "#{v}-#{r}",
type: "rpm",
only_version_no: "#{v}",
}
end
def latest_version(package_name)
cmd_string = "yum list #{package_name}"
fetch_latest_version(cmd_string)
end
private
def rpm_command(package_name)
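Review bot: `only_version_no: "#{v}"` is just `v`; as with deb, dropping the release `r` means a rebuilt RPM with the same upstream version is treated as latest. `yum list #{package_name}` prints both the installed and available sections, so scanning for the maximum version works but depends on the name being escaped and on `yum` being present (dnf-only systems need an alias).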
@ -216,11 +258,17 @@ module Inspec::Resources
installed: true,
version: pkg["installed"][0]["version"],
type: "brew",
latest_version: pkg["versions"]["stable"],
only_version_no: pkg["installed"][0]["version"],
}
rescue JSON::ParserError => e
raise Inspec::Exceptions::ResourceFailed,
"Failed to parse JSON from `brew` command. Error: #{e}"
end
def latest_version(package_name)
nil
end
end
# Arch Linux
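Review bot: `def latest_version(package_name); nil; end` leaves an unused parameter that rubocop will flag; name it `_package_name` and add a comment that the brew info hash already carries `versions.stable`, which `latest_version` on the resource falls back to via `info[:latest_version]`.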
@ -240,8 +288,14 @@ module Inspec::Resources
installed: true,
version: params["Version"],
type: "pacman",
only_version_no: fetch_version_no(params["Version"]),
}
end
def latest_version(package_name)
cmd_string = "pacman -Ss #{package_name} | grep #{package_name} | grep installed"
fetch_latest_version(cmd_string)
end
end
class HpuxPkg < PkgManagement
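Review bot: `pacman -Ss #{package_name} | grep #{package_name} | grep installed` is a substring search on both sides, so for `nginx` it will also match `nginx-mod-*` packages and return whichever of their versions is largest; `pacman -Si #{package_name}` (escaped) returns a single package's repository version. A failing `grep` also makes the pipeline exit non-zero and turns "no match" into `ResourceFailed`.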
@ -267,13 +321,20 @@ module Inspec::Resources
pkg_info = cmd.stdout.split("\n").delete_if { |e| e =~ /^WARNING/i }
pkg = pkg_info[0].split(" - ")[0]
version = pkg.partition("-")[2]
{
name: pkg.partition("-")[0],
installed: true,
version: pkg.partition("-")[2],
version: version,
type: "pkg",
only_version_no: fetch_version_no(version),
}
end
def latest_version(package_name)
cmd_string = "apk info #{package_name}"
fetch_latest_version(cmd_string)
end
end
class FreebsdPkg < PkgManagement
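Review bot: `apk info #{package_name}` prints the description, webpage and installed size for the installed package (see the `apk-info-cmd` fixture: `git-2.18.4-r0 description: ...`), not the repository version, so the version scraped out of it is the installed one and `be_latest` is always true on Alpine for three-part versions. Use a command that reports the available version (e.g. `apk version #{package_name}` or `apk policy`) and escape the name.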
@ -292,8 +353,14 @@ module Inspec::Resources
installed: true,
version: params["Version"],
type: "pkg",
only_version_no: params["Version"],
}
end
def latest_version(package_name)
cmd_string = "pkg version -v | grep #{package_name}"
fetch_latest_version(cmd_string)
end
end
# Determines the installed packages on Windows using the Windows package registry entries.
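Review bot: `pkg version -v | grep #{package_name}` matches substrings of other package names, and `only_version_no: params["Version"]` is the raw string here while the other providers pass it through `fetch_version_no`, so FreeBSD versions with a port revision (`1.20.1_2`) will never equal the scraped value. Be consistent about which form is compared.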
@ -339,8 +406,14 @@ module Inspec::Resources
installed: true,
version: package["DisplayVersion"],
type: "windows",
only_version_no: package["DisplayVersion"],
}
end
def latest_version(package_name)
cmd_string = "Get-Package #{package_name} -AllVersions"
fetch_latest_version(cmd_string)
end
end
# AIX
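Review bot: `Get-Package #{package_name} -AllVersions` lists versions installed via PackageManagement providers; it does not query a source for a newer version, so this cannot tell whether the package is current (`Find-Package` is the cmdlet that consults sources). It is also a PowerShell command line fed to `inspec.command`, which only works when the transport runs commands through PowerShell; `inspec.powershell` would make that explicit. The name should be quoted as well.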

@ -26,6 +26,8 @@ module Inspec::Resources
@pkgs = Debs.new(inspec)
elsif os.redhat? || %w{suse amazon fedora}.include?(os[:family])
@pkgs = Rpms.new(inspec)
elsif ["alpine"].include?(os[:name])
@pkgs = AlpinePkgs.new(inspec)
else
return skip_resource "The packages resource is not yet supported on OS #{inspec.os.name}"
end
@ -108,4 +110,23 @@ module Inspec::Resources
end
end
end
# RedHat family
class AlpinePkgs < PkgsManagement
def build_package_list
command = "apk list --no-network --installed"
cmd = inspec.command(command)
all = cmd.stdout.split("\n")
return [] if all.nil? || cmd.exit_status.to_i != 0
all.map do |m|
next if m =~ /^WARNING/i
a = m.split(" ")
version = a[0].split("-")[-2]
name = a[2].gsub(/[{}^]*/, "")
PackageStruct.new("installed", name, version, a[1])
end
end
end
end
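Review bot: `name = a[2].gsub(/[{}^]*/, "")` takes the braced field, which in the `apk-info` fixture is the origin package rather than the package itself (`virtualbox-guest-modules-virt-4.14.167-r0 ... {virtualbox-guest-modules-vanilla}`), so that entry would be reported under the wrong name; derive the name from `a[0]` by stripping the trailing `-<version>-r<N>`. `version = a[0].split("-")[-2]` also drops the `-rN` release. `next if m =~ /^WARNING/i` inside `map` leaves `nil` elements, so add `.compact`, and the `# RedHat family` comment above `AlpinePkgs` is a copy-paste leftover.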

@ -105,6 +105,21 @@ module Inspec::Resources
children_keys(@options[:path], filter)
end
# returns hash containing users / groups and their permission
def user_permissions
return {} unless exists?
get_permissions(@options[:path])
end
# returns true if inheritance is enabled for registry key.
def inherited?
return false unless exists?
cmd = inspec.command("(Get-Acl -Path 'Registry::#{@options[:path]}').access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
cmd.stdout.chomp == "0" ? false : true
end
# returns nil, if not existent or value
def method_missing(*keys)
# allow the use of array syntax in an `its` block so that users
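Review bot: `inherited?` builds a PowerShell pipeline with `'Registry::#{@options[:path]}'` inside single quotes, so a key path containing `'` breaks the quoting and can inject into the script; double any embedded single quotes (`@options[:path].gsub("'", "''")`) before interpolating, here and in `get_permissions`. Returning `false` from `inherited?` for a missing key also hides "key does not exist" behind a plausible answer; consider raising or skipping.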
@ -283,6 +298,21 @@ module Inspec::Resources
key.start_with?("\\") ? key : "\\#{key}"
end
def get_permissions(path)
script = <<~EOH
$path = '#{path}'
$Acl = Get-Acl -Path ('Registry::' + $path)
$Result = foreach ($Access in $acl.Access) {
[PSCustomObject]@{
$Access.IdentityReference = $Access.RegistryRights.ToString()
}
}
$Result | ConvertTo-Json
EOH
result = inspec.powershell(script)
JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
end
end
class WindowsRegistryKey < RegistryKey
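Review bot: `$Access.IdentityReference` is used as the hashtable key here whereas the file resource uses `$Access.IdentityReference.Value`; it works because `ConvertTo-Json` stringifies the key, but keep the two implementations consistent. As in the file resource, a single ACE makes `ConvertTo-Json` emit one object instead of an array and `inject(&:merge)` then returns an array, so wrap the parsed value in an array when it is a Hash before merging. `$path = '#{path}'` has the same single-quote escaping issue noted for `inherited?`.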

@ -191,6 +191,8 @@ module Inspec::Resources
Svcs.new(inspec)
when "yocto"
Systemd.new(inspec, service_ctl)
when "alpine"
SysV.new(inspec, service_ctl)
end
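Review bot: Alpine's init system is OpenRC, not SysV init. OpenRC does ship `/etc/init.d` scripts so `running?` via the SysV provider may work, but enabled state is tracked by `rc-update`/runlevels rather than `rc*.d` symlinks, so `be_enabled` results from `SysV` need verifying on a real Alpine host, or an OpenRC-aware provider should be added.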
end

@ -38,6 +38,7 @@ module Inspec::Resources
"tls1.0",
"tls1.1",
"tls1.2",
"tls1.3",
].freeze
attr_reader :host, :port, :timeout, :retries
@ -72,6 +73,11 @@ module Inspec::Resources
protocol: proto, ciphers: e.map(&:cipher),
timeout: x.resource.timeout, retries: x.resource.retries, servername: x.resource.host)]
end
if !res[0].empty? && res[0][1].key?("error") && res[0][1]["error"].include?("Connection error Errno::ECONNREFUSED")
raise "#{res[0][1]["error"]}"
end
Hash[res]
end
.install_filter_methods_on_resource(self, :scan_config)
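Review bot: `raise "#{res[0][1]["error"]}"` should raise `Inspec::Exceptions::ResourceFailed` with the message rather than a bare `RuntimeError`, so the control is reported as a resource failure; the string interpolation around a single expression is also redundant. Only `res[0]` is inspected, which is fine for a refused connection (every protocol fails the same way) but a comment saying so would stop someone "fixing" it into a loop.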
@ -89,6 +95,7 @@ module Inspec::Resources
{ "protocol" => "tls1.0", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
{ "protocol" => "tls1.1", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
{ "protocol" => "tls1.2", "ciphers" => SSLShake::TLS::TLS_CIPHERS.keys },
{ "protocol" => "tls1.3", "ciphers" => SSLShake::TLS::TLS13_CIPHERS.keys },
].map do |line|
line["ciphers"].map do |cipher|
{ "protocol" => line["protocol"], "cipher" => cipher }

@ -0,0 +1,65 @@
require "inspec/resources/command"
module Inspec::Resources
class TimeZone < Cmd
name "timezone"
supports platform: "unix"
supports platform: "windows"
desc "Check for timezone configurations"
example <<~EXAMPLE
describe timezone do
its('identifier') { should eq 'Asia/Kolkata' }
its('name') { should eq 'IST' }
its('time_offset') { should eq '+0530' }
end
EXAMPLE
def initialize
@output = {}
os = inspec.os
cmd = if os.windows?
inspec.command("Get-TimeZone")
else
inspec.command("timedatectl status | grep -i 'Time zone'")
end
if cmd.exit_status != 0
raise Inspec::Exceptions::ResourceFailed, "Time Zone resource with error: #{cmd.stderr}"
else
if os.windows?
splitted_output = cmd.stdout.strip.gsub(/\r/, "").split("\n").select { |out| (out.include? "Id") || (out.include? "DisplayName") || (out.include? "BaseUtcOffset") }
@output["identifier"] = split_and_fetch_last(splitted_output[1])
@output["name"] = split_and_fetch_last(splitted_output[0])
@output["time_offset"] = split_and_fetch_last(splitted_output[2])
else
splitted_output = cmd.stdout.split(":")[-1]&.strip&.gsub(/[(),^]*/, "")&.split(" ") || []
@output["identifier"] = splitted_output[0]
@output["name"] = splitted_output[1]
@output["time_offset"] = splitted_output[2]
end
end
end
def identifier
@output["identifier"]
end
def name
@output["name"]
end
def time_offset
@output["time_offset"]
end
def to_s
"Time Zone resource"
end
private
def split_and_fetch_last(string_value)
string_value.split(" :")[-1].strip
end
end
end
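Review bot: `timedatectl status | grep -i 'Time zone'` only exists on systemd hosts, so on other `unix` platforms the resource raises `ResourceFailed` instead of skipping; either narrow `supports` or fall back to `/etc/timezone` / `date +%Z`. On Windows the three lines are picked by substring and then indexed positionally, so `identifier` ends up as the `DisplayName` line and `name` as the `Id` line, the reverse of the Linux mapping where `identifier` is the zone id (`Asia/Kolkata`) and `name` the abbreviation; `Get-TimeZone | ConvertTo-Json` and reading keys avoids both the ordering dependency and the `NoMethodError` on `nil` when fewer than three lines match. `splitted_output` should be `split_output`.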

@ -1,3 +1,3 @@
module Inspec
VERSION = "4.50.14".freeze
VERSION = "4.55.9".freeze
end

@ -1,6 +1,6 @@
GIT
remote: https://github.com/chef/omnibus-software.git
revision: 7501e2036a654e4918e9fffd8ee6ef69f3b7f633
revision: b646beda0dfb54efc14b0348cebd5de830cf2127
branch: main
specs:
omnibus-software (4.0.0)
@ -8,10 +8,10 @@ GIT
GIT
remote: https://github.com/chef/omnibus.git
revision: 2c309fa8df525e57f3c234fe23e47fb5133f0370
revision: 2bf77bb5515a13bb0ce745f3d4c074ee50a6bf24
branch: main
specs:
omnibus (8.2.6)
omnibus (8.2.7)
aws-sdk-s3 (~> 1)
chef-cleanroom (~> 1.0)
chef-utils (>= 15.4)
@ -33,17 +33,17 @@ GEM
artifactory (3.0.15)
awesome_print (1.9.2)
aws-eventstream (1.2.0)
aws-partitions (1.533.0)
aws-sdk-core (3.122.1)
aws-partitions (1.549.0)
aws-sdk-core (3.125.5)
aws-eventstream (~> 1, >= 1.0.2)
aws-partitions (~> 1, >= 1.525.0)
aws-sigv4 (~> 1.1)
jmespath (~> 1.0)
aws-sdk-kms (1.51.0)
aws-sdk-core (~> 3, >= 3.122.0)
aws-sdk-kms (1.53.0)
aws-sdk-core (~> 3, >= 3.125.0)
aws-sigv4 (~> 1.1)
aws-sdk-s3 (1.106.0)
aws-sdk-core (~> 3, >= 3.122.0)
aws-sdk-s3 (1.111.2)
aws-sdk-core (~> 3, >= 3.125.0)
aws-sdk-kms (~> 1)
aws-sigv4 (~> 1.4)
aws-sigv4 (1.4.0)
@ -194,9 +194,9 @@ GEM
faraday-net_http_persistent (1.2.0)
faraday_middleware (1.1.0)
faraday (~> 1.0)
ffi (1.15.4)
ffi (1.15.4-x64-mingw32)
ffi (1.15.4-x86-mingw32)
ffi (1.15.5)
ffi (1.15.5-x64-mingw32)
ffi (1.15.5-x86-mingw32)
ffi-libarchive (1.1.3)
ffi (~> 1.0)
ffi-win32-extensions (1.0.4)
@ -238,7 +238,7 @@ GEM
iostruct (0.0.4)
ipaddress (0.8.3)
iso8601 (0.13.0)
jmespath (1.4.0)
jmespath (1.5.0)
json (2.6.1)
kitchen-vagrant (1.11.0)
test-kitchen (>= 1.4, < 4)
@ -248,7 +248,7 @@ GEM
tomlrb (>= 1.2, < 3.0)
tty-box (~> 0.6)
tty-prompt (~> 0.20)
license_scout (1.2.13)
license_scout (1.2.14)
ffi-yajl (~> 2.2)
mixlib-shellout (>= 2.2, < 4.0)
toml-rb (>= 1, < 3)
@ -313,7 +313,7 @@ GEM
parslet (1.8.2)
pastel (0.8.0)
tty-color (~> 0.5)
pedump (0.6.2)
pedump (0.6.3)
awesome_print
iostruct (>= 0.0.4)
multipart-post (>= 2.0.0)
@ -326,7 +326,7 @@ GEM
method_source (~> 1.0)
public_suffix (4.0.6)
rack (2.2.3)
rainbow (3.0.0)
rainbow (3.1.1)
retryable (3.0.5)
rspec (3.10.0)
rspec-core (~> 3.10.0)
@ -363,7 +363,7 @@ GEM
strings-ansi (0.2.0)
structured_warnings (0.4.0)
syslog-logger (1.6.8)
test-kitchen (3.2.0)
test-kitchen (3.2.2)
bcrypt_pbkdf (~> 1.0)
chef-utils (>= 16.4.35)
ed25519 (~> 1.2)
@ -377,11 +377,11 @@ GEM
winrm (~> 2.0)
winrm-elevated (~> 1.0)
winrm-fs (~> 1.1)
thor (1.1.0)
toml-rb (2.1.0)
thor (1.2.1)
toml-rb (2.1.1)
citrus (~> 3.0, > 3.0)
tomlrb (1.3.0)
train-core (3.8.1)
train-core (3.8.6)
addressable (~> 2.5)
ffi (!= 1.13.0)
json (>= 1.8, < 3.0)

test/fixtures/cmd/apk-info (new file)
@ -0,0 +1,6 @@
libxmu-1.1.2-r1 x86_64 {libxmu} (custom) [installed]
virtualbox-guest-modules-virt-4.14.167-r0 x86_64 {virtualbox-guest-modules-vanilla} (GPL-2.0 custom) [installed]
pkgconf-1.5.3-r0 x86_64 {pkgconf} (ISC) [installed]
nginx-1.14.2-r2 x86_64 {nginx} (BSD-2-Clause) [installed]
dmidecode-3.1-r0 x86_64 {dmidecode} (GPL) [installed]
syslinux-6.04_pre1-r1 x86_64 {syslinux} (GPL) [installed]
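Review bot: this fixture is `apk list --installed` output (the format `build_package_list` parses), but it is named `apk-info`, which is the command the package resource's `latest_version` runs; name it after the command it mocks so the two fixtures are not confused. The `virtualbox-guest-modules-virt` line is a good case to assert on in the test, since its braced origin differs from the package name.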

test/fixtures/cmd/apk-info-cmd (new file)
@ -0,0 +1 @@
git-2.18.4-r0 description:\nDistributed version control system\n\ngit-2.18.4-r0 webpage:\nhttps://www.git-scm.com/\n\ngit-2.18.4-r0 installed size:\n13213696\n\n
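Review bot: the fixture is a single line containing literal `\n` sequences rather than real newlines, so it does not look like actual `apk info git` output; the version scan still finds `2.18.4`, which is the installed version, confirming that `apk info` is the wrong source for "latest available". Write the fixture with real line breaks and switch it to the output of whichever command ends up providing the repository version.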
