Mirrors/inspec
2
0
Fork 0
mirror of https://github.com/inspec/inspec synced 2024-11-22 20:53:11 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'main' into ns/fully_waived

Browse source
This commit is contained in:
Clinton Wolfe 2021-10-20 17:51:09 -04:00 committed by GitHub
commit 43980e438d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
357 changed files with 7383 additions and 2178 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.expeditor/buildkite/artifact.habitat.test.sh
View file

@ -16,7 +16,7 @@ uname -a
echo "--- Installing Habitat"
id -a
curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | bash
curl https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh | bash
echo "--- Generating fake origin key"

51
.expeditor/buildkite/bk_linux_exec.sh Executable file
View file

@ -0,0 +1,51 @@
#!/bin/bash
# Enable IPv6 in docker
echo "--- Enabling ipv6 on docker"
sudo systemctl stop docker
dockerd_config="/etc/docker/daemon.json"
sudo echo "$(jq '. + {"ipv6": true, "fixed-cidr-v6": "2001:2019:6002::/80", "ip-forward": false}' $dockerd_config)" > $dockerd_config
sudo systemctl start docker
# Install C and C++
echo "--- Installing package deps"
sudo yum install -y gcc gcc-c++ openssl-devel readline-devel zlib-devel
# Install ASDF
echo "--- Installing asdf to ${HOME}/.asdf"
git clone https://github.com/asdf-vm/asdf.git "${HOME}/.asdf"
cd "${HOME}/.asdf"; git checkout "$(git describe --abbrev=0 --tags)"; cd -
. "${HOME}/.asdf/asdf.sh"
# Install Ruby
ruby_version=$(sed -n '/"ruby"/{s/.*version: "//;s/"//;p;}' omnibus_overrides.rb)
echo "--- Installing Ruby $ruby_version"
asdf plugin add ruby
asdf install ruby $ruby_version
asdf global ruby $ruby_version
# Set Environment Variables
export BUNDLE_GEMFILE=$PWD/Gemfile
export FORCE_FFI_YAJL=ext
export CHEF_LICENSE="accept-silent"
# Update Gems
echo "--- Installing Gems"
echo 'gem: --no-document' >> ~/.gemrc
sudo iptables -L DOCKER || ( echo "DOCKER iptables chain missing" ; sudo iptables -N DOCKER )
bundle install --jobs=3 --retry=3 --path=../vendor/bundle
echo "--- Config information"
echo "!!!! RUBY VERSION !!!!"
ruby --version
echo "!!!! BUNDLER LOCATION !!!!"
which bundle
echo "!!!! BUNDLER VERSION !!!!"
bundle -v
echo "!!!! DOCKER VERSION !!!!"
docker version
echo "!!!! DOCKER STATUS !!!!"
sudo service docker status
echo "+++ Running tests"

70
.expeditor/buildkite/coverage.sh
View file

@ -1,70 +0,0 @@
#!/bin/bash
set -ueo pipefail
export LANG=C.UTF-8 LANGUAGE=C.UTF-8
# test-reporter expects reporter identifier under this environment variable
CC_TEST_REPORTER_ID="$COVERAGE_ID"
export CC_TEST_REPORTER_ID
TEST_REPORTER_VERSION="0.6.3"
S3_URL="s3://public-cd-buildkite-cache/$BUILDKITE_PIPELINE_SLUG/$BUILDKITE_LABEL"
download_test_reporter() {
curl -o test-reporter -L https://codeclimate.com/downloads/test-reporter/test-reporter-"$TEST_REPORTER_VERSION"-linux-amd64
chmod +x test-reporter
touch new_test-reporter
}
download_s3_file() {
aws s3 cp "$S3_URL/$1" "$1"
}
upload_s3_file() {
if [ -f "$1" ]; then
aws s3 cp "$1" "$S3_URL/$1" || echo "Could not push $1 to S3 for caching."
fi
}
echo "--- downloading coverage tool"
download_s3_file test-reporter || download_test_reporter
download_s3_file test-reporter.sha || echo -e "\nCould not download test-reporter.sha"
echo "--- updating rubygems"
gem update --system -N
echo "--- system details"
uname -a
gem env
bundle --version
echo "--- setting up test coverage before build"
./test-reporter before-build
echo "--- bundle install"
bundle install --jobs=7 --retry=3 --without tools maintenance deploy
echo "+++ bundle exec rake"
bundle exec rake test
EXIT_CODE=$?
echo "+++ formatting and uploading test coverage"
./test-reporter sum-coverage
./test-reporter after-build -t simplecov --exit-code "$EXIT_CODE"
echo "--- uploading test-reporter.sha to s3"
if [ -f "new_test-reporter" ]; then
echo "new test-reporter detected. uploading."
shasum -a 256 test-reporter > test-reporter.sha
for i in "test-reporter" "test-reporter.sha"; do
upload_s3_file "$i"
done
fi
if shasum --check test-reporter.sha --status; then
echo "test-reporter shasum mismatch. uploading."
shasum -a 256 test-reporter > test-reporter.sha
for i in "test-reporter" "test-reporter.sha"; do
upload_s3_file "$i"
done
fi

3
.expeditor/buildkite/verify.ps1
View file

@ -5,7 +5,8 @@ ruby -v
bundle --version
echo "--- bundle install"
bundle install --jobs=7 --retry=3 --without tools maintenance deploy
bundle config set --local without tools maintenance deploy
bundle install --jobs=7 --retry=3
echo "+++ bundle exec rake test:parallel"
bundle exec rake test:parallel K=4

3
.expeditor/buildkite/verify.sh
View file

@ -25,7 +25,8 @@ pull_bundle
echo "--- bundle"
bundle config --local path vendor/bundle
bundle install --jobs=7 --retry=3 --without tools maintenance deploy
bundle config set --local without tools maintenance deploy
bundle install --jobs=7 --retry=3
echo "--- push bundle cache"
push_bundle

3
.expeditor/buildkite/wwwrelease.sh
View file

@ -7,7 +7,8 @@ set -ue
echo "--- bundle install"
cd www
bundle install --jobs=7 --retry=3 --without tools maintenance deploy
bundle config set --local without tools maintenance deploy
bundle install --jobs=7 --retry=3
echo "+++ bundle exec rake"
bundle exec rake www V=1 PUSH=1

185
.expeditor/config.yml
View file

@ -31,15 +31,10 @@ pipelines:
- SLOW: 1
- NO_AWS: 1
- MT_CPU: 5
- coverage:
description: Generate test coverage report
env:
- CI_ENABLE_COVERAGE: true
- LANG: "C.UTF-8"
- SLOW: 1
- integration/resources:
description: Test core resources with test-kitchen.
definition: .expeditor/integration.resources.yml
trigger: pull_request
# This breaks expeditor as it does not yet exist
# - integration/libraries:
# description: Integration with plugins, gems, resource packs.
@ -75,8 +70,9 @@ github:
minor_bump_labels:
- "Expeditor: Bump Minor Version"
version_tag_format: v{{version}}
release_branch:
- master:
release_branches:
- main:
version_constraint: 4.*
- 1-stable:
version_constraint: 1.*
@ -95,90 +91,91 @@ changelog:
- "Type: Enhancement": "Enhancements"
- "Type: Bug": "Bug Fixes"
merge_actions:
- built_in:bump_version:
ignore_labels:
- "Expeditor: Skip All"
- "Expeditor: Skip Version Bump"
only_if_modified:
- .expeditor/*
- docs-chef-io/*
- etc/*
- habitat/*
- inspec-bin/*
- lib/*
- omnibus/*
- support/*
- tasks/*
- test/*
- Gemfile*
- LICENSE
- "*.gemspec"
- "*.md"
- bash:.expeditor/update_version.sh:
only_if: built_in:bump_version
- built_in:update_changelog:
ignore_labels:
- "Expeditor: Skip All"
- "Expeditor: Skip Changelog"
- trigger_pipeline:omnibus/adhoc:
not_if: built_in:bump_version
ignore_labels:
- "Expeditor: Skip Omnibus"
- "Expeditor: Skip All"
- trigger_pipeline:artifact/habitat:
only_if: built_in:bump_version
ignore_labels:
- "Expeditor: Skip Habitat"
- "Expeditor: Skip All"
- trigger_pipeline:omnibus/release:
only_if: built_in:bump_version
ignore_labels:
- "Expeditor: Skip Omnibus"
- "Expeditor: Skip All"
- trigger_pipeline:habitat/build:
only_if: built_in:bump_version
ignore_labels:
- "Expeditor: Skip Habitat"
- "Expeditor: Skip All"
- built_in:build_gem:
only_if:
- built_in:bump_version
subscriptions:
- workload: artifact_published:unstable:inspec:{{version_constraint}}
actions:
- trigger_pipeline:docker/build
- bash:.expeditor/buildkite/wwwrelease.sh:
post_commit: true
- workload: artifact_published:current:inspec:{{version_constraint}}
actions:
- built_in:promote_docker_images
- built_in:promote_habitat_packages
- workload: artifact_published:stable:inspec:{{version_constraint}}
actions:
- bash:.expeditor/update_dockerfile.sh
- built_in:rollover_changelog
- built_in:publish_rubygems
- built_in:create_github_release
- built_in:promote_docker_images
- built_in:promote_habitat_packages
- bash:.expeditor/publish-release-notes.sh:
post_commit: true
- purge_packages_chef_io_fastly:{{target_channel}}/inspec/latest:
post_commit: true
- bash:.expeditor/announce-release.sh:
post_commit: true
- built_in:notify_chefio_slack_channels
- workload: pull_request_opened:{{agent_id}}:*
actions:
- post_github_comment:.expeditor/templates/pull_request.mustache:
ignore_team_members:
- inspec/owners
- inspec/inspec-core-team
- built_in:github_auto_assign_author:
only_if_team_member:
- inspec/owners
- inspec/inspec-core-team
- trigger_pipeline:coverage
- trigger_pipeline:artifact/habitat
- workload: pull_request_merged:{{github_repo}}:{{release_branch}}:*
actions:
- built_in:bump_version:
ignore_labels:
- "Expeditor: Skip All"
- "Expeditor: Skip Version Bump"
only_if_modified:
- .expeditor/*
- docs-chef-io/*
- etc/*
- habitat/*
- inspec-bin/*
- lib/*
- omnibus/*
- support/*
- tasks/*
- test/*
- Gemfile*
- LICENSE
- "*.gemspec"
- "*.md"
- bash:.expeditor/update_version.sh:
only_if: built_in:bump_version
- built_in:update_changelog:
ignore_labels:
- "Expeditor: Skip All"
- "Expeditor: Skip Changelog"
- trigger_pipeline:omnibus/adhoc:
not_if: built_in:bump_version
ignore_labels:
- "Expeditor: Skip Omnibus"
- "Expeditor: Skip All"
- trigger_pipeline:artifact/habitat:
only_if: built_in:bump_version
ignore_labels:
- "Expeditor: Skip Habitat"
- "Expeditor: Skip All"
- trigger_pipeline:omnibus/release:
only_if: built_in:bump_version
ignore_labels:
- "Expeditor: Skip Omnibus"
- "Expeditor: Skip All"
- trigger_pipeline:habitat/build:
only_if: built_in:bump_version
ignore_labels:
- "Expeditor: Skip Habitat"
- "Expeditor: Skip All"
- built_in:build_gem:
only_if:
- built_in:bump_version
- workload: artifact_published:unstable:inspec:{{version_constraint}}
actions:
- trigger_pipeline:docker/build
- bash:.expeditor/buildkite/wwwrelease.sh:
post_commit: true
- workload: artifact_published:current:inspec:{{version_constraint}}
actions:
- built_in:promote_docker_images
- built_in:promote_habitat_packages
- workload: project_promoted:{{agent_id}}:*
actions:
- built_in:promote_artifactory_artifact
- workload: artifact_published:stable:inspec:{{version_constraint}}
actions:
- bash:.expeditor/update_dockerfile.sh
- built_in:rollover_changelog
- built_in:publish_rubygems
- built_in:create_github_release
- built_in:promote_docker_images
- built_in:promote_habitat_packages
- bash:.expeditor/publish-release-notes.sh:
post_commit: true
- purge_packages_chef_io_fastly:{{target_channel}}/inspec/latest:
post_commit: true
- bash:.expeditor/announce-release.sh:
post_commit: true
- built_in:notify_chefio_slack_channels
- workload: pull_request_opened:{{github_repo}}:{{release_branch}}:*
actions:
- post_github_comment:.expeditor/templates/pull_request.mustache:
ignore_team_members:
- inspec/owners
- inspec/inspec-core-team
- built_in:github_auto_assign_author:
only_if_team_member:
- inspec/owners
- inspec/inspec-core-team

19
.expeditor/coverage.pipeline.yml
View file

@ -1,19 +0,0 @@
---
expeditor:
defaults:
buildkite:
timeout_in_minutes: 30
steps:
- label: coverage
commands:
- .expeditor/buildkite/coverage.sh
expeditor:
executor:
docker:
secrets:
COVERAGE_ID:
path: secret/coveralls/inspec/inspec
field: reporter_id

202
.expeditor/integration.resources.yml
View file

@ -1 +1,201 @@
#
---
expeditor:
defaults:
buildkite:
timeout_in_minutes: 60
retry:
automatic:
limit: 1
steps:
- label: "Kitchen: resources-amazonlinux-2"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
- . /var/lib/buildkite-agent/.asdf/asdf.sh
- bundle exec kitchen test resources-amazonlinux-2
artifact_paths:
- $PWD/.kitchen/logs/kitchen.log
env:
KITCHEN_YAML: kitchen.dokken.yml
DOCKER: 1
expeditor:
executor:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-centos-7"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
- . /var/lib/buildkite-agent/.asdf/asdf.sh
- bundle exec kitchen test resources-centos-7
artifact_paths:
- $PWD/.kitchen/logs/kitchen.log
env:
KITCHEN_YAML: kitchen.dokken.yml
DOCKER: 1
expeditor:
executor:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-centos-8"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
- . /var/lib/buildkite-agent/.asdf/asdf.sh
- bundle exec kitchen test resources-centos-8
artifact_paths:
- $PWD/.kitchen/logs/kitchen.log
env:
KITCHEN_YAML: kitchen.dokken.yml
DOCKER: 1
expeditor:
executor:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-debian-9"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
- . /var/lib/buildkite-agent/.asdf/asdf.sh
- bundle exec kitchen test resources-debian-9
artifact_paths:
- $PWD/.kitchen/logs/kitchen.log
env:
KITCHEN_YAML: kitchen.dokken.yml
DOCKER: 1
expeditor:
executor:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-debian-10"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
- . /var/lib/buildkite-agent/.asdf/asdf.sh
- bundle exec kitchen test resources-debian-10
artifact_paths:
- $PWD/.kitchen/logs/kitchen.log
env:
KITCHEN_YAML: kitchen.dokken.yml
DOCKER: 1
expeditor:
executor:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-fedora-latest"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
- . /var/lib/buildkite-agent/.asdf/asdf.sh
- bundle exec kitchen test resources-fedora-latest
artifact_paths:
- $PWD/.kitchen/logs/kitchen.log
env:
KITCHEN_YAML: kitchen.dokken.yml
DOCKER: 1
expeditor:
executor:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-oraclelinux-7"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
- . /var/lib/buildkite-agent/.asdf/asdf.sh
- bundle exec kitchen test resources-oraclelinux-7
artifact_paths:
- $PWD/.kitchen/logs/kitchen.log
env:
KITCHEN_YAML: kitchen.dokken.yml
DOCKER: 1
expeditor:
executor:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-oraclelinux-8"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
- . /var/lib/buildkite-agent/.asdf/asdf.sh
- bundle exec kitchen test resources-oraclelinux-8
artifact_paths:
- $PWD/.kitchen/logs/kitchen.log
env:
KITCHEN_YAML: kitchen.dokken.yml
DOCKER: 1
expeditor:
executor:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-opensuse-leap"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
- . /var/lib/buildkite-agent/.asdf/asdf.sh
- bundle exec kitchen test resources-opensuse-leap
artifact_paths:
- $PWD/.kitchen/logs/kitchen.log
env:
KITCHEN_YAML: kitchen.dokken.yml
DOCKER: 1
expeditor:
executor:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-ubuntu-1604"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
- . /var/lib/buildkite-agent/.asdf/asdf.sh
- bundle exec kitchen test resources-ubuntu-1604
artifact_paths:
- $PWD/.kitchen/logs/kitchen.log
env:
KITCHEN_YAML: kitchen.dokken.yml
DOCKER: 1
expeditor:
executor:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-ubuntu-1804"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
- . /var/lib/buildkite-agent/.asdf/asdf.sh
- bundle exec kitchen test resources-ubuntu-1804
artifact_paths:
- $PWD/.kitchen/logs/kitchen.log
env:
KITCHEN_YAML: kitchen.dokken.yml
DOCKER: 1
expeditor:
executor:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-ubuntu-2004"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
- . /var/lib/buildkite-agent/.asdf/asdf.sh
- bundle exec kitchen test resources-ubuntu-2004
artifact_paths:
- $PWD/.kitchen/logs/kitchen.log
env:
KITCHEN_YAML: kitchen.dokken.yml
DOCKER: 1
expeditor:
executor:
linux:
privileged: true
single-use: true

13
.expeditor/release.omnibus.yml
View file

@ -6,28 +6,35 @@ test-path-windows: omnibus/omnibus-test.ps1
fips-platforms:
- el-*-x86_64
- windows-*
- ubuntu-*-x86_64
builder-to-testers-map:
debian-9-x86_64:
- debian-9-x86_64
- debian-10-x86_64
- debian-11-x86_64
debian-10-aarch64:
- debian-10-aarch64
- debian-11-aarch64
el-6-x86_64:
- el-6-x86_64
el-7-aarch64:
- el-7-aarch64
- el-8-aarch64
- amazon-2-aarch64
el-7-x86_64:
- el-7-x86_64
- el-8-x86_64
- amazon-2-x86_64
el-8-aarch64:
- el-8-aarch64
el-8-x86_64:
- el-8-x86_64
mac_os_x-10.14-x86_64:
- mac_os_x-10.14-x86_64
- mac_os_x-10.15-x86_64
- mac_os_x-11-x86_64
- mac_os_x-12-x86_64
mac_os_x-11-arm64:
- mac_os_x-11-arm64
- mac_os_x-12-arm64
sles-12-x86_64:
- sles-12-x86_64
- sles-15-x86_64
@ -45,5 +52,7 @@ builder-to-testers-map:
- windows-2012r2-x86_64
- windows-2016-x86_64
- windows-2019-x86_64
- windows-2022-x86_64
- windows-8-x86_64
- windows-10-x86_64
- windows-11-x86_64

2
.expeditor/update_dockerfile.sh
View file

@ -3,7 +3,7 @@
# This file updates the default VERSION build argument in the Dockerfile to the
# VERSION passed in to the file via environment variables.
#
# This ensures the Dockerfile in inspec master will list the version of the latest
# This ensures the Dockerfile in inspec main will list the version of the latest
# stable release for any community member who wishes to build their own container
# from scratch.
#

12
.github/dependabot.yml vendored Normal file
View file

@ -0,0 +1,12 @@
version: 2
updates:
- package-ecosystem: bundler
directory: "/"
schedule:
interval: daily
open-pull-requests-limit: 10
- package-ecosystem: bundler
directory: "/omnibus"
schedule:
interval: daily
open-pull-requests-limit: 10

3
.github/labeler.yml vendored Normal file
View file

@ -0,0 +1,3 @@
documentation:
- 'docs-chef-io/**/*'

11
.github/workflows/labeler.yml vendored Normal file
View file

@ -0,0 +1,11 @@
name: "Pull Request Labeler"
on:
- pull_request_target
jobs:
triage:
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@main
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"

4
.gitignore vendored
View file

@ -36,6 +36,4 @@ results/
terraform.tfstate*
terraform.tfstate.backup
terraform.tfvars
test/**/*.lock
www/Gemfile.lock
www/source/index.html.slim
test/**/*.lock

0
.gitmodules vendored
View file

245
CHANGELOG.md
View file

@ -1,22 +1,250 @@
# Change Log
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
<!-- latest_release 4.30.0 -->
## [v4.30.0](https://github.com/inspec/inspec/tree/v4.30.0) (2021-04-05)
<!-- latest_release 4.47.8 -->
## [v4.47.8](https://github.com/inspec/inspec/tree/v4.47.8) (2021-10-19)
#### Merged Pull Requests
- Add timeout option to command resource [#5443](https://github.com/inspec/inspec/pull/5443) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Oracle db session resource fix - when invoking query using os user and db role [#5702](https://github.com/inspec/inspec/pull/5702) ([Nik08](https://github.com/Nik08))
<!-- latest_release -->
<!-- release_rollup since=4.29.3 -->
### Changes since 4.29.3 release
<!-- release_rollup since=4.46.13 -->
### Changes since 4.46.13 release
#### New Features
- Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) <!-- 4.47.0 -->
#### Merged Pull Requests
- Add timeout option to command resource [#5443](https://github.com/inspec/inspec/pull/5443) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 4.30.0 -->
- Update inputs.md [#5449](https://github.com/inspec/inspec/pull/5449) ([IanMadd](https://github.com/IanMadd)) <!-- 4.29.5 -->
- Fix for Deprecation warning and FilterTable::ExceptionCatcher to show exact failure message. [#5441](https://github.com/inspec/inspec/pull/5441) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.29.4 -->
- Oracle db session resource fix - when invoking query using os user and db role [#5702](https://github.com/inspec/inspec/pull/5702) ([Nik08](https://github.com/Nik08)) <!-- 4.47.8 -->
- Enable repeatable builds by bundling Gemfile.lock [#5688](https://github.com/inspec/inspec/pull/5688) ([tas50](https://github.com/tas50)) <!-- 4.47.7 -->
- Fix google_container_node_pool.md [#5696](https://github.com/inspec/inspec/pull/5696) ([pradeepbhadani](https://github.com/pradeepbhadani)) <!-- 4.47.6 -->
- Renamed Inspec DSL to Inspec Language [#5694](https://github.com/inspec/inspec/pull/5694) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) <!-- 4.47.5 -->
- Group &amp; User Resources - Resolve name case-sensitivity issue for windows [#5667](https://github.com/inspec/inspec/pull/5667) ([Nik08](https://github.com/Nik08)) <!-- 4.47.4 -->
- Update GCS Storage class list [#5676](https://github.com/inspec/inspec/pull/5676) ([pradeepbhadani](https://github.com/pradeepbhadani)) <!-- 4.47.3 -->
- Improvements to the inspec.yml docs [#5679](https://github.com/inspec/inspec/pull/5679) ([tas50](https://github.com/tas50)) <!-- 4.47.2 -->
- Update the unit test files to use latest versions of OS rather than the older. [#5681](https://github.com/inspec/inspec/pull/5681) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.47.1 -->
- Update OpenSSL on macOS to 1.1.1l [#5687](https://github.com/inspec/inspec/pull/5687) ([tas50](https://github.com/tas50)) <!-- 4.47.0 -->
- Add back Ubuntu 16.04 packages + testing [#5689](https://github.com/inspec/inspec/pull/5689) ([tas50](https://github.com/tas50)) <!-- 4.46.15 -->
- Replaced /main/ from /master/ [#5678](https://github.com/inspec/inspec/pull/5678) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) <!-- 4.46.14 -->
<!-- release_rollup -->
<!-- latest_stable_release -->
## [v4.46.13](https://github.com/inspec/inspec/tree/v4.46.13) (2021-09-30)
#### New Features
- Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Add ibmdb2_conf and ibmdb2_session resource [#5614](https://github.com/inspec/inspec/pull/5614) ([Vasu1105](https://github.com/Vasu1105))
- adds chrony_conf InSpec resource [#5589](https://github.com/inspec/inspec/pull/5589) ([collinmcneese](https://github.com/collinmcneese))
#### Enhancements
- Add csv without headers support in csv resource [#5665](https://github.com/inspec/inspec/pull/5665) ([Vasu1105](https://github.com/Vasu1105))
- Add option in `postgres_session` resource to establish socket connection [#5664](https://github.com/inspec/inspec/pull/5664) ([Nik08](https://github.com/Nik08))
#### Bug Fixes
- Fix main in expeditor script [#5669](https://github.com/inspec/inspec/pull/5669) ([kagarmoe](https://github.com/kagarmoe))
- Fix --tags filter for dependent profiles [#5657](https://github.com/inspec/inspec/pull/5657) ([Nik08](https://github.com/Nik08))
#### Merged Pull Requests
- Add labeler workflow with docs label [#5655](https://github.com/inspec/inspec/pull/5655) ([IanMadd](https://github.com/IanMadd))
- Docs edits [#5654](https://github.com/inspec/inspec/pull/5654) ([IanMadd](https://github.com/IanMadd))
- Fix branch name in docs makefile [#5660](https://github.com/inspec/inspec/pull/5660) ([IanMadd](https://github.com/IanMadd))
- Update inspec check docs for --format option [#5617](https://github.com/inspec/inspec/pull/5617) ([Vasu1105](https://github.com/Vasu1105))
- Add support for Mssql Conf resource [#5574](https://github.com/inspec/inspec/pull/5574) ([Nik08](https://github.com/Nik08))
- Add support for Oracle Configuration Resources (Oracle Db Conf &amp; Oracle Listener Conf) [#5573](https://github.com/inspec/inspec/pull/5573) ([Nik08](https://github.com/Nik08))
- Added missing cli commands in cli doc [#5634](https://github.com/inspec/inspec/pull/5634) ([Nik08](https://github.com/Nik08))
- Fix google_project_alert_policy Examples in the docs [#5426](https://github.com/inspec/inspec/pull/5426) ([wmetaw](https://github.com/wmetaw))
- Update code to remove ruby 2.4 support [#5645](https://github.com/inspec/inspec/pull/5645) ([Vasu1105](https://github.com/Vasu1105))
- Minor docs fixes. [#5662](https://github.com/inspec/inspec/pull/5662) ([IanMadd](https://github.com/IanMadd))
- Add rocky and almalinux to service resource [#5604](https://github.com/inspec/inspec/pull/5604) ([sspans-sbp](https://github.com/sspans-sbp))
- Change the deprecation warning to mention inputs [#5668](https://github.com/inspec/inspec/pull/5668) ([damacus](https://github.com/damacus))
- Build packages for debian 11, macos 12, windows 11/2022 [#5675](https://github.com/inspec/inspec/pull/5675) ([tas50](https://github.com/tas50))
- Fix --controls option was not working for dependent profile [#5656](https://github.com/inspec/inspec/pull/5656) ([Vasu1105](https://github.com/Vasu1105))
- Fix opa_cli and opa_api resource unable to verify empty result {} [#5671](https://github.com/inspec/inspec/pull/5671) ([Vasu1105](https://github.com/Vasu1105))
<!-- latest_stable_release -->
## [v4.41.20](https://github.com/inspec/inspec/tree/v4.41.20) (2021-09-01)
#### Merged Pull Requests
- Build fix for ruby version 2.5 - HTML Proofer gem installation error [#5610](https://github.com/inspec/inspec/pull/5610) ([Nik08](https://github.com/Nik08))
- Fix range based filtering in filter tables [#5598](https://github.com/inspec/inspec/pull/5598) ([Nik08](https://github.com/Nik08))
- Fix apache_conf issue when Server Root is not present in configuration [#5601](https://github.com/inspec/inspec/pull/5601) ([Nik08](https://github.com/Nik08))
- Fix `--insecure` not working with profile [#5600](https://github.com/inspec/inspec/pull/5600) ([Nik08](https://github.com/Nik08))
- Fix `--chef-license=accept` option to only show license accepted message [#5609](https://github.com/inspec/inspec/pull/5609) ([Nik08](https://github.com/Nik08))
- Fix postgres_session error Unable to connect to database [#5619](https://github.com/inspec/inspec/pull/5619) ([Vasu1105](https://github.com/Vasu1105))
- Fix merging of included conf and main conf params in apache conf [#5623](https://github.com/inspec/inspec/pull/5623) ([Nik08](https://github.com/Nik08))
- Add aliyun3 support to service resource [#5578](https://github.com/inspec/inspec/pull/5578) ([elsnepal](https://github.com/elsnepal))
- Fedora runtime support documented [#5628](https://github.com/inspec/inspec/pull/5628) ([Nik08](https://github.com/Nik08))
- Updated inspec-aws git url to replace branch to master to main [#5637](https://github.com/inspec/inspec/pull/5637) ([Vasu1105](https://github.com/Vasu1105))
- Replace use of wmic from security_identifier resource as it will be deprecated soon [#5636](https://github.com/inspec/inspec/pull/5636) ([Vasu1105](https://github.com/Vasu1105))
- Updated security_policy resource docs [#5633](https://github.com/inspec/inspec/pull/5633) ([Vasu1105](https://github.com/Vasu1105))
- Added info about the Minitest framework in contributing doc [#5630](https://github.com/inspec/inspec/pull/5630) ([Nik08](https://github.com/Nik08))
- Fix for security_policy resource does not return array for local groups [#5629](https://github.com/inspec/inspec/pull/5629) ([Vasu1105](https://github.com/Vasu1105))
- Proposed implementation for installation warnings [#5625](https://github.com/inspec/inspec/pull/5625) ([tecracer-theinen](https://github.com/tecracer-theinen))
- Update location of default branch for omnibus and omnibus-software [#5648](https://github.com/inspec/inspec/pull/5648) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Fix url fetcher when default git profile branch is not master [#5638](https://github.com/inspec/inspec/pull/5638) ([Nik08](https://github.com/Nik08))
- Fix tags processing issue in profiles [#5643](https://github.com/inspec/inspec/pull/5643) ([Nik08](https://github.com/Nik08))
## [v4.41.2](https://github.com/inspec/inspec/tree/v4.41.2) (2021-08-16)
#### New Features
- Add support for OPA: add resource opa_cli and opa_api [#5592](https://github.com/inspec/inspec/pull/5592) ([Vasu1105](https://github.com/Vasu1105))
#### Bug Fixes
- Pin mongo gem to 2.13.2 to avoid broken symlink [#5615](https://github.com/inspec/inspec/pull/5615) ([clintoncwolfe](https://github.com/clintoncwolfe))
#### Merged Pull Requests
- Add mongodb_session resource and docs. [#5572](https://github.com/inspec/inspec/pull/5572) ([Vasu1105](https://github.com/Vasu1105))
- Filter active controls in profile by tags [#5596](https://github.com/inspec/inspec/pull/5596) ([Nik08](https://github.com/Nik08))
- Remove empty .gitmodules file [#5616](https://github.com/inspec/inspec/pull/5616) ([tduffield](https://github.com/tduffield))
- Fix the typo in documentation file for opa_api resource [#5608](https://github.com/inspec/inspec/pull/5608) ([Vasu1105](https://github.com/Vasu1105))
## [v4.38.9](https://github.com/inspec/inspec/tree/v4.38.9) (2021-07-22)
#### Enhancements
- Remove default port for mssql_session, allowing named connections [#5584](https://github.com/inspec/inspec/pull/5584) ([Nik08](https://github.com/Nik08))
- Update postgresql resources to normalize it for platform supports [#5576](https://github.com/inspec/inspec/pull/5576) ([Vasu1105](https://github.com/Vasu1105))
#### Merged Pull Requests
- Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08))
- Waiver file expiration dates misinterpretation fix [#5586](https://github.com/inspec/inspec/pull/5586) ([Nik08](https://github.com/Nik08))
- Need to back out x25519 gem as its causing issues for ssh [#5590](https://github.com/inspec/inspec/pull/5590) ([Vasu1105](https://github.com/Vasu1105))
- Use ruby 2.7.4 [#5602](https://github.com/inspec/inspec/pull/5602) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Remove mention of AWS tests from README [#5603](https://github.com/inspec/inspec/pull/5603) ([clintoncwolfe](https://github.com/clintoncwolfe))
## [v4.38.3](https://github.com/inspec/inspec/tree/v4.38.3) (2021-07-02)
#### Merged Pull Requests
- Add support for mongodb_conf resource in InSpec [#5562](https://github.com/inspec/inspec/pull/5562) ([Vasu1105](https://github.com/Vasu1105))
- Fix AWS secret key environment variable name in docs [#5566](https://github.com/inspec/inspec/pull/5566) ([sandratiffin](https://github.com/sandratiffin))
- Fix relative links [#5556](https://github.com/inspec/inspec/pull/5556) ([IanMadd](https://github.com/IanMadd))
- Misc updates to the README [#5526](https://github.com/inspec/inspec/pull/5526) ([clintoncwolfe](https://github.com/clintoncwolfe))
## [v4.37.30](https://github.com/inspec/inspec/tree/v4.37.30) (2021-06-16)
#### Bug Fixes
- Include x25519 KEX module in omnibus build [#5563](https://github.com/inspec/inspec/pull/5563) ([clintoncwolfe](https://github.com/clintoncwolfe))
#### Merged Pull Requests
- Minor MD reformatting for dev-docs page [#5550](https://github.com/inspec/inspec/pull/5550) ([IanMadd](https://github.com/IanMadd))
- Fix mysql_session resource to raise exception if there is a error in connection or in query [#5551](https://github.com/inspec/inspec/pull/5551) ([Vasu1105](https://github.com/Vasu1105))
- Fix postgres_session resource to raise exception if there is a error in connection or in query [#5553](https://github.com/inspec/inspec/pull/5553) ([Vasu1105](https://github.com/Vasu1105))
- Restrict x25519 gem to x86 architectures [#5564](https://github.com/inspec/inspec/pull/5564) ([clintoncwolfe](https://github.com/clintoncwolfe))
## [v4.37.25](https://github.com/inspec/inspec/tree/v4.37.25) (2021-06-10)
#### Merged Pull Requests
- sshd_config is for daemon, not client - typo [#5549](https://github.com/inspec/inspec/pull/5549) ([jblaine](https://github.com/jblaine))
- Fix related to loading dependent profiles from a profile in shell [#5547](https://github.com/inspec/inspec/pull/5547) ([Nik08](https://github.com/Nik08))
## [v4.37.23](https://github.com/inspec/inspec/tree/v4.37.23) (2021-06-03)
#### Merged Pull Requests
- Update inspec init plugin [#5536](https://github.com/inspec/inspec/pull/5536) ([Vasu1105](https://github.com/Vasu1105))
- Removed support for compliance and a1 server from InSpec compliance [#5534](https://github.com/inspec/inspec/pull/5534) ([Nik08](https://github.com/Nik08))
- Add Ubuntu to list of FIPS platforms [#5533](https://github.com/inspec/inspec/pull/5533) ([clintoncwolfe](https://github.com/clintoncwolfe))
## [v4.37.20](https://github.com/inspec/inspec/tree/v4.37.20) (2021-05-26)
#### Merged Pull Requests
- Added new automate doc link for login tokens in `inspec automate login --help` command [#5529](https://github.com/inspec/inspec/pull/5529) ([Nik08](https://github.com/Nik08))
- Bugfix for `inspec detect --no-color` to not return colourful output [#5530](https://github.com/inspec/inspec/pull/5530) ([Nik08](https://github.com/Nik08))
- Drop EOL Ubuntu 16.04, build on 18.04 [#5532](https://github.com/inspec/inspec/pull/5532) ([clintoncwolfe](https://github.com/clintoncwolfe))
## [v4.37.17](https://github.com/inspec/inspec/tree/v4.37.17) (2021-05-20)
#### Enhancements
- Fix for port resource performance: adding more specific search while using ss command [#5522](https://github.com/inspec/inspec/pull/5522) ([Vasu1105](https://github.com/Vasu1105))
#### Merged Pull Requests
- Fix the lint and failing test for windows_feature resource [#5524](https://github.com/inspec/inspec/pull/5524) ([Vasu1105](https://github.com/Vasu1105))
- Support zfs_pool and zfs_dataset resources on Linux. Handled #5075 [#5523](https://github.com/inspec/inspec/pull/5523) ([kannanr](https://github.com/kannanr))
- Add basic docs for toml resource [#5514](https://github.com/inspec/inspec/pull/5514) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Add CI-CD docs [#5489](https://github.com/inspec/inspec/pull/5489) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Add explicit RHEL8 builders to omnibus build [#5527](https://github.com/inspec/inspec/pull/5527) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Changes returns nil on file non-existence through matcher `more_permissive_than` [#5519](https://github.com/inspec/inspec/pull/5519) ([Nik08](https://github.com/Nik08))
- Update control-eval Readme docs. [#5516](https://github.com/inspec/inspec/pull/5516) ([Vasu1105](https://github.com/Vasu1105))
- Added Common Errors page doc [#5517](https://github.com/inspec/inspec/pull/5517) ([Nik08](https://github.com/Nik08))
## [v4.37.8](https://github.com/inspec/inspec/tree/v4.37.8) (2021-05-12)
#### Merged Pull Requests
- Update `bond0` example to use params properly [#5518](https://github.com/inspec/inspec/pull/5518) ([gscho](https://github.com/gscho))
- HTTP resource response body coerced into UTF-8 [#5510](https://github.com/inspec/inspec/pull/5510) ([Nik08](https://github.com/Nik08))
- Fixed `automate login` fake feedback on failure [#5509](https://github.com/inspec/inspec/pull/5509) ([Nik08](https://github.com/Nik08))
- Document auxiliary reporter options on the reporter docs page [#5504](https://github.com/inspec/inspec/pull/5504) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Update chefstyle requirement from ~&gt; 1.7.1 to ~&gt; 2.0.3 [#5508](https://github.com/inspec/inspec/pull/5508) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Update Hugo and correct how build previews are generated [#5507](https://github.com/inspec/inspec/pull/5507) ([IanMadd](https://github.com/IanMadd))
- Modified windows_feature to indicate enabled rather than just available [#5506](https://github.com/inspec/inspec/pull/5506) ([jwdean](https://github.com/jwdean))
- Remove outdated instructions about testing AWS and Azure resources [#5499](https://github.com/inspec/inspec/pull/5499) ([clintoncwolfe](https://github.com/clintoncwolfe))
## [v4.37.0](https://github.com/inspec/inspec/tree/v4.37.0) (2021-05-05)
#### Enhancements
- Reinstate resource testing on supported platforms using Test-Kitchen [#5204](https://github.com/inspec/inspec/pull/5204) ([clintoncwolfe](https://github.com/clintoncwolfe))
#### Bug Fixes
- Fix : windows_firewall_rule fails to validate more than 1 rule depending on how it&#39;s executed [#5502](https://github.com/inspec/inspec/pull/5502) ([Vasu1105](https://github.com/Vasu1105))
#### Merged Pull Requests
- Update openssl to 1.1.1k on macos [#5493](https://github.com/inspec/inspec/pull/5493) ([tas50](https://github.com/tas50))
- Update Ruby in omnibus packages to 2.7.3 [#5492](https://github.com/inspec/inspec/pull/5492) ([tas50](https://github.com/tas50))
- Make sure we use chef-telemetry 1.0.8+ [#5491](https://github.com/inspec/inspec/pull/5491) ([tas50](https://github.com/tas50))
- Upgrade to GitHub-native Dependabot [#5488](https://github.com/inspec/inspec/pull/5488) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot]))
- Fixes for the integration-resources pipeline [#5501](https://github.com/inspec/inspec/pull/5501) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Fix bad link [#5498](https://github.com/inspec/inspec/pull/5498) ([IanMadd](https://github.com/IanMadd))
- Fix undefined method `+&#39; for nil:NilClass\n\nProfile: - when using profile dependencies and require_controls [#5487](https://github.com/inspec/inspec/pull/5487) ([Vasu1105](https://github.com/Vasu1105))
- Remove coverage testing [#5500](https://github.com/inspec/inspec/pull/5500) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Added alias command `automate` for `inspec compliance` [#5490](https://github.com/inspec/inspec/pull/5490) ([Nik08](https://github.com/Nik08))
## [v4.36.4](https://github.com/inspec/inspec/tree/v4.36.4) (2021-04-29)
#### New Features
- Add selinux resource with basic feature support [#5458](https://github.com/inspec/inspec/pull/5458) ([Vasu1105](https://github.com/Vasu1105))
- New input option `pattern` added for DSL and metadata inputs [#5466](https://github.com/inspec/inspec/pull/5466) ([Nik08](https://github.com/Nik08))
#### Enhancements
- Add selinux resource support for modules and booleans [#5463](https://github.com/inspec/inspec/pull/5463) ([Vasu1105](https://github.com/Vasu1105))
#### Bug Fixes
- Fix for group resource when member does not exist [#5470](https://github.com/inspec/inspec/pull/5470) ([Nik08](https://github.com/Nik08))
#### Merged Pull Requests
- Update faraday requirement from &gt;= 0.9.0, &lt; 1.4 to &gt;= 0.9.0, &lt; 1.5 [#5469](https://github.com/inspec/inspec/pull/5469) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot]))
- Minor fix - Method expected to return boolean but it was returning nil if condition check fails [#5480](https://github.com/inspec/inspec/pull/5480) ([Vasu1105](https://github.com/Vasu1105))
- updating Gemfile to support environment variables [#5485](https://github.com/inspec/inspec/pull/5485) ([jayashrig158](https://github.com/jayashrig158))
- Group &amp; Groups doc updated - about using local and etc groups [#5483](https://github.com/inspec/inspec/pull/5483) ([Nik08](https://github.com/Nik08))
- Added new property `members_array` for group &amp; groups resources. [#5479](https://github.com/inspec/inspec/pull/5479) ([Nik08](https://github.com/Nik08))
## [v4.33.1](https://github.com/inspec/inspec/tree/v4.33.1) (2021-04-21)
#### New Features
- Optionally include controls source code in CLI reporter [#5465](https://github.com/inspec/inspec/pull/5465) ([clintoncwolfe](https://github.com/clintoncwolfe))
#### Merged Pull Requests
- Update postgres_ident_conf.md [#5461](https://github.com/inspec/inspec/pull/5461) ([tobiasbp](https://github.com/tobiasbp))
- Remove default of 3600 seconds for command timeout [#5472](https://github.com/inspec/inspec/pull/5472) ([clintoncwolfe](https://github.com/clintoncwolfe))
## [v4.32.0](https://github.com/inspec/inspec/tree/v4.32.0) (2021-04-14)
#### New Features
- Added ability to pass inputs to InSpec shell using input file and cli [#5452](https://github.com/inspec/inspec/pull/5452) ([Nik08](https://github.com/Nik08))
## [v4.31.1](https://github.com/inspec/inspec/tree/v4.31.1) (2021-04-08)
#### Bug Fixes
- Use default command timeout value if timeout is 0 [#5455](https://github.com/inspec/inspec/pull/5455) ([clintoncwolfe](https://github.com/clintoncwolfe))
## [v4.31.0](https://github.com/inspec/inspec/tree/v4.31.0) (2021-04-07)
#### New Features
- Add --docker-url CLI option [#5445](https://github.com/inspec/inspec/pull/5445) ([clintoncwolfe](https://github.com/clintoncwolfe))
#### Merged Pull Requests
- Fix for Deprecation warning and FilterTable::ExceptionCatcher to show exact failure message. [#5441](https://github.com/inspec/inspec/pull/5441) ([Vasu1105](https://github.com/Vasu1105))
- Update inputs.md [#5449](https://github.com/inspec/inspec/pull/5449) ([IanMadd](https://github.com/IanMadd))
- Add timeout option to command resource [#5443](https://github.com/inspec/inspec/pull/5443) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Update platforms doc [#5442](https://github.com/inspec/inspec/pull/5442) ([IanMadd](https://github.com/IanMadd))
- Bug fix for loading hashmap inputs consistently [#5446](https://github.com/inspec/inspec/pull/5446) ([Nik08](https://github.com/Nik08))
## [v4.29.3](https://github.com/inspec/inspec/tree/v4.29.3) (2021-03-25)
#### Bug Fixes
@ -31,7 +259,6 @@
- Update codeowners for docs [#5440](https://github.com/inspec/inspec/pull/5440) ([IanMadd](https://github.com/IanMadd))
- Improve resource page menu titles [#5439](https://github.com/inspec/inspec/pull/5439) ([IanMadd](https://github.com/IanMadd))
- Add m1 support to MacOS build list [#5432](https://github.com/inspec/inspec/pull/5432) ([clintoncwolfe](https://github.com/clintoncwolfe))
<!-- latest_stable_release -->
## [v4.28.0](https://github.com/inspec/inspec/tree/v4.28.0) (2021-03-17)

2
CONTRIBUTING.md
View file

@ -26,7 +26,7 @@ We have a 3 step process for contributions:
Chef Projects are built to last. We strive to ensure high quality throughout the experience. In order to ensure this, we require that all pull requests to Chef projects meet these specifications:
1. **Tests:** To ensure high quality code and protect against future regressions, we require all the code in Chef Projects to have at least unit test coverage. See the [test/unit](https://github.com/inspec/inspec/tree/master/test/unit)
directory for the existing tests and use ```bundle exec rake test``` to run them.
directory for the existing tests and use ```bundle exec rake test``` to run them. It should be good to know InSpec uses [minitest](https://github.com/seattlerb/minitest) as a testing framework.
2. **Green CI Tests:** We use [Travis CI](https://travis-ci.org/) and/or [AppVeyor](https://www.appveyor.com/) CI systems to test all pull requests. We require these test runs to succeed on every pull request before being merged.
3. **Up-to-date Documentation:** Every code change should be reflected in an update for our [documentation](https://github.com/inspec/inspec/tree/master/docs-chef-io). We expect PRs to update the documentation with the code change.

2
Dockerfile
View file

@ -1,7 +1,7 @@
FROM ubuntu:18.04
LABEL maintainer="Chef Software, Inc. <docker@chef.io>"
ARG VERSION=4.29.3
ARG VERSION=4.46.13
ARG CHANNEL=stable
ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

22
Gemfile
View file

@ -28,9 +28,13 @@ group :omnibus do
end
group :test do
gem "chefstyle", "~> 1.7.1"
gem "chefstyle", "~> 2.0.3"
gem "concurrent-ruby", "~> 1.0"
gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
if Gem.ruby_version.to_s.start_with?("2.5")
gem "html-proofer", "= 3.19.1" , platforms: :ruby # do not attempt to run proofer on windows
else
gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
end
gem "json_schemer", ">= 0.2.1", "< 0.2.19"
gem "m"
gem "minitest-sprint", "~> 1.0"
@ -48,3 +52,17 @@ end
group :deploy do
gem "inquirer"
end
# Only include Test Kitchen support if we are on Ruby 2.7 or higher
# as chef-zero support requires Ruby 2.6
# See https://github.com/inspec/inspec/pull/5341
if Gem.ruby_version >= Gem::Version.new("2.7.0")
group :kitchen do
gem "berkshelf"
gem "chef", ">= 16.0" # Required to allow net-ssh > 6
gem "test-kitchen", ">= 2.8"
gem "kitchen-inspec", ">= 2.0"
gem "kitchen-dokken", ">= 2.11"
gem "git"
end
end

80
README.md
View file

@ -78,7 +78,9 @@ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
### Install it via rubygems.org
When installing from source, gem dependencies may require ruby build tools to be installed.
Installing Chef InSpec from source may require installing ruby build tools to manage gem dependencies. (A compiler-free variant is available with reduced functionality; use `inspec-core-bin` and `inspec-core`.)
To install build tools, use your package manager.
For CentOS/RedHat/Fedora:
@ -177,17 +179,18 @@ You should now be able to run:
```bash
$ inspec --help
Commands:
inspec archive PATH # archive a profile to tar.gz (default) ...
inspec check PATH # verify all tests at the specified PATH
inspec compliance SUBCOMMAND ... # Chef Compliance commands
inspec detect # detect the target OS
inspec exec PATH(S) # run all test files at the specified PATH.
inspec help [COMMAND] # Describe available commands or one spe...
inspec init TEMPLATE ... # Scaffolds a new project
inspec json PATH # read all tests in PATH and generate a ...
inspec shell # open an interactive debugging shell
inspec supermarket SUBCOMMAND ... # Supermarket commands
inspec version # prints the version of this tool
inspec archive PATH # archive a profile to tar.gz (default) ...
inspec check PATH # verify all tests at the specified PATH
inspec automate SUBCOMMAND ... # Chef Automate commands
inspec compliance SUBCOMMAND ... # Chef Automate commands (backwards compatible alias)
inspec detect # detect the target OS
inspec exec PATH(S) # run all test files at the specified PATH.
inspec help [COMMAND] # Describe available commands or one spe...
inspec init TEMPLATE ... # Scaffolds a new project
inspec json PATH # read all tests in PATH and generate a ...
inspec shell # open an interactive debugging shell
inspec supermarket SUBCOMMAND ... # Supermarket commands
inspec version # prints the version of this tool
Options:
[--diagnose], [--no-diagnose] # Show diagnostics (versions, configurations)
@ -208,14 +211,6 @@ describe port(443) do
end
```
* Use approved strong ciphers - This test ensures that only enterprise-compliant ciphers are used for SSH servers.
```ruby
describe sshd_config do
   its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
end
```
* Test your `kitchen.yml` file to verify that only Vagrant is configured as the driver. The %w() formatting will
pass rubocop linting and allow you to access nested mappings.
@ -337,6 +332,7 @@ In addition, runtime support is provided for:
| macOS | 10.14+ | x86_64 |
| Debian | 9, 10 | x86_64 |
| RHEL | 6, 7, 8 | x86_64 |
| Fedora | 29+ | x86_64 |
| Ubuntu | 16.04+ | x86_64 |
| Windows | 8+ | x86_64 |
| Windows | 2012+ | x86_64 |
@ -365,6 +361,8 @@ You may also [browse the Supermarket for shared Compliance Profiles](https://sup
## Kudos
Chef InSpec was originally created by Christoph Hartmann ([@chris-rock](https://github.com/chris-rock)) and Dominik Richter ([@arlimus](https://github.com/arlimus)).
Chef InSpec is inspired by the wonderful [Serverspec](http://serverspec.org) project. Kudos to [mizzy](https://github.com/mizzy) and [all contributors](https://github.com/mizzy/serverspec/graphs/contributors)!
The AWS resources were inspired by [inspec-aws](https://github.com/arothian/inspec-aws) from [arothian](https://github.com/arothian).
@ -387,11 +385,10 @@ As a reminder, all participants are expected to follow the [Code of Conduct](htt
## Testing Chef InSpec
We offer `unit`, `integration`, and `aws` tests.
We offer `unit` and `integration` tests.
- `unit` tests ensure the intended behaviour of the implementation
- `integration` tests run against Docker-based VMs via test-kitchen and [kitchen-inspec](https://github.com/chef/kitchen-inspec)
- `aws` tests exercise the AWS resources against real AWS accounts
### Unit tests
@ -430,42 +427,35 @@ In addition, these test require Docker to be available on your machine or a remo
List the various test instances available:
```bash
bundle exec kitchen list
KITCHEN_YAML=kitchen.dokken.yml bundle exec kitchen list
```
The platforms and test suites are configured in the `.kitchen.yml` file. Once you know which instance you wish to test, test that instance:
The platforms and test suites are configured in the `kitchen.dokken.yml` file. Once you know which instance you wish to test, test that instance:
```bash
bundle exec kitchen test <INSTANCE_NAME>
KITCHEN_YAML=kitchen.dokken.yml bundle exec kitchen test <INSTANCE_NAME>
```
You may test all instances in parallel with:
```bash
bundle exec kitchen test -c
KITCHEN_YAML=kitchen.dokken.yml bundle exec kitchen test -c 3
```
### AWS Tests
Use the rake task `bundle exec rake test:aws` to test the AWS resources against a pair of real AWS accounts.
Please see [TESTING_AGAINST_AWS.md](./test/integration/aws/TESTING_AGAINST_AWS.md) for details on how to setup the needed AWS accounts to perform testing.
### Azure Tests
Use the rake task `bundle exec rake test:azure` to test the Azure resources against an Azure account.
Please see [TESTING_AGAINST_AZURE.md](./test/integration/azure/TESTING_AGAINST_AZURE.md) for details on how to setup the needed Azure accounts to perform testing.
## License
| | |
| -------------- | ----------------------------------------- |
| **Author:** | Dominik Richter (<drichter@chef.io>) |
| **Author:** | Christoph Hartmann (<chartmann@chef.io>) |
| **Copyright:** | Copyright (c) 2015 Vulcano Security GmbH. |
| **Copyright:** | Copyright (c) 2017-2018 Chef Software Inc.|
| **License:** | Apache License, Version 2.0 |
| | |
| -------------- | ---------------------------------------------- |
| **Author:** | Dominik Richter (<drichter@chef.io>) |
| **Author:** | Christoph Hartmann (<chartmann@chef.io>) |
| **Copyright:** | Copyright (c) 2015 Vulcano Security GmbH. |
| **Copyright:** | Copyright (c) 2017-2020 Chef Software Inc. |
| **Copyright:** | Copyright (c) 2020-2021 Progress Software Corp.|
| **License:** | Apache License, Version 2.0 |
| **License:** | Chef End User License Agreement |
Chef InSpec is distributed under the Apache License, Version 2.0.
Permission to use the software is governed by the [Chef EULA](https://docs.chef.io/chef_license_accept.html).
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.

4
Rakefile
View file

@ -255,14 +255,14 @@ namespace :test do
# Inject a prerequisite task
task unit: [:accept_license]
task :integration, [:os] do |task, args|
task :kitchen, [:os] do |task, args|
concurrency = ENV["CONCURRENCY"] || 1
os = args[:os] || ENV["OS"] || ""
ENV["DOCKER"] = "true" if ENV["docker"].nil?
sh("bundle exec kitchen test -c #{concurrency} #{os}")
end
# Inject a prerequisite task
task integration: [:accept_license]
task kitchen: [:accept_license]
task :ssh, [:target] do |_t, args|
tests_path = File.join(File.dirname(__FILE__), "test", "integration", "test", "integration", "default")

2
VERSION
View file

@ -1 +1 @@
4.30.0
4.47.8

133
dev-docs/ci-cd.md Normal file
View file

@ -0,0 +1,133 @@
# About InSpec's Continuous Integration and Continuous Delivery Setup
## Major Components
### Expeditor
[Expeditor](https://expeditor.chef.io/) is the main coordinator of all CI-CD activity at Chef. It is configured through a [YAML file](https://github.com/inspec/inspec/blob/master/.expeditor/config.yml).
### BuildKite
[Buildkite](https://buildkite.com/chef) is the engine that actually executes all of the tests and builds for InSpec. While Buildkite coordinates all of the work, the actual infrastructure is managed by Chef in a variety of locations, including various clouds and datacenters.
Buildkite is divided into two orgs, [Chef](https://buildkite.com/chef) and [Chef-OSS](https://buildkite.com/chef-oss) (Open Source Software). Chef is private and Chef-OSS is public.
You will need to have an account on BuildKite and be a member of both orgs to fully utilize the system.
### Rakefile
The [Rakefile](https://github.com/inspec/inspec/blob/master/Rakefile) defines the tests harness to be run. Most of the test scripts come down to executing "rake test" or similar.
### Omnibus
Omnibus is a system for building OS-specific packages of software, including all dependencies including Ruby runtimes. We use Omnibus to make RPMs, DEBs, MSIs, DMGs, and several other OS-specific formats that deploy inspec and its dependencies natively to the OS.
The omnibus configuration for InSpec is stored at https://github.com/inspec/inspec/tree/master/omnibus and the main configuration file is [inspec.rb](https://github.com/inspec/inspec/blob/master/omnibus/config/projects/inspec.rb).
### Rubygems
InSpec is published as a set of 4 gems - inspec, inspec-core, inspec-bin, and inspec-core-bin. When we release a new version to the public (a process we call "promotion" and typically happens on Wednesdays), we publish to rubygems.org.
Rubygems are configured by declaring them in the expeditor configuration file in the `rubygems` section.
### Artifactory
Artifactory stores build artifacts (such as RPMs, MSIs, and gems) on a temporary basis. Artifactory is protected by the Progress VPN. [Artifactory inspec package search](http://artifactory.chef.co/ui/packages?name=inspec&type=packages).
## What Happens when...
### A PR is opened
When a PR is opened, the subscription [workload: pull_request_opened:{{agent_id}}:*](https://github.com/inspec/inspec/blob/cb2abf2e10906bba4df24b2ed18ec51b0931eff2/.expeditor/config.yml#L173) is activated. In addition, several defaults also apply.
One default pipeline that gets activated is the Buildkite [master verify pipeline](https://buildkite.com/chef-oss/inspec-inspec-master-verify). This default is documented [here](https://expeditor.chef.io/docs/pipelines/verify/).
#### verify pipeline
The verify pipeline runs the linter, the unit tests, and the functional tests. It verifies that the code being submitted is sound.
The verify pipeline is defined first in the [verify.pipeline.yml](https://github.com/inspec/inspec/blob/master/.expeditor/verify.pipeline.yml) file, which defines the separate Ruby versions, platforms, and environment variables to be passed to each one. Each runner calls a shell script, either [verify.sh](https://github.com/inspec/inspec/blob/master/.expeditor/buildkite/verify.sh) or [verify.ps1](https://github.com/inspec/inspec/blob/master/.expeditor/buildkite/verify.ps1). These scripts are thin wrappers that install Bundler dependencies from a cache, then call into the Rakefile.
#### habitat artifact pipeline
The habitat artifact pipeline runs a smoke test to verify that the habitat build of inspec is valid.
The habitat artifact pipeline is defined first in the [artifact.habitat.yml](https://github.com/inspec/inspec/blob/master/.expeditor/artifact.habitat.yml) file. It simply defines a linux runner and a windows runner, each with a dedicated script, [artifact.habitat.test.sh](https://github.com/inspec/inspec/blob/master/.expeditor/buildkite/artifact.habitat.test.sh) or [artifact.habitat.test.ps1](https://github.com/inspec/inspec/blob/master/.expeditor/buildkite/artifact.habitat.test.ps1). The scripts install habitat, setup an origin key, build the package, and then run a [Rakefile](https://github.com/inspec/inspec/blob/master/test/artifact/Rakefile)
### A PR is merged
When a PR is merged, the Expeditor actions under `merge_actions` are executed.
Watch the Slack channel #inspec-notify for messages about the success or failure of various steps.
Connect to the Progress VPN to fetch Expeditor logs in the event of a failure.
#### Version Bumping
This is controlled by the `built_in:bump_version` and `bash:.expeditor/update_version.sh` subscriptions.
If there are no GitHub labels on the PR, the patchlevel of the version will be bumped by executing the [.expeditor/update_version.sh](https://github.com/inspec/inspec/blob/master/.expeditor/update_version.sh) script. First the VERSION file is updated, then the script runs to update the versions in the Ruby files.
`built_in:bump_version` is in charge of bumping versions in VERSION, and is controlled by GitHub labels on the PR. Most, though not all, PRs should not have any Expeditor control labels.
Here are the Expeditor control labels, and the circumstances under which they should be used:
* Expeditor: Bump Minor Version - Use when a significant new feature is being released.
* Expeditor: Bump Major Version - Use when a major release is made - rarely used.
* Expeditor: Skip Version Bump - Use for non-code-change PRs, such as website or CI changes.
#### Build Omnibus Packages
This is controlled by the `trigger_pipeline:omnibus/release` subscription.
The Omnibus build creates operating-system-specific packages for each platform on which we release Chef InSpec. Its [expeditor configuration](https://github.com/inspec/inspec/blob/44fe144732e1e0abb2594957a880c5f1821e7774/.expeditor/config.yml#L133) drives a [Buildkite configuration](https://github.com/inspec/inspec/blob/master/.expeditor/release.omnibus.yml), which lists exactly which platforms to build.
The Omnibus build is generally reliable, if somewhat slow.
When the omnibus build succeeds, omnitruck delivers the packages to various package repos in `unstable` channels for public consumption. The packages are also delivered to [Artifactory](http://artifactory.chef.co/ui/repos/tree/General/omnibus-unstable-local%2Fcom%2Fgetchef%2Finspec) (VPN required)
#### Chef Habitat Build
The Chef Habitat build creates Habitat .hart packages for Linux and Windows. The [Expeditor configuration](https://github.com/inspec/inspec/blob/44fe144732e1e0abb2594957a880c5f1821e7774/.expeditor/config.yml#L138) drives a [Buildkite configuration](https://github.com/inspec/inspec/blob/master/.expeditor/build.habitat.yml).
When the hab build succeeds, the packages will be placed on the Hab builder in the `unstable` channel for public consumption.
#### Docker Image Built and Released
We also release a Docker image (see [expeditor config](https://github.com/inspec/inspec/blob/44fe144732e1e0abb2594957a880c5f1821e7774/.expeditor/config.yml#L150)), which contains a Linux system and Chef InSpec installed from a gem, with the ENTRYPOINT of the Docker image being `inspec` (see [Dockerfile](https://github.com/inspec/inspec/blob/master/Dockerfile)). It's a simple way to ship the dependencies of `inspec`.
When it succeeds, the Docker build is labeled as `current`.
#### Gems Built and Placed on Artifactory
The `inspec`, `inspec-bin`, `inspec-core`, and `inspec-core-bin` gems are all built and placed on the internal Chef [Artifactory](http://artifactory.chef.co/ui/packages?name=inspec&type=packages) (VPN required) server. During promotion later, they publish to rubygems.org.
The difference between the gems is as follows:
* `inspec` is a library gem, with full heavyweight dependencies, not encumbered by commercial licensing
* `inspec-bin` contains an `inspec` executable and is encumbered by commercial licensing
* `inspec-core` is a library gem, with lightweight dependencies and no compilation required at install time, and is not encumbered by commercial licensing
* `inspec-core-bin` contains an `inspec` executable and is encumbered by commercial licensing
### A release is promoted
When expeditor is told to promote a release, using the slack command `/expeditor promote inspec/inspec:master 4.36.4` (for example), Expeditor automatically promotes the Omnibus packages from the unstable channel to the stable channel, publishing them to the various downloads sites. It also creates the `artifact_published:stable` event, which has numerous [actions subscribed](https://github.com/inspec/inspec/blob/8a93f08a13d6bde8f87e447ff4246801bef80f8c/.expeditor/config.yml#L158).
Some of the more important ones:
#### Update and publish the docker image
The Dockerfile is updated - mainly to update version numbers - and then the published Docker image is tagged with the labels "stable" and "latest".
#### Rubygems are published to rubygems,org
The gems are taken from Artifactory and published to Rubygems.org. This is done using an Expeditor built-in action. The gems must be owned by the user `chef`.
#### Release notes are published
The [pending release notes](https://github.com/inspec/inspec/wiki/Pending-Release-Notes) are copied to AWS S3 by a [script](https://github.com/inspec/inspec/blob/master/.expeditor/publish-release-notes.sh), and then reset back to an empty state. Another [script](https://github.com/inspec/inspec/blob/master/.expeditor/announce-release.sh) takes the release notes from S3 and creates a post on Discourse.

13
dev-docs/compliance.md
View file

@ -2,11 +2,13 @@
## Purpose
The `compliance` set of subcommands handle user-initiated communication with Chef Automate. The commands are provided so that a user can interact with an Automate installation.
The `automate` set of subcommands handle user-initiated communication with Chef Automate. The commands are provided so that a user can interact with an Automate installation.
`inspec compliance` is somewhat analogous to `knife` in that it can be used to upload, download, and manage profiles for distribution to other clients.
`inspec automate` is somewhat analogous to `knife` in that it can be used to upload, download, and manage profiles for distribution to other clients.
When Automate initiates scans, the `compliance` subcommand is not used.
When Automate initiates scans, the `automate` subcommand is not used.
`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way
## Operational Notes
@ -53,7 +55,7 @@ Actual HTTP communication is handled by `InspecPlugins::Compliance::HTTP`, again
#### lib/http.rb
This is probably unneccesary. It is a wrapper around Net:HTTP. Instead, we should probably be using a REST API wrapper or something similar.
This is probably unnecessary. It is a wrapper around Net:HTTP. Instead, we should probably be using a REST API wrapper or something similar.
#### lib/support.rb
@ -65,8 +67,9 @@ There are several other minor commands not listed here - see `lib/cli.rb` for a
### login
Saves a credentials file locally. Future invocations of `inspec compliance` use the credentials file to authenticate.
Saves a credentials file locally. Future invocations of `inspec automate` or `inspec compliance` use the credentials file to authenticate.
`be inspec automate login --user=admin --token='1234567890asdfghjkl' --insecure https://chef-automate.test` or
`be inspec compliance login --user=admin --token='1234567890asdfghjkl' --insecure https://chef-automate.test`
Here are the results of running login, from `.inspec/compliance/config.json`:

58
dev-docs/control-eval.md
View file

@ -6,33 +6,55 @@
## Tips
* In the early days of Chef InSpec / ServerSpec, controls were called "rules". Throughout various places in the code, the word "rule" is used to mean "control". Make the mental subsitution.
* In the early days of Chef InSpec / ServerSpec, controls were called "rules". Throughout various places in the code, the word "rule" is used to mean "control". Make the mental substitution.
* Chef InSpec supports reading profiles from tarballs, local files, git repos, etc. So, don't count on local file reading; instead it uses a special source reader to obtain the contents of the files.
## The basics of the stack
#5 Inspec::Profile.collect_tests(include_list#Array) at lib/inspec/profile.rb:167
#4 Hash.each at lib/inspec/profile.rb:167
#3 block in Inspec::Profile.block in collect_tests(include_list#Array) at lib/inspec/profile.rb:170
#2 Inspec::ProfileContext.load_control_file(*args#Array) at lib/inspec/profile_context.rb:141
#1 Inspec::ProfileContext.control_eval_context at lib/inspec/profile_context.rb:58
#0 #<Class:Inspec::ControlEvalContext>.create(profile_context#Inspec::ProfileContext, resources_dsl#Module) at lib/inspec/control_eval_context.rb:41
## A profile context is created
Like many things in Chef InSpec core, a profile context is an anonymous class. (verify)
Profile context gets instantiated as soon as the Profile gets created.
Additionally, a control_eval_context is created. It is an instance of an anonymous class; it has a class<->relationship with its profile context. See `lib/inspec/control_eval_context.rb`.
0 Inspec::ProfileContext.initialize(profile_id#String, backend#Inspec::Backend, conf#Hash) at inspec/lib/inspec/profile_context.rb:20
ͱ-- #1 Class.new(*args) at inspec/lib/inspec/profile_context.rb:13
#2 #<Class:Inspec::ProfileContext>.for_profile(profile#Inspec::Profile, backend#Inspec::Backend) at inspec/lib/inspec/profile_context.rb:13
#3 Inspec::Profile.initialize(source_reader#SourceReaders::InspecReader, options#Hash) at inspec/lib/inspec/profile.rb:149
ͱ-- #4 Class.new(*args) at inspec/lib/inspec/profile.rb:61
#5 #<Class:Inspec::Profile>.for_path(path#String, opts#Hash) at inspec/lib/inspec/profile.rb:61
#6 #<Class:Inspec::Profile>.for_fetcher(fetcher#Inspec::CachedFetcher, config#Hash) at inspec/lib/inspec/profile.rb:68
#7 #<Class:Inspec::Profile>.for_target(target#String, opts#Hash) at inspec/lib/inspec/profile.rb:74
#8 Inspec::Runner.add_target(target#String, _opts#Array) at inspec/lib/inspec/runner.rb:198
#9 block in Inspec::InspecCLI.block in exec(*targets#Array) at inspec/lib/inspec/cli.rb:283
ͱ-- #10 Array.each at inspec/lib/inspec/cli.rb:283
#11 Inspec::InspecCLI.exec(*targets#Array) at inspec/lib/inspec/cli.rb:283
When run method of the runner gets called, it loads control [file](https://github.com/inspec/inspec/blob/master/lib/inspec/profile_context.rb#L151) which instantiates the control_eval_context object [here](https://github.com/inspec/inspec/blob/master/lib/inspec/profile_context.rb#L61) and creates dsl, and the adds profile_context as dsl class methods [here](https://github.com/inspec/inspec/blob/master/lib/inspec/profile_context.rb#L243)
#0 Inspec::ProfileContext::DomainSpecificLunacy::ClassMethods.add_methods(profile_context#Inspec::ProfileContext) at /inspec/lib/inspec/profile_context.rb:242
#1 block in #<Class:Inspec::ProfileContext::DomainSpecificLunacy>.block in create_dsl(profile_context#Inspec::ProfileContext) at /inspec/lib/inspec/profile_context.rb:220
ͱ-- #2 Module.initialize at inspec/lib/inspec/profile_context.rb:218
ͱ-- #3 Class.new(*args) at inspec/lib/inspec/profile_context.rb:218
#4 #<Class:Inspec::ProfileContext::DomainSpecificLunacy>.create_dsl(profile_context#Inspec::ProfileContext) at inspec/lib/inspec/profile_context.rb:218
#5 Inspec::ProfileContext.to_resources_dsl at inspec/lib/inspec/profile_context.rb:56
#6 Inspec::ProfileContext.control_eval_context at inspec/lib/inspec/profile_context.rb:63
#7 Inspec::ProfileContext.load_control_file(*args#Array) at inspec/lib/inspec/profile_context.rb:154
#8 block in Inspec::Profile.block in collect_tests(include_list#Array) at inspec/lib/inspec/profile.rb:222
ͱ-- #9 Hash.each at inspec/lib/inspec/profile.rb:216
#10 Inspec::Profile.collect_tests(include_list#Array) at inspec/lib/inspec/profile.rb:216
#11 block in Inspec::Runner.block in load at inspec/lib/inspec/runner.rb:119
ͱ-- #12 Array.each at inspec/lib/inspec/runner.rb:101
#13 Inspec::Runner.load at inspec/lib/inspec/runner.rb:101
#14 Inspec::Runner.run(with#NilClass) at inspec/lib/inspec/runner.rb:135
#15 Inspec::InspecCLI.exec(*targets#Array) at inspec/lib/inspec/cli.rb:286
## Each file's contents are instance eval'd against the control_eval_context
### DSL methods are executed at this time
So, if you have a control file with `title` in it, that will call the title method that was defined at `lib/inspec/control_eval_context.rb:60`. Importantly, this also includes the `control` DSL keyword, and also the `describe` keyword (used for bare describes).
So, if you have a control file with `title` in it, that will call the title method that was defined [here](https://github.com/inspec/inspec/blob/master/lib/inspec/control_eval_context.rb#L46). Importantly, this also includes the `control` DSL keyword, and also the `describe` keyword (used for bare describes).
### Each control and their block are wrapped in an anonymous class
### Each control get registered as rule.
The anonymous class generator is located at `lib/inspec/control_eval_context.rb:24`. At this point, the terminology switches from `control` to `rule`. Each context class inherits from Inspec::Rule, which provides the constructor.
Each control gets registerd and the terminology switches from `control` to `rule` [here](https://github.com/inspec/inspec/blob/master/lib/inspec/control_eval_context.rb#L57)
The control context class also gets extended with the resource DSL, so anything in the source code for the control can use the resource DSL. This includes all resource names, but importantly, the `describe` DSL keyword.
@ -40,7 +62,7 @@ Finally, Inspec::Rule provides the control DSL - impact, title, desc, ref, and t
### The block is instance_eval'd against the control context class
See `lib/inspec/rule.rb:50`. We're now in two levels of instance eval'ing - the file is gradually being eval'd against the profile context anonymous class, and the current control's block is being instance eval'd against a control context anonymous class.
See `https://github.com/inspec/inspec/blob/master/lib/inspec/rule.rb#L46`. We're now in two levels of instance eval'ing - the file is gradually being eval'd against the profile context and the current control's block is being instance eval'd against a control context.
At this stage, control-level metadata (impact, title, refs, tags, desc) are evaluated and set as instance vars on the control.
@ -54,9 +76,9 @@ And, the describe and describe.one blocks are executed.
Using the method register_control (dynamically defined on the control eval context), we check for various skip conditions. If none of them apply, the control is then registered with the profile context using register_rule.
ProfileContext.register_rule's main job is to determine the full ID of the control (within the context of the profile) and either add it to the controls list, or (if another control with the same ID exists), merge it. (This is where overriding happens).
[ProfileContext.register_rule's](https://github.com/inspec/inspec/blob/master/lib/inspec/profile_context.rb#L183) main job is to determine the full ID of the control (within the context of the profile) and either add it to the controls list, or (if another control with the same ID exists), merge it. (This is where overriding happens).
Note: can skip a control with:
Inspec::Rule.set_skip_rule(control, msg)
## What else?
## What else?

4
dev-docs/filtertable-usage.md
View file

@ -40,7 +40,7 @@ class Thing < Inspec.resource(1)
filter_table_config.install_filter_methods_on_resource(self, :fetch_data)
def fetch_data
# This method should return an array of hashes - the raw data. We'll hardcode it here.
# This method should return an array of hashes - the raw data. We'll hard code it here.
[
{ thing_id: 1, color: :red },
{ thing_id: 2, color: :blue, tackiness: 'very' },
@ -301,7 +301,7 @@ This method behaves just like `thing_ids`, except that it returns the values of
You also get this for `thing_ids`. This is unrelated to `style: :simple` for `colors`.
People definitely use this in the wild. It reads badly to me; I think this is a legacy usage that we should consider deprecating. To me, this seems to imply that there is a sub-resource (here, colors) we are auditing. At least two core resouces (`xinetd_conf` and `users`) advocate this as their primary use.
People definitely use this in the wild. It reads badly to me; I think this is a legacy usage that we should consider deprecating. To me, this seems to imply that there is a sub-resource (here, colors) we are auditing. At least two core resources (`xinetd_conf` and `users`) advocate this as their primary use.
```ruby
# Filter on colors

55
dev-docs/inspec-init-plugin.md Normal file
View file

@ -0,0 +1,55 @@
# About `inspec init plugin` CLI command
## Purpose
`inspec init plugin` generates the scaffold of InSpec plugin, which can extend the functionality of InSpec itself.
## Operational Notes
### Generating InSpec Plugin
`inspec init plugin --help`
```
Usage:
inspec init plugin PLUGIN_NAME [options]
Options:
[--prompt], [--no-prompt] # Interactively prompt for information to put in your generated plugin.
# Default: true
[--detail=DETAIL] # How detailed of a plugin to generate. 'full' is a normal full gem with tests; 'core' has tests but no gemspec; 'test-fixture' is stripped down for a test fixture.
# Default: full
[--author-email=AUTHOR_EMAIL] # Author Email for gemspec
# Default: you@example.com
[--author-name=AUTHOR_NAME] # Author Name for gemspec
# Default: Your Name
[--description=DESCRIPTION] # Multi-line description of the plugin
[--summary=SUMMARY] # One-line summary of your plugin
# Default: A plugin with a default summary
[--license-name=LICENSE_NAME] # The name of a license
# Default: Apache-2.0
[--activator=one two three] # A list of plugin activator, in the form type1:name1, type2:name2, etc
# Default: ["cli_command:my_command"]
[--hook=one two three] # Legacy name for --activator - Deprecated.
[--homepage=HOMEPAGE] # A URL for your project, often a GitHub link
[--module-name=MODULE_NAME] # Module Name for your plugin package. Will change plugin name to CamelCase by default.
[--copyright=COPYRIGHT] # A copyright statement, to be added to LICENSE
[--log-level=LOG_LEVEL] # Set the log level: info (default), debug, warn, error
[--log-location=LOG_LOCATION] # Location to send diagnostic log messages to. (default: $stdout or Inspec::Log.error)
Generates an InSpec plugin, which can extend the functionality of InSpec itself.
```
### Options
`inspec init plugin` command requires few details about the plugin to be added. This can be added using command line prompt or by passing them as the options like for e.g `--author-name`,`--author-email`, `--description`, `--module-name`, etc.
`--detail` This option can be used to skip generation of test files or gemspec file. Available values `full`, `core` or `test-fixture`.
`--activator` Available activator type are `cli_command` and `reporter`. The default activator type is "cli_command".
Usage: `inspec init pluign <inspec-plugin-name> --activator "cli_command:my_test"`
`OR`
`inspec init plugin <inspec-plugin-reporter-name> --activator "reporter:my_reporter"`
**Note:** The InSpec plugin generator can currently only generate one activator of each type.
`--hook` Legacy name for `--activator` - Deprecated.

8
dev-docs/integration-testing.md
View file

@ -2,7 +2,7 @@
## Introduction
Chef InSpec uses Test Kitchen for its integration testing. Our current testing uses Docker as our backend. You should install and have Docker running befor you run any tests.
Chef InSpec uses Test Kitchen for its integration testing. Our current testing uses Docker (kitchen-dokken) as our backend. You should install and have Docker running before you run any tests.
### How to run specific integrations
@ -23,8 +23,6 @@ bundle exec rake test:integration[default-ubuntu-1604]
We run the test/integration/default profile at the end of each integration test in the verify stage. This confirms that our current code is compatible with test kitchen.
### Audit Testing
### Why no audit cookbook testing?
For Audit cookbook testing Chef InSpec sets up some special hooks. The integration rake command will bundle up the current checkout into a gem which is passed along to test kitchen in the os_prepare cookbook. When this cookbook is run it will install the local inspec gem. Audit will then use this gem accordingly when running in the post chef-client validators. The .kitchen.yml is setup to export the audit report to a json file which we look for and confirm the structure in the test/integration/default/controls/audit_spec.rb file.
In the validation file we confirm that the file was created from audit and that the structure looks correct. We also validate that the inspec ran with audit is the same that the current branch is using. This validates that audit did not use a older version for some reason.
Audit cookbook testing is handled in the audit cookbook repo. In addition, the audit cookbook restricts which InSpec gem can be installed, forcing the installation from Rubygems for Chef clients 15+. Since we need to test with the from-source inspec gem, we can't use that approach. Instead, we don't test using audit cookbook here.

3
dobi.yaml
View file

@ -18,4 +18,5 @@ image=chef:
CHANNEL: unstable
annotations:
tags:
- expeditor:final-channel-tags={{major}},{{major}}.{{minor}}
- expeditor:default-tags={{channel}}
- expeditor:final-channel-tags=latest,{{major}},{{major}}.{{minor}}

2
docs-chef-io/Makefile
View file

@ -14,7 +14,7 @@ serve: chef_web_docs
chef_web_docs:
if [ -d "chef-web-docs/" ]; then \
pushd chef-web-docs && git reset HEAD --hard; git pull origin master && popd; \
pushd chef-web-docs && git reset HEAD --hard; git clean -fd; git pull --ff-only origin main; rm -rf public && popd; \
else \
git clone https://github.com/chef/chef-web-docs.git; \
fi

4
docs-chef-io/README.md
View file

@ -20,7 +20,7 @@ the top of the page that you want to edit. The link takes you to that topic's Gi
page. In GitHub, click on the pencil icon and make your changes. You can preview
how they'll look right on the page ("Preview Changes" tab).
We also require contributors to include their [DCO signoff](https://github.com/chef/chef/blob/master/CONTRIBUTING.md#developer-certification-of-origin-dco)
We also require contributors to include their [DCO signoff](https://github.com/chef/chef/blob/main/CONTRIBUTING.md#developer-certification-of-origin-dco)
in the comment section of every pull request, except for obvious fixes. You can
add your DCO signoff to the comments by including `Signed-off-by:`, followed by
your name and email address, like this:
@ -52,7 +52,7 @@ before the next promotion.
## Local Development Environment
We use [Hugo](https://gohugo.io/), [Go](https://golang.org/), and[NPM](https://www.npmjs.com/)
to build the Chef Documentation website. You will need Hugo 0.78.1 or higher
to build the Chef Documentation website. You will need Hugo 0.83.1 or higher
installed and running to build and view our documentation properly.
To install Hugo, NPM, and Go on Windows and macOS:

2
docs-chef-io/config.toml
View file

@ -1,2 +1,2 @@
[params.inspec]
gh_path = "https://github.com/inspec/inspec/tree/master/docs-chef-io/content/"
gh_path = "https://github.com/inspec/inspec/tree/main/docs-chef-io/content/"

213
docs-chef-io/content/inspec/cli.md
View file

@ -15,7 +15,7 @@ Use the InSpec CLI to run tests and audits against targets using local, SSH, Win
## archive
Archive a profile to tar.gz (default) or zip
Archive a profile to tar.gz (default) or zip.
### Syntax
@ -27,14 +27,14 @@ inspec archive PATH
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``--airgap``, ``--no-airgap``
Fallback to using local archives if fetching fails.
* ``--ignore-errors``, ``--no-ignore-errors``
Ignore profile warnings.
* ``-o``, ``--output=OUTPUT``
Save the archive to a path
Save the archive to a path.
* ``--overwrite``, ``--no-overwrite``
Overwrite existing archive.
* ``--profiles-path=PROFILES_PATH``
@ -42,14 +42,25 @@ This subcommand has additional options:
* ``--tar``, ``--no-tar``
Generates a tar.gz archive.
* ``--vendor-cache=VENDOR_CACHE``
Use the given path for caching dependencies. (default: ~/.inspec/cache)
Use the given path for caching dependencies, (default: ~/.inspec/cache).
* ``--zip``, ``--no-zip``
Generates a zip archive.
## automate
Communicate with Chef Automate.
### Syntax
This subcommand has the following syntax:
```bash
inspec automate SUBCOMMAND
```
## check
Verify metadata in inspec.yml. Verify control data has fields (title, description,
impact) defined and that all controls have visible tests.
Verify metadata in inspec.yml. Verify control data has fields (title, description, impact) defined and that all controls have visible tests.
### Syntax
@ -61,18 +72,18 @@ inspec check PATH
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``--format=FORMAT``
The output format to use. Valid values: `json` and `doc`. Default value: `doc`.
* ``--profiles-path=PROFILES_PATH``
Folder which contains referenced profiles.
* ``--vendor-cache=VENDOR_CACHE``
Use the given path for caching dependencies. (default: ~/.inspec/cache)
Use the given path for caching dependencies, (default: ~/.inspec/cache).
## detect
Detect the target os
Detect the target OS.
### Syntax
@ -84,18 +95,20 @@ inspec detect
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``-b``, ``--backend=BACKEND``
Choose a backend: local, ssh, winrm, docker.
* ``--bastion-host=BASTION_HOST``
Specifies the bastion host if applicable
Specifies the bastion host if applicable.
* ``--bastion-port=BASTION_PORT``
Specifies the bastion port if applicable
Specifies the bastion port if applicable.
* ``--bastion-user=BASTION_USER``
Specifies the bastion user if applicable
Specifies the bastion user if applicable.
* ``--config=CONFIG``
Read configuration from JSON file (`-` reads from stdin).
* ``--docker-url``
Provides path to Docker API endpoint (Docker).
* ``--enable-password=ENABLE_PASSWORD``
Password for enable mode on Cisco IOS devices.
* ``--format=FORMAT``
@ -103,7 +116,7 @@ This subcommand has additional options:
* ``--host=HOST``
Specify a remote host which is tested.
* ``--insecure``, ``--no-insecure``
Disable SSL verification on select targets
Disable SSL verification on select targets.
* ``-i``, ``--key-files=one two three``
Login key or certificate file for a remote scan.
* ``--password=PASSWORD``
@ -113,7 +126,7 @@ This subcommand has additional options:
* ``-p``, ``--port=N``
Specify the login port for a remote scan.
* ``--proxy-command=PROXY_COMMAND``
Specifies the command to use to connect to the server
Specifies the command to use to connect to the server.
* ``--self-signed``, ``--no-self-signed``
Allow remote scans with self-signed certificates (WinRM).
* ``--shell``, ``--no-shell``
@ -133,9 +146,9 @@ This subcommand has additional options:
* ``--sudo-password=SUDO_PASSWORD``
Specify a sudo password, if it is required.
* ``-t``, ``--target=TARGET``
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
Simple targeting option using URIs, e.g. ssh://user:pass@host:port.
* ``--target-id=TARGET_ID``
Provide a ID which will be included on reports
Provide a ID which will be included on reports.
* ``--user=USER``
The login user for a remote scan.
* ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only``
@ -149,7 +162,7 @@ This subcommand has additional options:
## env
Output shell-appropriate completion configuration
Output shell-appropriate completion configuration.
### Syntax
@ -163,11 +176,9 @@ inspec env
Run all test files at the specified locations.
The subcommand loads the given profiles, fetches their dependencies if needed, then
connects to the target and executes any controls contained in the profiles.
One or more reporters are used to generate the output.
The subcommand loads the given profiles, fetches their dependencies if needed, then connects to the target and executes any controls contained in the profiles. One or more reporters are used to generate the output.
```
``` ruby
exit codes:
0 normal exit, all tests passed
1 usage or general error
@ -181,38 +192,51 @@ exit codes:
Below are some examples of using `exec` with different test locations:
Chef Automate:
```
inspec compliance login
``` ruby
inspec automate login
inspec exec compliance://username/linux-baseline
```
Chef Supermarket:
`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way:
``` ruby
inspec compliance login
```
Chef Supermarket:
``` ruby
inspec exec supermarket://username/linux-baseline
```
Local profile (executes all tests in `controls/`):
```
``` ruby
inspec exec /path/to/profile
```
Local single test (doesn't allow inputs or custom resources):
```
``` ruby
inspec exec /path/to/a_test.rb
```
Git via SSH:
```
``` ruby
inspec exec git@github.com:dev-sec/linux-baseline.git
```
Git via HTTPS (.git suffix is required):
```
``` ruby
inspec exec https://github.com/dev-sec/linux-baseline.git
```
Private Git via HTTPS (.git suffix is required):
```
``` ruby
inspec exec https://api_token@github.com/dev-sec/linux-baseline.git
```
@ -233,7 +257,6 @@ Web-hosted file with basic authentication (supports .zip):
inspec exec https://username:password@webserver/linux-baseline.tar.gz
```
### Syntax
This subcommand has the following syntax:
@ -244,30 +267,32 @@ inspec exec LOCATIONS
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``--attrs=one two three``
Legacy name for --input-file - deprecated.
* ``-b``, ``--backend=BACKEND``
Choose a backend: local, ssh, winrm, docker.
* ``--backend-cache``, ``--no-backend-cache``
Allow caching for backend command output. (default: true)
Allow caching for backend command output. (default: true).
* ``--bastion-host=BASTION_HOST``
Specifies the bastion host if applicable
Specifies the bastion host if applicable.
* ``--bastion-port=BASTION_PORT``
Specifies the bastion port if applicable
Specifies the bastion port if applicable.
* ``--bastion-user=BASTION_USER``
Specifies the bastion user if applicable
Specifies the bastion user if applicable.
* ``--command-timeout=SECONDS``
Maximum seconds to allow a command to run. Default 3600.
Maximum seconds to allow a command to run.
* ``--config=CONFIG``
Read configuration from JSON file (`-` reads from stdin).
* ``--controls=one two three``
A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests.
* ``--create-lockfile``, ``--no-create-lockfile``
Write out a lockfile based on this execution (unless one already exists)
Write out a lockfile based on this execution (unless one already exists).
* ``--distinct-exit``, ``--no-distinct-exit``
Exit with code 101 if any tests fail, and 100 if any are skipped (default). If disabled, exit 0 on skips and 1 for failures.
* ``--docker-url``
Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows.
* ``--enable-password=ENABLE_PASSWORD``
Password for enable mode on Cisco IOS devices.
* ``--filter-empty-profiles``, ``--no-filter-empty-profiles``
@ -279,9 +304,9 @@ This subcommand has additional options:
* ``--input=name1=value1 name2=value2``
Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures.
* ``--input-file=one two three``
Load one or more input files, a YAML file with values for the profile to use
Load one or more input files, a YAML file with values for the profile to use.
* ``--insecure``, ``--no-insecure``
Disable SSL verification on select targets
Disable SSL verification on select targets.
* ``-i``, ``--key-files=one two three``
Login key or certificate file for a remote scan.
* ``--password=PASSWORD``
@ -293,13 +318,15 @@ This subcommand has additional options:
* ``--profiles-path=PROFILES_PATH``
Folder which contains referenced profiles.
* ``--proxy-command=PROXY_COMMAND``
Specifies the command to use to connect to the server
Specifies the command to use to connect to the server.
* ``--reporter=one two:/output/file/path``
Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml
Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml.
* ``--reporter-backtrace-inclusion``, ``--no-reporter-backtrace-inclusion``
Include a code backtrace in report data (default: true)
Include a code backtrace in report data (default: true).
* ``--reporter-include-source``
Include full source code of controls in the CLI report.
* ``--reporter-message-truncation=REPORTER_MESSAGE_TRUNCATION``
Number of characters to truncate failure messages in report data to (default: no truncation)
Number of characters to truncate failure messages in report data to (default: no truncation).
* ``--self-signed``, ``--no-self-signed``
Allow remote scans with self-signed certificates (WinRM).
* ``--shell``, ``--no-shell``
@ -323,13 +350,15 @@ This subcommand has additional options:
* ``--sudo-password=SUDO_PASSWORD``
Specify a sudo password, if it is required.
* ``-t``, ``--target=TARGET``
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
Simple targeting option using URIs, e.g. ssh://user:pass@host:port.
* ``--target-id=TARGET_ID``
Provide a ID which will be included on reports
Provide a ID which will be included on reports.
* ``--tags=one two three``
A list of tags or a list of regular expressions that match tags. `exec` will run controls referenced by the listed or matching tags.
* ``--user=USER``
The login user for a remote scan.
* ``--vendor-cache=VENDOR_CACHE``
Use the given path for caching dependencies. (default: ~/.inspec/cache)
Use the given path for caching dependencies. (default: ~/.inspec/cache).
* ``--waiver-file=one two three``
Load one or more waiver files.
* ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only``
@ -339,9 +368,21 @@ This subcommand has additional options:
* ``--winrm-transport=WINRM_TRANSPORT``
Specify which transport to use, defaults to negotiate (WinRM).
## habitat
Create a Chef Habitat package.
### Syntax
This subcommand has the following syntax:
```bash
inspec habitat SUBCOMMAND
```
## help
Describe available commands or one specific command
Describe available commands or one specific command.
### Syntax
@ -351,9 +392,21 @@ This subcommand has the following syntax:
inspec help [COMMAND]
```
## init
Scaffold a new project.
### Syntax
This subcommand has the following syntax:
```bash
inspec init TEMPLATE
```
## json
Read all tests in path and generate a json summary
Read all tests in path and generate a json summary.
### Syntax
@ -365,20 +418,22 @@ inspec json PATH
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``--controls=one two three``
A list of controls to include. Ignore all other tests.
* ``-o``, ``--output=OUTPUT``
Save the created profile to a path
Save the created profile to a path.
* ``--profiles-path=PROFILES_PATH``
Folder which contains referenced profiles.
* ``--tags=one two three``
A list of tags that reference certain controls. Other controls are ignored.
* ``--vendor-cache=VENDOR_CACHE``
Use the given path for caching dependencies. (default: ~/.inspec/cache)
Use the given path for caching dependencies. (default: ~/.inspec/cache).
## nothing
Does nothing
Does nothing.
### Syntax
@ -388,9 +443,21 @@ This subcommand has the following syntax:
inspec nothing
```
## plugin
Install and manage [Chef InSpec plugins](/inspec/plugins/).
### Syntax
This subcommand has the following syntax:
```bash
inspec plugin SUBCOMMAND
```
## schema
Print the json schema
Print the json schema.
### Syntax
@ -402,7 +469,7 @@ inspec schema NAME
## shell
Open an interactive debugging shell
Open an interactive debugging shell.
### Syntax
@ -414,32 +481,34 @@ inspec shell
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``-b``, ``--backend=BACKEND``
Choose a backend: local, ssh, winrm, docker.
* ``--bastion-host=BASTION_HOST``
Specifies the bastion host if applicable
Specifies the bastion host if applicable.
* ``--bastion-port=BASTION_PORT``
Specifies the bastion port if applicable
Specifies the bastion port if applicable.
* ``--bastion-user=BASTION_USER``
Specifies the bastion user if applicable
Specifies the bastion user if applicable.
* ``-c``, ``--command=COMMAND``
A single command string to run instead of launching the shell
A single command string to run instead of launching the shell.
* ``--command-timeout=SECONDS``
Maximum seconds to allow a command to run. Default 3600.
Maximum seconds to allow a command to run.
* ``--config=CONFIG``
Read configuration from JSON file (`-` reads from stdin).
* ``--depends=one two three``
A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell
A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell.
* ``--distinct-exit``, ``--no-distinct-exit``
Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures.
* ``--docker-url``
Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows.
* ``--enable-password=ENABLE_PASSWORD``
Password for enable mode on Cisco IOS devices.
* ``--host=HOST``
Specify a remote host which is tested.
* ``--insecure``, ``--no-insecure``
Disable SSL verification on select targets
Disable SSL verification on select targets.
* ``--inspect``, ``--no-inspect``
Use verbose/debugging output for resources.
* ``-i``, ``--key-files=one two three``
@ -451,9 +520,9 @@ This subcommand has additional options:
* ``-p``, ``--port=N``
Specify the login port for a remote scan.
* ``--proxy-command=PROXY_COMMAND``
Specifies the command to use to connect to the server
Specifies the command to use to connect to the server.
* ``--reporter=one two:/output/file/path``
Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit
Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit.
* ``--self-signed``, ``--no-self-signed``
Allow remote scans with self-signed certificates (WinRM).
* ``--shell``, ``--no-shell``
@ -473,9 +542,9 @@ This subcommand has additional options:
* ``--sudo-password=SUDO_PASSWORD``
Specify a sudo password, if it is required.
* ``-t``, ``--target=TARGET``
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
Simple targeting option using URIs, e.g. ssh://user:pass@host:port.
* ``--target-id=TARGET_ID``
Provide a ID which will be included on reports
Provide a ID which will be included on reports.
* ``--user=USER``
The login user for a remote scan.
* ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only``
@ -487,7 +556,7 @@ This subcommand has additional options:
## supermarket
Supermarket commands
Supermarket commands.
### Syntax
@ -499,7 +568,7 @@ inspec supermarket SUBCOMMAND ...
## vendor
Download all dependencies and generate a lockfile in a `vendor` directory
Download all dependencies and generate a lockfile in a `vendor` directory.
### Syntax
@ -518,7 +587,7 @@ This subcommand has additional options:
## version
Prints the version of this tool
Prints the version of this tool.
### Syntax
@ -530,6 +599,6 @@ inspec version
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``--format=FORMAT``

10
docs-chef-io/content/inspec/dsl_inspec.md
View file

@ -1,12 +1,12 @@
+++
title = "Chef InSpec DSL"
title = "Chef InSpec Language"
draft = false
gh_repo = "inspec"
[menu]
[menu.inspec]
title = "Chef InSpec DSL"
identifier = "inspec/reference/dsl_inspec.md Chef InSpec DSL"
title = "Chef InSpec Language"
identifier = "inspec/reference/dsl_inspec.md Chef InSpec Language"
parent = "inspec/reference"
weight = 70
+++
@ -17,7 +17,7 @@ you write auditing controls quickly and easily. The syntax used by both open sou
and [Chef compliance](/compliance/) auditing is the same. The open source [Chef InSpec resource](/inspec/resources/)
framework is compatible with [Chef compliance](/compliance/).
The Chef InSpec DSL is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke.
The Chef InSpec Language is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke.
The following sections describe the syntax and show some simple examples of using the Chef InSpec resources.
@ -336,7 +336,7 @@ end
## Using Ruby in InSpec
The Chef InSpec DSL is a Ruby based language. This allows you to be flexible with
The Chef InSpec Language is a Ruby based language. This allows you to be flexible with
Ruby code in controls:
```ruby

2
docs-chef-io/content/inspec/dsl_resource.md
View file

@ -104,7 +104,7 @@ class ExampleConfig < Inspec.resource(1)
end
```
For a full example, see our [example resource](https://github.com/chef/inspec/blob/master/examples/profile/libraries/example_config.rb).
For a full example, see our [example resource](https://github.com/chef/inspec/blob/main/examples/profile/libraries/example_config.rb).
## Lazy Loading

116
docs-chef-io/content/inspec/glossary.md
View file

@ -30,7 +30,7 @@ Let's look at some simple examples.
### Singular Resource Example
```inspec
```ruby
describe car(owner: 'Tony Clifton') do
it { should exist }
its('license_plate') { should cmp 'MOONMAN' }
@ -73,7 +73,7 @@ _should\_not_ indicates this is a negated test. So, this test passes if the matc
### Plural Resource Example
```inspec
```ruby
describe cars.where(color: /^b/) do
it { should exist }
its('manufacturers') { should include 'Cadillac' }
@ -113,35 +113,35 @@ _'Cadillac'_ is an [expected result](#expected-result). Some matchers take an ex
#### its('count') { should _be >=_ 10 }
_be >=_ is an [operator matcher](#operator matcher). It allows you to perform numeric comparisons. All plural resources have a `count` property.
_be >=_ is an [operator matcher](#operator-matcher). It allows you to perform numeric comparisons. All plural resources have a `count` property.
## Text Glossary
### attribute
### Attribute
Deprecated name for [input](#input).
### control
### Control
### control block
### Control Block
The _`control`_ keyword is used to declare a _`control block`_. Here, the word 'control' means a 'regulatory control, recommendation, or requirement' - not a software engineering construct. A `control block` has a name (which usually refers to the assigned ID of the regulatory recommendation it implements), metadata such as descriptions, references, and tags, and finally groups together related [describe blocks](#describe-block) to implement the checks.
### core resource
### Core Resource
A [resource](#resource) that is included with InSpec; you are not required to install additional [plugins](#plugin) or depend on a [resource pack](#resource pack) to use the resource.
A [resource](#resource) that is included with InSpec; you are not required to install additional [plugins](#plugin) or depend on a [resource pack](#resource-pack) to use the resource.
### custom resource
### Custom Resource
A [resource](#resource) that is _not_ included with InSpec. It may be a resource of your own creation, or one you obtain by depending on a [resource pack](#resource pack).
A [resource](#resource) that is _not_ included with InSpec. It may be a resource of your own creation, or one you obtain by depending on a [resource pack](#resource-pack).
### describe
### Describe
### describe block
### Describe Block
The _`describe`_ keyword is used with a _`describe block`_ to refer to a Chef InSpec resource. You use the `describe` keyword along with the name of a [resource](#resource) to enclose related [tests](#test) that apply to the resource. Multiple describe blocks are usually grouped together in a [control](#control), but you can also use them outside of a control.
```Ruby
```ruby
control 'Rule 1.1 - Color restrictions' do
# Count only blue cars
describe cars.where(color: 'blue') do
@ -152,23 +152,23 @@ end
### DSL
_DSL_ is an acronym for _Domain Specific Language_. It refers to the language extensions Chef InSpec provides to make authoring resources and controls easier. While Chef InSpec control files are use Ruby, the _Control DSL_ makes it easy to write controls without knowledge of Ruby by providing DSL keywords such as [describe](#describe), [control](#control), [it](#it) and [its](#its). See the [Chef InSpec DSL page](/inspec/dsl_inspec/) for details about keywords available to control authors.
_DSL_ is an acronym for _Domain Specific Language_. It refers to the language extensions Chef InSpec provides to make authoring resources and controls easier. While Chef InSpec control files are use Ruby, the _Control DSL_ makes it easy to write controls without knowledge of Ruby by providing DSL keywords such as [describe](#describe), [control](#control), [it](#it) and [its](#its). See the [Chef InSpec Language page](/inspec/dsl_inspec/) for details about keywords available to control authors.
For [custom resource](#custom-resource) authors, an additional DSL is available - see the [Resource DSL page](/inspec/dsl_resource/).
For [custom resource](#custom-resource) authors, an additional DSL is available - see the [Resource Language page](/inspec/dsl_resource/).
### expected result
### Expected Result
When using a [matcher](#matcher), the _`expected result`_ is the value the matcher will compare against the [property](#property) being accessed.
In this example, the [`cmp`](/inspec/matchers/#cmp) matcher is being used to compare the `color` property to the expected result 'black'.
```Ruby
```ruby
describe car(owner: 'Bruce Wayne') do
its('color') { should cmp 'black' }
end
```
### filter statement
### Filter Statement
When using a [plural resource](#plural-resource), a _`filter statement`_ is used to select individual test subjects using [filter criteria](#filter-criteria). A filter statement almost always is indicated by the keyword `where`, and may be repeated using method chaining.
@ -176,16 +176,16 @@ A filter statement may use method call syntax (which allows basic criteria opera
In this example, `where(...)` is the filter statement.
```Ruby
```ruby
# Count only blue cars
describe cars.where(color: 'blue') do
its('count') { should eq 20 }
end
```
### filter criterion
### Filter Criterion
### filter criteria
### Filter Criteria
When using a [plural resource](#plural-resource), a _`filter criterion`_ is used to select individual test subjects within a [filter statement](#filter-statement). You may use multiple _`filter criteria`_ in a single filter statement.
@ -193,7 +193,7 @@ When method-call syntax is used with the filter statement, you provide filter cr
Here, `(color: blue)` is a single filter criterion being used with a filter statement in method-call syntax.
```Ruby
```ruby
# Count only blue cars
describe cars.where(color: 'blue') do
its('count') { should eq 20 }
@ -204,14 +204,14 @@ When block-method syntax is used with the filter statement, you provide a block.
Here, `{ engine_cylinders >= 6 }` is a block-syntax filter statement referring to one filter criterion.
```Ruby
```ruby
# Vroom!
describe cars.where { engine_cylinders >= 6 } do
its('city_mpg_ratings') { should_not include '4-star' }
end
```
### input
### Input
An _`input`_ is a value that Chef InSpec can source from a number of providers, including from the command line, profile metadata, or within the control file DSL itself. You can use this feature either to change a [profile's](#profile) behavior by passing different attribute files or to store secrets that should not be directly present in a profile.
@ -221,7 +221,7 @@ The CLI syntax for inputs is documented under the [`inspec exec`](/inspec/cli/#e
Inputs are documented in detail in the [input documentation](/inspec/inputs/).
### it
### It
Within a [describe block](#describe), _`it`_ declares an individual [test](#test) directly against the [resource](#resource) (as opposed to testing against one of the resource's [properties](#property), as [its](#its) does). Though it is possible to use [universal matchers](#universal-matcher) with `it`, it is much more typical to use [resource-specific matchers](#resource-specific-matchers).
@ -229,13 +229,13 @@ Within a [describe block](#describe), _`it`_ declares an individual [test](#test
Here, `it { should ... }` declares a test, calling the `classy?` matcher on Tony Clifton's car.
```Ruby
```ruby
describe car(owner: 'Tony Clifton') do
it { should be_classy }
end
```
### its
### Its
Within a [describe block](#describe), _`its`_ declares an individual [test](#test) against a property of the [resource](#resource) (as opposed to testing directly against the resource itself, as [it](#it) does). You must use [universal matchers](#universal-matcher) with `its`; you cannot use [resource-specific matchers](#resource-specific-matchers).
@ -245,7 +245,7 @@ The property to access is passed as a single string argument to `its`. As an adv
Here, `its('fuzzy_dice') { should ... }` declares a test, testing against the `fuzzy_dice` property of Tony Clifton's car. Let's assume - Tony being Tony - that `fuzzy_dice` will return an Array.
```Ruby
```ruby
describe car(owner: 'Tony Clifton') do
its('fuzzy_dice') { should_not be_empty }
its('fuzzy_dice.count') { should be >= 2 }
@ -253,7 +253,7 @@ describe car(owner: 'Tony Clifton') do
end
```
### matcher
### Matcher
A _`matcher`_ performs the actual assertions against [resources](#resource) or the [properties](#property) of resources. Matchers always return a true/false value. Matchers fall into two camps:
@ -266,13 +266,33 @@ For information on how RSpec matchers are related o Chef InSpec matchers, see [C
Here, `be_classy` is a resource-specific matcher operating directly on the `car`, while `cmp` is a universal matcher operating on the `manufacturer` property.
```Ruby
```ruby
describe car(owner: 'Tony Clifton') do
it { should be_classy }
its('manufacturer') { should cmp 'Cadillac' }
end
```
### Operator Matcher
An operator matcher allows you to use operators to compare numerical [expected results](#expected-result) against a [property](#property). All plural resources have a `count` property.
For example:
```ruby
describe cars do
its('count') { should be >= 10 }
end
```
Operators include:
- `==`
- `>=`
- `<=`
- `>`
- `<`
### plural resource
A _`plural resource`_ is a [resource](#resource) that specializes in performing searches and represents multiple occurrences of the resource on the [target](#target) platform. Plural resources are used to audit counts, inspect group properties, and have the unique ability to enforce negative tests ("nothing like this should exist") often required by compliance standards. Plural resources are not intended to perform in-depth auditing of an individual; use [singular resources](#singular-resource) for that.
@ -283,7 +303,7 @@ Plural resources support [filter statements](#filter-statement). See the [resour
Here, `cars` is a plural resource.
```Ruby
```ruby
describe cars.where(color: 'blue') do
its('count') { should eq 20 }
its('license_plates') { should include 'AUTOAZUL' }
@ -297,7 +317,7 @@ describe cars.where(color: 'blue') do
end
```
### profile
### Profile
A _`profile`_ is a set of related [controls](#control) in a distributable form. You might have a locally-developed profile that your organization uses to define baseline security on all machines, or you might use a pre-defined profile that implements the requirements of a specific compliance standard. For full details about the capabilities of a profile, see the [profile documentation](/inspec/profiles/).
@ -305,7 +325,7 @@ Profiles may be distributed locally as a directory tree, as a tarball or zipfile
Aside from controls, profiles can also contain [custom resources](#custom-resource). If the profile contains only custom resources and no controls, we call it a [resource pack](#resource-pack).
### property
### Property
A fact about a [resource](#resource). Typically, you use the [its](#its) keyword to access the property and write a [test](#test) within a [describe block](#describe-block), and then use a [universal matcher](#universal-matcher) to make assertions about the value of the property.
@ -313,17 +333,17 @@ Each resource has different properties. See the [resource documentation](/inspec
Here, `manufacturer` is a property of the `car` resource.
```Ruby
```ruby
describe car(owner: 'Tony Clifton') do
its('manufacturer') { should cmp 'Cadillac' }
end
```
### reporter
### Reporter
An output format for the `inspec exec` command line. Several reporters are available, including JSON and JUnit; see the [inspec exec documentation](/inspec/cli/#exec).
### resource
### Resource
A _`resource`_ represents a category of things on the [target](#target) you wish to examine. For example, to check for the existence and permissions of a file, you would use the [`file`](/inspec/resources/file/) resource. Chef InSpec offers dozens of different resources, from the highly specialized (such as `aws_security_group`, which examines firewall rules in AWS) to the very general (such as `command`, which runs a command and lets you examine its output).
@ -333,17 +353,17 @@ Resources are used within a [describe block](#describe-block) to perform [tests]
Here, `car` is a resource.
```Ruby
```ruby
describe car(owner: 'Tony Clifton') do
it { should be_classy }
end
```
### resource pack
### Resource Pack
A _resource pack_ is a type of [profile](#profile) that is used to distribute [custom resources](#custom-resource). This specialized type of profile contains no [controls](#control), but it does contain a `libraries` directory within which Ruby files define custom resources.
### resource parameter
### Resource Parameter
_`resource parameters`_ are information passed to the resource when they are declared. Typically, resource parameters provide identifying information or connectivity information. Resource parameters are not the same as a [filter statement](#filter-statement).
@ -351,39 +371,39 @@ Resource parameters vary from resource to resource; refer to the [resource docum
Here, `owner: 'Tony Clifton'` is a resource parameter.
```Ruby
```ruby
describe car(owner: 'Tony Clifton') do
it { should be_classy }
end
```
### resource-specific matcher
### Resource-Specific Matcher
A [matcher](#matcher) that operates directly on the [resource](#resource), as opposed to operating on a property as a [universal matcher](#universal matcher) does.
A [matcher](#matcher) that operates directly on the [resource](#resource), as opposed to operating on a property as a [universal matcher](#universal-matcher) does.
Resource-specific matchers often provide highly customized behavior. Check the [resource documentation](#/inspec/resources/) to discover which resource-specific matchers are available for your resource.
For example, the hypothetical `car` resource defines a `classy?` method, which is exposed as the `be_classy` matcher in Chef InSpec tests.
```Ruby
```ruby
describe car(owner: 'Tony Clifton') do
it { should be_classy }
end
```
### singular resource
### Singular Resource
A [resource](#resource) intended to uniquely identify a single object on the [target](#target). Singular resources specialize in providing richer auditing capabilities via resource-specific matchers. Compare to [plural resources](#plural-resource).
### target
### Target
The _`target`_ is the OS or API on which Chef InSpec is performing audits. In Chef InSpec 1.x, this was always an operating system target (a bare metal machine, VM, or container). In Chef InSpec 2.x and later, this can be an OS target, or an API target, including cloud providers such as AWS. Chef InSpec is agentless, meaning that the Chef InSpec code and profiles remain on your workstation, and the target is remotely interrogated without installing anything.
### test
### Test
A _`test`_ is an individual assertion about the state of the [resource](#resource) or one of its [properties](#property). All tests begin with the keyword [it](#it) or [its](#its). Tests are grouped within a [describe block](#describe-block).
### universal matcher
### Universal Matcher
A _universal matcher_ is a [matcher](#matcher) that can be used on the [properties](#property) of any type of [resource](#resource). For example, you can use the `cmp` matcher to check the value of properties without having to worry about Ruby type-casting. Universal matchers are almost always used with the [its](#its) keyword.
@ -391,7 +411,7 @@ Universal matchers are documented on the [Universal Matchers](/inspec/matchers/)
Here, we access the 'color' property, then use the `cmp` universal matcher to compare the property to the 'black' [expected result](#expected-result).
```Ruby
```ruby
describe car(owner: 'Bruce Wayne') do
its('color') { should cmp 'black' }
end

6
docs-chef-io/content/inspec/inputs.md
View file

@ -416,6 +416,12 @@ input values that are used as test results.
Allowed in: Metadata
### Pattern
Optional, `Regexp`. This feature validates the input by matching it with the provided regular expression.
Allowed in: DSL, Metadata
## Advanced Topics
### Debugging Inputs with the Event Log

14
docs-chef-io/content/inspec/platforms.md
View file

@ -35,7 +35,7 @@ create an IAM user specifically for auditing activities.
#### Using Environment Variables to provide credentials
You may provide the credentials to Chef InSpec by setting the following environment
variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_KEY_ID`. You may
variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_ACCESS_KEY`. You may
also use `AWS_PROFILE`, or if you are using MFA, `AWS_SESSION_TOKEN`. See the
[AWS Command Line Interface Docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html)
for details.
@ -163,7 +163,7 @@ version is 3.0.25.
With a version of InSpec above 4.0.0, it is possible to create a profile with the
following command:
```
```bash
$ inspec init profile --platform gcp my-profile
Create new profile at /Users/me/my-profile
* Creating directory libraries
@ -171,15 +171,15 @@ Create new profile at /Users/me/my-profile
* Creating directory controls
* Creating file controls/example.rb
* Creating file inspec.yml
* Creating file attributes.yml
* Creating file inputs.yml
* Creating file libraries/.gitkeep
```
Assuming the attributes yml file contains your GCP project ID, this sample
Assuming the `inputs.yml` file contains your GCP project ID, this sample
profile can then be executed using the following command:
```
inspec exec my-profile --attrs my-profile/attributes.yml -t gcp://
```bash
inspec exec my-profile --input-file=my-profile/inputs.yml -t gcp://
```
#### Setting up the GCP Credentials File
@ -216,4 +216,4 @@ $ inspec detect -t gcp://
Name: gcp
Families: cloud, api
Release: google-cloud-v
```
```

8
docs-chef-io/content/inspec/plugin_kitchen_inspec.md
View file

@ -35,11 +35,17 @@ suites:
and then run the following command:
```bash
inspec compliance login https://compliance.test --user admin --insecure --token ''
inspec automate login https://compliance.test --user admin --insecure --token ''
```
where `--insecure` is required when using self-signed certificates.
`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way:
```bash
inspec compliance login https://compliance.test --user admin --insecure --token ''
```
Use a compliance profile from the Chef Supermarket:
```YML

4
docs-chef-io/content/inspec/plugins.md
View file

@ -76,9 +76,9 @@ inspec plugin install --source https://my.private.server inspec-private-plugin
### Chef InSpec Plugins
For details on how to author a Chef InSpec Plugin, see the
[developer documentation](https://github.com/inspec/inspec/blob/master/dev-docs/plugins.md)
[developer documentation](https://github.com/inspec/inspec/blob/main/dev-docs/plugins.md)
### Train Plugins
For details on how to author a Train Plugin, see the
[developer documentation](https://github.com/inspec/train/blob/master/docs/plugins.md)
[developer documentation](https://github.com/inspec/train/blob/main/docs/plugins.md)

16
docs-chef-io/content/inspec/profiles.md
View file

@ -41,7 +41,7 @@ where:
- `README.md` should be used to explain the profile, its scope, and usage
See a complete example profile in the Chef InSpec open source repository:
[Example Chef InSpec Profile](https://github.com/chef/inspec/tree/master/examples/profile)
[Example Chef InSpec Profile](https://github.com/chef/inspec/tree/main/examples/profile)
Also check out [Explore Chef InSpec resources](https://learn.chef.io/modules/explore-inspec-resources#/)
on Learn Chef Rally to learn more about how profiles are structured with hands-on-examples.
@ -132,25 +132,25 @@ supports:
- platform-name: debian
```
To target only Ubuntu version 14.04, use:
To target only Ubuntu version 20.04, use:
```YAML
name: ssh
supports:
- platform-name: ubuntu
release: 14.04
release: 20.04
```
To target the entire release of Ubuntu version 14.x, use:
To target the entire release of Ubuntu version 20.x, use:
```YAML
name: ssh
supports:
- platform-name: ubuntu
release: 14.*
release: 20.*
```
To target the entire RedHat platform (including CentOS and Oracle Linux), use:
To target the Red Hat and derivitive platforms such as CentOS and Oracle Linux, use:
```YAML
name: ssh
@ -158,7 +158,7 @@ supports:
- platform-family: redhat
```
To target the entire Windows 2019 platform family including Datcenter and Core Servers, use:
To target the entire Windows 2019 platform family including Datacenter and Core Servers, use:
```YAML
name: ssh
@ -181,7 +181,7 @@ name: ssh
supports:
- platform-name: debian
- platform-name: ubuntu
release: 14.04
release: 20.04
- platform-family: redhat
- platform: aws
```

31
docs-chef-io/content/inspec/reporters.md
View file

@ -90,6 +90,35 @@ Output cli to screen and write json to a file.
}
}
```
## Reporter Options
The following are CLI options that may be used to modify reporter behavior. Many of these options allow you to limit the size of the report, because some reporters (such as the json-automate reporter) have a limit on the total size of the report that can be processed.
`--diff`, `--no-diff`
: Include a `diff` comparison of textual differences in failed test output (default: `true`).
: Use `--no-diff` to limit the size of the report output when tests contain large amounts of text output.
`--filter-empty-profiles`
: Remove empty profiles (those containing zero controls, such as resource packs) from the output of the reporter.
`--reporter-backtrace-inclusion`, `--no-reporter-backtrace-inclusion`
: Include a code backtrace in report data (default: `true`).
: The `--no-reporter-backtrace-inclusion` option may be used to limit report size when large code stack traces are present in the output.
`--reporter-include-source`
: (CLI reporter only) Include full source code of controls in the report.
`--reporter-message-truncation=N`
: Number of characters to truncate failure messages in report data (default: no truncation).
: This may be used to limit the size of reports when failure messages are exceptionally large.
## Supported Reporters
@ -101,7 +130,7 @@ This is the basic text base report. It includes details about which tests passed
### json
This reporter includes all information about the profiles and test results in standard JSON format. You may optionally pass through arbitrary structured JSON data by setting a JSON configuration with the `--config` parameter.
This reporter includes all information about the profiles and test results in standard JSON format. You may optionally pass through arbitrary structured JSON data by setting a JSON configuration with the `--config` parameter.
For example:

4
docs-chef-io/content/inspec/resources/apache_conf.md
View file

@ -19,6 +19,10 @@ Use the `apache_conf` Chef InSpec audit resource to test the configuration setti
This resource is distributed along with Chef InSpec itself. You can use it automatically.
### Requirements
`ServerRoot` must be included in an Apache configuration file. If not present, the included configurations will not be accessible to the resource.
### Version
This resource first became available in v1.0.0 of InSpec.

1
docs-chef-io/content/inspec/resources/aws_ecr_repository.md
View file

@ -11,7 +11,6 @@ platform = "aws"
parent = "inspec/resources/aws"
+++
[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/aws_ecr_repository.md)
Use the `aws_ecr_repository` InSpec audit resource to test the properties of a single AWS Elastic Container Registry (ECR) repository.
This resource is available in InSpec AWS resource pack version **[1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0)** onwards.

1
docs-chef-io/content/inspec/resources/aws_efs_file_system.md
View file

@ -11,7 +11,6 @@ platform = "aws"
parent = "inspec/resources/aws"
+++
[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/inspec/rources/aws_efs_file_system.md)
Use the `aws_efs_file_system` InSpec audit resource to test the properties of a single AWS EFS file system.
This resource is added to InSpec AWS resource pack in version **[1.10.0](https://github.com/inspec/inspec-aws/releases/tag/v1.10.0)** and it is available with InSpec **[4.18.108](https://github.com/inspec/inspec/releases/tag/v4.18.108)** and later versions.

1
docs-chef-io/content/inspec/resources/aws_elasticache_cluster.md
View file

@ -11,7 +11,6 @@ platform = "aws"
parent = "inspec/resources/aws"
+++
[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/aws_elasticache_cluster.md)
Use the `aws_elasticache_cluster` InSpec audit resource to test the properties of a single AWS ElastiCache cluster.

2
docs-chef-io/content/inspec/resources/aws_nat_gateway.md
View file

@ -102,7 +102,7 @@ There are also additional properties available. For a comprehensive list, see [t
its('nat_gateway_address_set') { should include(:private_ip => '10.0.1.68') }
end
For more examples, please check the [integration tests](https://github.com/inspec/inspec-aws/blob/master/test/integration/verify/controls/aws_nat_gateway.rb).
For more examples, please check the [integration tests](https://github.com/inspec/inspec-aws/blob/main/test/integration/verify/controls/aws_nat_gateway.rb).
## Matchers

4
docs-chef-io/content/inspec/resources/aws_nat_gateways.md
View file

@ -56,7 +56,7 @@ using `aws_nat_gateway` InSpec singular AWS resource.
end
end
For more examples, please check the [integration tests](https://github.com/inspec/inspec-aws/blob/master/test/integration/verify/controls/aws_nat_gateways.rb).
For more examples, please check the [integration tests](https://github.com/inspec/inspec-aws/blob/main/test/integration/verify/controls/aws_nat_gateways.rb).
## Matchers
@ -77,7 +77,7 @@ Use `should_not` to test the entity should not exist.
it { should_not exist }
end
Please see [here](https://github.com/inspec/inspec/blob/master/docs/dev/filtertable-usage.md) for more information on how to use filter table.
Please see [here](https://github.com/inspec/inspec/blob/main/docs/dev/filtertable-usage.md) for more information on how to use filter table.
## AWS Permissions

2
docs-chef-io/content/inspec/resources/aws_organizations_member.md
View file

@ -50,7 +50,7 @@ _**If the current Account is the Master Account, the following properties are al
| ------------- | ------------------------------------------------------ |
| account_id | The ID of the current Account. |
| account_arn | The ARN of the current Account. |
| account_name | The Name of the current Acccount. |
| account_name | The Name of the current Account. |
| account_email | The Email address associated with the current Account. |
## Examples

4
docs-chef-io/content/inspec/resources/aws_sns_subscription.md
View file

@ -11,7 +11,7 @@ platform = "aws"
parent = "inspec/resources/aws"
+++
[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/aws_sns_subscription.md)
[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/main/docs-chef-io/content/aws_sns_subscription.md)
Use the `aws_sns_subscription` InSpec audit resource to test detailed properties of a AWS SNS Subscription.
@ -52,7 +52,7 @@ See also the [AWS documentation on SNS](https://docs.aws.amazon.com/sns/latest/d
its('endpoint') { should cmp '+16105551234' }
# If protocol is 'email' or 'email-json', endpoint should be an email address
its('endpoint') { should cmp 'myemail@example.com' }
# If protocal is 'http', endpoint should be a URL beginning with 'https://'
# If protocol is 'http', endpoint should be a URL beginning with 'https://'
its('endpoint') { should cmp 'https://www.exampleurl.com' }
# If the protocol is 'lambda', its endpoint should be the ARN of a AWS Lambda function
its('endpoint') { should cmp 'rn:aws:lambda:us-east-1:account-id:function:myfunction' }

2
docs-chef-io/content/inspec/resources/azure_generic_resource.md
View file

@ -178,4 +178,4 @@ This Chef InSpec audit resource has the following special matchers. For a full l
Please see the integration tests for in depth examples of how this resource can be used.
[Chef InSpec Integration Tests for Azure Generic Resources](https://github.com/chef/inspec/tree/master/test/integration/azure/verify/controls)
[Chef InSpec Integration Tests for Azure Generic Resources](https://github.com/chef/inspec/tree/main/test/integration/azure/verify/controls)

2
docs-chef-io/content/inspec/resources/azure_resource_group.md
View file

@ -291,5 +291,5 @@ Note: The tag name is case sensitive which makes the test case sensitive. E.g. `
For more information on Azure Ruby SDK resources, see:
- [Azure Ruby SDK - Resources](https://github.com/Azure/azure-sdk-for-ruby/tree/master/management/azure_mgmt_resources)
- [Azure Ruby SDK - Resources](https://github.com/Azure/azure-sdk-for-ruby/tree/main/management/azure_mgmt_resources)
- [Resource Group](https://github.com/chef/inspec/blob/fc990346f2438690f0ac36a9f6606e61574a79b8/test/azure/verify/controls/resource_group.rb)

2
docs-chef-io/content/inspec/resources/azure_virtual_machine.md
View file

@ -348,6 +348,6 @@ Note: The tag name is case sensitive which makes the test case sensitive. E.g. `
## References
- [Azure Ruby SDK - Resources](https://github.com/Azure/azure-sdk-for-ruby/tree/master/management/azure_mgmt_resources)
- [Azure Ruby SDK - Resources](https://github.com/Azure/azure-sdk-for-ruby/tree/main/management/azure_mgmt_resources)
- [Virtual Machine External VM](https://github.com/chef/inspec/blob/fc990346f2438690f0ac36a9f6606e61574a79b8/test/azure/verify/controls/virtual_machine_external_vm.rb)
- [Virtual Machine Internal VM](https://github.com/chef/inspec/blob/fc990346f2438690f0ac36a9f6606e61574a79b8/test/azure/verify/controls/virtual_machine_internal_vm.rb)

6
docs-chef-io/content/inspec/resources/azure_virtual_machine_data_disk.md
View file

@ -221,6 +221,6 @@ Returns a boolean stating if the machine has Managed Disks for data disks.
## References
- [Azure Ruby SDK - Compute](https://github.com/Azure/azure-sdk-for-ruby/tree/master/management/azure_mgmt_compute)
- [Linux Internal Data Disks](https://github.com/chef/inspec/blob/master/test/azure/verify/controls/virtual_machine_linux_external_vm_datadisk.rb)
- [Windows Internal Data Disk](https://github.com/chef/inspec/blob/master/test/azure/verify/controls/virtual_machine_windows_internal_vm_datadisk.rb)
- [Azure Ruby SDK - Compute](https://github.com/Azure/azure-sdk-for-ruby/tree/main/management/azure_mgmt_compute)
- [Linux Internal Data Disks](https://github.com/chef/inspec/blob/main/test/azure/verify/controls/virtual_machine_linux_external_vm_datadisk.rb)
- [Windows Internal Data Disk](https://github.com/chef/inspec/blob/main/test/azure/verify/controls/virtual_machine_windows_internal_vm_datadisk.rb)

2
docs-chef-io/content/inspec/resources/azurerm_monitor_activity_log_alert.md
View file

@ -69,7 +69,7 @@ name and resource group.
## Parameter Examples
The resource group as well as the Activty Log Alert
The resource group as well as the Activity Log Alert
name.
describe azurerm_monitor_activity_log_alert(resource_group: 'example', name: 'AlertName') do

6
docs-chef-io/content/inspec/resources/azurerm_network_security_group.md
View file

@ -99,21 +99,21 @@ The default_security_rules property contains the set of Default Security Rules.
### allow_ssh_from_internet
The allow_ssh_from_internet property contains a boolean value determined by analysing
The allow_ssh_from_internet property contains a boolean value determined by analyzing
the Security Rules and Default Security Rules for unrestricted SSH access.
it { should_not allow_ssh_from_internet }
### allow_rdp_from_internet
The allow_rdp_from_internet property contains a boolean value determined by analysing
The allow_rdp_from_internet property contains a boolean value determined by analyzing
the Security Rules and Default Security Rules for unrestricted RDP access.
it { should_not allow_rdp_from_internet }
### allow\port_from_internet
The allow_port_from_internet property contains a boolean value determined by analysing
The allow_port_from_internet property contains a boolean value determined by analyzing
the Security Rules and Default Security Rules for unrestricted access to a specified port.
it { should_not allow_port_from_internet('443') }

9
docs-chef-io/content/inspec/resources/bond.md
View file

@ -75,11 +75,10 @@ The `params` matcher tests arbitrary parameters for the bonded network interface
describe bond('bond0') do
its('mode') { should eq 'IEEE 802.3ad Dynamic link aggregation' }
its('Transmit Hash Policy') { should eq 'layer3+4 (1)' }
its('MII Status') { should eq 'up' }
its('MII Polling Interval (ms)') { should eq '100' }
its('Up Delay (ms)') { should eq '0' }
its('Down Delay (ms)') { should eq '0' }
its('params') { should have_key 'Transmit Hash Policy' }
its('params') { should include 'Transmit Hash Policy' => 'layer3+4 (1)' }
its('params') { should have_key 'MII Status' }
its('params') { should include 'MII Status' => 'up' }
end
## Matchers

45
docs-chef-io/content/inspec/resources/cassandradb_conf.md Normal file
View file

@ -0,0 +1,45 @@
+++
title = "cassandradb_conf resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "cassandradb_conf"
identifier = "inspec/resources/os/cassandradb_conf.md cassandradb_conf resource"
parent = "inspec/resources/os"
+++
Use the `cassandradb_conf` Chef InSpec audit resource to test the configuration of a Cassandra database, which is typically located at `$CASSANDRA_HOME/cassandra.yaml` or `$CASSANDRA_HOME\conf\cassandra.yaml` depending upon the platform.
## Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
## Requirements
- The value of the `CASSANDRA_HOME` environment variable must be set in the system.
## Syntax
A `cassandradb_conf` resource block fetches configurations in the `cassandra.yaml` file, and then compares them with the value stated in the test:
describe cassandradb_conf do
its('config item') { should eq 'value' }
end
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test parameters set within the configuration file
describe cassandradb_conf do
its('listen_address') { should eq 'localhost' }
its('num_tokens') { should eq 16 }
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

76
docs-chef-io/content/inspec/resources/cassandradb_session.md Normal file
View file

@ -0,0 +1,76 @@
+++
title = "cassandradb_session resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "cassandradb_session"
identifier = "inspec/resources/os/cassandradb_session.md cassandradb_session resource"
parent = "inspec/resources/os"
+++
Use the `cassandradb_session` Chef InSpec audit resource to test Cassandra Query Language (CQL) commands run against a Cassandra database.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
## Syntax
A `cassandradb_session` resource block declares the username, password, host, and port to use for the session, and then the command to be run:
describe cassandradb_session(user: 'USERNAME', password: 'PASSWORD', host: 'localhost', port: 9042).query('QUERY') do
its('value') { should eq('EXPECTED') }
end
where
- `cassandradb_session` declares a username, password, host and port to run the query.
- `query('QUERY')` contains the query to be run.
- `its('value') { should eq('expected') }` compares the results of the query against the expected result in the test.
### Optional Parameters
The `cassandradb_session` InSpec resource accepts `user`, `password`, `host`, and `port` parameters.
In Particular:
#### `user`
Default value: `cassandra`.
#### `password`
Default value: `cassandra`.
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test for matching values using a Cassandra query
```ruby
cql = cassandradb_session(user: 'MY_USER', password: 'PASSWORD', host: 'localhost', port: 9042)
describe cql.query("SELECT cluster_name FROM system.local") do
its('output') { should match /Test Cluster/ }
end
```
### Test for matching values using a Cassandra query from a sample database
```ruby
cql = cassandradb_session(user: 'MY_USER', password: 'PASSWORD', host: 'localhost', port: 9042)
describe cql.query("use SAMPLEDB; SELECT name FROM SAMPLETABLE") do
its('output') { should match /Test Name/ }
end
```
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

75
docs-chef-io/content/inspec/resources/chrony_conf.md Normal file
View file

@ -0,0 +1,75 @@
+++
title = "chrony_conf resource"
draft = false
gh_repo = "inspec"
platform = "linux"
[menu]
[menu.inspec]
title = "chrony_conf"
identifier = "inspec/resources/os/chrony_conf.md chrony_conf resource"
parent = "inspec/resources/os"
+++
Use the `chrony_conf` Chef InSpec audit resource to test the synchronization settings defined in the `chrony.conf` file. This file is typically located at `/etc/chrony.conf`.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
<!-- TODO: needs version number -->
<!-- ### Version
This resource first became available in v of InSpec. -->
## Syntax
An `chrony_conf` resource block declares the synchronization settings that should be tested:
```ruby
describe chrony_conf('PATH') do
its('setting_name') { should eq 'VALUE' }
end
```
where:
- `'setting_name'` is a synchronization setting defined in the `chrony.conf` file.
- `('path')` is the non-default path to the `chrony.conf` file (default path is `/etc/chrony.conf`).
- `{ should eq 'value' }` is the value that is expected.
## Examples
The following examples show how to use this Chef InSpec audit resource.
This resource matches any service listed in the `chrony.conf` file.
### Test for clock drift against named servers
```ruby
describe chrony_conf do
its('driftfile') { should cmp '/var/lib/chrony/drift' }
its('server') do
should cmp [
'0.ubuntu.pool.ntp.org',
'1.ubuntu.pool.ntp.org',
'2.ubuntu.pool.ntp.org'
]
end
end
```
### Test that an NTP server exists and a specific subnet is specified from which NTP clients are accessible
```ruby
describe chrony_conf do
its('server') { should_not eq nil }
its('allow') { should include '192.168.0.0/16'}
end
```
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

17
docs-chef-io/content/inspec/resources/csv.md
View file

@ -27,20 +27,35 @@ This resource first became available in v1.0.0 of InSpec.
A `csv` resource block declares the configuration data to be tested:
describe csv('file') do
describe csv('file', true) do
its('name') { should cmp 'foo' }
end
Test `csv` file without headers
describe csv('file', false).params do
its([0]) { should cmp 'name' }
end
where
- `'file'` is the path to a CSV file
- `true` or `false` tests a CSV file with or without headers. Default value: `true`.
- `name` is a configuration setting in a CSV file
- `should eq 'foo'` tests a value of `name` as read from a CSV file versus the value declared in the test
- `params` is the method for fetching data from a CSV file without headers.
- `[0]` is the array element position.
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test a CSV file without headers
describe csv('some_file.csv', false).params do
its([0]) { should eq ["name"] }
end
### Test a CSV file
describe csv('some_file.csv') do

64
docs-chef-io/content/inspec/resources/google_container_node_pool.md
View file

@ -41,19 +41,19 @@ end
### Test GCP container node pool disk size in GB is as expected
describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do
its('node_config.disk_size_gb'){should eq 100}
its('config.disk_size_gb'){should eq 100}
end
### Test GCP container node pool machine type is as expected
describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do
its('node_config.machine_type'){should eq "n1-standard-1"}
its('config.machine_type'){should eq "n1-standard-1"}
end
### Test GCP container node pool node image type is as expected
describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do
its('node_config.image_type'){should eq "COS"}
its('config.image_type'){should eq "COS"}
end
### Test GCP container node pool initial node count is as expected
@ -72,61 +72,61 @@ Properties that can be accessed from the `google_container_node_pool` resource:
`config`
: The node configuration of the pool.
`machine_type`
* `machine_type`
: The name of a Google Compute Engine machine type (e.g. n1-standard-1). If unspecified, the default machine type is n1-standard-1.
`disk_size_gb`
* `disk_size_gb`
: Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB. If unspecified, the default disk size is 100GB.
`oauth_scopes`
* `oauth_scopes`
: The set of Google API scopes to be made available on all of the node VMs under the "default" service account. The following scopes are recommended, but not required, and by default are not included: https://www.googleapis.com/auth/compute is required for mounting persistent storage on your nodes. https://www.googleapis.com/auth/devstorage.read_only is required for communicating with gcr.io (the Google Container Registry). If unspecified, no scopes are added, unless Cloud Logging or Cloud Monitoring are enabled, in which case their required scopes will be added.
`service_account`
* `service_account`
: The Google Cloud Platform Service Account to be used by the node VMs. If no Service Account is specified, the "default" service account is used.
`metadata`
* `metadata`
: The metadata key/value pairs assigned to instances in the cluster. Keys must conform to the regexp [a-zA-Z0-9-_]+ and be less than 128 bytes in length. These are reflected as part of a URL in the metadata server. Additionally, to avoid ambiguity, keys must not conflict with any other metadata keys for the project or be one of the four reserved keys: "instance-template", "kube-env", "startup-script", and "user-data" Values are free-form strings, and only have meaning as interpreted by the image running in the instance. The only restriction placed on them is that each value's size must be less than or equal to 32 KB. The total size of all keys and values must be less than 512 KB. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
`image_type`
* `image_type`
: The image type to use for this node. Note that for a given image type, the latest version of it will be used.
`labels`
* `labels`
: The map of Kubernetes labels (key/value pairs) to be applied to each node. These will added in addition to any default label(s) that Kubernetes may apply to the node. In case of conflict in label keys, the applied set may differ depending on the Kubernetes version -- it's best to assume the behavior is undefined and conflicts should be avoided. For more information, including usage and the valid values, see: http://kubernetes.io/v1.1/docs/user-guide/labels.html An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
`local_ssd_count`
* `local_ssd_count`
: The number of local SSD disks to be attached to the node. The limit for this value is dependant upon the maximum number of disks available on a machine per zone. See: https://cloud.google.com/compute/docs/disks/local-ssd#local_ssd_limits for more information.
`tags`
* `tags`
: The list of instance tags applied to all nodes. Tags are used to identify valid sources or targets for network firewalls and are specified by the client during cluster or node pool creation. Each tag within the list must comply with RFC1035.
`preemptible`
* `preemptible`
: Whether the nodes are created as preemptible VM instances. See: https://cloud.google.com/compute/docs/instances/preemptible for more information about preemptible VM instances.
`accelerators`
* `accelerators`
: A list of hardware accelerators to be attached to each node
`accelerator_count`
* `accelerator_count`
: The number of the accelerator cards exposed to an instance.
`accelerator_type`
* `accelerator_type`
: The accelerator type resource name
`disk_type`
* `disk_type`
: Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') If unspecified, the default disk type is 'pd-standard'
`min_cpu_platform`
* `min_cpu_platform`
: Minimum CPU platform to be used by this instance. The instance may be scheduled on the specified or newer CPU platform
`taints`
* `taints`
: List of kubernetes taints to be applied to each node.
`key`
* `key`
: Key for taint
`value`
* `value`
: Value for taint
`effect`
* `effect`
: Effect for taint
`initial_node_count`
@ -144,43 +144,43 @@ Properties that can be accessed from the `google_container_node_pool` resource:
`autoscaling`
: Autoscaler configuration for this NodePool. Autoscaler is enabled only if a valid configuration is present.
`enabled`
* `enabled`
: Is autoscaling enabled for this node pool.
`min_node_count`
* `min_node_count`
: Minimum number of nodes in the NodePool. Must be >= 1 and <= maxNodeCount.
`max_node_count`
* `max_node_count`
: Maximum number of nodes in the NodePool. Must be >= minNodeCount. There has to enough quota to scale up the cluster.
`management`
: Management configuration for this NodePool.
`auto_upgrade`
* `auto_upgrade`
: A flag that specifies whether node auto-upgrade is enabled for the node pool. If enabled, node auto-upgrade helps keep the nodes in your node pool up to date with the latest release version of Kubernetes.
`auto_repair`
* `auto_repair`
: A flag that specifies whether the node auto-repair is enabled for the node pool. If enabled, the nodes in this node pool will be monitored and, if they fail health checks too many times, an automatic repair action will be triggered.
`upgrade_options`
* `upgrade_options`
: Specifies the Auto Upgrade knobs for the node pool.
`auto_upgrade_start_time`
* `auto_upgrade_start_time`
: This field is set when upgrades are about to commence with the approximate start time for the upgrades, in RFC3339 text format.
`description`
* `description`
: This field is set when upgrades are about to commence with the description of the upgrade.
`max_pods_constraint`
: The constraint on the maximum number of pods that can be run simultaneously on a node in the node pool.
`max_pods_per_node`
* `max_pods_per_node`
: Constraint enforced on the max num of pods per node.
`conditions`
: Which conditions caused the current node pool state.
`code`
* `code`
: Machine-friendly representation of the condition.
Possible values:

16
docs-chef-io/content/inspec/resources/google_project_alert_policy.md
View file

@ -19,8 +19,8 @@ A `google_project_alert_policy` is used to test a Google AlertPolicy resource
```ruby
describe.one do
google_project_alert_policies(project: 'chef-gcp-inspec').policy_names do |policy_name|
describe google_project_alert_policy(project: 'chef-gcp-inspec', name: policy_name) do
google_project_alert_policies(project: 'chef-gcp-inspec').policy_names.each do |policy_name|
describe google_project_alert_policy(project: 'chef-gcp-inspec', name: policy_name.split('/').last) do
it { should exist }
its('display_name') { should cmp 'Display'}
its('combiner') { should cmp 'OR'}
@ -32,15 +32,15 @@ end
### Test that a GCP alert policy is enabled
describe google_project_alert_policy(policy: 'spaterson', name: '9271751234503117449') do
it { should be_enabled }
end
describe google_project_alert_policy(policy: 'spaterson', name: '9271751234503117449') do
it { should be_enabled }
end
### Test that a GCP compute alert policy display name is correct
describe google_project_alert_policy(policy: 'spaterson-project', name: '9271751234503117449') do
its('display_name') { should eq 'policy name' }
end
describe google_project_alert_policy(policy: 'spaterson-project', name: '9271751234503117449') do
its('display_name') { should eq 'policy name' }
end
## Properties

7
docs-chef-io/content/inspec/resources/google_storage_bucket.md
View file

@ -180,7 +180,7 @@ Properties that can be accessed from the `google_storage_bucket` resource:
`type`
: Type of the action. Currently, only Delete and SetStorageClass are supported.
Possible values:
- Delete
- SetStorageClass
@ -198,7 +198,7 @@ Properties that can be accessed from the `google_storage_bucket` resource:
: Relevant only for versioned objects. If the value is true, this condition matches live objects; if the value is false, it matches archived objects.
`matches_storage_class`
: Objects having any of the storage classes specified by this condition will be matched. Values include MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, and DURABLE_REDUCED_AVAILABILITY.
: Objects having any of the storage classes specified by this condition will be matched. Values include MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, ARCHIVE, and DURABLE_REDUCED_AVAILABILITY.
`num_newer_versions`
: Relevant only for versioned objects. If the value is N, this condition is satisfied when there are at least N versions (including the live version) newer than this version of the object.
@ -234,7 +234,7 @@ Properties that can be accessed from the `google_storage_bucket` resource:
: The project number of the project the bucket belongs to.
`storage_class`
: The bucket's default storage class, used whenever no storageClass is specified for a newly-created object. This defines how objects in the bucket are stored and determines the SLA and the cost of storage. Values include MULTI_REGIONAL, REGIONAL, STANDARD, NEARLINE, COLDLINE, and DURABLE_REDUCED_AVAILABILITY. If this value is not specified when the bucket is created, it will default to STANDARD. For more information, see storage classes.
: The bucket's default storage class, used whenever no storageClass is specified for a newly-created object. This defines how objects in the bucket are stored and determines the SLA and the cost of storage. Values include MULTI_REGIONAL, REGIONAL, STANDARD, NEARLINE, COLDLINE, ARCHIVE, and DURABLE_REDUCED_AVAILABILITY. If this value is not specified when the bucket is created, it will default to STANDARD. For more information, see storage classes.
Possible values:
@ -243,6 +243,7 @@ Properties that can be accessed from the `google_storage_bucket` resource:
- STANDARD
- NEARLINE
- COLDLINE
- ARCHIVE
- DURABLE_REDUCED_AVAILABILITY

26
docs-chef-io/content/inspec/resources/group.md
View file

@ -13,6 +13,13 @@ platform = "os"
Use the `group` Chef InSpec audit resource to test a single group on the system.
The `group` resource uses the following system groups:
- On **non-Windows** systems the group resource tests a local group defined in the`/etc/group` file.
- On **Windows** systems the group resource tests a local group defined by Local Users and Groups.
## Availability
### Installation
@ -62,6 +69,25 @@ The `members` property tests the members that belong to the group:
its('members') { should include 'root' }
where `members` returns:
- an array of group members for **Windows Platform**.
Example: `["member1", "member2"]`
- a CSV formatted string of group members for **Non-Windows Platforms**.
Example: `"member1,member2"`
### members_array
The `members_array` property tests the members that belong to a group just like the
`members` property,
but the value returned by this property is always an array of group members.
its('members_array') { should include 'root' }
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

24
docs-chef-io/content/inspec/resources/groups.md
View file

@ -13,6 +13,12 @@ platform = "os"
Use the `groups` Chef InSpec audit resource to test multiple groups on the system.
The `groups` resource uses the following system groups:
- On **non-Windows** systems the group resource tests local groups defined in the`/etc/group` file.
- On **Windows** systems the group resource tests local groups defined by Local Users and Groups.
## Availability
### Installation
@ -74,6 +80,24 @@ The `members` property tests the members that belong to a group:
its('members') { should include 'root' }
its('members') { should include 'Administrator' }
where `members` returns:
- an array of group members for **Windows Platform**.
Example: `["member1", "member2"]`
- a single element array that contains a CSV string of group members for **Non-Windows Platforms**.
Example: `["member1,member2"]`
### members_array
The `members_array` property tests the group members just like the `members` property,
but the value returned by this property is always an array of group members.
its('members_array') { should include 'root' }
its('members_array') { should include 'Administrator' }
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

58
docs-chef-io/content/inspec/resources/ibmdb2_conf.md Normal file
View file

@ -0,0 +1,58 @@
+++
title = "ibmdb2_conf resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "ibmdb2_conf"
identifier = "inspec/resources/os/ibmdb2_conf.md ibmdb2_conf resource"
parent = "inspec/resources/os"
+++
Use the `ibmdb2_conf` Chef InSpec audit resource to test the configuration settings. Make sure you are using the IBM Db2 database instance user credentials to run the InSpec test.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
## Syntax
A `ibmdb2_conf` resource block declares db2_executable_file_path, db_instance to connect and then runs command to get the configuration values and compares it to the value stated in the test:
describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do
its("output") { should_not be_empty }
its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")}
end
Windows
describe ibmdb2_conf do
its("output") { should_not be_empty }
its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")}
end
where
- `ibmdb2_session` declares a db2_executable_file_path, db_instance and db_name to connect.
- `db2_executable_file_path` is the path of the db2 binary file. For Windows this is not required.
- `db_instance` is the name of the database instance. For Windows this is not required.
- `its("output") { should include("expected_settings")}` compares the results of the output against the expected result in the test.
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test the audit buffer size configuration settings of IBM Db2 database
describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do
its("output") { should_not be_empty }
its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 1000")}
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

64
docs-chef-io/content/inspec/resources/ibmdb2_session.md Normal file
View file

@ -0,0 +1,64 @@
+++
title = "ibmdb2_session resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "ibmdb2_session"
identifier = "inspec/resources/os/ibmdb2_session.md ibmdb2_session resource"
parent = "inspec/resources/os"
+++
Use the `ibmdb2_session` Chef InSpec audit resource to test SQL commands run against an IBM Db2 database.
Make sure you are using the IBM Db2 database instance user credentials to run the InSpec test.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
## Syntax
A `ibmdb2_session` resource block declares the db2_executable_file_path, db_instance and db_name to use for the session, and then the query to be run:
describe ibmdb2_session(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1", db_name: "sample").query("select rolename from syscat.roleauth") do
its("output") { should match(/SYSTS_MGR/) }
end
Windows
describe ibmdb2_session(db_name: "sample").query("select rolename from syscat.roleauth") do
its("output") { should match(/SYSTS_MGR/) }
end
where
- `ibmdb2_session` declares a db2_executable_file_path, db_instance and db_name to connect.
- `db2_executable_file_path` is the path of the db2 binary file. For Windows this is not required.
- `db_instance` is the name of the database instance. For Windows this is not required.
- `db_name` is the name of the database to query on.
- `query('QUERY')` contains the query to be run.
- `its('output') { should eq(/expected-result/) }` compares the results of the query against the expected result in the test.
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test for matching role name
describe ibmdb2_session(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1", db_name: "sample").query("select rolename from syscat.roleauth") do
its("output") { should match(/SYSTS_MGR/) }
end
### Test for matching database
describe ibmdb2_session(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1", db_name: "sample").query("list database directory") do
its("output") { should match(/SAMPLE/) }
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

62
docs-chef-io/content/inspec/resources/mongodb_conf.md Normal file
View file

@ -0,0 +1,62 @@
+++
title = "mongodb_conf resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "mongodb_conf"
identifier = "inspec/resources/os/mongodb_conf.md mongodb_conf resource"
parent = "inspec/resources/os"
+++
Use the `mongodb_conf` Chef InSpec audit resource to test the contents of the configuration file for MongoDB, typically located at `/etc/mongod.conf` or `C:\Program Files\MongoDB\Server\<version>\bin\mongod.cfg`, depending on the platform.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
## Syntax
A `mongodb_conf` resource block declares one (or more) settings in the `mongodb.conf` file, and then compares the setting in the configuration file to the value stated in the test:
describe mongodb_conf('path') do
its('setting') { should eq 'value' }
end
where
- `'setting'` specifies a setting in the `mongodb.conf` file
- `('path')` is the non-default path to the `mongodb.conf` file (optional)
- `should eq 'value'` is the value that is expected
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test the key management configuration options
describe mongodb_conf do
its(["security", "enableEncryption"]) { should eq true }
end
### Test the port on which MongoDB listens
describe mongodb_conf do
its(["net", "port"]) { should eq 27017 }
end
### Test the security configuration options
describe mongodb_conf do
its(["security", "authorization"]) { should eq "enabled" }
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

113
docs-chef-io/content/inspec/resources/mongodb_session.md Normal file
View file

@ -0,0 +1,113 @@
+++
title = "mongodb_session resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "mongodb_session"
identifier = "inspec/resources/os/mongodb_session.md mongodb_session resource"
parent = "inspec/resources/os"
+++
Use the `mongodb_session` Chef InSpec audit resource to run MongoDB command against a MongoDB Database.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
## Syntax
A `mongodb_session` resource block declares the `user`, `password`, and `database` to use for the session and then the command to be run:
describe mongodb_session(user: "username", password: "password", database: "test").query(key: value) do
its("params") { should match(/expected-result/) }
end
where
- `mongodb_session` declares a user, password, and database, connecting locally, with permission to run the query.
- `query` contains the query to be run.
- `its("params") { should eq(/expected-result/) }` compares the results of the query against the expected result in the test
### Optional Parameters
The `mongodb_session` InSpec resource accepts `user`, `password`, `host`, `port`, `auth_source`, `auth_mech`, `ssl`, `ssl_cert`, `ssl_ca_cert`, and `auth_mech_properties` parameters.
In Particular:
#### `host`
The server host IP address. Default value: `127.0.0.1`.
#### `port`
The server port. Default value: `27017`.
#### `auth_mech`
The authentication mechanism. The available options are: `:scram`, `:scram256`, `:mongodb_x509`, and `:aws`. Default value: `:scram`.
See the MongoDB documentation on [Ruby driver authentication](https://docs.mongodb.com/ruby-driver/current/reference/authentication/) for more information.
#### `auth_source`
The database where the users authentication credentials are stored. The default value is the database name that is passed as a parameter to the resource.
#### `ssl`
Whether to use the SSL security protocol or not. Set to `true` to use SSL transport, default value: `false`. See the MongoDB documentation on [Ruby Driver authentication](https://docs.mongodb.com/ruby-driver/current/reference/authentication/#client-certificate-x-509) for more information.
#### 'ssl_cert'
Path to the SSL certificate file.
#### `ssl_ca_cert`
Path to the SSL Certificate Authority (CA) certificate file.
#### `ssl_key`
Path to SSL key file.
#### `auth_mech_properties`
A hash of the authentication mechanism properties. This option is generally used with the AWS authentication mechanism. See the MongoDB documentation on [Ruby Driver authentication using AWS](https://docs.mongodb.com/ruby-driver/current/reference/authentication/#aws) for more information.
### MongodDB Query Reference Documentation
This resource uses the [MongoDB Ruby Driver](https://docs.mongodb.com/ruby-driver/current/reference/authentication/) to fetch the data.
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test the roles information using the `rolesInfo` command in MongoDB.
describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin").params["roles"].first do
its(["role"]) { should eq "dbAdmin" }
end
### Test the MongoDB user role.
describe mongodb_session(user: "foo", password: "bar", database: "test").query(usersInfo: "foo").params["users"].first["roles"].first do
its(["role"]) { should eq "readWrite" }
end
### Test the database parameters.
describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin") do
its("params") { should_not be_empty }
its("params") { should include "roles" }
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### params
The `params` contains all the query data.

62
docs-chef-io/content/inspec/resources/mssql_sys_conf.md Normal file
View file

@ -0,0 +1,62 @@
+++
title = "mssql_sys_conf resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "mssql_sys_conf"
identifier = "inspec/resources/os/mssql_sys_conf.md mssql_sys_conf resource"
parent = "inspec/resources/os"
+++
Use the `mssql_sys_conf` Chef InSpec audit resource to test the configuration of a Microsoft SQL Server database.
## Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
## Requirements
You must have database access.
## Syntax
A `mssql_sys_conf` resource block declares the configuration item, user, and password to test.
```ruby
describe mssql_sys_conf("CONFIGURATION ITEM TO TEST", user: 'USER', password: 'PASSWORD') do
its("value_in_use") { should cmp "EXPECTED_VALUE" }
its("value_configured") { should cmp "EXPECTED_VALUE" }
end
```
where:
- `mssql_sys_conf` declares a configuration item, `user`, and `password` with permission to use `sys.configurations`.
- `its('value_in_use') { should cmp 'EXPECTED_VALUE' }` compares the current running value of the configuration item against an expected value.
- `its('value_configured') { should cmp 'EXPECTED_VALUE' }` compares the saved value of the configuration item against an expected value.
### Optional Parameters
`mssql_sys_conf` is based on the `mssql_session` resource and accepts all the parameters that `mssql_session` accepts.
#### `username`
The user name. Default value: `SA`.
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test parameters set within the database view
describe mssql_sys_conf("clr_enabled", user: 'USER', password: 'PASSWORD') do
its("value_in_use") { should cmp "0" }
its("value_configured") { should cmp "0" }
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

76
docs-chef-io/content/inspec/resources/opa_api.md Normal file
View file

@ -0,0 +1,76 @@
+++
title = "opa_api resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "opa_api"
identifier = "inspec/resources/os/opa_api.md opa_api resource"
parent = "inspec/resources/os"
+++
Use the `opa_api` Chef InSpec audit resource to query Open Policy Agent (OPA) using the OPA URL and data.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
## Syntax
An `opa_api` resource block declares OPA policy configurations that can be tested.
describe opa_api(url: "localhost:8181/v1/data/example/violation", data: "input.json") do
its(["result"]) { should eq 'value' }
end
where
- `'url'` specifies the url of the OPA server on which OPA is running.
- `'data'` specifies the json formatted data or json file.
- `its(["returned_result"]) { should eq 'expected_result' }` compares the results of the query against the expected result in the test.
## parameters
The `opa_api` resource InSpec resource requires a `url` and `data` as a JSON file or a string in JSON format.
### `url` _(required)_
The URL of the OPA API server.
### `data` _(required)_
An OPA query as a JSON data file or a string in JSON format.
## Examples
The following examples show how to use this Chef InSpec audit resource.
describe opa_api(url: "localhost:8181/v1/data/example/allow", data: "input.json") do
its("result") { shoule_not be nil }
its(["result"]) { should eq true }
its("allow") { should eq "true" }
end
The above example shows how the `allow` value can be fetched in two ways.
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
## Properties
### result
The `result` property checks whether the resource query returns an empty result.
its('result') { should be nil }
### allow
The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work.
its('allow') { should eq 'value' }

85
docs-chef-io/content/inspec/resources/opa_cli.md Normal file
View file

@ -0,0 +1,85 @@
+++
title = "opa_cli resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "opa_cli"
identifier = "inspec/resources/os/opa_cli.md opa_cli resource"
parent = "inspec/resources/os"
+++
Use the `opa_cli` Chef InSpec audit resource to query Open Policy Agent (OPA) using an OPA policy file, a data file, and a query.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
## Syntax
An `opa_cli` resource block declares OPA policy configurations that can be tested.
describe opa_cli(policy: "example.rego", data: "input.json", query: "data.example.allow") do
its(["result"]) { should eq "value" }
end
where
- `data` specifies the json formatted input data or file path.
- `policy` the path to policy file.
- `query` specifies the query to be run.
- `its(["result"]) { should eq "value" }` compares the results of the query against the expected result in the test
## parameters
The `opa_cli` resource InSpec resource accepts `policy`, `data`, `query`, and `opa_executable_path` as parameters.
### `policy` _(required)_
The path to the OPA policy file.
### `data` _(required)_
An OPA query as a JSON data file or a string in JSON format.
### `query` _(required)_
The query to be evaluated against policy and input data.
### `opa_executable_path`
This is the full path to the OPA binary or EXE file used for running the OPA CLI or OPA commands. By default it will consider that the path is added in PATH variable.
## Examples
The following examples show how to use this Chef InSpec audit resource:
describe opa_cli(query: "data.example.allow", policy: "example.rego", data: "input.json", opa_executable_path: "./opa") do
its("result") { shoule_not be nil }
its(["result", 0, "expressions", 0, "value"]) { should eq true }
its("allow") { should eq "true" }
end
The above example shows how the `allow` value can be fetched in two ways.
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
## Properties
### result
The `result` property checks whether the resource query returns an empty result.
its('result') { should be nil }
### allow
The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work.
its('allow') { should eq 'value' }

49
docs-chef-io/content/inspec/resources/oracledb_conf.md Normal file
View file

@ -0,0 +1,49 @@
+++
title = "oracledb_conf resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "oracledb_conf"
identifier = "inspec/resources/os/oracledb_conf.md oracledb_conf resource"
parent = "inspec/resources/os"
+++
Use the `oracledb_conf` Chef InSpec audit resource to test the Oracle system parameters.
## Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
## Requirements
You must have access to a database user with `DBA` role.
## Syntax
A `oracledb_conf` resource block declares user and password to use. It fetches system parameters which are defined in the `V$SYSTEM_PARAMETER` database view, and then compares those parameters to the values stated in the test:
describe oracledb_conf(user: 'USER', password: 'PASSWORD') do
its("config item") { should cmp "value" }
end
### Optional Parameters
`oracledb_conf` is based on `oracledb_session`, and accepts all parameters that `oracledb_session` accepts.
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test parameters set within the database view
describe oracledb_conf(user: 'USER', password: 'PASSWORD') do
its("audit_sys_operations") { should cmp "true" }
its("sql92_security") { should cmp "true" }
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

46
docs-chef-io/content/inspec/resources/oracledb_listener_conf.md Normal file
View file

@ -0,0 +1,46 @@
+++
title = "oracledb_listener_conf resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "oracledb_listener_conf"
identifier = "inspec/resources/os/oracledb_listener_conf.md oracledb_listener_conf resource"
parent = "inspec/resources/os"
+++
Use the `oracledb_listener_conf` Chef InSpec audit resource to test the listeners settings of Oracle DB, typically located at `$ORACLE_HOME/network/admin/listener.ora` or `$ORACLE_HOME\network\admin\listener.ora` depending upon the platform.
## Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
## Requirements
- You must have sufficient permission to access listener settings defined in `listener.ora` file.
- Value for environment variable `ORACLE_HOME` should be set in the system.
## Syntax
A `oracledb_listener_conf` resource block fetches listeners settings in the `listener.ora` file, and then compares them with the value stated in the test:
describe oracledb_listener_conf do
its('config item') { should eq 'value' }
end
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test parameters set within the listener file
describe oracledb_listener_conf do
its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' }
its('EM_EXPRESS_PORT') { should eq '5500' }
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

6
docs-chef-io/content/inspec/resources/postgres_ident_conf.md
View file

@ -47,7 +47,7 @@ where
`address` returns a an array of strings that matches the where condition of the filter table
describe pg_ident_conf.where { pg_username == 'name' } do
describe postgres_ident_conf.where { pg_username == 'name' } do
its('map_name') { should eq ['value'] }
end
@ -55,7 +55,7 @@ where
`pg_username` returns a an array of strings that matches the where condition of the filter table
describe pg_ident_conf.where { pg_username == 'name' } do
describe postgres_ident_conf.where { pg_username == 'name' } do
its('pg_username') { should eq ['value'] }
end
@ -63,7 +63,7 @@ where
`system_username` returns a an array of strings that matches the where condition of the filter table
describe pg_ident_conf.where { pg_username == 'name' } do
describe postgres_ident_conf.where { pg_username == 'name' } do
its('system_username') { should eq ['value'] }
end

9
docs-chef-io/content/inspec/resources/postgres_session.md
View file

@ -28,24 +28,27 @@ This resource first became available in v1.0.0 of InSpec.
A `postgres_session` resource block declares the username and password to use for the session, and then the command to be run:
# Create a PostgreSQL session:
sql = postgres_session('username', 'password', 'host', 'port')
sql = postgres_session('username', 'password', 'host', 'port', 'socketpath')
# default values:
# username: 'postgres'
# host: 'localhost'
# port: 5432
# socketpath (optional): nil
# Run an SQL query with an optional database to execute
sql.query('sql_query', ['database_name'])`
A full example is:
sql = postgres_session('username', 'password', 'host', 'port')
sql = postgres_session('username', 'password', 'host', 'port', 'socketpath')
describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
its('output') { should eq '' }
end
where `its('output') { should eq '' }` compares the results of the query against the expected result in the test
where
- `its('output') { should eq '' }` compares the results of the query against the expected result in the test
- `socketpath` is an optional parameter. Use `socketpath` to establish a socket connection with Postgres by specifying one of the Postgres Unix domain socket paths. Only supported on Unix-based platforms.
## Examples

5
docs-chef-io/content/inspec/resources/security_policy.md
View file

@ -31,10 +31,15 @@ A `security_policy` resource block declares the name of a security policy and th
its('policy_name') { should eq 'value' }
end
describe security_policy(translate_sid: true) do
its('policy_name') { should include 'sid_name' }
end
where
- `'policy_name'` must specify a security policy
- `{ should eq 'value' }` tests the value of `policy_name` against the value declared in the test
- `translate_sid` converts the security identifier (SID) into a human readable SID name if `true`. Default value is `false`.
## Examples

173
docs-chef-io/content/inspec/resources/selinux.md Normal file
View file

@ -0,0 +1,173 @@
+++
title = "selinux resource"
draft = false
gh_repo = "inspec"
platform = "linux"
[menu]
[menu.inspec]
title = "selinux"
identifier = "inspec/resources/os/selinux.md selinux resource"
parent = "inspec/resources/os"
+++
Use the `selinux` Chef InSpec audit resource to test the configuration data of the SELinux policy, SELinux modules and SELinux booleans.
The `selinux` resource extracts and exposes data reported by the `sestatus`, `semodule -lfull`, and `semanage boolean -l -n` command.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
### Version
This resource first became available in v4.35.1 of InSpec.
## Syntax
The `selinux` Chef InSpec resource block tests the state and mode of SELinux policy.
describe selinux do
it { should be_installed }
it { should_not be_disabled }
it { should be_enforcing }
it { should_not be_permissive }
end
The `selinux` resource block also allows you to write tests for multiple modules:
describe selinux.modules.where("zebra") do
it { should exist }
it { should be_installed }
it { should be_enabled }
end
or:
describe selinux.modules.where(status: "installed") do
it { should exist }
its('count') { should cmp 404 }
end
where:
- `.where()` specifies the parameter and expected value.
- `name`, `status`, `state`, and `priority` are valid parameters.
The `selinux` resource block also allows you to write tests for multiple booleans:
describe selinux.booleans.where(name: "httpd_enable_homedirs") do
it { should_not be_on }
end
or:
describe selinux.booleans.where(name: "xend_run_blktap", state: "on") do
it { should exist }
its('defaults') { should cmp "on" }
end
- `.where()` specifies the parameter and expected value.
- `name`, `state`, and `default` are valid parameters for `booleans`.
## Examples
The following examples show how to use this Chef InSpec selinux resource.
### Test if SELinux is installed and enabled
describe selinux do
it { should be_installed }
it { should_not be_disabled }
end
### Test if SELinux is enabled and running in enforcing mode
describe selinux do
it { should_not be_disabled }
it { should be_enforcing }
end
### Test the selinux policy type
describe selinux do
its('policy') { should eq "targeted"}
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### be_installed
The `be_installed` matcher tests if the SElinux policy or SElinux modules are installed on the system:
it { should be_installed }
### be_disabled
The `be_disabled` matcher tests if the SELinux is disabled on the system:
it { should be_disabled }
### be_enforcing
The `be_enforcing` matcher tests if the SELinux mode is set to enforcing:
it { should be_enforcing }
### be_permissive
The `be_permissive` matcher tests if the SELinux mode is set to permissive:
it { should be_permissive }
### be_on
The `be_on` matcher tests if the SELinux boolean is on:
it { should be_on }
### be_enabled
The `be_enabled` matcher tests if the SElinux module is enabled:
it { should be_enabled }
## Resource Parameters
- `names`, `status`, `states`, and `priorities` are valid parameters for SELinux policy modules.
- `names`, `status`, `states`, and `defaults` are valid parameters for SELinux `booleans`.
## Resource Parameter Examples
### modules
`modules` returns information about SELinux modules using the [semodule -lfull](https://man7.org/linux/man-pages/man8/semodule.8.html) command.
Note: The `semodule -l` command [does not provide version information](https://access.redhat.com/solutions/2760071) for newer versions of Linux-based systems like RHEL8 and Centos8, so we do not support that option.
```ruby
describe selinux.modules do
its("names") { should include "zebra" }
its("status") { should include "installed" }
its("states") { should include "enabled" }
its("priorities") { should include "100" }
end
```
### booleans
`booleans` returns information about SELinux booleans using the [semanage boolean -l -n](https://man7.org/linux/man-pages/man8/semanage-boolean.8.html) command.
```ruby
describe selinux.booleans do
its("names") { should include "httpd_enable_homedirs" }
its("states") { should include "on" }
its("states") { should include "off" }
its("defaults") { should include "on" }
its("defaults") { should include "off" }
end
```

2
docs-chef-io/content/inspec/resources/sshd_config.md
View file

@ -25,7 +25,7 @@ This resource first became available in v1.0.0 of InSpec.
## Syntax
An `sshd_config` resource block declares the client OpenSSH configuration data to be tested:
An `sshd_config` resource block declares the OpenSSH daemon configuration data to be tested:
describe sshd_config('path') do
its('name') { should include('foo') }

72
docs-chef-io/content/inspec/resources/sybase_conf.md Normal file
View file

@ -0,0 +1,72 @@
+++
title = "sybase_conf resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "sybase_conf"
identifier = "inspec/resources/os/sybase_conf.md sybase_conf resource"
parent = "inspec/resources/os"
+++
Use the `sybase_conf` Chef InSpec audit resource to test the configuration of an SAP Adaptive Server Enterprise (ASE) database.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
### Requirements
The `isql` command line tool must be installed on the target system.
You must have access to a database user that has access to the `sa` role on the `master` database.
## Syntax
A `sybase_conf` resource block declares the configuration item name, server, and password to use.
describe sybase_session('config item', server: 'SYBASE', password: 'PASSWORD') do
its('run_value') { should cmp 'EXPECTED' }
its('config_value') { should cmp 'EXPECTED' }
end
where
- `sybase_conf` declares a configuration item, server, and password with permission to run `sp_configure`.
- `its('run_value') { should cmp 'expected' }` compares the current running value of the configuration item against an expected value.
- `its('config_value') { should cmp 'expected' }` compares the saved value of the configuration item against an expected value.
### Optional Parameters
The `sybase_conf` resource is based on the `sybase_session` resource and accepts all parameters that `sybase_session` accepts, including optional parameters `username`, `database`, `sybase_home`, and `bin`.
In particular:
#### `database`
Defaults to `master`.
#### `username`
Defaults to `sa`.
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test for max memory configuration
```ruby
describe sybase_session('max memory', server: 'SYBASE', password: 'PASSWORD') do
its('run_value') { should cmp 180224 }
its('config_value') { should cmp 180224 }
end
```
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

88
docs-chef-io/content/inspec/resources/sybase_session.md Normal file
View file

@ -0,0 +1,88 @@
+++
title = "sybase_session resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "sybase_session"
identifier = "inspec/resources/os/sybase_session.md sybase_session resource"
parent = "inspec/resources/os"
+++
Use the `sybase_session` Chef InSpec audit resource to test the SQL commands run against an SAP Adaptive Server Enterprise (ASE) database.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
### Requirements
The `isql` command line tool must be installed on the target system.
## Syntax
A `sybase_session` resource block declares the server, database, username and password to use for the session, and then the command to be run:
describe sybase_session(database: 'pubs2', server: 'SYBASE', username: 'USERNAME', password: 'PASSWORD').query('QUERY').row(0).column('RESULT') do
its('value') { should eq('EXPECTED') }
end
where
- `sybase_session` declares a server, database, username, and password with permission to run the query.
- `query('QUERY')` contains the query to be run.
- `its('value') { should eq('expected') }` compares the results of the query against the expected result in the test.
### Optional Parameters
#### bin
You may use the `bin` parameter to specify the path to the `isql` cli tool.
```ruby
describe sybase_session(database: 'pubs2',
server: 'SYBASE',
username: 'USERNAME',
password: 'PASSWORD',
bin: '/opt/sap/OCS-16_0/bin/isql',
).query('QUERY').row(0).column('RESULT') do
its('value') { should eq('EXPECTED') }
end
```
#### sybase_home
You may use the `sybase_home` parameter to specify the path to the sybase installation.
```ruby
describe sybase_session(database: 'pubs2',
server: 'SYBASE',
username: 'USERNAME',
password: 'PASSWORD',
sybase_home: '/opt/sap',
).query('QUERY').row(0).column('RESULT') do
its('value') { should eq('EXPECTED') }
end
```
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test for matching values in the pubs2 sample database
```ruby
sql = sybase_session(database: 'pubs2', server: 'SYBASE', username: 'MY_USER', password: 'PASSWORD')
describe sql.query("SELECT au_lname FROM authors").row(0).column('AU_LNAME') do
its("value") { should eq 'BENNET' }
end
```
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

85
docs-chef-io/content/inspec/resources/toml.md Normal file
View file

@ -0,0 +1,85 @@
+++
title = "toml resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "toml"
identifier = "inspec/resources/os/toml.md toml resource"
parent = "inspec/resources/os"
+++
Use the `toml` Chef InSpec audit resource to test settings in a TOML file.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
### Version
This resource first became available in v1.0.0 of InSpec.
## Syntax
An `toml` resource block declares the configuration settings to be tested:
```ruby
describe toml('path') do
its('setting_name') { should eq 'value' }
end
```
where:
- `'setting_name'` is a setting key defined in the TOML file.
- `('path')` is the path to the TOML file.
- `{ should eq 'value' }` is the value that is expected.
## Examples
In the examples below, the `example.toml` file contains the following data:
```toml
port = 8080
fruits = ["apple", "banana", "cantaloupe"]
[section]
key1 = "value1"
```
**Verify the port number:**
```ruby
describe toml('path/to/example.toml') do
its('port') { should eq 8080 }
end
```
**Verify the value of an array using brackets:**
```ruby
describe toml('path/to/example.toml') do
its(['fruits', 0]) { should eq 'apple' }
end
```
**Verify the value of a key in a table using brackets:**
```ruby
describe toml('path/to/example.toml') do
its(['section', 'key1']) { should cmp 'value1' }
end
```
## Properties
This resource supports any of the settings listed in a TOML file as properties.
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

2
docs-chef-io/content/inspec/resources/zfs_dataset.md
View file

@ -11,7 +11,7 @@ platform = "linux"
parent = "inspec/resources/os"
+++
Use the `zfs_dataset` Chef InSpec audit resource to test the ZFS datasets on FreeBSD systems.
Use the `zfs_dataset` Chef InSpec audit resource to test the ZFS datasets on FreeBSD & Linux (Check [OS Family Details](https://docs.chef.io/inspec/resources/os/#osfamily-helpers) for more details).
## Availability

2
docs-chef-io/content/inspec/resources/zfs_pool.md
View file

@ -11,7 +11,7 @@ platform = "linux"
parent = "inspec/resources/os"
+++
Use the `zfs_pool` Chef InSpec audit resource to test the ZFS pools on FreeBSD systems.
Use the `zfs_pool` Chef InSpec audit resource to test the ZFS pools on FreeBSD & Linux (Centos, RHEL, Ubuntu, CloudLinux, Debian) systems.
## Availability

54
docs-chef-io/content/inspec/shell.md
View file

@ -14,7 +14,7 @@ gh_repo = "inspec"
The Chef InSpec interactive shell is a pry based REPL that can be used to
quickly run Chef InSpec controls and tests without having to write it to a
file. Its functionality is similar to [chef-shell](/chef_shell/) as it provides a way
to exercise the Chef InSpec DSL, its resources, tests, and plugins without
to exercise the Chef InSpec Language, its resources, tests, and plugins without
having to create a profile or write a test file. See
[http://pryrepl.org/](http://pryrepl.org/) for an introduction to what pry is and what it can
do.
@ -57,9 +57,9 @@ Use resource packs to share custom resources with other Chef InSpec users.
A resource pack is a Chef InSpec profile that contains only custom resources and
no other controls or tests.
For example, the profile in [`examples/profile`](https://github.com/chef/inspec/tree/master/examples/profile)
For example, the profile in [`examples/profile`](https://github.com/chef/inspec/tree/main/examples/profile)
in the Chef InSpec GitHub repository defines an
[`example_config` resource](https://github.com/chef/inspec/blob/master/examples/profile/controls/example.rb).
[`example_config` resource](https://github.com/chef/inspec/blob/main/examples/profile/controls/example.rb).
To use these resources within the Chef InSpec shell, you will need to download
and specify them as a dependency.
@ -94,7 +94,7 @@ inspec> 1 + 2
inspec> exit
```
## Using Chef InSpec DSL in Chef InSpec shell
## Using Chef InSpec Language in Chef InSpec shell
Chef InSpec shell will automatically evaluate the result of every command as
if it were a test file. If you type in a Ruby command that is not an
@ -230,3 +230,49 @@ $ inspec shell --format json -c 'describe file("/Users/test") do it { should exi
}
}
```
## Running Chef InSpec Shell With Inputs
With InSpec [profiles that support inputs]({{< relref "inputs/#which-profiles-support-inputs" >}}),
you can set inputs using the InSpec `shell` command. This allows you to work more consistently with
InSpec profiles when switching between the `shell` and `exec` commands.
For more details on inputs, see the [inputs reference](/inspec/inputs/).
### Set Inputs with Command-line Options
The `shell` command accepts one or more inputs in the command line as single-quoted YAML or JSON structures.
```bash
$ inspec shell --input=input_name=input_value
Welcome to the interactive InSpec Shell
To find out how to use it, type: help
inspec> control 'my_control' do
inspec> describe input('input_name') do
inspec> it { should cmp 'input_value' }
inspec> end
inspec> end
Profile: inspec-shell
✔ my_control: input_value
✔ input_value is expected to cmp == "input_value"
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 1 successful, 0 failures, 0 skipped
inspec> exit
```
### Set Inputs with YAML File
You can also save inputs and values to one or more YAML files and pass them to `shell` in the command line.
For example:
```yaml
input_name: input_value
another_input: another_value
```
```bash
inspec shell --input-file=<path>
```

24
docs-chef-io/content/inspec/troubleshooting.md Normal file
View file

@ -0,0 +1,24 @@
+++
title = "Chef InSpec Troubleshooting"
draft = false
gh_repo = "inspec"
[menu]
[menu.inspec]
title = "Troubleshooting"
identifier = "inspec/Troubleshooting"
parent = "inspec"
weight = 55
+++
## Undefined Local Variable or Method Error for Cloud Resource
This error is a result of invoking a resource from one of the cloud resource packs without initializing an InSpec profile with that resource pack (AWS, Azure, or GCP) as a dependency.
InSpec profiles that use **any cloud resource** must have the resource pack defined as a dependency.
See the relevant resource pack readme for instructions:
- [inspec-aws README](https://github.com/inspec/inspec-aws#use-the-resources)
- [inspec-azure README](https://github.com/inspec/inspec-azure#use-the-resources)
- [inspec-gcp README](https://github.com/inspec/inspec-gcp#use-the-resources)

2
docs-chef-io/netlify.toml
View file

@ -1,7 +1,7 @@
[build]
[build.environment]
HUGO_VERSION = "0.78.1"
HUGO_VERSION = "0.83.1"
HUGO_ENABLEGITINFO = "true"
GO_VERSION = "1.15"
NODE_ENV = "development"

7
etc/deprecations.json
View file

@ -4,7 +4,7 @@
"groups": {
"attrs_value_replaces_default": {
"action": "warn",
"prefix": "The 'default' option for attributes is being replaced by 'value' - please use it instead."
"prefix": "The 'default' option for inputs is being replaced by 'value' - please use it instead."
},
"attrs_dsl": {
"action": "ignore",
@ -120,6 +120,11 @@
"object_classes": {
"action": "warn",
"suffix": "These classes will be removed in InSpec 5.0."
},
"cli_option_hook":{
"action": "warn",
"prefix": "The --hook option is being replaced by the --activator option.",
"suffix": "This options will be removed in InSpec 4.0."
}
}
}

2
inspec-bin/lib/inspec-bin/version.rb
View file

@ -1,5 +1,5 @@
# This file managed by automation - do not edit manually
module InspecBin
INSPECBIN_ROOT = File.expand_path("..", __dir__)
VERSION = "4.30.0".freeze
VERSION = "4.47.8".freeze
end

4
inspec-core.gemspec
View file

@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
.reject { |f| File.directory?(f) }
# Implementation dependencies
spec.add_dependency "chef-telemetry", "~> 1.0"
spec.add_dependency "chef-telemetry", "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep
spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0"
spec.add_dependency "thor", ">= 0.20", "< 2.0"
spec.add_dependency "method_source", ">= 0.8", "< 2.0"
@ -35,7 +35,7 @@ Gem::Specification.new do |spec|
spec.add_dependency "mixlib-log", "~> 3.0"
spec.add_dependency "sslshake", "~> 1.2"
spec.add_dependency "parallel", "~> 1.9"
spec.add_dependency "faraday", ">= 0.9.0", "< 1.4"
spec.add_dependency "faraday", ">= 0.9.0", "< 1.5"
spec.add_dependency "faraday_middleware", "~> 1.0"
spec.add_dependency "tty-table", "~> 0.10"
spec.add_dependency "tty-prompt", "~> 0.17"

3
inspec.gemspec
View file

@ -31,6 +31,7 @@ Gem::Specification.new do |spec|
# Train plugins we ship with InSpec
spec.add_dependency "train-habitat", "~> 0.1"
spec.add_dependency "train-aws", "~> 0.1"
spec.add_dependency "train-aws", "~> 0.2"
spec.add_dependency "train-winrm", "~> 0.2"
spec.add_dependency "mongo", "= 2.13.2" # 2.14 introduces a broken symlink in mongo-2.14.0/spec/support/ocsp
end

79
kitchen.yml → kitchen.dokken.yml
View file

@ -1,49 +1,38 @@
---
driver:
name: dokken
chef_version: 14.12.9
chef_version: :latest
privileged: true # because Docker and SystemD/Upstart
transport:
name: dokken
lifecycle:
pre_converge:
- local: cd inspec-bin && gem build inspec-core-bin.gemspec --output ../test/kitchen/cookbooks/install_inspec/files/inspec-core-bin.gem
- local: gem build inspec-core.gemspec --output test/kitchen/cookbooks/install_inspec/files/inspec-core.gem
provisioner:
name: dokken
client_rb:
data_collector.server_url: <%= ENV['COLLECTOR_URL'] %>
data_collector.token: <%= ENV['COLLECTOR_TOKEN'] %>
ssl_verify_mode: :verify_none
verify_api_cert: false
verifier:
name: inspec
sudo: true
# Test against every supported target platform for which we have a dokken image.
# If we don't have a dokken image, see kitchen.chef.yml for Vagrant-based testing.
# Try to keep this list up to date!
# Visit https://hub.docker.com/search and https://github.com/test-kitchen/dokken-images to search for new images
platforms:
- name: amazonlinux
driver:
image: dokken/amazonlinux
pid_one_command: /sbin/init
- name: amazonlinux-2
driver:
image: dokken/amazonlinux-2
pid_one_command: /usr/lib/systemd/systemd
- name: centos-6
driver:
image: dokken/centos-6
pid_one_command: /sbin/init
- name: centos-7
driver:
image: dokken/centos-7
pid_one_command: /usr/lib/systemd/systemd
- name: centos-8
driver:
image: dokken/centos-8
pid_one_command: /usr/lib/systemd/systemd
- name: debian-9
driver:
@ -51,7 +40,6 @@ platforms:
pid_one_command: /bin/systemd
intermediate_instructions:
- RUN /usr/bin/apt-get update -y
- name: debian-10
driver:
image: dokken/debian-10
@ -59,24 +47,23 @@ platforms:
intermediate_instructions:
- RUN /usr/bin/apt-get update -y
- name: fedora-29
- name: fedora-latest
driver:
image: dokken/fedora-29
image: dokken/fedora-latest
pid_one_command: /usr/lib/systemd/systemd
- name: oraclelinux-6
driver:
image: dokken/oraclelinux-6
pid_one_command: /sbin/init
- name: oraclelinux-7
driver:
image: dokken/oraclelinux-7
pid_one_command: /usr/lib/systemd/systemd
- name: oraclelinux-8
driver:
image: dokken/oraclelinux-8
pid_one_command: /usr/lib/systemd/systemd
- name: opensuse-leap
driver:
image: dokken/opensuse-leap-42
image: dokken/opensuse-leap-15
pid_one_command: /bin/systemd
- name: ubuntu-16.04
@ -93,30 +80,30 @@ platforms:
intermediate_instructions:
- RUN /usr/bin/apt-get update -y
- name: ubuntu-20.04
driver:
image: dokken/ubuntu-20.04
pid_one_command: /bin/systemd
intermediate_instructions:
- RUN /usr/bin/apt-get update -y
suites:
- name: resources-core
- name: resources
run_list:
- recipe[os_prepare]
- recipe[audit]
verifier:
inspec_tests:
- test/kitchen/policies/resources-core
# TODO - split these out into core, database, unix, and windows resources
- test/kitchen/policies/default
attributes:
audit:
attributes:
audit_attribute: 'Attribute Override!'
insecure: true
reporter: ['json-file','chef-automate']
fetcher: 'chef-automate'
json_file:
location: /tmp/json_export.json
profiles:
- name: integration
url: https://github.com/inspec/inspec-integration-profile/archive/master.zip
osprepare:
docker: true
application: false
- name: resources-database
- name: resources-unix
- name: resources-windows
# These are planned for the future
# Suites which exercise resources that exercise databases
# - name: resources-database
# Unix-only resources
# - name: resources-unix
# Windows-only resources
# - name: resources-windows

22
lib/inspec/base_cli.rb
View file

@ -43,11 +43,15 @@ module Inspec
begin
if (allowed_commands & ARGV.map(&:downcase)).empty? && # Did they use a non-exempt command?
!ARGV.empty? # Did they supply at least one command?
LicenseAcceptance::Acceptor.check_and_persist(
license_acceptor_output = LicenseAcceptance::Acceptor.check_and_persist(
Inspec::Dist::EXEC_NAME,
Inspec::VERSION,
logger: Inspec::Log
)
if license_acceptor_output && ARGV.count == 1 && (ARGV.first.include? "--chef-license")
Inspec::UI.new.exit
end
license_acceptor_output
end
rescue LicenseAcceptance::LicenseNotAcceptedError
Inspec::Log.error "#{Inspec::Dist::PRODUCT_NAME} cannot execute without accepting the license"
@ -120,6 +124,8 @@ module Inspec
desc: "Provide a ID which will be included on reports"
option :winrm_shell_type, type: :string, default: "powershell",
desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
option :docker_url, type: :string,
desc: "Provides path to Docker API endpoint (Docker)"
end
def self.profile_options
@ -134,6 +140,8 @@ module Inspec
profile_options
option :controls, type: :array,
desc: "A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests."
option :tags, type: :array,
desc: "A list of tags names that are part of controls to filter and run controls, or a list of /regexes/ to match against tags names of controls. Ignore all other tests."
option :reporter, type: :array,
banner: "one two:/output/file/path",
desc: "Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml"
@ -166,13 +174,15 @@ module Inspec
desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
option :filter_empty_profiles, type: :boolean, default: false,
desc: "Filter empty profiles (profiles without controls) from the report."
option :command_timeout, type: :numeric, default: 3600,
desc: "Maximum seconds to allow commands to run during execution. Default 3600.",
long_desc: "Maximum seconds to allow commands to run during execution. Default 3600. A timed out command is considered an error."
option :filter_waived_controls, type: :boolean,
desc: "Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores `run` setting of waiver file."
option :retain_waiver_data, type: :boolean,
desc: "EXPERIMENTAL: Only works in conjunction with --filter-waived-controls, retains waiver data about controls that were skipped"
option :command_timeout, type: :numeric,
desc: "Maximum seconds to allow commands to run during execution.",
long_desc: "Maximum seconds to allow commands to run during execution. A timed out command is considered an error."
option :reporter_include_source, type: :boolean, default: false,
desc: "Include full source code of controls in the CLI report"
end
def self.help(*args)
@ -181,7 +191,7 @@ module Inspec
puts " Patents: chef.io/patents\n\n"
end
def self.format_platform_info(params: {}, indent: 0, color: 39)
def self.format_platform_info(params: {}, indent: 0, color: 39, enable_color: true)
str = ""
params.each do |item, info|
data = info
@ -192,7 +202,7 @@ module Inspec
# Do not output fields of data is missing ('unknown' is fine)
next if data.nil?
data = "\e[1m\e[#{color}m#{data}\e[0m"
data = "\e[1m\e[#{color}m#{data}\e[0m" if enable_color
str << format("#{" " * indent}%-10s %s\n", item.to_s.capitalize + ":", data)
end
str

4
lib/inspec/cached_fetcher.rb
View file

@ -6,9 +6,9 @@ module Inspec
extend Forwardable
attr_reader :cache, :target, :fetcher
def initialize(target, cache)
def initialize(target, cache, opts = {})
@target = target
@fetcher = Inspec::Fetcher::Registry.resolve(target)
@fetcher = Inspec::Fetcher::Registry.resolve(target, opts)
if @fetcher.nil?
raise("Could not fetch inspec profile in #{target.inspect}.")

23
lib/inspec/cli.rb
View file

@ -65,6 +65,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
desc: "Save the created profile to a path"
option :controls, type: :array,
desc: "A list of controls to include. Ignore all other tests."
option :tags, type: :array,
desc: "A list of tags to filter controls and include only those. Ignore all other tests."
profile_options
def json(target)
require "json" unless defined?(JSON)
@ -91,7 +93,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
end
desc "check PATH", "verify all tests at the specified PATH"
option :format, type: :string
option :format, type: :string,
desc: "The output format to use doc (default), json. If valid format is not provided then it will use the default."
profile_options
def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
o = config
@ -218,9 +221,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
Automate:
```
#{Inspec::Dist::EXEC_NAME} compliance login
#{Inspec::Dist::EXEC_NAME} automate login
#{Inspec::Dist::EXEC_NAME} exec compliance://username/linux-baseline
```
`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way:
```
#{Inspec::Dist::EXEC_NAME} compliance login
```
Supermarket:
```
@ -301,7 +308,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
puts res.to_json
else
ui.headline("Platform Details")
ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36)
ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36, enable_color: ui.color?)
end
rescue ArgumentError, RuntimeError, Train::UserError => e
$stderr.puts e.message
@ -321,10 +328,14 @@ class Inspec::InspecCLI < Inspec::BaseCLI
desc: "A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell"
option :distinct_exit, type: :boolean, default: true,
desc: "Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures."
option :command_timeout, type: :numeric, default: 3600,
desc: "Maximum seconds to allow a command to run. Default 3600.",
long_desc: "Maximum seconds to allow commands to run. Default 3600. A timed out command is considered an error."
option :command_timeout, type: :numeric,
desc: "Maximum seconds to allow a command to run.",
long_desc: "Maximum seconds to allow commands to run. A timed out command is considered an error."
option :inspect, type: :boolean, default: false, desc: "Use verbose/debugging output for resources."
option :input_file, type: :array,
desc: "Load one or more input files, a YAML file with values for the shell to use"
option :input, type: :array, banner: "name1=value1 name2=value2",
desc: "Specify one or more inputs directly on the command line to the shell, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures."
def shell_func
o = config
diagnose(o)

80
lib/inspec/control_eval_context.rb
View file

@ -18,6 +18,7 @@ module Inspec
attr_accessor :skip_file
attr_accessor :profile_context
attr_accessor :resources_dsl
attr_accessor :conf
def initialize(profile_context, resources_dsl, backend, conf, dependencies, require_loader, skip_only_if_eval)
@profile_context = profile_context
@ -53,12 +54,30 @@ module Inspec
def control(id, opts = {}, &block)
opts[:skip_only_if_eval] = @skip_only_if_eval
if control_exist_in_controls_list?(id) || controls_list_empty?
if (controls_list_empty? && tags_list_empty?) || control_exist_in_controls_list?(id)
register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block))
elsif !tags_list_empty?
# Inside elsif rule is initialised before registering it because it enables fetching of control tags
# This condition is only true when --tags option is used
inspec_rule = Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block)
tag_ids = control_tags(inspec_rule)
register_control(inspec_rule) if tag_exist_in_control_tags?(tag_ids)
end
end
alias rule control
def control_tags(inspec_rule)
all_tags = []
inspec_rule.tag.each do |key, value|
all_tags.push(key)
all_tags.push(value) unless value.nil?
end
all_tags.flatten.compact.uniq.map(&:to_s)
rescue
[]
end
# Describe allows users to write rspec-like bare describe
# blocks without declaring an inclosing control. Here, we
# generate a control for them automatically and then execute
@ -74,7 +93,7 @@ module Inspec
res = describe(*args, &block)
end
if control_exist_in_controls_list?(id) || controls_list_empty?
if controls_list_empty? || control_exist_in_controls_list?(id)
register_control(rule, &block)
end
@ -171,6 +190,47 @@ module Inspec
@skip_file = true
end
# Check if the given control exist in the --tags option
def tag_exist_in_control_tags?(tag_ids)
tag_option_matches_with_list = false
if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist?
tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty?
unless tag_option_matches_with_list
@conf["profile"].include_tags_list.any? do |inclusion|
# Try to see if the inclusion is a regex, and if it matches
if inclusion.is_a?(Regexp)
tag_ids.each do |id|
tag_option_matches_with_list = (inclusion =~ id)
break if tag_option_matches_with_list
end
end
end
end
end
tag_option_matches_with_list
end
def tags_list_empty?
!@conf.empty? && @conf.key?("profile") && @conf["profile"].include_tags_list.empty? || @conf.empty?
end
# Check if the given control exist in the --controls option
def control_exist_in_controls_list?(id)
id_exist_in_list = false
if profile_config_exist?
id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion|
# Try to see if the inclusion is a regex, and if it matches
inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
end
end
id_exist_in_list
end
# Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
def controls_list_empty?
!@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
end
private
def block_location(block, alternate_caller)
@ -187,20 +247,8 @@ module Inspec
!@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
end
# Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
def controls_list_empty?
!@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
end
# Check if the given control exist in the --controls option
def control_exist_in_controls_list?(id)
if profile_config_exist?
id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion|
# Try to see if the inclusion is a regex, and if it matches
inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
end
end
id_exist_in_list
def profile_tag_config_exist?
!@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_tags_list.empty?
end
end
end

21
lib/inspec/dsl.rb
View file

@ -93,23 +93,38 @@ module Inspec::DSL
context = dep_entry.profile.runner_context
# if we don't want all the rules, then just make 1 pass to get all rule_IDs
# that we want to keep from the original
filter_included_controls(context, dep_entry.profile, &block) unless opts[:include_all]
if !opts[:include_all] || !(opts[:conf]["profile"].include_tags_list.empty?) || !opts[:conf]["profile"].include_controls_list.empty?
filter_included_controls(context, dep_entry.profile, opts, &block)
end
# interpret the block and skip/modify as required
context.load(block) if block_given?
bind_context.add_subcontext(context)
end
def self.filter_included_controls(context, profile, &block)
def self.filter_included_controls(context, profile, opts, &block)
mock = Inspec::Backend.create(Inspec::Config.mock)
include_ctx = Inspec::ProfileContext.for_profile(profile, mock)
include_ctx.load(block) if block_given?
include_ctx.control_eval_context.conf = opts[:conf]
control_eval_ctx = include_ctx.control_eval_context
# remove all rules that were not registered
context.all_rules.each do |r|
id = Inspec::Rule.rule_id(r)
fid = Inspec::Rule.profile_id(r) + "/" + id
unless include_ctx.rules[id] || include_ctx.rules[fid]
if !opts[:include_all] && !(include_ctx.rules[id] || include_ctx.rules[fid])
context.remove_rule(fid)
end
unless control_eval_ctx.controls_list_empty?
# filter the dependent profile controls which are not in the --controls options list
context.remove_rule(fid) unless control_eval_ctx.control_exist_in_controls_list?(id)
end
unless control_eval_ctx.tags_list_empty?
# filter included controls using --tags
tag_ids = control_eval_ctx.control_tags(r)
context.remove_rule(fid) unless control_eval_ctx.tag_exist_in_control_tags?(tag_ids)
end
end
end
end

6
lib/inspec/fetcher.rb
View file

@ -2,12 +2,12 @@ require "inspec/plugin/v1"
module Inspec
class FetcherRegistry < PluginRegistry
def resolve(target)
def resolve(target, opts = {})
if fetcher_specified?(target)
super(target)
super(target, opts)
else
Inspec::Log.debug("Assuming default supermarket source for #{target}")
super(with_default_fetcher(target))
super(with_default_fetcher(target), opts)
end
end

Some files were not shown because too many files have changed in this diff Show more