mirror of
https://github.com/inspec/inspec
synced 2024-11-26 22:50:36 +00:00
Merge branch 'main' into ns/fully_waived
This commit is contained in:
commit
43980e438d
357 changed files with 7383 additions and 2178 deletions
|
@ -16,7 +16,7 @@ uname -a
|
||||||
|
|
||||||
echo "--- Installing Habitat"
|
echo "--- Installing Habitat"
|
||||||
id -a
|
id -a
|
||||||
curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | bash
|
curl https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh | bash
|
||||||
|
|
||||||
|
|
||||||
echo "--- Generating fake origin key"
|
echo "--- Generating fake origin key"
|
||||||
|
|
51
.expeditor/buildkite/bk_linux_exec.sh
Executable file
51
.expeditor/buildkite/bk_linux_exec.sh
Executable file
|
@ -0,0 +1,51 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Enable IPv6 in docker
|
||||||
|
echo "--- Enabling ipv6 on docker"
|
||||||
|
sudo systemctl stop docker
|
||||||
|
dockerd_config="/etc/docker/daemon.json"
|
||||||
|
sudo echo "$(jq '. + {"ipv6": true, "fixed-cidr-v6": "2001:2019:6002::/80", "ip-forward": false}' $dockerd_config)" > $dockerd_config
|
||||||
|
sudo systemctl start docker
|
||||||
|
|
||||||
|
# Install C and C++
|
||||||
|
echo "--- Installing package deps"
|
||||||
|
sudo yum install -y gcc gcc-c++ openssl-devel readline-devel zlib-devel
|
||||||
|
|
||||||
|
# Install ASDF
|
||||||
|
echo "--- Installing asdf to ${HOME}/.asdf"
|
||||||
|
git clone https://github.com/asdf-vm/asdf.git "${HOME}/.asdf"
|
||||||
|
cd "${HOME}/.asdf"; git checkout "$(git describe --abbrev=0 --tags)"; cd -
|
||||||
|
. "${HOME}/.asdf/asdf.sh"
|
||||||
|
|
||||||
|
# Install Ruby
|
||||||
|
ruby_version=$(sed -n '/"ruby"/{s/.*version: "//;s/"//;p;}' omnibus_overrides.rb)
|
||||||
|
echo "--- Installing Ruby $ruby_version"
|
||||||
|
asdf plugin add ruby
|
||||||
|
asdf install ruby $ruby_version
|
||||||
|
asdf global ruby $ruby_version
|
||||||
|
|
||||||
|
# Set Environment Variables
|
||||||
|
export BUNDLE_GEMFILE=$PWD/Gemfile
|
||||||
|
export FORCE_FFI_YAJL=ext
|
||||||
|
export CHEF_LICENSE="accept-silent"
|
||||||
|
|
||||||
|
# Update Gems
|
||||||
|
echo "--- Installing Gems"
|
||||||
|
echo 'gem: --no-document' >> ~/.gemrc
|
||||||
|
sudo iptables -L DOCKER || ( echo "DOCKER iptables chain missing" ; sudo iptables -N DOCKER )
|
||||||
|
bundle install --jobs=3 --retry=3 --path=../vendor/bundle
|
||||||
|
|
||||||
|
echo "--- Config information"
|
||||||
|
|
||||||
|
echo "!!!! RUBY VERSION !!!!"
|
||||||
|
ruby --version
|
||||||
|
echo "!!!! BUNDLER LOCATION !!!!"
|
||||||
|
which bundle
|
||||||
|
echo "!!!! BUNDLER VERSION !!!!"
|
||||||
|
bundle -v
|
||||||
|
echo "!!!! DOCKER VERSION !!!!"
|
||||||
|
docker version
|
||||||
|
echo "!!!! DOCKER STATUS !!!!"
|
||||||
|
sudo service docker status
|
||||||
|
|
||||||
|
echo "+++ Running tests"
|
|
@ -1,70 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
set -ueo pipefail
|
|
||||||
|
|
||||||
export LANG=C.UTF-8 LANGUAGE=C.UTF-8
|
|
||||||
# test-reporter expects reporter identifier under this environment variable
|
|
||||||
CC_TEST_REPORTER_ID="$COVERAGE_ID"
|
|
||||||
export CC_TEST_REPORTER_ID
|
|
||||||
TEST_REPORTER_VERSION="0.6.3"
|
|
||||||
S3_URL="s3://public-cd-buildkite-cache/$BUILDKITE_PIPELINE_SLUG/$BUILDKITE_LABEL"
|
|
||||||
|
|
||||||
download_test_reporter() {
|
|
||||||
curl -o test-reporter -L https://codeclimate.com/downloads/test-reporter/test-reporter-"$TEST_REPORTER_VERSION"-linux-amd64
|
|
||||||
chmod +x test-reporter
|
|
||||||
touch new_test-reporter
|
|
||||||
}
|
|
||||||
|
|
||||||
download_s3_file() {
|
|
||||||
aws s3 cp "$S3_URL/$1" "$1"
|
|
||||||
}
|
|
||||||
|
|
||||||
upload_s3_file() {
|
|
||||||
if [ -f "$1" ]; then
|
|
||||||
aws s3 cp "$1" "$S3_URL/$1" || echo "Could not push $1 to S3 for caching."
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
echo "--- downloading coverage tool"
|
|
||||||
download_s3_file test-reporter || download_test_reporter
|
|
||||||
download_s3_file test-reporter.sha || echo -e "\nCould not download test-reporter.sha"
|
|
||||||
|
|
||||||
|
|
||||||
echo "--- updating rubygems"
|
|
||||||
gem update --system -N
|
|
||||||
|
|
||||||
echo "--- system details"
|
|
||||||
uname -a
|
|
||||||
gem env
|
|
||||||
bundle --version
|
|
||||||
|
|
||||||
echo "--- setting up test coverage before build"
|
|
||||||
./test-reporter before-build
|
|
||||||
|
|
||||||
echo "--- bundle install"
|
|
||||||
bundle install --jobs=7 --retry=3 --without tools maintenance deploy
|
|
||||||
|
|
||||||
echo "+++ bundle exec rake"
|
|
||||||
bundle exec rake test
|
|
||||||
EXIT_CODE=$?
|
|
||||||
|
|
||||||
echo "+++ formatting and uploading test coverage"
|
|
||||||
./test-reporter sum-coverage
|
|
||||||
./test-reporter after-build -t simplecov --exit-code "$EXIT_CODE"
|
|
||||||
|
|
||||||
echo "--- uploading test-reporter.sha to s3"
|
|
||||||
if [ -f "new_test-reporter" ]; then
|
|
||||||
echo "new test-reporter detected. uploading."
|
|
||||||
shasum -a 256 test-reporter > test-reporter.sha
|
|
||||||
for i in "test-reporter" "test-reporter.sha"; do
|
|
||||||
upload_s3_file "$i"
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
if shasum --check test-reporter.sha --status; then
|
|
||||||
echo "test-reporter shasum mismatch. uploading."
|
|
||||||
shasum -a 256 test-reporter > test-reporter.sha
|
|
||||||
for i in "test-reporter" "test-reporter.sha"; do
|
|
||||||
upload_s3_file "$i"
|
|
||||||
done
|
|
||||||
fi
|
|
|
@ -5,7 +5,8 @@ ruby -v
|
||||||
bundle --version
|
bundle --version
|
||||||
|
|
||||||
echo "--- bundle install"
|
echo "--- bundle install"
|
||||||
bundle install --jobs=7 --retry=3 --without tools maintenance deploy
|
bundle config set --local without tools maintenance deploy
|
||||||
|
bundle install --jobs=7 --retry=3
|
||||||
|
|
||||||
echo "+++ bundle exec rake test:parallel"
|
echo "+++ bundle exec rake test:parallel"
|
||||||
bundle exec rake test:parallel K=4
|
bundle exec rake test:parallel K=4
|
||||||
|
|
|
@ -25,7 +25,8 @@ pull_bundle
|
||||||
|
|
||||||
echo "--- bundle"
|
echo "--- bundle"
|
||||||
bundle config --local path vendor/bundle
|
bundle config --local path vendor/bundle
|
||||||
bundle install --jobs=7 --retry=3 --without tools maintenance deploy
|
bundle config set --local without tools maintenance deploy
|
||||||
|
bundle install --jobs=7 --retry=3
|
||||||
|
|
||||||
echo "--- push bundle cache"
|
echo "--- push bundle cache"
|
||||||
push_bundle
|
push_bundle
|
||||||
|
|
|
@ -7,7 +7,8 @@ set -ue
|
||||||
echo "--- bundle install"
|
echo "--- bundle install"
|
||||||
|
|
||||||
cd www
|
cd www
|
||||||
bundle install --jobs=7 --retry=3 --without tools maintenance deploy
|
bundle config set --local without tools maintenance deploy
|
||||||
|
bundle install --jobs=7 --retry=3
|
||||||
|
|
||||||
echo "+++ bundle exec rake"
|
echo "+++ bundle exec rake"
|
||||||
bundle exec rake www V=1 PUSH=1
|
bundle exec rake www V=1 PUSH=1
|
||||||
|
|
|
@ -31,15 +31,10 @@ pipelines:
|
||||||
- SLOW: 1
|
- SLOW: 1
|
||||||
- NO_AWS: 1
|
- NO_AWS: 1
|
||||||
- MT_CPU: 5
|
- MT_CPU: 5
|
||||||
- coverage:
|
|
||||||
description: Generate test coverage report
|
|
||||||
env:
|
|
||||||
- CI_ENABLE_COVERAGE: true
|
|
||||||
- LANG: "C.UTF-8"
|
|
||||||
- SLOW: 1
|
|
||||||
- integration/resources:
|
- integration/resources:
|
||||||
description: Test core resources with test-kitchen.
|
description: Test core resources with test-kitchen.
|
||||||
definition: .expeditor/integration.resources.yml
|
definition: .expeditor/integration.resources.yml
|
||||||
|
trigger: pull_request
|
||||||
# This breaks expeditor as it does not yet exist
|
# This breaks expeditor as it does not yet exist
|
||||||
# - integration/libraries:
|
# - integration/libraries:
|
||||||
# description: Integration with plugins, gems, resource packs.
|
# description: Integration with plugins, gems, resource packs.
|
||||||
|
@ -75,8 +70,9 @@ github:
|
||||||
minor_bump_labels:
|
minor_bump_labels:
|
||||||
- "Expeditor: Bump Minor Version"
|
- "Expeditor: Bump Minor Version"
|
||||||
version_tag_format: v{{version}}
|
version_tag_format: v{{version}}
|
||||||
release_branch:
|
|
||||||
- master:
|
release_branches:
|
||||||
|
- main:
|
||||||
version_constraint: 4.*
|
version_constraint: 4.*
|
||||||
- 1-stable:
|
- 1-stable:
|
||||||
version_constraint: 1.*
|
version_constraint: 1.*
|
||||||
|
@ -95,90 +91,91 @@ changelog:
|
||||||
- "Type: Enhancement": "Enhancements"
|
- "Type: Enhancement": "Enhancements"
|
||||||
- "Type: Bug": "Bug Fixes"
|
- "Type: Bug": "Bug Fixes"
|
||||||
|
|
||||||
merge_actions:
|
|
||||||
- built_in:bump_version:
|
|
||||||
ignore_labels:
|
|
||||||
- "Expeditor: Skip All"
|
|
||||||
- "Expeditor: Skip Version Bump"
|
|
||||||
only_if_modified:
|
|
||||||
- .expeditor/*
|
|
||||||
- docs-chef-io/*
|
|
||||||
- etc/*
|
|
||||||
- habitat/*
|
|
||||||
- inspec-bin/*
|
|
||||||
- lib/*
|
|
||||||
- omnibus/*
|
|
||||||
- support/*
|
|
||||||
- tasks/*
|
|
||||||
- test/*
|
|
||||||
- Gemfile*
|
|
||||||
- LICENSE
|
|
||||||
- "*.gemspec"
|
|
||||||
- "*.md"
|
|
||||||
- bash:.expeditor/update_version.sh:
|
|
||||||
only_if: built_in:bump_version
|
|
||||||
- built_in:update_changelog:
|
|
||||||
ignore_labels:
|
|
||||||
- "Expeditor: Skip All"
|
|
||||||
- "Expeditor: Skip Changelog"
|
|
||||||
- trigger_pipeline:omnibus/adhoc:
|
|
||||||
not_if: built_in:bump_version
|
|
||||||
ignore_labels:
|
|
||||||
- "Expeditor: Skip Omnibus"
|
|
||||||
- "Expeditor: Skip All"
|
|
||||||
- trigger_pipeline:artifact/habitat:
|
|
||||||
only_if: built_in:bump_version
|
|
||||||
ignore_labels:
|
|
||||||
- "Expeditor: Skip Habitat"
|
|
||||||
- "Expeditor: Skip All"
|
|
||||||
- trigger_pipeline:omnibus/release:
|
|
||||||
only_if: built_in:bump_version
|
|
||||||
ignore_labels:
|
|
||||||
- "Expeditor: Skip Omnibus"
|
|
||||||
- "Expeditor: Skip All"
|
|
||||||
- trigger_pipeline:habitat/build:
|
|
||||||
only_if: built_in:bump_version
|
|
||||||
ignore_labels:
|
|
||||||
- "Expeditor: Skip Habitat"
|
|
||||||
- "Expeditor: Skip All"
|
|
||||||
- built_in:build_gem:
|
|
||||||
only_if:
|
|
||||||
- built_in:bump_version
|
|
||||||
|
|
||||||
subscriptions:
|
subscriptions:
|
||||||
- workload: artifact_published:unstable:inspec:{{version_constraint}}
|
- workload: pull_request_merged:{{github_repo}}:{{release_branch}}:*
|
||||||
actions:
|
actions:
|
||||||
- trigger_pipeline:docker/build
|
- built_in:bump_version:
|
||||||
- bash:.expeditor/buildkite/wwwrelease.sh:
|
ignore_labels:
|
||||||
post_commit: true
|
- "Expeditor: Skip All"
|
||||||
- workload: artifact_published:current:inspec:{{version_constraint}}
|
- "Expeditor: Skip Version Bump"
|
||||||
actions:
|
only_if_modified:
|
||||||
- built_in:promote_docker_images
|
- .expeditor/*
|
||||||
- built_in:promote_habitat_packages
|
- docs-chef-io/*
|
||||||
- workload: artifact_published:stable:inspec:{{version_constraint}}
|
- etc/*
|
||||||
actions:
|
- habitat/*
|
||||||
- bash:.expeditor/update_dockerfile.sh
|
- inspec-bin/*
|
||||||
- built_in:rollover_changelog
|
- lib/*
|
||||||
- built_in:publish_rubygems
|
- omnibus/*
|
||||||
- built_in:create_github_release
|
- support/*
|
||||||
- built_in:promote_docker_images
|
- tasks/*
|
||||||
- built_in:promote_habitat_packages
|
- test/*
|
||||||
- bash:.expeditor/publish-release-notes.sh:
|
- Gemfile*
|
||||||
post_commit: true
|
- LICENSE
|
||||||
- purge_packages_chef_io_fastly:{{target_channel}}/inspec/latest:
|
- "*.gemspec"
|
||||||
post_commit: true
|
- "*.md"
|
||||||
- bash:.expeditor/announce-release.sh:
|
- bash:.expeditor/update_version.sh:
|
||||||
post_commit: true
|
only_if: built_in:bump_version
|
||||||
- built_in:notify_chefio_slack_channels
|
- built_in:update_changelog:
|
||||||
- workload: pull_request_opened:{{agent_id}}:*
|
ignore_labels:
|
||||||
actions:
|
- "Expeditor: Skip All"
|
||||||
- post_github_comment:.expeditor/templates/pull_request.mustache:
|
- "Expeditor: Skip Changelog"
|
||||||
ignore_team_members:
|
- trigger_pipeline:omnibus/adhoc:
|
||||||
- inspec/owners
|
not_if: built_in:bump_version
|
||||||
- inspec/inspec-core-team
|
ignore_labels:
|
||||||
- built_in:github_auto_assign_author:
|
- "Expeditor: Skip Omnibus"
|
||||||
only_if_team_member:
|
- "Expeditor: Skip All"
|
||||||
- inspec/owners
|
- trigger_pipeline:artifact/habitat:
|
||||||
- inspec/inspec-core-team
|
only_if: built_in:bump_version
|
||||||
- trigger_pipeline:coverage
|
ignore_labels:
|
||||||
- trigger_pipeline:artifact/habitat
|
- "Expeditor: Skip Habitat"
|
||||||
|
- "Expeditor: Skip All"
|
||||||
|
- trigger_pipeline:omnibus/release:
|
||||||
|
only_if: built_in:bump_version
|
||||||
|
ignore_labels:
|
||||||
|
- "Expeditor: Skip Omnibus"
|
||||||
|
- "Expeditor: Skip All"
|
||||||
|
- trigger_pipeline:habitat/build:
|
||||||
|
only_if: built_in:bump_version
|
||||||
|
ignore_labels:
|
||||||
|
- "Expeditor: Skip Habitat"
|
||||||
|
- "Expeditor: Skip All"
|
||||||
|
- built_in:build_gem:
|
||||||
|
only_if:
|
||||||
|
- built_in:bump_version
|
||||||
|
- workload: artifact_published:unstable:inspec:{{version_constraint}}
|
||||||
|
actions:
|
||||||
|
- trigger_pipeline:docker/build
|
||||||
|
- bash:.expeditor/buildkite/wwwrelease.sh:
|
||||||
|
post_commit: true
|
||||||
|
- workload: artifact_published:current:inspec:{{version_constraint}}
|
||||||
|
actions:
|
||||||
|
- built_in:promote_docker_images
|
||||||
|
- built_in:promote_habitat_packages
|
||||||
|
- workload: project_promoted:{{agent_id}}:*
|
||||||
|
actions:
|
||||||
|
- built_in:promote_artifactory_artifact
|
||||||
|
- workload: artifact_published:stable:inspec:{{version_constraint}}
|
||||||
|
actions:
|
||||||
|
- bash:.expeditor/update_dockerfile.sh
|
||||||
|
- built_in:rollover_changelog
|
||||||
|
- built_in:publish_rubygems
|
||||||
|
- built_in:create_github_release
|
||||||
|
- built_in:promote_docker_images
|
||||||
|
- built_in:promote_habitat_packages
|
||||||
|
- bash:.expeditor/publish-release-notes.sh:
|
||||||
|
post_commit: true
|
||||||
|
- purge_packages_chef_io_fastly:{{target_channel}}/inspec/latest:
|
||||||
|
post_commit: true
|
||||||
|
- bash:.expeditor/announce-release.sh:
|
||||||
|
post_commit: true
|
||||||
|
- built_in:notify_chefio_slack_channels
|
||||||
|
- workload: pull_request_opened:{{github_repo}}:{{release_branch}}:*
|
||||||
|
actions:
|
||||||
|
- post_github_comment:.expeditor/templates/pull_request.mustache:
|
||||||
|
ignore_team_members:
|
||||||
|
- inspec/owners
|
||||||
|
- inspec/inspec-core-team
|
||||||
|
- built_in:github_auto_assign_author:
|
||||||
|
only_if_team_member:
|
||||||
|
- inspec/owners
|
||||||
|
- inspec/inspec-core-team
|
|
@ -1,19 +0,0 @@
|
||||||
---
|
|
||||||
expeditor:
|
|
||||||
defaults:
|
|
||||||
buildkite:
|
|
||||||
timeout_in_minutes: 30
|
|
||||||
|
|
||||||
|
|
||||||
steps:
|
|
||||||
|
|
||||||
- label: coverage
|
|
||||||
commands:
|
|
||||||
- .expeditor/buildkite/coverage.sh
|
|
||||||
expeditor:
|
|
||||||
executor:
|
|
||||||
docker:
|
|
||||||
secrets:
|
|
||||||
COVERAGE_ID:
|
|
||||||
path: secret/coveralls/inspec/inspec
|
|
||||||
field: reporter_id
|
|
|
@ -1 +1,201 @@
|
||||||
#
|
---
|
||||||
|
expeditor:
|
||||||
|
defaults:
|
||||||
|
buildkite:
|
||||||
|
timeout_in_minutes: 60
|
||||||
|
retry:
|
||||||
|
automatic:
|
||||||
|
limit: 1
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- label: "Kitchen: resources-amazonlinux-2"
|
||||||
|
commands:
|
||||||
|
- .expeditor/buildkite/bk_linux_exec.sh
|
||||||
|
- . /var/lib/buildkite-agent/.asdf/asdf.sh
|
||||||
|
- bundle exec kitchen test resources-amazonlinux-2
|
||||||
|
artifact_paths:
|
||||||
|
- $PWD/.kitchen/logs/kitchen.log
|
||||||
|
env:
|
||||||
|
KITCHEN_YAML: kitchen.dokken.yml
|
||||||
|
DOCKER: 1
|
||||||
|
expeditor:
|
||||||
|
executor:
|
||||||
|
linux:
|
||||||
|
privileged: true
|
||||||
|
single-use: true
|
||||||
|
|
||||||
|
- label: "Kitchen: resources-centos-7"
|
||||||
|
commands:
|
||||||
|
- .expeditor/buildkite/bk_linux_exec.sh
|
||||||
|
- . /var/lib/buildkite-agent/.asdf/asdf.sh
|
||||||
|
- bundle exec kitchen test resources-centos-7
|
||||||
|
artifact_paths:
|
||||||
|
- $PWD/.kitchen/logs/kitchen.log
|
||||||
|
env:
|
||||||
|
KITCHEN_YAML: kitchen.dokken.yml
|
||||||
|
DOCKER: 1
|
||||||
|
expeditor:
|
||||||
|
executor:
|
||||||
|
linux:
|
||||||
|
privileged: true
|
||||||
|
single-use: true
|
||||||
|
|
||||||
|
- label: "Kitchen: resources-centos-8"
|
||||||
|
commands:
|
||||||
|
- .expeditor/buildkite/bk_linux_exec.sh
|
||||||
|
- . /var/lib/buildkite-agent/.asdf/asdf.sh
|
||||||
|
- bundle exec kitchen test resources-centos-8
|
||||||
|
artifact_paths:
|
||||||
|
- $PWD/.kitchen/logs/kitchen.log
|
||||||
|
env:
|
||||||
|
KITCHEN_YAML: kitchen.dokken.yml
|
||||||
|
DOCKER: 1
|
||||||
|
expeditor:
|
||||||
|
executor:
|
||||||
|
linux:
|
||||||
|
privileged: true
|
||||||
|
single-use: true
|
||||||
|
|
||||||
|
- label: "Kitchen: resources-debian-9"
|
||||||
|
commands:
|
||||||
|
- .expeditor/buildkite/bk_linux_exec.sh
|
||||||
|
- . /var/lib/buildkite-agent/.asdf/asdf.sh
|
||||||
|
- bundle exec kitchen test resources-debian-9
|
||||||
|
artifact_paths:
|
||||||
|
- $PWD/.kitchen/logs/kitchen.log
|
||||||
|
env:
|
||||||
|
KITCHEN_YAML: kitchen.dokken.yml
|
||||||
|
DOCKER: 1
|
||||||
|
expeditor:
|
||||||
|
executor:
|
||||||
|
linux:
|
||||||
|
privileged: true
|
||||||
|
single-use: true
|
||||||
|
|
||||||
|
- label: "Kitchen: resources-debian-10"
|
||||||
|
commands:
|
||||||
|
- .expeditor/buildkite/bk_linux_exec.sh
|
||||||
|
- . /var/lib/buildkite-agent/.asdf/asdf.sh
|
||||||
|
- bundle exec kitchen test resources-debian-10
|
||||||
|
artifact_paths:
|
||||||
|
- $PWD/.kitchen/logs/kitchen.log
|
||||||
|
env:
|
||||||
|
KITCHEN_YAML: kitchen.dokken.yml
|
||||||
|
DOCKER: 1
|
||||||
|
expeditor:
|
||||||
|
executor:
|
||||||
|
linux:
|
||||||
|
privileged: true
|
||||||
|
single-use: true
|
||||||
|
|
||||||
|
- label: "Kitchen: resources-fedora-latest"
|
||||||
|
commands:
|
||||||
|
- .expeditor/buildkite/bk_linux_exec.sh
|
||||||
|
- . /var/lib/buildkite-agent/.asdf/asdf.sh
|
||||||
|
- bundle exec kitchen test resources-fedora-latest
|
||||||
|
artifact_paths:
|
||||||
|
- $PWD/.kitchen/logs/kitchen.log
|
||||||
|
env:
|
||||||
|
KITCHEN_YAML: kitchen.dokken.yml
|
||||||
|
DOCKER: 1
|
||||||
|
expeditor:
|
||||||
|
executor:
|
||||||
|
linux:
|
||||||
|
privileged: true
|
||||||
|
single-use: true
|
||||||
|
|
||||||
|
- label: "Kitchen: resources-oraclelinux-7"
|
||||||
|
commands:
|
||||||
|
- .expeditor/buildkite/bk_linux_exec.sh
|
||||||
|
- . /var/lib/buildkite-agent/.asdf/asdf.sh
|
||||||
|
- bundle exec kitchen test resources-oraclelinux-7
|
||||||
|
artifact_paths:
|
||||||
|
- $PWD/.kitchen/logs/kitchen.log
|
||||||
|
env:
|
||||||
|
KITCHEN_YAML: kitchen.dokken.yml
|
||||||
|
DOCKER: 1
|
||||||
|
expeditor:
|
||||||
|
executor:
|
||||||
|
linux:
|
||||||
|
privileged: true
|
||||||
|
single-use: true
|
||||||
|
|
||||||
|
- label: "Kitchen: resources-oraclelinux-8"
|
||||||
|
commands:
|
||||||
|
- .expeditor/buildkite/bk_linux_exec.sh
|
||||||
|
- . /var/lib/buildkite-agent/.asdf/asdf.sh
|
||||||
|
- bundle exec kitchen test resources-oraclelinux-8
|
||||||
|
artifact_paths:
|
||||||
|
- $PWD/.kitchen/logs/kitchen.log
|
||||||
|
env:
|
||||||
|
KITCHEN_YAML: kitchen.dokken.yml
|
||||||
|
DOCKER: 1
|
||||||
|
expeditor:
|
||||||
|
executor:
|
||||||
|
linux:
|
||||||
|
privileged: true
|
||||||
|
single-use: true
|
||||||
|
|
||||||
|
- label: "Kitchen: resources-opensuse-leap"
|
||||||
|
commands:
|
||||||
|
- .expeditor/buildkite/bk_linux_exec.sh
|
||||||
|
- . /var/lib/buildkite-agent/.asdf/asdf.sh
|
||||||
|
- bundle exec kitchen test resources-opensuse-leap
|
||||||
|
artifact_paths:
|
||||||
|
- $PWD/.kitchen/logs/kitchen.log
|
||||||
|
env:
|
||||||
|
KITCHEN_YAML: kitchen.dokken.yml
|
||||||
|
DOCKER: 1
|
||||||
|
expeditor:
|
||||||
|
executor:
|
||||||
|
linux:
|
||||||
|
privileged: true
|
||||||
|
single-use: true
|
||||||
|
|
||||||
|
- label: "Kitchen: resources-ubuntu-1604"
|
||||||
|
commands:
|
||||||
|
- .expeditor/buildkite/bk_linux_exec.sh
|
||||||
|
- . /var/lib/buildkite-agent/.asdf/asdf.sh
|
||||||
|
- bundle exec kitchen test resources-ubuntu-1604
|
||||||
|
artifact_paths:
|
||||||
|
- $PWD/.kitchen/logs/kitchen.log
|
||||||
|
env:
|
||||||
|
KITCHEN_YAML: kitchen.dokken.yml
|
||||||
|
DOCKER: 1
|
||||||
|
expeditor:
|
||||||
|
executor:
|
||||||
|
linux:
|
||||||
|
privileged: true
|
||||||
|
single-use: true
|
||||||
|
|
||||||
|
- label: "Kitchen: resources-ubuntu-1804"
|
||||||
|
commands:
|
||||||
|
- .expeditor/buildkite/bk_linux_exec.sh
|
||||||
|
- . /var/lib/buildkite-agent/.asdf/asdf.sh
|
||||||
|
- bundle exec kitchen test resources-ubuntu-1804
|
||||||
|
artifact_paths:
|
||||||
|
- $PWD/.kitchen/logs/kitchen.log
|
||||||
|
env:
|
||||||
|
KITCHEN_YAML: kitchen.dokken.yml
|
||||||
|
DOCKER: 1
|
||||||
|
expeditor:
|
||||||
|
executor:
|
||||||
|
linux:
|
||||||
|
privileged: true
|
||||||
|
single-use: true
|
||||||
|
|
||||||
|
- label: "Kitchen: resources-ubuntu-2004"
|
||||||
|
commands:
|
||||||
|
- .expeditor/buildkite/bk_linux_exec.sh
|
||||||
|
- . /var/lib/buildkite-agent/.asdf/asdf.sh
|
||||||
|
- bundle exec kitchen test resources-ubuntu-2004
|
||||||
|
artifact_paths:
|
||||||
|
- $PWD/.kitchen/logs/kitchen.log
|
||||||
|
env:
|
||||||
|
KITCHEN_YAML: kitchen.dokken.yml
|
||||||
|
DOCKER: 1
|
||||||
|
expeditor:
|
||||||
|
executor:
|
||||||
|
linux:
|
||||||
|
privileged: true
|
||||||
|
single-use: true
|
||||||
|
|
|
@ -6,28 +6,35 @@ test-path-windows: omnibus/omnibus-test.ps1
|
||||||
fips-platforms:
|
fips-platforms:
|
||||||
- el-*-x86_64
|
- el-*-x86_64
|
||||||
- windows-*
|
- windows-*
|
||||||
|
- ubuntu-*-x86_64
|
||||||
builder-to-testers-map:
|
builder-to-testers-map:
|
||||||
debian-9-x86_64:
|
debian-9-x86_64:
|
||||||
- debian-9-x86_64
|
- debian-9-x86_64
|
||||||
- debian-10-x86_64
|
- debian-10-x86_64
|
||||||
|
- debian-11-x86_64
|
||||||
debian-10-aarch64:
|
debian-10-aarch64:
|
||||||
- debian-10-aarch64
|
- debian-10-aarch64
|
||||||
|
- debian-11-aarch64
|
||||||
el-6-x86_64:
|
el-6-x86_64:
|
||||||
- el-6-x86_64
|
- el-6-x86_64
|
||||||
el-7-aarch64:
|
el-7-aarch64:
|
||||||
- el-7-aarch64
|
- el-7-aarch64
|
||||||
- el-8-aarch64
|
|
||||||
- amazon-2-aarch64
|
- amazon-2-aarch64
|
||||||
el-7-x86_64:
|
el-7-x86_64:
|
||||||
- el-7-x86_64
|
- el-7-x86_64
|
||||||
- el-8-x86_64
|
|
||||||
- amazon-2-x86_64
|
- amazon-2-x86_64
|
||||||
|
el-8-aarch64:
|
||||||
|
- el-8-aarch64
|
||||||
|
el-8-x86_64:
|
||||||
|
- el-8-x86_64
|
||||||
mac_os_x-10.14-x86_64:
|
mac_os_x-10.14-x86_64:
|
||||||
- mac_os_x-10.14-x86_64
|
- mac_os_x-10.14-x86_64
|
||||||
- mac_os_x-10.15-x86_64
|
- mac_os_x-10.15-x86_64
|
||||||
- mac_os_x-11-x86_64
|
- mac_os_x-11-x86_64
|
||||||
|
- mac_os_x-12-x86_64
|
||||||
mac_os_x-11-arm64:
|
mac_os_x-11-arm64:
|
||||||
- mac_os_x-11-arm64
|
- mac_os_x-11-arm64
|
||||||
|
- mac_os_x-12-arm64
|
||||||
sles-12-x86_64:
|
sles-12-x86_64:
|
||||||
- sles-12-x86_64
|
- sles-12-x86_64
|
||||||
- sles-15-x86_64
|
- sles-15-x86_64
|
||||||
|
@ -45,5 +52,7 @@ builder-to-testers-map:
|
||||||
- windows-2012r2-x86_64
|
- windows-2012r2-x86_64
|
||||||
- windows-2016-x86_64
|
- windows-2016-x86_64
|
||||||
- windows-2019-x86_64
|
- windows-2019-x86_64
|
||||||
|
- windows-2022-x86_64
|
||||||
- windows-8-x86_64
|
- windows-8-x86_64
|
||||||
- windows-10-x86_64
|
- windows-10-x86_64
|
||||||
|
- windows-11-x86_64
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
# This file updates the default VERSION build argument in the Dockerfile to the
|
# This file updates the default VERSION build argument in the Dockerfile to the
|
||||||
# VERSION passed in to the file via environment variables.
|
# VERSION passed in to the file via environment variables.
|
||||||
#
|
#
|
||||||
# This ensures the Dockerfile in inspec master will list the version of the latest
|
# This ensures the Dockerfile in inspec main will list the version of the latest
|
||||||
# stable release for any community member who wishes to build their own container
|
# stable release for any community member who wishes to build their own container
|
||||||
# from scratch.
|
# from scratch.
|
||||||
#
|
#
|
||||||
|
|
12
.github/dependabot.yml
vendored
Normal file
12
.github/dependabot.yml
vendored
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
version: 2
|
||||||
|
updates:
|
||||||
|
- package-ecosystem: bundler
|
||||||
|
directory: "/"
|
||||||
|
schedule:
|
||||||
|
interval: daily
|
||||||
|
open-pull-requests-limit: 10
|
||||||
|
- package-ecosystem: bundler
|
||||||
|
directory: "/omnibus"
|
||||||
|
schedule:
|
||||||
|
interval: daily
|
||||||
|
open-pull-requests-limit: 10
|
3
.github/labeler.yml
vendored
Normal file
3
.github/labeler.yml
vendored
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
documentation:
|
||||||
|
- 'docs-chef-io/**/*'
|
||||||
|
|
11
.github/workflows/labeler.yml
vendored
Normal file
11
.github/workflows/labeler.yml
vendored
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
name: "Pull Request Labeler"
|
||||||
|
on:
|
||||||
|
- pull_request_target
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
triage:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/labeler@main
|
||||||
|
with:
|
||||||
|
repo-token: "${{ secrets.GITHUB_TOKEN }}"
|
4
.gitignore
vendored
4
.gitignore
vendored
|
@ -36,6 +36,4 @@ results/
|
||||||
terraform.tfstate*
|
terraform.tfstate*
|
||||||
terraform.tfstate.backup
|
terraform.tfstate.backup
|
||||||
terraform.tfvars
|
terraform.tfvars
|
||||||
test/**/*.lock
|
test/**/*.lock
|
||||||
www/Gemfile.lock
|
|
||||||
www/source/index.html.slim
|
|
0
.gitmodules
vendored
0
.gitmodules
vendored
245
CHANGELOG.md
245
CHANGELOG.md
|
@ -1,22 +1,250 @@
|
||||||
# Change Log
|
# Change Log
|
||||||
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
|
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
|
||||||
<!-- latest_release 4.30.0 -->
|
<!-- latest_release 4.47.8 -->
|
||||||
## [v4.30.0](https://github.com/inspec/inspec/tree/v4.30.0) (2021-04-05)
|
## [v4.47.8](https://github.com/inspec/inspec/tree/v4.47.8) (2021-10-19)
|
||||||
|
|
||||||
#### Merged Pull Requests
|
#### Merged Pull Requests
|
||||||
- Add timeout option to command resource [#5443](https://github.com/inspec/inspec/pull/5443) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
- Oracle db session resource fix - when invoking query using os user and db role [#5702](https://github.com/inspec/inspec/pull/5702) ([Nik08](https://github.com/Nik08))
|
||||||
<!-- latest_release -->
|
<!-- latest_release -->
|
||||||
|
|
||||||
<!-- release_rollup since=4.29.3 -->
|
<!-- release_rollup since=4.46.13 -->
|
||||||
### Changes since 4.29.3 release
|
### Changes since 4.46.13 release
|
||||||
|
|
||||||
|
#### New Features
|
||||||
|
- Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) <!-- 4.47.0 -->
|
||||||
|
|
||||||
#### Merged Pull Requests
|
#### Merged Pull Requests
|
||||||
- Add timeout option to command resource [#5443](https://github.com/inspec/inspec/pull/5443) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 4.30.0 -->
|
- Oracle db session resource fix - when invoking query using os user and db role [#5702](https://github.com/inspec/inspec/pull/5702) ([Nik08](https://github.com/Nik08)) <!-- 4.47.8 -->
|
||||||
- Update inputs.md [#5449](https://github.com/inspec/inspec/pull/5449) ([IanMadd](https://github.com/IanMadd)) <!-- 4.29.5 -->
|
- Enable repeatable builds by bundling Gemfile.lock [#5688](https://github.com/inspec/inspec/pull/5688) ([tas50](https://github.com/tas50)) <!-- 4.47.7 -->
|
||||||
- Fix for Deprecation warning and FilterTable::ExceptionCatcher to show exact failure message. [#5441](https://github.com/inspec/inspec/pull/5441) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.29.4 -->
|
- Fix google_container_node_pool.md [#5696](https://github.com/inspec/inspec/pull/5696) ([pradeepbhadani](https://github.com/pradeepbhadani)) <!-- 4.47.6 -->
|
||||||
|
- Renamed Inspec DSL to Inspec Language [#5694](https://github.com/inspec/inspec/pull/5694) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) <!-- 4.47.5 -->
|
||||||
|
- Group & User Resources - Resolve name case-sensitivity issue for windows [#5667](https://github.com/inspec/inspec/pull/5667) ([Nik08](https://github.com/Nik08)) <!-- 4.47.4 -->
|
||||||
|
- Update GCS Storage class list [#5676](https://github.com/inspec/inspec/pull/5676) ([pradeepbhadani](https://github.com/pradeepbhadani)) <!-- 4.47.3 -->
|
||||||
|
- Improvements to the inspec.yml docs [#5679](https://github.com/inspec/inspec/pull/5679) ([tas50](https://github.com/tas50)) <!-- 4.47.2 -->
|
||||||
|
- Update the unit test files to use latest versions of OS rather than the older. [#5681](https://github.com/inspec/inspec/pull/5681) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.47.1 -->
|
||||||
|
- Update OpenSSL on macOS to 1.1.1l [#5687](https://github.com/inspec/inspec/pull/5687) ([tas50](https://github.com/tas50)) <!-- 4.47.0 -->
|
||||||
|
- Add back Ubuntu 16.04 packages + testing [#5689](https://github.com/inspec/inspec/pull/5689) ([tas50](https://github.com/tas50)) <!-- 4.46.15 -->
|
||||||
|
- Replaced /main/ from /master/ [#5678](https://github.com/inspec/inspec/pull/5678) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) <!-- 4.46.14 -->
|
||||||
<!-- release_rollup -->
|
<!-- release_rollup -->
|
||||||
|
|
||||||
<!-- latest_stable_release -->
|
<!-- latest_stable_release -->
|
||||||
|
## [v4.46.13](https://github.com/inspec/inspec/tree/v4.46.13) (2021-09-30)
|
||||||
|
|
||||||
|
#### New Features
|
||||||
|
- Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
- Add ibmdb2_conf and ibmdb2_session resource [#5614](https://github.com/inspec/inspec/pull/5614) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- adds chrony_conf InSpec resource [#5589](https://github.com/inspec/inspec/pull/5589) ([collinmcneese](https://github.com/collinmcneese))
|
||||||
|
|
||||||
|
#### Enhancements
|
||||||
|
- Add csv without headers support in csv resource [#5665](https://github.com/inspec/inspec/pull/5665) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Add option in `postgres_session` resource to establish socket connection [#5664](https://github.com/inspec/inspec/pull/5664) ([Nik08](https://github.com/Nik08))
|
||||||
|
|
||||||
|
#### Bug Fixes
|
||||||
|
- Fix main in expeditor script [#5669](https://github.com/inspec/inspec/pull/5669) ([kagarmoe](https://github.com/kagarmoe))
|
||||||
|
- Fix --tags filter for dependent profiles [#5657](https://github.com/inspec/inspec/pull/5657) ([Nik08](https://github.com/Nik08))
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Add labeler workflow with docs label [#5655](https://github.com/inspec/inspec/pull/5655) ([IanMadd](https://github.com/IanMadd))
|
||||||
|
- Docs edits [#5654](https://github.com/inspec/inspec/pull/5654) ([IanMadd](https://github.com/IanMadd))
|
||||||
|
- Fix branch name in docs makefile [#5660](https://github.com/inspec/inspec/pull/5660) ([IanMadd](https://github.com/IanMadd))
|
||||||
|
- Update inspec check docs for --format option [#5617](https://github.com/inspec/inspec/pull/5617) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Add support for Mssql Conf resource [#5574](https://github.com/inspec/inspec/pull/5574) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Add support for Oracle Configuration Resources (Oracle Db Conf & Oracle Listener Conf) [#5573](https://github.com/inspec/inspec/pull/5573) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Added missing cli commands in cli doc [#5634](https://github.com/inspec/inspec/pull/5634) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Fix google_project_alert_policy Examples in the docs [#5426](https://github.com/inspec/inspec/pull/5426) ([wmetaw](https://github.com/wmetaw))
|
||||||
|
- Update code to remove ruby 2.4 support [#5645](https://github.com/inspec/inspec/pull/5645) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Minor docs fixes. [#5662](https://github.com/inspec/inspec/pull/5662) ([IanMadd](https://github.com/IanMadd))
|
||||||
|
- Add rocky and almalinux to service resource [#5604](https://github.com/inspec/inspec/pull/5604) ([sspans-sbp](https://github.com/sspans-sbp))
|
||||||
|
- Change the deprecation warning to mention inputs [#5668](https://github.com/inspec/inspec/pull/5668) ([damacus](https://github.com/damacus))
|
||||||
|
- Build packages for debian 11, macos 12, windows 11/2022 [#5675](https://github.com/inspec/inspec/pull/5675) ([tas50](https://github.com/tas50))
|
||||||
|
- Fix --controls option was not working for dependent profile [#5656](https://github.com/inspec/inspec/pull/5656) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Fix opa_cli and opa_api resource unable to verify empty result {} [#5671](https://github.com/inspec/inspec/pull/5671) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
<!-- latest_stable_release -->
|
||||||
|
|
||||||
|
## [v4.41.20](https://github.com/inspec/inspec/tree/v4.41.20) (2021-09-01)
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Build fix for ruby version 2.5 - HTML Proofer gem installation error [#5610](https://github.com/inspec/inspec/pull/5610) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Fix range based filtering in filter tables [#5598](https://github.com/inspec/inspec/pull/5598) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Fix apache_conf issue when Server Root is not present in configuration [#5601](https://github.com/inspec/inspec/pull/5601) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Fix `--insecure` not working with profile [#5600](https://github.com/inspec/inspec/pull/5600) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Fix `--chef-license=accept` option to only show license accepted message [#5609](https://github.com/inspec/inspec/pull/5609) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Fix postgres_session error Unable to connect to database [#5619](https://github.com/inspec/inspec/pull/5619) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Fix merging of included conf and main conf params in apache conf [#5623](https://github.com/inspec/inspec/pull/5623) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Add aliyun3 support to service resource [#5578](https://github.com/inspec/inspec/pull/5578) ([elsnepal](https://github.com/elsnepal))
|
||||||
|
- Fedora runtime support documented [#5628](https://github.com/inspec/inspec/pull/5628) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Updated inspec-aws git url to replace branch to master to main [#5637](https://github.com/inspec/inspec/pull/5637) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Replace use of wmic from security_identifier resource as it will be deprecated soon [#5636](https://github.com/inspec/inspec/pull/5636) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Updated security_policy resource docs [#5633](https://github.com/inspec/inspec/pull/5633) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Added info about the Minitest framework in contributing doc [#5630](https://github.com/inspec/inspec/pull/5630) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Fix for security_policy resource does not return array for local groups [#5629](https://github.com/inspec/inspec/pull/5629) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Proposed implementation for installation warnings [#5625](https://github.com/inspec/inspec/pull/5625) ([tecracer-theinen](https://github.com/tecracer-theinen))
|
||||||
|
- Update location of default branch for omnibus and omnibus-software [#5648](https://github.com/inspec/inspec/pull/5648) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
- Fix url fetcher when default git profile branch is not master [#5638](https://github.com/inspec/inspec/pull/5638) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Fix tags processing issue in profiles [#5643](https://github.com/inspec/inspec/pull/5643) ([Nik08](https://github.com/Nik08))
|
||||||
|
|
||||||
|
## [v4.41.2](https://github.com/inspec/inspec/tree/v4.41.2) (2021-08-16)
|
||||||
|
|
||||||
|
#### New Features
|
||||||
|
- Add support for OPA: add resource opa_cli and opa_api [#5592](https://github.com/inspec/inspec/pull/5592) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
|
||||||
|
#### Bug Fixes
|
||||||
|
- Pin mongo gem to 2.13.2 to avoid broken symlink [#5615](https://github.com/inspec/inspec/pull/5615) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Add mongodb_session resource and docs. [#5572](https://github.com/inspec/inspec/pull/5572) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Filter active controls in profile by tags [#5596](https://github.com/inspec/inspec/pull/5596) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Remove empty .gitmodules file [#5616](https://github.com/inspec/inspec/pull/5616) ([tduffield](https://github.com/tduffield))
|
||||||
|
- Fix the typo in documentation file for opa_api resource [#5608](https://github.com/inspec/inspec/pull/5608) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
|
||||||
|
## [v4.38.9](https://github.com/inspec/inspec/tree/v4.38.9) (2021-07-22)
|
||||||
|
|
||||||
|
#### Enhancements
|
||||||
|
- Remove default port for mssql_session, allowing named connections [#5584](https://github.com/inspec/inspec/pull/5584) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Update postgresql resources to normalize it for platform supports [#5576](https://github.com/inspec/inspec/pull/5576) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Waiver file expiration dates misinterpretation fix [#5586](https://github.com/inspec/inspec/pull/5586) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Need to back out x25519 gem as its causing issues for ssh [#5590](https://github.com/inspec/inspec/pull/5590) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Use ruby 2.7.4 [#5602](https://github.com/inspec/inspec/pull/5602) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
- Remove mention of AWS tests from README [#5603](https://github.com/inspec/inspec/pull/5603) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
|
||||||
|
## [v4.38.3](https://github.com/inspec/inspec/tree/v4.38.3) (2021-07-02)
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Add support for mongodb_conf resource in InSpec [#5562](https://github.com/inspec/inspec/pull/5562) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Fix AWS secret key environment variable name in docs [#5566](https://github.com/inspec/inspec/pull/5566) ([sandratiffin](https://github.com/sandratiffin))
|
||||||
|
- Fix relative links [#5556](https://github.com/inspec/inspec/pull/5556) ([IanMadd](https://github.com/IanMadd))
|
||||||
|
- Misc updates to the README [#5526](https://github.com/inspec/inspec/pull/5526) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
|
||||||
|
## [v4.37.30](https://github.com/inspec/inspec/tree/v4.37.30) (2021-06-16)
|
||||||
|
|
||||||
|
#### Bug Fixes
|
||||||
|
- Include x25519 KEX module in omnibus build [#5563](https://github.com/inspec/inspec/pull/5563) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Minor MD reformatting for dev-docs page [#5550](https://github.com/inspec/inspec/pull/5550) ([IanMadd](https://github.com/IanMadd))
|
||||||
|
- Fix mysql_session resource to raise exception if there is a error in connection or in query [#5551](https://github.com/inspec/inspec/pull/5551) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Fix postgres_session resource to raise exception if there is a error in connection or in query [#5553](https://github.com/inspec/inspec/pull/5553) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Restrict x25519 gem to x86 architectures [#5564](https://github.com/inspec/inspec/pull/5564) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
|
||||||
|
## [v4.37.25](https://github.com/inspec/inspec/tree/v4.37.25) (2021-06-10)
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- sshd_config is for daemon, not client - typo [#5549](https://github.com/inspec/inspec/pull/5549) ([jblaine](https://github.com/jblaine))
|
||||||
|
- Fix related to loading dependent profiles from a profile in shell [#5547](https://github.com/inspec/inspec/pull/5547) ([Nik08](https://github.com/Nik08))
|
||||||
|
|
||||||
|
## [v4.37.23](https://github.com/inspec/inspec/tree/v4.37.23) (2021-06-03)
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Update inspec init plugin [#5536](https://github.com/inspec/inspec/pull/5536) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Removed support for compliance and a1 server from InSpec compliance [#5534](https://github.com/inspec/inspec/pull/5534) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Add Ubuntu to list of FIPS platforms [#5533](https://github.com/inspec/inspec/pull/5533) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
|
||||||
|
## [v4.37.20](https://github.com/inspec/inspec/tree/v4.37.20) (2021-05-26)
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Added new automate doc link for login tokens in `inspec automate login --help` command [#5529](https://github.com/inspec/inspec/pull/5529) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Bugfix for `inspec detect --no-color` to not return colourful output [#5530](https://github.com/inspec/inspec/pull/5530) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Drop EOL Ubuntu 16.04, build on 18.04 [#5532](https://github.com/inspec/inspec/pull/5532) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
|
||||||
|
## [v4.37.17](https://github.com/inspec/inspec/tree/v4.37.17) (2021-05-20)
|
||||||
|
|
||||||
|
#### Enhancements
|
||||||
|
- Fix for port resource performance: adding more specific search while using ss command [#5522](https://github.com/inspec/inspec/pull/5522) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Fix the lint and failing test for windows_feature resource [#5524](https://github.com/inspec/inspec/pull/5524) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Support zfs_pool and zfs_dataset resources on Linux. Handled #5075 [#5523](https://github.com/inspec/inspec/pull/5523) ([kannanr](https://github.com/kannanr))
|
||||||
|
- Add basic docs for toml resource [#5514](https://github.com/inspec/inspec/pull/5514) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
- Add CI-CD docs [#5489](https://github.com/inspec/inspec/pull/5489) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
- Add explicit RHEL8 builders to omnibus build [#5527](https://github.com/inspec/inspec/pull/5527) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
- Changes returns nil on file non-existence through matcher `more_permissive_than` [#5519](https://github.com/inspec/inspec/pull/5519) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Update control-eval Readme docs. [#5516](https://github.com/inspec/inspec/pull/5516) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Added Common Errors page doc [#5517](https://github.com/inspec/inspec/pull/5517) ([Nik08](https://github.com/Nik08))
|
||||||
|
|
||||||
|
## [v4.37.8](https://github.com/inspec/inspec/tree/v4.37.8) (2021-05-12)
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Update `bond0` example to use params properly [#5518](https://github.com/inspec/inspec/pull/5518) ([gscho](https://github.com/gscho))
|
||||||
|
- HTTP resource response body coerced into UTF-8 [#5510](https://github.com/inspec/inspec/pull/5510) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Fixed `automate login` fake feedback on failure [#5509](https://github.com/inspec/inspec/pull/5509) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Document auxiliary reporter options on the reporter docs page [#5504](https://github.com/inspec/inspec/pull/5504) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
- Update chefstyle requirement from ~> 1.7.1 to ~> 2.0.3 [#5508](https://github.com/inspec/inspec/pull/5508) ([dependabot[bot]](https://github.com/dependabot[bot]))
|
||||||
|
- Update Hugo and correct how build previews are generated [#5507](https://github.com/inspec/inspec/pull/5507) ([IanMadd](https://github.com/IanMadd))
|
||||||
|
- Modified windows_feature to indicate enabled rather than just available [#5506](https://github.com/inspec/inspec/pull/5506) ([jwdean](https://github.com/jwdean))
|
||||||
|
- Remove outdated instructions about testing AWS and Azure resources [#5499](https://github.com/inspec/inspec/pull/5499) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
|
||||||
|
## [v4.37.0](https://github.com/inspec/inspec/tree/v4.37.0) (2021-05-05)
|
||||||
|
|
||||||
|
#### Enhancements
|
||||||
|
- Reinstate resource testing on supported platforms using Test-Kitchen [#5204](https://github.com/inspec/inspec/pull/5204) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
|
||||||
|
#### Bug Fixes
|
||||||
|
- Fix : windows_firewall_rule fails to validate more than 1 rule depending on how it's executed [#5502](https://github.com/inspec/inspec/pull/5502) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Update openssl to 1.1.1k on macos [#5493](https://github.com/inspec/inspec/pull/5493) ([tas50](https://github.com/tas50))
|
||||||
|
- Update Ruby in omnibus packages to 2.7.3 [#5492](https://github.com/inspec/inspec/pull/5492) ([tas50](https://github.com/tas50))
|
||||||
|
- Make sure we use chef-telemetry 1.0.8+ [#5491](https://github.com/inspec/inspec/pull/5491) ([tas50](https://github.com/tas50))
|
||||||
|
- Upgrade to GitHub-native Dependabot [#5488](https://github.com/inspec/inspec/pull/5488) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot]))
|
||||||
|
- Fixes for the integration-resources pipeline [#5501](https://github.com/inspec/inspec/pull/5501) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
- Fix bad link [#5498](https://github.com/inspec/inspec/pull/5498) ([IanMadd](https://github.com/IanMadd))
|
||||||
|
- Fix undefined method `+' for nil:NilClass\n\nProfile: - when using profile dependencies and require_controls [#5487](https://github.com/inspec/inspec/pull/5487) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Remove coverage testing [#5500](https://github.com/inspec/inspec/pull/5500) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
- Added alias command `automate` for `inspec compliance` [#5490](https://github.com/inspec/inspec/pull/5490) ([Nik08](https://github.com/Nik08))
|
||||||
|
|
||||||
|
## [v4.36.4](https://github.com/inspec/inspec/tree/v4.36.4) (2021-04-29)
|
||||||
|
|
||||||
|
#### New Features
|
||||||
|
- Add selinux resource with basic feature support [#5458](https://github.com/inspec/inspec/pull/5458) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- New input option `pattern` added for DSL and metadata inputs [#5466](https://github.com/inspec/inspec/pull/5466) ([Nik08](https://github.com/Nik08))
|
||||||
|
|
||||||
|
#### Enhancements
|
||||||
|
- Add selinux resource support for modules and booleans [#5463](https://github.com/inspec/inspec/pull/5463) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
|
||||||
|
#### Bug Fixes
|
||||||
|
- Fix for group resource when member does not exist [#5470](https://github.com/inspec/inspec/pull/5470) ([Nik08](https://github.com/Nik08))
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Update faraday requirement from >= 0.9.0, < 1.4 to >= 0.9.0, < 1.5 [#5469](https://github.com/inspec/inspec/pull/5469) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot]))
|
||||||
|
- Minor fix - Method expected to return boolean but it was returning nil if condition check fails [#5480](https://github.com/inspec/inspec/pull/5480) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- updating Gemfile to support environment variables [#5485](https://github.com/inspec/inspec/pull/5485) ([jayashrig158](https://github.com/jayashrig158))
|
||||||
|
- Group & Groups doc updated - about using local and etc groups [#5483](https://github.com/inspec/inspec/pull/5483) ([Nik08](https://github.com/Nik08))
|
||||||
|
- Added new property `members_array` for group & groups resources. [#5479](https://github.com/inspec/inspec/pull/5479) ([Nik08](https://github.com/Nik08))
|
||||||
|
|
||||||
|
## [v4.33.1](https://github.com/inspec/inspec/tree/v4.33.1) (2021-04-21)
|
||||||
|
|
||||||
|
#### New Features
|
||||||
|
- Optionally include controls source code in CLI reporter [#5465](https://github.com/inspec/inspec/pull/5465) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Update postgres_ident_conf.md [#5461](https://github.com/inspec/inspec/pull/5461) ([tobiasbp](https://github.com/tobiasbp))
|
||||||
|
- Remove default of 3600 seconds for command timeout [#5472](https://github.com/inspec/inspec/pull/5472) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
|
||||||
|
## [v4.32.0](https://github.com/inspec/inspec/tree/v4.32.0) (2021-04-14)
|
||||||
|
|
||||||
|
#### New Features
|
||||||
|
- Added ability to pass inputs to InSpec shell using input file and cli [#5452](https://github.com/inspec/inspec/pull/5452) ([Nik08](https://github.com/Nik08))
|
||||||
|
|
||||||
|
## [v4.31.1](https://github.com/inspec/inspec/tree/v4.31.1) (2021-04-08)
|
||||||
|
|
||||||
|
#### Bug Fixes
|
||||||
|
- Use default command timeout value if timeout is 0 [#5455](https://github.com/inspec/inspec/pull/5455) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
|
||||||
|
## [v4.31.0](https://github.com/inspec/inspec/tree/v4.31.0) (2021-04-07)
|
||||||
|
|
||||||
|
#### New Features
|
||||||
|
- Add --docker-url CLI option [#5445](https://github.com/inspec/inspec/pull/5445) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
|
||||||
|
#### Merged Pull Requests
|
||||||
|
- Fix for Deprecation warning and FilterTable::ExceptionCatcher to show exact failure message. [#5441](https://github.com/inspec/inspec/pull/5441) ([Vasu1105](https://github.com/Vasu1105))
|
||||||
|
- Update inputs.md [#5449](https://github.com/inspec/inspec/pull/5449) ([IanMadd](https://github.com/IanMadd))
|
||||||
|
- Add timeout option to command resource [#5443](https://github.com/inspec/inspec/pull/5443) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
|
- Update platforms doc [#5442](https://github.com/inspec/inspec/pull/5442) ([IanMadd](https://github.com/IanMadd))
|
||||||
|
- Bug fix for loading hashmap inputs consistently [#5446](https://github.com/inspec/inspec/pull/5446) ([Nik08](https://github.com/Nik08))
|
||||||
|
|
||||||
## [v4.29.3](https://github.com/inspec/inspec/tree/v4.29.3) (2021-03-25)
|
## [v4.29.3](https://github.com/inspec/inspec/tree/v4.29.3) (2021-03-25)
|
||||||
|
|
||||||
#### Bug Fixes
|
#### Bug Fixes
|
||||||
|
@ -31,7 +259,6 @@
|
||||||
- Update codeowners for docs [#5440](https://github.com/inspec/inspec/pull/5440) ([IanMadd](https://github.com/IanMadd))
|
- Update codeowners for docs [#5440](https://github.com/inspec/inspec/pull/5440) ([IanMadd](https://github.com/IanMadd))
|
||||||
- Improve resource page menu titles [#5439](https://github.com/inspec/inspec/pull/5439) ([IanMadd](https://github.com/IanMadd))
|
- Improve resource page menu titles [#5439](https://github.com/inspec/inspec/pull/5439) ([IanMadd](https://github.com/IanMadd))
|
||||||
- Add m1 support to MacOS build list [#5432](https://github.com/inspec/inspec/pull/5432) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
- Add m1 support to MacOS build list [#5432](https://github.com/inspec/inspec/pull/5432) ([clintoncwolfe](https://github.com/clintoncwolfe))
|
||||||
<!-- latest_stable_release -->
|
|
||||||
|
|
||||||
## [v4.28.0](https://github.com/inspec/inspec/tree/v4.28.0) (2021-03-17)
|
## [v4.28.0](https://github.com/inspec/inspec/tree/v4.28.0) (2021-03-17)
|
||||||
|
|
||||||
|
|
|
@ -26,7 +26,7 @@ We have a 3 step process for contributions:
|
||||||
Chef Projects are built to last. We strive to ensure high quality throughout the experience. In order to ensure this, we require that all pull requests to Chef projects meet these specifications:
|
Chef Projects are built to last. We strive to ensure high quality throughout the experience. In order to ensure this, we require that all pull requests to Chef projects meet these specifications:
|
||||||
|
|
||||||
1. **Tests:** To ensure high quality code and protect against future regressions, we require all the code in Chef Projects to have at least unit test coverage. See the [test/unit](https://github.com/inspec/inspec/tree/master/test/unit)
|
1. **Tests:** To ensure high quality code and protect against future regressions, we require all the code in Chef Projects to have at least unit test coverage. See the [test/unit](https://github.com/inspec/inspec/tree/master/test/unit)
|
||||||
directory for the existing tests and use ```bundle exec rake test``` to run them.
|
directory for the existing tests and use ```bundle exec rake test``` to run them. It should be good to know InSpec uses [minitest](https://github.com/seattlerb/minitest) as a testing framework.
|
||||||
2. **Green CI Tests:** We use [Travis CI](https://travis-ci.org/) and/or [AppVeyor](https://www.appveyor.com/) CI systems to test all pull requests. We require these test runs to succeed on every pull request before being merged.
|
2. **Green CI Tests:** We use [Travis CI](https://travis-ci.org/) and/or [AppVeyor](https://www.appveyor.com/) CI systems to test all pull requests. We require these test runs to succeed on every pull request before being merged.
|
||||||
3. **Up-to-date Documentation:** Every code change should be reflected in an update for our [documentation](https://github.com/inspec/inspec/tree/master/docs-chef-io). We expect PRs to update the documentation with the code change.
|
3. **Up-to-date Documentation:** Every code change should be reflected in an update for our [documentation](https://github.com/inspec/inspec/tree/master/docs-chef-io). We expect PRs to update the documentation with the code change.
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
FROM ubuntu:18.04
|
FROM ubuntu:18.04
|
||||||
LABEL maintainer="Chef Software, Inc. <docker@chef.io>"
|
LABEL maintainer="Chef Software, Inc. <docker@chef.io>"
|
||||||
|
|
||||||
ARG VERSION=4.29.3
|
ARG VERSION=4.46.13
|
||||||
ARG CHANNEL=stable
|
ARG CHANNEL=stable
|
||||||
|
|
||||||
ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||||
|
|
22
Gemfile
22
Gemfile
|
@ -28,9 +28,13 @@ group :omnibus do
|
||||||
end
|
end
|
||||||
|
|
||||||
group :test do
|
group :test do
|
||||||
gem "chefstyle", "~> 1.7.1"
|
gem "chefstyle", "~> 2.0.3"
|
||||||
gem "concurrent-ruby", "~> 1.0"
|
gem "concurrent-ruby", "~> 1.0"
|
||||||
gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
|
if Gem.ruby_version.to_s.start_with?("2.5")
|
||||||
|
gem "html-proofer", "= 3.19.1" , platforms: :ruby # do not attempt to run proofer on windows
|
||||||
|
else
|
||||||
|
gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows
|
||||||
|
end
|
||||||
gem "json_schemer", ">= 0.2.1", "< 0.2.19"
|
gem "json_schemer", ">= 0.2.1", "< 0.2.19"
|
||||||
gem "m"
|
gem "m"
|
||||||
gem "minitest-sprint", "~> 1.0"
|
gem "minitest-sprint", "~> 1.0"
|
||||||
|
@ -48,3 +52,17 @@ end
|
||||||
group :deploy do
|
group :deploy do
|
||||||
gem "inquirer"
|
gem "inquirer"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Only include Test Kitchen support if we are on Ruby 2.7 or higher
|
||||||
|
# as chef-zero support requires Ruby 2.6
|
||||||
|
# See https://github.com/inspec/inspec/pull/5341
|
||||||
|
if Gem.ruby_version >= Gem::Version.new("2.7.0")
|
||||||
|
group :kitchen do
|
||||||
|
gem "berkshelf"
|
||||||
|
gem "chef", ">= 16.0" # Required to allow net-ssh > 6
|
||||||
|
gem "test-kitchen", ">= 2.8"
|
||||||
|
gem "kitchen-inspec", ">= 2.0"
|
||||||
|
gem "kitchen-dokken", ">= 2.11"
|
||||||
|
gem "git"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
80
README.md
80
README.md
|
@ -78,7 +78,9 @@ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
|
||||||
|
|
||||||
### Install it via rubygems.org
|
### Install it via rubygems.org
|
||||||
|
|
||||||
When installing from source, gem dependencies may require ruby build tools to be installed.
|
Installing Chef InSpec from source may require installing ruby build tools to manage gem dependencies. (A compiler-free variant is available with reduced functionality; use `inspec-core-bin` and `inspec-core`.)
|
||||||
|
|
||||||
|
To install build tools, use your package manager.
|
||||||
|
|
||||||
For CentOS/RedHat/Fedora:
|
For CentOS/RedHat/Fedora:
|
||||||
|
|
||||||
|
@ -177,17 +179,18 @@ You should now be able to run:
|
||||||
```bash
|
```bash
|
||||||
$ inspec --help
|
$ inspec --help
|
||||||
Commands:
|
Commands:
|
||||||
inspec archive PATH # archive a profile to tar.gz (default) ...
|
inspec archive PATH # archive a profile to tar.gz (default) ...
|
||||||
inspec check PATH # verify all tests at the specified PATH
|
inspec check PATH # verify all tests at the specified PATH
|
||||||
inspec compliance SUBCOMMAND ... # Chef Compliance commands
|
inspec automate SUBCOMMAND ... # Chef Automate commands
|
||||||
inspec detect # detect the target OS
|
inspec compliance SUBCOMMAND ... # Chef Automate commands (backwards compatible alias)
|
||||||
inspec exec PATH(S) # run all test files at the specified PATH.
|
inspec detect # detect the target OS
|
||||||
inspec help [COMMAND] # Describe available commands or one spe...
|
inspec exec PATH(S) # run all test files at the specified PATH.
|
||||||
inspec init TEMPLATE ... # Scaffolds a new project
|
inspec help [COMMAND] # Describe available commands or one spe...
|
||||||
inspec json PATH # read all tests in PATH and generate a ...
|
inspec init TEMPLATE ... # Scaffolds a new project
|
||||||
inspec shell # open an interactive debugging shell
|
inspec json PATH # read all tests in PATH and generate a ...
|
||||||
inspec supermarket SUBCOMMAND ... # Supermarket commands
|
inspec shell # open an interactive debugging shell
|
||||||
inspec version # prints the version of this tool
|
inspec supermarket SUBCOMMAND ... # Supermarket commands
|
||||||
|
inspec version # prints the version of this tool
|
||||||
|
|
||||||
Options:
|
Options:
|
||||||
[--diagnose], [--no-diagnose] # Show diagnostics (versions, configurations)
|
[--diagnose], [--no-diagnose] # Show diagnostics (versions, configurations)
|
||||||
|
@ -208,14 +211,6 @@ describe port(443) do
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
* Use approved strong ciphers - This test ensures that only enterprise-compliant ciphers are used for SSH servers.
|
|
||||||
|
|
||||||
```ruby
|
|
||||||
describe sshd_config do
|
|
||||||
its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
|
|
||||||
end
|
|
||||||
```
|
|
||||||
|
|
||||||
* Test your `kitchen.yml` file to verify that only Vagrant is configured as the driver. The %w() formatting will
|
* Test your `kitchen.yml` file to verify that only Vagrant is configured as the driver. The %w() formatting will
|
||||||
pass rubocop linting and allow you to access nested mappings.
|
pass rubocop linting and allow you to access nested mappings.
|
||||||
|
|
||||||
|
@ -337,6 +332,7 @@ In addition, runtime support is provided for:
|
||||||
| macOS | 10.14+ | x86_64 |
|
| macOS | 10.14+ | x86_64 |
|
||||||
| Debian | 9, 10 | x86_64 |
|
| Debian | 9, 10 | x86_64 |
|
||||||
| RHEL | 6, 7, 8 | x86_64 |
|
| RHEL | 6, 7, 8 | x86_64 |
|
||||||
|
| Fedora | 29+ | x86_64 |
|
||||||
| Ubuntu | 16.04+ | x86_64 |
|
| Ubuntu | 16.04+ | x86_64 |
|
||||||
| Windows | 8+ | x86_64 |
|
| Windows | 8+ | x86_64 |
|
||||||
| Windows | 2012+ | x86_64 |
|
| Windows | 2012+ | x86_64 |
|
||||||
|
@ -365,6 +361,8 @@ You may also [browse the Supermarket for shared Compliance Profiles](https://sup
|
||||||
|
|
||||||
## Kudos
|
## Kudos
|
||||||
|
|
||||||
|
Chef InSpec was originally created by Christoph Hartmann ([@chris-rock](https://github.com/chris-rock)) and Dominik Richter ([@arlimus](https://github.com/arlimus)).
|
||||||
|
|
||||||
Chef InSpec is inspired by the wonderful [Serverspec](http://serverspec.org) project. Kudos to [mizzy](https://github.com/mizzy) and [all contributors](https://github.com/mizzy/serverspec/graphs/contributors)!
|
Chef InSpec is inspired by the wonderful [Serverspec](http://serverspec.org) project. Kudos to [mizzy](https://github.com/mizzy) and [all contributors](https://github.com/mizzy/serverspec/graphs/contributors)!
|
||||||
|
|
||||||
The AWS resources were inspired by [inspec-aws](https://github.com/arothian/inspec-aws) from [arothian](https://github.com/arothian).
|
The AWS resources were inspired by [inspec-aws](https://github.com/arothian/inspec-aws) from [arothian](https://github.com/arothian).
|
||||||
|
@ -387,11 +385,10 @@ As a reminder, all participants are expected to follow the [Code of Conduct](htt
|
||||||
|
|
||||||
## Testing Chef InSpec
|
## Testing Chef InSpec
|
||||||
|
|
||||||
We offer `unit`, `integration`, and `aws` tests.
|
We offer `unit` and `integration` tests.
|
||||||
|
|
||||||
- `unit` tests ensure the intended behaviour of the implementation
|
- `unit` tests ensure the intended behaviour of the implementation
|
||||||
- `integration` tests run against Docker-based VMs via test-kitchen and [kitchen-inspec](https://github.com/chef/kitchen-inspec)
|
- `integration` tests run against Docker-based VMs via test-kitchen and [kitchen-inspec](https://github.com/chef/kitchen-inspec)
|
||||||
- `aws` tests exercise the AWS resources against real AWS accounts
|
|
||||||
|
|
||||||
### Unit tests
|
### Unit tests
|
||||||
|
|
||||||
|
@ -430,42 +427,35 @@ In addition, these test require Docker to be available on your machine or a remo
|
||||||
List the various test instances available:
|
List the various test instances available:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
bundle exec kitchen list
|
KITCHEN_YAML=kitchen.dokken.yml bundle exec kitchen list
|
||||||
```
|
```
|
||||||
|
|
||||||
The platforms and test suites are configured in the `.kitchen.yml` file. Once you know which instance you wish to test, test that instance:
|
The platforms and test suites are configured in the `kitchen.dokken.yml` file. Once you know which instance you wish to test, test that instance:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
bundle exec kitchen test <INSTANCE_NAME>
|
KITCHEN_YAML=kitchen.dokken.yml bundle exec kitchen test <INSTANCE_NAME>
|
||||||
```
|
```
|
||||||
|
|
||||||
You may test all instances in parallel with:
|
You may test all instances in parallel with:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
bundle exec kitchen test -c
|
KITCHEN_YAML=kitchen.dokken.yml bundle exec kitchen test -c 3
|
||||||
```
|
```
|
||||||
|
|
||||||
### AWS Tests
|
|
||||||
|
|
||||||
Use the rake task `bundle exec rake test:aws` to test the AWS resources against a pair of real AWS accounts.
|
|
||||||
|
|
||||||
Please see [TESTING_AGAINST_AWS.md](./test/integration/aws/TESTING_AGAINST_AWS.md) for details on how to setup the needed AWS accounts to perform testing.
|
|
||||||
|
|
||||||
### Azure Tests
|
|
||||||
|
|
||||||
Use the rake task `bundle exec rake test:azure` to test the Azure resources against an Azure account.
|
|
||||||
|
|
||||||
Please see [TESTING_AGAINST_AZURE.md](./test/integration/azure/TESTING_AGAINST_AZURE.md) for details on how to setup the needed Azure accounts to perform testing.
|
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
| | |
|
| | |
|
||||||
| -------------- | ----------------------------------------- |
|
| -------------- | ---------------------------------------------- |
|
||||||
| **Author:** | Dominik Richter (<drichter@chef.io>) |
|
| **Author:** | Dominik Richter (<drichter@chef.io>) |
|
||||||
| **Author:** | Christoph Hartmann (<chartmann@chef.io>) |
|
| **Author:** | Christoph Hartmann (<chartmann@chef.io>) |
|
||||||
| **Copyright:** | Copyright (c) 2015 Vulcano Security GmbH. |
|
| **Copyright:** | Copyright (c) 2015 Vulcano Security GmbH. |
|
||||||
| **Copyright:** | Copyright (c) 2017-2018 Chef Software Inc.|
|
| **Copyright:** | Copyright (c) 2017-2020 Chef Software Inc. |
|
||||||
| **License:** | Apache License, Version 2.0 |
|
| **Copyright:** | Copyright (c) 2020-2021 Progress Software Corp.|
|
||||||
|
| **License:** | Apache License, Version 2.0 |
|
||||||
|
| **License:** | Chef End User License Agreement |
|
||||||
|
|
||||||
|
Chef InSpec is distributed under the Apache License, Version 2.0.
|
||||||
|
Permission to use the software is governed by the [Chef EULA](https://docs.chef.io/chef_license_accept.html).
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
|
|
4
Rakefile
4
Rakefile
|
@ -255,14 +255,14 @@ namespace :test do
|
||||||
# Inject a prerequisite task
|
# Inject a prerequisite task
|
||||||
task unit: [:accept_license]
|
task unit: [:accept_license]
|
||||||
|
|
||||||
task :integration, [:os] do |task, args|
|
task :kitchen, [:os] do |task, args|
|
||||||
concurrency = ENV["CONCURRENCY"] || 1
|
concurrency = ENV["CONCURRENCY"] || 1
|
||||||
os = args[:os] || ENV["OS"] || ""
|
os = args[:os] || ENV["OS"] || ""
|
||||||
ENV["DOCKER"] = "true" if ENV["docker"].nil?
|
ENV["DOCKER"] = "true" if ENV["docker"].nil?
|
||||||
sh("bundle exec kitchen test -c #{concurrency} #{os}")
|
sh("bundle exec kitchen test -c #{concurrency} #{os}")
|
||||||
end
|
end
|
||||||
# Inject a prerequisite task
|
# Inject a prerequisite task
|
||||||
task integration: [:accept_license]
|
task kitchen: [:accept_license]
|
||||||
|
|
||||||
task :ssh, [:target] do |_t, args|
|
task :ssh, [:target] do |_t, args|
|
||||||
tests_path = File.join(File.dirname(__FILE__), "test", "integration", "test", "integration", "default")
|
tests_path = File.join(File.dirname(__FILE__), "test", "integration", "test", "integration", "default")
|
||||||
|
|
2
VERSION
2
VERSION
|
@ -1 +1 @@
|
||||||
4.30.0
|
4.47.8
|
133
dev-docs/ci-cd.md
Normal file
133
dev-docs/ci-cd.md
Normal file
|
@ -0,0 +1,133 @@
|
||||||
|
# About InSpec's Continuous Integration and Continuous Delivery Setup
|
||||||
|
|
||||||
|
## Major Components
|
||||||
|
|
||||||
|
### Expeditor
|
||||||
|
|
||||||
|
[Expeditor](https://expeditor.chef.io/) is the main coordinator of all CI-CD activity at Chef. It is configured through a [YAML file](https://github.com/inspec/inspec/blob/master/.expeditor/config.yml).
|
||||||
|
|
||||||
|
### BuildKite
|
||||||
|
|
||||||
|
[Buildkite](https://buildkite.com/chef) is the engine that actually executes all of the tests and builds for InSpec. While Buildkite coordinates all of the work, the actual infrastructure is managed by Chef in a variety of locations, including various clouds and datacenters.
|
||||||
|
|
||||||
|
Buildkite is divided into two orgs, [Chef](https://buildkite.com/chef) and [Chef-OSS](https://buildkite.com/chef-oss) (Open Source Software). Chef is private and Chef-OSS is public.
|
||||||
|
|
||||||
|
You will need to have an account on BuildKite and be a member of both orgs to fully utilize the system.
|
||||||
|
|
||||||
|
### Rakefile
|
||||||
|
|
||||||
|
The [Rakefile](https://github.com/inspec/inspec/blob/master/Rakefile) defines the tests harness to be run. Most of the test scripts come down to executing "rake test" or similar.
|
||||||
|
|
||||||
|
### Omnibus
|
||||||
|
|
||||||
|
Omnibus is a system for building OS-specific packages of software, including all dependencies including Ruby runtimes. We use Omnibus to make RPMs, DEBs, MSIs, DMGs, and several other OS-specific formats that deploy inspec and its dependencies natively to the OS.
|
||||||
|
|
||||||
|
The omnibus configuration for InSpec is stored at https://github.com/inspec/inspec/tree/master/omnibus and the main configuration file is [inspec.rb](https://github.com/inspec/inspec/blob/master/omnibus/config/projects/inspec.rb).
|
||||||
|
|
||||||
|
### Rubygems
|
||||||
|
|
||||||
|
InSpec is published as a set of 4 gems - inspec, inspec-core, inspec-bin, and inspec-core-bin. When we release a new version to the public (a process we call "promotion" and typically happens on Wednesdays), we publish to rubygems.org.
|
||||||
|
|
||||||
|
Rubygems are configured by declaring them in the expeditor configuration file in the `rubygems` section.
|
||||||
|
|
||||||
|
### Artifactory
|
||||||
|
|
||||||
|
Artifactory stores build artifacts (such as RPMs, MSIs, and gems) on a temporary basis. Artifactory is protected by the Progress VPN. [Artifactory inspec package search](http://artifactory.chef.co/ui/packages?name=inspec&type=packages).
|
||||||
|
|
||||||
|
## What Happens when...
|
||||||
|
|
||||||
|
### A PR is opened
|
||||||
|
|
||||||
|
When a PR is opened, the subscription [workload: pull_request_opened:{{agent_id}}:*](https://github.com/inspec/inspec/blob/cb2abf2e10906bba4df24b2ed18ec51b0931eff2/.expeditor/config.yml#L173) is activated. In addition, several defaults also apply.
|
||||||
|
|
||||||
|
One default pipeline that gets activated is the Buildkite [master verify pipeline](https://buildkite.com/chef-oss/inspec-inspec-master-verify). This default is documented [here](https://expeditor.chef.io/docs/pipelines/verify/).
|
||||||
|
|
||||||
|
#### verify pipeline
|
||||||
|
|
||||||
|
The verify pipeline runs the linter, the unit tests, and the functional tests. It verifies that the code being submitted is sound.
|
||||||
|
|
||||||
|
The verify pipeline is defined first in the [verify.pipeline.yml](https://github.com/inspec/inspec/blob/master/.expeditor/verify.pipeline.yml) file, which defines the separate Ruby versions, platforms, and environment variables to be passed to each one. Each runner calls a shell script, either [verify.sh](https://github.com/inspec/inspec/blob/master/.expeditor/buildkite/verify.sh) or [verify.ps1](https://github.com/inspec/inspec/blob/master/.expeditor/buildkite/verify.ps1). These scripts are thin wrappers that install Bundler dependencies from a cache, then call into the Rakefile.
|
||||||
|
|
||||||
|
#### habitat artifact pipeline
|
||||||
|
|
||||||
|
The habitat artifact pipeline runs a smoke test to verify that the habitat build of inspec is valid.
|
||||||
|
|
||||||
|
The habitat artifact pipeline is defined first in the [artifact.habitat.yml](https://github.com/inspec/inspec/blob/master/.expeditor/artifact.habitat.yml) file. It simply defines a linux runner and a windows runner, each with a dedicated script, [artifact.habitat.test.sh](https://github.com/inspec/inspec/blob/master/.expeditor/buildkite/artifact.habitat.test.sh) or [artifact.habitat.test.ps1](https://github.com/inspec/inspec/blob/master/.expeditor/buildkite/artifact.habitat.test.ps1). The scripts install habitat, setup an origin key, build the package, and then run a [Rakefile](https://github.com/inspec/inspec/blob/master/test/artifact/Rakefile)
|
||||||
|
|
||||||
|
|
||||||
|
### A PR is merged
|
||||||
|
|
||||||
|
When a PR is merged, the Expeditor actions under `merge_actions` are executed.
|
||||||
|
|
||||||
|
Watch the Slack channel #inspec-notify for messages about the success or failure of various steps.
|
||||||
|
|
||||||
|
Connect to the Progress VPN to fetch Expeditor logs in the event of a failure.
|
||||||
|
|
||||||
|
#### Version Bumping
|
||||||
|
|
||||||
|
This is controlled by the `built_in:bump_version` and `bash:.expeditor/update_version.sh` subscriptions.
|
||||||
|
|
||||||
|
If there are no GitHub labels on the PR, the patchlevel of the version will be bumped by executing the [.expeditor/update_version.sh](https://github.com/inspec/inspec/blob/master/.expeditor/update_version.sh) script. First the VERSION file is updated, then the script runs to update the versions in the Ruby files.
|
||||||
|
|
||||||
|
`built_in:bump_version` is in charge of bumping versions in VERSION, and is controlled by GitHub labels on the PR. Most, though not all, PRs should not have any Expeditor control labels.
|
||||||
|
|
||||||
|
Here are the Expeditor control labels, and the circumstances under which they should be used:
|
||||||
|
|
||||||
|
* Expeditor: Bump Minor Version - Use when a significant new feature is being released.
|
||||||
|
* Expeditor: Bump Major Version - Use when a major release is made - rarely used.
|
||||||
|
* Expeditor: Skip Version Bump - Use for non-code-change PRs, such as website or CI changes.
|
||||||
|
|
||||||
|
#### Build Omnibus Packages
|
||||||
|
|
||||||
|
This is controlled by the `trigger_pipeline:omnibus/release` subscription.
|
||||||
|
|
||||||
|
The Omnibus build creates operating-system-specific packages for each platform on which we release Chef InSpec. Its [expeditor configuration](https://github.com/inspec/inspec/blob/44fe144732e1e0abb2594957a880c5f1821e7774/.expeditor/config.yml#L133) drives a [Buildkite configuration](https://github.com/inspec/inspec/blob/master/.expeditor/release.omnibus.yml), which lists exactly which platforms to build.
|
||||||
|
|
||||||
|
The Omnibus build is generally reliable, if somewhat slow.
|
||||||
|
|
||||||
|
When the omnibus build succeeds, omnitruck delivers the packages to various package repos in `unstable` channels for public consumption. The packages are also delivered to [Artifactory](http://artifactory.chef.co/ui/repos/tree/General/omnibus-unstable-local%2Fcom%2Fgetchef%2Finspec) (VPN required)
|
||||||
|
|
||||||
|
#### Chef Habitat Build
|
||||||
|
|
||||||
|
The Chef Habitat build creates Habitat .hart packages for Linux and Windows. The [Expeditor configuration](https://github.com/inspec/inspec/blob/44fe144732e1e0abb2594957a880c5f1821e7774/.expeditor/config.yml#L138) drives a [Buildkite configuration](https://github.com/inspec/inspec/blob/master/.expeditor/build.habitat.yml).
|
||||||
|
|
||||||
|
When the hab build succeeds, the packages will be placed on the Hab builder in the `unstable` channel for public consumption.
|
||||||
|
|
||||||
|
#### Docker Image Built and Released
|
||||||
|
|
||||||
|
We also release a Docker image (see [expeditor config](https://github.com/inspec/inspec/blob/44fe144732e1e0abb2594957a880c5f1821e7774/.expeditor/config.yml#L150)), which contains a Linux system and Chef InSpec installed from a gem, with the ENTRYPOINT of the Docker image being `inspec` (see [Dockerfile](https://github.com/inspec/inspec/blob/master/Dockerfile)). It's a simple way to ship the dependencies of `inspec`.
|
||||||
|
|
||||||
|
When it succeeds, the Docker build is labeled as `current`.
|
||||||
|
|
||||||
|
#### Gems Built and Placed on Artifactory
|
||||||
|
|
||||||
|
The `inspec`, `inspec-bin`, `inspec-core`, and `inspec-core-bin` gems are all built and placed on the internal Chef [Artifactory](http://artifactory.chef.co/ui/packages?name=inspec&type=packages) (VPN required) server. During promotion later, they publish to rubygems.org.
|
||||||
|
|
||||||
|
The difference between the gems is as follows:
|
||||||
|
|
||||||
|
* `inspec` is a library gem, with full heavyweight dependencies, not encumbered by commercial licensing
|
||||||
|
* `inspec-bin` contains an `inspec` executable and is encumbered by commercial licensing
|
||||||
|
* `inspec-core` is a library gem, with lightweight dependencies and no compilation required at install time, and is not encumbered by commercial licensing
|
||||||
|
* `inspec-core-bin` contains an `inspec` executable and is encumbered by commercial licensing
|
||||||
|
|
||||||
|
### A release is promoted
|
||||||
|
|
||||||
|
When expeditor is told to promote a release, using the slack command `/expeditor promote inspec/inspec:master 4.36.4` (for example), Expeditor automatically promotes the Omnibus packages from the unstable channel to the stable channel, publishing them to the various downloads sites. It also creates the `artifact_published:stable` event, which has numerous [actions subscribed](https://github.com/inspec/inspec/blob/8a93f08a13d6bde8f87e447ff4246801bef80f8c/.expeditor/config.yml#L158).
|
||||||
|
|
||||||
|
Some of the more important ones:
|
||||||
|
|
||||||
|
#### Update and publish the docker image
|
||||||
|
|
||||||
|
The Dockerfile is updated - mainly to update version numbers - and then the published Docker image is tagged with the labels "stable" and "latest".
|
||||||
|
|
||||||
|
#### Rubygems are published to rubygems,org
|
||||||
|
|
||||||
|
The gems are taken from Artifactory and published to Rubygems.org. This is done using an Expeditor built-in action. The gems must be owned by the user `chef`.
|
||||||
|
|
||||||
|
#### Release notes are published
|
||||||
|
|
||||||
|
The [pending release notes](https://github.com/inspec/inspec/wiki/Pending-Release-Notes) are copied to AWS S3 by a [script](https://github.com/inspec/inspec/blob/master/.expeditor/publish-release-notes.sh), and then reset back to an empty state. Another [script](https://github.com/inspec/inspec/blob/master/.expeditor/announce-release.sh) takes the release notes from S3 and creates a post on Discourse.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -2,11 +2,13 @@
|
||||||
|
|
||||||
## Purpose
|
## Purpose
|
||||||
|
|
||||||
The `compliance` set of subcommands handle user-initiated communication with Chef Automate. The commands are provided so that a user can interact with an Automate installation.
|
The `automate` set of subcommands handle user-initiated communication with Chef Automate. The commands are provided so that a user can interact with an Automate installation.
|
||||||
|
|
||||||
`inspec compliance` is somewhat analogous to `knife` in that it can be used to upload, download, and manage profiles for distribution to other clients.
|
`inspec automate` is somewhat analogous to `knife` in that it can be used to upload, download, and manage profiles for distribution to other clients.
|
||||||
|
|
||||||
When Automate initiates scans, the `compliance` subcommand is not used.
|
When Automate initiates scans, the `automate` subcommand is not used.
|
||||||
|
|
||||||
|
`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way
|
||||||
|
|
||||||
## Operational Notes
|
## Operational Notes
|
||||||
|
|
||||||
|
@ -53,7 +55,7 @@ Actual HTTP communication is handled by `InspecPlugins::Compliance::HTTP`, again
|
||||||
|
|
||||||
#### lib/http.rb
|
#### lib/http.rb
|
||||||
|
|
||||||
This is probably unneccesary. It is a wrapper around Net:HTTP. Instead, we should probably be using a REST API wrapper or something similar.
|
This is probably unnecessary. It is a wrapper around Net:HTTP. Instead, we should probably be using a REST API wrapper or something similar.
|
||||||
|
|
||||||
#### lib/support.rb
|
#### lib/support.rb
|
||||||
|
|
||||||
|
@ -65,8 +67,9 @@ There are several other minor commands not listed here - see `lib/cli.rb` for a
|
||||||
|
|
||||||
### login
|
### login
|
||||||
|
|
||||||
Saves a credentials file locally. Future invocations of `inspec compliance` use the credentials file to authenticate.
|
Saves a credentials file locally. Future invocations of `inspec automate` or `inspec compliance` use the credentials file to authenticate.
|
||||||
|
|
||||||
|
`be inspec automate login --user=admin --token='1234567890asdfghjkl' --insecure https://chef-automate.test` or
|
||||||
`be inspec compliance login --user=admin --token='1234567890asdfghjkl' --insecure https://chef-automate.test`
|
`be inspec compliance login --user=admin --token='1234567890asdfghjkl' --insecure https://chef-automate.test`
|
||||||
|
|
||||||
Here are the results of running login, from `.inspec/compliance/config.json`:
|
Here are the results of running login, from `.inspec/compliance/config.json`:
|
||||||
|
|
|
@ -6,33 +6,55 @@
|
||||||
|
|
||||||
## Tips
|
## Tips
|
||||||
|
|
||||||
* In the early days of Chef InSpec / ServerSpec, controls were called "rules". Throughout various places in the code, the word "rule" is used to mean "control". Make the mental subsitution.
|
* In the early days of Chef InSpec / ServerSpec, controls were called "rules". Throughout various places in the code, the word "rule" is used to mean "control". Make the mental substitution.
|
||||||
* Chef InSpec supports reading profiles from tarballs, local files, git repos, etc. So, don't count on local file reading; instead it uses a special source reader to obtain the contents of the files.
|
* Chef InSpec supports reading profiles from tarballs, local files, git repos, etc. So, don't count on local file reading; instead it uses a special source reader to obtain the contents of the files.
|
||||||
|
|
||||||
## The basics of the stack
|
|
||||||
|
|
||||||
#5 Inspec::Profile.collect_tests(include_list#Array) at lib/inspec/profile.rb:167
|
|
||||||
#4 Hash.each at lib/inspec/profile.rb:167
|
|
||||||
#3 block in Inspec::Profile.block in collect_tests(include_list#Array) at lib/inspec/profile.rb:170
|
|
||||||
#2 Inspec::ProfileContext.load_control_file(*args#Array) at lib/inspec/profile_context.rb:141
|
|
||||||
#1 Inspec::ProfileContext.control_eval_context at lib/inspec/profile_context.rb:58
|
|
||||||
#0 #<Class:Inspec::ControlEvalContext>.create(profile_context#Inspec::ProfileContext, resources_dsl#Module) at lib/inspec/control_eval_context.rb:41
|
|
||||||
|
|
||||||
## A profile context is created
|
## A profile context is created
|
||||||
|
|
||||||
Like many things in Chef InSpec core, a profile context is an anonymous class. (verify)
|
Profile context gets instantiated as soon as the Profile gets created.
|
||||||
|
|
||||||
Additionally, a control_eval_context is created. It is an instance of an anonymous class; it has a class<->relationship with its profile context. See `lib/inspec/control_eval_context.rb`.
|
0 Inspec::ProfileContext.initialize(profile_id#String, backend#Inspec::Backend, conf#Hash) at inspec/lib/inspec/profile_context.rb:20
|
||||||
|
ͱ-- #1 Class.new(*args) at inspec/lib/inspec/profile_context.rb:13
|
||||||
|
#2 #<Class:Inspec::ProfileContext>.for_profile(profile#Inspec::Profile, backend#Inspec::Backend) at inspec/lib/inspec/profile_context.rb:13
|
||||||
|
#3 Inspec::Profile.initialize(source_reader#SourceReaders::InspecReader, options#Hash) at inspec/lib/inspec/profile.rb:149
|
||||||
|
ͱ-- #4 Class.new(*args) at inspec/lib/inspec/profile.rb:61
|
||||||
|
#5 #<Class:Inspec::Profile>.for_path(path#String, opts#Hash) at inspec/lib/inspec/profile.rb:61
|
||||||
|
#6 #<Class:Inspec::Profile>.for_fetcher(fetcher#Inspec::CachedFetcher, config#Hash) at inspec/lib/inspec/profile.rb:68
|
||||||
|
#7 #<Class:Inspec::Profile>.for_target(target#String, opts#Hash) at inspec/lib/inspec/profile.rb:74
|
||||||
|
#8 Inspec::Runner.add_target(target#String, _opts#Array) at inspec/lib/inspec/runner.rb:198
|
||||||
|
#9 block in Inspec::InspecCLI.block in exec(*targets#Array) at inspec/lib/inspec/cli.rb:283
|
||||||
|
ͱ-- #10 Array.each at inspec/lib/inspec/cli.rb:283
|
||||||
|
#11 Inspec::InspecCLI.exec(*targets#Array) at inspec/lib/inspec/cli.rb:283
|
||||||
|
|
||||||
|
|
||||||
|
When run method of the runner gets called, it loads control [file](https://github.com/inspec/inspec/blob/master/lib/inspec/profile_context.rb#L151) which instantiates the control_eval_context object [here](https://github.com/inspec/inspec/blob/master/lib/inspec/profile_context.rb#L61) and creates dsl, and the adds profile_context as dsl class methods [here](https://github.com/inspec/inspec/blob/master/lib/inspec/profile_context.rb#L243)
|
||||||
|
|
||||||
|
#0 Inspec::ProfileContext::DomainSpecificLunacy::ClassMethods.add_methods(profile_context#Inspec::ProfileContext) at /inspec/lib/inspec/profile_context.rb:242
|
||||||
|
#1 block in #<Class:Inspec::ProfileContext::DomainSpecificLunacy>.block in create_dsl(profile_context#Inspec::ProfileContext) at /inspec/lib/inspec/profile_context.rb:220
|
||||||
|
ͱ-- #2 Module.initialize at inspec/lib/inspec/profile_context.rb:218
|
||||||
|
ͱ-- #3 Class.new(*args) at inspec/lib/inspec/profile_context.rb:218
|
||||||
|
#4 #<Class:Inspec::ProfileContext::DomainSpecificLunacy>.create_dsl(profile_context#Inspec::ProfileContext) at inspec/lib/inspec/profile_context.rb:218
|
||||||
|
#5 Inspec::ProfileContext.to_resources_dsl at inspec/lib/inspec/profile_context.rb:56
|
||||||
|
#6 Inspec::ProfileContext.control_eval_context at inspec/lib/inspec/profile_context.rb:63
|
||||||
|
#7 Inspec::ProfileContext.load_control_file(*args#Array) at inspec/lib/inspec/profile_context.rb:154
|
||||||
|
#8 block in Inspec::Profile.block in collect_tests(include_list#Array) at inspec/lib/inspec/profile.rb:222
|
||||||
|
ͱ-- #9 Hash.each at inspec/lib/inspec/profile.rb:216
|
||||||
|
#10 Inspec::Profile.collect_tests(include_list#Array) at inspec/lib/inspec/profile.rb:216
|
||||||
|
#11 block in Inspec::Runner.block in load at inspec/lib/inspec/runner.rb:119
|
||||||
|
ͱ-- #12 Array.each at inspec/lib/inspec/runner.rb:101
|
||||||
|
#13 Inspec::Runner.load at inspec/lib/inspec/runner.rb:101
|
||||||
|
#14 Inspec::Runner.run(with#NilClass) at inspec/lib/inspec/runner.rb:135
|
||||||
|
#15 Inspec::InspecCLI.exec(*targets#Array) at inspec/lib/inspec/cli.rb:286
|
||||||
|
|
||||||
## Each file's contents are instance eval'd against the control_eval_context
|
## Each file's contents are instance eval'd against the control_eval_context
|
||||||
|
|
||||||
### DSL methods are executed at this time
|
### DSL methods are executed at this time
|
||||||
|
|
||||||
So, if you have a control file with `title` in it, that will call the title method that was defined at `lib/inspec/control_eval_context.rb:60`. Importantly, this also includes the `control` DSL keyword, and also the `describe` keyword (used for bare describes).
|
So, if you have a control file with `title` in it, that will call the title method that was defined [here](https://github.com/inspec/inspec/blob/master/lib/inspec/control_eval_context.rb#L46). Importantly, this also includes the `control` DSL keyword, and also the `describe` keyword (used for bare describes).
|
||||||
|
|
||||||
### Each control and their block are wrapped in an anonymous class
|
### Each control get registered as rule.
|
||||||
|
|
||||||
The anonymous class generator is located at `lib/inspec/control_eval_context.rb:24`. At this point, the terminology switches from `control` to `rule`. Each context class inherits from Inspec::Rule, which provides the constructor.
|
Each control gets registerd and the terminology switches from `control` to `rule` [here](https://github.com/inspec/inspec/blob/master/lib/inspec/control_eval_context.rb#L57)
|
||||||
|
|
||||||
The control context class also gets extended with the resource DSL, so anything in the source code for the control can use the resource DSL. This includes all resource names, but importantly, the `describe` DSL keyword.
|
The control context class also gets extended with the resource DSL, so anything in the source code for the control can use the resource DSL. This includes all resource names, but importantly, the `describe` DSL keyword.
|
||||||
|
|
||||||
|
@ -40,7 +62,7 @@ Finally, Inspec::Rule provides the control DSL - impact, title, desc, ref, and t
|
||||||
|
|
||||||
### The block is instance_eval'd against the control context class
|
### The block is instance_eval'd against the control context class
|
||||||
|
|
||||||
See `lib/inspec/rule.rb:50`. We're now in two levels of instance eval'ing - the file is gradually being eval'd against the profile context anonymous class, and the current control's block is being instance eval'd against a control context anonymous class.
|
See `https://github.com/inspec/inspec/blob/master/lib/inspec/rule.rb#L46`. We're now in two levels of instance eval'ing - the file is gradually being eval'd against the profile context and the current control's block is being instance eval'd against a control context.
|
||||||
|
|
||||||
At this stage, control-level metadata (impact, title, refs, tags, desc) are evaluated and set as instance vars on the control.
|
At this stage, control-level metadata (impact, title, refs, tags, desc) are evaluated and set as instance vars on the control.
|
||||||
|
|
||||||
|
@ -54,9 +76,9 @@ And, the describe and describe.one blocks are executed.
|
||||||
|
|
||||||
Using the method register_control (dynamically defined on the control eval context), we check for various skip conditions. If none of them apply, the control is then registered with the profile context using register_rule.
|
Using the method register_control (dynamically defined on the control eval context), we check for various skip conditions. If none of them apply, the control is then registered with the profile context using register_rule.
|
||||||
|
|
||||||
ProfileContext.register_rule's main job is to determine the full ID of the control (within the context of the profile) and either add it to the controls list, or (if another control with the same ID exists), merge it. (This is where overriding happens).
|
[ProfileContext.register_rule's](https://github.com/inspec/inspec/blob/master/lib/inspec/profile_context.rb#L183) main job is to determine the full ID of the control (within the context of the profile) and either add it to the controls list, or (if another control with the same ID exists), merge it. (This is where overriding happens).
|
||||||
|
|
||||||
Note: can skip a control with:
|
Note: can skip a control with:
|
||||||
Inspec::Rule.set_skip_rule(control, msg)
|
Inspec::Rule.set_skip_rule(control, msg)
|
||||||
|
|
||||||
## What else?
|
## What else?
|
||||||
|
|
|
@ -40,7 +40,7 @@ class Thing < Inspec.resource(1)
|
||||||
filter_table_config.install_filter_methods_on_resource(self, :fetch_data)
|
filter_table_config.install_filter_methods_on_resource(self, :fetch_data)
|
||||||
|
|
||||||
def fetch_data
|
def fetch_data
|
||||||
# This method should return an array of hashes - the raw data. We'll hardcode it here.
|
# This method should return an array of hashes - the raw data. We'll hard code it here.
|
||||||
[
|
[
|
||||||
{ thing_id: 1, color: :red },
|
{ thing_id: 1, color: :red },
|
||||||
{ thing_id: 2, color: :blue, tackiness: 'very' },
|
{ thing_id: 2, color: :blue, tackiness: 'very' },
|
||||||
|
@ -301,7 +301,7 @@ This method behaves just like `thing_ids`, except that it returns the values of
|
||||||
|
|
||||||
You also get this for `thing_ids`. This is unrelated to `style: :simple` for `colors`.
|
You also get this for `thing_ids`. This is unrelated to `style: :simple` for `colors`.
|
||||||
|
|
||||||
People definitely use this in the wild. It reads badly to me; I think this is a legacy usage that we should consider deprecating. To me, this seems to imply that there is a sub-resource (here, colors) we are auditing. At least two core resouces (`xinetd_conf` and `users`) advocate this as their primary use.
|
People definitely use this in the wild. It reads badly to me; I think this is a legacy usage that we should consider deprecating. To me, this seems to imply that there is a sub-resource (here, colors) we are auditing. At least two core resources (`xinetd_conf` and `users`) advocate this as their primary use.
|
||||||
|
|
||||||
```ruby
|
```ruby
|
||||||
# Filter on colors
|
# Filter on colors
|
||||||
|
|
55
dev-docs/inspec-init-plugin.md
Normal file
55
dev-docs/inspec-init-plugin.md
Normal file
|
@ -0,0 +1,55 @@
|
||||||
|
# About `inspec init plugin` CLI command
|
||||||
|
|
||||||
|
## Purpose
|
||||||
|
|
||||||
|
`inspec init plugin` generates the scaffold of InSpec plugin, which can extend the functionality of InSpec itself.
|
||||||
|
|
||||||
|
## Operational Notes
|
||||||
|
|
||||||
|
### Generating InSpec Plugin
|
||||||
|
|
||||||
|
`inspec init plugin --help`
|
||||||
|
|
||||||
|
```
|
||||||
|
Usage:
|
||||||
|
inspec init plugin PLUGIN_NAME [options]
|
||||||
|
|
||||||
|
Options:
|
||||||
|
[--prompt], [--no-prompt] # Interactively prompt for information to put in your generated plugin.
|
||||||
|
# Default: true
|
||||||
|
[--detail=DETAIL] # How detailed of a plugin to generate. 'full' is a normal full gem with tests; 'core' has tests but no gemspec; 'test-fixture' is stripped down for a test fixture.
|
||||||
|
# Default: full
|
||||||
|
[--author-email=AUTHOR_EMAIL] # Author Email for gemspec
|
||||||
|
# Default: you@example.com
|
||||||
|
[--author-name=AUTHOR_NAME] # Author Name for gemspec
|
||||||
|
# Default: Your Name
|
||||||
|
[--description=DESCRIPTION] # Multi-line description of the plugin
|
||||||
|
[--summary=SUMMARY] # One-line summary of your plugin
|
||||||
|
# Default: A plugin with a default summary
|
||||||
|
[--license-name=LICENSE_NAME] # The name of a license
|
||||||
|
# Default: Apache-2.0
|
||||||
|
[--activator=one two three] # A list of plugin activator, in the form type1:name1, type2:name2, etc
|
||||||
|
# Default: ["cli_command:my_command"]
|
||||||
|
[--hook=one two three] # Legacy name for --activator - Deprecated.
|
||||||
|
[--homepage=HOMEPAGE] # A URL for your project, often a GitHub link
|
||||||
|
[--module-name=MODULE_NAME] # Module Name for your plugin package. Will change plugin name to CamelCase by default.
|
||||||
|
[--copyright=COPYRIGHT] # A copyright statement, to be added to LICENSE
|
||||||
|
[--log-level=LOG_LEVEL] # Set the log level: info (default), debug, warn, error
|
||||||
|
[--log-location=LOG_LOCATION] # Location to send diagnostic log messages to. (default: $stdout or Inspec::Log.error)
|
||||||
|
|
||||||
|
Generates an InSpec plugin, which can extend the functionality of InSpec itself.
|
||||||
|
```
|
||||||
|
|
||||||
|
### Options
|
||||||
|
`inspec init plugin` command requires few details about the plugin to be added. This can be added using command line prompt or by passing them as the options like for e.g `--author-name`,`--author-email`, `--description`, `--module-name`, etc.
|
||||||
|
|
||||||
|
`--detail` This option can be used to skip generation of test files or gemspec file. Available values `full`, `core` or `test-fixture`.
|
||||||
|
|
||||||
|
`--activator` Available activator type are `cli_command` and `reporter`. The default activator type is "cli_command".
|
||||||
|
Usage: `inspec init pluign <inspec-plugin-name> --activator "cli_command:my_test"`
|
||||||
|
`OR`
|
||||||
|
`inspec init plugin <inspec-plugin-reporter-name> --activator "reporter:my_reporter"`
|
||||||
|
|
||||||
|
**Note:** The InSpec plugin generator can currently only generate one activator of each type.
|
||||||
|
|
||||||
|
`--hook` Legacy name for `--activator` - Deprecated.
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
## Introduction
|
## Introduction
|
||||||
|
|
||||||
Chef InSpec uses Test Kitchen for its integration testing. Our current testing uses Docker as our backend. You should install and have Docker running befor you run any tests.
|
Chef InSpec uses Test Kitchen for its integration testing. Our current testing uses Docker (kitchen-dokken) as our backend. You should install and have Docker running before you run any tests.
|
||||||
|
|
||||||
### How to run specific integrations
|
### How to run specific integrations
|
||||||
|
|
||||||
|
@ -23,8 +23,6 @@ bundle exec rake test:integration[default-ubuntu-1604]
|
||||||
|
|
||||||
We run the test/integration/default profile at the end of each integration test in the verify stage. This confirms that our current code is compatible with test kitchen.
|
We run the test/integration/default profile at the end of each integration test in the verify stage. This confirms that our current code is compatible with test kitchen.
|
||||||
|
|
||||||
### Audit Testing
|
### Why no audit cookbook testing?
|
||||||
|
|
||||||
For Audit cookbook testing Chef InSpec sets up some special hooks. The integration rake command will bundle up the current checkout into a gem which is passed along to test kitchen in the os_prepare cookbook. When this cookbook is run it will install the local inspec gem. Audit will then use this gem accordingly when running in the post chef-client validators. The .kitchen.yml is setup to export the audit report to a json file which we look for and confirm the structure in the test/integration/default/controls/audit_spec.rb file.
|
Audit cookbook testing is handled in the audit cookbook repo. In addition, the audit cookbook restricts which InSpec gem can be installed, forcing the installation from Rubygems for Chef clients 15+. Since we need to test with the from-source inspec gem, we can't use that approach. Instead, we don't test using audit cookbook here.
|
||||||
|
|
||||||
In the validation file we confirm that the file was created from audit and that the structure looks correct. We also validate that the inspec ran with audit is the same that the current branch is using. This validates that audit did not use a older version for some reason.
|
|
||||||
|
|
|
@ -18,4 +18,5 @@ image=chef:
|
||||||
CHANNEL: unstable
|
CHANNEL: unstable
|
||||||
annotations:
|
annotations:
|
||||||
tags:
|
tags:
|
||||||
- expeditor:final-channel-tags={{major}},{{major}}.{{minor}}
|
- expeditor:default-tags={{channel}}
|
||||||
|
- expeditor:final-channel-tags=latest,{{major}},{{major}}.{{minor}}
|
||||||
|
|
|
@ -14,7 +14,7 @@ serve: chef_web_docs
|
||||||
|
|
||||||
chef_web_docs:
|
chef_web_docs:
|
||||||
if [ -d "chef-web-docs/" ]; then \
|
if [ -d "chef-web-docs/" ]; then \
|
||||||
pushd chef-web-docs && git reset HEAD --hard; git pull origin master && popd; \
|
pushd chef-web-docs && git reset HEAD --hard; git clean -fd; git pull --ff-only origin main; rm -rf public && popd; \
|
||||||
else \
|
else \
|
||||||
git clone https://github.com/chef/chef-web-docs.git; \
|
git clone https://github.com/chef/chef-web-docs.git; \
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -20,7 +20,7 @@ the top of the page that you want to edit. The link takes you to that topic's Gi
|
||||||
page. In GitHub, click on the pencil icon and make your changes. You can preview
|
page. In GitHub, click on the pencil icon and make your changes. You can preview
|
||||||
how they'll look right on the page ("Preview Changes" tab).
|
how they'll look right on the page ("Preview Changes" tab).
|
||||||
|
|
||||||
We also require contributors to include their [DCO signoff](https://github.com/chef/chef/blob/master/CONTRIBUTING.md#developer-certification-of-origin-dco)
|
We also require contributors to include their [DCO signoff](https://github.com/chef/chef/blob/main/CONTRIBUTING.md#developer-certification-of-origin-dco)
|
||||||
in the comment section of every pull request, except for obvious fixes. You can
|
in the comment section of every pull request, except for obvious fixes. You can
|
||||||
add your DCO signoff to the comments by including `Signed-off-by:`, followed by
|
add your DCO signoff to the comments by including `Signed-off-by:`, followed by
|
||||||
your name and email address, like this:
|
your name and email address, like this:
|
||||||
|
@ -52,7 +52,7 @@ before the next promotion.
|
||||||
## Local Development Environment
|
## Local Development Environment
|
||||||
|
|
||||||
We use [Hugo](https://gohugo.io/), [Go](https://golang.org/), and[NPM](https://www.npmjs.com/)
|
We use [Hugo](https://gohugo.io/), [Go](https://golang.org/), and[NPM](https://www.npmjs.com/)
|
||||||
to build the Chef Documentation website. You will need Hugo 0.78.1 or higher
|
to build the Chef Documentation website. You will need Hugo 0.83.1 or higher
|
||||||
installed and running to build and view our documentation properly.
|
installed and running to build and view our documentation properly.
|
||||||
|
|
||||||
To install Hugo, NPM, and Go on Windows and macOS:
|
To install Hugo, NPM, and Go on Windows and macOS:
|
||||||
|
|
|
@ -1,2 +1,2 @@
|
||||||
[params.inspec]
|
[params.inspec]
|
||||||
gh_path = "https://github.com/inspec/inspec/tree/master/docs-chef-io/content/"
|
gh_path = "https://github.com/inspec/inspec/tree/main/docs-chef-io/content/"
|
||||||
|
|
|
@ -15,7 +15,7 @@ Use the InSpec CLI to run tests and audits against targets using local, SSH, Win
|
||||||
|
|
||||||
## archive
|
## archive
|
||||||
|
|
||||||
Archive a profile to tar.gz (default) or zip
|
Archive a profile to tar.gz (default) or zip.
|
||||||
|
|
||||||
### Syntax
|
### Syntax
|
||||||
|
|
||||||
|
@ -27,14 +27,14 @@ inspec archive PATH
|
||||||
|
|
||||||
### Options
|
### Options
|
||||||
|
|
||||||
This subcommand has additional options:
|
This subcommand has the following additional options:
|
||||||
|
|
||||||
* ``--airgap``, ``--no-airgap``
|
* ``--airgap``, ``--no-airgap``
|
||||||
Fallback to using local archives if fetching fails.
|
Fallback to using local archives if fetching fails.
|
||||||
* ``--ignore-errors``, ``--no-ignore-errors``
|
* ``--ignore-errors``, ``--no-ignore-errors``
|
||||||
Ignore profile warnings.
|
Ignore profile warnings.
|
||||||
* ``-o``, ``--output=OUTPUT``
|
* ``-o``, ``--output=OUTPUT``
|
||||||
Save the archive to a path
|
Save the archive to a path.
|
||||||
* ``--overwrite``, ``--no-overwrite``
|
* ``--overwrite``, ``--no-overwrite``
|
||||||
Overwrite existing archive.
|
Overwrite existing archive.
|
||||||
* ``--profiles-path=PROFILES_PATH``
|
* ``--profiles-path=PROFILES_PATH``
|
||||||
|
@ -42,14 +42,25 @@ This subcommand has additional options:
|
||||||
* ``--tar``, ``--no-tar``
|
* ``--tar``, ``--no-tar``
|
||||||
Generates a tar.gz archive.
|
Generates a tar.gz archive.
|
||||||
* ``--vendor-cache=VENDOR_CACHE``
|
* ``--vendor-cache=VENDOR_CACHE``
|
||||||
Use the given path for caching dependencies. (default: ~/.inspec/cache)
|
Use the given path for caching dependencies, (default: ~/.inspec/cache).
|
||||||
* ``--zip``, ``--no-zip``
|
* ``--zip``, ``--no-zip``
|
||||||
Generates a zip archive.
|
Generates a zip archive.
|
||||||
|
|
||||||
|
## automate
|
||||||
|
|
||||||
|
Communicate with Chef Automate.
|
||||||
|
|
||||||
|
### Syntax
|
||||||
|
|
||||||
|
This subcommand has the following syntax:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
inspec automate SUBCOMMAND
|
||||||
|
```
|
||||||
|
|
||||||
## check
|
## check
|
||||||
|
|
||||||
Verify metadata in inspec.yml. Verify control data has fields (title, description,
|
Verify metadata in inspec.yml. Verify control data has fields (title, description, impact) defined and that all controls have visible tests.
|
||||||
impact) defined and that all controls have visible tests.
|
|
||||||
|
|
||||||
### Syntax
|
### Syntax
|
||||||
|
|
||||||
|
@ -61,18 +72,18 @@ inspec check PATH
|
||||||
|
|
||||||
### Options
|
### Options
|
||||||
|
|
||||||
This subcommand has additional options:
|
This subcommand has the following additional options:
|
||||||
|
|
||||||
* ``--format=FORMAT``
|
* ``--format=FORMAT``
|
||||||
|
The output format to use. Valid values: `json` and `doc`. Default value: `doc`.
|
||||||
* ``--profiles-path=PROFILES_PATH``
|
* ``--profiles-path=PROFILES_PATH``
|
||||||
Folder which contains referenced profiles.
|
Folder which contains referenced profiles.
|
||||||
* ``--vendor-cache=VENDOR_CACHE``
|
* ``--vendor-cache=VENDOR_CACHE``
|
||||||
Use the given path for caching dependencies. (default: ~/.inspec/cache)
|
Use the given path for caching dependencies, (default: ~/.inspec/cache).
|
||||||
|
|
||||||
## detect
|
## detect
|
||||||
|
|
||||||
Detect the target os
|
Detect the target OS.
|
||||||
|
|
||||||
### Syntax
|
### Syntax
|
||||||
|
|
||||||
|
@ -84,18 +95,20 @@ inspec detect
|
||||||
|
|
||||||
### Options
|
### Options
|
||||||
|
|
||||||
This subcommand has additional options:
|
This subcommand has the following additional options:
|
||||||
|
|
||||||
* ``-b``, ``--backend=BACKEND``
|
* ``-b``, ``--backend=BACKEND``
|
||||||
Choose a backend: local, ssh, winrm, docker.
|
Choose a backend: local, ssh, winrm, docker.
|
||||||
* ``--bastion-host=BASTION_HOST``
|
* ``--bastion-host=BASTION_HOST``
|
||||||
Specifies the bastion host if applicable
|
Specifies the bastion host if applicable.
|
||||||
* ``--bastion-port=BASTION_PORT``
|
* ``--bastion-port=BASTION_PORT``
|
||||||
Specifies the bastion port if applicable
|
Specifies the bastion port if applicable.
|
||||||
* ``--bastion-user=BASTION_USER``
|
* ``--bastion-user=BASTION_USER``
|
||||||
Specifies the bastion user if applicable
|
Specifies the bastion user if applicable.
|
||||||
* ``--config=CONFIG``
|
* ``--config=CONFIG``
|
||||||
Read configuration from JSON file (`-` reads from stdin).
|
Read configuration from JSON file (`-` reads from stdin).
|
||||||
|
* ``--docker-url``
|
||||||
|
Provides path to Docker API endpoint (Docker).
|
||||||
* ``--enable-password=ENABLE_PASSWORD``
|
* ``--enable-password=ENABLE_PASSWORD``
|
||||||
Password for enable mode on Cisco IOS devices.
|
Password for enable mode on Cisco IOS devices.
|
||||||
* ``--format=FORMAT``
|
* ``--format=FORMAT``
|
||||||
|
@ -103,7 +116,7 @@ This subcommand has additional options:
|
||||||
* ``--host=HOST``
|
* ``--host=HOST``
|
||||||
Specify a remote host which is tested.
|
Specify a remote host which is tested.
|
||||||
* ``--insecure``, ``--no-insecure``
|
* ``--insecure``, ``--no-insecure``
|
||||||
Disable SSL verification on select targets
|
Disable SSL verification on select targets.
|
||||||
* ``-i``, ``--key-files=one two three``
|
* ``-i``, ``--key-files=one two three``
|
||||||
Login key or certificate file for a remote scan.
|
Login key or certificate file for a remote scan.
|
||||||
* ``--password=PASSWORD``
|
* ``--password=PASSWORD``
|
||||||
|
@ -113,7 +126,7 @@ This subcommand has additional options:
|
||||||
* ``-p``, ``--port=N``
|
* ``-p``, ``--port=N``
|
||||||
Specify the login port for a remote scan.
|
Specify the login port for a remote scan.
|
||||||
* ``--proxy-command=PROXY_COMMAND``
|
* ``--proxy-command=PROXY_COMMAND``
|
||||||
Specifies the command to use to connect to the server
|
Specifies the command to use to connect to the server.
|
||||||
* ``--self-signed``, ``--no-self-signed``
|
* ``--self-signed``, ``--no-self-signed``
|
||||||
Allow remote scans with self-signed certificates (WinRM).
|
Allow remote scans with self-signed certificates (WinRM).
|
||||||
* ``--shell``, ``--no-shell``
|
* ``--shell``, ``--no-shell``
|
||||||
|
@ -133,9 +146,9 @@ This subcommand has additional options:
|
||||||
* ``--sudo-password=SUDO_PASSWORD``
|
* ``--sudo-password=SUDO_PASSWORD``
|
||||||
Specify a sudo password, if it is required.
|
Specify a sudo password, if it is required.
|
||||||
* ``-t``, ``--target=TARGET``
|
* ``-t``, ``--target=TARGET``
|
||||||
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
|
Simple targeting option using URIs, e.g. ssh://user:pass@host:port.
|
||||||
* ``--target-id=TARGET_ID``
|
* ``--target-id=TARGET_ID``
|
||||||
Provide a ID which will be included on reports
|
Provide a ID which will be included on reports.
|
||||||
* ``--user=USER``
|
* ``--user=USER``
|
||||||
The login user for a remote scan.
|
The login user for a remote scan.
|
||||||
* ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only``
|
* ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only``
|
||||||
|
@ -149,7 +162,7 @@ This subcommand has additional options:
|
||||||
|
|
||||||
## env
|
## env
|
||||||
|
|
||||||
Output shell-appropriate completion configuration
|
Output shell-appropriate completion configuration.
|
||||||
|
|
||||||
### Syntax
|
### Syntax
|
||||||
|
|
||||||
|
@ -163,11 +176,9 @@ inspec env
|
||||||
|
|
||||||
Run all test files at the specified locations.
|
Run all test files at the specified locations.
|
||||||
|
|
||||||
The subcommand loads the given profiles, fetches their dependencies if needed, then
|
The subcommand loads the given profiles, fetches their dependencies if needed, then connects to the target and executes any controls contained in the profiles. One or more reporters are used to generate the output.
|
||||||
connects to the target and executes any controls contained in the profiles.
|
|
||||||
One or more reporters are used to generate the output.
|
|
||||||
|
|
||||||
```
|
``` ruby
|
||||||
exit codes:
|
exit codes:
|
||||||
0 normal exit, all tests passed
|
0 normal exit, all tests passed
|
||||||
1 usage or general error
|
1 usage or general error
|
||||||
|
@ -181,38 +192,51 @@ exit codes:
|
||||||
Below are some examples of using `exec` with different test locations:
|
Below are some examples of using `exec` with different test locations:
|
||||||
|
|
||||||
Chef Automate:
|
Chef Automate:
|
||||||
```
|
|
||||||
inspec compliance login
|
``` ruby
|
||||||
|
inspec automate login
|
||||||
inspec exec compliance://username/linux-baseline
|
inspec exec compliance://username/linux-baseline
|
||||||
```
|
```
|
||||||
|
|
||||||
Chef Supermarket:
|
`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way:
|
||||||
|
|
||||||
|
``` ruby
|
||||||
|
inspec compliance login
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Chef Supermarket:
|
||||||
|
|
||||||
|
``` ruby
|
||||||
inspec exec supermarket://username/linux-baseline
|
inspec exec supermarket://username/linux-baseline
|
||||||
```
|
```
|
||||||
|
|
||||||
Local profile (executes all tests in `controls/`):
|
Local profile (executes all tests in `controls/`):
|
||||||
```
|
|
||||||
|
``` ruby
|
||||||
inspec exec /path/to/profile
|
inspec exec /path/to/profile
|
||||||
```
|
```
|
||||||
|
|
||||||
Local single test (doesn't allow inputs or custom resources):
|
Local single test (doesn't allow inputs or custom resources):
|
||||||
```
|
|
||||||
|
``` ruby
|
||||||
inspec exec /path/to/a_test.rb
|
inspec exec /path/to/a_test.rb
|
||||||
```
|
```
|
||||||
|
|
||||||
Git via SSH:
|
Git via SSH:
|
||||||
```
|
|
||||||
|
``` ruby
|
||||||
inspec exec git@github.com:dev-sec/linux-baseline.git
|
inspec exec git@github.com:dev-sec/linux-baseline.git
|
||||||
```
|
```
|
||||||
|
|
||||||
Git via HTTPS (.git suffix is required):
|
Git via HTTPS (.git suffix is required):
|
||||||
```
|
|
||||||
|
``` ruby
|
||||||
inspec exec https://github.com/dev-sec/linux-baseline.git
|
inspec exec https://github.com/dev-sec/linux-baseline.git
|
||||||
```
|
```
|
||||||
|
|
||||||
Private Git via HTTPS (.git suffix is required):
|
Private Git via HTTPS (.git suffix is required):
|
||||||
```
|
|
||||||
|
``` ruby
|
||||||
inspec exec https://api_token@github.com/dev-sec/linux-baseline.git
|
inspec exec https://api_token@github.com/dev-sec/linux-baseline.git
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -233,7 +257,6 @@ Web-hosted file with basic authentication (supports .zip):
|
||||||
inspec exec https://username:password@webserver/linux-baseline.tar.gz
|
inspec exec https://username:password@webserver/linux-baseline.tar.gz
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Syntax
|
### Syntax
|
||||||
|
|
||||||
This subcommand has the following syntax:
|
This subcommand has the following syntax:
|
||||||
|
@ -244,30 +267,32 @@ inspec exec LOCATIONS
|
||||||
|
|
||||||
### Options
|
### Options
|
||||||
|
|
||||||
This subcommand has additional options:
|
This subcommand has the following additional options:
|
||||||
|
|
||||||
* ``--attrs=one two three``
|
* ``--attrs=one two three``
|
||||||
Legacy name for --input-file - deprecated.
|
Legacy name for --input-file - deprecated.
|
||||||
* ``-b``, ``--backend=BACKEND``
|
* ``-b``, ``--backend=BACKEND``
|
||||||
Choose a backend: local, ssh, winrm, docker.
|
Choose a backend: local, ssh, winrm, docker.
|
||||||
* ``--backend-cache``, ``--no-backend-cache``
|
* ``--backend-cache``, ``--no-backend-cache``
|
||||||
Allow caching for backend command output. (default: true)
|
Allow caching for backend command output. (default: true).
|
||||||
* ``--bastion-host=BASTION_HOST``
|
* ``--bastion-host=BASTION_HOST``
|
||||||
Specifies the bastion host if applicable
|
Specifies the bastion host if applicable.
|
||||||
* ``--bastion-port=BASTION_PORT``
|
* ``--bastion-port=BASTION_PORT``
|
||||||
Specifies the bastion port if applicable
|
Specifies the bastion port if applicable.
|
||||||
* ``--bastion-user=BASTION_USER``
|
* ``--bastion-user=BASTION_USER``
|
||||||
Specifies the bastion user if applicable
|
Specifies the bastion user if applicable.
|
||||||
* ``--command-timeout=SECONDS``
|
* ``--command-timeout=SECONDS``
|
||||||
Maximum seconds to allow a command to run. Default 3600.
|
Maximum seconds to allow a command to run.
|
||||||
* ``--config=CONFIG``
|
* ``--config=CONFIG``
|
||||||
Read configuration from JSON file (`-` reads from stdin).
|
Read configuration from JSON file (`-` reads from stdin).
|
||||||
* ``--controls=one two three``
|
* ``--controls=one two three``
|
||||||
A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests.
|
A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests.
|
||||||
* ``--create-lockfile``, ``--no-create-lockfile``
|
* ``--create-lockfile``, ``--no-create-lockfile``
|
||||||
Write out a lockfile based on this execution (unless one already exists)
|
Write out a lockfile based on this execution (unless one already exists).
|
||||||
* ``--distinct-exit``, ``--no-distinct-exit``
|
* ``--distinct-exit``, ``--no-distinct-exit``
|
||||||
Exit with code 101 if any tests fail, and 100 if any are skipped (default). If disabled, exit 0 on skips and 1 for failures.
|
Exit with code 101 if any tests fail, and 100 if any are skipped (default). If disabled, exit 0 on skips and 1 for failures.
|
||||||
|
* ``--docker-url``
|
||||||
|
Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows.
|
||||||
* ``--enable-password=ENABLE_PASSWORD``
|
* ``--enable-password=ENABLE_PASSWORD``
|
||||||
Password for enable mode on Cisco IOS devices.
|
Password for enable mode on Cisco IOS devices.
|
||||||
* ``--filter-empty-profiles``, ``--no-filter-empty-profiles``
|
* ``--filter-empty-profiles``, ``--no-filter-empty-profiles``
|
||||||
|
@ -279,9 +304,9 @@ This subcommand has additional options:
|
||||||
* ``--input=name1=value1 name2=value2``
|
* ``--input=name1=value1 name2=value2``
|
||||||
Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures.
|
Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures.
|
||||||
* ``--input-file=one two three``
|
* ``--input-file=one two three``
|
||||||
Load one or more input files, a YAML file with values for the profile to use
|
Load one or more input files, a YAML file with values for the profile to use.
|
||||||
* ``--insecure``, ``--no-insecure``
|
* ``--insecure``, ``--no-insecure``
|
||||||
Disable SSL verification on select targets
|
Disable SSL verification on select targets.
|
||||||
* ``-i``, ``--key-files=one two three``
|
* ``-i``, ``--key-files=one two three``
|
||||||
Login key or certificate file for a remote scan.
|
Login key or certificate file for a remote scan.
|
||||||
* ``--password=PASSWORD``
|
* ``--password=PASSWORD``
|
||||||
|
@ -293,13 +318,15 @@ This subcommand has additional options:
|
||||||
* ``--profiles-path=PROFILES_PATH``
|
* ``--profiles-path=PROFILES_PATH``
|
||||||
Folder which contains referenced profiles.
|
Folder which contains referenced profiles.
|
||||||
* ``--proxy-command=PROXY_COMMAND``
|
* ``--proxy-command=PROXY_COMMAND``
|
||||||
Specifies the command to use to connect to the server
|
Specifies the command to use to connect to the server.
|
||||||
* ``--reporter=one two:/output/file/path``
|
* ``--reporter=one two:/output/file/path``
|
||||||
Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml
|
Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml.
|
||||||
* ``--reporter-backtrace-inclusion``, ``--no-reporter-backtrace-inclusion``
|
* ``--reporter-backtrace-inclusion``, ``--no-reporter-backtrace-inclusion``
|
||||||
Include a code backtrace in report data (default: true)
|
Include a code backtrace in report data (default: true).
|
||||||
|
* ``--reporter-include-source``
|
||||||
|
Include full source code of controls in the CLI report.
|
||||||
* ``--reporter-message-truncation=REPORTER_MESSAGE_TRUNCATION``
|
* ``--reporter-message-truncation=REPORTER_MESSAGE_TRUNCATION``
|
||||||
Number of characters to truncate failure messages in report data to (default: no truncation)
|
Number of characters to truncate failure messages in report data to (default: no truncation).
|
||||||
* ``--self-signed``, ``--no-self-signed``
|
* ``--self-signed``, ``--no-self-signed``
|
||||||
Allow remote scans with self-signed certificates (WinRM).
|
Allow remote scans with self-signed certificates (WinRM).
|
||||||
* ``--shell``, ``--no-shell``
|
* ``--shell``, ``--no-shell``
|
||||||
|
@ -323,13 +350,15 @@ This subcommand has additional options:
|
||||||
* ``--sudo-password=SUDO_PASSWORD``
|
* ``--sudo-password=SUDO_PASSWORD``
|
||||||
Specify a sudo password, if it is required.
|
Specify a sudo password, if it is required.
|
||||||
* ``-t``, ``--target=TARGET``
|
* ``-t``, ``--target=TARGET``
|
||||||
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
|
Simple targeting option using URIs, e.g. ssh://user:pass@host:port.
|
||||||
* ``--target-id=TARGET_ID``
|
* ``--target-id=TARGET_ID``
|
||||||
Provide a ID which will be included on reports
|
Provide a ID which will be included on reports.
|
||||||
|
* ``--tags=one two three``
|
||||||
|
A list of tags or a list of regular expressions that match tags. `exec` will run controls referenced by the listed or matching tags.
|
||||||
* ``--user=USER``
|
* ``--user=USER``
|
||||||
The login user for a remote scan.
|
The login user for a remote scan.
|
||||||
* ``--vendor-cache=VENDOR_CACHE``
|
* ``--vendor-cache=VENDOR_CACHE``
|
||||||
Use the given path for caching dependencies. (default: ~/.inspec/cache)
|
Use the given path for caching dependencies. (default: ~/.inspec/cache).
|
||||||
* ``--waiver-file=one two three``
|
* ``--waiver-file=one two three``
|
||||||
Load one or more waiver files.
|
Load one or more waiver files.
|
||||||
* ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only``
|
* ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only``
|
||||||
|
@ -339,9 +368,21 @@ This subcommand has additional options:
|
||||||
* ``--winrm-transport=WINRM_TRANSPORT``
|
* ``--winrm-transport=WINRM_TRANSPORT``
|
||||||
Specify which transport to use, defaults to negotiate (WinRM).
|
Specify which transport to use, defaults to negotiate (WinRM).
|
||||||
|
|
||||||
|
## habitat
|
||||||
|
|
||||||
|
Create a Chef Habitat package.
|
||||||
|
|
||||||
|
### Syntax
|
||||||
|
|
||||||
|
This subcommand has the following syntax:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
inspec habitat SUBCOMMAND
|
||||||
|
```
|
||||||
|
|
||||||
## help
|
## help
|
||||||
|
|
||||||
Describe available commands or one specific command
|
Describe available commands or one specific command.
|
||||||
|
|
||||||
### Syntax
|
### Syntax
|
||||||
|
|
||||||
|
@ -351,9 +392,21 @@ This subcommand has the following syntax:
|
||||||
inspec help [COMMAND]
|
inspec help [COMMAND]
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## init
|
||||||
|
|
||||||
|
Scaffold a new project.
|
||||||
|
|
||||||
|
### Syntax
|
||||||
|
|
||||||
|
This subcommand has the following syntax:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
inspec init TEMPLATE
|
||||||
|
```
|
||||||
|
|
||||||
## json
|
## json
|
||||||
|
|
||||||
Read all tests in path and generate a json summary
|
Read all tests in path and generate a json summary.
|
||||||
|
|
||||||
### Syntax
|
### Syntax
|
||||||
|
|
||||||
|
@ -365,20 +418,22 @@ inspec json PATH
|
||||||
|
|
||||||
### Options
|
### Options
|
||||||
|
|
||||||
This subcommand has additional options:
|
This subcommand has the following additional options:
|
||||||
|
|
||||||
* ``--controls=one two three``
|
* ``--controls=one two three``
|
||||||
A list of controls to include. Ignore all other tests.
|
A list of controls to include. Ignore all other tests.
|
||||||
* ``-o``, ``--output=OUTPUT``
|
* ``-o``, ``--output=OUTPUT``
|
||||||
Save the created profile to a path
|
Save the created profile to a path.
|
||||||
* ``--profiles-path=PROFILES_PATH``
|
* ``--profiles-path=PROFILES_PATH``
|
||||||
Folder which contains referenced profiles.
|
Folder which contains referenced profiles.
|
||||||
|
* ``--tags=one two three``
|
||||||
|
A list of tags that reference certain controls. Other controls are ignored.
|
||||||
* ``--vendor-cache=VENDOR_CACHE``
|
* ``--vendor-cache=VENDOR_CACHE``
|
||||||
Use the given path for caching dependencies. (default: ~/.inspec/cache)
|
Use the given path for caching dependencies. (default: ~/.inspec/cache).
|
||||||
|
|
||||||
## nothing
|
## nothing
|
||||||
|
|
||||||
Does nothing
|
Does nothing.
|
||||||
|
|
||||||
### Syntax
|
### Syntax
|
||||||
|
|
||||||
|
@ -388,9 +443,21 @@ This subcommand has the following syntax:
|
||||||
inspec nothing
|
inspec nothing
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## plugin
|
||||||
|
|
||||||
|
Install and manage [Chef InSpec plugins](/inspec/plugins/).
|
||||||
|
|
||||||
|
### Syntax
|
||||||
|
|
||||||
|
This subcommand has the following syntax:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
inspec plugin SUBCOMMAND
|
||||||
|
```
|
||||||
|
|
||||||
## schema
|
## schema
|
||||||
|
|
||||||
Print the json schema
|
Print the json schema.
|
||||||
|
|
||||||
### Syntax
|
### Syntax
|
||||||
|
|
||||||
|
@ -402,7 +469,7 @@ inspec schema NAME
|
||||||
|
|
||||||
## shell
|
## shell
|
||||||
|
|
||||||
Open an interactive debugging shell
|
Open an interactive debugging shell.
|
||||||
|
|
||||||
### Syntax
|
### Syntax
|
||||||
|
|
||||||
|
@ -414,32 +481,34 @@ inspec shell
|
||||||
|
|
||||||
### Options
|
### Options
|
||||||
|
|
||||||
This subcommand has additional options:
|
This subcommand has the following additional options:
|
||||||
|
|
||||||
* ``-b``, ``--backend=BACKEND``
|
* ``-b``, ``--backend=BACKEND``
|
||||||
Choose a backend: local, ssh, winrm, docker.
|
Choose a backend: local, ssh, winrm, docker.
|
||||||
* ``--bastion-host=BASTION_HOST``
|
* ``--bastion-host=BASTION_HOST``
|
||||||
Specifies the bastion host if applicable
|
Specifies the bastion host if applicable.
|
||||||
* ``--bastion-port=BASTION_PORT``
|
* ``--bastion-port=BASTION_PORT``
|
||||||
Specifies the bastion port if applicable
|
Specifies the bastion port if applicable.
|
||||||
* ``--bastion-user=BASTION_USER``
|
* ``--bastion-user=BASTION_USER``
|
||||||
Specifies the bastion user if applicable
|
Specifies the bastion user if applicable.
|
||||||
* ``-c``, ``--command=COMMAND``
|
* ``-c``, ``--command=COMMAND``
|
||||||
A single command string to run instead of launching the shell
|
A single command string to run instead of launching the shell.
|
||||||
* ``--command-timeout=SECONDS``
|
* ``--command-timeout=SECONDS``
|
||||||
Maximum seconds to allow a command to run. Default 3600.
|
Maximum seconds to allow a command to run.
|
||||||
* ``--config=CONFIG``
|
* ``--config=CONFIG``
|
||||||
Read configuration from JSON file (`-` reads from stdin).
|
Read configuration from JSON file (`-` reads from stdin).
|
||||||
* ``--depends=one two three``
|
* ``--depends=one two three``
|
||||||
A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell
|
A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell.
|
||||||
* ``--distinct-exit``, ``--no-distinct-exit``
|
* ``--distinct-exit``, ``--no-distinct-exit``
|
||||||
Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures.
|
Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures.
|
||||||
|
* ``--docker-url``
|
||||||
|
Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows.
|
||||||
* ``--enable-password=ENABLE_PASSWORD``
|
* ``--enable-password=ENABLE_PASSWORD``
|
||||||
Password for enable mode on Cisco IOS devices.
|
Password for enable mode on Cisco IOS devices.
|
||||||
* ``--host=HOST``
|
* ``--host=HOST``
|
||||||
Specify a remote host which is tested.
|
Specify a remote host which is tested.
|
||||||
* ``--insecure``, ``--no-insecure``
|
* ``--insecure``, ``--no-insecure``
|
||||||
Disable SSL verification on select targets
|
Disable SSL verification on select targets.
|
||||||
* ``--inspect``, ``--no-inspect``
|
* ``--inspect``, ``--no-inspect``
|
||||||
Use verbose/debugging output for resources.
|
Use verbose/debugging output for resources.
|
||||||
* ``-i``, ``--key-files=one two three``
|
* ``-i``, ``--key-files=one two three``
|
||||||
|
@ -451,9 +520,9 @@ This subcommand has additional options:
|
||||||
* ``-p``, ``--port=N``
|
* ``-p``, ``--port=N``
|
||||||
Specify the login port for a remote scan.
|
Specify the login port for a remote scan.
|
||||||
* ``--proxy-command=PROXY_COMMAND``
|
* ``--proxy-command=PROXY_COMMAND``
|
||||||
Specifies the command to use to connect to the server
|
Specifies the command to use to connect to the server.
|
||||||
* ``--reporter=one two:/output/file/path``
|
* ``--reporter=one two:/output/file/path``
|
||||||
Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit
|
Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit.
|
||||||
* ``--self-signed``, ``--no-self-signed``
|
* ``--self-signed``, ``--no-self-signed``
|
||||||
Allow remote scans with self-signed certificates (WinRM).
|
Allow remote scans with self-signed certificates (WinRM).
|
||||||
* ``--shell``, ``--no-shell``
|
* ``--shell``, ``--no-shell``
|
||||||
|
@ -473,9 +542,9 @@ This subcommand has additional options:
|
||||||
* ``--sudo-password=SUDO_PASSWORD``
|
* ``--sudo-password=SUDO_PASSWORD``
|
||||||
Specify a sudo password, if it is required.
|
Specify a sudo password, if it is required.
|
||||||
* ``-t``, ``--target=TARGET``
|
* ``-t``, ``--target=TARGET``
|
||||||
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
|
Simple targeting option using URIs, e.g. ssh://user:pass@host:port.
|
||||||
* ``--target-id=TARGET_ID``
|
* ``--target-id=TARGET_ID``
|
||||||
Provide a ID which will be included on reports
|
Provide a ID which will be included on reports.
|
||||||
* ``--user=USER``
|
* ``--user=USER``
|
||||||
The login user for a remote scan.
|
The login user for a remote scan.
|
||||||
* ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only``
|
* ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only``
|
||||||
|
@ -487,7 +556,7 @@ This subcommand has additional options:
|
||||||
|
|
||||||
## supermarket
|
## supermarket
|
||||||
|
|
||||||
Supermarket commands
|
Supermarket commands.
|
||||||
|
|
||||||
### Syntax
|
### Syntax
|
||||||
|
|
||||||
|
@ -499,7 +568,7 @@ inspec supermarket SUBCOMMAND ...
|
||||||
|
|
||||||
## vendor
|
## vendor
|
||||||
|
|
||||||
Download all dependencies and generate a lockfile in a `vendor` directory
|
Download all dependencies and generate a lockfile in a `vendor` directory.
|
||||||
|
|
||||||
### Syntax
|
### Syntax
|
||||||
|
|
||||||
|
@ -518,7 +587,7 @@ This subcommand has additional options:
|
||||||
|
|
||||||
## version
|
## version
|
||||||
|
|
||||||
Prints the version of this tool
|
Prints the version of this tool.
|
||||||
|
|
||||||
### Syntax
|
### Syntax
|
||||||
|
|
||||||
|
@ -530,6 +599,6 @@ inspec version
|
||||||
|
|
||||||
### Options
|
### Options
|
||||||
|
|
||||||
This subcommand has additional options:
|
This subcommand has the following additional options:
|
||||||
|
|
||||||
* ``--format=FORMAT``
|
* ``--format=FORMAT``
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
+++
|
+++
|
||||||
title = "Chef InSpec DSL"
|
title = "Chef InSpec Language"
|
||||||
draft = false
|
draft = false
|
||||||
gh_repo = "inspec"
|
gh_repo = "inspec"
|
||||||
|
|
||||||
[menu]
|
[menu]
|
||||||
[menu.inspec]
|
[menu.inspec]
|
||||||
title = "Chef InSpec DSL"
|
title = "Chef InSpec Language"
|
||||||
identifier = "inspec/reference/dsl_inspec.md Chef InSpec DSL"
|
identifier = "inspec/reference/dsl_inspec.md Chef InSpec Language"
|
||||||
parent = "inspec/reference"
|
parent = "inspec/reference"
|
||||||
weight = 70
|
weight = 70
|
||||||
+++
|
+++
|
||||||
|
@ -17,7 +17,7 @@ you write auditing controls quickly and easily. The syntax used by both open sou
|
||||||
and [Chef compliance](/compliance/) auditing is the same. The open source [Chef InSpec resource](/inspec/resources/)
|
and [Chef compliance](/compliance/) auditing is the same. The open source [Chef InSpec resource](/inspec/resources/)
|
||||||
framework is compatible with [Chef compliance](/compliance/).
|
framework is compatible with [Chef compliance](/compliance/).
|
||||||
|
|
||||||
The Chef InSpec DSL is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke.
|
The Chef InSpec Language is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke.
|
||||||
|
|
||||||
The following sections describe the syntax and show some simple examples of using the Chef InSpec resources.
|
The following sections describe the syntax and show some simple examples of using the Chef InSpec resources.
|
||||||
|
|
||||||
|
@ -336,7 +336,7 @@ end
|
||||||
|
|
||||||
## Using Ruby in InSpec
|
## Using Ruby in InSpec
|
||||||
|
|
||||||
The Chef InSpec DSL is a Ruby based language. This allows you to be flexible with
|
The Chef InSpec Language is a Ruby based language. This allows you to be flexible with
|
||||||
Ruby code in controls:
|
Ruby code in controls:
|
||||||
|
|
||||||
```ruby
|
```ruby
|
||||||
|
|
|
@ -104,7 +104,7 @@ class ExampleConfig < Inspec.resource(1)
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
For a full example, see our [example resource](https://github.com/chef/inspec/blob/master/examples/profile/libraries/example_config.rb).
|
For a full example, see our [example resource](https://github.com/chef/inspec/blob/main/examples/profile/libraries/example_config.rb).
|
||||||
|
|
||||||
## Lazy Loading
|
## Lazy Loading
|
||||||
|
|
||||||
|
|
|
@ -30,7 +30,7 @@ Let's look at some simple examples.
|
||||||
|
|
||||||
### Singular Resource Example
|
### Singular Resource Example
|
||||||
|
|
||||||
```inspec
|
```ruby
|
||||||
describe car(owner: 'Tony Clifton') do
|
describe car(owner: 'Tony Clifton') do
|
||||||
it { should exist }
|
it { should exist }
|
||||||
its('license_plate') { should cmp 'MOONMAN' }
|
its('license_plate') { should cmp 'MOONMAN' }
|
||||||
|
@ -73,7 +73,7 @@ _should\_not_ indicates this is a negated test. So, this test passes if the matc
|
||||||
|
|
||||||
### Plural Resource Example
|
### Plural Resource Example
|
||||||
|
|
||||||
```inspec
|
```ruby
|
||||||
describe cars.where(color: /^b/) do
|
describe cars.where(color: /^b/) do
|
||||||
it { should exist }
|
it { should exist }
|
||||||
its('manufacturers') { should include 'Cadillac' }
|
its('manufacturers') { should include 'Cadillac' }
|
||||||
|
@ -113,35 +113,35 @@ _'Cadillac'_ is an [expected result](#expected-result). Some matchers take an ex
|
||||||
|
|
||||||
#### its('count') { should _be >=_ 10 }
|
#### its('count') { should _be >=_ 10 }
|
||||||
|
|
||||||
_be >=_ is an [operator matcher](#operator matcher). It allows you to perform numeric comparisons. All plural resources have a `count` property.
|
_be >=_ is an [operator matcher](#operator-matcher). It allows you to perform numeric comparisons. All plural resources have a `count` property.
|
||||||
|
|
||||||
## Text Glossary
|
## Text Glossary
|
||||||
|
|
||||||
### attribute
|
### Attribute
|
||||||
|
|
||||||
Deprecated name for [input](#input).
|
Deprecated name for [input](#input).
|
||||||
|
|
||||||
### control
|
### Control
|
||||||
|
|
||||||
### control block
|
### Control Block
|
||||||
|
|
||||||
The _`control`_ keyword is used to declare a _`control block`_. Here, the word 'control' means a 'regulatory control, recommendation, or requirement' - not a software engineering construct. A `control block` has a name (which usually refers to the assigned ID of the regulatory recommendation it implements), metadata such as descriptions, references, and tags, and finally groups together related [describe blocks](#describe-block) to implement the checks.
|
The _`control`_ keyword is used to declare a _`control block`_. Here, the word 'control' means a 'regulatory control, recommendation, or requirement' - not a software engineering construct. A `control block` has a name (which usually refers to the assigned ID of the regulatory recommendation it implements), metadata such as descriptions, references, and tags, and finally groups together related [describe blocks](#describe-block) to implement the checks.
|
||||||
|
|
||||||
### core resource
|
### Core Resource
|
||||||
|
|
||||||
A [resource](#resource) that is included with InSpec; you are not required to install additional [plugins](#plugin) or depend on a [resource pack](#resource pack) to use the resource.
|
A [resource](#resource) that is included with InSpec; you are not required to install additional [plugins](#plugin) or depend on a [resource pack](#resource-pack) to use the resource.
|
||||||
|
|
||||||
### custom resource
|
### Custom Resource
|
||||||
|
|
||||||
A [resource](#resource) that is _not_ included with InSpec. It may be a resource of your own creation, or one you obtain by depending on a [resource pack](#resource pack).
|
A [resource](#resource) that is _not_ included with InSpec. It may be a resource of your own creation, or one you obtain by depending on a [resource pack](#resource-pack).
|
||||||
|
|
||||||
### describe
|
### Describe
|
||||||
|
|
||||||
### describe block
|
### Describe Block
|
||||||
|
|
||||||
The _`describe`_ keyword is used with a _`describe block`_ to refer to a Chef InSpec resource. You use the `describe` keyword along with the name of a [resource](#resource) to enclose related [tests](#test) that apply to the resource. Multiple describe blocks are usually grouped together in a [control](#control), but you can also use them outside of a control.
|
The _`describe`_ keyword is used with a _`describe block`_ to refer to a Chef InSpec resource. You use the `describe` keyword along with the name of a [resource](#resource) to enclose related [tests](#test) that apply to the resource. Multiple describe blocks are usually grouped together in a [control](#control), but you can also use them outside of a control.
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
control 'Rule 1.1 - Color restrictions' do
|
control 'Rule 1.1 - Color restrictions' do
|
||||||
# Count only blue cars
|
# Count only blue cars
|
||||||
describe cars.where(color: 'blue') do
|
describe cars.where(color: 'blue') do
|
||||||
|
@ -152,23 +152,23 @@ end
|
||||||
|
|
||||||
### DSL
|
### DSL
|
||||||
|
|
||||||
_DSL_ is an acronym for _Domain Specific Language_. It refers to the language extensions Chef InSpec provides to make authoring resources and controls easier. While Chef InSpec control files are use Ruby, the _Control DSL_ makes it easy to write controls without knowledge of Ruby by providing DSL keywords such as [describe](#describe), [control](#control), [it](#it) and [its](#its). See the [Chef InSpec DSL page](/inspec/dsl_inspec/) for details about keywords available to control authors.
|
_DSL_ is an acronym for _Domain Specific Language_. It refers to the language extensions Chef InSpec provides to make authoring resources and controls easier. While Chef InSpec control files are use Ruby, the _Control DSL_ makes it easy to write controls without knowledge of Ruby by providing DSL keywords such as [describe](#describe), [control](#control), [it](#it) and [its](#its). See the [Chef InSpec Language page](/inspec/dsl_inspec/) for details about keywords available to control authors.
|
||||||
|
|
||||||
For [custom resource](#custom-resource) authors, an additional DSL is available - see the [Resource DSL page](/inspec/dsl_resource/).
|
For [custom resource](#custom-resource) authors, an additional DSL is available - see the [Resource Language page](/inspec/dsl_resource/).
|
||||||
|
|
||||||
### expected result
|
### Expected Result
|
||||||
|
|
||||||
When using a [matcher](#matcher), the _`expected result`_ is the value the matcher will compare against the [property](#property) being accessed.
|
When using a [matcher](#matcher), the _`expected result`_ is the value the matcher will compare against the [property](#property) being accessed.
|
||||||
|
|
||||||
In this example, the [`cmp`](/inspec/matchers/#cmp) matcher is being used to compare the `color` property to the expected result 'black'.
|
In this example, the [`cmp`](/inspec/matchers/#cmp) matcher is being used to compare the `color` property to the expected result 'black'.
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
describe car(owner: 'Bruce Wayne') do
|
describe car(owner: 'Bruce Wayne') do
|
||||||
its('color') { should cmp 'black' }
|
its('color') { should cmp 'black' }
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
### filter statement
|
### Filter Statement
|
||||||
|
|
||||||
When using a [plural resource](#plural-resource), a _`filter statement`_ is used to select individual test subjects using [filter criteria](#filter-criteria). A filter statement almost always is indicated by the keyword `where`, and may be repeated using method chaining.
|
When using a [plural resource](#plural-resource), a _`filter statement`_ is used to select individual test subjects using [filter criteria](#filter-criteria). A filter statement almost always is indicated by the keyword `where`, and may be repeated using method chaining.
|
||||||
|
|
||||||
|
@ -176,16 +176,16 @@ A filter statement may use method call syntax (which allows basic criteria opera
|
||||||
|
|
||||||
In this example, `where(...)` is the filter statement.
|
In this example, `where(...)` is the filter statement.
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
# Count only blue cars
|
# Count only blue cars
|
||||||
describe cars.where(color: 'blue') do
|
describe cars.where(color: 'blue') do
|
||||||
its('count') { should eq 20 }
|
its('count') { should eq 20 }
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
### filter criterion
|
### Filter Criterion
|
||||||
|
|
||||||
### filter criteria
|
### Filter Criteria
|
||||||
|
|
||||||
When using a [plural resource](#plural-resource), a _`filter criterion`_ is used to select individual test subjects within a [filter statement](#filter-statement). You may use multiple _`filter criteria`_ in a single filter statement.
|
When using a [plural resource](#plural-resource), a _`filter criterion`_ is used to select individual test subjects within a [filter statement](#filter-statement). You may use multiple _`filter criteria`_ in a single filter statement.
|
||||||
|
|
||||||
|
@ -193,7 +193,7 @@ When method-call syntax is used with the filter statement, you provide filter cr
|
||||||
|
|
||||||
Here, `(color: blue)` is a single filter criterion being used with a filter statement in method-call syntax.
|
Here, `(color: blue)` is a single filter criterion being used with a filter statement in method-call syntax.
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
# Count only blue cars
|
# Count only blue cars
|
||||||
describe cars.where(color: 'blue') do
|
describe cars.where(color: 'blue') do
|
||||||
its('count') { should eq 20 }
|
its('count') { should eq 20 }
|
||||||
|
@ -204,14 +204,14 @@ When block-method syntax is used with the filter statement, you provide a block.
|
||||||
|
|
||||||
Here, `{ engine_cylinders >= 6 }` is a block-syntax filter statement referring to one filter criterion.
|
Here, `{ engine_cylinders >= 6 }` is a block-syntax filter statement referring to one filter criterion.
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
# Vroom!
|
# Vroom!
|
||||||
describe cars.where { engine_cylinders >= 6 } do
|
describe cars.where { engine_cylinders >= 6 } do
|
||||||
its('city_mpg_ratings') { should_not include '4-star' }
|
its('city_mpg_ratings') { should_not include '4-star' }
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
### input
|
### Input
|
||||||
|
|
||||||
An _`input`_ is a value that Chef InSpec can source from a number of providers, including from the command line, profile metadata, or within the control file DSL itself. You can use this feature either to change a [profile's](#profile) behavior by passing different attribute files or to store secrets that should not be directly present in a profile.
|
An _`input`_ is a value that Chef InSpec can source from a number of providers, including from the command line, profile metadata, or within the control file DSL itself. You can use this feature either to change a [profile's](#profile) behavior by passing different attribute files or to store secrets that should not be directly present in a profile.
|
||||||
|
|
||||||
|
@ -221,7 +221,7 @@ The CLI syntax for inputs is documented under the [`inspec exec`](/inspec/cli/#e
|
||||||
|
|
||||||
Inputs are documented in detail in the [input documentation](/inspec/inputs/).
|
Inputs are documented in detail in the [input documentation](/inspec/inputs/).
|
||||||
|
|
||||||
### it
|
### It
|
||||||
|
|
||||||
Within a [describe block](#describe), _`it`_ declares an individual [test](#test) directly against the [resource](#resource) (as opposed to testing against one of the resource's [properties](#property), as [its](#its) does). Though it is possible to use [universal matchers](#universal-matcher) with `it`, it is much more typical to use [resource-specific matchers](#resource-specific-matchers).
|
Within a [describe block](#describe), _`it`_ declares an individual [test](#test) directly against the [resource](#resource) (as opposed to testing against one of the resource's [properties](#property), as [its](#its) does). Though it is possible to use [universal matchers](#universal-matcher) with `it`, it is much more typical to use [resource-specific matchers](#resource-specific-matchers).
|
||||||
|
|
||||||
|
@ -229,13 +229,13 @@ Within a [describe block](#describe), _`it`_ declares an individual [test](#test
|
||||||
|
|
||||||
Here, `it { should ... }` declares a test, calling the `classy?` matcher on Tony Clifton's car.
|
Here, `it { should ... }` declares a test, calling the `classy?` matcher on Tony Clifton's car.
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
describe car(owner: 'Tony Clifton') do
|
describe car(owner: 'Tony Clifton') do
|
||||||
it { should be_classy }
|
it { should be_classy }
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
### its
|
### Its
|
||||||
|
|
||||||
Within a [describe block](#describe), _`its`_ declares an individual [test](#test) against a property of the [resource](#resource) (as opposed to testing directly against the resource itself, as [it](#it) does). You must use [universal matchers](#universal-matcher) with `its`; you cannot use [resource-specific matchers](#resource-specific-matchers).
|
Within a [describe block](#describe), _`its`_ declares an individual [test](#test) against a property of the [resource](#resource) (as opposed to testing directly against the resource itself, as [it](#it) does). You must use [universal matchers](#universal-matcher) with `its`; you cannot use [resource-specific matchers](#resource-specific-matchers).
|
||||||
|
|
||||||
|
@ -245,7 +245,7 @@ The property to access is passed as a single string argument to `its`. As an adv
|
||||||
|
|
||||||
Here, `its('fuzzy_dice') { should ... }` declares a test, testing against the `fuzzy_dice` property of Tony Clifton's car. Let's assume - Tony being Tony - that `fuzzy_dice` will return an Array.
|
Here, `its('fuzzy_dice') { should ... }` declares a test, testing against the `fuzzy_dice` property of Tony Clifton's car. Let's assume - Tony being Tony - that `fuzzy_dice` will return an Array.
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
describe car(owner: 'Tony Clifton') do
|
describe car(owner: 'Tony Clifton') do
|
||||||
its('fuzzy_dice') { should_not be_empty }
|
its('fuzzy_dice') { should_not be_empty }
|
||||||
its('fuzzy_dice.count') { should be >= 2 }
|
its('fuzzy_dice.count') { should be >= 2 }
|
||||||
|
@ -253,7 +253,7 @@ describe car(owner: 'Tony Clifton') do
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
### matcher
|
### Matcher
|
||||||
|
|
||||||
A _`matcher`_ performs the actual assertions against [resources](#resource) or the [properties](#property) of resources. Matchers always return a true/false value. Matchers fall into two camps:
|
A _`matcher`_ performs the actual assertions against [resources](#resource) or the [properties](#property) of resources. Matchers always return a true/false value. Matchers fall into two camps:
|
||||||
|
|
||||||
|
@ -266,13 +266,33 @@ For information on how RSpec matchers are related o Chef InSpec matchers, see [C
|
||||||
|
|
||||||
Here, `be_classy` is a resource-specific matcher operating directly on the `car`, while `cmp` is a universal matcher operating on the `manufacturer` property.
|
Here, `be_classy` is a resource-specific matcher operating directly on the `car`, while `cmp` is a universal matcher operating on the `manufacturer` property.
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
describe car(owner: 'Tony Clifton') do
|
describe car(owner: 'Tony Clifton') do
|
||||||
it { should be_classy }
|
it { should be_classy }
|
||||||
its('manufacturer') { should cmp 'Cadillac' }
|
its('manufacturer') { should cmp 'Cadillac' }
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Operator Matcher
|
||||||
|
|
||||||
|
An operator matcher allows you to use operators to compare numerical [expected results](#expected-result) against a [property](#property). All plural resources have a `count` property.
|
||||||
|
|
||||||
|
For example:
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe cars do
|
||||||
|
its('count') { should be >= 10 }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
Operators include:
|
||||||
|
|
||||||
|
- `==`
|
||||||
|
- `>=`
|
||||||
|
- `<=`
|
||||||
|
- `>`
|
||||||
|
- `<`
|
||||||
|
|
||||||
### plural resource
|
### plural resource
|
||||||
|
|
||||||
A _`plural resource`_ is a [resource](#resource) that specializes in performing searches and represents multiple occurrences of the resource on the [target](#target) platform. Plural resources are used to audit counts, inspect group properties, and have the unique ability to enforce negative tests ("nothing like this should exist") often required by compliance standards. Plural resources are not intended to perform in-depth auditing of an individual; use [singular resources](#singular-resource) for that.
|
A _`plural resource`_ is a [resource](#resource) that specializes in performing searches and represents multiple occurrences of the resource on the [target](#target) platform. Plural resources are used to audit counts, inspect group properties, and have the unique ability to enforce negative tests ("nothing like this should exist") often required by compliance standards. Plural resources are not intended to perform in-depth auditing of an individual; use [singular resources](#singular-resource) for that.
|
||||||
|
@ -283,7 +303,7 @@ Plural resources support [filter statements](#filter-statement). See the [resour
|
||||||
|
|
||||||
Here, `cars` is a plural resource.
|
Here, `cars` is a plural resource.
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
describe cars.where(color: 'blue') do
|
describe cars.where(color: 'blue') do
|
||||||
its('count') { should eq 20 }
|
its('count') { should eq 20 }
|
||||||
its('license_plates') { should include 'AUTOAZUL' }
|
its('license_plates') { should include 'AUTOAZUL' }
|
||||||
|
@ -297,7 +317,7 @@ describe cars.where(color: 'blue') do
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
### profile
|
### Profile
|
||||||
|
|
||||||
A _`profile`_ is a set of related [controls](#control) in a distributable form. You might have a locally-developed profile that your organization uses to define baseline security on all machines, or you might use a pre-defined profile that implements the requirements of a specific compliance standard. For full details about the capabilities of a profile, see the [profile documentation](/inspec/profiles/).
|
A _`profile`_ is a set of related [controls](#control) in a distributable form. You might have a locally-developed profile that your organization uses to define baseline security on all machines, or you might use a pre-defined profile that implements the requirements of a specific compliance standard. For full details about the capabilities of a profile, see the [profile documentation](/inspec/profiles/).
|
||||||
|
|
||||||
|
@ -305,7 +325,7 @@ Profiles may be distributed locally as a directory tree, as a tarball or zipfile
|
||||||
|
|
||||||
Aside from controls, profiles can also contain [custom resources](#custom-resource). If the profile contains only custom resources and no controls, we call it a [resource pack](#resource-pack).
|
Aside from controls, profiles can also contain [custom resources](#custom-resource). If the profile contains only custom resources and no controls, we call it a [resource pack](#resource-pack).
|
||||||
|
|
||||||
### property
|
### Property
|
||||||
|
|
||||||
A fact about a [resource](#resource). Typically, you use the [its](#its) keyword to access the property and write a [test](#test) within a [describe block](#describe-block), and then use a [universal matcher](#universal-matcher) to make assertions about the value of the property.
|
A fact about a [resource](#resource). Typically, you use the [its](#its) keyword to access the property and write a [test](#test) within a [describe block](#describe-block), and then use a [universal matcher](#universal-matcher) to make assertions about the value of the property.
|
||||||
|
|
||||||
|
@ -313,17 +333,17 @@ Each resource has different properties. See the [resource documentation](/inspec
|
||||||
|
|
||||||
Here, `manufacturer` is a property of the `car` resource.
|
Here, `manufacturer` is a property of the `car` resource.
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
describe car(owner: 'Tony Clifton') do
|
describe car(owner: 'Tony Clifton') do
|
||||||
its('manufacturer') { should cmp 'Cadillac' }
|
its('manufacturer') { should cmp 'Cadillac' }
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
### reporter
|
### Reporter
|
||||||
|
|
||||||
An output format for the `inspec exec` command line. Several reporters are available, including JSON and JUnit; see the [inspec exec documentation](/inspec/cli/#exec).
|
An output format for the `inspec exec` command line. Several reporters are available, including JSON and JUnit; see the [inspec exec documentation](/inspec/cli/#exec).
|
||||||
|
|
||||||
### resource
|
### Resource
|
||||||
|
|
||||||
A _`resource`_ represents a category of things on the [target](#target) you wish to examine. For example, to check for the existence and permissions of a file, you would use the [`file`](/inspec/resources/file/) resource. Chef InSpec offers dozens of different resources, from the highly specialized (such as `aws_security_group`, which examines firewall rules in AWS) to the very general (such as `command`, which runs a command and lets you examine its output).
|
A _`resource`_ represents a category of things on the [target](#target) you wish to examine. For example, to check for the existence and permissions of a file, you would use the [`file`](/inspec/resources/file/) resource. Chef InSpec offers dozens of different resources, from the highly specialized (such as `aws_security_group`, which examines firewall rules in AWS) to the very general (such as `command`, which runs a command and lets you examine its output).
|
||||||
|
|
||||||
|
@ -333,17 +353,17 @@ Resources are used within a [describe block](#describe-block) to perform [tests]
|
||||||
|
|
||||||
Here, `car` is a resource.
|
Here, `car` is a resource.
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
describe car(owner: 'Tony Clifton') do
|
describe car(owner: 'Tony Clifton') do
|
||||||
it { should be_classy }
|
it { should be_classy }
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
### resource pack
|
### Resource Pack
|
||||||
|
|
||||||
A _resource pack_ is a type of [profile](#profile) that is used to distribute [custom resources](#custom-resource). This specialized type of profile contains no [controls](#control), but it does contain a `libraries` directory within which Ruby files define custom resources.
|
A _resource pack_ is a type of [profile](#profile) that is used to distribute [custom resources](#custom-resource). This specialized type of profile contains no [controls](#control), but it does contain a `libraries` directory within which Ruby files define custom resources.
|
||||||
|
|
||||||
### resource parameter
|
### Resource Parameter
|
||||||
|
|
||||||
_`resource parameters`_ are information passed to the resource when they are declared. Typically, resource parameters provide identifying information or connectivity information. Resource parameters are not the same as a [filter statement](#filter-statement).
|
_`resource parameters`_ are information passed to the resource when they are declared. Typically, resource parameters provide identifying information or connectivity information. Resource parameters are not the same as a [filter statement](#filter-statement).
|
||||||
|
|
||||||
|
@ -351,39 +371,39 @@ Resource parameters vary from resource to resource; refer to the [resource docum
|
||||||
|
|
||||||
Here, `owner: 'Tony Clifton'` is a resource parameter.
|
Here, `owner: 'Tony Clifton'` is a resource parameter.
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
describe car(owner: 'Tony Clifton') do
|
describe car(owner: 'Tony Clifton') do
|
||||||
it { should be_classy }
|
it { should be_classy }
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
### resource-specific matcher
|
### Resource-Specific Matcher
|
||||||
|
|
||||||
A [matcher](#matcher) that operates directly on the [resource](#resource), as opposed to operating on a property as a [universal matcher](#universal matcher) does.
|
A [matcher](#matcher) that operates directly on the [resource](#resource), as opposed to operating on a property as a [universal matcher](#universal-matcher) does.
|
||||||
|
|
||||||
Resource-specific matchers often provide highly customized behavior. Check the [resource documentation](#/inspec/resources/) to discover which resource-specific matchers are available for your resource.
|
Resource-specific matchers often provide highly customized behavior. Check the [resource documentation](#/inspec/resources/) to discover which resource-specific matchers are available for your resource.
|
||||||
|
|
||||||
For example, the hypothetical `car` resource defines a `classy?` method, which is exposed as the `be_classy` matcher in Chef InSpec tests.
|
For example, the hypothetical `car` resource defines a `classy?` method, which is exposed as the `be_classy` matcher in Chef InSpec tests.
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
describe car(owner: 'Tony Clifton') do
|
describe car(owner: 'Tony Clifton') do
|
||||||
it { should be_classy }
|
it { should be_classy }
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
### singular resource
|
### Singular Resource
|
||||||
|
|
||||||
A [resource](#resource) intended to uniquely identify a single object on the [target](#target). Singular resources specialize in providing richer auditing capabilities via resource-specific matchers. Compare to [plural resources](#plural-resource).
|
A [resource](#resource) intended to uniquely identify a single object on the [target](#target). Singular resources specialize in providing richer auditing capabilities via resource-specific matchers. Compare to [plural resources](#plural-resource).
|
||||||
|
|
||||||
### target
|
### Target
|
||||||
|
|
||||||
The _`target`_ is the OS or API on which Chef InSpec is performing audits. In Chef InSpec 1.x, this was always an operating system target (a bare metal machine, VM, or container). In Chef InSpec 2.x and later, this can be an OS target, or an API target, including cloud providers such as AWS. Chef InSpec is agentless, meaning that the Chef InSpec code and profiles remain on your workstation, and the target is remotely interrogated without installing anything.
|
The _`target`_ is the OS or API on which Chef InSpec is performing audits. In Chef InSpec 1.x, this was always an operating system target (a bare metal machine, VM, or container). In Chef InSpec 2.x and later, this can be an OS target, or an API target, including cloud providers such as AWS. Chef InSpec is agentless, meaning that the Chef InSpec code and profiles remain on your workstation, and the target is remotely interrogated without installing anything.
|
||||||
|
|
||||||
### test
|
### Test
|
||||||
|
|
||||||
A _`test`_ is an individual assertion about the state of the [resource](#resource) or one of its [properties](#property). All tests begin with the keyword [it](#it) or [its](#its). Tests are grouped within a [describe block](#describe-block).
|
A _`test`_ is an individual assertion about the state of the [resource](#resource) or one of its [properties](#property). All tests begin with the keyword [it](#it) or [its](#its). Tests are grouped within a [describe block](#describe-block).
|
||||||
|
|
||||||
### universal matcher
|
### Universal Matcher
|
||||||
|
|
||||||
A _universal matcher_ is a [matcher](#matcher) that can be used on the [properties](#property) of any type of [resource](#resource). For example, you can use the `cmp` matcher to check the value of properties without having to worry about Ruby type-casting. Universal matchers are almost always used with the [its](#its) keyword.
|
A _universal matcher_ is a [matcher](#matcher) that can be used on the [properties](#property) of any type of [resource](#resource). For example, you can use the `cmp` matcher to check the value of properties without having to worry about Ruby type-casting. Universal matchers are almost always used with the [its](#its) keyword.
|
||||||
|
|
||||||
|
@ -391,7 +411,7 @@ Universal matchers are documented on the [Universal Matchers](/inspec/matchers/)
|
||||||
|
|
||||||
Here, we access the 'color' property, then use the `cmp` universal matcher to compare the property to the 'black' [expected result](#expected-result).
|
Here, we access the 'color' property, then use the `cmp` universal matcher to compare the property to the 'black' [expected result](#expected-result).
|
||||||
|
|
||||||
```Ruby
|
```ruby
|
||||||
describe car(owner: 'Bruce Wayne') do
|
describe car(owner: 'Bruce Wayne') do
|
||||||
its('color') { should cmp 'black' }
|
its('color') { should cmp 'black' }
|
||||||
end
|
end
|
||||||
|
|
|
@ -416,6 +416,12 @@ input values that are used as test results.
|
||||||
|
|
||||||
Allowed in: Metadata
|
Allowed in: Metadata
|
||||||
|
|
||||||
|
### Pattern
|
||||||
|
|
||||||
|
Optional, `Regexp`. This feature validates the input by matching it with the provided regular expression.
|
||||||
|
|
||||||
|
Allowed in: DSL, Metadata
|
||||||
|
|
||||||
## Advanced Topics
|
## Advanced Topics
|
||||||
|
|
||||||
### Debugging Inputs with the Event Log
|
### Debugging Inputs with the Event Log
|
||||||
|
|
|
@ -35,7 +35,7 @@ create an IAM user specifically for auditing activities.
|
||||||
#### Using Environment Variables to provide credentials
|
#### Using Environment Variables to provide credentials
|
||||||
|
|
||||||
You may provide the credentials to Chef InSpec by setting the following environment
|
You may provide the credentials to Chef InSpec by setting the following environment
|
||||||
variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_KEY_ID`. You may
|
variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_ACCESS_KEY`. You may
|
||||||
also use `AWS_PROFILE`, or if you are using MFA, `AWS_SESSION_TOKEN`. See the
|
also use `AWS_PROFILE`, or if you are using MFA, `AWS_SESSION_TOKEN`. See the
|
||||||
[AWS Command Line Interface Docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html)
|
[AWS Command Line Interface Docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html)
|
||||||
for details.
|
for details.
|
||||||
|
@ -163,7 +163,7 @@ version is 3.0.25.
|
||||||
With a version of InSpec above 4.0.0, it is possible to create a profile with the
|
With a version of InSpec above 4.0.0, it is possible to create a profile with the
|
||||||
following command:
|
following command:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
$ inspec init profile --platform gcp my-profile
|
$ inspec init profile --platform gcp my-profile
|
||||||
Create new profile at /Users/me/my-profile
|
Create new profile at /Users/me/my-profile
|
||||||
* Creating directory libraries
|
* Creating directory libraries
|
||||||
|
@ -171,15 +171,15 @@ Create new profile at /Users/me/my-profile
|
||||||
* Creating directory controls
|
* Creating directory controls
|
||||||
* Creating file controls/example.rb
|
* Creating file controls/example.rb
|
||||||
* Creating file inspec.yml
|
* Creating file inspec.yml
|
||||||
* Creating file attributes.yml
|
* Creating file inputs.yml
|
||||||
* Creating file libraries/.gitkeep
|
* Creating file libraries/.gitkeep
|
||||||
```
|
```
|
||||||
|
|
||||||
Assuming the attributes yml file contains your GCP project ID, this sample
|
Assuming the `inputs.yml` file contains your GCP project ID, this sample
|
||||||
profile can then be executed using the following command:
|
profile can then be executed using the following command:
|
||||||
|
|
||||||
```
|
```bash
|
||||||
inspec exec my-profile --attrs my-profile/attributes.yml -t gcp://
|
inspec exec my-profile --input-file=my-profile/inputs.yml -t gcp://
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Setting up the GCP Credentials File
|
#### Setting up the GCP Credentials File
|
||||||
|
@ -216,4 +216,4 @@ $ inspec detect -t gcp://
|
||||||
Name: gcp
|
Name: gcp
|
||||||
Families: cloud, api
|
Families: cloud, api
|
||||||
Release: google-cloud-v
|
Release: google-cloud-v
|
||||||
```
|
```
|
||||||
|
|
|
@ -35,11 +35,17 @@ suites:
|
||||||
and then run the following command:
|
and then run the following command:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
inspec compliance login https://compliance.test --user admin --insecure --token ''
|
inspec automate login https://compliance.test --user admin --insecure --token ''
|
||||||
```
|
```
|
||||||
|
|
||||||
where `--insecure` is required when using self-signed certificates.
|
where `--insecure` is required when using self-signed certificates.
|
||||||
|
|
||||||
|
`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
inspec compliance login https://compliance.test --user admin --insecure --token ''
|
||||||
|
```
|
||||||
|
|
||||||
Use a compliance profile from the Chef Supermarket:
|
Use a compliance profile from the Chef Supermarket:
|
||||||
|
|
||||||
```YML
|
```YML
|
||||||
|
|
|
@ -76,9 +76,9 @@ inspec plugin install --source https://my.private.server inspec-private-plugin
|
||||||
### Chef InSpec Plugins
|
### Chef InSpec Plugins
|
||||||
|
|
||||||
For details on how to author a Chef InSpec Plugin, see the
|
For details on how to author a Chef InSpec Plugin, see the
|
||||||
[developer documentation](https://github.com/inspec/inspec/blob/master/dev-docs/plugins.md)
|
[developer documentation](https://github.com/inspec/inspec/blob/main/dev-docs/plugins.md)
|
||||||
|
|
||||||
### Train Plugins
|
### Train Plugins
|
||||||
|
|
||||||
For details on how to author a Train Plugin, see the
|
For details on how to author a Train Plugin, see the
|
||||||
[developer documentation](https://github.com/inspec/train/blob/master/docs/plugins.md)
|
[developer documentation](https://github.com/inspec/train/blob/main/docs/plugins.md)
|
||||||
|
|
|
@ -41,7 +41,7 @@ where:
|
||||||
- `README.md` should be used to explain the profile, its scope, and usage
|
- `README.md` should be used to explain the profile, its scope, and usage
|
||||||
|
|
||||||
See a complete example profile in the Chef InSpec open source repository:
|
See a complete example profile in the Chef InSpec open source repository:
|
||||||
[Example Chef InSpec Profile](https://github.com/chef/inspec/tree/master/examples/profile)
|
[Example Chef InSpec Profile](https://github.com/chef/inspec/tree/main/examples/profile)
|
||||||
|
|
||||||
Also check out [Explore Chef InSpec resources](https://learn.chef.io/modules/explore-inspec-resources#/)
|
Also check out [Explore Chef InSpec resources](https://learn.chef.io/modules/explore-inspec-resources#/)
|
||||||
on Learn Chef Rally to learn more about how profiles are structured with hands-on-examples.
|
on Learn Chef Rally to learn more about how profiles are structured with hands-on-examples.
|
||||||
|
@ -132,25 +132,25 @@ supports:
|
||||||
- platform-name: debian
|
- platform-name: debian
|
||||||
```
|
```
|
||||||
|
|
||||||
To target only Ubuntu version 14.04, use:
|
To target only Ubuntu version 20.04, use:
|
||||||
|
|
||||||
```YAML
|
```YAML
|
||||||
name: ssh
|
name: ssh
|
||||||
supports:
|
supports:
|
||||||
- platform-name: ubuntu
|
- platform-name: ubuntu
|
||||||
release: 14.04
|
release: 20.04
|
||||||
```
|
```
|
||||||
|
|
||||||
To target the entire release of Ubuntu version 14.x, use:
|
To target the entire release of Ubuntu version 20.x, use:
|
||||||
|
|
||||||
```YAML
|
```YAML
|
||||||
name: ssh
|
name: ssh
|
||||||
supports:
|
supports:
|
||||||
- platform-name: ubuntu
|
- platform-name: ubuntu
|
||||||
release: 14.*
|
release: 20.*
|
||||||
```
|
```
|
||||||
|
|
||||||
To target the entire RedHat platform (including CentOS and Oracle Linux), use:
|
To target the Red Hat and derivitive platforms such as CentOS and Oracle Linux, use:
|
||||||
|
|
||||||
```YAML
|
```YAML
|
||||||
name: ssh
|
name: ssh
|
||||||
|
@ -158,7 +158,7 @@ supports:
|
||||||
- platform-family: redhat
|
- platform-family: redhat
|
||||||
```
|
```
|
||||||
|
|
||||||
To target the entire Windows 2019 platform family including Datcenter and Core Servers, use:
|
To target the entire Windows 2019 platform family including Datacenter and Core Servers, use:
|
||||||
|
|
||||||
```YAML
|
```YAML
|
||||||
name: ssh
|
name: ssh
|
||||||
|
@ -181,7 +181,7 @@ name: ssh
|
||||||
supports:
|
supports:
|
||||||
- platform-name: debian
|
- platform-name: debian
|
||||||
- platform-name: ubuntu
|
- platform-name: ubuntu
|
||||||
release: 14.04
|
release: 20.04
|
||||||
- platform-family: redhat
|
- platform-family: redhat
|
||||||
- platform: aws
|
- platform: aws
|
||||||
```
|
```
|
||||||
|
|
|
@ -90,6 +90,35 @@ Output cli to screen and write json to a file.
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
## Reporter Options
|
||||||
|
|
||||||
|
The following are CLI options that may be used to modify reporter behavior. Many of these options allow you to limit the size of the report, because some reporters (such as the json-automate reporter) have a limit on the total size of the report that can be processed.
|
||||||
|
|
||||||
|
`--diff`, `--no-diff`
|
||||||
|
|
||||||
|
: Include a `diff` comparison of textual differences in failed test output (default: `true`).
|
||||||
|
|
||||||
|
: Use `--no-diff` to limit the size of the report output when tests contain large amounts of text output.
|
||||||
|
|
||||||
|
`--filter-empty-profiles`
|
||||||
|
|
||||||
|
: Remove empty profiles (those containing zero controls, such as resource packs) from the output of the reporter.
|
||||||
|
|
||||||
|
`--reporter-backtrace-inclusion`, `--no-reporter-backtrace-inclusion`
|
||||||
|
|
||||||
|
: Include a code backtrace in report data (default: `true`).
|
||||||
|
|
||||||
|
: The `--no-reporter-backtrace-inclusion` option may be used to limit report size when large code stack traces are present in the output.
|
||||||
|
|
||||||
|
`--reporter-include-source`
|
||||||
|
|
||||||
|
: (CLI reporter only) Include full source code of controls in the report.
|
||||||
|
|
||||||
|
`--reporter-message-truncation=N`
|
||||||
|
|
||||||
|
: Number of characters to truncate failure messages in report data (default: no truncation).
|
||||||
|
|
||||||
|
: This may be used to limit the size of reports when failure messages are exceptionally large.
|
||||||
|
|
||||||
## Supported Reporters
|
## Supported Reporters
|
||||||
|
|
||||||
|
@ -101,7 +130,7 @@ This is the basic text base report. It includes details about which tests passed
|
||||||
|
|
||||||
### json
|
### json
|
||||||
|
|
||||||
This reporter includes all information about the profiles and test results in standard JSON format. You may optionally pass through arbitrary structured JSON data by setting a JSON configuration with the `--config` parameter.
|
This reporter includes all information about the profiles and test results in standard JSON format. You may optionally pass through arbitrary structured JSON data by setting a JSON configuration with the `--config` parameter.
|
||||||
|
|
||||||
For example:
|
For example:
|
||||||
|
|
||||||
|
|
|
@ -19,6 +19,10 @@ Use the `apache_conf` Chef InSpec audit resource to test the configuration setti
|
||||||
|
|
||||||
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
### Requirements
|
||||||
|
|
||||||
|
`ServerRoot` must be included in an Apache configuration file. If not present, the included configurations will not be accessible to the resource.
|
||||||
|
|
||||||
### Version
|
### Version
|
||||||
|
|
||||||
This resource first became available in v1.0.0 of InSpec.
|
This resource first became available in v1.0.0 of InSpec.
|
||||||
|
|
|
@ -11,7 +11,6 @@ platform = "aws"
|
||||||
parent = "inspec/resources/aws"
|
parent = "inspec/resources/aws"
|
||||||
+++
|
+++
|
||||||
|
|
||||||
[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/aws_ecr_repository.md)
|
|
||||||
|
|
||||||
Use the `aws_ecr_repository` InSpec audit resource to test the properties of a single AWS Elastic Container Registry (ECR) repository.
|
Use the `aws_ecr_repository` InSpec audit resource to test the properties of a single AWS Elastic Container Registry (ECR) repository.
|
||||||
This resource is available in InSpec AWS resource pack version **[1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0)** onwards.
|
This resource is available in InSpec AWS resource pack version **[1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0)** onwards.
|
||||||
|
|
|
@ -11,7 +11,6 @@ platform = "aws"
|
||||||
parent = "inspec/resources/aws"
|
parent = "inspec/resources/aws"
|
||||||
+++
|
+++
|
||||||
|
|
||||||
[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/inspec/rources/aws_efs_file_system.md)
|
|
||||||
|
|
||||||
Use the `aws_efs_file_system` InSpec audit resource to test the properties of a single AWS EFS file system.
|
Use the `aws_efs_file_system` InSpec audit resource to test the properties of a single AWS EFS file system.
|
||||||
This resource is added to InSpec AWS resource pack in version **[1.10.0](https://github.com/inspec/inspec-aws/releases/tag/v1.10.0)** and it is available with InSpec **[4.18.108](https://github.com/inspec/inspec/releases/tag/v4.18.108)** and later versions.
|
This resource is added to InSpec AWS resource pack in version **[1.10.0](https://github.com/inspec/inspec-aws/releases/tag/v1.10.0)** and it is available with InSpec **[4.18.108](https://github.com/inspec/inspec/releases/tag/v4.18.108)** and later versions.
|
||||||
|
|
|
@ -11,7 +11,6 @@ platform = "aws"
|
||||||
parent = "inspec/resources/aws"
|
parent = "inspec/resources/aws"
|
||||||
+++
|
+++
|
||||||
|
|
||||||
[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/aws_elasticache_cluster.md)
|
|
||||||
|
|
||||||
Use the `aws_elasticache_cluster` InSpec audit resource to test the properties of a single AWS ElastiCache cluster.
|
Use the `aws_elasticache_cluster` InSpec audit resource to test the properties of a single AWS ElastiCache cluster.
|
||||||
|
|
||||||
|
|
|
@ -102,7 +102,7 @@ There are also additional properties available. For a comprehensive list, see [t
|
||||||
its('nat_gateway_address_set') { should include(:private_ip => '10.0.1.68') }
|
its('nat_gateway_address_set') { should include(:private_ip => '10.0.1.68') }
|
||||||
end
|
end
|
||||||
|
|
||||||
For more examples, please check the [integration tests](https://github.com/inspec/inspec-aws/blob/master/test/integration/verify/controls/aws_nat_gateway.rb).
|
For more examples, please check the [integration tests](https://github.com/inspec/inspec-aws/blob/main/test/integration/verify/controls/aws_nat_gateway.rb).
|
||||||
|
|
||||||
## Matchers
|
## Matchers
|
||||||
|
|
||||||
|
|
|
@ -56,7 +56,7 @@ using `aws_nat_gateway` InSpec singular AWS resource.
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
For more examples, please check the [integration tests](https://github.com/inspec/inspec-aws/blob/master/test/integration/verify/controls/aws_nat_gateways.rb).
|
For more examples, please check the [integration tests](https://github.com/inspec/inspec-aws/blob/main/test/integration/verify/controls/aws_nat_gateways.rb).
|
||||||
|
|
||||||
## Matchers
|
## Matchers
|
||||||
|
|
||||||
|
@ -77,7 +77,7 @@ Use `should_not` to test the entity should not exist.
|
||||||
it { should_not exist }
|
it { should_not exist }
|
||||||
end
|
end
|
||||||
|
|
||||||
Please see [here](https://github.com/inspec/inspec/blob/master/docs/dev/filtertable-usage.md) for more information on how to use filter table.
|
Please see [here](https://github.com/inspec/inspec/blob/main/docs/dev/filtertable-usage.md) for more information on how to use filter table.
|
||||||
|
|
||||||
## AWS Permissions
|
## AWS Permissions
|
||||||
|
|
||||||
|
|
|
@ -50,7 +50,7 @@ _**If the current Account is the Master Account, the following properties are al
|
||||||
| ------------- | ------------------------------------------------------ |
|
| ------------- | ------------------------------------------------------ |
|
||||||
| account_id | The ID of the current Account. |
|
| account_id | The ID of the current Account. |
|
||||||
| account_arn | The ARN of the current Account. |
|
| account_arn | The ARN of the current Account. |
|
||||||
| account_name | The Name of the current Acccount. |
|
| account_name | The Name of the current Account. |
|
||||||
| account_email | The Email address associated with the current Account. |
|
| account_email | The Email address associated with the current Account. |
|
||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
|
@ -11,7 +11,7 @@ platform = "aws"
|
||||||
parent = "inspec/resources/aws"
|
parent = "inspec/resources/aws"
|
||||||
+++
|
+++
|
||||||
|
|
||||||
[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/aws_sns_subscription.md)
|
[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/main/docs-chef-io/content/aws_sns_subscription.md)
|
||||||
|
|
||||||
Use the `aws_sns_subscription` InSpec audit resource to test detailed properties of a AWS SNS Subscription.
|
Use the `aws_sns_subscription` InSpec audit resource to test detailed properties of a AWS SNS Subscription.
|
||||||
|
|
||||||
|
@ -52,7 +52,7 @@ See also the [AWS documentation on SNS](https://docs.aws.amazon.com/sns/latest/d
|
||||||
its('endpoint') { should cmp '+16105551234' }
|
its('endpoint') { should cmp '+16105551234' }
|
||||||
# If protocol is 'email' or 'email-json', endpoint should be an email address
|
# If protocol is 'email' or 'email-json', endpoint should be an email address
|
||||||
its('endpoint') { should cmp 'myemail@example.com' }
|
its('endpoint') { should cmp 'myemail@example.com' }
|
||||||
# If protocal is 'http', endpoint should be a URL beginning with 'https://'
|
# If protocol is 'http', endpoint should be a URL beginning with 'https://'
|
||||||
its('endpoint') { should cmp 'https://www.exampleurl.com' }
|
its('endpoint') { should cmp 'https://www.exampleurl.com' }
|
||||||
# If the protocol is 'lambda', its endpoint should be the ARN of a AWS Lambda function
|
# If the protocol is 'lambda', its endpoint should be the ARN of a AWS Lambda function
|
||||||
its('endpoint') { should cmp 'rn:aws:lambda:us-east-1:account-id:function:myfunction' }
|
its('endpoint') { should cmp 'rn:aws:lambda:us-east-1:account-id:function:myfunction' }
|
||||||
|
|
|
@ -178,4 +178,4 @@ This Chef InSpec audit resource has the following special matchers. For a full l
|
||||||
|
|
||||||
Please see the integration tests for in depth examples of how this resource can be used.
|
Please see the integration tests for in depth examples of how this resource can be used.
|
||||||
|
|
||||||
[Chef InSpec Integration Tests for Azure Generic Resources](https://github.com/chef/inspec/tree/master/test/integration/azure/verify/controls)
|
[Chef InSpec Integration Tests for Azure Generic Resources](https://github.com/chef/inspec/tree/main/test/integration/azure/verify/controls)
|
||||||
|
|
|
@ -291,5 +291,5 @@ Note: The tag name is case sensitive which makes the test case sensitive. E.g. `
|
||||||
|
|
||||||
For more information on Azure Ruby SDK resources, see:
|
For more information on Azure Ruby SDK resources, see:
|
||||||
|
|
||||||
- [Azure Ruby SDK - Resources](https://github.com/Azure/azure-sdk-for-ruby/tree/master/management/azure_mgmt_resources)
|
- [Azure Ruby SDK - Resources](https://github.com/Azure/azure-sdk-for-ruby/tree/main/management/azure_mgmt_resources)
|
||||||
- [Resource Group](https://github.com/chef/inspec/blob/fc990346f2438690f0ac36a9f6606e61574a79b8/test/azure/verify/controls/resource_group.rb)
|
- [Resource Group](https://github.com/chef/inspec/blob/fc990346f2438690f0ac36a9f6606e61574a79b8/test/azure/verify/controls/resource_group.rb)
|
||||||
|
|
|
@ -348,6 +348,6 @@ Note: The tag name is case sensitive which makes the test case sensitive. E.g. `
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
- [Azure Ruby SDK - Resources](https://github.com/Azure/azure-sdk-for-ruby/tree/master/management/azure_mgmt_resources)
|
- [Azure Ruby SDK - Resources](https://github.com/Azure/azure-sdk-for-ruby/tree/main/management/azure_mgmt_resources)
|
||||||
- [Virtual Machine External VM](https://github.com/chef/inspec/blob/fc990346f2438690f0ac36a9f6606e61574a79b8/test/azure/verify/controls/virtual_machine_external_vm.rb)
|
- [Virtual Machine External VM](https://github.com/chef/inspec/blob/fc990346f2438690f0ac36a9f6606e61574a79b8/test/azure/verify/controls/virtual_machine_external_vm.rb)
|
||||||
- [Virtual Machine Internal VM](https://github.com/chef/inspec/blob/fc990346f2438690f0ac36a9f6606e61574a79b8/test/azure/verify/controls/virtual_machine_internal_vm.rb)
|
- [Virtual Machine Internal VM](https://github.com/chef/inspec/blob/fc990346f2438690f0ac36a9f6606e61574a79b8/test/azure/verify/controls/virtual_machine_internal_vm.rb)
|
||||||
|
|
|
@ -221,6 +221,6 @@ Returns a boolean stating if the machine has Managed Disks for data disks.
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
- [Azure Ruby SDK - Compute](https://github.com/Azure/azure-sdk-for-ruby/tree/master/management/azure_mgmt_compute)
|
- [Azure Ruby SDK - Compute](https://github.com/Azure/azure-sdk-for-ruby/tree/main/management/azure_mgmt_compute)
|
||||||
- [Linux Internal Data Disks](https://github.com/chef/inspec/blob/master/test/azure/verify/controls/virtual_machine_linux_external_vm_datadisk.rb)
|
- [Linux Internal Data Disks](https://github.com/chef/inspec/blob/main/test/azure/verify/controls/virtual_machine_linux_external_vm_datadisk.rb)
|
||||||
- [Windows Internal Data Disk](https://github.com/chef/inspec/blob/master/test/azure/verify/controls/virtual_machine_windows_internal_vm_datadisk.rb)
|
- [Windows Internal Data Disk](https://github.com/chef/inspec/blob/main/test/azure/verify/controls/virtual_machine_windows_internal_vm_datadisk.rb)
|
||||||
|
|
|
@ -69,7 +69,7 @@ name and resource group.
|
||||||
|
|
||||||
## Parameter Examples
|
## Parameter Examples
|
||||||
|
|
||||||
The resource group as well as the Activty Log Alert
|
The resource group as well as the Activity Log Alert
|
||||||
name.
|
name.
|
||||||
|
|
||||||
describe azurerm_monitor_activity_log_alert(resource_group: 'example', name: 'AlertName') do
|
describe azurerm_monitor_activity_log_alert(resource_group: 'example', name: 'AlertName') do
|
||||||
|
|
|
@ -99,21 +99,21 @@ The default_security_rules property contains the set of Default Security Rules.
|
||||||
|
|
||||||
### allow_ssh_from_internet
|
### allow_ssh_from_internet
|
||||||
|
|
||||||
The allow_ssh_from_internet property contains a boolean value determined by analysing
|
The allow_ssh_from_internet property contains a boolean value determined by analyzing
|
||||||
the Security Rules and Default Security Rules for unrestricted SSH access.
|
the Security Rules and Default Security Rules for unrestricted SSH access.
|
||||||
|
|
||||||
it { should_not allow_ssh_from_internet }
|
it { should_not allow_ssh_from_internet }
|
||||||
|
|
||||||
### allow_rdp_from_internet
|
### allow_rdp_from_internet
|
||||||
|
|
||||||
The allow_rdp_from_internet property contains a boolean value determined by analysing
|
The allow_rdp_from_internet property contains a boolean value determined by analyzing
|
||||||
the Security Rules and Default Security Rules for unrestricted RDP access.
|
the Security Rules and Default Security Rules for unrestricted RDP access.
|
||||||
|
|
||||||
it { should_not allow_rdp_from_internet }
|
it { should_not allow_rdp_from_internet }
|
||||||
|
|
||||||
### allow\port_from_internet
|
### allow\port_from_internet
|
||||||
|
|
||||||
The allow_port_from_internet property contains a boolean value determined by analysing
|
The allow_port_from_internet property contains a boolean value determined by analyzing
|
||||||
the Security Rules and Default Security Rules for unrestricted access to a specified port.
|
the Security Rules and Default Security Rules for unrestricted access to a specified port.
|
||||||
|
|
||||||
it { should_not allow_port_from_internet('443') }
|
it { should_not allow_port_from_internet('443') }
|
||||||
|
|
|
@ -75,11 +75,10 @@ The `params` matcher tests arbitrary parameters for the bonded network interface
|
||||||
|
|
||||||
describe bond('bond0') do
|
describe bond('bond0') do
|
||||||
its('mode') { should eq 'IEEE 802.3ad Dynamic link aggregation' }
|
its('mode') { should eq 'IEEE 802.3ad Dynamic link aggregation' }
|
||||||
its('Transmit Hash Policy') { should eq 'layer3+4 (1)' }
|
its('params') { should have_key 'Transmit Hash Policy' }
|
||||||
its('MII Status') { should eq 'up' }
|
its('params') { should include 'Transmit Hash Policy' => 'layer3+4 (1)' }
|
||||||
its('MII Polling Interval (ms)') { should eq '100' }
|
its('params') { should have_key 'MII Status' }
|
||||||
its('Up Delay (ms)') { should eq '0' }
|
its('params') { should include 'MII Status' => 'up' }
|
||||||
its('Down Delay (ms)') { should eq '0' }
|
|
||||||
end
|
end
|
||||||
|
|
||||||
## Matchers
|
## Matchers
|
||||||
|
|
45
docs-chef-io/content/inspec/resources/cassandradb_conf.md
Normal file
45
docs-chef-io/content/inspec/resources/cassandradb_conf.md
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
+++
|
||||||
|
title = "cassandradb_conf resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "cassandradb_conf"
|
||||||
|
identifier = "inspec/resources/os/cassandradb_conf.md cassandradb_conf resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `cassandradb_conf` Chef InSpec audit resource to test the configuration of a Cassandra database, which is typically located at `$CASSANDRA_HOME/cassandra.yaml` or `$CASSANDRA_HOME\conf\cassandra.yaml` depending upon the platform.
|
||||||
|
|
||||||
|
## Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
- The value of the `CASSANDRA_HOME` environment variable must be set in the system.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
A `cassandradb_conf` resource block fetches configurations in the `cassandra.yaml` file, and then compares them with the value stated in the test:
|
||||||
|
|
||||||
|
describe cassandradb_conf do
|
||||||
|
its('config item') { should eq 'value' }
|
||||||
|
end
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
### Test parameters set within the configuration file
|
||||||
|
|
||||||
|
describe cassandradb_conf do
|
||||||
|
its('listen_address') { should eq 'localhost' }
|
||||||
|
its('num_tokens') { should eq 16 }
|
||||||
|
end
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
76
docs-chef-io/content/inspec/resources/cassandradb_session.md
Normal file
76
docs-chef-io/content/inspec/resources/cassandradb_session.md
Normal file
|
@ -0,0 +1,76 @@
|
||||||
|
+++
|
||||||
|
title = "cassandradb_session resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "cassandradb_session"
|
||||||
|
identifier = "inspec/resources/os/cassandradb_session.md cassandradb_session resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `cassandradb_session` Chef InSpec audit resource to test Cassandra Query Language (CQL) commands run against a Cassandra database.
|
||||||
|
|
||||||
|
## Availability
|
||||||
|
|
||||||
|
### Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
A `cassandradb_session` resource block declares the username, password, host, and port to use for the session, and then the command to be run:
|
||||||
|
|
||||||
|
describe cassandradb_session(user: 'USERNAME', password: 'PASSWORD', host: 'localhost', port: 9042).query('QUERY') do
|
||||||
|
its('value') { should eq('EXPECTED') }
|
||||||
|
end
|
||||||
|
|
||||||
|
where
|
||||||
|
|
||||||
|
- `cassandradb_session` declares a username, password, host and port to run the query.
|
||||||
|
- `query('QUERY')` contains the query to be run.
|
||||||
|
- `its('value') { should eq('expected') }` compares the results of the query against the expected result in the test.
|
||||||
|
|
||||||
|
### Optional Parameters
|
||||||
|
|
||||||
|
The `cassandradb_session` InSpec resource accepts `user`, `password`, `host`, and `port` parameters.
|
||||||
|
|
||||||
|
In Particular:
|
||||||
|
|
||||||
|
#### `user`
|
||||||
|
|
||||||
|
Default value: `cassandra`.
|
||||||
|
|
||||||
|
#### `password`
|
||||||
|
|
||||||
|
Default value: `cassandra`.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
### Test for matching values using a Cassandra query
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
cql = cassandradb_session(user: 'MY_USER', password: 'PASSWORD', host: 'localhost', port: 9042)
|
||||||
|
|
||||||
|
describe cql.query("SELECT cluster_name FROM system.local") do
|
||||||
|
its('output') { should match /Test Cluster/ }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
### Test for matching values using a Cassandra query from a sample database
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
cql = cassandradb_session(user: 'MY_USER', password: 'PASSWORD', host: 'localhost', port: 9042)
|
||||||
|
|
||||||
|
describe cql.query("use SAMPLEDB; SELECT name FROM SAMPLETABLE") do
|
||||||
|
its('output') { should match /Test Name/ }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
75
docs-chef-io/content/inspec/resources/chrony_conf.md
Normal file
75
docs-chef-io/content/inspec/resources/chrony_conf.md
Normal file
|
@ -0,0 +1,75 @@
|
||||||
|
+++
|
||||||
|
title = "chrony_conf resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "linux"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "chrony_conf"
|
||||||
|
identifier = "inspec/resources/os/chrony_conf.md chrony_conf resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `chrony_conf` Chef InSpec audit resource to test the synchronization settings defined in the `chrony.conf` file. This file is typically located at `/etc/chrony.conf`.
|
||||||
|
|
||||||
|
## Availability
|
||||||
|
|
||||||
|
### Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
<!-- TODO: needs version number -->
|
||||||
|
<!-- ### Version
|
||||||
|
|
||||||
|
This resource first became available in v of InSpec. -->
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
An `chrony_conf` resource block declares the synchronization settings that should be tested:
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe chrony_conf('PATH') do
|
||||||
|
its('setting_name') { should eq 'VALUE' }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
where:
|
||||||
|
|
||||||
|
- `'setting_name'` is a synchronization setting defined in the `chrony.conf` file.
|
||||||
|
- `('path')` is the non-default path to the `chrony.conf` file (default path is `/etc/chrony.conf`).
|
||||||
|
- `{ should eq 'value' }` is the value that is expected.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
This resource matches any service listed in the `chrony.conf` file.
|
||||||
|
|
||||||
|
### Test for clock drift against named servers
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe chrony_conf do
|
||||||
|
its('driftfile') { should cmp '/var/lib/chrony/drift' }
|
||||||
|
its('server') do
|
||||||
|
should cmp [
|
||||||
|
'0.ubuntu.pool.ntp.org',
|
||||||
|
'1.ubuntu.pool.ntp.org',
|
||||||
|
'2.ubuntu.pool.ntp.org'
|
||||||
|
]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
### Test that an NTP server exists and a specific subnet is specified from which NTP clients are accessible
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe chrony_conf do
|
||||||
|
its('server') { should_not eq nil }
|
||||||
|
its('allow') { should include '192.168.0.0/16'}
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
|
@ -27,20 +27,35 @@ This resource first became available in v1.0.0 of InSpec.
|
||||||
|
|
||||||
A `csv` resource block declares the configuration data to be tested:
|
A `csv` resource block declares the configuration data to be tested:
|
||||||
|
|
||||||
describe csv('file') do
|
describe csv('file', true) do
|
||||||
its('name') { should cmp 'foo' }
|
its('name') { should cmp 'foo' }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
Test `csv` file without headers
|
||||||
|
|
||||||
|
describe csv('file', false).params do
|
||||||
|
its([0]) { should cmp 'name' }
|
||||||
|
end
|
||||||
|
|
||||||
where
|
where
|
||||||
|
|
||||||
- `'file'` is the path to a CSV file
|
- `'file'` is the path to a CSV file
|
||||||
|
- `true` or `false` tests a CSV file with or without headers. Default value: `true`.
|
||||||
- `name` is a configuration setting in a CSV file
|
- `name` is a configuration setting in a CSV file
|
||||||
- `should eq 'foo'` tests a value of `name` as read from a CSV file versus the value declared in the test
|
- `should eq 'foo'` tests a value of `name` as read from a CSV file versus the value declared in the test
|
||||||
|
- `params` is the method for fetching data from a CSV file without headers.
|
||||||
|
- `[0]` is the array element position.
|
||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
||||||
The following examples show how to use this Chef InSpec audit resource.
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
### Test a CSV file without headers
|
||||||
|
|
||||||
|
describe csv('some_file.csv', false).params do
|
||||||
|
its([0]) { should eq ["name"] }
|
||||||
|
end
|
||||||
|
|
||||||
### Test a CSV file
|
### Test a CSV file
|
||||||
|
|
||||||
describe csv('some_file.csv') do
|
describe csv('some_file.csv') do
|
||||||
|
|
|
@ -41,19 +41,19 @@ end
|
||||||
### Test GCP container node pool disk size in GB is as expected
|
### Test GCP container node pool disk size in GB is as expected
|
||||||
|
|
||||||
describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do
|
describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do
|
||||||
its('node_config.disk_size_gb'){should eq 100}
|
its('config.disk_size_gb'){should eq 100}
|
||||||
end
|
end
|
||||||
|
|
||||||
### Test GCP container node pool machine type is as expected
|
### Test GCP container node pool machine type is as expected
|
||||||
|
|
||||||
describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do
|
describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do
|
||||||
its('node_config.machine_type'){should eq "n1-standard-1"}
|
its('config.machine_type'){should eq "n1-standard-1"}
|
||||||
end
|
end
|
||||||
|
|
||||||
### Test GCP container node pool node image type is as expected
|
### Test GCP container node pool node image type is as expected
|
||||||
|
|
||||||
describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do
|
describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do
|
||||||
its('node_config.image_type'){should eq "COS"}
|
its('config.image_type'){should eq "COS"}
|
||||||
end
|
end
|
||||||
|
|
||||||
### Test GCP container node pool initial node count is as expected
|
### Test GCP container node pool initial node count is as expected
|
||||||
|
@ -72,61 +72,61 @@ Properties that can be accessed from the `google_container_node_pool` resource:
|
||||||
`config`
|
`config`
|
||||||
: The node configuration of the pool.
|
: The node configuration of the pool.
|
||||||
|
|
||||||
`machine_type`
|
* `machine_type`
|
||||||
: The name of a Google Compute Engine machine type (e.g. n1-standard-1). If unspecified, the default machine type is n1-standard-1.
|
: The name of a Google Compute Engine machine type (e.g. n1-standard-1). If unspecified, the default machine type is n1-standard-1.
|
||||||
|
|
||||||
`disk_size_gb`
|
* `disk_size_gb`
|
||||||
: Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB. If unspecified, the default disk size is 100GB.
|
: Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB. If unspecified, the default disk size is 100GB.
|
||||||
|
|
||||||
`oauth_scopes`
|
* `oauth_scopes`
|
||||||
: The set of Google API scopes to be made available on all of the node VMs under the "default" service account. The following scopes are recommended, but not required, and by default are not included: https://www.googleapis.com/auth/compute is required for mounting persistent storage on your nodes. https://www.googleapis.com/auth/devstorage.read_only is required for communicating with gcr.io (the Google Container Registry). If unspecified, no scopes are added, unless Cloud Logging or Cloud Monitoring are enabled, in which case their required scopes will be added.
|
: The set of Google API scopes to be made available on all of the node VMs under the "default" service account. The following scopes are recommended, but not required, and by default are not included: https://www.googleapis.com/auth/compute is required for mounting persistent storage on your nodes. https://www.googleapis.com/auth/devstorage.read_only is required for communicating with gcr.io (the Google Container Registry). If unspecified, no scopes are added, unless Cloud Logging or Cloud Monitoring are enabled, in which case their required scopes will be added.
|
||||||
|
|
||||||
`service_account`
|
* `service_account`
|
||||||
: The Google Cloud Platform Service Account to be used by the node VMs. If no Service Account is specified, the "default" service account is used.
|
: The Google Cloud Platform Service Account to be used by the node VMs. If no Service Account is specified, the "default" service account is used.
|
||||||
|
|
||||||
`metadata`
|
* `metadata`
|
||||||
: The metadata key/value pairs assigned to instances in the cluster. Keys must conform to the regexp [a-zA-Z0-9-_]+ and be less than 128 bytes in length. These are reflected as part of a URL in the metadata server. Additionally, to avoid ambiguity, keys must not conflict with any other metadata keys for the project or be one of the four reserved keys: "instance-template", "kube-env", "startup-script", and "user-data" Values are free-form strings, and only have meaning as interpreted by the image running in the instance. The only restriction placed on them is that each value's size must be less than or equal to 32 KB. The total size of all keys and values must be less than 512 KB. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
|
: The metadata key/value pairs assigned to instances in the cluster. Keys must conform to the regexp [a-zA-Z0-9-_]+ and be less than 128 bytes in length. These are reflected as part of a URL in the metadata server. Additionally, to avoid ambiguity, keys must not conflict with any other metadata keys for the project or be one of the four reserved keys: "instance-template", "kube-env", "startup-script", and "user-data" Values are free-form strings, and only have meaning as interpreted by the image running in the instance. The only restriction placed on them is that each value's size must be less than or equal to 32 KB. The total size of all keys and values must be less than 512 KB. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
|
||||||
|
|
||||||
`image_type`
|
* `image_type`
|
||||||
: The image type to use for this node. Note that for a given image type, the latest version of it will be used.
|
: The image type to use for this node. Note that for a given image type, the latest version of it will be used.
|
||||||
|
|
||||||
`labels`
|
* `labels`
|
||||||
: The map of Kubernetes labels (key/value pairs) to be applied to each node. These will added in addition to any default label(s) that Kubernetes may apply to the node. In case of conflict in label keys, the applied set may differ depending on the Kubernetes version -- it's best to assume the behavior is undefined and conflicts should be avoided. For more information, including usage and the valid values, see: http://kubernetes.io/v1.1/docs/user-guide/labels.html An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
|
: The map of Kubernetes labels (key/value pairs) to be applied to each node. These will added in addition to any default label(s) that Kubernetes may apply to the node. In case of conflict in label keys, the applied set may differ depending on the Kubernetes version -- it's best to assume the behavior is undefined and conflicts should be avoided. For more information, including usage and the valid values, see: http://kubernetes.io/v1.1/docs/user-guide/labels.html An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
|
||||||
|
|
||||||
`local_ssd_count`
|
* `local_ssd_count`
|
||||||
: The number of local SSD disks to be attached to the node. The limit for this value is dependant upon the maximum number of disks available on a machine per zone. See: https://cloud.google.com/compute/docs/disks/local-ssd#local_ssd_limits for more information.
|
: The number of local SSD disks to be attached to the node. The limit for this value is dependant upon the maximum number of disks available on a machine per zone. See: https://cloud.google.com/compute/docs/disks/local-ssd#local_ssd_limits for more information.
|
||||||
|
|
||||||
`tags`
|
* `tags`
|
||||||
: The list of instance tags applied to all nodes. Tags are used to identify valid sources or targets for network firewalls and are specified by the client during cluster or node pool creation. Each tag within the list must comply with RFC1035.
|
: The list of instance tags applied to all nodes. Tags are used to identify valid sources or targets for network firewalls and are specified by the client during cluster or node pool creation. Each tag within the list must comply with RFC1035.
|
||||||
|
|
||||||
`preemptible`
|
* `preemptible`
|
||||||
: Whether the nodes are created as preemptible VM instances. See: https://cloud.google.com/compute/docs/instances/preemptible for more information about preemptible VM instances.
|
: Whether the nodes are created as preemptible VM instances. See: https://cloud.google.com/compute/docs/instances/preemptible for more information about preemptible VM instances.
|
||||||
|
|
||||||
`accelerators`
|
* `accelerators`
|
||||||
: A list of hardware accelerators to be attached to each node
|
: A list of hardware accelerators to be attached to each node
|
||||||
|
|
||||||
`accelerator_count`
|
* `accelerator_count`
|
||||||
: The number of the accelerator cards exposed to an instance.
|
: The number of the accelerator cards exposed to an instance.
|
||||||
|
|
||||||
`accelerator_type`
|
* `accelerator_type`
|
||||||
: The accelerator type resource name
|
: The accelerator type resource name
|
||||||
|
|
||||||
`disk_type`
|
* `disk_type`
|
||||||
: Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') If unspecified, the default disk type is 'pd-standard'
|
: Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') If unspecified, the default disk type is 'pd-standard'
|
||||||
|
|
||||||
`min_cpu_platform`
|
* `min_cpu_platform`
|
||||||
: Minimum CPU platform to be used by this instance. The instance may be scheduled on the specified or newer CPU platform
|
: Minimum CPU platform to be used by this instance. The instance may be scheduled on the specified or newer CPU platform
|
||||||
|
|
||||||
`taints`
|
* `taints`
|
||||||
: List of kubernetes taints to be applied to each node.
|
: List of kubernetes taints to be applied to each node.
|
||||||
|
|
||||||
`key`
|
* `key`
|
||||||
: Key for taint
|
: Key for taint
|
||||||
|
|
||||||
`value`
|
* `value`
|
||||||
: Value for taint
|
: Value for taint
|
||||||
|
|
||||||
`effect`
|
* `effect`
|
||||||
: Effect for taint
|
: Effect for taint
|
||||||
|
|
||||||
`initial_node_count`
|
`initial_node_count`
|
||||||
|
@ -144,43 +144,43 @@ Properties that can be accessed from the `google_container_node_pool` resource:
|
||||||
`autoscaling`
|
`autoscaling`
|
||||||
: Autoscaler configuration for this NodePool. Autoscaler is enabled only if a valid configuration is present.
|
: Autoscaler configuration for this NodePool. Autoscaler is enabled only if a valid configuration is present.
|
||||||
|
|
||||||
`enabled`
|
* `enabled`
|
||||||
: Is autoscaling enabled for this node pool.
|
: Is autoscaling enabled for this node pool.
|
||||||
|
|
||||||
`min_node_count`
|
* `min_node_count`
|
||||||
: Minimum number of nodes in the NodePool. Must be >= 1 and <= maxNodeCount.
|
: Minimum number of nodes in the NodePool. Must be >= 1 and <= maxNodeCount.
|
||||||
|
|
||||||
`max_node_count`
|
* `max_node_count`
|
||||||
: Maximum number of nodes in the NodePool. Must be >= minNodeCount. There has to enough quota to scale up the cluster.
|
: Maximum number of nodes in the NodePool. Must be >= minNodeCount. There has to enough quota to scale up the cluster.
|
||||||
|
|
||||||
`management`
|
`management`
|
||||||
: Management configuration for this NodePool.
|
: Management configuration for this NodePool.
|
||||||
|
|
||||||
`auto_upgrade`
|
* `auto_upgrade`
|
||||||
: A flag that specifies whether node auto-upgrade is enabled for the node pool. If enabled, node auto-upgrade helps keep the nodes in your node pool up to date with the latest release version of Kubernetes.
|
: A flag that specifies whether node auto-upgrade is enabled for the node pool. If enabled, node auto-upgrade helps keep the nodes in your node pool up to date with the latest release version of Kubernetes.
|
||||||
|
|
||||||
`auto_repair`
|
* `auto_repair`
|
||||||
: A flag that specifies whether the node auto-repair is enabled for the node pool. If enabled, the nodes in this node pool will be monitored and, if they fail health checks too many times, an automatic repair action will be triggered.
|
: A flag that specifies whether the node auto-repair is enabled for the node pool. If enabled, the nodes in this node pool will be monitored and, if they fail health checks too many times, an automatic repair action will be triggered.
|
||||||
|
|
||||||
`upgrade_options`
|
* `upgrade_options`
|
||||||
: Specifies the Auto Upgrade knobs for the node pool.
|
: Specifies the Auto Upgrade knobs for the node pool.
|
||||||
|
|
||||||
`auto_upgrade_start_time`
|
* `auto_upgrade_start_time`
|
||||||
: This field is set when upgrades are about to commence with the approximate start time for the upgrades, in RFC3339 text format.
|
: This field is set when upgrades are about to commence with the approximate start time for the upgrades, in RFC3339 text format.
|
||||||
|
|
||||||
`description`
|
* `description`
|
||||||
: This field is set when upgrades are about to commence with the description of the upgrade.
|
: This field is set when upgrades are about to commence with the description of the upgrade.
|
||||||
|
|
||||||
`max_pods_constraint`
|
`max_pods_constraint`
|
||||||
: The constraint on the maximum number of pods that can be run simultaneously on a node in the node pool.
|
: The constraint on the maximum number of pods that can be run simultaneously on a node in the node pool.
|
||||||
|
|
||||||
`max_pods_per_node`
|
* `max_pods_per_node`
|
||||||
: Constraint enforced on the max num of pods per node.
|
: Constraint enforced on the max num of pods per node.
|
||||||
|
|
||||||
`conditions`
|
`conditions`
|
||||||
: Which conditions caused the current node pool state.
|
: Which conditions caused the current node pool state.
|
||||||
|
|
||||||
`code`
|
* `code`
|
||||||
: Machine-friendly representation of the condition.
|
: Machine-friendly representation of the condition.
|
||||||
|
|
||||||
Possible values:
|
Possible values:
|
||||||
|
|
|
@ -19,8 +19,8 @@ A `google_project_alert_policy` is used to test a Google AlertPolicy resource
|
||||||
|
|
||||||
```ruby
|
```ruby
|
||||||
describe.one do
|
describe.one do
|
||||||
google_project_alert_policies(project: 'chef-gcp-inspec').policy_names do |policy_name|
|
google_project_alert_policies(project: 'chef-gcp-inspec').policy_names.each do |policy_name|
|
||||||
describe google_project_alert_policy(project: 'chef-gcp-inspec', name: policy_name) do
|
describe google_project_alert_policy(project: 'chef-gcp-inspec', name: policy_name.split('/').last) do
|
||||||
it { should exist }
|
it { should exist }
|
||||||
its('display_name') { should cmp 'Display'}
|
its('display_name') { should cmp 'Display'}
|
||||||
its('combiner') { should cmp 'OR'}
|
its('combiner') { should cmp 'OR'}
|
||||||
|
@ -32,15 +32,15 @@ end
|
||||||
|
|
||||||
### Test that a GCP alert policy is enabled
|
### Test that a GCP alert policy is enabled
|
||||||
|
|
||||||
describe google_project_alert_policy(policy: 'spaterson', name: '9271751234503117449') do
|
describe google_project_alert_policy(policy: 'spaterson', name: '9271751234503117449') do
|
||||||
it { should be_enabled }
|
it { should be_enabled }
|
||||||
end
|
end
|
||||||
|
|
||||||
### Test that a GCP compute alert policy display name is correct
|
### Test that a GCP compute alert policy display name is correct
|
||||||
|
|
||||||
describe google_project_alert_policy(policy: 'spaterson-project', name: '9271751234503117449') do
|
describe google_project_alert_policy(policy: 'spaterson-project', name: '9271751234503117449') do
|
||||||
its('display_name') { should eq 'policy name' }
|
its('display_name') { should eq 'policy name' }
|
||||||
end
|
end
|
||||||
|
|
||||||
## Properties
|
## Properties
|
||||||
|
|
||||||
|
|
|
@ -180,7 +180,7 @@ Properties that can be accessed from the `google_storage_bucket` resource:
|
||||||
|
|
||||||
`type`
|
`type`
|
||||||
: Type of the action. Currently, only Delete and SetStorageClass are supported.
|
: Type of the action. Currently, only Delete and SetStorageClass are supported.
|
||||||
|
|
||||||
Possible values:
|
Possible values:
|
||||||
- Delete
|
- Delete
|
||||||
- SetStorageClass
|
- SetStorageClass
|
||||||
|
@ -198,7 +198,7 @@ Properties that can be accessed from the `google_storage_bucket` resource:
|
||||||
: Relevant only for versioned objects. If the value is true, this condition matches live objects; if the value is false, it matches archived objects.
|
: Relevant only for versioned objects. If the value is true, this condition matches live objects; if the value is false, it matches archived objects.
|
||||||
|
|
||||||
`matches_storage_class`
|
`matches_storage_class`
|
||||||
: Objects having any of the storage classes specified by this condition will be matched. Values include MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, and DURABLE_REDUCED_AVAILABILITY.
|
: Objects having any of the storage classes specified by this condition will be matched. Values include MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, ARCHIVE, and DURABLE_REDUCED_AVAILABILITY.
|
||||||
|
|
||||||
`num_newer_versions`
|
`num_newer_versions`
|
||||||
: Relevant only for versioned objects. If the value is N, this condition is satisfied when there are at least N versions (including the live version) newer than this version of the object.
|
: Relevant only for versioned objects. If the value is N, this condition is satisfied when there are at least N versions (including the live version) newer than this version of the object.
|
||||||
|
@ -234,7 +234,7 @@ Properties that can be accessed from the `google_storage_bucket` resource:
|
||||||
: The project number of the project the bucket belongs to.
|
: The project number of the project the bucket belongs to.
|
||||||
|
|
||||||
`storage_class`
|
`storage_class`
|
||||||
: The bucket's default storage class, used whenever no storageClass is specified for a newly-created object. This defines how objects in the bucket are stored and determines the SLA and the cost of storage. Values include MULTI_REGIONAL, REGIONAL, STANDARD, NEARLINE, COLDLINE, and DURABLE_REDUCED_AVAILABILITY. If this value is not specified when the bucket is created, it will default to STANDARD. For more information, see storage classes.
|
: The bucket's default storage class, used whenever no storageClass is specified for a newly-created object. This defines how objects in the bucket are stored and determines the SLA and the cost of storage. Values include MULTI_REGIONAL, REGIONAL, STANDARD, NEARLINE, COLDLINE, ARCHIVE, and DURABLE_REDUCED_AVAILABILITY. If this value is not specified when the bucket is created, it will default to STANDARD. For more information, see storage classes.
|
||||||
|
|
||||||
Possible values:
|
Possible values:
|
||||||
|
|
||||||
|
@ -243,6 +243,7 @@ Properties that can be accessed from the `google_storage_bucket` resource:
|
||||||
- STANDARD
|
- STANDARD
|
||||||
- NEARLINE
|
- NEARLINE
|
||||||
- COLDLINE
|
- COLDLINE
|
||||||
|
- ARCHIVE
|
||||||
- DURABLE_REDUCED_AVAILABILITY
|
- DURABLE_REDUCED_AVAILABILITY
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -13,6 +13,13 @@ platform = "os"
|
||||||
|
|
||||||
Use the `group` Chef InSpec audit resource to test a single group on the system.
|
Use the `group` Chef InSpec audit resource to test a single group on the system.
|
||||||
|
|
||||||
|
The `group` resource uses the following system groups:
|
||||||
|
|
||||||
|
- On **non-Windows** systems the group resource tests a local group defined in the`/etc/group` file.
|
||||||
|
|
||||||
|
- On **Windows** systems the group resource tests a local group defined by Local Users and Groups.
|
||||||
|
|
||||||
|
|
||||||
## Availability
|
## Availability
|
||||||
|
|
||||||
### Installation
|
### Installation
|
||||||
|
@ -62,6 +69,25 @@ The `members` property tests the members that belong to the group:
|
||||||
|
|
||||||
its('members') { should include 'root' }
|
its('members') { should include 'root' }
|
||||||
|
|
||||||
|
where `members` returns:
|
||||||
|
|
||||||
|
- an array of group members for **Windows Platform**.
|
||||||
|
|
||||||
|
Example: `["member1", "member2"]`
|
||||||
|
|
||||||
|
- a CSV formatted string of group members for **Non-Windows Platforms**.
|
||||||
|
|
||||||
|
Example: `"member1,member2"`
|
||||||
|
|
||||||
|
|
||||||
|
### members_array
|
||||||
|
|
||||||
|
The `members_array` property tests the members that belong to a group just like the
|
||||||
|
`members` property,
|
||||||
|
but the value returned by this property is always an array of group members.
|
||||||
|
|
||||||
|
its('members_array') { should include 'root' }
|
||||||
|
|
||||||
## Matchers
|
## Matchers
|
||||||
|
|
||||||
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
||||||
|
|
|
@ -13,6 +13,12 @@ platform = "os"
|
||||||
|
|
||||||
Use the `groups` Chef InSpec audit resource to test multiple groups on the system.
|
Use the `groups` Chef InSpec audit resource to test multiple groups on the system.
|
||||||
|
|
||||||
|
The `groups` resource uses the following system groups:
|
||||||
|
|
||||||
|
- On **non-Windows** systems the group resource tests local groups defined in the`/etc/group` file.
|
||||||
|
|
||||||
|
- On **Windows** systems the group resource tests local groups defined by Local Users and Groups.
|
||||||
|
|
||||||
## Availability
|
## Availability
|
||||||
|
|
||||||
### Installation
|
### Installation
|
||||||
|
@ -74,6 +80,24 @@ The `members` property tests the members that belong to a group:
|
||||||
its('members') { should include 'root' }
|
its('members') { should include 'root' }
|
||||||
its('members') { should include 'Administrator' }
|
its('members') { should include 'Administrator' }
|
||||||
|
|
||||||
|
where `members` returns:
|
||||||
|
|
||||||
|
- an array of group members for **Windows Platform**.
|
||||||
|
|
||||||
|
Example: `["member1", "member2"]`
|
||||||
|
|
||||||
|
- a single element array that contains a CSV string of group members for **Non-Windows Platforms**.
|
||||||
|
|
||||||
|
Example: `["member1,member2"]`
|
||||||
|
|
||||||
|
### members_array
|
||||||
|
|
||||||
|
The `members_array` property tests the group members just like the `members` property,
|
||||||
|
but the value returned by this property is always an array of group members.
|
||||||
|
|
||||||
|
its('members_array') { should include 'root' }
|
||||||
|
its('members_array') { should include 'Administrator' }
|
||||||
|
|
||||||
## Matchers
|
## Matchers
|
||||||
|
|
||||||
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
||||||
|
|
58
docs-chef-io/content/inspec/resources/ibmdb2_conf.md
Normal file
58
docs-chef-io/content/inspec/resources/ibmdb2_conf.md
Normal file
|
@ -0,0 +1,58 @@
|
||||||
|
+++
|
||||||
|
title = "ibmdb2_conf resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "ibmdb2_conf"
|
||||||
|
identifier = "inspec/resources/os/ibmdb2_conf.md ibmdb2_conf resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `ibmdb2_conf` Chef InSpec audit resource to test the configuration settings. Make sure you are using the IBM Db2 database instance user credentials to run the InSpec test.
|
||||||
|
|
||||||
|
## Availability
|
||||||
|
|
||||||
|
### Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
A `ibmdb2_conf` resource block declares db2_executable_file_path, db_instance to connect and then runs command to get the configuration values and compares it to the value stated in the test:
|
||||||
|
|
||||||
|
describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do
|
||||||
|
its("output") { should_not be_empty }
|
||||||
|
its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")}
|
||||||
|
end
|
||||||
|
|
||||||
|
Windows
|
||||||
|
|
||||||
|
describe ibmdb2_conf do
|
||||||
|
its("output") { should_not be_empty }
|
||||||
|
its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")}
|
||||||
|
end
|
||||||
|
|
||||||
|
where
|
||||||
|
|
||||||
|
- `ibmdb2_session` declares a db2_executable_file_path, db_instance and db_name to connect.
|
||||||
|
- `db2_executable_file_path` is the path of the db2 binary file. For Windows this is not required.
|
||||||
|
- `db_instance` is the name of the database instance. For Windows this is not required.
|
||||||
|
- `its("output") { should include("expected_settings")}` compares the results of the output against the expected result in the test.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
### Test the audit buffer size configuration settings of IBM Db2 database
|
||||||
|
|
||||||
|
describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do
|
||||||
|
its("output") { should_not be_empty }
|
||||||
|
its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 1000")}
|
||||||
|
end
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
64
docs-chef-io/content/inspec/resources/ibmdb2_session.md
Normal file
64
docs-chef-io/content/inspec/resources/ibmdb2_session.md
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
+++
|
||||||
|
title = "ibmdb2_session resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "ibmdb2_session"
|
||||||
|
identifier = "inspec/resources/os/ibmdb2_session.md ibmdb2_session resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `ibmdb2_session` Chef InSpec audit resource to test SQL commands run against an IBM Db2 database.
|
||||||
|
Make sure you are using the IBM Db2 database instance user credentials to run the InSpec test.
|
||||||
|
|
||||||
|
## Availability
|
||||||
|
|
||||||
|
### Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
A `ibmdb2_session` resource block declares the db2_executable_file_path, db_instance and db_name to use for the session, and then the query to be run:
|
||||||
|
|
||||||
|
describe ibmdb2_session(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1", db_name: "sample").query("select rolename from syscat.roleauth") do
|
||||||
|
its("output") { should match(/SYSTS_MGR/) }
|
||||||
|
end
|
||||||
|
|
||||||
|
Windows
|
||||||
|
|
||||||
|
describe ibmdb2_session(db_name: "sample").query("select rolename from syscat.roleauth") do
|
||||||
|
its("output") { should match(/SYSTS_MGR/) }
|
||||||
|
end
|
||||||
|
|
||||||
|
where
|
||||||
|
|
||||||
|
- `ibmdb2_session` declares a db2_executable_file_path, db_instance and db_name to connect.
|
||||||
|
- `db2_executable_file_path` is the path of the db2 binary file. For Windows this is not required.
|
||||||
|
- `db_instance` is the name of the database instance. For Windows this is not required.
|
||||||
|
- `db_name` is the name of the database to query on.
|
||||||
|
- `query('QUERY')` contains the query to be run.
|
||||||
|
- `its('output') { should eq(/expected-result/) }` compares the results of the query against the expected result in the test.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
### Test for matching role name
|
||||||
|
|
||||||
|
describe ibmdb2_session(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1", db_name: "sample").query("select rolename from syscat.roleauth") do
|
||||||
|
its("output") { should match(/SYSTS_MGR/) }
|
||||||
|
end
|
||||||
|
|
||||||
|
### Test for matching database
|
||||||
|
|
||||||
|
describe ibmdb2_session(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1", db_name: "sample").query("list database directory") do
|
||||||
|
its("output") { should match(/SAMPLE/) }
|
||||||
|
end
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
62
docs-chef-io/content/inspec/resources/mongodb_conf.md
Normal file
62
docs-chef-io/content/inspec/resources/mongodb_conf.md
Normal file
|
@ -0,0 +1,62 @@
|
||||||
|
+++
|
||||||
|
title = "mongodb_conf resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "mongodb_conf"
|
||||||
|
identifier = "inspec/resources/os/mongodb_conf.md mongodb_conf resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `mongodb_conf` Chef InSpec audit resource to test the contents of the configuration file for MongoDB, typically located at `/etc/mongod.conf` or `C:\Program Files\MongoDB\Server\<version>\bin\mongod.cfg`, depending on the platform.
|
||||||
|
|
||||||
|
## Availability
|
||||||
|
|
||||||
|
### Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
A `mongodb_conf` resource block declares one (or more) settings in the `mongodb.conf` file, and then compares the setting in the configuration file to the value stated in the test:
|
||||||
|
|
||||||
|
describe mongodb_conf('path') do
|
||||||
|
its('setting') { should eq 'value' }
|
||||||
|
end
|
||||||
|
|
||||||
|
where
|
||||||
|
|
||||||
|
- `'setting'` specifies a setting in the `mongodb.conf` file
|
||||||
|
- `('path')` is the non-default path to the `mongodb.conf` file (optional)
|
||||||
|
- `should eq 'value'` is the value that is expected
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
### Test the key management configuration options
|
||||||
|
|
||||||
|
describe mongodb_conf do
|
||||||
|
its(["security", "enableEncryption"]) { should eq true }
|
||||||
|
end
|
||||||
|
|
||||||
|
### Test the port on which MongoDB listens
|
||||||
|
|
||||||
|
describe mongodb_conf do
|
||||||
|
its(["net", "port"]) { should eq 27017 }
|
||||||
|
end
|
||||||
|
|
||||||
|
### Test the security configuration options
|
||||||
|
|
||||||
|
describe mongodb_conf do
|
||||||
|
its(["security", "authorization"]) { should eq "enabled" }
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
||||||
|
|
113
docs-chef-io/content/inspec/resources/mongodb_session.md
Normal file
113
docs-chef-io/content/inspec/resources/mongodb_session.md
Normal file
|
@ -0,0 +1,113 @@
|
||||||
|
+++
|
||||||
|
title = "mongodb_session resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "mongodb_session"
|
||||||
|
identifier = "inspec/resources/os/mongodb_session.md mongodb_session resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `mongodb_session` Chef InSpec audit resource to run MongoDB command against a MongoDB Database.
|
||||||
|
|
||||||
|
## Availability
|
||||||
|
|
||||||
|
### Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
A `mongodb_session` resource block declares the `user`, `password`, and `database` to use for the session and then the command to be run:
|
||||||
|
|
||||||
|
describe mongodb_session(user: "username", password: "password", database: "test").query(key: value) do
|
||||||
|
its("params") { should match(/expected-result/) }
|
||||||
|
end
|
||||||
|
|
||||||
|
where
|
||||||
|
|
||||||
|
- `mongodb_session` declares a user, password, and database, connecting locally, with permission to run the query.
|
||||||
|
- `query` contains the query to be run.
|
||||||
|
- `its("params") { should eq(/expected-result/) }` compares the results of the query against the expected result in the test
|
||||||
|
|
||||||
|
### Optional Parameters
|
||||||
|
|
||||||
|
The `mongodb_session` InSpec resource accepts `user`, `password`, `host`, `port`, `auth_source`, `auth_mech`, `ssl`, `ssl_cert`, `ssl_ca_cert`, and `auth_mech_properties` parameters.
|
||||||
|
|
||||||
|
In Particular:
|
||||||
|
|
||||||
|
#### `host`
|
||||||
|
|
||||||
|
The server host IP address. Default value: `127.0.0.1`.
|
||||||
|
|
||||||
|
#### `port`
|
||||||
|
|
||||||
|
The server port. Default value: `27017`.
|
||||||
|
|
||||||
|
#### `auth_mech`
|
||||||
|
|
||||||
|
The authentication mechanism. The available options are: `:scram`, `:scram256`, `:mongodb_x509`, and `:aws`. Default value: `:scram`.
|
||||||
|
|
||||||
|
See the MongoDB documentation on [Ruby driver authentication](https://docs.mongodb.com/ruby-driver/current/reference/authentication/) for more information.
|
||||||
|
|
||||||
|
#### `auth_source`
|
||||||
|
|
||||||
|
The database where the user’s authentication credentials are stored. The default value is the database name that is passed as a parameter to the resource.
|
||||||
|
|
||||||
|
#### `ssl`
|
||||||
|
|
||||||
|
Whether to use the SSL security protocol or not. Set to `true` to use SSL transport, default value: `false`. See the MongoDB documentation on [Ruby Driver authentication](https://docs.mongodb.com/ruby-driver/current/reference/authentication/#client-certificate-x-509) for more information.
|
||||||
|
|
||||||
|
#### 'ssl_cert'
|
||||||
|
|
||||||
|
Path to the SSL certificate file.
|
||||||
|
|
||||||
|
#### `ssl_ca_cert`
|
||||||
|
|
||||||
|
Path to the SSL Certificate Authority (CA) certificate file.
|
||||||
|
|
||||||
|
#### `ssl_key`
|
||||||
|
|
||||||
|
Path to SSL key file.
|
||||||
|
|
||||||
|
#### `auth_mech_properties`
|
||||||
|
|
||||||
|
A hash of the authentication mechanism properties. This option is generally used with the AWS authentication mechanism. See the MongoDB documentation on [Ruby Driver authentication using AWS](https://docs.mongodb.com/ruby-driver/current/reference/authentication/#aws) for more information.
|
||||||
|
|
||||||
|
### MongodDB Query Reference Documentation
|
||||||
|
|
||||||
|
This resource uses the [MongoDB Ruby Driver](https://docs.mongodb.com/ruby-driver/current/reference/authentication/) to fetch the data.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
### Test the roles information using the `rolesInfo` command in MongoDB.
|
||||||
|
|
||||||
|
describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin").params["roles"].first do
|
||||||
|
its(["role"]) { should eq "dbAdmin" }
|
||||||
|
end
|
||||||
|
|
||||||
|
### Test the MongoDB user role.
|
||||||
|
|
||||||
|
describe mongodb_session(user: "foo", password: "bar", database: "test").query(usersInfo: "foo").params["users"].first["roles"].first do
|
||||||
|
its(["role"]) { should eq "readWrite" }
|
||||||
|
end
|
||||||
|
|
||||||
|
### Test the database parameters.
|
||||||
|
|
||||||
|
describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin") do
|
||||||
|
its("params") { should_not be_empty }
|
||||||
|
its("params") { should include "roles" }
|
||||||
|
end
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
||||||
|
|
||||||
|
### params
|
||||||
|
|
||||||
|
The `params` contains all the query data.
|
62
docs-chef-io/content/inspec/resources/mssql_sys_conf.md
Normal file
62
docs-chef-io/content/inspec/resources/mssql_sys_conf.md
Normal file
|
@ -0,0 +1,62 @@
|
||||||
|
+++
|
||||||
|
title = "mssql_sys_conf resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "mssql_sys_conf"
|
||||||
|
identifier = "inspec/resources/os/mssql_sys_conf.md mssql_sys_conf resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `mssql_sys_conf` Chef InSpec audit resource to test the configuration of a Microsoft SQL Server database.
|
||||||
|
|
||||||
|
## Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
You must have database access.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
A `mssql_sys_conf` resource block declares the configuration item, user, and password to test.
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe mssql_sys_conf("CONFIGURATION ITEM TO TEST", user: 'USER', password: 'PASSWORD') do
|
||||||
|
its("value_in_use") { should cmp "EXPECTED_VALUE" }
|
||||||
|
its("value_configured") { should cmp "EXPECTED_VALUE" }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
where:
|
||||||
|
|
||||||
|
- `mssql_sys_conf` declares a configuration item, `user`, and `password` with permission to use `sys.configurations`.
|
||||||
|
- `its('value_in_use') { should cmp 'EXPECTED_VALUE' }` compares the current running value of the configuration item against an expected value.
|
||||||
|
- `its('value_configured') { should cmp 'EXPECTED_VALUE' }` compares the saved value of the configuration item against an expected value.
|
||||||
|
|
||||||
|
### Optional Parameters
|
||||||
|
|
||||||
|
`mssql_sys_conf` is based on the `mssql_session` resource and accepts all the parameters that `mssql_session` accepts.
|
||||||
|
|
||||||
|
#### `username`
|
||||||
|
|
||||||
|
The user name. Default value: `SA`.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
### Test parameters set within the database view
|
||||||
|
|
||||||
|
describe mssql_sys_conf("clr_enabled", user: 'USER', password: 'PASSWORD') do
|
||||||
|
its("value_in_use") { should cmp "0" }
|
||||||
|
its("value_configured") { should cmp "0" }
|
||||||
|
end
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
76
docs-chef-io/content/inspec/resources/opa_api.md
Normal file
76
docs-chef-io/content/inspec/resources/opa_api.md
Normal file
|
@ -0,0 +1,76 @@
|
||||||
|
+++
|
||||||
|
title = "opa_api resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "opa_api"
|
||||||
|
identifier = "inspec/resources/os/opa_api.md opa_api resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `opa_api` Chef InSpec audit resource to query Open Policy Agent (OPA) using the OPA URL and data.
|
||||||
|
|
||||||
|
## Availability
|
||||||
|
|
||||||
|
### Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
An `opa_api` resource block declares OPA policy configurations that can be tested.
|
||||||
|
|
||||||
|
describe opa_api(url: "localhost:8181/v1/data/example/violation", data: "input.json") do
|
||||||
|
its(["result"]) { should eq 'value' }
|
||||||
|
end
|
||||||
|
|
||||||
|
where
|
||||||
|
|
||||||
|
- `'url'` specifies the url of the OPA server on which OPA is running.
|
||||||
|
- `'data'` specifies the json formatted data or json file.
|
||||||
|
- `its(["returned_result"]) { should eq 'expected_result' }` compares the results of the query against the expected result in the test.
|
||||||
|
|
||||||
|
## parameters
|
||||||
|
|
||||||
|
The `opa_api` resource InSpec resource requires a `url` and `data` as a JSON file or a string in JSON format.
|
||||||
|
|
||||||
|
### `url` _(required)_
|
||||||
|
|
||||||
|
The URL of the OPA API server.
|
||||||
|
|
||||||
|
### `data` _(required)_
|
||||||
|
|
||||||
|
An OPA query as a JSON data file or a string in JSON format.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
describe opa_api(url: "localhost:8181/v1/data/example/allow", data: "input.json") do
|
||||||
|
its("result") { shoule_not be nil }
|
||||||
|
its(["result"]) { should eq true }
|
||||||
|
its("allow") { should eq "true" }
|
||||||
|
end
|
||||||
|
|
||||||
|
The above example shows how the `allow` value can be fetched in two ways.
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
||||||
|
|
||||||
|
## Properties
|
||||||
|
|
||||||
|
### result
|
||||||
|
|
||||||
|
The `result` property checks whether the resource query returns an empty result.
|
||||||
|
|
||||||
|
its('result') { should be nil }
|
||||||
|
|
||||||
|
### allow
|
||||||
|
|
||||||
|
The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work.
|
||||||
|
|
||||||
|
its('allow') { should eq 'value' }
|
85
docs-chef-io/content/inspec/resources/opa_cli.md
Normal file
85
docs-chef-io/content/inspec/resources/opa_cli.md
Normal file
|
@ -0,0 +1,85 @@
|
||||||
|
+++
|
||||||
|
title = "opa_cli resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "opa_cli"
|
||||||
|
identifier = "inspec/resources/os/opa_cli.md opa_cli resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `opa_cli` Chef InSpec audit resource to query Open Policy Agent (OPA) using an OPA policy file, a data file, and a query.
|
||||||
|
|
||||||
|
## Availability
|
||||||
|
|
||||||
|
### Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
An `opa_cli` resource block declares OPA policy configurations that can be tested.
|
||||||
|
|
||||||
|
describe opa_cli(policy: "example.rego", data: "input.json", query: "data.example.allow") do
|
||||||
|
its(["result"]) { should eq "value" }
|
||||||
|
end
|
||||||
|
|
||||||
|
where
|
||||||
|
|
||||||
|
- `data` specifies the json formatted input data or file path.
|
||||||
|
- `policy` the path to policy file.
|
||||||
|
- `query` specifies the query to be run.
|
||||||
|
- `its(["result"]) { should eq "value" }` compares the results of the query against the expected result in the test
|
||||||
|
|
||||||
|
## parameters
|
||||||
|
|
||||||
|
The `opa_cli` resource InSpec resource accepts `policy`, `data`, `query`, and `opa_executable_path` as parameters.
|
||||||
|
|
||||||
|
### `policy` _(required)_
|
||||||
|
|
||||||
|
The path to the OPA policy file.
|
||||||
|
|
||||||
|
### `data` _(required)_
|
||||||
|
|
||||||
|
An OPA query as a JSON data file or a string in JSON format.
|
||||||
|
|
||||||
|
### `query` _(required)_
|
||||||
|
|
||||||
|
The query to be evaluated against policy and input data.
|
||||||
|
|
||||||
|
### `opa_executable_path`
|
||||||
|
|
||||||
|
This is the full path to the OPA binary or EXE file used for running the OPA CLI or OPA commands. By default it will consider that the path is added in PATH variable.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource:
|
||||||
|
|
||||||
|
describe opa_cli(query: "data.example.allow", policy: "example.rego", data: "input.json", opa_executable_path: "./opa") do
|
||||||
|
its("result") { shoule_not be nil }
|
||||||
|
its(["result", 0, "expressions", 0, "value"]) { should eq true }
|
||||||
|
its("allow") { should eq "true" }
|
||||||
|
end
|
||||||
|
|
||||||
|
The above example shows how the `allow` value can be fetched in two ways.
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
||||||
|
|
||||||
|
## Properties
|
||||||
|
|
||||||
|
### result
|
||||||
|
|
||||||
|
The `result` property checks whether the resource query returns an empty result.
|
||||||
|
|
||||||
|
its('result') { should be nil }
|
||||||
|
|
||||||
|
### allow
|
||||||
|
|
||||||
|
The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work.
|
||||||
|
|
||||||
|
its('allow') { should eq 'value' }
|
49
docs-chef-io/content/inspec/resources/oracledb_conf.md
Normal file
49
docs-chef-io/content/inspec/resources/oracledb_conf.md
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
+++
|
||||||
|
title = "oracledb_conf resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "oracledb_conf"
|
||||||
|
identifier = "inspec/resources/os/oracledb_conf.md oracledb_conf resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `oracledb_conf` Chef InSpec audit resource to test the Oracle system parameters.
|
||||||
|
|
||||||
|
## Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
You must have access to a database user with `DBA` role.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
A `oracledb_conf` resource block declares user and password to use. It fetches system parameters which are defined in the `V$SYSTEM_PARAMETER` database view, and then compares those parameters to the values stated in the test:
|
||||||
|
|
||||||
|
describe oracledb_conf(user: 'USER', password: 'PASSWORD') do
|
||||||
|
its("config item") { should cmp "value" }
|
||||||
|
end
|
||||||
|
|
||||||
|
### Optional Parameters
|
||||||
|
|
||||||
|
`oracledb_conf` is based on `oracledb_session`, and accepts all parameters that `oracledb_session` accepts.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
### Test parameters set within the database view
|
||||||
|
|
||||||
|
describe oracledb_conf(user: 'USER', password: 'PASSWORD') do
|
||||||
|
its("audit_sys_operations") { should cmp "true" }
|
||||||
|
its("sql92_security") { should cmp "true" }
|
||||||
|
end
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
|
@ -0,0 +1,46 @@
|
||||||
|
+++
|
||||||
|
title = "oracledb_listener_conf resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "oracledb_listener_conf"
|
||||||
|
identifier = "inspec/resources/os/oracledb_listener_conf.md oracledb_listener_conf resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `oracledb_listener_conf` Chef InSpec audit resource to test the listeners settings of Oracle DB, typically located at `$ORACLE_HOME/network/admin/listener.ora` or `$ORACLE_HOME\network\admin\listener.ora` depending upon the platform.
|
||||||
|
|
||||||
|
## Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
- You must have sufficient permission to access listener settings defined in `listener.ora` file.
|
||||||
|
- Value for environment variable `ORACLE_HOME` should be set in the system.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
A `oracledb_listener_conf` resource block fetches listeners settings in the `listener.ora` file, and then compares them with the value stated in the test:
|
||||||
|
|
||||||
|
describe oracledb_listener_conf do
|
||||||
|
its('config item') { should eq 'value' }
|
||||||
|
end
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
### Test parameters set within the listener file
|
||||||
|
|
||||||
|
describe oracledb_listener_conf do
|
||||||
|
its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' }
|
||||||
|
its('EM_EXPRESS_PORT') { should eq '5500' }
|
||||||
|
end
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
|
@ -47,7 +47,7 @@ where
|
||||||
|
|
||||||
`address` returns a an array of strings that matches the where condition of the filter table
|
`address` returns a an array of strings that matches the where condition of the filter table
|
||||||
|
|
||||||
describe pg_ident_conf.where { pg_username == 'name' } do
|
describe postgres_ident_conf.where { pg_username == 'name' } do
|
||||||
its('map_name') { should eq ['value'] }
|
its('map_name') { should eq ['value'] }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -55,7 +55,7 @@ where
|
||||||
|
|
||||||
`pg_username` returns a an array of strings that matches the where condition of the filter table
|
`pg_username` returns a an array of strings that matches the where condition of the filter table
|
||||||
|
|
||||||
describe pg_ident_conf.where { pg_username == 'name' } do
|
describe postgres_ident_conf.where { pg_username == 'name' } do
|
||||||
its('pg_username') { should eq ['value'] }
|
its('pg_username') { should eq ['value'] }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -63,7 +63,7 @@ where
|
||||||
|
|
||||||
`system_username` returns a an array of strings that matches the where condition of the filter table
|
`system_username` returns a an array of strings that matches the where condition of the filter table
|
||||||
|
|
||||||
describe pg_ident_conf.where { pg_username == 'name' } do
|
describe postgres_ident_conf.where { pg_username == 'name' } do
|
||||||
its('system_username') { should eq ['value'] }
|
its('system_username') { should eq ['value'] }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -28,24 +28,27 @@ This resource first became available in v1.0.0 of InSpec.
|
||||||
A `postgres_session` resource block declares the username and password to use for the session, and then the command to be run:
|
A `postgres_session` resource block declares the username and password to use for the session, and then the command to be run:
|
||||||
|
|
||||||
# Create a PostgreSQL session:
|
# Create a PostgreSQL session:
|
||||||
sql = postgres_session('username', 'password', 'host', 'port')
|
sql = postgres_session('username', 'password', 'host', 'port', 'socketpath')
|
||||||
|
|
||||||
# default values:
|
# default values:
|
||||||
# username: 'postgres'
|
# username: 'postgres'
|
||||||
# host: 'localhost'
|
# host: 'localhost'
|
||||||
# port: 5432
|
# port: 5432
|
||||||
|
# socketpath (optional): nil
|
||||||
|
|
||||||
# Run an SQL query with an optional database to execute
|
# Run an SQL query with an optional database to execute
|
||||||
sql.query('sql_query', ['database_name'])`
|
sql.query('sql_query', ['database_name'])`
|
||||||
|
|
||||||
A full example is:
|
A full example is:
|
||||||
|
|
||||||
sql = postgres_session('username', 'password', 'host', 'port')
|
sql = postgres_session('username', 'password', 'host', 'port', 'socketpath')
|
||||||
describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
|
describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
|
||||||
its('output') { should eq '' }
|
its('output') { should eq '' }
|
||||||
end
|
end
|
||||||
|
|
||||||
where `its('output') { should eq '' }` compares the results of the query against the expected result in the test
|
where
|
||||||
|
- `its('output') { should eq '' }` compares the results of the query against the expected result in the test
|
||||||
|
- `socketpath` is an optional parameter. Use `socketpath` to establish a socket connection with Postgres by specifying one of the Postgres Unix domain socket paths. Only supported on Unix-based platforms.
|
||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
||||||
|
|
|
@ -31,10 +31,15 @@ A `security_policy` resource block declares the name of a security policy and th
|
||||||
its('policy_name') { should eq 'value' }
|
its('policy_name') { should eq 'value' }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe security_policy(translate_sid: true) do
|
||||||
|
its('policy_name') { should include 'sid_name' }
|
||||||
|
end
|
||||||
|
|
||||||
where
|
where
|
||||||
|
|
||||||
- `'policy_name'` must specify a security policy
|
- `'policy_name'` must specify a security policy
|
||||||
- `{ should eq 'value' }` tests the value of `policy_name` against the value declared in the test
|
- `{ should eq 'value' }` tests the value of `policy_name` against the value declared in the test
|
||||||
|
- `translate_sid` converts the security identifier (SID) into a human readable SID name if `true`. Default value is `false`.
|
||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
||||||
|
|
173
docs-chef-io/content/inspec/resources/selinux.md
Normal file
173
docs-chef-io/content/inspec/resources/selinux.md
Normal file
|
@ -0,0 +1,173 @@
|
||||||
|
+++
|
||||||
|
title = "selinux resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "linux"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "selinux"
|
||||||
|
identifier = "inspec/resources/os/selinux.md selinux resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `selinux` Chef InSpec audit resource to test the configuration data of the SELinux policy, SELinux modules and SELinux booleans.
|
||||||
|
|
||||||
|
The `selinux` resource extracts and exposes data reported by the `sestatus`, `semodule -lfull`, and `semanage boolean -l -n` command.
|
||||||
|
|
||||||
|
## Availability
|
||||||
|
|
||||||
|
### Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
### Version
|
||||||
|
|
||||||
|
This resource first became available in v4.35.1 of InSpec.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
The `selinux` Chef InSpec resource block tests the state and mode of SELinux policy.
|
||||||
|
|
||||||
|
describe selinux do
|
||||||
|
it { should be_installed }
|
||||||
|
it { should_not be_disabled }
|
||||||
|
it { should be_enforcing }
|
||||||
|
it { should_not be_permissive }
|
||||||
|
end
|
||||||
|
|
||||||
|
The `selinux` resource block also allows you to write tests for multiple modules:
|
||||||
|
|
||||||
|
describe selinux.modules.where("zebra") do
|
||||||
|
it { should exist }
|
||||||
|
it { should be_installed }
|
||||||
|
it { should be_enabled }
|
||||||
|
end
|
||||||
|
|
||||||
|
or:
|
||||||
|
|
||||||
|
describe selinux.modules.where(status: "installed") do
|
||||||
|
it { should exist }
|
||||||
|
its('count') { should cmp 404 }
|
||||||
|
end
|
||||||
|
|
||||||
|
where:
|
||||||
|
|
||||||
|
- `.where()` specifies the parameter and expected value.
|
||||||
|
- `name`, `status`, `state`, and `priority` are valid parameters.
|
||||||
|
|
||||||
|
The `selinux` resource block also allows you to write tests for multiple booleans:
|
||||||
|
|
||||||
|
describe selinux.booleans.where(name: "httpd_enable_homedirs") do
|
||||||
|
it { should_not be_on }
|
||||||
|
end
|
||||||
|
|
||||||
|
or:
|
||||||
|
|
||||||
|
describe selinux.booleans.where(name: "xend_run_blktap", state: "on") do
|
||||||
|
it { should exist }
|
||||||
|
its('defaults') { should cmp "on" }
|
||||||
|
end
|
||||||
|
|
||||||
|
- `.where()` specifies the parameter and expected value.
|
||||||
|
- `name`, `state`, and `default` are valid parameters for `booleans`.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec selinux resource.
|
||||||
|
|
||||||
|
### Test if SELinux is installed and enabled
|
||||||
|
|
||||||
|
describe selinux do
|
||||||
|
it { should be_installed }
|
||||||
|
it { should_not be_disabled }
|
||||||
|
end
|
||||||
|
|
||||||
|
### Test if SELinux is enabled and running in enforcing mode
|
||||||
|
|
||||||
|
describe selinux do
|
||||||
|
it { should_not be_disabled }
|
||||||
|
it { should be_enforcing }
|
||||||
|
end
|
||||||
|
|
||||||
|
### Test the selinux policy type
|
||||||
|
|
||||||
|
describe selinux do
|
||||||
|
its('policy') { should eq "targeted"}
|
||||||
|
end
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
||||||
|
|
||||||
|
### be_installed
|
||||||
|
|
||||||
|
The `be_installed` matcher tests if the SElinux policy or SElinux modules are installed on the system:
|
||||||
|
|
||||||
|
it { should be_installed }
|
||||||
|
|
||||||
|
### be_disabled
|
||||||
|
|
||||||
|
The `be_disabled` matcher tests if the SELinux is disabled on the system:
|
||||||
|
|
||||||
|
it { should be_disabled }
|
||||||
|
|
||||||
|
### be_enforcing
|
||||||
|
|
||||||
|
The `be_enforcing` matcher tests if the SELinux mode is set to enforcing:
|
||||||
|
|
||||||
|
it { should be_enforcing }
|
||||||
|
|
||||||
|
### be_permissive
|
||||||
|
|
||||||
|
The `be_permissive` matcher tests if the SELinux mode is set to permissive:
|
||||||
|
|
||||||
|
it { should be_permissive }
|
||||||
|
|
||||||
|
### be_on
|
||||||
|
|
||||||
|
The `be_on` matcher tests if the SELinux boolean is on:
|
||||||
|
|
||||||
|
it { should be_on }
|
||||||
|
|
||||||
|
### be_enabled
|
||||||
|
|
||||||
|
The `be_enabled` matcher tests if the SElinux module is enabled:
|
||||||
|
|
||||||
|
it { should be_enabled }
|
||||||
|
|
||||||
|
## Resource Parameters
|
||||||
|
|
||||||
|
- `names`, `status`, `states`, and `priorities` are valid parameters for SELinux policy modules.
|
||||||
|
|
||||||
|
- `names`, `status`, `states`, and `defaults` are valid parameters for SELinux `booleans`.
|
||||||
|
|
||||||
|
## Resource Parameter Examples
|
||||||
|
|
||||||
|
### modules
|
||||||
|
|
||||||
|
`modules` returns information about SELinux modules using the [semodule -lfull](https://man7.org/linux/man-pages/man8/semodule.8.html) command.
|
||||||
|
|
||||||
|
Note: The `semodule -l` command [does not provide version information](https://access.redhat.com/solutions/2760071) for newer versions of Linux-based systems like RHEL8 and Centos8, so we do not support that option.
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe selinux.modules do
|
||||||
|
its("names") { should include "zebra" }
|
||||||
|
its("status") { should include "installed" }
|
||||||
|
its("states") { should include "enabled" }
|
||||||
|
its("priorities") { should include "100" }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
### booleans
|
||||||
|
|
||||||
|
`booleans` returns information about SELinux booleans using the [semanage boolean -l -n](https://man7.org/linux/man-pages/man8/semanage-boolean.8.html) command.
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe selinux.booleans do
|
||||||
|
its("names") { should include "httpd_enable_homedirs" }
|
||||||
|
its("states") { should include "on" }
|
||||||
|
its("states") { should include "off" }
|
||||||
|
its("defaults") { should include "on" }
|
||||||
|
its("defaults") { should include "off" }
|
||||||
|
end
|
||||||
|
```
|
|
@ -25,7 +25,7 @@ This resource first became available in v1.0.0 of InSpec.
|
||||||
|
|
||||||
## Syntax
|
## Syntax
|
||||||
|
|
||||||
An `sshd_config` resource block declares the client OpenSSH configuration data to be tested:
|
An `sshd_config` resource block declares the OpenSSH daemon configuration data to be tested:
|
||||||
|
|
||||||
describe sshd_config('path') do
|
describe sshd_config('path') do
|
||||||
its('name') { should include('foo') }
|
its('name') { should include('foo') }
|
||||||
|
|
72
docs-chef-io/content/inspec/resources/sybase_conf.md
Normal file
72
docs-chef-io/content/inspec/resources/sybase_conf.md
Normal file
|
@ -0,0 +1,72 @@
|
||||||
|
+++
|
||||||
|
title = "sybase_conf resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "sybase_conf"
|
||||||
|
identifier = "inspec/resources/os/sybase_conf.md sybase_conf resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `sybase_conf` Chef InSpec audit resource to test the configuration of an SAP Adaptive Server Enterprise (ASE) database.
|
||||||
|
|
||||||
|
## Availability
|
||||||
|
|
||||||
|
### Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
### Requirements
|
||||||
|
|
||||||
|
The `isql` command line tool must be installed on the target system.
|
||||||
|
|
||||||
|
You must have access to a database user that has access to the `sa` role on the `master` database.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
A `sybase_conf` resource block declares the configuration item name, server, and password to use.
|
||||||
|
|
||||||
|
describe sybase_session('config item', server: 'SYBASE', password: 'PASSWORD') do
|
||||||
|
its('run_value') { should cmp 'EXPECTED' }
|
||||||
|
its('config_value') { should cmp 'EXPECTED' }
|
||||||
|
end
|
||||||
|
|
||||||
|
where
|
||||||
|
|
||||||
|
- `sybase_conf` declares a configuration item, server, and password with permission to run `sp_configure`.
|
||||||
|
- `its('run_value') { should cmp 'expected' }` compares the current running value of the configuration item against an expected value.
|
||||||
|
- `its('config_value') { should cmp 'expected' }` compares the saved value of the configuration item against an expected value.
|
||||||
|
|
||||||
|
### Optional Parameters
|
||||||
|
|
||||||
|
The `sybase_conf` resource is based on the `sybase_session` resource and accepts all parameters that `sybase_session` accepts, including optional parameters `username`, `database`, `sybase_home`, and `bin`.
|
||||||
|
|
||||||
|
In particular:
|
||||||
|
|
||||||
|
#### `database`
|
||||||
|
|
||||||
|
Defaults to `master`.
|
||||||
|
|
||||||
|
#### `username`
|
||||||
|
|
||||||
|
Defaults to `sa`.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
### Test for max memory configuration
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe sybase_session('max memory', server: 'SYBASE', password: 'PASSWORD') do
|
||||||
|
its('run_value') { should cmp 180224 }
|
||||||
|
its('config_value') { should cmp 180224 }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
88
docs-chef-io/content/inspec/resources/sybase_session.md
Normal file
88
docs-chef-io/content/inspec/resources/sybase_session.md
Normal file
|
@ -0,0 +1,88 @@
|
||||||
|
+++
|
||||||
|
title = "sybase_session resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "sybase_session"
|
||||||
|
identifier = "inspec/resources/os/sybase_session.md sybase_session resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `sybase_session` Chef InSpec audit resource to test the SQL commands run against an SAP Adaptive Server Enterprise (ASE) database.
|
||||||
|
|
||||||
|
## Availability
|
||||||
|
|
||||||
|
### Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
### Requirements
|
||||||
|
|
||||||
|
The `isql` command line tool must be installed on the target system.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
A `sybase_session` resource block declares the server, database, username and password to use for the session, and then the command to be run:
|
||||||
|
|
||||||
|
describe sybase_session(database: 'pubs2', server: 'SYBASE', username: 'USERNAME', password: 'PASSWORD').query('QUERY').row(0).column('RESULT') do
|
||||||
|
its('value') { should eq('EXPECTED') }
|
||||||
|
end
|
||||||
|
|
||||||
|
where
|
||||||
|
|
||||||
|
- `sybase_session` declares a server, database, username, and password with permission to run the query.
|
||||||
|
- `query('QUERY')` contains the query to be run.
|
||||||
|
- `its('value') { should eq('expected') }` compares the results of the query against the expected result in the test.
|
||||||
|
|
||||||
|
### Optional Parameters
|
||||||
|
|
||||||
|
#### bin
|
||||||
|
|
||||||
|
You may use the `bin` parameter to specify the path to the `isql` cli tool.
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe sybase_session(database: 'pubs2',
|
||||||
|
server: 'SYBASE',
|
||||||
|
username: 'USERNAME',
|
||||||
|
password: 'PASSWORD',
|
||||||
|
bin: '/opt/sap/OCS-16_0/bin/isql',
|
||||||
|
).query('QUERY').row(0).column('RESULT') do
|
||||||
|
its('value') { should eq('EXPECTED') }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
#### sybase_home
|
||||||
|
|
||||||
|
You may use the `sybase_home` parameter to specify the path to the sybase installation.
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe sybase_session(database: 'pubs2',
|
||||||
|
server: 'SYBASE',
|
||||||
|
username: 'USERNAME',
|
||||||
|
password: 'PASSWORD',
|
||||||
|
sybase_home: '/opt/sap',
|
||||||
|
).query('QUERY').row(0).column('RESULT') do
|
||||||
|
its('value') { should eq('EXPECTED') }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
The following examples show how to use this Chef InSpec audit resource.
|
||||||
|
|
||||||
|
### Test for matching values in the pubs2 sample database
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
sql = sybase_session(database: 'pubs2', server: 'SYBASE', username: 'MY_USER', password: 'PASSWORD')
|
||||||
|
|
||||||
|
describe sql.query("SELECT au_lname FROM authors").row(0).column('AU_LNAME') do
|
||||||
|
its("value") { should eq 'BENNET' }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
85
docs-chef-io/content/inspec/resources/toml.md
Normal file
85
docs-chef-io/content/inspec/resources/toml.md
Normal file
|
@ -0,0 +1,85 @@
|
||||||
|
+++
|
||||||
|
title = "toml resource"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
platform = "os"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "toml"
|
||||||
|
identifier = "inspec/resources/os/toml.md toml resource"
|
||||||
|
parent = "inspec/resources/os"
|
||||||
|
+++
|
||||||
|
|
||||||
|
Use the `toml` Chef InSpec audit resource to test settings in a TOML file.
|
||||||
|
|
||||||
|
## Availability
|
||||||
|
|
||||||
|
### Installation
|
||||||
|
|
||||||
|
This resource is distributed along with Chef InSpec itself. You can use it automatically.
|
||||||
|
|
||||||
|
### Version
|
||||||
|
|
||||||
|
This resource first became available in v1.0.0 of InSpec.
|
||||||
|
|
||||||
|
## Syntax
|
||||||
|
|
||||||
|
An `toml` resource block declares the configuration settings to be tested:
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe toml('path') do
|
||||||
|
its('setting_name') { should eq 'value' }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
where:
|
||||||
|
|
||||||
|
- `'setting_name'` is a setting key defined in the TOML file.
|
||||||
|
- `('path')` is the path to the TOML file.
|
||||||
|
- `{ should eq 'value' }` is the value that is expected.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
In the examples below, the `example.toml` file contains the following data:
|
||||||
|
|
||||||
|
```toml
|
||||||
|
port = 8080
|
||||||
|
fruits = ["apple", "banana", "cantaloupe"]
|
||||||
|
|
||||||
|
[section]
|
||||||
|
key1 = "value1"
|
||||||
|
```
|
||||||
|
|
||||||
|
**Verify the port number:**
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe toml('path/to/example.toml') do
|
||||||
|
its('port') { should eq 8080 }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
**Verify the value of an array using brackets:**
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe toml('path/to/example.toml') do
|
||||||
|
its(['fruits', 0]) { should eq 'apple' }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
**Verify the value of a key in a table using brackets:**
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
describe toml('path/to/example.toml') do
|
||||||
|
its(['section', 'key1']) { should cmp 'value1' }
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Properties
|
||||||
|
|
||||||
|
This resource supports any of the settings listed in a TOML file as properties.
|
||||||
|
|
||||||
|
## Matchers
|
||||||
|
|
||||||
|
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
|
@ -11,7 +11,7 @@ platform = "linux"
|
||||||
parent = "inspec/resources/os"
|
parent = "inspec/resources/os"
|
||||||
+++
|
+++
|
||||||
|
|
||||||
Use the `zfs_dataset` Chef InSpec audit resource to test the ZFS datasets on FreeBSD systems.
|
Use the `zfs_dataset` Chef InSpec audit resource to test the ZFS datasets on FreeBSD & Linux (Check [OS Family Details](https://docs.chef.io/inspec/resources/os/#osfamily-helpers) for more details).
|
||||||
|
|
||||||
## Availability
|
## Availability
|
||||||
|
|
||||||
|
|
|
@ -11,7 +11,7 @@ platform = "linux"
|
||||||
parent = "inspec/resources/os"
|
parent = "inspec/resources/os"
|
||||||
+++
|
+++
|
||||||
|
|
||||||
Use the `zfs_pool` Chef InSpec audit resource to test the ZFS pools on FreeBSD systems.
|
Use the `zfs_pool` Chef InSpec audit resource to test the ZFS pools on FreeBSD & Linux (Centos, RHEL, Ubuntu, CloudLinux, Debian) systems.
|
||||||
|
|
||||||
## Availability
|
## Availability
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ gh_repo = "inspec"
|
||||||
The Chef InSpec interactive shell is a pry based REPL that can be used to
|
The Chef InSpec interactive shell is a pry based REPL that can be used to
|
||||||
quickly run Chef InSpec controls and tests without having to write it to a
|
quickly run Chef InSpec controls and tests without having to write it to a
|
||||||
file. Its functionality is similar to [chef-shell](/chef_shell/) as it provides a way
|
file. Its functionality is similar to [chef-shell](/chef_shell/) as it provides a way
|
||||||
to exercise the Chef InSpec DSL, its resources, tests, and plugins without
|
to exercise the Chef InSpec Language, its resources, tests, and plugins without
|
||||||
having to create a profile or write a test file. See
|
having to create a profile or write a test file. See
|
||||||
[http://pryrepl.org/](http://pryrepl.org/) for an introduction to what pry is and what it can
|
[http://pryrepl.org/](http://pryrepl.org/) for an introduction to what pry is and what it can
|
||||||
do.
|
do.
|
||||||
|
@ -57,9 +57,9 @@ Use resource packs to share custom resources with other Chef InSpec users.
|
||||||
A resource pack is a Chef InSpec profile that contains only custom resources and
|
A resource pack is a Chef InSpec profile that contains only custom resources and
|
||||||
no other controls or tests.
|
no other controls or tests.
|
||||||
|
|
||||||
For example, the profile in [`examples/profile`](https://github.com/chef/inspec/tree/master/examples/profile)
|
For example, the profile in [`examples/profile`](https://github.com/chef/inspec/tree/main/examples/profile)
|
||||||
in the Chef InSpec GitHub repository defines an
|
in the Chef InSpec GitHub repository defines an
|
||||||
[`example_config` resource](https://github.com/chef/inspec/blob/master/examples/profile/controls/example.rb).
|
[`example_config` resource](https://github.com/chef/inspec/blob/main/examples/profile/controls/example.rb).
|
||||||
To use these resources within the Chef InSpec shell, you will need to download
|
To use these resources within the Chef InSpec shell, you will need to download
|
||||||
and specify them as a dependency.
|
and specify them as a dependency.
|
||||||
|
|
||||||
|
@ -94,7 +94,7 @@ inspec> 1 + 2
|
||||||
inspec> exit
|
inspec> exit
|
||||||
```
|
```
|
||||||
|
|
||||||
## Using Chef InSpec DSL in Chef InSpec shell
|
## Using Chef InSpec Language in Chef InSpec shell
|
||||||
|
|
||||||
Chef InSpec shell will automatically evaluate the result of every command as
|
Chef InSpec shell will automatically evaluate the result of every command as
|
||||||
if it were a test file. If you type in a Ruby command that is not an
|
if it were a test file. If you type in a Ruby command that is not an
|
||||||
|
@ -230,3 +230,49 @@ $ inspec shell --format json -c 'describe file("/Users/test") do it { should exi
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Running Chef InSpec Shell With Inputs
|
||||||
|
|
||||||
|
With InSpec [profiles that support inputs]({{< relref "inputs/#which-profiles-support-inputs" >}}),
|
||||||
|
you can set inputs using the InSpec `shell` command. This allows you to work more consistently with
|
||||||
|
InSpec profiles when switching between the `shell` and `exec` commands.
|
||||||
|
|
||||||
|
For more details on inputs, see the [inputs reference](/inspec/inputs/).
|
||||||
|
|
||||||
|
### Set Inputs with Command-line Options
|
||||||
|
|
||||||
|
The `shell` command accepts one or more inputs in the command line as single-quoted YAML or JSON structures.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ inspec shell --input=input_name=input_value
|
||||||
|
Welcome to the interactive InSpec Shell
|
||||||
|
To find out how to use it, type: help
|
||||||
|
|
||||||
|
inspec> control 'my_control' do
|
||||||
|
inspec> describe input('input_name') do
|
||||||
|
inspec> it { should cmp 'input_value' }
|
||||||
|
inspec> end
|
||||||
|
inspec> end
|
||||||
|
Profile: inspec-shell
|
||||||
|
|
||||||
|
✔ my_control: input_value
|
||||||
|
✔ input_value is expected to cmp == "input_value"
|
||||||
|
|
||||||
|
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
|
||||||
|
Test Summary: 1 successful, 0 failures, 0 skipped
|
||||||
|
inspec> exit
|
||||||
|
```
|
||||||
|
|
||||||
|
### Set Inputs with YAML File
|
||||||
|
|
||||||
|
You can also save inputs and values to one or more YAML files and pass them to `shell` in the command line.
|
||||||
|
For example:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
input_name: input_value
|
||||||
|
another_input: another_value
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash
|
||||||
|
inspec shell --input-file=<path>
|
||||||
|
```
|
||||||
|
|
24
docs-chef-io/content/inspec/troubleshooting.md
Normal file
24
docs-chef-io/content/inspec/troubleshooting.md
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
+++
|
||||||
|
title = "Chef InSpec Troubleshooting"
|
||||||
|
draft = false
|
||||||
|
gh_repo = "inspec"
|
||||||
|
|
||||||
|
[menu]
|
||||||
|
[menu.inspec]
|
||||||
|
title = "Troubleshooting"
|
||||||
|
identifier = "inspec/Troubleshooting"
|
||||||
|
parent = "inspec"
|
||||||
|
weight = 55
|
||||||
|
+++
|
||||||
|
|
||||||
|
## Undefined Local Variable or Method Error for Cloud Resource
|
||||||
|
|
||||||
|
This error is a result of invoking a resource from one of the cloud resource packs without initializing an InSpec profile with that resource pack (AWS, Azure, or GCP) as a dependency.
|
||||||
|
|
||||||
|
InSpec profiles that use **any cloud resource** must have the resource pack defined as a dependency.
|
||||||
|
|
||||||
|
See the relevant resource pack readme for instructions:
|
||||||
|
|
||||||
|
- [inspec-aws README](https://github.com/inspec/inspec-aws#use-the-resources)
|
||||||
|
- [inspec-azure README](https://github.com/inspec/inspec-azure#use-the-resources)
|
||||||
|
- [inspec-gcp README](https://github.com/inspec/inspec-gcp#use-the-resources)
|
|
@ -1,7 +1,7 @@
|
||||||
[build]
|
[build]
|
||||||
|
|
||||||
[build.environment]
|
[build.environment]
|
||||||
HUGO_VERSION = "0.78.1"
|
HUGO_VERSION = "0.83.1"
|
||||||
HUGO_ENABLEGITINFO = "true"
|
HUGO_ENABLEGITINFO = "true"
|
||||||
GO_VERSION = "1.15"
|
GO_VERSION = "1.15"
|
||||||
NODE_ENV = "development"
|
NODE_ENV = "development"
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
"groups": {
|
"groups": {
|
||||||
"attrs_value_replaces_default": {
|
"attrs_value_replaces_default": {
|
||||||
"action": "warn",
|
"action": "warn",
|
||||||
"prefix": "The 'default' option for attributes is being replaced by 'value' - please use it instead."
|
"prefix": "The 'default' option for inputs is being replaced by 'value' - please use it instead."
|
||||||
},
|
},
|
||||||
"attrs_dsl": {
|
"attrs_dsl": {
|
||||||
"action": "ignore",
|
"action": "ignore",
|
||||||
|
@ -120,6 +120,11 @@
|
||||||
"object_classes": {
|
"object_classes": {
|
||||||
"action": "warn",
|
"action": "warn",
|
||||||
"suffix": "These classes will be removed in InSpec 5.0."
|
"suffix": "These classes will be removed in InSpec 5.0."
|
||||||
|
},
|
||||||
|
"cli_option_hook":{
|
||||||
|
"action": "warn",
|
||||||
|
"prefix": "The --hook option is being replaced by the --activator option.",
|
||||||
|
"suffix": "This options will be removed in InSpec 4.0."
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
# This file managed by automation - do not edit manually
|
# This file managed by automation - do not edit manually
|
||||||
module InspecBin
|
module InspecBin
|
||||||
INSPECBIN_ROOT = File.expand_path("..", __dir__)
|
INSPECBIN_ROOT = File.expand_path("..", __dir__)
|
||||||
VERSION = "4.30.0".freeze
|
VERSION = "4.47.8".freeze
|
||||||
end
|
end
|
||||||
|
|
|
@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
|
||||||
.reject { |f| File.directory?(f) }
|
.reject { |f| File.directory?(f) }
|
||||||
|
|
||||||
# Implementation dependencies
|
# Implementation dependencies
|
||||||
spec.add_dependency "chef-telemetry", "~> 1.0"
|
spec.add_dependency "chef-telemetry", "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep
|
||||||
spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0"
|
spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0"
|
||||||
spec.add_dependency "thor", ">= 0.20", "< 2.0"
|
spec.add_dependency "thor", ">= 0.20", "< 2.0"
|
||||||
spec.add_dependency "method_source", ">= 0.8", "< 2.0"
|
spec.add_dependency "method_source", ">= 0.8", "< 2.0"
|
||||||
|
@ -35,7 +35,7 @@ Gem::Specification.new do |spec|
|
||||||
spec.add_dependency "mixlib-log", "~> 3.0"
|
spec.add_dependency "mixlib-log", "~> 3.0"
|
||||||
spec.add_dependency "sslshake", "~> 1.2"
|
spec.add_dependency "sslshake", "~> 1.2"
|
||||||
spec.add_dependency "parallel", "~> 1.9"
|
spec.add_dependency "parallel", "~> 1.9"
|
||||||
spec.add_dependency "faraday", ">= 0.9.0", "< 1.4"
|
spec.add_dependency "faraday", ">= 0.9.0", "< 1.5"
|
||||||
spec.add_dependency "faraday_middleware", "~> 1.0"
|
spec.add_dependency "faraday_middleware", "~> 1.0"
|
||||||
spec.add_dependency "tty-table", "~> 0.10"
|
spec.add_dependency "tty-table", "~> 0.10"
|
||||||
spec.add_dependency "tty-prompt", "~> 0.17"
|
spec.add_dependency "tty-prompt", "~> 0.17"
|
||||||
|
|
|
@ -31,6 +31,7 @@ Gem::Specification.new do |spec|
|
||||||
|
|
||||||
# Train plugins we ship with InSpec
|
# Train plugins we ship with InSpec
|
||||||
spec.add_dependency "train-habitat", "~> 0.1"
|
spec.add_dependency "train-habitat", "~> 0.1"
|
||||||
spec.add_dependency "train-aws", "~> 0.1"
|
spec.add_dependency "train-aws", "~> 0.2"
|
||||||
spec.add_dependency "train-winrm", "~> 0.2"
|
spec.add_dependency "train-winrm", "~> 0.2"
|
||||||
|
spec.add_dependency "mongo", "= 2.13.2" # 2.14 introduces a broken symlink in mongo-2.14.0/spec/support/ocsp
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,49 +1,38 @@
|
||||||
---
|
---
|
||||||
driver:
|
driver:
|
||||||
name: dokken
|
name: dokken
|
||||||
chef_version: 14.12.9
|
chef_version: :latest
|
||||||
privileged: true # because Docker and SystemD/Upstart
|
privileged: true # because Docker and SystemD/Upstart
|
||||||
|
|
||||||
transport:
|
transport:
|
||||||
name: dokken
|
name: dokken
|
||||||
|
|
||||||
lifecycle:
|
|
||||||
pre_converge:
|
|
||||||
- local: cd inspec-bin && gem build inspec-core-bin.gemspec --output ../test/kitchen/cookbooks/install_inspec/files/inspec-core-bin.gem
|
|
||||||
- local: gem build inspec-core.gemspec --output test/kitchen/cookbooks/install_inspec/files/inspec-core.gem
|
|
||||||
|
|
||||||
provisioner:
|
provisioner:
|
||||||
name: dokken
|
name: dokken
|
||||||
client_rb:
|
|
||||||
data_collector.server_url: <%= ENV['COLLECTOR_URL'] %>
|
|
||||||
data_collector.token: <%= ENV['COLLECTOR_TOKEN'] %>
|
|
||||||
ssl_verify_mode: :verify_none
|
|
||||||
verify_api_cert: false
|
|
||||||
|
|
||||||
verifier:
|
verifier:
|
||||||
name: inspec
|
name: inspec
|
||||||
sudo: true
|
sudo: true
|
||||||
|
|
||||||
|
# Test against every supported target platform for which we have a dokken image.
|
||||||
|
# If we don't have a dokken image, see kitchen.chef.yml for Vagrant-based testing.
|
||||||
|
# Try to keep this list up to date!
|
||||||
|
# Visit https://hub.docker.com/search and https://github.com/test-kitchen/dokken-images to search for new images
|
||||||
platforms:
|
platforms:
|
||||||
- name: amazonlinux
|
|
||||||
driver:
|
|
||||||
image: dokken/amazonlinux
|
|
||||||
pid_one_command: /sbin/init
|
|
||||||
|
|
||||||
- name: amazonlinux-2
|
- name: amazonlinux-2
|
||||||
driver:
|
driver:
|
||||||
image: dokken/amazonlinux-2
|
image: dokken/amazonlinux-2
|
||||||
pid_one_command: /usr/lib/systemd/systemd
|
pid_one_command: /usr/lib/systemd/systemd
|
||||||
|
|
||||||
- name: centos-6
|
|
||||||
driver:
|
|
||||||
image: dokken/centos-6
|
|
||||||
pid_one_command: /sbin/init
|
|
||||||
|
|
||||||
- name: centos-7
|
- name: centos-7
|
||||||
driver:
|
driver:
|
||||||
image: dokken/centos-7
|
image: dokken/centos-7
|
||||||
pid_one_command: /usr/lib/systemd/systemd
|
pid_one_command: /usr/lib/systemd/systemd
|
||||||
|
- name: centos-8
|
||||||
|
driver:
|
||||||
|
image: dokken/centos-8
|
||||||
|
pid_one_command: /usr/lib/systemd/systemd
|
||||||
|
|
||||||
- name: debian-9
|
- name: debian-9
|
||||||
driver:
|
driver:
|
||||||
|
@ -51,7 +40,6 @@ platforms:
|
||||||
pid_one_command: /bin/systemd
|
pid_one_command: /bin/systemd
|
||||||
intermediate_instructions:
|
intermediate_instructions:
|
||||||
- RUN /usr/bin/apt-get update -y
|
- RUN /usr/bin/apt-get update -y
|
||||||
|
|
||||||
- name: debian-10
|
- name: debian-10
|
||||||
driver:
|
driver:
|
||||||
image: dokken/debian-10
|
image: dokken/debian-10
|
||||||
|
@ -59,24 +47,23 @@ platforms:
|
||||||
intermediate_instructions:
|
intermediate_instructions:
|
||||||
- RUN /usr/bin/apt-get update -y
|
- RUN /usr/bin/apt-get update -y
|
||||||
|
|
||||||
- name: fedora-29
|
- name: fedora-latest
|
||||||
driver:
|
driver:
|
||||||
image: dokken/fedora-29
|
image: dokken/fedora-latest
|
||||||
pid_one_command: /usr/lib/systemd/systemd
|
pid_one_command: /usr/lib/systemd/systemd
|
||||||
|
|
||||||
- name: oraclelinux-6
|
|
||||||
driver:
|
|
||||||
image: dokken/oraclelinux-6
|
|
||||||
pid_one_command: /sbin/init
|
|
||||||
|
|
||||||
- name: oraclelinux-7
|
- name: oraclelinux-7
|
||||||
driver:
|
driver:
|
||||||
image: dokken/oraclelinux-7
|
image: dokken/oraclelinux-7
|
||||||
pid_one_command: /usr/lib/systemd/systemd
|
pid_one_command: /usr/lib/systemd/systemd
|
||||||
|
- name: oraclelinux-8
|
||||||
|
driver:
|
||||||
|
image: dokken/oraclelinux-8
|
||||||
|
pid_one_command: /usr/lib/systemd/systemd
|
||||||
|
|
||||||
- name: opensuse-leap
|
- name: opensuse-leap
|
||||||
driver:
|
driver:
|
||||||
image: dokken/opensuse-leap-42
|
image: dokken/opensuse-leap-15
|
||||||
pid_one_command: /bin/systemd
|
pid_one_command: /bin/systemd
|
||||||
|
|
||||||
- name: ubuntu-16.04
|
- name: ubuntu-16.04
|
||||||
|
@ -93,30 +80,30 @@ platforms:
|
||||||
intermediate_instructions:
|
intermediate_instructions:
|
||||||
- RUN /usr/bin/apt-get update -y
|
- RUN /usr/bin/apt-get update -y
|
||||||
|
|
||||||
|
- name: ubuntu-20.04
|
||||||
|
driver:
|
||||||
|
image: dokken/ubuntu-20.04
|
||||||
|
pid_one_command: /bin/systemd
|
||||||
|
intermediate_instructions:
|
||||||
|
- RUN /usr/bin/apt-get update -y
|
||||||
|
|
||||||
suites:
|
suites:
|
||||||
- name: resources-core
|
- name: resources
|
||||||
run_list:
|
run_list:
|
||||||
- recipe[os_prepare]
|
- recipe[os_prepare]
|
||||||
- recipe[audit]
|
|
||||||
verifier:
|
verifier:
|
||||||
inspec_tests:
|
inspec_tests:
|
||||||
- test/kitchen/policies/resources-core
|
# TODO - split these out into core, database, unix, and windows resources
|
||||||
|
- test/kitchen/policies/default
|
||||||
attributes:
|
attributes:
|
||||||
audit:
|
|
||||||
attributes:
|
|
||||||
audit_attribute: 'Attribute Override!'
|
|
||||||
insecure: true
|
|
||||||
reporter: ['json-file','chef-automate']
|
|
||||||
fetcher: 'chef-automate'
|
|
||||||
json_file:
|
|
||||||
location: /tmp/json_export.json
|
|
||||||
profiles:
|
|
||||||
- name: integration
|
|
||||||
url: https://github.com/inspec/inspec-integration-profile/archive/master.zip
|
|
||||||
osprepare:
|
osprepare:
|
||||||
docker: true
|
docker: true
|
||||||
application: false
|
application: false
|
||||||
|
|
||||||
- name: resources-database
|
# These are planned for the future
|
||||||
- name: resources-unix
|
# Suites which exercise resources that exercise databases
|
||||||
- name: resources-windows
|
# - name: resources-database
|
||||||
|
# Unix-only resources
|
||||||
|
# - name: resources-unix
|
||||||
|
# Windows-only resources
|
||||||
|
# - name: resources-windows
|
|
@ -43,11 +43,15 @@ module Inspec
|
||||||
begin
|
begin
|
||||||
if (allowed_commands & ARGV.map(&:downcase)).empty? && # Did they use a non-exempt command?
|
if (allowed_commands & ARGV.map(&:downcase)).empty? && # Did they use a non-exempt command?
|
||||||
!ARGV.empty? # Did they supply at least one command?
|
!ARGV.empty? # Did they supply at least one command?
|
||||||
LicenseAcceptance::Acceptor.check_and_persist(
|
license_acceptor_output = LicenseAcceptance::Acceptor.check_and_persist(
|
||||||
Inspec::Dist::EXEC_NAME,
|
Inspec::Dist::EXEC_NAME,
|
||||||
Inspec::VERSION,
|
Inspec::VERSION,
|
||||||
logger: Inspec::Log
|
logger: Inspec::Log
|
||||||
)
|
)
|
||||||
|
if license_acceptor_output && ARGV.count == 1 && (ARGV.first.include? "--chef-license")
|
||||||
|
Inspec::UI.new.exit
|
||||||
|
end
|
||||||
|
license_acceptor_output
|
||||||
end
|
end
|
||||||
rescue LicenseAcceptance::LicenseNotAcceptedError
|
rescue LicenseAcceptance::LicenseNotAcceptedError
|
||||||
Inspec::Log.error "#{Inspec::Dist::PRODUCT_NAME} cannot execute without accepting the license"
|
Inspec::Log.error "#{Inspec::Dist::PRODUCT_NAME} cannot execute without accepting the license"
|
||||||
|
@ -120,6 +124,8 @@ module Inspec
|
||||||
desc: "Provide a ID which will be included on reports"
|
desc: "Provide a ID which will be included on reports"
|
||||||
option :winrm_shell_type, type: :string, default: "powershell",
|
option :winrm_shell_type, type: :string, default: "powershell",
|
||||||
desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
|
desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')"
|
||||||
|
option :docker_url, type: :string,
|
||||||
|
desc: "Provides path to Docker API endpoint (Docker)"
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.profile_options
|
def self.profile_options
|
||||||
|
@ -134,6 +140,8 @@ module Inspec
|
||||||
profile_options
|
profile_options
|
||||||
option :controls, type: :array,
|
option :controls, type: :array,
|
||||||
desc: "A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests."
|
desc: "A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests."
|
||||||
|
option :tags, type: :array,
|
||||||
|
desc: "A list of tags names that are part of controls to filter and run controls, or a list of /regexes/ to match against tags names of controls. Ignore all other tests."
|
||||||
option :reporter, type: :array,
|
option :reporter, type: :array,
|
||||||
banner: "one two:/output/file/path",
|
banner: "one two:/output/file/path",
|
||||||
desc: "Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml"
|
desc: "Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml"
|
||||||
|
@ -166,13 +174,15 @@ module Inspec
|
||||||
desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
|
desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode."
|
||||||
option :filter_empty_profiles, type: :boolean, default: false,
|
option :filter_empty_profiles, type: :boolean, default: false,
|
||||||
desc: "Filter empty profiles (profiles without controls) from the report."
|
desc: "Filter empty profiles (profiles without controls) from the report."
|
||||||
option :command_timeout, type: :numeric, default: 3600,
|
|
||||||
desc: "Maximum seconds to allow commands to run during execution. Default 3600.",
|
|
||||||
long_desc: "Maximum seconds to allow commands to run during execution. Default 3600. A timed out command is considered an error."
|
|
||||||
option :filter_waived_controls, type: :boolean,
|
option :filter_waived_controls, type: :boolean,
|
||||||
desc: "Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores `run` setting of waiver file."
|
desc: "Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores `run` setting of waiver file."
|
||||||
option :retain_waiver_data, type: :boolean,
|
option :retain_waiver_data, type: :boolean,
|
||||||
desc: "EXPERIMENTAL: Only works in conjunction with --filter-waived-controls, retains waiver data about controls that were skipped"
|
desc: "EXPERIMENTAL: Only works in conjunction with --filter-waived-controls, retains waiver data about controls that were skipped"
|
||||||
|
option :command_timeout, type: :numeric,
|
||||||
|
desc: "Maximum seconds to allow commands to run during execution.",
|
||||||
|
long_desc: "Maximum seconds to allow commands to run during execution. A timed out command is considered an error."
|
||||||
|
option :reporter_include_source, type: :boolean, default: false,
|
||||||
|
desc: "Include full source code of controls in the CLI report"
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.help(*args)
|
def self.help(*args)
|
||||||
|
@ -181,7 +191,7 @@ module Inspec
|
||||||
puts " Patents: chef.io/patents\n\n"
|
puts " Patents: chef.io/patents\n\n"
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.format_platform_info(params: {}, indent: 0, color: 39)
|
def self.format_platform_info(params: {}, indent: 0, color: 39, enable_color: true)
|
||||||
str = ""
|
str = ""
|
||||||
params.each do |item, info|
|
params.each do |item, info|
|
||||||
data = info
|
data = info
|
||||||
|
@ -192,7 +202,7 @@ module Inspec
|
||||||
# Do not output fields of data is missing ('unknown' is fine)
|
# Do not output fields of data is missing ('unknown' is fine)
|
||||||
next if data.nil?
|
next if data.nil?
|
||||||
|
|
||||||
data = "\e[1m\e[#{color}m#{data}\e[0m"
|
data = "\e[1m\e[#{color}m#{data}\e[0m" if enable_color
|
||||||
str << format("#{" " * indent}%-10s %s\n", item.to_s.capitalize + ":", data)
|
str << format("#{" " * indent}%-10s %s\n", item.to_s.capitalize + ":", data)
|
||||||
end
|
end
|
||||||
str
|
str
|
||||||
|
|
|
@ -6,9 +6,9 @@ module Inspec
|
||||||
extend Forwardable
|
extend Forwardable
|
||||||
|
|
||||||
attr_reader :cache, :target, :fetcher
|
attr_reader :cache, :target, :fetcher
|
||||||
def initialize(target, cache)
|
def initialize(target, cache, opts = {})
|
||||||
@target = target
|
@target = target
|
||||||
@fetcher = Inspec::Fetcher::Registry.resolve(target)
|
@fetcher = Inspec::Fetcher::Registry.resolve(target, opts)
|
||||||
|
|
||||||
if @fetcher.nil?
|
if @fetcher.nil?
|
||||||
raise("Could not fetch inspec profile in #{target.inspect}.")
|
raise("Could not fetch inspec profile in #{target.inspect}.")
|
||||||
|
|
|
@ -65,6 +65,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
|
||||||
desc: "Save the created profile to a path"
|
desc: "Save the created profile to a path"
|
||||||
option :controls, type: :array,
|
option :controls, type: :array,
|
||||||
desc: "A list of controls to include. Ignore all other tests."
|
desc: "A list of controls to include. Ignore all other tests."
|
||||||
|
option :tags, type: :array,
|
||||||
|
desc: "A list of tags to filter controls and include only those. Ignore all other tests."
|
||||||
profile_options
|
profile_options
|
||||||
def json(target)
|
def json(target)
|
||||||
require "json" unless defined?(JSON)
|
require "json" unless defined?(JSON)
|
||||||
|
@ -91,7 +93,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
|
||||||
end
|
end
|
||||||
|
|
||||||
desc "check PATH", "verify all tests at the specified PATH"
|
desc "check PATH", "verify all tests at the specified PATH"
|
||||||
option :format, type: :string
|
option :format, type: :string,
|
||||||
|
desc: "The output format to use doc (default), json. If valid format is not provided then it will use the default."
|
||||||
profile_options
|
profile_options
|
||||||
def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
|
def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
|
||||||
o = config
|
o = config
|
||||||
|
@ -218,9 +221,13 @@ class Inspec::InspecCLI < Inspec::BaseCLI
|
||||||
|
|
||||||
Automate:
|
Automate:
|
||||||
```
|
```
|
||||||
#{Inspec::Dist::EXEC_NAME} compliance login
|
#{Inspec::Dist::EXEC_NAME} automate login
|
||||||
#{Inspec::Dist::EXEC_NAME} exec compliance://username/linux-baseline
|
#{Inspec::Dist::EXEC_NAME} exec compliance://username/linux-baseline
|
||||||
```
|
```
|
||||||
|
`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way:
|
||||||
|
```
|
||||||
|
#{Inspec::Dist::EXEC_NAME} compliance login
|
||||||
|
```
|
||||||
|
|
||||||
Supermarket:
|
Supermarket:
|
||||||
```
|
```
|
||||||
|
@ -301,7 +308,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI
|
||||||
puts res.to_json
|
puts res.to_json
|
||||||
else
|
else
|
||||||
ui.headline("Platform Details")
|
ui.headline("Platform Details")
|
||||||
ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36)
|
ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36, enable_color: ui.color?)
|
||||||
end
|
end
|
||||||
rescue ArgumentError, RuntimeError, Train::UserError => e
|
rescue ArgumentError, RuntimeError, Train::UserError => e
|
||||||
$stderr.puts e.message
|
$stderr.puts e.message
|
||||||
|
@ -321,10 +328,14 @@ class Inspec::InspecCLI < Inspec::BaseCLI
|
||||||
desc: "A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell"
|
desc: "A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell"
|
||||||
option :distinct_exit, type: :boolean, default: true,
|
option :distinct_exit, type: :boolean, default: true,
|
||||||
desc: "Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures."
|
desc: "Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures."
|
||||||
option :command_timeout, type: :numeric, default: 3600,
|
option :command_timeout, type: :numeric,
|
||||||
desc: "Maximum seconds to allow a command to run. Default 3600.",
|
desc: "Maximum seconds to allow a command to run.",
|
||||||
long_desc: "Maximum seconds to allow commands to run. Default 3600. A timed out command is considered an error."
|
long_desc: "Maximum seconds to allow commands to run. A timed out command is considered an error."
|
||||||
option :inspect, type: :boolean, default: false, desc: "Use verbose/debugging output for resources."
|
option :inspect, type: :boolean, default: false, desc: "Use verbose/debugging output for resources."
|
||||||
|
option :input_file, type: :array,
|
||||||
|
desc: "Load one or more input files, a YAML file with values for the shell to use"
|
||||||
|
option :input, type: :array, banner: "name1=value1 name2=value2",
|
||||||
|
desc: "Specify one or more inputs directly on the command line to the shell, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures."
|
||||||
def shell_func
|
def shell_func
|
||||||
o = config
|
o = config
|
||||||
diagnose(o)
|
diagnose(o)
|
||||||
|
|
|
@ -18,6 +18,7 @@ module Inspec
|
||||||
attr_accessor :skip_file
|
attr_accessor :skip_file
|
||||||
attr_accessor :profile_context
|
attr_accessor :profile_context
|
||||||
attr_accessor :resources_dsl
|
attr_accessor :resources_dsl
|
||||||
|
attr_accessor :conf
|
||||||
|
|
||||||
def initialize(profile_context, resources_dsl, backend, conf, dependencies, require_loader, skip_only_if_eval)
|
def initialize(profile_context, resources_dsl, backend, conf, dependencies, require_loader, skip_only_if_eval)
|
||||||
@profile_context = profile_context
|
@profile_context = profile_context
|
||||||
|
@ -53,12 +54,30 @@ module Inspec
|
||||||
|
|
||||||
def control(id, opts = {}, &block)
|
def control(id, opts = {}, &block)
|
||||||
opts[:skip_only_if_eval] = @skip_only_if_eval
|
opts[:skip_only_if_eval] = @skip_only_if_eval
|
||||||
if control_exist_in_controls_list?(id) || controls_list_empty?
|
if (controls_list_empty? && tags_list_empty?) || control_exist_in_controls_list?(id)
|
||||||
register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block))
|
register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block))
|
||||||
|
elsif !tags_list_empty?
|
||||||
|
# Inside elsif rule is initialised before registering it because it enables fetching of control tags
|
||||||
|
# This condition is only true when --tags option is used
|
||||||
|
inspec_rule = Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block)
|
||||||
|
tag_ids = control_tags(inspec_rule)
|
||||||
|
register_control(inspec_rule) if tag_exist_in_control_tags?(tag_ids)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
alias rule control
|
alias rule control
|
||||||
|
|
||||||
|
def control_tags(inspec_rule)
|
||||||
|
all_tags = []
|
||||||
|
inspec_rule.tag.each do |key, value|
|
||||||
|
all_tags.push(key)
|
||||||
|
all_tags.push(value) unless value.nil?
|
||||||
|
end
|
||||||
|
all_tags.flatten.compact.uniq.map(&:to_s)
|
||||||
|
rescue
|
||||||
|
[]
|
||||||
|
end
|
||||||
|
|
||||||
# Describe allows users to write rspec-like bare describe
|
# Describe allows users to write rspec-like bare describe
|
||||||
# blocks without declaring an inclosing control. Here, we
|
# blocks without declaring an inclosing control. Here, we
|
||||||
# generate a control for them automatically and then execute
|
# generate a control for them automatically and then execute
|
||||||
|
@ -74,7 +93,7 @@ module Inspec
|
||||||
res = describe(*args, &block)
|
res = describe(*args, &block)
|
||||||
end
|
end
|
||||||
|
|
||||||
if control_exist_in_controls_list?(id) || controls_list_empty?
|
if controls_list_empty? || control_exist_in_controls_list?(id)
|
||||||
register_control(rule, &block)
|
register_control(rule, &block)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -171,6 +190,47 @@ module Inspec
|
||||||
@skip_file = true
|
@skip_file = true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Check if the given control exist in the --tags option
|
||||||
|
def tag_exist_in_control_tags?(tag_ids)
|
||||||
|
tag_option_matches_with_list = false
|
||||||
|
if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist?
|
||||||
|
tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty?
|
||||||
|
unless tag_option_matches_with_list
|
||||||
|
@conf["profile"].include_tags_list.any? do |inclusion|
|
||||||
|
# Try to see if the inclusion is a regex, and if it matches
|
||||||
|
if inclusion.is_a?(Regexp)
|
||||||
|
tag_ids.each do |id|
|
||||||
|
tag_option_matches_with_list = (inclusion =~ id)
|
||||||
|
break if tag_option_matches_with_list
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
tag_option_matches_with_list
|
||||||
|
end
|
||||||
|
|
||||||
|
def tags_list_empty?
|
||||||
|
!@conf.empty? && @conf.key?("profile") && @conf["profile"].include_tags_list.empty? || @conf.empty?
|
||||||
|
end
|
||||||
|
|
||||||
|
# Check if the given control exist in the --controls option
|
||||||
|
def control_exist_in_controls_list?(id)
|
||||||
|
id_exist_in_list = false
|
||||||
|
if profile_config_exist?
|
||||||
|
id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion|
|
||||||
|
# Try to see if the inclusion is a regex, and if it matches
|
||||||
|
inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
id_exist_in_list
|
||||||
|
end
|
||||||
|
|
||||||
|
# Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
|
||||||
|
def controls_list_empty?
|
||||||
|
!@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def block_location(block, alternate_caller)
|
def block_location(block, alternate_caller)
|
||||||
|
@ -187,20 +247,8 @@ module Inspec
|
||||||
!@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
|
!@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
|
||||||
end
|
end
|
||||||
|
|
||||||
# Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
|
def profile_tag_config_exist?
|
||||||
def controls_list_empty?
|
!@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_tags_list.empty?
|
||||||
!@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
|
|
||||||
end
|
|
||||||
|
|
||||||
# Check if the given control exist in the --controls option
|
|
||||||
def control_exist_in_controls_list?(id)
|
|
||||||
if profile_config_exist?
|
|
||||||
id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion|
|
|
||||||
# Try to see if the inclusion is a regex, and if it matches
|
|
||||||
inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
id_exist_in_list
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -93,23 +93,38 @@ module Inspec::DSL
|
||||||
context = dep_entry.profile.runner_context
|
context = dep_entry.profile.runner_context
|
||||||
# if we don't want all the rules, then just make 1 pass to get all rule_IDs
|
# if we don't want all the rules, then just make 1 pass to get all rule_IDs
|
||||||
# that we want to keep from the original
|
# that we want to keep from the original
|
||||||
filter_included_controls(context, dep_entry.profile, &block) unless opts[:include_all]
|
if !opts[:include_all] || !(opts[:conf]["profile"].include_tags_list.empty?) || !opts[:conf]["profile"].include_controls_list.empty?
|
||||||
|
filter_included_controls(context, dep_entry.profile, opts, &block)
|
||||||
|
end
|
||||||
# interpret the block and skip/modify as required
|
# interpret the block and skip/modify as required
|
||||||
context.load(block) if block_given?
|
context.load(block) if block_given?
|
||||||
bind_context.add_subcontext(context)
|
bind_context.add_subcontext(context)
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.filter_included_controls(context, profile, &block)
|
def self.filter_included_controls(context, profile, opts, &block)
|
||||||
mock = Inspec::Backend.create(Inspec::Config.mock)
|
mock = Inspec::Backend.create(Inspec::Config.mock)
|
||||||
include_ctx = Inspec::ProfileContext.for_profile(profile, mock)
|
include_ctx = Inspec::ProfileContext.for_profile(profile, mock)
|
||||||
include_ctx.load(block) if block_given?
|
include_ctx.load(block) if block_given?
|
||||||
|
include_ctx.control_eval_context.conf = opts[:conf]
|
||||||
|
control_eval_ctx = include_ctx.control_eval_context
|
||||||
# remove all rules that were not registered
|
# remove all rules that were not registered
|
||||||
context.all_rules.each do |r|
|
context.all_rules.each do |r|
|
||||||
id = Inspec::Rule.rule_id(r)
|
id = Inspec::Rule.rule_id(r)
|
||||||
fid = Inspec::Rule.profile_id(r) + "/" + id
|
fid = Inspec::Rule.profile_id(r) + "/" + id
|
||||||
unless include_ctx.rules[id] || include_ctx.rules[fid]
|
if !opts[:include_all] && !(include_ctx.rules[id] || include_ctx.rules[fid])
|
||||||
context.remove_rule(fid)
|
context.remove_rule(fid)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
unless control_eval_ctx.controls_list_empty?
|
||||||
|
# filter the dependent profile controls which are not in the --controls options list
|
||||||
|
context.remove_rule(fid) unless control_eval_ctx.control_exist_in_controls_list?(id)
|
||||||
|
end
|
||||||
|
|
||||||
|
unless control_eval_ctx.tags_list_empty?
|
||||||
|
# filter included controls using --tags
|
||||||
|
tag_ids = control_eval_ctx.control_tags(r)
|
||||||
|
context.remove_rule(fid) unless control_eval_ctx.tag_exist_in_control_tags?(tag_ids)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -2,12 +2,12 @@ require "inspec/plugin/v1"
|
||||||
|
|
||||||
module Inspec
|
module Inspec
|
||||||
class FetcherRegistry < PluginRegistry
|
class FetcherRegistry < PluginRegistry
|
||||||
def resolve(target)
|
def resolve(target, opts = {})
|
||||||
if fetcher_specified?(target)
|
if fetcher_specified?(target)
|
||||||
super(target)
|
super(target, opts)
|
||||||
else
|
else
|
||||||
Inspec::Log.debug("Assuming default supermarket source for #{target}")
|
Inspec::Log.debug("Assuming default supermarket source for #{target}")
|
||||||
super(with_default_fetcher(target))
|
super(with_default_fetcher(target), opts)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue