Mirrors/inspec
2
0
Fork 0
mirror of https://github.com/inspec/inspec synced 2024-11-10 23:24:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'main' into vasundhara/docs-update-for-resource-properties

Browse source
This commit is contained in:
Clinton Wolfe 2021-11-20 01:59:14 -05:00 committed by GitHub
commit 6c7bcdc97f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
35 changed files with 174 additions and 136 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
CHANGELOG.md
View file

@ -1,28 +1,37 @@
# Change Log
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
<!-- latest_release 4.50.2 -->
## [v4.50.2](https://github.com/inspec/inspec/tree/v4.50.2) (2021-11-18)
<!-- latest_release 4.50.6 -->
## [v4.50.6](https://github.com/inspec/inspec/tree/v4.50.6) (2021-11-20)
#### Merged Pull Requests
- Move rake and cookstyle deps out of inspec core gemspec [#5732](https://github.com/inspec/inspec/pull/5732) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Remove the instance_eval and eval_gemfile calls in omnibus [#5733](https://github.com/inspec/inspec/pull/5733) ([tas50](https://github.com/tas50))
<!-- latest_release -->
<!-- release_rollup since=4.49.0 -->
### Changes since 4.49.0 release
#### New Features
- Add Windows support for http resource. [#5697](https://github.com/inspec/inspec/pull/5697) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.50.0 -->
<!-- release_rollup since=4.50.3 -->
### Changes since 4.50.3 release
#### Merged Pull Requests
- Move rake and cookstyle deps out of inspec core gemspec [#5732](https://github.com/inspec/inspec/pull/5732) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 4.50.2 -->
- Disable CookStyle integration on Windows [#5724](https://github.com/inspec/inspec/pull/5724) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 4.50.1 -->
- Move cookstyle dep from inspec gemspec to inspec-core, add rake [#5722](https://github.com/inspec/inspec/pull/5722) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 4.49.2 -->
#### Bug Fixes
- Updates habitat test for windows to match install logic for linux [#5718](https://github.com/inspec/inspec/pull/5718) ([collinmcneese](https://github.com/collinmcneese)) <!-- 4.49.1 -->
- Remove the instance_eval and eval_gemfile calls in omnibus [#5733](https://github.com/inspec/inspec/pull/5733) ([tas50](https://github.com/tas50)) <!-- 4.50.6 -->
- Update dsl_inspec.md [#5721](https://github.com/inspec/inspec/pull/5721) ([paulcalabro](https://github.com/paulcalabro)) <!-- 4.50.5 -->
- Fix typos and improve code highlighting in docs [#5692](https://github.com/inspec/inspec/pull/5692) ([tas50](https://github.com/tas50)) <!-- 4.50.4 -->
<!-- release_rollup -->
<!-- latest_stable_release -->
## [v4.50.3](https://github.com/inspec/inspec/tree/v4.50.3) (2021-11-19)
#### New Features
- Add Windows support for http resource. [#5697](https://github.com/inspec/inspec/pull/5697) ([Vasu1105](https://github.com/Vasu1105))
#### Bug Fixes
- Updates habitat test for windows to match install logic for linux [#5718](https://github.com/inspec/inspec/pull/5718) ([collinmcneese](https://github.com/collinmcneese))
#### Merged Pull Requests
- Move cookstyle dep from inspec gemspec to inspec-core, add rake [#5722](https://github.com/inspec/inspec/pull/5722) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Disable CookStyle integration on Windows [#5724](https://github.com/inspec/inspec/pull/5724) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Move rake and cookstyle deps out of inspec core gemspec [#5732](https://github.com/inspec/inspec/pull/5732) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Remove license note + update resource count in main docs page [#5639](https://github.com/inspec/inspec/pull/5639) ([tas50](https://github.com/tas50))
<!-- latest_stable_release -->
## [v4.49.0](https://github.com/inspec/inspec/tree/v4.49.0) (2021-10-27)
#### New Features
@ -44,7 +53,6 @@
- InSpec Waivers: --filter-waived-controls [#5327](https://github.com/inspec/inspec/pull/5327) ([Schwad](https://github.com/Schwad))
- Fix windows_firewall resource fails to validate more than 1 rule depending on how it&#39;s executed [#5704](https://github.com/inspec/inspec/pull/5704) ([Vasu1105](https://github.com/Vasu1105))
- Integrate InSpec check with Cookstyle [#5618](https://github.com/inspec/inspec/pull/5618) ([Nik08](https://github.com/Nik08))
<!-- latest_stable_release -->
## [v4.46.13](https://github.com/inspec/inspec/tree/v4.46.13) (2021-09-30)

2
Dockerfile
View file

@ -1,7 +1,7 @@
FROM ubuntu:18.04
LABEL maintainer="Chef Software, Inc. <docker@chef.io>"
ARG VERSION=4.49.0
ARG VERSION=4.50.3
ARG CHANNEL=stable
ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

2
VERSION
View file

@ -1 +1 @@
4.50.2
4.50.6

11
docs-chef-io/content/inspec/_index.md
View file

@ -16,13 +16,6 @@ gh_repo = "inspec"
Chef InSpec is an open-source framework for testing and auditing your applications and infrastructure. Chef InSpec works by comparing the actual state of your system with the desired state that you express in easy-to-read and easy-to-write Chef InSpec code. Chef InSpec detects violations and displays findings in the form of a report, but puts you in control of remediation.
{{< note >}}
Versions of Chef InSpec 4.0 and later require accepting the EULA. Please
visit the [license acceptance page](/chef_license_accept/) for more information.
{{< /note >}}
## Getting started with Chef InSpec
Below are some of the core concepts that make up Chef InSpec.
@ -40,7 +33,7 @@ including tests from the [Chef Supermarket](https://supermarket.chef.io/)
or by adding tests from the [Dev-Sec Project](http://dev-sec.io/) as dependencies.
You can also customize your tests--pulling in the tests from our Supermarket and
change them to suit your unique needs with the easy-to-read and easy-to-write Chef
InSpec domain specific language.
InSpec language.
### Target your system
@ -52,6 +45,6 @@ InSpec to target applications and services running on AWS and Azure.
### Resources
Chef InSpec has 80+ [resources](/inspec/resources/) ready use--apache to zfs pool.
Chef InSpec nearly 500 [resources](/inspec/resources/) ready use--Apache2 to ZFS pool.
If you need a solution that we havent provided, you can write your own [custom
resource](/inspec/dsl_resource/).

2
docs-chef-io/content/inspec/config.md
View file

@ -104,7 +104,7 @@ Version 1.2 adds a top-level field, "plugins".
Use the `plugins` top-level configuration field to provide configuration settings to plugins that you use with Chef InSpec. Refer to the documentation of the plugin you are using for details regarding what settings are available.
To use this new feature, add a new top-level key in your config file named `plugins`. Then create a sub-key named for each plugin you wish to configure. Each plugin will have a key-value are that it may use as it sees fit - Chef Inspec does not specify the structure. Here is an example, using contrived plugins:
To use this new feature, add a new top-level key in your config file named `plugins`. Then create a sub-key named for each plugin you wish to configure. Each plugin will have a key-value are that it may use as it sees fit - Chef InSpec does not specify the structure. Here is an example, using contrived plugins:
```
{

2
docs-chef-io/content/inspec/dsl_inspec.md
View file

@ -62,7 +62,7 @@ where
* `0.4 to <0.7` these are controls with medium impact
* `0.7 to <0.9` these are controls with high impact
* `0.9 to 1.0` these are critical controls
* `tag` is optional meta-information with with key or key-value pairs
* `tag` is optional meta-information with key or key-value pairs
* `ref` is a reference to an external document
* `describe` is a block that contains at least one test. A `control` block must contain at least one `describe` block, but may contain as many as required
* `sshd_config` is a Chef InSpec resource. For the full list of Chef InSpec resources, see Chef InSpec resource documentation

8
docs-chef-io/content/inspec/inspec_and_friends.md
View file

@ -89,7 +89,7 @@ Lessons learned from Serverspec include:
- A command line interface (CLI) is required for faster iteration of test code.
You can also watch this [podcast](http://foodfightshow.org/2016/02/inspec.html)
to find out more on the relationship of Chef InSpec and Serverspec.
to find out more on the relationship between Chef InSpec and Serverspec.
### How is Chef InSpec different from Serverspec
@ -125,12 +125,12 @@ fork was not practical so a new project was born.
**Will Chef InSpec only work on machines managed by Chef?**
No, Chef InSpec can be used on any machine. It doesnt matter if that machine
was configured by Chef or configured lovingly by the hands of your local
No, Chef InSpec can be used on any machine. It does not matter if that machine
was configured by Chef Infra or configured lovingly by the hands of your local
System Administrator.
**Is Chef InSpec a replacement of Serverspec?**
Chef InSpec is intended to be a drop-in replacement of Serverspec. Popular
Serverspec resources have been ported to InSpec. It changed some
behaviour as documented in our migration guide.
behavior as documented in our migration guide.

4
docs-chef-io/content/inspec/profiles.md
View file

@ -150,7 +150,7 @@ supports:
release: 20.*
```
To target the Red Hat and derivitive platforms such as CentOS and Oracle Linux, use:
To target the Red Hat and derivative platforms such as CentOS and Oracle Linux, use:
```YAML
name: ssh
@ -158,7 +158,7 @@ supports:
- platform-family: redhat
```
To target the entire Windows 2019 platform family including Datacenter and Core Servers, use:
To target the entire Windows 2019 platform family, including Datacenter and Core Servers, use:
```YAML
name: ssh

2
docs-chef-io/content/inspec/resources/aws_alb.md
View file

@ -39,7 +39,7 @@ See also the [AWS documentation on Elastic Load Balancing](https://docs.aws.amaz
| Property | Description |
| ------------------------ | ---------------------------------------------------------------------------------- |
| load_balancer_name | The name of the load balancer. |
| load_balancer_addresses | A collectionm of the load balancer addresses. |
| load_balancer_addresses | A collection of the load balancer addresses. |
| canonical_hosted_zone_id | The ID of the Amazon Route 53 hosted zone for the load balancer. |
| dns_name | The DNS name of the load balancer. |
| availability_zones | The Availability Zones for the load balancer. |

6
docs-chef-io/content/inspec/resources/aws_sqs_queue.md
View file

@ -33,13 +33,13 @@ See also the [AWS documentation on SQS](https://docs.aws.amazon.com/AWSSimpleQue
| Property | Description |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------ |
| arn | The ARN of the SQS Queue. |
| is_fifo_queue | A boolean value indicate if this queue is a FIFO queue |
| is_fifo_queue | A boolean value indicating if this queue is a FIFO queue |
| visibility_timeout | An integer indicating the visibility timeout of the message in seconds |
| maximum_message_size | An integer indicating the maximum message size in bytes |
| message_retention_period | An integer indicating the maximum retention period for a message in seconds |
| delay_seconds | An integer indicating the delay in seconds for the queue |
| receive_message_wait_timeout_seconds | An integer indicating the number of seconds an attempt to recieve a message will wait before returning |
| content_based_deduplication | A boolean value indicate if content based dedcuplication is enabled or not |
| receive_message_wait_timeout_seconds | An integer indicating the number of seconds an attempt to receive a message will wait before returning |
| content_based_deduplication | A boolean value indicating if content based dedcuplication is enabled or not |
| redrive_policy | A string indicating the redrive policy |
## Examples

6
docs-chef-io/content/inspec/resources/aws_sqs_queues.md
View file

@ -30,13 +30,13 @@ See also the [AWS documentation on SQS](https://docs.aws.amazon.com/AWSSimpleQue
| Property | Description |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------ |
| arns | The ARNs of the SQS Queues. |
| is_fifo_queues | A boolean value indicate if queues are a FIFO queues |
| is_fifo_queues | A boolean value indicating if queues are FIFO queues |
| visibility_timeouts | An integer indicating the visibility timeout of the message in seconds |
| maximum_message_sizes | An integer indicating the maximum message size in bytes |
| message_retention_periods | An integer indicating the maximum retention period for a message in seconds |
| delay_seconds | An integer indicating the delay in seconds for the queues |
| receive_message_wait_timeout_seconds | An integer indicating the number of seconds an attempt to recieve a message will wait before returning |
| content_based_deduplications | A boolean value indicate if content based dedcuplication is enabled or not |
| receive_message_wait_timeout_seconds | An integer indicating the number of seconds an attempt to receive a message will wait before returning |
| content_based_deduplications | A boolean value indicating if content based deduplication is enabled or not |
## Examples

2
docs-chef-io/content/inspec/resources/aws_sts_caller_identity.md
View file

@ -15,7 +15,7 @@ Use the `aws_sts_caller_identity` InSpec audit resource to test properties of AW
## Syntax
An `aws_sts_caller_identity` resource block may be used to perform tests on details of the AWS credentials being used in the current Inspec scan. You can also test if the credentials belong to a GovCloud account or not.
An `aws_sts_caller_identity` resource block may be used to perform tests on details of the AWS credentials being used in the current InSpec scan. You can also test if the credentials belong to a GovCloud account or not.
describe aws_sts_caller_identity do
it { should exist }

4
docs-chef-io/content/inspec/resources/azure_virtual_machine.md
View file

@ -244,7 +244,7 @@ This only applies to Linux machines and will always return `0` on Windows.
### ssh_keys
Returns an array of the keys that are assigned to the machine. This is check if the correct keys are assigned.
Returns an array of the keys that are assigned to the machine. This checks if the correct keys are assigned.
Most SSH public keys have a signature at the end of them that can be tested. For example:
@ -292,7 +292,7 @@ This test can be used in the following way:
Returns a boolean to state if the machine has NICs connected or not.
This has can be used in the following way:
This can be used in the following way:
it { should have_nics }

2
docs-chef-io/content/inspec/resources/azurerm_ad_user.md
View file

@ -238,7 +238,7 @@ page](/inspec/matchers/).
## Azure Permissions
The Client/Active Directory Application you have configured Inspec Azure to use (`AZURE_CLIENT_ID`) must
The Client/Active Directory Application you have configured InSpec Azure to use (`AZURE_CLIENT_ID`) must
have permissions to read User data from the Azure Graph RBAC API.
Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application)

2
docs-chef-io/content/inspec/resources/azurerm_ad_users.md
View file

@ -127,7 +127,7 @@ The control will pass if the filter returns at least one result. Use
## Azure Permissions
The Client/Active Directory Application you have configured Inspec Azure to use (`AZURE_CLIENT_ID`) must
The Client/Active Directory Application you have configured InSpec Azure to use (`AZURE_CLIENT_ID`) must
have permissions to read User data from the Azure Graph RBAC API.
Please refer to the [Microsoft Documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications#updating-an-application)

4
docs-chef-io/content/inspec/resources/azurerm_aks_cluster.md
View file

@ -81,9 +81,9 @@ The Resource Group as well as the AKS Cluster name.
## Attributes
All of the attributes are avialable via dot notation. This is an example of the currently available attributes.
All of the attributes are available via dot notation. This is an example of the currently available attributes.
```
```ruby
control 'azurerm_aks_cluster' do
describe azurerm_aks_cluster(resource_group: 'example', name: 'ClusterName') do
it { should exist }

2
docs-chef-io/content/inspec/resources/azurerm_aks_clusters.md
View file

@ -40,7 +40,7 @@ You'll also need to setup your Azure credentials; see the resource pack
## Syntax
An `azurerm_aks_clusters` resource block identifies AKS Clustesr by
An `azurerm_aks_clusters` resource block identifies AKS Clusters by
Resource Group.
describe azurerm_aks_clusters(resource_group: 'ExampleGroup') do

2
docs-chef-io/content/inspec/resources/azurerm_subscription.md
View file

@ -45,7 +45,7 @@ This resource first became available in 1.7.0 of the inspec-azure resource pack.
## Syntax
The resource will retrieve the current subscription which Inspec is using, which is
The resource will retrieve the current subscription which InSpec is using, which is
specified in your environment/service principal.
describe azurerm_subscription do

20
docs-chef-io/content/inspec/resources/gem.md
View file

@ -59,14 +59,14 @@ The following examples show how to use this Chef InSpec audit resource.
describe gem('rubocop') do
it { should be_installed }
its('version') { should eq '0.33.0' }
its('version') { should eq '1.22.0' }
end
### Verify that a particular version is installed when there are multiple versions installed
describe gem('rubocop') do
it { should be_installed }
its('versions') { should include /0.51.0/ }
its('versions') { should include /1.21.0/ }
its('versions.count') { should_not be > 3 }
end
@ -78,7 +78,7 @@ The following examples show how to use this Chef InSpec audit resource.
### Verify that a gem package is installed in an omnibus environment
describe gem('pry', '/opt/ruby-2.3.1/embedded/bin/gem') do
describe gem('pry', '/opt/ruby-3.0.2/embedded/bin/gem') do
it { should be_installed }
end
@ -94,6 +94,20 @@ The following examples show how to use this Chef InSpec audit resource.
it { should be_installed }
end
## Properties
### version (String)
The `version` property returns a string of the default version on the system:
its('version') { should eq '1.22.0' }
### versions
The `versions` property returns an array of strings of all the versions of the gem installed on the system:
its('versions') { should include /1.22/ }
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

2
docs-chef-io/content/inspec/resources/google_cloudfunctions_cloud_function.md
View file

@ -48,7 +48,7 @@ Properties that can be accessed from the `google_cloudfunctions_cloud_function`
Possible values:
- CLOUD_FUNCTION_STATUS_UNSPECIFIED
- ACTOVE
- ACTIVE
- OFFLINE
- DEPLOY_IN_PROGRESS
- DELETE_IN_PROGRESS

2
docs-chef-io/content/inspec/resources/google_compute_instances.md
View file

@ -43,7 +43,7 @@ end
### Test that an instance with a particular name exists in the project and zone
describe google_compute_instances(project: 'chef-inspec-gcp', zone: 'europe-west2-a') do
its('instance_names') { should include "my-favourite-instance" }
its('instance_names') { should include "my-favorite-instance" }
end
## Properties

2
docs-chef-io/content/inspec/resources/google_runtime_config_config_iam_policy.md
View file

@ -13,7 +13,7 @@ platform = "gcp"
## Syntax
A `google_runtime_config_config_iam_policy` is used to test a Google Config Iam Policy resource
A `google_runtime_config_config_iam_policy` is used to test a Google Config IAM Policy resource
## Examples

24
docs-chef-io/content/inspec/resources/google_service_account.md
View file

@ -30,21 +30,27 @@ end
### Test that a GCP project IAM service account has the expected unique identifier
describe google_service_account(project: 'sample-project', name: 'sample-account@sample-project.iam.gserviceaccount.com') do
its('unique_id') { should eq 12345678 }
end
```ruby
describe google_service_account(project: 'sample-project', name: 'sample-account@sample-project.iam.gserviceaccount.com') do
its('unique_id') { should eq 12345678 }
end
```
### Test that a GCP project IAM service account has the expected oauth2 client identifier
describe google_service_account(project: 'sample-project', name: 'sample-account@sample-project.iam.gserviceaccount.com') do
its('oauth2_client_id') { should eq 12345678 }
end
```ruby
describe google_service_account(project: 'sample-project', name: 'sample-account@sample-project.iam.gserviceaccount.com') do
its('oauth2_client_id') { should eq 12345678 }
end
```
### Test that a GCP project IAM service account does not have user managed keys
describe google_service_account_keys(project: 'chef-gcp-inspec', service_account: "display-name@project-id.iam.gserviceaccount.com") do
its('key_types') { should_not include 'USER_MANAGED' }
end
```ruby
describe google_service_account_keys(project: 'chef-gcp-inspec', service_account: "display-name@project-id.iam.gserviceaccount.com") do
its('key_types') { should_not include 'USER_MANAGED' }
end
```
## Properties

29
docs-chef-io/content/inspec/resources/google_storage_bucket.md
View file

@ -34,21 +34,27 @@ end
### Test that a GCP storage bucket is in the expected location
describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do
its('location') { should eq "EUROPE-WEST2" }
end
```ruby
describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do
its('location') { should eq "EUROPE-WEST2" }
end
```
### Test that a GCP storage bucket has the expected project number
describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do
its('project_number') {should eq 12345678 }
end
```ruby
describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do
its('project_number') {should eq 12345678 }
end
```
### Test that a GCP storage bucket has the expected storage class
describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do
its('storage_class') { should eq 'STANDARD' }
end
```ruby
describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do
its('storage_class') { should eq 'STANDARD' }
end
```
## Properties
@ -164,7 +170,7 @@ Properties that can be accessed from the `google_storage_bucket` resource:
- READER
`id`
: The ID of the bucket. For buckets, the id and name properities are the same.
: The ID of the bucket. For buckets, the id and name properties are the same.
`lifecycle`
: The bucket's lifecycle configuration. See https://developers.google.com/storage/docs/lifecycle for more information.
@ -260,7 +266,7 @@ Properties that can be accessed from the `google_storage_bucket` resource:
: While set to true, versioning is fully enabled for this bucket.
`website`
: The bucket's website configuration, controlling how the service behaves when accessing bucket contents as a web site. See the Static Website Examples for more information.
: The bucket's website configuration, controlling how the service behaves when accessing bucket contents as a website. See the Static Website Examples for more information.
`main_page_suffix`
: If the requested object path is missing, the service will ensure the path has a trailing '/', append this suffix, and attempt to retrieve the resulting object. This allows the creation of index.html objects to represent directory pages.
@ -304,7 +310,6 @@ Properties that can be accessed from the `google_storage_bucket` resource:
- projectPrivate
- publicRead
## GCP Permissions
Ensure the [Google Cloud Storage](https://console.cloud.google.com/apis/library/storage-component.googleapis.com/) is enabled for the current project.

24
docs-chef-io/content/inspec/resources/google_storage_bucket_iam_bindings.md
View file

@ -38,21 +38,27 @@ The following examples show how to use this InSpec audit resource.
### Test that there are no more than a specified number of IAM bindings roles available for the bucket
describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do
its('count') { should be <= 100}
end
```ruby
describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do
its('count') { should be <= 100}
end
```
### Test that an expected role is available for the bucket
describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do
its('iam_binding_roles') { should include "roles/storage.admin" }
end
```ruby
describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do
its('iam_binding_roles') { should include "roles/storage.admin" }
end
```
### Test that a particular role does not exist using filtering of the plural resource
describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz').where(iam_binding_role: "roles/iam.securityReviewer") do
it { should_not exist }
end
```ruby
describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz').where(iam_binding_role: "roles/iam.securityReviewer") do
it { should_not exist }
end
```
## Filter Criteria

36
docs-chef-io/content/inspec/resources/google_storage_bucket_objects.md
View file

@ -19,34 +19,42 @@ A `google_storage_bucket_objects` is used to test a Google BucketObject resource
```ruby
describe google_storage_bucket_objects(bucket: 'bucket-with-object') do
its('object_names') { should include 'image1' }
its('count') { should be <= 10 }
its('object_names') { should include 'image1' }
its('count') { should be <= 10 }
end
```
### Test that there are no more than a specified number of storage buckets for the project
describe google_storage_bucket_objects(bucket: 'bucket-name') do
its('count') { should be <= 100 }
end
```ruby
describe google_storage_bucket_objects(bucket: 'bucket-name') do
its('count') { should be <= 100 }
end
```
### Test that an expected named bucket is available
describe google_storage_bucket_objects(bucket: 'bucket-name') do
its('object_buckets'){ should include 'my_expected_bucket' }
end
```ruby
describe google_storage_bucket_objects(bucket: 'bucket-name') do
its('object_buckets'){ should include 'my_expected_bucket' }
end
```
### Test that an expected named bucket is available
describe google_storage_bucket_objects(bucket: 'bucket-name') do
its('object_names'){ should include 'my_expected_object' }
end
```ruby
describe google_storage_bucket_objects(bucket: 'bucket-name') do
its('object_names'){ should include 'my_expected_object' }
end
```
### Test a filtered group of bucket objects created within the last 24hrs
describe google_storage_bucket_objects(bucket: 'bucket-name').where(object_created_time > Time.now - 60*60*24) do
it { should exist }
end
```ruby
describe google_storage_bucket_objects(bucket: 'bucket-name').where(object_created_time > Time.now - 60*60*24) do
it { should exist }
end
```
## Properties

30
docs-chef-io/content/inspec/resources/google_storage_buckets.md
View file

@ -25,24 +25,30 @@ end
### Test that there are no more than a specified number of storage buckets for the project
describe google_storage_buckets(project: 'chef-inspec-gcp') do
its('count') { should be <= 100}
end
```ruby
describe google_storage_buckets(project: 'chef-inspec-gcp') do
its('count') { should be <= 100}
end
```
### Test that an expected named bucket is available
describe google_storage_buckets do
its('bucket_names'){ should include "my_expected_bucket" }
end
```ruby
describe google_storage_buckets do
its('bucket_names'){ should include "my_expected_bucket" }
end
```
### Test that all buckets belong to the expected project number
google_storage_buckets(project: 'chef-inspec-gcp').bucket_names.each do |bucket_name|
describe google_storage_bucket(name: bucket_name) do
it { should exist }
its('project_number'){ should eq 1122334455 }
end
end
```ruby
google_storage_buckets(project: 'chef-inspec-gcp').bucket_names.each do |bucket_name|
describe google_storage_bucket(name: bucket_name) do
it { should exist }
its('project_number'){ should eq 1122334455 }
end
end
```
## Properties

2
docs-chef-io/content/inspec/resources/mongodb_conf.md
View file

@ -55,8 +55,6 @@ The following examples show how to use this Chef InSpec audit resource.
its(["security", "authorization"]) { should eq "enabled" }
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

8
docs-chef-io/content/inspec/resources/mongodb_session.md
View file

@ -77,7 +77,7 @@ Path to SSL key file.
A hash of the authentication mechanism properties. This option is generally used with the AWS authentication mechanism. See the MongoDB documentation on [Ruby Driver authentication using AWS](https://docs.mongodb.com/ruby-driver/current/reference/authentication/#aws) for more information.
### MongodDB Query Reference Documentation
### MongoDB Query Reference Documentation
This resource uses the [MongoDB Ruby Driver](https://docs.mongodb.com/ruby-driver/current/reference/authentication/) to fetch the data.
@ -85,19 +85,19 @@ This resource uses the [MongoDB Ruby Driver](https://docs.mongodb.com/ruby-drive
The following examples show how to use this Chef InSpec audit resource.
### Test the roles information using the `rolesInfo` command in MongoDB.
### Test the roles information using the `rolesInfo` command in MongoDB
describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin").params["roles"].first do
its(["role"]) { should eq "dbAdmin" }
end
### Test the MongoDB user role.
### Test the MongoDB user role
describe mongodb_session(user: "foo", password: "bar", database: "test").query(usersInfo: "foo").params["users"].first["roles"].first do
its(["role"]) { should eq "readWrite" }
end
### Test the database parameters.
### Test the database parameters
describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin") do
its("params") { should_not be_empty }

2
docs-chef-io/content/inspec/resources/passwd.md
View file

@ -133,7 +133,7 @@ or to find all users with the nologin shell:
### uids
The `uids` matcher tests if the user indentifiers in the test match user identifiers in `/etc/passwd`:
The `uids` matcher tests if the user identifiers in the test match user identifiers in `/etc/passwd`:
its('uids') { should eq ['1234', '1235'] }

14
docs-chef-io/content/inspec/resources/shadow.md
View file

@ -17,12 +17,12 @@ The format for `/etc/shadow` includes:
- A username
- The hashed password for that user
- The last date a password was changed, as the number of days since Jan 1 1970
- The minimum number of days a password must exist, before it may be changed
- The last date a password was changed, as the number of days since Jan 1, 1970
- The minimum number of days a password must exist before it may be changed
- The maximum number of days after which a password must be changed
- The number of days a user is warned about an expiring password
- The number of days a user must be inactive before the user account is disabled
- The date on which a user account was disabled, as the number of days since Jan 1 1970
- The date on which a user account was disabled, as the number of days since Jan 1, 1970
These entries are defined as a colon-delimited row in the file, one row per user:
@ -128,7 +128,7 @@ A list of strings, representing the encrypted password strings for entries match
### last_changes
A list of integers, indicating the number of days since Jan 1 1970 since the password for each matching entry was changed.
A list of integers, indicating the number of days since Jan 1, 1970 since the password for each matching entry was changed.
# Ensure all entries have changed their password in the last 90 days. (Probably want a filter on that)
describe shadow do
@ -174,7 +174,7 @@ A list of integers reflecting the number of days a user must be inactive before
### expiry_dates
A list of integers reflecting the number of days since Jan 1 1970 that a user account has been disabled, for each user matching the filter. Value is `nil` if the account has not expired.
A list of integers reflecting the number of days since Jan 1, 1970 that a user account has been disabled, for each user matching the filter. Value is `nil` if the account has not expired.
# No one should have an expired account.
describe shadow do
@ -214,7 +214,7 @@ The encrypted password strings, or an account status string. Each string may not
### last_change
An integer reflecting the number of days since Jan 1 1970 since the user's password was changed.
An integer reflecting the number of days since Jan 1, 1970 since the user's password was changed.
# Find users who have not changed their password within 90 days
describe shadow.where { last_change > Date.today - 90 - Date.new(1970,1,1) } do
@ -242,7 +242,7 @@ An integer reflecting the maximum number of days a user may go without changing
### warn_days
An integer reflecting the number of days before a password expiration that a user recieves an alert.
An integer reflecting the number of days before a password expiration that a user receives an alert.
# All users should have a 7-day warning policy
describe shadow.where { warn_days != 7 } do

2
docs-chef-io/content/inspec/resources/user.md
View file

@ -179,7 +179,7 @@ The `badpasswordattempts` matcher tests the count of bad password attempts for a
where `0` is the count of bad passwords for a user.
On Linux based operating systems it relies on `lastb` and for Windows it uses information stored for the user object.
These settings will be resetted to `0` depending on your operating system configuration.
These settings will be reset to `0` depending on your operating system configuration.
### lastlogin

2
inspec-bin/lib/inspec-bin/version.rb
View file

@ -1,5 +1,5 @@
# This file managed by automation - do not edit manually
module InspecBin
INSPECBIN_ROOT = File.expand_path("..", __dir__)
VERSION = "4.50.2".freeze
VERSION = "4.50.6".freeze
end

2
lib/inspec/version.rb
View file

@ -1,3 +1,3 @@
module Inspec
VERSION = "4.50.2".freeze
VERSION = "4.50.6".freeze
end

6
omnibus/Gemfile
View file

@ -19,9 +19,3 @@ group :development do
gem "test-kitchen", ">= 1.23"
gem "winrm-fs", "~> 1.0"
end
instance_eval(ENV["GEMFILE_MOD"]) if ENV["GEMFILE_MOD"]
# If you want to load debugging tools into the bundle exec sandbox,
# add these additional dependencies into Gemfile.local
eval_gemfile(__FILE__ + ".local") if File.exist?(__FILE__ + ".local")