Commit graph

306 commits

Author SHA1 Message Date
Markus Grobelin
c626dfdbd9 cpan resource: check for Perl module installation (#2254)
* Added CPAN resource to check Perl modules

control 'cpan-1' do
  impact 1.0
  desc '
    Ensure Perl modules DBI and DBD::Pg are installed.
  '

  describe cpan('DBI') do
    it { should be_installed }
  end

  describe cpan('DBD::Pg') do
    it { should be_installed }
    its('version') { should cmp >= '3.0' }
  end
end

Signed-off-by: Markus Grobelin <grobi@koppzu.de>

* cpan resource: fixed unit test for non-installed module

Signed-off-by: Markus Grobelin <grobi@koppzu.de>
2017-10-25 16:01:26 +02:00
Adam Leff
8dc48533aa new resource: elasticsearch resource, test cluster/node state (#2261)
* new resource: elasticsearch resource, test cluster/node state

This is a new resource for testing an Elasticsearch cluster. It operates
by fetching the `_nodes` endpoint from a given Elasticsearch node and
collects data about each node in a cluster, even if there's only a
single node.

This work is based on inspiration from an initial PR #1956 submitted by
@rx294.

Signed-off-by: Rony Xavier <rx294@nyu.edu>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Adam Leff <adam@leff.co>

* Reduce mock data on non-default tests

Signed-off-by: Adam Leff <adam@leff.co>
2017-10-20 17:28:48 -04:00
narkaTee
4f005d8510 Fix port ressource ss line parsing (#2243)
Fixes the 'ss -tulpen' command parsing when multiple processes use the
same fd.

Signed-off-by: Jan Ullrich <narkat@gmail.com>
2017-10-17 14:45:37 +02:00
Keith Walters
2a8d6e0e91 Uses netstat to detect open ports on AIX (#2210)
* Uses netstat to detect open ports on AIX

Signed-off-by: Keith Walters <keith.walters@cattywamp.us>

* Adds unit tests for AIX port resource

Signed-off-by: Keith Walters <keith.walters@cattywamp.us>
2017-10-10 10:54:18 +02:00
Adam Leff
939ee5ecfc processes resource: support busybox ps (#2222)
This change enhances the processes resource to support the busybox
ps command which is common on Alpine, for example. The way we
map ps fields to the structs needed by FilterTable have also been
refactored to be more flexible so we can support multiple formats
in the future.

Also, the processes resource now allows the grep argument to be optional
thus allowing a user to query all resources without passing in a
match-all regex.

Signed-off-by: Adam Leff <adam@leff.co>
2017-10-06 19:32:39 +02:00
Adam Leff
9d8c53cf31 Support symbol keys in ObjectTraverser (#2221)
As detected in #2036, it is not possible to extract values from
a YAML file if the key is a symbol. This change refactors ObjectTraverser
to support symbol keys before attempting to stringify them.

Signed-off-by: Adam Leff <adam@leff.co>
2017-10-06 19:24:31 +02:00
Jared Quick
7bb7767dae Add nil check for sshd config file (#2217)
* Add nil check for sshd config file

This fixes #1778. There was a issue where if the user did not have read
permissions on /etc/ssh/sshd_config it would error out on the empty?
check. The fix here is to also look for nil on the file content. Along
with this I refactored the inspec file empty? check as it does not exist
and was also erroring during my testing.

Signed-off-by: Jared Quick <jquick@chef.io>

* Add emptyfile test object and refactor tests

Signed-off-by: Jared Quick <jquick@chef.io>
2017-10-06 15:41:48 +02:00
Adam Leff
21ba43d6a5 http resource: properly execute tests on remote target (#2209)
Currently, the http resource always executes locally, even when scanning
a remote machine with `--target` which leads to undesireable behavior.

This change adds the ability to remotely execute tests with curl. This
behavior is currently opt-in with the `enable_remote_worker` flag, but
will become the default behavior in InSpec 2.0. Deprecation warnings
are emitted if the user is scanning a remote target but has not opted
in to the new behavior.

Signed-off-by: Adam Leff <adam@leff.co>
2017-10-04 22:44:09 +02:00
dromazmj
7fc7942ab1 firewalld resource: inspect the status and configuration of firewalld (#2074)
* New Resource - firewalld

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>

* New Resource - firewalld

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>

* New Resource - firewalld

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>

* New Resource - firewalld

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>

* Modifications to new resourec - firewalld

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>

* Modifications to new resource - firewalld

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>

* Modifications to new resource firewalld

Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>

* Modifications to new resource - firewalld

Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>

* Changing firewalld_command method to prepend the command with 'firewall-cmd' to reduce code reuse.

Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>

* Modifications made
	* installed? method now tells by checking if firewall-cmd is a command on the system
	* The firewalld_command method now strips the stdout of the return
	* added another test for testing multiple active zones

Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>

* Fixing rake lint issue

Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>

* Fixing match and returning boolean for seeing if firewalld is running

Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>

* Fixing lint issues

Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>

* Empty commit to rerun.  Accidentally updated branch.

Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>

* Rerunning test, accidentally updated branch. needs sign off commit

Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
2017-09-27 14:05:35 +02:00
dromazmj
b23a58b573 etc_hosts_allow and etc_hosts_deny resources: test the content of the tcpwrappers configuration files (#2073)
* New Resource-combined etc_hosts_allow etc_hosts_deny

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
2017-09-25 13:49:04 -04:00
Matt Ray
e23249d635 windows_hotfix resource: test whether a Windows HotFix is installed (#2178)
* Add hotfix resource for Windows

Signed-off-by: Matt Ray <matthewhray@gmail.com>

* Renamed hotfix to windows_hotfix

Added additional unit test checking for KB that is not present on a box

Signed-off-by: Matt Ray <matthewhray@gmail.com>

* Integration test to spot-check for hotfixes

Queries the Windows operating system via Powershell for a list of all
installed hotfixes and spot-checks every 10th one with the
windows_hotfix resource. Checking hundreds is time-consuming. Also
checks to ensure a non-installed hotfix is not present.

Signed-off-by: Matt Ray <matthewhray@gmail.com>
2017-09-25 19:09:22 +02:00
Jerry Aldrich III
125e0915b2 Modify DirProvider to allow special characters (#2174)
This modifies `Inspec::DirProvider` to allow special characters in the
file glob by escaping those characters via `Shellwords.shellescape`.

This fixes #2111 (`inspec check` on path with special characters)

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2017-09-23 09:16:25 +02:00
Jerry Aldrich III
cbcca9f39e Modify Upstart enabled check to use config file (#2163)
This modifies the enabled check for the `service` resource to use the
service's config file instead of `initctl show-config`.

`initctl show-config` does not accurately show the state of a service if
that service's config file is modified while the service is running.

This fixes #1834.

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
2017-09-21 12:21:34 -04:00
Adam Leff
adf25ae783 Support array syntax for registry_key resource (#2160)
Users cannot query for registry keys that have periods in them because of
how rspec-its works. This change enables Array-style syntax for the
registry_key resource so users can use that as a workaround.

Signed-off-by: Adam Leff <adam@leff.co>
2017-09-19 18:26:53 +02:00
Jennifer Burns
ec18dce62b auditd resource: test active auditd configuration against the audit daemon (#2133)
* Added auditd resource and documentation.

Signed-off-by: Jennifer Burns <jburns@mitre.org>

* Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl

Signed-off-by: Jennifer Burns <jburns@mitre.org>

* Removed all legacy code for audit < 2.3. Removed parens to create consistency.

Signed-off-by: Jennifer Burns <jburns@mitre.org>

* Updated method names and removed unnecessary content based on review

Signed-off-by: Jennifer Burns <jburns@mitre.org>
2017-09-18 21:47:18 +02:00
Jerry Aldrich III
9773e1cd94 Add wildcard/multiple server support to nginx_conf resource (#2141)
* Add wildcard/multiple server support to nginx_conf

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* separate the merge function for maps in nginx_conf

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-09-15 16:37:57 -04:00
Adam Leff
d4790f7f5a Ignore linked container names when parsing docker containers (#2134)
* Ignore linked container names when parsing docker containers

If a container is linked to another container, the normal `docker ps` output
does not include this information. However, when pulling the `.Names` field
with `docker ps --format`, the linked container is listed in the name. This
is confusing for users trying to use InSpec to audit a container.

This change strips any linked container names from the actual container name.

Signed-off-by: Adam Leff <adam@leff.co>

* Linked container names aren't guaranteed to be last depending on how they were linked

Signed-off-by: Adam Leff <adam@leff.co>
2017-09-13 08:16:53 -04:00
Rony Xavier
7d2da0c199 nginx resource: audit the nginx binary and how it was compiled (#1958)
* nginx base resource

Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Rony Xavier <rx294@gmail.com>
2017-09-13 08:15:09 -04:00
dromazmj
70548ab754 etc_fstab resource: test contents of the /etc/fstab file (#2064)
* Adding support for fstab

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>

* New Resource - etc_fstab

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>

* New Resource - etc_fstab

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>

* Modifications to new resource - etc_fstab

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>

* Modifications to new resource - etc_fstab

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>

* Modifications to new resource - etc_fstab

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>

* Modifications to docs of new resource etc_fstab

Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>

* Modifications to new resource etc_fstab

Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
2017-09-11 15:55:03 +02:00
ChadScott
09b145122d Modify linux regular expression to handle process names with spaces (#2117)
* Modify linux regular expression to handle process names with spaces

Signed-off-by: Chad Scott <cscott@chadikins.com>

* Add mocks, tests, etc.

Signed-off-by: Chad Scott <cscott@chadikins.com>
2017-09-05 14:36:55 +02:00
dromazmj
cb5b475bb1 etc_hosts resource: test the contents of the /etc/hosts file (#2065)
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
2017-08-31 09:51:39 -04:00
Jonathan Morley
3e7d47505c Add support for XML files (#2107)
* Add support for XML files

Signed-off-by: Morley, Jonathan <jmorley@cvent.com>

* Use REXML instead of nokogiri

Signed-off-by: Morley, Jonathan <jmorley@cvent.com>
2017-08-31 09:56:14 +02:00
Adam Leff
e2fa0b5e73 port resource: support ss instead of netstat (#2110)
* port resource: support ss instead of netstat

`netstat` is officially deprecated and is replaced with `ss`. This PR
changes the port resource to use `ss` if it's available on the target
system.

Signed-off-by: Adam Leff <adam@leff.co>

* Disable Metrics/ClassLength cop on the LinuxPorts class

Signed-off-by: Adam Leff <adam@leff.co>
2017-08-31 09:53:08 +02:00
Anthony Shaw
d5f33f0b99 pip resource: support non-default pip locations, such as virtualenvs (#2097)
* Update pip resource for #516 allow user to set path to pip executable

Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>

* support virtualenv path, pip file exec and better logic

Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>

* add tests for the change to the pip path and resource

Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>

* tests are case sensitive, although command line is not

Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>

* use a path verification method instead of a class method

Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>

* use guard clauses instead of conditionals

Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>

* change the control flow to return nil when commands are not available

Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>

* fix the return values when custom pip path is not valid

Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>

* Refactor pip path detection to fix unit tests

Signed-off-by: Adam Leff <adam@leff.co>
2017-08-30 22:04:22 +02:00
Adam Leff
c383175417 Support mixed-case group entries (#2101)
* Support mixed-case group entries

The `group` resource downcased the input parameter unless the target
was a Windows node. However, it's completely legitimate for a Unix-y
node to have mixed case group and passwd entries.

This change does have the potential to break people that did not carefully
match their case when searching for a group, but we're currently blocking
people from using the group resource properly if they have mixed-case
entries.

Signed-off-by: Adam Leff <adam@leff.co>

* Fix unit tests

Signed-off-by: Adam Leff <adam@leff.co>
2017-08-30 22:02:45 +02:00
Jennifer Burns
3b2bf52b1d auditd_rules resource: fix get_keys error on lines that have no keys (#2103)
* Added line to fix bug when no key in file rule and updated test to validate bug fix

Signed-off-by: Jennifer Burns <jburns@mitre.org>

* Updated to consider corner case

Signed-off-by: Jennifer Burns <jburns@mitre.org>
2017-08-29 07:11:14 +02:00
Jennifer Burns
2cef15aec3 aide_conf resource: test configuration of the AIDE file integrity tool (#2063)
* Added aide_conf resource and subsequent files

* Updated to match on all selection lines

Signed-off-by: Jennifer Burns <jburns@mitre.org>

* Changed to use CommentParser and fixed typo

Signed-off-by: Jennifer Burns <jburns@mitre.org>

* Fix typo in test file

Signed-off-by: Jennifer Burns <jburns@mitre.org>

* Updated to address PR feedback

Signed-off-by: Jennifer Burns <jburns@mitre.org>
2017-08-25 22:13:43 +02:00
Adam Leff
367d42fb3a Properly handle held packages on dpkg-flavored OS (#2087)
* check the proper field for dpkg installation state fixes #2006

Signed-off-by: Mathieu Sauve-Frankel <msf@kisoku.net>

* Properly handle held packages on dpkg-flavored OS

InSpec was looking at the wrong field in `dpkg -s` output to determine
whether a package was installed or not. An installed, held package was
incorrectly reported as uninstalled.

This adds the proper unit tests and also adds a `be_held` matcher.

Thanks to @kisoku for the initial work in #2007.

Signed-off-by: Adam Leff <adam@leff.co>
2017-08-18 17:29:23 +02:00
Matt Kulka
0fc870de30 Fix docker_container.tag to properly fetch from image name (#2052)
Fixes #2051

Images with repos containing port numbers will have multiple colons.

Signed-off-by: Matt Kulka <mkulka@parchment.com>
2017-08-10 14:57:45 +02:00
Dominik Richter
805a0eeb89 catch newline issues in xinet.d (#2043)
The fix is already provided here: https://github.com/chef/inspec/pull/2040

This PR only adds a unit test to catch it

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-08-02 16:43:55 +02:00
Adam Leff
9580732814 Source reader should not hand back files with nil contents (#2003)
If a profile has a data files directory that looks like this:

```
files/platforms/one/data.json
files/platforms/two/data.json
files/platforms/three/data.json
```

... the source reader will return the directories in the list of files but with
nil contents. This causes an issue when Inspec::Profile tries to create a sha256
checksum of the profile contents only to try to cast nil to a string when
building the null-delimited profile contents string.

Files that are empty will have an empty string as its contents, so it's safe to
assume that file entries with nil contents are actually a directory and have no
affect on the profile's checksum. Therefore, this change will eliminate any file
entries in responses from the source readers where the contents are nil.

Signed-off-by: Adam Leff <adam@leff.co>
2017-07-11 21:33:55 +02:00
Adam Leff
1ea06ac3ea Change host resource to use getent ahosts on Linux (#2002)
* Change host resource to use getent ahosts on Linux

In InSpec 1.31, we changed the `host` resource to use `dig` instead of `getent
hosts` for name resolution because `getent hosts` does not return all entries
(only the first v6 entry if it exists, then the first v4 entry) and we wanted to
keep the Darwin and Linux implementation as close as possible. Unfortunately,
this affected users' ability to do resolution checks for entried stored in their
/etc/hosts file.

This change goes back to using `getent` for Linux and changes to `getent ahosts`
which returns both v4 and v6 records. Additionally, the Darwin provider's dig
implementation was reordered to return v4 addresses before v6 addresses to be
consistent with how `getent ahosts` returns records.

Signed-off-by: Adam Leff <adam@leff.co>

* Update unit tests for resolve_with_getent with proper output

Signed-off-by: Adam Leff <adam@leff.co>
2017-07-11 21:32:52 +02:00
Adam Leff
c280e9a816 Fix host resolution on Darwin, use dig wherever possible (#1986)
* Fix host resolution on Darwin, use dig wherever possible

The `host` and `dig` commands do not return non-zero if a query returns NXDOMAIN
or NOERROR, but the DarwinHostProvider was expecting it when deciding whether to
fall back to IPv4 if a IPv6 query failed. Therefore, the `host` resource would
not function properly when resolving hostnames on Darwin. The logic has been
changed to use `dig` short output and query for both v6 and v4 addresses.

Additionally, the LinuxHostProvider has been modified to prefer `dig` if it's
available to keep behavior similar between Darwin and Linux whenever possible.
This has the added benefit of providing v6 and v4 resolution if possible where
`getent hosts` only returns v6 if v6 records exist.

Signed-off-by: Adam Leff <adam@leff.co>
2017-07-05 10:45:30 -04:00
Aaron Lippold
cc7ed38d09 kernel_module resource: added blacklisting, enabled, disabled, docs and unit tests (#1798)
* Fix up methods, add command mock, do string matching in ruby instead of command

Fixes #1643
Fixes #1673

Signed-off-by: Aaron Lippold <lippold@gmail.com>
2017-07-05 11:41:44 +02:00
Aaron Lippold
224935e9cf New postgres_hba_conf resource (#1964)
* Created pg_hba_conf resource

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Created pg_hba_conf resource

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Corrections

* updated to parse auth-options

Signed-off-by: Aaron Lippold <lippold@gmail.com>

* updated `conf_path` instance var to `conf_file` for consistancy.

Signed-off-by: Aaron Lippold <lippold@gmail.com>

* pg_hba_conf - updated the parse_line method
added test and doc files

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Updated few bugs on pg_hba_conf
updated test files and docs

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Updated docs

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Made updates based on the reccomendations

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* PR commit

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* PR Commit

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Update Gemfile.lock

* PR Commit

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Updated doc file for postgres_hba_conf resource to use
'cmp' matcher instead of 'eq'

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Made requested changes, except for SimpleConfig - will address that later.

Signed-off-by: Aaron Lippold <lippold@gmail.com>
2017-07-03 20:13:51 +02:00
Aaron Lippold
57864f1488 New postgres_ident_conf resource (#1963)
* Initial commit of pg_ident_conf resource

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Initial commit of pg_ident_conf resource

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Small updates to organization of code

Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Rony Xaiver <rx294@nyu.edu>

* updated `conf_path` instance var to `conf_file` since we are returning
a file.

Signed-off-by: Aaron Lippold <lippold@gmail.com>

* Updated few bugs on pg_ident_conf
added test files and docs

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Updated docs

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Added mock folders

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Added mock folders

Signed-off-by: Rony Xavier <rx294@nyu.edu>
Signed-off-by: Aaron Lippold <lippold@gmail.com>

* Added mock folders

Signed-off-by: Rony Xavier <rx294@nyu.edu>
Signed-off-by: Aaron Lippold <lippold@gmail.com>

* Added OS check

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Added mock file

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Added mock folders

Signed-off-by: Rony Xavier <rx294@nyu.edu>
Signed-off-by: Aaron Lippold <lippold@gmail.com>

* added windows mock file

Signed-off-by: Aaron Lippold <lippold@gmail.com>

* Changed resource name from pg_ident_conf to postgres_ident_conf

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* Completed corrections reccomended on PR

Signed-off-by: Rony Xavier <rx294@nyu.edu>

* removed copyright information

Signed-off-by: Aaron Lippold <lippold@gmail.com>
2017-07-03 20:01:40 +02:00
Christoph Hartmann
0839be50d6 oracle_session and mssql_session improvement (#1857)
* improve database parsing
* support sqlcli
* ensure headers are downcast
* externalize database helper
* use password as argument
* feedback from @adamleff
* inline docs update + linting
* stay backwards compatible
* implement tests
2017-06-29 11:01:32 -04:00
Adam Leff
a6582bea9b Remove any "All Rights Reserved" references (#1969)
* Remove any "All Rights Reserved" references

InSpec is licensed and released under the Apache 2.0 license. This
change removes all reference to legacy code files that still had
any Copyright or License lines referring to "All Rights Reserved".

Signed-off-by: Adam Leff <adam@leff.co>

* fix functional tests

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-06-28 04:14:19 -07:00
Dominik Richter
56549aed82 add nginx_conf resource (#1889)
The resource itself only offers contents and params right now. It resolved
all include calls it can find and creates the aggregated config object.

This is limited in functionality. One last (set of) PR(s) is needed to
add an interface that makes querying this config file easier. It is due
to the file's inherent complexity that I want to explore which methods
are needed to be effective. In the meantime, this resource offers accessors
to the underlying data that are stable.

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-06-26 06:37:41 -07:00
Aaron Lippold
3bb98fa1e8 Fixes the postgres_conf parsing of complex paramerters (#1938)
Fixes #1671

Signed-off-by: Aaron Lippold <lippold@gmail.com>
2017-06-23 08:31:27 -07:00
Nolan Davidson
52cc27dd06 Adding toml resource (#1924)
* Adding toml resource

This adds a `toml` resource that inherits from the json resource and
behaves the same way as the JSON and YAML resources.

Signed-off-by: Nolan Davidson <ndavidson@chef.io>
2017-06-15 16:54:12 -04:00
Adam Leff
12a495c631 Add TCP reachability support on Linux for host resource (#1915)
* Add TCP reachability support on Linux for host resource

This enhances the `host` resource on Linux targets by using netcat
(if installed) to perform TCP reachability checks.

Signed-off-by: Adam Leff <adam@leff.co>

* documentation updates

Signed-off-by: Adam Leff <adam@leff.co>

* Appease rubocop

Signed-off-by: Adam Leff <adam@leff.co>
2017-06-09 18:18:51 +02:00
Juan Carlos Castillo Cano
1c98ff13f6 Support special cases for crontab resource
Signed-off-by: Juan Carlos Castillo Cano <jccastillocano@gmail.com>
2017-06-06 15:12:12 +02:00
username-is-already-taken2
9d9baeb09f Added windows support to the processes resource
Signed-off-by: username-is-already-taken2 <digitalgaz@hotmail.com>
2017-06-05 23:41:02 +01:00
Christoph Hartmann
687f1a5827 update unit tests
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-05-31 00:21:05 -05:00
Keith Walters
215ef38ee9 Fix installed? check for gem resource
The gem resource used to determine if a gem is installed based on the exit
status of the `gem` command, however that command will return zero
if the package was found or not. This patch checks to ensure that the
`gem list` command actually includes the gem name or is empty to
determine if the gem is in fact installed.

If the gem command returns something other than a `0` exit code, then
it'll skip the resource.

Signed-off-by: Keith Walters <keith.walters@cattywamp.us>
2017-05-22 15:34:01 -05:00
Christoph Hartmann
b0ab35d941
throw an error during inspec check if the version is not correct
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-05-18 09:13:37 -04:00
Dominik Richter
5d1765c9bb add inspec.profile.file(...) for profile files
Fixes https://github.com/chef/inspec/issues/1396

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-05-03 20:39:27 +02:00
Christoph Hartmann
218bda9c34 Docker resource (#1566)
* add docker, docker_container, and docker_image resources

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-04-24 10:47:03 -04:00
Tor Magnus Rakvåg
96bb596bc4 fetch user groups while building user object
Signed-off-by: Tor Magnus Rakvåg <tm@intility.no>
2017-04-20 16:02:21 +02:00
Ryan Gerstenkorn
5e0cab08a0 Add OSX support for host resource (#1608)
* Add OSX support for host resource

Signed-off-by: Ryan Gerstenkorn <ryan_gerstenkorn@fastmail.fm>
2017-04-13 11:32:04 -04:00
Dominik Richter
02e435b6d0 add rabbitmq config resource
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-04-12 20:51:12 +02:00
Doc Walker
692e660140 Fix #1617 Add dh_params resource (#1618)
* Fix #1617 Add dh_params resource

Signed-off-by: Doc Walker <4-20ma@wvfans.net>
2017-04-04 10:34:09 -04:00
Adam Leff
68a930f141 Merge pull request #1406 from carldjohnston/apache_conf-symlinks
Allow apache_conf to include symlinked configuration files
2017-04-03 10:38:22 -04:00
Adam Leff
8e693a4ad9 Fix port resource for invalid IP address in netstat output
Netstat will sometimes output an IPv6 address that is not
formatted correctly; the address is either truncated or uses
or implies the `::` shorthand notation twice. This yields an
invalid IPv6 address and causes IPAddr.new to choke.

This change guards against invalid IP addresses and ensures they
do not end up in the port resource's entries list.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-29 08:33:50 +02:00
joe.nuspl
1ab80ea052 Extend gem to take an optional gem_binary
Allows one to test whether gems are installed into an omnibus environment.

Signed-off-by: Joe Nuspl <nuspl@nvwls.com>
2017-03-24 22:28:42 -07:00
Richard Nixon
f66f0b3a18 Initial support for x509_certificate and rsa_key
* Includes unit tests
* Includes 2 new resources
* Includes documentation

Signed-off-by: Richard Nixon <richard.nixon@btinternet.com>
2017-03-22 10:00:48 +01:00
Adam Leff
4f2b66302d Fix ObjectTraverser when accessing array values
When attempting to access array values via the `json` resource:

```
describe json('/tmp/test.json') do
      its(['array',0]) { should eq "zero" }
end
```

... the resulting data would be an array of the size of the original array
with all the values replaced with nils:

```
     expected: "zero"
          got: [nil, nil, nil]
```

This was due to a bug in the ObjectTraverser mixin that mapped array values
back through `extract_value` rather than properly handling the passed-in
key(s). This worked fine for the specific data format created by the `csv`
resource but did not work `json` or any other resource that subclassed the
`JsonConfig` resource.

This change fixes the logic when dealing with an array when it's encountered,
and fixes up the `csv` resource with its own `value` method.

This change also adds tests for ObjectTraverser.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-15 11:35:55 +01:00
Adam Leff
dfce561276 Provide better error message when inspec.yml is invalid
Currently, if the inspec.yml for a profile is invalid (such as including
an improperly-defined multi-line string), InSpec will throw an exception
from the YAML parser that does not given a clear indication that the
issue was encountered while parsing the inspec.yml file.

This change introduces a better exception message to clue the user into
where the problem actually lies.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-09 18:03:01 +01:00
Adam Leff
037f08beb2 Fixing port check with v4 IPs in a v6 netstat line
On Linux, netstat may show a tcp6/udp6 protocol line but include a
v4 address. This happens with AF_INET6 sockets that can accept
both v4 and v6 traffic. The port check was not properly handling
this situation and trying to pass a v4 address to URI bracketed as
if it was a v6 address.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-06 22:03:41 -07:00
Carl Johnston
3bdf1563e8 Added unit tests for apache_conf inclusion of symlinked files.
Same test added to both Ubuntu and Centos for consistency.

Signed-off-by: Carl Johnston <carldjohnston@gmail.com>
2017-02-24 16:13:22 +11:00
Joseph Benden
1fdecc6680 Add FreeBSD support for ZFS datasets and pools
The following new resources have been added; however, they
presently only support FreeBSD and similar.

* `zfs_dataset`: tests if a named ZFS dataset is present
  and/or has certain properties.
* `zfs_pool`: tests if a named ZFS pool is present and/or
  has certain properties.

Additionally, the `mount` resource has been reworked to
include support for FreeBSD; while the existing class
was renamed to LinuxMountParser.

Unit-tests were added for all of the above.

Signed-off-by: Joseph Benden <joe@benden.us>
2017-02-22 10:29:49 -07:00
Alex Pop
88975bff2a Switch package resource to os.redhat detection and use two spaces as fileds delimited
Signed-off-by: Alex Pop <apop@chef.io>
2017-02-15 11:07:10 +00:00
Alex Pop
fae96f6249 Add RedHat support for packages resource
Fix dpkg trimming of first line
Signed-off-by: Alex Pop <apop@chef.io>
2017-02-15 11:07:10 +00:00
Adam Leff
417b791baa Adding new crontab resource
The crontab resource parses a particular user's crontab file into
individual entries and allows the user to assert information about
each entry as needed.

Signed-off-by: Adam Leff <adam@leff.co>
2017-02-10 09:33:31 -05:00
jtimberman
d7fad68541 add "packages" resource
This pull request adds a packages resource so that we can check for pattern matches against all the packages on a system. This initially implements only dpkg support for debian-based platforms so we can cover this use case:

```ruby
describe packages(/^xserver-xorg.*/) do
  its("list") { should be_empty }
end
```

This uses FilterTable so we can supply additional queries, too.

```ruby
describe packages(/vi.+/).where { status != 'installed' } do
  its('statuses') { should be_empty }
end
```

Users can specify the name as a string or a regular expression. If it is a string, we will escape it and convert it to a regular expression to use in matching against the full returned list of packages. If it is a regular expression, we take that as is and use it to filter the results.

While some package management systems such as `dpkg` can take a shell glob argument to filter their results, we eschew this and require a regular expression to match multiple package names because we will need this to work across other platforms in the future. This means that the following:

```ruby
packages("vim")
```

Will return *all* the "vim" packages on the system. The `packages` resource will take `"vim"`, turn it into `/vim/`, and greedily match anything with "vim" in the name. To match only a single package named `vim`, it needs to be an anchored regular expression.

```ruby
packages(/^vim$/)
```

Signed-off-by: Joshua Timberman <joshua@chef.io>

Use entries instead of list

Added a few more tests and non installed package in output
Signed-off-by: Alex Pop <apop@chef.io>

fix lint

Signed-off-by: Alex Pop <apop@chef.io>

Signed-off-by: Joshua Timberman <joshua@chef.io>
2017-02-07 10:29:11 +00:00
Alex Pop
6f3a9d22d7 define protocol as done in CentOS
Signed-off-by: Alex Pop <apop@chef.io>
2017-01-31 14:47:21 +00:00
Alex Pop
a3de32ad04 Fix xinetd parsing of services from the same file. Expose resource.protocols
Signed-off-by: Alex Pop <apop@chef.io>
2017-01-31 12:40:29 +00:00
Andrey Aleksandrov
3783357e50
Add version method to kernel_module
Signed-off-by: Andrey Aleksandrov <postgred@gmail.com>
2017-01-27 13:33:41 +03:00
Christoph Hartmann
efab62ef00 optimize regular expression for postgres config parsing
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-01-05 13:16:47 +01:00
Javier Palomo Almena
3f1986eb6f Mock 'brew info --json=v1 curl' to facilitate unit testing the package resource for the darwin platform
Signed-off-by: Javier Palomo Almena <javier.palomo.almena@gmail.com>
2017-01-02 17:57:20 +01:00
Wei, He
fd04daf77c add testcase for #1332
Signed-off-by: Wei, He <weihe924stephen@gmail.com>
2016-11-30 13:25:44 +09:00
username-is-already-taken2
e6e47eec4c Added unit tests, only took most of the night :) 2016-11-20 20:07:59 +00:00
Alex Pop
70416a35b4 use command instead of comm and set user column width on linux
Signed-off-by: Alex Pop <apop@chef.io>
2016-10-17 15:39:13 +01:00
Anirudh Gupta
8efec7ac6c fix processes resource for os's where username is long to avoid truncation 2016-10-17 11:46:16 +01:00
Alex Pop
5d51b7a0aa dot inspect actual value to match the expected string one 2016-10-13 07:13:51 -07:00
Alex Pop
6719cf544d add tests for cmp output 2016-10-10 05:40:22 -07:00
Steven Danna
7aa4c6da8e Fix require_controls DSL method
Previous, require_controls was including all controls from the named
profile, despite the documented behavior being that it only includes
controls explicitly pulled in by the user.  The cause was two-fold:

1) A previous refactor meant that we weren't removing the rule from the
correct context, and

2) We weren't descending down the dependency tree when filtering rules.

This commit fixes the require_controls DSL method and adds a test to
help prevent future regressions.

Signed-off-by: Steven Danna <steve@chef.io>
2016-09-26 15:20:56 +02:00
Christoph Hartmann
dab8ff5c13 replace wmi win32_useraccount with adsi users 2016-09-26 01:31:44 +02:00
Alex Pop
13da437dcc Show skip_message and correct title 2016-09-23 07:47:21 +01:00
Christoph Hartmann
f7ec24a337 implement filter table for group/groups resource 2016-09-23 00:53:24 +02:00
David Pell
155995adfd In ApacheConf#include_files, check for abs paths
If the path is absolute, just use what was passed, otherwise build an
absolute path using `@conf_dir`.

Fixes #1013
2016-09-20 09:11:09 -04:00
Steven Danna
b2146d8758 Allow users to reference resources from dependencies
All resources from deps are added into the control_eval_context used by
the current profile. However, if there is a name conflict, the last
loaded resource wins. The new `require_resource` dsl method allows the
user to do the following:

    require_resource(profile: 'profile_name',
                     resource: 'other',
                    as: 'renamed')

    describe renamed do
      ...
    end

Signed-off-by: Steven Danna <steve@chef.io>
2016-09-19 19:08:43 +02:00
Steven Danna
f2e587f6d5
Skip controls from profile's that don't support the current platform
Any controls included from profiles that don't support our current
platform are now marked as skipped.

Fixes #1049
2016-09-14 09:57:53 +01:00
Steven Danna
8f10ee53c5 Provide inspec.yml shortcut syntax
- Allow users to elide the `name` attributes
- Assume a default source of supermarket

Fixes #1048

Signed-off-by: Steven Danna <steve@chef.io>
2016-09-14 08:46:06 +02:00
Christoph Hartmann
a2143b8249 identify enabled/disabled accounts for windows 2016-09-12 11:40:25 +02:00
Christoph Hartmann
e61f71143d add unit tests 2016-09-09 12:43:03 +02:00
Steven Danna
5fdf659df1 Load all dependent libraries, even if include_context isn't called
The goal of these changes is to ensure that the libraries from
dependencies are loaded even if their controls are never included.  To
facilitate this, we break up the loading into seperate steps, and move
the loading code into the Profile which has acceess to the dependency
information.

Signed-off-by: Steven Danna <steve@chef.io>
2016-09-04 20:55:20 +02:00
Steven Danna
384ccb610c Initial attempt at isolating resources between dependencies
Previously, all resources were loaded into a single resource registry.
Now, each profile context has a resource registry, when a profile's
library is loaded into the profile context, we update the
profile-context-specific resource registry.  This local registry is
then used to populate the execution context that the rules are
evaluated in.

Signed-off-by: Steven Danna <steve@chef.io>
2016-09-04 20:55:20 +02:00
Christoph Hartmann
a116406b4e Merge pull request #1014 from jeremymv2/fix_apache_conf
Fix apache conf
2016-09-04 20:18:16 +02:00
Victoria Jeffrey
99ce09c4ac fix inherited profile cli report 2016-09-04 18:28:01 +02:00
Jeremy J. Miller
03cb244e84 removed superflous Listen 80 2016-09-02 22:02:47 -04:00
Jeremy J. Miller
1b92d15d8f added unit tests 2016-09-02 21:55:28 -04:00
Victoria Jeffrey
5d5aa6354d fix and add test 2016-09-01 20:39:52 -04:00
Steven Danna
3a6e610de9 Allow functional tests to pass on OSX
A few minor issues were causing 3 functional test failures on OS X.
These were not program errors but where rather the result of the
profiles under test assuming a linux environment.

Since many of the developers who will work on this project in the future
will be running OS X, let's ensure they can run the functional tests
easily.

Signed-off-by: Steven Danna <steve@chef.io>
2016-08-26 15:25:59 +02:00
Christoph Hartmann
64a5a4d082 switch from os-hardening to ssh-hardening profile 2016-08-25 14:42:55 +02:00
Steven Danna
6034ece853 Initial control isolation support
The goal of this change is to provide an isolated view of the available
profiles when the user calls the include_controls or require_controls
APIs.  Namely,

- A profile should only be able to reference profiles that are part of
  its transitive dependency tree. That is, if the dependency tree for a
  profile looks like the following:

  A
  |- B --> C
  |
  |- D --> E

  Then profile B should only be able to see profile C and fail if it
  tries to reference A, D, or E.

- The same profile should be include-able at different versions from
  different parts of the tree without conflict.  That is, if the
  dependency tree for a profile looks like the following:

  A
  |- B --> C@1.0
  |
  |- D --> C@2.0

  Then profile B should see the 1.0 version of C and profile D should
  see the 2.0 profile C with respect to the included controls.

To achieve these goals we:

- Ensure that we construct ProfileContext objects with respect to the
  correct dependencies in Inspec::DSL.

- Provide a method of accessing all transitively defined rules on a
  ProfileContext without pushing all of the rules onto the same global
  namespace.

This does not yet handle attributes or libraries.
2016-08-25 14:42:55 +02:00
Christoph Hartmann
956d3b7292 add unit test for new package resource 2016-08-24 14:40:26 +02:00
Christoph Hartmann
95029203cd unique controls for dependency tests 2016-08-19 09:47:41 +02:00
Steven Danna
d779dd53ae Move all dependency related classes into inspec/dependencies
Signed-off-by: Steven Danna <steve@chef.io>
2016-08-19 09:47:40 +02:00
Steven Danna
2041a08aa2 Fetch deps based on urls
This extends the dependency feature to include support for url-based
dependencies.  It takes some deviations from the current support for
URLs that we'll likely want to make more consistent.

By default, we store downloaded archives in the cache rather than the
unpacked archive. However, to facilitate debugging, we will prefer the
unpacked archive if we find it in the cache.

Signed-off-by: Steven Danna <steve@chef.io>
2016-08-19 09:47:40 +02:00
Steven Danna
34ae3122e9 Fix recursive deps for path-based deps
Signed-off-by: Steven Danna <steve@chef.io>
2016-08-18 16:02:16 +02:00
Victoria Jeffrey
cf771ab967 ssh_config parse should be case insensitive 2016-08-16 10:01:10 +02:00
Alex Pop
353dcf10ec make netstat default for getting ports and get only listening ones 2016-08-12 16:02:56 +01:00
Christoph Hartmann
d9a1a500d0 add params and content method to parse_config 2016-08-05 12:13:56 +02:00
Dominik Richter
c2f34932ad add port resource for windows 2008
using `netstat -an`
2016-07-21 14:58:43 +02:00
Dominik Richter
c6644ebdfe check service running by ActiveState
See http://unix.stackexchange.com/questions/159174/differences-between-inactive-vs-disabled-and-active-vs-enabled-services
2016-07-06 12:57:04 +02:00
Christoph Hartmann
9bdb01f1d5 improve wmi resource 2016-06-19 23:40:45 +02:00
Dominik Richter
f93084520f introduce cli report formatter 2016-06-15 17:11:29 +02:00
Dominik Richter
2db8d83d56 support intra-libraries file referencing + loading
solves https://github.com/chef/inspec/issues/779
2016-06-03 22:54:35 +02:00
Victoria Jeffrey
1811eb6666 Expose label for processes only on linux 2016-05-10 13:59:13 -04:00
Alex Pop
f78afe0d75 Use only strings in resource examples, docs and tests 2016-05-03 23:27:18 +01:00
Anirudh Gupta
738ef69bcf prefixed hpux to cmd file name 2016-05-03 21:38:39 +05:30
Anirudh Gupta
d839f218bf hpux support for basic port properties 2016-05-03 14:30:59 +05:30
Anirudh Gupta
75534fdaa5 added hpux user and package resource support 2016-04-21 14:01:56 +05:30
Thomas Cate
3051ead64d added tests for grub_conf resource 2016-04-17 10:46:29 -04:00
Dominik Richter
14995534cd skip profiles if the platform isnt supported 2016-04-16 15:34:23 -04:00
Jacob McCann
9dbf5354e5 Add 'static' value as enabled to systemd service enabled check 2016-04-13 14:44:28 -05:00
Dominik Richter
fb54c4ea24 api: inspec.yml supports now adds tests w/o running
Instead of just removing all tests because of OS support, supports now acts by adding all tests to the execution context, but doesnt actually execute them. Instead tests are set to skip before they get to the actual execution context
2016-04-06 11:28:52 +02:00
Christoph Hartmann
cd57b26bd0 wmi unit test 2016-03-20 11:53:56 +01:00
Dominik Richter
e617f74bcd filter xinetd fields by regex 2016-02-26 14:46:51 +01:00
Dominik Richter
4a39275fc0 add xinetd_conf resource 2016-02-26 13:19:16 +01:00
Dominik Richter
f023d02bbb add inspec source reader 2016-02-22 11:24:35 +01:00
Dominik Richter
1e096c7181 add shadow resource for /etc/shadow 2016-02-19 14:26:04 +01:00
Dominik Richter
83fcc35d2a expose all fields + deprecate singular accessors 2016-02-18 16:10:42 +01:00
Stephan Renatus
e184347c6d iptables unit test: add comment examples
this is not broken; but it should stay not broken ;)
2016-02-10 09:57:32 +01:00
Stephan Renatus
cd5f47ed33 auditd_rules: unit tests, meet the real world 2016-02-09 11:51:52 +01:00
Stephan Renatus
664561aa80 auditd_rules: status querying (old/new) and unit tests
TODO: unit tests for the legacy format
2016-02-09 11:51:52 +01:00
Stephan Renatus
4afb22565e auditd_rules: teach old dog new tricks 2016-02-09 11:51:52 +01:00
Stephan Renatus
688709356c upstart_service: add version mock for ubuntu 2016-02-05 13:49:18 +01:00
Christoph Hartmann
62844eee0c add unit tests 2016-01-28 18:30:38 +01:00
Dominik Richter
cac102aeac add profile tests (non-legacy) 2016-01-20 21:57:23 +01:00
Dominik Richter
611487e956 clearly identify legacy profile tests and fix identification 2016-01-19 15:48:06 +01:00
Dominik Richter
8c464965c1 extract example group creation
and restore profile tests that had been completely mocked until now
2016-01-19 15:48:06 +01:00
Dominik Richter
acbc345321 make metadata.rb legacy mode consistent for supports
Before introducing InSpec profiles in https://github.com/chef/inspec/pull/252 we had `metadata.rb` keep all information. This included an undisclosed field called `supports`. However, this field was never actually used in practice. So for legacy profiles, this means that `supports` was ignored. In order to keep old profiles running in exactly the way they were before, ignore this field when reading from metadata.rb
2016-01-15 18:58:18 +01:00
Jeremy W. Chalfant
a2ea1da6e3 move all lsof to formmated output (-F) 2016-01-14 23:03:24 -05:00
Jeremy W. Chalfant
b363e1d147 formatted lsof mockup 2016-01-14 23:03:24 -05:00
Mark Harrison
f5780b69a4 Correctly detect UDP ports on linux
netstat on UDP lines doesn't display a port state (e.g. LISTEN), so make this
field optional when parsing the netstat line.
2016-01-14 22:53:38 -05:00
Jacob McCann
f25ab3a373 Fix systemd service enabled check 2016-01-11 15:32:33 -06:00
Stephan Renatus
a26dbe146d fix reading profiles bug
For reading the profiles metadata, we're using the train mock backend
through Inspec::Runner. The new `supports` feature never agrees with the
mock backend.

Now, it we figure out if this is a mock class and then just say that it
supports whatever we're asking for.

Tl;dr: there's probably a more beautiful solution to this.

Added a test case, but it fails -- while the command line interface
works fine.
2016-01-07 15:16:49 -08:00
Christoph Hartmann
a72ba94f10 handle mount results with multiple entries 2016-01-03 00:03:24 +01:00
Christoph Hartmann
a5acb03e49 add mount resource 2016-01-03 00:03:24 +01:00
Dominik Richter
b2e0fac625 change check errors on summary+title to warnings 2015-12-23 09:18:59 +01:00
Stephan Renatus
7a1cd660c3 [resources/processes] add users, states attribute; update docs
processes('bash').user does not actually make much sense for a resource
that is a list -- different entries can belong to different users.
Analogous for processes('bash').state.

The attributes 'users' and 'states' expose the unique values
corresponding to that property of entries in the process list.

Fixes #295.
2015-12-08 13:06:27 +01:00
Stephan Renatus
79f48afa6c [resources/apache_conf]: add tests, fix bug
before, the resource would throw an exception when include_files
returned nil (i.e., [].flatten!)

added basic unit tests capturing the include_files behaviour
2015-12-07 10:50:48 +01:00
Christoph Hartmann
9231833cad add unit tests for user resource that cover ldap groups 2015-11-24 18:35:10 +01:00
Christoph Hartmann
0531976a40 implement unit tests for ini resource 2015-11-24 16:46:17 +01:00
Seth Chisamore
beade346bf Add Windows support to the os_env resource
This change allows checks like:

```
describe os_env('PATH') do
  its('split') { should include('C:\wix') }
end
```
2015-11-19 15:41:00 +01:00
Christoph Hartmann
27de925c2b update mock command for registry key 2015-11-17 22:28:11 +01:00
Dominik Richter
17ce88b63d api: don't force root on os_env 2015-11-13 12:10:22 +01:00