inspec / inspec
InSpec: Auditing and Testing Framework
Home Page: http://inspec.io
License: Other
Use-case:
Platform: Windows 10/ChefDK 0.9/InSpec 0.9 + Test Kitchen/AzureRM driver/Windows 2012 R2 Datacenter instance.
As per https://docs.chef.io/release/compliance_1-0/inspec_os.html
Input:
describe os['family'] do
it { should eq 'windows' }
end
Outcome:
1) should eq "windows"
Failure/Error: it { should eq 'windows' }
expected: "windows"
got: nil
(compared using ==)
Correct usage appears to be:
describe os[:family] do
it { should eq 'windows' }
end
Submitting a doc PR for this shortly.
set :backend, :ssh
RSpec.configure do |conf|
conf.host = ...
conf.ssh_options = ...
end
I used os_env but I don't get a result from it. I tested it in inspec shell:
command('echo $PATH').stdout => "/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl\n"
vs
os_env('PATH').content => nil
As reported by @schisamo :
%w(
candle.exe
heat.exe
light.exe
).each do |utility|
describe file("C:/wix/#{utility}") do
it { should be_file }
end
end
This will only register one describe call, not all 3.
Can the maintainers please update the CHANGELOG.md to a good format? It also appears that the CHANGELOG.md is currently out of date -- the most current version on Rubygems is 0.9.1, and the changelog only covers to 0.8.0.
Here is a good way to do a changelog:
Initial release of example_inspec
[#25] A github style reference to github issue 25.
[#431] Another github style reference.
Explain what is going on in the install instruction, what is being installed, and what the user can expect at the end.
The resource should cover cases like:
Dir.glob('c:/inetpub/wwwroot/**/*.htm') { |web_file|
..
}
describe docker.container('busybox') do
it { should exist }
it { should be_running }
end
describe docker.image('busybox:latest') do
it { should exist }
end
I've followed the setup instructions... gem install, simple file with example GordonConfig. Through debugging I see that the resource is listed in the registry. However, I am seeing:
app_server_spec.rb:19:in `load': undefined local variable or method `gordon_config' for #<#<Class:0x007fb204862a78>:0x007fb204862528> (NameError)
from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/profile_context.rb:31:in `instance_eval'
from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/profile_context.rb:31:in `load'
from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/runner.rb:76:in `add_content'
from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/runner.rb:57:in `block in add_tests'
from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/runner.rb:56:in `each'
from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/lib/inspec/runner.rb:56:in `add_tests'
from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/bin/inspec:77:in `exec'
from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
from /Users/aiwilliams/.rbenv/versions/2.1.6/lib/ruby/gems/2.1.0/gems/inspec-0.9.2/bin/inspec:109:in `<top (required)>'
from /Users/aiwilliams/.rbenv/versions/2.1.6/bin/inspec:23:in `load'
from /Users/aiwilliams/.rbenv/versions/2.1.6/bin/inspec:23:in `<main>'
When a file does not match the intended mode value, the failure return does not list what the mode is in the typical fashion, i.e., 0644, 0777, etc. Instead, as in the following example, it returns that it should equal 416 but instead equals 420. I would expect it to return the file permissions.
root@997d17a0fd01:~# cat spec.rb
describe file('/root/file') do
its('mode') { should eq 0640 }
end
root@997d17a0fd01:~# ls -l file
-rw-r--r-- 1 root root 0 Nov 10 18:17 file
root@997d17a0fd01:~# inspec exec spec.rb
F
Failures:
1) File /root/file mode should eq 416
Failure/Error: its('mode') { should eq 0640 }
expected: 416
got: 420
(compared using ==)
# spec.rb:2:in `block (2 levels) in load'
# /var/lib/gems/1.9.1/gems/inspec-0.9.2/lib/inspec/runner.rb:89:in `run_with'
# /var/lib/gems/1.9.1/gems/inspec-0.9.2/lib/inspec/runner.rb:85:in `run'
# /var/lib/gems/1.9.1/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
# /var/lib/gems/1.9.1/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
# /var/lib/gems/1.9.1/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
# /var/lib/gems/1.9.1/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
Finished in 0.04819 seconds (files took 0.21259 seconds to load)
1 example, 1 failure
Failed examples:
rspec # File /root/file mode should eq 416
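As an added example (not InSpec's own code), the following Ruby shows where the numbers in that failure come from and how a reporter could print them the way an administrator reads them: 0640 in a spec file is an octal literal (416 in decimal), and the -rw-r--r-- file from `ls -l` is 0644 (420). The helper names and the permission-string parser are assumptions for illustration.

```ruby
# Added example, not InSpec's own code: converting between the decimal mode that
# RSpec prints (416, 420) and the octal / `ls -l` forms an administrator reads.

# Decimal mode -> zero-padded octal string, e.g. 420 -> "0644", 416 -> "0640".
def mode_to_octal(mode)
  format('%04o', mode)
end

# Permission column of `ls -l` (e.g. "-rw-r--r--") -> integer mode.
# Only the nine rwx bits are handled; setuid/setgid/sticky flags are not parsed.
def perm_string_to_mode(perm)
  bits = perm[1, 9].to_s
  unless bits.match?(/\A([r-][w-][x-]){3}\z/)
    raise ArgumentError, "unsupported permission string: #{perm.inspect}"
  end
  # Character i (0..8) corresponds to bit 8-i: owner r = 0400 ... other x = 0001.
  bits.each_char.each_with_index.reduce(0) do |mode, (ch, i)|
    ch == '-' ? mode : mode | (1 << (8 - i))
  end
end

# The message the issue asks for: both sides shown as octal rather than decimal.
def mode_failure_message(expected, actual)
  "expected mode #{mode_to_octal(expected)}, got #{mode_to_octal(actual)}"
end

# Reproduce the issue's numbers: the spec wrote 0640 (an octal literal, 416 in
# decimal) and the file listed by `ls -l` is -rw-r--r-- (0644, 420 in decimal).
puts mode_failure_message(0640, perm_string_to_mode('-rw-r--r--'))
```

Running it prints `expected mode 0640, got 0644`, which is the same comparison as `expected: 416 / got: 420` above, only in the notation the spec author used.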
Extend the current test suites to run resource tests against real machines.
The command line description of inspec check says that it will verify the test structure. Used on the example in this repo, however, it returns warnings and errors:
[test-kitchen]$ ll
total 48
drwxr-xr-x 11 tball staff 374B Nov 3 19:51 .
drwxr-xr-x 3 tball staff 102B Nov 3 10:49 ..
drwxr-xr-x 4 tball staff 136B Nov 3 13:40 .kitchen
-rw-r--r-- 1 tball staff 246B Nov 3 10:49 .kitchen.yml
-rw-r--r-- 1 tball staff 47B Nov 3 10:49 Berksfile
-rw------- 1 tball staff 145B Nov 3 13:39 Berksfile.lock
-rw-r--r-- 1 tball staff 498B Nov 3 19:51 Gemfile
-rw-r--r-- 1 tball staff 896B Nov 3 10:49 README.md
-rw-r--r-- 1 tball staff 191B Nov 3 10:49 metadata.rb
drwxr-xr-x 4 tball staff 136B Nov 3 10:49 recipes
drwxr-xr-x 3 tball staff 102B Nov 3 10:49 test
[test-kitchen]$ chef exec inspec check .
W, [2015-11-04T14:38:32.092497 #27616] WARN -- : metadata.rb doesn't support: depends ["apt"]
W, [2015-11-04T14:38:32.092578 #27616] WARN -- : metadata.rb doesn't support: depends ["yum"]
I, [2015-11-04T14:38:32.153793 #27616] INFO -- : Checking profile in .
E, [2015-11-04T14:38:32.154004 #27616] ERROR -- : Profile name must be defined as: OWNER/ID
D, [2015-11-04T14:38:32.154080 #27616] DEBUG -- : Found 7 rules.
D, [2015-11-04T14:38:32.154114 #27616] DEBUG -- : Verify all rules in ./test/integration/default/web_spec.rb
W, [2015-11-04T14:38:32.154173 #27616] WARN -- : Rule web_spec.rb:6 has no title
W, [2015-11-04T14:38:32.154226 #27616] WARN -- : Rule web_spec.rb:6 has no description
W, [2015-11-04T14:38:32.154279 #27616] WARN -- : Rule web_spec.rb:26 has no title
W, [2015-11-04T14:38:32.154320 #27616] WARN -- : Rule web_spec.rb:26 has no description
We should clean up the built-in examples so they pass inspec check.
Currently we have no built-in support to run long powershell scripts.
When using port on CentOS, the following is logged
The `port` resource is not supported on your OS yet.
See https://github.com/chef/inspec/blob/master/lib/resources/port.rb#L26-L38
I think 'centos' should be in the family list for Linux
All of the inspec exec examples provide no hints as to what the expected outcome should be. For those who don't come from a Ruby universe, this is particularly confusing. Is it just a pass/fail as a return value? Is it JSON? Is it unformatted text? Is it rspec? Is it TAP?
It seems extremely realistic that someone would want to hook this up to, say, Jenkins. But with the lack of documentation on the consumer output, many will just take a pass and move on to something else.
Use http://ruby-doc.org/stdlib-2.0.0/libdoc/shellwords/rdoc/Shellwords.html for command escaping.
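As an added example (not InSpec's own code), here is what using Shellwords for command escaping looks like in practice: an unescaped path containing a space is split into two arguments by the shell, while the escaped version stays one literal word. The function names and the sample path are assumptions for illustration.

```ruby
require 'shellwords'

# Added example, not InSpec's own code: building a shell command from an
# untrusted path with and without Shellwords.

# Fragile: the path is spliced into the string unescaped, so a space splits it
# into two arguments and any shell metacharacter in it is interpreted by the shell.
def unsafe_stat_command(path)
  "stat -c %a #{path}"
end

# Escaped: Shellwords.escape makes the path a single literal word for the shell.
def safe_stat_command(path)
  "stat -c %a #{Shellwords.escape(path)}"
end

# For whole command lines, build an argv array and let shelljoin escape each word.
def safe_command(argv)
  Shellwords.shelljoin(argv)
end

# Shellwords.split is the inverse: it recovers the original argv from the
# escaped command line, which makes a convenient self-check.
def round_trips?(argv)
  Shellwords.split(Shellwords.shelljoin(argv)) == argv
end

# Constructed sample path containing a space.
SAMPLE_PATH = '/var/log/my app.log'
puts unsafe_stat_command(SAMPLE_PATH)   # stat -c %a /var/log/my app.log   (path becomes two words)
puts safe_stat_command(SAMPLE_PATH)     # stat -c %a /var/log/my\ app.log  (path stays one word)
```

Splitting both command lines back with `Shellwords.split` shows the difference directly: the unsafe form yields five words, the escaped form four.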
Reported by @alexmanly
Some of the resources have a name that includes _config (spelled out), whereas others are shortened to just _conf.
Ones that have _config:
inetd_config << suggest inetd_conf
parse_config
parse_config_file
ssh_config
sshd_config
_conf:
apache_conf
audit_daemon_conf << suggest auditd_conf
limits_conf
mysql_conf
ntp_conf
postgres_conf
Only two of them are truly inconsistent, with inetd_config and audit_daemon_conf not having a name directly similar to the actual filename, like ntp_conf and the other _conf resources. Naming suggestions listed above.
assignment_re => assign_regex << no more guessing as to what _re might mean
key_vals => key_values (to be consistent with multiple_values and to preserve the highest level of human readability)
login_def (file name) resource is login_defs (resource name) << can both be the same (plural)? This suggestion changes the resource filename to login_defs.rb
processes resource << can it be shortened to just process? It also seems that one can test just a single "process"
/etc/group => etc_group resource, there is an /etc/passwd => passwd resource ... could the passwd resource be named etc_passwd? (Note that I see why it's etc_group, specifically, so as to not conflict with the group resource.)
On a Linux server that is joined to a Windows domain, users generally are members of groups that contain spaces in their names, e.g. "domain users". However, this currently fails.
Test:
describe user('jfolmer') do
its('groups') { should eq ['domain users', 'domain admins', 'denied rodc password replication group'] }
end
Output:
Failures:
1) User jfolmer groups should eq ["domain users", "domain admins", "denied rodc password replication group"]
Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
expected: ["domain users", "domain admins", "denied rodc password replication group"]
got: ["domain"]
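As an added example (not InSpec's own code), the Ruby below contrasts two ways of reading group names out of `id` output. The whitespace-splitting parser is an assumption about the kind of parsing that produces a truncated `["domain"]`; the structure-aware parser keeps names with spaces intact. The sample `id` line, the function names and the uid/gid numbers are constructed for illustration.

```ruby
# Added example, not InSpec's own code: extracting group names from `id` output.
# The sample line is constructed to look like a domain-joined Linux host.
SAMPLE_ID_OUTPUT = 'uid=10001(jfolmer) gid=513(domain users) ' \
                   'groups=513(domain users),512(domain admins),' \
                   '572(denied rodc password replication group)'

# Whitespace-splitting parser (assumed to be the kind of parsing that produces
# the truncated ["domain"] seen in the failure above): a space inside a group
# name ends the token early, so only the first word of the first group survives.
def groups_by_whitespace(id_output)
  token = id_output.split(' ').find { |t| t.start_with?('groups=') }
  return [] unless token
  token.sub(/\Agroups=/, '').split(',').map { |g| g[/\(([^)]*)/, 1] }.compact
end

# Structure-aware parser: take everything after "groups=" and pull each
# parenthesised name, so spaces inside names are preserved. An optional
# trailing SELinux "context=" field is ignored.
def groups_from_id(id_output)
  field = id_output[/groups=(.*?)(?:\s+context=.*)?\z/, 1]
  return [] unless field
  field.scan(/\d+\(([^)]*)\)/).flatten
end

# Membership check built on the structure-aware parser.
def member_of?(id_output, group)
  groups_from_id(id_output).include?(group)
end

puts groups_by_whitespace(SAMPLE_ID_OUTPUT).inspect   # ["domain"]
puts groups_from_id(SAMPLE_ID_OUTPUT).inspect         # all three full names
```

The first parser reproduces the shape of the failure (`got: ["domain"]`); the second returns the three names the test expects.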
Some services, like ntp, don't show up in initctl on Ubuntu 14.04 and other pre-systemd platforms. They are visible in /etc/init.d and via the service command, but are not in initctl.
Currently, inspec checks initctl for all service resources on pre-15.04 hosts, so it will fail to detect running ntp processes, even though they are present and enabled.
I'm not sure what the proper fix here is, possibly checking /etc/init.d/, service, and initctl for a service, and or-ing the results together?
Currently, the os resource only supports symbols. It should support strings as well. See #224
The process, pid and protocol attributes of port all get compared to an array instead of a string/number, causing weirdness like this:
Port 22 pid should eq "957"
Failure/Error: DEFAULT_FAILURE_NOTIFIER = lambda { |failure, _opts| raise failure }
expected: "957"
got: [957]
Thanks for reporting Thomas Cate
Kudos for giving a nod to Serverspec.
It would be really helpful to explain why this is different from serverspec and why someone might choose to use inspec instead of serverspec.
At the moment it is not possible to start an inspec shell and paste either a control or a describe block and have it execute and report results.
I.e:
inspec shell
And then enter:
describe file('/not/here') do
it { should_not exist }
end
which will only result in:
=> [["describe", [File /not/here], #<Proc:0x000000013f3850@(pry):1>]]
The desired output should be:
A print of the execution using the default CLI formatter, without the additional profile context and version, i.e.:
✔ ssh-1: Allow only SSH Protocol 2
The test should return a result object, which has a result value embedded.
The Inspec service resource determines the process supervision type based on os release version and uses a single process supervision type to check if a process is running, enabled etc.
Given that many chef cookbooks use many different process supervision tools (init, upstart, runit, etc.), it would be better if you could override the service_mgmt instance variable to specify the specific one for your service.
Is this a design decision, or could this be changed?
Users cannot currently easily find their way to documentation when starting here on github.
Support reading XML files via a resource
The current package resource is reported to be very slow on Windows:
describe package('Orca') do
it { should be_installed }
end
This code should be improved: https://github.com/chef/inspec/blob/master/lib/resources/package.rb#L187-L209 and we should not require wmi
describe user(nil) do
...
end
should throw an error and fail the test
Not sure if this means merely making sure inspec-specific things like |inspec resource| exist in https://github.com/chef/chef-web-docs/blob/master/swaps/swap_names.txt or whether there should be a replacements file here.
Documentation for inspec command check:
Use inspec check to run all tests at the specified path.
Documentation for inspec command exec:
Use inspec exec to run all tests at the specified path.
What is the difference?
Reported by @alexmanly
describe login_defs do
its('PASS_MAX_DAYS') { should eq '180' }
end
When I attempt to run a simple inspec file (it just contains the "port 80 should not be open" example from the readme), I get the following error:
troyready@myworkstation:~/myscripts$ ~/.chefdk/gem/ruby/2.1.0/bin/inspec exec inspec_recent_patching.rb -b winrm --user Administrator --host mywinhost.myorg.com --password "mypa33w#rd" --ssl --self-signed
/opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/http/response_handler.rb:57:in `raise_if_auth_error': WinRM::WinRMAuthorizationError (WinRM::WinRMAuthorizationError)
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/http/response_handler.rb:50:in `raise_if_error'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/http/response_handler.rb:35:in `parse_to_xml'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/http/transport.rb:50:in `send_request'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/winrm_service.rb:430:in `send_message'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-1.3.4/lib/winrm/winrm_service.rb:126:in `open_shell'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/winrm-transport-1.0.2/lib/winrm/transport/command_executor.rb:78:in `open'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:158:in `block in establish_shell'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:212:in `retryable'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:156:in `establish_shell'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:238:in `session'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:66:in `run_command'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/extras/os_detect_windows.rb:60:in `detect_windows'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/extras/os_common.rb:105:in `detect_family_type'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/extras/os_common.rb:78:in `detect_family'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/extras/os_common.rb:26:in `initialize'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:254:in `initialize'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:54:in `new'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/r-train-0.9.1/lib/train/transports/winrm_connection.rb:54:in `os'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/resources/os.rb:16:in `[]'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/resources/port.rb:26:in `initialize'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/plugins/resource.rb:23:in `initialize'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/profile_context.rb:74:in `new'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/profile_context.rb:74:in `block (3 levels) in create_inner_dsl'
from inspec_recent_patching.rb:1:in `load'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/profile_context.rb:31:in `instance_eval'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/profile_context.rb:31:in `load'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/runner.rb:76:in `add_content'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/runner.rb:57:in `block in add_tests'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/runner.rb:56:in `each'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/lib/inspec/runner.rb:56:in `add_tests'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/bin/inspec:77:in `exec'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
from /opt/chefdk/embedded/lib/ruby/gems/2.1.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
from /home/troyready/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.1/bin/inspec:109:in `<top (required)>'
from /home/troyready/.chefdk/gem/ruby/2.1.0/bin/inspec:23:in `load'
from /home/troyready/.chefdk/gem/ruby/2.1.0/bin/inspec:23:in `<main>'
I tried connecting directly with train though and I don't experience any errors:
require 'train'
train = Train.create(
'winrm',
host: 'mywinhost.myorg.com',
user: 'Administrator',
password: 'mypa33w#rd',
ssl: true,
self_signed: true
)
conn = train.connection
puts conn.run_command('ipconfig /all').stdout
conn.close
(^ outputs my ip info as expected)
I've tried debugging this for a bit and didn't come up with anything conclusive. Would greatly appreciate any advice/direction on troubleshooting it / improving the project.
The new OS detector does not play nice with Debian yet. detect.rb returns the following data:
{"os_name":null,"os_family":"debian","os_release":null,"os_arch":"x86_64"}
The version is missing.
PS C:\> Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0 -name NTLMMinServerSec
NtlmMinServerSec : 536870912
NTLMMinServerSec to the desired value:
registry_key 'HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0' do
values [{ name: 'NTLMMinServerSec', type: :dword, data: 537_395_200 }]
recursive true
action :create
end
PS C:\> Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0 -name NTLMMinServerSec
NtlmMinServerSec : 537395200
^ This shows that the chef-client registry_key resource found the entry and set the desired value. Observe the case-insensitive nature of the NTLM in the PowerShell and chef-client context.
compliance-profiles/base/windows/test/base_spec.rb:
rule 'windows-base-203' do
impact 1.0
title 'Enable Strong Encryption for Windows Network Sessions on Servers'
describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0') do
it { should exist }
its('NTLMMinServerSec') { should eq 537395200 }
end
end
rule 'windows-base-203' do
impact 1.0
title 'Enable Strong Encryption for Windows Network Sessions on Servers'
describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0') do
it { should exist }
its('NtlmMinServerSec') { should eq 537395200 }
end
end
3) Registry Key HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0 NTLMMinServerSec
Failure/Error: its('NTLMMinServerSec') { should eq 537395200 }
NoMethodError:
undefined method `[]' for nil:NilClass
# /Users/apop/.chefdk/gem/ruby/2.1.0/gems/inspec-0.9.3/lib/resources/registry_key.rb:56:in `method_missing'
# demo/windows/test/random.rb:48:in `block (3 levels) in load'
Test 4 fails because the registry_key inspec resource is case sensitive.
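As an added example (not InSpec's own code), the Ruby class below shows one way to address both lookup problems raised on this page: the os resource accepting only symbol keys (the `os['family']` returning nil case and the "support strings as well" request), and registry_key matching value names case-sensitively even though Windows itself, as the PowerShell output above shows, does not. The class name, the sample facts and the `plain_hash_lookup` helper are assumptions for illustration; the value name and data come from the issue text.

```ruby
# Added example, not InSpec's own code: a lookup table whose keys may be given
# as symbols or strings, optionally ignoring case.
class NormalizedLookup
  # values: a Hash of name => value. case_insensitive: fold key case on every access.
  def initialize(values, case_insensitive = false)
    @case_insensitive = case_insensitive
    @values = {}
    values.each { |name, value| @values[normalize(name)] = value }
  end

  # Convenience constructor for case-insensitive tables (registry value names).
  def self.case_insensitive(values)
    new(values, true)
  end

  # Symbol or string keys are equivalent; case is ignored if requested.
  def [](name)
    @values[normalize(name)]
  end

  def key?(name)
    @values.key?(normalize(name))
  end

  private

  def normalize(name)
    key = name.to_s
    @case_insensitive ? key.downcase : key
  end
end

# os-style facts (constructed sample): symbol and string keys both resolve.
OS_FACTS = NormalizedLookup.new({ family: 'windows', release: '6.3', arch: 'x86_64' })

# The registry value as Windows reports it (NtlmMinServerSec, from the PowerShell
# output above), looked up by the spelling used in the profile (NTLMMinServerSec).
MSV1_0_VALUES = NormalizedLookup.case_insensitive({ 'NtlmMinServerSec' => 537_395_200 })

# A plain Hash, by contrast, returns nil for a differently-cased name, which is
# the nil that produced "undefined method `[]' for nil:NilClass" above.
def plain_hash_lookup(name)
  { 'NtlmMinServerSec' => 537_395_200 }[name]
end

puts OS_FACTS['family']                      # windows
puts OS_FACTS[:family]                       # windows
puts MSV1_0_VALUES['NTLMMinServerSec']       # 537395200
puts plain_hash_lookup('NTLMMinServerSec').inspect   # nil
```

Case folding is applied only where the underlying system is itself case-insensitive (registry value names); the os facts table keeps the default exact-case behaviour so that `'Family'` is not silently accepted.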