From 4cb40e90018fde940b1f13254550b50631be344f Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Tue, 14 Nov 2023 08:20:01 -0500 Subject: [PATCH] Add InSpec 6 docs 
Signed-off-by: Ian Maddaus --- .../inspec/inspec/docs-chef-io/config.toml | 72 ++ .../docs-chef-io/content/inspec/audit_log.md | 51 + .../inspec/docs-chef-io/content/inspec/cli.md | 1069 +++++++++-------- .../content/inspec/cloud_platforms.md | 207 ++++ .../docs-chef-io/content/inspec/dsl_inspec.md | 9 +- .../docs-chef-io/content/inspec/install.md | 113 +- .../docs-chef-io/content/inspec/license.md | 213 ++++ .../docs-chef-io/content/inspec/migration.md | 2 +- .../docs-chef-io/content/inspec/parallel.md | 237 ++++ .../docs-chef-io/content/inspec/platforms.md | 205 +--- .../docs-chef-io/content/inspec/profiles.md | 4 +- .../content/inspec/resources/file.md | 4 +- .../content/inspec/resources/podman.md | 2 +- .../content/inspec/reusable/index.md | 5 + .../md/support_commercial_platforms.md | 10 + .../reusable/md/support_derived_platforms.md | 6 + .../docs-chef-io/content/inspec/signing.md | 13 +- .../content/inspec/troubleshooting.md | 72 +- .../docs-chef-io/content/inspec/uninstall.md | 63 + _vendor/modules.txt | 2 +- config/_default/menu.toml | 66 - go.mod | 2 +- go.sum | 4 +- 23 files changed, 1592 insertions(+), 839 deletions(-) create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/audit_log.md create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cloud_platforms.md create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/license.md create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/parallel.md create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/index.md create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_commercial_platforms.md create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_derived_platforms.md create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/uninstall.md 
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/config.toml b/_vendor/github.com/inspec/inspec/docs-chef-io/config.toml
index 32905346150..3bf0a712fec 100644
--- a/_vendor/github.com/inspec/inspec/docs-chef-io/config.toml
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/config.toml
@@ -1,2 +1,74 @@
 [params.inspec]
 gh_path = "https://github.com/inspec/inspec/tree/main/docs-chef-io/content/"
+
+####
+# Chef InSpec Menu
+####
+
+[[menu.inspec]]
+title = "Chef InSpec"
+identifier = "inspec"
+
+ [[menu.inspec]]
+ title = "Install"
+ identifier = "inspec/install"
+ parent = "inspec"
+ weight = 20
+
+ [[menu.inspec]]
+ title = "Chef InSpec Reference"
+ identifier = "inspec/reference"
+ parent = "inspec"
+ weight = 500
+
+ [[menu.inspec]]
+ title = "Chef InSpec Resources"
+ identifier = "inspec/resources"
+ parent = "inspec"
+ weight = 999
+
+ [[menu.inspec]]
+ title = "OS Resources"
+ identifier = "inspec/resources/os"
+ parent = "inspec/resources"
+ weight = 20
+
+ [[menu.inspec]]
+ title = "Alibaba Resources"
+ identifier = "inspec/resources/alicloud"
+ parent = "inspec/resources"
+ weight = 25
+
+ [[menu.inspec]]
+ title = "AWS Resources"
+ identifier = "inspec/resources/aws"
+ parent = "inspec/resources"
+ weight = 30
+
+ [[menu.inspec]]
+ title = "Azure Resources"
+ identifier = "inspec/resources/azure"
+ parent = "inspec/resources"
+ weight = 40
+
+ [[menu.inspec]]
+ title = "GCP Resources"
+ identifier = "inspec/resources/gcp"
+ parent = "inspec/resources"
+ weight = 50
+
+ [[menu.inspec]]
+ title = "Habitat Resources"
+ identifier = "inspec/resources/habitat"
+ parent = "inspec/resources"
+ weight = 60
+
+ [[menu.inspec]]
+ title = "Kubernetes Resources"
+ identifier = "inspec/resources/k8s"
+ parent = "inspec/resources"
+ weight = 70
+
+####
+# End Chef InSpec Menu
+####
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/audit_log.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/audit_log.md
new file mode 100644
index 00000000000..3ad881335f3
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/audit_log.md
@@ -0,0 +1,51 @@
++++
+title = "Chef InSpec Audit Log"
+draft = false
+gh_repo = "inspec"
+
+[menu]
+ [menu.inspec]
+ title = "Audit Log"
+ identifier = "inspec/reference/audit_logging.md InSpec audit log"
+ parent = "inspec/reference"
+ weight = 60
++++
+
+This page documents Chef InSpec's audit log. This is a preview feature starting in **Chef InSpec 6**.
+
+The Chef InSpec audit log uses the Train library to capture activity between the scanning workstation and the scanned target environment.
+
+The InSpec audit log captures the following event types:
+
+- command events
+- file use events
+
+## Audit log limitations
+
+The audit log has the following limitations:
+
+- no support for API activity capture
+- limited support for file operations: while file access is captured, specific operations may not be
+- inconsistent and opt-in support across Train transports
+- limited support for Test Kitchen
+
+## Enable audit logging
+
+The audit log is a preview feature in Chef InSpec 6.
+
+Enable the audit logging by setting an environment variable, `CHEF_PREVIEW_AUDIT_LOGGING` to any non-empty value. The next time you run `inspec exec` or `inspec shell`, InSpec will create a log file at `~/.inspec/logs/inspec-audit-TIMESTAMP-PID.log`.
+
+## Configure the audit log
+
+The following options are available inside `inspec exec` and `inspec shell` to configure Chef InSpec's audit log.
+
+`--audit-log-location=AUDIT_LOG_LOCATION`
+: The directory that the audit log saves diagnostic log files to.
+
+ Default: `~/.inspec/logs`.
+
+ InSpec creates log files in the set directory using the following format: `inspec-audit-TIMESTAMP-PID.log`.
+
+## More information
+
+For details of the audit log format and implementation, refer to the (Train documentation)[https://github.com/inspec/train/blob/main/docs/audit_log.md].
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cli.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cli.md index 11b4a730fc3..58ead0b9432 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cli.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cli.md @@ -31,101 +31,98 @@ inspec archive PATH This subcommand has the following additional options: -
-
--airgap, --no-airgap
-
Fallback to using local archives if fetching fails.
+`--airgap` +`--no-airgap` +: Fallback to using local archives if fetching fails. -
--auto-install-gems, --no-auto-install-gems
-
Auto installs gem dependencies of the profile or resource pack.
+`--check` +`--no-check` +: Before running archive, run `inspec check`. Default: do not check. -
--check, --no-check
-
Before running archive, run `inspec check`. Default: do not check.
+`--export` +`--no-export` +: Include an inspec.json file in the archive, the results of running `inspec export`. -
--export, --no-export
-
Include an inspec.json file in the archive, the results of running `inspec export`.
+`--legacy-export` +`--no-legacy-export` +: Include an inspec.json file in the archive by utilizing information from the legacy export procedure, the results of running `inspec export --legacy-export`. -
--ignore-errors, --no-ignore-errors
-
Ignore profile warnings.
+`--ignore-errors` +`--no-ignore-errors` +: Ignore profile warnings. -
-o, --output=OUTPUT
-
Save the archive to a path.
+`-o` +`--output=OUTPUT` +: Save the archive to a path. -
--overwrite, --no-overwrite
-
Overwrite existing archive.
+`--overwrite` +`--no-overwrite` +: Overwrite existing archive. -
--profiles-path=PROFILES_PATH
-
Folder which contains referenced profiles.
+`--profiles-path=PROFILES_PATH` +: Folder which contains referenced profiles. -
--tar, --no-tar
-
Generates a tar.gz archive.
+`--tar` +`--no-tar` +: Generates a tar.gz archive. -
--vendor-cache=VENDOR_CACHE
-
Use the given path for caching dependencies, (default: ~/.inspec/cache).
+`--vendor-cache=VENDOR_CACHE` +: Use the given path for caching dependencies, (default: `~/.inspec/cache`). -
--zip, --no-zip
-
Generates a zip archive.
+`--zip` +`--no-zip` +: Generates a zip archive. -
-## check -Verify the metadata in the `inspec.yml` file, verify that control blocks have the correct fields (title, description, impact), and define that all controls have visible tests and the controls are not using deprecated inspec dsl code +## automate + +Communicates with Chef Automate. ### Syntax This subcommand has the following syntax: ```bash -inspec check PATH +inspec automate SUBCOMMAND ``` -### Options - -This subcommand has the following additional options: - -
-
--auto-install-gems, --no-auto-install-gems
-
Auto installs gem dependencies of the profile or resource pack.
- -
--format=FORMAT
-
The output format to use. Valid values: `json` and `doc`. Default value: `doc`.
- -
--profiles-path=PROFILES_PATH
-
Folder which contains referenced profiles.
- -
--vendor-cache=VENDOR_CACHE
-
Use the given path for caching dependencies, (default: ~/.inspec/cache).
- -
--with-cookstyle, --no-with-cookstyle
-
Enable or disable cookstyle checks.
- -
- -## clear_cache +## check -Clears the inspec cache. useful for debugging. +Verify the metadata in the `inspec.yml` file, verify that control blocks have the correct fields (title, description, impact), and define that all controls have visible tests and the controls are not using deprecated InSpec DSL code. ### Syntax This subcommand has the following syntax: ```bash -inspec clear_cache +inspec check PATH ``` ### Options This subcommand has the following additional options: -
-
--vendor-cache=VENDOR_CACHE
-
Use the given path for caching dependencies, (default: `~/.inspec/cache`).
+`--format=FORMAT` +: The output format to use. Valid values: `json` and `doc`. Default value: `doc`. -
+`--profiles-path=PROFILES_PATH` +: Folder which contains referenced profiles. + +`--vendor-cache=VENDOR_CACHE` +: Use the given path for caching dependencies, (default: `~/.inspec/cache`). + +`--with-cookstyle` +`--no-with-cookstyle` +: Enable or disable cookstyle checks. + +`--legacy-check` +`--no-legacy-check` +: Run check in legacy mode, which examines the profile in a different way. Default: use newer parser-based method. ## detect -Detects the target os. +Detects the target OS. ### Syntax @@ -139,120 +136,126 @@ inspec detect This subcommand has the following additional options: -
-
-b, --backend=BACKEND
-
Choose a backend: local, ssh, winrm, docker.
- -
--bastion-host=BASTION_HOST
-
Specifies the bastion host if applicable.
+`-b` +`--backend=BACKEND` +: Choose a backend: local, ssh, winrm, docker. -
--bastion-port=BASTION_PORT
-
Specifies the bastion port if applicable.
+`--bastion-host=BASTION_HOST` +: Specifies the bastion host if applicable. -
--bastion-user=BASTION_USER
-
Specifies the bastion user if applicable.
+`--bastion-port=BASTION_PORT` +: Specifies the bastion port if applicable. -
--ca-trust-file=CA_TRUST_FILE
-
Specify CA certificate required for SSL authentication (WinRM).
+`--bastion-user=BASTION_USER` +: Specifies the bastion user if applicable. -
--client-cert=CLIENT_CERT
-
Specify client certificate for SSL authentication
+`--ca-trust-file=PATH_TO_CA_TRUST_FILE` +: Specify CA certificate required for SSL authentication (WinRM). -
--client-key=CLIENT_KEY
-
Specify client key required with client cert for SSL authentication
+`--client-cert=PATH_TO_CLIENT_CERTIFICATE` +: Specify client certificate required for SSL authentication (WinRM). -
--client-key-pass=CLIENT_KEY_PASS
-
Specify client cert password, if required for SSL authentication
+`--client-key=PATH_TO_CLIENT_KEY` +: Specify client key required with client certificate for SSL authentication (WinRM). -
--config=CONFIG
-
Read configuration from JSON file (`-` reads from stdin).
+`--client-key-pass=CLIENT_CERT_PASSWORD` +: Specify client certificate password, if required for SSL authentication (WinRM). -
--docker-url=DOCKER_URL
-
Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows.
+`--config=CONFIG` +: Read configuration from the JSON file (`-` reads from stdin). -
--enable-password=ENABLE_PASSWORD
-
Password for enable mode on Cisco IOS devices.
+`--docker-url` +: Provides a path to the Docker API endpoint (Docker). -
--format=FORMAT
-
--host=HOST
-
Specify a remote host which is tested.
+`--enable-password=ENABLE_PASSWORD` +: Password for enable mode on Cisco IOS devices. -
--insecure, --no-insecure
-
Disable SSL verification on select targets.
+`--format=FORMAT` -
-i, --key-files=one two three
-
Login key or certificate file for a remote scan.
+`--host=HOST` +: Specify a remote host which is tested. -
--password=PASSWORD
-
Login password for a remote scan, if required.
+`--insecure` +`--no-insecure` +: Disable SSL verification on select targets. -
--path=PATH
-
Login path to use when connecting to the target (WinRM).
+`-i` +`--key-files=one two three` +: Login key or certificate file for a remote scan. -
--podman-url=PODMAN_URL
-
Provides the path to the Podman API endpoint. Defaults to unix:///run/user/$UID/podman/podman.sock for rootless container, unix:///run/podman/podman.sock for rootful container (for this you need to execute inspec as root user).
+`--password=PASSWORD` +: Login password for a remote scan, if required. -
-p, --port=N
-
Specify the login port for a remote scan.
+`--path=PATH` +: Login path to use when connecting to the target (WinRM). -
--proxy-command=PROXY_COMMAND
-
Specifies the command to use to connect to the server.
+`-p` +`--port=N` +: Specify the login port for a remote scan. -
--self-signed, --no-self-signed
-
Allow remote scans with self-signed certificates (WinRM).
+`--podman-url` +: Provides the path to the Podman API endpoint. Defaults to unix:///run/user/$UID/podman/podman.sock for rootless container, unix:///run/podman/podman.sock for rootful container (for this you need to execute inspec as root user). -
--shell, --no-shell
-
Run scans in a subshell. Only activates on Unix.
+`--proxy-command=PROXY_COMMAND` +: Specifies the command to use to connect to the server. -
--shell-command=SHELL_COMMAND
-
Specify a particular shell to use.
+`--self-signed` +`--no-self-signed` +: Allow remote scans with self-signed certificates (WinRM). -
--shell-options=SHELL_OPTIONS
-
Additional shell options.
+`--shell` +`--no-shell` +: Run scans in a subshell. Only activates on Unix. -
--ssh-config-file=one two three
-
A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config.
+`--shell-command=SHELL_COMMAND` +: Specify a particular shell to use. -
--ssl, --no-ssl
-
Use SSL for transport layer encryption (WinRM).
+`--shell-options=SHELL_OPTIONS` +: Additional shell options. -
--ssl-peer-fingerprint=SSL_PEER_FINGERPRINT
-
Specify SSL peer fingerprint in place of certificates for SSL authentication (WinRM).
+`--ssl` +`--no-ssl` +: Use SSL for transport layer encryption (WinRM). -
--sudo, --no-sudo
-
Run scans with sudo. Only activates on Unix and non-root user.
+`--ssl-peer-fingerprint` +: Specify SSL peer fingerprint in place of certificates for SSL authentication (WinRM). -
--sudo-command=SUDO_COMMAND
-
Alternate command for sudo.
+`--sudo` +`--no-sudo` +: Run scans with sudo. Only activates on Unix and non-root user. -
--sudo-options=SUDO_OPTIONS
-
Additional sudo options for a remote scan.
+`--sudo-command=SUDO_COMMAND` +: Alternate command for sudo. -
--sudo-password=SUDO_PASSWORD
-
Specify a sudo password, if it is required.
+`--sudo-options=SUDO_OPTIONS` +: Additional sudo options for a remote scan. -
-t, --target=TARGET
-
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
+`--sudo-password=SUDO_PASSWORD` +: Specify a sudo password, if it is required. -
--target-id=TARGET_ID
-
Provide an ID which will be included on reports - deprecated
+`-t` +`--target=TARGET` +: Simple targeting option using URIs, e.g. ssh://user:pass@host:port. -
--user=USER
-
The login user for a remote scan.
+`--target-id=TARGET_ID` +: Provide a ID which will be included on reports. -
--winrm-basic-auth-only, --no-winrm-basic-auth-only
-
Whether to use basic authentication, defaults to false (WinRM).
+`--user=USER` +: The login user for a remote scan. -
--winrm-disable-sspi, --no-winrm-disable-sspi
-
Whether to use disable sspi authentication, defaults to false (WinRM).
+`--winrm-basic-auth-only` +`--no-winrm-basic-auth-only` +: Whether to use basic authentication, defaults to false (WinRM). -
--winrm-shell-type=WINRM_SHELL_TYPE
-
Specify which shell type to use (powershell, elevated, or cmd), which defaults to powershell (WinRM).
+`--winrm-disable-sspi` +`--no-winrm-disable-sspi` +: Whether to use disable sspi authentication, defaults to false (WinRM). -
--winrm-transport=WINRM_TRANSPORT
-
Specify which transport to use, defaults to negotiate (WinRM).
+`--winrm-transport=WINRM_TRANSPORT` +: Specify which transport to use, defaults to negotiate (WinRM). -
+`--winrm-shell-type=WINRM_SHELL_TYPE` +: Specify which shell type to use (powershell, elevated, or cmd), which defaults to powershell (WinRM). ## env 
@@ -270,78 +273,100 @@ inspec env Run all test files at the specified locations. -The subcommand loads the given profiles, fetches their dependencies if needed, then connects to the target and executes any controls in the profiles. -One or more reporters are used to generate the output. -``` -Exit codes: - 0 Normal exit, all tests passed - 1 Usage or general error - 2 Error in plugin system - 3 Fatal deprecation encountered - 100 Normal exit, at least one test failed - 101 Normal exit, at least one test skipped but none failed - 172 Chef License not accepted +The subcommand loads the given profiles, fetches their dependencies if needed, then connects to the target and executes any controls in the profiles. One or more reporters are used to generate the output. + +```ruby +exit codes: + 0 normal exit, all tests passed + 1 usage or general error + 2 error in plugin system + 3 fatal deprecation encountered + 5 invalid profile signature + 6 mandatory profile signing mode enabled and no signature found + 100 normal exit, at least one test failed + 101 normal exit, at least one test skipped but none failed + 172 chef license not accepted ``` -Below are some examples of using `exec` with different test LOCATIONS: +### Examples + +Below are some examples of using `exec` with different test locations. 
Chef Automate: - ``` - inspec automate login - inspec exec compliance://username/linux-baseline - ``` - `inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way: - ``` - inspec compliance login - ``` + +```ruby +inspec automate login +inspec exec compliance://username/linux-baselinem +``` + +`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way: + +```ruby +inspec compliance login +``` Chef Supermarket: - ``` - inspec exec supermarket://username/linux-baseline - ``` + +```ruby +inspec exec supermarket://username/linux-baseline +inspec exec supermarket://username/linux-baseline --supermarket_url="https://privatesupermarket.example.com" +``` Local profile (executes all tests in `controls/`): - ``` - inspec exec /path/to/profile - ``` -Local single test (doesn't allow inputs or custom resources) - ``` - inspec exec /path/to/a_test.rb - ``` +```ruby +inspec exec /path/to/profile +``` + +Local single test (doesn't allow inputs or custom resources): -Git via SSH - ``` - inspec exec git@github.com:dev-sec/linux-baseline.git - ``` +```ruby +inspec exec /path/to/a_test.rb +``` + +Git via SSH: + +```ruby +inspec exec git@github.com:dev-sec/linux-baseline.git +``` Git via HTTPS (.git suffix is required): - ``` - inspec exec https://github.com/dev-sec/linux-baseline.git - ``` + +```ruby +inspec exec https://github.com/dev-sec/linux-baseline.git +``` Private Git via HTTPS (.git suffix is required): - ``` - inspec exec https://API_TOKEN@github.com/dev-sec/linux-baseline.git - ``` + +```ruby +inspec exec https://api_token@github.com/dev-sec/linux-baseline.git +``` Private Git via HTTPS and cached credentials (.git suffix is required): - ``` - git config credential.helper cache - git ls-remote https://github.com/dev-sec/linux-baseline.git - inspec exec https://github.com/dev-sec/linux-baseline.git - ``` -Web hosted file (also supports .zip): - ``` - inspec exec 
https://webserver/linux-baseline.tar.gz - ``` +```bash +git config credential.helper cache +git ls-remote https://github.com/dev-sec/linux-baseline.git +inspec exec https://github.com/dev-sec/linux-baseline.git +``` + +Web-hosted file (also supports .zip): + +```bash +inspec exec https://webserver/linux-baseline.tar.gz +``` + +Web-hosted file with basic authentication (supports .zip): -Web hosted file with basic authentication (supports .zip): - ``` - inspec exec https://username:password@webserver/linux-baseline.tar.gz - ``` +```bash +inspec exec https://username:password@webserver/linux-baseline.tar.gz +``` +Web-hosted signed profile: + +```bash +inspec exec https://username:password@webserver/linux-baseline.iaf +``` ### Syntax @@ -355,253 +380,292 @@ inspec exec LOCATIONS This subcommand has the following additional options: -
-
--attrs=one two three
-
Legacy name for --input-file - deprecated.
+`--allow-unsigned-profiles` +: Allow InSpec to execute unsigned profiles if mandatory profile signing is enabled. Defaults to false. -
--auto-install-gems, --no-auto-install-gems
-
Auto installs gem dependencies of the profile or resource pack.
+ **Chef InSpec 6** and greater has an optional setting that requires signed profiles. + If you try to execute an unsigned profile with this feature enabled, InSpec won't execute the profile and returns exit code 6. + Use `--allow-unsigned-profiles` to execute unsigned profiles if mandatory profile signing is enabled. -
-b, --backend=BACKEND
-
Choose a backend: local, ssh, winrm, docker.
+ For more information, see [Signed InSpec Profiles](/inspec/signing/). -
--backend-cache, --no-backend-cache
-
Allow caching for backend command output. (default: true).
+`--attrs=one two three` +: Legacy name for --input-file - deprecated. -
--bastion-host=BASTION_HOST
-
Specifies the bastion host if applicable.
+`--audit-log-location=AUDIT_LOG_LOCATION` +: The directory that the audit log saves diagnostic log files to. + You must enable audit logging to use this feature. See the [Audit Log documentation](/inspec/audit_log/) for details. -
--bastion-port=BASTION_PORT
-
Specifies the bastion port if applicable.
+ Default: `~/.inspec/logs`. -
--bastion-user=BASTION_USER
-
Specifies the bastion user if applicable.
+ InSpec creates log files in the set directory using the following format: `inspec-audit-TIMESTAMP-PID.log`. -
--ca-trust-file=CA_TRUST_FILE
-
Specify CA certificate required for SSL authentication (WinRM).
+`--auto-install-gems` +: Auto installs gem dependencies of the profile or resource pack. -
--client-cert=CLIENT_CERT
-
Specify client certificate for SSL authentication
+`-b` +`--backend=BACKEND` +: Choose a backend: local, ssh, winrm, docker. -
--client-key=CLIENT_KEY
-
Specify client key required with client cert for SSL authentication
+`--backend-cache` +`--no-backend-cache` +: Allow caching for backend command output. (default: true). -
--client-key-pass=CLIENT_KEY_PASS
-
Specify client cert password, if required for SSL authentication
+`--bastion-host=BASTION_HOST` +: Specifies the bastion host if applicable. -
--command-timeout=N
-
Maximum seconds to allow commands to run during execution.
+`--bastion-port=BASTION_PORT` +: Specifies the bastion port if applicable. -
--config=CONFIG
-
Read configuration from JSON file (`-` reads from stdin).
+`--bastion-user=BASTION_USER` +: Specifies the bastion user if applicable. -
--controls=one two three
-
A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests.
+`--ca-trust-file=PATH_TO_CA_TRUST_FILE` +: Specify CA certificate required for SSL authentication (WinRM). -
--create-lockfile, --no-create-lockfile
-
Write out a lockfile based on this execution (unless one already exists)
+`--client-cert=PATH_TO_CLIENT_CERTIFICATE` +: Specify client certificate required for SSL authentication (WinRM). -
--diff, --no-diff
-
Use --no-diff to suppress 'diff' output of failed textual test results.
+`--client-key=PATH_TO_CLIENT_KEY` +: Specify client key required with client certificate for SSL authentication (WinRM). -
--distinct-exit, --no-distinct-exit
-
Exit with code 101 if any tests fail, and 100 if any are skipped (default). If disabled, exit 0 on skips and 1 for failures.
+`--client-key-pass=CLIENT_CERT_PASSWORD` +: Specify client certificate password, if required for SSL authentication (WinRM). -
--docker-url=DOCKER_URL
-
Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows.
+`--command-timeout=SECONDS` +: Maximum seconds to allow a command to run. -
--enable-password=ENABLE_PASSWORD
-
Password for enable mode on Cisco IOS devices.
+`--config=CONFIG` +: Read configuration from the JSON file (`-` reads from stdin). -
--enhanced-outcomes, --no-enhanced-outcomes
-
Show enhanced outcomes in output
+`--controls=one two three` +: A list of control names to run or a list of /regexes/ to match against control names. Ignore all other tests. -
--filter-empty-profiles, --no-filter-empty-profiles
-
Filter empty profiles (profiles without controls) from the report.
+`--create-lockfile` +`--no-create-lockfile` +: Write out a lockfile based on this execution (unless one already exists). -
--filter-waived-controls, --no-filter-waived-controls
-
Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores the `run` setting of the waiver file.
+`--distinct-exit` +`--no-distinct-exit` +: Exit with code 101 if any tests fail and 100 if any are skipped (default). If disabled, exit 0 on skips and 1 for failures. -
--host=HOST
-
Specify a remote host which is tested.
+`--docker-url` +: Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows. -
--input=name1=value1 name2=value2
-
Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures.
+`--enable-password=ENABLE_PASSWORD` +: Password for enable mode on Cisco IOS devices. -
--input-file=one two three
-
Load one or more input files, a YAML file with values for the profile to use.
+`--filter-empty-profiles` +`--no-filter-empty-profiles` +: Filter empty profiles (profiles without controls) from the report. -
--insecure, --no-insecure
-
Disable SSL verification on select targets.
+`--filter-waived-controls` +: Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores the `run` setting of the waiver file. -
-i, --key-files=one two three
-
Login key or certificate file for a remote scan.
+`--host=HOST` +: Specify a remote host which is tested. -
--password=PASSWORD
-
Login password for a remote scan, if required.
+`--input=name1=value1 name2=value2` +: Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures. -
--path=PATH
-
Login path to use when connecting to the target (WinRM).
+`--input-file=one two three` +: Load one or more input files, a YAML file with values for the profile to use. -
--podman-url=PODMAN_URL
-
Provides the path to the Podman API endpoint. Defaults to unix:///run/user/$UID/podman/podman.sock for rootless container, unix:///run/podman/podman.sock for rootful container (for this you need to execute inspec as root user).
+`--insecure` +`--no-insecure` +: Disable SSL verification on select targets. -
-p, --port=N
-
Specify the login port for a remote scan.
+`-i` +`--key-files=one two three` +: Login key or certificate file for a remote scan. -
--profiles-path=PROFILES_PATH
-
Folder which contains referenced profiles.
+`--password=PASSWORD` +: Login password for a remote scan, if required. -
--proxy-command=PROXY_COMMAND
-
Specifies the command to use to connect to the server.
+`--path=PATH` +: Login path to use when connecting to the target (WinRM). -
--reporter=one two:/output/file/path
-
Enable one or more output reporters: cli, documentation, html, progress, progress-bar, json, json-min, json-rspec, junit, yaml
+`-p` +`--port=N` +: Specify the login port for a remote scan. -
--reporter-backtrace-inclusion, --no-reporter-backtrace-inclusion
-
Include a code backtrace in report data (default: true)
+`--podman-url` +: Provides the path to the Podman API endpoint. Defaults to unix:///run/user/$UID/podman/podman.sock for rootless container, unix:///run/podman/podman.sock for rootful container (for this you need to execute inspec as root user). -
--reporter-include-source, --no-reporter-include-source
-
Include full source code of controls in the CLI report
+`--profiles-path=PROFILES_PATH` +: Folder which contains referenced profiles. -
--reporter-message-truncation=REPORTER_MESSAGE_TRUNCATION
-
Number of characters to truncate failure messages and code_desc in report data to (default: no truncation)
+`--proxy-command=PROXY_COMMAND` +: Specifies the command to use to connect to the server. -
--retain-waiver-data, --no-retain-waiver-data
-
EXPERIMENTAL: Only works in conjunction with --filter-waived-controls, retains waiver data about controls that were skipped
+`--reporter=one two:/output/file/path` +: Enable one or more output reporters: cli, documentation, html2, progress, progress-bar, json, json-min, json-rspec, junit2, yaml. -
--self-signed, --no-self-signed
-
Allow remote scans with self-signed certificates (WinRM).
+`--reporter-backtrace-inclusion` +`--no-reporter-backtrace-inclusion` +: Include a code backtrace in report data (default: true). -
--shell, --no-shell
-
Run scans in a subshell. Only activates on Unix.
+`--reporter-include-source` +: Include full source code of controls in the CLI report. -
--shell-command=SHELL_COMMAND
-
Specify a particular shell to use.
+`--reporter-message-truncation=REPORTER_MESSAGE_TRUNCATION` +: Number of characters to truncate failure messages in report data (default: no truncation). -
--shell-options=SHELL_OPTIONS
-
Additional shell options.
+`--self-signed` +`--no-self-signed` +: Allow remote scans with self-signed certificates (WinRM). -
--show-progress, --no-show-progress
-
Show progress while executing tests.
+`--shell` +`--no-shell` +: Run scans in a subshell. Only activates on Unix. -
--silence-deprecations=all|GROUP GROUP...
-
Suppress deprecation warnings. See install_dir/etc/deprecations.json for a list of GROUPs or use 'all'.
+`--shell-command=SHELL_COMMAND` +: Specify a particular shell to use. -
--sort-results-by=--sort-results-by=none|control|file|random
-
After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode.
+`--shell-options=SHELL_OPTIONS` +: Additional shell options. -
--ssh-config-file=one two three
-
A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config.
+`--show-progress` +`--no-show-progress` +: Show progress while executing tests. -
--ssl, --no-ssl
-
Use SSL for transport layer encryption (WinRM).
+`--silence-deprecations=all|GROUP GROUP...` +: Suppress deprecation warnings. See install_dir/etc/deprecations.json for a list of GROUPs or use 'all'. -
--ssl-peer-fingerprint=SSL_PEER_FINGERPRINT
-
Specify SSL peer fingerprint in place of certificates for SSL authentication (WinRM).
+`--ssh-config-file=one two three` +: A list of paths to the SSH configuration file, for example: `~/.ssh/config` or `/etc/ssh/ssh_config`. -
--sudo, --no-sudo
-
Run scans with sudo. Only activates on Unix and non-root user.
+`--ssl` +`--no-ssl` +: Use SSL for transport layer encryption (WinRM). -
--sudo-command=SUDO_COMMAND
-
Alternate command for sudo.
+`--ssl-peer-fingerprint` +: Specify SSL peer fingerprint in place of certificates for SSL authentication (WinRM). -
--sudo-options=SUDO_OPTIONS
-
Additional sudo options for a remote scan.
+`--sudo` +`--no-sudo` +: Run scans with sudo. Only activates on Unix and non-root user. -
--sudo-password=SUDO_PASSWORD
-
Specify a sudo password, if it is required.
+`--sudo-command=SUDO_COMMAND` +: Alternate command for sudo. -
--supermarket-url=SUPERMARKET_URL
-
Specify the URL of a private Chef Supermarket.
+`--sudo-options=SUDO_OPTIONS` +: Additional sudo options for a remote scan. -
--tags=one two three
-
A list of tags names that are part of controls to filter and run controls, or a list of /regexes/ to match against tags names of controls. Ignore all other tests.
+`--sudo-password=SUDO_PASSWORD` +: Specify a sudo password, if it is required. -
-t, --target=TARGET
-
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
+`-t` +`--target=TARGET` +: Simple targeting option using URIs, e.g. ssh://user:pass@host:port. -
--target-id=TARGET_ID
-
Provide an ID which will be included on reports - deprecated
+`--target-id=TARGET_ID` +: Provide an ID that is included on reports - deprecated. -
--user=USER
-
The login user for a remote scan.
+`--tags=one two three` +: A list of tags or regular expressions that match tags. `exec` will run controls referenced by the listed or matching tags. -
--vendor-cache=VENDOR_CACHE
-
Use the given path for caching dependencies, (default: ~/.inspec/cache).
+`--user=USER` +: The login user for a remote scan. -
--waiver-file=one two three
-
Load one or more waiver files.
+`--vendor-cache=VENDOR_CACHE` +: Use the given path for caching dependencies. (default: `~/.inspec/cache`). -
--winrm-basic-auth-only, --no-winrm-basic-auth-only
-
Whether to use basic authentication, defaults to false (WinRM).
+`--waiver-file=one two three` +: Load one or more waiver files. -
--winrm-disable-sspi, --no-winrm-disable-sspi
-
Whether to use disable sspi authentication, defaults to false (WinRM).
+`--winrm-basic-auth-only` +`--no-winrm-basic-auth-only` +: Whether to use basic authentication, defaults to false (WinRM). -
--winrm-shell-type=WINRM_SHELL_TYPE
-
Specify which shell type to use (powershell, elevated, or cmd), which defaults to powershell (WinRM).
+`--winrm-disable-sspi` +`--no-winrm-disable-sspi` +: Whether to use disable sspi authentication, defaults to false (WinRM). -
--winrm-transport=WINRM_TRANSPORT
-
Specify which transport to use, defaults to negotiate (WinRM).
+`--winrm-transport=WINRM_TRANSPORT` +: Specify which transport to use, defaults to negotiate (WinRM). -
+`--enhanced-outcomes` +: Includes enhanced outcome of controls in report data. -## export +## habitat -Read the profile in path and generate a summary in the given format. +Create a Chef Habitat package. ### Syntax This subcommand has the following syntax: ```bash -inspec export PATH +inspec habitat SUBCOMMAND ``` -### Options - -This subcommand has the following additional options: +## help -
-
--auto-install-gems, --no-auto-install-gems
-
Auto installs gem dependencies of the profile or resource pack.
+Describe available commands or one specific command. -
--controls=one two three
-
For --what=profile, a list of controls to include. Ignore all other tests.
+### Syntax -
--format=FORMAT
-
The output format to use: json, raw, yaml. If valid format is not provided then it will use the default for the given 'what'.
+This subcommand has the following syntax: -
-o, --output=OUTPUT
-
Save the created output to a path.
+```bash +inspec help [COMMAND] +``` -
--profiles-path=PROFILES_PATH
-
Folder which contains referenced profiles.
+## init -
--tags=one two three
-
For --what=profile, a list of tags to filter controls and include only those. Ignore all other tests.
+Scaffold a new project. -
--vendor-cache=VENDOR_CACHE
-
Use the given path for caching dependencies, (default: ~/.inspec/cache).
+### Syntax -
--what=WHAT
-
What to export: profile (default), readme, metadata.
+This subcommand has the following syntax: -
+```bash +inspec init TEMPLATE +``` -## help +## export -Describe available commands or one specific command +Read the profile in path and generate a summary in the given format. ### Syntax This subcommand has the following syntax: ```bash -inspec help [COMMAND] +inspec export PATH ``` +### Options + +This subcommand has the following additional options: + +`--what=WHAT` +: What to export: profile (default), readme, metadata. + +`--controls=one two three` +: For --what=profile, a list of controls to include. Other controls are ignored.. + +`--format=FORMAT` +: The output format to use: json, raw, yaml. If valid format is not provided then it will use the default for the given 'what'. + +`--legacy-export` +`--no-legacy-export` +: Run with legacy export. + +`-o` +`--output=OUTPUT` +: Save the created output to a path. + +`--profiles-path=PROFILES_PATH` +: Folder which contains referenced profiles. + +`--tags=one two three` +: For --what=profile, a list of tags to filter controls and include only those. Other controls are ignored. + +`--vendor-cache=VENDOR_CACHE` +: Use the given path for caching dependencies, (default: `~/.inspec/cache`). + ## json Read all tests in the path and generate a json summary. @@ -618,42 +682,90 @@ inspec json PATH This subcommand has the following additional options: -
-
--auto-install-gems, --no-auto-install-gems
-
Auto installs gem dependencies of the profile or resource pack.
+`--allow-unsigned-profiles` +: Allow InSpec to read unsigned profiles if [mandatory profile signing](/inspec/signing/) is enabled. Defaults to false. + + **Chef InSpec 6** and greater has an optional setting that requires signed profiles. + If you try to read an unsigned profile with this feature enabled, InSpec won't read the profile and returns exit code 6. + Use `--allow-unsigned-profiles` to read unsigned profiles if mandatory profile signing is enabled. + + For more information, see [Signed InSpec Profiles](/inspec/signing/). + +`--controls=one two three` +: A list of controls to include. Ignore all other tests. + +`--legacy-export` +`--no-legacy-export` +: Run with legacy export. + +`-o` +`--output=OUTPUT` +: Save the created profile to a path. + +`--profiles-path=PROFILES_PATH` +: Folder which contains referenced profiles. + +`--tags=one two three` +: A list of tags that reference specific controls. Other controls are ignored. -
--controls=one two three
-
A list of controls to include. Ignore all other tests.
+`--vendor-cache=VENDOR_CACHE` +: Use the given path for caching dependencies. (default: `~/.inspec/cache`). -
-o, --output=OUTPUT
-
Save the created profile to a path.
+## license -
--profiles-path=PROFILES_PATH
-
Folder which contains referenced profiles.
+Subcommands for interacting with the Chef licensing system. -
--tags=one two three
-
A list of tags to filter controls and include only those. Ignore all other tests.
+`inspec license` supports two subcommands, `add` and `list`. -
--vendor-cache=VENDOR_CACHE
-
Use the given path for caching dependencies, (default: ~/.inspec/cache).
+### license add -
+Add a Chef license. -## run_context +Not applicable for users running a Chef Private Licensing Service. -Used to test run-context detection +#### Syntax + +```bash +inspec license add +``` + +### license list + +Run license diagnostics and output the details of your current Chef license configuration. + +#### Syntax + +```bash +inspec license list +``` + +## nothing + +Does nothing. + +### Syntax + +This subcommand has the following syntax: + +```bash +inspec nothing +``` + +## plugin + +Install and manage [Chef InSpec plugins](/inspec/plugins/). ### Syntax This subcommand has the following syntax: ```bash -inspec run_context +inspec plugin SUBCOMMAND ``` ## schema -Print the json schema +Print the json schema. ### Syntax @@ -665,13 +777,10 @@ inspec schema NAME ### Options -This subcommand has the following additional options: - -
-
--enhanced-outcomes, --no-enhanced-outcomes
-
Show enhanced outcomes output
+This subcommand has the following additional option: -
+`--enhanced-outcomes` +: Includes enhanced outcome of controls in report data. ## shell @@ -689,150 +798,160 @@ inspec shell This subcommand has the following additional options: -
-
-b, --backend=BACKEND
-
Choose a backend: local, ssh, winrm, docker.
- -
--bastion-host=BASTION_HOST
-
Specifies the bastion host if applicable.
+`--audit-log-location=AUDIT_LOG_LOCATION` +: The directory that the audit log saves diagnostic log files to. + You must enable audit logging to use this feature. See the [Audit Log documentation](/inspec/audit_log/) for details. -
--bastion-port=BASTION_PORT
-
Specifies the bastion port if applicable.
+ Default: `~/.inspec/logs`. -
--bastion-user=BASTION_USER
-
Specifies the bastion user if applicable.
+ InSpec creates log files in the set directory using the following format: `inspec-audit-TIMESTAMP-PID.log`. -
--ca-trust-file=CA_TRUST_FILE
-
Specify CA certificate required for SSL authentication (WinRM).
+`-b` +`--backend=BACKEND` +: Choose a backend: local, ssh, winrm, docker. -
--client-cert=CLIENT_CERT
-
Specify client certificate for SSL authentication
+`--bastion-host=BASTION_HOST` +: Specifies the bastion host if applicable. -
--client-key=CLIENT_KEY
-
Specify client key required with client cert for SSL authentication
+`--bastion-port=BASTION_PORT` +: Specifies the bastion port if applicable. -
--client-key-pass=CLIENT_KEY_PASS
-
Specify client cert password, if required for SSL authentication
+`--bastion-user=BASTION_USER` +: Specifies the bastion user if applicable. -
-c, --command=COMMAND
-
A single command string to run instead of launching the shell
+`-c` +`--command=COMMAND` +: A single command string to run instead of launching the shell. -
--command-timeout=N
-
Maximum seconds to allow a command to run.
+`--command-timeout=SECONDS` +: Maximum seconds to allow a command to run. -
--config=CONFIG
-
Read configuration from JSON file (`-` reads from stdin).
+`--ca-trust-file=PATH_TO_CA_TRUST_FILE` +: Specify CA certificate required for SSL authentication (WinRM). -
--depends=one two three
-
A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell
+`--client-cert=PATH_TO_CLIENT_CERTIFICATE` +: Specify client certificate required for SSL authentication (WinRM). -
--distinct-exit, --no-distinct-exit
-
Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures.
+`--client-key=PATH_TO_CLIENT_KEY` +: Specify client key required with client certificate for SSL authentication (WinRM). -
--docker-url=DOCKER_URL
-
Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows.
+`--client-key-pass=CLIENT_CERT_PASSWORD` +: Specify client certificate password, if required for SSL authentication (WinRM). -
--enable-password=ENABLE_PASSWORD
-
Password for enable mode on Cisco IOS devices.
+`--config=CONFIG` +: Read configuration from the JSON file (`-` reads from stdin). -
--enhanced-outcomes, --no-enhanced-outcomes
-
Show enhanced outcomes in output
+`--depends=one two three` +: A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell. -
--host=HOST
-
Specify a remote host which is tested.
+`--distinct-exit` +`--no-distinct-exit` +: Exit with code 100 if any tests fail and 101 if any are skipped, but none failed (default). If disabled, exit 0 on skips and 1 for failures. -
--input=name1=value1 name2=value2
-
Specify one or more inputs directly on the command line to the shell, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures.
+`--docker-url` +: Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows. -
--input-file=one two three
-
Load one or more input files, a YAML file with values for the shell to use
+`--enable-password=ENABLE_PASSWORD` +: Password for enable mode on Cisco IOS devices. -
--insecure, --no-insecure
-
Disable SSL verification on select targets.
+`--host=HOST` +: Specify a remote host which is tested. -
--inspect, --no-inspect
-
Use verbose/debugging output for resources.
+`--insecure` +`--no-insecure` +: Disable SSL verification on select targets. -
-i, --key-files=one two three
-
Login key or certificate file for a remote scan.
+`--inspect` +`--no-inspect` +: Use verbose/debugging output for resources. -
--password=PASSWORD
-
Login password for a remote scan, if required.
+`-i` +`--key-files=one two three` +: Login key or certificate file for a remote scan. -
--path=PATH
-
Login path to use when connecting to the target (WinRM).
+`--password=PASSWORD` +: Login password for a remote scan, if required. -
--podman-url=PODMAN_URL
-
Provides the path to the Podman API endpoint. Defaults to unix:///run/user/$UID/podman/podman.sock for rootless container, unix:///run/podman/podman.sock for rootful container (for this you need to execute inspec as root user).
+`--path=PATH` +: Login path to use when connecting to the target (WinRM). -
-p, --port=N
-
Specify the login port for a remote scan.
+`-p` +`--port=N` +: Specify the login port for a remote scan. -
--proxy-command=PROXY_COMMAND
-
Specifies the command to use to connect to the server.
+`--podman-url` +: Provides the path to the Podman API endpoint. Defaults to unix:///run/user/$UID/podman/podman.sock for rootless container, unix:///run/podman/podman.sock for rootful container (for this you need to execute inspec as root user). -
--reporter=one two:/output/file/path
-
Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit
+`--proxy-command=PROXY_COMMAND` +: Specifies the command to use to connect to the server. -
--self-signed, --no-self-signed
-
Allow remote scans with self-signed certificates (WinRM).
+`--reporter=one two:/output/file/path` +: Enable one or more output reporters: cli, documentation, html2, progress, json, json-min, json-rspec, junit2. -
--shell, --no-shell
-
Run scans in a subshell. Only activates on Unix.
+`--self-signed` +`--no-self-signed` +: Allow remote scans with self-signed certificates (WinRM). -
--shell-command=SHELL_COMMAND
-
Specify a particular shell to use.
+`--shell` +`--no-shell` +: Run scans in a subshell. Only activates on Unix. -
--shell-options=SHELL_OPTIONS
-
Additional shell options.
+`--shell-command=SHELL_COMMAND` +: Specify a particular shell to use. -
--ssh-config-file=one two three
-
A list of paths to the ssh config file, e.g ~/.ssh/config or /etc/ssh/ssh_config.
+`--shell-options=SHELL_OPTIONS` +: Additional shell options. -
--ssl, --no-ssl
-
Use SSL for transport layer encryption (WinRM).
+`--ssh-config-file=one two three` +: A list of paths to the SSH configuration file, for example: `~/.ssh/config` or `/etc/ssh/ssh_config`. -
--ssl-peer-fingerprint=SSL_PEER_FINGERPRINT
-
Specify SSL peer fingerprint in place of certificates for SSL authentication (WinRM).
+`--ssl` +`--no-ssl` +: Use SSL for transport layer encryption (WinRM). -
--sudo, --no-sudo
-
Run scans with sudo. Only activates on Unix and non-root user.
+`--ssl-peer-fingerprint=SSL_PEER_FINGERPRINT` +: Specify SSL peer fingerprint in place of certificates for SSL authentication (WinRM). -
--sudo-command=SUDO_COMMAND
-
Alternate command for sudo.
+`--sudo` +`--no-sudo` +: Run scans with sudo. Only activates on Unix and non-root user. -
--sudo-options=SUDO_OPTIONS
-
Additional sudo options for a remote scan.
+`--sudo-command=SUDO_COMMAND` +: Alternate command for sudo. -
--sudo-password=SUDO_PASSWORD
-
Specify a sudo password, if it is required.
+`--sudo-options=SUDO_OPTIONS` +: Additional sudo options for a remote scan. -
-t, --target=TARGET
-
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
+`--sudo-password=SUDO_PASSWORD` +: Specify a sudo password, if it is required. -
--target-id=TARGET_ID
-
Provide an ID which will be included on reports - deprecated
+`-t` +`--target=TARGET` +: Simple targeting option using URIs, e.g. ssh://user:pass@host:port. -
--user=USER
-
The login user for a remote scan.
+`--target-id=TARGET_ID` +: Provide a ID which will be included on reports. -
--winrm-basic-auth-only, --no-winrm-basic-auth-only
-
Whether to use basic authentication, defaults to false (WinRM).
+`--user=USER` +: The login user for a remote scan. -
--winrm-disable-sspi, --no-winrm-disable-sspi
-
Whether to use disable sspi authentication, defaults to false (WinRM).
+`--winrm-basic-auth-only` +`--no-winrm-basic-auth-only` +: Whether to use basic authentication, defaults to false (WinRM). -
--winrm-shell-type=WINRM_SHELL_TYPE
-
Specify which shell type to use (powershell, elevated, or cmd), which defaults to powershell (WinRM).
+`--winrm-disable-sspi` +`--no-winrm-disable-sspi` +: Whether to use disable sspi authentication, defaults to false (WinRM). -
--winrm-transport=WINRM_TRANSPORT
-
Specify which transport to use, defaults to negotiate (WinRM).
+`--winrm-transport=WINRM_TRANSPORT` +: Specify which transport to use, defaults to negotiate (WinRM). -
+`--enhanced-outcomes` +: Includes enhanced outcome of controls in report data. ## supermarket -Supermarket commands +Supermarket commands. ### Syntax @@ -842,9 +961,16 @@ This subcommand has the following syntax: inspec supermarket SUBCOMMAND ... ``` +### Options + +This subcommand has additional options: + +`--supermarket_url` +: Specify the URL of a private Chef Supermarket. + ## vendor -Download all dependencies and generate a lockfile in a `vendor` directory +Download all dependencies and generate a lockfile in a `vendor` directory. ### Syntax @@ -856,13 +982,11 @@ inspec vendor PATH ### Options -This subcommand has the following additional options: - -
-
--overwrite, --no-overwrite
-
Overwrite existing vendored dependencies and lockfile.
+This subcommand has additional options: -
+`--overwrite` +`--no-overwrite` +: Overwrite existing vendored dependencies and lockfiles. ## version @@ -880,7 +1004,4 @@ inspec version This subcommand has the following additional options: -
-
--format=FORMAT
-
- +`--format=FORMAT` diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cloud_platforms.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cloud_platforms.md new file mode 100644 index 00000000000..13712be7e5a --- /dev/null +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cloud_platforms.md 
@@ -0,0 +1,207 @@
++++
+title = "Using Chef InSpec on Cloud Platforms"
+draft = false
+gh_repo = "inspec"
+
+[menu]
+ [menu.inspec]
+ title = "Chef InSpec for the Cloud"
+ identifier = "inspec/Chef InSpec on Cloud Platforms"
+ parent = "inspec"
+ weight = 30
++++
+
+As of Chef InSpec 2.0, we have expanded our platform support beyond individual machines and now include support for select AWS, Azure, GCP, and AliCloud resources.
+
+Using InSpec, you can use several Chef InSpec resources to audit properties of your cloud infrastructure - for example, an Amazon Web Services S3 bucket.
+
+## AWS Platform Support in InSpec
+
+### Setting up AWS credentials for InSpec
+
+Chef InSpec uses the standard AWS authentication mechanisms. Typically, you will create an IAM user specifically for auditing activities.
+
+1. Create an IAM user in the AWS console, with your choice of username. Check the box marked "Programmatic Access."
+
+1. On the Permissions screen, choose Direct Attach. Select the AWS-managed IAM Profile named "ReadOnlyAccess." If you wish to restrict the user further, you may do so; see individual Chef InSpec resources to identify which permissions are required.
+
+1. After generating the key, record the Access Key ID and Secret Key.
+
+#### Using Environment Variables to provide credentials
+
+You may provide the credentials to Chef InSpec by setting the following environment variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_ACCESS_KEY`. You may also use `AWS_PROFILE`, or if you are using MFA, `AWS_SESSION_TOKEN`. See the [AWS Command Line Interface Docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) for details.
+
+Once you have your environment variables set, you can verify your credentials by running:
+
+```bash
+$ inspec detect -t aws://
+
+== Platform Details
+Name: aws
+Families: cloud, api
+Release: aws-sdk-v2.10.125
+```
+
+#### Using the Chef InSpec target option to provide credentials on AWS
+
+Look for a file in your home directory named `~/.aws/credentials`. If it does not exist, create it. Choose a name for your profile; here, we're using the name 'auditing'. Add your credentials as a new profile, in INI format:
+
+```bash
+[auditing]
+aws_access_key_id = AKIA....
+aws_secret_access_key = 1234....abcd
+```
+
+You may now run Chef InSpec using the `--target` / `-t` option, using the format `-t aws://region/profile`. For example, to connect to the Ohio region using a profile named 'auditing', use `-t aws://us-east-2/auditing`.
+
+To verify your credentials, run:
+
+```bash
+$ inspec detect -t aws://
+
+== Platform Details
+Name: aws
+Families: cloud, api
+Release: aws-sdk-v2.10.125
+```
+
+## Azure Platform Support in InSpec
+
+### Setting up Azure credentials for InSpec
+
+To use Chef InSpec Azure resources, you will need to create a Service Principal Name (SPN) for auditing an Azure subscription.
+
+This can be done on the command line or from the Azure Portal:
+
+- [Azure CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal-cli)
+- [PowerShell](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal)
+- [Azure Portal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal)
+
+The information from the SPN can be specified either in the file `~/.azure/credentials`, as environment variables, or by using Chef InSpec target URIs.
+
+#### Setting up the Azure Credentials File
+
+By default, Chef InSpec is configured to look at `~/.azure/credentials`, and it should contain:
+
+```powershell
+[]
+client_id = ""
+client_secret = ""
+tenant_id = ""
+```
+
+{{< note >}}
+
+In the Azure web portal, these values are labeled differently:
+
+- The client_id is referred to as the 'Application ID'
+- The client_secret is referred to as the 'Key (Password Type)'
+- The tenant_id is referred to as the 'Directory ID'
+
+{{< /note >}}
+
+With the credentials are in place, you may now execute InSpec:
+
+```bash
+inspec exec my-inspec-profile -t azure://
+```
+
+#### Using Environment variables to provide credentials
+
+You may also set the Azure credentials via environment variables:
+
+- `AZURE_SUBSCRIPTION_ID`
+- `AZURE_CLIENT_ID`
+- `AZURE_CLIENT_SECRET`
+- `AZURE_TENANT_ID`
+
+For example:
+
+```bash
+AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \
+AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \
+AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W" \
+AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3" inspec exec my-profile -t azure://
+```
+
+#### Using the Chef InSpec target option to provide credentials on Azure
+
+If you have created a `~/.azure/credentials` file as above, you may also use the Chef InSpec command line `--target` / `-t` option to select a subscription ID. For example:
+
+```bash
+inspec exec my-profile -t azure://2fbdbb02-df2e-11e6-bf01-fe55135034f3
+```
+
+## AliCloud Platform Support in InSpec
+
+You will need to install AliCloud SDK version 0.8.0 and require AliCloud credentials to use the Chef InSpec AliCloud resources.
+
+### Setting up AliCloud credentials for InSpec
+
+You can configure AliCloud credentials in an [.envrc file](https://github.com/inspec/inspec-alicloud#:~:text=shell.%20(See%20example-,.envrc%20file,-)) or export them in your shell.
+
+```bash
+# Example configuration
+export ALICLOUD_ACCESS_KEY="anaccesskey"
+export ALICLOUD_SECRET_KEY="asecretkey"
+export ALICLOUD_REGION="eu-west-1"
+```
+
+## GCP Platform Support in InSpec
+
+### Setting up GCP credentials for InSpec
+
+To use Chef InSpec GCP resources, you will need to install and configure the Google Cloud SDK. Instructions for this pre-requisite can be found in the
+[Google CLoud SDK documentation](https://cloud.google.com/sdk/docs/). Be sure that your InSpec installation is the latest version. The minimal required InSpec version is 3.0.25.
+
+### Create an InSpec profile that makes use of `inspec-gcp`
+
+With a version of InSpec above 4.0.0, it is possible to create a profile with the following command:
+
+```bash
+$ inspec init profile --platform gcp my-profile
+Create new profile at /Users/me/my-profile
+ * Creating directory libraries
+ * Creating file README.md
+ * Creating directory controls
+ * Creating file controls/example.rb
+ * Creating file inspec.yml
+ * Creating file inputs.yml
+ * Creating file libraries/.gitkeep
+```
+
+Assuming the `inputs.yml` file contains your GCP project ID, this sample profile can then be executed using the following command:
+
+```bash
+inspec exec my-profile --input-file=my-profile/inputs.yml -t gcp://
+```
+
+#### Setting up the GCP Credentials File
+
+While InSpec can use user accounts for authentication, [Google Cloud documentation](https://cloud.google.com/docs/authentication/) recommends using service accounts. Following GCP best practices, first create a service account with the scopes appropriate for your needs. See [these instructions](https://cloud.google.com/docs/authentication/getting-started) on creating a service account.
+
+Then, download the credential JSON file, e.g. 
`project-credentials.json`, to your workspace and run the following command to activate your service account:
+
+```bash
+gcloud auth activate-service-account --key-file project-credentials.json
+```
+
+#### Using Environment variables for providing credentials
+
+You may also set the GCP credentials json file via the `GOOGLE_APPLICATION_CREDENTIALS` environment variable.
+
+```bash
+export GOOGLE_APPLICATION_CREDENTIALS='/Users/me/.config/gcloud/myproject-1-feb7993e8660.json'
+```
+
+Once you have your environment variables set, you can verify your credentials by running:
+
+```bash
+$ inspec detect -t gcp://
+
+== Platform Details
+
+Name: gcp
+Families: cloud, api
+Release: google-cloud-v
+```
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/dsl_inspec.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/dsl_inspec.md
index 557a63b395f..541d00e4d0f 100644
--- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/dsl_inspec.md
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/dsl_inspec.md
@@ -11,11 +11,10 @@ gh_repo = "inspec" weight = 70 +++ -Chef InSpec is a run-time framework and rule language used to specify compliance, -security, and policy requirements. It includes a collection of resources that help -you write auditing controls quickly and easily. The syntax used by both open source -and [Chef compliance](/compliance/) auditing is the same. The open source [Chef InSpec resource](/inspec/resources/) -framework is compatible with [Chef compliance](https://docs.chef.io/chef_compliance_phase/). +Chef InSpec is a run-time framework and rule language used to specify compliance, security, and policy requirements. +It includes a collection of resources that help you write auditing controls quickly and easily. +The syntax used by both open source and [Chef compliance](https://www.chef.io/products/chef-compliance) auditing is the same. +The open source [Chef InSpec resource](/inspec/resources/) framework is compatible with [Chef compliance](https://docs.chef.io/chef_compliance_phase/). The Chef InSpec Language is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke. diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/install.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/install.md index 77d7275f462..17d1ed7b6e8 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/install.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/install.md 
@@ -1,70 +1,51 @@ +++ -title = "Install and Uninstall" +title = "Install Chef InSpec" draft = false gh_repo = "inspec" [menu] [menu.inspec] - title = "Install and Uninstall" - identifier = "inspec/install.md Install and Uninstall" - parent = "inspec" + title = "Install" + identifier = "inspec/install/install" + parent = "inspec/install" weight = 20 +++ -Users can choose between operating systems of MacOS, Windows, and Linux for Chef InSpec. +Use [Chef Downloads](https://www.chef.io/downloads), an installer, script, or package manager to install Chef InSpec. -## Install Chef InSpec +To see which platforms and platform versions Chef InSpec is supported on, see the [InSpec's platforms documentation](/inspec/platforms/). -You can download the latest Chef InSpec package relevant to your operating system -at [our Downloads Page](https://www.chef.io/downloads/tools/inspec). +## macOS -Alternatively, Chef InSpec can be installed via installer, script, or package -manager, according to your operating system and method as listed below. +### CLI -### macOS - -#### Homebrew - -Chef InSpec is available as a standalone [Homebrew](https://brew.sh/) package. -Run the following command in your terminal to install Chef InSpec: - -```bash -brew install chef/chef/inspec -``` - -While this command is running, you may be prompted to enter your macOS user account -password for installation to complete. - -#### CLI - -You can download Chef InSpec via curl script: +You can install Chef InSpec using a curl script. ```bash curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec ``` -### Windows +## Windows -#### Installer +### Installer -Once you downloaded the latest [Chef InSpec package](https://www.chef.io/downloads/tools/inspec) -relevant to your Microsoft version, double-click the `.msi` file to launch the -installer and follow the prompts. 
+Download a Windows Chef InSpec package from [Chef Downloads](https://www.chef.io/downloads), +then double-click on the `.msi` file to launch the installer and follow the prompts. -#### Powershell +### Powershell -Use the following command to install Chef InSpec via Powershell script: +You can install Chef InSpec using the following Powershell script. ```powershell . { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project inspec ``` -Once Chef InSpec is installed, run `inspec version` to verify that the installation +Once you have installed Chef InSpec, run `inspec version` to verify that the installation was successful. -### Linux +## Linux -#### CLI +### CLI The following curl script will install Chef InSpec for Ubuntu and Red Hat Enterprise Linux: @@ -73,7 +54,7 @@ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec ``` If you prefer, you can use a package manager to install Chef InSpec. -Once you downloaded the latest [Chef InSpec package](https://www.chef.io/downloads/tools/inspec) +Once you downloaded the latest [Chef InSpec package](https://www.chef.io/downloads) relevant to your Linux-based platform, use the command for the respective package manager listed below. Replace the example file path with the file path leading to your downloaded package. 
@@ -96,57 +77,7 @@ For SUSE Linux Enterprise Server, use the following command to install Chef InSp sudo zypper install /path-to/inspec.rpm ``` +## Next steps -## Uninstall Chef InSpec - -Chef InSpec can be uninstalled using the steps below that are appropriate for the -method of Chef InSpec installation. - -### macOS - -#### Homebrew - -Use the following *destructive* command to remove the Chef InSpec standalone Homebrew package: - -```bash -brew cask uninstall inspec -``` - -#### CLI - -Use the following *destructive* command in your terminal to remove the Chef InSpec package: - -```bash -sudo rm -rf /opt/inspec -``` - -### Windows - -#### Installer - -Use *Add / Remove Programs* to remove Chef InSpec. - -### Linux - -#### CLI - -The supported Linux-based platforms and their respective *destructive* command -for their package manager are listed below. - -For Ubuntu, use the following *destructive* command to uninstall: - -```bash -sudo dpkg -P inspec -``` - -For Red Hat Enterprise Linux, use the following *destructive* command to uninstall: - -```bash -sudo rpm -e inspec -``` - -For SUSE Linux Enterprise Server, use the following *destructive* command to uninstall Chef InSpec: - -```bash -sudo zypper remove inspec -``` +After installing Chef InSpec, you must accept the Chef EULA and---starting with **Chef InSpec 6**---add a license key. +See the [Chef InSpec license documentation](/inspec/license/) to complete these tasks. diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/license.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/license.md new file mode 100644 index 00000000000..e0e93030701 --- /dev/null +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/license.md 
@@ -0,0 +1,213 @@
++++
+title = "License Chef InSpec"
+draft = false
+gh_repo = "inspec"
+
+[menu]
+ [menu.inspec]
+ title = "License"
+ identifier = "inspec/install/license"
+ parent = "inspec/install"
+ weight = 30
++++
+
+Before running Chef InSpec, you must accept the Chef EULA and---starting with **Chef InSpec 6**---add a license key.
+
+Chef InSpec accepts a license key using one of two methods:
+
+- by setting a license key with an [environment variable or using the InSpec CLI](#license-key)
+- by retrieving a license key from a [Chef Local License Service URL](#chef-local-license-service)
+
+For more information on Chef licenses, see [Chef's licensing documentation](/licensing/).
+
+You can [request a trial license](https://www.chef.io/licensing/inspec/license-generation-free-trial) if you'd like to try out InSpec.
+
+## Accept the Chef EULA
+
+You must accept the [Chef End User License Agreement (EULA)](https://www.chef.io/end-user-license-agreement) before running Chef InSpec using one of two methods.
+
+- [command line option](#command-line-option)
+- [environment variable](#environment-variable)
+
+If no command line argument or environment variable is set, Chef InSpec requests acceptance through an interactive prompt. If the prompt can't be displayed, then the product will fail with exit code 172.
+
+If the product attempts to persist the accepted license and fails, Chef InSpec sends a message to STDOUT and continues to run. In a future invocation, you will need to accept the license again.
+
+### Command line option
+
+Use the `--chef-license ` argument to accept the Chef EULA.
+
+```sh
+inspec exec --chef-license
+```
+
+Replace `` with one of the following options.
+
+`accept`
+: Accept the license and attempts to persist a marker file locally. Persisting these marker files means future invocations don't require accepting the license again.
+
+`accept-silent`
+: Similar to `accept`, but no messaging is sent to STDOUT.
+
+`accept-no-persist`
+: Similar to `accept-silent`, but no marker file is persisted. Future invocation will require accepting the license again.
+
+### Environment variable
+
+Use the `CHEF_LICENSE=""` environment variable to accept the Chef EULA.
+
+```sh
+export CHEF_LICENSE=""
+inspec exec
+```
+
+Replace `` with one of the following options.
+
+`accept`
+: Accept the license and attempts to persist a marker file locally. Persisting these marker files means future invocations don't require accepting the license again.
+
+`accept-silent`
+: Similar to `accept`, but no messaging is sent to STDOUT.
+
+`accept-no-persist`
+: Similar to `accept-silent`, but no marker file is persisted. Future invocation will require accepting the license again.
+
+## License key
+
+Set a license key for Chef InSpec using one of three methods.
+
+- [interactive license dialog](#interactive-license-dialog)
+- [command line option](#command-line-option-1)
+- [environment variable](#environment-variable-1)
+
+{{< note >}}
+
+Existing commercial customers of Progress Chef may use an asset serial number from the [Progress support portal](https://community.progress.com/s/products/chef) as a license key.
+
+{{< /note >}}
+
+### Interactive license dialog
+
+The easiest way to provide a license key to Chef InSpec is to run Chef InSpec.
+Run any major top-level command (such as `inspec exec`, `inspec check`, or `inspec shell`) and InSpec will start an interactive licensing dialog
+if no license key is already set and it doesn't detect an automated method of setting the license key.
+
+1. To start the interactive licensing dialog, run a top-level command such as `inspec shell`.
+
+1. At the first prompt, select **I already have a license ID**.
+
+ ```bash
+ inspec shell
+ ------------------------------------------------------------
+ License ID Validation
+
+ To continue using Chef InSpec, a license ID is required.
+ (Free, Trial, or Commercial)
+
+ If you generated a license previously, you might
+ have received it in an email.
+
+ If you are a commercial user, you can also find it in the
+ supportlink.chef.io portal.
+ ------------------------------------------------------------
+
+ Please choose one of the options below (Press ↑/↓ arrow to move and Enter to select)
+ ‣ I already have a license ID
+ I don't have a license ID and would like to generate a new license ID
+ Skip
+ ```
+
+1. Enter your license key at the second prompt.
+
+ ```bash
+ Please choose one of the options below I already have a license ID
+ Please enter your license ID:
+ ✔ [Success] License validated successfully.
+ ------------------------------------------------------------
+ License Details
+ Asset Name : InSpec
+ License ID :
+ Type : Trial
+ Status : Active
+ Validity : Unlimited
+ No. Of Units : 10 Targets
+ ------------------------------------------------------------
+ Welcome to the interactive InSpec Shell
+ To find out how to use it, type: help
+
+ You are currently running on:
+
+ Name: mac_os_x
+ Families: darwin, bsd, unix, os
+ Release: 22.5.0
+ Arch: arm64
+
+ inspec> exit
+ ```
+
+Chef InSpec validates the license key, displays information about the license entitlements, and then runs `inspec shell` as requested.
+Chef InSpec stores license keys for future use and will not prompt you for the license key for the duration of your license.
+
+### Command line option
+
+You can set the license key in the command line using the `--chef-license-key` option.
+You may provide this argument to most Chef InSpec CLI main commands, however some plugins may not support the flag.
+
+```bash
+inspec exec --chef-license-key
+```
+
+### Environment variable
+
+You can set the license key using the `CHEF_LICENSE_KEY` environment variable.
+Chef InSpec will read the license key from the variable and attempt to validate the key.
+If successful, InSpec saves the key and will not prompt you for it the next time you run InSpec.
+
+```bash
+export CHEF_LICENSE_KEY=
+inspec exec
+```
+
+## Chef Local License Service
+
+For large or isolated (air-gapped) fleets, Chef InSpec can retrieve a license key from a [Chef Local License Service](/licensing/local_license_service/).
+With Chef Local License Service, InSpec users do not need to know a license key---only the service URL(s).
+
+Chef InSpec sends a request to the Local License Service for a list of license keys and then uses that response to license itself during execution.
+InSpec will not prompt you for a license key.
+Chef InSpec does not store license keys for long-term use when they are retrieved from a Chef Local License Service.
+
+Use one of the following methods to set a Local License Service URL.
+
+- [command line option](#command-line-option-2)
+- [environment variable](#environment-variable-2)
+
+### Command line option
+
+Use the `--chef-license-server` command line option to set a Chef Local License Service URL.
+
+```bash
+inspec exec --chef-license-server https://license-server.example.com
+```
+
+### Environment variable
+
+Use the `CHEF_LICENSE_SERVER` environment variable to set a Chef Local License Service URL.
+
+```bash
+export CHEF_LICENSE_SERVER=https://license-server.example.com
+inspec exec
+```
+
+#### Multiple license servers
+
+You can set multiple Chef Local License Services, which provides resiliency and redundancy for managing licenses.
+
+Enter up to five Chef Local License Service URLs as a comma-separated list. Chef InSpec will try each URL and use the first one that works.
+
+```bash
+export CHEF_LICENSE_SERVER=https://license-server-01.example.com,https://license-server-02.example.com
+inspec exec
+```
+
+This capability is basic and you must synchronize the license servers, otherwise you may get inconsistent results.
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/migration.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/migration.md
index 73b231c14ec..cb1d0e43a5c 100644
--- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/migration.md
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/migration.md
@@ -13,7 +13,7 @@ gh_repo = "inspec"
 ## How is Chef InSpec different from Serverspec
-We've written a complete blog post about that topic: [The Road to InSpec](https://blog.chef.io/2015/11/04/the-road-to-inspec/)
+We've written a complete blog post about that topic: [The Road to InSpec](https://www.chef.io/blog/the-road-to-inspec)
 ## Is Chef InSpec suitable for infrastructure testing?
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/parallel.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/parallel.md
new file mode 100644
index 00000000000..936b6bd5836
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/parallel.md
@@ -0,0 +1,237 @@
++++
+title = "InSpec Parallel"
+draft = false
+gh_repo = "inspec"
+
+[menu]
+ [menu.inspec]
+ title = "InSpec Parallel"
+ identifier = "inspec/parallel.md InSpec Parallel"
+ parent = "inspec"
+ weight = 25
++++
+
+Chef InSpec Parallel can automatically manage multiple profile executions in parallel on a system targeting several remote systems and environments.
+It manages multiple processes, their status updates, their exit codes, and user updates.
+All target operating systems and environments that can be addressed using `--target` are supported, and it is supported on Windows, MacOS, and Linux environments.
+
+InSpec Parallel is a new feature in **Chef InSpec 6**.
+
+{{< note >}}
+
+Currently, `inspec parallel` only supports the `exec` command.
+
+{{< /note >}}
+
+## How to use InSpec Parallel
+
+The following example shows you how to execute the **Dev-Sec SSH Baseline** profile against five servers in parallel using `inpec parallel exec`.
+
+1. Create an [option file](#option-file) that contains the CLI options that are passed to `inspec exec parallel`.
+
+ The option file contains one invocation per line and specifies all options in each invocation.
+
+ ```text
+ # five-servers.txt
+ # Option file for running against multiple SSH targets
+ -t ssh://server1 --reporter cli:server1.out
+ -t ssh://server2 --reporter cli:server2.out
+ -t ssh://server3 --reporter cli:server3.out
+ -t ssh://server4 --reporter cli:server4.out
+ -t ssh://server5 --reporter cli:server5.out
+ ```
+
+1. Specify the option file that InSpec Parallel executes using the `-o` or `--option_file` flag in the InSpec CLI.
+
+ ```bash
+ inspec parallel exec https://github.com/dev-sec/ssh-baseline -o five-servers.txt -i file_name.pem
+ ```
+
+As InSpec Parallel runs, it shows the progress (percentage of controls completed) of each invocation, the process ID of each job, and writes log and error data to the `logs/` directory with each log file named after the process ID.
+
+```bash
+Press CTL+C to stop
+ InSpec Parallel
+ Running 5 invocations in 4 slots
+-----------------------------------------------------------------------------------------------------------------------------------------
+ Slot 1 Slot 2 Slot 3 Slot 4
+-----------------------------------------------------------------------------------------------------------------------------------------
+ 50132: 0.0% 50133: 12.5% 50134: 12.5% Done
+```
+
+## Option file
+
+An option file is a text file that contains options passed to `inspec parallel`.
+Chef InSpec ignores comments (starting with a `#`) and blank lines in an option file.
+Chef InSpec invokes `inspec parallel` on each non-commented and non-blank line.
+
+The only requirement is that every invocation in an option file must have a `--reporter` option.
+The reporter option must write to a file or use the `automate` reporter to send an API post to a Chef Automate service.
+For details of the available reporters and the full syntax of the reporter option, see the [Chef InSpec Reporter documentation]({{< relref "/inspec/reporters" >}}).
+
+The simplest option file might look like this:
+
+```text
+# simple.txt
+# Run five invocations, saving the output as ordinal names
+--reporter cli:first.out
+--reporter cli:second.out
+--reporter cli:third.out
+--reporter cli:fourth.out
+--reporter cli:fifth.out
+```
+
+For this example, InSpec Parallel would run the same profile on the same target five times, it would send the output to each of the five reporters listed in the option file, and you would specify the target and profile when you invoke `inspec parallel exec` in the command line.
+
+You can pass any options on the invocation line, including `--controls` (to divide a profile into sections), `--input` (to parameterize a profile and possibly target different resources), and `--target` (to target different machines or environments).
+
+See the [Examples section](#examples) for more detail on how you can use an option file.
+
+### Embedded Ruby templating
+
+You can add Embedded RuBy (ERB) template escapes and Chef InSpec will evaluate it as an ERB template.
+You can directly embed Ruby code into your option file, including loops and conditionals.
+The rendered output of the option file is used as invocations.
+This is especially useful with the `--dry-run` option.
+
+The most common ERB templating is to use the `pid` variable to reference the process ID of the child process.
+See the [Examples](#name-json-output-files-with-process-id) section for more information.
+
+### Executable script
+
+If the name of the option file ends in `.sh` (MacOS, Linux) or `.ps1` (Windows), InSpec Parallel executes the script and uses the standard output as the option file.
+
+{{< note >}}
+
+This feature is experimental and we would love to hear [feedback](https://github.com/inspec/inspec/issues/new/choose) from you.
+
+{{< /note >}}
+
+## Options
+
+InSpec Parallel accepts options from the subcommand that it's managing. It also accepts the following options:
+
+`--bg`
+: The `--bg` option silences all output from the command and runs it in the background. InSpec Parallel will still write log files with the `--bg` option.
+
+`--dry-run`
+: The `--dry-run` option interprets the option file but does not execute it. Chef InSpec outputs the lines that would have been executed to the standard output. If you add `--verbose`, you can see all the CLI defaults that implicitly get added.
+
+: {{< note >}}
+
+ When calling `--dry-run`, you may notice that an extra reporter gets added to your invocation, `--reporter child-status`. This reporter is a special streaming reporter used to report status from the running child processes to the parent process and is a necessary part of the plumbing of InSpec Parallel.
+
+ {{< /note >}}
+
+`-j`
+`--jobs`
+: Use the `-j` or `--jobs` option to specify how many job slots InSpec Parallel uses.
+ InSpec Parallel defaults to the number of hyperthreaded cores on your machine (for example, a dual-core machine with hyperthreading defaults to four jobs).
+ The default is usually reasonable, but experimentation may be rewarding.
+
+`-o`
+`--option_file`
+: Use the `-o` or `--option_file` option in the command line to specify the option file that InSpec Parallel will run.
+
+## Examples
+
+### Use the same options for each invocation
+
+`inspec parallel exec` accepts all options that `inspec exec` does and passes them to each invocation as defaults.
+This means that you do not have to specify repetitive options that are constant across all the invocations in an option file.
+
+For example, if all machines take the same SSH key, you can specify it once on the top-level command line.
+
+```text
+# three-servers.txt
+# Option file for running against multiple SSH targets
+-t ssh://server1 --reporter cli:server1.out
+-t ssh://server2 --reporter cli:server2.out
+-t ssh://server3 --reporter cli:server3.out
+```
+
+```bash
+inspec parallel exec profile_name -o three-servers.txt -i file_name.pem
+```
+
+### Name JSON output files with process ID
+
+In this example, the `json` reporter saves output log files in the `logs` directory and names each one after the process ID using the `pid` ERB variable.
+This technique would work with any [reporter]({{< relref "/inspec/reporters" >}}) that can write to a file.
+
+```text
+# pid-named-output.txt
+# Option file in which the output is named after the PID of the process
+--reporter json:logs/<%= pid %>.json
+--reporter json:logs/<%= pid %>.json
+--reporter json:logs/<%= pid %>.json
+--reporter json:logs/<%= pid %>.json
+```
+
+After this profile is executed, the `logs` directory would have the following files:
+
+- 1000.log
+- 1000.json
+- 1001.log
+- 1001.json
+- 1002.log
+- 1002.json
+- 1003.log
+- 1003.json
+
+### Run the same profile on different targets
+
+You can run the same profile on multiple targets by specifying each target in the option file using the `-t` or `--target` option.
+
+```text
+# five-servers.txt
+# Option file for running against multiple SSH targets
+-t ssh://server1 --reporter cli:server1.out
+-t ssh://server2 --reporter cli:server2.out
+-t ssh://server3 --reporter cli:server3.out
+-t ssh://server4 --reporter cli:server4.out
+-t ssh://server5 --reporter cli:server5.out
+```
+
+Then specify the profile and the option file in the command line.
+
+```bash
+inspec parallel exec https://github.com/dev-sec/ssh-baseline -o five-servers.txt -i file_name.pem
+```
+
+If you have many or variable targets to run against, consider using ERB templating to read the list of targets after reading them from a CSV file or connecting to an API. You can also use a script to list your targets.
+
+### Run different profiles on the same target
+
+To run different profiles on the same target, specify the profile at the front of the invocation in the option file.
+
+```text
+# multi-profile.txt
+https://github.com/dev-sec/ssh-baseline --reporter cli:ssh-baseline.out
+https://github.com/dev-sec/linux-baseline --reporter cli:linux-baseline.out
+```
+
+Then invoke InSpec parallel by passing the target as a top-level option and a dummy name for the profile.
+
+```bash
+inspec parallel exec dummy -o multi-profile.txt -t ssh://server
+```
+
+### Run different parts of a profile in parallel
+
+If your profile has well-named control IDs, you can use the `--controls` option to divide the profile into sections.
+Suppose that your profile has sections named **C**, **S**, and **N** and the controls in each section have control IDs that start with the given letter,
+then you can create an option file that divides the profile as follows:
+
+```text
+# divide-aws-bp.txt
+--reporter cli:C.out --controls /^C/
+--reporter cli:S.out --controls /^S/
+--reporter cli:N.out --controls /^N/
+```
+
+When you run the following command, `inspec exec` runs three times, once for each of the **C**, **S**, and **N** sections of the profile.
+
+```bash
+inspec parallel exec aws-best-practices -o divide-aws-bp.txt -t aws://profile_name@us-east-2
+```
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/platforms.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/platforms.md
index dc3a1b13eff..d1c659f1a5f 100644
--- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/platforms.md
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/platforms.md
@@ -1,207 +1,28 @@ +++ -title = "Using Chef InSpec on Cloud Platforms" +title = "Supported Platforms" draft = false gh_repo = "inspec" [menu] [menu.inspec] - title = "Chef InSpec for the Cloud" - identifier = "inspec/platforms.md Using Chef InSpec on Cloud Platforms" - parent = "inspec" - weight = 30 + title = "Platforms" + identifier = "inspec/install/platforms" + parent = "inspec/install" + weight = 10 +++ -As of Chef InSpec 2.0, we have expanded our platform support beyond individual machines and now include support for select AWS, Azure, GCP, and AliCloud resources. +Chef InSpec is supported on the operating systems (platforms) listed below. -Using InSpec, you can use several Chef InSpec resources to audit properties of your cloud infrastructure - for example, an Amazon Web Services S3 bucket. +## Commercially supported platforms -## AWS Platform Support in InSpec +The following table lists the commercially-supported platforms and versions for Chef InSpec. -### Setting up AWS credentials for InSpec +{{< readfile file="content/inspec/reusable/md/support_commercial_platforms.md" >}} -Chef InSpec uses the standard AWS authentication mechanisms. Typically, you will create an IAM user specifically for auditing activities. +## Derived platforms -1. Create an IAM user in the AWS console, with your choice of username. Check the box marked "Programmatic Access." +The following table lists supported derived platforms and versions for Chef InSpec. -1. On the Permissions screen, choose Direct Attach. Select the AWS-managed IAM Profile named "ReadOnlyAccess." If you wish to restrict the user further, you may do so; see individual Chef InSpec resources to identify which permissions are required. +See our policy on [support for derived platforms](/platforms/#support-for-derived-platforms) for more information. -1. After generating the key, record the Access Key ID and Secret Key. 
- -#### Using Environment Variables to provide credentials - -You may provide the credentials to Chef InSpec by setting the following environment variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_ACCESS_KEY`. You may also use `AWS_PROFILE`, or if you are using MFA, `AWS_SESSION_TOKEN`. See the [AWS Command Line Interface Docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) for details. - -Once you have your environment variables set, you can verify your credentials by running: - -```bash -$ inspec detect -t aws:// - -== Platform Details -Name: aws -Families: cloud, api -Release: aws-sdk-v2.10.125 -``` - -#### Using the Chef InSpec target option to provide credentials on AWS - -Look for a file in your home directory named `~/.aws/credentials`. If it does not exist, create it. Choose a name for your profile; here, we're using the name 'auditing'. Add your credentials as a new profile, in INI format: - -```bash -[auditing] -aws_access_key_id = AKIA.... -aws_secret_access_key = 1234....abcd -``` - -You may now run Chef InSpec using the `--target` / `-t` option, using the format `-t aws://region/profile`. For example, to connect to the Ohio region using a profile named 'auditing', use `-t aws://us-east-2/auditing`. - -To verify your credentials, run: - -```bash -$ inspec detect -t aws:// - -== Platform Details -Name: aws -Families: cloud, api -Release: aws-sdk-v2.10.125 -``` - -## Azure Platform Support in InSpec - -### Setting up Azure credentials for InSpec - -To use Chef InSpec Azure resources, you will need to create a Service Principal Name (SPN) for auditing an Azure subscription. 
- -This can be done on the command line or from the Azure Portal: - -- [Azure CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal-cli) -- [PowerShell](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal) -- [Azure Portal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) - -The information from the SPN can be specified either in the file `~/.azure/credentials`, as environment variables, or by using Chef InSpec target URIs. - -#### Setting up the Azure Credentials File - -By default, Chef InSpec is configured to look at `~/.azure/credentials`, and it should contain: - -```powershell -[] -client_id = "" -client_secret = "" -tenant_id = "" -``` - -{{< note >}} - -In the Azure web portal, these values are labeled differently: - -- The client_id is referred to as the 'Application ID' -- The client_secret is referred to as the 'Key (Password Type)' -- The tenant_id is referred to as the 'Directory ID' - -{{< /note >}} - -With the credentials are in place, you may now execute InSpec: - -```bash -inspec exec my-inspec-profile -t azure:// -``` - -#### Using Environment variables to provide credentials - -You may also set the Azure credentials via environment variables: - -- `AZURE_SUBSCRIPTION_ID` -- `AZURE_CLIENT_ID` -- `AZURE_CLIENT_SECRET` -- `AZURE_TENANT_ID` - -For example: - -```bash -AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \ -AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \ -AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W" \ -AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3" inspec exec my-profile -t azure:// -``` - -#### Using the Chef InSpec target option to provide credentials on Azure - -If you have created a `~/.azure/credentials` file as above, you may also use the Chef InSpec command line `--target` / `-t` option to select a subscription ID. 
For example: - -```bash -inspec exec my-profile -t azure://2fbdbb02-df2e-11e6-bf01-fe55135034f3 -``` - -## AliCloud Platform Support in InSpec - -You will need to install AliCloud SDK version 0.8.0 and require AliCloud credentials to use the Chef InSpec AliCloud resources. - -### Setting up AliCloud credentials for InSpec - -You can configure AliCloud credentials in an [.envrc file](https://github.com/inspec/inspec-alicloud#:~:text=shell.%20(See%20example-,.envrc%20file,-)) or export them in your shell. - -```bash -# Example configuration -export ALICLOUD_ACCESS_KEY="anaccesskey" -export ALICLOUD_SECRET_KEY="asecretkey" -export ALICLOUD_REGION="eu-west-1" -``` - -## GCP Platform Support in InSpec - -### Setting up GCP credentials for InSpec - -To use Chef InSpec GCP resources, you will need to install and configure the Google Cloud SDK. Instructions for this pre-requisite can be found in the -[Google CLoud SDK documentation](https://cloud.google.com/sdk/docs/). Be sure that your InSpec installation is the latest version. The minimal required InSpec version is 3.0.25. 
- -### Create an InSpec profile that makes use of `inspec-gcp` - -With a version of InSpec above 4.0.0, it is possible to create a profile with the following command: - -```bash -$ inspec init profile --platform gcp my-profile -Create new profile at /Users/me/my-profile - * Creating directory libraries - * Creating file README.md - * Creating directory controls - * Creating file controls/example.rb - * Creating file inspec.yml - * Creating file inputs.yml - * Creating file libraries/.gitkeep -``` - -Assuming the `inputs.yml` file contains your GCP project ID, this sample profile can then be executed using the following command: - -```bash -inspec exec my-profile --input-file=my-profile/inputs.yml -t gcp:// -``` - -#### Setting up the GCP Credentials File - -While InSpec can use user accounts for authentication, [Google Cloud documentation](https://cloud.google.com/docs/authentication/) recommends using service accounts. Following GCP best practices, first create a service account with the scopes appropriate for your needs. See [these instructions](https://cloud.google.com/docs/authentication/getting-started) on creating a service account. - -Then, download the credential JSON file, e.g. `project-credentials.json`, to your workspace and run the following command to activate your service account: - -```bash -gcloud auth activate-service-account --key-file project-credentials.json -``` - -#### Using Environment variables for providing credentials - -You may also set the GCP credentials json file via the `GOOGLE_APPLICATION_CREDENTIALS` environment variable. - -```bash -export GOOGLE_APPLICATION_CREDENTIALS='/Users/me/.config/gcloud/myproject-1-feb7993e8660.json' -``` - -Once you have your environment variables set, you can verify your credentials by running: - -```bash -$ inspec detect -t gcp:// - -== Platform Details - -Name: gcp -Families: cloud, api -Release: google-cloud-v -``` +{{< readfile file="content/inspec/reusable/md/support_derived_platforms.md" >}} 
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/profiles.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/profiles.md index fbad75d9f9f..8ff312954fd 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/profiles.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/profiles.md @@ -122,6 +122,8 @@ Use the `supports` setting in the `inspec.yml` file to specify one (or more) pla - Use `release` to restrict to a specific platform version, and use together with `platform-name`. `release` supports asterisk (`*`) wildcard use. - Use `platform` to restrict on either platform-name or platform-family. +To get a list of all valid values for `platform-name` and `platform-family`, run `inspec schema platforms`, which returns the supported list in JSON format. + For compatibility we support `os-name` and `os-family`. We recommend all users to change `os-name` to `platform-name` and `os-family` to `platform-family`. @@ -196,7 +198,7 @@ A Chef InSpec profile can bring in the controls and custom resources from anothe Chef InSpec profile. Additionally, when inheriting the controls of another profile, a profile can skip or even modify those included controls. -For hands-on examples, check out [Create a custom Chef InSpec profile](https://learn.chef.io/modules/create-a-custom-profile#/) +For hands-on examples, check out [Test Expectations with Chef InSpec](https://learn.chef.io/courses/course-v1:chef+Inspec101+Perpetual/about) on Learn Chef Rally. ### Defining the Dependencies diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/file.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/file.md index 59212443894..656c57a87c8 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/file.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/file.md 
@@ -299,13 +299,13 @@ The `size` property tests if a file's size matches, is greater than, or is less
 Greater than:
 ```ruby
- its('size') { should > 64 }
+ its('size') { should be > 64 }
 ```
 Less than:
 ```ruby
- its('size') { should < 10240 }
+ its('size') { should be < 10240 }
 ```
 ### type
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/podman.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/podman.md
index 406a95173be..6864cbb7b71 100644
--- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/podman.md
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/podman.md
@@ -26,7 +26,7 @@ Use the `podman` Chef InSpec audit resource to test multiple Podman containers.
 ```ruby
 describe podman.containers do
 its('ids') { should include "591270d8d80d26671fd6ed622f367fbe19004d16e3b519c292313feb5f22e7f7" }
- its('images) { should include "docker.io/library/ubuntu:latest" }
+ its('images') { should include "docker.io/library/ubuntu:latest" }
 end
 ```
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/index.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/index.md
new file mode 100644
index 00000000000..41de90ae49b
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/index.md
@@ -0,0 +1,5 @@
++++
+headless = true
+## headless = true makes this directory a headless bundle.
+## See https://gohugo.io/content-management/page-bundles/#headless-bundle
++++
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_commercial_platforms.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_commercial_platforms.md
new file mode 100644
index 00000000000..cc7d600543f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_commercial_platforms.md
@@ -0,0 +1,10 @@
+| Platform | Architecture | Version |
+| --- | --- | --- |
+| Amazon Linux | `x86_64`, `aarch64` | `2.x` |
+| Debian | `x86_64`, `aarch64` (10.x only) | `9`, `10`, `11` |
+| macOS | `x86_64`, `aarch64` (M1 processors) | `11.x`, `12.x` |
+| Oracle Enterprise Linux | `x86_64`, `aarch64` (7.x / 8.x only) | `6.x`, `7.x`, `8.x` |
+| Red Hat Enterprise Linux | `x86_64`, `aarch64` (7.x, 8.x and 9.x only) | `7.x`, `8.x`, `9.x` |
+| SUSE Linux Enterprise Server | `x86_64`, `aarch64` (15.x only) | `12.x`, `15.x` |
+| Ubuntu | `x86_64` | `16.04`, `18.04`, `20.04` |
+| Windows | `x86_64` | `8.1`, `2012`, `2012 R2`, `2016`, `10` (all channels except "insider" builds), `2019`, `11`, `2022` |
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_derived_platforms.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_derived_platforms.md
new file mode 100644
index 00000000000..c2d24dd9478
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_derived_platforms.md
@@ -0,0 +1,6 @@
+| Platform | Architecture | Version | Parent platform |
+| --- | --- | --- | --- |
+| AlmaLinux | `x86_64`, `aarch64` | `8.x` | CentOS |
+| Rocky Linux | `x86_64`, `aarch64` | `8.x` | CentOS |
+
+Chef InSpec Target Mode (`inspec --target`) may be functional on additional platforms, versions, and architectures but aren’t validated by Chef.
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/signing.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/signing.md
index c0b5db587d7..bc005734a23 100644
--- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/signing.md
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/signing.md
@@ -11,7 +11,7 @@ gh_repo = "inspec" weight = 60 +++ -This page documents the `inspec sign` command introduced in InSpec 5 and details some methods to work with signed profiles. +This page documents the `inspec sign` command introduced in InSpec 5, the mandatory profile signing feature introduced in InSpec 6, and details some methods to work with signed profiles. ## Usage @@ -19,6 +19,17 @@ This page documents the `inspec sign` command introduced in InSpec 5 and details A signed profile, or `.iaf` file, is an InSpec profile with a digital signature that attests to its authenticity. Progress Chef authored profiles are available as signed profiles starting from 2022. +IAF files are not human-readable, but may be viewed using `inspec export`. Support for IAF v2.0 was added to InSpec 5. + +### Mandatory profile signing + +**Chef InSpec 6** and above has an optional setting that requires that all profiles are signed. +If mandatory profile signing is enabled, InSpec will not execute functions with an un-signed profile and exits with exit code 6. + +To enable mandatory profile signing, set the environment variable `CHEF_PREVIEW_MANDATORY_PROFILE_SIGNING` to any non-empty value. + +If you need to bypass mandatory profile signing, use the `--allow-unsigned-profiles` CLI option or set the `CHEF_ALLOW_UNSIGNED_PROFILES` environment variable. + ### How does Profile Signing Work? Profile signing uses a matched pair of keys. The _signing key_ is secret and is used to sign the profile. The _validation key_ is widely distributed and verifies the signed profile signature. diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/troubleshooting.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/troubleshooting.md index dd2ec3e5322..6fe947ec945 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/troubleshooting.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/troubleshooting.md 
@@ -11,14 +11,84 @@ gh_repo = "inspec" weight = 55 +++ +## Exit code 5 + +You tried to execute a function with a signed profile, but the signature is either bad or InSpec couldn't find the validation key. +For more information, see the [profile signing documentation](/inspec/signing/). + +## Exit code 6 + +You enabled mandatory profile signing and tried to execute a function with an unsigned profile. +For more information, see the [profile signing documentation](/inspec/signing/). + +## Exit code 174 + +Exit code 174 comes from running Chef InSpec 6 or greater without setting a Chef License key. +See the [InSpec install documentation](/inspec/install/) for setting a Chef License key. +See the [Chef License documentation](/licensing/) for more information about Chef licensing. + ## Undefined Local Variable or Method Error for Cloud Resource This error is a result of invoking a resource from one of the cloud resource packs without initializing an InSpec profile with that resource pack (AWS, Azure, or GCP) as a dependency. -InSpec profiles that use **any cloud resource** must have the resource pack defined as a dependency. +Chef InSpec profiles that use **any cloud resource** must have the resource pack defined as a dependency. See the relevant resource pack readme for instructions: - [inspec-aws README](https://github.com/inspec/inspec-aws#use-the-resources) - [inspec-azure README](https://github.com/inspec/inspec-azure#use-the-resources) - [inspec-gcp README](https://github.com/inspec/inspec-gcp#use-the-resources) + +## License is not entitled to use InSpec + +The license key set with Chef InSpec is not entitled to use Chef InSpec. Each license key is entitled to one or more Chef products. To view the products that your key is entitled to, run the `inspec license list` command, which will list your license entitlements. + +To resolve this issue, set a license key that is entitled to Chef InSpec. 
+
+See the [Chef Licensing documentation](/licensing/) for more information.
+
+## Unable to connect to the licensing server. InSpec requires server communication to operate
+
+Chef InSpec cannot connect to Chef's licensing service or a user-deployed Chef Local License Service.
+This service is responsible for validating the Chef license key set with Chef InSpec.
+
+Check the following possible causes of this issue:
+
+- Network Connectivity
+
+ Ensure that the machine running Chef InSpec has proper network connectivity. It should be able to connect to Chef's licensing service or a user-deployed Chef Local License Service. This includes checking firewall settings and network configuration.
+
+- Service Availability
+
+ If you're using a user-deployed Chef Local License Service, verify that it's correctly configured and operational. Any misconfigurations or issues with the Chef Local License Service could lead to connection problems.
+
+- URL Configuration
+
+ If you're using a Chef Local License Service to manage Chef licenses, verify that the URL to the server is correct.
+
+ If you configured the URL using an environment variable, check the value for environment variable `CHEF_LICENSE_SERVER` to confirm the configured URL.
+
+ If you configured the URL using the `--chef-license-server` InSpec CLI option, reset the URL using the same InSpec CLI option.
+
+- Logs and Debugging
+
+ Check the logs generated by Chef InSpec by using `--log-level debug` for more detailed error messages. Pay close attention to the URL that Chef InSpec is attempting to connect to.
+
+If the issue persists, please reach out to Chef's Customer Success managers or Support Team.
+
+## Invalid File Format Version
+
+Chef licensing data is stored on the `$HOME/.chef/licenses.yaml` file.
+
+The file format version used in the `licenses.yaml` file is unsupported or invalid.
+The `licenses.yaml` file must have the latest supported file format version.
+
+Restore the file to the original state to resolve this issue.
+
+## License file contents are corrupted
+
+Chef licensing data is stored on the `$HOME/.chef/licenses.yaml` file.
+
+The `licenses.yaml` file is malformed and corrupt.
+
+Restore the file content to its original state to resolve this issue.
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/uninstall.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/uninstall.md
new file mode 100644
index 00000000000..a2fc1f08fda
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/uninstall.md
@@ -0,0 +1,63 @@
++++
+title = "Uninstall Chef InSpec"
+draft = false
+gh_repo = "inspec"
+
+[menu]
+ [menu.inspec]
+ title = "Uninstall"
+ identifier = "inspec/install/uninstall"
+ parent = "inspec/install"
+ weight = 40
++++
+
+You can uninstall Chef InSpec using the steps below that are appropriate for the
+method of Chef InSpec installation.
+
+## macOS
+
+### Homebrew
+
+Use the following *destructive* command to remove the Chef InSpec standalone Homebrew package:
+
+```bash
+brew cask uninstall inspec
+```
+
+### CLI
+
+Use the following *destructive* command in your terminal to remove the Chef InSpec package:
+
+```bash
+sudo rm -rf /opt/inspec
+```
+
+## Windows
+
+### Installer
+
+Use *Add / Remove Programs* to remove Chef InSpec.
+
+## Linux
+
+### CLI
+
+Use the following *destructive* commands to uninstall Chef InSpec from Linux-based platforms.
+
+For Ubuntu, use the following *destructive* command to uninstall Chef InSpec:
+
+```bash
+sudo dpkg -P inspec
+```
+
+For Red Hat Enterprise Linux, use the following *destructive* command to uninstall Chef InSpec:
+
+```bash
+sudo rpm -e inspec
+```
+
+For SUSE Linux Enterprise Server, use the following *destructive* command to uninstall Chef InSpec:
+
+```bash
+sudo zypper remove inspec
+```
diff --git a/_vendor/modules.txt b/_vendor/modules.txt
index 6c74d876148..ee5fdd66984 100644
--- a/_vendor/modules.txt
+++ b/_vendor/modules.txt
@@ -2,7 +2,7 @@
 # github.com/chef/desktop-config/docs-chef-io v0.0.0-20230711052355-bad26ce3ac0b
 # github.com/habitat-sh/habitat/components/docs-chef-io v0.0.0-20230808222519-d0c20bbe8c45
 # github.com/chef/chef-server/docs-chef-io v0.0.0-20230929110551-e5bebd3e433d
-# github.com/inspec/inspec/docs-chef-io v0.0.0-20231024163740-0eb1d36b0765
+# github.com/inspec/inspec/docs-chef-io v0.0.0-20231114034545-e9853e10a3f2
 # github.com/inspec/inspec-alicloud/docs-chef-io v0.0.0-20220614123852-e453ba687370
 # github.com/inspec/inspec-aws/docs-chef-io v0.0.0-20220228151600-69aa036b1527
 # github.com/inspec/inspec-azure/docs-chef-io v0.0.0-20220228040450-e1b23e65979a
diff --git a/config/_default/menu.toml b/config/_default/menu.toml
index 403097f1720..cb989f74bcd 100644
--- a/config/_default/menu.toml
+++ b/config/_default/menu.toml
@@ -655,72 +655,6 @@ identifier = "chef_infra" # End Chef Infra Menu #### -#### -# Chef InSpec Menu -#### - -[[inspec]] -title = "Chef InSpec" -identifier = "inspec" - - [[inspec]] - title = "Chef InSpec Reference" - identifier = "inspec/reference" - parent = "inspec" - weight = 500 - - [[inspec]] - title = "Chef InSpec Resources" - identifier = "inspec/resources" - parent = "inspec" - weight = 999 - - [[inspec]] - title = "OS Resources" - identifier = "inspec/resources/os" - parent = "inspec/resources" - weight = 20 - - [[inspec]] - title = "Alibaba Resources" - identifier = "inspec/resources/alicloud" - parent = "inspec/resources" - weight = 25 - - [[inspec]] - title = "AWS Resources" - identifier = "inspec/resources/aws" - parent = "inspec/resources" - weight = 30 - - [[inspec]] - title = "Azure Resources" - identifier = "inspec/resources/azure" - parent = "inspec/resources" - weight = 40 - - [[inspec]] - title = "GCP Resources" - identifier = "inspec/resources/gcp" - parent = "inspec/resources" - weight = 50 - - [[inspec]] - title = "Habitat Resources" - identifier = "inspec/resources/habitat" - parent = "inspec/resources" - weight = 60 - - [[inspec]] - title = "Kubernetes Resources" - identifier = "inspec/resources/k8s" - parent = "inspec/resources" - weight = 70 - -#### -# End Chef InSpec Menu -#### - #### # Chef Workstation Menu #### diff --git a/go.mod b/go.mod index 87eea9c03ac..976691ec7d1 100644 --- a/go.mod +++ b/go.mod 
@@ -19,7 +19,7 @@ require (
 github.com/inspec/inspec-azure/docs-chef-io v0.0.0-20220228040450-e1b23e65979a // indirect
 github.com/inspec/inspec-habitat/docs-chef-io v0.0.0-20220218210405-bfd542da49fd // indirect
 github.com/inspec/inspec-k8s/docs-chef-io v0.0.0-20230522203306-c23ca61f913f // indirect
- github.com/inspec/inspec/docs-chef-io v0.0.0-20231024163740-0eb1d36b0765 // indirect
+ github.com/inspec/inspec/docs-chef-io v0.0.0-20231114034545-e9853e10a3f2 // indirect
 github.com/swiftype/swiftype-autocomplete-jquery v0.0.0-20190222215504-a90008d64b30 // indirect
 github.com/swiftype/swiftype-search-jquery v1.1.0 // indirect
 github.com/twitter/hogan.js v3.0.2+incompatible // indirect
diff --git a/go.sum b/go.sum
index d0e7b89a4c3..94d983e3594 100644
--- a/go.sum
+++ b/go.sum
@@ -51,8 +51,8 @@ github.com/inspec/inspec-habitat/docs-chef-io v0.0.0-20220218210405-bfd542da49fd
 github.com/inspec/inspec-habitat/docs-chef-io v0.0.0-20220218210405-bfd542da49fd/go.mod h1:Q4E7QBY4b7HDE2psfGT9jqvnLq1yfg5e9KWK4VTtI/M=
 github.com/inspec/inspec-k8s/docs-chef-io v0.0.0-20230522203306-c23ca61f913f h1:eJqWm/xPdUtbxEF3dewePl7ahkob0IoSfs93QEcykt0=
 github.com/inspec/inspec-k8s/docs-chef-io v0.0.0-20230522203306-c23ca61f913f/go.mod h1:JwjkNHKgELWxc9esXuK3ELEGL371pK496OKrK+te3Lk=
-github.com/inspec/inspec/docs-chef-io v0.0.0-20231024163740-0eb1d36b0765 h1:gTtGdSh3oeCtrz3hmU149Lro9GBApRkxMqsLObiNduw=
-github.com/inspec/inspec/docs-chef-io v0.0.0-20231024163740-0eb1d36b0765/go.mod h1:oudFvipU0DTMkp8+MiwdUGerVEoWcJG0MQciDEOd6G8=
+github.com/inspec/inspec/docs-chef-io v0.0.0-20231114034545-e9853e10a3f2 h1:LEBKNM0LJqCvw0/qq1O1oLKlUjae87DKmhgfgzuoDCA=
+github.com/inspec/inspec/docs-chef-io v0.0.0-20231114034545-e9853e10a3f2/go.mod h1:k41HVhnK+v9/X2qCX+axYBM6eME3kFeatloWoMLxXQU=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/swiftype/swiftype-autocomplete-jquery v0.0.0-20190222215504-a90008d64b30 h1:dhqLFBINtD1rMwwd5s9INu4BkciCvQUd+r+CWUYWIB4=
 github.com/swiftype/swiftype-autocomplete-jquery v0.0.0-20190222215504-a90008d64b30/go.mod h1:qnxTyatkwE84LvoaQLPaLB4h5M3n6Q2z+SB/96DcAK8=