From efcb1ff2f3df1d0dbfa12405e4d5aba745d7e678 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Tue, 14 Nov 2023 13:55:22 +0000 Subject: [PATCH] Bump Hugo module inspec to 6.6.0. This pull request was triggered automatically via Expeditor. This change falls under the obvious fix policy so no Developer Certificate of Origin (DCO) sign-off is required. --- .../inspec/inspec/docs-chef-io/config.toml | 72 ++++++ .../docs-chef-io/content/inspec/audit_log.md | 51 ++++ .../inspec/docs-chef-io/content/inspec/cli.md | 48 +++- .../content/inspec/cloud_platforms.md | 207 +++++++++++++++ .../docs-chef-io/content/inspec/dsl_inspec.md | 9 +- .../docs-chef-io/content/inspec/install.md | 113 ++------- .../docs-chef-io/content/inspec/license.md | 213 ++++++++++++++++ .../docs-chef-io/content/inspec/migration.md | 2 +- .../docs-chef-io/content/inspec/parallel.md | 237 ++++++++++++++++++ .../docs-chef-io/content/inspec/platforms.md | 205 +-------------- .../docs-chef-io/content/inspec/profiles.md | 2 +- .../content/inspec/resources/file.md | 4 +- .../content/inspec/resources/podman.md | 2 +- .../content/inspec/reusable/index.md | 5 + .../md/support_commercial_platforms.md | 10 + .../reusable/md/support_derived_platforms.md | 6 + .../docs-chef-io/content/inspec/signing.md | 13 +- .../content/inspec/troubleshooting.md | 72 +++++- .../docs-chef-io/content/inspec/uninstall.md | 63 +++++ _vendor/modules.txt | 2 +- go.mod | 2 +- go.sum | 4 +- 22 files changed, 1041 insertions(+), 301 deletions(-) create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/audit_log.md create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cloud_platforms.md create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/license.md create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/parallel.md create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/index.md create mode 100644 
_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_commercial_platforms.md create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_derived_platforms.md create mode 100644 _vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/uninstall.md diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/config.toml b/_vendor/github.com/inspec/inspec/docs-chef-io/config.toml index 3290534615..3bf0a712fe 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/config.toml +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/config.toml 
@@ -1,2 +1,74 @@
 [params.inspec]
 gh_path = "https://github.com/inspec/inspec/tree/main/docs-chef-io/content/"
+
+####
+# Chef InSpec Menu
+####
+
+[[menu.inspec]]
+title = "Chef InSpec"
+identifier = "inspec"
+
+ [[menu.inspec]]
+ title = "Install"
+ identifier = "inspec/install"
+ parent = "inspec"
+ weight = 20
+
+ [[menu.inspec]]
+ title = "Chef InSpec Reference"
+ identifier = "inspec/reference"
+ parent = "inspec"
+ weight = 500
+
+ [[menu.inspec]]
+ title = "Chef InSpec Resources"
+ identifier = "inspec/resources"
+ parent = "inspec"
+ weight = 999
+
+ [[menu.inspec]]
+ title = "OS Resources"
+ identifier = "inspec/resources/os"
+ parent = "inspec/resources"
+ weight = 20
+
+ [[menu.inspec]]
+ title = "Alibaba Resources"
+ identifier = "inspec/resources/alicloud"
+ parent = "inspec/resources"
+ weight = 25
+
+ [[menu.inspec]]
+ title = "AWS Resources"
+ identifier = "inspec/resources/aws"
+ parent = "inspec/resources"
+ weight = 30
+
+ [[menu.inspec]]
+ title = "Azure Resources"
+ identifier = "inspec/resources/azure"
+ parent = "inspec/resources"
+ weight = 40
+
+ [[menu.inspec]]
+ title = "GCP Resources"
+ identifier = "inspec/resources/gcp"
+ parent = "inspec/resources"
+ weight = 50
+
+ [[menu.inspec]]
+ title = "Habitat Resources"
+ identifier = "inspec/resources/habitat"
+ parent = "inspec/resources"
+ weight = 60
+
+ [[menu.inspec]]
+ title = "Kubernetes Resources"
+ identifier = "inspec/resources/k8s"
+ parent = "inspec/resources"
+ weight = 70
+
+####
+# End Chef InSpec Menu
+####
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/audit_log.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/audit_log.md
new file mode 100644
index 0000000000..3ad881335f
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/audit_log.md
@@ -0,0 +1,51 @@
++++
+title = "Chef InSpec Audit Log"
+draft = false
+gh_repo = "inspec"
+
+[menu]
+ [menu.inspec]
+ title = "Audit Log"
+ identifier = "inspec/reference/audit_logging.md InSpec audit log"
+ parent = "inspec/reference"
+ weight = 60
++++
+
+This page documents Chef InSpec's audit log. This is a preview feature starting in **Chef InSpec 6**.
+
+The Chef InSpec audit log uses the Train library to capture activity between the scanning workstation and the scanned target environment.
+
+The InSpec audit log captures the following event types:
+
+- command events
+- file use events
+
+## Audit log limitations
+
+The audit log has the following limitations:
+
+- no support for API activity capture
+- limited support for file operations: while file access is captured, specific operations may not be
+- inconsistent and opt-in support across Train transports
+- limited support for Test Kitchen
+
+## Enable audit logging
+
+The audit log is a preview feature in Chef InSpec 6.
+
+Enable the audit logging by setting an environment variable, `CHEF_PREVIEW_AUDIT_LOGGING` to any non-empty value. The next time you run `inspec exec` or `inspec shell`, InSpec will create a log file at `~/.inspec/logs/inspec-audit-TIMESTAMP-PID.log`.
+
+## Configure the audit log
+
+The following options are available inside `inspec exec` and `inspec shell` to configure Chef InSpec's audit log.
+
+`--audit-log-location=AUDIT_LOG_LOCATION`
+: The directory that the audit log saves diagnostic log files to.
+
+ Default: `~/.inspec/logs`.
+
+ InSpec creates log files in the set directory using the following format: `inspec-audit-TIMESTAMP-PID.log`.
+
+## More information
+
+For details of the audit log format and implementation, refer to the (Train documentation)[https://github.com/inspec/train/blob/main/docs/audit_log.md].
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cli.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cli.md index f1ca0944e9..58ead0b943 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cli.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cli.md @@ -281,18 +281,22 @@ exit codes: 1 usage or general error 2 error in plugin system 3 fatal deprecation encountered + 5 invalid profile signature + 6 mandatory profile signing mode enabled and no signature found 100 normal exit, at least one test failed 101 normal exit, at least one test skipped but none failed 172 chef license not accepted ``` -Below are some examples of using `exec` with different test locations: +### Examples + +Below are some examples of using `exec` with different test locations. Chef Automate: ```ruby inspec automate login -inspec exec compliance://username/linux-baseline +inspec exec compliance://username/linux-baselinem ``` `inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way: @@ -358,6 +362,12 @@ Web-hosted file with basic authentication (supports .zip): inspec exec https://username:password@webserver/linux-baseline.tar.gz ``` +Web-hosted signed profile: + +```bash +inspec exec https://username:password@webserver/linux-baseline.iaf +``` + ### Syntax This subcommand has the following syntax: 
@@ -370,9 +380,26 @@ inspec exec LOCATIONS This subcommand has the following additional options: +`--allow-unsigned-profiles` +: Allow InSpec to execute unsigned profiles if mandatory profile signing is enabled. Defaults to false. + + **Chef InSpec 6** and greater has an optional setting that requires signed profiles. + If you try to execute an unsigned profile with this feature enabled, InSpec won't execute the profile and returns exit code 6. + Use `--allow-unsigned-profiles` to execute unsigned profiles if mandatory profile signing is enabled. + + For more information, see [Signed InSpec Profiles](/inspec/signing/). + `--attrs=one two three` : Legacy name for --input-file - deprecated. +`--audit-log-location=AUDIT_LOG_LOCATION` +: The directory that the audit log saves diagnostic log files to. + You must enable audit logging to use this feature. See the [Audit Log documentation](/inspec/audit_log/) for details. + + Default: `~/.inspec/logs`. + + InSpec creates log files in the set directory using the following format: `inspec-audit-TIMESTAMP-PID.log`. + `--auto-install-gems` : Auto installs gem dependencies of the profile or resource pack. @@ -655,6 +682,15 @@ inspec json PATH This subcommand has the following additional options: +`--allow-unsigned-profiles` +: Allow InSpec to read unsigned profiles if [mandatory profile signing](/inspec/signing/) is enabled. Defaults to false. + + **Chef InSpec 6** and greater has an optional setting that requires signed profiles. + If you try to read an unsigned profile with this feature enabled, InSpec won't read the profile and returns exit code 6. + Use `--allow-unsigned-profiles` to read unsigned profiles if mandatory profile signing is enabled. + + For more information, see [Signed InSpec Profiles](/inspec/signing/). + `--controls=one two three` : A list of controls to include. Ignore all other tests. 
@@ -762,6 +798,14 @@ inspec shell This subcommand has the following additional options: +`--audit-log-location=AUDIT_LOG_LOCATION` +: The directory that the audit log saves diagnostic log files to. + You must enable audit logging to use this feature. See the [Audit Log documentation](/inspec/audit_log/) for details. + + Default: `~/.inspec/logs`. + + InSpec creates log files in the set directory using the following format: `inspec-audit-TIMESTAMP-PID.log`. + `-b` `--backend=BACKEND` : Choose a backend: local, ssh, winrm, docker. diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cloud_platforms.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cloud_platforms.md new file mode 100644 index 0000000000..13712be7e5 --- /dev/null +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/cloud_platforms.md 
@@ -0,0 +1,207 @@ ++++ +title = "Using Chef InSpec on Cloud Platforms" +draft = false +gh_repo = "inspec" + +[menu] + [menu.inspec] + title = "Chef InSpec for the Cloud" + identifier = "inspec/Chef InSpec on Cloud Platforms" + parent = "inspec" + weight = 30 ++++ + +As of Chef InSpec 2.0, we have expanded our platform support beyond individual machines and now include support for select AWS, Azure, GCP, and AliCloud resources. + +Using InSpec, you can use several Chef InSpec resources to audit properties of your cloud infrastructure - for example, an Amazon Web Services S3 bucket. + +## AWS Platform Support in InSpec + +### Setting up AWS credentials for InSpec + +Chef InSpec uses the standard AWS authentication mechanisms. Typically, you will create an IAM user specifically for auditing activities. + +1. Create an IAM user in the AWS console, with your choice of username. Check the box marked "Programmatic Access." + +1. On the Permissions screen, choose Direct Attach. Select the AWS-managed IAM Profile named "ReadOnlyAccess." If you wish to restrict the user further, you may do so; see individual Chef InSpec resources to identify which permissions are required. + +1. After generating the key, record the Access Key ID and Secret Key. + +#### Using Environment Variables to provide credentials + +You may provide the credentials to Chef InSpec by setting the following environment variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_ACCESS_KEY`. You may also use `AWS_PROFILE`, or if you are using MFA, `AWS_SESSION_TOKEN`. See the [AWS Command Line Interface Docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) for details. 
+ +Once you have your environment variables set, you can verify your credentials by running: + +```bash +$ inspec detect -t aws:// + +== Platform Details +Name: aws +Families: cloud, api +Release: aws-sdk-v2.10.125 +``` + +#### Using the Chef InSpec target option to provide credentials on AWS + +Look for a file in your home directory named `~/.aws/credentials`. If it does not exist, create it. Choose a name for your profile; here, we're using the name 'auditing'. Add your credentials as a new profile, in INI format: + +```bash +[auditing] +aws_access_key_id = AKIA.... +aws_secret_access_key = 1234....abcd +``` + +You may now run Chef InSpec using the `--target` / `-t` option, using the format `-t aws://region/profile`. For example, to connect to the Ohio region using a profile named 'auditing', use `-t aws://us-east-2/auditing`. + +To verify your credentials, run: + +```bash +$ inspec detect -t aws:// + +== Platform Details +Name: aws +Families: cloud, api +Release: aws-sdk-v2.10.125 +``` + +## Azure Platform Support in InSpec + +### Setting up Azure credentials for InSpec + +To use Chef InSpec Azure resources, you will need to create a Service Principal Name (SPN) for auditing an Azure subscription. + +This can be done on the command line or from the Azure Portal: + +- [Azure CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal-cli) +- [PowerShell](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal) +- [Azure Portal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) + +The information from the SPN can be specified either in the file `~/.azure/credentials`, as environment variables, or by using Chef InSpec target URIs. 
+ +#### Setting up the Azure Credentials File + +By default, Chef InSpec is configured to look at `~/.azure/credentials`, and it should contain: + +```powershell +[] +client_id = "" +client_secret = "" +tenant_id = "" +``` + +{{< note >}} + +In the Azure web portal, these values are labeled differently: + +- The client_id is referred to as the 'Application ID' +- The client_secret is referred to as the 'Key (Password Type)' +- The tenant_id is referred to as the 'Directory ID' + +{{< /note >}} + +With the credentials are in place, you may now execute InSpec: + +```bash +inspec exec my-inspec-profile -t azure:// +``` + +#### Using Environment variables to provide credentials + +You may also set the Azure credentials via environment variables: + +- `AZURE_SUBSCRIPTION_ID` +- `AZURE_CLIENT_ID` +- `AZURE_CLIENT_SECRET` +- `AZURE_TENANT_ID` + +For example: + +```bash +AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \ +AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \ +AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W" \ +AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3" inspec exec my-profile -t azure:// +``` + +#### Using the Chef InSpec target option to provide credentials on Azure + +If you have created a `~/.azure/credentials` file as above, you may also use the Chef InSpec command line `--target` / `-t` option to select a subscription ID. For example: + +```bash +inspec exec my-profile -t azure://2fbdbb02-df2e-11e6-bf01-fe55135034f3 +``` + +## AliCloud Platform Support in InSpec + +You will need to install AliCloud SDK version 0.8.0 and require AliCloud credentials to use the Chef InSpec AliCloud resources. + +### Setting up AliCloud credentials for InSpec + +You can configure AliCloud credentials in an [.envrc file](https://github.com/inspec/inspec-alicloud#:~:text=shell.%20(See%20example-,.envrc%20file,-)) or export them in your shell. 
+ +```bash +# Example configuration +export ALICLOUD_ACCESS_KEY="anaccesskey" +export ALICLOUD_SECRET_KEY="asecretkey" +export ALICLOUD_REGION="eu-west-1" +``` + +## GCP Platform Support in InSpec + +### Setting up GCP credentials for InSpec + +To use Chef InSpec GCP resources, you will need to install and configure the Google Cloud SDK. Instructions for this pre-requisite can be found in the +[Google CLoud SDK documentation](https://cloud.google.com/sdk/docs/). Be sure that your InSpec installation is the latest version. The minimal required InSpec version is 3.0.25. + +### Create an InSpec profile that makes use of `inspec-gcp` + +With a version of InSpec above 4.0.0, it is possible to create a profile with the following command: + +```bash +$ inspec init profile --platform gcp my-profile +Create new profile at /Users/me/my-profile + * Creating directory libraries + * Creating file README.md + * Creating directory controls + * Creating file controls/example.rb + * Creating file inspec.yml + * Creating file inputs.yml + * Creating file libraries/.gitkeep +``` + +Assuming the `inputs.yml` file contains your GCP project ID, this sample profile can then be executed using the following command: + +```bash +inspec exec my-profile --input-file=my-profile/inputs.yml -t gcp:// +``` + +#### Setting up the GCP Credentials File + +While InSpec can use user accounts for authentication, [Google Cloud documentation](https://cloud.google.com/docs/authentication/) recommends using service accounts. Following GCP best practices, first create a service account with the scopes appropriate for your needs. See [these instructions](https://cloud.google.com/docs/authentication/getting-started) on creating a service account. + +Then, download the credential JSON file, e.g. 
`project-credentials.json`, to your workspace and run the following command to activate your service account: + +```bash +gcloud auth activate-service-account --key-file project-credentials.json +``` + +#### Using Environment variables for providing credentials + +You may also set the GCP credentials json file via the `GOOGLE_APPLICATION_CREDENTIALS` environment variable. + +```bash +export GOOGLE_APPLICATION_CREDENTIALS='/Users/me/.config/gcloud/myproject-1-feb7993e8660.json' +``` + +Once you have your environment variables set, you can verify your credentials by running: + +```bash +$ inspec detect -t gcp:// + +== Platform Details + +Name: gcp +Families: cloud, api +Release: google-cloud-v +``` diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/dsl_inspec.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/dsl_inspec.md index 557a63b395..541d00e4d0 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/dsl_inspec.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/dsl_inspec.md 
@@ -11,11 +11,10 @@ gh_repo = "inspec" weight = 70 +++ -Chef InSpec is a run-time framework and rule language used to specify compliance, -security, and policy requirements. It includes a collection of resources that help -you write auditing controls quickly and easily. The syntax used by both open source -and [Chef compliance](/compliance/) auditing is the same. The open source [Chef InSpec resource](/inspec/resources/) -framework is compatible with [Chef compliance](https://docs.chef.io/chef_compliance_phase/). +Chef InSpec is a run-time framework and rule language used to specify compliance, security, and policy requirements. +It includes a collection of resources that help you write auditing controls quickly and easily. +The syntax used by both open source and [Chef compliance](https://www.chef.io/products/chef-compliance) auditing is the same. +The open source [Chef InSpec resource](/inspec/resources/) framework is compatible with [Chef compliance](https://docs.chef.io/chef_compliance_phase/). The Chef InSpec Language is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke. diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/install.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/install.md index 77d7275f46..17d1ed7b6e 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/install.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/install.md 
@@ -1,70 +1,51 @@ +++ -title = "Install and Uninstall" +title = "Install Chef InSpec" draft = false gh_repo = "inspec" [menu] [menu.inspec] - title = "Install and Uninstall" - identifier = "inspec/install.md Install and Uninstall" - parent = "inspec" + title = "Install" + identifier = "inspec/install/install" + parent = "inspec/install" weight = 20 +++ -Users can choose between operating systems of MacOS, Windows, and Linux for Chef InSpec. +Use [Chef Downloads](https://www.chef.io/downloads), an installer, script, or package manager to install Chef InSpec. -## Install Chef InSpec +To see which platforms and platform versions Chef InSpec is supported on, see the [InSpec's platforms documentation](/inspec/platforms/). -You can download the latest Chef InSpec package relevant to your operating system -at [our Downloads Page](https://www.chef.io/downloads/tools/inspec). +## macOS -Alternatively, Chef InSpec can be installed via installer, script, or package -manager, according to your operating system and method as listed below. +### CLI -### macOS - -#### Homebrew - -Chef InSpec is available as a standalone [Homebrew](https://brew.sh/) package. -Run the following command in your terminal to install Chef InSpec: - -```bash -brew install chef/chef/inspec -``` - -While this command is running, you may be prompted to enter your macOS user account -password for installation to complete. - -#### CLI - -You can download Chef InSpec via curl script: +You can install Chef InSpec using a curl script. ```bash curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec ``` -### Windows +## Windows -#### Installer +### Installer -Once you downloaded the latest [Chef InSpec package](https://www.chef.io/downloads/tools/inspec) -relevant to your Microsoft version, double-click the `.msi` file to launch the -installer and follow the prompts. 
+Download a Windows Chef InSpec package from [Chef Downloads](https://www.chef.io/downloads), +then double-click on the `.msi` file to launch the installer and follow the prompts. -#### Powershell +### Powershell -Use the following command to install Chef InSpec via Powershell script: +You can install Chef InSpec using the following Powershell script. ```powershell . { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project inspec ``` -Once Chef InSpec is installed, run `inspec version` to verify that the installation +Once you have installed Chef InSpec, run `inspec version` to verify that the installation was successful. -### Linux +## Linux -#### CLI +### CLI The following curl script will install Chef InSpec for Ubuntu and Red Hat Enterprise Linux: @@ -73,7 +54,7 @@ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec ``` If you prefer, you can use a package manager to install Chef InSpec. -Once you downloaded the latest [Chef InSpec package](https://www.chef.io/downloads/tools/inspec) +Once you downloaded the latest [Chef InSpec package](https://www.chef.io/downloads) relevant to your Linux-based platform, use the command for the respective package manager listed below. Replace the example file path with the file path leading to your downloaded package. 
@@ -96,57 +77,7 @@ For SUSE Linux Enterprise Server, use the following command to install Chef InSp sudo zypper install /path-to/inspec.rpm ``` +## Next steps -## Uninstall Chef InSpec - -Chef InSpec can be uninstalled using the steps below that are appropriate for the -method of Chef InSpec installation. - -### macOS - -#### Homebrew - -Use the following *destructive* command to remove the Chef InSpec standalone Homebrew package: - -```bash -brew cask uninstall inspec -``` - -#### CLI - -Use the following *destructive* command in your terminal to remove the Chef InSpec package: - -```bash -sudo rm -rf /opt/inspec -``` - -### Windows - -#### Installer - -Use *Add / Remove Programs* to remove Chef InSpec. - -### Linux - -#### CLI - -The supported Linux-based platforms and their respective *destructive* command -for their package manager are listed below. - -For Ubuntu, use the following *destructive* command to uninstall: - -```bash -sudo dpkg -P inspec -``` - -For Red Hat Enterprise Linux, use the following *destructive* command to uninstall: - -```bash -sudo rpm -e inspec -``` - -For SUSE Linux Enterprise Server, use the following *destructive* command to uninstall Chef InSpec: - -```bash -sudo zypper remove inspec -``` +After installing Chef InSpec, you must accept the Chef EULA and---starting with **Chef InSpec 6**---add a license key. +See the [Chef InSpec license documentation](/inspec/license/) to complete these tasks. diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/license.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/license.md new file mode 100644 index 0000000000..e0e9303070 --- /dev/null +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/license.md 
@@ -0,0 +1,213 @@ ++++ +title = "License Chef InSpec" +draft = false +gh_repo = "inspec" + +[menu] + [menu.inspec] + title = "License" + identifier = "inspec/install/license" + parent = "inspec/install" + weight = 30 ++++ + +Before running Chef InSpec, you must accept the Chef EULA and---starting with **Chef InSpec 6**---add a license key. + +Chef InSpec accepts a license key using one of two methods: + +- by setting a license key with an [environment variable or using the InSpec CLI](#license-key) +- by retrieving a license key from a [Chef Local License Service URL](#chef-local-license-service) + +For more information on Chef licenses, see [Chef's licensing documentation](/licensing/). + +You can [request a trial license](https://www.chef.io/licensing/inspec/license-generation-free-trial) if you'd like to try out InSpec. + +## Accept the Chef EULA + +You must accept the [Chef End User License Agreement (EULA)](https://www.chef.io/end-user-license-agreement) before running Chef InSpec using one of two methods. + +- [command line option](#command-line-option) +- [environment variable](#environment-variable) + +If no command line argument or environment variable is set, Chef InSpec requests acceptance through an interactive prompt. If the prompt can't be displayed, then the product will fail with exit code 172. + +If the product attempts to persist the accepted license and fails, Chef InSpec sends a message to STDOUT and continues to run. In a future invocation, you will need to accept the license again. + +### Command line option + +Use the `--chef-license ` argument to accept the Chef EULA. + +```sh +inspec exec --chef-license +``` + +Replace `` with one of the following options. + +`accept` +: Accept the license and attempts to persist a marker file locally. Persisting these marker files means future invocations don't require accepting the license again. + +`accept-silent` +: Similar to `accept`, but no messaging is sent to STDOUT. 
+ +`accept-no-persist` +: Similar to `accept-silent`, but no marker file is persisted. Future invocation will require accepting the license again. + +### Environment variable + +Use the `CHEF_LICENSE=""` environment variable to accept the Chef EULA. + +```sh +export CHEF_LICENSE="" +inspec exec +``` + +Replace `` with one of the following options. + +`accept` +: Accept the license and attempts to persist a marker file locally. Persisting these marker files means future invocations don't require accepting the license again. + +`accept-silent` +: Similar to `accept`, but no messaging is sent to STDOUT. + +`accept-no-persist` +: Similar to `accept-silent`, but no marker file is persisted. Future invocation will require accepting the license again. + +## License key + +Set a license key for Chef InSpec using one of three methods. + +- [interactive license dialog](#interactive-license-dialog) +- [command line option](#command-line-option-1) +- [environment variable](#environment-variable-1) + +{{< note >}} + +Existing commercial customers of Progress Chef may use an asset serial number from the [Progress support portal](https://community.progress.com/s/products/chef) as a license key. + +{{< /note >}} + +### Interactive license dialog + +The easiest way to provide a license key to Chef InSpec is to run Chef InSpec. +Run any major top-level command (such as `inspec exec`, `inspec check`, or `inspec shell`) and InSpec will start an interactive licensing dialog +if no license key is already set and it doesn't detect an automated method of setting the license key. + +1. To start the interactive licensing dialog, run a top-level command such as `inspec shell`. + +1. At the first prompt, select **I already have a license ID**. + + ```bash + inspec shell + ------------------------------------------------------------ + License ID Validation + + To continue using Chef InSpec, a license ID is required. 
+ (Free, Trial, or Commercial) + + If you generated a license previously, you might + have received it in an email. + + If you are a commercial user, you can also find it in the + supportlink.chef.io portal. + ------------------------------------------------------------ + + Please choose one of the options below (Press ↑/↓ arrow to move and Enter to select) + ‣ I already have a license ID + I don't have a license ID and would like to generate a new license ID + Skip + ``` + +1. Enter your license key at the second prompt. + + ```bash + Please choose one of the options below I already have a license ID + Please enter your license ID: + ✔ [Success] License validated successfully. + ------------------------------------------------------------ + License Details + Asset Name : InSpec + License ID : + Type : Trial + Status : Active + Validity : Unlimited + No. Of Units : 10 Targets + ------------------------------------------------------------ + Welcome to the interactive InSpec Shell + To find out how to use it, type: help + + You are currently running on: + + Name: mac_os_x + Families: darwin, bsd, unix, os + Release: 22.5.0 + Arch: arm64 + + inspec> exit + ``` + +Chef InSpec validates the license key, displays information about the license entitlements, and then runs `inspec shell` as requested. +Chef InSpec stores license keys for future use and will not prompt you for the license key for the duration of your license. + +### Command line option + +You can set the license key in the command line using the `--chef-license-key` option. +You may provide this argument to most Chef InSpec CLI main commands, however some plugins may not support the flag. + +```bash +inspec exec --chef-license-key +``` + +### Environment variable + +You can set the license key using the `CHEF_LICENSE_KEY` environment variable. +Chef InSpec will read the license key from the variable and attempt to validate the key. 
+If successful, InSpec saves the key and will not prompt you for it the next time you run InSpec. + +```bash +export CHEF_LICENSE_KEY= +inspec exec +``` + +## Chef Local License Service + +For large or isolated (air-gapped) fleets, Chef InSpec can retrieve a license key from a [Chef Local License Service](/licensing/local_license_service/). +With Chef Local License Service, InSpec users do not need to know a license key---only the service URL(s). + +Chef InSpec sends a request to the Local License Service for a list of license keys and then uses that response to license itself during execution. +InSpec will not prompt you for a license key. +Chef InSpec does not store license keys for long-term use when they are retrieved from a Chef Local License Service. + +Use one of the following methods to set a Local License Service URL. + +- [command line option](#command-line-option-2) +- [environment variable](#environment-variable-2) + +### Command line option + +Use the `--chef-license-server` command line option to set a Chef Local License Service URL. + +```bash +inspec exec --chef-license-server https://license-server.example.com +``` + +### Environment variable + +Use the `CHEF_LICENSE_SERVER` environment variable to set a Chef Local License Service URL. + +```bash +export CHEF_LICENSE_SERVER=https://license-server.example.com +inspec exec +``` + +#### Multiple license servers + +You can set multiple Chef Local License Services, which provides resiliency and redundancy for managing licenses. + +Enter up to five Chef Local License Service URLs as a comma-separated list. Chef InSpec will try each URL and use the first one that works. + +```bash +export CHEF_LICENSE_SERVER=https://license-server-01.example.com,https://license-server-02.example.com +inspec exec +``` + +This capability is basic and you must synchronize the license servers, otherwise you may get inconsistent results. 
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/migration.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/migration.md index 73b231c14e..cb1d0e43a5 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/migration.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/migration.md @@ -13,7 +13,7 @@ gh_repo = "inspec" ## How is Chef InSpec different from Serverspec -We've written a complete blog post about that topic: [The Road to InSpec](https://blog.chef.io/2015/11/04/the-road-to-inspec/) +We've written a complete blog post about that topic: [The Road to InSpec](https://www.chef.io/blog/the-road-to-inspec) ## Is Chef InSpec suitable for infrastructure testing? diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/parallel.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/parallel.md new file mode 100644 index 0000000000..936b6bd583 --- /dev/null +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/parallel.md 
@@ -0,0 +1,237 @@
++++
+title = "InSpec Parallel"
+draft = false
+gh_repo = "inspec"
+
+[menu]
+ [menu.inspec]
+ title = "InSpec Parallel"
+ identifier = "inspec/parallel.md InSpec Parallel"
+ parent = "inspec"
+ weight = 25
++++
+
+Chef InSpec Parallel can automatically manage multiple profile executions in parallel on a system targeting several remote systems and environments.
+It manages multiple processes, their status updates, their exit codes, and user updates.
+All target operating systems and environments that can be addressed using `--target` are supported, and it is supported on Windows, MacOS, and Linux environments.
+
+InSpec Parallel is a new feature in **Chef InSpec 6**.
+
+{{< note >}}
+
+Currently, `inspec parallel` only supports the `exec` command.
+
+{{< /note >}}
+
+## How to use InSpec Parallel
+
+The following example shows you how to execute the **Dev-Sec SSH Baseline** profile against five servers in parallel using `inpec parallel exec`.
+
+1. Create an [option file](#option-file) that contains the CLI options that are passed to `inspec exec parallel`.
+
+ The option file contains one invocation per line and specifies all options in each invocation.
+
+ ```text
+ # five-servers.txt
+ # Option file for running against multiple SSH targets
+ -t ssh://server1 --reporter cli:server1.out
+ -t ssh://server2 --reporter cli:server2.out
+ -t ssh://server3 --reporter cli:server3.out
+ -t ssh://server4 --reporter cli:server4.out
+ -t ssh://server5 --reporter cli:server5.out
+ ```
+
+1. Specify the option file that InSpec Parallel executes using the `-o` or `--option_file` flag in the InSpec CLI.
+
+ ```bash
+ inspec parallel exec https://github.com/dev-sec/ssh-baseline -o five-servers.txt -i file_name.pem
+ ```
+
+As InSpec Parallel runs, it shows the progress (percentage of controls completed) of each invocation, the process ID of each job, and writes log and error data to the `logs/` directory with each log file named after the process ID.
+ +```bash +Press CTL+C to stop + InSpec Parallel + Running 5 invocations in 4 slots +----------------------------------------------------------------------------------------------------------------------------------------- + Slot 1 Slot 2 Slot 3 Slot 4 +----------------------------------------------------------------------------------------------------------------------------------------- + 50132: 0.0% 50133: 12.5% 50134: 12.5% Done +``` + +## Option file + +An option file is a text file that contains options passed to `inspec parallel`. +Chef InSpec ignores comments (starting with a `#`) and blank lines in an option file. +Chef InSpec invokes `inspec parallel` on each non-commented and non-blank line. + +The only requirement is that every invocation in an option file must have a `--reporter` option. +The reporter option must write to a file or use the `automate` reporter to send an API post to a Chef Automate service. +For details of the available reporters and the full syntax of the reporter option, see the [Chef InSpec Reporter documentation]({{< relref "/inspec/reporters" >}}). + +The simplest option file might look like this: + +```text +# simple.txt +# Run five invocations, saving the output as ordinal names +--reporter cli:first.out +--reporter cli:second.out +--reporter cli:third.out +--reporter cli:fourth.out +--reporter cli:fifth.out +``` + +For this example, InSpec Parallel would run the same profile on the same target five times, it would send the output to each of the five reporters listed in the option file, and you would specify the target and profile when you invoke `inspec parallel exec` in the command line. + +You can pass any options on the invocation line, including `--controls` (to divide a profile into sections), `--input` (to parameterize a profile and possibly target different resources), and `--target` (to target different machines or environments). + +See the [Examples section](#examples) for more detail on how you can use an option file. 
+
+### Embedded Ruby templating
+
+You can add Embedded RuBy (ERB) template escapes and Chef InSpec will evaluate it as an ERB template.
+You can directly embed Ruby code into your option file, including loops and conditionals.
+The rendered output of the option file is used as invocations.
+This is especially useful with the `--dry-run` option.
+
+The most common ERB templating is to use the `pid` variable to reference the process ID of the child process.
+See the [Examples](#name-json-output-files-with-process-id) section for more information.
+
+### Executable script
+
+If the name of the option file ends in `.sh` (MacOS, Linux) or `.ps1` (Windows), InSpec Parallel executes the script and uses the standard output as the option file.
+
+{{< note >}}
+
+This feature is experimental and we would love to hear [feedback](https://github.com/inspec/inspec/issues/new/choose) from you.
+
+{{< /note >}}
+
+## Options
+
+InSpec Parallel accepts options from the subcommand that it's managing. It also accepts the following options:
+
+`--bg`
+: The `--bg` option silences all output from the command and runs it in the background. InSpec Parallel will still write log files with the `--bg` option.
+
+`--dry-run`
+: The `--dry-run` option interprets the option file but does not execute it. Chef InSpec outputs the lines that would have been executed to the standard output. If you add `--verbose`, you can see all the CLI defaults that implicitly get added.
+
+: {{< note >}}
+
+ When calling `--dry-run`, you may notice that an extra reporter gets added to your invocation, `--reporter child-status`. This reporter is a special streaming reporter used to report status from the running child processes to the parent process and is a necessary part of the plumbing of InSpec Parallel.
+
+ {{< /note >}}
+
+`-j`
+`--jobs`
+: Use the `-j` or `--jobs` option to specify how many job slots InSpec Parallel uses.
+ InSpec Parallel defaults to the number of hyperthreaded cores on your machine (for example, a dual-core machine with hyperthreading defaults to four jobs).
+ The default is usually reasonable, but experimentation may be rewarding.
+
+`-o`
+`--option_file`
+: Use the `-o` or `--option_file` option in the command line to specify the option file that InSpec Parallel will run.
+
+## Examples
+
+### Use the same options for each invocation
+
+`inspec parallel exec` accepts all options that `inspec exec` does and passes them to each invocation as defaults.
+This means that you do not have to specify repetitive options that are constant across all the invocations in an option file.
+
+For example, if all machines take the same SSH key, you can specify it once on the top-level command line.
+
+```text
+# three-servers.txt
+# Option file for running against multiple SSH targets
+-t ssh://server1 --reporter cli:server1.out
+-t ssh://server2 --reporter cli:server2.out
+-t ssh://server3 --reporter cli:server3.out
+```
+
+```bash
+inspec parallel exec profile_name -o three-servers.txt -i file_name.pem
+```
+
+### Name JSON output files with process ID
+
+In this example, the `json` reporter saves output log files in the `logs` directory and names each one after the process ID using the `pid` ERB variable.
+This technique would work with any [reporter]({{< relref "/inspec/reporters" >}}) that can write to a file.
+
+```text
+# pid-named-output.txt
+# Option file in which the output is named after the PID of the process
+--reporter json:logs/<%= pid %>.json
+--reporter json:logs/<%= pid %>.json
+--reporter json:logs/<%= pid %>.json
+--reporter json:logs/<%= pid %>.json
+```
+
+After this profile is executed, the `logs` directory would have the following files:
+
+- 1000.log
+- 1000.json
+- 1001.log
+- 1001.json
+- 1002.log
+- 1002.json
+- 1003.log
+- 1003.json
+
+### Run the same profile on different targets
+
+You can run the same profile on multiple targets by specifying each target in the option file using the `-t` or `--target` option.
+
+```text
+# five-servers.txt
+# Option file for running against multiple SSH targets
+-t ssh://server1 --reporter cli:server1.out
+-t ssh://server2 --reporter cli:server2.out
+-t ssh://server3 --reporter cli:server3.out
+-t ssh://server4 --reporter cli:server4.out
+-t ssh://server5 --reporter cli:server5.out
+```
+
+Then specify the profile and the option file in the command line.
+
+```bash
+inspec parallel exec https://github.com/dev-sec/ssh-baseline -o five-servers.txt -i file_name.pem
+```
+
+If you have many or variable targets to run against, consider using ERB templating to read the list of targets after reading them from a CSV file or connecting to an API. You can also use a script to list your targets.
+
+### Run different profiles on the same target
+
+To run different profiles on the same target, specify the profile at the front of the invocation in the option file.
+
+```text
+# multi-profile.txt
+https://github.com/dev-sec/ssh-baseline --reporter cli:ssh-baseline.out
+https://github.com/dev-sec/linux-baseline --reporter cli:linux-baseline.out
+```
+
+Then invoke InSpec parallel by passing the target as a top-level option and a dummy name for the profile.
+
+```bash
+inspec parallel exec dummy -o multi-profile.txt -t ssh://server
+```
+
+### Run different parts of a profile in parallel
+
+If your profile has well-named control IDs, you can use the `--controls` option to divide the profile into sections.
+Suppose that your profile has sections named **C**, **S**, and **N** and the controls in each section have control IDs that start with the given letter,
+then you can create an option file that divides the profile as follows:
+
+```text
+# divide-aws-bp.txt
+--reporter cli:C.out --controls /^C/
+--reporter cli:S.out --controls /^S/
+--reporter cli:N.out --controls /^N/
+```
+
+When you run the following command, `inspec exec` runs three times, once for each of the **C**, **S**, and **N** sections of the profile.
+
+```bash
+inspec parallel exec aws-best-practices -o divide-aws-bp.txt -t aws://profile_name@us-east-2
+```
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/platforms.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/platforms.md
index dc3a1b13ef..d1c659f1a5 100644
--- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/platforms.md
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/platforms.md
@@ -1,207 +1,28 @@ +++ -title = "Using Chef InSpec on Cloud Platforms" +title = "Supported Platforms" draft = false gh_repo = "inspec" [menu] [menu.inspec] - title = "Chef InSpec for the Cloud" - identifier = "inspec/platforms.md Using Chef InSpec on Cloud Platforms" - parent = "inspec" - weight = 30 + title = "Platforms" + identifier = "inspec/install/platforms" + parent = "inspec/install" + weight = 10 +++ -As of Chef InSpec 2.0, we have expanded our platform support beyond individual machines and now include support for select AWS, Azure, GCP, and AliCloud resources. +Chef InSpec is supported on the operating systems (platforms) listed below. -Using InSpec, you can use several Chef InSpec resources to audit properties of your cloud infrastructure - for example, an Amazon Web Services S3 bucket. +## Commercially supported platforms -## AWS Platform Support in InSpec +The following table lists the commercially-supported platforms and versions for Chef InSpec. -### Setting up AWS credentials for InSpec +{{< readfile file="content/inspec/reusable/md/support_commercial_platforms.md" >}} -Chef InSpec uses the standard AWS authentication mechanisms. Typically, you will create an IAM user specifically for auditing activities. +## Derived platforms -1. Create an IAM user in the AWS console, with your choice of username. Check the box marked "Programmatic Access." +The following table lists supported derived platforms and versions for Chef InSpec. -1. On the Permissions screen, choose Direct Attach. Select the AWS-managed IAM Profile named "ReadOnlyAccess." If you wish to restrict the user further, you may do so; see individual Chef InSpec resources to identify which permissions are required. +See our policy on [support for derived platforms](/platforms/#support-for-derived-platforms) for more information. -1. After generating the key, record the Access Key ID and Secret Key. 
- -#### Using Environment Variables to provide credentials - -You may provide the credentials to Chef InSpec by setting the following environment variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_ACCESS_KEY`. You may also use `AWS_PROFILE`, or if you are using MFA, `AWS_SESSION_TOKEN`. See the [AWS Command Line Interface Docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) for details. - -Once you have your environment variables set, you can verify your credentials by running: - -```bash -$ inspec detect -t aws:// - -== Platform Details -Name: aws -Families: cloud, api -Release: aws-sdk-v2.10.125 -``` - -#### Using the Chef InSpec target option to provide credentials on AWS - -Look for a file in your home directory named `~/.aws/credentials`. If it does not exist, create it. Choose a name for your profile; here, we're using the name 'auditing'. Add your credentials as a new profile, in INI format: - -```bash -[auditing] -aws_access_key_id = AKIA.... -aws_secret_access_key = 1234....abcd -``` - -You may now run Chef InSpec using the `--target` / `-t` option, using the format `-t aws://region/profile`. For example, to connect to the Ohio region using a profile named 'auditing', use `-t aws://us-east-2/auditing`. - -To verify your credentials, run: - -```bash -$ inspec detect -t aws:// - -== Platform Details -Name: aws -Families: cloud, api -Release: aws-sdk-v2.10.125 -``` - -## Azure Platform Support in InSpec - -### Setting up Azure credentials for InSpec - -To use Chef InSpec Azure resources, you will need to create a Service Principal Name (SPN) for auditing an Azure subscription. 
- -This can be done on the command line or from the Azure Portal: - -- [Azure CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal-cli) -- [PowerShell](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal) -- [Azure Portal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) - -The information from the SPN can be specified either in the file `~/.azure/credentials`, as environment variables, or by using Chef InSpec target URIs. - -#### Setting up the Azure Credentials File - -By default, Chef InSpec is configured to look at `~/.azure/credentials`, and it should contain: - -```powershell -[] -client_id = "" -client_secret = "" -tenant_id = "" -``` - -{{< note >}} - -In the Azure web portal, these values are labeled differently: - -- The client_id is referred to as the 'Application ID' -- The client_secret is referred to as the 'Key (Password Type)' -- The tenant_id is referred to as the 'Directory ID' - -{{< /note >}} - -With the credentials are in place, you may now execute InSpec: - -```bash -inspec exec my-inspec-profile -t azure:// -``` - -#### Using Environment variables to provide credentials - -You may also set the Azure credentials via environment variables: - -- `AZURE_SUBSCRIPTION_ID` -- `AZURE_CLIENT_ID` -- `AZURE_CLIENT_SECRET` -- `AZURE_TENANT_ID` - -For example: - -```bash -AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \ -AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \ -AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W" \ -AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3" inspec exec my-profile -t azure:// -``` - -#### Using the Chef InSpec target option to provide credentials on Azure - -If you have created a `~/.azure/credentials` file as above, you may also use the Chef InSpec command line `--target` / `-t` option to select a subscription ID. 
For example: - -```bash -inspec exec my-profile -t azure://2fbdbb02-df2e-11e6-bf01-fe55135034f3 -``` - -## AliCloud Platform Support in InSpec - -You will need to install AliCloud SDK version 0.8.0 and require AliCloud credentials to use the Chef InSpec AliCloud resources. - -### Setting up AliCloud credentials for InSpec - -You can configure AliCloud credentials in an [.envrc file](https://github.com/inspec/inspec-alicloud#:~:text=shell.%20(See%20example-,.envrc%20file,-)) or export them in your shell. - -```bash -# Example configuration -export ALICLOUD_ACCESS_KEY="anaccesskey" -export ALICLOUD_SECRET_KEY="asecretkey" -export ALICLOUD_REGION="eu-west-1" -``` - -## GCP Platform Support in InSpec - -### Setting up GCP credentials for InSpec - -To use Chef InSpec GCP resources, you will need to install and configure the Google Cloud SDK. Instructions for this pre-requisite can be found in the -[Google CLoud SDK documentation](https://cloud.google.com/sdk/docs/). Be sure that your InSpec installation is the latest version. The minimal required InSpec version is 3.0.25. 
- -### Create an InSpec profile that makes use of `inspec-gcp` - -With a version of InSpec above 4.0.0, it is possible to create a profile with the following command: - -```bash -$ inspec init profile --platform gcp my-profile -Create new profile at /Users/me/my-profile - * Creating directory libraries - * Creating file README.md - * Creating directory controls - * Creating file controls/example.rb - * Creating file inspec.yml - * Creating file inputs.yml - * Creating file libraries/.gitkeep -``` - -Assuming the `inputs.yml` file contains your GCP project ID, this sample profile can then be executed using the following command: - -```bash -inspec exec my-profile --input-file=my-profile/inputs.yml -t gcp:// -``` - -#### Setting up the GCP Credentials File - -While InSpec can use user accounts for authentication, [Google Cloud documentation](https://cloud.google.com/docs/authentication/) recommends using service accounts. Following GCP best practices, first create a service account with the scopes appropriate for your needs. See [these instructions](https://cloud.google.com/docs/authentication/getting-started) on creating a service account. - -Then, download the credential JSON file, e.g. `project-credentials.json`, to your workspace and run the following command to activate your service account: - -```bash -gcloud auth activate-service-account --key-file project-credentials.json -``` - -#### Using Environment variables for providing credentials - -You may also set the GCP credentials json file via the `GOOGLE_APPLICATION_CREDENTIALS` environment variable. - -```bash -export GOOGLE_APPLICATION_CREDENTIALS='/Users/me/.config/gcloud/myproject-1-feb7993e8660.json' -``` - -Once you have your environment variables set, you can verify your credentials by running: - -```bash -$ inspec detect -t gcp:// - -== Platform Details - -Name: gcp -Families: cloud, api -Release: google-cloud-v -``` +{{< readfile file="content/inspec/reusable/md/support_derived_platforms.md" >}} 
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/profiles.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/profiles.md index fbad75d9f9..8a69fd04cd 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/profiles.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/profiles.md @@ -196,7 +196,7 @@ A Chef InSpec profile can bring in the controls and custom resources from anothe Chef InSpec profile. Additionally, when inheriting the controls of another profile, a profile can skip or even modify those included controls. -For hands-on examples, check out [Create a custom Chef InSpec profile](https://learn.chef.io/modules/create-a-custom-profile#/) +For hands-on examples, check out [Test Expectations with Chef InSpec](https://learn.chef.io/courses/course-v1:chef+Inspec101+Perpetual/about) on Learn Chef Rally. ### Defining the Dependencies diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/file.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/file.md index 5921244389..656c57a87c 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/file.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/file.md @@ -299,13 +299,13 @@ The `size` property tests if a file's size matches, is greater than, or is less Greater than: ```ruby - its('size') { should > 64 } + its('size') { should be > 64 } ``` Less than: ```ruby - its('size') { should < 10240 } + its('size') { should be < 10240 } ``` ### type diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/podman.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/podman.md index 406a95173b..6864cbb7b7 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/podman.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/resources/podman.md 
@@ -26,7 +26,7 @@ Use the `podman` Chef InSpec audit resource to test multiple Podman containers. ```ruby describe podman.containers do its('ids') { should include "591270d8d80d26671fd6ed622f367fbe19004d16e3b519c292313feb5f22e7f7" } - its('images) { should include "docker.io/library/ubuntu:latest" } + its('images') { should include "docker.io/library/ubuntu:latest" } end ``` diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/index.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/index.md new file mode 100644 index 0000000000..41de90ae49 --- /dev/null +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/index.md @@ -0,0 +1,5 @@ ++++ +headless = true +## headless = true makes this directory a headless bundle. +## See https://gohugo.io/content-management/page-bundles/#headless-bundle ++++ diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_commercial_platforms.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_commercial_platforms.md new file mode 100644 index 0000000000..cc7d600543 --- /dev/null +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_commercial_platforms.md @@ -0,0 +1,10 @@ +| Platform | Architecture | Version | +| --- | --- | --- | +| Amazon Linux | `x86_64`, `aarch64` | `2.x` | +| Debian | `x86_64`, `aarch64` (10.x only) | `9`, `10`, `11` | +| macOS | `x86_64`, `aarch64` (M1 processors) | `11.x`, `12.x` | +| Oracle Enterprise Linux | `x86_64`, `aarch64` (7.x / 8.x only) | `6.x`, `7.x`, `8.x` | +| Red Hat Enterprise Linux | `x86_64`, `aarch64` (7.x, 8.x and 9.x only) | `7.x`, `8.x`, `9.x` | +| SUSE Linux Enterprise Server | `x86_64`, `aarch64` (15.x only) | `12.x`, `15.x` | +| Ubuntu | `x86_64` | `16.04`, `18.04`, `20.04` | +| Windows | `x86_64` | `8.1`, `2012`, `2012 R2`, `2016`, `10` (all channels except "insider" builds), `2019`, `11`, `2022` | 
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_derived_platforms.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_derived_platforms.md new file mode 100644 index 0000000000..c2d24dd947 --- /dev/null +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/reusable/md/support_derived_platforms.md @@ -0,0 +1,6 @@ +| Platform | Architecture | Version | Parent platform | +| --- | --- | --- | --- | +| AlmaLinux | `x86_64`, `aarch64` | `8.x` | CentOS | +| Rocky Linux | `x86_64`, `aarch64` | `8.x` | CentOS | + +Chef InSpec Target Mode (`inspec --target`) may be functional on additional platforms, versions, and architectures but aren’t validated by Chef. diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/signing.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/signing.md index c0b5db587d..bc005734a2 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/signing.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/signing.md @@ -11,7 +11,7 @@ gh_repo = "inspec" weight = 60 +++ -This page documents the `inspec sign` command introduced in InSpec 5 and details some methods to work with signed profiles. +This page documents the `inspec sign` command introduced in InSpec 5, the mandatory profile signing feature introduced in InSpec 6, and details some methods to work with signed profiles. ## Usage 
@@ -19,6 +19,17 @@ This page documents the `inspec sign` command introduced in InSpec 5 and details A signed profile, or `.iaf` file, is an InSpec profile with a digital signature that attests to its authenticity. Progress Chef authored profiles are available as signed profiles starting from 2022. +IAF files are not human-readable, but may be viewed using `inspec export`. Support for IAF v2.0 was added to InSpec 5. + +### Mandatory profile signing + +**Chef InSpec 6** and above has an optional setting that requires that all profiles are signed. +If mandatory profile signing is enabled, InSpec will not execute functions with an un-signed profile and exits with exit code 6. + +To enable mandatory profile signing, set the environment variable `CHEF_PREVIEW_MANDATORY_PROFILE_SIGNING` to any non-empty value. + +If you need to bypass mandatory profile signing, use the `--allow-unsigned-profiles` CLI option or set the `CHEF_ALLOW_UNSIGNED_PROFILES` environment variable. + ### How does Profile Signing Work? Profile signing uses a matched pair of keys. The _signing key_ is secret and is used to sign the profile. The _validation key_ is widely distributed and verifies the signed profile signature. diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/troubleshooting.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/troubleshooting.md index dd2ec3e532..6fe947ec94 100644 --- a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/troubleshooting.md +++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/troubleshooting.md 
@@ -11,14 +11,84 @@ gh_repo = "inspec" weight = 55 +++ +## Exit code 5 + +You tried to execute a function with a signed profile, but the signature is either bad or InSpec couldn't find the validation key. +For more information, see the [profile signing documentation](/inspec/signing/). + +## Exit code 6 + +You enabled mandatory profile signing and tried to execute a function with an unsigned profile. +For more information, see the [profile signing documentation](/inspec/signing/). + +## Exit code 174 + +Exit code 174 comes from running Chef InSpec 6 or greater without setting a Chef License key. +See the [InSpec install documentation](/inspec/install/) for setting a Chef License key. +See the [Chef License documentation](/licensing/) for more information about Chef licensing. + ## Undefined Local Variable or Method Error for Cloud Resource This error is a result of invoking a resource from one of the cloud resource packs without initializing an InSpec profile with that resource pack (AWS, Azure, or GCP) as a dependency. -InSpec profiles that use **any cloud resource** must have the resource pack defined as a dependency. +Chef InSpec profiles that use **any cloud resource** must have the resource pack defined as a dependency. See the relevant resource pack readme for instructions: - [inspec-aws README](https://github.com/inspec/inspec-aws#use-the-resources) - [inspec-azure README](https://github.com/inspec/inspec-azure#use-the-resources) - [inspec-gcp README](https://github.com/inspec/inspec-gcp#use-the-resources) + +## License is not entitled to use InSpec + +The license key set with Chef InSpec is not entitled to use Chef InSpec. Each license key is entitled to one or more Chef products. To view the products that your key is entitled to, run the `inspec license list` command, which will list your license entitlements. + +To resolve this issue, set a license key that is entitled to Chef InSpec. 
+
+See the [Chef Licensing documentation](/licensing/) for more information.
+
+## Unable to connect to the licensing server. InSpec requires server communication to operate
+
+Chef InSpec cannot connect to Chef's licensing service or a user-deployed Chef Local License Service.
+This service is responsible for validating the Chef license key set with Chef InSpec.
+
+Check the following possible causes of this issue:
+
+- Network Connectivity
+
+ Ensure that the machine running Chef InSpec has proper network connectivity. It should be able to connect to Chef's licensing service or a user-deployed Chef Local License Service. This includes checking firewall settings and network configuration.
+
+- Service Availability
+
+ If you're using a user-deployed Chef Local License Service, verify that it's correctly configured and operational. Any misconfigurations or issues with the Chef Local License Service could lead to connection problems.
+
+- URL Configuration
+
+ If you're using a Chef Local License Service to manage Chef licenses, verify that the URL to the server is correct.
+
+ If you configured the URL using an environment variable, check the value for environment variable `CHEF_LICENSE_SERVER` to confirm the configured URL.
+
+ If you configured the URL using the `--chef-license-server` InSpec CLI option, reset the URL using the same InSpec CLI option.
+
+- Logs and Debugging
+
+ Check the logs generated by Chef InSpec by using `--log-level debug` for more detailed error messages. Pay close attention to the URL that Chef InSpec is attempting to connect to.
+
+If the issue persists, please reach out to Chef's Customer Success managers or Support Team.
+
+## Invalid File Format Version
+
+Chef licensing data is stored on the `$HOME/.chef/licenses.yaml` file.
+
+The file format version used in the `licenses.yaml` file is unsupported or invalid.
+The `licenses.yaml` file must have the latest supported file format version.
+
+Restore the file to the original state to resolve this issue.
+
+## License file contents are corrupted
+
+Chef licensing data is stored on the `$HOME/.chef/licenses.yaml` file.
+
+The `licenses.yaml` file is malformed and corrupt.
+
+Restore the file content to its original state to resolve this issue.
diff --git a/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/uninstall.md b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/uninstall.md
new file mode 100644
index 0000000000..a2fc1f08fd
--- /dev/null
+++ b/_vendor/github.com/inspec/inspec/docs-chef-io/content/inspec/uninstall.md
@@ -0,0 +1,63 @@
++++
+title = "Uninstall Chef InSpec"
+draft = false
+gh_repo = "inspec"
+
+[menu]
+ [menu.inspec]
+ title = "Uninstall"
+ identifier = "inspec/install/uninstall"
+ parent = "inspec/install"
+ weight = 40
++++
+
+You can uninstall Chef InSpec using the steps below that are appropriate for the
+method of Chef InSpec installation.
+
+## macOS
+
+### Homebrew
+
+Use the following *destructive* command to remove the Chef InSpec standalone Homebrew package:
+
+```bash
+brew cask uninstall inspec
+```
+
+### CLI
+
+Use the following *destructive* command in your terminal to remove the Chef InSpec package:
+
+```bash
+sudo rm -rf /opt/inspec
+```
+
+## Windows
+
+### Installer
+
+Use *Add / Remove Programs* to remove Chef InSpec.
+
+## Linux
+
+### CLI
+
+Use the following *destructive* commands to uninstall Chef InSpec from Linux-based platforms.
+
+For Ubuntu, use the following *destructive* command to uninstall Chef InSpec:
+
+```bash
+sudo dpkg -P inspec
+```
+
+For Red Hat Enterprise Linux, use the following *destructive* command to uninstall Chef InSpec:
+
+```bash
+sudo rpm -e inspec
+```
+
+For SUSE Linux Enterprise Server, use the following *destructive* command to uninstall Chef InSpec:
+
+```bash
+sudo zypper remove inspec
+```
diff --git a/_vendor/modules.txt b/_vendor/modules.txt
index 1a4cf8fcba..dd92c773fb 100644
--- a/_vendor/modules.txt +++ b/_vendor/modules.txt @@ -2,7 +2,7 @@ # github.com/chef/desktop-config/docs-chef-io v0.0.0-20230711052355-bad26ce3ac0b # github.com/habitat-sh/habitat/components/docs-chef-io v0.0.0-20230808222519-d0c20bbe8c45 # github.com/chef/chef-server/docs-chef-io v0.0.0-20230929110551-e5bebd3e433d -# github.com/inspec/inspec/docs-chef-io v0.0.0-20231114134014-655f2932b1cd +# github.com/inspec/inspec/docs-chef-io v0.0.0-20231109152934-e3708cfa7d57 # github.com/inspec/inspec-alicloud/docs-chef-io v0.0.0-20220614123852-e453ba687370 # github.com/inspec/inspec-aws/docs-chef-io v0.0.0-20220228151600-69aa036b1527 # github.com/inspec/inspec-azure/docs-chef-io v0.0.0-20220228040450-e1b23e65979a diff --git a/go.mod b/go.mod index 5900beac49..df14edecbd 100644 --- a/go.mod +++ b/go.mod @@ -18,7 +18,7 @@ require ( github.com/inspec/inspec-azure/docs-chef-io v0.0.0-20220228040450-e1b23e65979a // indirect github.com/inspec/inspec-habitat/docs-chef-io v0.0.0-20220218210405-bfd542da49fd // indirect github.com/inspec/inspec-k8s/docs-chef-io v0.0.0-20230522203306-c23ca61f913f // indirect - github.com/inspec/inspec/docs-chef-io v0.0.0-20231114134014-655f2932b1cd // indirect + github.com/inspec/inspec/docs-chef-io v0.0.0-20231109152934-e3708cfa7d57 // indirect github.com/swiftype/swiftype-autocomplete-jquery v0.0.0-20190222215504-a90008d64b30 // indirect github.com/swiftype/swiftype-search-jquery v1.1.0 // indirect github.com/twitter/hogan.js v3.0.2+incompatible // indirect diff --git a/go.sum b/go.sum index f730e37f4c..298ffe4658 100644 --- a/go.sum +++ b/go.sum 
@@ -49,8 +49,8 @@ github.com/inspec/inspec-habitat/docs-chef-io v0.0.0-20220218210405-bfd542da49fd github.com/inspec/inspec-habitat/docs-chef-io v0.0.0-20220218210405-bfd542da49fd/go.mod h1:Q4E7QBY4b7HDE2psfGT9jqvnLq1yfg5e9KWK4VTtI/M= github.com/inspec/inspec-k8s/docs-chef-io v0.0.0-20230522203306-c23ca61f913f h1:eJqWm/xPdUtbxEF3dewePl7ahkob0IoSfs93QEcykt0= github.com/inspec/inspec-k8s/docs-chef-io v0.0.0-20230522203306-c23ca61f913f/go.mod h1:JwjkNHKgELWxc9esXuK3ELEGL371pK496OKrK+te3Lk= -github.com/inspec/inspec/docs-chef-io v0.0.0-20231114134014-655f2932b1cd h1:iostV9gaDRSXPS2sT5pz8A/KWIJaZV3vZhyld150jtY= -github.com/inspec/inspec/docs-chef-io v0.0.0-20231114134014-655f2932b1cd/go.mod h1:oudFvipU0DTMkp8+MiwdUGerVEoWcJG0MQciDEOd6G8= +github.com/inspec/inspec/docs-chef-io v0.0.0-20231109152934-e3708cfa7d57 h1:9hLt4SfqRNK6dudamHmAsxBjWRgW4q7uu3Tg/6Od4rk= +github.com/inspec/inspec/docs-chef-io v0.0.0-20231109152934-e3708cfa7d57/go.mod h1:k41HVhnK+v9/X2qCX+axYBM6eME3kFeatloWoMLxXQU= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/swiftype/swiftype-autocomplete-jquery v0.0.0-20190222215504-a90008d64b30 h1:dhqLFBINtD1rMwwd5s9INu4BkciCvQUd+r+CWUYWIB4= github.com/swiftype/swiftype-autocomplete-jquery v0.0.0-20190222215504-a90008d64b30/go.mod h1:qnxTyatkwE84LvoaQLPaLB4h5M3n6Q2z+SB/96DcAK8=