inspec exec error on new install #569

Closed
aaronlippold opened this issue Mar 22, 2016 · 4 comments

@aaronlippold
Collaborator

I am getting a strange error running some inspec profiles.

- inspec exec fails
- inspec json works

[ec2-user@ip-10-204-0-80 ssg-rhel6-c2s]$ inspec version
0.16.1

[ec2-user@ip-10-204-0-80 ssg-rhel6-c2s]$ rpm -q ruby
ruby-2.0.0.598-25.el7_1.x86_64
[ec2-user@ip-10-204-0-80 ssg-rhel6-c2s]$ rpm -q ruby-devel
ruby-devel-2.0.0.598-25.el7_1.x86_64
[ec2-user@ip-10-204-0-80 ssg-rhel6-c2s]$ rpm -q rubygems
rubygems-2.0.14-25.el7_1.noarch

ERROR

Installing ri documentation for inspec-0.16.1
35 gems installed
[ec2-user@ip-10-204-0-80 ~]$ inspec version
0.16.1
[ec2-user@ip-10-204-0-80 ~]$ ls
bin  cocreate-compliance
[ec2-user@ip-10-204-0-80 ~]$ pwd
/home/ec2-user
[ec2-user@ip-10-204-0-80 ~]$ cd cocreate-compliance/
[ec2-user@ip-10-204-0-80 cocreate-compliance]$ ls
baseimage  compliance-profiles  inspec-notes  README.md
[ec2-user@ip-10-204-0-80 cocreate-compliance]$ cd compliance-profiles/
[ec2-user@ip-10-204-0-80 compliance-profiles]$ ls
ssg-rhel6-c2s
[ec2-user@ip-10-204-0-80 compliance-profiles]$ cd ssg-rhel6-c2s/
[ec2-user@ip-10-204-0-80 ssg-rhel6-c2s]$ ls
controls  docs  inspec.yml  README.md
[ec2-user@ip-10-204-0-80 ssg-rhel6-c2s]$ inspec exec ./
/home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/resources/parse_config.rb:51:in `parse_file': undefined method `empty?' for nil:NilClass (NoMethodError)
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/resources/parse_config.rb:84:in `initialize'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/plugins/resource.rb:36:in `initialize'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/resource.rb:31:in `new'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/resource.rb:31:in `block (3 levels) in create_dsl'
    from ./controls/07_ipv6_spec.rb:75:in `block in load'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/rule.rb:29:in `instance_eval'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/rule.rb:29:in `initialize'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/profile_context.rb:123:in `new'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/profile_context.rb:123:in `block (2 levels) in create_context'
    from ./controls/07_ipv6_spec.rb:62:in `load'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/profile_context.rb:37:in `instance_eval'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/profile_context.rb:37:in `load'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/runner.rb:104:in `add_test_to_context'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/runner.rb:88:in `block in add_content'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/runner.rb:88:in `each'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/runner.rb:88:in `add_content'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/runner.rb:69:in `add_profile'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/runner.rb:52:in `add_target'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/utils/base_cli.rb:69:in `block in run_tests'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/utils/base_cli.rb:69:in `each'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/utils/base_cli.rb:69:in `run_tests'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/cli.rb:111:in `exec'
    from /home/ec2-user/.gem/ruby/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
    from /home/ec2-user/.gem/ruby/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
    from /home/ec2-user/.gem/ruby/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
    from /home/ec2-user/.gem/ruby/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/bin/inspec:9:in `<top (required)>'
    from /home/ec2-user/bin/inspec:23:in `load'
    from /home/ec2-user/bin/inspec:23:in `<main>'
[ec2-user@ip-10-204-0-80 ssg-rhel6-c2s]$ 
@aaronlippold
Collaborator Author

title 'IPv6'

control 'ipv6-01' do
  impact 0.5
  tag severity: 'medium'

  title 'System must disable IPv6, for regular IPv4-only servers'
  desc 'Unless explicitly needed, do not enable IPv6 on the node to reduce the
        attack surface.'

  tag cce: 'CCE-27153-6'
  tag cci: nil
  tag disa: 'DISA FSO RHEL-06-000098'
  tag nist: 'CM-7'

  ref ' NSA-RH6-STIG Section 2.5.3.1.1'

  describe kernel_parameter('net.ipv6.conf.all.disable_ipv6') do
    its('value') { should eq 1 }
  end
end

#FIXME: SGA
control 'ipv6-02' do
  impact 0.5
  tag severity: 'medium'

  title 'The IPv6 protocol handler must not be bound to the network stack
        unless needed.'
  desc 'Any unnecessary network stacks - including IPv6 - should be disabled,
        to reduce the vulnerability to exploitation.'

  tag cce: 'CCE-27153-6'
  tag cci: 'CCI-000366'
  tag nist: 'CM-7'
  tag disa: 'RHEL-06-000098'

  ref 'NSA-RH6-STIG Section 2.5.3.1.3'

  describe command('grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d') do
    its('stdout') { should match /options ipv6 disable=1/ }
  end
end

control 'ipv6-03' do
  impact 0.5
  tag severity: 'medium'

  title 'System must disable Interface Usage of IPv6.'
  desc 'This prevents configuration of IPV6 for all interface.'
  tag cce: 'CCE-27161-9'
  tag cci: nil
  tag nist: nil
  tag disa: nil

  ref 'NSA-RH6-STIG Section 2.5.3.1.3'

  describe parse_config_file('/etc/sysconfig/network') do
    its('NETWORKING_IPV6') { should eq 'no' }
    its('IPV6INIT') { should eq 'no'}
    its('IPV6_AUTOCONF') { should eq 'no'}
  end
end

#FIXME: no mappings - nist,disa,cci,cce
control 'ipv6-04' do
  impact 0.5
  tag severity: 'medium'

  title 'System must allow only one global unicast address per interface'
  desc 'Avoid having different unicast addresses per interface.'

  tag cce: nil
  tag cci: nil
  tag nist: nil
  tag disa: nil

  ref 'NSA-RH6-STIG Section 2.5.3.2.5'

  describe kernel_parameter('net.ipv6.conf.default.max_addresses') do
    its('value') { should eq 1 }
  end
end

#FIXME: no reference
#FIXME: no mappings
control 'ipv6-05' do
  impact 0.5
  tag severity: 'medium'

  title 'System must disable IP forwarding on regular nodes'
  desc 'Regular nodes, which don\'t route/forward traffic should have this
        option disabled.'

  tag cce: nil
  tag cci: nil
  tag nist: nil
  tag disa: nil

  ref 'nil'

  describe kernel_parameter('net.ipv6.conf.all.forwarding') do
    its('value') { should eq 0 }
  end
end

control 'ipv6-06' do
  impact 0.5
  tag severity: 'medium'

  title 'System ipv6 configuration must disable accepting redirects by default'
  desc 'Disable all types of redirects on regular nodes which are not routers.'

  tag cce: 'CCE-27166-8'
  tag cci: 'CCI-000366'
  tag nist: 'CM-7'
  tag disa: 'DISA FSO RHEL-06-000099'

  ref 'NSA-RH6-STIG Section 2.5.3.2.5'

  describe kernel_parameter('net.ipv6.conf.default.accept_redirects') do
    its('value') { should eq 0 }
  end
end

#FIXME: no reference
#FIXME: no mappings
control 'ipv6-07' do
  impact 0.5
  tag severity: 'medium'

  title 'System ipv6 configuration must disable accepting redirects on
        all devices'
  desc 'Disable all types of redirects on regular nodes which are not
        routers.'

  tag cce: nil
  tag cci: nil
  tag nist: nil
  tag disa: nil

  ref 'nil'

  describe kernel_parameter('net.ipv6.conf.all.accept_redirects') do
    its('value') { should eq 0 }
  end
end

#FIXME: no mappings!
control 'ipv6-08' do
  impact 0.5
  title 'System ipv6 configuration must disable router solicitations'
  desc 'Disable all sysctl functions that are only relevant, if this machine
        is a router.'

  tag cce: nil
  tag cci: nil
  tag nist: nil
  tag disa: nil

  ref 'NSA-RH6-STIG Section 2.5.3.2.5'

  describe kernel_parameter('net.ipv6.conf.default.router_solicitations') do
    its('value') { should eq 0 }
  end
end

#FIXME: no mappings!
control 'ipv6-09' do
  impact 0.5
  tag severity: 'medium'

  title 'System ipv6 configuration must not accept router preference in router
        advertisement'
  desc 'Disable all sysctl functions that are only relevant, if this machine
        is a router.'

  tag cce: nil
  tag cci: nil
  tag nist: nil
  tag disa: nil

  ref 'NSA-RH6-STIG Section 2.5.3.2.5'

  describe kernel_parameter('net.ipv6.conf.default.accept_ra_rtr_pref') do
    its('value') { should eq 0 }
  end
end

#FIXME: no mappings!
control 'ipv6-10' do
  impact 0.5
  tag severity: 'medium'

  title 'System ipv6 configuration must not learn prefix information in router
        advertisement'
  desc 'Disable all sysctl functions that are only relevant, if this machine
        is a router.'

  tag cce: nil
  tag cci: nil
  tag nist: nil
  tag disa: nil

  ref 'NSA-RH6-STIG Section 2.5.3.2.5'

  describe kernel_parameter('net.ipv6.conf.default.accept_ra_pinfo') do
    its('value') { should eq 0 }
  end
end

#FIXME: no mappings!
control 'ipv6-11' do
  impact 0.5
  tag severity: 'medium'

  title 'System ipv6 configuration must not accept hop limit settings in
        router advertisement'
  desc 'Disable all sysctl functions that are only relevant, if this machine
        is a router.'

  tag cce: nil
  tag cci: nil
  tag nist: nil
  tag disa: nil

  ref 'NSA-RH6-STIG Section 2.5.3.2.5'

  describe kernel_parameter('net.ipv6.conf.default.accept_ra_defrtr') do
    its('value') { should eq 0 }
  end
end

#FIXME: no mapping!
control 'ipv6-12' do
  impact 0.5
  tag severity: 'medium'

  title 'System ipv6 configuration must not let router advertisements assign a
        global unicast address'
  desc 'Disable all sysctl functions that are only relevant, if this machine
        is a router.'

  tag cce: nil
  tag cci: nil
  tag nist: nil
  tag disa: nil

  ref ' NSA-RH6-STIG Section 2.5.3.2.5'

  describe kernel_parameter('net.ipv6.conf.default.autoconf') do
    its('value') { should eq 0 }
  end
end

#FIXME: No mappings!
control 'ipv6-13' do
  impact 0.5
  title 'System ipv6 configuration must not send neighborhood solicitations
        per address'
  desc 'Disable all sysctl functions that are only relevant, if this machine
        is a router.'

  tag cce: nil
  tag cci: nil
  tag nist: nil
  tag disa: nil

  ref 'NSA-RH6-STIG Section 2.5.3.2.5'

  describe kernel_parameter('net.ipv6.conf.default.dad_transmits') do
    its('value') { should eq 0 }
  end
end

#FIXME: No Mappings!
control 'ipv6-14' do
  impact 0.7
  tag severity: 'high'

  title 'System must Install TCP Wrappers'
  desc 'TCP Wrappers provides a simple access list and standardized logging
        method for services capable of supporting it. In the past, services
        that were called from inetd and xinetd supported the use of tcpwrappers.
        As inetd and xinetd have been falling in disuse,any service that can
        support tcp wrappers will have the libwrap.so library attached to it.'


  tag cce: nil
  tag cci: nil
  tag nist: nil
  tag disa: nil

  ref 'NSA-RH6-STIG Section 2.5.4.1'

  describe package('tcpd') do
    it { should be_installed }
  end
end

@aaronlippold
Collaborator Author

drwxr-xr-x. 4 ec2-user 1000   65 Mar 22 12:53 .
drwxr-xr-x. 3 ec2-user 1000   26 Mar 22 12:53 ..
drwxr-xr-x. 2 ec2-user 1000 4.0K Mar 22 12:53 controls
drwxr-xr-x. 2 ec2-user 1000 4.0K Mar 22 12:53 docs
-rw-r--r--. 1 ec2-user 1000  421 Mar 22 12:53 inspec.yml
-rw-r--r--. 1 ec2-user 1000   81 Mar 22 12:53 README.md
[ec2-user@ip-10-204-0-80 ssg-rhel6-c2s]$ cd controls/
[ec2-user@ip-10-204-0-80 controls]$ ls
01_install_maintain_software_spec.rb     06_wireless_spec.rb
02_filepermission_mask_spec.rb           07_ipv6_spec.rb
03_account_access_controls_spec.rb       08_uncommon_network_protocol_spec.rb
04_selinux_spec.rb                       09_iptables_spec.rb
05_kernel_parameters_networking_spec.rb  controls_template
[ec2-user@ip-10-204-0-80 controls]$ ls -alh
total 116K
drwxr-xr-x. 2 ec2-user 1000 4.0K Mar 22 12:53 .
drwxr-xr-x. 4 ec2-user 1000   65 Mar 22 12:53 ..
-rw-r--r--. 1 ec2-user 1000 8.8K Mar 22 12:53 01_install_maintain_software_spec.rb
-rw-r--r--. 1 ec2-user 1000  19K Mar 22 12:53 02_filepermission_mask_spec.rb
-rw-r--r--. 1 ec2-user 1000  29K Mar 22 12:53 03_account_access_controls_spec.rb
-rw-r--r--. 1 ec2-user 1000 4.1K Mar 22 12:53 04_selinux_spec.rb
-rw-r--r--. 1 ec2-user 1000  14K Mar 22 12:53 05_kernel_parameters_networking_spec.rb
-rw-r--r--. 1 ec2-user 1000 2.5K Mar 22 12:53 06_wireless_spec.rb
-rw-r--r--. 1 ec2-user 1000 7.7K Mar 22 12:53 07_ipv6_spec.rb
-rw-r--r--. 1 ec2-user 1000 5.1K Mar 22 12:53 08_uncommon_network_protocol_spec.rb
-rw-r--r--. 1 ec2-user 1000 3.2K Mar 22 12:53 09_iptables_spec.rb
lrwxrwxrwx. 1 ec2-user 1000   24 Mar 22 12:53 controls_template -> ../docs/current_template

@aaronlippold
Collaborator Author

[ec2-user@ip-10-204-0-80 controls]$ inspec exec ./08_uncommon_network_protocol_spec.rb 
/home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/resources/parse_config.rb:51:in `parse_file': undefined method `empty?' for nil:NilClass (NoMethodError)
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/resources/parse_config.rb:84:in `initialize'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/plugins/resource.rb:36:in `initialize'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/resource.rb:31:in `new'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/resource.rb:31:in `block (3 levels) in create_dsl'
    from ./08_uncommon_network_protocol_spec.rb:176:in `block in load'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/rule.rb:29:in `instance_eval'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/rule.rb:29:in `initialize'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/profile_context.rb:123:in `new'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/profile_context.rb:123:in `block (2 levels) in create_context'
    from ./08_uncommon_network_protocol_spec.rb:158:in `load'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/profile_context.rb:37:in `instance_eval'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/profile_context.rb:37:in `load'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/runner.rb:104:in `add_test_to_context'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/runner.rb:88:in `block in add_content'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/runner.rb:88:in `each'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/runner.rb:88:in `add_content'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/runner.rb:69:in `add_profile'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/runner.rb:52:in `add_target'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/utils/base_cli.rb:69:in `block in run_tests'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/utils/base_cli.rb:69:in `each'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/utils/base_cli.rb:69:in `run_tests'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/lib/inspec/cli.rb:111:in `exec'
    from /home/ec2-user/.gem/ruby/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
    from /home/ec2-user/.gem/ruby/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
    from /home/ec2-user/.gem/ruby/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
    from /home/ec2-user/.gem/ruby/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
    from /home/ec2-user/.gem/ruby/gems/inspec-0.16.1/bin/inspec:9:in `<top (required)>'
    from /home/ec2-user/bin/inspec:23:in `load'
    from /home/ec2-user/bin/inspec:23:in `<main>'

@aaronlippold
Collaborator Author

title 'Uncommon Network Protocols'

control 'uncommon-np-01' do
  impact 0.7
  tag severity: 'high'

  title 'The System must disable the DCCP kernel module.'
  desc 'The Datagram Congestion Control Protocol (DCCP) is a transport layer
        protocol that supports streaming media and telephony. DCCP provides a
        way to gain access to congestion control, without having to do it at the
        application layer, but does not provide in-sequence delivery.'

  tag cce: 'CCE-26448-1'
  tag cci: 'CCI-000382'
  tag nist: 'CM-7'
  tag disa: 'DISA FSO RHEL-06-000124'

  ref 'NSA-RH6-STIG Section 2.5.7.1'

  describe kernel_module('dccp') do
    it { should_not be_loaded }
  end
end

#FIXME: review the impact level and severity level
control 'uncommon-np-02' do
  impact 0.0
  tag severity: 'low'

  title 'System Must Disable SCTP'
  desc 'The Stream Control Transmission Protocol (SCTP) is a transport layer
        protocol used to support message oriented communication, with several
        streams of messages in one connection. It serves a similar function as
        TCP and UDP, incorporating features of both. It is message-oriented
        like UDP, and ensures reliable in-sequence transport of messages with
        congestion control like TCP.'

  tag cce: 'CCE-26410-1'
  tag cci: 'CCI-000382'
  tag nist: 'CM-7'
  tag disa: 'DISA FSO RHEL-06-000125'

  ref 'NSA-RH6-STIG Section 2.5.7.2'

  describe kernel_module('sctp') do
    it { should_not be_loaded }
  end
end

#FIXME: review the impact level and severity level
control 'uncommon-np-03' do
  impact 0.0
  tag severity: 'low'

  title 'System Must Disable RDS'
  desc 'The Reliable Datagram Sockets (RDS) protocol is a transport layer
        protocol designed to provide low-latency, high-bandwidth communications
        between cluster nodes. It was developed by the Oracle corporation.'

  tag cce: 'CCE-26239-4'
  tag cci: 'CCI-000382'
  tag nist: 'CM-7'
  tag disa: 'DISA FSO RHEL-06-000126'

  ref 'NSA-RH6-STIG Section 2.5.7.3'

  describe kernel_module('rds') do
    it { should_not be_loaded }
  end
end

#FIXME: review the impact level and severity level
control 'uncommon-np-04' do
  impact 0.0
  tag severity: 'low'

  title 'System Must Disable TIPC'
  desc 'The Transparent Inter-Process Communication (TIPC) protocol is designed
        to provide communication between cluster nodes.'

  tag cce: 'CCE-26696-5'
  tag cci: 'CCI-000382'
  tag nist: 'CM-7'
  tag disa: 'DISA FSO RHEL-06-000127'

  ref 'NSA-RH6-STIG Section 2.5.7.4'

  describe kernel_module('tipc') do
    it { should_not be_loaded }
  end
end

# IPSec Support

control 'ipsec-01' do
  impact 0.5
  tag severity: 'medium'

  title 'System Must Have the Openswan Package For IPsec Installed.'
  desc 'The Openswan package provides an implementation of IPsec and IKE, which
        permits the creation of secure tunnels over untrusted networks.'

  tag cce: 'CCE-27626-1'
  tag cci: 'CCI-001130'
  tag nist: 'CM-7'
  tag disa: 'DISA FSO RHEL-06-000321'

  ref 'NSA-RH6-STIG Section 2.5.8.1.1'

  describe package('openswan') do
    it { should be_installed }
  end
end

#FIXME: review the impact level and severity level
#FIXME: No mappings!
control 'ipsec-02' do
  impact 0.0
  tag severity: 'low'

  title 'System Must Not Have ipsec-tools package if openswan package
        is installed.'
  desc 'Since the openswan package provides a superset of its functionality,
        ipsec-tools is not needed.'

  tag cce: nil
  tag cci: nil
  tag nist: nil
  tag disa: nil

  ref 'NSA-RH6-STIG Section 2.5.8.1.2'

  describe package('ipsec-tools') do
    it { should_not be_installed }
  end
end

#Network service

#FIXME: missing mappings
control 'network-service-01' do
  impact 0.5
  tag severity: 'medium'

  title 'System  Must Disable Zeroconf Networking.'

  desc 'Zeroconf networking allows the system to assign itself an IP address
        and engage in IP communication without a statically-assigned address or
        even a DHCP server. Automatic address assignment via Zeroconf (or DHCP)
        is not recommended.'

  tag cce: 'CCE-27151-0'
  tag cci: nil
  tag nist: 'CM-7'
  tag disa: nil

  ref 'NSA-RH6-STIG Section 3.3.9.3'

  describe parse_config_file('/etc/sysconfig/network') do
    its( 'NOZEROCONF')  { should match /true|yes/ }
  end
end
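
Both traces end in `parse_file` calling `empty?` on `nil` while a `parse_config_file('/etc/sysconfig/network')` resource is being built. The following is an added illustration, not InSpec's code and not part of the issue: a nil-safe parser and check for the keys these controls test, assuming the `nil` was the file content. `parse_sysconfig`, `audit_sysconfig` and the sample content are hypothetical names and constructed data.

```ruby
# Added example (not InSpec code). Assumption: the nil in the trace is the
# content of /etc/sysconfig/network, e.g. because the file could not be read.

# Parse sysconfig-style KEY=value lines into a Hash.
# Returns nil for nil content so "unreadable" stays distinct from "empty file".
def parse_sysconfig(content)
  return nil if content.nil?

  params = {}
  content.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')

    key, value = line.split('=', 2)
    next if value.nil? # not a KEY=value line

    # Strip one pair of surrounding quotes, as shell-sourced files often use.
    params[key.strip] = value.strip.gsub(/\A["']|["']\z/, '')
  end
  params
end

# Check each expectation (String = exact match, Regexp = pattern match).
# An unreadable file yields a reported result per key instead of an exception,
# so one missing file cannot abort the whole compliance run.
def audit_sysconfig(content, expectations)
  params = parse_sysconfig(content)
  expectations.map do |key, expected|
    status =
      if params.nil? then :unreadable
      elsif !params.key?(key) then :missing
      elsif expected === params[key] then :pass
      else :fail
      end
    [key, status]
  end.to_h
end

# Expectations taken from controls ipv6-03 and network-service-01 above.
EXPECTED = {
  'NETWORKING_IPV6' => 'no',
  'IPV6INIT'        => 'no',
  'IPV6_AUTOCONF'   => 'no',
  'NOZEROCONF'      => /true|yes/
}.freeze

# Constructed sample content, not taken from the reporter's host.
SAMPLE = <<~CONF
  # constructed sample
  NETWORKING=yes
  NETWORKING_IPV6=no
  IPV6INIT="yes"
  NOZEROCONF=yes
CONF

if __FILE__ == $PROGRAM_NAME
  puts audit_sysconfig(SAMPLE, EXPECTED).inspect
  puts audit_sysconfig(nil, EXPECTED).inspect
end
```
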
