inspec-core 2.1.67

data/docs/resources/directory.md.erb

@@ -0,0 +1,30 @@
+---
+title: About the directory Resource
+platform: os
+---
+
+# directory
+
+Use the `directory` InSpec audit resource to test if the file type is a directory. This is equivalent to using the `file` resource and the `be_directory` matcher, but provides a simpler and more direct way to test directories.
+
+<br>
+
+## Syntax
+
+A `directory` resource block declares the location of the directory to be tested, and then one (or more) matchers.
+
+    describe directory('path') do
+      its('property') { should cmp 'value' }
+    end
+
+<br>
+
+## Properties
+
+All of the properties available to `file` may be used with `directory`.
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

data/docs/resources/docker.md.erb

@@ -0,0 +1,219 @@
+---
+title: About the docker Resource
+platform: linux
+---
+
+# docker
+
+Use the `docker` InSpec audit resource to test configuration data for the Docker daemon. It is a very comprehensive resource. See also: [docker_container](https://www.inspec.io/docs/reference/resources/docker_container/) and [docker_image](https://www.inspec.io/docs/reference/resources/docker_image/), too.
+
+<br>
+
+## Syntax
+
+A `docker` resource block declares allows you to write test for many containers:
+
+    describe docker.containers do
+      its('images') { should_not include 'u12:latest' }
+    end
+
+or:
+
+    describe docker.containers.where { names == 'flamboyant_colden' } do
+      it { should be_running }
+    end
+
+where
+
+* `.where()` may specify a specific item and value, to which the resource parameters are compared
+* `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes`  and `status` are valid parameters for `containers`
+
+The `docker` resource block also declares allows you to write test for many images:
+
+    describe docker.images do
+      its('repositories') { should_not include 'inssecure_image' }
+    end
+
+or if you want to query specific images:
+
+    describe docker.images.where { repository == 'ubuntu' && tag == '12.04' } do
+      it { should_not exist }
+    end
+
+where
+
+* `.where()` may specify a specific filter and expected value, against which parameters are compared
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Return all running containers
+
+    docker.containers.running?.ids.each do |id|
+      describe docker.object(id) do
+        its('State.Health.Status') { should eq 'healthy' }
+      end
+    end
+
+### Verify a Docker Server and Client version
+
+    describe docker.version do
+      its('Server.Version') { should cmp >= '1.12'}
+      its('Client.Version') { should cmp >= '1.12'}
+    end
+
+### Iterate over all containers to verify host coniguration
+
+    docker.containers.ids.each do |id|
+      # call Docker inspect for a specific container id
+      describe docker.object(id) do
+        its(%w(HostConfig Privileged)) { should cmp false }
+        its(%w(HostConfig Privileged)) { should_not cmp true }
+      end
+    end
+
+### Iterate over all images to verify the container was built without ADD instruction
+
+    docker.images.ids.each do |id|
+      describe command("docker history #{id}| grep 'ADD'") do
+        its('stdout') { should eq '' }
+      end
+    end
+
+### Verify that health-checks are enabled for a container
+
+    describe docker.object('71b5df59442b') do
+      its(%w(Config Healthcheck)) { should_not eq nil }
+    end
+
+<br>
+
+## How to run the DevSec Docker baseline profile
+
+There are two ways to run the `docker-baseline` profile to test Docker via the `docker` resource.
+
+Clone the profile:
+
+    $ git clone https://github.com/dev-sec/cis-docker-benchmark.git
+
+and then run:
+
+    $ inspec exec cis-docker-benchmark
+
+Or execute the profile directly via URL:
+
+    $ inspec exec https://github.com/dev-sec/cis-docker-benchmark
+
+<br>
+
+## Resource Parameters
+
+* `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `status` are valid parameters for `containers`
+
+<br>
+
+## Resource Parameter Examples
+
+### containers
+
+`containers` returns information about containers as returned by [docker ps -a](https://docs.docker.com/engine/reference/commandline/ps/).
+
+    describe docker.containers do
+      its('ids') { should include 'sha:71b5df59...442b' }
+      its('commands') { should_not include '/bin/sh' }
+      its('images') { should_not include 'u12:latest' }
+      its('ports') { should include '0.0.0.0:1234->1234/tcp' }
+      its('labels') { should include 'License=GPLv2,Vendor=CentOS' }
+    end
+
+### object('id')
+
+`object` returns low-level information about Docker objects. It is calling [docker inspect](https://docs.docker.com/engine/reference/commandline/info/) under the hood.
+
+    describe docker.object(id) do
+      its('Configuration.Path') { should eq 'value' }
+    end
+
+### images
+
+`images` returns information about a Docker image as returned by [docker images](https://docs.docker.com/engine/reference/commandline/images/).
+
+    describe docker.images do
+      its('ids') { should include 'sha:12b5df59...442b' }
+      its('repositories') { should_not include 'my_image' }
+      its('tags') { should_not include 'unwanted_tag' }
+      its('sizes') { should_not include "1.41 GB" }
+    end
+
+### info
+
+`info` returns the parsed result of [docker info](https://docs.docker.com/engine/reference/commandline/info/)
+
+    describe docker.info do
+      its('Configuration.Path') { should eq 'value' }
+    end
+
+### version
+
+`info` returns the parsed result of [docker version](https://docs.docker.com/engine/reference/commandline/version/)
+
+    describe docker.version do
+      its('Server.Version') { should cmp >= '1.12'}
+      its('Client.Version') { should cmp >= '1.12'}
+    end
+
+<br>
+
+## Properties
+
+* `id`, `image`, `repo`, `tag`, `ports`, `command`
+
+<br>
+
+## Property Examples
+
+### id
+
+    describe docker_container(name: 'an-echo-server') do
+      its('id') { should_not eq '' }
+    end
+
+### image
+
+    describe docker_container(name: 'an-echo-server') do
+      its('image') { should eq 'busybox:latest' }
+    end
+
+### repo
+
+    describe docker_container(name: 'an-echo-server') do
+      its('repo') { should eq 'busybox' }
+    end
+
+### tag
+
+    describe docker_container(name: 'an-echo-server') do
+      its('tag') { should eq 'latest' }
+    end
+
+### ports
+
+    describe docker_container(name: 'an-echo-server') do
+      its('ports') { should eq "0.0.0.0:1234->1234/tcp" }
+    end
+
+### command
+
+    describe docker_container(name: 'an-echo-server') do
+      its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+

data/docs/resources/docker_container.md.erb

@@ -0,0 +1,103 @@
+---
+title: About the docker_container Resource
+platform: linux
+---
+
+# docker_container
+
+Use the `docker_container` InSpec audit resource to test a Docker container.
+
+<br>
+
+## Syntax
+
+A `docker_container` resource block declares the configuration data to be tested:
+
+    describe docker_container('container') do
+      it { should exist }
+      it { should be_running }
+      its('id') { should_not eq '' }
+      its('image') { should eq 'busybox:latest' }
+      its('repo') { should eq 'busybox' }
+      its('tag') { should eq 'latest' }
+      its('ports') { should eq [] }
+      its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
+    end
+
+<br>
+
+## Resource Parameter Examples
+
+### name
+
+The container name can also be passed with the `name` resource parameter:
+
+    describe docker_container(name: 'an-echo-server') do
+      it { should exist }
+      it { should be_running }
+    end
+
+### id
+
+Alternatively, you can pass in the container id:
+
+    describe docker_container(id: '71b5df59442b') do
+      it { should exist }
+      it { should be_running }
+    end
+
+<br>
+
+## Property Examples
+
+The following examples show how to use this InSpec resource.
+
+### id
+
+The `id` property tests the container id:
+
+    its('id') { should eq 'sha:71b5df59...442b' }
+
+### repo
+
+The `repo` property tests the value of the image repository:
+
+    its('repo') { should eq 'busybox' }
+
+### tag
+
+The `tag` property tests the value of the image tag:
+
+    its('tag') { should eq 'latest' }
+
+### ports
+
+The `ports` property tests the value the Docker ports:
+
+    its('ports') { should eq '0.0.0.0:1234->1234/tcp' }
+
+### command
+
+The `command` property tests the value of the container run command:
+
+    its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
+
+
+### Verify a running container:
+
+    describe docker_container('an-echo-server') do
+      it { should exist }
+      it { should be_running }
+      its('id') { should_not eq '' }
+      its('image') { should eq 'busybox:latest' }
+      its('repo') { should eq 'busybox' }
+      its('tag') { should eq 'latest' }
+      its('ports') { should eq [] }
+      its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

data/docs/resources/docker_image.md.erb

@@ -0,0 +1,94 @@
+---
+title: About the docker_image Resource
+platform: linux
+---
+
+# docker_image
+
+Use the `docker_image` InSpec audit resource to verify a Docker image.
+
+<br>
+
+## Syntax
+
+A `docker_image` resource block declares the image:
+
+    describe docker_image('alpine:latest') do
+      it { should exist }
+      its('id') { should eq 'sha256:4a415e...a526' }
+      its('repo') { should eq 'alpine' }
+      its('tag') { should eq 'latest' }
+    end
+
+<br>
+
+## Resource Parameter Examples
+
+The resource allows you to pass in an image id:
+
+    describe docker_image(id: alpine_id) do
+      ...
+    end
+
+If the tag is missing for an image, `latest` is assumed as default:
+
+    describe docker_image('alpine') do
+      ...
+    end
+
+You can also pass in repository and tag as separate values
+
+    describe docker_image(repo: 'alpine', tag: 'latest') do
+      ...
+    end
+
+<br>
+
+## Property Examples
+
+### id
+
+The `id` property returns the full image id:
+
+    its('id') { should eq 'sha256:4a415e3663882fbc554ee830889c68a33b3585503892cc718a4698e91ef2a526' }
+
+### image
+
+The `image` property tests the value of the image. It is a combination of `repository/tag`:
+
+    its('image') { should eq 'alpine:latest' }
+
+### repo
+
+The `repo` property tests the value of the repository name:
+
+    its('repo') { should eq 'alpine' }
+
+### tag
+
+The `tag` property tests the value of image tag:
+
+    its('tag') { should eq 'latest' }
+
+### Test a Docker image
+
+    describe docker_image('alpine:latest') do
+      it { should exist }
+      its('id') { should eq 'sha256:4a415e...a526' }
+      its('image') { should eq 'alpine:latest' }
+      its('repo') { should eq 'alpine' }
+      its('tag') { should eq 'latest' }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+The `exist` matcher tests if the image is available on the node:
+
+    it { should exist }
+

data/docs/resources/docker_service.md.erb

@@ -0,0 +1,114 @@
+---
+title: About the docker_service Resource
+platform: linux
+---
+
+# docker_service
+
+Use the `docker_service` InSpec audit resource to verify a docker swarm service.
+
+<br>
+
+## Syntax
+
+A `docker_service` resource block declares the service by name:
+
+    describe docker_service('foo') do
+      it { should exist }
+      its('id') { should eq '2ghswegspre1' }
+      its('repo') { should eq 'alpine' }
+      its('tag') { should eq 'latest' }
+    end
+
+<br>
+
+## Resource Parameter Examples
+
+The resource allows you to pass in a service id:
+
+    describe docker_service(id: '2ghswegspre1') do
+      ...
+    end
+
+You can also pass in the fully-qualified image:
+
+    describe docker_service(image: 'localhost:5000/alpine:latest') do
+      ...
+    end
+
+<br>
+
+## Property Examples
+
+The following examples show how to use InSpec `docker_service` resource.
+
+### id
+
+The `id` property returns the service id:
+
+    its('id') { should eq '2ghswegspre1' }
+
+### image
+
+The `image` property tests the value of the image. It is a combination of `repository:tag`:
+
+    its('image') { should eq 'alpine:latest' }
+
+### mode
+
+The `mode` property tests the value of the service mode:
+
+    its('mode') { should eq 'replicated' }
+
+### name
+
+The `name` property tests the value of the service name:
+
+    its('name') { should eq 'foo' }
+
+### ports
+
+The `ports` property tests the value of the service's published ports:
+
+    its('ports') { should include '*:8000->8000/tcp' }
+
+### repo
+
+The `repo` property tests the value of the repository name:
+
+    its('repo') { should eq 'alpine' }
+
+### replicas
+
+The `replicas` property tests the value of the service's replica count:
+
+    its('replicas') { should eq '3/3' }
+
+### tag
+
+The `tag` property tests the value of image tag:
+
+    its('tag') { should eq 'latest' }
+
+### Test a docker service
+
+    describe docker_service('foo') do
+      it { should exist }
+      its('id') { should eq '2ghswegspre1' }
+      its('repo') { should eq 'alpine' }
+      its('tag') { should eq 'latest' }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+The `exist` matcher tests if the image is available on the node:
+
+    it { should exist }
+
+