inspec-core 2.1.67

data/docs/resources/kernel_parameter.md.erb

@@ -0,0 +1,53 @@
+---
+title: About the kernel_parameter Resource
+platform: linux
+---
+
+# kernel_parameter
+
+Use the `kernel_parameter` InSpec audit resource to test kernel parameters on Linux platforms.
+ These parameters are located under `/proc/cmdline`.
+<br>
+
+## Syntax
+
+A `kernel_parameter` resource block declares a parameter and then a value to be tested:
+
+    describe kernel_parameter('path.to.parameter') do
+      its('value') { should eq 0 }
+    end
+
+where
+
+* `'kernel.parameter'` must specify a kernel parameter, such as `'net.ipv4.conf.all.forwarding'`
+* `{ should eq 0 }` states the value to be tested
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test if global forwarding is enabled for an IPv4 address
+
+    describe kernel_parameter('net.ipv4.conf.all.forwarding') do
+      its('value') { should eq 1 }
+    end
+
+### Test if global forwarding is disabled for an IPv6 address
+
+    describe kernel_parameter('net.ipv6.conf.all.forwarding') do
+      its('value') { should eq 0 }
+    end
+
+### Test if an IPv6 address accepts redirects
+
+    describe kernel_parameter('net.ipv6.conf.interface.accept_redirects') do
+      its('value') { should cmp 'true' }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

data/docs/resources/key_rsa.md.erb

@@ -0,0 +1,85 @@
+---
+title: The key_rsa Resource
+platform: os
+---
+
+# key_rsa
+
+Use the `key_rsa` InSpec audit resource to test RSA public/private keypairs.
+
+This resource is mainly useful when used in conjunction with the x509_certificate resource but it can also be used for checking SSH keys.
+
+<br>
+
+## Syntax
+
+An `key_rsa` resource block declares a `key file` to be tested.
+
+    describe key_rsa('mycertificate.key') do
+      it { should be_private }
+      it { should be_public }
+      its('public_key') { should match "-----BEGIN PUBLIC KEY-----\n3597459df9f3982" }
+      its('key_length') { should eq 2048 }
+    end
+
+You can use an optional passphrase with `key_rsa`
+
+    describe key_rsa('mycertificate.key', 'passphrase') do
+      it { should be_private }
+    end
+
+<br>
+
+## Properties
+
+  * `public_key`, `private_key`, `key_length`
+
+<br>
+
+## Property Examples
+
+### public_key (String)
+
+The `public_key` property returns the public part of the RSA key pair
+
+    describe key_rsa('/etc/pki/www.mywebsite.com.key') do
+      its('public_key') { should match "-----BEGIN PUBLIC KEY-----\n3597459df9f3982......" }
+    end
+
+### private_key (String)
+
+The `private_key` property returns the private key or the RSA key pair.
+
+    describe key_rsa('/etc/pki/www.mywebsite.com.key') do
+      its('private_key') { should match "-----BEGIN RSA PRIVATE KEY-----\nMIIJJwIBAAK......" }
+    end
+
+### key_length
+
+The `key_length` property allows testing the number of bits in the key pair.
+
+    describe key_rsa('/etc/pki/www.mywebsite.com.key') do
+      its('key_length') { should eq 2048 }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### public?
+
+To verify if a key is public use the following:
+
+    describe key_rsa('/etc/pki/www.mywebsite.com.key') do
+      it { should be_public }
+    end
+
+### private?
+
+This property verifies that the key includes a private key:
+
+    describe key_rsa('/etc/pki/www.mywebsite.com.key') do
+      it { should be_private }
+    end

data/docs/resources/launchd_service.md.erb

@@ -0,0 +1,57 @@
+---
+title: About the launchd_service Resource
+platform: linux
+---
+
+# launchd_service
+
+Use the ``launchd_service`` InSpec audit resource to test a service using Launchd.
+
+<br>
+
+## Syntax
+
+A ``launchd_service`` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
+
+    describe launchd_service('service_name') do
+      it { should be_installed }
+      it { should be_enabled }
+      it { should be_running }
+    end
+
+where
+
+* ``('service_name')`` must specify a service name
+* `be_installed`, `be_enabled`, and `be_running` are valid matchers for this resource; all matchers available to the `service` resource may be used
+
+The path to the service manager's control may be specified for situations where the path isn't available in the current ``PATH``. For example:
+
+    describe launchd_service('service_name', '/path/to/control') do
+      it { should be_enabled }
+      it { should be_installed }
+      it { should be_running }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### be_enabled
+
+The `be_enabled` matcher tests if the named service is enabled:
+
+    it { should be_enabled }
+
+### be_installed
+
+The `be_installed` matcher tests if the named service is installed:
+
+    it { should be_installed }
+
+### be_running
+
+The `be_running` matcher tests if the named service is running:
+
+    it { should be_running }

data/docs/resources/limits_conf.md.erb

@@ -0,0 +1,75 @@
+---
+title: About the limits_conf Resource
+platform: linux
+---
+
+# limits_conf
+
+Use the `limits_conf` InSpec audit resource to test configuration settings in the `/etc/security/limits.conf` file. The `limits.conf` defines limits for processes (by user and/or group names) and helps ensure that the system running those processes remains stable. Each process may be assigned a hard or soft limit.
+
+* Soft limits are maintained by the shell and defines the number of file handles (or open files) available to the user or group after login
+* Hard limits are maintained by the kernel and defines the maximum number of allowed file handles
+
+Entries in the `limits.conf` file are similar to:
+
+    grantmc     soft   nofile   4096
+    grantmc     hard   nofile   63536
+
+    ^^^^^^^^^   ^^^^   ^^^^^^   ^^^^^
+    domain      type    item    value
+
+<br>
+
+## Syntax
+
+A `limits_conf` resource block declares a domain to be tested, along with associated type, item, and value:
+
+    describe limits_conf('path') do
+      its('domain') { should include ['type', 'item', 'value'] }
+      its('domain') { should eq ['type', 'item', 'value'] }
+    end
+
+where
+
+* `('path')` is the non-default path to the `inetd.conf` file
+* `'domain'` is a user or group name, such as `grantmc`
+* `'type'` is either `hard` or `soft`
+* `'item'` is the item for which limits are defined, such as `core`, `nofile`, `stack`, `nproc`, `priority`, or `maxlogins`
+* `'value'` is the value associated with the `item`
+
+<br>
+
+## Properties
+
+* `domain`
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### domain
+
+The `domain` property tests the domain in the `limits.conf` file, along with associated type, item, and value:
+
+    its('domain') { should include ['type', 'item', 'value'] }
+`
+For example:
+
+    its('grantmc') { should include ['hard', 'nofile', '63536'] }
+
+### Test limits
+
+    describe limits_conf('path') do
+      its('*') { should include ['soft', 'core', '0'], ['hard', 'rss', '10000'] }
+      its('ftp') { should eq ['hard', 'nproc', '0'] }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+

data/docs/resources/login_defs.md.erb

@@ -0,0 +1,71 @@
+---
+title: About the login_defs Resource
+platform: linux
+---
+
+# login_defs
+
+Use the `login_defs` InSpec audit resource to test configuration settings in the `/etc/login.defs` file. The `logins.defs` file defines site-specific configuration for the shadow password suite on Linux and Unix platforms, such as password expiration ranges, minimum/maximum values for automatic selection of user and group identifiers, or the method with which passwords are encrypted.
+
+<br>
+
+## Syntax
+
+A `login_defs` resource block declares the `login.defs` configuration data to be tested:
+
+    describe login_defs do
+      its('name') { should include('foo') }
+    end
+
+where
+
+* `name` is a configuration setting in `login.defs`
+* `{ should include('foo') }` tests the value of `name` as read from `login.defs` versus the value declared in the test
+
+<br>
+
+## Properties
+
+This resource supports the properties found in the `login.defs` configuration settings.
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### name
+
+The `name` matcher tests the value of `name` as read from `login.defs` versus the value declared in the test:
+
+    its('name') { should eq 'foo' }
+
+### Test password expiration settings
+
+    describe login_defs do
+      its('PASS_MAX_DAYS') { should eq '180' }
+      its('PASS_MIN_DAYS') { should eq '1' }
+      its('PASS_MIN_LEN') { should eq '15' }
+      its('PASS_WARN_AGE') { should eq '30' }
+    end
+
+### Test the encryption method
+
+    describe login_defs do
+      its('ENCRYPT_METHOD') { should eq 'SHA512' }
+    end
+
+### Test umask setting
+
+    describe login_def do
+      its('UMASK') { should eq '077' }
+      its('PASS_MAX_DAYS') { should eq '90' }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+

data/docs/resources/mount.md.erb

@@ -0,0 +1,69 @@
+---
+title: About the mount Resource
+platform: linux
+---
+
+# mount
+
+Use the `mount` InSpec audit resource to test the mount points on FreeBSD and Linux systems.
+
+<br>
+
+## Syntax
+
+An `mount` resource block declares the synchronization settings that should be tested:
+
+    describe mount('path') do
+      it { should MATCHER 'value' }
+    end
+
+where
+
+* `('path')` is the path to the mounted directory
+* `MATCHER` is a valid matcher for this resource
+* `'value'` is the value to be tested
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test a the mount point on '/'
+
+    describe mount('/') do
+      it { should be_mounted }
+      its('device') { should eq  '/dev/mapper/VolGroup-lv_root' }
+      its('type') { should eq  'ext4' }
+      its('options') { should eq ['rw', 'mode=620'] }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### be_mounted
+
+The `be_mounted` matcher tests if the file is accessible from the file system:
+
+    it { should be_mounted }
+
+### device
+
+The `device` matcher tests the device from the `fstab` table:
+
+    its('device') { should eq  '/dev/mapper/VolGroup-lv_root' }
+
+### options
+
+The `options` matcher tests the mount options for the file system from the `fstab` table:
+
+    its('options') { should eq ['rw', 'mode=620'] }
+
+### type
+
+The `type` matcher tests the file system type:
+
+    its('type') { should eq  'ext4' }

data/docs/resources/mssql_session.md.erb

@@ -0,0 +1,60 @@
+---
+title: About the mssql_session Resource
+platform: windows
+---
+
+# mssql_session
+
+Use the `mssql_session` InSpec audit resource to test SQL commands run against a Microsoft SQL database.
+
+<br>
+
+## Syntax
+
+A `mssql_session` resource block declares the username and password to use for the session, and then the command to be run:
+
+    describe mssql_session(user: 'username', password: 'password').query('QUERY').row(0).column('result') do
+      its('value') { should eq('') }
+    end
+
+where
+
+* `mssql_session` declares a username and password with permission to run the query.  Omitting the username or password parameters results in the use of Windows authentication as the user InSpec is executing as.  You may also optionally pass a host and instance name.  If omitted, they will default to host: localhost and the default instance.
+* `query('QUERY')` contains the query to be run
+* `its('value') { should eq('') }` compares the results of the query against the expected result in the test
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test for matching databases
+
+    sql = mssql_session(user: 'my_user', password: 'password')
+
+    describe sql.query("SELECT SERVERPROPERTY('ProductVersion') as result").row(0).column('result') do
+      its("value") { should cmp > '12.00.4457' }
+    end
+
+### Test using Windows authentication
+
+    sql = mssql_session
+
+    describe sql.query("SELECT SERVERPROPERTY('ProductVersion') as result").row(0).column('result') do
+      its("value") { should cmp > '12.00.4457' }
+    end
+
+### Test a specific host and instance
+
+    sql = mssql_session(user: 'my_user', password: 'password', host: 'mssqlserver', instance: 'foo')
+
+    describe sql.query("SELECT SERVERPROPERTY('ProductVersion') as result").row(0).column('result') do
+      its("value") { should cmp > '12.00.4457' }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).