RubyGems - inspec-core - Versions diffs - 2.1.67 - Mend

inspec-core 2.1.67

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (412) hide show

checksums.yaml +7 -0
data/CHANGELOG.md +3136 -0
data/Gemfile +56 -0
data/LICENSE +14 -0
data/MAINTAINERS.md +33 -0
data/MAINTAINERS.toml +52 -0
data/README.md +453 -0
data/bin/inspec +12 -0
data/docs/.gitignore +2 -0
data/docs/README.md +40 -0
data/docs/dev/control-eval.md +62 -0
data/docs/dsl_inspec.md +258 -0
data/docs/dsl_resource.md +100 -0
data/docs/glossary.md +99 -0
data/docs/habitat.md +192 -0
data/docs/inspec_and_friends.md +114 -0
data/docs/matchers.md +169 -0
data/docs/migration.md +293 -0
data/docs/platforms.md +119 -0
data/docs/plugin_kitchen_inspec.md +50 -0
data/docs/profiles.md +378 -0
data/docs/reporters.md +105 -0
data/docs/resources/aide_conf.md.erb +76 -0
data/docs/resources/apache.md.erb +67 -0
data/docs/resources/apache_conf.md.erb +68 -0
data/docs/resources/apt.md.erb +71 -0
data/docs/resources/audit_policy.md.erb +47 -0
data/docs/resources/auditd.md.erb +79 -0
data/docs/resources/auditd_conf.md.erb +68 -0
data/docs/resources/bash.md.erb +75 -0
data/docs/resources/bond.md.erb +90 -0
data/docs/resources/bridge.md.erb +57 -0
data/docs/resources/bsd_service.md.erb +67 -0
data/docs/resources/chocolatey_package.md.erb +58 -0
data/docs/resources/command.md.erb +138 -0
data/docs/resources/cpan.md.erb +79 -0
data/docs/resources/cran.md.erb +64 -0
data/docs/resources/crontab.md.erb +89 -0
data/docs/resources/csv.md.erb +54 -0
data/docs/resources/dh_params.md.erb +205 -0
data/docs/resources/directory.md.erb +30 -0
data/docs/resources/docker.md.erb +219 -0
data/docs/resources/docker_container.md.erb +103 -0
data/docs/resources/docker_image.md.erb +94 -0
data/docs/resources/docker_service.md.erb +114 -0
data/docs/resources/elasticsearch.md.erb +242 -0
data/docs/resources/etc_fstab.md.erb +125 -0
data/docs/resources/etc_group.md.erb +75 -0
data/docs/resources/etc_hosts.md.erb +78 -0
data/docs/resources/etc_hosts_allow.md.erb +74 -0
data/docs/resources/etc_hosts_deny.md.erb +74 -0
data/docs/resources/file.md.erb +526 -0
data/docs/resources/filesystem.md.erb +41 -0
data/docs/resources/firewalld.md.erb +107 -0
data/docs/resources/gem.md.erb +79 -0
data/docs/resources/group.md.erb +61 -0
data/docs/resources/grub_conf.md.erb +101 -0
data/docs/resources/host.md.erb +86 -0
data/docs/resources/http.md.erb +197 -0
data/docs/resources/iis_app.md.erb +122 -0
data/docs/resources/iis_site.md.erb +135 -0
data/docs/resources/inetd_conf.md.erb +94 -0
data/docs/resources/ini.md.erb +76 -0
data/docs/resources/interface.md.erb +58 -0
data/docs/resources/iptables.md.erb +64 -0
data/docs/resources/json.md.erb +63 -0
data/docs/resources/kernel_module.md.erb +120 -0
data/docs/resources/kernel_parameter.md.erb +53 -0
data/docs/resources/key_rsa.md.erb +85 -0
data/docs/resources/launchd_service.md.erb +57 -0
data/docs/resources/limits_conf.md.erb +75 -0
data/docs/resources/login_defs.md.erb +71 -0
data/docs/resources/mount.md.erb +69 -0
data/docs/resources/mssql_session.md.erb +60 -0
data/docs/resources/mysql_conf.md.erb +99 -0
data/docs/resources/mysql_session.md.erb +74 -0
data/docs/resources/nginx.md.erb +79 -0
data/docs/resources/nginx_conf.md.erb +138 -0
data/docs/resources/npm.md.erb +60 -0
data/docs/resources/ntp_conf.md.erb +60 -0
data/docs/resources/oneget.md.erb +53 -0
data/docs/resources/oracledb_session.md.erb +52 -0
data/docs/resources/os.md.erb +141 -0
data/docs/resources/os_env.md.erb +91 -0
data/docs/resources/package.md.erb +120 -0
data/docs/resources/packages.md.erb +67 -0
data/docs/resources/parse_config.md.erb +103 -0
data/docs/resources/parse_config_file.md.erb +138 -0
data/docs/resources/passwd.md.erb +141 -0
data/docs/resources/pip.md.erb +67 -0
data/docs/resources/port.md.erb +137 -0
data/docs/resources/postgres_conf.md.erb +79 -0
data/docs/resources/postgres_hba_conf.md.erb +93 -0
data/docs/resources/postgres_ident_conf.md.erb +76 -0
data/docs/resources/postgres_session.md.erb +69 -0
data/docs/resources/powershell.md.erb +102 -0
data/docs/resources/processes.md.erb +109 -0
data/docs/resources/rabbitmq_config.md.erb +41 -0
data/docs/resources/registry_key.md.erb +158 -0
data/docs/resources/runit_service.md.erb +57 -0
data/docs/resources/security_policy.md.erb +47 -0
data/docs/resources/service.md.erb +121 -0
data/docs/resources/shadow.md.erb +146 -0
data/docs/resources/ssh_config.md.erb +73 -0
data/docs/resources/sshd_config.md.erb +83 -0
data/docs/resources/ssl.md.erb +119 -0
data/docs/resources/sys_info.md.erb +42 -0
data/docs/resources/systemd_service.md.erb +57 -0
data/docs/resources/sysv_service.md.erb +57 -0
data/docs/resources/upstart_service.md.erb +57 -0
data/docs/resources/user.md.erb +140 -0
data/docs/resources/users.md.erb +127 -0
data/docs/resources/vbscript.md.erb +55 -0
data/docs/resources/virtualization.md.erb +57 -0
data/docs/resources/windows_feature.md.erb +47 -0
data/docs/resources/windows_hotfix.md.erb +53 -0
data/docs/resources/windows_task.md.erb +95 -0
data/docs/resources/wmi.md.erb +81 -0
data/docs/resources/x509_certificate.md.erb +151 -0
data/docs/resources/xinetd_conf.md.erb +156 -0
data/docs/resources/xml.md.erb +85 -0
data/docs/resources/yaml.md.erb +69 -0
data/docs/resources/yum.md.erb +98 -0
data/docs/resources/zfs_dataset.md.erb +53 -0
data/docs/resources/zfs_pool.md.erb +47 -0
data/docs/ruby_usage.md +203 -0
data/docs/shared/matcher_be.md.erb +1 -0
data/docs/shared/matcher_cmp.md.erb +43 -0
data/docs/shared/matcher_eq.md.erb +3 -0
data/docs/shared/matcher_include.md.erb +1 -0
data/docs/shared/matcher_match.md.erb +1 -0
data/docs/shell.md +217 -0
data/examples/README.md +8 -0
data/examples/inheritance/README.md +65 -0
data/examples/inheritance/controls/example.rb +14 -0
data/examples/inheritance/inspec.yml +15 -0
data/examples/kitchen-ansible/.kitchen.yml +25 -0
data/examples/kitchen-ansible/Gemfile +19 -0
data/examples/kitchen-ansible/README.md +53 -0
data/examples/kitchen-ansible/files/nginx.repo +6 -0
data/examples/kitchen-ansible/tasks/main.yml +16 -0
data/examples/kitchen-ansible/test/integration/default/default.yml +5 -0
data/examples/kitchen-ansible/test/integration/default/web_spec.rb +28 -0
data/examples/kitchen-chef/.kitchen.yml +20 -0
data/examples/kitchen-chef/Berksfile +3 -0
data/examples/kitchen-chef/Gemfile +19 -0
data/examples/kitchen-chef/README.md +27 -0
data/examples/kitchen-chef/metadata.rb +7 -0
data/examples/kitchen-chef/recipes/default.rb +6 -0
data/examples/kitchen-chef/recipes/nginx.rb +30 -0
data/examples/kitchen-chef/test/integration/default/web_spec.rb +28 -0
data/examples/kitchen-puppet/.kitchen.yml +23 -0
data/examples/kitchen-puppet/Gemfile +20 -0
data/examples/kitchen-puppet/Puppetfile +25 -0
data/examples/kitchen-puppet/README.md +53 -0
data/examples/kitchen-puppet/manifests/site.pp +33 -0
data/examples/kitchen-puppet/metadata.json +11 -0
data/examples/kitchen-puppet/modules/.gitkeep +0 -0
data/examples/kitchen-puppet/test/integration/default/web_spec.rb +28 -0
data/examples/meta-profile/README.md +37 -0
data/examples/meta-profile/controls/example.rb +13 -0
data/examples/meta-profile/inspec.yml +13 -0
data/examples/profile-attribute.yml +2 -0
data/examples/profile-attribute/README.md +14 -0
data/examples/profile-attribute/controls/example.rb +11 -0
data/examples/profile-attribute/inspec.yml +8 -0
data/examples/profile-sensitive/README.md +29 -0
data/examples/profile-sensitive/controls/sensitive-failures.rb +9 -0
data/examples/profile-sensitive/controls/sensitive.rb +9 -0
data/examples/profile-sensitive/inspec.yml +8 -0
data/examples/profile/README.md +48 -0
data/examples/profile/controls/example.rb +23 -0
data/examples/profile/controls/gordon.rb +36 -0
data/examples/profile/controls/meta.rb +34 -0
data/examples/profile/inspec.yml +10 -0
data/examples/profile/libraries/gordon_config.rb +59 -0
data/inspec-core.gemspec +43 -0
data/lib/bundles/README.md +3 -0
data/lib/bundles/inspec-artifact.rb +7 -0
data/lib/bundles/inspec-artifact/README.md +1 -0
data/lib/bundles/inspec-artifact/cli.rb +277 -0
data/lib/bundles/inspec-compliance.rb +16 -0
data/lib/bundles/inspec-compliance/.kitchen.yml +20 -0
data/lib/bundles/inspec-compliance/README.md +193 -0
data/lib/bundles/inspec-compliance/api.rb +360 -0
data/lib/bundles/inspec-compliance/api/login.rb +193 -0
data/lib/bundles/inspec-compliance/bootstrap.sh +41 -0
data/lib/bundles/inspec-compliance/cli.rb +260 -0
data/lib/bundles/inspec-compliance/configuration.rb +103 -0
data/lib/bundles/inspec-compliance/http.rb +125 -0
data/lib/bundles/inspec-compliance/images/cc-token.png +0 -0
data/lib/bundles/inspec-compliance/support.rb +36 -0
data/lib/bundles/inspec-compliance/target.rb +106 -0
data/lib/bundles/inspec-compliance/test/integration/default/cli.rb +93 -0
data/lib/bundles/inspec-habitat.rb +12 -0
data/lib/bundles/inspec-habitat/cli.rb +36 -0
data/lib/bundles/inspec-habitat/log.rb +10 -0
data/lib/bundles/inspec-habitat/profile.rb +391 -0
data/lib/bundles/inspec-init.rb +8 -0
data/lib/bundles/inspec-init/README.md +31 -0
data/lib/bundles/inspec-init/cli.rb +97 -0
data/lib/bundles/inspec-init/templates/profile/README.md +3 -0
data/lib/bundles/inspec-init/templates/profile/controls/example.rb +19 -0
data/lib/bundles/inspec-init/templates/profile/inspec.yml +8 -0
data/lib/bundles/inspec-init/templates/profile/libraries/.gitkeep +0 -0
data/lib/bundles/inspec-supermarket.rb +13 -0
data/lib/bundles/inspec-supermarket/README.md +45 -0
data/lib/bundles/inspec-supermarket/api.rb +84 -0
data/lib/bundles/inspec-supermarket/cli.rb +73 -0
data/lib/bundles/inspec-supermarket/target.rb +34 -0
data/lib/fetchers/git.rb +163 -0
data/lib/fetchers/local.rb +74 -0
data/lib/fetchers/mock.rb +35 -0
data/lib/fetchers/url.rb +247 -0
data/lib/inspec.rb +24 -0
data/lib/inspec/archive/tar.rb +29 -0
data/lib/inspec/archive/zip.rb +19 -0
data/lib/inspec/backend.rb +93 -0
data/lib/inspec/base_cli.rb +368 -0
data/lib/inspec/cached_fetcher.rb +66 -0
data/lib/inspec/cli.rb +292 -0
data/lib/inspec/completions/bash.sh.erb +45 -0
data/lib/inspec/completions/fish.sh.erb +34 -0
data/lib/inspec/completions/zsh.sh.erb +61 -0
data/lib/inspec/control_eval_context.rb +179 -0
data/lib/inspec/dependencies/cache.rb +72 -0
data/lib/inspec/dependencies/dependency_set.rb +92 -0
data/lib/inspec/dependencies/lockfile.rb +115 -0
data/lib/inspec/dependencies/requirement.rb +123 -0
data/lib/inspec/dependencies/resolver.rb +86 -0
data/lib/inspec/describe.rb +27 -0
data/lib/inspec/dsl.rb +66 -0
data/lib/inspec/dsl_shared.rb +33 -0
data/lib/inspec/env_printer.rb +157 -0
data/lib/inspec/errors.rb +14 -0
data/lib/inspec/exceptions.rb +12 -0
data/lib/inspec/expect.rb +45 -0
data/lib/inspec/fetcher.rb +45 -0
data/lib/inspec/file_provider.rb +275 -0
data/lib/inspec/formatters.rb +3 -0
data/lib/inspec/formatters/base.rb +259 -0
data/lib/inspec/formatters/json_rspec.rb +20 -0
data/lib/inspec/formatters/show_progress.rb +12 -0
data/lib/inspec/library_eval_context.rb +58 -0
data/lib/inspec/log.rb +11 -0
data/lib/inspec/metadata.rb +247 -0
data/lib/inspec/method_source.rb +24 -0
data/lib/inspec/objects.rb +14 -0
data/lib/inspec/objects/attribute.rb +75 -0
data/lib/inspec/objects/control.rb +61 -0
data/lib/inspec/objects/describe.rb +92 -0
data/lib/inspec/objects/each_loop.rb +36 -0
data/lib/inspec/objects/list.rb +15 -0
data/lib/inspec/objects/or_test.rb +40 -0
data/lib/inspec/objects/ruby_helper.rb +15 -0
data/lib/inspec/objects/tag.rb +27 -0
data/lib/inspec/objects/test.rb +87 -0
data/lib/inspec/objects/value.rb +27 -0
data/lib/inspec/plugins.rb +60 -0
data/lib/inspec/plugins/cli.rb +24 -0
data/lib/inspec/plugins/fetcher.rb +86 -0
data/lib/inspec/plugins/resource.rb +135 -0
data/lib/inspec/plugins/secret.rb +15 -0
data/lib/inspec/plugins/source_reader.rb +40 -0
data/lib/inspec/polyfill.rb +12 -0
data/lib/inspec/profile.rb +513 -0
data/lib/inspec/profile_context.rb +208 -0
data/lib/inspec/profile_vendor.rb +66 -0
data/lib/inspec/reporters.rb +60 -0
data/lib/inspec/reporters/automate.rb +76 -0
data/lib/inspec/reporters/base.rb +25 -0
data/lib/inspec/reporters/cli.rb +356 -0
data/lib/inspec/reporters/json.rb +116 -0
data/lib/inspec/reporters/json_min.rb +48 -0
data/lib/inspec/reporters/junit.rb +78 -0
data/lib/inspec/require_loader.rb +33 -0
data/lib/inspec/resource.rb +190 -0
data/lib/inspec/rule.rb +280 -0
data/lib/inspec/runner.rb +345 -0
data/lib/inspec/runner_mock.rb +41 -0
data/lib/inspec/runner_rspec.rb +175 -0
data/lib/inspec/runtime_profile.rb +26 -0
data/lib/inspec/schema.rb +213 -0
data/lib/inspec/secrets.rb +19 -0
data/lib/inspec/secrets/yaml.rb +30 -0
data/lib/inspec/shell.rb +220 -0
data/lib/inspec/shell_detector.rb +90 -0
data/lib/inspec/source_reader.rb +29 -0
data/lib/inspec/version.rb +8 -0
data/lib/matchers/matchers.rb +339 -0
data/lib/resources/aide_conf.rb +151 -0
data/lib/resources/apache.rb +48 -0
data/lib/resources/apache_conf.rb +149 -0
data/lib/resources/apt.rb +149 -0
data/lib/resources/audit_policy.rb +63 -0
data/lib/resources/auditd.rb +231 -0
data/lib/resources/auditd_conf.rb +46 -0
data/lib/resources/bash.rb +35 -0
data/lib/resources/bond.rb +69 -0
data/lib/resources/bridge.rb +122 -0
data/lib/resources/chocolatey_package.rb +78 -0
data/lib/resources/command.rb +73 -0
data/lib/resources/cpan.rb +58 -0
data/lib/resources/cran.rb +64 -0
data/lib/resources/crontab.rb +169 -0
data/lib/resources/csv.rb +56 -0
data/lib/resources/dh_params.rb +77 -0
data/lib/resources/directory.rb +25 -0
data/lib/resources/docker.rb +236 -0
data/lib/resources/docker_container.rb +89 -0
data/lib/resources/docker_image.rb +83 -0
data/lib/resources/docker_object.rb +57 -0
data/lib/resources/docker_service.rb +90 -0
data/lib/resources/elasticsearch.rb +169 -0
data/lib/resources/etc_fstab.rb +94 -0
data/lib/resources/etc_group.rb +154 -0
data/lib/resources/etc_hosts.rb +66 -0
data/lib/resources/etc_hosts_allow_deny.rb +112 -0
data/lib/resources/file.rb +298 -0
data/lib/resources/filesystem.rb +31 -0
data/lib/resources/firewalld.rb +143 -0
data/lib/resources/gem.rb +70 -0
data/lib/resources/groups.rb +215 -0
data/lib/resources/grub_conf.rb +227 -0
data/lib/resources/host.rb +306 -0
data/lib/resources/http.rb +253 -0
data/lib/resources/iis_app.rb +101 -0
data/lib/resources/iis_site.rb +148 -0
data/lib/resources/inetd_conf.rb +54 -0
data/lib/resources/ini.rb +29 -0
data/lib/resources/interface.rb +129 -0
data/lib/resources/iptables.rb +80 -0
data/lib/resources/json.rb +111 -0
data/lib/resources/kernel_module.rb +107 -0
data/lib/resources/kernel_parameter.rb +58 -0
data/lib/resources/key_rsa.rb +63 -0
data/lib/resources/limits_conf.rb +46 -0
data/lib/resources/login_def.rb +57 -0
data/lib/resources/mount.rb +88 -0
data/lib/resources/mssql_session.rb +101 -0
data/lib/resources/mysql.rb +82 -0
data/lib/resources/mysql_conf.rb +127 -0
data/lib/resources/mysql_session.rb +85 -0
data/lib/resources/nginx.rb +96 -0
data/lib/resources/nginx_conf.rb +226 -0
data/lib/resources/npm.rb +48 -0
data/lib/resources/ntp_conf.rb +51 -0
data/lib/resources/oneget.rb +71 -0
data/lib/resources/oracledb_session.rb +139 -0
data/lib/resources/os.rb +36 -0
data/lib/resources/os_env.rb +86 -0
data/lib/resources/package.rb +370 -0
data/lib/resources/packages.rb +111 -0
data/lib/resources/parse_config.rb +112 -0
data/lib/resources/passwd.rb +76 -0
data/lib/resources/pip.rb +130 -0
data/lib/resources/platform.rb +109 -0
data/lib/resources/port.rb +771 -0
data/lib/resources/postgres.rb +131 -0
data/lib/resources/postgres_conf.rb +114 -0
data/lib/resources/postgres_hba_conf.rb +90 -0
data/lib/resources/postgres_ident_conf.rb +79 -0
data/lib/resources/postgres_session.rb +71 -0
data/lib/resources/powershell.rb +67 -0
data/lib/resources/processes.rb +204 -0
data/lib/resources/rabbitmq_conf.rb +51 -0
data/lib/resources/registry_key.rb +297 -0
data/lib/resources/security_policy.rb +180 -0
data/lib/resources/service.rb +794 -0
data/lib/resources/shadow.rb +159 -0
data/lib/resources/ssh_conf.rb +97 -0
data/lib/resources/ssl.rb +99 -0
data/lib/resources/sys_info.rb +28 -0
data/lib/resources/toml.rb +32 -0
data/lib/resources/users.rb +654 -0
data/lib/resources/vbscript.rb +68 -0
data/lib/resources/virtualization.rb +247 -0
data/lib/resources/windows_feature.rb +84 -0
data/lib/resources/windows_hotfix.rb +35 -0
data/lib/resources/windows_task.rb +102 -0
data/lib/resources/wmi.rb +110 -0
data/lib/resources/x509_certificate.rb +137 -0
data/lib/resources/xinetd.rb +106 -0
data/lib/resources/xml.rb +46 -0
data/lib/resources/yaml.rb +43 -0
data/lib/resources/yum.rb +180 -0
data/lib/resources/zfs_dataset.rb +60 -0
data/lib/resources/zfs_pool.rb +49 -0
data/lib/source_readers/flat.rb +39 -0
data/lib/source_readers/inspec.rb +75 -0
data/lib/utils/command_wrapper.rb +27 -0
data/lib/utils/convert.rb +12 -0
data/lib/utils/database_helpers.rb +77 -0
data/lib/utils/enumerable_delegation.rb +9 -0
data/lib/utils/erlang_parser.rb +192 -0
data/lib/utils/file_reader.rb +25 -0
data/lib/utils/filter.rb +273 -0
data/lib/utils/filter_array.rb +27 -0
data/lib/utils/find_files.rb +47 -0
data/lib/utils/hash.rb +41 -0
data/lib/utils/json_log.rb +18 -0
data/lib/utils/latest_version.rb +22 -0
data/lib/utils/modulator.rb +12 -0
data/lib/utils/nginx_parser.rb +105 -0
data/lib/utils/object_traversal.rb +49 -0
data/lib/utils/parser.rb +274 -0
data/lib/utils/pkey_reader.rb +15 -0
data/lib/utils/plugin_registry.rb +93 -0
data/lib/utils/simpleconfig.rb +120 -0
data/lib/utils/spdx.rb +13 -0
data/lib/utils/spdx.txt +344 -0
metadata +713 -0

data/lib/resources/security_policy.rb ADDED

@@ -0,0 +1,180 @@
+# encoding: utf-8
+#
+# Security Configuration and Analysis
+#
+# Export local security policy:
+# secedit /export /cfg secpol.cfg
+#
+# @link http://www.microsoft.com/en-us/download/details.aspx?id=25250
+#
+# In Windows, some security options are managed differently that the local GPO
+# All local GPO parameters can be examined via Registry, but not all security
+# parameters. Therefore we need a combination of Registry and secedit output
+require 'hashie'
+module Inspec::Resources
+  # known and supported MS privilege rights
+  # @see https://technet.microsoft.com/en-us/library/dd277311.aspx
+  # @see https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx
+  MS_PRIVILEGES_RIGHTS = [
+    'SeNetworkLogonRight',
+    'SeBackupPrivilege',
+    'SeChangeNotifyPrivilege',
+    'SeSystemtimePrivilege',
+    'SeCreatePagefilePrivilege',
+    'SeDebugPrivilege',
+    'SeRemoteShutdownPrivilege',
+    'SeAuditPrivilege',
+    'SeIncreaseQuotaPrivilege',
+    'SeIncreaseBasePriorityPrivilege',
+    'SeLoadDriverPrivilege',
+    'SeBatchLogonRight',
+    'SeServiceLogonRight',
+    'SeInteractiveLogonRight',
+    'SeSecurityPrivilege',
+    'SeSystemEnvironmentPrivilege',
+    'SeProfileSingleProcessPrivilege',
+    'SeSystemProfilePrivilege',
+    'SeAssignPrimaryTokenPrivilege',
+    'SeRestorePrivilege',
+    'SeShutdownPrivilege',
+    'SeTakeOwnershipPrivilege',
+    'SeUndockPrivilege',
+    'SeManageVolumePrivilege',
+    'SeRemoteInteractiveLogonRight',
+    'SeImpersonatePrivilege',
+    'SeCreateGlobalPrivilege',
+    'SeIncreaseWorking',
+    'SeTimeZonePrivilege',
+    'SeCreateSymbolicLinkPrivilege',
+    'SeDenyNetworkLogonRight', # Deny access to this computer from the network
+    'SeDenyInteractiveLogonRight', # Deny logon locally
+    'SeDenyBatchLogonRight', # Deny logon as a batch job
+    'SeDenyServiceLogonRight', # Deny logon as a service
+    'SeTcbPrivilege',
+    'SeMachineAccountPrivilege',
+    'SeCreateTokenPrivilege',
+    'SeCreatePermanentPrivilege',
+    'SeEnableDelegationPrivilege',
+    'SeLockMemoryPrivilege',
+    'SeSyncAgentPrivilege',
+    'SeUnsolicitedInputPrivilege',
+    'SeTrustedCredManAccessPrivilege',
+    'SeRelabelPrivilege', # the privilege to change a Windows integrity label (new to Windows Vista)
+    'SeDenyRemoteInteractiveLogonRight', # Deny logon through Terminal Services
+  ].freeze
+  class SecurityPolicy < Inspec.resource(1)
+    name 'security_policy'
+    supports platform: 'windows'
+    desc 'Use the security_policy InSpec audit resource to test security policies on the Microsoft Windows platform.'
+    example "
+      describe security_policy do
+        its('SeNetworkLogonRight') { should include 'S-1-5-11' }
+      end
+      describe security_policy(translate_sid: true) do
+        its('SeNetworkLogonRight') { should include 'NT AUTHORITY\\Authenticated Users' }
+      end
+    "
+    def initialize(opts = {})
+      @translate_sid = opts[:translate_sid] || false
+    end
+    def content
+      read_content
+    end
+    def params(*opts)
+      opts.inject(read_params) do |res, nxt|
+        res.respond_to?(:key) ? res[nxt] : nil
+      end
+    end
+    def method_missing(name)
+      params = read_params
+      return nil if params.nil?
+      # deep search for hash key
+      params.extend Hashie::Extensions::DeepFind
+      res = params.deep_find(name.to_s)
+      # return an empty array if configuration does not include rights configuration
+      return [] if res.nil? && MS_PRIVILEGES_RIGHTS.include?(name.to_s)
+      res
+    end
+    def to_s
+      'Security Policy'
+    end
+    private
+    def read_content
+      return @content if defined?(@content)
+      # using process pid to prevent any race conditions with multiple runners
+      export_file = "win_secpol-#{Process.pid}.cfg"
+      # export the security policy
+      cmd = inspec.command("secedit /export /cfg #{export_file}")
+      return nil if cmd.exit_status.to_i != 0
+      # store file content
+      cmd = inspec.command("Get-Content #{export_file}")
+      return skip_resource "Can't read security policy" if cmd.exit_status.to_i != 0
+      @content = cmd.stdout
+    ensure
+      # delete temp file
+      inspec.command("Remove-Item #{export_file}").exit_status.to_i
+    end
+    def read_params
+      return @params if defined?(@params)
+      return @params = {} if read_content.nil?
+      conf = SimpleConfig.new(
+        @content,
+        assignment_regex: /^\s*(.*)=\s*(\S*)\s*$/,
+      )
+      @params = convert_hash(conf.params)
+    end
+    # extracts the values, this methods detects:
+    # numbers and SIDs and optimizes them for further usage
+    def extract_value(val)
+      if val =~ /^\d+$/
+        val.to_i
+      # special handling for SID array
+      elsif val =~ /[,]{0,1}\*\S/
+        if @translate_sid
+          val.split(',').map { |v|
+            object_name = inspec.command("(New-Object System.Security.Principal.SecurityIdentifier(\"#{v.sub('*S', 'S')}\")).Translate( [System.Security.Principal.NTAccount]).Value").stdout.to_s.strip
+            object_name.empty? || object_name.nil? ? v.sub('*S', 'S') : object_name
+          }
+        else
+          val.split(',').map { |v|
+            v.sub('*S', 'S')
+          }
+        end
+      # special handling for string values with "
+      elsif !(m = /^\"(.*)\"$/.match(val)).nil?
+        m[1]
+      else
+        val
+      end
+    end
+    def convert_hash(hash)
+      new_hash = {}
+      hash.each do |k, v|
+        v.is_a?(Hash) ? value = convert_hash(v) : value = extract_value(v)
+        new_hash[k.strip] = value
+      end
+      new_hash
+    end
+  end
+end

data/lib/resources/service.rb ADDED

@@ -0,0 +1,794 @@
+# encoding: utf-8
+require 'hashie'
+require 'utils/file_reader'
+module Inspec::Resources
+  class Runlevels < Hash
+    attr_accessor :owner
+    def self.from_hash(owner, hash = {}, filter = nil)
+      res = Runlevels.new(owner)
+      filter = filter.first if filter.is_a?(Array) && filter.length <= 1
+      ks = case filter
+           when nil
+             hash.keys
+           when Regexp
+             hash.keys.find_all { |x| x.to_s =~ filter }
+           when Array
+             f = filter.map(&:to_s)
+             hash.keys.find_all { |x| f.include?(x.to_s) }
+           when Numeric
+             hash.keys.include?(filter) ? [filter] : []
+           else
+             hash.keys.find_all { |x| x == filter }
+           end
+      ks.each { |k| res[k] = hash[k] }
+      res
+    end
+    def initialize(owner, default = false)
+      @owner = owner
+      super(default)
+    end
+    def filter(f)
+      Runlevels.from_hash(owner, self, f)
+    end
+    # Check if all runlevels are enabled
+    #
+    # @return [boolean] true if all runlevels are enabled
+    def enabled?
+      values.all?
+    end
+    # Check if all runlevels are disabled
+    #
+    # @return [boolean] true if all runlevels are disabled
+    def disabled?
+      values.none?
+    end
+    def to_s
+      "#{owner} runlevels #{keys.join(', ')}"
+    end
+  end
+  # We detect the init system for each operating system, based on the operating
+  # system.
+  #
+  # Fedora 15 : systemd
+  # RedHat 7 : systemd
+  # Ubuntu 15.04 : systemd
+  # Ubuntu < 15.04 : upstart
+  #
+  # TODO: extend the logic to detect the running init system, independently of OS
+  class Service < Inspec.resource(1)
+    name 'service'
+    supports platform: 'unix'
+    supports platform: 'windows'
+    desc 'Use the service InSpec audit resource to test if the named service is installed, running and/or enabled.'
+    example "
+      describe service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+        its('type') { should be 'systemd' }
+        its ('startmode') { should be 'Auto'}
+      end
+      describe service('service_name').runlevels(3, 5) do
+        it { should be_enabled }
+      end
+      describe service('service_name').params do
+        its('UnitFileState') { should eq 'enabled' }
+      end
+    "
+    attr_reader :service_ctl
+    def initialize(service_name, service_ctl = nil)
+      @service_name = service_name
+      @service_mgmt = nil
+      @service_ctl ||= service_ctl
+      @cache = nil
+      @service_mgmt = select_service_mgmt
+      return skip_resource 'The `service` resource is not supported on your OS yet.' if @service_mgmt.nil?
+    end
+    def select_service_mgmt # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/MethodLength
+      os = inspec.os
+      platform = os[:name]
+      # Ubuntu
+      # @see: https://wiki.ubuntu.com/SystemdForUpstartUsers
+      # Ubuntu 15.04 : Systemd
+      #   Systemd runs with PID 1 as /sbin/init.
+      #   Upstart runs with PID 1 as /sbin/upstart.
+      # Ubuntu < 15.04 : Upstart
+      # Upstart runs with PID 1 as /sbin/init.
+      # Systemd runs with PID 1 as /lib/systemd/systemd.
+      if %w{ubuntu}.include?(platform)
+        version = os[:release].to_f
+        if version < 15.04
+          Upstart.new(inspec, service_ctl)
+        else
+          Systemd.new(inspec, service_ctl)
+        end
+      elsif %w{linuxmint}.include?(platform)
+        version = os[:release].to_f
+        if version < 18
+          Upstart.new(inspec, service_ctl)
+        else
+          Systemd.new(inspec, service_ctl)
+        end
+      elsif %w{debian}.include?(platform)
+        version = os[:release].to_i
+        if version > 7
+          Systemd.new(inspec, service_ctl)
+        else
+          SysV.new(inspec, service_ctl || '/usr/sbin/service')
+        end
+      elsif %w{redhat fedora centos oracle}.include?(platform)
+        version = os[:release].to_i
+        if (%w{redhat centos oracle}.include?(platform) && version >= 7) || (platform == 'fedora' && version >= 15)
+          Systemd.new(inspec, service_ctl)
+        else
+          SysV.new(inspec, service_ctl || '/sbin/service')
+        end
+      elsif %w{wrlinux}.include?(platform)
+        SysV.new(inspec, service_ctl)
+      elsif %w{mac_os_x}.include?(platform)
+        LaunchCtl.new(inspec, service_ctl)
+      elsif os.windows?
+        WindowsSrv.new(inspec)
+      elsif %w{freebsd}.include?(platform)
+        BSDInit.new(inspec, service_ctl)
+      elsif %w{arch}.include?(platform)
+        Systemd.new(inspec, service_ctl)
+      elsif %w{coreos}.include?(platform)
+        Systemd.new(inspec, service_ctl)
+      elsif %w{suse opensuse}.include?(platform)
+        if os[:release].to_i >= 12
+          Systemd.new(inspec, service_ctl)
+        else
+          SysV.new(inspec, service_ctl || '/sbin/service')
+        end
+      elsif %w{aix}.include?(platform)
+        SrcMstr.new(inspec)
+      elsif %w{amazon}.include?(platform)
+        if os[:release] =~ /^20\d\d/
+          Upstart.new(inspec, service_ctl)
+        else
+          Systemd.new(inspec, service_ctl)
+        end
+      elsif os.solaris?
+        Svcs.new(inspec)
+      end
+    end
+    def info
+      return nil if @service_mgmt.nil?
+      @cache ||= @service_mgmt.info(@service_name)
+    end
+    # verifies if the service is enabled
+    def enabled?(_level = nil)
+      return false if info.nil?
+      info[:enabled]
+    end
+    def params
+      return {} if info.nil?
+      Hashie::Mash.new(info[:params] || {})
+    end
+    # verifies the service is registered
+    def installed?(_name = nil, _version = nil)
+      return false if info.nil?
+      info[:installed]
+    end
+    # verifies the service is currently running
+    def running?(_under = nil)
+      return false if info.nil?
+      info[:running]
+    end
+    # get all runlevels that are available and their configuration
+    def runlevels(*args)
+      return Runlevels.new(self) if info.nil? or info[:runlevels].nil?
+      Runlevels.from_hash(self, info[:runlevels], args)
+    end
+    # returns the service type from info
+    def type
+      return nil if info.nil?
+      info[:type]
+    end
+    # returns the service name from info
+    def name
+      return @service_name if info.nil?
+      info[:name]
+    end
+    # returns the service description from info
+    def description
+      return nil if info.nil?
+      info[:description]
+    end
+    # returns the service start up mode from info
+    def startmode
+      return nil if info.nil?
+      info[:startmode]
+    end
+    def to_s
+      "Service #{@service_name}"
+    end
+    private :info
+  end
+  class ServiceManager
+    attr_reader :inspec, :service_ctl
+    def initialize(inspec, service_ctl = nil)
+      @inspec = inspec
+      @service_ctl ||= service_ctl
+    end
+  end
+  # @see: http://www.freedesktop.org/software/systemd/man/systemctl.html
+  # @see: http://www.freedesktop.org/software/systemd/man/systemd-system.conf.html
+  class Systemd < ServiceManager
+    def initialize(inspec, service_ctl = nil)
+      @service_ctl = service_ctl || 'systemctl'
+      super
+    end
+    def is_enabled?(service_name)
+      result = inspec.command("#{service_ctl} is-enabled #{service_name} --quiet")
+      return true if result.exit_status == 0
+      # Some systems may not have a `.service` file for a particular service
+      # which causes the `systemctl is-enabled` check to fail despite the
+      # service being enabled. In that event we fallback to `sysv_service`.
+      if result.stderr =~ /Failed to get.*No such file or directory/
+        return inspec.sysv_service(service_name).enabled?
+      end
+      false
+    end
+    def is_active?(service_name)
+      inspec.command("#{service_ctl} is-active #{service_name} --quiet").exit_status == 0
+    end
+    def info(service_name)
+      cmd = inspec.command("#{service_ctl} show --all #{service_name}")
+      return nil if cmd.exit_status.to_i != 0
+      # parse data
+      params = SimpleConfig.new(
+        cmd.stdout.chomp,
+        assignment_regex: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/,
+        multiple_values: false,
+      ).params
+      # LoadState values eg. loaded, not-found
+      installed = params['LoadState'] == 'loaded'
+      {
+        name: params['Id'],
+        description: params['Description'],
+        installed: installed,
+        running: is_active?(service_name),
+        enabled: is_enabled?(service_name),
+        type: 'systemd',
+        params: params,
+      }
+    end
+  end
+  # AIX services
+  class SrcMstr < ServiceManager
+    attr_reader :name
+    def info(service_name)
+      @name = service_name
+      running = status?
+      return nil if running.nil?
+      {
+        name: service_name,
+        description: nil,
+        installed: true,
+        running: running,
+        enabled: enabled?,
+        type: 'srcmstr',
+      }
+    end
+    private
+    def status?
+      status_cmd = inspec.command("lssrc -s #{@name}")
+      return nil if status_cmd.exit_status.to_i != 0
+      status_cmd.stdout.split(/\n/).last.chomp =~ /active$/ ? true : false
+    end
+    def enabled?
+      enabled_rc_tcpip? || enabled_inittab?
+    end
+    def enabled_rc_tcpip?
+      inspec.command(
+        "grep -v ^# /etc/rc.tcpip | grep 'start ' | grep -Eq '(/{0,1}| )#{name} '",
+      ).exit_status == 0
+    end
+    def enabled_inittab?
+      inspec.command("lsitab #{name}").exit_status == 0
+    end
+  end
+  # @see: http://upstart.ubuntu.com
+  class Upstart < ServiceManager
+    include FileReader
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || 'initctl'
+      super
+    end
+    def info(service_name)
+      # get the status of upstart service
+      status = inspec.command("#{service_ctl} status #{service_name}")
+      # fallback for systemv services, those are not handled via `initctl`
+      return SysV.new(inspec).info(service_name) if status.exit_status.to_i != 0 || status.stdout == ''
+      # @see: http://upstart.ubuntu.com/cookbook/#job-states
+      # grep for running to indicate the service is there
+      running = !status.stdout[%r{start/running}].nil?
+      enabled = info_enabled(service_name)
+      {
+        name: service_name,
+        description: nil,
+        installed: true,
+        running: running,
+        enabled: enabled,
+        type: 'upstart',
+      }
+    end
+    private
+    def info_enabled(service_name)
+      # check if a service is enabled
+      config = read_file_content("/etc/init/#{service_name}.conf", allow_empty: true)
+      !config.match(/^\s*start on/).nil?
+    end
+    def version
+      @version ||= begin
+        out = inspec.command("#{service_ctl} --version").stdout
+        Gem::Version.new(out[/\(upstart ([^\)]+)\)/, 1])
+      end
+    end
+  end
+  class SysV < ServiceManager
+    RUNLEVELS = { 0=>false, 1=>false, 2=>false, 3=>false, 4=>false, 5=>false, 6=>false }.freeze
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || 'service'
+      super
+    end
+    def info(service_name)
+      # check if service is installed
+      # read all available services via ls /etc/init.d/
+      srvlist = inspec.command('ls -1 /etc/init.d/')
+      return nil if srvlist.exit_status != 0
+      # check if the service is in list
+      service = srvlist.stdout.split("\n").select { |srv| srv == service_name }
+      # abort if we could not find any service
+      return nil if service.empty?
+      # read all enabled services from runlevel
+      # on rhel via: 'chkconfig --list', is not installed by default
+      # bash: for i in `find /etc/rc*.d -name S*`; do basename $i | sed -r 's/^S[0-9]+//'; done | sort | uniq
+      enabled_services_cmd = inspec.command('find /etc/rc*.d /etc/init.d/rc*.d -name "S*"').stdout
+      service_line = %r{rc(?<runlevel>[0-6])\.d/S[^/]*?#{Regexp.escape service_name}$}
+      all_services = enabled_services_cmd.split("\n").map { |line|
+        service_line.match(line)
+      }.compact
+      enabled = !all_services.empty?
+      # Determine a list of runlevels which this service is activated for
+      runlevels = RUNLEVELS.dup
+      all_services.each { |x| runlevels[x[:runlevel].to_i] = true }
+      # check if service is really running
+      # service throws an exit code if the service is not installed or
+      # not enabled
+      cmd = inspec.command("#{service_ctl} #{service_name} status")
+      running = cmd.exit_status == 0
+      {
+        name: service_name,
+        description: nil,
+        installed: true,
+        running: running,
+        enabled: enabled,
+        runlevels: runlevels,
+        type: 'sysv',
+      }
+    end
+  end
+  # @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
+  # @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
+  class BSDInit < ServiceManager
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || 'service'
+      super
+    end
+    def info(service_name)
+      # check if service is enabled
+      # services are enabled in /etc/rc.conf and /etc/defaults/rc.conf
+      # via #{service_name}_enable="YES"
+      # service SERVICE status returns the following result if not activated:
+      #   Cannot 'status' sshd. Set sshd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
+      # gather all enabled services
+      cmd = inspec.command("#{service_ctl} -e")
+      return nil if cmd.exit_status != 0
+      # search for the service
+      srv = /(^.*#{service_name}$)/.match(cmd.stdout)
+      return nil if srv.nil? || srv[0].nil?
+      enabled = true
+      # check if the service is running
+      # if the service is not available or not running, we always get an error code
+      cmd = inspec.command("#{service_ctl} #{service_name} onestatus")
+      running = cmd.exit_status == 0
+      {
+        name: service_name,
+        description: nil,
+        installed: true,
+        running: running,
+        enabled: enabled,
+        type: 'bsd-init',
+      }
+    end
+  end
+  class Runit < ServiceManager
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || 'sv'
+      super
+    end
+    # rubocop:disable Style/DoubleNegation
+    def info(service_name)
+      # get the status of runit service
+      cmd = inspec.command("#{service_ctl} status #{service_name}")
+      # return nil unless cmd.exit_status == 0 # NOTE(sr) why do we do this?
+      installed = cmd.exit_status == 0
+      running = installed && !!(cmd.stdout =~ /^run:/)
+      enabled = installed && (running || !!(cmd.stdout =~ /normally up/) || !!(cmd.stdout =~ /want up/))
+      {
+        name: service_name,
+        description: nil,
+        installed: installed,
+        running: running,
+        enabled: enabled,
+        type: 'runit',
+      }
+    end
+  end
+  # MacOS / Darwin
+  # new launctl on macos 10.10
+  class LaunchCtl < ServiceManager
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || 'launchctl'
+      super
+    end
+    def info(service_name)
+      # get the status of upstart service
+      cmd = inspec.command("#{service_ctl} list")
+      return nil if cmd.exit_status != 0
+      # search for the service
+      srv = /(^.*#{service_name}.*)/.match(cmd.stdout)
+      return nil if srv.nil? || srv[0].nil?
+      # extract values from service
+      parsed_srv = /^(?<pid>[0-9-]+)\t(?<exit>[0-9]+)\t(?<name>\S*)$/.match(srv[0])
+      enabled = !parsed_srv['name'].nil? # it's in the list
+      # check if the service is running
+      pid = parsed_srv['pid']
+      running = pid != '-'
+      # extract service label
+      srv = parsed_srv['name'] || service_name
+      {
+        name: srv,
+        description: nil,
+        installed: true,
+        running: running,
+        enabled: enabled,
+        type: 'darwin',
+      }
+    end
+  end
+  # Determine the service state from Windows
+  # Uses Powershell to retrieve the information
+  class WindowsSrv < ServiceManager
+    # Determine service details
+    # PS: Get-Service -Name 'dhcp'| Select-Object -Property Name, DisplayName, Status | ConvertTo-Json
+    # {
+    #     "Name":  "dhcp",
+    #     "DisplayName":  "DHCP Client",
+    #     "Status":  4
+    # }
+    #
+    # Until StartMode is not added to Get-Service, we need to do a workaround
+    # @see: https://connect.microsoft.com/PowerShell/feedback/details/424948/i-would-like-to-see-the-property-starttype-added-to-get-services
+    # Also see: https://msdn.microsoft.com/en-us/library/aa384896(v=vs.85).aspx
+    # Use the following powershell to determine the start mode
+    # PS: Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq $name -or $_.DisplayName -eq $name} | Select-Object -Prop
+    # erty Name, StartMode, State, Status | ConvertTo-Json
+    # {
+    #     "Name":  "Dhcp",
+    #     "StartMode":  "Auto",
+    #     "State":  "Running",
+    #     "Status":  "OK"
+    # }
+    #
+    # Windows Services have the following status code:
+    # @see: https://msdn.microsoft.com/en-us/library/windows/desktop/ms685996(v=vs.85).aspx
+    # - 1: Stopped
+    # - 2: Starting
+    # - 3: Stopping
+    # - 4: Running
+    # - 5: Continue Pending
+    # - 6: Pause Pending
+    # - 7: Paused
+    def info(service_name)
+      cmd = inspec.command("New-Object -Type PSObject | Add-Member -MemberType NoteProperty -Name Service -Value (Get-Service -Name '#{service_name}'| Select-Object -Property Name, DisplayName, Status) -PassThru | Add-Member -MemberType NoteProperty -Name WMI -Value (Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq '#{service_name}' -or $_.DisplayName -eq '#{service_name}'} | Select-Object -Property StartMode) -PassThru | ConvertTo-Json")
+      # cannot rely on exit code for now, successful command returns exit code 1
+      # return nil if cmd.exit_status != 0
+      # try to parse json
+      begin
+        service = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        return nil
+      end
+      # check that we got a response
+      return nil if service.nil? || service['Service'].nil?
+      {
+        name: service['Service']['Name'],
+        description: service['Service']['DisplayName'],
+        installed: true,
+        running: service_running?(service),
+        enabled: service_enabled?(service),
+        startmode: service['WMI']['StartMode'],
+        type: 'windows',
+      }
+    end
+    private
+    # detect if service is enabled
+    def service_enabled?(service)
+      !service['WMI'].nil? &&
+        !service['WMI']['StartMode'].nil? &&
+        (service['WMI']['StartMode'] == 'Auto' ||
+        service['WMI']['StartMode'] == 'Manual')
+    end
+    # detect if service is running
+    def service_running?(service)
+      !service['Service']['Status'].nil? && service['Service']['Status'] == 4
+    end
+  end
+  # Solaris services
+  class Svcs < ServiceManager
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || 'svcs'
+      super
+    end
+    def info(service_name)
+      # get the status of runit service
+      cmd = inspec.command("#{service_ctl} -l #{service_name}")
+      return nil if cmd.exit_status != 0
+      params = SimpleConfig.new(
+        cmd.stdout.chomp,
+        assignment_regex: /^(\w+)\s*(.*)$/,
+        multiple_values: false,
+      ).params
+      installed = cmd.exit_status == 0
+      running = installed && (params['state'] == 'online')
+      enabled = installed && (params['enabled'] == 'true')
+      {
+        name: service_name,
+        description: params['name'],
+        installed: installed,
+        running: running,
+        enabled: enabled,
+        type: 'svcs',
+      }
+    end
+  end
+  # specific resources for specific service managers
+  class SystemdService < Service
+    name 'systemd_service'
+    supports platform: 'unix'
+    desc 'Use the systemd_service InSpec audit resource to test if the named service (controlled by systemd) is installed, running and/or enabled.'
+    example "
+      # to override service mgmt auto-detection
+      describe systemd_service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+      end
+      # to set a non-standard systemctl path
+      describe systemd_service('service_name', '/path/to/systemctl') do
+        it { should be_running }
+      end
+    "
+    def select_service_mgmt
+      Systemd.new(inspec, service_ctl)
+    end
+  end
+  class UpstartService < Service
+    name 'upstart_service'
+    supports platform: 'unix'
+    desc 'Use the upstart_service InSpec audit resource to test if the named service (controlled by upstart) is installed, running and/or enabled.'
+    example "
+      # to override service mgmt auto-detection
+      describe upstart_service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+      end
+      # to set a non-standard initctl path
+      describe upstart_service('service_name', '/path/to/initctl') do
+        it { should be_running }
+      end
+    "
+    def select_service_mgmt
+      Upstart.new(inspec, service_ctl)
+    end
+  end
+  class SysVService < Service
+    name 'sysv_service'
+    supports platform: 'unix'
+    desc 'Use the sysv_service InSpec audit resource to test if the named service (controlled by SysV) is installed, running and/or enabled.'
+    example "
+      # to override service mgmt auto-detection
+      describe sysv_service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+      end
+      # to set a non-standard service path
+      describe sysv_service('service_name', '/path/to/service') do
+        it { should be_running }
+      end
+    "
+    def select_service_mgmt
+      SysV.new(inspec, service_ctl)
+    end
+  end
+  class BSDService < Service
+    name 'bsd_service'
+    supports platform: 'unix'
+    desc 'Use the bsd_service InSpec audit resource to test if the named service (controlled by BSD init) is installed, running and/or enabled.'
+    example "
+      # to override service mgmt auto-detection
+      describe bsd_service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+      end
+      # to set a non-standard service path
+      describe bsd_service('service_name', '/path/to/service') do
+        it { should be_running }
+      end
+    "
+    def select_service_mgmt
+      BSDInit.new(inspec, service_ctl)
+    end
+  end
+  class LaunchdService < Service
+    name 'launchd_service'
+    supports platform: 'unix'
+    desc 'Use the launchd_service InSpec audit resource to test if the named service (controlled by launchd) is installed, running and/or enabled.'
+    example "
+      # to override service mgmt auto-detection
+      describe launchd_service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+      end
+      # to set a non-standard launchctl path
+      describe launchd_service('service_name', '/path/to/launchctl') do
+        it { should be_running }
+      end
+    "
+    def select_service_mgmt
+      LaunchCtl.new(inspec, service_ctl)
+    end
+  end
+  class RunitService < Service
+    name 'runit_service'
+    supports platform: 'unix'
+    desc 'Use the runit_service InSpec audit resource to test if the named service (controlled by runit) is installed, running and/or enabled.'
+    example "
+      # to override service mgmt auto-detection
+      describe runit_service('service_name') do
+        it { should be_installed }
+        it { should be_enabled }
+        it { should be_running }
+      end
+      # to set a non-standard sv path
+      describe runit_service('service_name', '/path/to/sv') do
+        it { should be_running }
+      end
+    "
+    def select_service_mgmt
+      Runit.new(inspec, service_ctl)
+    end
+  end
+end