inspec-core 2.1.84 → 2.2.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +31 -8
- data/README.md +1 -0
- data/docs/dev/filtertable-internals.md +353 -0
- data/docs/dev/filtertable-usage.md +533 -0
- data/docs/matchers.md +36 -36
- data/docs/profiles.md +2 -2
- data/docs/resources/apache.md.erb +1 -1
- data/docs/resources/crontab.md.erb +10 -6
- data/docs/resources/dh_params.md.erb +71 -65
- data/docs/resources/docker_service.md.erb +1 -1
- data/docs/resources/etc_fstab.md.erb +1 -1
- data/docs/resources/firewalld.md.erb +1 -1
- data/docs/resources/http.md.erb +1 -1
- data/docs/resources/iis_app.md.erb +1 -1
- data/docs/resources/inetd_conf.md.erb +1 -1
- data/docs/resources/nginx.md.erb +1 -1
- data/docs/resources/npm.md.erb +9 -1
- data/docs/resources/os.md.erb +21 -19
- data/docs/resources/shadow.md.erb +37 -31
- data/docs/resources/x509_certificate.md.erb +2 -2
- data/examples/custom-resource/README.md +3 -0
- data/examples/custom-resource/controls/example.rb +7 -0
- data/examples/custom-resource/inspec.yml +8 -0
- data/examples/custom-resource/libraries/batsignal.rb +20 -0
- data/examples/custom-resource/libraries/gordon.rb +21 -0
- data/lib/inspec/reporters/junit.rb +1 -0
- data/lib/inspec/resource.rb +8 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/npm.rb +15 -2
- data/lib/resources/package.rb +1 -1
- data/lib/utils/filter.rb +243 -85
- metadata +9 -2
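--- a/data/docs/matchers.md
+++ b/data/docs/matchers.md
@@ -55,58 +55,58 @@ end
 
 * Compare strings to numbers
 
-
-
-
+```ruby
+describe sshd_config do
+its('Protocol') { should eq '2' }
 
-
-
-
-
+its('Protocol') { should cmp '2' }
+its('Protocol') { should cmp 2 }
+end
+```
 
 * String comparisons are not case-sensitive
 
-
-
-
-
-
-
+```ruby
+describe auditd_conf do
+its('log_format') { should cmp 'raw' }
+its('log_format') { should cmp 'RAW' }
+end
+```
 * Recognize versions embedded in strings
 
-
-
-
-
-
+```ruby
+describe package(curl) do
+its('version') { should cmp > '7.35.0-1ubuntu2.10' }
+end
+```
 
 * Compare arrays with only one entry to a value
 
-
-
-
-
-
-
+```ruby
+describe passwd.uids(0) do
+its('users') { should cmp 'root' }
+its('users') { should cmp ['root'] }
+end
+```
 
 * Single-value arrays of strings may also be compared to a regex
 
-
-
-
-
-
+```ruby
+describe auditd_conf do
+its('log_format') { should cmp /raw/i }
+end
+```
 
 * Improved printing of octal comparisons
 
-
-
-
-
+```ruby
+describe file('/proc/cpuinfo') do
+its('mode') { should cmp '0345' }
+end
 
-
-
-
+expected: 0345
+got: 0444
+```
 <br>
 
 ## eq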
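--- a/data/docs/profiles.md
+++ b/data/docs/profiles.md
@@ -29,7 +29,7 @@ where:
 * `files` is the directory with additional files that a profile can access (optional)
 * `README.md` should be used to explain the profile, its scope, and usage
 
-See a complete example profile in the InSpec open source repository: [
+See a complete example profile in the InSpec open source repository: [Example InSpec Profile](https://github.com/chef/inspec/tree/master/examples/profile)
 
 Also check out [Explore InSpec resources](https://learn.chef.io/modules/explore-inspec-resources#/) on Learn Chef Rally to learn more about how profiles are structured with hands-on examples.
 
@@ -300,7 +300,7 @@ The following command runs the tests and applies the secrets specified in `profi
 
 $ inspec exec examples/profile-attribute --attrs examples/profile-attribute.yml
 
-See the full example in the InSpec open source repository: https://github.com/chef/inspec/tree/master/examples/profile-attribute
+See the full example in the InSpec open source repository: [Example InSpec Profile with Attributes](https://github.com/chef/inspec/tree/master/examples/profile-attribute)
 
 # Profile files
 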
@@ -38,15 +38,19 @@ The following examples show how to use this InSpec audit resource.
|
|
38
38
|
|
39
39
|
### Test that the logged-in user's crontab has no tasks set to run on every hour and every minute
|
40
40
|
|
41
|
-
|
42
|
-
|
43
|
-
|
41
|
+
```ruby
|
42
|
+
describe crontab.where({'hour' => '*', 'minute' => '*'}) do
|
43
|
+
its('entries.length') { should cmp '0' }
|
44
|
+
end
|
45
|
+
```
|
44
46
|
|
45
47
|
### Test that the logged-in user's crontab contains a single command that matches a pattern
|
46
48
|
|
47
|
-
|
48
|
-
|
49
|
-
|
49
|
+
```ruby
|
50
|
+
describe crontab.where { command =~ /a partial command string/ } do
|
51
|
+
its('entries.length') { should cmp 1 }
|
52
|
+
end
|
53
|
+
```
|
50
54
|
|
51
55
|
### Test a special time string (i.e., @yearly /root/annual_report.sh)
|
52
56
|
|
@@ -51,31 +51,33 @@ Verify prime modulus used for the Diffie-Hellman operation:
|
|
51
51
|
|
52
52
|
Example using multi-line string:
|
53
53
|
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
54
|
+
```ruby
|
55
|
+
describe dh_params('/path/to/file.dh_pem') do
|
56
|
+
its('modulus') do
|
57
|
+
# regex removes all whitespace
|
58
|
+
should eq <<-EOF.gsub(/[[:space:]]+/, '')
|
59
|
+
00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
|
60
|
+
f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
|
61
|
+
48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
|
62
|
+
1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
|
63
|
+
2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
|
64
|
+
ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
|
65
|
+
30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
|
66
|
+
1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
|
67
|
+
28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
|
68
|
+
2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
|
69
|
+
01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
|
70
|
+
e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
|
71
|
+
3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
|
72
|
+
60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
|
73
|
+
31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
|
74
|
+
5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
|
75
|
+
4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
|
76
|
+
cd:13
|
77
|
+
EOF
|
78
|
+
end
|
79
|
+
end
|
80
|
+
```
|
79
81
|
|
80
82
|
### prime_length (Integer)
|
81
83
|
|
@@ -95,19 +97,21 @@ Verify `pem` output of DH parameters:
|
|
95
97
|
|
96
98
|
Example using multi-line string:
|
97
99
|
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
100
|
+
```ruby
|
101
|
+
its('pem') do
|
102
|
+
# regex removes all leading spaces
|
103
|
+
should eq <<-EOF.gsub(/^[[:blank:]]+/, '')
|
104
|
+
-----BEGIN DH PARAMETERS-----
|
105
|
+
MIIBCAKCAQEAkaAVieW8OJMSAvyRooX39yljLtNOeob37oT+QtBIvJyR1VT4eB3A
|
106
|
+
QXiixKwaJIudiFWYC6ynI+vCqisuqfmv1I5OEbx/NaKs2jrv8CVsmqT9ACh2hixX
|
107
|
+
h2cwXbHWWyKPcqHq3ovvnjMaQJJohQJUAgn6wGDBPE4oJtvtJY44IVZA3MDAZh8r
|
108
|
+
MsO0eKkmlOr3QSiy9VsBOAxGCYUmTWkSjZUPNeLmTkc6ht2Ksv5FFSfYWcI89GL/
|
109
|
+
X3Tpd5JQRzYrBVdg7nuhYMwceit3GIo398cxPhXLFX97Zpb7xr591gNeDWB1K1ti
|
110
|
+
KqM3tjT5/pZM9sXjoVKvAcFPx0Kgvu3NEwIBAg==
|
111
|
+
-----END DH PARAMETERS-----
|
112
|
+
EOF
|
113
|
+
end
|
114
|
+
```
|
111
115
|
|
112
116
|
Verify via `openssl dhparam` command:
|
113
117
|
|
@@ -131,32 +135,34 @@ Verify human-readable text output of DH parameters:
|
|
131
135
|
|
132
136
|
Example using multi-line string:
|
133
137
|
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
138
|
+
```ruby
|
139
|
+
its('text') do
|
140
|
+
# regex removes 2 leading spaces
|
141
|
+
should eq <<-EOF.gsub(/^[[:blank:]]{2}/, '')
|
142
|
+
PKCS#3 DH Parameters: (2048 bit)
|
143
|
+
prime:
|
144
|
+
00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
|
145
|
+
f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
|
146
|
+
48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
|
147
|
+
1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
|
148
|
+
2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
|
149
|
+
ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
|
150
|
+
30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
|
151
|
+
1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
|
152
|
+
28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
|
153
|
+
2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
|
154
|
+
01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
|
155
|
+
e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
|
156
|
+
3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
|
157
|
+
60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
|
158
|
+
31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
|
159
|
+
5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
|
160
|
+
4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
|
161
|
+
cd:13
|
162
|
+
generator: 2 (0x2)
|
163
|
+
EOF
|
164
|
+
end
|
165
|
+
```
|
160
166
|
|
161
167
|
Verify via `openssl dhparam` command:
|
162
168
|
|
@@ -189,7 +195,7 @@ Verify via `openssl dhparam` command:
|
|
189
195
|
|
190
196
|
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
191
197
|
|
192
|
-
###
|
198
|
+
### be_valid
|
193
199
|
|
194
200
|
Verify whether DH parameters are valid:
|
195
201
|
|
@@ -50,7 +50,7 @@ The `id` property returns the service id:
|
|
50
50
|
|
51
51
|
### image
|
52
52
|
|
53
|
-
The `image` property
|
53
|
+
The `image` property is a combination of `repository:tag` it tests the value of the image:
|
54
54
|
|
55
55
|
its('image') { should eq 'alpine:latest' }
|
56
56
|
|
@@ -89,7 +89,7 @@ Use the optional constructor parameter to give an alternative path to fstab file
|
|
89
89
|
its('dump_options') { should cmp 0 }
|
90
90
|
end
|
91
91
|
|
92
|
-
###
|
92
|
+
### file\_system\_options
|
93
93
|
|
94
94
|
`file_system_options` returns a integer array of each partitions file system option.
|
95
95
|
|
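--- a/data/docs/resources/http.md.erb
+++ b/data/docs/resources/http.md.erb
@@ -172,7 +172,7 @@ In InSpec 2.0, the HTTP test will automatically execute remotely whenever InSpec
 
 The `body` matcher tests body content of http response:
 
-
+its('body') { should eq 'hello\n' }
 
 ### headers
 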
@@ -28,7 +28,7 @@ where
|
|
28
28
|
* `'site_name'` is the name of the site, such as `'Default Web Site'`
|
29
29
|
* `('application_pool')` is the name of the application pool in which the site's root application is run, such as `'DefaultAppPool'`
|
30
30
|
* `('protocols')` is a binding for the site, such as `'http'`. A site may have multiple bindings; therefore, use a `have_protocol` matcher for each site protocol to be tested
|
31
|
-
* `('physical_path') is the physical path to the application, such as `'C:\\inetpub\\wwwroot\\myapp'`
|
31
|
+
* `('physical_path')` is the physical path to the application, such as `'C:\\inetpub\\wwwroot\\myapp'`
|
32
32
|
|
33
33
|
For example:
|
34
34
|
|
@@ -5,7 +5,7 @@ platform: linux
|
|
5
5
|
|
6
6
|
# inetd_conf
|
7
7
|
|
8
|
-
Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled
|
8
|
+
Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
|
9
9
|
|
10
10
|
<br>
|
11
11
|
|
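--- a/data/docs/resources/nginx.md.erb
+++ b/data/docs/resources/nginx.md.erb
@@ -32,7 +32,7 @@ where
 
 ## Properties
 
-*
+* `compiler_info`, `error_log_path`, `http_client_body_temp_path`, `http_fastcgi_temp_path`, `http_log_path`, `http_proxy_temp_path`, `http_scgi_temp_path`, `http_uwsgi_temp_path`, `lock_path`, `modules`, `modules_path`, `openssl_version`, `prefix`, `sbin_path`, `service`, `support_info`, `version`
 
 <br>
 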
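--- a/data/docs/resources/npm.md.erb
+++ b/data/docs/resources/npm.md.erb
@@ -5,7 +5,7 @@ platform: os
 
 # npm
 
-Use the `npm` InSpec audit resource to test if a global NPM package is installed. NPM is the the package manager for Node.js packages
+Use the `npm` InSpec audit resource to test if a global NPM package is installed. NPM is the the package manager for [Node.js packages](https://docs.npmjs.com), such as Bower and StatsD.
 
 <br>
 
@@ -22,6 +22,14 @@ where
 * `('npm_package_name')` must specify an NPM package, such as `'bower'` or `'statsd'`
 * `be_installed` is a valid matcher for this resource
 
+You can also specify additional options:
+
+describe npm('npm_package_name', path: '/path/to/project') do
+it { should be_installed }
+end
+
+The `path` specifies a folder, that contains a `node_modules` subdirectory. It emulates running `npm` inside the specified folder. This way you can inspect local NPM installations as well as global ones.
+
 <br>
 
 ## Examples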
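--- a/data/docs/resources/os.md.erb
+++ b/data/docs/resources/os.md.erb
@@ -120,22 +120,24 @@ Use `os.family` to enable more granular testing of platforms, platform names, ar
 
 For example, both of the following tests should have the same result:
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+```ruby
+if os.family == 'debian'
+describe port(69) do
+its('processes') { should include 'in.tftpd' }
+end
+elsif os.family == 'redhat'
+describe port(69) do
+its('processes') { should include 'xinetd' }
+end
+end
+
+if os.debian?
+describe port(69) do
+its('processes') { should include 'in.tftpd' }
+end
+elsif os.redhat?
+describe port(69) do
+its('processes') { should include 'xinetd' }
+end
+end
+```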