inspec-core 2.1.84 → 2.2.10
- checksums.yaml +4 -4
- data/CHANGELOG.md +31 -8
- data/README.md +1 -0
- data/docs/dev/filtertable-internals.md +353 -0
- data/docs/dev/filtertable-usage.md +533 -0
- data/docs/matchers.md +36 -36
- data/docs/profiles.md +2 -2
- data/docs/resources/apache.md.erb +1 -1
- data/docs/resources/crontab.md.erb +10 -6
- data/docs/resources/dh_params.md.erb +71 -65
- data/docs/resources/docker_service.md.erb +1 -1
- data/docs/resources/etc_fstab.md.erb +1 -1
- data/docs/resources/firewalld.md.erb +1 -1
- data/docs/resources/http.md.erb +1 -1
- data/docs/resources/iis_app.md.erb +1 -1
- data/docs/resources/inetd_conf.md.erb +1 -1
- data/docs/resources/nginx.md.erb +1 -1
- data/docs/resources/npm.md.erb +9 -1
- data/docs/resources/os.md.erb +21 -19
- data/docs/resources/shadow.md.erb +37 -31
- data/docs/resources/x509_certificate.md.erb +2 -2
- data/examples/custom-resource/README.md +3 -0
- data/examples/custom-resource/controls/example.rb +7 -0
- data/examples/custom-resource/inspec.yml +8 -0
- data/examples/custom-resource/libraries/batsignal.rb +20 -0
- data/examples/custom-resource/libraries/gordon.rb +21 -0
- data/lib/inspec/reporters/junit.rb +1 -0
- data/lib/inspec/resource.rb +8 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/npm.rb +15 -2
- data/lib/resources/package.rb +1 -1
- data/lib/utils/filter.rb +243 -85
- metadata +9 -2
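--- a/data/docs/matchers.md
+++ b/data/docs/matchers.md
@@ -55,58 +55,58 @@ end
 
 * Compare strings to numbers
 
-
-
-
+```ruby
+describe sshd_config do
+its('Protocol') { should eq '2' }
 
-
-
-
-
+its('Protocol') { should cmp '2' }
+its('Protocol') { should cmp 2 }
+end
+```
 
 * String comparisons are not case-sensitive
 
-
-
-
-
-
-
+```ruby
+describe auditd_conf do
+its('log_format') { should cmp 'raw' }
+its('log_format') { should cmp 'RAW' }
+end
+```
 * Recognize versions embedded in strings
 
-
-
-
-
-
+```ruby
+describe package(curl) do
+its('version') { should cmp > '7.35.0-1ubuntu2.10' }
+end
+```
 
 * Compare arrays with only one entry to a value
 
-
-
-
-
-
-
+```ruby
+describe passwd.uids(0) do
+its('users') { should cmp 'root' }
+its('users') { should cmp ['root'] }
+end
+```
 
 * Single-value arrays of strings may also be compared to a regex
 
-
-
-
-
-
+```ruby
+describe auditd_conf do
+its('log_format') { should cmp /raw/i }
+end
+```
 
 * Improved printing of octal comparisons
 
-
-
-
-
+```ruby
+describe file('/proc/cpuinfo') do
+its('mode') { should cmp '0345' }
+end
 
-
-
-
+expected: 0345
+got: 0444
+```
 <br>
 
 ## eq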
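--- a/data/docs/profiles.md
+++ b/data/docs/profiles.md
@@ -29,7 +29,7 @@ where:
 * `files` is the directory with additional files that a profile can access (optional)
 * `README.md` should be used to explain the profile, its scope, and usage
 
-See a complete example profile in the InSpec open source repository: [
+See a complete example profile in the InSpec open source repository: [Example InSpec Profile](https://github.com/chef/inspec/tree/master/examples/profile)
 
 Also check out [Explore InSpec resources](https://learn.chef.io/modules/explore-inspec-resources#/) on Learn Chef Rally to learn more about how profiles are structured with hands-on examples.
 
@@ -300,7 +300,7 @@ The following command runs the tests and applies the secrets specified in `profi
 
 $ inspec exec examples/profile-attribute --attrs examples/profile-attribute.yml
 
-See the full example in the InSpec open source repository: https://github.com/chef/inspec/tree/master/examples/profile-attribute
+See the full example in the InSpec open source repository: [Example InSpec Profile with Attributes](https://github.com/chef/inspec/tree/master/examples/profile-attribute)
 
 # Profile files
 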
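--- a/data/docs/resources/crontab.md.erb
+++ b/data/docs/resources/crontab.md.erb
@@ -38,15 +38,19 @@ The following examples show how to use this InSpec audit resource.
 
 ### Test that the logged-in user's crontab has no tasks set to run on every hour and every minute
 
-
-
-
+```ruby
+describe crontab.where({'hour' => '*', 'minute' => '*'}) do
+its('entries.length') { should cmp '0' }
+end
+```
 
 ### Test that the logged-in user's crontab contains a single command that matches a pattern
 
-
-
-
+```ruby
+describe crontab.where { command =~ /a partial command string/ } do
+its('entries.length') { should cmp 1 }
+end
+```
 
 ### Test a special time string (i.e., @yearly /root/annual_report.sh)
 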
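--- a/data/docs/resources/dh_params.md.erb
+++ b/data/docs/resources/dh_params.md.erb
@@ -51,31 +51,33 @@ Verify prime modulus used for the Diffie-Hellman operation:
 
 Example using multi-line string:
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+```ruby
+describe dh_params('/path/to/file.dh_pem') do
+its('modulus') do
+# regex removes all whitespace
+should eq <<-EOF.gsub(/[[:space:]]+/, '')
+00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
+f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
+48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
+1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
+2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
+ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
+30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
+1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
+28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
+2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
+01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
+e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
+3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
+60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
+31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
+5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
+4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
+cd:13
+EOF
+end
+end
+```
 
 ### prime_length (Integer)
 
@@ -95,19 +97,21 @@ Verify `pem` output of DH parameters:
 
 Example using multi-line string:
 
-
-
-
-
-
-
-
-
-
-
-
-
-
+```ruby
+its('pem') do
+# regex removes all leading spaces
+should eq <<-EOF.gsub(/^[[:blank:]]+/, '')
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAkaAVieW8OJMSAvyRooX39yljLtNOeob37oT+QtBIvJyR1VT4eB3A
+QXiixKwaJIudiFWYC6ynI+vCqisuqfmv1I5OEbx/NaKs2jrv8CVsmqT9ACh2hixX
+h2cwXbHWWyKPcqHq3ovvnjMaQJJohQJUAgn6wGDBPE4oJtvtJY44IVZA3MDAZh8r
+MsO0eKkmlOr3QSiy9VsBOAxGCYUmTWkSjZUPNeLmTkc6ht2Ksv5FFSfYWcI89GL/
+X3Tpd5JQRzYrBVdg7nuhYMwceit3GIo398cxPhXLFX97Zpb7xr591gNeDWB1K1ti
+KqM3tjT5/pZM9sXjoVKvAcFPx0Kgvu3NEwIBAg==
+-----END DH PARAMETERS-----
+EOF
+end
+```
 
 Verify via `openssl dhparam` command:
 
@@ -131,32 +135,34 @@ Verify human-readable text output of DH parameters:
 
 Example using multi-line string:
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+```ruby
+its('text') do
+# regex removes 2 leading spaces
+should eq <<-EOF.gsub(/^[[:blank:]]{2}/, '')
+PKCS#3 DH Parameters: (2048 bit)
+prime:
+00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
+f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
+48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
+1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
+2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
+ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
+30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
+1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
+28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
+2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
+01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
+e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
+3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
+60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
+31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
+5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
+4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
+cd:13
+generator: 2 (0x2)
+EOF
+end
+```
 
 Verify via `openssl dhparam` command:
 
@@ -189,7 +195,7 @@ Verify via `openssl dhparam` command:
 
 For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
 
-###
+### be_valid
 
 Verify whether DH parameters are valid:
 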
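--- a/data/docs/resources/docker_service.md.erb
+++ b/data/docs/resources/docker_service.md.erb
@@ -50,7 +50,7 @@ The `id` property returns the service id:
 
 ### image
 
-The `image` property
+The `image` property is a combination of `repository:tag` it tests the value of the image:
 
 its('image') { should eq 'alpine:latest' }
 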
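--- a/data/docs/resources/etc_fstab.md.erb
+++ b/data/docs/resources/etc_fstab.md.erb
@@ -89,7 +89,7 @@ Use the optional constructor parameter to give an alternative path to fstab file
 its('dump_options') { should cmp 0 }
 end
 
-###
+### file\_system\_options
 
 `file_system_options` returns a integer array of each partitions file system option.
 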
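--- a/data/docs/resources/http.md.erb
+++ b/data/docs/resources/http.md.erb
@@ -172,7 +172,7 @@ In InSpec 2.0, the HTTP test will automatically execute remotely whenever InSpec
 
 The `body` matcher tests body content of http response:
 
-
+its('body') { should eq 'hello\n' }
 
 ### headers
 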
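--- a/data/docs/resources/iis_app.md.erb
+++ b/data/docs/resources/iis_app.md.erb
@@ -28,7 +28,7 @@ where
 * `'site_name'` is the name of the site, such as `'Default Web Site'`
 * `('application_pool')` is the name of the application pool in which the site's root application is run, such as `'DefaultAppPool'`
 * `('protocols')` is a binding for the site, such as `'http'`. A site may have multiple bindings; therefore, use a `have_protocol` matcher for each site protocol to be tested
-* `('physical_path') is the physical path to the application, such as `'C:\\inetpub\\wwwroot\\myapp'`
+* `('physical_path')` is the physical path to the application, such as `'C:\\inetpub\\wwwroot\\myapp'`
 
 For example:
 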
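--- a/data/docs/resources/inetd_conf.md.erb
+++ b/data/docs/resources/inetd_conf.md.erb
@@ -5,7 +5,7 @@ platform: linux
 
 # inetd_conf
 
-Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled
+Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
 
 <br>
 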
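--- a/data/docs/resources/nginx.md.erb
+++ b/data/docs/resources/nginx.md.erb
@@ -32,7 +32,7 @@ where
 
 ## Properties
 
-*
+* `compiler_info`, `error_log_path`, `http_client_body_temp_path`, `http_fastcgi_temp_path`, `http_log_path`, `http_proxy_temp_path`, `http_scgi_temp_path`, `http_uwsgi_temp_path`, `lock_path`, `modules`, `modules_path`, `openssl_version`, `prefix`, `sbin_path`, `service`, `support_info`, `version`
 
 <br>
 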
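--- a/data/docs/resources/npm.md.erb
+++ b/data/docs/resources/npm.md.erb
@@ -5,7 +5,7 @@ platform: os
 
 # npm
 
-Use the `npm` InSpec audit resource to test if a global NPM package is installed. NPM is the the package manager for Node.js packages
+Use the `npm` InSpec audit resource to test if a global NPM package is installed. NPM is the the package manager for [Node.js packages](https://docs.npmjs.com), such as Bower and StatsD.
 
 <br>
 
@@ -22,6 +22,14 @@ where
 * `('npm_package_name')` must specify an NPM package, such as `'bower'` or `'statsd'`
 * `be_installed` is a valid matcher for this resource
 
+You can also specify additional options:
+
+describe npm('npm_package_name', path: '/path/to/project') do
+it { should be_installed }
+end
+
+The `path` specifies a folder, that contains a `node_modules` subdirectory. It emulates running `npm` inside the specified folder. This way you can inspect local NPM installations as well as global ones.
+
 <br>
 
 ## Examples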
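--- a/data/docs/resources/os.md.erb
+++ b/data/docs/resources/os.md.erb
@@ -120,22 +120,24 @@ Use `os.family` to enable more granular testing of platforms, platform names, ar
 
 For example, both of the following tests should have the same result:
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+```ruby
+if os.family == 'debian'
+describe port(69) do
+its('processes') { should include 'in.tftpd' }
+end
+elsif os.family == 'redhat'
+describe port(69) do
+its('processes') { should include 'xinetd' }
+end
+end
+
+if os.debian?
+describe port(69) do
+its('processes') { should include 'in.tftpd' }
+end
+elsif os.redhat?
+describe port(69) do
+its('processes') { should include 'xinetd' }
+end
+end
+```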