inspec-core 2.3.10 → 2.3.23
- checksums.yaml +4 -4
- data/CHANGELOG.md +34 -13
- data/etc/plugin_filters.json +25 -0
- data/inspec-core.gemspec +1 -1
- data/lib/bundles/inspec-compliance/api.rb +3 -0
- data/lib/bundles/inspec-compliance/configuration.rb +3 -0
- data/lib/bundles/inspec-compliance/http.rb +3 -0
- data/lib/bundles/inspec-compliance/support.rb +3 -0
- data/lib/bundles/inspec-compliance/target.rb +3 -0
- data/lib/inspec/objects/attribute.rb +3 -0
- data/lib/inspec/plugin/v2.rb +3 -0
- data/lib/inspec/plugin/v2/filter.rb +62 -0
- data/lib/inspec/plugin/v2/installer.rb +21 -1
- data/lib/inspec/plugin/v2/loader.rb +4 -0
- data/lib/inspec/profile.rb +3 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +25 -3
- data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb +65 -11
- data/lib/plugins/inspec-plugin-manager-cli/test/unit/cli_args_test.rb +5 -1
- data/lib/resources/package.rb +1 -1
- metadata +4 -197
- data/docs/.gitignore +0 -2
- data/docs/README.md +0 -41
- data/docs/dev/control-eval.md +0 -62
- data/docs/dev/filtertable-internals.md +0 -353
- data/docs/dev/filtertable-usage.md +0 -533
- data/docs/dev/integration-testing.md +0 -31
- data/docs/dev/plugins.md +0 -323
- data/docs/dsl_inspec.md +0 -354
- data/docs/dsl_resource.md +0 -100
- data/docs/glossary.md +0 -381
- data/docs/habitat.md +0 -193
- data/docs/inspec_and_friends.md +0 -114
- data/docs/matchers.md +0 -161
- data/docs/migration.md +0 -293
- data/docs/platforms.md +0 -119
- data/docs/plugin_kitchen_inspec.md +0 -60
- data/docs/plugins.md +0 -57
- data/docs/profiles.md +0 -576
- data/docs/reporters.md +0 -170
- data/docs/resources/aide_conf.md.erb +0 -86
- data/docs/resources/apache.md.erb +0 -77
- data/docs/resources/apache_conf.md.erb +0 -78
- data/docs/resources/apt.md.erb +0 -81
- data/docs/resources/audit_policy.md.erb +0 -57
- data/docs/resources/auditd.md.erb +0 -89
- data/docs/resources/auditd_conf.md.erb +0 -78
- data/docs/resources/bash.md.erb +0 -85
- data/docs/resources/bond.md.erb +0 -100
- data/docs/resources/bridge.md.erb +0 -67
- data/docs/resources/bsd_service.md.erb +0 -77
- data/docs/resources/chocolatey_package.md.erb +0 -68
- data/docs/resources/command.md.erb +0 -176
- data/docs/resources/cpan.md.erb +0 -89
- data/docs/resources/cran.md.erb +0 -74
- data/docs/resources/crontab.md.erb +0 -103
- data/docs/resources/csv.md.erb +0 -64
- data/docs/resources/dh_params.md.erb +0 -221
- data/docs/resources/directory.md.erb +0 -40
- data/docs/resources/docker.md.erb +0 -240
- data/docs/resources/docker_container.md.erb +0 -113
- data/docs/resources/docker_image.md.erb +0 -104
- data/docs/resources/docker_plugin.md.erb +0 -80
- data/docs/resources/docker_service.md.erb +0 -124
- data/docs/resources/elasticsearch.md.erb +0 -252
- data/docs/resources/etc_fstab.md.erb +0 -135
- data/docs/resources/etc_group.md.erb +0 -85
- data/docs/resources/etc_hosts.md.erb +0 -88
- data/docs/resources/etc_hosts_allow.md.erb +0 -84
- data/docs/resources/etc_hosts_deny.md.erb +0 -84
- data/docs/resources/file.md.erb +0 -543
- data/docs/resources/filesystem.md.erb +0 -51
- data/docs/resources/firewalld.md.erb +0 -117
- data/docs/resources/gem.md.erb +0 -108
- data/docs/resources/group.md.erb +0 -71
- data/docs/resources/grub_conf.md.erb +0 -111
- data/docs/resources/host.md.erb +0 -96
- data/docs/resources/http.md.erb +0 -207
- data/docs/resources/iis_app.md.erb +0 -132
- data/docs/resources/iis_site.md.erb +0 -145
- data/docs/resources/inetd_conf.md.erb +0 -104
- data/docs/resources/ini.md.erb +0 -86
- data/docs/resources/interface.md.erb +0 -68
- data/docs/resources/iptables.md.erb +0 -74
- data/docs/resources/json.md.erb +0 -73
- data/docs/resources/kernel_module.md.erb +0 -130
- data/docs/resources/kernel_parameter.md.erb +0 -63
- data/docs/resources/key_rsa.md.erb +0 -95
- data/docs/resources/launchd_service.md.erb +0 -67
- data/docs/resources/limits_conf.md.erb +0 -85
- data/docs/resources/login_defs.md.erb +0 -81
- data/docs/resources/mount.md.erb +0 -79
- data/docs/resources/mssql_session.md.erb +0 -78
- data/docs/resources/mysql_conf.md.erb +0 -109
- data/docs/resources/mysql_session.md.erb +0 -84
- data/docs/resources/nginx.md.erb +0 -89
- data/docs/resources/nginx_conf.md.erb +0 -148
- data/docs/resources/npm.md.erb +0 -78
- data/docs/resources/ntp_conf.md.erb +0 -70
- data/docs/resources/oneget.md.erb +0 -63
- data/docs/resources/oracledb_session.md.erb +0 -103
- data/docs/resources/os.md.erb +0 -153
- data/docs/resources/os_env.md.erb +0 -101
- data/docs/resources/package.md.erb +0 -130
- data/docs/resources/packages.md.erb +0 -77
- data/docs/resources/parse_config.md.erb +0 -113
- data/docs/resources/parse_config_file.md.erb +0 -148
- data/docs/resources/passwd.md.erb +0 -151
- data/docs/resources/pip.md.erb +0 -77
- data/docs/resources/port.md.erb +0 -147
- data/docs/resources/postgres_conf.md.erb +0 -89
- data/docs/resources/postgres_hba_conf.md.erb +0 -103
- data/docs/resources/postgres_ident_conf.md.erb +0 -86
- data/docs/resources/postgres_session.md.erb +0 -79
- data/docs/resources/powershell.md.erb +0 -112
- data/docs/resources/processes.md.erb +0 -119
- data/docs/resources/rabbitmq_config.md.erb +0 -51
- data/docs/resources/registry_key.md.erb +0 -197
- data/docs/resources/runit_service.md.erb +0 -67
- data/docs/resources/security_policy.md.erb +0 -57
- data/docs/resources/service.md.erb +0 -131
- data/docs/resources/shadow.md.erb +0 -267
- data/docs/resources/ssh_config.md.erb +0 -83
- data/docs/resources/sshd_config.md.erb +0 -93
- data/docs/resources/ssl.md.erb +0 -129
- data/docs/resources/sys_info.md.erb +0 -52
- data/docs/resources/systemd_service.md.erb +0 -67
- data/docs/resources/sysv_service.md.erb +0 -67
- data/docs/resources/upstart_service.md.erb +0 -67
- data/docs/resources/user.md.erb +0 -150
- data/docs/resources/users.md.erb +0 -137
- data/docs/resources/vbscript.md.erb +0 -65
- data/docs/resources/virtualization.md.erb +0 -67
- data/docs/resources/windows_feature.md.erb +0 -69
- data/docs/resources/windows_hotfix.md.erb +0 -63
- data/docs/resources/windows_task.md.erb +0 -95
- data/docs/resources/wmi.md.erb +0 -91
- data/docs/resources/x509_certificate.md.erb +0 -161
- data/docs/resources/xinetd_conf.md.erb +0 -166
- data/docs/resources/xml.md.erb +0 -95
- data/docs/resources/yaml.md.erb +0 -79
- data/docs/resources/yum.md.erb +0 -108
- data/docs/resources/zfs_dataset.md.erb +0 -63
- data/docs/resources/zfs_pool.md.erb +0 -57
- data/docs/shared/matcher_be.md.erb +0 -1
- data/docs/shared/matcher_cmp.md.erb +0 -43
- data/docs/shared/matcher_eq.md.erb +0 -3
- data/docs/shared/matcher_include.md.erb +0 -1
- data/docs/shared/matcher_match.md.erb +0 -1
- data/docs/shell.md +0 -217
- data/docs/style.md +0 -178
- data/examples/README.md +0 -8
- data/examples/custom-resource/README.md +0 -3
- data/examples/custom-resource/controls/example.rb +0 -7
- data/examples/custom-resource/inspec.yml +0 -8
- data/examples/custom-resource/libraries/batsignal.rb +0 -20
- data/examples/custom-resource/libraries/gordon.rb +0 -21
- data/examples/inheritance/README.md +0 -65
- data/examples/inheritance/controls/example.rb +0 -14
- data/examples/inheritance/inspec.yml +0 -16
- data/examples/kitchen-ansible/.kitchen.yml +0 -25
- data/examples/kitchen-ansible/Gemfile +0 -19
- data/examples/kitchen-ansible/README.md +0 -53
- data/examples/kitchen-ansible/files/nginx.repo +0 -6
- data/examples/kitchen-ansible/tasks/main.yml +0 -16
- data/examples/kitchen-ansible/test/integration/default/default.yml +0 -5
- data/examples/kitchen-ansible/test/integration/default/web_spec.rb +0 -28
- data/examples/kitchen-chef/.kitchen.yml +0 -20
- data/examples/kitchen-chef/Berksfile +0 -3
- data/examples/kitchen-chef/Gemfile +0 -19
- data/examples/kitchen-chef/README.md +0 -27
- data/examples/kitchen-chef/metadata.rb +0 -7
- data/examples/kitchen-chef/recipes/default.rb +0 -6
- data/examples/kitchen-chef/recipes/nginx.rb +0 -30
- data/examples/kitchen-chef/test/integration/default/web_spec.rb +0 -28
- data/examples/kitchen-puppet/.kitchen.yml +0 -23
- data/examples/kitchen-puppet/Gemfile +0 -20
- data/examples/kitchen-puppet/Puppetfile +0 -25
- data/examples/kitchen-puppet/README.md +0 -53
- data/examples/kitchen-puppet/manifests/site.pp +0 -33
- data/examples/kitchen-puppet/metadata.json +0 -11
- data/examples/kitchen-puppet/modules/.gitkeep +0 -0
- data/examples/kitchen-puppet/test/integration/default/web_spec.rb +0 -28
- data/examples/meta-profile/README.md +0 -37
- data/examples/meta-profile/controls/example.rb +0 -13
- data/examples/meta-profile/inspec.yml +0 -13
- data/examples/plugins/inspec-resource-lister/Gemfile +0 -12
- data/examples/plugins/inspec-resource-lister/LICENSE +0 -13
- data/examples/plugins/inspec-resource-lister/README.md +0 -62
- data/examples/plugins/inspec-resource-lister/Rakefile +0 -40
- data/examples/plugins/inspec-resource-lister/inspec-resource-lister.gemspec +0 -45
- data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister.rb +0 -16
- data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/cli_command.rb +0 -70
- data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/plugin.rb +0 -55
- data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/version.rb +0 -10
- data/examples/plugins/inspec-resource-lister/test/fixtures/README.md +0 -24
- data/examples/plugins/inspec-resource-lister/test/functional/README.md +0 -18
- data/examples/plugins/inspec-resource-lister/test/functional/inspec_resource_lister_test.rb +0 -110
- data/examples/plugins/inspec-resource-lister/test/helper.rb +0 -26
- data/examples/plugins/inspec-resource-lister/test/unit/README.md +0 -17
- data/examples/plugins/inspec-resource-lister/test/unit/cli_args_test.rb +0 -64
- data/examples/plugins/inspec-resource-lister/test/unit/plugin_def_test.rb +0 -51
- data/examples/profile-attribute.yml +0 -2
- data/examples/profile-attribute/README.md +0 -14
- data/examples/profile-attribute/controls/example.rb +0 -11
- data/examples/profile-attribute/inspec.yml +0 -8
- data/examples/profile-sensitive/README.md +0 -29
- data/examples/profile-sensitive/controls/sensitive-failures.rb +0 -9
- data/examples/profile-sensitive/controls/sensitive.rb +0 -9
- data/examples/profile-sensitive/inspec.yml +0 -8
- data/examples/profile/README.md +0 -48
- data/examples/profile/controls/example.rb +0 -24
- data/examples/profile/controls/gordon.rb +0 -36
- data/examples/profile/controls/meta.rb +0 -36
- data/examples/profile/inspec.yml +0 -11
- data/examples/profile/libraries/gordon_config.rb +0 -59
@@ -1,103 +0,0 @@
|
|
1
|
-
---
|
2
|
-
title: About the crontab Resource
|
3
|
-
platform: linux
|
4
|
-
---
|
5
|
-
|
6
|
-
# crontab
|
7
|
-
|
8
|
-
Use the `crontab` InSpec audit resource to test the crontab entries for a particular user on the system. It recognizes special time strings (@yearly, @weekly, etc).
|
9
|
-
|
10
|
-
<br>
|
11
|
-
|
12
|
-
## Availability
|
13
|
-
|
14
|
-
### Installation
|
15
|
-
|
16
|
-
This resource is distributed along with InSpec itself. You can use it automatically.
|
17
|
-
|
18
|
-
### Version
|
19
|
-
|
20
|
-
This resource first became available in v1.15.0 of InSpec.
|
21
|
-
|
22
|
-
## Syntax
|
23
|
-
|
24
|
-
A `crontab` resource block declares a user (which defaults to the current user, if not specified), and then the details to be tested, such as the schedule elements for each crontab entry or the commands itself:
|
25
|
-
|
26
|
-
describe crontab do
|
27
|
-
its('commands') { should include '/some/scheduled/task.sh' }
|
28
|
-
end
|
29
|
-
|
30
|
-
<br>
|
31
|
-
|
32
|
-
## Examples
|
33
|
-
|
34
|
-
The following examples show how to use this InSpec audit resource.
|
35
|
-
|
36
|
-
### Test that root's crontab has a particular command
|
37
|
-
|
38
|
-
describe crontab('root') do
|
39
|
-
its('commands') { should include '/path/to/some/script' }
|
40
|
-
end
|
41
|
-
|
42
|
-
### Test that myuser's crontab entry for command '/home/myuser/build.sh' runs every minute
|
43
|
-
|
44
|
-
describe crontab('myuser').commands('/home/myuser/build.sh') do
|
45
|
-
its('hours') { should cmp '*' }
|
46
|
-
its('minutes') { should cmp '*' }
|
47
|
-
end
|
48
|
-
|
49
|
-
### Test that the logged-in user's crontab has no tasks set to run on every hour and every minute
|
50
|
-
|
51
|
-
```ruby
|
52
|
-
describe crontab.where({'hour' => '*', 'minute' => '*'}) do
|
53
|
-
its('entries.length') { should cmp '0' }
|
54
|
-
end
|
55
|
-
```
|
56
|
-
|
57
|
-
### Test that the logged-in user's crontab contains a single command that matches a pattern
|
58
|
-
|
59
|
-
```ruby
|
60
|
-
describe crontab.where { command =~ /a partial command string/ } do
|
61
|
-
its('entries.length') { should cmp 1 }
|
62
|
-
end
|
63
|
-
```
|
64
|
-
|
65
|
-
### Test a special time string (i.e., @yearly /root/annual_report.sh)
|
66
|
-
|
67
|
-
describe crontab.commands('/root/annual_report.sh') do
|
68
|
-
its('hours') { should cmp '0' }
|
69
|
-
its('minutes') { should cmp '0' }
|
70
|
-
its('days') { should cmp '1' }
|
71
|
-
its('months') { should cmp '1' }
|
72
|
-
end
|
73
|
-
|
74
|
-
### Test @reboot case
|
75
|
-
|
76
|
-
describe crontab.commands('/root/reboot.sh') do
|
77
|
-
its('hours') { should cmp '-1' }
|
78
|
-
its('minutes') { should cmp '-1' }
|
79
|
-
end
|
80
|
-
|
81
|
-
<br>
|
82
|
-
|
83
|
-
## Property Examples
|
84
|
-
|
85
|
-
|
86
|
-
### Test a special time string
|
87
|
-
|
88
|
-
describe crontab do
|
89
|
-
its('minutes') { should cmp '0' }
|
90
|
-
its('hours') { should cmp '0' }
|
91
|
-
its('days') { should cmp '1' }
|
92
|
-
its('weekdays') { should cmp '1' }
|
93
|
-
its('user') { should include 'username'}
|
94
|
-
its('commands') { should include '/some/scheduled/task.sh' }
|
95
|
-
end
|
96
|
-
|
97
|
-
InSpec will automatically interpret crontab-supported special time strings. For example, a crontab entry set to run `@yearly` can be tested as if the entry was manually configured to run on January 1, 12 AM.
|
98
|
-
|
99
|
-
<br>
|
100
|
-
|
101
|
-
## Matchers
|
102
|
-
|
103
|
-
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
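--- a/data/docs/resources/csv.md.erb
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: About the csv Resource
-platform: os
----
-
-# csv
-
-Use the `csv` InSpec audit resource to test configuration data in a CSV file.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v1.0.0 of InSpec.
-
-## Syntax
-
-A `csv` resource block declares the configuration data to be tested:
-
-describe csv('file') do
-its('name') { should cmp 'foo' }
-end
-
-where
-
-* `'file'` is the path to a CSV file
-* `name` is a configuration setting in a CSV file
-* `should eq 'foo'` tests a value of `name` as read from a CSV file versus the value declared in the test
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Test a CSV file
-
-describe csv('some_file.csv') do
-its('setting') { should eq 1 }
-end
-
-<br>
-
-## Property Examples
-
-### name
-
-The `name` property tests the value of `name` as read from a CSV file compared to the value declared in the test.
-
-its('name') { should cmp 'foo' }
-
-<br>
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-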
@@ -1,221 +0,0 @@
|
|
1
|
-
---
|
2
|
-
title: The dh_params Resource
|
3
|
-
platform: linux
|
4
|
-
---
|
5
|
-
|
6
|
-
# dh_params
|
7
|
-
|
8
|
-
Use the `dh_params` InSpec audit resource to test Diffie-Hellman (DH) parameters.
|
9
|
-
|
10
|
-
<br>
|
11
|
-
|
12
|
-
## Availability
|
13
|
-
|
14
|
-
### Installation
|
15
|
-
|
16
|
-
This resource is distributed along with InSpec itself. You can use it automatically.
|
17
|
-
|
18
|
-
### Version
|
19
|
-
|
20
|
-
This resource first became available in v1.19.0 of InSpec.
|
21
|
-
|
22
|
-
## Syntax
|
23
|
-
|
24
|
-
A `dh_params` resource block declares a parameter file to be tested.
|
25
|
-
|
26
|
-
describe dh_params('/path/to/file.dh_pem') do
|
27
|
-
it { should be_dh_params }
|
28
|
-
it { should be_valid }
|
29
|
-
its('generator') { should eq 2 }
|
30
|
-
its('modulus') { should eq '00:91:a0:15:89:e5:bc:38:93:12:02:fc:...' }
|
31
|
-
its('prime_length') { should eq 2048 }
|
32
|
-
its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
|
33
|
-
its('text') { should eq 'PKCS#3 DH Parameters: (2048 bit)...' }
|
34
|
-
end
|
35
|
-
|
36
|
-
<br>
|
37
|
-
|
38
|
-
## Properties
|
39
|
-
|
40
|
-
* `generator`, `modulus`, `prime_length`, `pem`, `text`
|
41
|
-
|
42
|
-
<br>
|
43
|
-
|
44
|
-
## Property Examples
|
45
|
-
|
46
|
-
### generator (Integer)
|
47
|
-
|
48
|
-
Verify generator used for the Diffie-Hellman operation:
|
49
|
-
|
50
|
-
describe dh_params('/path/to/file.dh_pem') do
|
51
|
-
its('generator') { should eq 2 }
|
52
|
-
end
|
53
|
-
|
54
|
-
### modulus (String)
|
55
|
-
|
56
|
-
Verify prime modulus used for the Diffie-Hellman operation:
|
57
|
-
|
58
|
-
describe dh_params('/path/to/file.dh_pem') do
|
59
|
-
its('modulus') { should eq '00:91:a0:15:89:e5:bc:38:93:12:02:fc:...' }
|
60
|
-
end
|
61
|
-
|
62
|
-
Example using multi-line string:
|
63
|
-
|
64
|
-
```ruby
|
65
|
-
describe dh_params('/path/to/file.dh_pem') do
|
66
|
-
its('modulus') do
|
67
|
-
# regex removes all whitespace
|
68
|
-
should eq <<-EOF.gsub(/[[:space:]]+/, '')
|
69
|
-
00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
|
70
|
-
f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
|
71
|
-
48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
|
72
|
-
1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
|
73
|
-
2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
|
74
|
-
ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
|
75
|
-
30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
|
76
|
-
1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
|
77
|
-
28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
|
78
|
-
2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
|
79
|
-
01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
|
80
|
-
e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
|
81
|
-
3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
|
82
|
-
60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
|
83
|
-
31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
|
84
|
-
5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
|
85
|
-
4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
|
86
|
-
cd:13
|
87
|
-
EOF
|
88
|
-
end
|
89
|
-
end
|
90
|
-
```
|
91
|
-
|
92
|
-
### prime_length (Integer)
|
93
|
-
|
94
|
-
Verify length of prime modulus used for the Diffie-Hellman operation:
|
95
|
-
|
96
|
-
describe dh_params('/path/to/file.dh_pem') do
|
97
|
-
its('prime_length') { should eq 2048 }
|
98
|
-
end
|
99
|
-
|
100
|
-
### pem (String)
|
101
|
-
|
102
|
-
Verify `pem` output of DH parameters:
|
103
|
-
|
104
|
-
describe dh_params('/path/to/file.dh_pem') do
|
105
|
-
its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
|
106
|
-
end
|
107
|
-
|
108
|
-
Example using multi-line string:
|
109
|
-
|
110
|
-
```ruby
|
111
|
-
its('pem') do
|
112
|
-
# regex removes all leading spaces
|
113
|
-
should eq <<-EOF.gsub(/^[[:blank:]]+/, '')
|
114
|
-
-----BEGIN DH PARAMETERS-----
|
115
|
-
MIIBCAKCAQEAkaAVieW8OJMSAvyRooX39yljLtNOeob37oT+QtBIvJyR1VT4eB3A
|
116
|
-
QXiixKwaJIudiFWYC6ynI+vCqisuqfmv1I5OEbx/NaKs2jrv8CVsmqT9ACh2hixX
|
117
|
-
h2cwXbHWWyKPcqHq3ovvnjMaQJJohQJUAgn6wGDBPE4oJtvtJY44IVZA3MDAZh8r
|
118
|
-
MsO0eKkmlOr3QSiy9VsBOAxGCYUmTWkSjZUPNeLmTkc6ht2Ksv5FFSfYWcI89GL/
|
119
|
-
X3Tpd5JQRzYrBVdg7nuhYMwceit3GIo398cxPhXLFX97Zpb7xr591gNeDWB1K1ti
|
120
|
-
KqM3tjT5/pZM9sXjoVKvAcFPx0Kgvu3NEwIBAg==
|
121
|
-
-----END DH PARAMETERS-----
|
122
|
-
EOF
|
123
|
-
end
|
124
|
-
```
|
125
|
-
|
126
|
-
Verify via `openssl dhparam` command:
|
127
|
-
|
128
|
-
$ openssl dhparam -in /path/to/file.dh_pem
|
129
|
-
-----BEGIN DH PARAMETERS-----
|
130
|
-
MIIBCAKCAQEAkaAVieW8OJMSAvyRooX39yljLtNOeob37oT+QtBIvJyR1VT4eB3A
|
131
|
-
QXiixKwaJIudiFWYC6ynI+vCqisuqfmv1I5OEbx/NaKs2jrv8CVsmqT9ACh2hixX
|
132
|
-
h2cwXbHWWyKPcqHq3ovvnjMaQJJohQJUAgn6wGDBPE4oJtvtJY44IVZA3MDAZh8r
|
133
|
-
MsO0eKkmlOr3QSiy9VsBOAxGCYUmTWkSjZUPNeLmTkc6ht2Ksv5FFSfYWcI89GL/
|
134
|
-
X3Tpd5JQRzYrBVdg7nuhYMwceit3GIo398cxPhXLFX97Zpb7xr591gNeDWB1K1ti
|
135
|
-
KqM3tjT5/pZM9sXjoVKvAcFPx0Kgvu3NEwIBAg==
|
136
|
-
-----END DH PARAMETERS-----
|
137
|
-
|
138
|
-
### text (String)
|
139
|
-
|
140
|
-
Verify human-readable text output of DH parameters:
|
141
|
-
|
142
|
-
describe dh_params('/path/to/file.dh_pem') do
|
143
|
-
its('text') { should eq 'PKCS#3 DH Parameters: (2048 bit)...' }
|
144
|
-
end
|
145
|
-
|
146
|
-
Example using multi-line string:
|
147
|
-
|
148
|
-
```ruby
|
149
|
-
its('text') do
|
150
|
-
# regex removes 2 leading spaces
|
151
|
-
should eq <<-EOF.gsub(/^[[:blank:]]{2}/, '')
|
152
|
-
PKCS#3 DH Parameters: (2048 bit)
|
153
|
-
prime:
|
154
|
-
00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
|
155
|
-
f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
|
156
|
-
48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
|
157
|
-
1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
|
158
|
-
2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
|
159
|
-
ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
|
160
|
-
30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
|
161
|
-
1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
|
162
|
-
28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
|
163
|
-
2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
|
164
|
-
01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
|
165
|
-
e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
|
166
|
-
3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
|
167
|
-
60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
|
168
|
-
31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
|
169
|
-
5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
|
170
|
-
4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
|
171
|
-
cd:13
|
172
|
-
generator: 2 (0x2)
|
173
|
-
EOF
|
174
|
-
end
|
175
|
-
```
|
176
|
-
|
177
|
-
Verify via `openssl dhparam` command:
|
178
|
-
|
179
|
-
$ openssl dhparam -in /path/to/file.dh_pem -noout -text
|
180
|
-
PKCS#3 DH Parameters: (2048 bit)
|
181
|
-
prime:
|
182
|
-
00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
|
183
|
-
f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
|
184
|
-
48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
|
185
|
-
1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
|
186
|
-
2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
|
187
|
-
ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
|
188
|
-
30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
|
189
|
-
1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
|
190
|
-
28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
|
191
|
-
2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
|
192
|
-
01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
|
193
|
-
e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
|
194
|
-
3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
|
195
|
-
60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
|
196
|
-
31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
|
197
|
-
5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
|
198
|
-
4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
|
199
|
-
cd:13
|
200
|
-
generator: 2 (0x2)
|
201
|
-
|
202
|
-
<br>
|
203
|
-
|
204
|
-
## Matchers
|
205
|
-
|
206
|
-
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
207
|
-
|
208
|
-
### be_valid
|
209
|
-
|
210
|
-
Verify whether DH parameters are valid:
|
211
|
-
|
212
|
-
describe dh_params('/path/to/file.dh_pem') do
|
213
|
-
it { should be_valid }
|
214
|
-
end
|
215
|
-
|
216
|
-
### be\_dh\_params
|
217
|
-
|
218
|
-
describe dh_params('/path/to/file.dh_pem') do
|
219
|
-
it { should be_dh_params}
|
220
|
-
end
|
221
|
-
|
@@ -1,40 +0,0 @@
|
|
1
|
-
---
|
2
|
-
title: About the directory Resource
|
3
|
-
platform: os
|
4
|
-
---
|
5
|
-
|
6
|
-
# directory
|
7
|
-
|
8
|
-
Use the `directory` InSpec audit resource to test if the file type is a directory. This is equivalent to using the `file` resource and the `be_directory` matcher, but provides a simpler and more direct way to test directories.
|
9
|
-
|
10
|
-
<br>
|
11
|
-
|
12
|
-
## Availability
|
13
|
-
|
14
|
-
### Installation
|
15
|
-
|
16
|
-
This resource is distributed along with InSpec itself. You can use it automatically.
|
17
|
-
|
18
|
-
### Version
|
19
|
-
|
20
|
-
This resource first became available in v1.0.0 of InSpec.
|
21
|
-
|
22
|
-
## Syntax
|
23
|
-
|
24
|
-
A `directory` resource block declares the location of the directory to be tested, and then one (or more) matchers.
|
25
|
-
|
26
|
-
describe directory('path') do
|
27
|
-
its('property') { should cmp 'value' }
|
28
|
-
end
|
29
|
-
|
30
|
-
<br>
|
31
|
-
|
32
|
-
## Properties
|
33
|
-
|
34
|
-
All of the properties available to `file` may be used with `directory`.
|
35
|
-
|
36
|
-
<br>
|
37
|
-
|
38
|
-
## Matchers
|
39
|
-
|
40
|
-
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
@@ -1,240 +0,0 @@
|
|
1
|
-
---
|
2
|
-
title: About the docker Resource
|
3
|
-
platform: linux
|
4
|
-
---
|
5
|
-
|
6
|
-
# docker
|
7
|
-
|
8
|
-
Use the `docker` InSpec audit resource to test configuration data for the Docker daemon. It is a very comprehensive resource. See also: [docker_container](https://www.inspec.io/docs/reference/resources/docker_container/) and [docker_image](https://www.inspec.io/docs/reference/resources/docker_image/), too.
|
9
|
-
|
10
|
-
<br>
|
11
|
-
|
12
|
-
## Availability
|
13
|
-
|
14
|
-
### Installation
|
15
|
-
|
16
|
-
This resource is distributed along with InSpec itself. You can use it automatically.
|
17
|
-
|
18
|
-
### Version
|
19
|
-
|
20
|
-
This resource first became available in v1.21.0 of InSpec.
|
21
|
-
|
22
|
-
## Syntax
|
23
|
-
|
24
|
-
A `docker` resource block declares allows you to write test for many containers:
|
25
|
-
|
26
|
-
describe docker.containers do
|
27
|
-
its('images') { should_not include 'u12:latest' }
|
28
|
-
end
|
29
|
-
|
30
|
-
or:
|
31
|
-
|
32
|
-
describe docker.containers.where { names == 'flamboyant_colden' } do
|
33
|
-
it { should be_running }
|
34
|
-
end
|
35
|
-
|
36
|
-
where
|
37
|
-
|
38
|
-
* `.where()` may specify a specific item and value, to which the resource parameters are compared
|
39
|
-
* `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `status` are valid parameters for `containers`
|
40
|
-
|
41
|
-
The `docker` resource block also declares allows you to write test for many images:
|
42
|
-
|
43
|
-
describe docker.images do
|
44
|
-
its('repositories') { should_not include 'inssecure_image' }
|
45
|
-
end
|
46
|
-
|
47
|
-
or if you want to query specific images:
|
48
|
-
|
49
|
-
describe docker.images.where { repository == 'ubuntu' && tag == '12.04' } do
|
50
|
-
it { should_not exist }
|
51
|
-
end
|
52
|
-
|
53
|
-
where
|
54
|
-
|
55
|
-
* `.where()` may specify a specific filter and expected value, against which parameters are compared
|
56
|
-
|
57
|
-
<br>
|
58
|
-
|
59
|
-
## Examples
|
60
|
-
|
61
|
-
The following examples show how to use this InSpec audit resource.
|
62
|
-
|
63
|
-
### Return all running containers
|
64
|
-
|
65
|
-
docker.containers.running?.ids.each do |id|
|
66
|
-
describe docker.object(id) do
|
67
|
-
its('State.Health.Status') { should eq 'healthy' }
|
68
|
-
end
|
69
|
-
end
|
70
|
-
|
71
|
-
### Verify a Docker Server and Client version
|
72
|
-
|
73
|
-
describe docker.version do
|
74
|
-
its('Server.Version') { should cmp >= '1.12'}
|
75
|
-
its('Client.Version') { should cmp >= '1.12'}
|
76
|
-
end
|
77
|
-
|
78
|
-
### Iterate over all containers to verify host coniguration
|
79
|
-
|
80
|
-
docker.containers.ids.each do |id|
|
81
|
-
# call Docker inspect for a specific container id
|
82
|
-
describe docker.object(id) do
|
83
|
-
its(%w(HostConfig Privileged)) { should cmp false }
|
84
|
-
its(%w(HostConfig Privileged)) { should_not cmp true }
|
85
|
-
end
|
86
|
-
end
|
87
|
-
|
88
|
-
### Iterate over all images to verify the container was built without ADD instruction
|
89
|
-
|
90
|
-
docker.images.ids.each do |id|
|
91
|
-
describe command("docker history #{id}| grep 'ADD'") do
|
92
|
-
its('stdout') { should eq '' }
|
93
|
-
end
|
94
|
-
end
|
95
|
-
|
96
|
-
### Verify that health-checks are enabled for a container
|
97
|
-
|
98
|
-
describe docker.object('71b5df59442b') do
|
99
|
-
its(%w(Config Healthcheck)) { should_not eq nil }
|
100
|
-
end
|
101
|
-
|
102
|
-
<br>
|
103
|
-
|
104
|
-
## How to run the DevSec Docker baseline profile
|
105
|
-
|
106
|
-
There are two ways to run the `docker-baseline` profile to test Docker via the `docker` resource.
|
107
|
-
|
108
|
-
Clone the profile:
|
109
|
-
|
110
|
-
$ git clone https://github.com/dev-sec/cis-docker-benchmark.git
|
111
|
-
|
112
|
-
and then run:
|
113
|
-
|
114
|
-
$ inspec exec cis-docker-benchmark
|
115
|
-
|
116
|
-
Or execute the profile directly via URL:
|
117
|
-
|
118
|
-
$ inspec exec https://github.com/dev-sec/cis-docker-benchmark
|
119
|
-
|
120
|
-
<br>
|
121
|
-
|
122
|
-
## Resource Parameters
|
123
|
-
|
124
|
-
* `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `status` are valid parameters for `containers`
|
125
|
-
|
126
|
-
<br>
|
127
|
-
|
128
|
-
## Resource Parameter Examples
|
129
|
-
|
130
|
-
### containers
|
131
|
-
|
132
|
-
`containers` returns information about containers as returned by [docker ps -a](https://docs.docker.com/engine/reference/commandline/ps/).
|
133
|
-
|
134
|
-
describe docker.containers do
|
135
|
-
its('ids') { should include 'sha:71b5df59...442b' }
|
136
|
-
its('commands') { should_not include '/bin/sh' }
|
137
|
-
its('images') { should_not include 'u12:latest' }
|
138
|
-
its('ports') { should include '0.0.0.0:1234->1234/tcp' }
|
139
|
-
its('labels') { should include 'License=GPLv2,Vendor=CentOS' }
|
140
|
-
end
|
141
|
-
|
142
|
-
### object('id')
|
143
|
-
|
144
|
-
`object` returns low-level information about Docker objects. It is calling [docker inspect](https://docs.docker.com/engine/reference/commandline/info/) under the hood.
|
145
|
-
|
146
|
-
describe docker.object(id) do
|
147
|
-
its('Configuration.Path') { should eq 'value' }
|
148
|
-
end
|
149
|
-
|
150
|
-
### images
|
151
|
-
|
152
|
-
`images` returns information about a Docker image as returned by [docker images](https://docs.docker.com/engine/reference/commandline/images/).
|
153
|
-
|
154
|
-
describe docker.images do
|
155
|
-
its('ids') { should include 'sha:12b5df59...442b' }
|
156
|
-
its('repositories') { should_not include 'my_image' }
|
157
|
-
its('tags') { should_not include 'unwanted_tag' }
|
158
|
-
its('sizes') { should_not include "1.41 GB" }
|
159
|
-
end
|
160
|
-
|
161
|
-
### plugins
|
162
|
-
|
163
|
-
`plugins` returns information about Docker plugins as returned by [docker plugin ls](https://docs.docker.com/engine/reference/commandline/plugin/).
|
164
|
-
|
165
|
-
describe docker.plugins do
|
166
|
-
its('names') { should include ["store/weaveworks/net-plugin", "docker4x/cloudstor"] }
|
167
|
-
its('ids') { should cmp ["6ea8176de74b", "771d3ee7c7ea"] }
|
168
|
-
its('versions') { should cmp ["2.3.0", "18.03.1-ce-aws1"] }
|
169
|
-
its('enabled') { should cmp [true, false] }
|
170
|
-
end
|
171
|
-
|
172
|
-
### info
|
173
|
-
|
174
|
-
`info` returns the parsed result of [docker info](https://docs.docker.com/engine/reference/commandline/info/)
|
175
|
-
|
176
|
-
describe docker.info do
|
177
|
-
its('Configuration.Path') { should eq 'value' }
|
178
|
-
end
|
179
|
-
|
180
|
-
### version
|
181
|
-
|
182
|
-
`info` returns the parsed result of [docker version](https://docs.docker.com/engine/reference/commandline/version/)
|
183
|
-
|
184
|
-
describe docker.version do
|
185
|
-
its('Server.Version') { should cmp >= '1.12'}
|
186
|
-
its('Client.Version') { should cmp >= '1.12'}
|
187
|
-
end
|
188
|
-
|
189
|
-
<br>
|
190
|
-
|
191
|
-
## Properties
|
192
|
-
|
193
|
-
* `id`, `image`, `repo`, `tag`, `ports`, `command`
|
194
|
-
|
195
|
-
<br>
|
196
|
-
|
197
|
-
## Property Examples
|
198
|
-
|
199
|
-
### id
|
200
|
-
|
201
|
-
describe docker_container(name: 'an-echo-server') do
|
202
|
-
its('id') { should_not eq '' }
|
203
|
-
end
|
204
|
-
|
205
|
-
### image
|
206
|
-
|
207
|
-
describe docker_container(name: 'an-echo-server') do
|
208
|
-
its('image') { should eq 'busybox:latest' }
|
209
|
-
end
|
210
|
-
|
211
|
-
### repo
|
212
|
-
|
213
|
-
describe docker_container(name: 'an-echo-server') do
|
214
|
-
its('repo') { should eq 'busybox' }
|
215
|
-
end
|
216
|
-
|
217
|
-
### tag
|
218
|
-
|
219
|
-
describe docker_container(name: 'an-echo-server') do
|
220
|
-
its('tag') { should eq 'latest' }
|
221
|
-
end
|
222
|
-
|
223
|
-
### ports
|
224
|
-
|
225
|
-
describe docker_container(name: 'an-echo-server') do
|
226
|
-
its('ports') { should eq "0.0.0.0:1234->1234/tcp" }
|
227
|
-
end
|
228
|
-
|
229
|
-
### command
|
230
|
-
|
231
|
-
describe docker_container(name: 'an-echo-server') do
|
232
|
-
its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
|
233
|
-
end
|
234
|
-
|
235
|
-
<br>
|
236
|
-
|
237
|
-
## Matchers
|
238
|
-
|
239
|
-
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
240
|
-
|