inspec-core 2.3.10 → 2.3.23
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +34 -13
- data/etc/plugin_filters.json +25 -0
- data/inspec-core.gemspec +1 -1
- data/lib/bundles/inspec-compliance/api.rb +3 -0
- data/lib/bundles/inspec-compliance/configuration.rb +3 -0
- data/lib/bundles/inspec-compliance/http.rb +3 -0
- data/lib/bundles/inspec-compliance/support.rb +3 -0
- data/lib/bundles/inspec-compliance/target.rb +3 -0
- data/lib/inspec/objects/attribute.rb +3 -0
- data/lib/inspec/plugin/v2.rb +3 -0
- data/lib/inspec/plugin/v2/filter.rb +62 -0
- data/lib/inspec/plugin/v2/installer.rb +21 -1
- data/lib/inspec/plugin/v2/loader.rb +4 -0
- data/lib/inspec/profile.rb +3 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +25 -3
- data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb +65 -11
- data/lib/plugins/inspec-plugin-manager-cli/test/unit/cli_args_test.rb +5 -1
- data/lib/resources/package.rb +1 -1
- metadata +4 -197
- data/docs/.gitignore +0 -2
- data/docs/README.md +0 -41
- data/docs/dev/control-eval.md +0 -62
- data/docs/dev/filtertable-internals.md +0 -353
- data/docs/dev/filtertable-usage.md +0 -533
- data/docs/dev/integration-testing.md +0 -31
- data/docs/dev/plugins.md +0 -323
- data/docs/dsl_inspec.md +0 -354
- data/docs/dsl_resource.md +0 -100
- data/docs/glossary.md +0 -381
- data/docs/habitat.md +0 -193
- data/docs/inspec_and_friends.md +0 -114
- data/docs/matchers.md +0 -161
- data/docs/migration.md +0 -293
- data/docs/platforms.md +0 -119
- data/docs/plugin_kitchen_inspec.md +0 -60
- data/docs/plugins.md +0 -57
- data/docs/profiles.md +0 -576
- data/docs/reporters.md +0 -170
- data/docs/resources/aide_conf.md.erb +0 -86
- data/docs/resources/apache.md.erb +0 -77
- data/docs/resources/apache_conf.md.erb +0 -78
- data/docs/resources/apt.md.erb +0 -81
- data/docs/resources/audit_policy.md.erb +0 -57
- data/docs/resources/auditd.md.erb +0 -89
- data/docs/resources/auditd_conf.md.erb +0 -78
- data/docs/resources/bash.md.erb +0 -85
- data/docs/resources/bond.md.erb +0 -100
- data/docs/resources/bridge.md.erb +0 -67
- data/docs/resources/bsd_service.md.erb +0 -77
- data/docs/resources/chocolatey_package.md.erb +0 -68
- data/docs/resources/command.md.erb +0 -176
- data/docs/resources/cpan.md.erb +0 -89
- data/docs/resources/cran.md.erb +0 -74
- data/docs/resources/crontab.md.erb +0 -103
- data/docs/resources/csv.md.erb +0 -64
- data/docs/resources/dh_params.md.erb +0 -221
- data/docs/resources/directory.md.erb +0 -40
- data/docs/resources/docker.md.erb +0 -240
- data/docs/resources/docker_container.md.erb +0 -113
- data/docs/resources/docker_image.md.erb +0 -104
- data/docs/resources/docker_plugin.md.erb +0 -80
- data/docs/resources/docker_service.md.erb +0 -124
- data/docs/resources/elasticsearch.md.erb +0 -252
- data/docs/resources/etc_fstab.md.erb +0 -135
- data/docs/resources/etc_group.md.erb +0 -85
- data/docs/resources/etc_hosts.md.erb +0 -88
- data/docs/resources/etc_hosts_allow.md.erb +0 -84
- data/docs/resources/etc_hosts_deny.md.erb +0 -84
- data/docs/resources/file.md.erb +0 -543
- data/docs/resources/filesystem.md.erb +0 -51
- data/docs/resources/firewalld.md.erb +0 -117
- data/docs/resources/gem.md.erb +0 -108
- data/docs/resources/group.md.erb +0 -71
- data/docs/resources/grub_conf.md.erb +0 -111
- data/docs/resources/host.md.erb +0 -96
- data/docs/resources/http.md.erb +0 -207
- data/docs/resources/iis_app.md.erb +0 -132
- data/docs/resources/iis_site.md.erb +0 -145
- data/docs/resources/inetd_conf.md.erb +0 -104
- data/docs/resources/ini.md.erb +0 -86
- data/docs/resources/interface.md.erb +0 -68
- data/docs/resources/iptables.md.erb +0 -74
- data/docs/resources/json.md.erb +0 -73
- data/docs/resources/kernel_module.md.erb +0 -130
- data/docs/resources/kernel_parameter.md.erb +0 -63
- data/docs/resources/key_rsa.md.erb +0 -95
- data/docs/resources/launchd_service.md.erb +0 -67
- data/docs/resources/limits_conf.md.erb +0 -85
- data/docs/resources/login_defs.md.erb +0 -81
- data/docs/resources/mount.md.erb +0 -79
- data/docs/resources/mssql_session.md.erb +0 -78
- data/docs/resources/mysql_conf.md.erb +0 -109
- data/docs/resources/mysql_session.md.erb +0 -84
- data/docs/resources/nginx.md.erb +0 -89
- data/docs/resources/nginx_conf.md.erb +0 -148
- data/docs/resources/npm.md.erb +0 -78
- data/docs/resources/ntp_conf.md.erb +0 -70
- data/docs/resources/oneget.md.erb +0 -63
- data/docs/resources/oracledb_session.md.erb +0 -103
- data/docs/resources/os.md.erb +0 -153
- data/docs/resources/os_env.md.erb +0 -101
- data/docs/resources/package.md.erb +0 -130
- data/docs/resources/packages.md.erb +0 -77
- data/docs/resources/parse_config.md.erb +0 -113
- data/docs/resources/parse_config_file.md.erb +0 -148
- data/docs/resources/passwd.md.erb +0 -151
- data/docs/resources/pip.md.erb +0 -77
- data/docs/resources/port.md.erb +0 -147
- data/docs/resources/postgres_conf.md.erb +0 -89
- data/docs/resources/postgres_hba_conf.md.erb +0 -103
- data/docs/resources/postgres_ident_conf.md.erb +0 -86
- data/docs/resources/postgres_session.md.erb +0 -79
- data/docs/resources/powershell.md.erb +0 -112
- data/docs/resources/processes.md.erb +0 -119
- data/docs/resources/rabbitmq_config.md.erb +0 -51
- data/docs/resources/registry_key.md.erb +0 -197
- data/docs/resources/runit_service.md.erb +0 -67
- data/docs/resources/security_policy.md.erb +0 -57
- data/docs/resources/service.md.erb +0 -131
- data/docs/resources/shadow.md.erb +0 -267
- data/docs/resources/ssh_config.md.erb +0 -83
- data/docs/resources/sshd_config.md.erb +0 -93
- data/docs/resources/ssl.md.erb +0 -129
- data/docs/resources/sys_info.md.erb +0 -52
- data/docs/resources/systemd_service.md.erb +0 -67
- data/docs/resources/sysv_service.md.erb +0 -67
- data/docs/resources/upstart_service.md.erb +0 -67
- data/docs/resources/user.md.erb +0 -150
- data/docs/resources/users.md.erb +0 -137
- data/docs/resources/vbscript.md.erb +0 -65
- data/docs/resources/virtualization.md.erb +0 -67
- data/docs/resources/windows_feature.md.erb +0 -69
- data/docs/resources/windows_hotfix.md.erb +0 -63
- data/docs/resources/windows_task.md.erb +0 -95
- data/docs/resources/wmi.md.erb +0 -91
- data/docs/resources/x509_certificate.md.erb +0 -161
- data/docs/resources/xinetd_conf.md.erb +0 -166
- data/docs/resources/xml.md.erb +0 -95
- data/docs/resources/yaml.md.erb +0 -79
- data/docs/resources/yum.md.erb +0 -108
- data/docs/resources/zfs_dataset.md.erb +0 -63
- data/docs/resources/zfs_pool.md.erb +0 -57
- data/docs/shared/matcher_be.md.erb +0 -1
- data/docs/shared/matcher_cmp.md.erb +0 -43
- data/docs/shared/matcher_eq.md.erb +0 -3
- data/docs/shared/matcher_include.md.erb +0 -1
- data/docs/shared/matcher_match.md.erb +0 -1
- data/docs/shell.md +0 -217
- data/docs/style.md +0 -178
- data/examples/README.md +0 -8
- data/examples/custom-resource/README.md +0 -3
- data/examples/custom-resource/controls/example.rb +0 -7
- data/examples/custom-resource/inspec.yml +0 -8
- data/examples/custom-resource/libraries/batsignal.rb +0 -20
- data/examples/custom-resource/libraries/gordon.rb +0 -21
- data/examples/inheritance/README.md +0 -65
- data/examples/inheritance/controls/example.rb +0 -14
- data/examples/inheritance/inspec.yml +0 -16
- data/examples/kitchen-ansible/.kitchen.yml +0 -25
- data/examples/kitchen-ansible/Gemfile +0 -19
- data/examples/kitchen-ansible/README.md +0 -53
- data/examples/kitchen-ansible/files/nginx.repo +0 -6
- data/examples/kitchen-ansible/tasks/main.yml +0 -16
- data/examples/kitchen-ansible/test/integration/default/default.yml +0 -5
- data/examples/kitchen-ansible/test/integration/default/web_spec.rb +0 -28
- data/examples/kitchen-chef/.kitchen.yml +0 -20
- data/examples/kitchen-chef/Berksfile +0 -3
- data/examples/kitchen-chef/Gemfile +0 -19
- data/examples/kitchen-chef/README.md +0 -27
- data/examples/kitchen-chef/metadata.rb +0 -7
- data/examples/kitchen-chef/recipes/default.rb +0 -6
- data/examples/kitchen-chef/recipes/nginx.rb +0 -30
- data/examples/kitchen-chef/test/integration/default/web_spec.rb +0 -28
- data/examples/kitchen-puppet/.kitchen.yml +0 -23
- data/examples/kitchen-puppet/Gemfile +0 -20
- data/examples/kitchen-puppet/Puppetfile +0 -25
- data/examples/kitchen-puppet/README.md +0 -53
- data/examples/kitchen-puppet/manifests/site.pp +0 -33
- data/examples/kitchen-puppet/metadata.json +0 -11
- data/examples/kitchen-puppet/modules/.gitkeep +0 -0
- data/examples/kitchen-puppet/test/integration/default/web_spec.rb +0 -28
- data/examples/meta-profile/README.md +0 -37
- data/examples/meta-profile/controls/example.rb +0 -13
- data/examples/meta-profile/inspec.yml +0 -13
- data/examples/plugins/inspec-resource-lister/Gemfile +0 -12
- data/examples/plugins/inspec-resource-lister/LICENSE +0 -13
- data/examples/plugins/inspec-resource-lister/README.md +0 -62
- data/examples/plugins/inspec-resource-lister/Rakefile +0 -40
- data/examples/plugins/inspec-resource-lister/inspec-resource-lister.gemspec +0 -45
- data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister.rb +0 -16
- data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/cli_command.rb +0 -70
- data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/plugin.rb +0 -55
- data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/version.rb +0 -10
- data/examples/plugins/inspec-resource-lister/test/fixtures/README.md +0 -24
- data/examples/plugins/inspec-resource-lister/test/functional/README.md +0 -18
- data/examples/plugins/inspec-resource-lister/test/functional/inspec_resource_lister_test.rb +0 -110
- data/examples/plugins/inspec-resource-lister/test/helper.rb +0 -26
- data/examples/plugins/inspec-resource-lister/test/unit/README.md +0 -17
- data/examples/plugins/inspec-resource-lister/test/unit/cli_args_test.rb +0 -64
- data/examples/plugins/inspec-resource-lister/test/unit/plugin_def_test.rb +0 -51
- data/examples/profile-attribute.yml +0 -2
- data/examples/profile-attribute/README.md +0 -14
- data/examples/profile-attribute/controls/example.rb +0 -11
- data/examples/profile-attribute/inspec.yml +0 -8
- data/examples/profile-sensitive/README.md +0 -29
- data/examples/profile-sensitive/controls/sensitive-failures.rb +0 -9
- data/examples/profile-sensitive/controls/sensitive.rb +0 -9
- data/examples/profile-sensitive/inspec.yml +0 -8
- data/examples/profile/README.md +0 -48
- data/examples/profile/controls/example.rb +0 -24
- data/examples/profile/controls/gordon.rb +0 -36
- data/examples/profile/controls/meta.rb +0 -36
- data/examples/profile/inspec.yml +0 -11
- data/examples/profile/libraries/gordon_config.rb +0 -59
@@ -1,104 +0,0 @@
|
|
1
|
-
---
|
2
|
-
title: About the inetd_conf Resource
|
3
|
-
platform: linux
|
4
|
-
---
|
5
|
-
|
6
|
-
# inetd_conf
|
7
|
-
|
8
|
-
Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
|
9
|
-
|
10
|
-
<br>
|
11
|
-
|
12
|
-
## Availability
|
13
|
-
|
14
|
-
### Installation
|
15
|
-
|
16
|
-
This resource is distributed along with InSpec itself. You can use it automatically.
|
17
|
-
|
18
|
-
### Version
|
19
|
-
|
20
|
-
This resource first became available in v1.0.0 of InSpec.
|
21
|
-
|
22
|
-
## Syntax
|
23
|
-
|
24
|
-
An `inetd_conf` resource block declares the list of services that are enabled in the `inetd.conf` file:
|
25
|
-
|
26
|
-
describe inetd_conf('path') do
|
27
|
-
its('service_name') { should eq 'value' }
|
28
|
-
end
|
29
|
-
|
30
|
-
where
|
31
|
-
|
32
|
-
* `'service_name'` is a service listed in the `inetd.conf` file
|
33
|
-
* `('path')` is the non-default path to the `inetd.conf` file
|
34
|
-
* `should eq 'value'` is the value that is expected
|
35
|
-
|
36
|
-
<br>
|
37
|
-
|
38
|
-
## Properties
|
39
|
-
|
40
|
-
This resource supports any of the properties listed as services in the `inetd.conf` file. You may want to ensure that specific services do not listen via `inetd.conf`.
|
41
|
-
|
42
|
-
<br>
|
43
|
-
|
44
|
-
## Examples
|
45
|
-
|
46
|
-
The following examples show how to use this InSpec audit resource.
|
47
|
-
|
48
|
-
### Basic tests for inetd_conf services:
|
49
|
-
|
50
|
-
its('shell') { should eq nil }
|
51
|
-
|
52
|
-
or:
|
53
|
-
|
54
|
-
its('netstat') { should eq nil }
|
55
|
-
|
56
|
-
or:
|
57
|
-
|
58
|
-
its('systat') { should eq nil }
|
59
|
-
|
60
|
-
For example:
|
61
|
-
|
62
|
-
describe inetd_conf do
|
63
|
-
its('shell') { should eq nil }
|
64
|
-
its('login') { should eq nil }
|
65
|
-
its('exec') { should eq nil }
|
66
|
-
end
|
67
|
-
|
68
|
-
### Verify that FTP is disabled
|
69
|
-
|
70
|
-
The contents if the `inetd.conf` file contain the following:
|
71
|
-
|
72
|
-
#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
|
73
|
-
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
|
74
|
-
|
75
|
-
and the following test is defined:
|
76
|
-
|
77
|
-
describe inetd_conf do
|
78
|
-
its('ftp') { should eq nil }
|
79
|
-
its('telnet') { should eq nil }
|
80
|
-
end
|
81
|
-
|
82
|
-
Because both the `ftp` and `telnet` Internet services are commented out (`#`), both services are disabled. Consequently, both tests will return `true`. However, if the `inetd.conf` file is set as follows:
|
83
|
-
|
84
|
-
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
|
85
|
-
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
|
86
|
-
|
87
|
-
then the same test will return `false` for `ftp` and the entire test will fail.
|
88
|
-
|
89
|
-
### Test if telnet is installed
|
90
|
-
|
91
|
-
describe package('telnetd') do
|
92
|
-
it { should_not be_installed }
|
93
|
-
end
|
94
|
-
|
95
|
-
describe inetd_conf do
|
96
|
-
its('telnet') { should eq nil }
|
97
|
-
end
|
98
|
-
|
99
|
-
<br>
|
100
|
-
|
101
|
-
## Matchers
|
102
|
-
|
103
|
-
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
104
|
-
|
data/docs/resources/ini.md.erb
DELETED
@@ -1,86 +0,0 @@
|
|
1
|
-
---
|
2
|
-
title: About the ini Resource
|
3
|
-
platform: os
|
4
|
-
---
|
5
|
-
|
6
|
-
# ini
|
7
|
-
|
8
|
-
Use the `ini` InSpec audit resource to test settings in an INI file.
|
9
|
-
|
10
|
-
<br>
|
11
|
-
|
12
|
-
## Availability
|
13
|
-
|
14
|
-
### Installation
|
15
|
-
|
16
|
-
This resource is distributed along with InSpec itself. You can use it automatically.
|
17
|
-
|
18
|
-
### Version
|
19
|
-
|
20
|
-
This resource first became available in v1.0.0 of InSpec.
|
21
|
-
|
22
|
-
## Syntax
|
23
|
-
|
24
|
-
An `ini` resource block declares the configuration settings to be tested:
|
25
|
-
|
26
|
-
describe ini('path') do
|
27
|
-
its('setting_name') { should eq 'value' }
|
28
|
-
end
|
29
|
-
|
30
|
-
where
|
31
|
-
|
32
|
-
* `'setting_name'` is a setting key defined in the INI file
|
33
|
-
* `('path')` is the path to the INI file
|
34
|
-
* `{ should eq 'value' }` is the value that is expected
|
35
|
-
|
36
|
-
For example:
|
37
|
-
|
38
|
-
describe ini('path/to/ini_file.ini') do
|
39
|
-
its('port') { should eq '143' }
|
40
|
-
its('server') { should eq '192.0.2.62' }
|
41
|
-
end
|
42
|
-
|
43
|
-
Settings inside of sections, such as the following:
|
44
|
-
|
45
|
-
[section_name]
|
46
|
-
setting_name = 123
|
47
|
-
|
48
|
-
... can be retrieved by prefixing the setting_name with the section.
|
49
|
-
|
50
|
-
its('section_name.setting_name') { should cmp 123 }
|
51
|
-
|
52
|
-
In the event a section or setting name has a period in it, the alternate syntax can be used:
|
53
|
-
|
54
|
-
its(['section.with.a.dot.in.it', 'setting.name.with.dots']) { should cmp 'lotsadots' }
|
55
|
-
|
56
|
-
<br>
|
57
|
-
|
58
|
-
## Properties
|
59
|
-
|
60
|
-
This resource supports any of the settings listed in an INI file as properties.
|
61
|
-
|
62
|
-
<br>
|
63
|
-
|
64
|
-
## Examples
|
65
|
-
|
66
|
-
The following examples show how to use this InSpec audit resource.
|
67
|
-
|
68
|
-
### Test SMTP settings in a PHP INI file
|
69
|
-
|
70
|
-
For example, a PHP INI file located at contains the following settings:
|
71
|
-
|
72
|
-
[mail function]
|
73
|
-
SMTP = smtp.gmail.com
|
74
|
-
smtp_port = 465
|
75
|
-
|
76
|
-
and can be tested like this:
|
77
|
-
|
78
|
-
describe ini('/etc/php5/apache2/php.ini') do
|
79
|
-
its('mail function.smtp_port') { should eq('465') }
|
80
|
-
end
|
81
|
-
|
82
|
-
<br>
|
83
|
-
|
84
|
-
## Matchers
|
85
|
-
|
86
|
-
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
@@ -1,68 +0,0 @@
|
|
1
|
-
---
|
2
|
-
title: About the interface Resource
|
3
|
-
platform: os
|
4
|
-
---
|
5
|
-
|
6
|
-
# interface
|
7
|
-
|
8
|
-
Use the `interface` InSpec audit resource to test basic network adapter properties, such as name, status, and link speed (in MB/sec).
|
9
|
-
|
10
|
-
* On Linux platforms, `/sys/class/net/#{iface}` is used as source
|
11
|
-
* On the Windows platform, the `Get-NetAdapter` cmdlet is used as source
|
12
|
-
|
13
|
-
<br>
|
14
|
-
|
15
|
-
## Availability
|
16
|
-
|
17
|
-
### Installation
|
18
|
-
|
19
|
-
This resource is distributed along with InSpec itself. You can use it automatically.
|
20
|
-
|
21
|
-
### Version
|
22
|
-
|
23
|
-
This resource first became available in v1.0.0 of InSpec.
|
24
|
-
|
25
|
-
## Syntax
|
26
|
-
|
27
|
-
An `interface` resource block declares network interface properties to be tested:
|
28
|
-
|
29
|
-
describe interface('eth0') do
|
30
|
-
it { should be_up }
|
31
|
-
its('speed') { should eq 1000 }
|
32
|
-
its('name') { should eq eth0 }
|
33
|
-
end
|
34
|
-
|
35
|
-
<br>
|
36
|
-
|
37
|
-
## Properties
|
38
|
-
|
39
|
-
`name`, `speed`
|
40
|
-
|
41
|
-
<br>
|
42
|
-
|
43
|
-
## Resource Property Examples
|
44
|
-
|
45
|
-
### name
|
46
|
-
|
47
|
-
The `name` matcher tests if the named network interface exists:
|
48
|
-
|
49
|
-
its('name') { should eq eth0 }
|
50
|
-
|
51
|
-
### speed
|
52
|
-
|
53
|
-
The `speed` matcher tests the speed of the network interface, in MB/sec:
|
54
|
-
|
55
|
-
its('speed') { should eq 1000 }
|
56
|
-
|
57
|
-
<br>
|
58
|
-
|
59
|
-
## Matchers
|
60
|
-
|
61
|
-
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
62
|
-
|
63
|
-
### be_up
|
64
|
-
|
65
|
-
The `be_up` matcher tests if the network interface is available:
|
66
|
-
|
67
|
-
it { should be_up }
|
68
|
-
|
@@ -1,74 +0,0 @@
|
|
1
|
-
---
|
2
|
-
title: About the iptables Resource
|
3
|
-
platform: linux
|
4
|
-
---
|
5
|
-
|
6
|
-
# iptables
|
7
|
-
|
8
|
-
Use the `iptables` InSpec audit resource to test rules that are defined in `iptables`, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.
|
9
|
-
|
10
|
-
<br>
|
11
|
-
|
12
|
-
## Availability
|
13
|
-
|
14
|
-
### Installation
|
15
|
-
|
16
|
-
This resource is distributed along with InSpec itself. You can use it automatically.
|
17
|
-
|
18
|
-
### Version
|
19
|
-
|
20
|
-
This resource first became available in v1.0.0 of InSpec.
|
21
|
-
|
22
|
-
## Syntax
|
23
|
-
|
24
|
-
A `iptables` resource block declares tests for rules in IP tables:
|
25
|
-
|
26
|
-
describe iptables(rule:'name', table:'name', chain: 'name') do
|
27
|
-
it { should have_rule('RULE') }
|
28
|
-
end
|
29
|
-
|
30
|
-
where
|
31
|
-
|
32
|
-
* `iptables()` may specify any combination of `rule`, `table`, or `chain`
|
33
|
-
* `rule:'name'` is the name of a rule that matches a set of packets
|
34
|
-
* `table:'name'` is the packet matching table against which the test is run
|
35
|
-
* `chain: 'name'` is the name of a user-defined chain or one of `ACCEPT`, `DROP`, `QUEUE`, or `RETURN`
|
36
|
-
* `have_rule('RULE')` tests that rule in the iptables list. This must match the entire line taken from `iptables -S CHAIN`.
|
37
|
-
|
38
|
-
<br>
|
39
|
-
|
40
|
-
## Examples
|
41
|
-
|
42
|
-
The following examples show how to use this InSpec audit resource.
|
43
|
-
|
44
|
-
### Test if the INPUT chain is in default ACCEPT mode
|
45
|
-
|
46
|
-
describe iptables do
|
47
|
-
it { should have_rule('-P INPUT ACCEPT') }
|
48
|
-
end
|
49
|
-
|
50
|
-
### Test if the INPUT chain from the mangle table is in ACCEPT mode
|
51
|
-
|
52
|
-
describe iptables(table:'mangle', chain: 'INPUT') do
|
53
|
-
it { should have_rule('-P INPUT ACCEPT') }
|
54
|
-
end
|
55
|
-
|
56
|
-
### Test if there is a rule allowing Postgres (5432/TCP) traffic
|
57
|
-
|
58
|
-
describe iptables do
|
59
|
-
it { should have_rule('-A INPUT -p tcp -m tcp -m multiport --dports 5432 -m comment --comment "postgres" -j ACCEPT') }
|
60
|
-
end
|
61
|
-
|
62
|
-
Note that the rule specification must exactly match what's in the output of `iptables -S INPUT`, which will depend on how you've built your rules.
|
63
|
-
|
64
|
-
<br>
|
65
|
-
|
66
|
-
## Matchers
|
67
|
-
|
68
|
-
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
69
|
-
|
70
|
-
### have_rule
|
71
|
-
|
72
|
-
The `have_rule` matcher tests the named rule against the information in the `iptables` file:
|
73
|
-
|
74
|
-
it { should have_rule('RULE') }
|
data/docs/resources/json.md.erb
DELETED
@@ -1,73 +0,0 @@
|
|
1
|
-
---
|
2
|
-
title: About the json Resource
|
3
|
-
platform: os
|
4
|
-
---
|
5
|
-
|
6
|
-
# json
|
7
|
-
|
8
|
-
Use the `json` InSpec audit resource to test data in a JSON file.
|
9
|
-
|
10
|
-
<br>
|
11
|
-
|
12
|
-
## Availability
|
13
|
-
|
14
|
-
### Installation
|
15
|
-
|
16
|
-
This resource is distributed along with InSpec itself. You can use it automatically.
|
17
|
-
|
18
|
-
### Version
|
19
|
-
|
20
|
-
This resource first became available in v1.0.0 of InSpec.
|
21
|
-
|
22
|
-
## Syntax
|
23
|
-
|
24
|
-
A `json` resource block declares the data to be tested. Assume the following JSON file:
|
25
|
-
|
26
|
-
{
|
27
|
-
"name" : "hello",
|
28
|
-
"meta" : {
|
29
|
-
"creator" : "John Doe"
|
30
|
-
},
|
31
|
-
"array": [
|
32
|
-
"zero",
|
33
|
-
"one"
|
34
|
-
]
|
35
|
-
}
|
36
|
-
|
37
|
-
This file can be queried using:
|
38
|
-
|
39
|
-
describe json('/path/to/name.json') do
|
40
|
-
its('name') { should eq 'hello' }
|
41
|
-
its(['meta','creator']) { should eq 'John Doe' }
|
42
|
-
its(['array', 1]) { should eq 'one' }
|
43
|
-
end
|
44
|
-
|
45
|
-
where
|
46
|
-
|
47
|
-
* `name` is a configuration setting in a JSON file
|
48
|
-
* `should eq 'foo'` tests a value of `name` as read from a JSON file versus the value declared in the test
|
49
|
-
|
50
|
-
<br>
|
51
|
-
|
52
|
-
## Examples
|
53
|
-
|
54
|
-
The following examples show how to use this InSpec audit resource.
|
55
|
-
|
56
|
-
### name
|
57
|
-
|
58
|
-
The `name` matcher tests the value of the filename as read from a JSON file versus the value declared in the test:
|
59
|
-
|
60
|
-
its('name') { should eq '/tmp/example.json' }
|
61
|
-
|
62
|
-
### Test a cookbook version in a policyfile.lock.json file
|
63
|
-
|
64
|
-
describe json('policyfile.lock.json') do
|
65
|
-
its(['cookbook_locks', 'omnibus', 'version']) { should eq('2.2.0') }
|
66
|
-
end
|
67
|
-
|
68
|
-
<br>
|
69
|
-
|
70
|
-
## Matchers
|
71
|
-
|
72
|
-
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
73
|
-
|
@@ -1,130 +0,0 @@
|
|
1
|
-
---
|
2
|
-
title: About the kernel_module Resource
|
3
|
-
platform: linux
|
4
|
-
---
|
5
|
-
|
6
|
-
# kernel_module
|
7
|
-
|
8
|
-
Use the `kernel_module` InSpec audit resource to test kernel modules on Linux
|
9
|
-
platforms. These parameters are located under `/lib/modules`. Any submodule may
|
10
|
-
be tested using this resource.
|
11
|
-
|
12
|
-
The `kernel_module` resource can also verify if a kernel module is `blacklisted`
|
13
|
-
or if a module is disabled via a fake install using the `bin_true` or `bin_false`
|
14
|
-
method.
|
15
|
-
|
16
|
-
<br>
|
17
|
-
|
18
|
-
## Availability
|
19
|
-
|
20
|
-
### Installation
|
21
|
-
|
22
|
-
This resource is distributed along with InSpec itself. You can use it automatically.
|
23
|
-
|
24
|
-
### Version
|
25
|
-
|
26
|
-
This resource first became available in v1.0.0 of InSpec.
|
27
|
-
|
28
|
-
## Syntax
|
29
|
-
|
30
|
-
A `kernel_module` resource block declares a module name, and then tests if that
|
31
|
-
module is a loaded kernel module, if it is enabled, disabled or if it is
|
32
|
-
blacklisted:
|
33
|
-
|
34
|
-
describe kernel_module('module_name') do
|
35
|
-
it { should be_loaded }
|
36
|
-
it { should_not be_disabled }
|
37
|
-
it { should_not be_blacklisted }
|
38
|
-
end
|
39
|
-
|
40
|
-
where
|
41
|
-
|
42
|
-
* `'module_name'` must specify a kernel module, such as `'bridge'`
|
43
|
-
* `{ should be_loaded }` tests if the module is a loaded kernel module
|
44
|
-
* `{ should be_blacklisted }` tests if the module is blacklisted or if the module is disabled via a fake install using /bin/false or /bin/true
|
45
|
-
* `{ should be_disabled }` tests if the module is disabled via a fake install using /bin/false or /bin/true
|
46
|
-
|
47
|
-
<br>
|
48
|
-
|
49
|
-
## Examples
|
50
|
-
|
51
|
-
The following examples show how to use this InSpec audit resource.
|
52
|
-
|
53
|
-
### version
|
54
|
-
|
55
|
-
The `version` property tests if the kernel module on the system has the correct version:
|
56
|
-
|
57
|
-
its('version') { should eq '3.2.2' }
|
58
|
-
|
59
|
-
### Test a kernel module's 'version'
|
60
|
-
|
61
|
-
describe kernel_module('bridge') do
|
62
|
-
it { should be_loaded }
|
63
|
-
its('version') { should cmp >= '2.2.2' }
|
64
|
-
end
|
65
|
-
|
66
|
-
### Test if a kernel module is loaded, not disabled, and not blacklisted
|
67
|
-
|
68
|
-
describe kernel_module('video') do
|
69
|
-
it { should be_loaded }
|
70
|
-
it { should_not be_disabled }
|
71
|
-
it { should_not be_blacklisted }
|
72
|
-
end
|
73
|
-
|
74
|
-
### Check if a kernel module is blacklisted
|
75
|
-
|
76
|
-
describe kernel_module('floppy') do
|
77
|
-
it { should be_blacklisted }
|
78
|
-
end
|
79
|
-
|
80
|
-
### Check if a kernel module is *not* blacklisted and is loaded
|
81
|
-
|
82
|
-
describe kernel_module('video') do
|
83
|
-
it { should_not be_blacklisted }
|
84
|
-
it { should be_loaded }
|
85
|
-
end
|
86
|
-
|
87
|
-
### Check if a kernel module is disabled via 'bin_false'
|
88
|
-
|
89
|
-
describe kernel_module('sstfb') do
|
90
|
-
it { should_not be_loaded }
|
91
|
-
it { should be_disabled }
|
92
|
-
end
|
93
|
-
|
94
|
-
### Check if a kernel module is 'blacklisted'/'disabled' via 'bin_true'
|
95
|
-
|
96
|
-
describe kernel_module('nvidiafb') do
|
97
|
-
it { should_not be_loaded }
|
98
|
-
it { should be_blacklisted }
|
99
|
-
end
|
100
|
-
|
101
|
-
### Check if a kernel module is not loaded
|
102
|
-
|
103
|
-
describe kernel_module('dhcp') do
|
104
|
-
it { should_not be_loaded }
|
105
|
-
end
|
106
|
-
|
107
|
-
<br>
|
108
|
-
|
109
|
-
## Matchers
|
110
|
-
|
111
|
-
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
112
|
-
|
113
|
-
|
114
|
-
### be_blacklisted
|
115
|
-
|
116
|
-
The `be_blacklisted` matcher tests if the kernel module is a blacklisted module:
|
117
|
-
|
118
|
-
it { should be_blacklisted }
|
119
|
-
|
120
|
-
### be_disabled
|
121
|
-
|
122
|
-
The `be_disabled` matcher tests if the kernel module is disabled:
|
123
|
-
|
124
|
-
it { should be_disabled }
|
125
|
-
|
126
|
-
### be_loaded
|
127
|
-
|
128
|
-
The `be_loaded` matcher tests if the kernel module is loaded:
|
129
|
-
|
130
|
-
it { should be_loaded }
|