inspec 0.9.0

Files changed (247)
  1. checksums.yaml +7 -0
  2. data/.gitignore +8 -0
  3. data/.rubocop.yml +65 -0
  4. data/.travis.yml +23 -0
  5. data/CHANGELOG.md +38 -0
  6. data/Gemfile +33 -0
  7. data/LICENSE +201 -0
  8. data/MAINTAINERS.md +28 -0
  9. data/MAINTAINERS.toml +42 -0
  10. data/README.md +257 -0
  11. data/Rakefile +47 -0
  12. data/bin/inspec +109 -0
  13. data/docs/ctl_inspec.rst +195 -0
  14. data/docs/dsl_inspec.rst +182 -0
  15. data/docs/readme.rst +100 -0
  16. data/docs/resources.rst +4319 -0
  17. data/docs/template.rst +51 -0
  18. data/examples/test-kitchen/.kitchen.yml +20 -0
  19. data/examples/test-kitchen/Berksfile +3 -0
  20. data/examples/test-kitchen/Gemfile +21 -0
  21. data/examples/test-kitchen/README.md +27 -0
  22. data/examples/test-kitchen/metadata.rb +7 -0
  23. data/examples/test-kitchen/recipes/default.rb +6 -0
  24. data/examples/test-kitchen/recipes/nginx.rb +30 -0
  25. data/examples/test-kitchen/test/integration/default/web_spec.rb +28 -0
  26. data/inspec.gemspec +30 -0
  27. data/lib/inspec.rb +20 -0
  28. data/lib/inspec/backend.rb +42 -0
  29. data/lib/inspec/dsl.rb +151 -0
  30. data/lib/inspec/log.rb +34 -0
  31. data/lib/inspec/metadata.rb +79 -0
  32. data/lib/inspec/plugins.rb +9 -0
  33. data/lib/inspec/plugins/resource.rb +62 -0
  34. data/lib/inspec/profile.rb +138 -0
  35. data/lib/inspec/profile_context.rb +170 -0
  36. data/lib/inspec/resource.rb +76 -0
  37. data/lib/inspec/rspec_json_formatter.rb +27 -0
  38. data/lib/inspec/rule.rb +170 -0
  39. data/lib/inspec/runner.rb +154 -0
  40. data/lib/inspec/shell.rb +66 -0
  41. data/lib/inspec/targets.rb +9 -0
  42. data/lib/inspec/targets/core.rb +27 -0
  43. data/lib/inspec/targets/dir.rb +67 -0
  44. data/lib/inspec/targets/file.rb +29 -0
  45. data/lib/inspec/targets/folder.rb +43 -0
  46. data/lib/inspec/targets/tar.rb +34 -0
  47. data/lib/inspec/targets/url.rb +39 -0
  48. data/lib/inspec/targets/zip.rb +47 -0
  49. data/lib/inspec/version.rb +7 -0
  50. data/lib/matchers/matchers.rb +221 -0
  51. data/lib/resources/apache.rb +29 -0
  52. data/lib/resources/apache_conf.rb +113 -0
  53. data/lib/resources/apt.rb +140 -0
  54. data/lib/resources/audit_policy.rb +63 -0
  55. data/lib/resources/auditd_conf.rb +56 -0
  56. data/lib/resources/auditd_rules.rb +53 -0
  57. data/lib/resources/bond.rb +65 -0
  58. data/lib/resources/bridge.rb +114 -0
  59. data/lib/resources/command.rb +57 -0
  60. data/lib/resources/csv.rb +32 -0
  61. data/lib/resources/directory.rb +15 -0
  62. data/lib/resources/etc_group.rb +150 -0
  63. data/lib/resources/file.rb +110 -0
  64. data/lib/resources/gem.rb +46 -0
  65. data/lib/resources/group.rb +132 -0
  66. data/lib/resources/host.rb +143 -0
  67. data/lib/resources/inetd_conf.rb +56 -0
  68. data/lib/resources/interface.rb +127 -0
  69. data/lib/resources/iptables.rb +65 -0
  70. data/lib/resources/json.rb +64 -0
  71. data/lib/resources/kernel_module.rb +40 -0
  72. data/lib/resources/kernel_parameter.rb +55 -0
  73. data/lib/resources/limits_conf.rb +55 -0
  74. data/lib/resources/login_def.rb +60 -0
  75. data/lib/resources/mysql.rb +81 -0
  76. data/lib/resources/mysql_conf.rb +116 -0
  77. data/lib/resources/mysql_session.rb +52 -0
  78. data/lib/resources/npm.rb +44 -0
  79. data/lib/resources/ntp_conf.rb +58 -0
  80. data/lib/resources/oneget.rb +63 -0
  81. data/lib/resources/os.rb +22 -0
  82. data/lib/resources/os_env.rb +34 -0
  83. data/lib/resources/package.rb +169 -0
  84. data/lib/resources/parse_config.rb +75 -0
  85. data/lib/resources/passwd.rb +93 -0
  86. data/lib/resources/pip.rb +75 -0
  87. data/lib/resources/port.rb +296 -0
  88. data/lib/resources/postgres.rb +37 -0
  89. data/lib/resources/postgres_conf.rb +87 -0
  90. data/lib/resources/postgres_session.rb +59 -0
  91. data/lib/resources/processes.rb +57 -0
  92. data/lib/resources/registry_key.rb +54 -0
  93. data/lib/resources/script.rb +34 -0
  94. data/lib/resources/security_policy.rb +73 -0
  95. data/lib/resources/service.rb +379 -0
  96. data/lib/resources/ssh_conf.rb +75 -0
  97. data/lib/resources/user.rb +374 -0
  98. data/lib/resources/windows_feature.rb +77 -0
  99. data/lib/resources/yaml.rb +23 -0
  100. data/lib/resources/yum.rb +154 -0
  101. data/lib/utils/convert.rb +12 -0
  102. data/lib/utils/detect.rb +15 -0
  103. data/lib/utils/find_files.rb +36 -0
  104. data/lib/utils/hash.rb +13 -0
  105. data/lib/utils/modulator.rb +12 -0
  106. data/lib/utils/parser.rb +61 -0
  107. data/lib/utils/simpleconfig.rb +115 -0
  108. data/tasks/maintainers.rb +213 -0
  109. data/test/docker_run.rb +156 -0
  110. data/test/docker_test.rb +51 -0
  111. data/test/helper.rb +200 -0
  112. data/test/integration/.kitchen.yml +42 -0
  113. data/test/integration/Berksfile +4 -0
  114. data/test/integration/cookbooks/os_prepare/metadata.rb +8 -0
  115. data/test/integration/cookbooks/os_prepare/recipes/apt.rb +20 -0
  116. data/test/integration/cookbooks/os_prepare/recipes/default.rb +9 -0
  117. data/test/integration/cookbooks/os_prepare/recipes/file.rb +21 -0
  118. data/test/integration/cookbooks/os_prepare/recipes/package.rb +26 -0
  119. data/test/integration/default/_debug_spec.rb +1 -0
  120. data/test/integration/default/apt_spec.rb +42 -0
  121. data/test/integration/default/file_spec.rb +109 -0
  122. data/test/integration/default/group_spec.rb +32 -0
  123. data/test/integration/default/kernel_module_spec.rb +17 -0
  124. data/test/integration/default/kernel_parameter_spec.rb +56 -0
  125. data/test/integration/default/package_spec.rb +11 -0
  126. data/test/integration/default/service_spec.rb +28 -0
  127. data/test/integration/default/user_spec.rb +44 -0
  128. data/test/resource/command_test.rb +33 -0
  129. data/test/resource/dsl_test.rb +45 -0
  130. data/test/resource/file_test.rb +130 -0
  131. data/test/resource/ssh_config.rb +9 -0
  132. data/test/resource/sshd_config.rb +9 -0
  133. data/test/test-extra.yaml +11 -0
  134. data/test/test.yaml +11 -0
  135. data/test/unit/mock/cmd/Get-NetAdapter +24 -0
  136. data/test/unit/mock/cmd/GetUserAccount +33 -0
  137. data/test/unit/mock/cmd/GetWin32Group +23 -0
  138. data/test/unit/mock/cmd/PATH +1 -0
  139. data/test/unit/mock/cmd/Resolve-DnsName +26 -0
  140. data/test/unit/mock/cmd/Test-NetConnection +4 -0
  141. data/test/unit/mock/cmd/auditctl +7 -0
  142. data/test/unit/mock/cmd/auditpol +2 -0
  143. data/test/unit/mock/cmd/brew-info-jq +1 -0
  144. data/test/unit/mock/cmd/chage-l-root +7 -0
  145. data/test/unit/mock/cmd/dpkg-s-curl +21 -0
  146. data/test/unit/mock/cmd/dscl +5 -0
  147. data/test/unit/mock/cmd/etc-apt +7 -0
  148. data/test/unit/mock/cmd/find-etc-rc-d-name-S +12 -0
  149. data/test/unit/mock/cmd/find-net-interface +9 -0
  150. data/test/unit/mock/cmd/gem-list-local-a-q-rubocop +1 -0
  151. data/test/unit/mock/cmd/get-net-tcpconnection +24 -0
  152. data/test/unit/mock/cmd/get-netadapter-binding-bridge +4 -0
  153. data/test/unit/mock/cmd/get-package-firefox +30 -0
  154. data/test/unit/mock/cmd/get-package-ruby +18 -0
  155. data/test/unit/mock/cmd/get-service-dhcp +10 -0
  156. data/test/unit/mock/cmd/get-windows-feature +7 -0
  157. data/test/unit/mock/cmd/getent-hosts-example.com +1 -0
  158. data/test/unit/mock/cmd/getent-passwd-root +1 -0
  159. data/test/unit/mock/cmd/id-chartmann +1 -0
  160. data/test/unit/mock/cmd/id-root +1 -0
  161. data/test/unit/mock/cmd/initctl-show-config-ssh +3 -0
  162. data/test/unit/mock/cmd/initctl-status-ssh +1 -0
  163. data/test/unit/mock/cmd/iptables-s +6 -0
  164. data/test/unit/mock/cmd/launchctl-list +3 -0
  165. data/test/unit/mock/cmd/ls-1-etc-init.d +2 -0
  166. data/test/unit/mock/cmd/ls-sys-class-net-br +2 -0
  167. data/test/unit/mock/cmd/lsmod +2 -0
  168. data/test/unit/mock/cmd/lsof-np-itcp +4 -0
  169. data/test/unit/mock/cmd/netstat-tulpen +5 -0
  170. data/test/unit/mock/cmd/npm-ls-g--json-bower +9 -0
  171. data/test/unit/mock/cmd/pacman-qi-curl +21 -0
  172. data/test/unit/mock/cmd/ping-example.com +6 -0
  173. data/test/unit/mock/cmd/pip-show-jinja2 +11 -0
  174. data/test/unit/mock/cmd/ps-aux +3 -0
  175. data/test/unit/mock/cmd/pw-usershow-root-7 +1 -0
  176. data/test/unit/mock/cmd/reg_schedule +1 -0
  177. data/test/unit/mock/cmd/rpm-qia-curl +24 -0
  178. data/test/unit/mock/cmd/sbin_sysctl +1 -0
  179. data/test/unit/mock/cmd/secedit-export +7 -0
  180. data/test/unit/mock/cmd/service-e +2 -0
  181. data/test/unit/mock/cmd/service-sendmail-onestatus +3 -0
  182. data/test/unit/mock/cmd/service-sshd-status +1 -0
  183. data/test/unit/mock/cmd/sockstat +5 -0
  184. data/test/unit/mock/cmd/success +0 -0
  185. data/test/unit/mock/cmd/systemctl-show-all-sshd +6 -0
  186. data/test/unit/mock/cmd/win32_product +8 -0
  187. data/test/unit/mock/cmd/yum-repolist-all +52 -0
  188. data/test/unit/mock/files/auditd.conf +4 -0
  189. data/test/unit/mock/files/bond0 +37 -0
  190. data/test/unit/mock/files/etcgroup +3 -0
  191. data/test/unit/mock/files/example.csv +6 -0
  192. data/test/unit/mock/files/inetd.conf +2 -0
  193. data/test/unit/mock/files/kitchen.yml +7 -0
  194. data/test/unit/mock/files/limits.conf +5 -0
  195. data/test/unit/mock/files/login.defs +5 -0
  196. data/test/unit/mock/files/mysql.conf +8 -0
  197. data/test/unit/mock/files/mysql2.conf +2 -0
  198. data/test/unit/mock/files/ntp.conf +5 -0
  199. data/test/unit/mock/files/passwd +2 -0
  200. data/test/unit/mock/files/policyfile.lock.json +12 -0
  201. data/test/unit/mock/files/ssh_config +5 -0
  202. data/test/unit/mock/files/sshd_config +7 -0
  203. data/test/unit/mock/profiles/empty/metadata.rb +0 -0
  204. data/test/unit/mock/profiles/metadata/metadata.rb +1 -0
  205. data/test/unit/profile_context_test.rb +140 -0
  206. data/test/unit/profile_test.rb +49 -0
  207. data/test/unit/resources/apt_test.rb +46 -0
  208. data/test/unit/resources/audit_policy_test.rb +13 -0
  209. data/test/unit/resources/auditd_conf_test.rb +15 -0
  210. data/test/unit/resources/auditd_rules_test.rb +21 -0
  211. data/test/unit/resources/bond_test.rb +24 -0
  212. data/test/unit/resources/bridge_test.rb +56 -0
  213. data/test/unit/resources/csv_test.rb +35 -0
  214. data/test/unit/resources/etc_group_test.rb +37 -0
  215. data/test/unit/resources/gem_test.rb +20 -0
  216. data/test/unit/resources/group_test.rb +96 -0
  217. data/test/unit/resources/host_test.rb +38 -0
  218. data/test/unit/resources/inetd_conf_test.rb +15 -0
  219. data/test/unit/resources/interface_test.rb +54 -0
  220. data/test/unit/resources/iptables_test.rb +30 -0
  221. data/test/unit/resources/json_test.rb +36 -0
  222. data/test/unit/resources/kernel_module_test.rb +23 -0
  223. data/test/unit/resources/kernel_parameter_test.rb +13 -0
  224. data/test/unit/resources/limits_conf_test.rb +14 -0
  225. data/test/unit/resources/login_def_test.rb +16 -0
  226. data/test/unit/resources/mysql_conf_test.rb +14 -0
  227. data/test/unit/resources/npm_test.rb +20 -0
  228. data/test/unit/resources/ntp_conf_test.rb +16 -0
  229. data/test/unit/resources/oneget_test.rb +45 -0
  230. data/test/unit/resources/os_env_test.rb +13 -0
  231. data/test/unit/resources/package_test.rb +51 -0
  232. data/test/unit/resources/passwd_test.rb +24 -0
  233. data/test/unit/resources/pip_test.rb +15 -0
  234. data/test/unit/resources/port_test.rb +46 -0
  235. data/test/unit/resources/processes_test.rb +32 -0
  236. data/test/unit/resources/registry_key_test.rb +19 -0
  237. data/test/unit/resources/script_test.rb +19 -0
  238. data/test/unit/resources/security_policy_test.rb +16 -0
  239. data/test/unit/resources/service_test.rb +116 -0
  240. data/test/unit/resources/ssh_conf_test.rb +33 -0
  241. data/test/unit/resources/user_test.rb +93 -0
  242. data/test/unit/resources/windows_feature.rb +17 -0
  243. data/test/unit/resources/yaml_test.rb +34 -0
  244. data/test/unit/resources/yum_test.rb +68 -0
  245. data/test/unit/simpleconfig_test.rb +80 -0
  246. data/test/unit/utils/content_parser_test.rb +30 -0
  247. metadata +555 -0
@@ -0,0 +1,182 @@
1
+ =====================================================
2
+ InSpec DSL
3
+ =====================================================
4
+
5
+ |inspec| is a run-time framework and rule language used to specify compliance, securuty, and policy requirements. It includes a collection of resources that help you write auditing controls quickly and easily. The syntax used by both open source and |chef compliance| auditing is the same. The open source |inspec resource| framework is compatible with |chef compliance|.
6
+
7
+ The InSpec DSL is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke.
8
+
9
+ The following sections describe the syntax and show some simple examples of using the |inspec resources| to define
10
+
11
+ Syntax
12
+ =====================================================
13
+
14
+ The following resource tests |ssh| server configuration. For example, a simple control may desrcibed as:
15
+
16
+ .. code-block:: ruby
17
+
18
+ describe sshd_config do
19
+ its('Port') { should eq('22') }
20
+ end
21
+
22
+ In various use cases like implementing IT compliance across different departments, it becomes handy to extend the control with metadata. Each control may define an additional ``impact``, ``title`` or ``desc``. An example looks like:
23
+
24
+ .. code-block:: ruby
25
+
26
+ control 'sshd-8' do
27
+ impact 0.6
28
+ title 'Server: Configure the service port'
29
+ desc '
30
+ Always specify which port the SSH server should listen to.
31
+ Prevent unexpected settings.
32
+ '
33
+ describe sshd_config do
34
+ its('Port') { should eq('22') }
35
+ end
36
+ end
37
+
38
+ where
39
+
40
+ * ``'sshd-8'`` is the name of the control
41
+ * ``impact``, ``title``, and ``desc`` define metadata that fully describes the importance of the control, its purpose, with a succinct and complete description
42
+ * ``impact`` is an float that measures the importance of the compliance results and must be a value between ``0.0`` and ``1.0``.
43
+ * ``describe`` is a block that contains at least one test. A ``control`` block must contain at least one ``describe`` block, but may contain as many as required
44
+ * ``sshd_config`` is an |inspec| resource. For the full list of InSpec resources, see |inspec| resource documentation
45
+ * ``its('Port')`` is the matcher; ``{ should eq('22') }`` is the test. A ``describe`` block must contain at least one matcher, but may contain as many as required
46
+
47
+
48
+ Author Tests
49
+ -----------------------------------------------------
50
+ It is recommended that test files are located in the ``/tests`` directory. When writing controls, the ``impact``, ``title``, ``desc`` metadata are _optional_, but are highly recommended.
51
+
52
+ Examples
53
+ =====================================================
54
+ The following examples show simple compliance tests using a single ``control`` block.
55
+
56
+ Test System Event Log
57
+ -----------------------------------------------------
58
+ The following test shows how to audit machines running |windows| 2012 R2 that pwassword complexity is enabled:
59
+
60
+ .. code-block:: ruby
61
+
62
+ control 'windows-account-102' do
63
+ impact 1.0
64
+ title 'Windows Password Complexity is Enabled'
65
+ desc 'Password must meet complexity requirement'
66
+ describe security_policy do
67
+ its('PasswordComplexity') { should eq 1 }
68
+ end
69
+ end
70
+
71
+ Are PosgtreSQL passwords empty?
72
+ -----------------------------------------------------
73
+ The following test shows how to audit machines running |postgresql| to ensure that passwords are not empty.
74
+
75
+ .. code-block:: ruby
76
+
77
+ control 'postgres-7' do
78
+ impact 1.0
79
+ title 'Don't allow empty passwords'
80
+ describe postgres_session('user', 'pass').query("SELECT * FROM pg_shadow WHERE passwd IS NULL;") do
81
+ its('output') { should eq('') }
82
+ end
83
+ end
84
+
85
+
86
+ Are MySQL passwords in ENV?
87
+ -----------------------------------------------------
88
+ The following test shows how to audit machines running |mysql| to ensure that passwords are not stored in ``ENV``:
89
+
90
+ .. code-block:: ruby
91
+
92
+ control 'mysql-3' do
93
+ impact 1.0
94
+ title 'Do not store your MySQL password in your ENV'
95
+ desc '
96
+ Storing credentials in your ENV may easily expose
97
+ them to an attacker. Prevent this at all costs.
98
+ '
99
+ describe command('env') do
100
+ its(:stdout) { should_not match(/^MYSQL_PWD=/) }
101
+ end
102
+ end
103
+
104
+ Is /etc/ssh a Directory?
105
+ -----------------------------------------------------
106
+ The following test shows how to audit machines to ensure that ``/etc/ssh`` is a directory:
107
+
108
+ .. code-block:: ruby
109
+
110
+ control 'basic-1' do
111
+ impact 1.0
112
+ title '/etc/ssh should be a directory'
113
+ desc '
114
+ In order for OpenSSH to function correctly, its
115
+ configuration path must be a folder.
116
+ '
117
+ describe file('/etc/ssh') do
118
+ it { should be_directory }
119
+ end
120
+ end
121
+
122
+ Is Apache running?
123
+ -----------------------------------------------------
124
+ The following test shows how to audit machines to ensure that |apache| is enabled and running:
125
+
126
+ .. code-block:: ruby
127
+
128
+ control 'apache-1' do
129
+ impact 0.3
130
+ title 'Apache2 should be configured and running'
131
+ describe service(apache.service) do
132
+ it { should be_enabled }
133
+ it { should be_running }
134
+ end
135
+ end
136
+
137
+ Are insecure packages installed ?
138
+ -----------------------------------------------------
139
+ The following test shows how to audit machines for insecure packages:
140
+
141
+ .. code-block:: ruby
142
+
143
+ control 'cis-os-services-5.1.3' do
144
+ impact 0.7
145
+ title '5.1.3 Ensure rsh client is not installed'
146
+
147
+ describe package('rsh') do
148
+ it { should_not be_installed }
149
+ end
150
+
151
+ describe package('rsh-redone-client') do
152
+ it { should_not be_installed }
153
+ end
154
+ end
155
+
156
+
157
+ Test Windows Registry Keys
158
+ -----------------------------------------------------
159
+ The following test shows how to audit machines to ensure Safe DLL Seach Mode is enabled:
160
+
161
+ .. code-block:: ruby
162
+
163
+ control 'windows-base-101' do
164
+ impact 1.0
165
+ title 'Safe DLL Search Mode is Enabled'
166
+ desc '
167
+ @link: https://msdn.microsoft.com/en-us/library/ms682586(v=vs.85).aspx
168
+ '
169
+ describe registry_key('HKLM\\System\\CurrentControlSet\\Control\\Session Manager') do
170
+ it { should exist }
171
+ it { should_not have_property_value('SafeDllSearchMode', :type_dword, '0') }
172
+ end
173
+ end
174
+
175
+ .. |inspec| replace:: InSpec
176
+ .. |inspec resource| replace:: InSpec Resource
177
+ .. |chef compliance| replace:: Chef Compliance
178
+ .. |ruby| replace:: Ruby
179
+ .. |ruby| replace:: SSH
180
+ .. |windows| replace:: Microsoft Windows
181
+ .. |postgresql| replace:: PostgreSQL
182
+ .. |apache| replace:: Apache
data/docs/readme.rst ADDED
@@ -0,0 +1,100 @@
1
+ =====================================================
2
+ InSpec Documentation
3
+ =====================================================
4
+
5
+ InSpec a collection of resources and matchers to test the compliance of your nodes. This documentation provides an introduction to this mechanism and shows how to write custom tests.
6
+
7
+ Introduction
8
+ -----------------------------------------------------
9
+
10
+ At first, we add our tests to the ``test`` folder. Each test file must end with ``_spec.rb``:
11
+
12
+ .. code-block:: bash
13
+
14
+ mkdir test
15
+ touch test/example_spec.rb
16
+
17
+ We add a control to this file, to check the ``/tmp`` path in our system:
18
+
19
+ .. code-block:: ruby
20
+
21
+ # encoding: utf-8
22
+
23
+ control "cis-fs-2.1" do # A unique ID for this control
24
+ impact 0.7 # The criticality, if this control fails.
25
+ title "Create separate /tmp partition" # A human-readable title
26
+ desc "An optional description..."
27
+ describe file('/tmp') do # The actual test
28
+ it { should be_mounted }
29
+ end
30
+ end
31
+
32
+
33
+ Let's add another spec for checking the SSH server configuration:
34
+
35
+ .. code-block:: bash
36
+
37
+ touch test/sshd_spec.rb
38
+
39
+ It will contain:
40
+
41
+ .. code-block:: ruby
42
+
43
+ # encoding: utf-8
44
+
45
+ # Skip all controls, if SSH doesn't exist on the system
46
+ only_if do
47
+ command('sshd').exist?
48
+ end
49
+
50
+ control "sshd-11" do
51
+ impact 1.0
52
+ title "Server: Set protocol version to SSHv2"
53
+ desc "
54
+ Set the SSH protocol version to 2. Don't use legacy
55
+ insecure SSHv1 connections anymore.
56
+ "
57
+ describe sshd_config do
58
+ its('Protocol') { should eq('2') }
59
+ end
60
+ end
61
+
62
+ control "sshd-7" do
63
+ impact 1.0
64
+ title "Server: Do not permit root-based login with password."
65
+ desc "
66
+ To reduce the potential to gain full privileges
67
+ of a system in the course of an attack (by either misconfiguration
68
+ or vulnerabilities), do not allow login as root with password
69
+ "
70
+ describe sshd_config do
71
+ its('PermitRootLogin') { should match(/no|without-password/) }
72
+ end
73
+ end
74
+
75
+
76
+ Now, we are ready to run the tests locally:
77
+
78
+ bundle exec bin/inspec exec demo/test/example_spec.rb
79
+
80
+ .. code-block:: bash
81
+
82
+ # run tests individually
83
+ $ inspec exec test/example_spec.rb
84
+ $ inspec exec test/sshd_spec.rb
85
+
86
+ # if you want to run all test located within the directory
87
+ $ inspec exec ./test
88
+
89
+
90
+ Stability Index
91
+ -----------------------------------------------------
92
+
93
+ Every available InSpec resource will indicate its stability. As InSpec matures, certain parts are more reliable than others. Brand new features are likely to be redesigned and marked as such.
94
+
95
+ The stability indices are as follows:
96
+
97
+ * ``Stability: Deprecated`` - This features will be removed in future versions, because its known for being problematic. Do not rely on it.
98
+ * ``Stability: Experimental`` - New features may change or are removed in future versions
99
+ * ``Stability: Stable`` - API is well established and proofed. Maintaining compatibility is a high priority
100
+ * ``Stability: Locked`` - Only security and performance fixes are allowed
@@ -0,0 +1,4319 @@
1
+ =====================================================
2
+ InSpec Resources Reference
3
+ =====================================================
4
+
5
+ The following InSpec audit resources are available:
6
+
7
+ * ``apache_conf``
8
+ * ``apt``
9
+ * ``audit_policy``
10
+ * ``auditd_conf``
11
+ * ``auditd_rules``
12
+ * ``bond``
13
+ * ``bridge``
14
+ * ``csv``
15
+ * ``command``
16
+ * ``directory``
17
+ * ``etc_group``
18
+ * ``file``
19
+ * ``gem``
20
+ * ``group``
21
+ * ``host``
22
+ * ``inetd_conf``
23
+ * ``interface``
24
+ * ``iptables``
25
+ * ``kernel_module``
26
+ * ``kernel_parameter``
27
+ * ``limits_conf``
28
+ * ``login_defs``
29
+ * ``mysql_conf``
30
+ * ``mysql_session``
31
+ * ``npm``
32
+ * ``ntp_conf``
33
+ * ``oneget``
34
+ * ``os``
35
+ * ``os_env``
36
+ * ``package``
37
+ * ``parse_config``
38
+ * ``parse_config_file``
39
+ * ``passwd``
40
+ * ``pip``
41
+ * ``port``
42
+ * ``postgres_conf``
43
+ * ``postgres_session``
44
+ * ``processes``
45
+ * ``registry_key``
46
+ * ``script``
47
+ * ``security_policy``
48
+ * ``service``
49
+ * ``ssh_config``
50
+ * ``sshd_config``
51
+ * ``user``
52
+ * ``windows_feature``
53
+ * ``yaml``
54
+ * ``yum``
55
+
56
+ See below for more information about each InSpec audit resource, its related matchers, and examples of how to use it in a recipe.
57
+
58
+
59
+ apache_conf
60
+ =====================================================
61
+ Use the ``apache_conf`` |inspec resource| to test the configuration settings for |apache|. This file is typically located under ``/etc/apache2`` on the |debian| and |ubuntu| platforms and under ``/etc/httpd`` on the |fedora|, |centos|, |redhat enterprise linux|, and |archlinux| platforms. The configuration settings may vary significantly from platform to platform.
62
+
63
+ **Stability: Experimental**
64
+
65
+ Syntax
66
+ -----------------------------------------------------
67
+ An ``apache_conf`` |inspec resource| block declares configuration settings that should be tested:
68
+
69
+ .. code-block:: ruby
70
+
71
+ describe apache_conf('path') do
72
+ its('setting_name') { should eq 'value' }
73
+ end
74
+
75
+ where
76
+
77
+ * ``'setting_name'`` is a configuration setting defined in the |apache| configuration file
78
+ * ``('path')`` is the non-default path to the |apache| configuration file
79
+ * ``{ should eq 'value' }`` is the value that is expected
80
+
81
+ Matchers
82
+ -----------------------------------------------------
83
+ This |inspec resource| matches any service that is listed in the |apache| configuration file:
84
+
85
+ .. code-block:: ruby
86
+
87
+ its('PidFile') { should_not eq '/var/run/httpd.pid' }
88
+
89
+ or:
90
+
91
+ .. code-block:: ruby
92
+
93
+ its('Timeout') { should eq 300 }
94
+
95
+ For example:
96
+
97
+ .. code-block:: ruby
98
+
99
+ describe apache_conf do
100
+ its('MaxClients') { should eq 100 }
101
+ its('Listen') { should eq '443'}
102
+ end
103
+
104
+ Examples
105
+ -----------------------------------------------------
106
+ The following examples show how to use this InSpec audit resource in a test.
107
+
108
+ **Test for blocking .htaccess files on CentOS**
109
+
110
+ .. code-block:: ruby
111
+
112
+ describe apache_conf do
113
+ its('AllowOverride') { should eq 'None' }
114
+ end
115
+
116
+ **Test ports for SSL**
117
+
118
+ .. code-block:: ruby
119
+
120
+ describe apache_conf do
121
+ its('Listen') { should eq '443'}
122
+ end
123
+
124
+
125
+ apt
126
+ =====================================================
127
+ Use the ``apt`` |inspec resource| to verify |apt| repositories on the |debian| and |ubuntu| platforms, and also |ppa| repositories on the |ubuntu| platform.
128
+
129
+ **Stability: Stable**
130
+
131
+ Syntax
132
+ -----------------------------------------------------
133
+ An ``apt`` |inspec resource| block tests the contents of |apt| and |ppa| repositories:
134
+
135
+ .. code-block:: ruby
136
+
137
+ describe apt('path') do
138
+ it { should exist }
139
+ it { should be_enabled }
140
+ end
141
+
142
+ where
143
+
144
+ * ``apt('path')`` must specify an |apt| or |ppa| repository
145
+ * ``('path')`` may be an ``http://`` address, a ``ppa:`` address, or a short ``repo-name/ppa`` address
146
+ * ``exist`` and ``be_enabled`` are a valid matchers for this |inspec resource|
147
+
148
+ Matchers
149
+ -----------------------------------------------------
150
+ This InSpec audit resource has the following matchers.
151
+
152
+ be_enabled
153
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
154
+ The ``be_enabled`` matcher tests if a package exists in the repository:
155
+
156
+ .. code-block:: ruby
157
+
158
+ it { should be_enabled }
159
+
160
+ exist
161
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
162
+ The ``exist`` matcher tests if a package exists on the system:
163
+
164
+ .. code-block:: ruby
165
+
166
+ it { should exist }
167
+
168
+ Examples
169
+ -----------------------------------------------------
170
+ The following examples show how to use this InSpec audit resource in a test.
171
+
172
+ **Test if apt repository exists and is enabled**
173
+
174
+ .. code-block:: ruby
175
+
176
+ describe apt('http://ppa.launchpad.net/juju/stable/ubuntu') do
177
+ it { should exist }
178
+ it { should be_enabled }
179
+ end
180
+
181
+ **Verify that a PPA repository exists and is enabled**
182
+
183
+ .. code-block:: ruby
184
+
185
+ describe apt('ppa:nginx/stable') do
186
+ it { should exist }
187
+ it { should be_enabled }
188
+ end
189
+
190
+ **Verify that a repository is not present**
191
+
192
+ .. code-block:: ruby
193
+
194
+ describe apt('ubuntu-wine/ppa') do
195
+ it { should_not exist }
196
+ it { should_not be_enabled }
197
+ end
198
+
199
+
200
+
201
+ audit_policy
202
+ =====================================================
203
+ Use the ``audit_policy`` |inspec resource| to test auditing policies on the |windows| platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each auditing category property that is enabled, the auditing level may be set to ``No Auditing``, ``Not Specified``, ``Success``, ``Success and Failure``, or ``Failure``.
204
+
205
+ **Stability: Experimental**
206
+
207
+ Syntax
208
+ -----------------------------------------------------
209
+ An ``audit_policy`` |inspec resource| block declares a parameter that belongs to an audit policy category or subcategory:
210
+
211
+ .. code-block:: ruby
212
+
213
+ describe audit_policy do
214
+ its('parameter') { should eq 'value' }
215
+ end
216
+
217
+ where
218
+
219
+ * ``'parameter'`` must specify a parameter
220
+ * ``'value'`` must be one of ``No Auditing``, ``Not Specified``, ``Success``, ``Success and Failure``, or ``Failure``
221
+
222
+ Matchers
223
+ -----------------------------------------------------
224
+ This InSpec audit resource does not have any matchers.
225
+
226
+ Examples
227
+ -----------------------------------------------------
228
+ The following examples show how to use this InSpec audit resource.
229
+
230
+ **Test that a parameter is not set to "No Auditing"**
231
+
232
+ .. code-block:: ruby
233
+
234
+ describe audit_policy do
235
+ its('Other Account Logon Events') { should_not eq 'No Auditing' }
236
+ end
237
+
238
+ **Test that a parameter is set to "Success"**
239
+
240
+ .. code-block:: ruby
241
+
242
+ describe audit_policy do
243
+ its('User Account Management') { should eq 'Success' }
244
+ end
245
+
246
+
247
+
248
+ auditd_conf
249
+ =====================================================
250
+ Use the ``auditd_conf`` |inspec resource| to test the configuration settings for the audit daemon. This file is typically located under ``/etc/audit/auditd.conf'`` on |unix| and |linux| platforms.
251
+
252
+ **Stability: Experimental**
253
+
254
+ Syntax
255
+ -----------------------------------------------------
256
+ A ``auditd_conf`` |inspec resource| block declares configuration settings that should be tested:
257
+
258
+ .. code-block:: ruby
259
+
260
+ describe auditd_conf('path') do
261
+ its('keyword') { should eq 'value' }
262
+ end
263
+
264
+ where
265
+
266
+ * ``'keyword'`` is a configuration setting defined in the ``auditd.conf`` configuration file
267
+ * ``('path')`` is the non-default path to the ``auditd.conf`` configuration file
268
+ * ``{ should eq 'value' }`` is the value that is expected
269
+
270
+ Matchers
271
+ -----------------------------------------------------
272
+ This |inspec resource| matches any keyword that is listed in the ``auditd.conf`` configuration file:
273
+
274
+ .. code-block:: ruby
275
+
276
+ its('log_format') { should eq 'raw' }
277
+
278
+ Examples
279
+ -----------------------------------------------------
280
+ The following examples show how to use this InSpec audit resource.
281
+
282
+ **Test the auditd.conf file**
283
+
284
+ .. code-block:: ruby
285
+
286
+ describe auditd_conf do
287
+ its('log_file') { should eq '/full/path/to/file' }
288
+ its('log_format') { should eq 'raw' }
289
+ its('flush') { should eq 'none' }
290
+ its('freq') { should eq '1' }
291
+ its('num_logs') { should eq '0' }
292
+ its('max_log_file') { should eq '6' }
293
+ its('max_log_file_action') { should eq 'email' }
294
+ its('space_left') { should eq '2' }
295
+ its('action_mail_acct') { should eq 'root' }
296
+ its('space_left_action') { should eq 'email' }
297
+ its('admin_space_left') { should eq '1' }
298
+ its('admin_space_left_action') { should eq 'halt' }
299
+ its('disk_full_action') { should eq 'halt' }
300
+ its('disk_error_action') { should eq 'halt' }
301
+ end
302
+
303
+
304
+
305
+ auditd_rules
306
+ =====================================================
307
+ Use the ``auditd_rules`` |inspec resource| to test the rules for logging that exist on the system. The ``audit.rules`` file is typically located under ``/etc/audit/`` and contains the list of rules that define what is captured in log files.
308
+
309
+ **Stability: Experimental**
310
+
311
+ Syntax
312
+ -----------------------------------------------------
313
+ A ``auditd_rules`` |inspec resource| block declares one (or more) rules to be tested, and then what that rule should do:
314
+
315
+ .. code-block:: ruby
316
+
317
+ describe auditd_rules do
318
+ its('LIST_RULES') { should eq [
319
+ 'exit,always syscall=rmdir,unlink',
320
+ 'exit,always auid=1001 (0x3e9) syscall=open',
321
+ 'exit,always watch=/etc/group perm=wa',
322
+ 'exit,always watch=/etc/passwd perm=wa',
323
+ 'exit,always watch=/etc/shadow perm=wa',
324
+ 'exit,always watch=/etc/sudoers perm=wa',
325
+ 'exit,always watch=/etc/secret_directory perm=r',
326
+ ] }
327
+ end
328
+
329
+ or test that individual rules are defined:
330
+
331
+ .. code-block:: ruby
332
+
333
+ describe auditd_rules do
334
+ its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/group perm=wa key=identity/) }
335
+ its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/passwd perm=wa key=identity/) }
336
+ its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/gshadow perm=wa key=identity/)}
337
+ its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/shadow perm=wa key=identity/)}
338
+ its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/security\/opasswd perm=wa key=identity/)}
339
+ end
340
+
341
+ where each test
342
+
343
+ * Must declare one (or more) rules to be tested
344
+
345
+ Examples
346
+ -----------------------------------------------------
347
+ The following examples show how to use this InSpec audit resource.
348
+
349
+ **Test if a rule contains a matching element that is identified by a regular expression.**
350
+
351
+ .. code-block:: ruby
352
+
353
+ describe audit_daemon_rules do
354
+ its("LIST_RULES") {
355
+ should contain_match(/^exit,always arch=.* key=time-change syscall=adjtimex,settimeofday/)
356
+ }
357
+ end
358
+
359
+
360
+
361
+ bond
362
+ =====================================================
363
+ Use the ``bond`` |inspec resource| to test a logical, bonded network interface (i.e. "two or more network interfaces aggregated into a single, logical network interface"). On |linux| platforms, any value in the ``/proc/net/bonding`` directory may be tested.
364
+
365
+ **Stability: Stable**
366
+
367
+ Syntax
368
+ -----------------------------------------------------
369
+ A ``bond`` |inspec resource| block declares a bonded network interface, and then specifies the properties of that bonded network interface to be tested:
370
+
371
+ .. code-block:: ruby
372
+
373
+ describe bond('name') do
374
+ it { should exist }
375
+ end
376
+
377
+ where
378
+
379
+ * ``'name'`` is the name of the bonded network interface
380
+ * ``{ should exist }`` is a valid matcher for this |inspec resource|
381
+
382
+ Matchers
383
+ -----------------------------------------------------
384
+ This InSpec audit resource has the following matchers.
385
+
386
+ content
387
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
388
+ The ``content`` matcher tests if contents in the file that defines the bonded network interface match the value specified in the test. The values of the ``content`` matcher are arbitrary:
389
+
390
+ .. code-block:: ruby
391
+
392
+ its('content') { should match('value') }
393
+
394
+ exist
395
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
396
+ The ``exist`` matcher tests if the bonded network interface is available:
397
+
398
+ .. code-block:: ruby
399
+
400
+ it { should exist }
401
+
402
+ have_interface
403
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
404
+ The ``have_interface`` matcher tests if the bonded network interface has one (or more) secondary interfaces:
405
+
406
+ .. code-block:: ruby
407
+
408
+ it { should have_interface }
409
+
410
+ interfaces
411
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
412
+ The ``interfaces`` matcher tests if the named secondary interfaces are available:
413
+
414
+ .. code-block:: ruby
415
+
416
+ its('interfaces') { should eq ['eth0', 'eth1', ...] }
417
+
418
+ params
419
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
420
+ The ``params`` matcher tests arbitrary parameters for the bonded network interface:
421
+
422
+ .. code-block:: ruby
423
+
424
+ its('params') { should eq 'value' }
425
+
426
+ Examples
427
+ -----------------------------------------------------
428
+ The following examples show how to use this InSpec audit resource.
429
+
430
+ **Test if eth0 is a secondary interface for bond0**
431
+
432
+ .. code-block:: ruby
433
+
434
+ describe bond('bond0') do
435
+ it { should exist }
436
+ it { should have_interface 'eth0' }
437
+ end
438
+
439
+ **Test parameters for bond0**
440
+
441
+ .. code-block:: ruby
442
+
443
+ describe bond('bond0') do
444
+ its('Bonding Mode') { should eq 'IEEE 802.3ad Dynamic link aggregation' }
445
+ its('Transmit Hash Policy') { should eq 'layer3+4 (1)' }
446
+ its('MII Status') { should eq 'up' }
447
+ its('MII Polling Interval (ms)') { should eq '100' }
448
+ its('Up Delay (ms)') { should eq '0' }
449
+ its('Down Delay (ms)') { should eq '0' }
450
+ end
451
+
452
+
453
+
454
+
455
+
456
+ bridge
457
+ =====================================================
458
+ Use the ``bridge`` |inspec resource| to test basic network bridge properties, such as name, if an interface is defined, and the associations for any defined interface.
459
+
460
+ * On |linux| platforms, any value in the ``/sys/class/net/{interface}/bridge`` directory may be tested
461
+ * On the |windows| platform, the ``Get-NetAdapter`` cmdlet is associated with the ``Get-NetAdapterBinding`` cmdlet and returns the ``ComponentID ms_bridge`` value as a |json| object
462
+
463
+ .. not sure the previous two bullet items are actually true, but keeping there for reference for now, just in case
464
+
465
+ **Stability: Stable**
466
+
467
+ Syntax
468
+ -----------------------------------------------------
469
+ A ``bridge`` |inspec resource| block declares the bridge to be tested and what interface it should be associated with:
470
+
471
+ .. code-block:: ruby
472
+
473
+ describe bridge('br0') do
474
+ it { should exist }
475
+ it { should have_interface 'eth0' }
476
+ end
477
+
478
+ ..
479
+ .. where
480
+ ..
481
+ .. * ``xxxxx`` must specify xxxxx
482
+ .. * xxxxx
483
+ .. * ``xxxxx`` is a valid matcher for this InSpec audit resource
484
+ ..
485
+
486
+
487
+ Matchers
488
+ -----------------------------------------------------
489
+ This InSpec audit resource has the following matchers.
490
+
491
+ exist
492
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
493
+ The ``exist`` matcher tests if the network bridge is available:
494
+
495
+ .. code-block:: ruby
496
+
497
+ it { should exist }
498
+
499
+ have_interface
500
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
501
+ The ``have_interface`` matcher tests if the named interface is defined for the network bridge:
502
+
503
+ .. code-block:: ruby
504
+
505
+ it { should have_interface 'eth0' }
506
+
507
+ interfaces
508
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
509
+ The ``interfaces`` matcher tests if the named interface is present:
510
+
511
+ .. code-block:: ruby
512
+
513
+ its('interfaces') { should eq 'foo' }
514
+ its('interfaces') { should eq 'bar' }
515
+ its('interfaces') { should include('foo') }
516
+
517
+ ..
518
+ .. Examples
519
+ .. -----------------------------------------------------
520
+ .. The following examples show how to use this InSpec audit resource.
521
+ ..
522
+ .. **xxxxx**
523
+ ..
524
+ .. xxxxx
525
+ ..
526
+ .. **xxxxx**
527
+ ..
528
+ .. xxxxx
529
+ ..
530
+
531
+
532
+
533
+
534
+ command
535
+ =====================================================
536
+ Use the ``command`` |inspec resource| to test an arbitrary command that is run on the system.
537
+
538
+ **Stability: Stable**
539
+
540
+ Syntax
541
+ -----------------------------------------------------
542
+ A ``command`` |inspec resource| block declares a command to be run, one (or more) expected outputs, and the location to which that output is sent:
543
+
544
+ .. code-block:: ruby
545
+
546
+ describe command('command') do
547
+ it { should exist }
548
+ its('matcher') { should eq 'output' }
549
+ end
550
+
551
+ where
552
+
553
+ * ``'command'`` must specify a command to be run
554
+ * ``'matcher'`` is one of ``exit_status``, ``stderr``, or ``stdout``
555
+ * ``'output'`` tests the output of the command run on the system versus the output value stated in the test
556
+
557
+ Matchers
558
+ -----------------------------------------------------
559
+ This InSpec audit resource has the following matchers.
560
+
561
+ exist
562
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
563
+ The ``exist`` matcher tests if a command may be run on the system:
564
+
565
+ .. code-block:: ruby
566
+
567
+ it { should exist }
568
+
569
+ exit_status
570
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
571
+ The ``exit_status`` matcher tests the exit status for the command:
572
+
573
+ .. code-block:: ruby
574
+
575
+ its('exit_status') { should eq 123 }
576
+
577
+ stderr
578
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
579
+ The ``stderr`` matcher tests results of the command as returned in standard error (stderr):
580
+
581
+ .. code-block:: ruby
582
+
583
+ its('stderr') { should eq 'error' }
584
+
585
+ stdout
586
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
587
+ The ``stdout`` matcher tests results of the command as returned in standard output (stdout):
588
+
589
+ .. code-block:: ruby
590
+
591
+ its('stdout') { should eq '/^1$/' }
592
+
593
+ Examples
594
+ -----------------------------------------------------
595
+ The following examples show how to use this InSpec audit resource.
596
+
597
+ **Test for PostgreSQL database running a RC, but no development, or beta release**
598
+
599
+ .. code-block:: ruby
600
+
601
+ describe command('psql -V') do
602
+ its('stdout') { should eq '/RC/' }
603
+ its('stdout') { should_not eq '/DEVEL/' }
604
+ its('stdout') { should_not eq '/BETA/' }
605
+ end
606
+
607
+ **Test standard output (stdout)**
608
+
609
+ .. code-block:: ruby
610
+
611
+ describe command('echo hello') do
612
+ its('stdout') { should eq 'hello\n' }
613
+ its('stderr') { should eq '' }
614
+ its('exit_status') { should eq 0 }
615
+ end
616
+
617
+ **Test standard error (stderr)**
618
+
619
+ .. code-block:: ruby
620
+
621
+ describe command('>&2 echo error') do
622
+ its('stdout') { should eq '' }
623
+ its('stderr') { should eq 'error\n' }
624
+ its('exit_status') { should eq 0 }
625
+ end
626
+
627
+ **Test an exit status code**
628
+
629
+ .. code-block:: ruby
630
+
631
+ describe command('exit 123') do
632
+ its('stdout') { should eq '' }
633
+ its('stderr') { should eq '' }
634
+ its('exit_status') { should eq 123 }
635
+ end
636
+
637
+ **Test if the command shell exists**
638
+
639
+ .. code-block:: ruby
640
+
641
+ describe command('/bin/sh').exist? do
642
+ it { should eq true }
643
+ end
644
+
645
+ **Test for a command that should not exist**
646
+
647
+ .. code-block:: ruby
648
+
649
+ describe command('this is not existing').exist? do
650
+ it { should eq false }
651
+ end
652
+
653
+
654
+
655
+
656
+ csv
657
+ =====================================================
658
+ Use the ``csv`` |inspec resource| to test configuration data in a |csv| file.
659
+
660
+ **Stability: Experimental**
661
+
662
+ Syntax
663
+ -----------------------------------------------------
664
+ A ``csv`` |inspec resource| block declares the configuration data to be tested:
665
+
666
+ .. code-block:: ruby
667
+
668
+ describe csv('file') do
669
+ its('name') { should eq 'foo' }
670
+ end
671
+
672
+ where
673
+
674
+ * ``'file'`` is the path to a |csv| file
675
+ * ``name`` is a configuration setting in a |csv| file
676
+ * ``should eq 'foo'`` tests a value of ``name`` as read from a |csv| file versus the value declared in the test
677
+
678
+ Matchers
679
+ -----------------------------------------------------
680
+ This InSpec audit resource has the following matchers.
681
+
682
+ name
683
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
684
+ The ``name`` matcher tests the value of ``name`` as read from a |csv| file versus the value declared in the test:
685
+
686
+ .. code-block:: ruby
687
+
688
+ its('name') { should eq 'foo' }
689
+
690
+ Examples
691
+ -----------------------------------------------------
692
+ The following examples show how to use this InSpec audit resource.
693
+
694
+ **Test a CSV file**
695
+
696
+ .. code-block:: ruby
697
+
698
+ describe csv('some_file.csv') do
699
+ its('setting') { should eq 1 }
700
+ end
701
+
702
+
703
+
704
+ directory
705
+ =====================================================
706
+ Use the ``directory`` |inspec resource| to test if the file type is a directory. This is equivalent to using the ``file`` |inspec resource| and the ``be_directory`` matcher, but provides a simpler and more direct way to test directories. All of the matchers available to ``file`` may be used with ``directory``.
707
+
708
+ **Stability: Experimental**
709
+
710
+ Syntax
711
+ -----------------------------------------------------
712
+ A ``directory`` |inspec resource| block declares the location of the directory to be tested, and then one (or more) matchers:
713
+
714
+ .. code-block:: ruby
715
+
716
+ describe directory('path') do
717
+ it { should MATCHER 'value' }
718
+ end
719
+
720
+ Matchers
721
+ -----------------------------------------------------
722
+ This |inspec resource| may use any of the matchers available to the ``file`` resource that are useful for testing a directory.
723
+
724
+ ..
725
+ .. Examples
726
+ .. -----------------------------------------------------
727
+ .. The following examples show how to use this InSpec audit resource.
728
+ ..
729
+ .. **xxxxx**
730
+ ..
731
+ .. xxxxx
732
+ ..
733
+ .. **xxxxx**
734
+ ..
735
+ .. xxxxx
736
+ ..
737
+
738
+
739
+ etc_group
740
+ =====================================================
741
+ Use the ``etc_group`` |inspec resource| to test groups that are defined on |linux| and |unix| platforms. The ``/etc/group`` file stores details about each group---group name, password, group identifier, along with a comma-separate list of users that belong to the group.
742
+
743
+ **Stability: Experimental**
744
+
745
+ Syntax
746
+ -----------------------------------------------------
747
+ A ``etc_group`` |inspec resource| block declares a collection of properties to be tested:
748
+
749
+ .. code-block:: ruby
750
+
751
+ describe etc_group('path') do
752
+ its('matcher') { should eq 'some_value' }
753
+ end
754
+
755
+ or:
756
+
757
+ .. code-block:: ruby
758
+
759
+ describe etc_group.where(item: 'value', item: 'value') do
760
+ its('gids') { should_not contain_duplicates }
761
+ its('groups') { should include 'user_name' }
762
+ its('users') { should include 'user_name' }
763
+ end
764
+
765
+ where
766
+
767
+ * ``('path')`` is the non-default path to the ``inetd.conf`` file
768
+ * ``.where()`` may specify a specific item and value, to which the matchers are compared
769
+ * ``'gids'``, ``'groups'``, and ``'users'`` are valid matchers for this |inspec resource|
770
+
771
+ Matchers
772
+ -----------------------------------------------------
773
+ This InSpec audit resource has the following matchers.
774
+
775
+ gids
776
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
777
+ The ``gids`` matcher tests if the named group identifier is present or if it contains duplicates:
778
+
779
+ .. code-block:: ruby
780
+
781
+ its('gids') { should_not contain_duplicates }
782
+
783
+ groups
784
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
785
+ The ``groups`` matcher tests all groups for the named user:
786
+
787
+ .. code-block:: ruby
788
+
789
+ its('groups') { should include 'my_group' }
790
+
791
+ users
792
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
793
+ The ``users`` matcher tests all groups for the named user:
794
+
795
+ .. code-block:: ruby
796
+
797
+ its('users') { should include 'my_user' }
798
+
799
+ where
800
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
801
+ The ``where`` matcher allows the test to be focused to one (or more) specific items:
802
+
803
+ .. code-block:: ruby
804
+
805
+ etc_group.where(item: 'value', item: 'value')
806
+
807
+ where ``item`` may be one (or more) of:
808
+
809
+ * ``name: 'name'``
810
+ * ``group_name: 'group_name'``
811
+ * ``password: 'password'``
812
+ * ``gid: 'gid'``
813
+ * ``group_id: 'gid'``
814
+ * ``users: 'user_name'``
815
+ * ``members: 'member_name'``
816
+
817
+ Examples
818
+ -----------------------------------------------------
819
+ The following examples show how to use this InSpec audit resource.
820
+
821
+ **Test group identifiers (GIDs) for duplicates**
822
+
823
+ .. code-block:: ruby
824
+
825
+ describe etc_group do
826
+ its('gids') { should_not contain_duplicates }
827
+ end
828
+
829
+ **Test all groups to see if a specific user belongs to one (or more) groups**
830
+
831
+ .. code-block:: ruby
832
+
833
+ describe etc_group do
834
+ its('groups') { should include 'my_group' }
835
+ end
836
+
837
+
838
+ **Test all groups for a specific user name**
839
+
840
+ .. code-block:: ruby
841
+
842
+ describe etc_group do
843
+ its('users') { should include 'my_user' }
844
+ end
845
+
846
+ **Filter a list of groups for a specific user**
847
+
848
+ .. code-block:: ruby
849
+
850
+ describe etc_group.where(name: 'my_group') do
851
+ its('users') { should include 'my_user' }
852
+ end
853
+
854
+
855
+
856
+ file
857
+ =====================================================
858
+ Use the ``file`` |inspec resource| to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.
859
+
860
+ **Stability: Stable**
861
+
862
+ Syntax
863
+ -----------------------------------------------------
864
+ A ``file`` |inspec resource| block declares the location of the file type to be tested, what type that file should be (if required), and then one (or more) matchers:
865
+
866
+ .. code-block:: ruby
867
+
868
+ describe file('path') do
869
+ it { should MATCHER 'value' }
870
+ end
871
+
872
+ where
873
+
874
+ * ``('path')`` is the name of the file and/or the path to the file
875
+ * ``MATCHER`` is a valid matcher for this |inspec resource|
876
+ * ``'value'`` is the value to be tested
877
+
878
+ Matchers
879
+ -----------------------------------------------------
880
+ This InSpec audit resource has the following matchers.
881
+
882
+ be_block_device
883
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
884
+ The ``be_block_device`` matcher tests if the file exists as a block device, such as ``/dev/disk0`` or ``/dev/disk0s9``:
885
+
886
+ .. code-block:: ruby
887
+
888
+ it { should be_block_device }
889
+
890
+ be_character_device
891
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
892
+ The ``be_character_device`` matcher tests if the file exists as a character device (that corresponds to a block device), such as ``/dev/rdisk0`` or ``/dev/rdisk0s9``:
893
+
894
+ .. code-block:: ruby
895
+
896
+ it { should be_character_device }
897
+
898
+ be_directory
899
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
900
+ The ``be_directory`` matcher tests if the file exists as a directory, such as ``/etc/passwd``, ``/etc/shadow``, or ``/var/log/httpd``:
901
+
902
+ .. code-block:: ruby
903
+
904
+ it { should be_directory }
905
+
906
+ be_executable
907
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
908
+ The ``be_executable`` matcher tests if the file exists as an executable:
909
+
910
+ .. code-block:: ruby
911
+
912
+ it { should be_executable }
913
+
914
+ The ``be_executable`` matcher may also test if the file is executable by a specific owner, group, or user. For example, a group:
915
+
916
+ .. code-block:: ruby
917
+
918
+ it { should be_executable.by('group') }
919
+
920
+ an owner:
921
+
922
+ .. code-block:: ruby
923
+
924
+ it { should be_executable.by('owner') }
925
+
926
+ a user:
927
+
928
+ .. code-block:: ruby
929
+
930
+ it { should be_executable.by_user('user') }
931
+
932
+ be_file
933
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
934
+ The ``be_file`` matcher tests if the file exists as a file. This can be useful with configuration files like ``/etc/passwd`` where there typically is not an associated file extension---``passwd.txt``:
935
+
936
+ .. code-block:: ruby
937
+
938
+ it { should be_file }
939
+
940
+ be_grouped_into
941
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
942
+ The ``be_grouped_into`` matcher tests if the file exists as part of the named group:
943
+
944
+ .. code-block:: ruby
945
+
946
+ it { should be_grouped_into 'group' }
947
+
948
+ be_immutable
949
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
950
+ The ``be_immutable`` matcher tests if the file is immutable, i.e. "cannot be changed":
951
+
952
+ .. code-block:: ruby
953
+
954
+ it { should be_immutable }
955
+
956
+ be_linked_to
957
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
958
+ The ``be_linked_to`` matcher tests if the file is linked to the named target:
959
+
960
+ .. code-block:: ruby
961
+
962
+ it { should be_linked_to '/etc/target-file' }
963
+
964
+ be_mounted
965
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
966
+ The ``be_mounted`` matcher tests if the file is accessible from the file system:
967
+
968
+ .. code-block:: ruby
969
+
970
+ it { should be_mounted }
971
+
972
+ be_owned_by
973
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
974
+ The ``be_owned_by`` matcher tests if the file is owned by the named user, such as ``root``:
975
+
976
+ .. code-block:: ruby
977
+
978
+ it { should be_owned_by 'root' }
979
+
980
+ be_pipe
981
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
982
+ The ``be_pipe`` matcher tests if the file exists as first-in, first-out special file (``.fifo``) that is typically used to define a named pipe, such as ``/var/log/nginx/access.log.fifo``:
983
+
984
+ .. code-block:: ruby
985
+
986
+ it { should be_pipe }
987
+
988
+ be_readable
989
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
990
+ The ``be_readable`` matcher tests if the file is readable:
991
+
992
+ .. code-block:: ruby
993
+
994
+ it { should be_readable }
995
+
996
+ The ``be_readable`` matcher may also test if the file is readable by a specific owner, group, or user. For example, a group:
997
+
998
+ .. code-block:: ruby
999
+
1000
+ it { should be_readable.by('group') }
1001
+
1002
+ an owner:
1003
+
1004
+ .. code-block:: ruby
1005
+
1006
+ it { should be_readable.by('owner') }
1007
+
1008
+ a user:
1009
+
1010
+ .. code-block:: ruby
1011
+
1012
+ it { should be_readable.by_user('user') }
1013
+
1014
+ be_socket
1015
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1016
+ The ``be_socket`` matcher tests if the file exists as socket (``.sock``), such as ``/var/run/php-fpm.sock``:
1017
+
1018
+ .. code-block:: ruby
1019
+
1020
+ it { should be_socket }
1021
+
1022
+ be_symlink
1023
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1024
+ The ``be_symlink`` matcher tests if the file exists as a symbolic, or soft link that contains an absolute or relative path reference to another file:
1025
+
1026
+ .. code-block:: ruby
1027
+
1028
+ it { should be_symlink }
1029
+
1030
+ be_version
1031
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1032
+ The ``be_version`` matcher tests the version of the file:
1033
+
1034
+ .. code-block:: ruby
1035
+
1036
+ it { should be_version '1.2.3' }
1037
+
1038
+ be_writable
1039
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1040
+ The ``be_writable`` matcher tests if the file is writable:
1041
+
1042
+ .. code-block:: ruby
1043
+
1044
+ it { should be_writable }
1045
+
1046
+ The ``be_writable`` matcher may also test if the file is writable by a specific owner, group, or user. For example, a group:
1047
+
1048
+ .. code-block:: ruby
1049
+
1050
+ it { should be_writable.by('group') }
1051
+
1052
+ an owner:
1053
+
1054
+ .. code-block:: ruby
1055
+
1056
+ it { should be_writable.by('owner') }
1057
+
1058
+ a user:
1059
+
1060
+ .. code-block:: ruby
1061
+
1062
+ it { should be_writable.by_user('user') }
1063
+
1064
+ content
1065
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1066
+ The ``content`` matcher tests if contents in the file match the value specified in the test. The values of the ``content`` matcher are arbitrary and depend on the file type being tested and also the type of information that is expected to be in that file:
1067
+
1068
+ .. code-block:: ruby
1069
+
1070
+ its('content') { should contain 'value' }
1071
+
1072
+ The following complete example tests the ``pg_hba.conf`` file in |postgresql| for |md5| requirements. The tests look at all ``host`` and ``local`` settings in that file, and then compare the |md5| checksums against the values in the test:
1073
+
1074
+ .. code-block:: bash
1075
+
1076
+ describe file(hba_config_file) do
1077
+ its('content') { should match '/local\s.*?all\s.*?all\s.*?md5/' }
1078
+ its('content') { should match '%r{/host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5/}' }
1079
+ its('content') { should match '%r{/host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5/}' }
1080
+ end
1081
+
1082
+ exist
1083
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1084
+ The ``exist`` matcher tests if the named file exists:
1085
+
1086
+ .. code-block:: ruby
1087
+
1088
+ it { should exist }
1089
+
1090
+ file_version
1091
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1092
+ The ``file_version`` matcher tests if the file's version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
1093
+
1094
+ .. code-block:: ruby
1095
+
1096
+ its('file_version') { should eq '1.2.3' }
1097
+
1098
+ group
1099
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1100
+ The ``group`` matcher tests if the group to which a file belongs matches the specified value:
1101
+
1102
+ .. code-block:: ruby
1103
+
1104
+ its('group') { should eq 'admins' }
1105
+
1106
+ have_mode
1107
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1108
+ The ``have_mode`` matcher tests if a file has a mode assigned to it:
1109
+
1110
+ .. code-block:: ruby
1111
+
1112
+ it { should have_mode }
1113
+
1114
+ link_path
1115
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1116
+ The ``link_path`` matcher tests if the file exists at the specified path:
1117
+
1118
+ .. code-block:: ruby
1119
+
1120
+ its('link_path') { should eq '/some/path/to/file' }
1121
+
1122
+ link_target
1123
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1124
+ The ``link_target`` matcher tests if a file that is linked to this file exists at the specified path:
1125
+
1126
+ .. code-block:: ruby
1127
+
1128
+ its('link_target') { should eq '/some/path/to/file' }
1129
+
1130
+ md5sum
1131
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1132
+ The ``md5sum`` matcher tests if the |md5| checksum for a file matches the specified value:
1133
+
1134
+ .. code-block:: ruby
1135
+
1136
+ its('md5sum') { should eq '3329x3hf9130gjs9jlasf2305mx91s4j' }
1137
+
1138
+ mode
1139
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1140
+ The ``mode`` matcher tests if the mode assigned to the file matches the specified value:
1141
+
1142
+ .. code-block:: ruby
1143
+
1144
+ its('mode') { should eq 0644 }
1145
+
1146
+ mtime
1147
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1148
+ The ``mtime`` matcher tests if the file modification time for the file matches the specified value:
1149
+
1150
+ .. code-block:: ruby
1151
+
1152
+ its('mtime') { should eq 'October 31 2015 12:10:45' }
1153
+
1154
+ or:
1155
+
1156
+ .. code-block:: bash
1157
+
1158
+ describe file('/').mtime.to_i do
1159
+ it { should <= Time.now.to_i }
1160
+ it { should >= Time.now.to_i - 1000}
1161
+ end
1162
+
1163
+ owner
1164
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1165
+ The ``owner`` matcher tests if the owner of the file matches the specified value:
1166
+
1167
+ .. code-block:: ruby
1168
+
1169
+ its('owner') { should eq 'root' }
1170
+
1171
+ product_version
1172
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1173
+ The ``product_version`` matcher tests if the file's product version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
1174
+
1175
+ .. code-block:: ruby
1176
+
1177
+ its('product_version') { should eq 2.3.4 }
1178
+
1179
+ selinux_label
1180
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1181
+ The ``selinux_label`` matcher tests if the |selinux| label for a file matches the specified value:
1182
+
1183
+ .. code-block:: ruby
1184
+
1185
+ its('selinux_label') { should eq 'system_u:system_r:httpd_t:s0' }
1186
+
1187
+ sha256sum
1188
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1189
+ The ``sha256sum`` matcher tests if the |sha256| checksum for a file matches the specified value:
1190
+
1191
+ .. code-block:: ruby
1192
+
1193
+ its('sha256sum') { should eq 'b837ch38lh19bb8eaopl8jvxwd2e4g58jn9lkho1w3ed9jbkeicalplaad9k0pjn' }
1194
+
1195
+ size
1196
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1197
+ The ``size`` matcher tests if a file's size matches, is greater than, or is less than the specified value. For example, equal:
1198
+
1199
+ .. code-block:: ruby
1200
+
1201
+ its('size') { should eq 32375 }
1202
+
1203
+ Greater than:
1204
+
1205
+ .. code-block:: ruby
1206
+
1207
+ its('size') { should > 64 }
1208
+
1209
+ Less than:
1210
+
1211
+ .. code-block:: ruby
1212
+
1213
+ its('size') { should < 10240 }
1214
+
1215
+ type
1216
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1217
+ The ``type`` matcher tests if the first letter of the file's mode string contains one of the following characters:
1218
+
1219
+ * ``-`` or ``f`` (the file is a file); use ``'file`` to test for this file type
1220
+ * ``d`` (the file is a directory); use ``'directory`` to test for this file type
1221
+ * ``l`` (the file is a symbolic link); use ``'link`` to test for this file type
1222
+ * ``p`` (the file is a named pipe); use ``'pipe`` to test for this file type
1223
+ * ``s`` (the file is a socket); use ``'socket`` to test for this file type
1224
+ * ``c`` (the file is a character device); use ``'character`` to test for this file type
1225
+ * ``b`` (the file is a block device); use ``'block`` to test for this file type
1226
+ * ``D`` (the file is a door); use ``'door`` to test for this file type
1227
+
1228
+ For example:
1229
+
1230
+ .. code-block:: ruby
1231
+
1232
+ its('type') { should eq 'file' }
1233
+
1234
+ or:
1235
+
1236
+ .. code-block:: ruby
1237
+
1238
+ its('type') { should eq 'socket' }
1239
+
1240
+ Examples
1241
+ -----------------------------------------------------
1242
+ The following examples show how to use this InSpec audit resource.
1243
+
1244
+ **Test the contents of a file for MD5 requirements**
1245
+
1246
+ .. code-block:: bash
1247
+
1248
+ describe file(hba_config_file) do
1249
+ its('content') { should match '/local\s.*?all\s.*?all\s.*?md5/' }
1250
+ its('content') { should match '%r{/host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5/}' }
1251
+ its('content') { should match '%r{/host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5/}' }
1252
+ end
1253
+
1254
+ **Test if a file exists**
1255
+
1256
+ .. code-block:: bash
1257
+
1258
+ describe file('/tmp') do
1259
+ it { should exist }
1260
+ end
1261
+
1262
+ **Test that a file does not exist**
1263
+
1264
+ .. code-block:: bash
1265
+
1266
+ describe file('/tmpest') do
1267
+ it { should_not exist }
1268
+ end
1269
+
1270
+ **Test if a path is a directory**
1271
+
1272
+ .. code-block:: bash
1273
+
1274
+ describe file('/tmp') do
1275
+ its('type') { should eq :directory }
1276
+ it { should be_directory }
1277
+ end
1278
+
1279
+ **Test if a path is a file and not a directory**
1280
+
1281
+ .. code-block:: bash
1282
+
1283
+ describe file('/proc/version') do
1284
+ its('type') { should eq 'file' }
1285
+ it { should be_file }
1286
+ it { should_not be_directory }
1287
+ end
1288
+
1289
+ **Test if a file is a symbolic link**
1290
+
1291
+ .. code-block:: bash
1292
+
1293
+ describe file('/dev/stdout') do
1294
+ its('type') { should eq 'symlink' }
1295
+ it { should be_symlink }
1296
+ it { should_not be_file }
1297
+ it { should_not be_directory }
1298
+ end
1299
+
1300
+ **Test if a file is a character device**
1301
+
1302
+ .. code-block:: bash
1303
+
1304
+ describe file('/dev/zero') do
1305
+ its('type') { should eq 'character' }
1306
+ it { should be_character_device }
1307
+ it { should_not be_file }
1308
+ it { should_not be_directory }
1309
+ end
1310
+
1311
+ **Test if a file is a block device**
1312
+
1313
+ .. code-block:: bash
1314
+
1315
+ describe file('/dev/zero') do
1316
+ its('type') { should eq 'block' }
1317
+ it { should be_character_device }
1318
+ it { should_not be_file }
1319
+ it { should_not be_directory }
1320
+ end
1321
+
1322
+ **Test the mode for a file**
1323
+
1324
+ .. code-block:: bash
1325
+
1326
+ describe file('/dev') do
1327
+ its('mode') { should eq 00755 }
1328
+ end
1329
+
1330
+ **Test the owner of a file**
1331
+
1332
+ .. code-block:: bash
1333
+
1334
+ describe file('/root') do
1335
+ its('owner') { should eq 'root' }
1336
+ end
1337
+
1338
+ **Test if a file is owned by the root user**
1339
+
1340
+ .. code-block:: bash
1341
+
1342
+ describe file('/dev') do
1343
+ it { should be_owned_by 'root' }
1344
+ end
1345
+
1346
+ **Test the mtime for a file**
1347
+
1348
+ .. code-block:: bash
1349
+
1350
+ describe file('/').mtime.to_i do
1351
+ it { should <= Time.now.to_i }
1352
+ it { should >= Time.now.to_i - 1000}
1353
+ end
1354
+
1355
+ **Test that a file's size is between 64 and 10240**
1356
+
1357
+ .. code-block:: bash
1358
+
1359
+ describe file('/') do
1360
+ its('size') { should be > 64 }
1361
+ its('size') { should be < 10240 }
1362
+ end
1363
+
1364
+ **Test that a file's size is zero**
1365
+
1366
+ .. code-block:: bash
1367
+
1368
+ describe file('/proc/cpuinfo') do
1369
+ its('size') { should be 0 }
1370
+ end
1371
+
1372
+ **Test that a file is not mounted**
1373
+
1374
+ .. code-block:: bash
1375
+
1376
+ describe file('/proc/cpuinfo') do
1377
+ it { should_not be_mounted }
1378
+ end
1379
+
1380
+ **Test an MD5 checksum**
1381
+
1382
+ .. code-block:: bash
1383
+
1384
+ require 'digest'
1385
+ cpuinfo = file('/proc/cpuinfo').content
1386
+ md5sum = Digest::MD5.hexdigest(cpuinfo)
1387
+
1388
+ describe file('/proc/cpuinfo') do
1389
+ its('md5sum') { should eq md5sum }
1390
+ end
1391
+
1392
+ **Test an SHA-256 checksum**
1393
+
1394
+ .. code-block:: bash
1395
+
1396
+ require 'digest'
1397
+ cpuinfo = file('/proc/cpuinfo').content
1398
+ sha256sum = Digest::SHA256.hexdigest(cpuinfo)
1399
+
1400
+ describe file('/proc/cpuinfo') do
1401
+ its('sha256sum') { should eq sha256sum }
1402
+ end
1403
+
1404
+
1405
+ gem
1406
+ =====================================================
1407
+ Use the ``gem`` |inspec resource| to test if a global |gem| package is installed.
1408
+
1409
+ **Stability: Experimental**
1410
+
1411
+ Syntax
1412
+ -----------------------------------------------------
1413
+ A ``gem`` |inspec resource| block declares a package and (optionally) a package version:
1414
+
1415
+ .. code-block:: ruby
1416
+
1417
+ describe gem('gem_package_name') do
1418
+ it { should be_installed }
1419
+ end
1420
+
1421
+ where
1422
+
1423
+ * ``('gem_package_name')`` must specify a |gem| package, such as ``'rubocop'``
1424
+ * ``be_installed`` is a valid matcher for this |inspec resource|
1425
+
1426
+ Matchers
1427
+ -----------------------------------------------------
1428
+ This InSpec audit resource has the following matchers.
1429
+
1430
+ be_installed
1431
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1432
+ The ``be_installed`` matcher tests if the named |gem| package is installed:
1433
+
1434
+ .. code-block:: ruby
1435
+
1436
+ it { should be_installed }
1437
+
1438
+ version
1439
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1440
+ The ``version`` matcher tests if the named package version is on the system:
1441
+
1442
+ .. code-block:: ruby
1443
+
1444
+ its('version') { should eq '0.33.0' }
1445
+
1446
+ Examples
1447
+ -----------------------------------------------------
1448
+ The following examples show how to use this InSpec audit resource.
1449
+
1450
+ **Verify that a gem package is installed, with a specific version**
1451
+
1452
+ .. code-block:: ruby
1453
+
1454
+ describe gem('rubocop') do
1455
+ it { should be_installed }
1456
+ its('version') { should eq '0.33.0' }
1457
+ end
1458
+
1459
+ **Verify that a gem package is not installed**
1460
+
1461
+ .. code-block:: ruby
1462
+
1463
+ describe gem('rubocop') do
1464
+ it { should_not be_installed }
1465
+ end
1466
+
1467
+
1468
+ group
1469
+ =====================================================
1470
+ Use the ``group`` |inspec resource| to test groups on the system.
1471
+
1472
+ Syntax
1473
+ -----------------------------------------------------
1474
+ A ``group`` |inspec resource| block declares a group, and then the details to be tested, such as if the group is a local group, the group identifier, or if the group exists:
1475
+
1476
+ .. code-block:: ruby
1477
+
1478
+ describe group('group_name') do
1479
+ it { should exist }
1480
+ its('gid') { should eq 0 }
1481
+ end
1482
+
1483
+ where
1484
+
1485
+ * ``'group_name'`` must specify the name of a group on the system
1486
+ * ``exist`` and ``'gid'`` are valid matchers for this |inspec resource|
1487
+
1488
+ Matchers
1489
+ -----------------------------------------------------
1490
+ This InSpec audit resource has the following matchers.
1491
+
1492
+ be_local
1493
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1494
+ The ``be_local`` matcher tests if the group is a local group:
1495
+
1496
+ .. code-block:: ruby
1497
+
1498
+ it { should be_local }
1499
+
1500
+ exist
1501
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1502
+ The ``exist`` matcher tests if the named user exists:
1503
+
1504
+ .. code-block:: ruby
1505
+
1506
+ it { should exist }
1507
+
1508
+ gid
1509
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1510
+ The ``gid`` matcher tests the named group identifier:
1511
+
1512
+ .. code-block:: ruby
1513
+
1514
+ its('gid') { should eq 1234 }
1515
+
1516
+ Examples
1517
+ -----------------------------------------------------
1518
+ The following examples show how to use this InSpec audit resource.
1519
+
1520
+ **Test the group identifier for the root group**
1521
+
1522
+ .. code-block:: ruby
1523
+
1524
+ describe group('root') do
1525
+ it { should exist }
1526
+ its('gid') { should eq 0 }
1527
+ end
1528
+
1529
+
1530
+
1531
+ host
1532
+ =====================================================
1533
+ Use the ``host`` |inspec resource| to test the name used to refer to a specific host and its availability, including the Internet protocols and ports over which that host name should be available.
1534
+
1535
+ **Stability: Stable**
1536
+
1537
+ Syntax
1538
+ -----------------------------------------------------
1539
+ A ``host`` |inspec resource| block declares a host name, and then (depending on what is to be tested) a port and/or a protocol:
1540
+
1541
+ .. code-block:: ruby
1542
+
1543
+ describe host('example.com', port: 80, proto: 'tcp') do
1544
+ it { should be_reachable }
1545
+ end
1546
+
1547
+ where
1548
+
1549
+ * ``host()`` must specify a host name and may specify a port number and/or a protocol
1550
+ * ``'example.com'`` is the host name
1551
+ * ``port:`` is the port number
1552
+ * ``proto: 'name'`` is the Internet protocol: |tcp| (``proto: 'tcp'``), |udp| (``proto: 'udp'`` or |icmp| (``proto: 'icmp'``))
1553
+ * ``be_reachable`` is a valid matcher for this |inspec resource|
1554
+
1555
+ Matchers
1556
+ -----------------------------------------------------
1557
+ This InSpec audit resource has the following matchers.
1558
+
1559
+ be_reachable
1560
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1561
+ The ``be_reachable`` matcher tests if the host name is available:
1562
+
1563
+ .. code-block:: ruby
1564
+
1565
+ it { should be_reachable }
1566
+
1567
+ be_resolvable
1568
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1569
+ The ``be_resolvable`` matcher tests for host name resolution, i.e. "resolvable to an IP address":
1570
+
1571
+ .. code-block:: ruby
1572
+
1573
+ it { should be_resolvable }
1574
+
1575
+ ipaddress
1576
+ -----------------------------------------------------
1577
+ The ``ipaddress`` matcher tests if a host name is resolvable to a specific IP address:
1578
+
1579
+ .. code-block:: ruby
1580
+
1581
+ its('ipaddress') { should include '93.184.216.34' }
1582
+
1583
+ Examples
1584
+ -----------------------------------------------------
1585
+ The following examples show how to use this InSpec audit resource.
1586
+
1587
+ **Verify host name s reachable over a specific protocol and port number**
1588
+
1589
+ .. code-block:: ruby
1590
+
1591
+ describe host('example.com', port: 53, proto: 'udp') do
1592
+ it { should be_reachable }
1593
+ end
1594
+
1595
+ **Verify that a specific IP address can be resolved**
1596
+
1597
+ .. code-block:: ruby
1598
+
1599
+ describe host('example.com', port: 80, proto: 'tcp') do
1600
+ it { should be_resolvable }
1601
+ its('ipaddress') { should include '192.168.1.1' }
1602
+ end
1603
+
1604
+
1605
+
1606
+
1607
+ inetd_conf
1608
+ =====================================================
1609
+ Use the ``inetd_conf`` |inspec resource| to test if a service is enabled in the ``inetd.conf`` file on |linux| and |unix| platforms. |inetd|---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The ``inetd.conf`` file is typically located at ``/etc/inetd.conf`` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
1610
+
1611
+ **Stability: Experimental**
1612
+
1613
+ Syntax
1614
+ -----------------------------------------------------
1615
+ An ``inetd_conf`` |inspec resource| block declares the list of services that are enabled in the ``inetd.conf`` file:
1616
+
1617
+ .. code-block:: ruby
1618
+
1619
+ describe inetd_conf('path') do
1620
+ its('service_name') { should eq 'value' }
1621
+ end
1622
+
1623
+ where
1624
+
1625
+ * ``'service_name'`` is a service listed in the ``inetd.conf`` file
1626
+ * ``('path')`` is the non-default path to the ``inetd.conf`` file
1627
+ * ``should eq 'value'`` is the value that is expected
1628
+
1629
+ Matchers
1630
+ -----------------------------------------------------
1631
+ This |inspec resource| matches any service that is listed in the ``inetd.conf`` file. You may want to ensure that specific services do not listen via ``inetd.conf``:
1632
+
1633
+ .. code-block:: ruby
1634
+
1635
+ its('shell') { should eq nil }
1636
+
1637
+ or:
1638
+
1639
+ .. code-block:: ruby
1640
+
1641
+ its('netstat') { should eq nil }
1642
+
1643
+ or:
1644
+
1645
+ .. code-block:: ruby
1646
+
1647
+ its('systat') { should eq nil }
1648
+
1649
+ For example:
1650
+
1651
+ .. code-block:: ruby
1652
+
1653
+ describe inetd_conf do
1654
+ its('shell') { should eq nil }
1655
+ its('login') { should eq nil }
1656
+ its('exec') { should eq nil }
1657
+ end
1658
+
1659
+ Examples
1660
+ -----------------------------------------------------
1661
+ The following examples show how to use this InSpec audit resource.
1662
+
1663
+ **Verify that FTP is disabled**
1664
+
1665
+ The contents if the ``inetd.conf`` file contain the following:
1666
+
1667
+ .. code-block:: text
1668
+
1669
+ #ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
1670
+ #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
1671
+
1672
+ and the following test is defined:
1673
+
1674
+ .. code-block:: ruby
1675
+
1676
+ describe inetd_conf do
1677
+ its('ftp') { should eq nil }
1678
+ its('telnet') { should eq nil }
1679
+ end
1680
+
1681
+ Because both the ``ftp`` and ``telnet`` Internet services are commented out (``#``), both services are disabled. Consequently, both tests will return ``true``. However, if the ``inetd.conf`` file is set as follows:
1682
+
1683
+ .. code-block:: text
1684
+
1685
+ ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
1686
+ #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
1687
+
1688
+ then the same test will return ``false`` for ``ftp`` and the entire test will fail.
1689
+
1690
+ **Test if telnet is installed**
1691
+
1692
+ .. code-block:: ruby
1693
+
1694
+ describe package('telnetd') do
1695
+ it { should_not be_installed }
1696
+ end
1697
+
1698
+ describe inetd_conf do
1699
+ its('telnet') { should eq nil }
1700
+ end
1701
+
1702
+
1703
+
1704
+ interface
1705
+ =====================================================
1706
+ Use the ``interface`` |inspec resource| to test basic network adapter properties, such as name, status, state, address, and link speed (in MB/sec).
1707
+
1708
+ * On |linux| platforms, ``/sys/class/net/#{iface}`` is used as source
1709
+ * On the |windows| platform, the ``Get-NetAdapter`` cmdlet is used as source
1710
+
1711
+ **Stability: Stable**
1712
+
1713
+ Syntax
1714
+ -----------------------------------------------------
1715
+ An ``interface`` |inspec resource| block declares network interface properties to be tested:
1716
+
1717
+ .. code-block:: ruby
1718
+
1719
+ describe interface do
1720
+ it { should be_up }
1721
+ its('speed') { should eq 1000 }
1722
+ its('name') { should eq eth0 }
1723
+ end
1724
+
1725
+
1726
+ Matchers
1727
+ -----------------------------------------------------
1728
+ This InSpec audit resource has the following matchers.
1729
+
1730
+ be_up
1731
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1732
+ The ``be_up`` matcher tests if the network interface is available:
1733
+
1734
+ .. code-block:: ruby
1735
+
1736
+ it { should be_up }
1737
+
1738
+ name
1739
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1740
+ The ``name`` matcher tests if the named network interface exists:
1741
+
1742
+ .. code-block:: ruby
1743
+
1744
+ its('name') { should eq eth0 }
1745
+
1746
+ speed
1747
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1748
+ The ``speed`` matcher tests the speed of the network interface, in MB/sec:
1749
+
1750
+ .. code-block:: ruby
1751
+
1752
+ its('speed') { should eq 1000 }
1753
+
1754
+ ..
1755
+ .. Examples
1756
+ .. -----------------------------------------------------
1757
+ .. The following examples show how to use this InSpec audit resource.
1758
+ ..
1759
+ .. **xxxxx**
1760
+ ..
1761
+ .. xxxxx
1762
+ ..
1763
+ .. **xxxxx**
1764
+ ..
1765
+ .. xxxxx
1766
+ ..
1767
+
1768
+
1769
+
1770
+ iptables
1771
+ =====================================================
1772
+ Use the ``iptables`` |inspec resource| to test rules that are defined in ``iptables``, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.
1773
+
1774
+ **Stability: Experimental**
1775
+
1776
+ Syntax
1777
+ -----------------------------------------------------
1778
+ A ``iptables`` |inspec resource| block declares tests for rules in IP tables:
1779
+
1780
+ .. code-block:: ruby
1781
+
1782
+ describe iptables(rule:'name', table:'name', chain: 'name') do
1783
+ it { should have_rule('RULE') }
1784
+ end
1785
+
1786
+ where
1787
+
1788
+ * ``iptables()`` may specify any combination of ``rule``, ``table``, or ``chain``
1789
+ * ``rule:'name'`` is the name of a rule that matches a set of packets
1790
+ * ``table:'name'`` is the packet matching table against which the test is run
1791
+ * ``chain: 'name'`` is the name of a user-defined chain or one of ``ACCEPT``, ``DROP``, ``QUEUE``, or ``RETURN``
1792
+ * ``have_rule('RULE')`` tests that rule in the iptables file
1793
+
1794
+ Matchers
1795
+ -----------------------------------------------------
1796
+ This InSpec audit resource has the following matchers.
1797
+
1798
+ have_rule
1799
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1800
+ The ``have_rule`` matcher tests the named rule against the information in the ``iptables`` file:
1801
+
1802
+ .. code-block:: ruby
1803
+
1804
+ it { should have_rule('RULE') }
1805
+
1806
+ Examples
1807
+ -----------------------------------------------------
1808
+ The following examples show how to use this InSpec audit resource.
1809
+
1810
+ **Test if the IP table allows a packet through**
1811
+
1812
+ .. code-block:: ruby
1813
+
1814
+ describe iptables do
1815
+ it { should have_rule('-P INPUT ACCEPT') }
1816
+ end
1817
+
1818
+ **Test if the IP table allows a packet through, for a specific table and chain**
1819
+
1820
+ .. code-block:: ruby
1821
+
1822
+ describe iptables(table:'mangle', chain: 'input') do
1823
+ it { should have_rule('-P INPUT ACCEPT') }
1824
+ end
1825
+
1826
+
1827
+
1828
+ json
1829
+ =====================================================
1830
+ Use the ``json`` |inspec resource| to test data in a |json| file.
1831
+
1832
+ **Stability: Experimental**
1833
+
1834
+ Syntax
1835
+ -----------------------------------------------------
1836
+ A ``json`` |inspec resource| block declares the data to be tested:
1837
+
1838
+ .. code-block:: ruby
1839
+
1840
+ describe json do
1841
+ its('name') { should eq 'foo' }
1842
+ end
1843
+
1844
+ where
1845
+
1846
+ * ``name`` is a configuration setting in a |json| file
1847
+ * ``should eq 'foo'`` tests a value of ``name`` as read from a |json| file versus the value declared in the test
1848
+
1849
+ Matchers
1850
+ -----------------------------------------------------
1851
+ This InSpec audit resource has the following matchers.
1852
+
1853
+ name
1854
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1855
+ The ``name`` matcher tests the value of ``name`` as read from a |json| file versus the value declared in the test:
1856
+
1857
+ .. code-block:: ruby
1858
+
1859
+ its('name') { should eq 'foo' }
1860
+
1861
+ Examples
1862
+ -----------------------------------------------------
1863
+ The following examples show how to use this InSpec audit resource.
1864
+
1865
+ **Test a cookbook version in a policyfile.lock.json file**
1866
+
1867
+ .. code-block:: ruby
1868
+
1869
+ describe json('policyfile.lock.json') do
1870
+ its('cookbook_locks.omnibus.version') { should eq('2.2.0') }
1871
+ end
1872
+
1873
+
1874
+
1875
+ kernel_module
1876
+ =====================================================
1877
+ Use the ``kernel_module`` |inspec resource| to test kernel modules on |linux| platforms. These parameters are located under ``/lib/modules``. Any submodule may be tested using this resource.
1878
+
1879
+ **Stability: Stable**
1880
+
1881
+ Syntax
1882
+ -----------------------------------------------------
1883
+ A ``kernel_module`` |inspec resource| block declares a module name, and then tests if that module is a loadable kernel module:
1884
+
1885
+ .. code-block:: ruby
1886
+
1887
+ describe kernel_module('module_name') do
1888
+ it { should be_loaded }
1889
+ end
1890
+
1891
+ where
1892
+
1893
+ * ``'module_name'`` must specify a kernel module, such as ``'bridge'``
1894
+ * ``{ should be_loaded }`` tests if the module is a loadable kernel module
1895
+
1896
+ Matchers
1897
+ -----------------------------------------------------
1898
+ This InSpec audit resource has the following matchers.
1899
+
1900
+ be_loaded
1901
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1902
+ The ``be_loaded`` matcher tests if the module is a loadable kernel module:
1903
+
1904
+ .. code-block:: ruby
1905
+
1906
+ it { should be_loaded }
1907
+
1908
+ Examples
1909
+ -----------------------------------------------------
1910
+ The following examples show how to use this InSpec audit resource.
1911
+
1912
+ **Test if a module is loaded**
1913
+
1914
+ .. code-block:: ruby
1915
+
1916
+ describe kernel_module('bridge') do
1917
+ it { should be_loaded }
1918
+ end
1919
+
1920
+
1921
+ kernel_parameter
1922
+ =====================================================
1923
+ Use the ``kernel_parameter`` |inspec resource| to test kernel parameters on |linux| platforms.
1924
+
1925
+ **Stability: Stable**
1926
+
1927
+ Syntax
1928
+ -----------------------------------------------------
1929
+ A ``kernel_parameter`` |inspec resource| block declares a parameter and then a value to be tested:
1930
+
1931
+ .. code-block:: ruby
1932
+
1933
+ describe kernel_parameter('path.to.parameter') do
1934
+ its('value') { should eq 0 }
1935
+ end
1936
+
1937
+ where
1938
+
1939
+ * ``'kernel.parameter'`` must specify a kernel parameter, such as ``'net.ipv4.conf.all.forwarding'``
1940
+ * ``{ should eq 0 }`` states the value to be tested
1941
+
1942
+ Matchers
1943
+ -----------------------------------------------------
1944
+ This InSpec audit resource has the following matchers.
1945
+
1946
+ value
1947
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
1948
+ The ``value`` matcher tests the value assigned to the named IP address versus the value declared in the test:
1949
+
1950
+ .. code-block:: ruby
1951
+
1952
+ its('value') { should eq 0 }
1953
+
1954
+ Examples
1955
+ -----------------------------------------------------
1956
+ The following examples show how to use this InSpec audit resource.
1957
+
1958
+ **Test if global forwarding is enabled for an IPv4 address**
1959
+
1960
+ .. code-block:: ruby
1961
+
1962
+ describe kernel_parameter('net.ipv4.conf.all.forwarding') do
1963
+ its(:value) { should eq 1 }
1964
+ end
1965
+
1966
+ **Test if global forwarding is disabled for an IPv6 address**
1967
+
1968
+ .. code-block:: ruby
1969
+
1970
+ describe kernel_parameter('net.ipv6.conf.all.forwarding') do
1971
+ its(:value) { should eq 0 }
1972
+ end
1973
+
1974
+ **Test if an IPv6 address accepts redirects**
1975
+
1976
+ .. code-block:: ruby
1977
+
1978
+ describe kernel_parameter('net.ipv6.conf.interface.accept_redirects') do
1979
+ its(:value) { should eq 'true' }
1980
+ end
1981
+
1982
+
1983
+ limits_conf
1984
+ =====================================================
1985
+ Use the ``limits_conf`` |inspec resource| to test configuration settings in the ``/etc/security/limits.conf`` file. The ``limits.conf`` defines limits for processes (by user and/or group names) and helps ensure that the system on which those processes are running remains stable. Each process may be assigned a hard or soft limit.
1986
+
1987
+ * Soft limits are maintained by the shell and defines the number of file handles (or open files) available to the user or group after login
1988
+ * Hard limits are maintained by the kernel and defines the maximum number of allowed file handles
1989
+
1990
+ Entries in the ``limits.conf`` file are similar to:
1991
+
1992
+ .. code-block:: bash
1993
+
1994
+ grantmc soft nofile 4096
1995
+ grantmc hard nofile 63536
1996
+
1997
+ ^^^^^^^^^ ^^^^ ^^^^^^ ^^^^^
1998
+ domain type item value
1999
+
2000
+ **Stability: Experimental**
2001
+
2002
+ Syntax
2003
+ -----------------------------------------------------
2004
+ A ``limits_conf`` |inspec resource| block declares a domain to be tested, along with associated type, item, and value:
2005
+
2006
+ .. code-block:: ruby
2007
+
2008
+ describe limits_conf('path') do
2009
+ its('domain') { should include ['type', 'item', 'value'] }
2010
+ its('domain') { should eq ['type', 'item', 'value'] }
2011
+ end
2012
+
2013
+ where
2014
+
2015
+ * ``('path')`` is the non-default path to the ``inetd.conf`` file
2016
+ * ``'domain'`` is a user or group name, such as ``grantmc``
2017
+ * ``'type'`` is either ``hard`` or ``soft``
2018
+ * ``'item'`` is the item for which limits are defined, such as ``core``, ``nofile``, ``stack``, ``nproc``, ``priority``, or ``maxlogins``
2019
+ * ``'value'`` is the value associated with the ``item``
2020
+
2021
+ Matchers
2022
+ -----------------------------------------------------
2023
+ This InSpec audit resource has the following matchers.
2024
+
2025
+ domain
2026
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2027
+ The ``domain`` matcher tests the domain in the ``limits.conf`` file, along with associated type, item, and value:
2028
+
2029
+ .. code-block:: ruby
2030
+
2031
+ its('domain') { should include ['type', 'item', 'value'] }
2032
+
2033
+ For example:
2034
+
2035
+ .. code-block:: ruby
2036
+
2037
+ its('grantmc') { should include ['hard', 'nofile', '63536'] }
2038
+
2039
+ Examples
2040
+ -----------------------------------------------------
2041
+ The following examples show how to use this InSpec audit resource.
2042
+
2043
+ **Test * and ftp limits**
2044
+
2045
+ .. code-block:: ruby
2046
+
2047
+ describe limits_conf('path') do
2048
+ its('*') { should include ['soft', 'core', '0'] }
2049
+ its('*') { should include ['hard', 'rss', '10000'] }
2050
+ its('ftp') { should eq ['hard', 'nproc', '0'] }
2051
+ end
2052
+
2053
+ login_defs
2054
+ =====================================================
2055
+ Use the ``login_defs`` |inspec resource| to test configuration settings in the ``/etc/login.defs`` file. The ``logins.defs`` file defines site-specific configuration for the shadow password suite on |linux| and |unix| platforms, such as password expiration ranges, minimum/maximum values for automatic selection of user and group identifiers, or the method with which passwords are encrypted.
2056
+
2057
+ **Stability: Experimental**
2058
+
2059
+ Syntax
2060
+ -----------------------------------------------------
2061
+ A ``login_defs`` |inspec resource| block declares the ``login.defs`` configuration data to be tested:
2062
+
2063
+ .. code-block:: ruby
2064
+
2065
+ describe login_defs do
2066
+ its('name') { should include('foo') }
2067
+ end
2068
+
2069
+ where
2070
+
2071
+ * ``name`` is a configuration setting in ``login.defs``
2072
+ * ``{ should include('foo') }`` tests the value of ``name`` as read from ``login.defs`` versus the value declared in the test
2073
+
2074
+ Matchers
2075
+ -----------------------------------------------------
2076
+ This InSpec audit resource has the following matchers.
2077
+
2078
+ name
2079
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2080
+ The ``name`` matcher tests the value of ``name`` as read from ``login.defs`` versus the value declared in the test:
2081
+
2082
+ .. code-block:: ruby
2083
+
2084
+ its('name') { should eq 'foo' }
2085
+
2086
+ Examples
2087
+ -----------------------------------------------------
2088
+ The following examples show how to use this InSpec audit resource.
2089
+
2090
+ **Test password expiration settings**
2091
+
2092
+ .. code-block:: ruby
2093
+
2094
+ describe login_defs do
2095
+ its('PASS_MAX_DAYS') { should eq '180' }
2096
+ its('PASS_MIN_DAYS') { should eq '1' }
2097
+ its('PASS_MIN_LEN') { should eq '15' }
2098
+ its('PASS_WARN_AGE') { should eq '30' }
2099
+ end
2100
+
2101
+ **Test the encryption method**
2102
+
2103
+ .. code-block:: ruby
2104
+
2105
+ describe login_defs do
2106
+ its('ENCRYPT_METHOD') { should eq 'SHA512' }
2107
+ end
2108
+
2109
+ **Test umask and password expiration**
2110
+
2111
+ .. code-block:: ruby
2112
+
2113
+ describe login_def do
2114
+ its('UMASK') { should eq '077' }
2115
+ its('PASS_MAX_DAYS') { should eq '90' }
2116
+ end
2117
+
2118
+ mysql_conf
2119
+ =====================================================
2120
+ Use the ``mysql_conf`` |inspec resource| to test the contents of the configuration file for |mysql|, typically located at ``/etc/mysql/my.cnf`` or ``/etc/my.cnf``.
2121
+
2122
+ Syntax
2123
+ -----------------------------------------------------
2124
+ A ``mysql_conf`` |inspec resource| block declares one (or more) settings in the ``my.cnf`` file, and then compares the setting in the configuration file to the value stated in the test:
2125
+
2126
+ .. code-block:: ruby
2127
+
2128
+ describe mysql_conf('path') do
2129
+ its('setting') { should eq 'value' }
2130
+ end
2131
+
2132
+ where
2133
+
2134
+ * ``'setting'`` specifies a setting in the ``my.cnf`` file, such as ``max_connections``
2135
+ * ``('path')`` is the non-default path to the ``my.cnf`` file
2136
+ * ``should eq 'value'`` is the value that is expected
2137
+
2138
+ **Stability: Experimental**
2139
+
2140
+ Matchers
2141
+ -----------------------------------------------------
2142
+ This InSpec audit resource has the following matchers.
2143
+
2144
+ setting
2145
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2146
+ The ``setting`` matcher tests specific, named settings in the ``my.cnf`` file:
2147
+
2148
+ .. code-block:: ruby
2149
+
2150
+ its('setting') { should eq 'value' }
2151
+
2152
+ Use a ``setting`` matcher for each setting to be tested.
2153
+
2154
+ Examples
2155
+ -----------------------------------------------------
2156
+ The following examples show how to use this InSpec audit resource.
2157
+
2158
+ **Test the maximum number of allowed connections**
2159
+
2160
+ .. code-block:: ruby
2161
+
2162
+ describe mysql_conf do
2163
+ its('max_connections') { should eq '505' }
2164
+ its('max_user_connections') { should eq '500' }
2165
+ end
2166
+
2167
+ **Test slow query logging**
2168
+
2169
+ .. code-block:: ruby
2170
+
2171
+ describe mysql_conf do
2172
+ its('slow_query_log_file') { should eq 'hostname_slow.log' }
2173
+ its('slow_query_log') { should eq '0' }
2174
+ its('log_queries_not_using_indexes') { should eq '1' }
2175
+ its('long_query_time') { should eq '0.5' }
2176
+ its('min_examined_row_limit') { should eq '100' }
2177
+ end
2178
+
2179
+ **Test the port and socket on which MySQL listens**
2180
+
2181
+ .. code-block:: ruby
2182
+
2183
+ describe mysql_conf do
2184
+ its('port') { should eq '3306' }
2185
+ its('socket') { should eq '/var/run/mysqld/mysql.sock' }
2186
+ end
2187
+
2188
+ **Test connection and thread variables**
2189
+
2190
+ .. code-block:: ruby
2191
+
2192
+ describe mysql_conf do
2193
+ its('port') { should eq '3306' }
2194
+ its('socket') { should eq '/var/run/mysqld/mysql.sock' }
2195
+ its('max_allowed_packet') { should eq '12M' }
2196
+ its('default_storage_engine') { should eq 'InnoDB' }
2197
+ its('character_set_server') { should eq 'utf8' }
2198
+ its('collation_server') { should eq 'utf8_general_ci' }
2199
+ its('max_connections') { should eq '505' }
2200
+ its('max_user_connections') { should eq '500' }
2201
+ its('thread_cache_size') { should eq '505' }
2202
+ end
2203
+
2204
+ **Test the safe-user-create parameter**
2205
+
2206
+ .. code-block:: ruby
2207
+
2208
+ describe mysql_conf.params('mysqld') do
2209
+ its('safe-user-create') { should eq('1') }
2210
+ end
2211
+
2212
+
2213
+ mysql_session
2214
+ =====================================================
2215
+ Use the ``mysql_session`` |inspec resource| to test SQL commands run against a |mysql| database.
2216
+
2217
+ **Stability: Experimental**
2218
+
2219
+ Syntax
2220
+ -----------------------------------------------------
2221
+ A ``mysql_session`` |inspec resource| block declares the username and password to use for the session, and then the command to be run:
2222
+
2223
+ .. code-block:: ruby
2224
+
2225
+ describe mysql_session('username', 'password').query('QUERY') do
2226
+ its('output') { should eq('') }
2227
+ end
2228
+
2229
+ where
2230
+
2231
+ * ``mysql_session`` declares a username and password with permission to run the query
2232
+ * ``query('QUERY')`` contains the query to be run
2233
+ * ``its('output') { should eq('') }`` compares the results of the query against the expected result in the test
2234
+
2235
+ Matchers
2236
+ -----------------------------------------------------
2237
+ This InSpec audit resource has the following matchers.
2238
+
2239
+ output
2240
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2241
+ The ``output`` matcher tests the results of the query:
2242
+
2243
+ .. code-block:: ruby
2244
+
2245
+ its('output') { should eq(/^0/) }
2246
+
2247
+ Examples
2248
+ -----------------------------------------------------
2249
+ The following examples show how to use this InSpec audit resource.
2250
+
2251
+ **Test for matching databases**
2252
+
2253
+ .. code-block:: ruby
2254
+
2255
+ sql = mysql_session('my_user','password')
2256
+ describe sql.query('show databases like \'test\';') do
2257
+ its(:stdout) { should_not match(/test/) }
2258
+ end
2259
+
2260
+
2261
+
2262
+
2263
+ npm
2264
+ =====================================================
2265
+ Use the ``npm`` |inspec resource| to test if a global |npm| package is installed. |npm| is the `the package manager for Nodejs packages <https://docs.npmjs.com>`__, such as |bower| and |statsd|.
2266
+
2267
+ **Stability: Experimental**
2268
+
2269
+ Syntax
2270
+ -----------------------------------------------------
2271
+ A ``npm`` |inspec resource| block declares a package and (optionally) a package version:
2272
+
2273
+ .. code-block:: ruby
2274
+
2275
+ describe gem('npm_package_name') do
2276
+ it { should be_installed }
2277
+ end
2278
+
2279
+ where
2280
+
2281
+ * ``('npm_package_name')`` must specify a |npm| package, such as ``'bower'`` or ``'statsd'``
2282
+ * ``be_installed`` is a valid matcher for this |inspec resource|
2283
+
2284
+ Matchers
2285
+ -----------------------------------------------------
2286
+ This InSpec audit resource has the following matchers.
2287
+
2288
+ be_installed
2289
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2290
+ The ``be_installed`` matcher tests if the named |gem| package and package version (if specified) is installed:
2291
+
2292
+ .. code-block:: ruby
2293
+
2294
+ it { should be_installed }
2295
+
2296
+ version
2297
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2298
+ The ``version`` matcher tests if the named package version is on the system:
2299
+
2300
+ .. code-block:: ruby
2301
+
2302
+ its('version') { should eq '1.2.3' }
2303
+
2304
+ Examples
2305
+ -----------------------------------------------------
2306
+ The following examples show how to use this InSpec audit resource.
2307
+
2308
+ **Verify that bower is installed, with a specific version**
2309
+
2310
+ .. code-block:: ruby
2311
+
2312
+ describe npm('bower') do
2313
+ it { should be_installed }
2314
+ its('version') { should eq '1.4.1' }
2315
+ end
2316
+
2317
+ **Verify that statsd is not installed**
2318
+
2319
+ .. code-block:: ruby
2320
+
2321
+ describe npm('statsd') do
2322
+ it { should_not be_installed }
2323
+ end
2324
+
2325
+
2326
+ ntp_conf
2327
+ =====================================================
2328
+ Use the ``ntp_conf`` |inspec resource| to test the synchronization settings defined in the ``ntp.conf`` file. This file is typically located at ``/etc/ntp.conf``.
2329
+
2330
+ **Stability: Experimental**
2331
+
2332
+ Syntax
2333
+ -----------------------------------------------------
2334
+ An ``ntp_conf`` |inspec resource| block declares the synchronization settings that should be tested:
2335
+
2336
+ .. code-block:: ruby
2337
+
2338
+ describe ntp_conf('path') do
2339
+ its('setting_name') { should eq 'value' }
2340
+ end
2341
+
2342
+ where
2343
+
2344
+ * ``'setting_name'`` is a synchronization setting defined in the ``ntp.conf`` file
2345
+ * ``('path')`` is the non-default path to the ``ntp.conf`` file
2346
+ * ``{ should eq 'value' }`` is the value that is expected
2347
+
2348
+ Matchers
2349
+ -----------------------------------------------------
2350
+ This |inspec resource| matches any service that is listed in the ``ntp.conf`` file:
2351
+
2352
+ .. code-block:: ruby
2353
+
2354
+ its('server') { should_not eq nil }
2355
+
2356
+ or:
2357
+
2358
+ .. code-block:: ruby
2359
+
2360
+ its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
2361
+
2362
+ For example:
2363
+
2364
+ .. code-block:: ruby
2365
+
2366
+ describe ntp_conf do
2367
+ its('server') { should_not eq nil }
2368
+ its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
2369
+ end
2370
+
2371
+ Examples
2372
+ -----------------------------------------------------
2373
+ The following examples show how to use this InSpec audit resource.
2374
+
2375
+ **Test for clock drift against named servers**
2376
+
2377
+ .. code-block:: ruby
2378
+
2379
+ describe ntp_conf do
2380
+ its('driftfile') { should eq '/var/lib/ntp/ntp.drift' }
2381
+ its('server') { should eq [
2382
+ 0.ubuntu.pool.ntp.org,
2383
+ 1.ubuntu.pool.ntp.org,
2384
+ 2.ubuntu.pool.ntp.org
2385
+ ] }
2386
+ end
2387
+
2388
+
2389
+
2390
+ oneget
2391
+ =====================================================
2392
+ Use the ``oneget`` |inspec resource| to test if the named package and/or package version is installed on the system. This resource uses |oneget|, which is `part of the Windows Management Framework 5.0 and Windows 10 <https://github.com/OneGet/oneget>`__. This resource uses the ``Get-Package`` cmdlet to return all of the package names in the |oneget| repository.
2393
+
2394
+ **Stability: Experimental**
2395
+
2396
+ Syntax
2397
+ -----------------------------------------------------
2398
+ A ``oneget`` |inspec resource| block declares a package and (optionally) a package version:
2399
+
2400
+ .. code-block:: ruby
2401
+
2402
+ describe oneget('name') do
2403
+ it { should be_installed }
2404
+ end
2405
+
2406
+ where
2407
+
2408
+ * ``('name')`` must specify the name of a package, such as ``'VLC'``
2409
+ * ``be_installed`` is a valid matcher for this |inspec resource|
2410
+
2411
+ Matchers
2412
+ -----------------------------------------------------
2413
+ This InSpec audit resource has the following matchers.
2414
+
2415
+ be_installed
2416
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2417
+ The ``be_installed`` matcher tests if the named package is installed on the system:
2418
+
2419
+ .. code-block:: ruby
2420
+
2421
+ it { should be_installed }
2422
+
2423
+ version
2424
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2425
+ The ``version`` matcher tests if the named package version is on the system:
2426
+
2427
+ .. code-block:: ruby
2428
+
2429
+ its('version') { should eq '1.2.3' }
2430
+
2431
+ Examples
2432
+ -----------------------------------------------------
2433
+ The following examples show how to use this InSpec audit resource.
2434
+
2435
+ **Test if VLC is installed**
2436
+
2437
+ .. code-block:: ruby
2438
+
2439
+ describe oneget('VLC') do
2440
+ it { should be_installed }
2441
+ end
2442
+
2443
+
2444
+ os
2445
+ =====================================================
2446
+ Use the ``os`` |inspec resource| to test the platform on which the system is running.
2447
+
2448
+ **Stability: Stable**
2449
+
2450
+ Syntax
2451
+ -----------------------------------------------------
2452
+ A ``os`` |inspec resource| block declares the platform to be tested:
2453
+
2454
+ .. code-block:: ruby
2455
+
2456
+ describe os['family'] do
2457
+ it { should eq 'platform' }
2458
+ end
2459
+
2460
+ where
2461
+
2462
+ * ``'platform'`` is one of ``bsd``, ``debian``, ``linux``, ``redhat``, ``solaris``, ``suse``, ``unix``, or ``windows``
2463
+
2464
+
2465
+ Matchers
2466
+ -----------------------------------------------------
2467
+ This InSpec audit resource does not have any matchers.
2468
+
2469
+ Examples
2470
+ -----------------------------------------------------
2471
+ The following examples show how to use this InSpec audit resource.
2472
+
2473
+ **Test for RedHat**
2474
+
2475
+ .. code-block:: ruby
2476
+
2477
+ describe os['family'] do
2478
+ it { should eq 'redhat' }
2479
+ end
2480
+
2481
+ **Test for Ubuntu**
2482
+
2483
+ .. code-block:: ruby
2484
+
2485
+ describe os['family'] do
2486
+ it { should eq 'debian' }
2487
+ end
2488
+
2489
+ **Test for Microsoft Windows**
2490
+
2491
+ .. code-block:: ruby
2492
+
2493
+ describe os['family'] do
2494
+ it { should eq 'windows' }
2495
+ end
2496
+
2497
+
2498
+ os_env
2499
+ =====================================================
2500
+ Use the ``os_env`` |inspec resource| to test the environment variables for the platform on which the system is running.
2501
+
2502
+ **Stability: Experimental**
2503
+
2504
+ Syntax
2505
+ -----------------------------------------------------
2506
+ A ``os_env`` |inspec resource| block declares an environment variable, and then declares its value:
2507
+
2508
+ .. code-block:: ruby
2509
+
2510
+ describe os_env('VARIABLE') do
2511
+ its('matcher') { should eq 1 }
2512
+ end
2513
+
2514
+ where
2515
+
2516
+ * ``('VARIABLE')`` must specify an environment variable, such as ``PATH``
2517
+ * ``matcher`` is a valid matcher for this InSpec resource
2518
+
2519
+ Matchers
2520
+ -----------------------------------------------------
2521
+ This InSpec audit resource has the following matchers.
2522
+
2523
+ content
2524
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2525
+ The ``content`` matcher return the value of the environment variable:
2526
+
2527
+ .. code-block:: ruby
2528
+
2529
+ its('content') { should eq '/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin' }
2530
+
2531
+ split
2532
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2533
+ The ``split`` splits the content with the ``:``` deliminator:
2534
+
2535
+ .. code-block:: ruby
2536
+
2537
+ its('split') { should include ('') }
2538
+
2539
+ or:
2540
+
2541
+ .. code-block:: ruby
2542
+
2543
+ its('split') { should_not include ('.') }
2544
+
2545
+ Use ``-1`` to test for cases where there is a trailing colon (``:``), such as ``dir1::dir2:``:
2546
+
2547
+ .. code-block:: ruby
2548
+
2549
+ its('split') { should include ('-1') }
2550
+
2551
+
2552
+ Examples
2553
+ -----------------------------------------------------
2554
+ The following examples show how to use this InSpec audit resource.
2555
+
2556
+ **Test the PATH environment variable**
2557
+
2558
+ .. code-block:: ruby
2559
+
2560
+ describe os_env('PATH') do
2561
+ its('split') { should_not include('') }
2562
+ its('split') { should_not include('.') }
2563
+ end
2564
+
2565
+
2566
+ package
2567
+ =====================================================
2568
+ Use the ``package`` |inspec resource| to test if the named package and/or package version is installed on the system.
2569
+
2570
+ **Stability: Stable**
2571
+
2572
+ Syntax
2573
+ -----------------------------------------------------
2574
+ A ``package`` |inspec resource| block declares a package and (optionally) a package version:
2575
+
2576
+ .. code-block:: ruby
2577
+
2578
+ describe package('name') do
2579
+ it { should be_installed }
2580
+ end
2581
+
2582
+ where
2583
+
2584
+ * ``('name')`` must specify the name of a package, such as ``'nginx'``
2585
+ * ``be_installed`` is a valid matcher for this |inspec resource|
2586
+
2587
+ Matchers
2588
+ -----------------------------------------------------
2589
+ This InSpec audit resource has the following matchers.
2590
+
2591
+ be_installed
2592
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2593
+ The ``be_installed`` matcher tests if the named package is installed on the system:
2594
+
2595
+ .. code-block:: ruby
2596
+
2597
+ it { should be_installed }
2598
+
2599
+ version
2600
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2601
+ The ``version`` matcher tests if the named package version is on the system:
2602
+
2603
+ .. code-block:: ruby
2604
+
2605
+ its('version) { should eq '1.2.3' }
2606
+
2607
+ Examples
2608
+ -----------------------------------------------------
2609
+ The following examples show how to use this InSpec audit resource.
2610
+
2611
+ **Test if nginx version 1.9.5 is installed**
2612
+
2613
+ .. code-block:: ruby
2614
+
2615
+ describe package('nginx') do
2616
+ it { should be_installed }
2617
+ its('version') { should eq 1.9.5 }
2618
+ end
2619
+
2620
+ **Test that a package is not installed**
2621
+
2622
+ .. code-block:: ruby
2623
+
2624
+ describe package('some_package') do
2625
+ it { should_not be_installed }
2626
+ end
2627
+
2628
+ **Test if telnet is installed**
2629
+
2630
+ .. code-block:: ruby
2631
+
2632
+ describe package('telnetd') do
2633
+ it { should_not be_installed }
2634
+ end
2635
+
2636
+ describe inetd_conf do
2637
+ its('telnet') { should eq nil }
2638
+ end
2639
+
2640
+ **Test if ClamAV (an antivirus engine) is installed and running**
2641
+
2642
+ .. code-block:: ruby
2643
+
2644
+ describe package('clamav') do
2645
+ it { should be_installed }
2646
+ its('version') { should eq '0.98.7' }
2647
+ end
2648
+
2649
+ describe service('clamd') do
2650
+ it { should_not be_enabled }
2651
+ it { should_not be_installed }
2652
+ it { should_not be_running }
2653
+ end
2654
+
2655
+
2656
+ parse_config
2657
+ =====================================================
2658
+ Use the ``parse_config`` |inspec resource| to test arbitrary configuration files.
2659
+
2660
+ **Stability: Experimental**
2661
+
2662
+ Syntax
2663
+ -----------------------------------------------------
2664
+ A ``parse_config`` |inspec resource| block declares the location of the configuration setting to be tested, and then what value is to be tested. Because this |inspec resource| relies on arbitrary configuration files, the test itself is often arbitrary and relies on custom |ruby| code:
2665
+
2666
+ .. code-block:: ruby
2667
+
2668
+ output = command('some-command').stdout
2669
+
2670
+ describe parse_config(output, { data_config_option: value } ) do
2671
+ its('setting') { should eq 1 }
2672
+ end
2673
+
2674
+ or:
2675
+
2676
+ .. code-block:: ruby
2677
+
2678
+ audit = command('/sbin/auditctl -l').stdout
2679
+ options = {
2680
+ assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
2681
+ multiple_values: true
2682
+ }
2683
+
2684
+ describe parse_config(audit, options) do
2685
+ its('setting') { should eq 1 }
2686
+ end
2687
+
2688
+ where each test
2689
+
2690
+ * Must declare the location of the configuration file to be tested
2691
+ * Must declare one (or more) settings to be tested
2692
+ * May run a command to ``stdout``, and then run the test against that output
2693
+ * May use options to define how configuration data is to be parsed
2694
+
2695
+ Options
2696
+ -----------------------------------------------------
2697
+ This |inspec resource| supports the following options for parsing configuration data. Use them in an ``options`` block stated outside of (and immediately before) the actual test:
2698
+
2699
+ .. code-block:: ruby
2700
+
2701
+ options = {
2702
+ assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
2703
+ multiple_values: true
2704
+ }
2705
+ describe parse_config(options) do
2706
+ its('setting') { should eq 1 }
2707
+ end
2708
+
2709
+ assignment_re
2710
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2711
+ Use ``assignment_re`` to test a key value using a regular expression:
2712
+
2713
+ .. code-block:: ruby
2714
+
2715
+ 'key = value'
2716
+
2717
+ may be tested using the following regular expression, which determines assignment from key to value:
2718
+
2719
+ .. code-block:: ruby
2720
+
2721
+ assignment_re: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/
2722
+
2723
+ comment_char
2724
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2725
+ Use ``comment_char`` to test for comments in a configuration file:
2726
+
2727
+ .. code-block:: ruby
2728
+
2729
+ comment_char: '#'
2730
+
2731
+ key_vals
2732
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2733
+ Use ``key_vals`` to test how many values a key contains:
2734
+
2735
+ .. code-block:: ruby
2736
+
2737
+ key = a b c
2738
+
2739
+ contains three values. To test that value to ensure it only contains one, use:
2740
+
2741
+ .. code-block:: ruby
2742
+
2743
+ key_vals: 1
2744
+
2745
+ multiple_values
2746
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2747
+ Use ``multiple_values`` if the source file uses the same key multiple times. All values will be aggregated in an array:
2748
+
2749
+ .. code-block:: ruby
2750
+
2751
+ # # file structure:
2752
+ # key = a
2753
+ # key = b
2754
+ # key2 = c
2755
+ params['key'] = ['a', 'b']
2756
+ params['key2'] = ['c']
2757
+
2758
+ To use plain key value mapping, use ``multiple_values: false``:
2759
+
2760
+ .. code-block:: ruby
2761
+
2762
+ # # file structure:
2763
+ # key = a
2764
+ # key = b
2765
+ # key2 = c
2766
+ params['key'] = 'b'
2767
+ params['key2'] = 'c'
2768
+
2769
+
2770
+ standalone_comments
2771
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2772
+ Use ``standalone_comments`` to parse comments as a line , otherwise inline comments are allowed:
2773
+
2774
+ .. code-block:: ruby
2775
+
2776
+ 'key = value # comment'
2777
+ params['key'] = 'value # comment'
2778
+
2779
+
2780
+ Use ``standalone_comments: false``, to parse the following:
2781
+
2782
+ .. code-block:: ruby
2783
+
2784
+ 'key = value # comment'
2785
+ params['key'] = 'value'
2786
+
2787
+ Examples
2788
+ -----------------------------------------------------
2789
+ The following examples show how to use this InSpec audit resource.
2790
+
2791
+ **Test the expiration time for new account passwords**
2792
+
2793
+ .. code-block:: ruby
2794
+
2795
+ output = command('useradd -D').stdout
2796
+
2797
+ describe parse_config(output) do
2798
+ its('INACTIVE') { should eq '35' }
2799
+ end
2800
+
2801
+ **Test that bob is a user**
2802
+
2803
+ .. code-block:: ruby
2804
+
2805
+ describe parse_config(data, { multiple_values: true }) do
2806
+ its('users') { should include 'bob'}
2807
+ end
2808
+
2809
+
2810
+ parse_config_file
2811
+ =====================================================
2812
+ Use the ``parse_config_file`` InSpec audit resource to test arbitrary configuration files. It works identiacal to ``parse_config``. Instead of using a command output, this resource works with files.
2813
+
2814
+ **Stability: Experimental**
2815
+
2816
+ Syntax
2817
+ -----------------------------------------------------
2818
+ A ``parse_config_file`` InSpec audit resource block declares the location of the configuration file to be tested, and then which settings in that file are to be tested.
2819
+
2820
+ .. code-block:: ruby
2821
+
2822
+ describe parse_config_file('/path/to/file', { data_config_option: value } ) do
2823
+ its('setting') { should eq 1 }
2824
+ end
2825
+
2826
+ or:
2827
+
2828
+ .. code-block:: ruby
2829
+
2830
+ options = {
2831
+ assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
2832
+ multiple_values: true
2833
+ }
2834
+
2835
+ describe parse_config_file('path/to/file', options) do
2836
+ its('setting') { should eq 1 }
2837
+ end
2838
+
2839
+ where each test
2840
+
2841
+ * Must declare the location of the configuration file to be tested
2842
+ * Must declare one (or more) settings to be tested
2843
+ * May run a command to ``stdout``, and then run the test against that output
2844
+ * May use options to define how configuration data is to be parsed
2845
+
2846
+ Options
2847
+ -----------------------------------------------------
2848
+ This |inspec resource| supports the following options for parsing configuration data. Use them in an ``options`` block stated outside of (and immediately before) the actual test:
2849
+
2850
+ .. code-block:: ruby
2851
+
2852
+ options = {
2853
+ assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
2854
+ multiple_values: true
2855
+ }
2856
+ describe parse_config_file('path/to/file', options) do
2857
+ its('setting') { should eq 1 }
2858
+ end
2859
+
2860
+ assignment_re
2861
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2862
+ Use ``assignment_re`` to parse a key value using a regular expression:
2863
+
2864
+ .. code-block:: ruby
2865
+
2866
+ 'key = value'
2867
+
2868
+ may be parsed using the following regular expression, which determines assignment from key to value:
2869
+
2870
+ .. code-block:: ruby
2871
+
2872
+ assignment_re: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/
2873
+
2874
+ comment_char
2875
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2876
+ Use ``comment_char`` to parse for comments in a configuration file:
2877
+
2878
+ .. code-block:: ruby
2879
+
2880
+ comment_char: '#'
2881
+
2882
+ key_vals
2883
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2884
+ Use ``key_vals`` to parse how many values a key contains:
2885
+
2886
+ .. code-block:: ruby
2887
+
2888
+ key = a b c
2889
+
2890
+ contains three values. To test that value to ensure it only contains one, use:
2891
+
2892
+ .. code-block:: ruby
2893
+
2894
+ key_vals: 1
2895
+
2896
+
2897
+ multiple_values
2898
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2899
+ Use ``multiple_values`` if the source file uses the same key multiple times. All values will be aggregated in an array:
2900
+
2901
+ .. code-block:: ruby
2902
+
2903
+ # # file structure:
2904
+ # key = a
2905
+ # key = b
2906
+ # key2 = c
2907
+ params['key'] = ['a', 'b']
2908
+ params['key2'] = ['c']
2909
+
2910
+ To use plain key value mapping, use ``multiple_values: false``:
2911
+
2912
+ .. code-block:: ruby
2913
+
2914
+ # # file structure:
2915
+ # key = a
2916
+ # key = b
2917
+ # key2 = c
2918
+ params['key'] = 'b'
2919
+ params['key2'] = 'c'
2920
+
2921
+
2922
+ standalone_comments
2923
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
2924
+ Use ``standalone_comments`` to parse comments as a line , otherwise inline comments are allowed:
2925
+
2926
+ .. code-block:: ruby
2927
+
2928
+ 'key = value # comment'
2929
+ params['key'] = 'value # comment'
2930
+
2931
+
2932
+ Use ``standalone_comments: false``, to parse the following:
2933
+
2934
+ .. code-block:: ruby
2935
+
2936
+ 'key = value # comment'
2937
+ params['key'] = 'value'
2938
+
2939
+ Examples
2940
+ -----------------------------------------------------
2941
+ The following examples show how to use this InSpec audit resource.
2942
+
2943
+ **Test a configuration setting**
2944
+
2945
+ .. code-block:: ruby
2946
+
2947
+ describe parse_config_file('/path/to/file.conf') do
2948
+ its('PARAM_X') { should eq 'Y' }
2949
+ end
2950
+
2951
+ **Use options, and then test a configuration setting**
2952
+
2953
+ .. code-block:: ruby
2954
+
2955
+ describe parse_config_file('/path/to/file.conf', { multiple_values: true }) do
2956
+ its('PARAM_X') { should include 'Y' }
2957
+ end
2958
+
2959
+
2960
+
2961
+ passwd
2962
+ =====================================================
2963
+ Use the ``passwd`` |inspec resource| to test the contents of ``/etc/passwd``, which contains the following information for users that may log into the system and/or as users that own running processes. The format for ``/etc/passwd`` includes:
2964
+
2965
+ * A username
2966
+ * The password for that user (on newer systems passwords should be stored in ``/etc/shadow`` )
2967
+ * The user identifier (UID) assigned to that user
2968
+ * The group identifier (GID) assigned to that user
2969
+ * Additional information about that user
2970
+ * That user's home directory
2971
+ * That user's default command shell
2972
+
2973
+ defined as a colon-delimited row in the file, one row per user:
2974
+
2975
+ .. code-block:: bash
2976
+
2977
+ root:x:1234:5678:additional_info:/home/dir/:/bin/bash
2978
+
2979
+ **Stability: Experimental**
2980
+
2981
+ Syntax
2982
+ -----------------------------------------------------
2983
+ A ``passwd`` |inspec resource| block declares one (or more) users and associated user information to be tested:
2984
+
2985
+ .. code-block:: ruby
2986
+
2987
+ describe passwd do
2988
+ its('matcher') { should eq 0 }
2989
+ end
2990
+
2991
+ describe passwd.uid(filter) do
2992
+ its(:username) { should eq 'root' }
2993
+ its(:count) { should eq 1 }
2994
+ end
2995
+
2996
+ where
2997
+
2998
+ * ``gids``, ``passwords``, ``uids``, and ``usernames`` are valid matchers for ``passwd``
2999
+ * ``filter`` is a filter for a specific uid
3000
+ * ``count``, ``uid``, ``username`` are valid matchers for ``passwd.uid(userid)``
3001
+
3002
+
3003
+ Matchers for ``passwd``
3004
+ -----------------------------------------------------
3005
+ This InSpec audit resource has the following matchers.
3006
+
3007
+ gids
3008
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3009
+ The ``gids`` matcher tests if the group indentifiers in the test match group identifiers in ``/etc/passwd``:
3010
+
3011
+ .. code-block:: ruby
3012
+
3013
+ its('gids') { should eq 1234 }
3014
+
3015
+ passwords
3016
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3017
+ The ``passwords`` matcher tests if passwords are
3018
+
3019
+ * Encrypted
3020
+ * Have direct logins disabled, as indicated by an asterisk (``*``)
3021
+ * In the ``/etc/shadow`` file, as indicated by the letter x (``x``)
3022
+
3023
+ For example:
3024
+
3025
+ .. code-block:: ruby
3026
+
3027
+ its('passwords') { should eq 'x' }
3028
+
3029
+ uids
3030
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3031
+ The ``uids`` matcher tests if the user indentifiers in the test match user identifiers in ``/etc/passwd``:
3032
+
3033
+ .. code-block:: ruby
3034
+
3035
+ its('uids') { should eq ['1234', '1235'] }
3036
+
3037
+ usernames
3038
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3039
+ The ``usernames`` matcher tests if the usernames in the test match usernames in ``/etc/passwd``:
3040
+
3041
+ .. code-block:: ruby
3042
+
3043
+ its('usernames') { should eq ['root', 'www-data'] }
3044
+
3045
+
3046
+ Matchers for ``passwd.uid(userid)``
3047
+ -----------------------------------------------------
3048
+ This InSpec audit resource has the following matchers.
3049
+
3050
+ count
3051
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3052
+ The ``count`` matcher tests the number of times the named user appears in ``/etc/passwd``:
3053
+
3054
+ .. code-block:: ruby
3055
+
3056
+ its('count') { should eq 1 }
3057
+
3058
+ uid
3059
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3060
+ The ``uid`` matcher tests if the user identifier in the test matches a user identifier in ``/etc/passwd``:
3061
+
3062
+ .. code-block:: ruby
3063
+
3064
+ its('uid') { should eq 1234 }
3065
+
3066
+ username
3067
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3068
+ The ``username`` matcher tests if the user name in the test matches a user name in ``/etc/passwd``:
3069
+
3070
+ .. code-block:: ruby
3071
+
3072
+ its('username') { should eq 'root' }
3073
+
3074
+ Examples
3075
+ -----------------------------------------------------
3076
+ The following examples show how to use this InSpec audit resource.
3077
+
3078
+ **Test usernames and UIDs**
3079
+
3080
+ .. code-block:: ruby
3081
+
3082
+ describe passwd do
3083
+ its('usernames') { should eq ['root', 'www-data'] }
3084
+ its('uids') { should eq [0, 33] }
3085
+ end
3086
+
3087
+ **Select one user and test for multiple occurances in passwd**
3088
+
3089
+ .. code-block:: ruby
3090
+
3091
+ describe passwd.uid(0) do
3092
+ its('username') { should eq 'root' }
3093
+ its('count') { should eq 1 }
3094
+ end
3095
+
3096
+ describe passwd.uid(33) do
3097
+ its('username') { should eq 'www-data' }
3098
+ its('count') { should eq 1 }
3099
+ end
3100
+
3101
+
3102
+ pip
3103
+ =====================================================
3104
+ Use the ``pip`` |inspec resource| to test packages that are installed using the |pip| installer.
3105
+
3106
+ **Stability: Experimental**
3107
+
3108
+ Syntax
3109
+ -----------------------------------------------------
3110
+ A ``pip`` |inspec resource| block declares a package and (optionally) a package version:
3111
+
3112
+ .. code-block:: ruby
3113
+
3114
+ describe pip('Jinja2') do
3115
+ it { should be_installed }
3116
+ end
3117
+
3118
+ where
3119
+
3120
+ * ``'Jinja2'`` is the name of the package
3121
+ * ``be_installed`` tests to see if the ``Jinja2`` package is installed
3122
+
3123
+ Matchers
3124
+ -----------------------------------------------------
3125
+ This InSpec audit resource has the following matchers.
3126
+
3127
+ be_installed
3128
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3129
+ The ``be_installed`` matcher tests if the named package is installed on the system:
3130
+
3131
+ .. code-block:: ruby
3132
+
3133
+ it { should be_installed }
3134
+
3135
+ version
3136
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3137
+ The ``version`` matcher tests if the named package version is on the system:
3138
+
3139
+ .. code-block:: ruby
3140
+
3141
+ its('version') { should eq '1.2.3' }
3142
+
3143
+ Examples
3144
+ -----------------------------------------------------
3145
+ The following examples show how to use this InSpec audit resource.
3146
+
3147
+ **Test if Jinja2 is installed on the system**
3148
+
3149
+ .. code-block:: ruby
3150
+
3151
+ describe pip('Jinja2') do
3152
+ it { should be_installed }
3153
+ end
3154
+
3155
+ **Test if Jinja2 2.8 is installed on the system**
3156
+
3157
+ .. code-block:: ruby
3158
+
3159
+ describe pip('Jinja2') do
3160
+ it { should be_installed }
3161
+ its('version') { should eq '2.8' }
3162
+ end
3163
+
3164
+
3165
+ port
3166
+ =====================================================
3167
+ Use the ``port`` |inspec resource| to test basic port properties, such as port, process, if it's listening.
3168
+
3169
+ **Stability: Stable**
3170
+
3171
+ Syntax
3172
+ -----------------------------------------------------
3173
+ A ``port`` |inspec resource| block declares a port, and then depending on what needs to be tested, a process, protocol, process identifier, and its state (is it listening?):
3174
+
3175
+ .. code-block:: ruby
3176
+
3177
+ describe port(514) do
3178
+ it { should be_listening }
3179
+ its('process') {should eq 'syslog'}
3180
+ end
3181
+
3182
+ where the ``process`` returns the process listening on port 514.
3183
+
3184
+ Matchers
3185
+ -----------------------------------------------------
3186
+ This InSpec audit resource has the following matchers.
3187
+
3188
+ be_listening
3189
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3190
+ The ``be_listening`` matcher tests if the port is listening for traffic:
3191
+
3192
+ .. code-block:: ruby
3193
+
3194
+ it { should be_listening }
3195
+
3196
+ pid
3197
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3198
+ The ``pid`` matcher tests the process identifier (PID):
3199
+
3200
+ .. code-block:: ruby
3201
+
3202
+ its('pid') { should eq '27808' }
3203
+
3204
+ process
3205
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3206
+ The ``process`` matcher tests if the named process is running on the system:
3207
+
3208
+ .. code-block:: ruby
3209
+
3210
+ its('process') { should eq 'syslog' }
3211
+
3212
+ protocol
3213
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3214
+ The ``protocol`` matcher tests the Internet protocol: |icmp| (``'icmp'``), |tcp| (``'tcp'`` or ``'tcp6'``), or |udp| (``'udp'`` or ``'udp6'``):
3215
+
3216
+ .. code-block:: ruby
3217
+
3218
+ its('protocol') { should eq 'tcp' }
3219
+
3220
+ or for the |ipv6| protocol:
3221
+
3222
+ .. code-block:: ruby
3223
+
3224
+ its('protocol') { should eq 'tcp6' }
3225
+
3226
+ Examples
3227
+ -----------------------------------------------------
3228
+ The following examples show how to use this InSpec audit resource.
3229
+
3230
+ **Test port 80, listening with the TCP protocol**
3231
+
3232
+ .. code-block:: ruby
3233
+
3234
+ describe port(80) do
3235
+ it { should be_listening }
3236
+ its('protocol') {should eq 'tcp'}
3237
+ end
3238
+
3239
+ **Test port 80, listening with TCP version IPv6 protocol**
3240
+
3241
+ .. code-block:: ruby
3242
+
3243
+ describe port(80) do
3244
+ it { should be_listening }
3245
+ its('protocol') {should eq 'tcp6'}
3246
+ end
3247
+
3248
+ **Test ports for HTTPs**
3249
+
3250
+ .. code-block:: ruby
3251
+
3252
+ describe port(80) do
3253
+ it { should_not be_listening }
3254
+ end
3255
+
3256
+ describe port(443) do
3257
+ it { should be_listening }
3258
+ its('protocol') {should eq 'tcp'}
3259
+ end
3260
+
3261
+ postgres_conf
3262
+ =====================================================
3263
+ Use the ``postgres_conf`` |inspec resource| to test the contents of the configuration file for |postgresql|, typically located at ``/etc/postgresql/<version>/main/postgresql.conf`` or ``/var/lib/postgres/data/postgresql.conf``, depending on the platform.
3264
+
3265
+ **Stability: Experimental**
3266
+
3267
+ Syntax
3268
+ -----------------------------------------------------
3269
+ A ``postgres_conf`` |inspec resource| block declares one (or more) settings in the ``postgresql.conf`` file, and then compares the setting in the configuration file to the value stated in the test:
3270
+
3271
+ .. code-block:: ruby
3272
+
3273
+ describe postgres_conf('path') do
3274
+ its('setting') { should eq 'value' }
3275
+ end
3276
+
3277
+ where
3278
+
3279
+ * ``'setting'`` specifies a setting in the ``postgresql.conf`` file
3280
+ * ``('path')`` is the non-default path to the ``postgresql.conf`` file (optional)
3281
+ * ``should eq 'value'`` is the value that is expected
3282
+
3283
+ Matchers
3284
+ -----------------------------------------------------
3285
+ This InSpec audit resource has the following matchers.
3286
+
3287
+ setting
3288
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3289
+ The ``setting`` matcher tests specific, named settings in the ``postgresql.conf`` file:
3290
+
3291
+ .. code-block:: ruby
3292
+
3293
+ its('setting') { should eq 'value' }
3294
+
3295
+ Use a ``setting`` matcher for each setting to be tested.
3296
+
3297
+ Examples
3298
+ -----------------------------------------------------
3299
+ The following examples show how to use this InSpec audit resource.
3300
+
3301
+ **Test the maximum number of allowed client connections**
3302
+
3303
+ .. code-block:: ruby
3304
+
3305
+ describe postgres_conf do
3306
+ its('max_connections') { should eq '5' }
3307
+ end
3308
+
3309
+ **Test system logging**
3310
+
3311
+ .. code-block:: ruby
3312
+
3313
+ describe postgres_conf do
3314
+ its('logging_collector') { should eq 'on' }
3315
+ its('log_connections') { should eq 'on' }
3316
+ its('log_disconnections') { should eq 'on' }
3317
+ its('log_duration') { should eq 'on' }
3318
+ its('log_hostname') { should eq 'on' }
3319
+ its('log_line_prefix') { should eq '%t %u %d %h' }
3320
+ end
3321
+
3322
+ **Test the port on which PostgreSQL listens**
3323
+
3324
+ .. code-block:: ruby
3325
+
3326
+ describe postgres_conf do
3327
+ its('port') { should eq '5432' }
3328
+ end
3329
+
3330
+ **Test the Unix socket settings**
3331
+
3332
+ .. code-block:: ruby
3333
+
3334
+ describe postgres_conf do
3335
+ its('unix_socket_directories') { should eq '.s.PGSQL.5432' }
3336
+ its('unix_socket_group') { should eq nil }
3337
+ its('unix_socket_permissions') { should eq '0770' }
3338
+ end
3339
+
3340
+ where ``unix_socket_group`` is set to the |postgresql| default setting (the group to which the server user belongs).
3341
+
3342
+
3343
+
3344
+ postgres_session
3345
+ =====================================================
3346
+ Use the ``postgres_session`` |inspec resource| to test SQL commands run against a |postgresql| database.
3347
+
3348
+ **Stability: Experimental**
3349
+
3350
+ Syntax
3351
+ -----------------------------------------------------
3352
+ A ``postgres_session`` |inspec resource| block declares the username and password to use for the session, and then the command to be run:
3353
+
3354
+ .. code-block:: ruby
3355
+
3356
+ sql = postgres_session('username', 'password')
3357
+
3358
+ describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
3359
+ its('output') { should eq('') }
3360
+ end
3361
+
3362
+ where
3363
+
3364
+ * ``sql = postgres_session`` declares a username and password with permission to run the query
3365
+ * ``sql.query('')`` contains the query to be run
3366
+ * ``its('output') { should eq('') }`` compares the results of the query against the expected result in the test
3367
+
3368
+ Matchers
3369
+ -----------------------------------------------------
3370
+ This InSpec audit resource has the following matchers.
3371
+
3372
+ output
3373
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3374
+ The ``output`` matcher tests the results of the query:
3375
+
3376
+ .. code-block:: ruby
3377
+
3378
+ its('output') { should eq(/^0/) }
3379
+
3380
+ Examples
3381
+ -----------------------------------------------------
3382
+ The following examples show how to use this InSpec audit resource.
3383
+
3384
+ **Test the PostgreSQL shadow password**
3385
+
3386
+ .. code-block:: ruby
3387
+
3388
+ sql = postgres_session('my_user', 'password')
3389
+
3390
+ describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
3391
+ its('output') { should eq('') }
3392
+ end
3393
+
3394
+ **Test for risky database entries**
3395
+
3396
+ .. code-block:: ruby
3397
+
3398
+ describe postgres_session('my_user', 'password').query('SELECT count (*)
3399
+ FROM pg_language
3400
+ WHERE lanpltrusted = 'f'
3401
+ AND lanname!='internal'
3402
+ AND lanname!='c';') do
3403
+ its('output') { should eq(/^0/) }
3404
+ end
3405
+
3406
+
3407
+
3408
+ processes
3409
+ =====================================================
3410
+ Use the ``processes`` |inspec resource| to test properties for programs that are running on the system.
3411
+
3412
+ **Stability: Experimental**
3413
+
3414
+ Syntax
3415
+ -----------------------------------------------------
3416
+ A ``processes`` |inspec resource| block declares the name of the process to be tested, and then declares one (or more) property/value pairs:
3417
+
3418
+ .. code-block:: ruby
3419
+
3420
+ describe processes('process_name') do
3421
+ its('property_name') { should eq 'property_value' }
3422
+ end
3423
+
3424
+ where
3425
+
3426
+ * ``processes('process_name')`` must specify the name of a process that is running on the system
3427
+ * Multiple properties may be tested; for each property to be tested, use an ``its('property_name')`` statement
3428
+
3429
+ Matchers
3430
+ -----------------------------------------------------
3431
+ This InSpec audit resource has the following matchers.
3432
+
3433
+ property_name
3434
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3435
+ The ``property_name`` matcher tests the named property for the specified value:
3436
+
3437
+ .. code-block:: ruby
3438
+
3439
+ its('property_name') { should eq 'property_value' }
3440
+
3441
+ Examples
3442
+ -----------------------------------------------------
3443
+ The following examples show how to use this InSpec audit resource.
3444
+
3445
+ .. The title for the example below needs to be clarified, then it can be uncommented
3446
+ ..
3447
+ .. **Test for multiple instances of Nginx**
3448
+ ..
3449
+ .. .. code-block:: ruby
3450
+ ..
3451
+ .. describe processes('postgres') do
3452
+ .. its('list.length') { should be(1) }
3453
+ .. end
3454
+ ..
3455
+
3456
+ **Test for multiple instances of mysqld**
3457
+
3458
+ .. code-block:: ruby
3459
+
3460
+ describe processes('mysqld') do
3461
+ its('list.length') { should eq 1 }
3462
+ end
3463
+
3464
+ **Test if the init process is owned by the root user**
3465
+
3466
+ .. code-block:: ruby
3467
+
3468
+ describe processes('init') do
3469
+ its('user') { should eq 'root' }
3470
+ end
3471
+
3472
+ **Test if a high-priority process is running**
3473
+
3474
+ .. code-block:: ruby
3475
+
3476
+ describe processes('some_process') do
3477
+ its('state') { should eq 'R<' }
3478
+ end
3479
+
3480
+
3481
+ registry_key
3482
+ =====================================================
3483
+ Use the ``registry_key`` |inspec resource| to test key values in the |windows| registry.
3484
+
3485
+ **Stability: Stable**
3486
+
3487
+ Syntax
3488
+ -----------------------------------------------------
3489
+ A ``registry_key`` |inspec resource| block declares the item in the |windows| registry, the path to a setting under that item, and then one (or more) name/value pairs to be tested:
3490
+
3491
+ .. code-block:: ruby
3492
+
3493
+ describe registry_key('registry_item', 'path\to\key') do
3494
+ its('name') { should eq 'value' }
3495
+ end
3496
+
3497
+ describe registry_key('path\to\key') do
3498
+ its('name') { should eq 'value' }
3499
+ end
3500
+
3501
+ where
3502
+
3503
+ * ``'registry_item'`` is a key in the |windows| registry (optional)
3504
+ * ``'path\to\key'`` is the path in the |windows| registry
3505
+ * ``('name')`` and ``'value'`` represent the name of the key and the value assigned to that key
3506
+
3507
+ Matchers
3508
+ -----------------------------------------------------
3509
+ This InSpec audit resource has the following matchers.
3510
+
3511
+ name
3512
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3513
+ The ``name`` matcher tests the value for the specified registry setting:
3514
+
3515
+ .. code-block:: ruby
3516
+
3517
+ its('name') { should eq 'value' }
3518
+
3519
+ Examples
3520
+ -----------------------------------------------------
3521
+ The following examples show how to use this InSpec audit resource.
3522
+
3523
+ **Test the start time for the Schedule service**
3524
+
3525
+ .. code-block:: ruby
3526
+
3527
+ describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\...\Schedule') do
3528
+ its('Start') { should eq 2 }
3529
+ end
3530
+
3531
+ where ``'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule'`` is the full path to the setting.
3532
+
3533
+
3534
+ script
3535
+ =====================================================
3536
+ Use the ``script`` |inspec resource| to test a |powershell| script on the |windows| platform.
3537
+
3538
+ **Stability: Experimental**
3539
+
3540
+ Syntax
3541
+ -----------------------------------------------------
3542
+ A ``script`` |inspec resource| block declares a script to be tested, and then a command that should be part of that script:
3543
+
3544
+ .. code-block:: ruby
3545
+
3546
+ script = <<-EOH
3547
+ # you powershell script
3548
+ EOH
3549
+
3550
+ describe script(script) do
3551
+ its('matcher') { should eq 'output' }
3552
+ end
3553
+
3554
+
3555
+ where
3556
+
3557
+ * ``'script'`` must specify a Powershell script to be run
3558
+ * ``'matcher'`` is one of ``exit_status``, ``stderr``, or ``stdout``
3559
+ * ``'output'`` tests the output of the command run on the system versus the output value stated in the test
3560
+
3561
+
3562
+ Matchers
3563
+ -----------------------------------------------------
3564
+ This InSpec audit resource has the following matchers.
3565
+
3566
+ exit_status
3567
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3568
+ The ``exit_status`` matcher tests the exit status for the command:
3569
+
3570
+ .. code-block:: ruby
3571
+
3572
+ its('exit_status') { should eq 123 }
3573
+
3574
+ stderr
3575
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3576
+ The ``stderr`` matcher tests results of the command as returned in standard error (stderr):
3577
+
3578
+ .. code-block:: ruby
3579
+
3580
+ its('stderr') { should eq 'error' }
3581
+
3582
+ stdout
3583
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3584
+ The ``stdout`` matcher tests results of the command as returned in standard output (stdout):
3585
+
3586
+ .. code-block:: ruby
3587
+
3588
+ its('stdout') { should eq '/^1$/' }
3589
+
3590
+ Examples
3591
+ -----------------------------------------------------
3592
+ The following examples show how to use this InSpec audit resource.
3593
+
3594
+ **Get all groups of Administrator user**
3595
+
3596
+ .. code-block:: ruby
3597
+
3598
+ myscript = <<-EOH
3599
+ # find user
3600
+ $user = Get-WmiObject Win32_UserAccount -filter "Name = 'Administrator'"
3601
+ # get related groups
3602
+ $groups = $user.GetRelated('Win32_Group') | Select-Object -Property Caption, Domain, Name, LocalAccount, SID, SIDType, Status
3603
+ $groups | ConvertTo-Json
3604
+ EOH
3605
+
3606
+ describe script(myscript) do
3607
+ its('stdout') { should_not eq '' }
3608
+ end
3609
+
3610
+
3611
+ security_policy
3612
+ =====================================================
3613
+ Use the ``security_policy`` |inspec resource| to test security policies on the |windows| platform.
3614
+
3615
+ **Stability: Experimental**
3616
+
3617
+ Syntax
3618
+ -----------------------------------------------------
3619
+ A ``security_policy`` |inspec resource| block declares the name of a security policy and the value to be tested:
3620
+
3621
+ .. code-block:: ruby
3622
+
3623
+ describe security_policy do
3624
+ its('policy_name') { should eq 'value' }
3625
+ end
3626
+
3627
+ where
3628
+
3629
+ * ``'policy_name'`` must specify a security policy
3630
+ * ``{ should eq 'value' }`` tests the value of ``policy_name`` against the value declared in the test
3631
+
3632
+ Matchers
3633
+ -----------------------------------------------------
3634
+ This InSpec audit resource has the following matchers.
3635
+
3636
+ policy_name
3637
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3638
+ The ``policy_name`` matcher must be the name of a security policy:
3639
+
3640
+ .. code-block:: ruby
3641
+
3642
+ its('SeNetworkLogonRight') { should eq '*S-1-5-11' }
3643
+
3644
+ Examples
3645
+ -----------------------------------------------------
3646
+ The following examples show how to use this InSpec audit resource.
3647
+
3648
+ **Verify that only the Administrators group has remote access**
3649
+
3650
+ .. code-block:: ruby
3651
+
3652
+ describe security_policy do
3653
+ its('SeRemoteInteractiveLogonRight') { should eq '*S-1-5-32-544' }
3654
+ end
3655
+
3656
+
3657
+ service
3658
+ =====================================================
3659
+ Use the ``service`` |inspec resource| to test if the named service is installed, running and/or enabled.
3660
+
3661
+ **Stability: Stable**
3662
+
3663
+ Syntax
3664
+ -----------------------------------------------------
3665
+ A ``service`` |inspec resource| block declares the name of a service and then one (or more) matchers to test the state of the service:
3666
+
3667
+ .. code-block:: ruby
3668
+
3669
+ describe service('service_name') do
3670
+ it { should be_installed }
3671
+ it { should be_enabled }
3672
+ it { should be_running }
3673
+ end
3674
+
3675
+ where
3676
+
3677
+ * ``('service_name')`` must specify a service name
3678
+ * ``be_installed``, ``be_enabled``, and ``be_running`` are valid matchers for this |inspec resource|
3679
+
3680
+ Matchers
3681
+ -----------------------------------------------------
3682
+ This InSpec audit resource has the following matchers.
3683
+
3684
+ be_enabled
3685
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3686
+ The ``be_enabled`` matcher tests if the named service is enabled:
3687
+
3688
+ .. code-block:: ruby
3689
+
3690
+ it { should be_enabled }
3691
+
3692
+ be_installed
3693
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3694
+ The ``be_installed`` matcher tests if the named service is installed:
3695
+
3696
+ .. code-block:: ruby
3697
+
3698
+ it { should be_installed }
3699
+
3700
+ be_running
3701
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3702
+ The ``be_running`` matcher tests if the named service is running:
3703
+
3704
+ .. code-block:: ruby
3705
+
3706
+ it { should be_running }
3707
+
3708
+ Examples
3709
+ -----------------------------------------------------
3710
+ The following examples show how to use this InSpec audit resource.
3711
+
3712
+ **Test if the postgresql service is both running and enabled**
3713
+
3714
+ .. code-block:: ruby
3715
+
3716
+ describe service('postgresql') do
3717
+ it { should be_enabled }
3718
+ it { should be_running }
3719
+ end
3720
+
3721
+ **Test if the mysql service is both running and enabled**
3722
+
3723
+ .. code-block:: ruby
3724
+
3725
+ describe service('mysqld') do
3726
+ it { should be_enabled }
3727
+ it { should be_running }
3728
+ end
3729
+
3730
+ **Test if ClamAV (an antivirus engine) is installed and running**
3731
+
3732
+ .. code-block:: ruby
3733
+
3734
+ describe package('clamav') do
3735
+ it { should be_installed }
3736
+ its('version') { should eq '0.98.7' }
3737
+ end
3738
+
3739
+ describe service('clamd') do
3740
+ it { should_not be_enabled }
3741
+ it { should_not be_installed }
3742
+ it { should_not be_running }
3743
+ end
3744
+
3745
+
3746
+ ssh_config
3747
+ =====================================================
3748
+ Use the ``ssh_config`` |inspec resource| to test |openssh| |ssh| client configuration data located at ``/etc/ssh/ssh_config`` on |linux| and |unix| platforms.
3749
+
3750
+ **Stability: Experimental**
3751
+
3752
+ Syntax
3753
+ -----------------------------------------------------
3754
+ A ``ssh_config`` |inspec resource| block declares the client |openssh| configuration data to be tested:
3755
+
3756
+ .. code-block:: ruby
3757
+
3758
+ describe ssh_config('path') do
3759
+ its('name') { should include('foo') }
3760
+ end
3761
+
3762
+ where
3763
+
3764
+ * ``name`` is a configuration setting in ``ssh_config``
3765
+ * ``('path')`` is the non-default ``/path/to/ssh_config``
3766
+ * ``{ should include('foo') }`` tests the value of ``name`` as read from ``ssh_config`` versus the value declared in the test
3767
+
3768
+ Matchers
3769
+ -----------------------------------------------------
3770
+ This InSpec audit resource has the following matchers.
3771
+
3772
+ name
3773
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3774
+ The ``name`` matcher tests the value of ``name`` as read from ``ssh_config`` versus the value declared in the test:
3775
+
3776
+ .. code-block:: ruby
3777
+
3778
+ its('name') { should eq 'foo' }
3779
+
3780
+ or:
3781
+
3782
+ .. code-block:: ruby
3783
+
3784
+ its('name') { should include('bar') }
3785
+
3786
+ Examples
3787
+ -----------------------------------------------------
3788
+ The following examples show how to use this InSpec audit resource.
3789
+
3790
+ **Test SSH configuration settings**
3791
+
3792
+ .. code-block:: ruby
3793
+
3794
+ describe ssh_config do
3795
+ its('cipher') { should contain '3des' }
3796
+ its('port') { should '22' }
3797
+ its('hostname') { should include('example.com') }
3798
+ end
3799
+
3800
+ **Test which variables from the local environment are sent to the server**
3801
+
3802
+ .. code-block:: ruby
3803
+
3804
+ only_if do
3805
+ command('sshd').exist? or command('ssh').exists?
3806
+ end
3807
+
3808
+ describe ssh_config do
3809
+ its('SendEnv') { should include('GORDON_CLIENT') }
3810
+ end
3811
+
3812
+ **Test owner and group permissions**
3813
+
3814
+ .. code-block:: ruby
3815
+
3816
+ describe ssh_config do
3817
+ its('owner') { should eq 'root' }
3818
+ its('mode') { should eq 644 }
3819
+ end
3820
+
3821
+ **Test SSH configuration**
3822
+
3823
+ .. code-block:: ruby
3824
+
3825
+ describe ssh_config do
3826
+ its('Host') { should eq '*' }
3827
+ its('Tunnel') { should eq nil }
3828
+ its('SendEnv') { should eq 'LANG LC_*' }
3829
+ its('HashKnownHosts') { should eq 'yes' }
3830
+ end
3831
+
3832
+
3833
+ sshd_config
3834
+ =====================================================
3835
+ Use the ``sshd_config`` |inspec resource| to test configuration data for the |openssh| daemon located at ``/etc/ssh/sshd_config`` on |linux| and |unix| platforms. sshd---the |openssh| daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command executation, and data exchanges.
3836
+
3837
+ **Stability: Experimental**
3838
+
3839
+ Syntax
3840
+ -----------------------------------------------------
3841
+ A ``sshd_config`` |inspec resource| block declares the client |openssh| configuration data to be tested:
3842
+
3843
+ .. code-block:: ruby
3844
+
3845
+ describe sshd_config('path') do
3846
+ its('name') { should include('foo') }
3847
+ end
3848
+
3849
+ where
3850
+
3851
+ * ``name`` is a configuration setting in ``sshd_config``
3852
+ * ``('path')`` is the non-default ``/path/to/sshd_config``
3853
+ * ``{ should include('foo') }`` tests the value of ``name`` as read from ``sshd_config`` versus the value declared in the test
3854
+
3855
+ Matchers
3856
+ -----------------------------------------------------
3857
+ This InSpec audit resource has the following matchers.
3858
+
3859
+ name
3860
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3861
+ The ``name`` matcher tests the value of ``name`` as read from ``sshd_config`` versus the value declared in the test:
3862
+
3863
+ .. code-block:: ruby
3864
+
3865
+ its('name') { should eq 'foo' }
3866
+
3867
+ or:
3868
+
3869
+ .. code-block:: ruby
3870
+
3871
+ its('name') {should include('bar') }
3872
+
3873
+ Examples
3874
+ -----------------------------------------------------
3875
+ The following examples show how to use this InSpec audit resource.
3876
+
3877
+ **Test which variables may be sent to the server**
3878
+
3879
+ .. code-block:: ruby
3880
+
3881
+ describe sshd_config do
3882
+ its('AcceptEnv') { should include('GORDON_SERVER') }
3883
+ end
3884
+
3885
+ **Test for IPv6-only addresses**
3886
+
3887
+ .. code-block:: ruby
3888
+
3889
+ describe sshd_config do
3890
+ its('AddressFamily') { should eq 'inet6' }
3891
+ end
3892
+
3893
+ **Test protocols**
3894
+
3895
+ .. code-block:: ruby
3896
+
3897
+ describe sshd_config do
3898
+ its('Protocol') { should eq '2' }
3899
+ end
3900
+
3901
+ **Test ciphers**
3902
+
3903
+ .. code-block:: ruby
3904
+
3905
+ describe sshd_config do
3906
+ its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
3907
+ end
3908
+
3909
+ **Test SSH protocols**
3910
+
3911
+ .. code-block:: ruby
3912
+
3913
+ describe sshd_config do
3914
+ its('Port') { should eq '22' }
3915
+ its('UsePAM') { should eq 'yes' }
3916
+ its('ListenAddress') { should eq nil }
3917
+ its('HostKey') { should eq [
3918
+ '/etc/ssh/ssh_host_rsa_key',
3919
+ '/etc/ssh/ssh_host_dsa_key',
3920
+ '/etc/ssh/ssh_host_ecdsa_key',
3921
+ ] }
3922
+ end
3923
+
3924
+
3925
+ user
3926
+ =====================================================
3927
+ Use the ``user`` |inspec resource| to test user profiles, including the groups to which they belong, the frequency of required password changes, the directory paths to home and shell.
3928
+
3929
+ **Stability: Stable**
3930
+
3931
+ Syntax
3932
+ -----------------------------------------------------
3933
+ A ``user`` |inspec resource| block declares a user name, and then one (or more) matchers:
3934
+
3935
+ .. code-block:: ruby
3936
+
3937
+ describe user('root') do
3938
+ it { should exist }
3939
+ its('uid') { should eq 1234 }
3940
+ its('gid') { should eq 1234 }
3941
+ its('group') { should eq 'root' }
3942
+ its('groups') { should eq ['root', 'other']}
3943
+ its('home') { should eq '/root' }
3944
+ its('shell') { should eq '/bin/bash' }
3945
+ its('mindays') { should eq 0 }
3946
+ its('maxdays') { should eq 90 }
3947
+ its('warndays') { should eq 8 }
3948
+ end
3949
+
3950
+ where
3951
+
3952
+ * ``('root')`` is the user to be tested
3953
+ * ``it { should exist }`` tests if the user exists
3954
+ * ``gid``, ``group``, ``groups``, ``home``, ``maxdays``, ``mindays``, ``shell``, ``uid``, and ``warndays`` are valid matchers for this |inspec resource|
3955
+
3956
+ Matchers
3957
+ -----------------------------------------------------
3958
+ This InSpec audit resource has the following matchers.
3959
+
3960
+ exist
3961
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3962
+ The ``exist`` matcher tests if the named user exists:
3963
+
3964
+ .. code-block:: ruby
3965
+
3966
+ it { should exist }
3967
+
3968
+ gid
3969
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3970
+ The ``gid`` matcher tests the group identifier:
3971
+
3972
+ .. code-block:: ruby
3973
+
3974
+ its('gid') { should eq 1234 } }
3975
+
3976
+ where ``1234`` represents the user identifier.
3977
+
3978
+ group
3979
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3980
+ The ``group`` matcher tests the group to which the user belongs:
3981
+
3982
+ .. code-block:: ruby
3983
+
3984
+ its('group') { should eq 'root' }
3985
+
3986
+ where ``root`` represents the group.
3987
+
3988
+ groups
3989
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3990
+ The ``groups`` matcher tests two (or more) groups to which the user belongs:
3991
+
3992
+ .. code-block:: ruby
3993
+
3994
+ its('groups') { should eq ['root', 'other']}
3995
+
3996
+ home
3997
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
3998
+ The ``home`` matcher tests the home directory path for the user:
3999
+
4000
+ .. code-block:: ruby
4001
+
4002
+ its('home') { should eq '/root' }
4003
+
4004
+ maxdays
4005
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
4006
+ The ``maxdays`` matcher tests the maximum number of days between password changes:
4007
+
4008
+ .. code-block:: ruby
4009
+
4010
+ its('maxdays') { should eq 99 }
4011
+
4012
+ where ``99`` represents the maximum number of days.
4013
+
4014
+ mindays
4015
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
4016
+ The ``mindays`` matcher tests the minimum number of days between password changes:
4017
+
4018
+ .. code-block:: ruby
4019
+
4020
+ its('mindays') { should eq 0 }
4021
+
4022
+ where ``0`` represents the maximum number of days.
4023
+
4024
+ shell
4025
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
4026
+ The ``shell`` matcher tests the path to the default shell for the user:
4027
+
4028
+ .. code-block:: ruby
4029
+
4030
+ its('shell') { should eq '/bin/bash' }
4031
+
4032
+ uid
4033
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
4034
+ The ``uid`` matcher tests the user identifier:
4035
+
4036
+ .. code-block:: ruby
4037
+
4038
+ its('uid') { should eq 1234 } }
4039
+
4040
+ where ``1234`` represents the user identifier.
4041
+
4042
+ warndays
4043
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
4044
+ The ``warndays`` matcher tests the number of days a user is warned before a password must be changed:
4045
+
4046
+ .. code-block:: ruby
4047
+
4048
+ its('warndays') { should eq 5 }
4049
+
4050
+ where ``5`` represents the number of days a user is warned.
4051
+
4052
+ Examples
4053
+ -----------------------------------------------------
4054
+ The following examples show how to use this InSpec audit resource.
4055
+
4056
+ **Verify available users for the MySQL server**
4057
+
4058
+ .. code-block:: ruby
4059
+
4060
+ describe user('root') do
4061
+ it { should exist }
4062
+ it { should belong_to_group 'root' }
4063
+ its('uid') { should eq 0 }
4064
+ its('groups') { should eq ['root'] }
4065
+ end
4066
+
4067
+ describe user('mysql') do
4068
+ it { should_not exist }
4069
+ end
4070
+
4071
+ **Test users on multiple platforms**
4072
+
4073
+ The |nginx| user is typically ``www-data``, but on |centos| it's ``nginx``. The following example shows how to test for the |nginx| user with a single test, but accounting for all platforms:
4074
+
4075
+ .. code-block:: ruby
4076
+
4077
+ web_user = 'www-data'
4078
+ web_user = 'nginx' if os[:family] == 'centos'
4079
+
4080
+ describe user(web_user) do
4081
+ it { should exist }
4082
+ end
4083
+
4084
+
4085
+ windows_feature
4086
+ =====================================================
4087
+ Use the ``windows_feature`` |inspec resource| to test features on |windows|. The ``Get-WindowsFeature`` cmdlet returns the following values: ``Property Name``, ``DisplayName``, ``Description``, ``Installed``, and ``InstallState``, returned as a |json| object similar to:
4088
+
4089
+ **Stability: Experimental**
4090
+
4091
+ .. code-block:: javascript
4092
+
4093
+ {
4094
+ "Name": "XPS-Viewer",
4095
+ "DisplayName": "XPS Viewer",
4096
+ "Description": "The XPS Viewer reads, sets permissions, and digitally signs XPS documents.",
4097
+ "Installed": false,
4098
+ "InstallState": 0
4099
+ }
4100
+
4101
+ Syntax
4102
+ -----------------------------------------------------
4103
+ A ``windows_feature`` |inspec resource| block declares the name of the |windows| feature, tests if that feature is installed, and then returns information about that feature:
4104
+
4105
+ .. code-block:: ruby
4106
+
4107
+ describe windows_feature('feature_name') do
4108
+ it { should be_installed }
4109
+ end
4110
+
4111
+ where
4112
+
4113
+ * ``('feature_name')`` must specify a |windows| feature name, such as ``DHCP Server`` or ``IIS-Webserver``
4114
+ * ``be_installed`` is a valid matcher for this |inspec resource|
4115
+
4116
+ Matchers
4117
+ -----------------------------------------------------
4118
+ This InSpec audit resource has the following matchers.
4119
+
4120
+ be_installed
4121
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
4122
+ The ``be_installed`` matcher tests if the named |windows| feature is installed:
4123
+
4124
+ .. code-block:: ruby
4125
+
4126
+ it { should be_installed }
4127
+
4128
+ Examples
4129
+ -----------------------------------------------------
4130
+ The following examples show how to use this InSpec audit resource.
4131
+
4132
+ **Test the DHCP Server feature**
4133
+
4134
+ .. code-block:: ruby
4135
+
4136
+ describe windows_feature('DHCP Server') do
4137
+ it{ should be_installed }
4138
+ end
4139
+
4140
+
4141
+ yaml
4142
+ =====================================================
4143
+ Use the ``yaml`` |inspec resource| to test configuration data in a |yaml| file.
4144
+
4145
+ **Stability: Experimental**
4146
+
4147
+ Syntax
4148
+ -----------------------------------------------------
4149
+ A ``yaml`` |inspec resource| block declares the configuration data to be tested:
4150
+
4151
+ .. code-block:: ruby
4152
+
4153
+ describe yaml do
4154
+ its('name') { should eq 'foo' }
4155
+ end
4156
+
4157
+ where
4158
+
4159
+ * ``name`` is a configuration setting in a |yaml| file
4160
+ * ``should eq 'foo'`` tests a value of ``name`` as read from a |yaml| file versus the value declared in the test
4161
+
4162
+ Matchers
4163
+ -----------------------------------------------------
4164
+ This InSpec audit resource has the following matchers.
4165
+
4166
+ name
4167
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
4168
+ The ``name`` matcher tests the value of ``name`` as read from a |yaml| file versus the value declared in the test:
4169
+
4170
+ .. code-block:: ruby
4171
+
4172
+ its('name') { should eq 'foo' }
4173
+
4174
+ Examples
4175
+ -----------------------------------------------------
4176
+ The following examples show how to use this InSpec audit resource.
4177
+
4178
+ **Test a kitchen.yml file driver**
4179
+
4180
+ .. code-block:: ruby
4181
+
4182
+ describe yaml('.kitchen.yaml') do
4183
+ its('driver.name') { should eq('vagrant') }
4184
+ end
4185
+
4186
+
4187
+ yum
4188
+ =====================================================
4189
+ Use the ``yum`` |inspec resource| to test packages in the |yum| repository.
4190
+
4191
+ **Stability: Experimental**
4192
+
4193
+ Syntax
4194
+ -----------------------------------------------------
4195
+ A ``yum`` |inspec resource| block declares a package repo, tests if the package repository is present, and if it that package repository is a valid package source (i.e. "is enabled"):
4196
+
4197
+ .. code-block:: ruby
4198
+
4199
+ describe yum.repo('name') do
4200
+ it { should exist }
4201
+ it { should be_enabled }
4202
+ end
4203
+
4204
+ where
4205
+
4206
+ * ``repo('name')`` is the (optional) name of a package repo, using either a full identifier (``'updates/7/x86_64'``) or a short identifier (``'updates'``)
4207
+
4208
+ Matchers
4209
+ -----------------------------------------------------
4210
+ This InSpec audit resource has the following matchers.
4211
+
4212
+ be_enabled
4213
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
4214
+ The ``be_enabled`` matcher tests if the package repository is a valid package source:
4215
+
4216
+ .. code-block:: ruby
4217
+
4218
+ it { should be_enabled }
4219
+
4220
+ exist
4221
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
4222
+ The ``exist`` matcher tests if the package repository exists:
4223
+
4224
+ .. code-block:: ruby
4225
+
4226
+ it { should exist }
4227
+
4228
+ repo('name')
4229
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
4230
+ The ``repo('name')`` matcher names a specific package repository:
4231
+
4232
+ .. code-block:: ruby
4233
+
4234
+ describe yum.repo('epel') do
4235
+ ...
4236
+ end
4237
+
4238
+ repos
4239
+ +++++++++++++++++++++++++++++++++++++++++++++++++++++
4240
+ The ``repos`` matcher tests if a named repo, using either a full identifier (``'updates/7/x86_64'``) or a short identifier (``'updates'``), is included in the |yum| repo:
4241
+
4242
+ .. code-block:: ruby
4243
+
4244
+ its('repos') { should include 'some_repo' }
4245
+
4246
+ Examples
4247
+ -----------------------------------------------------
4248
+ The following examples show how to use this InSpec audit resource.
4249
+
4250
+ **Test if the yum repo exists**
4251
+
4252
+ .. code-block:: ruby
4253
+
4254
+ describe yum do
4255
+ its('repos') { should exist }
4256
+ end
4257
+
4258
+ **Test if the 'base/7/x86_64' repo exists and is enabled**
4259
+
4260
+ .. code-block:: ruby
4261
+
4262
+ describe yum do
4263
+ its('repos') { should include 'base/7/x86_64' }
4264
+ its('epel') { should exist }
4265
+ its('epel') { should be_enabled }
4266
+ end
4267
+
4268
+ **Test if a specific yum repo exists**
4269
+
4270
+ .. code-block:: ruby
4271
+
4272
+ describe yum.repo('epel') do
4273
+ it { should exist }
4274
+ it { should be_enabled }
4275
+ end
4276
+
4277
+
4278
+
4279
+
4280
+ .. |inspec resource| replace:: InSpec audit resource
4281
+ .. |apt| replace:: Apt
4282
+ .. |apache| replace:: Apache
4283
+ .. |archlinux| replace:: Arch Linux
4284
+ .. |debian| replace:: Debian
4285
+ .. |fedora| replace:: Fedora
4286
+ .. |redhat enterprise linux| replace:: Red Hat Enterprise Linux
4287
+ .. |centos| replace:: CentOS
4288
+ .. |redhat| replace:: Red Hat
4289
+ .. |ubuntu| replace:: Ubuntu
4290
+ .. |windows| replace:: Microsoft Windows
4291
+ .. |unix| replace:: UNIX
4292
+ .. |linux| replace:: Linux
4293
+ .. |ppa| replace:: PPA
4294
+ .. |json| replace:: JSON
4295
+ .. |csv| replace:: CSV
4296
+ .. |postgresql| replace:: PostgreSQL
4297
+ .. |md5| replace:: MD5
4298
+ .. |sha256| replace:: SHA-256
4299
+ .. |selinux| replace:: SELinux
4300
+ .. |gem| replace:: gem
4301
+ .. |icmp| replace:: ICMP
4302
+ .. |tcp| replace:: TCP
4303
+ .. |udp| replace:: UDP
4304
+ .. |inetd| replace:: inetd
4305
+ .. |mysql| replace:: MySQL
4306
+ .. |npm| replace:: npm
4307
+ .. |bower| replace:: bower
4308
+ .. |statsd| replace:: StatsD
4309
+ .. |oneget| replace:: OneGet
4310
+ .. |ruby| replace:: Ruby
4311
+ .. |pip| replace:: pip
4312
+ .. |ipv4| replace:: Internet Protocol version 4 (IPv4)
4313
+ .. |ipv6| replace:: Internet Protocol version 6 (IPv6)
4314
+ .. |powershell| replace:: Windows PowerShell
4315
+ .. |openssh| replace:: Open SSH
4316
+ .. |ssh| replace:: SSH
4317
+ .. |nginx| replace:: Nginx
4318
+ .. |yaml| replace:: YAML
4319
+ .. |yum| replace:: Yum