inspec 0.9.5 → 0.9.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3fc1943a4f7b887acce7a49336b5d32aef1e4847
-  data.tar.gz: 88da833cba32da598a683bd1fff826caf2809af2
+  metadata.gz: 2a0409ea39853cce8b89f828d6c639c48c0adfe4
+  data.tar.gz: a424f575ac78ec70775f6d84d577330f278be8fc
 SHA512:
-  metadata.gz: c2d297e8107586f5657e7fb77e4973153e1beb9f1ad2d5f31db4135cb56006a5b8e311edc4d6a2e7f4cfbdb37db3bb26cb4337e550d5d9e3b5be8ffbc845a386
-  data.tar.gz: 3943ace22dbed7065268d871c5dfd5b4e46048d3c33474a2938e6e65619db190ded570559f3b1256a9c5fdc998dfea8fc841b8796e5f3665178f144fd0cca988
+  metadata.gz: 4be07873774b1a7b9bb11160c9078d004808aaad09be4c91841cc5af5e4a896d0d3c5f6c83d184fadd88048e26c4611ff26e688bc499149e32b91c66fca27071
+  data.tar.gz: a11ee4ab19c53b5c7f8e3a8d30a1047655ffe62d562a8874818bb29050005e7cb917c7e7d93fd8e396535147530aae450ce24f4f31c36f5c7415c029362c9d83

data/CHANGELOG.md

@@ -1,15 +1,65 @@
 # Change Log
 
-## [0.9.5](https://github.com/chef/inspec/tree/0.9.5) (2015-11-25)
-[Full Changelog](https://github.com/chef/inspec/compare/v0.9.4...0.9.5)
+## [0.9.6](https://github.com/chef/inspec/tree/0.9.6) (2015-12-11)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.9.5...0.9.6)
 
 **Implemented enhancements:**
 
-- Support the -i switch for key files as per ssh? [\#261](https://github.com/chef/inspec/issues/261)
+- JSON configuration [\#292](https://github.com/chef/inspec/issues/292)
+- Replace the `pry... ` bits in inspec shell [\#267](https://github.com/chef/inspec/issues/267)
+- Better wording for check [\#260](https://github.com/chef/inspec/issues/260)
+- OS resource with string and symbol support [\#227](https://github.com/chef/inspec/issues/227)
+- matcher for less-restrictive comparison [\#318](https://github.com/chef/inspec/pull/318) ([chris-rock](https://github.com/chris-rock))
+- add readme to examples [\#313](https://github.com/chef/inspec/pull/313) ([chris-rock](https://github.com/chris-rock))
+- Minor `inspec shell` improvements [\#283](https://github.com/chef/inspec/pull/283) ([srenatus](https://github.com/srenatus))
+- add kitchen-ansible inspec example [\#275](https://github.com/chef/inspec/pull/275) ([alexpop](https://github.com/alexpop))
+- add kitchen-puppet example with inspec testing [\#273](https://github.com/chef/inspec/pull/273) ([alexpop](https://github.com/alexpop))
+- Feature: Add shell `help resource` command [\#269](https://github.com/chef/inspec/pull/269) ([chris-rock](https://github.com/chris-rock))
+
+**Fixed bugs:**
+
+- auditd\_conf parameters should be case insensitive [\#307](https://github.com/chef/inspec/issues/307)
+- Processes resource doesn't handle user or state [\#295](https://github.com/chef/inspec/issues/295)
+- JSON configuration [\#292](https://github.com/chef/inspec/issues/292)
+- Windows file matcher does not match existing files [\#288](https://github.com/chef/inspec/issues/288)
+- Inspec hangs when executing some windows profiles against linux machine [\#279](https://github.com/chef/inspec/issues/279)
+- Utils::FindFiles doesn't work [\#276](https://github.com/chef/inspec/issues/276)
+- etc\_group not implemented for centos [\#266](https://github.com/chef/inspec/issues/266)
+- Port resource returns arrays [\#256](https://github.com/chef/inspec/issues/256)
+- Custom resource not available, undefined local variable or method `gordon\_config` [\#232](https://github.com/chef/inspec/issues/232)
+- File permission checks should return false unless file exists [\#301](https://github.com/chef/inspec/pull/301) ([adamleff](https://github.com/adamleff))
+- remove json doc for windows\_feature [\#272](https://github.com/chef/inspec/pull/272) ([chris-rock](https://github.com/chris-rock))
+- improvement: add etc\_group support for centos and add integration test [\#270](https://github.com/chef/inspec/pull/270) ([chris-rock](https://github.com/chris-rock))
+
+**Merged pull requests:**
+
+- Bugfix: Properly initialize script resource [\#316](https://github.com/chef/inspec/pull/316) ([chris-rock](https://github.com/chris-rock))
+- improve shell prompt and help [\#315](https://github.com/chef/inspec/pull/315) ([chris-rock](https://github.com/chris-rock))
+- port resource: array attributes, resource alternative [\#303](https://github.com/chef/inspec/pull/303) ([srenatus](https://github.com/srenatus))
+- support string and symbol for os resource [\#299](https://github.com/chef/inspec/pull/299) ([chris-rock](https://github.com/chris-rock))
+- \[resources/apache\_conf\]: add tests, fix bug [\#298](https://github.com/chef/inspec/pull/298) ([srenatus](https://github.com/srenatus))
+- \[resources/processes\] add user\(s\), state\(s\) attribute [\#297](https://github.com/chef/inspec/pull/297) ([srenatus](https://github.com/srenatus))
+- fix small grammar error [\#294](https://github.com/chef/inspec/pull/294) ([juliandunn](https://github.com/juliandunn))
+- read config from file/stdin [\#293](https://github.com/chef/inspec/pull/293) ([srenatus](https://github.com/srenatus))
+- revert to old find\_files interface [\#291](https://github.com/chef/inspec/pull/291) ([srenatus](https://github.com/srenatus))
+- Adding support for Wind River Linux [\#289](https://github.com/chef/inspec/pull/289) ([adamleff](https://github.com/adamleff))
+- travis workarounds [\#286](https://github.com/chef/inspec/pull/286) ([srenatus](https://github.com/srenatus))
+- Support mint in the integration tests [\#281](https://github.com/chef/inspec/pull/281) ([artem-sidorenko](https://github.com/artem-sidorenko))
+- align cli documentation with cli [\#278](https://github.com/chef/inspec/pull/278) ([chris-rock](https://github.com/chris-rock))
+- Remove description of custom resource [\#277](https://github.com/chef/inspec/pull/277) ([chris-rock](https://github.com/chris-rock))
+- add rake tasks for showing and bumping the version of inspec [\#265](https://github.com/chef/inspec/pull/265) ([arlimus](https://github.com/arlimus))
+
+## [v0.9.5](https://github.com/chef/inspec/tree/v0.9.5) (2015-11-25)
+[Full Changelog](https://github.com/chef/inspec/compare/v0.9.4...v0.9.5)
+
+**Implemented enhancements:**
+
+- Support the -i switch for key files as per ssh [\#261](https://github.com/chef/inspec/issues/261)
 - Add -p alias for --port like ssh [\#263](https://github.com/chef/inspec/pull/263) ([alexmanly](https://github.com/alexmanly))
 
 **Merged pull requests:**
 
+- 0.9.5 [\#264](https://github.com/chef/inspec/pull/264) ([arlimus](https://github.com/arlimus))
 - Add -i alias for --key\_files like ssh [\#262](https://github.com/chef/inspec/pull/262) ([jcreedcmu](https://github.com/jcreedcmu))
 
 ## [v0.9.4](https://github.com/chef/inspec/tree/v0.9.4) (2015-11-24)
@@ -19,13 +69,10 @@
 
 - registry\_key needs to be case insensitive [\#254](https://github.com/chef/inspec/issues/254)
 - User resource doesn't handle group names with spaces [\#238](https://github.com/chef/inspec/issues/238)
+- inspec does not extract section name from test file header [\#182](https://github.com/chef/inspec/issues/182)
 - bugfix: user resources support for group with whitespace [\#258](https://github.com/chef/inspec/pull/258) ([chris-rock](https://github.com/chris-rock))
 - Bugfix: make registry\_key resource case-insensitive [\#255](https://github.com/chef/inspec/pull/255) ([alexpop](https://github.com/alexpop))
 
-**Closed issues:**
-
-- inspec does not extract section name from test file header [\#182](https://github.com/chef/inspec/issues/182)
-
 **Merged pull requests:**
 
 - 0.9.4 [\#259](https://github.com/chef/inspec/pull/259) ([arlimus](https://github.com/arlimus))
@@ -39,9 +86,12 @@
 
 - Support the control keyword, synonymous to rule [\#188](https://github.com/chef/inspec/issues/188)
 
-**Closed issues:**
+**Fixed bugs:**
 
 - Multiple computed calls to describe aren't registered [\#246](https://github.com/chef/inspec/issues/246)
+
+**Closed issues:**
+
 - port resource does not work on CentOS [\#239](https://github.com/chef/inspec/issues/239)
 - os\_env not working [\#236](https://github.com/chef/inspec/issues/236)
 - service resource misbehaves on upstart hosts [\#226](https://github.com/chef/inspec/issues/226)

data/README.md

@@ -1,6 +1,6 @@
 # InSpec: Inspect Your Infrastructure
 
-InSpec is open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.
+InSpec is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security and policy requirements.
 
 ```ruby
 # Disallow insecure protocols by testing
@@ -92,7 +92,7 @@ end
 
 describe port(443) do
   it { should be_listening }
-  its('protocol') {should eq 'tcp'}
+  its('protocols') {should include 'tcp'}
 end
 ```
 
@@ -152,43 +152,6 @@ Which will provide you with:
 {"family":"ubuntu","release":"14.04","arch":null}
 ```
 
-## Custom InSpec resources
-
-You can easily create your own resources. Here is a custom resource for an
-application called Gordon. It is saved as `gordon_config.rb`.
-
-```ruby
-require 'yaml'
-
-class GordonConfig < Inspec.resource(1)
-  name 'gordon_config'
-
-  def initialize
-    @path = '/etc/gordon/config.yaml'
-    @config = inspec.file(@path).content
-    @params = YAML.load(@config)
-  end
-
-  def method_missing(name)
-    @params[name.to_s]
-  end
-end
-```
-
-Include this file in your `test.rb`:
-
-```ruby
-require_relative 'gordon_config'
-```
-
-Now you can start using your new resource:
-
-```ruby
-describe gordon_config do
-  its('Version') { should eq('1.0') }
-end
-```
-
 ## Documentation
 
 Documentation is available: https://github.com/chef/inspec/tree/master/docs
@@ -221,6 +184,12 @@ We perform `unit`, `resource` and `integration` tests.
 bundle exec rake test
 ```
 
+If you like to run only one test, use
+
+```bash
+bundle exec ruby -W -Ilib:test test/unit/resources/user_test.rb
+```
+
 ### Resource tests
 
 Resource tests make sure the backend execution layer behaves as expected. These tests will take a while, as a lot of different operating systems and configurations are being tested.

data/Rakefile

@@ -48,14 +48,79 @@ namespace :test do
   end
 end
 
-# Automatically generate a changelog for this project. Only loaded if
-# the necessary gem is installed.
-begin
-  require 'github_changelog_generator/task'
-  require_relative 'lib/inspec/version'
-  GitHubChangelogGenerator::RakeTask.new :changelog do |config|
-    config.since_tag = '0.7.0'
-    config.future_release = Inspec::VERSION
+# Print the current version of this gem or update it.
+#
+# @param [Type] target the new version you want to set, or nil if you only want to show
+def inspec_version(target = nil)
+  path = 'lib/inspec/version.rb'
+  require_relative path.sub(/.rb$/, '')
+
+  nu_version = target.nil? ? '' : " -> #{target}"
+  puts "Inspec: #{Inspec::VERSION}#{nu_version}"
+
+  unless target.nil?
+    raw = File.read(path)
+    nu = raw.sub(/VERSION.*/, "VERSION = '#{target}'")
+    File.write(path, nu)
+    load(path)
   end
-rescue LoadError
+end
+
+# Check if a command is available
+#
+# @param [Type] x the command you are interested in
+# @param [Type] msg the message to display if the command is missing
+def require_command(x, msg = nil)
+  return if system("command -v #{x} || exit 1")
+  msg ||= 'Please install it first!'
+  puts "\033[31;1mCan't find command #{x.inspect}. #{msg}\033[0m"
+  exit 1
+end
+
+# Check if a required environment variable has been set
+#
+# @param [String] x the variable you are interested in
+# @param [String] msg the message you want to display if the variable is missing
+def require_env(x, msg = nil)
+  exists = `env | grep "^#{x}="`
+  return unless exists.empty?
+  puts "\033[31;1mCan't find environment variable #{x.inspect}. #{msg}\033[0m"
+  exit 1
+end
+
+# Check the requirements for running an update of this repository.
+def check_update_requirements
+  require_command 'git'
+  require_command 'github_changelog_generator', "\n"\
+    "For more information on how to install it see:\n"\
+    "  https://github.com/skywinder/github-changelog-generator\n"
+  require_env 'CHANGELOG_GITHUB_TOKEN', "\n"\
+    "Please configure this token to make sure you can run all commands\n"\
+    "against GitHub.\n\n"\
+    "See github_changelog_generator homepage for more information:\n"\
+    "  https://github.com/skywinder/github-changelog-generator\n"
+end
+
+# Show the current version of this gem.
+desc 'Show the version of this gem'
+task :version do
+  inspec_version
+end
+
+desc 'Generate the changelog'
+task :changelog do
+  require_relative 'lib/inspec/version'
+  system "github_changelog_generator -u chef -p inspec --future-release #{Inspec::VERSION} --since-tag 0.7.0"
+end
+
+# Update the version of this gem and create an updated
+# changelog. It covers everything short of actually releasing
+# the gem.
+desc 'Bump the version of this gem'
+task :bump_version, [:version] do |_, args|
+  v = args[:version] || ENV['to']
+  fail "You must specify a target version!  rake release[1.2.3]" if v.empty?
+  check_update_requirements
+  inspec_version(v)
+  Rake::Task['changelog'].invoke
 end

data/bin/inspec

@@ -6,9 +6,13 @@
 
 require 'thor'
 require 'json'
+require 'pp'
 require_relative '../lib/inspec'
 
-class InspecCLI < Thor
+class InspecCLI < Thor # rubocop:disable Metrics/ClassLength
+  class_option :diagnose, type: :boolean,
+    desc: 'Show diagnostics (versions, configurations)'
+
   def self.target_options
     option :target, aliases: :t, type: :string, default: nil,
       desc: 'Simple targeting option using URIs, e.g. ssh://user:pass@host:port'
@@ -36,16 +40,20 @@ class InspecCLI < Thor
       desc: 'Use SSL for transport layer encryption (WinRM).'
     option :self_signed, type: :boolean, default: false,
       desc: 'Allow remote scans with self-signed certificates (WinRM).'
+    option :json_config, type: :string,
+      desc: 'Read configuration from JSON file (`-` reads from stdin).'
   end
 
-  desc 'json PATH', 'read all tests in PATH and generate a JSON profile'
+  desc 'json PATH', 'read all tests in PATH and generate a JSON summary'
   option :id, type: :string,
     desc: 'Attach a profile ID to all test results'
   option :output, aliases: :o, type: :string,
     desc: 'Save the created profile to a path'
   def json(path)
-    profile = Inspec::Profile.from_path(path, options)
-    dst = options[:output].to_s
+    diagnose
+
+    profile = Inspec::Profile.from_path(path, opts)
+    dst = opts[:output].to_s
     if dst.empty?
       puts JSON.pretty_generate(profile.info)
     else
@@ -59,21 +67,25 @@ class InspecCLI < Thor
     end
   end
 
-  desc 'check PATH', 'verify test structure in PATH'
+  desc 'check PATH', 'verify all tests at the specified PATH'
   def check(path)
-    o = options.dup
+    diagnose
+
+    o = opts.dup
     o[:logger] = Logger.new(STDOUT)
     profile = Inspec::Profile.from_path(path, o)
     exit 1 unless profile.check
   end
 
-  desc 'exec PATHS', 'run all test files'
+  desc 'exec PATHS', 'run all test files at the specified PATH.'
   option :id, type: :string,
     desc: 'Attach a profile ID to all test results'
   target_options
   option :format, type: :string, default: 'progress'
   def exec(*tests)
-    runner = Inspec::Runner.new(options)
+    diagnose
+
+    runner = Inspec::Runner.new(opts)
     runner.add_tests(tests)
     runner.run
   rescue RuntimeError => e
@@ -83,7 +95,9 @@ class InspecCLI < Thor
   desc 'detect', 'detect the target OS'
   target_options
   def detect
-    runner = Inspec::Runner.new(options)
+    diagnose
+
+    runner = Inspec::Runner.new(opts)
     rel = File.join(File.dirname(__FILE__), *%w{.. lib utils detect.rb})
     detect_util = File.expand_path(rel)
     runner.add_tests([detect_util])
@@ -94,8 +108,11 @@ class InspecCLI < Thor
 
   desc 'shell', 'open an interactive debugging shell'
   target_options
+  option :format, type: :string, default: Inspec::NoSummaryFormatter, hide: true
   def shell_func
-    runner = Inspec::Runner.new(options)
+    diagnose
+
+    runner = Inspec::Runner.new(opts)
     Inspec::Shell.new(runner).start
   rescue RuntimeError => e
     puts e.message
@@ -105,5 +122,44 @@ class InspecCLI < Thor
   def version
     puts Inspec::VERSION
   end
+
+  private
+
+  def diagnose
+    return unless opts['diagnose']
+    puts "InSpec version: #{Inspec::VERSION}"
+    puts "Train version: #{Train::VERSION}"
+    puts 'Command line configuration:'
+    pp options
+    puts 'JSON configuration file:'
+    pp options_json
+    puts 'Merged configuration:'
+    pp opts
+    puts
+  end
+
+  def opts
+    # argv overrides json
+    Thor::CoreExt::HashWithIndifferentAccess.new(options_json.merge(options))
+  end
+
+  def options_json
+    conffile = options['json_config']
+    @json ||= conffile ? read_config(conffile) : {}
+  end
+
+  def read_config(file)
+    if file == '-'
+      puts 'WARN: reading JSON config from standard input' if STDIN.tty?
+      config = STDIN.read
+    else
+      config = File.read(file)
+    end
+
+    JSON.load(config)
+  rescue JSON::ParserError => e
+    puts "Failed to load JSON configuration: #{e}\nConfig was: #{config.inspect}"
+    exit 1
+  end
 end
 InspecCLI.start(ARGV)

data/docs/ctl_inspec.rst

@@ -47,11 +47,17 @@ The following options may be used with any of the InSpec CLI subcommands:
 ``--user``
    The login user for remote scanning.
 
+``--json_config``
+   A JSON file containing configuration options. Use `--json_config=-` to read from standard input. The file's format corresponds to the command line argument options. For example, `{"host": "example.com", "sudo": true}` is equivalent to `--host=example.com --sudo`. Command line switches override the configuration file.
+
+``--diagnose``
+   Dump configuration values from a command line options, the configuration file, and the merged effective options.
+
 
 
 check
 =====================================================
-Use ``inspec check`` to run all tests at the specified path.
+Use ``inspec check`` to verify all tests the specified path.
 
 Syntax
 -----------------------------------------------------

data/docs/inspec_and_friends.rst

@@ -64,7 +64,7 @@ One of the key differences is that InSpec targets more user groups. It is optimi
       insecure SSHv1 connections anymore.
     "
     describe sshd_config do
-      its('Protocol') { should eq('2') }
+      its('Protocol') { should cmp 2 }
     end
   end
 

data/docs/resources.rst

@@ -258,7 +258,7 @@ A ``auditd_conf`` |inspec resource| block declares configuration settings that s
 .. code-block:: ruby
 
    describe auditd_conf('path') do
-     its('keyword') { should eq 'value' }
+     its('keyword') { should cmp 'value' }
    end
 
 where
@@ -269,11 +269,12 @@ where
 
 Matchers
 -----------------------------------------------------
-This |inspec resource| matches any keyword that is listed in the ``auditd.conf`` configuration file:
+This |inspec resource| matches any keyword that is listed in the ``auditd.conf`` configuration file. Since all option names and values are case insensitive for ``auditd_conf``, we recommend to compare values with `cmp` instead of the `eq`:
 
 .. code-block:: ruby
 
-   its('log_format') { should eq 'raw' }
+   its('log_format') { should cmp 'raw' }
+   its('max_log_file') { should cmp 6 }
 
 Examples
 -----------------------------------------------------
@@ -284,20 +285,20 @@ The following examples show how to use this InSpec audit resource.
 .. code-block:: ruby
 
    describe auditd_conf do
-     its('log_file') { should eq '/full/path/to/file' }
-     its('log_format') { should eq 'raw' }
-     its('flush') { should eq 'none' }
-     its('freq') { should eq '1' }
-     its('num_logs') { should eq '0' }
-     its('max_log_file') { should eq '6' }
-     its('max_log_file_action') { should eq 'email' }
-     its('space_left') { should eq '2' }
-     its('action_mail_acct') { should eq 'root' }
-     its('space_left_action') { should eq 'email' }
-     its('admin_space_left') { should eq '1' }
-     its('admin_space_left_action') { should eq 'halt' }
-     its('disk_full_action') { should eq 'halt' }
-     its('disk_error_action') { should eq 'halt' }
+     its('log_file') { should cmp '/full/path/to/file' }
+     its('log_format') { should cmp 'raw' }
+     its('flush') { should cmp 'none' }
+     its('freq') { should cmp 1 }
+     its('num_logs') { should cmp 0 }
+     its('max_log_file') { should cmp 6 }
+     its('max_log_file_action') { should cmp 'email' }
+     its('space_left') { should cmp 2 }
+     its('action_mail_acct') { should cmp 'root' }
+     its('space_left_action') { should cmp 'email' }
+     its('admin_space_left') { should cmp 1 }
+     its('admin_space_left_action') { should cmp 'halt' }
+     its('disk_full_action') { should cmp 'halt' }
+     its('disk_error_action') { should cmp 'halt' }
    end
 
 
@@ -3176,10 +3177,10 @@ A ``port`` |inspec resource| block declares a port, and then depending on what n
 
    describe port(514) do
      it { should be_listening }
-     its('process') {should eq 'syslog'}
+     its('processes') {should include 'syslog'}
    end
 
-where the ``process`` returns the process listening on port 514.
+where the ``processes`` returns the processes listening on port 514.
 
 Matchers
 -----------------------------------------------------
@@ -3195,33 +3196,33 @@ The ``be_listening`` matcher tests if the port is listening for traffic:
 
 pid
 +++++++++++++++++++++++++++++++++++++++++++++++++++++
-The ``pid`` matcher tests the process identifier (PID):
+The ``pids`` matcher tests the process identifier (PID):
 
 .. code-block:: ruby
 
-   its('pid') { should eq '27808' }
+   its('pids') { should eq ['27808'] }
 
 process
 +++++++++++++++++++++++++++++++++++++++++++++++++++++
-The ``process`` matcher tests if the named process is running on the system:
+The ``processes`` matcher tests if the named process is running on the system:
 
 .. code-block:: ruby
 
-   its('process') { should eq 'syslog' }
+   its('processes') { should eq ['syslog'] }
 
 protocol
 +++++++++++++++++++++++++++++++++++++++++++++++++++++
-The ``protocol`` matcher tests the Internet protocol: |icmp| (``'icmp'``), |tcp| (``'tcp'`` or ``'tcp6'``), or |udp| (``'udp'`` or ``'udp6'``):
+The ``protocols`` matcher tests the Internet protocol: |icmp| (``'icmp'``), |tcp| (``'tcp'`` or ``'tcp6'``), or |udp| (``'udp'`` or ``'udp6'``):
 
 .. code-block:: ruby
 
-   its('protocol') { should eq 'tcp' }
+   its('protocols') { should eq ['tcp'] }
 
 or for the |ipv6| protocol:
 
 .. code-block:: ruby
 
-   its('protocol') { should eq 'tcp6' }
+   its('protocols') { should eq ['tcp6'] }
 
 Examples
 -----------------------------------------------------
@@ -3233,7 +3234,7 @@ The following examples show how to use this InSpec audit resource.
 
    describe port(80) do
      it { should be_listening }
-     its('protocol') {should eq 'tcp'}
+     its('protocols') {should eq ['tcp']}
    end
 
 **Test port 80, listening with TCP version IPv6 protocol**
@@ -3242,7 +3243,7 @@ The following examples show how to use this InSpec audit resource.
 
    describe port(80) do
      it { should be_listening }
-     its('protocol') {should eq 'tcp6'}
+     its('protocols') {should eq ['tcp6']}
    end
 
 **Test ports for HTTPs**
@@ -3255,7 +3256,22 @@ The following examples show how to use this InSpec audit resource.
 
    describe port(443) do
      it { should be_listening }
-     its('protocol') {should eq 'tcp'}
+     its('protocols') {should eq ['tcp']}
+   end
+
+**Test port 80 on a specific address**
+
+This check can be implemented in two equivalent ways:
+
+.. code-block:: ruby
+
+   describe port(80) do
+     it { should be_listening }
+     its('addresses') {should include '0.0.0.0'}
+   end
+
+   describe port('0.0.0.0', 80) do
+     it { should be_listening }
    end
 
 postgres_conf
@@ -3424,7 +3440,7 @@ A ``processes`` |inspec resource| block declares the name of the process to be t
 where
 
 * ``processes('process_name')`` must specify the name of a process that is running on the system
-* Multiple properties may be tested; for each property to be tested, use an ``its('property_name')`` statement
+* The ``user`` and ``state`` properties may be tested; they are exposed via ``users`` and ``states``, respectively.
 
 Matchers
 -----------------------------------------------------
@@ -3466,7 +3482,7 @@ The following examples show how to use this InSpec audit resource.
 .. code-block:: ruby
 
    describe processes('init') do
-     its('user') { should eq 'root' }
+     its('users') { should eq ['root'] }
    end
 
 **Test if a high-priority process is running**
@@ -3474,7 +3490,7 @@ The following examples show how to use this InSpec audit resource.
 .. code-block:: ruby
 
    describe processes('some_process') do
-     its('state') { should eq 'R<' }
+     its('states') { should eq ['R<'] }
    end
 
 
@@ -3895,7 +3911,7 @@ The following examples show how to use this InSpec audit resource.
 .. code-block:: ruby
 
    describe sshd_config do
-     its('Protocol') { should eq '2' }
+     its('Protocol') { should cmp 2 }
    end
 
 **Test ciphers**
@@ -3911,7 +3927,7 @@ The following examples show how to use this InSpec audit resource.
 .. code-block:: ruby
 
    describe sshd_config do
-     its('Port') { should eq '22' }
+     its('Port') { should cmp 22 }
      its('UsePAM') { should eq 'yes' }
      its('ListenAddress') { should eq nil }
      its('HostKey') { should eq [
@@ -4084,20 +4100,10 @@ The |nginx| user is typically ``www-data``, but on |centos| it's ``nginx``. The
 
 windows_feature
 =====================================================
-Use the ``windows_feature`` |inspec resource| to test features on |windows|. The ``Get-WindowsFeature`` cmdlet returns the following values: ``Property Name``, ``DisplayName``, ``Description``, ``Installed``, and ``InstallState``, returned as a |json| object similar to:
+Use the ``windows_feature`` |inspec resource| to test features on |windows|. It uses the  ``Get-WindowsFeature`` cmdlet under the hood.
 
 **Stability: Experimental**
 
-.. code-block:: javascript
-
-   {
-     "Name": "XPS-Viewer",
-     "DisplayName": "XPS Viewer",
-     "Description": "The XPS Viewer reads, sets permissions, and digitally signs XPS documents.",
-     "Installed": false,
-     "InstallState": 0
-   }
-
 Syntax
 -----------------------------------------------------
 A ``windows_feature`` |inspec resource| block declares the name of the |windows| feature, tests if that feature is installed, and then returns information about that feature: