inspec 1.0.0.beta2 → 1.0.0.beta3

  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +41 -2
  3. data/Gemfile +4 -0
  4. data/Rakefile +2 -1
  5. data/docs/.gitignore +2 -0
  6. data/docs/README.md +21 -1
  7. data/docs/resources/apache_conf.md.erb +75 -0
  8. data/docs/resources/apt.md.erb +84 -0
  9. data/docs/resources/audit_policy.md.erb +61 -0
  10. data/docs/resources/auditd_conf.md.erb +79 -0
  11. data/docs/resources/auditd_rules.md.erb +132 -0
  12. data/docs/resources/bash.md.erb +84 -0
  13. data/docs/resources/bond.md.erb +97 -0
  14. data/docs/resources/bridge.md.erb +67 -0
  15. data/docs/resources/bsd_service.md.erb +76 -0
  16. data/docs/resources/command.md.erb +151 -0
  17. data/docs/resources/csv.md.erb +62 -0
  18. data/docs/resources/directory.md.erb +43 -0
  19. data/docs/resources/etc_group.md.erb +116 -0
  20. data/docs/resources/etc_passwd.md.erb +155 -0
  21. data/docs/resources/etc_shadow.md.erb +149 -0
  22. data/docs/resources/file.md.erb +460 -0
  23. data/docs/resources/gem.md.erb +73 -0
  24. data/docs/resources/group.md.erb +74 -0
  25. data/docs/resources/grub_conf.md.erb +115 -0
  26. data/docs/resources/host.md.erb +85 -0
  27. data/docs/resources/iis_site.md.erb +142 -0
  28. data/docs/resources/inetd_conf.md.erb +99 -0
  29. data/docs/resources/ini.md.erb +69 -0
  30. data/docs/resources/interface.md.erb +66 -0
  31. data/docs/resources/iptables.md.erb +70 -0
  32. data/docs/resources/json.md.erb +76 -0
  33. data/docs/resources/kernel_module.md.erb +60 -0
  34. data/docs/resources/kernel_parameter.md.erb +72 -0
  35. data/docs/resources/launchd_service.md.erb +76 -0
  36. data/docs/resources/limits_conf.md.erb +80 -0
  37. data/docs/resources/login_def.md.erb +77 -0
  38. data/docs/resources/mount.md.erb +83 -0
  39. data/docs/resources/mysql_conf.md.erb +102 -0
  40. data/docs/resources/mysql_session.md.erb +63 -0
  41. data/docs/resources/npm.md.erb +75 -0
  42. data/docs/resources/ntp_conf.md.erb +76 -0
  43. data/docs/resources/oneget.md.erb +67 -0
  44. data/docs/resources/os.md.erb +154 -0
  45. data/docs/resources/os_env.md.erb +98 -0
  46. data/docs/resources/package.md.erb +115 -0
  47. data/docs/resources/parse_config.md.erb +122 -0
  48. data/docs/resources/parse_config_file.md.erb +143 -0
  49. data/docs/resources/pip.md.erb +74 -0
  50. data/docs/resources/port.md.erb +150 -0
  51. data/docs/resources/postgres_conf.md.erb +90 -0
  52. data/docs/resources/postgres_session.md.erb +75 -0
  53. data/docs/resources/powershell.md.erb +116 -0
  54. data/docs/resources/process.md.erb +73 -0
  55. data/docs/resources/registry_key.md.erb +149 -0
  56. data/docs/resources/runit_service.md.erb +76 -0
  57. data/docs/resources/security_policy.md.erb +61 -0
  58. data/docs/resources/service.md.erb +135 -0
  59. data/docs/resources/ssh_config.md.erb +94 -0
  60. data/docs/resources/sshd_config.md.erb +97 -0
  61. data/docs/resources/ssl.md.erb +133 -0
  62. data/docs/resources/sys_info.md.erb +55 -0
  63. data/docs/resources/systemd_service.md.erb +76 -0
  64. data/docs/resources/sysv_service.md.erb +76 -0
  65. data/docs/resources/upstart_service.md.erb +76 -0
  66. data/docs/resources/user.md.erb +154 -0
  67. data/docs/resources/users.md.erb +140 -0
  68. data/docs/resources/vbscript.md.erb +69 -0
  69. data/docs/resources/windows_feature.md.erb +61 -0
  70. data/docs/resources/wmi.md.erb +95 -0
  71. data/docs/resources/xinetd_conf.md.erb +170 -0
  72. data/docs/resources/yaml.md.erb +69 -0
  73. data/docs/resources/yum.md.erb +103 -0
  74. data/docs/ruby_usage.md +154 -0
  75. data/docs/shared/matcher_be.md.erb +1 -0
  76. data/docs/shared/matcher_cmp.md.erb +45 -0
  77. data/docs/shared/matcher_eq.md.erb +3 -0
  78. data/docs/shared/matcher_include.md.erb +1 -0
  79. data/docs/shared/matcher_match.md.erb +1 -0
  80. data/lib/fetchers/url.rb +27 -29
  81. data/lib/inspec/cached_fetcher.rb +67 -0
  82. data/lib/inspec/dependencies/requirement.rb +6 -7
  83. data/lib/inspec/objects/each_loop.rb +5 -2
  84. data/lib/inspec/plugins/fetcher.rb +2 -0
  85. data/lib/inspec/profile.rb +9 -41
  86. data/lib/inspec/resource.rb +1 -1
  87. data/lib/inspec/rspec_json_formatter.rb +11 -5
  88. data/lib/inspec/version.rb +1 -1
  89. data/lib/resources/groups.rb +190 -0
  90. data/lib/resources/users.rb +3 -2
  91. metadata +79 -6
  92. data/docs/cli.rst +0 -448
  93. data/docs/resources.rst +0 -4836
  94. data/docs/ruby_usage.rst +0 -145
  95. data/lib/resources/group.rb +0 -137
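--- a/data/docs/resources/port.md.erb
+++ b/data/docs/resources/port.md.erb
@@ -0,0 +1,150 @@
+---
+title: About the port Resource
+---
+
+# port
+
+Use the `port` InSpec audit resource to test basic port properties, such as port, process, if it's listening.
+
+# Syntax
+
+A `port` resource block declares a port, and then depending on what needs to be tested, a process, protocol, process identifier, and its state (is it listening?):
+
+describe port(514) do
+it { should be_listening }
+its('processes') {should include 'syslog'}
+end
+
+where the `processes` returns the processes listening on port 514.
+
+A filter may specify an attribute:
+
+describe port.where { protocol =~ /tcp/ && port > 22 && port < 80 } do
+it { should_not be_listening }
+end
+
+where
+
+* `.where{}` specifies a block in which one (or more) attributes---`port`, `address`, `protocol`, `process`, `pid`, or `listening?`----scope the test to ports that match those attributes
+
+For example, to test if the SSH daemon is available on a Linux machine via the default port (22):
+
+describe port(22) do
+its('processes') { should include 'sshd' }
+its('protocols') { should include 'tcp' }
+its('addresses') { should include '0.0.0.0' }
+end
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## address
+
+The `addresses` matcher tests if the specified address is associated with a port:
+
+its('addresses') { should include '0.0.0.0' }
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## be_listening
+
+The `be_listening` matcher tests if the port is listening for traffic:
+
+it { should be_listening }
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## pids
+
+The `pids` matcher tests the process identifiers (PIDs):
+
+its('pids') { should eq ['27808'] }
+
+## processes
+
+The `processes` matcher tests if the named process is running on the system:
+
+its('processes') { should eq ['syslog'] }
+
+## protocols
+
+The `protocols` matcher tests the Internet protocol: ICMP (`'icmp'`), TCP (`'tcp'` or `'tcp6'`), or UDP (`'udp'` or `'udp6'`):
+
+its('protocols') { should include 'tcp' }
+
+or for the IPv6 protocol:
+
+its('protocols') { should include 'tcp6' }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test port 80, listening with the TCP protocol
+
+describe port(80) do
+it { should be_listening }
+its('protocols') {should eq ['tcp']}
+end
+
+## Test port 80, on a specific address
+
+A specific port address may be checked using either of the following examples:
+
+describe port(80) do
+it { should be_listening }
+its('addresses') {should include '0.0.0.0'}
+end
+
+or:
+
+describe port('0.0.0.0', 80) do
+it { should be_listening }
+end
+
+## Test port 80, listening with TCP version IPv6 protocol
+
+describe port(80) do
+it { should be_listening }
+its('protocols') {should eq ['tcp6']}
+end
+
+## Test that only secure ports accept requests
+
+describe port(80) do
+it { should_not be_listening }
+end
+
+describe port(443) do
+it { should be_listening }
+its('protocols') {should eq ['tcp']}
+end
+
+## Verify port 65432 is not listening
+
+describe port(22) do
+it { should be_listening }
+its('protocols') { should include('tcp') }
+its('protocols') { should_not include('udp') }
+end
+
+describe port(65432) do
+it { should_not be_listening }
+end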
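--- a/data/docs/resources/postgres_conf.md.erb
+++ b/data/docs/resources/postgres_conf.md.erb
@@ -0,0 +1,90 @@
+---
+title: About the postgres_conf Resource
+---
+
+# postgres_conf
+
+Use the `postgres_conf` InSpec audit resource to test the contents of the configuration file for PostgreSQL, typically located at `/etc/postgresql/<version>/main/postgresql.conf` or `/var/lib/postgres/data/postgresql.conf`, depending on the platform.
+
+# Syntax
+
+A `postgres_conf` resource block declares one (or more) settings in the `postgresql.conf` file, and then compares the setting in the configuration file to the value stated in the test:
+
+describe postgres_conf('path') do
+its('setting') { should eq 'value' }
+end
+
+where
+
+* `'setting'` specifies a setting in the `postgresql.conf` file
+* `('path')` is the non-default path to the `postgresql.conf` file (optional)
+* `should eq 'value'` is the value that is expected
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## setting
+
+The `setting` matcher tests specific, named settings in the `postgresql.conf` file:
+
+its('setting') { should eq 'value' }
+
+Use a `setting` matcher for each setting to be tested.
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test the maximum number of allowed client connections
+
+describe postgres_conf do
+its('max_connections') { should eq '5' }
+end
+
+## Test system logging
+
+describe postgres_conf do
+its('logging_collector') { should eq 'on' }
+its('log_connections') { should eq 'on' }
+its('log_disconnections') { should eq 'on' }
+its('log_duration') { should eq 'on' }
+its('log_hostname') { should eq 'on' }
+its('log_line_prefix') { should eq '%t %u %d %h' }
+end
+
+## Test the port on which PostgreSQL listens
+
+describe postgres_conf do
+its('port') { should eq '5432' }
+end
+
+## Test the Unix socket settings
+
+describe postgres_conf do
+its('unix_socket_directories') { should eq '.s.PGSQL.5432' }
+its('unix_socket_group') { should eq nil }
+its('unix_socket_permissions') { should eq '0770' }
+end
+
+where `unix_socket_group` is set to the PostgreSQL default setting (the group to which the server user belongs).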
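--- a/data/docs/resources/postgres_session.md.erb
+++ b/data/docs/resources/postgres_session.md.erb
@@ -0,0 +1,75 @@
+---
+title: About the postgres_session Resource
+---
+
+# postgres_session
+
+Use the `postgres_session` InSpec audit resource to test SQL commands run against a PostgreSQL database.
+
+# Syntax
+
+A `postgres_session` resource block declares the username and password to use for the session, and then the command to be run:
+
+sql = postgres_session('username', 'password')
+
+describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
+its('output') { should eq('') }
+end
+
+where
+
+* `sql = postgres_session` declares a username and password with permission to run the query
+* `sql.query('')` contains the query to be run
+* `its('output') { should eq('') }` compares the results of the query against the expected result in the test
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## output
+
+The `output` matcher tests the results of the query:
+
+its('output') { should eq(/^0/) }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test the PostgreSQL shadow password
+
+sql = postgres_session('my_user', 'password')
+
+describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
+its('output') { should eq('') }
+end
+
+## Test for risky database entries
+
+describe postgres_session('my_user', 'password').query('SELECT count (*)
+FROM pg_language
+WHERE lanpltrusted = \'f\'
+AND lanname!=\'internal\'
+AND lanname!=\'c\';') do
+its('output') { should eq '0' }
+end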
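--- a/data/docs/resources/powershell.md.erb
+++ b/data/docs/resources/powershell.md.erb
@@ -0,0 +1,116 @@
+---
+title: About the powershell Resource
+---
+
+# powershell
+
+Use the `powershell` InSpec audit resource to test a Powershell script on the Windows platform.
+
+# Syntax
+
+A `powershell` resource block declares a Powershell script to be tested, and then compares the output of that command to the matcher in the test:
+
+script = <<-EOH
+# a PowerShell script
+EOH
+
+describe script(script) do
+its('matcher') { should eq 'output' }
+end
+
+where
+
+* `'script'` must specify a Powershell script to be run
+* `'matcher'` is one of `exit_status`, `stderr`, or `stdout`
+* `'output'` tests the output of the command run on the system versus the output value stated in the test
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## exit_status
+
+The `exit_status` matcher tests the exit status for the command:
+
+its('exit_status') { should eq 123 }
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## stderr
+
+The `stderr` matcher tests results of the command as returned in standard error (stderr):
+
+its('stderr') { should eq 'error' }
+
+## stdout
+
+The `stdout` matcher tests results of the command as returned in standard output (stdout):
+
+its('stdout') { should eq '/^1$/' }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Get all groups of Administrator user
+
+script = <<-EOH
+# find user
+$user = Get-WmiObject Win32_UserAccount -filter "Name = 'Administrator'"
+# get related groups
+$groups = $user.GetRelated('Win32_Group') | Select-Object -Property Caption, Domain, Name, LocalAccount, SID, SIDType, Status
+$groups | ConvertTo-Json
+EOH
+
+describe powershell(script) do
+its('stdout') { should_not eq '' }
+end
+
+## Write-Output 'hello'
+
+The following Powershell script:
+
+script = <<-EOH
+Write-Output 'hello'
+EOH
+
+can be tested in the following ways.
+
+For a newline:
+
+describe powershell(script) do
+its('stdout') { should eq "hello\r\n" }
+its('stderr') { should eq '' }
+end
+
+Removing whitespace `\r\n` from `stdout`:
+
+describe powershell(script) do
+its('strip') { should eq "hello" }
+end
+
+No newline:
+
+describe powershell("'hello' | Write-Host -NoNewLine") do
+its('stdout') { should eq 'hello' }
+its('stderr') { should eq '' }
+end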
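--- a/data/docs/resources/process.md.erb
+++ b/data/docs/resources/process.md.erb
@@ -0,0 +1,73 @@
+---
+title: About the processes Resource
+---
+
+# processes
+
+Use the `processes` InSpec audit resource to test properties for programs that are running on the system.
+
+# Syntax
+
+A `processes` resource block declares the name of the process to be tested, and then declares one (or more) property/value pairs:
+
+describe processes('process_name') do
+its('property_name') { should eq ['property_value'] }
+end
+
+where
+
+* `processes('process_name')` must specify the name of a process that is running on the system
+* `property_name` may be used to test user (`its('users')`) and state properties (`its('states')`)
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## property_name
+
+The `property_name` matcher tests the named property for the specified value:
+
+its('property_name') { should eq ['property_value'] }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test if the list length for the mysqld process is 1
+
+describe processes('mysqld') do
+its('list.length') { should eq 1 }
+end
+
+## Test if the init process is owned by the root user
+
+describe processes('init') do
+its('users') { should eq ['root'] }
+end
+
+## Test if a high-priority process is running
+
+describe processes('some_process') do
+its('states') { should eq ['R<'] }
+end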