inspec 1.0.0.beta2 → 1.0.0.beta3

data/docs/resources/registry_key.md.erb

@@ -0,0 +1,149 @@
+---
+title: About the registry_key Resource
+---
+
+# registry_key
+
+Use the `registry_key` InSpec audit resource to test key values in the Windows registry.
+
+# Syntax
+
+A `registry_key` resource block declares the item in the Windows registry, the path to a setting under that item, and then one (or more) name/value pairs to be tested.
+
+Use a registry key name and path:
+
+    describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule') do
+      its('Start') { should eq 2 }
+    end
+
+Use only a registry key path:
+
+    describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule') do
+      its('Start') { should eq 2 }
+    end
+
+Or use a Ruby Hash:
+
+    describe registry_key({
+      name: 'Task Scheduler',
+      hive: 'HKEY_LOCAL_MACHINE',
+      key: ''\SYSTEM\CurrentControlSet\services\Schedule'
+    }) do
+      its('Start') { should eq 2 }
+    end
+
+
+## Registry Key Path Separators
+
+A Windows registry key can be used as a string in Ruby code, such as when a registry key is used as the name of a recipe. In Ruby, when a registry key is enclosed in a double-quoted string (`" "`), the same backslash character (`\`) that is used to define the registry key path separator is also used in Ruby to define an escape character. Therefore, the registry key path separators must be escaped when they are enclosed in a double-quoted string. For example, the following registry key:
+
+    HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Themes
+
+may be encloused in a single-quoted string with a single backslash:
+
+    'HKCU\SOFTWARE\path\to\key\Themes'
+
+or may be enclosed in a double-quoted string with an extra backslash as an escape character:
+
+    "HKCU\\SOFTWARE\\path\\to\\key\\Themes"
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## children
+
+The `children` matcher return all of the child items of a registry key. A regular expression may be used to filter child items:
+
+    describe registry_key('Key Name', '\path\to\key').children(regex)
+      ...
+    end
+
+For example, to get all child items for a registry key:
+
+    describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet').children do
+      it { should_not eq [] }
+    end
+
+The following example shows how find a property that may exist against multiple registry keys, and then test that property for every registry key in which that property is located:
+
+    describe registry_key({
+      hive: HKEY_USERS
+    }).children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}\\Software\\Policies\\Microsoft\\Windows\\Installer/).each
+      { |key|
+        describe registry_key(key) do
+          its('AlwaysInstallElevated') { should eq 'value' }
+        end
+      }
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## exist
+
+The `exist` matcher tests if the registry key is present:
+
+    it { should exist }
+
+## have_property
+
+The `have_property` matcher tests if a property exists for a registry key:
+
+    it { should have_property 'value' }
+
+## have_property_value
+
+The `have_property_value` matcher tests if a property value exists for a registry key:
+
+    it { should have_property_value 'value' }
+
+## have_value
+
+The `have_value` matcher tests if a value exists for a registry key:
+
+    it { should have_value 'value' }
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## name
+
+The `name` matcher tests the value for the specified registry setting:
+
+    its('name') { should eq 'value' }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test the start time for the Schedule service
+
+    describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\...\Schedule') do
+      its('Start') { should eq 2 }
+    end
+
+where `'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule'` is the full path to the setting.
+
+## Use a regular expression in responses
+
+    describe registry_key({
+      hive: 'HKEY_LOCAL_MACHINE',
+      key: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
+    }) do
+      its('ProductName') { should match /^[a-zA-Z0-9\(\)\s]*2012\s[rR]2[a-zA-Z0-9\(\)\s]*$/ }
+    end

data/docs/resources/runit_service.md.erb

@@ -0,0 +1,76 @@
+---
+title: About the runit_service Resource
+---
+
+# runit_service
+
+Use the `runit_service` InSpec audit resource to test a service using runit.
+
+# Syntax
+
+A `runit_service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
+
+    describe runit_service('service_name') do
+      it { should be_installed }
+      it { should be_enabled }
+      it { should be_running }
+    end
+
+where
+
+* `('service_name')` must specify a service name
+* `be_installed`, `be_enabled`, and `be_running` are valid matchers for this resource; all matchers available to the `service` resource may be used
+
+The path to the service manager's control may be specified for situations where the path isn't available in the current `PATH`. For example:
+
+    describe runit_service('service_name', '/path/to/control') do
+      it { should be_enabled }
+      it { should be_installed }
+      it { should be_running }
+    end
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## be_enabled
+
+The `be_enabled` matcher tests if the named service is enabled:
+
+    it { should be_enabled }
+
+## be_installed
+
+The `be_installed` matcher tests if the named service is installed:
+
+    it { should be_installed }
+
+## be_running
+
+The `be_running` matcher tests if the named service is running:
+
+    it { should be_running }
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+None.

data/docs/resources/security_policy.md.erb

@@ -0,0 +1,61 @@
+---
+title: About the security_policy Resource
+---
+
+# security_policy
+
+Use the `security_policy` InSpec audit resource to test security policies on the Windows platform.
+
+# Syntax
+
+A `security_policy` resource block declares the name of a security policy and the value to be tested:
+
+    describe security_policy do
+      its('policy_name') { should eq 'value' }
+    end
+
+where
+
+* `'policy_name'` must specify a security policy
+* `{ should eq 'value' }` tests the value of `policy_name` against the value declared in the test
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## policy_name
+
+The `policy_name` matcher must be the name of a security policy:
+
+    its('SeNetworkLogonRight') { should eq '*S-1-5-11' }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Verify that only the Administrators group has remote access
+
+    describe security_policy do
+      its('SeRemoteInteractiveLogonRight') { should eq '*S-1-5-32-544' }
+    end

data/docs/resources/service.md.erb

@@ -0,0 +1,135 @@
+---
+title: About the service Resource
+---
+
+# service
+
+Use the `service` InSpec audit resource to test if the named service is installed, running and/or enabled.
+
+Under some circumstances, it may be necessary to specify the service manager by using one of the following service manager-specific resources: `bsd_service`, `launchd_service`, `runit_service`, `systemd_service`, `sysv_service`, oe `upstart_service`. These resources are based on the `service` resource.
+
+# Syntax
+
+A `service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
+
+    describe service('service_name') do
+      it { should be_installed }
+      it { should be_enabled }
+      it { should be_running }
+    end
+
+where
+
+* `('service_name')` must specify a service name
+* `be_installed`, `be_enabled`, and `be_running` are valid matchers for this resource
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## be_enabled
+
+The `be_enabled` matcher tests if the named service is enabled:
+
+    it { should be_enabled }
+
+## be_installed
+
+The `be_installed` matcher tests if the named service is installed:
+
+    it { should be_installed }
+
+## be_running
+
+The `be_running` matcher tests if the named service is running:
+
+    it { should be_running }
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test if the postgresql service is both running and enabled
+
+    describe service('postgresql') do
+      it { should be_enabled }
+      it { should be_running }
+    end
+
+## Test if the mysql service is both running and enabled
+
+    describe service('mysqld') do
+      it { should be_enabled }
+      it { should be_running }
+    end
+
+## Test if ClamAV (an antivirus engine) is installed and running
+
+    describe package('clamav') do
+      it { should be_installed }
+      its('version') { should eq '0.98.7' }
+    end
+
+    describe service('clamd') do
+      it { should_not be_enabled }
+      it { should_not be_installed }
+      it { should_not be_running }
+    end
+
+## Test Unix System V run levels
+
+On targets that are using SystemV services, the existing run levels can also be checked:
+
+    describe service('sshd').runlevels do
+      its('keys') { should include(2) }
+    end
+
+    describe service('sshd').runlevels(2,4) do
+      it { should be_enabled }
+    end
+
+## Override the service manager
+
+Under some circumstances, it may be required to override the logic in place to select the right service manager. For example, to check a service managed by Upstart:
+
+    describe upstart_service('service') do
+      it { should_not be_enabled }
+      it { should be_installed }
+      it { should be_running }
+    end
+
+This is also possible with `systemd_service`, `runit_service`, `sysv_service`, `bsd_service`, and `launchd_service`. Provide the control command when it is not to be found at the default location. For example, if the `sv` command for services managed by runit is not in the `PATH`:
+
+    describe runit_service('service', '/opt/chef/embedded/sbin/sv') do
+      it { should be_enabled }
+      it { should be_installed }
+      it { should be_running }
+    end
+
+## Verify that IIS is running
+
+    describe service('W3SVC') do
+      it { should be_installed }
+      it { should be_running }
+    end

data/docs/resources/ssh_config.md.erb

@@ -0,0 +1,94 @@
+---
+title: About the ssh_config Resource
+---
+
+# ssh_config
+
+Use the `ssh_config` InSpec audit resource to test OpenSSH client configuration data located at `/etc/ssh/ssh_config` on Linux and Unix platforms.
+
+# Syntax
+
+An `ssh_config` resource block declares the client OpenSSH configuration data to be tested:
+
+    describe ssh_config('path') do
+      its('name') { should include('foo') }
+    end
+
+where
+
+* `name` is a configuration setting in `ssh_config`
+* `('path')` is the non-default `/path/to/ssh_config`
+* `{ should include('foo') }` tests the value of `name` as read from `ssh_config` versus the value declared in the test
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## name
+
+The `name` matcher tests the value of `name` as read from `ssh_config` versus the value declared in the test:
+
+    its('name') { should eq 'foo' }
+
+or:
+
+    its('name') { should include('bar') }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test SSH configuration settings
+
+    describe ssh_config do
+      its('cipher') { should contain '3des' }
+      its('port') { should eq '22' }
+      its('hostname') { should include('example.com') }
+    end
+
+## Test which variables from the local environment are sent to the server
+
+    only_if do
+      command('sshd').exist? or command('ssh').exists?
+    end
+
+    describe ssh_config do
+      its('SendEnv') { should include('GORDON_CLIENT') }
+    end
+
+## Test owner and group permissions
+
+    describe ssh_config do
+      its('owner') { should eq 'root' }
+      its('mode') { should cmp '0644' }
+    end
+
+## Test SSH configuration
+
+    describe ssh_config do
+      its('Host') { should eq '*' }
+      its('Tunnel') { should eq nil }
+      its('SendEnv') { should eq 'LANG LC_*' }
+      its('HashKnownHosts') { should eq 'yes' }
+    end