inspec 1.0.0.beta2 → 1.0.0.beta3

Files changed (95)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +41 -2
  3. data/Gemfile +4 -0
  4. data/Rakefile +2 -1
  5. data/docs/.gitignore +2 -0
  6. data/docs/README.md +21 -1
  7. data/docs/resources/apache_conf.md.erb +75 -0
  8. data/docs/resources/apt.md.erb +84 -0
  9. data/docs/resources/audit_policy.md.erb +61 -0
  10. data/docs/resources/auditd_conf.md.erb +79 -0
  11. data/docs/resources/auditd_rules.md.erb +132 -0
  12. data/docs/resources/bash.md.erb +84 -0
  13. data/docs/resources/bond.md.erb +97 -0
  14. data/docs/resources/bridge.md.erb +67 -0
  15. data/docs/resources/bsd_service.md.erb +76 -0
  16. data/docs/resources/command.md.erb +151 -0
  17. data/docs/resources/csv.md.erb +62 -0
  18. data/docs/resources/directory.md.erb +43 -0
  19. data/docs/resources/etc_group.md.erb +116 -0
  20. data/docs/resources/etc_passwd.md.erb +155 -0
  21. data/docs/resources/etc_shadow.md.erb +149 -0
  22. data/docs/resources/file.md.erb +460 -0
  23. data/docs/resources/gem.md.erb +73 -0
  24. data/docs/resources/group.md.erb +74 -0
  25. data/docs/resources/grub_conf.md.erb +115 -0
  26. data/docs/resources/host.md.erb +85 -0
  27. data/docs/resources/iis_site.md.erb +142 -0
  28. data/docs/resources/inetd_conf.md.erb +99 -0
  29. data/docs/resources/ini.md.erb +69 -0
  30. data/docs/resources/interface.md.erb +66 -0
  31. data/docs/resources/iptables.md.erb +70 -0
  32. data/docs/resources/json.md.erb +76 -0
  33. data/docs/resources/kernel_module.md.erb +60 -0
  34. data/docs/resources/kernel_parameter.md.erb +72 -0
  35. data/docs/resources/launchd_service.md.erb +76 -0
  36. data/docs/resources/limits_conf.md.erb +80 -0
  37. data/docs/resources/login_def.md.erb +77 -0
  38. data/docs/resources/mount.md.erb +83 -0
  39. data/docs/resources/mysql_conf.md.erb +102 -0
  40. data/docs/resources/mysql_session.md.erb +63 -0
  41. data/docs/resources/npm.md.erb +75 -0
  42. data/docs/resources/ntp_conf.md.erb +76 -0
  43. data/docs/resources/oneget.md.erb +67 -0
  44. data/docs/resources/os.md.erb +154 -0
  45. data/docs/resources/os_env.md.erb +98 -0
  46. data/docs/resources/package.md.erb +115 -0
  47. data/docs/resources/parse_config.md.erb +122 -0
  48. data/docs/resources/parse_config_file.md.erb +143 -0
  49. data/docs/resources/pip.md.erb +74 -0
  50. data/docs/resources/port.md.erb +150 -0
  51. data/docs/resources/postgres_conf.md.erb +90 -0
  52. data/docs/resources/postgres_session.md.erb +75 -0
  53. data/docs/resources/powershell.md.erb +116 -0
  54. data/docs/resources/process.md.erb +73 -0
  55. data/docs/resources/registry_key.md.erb +149 -0
  56. data/docs/resources/runit_service.md.erb +76 -0
  57. data/docs/resources/security_policy.md.erb +61 -0
  58. data/docs/resources/service.md.erb +135 -0
  59. data/docs/resources/ssh_config.md.erb +94 -0
  60. data/docs/resources/sshd_config.md.erb +97 -0
  61. data/docs/resources/ssl.md.erb +133 -0
  62. data/docs/resources/sys_info.md.erb +55 -0
  63. data/docs/resources/systemd_service.md.erb +76 -0
  64. data/docs/resources/sysv_service.md.erb +76 -0
  65. data/docs/resources/upstart_service.md.erb +76 -0
  66. data/docs/resources/user.md.erb +154 -0
  67. data/docs/resources/users.md.erb +140 -0
  68. data/docs/resources/vbscript.md.erb +69 -0
  69. data/docs/resources/windows_feature.md.erb +61 -0
  70. data/docs/resources/wmi.md.erb +95 -0
  71. data/docs/resources/xinetd_conf.md.erb +170 -0
  72. data/docs/resources/yaml.md.erb +69 -0
  73. data/docs/resources/yum.md.erb +103 -0
  74. data/docs/ruby_usage.md +154 -0
  75. data/docs/shared/matcher_be.md.erb +1 -0
  76. data/docs/shared/matcher_cmp.md.erb +45 -0
  77. data/docs/shared/matcher_eq.md.erb +3 -0
  78. data/docs/shared/matcher_include.md.erb +1 -0
  79. data/docs/shared/matcher_match.md.erb +1 -0
  80. data/lib/fetchers/url.rb +27 -29
  81. data/lib/inspec/cached_fetcher.rb +67 -0
  82. data/lib/inspec/dependencies/requirement.rb +6 -7
  83. data/lib/inspec/objects/each_loop.rb +5 -2
  84. data/lib/inspec/plugins/fetcher.rb +2 -0
  85. data/lib/inspec/profile.rb +9 -41
  86. data/lib/inspec/resource.rb +1 -1
  87. data/lib/inspec/rspec_json_formatter.rb +11 -5
  88. data/lib/inspec/version.rb +1 -1
  89. data/lib/resources/groups.rb +190 -0
  90. data/lib/resources/users.rb +3 -2
  91. metadata +79 -6
  92. data/docs/cli.rst +0 -448
  93. data/docs/resources.rst +0 -4836
  94. data/docs/ruby_usage.rst +0 -145
  95. data/lib/resources/group.rb +0 -137
@@ -0,0 +1,97 @@
1
+ ---
2
+ title: About the sshd_config Resource
3
+ ---
4
+
5
+ # sshd_config
6
+
7
+ Use the `sshd_config` InSpec audit resource to test configuration data for the OpenSSH daemon located at `/etc/ssh/sshd_config` on Linux and Unix platforms. sshd---the OpenSSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command executation, and data exchanges.
8
+
9
+ # Syntax
10
+
11
+ An `sshd_config` resource block declares the client OpenSSH configuration data to be tested:
12
+
13
+ describe sshd_config('path') do
14
+ its('name') { should include('foo') }
15
+ end
16
+
17
+ where
18
+
19
+ * `name` is a configuration setting in `sshd_config`
20
+ * `('path')` is the non-default `/path/to/sshd_config`
21
+ * `{ should include('foo') }` tests the value of `name` as read from `sshd_config` versus the value declared in the test
22
+
23
+
24
+ # Matchers
25
+
26
+ This InSpec audit resource has the following matchers:
27
+
28
+ ## be
29
+
30
+ <%= partial "/shared/matcher_be" %>
31
+
32
+ ## cmp
33
+
34
+ <%= partial "/shared/matcher_cmp" %>
35
+
36
+ ## eq
37
+
38
+ <%= partial "/shared/matcher_eq" %>
39
+
40
+ ## include
41
+
42
+ <%= partial "/shared/matcher_include" %>
43
+
44
+ ## match
45
+
46
+ <%= partial "/shared/matcher_match" %>
47
+
48
+ ## name
49
+
50
+ The `name` matcher tests the value of `name` as read from `sshd_config` versus the value declared in the test:
51
+
52
+ its('name') { should cmp 'foo' }
53
+
54
+ or:
55
+
56
+ its('name') {should include('bar') }
57
+
58
+ # Examples
59
+
60
+ The following examples show how to use this InSpec audit resource.
61
+
62
+ ## Test which variables may be sent to the server
63
+
64
+ describe sshd_config do
65
+ its('AcceptEnv') { should include('GORDON_SERVER') }
66
+ end
67
+
68
+ ## Test for IPv6-only addresses
69
+
70
+ describe sshd_config do
71
+ its('AddressFamily') { should cmp 'inet6' }
72
+ end
73
+
74
+ ## Test the Protocol setting
75
+
76
+ describe sshd_config do
77
+ its('Protocol') { should cmp 2 }
78
+ end
79
+
80
+ ## Test for approved, strong ciphers
81
+
82
+ describe sshd_config do
83
+ its('Ciphers') { should cmp('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
84
+ end
85
+
86
+ ## Test SSH protocols
87
+
88
+ describe sshd_config do
89
+ its('Port') { should cmp 22 }
90
+ its('UsePAM') { should eq 'yes' }
91
+ its('ListenAddress') { should eq nil }
92
+ its('HostKey') { should eq [
93
+ '/etc/ssh/ssh_host_rsa_key',
94
+ '/etc/ssh/ssh_host_dsa_key',
95
+ '/etc/ssh/ssh_host_ecdsa_key',
96
+ ] }
97
+ end
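Review bot: the Syntax paragraph at hunk line 11 ("declares the client OpenSSH configuration data to be tested") describes the wrong side of the connection: `sshd_config` is the daemon's configuration, so it should read "declares the OpenSSH server (sshd) configuration data to be tested"; the "client" wording belongs on the `ssh_config` page. Typo at hunk line 7: "command executation" should be "command execution". In the last example (hunk lines 88 to 97), `its('ListenAddress') { should eq nil }` only passes when the directive is absent from the file; a short comment stating that this is the intended "listen on all addresses" default would help readers who copy the test.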
@@ -0,0 +1,133 @@
1
+ ---
2
+ title: About the ssl Resource
3
+ ---
4
+
5
+ # ssl
6
+
7
+ Use the `ssl` InSpec audit resource to test SSL settings for the named port.
8
+
9
+ # Syntax
10
+
11
+ An `ssl` resource block declares an SSL port, and then other properties of the test like cipher and/or protocol:
12
+
13
+ describe ssl(port: #) do
14
+ it { should be_enabled }
15
+ end
16
+
17
+ or:
18
+
19
+ describe ssl(port: #).filter('value') do
20
+ it { should be_enabled }
21
+ end
22
+
23
+ where
24
+
25
+ * `ssl(port: #)` is the port number, such as `ssl(port: 443)`
26
+ * `filter` may take any of the following arguments: `ciphers`, `protocols`, and `handshake`
27
+
28
+
29
+ # Matchers
30
+
31
+ This InSpec audit resource has the following matchers:
32
+
33
+ ## be
34
+
35
+ <%= partial "/shared/matcher_be" %>
36
+
37
+ ## be_enabled
38
+
39
+ The `be_enabled` matcher tests if SSL is enabled:
40
+
41
+ it { should be_enabled }
42
+
43
+ ## ciphers
44
+
45
+ The `ciphers` matcher tests the named cipher:
46
+
47
+ its('ciphers') { should_not eq '/rc4/i' }
48
+
49
+ or:
50
+
51
+ describe ssl(port: 443).ciphers(/rc4/i) do
52
+ it { should_not be_enabled }
53
+ end
54
+
55
+ ## cmp
56
+
57
+ <%= partial "/shared/matcher_cmp" %>
58
+
59
+ ## eq
60
+
61
+ <%= partial "/shared/matcher_eq" %>
62
+
63
+ ## include
64
+
65
+ <%= partial "/shared/matcher_include" %>
66
+
67
+ ## match
68
+
69
+ <%= partial "/shared/matcher_match" %>
70
+
71
+ ## protocols
72
+
73
+ The `protocols` matcher tests the number of times the named user appears in `/etc/shadow`:
74
+
75
+ its('protocols') { should eq 'ssl2' }
76
+
77
+ or:
78
+
79
+ describe ssl(port: 443).protocols('ssl2') do
80
+ it { should_not be_enabled }
81
+ end
82
+
83
+ # Examples
84
+
85
+ The following examples show how to use this InSpec audit resource.
86
+
87
+ ## Run the ssl-benchmark example profile
88
+
89
+ The following shows how to use the `ssl` InSpec audit resource to find all TCP ports on the system, including IPv4 and IPv6. (This is a partial example based on the `ssl_text.rb` file in the `ssl-benchmark` profile on GitHub.)
90
+
91
+ ...
92
+
93
+ control 'tls1.2' do
94
+ title 'Run TLS 1.2 whenever SSL is active on a port'
95
+ impact 0.5
96
+
97
+ sslports.each do |socket|
98
+ proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"
99
+ describe ssl(port: socket.port).protocols('tls1.2') do
100
+ it(proc_desc) { should be_enabled }
101
+ it { should be_enabled }
102
+ end
103
+ end
104
+ end
105
+
106
+ ...
107
+
108
+ control 'rc4' do
109
+ title 'Disable RC4 ciphers from all exposed SSL/TLS ports and versions.'
110
+ impact 0.5
111
+
112
+ sslports.each do |socket|
113
+ proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"
114
+ describe ssl(port: socket.port).ciphers(/rc4/i) do
115
+ it(proc_desc) { should_not be_enabled }
116
+ it { should_not be_enabled }
117
+ end
118
+ end
119
+ end
120
+
121
+ There are two ways to run the `ssl-benchmark` example profile to test SSL via the `ssl` resource.
122
+
123
+ Clone the profile:
124
+
125
+ $ git clone https://github.com/dev-sec/ssl-benchmark
126
+
127
+ and then run:
128
+
129
+ $ inspec exec ssl-benchmark
130
+
131
+ Or execute the profile directly via URL:
132
+
133
+ $ inspec exec https://github.com/dev-sec/ssl-benchmark
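Review bot: the `protocols` matcher description at hunk line 73 is a copy-paste leftover from the `etc_shadow` page ("tests the number of times the named user appears in `/etc/shadow`"); it should say something like "The `protocols` matcher tests whether the named SSL/TLS protocol version is enabled on the port". Also, the first `ciphers` example at hunk line 47, `its('ciphers') { should_not eq '/rc4/i' }`, compares against the literal string `'/rc4/i'` rather than a regular expression, so it cannot detect an RC4 cipher; either drop it or point readers to the filter form shown right below it (`describe ssl(port: 443).ciphers(/rc4/i) do` / `it { should_not be_enabled }`). Finally, the excerpt at hunk lines 93 to 119 uses `sslports` without showing where it is defined; one sentence saying it is built in the elided part of the profile would make the partial example self-explanatory.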
@@ -0,0 +1,55 @@
1
+ ---
2
+ title: About the sys_info Resource
3
+ ---
4
+
5
+ # sys_info
6
+
7
+ Use the `sys_info` InSpec audit resource to test for operating system properties for the named host, and then returns that info as standard output.
8
+
9
+ # Syntax
10
+
11
+ An `sys_info` resource block declares the hostname to be tested:
12
+
13
+ describe sys_info do
14
+ its('hostname') { should eq 'value' }
15
+ end
16
+
17
+ # Matchers
18
+
19
+ This InSpec audit resource has the following matchers:
20
+
21
+ ## be
22
+
23
+ <%= partial "/shared/matcher_be" %>
24
+
25
+ ## cmp
26
+
27
+ <%= partial "/shared/matcher_cmp" %>
28
+
29
+ ## eq
30
+
31
+ <%= partial "/shared/matcher_eq" %>
32
+
33
+ ## hostname
34
+
35
+ The `hostname` matcher tests the host for which standard output is returned:
36
+
37
+ its('hostname') { should eq 'value' }
38
+
39
+ ## include
40
+
41
+ <%= partial "/shared/matcher_include" %>
42
+
43
+ ## match
44
+
45
+ <%= partial "/shared/matcher_match" %>
46
+
47
+ # Examples
48
+
49
+ The following examples show how to use this InSpec audit resource.
50
+
51
+ ## Get system information for example.com
52
+
53
+ describe sys_info do
54
+ its('hostname') { should eq 'example.com' }
55
+ end
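Review bot: the intro sentence at hunk line 7 does not parse ("to test for operating system properties for the named host, and then returns that info as standard output"); suggest "Use the `sys_info` InSpec audit resource to test operating system properties, such as the hostname, of the system under test". Likewise the `hostname` matcher description at hunk line 35 ("tests the host for which standard output is returned") should simply read "tests the hostname of the system under test". Minor: "An `sys_info`" at hunk line 11 should be "A `sys_info`".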
@@ -0,0 +1,76 @@
1
+ ---
2
+ title: About the systemd_service Resource
3
+ ---
4
+
5
+ # systemd_service
6
+
7
+ Use the `systemd_service` InSpec audit resource to test a service using SystemD.
8
+
9
+ # Syntax
10
+
11
+ A `systemd_service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
12
+
13
+ describe systemd_service('service_name') do
14
+ it { should be_installed }
15
+ it { should be_enabled }
16
+ it { should be_running }
17
+ end
18
+
19
+ where
20
+
21
+ * `('service_name')` must specify a service name
22
+ * `be_installed`, `be_enabled`, and `be_running` are valid matchers for this resource; all matchers available to the `service` resource may be used
23
+
24
+ The path to the service manager's control may be specified for situations where the path isn't available in the current `PATH`. For example:
25
+
26
+ describe systemd_service('service_name', '/path/to/control') do
27
+ it { should be_enabled }
28
+ it { should be_installed }
29
+ it { should be_running }
30
+ end
31
+
32
+ # Matchers
33
+
34
+ This InSpec audit resource has the following matchers:
35
+
36
+ ## be
37
+
38
+ <%= partial "/shared/matcher_be" %>
39
+
40
+ ## be_enabled
41
+
42
+ The `be_enabled` matcher tests if the named service is enabled:
43
+
44
+ it { should be_enabled }
45
+
46
+ ## be_installed
47
+
48
+ The `be_installed` matcher tests if the named service is installed:
49
+
50
+ it { should be_installed }
51
+
52
+ ## be_running
53
+
54
+ The `be_running` matcher tests if the named service is running:
55
+
56
+ it { should be_running }
57
+
58
+ ## cmp
59
+
60
+ <%= partial "/shared/matcher_cmp" %>
61
+
62
+ ## eq
63
+
64
+ <%= partial "/shared/matcher_eq" %>
65
+
66
+ ## include
67
+
68
+ <%= partial "/shared/matcher_include" %>
69
+
70
+ ## match
71
+
72
+ <%= partial "/shared/matcher_match" %>
73
+
74
+ # Examples
75
+
76
+ None.
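Review bot: the Examples section at hunk lines 74 to 76 is just "None." although three matchers are documented above it; a single block such as `describe systemd_service('sshd') do` / `it { should be_running }` / `end` would bring this page in line with the other resource pages in this change. Also, "SystemD" at hunk line 7 should be "systemd" (the project spells its name in lowercase), and the two Syntax snippets list the matchers in different orders (installed/enabled/running at hunk lines 14 to 16, enabled/installed/running at hunk lines 27 to 29); aligning them avoids implying the order matters.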
@@ -0,0 +1,76 @@
1
+ ---
2
+ title: About the sysv_service Resource
3
+ ---
4
+
5
+ # sysv_service
6
+
7
+ Use the `sysv_service` InSpec audit resource to test a service using SystemV.
8
+
9
+ # Syntax
10
+
11
+ A `sysv_service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
12
+
13
+ describe sysv_service('service_name') do
14
+ it { should be_installed }
15
+ it { should be_enabled }
16
+ it { should be_running }
17
+ end
18
+
19
+ where
20
+
21
+ * `('service_name')` must specify a service name
22
+ * `be_installed`, `be_enabled`, and `be_running` are valid matchers for this resource; all matchers available to the `service` resource may be used
23
+
24
+ The path to the service manager's control may be specified for situations where the path isn't available in the current `PATH`. For example:
25
+
26
+ describe sysv_service('service_name', '/path/to/control') do
27
+ it { should be_enabled }
28
+ it { should be_installed }
29
+ it { should be_running }
30
+ end
31
+
32
+ # Matchers
33
+
34
+ This InSpec audit resource has the following matchers:
35
+
36
+ ## be
37
+
38
+ <%= partial "/shared/matcher_be" %>
39
+
40
+ ## be_enabled
41
+
42
+ The `be_enabled` matcher tests if the named service is enabled:
43
+
44
+ it { should be_enabled }
45
+
46
+ ## be_installed
47
+
48
+ The `be_installed` matcher tests if the named service is installed:
49
+
50
+ it { should be_installed }
51
+
52
+ ## be_running
53
+
54
+ The `be_running` matcher tests if the named service is running:
55
+
56
+ it { should be_running }
57
+
58
+ ## cmp
59
+
60
+ <%= partial "/shared/matcher_cmp" %>
61
+
62
+ ## eq
63
+
64
+ <%= partial "/shared/matcher_eq" %>
65
+
66
+ ## include
67
+
68
+ <%= partial "/shared/matcher_include" %>
69
+
70
+ ## match
71
+
72
+ <%= partial "/shared/matcher_match" %>
73
+
74
+ # Examples
75
+
76
+ None.
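Review bot: the Examples section at hunk lines 74 to 76 is "None." here as well; one `describe sysv_service('service_name') do ... end` block exercising `be_running` would suffice. "SystemV" at hunk line 7 should be "System V". The sentence at hunk line 24 ("The path to the service manager's control may be specified") leaves "control" undefined; naming what the second argument actually points to (the control binary or script the resource invokes) would make `'/path/to/control'` at hunk line 26 meaningful to readers.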
@@ -0,0 +1,76 @@
1
+ ---
2
+ title: About the upstart_service Resource
3
+ ---
4
+
5
+ # upstart_service
6
+
7
+ Use the `upstart_service` InSpec audit resource to test a service using Upstart.
8
+
9
+ # Syntax
10
+
11
+ An `upstart_service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
12
+
13
+ describe upstart_service('service_name') do
14
+ it { should be_installed }
15
+ it { should be_enabled }
16
+ it { should be_running }
17
+ end
18
+
19
+ where
20
+
21
+ * `('service_name')` must specify a service name
22
+ * `be_installed`, `be_enabled`, and `be_running` are valid matchers for this resource; all matchers available to the `service` resource may be used
23
+
24
+ The path to the service manager's control may be specified for situations where the path isn't available in the current `PATH`. For example:
25
+
26
+ describe upstart_service('service_name', '/path/to/control') do
27
+ it { should be_enabled }
28
+ it { should be_installed }
29
+ it { should be_running }
30
+ end
31
+
32
+ # Matchers
33
+
34
+ This InSpec audit resource has the following matchers:
35
+
36
+ ## be
37
+
38
+ <%= partial "/shared/matcher_be" %>
39
+
40
+ ## be_enabled
41
+
42
+ The `be_enabled` matcher tests if the named service is enabled:
43
+
44
+ it { should be_enabled }
45
+
46
+ ## be_installed
47
+
48
+ The `be_installed` matcher tests if the named service is installed:
49
+
50
+ it { should be_installed }
51
+
52
+ ## be_running
53
+
54
+ The `be_running` matcher tests if the named service is running:
55
+
56
+ it { should be_running }
57
+
58
+ ## cmp
59
+
60
+ <%= partial "/shared/matcher_cmp" %>
61
+
62
+ ## eq
63
+
64
+ <%= partial "/shared/matcher_eq" %>
65
+
66
+ ## include
67
+
68
+ <%= partial "/shared/matcher_include" %>
69
+
70
+ ## match
71
+
72
+ <%= partial "/shared/matcher_match" %>
73
+
74
+ # Examples
75
+
76
+ None.
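Review bot: Examples at hunk lines 74 to 76 is "None." for this page too; add at least one `describe upstart_service('service_name') do ... end` block so the page is usable on its own. As on the sibling service pages, the second Syntax snippet (hunk lines 26 to 30) reverses the matcher order of the first (hunk lines 13 to 17); keep them identical.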