inspec 1.0.0.beta2 → 1.0.0.beta3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +41 -2
- data/Gemfile +4 -0
- data/Rakefile +2 -1
- data/docs/.gitignore +2 -0
- data/docs/README.md +21 -1
- data/docs/resources/apache_conf.md.erb +75 -0
- data/docs/resources/apt.md.erb +84 -0
- data/docs/resources/audit_policy.md.erb +61 -0
- data/docs/resources/auditd_conf.md.erb +79 -0
- data/docs/resources/auditd_rules.md.erb +132 -0
- data/docs/resources/bash.md.erb +84 -0
- data/docs/resources/bond.md.erb +97 -0
- data/docs/resources/bridge.md.erb +67 -0
- data/docs/resources/bsd_service.md.erb +76 -0
- data/docs/resources/command.md.erb +151 -0
- data/docs/resources/csv.md.erb +62 -0
- data/docs/resources/directory.md.erb +43 -0
- data/docs/resources/etc_group.md.erb +116 -0
- data/docs/resources/etc_passwd.md.erb +155 -0
- data/docs/resources/etc_shadow.md.erb +149 -0
- data/docs/resources/file.md.erb +460 -0
- data/docs/resources/gem.md.erb +73 -0
- data/docs/resources/group.md.erb +74 -0
- data/docs/resources/grub_conf.md.erb +115 -0
- data/docs/resources/host.md.erb +85 -0
- data/docs/resources/iis_site.md.erb +142 -0
- data/docs/resources/inetd_conf.md.erb +99 -0
- data/docs/resources/ini.md.erb +69 -0
- data/docs/resources/interface.md.erb +66 -0
- data/docs/resources/iptables.md.erb +70 -0
- data/docs/resources/json.md.erb +76 -0
- data/docs/resources/kernel_module.md.erb +60 -0
- data/docs/resources/kernel_parameter.md.erb +72 -0
- data/docs/resources/launchd_service.md.erb +76 -0
- data/docs/resources/limits_conf.md.erb +80 -0
- data/docs/resources/login_def.md.erb +77 -0
- data/docs/resources/mount.md.erb +83 -0
- data/docs/resources/mysql_conf.md.erb +102 -0
- data/docs/resources/mysql_session.md.erb +63 -0
- data/docs/resources/npm.md.erb +75 -0
- data/docs/resources/ntp_conf.md.erb +76 -0
- data/docs/resources/oneget.md.erb +67 -0
- data/docs/resources/os.md.erb +154 -0
- data/docs/resources/os_env.md.erb +98 -0
- data/docs/resources/package.md.erb +115 -0
- data/docs/resources/parse_config.md.erb +122 -0
- data/docs/resources/parse_config_file.md.erb +143 -0
- data/docs/resources/pip.md.erb +74 -0
- data/docs/resources/port.md.erb +150 -0
- data/docs/resources/postgres_conf.md.erb +90 -0
- data/docs/resources/postgres_session.md.erb +75 -0
- data/docs/resources/powershell.md.erb +116 -0
- data/docs/resources/process.md.erb +73 -0
- data/docs/resources/registry_key.md.erb +149 -0
- data/docs/resources/runit_service.md.erb +76 -0
- data/docs/resources/security_policy.md.erb +61 -0
- data/docs/resources/service.md.erb +135 -0
- data/docs/resources/ssh_config.md.erb +94 -0
- data/docs/resources/sshd_config.md.erb +97 -0
- data/docs/resources/ssl.md.erb +133 -0
- data/docs/resources/sys_info.md.erb +55 -0
- data/docs/resources/systemd_service.md.erb +76 -0
- data/docs/resources/sysv_service.md.erb +76 -0
- data/docs/resources/upstart_service.md.erb +76 -0
- data/docs/resources/user.md.erb +154 -0
- data/docs/resources/users.md.erb +140 -0
- data/docs/resources/vbscript.md.erb +69 -0
- data/docs/resources/windows_feature.md.erb +61 -0
- data/docs/resources/wmi.md.erb +95 -0
- data/docs/resources/xinetd_conf.md.erb +170 -0
- data/docs/resources/yaml.md.erb +69 -0
- data/docs/resources/yum.md.erb +103 -0
- data/docs/ruby_usage.md +154 -0
- data/docs/shared/matcher_be.md.erb +1 -0
- data/docs/shared/matcher_cmp.md.erb +45 -0
- data/docs/shared/matcher_eq.md.erb +3 -0
- data/docs/shared/matcher_include.md.erb +1 -0
- data/docs/shared/matcher_match.md.erb +1 -0
- data/lib/fetchers/url.rb +27 -29
- data/lib/inspec/cached_fetcher.rb +67 -0
- data/lib/inspec/dependencies/requirement.rb +6 -7
- data/lib/inspec/objects/each_loop.rb +5 -2
- data/lib/inspec/plugins/fetcher.rb +2 -0
- data/lib/inspec/profile.rb +9 -41
- data/lib/inspec/resource.rb +1 -1
- data/lib/inspec/rspec_json_formatter.rb +11 -5
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/groups.rb +190 -0
- data/lib/resources/users.rb +3 -2
- metadata +79 -6
- data/docs/cli.rst +0 -448
- data/docs/resources.rst +0 -4836
- data/docs/ruby_usage.rst +0 -145
- data/lib/resources/group.rb +0 -137
@@ -0,0 +1,84 @@
|
|
1
|
+
---
|
2
|
+
title: About the bash Resource
|
3
|
+
---
|
4
|
+
|
5
|
+
# bash
|
6
|
+
|
7
|
+
Use the `bash` InSpec audit resource to test an arbitrary command that is run on the system using a Bash script.
|
8
|
+
|
9
|
+
# Syntax
|
10
|
+
|
11
|
+
A `command` resource block declares a command to be run, one (or more) expected outputs, and the location to which that output is sent:
|
12
|
+
|
13
|
+
describe bash('command') do
|
14
|
+
it { should exist }
|
15
|
+
its('matcher') { should eq 'output' }
|
16
|
+
end
|
17
|
+
|
18
|
+
where
|
19
|
+
|
20
|
+
* `'command'` must specify a command to be run
|
21
|
+
* `'matcher'` is one of `exit_status`, `stderr`, or `stdout`
|
22
|
+
* `'output'` tests the output of the command run on the system versus the output value stated in the test
|
23
|
+
|
24
|
+
For example:
|
25
|
+
|
26
|
+
describe bash('ls -al /') do
|
27
|
+
its('stdout') { should match /bin/ }
|
28
|
+
its('stderr') { should eq '' }
|
29
|
+
its('exit_status') { should eq 0 }
|
30
|
+
end
|
31
|
+
|
32
|
+
|
33
|
+
# Matchers
|
34
|
+
|
35
|
+
This InSpec audit resource has the following matchers:
|
36
|
+
|
37
|
+
## be
|
38
|
+
|
39
|
+
<%= partial "/shared/matcher_be" %>
|
40
|
+
|
41
|
+
## cmp
|
42
|
+
|
43
|
+
<%= partial "/shared/matcher_cmp" %>
|
44
|
+
|
45
|
+
## eq
|
46
|
+
|
47
|
+
<%= partial "/shared/matcher_eq" %>
|
48
|
+
|
49
|
+
## exist
|
50
|
+
|
51
|
+
The `exist` matcher tests if a command may be run on the system:
|
52
|
+
|
53
|
+
it { should exist }
|
54
|
+
|
55
|
+
## exit_status
|
56
|
+
|
57
|
+
The `exit_status` matcher tests the exit status for the command:
|
58
|
+
|
59
|
+
its('exit_status') { should eq 0 }
|
60
|
+
|
61
|
+
## include
|
62
|
+
|
63
|
+
<%= partial "/shared/matcher_include" %>
|
64
|
+
|
65
|
+
## match
|
66
|
+
|
67
|
+
<%= partial "/shared/matcher_match" %>
|
68
|
+
|
69
|
+
## stderr
|
70
|
+
|
71
|
+
The `stderr` matcher tests results of the command as returned in standard error (stderr):
|
72
|
+
|
73
|
+
its('stderr') { should eq '' }
|
74
|
+
|
75
|
+
## stdout
|
76
|
+
|
77
|
+
The `stdout` matcher tests results of the command as returned in standard output (stdout).
|
78
|
+
|
79
|
+
its('stdout') { should match /bin/ }
|
80
|
+
|
81
|
+
|
82
|
+
# Examples
|
83
|
+
|
84
|
+
None.
|
@@ -0,0 +1,97 @@
|
|
1
|
+
---
|
2
|
+
title: About the bond Resource
|
3
|
+
---
|
4
|
+
|
5
|
+
# bond
|
6
|
+
|
7
|
+
Use the `bond` InSpec audit resource to test a logical, bonded network interface (i.e. "two or more network interfaces aggregated into a single, logical network interface"). On Linux platforms, any value in the `/proc/net/bonding` directory may be tested.
|
8
|
+
|
9
|
+
# Syntax
|
10
|
+
|
11
|
+
A `bond` resource block declares a bonded network interface, and then specifies the properties of that bonded network interface to be tested:
|
12
|
+
|
13
|
+
describe bond('name') do
|
14
|
+
it { should exist }
|
15
|
+
end
|
16
|
+
|
17
|
+
where
|
18
|
+
|
19
|
+
* `'name'` is the name of the bonded network interface
|
20
|
+
* `{ should exist }` is a valid matcher for this resource
|
21
|
+
|
22
|
+
|
23
|
+
# Matchers
|
24
|
+
|
25
|
+
This InSpec audit resource has the following matchers:
|
26
|
+
|
27
|
+
## be
|
28
|
+
|
29
|
+
<%= partial "/shared/matcher_be" %>
|
30
|
+
|
31
|
+
## cmp
|
32
|
+
|
33
|
+
<%= partial "/shared/matcher_cmp" %>
|
34
|
+
|
35
|
+
## content
|
36
|
+
|
37
|
+
The `content` matcher tests if contents in the file that defines the bonded network interface match the value specified in the test. The values of the `content` matcher are arbitrary:
|
38
|
+
|
39
|
+
its('content') { should match('value') }
|
40
|
+
|
41
|
+
## eq
|
42
|
+
|
43
|
+
<%= partial "/shared/matcher_eq" %>
|
44
|
+
|
45
|
+
## exist
|
46
|
+
|
47
|
+
The `exist` matcher tests if the bonded network interface is available:
|
48
|
+
|
49
|
+
it { should exist }
|
50
|
+
|
51
|
+
## have_interface
|
52
|
+
|
53
|
+
The `have_interface` matcher tests if the bonded network interface has one (or more) secondary interfaces:
|
54
|
+
|
55
|
+
it { should have_interface }
|
56
|
+
|
57
|
+
## include
|
58
|
+
|
59
|
+
<%= partial "/shared/matcher_include" %>
|
60
|
+
|
61
|
+
## interfaces
|
62
|
+
|
63
|
+
The `interfaces` matcher tests if the named secondary interfaces are available:
|
64
|
+
|
65
|
+
its('interfaces') { should eq ['eth0', 'eth1', ...] }
|
66
|
+
|
67
|
+
## match
|
68
|
+
|
69
|
+
<%= partial "/shared/matcher_match" %>
|
70
|
+
|
71
|
+
## params
|
72
|
+
|
73
|
+
The `params` matcher tests arbitrary parameters for the bonded network interface:
|
74
|
+
|
75
|
+
its('params') { should eq 'value' }
|
76
|
+
|
77
|
+
# Examples
|
78
|
+
|
79
|
+
The following examples show how to use this InSpec audit resource.
|
80
|
+
|
81
|
+
## Test if eth0 is a secondary interface for bond0
|
82
|
+
|
83
|
+
describe bond('bond0') do
|
84
|
+
it { should exist }
|
85
|
+
it { should have_interface 'eth0' }
|
86
|
+
end
|
87
|
+
|
88
|
+
## Test parameters for bond0
|
89
|
+
|
90
|
+
describe bond('bond0') do
|
91
|
+
its('Bonding Mode') { should eq 'IEEE 802.3ad Dynamic link aggregation' }
|
92
|
+
its('Transmit Hash Policy') { should eq 'layer3+4 (1)' }
|
93
|
+
its('MII Status') { should eq 'up' }
|
94
|
+
its('MII Polling Interval (ms)') { should eq '100' }
|
95
|
+
its('Up Delay (ms)') { should eq '0' }
|
96
|
+
its('Down Delay (ms)') { should eq '0' }
|
97
|
+
end
|
@@ -0,0 +1,67 @@
|
|
1
|
+
---
|
2
|
+
title: About the bridge Resource
|
3
|
+
---
|
4
|
+
|
5
|
+
# bridge
|
6
|
+
|
7
|
+
Use the `bridge` InSpec audit resource to test basic network bridge properties, such as name, if an interface is defined, and the associations for any defined interface.
|
8
|
+
|
9
|
+
* On Linux platforms, any value in the `/sys/class/net/{interface}/bridge` directory may be tested
|
10
|
+
* On the Windows platform, the `Get-NetAdapter` cmdlet is associated with the `Get-NetAdapterBinding` cmdlet and returns the `ComponentID ms_bridge` value as a JSON object
|
11
|
+
|
12
|
+
# Syntax
|
13
|
+
|
14
|
+
A `bridge` resource block declares the bridge to be tested and what interface it should be associated with:
|
15
|
+
|
16
|
+
describe bridge('br0') do
|
17
|
+
it { should exist }
|
18
|
+
it { should have_interface 'eth0' }
|
19
|
+
end
|
20
|
+
|
21
|
+
# Matchers
|
22
|
+
|
23
|
+
This InSpec audit resource has the following matchers:
|
24
|
+
|
25
|
+
## be
|
26
|
+
|
27
|
+
<%= partial "/shared/matcher_be" %>
|
28
|
+
|
29
|
+
## cmp
|
30
|
+
|
31
|
+
<%= partial "/shared/matcher_cmp" %>
|
32
|
+
|
33
|
+
## eq
|
34
|
+
|
35
|
+
<%= partial "/shared/matcher_eq" %>
|
36
|
+
|
37
|
+
## exist
|
38
|
+
|
39
|
+
The `exist` matcher tests if the network bridge is available:
|
40
|
+
|
41
|
+
it { should exist }
|
42
|
+
|
43
|
+
## have_interface
|
44
|
+
|
45
|
+
The `have_interface` matcher tests if the named interface is defined for the network bridge:
|
46
|
+
|
47
|
+
it { should have_interface 'eth0' }
|
48
|
+
|
49
|
+
## include
|
50
|
+
|
51
|
+
<%= partial "/shared/matcher_include" %>
|
52
|
+
|
53
|
+
## interfaces
|
54
|
+
|
55
|
+
The `interfaces` matcher tests if the named interface is present:
|
56
|
+
|
57
|
+
its('interfaces') { should eq 'foo' }
|
58
|
+
its('interfaces') { should eq 'bar' }
|
59
|
+
its('interfaces') { should include('foo') }
|
60
|
+
|
61
|
+
## match
|
62
|
+
|
63
|
+
<%= partial "/shared/matcher_match" %>
|
64
|
+
|
65
|
+
# Examples
|
66
|
+
|
67
|
+
None.
|
@@ -0,0 +1,76 @@
|
|
1
|
+
---
|
2
|
+
title: About the bsd_service Resource
|
3
|
+
---
|
4
|
+
|
5
|
+
# bsd_service
|
6
|
+
|
7
|
+
Use the `bsd_service` InSpec audit resource to test a service using a Berkeley OS-style `init` on the FreeBSD platform.
|
8
|
+
|
9
|
+
# Syntax
|
10
|
+
|
11
|
+
A `bsd_service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
|
12
|
+
|
13
|
+
describe bsd_service('service_name') do
|
14
|
+
it { should be_installed }
|
15
|
+
it { should be_enabled }
|
16
|
+
it { should be_running }
|
17
|
+
end
|
18
|
+
|
19
|
+
where
|
20
|
+
|
21
|
+
* `('service_name')` must specify a service name
|
22
|
+
* `be_installed`, `be_enabled`, and `be_running` are valid matchers for this resource; all matchers available to the `service` resource may be used
|
23
|
+
|
24
|
+
The path to the service manager's control may be specified for situations where the path isn't available in the current `PATH`. For example:
|
25
|
+
|
26
|
+
describe bsd_service('service_name', '/path/to/control') do
|
27
|
+
it { should be_enabled }
|
28
|
+
it { should be_installed }
|
29
|
+
it { should be_running }
|
30
|
+
end
|
31
|
+
|
32
|
+
# Matchers
|
33
|
+
|
34
|
+
This InSpec audit resource has the following matchers:
|
35
|
+
|
36
|
+
## be
|
37
|
+
|
38
|
+
<%= partial "/shared/matcher_be" %>
|
39
|
+
|
40
|
+
## be_enabled
|
41
|
+
|
42
|
+
The `be_enabled` matcher tests if the named service is enabled:
|
43
|
+
|
44
|
+
it { should be_enabled }
|
45
|
+
|
46
|
+
## be_installed
|
47
|
+
|
48
|
+
The `be_installed` matcher tests if the named service is installed:
|
49
|
+
|
50
|
+
it { should be_installed }
|
51
|
+
|
52
|
+
## be_running
|
53
|
+
|
54
|
+
The `be_running` matcher tests if the named service is running:
|
55
|
+
|
56
|
+
it { should be_running }
|
57
|
+
|
58
|
+
## cmp
|
59
|
+
|
60
|
+
<%= partial "/shared/matcher_cmp" %>
|
61
|
+
|
62
|
+
## eq
|
63
|
+
|
64
|
+
<%= partial "/shared/matcher_eq" %>
|
65
|
+
|
66
|
+
## include
|
67
|
+
|
68
|
+
<%= partial "/shared/matcher_include" %>
|
69
|
+
|
70
|
+
## match
|
71
|
+
|
72
|
+
<%= partial "/shared/matcher_match" %>
|
73
|
+
|
74
|
+
# Examples
|
75
|
+
|
76
|
+
None.
|
@@ -0,0 +1,151 @@
|
|
1
|
+
---
|
2
|
+
title: About the command Resource
|
3
|
+
---
|
4
|
+
|
5
|
+
# command
|
6
|
+
|
7
|
+
Use the `command` InSpec audit resource to test an arbitrary command that is run on the system.
|
8
|
+
|
9
|
+
# Syntax
|
10
|
+
|
11
|
+
A `command` resource block declares a command to be run, one (or more) expected outputs, and the location to which that output is sent:
|
12
|
+
|
13
|
+
describe command('command') do
|
14
|
+
it { should exist }
|
15
|
+
its('matcher') { should eq 'output' }
|
16
|
+
end
|
17
|
+
|
18
|
+
where
|
19
|
+
|
20
|
+
* `'command'` must specify a command to be run
|
21
|
+
* `'matcher'` is one of `exit_status`, `stderr`, or `stdout`
|
22
|
+
* `'output'` tests the output of the command run on the system versus the output value stated in the test
|
23
|
+
|
24
|
+
|
25
|
+
# Matchers
|
26
|
+
|
27
|
+
This InSpec audit resource has the following matchers:
|
28
|
+
|
29
|
+
## be
|
30
|
+
|
31
|
+
<%= partial "/shared/matcher_be" %>
|
32
|
+
|
33
|
+
## cmp
|
34
|
+
|
35
|
+
<%= partial "/shared/matcher_cmp" %>
|
36
|
+
|
37
|
+
## eq
|
38
|
+
|
39
|
+
<%= partial "/shared/matcher_eq" %>
|
40
|
+
|
41
|
+
## exist
|
42
|
+
|
43
|
+
The `exist` matcher tests if a command may be run on the system:
|
44
|
+
|
45
|
+
it { should exist }
|
46
|
+
|
47
|
+
## exit_status
|
48
|
+
|
49
|
+
The `exit_status` matcher tests the exit status for the command:
|
50
|
+
|
51
|
+
its('exit_status') { should eq 123 }
|
52
|
+
|
53
|
+
## include
|
54
|
+
|
55
|
+
<%= partial "/shared/matcher_include" %>
|
56
|
+
|
57
|
+
## match
|
58
|
+
|
59
|
+
<%= partial "/shared/matcher_match" %>
|
60
|
+
|
61
|
+
## stderr
|
62
|
+
|
63
|
+
The `stderr` matcher tests results of the command as returned in standard error (stderr):
|
64
|
+
|
65
|
+
its('stderr') { should eq 'error' }
|
66
|
+
|
67
|
+
## stdout
|
68
|
+
|
69
|
+
The `stdout` matcher tests results of the command as returned in standard output (stdout). The following example shows matching output using a regular expression:
|
70
|
+
|
71
|
+
describe command('echo 1') do
|
72
|
+
its('stdout') { should match (/[0-9]/) }
|
73
|
+
end
|
74
|
+
|
75
|
+
# Examples
|
76
|
+
|
77
|
+
The following examples show how to use this InSpec audit resource.
|
78
|
+
|
79
|
+
## Test for PostgreSQL database running a RC, development, or beta release
|
80
|
+
|
81
|
+
describe command('psql -V') do
|
82
|
+
its('stdout') { should eq '/RC/' }
|
83
|
+
its('stdout') { should_not eq '/DEVEL/' }
|
84
|
+
its('stdout') { should_not eq '/BETA/' }
|
85
|
+
end
|
86
|
+
|
87
|
+
## Test standard output (stdout)
|
88
|
+
|
89
|
+
describe command('echo hello') do
|
90
|
+
its('stdout') { should eq 'hello\n' }
|
91
|
+
its('stderr') { should eq '' }
|
92
|
+
its('exit_status') { should eq 0 }
|
93
|
+
end
|
94
|
+
|
95
|
+
## Test standard error (stderr)
|
96
|
+
|
97
|
+
describe command('>&2 echo error') do
|
98
|
+
its('stdout') { should eq '' }
|
99
|
+
its('stderr') { should eq 'error\n' }
|
100
|
+
its('exit_status') { should eq 0 }
|
101
|
+
end
|
102
|
+
|
103
|
+
## Test an exit status code
|
104
|
+
|
105
|
+
describe command('exit 123') do
|
106
|
+
its('stdout') { should eq '' }
|
107
|
+
its('stderr') { should eq '' }
|
108
|
+
its('exit_status') { should eq 123 }
|
109
|
+
end
|
110
|
+
|
111
|
+
## Test if the command shell exists
|
112
|
+
|
113
|
+
describe command('/bin/sh').exist? do
|
114
|
+
it { should eq true }
|
115
|
+
end
|
116
|
+
|
117
|
+
## Test for a command that should not exist
|
118
|
+
|
119
|
+
describe command('this is not existing').exist? do
|
120
|
+
it { should eq false }
|
121
|
+
end
|
122
|
+
|
123
|
+
## Verify NTP
|
124
|
+
|
125
|
+
The following example shows how to use the `file` audit resource to verify if the `ntp.conf` and `leap-seconds` files are present, and then the `command` resource to verify if NTP is installed and running:
|
126
|
+
|
127
|
+
describe file('/etc/ntp.conf') do
|
128
|
+
it { should be_file }
|
129
|
+
end
|
130
|
+
|
131
|
+
describe file('/etc/ntp.leapseconds') do
|
132
|
+
it { should be_file }
|
133
|
+
end
|
134
|
+
|
135
|
+
describe command('pgrep ntp') do
|
136
|
+
its('exit_status') { should eq 0 }
|
137
|
+
end
|
138
|
+
|
139
|
+
## Verify WiX
|
140
|
+
|
141
|
+
Wix includes serveral tools -- such as `candle` (preprocesses and compiles source files into object files), `light` (links and binds object files to an installer database), and `heat` (harvests files from various input formats). The following example uses a whitespace array and the `file` audit resource to verify if these three tools are present:
|
142
|
+
|
143
|
+
%w(
|
144
|
+
candle.exe
|
145
|
+
heat.exe
|
146
|
+
light.exe
|
147
|
+
).each do |utility|
|
148
|
+
describe file("C:/wix/#{utility}") do
|
149
|
+
it { should be_file }
|
150
|
+
end
|
151
|
+
end
|