inspec 1.0.0.beta2 → 1.0.0.beta3

Sign up to get free protection for your applications and to get access to all the features.
Files changed (95) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +41 -2
  3. data/Gemfile +4 -0
  4. data/Rakefile +2 -1
  5. data/docs/.gitignore +2 -0
  6. data/docs/README.md +21 -1
  7. data/docs/resources/apache_conf.md.erb +75 -0
  8. data/docs/resources/apt.md.erb +84 -0
  9. data/docs/resources/audit_policy.md.erb +61 -0
  10. data/docs/resources/auditd_conf.md.erb +79 -0
  11. data/docs/resources/auditd_rules.md.erb +132 -0
  12. data/docs/resources/bash.md.erb +84 -0
  13. data/docs/resources/bond.md.erb +97 -0
  14. data/docs/resources/bridge.md.erb +67 -0
  15. data/docs/resources/bsd_service.md.erb +76 -0
  16. data/docs/resources/command.md.erb +151 -0
  17. data/docs/resources/csv.md.erb +62 -0
  18. data/docs/resources/directory.md.erb +43 -0
  19. data/docs/resources/etc_group.md.erb +116 -0
  20. data/docs/resources/etc_passwd.md.erb +155 -0
  21. data/docs/resources/etc_shadow.md.erb +149 -0
  22. data/docs/resources/file.md.erb +460 -0
  23. data/docs/resources/gem.md.erb +73 -0
  24. data/docs/resources/group.md.erb +74 -0
  25. data/docs/resources/grub_conf.md.erb +115 -0
  26. data/docs/resources/host.md.erb +85 -0
  27. data/docs/resources/iis_site.md.erb +142 -0
  28. data/docs/resources/inetd_conf.md.erb +99 -0
  29. data/docs/resources/ini.md.erb +69 -0
  30. data/docs/resources/interface.md.erb +66 -0
  31. data/docs/resources/iptables.md.erb +70 -0
  32. data/docs/resources/json.md.erb +76 -0
  33. data/docs/resources/kernel_module.md.erb +60 -0
  34. data/docs/resources/kernel_parameter.md.erb +72 -0
  35. data/docs/resources/launchd_service.md.erb +76 -0
  36. data/docs/resources/limits_conf.md.erb +80 -0
  37. data/docs/resources/login_def.md.erb +77 -0
  38. data/docs/resources/mount.md.erb +83 -0
  39. data/docs/resources/mysql_conf.md.erb +102 -0
  40. data/docs/resources/mysql_session.md.erb +63 -0
  41. data/docs/resources/npm.md.erb +75 -0
  42. data/docs/resources/ntp_conf.md.erb +76 -0
  43. data/docs/resources/oneget.md.erb +67 -0
  44. data/docs/resources/os.md.erb +154 -0
  45. data/docs/resources/os_env.md.erb +98 -0
  46. data/docs/resources/package.md.erb +115 -0
  47. data/docs/resources/parse_config.md.erb +122 -0
  48. data/docs/resources/parse_config_file.md.erb +143 -0
  49. data/docs/resources/pip.md.erb +74 -0
  50. data/docs/resources/port.md.erb +150 -0
  51. data/docs/resources/postgres_conf.md.erb +90 -0
  52. data/docs/resources/postgres_session.md.erb +75 -0
  53. data/docs/resources/powershell.md.erb +116 -0
  54. data/docs/resources/process.md.erb +73 -0
  55. data/docs/resources/registry_key.md.erb +149 -0
  56. data/docs/resources/runit_service.md.erb +76 -0
  57. data/docs/resources/security_policy.md.erb +61 -0
  58. data/docs/resources/service.md.erb +135 -0
  59. data/docs/resources/ssh_config.md.erb +94 -0
  60. data/docs/resources/sshd_config.md.erb +97 -0
  61. data/docs/resources/ssl.md.erb +133 -0
  62. data/docs/resources/sys_info.md.erb +55 -0
  63. data/docs/resources/systemd_service.md.erb +76 -0
  64. data/docs/resources/sysv_service.md.erb +76 -0
  65. data/docs/resources/upstart_service.md.erb +76 -0
  66. data/docs/resources/user.md.erb +154 -0
  67. data/docs/resources/users.md.erb +140 -0
  68. data/docs/resources/vbscript.md.erb +69 -0
  69. data/docs/resources/windows_feature.md.erb +61 -0
  70. data/docs/resources/wmi.md.erb +95 -0
  71. data/docs/resources/xinetd_conf.md.erb +170 -0
  72. data/docs/resources/yaml.md.erb +69 -0
  73. data/docs/resources/yum.md.erb +103 -0
  74. data/docs/ruby_usage.md +154 -0
  75. data/docs/shared/matcher_be.md.erb +1 -0
  76. data/docs/shared/matcher_cmp.md.erb +45 -0
  77. data/docs/shared/matcher_eq.md.erb +3 -0
  78. data/docs/shared/matcher_include.md.erb +1 -0
  79. data/docs/shared/matcher_match.md.erb +1 -0
  80. data/lib/fetchers/url.rb +27 -29
  81. data/lib/inspec/cached_fetcher.rb +67 -0
  82. data/lib/inspec/dependencies/requirement.rb +6 -7
  83. data/lib/inspec/objects/each_loop.rb +5 -2
  84. data/lib/inspec/plugins/fetcher.rb +2 -0
  85. data/lib/inspec/profile.rb +9 -41
  86. data/lib/inspec/resource.rb +1 -1
  87. data/lib/inspec/rspec_json_formatter.rb +11 -5
  88. data/lib/inspec/version.rb +1 -1
  89. data/lib/resources/groups.rb +190 -0
  90. data/lib/resources/users.rb +3 -2
  91. metadata +79 -6
  92. data/docs/cli.rst +0 -448
  93. data/docs/resources.rst +0 -4836
  94. data/docs/ruby_usage.rst +0 -145
  95. data/lib/resources/group.rb +0 -137
@@ -0,0 +1,460 @@
1
+ ---
2
+ title: About the file Resource
3
+ ---
4
+
5
+ # file
6
+
7
+ Use the `file` InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.
8
+
9
+ # Syntax
10
+
11
+ A `file` resource block declares the location of the file type to be tested, what type that file should be (if required), and then one (or more) matchers:
12
+
13
+ describe file('path') do
14
+ it { should MATCHER 'value' }
15
+ end
16
+
17
+ where
18
+
19
+ * `('path')` is the name of the file and/or the path to the file
20
+ * `MATCHER` is a valid matcher for this resource
21
+ * `'value'` is the value to be tested
22
+
23
+
24
+ # Matchers
25
+
26
+ This InSpec audit resource has the following matchers:
27
+
28
+ ## be
29
+
30
+ <%= partial "/shared/matcher_be" %>
31
+
32
+ ## be_block_device
33
+
34
+ The `be_block_device` matcher tests if the file exists as a block device, such as `/dev/disk0` or `/dev/disk0s9`:
35
+
36
+ it { should be_block_device }
37
+
38
+ ## be_character_device
39
+
40
+ The `be_character_device` matcher tests if the file exists as a character device (that corresponds to a block device), such as `/dev/rdisk0` or `/dev/rdisk0s9`:
41
+
42
+ it { should be_character_device }
43
+
44
+ ## be_directory
45
+
46
+ The `be_directory` matcher tests if the file exists as a directory, such as `/etc/passwd`, `/etc/shadow`, or `/var/log/httpd`:
47
+
48
+ it { should be_directory }
49
+
50
+ ## be_executable
51
+
52
+ The `be_executable` matcher tests if the file exists as an executable:
53
+
54
+ it { should be_executable }
55
+
56
+ The `be_executable` matcher may also test if the file is executable by a specific owner, group, or user. For example, a group:
57
+
58
+ it { should be_executable.by('group') }
59
+
60
+ an owner:
61
+
62
+ it { should be_executable.by('owner') }
63
+
64
+ a user:
65
+
66
+ it { should be_executable.by_user('user') }
67
+
68
+ ## be_file
69
+
70
+ The `be_file` matcher tests if the file exists as a file. This can be useful with configuration files like `/etc/passwd` where there typically is not an associated file extension---`passwd.txt`:
71
+
72
+ it { should be_file }
73
+
74
+ ## be_grouped_into
75
+
76
+ The `be_grouped_into` matcher tests if the file exists as part of the named group:
77
+
78
+ it { should be_grouped_into 'group' }
79
+
80
+ ## be_immutable
81
+
82
+ The `be_immutable` matcher tests if the file is immutable, i.e. "cannot be changed":
83
+
84
+ it { should be_immutable }
85
+
86
+ ## be_linked_to
87
+
88
+ The `be_linked_to` matcher tests if the file is linked to the named target:
89
+
90
+ it { should be_linked_to '/etc/target-file' }
91
+
92
+ ## be_mounted
93
+
94
+ The `be_mounted` matcher tests if the file is accessible from the file system:
95
+
96
+ it { should be_mounted }
97
+
98
+ ## be_owned_by
99
+
100
+ The `be_owned_by` matcher tests if the file is owned by the named user, such as `root`:
101
+
102
+ it { should be_owned_by 'root' }
103
+
104
+ ## be_pipe
105
+
106
+ The `be_pipe` matcher tests if the file exists as first-in, first-out special file (`.fifo`) that is typically used to define a named pipe, such as `/var/log/nginx/access.log.fifo`:
107
+
108
+ it { should be_pipe }
109
+
110
+ ## be_readable
111
+
112
+ The `be_readable` matcher tests if the file is readable:
113
+
114
+ it { should be_readable }
115
+
116
+ The `be_readable` matcher may also test if the file is readable by a specific owner, group, or user. For example, a group:
117
+
118
+ it { should be_readable.by('group') }
119
+
120
+ an owner:
121
+
122
+ it { should be_readable.by('owner') }
123
+
124
+ a user:
125
+
126
+ it { should be_readable.by_user('user') }
127
+
128
+ ## be_socket
129
+
130
+ The `be_socket` matcher tests if the file exists as socket (`.sock`), such as `/var/run/php-fpm.sock`:
131
+
132
+ it { should be_socket }
133
+
134
+ ## be_symlink
135
+
136
+ The `be_symlink` matcher tests if the file exists as a symbolic, or soft link that contains an absolute or relative path reference to another file:
137
+
138
+ it { should be_symlink }
139
+
140
+ ## be_version
141
+
142
+ The `be_version` matcher tests the version of the file:
143
+
144
+ it { should be_version '1.2.3' }
145
+
146
+ ## be_writable
147
+
148
+ The `be_writable` matcher tests if the file is writable:
149
+
150
+ it { should be_writable }
151
+
152
+ The `be_writable` matcher may also test if the file is writable by a specific owner, group, or user. For example, a group:
153
+
154
+ it { should be_writable.by('group') }
155
+
156
+ an owner:
157
+
158
+ it { should be_writable.by('owner') }
159
+
160
+ a user:
161
+
162
+ it { should be_writable.by_user('user') }
163
+
164
+ ## cmp
165
+
166
+ <%= partial "/shared/matcher_cmp" %>
167
+
168
+ ## content
169
+
170
+ The `content` matcher tests if contents in the file match the value specified in a regular expression. The values of the `content` matcher are arbitrary and depend on the file type being tested and also the type of information that is expected to be in that file:
171
+
172
+ its('content') { should match REGEX }
173
+
174
+ The following complete example tests the `pg_hba.conf` file in PostgreSQL for MD5 requirements. The tests look at all `host` and `local` settings in that file, and then compare the MD5 checksums against the values in the test:
175
+
176
+ describe file(hba_config_file) do
177
+ its('content') { should match(%r{local\s.*?all\s.*?all\s.*?md5}) }
178
+ its('content') { should match(%r{host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5}) }
179
+ its('content') { should match(%r{host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5})
180
+ end
181
+
182
+ ## eq
183
+
184
+ <%= partial "/shared/matcher_eq" %>
185
+
186
+ ## exist
187
+
188
+ The `exist` matcher tests if the named file exists:
189
+
190
+ it { should exist }
191
+
192
+ ## file_version
193
+
194
+ The `file_version` matcher tests if the file's version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
195
+
196
+ its('file_version') { should eq '1.2.3' }
197
+
198
+ ## group
199
+
200
+ The `group` matcher tests if the group to which a file belongs matches the specified value:
201
+
202
+ its('group') { should eq 'admins' }
203
+
204
+ ## have_mode
205
+
206
+ The `have_mode` matcher tests if a file has a mode assigned to it:
207
+
208
+ it { should have_mode }
209
+
210
+ ## include
211
+
212
+ <%= partial "/shared/matcher_include" %>
213
+
214
+ ## link_path
215
+
216
+ The `link_path` matcher tests if the file exists at the specified path:
217
+
218
+ its('link_path') { should eq '/some/path/to/file' }
219
+
220
+ ## link_target
221
+
222
+ The `link_target` matcher tests if a file that is linked to this file exists at the specified path:
223
+
224
+ its('link_target') { should eq '/some/path/to/file' }
225
+
226
+ ## match
227
+
228
+ <%= partial "/shared/matcher_match" %>
229
+
230
+ ## md5sum
231
+
232
+ The `md5sum` matcher tests if the MD5 checksum for a file matches the specified value:
233
+
234
+ its('md5sum') { should eq '3329x3hf9130gjs9jlasf2305mx91s4j' }
235
+
236
+ ## mode
237
+
238
+ The `mode` matcher tests if the mode assigned to the file matches the specified value:
239
+
240
+ its('mode') { should cmp '0644' }
241
+
242
+ ## mtime
243
+
244
+ The `mtime` matcher tests if the file modification time for the file matches the specified value:
245
+
246
+ its('mtime') { should eq 'October 31 2015 12:10:45' }
247
+
248
+ or:
249
+
250
+ describe file('/').mtime.to_i do
251
+ it { should <= Time.now.to_i }
252
+ it { should >= Time.now.to_i - 1000}
253
+ end
254
+
255
+ ## owner
256
+
257
+ The `owner` matcher tests if the owner of the file matches the specified value:
258
+
259
+ its('owner') { should eq 'root' }
260
+
261
+ ## product_version
262
+
263
+ The `product_version` matcher tests if the file's product version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
264
+
265
+ its('product_version') { should eq 2.3.4 }
266
+
267
+ ## selinux_label
268
+
269
+ The `selinux_label` matcher tests if the SELinux label for a file matches the specified value:
270
+
271
+ its('selinux_label') { should eq 'system_u:system_r:httpd_t:s0' }
272
+
273
+ ## sha256sum
274
+
275
+ The `sha256sum` matcher tests if the SHA-256 checksum for a file matches the specified value:
276
+
277
+ its('sha256sum') { should eq 'b837ch38lh19bb8eaopl8jvxwd2e4g58jn9lkho1w3ed9jbkeicalplaad9k0pjn' }
278
+
279
+ ## size
280
+
281
+ The `size` matcher tests if a file's size matches, is greater than, or is less than the specified value. For example, equal:
282
+
283
+ its('size') { should eq 32375 }
284
+
285
+ Greater than:
286
+
287
+ its('size') { should > 64 }
288
+
289
+ Less than:
290
+
291
+ its('size') { should < 10240 }
292
+
293
+ ## type
294
+
295
+ The `type` matcher tests if the first letter of the file's mode string contains one of the following characters:
296
+
297
+ * `-` or `f` (the file is a file); use `'file` to test for this file type
298
+ * `d` (the file is a directory); use `'directory` to test for this file type
299
+ * `l` (the file is a symbolic link); use `'link` to test for this file type
300
+ * `p` (the file is a named pipe); use `'pipe` to test for this file type
301
+ * `s` (the file is a socket); use `'socket` to test for this file type
302
+ * `c` (the file is a character device); use `'character` to test for this file type
303
+ * `b` (the file is a block device); use `'block` to test for this file type
304
+ * `D` (the file is a door); use `'door` to test for this file type
305
+
306
+ For example:
307
+
308
+ its('type') { should eq 'file' }
309
+
310
+ or:
311
+
312
+ its('type') { should eq 'socket' }
313
+
314
+ # Examples
315
+
316
+ The following examples show how to use this InSpec audit resource.
317
+
318
+ ## Test the contents of a file for MD5 requirements
319
+
320
+ describe file(hba_config_file) do
321
+ its('content') { should match /local\s.*?all\s.*?all\s.*?md5/ }
322
+ its('content') { should match %r{/host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5/} }
323
+ its('content') { should match %r{/host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5/} }
324
+ end
325
+
326
+ ## Test if a file exists
327
+
328
+ describe file('/tmp') do
329
+ it { should exist }
330
+ end
331
+
332
+ ## Test that a file does not exist
333
+
334
+ describe file('/tmpest') do
335
+ it { should_not exist }
336
+ end
337
+
338
+ ## Test if a path is a directory
339
+
340
+ describe file('/tmp') do
341
+ its('type') { should eq :directory }
342
+ it { should be_directory }
343
+ end
344
+
345
+ ## Test if a path is a file and not a directory
346
+
347
+ describe file('/proc/version') do
348
+ its('type') { should eq 'file' }
349
+ it { should be_file }
350
+ it { should_not be_directory }
351
+ end
352
+
353
+ ## Test if a file is a symbolic link
354
+
355
+ describe file('/dev/stdout') do
356
+ its('type') { should eq 'symlink' }
357
+ it { should be_symlink }
358
+ it { should_not be_file }
359
+ it { should_not be_directory }
360
+ end
361
+
362
+ ## Test if a file is a character device
363
+
364
+ describe file('/dev/zero') do
365
+ its('type') { should eq 'character' }
366
+ it { should be_character_device }
367
+ it { should_not be_file }
368
+ it { should_not be_directory }
369
+ end
370
+
371
+ ## Test if a file is a block device
372
+
373
+ describe file('/dev/zero') do
374
+ its('type') { should eq 'block' }
375
+ it { should be_character_device }
376
+ it { should_not be_file }
377
+ it { should_not be_directory }
378
+ end
379
+
380
+ ## Test the mode for a file
381
+
382
+ describe file('/dev') do
383
+ its('mode') { should cmp '00755' }
384
+ end
385
+
386
+ ## Test the owner of a file
387
+
388
+ describe file('/root') do
389
+ its('owner') { should eq 'root' }
390
+ end
391
+
392
+ ## Test if a file is owned by the root user
393
+
394
+ describe file('/dev') do
395
+ it { should be_owned_by 'root' }
396
+ end
397
+
398
+ ## Test the mtime for a file
399
+
400
+ describe file('/').mtime.to_i do
401
+ it { should <= Time.now.to_i }
402
+ it { should >= Time.now.to_i - 1000}
403
+ end
404
+
405
+ ## Test that a file's size is between 64 and 10240
406
+
407
+ describe file('/') do
408
+ its('size') { should be > 64 }
409
+ its('size') { should be < 10240 }
410
+ end
411
+
412
+ ## Test that a file's size is zero
413
+
414
+ describe file('/proc/cpuinfo') do
415
+ its('size') { should be 0 }
416
+ end
417
+
418
+ ## Test that a file is not mounted
419
+
420
+ describe file('/proc/cpuinfo') do
421
+ it { should_not be_mounted }
422
+ end
423
+
424
+ ## Test an MD5 checksum
425
+
426
+ require 'digest'
427
+ cpuinfo = file('/proc/cpuinfo').content
428
+
429
+ md5sum = Digest::MD5.hexdigest(cpuinfo)
430
+
431
+ describe file('/proc/cpuinfo') do
432
+ its('md5sum') { should eq md5sum }
433
+ end
434
+
435
+ ## Test an SHA-256 checksum
436
+
437
+ require 'digest'
438
+ cpuinfo = file('/proc/cpuinfo').content
439
+
440
+ sha256sum = Digest::SHA256.hexdigest(cpuinfo)
441
+
442
+ describe file('/proc/cpuinfo') do
443
+ its('sha256sum') { should eq sha256sum }
444
+ end
445
+
446
+ ## Verify NTP
447
+
448
+ The following example shows how to use the `file` audit resource to verify if the `ntp.conf` and `leap-seconds` files are present, and then the `command` resource to verify if NTP is installed and running:
449
+
450
+ describe file('/etc/ntp.conf') do
451
+ it { should be_file }
452
+ end
453
+
454
+ describe file('/etc/ntp.leapseconds') do
455
+ it { should be_file }
456
+ end
457
+
458
+ describe command('pgrep ntp') do
459
+ its('exit_status') { should eq 0 }
460
+ end