inspec 1.0.0.beta2 → 1.0.0.beta3

data/docs/resources/inetd_conf.md.erb

@@ -0,0 +1,99 @@
+---
+title: About the inetd_conf Resource
+---
+
+# inetd_conf
+
+Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.`
+
+# Syntax
+
+An `inetd_conf` resource block declares the list of services that are enabled in the `inetd.conf` file:
+
+    describe inetd_conf('path') do
+      its('service_name') { should eq 'value' }
+    end
+
+where
+
+* `'service_name'` is a service listed in the `inetd.conf` file
+* `('path')` is the non-default path to the `inetd.conf` file
+* `should eq 'value'` is the value that is expected
+
+
+# Matchers
+
+This resource matches any service that is listed in the `inetd.conf` file. You may want to ensure that specific services do not listen via `inetd.conf`:
+
+    its('shell') { should eq nil }
+
+or:
+
+    its('netstat') { should eq nil }
+
+or:
+
+    its('systat') { should eq nil }
+
+For example:
+
+    describe inetd_conf do
+      its('shell') { should eq nil }
+      its('login') { should eq nil }
+      its('exec') { should eq nil }
+    end
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Verify that FTP is disabled
+
+The contents if the `inetd.conf` file contain the following:
+
+    #ftp      stream   tcp   nowait   root   /usr/sbin/tcpd   in.ftpd -l -a
+    #telnet   stream   tcp   nowait   root   /usr/sbin/tcpd   in.telnetd
+
+and the following test is defined:
+
+    describe inetd_conf do
+      its('ftp') { should eq nil }
+      its('telnet') { should eq nil }
+    end
+
+Because both the `ftp` and `telnet` Internet services are commented out (`#`), both services are disabled. Consequently, both tests will return `true`. However, if the `inetd.conf` file is set as follows:
+
+    ftp       stream   tcp   nowait   root   /usr/sbin/tcpd   in.ftpd -l -a
+    #telnet   stream   tcp   nowait   root   /usr/sbin/tcpd   in.telnetd
+
+then the same test will return `false` for `ftp` and the entire test will fail.
+
+## Test if telnet is installed
+
+    describe package('telnetd') do
+      it { should_not be_installed }
+    end
+
+    describe inetd_conf do
+      its('telnet') { should eq nil }
+    end

data/docs/resources/ini.md.erb

@@ -0,0 +1,69 @@
+---
+title: About the ini Resource
+---
+
+# ini
+
+Use the `ini` InSpec audit resource to test settings in an INI file.
+
+# Syntax
+
+An `ini` resource block declares the configuration settings to be tested:
+
+    describe ini('path') do
+      its('setting_name') { should eq 'value' }
+    end
+
+where
+
+* `'setting_name'` is a synchronization setting defined in the INI file
+* `('path')` is the path to the INI file
+* `{ should eq 'value' }` is the value that is expected
+
+For example:
+
+    describe ini('path/to/ini_file.ini') do
+      its('port') { should eq '143' }
+      its('server') { should eq '192.0.2.62' }
+    end
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test SMTP settings in a PHP INI file
+
+For example, a PHP INI file located at contains the following settings:
+
+    ; SMTP = smtp.gmail.com
+    ; smtp_port = 465
+
+and can be tested like this:
+
+    describe ini(/etc/php5/apache2/php.ini) do
+      its('smtp_port') { should eq('465') }
+    end

data/docs/resources/interface.md.erb

@@ -0,0 +1,66 @@
+---
+title: About the interface Resource
+---
+
+# interface
+
+Use the `interface` InSpec audit resource to test basic network adapter properties, such as name, status, state, address, and link speed (in MB/sec).
+
+* On Linux platforms, `/sys/class/net/#{iface}` is used as source
+* On the Windows platform, the `Get-NetAdapter` cmdlet is used as source
+
+# Syntax
+
+An `interface` resource block declares network interface properties to be tested:
+
+    describe interface do
+      it { should be_up }
+      its('speed') { should eq 1000 }
+      its('name') { should eq eth0 }
+    end
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## be_up
+
+The `be_up` matcher tests if the network interface is available:
+
+    it { should be_up }
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## name
+
+The `name` matcher tests if the named network interface exists:
+
+    its('name') { should eq eth0 }
+
+## speed
+
+The `speed` matcher tests the speed of the network interface, in MB/sec:
+
+    its('speed') { should eq 1000 }
+
+# Examples
+
+None.

data/docs/resources/iptables.md.erb

@@ -0,0 +1,70 @@
+---
+title: About the iptables Resource
+---
+
+# iptables
+
+Use the `iptables` InSpec audit resource to test rules that are defined in `iptables`, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.
+
+# Syntax
+
+A `iptables` resource block declares tests for rules in IP tables:
+
+    describe iptables(rule:'name', table:'name', chain: 'name') do
+      it { should have_rule('RULE') }
+    end
+
+where
+
+* `iptables()` may specify any combination of `rule`, `table`, or `chain`
+* `rule:'name'` is the name of a rule that matches a set of packets
+* `table:'name'` is the packet matching table against which the test is run
+* `chain: 'name'` is the name of a user-defined chain or one of `ACCEPT`, `DROP`, `QUEUE`, or `RETURN`
+* `have_rule('RULE')` tests that rule in the iptables file
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## have_rule
+
+The `have_rule` matcher tests the named rule against the information in the `iptables` file:
+
+    it { should have_rule('RULE') }
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test if the IP table allows a packet through
+
+    describe iptables do
+      it { should have_rule('-P INPUT ACCEPT') }
+    end
+
+## Test if the IP table allows a packet through, for a specific table and chain
+
+    describe iptables(table:'mangle', chain: 'input') do
+      it { should have_rule('-P INPUT ACCEPT') }
+    end

data/docs/resources/json.md.erb

@@ -0,0 +1,76 @@
+---
+title: About the json Resource
+---
+
+# json
+
+Use the `json` InSpec audit resource to test data in a JSON file.
+
+# Syntax
+
+A `json` resource block declares the data to be tested. Assume the following JSON file:
+
+    {
+      "name" : "hello",
+      "meta" : {
+        "creator" : "John Doe"
+      },
+      "array": [
+        "zero",
+        "one"
+      ]
+    }
+
+This file can be queried using:
+
+    describe json('/paht/to/name.json') do
+      its('name') { should eq 'hello' }
+      its(['meta','creator']) { should eq 'John Doe' }
+      its(['array', 1]) { should eq 'one' }
+    end
+
+where
+
+* `name` is a configuration setting in a JSON file
+* `should eq 'foo'` tests a value of `name` as read from a JSON file versus the value declared in the test
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## name
+
+The `name` matcher tests the value of `name` as read from a JSON file versus the value declared in the test:
+
+    its('name') { should eq 'foo' }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test a cookbook version in a policyfile.lock.json file
+
+    describe json('policyfile.lock.json') do
+      its(['cookbook_locks', 'omnibus', 'version']) { should eq('2.2.0') }
+    end

data/docs/resources/kernel_module.md.erb

@@ -0,0 +1,60 @@
+---
+title: About the kernel_module Resource
+---
+
+# kernel_module
+
+Use the `kernel_module` InSpec audit resource to test kernel modules on Linux platforms. These parameters are located under `/lib/modules`. Any submodule may be tested using this resource.
+
+# Syntax
+
+A `kernel_module` resource block declares a module name, and then tests if that module is a loadable kernel module:
+
+    describe kernel_module('module_name') do
+      it { should be_loaded }
+    end
+
+where
+
+* `'module_name'` must specify a kernel module, such as `'bridge'`
+* `{ should be_loaded }` tests if the module is a loadable kernel module
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## be_loaded
+
+The `be_loaded` matcher tests if the module is a loadable kernel module:
+
+    it { should be_loaded }
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test if a module is loaded
+
+    describe kernel_module('bridge') do
+      it { should be_loaded }
+    end