inspec 1.0.0.beta2 → 1.0.0.beta3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +41 -2
- data/Gemfile +4 -0
- data/Rakefile +2 -1
- data/docs/.gitignore +2 -0
- data/docs/README.md +21 -1
- data/docs/resources/apache_conf.md.erb +75 -0
- data/docs/resources/apt.md.erb +84 -0
- data/docs/resources/audit_policy.md.erb +61 -0
- data/docs/resources/auditd_conf.md.erb +79 -0
- data/docs/resources/auditd_rules.md.erb +132 -0
- data/docs/resources/bash.md.erb +84 -0
- data/docs/resources/bond.md.erb +97 -0
- data/docs/resources/bridge.md.erb +67 -0
- data/docs/resources/bsd_service.md.erb +76 -0
- data/docs/resources/command.md.erb +151 -0
- data/docs/resources/csv.md.erb +62 -0
- data/docs/resources/directory.md.erb +43 -0
- data/docs/resources/etc_group.md.erb +116 -0
- data/docs/resources/etc_passwd.md.erb +155 -0
- data/docs/resources/etc_shadow.md.erb +149 -0
- data/docs/resources/file.md.erb +460 -0
- data/docs/resources/gem.md.erb +73 -0
- data/docs/resources/group.md.erb +74 -0
- data/docs/resources/grub_conf.md.erb +115 -0
- data/docs/resources/host.md.erb +85 -0
- data/docs/resources/iis_site.md.erb +142 -0
- data/docs/resources/inetd_conf.md.erb +99 -0
- data/docs/resources/ini.md.erb +69 -0
- data/docs/resources/interface.md.erb +66 -0
- data/docs/resources/iptables.md.erb +70 -0
- data/docs/resources/json.md.erb +76 -0
- data/docs/resources/kernel_module.md.erb +60 -0
- data/docs/resources/kernel_parameter.md.erb +72 -0
- data/docs/resources/launchd_service.md.erb +76 -0
- data/docs/resources/limits_conf.md.erb +80 -0
- data/docs/resources/login_def.md.erb +77 -0
- data/docs/resources/mount.md.erb +83 -0
- data/docs/resources/mysql_conf.md.erb +102 -0
- data/docs/resources/mysql_session.md.erb +63 -0
- data/docs/resources/npm.md.erb +75 -0
- data/docs/resources/ntp_conf.md.erb +76 -0
- data/docs/resources/oneget.md.erb +67 -0
- data/docs/resources/os.md.erb +154 -0
- data/docs/resources/os_env.md.erb +98 -0
- data/docs/resources/package.md.erb +115 -0
- data/docs/resources/parse_config.md.erb +122 -0
- data/docs/resources/parse_config_file.md.erb +143 -0
- data/docs/resources/pip.md.erb +74 -0
- data/docs/resources/port.md.erb +150 -0
- data/docs/resources/postgres_conf.md.erb +90 -0
- data/docs/resources/postgres_session.md.erb +75 -0
- data/docs/resources/powershell.md.erb +116 -0
- data/docs/resources/process.md.erb +73 -0
- data/docs/resources/registry_key.md.erb +149 -0
- data/docs/resources/runit_service.md.erb +76 -0
- data/docs/resources/security_policy.md.erb +61 -0
- data/docs/resources/service.md.erb +135 -0
- data/docs/resources/ssh_config.md.erb +94 -0
- data/docs/resources/sshd_config.md.erb +97 -0
- data/docs/resources/ssl.md.erb +133 -0
- data/docs/resources/sys_info.md.erb +55 -0
- data/docs/resources/systemd_service.md.erb +76 -0
- data/docs/resources/sysv_service.md.erb +76 -0
- data/docs/resources/upstart_service.md.erb +76 -0
- data/docs/resources/user.md.erb +154 -0
- data/docs/resources/users.md.erb +140 -0
- data/docs/resources/vbscript.md.erb +69 -0
- data/docs/resources/windows_feature.md.erb +61 -0
- data/docs/resources/wmi.md.erb +95 -0
- data/docs/resources/xinetd_conf.md.erb +170 -0
- data/docs/resources/yaml.md.erb +69 -0
- data/docs/resources/yum.md.erb +103 -0
- data/docs/ruby_usage.md +154 -0
- data/docs/shared/matcher_be.md.erb +1 -0
- data/docs/shared/matcher_cmp.md.erb +45 -0
- data/docs/shared/matcher_eq.md.erb +3 -0
- data/docs/shared/matcher_include.md.erb +1 -0
- data/docs/shared/matcher_match.md.erb +1 -0
- data/lib/fetchers/url.rb +27 -29
- data/lib/inspec/cached_fetcher.rb +67 -0
- data/lib/inspec/dependencies/requirement.rb +6 -7
- data/lib/inspec/objects/each_loop.rb +5 -2
- data/lib/inspec/plugins/fetcher.rb +2 -0
- data/lib/inspec/profile.rb +9 -41
- data/lib/inspec/resource.rb +1 -1
- data/lib/inspec/rspec_json_formatter.rb +11 -5
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/groups.rb +190 -0
- data/lib/resources/users.rb +3 -2
- metadata +79 -6
- data/docs/cli.rst +0 -448
- data/docs/resources.rst +0 -4836
- data/docs/ruby_usage.rst +0 -145
- data/lib/resources/group.rb +0 -137
@@ -0,0 +1,99 @@
|
|
1
|
+
---
|
2
|
+
title: About the inetd_conf Resource
|
3
|
+
---
|
4
|
+
|
5
|
+
# inetd_conf
|
6
|
+
|
7
|
+
Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.`
|
8
|
+
|
9
|
+
# Syntax
|
10
|
+
|
11
|
+
An `inetd_conf` resource block declares the list of services that are enabled in the `inetd.conf` file:
|
12
|
+
|
13
|
+
describe inetd_conf('path') do
|
14
|
+
its('service_name') { should eq 'value' }
|
15
|
+
end
|
16
|
+
|
17
|
+
where
|
18
|
+
|
19
|
+
* `'service_name'` is a service listed in the `inetd.conf` file
|
20
|
+
* `('path')` is the non-default path to the `inetd.conf` file
|
21
|
+
* `should eq 'value'` is the value that is expected
|
22
|
+
|
23
|
+
|
24
|
+
# Matchers
|
25
|
+
|
26
|
+
This resource matches any service that is listed in the `inetd.conf` file. You may want to ensure that specific services do not listen via `inetd.conf`:
|
27
|
+
|
28
|
+
its('shell') { should eq nil }
|
29
|
+
|
30
|
+
or:
|
31
|
+
|
32
|
+
its('netstat') { should eq nil }
|
33
|
+
|
34
|
+
or:
|
35
|
+
|
36
|
+
its('systat') { should eq nil }
|
37
|
+
|
38
|
+
For example:
|
39
|
+
|
40
|
+
describe inetd_conf do
|
41
|
+
its('shell') { should eq nil }
|
42
|
+
its('login') { should eq nil }
|
43
|
+
its('exec') { should eq nil }
|
44
|
+
end
|
45
|
+
|
46
|
+
## be
|
47
|
+
|
48
|
+
<%= partial "/shared/matcher_be" %>
|
49
|
+
|
50
|
+
## cmp
|
51
|
+
|
52
|
+
<%= partial "/shared/matcher_cmp" %>
|
53
|
+
|
54
|
+
## eq
|
55
|
+
|
56
|
+
<%= partial "/shared/matcher_eq" %>
|
57
|
+
|
58
|
+
## include
|
59
|
+
|
60
|
+
<%= partial "/shared/matcher_include" %>
|
61
|
+
|
62
|
+
## match
|
63
|
+
|
64
|
+
<%= partial "/shared/matcher_match" %>
|
65
|
+
|
66
|
+
# Examples
|
67
|
+
|
68
|
+
The following examples show how to use this InSpec audit resource.
|
69
|
+
|
70
|
+
## Verify that FTP is disabled
|
71
|
+
|
72
|
+
The contents if the `inetd.conf` file contain the following:
|
73
|
+
|
74
|
+
#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
|
75
|
+
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
|
76
|
+
|
77
|
+
and the following test is defined:
|
78
|
+
|
79
|
+
describe inetd_conf do
|
80
|
+
its('ftp') { should eq nil }
|
81
|
+
its('telnet') { should eq nil }
|
82
|
+
end
|
83
|
+
|
84
|
+
Because both the `ftp` and `telnet` Internet services are commented out (`#`), both services are disabled. Consequently, both tests will return `true`. However, if the `inetd.conf` file is set as follows:
|
85
|
+
|
86
|
+
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
|
87
|
+
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
|
88
|
+
|
89
|
+
then the same test will return `false` for `ftp` and the entire test will fail.
|
90
|
+
|
91
|
+
## Test if telnet is installed
|
92
|
+
|
93
|
+
describe package('telnetd') do
|
94
|
+
it { should_not be_installed }
|
95
|
+
end
|
96
|
+
|
97
|
+
describe inetd_conf do
|
98
|
+
its('telnet') { should eq nil }
|
99
|
+
end
|
@@ -0,0 +1,69 @@
|
|
1
|
+
---
|
2
|
+
title: About the ini Resource
|
3
|
+
---
|
4
|
+
|
5
|
+
# ini
|
6
|
+
|
7
|
+
Use the `ini` InSpec audit resource to test settings in an INI file.
|
8
|
+
|
9
|
+
# Syntax
|
10
|
+
|
11
|
+
An `ini` resource block declares the configuration settings to be tested:
|
12
|
+
|
13
|
+
describe ini('path') do
|
14
|
+
its('setting_name') { should eq 'value' }
|
15
|
+
end
|
16
|
+
|
17
|
+
where
|
18
|
+
|
19
|
+
* `'setting_name'` is a synchronization setting defined in the INI file
|
20
|
+
* `('path')` is the path to the INI file
|
21
|
+
* `{ should eq 'value' }` is the value that is expected
|
22
|
+
|
23
|
+
For example:
|
24
|
+
|
25
|
+
describe ini('path/to/ini_file.ini') do
|
26
|
+
its('port') { should eq '143' }
|
27
|
+
its('server') { should eq '192.0.2.62' }
|
28
|
+
end
|
29
|
+
|
30
|
+
# Matchers
|
31
|
+
|
32
|
+
This InSpec audit resource has the following matchers:
|
33
|
+
|
34
|
+
## be
|
35
|
+
|
36
|
+
<%= partial "/shared/matcher_be" %>
|
37
|
+
|
38
|
+
## cmp
|
39
|
+
|
40
|
+
<%= partial "/shared/matcher_cmp" %>
|
41
|
+
|
42
|
+
## eq
|
43
|
+
|
44
|
+
<%= partial "/shared/matcher_eq" %>
|
45
|
+
|
46
|
+
## include
|
47
|
+
|
48
|
+
<%= partial "/shared/matcher_include" %>
|
49
|
+
|
50
|
+
## match
|
51
|
+
|
52
|
+
<%= partial "/shared/matcher_match" %>
|
53
|
+
|
54
|
+
# Examples
|
55
|
+
|
56
|
+
The following examples show how to use this InSpec audit resource.
|
57
|
+
|
58
|
+
## Test SMTP settings in a PHP INI file
|
59
|
+
|
60
|
+
For example, a PHP INI file located at contains the following settings:
|
61
|
+
|
62
|
+
; SMTP = smtp.gmail.com
|
63
|
+
; smtp_port = 465
|
64
|
+
|
65
|
+
and can be tested like this:
|
66
|
+
|
67
|
+
describe ini(/etc/php5/apache2/php.ini) do
|
68
|
+
its('smtp_port') { should eq('465') }
|
69
|
+
end
|
@@ -0,0 +1,66 @@
|
|
1
|
+
---
|
2
|
+
title: About the interface Resource
|
3
|
+
---
|
4
|
+
|
5
|
+
# interface
|
6
|
+
|
7
|
+
Use the `interface` InSpec audit resource to test basic network adapter properties, such as name, status, state, address, and link speed (in MB/sec).
|
8
|
+
|
9
|
+
* On Linux platforms, `/sys/class/net/#{iface}` is used as source
|
10
|
+
* On the Windows platform, the `Get-NetAdapter` cmdlet is used as source
|
11
|
+
|
12
|
+
# Syntax
|
13
|
+
|
14
|
+
An `interface` resource block declares network interface properties to be tested:
|
15
|
+
|
16
|
+
describe interface do
|
17
|
+
it { should be_up }
|
18
|
+
its('speed') { should eq 1000 }
|
19
|
+
its('name') { should eq eth0 }
|
20
|
+
end
|
21
|
+
|
22
|
+
# Matchers
|
23
|
+
|
24
|
+
This InSpec audit resource has the following matchers:
|
25
|
+
|
26
|
+
## be
|
27
|
+
|
28
|
+
<%= partial "/shared/matcher_be" %>
|
29
|
+
|
30
|
+
## be_up
|
31
|
+
|
32
|
+
The `be_up` matcher tests if the network interface is available:
|
33
|
+
|
34
|
+
it { should be_up }
|
35
|
+
|
36
|
+
## cmp
|
37
|
+
|
38
|
+
<%= partial "/shared/matcher_cmp" %>
|
39
|
+
|
40
|
+
## eq
|
41
|
+
|
42
|
+
<%= partial "/shared/matcher_eq" %>
|
43
|
+
|
44
|
+
## include
|
45
|
+
|
46
|
+
<%= partial "/shared/matcher_include" %>
|
47
|
+
|
48
|
+
## match
|
49
|
+
|
50
|
+
<%= partial "/shared/matcher_match" %>
|
51
|
+
|
52
|
+
## name
|
53
|
+
|
54
|
+
The `name` matcher tests if the named network interface exists:
|
55
|
+
|
56
|
+
its('name') { should eq eth0 }
|
57
|
+
|
58
|
+
## speed
|
59
|
+
|
60
|
+
The `speed` matcher tests the speed of the network interface, in MB/sec:
|
61
|
+
|
62
|
+
its('speed') { should eq 1000 }
|
63
|
+
|
64
|
+
# Examples
|
65
|
+
|
66
|
+
None.
|
@@ -0,0 +1,70 @@
|
|
1
|
+
---
|
2
|
+
title: About the iptables Resource
|
3
|
+
---
|
4
|
+
|
5
|
+
# iptables
|
6
|
+
|
7
|
+
Use the `iptables` InSpec audit resource to test rules that are defined in `iptables`, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.
|
8
|
+
|
9
|
+
# Syntax
|
10
|
+
|
11
|
+
A `iptables` resource block declares tests for rules in IP tables:
|
12
|
+
|
13
|
+
describe iptables(rule:'name', table:'name', chain: 'name') do
|
14
|
+
it { should have_rule('RULE') }
|
15
|
+
end
|
16
|
+
|
17
|
+
where
|
18
|
+
|
19
|
+
* `iptables()` may specify any combination of `rule`, `table`, or `chain`
|
20
|
+
* `rule:'name'` is the name of a rule that matches a set of packets
|
21
|
+
* `table:'name'` is the packet matching table against which the test is run
|
22
|
+
* `chain: 'name'` is the name of a user-defined chain or one of `ACCEPT`, `DROP`, `QUEUE`, or `RETURN`
|
23
|
+
* `have_rule('RULE')` tests that rule in the iptables file
|
24
|
+
|
25
|
+
|
26
|
+
# Matchers
|
27
|
+
|
28
|
+
This InSpec audit resource has the following matchers:
|
29
|
+
|
30
|
+
## be
|
31
|
+
|
32
|
+
<%= partial "/shared/matcher_be" %>
|
33
|
+
|
34
|
+
## cmp
|
35
|
+
|
36
|
+
<%= partial "/shared/matcher_cmp" %>
|
37
|
+
|
38
|
+
## eq
|
39
|
+
|
40
|
+
<%= partial "/shared/matcher_eq" %>
|
41
|
+
|
42
|
+
## have_rule
|
43
|
+
|
44
|
+
The `have_rule` matcher tests the named rule against the information in the `iptables` file:
|
45
|
+
|
46
|
+
it { should have_rule('RULE') }
|
47
|
+
|
48
|
+
## include
|
49
|
+
|
50
|
+
<%= partial "/shared/matcher_include" %>
|
51
|
+
|
52
|
+
## match
|
53
|
+
|
54
|
+
<%= partial "/shared/matcher_match" %>
|
55
|
+
|
56
|
+
# Examples
|
57
|
+
|
58
|
+
The following examples show how to use this InSpec audit resource.
|
59
|
+
|
60
|
+
## Test if the IP table allows a packet through
|
61
|
+
|
62
|
+
describe iptables do
|
63
|
+
it { should have_rule('-P INPUT ACCEPT') }
|
64
|
+
end
|
65
|
+
|
66
|
+
## Test if the IP table allows a packet through, for a specific table and chain
|
67
|
+
|
68
|
+
describe iptables(table:'mangle', chain: 'input') do
|
69
|
+
it { should have_rule('-P INPUT ACCEPT') }
|
70
|
+
end
|
@@ -0,0 +1,76 @@
|
|
1
|
+
---
|
2
|
+
title: About the json Resource
|
3
|
+
---
|
4
|
+
|
5
|
+
# json
|
6
|
+
|
7
|
+
Use the `json` InSpec audit resource to test data in a JSON file.
|
8
|
+
|
9
|
+
# Syntax
|
10
|
+
|
11
|
+
A `json` resource block declares the data to be tested. Assume the following JSON file:
|
12
|
+
|
13
|
+
{
|
14
|
+
"name" : "hello",
|
15
|
+
"meta" : {
|
16
|
+
"creator" : "John Doe"
|
17
|
+
},
|
18
|
+
"array": [
|
19
|
+
"zero",
|
20
|
+
"one"
|
21
|
+
]
|
22
|
+
}
|
23
|
+
|
24
|
+
This file can be queried using:
|
25
|
+
|
26
|
+
describe json('/paht/to/name.json') do
|
27
|
+
its('name') { should eq 'hello' }
|
28
|
+
its(['meta','creator']) { should eq 'John Doe' }
|
29
|
+
its(['array', 1]) { should eq 'one' }
|
30
|
+
end
|
31
|
+
|
32
|
+
where
|
33
|
+
|
34
|
+
* `name` is a configuration setting in a JSON file
|
35
|
+
* `should eq 'foo'` tests a value of `name` as read from a JSON file versus the value declared in the test
|
36
|
+
|
37
|
+
|
38
|
+
# Matchers
|
39
|
+
|
40
|
+
This InSpec audit resource has the following matchers:
|
41
|
+
|
42
|
+
## be
|
43
|
+
|
44
|
+
<%= partial "/shared/matcher_be" %>
|
45
|
+
|
46
|
+
## cmp
|
47
|
+
|
48
|
+
<%= partial "/shared/matcher_cmp" %>
|
49
|
+
|
50
|
+
## eq
|
51
|
+
|
52
|
+
<%= partial "/shared/matcher_eq" %>
|
53
|
+
|
54
|
+
## include
|
55
|
+
|
56
|
+
<%= partial "/shared/matcher_include" %>
|
57
|
+
|
58
|
+
## match
|
59
|
+
|
60
|
+
<%= partial "/shared/matcher_match" %>
|
61
|
+
|
62
|
+
## name
|
63
|
+
|
64
|
+
The `name` matcher tests the value of `name` as read from a JSON file versus the value declared in the test:
|
65
|
+
|
66
|
+
its('name') { should eq 'foo' }
|
67
|
+
|
68
|
+
# Examples
|
69
|
+
|
70
|
+
The following examples show how to use this InSpec audit resource.
|
71
|
+
|
72
|
+
## Test a cookbook version in a policyfile.lock.json file
|
73
|
+
|
74
|
+
describe json('policyfile.lock.json') do
|
75
|
+
its(['cookbook_locks', 'omnibus', 'version']) { should eq('2.2.0') }
|
76
|
+
end
|
@@ -0,0 +1,60 @@
|
|
1
|
+
---
|
2
|
+
title: About the kernel_module Resource
|
3
|
+
---
|
4
|
+
|
5
|
+
# kernel_module
|
6
|
+
|
7
|
+
Use the `kernel_module` InSpec audit resource to test kernel modules on Linux platforms. These parameters are located under `/lib/modules`. Any submodule may be tested using this resource.
|
8
|
+
|
9
|
+
# Syntax
|
10
|
+
|
11
|
+
A `kernel_module` resource block declares a module name, and then tests if that module is a loadable kernel module:
|
12
|
+
|
13
|
+
describe kernel_module('module_name') do
|
14
|
+
it { should be_loaded }
|
15
|
+
end
|
16
|
+
|
17
|
+
where
|
18
|
+
|
19
|
+
* `'module_name'` must specify a kernel module, such as `'bridge'`
|
20
|
+
* `{ should be_loaded }` tests if the module is a loadable kernel module
|
21
|
+
|
22
|
+
# Matchers
|
23
|
+
|
24
|
+
This InSpec audit resource has the following matchers:
|
25
|
+
|
26
|
+
## be
|
27
|
+
|
28
|
+
<%= partial "/shared/matcher_be" %>
|
29
|
+
|
30
|
+
## be_loaded
|
31
|
+
|
32
|
+
The `be_loaded` matcher tests if the module is a loadable kernel module:
|
33
|
+
|
34
|
+
it { should be_loaded }
|
35
|
+
|
36
|
+
## cmp
|
37
|
+
|
38
|
+
<%= partial "/shared/matcher_cmp" %>
|
39
|
+
|
40
|
+
## eq
|
41
|
+
|
42
|
+
<%= partial "/shared/matcher_eq" %>
|
43
|
+
|
44
|
+
## include
|
45
|
+
|
46
|
+
<%= partial "/shared/matcher_include" %>
|
47
|
+
|
48
|
+
## match
|
49
|
+
|
50
|
+
<%= partial "/shared/matcher_match" %>
|
51
|
+
|
52
|
+
# Examples
|
53
|
+
|
54
|
+
The following examples show how to use this InSpec audit resource.
|
55
|
+
|
56
|
+
## Test if a module is loaded
|
57
|
+
|
58
|
+
describe kernel_module('bridge') do
|
59
|
+
it { should be_loaded }
|
60
|
+
end
|