inspec 1.0.0.beta2 → 1.0.0.beta3

Files changed (95)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +41 -2
  3. data/Gemfile +4 -0
  4. data/Rakefile +2 -1
  5. data/docs/.gitignore +2 -0
  6. data/docs/README.md +21 -1
  7. data/docs/resources/apache_conf.md.erb +75 -0
  8. data/docs/resources/apt.md.erb +84 -0
  9. data/docs/resources/audit_policy.md.erb +61 -0
  10. data/docs/resources/auditd_conf.md.erb +79 -0
  11. data/docs/resources/auditd_rules.md.erb +132 -0
  12. data/docs/resources/bash.md.erb +84 -0
  13. data/docs/resources/bond.md.erb +97 -0
  14. data/docs/resources/bridge.md.erb +67 -0
  15. data/docs/resources/bsd_service.md.erb +76 -0
  16. data/docs/resources/command.md.erb +151 -0
  17. data/docs/resources/csv.md.erb +62 -0
  18. data/docs/resources/directory.md.erb +43 -0
  19. data/docs/resources/etc_group.md.erb +116 -0
  20. data/docs/resources/etc_passwd.md.erb +155 -0
  21. data/docs/resources/etc_shadow.md.erb +149 -0
  22. data/docs/resources/file.md.erb +460 -0
  23. data/docs/resources/gem.md.erb +73 -0
  24. data/docs/resources/group.md.erb +74 -0
  25. data/docs/resources/grub_conf.md.erb +115 -0
  26. data/docs/resources/host.md.erb +85 -0
  27. data/docs/resources/iis_site.md.erb +142 -0
  28. data/docs/resources/inetd_conf.md.erb +99 -0
  29. data/docs/resources/ini.md.erb +69 -0
  30. data/docs/resources/interface.md.erb +66 -0
  31. data/docs/resources/iptables.md.erb +70 -0
  32. data/docs/resources/json.md.erb +76 -0
  33. data/docs/resources/kernel_module.md.erb +60 -0
  34. data/docs/resources/kernel_parameter.md.erb +72 -0
  35. data/docs/resources/launchd_service.md.erb +76 -0
  36. data/docs/resources/limits_conf.md.erb +80 -0
  37. data/docs/resources/login_def.md.erb +77 -0
  38. data/docs/resources/mount.md.erb +83 -0
  39. data/docs/resources/mysql_conf.md.erb +102 -0
  40. data/docs/resources/mysql_session.md.erb +63 -0
  41. data/docs/resources/npm.md.erb +75 -0
  42. data/docs/resources/ntp_conf.md.erb +76 -0
  43. data/docs/resources/oneget.md.erb +67 -0
  44. data/docs/resources/os.md.erb +154 -0
  45. data/docs/resources/os_env.md.erb +98 -0
  46. data/docs/resources/package.md.erb +115 -0
  47. data/docs/resources/parse_config.md.erb +122 -0
  48. data/docs/resources/parse_config_file.md.erb +143 -0
  49. data/docs/resources/pip.md.erb +74 -0
  50. data/docs/resources/port.md.erb +150 -0
  51. data/docs/resources/postgres_conf.md.erb +90 -0
  52. data/docs/resources/postgres_session.md.erb +75 -0
  53. data/docs/resources/powershell.md.erb +116 -0
  54. data/docs/resources/process.md.erb +73 -0
  55. data/docs/resources/registry_key.md.erb +149 -0
  56. data/docs/resources/runit_service.md.erb +76 -0
  57. data/docs/resources/security_policy.md.erb +61 -0
  58. data/docs/resources/service.md.erb +135 -0
  59. data/docs/resources/ssh_config.md.erb +94 -0
  60. data/docs/resources/sshd_config.md.erb +97 -0
  61. data/docs/resources/ssl.md.erb +133 -0
  62. data/docs/resources/sys_info.md.erb +55 -0
  63. data/docs/resources/systemd_service.md.erb +76 -0
  64. data/docs/resources/sysv_service.md.erb +76 -0
  65. data/docs/resources/upstart_service.md.erb +76 -0
  66. data/docs/resources/user.md.erb +154 -0
  67. data/docs/resources/users.md.erb +140 -0
  68. data/docs/resources/vbscript.md.erb +69 -0
  69. data/docs/resources/windows_feature.md.erb +61 -0
  70. data/docs/resources/wmi.md.erb +95 -0
  71. data/docs/resources/xinetd_conf.md.erb +170 -0
  72. data/docs/resources/yaml.md.erb +69 -0
  73. data/docs/resources/yum.md.erb +103 -0
  74. data/docs/ruby_usage.md +154 -0
  75. data/docs/shared/matcher_be.md.erb +1 -0
  76. data/docs/shared/matcher_cmp.md.erb +45 -0
  77. data/docs/shared/matcher_eq.md.erb +3 -0
  78. data/docs/shared/matcher_include.md.erb +1 -0
  79. data/docs/shared/matcher_match.md.erb +1 -0
  80. data/lib/fetchers/url.rb +27 -29
  81. data/lib/inspec/cached_fetcher.rb +67 -0
  82. data/lib/inspec/dependencies/requirement.rb +6 -7
  83. data/lib/inspec/objects/each_loop.rb +5 -2
  84. data/lib/inspec/plugins/fetcher.rb +2 -0
  85. data/lib/inspec/profile.rb +9 -41
  86. data/lib/inspec/resource.rb +1 -1
  87. data/lib/inspec/rspec_json_formatter.rb +11 -5
  88. data/lib/inspec/version.rb +1 -1
  89. data/lib/resources/groups.rb +190 -0
  90. data/lib/resources/users.rb +3 -2
  91. metadata +79 -6
  92. data/docs/cli.rst +0 -448
  93. data/docs/resources.rst +0 -4836
  94. data/docs/ruby_usage.rst +0 -145
  95. data/lib/resources/group.rb +0 -137
@@ -0,0 +1,99 @@
1
+ ---
2
+ title: About the inetd_conf Resource
3
+ ---
4
+
5
+ # inetd_conf
6
+
7
+ Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.`
8
+
9
+ # Syntax
10
+
11
+ An `inetd_conf` resource block declares the list of services that are enabled in the `inetd.conf` file:
12
+
13
+ describe inetd_conf('path') do
14
+ its('service_name') { should eq 'value' }
15
+ end
16
+
17
+ where
18
+
19
+ * `'service_name'` is a service listed in the `inetd.conf` file
20
+ * `('path')` is the non-default path to the `inetd.conf` file
21
+ * `should eq 'value'` is the value that is expected
22
+
23
+
24
+ # Matchers
25
+
26
+ This resource matches any service that is listed in the `inetd.conf` file. You may want to ensure that specific services do not listen via `inetd.conf`:
27
+
28
+ its('shell') { should eq nil }
29
+
30
+ or:
31
+
32
+ its('netstat') { should eq nil }
33
+
34
+ or:
35
+
36
+ its('systat') { should eq nil }
37
+
38
+ For example:
39
+
40
+ describe inetd_conf do
41
+ its('shell') { should eq nil }
42
+ its('login') { should eq nil }
43
+ its('exec') { should eq nil }
44
+ end
45
+
46
+ ## be
47
+
48
+ <%= partial "/shared/matcher_be" %>
49
+
50
+ ## cmp
51
+
52
+ <%= partial "/shared/matcher_cmp" %>
53
+
54
+ ## eq
55
+
56
+ <%= partial "/shared/matcher_eq" %>
57
+
58
+ ## include
59
+
60
+ <%= partial "/shared/matcher_include" %>
61
+
62
+ ## match
63
+
64
+ <%= partial "/shared/matcher_match" %>
65
+
66
+ # Examples
67
+
68
+ The following examples show how to use this InSpec audit resource.
69
+
70
+ ## Verify that FTP is disabled
71
+
72
+ The contents if the `inetd.conf` file contain the following:
73
+
74
+ #ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
75
+ #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
76
+
77
+ and the following test is defined:
78
+
79
+ describe inetd_conf do
80
+ its('ftp') { should eq nil }
81
+ its('telnet') { should eq nil }
82
+ end
83
+
84
+ Because both the `ftp` and `telnet` Internet services are commented out (`#`), both services are disabled. Consequently, both tests will return `true`. However, if the `inetd.conf` file is set as follows:
85
+
86
+ ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
87
+ #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
88
+
89
+ then the same test will return `false` for `ftp` and the entire test will fail.
90
+
91
+ ## Test if telnet is installed
92
+
93
+ describe package('telnetd') do
94
+ it { should_not be_installed }
95
+ end
96
+
97
+ describe inetd_conf do
98
+ its('telnet') { should eq nil }
99
+ end
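Review bot: the intro paragraph ends with a stray backtick after "should be enabled." that will render as an unclosed code span; drop it. In the FTP example, "The contents if the `inetd.conf` file" should read "The contents of the `inetd.conf` file". The heading "Test if telnet is installed" states the opposite of what its block asserts (`should_not be_installed` and `its('telnet') { should eq nil }`); "Test that telnet is neither installed nor enabled" matches the code. The syntax bullets describe `'service_name'` as "a service listed in the file", yet every example checks for `nil`; the paragraph after the FTP example only implies that a commented-out or absent service yields `nil`, so state that explicitly in the Matchers section.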
@@ -0,0 +1,69 @@
1
+ ---
2
+ title: About the ini Resource
3
+ ---
4
+
5
+ # ini
6
+
7
+ Use the `ini` InSpec audit resource to test settings in an INI file.
8
+
9
+ # Syntax
10
+
11
+ An `ini` resource block declares the configuration settings to be tested:
12
+
13
+ describe ini('path') do
14
+ its('setting_name') { should eq 'value' }
15
+ end
16
+
17
+ where
18
+
19
+ * `'setting_name'` is a synchronization setting defined in the INI file
20
+ * `('path')` is the path to the INI file
21
+ * `{ should eq 'value' }` is the value that is expected
22
+
23
+ For example:
24
+
25
+ describe ini('path/to/ini_file.ini') do
26
+ its('port') { should eq '143' }
27
+ its('server') { should eq '192.0.2.62' }
28
+ end
29
+
30
+ # Matchers
31
+
32
+ This InSpec audit resource has the following matchers:
33
+
34
+ ## be
35
+
36
+ <%= partial "/shared/matcher_be" %>
37
+
38
+ ## cmp
39
+
40
+ <%= partial "/shared/matcher_cmp" %>
41
+
42
+ ## eq
43
+
44
+ <%= partial "/shared/matcher_eq" %>
45
+
46
+ ## include
47
+
48
+ <%= partial "/shared/matcher_include" %>
49
+
50
+ ## match
51
+
52
+ <%= partial "/shared/matcher_match" %>
53
+
54
+ # Examples
55
+
56
+ The following examples show how to use this InSpec audit resource.
57
+
58
+ ## Test SMTP settings in a PHP INI file
59
+
60
+ For example, a PHP INI file located at contains the following settings:
61
+
62
+ ; SMTP = smtp.gmail.com
63
+ ; smtp_port = 465
64
+
65
+ and can be tested like this:
66
+
67
+ describe ini(/etc/php5/apache2/php.ini) do
68
+ its('smtp_port') { should eq('465') }
69
+ end
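Review bot: the final example passes the path unquoted, `describe ini(/etc/php5/apache2/php.ini) do`, which Ruby tries to read as a regex literal and fails to parse; it should be `describe ini('/etc/php5/apache2/php.ini') do`. The sentence introducing it, "a PHP INI file located at contains the following settings", is missing the path after "located at". Both sample lines are commented out with a leading `;`, so `its('smtp_port') { should eq('465') }` would find no value; either drop the `;` from the samples or make the test assert `nil`, as the inetd_conf page does. Also, "is a synchronization setting defined in the INI file" looks copied from another resource page; "is a setting defined in the INI file" is what is meant.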
@@ -0,0 +1,66 @@
1
+ ---
2
+ title: About the interface Resource
3
+ ---
4
+
5
+ # interface
6
+
7
+ Use the `interface` InSpec audit resource to test basic network adapter properties, such as name, status, state, address, and link speed (in MB/sec).
8
+
9
+ * On Linux platforms, `/sys/class/net/#{iface}` is used as source
10
+ * On the Windows platform, the `Get-NetAdapter` cmdlet is used as source
11
+
12
+ # Syntax
13
+
14
+ An `interface` resource block declares network interface properties to be tested:
15
+
16
+ describe interface do
17
+ it { should be_up }
18
+ its('speed') { should eq 1000 }
19
+ its('name') { should eq eth0 }
20
+ end
21
+
22
+ # Matchers
23
+
24
+ This InSpec audit resource has the following matchers:
25
+
26
+ ## be
27
+
28
+ <%= partial "/shared/matcher_be" %>
29
+
30
+ ## be_up
31
+
32
+ The `be_up` matcher tests if the network interface is available:
33
+
34
+ it { should be_up }
35
+
36
+ ## cmp
37
+
38
+ <%= partial "/shared/matcher_cmp" %>
39
+
40
+ ## eq
41
+
42
+ <%= partial "/shared/matcher_eq" %>
43
+
44
+ ## include
45
+
46
+ <%= partial "/shared/matcher_include" %>
47
+
48
+ ## match
49
+
50
+ <%= partial "/shared/matcher_match" %>
51
+
52
+ ## name
53
+
54
+ The `name` matcher tests if the named network interface exists:
55
+
56
+ its('name') { should eq eth0 }
57
+
58
+ ## speed
59
+
60
+ The `speed` matcher tests the speed of the network interface, in MB/sec:
61
+
62
+ its('speed') { should eq 1000 }
63
+
64
+ # Examples
65
+
66
+ None.
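Review bot: `its('name') { should eq eth0 }` appears twice (syntax block and the `name` matcher) with `eth0` as an unquoted bareword, which raises in Ruby; quote it as `'eth0'`. The syntax block calls `describe interface do` with no argument while the matcher text speaks of "the named network interface"; `describe interface('eth0') do` would make the argument explicit. `/sys/class/net/#{iface}` leaks Ruby string interpolation into the rendered doc; `/sys/class/net/<interface>` reads as intended. The speed unit is given as MB/sec, but the sysfs `speed` attribute named as the Linux source reports link speed in Mbit/s, so `should eq 1000` describes a gigabit link; the unit should be checked. Finally, "Examples: None." leaves this page without a worked example while the other resource pages have one.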
@@ -0,0 +1,70 @@
1
+ ---
2
+ title: About the iptables Resource
3
+ ---
4
+
5
+ # iptables
6
+
7
+ Use the `iptables` InSpec audit resource to test rules that are defined in `iptables`, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.
8
+
9
+ # Syntax
10
+
11
+ A `iptables` resource block declares tests for rules in IP tables:
12
+
13
+ describe iptables(rule:'name', table:'name', chain: 'name') do
14
+ it { should have_rule('RULE') }
15
+ end
16
+
17
+ where
18
+
19
+ * `iptables()` may specify any combination of `rule`, `table`, or `chain`
20
+ * `rule:'name'` is the name of a rule that matches a set of packets
21
+ * `table:'name'` is the packet matching table against which the test is run
22
+ * `chain: 'name'` is the name of a user-defined chain or one of `ACCEPT`, `DROP`, `QUEUE`, or `RETURN`
23
+ * `have_rule('RULE')` tests that rule in the iptables file
24
+
25
+
26
+ # Matchers
27
+
28
+ This InSpec audit resource has the following matchers:
29
+
30
+ ## be
31
+
32
+ <%= partial "/shared/matcher_be" %>
33
+
34
+ ## cmp
35
+
36
+ <%= partial "/shared/matcher_cmp" %>
37
+
38
+ ## eq
39
+
40
+ <%= partial "/shared/matcher_eq" %>
41
+
42
+ ## have_rule
43
+
44
+ The `have_rule` matcher tests the named rule against the information in the `iptables` file:
45
+
46
+ it { should have_rule('RULE') }
47
+
48
+ ## include
49
+
50
+ <%= partial "/shared/matcher_include" %>
51
+
52
+ ## match
53
+
54
+ <%= partial "/shared/matcher_match" %>
55
+
56
+ # Examples
57
+
58
+ The following examples show how to use this InSpec audit resource.
59
+
60
+ ## Test if the IP table allows a packet through
61
+
62
+ describe iptables do
63
+ it { should have_rule('-P INPUT ACCEPT') }
64
+ end
65
+
66
+ ## Test if the IP table allows a packet through, for a specific table and chain
67
+
68
+ describe iptables(table:'mangle', chain: 'input') do
69
+ it { should have_rule('-P INPUT ACCEPT') }
70
+ end
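Review bot: the `chain: 'name'` bullet lists `ACCEPT`, `DROP`, `QUEUE`, and `RETURN` as chain names, but those are targets (what the intro paragraph calls "what target to assign to the packet"); the built-in chains are `INPUT`, `OUTPUT` and `FORWARD`, plus `PREROUTING` and `POSTROUTING` in the nat and mangle tables. The second example mixes cases, `chain: 'input'` against `have_rule('-P INPUT ACCEPT')`; iptables chain names are case-sensitive, so use `chain: 'INPUT'`. `rule:'name'` is described as "the name of a rule", but iptables rules have no names and both examples pass a rule string (`'-P INPUT ACCEPT'`); describe it as the rule text to match. Also "A `iptables` resource block" should be "An `iptables` resource block", and the keyword spacing in `rule:'name', table:'name', chain: 'name'` should be made consistent.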
@@ -0,0 +1,76 @@
1
+ ---
2
+ title: About the json Resource
3
+ ---
4
+
5
+ # json
6
+
7
+ Use the `json` InSpec audit resource to test data in a JSON file.
8
+
9
+ # Syntax
10
+
11
+ A `json` resource block declares the data to be tested. Assume the following JSON file:
12
+
13
+ {
14
+ "name" : "hello",
15
+ "meta" : {
16
+ "creator" : "John Doe"
17
+ },
18
+ "array": [
19
+ "zero",
20
+ "one"
21
+ ]
22
+ }
23
+
24
+ This file can be queried using:
25
+
26
+ describe json('/paht/to/name.json') do
27
+ its('name') { should eq 'hello' }
28
+ its(['meta','creator']) { should eq 'John Doe' }
29
+ its(['array', 1]) { should eq 'one' }
30
+ end
31
+
32
+ where
33
+
34
+ * `name` is a configuration setting in a JSON file
35
+ * `should eq 'foo'` tests a value of `name` as read from a JSON file versus the value declared in the test
36
+
37
+
38
+ # Matchers
39
+
40
+ This InSpec audit resource has the following matchers:
41
+
42
+ ## be
43
+
44
+ <%= partial "/shared/matcher_be" %>
45
+
46
+ ## cmp
47
+
48
+ <%= partial "/shared/matcher_cmp" %>
49
+
50
+ ## eq
51
+
52
+ <%= partial "/shared/matcher_eq" %>
53
+
54
+ ## include
55
+
56
+ <%= partial "/shared/matcher_include" %>
57
+
58
+ ## match
59
+
60
+ <%= partial "/shared/matcher_match" %>
61
+
62
+ ## name
63
+
64
+ The `name` matcher tests the value of `name` as read from a JSON file versus the value declared in the test:
65
+
66
+ its('name') { should eq 'foo' }
67
+
68
+ # Examples
69
+
70
+ The following examples show how to use this InSpec audit resource.
71
+
72
+ ## Test a cookbook version in a policyfile.lock.json file
73
+
74
+ describe json('policyfile.lock.json') do
75
+ its(['cookbook_locks', 'omnibus', 'version']) { should eq('2.2.0') }
76
+ end
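Review bot: `describe json('/paht/to/name.json')` misspells the placeholder path; `/path/to/name.json`. The "where" bullets say `should eq 'foo'` and the `name` matcher block repeats `'foo'`, but the sample file and the query block use `'hello'`; pick one value so the explanation matches the code. The `## name` section sits among the matchers, yet `name` is only a key of the sample document, not a matcher of the resource; the matchers are `eq`, `cmp` and the others listed, applied through `its(...)`. The `its(['meta','creator'])` and `its(['array', 1])` lines are the useful part of this page (nested key and array index access) and deserve a bullet in the "where" list alongside `name`.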
@@ -0,0 +1,60 @@
1
+ ---
2
+ title: About the kernel_module Resource
3
+ ---
4
+
5
+ # kernel_module
6
+
7
+ Use the `kernel_module` InSpec audit resource to test kernel modules on Linux platforms. These parameters are located under `/lib/modules`. Any submodule may be tested using this resource.
8
+
9
+ # Syntax
10
+
11
+ A `kernel_module` resource block declares a module name, and then tests if that module is a loadable kernel module:
12
+
13
+ describe kernel_module('module_name') do
14
+ it { should be_loaded }
15
+ end
16
+
17
+ where
18
+
19
+ * `'module_name'` must specify a kernel module, such as `'bridge'`
20
+ * `{ should be_loaded }` tests if the module is a loadable kernel module
21
+
22
+ # Matchers
23
+
24
+ This InSpec audit resource has the following matchers:
25
+
26
+ ## be
27
+
28
+ <%= partial "/shared/matcher_be" %>
29
+
30
+ ## be_loaded
31
+
32
+ The `be_loaded` matcher tests if the module is a loadable kernel module:
33
+
34
+ it { should be_loaded }
35
+
36
+ ## cmp
37
+
38
+ <%= partial "/shared/matcher_cmp" %>
39
+
40
+ ## eq
41
+
42
+ <%= partial "/shared/matcher_eq" %>
43
+
44
+ ## include
45
+
46
+ <%= partial "/shared/matcher_include" %>
47
+
48
+ ## match
49
+
50
+ <%= partial "/shared/matcher_match" %>
51
+
52
+ # Examples
53
+
54
+ The following examples show how to use this InSpec audit resource.
55
+
56
+ ## Test if a module is loaded
57
+
58
+ describe kernel_module('bridge') do
59
+ it { should be_loaded }
60
+ end
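Review bot: `be_loaded` is described twice as testing whether the module "is a loadable kernel module", but the matcher name says loaded, and a module file present under `/lib/modules` is loadable whether or not it has been inserted into the running kernel; the doc should say the matcher tests if the module is currently loaded, otherwise a passing test reads as if it only proves the file exists. "These parameters are located under `/lib/modules`" looks copied from the kernel_parameter page; "kernel modules are located under `/lib/modules`" is what is meant. "Any submodule may be tested using this resource" is unclear; either define what a submodule is here or drop the sentence.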