inspec 1.0.0.beta2 → 1.0.0.beta3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (95) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +41 -2
  3. data/Gemfile +4 -0
  4. data/Rakefile +2 -1
  5. data/docs/.gitignore +2 -0
  6. data/docs/README.md +21 -1
  7. data/docs/resources/apache_conf.md.erb +75 -0
  8. data/docs/resources/apt.md.erb +84 -0
  9. data/docs/resources/audit_policy.md.erb +61 -0
  10. data/docs/resources/auditd_conf.md.erb +79 -0
  11. data/docs/resources/auditd_rules.md.erb +132 -0
  12. data/docs/resources/bash.md.erb +84 -0
  13. data/docs/resources/bond.md.erb +97 -0
  14. data/docs/resources/bridge.md.erb +67 -0
  15. data/docs/resources/bsd_service.md.erb +76 -0
  16. data/docs/resources/command.md.erb +151 -0
  17. data/docs/resources/csv.md.erb +62 -0
  18. data/docs/resources/directory.md.erb +43 -0
  19. data/docs/resources/etc_group.md.erb +116 -0
  20. data/docs/resources/etc_passwd.md.erb +155 -0
  21. data/docs/resources/etc_shadow.md.erb +149 -0
  22. data/docs/resources/file.md.erb +460 -0
  23. data/docs/resources/gem.md.erb +73 -0
  24. data/docs/resources/group.md.erb +74 -0
  25. data/docs/resources/grub_conf.md.erb +115 -0
  26. data/docs/resources/host.md.erb +85 -0
  27. data/docs/resources/iis_site.md.erb +142 -0
  28. data/docs/resources/inetd_conf.md.erb +99 -0
  29. data/docs/resources/ini.md.erb +69 -0
  30. data/docs/resources/interface.md.erb +66 -0
  31. data/docs/resources/iptables.md.erb +70 -0
  32. data/docs/resources/json.md.erb +76 -0
  33. data/docs/resources/kernel_module.md.erb +60 -0
  34. data/docs/resources/kernel_parameter.md.erb +72 -0
  35. data/docs/resources/launchd_service.md.erb +76 -0
  36. data/docs/resources/limits_conf.md.erb +80 -0
  37. data/docs/resources/login_def.md.erb +77 -0
  38. data/docs/resources/mount.md.erb +83 -0
  39. data/docs/resources/mysql_conf.md.erb +102 -0
  40. data/docs/resources/mysql_session.md.erb +63 -0
  41. data/docs/resources/npm.md.erb +75 -0
  42. data/docs/resources/ntp_conf.md.erb +76 -0
  43. data/docs/resources/oneget.md.erb +67 -0
  44. data/docs/resources/os.md.erb +154 -0
  45. data/docs/resources/os_env.md.erb +98 -0
  46. data/docs/resources/package.md.erb +115 -0
  47. data/docs/resources/parse_config.md.erb +122 -0
  48. data/docs/resources/parse_config_file.md.erb +143 -0
  49. data/docs/resources/pip.md.erb +74 -0
  50. data/docs/resources/port.md.erb +150 -0
  51. data/docs/resources/postgres_conf.md.erb +90 -0
  52. data/docs/resources/postgres_session.md.erb +75 -0
  53. data/docs/resources/powershell.md.erb +116 -0
  54. data/docs/resources/process.md.erb +73 -0
  55. data/docs/resources/registry_key.md.erb +149 -0
  56. data/docs/resources/runit_service.md.erb +76 -0
  57. data/docs/resources/security_policy.md.erb +61 -0
  58. data/docs/resources/service.md.erb +135 -0
  59. data/docs/resources/ssh_config.md.erb +94 -0
  60. data/docs/resources/sshd_config.md.erb +97 -0
  61. data/docs/resources/ssl.md.erb +133 -0
  62. data/docs/resources/sys_info.md.erb +55 -0
  63. data/docs/resources/systemd_service.md.erb +76 -0
  64. data/docs/resources/sysv_service.md.erb +76 -0
  65. data/docs/resources/upstart_service.md.erb +76 -0
  66. data/docs/resources/user.md.erb +154 -0
  67. data/docs/resources/users.md.erb +140 -0
  68. data/docs/resources/vbscript.md.erb +69 -0
  69. data/docs/resources/windows_feature.md.erb +61 -0
  70. data/docs/resources/wmi.md.erb +95 -0
  71. data/docs/resources/xinetd_conf.md.erb +170 -0
  72. data/docs/resources/yaml.md.erb +69 -0
  73. data/docs/resources/yum.md.erb +103 -0
  74. data/docs/ruby_usage.md +154 -0
  75. data/docs/shared/matcher_be.md.erb +1 -0
  76. data/docs/shared/matcher_cmp.md.erb +45 -0
  77. data/docs/shared/matcher_eq.md.erb +3 -0
  78. data/docs/shared/matcher_include.md.erb +1 -0
  79. data/docs/shared/matcher_match.md.erb +1 -0
  80. data/lib/fetchers/url.rb +27 -29
  81. data/lib/inspec/cached_fetcher.rb +67 -0
  82. data/lib/inspec/dependencies/requirement.rb +6 -7
  83. data/lib/inspec/objects/each_loop.rb +5 -2
  84. data/lib/inspec/plugins/fetcher.rb +2 -0
  85. data/lib/inspec/profile.rb +9 -41
  86. data/lib/inspec/resource.rb +1 -1
  87. data/lib/inspec/rspec_json_formatter.rb +11 -5
  88. data/lib/inspec/version.rb +1 -1
  89. data/lib/resources/groups.rb +190 -0
  90. data/lib/resources/users.rb +3 -2
  91. metadata +79 -6
  92. data/docs/cli.rst +0 -448
  93. data/docs/resources.rst +0 -4836
  94. data/docs/ruby_usage.rst +0 -145
  95. data/lib/resources/group.rb +0 -137
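--- a/data/docs/resources/kernel_parameter.md.erb
+++ b/data/docs/resources/kernel_parameter.md.erb
@@ -0,0 +1,72 @@
+---
+title: About the kernel_parameter Resource
+---
+
+# kernel_parameter
+
+Use the `kernel_parameter` InSpec audit resource to test kernel parameters on Linux platforms.
+
+# Syntax
+
+A `kernel_parameter` resource block declares a parameter and then a value to be tested:
+
+describe kernel_parameter('path.to.parameter') do
+its('value') { should eq 0 }
+end
+
+where
+
+* `'kernel.parameter'` must specify a kernel parameter, such as `'net.ipv4.conf.all.forwarding'`
+* `{ should eq 0 }` states the value to be tested
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## value
+
+The `value` matcher tests the value assigned to the named IP address versus the value declared in the test:
+
+its('value') { should eq 0 }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test if global forwarding is enabled for an IPv4 address
+
+describe kernel_parameter('net.ipv4.conf.all.forwarding') do
+its('value') { should eq 1 }
+end
+
+## Test if global forwarding is disabled for an IPv6 address
+
+describe kernel_parameter('net.ipv6.conf.all.forwarding') do
+its('value') { should eq 0 }
+end
+
+## Test if an IPv6 address accepts redirects
+
+describe kernel_parameter('net.ipv6.conf.interface.accept_redirects') do
+its('value') { should eq 'true' }
+end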
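--- a/data/docs/resources/launchd_service.md.erb
+++ b/data/docs/resources/launchd_service.md.erb
@@ -0,0 +1,76 @@
+---
+title: About the launchd_service Resource
+---
+
+# launchd_service
+
+Use the ``launchd_service`` InSpec audit resource to test a service using Launchd.
+
+# Syntax
+
+A ``launchd_service`` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
+
+describe launchd_service('service_name') do
+it { should be_installed }
+it { should be_enabled }
+it { should be_running }
+end
+
+where
+
+* ``('service_name')`` must specify a service name
+* `be_installed`, `be_enabled`, and `be_running` are valid matchers for this resource; all matchers available to the `service` resource may be used
+
+The path to the service manager's control may be specified for situations where the path isn't available in the current ``PATH``. For example:
+
+describe launchd_service('service_name', '/path/to/control') do
+it { should be_enabled }
+it { should be_installed }
+it { should be_running }
+end
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## be_enabled
+
+The `be_enabled` matcher tests if the named service is enabled:
+
+it { should be_enabled }
+
+## be_installed
+
+The `be_installed` matcher tests if the named service is installed:
+
+it { should be_installed }
+
+## be_running
+
+The `be_running` matcher tests if the named service is running:
+
+it { should be_running }
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+None.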
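--- a/data/docs/resources/limits_conf.md.erb
+++ b/data/docs/resources/limits_conf.md.erb
@@ -0,0 +1,80 @@
+---
+title: About the limits_conf Resource
+---
+
+# limits_conf
+
+Use the `limits_conf` InSpec audit resource to test configuration settings in the `/etc/security/limits.conf` file. The `limits.conf` defines limits for processes (by user and/or group names) and helps ensure that the system on which those processes are running remains stable. Each process may be assigned a hard or soft limit.
+
+* Soft limits are maintained by the shell and defines the number of file handles (or open files) available to the user or group after login
+* Hard limits are maintained by the kernel and defines the maximum number of allowed file handles
+
+Entries in the `limits.conf` file are similar to:
+
+grantmc soft nofile 4096
+grantmc hard nofile 63536
+
+^^^^^^^^^ ^^^^ ^^^^^^ ^^^^^
+domain type item value
+
+# Syntax
+
+A `limits_conf` resource block declares a domain to be tested, along with associated type, item, and value:
+
+describe limits_conf('path') do
+its('domain') { should include ['type', 'item', 'value'] }
+its('domain') { should eq ['type', 'item', 'value'] }
+end
+
+where
+
+* `('path')` is the non-default path to the `inetd.conf` file
+* `'domain'` is a user or group name, such as `grantmc`
+* `'type'` is either `hard` or `soft`
+* `'item'` is the item for which limits are defined, such as `core`, `nofile`, `stack`, `nproc`, `priority`, or `maxlogins`
+* `'value'` is the value associated with the `item`
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## domain
+
+The `domain` matcher tests the domain in the `limits.conf` file, along with associated type, item, and value:
+
+its('domain') { should include ['type', 'item', 'value'] }
+`
+For example:
+
+its('grantmc') { should include ['hard', 'nofile', '63536'] }
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test limits
+
+describe limits_conf('path') do
+its('*') { should include ['soft', 'core', '0'], ['hard', 'rss', '10000'] }
+its('ftp') { should eq ['hard', 'nproc', '0'] }
+end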
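--- a/data/docs/resources/login_def.md.erb
+++ b/data/docs/resources/login_def.md.erb
@@ -0,0 +1,77 @@
+---
+title: About the login_defs Resource
+---
+
+# login_defs
+
+Use the `login_defs` InSpec audit resource to test configuration settings in the `/etc/login.defs` file. The `logins.defs` file defines site-specific configuration for the shadow password suite on Linux and Unix platforms, such as password expiration ranges, minimum/maximum values for automatic selection of user and group identifiers, or the method with which passwords are encrypted.
+
+# Syntax
+
+A `login_defs` resource block declares the `login.defs` configuration data to be tested:
+
+describe login_defs do
+its('name') { should include('foo') }
+end
+
+where
+
+* `name` is a configuration setting in `login.defs`
+* `{ should include('foo') }` tests the value of `name` as read from `login.defs` versus the value declared in the test
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## name
+
+The `name` matcher tests the value of `name` as read from `login.defs` versus the value declared in the test:
+
+its('name') { should eq 'foo' }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test password expiration settings
+
+describe login_defs do
+its('PASS_MAX_DAYS') { should eq '180' }
+its('PASS_MIN_DAYS') { should eq '1' }
+its('PASS_MIN_LEN') { should eq '15' }
+its('PASS_WARN_AGE') { should eq '30' }
+end
+
+## Test the encryption method
+
+describe login_defs do
+its('ENCRYPT_METHOD') { should eq 'SHA512' }
+end
+
+## Test umask setting
+
+describe login_def do
+its('UMASK') { should eq '077' }
+its('PASS_MAX_DAYS') { should eq '90' }
+end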
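--- a/data/docs/resources/mount.md.erb
+++ b/data/docs/resources/mount.md.erb
@@ -0,0 +1,83 @@
+---
+title: About the mount Resource
+---
+
+# mount
+
+Use the `mount` InSpec audit resource to test the mount points on Linux systems.
+
+# Syntax
+
+An `mount` resource block declares the synchronization settings that should be tested:
+
+describe mount('path') do
+it { should MATCHER 'value' }
+end
+
+where
+
+* `('path')` is the path to the mounted directory
+* `MATCHER` is a valid matcher for this resource
+* `'value'` is the value to be tested
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## be_mounted
+
+The `be_mounted` matcher tests if the file is accessible from the file system:
+
+it { should be_mounted }
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## device
+
+The `device` matcher tests the device from the `fstab` table:
+
+its('device') { should eq '/dev/mapper/VolGroup-lv_root' }
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## options
+
+The `options` matcher tests the mount options for the file system from the `fstab` table:
+
+its('options') { should eq ['rw', 'mode=620'] }
+
+## type
+
+The `type` matcher tests the file system type:
+
+its('type') { should eq 'ext4' }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test a the mount point on '/'
+
+describe mount('/') do
+it { should be_mounted }
+its('device') { should eq '/dev/mapper/VolGroup-lv_root' }
+its('type') { should eq 'ext4' }
+its('options') { should eq ['rw', 'mode=620'] }
+end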
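--- a/data/docs/resources/mysql_conf.md.erb
+++ b/data/docs/resources/mysql_conf.md.erb
@@ -0,0 +1,102 @@
+---
+title: About the mysql_conf Resource
+---
+
+# mysql_conf
+
+Use the `mysql_conf` InSpec audit resource to test the contents of the configuration file for MySQL, typically located at `/etc/mysql/my.cnf` or `/etc/my.cnf`.
+
+# Syntax
+
+A `mysql_conf` resource block declares one (or more) settings in the `my.cnf` file, and then compares the setting in the configuration file to the value stated in the test:
+
+describe mysql_conf('path') do
+its('setting') { should eq 'value' }
+end
+
+where
+
+* `'setting'` specifies a setting in the `my.cnf` file, such as `max_connections`
+* `('path')` is the non-default path to the `my.cnf` file
+* `should eq 'value'` is the value that is expected
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## setting
+
+The `setting` matcher tests specific, named settings in the `my.cnf` file:
+
+its('setting') { should eq 'value' }
+
+Use a `setting` matcher for each setting to be tested.
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test the maximum number of allowed connections
+
+describe mysql_conf do
+its('max_connections') { should eq '505' }
+its('max_user_connections') { should eq '500' }
+end
+
+## Test slow query logging**
+
+describe mysql_conf do
+its('slow_query_log_file') { should eq 'hostname_slow.log' }
+its('slow_query_log') { should eq '0' }
+its('log_queries_not_using_indexes') { should eq '1' }
+its('long_query_time') { should eq '0.5' }
+its('min_examined_row_limit') { should eq '100' }
+end
+
+## Test the port and socket on which MySQL listens
+
+describe mysql_conf do
+its('port') { should eq '3306' }
+its('socket') { should eq '/var/run/mysqld/mysql.sock' }
+end
+
+## Test connection and thread variables
+
+describe mysql_conf do
+its('port') { should eq '3306' }
+its('socket') { should eq '/var/run/mysqld/mysql.sock' }
+its('max_allowed_packet') { should eq '12M' }
+its('default_storage_engine') { should eq 'InnoDB' }
+its('character_set_server') { should eq 'utf8' }
+its('collation_server') { should eq 'utf8_general_ci' }
+its('max_connections') { should eq '505' }
+its('max_user_connections') { should eq '500' }
+its('thread_cache_size') { should eq '505' }
+end
+
+## Test the safe-user-create parameter
+
+describe mysql_conf.params('mysqld') do
+its('safe-user-create') { should eq('1') }
+end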