inspec 1.0.0.beta2 → 1.0.0.beta3

data/docs/resources/kernel_parameter.md.erb

@@ -0,0 +1,72 @@
+---
+title: About the kernel_parameter Resource
+---
+
+# kernel_parameter
+
+Use the `kernel_parameter` InSpec audit resource to test kernel parameters on Linux platforms.
+
+# Syntax
+
+A `kernel_parameter` resource block declares a parameter and then a value to be tested:
+
+    describe kernel_parameter('path.to.parameter') do
+      its('value') { should eq 0 }
+    end
+
+where
+
+* `'kernel.parameter'` must specify a kernel parameter, such as `'net.ipv4.conf.all.forwarding'`
+* `{ should eq 0 }` states the value to be tested
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## value
+
+The `value` matcher tests the value assigned to the named IP address versus the value declared in the test:
+
+    its('value') { should eq 0 }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test if global forwarding is enabled for an IPv4 address
+
+    describe kernel_parameter('net.ipv4.conf.all.forwarding') do
+      its('value') { should eq 1 }
+    end
+
+## Test if global forwarding is disabled for an IPv6 address
+
+    describe kernel_parameter('net.ipv6.conf.all.forwarding') do
+      its('value') { should eq 0 }
+    end
+
+## Test if an IPv6 address accepts redirects
+
+    describe kernel_parameter('net.ipv6.conf.interface.accept_redirects') do
+      its('value') { should eq 'true' }
+    end

data/docs/resources/launchd_service.md.erb

@@ -0,0 +1,76 @@
+---
+title: About the launchd_service Resource
+---
+
+# launchd_service
+
+Use the ``launchd_service`` InSpec audit resource to test a service using Launchd.
+
+# Syntax
+
+A ``launchd_service`` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
+
+    describe launchd_service('service_name') do
+      it { should be_installed }
+      it { should be_enabled }
+      it { should be_running }
+    end
+
+where
+
+* ``('service_name')`` must specify a service name
+* `be_installed`, `be_enabled`, and `be_running` are valid matchers for this resource; all matchers available to the `service` resource may be used
+
+The path to the service manager's control may be specified for situations where the path isn't available in the current ``PATH``. For example:
+
+    describe launchd_service('service_name', '/path/to/control') do
+      it { should be_enabled }
+      it { should be_installed }
+      it { should be_running }
+    end
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## be_enabled
+
+The `be_enabled` matcher tests if the named service is enabled:
+
+    it { should be_enabled }
+
+## be_installed
+
+The `be_installed` matcher tests if the named service is installed:
+
+    it { should be_installed }
+
+## be_running
+
+The `be_running` matcher tests if the named service is running:
+
+    it { should be_running }
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+None.

data/docs/resources/limits_conf.md.erb

@@ -0,0 +1,80 @@
+---
+title: About the limits_conf Resource
+---
+
+# limits_conf
+
+Use the `limits_conf` InSpec audit resource to test configuration settings in the `/etc/security/limits.conf` file. The `limits.conf` defines limits for processes (by user and/or group names) and helps ensure that the system on which those processes are running remains stable. Each process may be assigned a hard or soft limit.
+
+* Soft limits are maintained by the shell and defines the number of file handles (or open files) available to the user or group after login
+* Hard limits are maintained by the kernel and defines the maximum number of allowed file handles
+
+Entries in the `limits.conf` file are similar to:
+
+    grantmc     soft   nofile   4096
+    grantmc     hard   nofile   63536
+
+    ^^^^^^^^^   ^^^^   ^^^^^^   ^^^^^
+    domain      type    item    value
+
+# Syntax
+
+A `limits_conf` resource block declares a domain to be tested, along with associated type, item, and value:
+
+    describe limits_conf('path') do
+      its('domain') { should include ['type', 'item', 'value'] }
+      its('domain') { should eq ['type', 'item', 'value'] }
+    end
+
+where
+
+* `('path')` is the non-default path to the `inetd.conf` file
+* `'domain'` is a user or group name, such as `grantmc`
+* `'type'` is either `hard` or `soft`
+* `'item'` is the item for which limits are defined, such as `core`, `nofile`, `stack`, `nproc`, `priority`, or `maxlogins`
+* `'value'` is the value associated with the `item`
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## domain
+
+The `domain` matcher tests the domain in the `limits.conf` file, along with associated type, item, and value:
+
+    its('domain') { should include ['type', 'item', 'value'] }
+`
+For example:
+
+    its('grantmc') { should include ['hard', 'nofile', '63536'] }
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test limits
+
+    describe limits_conf('path') do
+      its('*') { should include ['soft', 'core', '0'], ['hard', 'rss', '10000'] }
+      its('ftp') { should eq ['hard', 'nproc', '0'] }
+    end

data/docs/resources/login_def.md.erb

@@ -0,0 +1,77 @@
+---
+title: About the login_defs Resource
+---
+
+# login_defs
+
+Use the `login_defs` InSpec audit resource to test configuration settings in the `/etc/login.defs` file. The `logins.defs` file defines site-specific configuration for the shadow password suite on Linux and Unix platforms, such as password expiration ranges, minimum/maximum values for automatic selection of user and group identifiers, or the method with which passwords are encrypted.
+
+# Syntax
+
+A `login_defs` resource block declares the `login.defs` configuration data to be tested:
+
+    describe login_defs do
+      its('name') { should include('foo') }
+    end
+
+where
+
+* `name` is a configuration setting in `login.defs`
+* `{ should include('foo') }` tests the value of `name` as read from `login.defs` versus the value declared in the test
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## name
+
+The `name` matcher tests the value of `name` as read from `login.defs` versus the value declared in the test:
+
+    its('name') { should eq 'foo' }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test password expiration settings
+
+    describe login_defs do
+      its('PASS_MAX_DAYS') { should eq '180' }
+      its('PASS_MIN_DAYS') { should eq '1' }
+      its('PASS_MIN_LEN') { should eq '15' }
+      its('PASS_WARN_AGE') { should eq '30' }
+    end
+
+## Test the encryption method
+
+    describe login_defs do
+      its('ENCRYPT_METHOD') { should eq 'SHA512' }
+    end
+
+## Test umask setting
+
+    describe login_def do
+      its('UMASK') { should eq '077' }
+      its('PASS_MAX_DAYS') { should eq '90' }
+    end

data/docs/resources/mount.md.erb

@@ -0,0 +1,83 @@
+---
+title: About the mount Resource
+---
+
+# mount
+
+Use the `mount` InSpec audit resource to test the mount points on Linux systems.
+
+# Syntax
+
+An `mount` resource block declares the synchronization settings that should be tested:
+
+    describe mount('path') do
+      it { should MATCHER 'value' }
+    end
+
+where
+
+* `('path')` is the path to the mounted directory
+* `MATCHER` is a valid matcher for this resource
+* `'value'` is the value to be tested
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## be_mounted
+
+The `be_mounted` matcher tests if the file is accessible from the file system:
+
+    it { should be_mounted }
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## device
+
+The `device` matcher tests the device from the `fstab` table:
+
+    its('device') { should eq  '/dev/mapper/VolGroup-lv_root' }
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## options
+
+The `options` matcher tests the mount options for the file system from the `fstab` table:
+
+    its('options') { should eq ['rw', 'mode=620'] }
+
+## type
+
+The `type` matcher tests the file system type:
+
+    its('type') { should eq  'ext4' }
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test a the mount point on '/'
+
+    describe mount('/') do
+      it { should be_mounted }
+      its('device') { should eq  '/dev/mapper/VolGroup-lv_root' }
+      its('type') { should eq  'ext4' }
+      its('options') { should eq ['rw', 'mode=620'] }
+    end

data/docs/resources/mysql_conf.md.erb

@@ -0,0 +1,102 @@
+---
+title: About the mysql_conf Resource
+---
+
+# mysql_conf
+
+Use the `mysql_conf` InSpec audit resource to test the contents of the configuration file for MySQL, typically located at `/etc/mysql/my.cnf` or `/etc/my.cnf`.
+
+# Syntax
+
+A `mysql_conf` resource block declares one (or more) settings in the `my.cnf` file, and then compares the setting in the configuration file to the value stated in the test:
+
+    describe mysql_conf('path') do
+      its('setting') { should eq 'value' }
+    end
+
+where
+
+* `'setting'` specifies a setting in the `my.cnf` file, such as `max_connections`
+* `('path')` is the non-default path to the `my.cnf` file
+* `should eq 'value'` is the value that is expected
+
+
+# Matchers
+
+This InSpec audit resource has the following matchers:
+
+## be
+
+<%= partial "/shared/matcher_be" %>
+
+## cmp
+
+<%= partial "/shared/matcher_cmp" %>
+
+## eq
+
+<%= partial "/shared/matcher_eq" %>
+
+## include
+
+<%= partial "/shared/matcher_include" %>
+
+## match
+
+<%= partial "/shared/matcher_match" %>
+
+## setting
+
+The `setting` matcher tests specific, named settings in the `my.cnf` file:
+
+    its('setting') { should eq 'value' }
+
+Use a `setting` matcher for each setting to be tested.
+
+# Examples
+
+The following examples show how to use this InSpec audit resource.
+
+## Test the maximum number of allowed connections
+
+    describe mysql_conf do
+      its('max_connections') { should eq '505' }
+      its('max_user_connections') { should eq '500' }
+    end
+
+## Test slow query logging**
+
+    describe mysql_conf do
+      its('slow_query_log_file') { should eq 'hostname_slow.log' }
+      its('slow_query_log') { should eq '0' }
+      its('log_queries_not_using_indexes') { should eq '1' }
+      its('long_query_time') { should eq '0.5' }
+      its('min_examined_row_limit') { should eq '100' }
+    end
+
+## Test the port and socket on which MySQL listens
+
+    describe mysql_conf do
+      its('port') { should eq '3306' }
+      its('socket') { should eq '/var/run/mysqld/mysql.sock' }
+    end
+
+## Test connection and thread variables
+
+    describe mysql_conf do
+      its('port') { should eq '3306' }
+      its('socket') { should eq '/var/run/mysqld/mysql.sock' }
+      its('max_allowed_packet') { should eq '12M' }
+      its('default_storage_engine') { should eq 'InnoDB' }
+      its('character_set_server') { should eq 'utf8' }
+      its('collation_server') { should eq 'utf8_general_ci' }
+      its('max_connections') { should eq '505' }
+      its('max_user_connections') { should eq '500' }
+      its('thread_cache_size') { should eq '505' }
+    end
+
+## Test the safe-user-create parameter
+
+    describe mysql_conf.params('mysqld') do
+      its('safe-user-create') { should eq('1') }
+    end