inspec 1.0.0 → 1.1.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +46 -3
- data/Gemfile +4 -1
- data/README.md +3 -0
- data/docs/dsl_inspec.md +3 -3
- data/docs/profiles.md +17 -0
- data/docs/resources/apache_conf.md.erb +10 -10
- data/docs/resources/apt.md.erb +13 -13
- data/docs/resources/audit_policy.md.erb +10 -10
- data/docs/resources/auditd_conf.md.erb +10 -10
- data/docs/resources/auditd_rules.md.erb +11 -11
- data/docs/resources/bash.md.erb +12 -12
- data/docs/resources/bond.md.erb +15 -15
- data/docs/resources/bridge.md.erb +11 -11
- data/docs/resources/bsd_service.md.erb +11 -11
- data/docs/resources/command.md.erb +21 -21
- data/docs/resources/csv.md.erb +10 -10
- data/docs/resources/directory.md.erb +8 -8
- data/docs/resources/etc_group.md.erb +16 -16
- data/docs/resources/etc_passwd.md.erb +17 -17
- data/docs/resources/etc_shadow.md.erb +19 -19
- data/docs/resources/file.md.erb +58 -58
- data/docs/resources/gem.md.erb +12 -12
- data/docs/resources/group.md.erb +12 -12
- data/docs/resources/grub_conf.md.erb +11 -11
- data/docs/resources/host.md.erb +13 -13
- data/docs/resources/iis_site.md.erb +16 -16
- data/docs/resources/inetd_conf.md.erb +10 -10
- data/docs/resources/ini.md.erb +9 -9
- data/docs/resources/interface.md.erb +11 -11
- data/docs/resources/iptables.md.erb +11 -11
- data/docs/resources/json.md.erb +10 -10
- data/docs/resources/kernel_module.md.erb +10 -10
- data/docs/resources/kernel_parameter.md.erb +12 -12
- data/docs/resources/launchd_service.md.erb +11 -11
- data/docs/resources/limits_conf.md.erb +10 -10
- data/docs/resources/login_def.md.erb +12 -12
- data/docs/resources/mount.md.erb +13 -13
- data/docs/resources/mysql_conf.md.erb +14 -14
- data/docs/resources/mysql_session.md.erb +10 -10
- data/docs/resources/npm.md.erb +12 -12
- data/docs/resources/ntp_conf.md.erb +9 -9
- data/docs/resources/oneget.md.erb +11 -11
- data/docs/resources/os.md.erb +13 -13
- data/docs/resources/os_env.md.erb +12 -12
- data/docs/resources/package.md.erb +15 -15
- data/docs/resources/parse_config.md.erb +13 -13
- data/docs/resources/parse_config_file.md.erb +22 -16
- data/docs/resources/pip.md.erb +12 -12
- data/docs/resources/port.md.erb +18 -18
- data/docs/resources/postgres_conf.md.erb +13 -13
- data/docs/resources/postgres_session.md.erb +11 -11
- data/docs/resources/powershell.md.erb +13 -13
- data/docs/resources/process.md.erb +12 -12
- data/docs/resources/registry_key.md.erb +17 -17
- data/docs/resources/runit_service.md.erb +11 -11
- data/docs/resources/security_policy.md.erb +10 -10
- data/docs/resources/service.md.erb +17 -17
- data/docs/resources/ssh_config.md.erb +13 -13
- data/docs/resources/sshd_config.md.erb +14 -14
- data/docs/resources/ssl.md.erb +12 -12
- data/docs/resources/sys_info.md.erb +10 -10
- data/docs/resources/systemd_service.md.erb +11 -11
- data/docs/resources/sysv_service.md.erb +11 -11
- data/docs/resources/upstart_service.md.erb +11 -11
- data/docs/resources/user.md.erb +20 -20
- data/docs/resources/users.md.erb +19 -19
- data/docs/resources/vbscript.md.erb +9 -9
- data/docs/resources/windows_feature.md.erb +10 -10
- data/docs/resources/wmi.md.erb +10 -10
- data/docs/resources/xinetd_conf.md.erb +17 -17
- data/docs/resources/yaml.md.erb +10 -10
- data/docs/resources/yum.md.erb +16 -16
- data/examples/meta-profile/README.md +0 -5
- data/lib/inspec/base_cli.rb +6 -0
- data/lib/inspec/cli.rb +10 -3
- data/lib/inspec/profile.rb +3 -3
- data/lib/inspec/rspec_json_formatter.rb +24 -15
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/registry_key.rb +15 -5
- data/lib/utils/filter.rb +1 -0
- metadata +3 -4
data/docs/resources/ssl.md.erb
CHANGED
@@ -6,7 +6,7 @@ title: About the ssl Resource
|
|
6
6
|
|
7
7
|
Use the `ssl` InSpec audit resource to test SSL settings for the named port.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
An `ssl` resource block declares an SSL port, and then other properties of the test like cipher and/or protocol:
|
12
12
|
|
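Review bot: The only changed line in this hunk (file line 9, the `-`/`+` pair) shows no visible content on either side, so this is a whitespace-only change to a blank line, and every other hunk in this file has the same shape. That means the wording problems visible in the surrounding context lines of this file (see the `protocols` and Examples hunks further down) are carried into 1.1.0 untouched; a docs-only release like this is the natural place to fix them.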
@@ -26,21 +26,21 @@ where
|
|
26
26
|
* `filter` may take any of the following arguments: `ciphers`, `protocols`, and `handshake`
|
27
27
|
|
28
28
|
|
29
|
-
|
29
|
+
## Matchers
|
30
30
|
|
31
31
|
This InSpec audit resource has the following matchers:
|
32
32
|
|
33
|
-
|
33
|
+
### be
|
34
34
|
|
35
35
|
<%= partial "/shared/matcher_be" %>
|
36
36
|
|
37
|
-
|
37
|
+
### be_enabled
|
38
38
|
|
39
39
|
The `be_enabled` matcher tests if SSL is enabled:
|
40
40
|
|
41
41
|
it { should be_enabled }
|
42
42
|
|
43
|
-
|
43
|
+
### ciphers
|
44
44
|
|
45
45
|
The `ciphers` matcher tests the named cipher:
|
46
46
|
|
@@ -52,23 +52,23 @@ or:
|
|
52
52
|
it { should_not be_enabled }
|
53
53
|
end
|
54
54
|
|
55
|
-
|
55
|
+
### cmp
|
56
56
|
|
57
57
|
<%= partial "/shared/matcher_cmp" %>
|
58
58
|
|
59
|
-
|
59
|
+
### eq
|
60
60
|
|
61
61
|
<%= partial "/shared/matcher_eq" %>
|
62
62
|
|
63
|
-
|
63
|
+
### include
|
64
64
|
|
65
65
|
<%= partial "/shared/matcher_include" %>
|
66
66
|
|
67
|
-
|
67
|
+
### match
|
68
68
|
|
69
69
|
<%= partial "/shared/matcher_match" %>
|
70
70
|
|
71
|
-
|
71
|
+
### protocols
|
72
72
|
|
73
73
|
The `protocols` matcher tests the number of times the named user appears in `/etc/shadow`:
|
74
74
|
|
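Review bot: The `### protocols` description in this hunk's context, "The `protocols` matcher tests the number of times the named user appears in `/etc/shadow`:", is a copy-paste from the `etc_shadow` resource and does not describe this matcher at all. The Syntax section of this file says an `ssl` block declares a port plus "cipher and/or protocol", and the `ciphers` entry just above reads "tests the named cipher", so the parallel wording "The `protocols` matcher tests the named protocol:" is the minimal fix.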
@@ -80,11 +80,11 @@ or:
|
|
80
80
|
it { should_not be_enabled }
|
81
81
|
end
|
82
82
|
|
83
|
-
|
83
|
+
## Examples
|
84
84
|
|
85
85
|
The following examples show how to use this InSpec audit resource.
|
86
86
|
|
87
|
-
|
87
|
+
### Run the ssl-benchmark example profile
|
88
88
|
|
89
89
|
The following shows how to use the `ssl` InSpec audit resource to find all TCP ports on the system, including IPv4 and IPv6. (This is a partial example based on the `ssl_text.rb` file in the `ssl-benchmark` profile on GitHub.)
|
90
90
|
|
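Review bot: The Examples intro in this hunk's context, "The following shows how to use the `ssl` InSpec audit resource to find all TCP ports on the system, including IPv4 and IPv6", describes port enumeration, not the SSL settings of a named port that file line 7 says this resource tests, and it cites a file named `ssl_text.rb`, which looks like a typo for a test file. The sentence should say what the `ssl-benchmark` profile's `ssl` block actually asserts (ciphers and protocols on the named port) and the referenced file name should be checked against the profile on GitHub.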
@@ -6,7 +6,7 @@ title: About the sys_info Resource
|
|
6
6
|
|
7
7
|
Use the `sys_info` InSpec audit resource to test for operating system properties for the named host, and then returns that info as standard output.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
An `sys_info` resource block declares the hostname to be tested:
|
12
12
|
|
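Review bot: Two grammar problems survive in the context of this hunk. File line 7, "test for operating system properties for the named host, and then returns that info as standard output", switches subject mid-sentence; suggest "tests operating system properties of the named host and returns them as standard output". File line 11 should read "A `sys_info` resource block", not "An `sys_info`".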
@@ -14,41 +14,41 @@ An `sys_info` resource block declares the hostname to be tested:
|
|
14
14
|
its('hostname') { should eq 'value' }
|
15
15
|
end
|
16
16
|
|
17
|
-
|
17
|
+
## Matchers
|
18
18
|
|
19
19
|
This InSpec audit resource has the following matchers:
|
20
20
|
|
21
|
-
|
21
|
+
### be
|
22
22
|
|
23
23
|
<%= partial "/shared/matcher_be" %>
|
24
24
|
|
25
|
-
|
25
|
+
### cmp
|
26
26
|
|
27
27
|
<%= partial "/shared/matcher_cmp" %>
|
28
28
|
|
29
|
-
|
29
|
+
### eq
|
30
30
|
|
31
31
|
<%= partial "/shared/matcher_eq" %>
|
32
32
|
|
33
|
-
|
33
|
+
### hostname
|
34
34
|
|
35
35
|
The `hostname` matcher tests the host for which standard output is returned:
|
36
36
|
|
37
37
|
its('hostname') { should eq 'value' }
|
38
38
|
|
39
|
-
|
39
|
+
### include
|
40
40
|
|
41
41
|
<%= partial "/shared/matcher_include" %>
|
42
42
|
|
43
|
-
|
43
|
+
### match
|
44
44
|
|
45
45
|
<%= partial "/shared/matcher_match" %>
|
46
46
|
|
47
|
-
|
47
|
+
## Examples
|
48
48
|
|
49
49
|
The following examples show how to use this InSpec audit resource.
|
50
50
|
|
51
|
-
|
51
|
+
### Get system information for example.com
|
52
52
|
|
53
53
|
describe sys_info do
|
54
54
|
its('hostname') { should eq 'example.com' }
|
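Review bot: The `### hostname` description at file line 35, "The `hostname` matcher tests the host for which standard output is returned:", does not say what value is compared; the example directly under it (`its('hostname') { should eq 'value' }`) compares the hostname string, so "The `hostname` matcher tests the hostname reported by the system:" would match the example.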
@@ -6,7 +6,7 @@ title: About the systemd_service Resource
|
|
6
6
|
|
7
7
|
Use the `systemd_service` InSpec audit resource to test a service using SystemD.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `systemd_service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
|
12
12
|
|
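Review bot: File line 7 spells the init system "SystemD"; the project's own name is lowercase "systemd", which is also how the resource is named (`systemd_service`) on the same line, so "using systemd" is the consistent form.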
@@ -29,48 +29,48 @@ The path to the service manager's control may be specified for situations where
|
|
29
29
|
it { should be_running }
|
30
30
|
end
|
31
31
|
|
32
|
-
|
32
|
+
## Matchers
|
33
33
|
|
34
34
|
This InSpec audit resource has the following matchers:
|
35
35
|
|
36
|
-
|
36
|
+
### be
|
37
37
|
|
38
38
|
<%= partial "/shared/matcher_be" %>
|
39
39
|
|
40
|
-
|
40
|
+
### be_enabled
|
41
41
|
|
42
42
|
The `be_enabled` matcher tests if the named service is enabled:
|
43
43
|
|
44
44
|
it { should be_enabled }
|
45
45
|
|
46
|
-
|
46
|
+
### be_installed
|
47
47
|
|
48
48
|
The `be_installed` matcher tests if the named service is installed:
|
49
49
|
|
50
50
|
it { should be_installed }
|
51
51
|
|
52
|
-
|
52
|
+
### be_running
|
53
53
|
|
54
54
|
The `be_running` matcher tests if the named service is running:
|
55
55
|
|
56
56
|
it { should be_running }
|
57
57
|
|
58
|
-
|
58
|
+
### cmp
|
59
59
|
|
60
60
|
<%= partial "/shared/matcher_cmp" %>
|
61
61
|
|
62
|
-
|
62
|
+
### eq
|
63
63
|
|
64
64
|
<%= partial "/shared/matcher_eq" %>
|
65
65
|
|
66
|
-
|
66
|
+
### include
|
67
67
|
|
68
68
|
<%= partial "/shared/matcher_include" %>
|
69
69
|
|
70
|
-
|
70
|
+
### match
|
71
71
|
|
72
72
|
<%= partial "/shared/matcher_match" %>
|
73
73
|
|
74
|
-
|
74
|
+
## Examples
|
75
75
|
|
76
76
|
None.
|
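Review bot: The Examples section at the end of this hunk is just "None.", although the Syntax context at file lines 29-30 already shows a complete `describe` block ending in `it { should be_running }`; moving that block under Examples (or one that combines `be_installed`, `be_enabled` and `be_running`) would remove the empty section. The same "None." appears in the `sysv_service` and `upstart_service` hunks below this one.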
@@ -6,7 +6,7 @@ title: About the sysv_service Resource
|
|
6
6
|
|
7
7
|
Use the `sysv_service` InSpec audit resource to test a service using SystemV.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `sysv_service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
|
12
12
|
|
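Review bot: File line 7 writes "SystemV" as one word; the usual spelling is "System V" (or "SysV init"), so "using System V init" reads better and matches the `sysv_service` resource name's meaning.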
@@ -29,48 +29,48 @@ The path to the service manager's control may be specified for situations where
|
|
29
29
|
it { should be_running }
|
30
30
|
end
|
31
31
|
|
32
|
-
|
32
|
+
## Matchers
|
33
33
|
|
34
34
|
This InSpec audit resource has the following matchers:
|
35
35
|
|
36
|
-
|
36
|
+
### be
|
37
37
|
|
38
38
|
<%= partial "/shared/matcher_be" %>
|
39
39
|
|
40
|
-
|
40
|
+
### be_enabled
|
41
41
|
|
42
42
|
The `be_enabled` matcher tests if the named service is enabled:
|
43
43
|
|
44
44
|
it { should be_enabled }
|
45
45
|
|
46
|
-
|
46
|
+
### be_installed
|
47
47
|
|
48
48
|
The `be_installed` matcher tests if the named service is installed:
|
49
49
|
|
50
50
|
it { should be_installed }
|
51
51
|
|
52
|
-
|
52
|
+
### be_running
|
53
53
|
|
54
54
|
The `be_running` matcher tests if the named service is running:
|
55
55
|
|
56
56
|
it { should be_running }
|
57
57
|
|
58
|
-
|
58
|
+
### cmp
|
59
59
|
|
60
60
|
<%= partial "/shared/matcher_cmp" %>
|
61
61
|
|
62
|
-
|
62
|
+
### eq
|
63
63
|
|
64
64
|
<%= partial "/shared/matcher_eq" %>
|
65
65
|
|
66
|
-
|
66
|
+
### include
|
67
67
|
|
68
68
|
<%= partial "/shared/matcher_include" %>
|
69
69
|
|
70
|
-
|
70
|
+
### match
|
71
71
|
|
72
72
|
<%= partial "/shared/matcher_match" %>
|
73
73
|
|
74
|
-
|
74
|
+
## Examples
|
75
75
|
|
76
76
|
None.
|
@@ -6,7 +6,7 @@ title: About the upstart_service Resource
|
|
6
6
|
|
7
7
|
Use the `upstart_service` InSpec audit resource to test a service using Upstart.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
An `upstart_service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
|
12
12
|
|
@@ -29,48 +29,48 @@ The path to the service manager's control may be specified for situations where
|
|
29
29
|
it { should be_running }
|
30
30
|
end
|
31
31
|
|
32
|
-
|
32
|
+
## Matchers
|
33
33
|
|
34
34
|
This InSpec audit resource has the following matchers:
|
35
35
|
|
36
|
-
|
36
|
+
### be
|
37
37
|
|
38
38
|
<%= partial "/shared/matcher_be" %>
|
39
39
|
|
40
|
-
|
40
|
+
### be_enabled
|
41
41
|
|
42
42
|
The `be_enabled` matcher tests if the named service is enabled:
|
43
43
|
|
44
44
|
it { should be_enabled }
|
45
45
|
|
46
|
-
|
46
|
+
### be_installed
|
47
47
|
|
48
48
|
The `be_installed` matcher tests if the named service is installed:
|
49
49
|
|
50
50
|
it { should be_installed }
|
51
51
|
|
52
|
-
|
52
|
+
### be_running
|
53
53
|
|
54
54
|
The `be_running` matcher tests if the named service is running:
|
55
55
|
|
56
56
|
it { should be_running }
|
57
57
|
|
58
|
-
|
58
|
+
### cmp
|
59
59
|
|
60
60
|
<%= partial "/shared/matcher_cmp" %>
|
61
61
|
|
62
|
-
|
62
|
+
### eq
|
63
63
|
|
64
64
|
<%= partial "/shared/matcher_eq" %>
|
65
65
|
|
66
|
-
|
66
|
+
### include
|
67
67
|
|
68
68
|
<%= partial "/shared/matcher_include" %>
|
69
69
|
|
70
|
-
|
70
|
+
### match
|
71
71
|
|
72
72
|
<%= partial "/shared/matcher_match" %>
|
73
73
|
|
74
|
-
|
74
|
+
## Examples
|
75
75
|
|
76
76
|
None.
|
data/docs/resources/user.md.erb
CHANGED
@@ -6,7 +6,7 @@ title: About the user Resource
|
|
6
6
|
|
7
7
|
Use the `user` InSpec audit resource to test user profiles for a single, known/expected local user, including the groups to which that user belongs, the frequency of required password changes, and the directory paths to home and shell.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `user` resource block declares a user name, and then one (or more) matchers:
|
12
12
|
|
@@ -29,29 +29,29 @@ where
|
|
29
29
|
* `it { should exist }` tests if the user exists
|
30
30
|
* `gid`, `group`, `groups`, `home`, `maxdays`, `mindays`, `shell`, `uid`, and `warndays` are valid matchers for this resource
|
31
31
|
|
32
|
-
|
32
|
+
## Matchers
|
33
33
|
|
34
34
|
This InSpec audit resource has the following matchers:
|
35
35
|
|
36
|
-
|
36
|
+
### be
|
37
37
|
|
38
38
|
<%= partial "/shared/matcher_be" %>
|
39
39
|
|
40
|
-
|
40
|
+
### cmp
|
41
41
|
|
42
42
|
<%= partial "/shared/matcher_cmp" %>
|
43
43
|
|
44
|
-
|
44
|
+
### eq
|
45
45
|
|
46
46
|
<%= partial "/shared/matcher_eq" %>
|
47
47
|
|
48
|
-
|
48
|
+
### exist
|
49
49
|
|
50
50
|
The `exist` matcher tests if the named user exists:
|
51
51
|
|
52
52
|
it { should exist }
|
53
53
|
|
54
|
-
|
54
|
+
### gid
|
55
55
|
|
56
56
|
The `gid` matcher tests the group identifier:
|
57
57
|
|
@@ -59,7 +59,7 @@ The `gid` matcher tests the group identifier:
|
|
59
59
|
|
60
60
|
where `1234` represents the user identifier.
|
61
61
|
|
62
|
-
|
62
|
+
### group
|
63
63
|
|
64
64
|
The `group` matcher tests the group to which the user belongs:
|
65
65
|
|
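Review bot: File line 60, "where `1234` represents the user identifier.", sits under the `### gid` heading and should say "group identifier"; the identical sentence under `### uid` later in this file is the one where "user identifier" is correct.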
@@ -67,27 +67,27 @@ The `group` matcher tests the group to which the user belongs:
|
|
67
67
|
|
68
68
|
where `root` represents the group.
|
69
69
|
|
70
|
-
|
70
|
+
### groups
|
71
71
|
|
72
72
|
The `groups` matcher tests two (or more) groups to which the user belongs:
|
73
73
|
|
74
74
|
its('groups') { should eq ['root', 'other']}
|
75
75
|
|
76
|
-
|
76
|
+
### home
|
77
77
|
|
78
78
|
The `home` matcher tests the home directory path for the user:
|
79
79
|
|
80
80
|
its('home') { should eq '/root' }
|
81
81
|
|
82
|
-
|
82
|
+
### include
|
83
83
|
|
84
84
|
<%= partial "/shared/matcher_include" %>
|
85
85
|
|
86
|
-
|
86
|
+
### match
|
87
87
|
|
88
88
|
<%= partial "/shared/matcher_match" %>
|
89
89
|
|
90
|
-
|
90
|
+
### maxdays
|
91
91
|
|
92
92
|
The `maxdays` matcher tests the maximum number of days between password changes:
|
93
93
|
|
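Review bot: The `### groups` description at file line 72, "tests two (or more) groups to which the user belongs", is misleading: the example `its('groups') { should eq ['root', 'other']}` asserts the user's complete group list, and `eq` against an array is order-sensitive, so the same user reported as `['other', 'root']` would fail. Suggest "The `groups` matcher tests the list of groups to which the user belongs:" and, where only membership in one group matters, `its('groups') { should include 'other' }` using the `include` matcher documented a few lines below. The example is also missing a space before its closing `}`.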
@@ -95,7 +95,7 @@ The `maxdays` matcher tests the maximum number of days between password changes:
|
|
95
95
|
|
96
96
|
where `99` represents the maximum number of days.
|
97
97
|
|
98
|
-
|
98
|
+
### mindays
|
99
99
|
|
100
100
|
The `mindays` matcher tests the minimum number of days between password changes:
|
101
101
|
|
@@ -103,13 +103,13 @@ The `mindays` matcher tests the minimum number of days between password changes:
|
|
103
103
|
|
104
104
|
where `0` represents the maximum number of days.
|
105
105
|
|
106
|
-
|
106
|
+
### shell
|
107
107
|
|
108
108
|
The `shell` matcher tests the path to the default shell for the user:
|
109
109
|
|
110
110
|
its('shell') { should eq '/bin/bash' }
|
111
111
|
|
112
|
-
|
112
|
+
### uid
|
113
113
|
|
114
114
|
The `uid` matcher tests the user identifier:
|
115
115
|
|
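Review bot: File line 104, "where `0` represents the maximum number of days.", is under `### mindays` and should read "minimum number of days"; the `maxdays` entry just above already uses "maximum" for its own `99` example, so this line is a copy-paste left over.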
@@ -117,7 +117,7 @@ The `uid` matcher tests the user identifier:
|
|
117
117
|
|
118
118
|
where `1234` represents the user identifier.
|
119
119
|
|
120
|
-
|
120
|
+
### warndays
|
121
121
|
|
122
122
|
The `warndays` matcher tests the number of days a user is warned before a password must be changed:
|
123
123
|
|
@@ -125,11 +125,11 @@ The `warndays` matcher tests the number of days a user is warned before a passwo
|
|
125
125
|
|
126
126
|
where `5` represents the number of days a user is warned.
|
127
127
|
|
128
|
-
|
128
|
+
## Examples
|
129
129
|
|
130
130
|
The following examples show how to use this InSpec audit resource.
|
131
131
|
|
132
|
-
|
132
|
+
### Verify available users for the MySQL server
|
133
133
|
|
134
134
|
describe user('root') do
|
135
135
|
it { should exist }
|
@@ -142,7 +142,7 @@ The following examples show how to use this InSpec audit resource.
|
|
142
142
|
it { should_not exist }
|
143
143
|
end
|
144
144
|
|
145
|
-
|
145
|
+
### Test users on multiple platforms
|
146
146
|
|
147
147
|
The `nginx` user is typically `www-data`, but on CentOS it's `nginx`. The following example shows how to test for the `nginx` user with a single test, but accounting for all platforms:
|
148
148
|
|