inspec 1.0.0 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +46 -3
- data/Gemfile +4 -1
- data/README.md +3 -0
- data/docs/dsl_inspec.md +3 -3
- data/docs/profiles.md +17 -0
- data/docs/resources/apache_conf.md.erb +10 -10
- data/docs/resources/apt.md.erb +13 -13
- data/docs/resources/audit_policy.md.erb +10 -10
- data/docs/resources/auditd_conf.md.erb +10 -10
- data/docs/resources/auditd_rules.md.erb +11 -11
- data/docs/resources/bash.md.erb +12 -12
- data/docs/resources/bond.md.erb +15 -15
- data/docs/resources/bridge.md.erb +11 -11
- data/docs/resources/bsd_service.md.erb +11 -11
- data/docs/resources/command.md.erb +21 -21
- data/docs/resources/csv.md.erb +10 -10
- data/docs/resources/directory.md.erb +8 -8
- data/docs/resources/etc_group.md.erb +16 -16
- data/docs/resources/etc_passwd.md.erb +17 -17
- data/docs/resources/etc_shadow.md.erb +19 -19
- data/docs/resources/file.md.erb +58 -58
- data/docs/resources/gem.md.erb +12 -12
- data/docs/resources/group.md.erb +12 -12
- data/docs/resources/grub_conf.md.erb +11 -11
- data/docs/resources/host.md.erb +13 -13
- data/docs/resources/iis_site.md.erb +16 -16
- data/docs/resources/inetd_conf.md.erb +10 -10
- data/docs/resources/ini.md.erb +9 -9
- data/docs/resources/interface.md.erb +11 -11
- data/docs/resources/iptables.md.erb +11 -11
- data/docs/resources/json.md.erb +10 -10
- data/docs/resources/kernel_module.md.erb +10 -10
- data/docs/resources/kernel_parameter.md.erb +12 -12
- data/docs/resources/launchd_service.md.erb +11 -11
- data/docs/resources/limits_conf.md.erb +10 -10
- data/docs/resources/login_def.md.erb +12 -12
- data/docs/resources/mount.md.erb +13 -13
- data/docs/resources/mysql_conf.md.erb +14 -14
- data/docs/resources/mysql_session.md.erb +10 -10
- data/docs/resources/npm.md.erb +12 -12
- data/docs/resources/ntp_conf.md.erb +9 -9
- data/docs/resources/oneget.md.erb +11 -11
- data/docs/resources/os.md.erb +13 -13
- data/docs/resources/os_env.md.erb +12 -12
- data/docs/resources/package.md.erb +15 -15
- data/docs/resources/parse_config.md.erb +13 -13
- data/docs/resources/parse_config_file.md.erb +22 -16
- data/docs/resources/pip.md.erb +12 -12
- data/docs/resources/port.md.erb +18 -18
- data/docs/resources/postgres_conf.md.erb +13 -13
- data/docs/resources/postgres_session.md.erb +11 -11
- data/docs/resources/powershell.md.erb +13 -13
- data/docs/resources/process.md.erb +12 -12
- data/docs/resources/registry_key.md.erb +17 -17
- data/docs/resources/runit_service.md.erb +11 -11
- data/docs/resources/security_policy.md.erb +10 -10
- data/docs/resources/service.md.erb +17 -17
- data/docs/resources/ssh_config.md.erb +13 -13
- data/docs/resources/sshd_config.md.erb +14 -14
- data/docs/resources/ssl.md.erb +12 -12
- data/docs/resources/sys_info.md.erb +10 -10
- data/docs/resources/systemd_service.md.erb +11 -11
- data/docs/resources/sysv_service.md.erb +11 -11
- data/docs/resources/upstart_service.md.erb +11 -11
- data/docs/resources/user.md.erb +20 -20
- data/docs/resources/users.md.erb +19 -19
- data/docs/resources/vbscript.md.erb +9 -9
- data/docs/resources/windows_feature.md.erb +10 -10
- data/docs/resources/wmi.md.erb +10 -10
- data/docs/resources/xinetd_conf.md.erb +17 -17
- data/docs/resources/yaml.md.erb +10 -10
- data/docs/resources/yum.md.erb +16 -16
- data/examples/meta-profile/README.md +0 -5
- data/lib/inspec/base_cli.rb +6 -0
- data/lib/inspec/cli.rb +10 -3
- data/lib/inspec/profile.rb +3 -3
- data/lib/inspec/rspec_json_formatter.rb +24 -15
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/registry_key.rb +15 -5
- data/lib/utils/filter.rb +1 -0
- metadata +3 -4
@@ -9,7 +9,7 @@ Use the `interface` InSpec audit resource to test basic network adapter properti
|
|
9
9
|
* On Linux platforms, `/sys/class/net/#{iface}` is used as source
|
10
10
|
* On the Windows platform, the `Get-NetAdapter` cmdlet is used as source
|
11
11
|
|
12
|
-
|
12
|
+
## Syntax
|
13
13
|
|
14
14
|
An `interface` resource block declares network interface properties to be tested:
|
15
15
|
|
@@ -19,48 +19,48 @@ An `interface` resource block declares network interface properties to be tested
|
|
19
19
|
its('name') { should eq eth0 }
|
20
20
|
end
|
21
21
|
|
22
|
-
|
22
|
+
## Matchers
|
23
23
|
|
24
24
|
This InSpec audit resource has the following matchers:
|
25
25
|
|
26
|
-
|
26
|
+
### be
|
27
27
|
|
28
28
|
<%= partial "/shared/matcher_be" %>
|
29
29
|
|
30
|
-
|
30
|
+
### be_up
|
31
31
|
|
32
32
|
The `be_up` matcher tests if the network interface is available:
|
33
33
|
|
34
34
|
it { should be_up }
|
35
35
|
|
36
|
-
|
36
|
+
### cmp
|
37
37
|
|
38
38
|
<%= partial "/shared/matcher_cmp" %>
|
39
39
|
|
40
|
-
|
40
|
+
### eq
|
41
41
|
|
42
42
|
<%= partial "/shared/matcher_eq" %>
|
43
43
|
|
44
|
-
|
44
|
+
### include
|
45
45
|
|
46
46
|
<%= partial "/shared/matcher_include" %>
|
47
47
|
|
48
|
-
|
48
|
+
### match
|
49
49
|
|
50
50
|
<%= partial "/shared/matcher_match" %>
|
51
51
|
|
52
|
-
|
52
|
+
### name
|
53
53
|
|
54
54
|
The `name` matcher tests if the named network interface exists:
|
55
55
|
|
56
56
|
its('name') { should eq eth0 }
|
57
57
|
|
58
|
-
|
58
|
+
### speed
|
59
59
|
|
60
60
|
The `speed` matcher tests the speed of the network interface, in MB/sec:
|
61
61
|
|
62
62
|
its('speed') { should eq 1000 }
|
63
63
|
|
64
|
-
|
64
|
+
## Examples
|
65
65
|
|
66
66
|
None.
|
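Review bot: `its('name') { should eq eth0 }` appears twice in this hunk (under Syntax and under `### name`) with `eth0` unquoted, so Ruby would treat it as a method call and raise a NameError instead of comparing against the interface name; it should read `its('name') { should eq 'eth0' }`. The `### speed` text also gives the unit as MB/sec, but the value the Linux source `/sys/class/net/#{iface}/speed` reports is in megabits per second, so `should eq 1000` means 1000 Mbit/s and the unit in the sentence should be corrected to match. Since this change only trims blank lines in the same file, both fixes belong in the same commit.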
@@ -6,7 +6,7 @@ title: About the iptables Resource
|
|
6
6
|
|
7
7
|
Use the `iptables` InSpec audit resource to test rules that are defined in `iptables`, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `iptables` resource block declares tests for rules in IP tables:
|
12
12
|
|
@@ -23,47 +23,47 @@ where
|
|
23
23
|
* `have_rule('RULE')` tests that rule in the iptables file
|
24
24
|
|
25
25
|
|
26
|
-
|
26
|
+
## Matchers
|
27
27
|
|
28
28
|
This InSpec audit resource has the following matchers:
|
29
29
|
|
30
|
-
|
30
|
+
### be
|
31
31
|
|
32
32
|
<%= partial "/shared/matcher_be" %>
|
33
33
|
|
34
|
-
|
34
|
+
### cmp
|
35
35
|
|
36
36
|
<%= partial "/shared/matcher_cmp" %>
|
37
37
|
|
38
|
-
|
38
|
+
### eq
|
39
39
|
|
40
40
|
<%= partial "/shared/matcher_eq" %>
|
41
41
|
|
42
|
-
|
42
|
+
### have_rule
|
43
43
|
|
44
44
|
The `have_rule` matcher tests the named rule against the information in the `iptables` file:
|
45
45
|
|
46
46
|
it { should have_rule('RULE') }
|
47
47
|
|
48
|
-
|
48
|
+
### include
|
49
49
|
|
50
50
|
<%= partial "/shared/matcher_include" %>
|
51
51
|
|
52
|
-
|
52
|
+
### match
|
53
53
|
|
54
54
|
<%= partial "/shared/matcher_match" %>
|
55
55
|
|
56
|
-
|
56
|
+
## Examples
|
57
57
|
|
58
58
|
The following examples show how to use this InSpec audit resource.
|
59
59
|
|
60
|
-
|
60
|
+
### Test if the IP table allows a packet through
|
61
61
|
|
62
62
|
describe iptables do
|
63
63
|
it { should have_rule('-P INPUT ACCEPT') }
|
64
64
|
end
|
65
65
|
|
66
|
-
|
66
|
+
### Test if the IP table allows a packet through, for a specific table and chain
|
67
67
|
|
68
68
|
describe iptables(table:'mangle', chain: 'input') do
|
69
69
|
it { should have_rule('-P INPUT ACCEPT') }
|
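Review bot: the second example, `describe iptables(table:'mangle', chain: 'input')`, passes the chain name in lowercase, but iptables chain names are case-sensitive (`INPUT`), so the lookup returns no rules and `have_rule('-P INPUT ACCEPT')` cannot match; suggest `chain: 'INPUT'` (and a space after `table:` to match the other keyword argument). The bullet `have_rule('RULE') tests that rule in the iptables file` is also at odds with the intro line, which says the rules are the ones `iptables` maintains in its tables rather than a file; consider `tests that the named rule is present in the iptables ruleset`.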
data/docs/resources/json.md.erb
CHANGED
@@ -6,7 +6,7 @@ title: About the json Resource
|
|
6
6
|
|
7
7
|
Use the `json` InSpec audit resource to test data in a JSON file.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `json` resource block declares the data to be tested. Assume the following JSON file:
|
12
12
|
|
@@ -35,41 +35,41 @@ where
|
|
35
35
|
* `should eq 'foo'` tests a value of `name` as read from a JSON file versus the value declared in the test
|
36
36
|
|
37
37
|
|
38
|
-
|
38
|
+
## Matchers
|
39
39
|
|
40
40
|
This InSpec audit resource has the following matchers:
|
41
41
|
|
42
|
-
|
42
|
+
### be
|
43
43
|
|
44
44
|
<%= partial "/shared/matcher_be" %>
|
45
45
|
|
46
|
-
|
46
|
+
### cmp
|
47
47
|
|
48
48
|
<%= partial "/shared/matcher_cmp" %>
|
49
49
|
|
50
|
-
|
50
|
+
### eq
|
51
51
|
|
52
52
|
<%= partial "/shared/matcher_eq" %>
|
53
53
|
|
54
|
-
|
54
|
+
### include
|
55
55
|
|
56
56
|
<%= partial "/shared/matcher_include" %>
|
57
57
|
|
58
|
-
|
58
|
+
### match
|
59
59
|
|
60
60
|
<%= partial "/shared/matcher_match" %>
|
61
61
|
|
62
|
-
|
62
|
+
### name
|
63
63
|
|
64
64
|
The `name` matcher tests the value of `name` as read from a JSON file versus the value declared in the test:
|
65
65
|
|
66
66
|
its('name') { should eq 'foo' }
|
67
67
|
|
68
|
-
|
68
|
+
## Examples
|
69
69
|
|
70
70
|
The following examples show how to use this InSpec audit resource.
|
71
71
|
|
72
|
-
|
72
|
+
### Test a cookbook version in a policyfile.lock.json file
|
73
73
|
|
74
74
|
describe json('policyfile.lock.json') do
|
75
75
|
its(['cookbook_locks', 'omnibus', 'version']) { should eq('2.2.0') }
|
@@ -6,7 +6,7 @@ title: About the kernel_module Resource
|
|
6
6
|
|
7
7
|
Use the `kernel_module` InSpec audit resource to test kernel modules on Linux platforms. These parameters are located under `/lib/modules`. Any submodule may be tested using this resource.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `kernel_module` resource block declares a module name, and then tests if that module is a loadable kernel module:
|
12
12
|
|
@@ -19,41 +19,41 @@ where
|
|
19
19
|
* `'module_name'` must specify a kernel module, such as `'bridge'`
|
20
20
|
* `{ should be_loaded }` tests if the module is a loadable kernel module
|
21
21
|
|
22
|
-
|
22
|
+
## Matchers
|
23
23
|
|
24
24
|
This InSpec audit resource has the following matchers:
|
25
25
|
|
26
|
-
|
26
|
+
### be
|
27
27
|
|
28
28
|
<%= partial "/shared/matcher_be" %>
|
29
29
|
|
30
|
-
|
30
|
+
### be_loaded
|
31
31
|
|
32
32
|
The `be_loaded` matcher tests if the module is a loadable kernel module:
|
33
33
|
|
34
34
|
it { should be_loaded }
|
35
35
|
|
36
|
-
|
36
|
+
### cmp
|
37
37
|
|
38
38
|
<%= partial "/shared/matcher_cmp" %>
|
39
39
|
|
40
|
-
|
40
|
+
### eq
|
41
41
|
|
42
42
|
<%= partial "/shared/matcher_eq" %>
|
43
43
|
|
44
|
-
|
44
|
+
### include
|
45
45
|
|
46
46
|
<%= partial "/shared/matcher_include" %>
|
47
47
|
|
48
|
-
|
48
|
+
### match
|
49
49
|
|
50
50
|
<%= partial "/shared/matcher_match" %>
|
51
51
|
|
52
|
-
|
52
|
+
## Examples
|
53
53
|
|
54
54
|
The following examples show how to use this InSpec audit resource.
|
55
55
|
|
56
|
-
|
56
|
+
### Test if a module is loaded
|
57
57
|
|
58
58
|
describe kernel_module('bridge') do
|
59
59
|
it { should be_loaded }
|
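Review bot: the `### be_loaded` text (and the matching Syntax bullet) says the matcher "tests if the module is a loadable kernel module", while the example heading in the same hunk says "Test if a module is loaded"; a module that is present under `/lib/modules` (loadable) is not necessarily loaded, and the matcher name refers to the latter state. Suggest "tests if the module is currently loaded" in both places. The intro sentence `These parameters are located under /lib/modules` should say modules rather than parameters.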
@@ -6,7 +6,7 @@ title: About the kernel_parameter Resource
|
|
6
6
|
|
7
7
|
Use the `kernel_parameter` InSpec audit resource to test kernel parameters on Linux platforms.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `kernel_parameter` resource block declares a parameter and then a value to be tested:
|
12
12
|
|
@@ -19,53 +19,53 @@ where
|
|
19
19
|
* `'kernel.parameter'` must specify a kernel parameter, such as `'net.ipv4.conf.all.forwarding'`
|
20
20
|
* `{ should eq 0 }` states the value to be tested
|
21
21
|
|
22
|
-
|
22
|
+
## Matchers
|
23
23
|
|
24
24
|
This InSpec audit resource has the following matchers:
|
25
25
|
|
26
|
-
|
26
|
+
### be
|
27
27
|
|
28
28
|
<%= partial "/shared/matcher_be" %>
|
29
29
|
|
30
|
-
|
30
|
+
### cmp
|
31
31
|
|
32
32
|
<%= partial "/shared/matcher_cmp" %>
|
33
33
|
|
34
|
-
|
34
|
+
### eq
|
35
35
|
|
36
36
|
<%= partial "/shared/matcher_eq" %>
|
37
37
|
|
38
|
-
|
38
|
+
### include
|
39
39
|
|
40
40
|
<%= partial "/shared/matcher_include" %>
|
41
41
|
|
42
|
-
|
42
|
+
### match
|
43
43
|
|
44
44
|
<%= partial "/shared/matcher_match" %>
|
45
45
|
|
46
|
-
|
46
|
+
### value
|
47
47
|
|
48
48
|
The `value` matcher tests the value assigned to the named IP address versus the value declared in the test:
|
49
49
|
|
50
50
|
its('value') { should eq 0 }
|
51
51
|
|
52
|
-
|
52
|
+
## Examples
|
53
53
|
|
54
54
|
The following examples show how to use this InSpec audit resource.
|
55
55
|
|
56
|
-
|
56
|
+
### Test if global forwarding is enabled for an IPv4 address
|
57
57
|
|
58
58
|
describe kernel_parameter('net.ipv4.conf.all.forwarding') do
|
59
59
|
its('value') { should eq 1 }
|
60
60
|
end
|
61
61
|
|
62
|
-
|
62
|
+
### Test if global forwarding is disabled for an IPv6 address
|
63
63
|
|
64
64
|
describe kernel_parameter('net.ipv6.conf.all.forwarding') do
|
65
65
|
its('value') { should eq 0 }
|
66
66
|
end
|
67
67
|
|
68
|
-
|
68
|
+
### Test if an IPv6 address accepts redirects
|
69
69
|
|
70
70
|
describe kernel_parameter('net.ipv6.conf.interface.accept_redirects') do
|
71
71
|
its('value') { should eq 'true' }
|
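Review bot: under `### value` the sentence says the matcher "tests the value assigned to the named IP address", which looks like a copy-paste slip from another resource page; it should say "the named kernel parameter". The third example, `its('value') { should eq 'true' }` for `accept_redirects`, compares against a string while the two preceding examples compare against integers (`eq 1`, `eq 0`); sysctl exposes this flag as 0 or 1, so the example cannot pass as written and should use `should eq 1` (or `eq 0` if the intent is to assert redirects are refused, which is the usual hardening check). `net.ipv6.conf.interface.accept_redirects` also uses `interface` as a literal where a real interface name or `all`/`default` is expected; it should be marked as a placeholder.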
@@ -6,7 +6,7 @@ title: About the launchd_service Resource
|
|
6
6
|
|
7
7
|
Use the ``launchd_service`` InSpec audit resource to test a service using Launchd.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A ``launchd_service`` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
|
12
12
|
|
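Review bot: ``launchd_service`` is wrapped in double backticks in both the intro sentence and the Syntax line, whereas every other resource page in this diff uses single backticks; suggest single backticks for consistency. "Launchd" should also be written `launchd`, lowercase as the service manager's name.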
@@ -29,48 +29,48 @@ The path to the service manager's control may be specified for situations where
|
|
29
29
|
it { should be_running }
|
30
30
|
end
|
31
31
|
|
32
|
-
|
32
|
+
## Matchers
|
33
33
|
|
34
34
|
This InSpec audit resource has the following matchers:
|
35
35
|
|
36
|
-
|
36
|
+
### be
|
37
37
|
|
38
38
|
<%= partial "/shared/matcher_be" %>
|
39
39
|
|
40
|
-
|
40
|
+
### be_enabled
|
41
41
|
|
42
42
|
The `be_enabled` matcher tests if the named service is enabled:
|
43
43
|
|
44
44
|
it { should be_enabled }
|
45
45
|
|
46
|
-
|
46
|
+
### be_installed
|
47
47
|
|
48
48
|
The `be_installed` matcher tests if the named service is installed:
|
49
49
|
|
50
50
|
it { should be_installed }
|
51
51
|
|
52
|
-
|
52
|
+
### be_running
|
53
53
|
|
54
54
|
The `be_running` matcher tests if the named service is running:
|
55
55
|
|
56
56
|
it { should be_running }
|
57
57
|
|
58
|
-
|
58
|
+
### cmp
|
59
59
|
|
60
60
|
<%= partial "/shared/matcher_cmp" %>
|
61
61
|
|
62
|
-
|
62
|
+
### eq
|
63
63
|
|
64
64
|
<%= partial "/shared/matcher_eq" %>
|
65
65
|
|
66
|
-
|
66
|
+
### include
|
67
67
|
|
68
68
|
<%= partial "/shared/matcher_include" %>
|
69
69
|
|
70
|
-
|
70
|
+
### match
|
71
71
|
|
72
72
|
<%= partial "/shared/matcher_match" %>
|
73
73
|
|
74
|
-
|
74
|
+
## Examples
|
75
75
|
|
76
76
|
None.
|
@@ -17,7 +17,7 @@ Entries in the `limits.conf` file are similar to:
|
|
17
17
|
^^^^^^^^^ ^^^^ ^^^^^^ ^^^^^
|
18
18
|
domain type item value
|
19
19
|
|
20
|
-
|
20
|
+
## Syntax
|
21
21
|
|
22
22
|
A `limits_conf` resource block declares a domain to be tested, along with associated type, item, and value:
|
23
23
|
|
@@ -34,19 +34,19 @@ where
|
|
34
34
|
* `'item'` is the item for which limits are defined, such as `core`, `nofile`, `stack`, `nproc`, `priority`, or `maxlogins`
|
35
35
|
* `'value'` is the value associated with the `item`
|
36
36
|
|
37
|
-
|
37
|
+
## Matchers
|
38
38
|
|
39
39
|
This InSpec audit resource has the following matchers:
|
40
40
|
|
41
|
-
|
41
|
+
### be
|
42
42
|
|
43
43
|
<%= partial "/shared/matcher_be" %>
|
44
44
|
|
45
|
-
|
45
|
+
### cmp
|
46
46
|
|
47
47
|
<%= partial "/shared/matcher_cmp" %>
|
48
48
|
|
49
|
-
|
49
|
+
### domain
|
50
50
|
|
51
51
|
The `domain` matcher tests the domain in the `limits.conf` file, along with associated type, item, and value:
|
52
52
|
|
@@ -56,23 +56,23 @@ For example:
|
|
56
56
|
|
57
57
|
its('grantmc') { should include ['hard', 'nofile', '63536'] }
|
58
58
|
|
59
|
-
|
59
|
+
### eq
|
60
60
|
|
61
61
|
<%= partial "/shared/matcher_eq" %>
|
62
62
|
|
63
|
-
|
63
|
+
### include
|
64
64
|
|
65
65
|
<%= partial "/shared/matcher_include" %>
|
66
66
|
|
67
|
-
|
67
|
+
### match
|
68
68
|
|
69
69
|
<%= partial "/shared/matcher_match" %>
|
70
70
|
|
71
|
-
|
71
|
+
## Examples
|
72
72
|
|
73
73
|
The following examples show how to use this InSpec audit resource.
|
74
74
|
|
75
|
-
|
75
|
+
### Test limits
|
76
76
|
|
77
77
|
describe limits_conf('path') do
|
78
78
|
its('*') { should include ['soft', 'core', '0'], ['hard', 'rss', '10000'] }
|