inspec 1.0.0 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +46 -3
- data/Gemfile +4 -1
- data/README.md +3 -0
- data/docs/dsl_inspec.md +3 -3
- data/docs/profiles.md +17 -0
- data/docs/resources/apache_conf.md.erb +10 -10
- data/docs/resources/apt.md.erb +13 -13
- data/docs/resources/audit_policy.md.erb +10 -10
- data/docs/resources/auditd_conf.md.erb +10 -10
- data/docs/resources/auditd_rules.md.erb +11 -11
- data/docs/resources/bash.md.erb +12 -12
- data/docs/resources/bond.md.erb +15 -15
- data/docs/resources/bridge.md.erb +11 -11
- data/docs/resources/bsd_service.md.erb +11 -11
- data/docs/resources/command.md.erb +21 -21
- data/docs/resources/csv.md.erb +10 -10
- data/docs/resources/directory.md.erb +8 -8
- data/docs/resources/etc_group.md.erb +16 -16
- data/docs/resources/etc_passwd.md.erb +17 -17
- data/docs/resources/etc_shadow.md.erb +19 -19
- data/docs/resources/file.md.erb +58 -58
- data/docs/resources/gem.md.erb +12 -12
- data/docs/resources/group.md.erb +12 -12
- data/docs/resources/grub_conf.md.erb +11 -11
- data/docs/resources/host.md.erb +13 -13
- data/docs/resources/iis_site.md.erb +16 -16
- data/docs/resources/inetd_conf.md.erb +10 -10
- data/docs/resources/ini.md.erb +9 -9
- data/docs/resources/interface.md.erb +11 -11
- data/docs/resources/iptables.md.erb +11 -11
- data/docs/resources/json.md.erb +10 -10
- data/docs/resources/kernel_module.md.erb +10 -10
- data/docs/resources/kernel_parameter.md.erb +12 -12
- data/docs/resources/launchd_service.md.erb +11 -11
- data/docs/resources/limits_conf.md.erb +10 -10
- data/docs/resources/login_def.md.erb +12 -12
- data/docs/resources/mount.md.erb +13 -13
- data/docs/resources/mysql_conf.md.erb +14 -14
- data/docs/resources/mysql_session.md.erb +10 -10
- data/docs/resources/npm.md.erb +12 -12
- data/docs/resources/ntp_conf.md.erb +9 -9
- data/docs/resources/oneget.md.erb +11 -11
- data/docs/resources/os.md.erb +13 -13
- data/docs/resources/os_env.md.erb +12 -12
- data/docs/resources/package.md.erb +15 -15
- data/docs/resources/parse_config.md.erb +13 -13
- data/docs/resources/parse_config_file.md.erb +22 -16
- data/docs/resources/pip.md.erb +12 -12
- data/docs/resources/port.md.erb +18 -18
- data/docs/resources/postgres_conf.md.erb +13 -13
- data/docs/resources/postgres_session.md.erb +11 -11
- data/docs/resources/powershell.md.erb +13 -13
- data/docs/resources/process.md.erb +12 -12
- data/docs/resources/registry_key.md.erb +17 -17
- data/docs/resources/runit_service.md.erb +11 -11
- data/docs/resources/security_policy.md.erb +10 -10
- data/docs/resources/service.md.erb +17 -17
- data/docs/resources/ssh_config.md.erb +13 -13
- data/docs/resources/sshd_config.md.erb +14 -14
- data/docs/resources/ssl.md.erb +12 -12
- data/docs/resources/sys_info.md.erb +10 -10
- data/docs/resources/systemd_service.md.erb +11 -11
- data/docs/resources/sysv_service.md.erb +11 -11
- data/docs/resources/upstart_service.md.erb +11 -11
- data/docs/resources/user.md.erb +20 -20
- data/docs/resources/users.md.erb +19 -19
- data/docs/resources/vbscript.md.erb +9 -9
- data/docs/resources/windows_feature.md.erb +10 -10
- data/docs/resources/wmi.md.erb +10 -10
- data/docs/resources/xinetd_conf.md.erb +17 -17
- data/docs/resources/yaml.md.erb +10 -10
- data/docs/resources/yum.md.erb +16 -16
- data/examples/meta-profile/README.md +0 -5
- data/lib/inspec/base_cli.rb +6 -0
- data/lib/inspec/cli.rb +10 -3
- data/lib/inspec/profile.rb +3 -3
- data/lib/inspec/rspec_json_formatter.rb +24 -15
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/registry_key.rb +15 -5
- data/lib/utils/filter.rb +1 -0
- metadata +3 -4
@@ -6,7 +6,7 @@ title: About the login_defs Resource
|
|
6
6
|
|
7
7
|
Use the `login_defs` InSpec audit resource to test configuration settings in the `/etc/login.defs` file. The `logins.defs` file defines site-specific configuration for the shadow password suite on Linux and Unix platforms, such as password expiration ranges, minimum/maximum values for automatic selection of user and group identifiers, or the method with which passwords are encrypted.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `login_defs` resource block declares the `login.defs` configuration data to be tested:
|
12
12
|
|
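Review bot: the context line at line 7 spells the file as `logins.defs` ("The `logins.defs` file defines site-specific configuration ...") while the sentence before it and the rest of the page use `login.defs`. This change already touches the intro block, so correct it to `login.defs` in the same pass.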
@@ -20,41 +20,41 @@ where
|
|
20
20
|
* `{ should include('foo') }` tests the value of `name` as read from `login.defs` versus the value declared in the test
|
21
21
|
|
22
22
|
|
23
|
-
|
23
|
+
## Matchers
|
24
24
|
|
25
25
|
This InSpec audit resource has the following matchers:
|
26
26
|
|
27
|
-
|
27
|
+
### be
|
28
28
|
|
29
29
|
<%= partial "/shared/matcher_be" %>
|
30
30
|
|
31
|
-
|
31
|
+
### cmp
|
32
32
|
|
33
33
|
<%= partial "/shared/matcher_cmp" %>
|
34
34
|
|
35
|
-
|
35
|
+
### eq
|
36
36
|
|
37
37
|
<%= partial "/shared/matcher_eq" %>
|
38
38
|
|
39
|
-
|
39
|
+
### include
|
40
40
|
|
41
41
|
<%= partial "/shared/matcher_include" %>
|
42
42
|
|
43
|
-
|
43
|
+
### match
|
44
44
|
|
45
45
|
<%= partial "/shared/matcher_match" %>
|
46
46
|
|
47
|
-
|
47
|
+
### name
|
48
48
|
|
49
49
|
The `name` matcher tests the value of `name` as read from `login.defs` versus the value declared in the test:
|
50
50
|
|
51
51
|
its('name') { should eq 'foo' }
|
52
52
|
|
53
|
-
|
53
|
+
## Examples
|
54
54
|
|
55
55
|
The following examples show how to use this InSpec audit resource.
|
56
56
|
|
57
|
-
|
57
|
+
### Test password expiration settings
|
58
58
|
|
59
59
|
describe login_defs do
|
60
60
|
its('PASS_MAX_DAYS') { should eq '180' }
|
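Review bot: under the new `### name` heading at line 47, `name` is a placeholder for a setting key, but listed as a heading beside `be`, `cmp` and `eq` it reads like a literal matcher called `name`, and `its('name') { should eq 'foo' }` reinforces that reading. Consider saying that `name` stands for a `login.defs` setting, or showing a real key such as `PASS_MAX_DAYS` from the example at line 60.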
@@ -63,13 +63,13 @@ The following examples show how to use this InSpec audit resource.
|
|
63
63
|
its('PASS_WARN_AGE') { should eq '30' }
|
64
64
|
end
|
65
65
|
|
66
|
-
|
66
|
+
### Test the encryption method
|
67
67
|
|
68
68
|
describe login_defs do
|
69
69
|
its('ENCRYPT_METHOD') { should eq 'SHA512' }
|
70
70
|
end
|
71
71
|
|
72
|
-
|
72
|
+
### Test umask setting
|
73
73
|
|
74
74
|
describe login_def do
|
75
75
|
its('UMASK') { should eq '077' }
|
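Review bot: the umask example at line 74 calls `describe login_def do`, while the two examples above it in this file use `describe login_defs do`. The heading directly above is being changed here, so fix the resource name to `login_defs` as well; a reader copying the `UMASK` check as written gets a different resource name from the one the page documents.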
data/docs/resources/mount.md.erb
CHANGED
@@ -6,7 +6,7 @@ title: About the mount Resource
|
|
6
6
|
|
7
7
|
Use the `mount` InSpec audit resource to test the mount points on Linux systems.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
An `mount` resource block declares the synchronization settings that should be tested:
|
12
12
|
|
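Review bot: the syntax sentence at line 11, "An `mount` resource block declares the synchronization settings that should be tested", does not describe this resource; the intro at line 7 says it tests mount points, and the wording matches the `ntp_conf` page. Suggest "A `mount` resource block declares the mount point to be tested" or similar, which also fixes the "An `mount`" article.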
@@ -21,59 +21,59 @@ where
|
|
21
21
|
* `'value'` is the value to be tested
|
22
22
|
|
23
23
|
|
24
|
-
|
24
|
+
## Matchers
|
25
25
|
|
26
26
|
This InSpec audit resource has the following matchers:
|
27
27
|
|
28
|
-
|
28
|
+
### be
|
29
29
|
|
30
30
|
<%= partial "/shared/matcher_be" %>
|
31
31
|
|
32
|
-
|
32
|
+
### be_mounted
|
33
33
|
|
34
34
|
The `be_mounted` matcher tests if the file is accessible from the file system:
|
35
35
|
|
36
36
|
it { should be_mounted }
|
37
37
|
|
38
|
-
|
38
|
+
### cmp
|
39
39
|
|
40
40
|
<%= partial "/shared/matcher_cmp" %>
|
41
41
|
|
42
|
-
|
42
|
+
### device
|
43
43
|
|
44
44
|
The `device` matcher tests the device from the `fstab` table:
|
45
45
|
|
46
46
|
its('device') { should eq '/dev/mapper/VolGroup-lv_root' }
|
47
47
|
|
48
|
-
|
48
|
+
### eq
|
49
49
|
|
50
50
|
<%= partial "/shared/matcher_eq" %>
|
51
51
|
|
52
|
-
|
52
|
+
### include
|
53
53
|
|
54
54
|
<%= partial "/shared/matcher_include" %>
|
55
55
|
|
56
|
-
|
56
|
+
### match
|
57
57
|
|
58
58
|
<%= partial "/shared/matcher_match" %>
|
59
59
|
|
60
|
-
|
60
|
+
### options
|
61
61
|
|
62
62
|
The `options` matcher tests the mount options for the file system from the `fstab` table:
|
63
63
|
|
64
64
|
its('options') { should eq ['rw', 'mode=620'] }
|
65
65
|
|
66
|
-
|
66
|
+
### type
|
67
67
|
|
68
68
|
The `type` matcher tests the file system type:
|
69
69
|
|
70
70
|
its('type') { should eq 'ext4' }
|
71
71
|
|
72
|
-
|
72
|
+
## Examples
|
73
73
|
|
74
74
|
The following examples show how to use this InSpec audit resource.
|
75
75
|
|
76
|
-
|
76
|
+
### Test a the mount point on '/'
|
77
77
|
|
78
78
|
describe mount('/') do
|
79
79
|
it { should be_mounted }
|
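Review bot: the added heading at line 76, `### Test a the mount point on '/'`, carries a stray article and should read `### Test the mount point on '/'`. Separately, line 34 describes `be_mounted` as testing "if the file is accessible from the file system", which is wording for a file rather than a mount point.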
@@ -6,7 +6,7 @@ title: About the mysql_conf Resource
|
|
6
6
|
|
7
7
|
Use the `mysql_conf` InSpec audit resource to test the contents of the configuration file for MySQL, typically located at `/etc/mysql/my.cnf` or `/etc/my.cnf`.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `mysql_conf` resource block declares one (or more) settings in the `my.cnf` file, and then compares the setting in the configuration file to the value stated in the test:
|
12
12
|
|
@@ -21,31 +21,31 @@ where
|
|
21
21
|
* `should eq 'value'` is the value that is expected
|
22
22
|
|
23
23
|
|
24
|
-
|
24
|
+
## Matchers
|
25
25
|
|
26
26
|
This InSpec audit resource has the following matchers:
|
27
27
|
|
28
|
-
|
28
|
+
### be
|
29
29
|
|
30
30
|
<%= partial "/shared/matcher_be" %>
|
31
31
|
|
32
|
-
|
32
|
+
### cmp
|
33
33
|
|
34
34
|
<%= partial "/shared/matcher_cmp" %>
|
35
35
|
|
36
|
-
|
36
|
+
### eq
|
37
37
|
|
38
38
|
<%= partial "/shared/matcher_eq" %>
|
39
39
|
|
40
|
-
|
40
|
+
### include
|
41
41
|
|
42
42
|
<%= partial "/shared/matcher_include" %>
|
43
43
|
|
44
|
-
|
44
|
+
### match
|
45
45
|
|
46
46
|
<%= partial "/shared/matcher_match" %>
|
47
47
|
|
48
|
-
|
48
|
+
### setting
|
49
49
|
|
50
50
|
The `setting` matcher tests specific, named settings in the `my.cnf` file:
|
51
51
|
|
@@ -53,18 +53,18 @@ The `setting` matcher tests specific, named settings in the `my.cnf` file:
|
|
53
53
|
|
54
54
|
Use a `setting` matcher for each setting to be tested.
|
55
55
|
|
56
|
-
|
56
|
+
## Examples
|
57
57
|
|
58
58
|
The following examples show how to use this InSpec audit resource.
|
59
59
|
|
60
|
-
|
60
|
+
### Test the maximum number of allowed connections
|
61
61
|
|
62
62
|
describe mysql_conf do
|
63
63
|
its('max_connections') { should eq '505' }
|
64
64
|
its('max_user_connections') { should eq '500' }
|
65
65
|
end
|
66
66
|
|
67
|
-
|
67
|
+
### Test slow query logging**
|
68
68
|
|
69
69
|
describe mysql_conf do
|
70
70
|
its('slow_query_log_file') { should eq 'hostname_slow.log' }
|
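Review bot: the added heading at line 67, `### Test slow query logging**`, ends with a stray `**` that has no opening pair and will render literally. Drop the two asterisks so it matches the other example headings in this file.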
@@ -74,14 +74,14 @@ The following examples show how to use this InSpec audit resource.
|
|
74
74
|
its('min_examined_row_limit') { should eq '100' }
|
75
75
|
end
|
76
76
|
|
77
|
-
|
77
|
+
### Test the port and socket on which MySQL listens
|
78
78
|
|
79
79
|
describe mysql_conf do
|
80
80
|
its('port') { should eq '3306' }
|
81
81
|
its('socket') { should eq '/var/run/mysqld/mysql.sock' }
|
82
82
|
end
|
83
83
|
|
84
|
-
|
84
|
+
### Test connection and thread variables
|
85
85
|
|
86
86
|
describe mysql_conf do
|
87
87
|
its('port') { should eq '3306' }
|
@@ -95,7 +95,7 @@ The following examples show how to use this InSpec audit resource.
|
|
95
95
|
its('thread_cache_size') { should eq '505' }
|
96
96
|
end
|
97
97
|
|
98
|
-
|
98
|
+
### Test the safe-user-create parameter
|
99
99
|
|
100
100
|
describe mysql_conf.params('mysqld') do
|
101
101
|
its('safe-user-create') { should eq('1') }
|
@@ -6,7 +6,7 @@ title: About the mysql_session Resource
|
|
6
6
|
|
7
7
|
Use the `mysql_session` InSpec audit resource to test SQL commands run against a MySQL database.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `mysql_session` resource block declares the username and password to use for the session, and then the command to be run:
|
12
12
|
|
@@ -20,41 +20,41 @@ where
|
|
20
20
|
* `query('QUERY')` contains the query to be run
|
21
21
|
* `its('output') { should eq('') }` compares the results of the query against the expected result in the test
|
22
22
|
|
23
|
-
|
23
|
+
## Matchers
|
24
24
|
|
25
25
|
This InSpec audit resource has the following matchers:
|
26
26
|
|
27
|
-
|
27
|
+
### be
|
28
28
|
|
29
29
|
<%= partial "/shared/matcher_be" %>
|
30
30
|
|
31
|
-
|
31
|
+
### cmp
|
32
32
|
|
33
33
|
<%= partial "/shared/matcher_cmp" %>
|
34
34
|
|
35
|
-
|
35
|
+
### eq
|
36
36
|
|
37
37
|
<%= partial "/shared/matcher_eq" %>
|
38
38
|
|
39
|
-
|
39
|
+
### include
|
40
40
|
|
41
41
|
<%= partial "/shared/matcher_include" %>
|
42
42
|
|
43
|
-
|
43
|
+
### match
|
44
44
|
|
45
45
|
<%= partial "/shared/matcher_match" %>
|
46
46
|
|
47
|
-
|
47
|
+
### output
|
48
48
|
|
49
49
|
The `output` matcher tests the results of the query:
|
50
50
|
|
51
51
|
its('output') { should eq(/^0/) }
|
52
52
|
|
53
|
-
|
53
|
+
## Examples
|
54
54
|
|
55
55
|
The following examples show how to use this InSpec audit resource.
|
56
56
|
|
57
|
-
|
57
|
+
### Test for matching databases
|
58
58
|
|
59
59
|
sql = mysql_session('my_user','password')
|
60
60
|
|
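Review bot: the `output` example at line 51, `its('output') { should eq(/^0/) }`, passes a regular expression to `eq`, which tests equality with the Regexp object instead of matching the query output against the pattern; `should match(/^0/)` is what the pattern implies, and `match` is already listed in this hunk. Also, the example at line 59 puts a literal password in the control (`mysql_session('my_user','password')`); a sentence saying that credentials should be supplied from outside the profile source would keep readers from committing them with their tests.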
data/docs/resources/npm.md.erb
CHANGED
@@ -7,7 +7,7 @@ title: About the npm Resource
|
|
7
7
|
Use the `npm` InSpec audit resource to test if a global NPM package is installed. NPM is the the package manager for Node.js packages (https://docs.npmjs.com), such as Bower and StatsD.
|
8
8
|
|
9
9
|
|
10
|
-
|
10
|
+
## Syntax
|
11
11
|
|
12
12
|
A `npm` resource block declares a package and (optionally) a package version:
|
13
13
|
|
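Review bot: the intro at line 7 contains a doubled article, "NPM is the the package manager", and the syntax sentence at line 12 says "A `npm`" where "An `npm`" reads correctly. Both sit in this hunk's context and are worth fixing along with the heading change.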
@@ -21,54 +21,54 @@ where
|
|
21
21
|
* `be_installed` is a valid matcher for this resource
|
22
22
|
|
23
23
|
|
24
|
-
|
24
|
+
## Matchers
|
25
25
|
|
26
26
|
This InSpec audit resource has the following matchers:
|
27
27
|
|
28
|
-
|
28
|
+
### be
|
29
29
|
|
30
30
|
<%= partial "/shared/matcher_be" %>
|
31
31
|
|
32
|
-
|
32
|
+
### be_installed
|
33
33
|
|
34
34
|
The `be_installed` matcher tests if the named Gem package and package version (if specified) is installed:
|
35
35
|
|
36
36
|
it { should be_installed }
|
37
37
|
|
38
|
-
|
38
|
+
### cmp
|
39
39
|
|
40
40
|
<%= partial "/shared/matcher_cmp" %>
|
41
41
|
|
42
|
-
|
42
|
+
### eq
|
43
43
|
|
44
44
|
<%= partial "/shared/matcher_eq" %>
|
45
45
|
|
46
|
-
|
46
|
+
### include
|
47
47
|
|
48
48
|
<%= partial "/shared/matcher_include" %>
|
49
49
|
|
50
|
-
|
50
|
+
### match
|
51
51
|
|
52
52
|
<%= partial "/shared/matcher_match" %>
|
53
53
|
|
54
|
-
|
54
|
+
### version
|
55
55
|
|
56
56
|
The `version` matcher tests if the named package version is on the system:
|
57
57
|
|
58
58
|
its('version') { should eq '1.2.3' }
|
59
59
|
|
60
|
-
|
60
|
+
## Examples
|
61
61
|
|
62
62
|
The following examples show how to use this InSpec audit resource.
|
63
63
|
|
64
|
-
|
64
|
+
### Verify that bower is installed, with a specific version
|
65
65
|
|
66
66
|
describe npm('bower') do
|
67
67
|
it { should be_installed }
|
68
68
|
its('version') { should eq '1.4.1' }
|
69
69
|
end
|
70
70
|
|
71
|
-
|
71
|
+
### Verify that statsd is not installed
|
72
72
|
|
73
73
|
describe npm('statsd') do
|
74
74
|
it { should_not be_installed }
|
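Review bot: the `be_installed` description at line 34 says it "tests if the named Gem package and package version (if specified) is installed", but this page documents the `npm` resource. Replace "Gem package" with "NPM package" so the text matches the intro and the `npm('bower')` example.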
@@ -7,7 +7,7 @@ title: About the ntp_conf Resource
|
|
7
7
|
Use the `ntp_conf` InSpec audit resource to test the synchronization settings defined in the `ntp.conf` file. This file is typically located at `/etc/ntp.conf`.
|
8
8
|
|
9
9
|
|
10
|
-
|
10
|
+
## Syntax
|
11
11
|
|
12
12
|
An `ntp_conf` resource block declares the synchronization settings that should be tested:
|
13
13
|
|
@@ -22,7 +22,7 @@ where
|
|
22
22
|
* `{ should eq 'value' }` is the value that is expected
|
23
23
|
|
24
24
|
|
25
|
-
|
25
|
+
## Matchers
|
26
26
|
|
27
27
|
This resource matches any service that is listed in the `ntp.conf` file:
|
28
28
|
|
@@ -40,31 +40,31 @@ For example:
|
|
40
40
|
end
|
41
41
|
|
42
42
|
|
43
|
-
|
43
|
+
### be
|
44
44
|
|
45
45
|
<%= partial "/shared/matcher_be" %>
|
46
46
|
|
47
|
-
|
47
|
+
### cmp
|
48
48
|
|
49
49
|
<%= partial "/shared/matcher_cmp" %>
|
50
50
|
|
51
|
-
|
51
|
+
### eq
|
52
52
|
|
53
53
|
<%= partial "/shared/matcher_eq" %>
|
54
54
|
|
55
|
-
|
55
|
+
### include
|
56
56
|
|
57
57
|
<%= partial "/shared/matcher_include" %>
|
58
58
|
|
59
|
-
|
59
|
+
### match
|
60
60
|
|
61
61
|
<%= partial "/shared/matcher_match" %>
|
62
62
|
|
63
|
-
|
63
|
+
## Examples
|
64
64
|
|
65
65
|
The following examples show how to use this InSpec audit resource.
|
66
66
|
|
67
|
-
|
67
|
+
### Test for clock drift against named servers
|
68
68
|
|
69
69
|
describe ntp_conf do
|
70
70
|
its('driftfile') { should eq '/var/lib/ntp/ntp.drift' }
|
@@ -6,7 +6,7 @@ title: About the oneget Resource
|
|
6
6
|
|
7
7
|
Use the `oneget` InSpec audit resource to test if the named package and/or package version is installed on the system. This resource uses Oneget, which is `part of the Windows Management Framework 5.0 and Windows 10 <https://github.com/OneGet/oneget>`__. This resource uses the `Get-Package` cmdlet to return all of the package names in the Oneget repository.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `oneget` resource block declares a package and (optionally) a package version:
|
12
12
|
|
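Review bot: the intro at line 7 still carries reStructuredText link markup inside a Markdown template: `part of the Windows Management Framework 5.0 and Windows 10 <https://github.com/OneGet/oneget>` wrapped in backticks with a trailing `__`. It will not render as a link; convert it to `[part of the Windows Management Framework 5.0 and Windows 10](https://github.com/OneGet/oneget)`. The syntax sentence at line 11 also reads "A `oneget`" where "An `oneget`" is expected.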
@@ -20,47 +20,47 @@ where
|
|
20
20
|
* `be_installed` is a valid matcher for this resource
|
21
21
|
|
22
22
|
|
23
|
-
|
23
|
+
## Matchers
|
24
24
|
|
25
25
|
This InSpec audit resource has the following matchers:
|
26
26
|
|
27
|
-
|
27
|
+
### be
|
28
28
|
|
29
29
|
<%= partial "/shared/matcher_be" %>
|
30
30
|
|
31
|
-
|
31
|
+
### be_installed
|
32
32
|
|
33
33
|
The `be_installed` matcher tests if the named package is installed on the system:
|
34
34
|
|
35
35
|
it { should be_installed }
|
36
36
|
|
37
|
-
|
37
|
+
### cmp
|
38
38
|
|
39
39
|
<%= partial "/shared/matcher_cmp" %>
|
40
40
|
|
41
|
-
|
41
|
+
### eq
|
42
42
|
|
43
43
|
<%= partial "/shared/matcher_eq" %>
|
44
44
|
|
45
|
-
|
45
|
+
### include
|
46
46
|
|
47
47
|
<%= partial "/shared/matcher_include" %>
|
48
48
|
|
49
|
-
|
49
|
+
### match
|
50
50
|
|
51
51
|
<%= partial "/shared/matcher_match" %>
|
52
52
|
|
53
|
-
|
53
|
+
### version
|
54
54
|
|
55
55
|
The `version` matcher tests if the named package version is on the system:
|
56
56
|
|
57
57
|
its('version') { should eq '1.2.3' }
|
58
58
|
|
59
|
-
|
59
|
+
## Examples
|
60
60
|
|
61
61
|
The following examples show how to use this InSpec audit resource.
|
62
62
|
|
63
|
-
|
63
|
+
### Test if VLC is installed
|
64
64
|
|
65
65
|
describe oneget('VLC') do
|
66
66
|
it { should be_installed }
|