inspec 1.0.0 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +46 -3
- data/Gemfile +4 -1
- data/README.md +3 -0
- data/docs/dsl_inspec.md +3 -3
- data/docs/profiles.md +17 -0
- data/docs/resources/apache_conf.md.erb +10 -10
- data/docs/resources/apt.md.erb +13 -13
- data/docs/resources/audit_policy.md.erb +10 -10
- data/docs/resources/auditd_conf.md.erb +10 -10
- data/docs/resources/auditd_rules.md.erb +11 -11
- data/docs/resources/bash.md.erb +12 -12
- data/docs/resources/bond.md.erb +15 -15
- data/docs/resources/bridge.md.erb +11 -11
- data/docs/resources/bsd_service.md.erb +11 -11
- data/docs/resources/command.md.erb +21 -21
- data/docs/resources/csv.md.erb +10 -10
- data/docs/resources/directory.md.erb +8 -8
- data/docs/resources/etc_group.md.erb +16 -16
- data/docs/resources/etc_passwd.md.erb +17 -17
- data/docs/resources/etc_shadow.md.erb +19 -19
- data/docs/resources/file.md.erb +58 -58
- data/docs/resources/gem.md.erb +12 -12
- data/docs/resources/group.md.erb +12 -12
- data/docs/resources/grub_conf.md.erb +11 -11
- data/docs/resources/host.md.erb +13 -13
- data/docs/resources/iis_site.md.erb +16 -16
- data/docs/resources/inetd_conf.md.erb +10 -10
- data/docs/resources/ini.md.erb +9 -9
- data/docs/resources/interface.md.erb +11 -11
- data/docs/resources/iptables.md.erb +11 -11
- data/docs/resources/json.md.erb +10 -10
- data/docs/resources/kernel_module.md.erb +10 -10
- data/docs/resources/kernel_parameter.md.erb +12 -12
- data/docs/resources/launchd_service.md.erb +11 -11
- data/docs/resources/limits_conf.md.erb +10 -10
- data/docs/resources/login_def.md.erb +12 -12
- data/docs/resources/mount.md.erb +13 -13
- data/docs/resources/mysql_conf.md.erb +14 -14
- data/docs/resources/mysql_session.md.erb +10 -10
- data/docs/resources/npm.md.erb +12 -12
- data/docs/resources/ntp_conf.md.erb +9 -9
- data/docs/resources/oneget.md.erb +11 -11
- data/docs/resources/os.md.erb +13 -13
- data/docs/resources/os_env.md.erb +12 -12
- data/docs/resources/package.md.erb +15 -15
- data/docs/resources/parse_config.md.erb +13 -13
- data/docs/resources/parse_config_file.md.erb +22 -16
- data/docs/resources/pip.md.erb +12 -12
- data/docs/resources/port.md.erb +18 -18
- data/docs/resources/postgres_conf.md.erb +13 -13
- data/docs/resources/postgres_session.md.erb +11 -11
- data/docs/resources/powershell.md.erb +13 -13
- data/docs/resources/process.md.erb +12 -12
- data/docs/resources/registry_key.md.erb +17 -17
- data/docs/resources/runit_service.md.erb +11 -11
- data/docs/resources/security_policy.md.erb +10 -10
- data/docs/resources/service.md.erb +17 -17
- data/docs/resources/ssh_config.md.erb +13 -13
- data/docs/resources/sshd_config.md.erb +14 -14
- data/docs/resources/ssl.md.erb +12 -12
- data/docs/resources/sys_info.md.erb +10 -10
- data/docs/resources/systemd_service.md.erb +11 -11
- data/docs/resources/sysv_service.md.erb +11 -11
- data/docs/resources/upstart_service.md.erb +11 -11
- data/docs/resources/user.md.erb +20 -20
- data/docs/resources/users.md.erb +19 -19
- data/docs/resources/vbscript.md.erb +9 -9
- data/docs/resources/windows_feature.md.erb +10 -10
- data/docs/resources/wmi.md.erb +10 -10
- data/docs/resources/xinetd_conf.md.erb +17 -17
- data/docs/resources/yaml.md.erb +10 -10
- data/docs/resources/yum.md.erb +16 -16
- data/examples/meta-profile/README.md +0 -5
- data/lib/inspec/base_cli.rb +6 -0
- data/lib/inspec/cli.rb +10 -3
- data/lib/inspec/profile.rb +3 -3
- data/lib/inspec/rspec_json_formatter.rb +24 -15
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/registry_key.rb +15 -5
- data/lib/utils/filter.rb +1 -0
- metadata +3 -4
data/docs/resources/pip.md.erb
CHANGED
@@ -6,7 +6,7 @@ title: About the pip Resource
|
|
6
6
|
|
7
7
|
Use the `pip` InSpec audit resource to test packages that are installed using the Python PIP installer.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `pip` resource block declares a package and (optionally) a package version:
|
12
12
|
|
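Review bot: every changed line in this hunk is a heading (`## Syntax`) removed and re-added with identical text, and the file's `+12 -12` count in the summary matches its heading count, so this looks like a whitespace-only cleanup with no doc content change; worth confirming that the removed whitespace was not load-bearing for the ERB rendering, but otherwise nothing to address.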
@@ -20,53 +20,53 @@ where
|
|
20
20
|
* `be_installed` tests to see if the `Jinja2` package is installed
|
21
21
|
|
22
22
|
|
23
|
-
|
23
|
+
## Matchers
|
24
24
|
|
25
25
|
This InSpec audit resource has the following matchers:
|
26
26
|
|
27
|
-
|
27
|
+
### be
|
28
28
|
|
29
29
|
<%= partial "/shared/matcher_be" %>
|
30
30
|
|
31
|
-
|
31
|
+
### be_installed
|
32
32
|
|
33
33
|
The `be_installed` matcher tests if the named package is installed on the system:
|
34
34
|
|
35
35
|
it { should be_installed }
|
36
36
|
|
37
|
-
|
37
|
+
### cmp
|
38
38
|
|
39
39
|
<%= partial "/shared/matcher_cmp" %>
|
40
40
|
|
41
|
-
|
41
|
+
### eq
|
42
42
|
|
43
43
|
<%= partial "/shared/matcher_eq" %>
|
44
44
|
|
45
|
-
|
45
|
+
### include
|
46
46
|
|
47
47
|
<%= partial "/shared/matcher_include" %>
|
48
48
|
|
49
|
-
|
49
|
+
### match
|
50
50
|
|
51
51
|
<%= partial "/shared/matcher_match" %>
|
52
52
|
|
53
|
-
|
53
|
+
### version
|
54
54
|
|
55
55
|
The `version` matcher tests if the named package version is on the system:
|
56
56
|
|
57
57
|
its('version') { should eq '1.2.3' }
|
58
58
|
|
59
|
-
|
59
|
+
## Examples
|
60
60
|
|
61
61
|
The following examples show how to use this InSpec audit resource.
|
62
62
|
|
63
|
-
|
63
|
+
### Test if Jinja2 is installed on the system
|
64
64
|
|
65
65
|
describe pip('Jinja2') do
|
66
66
|
it { should be_installed }
|
67
67
|
end
|
68
68
|
|
69
|
-
|
69
|
+
### Test if Jinja2 2.8 is installed on the system
|
70
70
|
|
71
71
|
describe pip('Jinja2') do
|
72
72
|
it { should be_installed }
|
data/docs/resources/port.md.erb
CHANGED
@@ -6,7 +6,7 @@ title: About the port Resource
|
|
6
6
|
|
7
7
|
Use the `port` InSpec audit resource to test basic port properties, such as port, process, if it's listening.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `port` resource block declares a port, and then depending on what needs to be tested, a process, protocol, process identifier, and its state (is it listening?):
|
12
12
|
|
@@ -35,55 +35,55 @@ For example, to test if the SSH daemon is available on a Linux machine via the d
|
|
35
35
|
its('addresses') { should include '0.0.0.0' }
|
36
36
|
end
|
37
37
|
|
38
|
-
|
38
|
+
## Matchers
|
39
39
|
|
40
40
|
This InSpec audit resource has the following matchers:
|
41
41
|
|
42
|
-
|
42
|
+
### address
|
43
43
|
|
44
44
|
The `addresses` matcher tests if the specified address is associated with a port:
|
45
45
|
|
46
46
|
its('addresses') { should include '0.0.0.0' }
|
47
47
|
|
48
|
-
|
48
|
+
### be
|
49
49
|
|
50
50
|
<%= partial "/shared/matcher_be" %>
|
51
51
|
|
52
|
-
|
52
|
+
### be_listening
|
53
53
|
|
54
54
|
The `be_listening` matcher tests if the port is listening for traffic:
|
55
55
|
|
56
56
|
it { should be_listening }
|
57
57
|
|
58
|
-
|
58
|
+
### cmp
|
59
59
|
|
60
60
|
<%= partial "/shared/matcher_cmp" %>
|
61
61
|
|
62
|
-
|
62
|
+
### eq
|
63
63
|
|
64
64
|
<%= partial "/shared/matcher_eq" %>
|
65
65
|
|
66
|
-
|
66
|
+
### include
|
67
67
|
|
68
68
|
<%= partial "/shared/matcher_include" %>
|
69
69
|
|
70
|
-
|
70
|
+
### match
|
71
71
|
|
72
72
|
<%= partial "/shared/matcher_match" %>
|
73
73
|
|
74
|
-
|
74
|
+
### pids
|
75
75
|
|
76
76
|
The `pids` matcher tests the process identifiers (PIDs):
|
77
77
|
|
78
78
|
its('pids') { should eq ['27808'] }
|
79
79
|
|
80
|
-
|
80
|
+
### processes
|
81
81
|
|
82
82
|
The `processes` matcher tests if the named process is running on the system:
|
83
83
|
|
84
84
|
its('processes') { should eq ['syslog'] }
|
85
85
|
|
86
|
-
|
86
|
+
### protocols
|
87
87
|
|
88
88
|
The `protocols` matcher tests the Internet protocol: ICMP (`'icmp'`), TCP (`'tcp'` or `'tcp6'`), or UDP (`'udp'` or `'udp6'`):
|
89
89
|
|
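Review bot: the heading `### address` does not match the matcher it documents, which is `addresses` (the text and the example both read `its('addresses') { should include '0.0.0.0' }`); since this hunk already touches that heading line, rename it to `### addresses` so the section is findable under the name a profile author actually writes.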
@@ -93,18 +93,18 @@ or for the IPv6 protocol:
|
|
93
93
|
|
94
94
|
its('protocols') { should include 'tcp6' }
|
95
95
|
|
96
|
-
|
96
|
+
## Examples
|
97
97
|
|
98
98
|
The following examples show how to use this InSpec audit resource.
|
99
99
|
|
100
|
-
|
100
|
+
### Test port 80, listening with the TCP protocol
|
101
101
|
|
102
102
|
describe port(80) do
|
103
103
|
it { should be_listening }
|
104
104
|
its('protocols') {should eq ['tcp']}
|
105
105
|
end
|
106
106
|
|
107
|
-
|
107
|
+
### Test port 80, on a specific address
|
108
108
|
|
109
109
|
A specific port address may be checked using either of the following examples:
|
110
110
|
|
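Review bot: the block in the `Test port 80, listening with the TCP protocol` example is inconsistently spaced, `its('protocols') {should eq ['tcp']}`, while every other example in this file uses `{ should ... }`; since the hunk rewrites the surrounding heading lines anyway, normalise the braces to `its('protocols') { should eq ['tcp'] }` so the docs match the style a linter would accept.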
@@ -119,14 +119,14 @@ or:
|
|
119
119
|
it { should be_listening }
|
120
120
|
end
|
121
121
|
|
122
|
-
|
122
|
+
### Test port 80, listening with TCP version IPv6 protocol
|
123
123
|
|
124
124
|
describe port(80) do
|
125
125
|
it { should be_listening }
|
126
126
|
its('protocols') {should eq ['tcp6']}
|
127
127
|
end
|
128
128
|
|
129
|
-
|
129
|
+
### Test that only secure ports accept requests
|
130
130
|
|
131
131
|
describe port(80) do
|
132
132
|
it { should_not be_listening }
|
@@ -137,7 +137,7 @@ or:
|
|
137
137
|
its('protocols') {should eq ['tcp']}
|
138
138
|
end
|
139
139
|
|
140
|
-
|
140
|
+
### Verify port 65432 is not listening
|
141
141
|
|
142
142
|
describe port(22) do
|
143
143
|
it { should be_listening }
|
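Review bot: the heading `### Verify port 65432 is not listening` is contradicted by the example beneath it, which is `describe port(22) do` with `it { should be_listening }`, i.e. a different port and the opposite assertion; either the heading should describe the SSH positive test or the example should become `describe port(65432) do` with `it { should_not be_listening }`. As written a reader copying the example gets the inverse of what the title promises.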
@@ -6,7 +6,7 @@ title: About the postgres_conf Resource
|
|
6
6
|
|
7
7
|
Use the `postgres_conf` InSpec audit resource to test the contents of the configuration file for PostgreSQL, typically located at `/etc/postgresql/<version>/main/postgresql.conf` or `/var/lib/postgres/data/postgresql.conf`, depending on the platform.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `postgres_conf` resource block declares one (or more) settings in the `postgresql.conf` file, and then compares the setting in the configuration file to the value stated in the test:
|
12
12
|
|
@@ -20,31 +20,31 @@ where
|
|
20
20
|
* `('path')` is the non-default path to the `postgresql.conf` file (optional)
|
21
21
|
* `should eq 'value'` is the value that is expected
|
22
22
|
|
23
|
-
|
23
|
+
## Matchers
|
24
24
|
|
25
25
|
This InSpec audit resource has the following matchers:
|
26
26
|
|
27
|
-
|
27
|
+
### be
|
28
28
|
|
29
29
|
<%= partial "/shared/matcher_be" %>
|
30
30
|
|
31
|
-
|
31
|
+
### cmp
|
32
32
|
|
33
33
|
<%= partial "/shared/matcher_cmp" %>
|
34
34
|
|
35
|
-
|
35
|
+
### eq
|
36
36
|
|
37
37
|
<%= partial "/shared/matcher_eq" %>
|
38
38
|
|
39
|
-
|
39
|
+
### include
|
40
40
|
|
41
41
|
<%= partial "/shared/matcher_include" %>
|
42
42
|
|
43
|
-
|
43
|
+
### match
|
44
44
|
|
45
45
|
<%= partial "/shared/matcher_match" %>
|
46
46
|
|
47
|
-
|
47
|
+
### setting
|
48
48
|
|
49
49
|
The `setting` matcher tests specific, named settings in the `postgresql.conf` file:
|
50
50
|
|
@@ -52,17 +52,17 @@ The `setting` matcher tests specific, named settings in the `postgresql.conf` fi
|
|
52
52
|
|
53
53
|
Use a `setting` matcher for each setting to be tested.
|
54
54
|
|
55
|
-
|
55
|
+
## Examples
|
56
56
|
|
57
57
|
The following examples show how to use this InSpec audit resource.
|
58
58
|
|
59
|
-
|
59
|
+
### Test the maximum number of allowed client connections
|
60
60
|
|
61
61
|
describe postgres_conf do
|
62
62
|
its('max_connections') { should eq '5' }
|
63
63
|
end
|
64
64
|
|
65
|
-
|
65
|
+
### Test system logging
|
66
66
|
|
67
67
|
describe postgres_conf do
|
68
68
|
its('logging_collector') { should eq 'on' }
|
@@ -73,13 +73,13 @@ The following examples show how to use this InSpec audit resource.
|
|
73
73
|
its('log_line_prefix') { should eq '%t %u %d %h' }
|
74
74
|
end
|
75
75
|
|
76
|
-
|
76
|
+
### Test the port on which PostgreSQL listens
|
77
77
|
|
78
78
|
describe postgres_conf do
|
79
79
|
its('port') { should eq '5432' }
|
80
80
|
end
|
81
81
|
|
82
|
-
|
82
|
+
### Test the Unix socket settings
|
83
83
|
|
84
84
|
describe postgres_conf do
|
85
85
|
its('unix_socket_directories') { should eq '.s.PGSQL.5432' }
|
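Review bot: the `Test the Unix socket settings` example asserts `its('unix_socket_directories') { should eq '.s.PGSQL.5432' }`, but `unix_socket_directories` holds a directory path (for example `/var/run/postgresql`), whereas `.s.PGSQL.5432` is the name of the socket file PostgreSQL creates inside that directory; the example value cannot match a real configuration and should be replaced with a directory path.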
@@ -6,7 +6,7 @@ title: About the postgres_session Resource
|
|
6
6
|
|
7
7
|
Use the `postgres_session` InSpec audit resource to test SQL commands run against a PostgreSQL database.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `postgres_session` resource block declares the username and password to use for the session, and then the command to be run:
|
12
12
|
|
@@ -22,41 +22,41 @@ where
|
|
22
22
|
* `sql.query('')` contains the query to be run
|
23
23
|
* `its('output') { should eq('') }` compares the results of the query against the expected result in the test
|
24
24
|
|
25
|
-
|
25
|
+
## Matchers
|
26
26
|
|
27
27
|
This InSpec audit resource has the following matchers:
|
28
28
|
|
29
|
-
|
29
|
+
### be
|
30
30
|
|
31
31
|
<%= partial "/shared/matcher_be" %>
|
32
32
|
|
33
|
-
|
33
|
+
### cmp
|
34
34
|
|
35
35
|
<%= partial "/shared/matcher_cmp" %>
|
36
36
|
|
37
|
-
|
37
|
+
### eq
|
38
38
|
|
39
39
|
<%= partial "/shared/matcher_eq" %>
|
40
40
|
|
41
|
-
|
41
|
+
### include
|
42
42
|
|
43
43
|
<%= partial "/shared/matcher_include" %>
|
44
44
|
|
45
|
-
|
45
|
+
### match
|
46
46
|
|
47
47
|
<%= partial "/shared/matcher_match" %>
|
48
48
|
|
49
|
-
|
49
|
+
### output
|
50
50
|
|
51
51
|
The `output` matcher tests the results of the query:
|
52
52
|
|
53
53
|
its('output') { should eq(/^0/) }
|
54
54
|
|
55
|
-
|
55
|
+
## Examples
|
56
56
|
|
57
57
|
The following examples show how to use this InSpec audit resource.
|
58
58
|
|
59
|
-
|
59
|
+
### Test the PostgreSQL shadow password
|
60
60
|
|
61
61
|
sql = postgres_session('my_user', 'password')
|
62
62
|
|
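Review bot: the `output` matcher example uses `its('output') { should eq(/^0/) }`, which compares the query's String output to a Regexp with `eq` and will never pass; the `match` matcher listed just above is the right one here, so the example should read `its('output') { should match(/^0/) }`. Also, the `Test the PostgreSQL shadow password` example hardcodes `postgres_session('my_user', 'password')`; a short note pointing readers to profile attributes instead of literal credentials would stop that pattern being copied into real profiles.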
@@ -64,7 +64,7 @@ The following examples show how to use this InSpec audit resource.
|
|
64
64
|
its('output') { should eq('') }
|
65
65
|
end
|
66
66
|
|
67
|
-
|
67
|
+
### Test for risky database entries
|
68
68
|
|
69
69
|
describe postgres_session('my_user', 'password').query('SELECT count (*)
|
70
70
|
FROM pg_language
|
@@ -6,7 +6,7 @@ title: About the powershell Resource
|
|
6
6
|
|
7
7
|
Use the `powershell` InSpec audit resource to test a Powershell script on the Windows platform.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `powershell` resource block declares a Powershell script to be tested, and then compares the output of that command to the matcher in the test:
|
12
12
|
|
@@ -25,53 +25,53 @@ where
|
|
25
25
|
* `'output'` tests the output of the command run on the system versus the output value stated in the test
|
26
26
|
|
27
27
|
|
28
|
-
|
28
|
+
## Matchers
|
29
29
|
|
30
30
|
This InSpec audit resource has the following matchers:
|
31
31
|
|
32
|
-
|
32
|
+
### be
|
33
33
|
|
34
34
|
<%= partial "/shared/matcher_be" %>
|
35
35
|
|
36
|
-
|
36
|
+
### cmp
|
37
37
|
|
38
38
|
<%= partial "/shared/matcher_cmp" %>
|
39
39
|
|
40
|
-
|
40
|
+
### eq
|
41
41
|
|
42
42
|
<%= partial "/shared/matcher_eq" %>
|
43
43
|
|
44
|
-
|
44
|
+
### exit_status
|
45
45
|
|
46
46
|
The `exit_status` matcher tests the exit status for the command:
|
47
47
|
|
48
48
|
its('exit_status') { should eq 123 }
|
49
49
|
|
50
|
-
|
50
|
+
### include
|
51
51
|
|
52
52
|
<%= partial "/shared/matcher_include" %>
|
53
53
|
|
54
|
-
|
54
|
+
### match
|
55
55
|
|
56
56
|
<%= partial "/shared/matcher_match" %>
|
57
57
|
|
58
|
-
|
58
|
+
### stderr
|
59
59
|
|
60
60
|
The `stderr` matcher tests results of the command as returned in standard error (stderr):
|
61
61
|
|
62
62
|
its('stderr') { should eq 'error' }
|
63
63
|
|
64
|
-
|
64
|
+
### stdout
|
65
65
|
|
66
66
|
The `stdout` matcher tests results of the command as returned in standard output (stdout):
|
67
67
|
|
68
68
|
its('stdout') { should eq '/^1$/' }
|
69
69
|
|
70
|
-
|
70
|
+
## Examples
|
71
71
|
|
72
72
|
The following examples show how to use this InSpec audit resource.
|
73
73
|
|
74
|
-
|
74
|
+
### Get all groups of Administrator user
|
75
75
|
|
76
76
|
script = <<-EOH
|
77
77
|
# find user
|
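Review bot: the `stdout` matcher example, `its('stdout') { should eq '/^1$/' }`, quotes the regex as a String, so `eq` tests for the literal text `/^1$/` rather than a line containing `1`; use the `match` matcher documented above with a real Regexp, `its('stdout') { should match(/^1$/) }`. The same hunk also has `its('stderr') { should eq 'error' }`, which is fine as a literal comparison but is unlikely to match real error output; a `match` example would be more representative.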
@@ -85,7 +85,7 @@ The following examples show how to use this InSpec audit resource.
|
|
85
85
|
its('stdout') { should_not eq '' }
|
86
86
|
end
|
87
87
|
|
88
|
-
|
88
|
+
### Write-Output 'hello'
|
89
89
|
|
90
90
|
The following Powershell script:
|
91
91
|
|
@@ -6,7 +6,7 @@ title: About the processes Resource
|
|
6
6
|
|
7
7
|
Use the `processes` InSpec audit resource to test properties for programs that are running on the system.
|
8
8
|
|
9
|
-
|
9
|
+
## Syntax
|
10
10
|
|
11
11
|
A `processes` resource block declares the name of the process to be tested, and then declares one (or more) property/value pairs:
|
12
12
|
|
@@ -20,53 +20,53 @@ where
|
|
20
20
|
* `property_name` may be used to test user (`its('users')`) and state properties (`its('states')`)
|
21
21
|
|
22
22
|
|
23
|
-
|
23
|
+
## Matchers
|
24
24
|
|
25
25
|
This InSpec audit resource has the following matchers:
|
26
26
|
|
27
|
-
|
27
|
+
### be
|
28
28
|
|
29
29
|
<%= partial "/shared/matcher_be" %>
|
30
30
|
|
31
|
-
|
31
|
+
### cmp
|
32
32
|
|
33
33
|
<%= partial "/shared/matcher_cmp" %>
|
34
34
|
|
35
|
-
|
35
|
+
### eq
|
36
36
|
|
37
37
|
<%= partial "/shared/matcher_eq" %>
|
38
38
|
|
39
|
-
|
39
|
+
### include
|
40
40
|
|
41
41
|
<%= partial "/shared/matcher_include" %>
|
42
42
|
|
43
|
-
|
43
|
+
### match
|
44
44
|
|
45
45
|
<%= partial "/shared/matcher_match" %>
|
46
46
|
|
47
|
-
|
47
|
+
### property_name
|
48
48
|
|
49
49
|
The `property_name` matcher tests the named property for the specified value:
|
50
50
|
|
51
51
|
its('property_name') { should eq ['property_value'] }
|
52
52
|
|
53
|
-
|
53
|
+
## Examples
|
54
54
|
|
55
55
|
The following examples show how to use this InSpec audit resource.
|
56
56
|
|
57
|
-
|
57
|
+
### Test if the list length for the mysqld process is 1
|
58
58
|
|
59
59
|
describe processes('mysqld') do
|
60
60
|
its('list.length') { should eq 1 }
|
61
61
|
end
|
62
62
|
|
63
|
-
|
63
|
+
### Test if the init process is owned by the root user
|
64
64
|
|
65
65
|
describe processes('init') do
|
66
66
|
its('users') { should eq ['root'] }
|
67
67
|
end
|
68
68
|
|
69
|
-
|
69
|
+
### Test if a high-priority process is running
|
70
70
|
|
71
71
|
describe processes('some_process') do
|
72
72
|
its('states') { should eq ['R<'] }
|