inspec 1.40.0 → 1.41.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (114)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +30 -9
  3. data/docs/matchers.md +18 -0
  4. data/docs/plugin_kitchen_inspec.md +18 -24
  5. data/docs/profiles.md +39 -2
  6. data/docs/resources/aide_conf.md.erb +18 -28
  7. data/docs/resources/apache_conf.md.erb +19 -33
  8. data/docs/resources/apt.md.erb +22 -36
  9. data/docs/resources/audit_policy.md.erb +9 -24
  10. data/docs/resources/auditd.md.erb +9 -24
  11. data/docs/resources/auditd_conf.md.erb +20 -34
  12. data/docs/resources/auditd_rules.md.erb +8 -24
  13. data/docs/resources/bash.md.erb +4 -26
  14. data/docs/resources/bond.md.erb +25 -40
  15. data/docs/resources/bridge.md.erb +5 -25
  16. data/docs/resources/bsd_service.md.erb +5 -25
  17. data/docs/resources/command.md.erb +35 -50
  18. data/docs/resources/crontab.md.erb +9 -23
  19. data/docs/resources/csv.md.erb +12 -27
  20. data/docs/resources/dh_params.md +1 -0
  21. data/docs/resources/directory.md.erb +5 -25
  22. data/docs/resources/docker.md.erb +60 -57
  23. data/docs/resources/docker_container.md.erb +23 -19
  24. data/docs/resources/docker_image.md.erb +20 -16
  25. data/docs/resources/etc_fstab.md.erb +5 -2
  26. data/docs/resources/etc_group.md.erb +29 -45
  27. data/docs/resources/etc_hosts.md.erb +6 -0
  28. data/docs/resources/etc_hosts_allow.md.erb +6 -2
  29. data/docs/resources/etc_hosts_deny.md.erb +6 -2
  30. data/docs/resources/file.md.erb +198 -212
  31. data/docs/resources/firewalld.md.erb +7 -1
  32. data/docs/resources/gem.md.erb +21 -35
  33. data/docs/resources/group.md.erb +16 -30
  34. data/docs/resources/grub_conf.md.erb +9 -24
  35. data/docs/resources/host.md.erb +32 -49
  36. data/docs/resources/http.md.erb +38 -44
  37. data/docs/resources/iis_app.md.erb +25 -35
  38. data/docs/resources/iis_site.md.erb +26 -40
  39. data/docs/resources/inetd_conf.md.erb +27 -42
  40. data/docs/resources/ini.md.erb +9 -23
  41. data/docs/resources/interface.md.erb +5 -25
  42. data/docs/resources/iptables.md.erb +15 -29
  43. data/docs/resources/json.md.erb +12 -27
  44. data/docs/resources/kernel_module.md.erb +47 -61
  45. data/docs/resources/kernel_parameter.md.erb +15 -29
  46. data/docs/resources/key_rsa.md.erb +3 -0
  47. data/docs/resources/launchd_service.md.erb +5 -25
  48. data/docs/resources/limits_conf.md.erb +15 -29
  49. data/docs/resources/login_def.md.erb +15 -30
  50. data/docs/resources/mount.md.erb +18 -33
  51. data/docs/resources/mssql_session.md.erb +9 -12
  52. data/docs/resources/mysql_conf.md.erb +17 -32
  53. data/docs/resources/mysql_session.md.erb +15 -29
  54. data/docs/resources/nginx.md.erb +6 -0
  55. data/docs/resources/nginx_conf.md.erb +25 -20
  56. data/docs/resources/npm.md.erb +19 -35
  57. data/docs/resources/ntp_conf.md.erb +20 -37
  58. data/docs/resources/oneget.md.erb +15 -30
  59. data/docs/resources/oracledb_session.md.erb +9 -11
  60. data/docs/resources/os.md.erb +29 -43
  61. data/docs/resources/os_env.md.erb +29 -44
  62. data/docs/resources/package.md.erb +33 -42
  63. data/docs/resources/parse_config.md.erb +5 -25
  64. data/docs/resources/parse_config_file.md.erb +31 -43
  65. data/docs/resources/passwd.md.erb +24 -39
  66. data/docs/resources/pip.md.erb +20 -35
  67. data/docs/resources/port.md.erb +43 -57
  68. data/docs/resources/postgres_conf.md.erb +17 -31
  69. data/docs/resources/postgres_hba_conf.md.erb +26 -38
  70. data/docs/resources/postgres_ident_conf.md.erb +25 -37
  71. data/docs/resources/postgres_session.md.erb +15 -29
  72. data/docs/resources/powershell.md.erb +27 -42
  73. data/docs/resources/processes.md.erb +17 -33
  74. data/docs/resources/rabbitmq_config.md.erb +9 -24
  75. data/docs/resources/registry_key.md.erb +27 -42
  76. data/docs/resources/runit_service.md.erb +5 -25
  77. data/docs/resources/security_policy.md.erb +12 -27
  78. data/docs/resources/service.md.erb +27 -42
  79. data/docs/resources/shadow.md.erb +20 -35
  80. data/docs/resources/ssh_config.md.erb +19 -34
  81. data/docs/resources/sshd_config.md.erb +19 -34
  82. data/docs/resources/ssl.md.erb +39 -54
  83. data/docs/resources/sys_info.md.erb +12 -26
  84. data/docs/resources/systemd_service.md.erb +5 -25
  85. data/docs/resources/sysv_service.md.erb +5 -25
  86. data/docs/resources/upstart_service.md.erb +5 -25
  87. data/docs/resources/user.md.erb +29 -44
  88. data/docs/resources/users.md.erb +12 -26
  89. data/docs/resources/vbscript.md.erb +9 -24
  90. data/docs/resources/virtualization.md.erb +8 -23
  91. data/docs/resources/windows_feature.md.erb +15 -30
  92. data/docs/resources/windows_hotfix.md.erb +15 -9
  93. data/docs/resources/windows_task.md.erb +12 -26
  94. data/docs/resources/wmi.md.erb +9 -24
  95. data/docs/resources/x509_certificate.md.erb +4 -0
  96. data/docs/resources/xinetd_conf.md.erb +65 -80
  97. data/docs/resources/xml.md.erb +12 -26
  98. data/docs/resources/yaml.md.erb +12 -27
  99. data/docs/resources/yum.md.erb +37 -51
  100. data/docs/resources/zfs_dataset.md.erb +15 -26
  101. data/docs/resources/zfs_pool.md.erb +9 -20
  102. data/lib/inspec/backend.rb +8 -0
  103. data/lib/inspec/profile.rb +9 -1
  104. data/lib/inspec/shell.rb +13 -13
  105. data/lib/inspec/version.rb +1 -1
  106. data/lib/matchers/matchers.rb +2 -0
  107. data/lib/resources/etc_hosts.rb +1 -1
  108. data/lib/resources/host.rb +4 -1
  109. data/lib/resources/http.rb +173 -23
  110. data/lib/resources/processes.rb +106 -20
  111. data/lib/resources/ssh_conf.rb +1 -1
  112. data/lib/resources/ssl.rb +4 -3
  113. data/lib/utils/object_traversal.rb +35 -10
  114. metadata +2 -2
@@ -6,6 +6,8 @@ title: About the command Resource
6
6
 
7
7
  Use the `command` InSpec audit resource to test an arbitrary command that is run on the system.
8
8
 
9
+ <br>
10
+
9
11
  ## Syntax
10
12
 
11
13
  A `command` resource block declares a command to be run, one (or more) expected outputs, and the location to which that output is sent:
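Review bot: The `<br>` added before `## Syntax` is raw HTML used only for vertical spacing in a Markdown source. The same tag is inserted before headings throughout the resource docs in this diff; a heading margin in the site stylesheet would give the same spacing without presentational markup in every `.md.erb` file.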
@@ -21,56 +23,7 @@ where
21
23
  * `'matcher'` is one of `exit_status`, `stderr`, or `stdout`
22
24
  * `'output'` tests the output of the command run on the system versus the output value stated in the test
23
25
 
24
-
25
- ## Matchers
26
-
27
- This InSpec audit resource has the following matchers:
28
-
29
- ### be
30
-
31
- <%= partial "/shared/matcher_be" %>
32
-
33
- ### cmp
34
-
35
- <%= partial "/shared/matcher_cmp" %>
36
-
37
- ### eq
38
-
39
- <%= partial "/shared/matcher_eq" %>
40
-
41
- ### exist
42
-
43
- The `exist` matcher tests if a command may be run on the system:
44
-
45
- it { should exist }
46
-
47
- ### exit_status
48
-
49
- The `exit_status` matcher tests the exit status for the command:
50
-
51
- its('exit_status') { should eq 123 }
52
-
53
- ### include
54
-
55
- <%= partial "/shared/matcher_include" %>
56
-
57
- ### match
58
-
59
- <%= partial "/shared/matcher_match" %>
60
-
61
- ### stderr
62
-
63
- The `stderr` matcher tests results of the command as returned in standard error (stderr):
64
-
65
- its('stderr') { should eq 'error' }
66
-
67
- ### stdout
68
-
69
- The `stdout` matcher tests results of the command as returned in standard output (stdout). The following example shows matching output using a regular expression:
70
-
71
- describe command('echo 1') do
72
- its('stdout') { should match (/[0-9]/) }
73
- end
26
+ <br>
74
27
 
75
28
  ## Examples
76
29
 
@@ -149,3 +102,35 @@ Wix includes serveral tools -- such as `candle` (preprocesses and compiles sourc
149
102
  it { should be_file }
150
103
  end
151
104
  end
105
+
106
+ <br>
107
+
108
+ ## Matchers
109
+
110
+ This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
111
+
112
+ ### exist
113
+
114
+ The `exist` matcher tests if a command may be run on the system:
115
+
116
+ it { should exist }
117
+
118
+ ### exit_status
119
+
120
+ The `exit_status` matcher tests the exit status for the command:
121
+
122
+ its('exit_status') { should eq 123 }
123
+
124
+ ### stderr
125
+
126
+ The `stderr` matcher tests results of the command as returned in standard error (stderr):
127
+
128
+ its('stderr') { should eq 'error' }
129
+
130
+ ### stdout
131
+
132
+ The `stdout` matcher tests results of the command as returned in standard output (stdout). The following example shows matching output using a regular expression:
133
+
134
+ describe command('echo 1') do
135
+ its('stdout') { should match (/[0-9]/) }
136
+ end
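Review bot: The sentence added under `## Matchers` hard-codes the absolute URL `https://www.inspec.io/docs/reference/matchers/`, and the same sentence is repeated in the other resource files in this diff, whereas the lines it replaces pulled shared text in with `<%= partial "/shared/matcher_be" %>` and similar. Moving the pointer into one shared partial would keep the link maintainable in a single place. While the block is being moved, `should match (/[0-9]/)` could also drop the space before the parenthesis, since Ruby reads that form as a grouped expression and may warn about it.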
@@ -6,6 +6,8 @@ title: About the crontab Resource
6
6
 
7
7
  Use the `crontab` InSpec audit resource to test the crontab entries for a particular user on the system. It recognizes special time strings (@yearly, @weekly, etc).
8
8
 
9
+ <br>
10
+
9
11
  ## Syntax
10
12
 
11
13
  A `crontab` resource block declares a user (which defaults to the current user, if not specified), and then the details to be tested, such as the schedule elements for each crontab entry or the commands itself:
@@ -14,29 +16,7 @@ A `crontab` resource block declares a user (which defaults to the current user,
14
16
  its('commands') { should include '/some/scheduled/task.sh' }
15
17
  end
16
18
 
17
- ## Matchers
18
-
19
- This InSpec audit resource has the following matchers:
20
-
21
- ### be
22
-
23
- <%= partial "/shared/matcher_be" %>
24
-
25
- ### cmp
26
-
27
- <%= partial "/shared/matcher_cmp" %>
28
-
29
- ### eq
30
-
31
- <%= partial "/shared/matcher_eq" %>
32
-
33
- ### include
34
-
35
- <%= partial "/shared/matcher_include" %>
36
-
37
- ### match
38
-
39
- <%= partial "/shared/matcher_match" %>
19
+ <br>
40
20
 
41
21
  ## Examples
42
22
 
@@ -82,3 +62,9 @@ The following examples show how to use this InSpec audit resource.
82
62
  its('hours') { should cmp '-1' }
83
63
  its('minutes') { should cmp '-1' }
84
64
  end
65
+
66
+ <br>
67
+
68
+ ## Matchers
69
+
70
+ For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
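Review bot: The new `## Matchers` section at the end of the crontab page contains only the link to the generic matchers page and documents nothing specific to this resource, even though the context lines use `its('commands')`, `its('hours')` and `its('minutes')`. Either list those properties here, as the command and csv pages do for theirs, or drop the heading so the page does not end on an empty section.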
@@ -6,6 +6,8 @@ title: About the csv Resource
6
6
 
7
7
  Use the `csv` InSpec audit resource to test configuration data in a CSV file.
8
8
 
9
+ <br>
10
+
9
11
  ## Syntax
10
12
 
11
13
  A `csv` resource block declares the configuration data to be tested:
@@ -20,43 +22,26 @@ where
20
22
  * `name` is a configuration setting in a CSV file
21
23
  * `should eq 'foo'` tests a value of `name` as read from a CSV file versus the value declared in the test
22
24
 
25
+ <br>
23
26
 
24
- ## Matchers
25
-
26
- This InSpec audit resource has the following matchers:
27
-
28
- ### be
29
-
30
- <%= partial "/shared/matcher_be" %>
31
-
32
- ### cmp
33
-
34
- <%= partial "/shared/matcher_cmp" %>
27
+ ## Examples
35
28
 
36
- ### eq
29
+ The following examples show how to use this InSpec audit resource.
37
30
 
38
- <%= partial "/shared/matcher_eq" %>
31
+ ### Test a CSV file
39
32
 
40
- ### include
33
+ describe csv('some_file.csv') do
34
+ its('setting') { should eq 1 }
35
+ end
41
36
 
42
- <%= partial "/shared/matcher_include" %>
37
+ <br>
43
38
 
44
- ### match
39
+ ## Matchers
45
40
 
46
- <%= partial "/shared/matcher_match" %>
41
+ This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
47
42
 
48
43
  ### name
49
44
 
50
45
  The `name` matcher tests the value of `name` as read from a CSV file versus the value declared in the test:
51
46
 
52
47
  its('name') { should eq 'foo' }
53
-
54
- ## Examples
55
-
56
- The following examples show how to use this InSpec audit resource.
57
-
58
- ### Test a CSV file
59
-
60
- describe csv('some_file.csv') do
61
- its('setting') { should eq 1 }
62
- end
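Review bot: The example moved up under `### Test a CSV file` compares with an integer, `its('setting') { should eq 1 }`, while the `name` matcher further down compares with a string, `should eq 'foo'`. With the `eq` and `cmp` partials removed from this page, nothing here tells the reader which comparison is type-strict; confirm what type the resource returns for a CSV value and make the example consistent, for instance by using `cmp` if a loose comparison is intended.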
@@ -6,6 +6,7 @@ title: The dh_params Resource
6
6
 
7
7
  Use the `dh_params` InSpec audit resource to test Diffie-Hellman (DH) parameters.
8
8
 
9
+ <br>
9
10
 
10
11
  ## Syntax
11
12
 
@@ -6,6 +6,8 @@ title: About the directory Resource
6
6
 
7
7
  Use the `directory` InSpec audit resource to test if the file type is a directory. This is equivalent to using the `file` resource and the `be_directory` matcher, but provides a simpler and more direct way to test directories. All of the matchers available to `file` may be used with `directory`.
8
8
 
9
+ <br>
10
+
9
11
  ## Syntax
10
12
 
11
13
  A `directory` resource block declares the location of the directory to be tested, and then one (or more) matchers:
@@ -14,30 +16,8 @@ A `directory` resource block declares the location of the directory to be tested
14
16
  it { should MATCHER 'value' }
15
17
  end
16
18
 
17
- ## Matchers
18
-
19
- This resource may use any of the matchers available to the `file` resource that may be useful when testing a directory.
20
-
21
- ### be
22
-
23
- <%= partial "/shared/matcher_be" %>
24
-
25
- ### cmp
26
-
27
- <%= partial "/shared/matcher_cmp" %>
19
+ <br>
28
20
 
29
- ### eq
30
-
31
- <%= partial "/shared/matcher_eq" %>
32
-
33
- ### include
34
-
35
- <%= partial "/shared/matcher_include" %>
36
-
37
- ### match
38
-
39
- <%= partial "/shared/matcher_match" %>
40
-
41
- ## Examples
21
+ ## Matchers
42
22
 
43
- None.
23
+ This resource may use any of the matchers available to the `file` resource that may be useful when testing a directory. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
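Review bot: The rewritten Matchers paragraph says the matchers of the `file` resource apply, but the only link it adds goes to the generic matchers page, so the reader still has to find the `file` page on their own. Link `file` itself, in the relative style the docker page uses for `[docker_container](docker_container)`. This hunk also deletes the `## Examples` section that only said "None."; a single `describe directory(...)` example would be more useful than removing the section.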
@@ -6,6 +6,8 @@ title: About the docker Resource
6
6
 
7
7
  Use the `docker` InSpec audit resource to test configuration data for docker daemon. It is a very comprehensive resource. Please have a look at [docker_container](docker_container) and [docker_image](docker_image), too.
8
8
 
9
+ <br>
10
+
9
11
  ## Syntax
10
12
 
11
13
  A `docker` resource block declares allows you to write test for many containers:
@@ -42,63 +44,7 @@ where
42
44
  * `.where()` may specify a specific item and value, to which the matchers are compared
43
45
  * `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `'status'` are valid matchers for `containers`
44
46
 
45
-
46
-
47
- ## Matchers
48
-
49
- This InSpec audit resource has the following matchers:
50
-
51
- ### containers
52
-
53
- `containers` returns information about containers as returned by [docker ps -a](https://docs.docker.com/engine/reference/commandline/ps/). You can determine specific information about
54
-
55
- describe docker.containers do
56
- its('ids') { should include 'sha:71b5df59...442b' }
57
- its('commands') { should_not include '/bin/sh' }
58
- its('images') { should_not include 'u12:latest' }
59
- its('ports') { should include '0.0.0.0:1234->1234/tcp' }
60
- its('labels') { should include 'License=GPLv2,Vendor=CentOS' }
61
- end
62
-
63
-
64
- ### images
65
-
66
- `images` returns information about docker image as returned by [docker images](https://docs.docker.com/engine/reference/commandline/images/). You can determine specific information about
67
-
68
- describe docker.images do
69
- its('ids') { should include 'sha:12b5df59...442b' }
70
- its('repositories') { should_not include 'my_image' }
71
- its('tags') { should_not include 'unwanted_tag' }
72
- its('sizes') { should_not include "1.41 GB" }
73
- end
74
-
75
- ### version
76
-
77
- `info` returns the parsed result of [docker version](https://docs.docker.com/engine/reference/commandline/version/)
78
-
79
- describe docker.version do
80
- its('Server.Version') { should cmp >= '1.12'}
81
- its('Client.Version') { should cmp >= '1.12'}
82
- end
83
-
84
-
85
- ### info
86
-
87
- `info` returns the parsed result of [docker info](https://docs.docker.com/engine/reference/commandline/info/)
88
-
89
- describe docker.info do
90
- its('Configuration.Path') { should eq 'value' }
91
- end
92
-
93
-
94
- ### object('id')
95
-
96
- `object` returns low-level information about docker objects. It is calling [docker inspect](https://docs.docker.com/engine/reference/commandline/info/) under the hood.
97
-
98
- describe docker.object(id) do
99
- its('Configuration.Path') { should eq 'value' }
100
- end
101
-
47
+ <br>
102
48
 
103
49
  ## Examples
104
50
 
@@ -158,3 +104,60 @@ and then run:
158
104
  Or execute the profile directly via URL:
159
105
 
160
106
  $ inspec exec https://github.com/dev-sec/cis-docker-benchmark
107
+
108
+ <br>
109
+
110
+ ## Matchers
111
+
112
+ This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
113
+
114
+ ### containers
115
+
116
+ `containers` returns information about containers as returned by [docker ps -a](https://docs.docker.com/engine/reference/commandline/ps/). You can determine specific information about
117
+
118
+ describe docker.containers do
119
+ its('ids') { should include 'sha:71b5df59...442b' }
120
+ its('commands') { should_not include '/bin/sh' }
121
+ its('images') { should_not include 'u12:latest' }
122
+ its('ports') { should include '0.0.0.0:1234->1234/tcp' }
123
+ its('labels') { should include 'License=GPLv2,Vendor=CentOS' }
124
+ end
125
+
126
+
127
+ ### images
128
+
129
+ `images` returns information about docker image as returned by [docker images](https://docs.docker.com/engine/reference/commandline/images/). You can determine specific information about
130
+
131
+ describe docker.images do
132
+ its('ids') { should include 'sha:12b5df59...442b' }
133
+ its('repositories') { should_not include 'my_image' }
134
+ its('tags') { should_not include 'unwanted_tag' }
135
+ its('sizes') { should_not include "1.41 GB" }
136
+ end
137
+
138
+ ### version
139
+
140
+ `info` returns the parsed result of [docker version](https://docs.docker.com/engine/reference/commandline/version/)
141
+
142
+ describe docker.version do
143
+ its('Server.Version') { should cmp >= '1.12'}
144
+ its('Client.Version') { should cmp >= '1.12'}
145
+ end
146
+
147
+
148
+ ### info
149
+
150
+ `info` returns the parsed result of [docker info](https://docs.docker.com/engine/reference/commandline/info/)
151
+
152
+ describe docker.info do
153
+ its('Configuration.Path') { should eq 'value' }
154
+ end
155
+
156
+
157
+ ### object('id')
158
+
159
+ `object` returns low-level information about docker objects. It is calling [docker inspect](https://docs.docker.com/engine/reference/commandline/info/) under the hood.
160
+
161
+ describe docker.object(id) do
162
+ its('Configuration.Path') { should eq 'value' }
163
+ end
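Review bot: Under `### version` the description begins "`info` returns the parsed result of docker version", which names the wrong property; it should read `version`. Two more defects are carried over unchanged from the removed block and are worth fixing in the same move: the `object('id')` text says it calls `docker inspect` but links to the `commandline/info/` page, and the `containers` and `images` paragraphs both end mid-sentence at "You can determine specific information about".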
@@ -6,6 +6,8 @@ title: About the docker_container Resource
6
6
 
7
7
  Use the `docker_container` InSpec audit resource to test a docker container.
8
8
 
9
+ <br>
10
+
9
11
  ## Syntax
10
12
 
11
13
  A `docker_container` resource block declares the configuration data to be tested:
@@ -35,10 +37,30 @@ Alternatively, you can pass in the container id:
35
37
  it { should be_running }
36
38
  end
37
39
 
40
+ <br>
41
+
42
+ ## Examples
43
+
44
+ The following examples show how to use this InSpec resource.
45
+
46
+ ### Verify an running container:
47
+
48
+ describe docker_container('an-echo-server') do
49
+ it { should exist }
50
+ it { should be_running }
51
+ its('id') { should_not eq '' }
52
+ its('image') { should eq 'busybox:latest' }
53
+ its('repo') { should eq 'busybox' }
54
+ its('tag') { should eq 'latest' }
55
+ its('ports') { should eq [] }
56
+ its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
57
+ end
58
+
59
+ <br>
38
60
 
39
61
  ## Matchers
40
62
 
41
- This InSpec audit resource has the following matchers:
63
+ This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
42
64
 
43
65
  ### id
44
66
 
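Review bot: The heading added with the relocated example, `### Verify an running container:`, has a grammar slip and a trailing colon that the other example headings in this diff (for instance `### Test a CSV file`) do not use. Since the block is being moved anyway, change it to `### Verify a running container`.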
@@ -69,21 +91,3 @@ The `ports` matcher tests the value the docker ports:
69
91
  The `command` matcher tests the value of the container run command:
70
92
 
71
93
  its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
72
-
73
-
74
- ## Examples
75
-
76
- The following examples show how to use this InSpec resource.
77
-
78
- ### Verify an running container:
79
-
80
- describe docker_container('an-echo-server') do
81
- it { should exist }
82
- it { should be_running }
83
- its('id') { should_not eq '' }
84
- its('image') { should eq 'busybox:latest' }
85
- its('repo') { should eq 'busybox' }
86
- its('tag') { should eq 'latest' }
87
- its('ports') { should eq [] }
88
- its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
89
- end