inspec 1.40.0 → 1.41.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +30 -9
- data/docs/matchers.md +18 -0
- data/docs/plugin_kitchen_inspec.md +18 -24
- data/docs/profiles.md +39 -2
- data/docs/resources/aide_conf.md.erb +18 -28
- data/docs/resources/apache_conf.md.erb +19 -33
- data/docs/resources/apt.md.erb +22 -36
- data/docs/resources/audit_policy.md.erb +9 -24
- data/docs/resources/auditd.md.erb +9 -24
- data/docs/resources/auditd_conf.md.erb +20 -34
- data/docs/resources/auditd_rules.md.erb +8 -24
- data/docs/resources/bash.md.erb +4 -26
- data/docs/resources/bond.md.erb +25 -40
- data/docs/resources/bridge.md.erb +5 -25
- data/docs/resources/bsd_service.md.erb +5 -25
- data/docs/resources/command.md.erb +35 -50
- data/docs/resources/crontab.md.erb +9 -23
- data/docs/resources/csv.md.erb +12 -27
- data/docs/resources/dh_params.md +1 -0
- data/docs/resources/directory.md.erb +5 -25
- data/docs/resources/docker.md.erb +60 -57
- data/docs/resources/docker_container.md.erb +23 -19
- data/docs/resources/docker_image.md.erb +20 -16
- data/docs/resources/etc_fstab.md.erb +5 -2
- data/docs/resources/etc_group.md.erb +29 -45
- data/docs/resources/etc_hosts.md.erb +6 -0
- data/docs/resources/etc_hosts_allow.md.erb +6 -2
- data/docs/resources/etc_hosts_deny.md.erb +6 -2
- data/docs/resources/file.md.erb +198 -212
- data/docs/resources/firewalld.md.erb +7 -1
- data/docs/resources/gem.md.erb +21 -35
- data/docs/resources/group.md.erb +16 -30
- data/docs/resources/grub_conf.md.erb +9 -24
- data/docs/resources/host.md.erb +32 -49
- data/docs/resources/http.md.erb +38 -44
- data/docs/resources/iis_app.md.erb +25 -35
- data/docs/resources/iis_site.md.erb +26 -40
- data/docs/resources/inetd_conf.md.erb +27 -42
- data/docs/resources/ini.md.erb +9 -23
- data/docs/resources/interface.md.erb +5 -25
- data/docs/resources/iptables.md.erb +15 -29
- data/docs/resources/json.md.erb +12 -27
- data/docs/resources/kernel_module.md.erb +47 -61
- data/docs/resources/kernel_parameter.md.erb +15 -29
- data/docs/resources/key_rsa.md.erb +3 -0
- data/docs/resources/launchd_service.md.erb +5 -25
- data/docs/resources/limits_conf.md.erb +15 -29
- data/docs/resources/login_def.md.erb +15 -30
- data/docs/resources/mount.md.erb +18 -33
- data/docs/resources/mssql_session.md.erb +9 -12
- data/docs/resources/mysql_conf.md.erb +17 -32
- data/docs/resources/mysql_session.md.erb +15 -29
- data/docs/resources/nginx.md.erb +6 -0
- data/docs/resources/nginx_conf.md.erb +25 -20
- data/docs/resources/npm.md.erb +19 -35
- data/docs/resources/ntp_conf.md.erb +20 -37
- data/docs/resources/oneget.md.erb +15 -30
- data/docs/resources/oracledb_session.md.erb +9 -11
- data/docs/resources/os.md.erb +29 -43
- data/docs/resources/os_env.md.erb +29 -44
- data/docs/resources/package.md.erb +33 -42
- data/docs/resources/parse_config.md.erb +5 -25
- data/docs/resources/parse_config_file.md.erb +31 -43
- data/docs/resources/passwd.md.erb +24 -39
- data/docs/resources/pip.md.erb +20 -35
- data/docs/resources/port.md.erb +43 -57
- data/docs/resources/postgres_conf.md.erb +17 -31
- data/docs/resources/postgres_hba_conf.md.erb +26 -38
- data/docs/resources/postgres_ident_conf.md.erb +25 -37
- data/docs/resources/postgres_session.md.erb +15 -29
- data/docs/resources/powershell.md.erb +27 -42
- data/docs/resources/processes.md.erb +17 -33
- data/docs/resources/rabbitmq_config.md.erb +9 -24
- data/docs/resources/registry_key.md.erb +27 -42
- data/docs/resources/runit_service.md.erb +5 -25
- data/docs/resources/security_policy.md.erb +12 -27
- data/docs/resources/service.md.erb +27 -42
- data/docs/resources/shadow.md.erb +20 -35
- data/docs/resources/ssh_config.md.erb +19 -34
- data/docs/resources/sshd_config.md.erb +19 -34
- data/docs/resources/ssl.md.erb +39 -54
- data/docs/resources/sys_info.md.erb +12 -26
- data/docs/resources/systemd_service.md.erb +5 -25
- data/docs/resources/sysv_service.md.erb +5 -25
- data/docs/resources/upstart_service.md.erb +5 -25
- data/docs/resources/user.md.erb +29 -44
- data/docs/resources/users.md.erb +12 -26
- data/docs/resources/vbscript.md.erb +9 -24
- data/docs/resources/virtualization.md.erb +8 -23
- data/docs/resources/windows_feature.md.erb +15 -30
- data/docs/resources/windows_hotfix.md.erb +15 -9
- data/docs/resources/windows_task.md.erb +12 -26
- data/docs/resources/wmi.md.erb +9 -24
- data/docs/resources/x509_certificate.md.erb +4 -0
- data/docs/resources/xinetd_conf.md.erb +65 -80
- data/docs/resources/xml.md.erb +12 -26
- data/docs/resources/yaml.md.erb +12 -27
- data/docs/resources/yum.md.erb +37 -51
- data/docs/resources/zfs_dataset.md.erb +15 -26
- data/docs/resources/zfs_pool.md.erb +9 -20
- data/lib/inspec/backend.rb +8 -0
- data/lib/inspec/profile.rb +9 -1
- data/lib/inspec/shell.rb +13 -13
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +2 -0
- data/lib/resources/etc_hosts.rb +1 -1
- data/lib/resources/host.rb +4 -1
- data/lib/resources/http.rb +173 -23
- data/lib/resources/processes.rb +106 -20
- data/lib/resources/ssh_conf.rb +1 -1
- data/lib/resources/ssl.rb +4 -3
- data/lib/utils/object_traversal.rb +35 -10
- metadata +2 -2
@@ -6,6 +6,8 @@ title: About the iis_site Resource
|
|
6
6
|
|
7
7
|
Use the `iis_site` InSpec audit resource to test the state of IIS on Windows Server 2012 (and later).
|
8
8
|
|
9
|
+
<br>
|
10
|
+
|
9
11
|
## Syntax
|
10
12
|
|
11
13
|
An `iis_site` resource block declares details about the named site:
|
@@ -36,27 +38,40 @@ For example:
|
|
36
38
|
it { should have_path('C:\\inetpub\\wwwroot') }
|
37
39
|
end
|
38
40
|
|
39
|
-
|
41
|
+
<br>
|
40
42
|
|
41
|
-
|
43
|
+
## Examples
|
42
44
|
|
43
|
-
|
45
|
+
The following examples show how to use this InSpec audit resource.
|
44
46
|
|
45
|
-
|
47
|
+
### Test a default IIS site
|
46
48
|
|
47
|
-
|
49
|
+
describe iis_site('Default Web Site') do
|
50
|
+
it { should exist }
|
51
|
+
it { should be_running }
|
52
|
+
it { should have_app_pool('DefaultAppPool') }
|
53
|
+
it { should have_binding('http *:80:') }
|
54
|
+
it { should have_path('%SystemDrive%\\inetpub\\wwwroot') }
|
55
|
+
end
|
48
56
|
|
49
|
-
|
57
|
+
### Test if IIS service is running
|
50
58
|
|
51
|
-
|
59
|
+
describe service('W3SVC') do
|
60
|
+
it { should be_installed }
|
61
|
+
it { should be_running }
|
62
|
+
end
|
52
63
|
|
53
|
-
|
64
|
+
<br>
|
54
65
|
|
55
|
-
|
66
|
+
## Matchers
|
67
|
+
|
68
|
+
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
69
|
+
|
70
|
+
### be_running
|
56
71
|
|
57
|
-
|
72
|
+
The `be_running` matcher tests if the site is running:
|
58
73
|
|
59
|
-
|
74
|
+
it { should be_running }
|
60
75
|
|
61
76
|
### exist
|
62
77
|
|
@@ -111,32 +126,3 @@ Testing a site with 128-bit SSL enabled:
|
|
111
126
|
The `have_path` matcher tests if the named path is defined for the site:
|
112
127
|
|
113
128
|
it { should have_path('C:\\inetpub\\wwwroot') }
|
114
|
-
|
115
|
-
### include
|
116
|
-
|
117
|
-
<%= partial "/shared/matcher_include" %>
|
118
|
-
|
119
|
-
### match
|
120
|
-
|
121
|
-
<%= partial "/shared/matcher_match" %>
|
122
|
-
|
123
|
-
## Examples
|
124
|
-
|
125
|
-
The following examples show how to use this InSpec audit resource.
|
126
|
-
|
127
|
-
### Test a default IIS site
|
128
|
-
|
129
|
-
describe iis_site('Default Web Site') do
|
130
|
-
it { should exist }
|
131
|
-
it { should be_running }
|
132
|
-
it { should have_app_pool('DefaultAppPool') }
|
133
|
-
it { should have_binding('http *:80:') }
|
134
|
-
it { should have_path('%SystemDrive%\\inetpub\\wwwroot') }
|
135
|
-
end
|
136
|
-
|
137
|
-
### Test if IIS service is running
|
138
|
-
|
139
|
-
describe service('W3SVC') do
|
140
|
-
it { should be_installed }
|
141
|
-
it { should be_running }
|
142
|
-
end
|
@@ -6,6 +6,8 @@ title: About the inetd_conf Resource
|
|
6
6
|
|
7
7
|
Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.`
|
8
8
|
|
9
|
+
<br>
|
10
|
+
|
9
11
|
## Syntax
|
10
12
|
|
11
13
|
An `inetd_conf` resource block declares the list of services that are enabled in the `inetd.conf` file:
|
@@ -20,48 +22,7 @@ where
|
|
20
22
|
* `('path')` is the non-default path to the `inetd.conf` file
|
21
23
|
* `should eq 'value'` is the value that is expected
|
22
24
|
|
23
|
-
|
24
|
-
## Matchers
|
25
|
-
|
26
|
-
This resource matches any service that is listed in the `inetd.conf` file. You may want to ensure that specific services do not listen via `inetd.conf`:
|
27
|
-
|
28
|
-
its('shell') { should eq nil }
|
29
|
-
|
30
|
-
or:
|
31
|
-
|
32
|
-
its('netstat') { should eq nil }
|
33
|
-
|
34
|
-
or:
|
35
|
-
|
36
|
-
its('systat') { should eq nil }
|
37
|
-
|
38
|
-
For example:
|
39
|
-
|
40
|
-
describe inetd_conf do
|
41
|
-
its('shell') { should eq nil }
|
42
|
-
its('login') { should eq nil }
|
43
|
-
its('exec') { should eq nil }
|
44
|
-
end
|
45
|
-
|
46
|
-
### be
|
47
|
-
|
48
|
-
<%= partial "/shared/matcher_be" %>
|
49
|
-
|
50
|
-
### cmp
|
51
|
-
|
52
|
-
<%= partial "/shared/matcher_cmp" %>
|
53
|
-
|
54
|
-
### eq
|
55
|
-
|
56
|
-
<%= partial "/shared/matcher_eq" %>
|
57
|
-
|
58
|
-
### include
|
59
|
-
|
60
|
-
<%= partial "/shared/matcher_include" %>
|
61
|
-
|
62
|
-
### match
|
63
|
-
|
64
|
-
<%= partial "/shared/matcher_match" %>
|
25
|
+
<br>
|
65
26
|
|
66
27
|
## Examples
|
67
28
|
|
@@ -97,3 +58,27 @@ then the same test will return `false` for `ftp` and the entire test will fail.
|
|
97
58
|
describe inetd_conf do
|
98
59
|
its('telnet') { should eq nil }
|
99
60
|
end
|
61
|
+
|
62
|
+
<br>
|
63
|
+
|
64
|
+
## Matchers
|
65
|
+
|
66
|
+
This resource matches any service that is listed in the `inetd.conf` file. You may want to ensure that specific services do not listen via `inetd.conf`. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
67
|
+
|
68
|
+
its('shell') { should eq nil }
|
69
|
+
|
70
|
+
or:
|
71
|
+
|
72
|
+
its('netstat') { should eq nil }
|
73
|
+
|
74
|
+
or:
|
75
|
+
|
76
|
+
its('systat') { should eq nil }
|
77
|
+
|
78
|
+
For example:
|
79
|
+
|
80
|
+
describe inetd_conf do
|
81
|
+
its('shell') { should eq nil }
|
82
|
+
its('login') { should eq nil }
|
83
|
+
its('exec') { should eq nil }
|
84
|
+
end
|
data/docs/resources/ini.md.erb
CHANGED
@@ -6,6 +6,8 @@ title: About the ini Resource
|
|
6
6
|
|
7
7
|
Use the `ini` InSpec audit resource to test settings in an INI file.
|
8
8
|
|
9
|
+
<br>
|
10
|
+
|
9
11
|
## Syntax
|
10
12
|
|
11
13
|
An `ini` resource block declares the configuration settings to be tested:
|
@@ -27,29 +29,7 @@ For example:
|
|
27
29
|
its('server') { should eq '192.0.2.62' }
|
28
30
|
end
|
29
31
|
|
30
|
-
|
31
|
-
|
32
|
-
This InSpec audit resource has the following matchers:
|
33
|
-
|
34
|
-
### be
|
35
|
-
|
36
|
-
<%= partial "/shared/matcher_be" %>
|
37
|
-
|
38
|
-
### cmp
|
39
|
-
|
40
|
-
<%= partial "/shared/matcher_cmp" %>
|
41
|
-
|
42
|
-
### eq
|
43
|
-
|
44
|
-
<%= partial "/shared/matcher_eq" %>
|
45
|
-
|
46
|
-
### include
|
47
|
-
|
48
|
-
<%= partial "/shared/matcher_include" %>
|
49
|
-
|
50
|
-
### match
|
51
|
-
|
52
|
-
<%= partial "/shared/matcher_match" %>
|
32
|
+
<br>
|
53
33
|
|
54
34
|
## Examples
|
55
35
|
|
@@ -67,3 +47,9 @@ and can be tested like this:
|
|
67
47
|
describe ini(/etc/php5/apache2/php.ini) do
|
68
48
|
its('smtp_port') { should eq('465') }
|
69
49
|
end
|
50
|
+
|
51
|
+
<br>
|
52
|
+
|
53
|
+
## Matchers
|
54
|
+
|
55
|
+
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
@@ -9,6 +9,8 @@ Use the `interface` InSpec audit resource to test basic network adapter properti
|
|
9
9
|
* On Linux platforms, `/sys/class/net/#{iface}` is used as source
|
10
10
|
* On the Windows platform, the `Get-NetAdapter` cmdlet is used as source
|
11
11
|
|
12
|
+
<br>
|
13
|
+
|
12
14
|
## Syntax
|
13
15
|
|
14
16
|
An `interface` resource block declares network interface properties to be tested:
|
@@ -19,13 +21,11 @@ An `interface` resource block declares network interface properties to be tested
|
|
19
21
|
its('name') { should eq eth0 }
|
20
22
|
end
|
21
23
|
|
22
|
-
|
23
|
-
|
24
|
-
This InSpec audit resource has the following matchers:
|
24
|
+
<br>
|
25
25
|
|
26
|
-
|
26
|
+
## Matchers
|
27
27
|
|
28
|
-
|
28
|
+
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
29
29
|
|
30
30
|
### be_up
|
31
31
|
|
@@ -33,22 +33,6 @@ The `be_up` matcher tests if the network interface is available:
|
|
33
33
|
|
34
34
|
it { should be_up }
|
35
35
|
|
36
|
-
### cmp
|
37
|
-
|
38
|
-
<%= partial "/shared/matcher_cmp" %>
|
39
|
-
|
40
|
-
### eq
|
41
|
-
|
42
|
-
<%= partial "/shared/matcher_eq" %>
|
43
|
-
|
44
|
-
### include
|
45
|
-
|
46
|
-
<%= partial "/shared/matcher_include" %>
|
47
|
-
|
48
|
-
### match
|
49
|
-
|
50
|
-
<%= partial "/shared/matcher_match" %>
|
51
|
-
|
52
36
|
### name
|
53
37
|
|
54
38
|
The `name` matcher tests if the named network interface exists:
|
@@ -60,7 +44,3 @@ The `name` matcher tests if the named network interface exists:
|
|
60
44
|
The `speed` matcher tests the speed of the network interface, in MB/sec:
|
61
45
|
|
62
46
|
its('speed') { should eq 1000 }
|
63
|
-
|
64
|
-
## Examples
|
65
|
-
|
66
|
-
None.
|
@@ -6,6 +6,8 @@ title: About the iptables Resource
|
|
6
6
|
|
7
7
|
Use the `iptables` InSpec audit resource to test rules that are defined in `iptables`, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.
|
8
8
|
|
9
|
+
<br>
|
10
|
+
|
9
11
|
## Syntax
|
10
12
|
|
11
13
|
A `iptables` resource block declares tests for rules in IP tables:
|
@@ -22,35 +24,7 @@ where
|
|
22
24
|
* `chain: 'name'` is the name of a user-defined chain or one of `ACCEPT`, `DROP`, `QUEUE`, or `RETURN`
|
23
25
|
* `have_rule('RULE')` tests that rule in the iptables list. This must match the entire line taken from `iptables -S CHAIN`.
|
24
26
|
|
25
|
-
|
26
|
-
|
27
|
-
This InSpec audit resource has the following matchers:
|
28
|
-
|
29
|
-
### be
|
30
|
-
|
31
|
-
<%= partial "/shared/matcher_be" %>
|
32
|
-
|
33
|
-
### cmp
|
34
|
-
|
35
|
-
<%= partial "/shared/matcher_cmp" %>
|
36
|
-
|
37
|
-
### eq
|
38
|
-
|
39
|
-
<%= partial "/shared/matcher_eq" %>
|
40
|
-
|
41
|
-
### have_rule
|
42
|
-
|
43
|
-
The `have_rule` matcher tests the named rule against the information in the `iptables` file:
|
44
|
-
|
45
|
-
it { should have_rule('RULE') }
|
46
|
-
|
47
|
-
### include
|
48
|
-
|
49
|
-
<%= partial "/shared/matcher_include" %>
|
50
|
-
|
51
|
-
### match
|
52
|
-
|
53
|
-
<%= partial "/shared/matcher_match" %>
|
27
|
+
<br>
|
54
28
|
|
55
29
|
## Examples
|
56
30
|
|
@@ -75,3 +49,15 @@ The following examples show how to use this InSpec audit resource.
|
|
75
49
|
end
|
76
50
|
|
77
51
|
Note that the rule specification must exactly match what's in the output of `iptables -S INPUT`, which will depend on how you've built your rules.
|
52
|
+
|
53
|
+
<br>
|
54
|
+
|
55
|
+
## Matchers
|
56
|
+
|
57
|
+
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
58
|
+
|
59
|
+
### have_rule
|
60
|
+
|
61
|
+
The `have_rule` matcher tests the named rule against the information in the `iptables` file:
|
62
|
+
|
63
|
+
it { should have_rule('RULE') }
|
data/docs/resources/json.md.erb
CHANGED
@@ -6,6 +6,8 @@ title: About the json Resource
|
|
6
6
|
|
7
7
|
Use the `json` InSpec audit resource to test data in a JSON file.
|
8
8
|
|
9
|
+
<br>
|
10
|
+
|
9
11
|
## Syntax
|
10
12
|
|
11
13
|
A `json` resource block declares the data to be tested. Assume the following JSON file:
|
@@ -34,43 +36,26 @@ where
|
|
34
36
|
* `name` is a configuration setting in a JSON file
|
35
37
|
* `should eq 'foo'` tests a value of `name` as read from a JSON file versus the value declared in the test
|
36
38
|
|
39
|
+
<br>
|
37
40
|
|
38
|
-
##
|
39
|
-
|
40
|
-
This InSpec audit resource has the following matchers:
|
41
|
-
|
42
|
-
### be
|
43
|
-
|
44
|
-
<%= partial "/shared/matcher_be" %>
|
45
|
-
|
46
|
-
### cmp
|
47
|
-
|
48
|
-
<%= partial "/shared/matcher_cmp" %>
|
41
|
+
## Examples
|
49
42
|
|
50
|
-
|
43
|
+
The following examples show how to use this InSpec audit resource.
|
51
44
|
|
52
|
-
|
45
|
+
### Test a cookbook version in a policyfile.lock.json file
|
53
46
|
|
54
|
-
|
47
|
+
describe json('policyfile.lock.json') do
|
48
|
+
its(['cookbook_locks', 'omnibus', 'version']) { should eq('2.2.0') }
|
49
|
+
end
|
55
50
|
|
56
|
-
|
51
|
+
<br>
|
57
52
|
|
58
|
-
|
53
|
+
## Matchers
|
59
54
|
|
60
|
-
|
55
|
+
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
61
56
|
|
62
57
|
### name
|
63
58
|
|
64
59
|
The `name` matcher tests the value of `name` as read from a JSON file versus the value declared in the test:
|
65
60
|
|
66
61
|
its('name') { should eq 'foo' }
|
67
|
-
|
68
|
-
## Examples
|
69
|
-
|
70
|
-
The following examples show how to use this InSpec audit resource.
|
71
|
-
|
72
|
-
### Test a cookbook version in a policyfile.lock.json file
|
73
|
-
|
74
|
-
describe json('policyfile.lock.json') do
|
75
|
-
its(['cookbook_locks', 'omnibus', 'version']) { should eq('2.2.0') }
|
76
|
-
end
|
@@ -12,6 +12,8 @@ The `kernel_module` resource can also verify if a kernel module is `blacklisted`
|
|
12
12
|
or if a module is disabled via a fake install using the `bin_true` or `bin_false`
|
13
13
|
method.
|
14
14
|
|
15
|
+
<br>
|
16
|
+
|
15
17
|
## Syntax
|
16
18
|
|
17
19
|
A `kernel_module` resource block declares a module name, and then tests if that
|
@@ -32,90 +34,74 @@ where
|
|
32
34
|
* `{ should be_blacklisted }` tests if the module is blacklisted or if the module is disabled via a fake install using /bin/false or /bin/true
|
33
35
|
* `{ should be_disabled }` tests if the module is disabled via a fake install using /bin/false or /bin/true
|
34
36
|
|
35
|
-
|
36
|
-
|
37
|
-
This InSpec audit resource has the following matchers:
|
37
|
+
<br>
|
38
38
|
|
39
|
-
|
40
|
-
|
41
|
-
<%= partial "/shared/matcher_be" %>
|
39
|
+
## Examples
|
42
40
|
|
43
|
-
|
41
|
+
The following examples show how to use this InSpec audit resource.
|
44
42
|
|
45
|
-
|
43
|
+
### Test a modules 'version'
|
46
44
|
|
45
|
+
describe kernel_module('bridge') do
|
47
46
|
it { should be_loaded }
|
47
|
+
its(:version) { should cmp >= '2.2.2' }
|
48
|
+
end
|
48
49
|
|
49
|
-
###
|
50
|
-
|
51
|
-
<%= partial "/shared/matcher_cmp" %>
|
52
|
-
|
53
|
-
### eq
|
54
|
-
|
55
|
-
<%= partial "/shared/matcher_eq" %>
|
50
|
+
### Test if a module is loaded, not disabled and not blacklisted
|
56
51
|
|
57
|
-
|
52
|
+
describe kernel_module('video') do
|
53
|
+
it { should be_loaded }
|
54
|
+
it { should_not be_disabled }
|
55
|
+
it { should_not be_blacklisted }
|
56
|
+
end
|
58
57
|
|
59
|
-
|
58
|
+
### Check if a module is blacklisted
|
60
59
|
|
61
|
-
|
60
|
+
describe kernel_module('floppy') do
|
61
|
+
it { should be_blacklisted }
|
62
|
+
end
|
62
63
|
|
63
|
-
|
64
|
+
### Ensure a module is *not* blacklisted and it is loaded
|
64
65
|
|
65
|
-
|
66
|
+
describe kernel_module('video') do
|
67
|
+
it { should_not be_blacklisted }
|
68
|
+
it { should be_loaded }
|
69
|
+
end
|
66
70
|
|
67
|
-
|
71
|
+
### Ensure a module is disabled via 'bin_false'
|
68
72
|
|
69
|
-
|
73
|
+
describe kernel_module('sstfb') do
|
74
|
+
it { should_not be_loaded }
|
75
|
+
it { should be_disabled }
|
76
|
+
end
|
70
77
|
|
71
|
-
|
78
|
+
### Ensure a module is 'blacklisted'/'disabled' via 'bin_true'
|
72
79
|
|
73
|
-
|
80
|
+
describe kernel_module('nvidiafb') do
|
81
|
+
it { should_not be_loaded }
|
82
|
+
it { should be_blacklisted }
|
83
|
+
end
|
74
84
|
|
75
|
-
|
85
|
+
### Ensure a module is not loaded
|
76
86
|
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
end
|
87
|
+
describe kernel_module('dhcp') do
|
88
|
+
it { should_not be_loaded }
|
89
|
+
end
|
81
90
|
|
82
|
-
|
91
|
+
<br>
|
83
92
|
|
84
|
-
|
85
|
-
it { should be_loaded }
|
86
|
-
it { should_not be_disabled }
|
87
|
-
it { should_not be_blacklisted }
|
88
|
-
end
|
89
|
-
|
90
|
-
### Check if a module is blacklisted
|
91
|
-
|
92
|
-
describe kernel_module('floppy') do
|
93
|
-
it { should be_blacklisted }
|
94
|
-
end
|
95
|
-
|
96
|
-
### Ensure a module is *not* blacklisted and it is loaded
|
93
|
+
## Matchers
|
97
94
|
|
98
|
-
|
99
|
-
it { should_not be_blacklisted }
|
100
|
-
it { should be_loaded }
|
101
|
-
end
|
95
|
+
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
102
96
|
|
103
|
-
|
97
|
+
### be_loaded
|
104
98
|
|
105
|
-
|
106
|
-
it { should_not be_loaded }
|
107
|
-
it { should be_disabled }
|
108
|
-
end
|
99
|
+
The `be_loaded` matcher tests if the module is a loadable kernel module:
|
109
100
|
|
110
|
-
|
101
|
+
it { should be_loaded }
|
111
102
|
|
112
|
-
|
113
|
-
it { should_not be_loaded }
|
114
|
-
it { should be_blacklisted }
|
115
|
-
end
|
103
|
+
### version
|
116
104
|
|
117
|
-
|
105
|
+
The `version` matcher tests if the named module version is on the system:
|
118
106
|
|
119
|
-
|
120
|
-
it { should_not be_loaded }
|
121
|
-
end
|
107
|
+
its(:version) { should eq '3.2.2' }
|