inspec 1.40.0 → 1.41.0

Files changed (114) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +30 -9
  3. data/docs/matchers.md +18 -0
  4. data/docs/plugin_kitchen_inspec.md +18 -24
  5. data/docs/profiles.md +39 -2
  6. data/docs/resources/aide_conf.md.erb +18 -28
  7. data/docs/resources/apache_conf.md.erb +19 -33
  8. data/docs/resources/apt.md.erb +22 -36
  9. data/docs/resources/audit_policy.md.erb +9 -24
  10. data/docs/resources/auditd.md.erb +9 -24
  11. data/docs/resources/auditd_conf.md.erb +20 -34
  12. data/docs/resources/auditd_rules.md.erb +8 -24
  13. data/docs/resources/bash.md.erb +4 -26
  14. data/docs/resources/bond.md.erb +25 -40
  15. data/docs/resources/bridge.md.erb +5 -25
  16. data/docs/resources/bsd_service.md.erb +5 -25
  17. data/docs/resources/command.md.erb +35 -50
  18. data/docs/resources/crontab.md.erb +9 -23
  19. data/docs/resources/csv.md.erb +12 -27
  20. data/docs/resources/dh_params.md +1 -0
  21. data/docs/resources/directory.md.erb +5 -25
  22. data/docs/resources/docker.md.erb +60 -57
  23. data/docs/resources/docker_container.md.erb +23 -19
  24. data/docs/resources/docker_image.md.erb +20 -16
  25. data/docs/resources/etc_fstab.md.erb +5 -2
  26. data/docs/resources/etc_group.md.erb +29 -45
  27. data/docs/resources/etc_hosts.md.erb +6 -0
  28. data/docs/resources/etc_hosts_allow.md.erb +6 -2
  29. data/docs/resources/etc_hosts_deny.md.erb +6 -2
  30. data/docs/resources/file.md.erb +198 -212
  31. data/docs/resources/firewalld.md.erb +7 -1
  32. data/docs/resources/gem.md.erb +21 -35
  33. data/docs/resources/group.md.erb +16 -30
  34. data/docs/resources/grub_conf.md.erb +9 -24
  35. data/docs/resources/host.md.erb +32 -49
  36. data/docs/resources/http.md.erb +38 -44
  37. data/docs/resources/iis_app.md.erb +25 -35
  38. data/docs/resources/iis_site.md.erb +26 -40
  39. data/docs/resources/inetd_conf.md.erb +27 -42
  40. data/docs/resources/ini.md.erb +9 -23
  41. data/docs/resources/interface.md.erb +5 -25
  42. data/docs/resources/iptables.md.erb +15 -29
  43. data/docs/resources/json.md.erb +12 -27
  44. data/docs/resources/kernel_module.md.erb +47 -61
  45. data/docs/resources/kernel_parameter.md.erb +15 -29
  46. data/docs/resources/key_rsa.md.erb +3 -0
  47. data/docs/resources/launchd_service.md.erb +5 -25
  48. data/docs/resources/limits_conf.md.erb +15 -29
  49. data/docs/resources/login_def.md.erb +15 -30
  50. data/docs/resources/mount.md.erb +18 -33
  51. data/docs/resources/mssql_session.md.erb +9 -12
  52. data/docs/resources/mysql_conf.md.erb +17 -32
  53. data/docs/resources/mysql_session.md.erb +15 -29
  54. data/docs/resources/nginx.md.erb +6 -0
  55. data/docs/resources/nginx_conf.md.erb +25 -20
  56. data/docs/resources/npm.md.erb +19 -35
  57. data/docs/resources/ntp_conf.md.erb +20 -37
  58. data/docs/resources/oneget.md.erb +15 -30
  59. data/docs/resources/oracledb_session.md.erb +9 -11
  60. data/docs/resources/os.md.erb +29 -43
  61. data/docs/resources/os_env.md.erb +29 -44
  62. data/docs/resources/package.md.erb +33 -42
  63. data/docs/resources/parse_config.md.erb +5 -25
  64. data/docs/resources/parse_config_file.md.erb +31 -43
  65. data/docs/resources/passwd.md.erb +24 -39
  66. data/docs/resources/pip.md.erb +20 -35
  67. data/docs/resources/port.md.erb +43 -57
  68. data/docs/resources/postgres_conf.md.erb +17 -31
  69. data/docs/resources/postgres_hba_conf.md.erb +26 -38
  70. data/docs/resources/postgres_ident_conf.md.erb +25 -37
  71. data/docs/resources/postgres_session.md.erb +15 -29
  72. data/docs/resources/powershell.md.erb +27 -42
  73. data/docs/resources/processes.md.erb +17 -33
  74. data/docs/resources/rabbitmq_config.md.erb +9 -24
  75. data/docs/resources/registry_key.md.erb +27 -42
  76. data/docs/resources/runit_service.md.erb +5 -25
  77. data/docs/resources/security_policy.md.erb +12 -27
  78. data/docs/resources/service.md.erb +27 -42
  79. data/docs/resources/shadow.md.erb +20 -35
  80. data/docs/resources/ssh_config.md.erb +19 -34
  81. data/docs/resources/sshd_config.md.erb +19 -34
  82. data/docs/resources/ssl.md.erb +39 -54
  83. data/docs/resources/sys_info.md.erb +12 -26
  84. data/docs/resources/systemd_service.md.erb +5 -25
  85. data/docs/resources/sysv_service.md.erb +5 -25
  86. data/docs/resources/upstart_service.md.erb +5 -25
  87. data/docs/resources/user.md.erb +29 -44
  88. data/docs/resources/users.md.erb +12 -26
  89. data/docs/resources/vbscript.md.erb +9 -24
  90. data/docs/resources/virtualization.md.erb +8 -23
  91. data/docs/resources/windows_feature.md.erb +15 -30
  92. data/docs/resources/windows_hotfix.md.erb +15 -9
  93. data/docs/resources/windows_task.md.erb +12 -26
  94. data/docs/resources/wmi.md.erb +9 -24
  95. data/docs/resources/x509_certificate.md.erb +4 -0
  96. data/docs/resources/xinetd_conf.md.erb +65 -80
  97. data/docs/resources/xml.md.erb +12 -26
  98. data/docs/resources/yaml.md.erb +12 -27
  99. data/docs/resources/yum.md.erb +37 -51
  100. data/docs/resources/zfs_dataset.md.erb +15 -26
  101. data/docs/resources/zfs_pool.md.erb +9 -20
  102. data/lib/inspec/backend.rb +8 -0
  103. data/lib/inspec/profile.rb +9 -1
  104. data/lib/inspec/shell.rb +13 -13
  105. data/lib/inspec/version.rb +1 -1
  106. data/lib/matchers/matchers.rb +2 -0
  107. data/lib/resources/etc_hosts.rb +1 -1
  108. data/lib/resources/host.rb +4 -1
  109. data/lib/resources/http.rb +173 -23
  110. data/lib/resources/processes.rb +106 -20
  111. data/lib/resources/ssh_conf.rb +1 -1
  112. data/lib/resources/ssl.rb +4 -3
  113. data/lib/utils/object_traversal.rb +35 -10
  114. metadata +2 -2
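--- a/data/docs/resources/nginx.md.erb
+++ b/data/docs/resources/nginx.md.erb
@@ -8,6 +8,8 @@ Use the `nginx` InSpec audit resource to test the fields and validity of nginx.
 
  Nginx resource extracts and exposes data reported by the command 'nginx -V'
 
+ <br>
+
  ## Syntax
 
  An `nginx` InSpec audit resource block extracts configuration settings that should be tested:
@@ -25,10 +27,14 @@ where
  * `'attribute'` is a configuration parsed from result of the command 'nginx -V'
  * `'value'` is the value that is expected of the attribute
 
+ <br>
+
  ## Supported Properties
 
  * 'compiler_info', 'error_log_path', 'http_client_body_temp_path', 'http_fastcgi_temp_path', 'http_log_path', 'http_proxy_temp_path', 'http_scgi_temp_path', 'http_uwsgi_temp_path', 'lock_path', 'modules', 'modules_path', 'openssl_version', 'prefix', 'sbin_path', 'service', 'support_info', 'version'
 
+ <br>
+
  ## Property Examples and Return Types
 
  ### version(String)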
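--- a/data/docs/resources/nginx_conf.md.erb
+++ b/data/docs/resources/nginx_conf.md.erb
@@ -8,6 +8,8 @@ Use the `nginx_conf` InSpec resource to test configuration data for the NGINX se
 
  **Stability: Experimental**
 
+ <br>
+
  ## Syntax
 
  An `nginx_conf` resource block declares the client NGINX configuration data to be tested:
@@ -23,10 +25,32 @@ where
  * `params['pid']` selects the `pid` entry from the global NGINX configuration
  * `{ should cmp 'logs/nginx.pid' }` tests if the PID is set to `logs/nginx.pid` (via `cmp` matcher)
 
+ <br>
+
+ ## Examples
+
+ The following examples show how to use this InSpec audit resource.
+
+ ### Find a specific server
+
+ servers = nginx_conf.servers
+ domain2 = servers.find { |s| s.params['server_name'].flatten.include? 'domain2.com' }
+ describe 'No server serves domain2' do
+ subject { domain2 }
+ it { should be_nil }
+ end
+
+ ### Test a raw parameter
+
+ describe nginx_conf.params['worker_processes'].flatten do
+ it { should cmp 5 }
+ end
+
+ <br>
 
  ## Matchers
 
- This InSpec audit resource has the following matchers:
+ This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
 
  ### http
 
@@ -101,22 +125,3 @@ Locations provide access to their parent server entry and raw parameters:
 
  location.params
  => {"_"=>["~", "\\.php$"], "fastcgi_pass"=>[["127.0.0.1:1025"]]}
-
- ## Examples
-
- The following examples show how to use this InSpec audit resource.
-
- ### Find a specific server
-
- servers = nginx_conf.servers
- domain2 = servers.find { |s| s.params['server_name'].flatten.include? 'domain2.com' }
- describe 'No server serves domain2' do
- subject { domain2 }
- it { should be_nil }
- end
-
- ### Test a raw parameter
-
- describe nginx_conf.params['worker_processes'].flatten do
- it { should cmp 5 }
- end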
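--- a/data/docs/resources/npm.md.erb
+++ b/data/docs/resources/npm.md.erb
@@ -6,6 +6,7 @@ title: About the npm Resource
 
  Use the `npm` InSpec audit resource to test if a global NPM package is installed. NPM is the the package manager for Node.js packages (https://docs.npmjs.com), such as Bower and StatsD.
 
+ <br>
 
  ## Syntax
 
@@ -20,56 +21,39 @@ where
  * `('npm_package_name')` must specify an NPM package, such as `'bower'` or `'statsd'`
  * `be_installed` is a valid matcher for this resource
 
+ <br>
 
- ## Matchers
-
- This InSpec audit resource has the following matchers:
-
- ### be
-
- <%= partial "/shared/matcher_be" %>
+ ## Examples
 
- ### be_installed
+ The following examples show how to use this InSpec audit resource.
 
- The `be_installed` matcher tests if the named Gem package and package version (if specified) is installed:
+ ### Verify that bower is installed, with a specific version
 
- it { should be_installed }
+ describe npm('bower') do
+ it { should be_installed }
+ its('version') { should eq '1.4.1' }
+ end
 
- ### cmp
+ ### Verify that statsd is not installed
 
- <%= partial "/shared/matcher_cmp" %>
+ describe npm('statsd') do
+ it { should_not be_installed }
+ end
 
- ### eq
+ <br>
 
- <%= partial "/shared/matcher_eq" %>
+ ## Matchers
 
- ### include
+ This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
 
- <%= partial "/shared/matcher_include" %>
+ ### be_installed
 
- ### match
+ The `be_installed` matcher tests if the named Gem package and package version (if specified) is installed:
 
- <%= partial "/shared/matcher_match" %>
+ it { should be_installed }
 
  ### version
 
  The `version` matcher tests if the named package version is on the system:
 
  its('version') { should eq '1.2.3' }
-
- ## Examples
-
- The following examples show how to use this InSpec audit resource.
-
- ### Verify that bower is installed, with a specific version
-
- describe npm('bower') do
- it { should be_installed }
- its('version') { should eq '1.4.1' }
- end
-
- ### Verify that statsd is not installed
-
- describe npm('statsd') do
- it { should_not be_installed }
- end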
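--- a/data/docs/resources/ntp_conf.md.erb
+++ b/data/docs/resources/ntp_conf.md.erb
@@ -6,6 +6,7 @@ title: About the ntp_conf Resource
 
  Use the `ntp_conf` InSpec audit resource to test the synchronization settings defined in the `ntp.conf` file. This file is typically located at `/etc/ntp.conf`.
 
+ <br>
 
  ## Syntax
 
@@ -21,56 +22,38 @@ where
  * `('path')` is the non-default path to the `ntp.conf` file
  * `{ should eq 'value' }` is the value that is expected
 
+ <br>
 
- ## Matchers
-
- This resource matches any service that is listed in the `ntp.conf` file:
-
- its('server') { should_not eq nil }
-
- or:
+ ## Examples
 
- its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
+ The following examples show how to use this InSpec audit resource.
 
- For example:
+ ### Test for clock drift against named servers
 
  describe ntp_conf do
- its('server') { should_not eq nil }
- its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
+ its('driftfile') { should eq '/var/lib/ntp/ntp.drift' }
+ its('server') { should eq [
+ 0.ubuntu.pool.ntp.org,
+ 1.ubuntu.pool.ntp.org,
+ 2.ubuntu.pool.ntp.org
+ ] }
  end
 
+ <br>
 
- ### be
-
- <%= partial "/shared/matcher_be" %>
-
- ### cmp
-
- <%= partial "/shared/matcher_cmp" %>
-
- ### eq
-
- <%= partial "/shared/matcher_eq" %>
-
- ### include
-
- <%= partial "/shared/matcher_include" %>
+ ## Matchers
 
- ### match
+ This resource matches any service that is listed in the `ntp.conf` file. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
 
- <%= partial "/shared/matcher_match" %>
+ its('server') { should_not eq nil }
 
- ## Examples
+ or:
 
- The following examples show how to use this InSpec audit resource.
+ its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
 
- ### Test for clock drift against named servers
+ For example:
 
  describe ntp_conf do
- its('driftfile') { should eq '/var/lib/ntp/ntp.drift' }
- its('server') { should eq [
- 0.ubuntu.pool.ntp.org,
- 1.ubuntu.pool.ntp.org,
- 2.ubuntu.pool.ntp.org
- ] }
+ its('server') { should_not eq nil }
+ its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
  end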
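--- a/data/docs/resources/oneget.md.erb
+++ b/data/docs/resources/oneget.md.erb
@@ -6,6 +6,8 @@ title: About the oneget Resource
 
  Use the `oneget` InSpec audit resource to test if the named package and/or package version is installed on the system. This resource uses Oneget, which is `part of the Windows Management Framework 5.0 and Windows 10 <https://github.com/OneGet/oneget>`__. This resource uses the `Get-Package` cmdlet to return all of the package names in the Oneget repository.
 
+ <br>
+
  ## Syntax
 
  A `oneget` resource block declares a package and (optionally) a package version:
@@ -19,49 +21,32 @@ where
  * `('name')` must specify the name of a package, such as `'VLC'`
  * `be_installed` is a valid matcher for this resource
 
+ <br>
 
- ## Matchers
-
- This InSpec audit resource has the following matchers:
-
- ### be
-
- <%= partial "/shared/matcher_be" %>
-
- ### be_installed
-
- The `be_installed` matcher tests if the named package is installed on the system:
+ ## Examples
 
- it { should be_installed }
+ The following examples show how to use this InSpec audit resource.
 
- ### cmp
+ ### Test if VLC is installed
 
- <%= partial "/shared/matcher_cmp" %>
+ describe oneget('VLC') do
+ it { should be_installed }
+ end
 
- ### eq
+ <br>
 
- <%= partial "/shared/matcher_eq" %>
+ ## Matchers
 
- ### include
+ This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
 
- <%= partial "/shared/matcher_include" %>
+ ### be_installed
 
- ### match
+ The `be_installed` matcher tests if the named package is installed on the system:
 
- <%= partial "/shared/matcher_match" %>
+ it { should be_installed }
 
  ### version
 
  The `version` matcher tests if the named package version is on the system:
 
  its('version') { should eq '1.2.3' }
-
- ## Examples
-
- The following examples show how to use this InSpec audit resource.
-
- ### Test if VLC is installed
-
- describe oneget('VLC') do
- it { should be_installed }
- end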
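--- a/data/docs/resources/oracledb_session.md.erb
+++ b/data/docs/resources/oracledb_session.md.erb
@@ -6,6 +6,8 @@ title: About the oracledb_session Resource
 
  Use the `oracledb_session` InSpec audit resource to test SQL commands run against a Oracle database.
 
+ <br>
+
  ## Syntax
 
  A `oracledb_session` resource block declares the username and password to use for the session with an optional service to connect to, and then the command to be run:
@@ -20,17 +22,7 @@ where
  * `query('QUERY')` contains the query to be run
  * `its('value') { should eq('') }` compares the results of the query against the expected result in the test
 
- ## Matchers
-
- This InSpec audit resource has the following matchers:
-
- ### cmp
-
- <%= partial "/shared/matcher_cmp" %>
-
- ### eq
-
- <%= partial "/shared/matcher_eq" %>
+ <br>
 
  ## Examples
 
@@ -51,3 +43,9 @@ The following examples show how to use this InSpec audit resource.
  describe sql.query('SELECT NAME FROM v$database;').row(0).column('name') do
  its('value') { should cmp 'ORCL' }
  end
+
+ <br>
+
+ ## Matchers
+
+ For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).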
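--- a/data/docs/resources/os.md.erb
+++ b/data/docs/resources/os.md.erb
@@ -6,45 +6,53 @@ title: About the os Resource
 
  Use the `os` InSpec audit resource to test the platform on which the system is running.
 
+ <br>
+
  ## Syntax
 
  An `os` resource block declares the platform to be tested. The platform may specified via matcher or control block name. For example, using a matcher:
 
  describe os[:family] do
- it { should eq 'platform_name' }
+ it { should eq 'platform_family_name' }
  end
 
- or using the block name:
-
- describe os[:family_name] do
- ...
- end
+ * `'platform_family_name'` (a string) is one of `aix`, `bsd`, `darwin`, `debian`, `hpux`, `linux`, `redhat`, `solaris`, `suse`, `unix`, or `windows`
 
- * `'platform_name'` (a string) or `:family_name` (a symbol) is one of `aix`, `bsd`, `darwin`, `debian`, `hpux`, `linux`, `redhat`, `solaris`, `suse`, `unix`, or `windows`
+ The parameters available to `os` are:
 
- ## Matchers
+ * `:name` - the operating system name, such as `centos`
+ * `:family` - the operating system family, such as `redhat`
+ * `:release` - the version of the operating system, such as `7.3.1611`
+ * `:arch` - the architecture of the operating system, such as `x86_64`
+ <br>
 
- This InSpec audit resource has the following matchers:
+ ## Examples
 
- ### be
+ The following examples show how to use this InSpec audit resource.
 
- <%= partial "/shared/matcher_be" %>
+ ### Test for RedHat
 
- ### cmp
+ describe os[:family] do
+ it { should eq 'redhat' }
+ end
 
- <%= partial "/shared/matcher_cmp" %>
+ ### Test for Ubuntu
 
- ### eq
+ describe os[:family] do
+ it { should eq 'debian' }
+ end
 
- <%= partial "/shared/matcher_eq" %>
+ ### Test for Microsoft Windows
 
- ### include
+ describe os[:family] do
+ it { should eq 'windows' }
+ end
 
- <%= partial "/shared/matcher_include" %>
+ <br>
 
- ### match
+ ## Matchers
 
- <%= partial "/shared/matcher_match" %>
+ This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
 
  ## os.family? Helpers
 
@@ -121,34 +129,12 @@ For example, both of the following tests should have the same result:
  end
  end
 
- if os[:debian]
+ if os.debian?
  describe port(69) do
  its('processes') { should include 'in.tftpd' }
  end
- elsif os[:redhat]
+ elsif os.redhat?
  describe port(69) do
  its('processes') { should include 'xinetd' }
  end
  end
-
- ## Examples
-
- The following examples show how to use this InSpec audit resource.
-
- ### Test for RedHat
-
- describe os[:family] do
- it { should eq 'redhat' }
- end
-
- ### Test for Ubuntu
-
- describe os[:family] do
- it { should eq 'debian' }
- end
-
- ### Test for Microsoft Windows
-
- describe os[:family] do
- it { should eq 'windows' }
- end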