inspec 1.51.6 → 1.51.15

Sign up to get free protection for your applications and to get access to all the features.
Files changed (404) hide show
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +101 -101
  3. data/CHANGELOG.md +2915 -2902
  4. data/Gemfile +53 -53
  5. data/LICENSE +14 -14
  6. data/MAINTAINERS.md +31 -31
  7. data/MAINTAINERS.toml +47 -47
  8. data/README.md +419 -419
  9. data/Rakefile +167 -167
  10. data/bin/inspec +12 -12
  11. data/docs/.gitignore +2 -2
  12. data/docs/README.md +40 -40
  13. data/docs/dsl_inspec.md +258 -258
  14. data/docs/dsl_resource.md +93 -93
  15. data/docs/glossary.md +99 -99
  16. data/docs/habitat.md +191 -191
  17. data/docs/inspec_and_friends.md +107 -107
  18. data/docs/matchers.md +165 -165
  19. data/docs/migration.md +293 -293
  20. data/docs/plugin_kitchen_inspec.md +49 -49
  21. data/docs/profiles.md +370 -370
  22. data/docs/resources/aide_conf.md.erb +78 -78
  23. data/docs/resources/apache.md.erb +66 -66
  24. data/docs/resources/apache_conf.md.erb +67 -67
  25. data/docs/resources/apt.md.erb +70 -70
  26. data/docs/resources/audit_policy.md.erb +46 -46
  27. data/docs/resources/auditd.md.erb +78 -78
  28. data/docs/resources/auditd_conf.md.erb +68 -68
  29. data/docs/resources/auditd_rules.md.erb +116 -116
  30. data/docs/resources/bash.md.erb +74 -74
  31. data/docs/resources/bond.md.erb +89 -89
  32. data/docs/resources/bridge.md.erb +54 -54
  33. data/docs/resources/bsd_service.md.erb +65 -65
  34. data/docs/resources/command.md.erb +137 -137
  35. data/docs/resources/cpan.md.erb +77 -77
  36. data/docs/resources/cran.md.erb +63 -63
  37. data/docs/resources/crontab.md.erb +87 -87
  38. data/docs/resources/csv.md.erb +53 -53
  39. data/docs/resources/dh_params.md.erb +216 -216
  40. data/docs/resources/directory.md.erb +28 -28
  41. data/docs/resources/docker.md.erb +163 -163
  42. data/docs/resources/docker_container.md.erb +99 -99
  43. data/docs/resources/docker_image.md.erb +93 -93
  44. data/docs/resources/docker_service.md.erb +113 -113
  45. data/docs/resources/elasticsearch.md.erb +230 -230
  46. data/docs/resources/etc_fstab.md.erb +124 -124
  47. data/docs/resources/etc_group.md.erb +74 -74
  48. data/docs/resources/etc_hosts.md.erb +75 -75
  49. data/docs/resources/etc_hosts_allow.md.erb +73 -73
  50. data/docs/resources/etc_hosts_deny.md.erb +73 -73
  51. data/docs/resources/file.md.erb +512 -512
  52. data/docs/resources/filesystem.md.erb +40 -40
  53. data/docs/resources/firewalld.md.erb +105 -105
  54. data/docs/resources/gem.md.erb +78 -78
  55. data/docs/resources/group.md.erb +60 -60
  56. data/docs/resources/grub_conf.md.erb +101 -100
  57. data/docs/resources/host.md.erb +77 -77
  58. data/docs/resources/http.md.erb +104 -98
  59. data/docs/resources/iis_app.md.erb +120 -116
  60. data/docs/resources/iis_site.md.erb +132 -128
  61. data/docs/resources/inetd_conf.md.erb +95 -84
  62. data/docs/resources/ini.md.erb +72 -69
  63. data/docs/resources/interface.md.erb +55 -46
  64. data/docs/resources/iptables.md.erb +63 -63
  65. data/docs/resources/json.md.erb +61 -61
  66. data/docs/resources/kernel_module.md.erb +106 -106
  67. data/docs/resources/kernel_parameter.md.erb +58 -58
  68. data/docs/resources/key_rsa.md.erb +73 -73
  69. data/docs/resources/launchd_service.md.erb +56 -56
  70. data/docs/resources/limits_conf.md.erb +66 -66
  71. data/docs/resources/login_def.md.erb +62 -62
  72. data/docs/resources/mount.md.erb +68 -68
  73. data/docs/resources/mssql_session.md.erb +59 -59
  74. data/docs/resources/mysql_conf.md.erb +98 -98
  75. data/docs/resources/mysql_session.md.erb +73 -73
  76. data/docs/resources/nginx.md.erb +78 -78
  77. data/docs/resources/nginx_conf.md.erb +127 -127
  78. data/docs/resources/npm.md.erb +59 -59
  79. data/docs/resources/ntp_conf.md.erb +59 -59
  80. data/docs/resources/oneget.md.erb +52 -52
  81. data/docs/resources/oracledb_session.md.erb +51 -51
  82. data/docs/resources/os.md.erb +140 -140
  83. data/docs/resources/os_env.md.erb +77 -77
  84. data/docs/resources/package.md.erb +119 -119
  85. data/docs/resources/packages.md.erb +66 -66
  86. data/docs/resources/parse_config.md.erb +102 -102
  87. data/docs/resources/parse_config_file.md.erb +137 -137
  88. data/docs/resources/passwd.md.erb +140 -140
  89. data/docs/resources/pip.md.erb +66 -66
  90. data/docs/resources/port.md.erb +136 -136
  91. data/docs/resources/postgres_conf.md.erb +78 -78
  92. data/docs/resources/postgres_hba_conf.md.erb +92 -92
  93. data/docs/resources/postgres_ident_conf.md.erb +75 -75
  94. data/docs/resources/postgres_session.md.erb +68 -68
  95. data/docs/resources/powershell.md.erb +101 -101
  96. data/docs/resources/processes.md.erb +107 -107
  97. data/docs/resources/rabbitmq_config.md.erb +40 -40
  98. data/docs/resources/registry_key.md.erb +157 -157
  99. data/docs/resources/runit_service.md.erb +56 -56
  100. data/docs/resources/security_policy.md.erb +46 -46
  101. data/docs/resources/service.md.erb +120 -120
  102. data/docs/resources/shadow.md.erb +143 -143
  103. data/docs/resources/ssh_config.md.erb +79 -79
  104. data/docs/resources/sshd_config.md.erb +82 -82
  105. data/docs/resources/ssl.md.erb +118 -118
  106. data/docs/resources/sys_info.md.erb +41 -41
  107. data/docs/resources/systemd_service.md.erb +56 -56
  108. data/docs/resources/sysv_service.md.erb +56 -56
  109. data/docs/resources/upstart_service.md.erb +56 -56
  110. data/docs/resources/user.md.erb +139 -139
  111. data/docs/resources/users.md.erb +126 -126
  112. data/docs/resources/vbscript.md.erb +54 -54
  113. data/docs/resources/virtualization.md.erb +56 -56
  114. data/docs/resources/windows_feature.md.erb +46 -46
  115. data/docs/resources/windows_hotfix.md.erb +52 -52
  116. data/docs/resources/windows_task.md.erb +89 -89
  117. data/docs/resources/wmi.md.erb +80 -80
  118. data/docs/resources/x509_certificate.md.erb +150 -150
  119. data/docs/resources/xinetd_conf.md.erb +155 -155
  120. data/docs/resources/xml.md.erb +84 -84
  121. data/docs/resources/yaml.md.erb +68 -68
  122. data/docs/resources/yum.md.erb +97 -97
  123. data/docs/resources/zfs_dataset.md.erb +52 -52
  124. data/docs/resources/zfs_pool.md.erb +46 -46
  125. data/docs/ruby_usage.md +203 -203
  126. data/docs/shared/matcher_be.md.erb +1 -1
  127. data/docs/shared/matcher_cmp.md.erb +43 -43
  128. data/docs/shared/matcher_eq.md.erb +3 -3
  129. data/docs/shared/matcher_include.md.erb +1 -1
  130. data/docs/shared/matcher_match.md.erb +1 -1
  131. data/docs/shell.md +172 -172
  132. data/examples/README.md +8 -8
  133. data/examples/inheritance/README.md +65 -65
  134. data/examples/inheritance/controls/example.rb +14 -14
  135. data/examples/inheritance/inspec.yml +15 -15
  136. data/examples/kitchen-ansible/.kitchen.yml +25 -25
  137. data/examples/kitchen-ansible/Gemfile +19 -19
  138. data/examples/kitchen-ansible/README.md +53 -53
  139. data/examples/kitchen-ansible/files/nginx.repo +6 -6
  140. data/examples/kitchen-ansible/tasks/main.yml +16 -16
  141. data/examples/kitchen-ansible/test/integration/default/default.yml +5 -5
  142. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +28 -28
  143. data/examples/kitchen-chef/.kitchen.yml +20 -20
  144. data/examples/kitchen-chef/Berksfile +3 -3
  145. data/examples/kitchen-chef/Gemfile +19 -19
  146. data/examples/kitchen-chef/README.md +27 -27
  147. data/examples/kitchen-chef/metadata.rb +7 -7
  148. data/examples/kitchen-chef/recipes/default.rb +6 -6
  149. data/examples/kitchen-chef/recipes/nginx.rb +30 -30
  150. data/examples/kitchen-chef/test/integration/default/web_spec.rb +28 -28
  151. data/examples/kitchen-puppet/.kitchen.yml +22 -22
  152. data/examples/kitchen-puppet/Gemfile +20 -20
  153. data/examples/kitchen-puppet/Puppetfile +25 -25
  154. data/examples/kitchen-puppet/README.md +53 -53
  155. data/examples/kitchen-puppet/manifests/site.pp +33 -33
  156. data/examples/kitchen-puppet/metadata.json +11 -11
  157. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +28 -28
  158. data/examples/meta-profile/README.md +37 -37
  159. data/examples/meta-profile/controls/example.rb +13 -13
  160. data/examples/meta-profile/inspec.yml +13 -13
  161. data/examples/profile-attribute.yml +2 -2
  162. data/examples/profile-attribute/README.md +14 -14
  163. data/examples/profile-attribute/controls/example.rb +11 -11
  164. data/examples/profile-attribute/inspec.yml +8 -8
  165. data/examples/profile-sensitive/README.md +29 -29
  166. data/examples/profile-sensitive/controls/sensitive-failures.rb +9 -9
  167. data/examples/profile-sensitive/controls/sensitive.rb +9 -9
  168. data/examples/profile-sensitive/inspec.yml +8 -8
  169. data/examples/profile/README.md +48 -48
  170. data/examples/profile/controls/example.rb +23 -23
  171. data/examples/profile/controls/gordon.rb +36 -36
  172. data/examples/profile/controls/meta.rb +34 -34
  173. data/examples/profile/inspec.yml +10 -10
  174. data/examples/profile/libraries/gordon_config.rb +53 -53
  175. data/inspec.gemspec +47 -47
  176. data/lib/bundles/README.md +3 -3
  177. data/lib/bundles/inspec-artifact.rb +7 -7
  178. data/lib/bundles/inspec-artifact/README.md +1 -1
  179. data/lib/bundles/inspec-artifact/cli.rb +277 -277
  180. data/lib/bundles/inspec-compliance.rb +16 -16
  181. data/lib/bundles/inspec-compliance/.kitchen.yml +20 -20
  182. data/lib/bundles/inspec-compliance/README.md +185 -185
  183. data/lib/bundles/inspec-compliance/api.rb +316 -316
  184. data/lib/bundles/inspec-compliance/api/login.rb +152 -152
  185. data/lib/bundles/inspec-compliance/bootstrap.sh +41 -41
  186. data/lib/bundles/inspec-compliance/cli.rb +277 -277
  187. data/lib/bundles/inspec-compliance/configuration.rb +103 -103
  188. data/lib/bundles/inspec-compliance/http.rb +86 -86
  189. data/lib/bundles/inspec-compliance/support.rb +36 -36
  190. data/lib/bundles/inspec-compliance/target.rb +98 -98
  191. data/lib/bundles/inspec-compliance/test/integration/default/cli.rb +93 -93
  192. data/lib/bundles/inspec-habitat.rb +12 -12
  193. data/lib/bundles/inspec-habitat/cli.rb +36 -36
  194. data/lib/bundles/inspec-habitat/log.rb +10 -10
  195. data/lib/bundles/inspec-habitat/profile.rb +390 -390
  196. data/lib/bundles/inspec-init.rb +8 -8
  197. data/lib/bundles/inspec-init/README.md +31 -31
  198. data/lib/bundles/inspec-init/cli.rb +97 -97
  199. data/lib/bundles/inspec-init/templates/profile/README.md +3 -3
  200. data/lib/bundles/inspec-init/templates/profile/controls/example.rb +19 -19
  201. data/lib/bundles/inspec-init/templates/profile/inspec.yml +8 -8
  202. data/lib/bundles/inspec-supermarket.rb +13 -13
  203. data/lib/bundles/inspec-supermarket/README.md +45 -45
  204. data/lib/bundles/inspec-supermarket/api.rb +84 -84
  205. data/lib/bundles/inspec-supermarket/cli.rb +65 -65
  206. data/lib/bundles/inspec-supermarket/target.rb +34 -34
  207. data/lib/fetchers/git.rb +163 -163
  208. data/lib/fetchers/local.rb +74 -74
  209. data/lib/fetchers/mock.rb +35 -35
  210. data/lib/fetchers/url.rb +204 -204
  211. data/lib/inspec.rb +24 -24
  212. data/lib/inspec/archive/tar.rb +29 -29
  213. data/lib/inspec/archive/zip.rb +19 -19
  214. data/lib/inspec/backend.rb +92 -92
  215. data/lib/inspec/base_cli.rb +324 -322
  216. data/lib/inspec/cached_fetcher.rb +66 -66
  217. data/lib/inspec/cli.rb +298 -298
  218. data/lib/inspec/completions/bash.sh.erb +45 -45
  219. data/lib/inspec/completions/fish.sh.erb +34 -34
  220. data/lib/inspec/completions/zsh.sh.erb +61 -61
  221. data/lib/inspec/control_eval_context.rb +179 -179
  222. data/lib/inspec/dependencies/cache.rb +72 -72
  223. data/lib/inspec/dependencies/dependency_set.rb +92 -92
  224. data/lib/inspec/dependencies/lockfile.rb +115 -115
  225. data/lib/inspec/dependencies/requirement.rb +123 -123
  226. data/lib/inspec/dependencies/resolver.rb +86 -86
  227. data/lib/inspec/describe.rb +27 -27
  228. data/lib/inspec/dsl.rb +66 -66
  229. data/lib/inspec/dsl_shared.rb +33 -33
  230. data/lib/inspec/env_printer.rb +157 -157
  231. data/lib/inspec/errors.rb +13 -13
  232. data/lib/inspec/exceptions.rb +12 -12
  233. data/lib/inspec/expect.rb +45 -45
  234. data/lib/inspec/fetcher.rb +45 -45
  235. data/lib/inspec/file_provider.rb +275 -275
  236. data/lib/inspec/formatters.rb +3 -3
  237. data/lib/inspec/formatters/base.rb +208 -208
  238. data/lib/inspec/formatters/json_rspec.rb +20 -20
  239. data/lib/inspec/formatters/show_progress.rb +12 -12
  240. data/lib/inspec/library_eval_context.rb +58 -58
  241. data/lib/inspec/log.rb +11 -11
  242. data/lib/inspec/metadata.rb +253 -253
  243. data/lib/inspec/method_source.rb +24 -24
  244. data/lib/inspec/objects.rb +14 -14
  245. data/lib/inspec/objects/attribute.rb +65 -65
  246. data/lib/inspec/objects/control.rb +61 -61
  247. data/lib/inspec/objects/describe.rb +92 -92
  248. data/lib/inspec/objects/each_loop.rb +36 -36
  249. data/lib/inspec/objects/list.rb +15 -15
  250. data/lib/inspec/objects/or_test.rb +40 -40
  251. data/lib/inspec/objects/ruby_helper.rb +15 -15
  252. data/lib/inspec/objects/tag.rb +27 -27
  253. data/lib/inspec/objects/test.rb +87 -87
  254. data/lib/inspec/objects/value.rb +27 -27
  255. data/lib/inspec/plugins.rb +60 -60
  256. data/lib/inspec/plugins/cli.rb +24 -24
  257. data/lib/inspec/plugins/fetcher.rb +86 -86
  258. data/lib/inspec/plugins/resource.rb +132 -132
  259. data/lib/inspec/plugins/secret.rb +15 -15
  260. data/lib/inspec/plugins/source_reader.rb +40 -40
  261. data/lib/inspec/polyfill.rb +12 -12
  262. data/lib/inspec/profile.rb +510 -510
  263. data/lib/inspec/profile_context.rb +207 -207
  264. data/lib/inspec/profile_vendor.rb +66 -66
  265. data/lib/inspec/reporters.rb +50 -33
  266. data/lib/inspec/reporters/base.rb +24 -23
  267. data/lib/inspec/reporters/cli.rb +395 -395
  268. data/lib/inspec/reporters/json.rb +134 -132
  269. data/lib/inspec/reporters/json_min.rb +48 -44
  270. data/lib/inspec/reporters/junit.rb +77 -77
  271. data/lib/inspec/require_loader.rb +33 -33
  272. data/lib/inspec/resource.rb +176 -176
  273. data/lib/inspec/rule.rb +266 -266
  274. data/lib/inspec/runner.rb +340 -337
  275. data/lib/inspec/runner_mock.rb +41 -41
  276. data/lib/inspec/runner_rspec.rb +163 -185
  277. data/lib/inspec/runtime_profile.rb +26 -26
  278. data/lib/inspec/schema.rb +186 -186
  279. data/lib/inspec/secrets.rb +19 -19
  280. data/lib/inspec/secrets/yaml.rb +30 -30
  281. data/lib/inspec/shell.rb +223 -223
  282. data/lib/inspec/shell_detector.rb +90 -90
  283. data/lib/inspec/source_reader.rb +29 -29
  284. data/lib/inspec/version.rb +8 -8
  285. data/lib/matchers/matchers.rb +397 -397
  286. data/lib/resources/aide_conf.rb +160 -160
  287. data/lib/resources/apache.rb +49 -49
  288. data/lib/resources/apache_conf.rb +158 -158
  289. data/lib/resources/apt.rb +150 -150
  290. data/lib/resources/audit_policy.rb +64 -64
  291. data/lib/resources/auditd.rb +233 -233
  292. data/lib/resources/auditd_conf.rb +56 -56
  293. data/lib/resources/auditd_rules.rb +205 -205
  294. data/lib/resources/bash.rb +36 -36
  295. data/lib/resources/bond.rb +69 -69
  296. data/lib/resources/bridge.rb +123 -123
  297. data/lib/resources/command.rb +69 -69
  298. data/lib/resources/cpan.rb +60 -60
  299. data/lib/resources/cran.rb +66 -66
  300. data/lib/resources/crontab.rb +169 -169
  301. data/lib/resources/csv.rb +58 -58
  302. data/lib/resources/dh_params.rb +83 -83
  303. data/lib/resources/directory.rb +25 -25
  304. data/lib/resources/docker.rb +239 -239
  305. data/lib/resources/docker_container.rb +92 -92
  306. data/lib/resources/docker_image.rb +86 -86
  307. data/lib/resources/docker_object.rb +57 -57
  308. data/lib/resources/docker_service.rb +94 -94
  309. data/lib/resources/elasticsearch.rb +168 -168
  310. data/lib/resources/etc_fstab.rb +102 -102
  311. data/lib/resources/etc_group.rb +157 -157
  312. data/lib/resources/etc_hosts.rb +81 -81
  313. data/lib/resources/etc_hosts_allow_deny.rb +122 -122
  314. data/lib/resources/file.rb +298 -298
  315. data/lib/resources/filesystem.rb +31 -31
  316. data/lib/resources/firewalld.rb +144 -144
  317. data/lib/resources/gem.rb +71 -71
  318. data/lib/resources/groups.rb +213 -213
  319. data/lib/resources/grub_conf.rb +237 -237
  320. data/lib/resources/host.rb +300 -300
  321. data/lib/resources/http.rb +252 -252
  322. data/lib/resources/iis_app.rb +103 -103
  323. data/lib/resources/iis_site.rb +147 -147
  324. data/lib/resources/inetd_conf.rb +63 -63
  325. data/lib/resources/ini.rb +29 -29
  326. data/lib/resources/interface.rb +130 -130
  327. data/lib/resources/iptables.rb +70 -70
  328. data/lib/resources/json.rb +115 -115
  329. data/lib/resources/kernel_module.rb +110 -110
  330. data/lib/resources/kernel_parameter.rb +58 -58
  331. data/lib/resources/key_rsa.rb +67 -67
  332. data/lib/resources/limits_conf.rb +56 -56
  333. data/lib/resources/login_def.rb +67 -67
  334. data/lib/resources/mount.rb +90 -90
  335. data/lib/resources/mssql_session.rb +103 -103
  336. data/lib/resources/mysql.rb +82 -82
  337. data/lib/resources/mysql_conf.rb +133 -133
  338. data/lib/resources/mysql_session.rb +72 -72
  339. data/lib/resources/nginx.rb +97 -97
  340. data/lib/resources/nginx_conf.rb +228 -228
  341. data/lib/resources/npm.rb +48 -48
  342. data/lib/resources/ntp_conf.rb +59 -59
  343. data/lib/resources/oneget.rb +72 -72
  344. data/lib/resources/oracledb_session.rb +140 -140
  345. data/lib/resources/os.rb +46 -46
  346. data/lib/resources/os_env.rb +76 -76
  347. data/lib/resources/package.rb +357 -357
  348. data/lib/resources/packages.rb +112 -112
  349. data/lib/resources/parse_config.rb +116 -116
  350. data/lib/resources/passwd.rb +96 -96
  351. data/lib/resources/pip.rb +89 -89
  352. data/lib/resources/platform.rb +112 -112
  353. data/lib/resources/port.rb +771 -771
  354. data/lib/resources/postgres.rb +132 -132
  355. data/lib/resources/postgres_conf.rb +122 -122
  356. data/lib/resources/postgres_hba_conf.rb +101 -101
  357. data/lib/resources/postgres_ident_conf.rb +79 -79
  358. data/lib/resources/postgres_session.rb +72 -72
  359. data/lib/resources/powershell.rb +58 -58
  360. data/lib/resources/processes.rb +204 -204
  361. data/lib/resources/rabbitmq_conf.rb +53 -53
  362. data/lib/resources/registry_key.rb +296 -296
  363. data/lib/resources/security_policy.rb +181 -181
  364. data/lib/resources/service.rb +784 -784
  365. data/lib/resources/shadow.rb +141 -141
  366. data/lib/resources/ssh_conf.rb +102 -102
  367. data/lib/resources/ssl.rb +99 -99
  368. data/lib/resources/sys_info.rb +26 -26
  369. data/lib/resources/toml.rb +32 -32
  370. data/lib/resources/users.rb +652 -652
  371. data/lib/resources/vbscript.rb +70 -70
  372. data/lib/resources/virtualization.rb +251 -251
  373. data/lib/resources/windows_feature.rb +85 -85
  374. data/lib/resources/windows_hotfix.rb +35 -35
  375. data/lib/resources/windows_task.rb +106 -106
  376. data/lib/resources/wmi.rb +114 -114
  377. data/lib/resources/x509_certificate.rb +143 -143
  378. data/lib/resources/xinetd.rb +112 -112
  379. data/lib/resources/xml.rb +45 -45
  380. data/lib/resources/yaml.rb +45 -45
  381. data/lib/resources/yum.rb +181 -181
  382. data/lib/resources/zfs_dataset.rb +60 -60
  383. data/lib/resources/zfs_pool.rb +49 -49
  384. data/lib/source_readers/flat.rb +39 -39
  385. data/lib/source_readers/inspec.rb +75 -75
  386. data/lib/utils/command_wrapper.rb +27 -27
  387. data/lib/utils/convert.rb +12 -12
  388. data/lib/utils/database_helpers.rb +77 -77
  389. data/lib/utils/erlang_parser.rb +192 -192
  390. data/lib/utils/filter.rb +272 -272
  391. data/lib/utils/filter_array.rb +27 -27
  392. data/lib/utils/find_files.rb +44 -44
  393. data/lib/utils/hash.rb +41 -41
  394. data/lib/utils/json_log.rb +18 -18
  395. data/lib/utils/latest_version.rb +22 -22
  396. data/lib/utils/modulator.rb +12 -12
  397. data/lib/utils/nginx_parser.rb +85 -85
  398. data/lib/utils/object_traversal.rb +49 -49
  399. data/lib/utils/parser.rb +274 -274
  400. data/lib/utils/plugin_registry.rb +93 -93
  401. data/lib/utils/simpleconfig.rb +132 -132
  402. data/lib/utils/spdx.rb +13 -13
  403. data/lib/utils/spdx.txt +343 -343
  404. metadata +2 -2
@@ -1,73 +1,73 @@
1
- ---
2
- title: About the etc_hosts_allow Resource
3
- ---
4
-
5
- # etc\_hosts\_allow
6
-
7
- Use the `etc_hosts_allow` InSpec audit resource to test rules defined for accepting daemon and client traffic in the `'/etc/hosts.allow'` file.
8
-
9
- <br>
10
-
11
- ## Syntax
12
-
13
- An etc/hosts.allow rule specifies one or more daemons mapped to one or more clients, with zero or more options to for accepting traffic when found.
14
-
15
- Use the where clause to match a property to one or more rules in the hosts.allow file.
16
-
17
- describe etc_hosts_allow.where { daemon == 'value' } do
18
- its ('client_list') { should include ['values'] }
19
- its ('options') { should include ['values'] }
20
- end
21
-
22
- Use the optional constructor parameter to give an alternative path to hosts.allow
23
-
24
- describe etc_hosts_allow(hosts_path).where { daemon == 'value' } do
25
- its ('client_list') { should include ['values'] }
26
- its ('options') { should include ['values'] }
27
- end
28
-
29
- where
30
-
31
- * `daemon` is a daemon that will be allowed to pass traffic in.
32
- * `client_list` is a list of clients will be allowed to pass traffic in.
33
- * `options` is a list of tasks that to be done with the rule when traffic is found.
34
-
35
- <br>
36
-
37
- ## Supported Properties
38
-
39
- 'daemon', 'client_list', 'options'
40
-
41
- <br>
42
-
43
- ## Property Examples
44
-
45
- ### daemon
46
-
47
- `daemon` returns a string containing the daemon that is allowed in the rule.
48
-
49
- describe etc_hosts_allow.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] } do
50
- its('daemon') { should eq ['vsftpd', 'sshd'] }
51
- end
52
-
53
- ### client_list
54
-
55
- `client_list` returns a 2d string array where each entry contains the clients specified for the rule.
56
-
57
- describe etc_hosts_allow.where { daemon == 'sshd' } do
58
- its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
59
- end
60
-
61
- ### options
62
-
63
- `options` returns a 2d string array where each entry contains any options specified for the rule.
64
-
65
- describe etc_hosts_allow.where { daemon == 'sshd' } do
66
- its('options') { should include ['deny', 'echo "REJECTED"'] }
67
- end
68
-
69
- <br>
70
-
71
- ## Matchers
72
-
73
- For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
1
+ ---
2
+ title: About the etc_hosts_allow Resource
3
+ ---
4
+
5
+ # etc\_hosts\_allow
6
+
7
+ Use the `etc_hosts_allow` InSpec audit resource to test rules defined for accepting daemon and client traffic in the `'/etc/hosts.allow'` file.
8
+
9
+ <br>
10
+
11
+ ## Syntax
12
+
13
+ An etc/hosts.allow rule specifies one or more daemons mapped to one or more clients, with zero or more options to for accepting traffic when found.
14
+
15
+ Use the where clause to match a property to one or more rules in the hosts.allow file.
16
+
17
+ describe etc_hosts_allow.where { daemon == 'value' } do
18
+ its ('client_list') { should include ['values'] }
19
+ its ('options') { should include ['values'] }
20
+ end
21
+
22
+ Use the optional constructor parameter to give an alternative path to hosts.allow
23
+
24
+ describe etc_hosts_allow(hosts_path).where { daemon == 'value' } do
25
+ its ('client_list') { should include ['values'] }
26
+ its ('options') { should include ['values'] }
27
+ end
28
+
29
+ where
30
+
31
+ * `daemon` is a daemon that will be allowed to pass traffic in.
32
+ * `client_list` is a list of clients will be allowed to pass traffic in.
33
+ * `options` is a list of tasks that to be done with the rule when traffic is found.
34
+
35
+ <br>
36
+
37
+ ## Supported Properties
38
+
39
+ 'daemon', 'client_list', 'options'
40
+
41
+ <br>
42
+
43
+ ## Property Examples
44
+
45
+ ### daemon
46
+
47
+ `daemon` returns a string containing the daemon that is allowed in the rule.
48
+
49
+ describe etc_hosts_allow.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] } do
50
+ its('daemon') { should eq ['vsftpd', 'sshd'] }
51
+ end
52
+
53
+ ### client_list
54
+
55
+ `client_list` returns a 2d string array where each entry contains the clients specified for the rule.
56
+
57
+ describe etc_hosts_allow.where { daemon == 'sshd' } do
58
+ its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
59
+ end
60
+
61
+ ### options
62
+
63
+ `options` returns a 2d string array where each entry contains any options specified for the rule.
64
+
65
+ describe etc_hosts_allow.where { daemon == 'sshd' } do
66
+ its('options') { should include ['deny', 'echo "REJECTED"'] }
67
+ end
68
+
69
+ <br>
70
+
71
+ ## Matchers
72
+
73
+ For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
@@ -1,73 +1,73 @@
1
- ---
2
- title: About the etc_hosts_deny Resource
3
- ---
4
-
5
- # etc\_hosts\_deny
6
-
7
- Use the `etc_hosts_deny` InSpec audit resource to test rules for rejecting daemon and client traffic defined in /etc/hosts.deny.
8
-
9
- <br>
10
-
11
- ## Syntax
12
-
13
- An etc/hosts.deny rule specifies one or more daemons mapped to one or more clients, with zero or more options for rejecting traffic when found.
14
-
15
- Use the where clause to match a property to one or more rules in the hosts.deny file:
16
-
17
- describe etc_hosts_deny.where { daemon == 'value' } do
18
- its ('client_list') { should include ['values'] }
19
- its ('options') { should include ['values'] }
20
- end
21
-
22
- Use the optional constructor parameter to give an alternative path to hosts.deny:
23
-
24
- describe etc_hosts_deny(hosts_path).where { daemon == 'value' } do
25
- its ('client_list') { should include ['values'] }
26
- its ('options') { should include ['values'] }
27
- end
28
-
29
- where
30
-
31
- * `daemon` is a daemon that will be rejected to pass traffic in.
32
- * `client_list` is a list of clients will be rejected to pass traffic in.
33
- * `options` is a list of tasks that to be done with the rule when traffic is found.
34
-
35
- <br>
36
-
37
- ## Supported Resource Properties
38
-
39
- 'daemon', 'client_list', 'options'
40
-
41
- <br>
42
-
43
- ## Parameter Examples and Return Types
44
-
45
- ### daemon
46
-
47
- `daemon` returns a string containing the daemon that is allowed in the rule.
48
-
49
- describe etc_hosts_deny.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] } do
50
- its('daemon') { should eq ['vsftpd', 'sshd'] }
51
- end
52
-
53
- ### client_list
54
-
55
- `client_list` returns a 2d string array where each entry contains the clients specified for the rule.
56
-
57
- describe etc_hosts_deny.where { daemon == 'sshd' } do
58
- its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
59
- end
60
-
61
- ### options
62
-
63
- `options` returns a 2d string array where each entry contains any options specified for the rule.
64
-
65
- describe etc_hosts_deny.where { daemon == 'sshd' } do
66
- its('options') { should include ['deny', 'echo "REJECTED"'] }
67
- end
68
-
69
- <br>
70
-
71
- ## Matchers
72
-
73
- For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
1
+ ---
2
+ title: About the etc_hosts_deny Resource
3
+ ---
4
+
5
+ # etc\_hosts\_deny
6
+
7
+ Use the `etc_hosts_deny` InSpec audit resource to test rules for rejecting daemon and client traffic defined in /etc/hosts.deny.
8
+
9
+ <br>
10
+
11
+ ## Syntax
12
+
13
+ An etc/hosts.deny rule specifies one or more daemons mapped to one or more clients, with zero or more options for rejecting traffic when found.
14
+
15
+ Use the where clause to match a property to one or more rules in the hosts.deny file:
16
+
17
+ describe etc_hosts_deny.where { daemon == 'value' } do
18
+ its ('client_list') { should include ['values'] }
19
+ its ('options') { should include ['values'] }
20
+ end
21
+
22
+ Use the optional constructor parameter to give an alternative path to hosts.deny:
23
+
24
+ describe etc_hosts_deny(hosts_path).where { daemon == 'value' } do
25
+ its ('client_list') { should include ['values'] }
26
+ its ('options') { should include ['values'] }
27
+ end
28
+
29
+ where
30
+
31
+ * `daemon` is a daemon that will be rejected to pass traffic in.
32
+ * `client_list` is a list of clients will be rejected to pass traffic in.
33
+ * `options` is a list of tasks that to be done with the rule when traffic is found.
34
+
35
+ <br>
36
+
37
+ ## Supported Resource Properties
38
+
39
+ 'daemon', 'client_list', 'options'
40
+
41
+ <br>
42
+
43
+ ## Parameter Examples and Return Types
44
+
45
+ ### daemon
46
+
47
+ `daemon` returns a string containing the daemon that is allowed in the rule.
48
+
49
+ describe etc_hosts_deny.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] } do
50
+ its('daemon') { should eq ['vsftpd', 'sshd'] }
51
+ end
52
+
53
+ ### client_list
54
+
55
+ `client_list` returns a 2d string array where each entry contains the clients specified for the rule.
56
+
57
+ describe etc_hosts_deny.where { daemon == 'sshd' } do
58
+ its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
59
+ end
60
+
61
+ ### options
62
+
63
+ `options` returns a 2d string array where each entry contains any options specified for the rule.
64
+
65
+ describe etc_hosts_deny.where { daemon == 'sshd' } do
66
+ its('options') { should include ['deny', 'echo "REJECTED"'] }
67
+ end
68
+
69
+ <br>
70
+
71
+ ## Matchers
72
+
73
+ For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
@@ -1,512 +1,512 @@
1
- ---
2
- title: About the file Resource
3
- ---
4
-
5
- # file
6
-
7
- Use the `file` InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.
8
-
9
- <br>
10
-
11
- ## Syntax
12
-
13
- A `file` resource block declares the location of the file type to be tested, the expected file type (if required), and one (or more) resource properties.
14
-
15
- describe file('path') do
16
- it { should PROPERTY 'value' }
17
- end
18
-
19
- where
20
-
21
- * `('path')` is the name of the file and/or the path to the file.
22
- * `PROPERTY` is a valid resource property for this resource'
23
- * `'value'` is the value to be tested.
24
-
25
- <br>
26
-
27
- ## Supported Resource Properties
28
-
29
- ### General Resource Properties
30
-
31
- content, size, basename, path, owner, group, type
32
-
33
- ### Unix/Linux Resource Properties
34
-
35
- symlink, mode, link_path, mtime, size, selinux\_label, md5sum, sha256sum, path, source, source\_path, uid, gid
36
-
37
- ### Windows Resource Properties
38
-
39
- file\_version, product\_version
40
-
41
- ## Resource Property Examples
42
-
43
- ### content
44
-
45
- The `content` property tests if contents in the file match the value specified in a regular expression. The values of the `content` property are arbitrary and depend on the file type being tested and also the type of information that is expected to be in that file:
46
-
47
- its('content') { should match REGEX }
48
-
49
- The following complete example tests the `pg_hba.conf` file in PostgreSQL for MD5 requirements. The tests look at all `host` and `local` settings in that file, and then compare the MD5 checksums against the values in the test:
50
-
51
- describe file(hba_config_file) do
52
- its('content') { should match(%r{local\s.*?all\s.*?all\s.*?md5}) }
53
- its('content') { should match(%r{host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5}) }
54
- its('content') { should match(%r{host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5})
55
- end
56
-
57
- ### file_version
58
-
59
- The `file_version` property tests if a Windows file's version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
60
-
61
- its('file_version') { should eq '1.2.3' }
62
-
63
- ### group
64
-
65
- The `group` property tests if the group to which a file belongs matches the specified value.
66
-
67
- its('group') { should eq 'admins' }
68
-
69
- The following examples show how to use this InSpec audit resource.
70
-
71
- ### link_path
72
-
73
- The `link_path` property tests if the file exists at the specified path. If the file is a symlink,
74
- InSpec will resolve the symlink and return the ultimate linked file.
75
-
76
- its('link_path') { should eq '/some/path/to/file' }
77
-
78
- ### md5sum
79
-
80
- The `md5sum` property tests if the MD5 checksum for a file matches the specified value.
81
-
82
- its('md5sum') { should eq '3329x3hf9130gjs9jlasf2305mx91s4j' }
83
-
84
- ### mode
85
-
86
- The `mode` property tests if the mode assigned to the file matches the specified value.
87
-
88
- its('mode') { should cmp '0644' }
89
-
90
- ### mtime
91
-
92
- The `mtime` property tests if the file modification time for the file matches the specified value. The mtime, where supported, is returned as the number of seconds since the epoch.
93
-
94
- describe file('/') do
95
- its('mtime') { should <= Time.now.to_i }
96
- its('mtime') { should >= Time.now.to_i - 1000 }
97
- end
98
-
99
- ### owner
100
-
101
- The `owner` property tests if the owner of the file matches the specified value.
102
-
103
- its('owner') { should eq 'root' }
104
-
105
- ### product_version
106
-
107
- The `product_version` property tests if a Windows file's product version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates.
108
-
109
- its('product_version') { should eq 2.3.4 }
110
-
111
- ### selinux_label
112
-
113
- The `selinux_label` property tests if the SELinux label for a file matches the specified value.
114
-
115
- its('selinux_label') { should eq 'system_u:system_r:httpd_t:s0' }
116
-
117
- ### sha256sum
118
-
119
- The `sha256sum` property tests if the SHA-256 checksum for a file matches the specified value.
120
-
121
- its('sha256sum') { should eq 'b837ch38lh19bb8eaopl8jvxwd2e4g58jn9lkho1w3ed9jbkeicalplaad9k0pjn' }
122
-
123
- ### size
124
-
125
- The `size` property tests if a file's size matches, is greater than, or is less than the specified value. For example, equal:
126
-
127
- its('size') { should eq 32375 }
128
-
129
- Greater than:
130
-
131
- its('size') { should > 64 }
132
-
133
- Less than:
134
-
135
- its('size') { should < 10240 }
136
-
137
- ### type
138
-
139
- The `type` property tests for the file type. The available types are:
140
-
141
- * `file`: the object is a file
142
- * `directory`: the object is a directory
143
- * `link`: the object is a symbolic link
144
- * `pipe`: the object is a named pipe
145
- * `socket`: the object is a socket
146
- * `character_device`: the object is a character device
147
- * `block_device`: the object is a block device
148
- * `door`: the object is a door device
149
-
150
- The `type` method usually returns the type as a Ruby "symbol". We recommend using the `cmp` matcher to match
151
- either by symbol or string.
152
-
153
- For example:
154
-
155
- its('type') { should eq :file }
156
- its('type') { should cmp 'file' }
157
-
158
- or:
159
-
160
- its('type') { should eq :socket }
161
- its('type') { should cmp 'socket' }
162
-
163
- ### Test the contents of a file for MD5 requirements
164
-
165
- describe file(hba_config_file) do
166
- its('content') { should match /local\s.*?all\s.*?all\s.*?md5/ }
167
- its('content') { should match %r{/host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5/} }
168
- its('content') { should match %r{/host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5/} }
169
- end
170
-
171
- ### Test if a file exists
172
-
173
- describe file('/tmp') do
174
- it { should exist }
175
- end
176
-
177
- ### Test that a file does not exist
178
-
179
- describe file('/tmpest') do
180
- it { should_not exist }
181
- end
182
-
183
- ### Test if a path is a directory
184
-
185
- describe file('/tmp') do
186
- its('type') { should eq :directory }
187
- it { should be_directory }
188
- end
189
-
190
- ### Test if a path is a file and not a directory
191
-
192
- describe file('/proc/version') do
193
- its('type') { should cmp 'file' }
194
- it { should be_file }
195
- it { should_not be_directory }
196
- end
197
-
198
- ### Test if a file is a symbolic link
199
-
200
- describe file('/dev/stdout') do
201
- its('type') { should cmp 'symlink' }
202
- it { should be_symlink }
203
- it { should_not be_file }
204
- it { should_not be_directory }
205
- end
206
-
207
- ### Test if a file is a character device
208
-
209
- describe file('/dev/zero') do
210
- its('type') { should cmp 'character' }
211
- it { should be_character_device }
212
- it { should_not be_file }
213
- it { should_not be_directory }
214
- end
215
-
216
- ### Test if a file is a block device
217
-
218
- describe file('/dev/zero') do
219
- its('type') { should cmp 'block' }
220
- it { should be_character_device }
221
- it { should_not be_file }
222
- it { should_not be_directory }
223
- end
224
-
225
- ### Test the mode for a file
226
-
227
- describe file('/dev') do
228
- its('mode') { should cmp '00755' }
229
- end
230
-
231
- ### Test the owner of a file
232
-
233
- describe file('/root') do
234
- its('owner') { should eq 'root' }
235
- end
236
-
237
- ### Test if a file is owned by the root user
238
-
239
- describe file('/dev') do
240
- it { should be_owned_by 'root' }
241
- end
242
-
243
- ### Test the mtime for a file
244
-
245
- describe file('/') do
246
- its('mtime') { should <= Time.now.to_i }
247
- its('mtime') { should >= Time.now.to_i - 1000 }
248
- end
249
-
250
- ### Test that a file's size is between 64 and 10240
251
-
252
- describe file('/') do
253
- its('size') { should be > 64 }
254
- its('size') { should be < 10240 }
255
- end
256
-
257
- ### Test that a file's size is zero
258
-
259
- describe file('/proc/cpuinfo') do
260
- its('size') { should be 0 }
261
- end
262
-
263
-
264
- ### Test an MD5 checksum
265
-
266
- require 'digest'
267
- cpuinfo = file('/proc/cpuinfo').content
268
-
269
- md5sum = Digest::MD5.hexdigest(cpuinfo)
270
-
271
- describe file('/proc/cpuinfo') do
272
- its('md5sum') { should eq md5sum }
273
- end
274
-
275
- ### Test an SHA-256 checksum
276
-
277
- require 'digest'
278
- cpuinfo = file('/proc/cpuinfo').content
279
-
280
- sha256sum = Digest::SHA256.hexdigest(cpuinfo)
281
-
282
- describe file('/proc/cpuinfo') do
283
- its('sha256sum') { should eq sha256sum }
284
- end
285
-
286
- ### Verify NTP
287
-
288
- The following example shows how to use the `file` audit resource to verify if the `ntp.conf` and `leap-seconds` files are present, and then the `command` resource to verify if NTP is installed and running:
289
-
290
- describe file('/etc/ntp.conf') do
291
- it { should be_file }
292
- end
293
-
294
- describe file('/etc/ntp.leapseconds') do
295
- it { should be_file }
296
- end
297
-
298
- describe command('pgrep ntp') do
299
- its('exit_status') { should eq 0 }
300
- end
301
-
302
- ### Test parameters of symlinked file
303
-
304
- If you need to test the parameters of the target file for a symlink, you can use the `link_path` method for the `file` resource.
305
-
306
- For example, for the following symlink:
307
-
308
- lrwxrwxrwx. 1 root root 11 03-10 17:56 /dev/virtio-ports/com.redhat.rhevm.vdsm -> ../vport2p1
309
-
310
- ... you can write controls for both the link and the target.
311
-
312
- describe file('/dev/virtio-ports/com.redhat.rhevm.vdsm') do
313
- it { should be_symlink }
314
- end
315
-
316
- virito_port_vdsm = file('/dev/virtio-ports/com.redhat.rhevm.vdsm').link_path
317
- describe file(virito_port_vdsm) do
318
- it { should exist }
319
- it { should be_character_device }
320
- it { should be_owned_by 'ovirtagent' }
321
- it { should be_grouped_into 'ovirtagent' }
322
- end
323
-
324
- <br>
325
-
326
- ## Matchers
327
-
328
- For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
329
-
330
- ### be\_allowed
331
-
332
- The `be_allowed` matcher tests if the file contains a certain permission set, such as `execute` or `write` in Unix and [`full-control` or `modify` in Windows](https://www.codeproject.com/Reference/871338/AccessControl-FileSystemRights-Permissions-Table).
333
-
334
- it { should be_allowed('read') }
335
-
336
- Just like with `be_executable` and other permissions, one can check for the permission with respect to the specific user or group.
337
-
338
- it { should be_allowed('full-control', by_user: 'MyComputerName\Administrator') }
339
-
340
- OR
341
-
342
- it { should be_allowed('write', by: 'root') }
343
-
344
- ### be\_block\_device
345
-
346
- The `be_block_device` matcher tests if the file exists as a block device, such as `/dev/disk0` or `/dev/disk0s9`:
347
-
348
- it { should be_block_device }
349
-
350
- ### be\_character\_device
351
-
352
- The `be_character_device` matcher tests if the file exists as a character device (that corresponds to a block device), such as `/dev/rdisk0` or `/dev/rdisk0s9`:
353
-
354
- it { should be_character_device }
355
-
356
- ### be_directory
357
-
358
- The `be_directory` matcher tests if the file exists as a directory, such as `/etc/passwd`, `/etc/shadow`, or `/var/log/httpd`:
359
-
360
- it { should be_directory }
361
-
362
- ### be_executable
363
-
364
- The `be_executable` matcher tests if the file exists as an executable:
365
-
366
- it { should be_executable }
367
-
368
- The `be_executable` matcher may also test if the file is executable by a specific owner, group, or user. For example, a group:
369
-
370
- it { should be_executable.by('group') }
371
-
372
- an owner:
373
-
374
- it { should be_executable.by('owner') }
375
-
376
- any user other than the owner or members of the file's group:
377
-
378
- it { should be_executable.by('others') }
379
-
380
- a user:
381
-
382
- it { should be_executable.by_user('user') }
383
-
384
- ### be_file
385
-
386
- The `be_file` matcher tests if the file exists as a file. This can be useful with configuration files like `/etc/passwd` where there typically is not an associated file extension---`passwd.txt`:
387
-
388
- it { should be_file }
389
-
390
- ### be\_grouped\_into
391
-
392
- The `be_grouped_into` matcher tests if the file exists as part of the named group:
393
-
394
- it { should be_grouped_into 'group' }
395
-
396
- ### be_immutable
397
-
398
- The `be_immutable` matcher tests if the file is immutable, i.e. "cannot be changed":
399
-
400
- it { should be_immutable }
401
-
402
- ### be\_linked\_to
403
-
404
- The `be_linked_to` matcher tests if the file is linked to the named target:
405
-
406
- it { should be_linked_to '/etc/target-file' }
407
-
408
-
409
- ### be\_owned\_by
410
-
411
- The `be_owned_by` matcher tests if the file is owned by the named user, such as `root`:
412
-
413
- it { should be_owned_by 'root' }
414
-
415
- ### be_pipe
416
-
417
- The `be_pipe` matcher tests if the file exists as first-in, first-out special file (`.fifo`) that is typically used to define a named pipe, such as `/var/log/nginx/access.log.fifo`:
418
-
419
- it { should be_pipe }
420
-
421
- ### be_readable
422
-
423
- The `be_readable` matcher tests if the file is readable:
424
-
425
- it { should be_readable }
426
-
427
- The `be_readable` matcher may also test if the file is readable by a specific owner, group, or user. For example, a group:
428
-
429
- it { should be_readable.by('group') }
430
-
431
- an owner:
432
-
433
- it { should be_readable.by('owner') }
434
-
435
- any user other than the owner or members of the file's group:
436
-
437
- it { should be_readable.by('others') }
438
-
439
- a user:
440
-
441
- it { should be_readable.by_user('user') }
442
-
443
- ### be_setgid
444
-
445
- The `be_setgid` matcher tests if the 'setgid' permission is set on the file or directory. On executable files, this causes the process to be started owned by the group that owns the file, rather than the primary group of the invocating user. This can result in escalation of privilege. On Linux, when setgid is set on directories, setgid causes newly created files and directories to be owned by the group that owns the setgid parent directory; additionally, newly created subdirectories will have the setgid bit set. To use this matcher:
446
-
447
- it { should be_setgid }
448
-
449
- ### be_socket
450
-
451
- The `be_socket` matcher tests if the file exists as socket (`.sock`), such as `/var/run/php-fpm.sock`:
452
-
453
- it { should be_socket }
454
-
455
- ### be_sticky
456
-
457
- The `be_sticky` matcher tests if the 'sticky bit' permission is set on the directory. On directories, this restricts file deletion to the owner of the file, even if the permission of the parent directory would normally permit deletion by others. This is commonly used on /tmp filesystems. To use this matcher:
458
-
459
- it { should be_sticky }
460
-
461
- ### be_setuid
462
-
463
- The `be_setuid` matcher tests if the 'setuid' permission is set on the file. On executable files, this causes the process to be started owned by the user that owns the file, rather than invocating user. This can result in escalation of privilege. To use this matcher:
464
-
465
- it { should be_setuid }
466
-
467
- ### be_symlink
468
-
469
- The `be_symlink` matcher tests if the file exists as a symbolic, or soft link that contains an absolute or relative path reference to another file:
470
-
471
- it { should be_symlink }
472
-
473
- ### be_version
474
-
475
- The `be_version` matcher tests the version of the file:
476
-
477
- it { should be_version '1.2.3' }
478
-
479
- ### be_writable
480
-
481
- The `be_writable` matcher tests if the file is writable:
482
-
483
- it { should be_writable }
484
-
485
- The `be_writable` matcher may also test if the file is writable by a specific owner, group, or user. For example, a group:
486
-
487
- it { should be_writable.by('group') }
488
-
489
- an owner:
490
-
491
- it { should be_writable.by('owner') }
492
-
493
- any user other than the owner or members of the file's group:
494
-
495
- it { should be_writable.by('others') }
496
-
497
- a user:
498
-
499
- it { should be_writable.by_user('user') }
500
-
501
- ### exist
502
-
503
- The `exist` matcher tests if the named file exists:
504
-
505
- it { should exist }
506
-
507
- ### have_mode
508
-
509
- The `have_mode` matcher tests if a file has a mode assigned to it:
510
-
511
- it { should have_mode }
512
-
1
+ ---
2
+ title: About the file Resource
3
+ ---
4
+
5
+ # file
6
+
7
+ Use the `file` InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.
8
+
9
+ <br>
10
+
11
+ ## Syntax
12
+
13
+ A `file` resource block declares the location of the file type to be tested, the expected file type (if required), and one (or more) resource properties.
14
+
15
+ describe file('path') do
16
+ it { should PROPERTY 'value' }
17
+ end
18
+
19
+ where
20
+
21
+ * `('path')` is the name of the file and/or the path to the file.
22
+ * `PROPERTY` is a valid resource property for this resource'
23
+ * `'value'` is the value to be tested.
24
+
25
+ <br>
26
+
27
+ ## Supported Resource Properties
28
+
29
+ ### General Resource Properties
30
+
31
+ content, size, basename, path, owner, group, type
32
+
33
+ ### Unix/Linux Resource Properties
34
+
35
+ symlink, mode, link_path, mtime, size, selinux\_label, md5sum, sha256sum, path, source, source\_path, uid, gid
36
+
37
+ ### Windows Resource Properties
38
+
39
+ file\_version, product\_version
40
+
41
+ ## Resource Property Examples
42
+
43
+ ### content
44
+
45
+ The `content` property tests if contents in the file match the value specified in a regular expression. The values of the `content` property are arbitrary and depend on the file type being tested and also the type of information that is expected to be in that file:
46
+
47
+ its('content') { should match REGEX }
48
+
49
+ The following complete example tests the `pg_hba.conf` file in PostgreSQL for MD5 requirements. The tests look at all `host` and `local` settings in that file, and then compare the MD5 checksums against the values in the test:
50
+
51
+ describe file(hba_config_file) do
52
+ its('content') { should match(%r{local\s.*?all\s.*?all\s.*?md5}) }
53
+ its('content') { should match(%r{host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5}) }
54
+ its('content') { should match(%r{host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5})
55
+ end
56
+
57
+ ### file_version
58
+
59
+ The `file_version` property tests if a Windows file's version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
60
+
61
+ its('file_version') { should eq '1.2.3' }
62
+
63
+ ### group
64
+
65
+ The `group` property tests if the group to which a file belongs matches the specified value.
66
+
67
+ its('group') { should eq 'admins' }
68
+
69
+ The following examples show how to use this InSpec audit resource.
70
+
71
+ ### link_path
72
+
73
+ The `link_path` property tests if the file exists at the specified path. If the file is a symlink,
74
+ InSpec will resolve the symlink and return the ultimate linked file.
75
+
76
+ its('link_path') { should eq '/some/path/to/file' }
77
+
78
+ ### md5sum
79
+
80
+ The `md5sum` property tests if the MD5 checksum for a file matches the specified value.
81
+
82
+ its('md5sum') { should eq '3329x3hf9130gjs9jlasf2305mx91s4j' }
83
+
84
+ ### mode
85
+
86
+ The `mode` property tests if the mode assigned to the file matches the specified value.
87
+
88
+ its('mode') { should cmp '0644' }
89
+
90
+ ### mtime
91
+
92
+ The `mtime` property tests if the file modification time for the file matches the specified value. The mtime, where supported, is returned as the number of seconds since the epoch.
93
+
94
+ describe file('/') do
95
+ its('mtime') { should <= Time.now.to_i }
96
+ its('mtime') { should >= Time.now.to_i - 1000 }
97
+ end
98
+
99
+ ### owner
100
+
101
+ The `owner` property tests if the owner of the file matches the specified value.
102
+
103
+ its('owner') { should eq 'root' }
104
+
105
+ ### product_version
106
+
107
+ The `product_version` property tests if a Windows file's product version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates.
108
+
109
+ its('product_version') { should eq 2.3.4 }
110
+
111
+ ### selinux_label
112
+
113
+ The `selinux_label` property tests if the SELinux label for a file matches the specified value.
114
+
115
+ its('selinux_label') { should eq 'system_u:system_r:httpd_t:s0' }
116
+
117
+ ### sha256sum
118
+
119
+ The `sha256sum` property tests if the SHA-256 checksum for a file matches the specified value.
120
+
121
+ its('sha256sum') { should eq 'b837ch38lh19bb8eaopl8jvxwd2e4g58jn9lkho1w3ed9jbkeicalplaad9k0pjn' }
122
+
123
+ ### size
124
+
125
+ The `size` property tests if a file's size matches, is greater than, or is less than the specified value. For example, equal:
126
+
127
+ its('size') { should eq 32375 }
128
+
129
+ Greater than:
130
+
131
+ its('size') { should > 64 }
132
+
133
+ Less than:
134
+
135
+ its('size') { should < 10240 }
136
+
137
+ ### type
138
+
139
+ The `type` property tests for the file type. The available types are:
140
+
141
+ * `file`: the object is a file
142
+ * `directory`: the object is a directory
143
+ * `link`: the object is a symbolic link
144
+ * `pipe`: the object is a named pipe
145
+ * `socket`: the object is a socket
146
+ * `character_device`: the object is a character device
147
+ * `block_device`: the object is a block device
148
+ * `door`: the object is a door device
149
+
150
+ The `type` method usually returns the type as a Ruby "symbol". We recommend using the `cmp` matcher to match
151
+ either by symbol or string.
152
+
153
+ For example:
154
+
155
+ its('type') { should eq :file }
156
+ its('type') { should cmp 'file' }
157
+
158
+ or:
159
+
160
+ its('type') { should eq :socket }
161
+ its('type') { should cmp 'socket' }
162
+
163
+ ### Test the contents of a file for MD5 requirements
164
+
165
+ describe file(hba_config_file) do
166
+ its('content') { should match /local\s.*?all\s.*?all\s.*?md5/ }
167
+ its('content') { should match %r{/host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5/} }
168
+ its('content') { should match %r{/host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5/} }
169
+ end
170
+
171
+ ### Test if a file exists
172
+
173
+ describe file('/tmp') do
174
+ it { should exist }
175
+ end
176
+
177
+ ### Test that a file does not exist
178
+
179
+ describe file('/tmpest') do
180
+ it { should_not exist }
181
+ end
182
+
183
+ ### Test if a path is a directory
184
+
185
+ describe file('/tmp') do
186
+ its('type') { should eq :directory }
187
+ it { should be_directory }
188
+ end
189
+
190
+ ### Test if a path is a file and not a directory
191
+
192
+ describe file('/proc/version') do
193
+ its('type') { should cmp 'file' }
194
+ it { should be_file }
195
+ it { should_not be_directory }
196
+ end
197
+
198
+ ### Test if a file is a symbolic link
199
+
200
+ describe file('/dev/stdout') do
201
+ its('type') { should cmp 'symlink' }
202
+ it { should be_symlink }
203
+ it { should_not be_file }
204
+ it { should_not be_directory }
205
+ end
206
+
207
+ ### Test if a file is a character device
208
+
209
+ describe file('/dev/zero') do
210
+ its('type') { should cmp 'character' }
211
+ it { should be_character_device }
212
+ it { should_not be_file }
213
+ it { should_not be_directory }
214
+ end
215
+
216
+ ### Test if a file is a block device
217
+
218
+ describe file('/dev/zero') do
219
+ its('type') { should cmp 'block' }
220
+ it { should be_character_device }
221
+ it { should_not be_file }
222
+ it { should_not be_directory }
223
+ end
224
+
225
+ ### Test the mode for a file
226
+
227
+ describe file('/dev') do
228
+ its('mode') { should cmp '00755' }
229
+ end
230
+
231
+ ### Test the owner of a file
232
+
233
+ describe file('/root') do
234
+ its('owner') { should eq 'root' }
235
+ end
236
+
237
+ ### Test if a file is owned by the root user
238
+
239
+ describe file('/dev') do
240
+ it { should be_owned_by 'root' }
241
+ end
242
+
243
+ ### Test the mtime for a file
244
+
245
+ describe file('/') do
246
+ its('mtime') { should <= Time.now.to_i }
247
+ its('mtime') { should >= Time.now.to_i - 1000 }
248
+ end
249
+
250
+ ### Test that a file's size is between 64 and 10240
251
+
252
+ describe file('/') do
253
+ its('size') { should be > 64 }
254
+ its('size') { should be < 10240 }
255
+ end
256
+
257
+ ### Test that a file's size is zero
258
+
259
+ describe file('/proc/cpuinfo') do
260
+ its('size') { should be 0 }
261
+ end
262
+
263
+
264
+ ### Test an MD5 checksum
265
+
266
+ require 'digest'
267
+ cpuinfo = file('/proc/cpuinfo').content
268
+
269
+ md5sum = Digest::MD5.hexdigest(cpuinfo)
270
+
271
+ describe file('/proc/cpuinfo') do
272
+ its('md5sum') { should eq md5sum }
273
+ end
274
+
275
+ ### Test an SHA-256 checksum
276
+
277
+ require 'digest'
278
+ cpuinfo = file('/proc/cpuinfo').content
279
+
280
+ sha256sum = Digest::SHA256.hexdigest(cpuinfo)
281
+
282
+ describe file('/proc/cpuinfo') do
283
+ its('sha256sum') { should eq sha256sum }
284
+ end
285
+
286
+ ### Verify NTP
287
+
288
+ The following example shows how to use the `file` audit resource to verify if the `ntp.conf` and `leap-seconds` files are present, and then the `command` resource to verify if NTP is installed and running:
289
+
290
+ describe file('/etc/ntp.conf') do
291
+ it { should be_file }
292
+ end
293
+
294
+ describe file('/etc/ntp.leapseconds') do
295
+ it { should be_file }
296
+ end
297
+
298
+ describe command('pgrep ntp') do
299
+ its('exit_status') { should eq 0 }
300
+ end
301
+
302
+ ### Test parameters of symlinked file
303
+
304
+ If you need to test the parameters of the target file for a symlink, you can use the `link_path` method for the `file` resource.
305
+
306
+ For example, for the following symlink:
307
+
308
+ lrwxrwxrwx. 1 root root 11 03-10 17:56 /dev/virtio-ports/com.redhat.rhevm.vdsm -> ../vport2p1
309
+
310
+ ... you can write controls for both the link and the target.
311
+
312
+ describe file('/dev/virtio-ports/com.redhat.rhevm.vdsm') do
313
+ it { should be_symlink }
314
+ end
315
+
316
+ virito_port_vdsm = file('/dev/virtio-ports/com.redhat.rhevm.vdsm').link_path
317
+ describe file(virito_port_vdsm) do
318
+ it { should exist }
319
+ it { should be_character_device }
320
+ it { should be_owned_by 'ovirtagent' }
321
+ it { should be_grouped_into 'ovirtagent' }
322
+ end
323
+
324
+ <br>
325
+
326
+ ## Matchers
327
+
328
+ For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
329
+
330
+ ### be\_allowed
331
+
332
+ The `be_allowed` matcher tests if the file contains a certain permission set, such as `execute` or `write` in Unix and [`full-control` or `modify` in Windows](https://www.codeproject.com/Reference/871338/AccessControl-FileSystemRights-Permissions-Table).
333
+
334
+ it { should be_allowed('read') }
335
+
336
+ Just like with `be_executable` and other permissions, one can check for the permission with respect to the specific user or group.
337
+
338
+ it { should be_allowed('full-control', by_user: 'MyComputerName\Administrator') }
339
+
340
+ OR
341
+
342
+ it { should be_allowed('write', by: 'root') }
343
+
344
+ ### be\_block\_device
345
+
346
+ The `be_block_device` matcher tests if the file exists as a block device, such as `/dev/disk0` or `/dev/disk0s9`:
347
+
348
+ it { should be_block_device }
349
+
350
+ ### be\_character\_device
351
+
352
+ The `be_character_device` matcher tests if the file exists as a character device (that corresponds to a block device), such as `/dev/rdisk0` or `/dev/rdisk0s9`:
353
+
354
+ it { should be_character_device }
355
+
356
+ ### be_directory
357
+
358
+ The `be_directory` matcher tests if the file exists as a directory, such as `/etc/passwd`, `/etc/shadow`, or `/var/log/httpd`:
359
+
360
+ it { should be_directory }
361
+
362
+ ### be_executable
363
+
364
+ The `be_executable` matcher tests if the file exists as an executable:
365
+
366
+ it { should be_executable }
367
+
368
+ The `be_executable` matcher may also test if the file is executable by a specific owner, group, or user. For example, a group:
369
+
370
+ it { should be_executable.by('group') }
371
+
372
+ an owner:
373
+
374
+ it { should be_executable.by('owner') }
375
+
376
+ any user other than the owner or members of the file's group:
377
+
378
+ it { should be_executable.by('others') }
379
+
380
+ a user:
381
+
382
+ it { should be_executable.by_user('user') }
383
+
384
+ ### be_file
385
+
386
+ The `be_file` matcher tests if the file exists as a file. This can be useful with configuration files like `/etc/passwd` where there typically is not an associated file extension---`passwd.txt`:
387
+
388
+ it { should be_file }
389
+
390
+ ### be\_grouped\_into
391
+
392
+ The `be_grouped_into` matcher tests if the file exists as part of the named group:
393
+
394
+ it { should be_grouped_into 'group' }
395
+
396
+ ### be_immutable
397
+
398
+ The `be_immutable` matcher tests if the file is immutable, i.e. "cannot be changed":
399
+
400
+ it { should be_immutable }
401
+
402
+ ### be\_linked\_to
403
+
404
+ The `be_linked_to` matcher tests if the file is linked to the named target:
405
+
406
+ it { should be_linked_to '/etc/target-file' }
407
+
408
+
409
+ ### be\_owned\_by
410
+
411
+ The `be_owned_by` matcher tests if the file is owned by the named user, such as `root`:
412
+
413
+ it { should be_owned_by 'root' }
414
+
415
+ ### be_pipe
416
+
417
+ The `be_pipe` matcher tests if the file exists as first-in, first-out special file (`.fifo`) that is typically used to define a named pipe, such as `/var/log/nginx/access.log.fifo`:
418
+
419
+ it { should be_pipe }
420
+
421
+ ### be_readable
422
+
423
+ The `be_readable` matcher tests if the file is readable:
424
+
425
+ it { should be_readable }
426
+
427
+ The `be_readable` matcher may also test if the file is readable by a specific owner, group, or user. For example, a group:
428
+
429
+ it { should be_readable.by('group') }
430
+
431
+ an owner:
432
+
433
+ it { should be_readable.by('owner') }
434
+
435
+ any user other than the owner or members of the file's group:
436
+
437
+ it { should be_readable.by('others') }
438
+
439
+ a user:
440
+
441
+ it { should be_readable.by_user('user') }
442
+
443
+ ### be_setgid
444
+
445
+ The `be_setgid` matcher tests if the 'setgid' permission is set on the file or directory. On executable files, this causes the process to be started owned by the group that owns the file, rather than the primary group of the invocating user. This can result in escalation of privilege. On Linux, when setgid is set on directories, setgid causes newly created files and directories to be owned by the group that owns the setgid parent directory; additionally, newly created subdirectories will have the setgid bit set. To use this matcher:
446
+
447
+ it { should be_setgid }
448
+
449
+ ### be_socket
450
+
451
+ The `be_socket` matcher tests if the file exists as socket (`.sock`), such as `/var/run/php-fpm.sock`:
452
+
453
+ it { should be_socket }
454
+
455
+ ### be_sticky
456
+
457
+ The `be_sticky` matcher tests if the 'sticky bit' permission is set on the directory. On directories, this restricts file deletion to the owner of the file, even if the permission of the parent directory would normally permit deletion by others. This is commonly used on /tmp filesystems. To use this matcher:
458
+
459
+ it { should be_sticky }
460
+
461
+ ### be_setuid
462
+
463
+ The `be_setuid` matcher tests if the 'setuid' permission is set on the file. On executable files, this causes the process to be started owned by the user that owns the file, rather than invocating user. This can result in escalation of privilege. To use this matcher:
464
+
465
+ it { should be_setuid }
466
+
467
+ ### be_symlink
468
+
469
+ The `be_symlink` matcher tests if the file exists as a symbolic, or soft link that contains an absolute or relative path reference to another file:
470
+
471
+ it { should be_symlink }
472
+
473
+ ### be_version
474
+
475
+ The `be_version` matcher tests the version of the file:
476
+
477
+ it { should be_version '1.2.3' }
478
+
479
+ ### be_writable
480
+
481
+ The `be_writable` matcher tests if the file is writable:
482
+
483
+ it { should be_writable }
484
+
485
+ The `be_writable` matcher may also test if the file is writable by a specific owner, group, or user. For example, a group:
486
+
487
+ it { should be_writable.by('group') }
488
+
489
+ an owner:
490
+
491
+ it { should be_writable.by('owner') }
492
+
493
+ any user other than the owner or members of the file's group:
494
+
495
+ it { should be_writable.by('others') }
496
+
497
+ a user:
498
+
499
+ it { should be_writable.by_user('user') }
500
+
501
+ ### exist
502
+
503
+ The `exist` matcher tests if the named file exists:
504
+
505
+ it { should exist }
506
+
507
+ ### have_mode
508
+
509
+ The `have_mode` matcher tests if a file has a mode assigned to it:
510
+
511
+ it { should have_mode }
512
+