inspec 1.51.6 → 1.51.15

Sign up to get free protection for your applications and to get access to all the features.
Files changed (404) hide show
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +101 -101
  3. data/CHANGELOG.md +2915 -2902
  4. data/Gemfile +53 -53
  5. data/LICENSE +14 -14
  6. data/MAINTAINERS.md +31 -31
  7. data/MAINTAINERS.toml +47 -47
  8. data/README.md +419 -419
  9. data/Rakefile +167 -167
  10. data/bin/inspec +12 -12
  11. data/docs/.gitignore +2 -2
  12. data/docs/README.md +40 -40
  13. data/docs/dsl_inspec.md +258 -258
  14. data/docs/dsl_resource.md +93 -93
  15. data/docs/glossary.md +99 -99
  16. data/docs/habitat.md +191 -191
  17. data/docs/inspec_and_friends.md +107 -107
  18. data/docs/matchers.md +165 -165
  19. data/docs/migration.md +293 -293
  20. data/docs/plugin_kitchen_inspec.md +49 -49
  21. data/docs/profiles.md +370 -370
  22. data/docs/resources/aide_conf.md.erb +78 -78
  23. data/docs/resources/apache.md.erb +66 -66
  24. data/docs/resources/apache_conf.md.erb +67 -67
  25. data/docs/resources/apt.md.erb +70 -70
  26. data/docs/resources/audit_policy.md.erb +46 -46
  27. data/docs/resources/auditd.md.erb +78 -78
  28. data/docs/resources/auditd_conf.md.erb +68 -68
  29. data/docs/resources/auditd_rules.md.erb +116 -116
  30. data/docs/resources/bash.md.erb +74 -74
  31. data/docs/resources/bond.md.erb +89 -89
  32. data/docs/resources/bridge.md.erb +54 -54
  33. data/docs/resources/bsd_service.md.erb +65 -65
  34. data/docs/resources/command.md.erb +137 -137
  35. data/docs/resources/cpan.md.erb +77 -77
  36. data/docs/resources/cran.md.erb +63 -63
  37. data/docs/resources/crontab.md.erb +87 -87
  38. data/docs/resources/csv.md.erb +53 -53
  39. data/docs/resources/dh_params.md.erb +216 -216
  40. data/docs/resources/directory.md.erb +28 -28
  41. data/docs/resources/docker.md.erb +163 -163
  42. data/docs/resources/docker_container.md.erb +99 -99
  43. data/docs/resources/docker_image.md.erb +93 -93
  44. data/docs/resources/docker_service.md.erb +113 -113
  45. data/docs/resources/elasticsearch.md.erb +230 -230
  46. data/docs/resources/etc_fstab.md.erb +124 -124
  47. data/docs/resources/etc_group.md.erb +74 -74
  48. data/docs/resources/etc_hosts.md.erb +75 -75
  49. data/docs/resources/etc_hosts_allow.md.erb +73 -73
  50. data/docs/resources/etc_hosts_deny.md.erb +73 -73
  51. data/docs/resources/file.md.erb +512 -512
  52. data/docs/resources/filesystem.md.erb +40 -40
  53. data/docs/resources/firewalld.md.erb +105 -105
  54. data/docs/resources/gem.md.erb +78 -78
  55. data/docs/resources/group.md.erb +60 -60
  56. data/docs/resources/grub_conf.md.erb +101 -100
  57. data/docs/resources/host.md.erb +77 -77
  58. data/docs/resources/http.md.erb +104 -98
  59. data/docs/resources/iis_app.md.erb +120 -116
  60. data/docs/resources/iis_site.md.erb +132 -128
  61. data/docs/resources/inetd_conf.md.erb +95 -84
  62. data/docs/resources/ini.md.erb +72 -69
  63. data/docs/resources/interface.md.erb +55 -46
  64. data/docs/resources/iptables.md.erb +63 -63
  65. data/docs/resources/json.md.erb +61 -61
  66. data/docs/resources/kernel_module.md.erb +106 -106
  67. data/docs/resources/kernel_parameter.md.erb +58 -58
  68. data/docs/resources/key_rsa.md.erb +73 -73
  69. data/docs/resources/launchd_service.md.erb +56 -56
  70. data/docs/resources/limits_conf.md.erb +66 -66
  71. data/docs/resources/login_def.md.erb +62 -62
  72. data/docs/resources/mount.md.erb +68 -68
  73. data/docs/resources/mssql_session.md.erb +59 -59
  74. data/docs/resources/mysql_conf.md.erb +98 -98
  75. data/docs/resources/mysql_session.md.erb +73 -73
  76. data/docs/resources/nginx.md.erb +78 -78
  77. data/docs/resources/nginx_conf.md.erb +127 -127
  78. data/docs/resources/npm.md.erb +59 -59
  79. data/docs/resources/ntp_conf.md.erb +59 -59
  80. data/docs/resources/oneget.md.erb +52 -52
  81. data/docs/resources/oracledb_session.md.erb +51 -51
  82. data/docs/resources/os.md.erb +140 -140
  83. data/docs/resources/os_env.md.erb +77 -77
  84. data/docs/resources/package.md.erb +119 -119
  85. data/docs/resources/packages.md.erb +66 -66
  86. data/docs/resources/parse_config.md.erb +102 -102
  87. data/docs/resources/parse_config_file.md.erb +137 -137
  88. data/docs/resources/passwd.md.erb +140 -140
  89. data/docs/resources/pip.md.erb +66 -66
  90. data/docs/resources/port.md.erb +136 -136
  91. data/docs/resources/postgres_conf.md.erb +78 -78
  92. data/docs/resources/postgres_hba_conf.md.erb +92 -92
  93. data/docs/resources/postgres_ident_conf.md.erb +75 -75
  94. data/docs/resources/postgres_session.md.erb +68 -68
  95. data/docs/resources/powershell.md.erb +101 -101
  96. data/docs/resources/processes.md.erb +107 -107
  97. data/docs/resources/rabbitmq_config.md.erb +40 -40
  98. data/docs/resources/registry_key.md.erb +157 -157
  99. data/docs/resources/runit_service.md.erb +56 -56
  100. data/docs/resources/security_policy.md.erb +46 -46
  101. data/docs/resources/service.md.erb +120 -120
  102. data/docs/resources/shadow.md.erb +143 -143
  103. data/docs/resources/ssh_config.md.erb +79 -79
  104. data/docs/resources/sshd_config.md.erb +82 -82
  105. data/docs/resources/ssl.md.erb +118 -118
  106. data/docs/resources/sys_info.md.erb +41 -41
  107. data/docs/resources/systemd_service.md.erb +56 -56
  108. data/docs/resources/sysv_service.md.erb +56 -56
  109. data/docs/resources/upstart_service.md.erb +56 -56
  110. data/docs/resources/user.md.erb +139 -139
  111. data/docs/resources/users.md.erb +126 -126
  112. data/docs/resources/vbscript.md.erb +54 -54
  113. data/docs/resources/virtualization.md.erb +56 -56
  114. data/docs/resources/windows_feature.md.erb +46 -46
  115. data/docs/resources/windows_hotfix.md.erb +52 -52
  116. data/docs/resources/windows_task.md.erb +89 -89
  117. data/docs/resources/wmi.md.erb +80 -80
  118. data/docs/resources/x509_certificate.md.erb +150 -150
  119. data/docs/resources/xinetd_conf.md.erb +155 -155
  120. data/docs/resources/xml.md.erb +84 -84
  121. data/docs/resources/yaml.md.erb +68 -68
  122. data/docs/resources/yum.md.erb +97 -97
  123. data/docs/resources/zfs_dataset.md.erb +52 -52
  124. data/docs/resources/zfs_pool.md.erb +46 -46
  125. data/docs/ruby_usage.md +203 -203
  126. data/docs/shared/matcher_be.md.erb +1 -1
  127. data/docs/shared/matcher_cmp.md.erb +43 -43
  128. data/docs/shared/matcher_eq.md.erb +3 -3
  129. data/docs/shared/matcher_include.md.erb +1 -1
  130. data/docs/shared/matcher_match.md.erb +1 -1
  131. data/docs/shell.md +172 -172
  132. data/examples/README.md +8 -8
  133. data/examples/inheritance/README.md +65 -65
  134. data/examples/inheritance/controls/example.rb +14 -14
  135. data/examples/inheritance/inspec.yml +15 -15
  136. data/examples/kitchen-ansible/.kitchen.yml +25 -25
  137. data/examples/kitchen-ansible/Gemfile +19 -19
  138. data/examples/kitchen-ansible/README.md +53 -53
  139. data/examples/kitchen-ansible/files/nginx.repo +6 -6
  140. data/examples/kitchen-ansible/tasks/main.yml +16 -16
  141. data/examples/kitchen-ansible/test/integration/default/default.yml +5 -5
  142. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +28 -28
  143. data/examples/kitchen-chef/.kitchen.yml +20 -20
  144. data/examples/kitchen-chef/Berksfile +3 -3
  145. data/examples/kitchen-chef/Gemfile +19 -19
  146. data/examples/kitchen-chef/README.md +27 -27
  147. data/examples/kitchen-chef/metadata.rb +7 -7
  148. data/examples/kitchen-chef/recipes/default.rb +6 -6
  149. data/examples/kitchen-chef/recipes/nginx.rb +30 -30
  150. data/examples/kitchen-chef/test/integration/default/web_spec.rb +28 -28
  151. data/examples/kitchen-puppet/.kitchen.yml +22 -22
  152. data/examples/kitchen-puppet/Gemfile +20 -20
  153. data/examples/kitchen-puppet/Puppetfile +25 -25
  154. data/examples/kitchen-puppet/README.md +53 -53
  155. data/examples/kitchen-puppet/manifests/site.pp +33 -33
  156. data/examples/kitchen-puppet/metadata.json +11 -11
  157. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +28 -28
  158. data/examples/meta-profile/README.md +37 -37
  159. data/examples/meta-profile/controls/example.rb +13 -13
  160. data/examples/meta-profile/inspec.yml +13 -13
  161. data/examples/profile-attribute.yml +2 -2
  162. data/examples/profile-attribute/README.md +14 -14
  163. data/examples/profile-attribute/controls/example.rb +11 -11
  164. data/examples/profile-attribute/inspec.yml +8 -8
  165. data/examples/profile-sensitive/README.md +29 -29
  166. data/examples/profile-sensitive/controls/sensitive-failures.rb +9 -9
  167. data/examples/profile-sensitive/controls/sensitive.rb +9 -9
  168. data/examples/profile-sensitive/inspec.yml +8 -8
  169. data/examples/profile/README.md +48 -48
  170. data/examples/profile/controls/example.rb +23 -23
  171. data/examples/profile/controls/gordon.rb +36 -36
  172. data/examples/profile/controls/meta.rb +34 -34
  173. data/examples/profile/inspec.yml +10 -10
  174. data/examples/profile/libraries/gordon_config.rb +53 -53
  175. data/inspec.gemspec +47 -47
  176. data/lib/bundles/README.md +3 -3
  177. data/lib/bundles/inspec-artifact.rb +7 -7
  178. data/lib/bundles/inspec-artifact/README.md +1 -1
  179. data/lib/bundles/inspec-artifact/cli.rb +277 -277
  180. data/lib/bundles/inspec-compliance.rb +16 -16
  181. data/lib/bundles/inspec-compliance/.kitchen.yml +20 -20
  182. data/lib/bundles/inspec-compliance/README.md +185 -185
  183. data/lib/bundles/inspec-compliance/api.rb +316 -316
  184. data/lib/bundles/inspec-compliance/api/login.rb +152 -152
  185. data/lib/bundles/inspec-compliance/bootstrap.sh +41 -41
  186. data/lib/bundles/inspec-compliance/cli.rb +277 -277
  187. data/lib/bundles/inspec-compliance/configuration.rb +103 -103
  188. data/lib/bundles/inspec-compliance/http.rb +86 -86
  189. data/lib/bundles/inspec-compliance/support.rb +36 -36
  190. data/lib/bundles/inspec-compliance/target.rb +98 -98
  191. data/lib/bundles/inspec-compliance/test/integration/default/cli.rb +93 -93
  192. data/lib/bundles/inspec-habitat.rb +12 -12
  193. data/lib/bundles/inspec-habitat/cli.rb +36 -36
  194. data/lib/bundles/inspec-habitat/log.rb +10 -10
  195. data/lib/bundles/inspec-habitat/profile.rb +390 -390
  196. data/lib/bundles/inspec-init.rb +8 -8
  197. data/lib/bundles/inspec-init/README.md +31 -31
  198. data/lib/bundles/inspec-init/cli.rb +97 -97
  199. data/lib/bundles/inspec-init/templates/profile/README.md +3 -3
  200. data/lib/bundles/inspec-init/templates/profile/controls/example.rb +19 -19
  201. data/lib/bundles/inspec-init/templates/profile/inspec.yml +8 -8
  202. data/lib/bundles/inspec-supermarket.rb +13 -13
  203. data/lib/bundles/inspec-supermarket/README.md +45 -45
  204. data/lib/bundles/inspec-supermarket/api.rb +84 -84
  205. data/lib/bundles/inspec-supermarket/cli.rb +65 -65
  206. data/lib/bundles/inspec-supermarket/target.rb +34 -34
  207. data/lib/fetchers/git.rb +163 -163
  208. data/lib/fetchers/local.rb +74 -74
  209. data/lib/fetchers/mock.rb +35 -35
  210. data/lib/fetchers/url.rb +204 -204
  211. data/lib/inspec.rb +24 -24
  212. data/lib/inspec/archive/tar.rb +29 -29
  213. data/lib/inspec/archive/zip.rb +19 -19
  214. data/lib/inspec/backend.rb +92 -92
  215. data/lib/inspec/base_cli.rb +324 -322
  216. data/lib/inspec/cached_fetcher.rb +66 -66
  217. data/lib/inspec/cli.rb +298 -298
  218. data/lib/inspec/completions/bash.sh.erb +45 -45
  219. data/lib/inspec/completions/fish.sh.erb +34 -34
  220. data/lib/inspec/completions/zsh.sh.erb +61 -61
  221. data/lib/inspec/control_eval_context.rb +179 -179
  222. data/lib/inspec/dependencies/cache.rb +72 -72
  223. data/lib/inspec/dependencies/dependency_set.rb +92 -92
  224. data/lib/inspec/dependencies/lockfile.rb +115 -115
  225. data/lib/inspec/dependencies/requirement.rb +123 -123
  226. data/lib/inspec/dependencies/resolver.rb +86 -86
  227. data/lib/inspec/describe.rb +27 -27
  228. data/lib/inspec/dsl.rb +66 -66
  229. data/lib/inspec/dsl_shared.rb +33 -33
  230. data/lib/inspec/env_printer.rb +157 -157
  231. data/lib/inspec/errors.rb +13 -13
  232. data/lib/inspec/exceptions.rb +12 -12
  233. data/lib/inspec/expect.rb +45 -45
  234. data/lib/inspec/fetcher.rb +45 -45
  235. data/lib/inspec/file_provider.rb +275 -275
  236. data/lib/inspec/formatters.rb +3 -3
  237. data/lib/inspec/formatters/base.rb +208 -208
  238. data/lib/inspec/formatters/json_rspec.rb +20 -20
  239. data/lib/inspec/formatters/show_progress.rb +12 -12
  240. data/lib/inspec/library_eval_context.rb +58 -58
  241. data/lib/inspec/log.rb +11 -11
  242. data/lib/inspec/metadata.rb +253 -253
  243. data/lib/inspec/method_source.rb +24 -24
  244. data/lib/inspec/objects.rb +14 -14
  245. data/lib/inspec/objects/attribute.rb +65 -65
  246. data/lib/inspec/objects/control.rb +61 -61
  247. data/lib/inspec/objects/describe.rb +92 -92
  248. data/lib/inspec/objects/each_loop.rb +36 -36
  249. data/lib/inspec/objects/list.rb +15 -15
  250. data/lib/inspec/objects/or_test.rb +40 -40
  251. data/lib/inspec/objects/ruby_helper.rb +15 -15
  252. data/lib/inspec/objects/tag.rb +27 -27
  253. data/lib/inspec/objects/test.rb +87 -87
  254. data/lib/inspec/objects/value.rb +27 -27
  255. data/lib/inspec/plugins.rb +60 -60
  256. data/lib/inspec/plugins/cli.rb +24 -24
  257. data/lib/inspec/plugins/fetcher.rb +86 -86
  258. data/lib/inspec/plugins/resource.rb +132 -132
  259. data/lib/inspec/plugins/secret.rb +15 -15
  260. data/lib/inspec/plugins/source_reader.rb +40 -40
  261. data/lib/inspec/polyfill.rb +12 -12
  262. data/lib/inspec/profile.rb +510 -510
  263. data/lib/inspec/profile_context.rb +207 -207
  264. data/lib/inspec/profile_vendor.rb +66 -66
  265. data/lib/inspec/reporters.rb +50 -33
  266. data/lib/inspec/reporters/base.rb +24 -23
  267. data/lib/inspec/reporters/cli.rb +395 -395
  268. data/lib/inspec/reporters/json.rb +134 -132
  269. data/lib/inspec/reporters/json_min.rb +48 -44
  270. data/lib/inspec/reporters/junit.rb +77 -77
  271. data/lib/inspec/require_loader.rb +33 -33
  272. data/lib/inspec/resource.rb +176 -176
  273. data/lib/inspec/rule.rb +266 -266
  274. data/lib/inspec/runner.rb +340 -337
  275. data/lib/inspec/runner_mock.rb +41 -41
  276. data/lib/inspec/runner_rspec.rb +163 -185
  277. data/lib/inspec/runtime_profile.rb +26 -26
  278. data/lib/inspec/schema.rb +186 -186
  279. data/lib/inspec/secrets.rb +19 -19
  280. data/lib/inspec/secrets/yaml.rb +30 -30
  281. data/lib/inspec/shell.rb +223 -223
  282. data/lib/inspec/shell_detector.rb +90 -90
  283. data/lib/inspec/source_reader.rb +29 -29
  284. data/lib/inspec/version.rb +8 -8
  285. data/lib/matchers/matchers.rb +397 -397
  286. data/lib/resources/aide_conf.rb +160 -160
  287. data/lib/resources/apache.rb +49 -49
  288. data/lib/resources/apache_conf.rb +158 -158
  289. data/lib/resources/apt.rb +150 -150
  290. data/lib/resources/audit_policy.rb +64 -64
  291. data/lib/resources/auditd.rb +233 -233
  292. data/lib/resources/auditd_conf.rb +56 -56
  293. data/lib/resources/auditd_rules.rb +205 -205
  294. data/lib/resources/bash.rb +36 -36
  295. data/lib/resources/bond.rb +69 -69
  296. data/lib/resources/bridge.rb +123 -123
  297. data/lib/resources/command.rb +69 -69
  298. data/lib/resources/cpan.rb +60 -60
  299. data/lib/resources/cran.rb +66 -66
  300. data/lib/resources/crontab.rb +169 -169
  301. data/lib/resources/csv.rb +58 -58
  302. data/lib/resources/dh_params.rb +83 -83
  303. data/lib/resources/directory.rb +25 -25
  304. data/lib/resources/docker.rb +239 -239
  305. data/lib/resources/docker_container.rb +92 -92
  306. data/lib/resources/docker_image.rb +86 -86
  307. data/lib/resources/docker_object.rb +57 -57
  308. data/lib/resources/docker_service.rb +94 -94
  309. data/lib/resources/elasticsearch.rb +168 -168
  310. data/lib/resources/etc_fstab.rb +102 -102
  311. data/lib/resources/etc_group.rb +157 -157
  312. data/lib/resources/etc_hosts.rb +81 -81
  313. data/lib/resources/etc_hosts_allow_deny.rb +122 -122
  314. data/lib/resources/file.rb +298 -298
  315. data/lib/resources/filesystem.rb +31 -31
  316. data/lib/resources/firewalld.rb +144 -144
  317. data/lib/resources/gem.rb +71 -71
  318. data/lib/resources/groups.rb +213 -213
  319. data/lib/resources/grub_conf.rb +237 -237
  320. data/lib/resources/host.rb +300 -300
  321. data/lib/resources/http.rb +252 -252
  322. data/lib/resources/iis_app.rb +103 -103
  323. data/lib/resources/iis_site.rb +147 -147
  324. data/lib/resources/inetd_conf.rb +63 -63
  325. data/lib/resources/ini.rb +29 -29
  326. data/lib/resources/interface.rb +130 -130
  327. data/lib/resources/iptables.rb +70 -70
  328. data/lib/resources/json.rb +115 -115
  329. data/lib/resources/kernel_module.rb +110 -110
  330. data/lib/resources/kernel_parameter.rb +58 -58
  331. data/lib/resources/key_rsa.rb +67 -67
  332. data/lib/resources/limits_conf.rb +56 -56
  333. data/lib/resources/login_def.rb +67 -67
  334. data/lib/resources/mount.rb +90 -90
  335. data/lib/resources/mssql_session.rb +103 -103
  336. data/lib/resources/mysql.rb +82 -82
  337. data/lib/resources/mysql_conf.rb +133 -133
  338. data/lib/resources/mysql_session.rb +72 -72
  339. data/lib/resources/nginx.rb +97 -97
  340. data/lib/resources/nginx_conf.rb +228 -228
  341. data/lib/resources/npm.rb +48 -48
  342. data/lib/resources/ntp_conf.rb +59 -59
  343. data/lib/resources/oneget.rb +72 -72
  344. data/lib/resources/oracledb_session.rb +140 -140
  345. data/lib/resources/os.rb +46 -46
  346. data/lib/resources/os_env.rb +76 -76
  347. data/lib/resources/package.rb +357 -357
  348. data/lib/resources/packages.rb +112 -112
  349. data/lib/resources/parse_config.rb +116 -116
  350. data/lib/resources/passwd.rb +96 -96
  351. data/lib/resources/pip.rb +89 -89
  352. data/lib/resources/platform.rb +112 -112
  353. data/lib/resources/port.rb +771 -771
  354. data/lib/resources/postgres.rb +132 -132
  355. data/lib/resources/postgres_conf.rb +122 -122
  356. data/lib/resources/postgres_hba_conf.rb +101 -101
  357. data/lib/resources/postgres_ident_conf.rb +79 -79
  358. data/lib/resources/postgres_session.rb +72 -72
  359. data/lib/resources/powershell.rb +58 -58
  360. data/lib/resources/processes.rb +204 -204
  361. data/lib/resources/rabbitmq_conf.rb +53 -53
  362. data/lib/resources/registry_key.rb +296 -296
  363. data/lib/resources/security_policy.rb +181 -181
  364. data/lib/resources/service.rb +784 -784
  365. data/lib/resources/shadow.rb +141 -141
  366. data/lib/resources/ssh_conf.rb +102 -102
  367. data/lib/resources/ssl.rb +99 -99
  368. data/lib/resources/sys_info.rb +26 -26
  369. data/lib/resources/toml.rb +32 -32
  370. data/lib/resources/users.rb +652 -652
  371. data/lib/resources/vbscript.rb +70 -70
  372. data/lib/resources/virtualization.rb +251 -251
  373. data/lib/resources/windows_feature.rb +85 -85
  374. data/lib/resources/windows_hotfix.rb +35 -35
  375. data/lib/resources/windows_task.rb +106 -106
  376. data/lib/resources/wmi.rb +114 -114
  377. data/lib/resources/x509_certificate.rb +143 -143
  378. data/lib/resources/xinetd.rb +112 -112
  379. data/lib/resources/xml.rb +45 -45
  380. data/lib/resources/yaml.rb +45 -45
  381. data/lib/resources/yum.rb +181 -181
  382. data/lib/resources/zfs_dataset.rb +60 -60
  383. data/lib/resources/zfs_pool.rb +49 -49
  384. data/lib/source_readers/flat.rb +39 -39
  385. data/lib/source_readers/inspec.rb +75 -75
  386. data/lib/utils/command_wrapper.rb +27 -27
  387. data/lib/utils/convert.rb +12 -12
  388. data/lib/utils/database_helpers.rb +77 -77
  389. data/lib/utils/erlang_parser.rb +192 -192
  390. data/lib/utils/filter.rb +272 -272
  391. data/lib/utils/filter_array.rb +27 -27
  392. data/lib/utils/find_files.rb +44 -44
  393. data/lib/utils/hash.rb +41 -41
  394. data/lib/utils/json_log.rb +18 -18
  395. data/lib/utils/latest_version.rb +22 -22
  396. data/lib/utils/modulator.rb +12 -12
  397. data/lib/utils/nginx_parser.rb +85 -85
  398. data/lib/utils/object_traversal.rb +49 -49
  399. data/lib/utils/parser.rb +274 -274
  400. data/lib/utils/plugin_registry.rb +93 -93
  401. data/lib/utils/simpleconfig.rb +132 -132
  402. data/lib/utils/spdx.rb +13 -13
  403. data/lib/utils/spdx.txt +343 -343
  404. metadata +2 -2
@@ -1,150 +1,150 @@
1
- ---
2
- title: The x509_certificate Resource
3
- ---
4
-
5
- # x509_certificate
6
-
7
- Use the `x509_certificate` InSpec audit resource to test the fields and validity of an x.509 certificate.
8
-
9
- X.509 certificates use public/private key pairs to sign and encrypt documents
10
- or communications over a network. They may also be used for authentication.
11
-
12
- Examples include SSL certificates, S/MIME certificates and VPN authentication
13
- certificates.
14
-
15
- <br>
16
-
17
- ## Syntax
18
-
19
- An `x509_certificate` resource block declares a certificate `key file` to be tested.
20
-
21
- describe x509_certificate('mycertificate.pem') do
22
- its('validity_in_days') { should be > 30 }
23
- end
24
-
25
- <br>
26
-
27
- ## Supported Properties
28
-
29
- ### subject.XX
30
-
31
- `subject` property makes it easier to access individual subject elements.
32
-
33
- describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
34
- its('subject.CN') { should eq "www.mywebsite.com" }
35
- end
36
-
37
- ### subject_dn (String)
38
-
39
- The `subject_dn` string returns the distinguished name of the subject field. It contains several fields separated by forward slashes. The field identifiers are the same ones used by OpenSSL to generate CSR's and certs. Use `subject.XX` instead to access the parsed version.
40
-
41
- e.g. `/C=US/L=Seattle/O=Chef Software Inc/OU=Chefs/CN=Richard Nixon`
42
-
43
- describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
44
- its('subject_dn') { should match "CN=www.mywebsite.com" }
45
- end
46
-
47
- ### issuer.XX
48
-
49
- `issuer` makes it easier to access individual issuer elements.
50
-
51
- describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
52
- its('issuer.CN') { should eq "Acme Trust CA" }
53
- end
54
-
55
- ### issuer_dn (String)
56
-
57
- The `issuer_dn` is the distinguished name from a CA (certificate authority) during the
58
- certificate signing process. It describes which authority is guaranteeing the
59
- identity of our certificate.
60
-
61
- e.g. `/C=US/L=Seattle/CN=Acme Trust CA/emailAddress=support@acmetrust.org`
62
-
63
- describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
64
- its('issuer_cn') { should match "CN=Acme Trust CA" }
65
- end
66
-
67
- ### public_key (String)
68
-
69
- The `public_key` property returns a base64 encoded public key in PEM format.
70
-
71
- describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
72
- its('public_key') { should match "-----BEGIN PUBLIC KEY-----\nblah blah blah..." }
73
- end
74
-
75
- ### key_length (Integer)
76
-
77
- The `key_length` property calculates the number of bits in the public key.
78
- More bits increase security, but at the cost of speed and in extreme cases, compatibility.
79
-
80
- describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
81
- its('key_length') { should be 2048 }
82
- end
83
-
84
- ### signature_algorithm (String)
85
-
86
- The `signature_algorithm` property describes which hash function was used by the CA to
87
- sign the certificate.
88
-
89
- describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
90
- its('signature_algorithm') { should be 'sha256WithRSAEncryption' }
91
- end
92
-
93
-
94
- ### validity_in_days (Float)
95
-
96
- The `validity_in_days` property can be used to check that certificates are not in
97
- danger of expiring soon.
98
-
99
- describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
100
- its('validity_in_days') { should be > 30 }
101
- end
102
-
103
- ### not_before and not_after (Time)
104
-
105
- The `not_before` and `not_after` properties expose the start and end dates of certificate
106
- validity. They are exposed as ruby Time class so that date arithmetic can be easily performed.
107
-
108
- describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
109
- its('not_before') { should be <= Time.utc.now }
110
- its('not_after') { should be >= Time.utc.now }
111
- end
112
-
113
- ### serial (Integer)
114
-
115
- The `serial` property exposes the serial number of the certificate. The serial number is set by the CA during the signing process and should be unique within that CA.
116
-
117
- describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
118
- its('serial') { should eq 9623283588743302433 }
119
- end
120
-
121
- ### version (Integer)
122
-
123
- The `version` property exposes the certificate version.
124
-
125
- describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
126
- its('version') { should eq 2 }
127
- end
128
-
129
- ### extensions (Hash)
130
-
131
- The `extensions` hash property is mainly used to determine what the certificate can be used for.
132
-
133
- describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
134
- # Check what extension categories we have
135
- its('extensions') { should include 'keyUsage' }
136
- its('extensions') { should include 'extendedKeyUsage' }
137
- its('extensions') { should include 'subjectAltName' }
138
-
139
- # Check examples of basic 'keyUsage'
140
- its('extensions.keyUsage') { should include 'Digital Signature' }
141
- its('extensions.keyUsage') { should include 'Non Repudiation' }
142
- its('extensions.keyUsage') { should include 'Data Encipherment' }
143
-
144
- # Check examples of newer 'extendedKeyUsage'
145
- its('extensions.extendedKeyUsage') { should include 'TLS Web Server Authentication' }
146
- its('extensions.extendedKeyUsage') { should include 'Code Signing' }
147
-
148
- # Check examples of 'subjectAltName'
149
- its('extensions.subjectAltName') { should include 'email:support@chef.io' }
150
- end
1
+ ---
2
+ title: The x509_certificate Resource
3
+ ---
4
+
5
+ # x509_certificate
6
+
7
+ Use the `x509_certificate` InSpec audit resource to test the fields and validity of an x.509 certificate.
8
+
9
+ X.509 certificates use public/private key pairs to sign and encrypt documents
10
+ or communications over a network. They may also be used for authentication.
11
+
12
+ Examples include SSL certificates, S/MIME certificates and VPN authentication
13
+ certificates.
14
+
15
+ <br>
16
+
17
+ ## Syntax
18
+
19
+ An `x509_certificate` resource block declares a certificate `key file` to be tested.
20
+
21
+ describe x509_certificate('mycertificate.pem') do
22
+ its('validity_in_days') { should be > 30 }
23
+ end
24
+
25
+ <br>
26
+
27
+ ## Supported Properties
28
+
29
+ ### subject.XX
30
+
31
+ `subject` property makes it easier to access individual subject elements.
32
+
33
+ describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
34
+ its('subject.CN') { should eq "www.mywebsite.com" }
35
+ end
36
+
37
+ ### subject_dn (String)
38
+
39
+ The `subject_dn` string returns the distinguished name of the subject field. It contains several fields separated by forward slashes. The field identifiers are the same ones used by OpenSSL to generate CSR's and certs. Use `subject.XX` instead to access the parsed version.
40
+
41
+ e.g. `/C=US/L=Seattle/O=Chef Software Inc/OU=Chefs/CN=Richard Nixon`
42
+
43
+ describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
44
+ its('subject_dn') { should match "CN=www.mywebsite.com" }
45
+ end
46
+
47
+ ### issuer.XX
48
+
49
+ `issuer` makes it easier to access individual issuer elements.
50
+
51
+ describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
52
+ its('issuer.CN') { should eq "Acme Trust CA" }
53
+ end
54
+
55
+ ### issuer_dn (String)
56
+
57
+ The `issuer_dn` is the distinguished name from a CA (certificate authority) during the
58
+ certificate signing process. It describes which authority is guaranteeing the
59
+ identity of our certificate.
60
+
61
+ e.g. `/C=US/L=Seattle/CN=Acme Trust CA/emailAddress=support@acmetrust.org`
62
+
63
+ describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
64
+ its('issuer_cn') { should match "CN=Acme Trust CA" }
65
+ end
66
+
67
+ ### public_key (String)
68
+
69
+ The `public_key` property returns a base64 encoded public key in PEM format.
70
+
71
+ describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
72
+ its('public_key') { should match "-----BEGIN PUBLIC KEY-----\nblah blah blah..." }
73
+ end
74
+
75
+ ### key_length (Integer)
76
+
77
+ The `key_length` property calculates the number of bits in the public key.
78
+ More bits increase security, but at the cost of speed and in extreme cases, compatibility.
79
+
80
+ describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
81
+ its('key_length') { should be 2048 }
82
+ end
83
+
84
+ ### signature_algorithm (String)
85
+
86
+ The `signature_algorithm` property describes which hash function was used by the CA to
87
+ sign the certificate.
88
+
89
+ describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
90
+ its('signature_algorithm') { should be 'sha256WithRSAEncryption' }
91
+ end
92
+
93
+
94
+ ### validity_in_days (Float)
95
+
96
+ The `validity_in_days` property can be used to check that certificates are not in
97
+ danger of expiring soon.
98
+
99
+ describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
100
+ its('validity_in_days') { should be > 30 }
101
+ end
102
+
103
+ ### not_before and not_after (Time)
104
+
105
+ The `not_before` and `not_after` properties expose the start and end dates of certificate
106
+ validity. They are exposed as ruby Time class so that date arithmetic can be easily performed.
107
+
108
+ describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
109
+ its('not_before') { should be <= Time.utc.now }
110
+ its('not_after') { should be >= Time.utc.now }
111
+ end
112
+
113
+ ### serial (Integer)
114
+
115
+ The `serial` property exposes the serial number of the certificate. The serial number is set by the CA during the signing process and should be unique within that CA.
116
+
117
+ describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
118
+ its('serial') { should eq 9623283588743302433 }
119
+ end
120
+
121
+ ### version (Integer)
122
+
123
+ The `version` property exposes the certificate version.
124
+
125
+ describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
126
+ its('version') { should eq 2 }
127
+ end
128
+
129
+ ### extensions (Hash)
130
+
131
+ The `extensions` hash property is mainly used to determine what the certificate can be used for.
132
+
133
+ describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
134
+ # Check what extension categories we have
135
+ its('extensions') { should include 'keyUsage' }
136
+ its('extensions') { should include 'extendedKeyUsage' }
137
+ its('extensions') { should include 'subjectAltName' }
138
+
139
+ # Check examples of basic 'keyUsage'
140
+ its('extensions.keyUsage') { should include 'Digital Signature' }
141
+ its('extensions.keyUsage') { should include 'Non Repudiation' }
142
+ its('extensions.keyUsage') { should include 'Data Encipherment' }
143
+
144
+ # Check examples of newer 'extendedKeyUsage'
145
+ its('extensions.extendedKeyUsage') { should include 'TLS Web Server Authentication' }
146
+ its('extensions.extendedKeyUsage') { should include 'Code Signing' }
147
+
148
+ # Check examples of 'subjectAltName'
149
+ its('extensions.subjectAltName') { should include 'email:support@chef.io' }
150
+ end
@@ -1,155 +1,155 @@
1
- ---
2
- title: About the xinetd_conf Resource
3
- ---
4
-
5
- # xinetd_conf
6
-
7
- Use the `xinetd_conf` InSpec audit resource to test services under `/etc/xinet.d` on Linux and Unix platforms. xinetd---the extended Internet service daemon---listens on all ports, and then loads the appropriate program based on a request. The `xinetd.conf` file is typically located at `/etc/xinetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
8
-
9
- <br>
10
-
11
- ## Syntax
12
-
13
- An `xinetd_conf` resource block declares settings found in a `xinetd.conf` file for the named service:
14
-
15
- describe xinetd_conf('service_name') do
16
- it { should be_enabled } # or be_disabled
17
- its('setting') { should eq 'value' }
18
- end
19
-
20
- where
21
-
22
- * `'service_name'` is a service located under `/etc/xinet.d`
23
- * `('setting')` is a setting in the `xinetd.conf` file
24
- * `should eq 'value'` is the value that is expected
25
-
26
- <br>
27
-
28
- ## Examples
29
-
30
- The following examples show how to use this InSpec audit resource.
31
-
32
- ### Test a socket_type
33
-
34
- The network socket type: `dgram` (a datagram-based service), `raw` (a service that requires direct access to an IP address), `stream` (a stream-based service), or `seqpacket` (a service that requires a sequenced packet).
35
-
36
- describe xinetd_conf.services('service_name') do
37
- its('socket_types') { should include 'dgram' }
38
- end
39
-
40
- ### Test a service type
41
-
42
- The type of service: `INTERNAL` (a service provided by xinetd), `RPC` (an RPC-based service), `TCPMUX` (a service that is started on a well-known TPCMUX port), or `UNLISTED` (a service that is not listed in a standard system file location).
43
-
44
- describe xinetd_conf.services('service_name') do
45
- its('type') { should include 'RPC' }
46
- end
47
-
48
- ### Test the telnet service
49
-
50
- For example, a `telnet` file under `/etc/xinet.d` contains the following settings:
51
-
52
- service telnet
53
- {
54
- disable = yes
55
- flags = REUSE
56
- socket_type = stream
57
- wait = no
58
- user = root
59
- server = /usr/sbin/in.telnetd
60
- log_on_failure += USERID
61
- }
62
-
63
- Some examples of tests that can be run against that file include:
64
-
65
- describe xinetd_conf.services('telnet') do
66
- it { should be_disabled }
67
- end
68
-
69
- and
70
-
71
- describe xinetd_conf.services('telnet') do
72
- its('socket_type') { should include 'stream' }
73
- end
74
-
75
- and
76
-
77
- describe xinetd_conf.services('telnet') do
78
- its('wait') { should eq 'no' }
79
- end
80
-
81
- All three settings can be tested in the same block as well:
82
-
83
- describe xinetd_conf.services('telnet') do
84
- it { should be_disabled }
85
- its('socket_type') { should include 'stream' }
86
- its('wait') { should eq 'no' }
87
- end
88
-
89
- <br>
90
-
91
- ## Matchers
92
-
93
- For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
94
-
95
- ### be_enabed
96
-
97
- The `be_enabled` matcher tests if a service listed under `/etc/xinet.d` is enabled:
98
-
99
- it { should be_enabled }
100
-
101
- ### ids
102
-
103
- The `ids` matcher tests if the named service is located under `/etc/xinet.d`:
104
-
105
- its('ids') { should include 'service_name' }
106
-
107
- For example:
108
-
109
- its('ids') { should include 'chargen-stream chargen-dgram'}
110
-
111
- ### services
112
-
113
- The `services` matcher tests if the named service is listed under `/etc/xinet.d`:
114
-
115
- its('services') { should include 'service_name' }
116
-
117
- ### socket_types
118
-
119
- The `socket_types` matcher tests if a service listed under `/etc/xinet.d` is configured to use the named socket type:
120
-
121
- its('socket_types') { should eq 'socket' }
122
-
123
- where `socket` is one of `dgram`, `raw`, or `stream`. For a UDP-based service:
124
-
125
- its('socket_types') { should eq 'dgram' }
126
-
127
- For a raw socket (such as a service using a non-standard protocol or a service that requires direct access to IP):
128
-
129
- its('socket_types') { should eq 'raw' }
130
-
131
- For a TCP-based service:
132
-
133
- its('socket_types') { should eq 'stream' }
134
-
135
- ### types
136
-
137
- The `types` matcher tests the service type:
138
-
139
- its('type') { should eq 'TYPE' }
140
-
141
- where `'TYPE'` is `INTERNAL` (for a service provided by xinetd), `RPC` (for a service based on remote procedure call), or `UNLISTED` (for services not under `/etc/services` or `/etc/rpc`).
142
-
143
- ### wait
144
-
145
- The `wait` matcher tests how a service handles incoming connections.
146
-
147
- For UDP (`dgram`) socket types the `wait` matcher should test for `yes`:
148
-
149
- its('socket_types') { should eq 'dgram' }
150
- its('wait') { should eq 'yes' }
151
-
152
- For TCP (`stream`) socket types the `wait` matcher should test for `no`:
153
-
154
- its('socket_types') { should eq 'stream' }
155
- its('wait') { should eq 'no' }
1
+ ---
2
+ title: About the xinetd_conf Resource
3
+ ---
4
+
5
+ # xinetd_conf
6
+
7
+ Use the `xinetd_conf` InSpec audit resource to test services under `/etc/xinet.d` on Linux and Unix platforms. xinetd---the extended Internet service daemon---listens on all ports, and then loads the appropriate program based on a request. The `xinetd.conf` file is typically located at `/etc/xinetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
8
+
9
+ <br>
10
+
11
+ ## Syntax
12
+
13
+ An `xinetd_conf` resource block declares settings found in a `xinetd.conf` file for the named service:
14
+
15
+ describe xinetd_conf('service_name') do
16
+ it { should be_enabled } # or be_disabled
17
+ its('setting') { should eq 'value' }
18
+ end
19
+
20
+ where
21
+
22
+ * `'service_name'` is a service located under `/etc/xinet.d`
23
+ * `('setting')` is a setting in the `xinetd.conf` file
24
+ * `should eq 'value'` is the value that is expected
25
+
26
+ <br>
27
+
28
+ ## Examples
29
+
30
+ The following examples show how to use this InSpec audit resource.
31
+
32
+ ### Test a socket_type
33
+
34
+ The network socket type: `dgram` (a datagram-based service), `raw` (a service that requires direct access to an IP address), `stream` (a stream-based service), or `seqpacket` (a service that requires a sequenced packet).
35
+
36
+ describe xinetd_conf.services('service_name') do
37
+ its('socket_types') { should include 'dgram' }
38
+ end
39
+
40
+ ### Test a service type
41
+
42
+ The type of service: `INTERNAL` (a service provided by xinetd), `RPC` (an RPC-based service), `TCPMUX` (a service that is started on a well-known TPCMUX port), or `UNLISTED` (a service that is not listed in a standard system file location).
43
+
44
+ describe xinetd_conf.services('service_name') do
45
+ its('type') { should include 'RPC' }
46
+ end
47
+
48
+ ### Test the telnet service
49
+
50
+ For example, a `telnet` file under `/etc/xinet.d` contains the following settings:
51
+
52
+ service telnet
53
+ {
54
+ disable = yes
55
+ flags = REUSE
56
+ socket_type = stream
57
+ wait = no
58
+ user = root
59
+ server = /usr/sbin/in.telnetd
60
+ log_on_failure += USERID
61
+ }
62
+
63
+ Some examples of tests that can be run against that file include:
64
+
65
+ describe xinetd_conf.services('telnet') do
66
+ it { should be_disabled }
67
+ end
68
+
69
+ and
70
+
71
+ describe xinetd_conf.services('telnet') do
72
+ its('socket_type') { should include 'stream' }
73
+ end
74
+
75
+ and
76
+
77
+ describe xinetd_conf.services('telnet') do
78
+ its('wait') { should eq 'no' }
79
+ end
80
+
81
+ All three settings can be tested in the same block as well:
82
+
83
+ describe xinetd_conf.services('telnet') do
84
+ it { should be_disabled }
85
+ its('socket_type') { should include 'stream' }
86
+ its('wait') { should eq 'no' }
87
+ end
88
+
89
+ <br>
90
+
91
+ ## Matchers
92
+
93
+ For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
94
+
95
+ ### be_enabed
96
+
97
+ The `be_enabled` matcher tests if a service listed under `/etc/xinet.d` is enabled:
98
+
99
+ it { should be_enabled }
100
+
101
+ ### ids
102
+
103
+ The `ids` matcher tests if the named service is located under `/etc/xinet.d`:
104
+
105
+ its('ids') { should include 'service_name' }
106
+
107
+ For example:
108
+
109
+ its('ids') { should include 'chargen-stream chargen-dgram'}
110
+
111
+ ### services
112
+
113
+ The `services` matcher tests if the named service is listed under `/etc/xinet.d`:
114
+
115
+ its('services') { should include 'service_name' }
116
+
117
+ ### socket_types
118
+
119
+ The `socket_types` matcher tests if a service listed under `/etc/xinet.d` is configured to use the named socket type:
120
+
121
+ its('socket_types') { should eq 'socket' }
122
+
123
+ where `socket` is one of `dgram`, `raw`, or `stream`. For a UDP-based service:
124
+
125
+ its('socket_types') { should eq 'dgram' }
126
+
127
+ For a raw socket (such as a service using a non-standard protocol or a service that requires direct access to IP):
128
+
129
+ its('socket_types') { should eq 'raw' }
130
+
131
+ For a TCP-based service:
132
+
133
+ its('socket_types') { should eq 'stream' }
134
+
135
+ ### types
136
+
137
+ The `types` matcher tests the service type:
138
+
139
+ its('type') { should eq 'TYPE' }
140
+
141
+ where `'TYPE'` is `INTERNAL` (for a service provided by xinetd), `RPC` (for a service based on remote procedure call), or `UNLISTED` (for services not under `/etc/services` or `/etc/rpc`).
142
+
143
+ ### wait
144
+
145
+ The `wait` matcher tests how a service handles incoming connections.
146
+
147
+ For UDP (`dgram`) socket types the `wait` matcher should test for `yes`:
148
+
149
+ its('socket_types') { should eq 'dgram' }
150
+ its('wait') { should eq 'yes' }
151
+
152
+ For TCP (`stream`) socket types the `wait` matcher should test for `no`:
153
+
154
+ its('socket_types') { should eq 'stream' }
155
+ its('wait') { should eq 'no' }