inspec 2.0.32 → 2.0.45

data/docs/resources/ssh_config.md.erb

@@ -1,80 +1,80 @@
----
-title: About the ssh_config Resource
-platform: linux
----
-
-# ssh_config
-
-Use the `ssh_config` InSpec audit resource to test OpenSSH client configuration data located at `/etc/ssh/ssh_config` on Linux and Unix platforms.
-
-<br>
-
-## Syntax
-
-An `ssh_config` resource block declares the client OpenSSH configuration data to be tested:
-
-    describe ssh_config('path') do
-      its('name') { should include('foo') }
-    end
-
-where
-
-* `name` is a configuration setting in `ssh_config`
-* `('path')` is the non-default `/path/to/ssh_config`
-* `{ should include('foo') }` tests the value of `name` as read from `ssh_config` versus the value declared in the test
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Test SSH configuration settings
-
-    describe ssh_config do
-      its('cipher') { should contain '3des' }
-      its('port') { should eq '22' }
-      its('hostname') { should include('example.com') }
-    end
-
-### Test which variables from the local environment are sent to the server
-
-    only_if do
-      command('sshd').exist? or command('ssh').exists?
-    end
-
-    describe ssh_config do
-      its('SendEnv') { should include('GORDON_CLIENT') }
-    end
-
-### Test owner and group permissions
-
-    describe ssh_config do
-      its('owner') { should eq 'root' }
-      its('mode') { should cmp '0644' }
-    end
-
-### Test SSH configuration
-
-    describe ssh_config do
-      its('Host') { should eq '*' }
-      its('Tunnel') { should eq nil }
-      its('SendEnv') { should eq 'LANG LC_*' }
-      its('HashKnownHosts') { should eq 'yes' }
-    end
-
-<br>
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### name
-
-The `name` matcher tests the value of `name` as read from `ssh_config` versus the value declared in the test:
-
-    its('name') { should eq 'foo' }
-
-or:
-
-    its('name') { should include('bar') }
+---
+title: About the ssh_config Resource
+platform: linux
+---
+
+# ssh_config
+
+Use the `ssh_config` InSpec audit resource to test OpenSSH client configuration data located at `/etc/ssh/ssh_config` on Linux and Unix platforms.
+
+<br>
+
+## Syntax
+
+An `ssh_config` resource block declares the client OpenSSH configuration data to be tested:
+
+    describe ssh_config('path') do
+      its('name') { should include('foo') }
+    end
+
+where
+
+* `name` is a configuration setting in `ssh_config`
+* `('path')` is the non-default `/path/to/ssh_config`
+* `{ should include('foo') }` tests the value of `name` as read from `ssh_config` versus the value declared in the test
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test SSH configuration settings
+
+    describe ssh_config do
+      its('cipher') { should contain '3des' }
+      its('port') { should eq '22' }
+      its('hostname') { should include('example.com') }
+    end
+
+### Test which variables from the local environment are sent to the server
+
+    only_if do
+      command('sshd').exist? or command('ssh').exists?
+    end
+
+    describe ssh_config do
+      its('SendEnv') { should include('GORDON_CLIENT') }
+    end
+
+### Test owner and group permissions
+
+    describe ssh_config do
+      its('owner') { should eq 'root' }
+      its('mode') { should cmp '0644' }
+    end
+
+### Test SSH configuration
+
+    describe ssh_config do
+      its('Host') { should eq '*' }
+      its('Tunnel') { should eq nil }
+      its('SendEnv') { should eq 'LANG LC_*' }
+      its('HashKnownHosts') { should eq 'yes' }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### name
+
+The `name` matcher tests the value of `name` as read from `ssh_config` versus the value declared in the test:
+
+    its('name') { should eq 'foo' }
+
+or:
+
+    its('name') { should include('bar') }

data/docs/resources/sshd_config.md.erb

@@ -1,83 +1,83 @@
----
-title: About the sshd_config Resource
-platform: linux
----
-
-# sshd_config
-
-Use the `sshd_config` InSpec audit resource to test configuration data for the OpenSSH daemon located at `/etc/ssh/sshd_config` on Linux and Unix platforms. sshd---the OpenSSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges.
-
-<br>
-
-## Syntax
-
-An `sshd_config` resource block declares the client OpenSSH configuration data to be tested:
-
-    describe sshd_config('path') do
-      its('name') { should include('foo') }
-    end
-
-where
-
-* `name` is a configuration setting in `sshd_config`
-* `('path')` is the non-default `/path/to/sshd_config`
-* `{ should include('foo') }` tests the value of `name` as read from `sshd_config` versus the value declared in the test
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Test which variables may be sent to the server
-
-    describe sshd_config do
-      its('AcceptEnv') { should include('GORDON_SERVER') }
-    end
-
-### Test for IPv6-only addresses
-
-    describe sshd_config do
-      its('AddressFamily') { should cmp 'inet6' }
-    end
-
-### Test the Protocol setting
-
-    describe sshd_config do
-      its('Protocol') { should cmp 2 }
-    end
-
-### Test for approved, strong ciphers
-
-    describe sshd_config do
-      its('Ciphers') { should cmp('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
-    end
-
-### Test SSH protocols
-
-    describe sshd_config do
-      its('Port') { should cmp  22 }
-      its('UsePAM') { should eq 'yes' }
-      its('ListenAddress') { should eq nil }
-      its('HostKey') { should eq [
-          '/etc/ssh/ssh_host_rsa_key',
-          '/etc/ssh/ssh_host_dsa_key',
-          '/etc/ssh/ssh_host_ecdsa_key',
-        ] }
-    end
-
-<br>
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### name
-
-The `name` matcher tests the value of `name` as read from `sshd_config` versus the value declared in the test:
-
-    its('name') { should cmp 'foo' }
-
-or:
-
-    its('name') {should include('bar') }
+---
+title: About the sshd_config Resource
+platform: linux
+---
+
+# sshd_config
+
+Use the `sshd_config` InSpec audit resource to test configuration data for the OpenSSH daemon located at `/etc/ssh/sshd_config` on Linux and Unix platforms. sshd---the OpenSSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges.
+
+<br>
+
+## Syntax
+
+An `sshd_config` resource block declares the client OpenSSH configuration data to be tested:
+
+    describe sshd_config('path') do
+      its('name') { should include('foo') }
+    end
+
+where
+
+* `name` is a configuration setting in `sshd_config`
+* `('path')` is the non-default `/path/to/sshd_config`
+* `{ should include('foo') }` tests the value of `name` as read from `sshd_config` versus the value declared in the test
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test which variables may be sent to the server
+
+    describe sshd_config do
+      its('AcceptEnv') { should include('GORDON_SERVER') }
+    end
+
+### Test for IPv6-only addresses
+
+    describe sshd_config do
+      its('AddressFamily') { should cmp 'inet6' }
+    end
+
+### Test the Protocol setting
+
+    describe sshd_config do
+      its('Protocol') { should cmp 2 }
+    end
+
+### Test for approved, strong ciphers
+
+    describe sshd_config do
+      its('Ciphers') { should cmp('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
+    end
+
+### Test SSH protocols
+
+    describe sshd_config do
+      its('Port') { should cmp  22 }
+      its('UsePAM') { should eq 'yes' }
+      its('ListenAddress') { should eq nil }
+      its('HostKey') { should eq [
+          '/etc/ssh/ssh_host_rsa_key',
+          '/etc/ssh/ssh_host_dsa_key',
+          '/etc/ssh/ssh_host_ecdsa_key',
+        ] }
+    end
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### name
+
+The `name` matcher tests the value of `name` as read from `sshd_config` versus the value declared in the test:
+
+    its('name') { should cmp 'foo' }
+
+or:
+
+    its('name') {should include('bar') }

data/docs/resources/ssl.md.erb

@@ -1,119 +1,119 @@
----
-title: About the ssl Resource
-platform: os
----
-
-# ssl
-
-Use the `ssl` InSpec audit resource to test SSL settings for the named port.
-
-<br>
-
-## Syntax
-
-An `ssl` resource block declares an SSL port, and then other properties of the test like cipher and/or protocol:
-
-    describe ssl(port: #) do
-      it { should be_enabled }
-    end
-
-or:
-
-    describe ssl(port: #).filter('value') do
-      it { should be_enabled }
-    end
-
-where
-
-* `ssl(port: #)` is the port number, such as `ssl(port: 443)`
-* `filter` may take any of the following arguments: `ciphers`, `protocols`, and `handshake`
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Run the ssl-benchmark example profile
-
-The following shows how to use the `ssl` InSpec audit resource to find all TCP ports on the system, including IPv4 and IPv6. (This is a partial example based on the `ssl_text.rb` file in the `ssl-benchmark` profile on GitHub.)
-
-    ...
-
-    control 'tls1.2' do
-      title 'Run TLS 1.2 whenever SSL is active on a port'
-      impact 0.5
-
-      sslports.each do |socket|
-        proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"
-        describe ssl(port: socket.port).protocols('tls1.2') do
-          it(proc_desc) { should be_enabled }
-          it { should be_enabled }
-        end
-      end
-    end
-
-    ...
-
-    control 'rc4' do
-      title 'Disable RC4 ciphers from all exposed SSL/TLS ports and versions.'
-      impact 0.5
-
-      sslports.each do |socket|
-        proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"
-        describe ssl(port: socket.port).ciphers(/rc4/i) do
-          it(proc_desc) { should_not be_enabled }
-          it { should_not be_enabled }
-        end
-      end
-    end
-
-There are two ways to run the `ssl-benchmark` example profile to test SSL via the `ssl` resource.
-
-Clone the profile:
-
-    $ git clone https://github.com/dev-sec/ssl-benchmark
-
-and then run:
-
-    $ inspec exec ssl-benchmark
-
-Or execute the profile directly via URL:
-
-    $ inspec exec https://github.com/dev-sec/ssl-benchmark
-
-<br>
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### be_enabled
-
-The `be_enabled` matcher tests if SSL is enabled:
-
-    it { should be_enabled }
-
-### ciphers
-
-The `ciphers` matcher tests the named cipher:
-
-    its('ciphers') { should_not eq '/rc4/i' }
-
-or:
-
-    describe ssl(port: 443).ciphers(/rc4/i) do
-      it { should_not be_enabled }
-    end
-
-### protocols
-
-The `protocols` matcher tests what protocol versions (SSLv3, TLSv1.1, etc) are enabled:
-
-    its('protocols') { should eq 'ssl2' }
-
-or:
-
-    describe ssl(port: 443).protocols('ssl2') do
-      it { should_not be_enabled }
-    end
+---
+title: About the ssl Resource
+platform: os
+---
+
+# ssl
+
+Use the `ssl` InSpec audit resource to test SSL settings for the named port.
+
+<br>
+
+## Syntax
+
+An `ssl` resource block declares an SSL port, and then other properties of the test like cipher and/or protocol:
+
+    describe ssl(port: #) do
+      it { should be_enabled }
+    end
+
+or:
+
+    describe ssl(port: #).filter('value') do
+      it { should be_enabled }
+    end
+
+where
+
+* `ssl(port: #)` is the port number, such as `ssl(port: 443)`
+* `filter` may take any of the following arguments: `ciphers`, `protocols`, and `handshake`
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Run the ssl-benchmark example profile
+
+The following shows how to use the `ssl` InSpec audit resource to find all TCP ports on the system, including IPv4 and IPv6. (This is a partial example based on the `ssl_text.rb` file in the `ssl-benchmark` profile on GitHub.)
+
+    ...
+
+    control 'tls1.2' do
+      title 'Run TLS 1.2 whenever SSL is active on a port'
+      impact 0.5
+
+      sslports.each do |socket|
+        proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"
+        describe ssl(port: socket.port).protocols('tls1.2') do
+          it(proc_desc) { should be_enabled }
+          it { should be_enabled }
+        end
+      end
+    end
+
+    ...
+
+    control 'rc4' do
+      title 'Disable RC4 ciphers from all exposed SSL/TLS ports and versions.'
+      impact 0.5
+
+      sslports.each do |socket|
+        proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"
+        describe ssl(port: socket.port).ciphers(/rc4/i) do
+          it(proc_desc) { should_not be_enabled }
+          it { should_not be_enabled }
+        end
+      end
+    end
+
+There are two ways to run the `ssl-benchmark` example profile to test SSL via the `ssl` resource.
+
+Clone the profile:
+
+    $ git clone https://github.com/dev-sec/ssl-benchmark
+
+and then run:
+
+    $ inspec exec ssl-benchmark
+
+Or execute the profile directly via URL:
+
+    $ inspec exec https://github.com/dev-sec/ssl-benchmark
+
+<br>
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### be_enabled
+
+The `be_enabled` matcher tests if SSL is enabled:
+
+    it { should be_enabled }
+
+### ciphers
+
+The `ciphers` matcher tests the named cipher:
+
+    its('ciphers') { should_not eq '/rc4/i' }
+
+or:
+
+    describe ssl(port: 443).ciphers(/rc4/i) do
+      it { should_not be_enabled }
+    end
+
+### protocols
+
+The `protocols` matcher tests what protocol versions (SSLv3, TLSv1.1, etc) are enabled:
+
+    its('protocols') { should eq 'ssl2' }
+
+or:
+
+    describe ssl(port: 443).protocols('ssl2') do
+      it { should_not be_enabled }
+    end