inspec 2.1.80 → 2.1.81

Sign up to get free protection for your applications and to get access to all the features.
Files changed (510) hide show
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +101 -101
  3. data/CHANGELOG.md +3177 -3172
  4. data/Gemfile +56 -56
  5. data/LICENSE +14 -14
  6. data/MAINTAINERS.md +33 -33
  7. data/MAINTAINERS.toml +52 -52
  8. data/README.md +453 -453
  9. data/Rakefile +349 -349
  10. data/bin/inspec +12 -12
  11. data/docs/.gitignore +2 -2
  12. data/docs/README.md +40 -40
  13. data/docs/dev/control-eval.md +61 -61
  14. data/docs/dsl_inspec.md +258 -258
  15. data/docs/dsl_resource.md +100 -100
  16. data/docs/glossary.md +99 -99
  17. data/docs/habitat.md +191 -191
  18. data/docs/inspec_and_friends.md +114 -114
  19. data/docs/matchers.md +169 -169
  20. data/docs/migration.md +293 -293
  21. data/docs/platforms.md +118 -118
  22. data/docs/plugin_kitchen_inspec.md +50 -50
  23. data/docs/profiles.md +378 -378
  24. data/docs/reporters.md +105 -105
  25. data/docs/resources/aide_conf.md.erb +75 -75
  26. data/docs/resources/apache.md.erb +67 -67
  27. data/docs/resources/apache_conf.md.erb +68 -68
  28. data/docs/resources/apt.md.erb +71 -71
  29. data/docs/resources/audit_policy.md.erb +47 -47
  30. data/docs/resources/auditd.md.erb +79 -79
  31. data/docs/resources/auditd_conf.md.erb +68 -68
  32. data/docs/resources/aws_cloudtrail_trail.md.erb +155 -155
  33. data/docs/resources/aws_cloudtrail_trails.md.erb +86 -86
  34. data/docs/resources/aws_cloudwatch_alarm.md.erb +91 -91
  35. data/docs/resources/aws_cloudwatch_log_metric_filter.md.erb +154 -154
  36. data/docs/resources/aws_config_delivery_channel.md.erb +101 -101
  37. data/docs/resources/aws_config_recorder.md.erb +86 -86
  38. data/docs/resources/aws_ec2_instance.md.erb +112 -112
  39. data/docs/resources/aws_ec2_instances.md.erb +79 -79
  40. data/docs/resources/aws_iam_access_key.md.erb +129 -129
  41. data/docs/resources/aws_iam_access_keys.md.erb +204 -204
  42. data/docs/resources/aws_iam_group.md.erb +64 -64
  43. data/docs/resources/aws_iam_groups.md.erb +49 -49
  44. data/docs/resources/aws_iam_password_policy.md.erb +82 -82
  45. data/docs/resources/aws_iam_policies.md.erb +87 -87
  46. data/docs/resources/aws_iam_policy.md.erb +245 -245
  47. data/docs/resources/aws_iam_role.md.erb +69 -69
  48. data/docs/resources/aws_iam_root_user.md.erb +76 -76
  49. data/docs/resources/aws_iam_user.md.erb +120 -120
  50. data/docs/resources/aws_iam_users.md.erb +279 -279
  51. data/docs/resources/aws_kms_key.md.erb +177 -177
  52. data/docs/resources/aws_kms_keys.md.erb +89 -89
  53. data/docs/resources/aws_rds_instance.md.erb +66 -66
  54. data/docs/resources/aws_route_table.md.erb +53 -53
  55. data/docs/resources/aws_route_tables.md.erb +55 -55
  56. data/docs/resources/aws_s3_bucket.md.erb +146 -146
  57. data/docs/resources/aws_s3_bucket_object.md.erb +89 -89
  58. data/docs/resources/aws_s3_buckets.md.erb +59 -59
  59. data/docs/resources/aws_security_group.md.erb +296 -296
  60. data/docs/resources/aws_security_groups.md.erb +97 -97
  61. data/docs/resources/aws_sns_subscription.md.erb +130 -130
  62. data/docs/resources/aws_sns_topic.md.erb +69 -69
  63. data/docs/resources/aws_sns_topics.md.erb +58 -58
  64. data/docs/resources/aws_subnet.md.erb +140 -140
  65. data/docs/resources/aws_subnets.md.erb +132 -132
  66. data/docs/resources/aws_vpc.md.erb +125 -125
  67. data/docs/resources/aws_vpcs.md.erb +125 -125
  68. data/docs/resources/azure_generic_resource.md.erb +171 -171
  69. data/docs/resources/azure_resource_group.md.erb +284 -284
  70. data/docs/resources/azure_virtual_machine.md.erb +347 -347
  71. data/docs/resources/azure_virtual_machine_data_disk.md.erb +224 -224
  72. data/docs/resources/bash.md.erb +75 -75
  73. data/docs/resources/bond.md.erb +90 -90
  74. data/docs/resources/bridge.md.erb +57 -57
  75. data/docs/resources/bsd_service.md.erb +67 -67
  76. data/docs/resources/chocolatey_package.md.erb +58 -58
  77. data/docs/resources/command.md.erb +138 -138
  78. data/docs/resources/cpan.md.erb +79 -79
  79. data/docs/resources/cran.md.erb +64 -64
  80. data/docs/resources/crontab.md.erb +89 -89
  81. data/docs/resources/csv.md.erb +54 -54
  82. data/docs/resources/dh_params.md.erb +205 -205
  83. data/docs/resources/directory.md.erb +30 -30
  84. data/docs/resources/docker.md.erb +219 -219
  85. data/docs/resources/docker_container.md.erb +103 -103
  86. data/docs/resources/docker_image.md.erb +94 -94
  87. data/docs/resources/docker_service.md.erb +114 -114
  88. data/docs/resources/elasticsearch.md.erb +242 -242
  89. data/docs/resources/etc_fstab.md.erb +125 -125
  90. data/docs/resources/etc_group.md.erb +75 -75
  91. data/docs/resources/etc_hosts.md.erb +78 -78
  92. data/docs/resources/etc_hosts_allow.md.erb +74 -74
  93. data/docs/resources/etc_hosts_deny.md.erb +74 -74
  94. data/docs/resources/file.md.erb +526 -526
  95. data/docs/resources/filesystem.md.erb +41 -41
  96. data/docs/resources/firewalld.md.erb +107 -107
  97. data/docs/resources/gem.md.erb +79 -79
  98. data/docs/resources/group.md.erb +61 -61
  99. data/docs/resources/grub_conf.md.erb +101 -101
  100. data/docs/resources/host.md.erb +86 -86
  101. data/docs/resources/http.md.erb +197 -197
  102. data/docs/resources/iis_app.md.erb +122 -122
  103. data/docs/resources/iis_site.md.erb +135 -135
  104. data/docs/resources/inetd_conf.md.erb +94 -94
  105. data/docs/resources/ini.md.erb +76 -76
  106. data/docs/resources/interface.md.erb +58 -58
  107. data/docs/resources/iptables.md.erb +64 -64
  108. data/docs/resources/json.md.erb +63 -63
  109. data/docs/resources/kernel_module.md.erb +120 -120
  110. data/docs/resources/kernel_parameter.md.erb +53 -53
  111. data/docs/resources/key_rsa.md.erb +85 -85
  112. data/docs/resources/launchd_service.md.erb +57 -57
  113. data/docs/resources/limits_conf.md.erb +75 -75
  114. data/docs/resources/login_defs.md.erb +71 -71
  115. data/docs/resources/mount.md.erb +69 -69
  116. data/docs/resources/mssql_session.md.erb +60 -60
  117. data/docs/resources/mysql_conf.md.erb +99 -99
  118. data/docs/resources/mysql_session.md.erb +74 -74
  119. data/docs/resources/nginx.md.erb +79 -79
  120. data/docs/resources/nginx_conf.md.erb +138 -138
  121. data/docs/resources/npm.md.erb +60 -60
  122. data/docs/resources/ntp_conf.md.erb +60 -60
  123. data/docs/resources/oneget.md.erb +53 -53
  124. data/docs/resources/oracledb_session.md.erb +52 -52
  125. data/docs/resources/os.md.erb +141 -141
  126. data/docs/resources/os_env.md.erb +91 -91
  127. data/docs/resources/package.md.erb +120 -120
  128. data/docs/resources/packages.md.erb +67 -67
  129. data/docs/resources/parse_config.md.erb +103 -103
  130. data/docs/resources/parse_config_file.md.erb +138 -138
  131. data/docs/resources/passwd.md.erb +141 -141
  132. data/docs/resources/pip.md.erb +67 -67
  133. data/docs/resources/port.md.erb +137 -137
  134. data/docs/resources/postgres_conf.md.erb +79 -79
  135. data/docs/resources/postgres_hba_conf.md.erb +93 -93
  136. data/docs/resources/postgres_ident_conf.md.erb +76 -76
  137. data/docs/resources/postgres_session.md.erb +69 -69
  138. data/docs/resources/powershell.md.erb +102 -102
  139. data/docs/resources/processes.md.erb +109 -109
  140. data/docs/resources/rabbitmq_config.md.erb +41 -41
  141. data/docs/resources/registry_key.md.erb +158 -158
  142. data/docs/resources/runit_service.md.erb +57 -57
  143. data/docs/resources/security_policy.md.erb +47 -47
  144. data/docs/resources/service.md.erb +121 -121
  145. data/docs/resources/shadow.md.erb +146 -146
  146. data/docs/resources/ssh_config.md.erb +73 -73
  147. data/docs/resources/sshd_config.md.erb +83 -83
  148. data/docs/resources/ssl.md.erb +119 -119
  149. data/docs/resources/sys_info.md.erb +42 -42
  150. data/docs/resources/systemd_service.md.erb +57 -57
  151. data/docs/resources/sysv_service.md.erb +57 -57
  152. data/docs/resources/upstart_service.md.erb +57 -57
  153. data/docs/resources/user.md.erb +140 -140
  154. data/docs/resources/users.md.erb +127 -127
  155. data/docs/resources/vbscript.md.erb +55 -55
  156. data/docs/resources/virtualization.md.erb +57 -57
  157. data/docs/resources/windows_feature.md.erb +47 -47
  158. data/docs/resources/windows_hotfix.md.erb +53 -53
  159. data/docs/resources/windows_task.md.erb +95 -95
  160. data/docs/resources/wmi.md.erb +81 -81
  161. data/docs/resources/x509_certificate.md.erb +151 -151
  162. data/docs/resources/xinetd_conf.md.erb +156 -156
  163. data/docs/resources/xml.md.erb +85 -85
  164. data/docs/resources/yaml.md.erb +69 -69
  165. data/docs/resources/yum.md.erb +98 -98
  166. data/docs/resources/zfs_dataset.md.erb +53 -53
  167. data/docs/resources/zfs_pool.md.erb +47 -47
  168. data/docs/ruby_usage.md +203 -203
  169. data/docs/shared/matcher_be.md.erb +1 -1
  170. data/docs/shared/matcher_cmp.md.erb +43 -43
  171. data/docs/shared/matcher_eq.md.erb +3 -3
  172. data/docs/shared/matcher_include.md.erb +1 -1
  173. data/docs/shared/matcher_match.md.erb +1 -1
  174. data/docs/shell.md +217 -217
  175. data/examples/README.md +8 -8
  176. data/examples/inheritance/README.md +65 -65
  177. data/examples/inheritance/controls/example.rb +14 -14
  178. data/examples/inheritance/inspec.yml +15 -15
  179. data/examples/kitchen-ansible/.kitchen.yml +25 -25
  180. data/examples/kitchen-ansible/Gemfile +19 -19
  181. data/examples/kitchen-ansible/README.md +53 -53
  182. data/examples/kitchen-ansible/files/nginx.repo +6 -6
  183. data/examples/kitchen-ansible/tasks/main.yml +16 -16
  184. data/examples/kitchen-ansible/test/integration/default/default.yml +5 -5
  185. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +28 -28
  186. data/examples/kitchen-chef/.kitchen.yml +20 -20
  187. data/examples/kitchen-chef/Berksfile +3 -3
  188. data/examples/kitchen-chef/Gemfile +19 -19
  189. data/examples/kitchen-chef/README.md +27 -27
  190. data/examples/kitchen-chef/metadata.rb +7 -7
  191. data/examples/kitchen-chef/recipes/default.rb +6 -6
  192. data/examples/kitchen-chef/recipes/nginx.rb +30 -30
  193. data/examples/kitchen-chef/test/integration/default/web_spec.rb +28 -28
  194. data/examples/kitchen-puppet/.kitchen.yml +23 -23
  195. data/examples/kitchen-puppet/Gemfile +20 -20
  196. data/examples/kitchen-puppet/Puppetfile +25 -25
  197. data/examples/kitchen-puppet/README.md +53 -53
  198. data/examples/kitchen-puppet/manifests/site.pp +33 -33
  199. data/examples/kitchen-puppet/metadata.json +11 -11
  200. data/examples/kitchen-puppet/modules/.gitkeep +0 -0
  201. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +28 -28
  202. data/examples/meta-profile/README.md +37 -37
  203. data/examples/meta-profile/controls/example.rb +13 -13
  204. data/examples/meta-profile/inspec.yml +13 -13
  205. data/examples/profile-attribute.yml +2 -2
  206. data/examples/profile-attribute/README.md +14 -14
  207. data/examples/profile-attribute/controls/example.rb +11 -11
  208. data/examples/profile-attribute/inspec.yml +8 -8
  209. data/examples/profile-aws/controls/iam_password_policy_expiration.rb +8 -8
  210. data/examples/profile-aws/controls/iam_password_policy_max_age.rb +8 -8
  211. data/examples/profile-aws/controls/iam_root_user_mfa.rb +8 -8
  212. data/examples/profile-aws/controls/iam_users_access_key_age.rb +8 -8
  213. data/examples/profile-aws/controls/iam_users_console_users_mfa.rb +8 -8
  214. data/examples/profile-aws/inspec.yml +11 -11
  215. data/examples/profile-azure/controls/azure_resource_group_example.rb +24 -24
  216. data/examples/profile-azure/controls/azure_vm_example.rb +29 -29
  217. data/examples/profile-azure/inspec.yml +11 -11
  218. data/examples/profile-sensitive/README.md +29 -29
  219. data/examples/profile-sensitive/controls/sensitive-failures.rb +9 -9
  220. data/examples/profile-sensitive/controls/sensitive.rb +9 -9
  221. data/examples/profile-sensitive/inspec.yml +8 -8
  222. data/examples/profile/README.md +48 -48
  223. data/examples/profile/controls/example.rb +23 -23
  224. data/examples/profile/controls/gordon.rb +36 -36
  225. data/examples/profile/controls/meta.rb +34 -34
  226. data/examples/profile/inspec.yml +10 -10
  227. data/examples/profile/libraries/gordon_config.rb +59 -59
  228. data/inspec.gemspec +49 -49
  229. data/lib/bundles/README.md +3 -3
  230. data/lib/bundles/inspec-artifact.rb +7 -7
  231. data/lib/bundles/inspec-artifact/README.md +1 -1
  232. data/lib/bundles/inspec-artifact/cli.rb +277 -277
  233. data/lib/bundles/inspec-compliance.rb +16 -16
  234. data/lib/bundles/inspec-compliance/.kitchen.yml +20 -20
  235. data/lib/bundles/inspec-compliance/README.md +193 -193
  236. data/lib/bundles/inspec-compliance/api.rb +360 -360
  237. data/lib/bundles/inspec-compliance/api/login.rb +193 -193
  238. data/lib/bundles/inspec-compliance/bootstrap.sh +41 -41
  239. data/lib/bundles/inspec-compliance/cli.rb +260 -260
  240. data/lib/bundles/inspec-compliance/configuration.rb +103 -103
  241. data/lib/bundles/inspec-compliance/http.rb +125 -125
  242. data/lib/bundles/inspec-compliance/images/cc-token.png +0 -0
  243. data/lib/bundles/inspec-compliance/support.rb +36 -36
  244. data/lib/bundles/inspec-compliance/target.rb +112 -112
  245. data/lib/bundles/inspec-compliance/test/integration/default/cli.rb +93 -93
  246. data/lib/bundles/inspec-habitat.rb +12 -12
  247. data/lib/bundles/inspec-habitat/cli.rb +36 -36
  248. data/lib/bundles/inspec-habitat/log.rb +10 -10
  249. data/lib/bundles/inspec-habitat/profile.rb +391 -391
  250. data/lib/bundles/inspec-init.rb +8 -8
  251. data/lib/bundles/inspec-init/README.md +31 -31
  252. data/lib/bundles/inspec-init/cli.rb +97 -97
  253. data/lib/bundles/inspec-init/templates/profile/README.md +3 -3
  254. data/lib/bundles/inspec-init/templates/profile/controls/example.rb +19 -19
  255. data/lib/bundles/inspec-init/templates/profile/inspec.yml +8 -8
  256. data/lib/bundles/inspec-init/templates/profile/libraries/.gitkeep +0 -0
  257. data/lib/bundles/inspec-supermarket.rb +13 -13
  258. data/lib/bundles/inspec-supermarket/README.md +45 -45
  259. data/lib/bundles/inspec-supermarket/api.rb +84 -84
  260. data/lib/bundles/inspec-supermarket/cli.rb +73 -73
  261. data/lib/bundles/inspec-supermarket/target.rb +34 -34
  262. data/lib/fetchers/git.rb +163 -163
  263. data/lib/fetchers/local.rb +74 -74
  264. data/lib/fetchers/mock.rb +35 -35
  265. data/lib/fetchers/url.rb +247 -247
  266. data/lib/inspec.rb +24 -24
  267. data/lib/inspec/archive/tar.rb +29 -29
  268. data/lib/inspec/archive/zip.rb +19 -19
  269. data/lib/inspec/backend.rb +93 -93
  270. data/lib/inspec/base_cli.rb +368 -368
  271. data/lib/inspec/cached_fetcher.rb +66 -66
  272. data/lib/inspec/cli.rb +292 -292
  273. data/lib/inspec/completions/bash.sh.erb +45 -45
  274. data/lib/inspec/completions/fish.sh.erb +34 -34
  275. data/lib/inspec/completions/zsh.sh.erb +61 -61
  276. data/lib/inspec/control_eval_context.rb +179 -179
  277. data/lib/inspec/dependencies/cache.rb +72 -72
  278. data/lib/inspec/dependencies/dependency_set.rb +92 -92
  279. data/lib/inspec/dependencies/lockfile.rb +115 -115
  280. data/lib/inspec/dependencies/requirement.rb +123 -123
  281. data/lib/inspec/dependencies/resolver.rb +86 -86
  282. data/lib/inspec/describe.rb +27 -27
  283. data/lib/inspec/dsl.rb +66 -66
  284. data/lib/inspec/dsl_shared.rb +33 -33
  285. data/lib/inspec/env_printer.rb +157 -157
  286. data/lib/inspec/errors.rb +14 -14
  287. data/lib/inspec/exceptions.rb +12 -12
  288. data/lib/inspec/expect.rb +45 -45
  289. data/lib/inspec/fetcher.rb +45 -45
  290. data/lib/inspec/file_provider.rb +275 -275
  291. data/lib/inspec/formatters.rb +3 -3
  292. data/lib/inspec/formatters/base.rb +259 -259
  293. data/lib/inspec/formatters/json_rspec.rb +20 -20
  294. data/lib/inspec/formatters/show_progress.rb +12 -12
  295. data/lib/inspec/library_eval_context.rb +58 -58
  296. data/lib/inspec/log.rb +11 -11
  297. data/lib/inspec/metadata.rb +247 -247
  298. data/lib/inspec/method_source.rb +24 -24
  299. data/lib/inspec/objects.rb +14 -14
  300. data/lib/inspec/objects/attribute.rb +75 -75
  301. data/lib/inspec/objects/control.rb +61 -61
  302. data/lib/inspec/objects/describe.rb +92 -92
  303. data/lib/inspec/objects/each_loop.rb +36 -36
  304. data/lib/inspec/objects/list.rb +15 -15
  305. data/lib/inspec/objects/or_test.rb +40 -40
  306. data/lib/inspec/objects/ruby_helper.rb +15 -15
  307. data/lib/inspec/objects/tag.rb +27 -27
  308. data/lib/inspec/objects/test.rb +87 -87
  309. data/lib/inspec/objects/value.rb +27 -27
  310. data/lib/inspec/plugins.rb +60 -60
  311. data/lib/inspec/plugins/cli.rb +24 -24
  312. data/lib/inspec/plugins/fetcher.rb +86 -86
  313. data/lib/inspec/plugins/resource.rb +135 -135
  314. data/lib/inspec/plugins/secret.rb +15 -15
  315. data/lib/inspec/plugins/source_reader.rb +40 -40
  316. data/lib/inspec/polyfill.rb +12 -12
  317. data/lib/inspec/profile.rb +513 -513
  318. data/lib/inspec/profile_context.rb +208 -208
  319. data/lib/inspec/profile_vendor.rb +66 -66
  320. data/lib/inspec/reporters.rb +60 -60
  321. data/lib/inspec/reporters/automate.rb +76 -76
  322. data/lib/inspec/reporters/base.rb +25 -25
  323. data/lib/inspec/reporters/cli.rb +356 -356
  324. data/lib/inspec/reporters/json.rb +117 -117
  325. data/lib/inspec/reporters/json_min.rb +48 -48
  326. data/lib/inspec/reporters/junit.rb +78 -78
  327. data/lib/inspec/require_loader.rb +33 -33
  328. data/lib/inspec/resource.rb +190 -190
  329. data/lib/inspec/rule.rb +280 -280
  330. data/lib/inspec/runner.rb +345 -345
  331. data/lib/inspec/runner_mock.rb +41 -41
  332. data/lib/inspec/runner_rspec.rb +175 -175
  333. data/lib/inspec/runtime_profile.rb +26 -26
  334. data/lib/inspec/schema.rb +213 -213
  335. data/lib/inspec/secrets.rb +19 -19
  336. data/lib/inspec/secrets/yaml.rb +30 -30
  337. data/lib/inspec/shell.rb +220 -220
  338. data/lib/inspec/shell_detector.rb +90 -90
  339. data/lib/inspec/source_reader.rb +29 -29
  340. data/lib/inspec/version.rb +8 -8
  341. data/lib/matchers/matchers.rb +339 -339
  342. data/lib/resource_support/aws.rb +50 -50
  343. data/lib/resource_support/aws/aws_backend_base.rb +12 -12
  344. data/lib/resource_support/aws/aws_backend_factory_mixin.rb +12 -12
  345. data/lib/resource_support/aws/aws_plural_resource_mixin.rb +21 -21
  346. data/lib/resource_support/aws/aws_resource_mixin.rb +66 -66
  347. data/lib/resource_support/aws/aws_singular_resource_mixin.rb +24 -24
  348. data/lib/resources/aide_conf.rb +151 -151
  349. data/lib/resources/apache.rb +48 -48
  350. data/lib/resources/apache_conf.rb +149 -149
  351. data/lib/resources/apt.rb +149 -149
  352. data/lib/resources/audit_policy.rb +63 -63
  353. data/lib/resources/auditd.rb +231 -231
  354. data/lib/resources/auditd_conf.rb +46 -46
  355. data/lib/resources/aws/aws_cloudtrail_trail.rb +93 -93
  356. data/lib/resources/aws/aws_cloudtrail_trails.rb +47 -47
  357. data/lib/resources/aws/aws_cloudwatch_alarm.rb +62 -62
  358. data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb +100 -100
  359. data/lib/resources/aws/aws_config_delivery_channel.rb +70 -70
  360. data/lib/resources/aws/aws_config_recorder.rb +93 -93
  361. data/lib/resources/aws/aws_ec2_instance.rb +157 -157
  362. data/lib/resources/aws/aws_ec2_instances.rb +64 -64
  363. data/lib/resources/aws/aws_iam_access_key.rb +106 -106
  364. data/lib/resources/aws/aws_iam_access_keys.rb +149 -149
  365. data/lib/resources/aws/aws_iam_group.rb +58 -58
  366. data/lib/resources/aws/aws_iam_groups.rb +52 -52
  367. data/lib/resources/aws/aws_iam_password_policy.rb +116 -116
  368. data/lib/resources/aws/aws_iam_policies.rb +53 -53
  369. data/lib/resources/aws/aws_iam_policy.rb +291 -291
  370. data/lib/resources/aws/aws_iam_role.rb +55 -55
  371. data/lib/resources/aws/aws_iam_root_user.rb +78 -78
  372. data/lib/resources/aws/aws_iam_user.rb +142 -142
  373. data/lib/resources/aws/aws_iam_users.rb +146 -146
  374. data/lib/resources/aws/aws_kms_key.rb +96 -96
  375. data/lib/resources/aws/aws_kms_keys.rb +53 -53
  376. data/lib/resources/aws/aws_rds_instance.rb +71 -71
  377. data/lib/resources/aws/aws_route_table.rb +63 -63
  378. data/lib/resources/aws/aws_route_tables.rb +60 -60
  379. data/lib/resources/aws/aws_s3_bucket.rb +137 -137
  380. data/lib/resources/aws/aws_s3_bucket_object.rb +82 -82
  381. data/lib/resources/aws/aws_s3_buckets.rb +51 -51
  382. data/lib/resources/aws/aws_security_group.rb +249 -249
  383. data/lib/resources/aws/aws_security_groups.rb +68 -68
  384. data/lib/resources/aws/aws_sns_subscription.rb +78 -78
  385. data/lib/resources/aws/aws_sns_topic.rb +53 -53
  386. data/lib/resources/aws/aws_sns_topics.rb +56 -56
  387. data/lib/resources/aws/aws_subnet.rb +88 -88
  388. data/lib/resources/aws/aws_subnets.rb +53 -53
  389. data/lib/resources/aws/aws_vpc.rb +73 -73
  390. data/lib/resources/aws/aws_vpcs.rb +52 -52
  391. data/lib/resources/azure/azure_backend.rb +377 -377
  392. data/lib/resources/azure/azure_generic_resource.rb +59 -59
  393. data/lib/resources/azure/azure_resource_group.rb +152 -152
  394. data/lib/resources/azure/azure_virtual_machine.rb +264 -264
  395. data/lib/resources/azure/azure_virtual_machine_data_disk.rb +134 -134
  396. data/lib/resources/bash.rb +35 -35
  397. data/lib/resources/bond.rb +69 -69
  398. data/lib/resources/bridge.rb +122 -122
  399. data/lib/resources/chocolatey_package.rb +78 -78
  400. data/lib/resources/command.rb +73 -73
  401. data/lib/resources/cpan.rb +58 -58
  402. data/lib/resources/cran.rb +64 -64
  403. data/lib/resources/crontab.rb +169 -169
  404. data/lib/resources/csv.rb +56 -56
  405. data/lib/resources/dh_params.rb +77 -77
  406. data/lib/resources/directory.rb +25 -25
  407. data/lib/resources/docker.rb +236 -236
  408. data/lib/resources/docker_container.rb +89 -89
  409. data/lib/resources/docker_image.rb +83 -83
  410. data/lib/resources/docker_object.rb +57 -57
  411. data/lib/resources/docker_service.rb +90 -90
  412. data/lib/resources/elasticsearch.rb +169 -169
  413. data/lib/resources/etc_fstab.rb +94 -94
  414. data/lib/resources/etc_group.rb +154 -154
  415. data/lib/resources/etc_hosts.rb +66 -66
  416. data/lib/resources/etc_hosts_allow_deny.rb +112 -112
  417. data/lib/resources/file.rb +298 -298
  418. data/lib/resources/filesystem.rb +31 -31
  419. data/lib/resources/firewalld.rb +143 -143
  420. data/lib/resources/gem.rb +70 -70
  421. data/lib/resources/groups.rb +215 -215
  422. data/lib/resources/grub_conf.rb +227 -227
  423. data/lib/resources/host.rb +306 -306
  424. data/lib/resources/http.rb +253 -253
  425. data/lib/resources/iis_app.rb +101 -101
  426. data/lib/resources/iis_site.rb +148 -148
  427. data/lib/resources/inetd_conf.rb +54 -54
  428. data/lib/resources/ini.rb +29 -29
  429. data/lib/resources/interface.rb +129 -129
  430. data/lib/resources/iptables.rb +80 -80
  431. data/lib/resources/json.rb +111 -111
  432. data/lib/resources/kernel_module.rb +107 -107
  433. data/lib/resources/kernel_parameter.rb +58 -58
  434. data/lib/resources/key_rsa.rb +63 -63
  435. data/lib/resources/limits_conf.rb +46 -46
  436. data/lib/resources/login_def.rb +57 -57
  437. data/lib/resources/mount.rb +88 -88
  438. data/lib/resources/mssql_session.rb +101 -101
  439. data/lib/resources/mysql.rb +82 -82
  440. data/lib/resources/mysql_conf.rb +127 -127
  441. data/lib/resources/mysql_session.rb +85 -85
  442. data/lib/resources/nginx.rb +96 -96
  443. data/lib/resources/nginx_conf.rb +226 -226
  444. data/lib/resources/npm.rb +48 -48
  445. data/lib/resources/ntp_conf.rb +51 -51
  446. data/lib/resources/oneget.rb +71 -71
  447. data/lib/resources/oracledb_session.rb +139 -139
  448. data/lib/resources/os.rb +36 -36
  449. data/lib/resources/os_env.rb +86 -86
  450. data/lib/resources/package.rb +370 -370
  451. data/lib/resources/packages.rb +111 -111
  452. data/lib/resources/parse_config.rb +112 -112
  453. data/lib/resources/passwd.rb +76 -76
  454. data/lib/resources/pip.rb +130 -130
  455. data/lib/resources/platform.rb +109 -109
  456. data/lib/resources/port.rb +771 -771
  457. data/lib/resources/postgres.rb +131 -131
  458. data/lib/resources/postgres_conf.rb +114 -114
  459. data/lib/resources/postgres_hba_conf.rb +90 -90
  460. data/lib/resources/postgres_ident_conf.rb +79 -79
  461. data/lib/resources/postgres_session.rb +71 -71
  462. data/lib/resources/powershell.rb +67 -67
  463. data/lib/resources/processes.rb +204 -204
  464. data/lib/resources/rabbitmq_conf.rb +51 -51
  465. data/lib/resources/registry_key.rb +297 -297
  466. data/lib/resources/security_policy.rb +180 -180
  467. data/lib/resources/service.rb +794 -794
  468. data/lib/resources/shadow.rb +159 -159
  469. data/lib/resources/ssh_conf.rb +97 -97
  470. data/lib/resources/ssl.rb +99 -99
  471. data/lib/resources/sys_info.rb +28 -28
  472. data/lib/resources/toml.rb +32 -32
  473. data/lib/resources/users.rb +654 -654
  474. data/lib/resources/vbscript.rb +68 -68
  475. data/lib/resources/virtualization.rb +247 -247
  476. data/lib/resources/windows_feature.rb +84 -84
  477. data/lib/resources/windows_hotfix.rb +35 -35
  478. data/lib/resources/windows_task.rb +102 -102
  479. data/lib/resources/wmi.rb +110 -110
  480. data/lib/resources/x509_certificate.rb +137 -137
  481. data/lib/resources/xinetd.rb +106 -106
  482. data/lib/resources/xml.rb +46 -46
  483. data/lib/resources/yaml.rb +43 -43
  484. data/lib/resources/yum.rb +180 -180
  485. data/lib/resources/zfs_dataset.rb +60 -60
  486. data/lib/resources/zfs_pool.rb +49 -49
  487. data/lib/source_readers/flat.rb +39 -39
  488. data/lib/source_readers/inspec.rb +75 -75
  489. data/lib/utils/command_wrapper.rb +27 -27
  490. data/lib/utils/convert.rb +12 -12
  491. data/lib/utils/database_helpers.rb +77 -77
  492. data/lib/utils/enumerable_delegation.rb +9 -9
  493. data/lib/utils/erlang_parser.rb +192 -192
  494. data/lib/utils/file_reader.rb +25 -25
  495. data/lib/utils/filter.rb +273 -273
  496. data/lib/utils/filter_array.rb +27 -27
  497. data/lib/utils/find_files.rb +47 -47
  498. data/lib/utils/hash.rb +41 -41
  499. data/lib/utils/json_log.rb +18 -18
  500. data/lib/utils/latest_version.rb +22 -22
  501. data/lib/utils/modulator.rb +12 -12
  502. data/lib/utils/nginx_parser.rb +105 -105
  503. data/lib/utils/object_traversal.rb +49 -49
  504. data/lib/utils/parser.rb +274 -274
  505. data/lib/utils/pkey_reader.rb +15 -15
  506. data/lib/utils/plugin_registry.rb +93 -93
  507. data/lib/utils/simpleconfig.rb +120 -120
  508. data/lib/utils/spdx.rb +13 -13
  509. data/lib/utils/spdx.txt +343 -343
  510. metadata +3 -3
@@ -1,74 +1,74 @@
1
- ---
2
- title: About the etc_hosts_allow Resource
3
- platform: linux
4
- ---
5
-
6
- # etc\_hosts\_allow
7
-
8
- Use the `etc_hosts_allow` InSpec audit resource to test rules defined for accepting daemon and client traffic in the `'/etc/hosts.allow'` file.
9
-
10
- <br>
11
-
12
- ## Syntax
13
-
14
- An etc/hosts.allow rule specifies one or more daemons mapped to one or more clients, with zero or more options to for accepting traffic when found.
15
-
16
- Use the where clause to match a property to one or more rules in the hosts.allow file.
17
-
18
- describe etc_hosts_allow.where { daemon == 'value' } do
19
- its ('client_list') { should include ['values'] }
20
- its ('options') { should include ['values'] }
21
- end
22
-
23
- Use the optional constructor parameter to give an alternative path to hosts.allow
24
-
25
- describe etc_hosts_allow(hosts_path).where { daemon == 'value' } do
26
- its ('client_list') { should include ['values'] }
27
- its ('options') { should include ['values'] }
28
- end
29
-
30
- where
31
-
32
- * `daemon` is a daemon that will be allowed to pass traffic in.
33
- * `client_list` is a list of clients will be allowed to pass traffic in.
34
- * `options` is a list of tasks that to be done with the rule when traffic is found.
35
-
36
- <br>
37
-
38
- ## Properties
39
-
40
- 'daemon', 'client_list', 'options'
41
-
42
- <br>
43
-
44
- ## Property Examples
45
-
46
- ### daemon
47
-
48
- `daemon` returns a string containing the daemon that is allowed in the rule.
49
-
50
- describe etc_hosts_allow.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] } do
51
- its('daemon') { should eq ['vsftpd', 'sshd'] }
52
- end
53
-
54
- ### client_list
55
-
56
- `client_list` returns a 2d string array where each entry contains the clients specified for the rule.
57
-
58
- describe etc_hosts_allow.where { daemon == 'sshd' } do
59
- its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
60
- end
61
-
62
- ### options
63
-
64
- `options` returns a 2d string array where each entry contains any options specified for the rule.
65
-
66
- describe etc_hosts_allow.where { daemon == 'sshd' } do
67
- its('options') { should include ['deny', 'echo "REJECTED"'] }
68
- end
69
-
70
- <br>
71
-
72
- ## Matchers
73
-
74
- For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
1
+ ---
2
+ title: About the etc_hosts_allow Resource
3
+ platform: linux
4
+ ---
5
+
6
+ # etc\_hosts\_allow
7
+
8
+ Use the `etc_hosts_allow` InSpec audit resource to test rules defined for accepting daemon and client traffic in the `'/etc/hosts.allow'` file.
9
+
10
+ <br>
11
+
12
+ ## Syntax
13
+
14
+ An etc/hosts.allow rule specifies one or more daemons mapped to one or more clients, with zero or more options to for accepting traffic when found.
15
+
16
+ Use the where clause to match a property to one or more rules in the hosts.allow file.
17
+
18
+ describe etc_hosts_allow.where { daemon == 'value' } do
19
+ its ('client_list') { should include ['values'] }
20
+ its ('options') { should include ['values'] }
21
+ end
22
+
23
+ Use the optional constructor parameter to give an alternative path to hosts.allow
24
+
25
+ describe etc_hosts_allow(hosts_path).where { daemon == 'value' } do
26
+ its ('client_list') { should include ['values'] }
27
+ its ('options') { should include ['values'] }
28
+ end
29
+
30
+ where
31
+
32
+ * `daemon` is a daemon that will be allowed to pass traffic in.
33
+ * `client_list` is a list of clients will be allowed to pass traffic in.
34
+ * `options` is a list of tasks that to be done with the rule when traffic is found.
35
+
36
+ <br>
37
+
38
+ ## Properties
39
+
40
+ 'daemon', 'client_list', 'options'
41
+
42
+ <br>
43
+
44
+ ## Property Examples
45
+
46
+ ### daemon
47
+
48
+ `daemon` returns a string containing the daemon that is allowed in the rule.
49
+
50
+ describe etc_hosts_allow.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] } do
51
+ its('daemon') { should eq ['vsftpd', 'sshd'] }
52
+ end
53
+
54
+ ### client_list
55
+
56
+ `client_list` returns a 2d string array where each entry contains the clients specified for the rule.
57
+
58
+ describe etc_hosts_allow.where { daemon == 'sshd' } do
59
+ its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
60
+ end
61
+
62
+ ### options
63
+
64
+ `options` returns a 2d string array where each entry contains any options specified for the rule.
65
+
66
+ describe etc_hosts_allow.where { daemon == 'sshd' } do
67
+ its('options') { should include ['deny', 'echo "REJECTED"'] }
68
+ end
69
+
70
+ <br>
71
+
72
+ ## Matchers
73
+
74
+ For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
@@ -1,74 +1,74 @@
1
- ---
2
- title: About the etc_hosts_deny Resource
3
- platform: linux
4
- ---
5
-
6
- # etc\_hosts\_deny
7
-
8
- Use the `etc_hosts_deny` InSpec audit resource to test rules for rejecting daemon and client traffic defined in /etc/hosts.deny.
9
-
10
- <br>
11
-
12
- ## Syntax
13
-
14
- An etc/hosts.deny rule specifies one or more daemons mapped to one or more clients, with zero or more options for rejecting traffic when found.
15
-
16
- Use the where clause to match a property to one or more rules in the hosts.deny file:
17
-
18
- describe etc_hosts_deny.where { daemon == 'value' } do
19
- its ('client_list') { should include ['values'] }
20
- its ('options') { should include ['values'] }
21
- end
22
-
23
- Use the optional constructor parameter to give an alternative path to hosts.deny:
24
-
25
- describe etc_hosts_deny(hosts_path).where { daemon == 'value' } do
26
- its ('client_list') { should include ['values'] }
27
- its ('options') { should include ['values'] }
28
- end
29
-
30
- where
31
-
32
- * `daemon` is a daemon that will be rejected to pass traffic in.
33
- * `client_list` is a list of clients will be rejected to pass traffic in.
34
- * `options` is a list of tasks that to be done with the rule when traffic is found.
35
-
36
- <br>
37
-
38
- ## Properties
39
-
40
- 'daemon', 'client_list', 'options'
41
-
42
- <br>
43
-
44
- ## Parameter Examples
45
-
46
- ### daemon
47
-
48
- `daemon` returns a string containing the daemon that is allowed in the rule.
49
-
50
- describe etc_hosts_deny.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] } do
51
- its('daemon') { should eq ['vsftpd', 'sshd'] }
52
- end
53
-
54
- ### client_list
55
-
56
- `client_list` returns a 2d string array where each entry contains the clients specified for the rule.
57
-
58
- describe etc_hosts_deny.where { daemon == 'sshd' } do
59
- its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
60
- end
61
-
62
- ### options
63
-
64
- `options` returns a 2d string array where each entry contains any options specified for the rule.
65
-
66
- describe etc_hosts_deny.where { daemon == 'sshd' } do
67
- its('options') { should include ['deny', 'echo "REJECTED"'] }
68
- end
69
-
70
- <br>
71
-
72
- ## Matchers
73
-
74
- For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
1
+ ---
2
+ title: About the etc_hosts_deny Resource
3
+ platform: linux
4
+ ---
5
+
6
+ # etc\_hosts\_deny
7
+
8
+ Use the `etc_hosts_deny` InSpec audit resource to test rules for rejecting daemon and client traffic defined in /etc/hosts.deny.
9
+
10
+ <br>
11
+
12
+ ## Syntax
13
+
14
+ An etc/hosts.deny rule specifies one or more daemons mapped to one or more clients, with zero or more options for rejecting traffic when found.
15
+
16
+ Use the where clause to match a property to one or more rules in the hosts.deny file:
17
+
18
+ describe etc_hosts_deny.where { daemon == 'value' } do
19
+ its ('client_list') { should include ['values'] }
20
+ its ('options') { should include ['values'] }
21
+ end
22
+
23
+ Use the optional constructor parameter to give an alternative path to hosts.deny:
24
+
25
+ describe etc_hosts_deny(hosts_path).where { daemon == 'value' } do
26
+ its ('client_list') { should include ['values'] }
27
+ its ('options') { should include ['values'] }
28
+ end
29
+
30
+ where
31
+
32
+ * `daemon` is a daemon that will be rejected to pass traffic in.
33
+ * `client_list` is a list of clients will be rejected to pass traffic in.
34
+ * `options` is a list of tasks that to be done with the rule when traffic is found.
35
+
36
+ <br>
37
+
38
+ ## Properties
39
+
40
+ 'daemon', 'client_list', 'options'
41
+
42
+ <br>
43
+
44
+ ## Parameter Examples
45
+
46
+ ### daemon
47
+
48
+ `daemon` returns a string containing the daemon that is allowed in the rule.
49
+
50
+ describe etc_hosts_deny.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] } do
51
+ its('daemon') { should eq ['vsftpd', 'sshd'] }
52
+ end
53
+
54
+ ### client_list
55
+
56
+ `client_list` returns a 2d string array where each entry contains the clients specified for the rule.
57
+
58
+ describe etc_hosts_deny.where { daemon == 'sshd' } do
59
+ its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
60
+ end
61
+
62
+ ### options
63
+
64
+ `options` returns a 2d string array where each entry contains any options specified for the rule.
65
+
66
+ describe etc_hosts_deny.where { daemon == 'sshd' } do
67
+ its('options') { should include ['deny', 'echo "REJECTED"'] }
68
+ end
69
+
70
+ <br>
71
+
72
+ ## Matchers
73
+
74
+ For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
@@ -1,526 +1,526 @@
1
- ---
2
- title: About the file Resource
3
- platform: os
4
- ---
5
-
6
- # file
7
-
8
- Use the `file` InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.
9
-
10
- <br>
11
-
12
- ## Syntax
13
-
14
- A `file` resource block declares the location of the file type to be tested, the expected file type (if required), and one (or more) resource properties.
15
-
16
- describe file('path') do
17
- it { should PROPERTY 'value' }
18
- end
19
-
20
- where
21
-
22
- * `('path')` is the name of the file and/or the path to the file.
23
- * `PROPERTY` is a valid resource property for this resource'
24
- * `'value'` is the value to be tested.
25
-
26
- <br>
27
-
28
- ## Properties
29
-
30
- ### General Properties
31
-
32
- content, size, basename, path, owner, group, type
33
-
34
- ### Unix/Linux Properties
35
-
36
- symlink, mode, link_path, mtime, size, selinux\_label, md5sum, sha256sum, path, source, source\_path, uid, gid
37
-
38
- ### Windows Properties
39
-
40
- file\_version, product\_version
41
-
42
- <br>
43
-
44
- ## Resource Property Examples
45
-
46
- ### content
47
-
48
- The `content` property tests if contents in the file match the value specified in a regular expression. The values of the `content` property are arbitrary and depend on the file type being tested and also the type of information that is expected to be in that file:
49
-
50
- its('content') { should match REGEX }
51
-
52
- The following complete example tests the `pg_hba.conf` file in PostgreSQL for MD5 requirements. The tests look at all `host` and `local` settings in that file, and then compare the MD5 checksums against the values in the test:
53
-
54
- describe file('/etc/postgresql/9.1/main/pg_hba.conf') do
55
- its('content') { should match(%r{local\s.*?all\s.*?all\s.*?md5}) }
56
- its('content') { should match(%r{host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5}) }
57
- its('content') { should match(%r{host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5}) }
58
- end
59
-
60
- ### file_version
61
-
62
- The `file_version` property tests if a Windows file's version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
63
-
64
- its('file_version') { should eq '1.2.3' }
65
-
66
- ### group
67
-
68
- The `group` property tests if the group to which a file belongs matches the specified value.
69
-
70
- its('group') { should eq 'admins' }
71
-
72
- The following examples show how to use this InSpec audit resource.
73
-
74
- ### link_path
75
-
76
- The `link_path` property tests if the file exists at the specified path. If the file is a symlink,
77
- InSpec will resolve the symlink and return the ultimate linked file.
78
-
79
- its('link_path') { should eq '/some/path/to/file' }
80
-
81
- ### md5sum
82
-
83
- The `md5sum` property tests if the MD5 checksum for a file matches the specified value.
84
-
85
- its('md5sum') { should eq '3329x3hf9130gjs9jlasf2305mx91s4j' }
86
-
87
- ### mode
88
-
89
- The `mode` property tests if the mode assigned to the file matches the specified value.
90
-
91
- its('mode') { should cmp '0644' }
92
-
93
- InSpec [octal](https://en.wikipedia.org/wiki/Leading_zero#0_as_a_prefix) values begin the numeric mode specification with zero.
94
-
95
- For example, write:
96
-
97
- { should cmp '0644' }
98
-
99
- not
100
-
101
- { should cmp '644' }
102
-
103
- Without the zero prefix for the octal value, InSpec will interpret it as the _decimal_ value 644, which is octal 1024 or `-----w-r-T`, and any test for a file that is `-rw-r--r--` will fail.
104
-
105
- ### mtime
106
-
107
- The `mtime` property tests if the file modification time for the file matches the specified value. The mtime, where supported, is returned as the number of seconds since the epoch.
108
-
109
- describe file('/') do
110
- its('mtime') { should <= Time.now.to_i }
111
- its('mtime') { should >= Time.now.to_i - 1000 }
112
- end
113
-
114
- ### owner
115
-
116
- The `owner` property tests if the owner of the file matches the specified value.
117
-
118
- its('owner') { should eq 'root' }
119
-
120
- ### product_version
121
-
122
- The `product_version` property tests if a Windows file's product version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates.
123
-
124
- its('product_version') { should eq '2.3.4' }
125
-
126
- ### selinux_label
127
-
128
- The `selinux_label` property tests if the SELinux label for a file matches the specified value.
129
-
130
- its('selinux_label') { should eq 'system_u:system_r:httpd_t:s0' }
131
-
132
- ### sha256sum
133
-
134
- The `sha256sum` property tests if the SHA-256 checksum for a file matches the specified value.
135
-
136
- its('sha256sum') { should eq 'b837ch38lh19bb8eaopl8jvxwd2e4g58jn9lkho1w3ed9jbkeicalplaad9k0pjn' }
137
-
138
- ### size
139
-
140
- The `size` property tests if a file's size matches, is greater than, or is less than the specified value. For example, equal:
141
-
142
- its('size') { should eq 32375 }
143
-
144
- Greater than:
145
-
146
- its('size') { should > 64 }
147
-
148
- Less than:
149
-
150
- its('size') { should < 10240 }
151
-
152
- ### type
153
-
154
- The `type` property tests for the file type. The available types are:
155
-
156
- * `file`: the object is a file
157
- * `directory`: the object is a directory
158
- * `link`: the object is a symbolic link
159
- * `pipe`: the object is a named pipe
160
- * `socket`: the object is a socket
161
- * `character_device`: the object is a character device
162
- * `block_device`: the object is a block device
163
- * `door`: the object is a door device
164
-
165
- The `type` method usually returns the type as a Ruby "symbol". We recommend using the `cmp` matcher to match
166
- either by symbol or string.
167
-
168
- For example:
169
-
170
- its('type') { should eq :file }
171
- its('type') { should cmp 'file' }
172
-
173
- or:
174
-
175
- its('type') { should eq :socket }
176
- its('type') { should cmp 'socket' }
177
-
178
- ### Test the contents of a file for MD5 requirements
179
-
180
- describe file('/etc/postgresql/9.1/main/pg_hba.conf') do
181
- its('content') { should match /local\s.*?all\s.*?all\s.*?md5/ }
182
- its('content') { should match %r{/host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5/} }
183
- its('content') { should match %r{/host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5/} }
184
- end
185
-
186
- ### Test if a file exists
187
-
188
- describe file('/tmp') do
189
- it { should exist }
190
- end
191
-
192
- ### Test that a file does not exist
193
-
194
- describe file('/tmpest') do
195
- it { should_not exist }
196
- end
197
-
198
- ### Test if a path is a directory
199
-
200
- describe file('/tmp') do
201
- its('type') { should eq :directory }
202
- it { should be_directory }
203
- end
204
-
205
- ### Test if a path is a file and not a directory
206
-
207
- describe file('/proc/version') do
208
- its('type') { should cmp 'file' }
209
- it { should be_file }
210
- it { should_not be_directory }
211
- end
212
-
213
- ### Test if a file is a symbolic link
214
-
215
- describe file('/dev/stdout') do
216
- its('type') { should cmp 'symlink' }
217
- it { should be_symlink }
218
- it { should_not be_file }
219
- it { should_not be_directory }
220
- end
221
-
222
- ### Test if a file is a character device
223
-
224
- describe file('/dev/zero') do
225
- its('type') { should cmp 'character' }
226
- it { should be_character_device }
227
- it { should_not be_file }
228
- it { should_not be_directory }
229
- end
230
-
231
- ### Test if a file is a block device
232
-
233
- describe file('/dev/zero') do
234
- its('type') { should cmp 'block' }
235
- it { should be_character_device }
236
- it { should_not be_file }
237
- it { should_not be_directory }
238
- end
239
-
240
- ### Test the mode for a file
241
-
242
- describe file('/dev') do
243
- its('mode') { should cmp '00755' }
244
- end
245
-
246
- ### Test the owner of a file
247
-
248
- describe file('/root') do
249
- its('owner') { should eq 'root' }
250
- end
251
-
252
- ### Test if a file is owned by the root user
253
-
254
- describe file('/dev') do
255
- it { should be_owned_by 'root' }
256
- end
257
-
258
- ### Test the mtime for a file
259
-
260
- describe file('/') do
261
- its('mtime') { should <= Time.now.to_i }
262
- its('mtime') { should >= Time.now.to_i - 1000 }
263
- end
264
-
265
- ### Test that a file's size is between 64 and 10240
266
-
267
- describe file('/') do
268
- its('size') { should be > 64 }
269
- its('size') { should be < 10240 }
270
- end
271
-
272
- ### Test that a file's size is zero
273
-
274
- describe file('/proc/cpuinfo') do
275
- its('size') { should be 0 }
276
- end
277
-
278
-
279
- ### Test an MD5 checksum
280
-
281
- require 'digest'
282
- cpuinfo = file('/proc/cpuinfo').content
283
-
284
- md5sum = Digest::MD5.hexdigest(cpuinfo)
285
-
286
- describe file('/proc/cpuinfo') do
287
- its('md5sum') { should eq md5sum }
288
- end
289
-
290
- ### Test an SHA-256 checksum
291
-
292
- require 'digest'
293
- cpuinfo = file('/proc/cpuinfo').content
294
-
295
- sha256sum = Digest::SHA256.hexdigest(cpuinfo)
296
-
297
- describe file('/proc/cpuinfo') do
298
- its('sha256sum') { should eq sha256sum }
299
- end
300
-
301
- ### Verify NTP
302
-
303
- The following example shows how to use the `file` audit resource to verify if the `ntp.conf` and `leap-seconds` files are present, and then the `command` resource to verify if NTP is installed and running:
304
-
305
- describe file('/etc/ntp.conf') do
306
- it { should be_file }
307
- end
308
-
309
- describe file('/etc/ntp.leapseconds') do
310
- it { should be_file }
311
- end
312
-
313
- describe command('pgrep ntp') do
314
- its('exit_status') { should eq 0 }
315
- end
316
-
317
- ### Test parameters of symlinked file
318
-
319
- If you need to test the parameters of the target file for a symlink, you can use the `link_path` method for the `file` resource.
320
-
321
- For example, for the following symlink:
322
-
323
- lrwxrwxrwx. 1 root root 11 03-10 17:56 /dev/virtio-ports/com.redhat.rhevm.vdsm -> ../vport2p1
324
-
325
- ... you can write controls for both the link and the target.
326
-
327
- describe file('/dev/virtio-ports/com.redhat.rhevm.vdsm') do
328
- it { should be_symlink }
329
- end
330
-
331
- virito_port_vdsm = file('/dev/virtio-ports/com.redhat.rhevm.vdsm').link_path
332
- describe file(virito_port_vdsm) do
333
- it { should exist }
334
- it { should be_character_device }
335
- it { should be_owned_by 'ovirtagent' }
336
- it { should be_grouped_into 'ovirtagent' }
337
- end
338
-
339
- <br>
340
-
341
- ## Matchers
342
-
343
- For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
344
-
345
- ### be\_allowed
346
-
347
- The `be_allowed` matcher tests if the file contains a certain permission set, such as `execute` or `write` in Unix and [`full-control` or `modify` in Windows](https://www.codeproject.com/Reference/871338/AccessControl-FileSystemRights-Permissions-Table).
348
-
349
- it { should be_allowed('read') }
350
-
351
- Just like with `be_executable` and other permissions, one can check for the permission with respect to the specific user or group.
352
-
353
- it { should be_allowed('full-control', by_user: 'MyComputerName\Administrator') }
354
-
355
- OR
356
-
357
- it { should be_allowed('write', by: 'root') }
358
-
359
- ### be\_block\_device
360
-
361
- The `be_block_device` matcher tests if the file exists as a block device, such as `/dev/disk0` or `/dev/disk0s9`:
362
-
363
- it { should be_block_device }
364
-
365
- ### be\_character\_device
366
-
367
- The `be_character_device` matcher tests if the file exists as a character device (that corresponds to a block device), such as `/dev/rdisk0` or `/dev/rdisk0s9`:
368
-
369
- it { should be_character_device }
370
-
371
- ### be_directory
372
-
373
- The `be_directory` matcher tests if the file exists as a directory, such as `/etc/passwd`, `/etc/shadow`, or `/var/log/httpd`:
374
-
375
- it { should be_directory }
376
-
377
- ### be_executable
378
-
379
- The `be_executable` matcher tests if the file exists as an executable:
380
-
381
- it { should be_executable }
382
-
383
- The `be_executable` matcher may also test if the file is executable by a specific owner, group, or user. For example, a group:
384
-
385
- it { should be_executable.by('group') }
386
-
387
- an owner:
388
-
389
- it { should be_executable.by('owner') }
390
-
391
- any user other than the owner or members of the file's group:
392
-
393
- it { should be_executable.by('others') }
394
-
395
- a user:
396
-
397
- it { should be_executable.by_user('user') }
398
-
399
- ### be_file
400
-
401
- The `be_file` matcher tests if the file exists as a file. This can be useful with configuration files like `/etc/passwd` where there typically is not an associated file extension---`passwd.txt`:
402
-
403
- it { should be_file }
404
-
405
- ### be\_grouped\_into
406
-
407
- The `be_grouped_into` matcher tests if the file exists as part of the named group:
408
-
409
- it { should be_grouped_into 'group' }
410
-
411
- ### be_immutable
412
-
413
- The `be_immutable` matcher tests if the file is immutable, i.e. "cannot be changed":
414
-
415
- it { should be_immutable }
416
-
417
- ### be\_linked\_to
418
-
419
- The `be_linked_to` matcher tests if the file is linked to the named target:
420
-
421
- it { should be_linked_to '/etc/target-file' }
422
-
423
-
424
- ### be\_owned\_by
425
-
426
- The `be_owned_by` matcher tests if the file is owned by the named user, such as `root`:
427
-
428
- it { should be_owned_by 'root' }
429
-
430
- ### be_pipe
431
-
432
- The `be_pipe` matcher tests if the file exists as first-in, first-out special file (`.fifo`) that is typically used to define a named pipe, such as `/var/log/nginx/access.log.fifo`:
433
-
434
- it { should be_pipe }
435
-
436
- ### be_readable
437
-
438
- The `be_readable` matcher tests if the file is readable:
439
-
440
- it { should be_readable }
441
-
442
- The `be_readable` matcher may also test if the file is readable by a specific owner, group, or user. For example, a group:
443
-
444
- it { should be_readable.by('group') }
445
-
446
- an owner:
447
-
448
- it { should be_readable.by('owner') }
449
-
450
- any user other than the owner or members of the file's group:
451
-
452
- it { should be_readable.by('others') }
453
-
454
- a user:
455
-
456
- it { should be_readable.by_user('user') }
457
-
458
- ### be_setgid
459
-
460
- The `be_setgid` matcher tests if the 'setgid' permission is set on the file or directory. On executable files, this causes the process to be started owned by the group that owns the file, rather than the primary group of the invocating user. This can result in escalation of privilege. On Linux, when setgid is set on directories, setgid causes newly created files and directories to be owned by the group that owns the setgid parent directory; additionally, newly created subdirectories will have the setgid bit set. To use this matcher:
461
-
462
- it { should be_setgid }
463
-
464
- ### be_socket
465
-
466
- The `be_socket` matcher tests if the file exists as socket (`.sock`), such as `/var/run/php-fpm.sock`:
467
-
468
- it { should be_socket }
469
-
470
- ### be_sticky
471
-
472
- The `be_sticky` matcher tests if the 'sticky bit' permission is set on the directory. On directories, this restricts file deletion to the owner of the file, even if the permission of the parent directory would normally permit deletion by others. This is commonly used on /tmp filesystems. To use this matcher:
473
-
474
- it { should be_sticky }
475
-
476
- ### be_setuid
477
-
478
- The `be_setuid` matcher tests if the 'setuid' permission is set on the file. On executable files, this causes the process to be started owned by the user that owns the file, rather than invocating user. This can result in escalation of privilege. To use this matcher:
479
-
480
- it { should be_setuid }
481
-
482
- ### be_symlink
483
-
484
- The `be_symlink` matcher tests if the file exists as a symbolic, or soft link that contains an absolute or relative path reference to another file:
485
-
486
- it { should be_symlink }
487
-
488
- ### be_version
489
-
490
- The `be_version` matcher tests the version of the file:
491
-
492
- it { should be_version '1.2.3' }
493
-
494
- ### be_writable
495
-
496
- The `be_writable` matcher tests if the file is writable:
497
-
498
- it { should be_writable }
499
-
500
- The `be_writable` matcher may also test if the file is writable by a specific owner, group, or user. For example, a group:
501
-
502
- it { should be_writable.by('group') }
503
-
504
- an owner:
505
-
506
- it { should be_writable.by('owner') }
507
-
508
- any user other than the owner or members of the file's group:
509
-
510
- it { should be_writable.by('others') }
511
-
512
- a user:
513
-
514
- it { should be_writable.by_user('user') }
515
-
516
- ### exist
517
-
518
- The `exist` matcher tests if the named file exists:
519
-
520
- it { should exist }
521
-
522
- ### have_mode
523
-
524
- The `have_mode` matcher tests if a file has a mode assigned to it:
525
-
526
- it { should have_mode }
1
+ ---
2
+ title: About the file Resource
3
+ platform: os
4
+ ---
5
+
6
+ # file
7
+
8
+ Use the `file` InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.
9
+
10
+ <br>
11
+
12
+ ## Syntax
13
+
14
+ A `file` resource block declares the location of the file type to be tested, the expected file type (if required), and one (or more) resource properties.
15
+
16
+ describe file('path') do
17
+ it { should PROPERTY 'value' }
18
+ end
19
+
20
+ where
21
+
22
+ * `('path')` is the name of the file and/or the path to the file.
23
+ * `PROPERTY` is a valid resource property for this resource'
24
+ * `'value'` is the value to be tested.
25
+
26
+ <br>
27
+
28
+ ## Properties
29
+
30
+ ### General Properties
31
+
32
+ content, size, basename, path, owner, group, type
33
+
34
+ ### Unix/Linux Properties
35
+
36
+ symlink, mode, link_path, mtime, size, selinux\_label, md5sum, sha256sum, path, source, source\_path, uid, gid
37
+
38
+ ### Windows Properties
39
+
40
+ file\_version, product\_version
41
+
42
+ <br>
43
+
44
+ ## Resource Property Examples
45
+
46
+ ### content
47
+
48
+ The `content` property tests if contents in the file match the value specified in a regular expression. The values of the `content` property are arbitrary and depend on the file type being tested and also the type of information that is expected to be in that file:
49
+
50
+ its('content') { should match REGEX }
51
+
52
+ The following complete example tests the `pg_hba.conf` file in PostgreSQL for MD5 requirements. The tests look at all `host` and `local` settings in that file, and then compare the MD5 checksums against the values in the test:
53
+
54
+ describe file('/etc/postgresql/9.1/main/pg_hba.conf') do
55
+ its('content') { should match(%r{local\s.*?all\s.*?all\s.*?md5}) }
56
+ its('content') { should match(%r{host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5}) }
57
+ its('content') { should match(%r{host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5}) }
58
+ end
59
+
60
+ ### file_version
61
+
62
+ The `file_version` property tests if a Windows file's version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
63
+
64
+ its('file_version') { should eq '1.2.3' }
65
+
66
+ ### group
67
+
68
+ The `group` property tests if the group to which a file belongs matches the specified value.
69
+
70
+ its('group') { should eq 'admins' }
71
+
72
+ The following examples show how to use this InSpec audit resource.
73
+
74
+ ### link_path
75
+
76
+ The `link_path` property tests if the file exists at the specified path. If the file is a symlink,
77
+ InSpec will resolve the symlink and return the ultimate linked file.
78
+
79
+ its('link_path') { should eq '/some/path/to/file' }
80
+
81
+ ### md5sum
82
+
83
+ The `md5sum` property tests if the MD5 checksum for a file matches the specified value.
84
+
85
+ its('md5sum') { should eq '3329x3hf9130gjs9jlasf2305mx91s4j' }
86
+
87
+ ### mode
88
+
89
+ The `mode` property tests if the mode assigned to the file matches the specified value.
90
+
91
+ its('mode') { should cmp '0644' }
92
+
93
+ InSpec [octal](https://en.wikipedia.org/wiki/Leading_zero#0_as_a_prefix) values begin the numeric mode specification with zero.
94
+
95
+ For example, write:
96
+
97
+ { should cmp '0644' }
98
+
99
+ not
100
+
101
+ { should cmp '644' }
102
+
103
+ Without the zero prefix for the octal value, InSpec will interpret it as the _decimal_ value 644, which is octal 1024 or `-----w-r-T`, and any test for a file that is `-rw-r--r--` will fail.
104
+
105
+ ### mtime
106
+
107
+ The `mtime` property tests if the file modification time for the file matches the specified value. The mtime, where supported, is returned as the number of seconds since the epoch.
108
+
109
+ describe file('/') do
110
+ its('mtime') { should <= Time.now.to_i }
111
+ its('mtime') { should >= Time.now.to_i - 1000 }
112
+ end
113
+
114
+ ### owner
115
+
116
+ The `owner` property tests if the owner of the file matches the specified value.
117
+
118
+ its('owner') { should eq 'root' }
119
+
120
+ ### product_version
121
+
122
+ The `product_version` property tests if a Windows file's product version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates.
123
+
124
+ its('product_version') { should eq '2.3.4' }
125
+
126
+ ### selinux_label
127
+
128
+ The `selinux_label` property tests if the SELinux label for a file matches the specified value.
129
+
130
+ its('selinux_label') { should eq 'system_u:system_r:httpd_t:s0' }
131
+
132
+ ### sha256sum
133
+
134
+ The `sha256sum` property tests if the SHA-256 checksum for a file matches the specified value.
135
+
136
+ its('sha256sum') { should eq 'b837ch38lh19bb8eaopl8jvxwd2e4g58jn9lkho1w3ed9jbkeicalplaad9k0pjn' }
137
+
138
+ ### size
139
+
140
+ The `size` property tests if a file's size matches, is greater than, or is less than the specified value. For example, equal:
141
+
142
+ its('size') { should eq 32375 }
143
+
144
+ Greater than:
145
+
146
+ its('size') { should > 64 }
147
+
148
+ Less than:
149
+
150
+ its('size') { should < 10240 }
151
+
152
+ ### type
153
+
154
+ The `type` property tests for the file type. The available types are:
155
+
156
+ * `file`: the object is a file
157
+ * `directory`: the object is a directory
158
+ * `link`: the object is a symbolic link
159
+ * `pipe`: the object is a named pipe
160
+ * `socket`: the object is a socket
161
+ * `character_device`: the object is a character device
162
+ * `block_device`: the object is a block device
163
+ * `door`: the object is a door device
164
+
165
+ The `type` method usually returns the type as a Ruby "symbol". We recommend using the `cmp` matcher to match
166
+ either by symbol or string.
167
+
168
+ For example:
169
+
170
+ its('type') { should eq :file }
171
+ its('type') { should cmp 'file' }
172
+
173
+ or:
174
+
175
+ its('type') { should eq :socket }
176
+ its('type') { should cmp 'socket' }
177
+
178
+ ### Test the contents of a file for MD5 requirements
179
+
180
+ describe file('/etc/postgresql/9.1/main/pg_hba.conf') do
181
+ its('content') { should match /local\s.*?all\s.*?all\s.*?md5/ }
182
+ its('content') { should match %r{/host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5/} }
183
+ its('content') { should match %r{/host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5/} }
184
+ end
185
+
186
+ ### Test if a file exists
187
+
188
+ describe file('/tmp') do
189
+ it { should exist }
190
+ end
191
+
192
+ ### Test that a file does not exist
193
+
194
+ describe file('/tmpest') do
195
+ it { should_not exist }
196
+ end
197
+
198
+ ### Test if a path is a directory
199
+
200
+ describe file('/tmp') do
201
+ its('type') { should eq :directory }
202
+ it { should be_directory }
203
+ end
204
+
205
+ ### Test if a path is a file and not a directory
206
+
207
+ describe file('/proc/version') do
208
+ its('type') { should cmp 'file' }
209
+ it { should be_file }
210
+ it { should_not be_directory }
211
+ end
212
+
213
+ ### Test if a file is a symbolic link
214
+
215
+ describe file('/dev/stdout') do
216
+ its('type') { should cmp 'symlink' }
217
+ it { should be_symlink }
218
+ it { should_not be_file }
219
+ it { should_not be_directory }
220
+ end
221
+
222
+ ### Test if a file is a character device
223
+
224
+ describe file('/dev/zero') do
225
+ its('type') { should cmp 'character' }
226
+ it { should be_character_device }
227
+ it { should_not be_file }
228
+ it { should_not be_directory }
229
+ end
230
+
231
+ ### Test if a file is a block device
232
+
233
+ describe file('/dev/zero') do
234
+ its('type') { should cmp 'block' }
235
+ it { should be_character_device }
236
+ it { should_not be_file }
237
+ it { should_not be_directory }
238
+ end
239
+
240
+ ### Test the mode for a file
241
+
242
+ describe file('/dev') do
243
+ its('mode') { should cmp '00755' }
244
+ end
245
+
246
+ ### Test the owner of a file
247
+
248
+ describe file('/root') do
249
+ its('owner') { should eq 'root' }
250
+ end
251
+
252
+ ### Test if a file is owned by the root user
253
+
254
+ describe file('/dev') do
255
+ it { should be_owned_by 'root' }
256
+ end
257
+
258
+ ### Test the mtime for a file
259
+
260
+ describe file('/') do
261
+ its('mtime') { should <= Time.now.to_i }
262
+ its('mtime') { should >= Time.now.to_i - 1000 }
263
+ end
264
+
265
+ ### Test that a file's size is between 64 and 10240
266
+
267
+ describe file('/') do
268
+ its('size') { should be > 64 }
269
+ its('size') { should be < 10240 }
270
+ end
271
+
272
+ ### Test that a file's size is zero
273
+
274
+ describe file('/proc/cpuinfo') do
275
+ its('size') { should be 0 }
276
+ end
277
+
278
+
279
+ ### Test an MD5 checksum
280
+
281
+ require 'digest'
282
+ cpuinfo = file('/proc/cpuinfo').content
283
+
284
+ md5sum = Digest::MD5.hexdigest(cpuinfo)
285
+
286
+ describe file('/proc/cpuinfo') do
287
+ its('md5sum') { should eq md5sum }
288
+ end
289
+
290
+ ### Test an SHA-256 checksum
291
+
292
+ require 'digest'
293
+ cpuinfo = file('/proc/cpuinfo').content
294
+
295
+ sha256sum = Digest::SHA256.hexdigest(cpuinfo)
296
+
297
+ describe file('/proc/cpuinfo') do
298
+ its('sha256sum') { should eq sha256sum }
299
+ end
300
+
301
+ ### Verify NTP
302
+
303
+ The following example shows how to use the `file` audit resource to verify if the `ntp.conf` and `leap-seconds` files are present, and then the `command` resource to verify if NTP is installed and running:
304
+
305
+ describe file('/etc/ntp.conf') do
306
+ it { should be_file }
307
+ end
308
+
309
+ describe file('/etc/ntp.leapseconds') do
310
+ it { should be_file }
311
+ end
312
+
313
+ describe command('pgrep ntp') do
314
+ its('exit_status') { should eq 0 }
315
+ end
316
+
317
+ ### Test parameters of symlinked file
318
+
319
+ If you need to test the parameters of the target file for a symlink, you can use the `link_path` method for the `file` resource.
320
+
321
+ For example, for the following symlink:
322
+
323
+ lrwxrwxrwx. 1 root root 11 03-10 17:56 /dev/virtio-ports/com.redhat.rhevm.vdsm -> ../vport2p1
324
+
325
+ ... you can write controls for both the link and the target.
326
+
327
+ describe file('/dev/virtio-ports/com.redhat.rhevm.vdsm') do
328
+ it { should be_symlink }
329
+ end
330
+
331
+ virito_port_vdsm = file('/dev/virtio-ports/com.redhat.rhevm.vdsm').link_path
332
+ describe file(virito_port_vdsm) do
333
+ it { should exist }
334
+ it { should be_character_device }
335
+ it { should be_owned_by 'ovirtagent' }
336
+ it { should be_grouped_into 'ovirtagent' }
337
+ end
338
+
339
+ <br>
340
+
341
+ ## Matchers
342
+
343
+ For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
344
+
345
+ ### be\_allowed
346
+
347
+ The `be_allowed` matcher tests if the file contains a certain permission set, such as `execute` or `write` in Unix and [`full-control` or `modify` in Windows](https://www.codeproject.com/Reference/871338/AccessControl-FileSystemRights-Permissions-Table).
348
+
349
+ it { should be_allowed('read') }
350
+
351
+ Just like with `be_executable` and other permissions, one can check for the permission with respect to the specific user or group.
352
+
353
+ it { should be_allowed('full-control', by_user: 'MyComputerName\Administrator') }
354
+
355
+ OR
356
+
357
+ it { should be_allowed('write', by: 'root') }
358
+
359
+ ### be\_block\_device
360
+
361
+ The `be_block_device` matcher tests if the file exists as a block device, such as `/dev/disk0` or `/dev/disk0s9`:
362
+
363
+ it { should be_block_device }
364
+
365
+ ### be\_character\_device
366
+
367
+ The `be_character_device` matcher tests if the file exists as a character device (that corresponds to a block device), such as `/dev/rdisk0` or `/dev/rdisk0s9`:
368
+
369
+ it { should be_character_device }
370
+
371
+ ### be_directory
372
+
373
+ The `be_directory` matcher tests if the file exists as a directory, such as `/etc/passwd`, `/etc/shadow`, or `/var/log/httpd`:
374
+
375
+ it { should be_directory }
376
+
377
+ ### be_executable
378
+
379
+ The `be_executable` matcher tests if the file exists as an executable:
380
+
381
+ it { should be_executable }
382
+
383
+ The `be_executable` matcher may also test if the file is executable by a specific owner, group, or user. For example, a group:
384
+
385
+ it { should be_executable.by('group') }
386
+
387
+ an owner:
388
+
389
+ it { should be_executable.by('owner') }
390
+
391
+ any user other than the owner or members of the file's group:
392
+
393
+ it { should be_executable.by('others') }
394
+
395
+ a user:
396
+
397
+ it { should be_executable.by_user('user') }
398
+
399
+ ### be_file
400
+
401
+ The `be_file` matcher tests if the file exists as a file. This can be useful with configuration files like `/etc/passwd` where there typically is not an associated file extension---`passwd.txt`:
402
+
403
+ it { should be_file }
404
+
405
+ ### be\_grouped\_into
406
+
407
+ The `be_grouped_into` matcher tests if the file exists as part of the named group:
408
+
409
+ it { should be_grouped_into 'group' }
410
+
411
+ ### be_immutable
412
+
413
+ The `be_immutable` matcher tests if the file is immutable, i.e. "cannot be changed":
414
+
415
+ it { should be_immutable }
416
+
417
+ ### be\_linked\_to
418
+
419
+ The `be_linked_to` matcher tests if the file is linked to the named target:
420
+
421
+ it { should be_linked_to '/etc/target-file' }
422
+
423
+
424
+ ### be\_owned\_by
425
+
426
+ The `be_owned_by` matcher tests if the file is owned by the named user, such as `root`:
427
+
428
+ it { should be_owned_by 'root' }
429
+
430
+ ### be_pipe
431
+
432
+ The `be_pipe` matcher tests if the file exists as first-in, first-out special file (`.fifo`) that is typically used to define a named pipe, such as `/var/log/nginx/access.log.fifo`:
433
+
434
+ it { should be_pipe }
435
+
436
+ ### be_readable
437
+
438
+ The `be_readable` matcher tests if the file is readable:
439
+
440
+ it { should be_readable }
441
+
442
+ The `be_readable` matcher may also test if the file is readable by a specific owner, group, or user. For example, a group:
443
+
444
+ it { should be_readable.by('group') }
445
+
446
+ an owner:
447
+
448
+ it { should be_readable.by('owner') }
449
+
450
+ any user other than the owner or members of the file's group:
451
+
452
+ it { should be_readable.by('others') }
453
+
454
+ a user:
455
+
456
+ it { should be_readable.by_user('user') }
457
+
458
+ ### be_setgid
459
+
460
+ The `be_setgid` matcher tests if the 'setgid' permission is set on the file or directory. On executable files, this causes the process to be started owned by the group that owns the file, rather than the primary group of the invocating user. This can result in escalation of privilege. On Linux, when setgid is set on directories, setgid causes newly created files and directories to be owned by the group that owns the setgid parent directory; additionally, newly created subdirectories will have the setgid bit set. To use this matcher:
461
+
462
+ it { should be_setgid }
463
+
464
+ ### be_socket
465
+
466
+ The `be_socket` matcher tests if the file exists as socket (`.sock`), such as `/var/run/php-fpm.sock`:
467
+
468
+ it { should be_socket }
469
+
470
+ ### be_sticky
471
+
472
+ The `be_sticky` matcher tests if the 'sticky bit' permission is set on the directory. On directories, this restricts file deletion to the owner of the file, even if the permission of the parent directory would normally permit deletion by others. This is commonly used on /tmp filesystems. To use this matcher:
473
+
474
+ it { should be_sticky }
475
+
476
+ ### be_setuid
477
+
478
+ The `be_setuid` matcher tests if the 'setuid' permission is set on the file. On executable files, this causes the process to be started owned by the user that owns the file, rather than invocating user. This can result in escalation of privilege. To use this matcher:
479
+
480
+ it { should be_setuid }
481
+
482
+ ### be_symlink
483
+
484
+ The `be_symlink` matcher tests if the file exists as a symbolic, or soft link that contains an absolute or relative path reference to another file:
485
+
486
+ it { should be_symlink }
487
+
488
+ ### be_version
489
+
490
+ The `be_version` matcher tests the version of the file:
491
+
492
+ it { should be_version '1.2.3' }
493
+
494
+ ### be_writable
495
+
496
+ The `be_writable` matcher tests if the file is writable:
497
+
498
+ it { should be_writable }
499
+
500
+ The `be_writable` matcher may also test if the file is writable by a specific owner, group, or user. For example, a group:
501
+
502
+ it { should be_writable.by('group') }
503
+
504
+ an owner:
505
+
506
+ it { should be_writable.by('owner') }
507
+
508
+ any user other than the owner or members of the file's group:
509
+
510
+ it { should be_writable.by('others') }
511
+
512
+ a user:
513
+
514
+ it { should be_writable.by_user('user') }
515
+
516
+ ### exist
517
+
518
+ The `exist` matcher tests if the named file exists:
519
+
520
+ it { should exist }
521
+
522
+ ### have_mode
523
+
524
+ The `have_mode` matcher tests if a file has a mode assigned to it:
525
+
526
+ it { should have_mode }