inspec 2.1.84 → 2.2.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +31 -8
- data/README.md +1 -0
- data/docs/dev/filtertable-internals.md +353 -0
- data/docs/dev/filtertable-usage.md +533 -0
- data/docs/matchers.md +36 -36
- data/docs/profiles.md +2 -2
- data/docs/resources/apache.md.erb +1 -1
- data/docs/resources/aws_elb.md.erb +144 -0
- data/docs/resources/aws_elbs.md.erb +242 -0
- data/docs/resources/aws_flow_log.md.erb +118 -0
- data/docs/resources/aws_iam_groups.md.erb +34 -1
- data/docs/resources/crontab.md.erb +10 -6
- data/docs/resources/dh_params.md.erb +71 -65
- data/docs/resources/docker_service.md.erb +1 -1
- data/docs/resources/etc_fstab.md.erb +1 -1
- data/docs/resources/firewalld.md.erb +1 -1
- data/docs/resources/http.md.erb +1 -1
- data/docs/resources/iis_app.md.erb +1 -1
- data/docs/resources/inetd_conf.md.erb +1 -1
- data/docs/resources/nginx.md.erb +1 -1
- data/docs/resources/npm.md.erb +9 -1
- data/docs/resources/os.md.erb +21 -19
- data/docs/resources/shadow.md.erb +37 -31
- data/docs/resources/x509_certificate.md.erb +2 -2
- data/examples/custom-resource/README.md +3 -0
- data/examples/custom-resource/controls/example.rb +7 -0
- data/examples/custom-resource/inspec.yml +8 -0
- data/examples/custom-resource/libraries/batsignal.rb +20 -0
- data/examples/custom-resource/libraries/gordon.rb +21 -0
- data/lib/inspec/reporters/junit.rb +1 -0
- data/lib/inspec/resource.rb +8 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/resource_support/aws.rb +3 -0
- data/lib/resources/aws/aws_elb.rb +81 -0
- data/lib/resources/aws/aws_elbs.rb +78 -0
- data/lib/resources/aws/aws_flow_log.rb +102 -0
- data/lib/resources/aws/aws_iam_groups.rb +1 -2
- data/lib/resources/aws/aws_iam_users.rb +65 -47
- data/lib/resources/npm.rb +15 -2
- data/lib/resources/package.rb +1 -1
- data/lib/utils/filter.rb +243 -85
- metadata +15 -2
@@ -0,0 +1,118 @@
|
|
1
|
+
---
|
2
|
+
title: About the aws_flow_log Resource
|
3
|
+
platform: aws
|
4
|
+
---
|
5
|
+
|
6
|
+
# aws\_flow\_log
|
7
|
+
|
8
|
+
Use the `aws_flow_log` InSpec audit resource to test properties of a single Flow Log.
|
9
|
+
|
10
|
+
## Syntax
|
11
|
+
|
12
|
+
describe aws_flow_log('fl-9c718cf5') do
|
13
|
+
it { should exist }
|
14
|
+
end
|
15
|
+
|
16
|
+
## Resource Parameters
|
17
|
+
### flow\_log\_id
|
18
|
+
|
19
|
+
This resource accepts a single parameter or other search terms. You may pass it as a string, or as the value in a hash:
|
20
|
+
|
21
|
+
describe aws_flow_log('fl-9c718cf5') do
|
22
|
+
it { should exist }
|
23
|
+
end
|
24
|
+
|
25
|
+
describe aws_flow_log(flow_log_id: 'fl-8905f8e0') do
|
26
|
+
it { should exist }
|
27
|
+
end
|
28
|
+
|
29
|
+
### subnet\_id
|
30
|
+
|
31
|
+
To search for a flow log by the associated subnet id:
|
32
|
+
|
33
|
+
describe aws_flow_log(subnet_id: 'subnet-c6a4319c') do
|
34
|
+
it { should exist }
|
35
|
+
end
|
36
|
+
|
37
|
+
### vpc\_id
|
38
|
+
|
39
|
+
To search for a flow log by the associated vpc id:
|
40
|
+
|
41
|
+
describe aws_flow_log(vpc_id: 'vpc-96cabaef') do
|
42
|
+
it { should exist }
|
43
|
+
end
|
44
|
+
|
45
|
+
## Properties
|
46
|
+
### flow\_log\_id
|
47
|
+
|
48
|
+
The `flow_log_id` property tests the name of the flow log.
|
49
|
+
|
50
|
+
describe aws_flow_log(subnet_id: 'subnet-c6a4319c') do
|
51
|
+
its('flow_log_id') { should cmp 'fl-9c718cf5' }
|
52
|
+
end
|
53
|
+
|
54
|
+
### log\_group\_name
|
55
|
+
|
56
|
+
The `log_group_name` property tests the name of the associated log group.
|
57
|
+
|
58
|
+
describe aws_flow_log('fl-9c718cf5') do
|
59
|
+
its('log_group_name') { should cmp 'test_log_group' }
|
60
|
+
end
|
61
|
+
|
62
|
+
### resource\_id
|
63
|
+
|
64
|
+
The `resource_id` property tests the id of the associated VPC, subnet, or network interface.
|
65
|
+
|
66
|
+
describe aws_flow_log('fl-9c718cf5') do
|
67
|
+
its('resource_id') { should cmp 'subnet-c6a4319c' }
|
68
|
+
end
|
69
|
+
|
70
|
+
### resource\_type
|
71
|
+
|
72
|
+
The `resource_type` property tests the type of resource the Flow Log is attached to.
|
73
|
+
The property will return `eni`, `subnet`, or `vpc`.
|
74
|
+
|
75
|
+
describe aws_flow_log('fl-9c718cf5') do
|
76
|
+
its('resource_type') { should cmp 'subnet' }
|
77
|
+
end
|
78
|
+
|
79
|
+
## Matchers
|
80
|
+
|
81
|
+
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
82
|
+
|
83
|
+
### exist
|
84
|
+
|
85
|
+
Indicates that the Flow Log provided was found. Use `should_not` to test for Flow Logs that should not exist.
|
86
|
+
|
87
|
+
describe aws_flow_log('should-be-there') do
|
88
|
+
it { should exist }
|
89
|
+
end
|
90
|
+
|
91
|
+
describe aws_flow_log('should-not-be-there') do
|
92
|
+
it { should_not exist }
|
93
|
+
end
|
94
|
+
|
95
|
+
### be\_attached\_to\_eni
|
96
|
+
|
97
|
+
Indicates that the Flow Log is attached to a ENI resource.
|
98
|
+
|
99
|
+
describe aws_flow_log('fl-9c718cf5') do
|
100
|
+
it { should be_attached_to_eni }
|
101
|
+
end
|
102
|
+
|
103
|
+
### be\_attached\_to\_subnet
|
104
|
+
|
105
|
+
Indicates that the Flow Log is attached to a subnet resource.
|
106
|
+
|
107
|
+
describe aws_flow_log('fl-9c718cf5') do
|
108
|
+
it { should be_attached_to_subnet }
|
109
|
+
end
|
110
|
+
|
111
|
+
### be\_attached\_to\_vpc
|
112
|
+
|
113
|
+
Indicates that the Flow Log is attached to a vpc resource.
|
114
|
+
|
115
|
+
describe aws_flow_log('fl-9c718cf5') do
|
116
|
+
it { should be_attached_to_vpc }
|
117
|
+
end
|
118
|
+
|
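Review bot: the three `be_attached_to_*` matcher examples in the new aws_flow_log page all query the same flow log `fl-9c718cf5`, yet the `resource_type` example a few sections earlier says that flow log is attached to a `subnet`, so the `be_attached_to_eni` and `be_attached_to_vpc` snippets would fail as written; use a distinct ID per example or say explicitly that only one of the three can pass for a given flow log. The resource-parameter sentence "This resource accepts a single parameter or other search terms. You may pass it as a string, or as the value in a hash" is unclear: state that `flow_log_id` may be given as a bare string or as a hash key, while `subnet_id` and `vpc_id` must be hash keys, and document what the singular resource does when a `subnet_id` or `vpc_id` lookup matches more than one flow log, since nothing on the page says. Minor: "attached to a ENI" should read "an ENI".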
@@ -30,9 +30,42 @@ As this is the initial release of `aws_iam_groups`, its limited functionality pr
|
|
30
30
|
|
31
31
|
<br>
|
32
32
|
|
33
|
+
## Filter Criteria
|
34
|
+
|
35
|
+
### group_name
|
36
|
+
|
37
|
+
Filters the IAM groups by their group name, a string. If you know the exact group name, use `aws_iam_group` (singular) instead. This criteria may be used when you know a pattern of the name.
|
38
|
+
|
39
|
+
# Use a regex to find groups ending with 'Admins'
|
40
|
+
describe aws_iam_groups.where(group_name: /Admins$/) do
|
41
|
+
its('group_names') { should include 'FriendlyAdmins' }
|
42
|
+
its('group_names') { shoud_not include 'ShunnedAdmins' }
|
43
|
+
end
|
44
|
+
|
45
|
+
## Properties
|
46
|
+
|
47
|
+
### group_names
|
48
|
+
|
49
|
+
An Array of Strings, reflecting the IAM group names matched by the filter. If no groups matched, this will be empty. You can also use this with `aws_iam_group` to enumerate groups.
|
50
|
+
|
51
|
+
# Check for friendly people
|
52
|
+
describe aws_iam_groups.where(group_name: /Admins$/) do
|
53
|
+
its('group_names') { should include 'FriendlyAdmins' }
|
54
|
+
its('group_names') { should include 'KindAdmins' }
|
55
|
+
end
|
56
|
+
|
57
|
+
# Use to loop and fetch groups individually for auditing in detail
|
58
|
+
# Without a `where`, this fetches all groups
|
59
|
+
aws_iam_groups.group_names.each do |group_names|
|
60
|
+
# A roundabout way of saying "bob should not be in any groups"
|
61
|
+
describe aws_iam_group(group_name) do
|
62
|
+
its('users') { should_not include 'bob' }
|
63
|
+
end
|
64
|
+
end
|
65
|
+
|
33
66
|
## Matchers
|
34
67
|
|
35
|
-
For a full list of available matchers, please visit our [
|
68
|
+
This resource has no resource-specific matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
|
36
69
|
|
37
70
|
### exists
|
38
71
|
|
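Review bot: the `group_names.each` loop example has a block-variable mismatch: the block binds `|group_names|` but the body calls `aws_iam_group(group_name)`, which raises `NameError` when run; rename the block variable to `|group_name|`. In the `group_name` filter example, `shoud_not include 'ShunnedAdmins'` is a typo for `should_not` and will fail with `NoMethodError` rather than as a test failure. The new sentence "This resource has no resource-specific matchers" is immediately followed by the retained `### exists` heading, which contradicts it; either drop the sentence or reword it to say that `exists` is the only matcher and point to the universal matchers for the rest.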
@@ -38,15 +38,19 @@ The following examples show how to use this InSpec audit resource.
|
|
38
38
|
|
39
39
|
### Test that the logged-in user's crontab has no tasks set to run on every hour and every minute
|
40
40
|
|
41
|
-
|
42
|
-
|
43
|
-
|
41
|
+
```ruby
|
42
|
+
describe crontab.where({'hour' => '*', 'minute' => '*'}) do
|
43
|
+
its('entries.length') { should cmp '0' }
|
44
|
+
end
|
45
|
+
```
|
44
46
|
|
45
47
|
### Test that the logged-in user's crontab contains a single command that matches a pattern
|
46
48
|
|
47
|
-
|
48
|
-
|
49
|
-
|
49
|
+
```ruby
|
50
|
+
describe crontab.where { command =~ /a partial command string/ } do
|
51
|
+
its('entries.length') { should cmp 1 }
|
52
|
+
end
|
53
|
+
```
|
50
54
|
|
51
55
|
### Test a special time string (i.e., @yearly /root/annual_report.sh)
|
52
56
|
|
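Review bot: the two `entries.length` assertions are inconsistent, `should cmp '0'` (string) in the first example versus `should cmp 1` (integer) in the second; `cmp` tolerates both, but the examples should use the integer form so readers do not copy the quoted form into an `eq` comparison, where `'0'` would never match an integer length. The block form `where { command =~ /a partial command string/ }` is also introduced here without comment; a half sentence noting that the block form filters on the entry fields by method name (`command`, `hour`, `minute`) would make the two `where` styles easier to tell apart.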
@@ -51,31 +51,33 @@ Verify prime modulus used for the Diffie-Hellman operation:
|
|
51
51
|
|
52
52
|
Example using multi-line string:
|
53
53
|
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
54
|
+
```ruby
|
55
|
+
describe dh_params('/path/to/file.dh_pem') do
|
56
|
+
its('modulus') do
|
57
|
+
# regex removes all whitespace
|
58
|
+
should eq <<-EOF.gsub(/[[:space:]]+/, '')
|
59
|
+
00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
|
60
|
+
f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
|
61
|
+
48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
|
62
|
+
1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
|
63
|
+
2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
|
64
|
+
ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
|
65
|
+
30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
|
66
|
+
1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
|
67
|
+
28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
|
68
|
+
2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
|
69
|
+
01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
|
70
|
+
e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
|
71
|
+
3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
|
72
|
+
60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
|
73
|
+
31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
|
74
|
+
5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
|
75
|
+
4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
|
76
|
+
cd:13
|
77
|
+
EOF
|
78
|
+
end
|
79
|
+
end
|
80
|
+
```
|
79
81
|
|
80
82
|
### prime_length (Integer)
|
81
83
|
|
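Review bot: the `modulus` example never states the format of the value it compares against; the reader has to infer from the sample that it is colon-separated lowercase hex with a leading `00:` byte (257 bytes for this 2048-bit prime, which is why `gsub(/[[:space:]]+/, '')` is needed to join the heredoc lines into one string). A sentence above the example saying so would let people build an expected value from `openssl dhparam -text` output without guessing; the comment "regex removes all whitespace" explains the mechanism but not the format.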
@@ -95,19 +97,21 @@ Verify `pem` output of DH parameters:
|
|
95
97
|
|
96
98
|
Example using multi-line string:
|
97
99
|
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
100
|
+
```ruby
|
101
|
+
its('pem') do
|
102
|
+
# regex removes all leading spaces
|
103
|
+
should eq <<-EOF.gsub(/^[[:blank:]]+/, '')
|
104
|
+
-----BEGIN DH PARAMETERS-----
|
105
|
+
MIIBCAKCAQEAkaAVieW8OJMSAvyRooX39yljLtNOeob37oT+QtBIvJyR1VT4eB3A
|
106
|
+
QXiixKwaJIudiFWYC6ynI+vCqisuqfmv1I5OEbx/NaKs2jrv8CVsmqT9ACh2hixX
|
107
|
+
h2cwXbHWWyKPcqHq3ovvnjMaQJJohQJUAgn6wGDBPE4oJtvtJY44IVZA3MDAZh8r
|
108
|
+
MsO0eKkmlOr3QSiy9VsBOAxGCYUmTWkSjZUPNeLmTkc6ht2Ksv5FFSfYWcI89GL/
|
109
|
+
X3Tpd5JQRzYrBVdg7nuhYMwceit3GIo398cxPhXLFX97Zpb7xr591gNeDWB1K1ti
|
110
|
+
KqM3tjT5/pZM9sXjoVKvAcFPx0Kgvu3NEwIBAg==
|
111
|
+
-----END DH PARAMETERS-----
|
112
|
+
EOF
|
113
|
+
end
|
114
|
+
```
|
111
115
|
|
112
116
|
Verify via `openssl dhparam` command:
|
113
117
|
|
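Review bot: unlike the `modulus` example earlier in this file, the `pem` snippet starts at `its('pem') do` with no enclosing `describe dh_params(...) do ... end`, so it cannot be pasted into a control as shown; wrap it the same way. The `gsub(/^[[:blank:]]+/, '')` exists only to undo the heredoc's indentation; if the supported Ruby baseline is 2.3 or later, the squiggly heredoc `<<~EOF` strips the common indentation itself and removes the need for the regex and its comment.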
@@ -131,32 +135,34 @@ Verify human-readable text output of DH parameters:
|
|
131
135
|
|
132
136
|
Example using multi-line string:
|
133
137
|
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
138
|
+
```ruby
|
139
|
+
its('text') do
|
140
|
+
# regex removes 2 leading spaces
|
141
|
+
should eq <<-EOF.gsub(/^[[:blank:]]{2}/, '')
|
142
|
+
PKCS#3 DH Parameters: (2048 bit)
|
143
|
+
prime:
|
144
|
+
00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
|
145
|
+
f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
|
146
|
+
48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
|
147
|
+
1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
|
148
|
+
2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
|
149
|
+
ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
|
150
|
+
30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
|
151
|
+
1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
|
152
|
+
28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
|
153
|
+
2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
|
154
|
+
01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
|
155
|
+
e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
|
156
|
+
3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
|
157
|
+
60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
|
158
|
+
31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
|
159
|
+
5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
|
160
|
+
4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
|
161
|
+
cd:13
|
162
|
+
generator: 2 (0x2)
|
163
|
+
EOF
|
164
|
+
end
|
165
|
+
```
|
160
166
|
|
161
167
|
Verify via `openssl dhparam` command:
|
162
168
|
|
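Review bot: `gsub(/^[[:blank:]]{2}/, '')` hard-codes the heredoc's indentation depth, so the example only produces the expected `text` value when the control file is indented exactly as this .erb is, which the rendered page does not show; a reader who indents the `describe` block differently gets a spurious mismatch. Because the lines under `prime:` must keep their relative indentation to match the openssl-style `text` output, the indentation-relative `<<~EOF` form is the safer choice here as well. The snippet also lacks the `describe dh_params(...)` wrapper, same as the `pem` example.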
@@ -189,7 +195,7 @@ Verify via `openssl dhparam` command:
|
|
189
195
|
|
190
196
|
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
191
197
|
|
192
|
-
###
|
198
|
+
### be_valid
|
193
199
|
|
194
200
|
Verify whether DH parameters are valid:
|
195
201
|
|
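Review bot: filling the empty `###` heading with `be_valid` is the right fix, but the retained sentence "Verify whether DH parameters are valid:" still leaves the matcher undefined; say what check is performed (for example, whether it corresponds to a passing `openssl dhparam -check`) so that users know what a `be_valid` failure actually means for the parameter set.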
@@ -50,7 +50,7 @@ The `id` property returns the service id:
|
|
50
50
|
|
51
51
|
### image
|
52
52
|
|
53
|
-
The `image` property
|
53
|
+
The `image` property is a combination of `repository:tag` it tests the value of the image:
|
54
54
|
|
55
55
|
its('image') { should eq 'alpine:latest' }
|
56
56
|
|
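Review bot: the new sentence is a run-on: "The `image` property is a combination of `repository:tag` it tests the value of the image:". Suggest "The `image` property returns the service image as `repository:tag`; use it to test which image the service runs:". It would also help to state what the property returns when the image was created without an explicit tag, since the `alpine:latest` example implies a tag is always present.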
@@ -89,7 +89,7 @@ Use the optional constructor parameter to give an alternative path to fstab file
|
|
89
89
|
its('dump_options') { should cmp 0 }
|
90
90
|
end
|
91
91
|
|
92
|
-
###
|
92
|
+
### file\_system\_options
|
93
93
|
|
94
94
|
`file_system_options` returns a integer array of each partitions file system option.
|
95
95
|
|
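Review bot: the heading fix is correct, but the context line directly below it, "`file_system_options` returns a integer array of each partitions file system option.", has both a grammar problem ("a integer", "partitions" should be "partition's") and a likely factual one: fstab mount options such as `defaults`, `nosuid` or `noexec` are strings, so "integer array" reads like a copy-paste from the neighbouring `dump_options` description (`should cmp 0`). Please confirm the return type against the resource and correct the sentence while this file is open.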
data/docs/resources/http.md.erb
CHANGED
@@ -172,7 +172,7 @@ In InSpec 2.0, the HTTP test will automatically execute remotely whenever InSpec
|
|
172
172
|
|
173
173
|
The `body` matcher tests body content of http response:
|
174
174
|
|
175
|
-
|
175
|
+
its('body') { should eq 'hello\n' }
|
176
176
|
|
177
177
|
### headers
|
178
178
|
|
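Review bot: `its('body') { should eq 'hello\n' }` uses single quotes, so in Ruby the expected value is the six characters `hello\n` with a literal backslash, not `hello` followed by a newline; the assertion will fail against a real response body that ends in a newline. Use the double-quoted `"hello\n"`, and consider adding that `body` comparisons with `eq` are exact, including trailing whitespace.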
@@ -28,7 +28,7 @@ where
|
|
28
28
|
* `'site_name'` is the name of the site, such as `'Default Web Site'`
|
29
29
|
* `('application_pool')` is the name of the application pool in which the site's root application is run, such as `'DefaultAppPool'`
|
30
30
|
* `('protocols')` is a binding for the site, such as `'http'`. A site may have multiple bindings; therefore, use a `have_protocol` matcher for each site protocol to be tested
|
31
|
-
* `('physical_path') is the physical path to the application, such as `'C:\\inetpub\\wwwroot\\myapp'`
|
31
|
+
* `('physical_path')` is the physical path to the application, such as `'C:\\inetpub\\wwwroot\\myapp'`
|
32
32
|
|
33
33
|
For example:
|
34
34
|
|
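Review bot: the backtick fix restores the rendering of the `physical_path` bullet, but the list is still inconsistent: the first bullet writes `'site_name'` while the others write `('application_pool')`, `('protocols')` and `('physical_path')`; pick one form for all four so the parameter notation matches the `describe iis_app(...)` call it documents.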
@@ -5,7 +5,7 @@ platform: linux
|
|
5
5
|
|
6
6
|
# inetd_conf
|
7
7
|
|
8
|
-
Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled
|
8
|
+
Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
|
9
9
|
|
10
10
|
<br>
|
11
11
|
|
data/docs/resources/nginx.md.erb
CHANGED
@@ -32,7 +32,7 @@ where
|
|
32
32
|
|
33
33
|
## Properties
|
34
34
|
|
35
|
-
*
|
35
|
+
* `compiler_info`, `error_log_path`, `http_client_body_temp_path`, `http_fastcgi_temp_path`, `http_log_path`, `http_proxy_temp_path`, `http_scgi_temp_path`, `http_uwsgi_temp_path`, `lock_path`, `modules`, `modules_path`, `openssl_version`, `prefix`, `sbin_path`, `service`, `support_info`, `version`
|
36
36
|
|
37
37
|
<br>
|
38
38
|
|
data/docs/resources/npm.md.erb
CHANGED
@@ -5,7 +5,7 @@ platform: os
|
|
5
5
|
|
6
6
|
# npm
|
7
7
|
|
8
|
-
Use the `npm` InSpec audit resource to test if a global NPM package is installed. NPM is the the package manager for Node.js packages
|
8
|
+
Use the `npm` InSpec audit resource to test if a global NPM package is installed. NPM is the the package manager for [Node.js packages](https://docs.npmjs.com), such as Bower and StatsD.
|
9
9
|
|
10
10
|
<br>
|
11
11
|
|
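Review bot: the sentence still reads "NPM is the the package manager"; the doubled "the" carries over from the old line and should go while the line is being touched. The new tail ", such as Bower and StatsD" now hangs off the link text "Node.js packages" in a way that reads as if those are the link target; suggest "NPM is the package manager for [Node.js packages](https://docs.npmjs.com); Bower and StatsD are examples of such packages."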
@@ -22,6 +22,14 @@ where
|
|
22
22
|
* `('npm_package_name')` must specify an NPM package, such as `'bower'` or `'statsd'`
|
23
23
|
* `be_installed` is a valid matcher for this resource
|
24
24
|
|
25
|
+
You can also specify additional options:
|
26
|
+
|
27
|
+
describe npm('npm_package_name', path: '/path/to/project') do
|
28
|
+
it { should be_installed }
|
29
|
+
end
|
30
|
+
|
31
|
+
The `path` specifies a folder, that contains a `node_modules` subdirectory. It emulates running `npm` inside the specified folder. This way you can inspect local NPM installations as well as global ones.
|
32
|
+
|
25
33
|
<br>
|
26
34
|
|
27
35
|
## Examples
|
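Review bot: the description of the new `path` option is the part of this change that matters for auditing and should be tighter: "specifies a folder, that contains a `node_modules` subdirectory" has a misplaced comma (drop it), and "emulates running `npm` inside the specified folder" does not say whether `path` is resolved on the target being inspected or on the machine running InSpec, nor what `be_installed` reports when the directory has no `node_modules` (an error versus "not installed"). Since the corresponding change in `lib/resources/npm.rb` is not shown here, please document both behaviours next to the example.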