inspec 2.1.84 → 2.2.10
- checksums.yaml +4 -4
- data/CHANGELOG.md +31 -8
- data/README.md +1 -0
- data/docs/dev/filtertable-internals.md +353 -0
- data/docs/dev/filtertable-usage.md +533 -0
- data/docs/matchers.md +36 -36
- data/docs/profiles.md +2 -2
- data/docs/resources/apache.md.erb +1 -1
- data/docs/resources/aws_elb.md.erb +144 -0
- data/docs/resources/aws_elbs.md.erb +242 -0
- data/docs/resources/aws_flow_log.md.erb +118 -0
- data/docs/resources/aws_iam_groups.md.erb +34 -1
- data/docs/resources/crontab.md.erb +10 -6
- data/docs/resources/dh_params.md.erb +71 -65
- data/docs/resources/docker_service.md.erb +1 -1
- data/docs/resources/etc_fstab.md.erb +1 -1
- data/docs/resources/firewalld.md.erb +1 -1
- data/docs/resources/http.md.erb +1 -1
- data/docs/resources/iis_app.md.erb +1 -1
- data/docs/resources/inetd_conf.md.erb +1 -1
- data/docs/resources/nginx.md.erb +1 -1
- data/docs/resources/npm.md.erb +9 -1
- data/docs/resources/os.md.erb +21 -19
- data/docs/resources/shadow.md.erb +37 -31
- data/docs/resources/x509_certificate.md.erb +2 -2
- data/examples/custom-resource/README.md +3 -0
- data/examples/custom-resource/controls/example.rb +7 -0
- data/examples/custom-resource/inspec.yml +8 -0
- data/examples/custom-resource/libraries/batsignal.rb +20 -0
- data/examples/custom-resource/libraries/gordon.rb +21 -0
- data/lib/inspec/reporters/junit.rb +1 -0
- data/lib/inspec/resource.rb +8 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/resource_support/aws.rb +3 -0
- data/lib/resources/aws/aws_elb.rb +81 -0
- data/lib/resources/aws/aws_elbs.rb +78 -0
- data/lib/resources/aws/aws_flow_log.rb +102 -0
- data/lib/resources/aws/aws_iam_groups.rb +1 -2
- data/lib/resources/aws/aws_iam_users.rb +65 -47
- data/lib/resources/npm.rb +15 -2
- data/lib/resources/package.rb +1 -1
- data/lib/utils/filter.rb +243 -85
- metadata +15 -2
@@ -0,0 +1,118 @@
|
|
1
|
+
---
|
2
|
+
title: About the aws_flow_log Resource
|
3
|
+
platform: aws
|
4
|
+
---
|
5
|
+
|
6
|
+
# aws\_flow\_log
|
7
|
+
|
8
|
+
Use the `aws_flow_log` InSpec audit resource to test properties of a single Flow Log.
|
9
|
+
|
10
|
+
## Syntax
|
11
|
+
|
12
|
+
describe aws_flow_log('fl-9c718cf5') do
|
13
|
+
it { should exist }
|
14
|
+
end
|
15
|
+
|
16
|
+
## Resource Parameters
|
17
|
+
### flow\_log\_id
|
18
|
+
|
19
|
+
This resource accepts a single parameter or other search terms. You may pass it as a string, or as the value in a hash:
|
20
|
+
|
21
|
+
describe aws_flow_log('fl-9c718cf5') do
|
22
|
+
it { should exist }
|
23
|
+
end
|
24
|
+
|
25
|
+
describe aws_flow_log(flow_log_id: 'fl-8905f8e0') do
|
26
|
+
it { should exist }
|
27
|
+
end
|
28
|
+
|
29
|
+
### subnet\_id
|
30
|
+
|
31
|
+
To search for a flow log by the associated subnet id:
|
32
|
+
|
33
|
+
describe aws_flow_log(subnet_id: 'subnet-c6a4319c') do
|
34
|
+
it { should exist }
|
35
|
+
end
|
36
|
+
|
37
|
+
### vpc\_id
|
38
|
+
|
39
|
+
To search for a flow log by the associated vpc id:
|
40
|
+
|
41
|
+
describe aws_flow_log(vpc_id: 'vpc-96cabaef') do
|
42
|
+
it { should exist }
|
43
|
+
end
|
44
|
+
|
45
|
+
## Properties
|
46
|
+
### flow\_log\_id
|
47
|
+
|
48
|
+
The `flow_log_id` property tests the name of the flow log.
|
49
|
+
|
50
|
+
describe aws_flow_log(subnet_id: 'subnet-c6a4319c') do
|
51
|
+
its('flow_log_id') { should cmp 'fl-9c718cf5' }
|
52
|
+
end
|
53
|
+
|
54
|
+
### log\_group\_name
|
55
|
+
|
56
|
+
The `log_group_name` property tests the name of the associated log group.
|
57
|
+
|
58
|
+
describe aws_flow_log('fl-9c718cf5') do
|
59
|
+
its('log_group_name') { should cmp 'test_log_group' }
|
60
|
+
end
|
61
|
+
|
62
|
+
### resource\_id
|
63
|
+
|
64
|
+
The `resource_id` property tests the id of the associated VPC, subnet, or network interface.
|
65
|
+
|
66
|
+
describe aws_flow_log('fl-9c718cf5') do
|
67
|
+
its('resource_id') { should cmp 'subnet-c6a4319c' }
|
68
|
+
end
|
69
|
+
|
70
|
+
### resource\_type
|
71
|
+
|
72
|
+
The `resource_type` property tests the type of resource the Flow Log is attached to.
|
73
|
+
The property will return `eni`, `subnet`, or `vpc`.
|
74
|
+
|
75
|
+
describe aws_flow_log('fl-9c718cf5') do
|
76
|
+
its('resource_type') { should cmp 'subnet' }
|
77
|
+
end
|
78
|
+
|
79
|
+
## Matchers
|
80
|
+
|
81
|
+
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
82
|
+
|
83
|
+
### exist
|
84
|
+
|
85
|
+
Indicates that the Flow Log provided was found. Use `should_not` to test for Flow Logs that should not exist.
|
86
|
+
|
87
|
+
describe aws_flow_log('should-be-there') do
|
88
|
+
it { should exist }
|
89
|
+
end
|
90
|
+
|
91
|
+
describe aws_flow_log('should-not-be-there') do
|
92
|
+
it { should_not exist }
|
93
|
+
end
|
94
|
+
|
95
|
+
### be\_attached\_to\_eni
|
96
|
+
|
97
|
+
Indicates that the Flow Log is attached to a ENI resource.
|
98
|
+
|
99
|
+
describe aws_flow_log('fl-9c718cf5') do
|
100
|
+
it { should be_attached_to_eni }
|
101
|
+
end
|
102
|
+
|
103
|
+
### be\_attached\_to\_subnet
|
104
|
+
|
105
|
+
Indicates that the Flow Log is attached to a subnet resource.
|
106
|
+
|
107
|
+
describe aws_flow_log('fl-9c718cf5') do
|
108
|
+
it { should be_attached_to_subnet }
|
109
|
+
end
|
110
|
+
|
111
|
+
### be\_attached\_to\_vpc
|
112
|
+
|
113
|
+
Indicates that the Flow Log is attached to a vpc resource.
|
114
|
+
|
115
|
+
describe aws_flow_log('fl-9c718cf5') do
|
116
|
+
it { should be_attached_to_vpc }
|
117
|
+
end
|
118
|
+
|
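Review bot: The three attachment-matcher examples at the end of the hunk (`be_attached_to_eni`, `be_attached_to_subnet`, `be_attached_to_vpc`) all use the same flow log `fl-9c718cf5`, which the `resource_type` example earlier in the same file says is a `subnet`; read as one set, the eni and vpc examples would fail against that log, so give them ids that match their resource type or state that they are illustrative. The `subnet_id` and `vpc_id` sections also do not say what this singular resource does when more than one flow log is attached to the subnet or VPC (error, first match), which is the case a reader of "single Flow Log" needs; a sentence on that belongs under Resource Parameters. Minor: `flow_log_id` "tests the name of the flow log" should say "id", and "attached to a ENI resource" should be "an ENI resource". The crontab hunk later in this change switches examples to fenced ```ruby blocks; this new file could use the same style from the start.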
@@ -30,9 +30,42 @@ As this is the initial release of `aws_iam_groups`, its limited functionality pr
|
|
30
30
|
|
31
31
|
<br>
|
32
32
|
|
33
|
+
## Filter Criteria
|
34
|
+
|
35
|
+
### group_name
|
36
|
+
|
37
|
+
Filters the IAM groups by their group name, a string. If you know the exact group name, use `aws_iam_group` (singular) instead. This criteria may be used when you know a pattern of the name.
|
38
|
+
|
39
|
+
# Use a regex to find groups ending with 'Admins'
|
40
|
+
describe aws_iam_groups.where(group_name: /Admins$/) do
|
41
|
+
its('group_names') { should include 'FriendlyAdmins' }
|
42
|
+
its('group_names') { shoud_not include 'ShunnedAdmins' }
|
43
|
+
end
|
44
|
+
|
45
|
+
## Properties
|
46
|
+
|
47
|
+
### group_names
|
48
|
+
|
49
|
+
An Array of Strings, reflecting the IAM group names matched by the filter. If no groups matched, this will be empty. You can also use this with `aws_iam_group` to enumerate groups.
|
50
|
+
|
51
|
+
# Check for friendly people
|
52
|
+
describe aws_iam_groups.where(group_name: /Admins$/) do
|
53
|
+
its('group_names') { should include 'FriendlyAdmins' }
|
54
|
+
its('group_names') { should include 'KindAdmins' }
|
55
|
+
end
|
56
|
+
|
57
|
+
# Use to loop and fetch groups individually for auditing in detail
|
58
|
+
# Without a `where`, this fetches all groups
|
59
|
+
aws_iam_groups.group_names.each do |group_names|
|
60
|
+
# A roundabout way of saying "bob should not be in any groups"
|
61
|
+
describe aws_iam_group(group_name) do
|
62
|
+
its('users') { should_not include 'bob' }
|
63
|
+
end
|
64
|
+
end
|
65
|
+
|
33
66
|
## Matchers
|
34
67
|
|
35
|
-
For a full list of available matchers, please visit our [
|
68
|
+
This resource has no resource-specific matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
|
36
69
|
|
37
70
|
### exists
|
38
71
|
|
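Review bot: Two of the added examples will not run as written: `its('group_names') { shoud_not include 'ShunnedAdmins' }` misspells `should_not`, and the loop `aws_iam_groups.group_names.each do |group_names|` binds `group_names` while the body calls `aws_iam_group(group_name)`, which raises NameError; the block parameter should be `group_name`. Separately, the sentence added under `## Matchers`, "This resource has no resource-specific matchers", is immediately followed by the existing `### exists` section, so either drop the sentence or say that `exists` is the universal matcher being documented. Minor: "This criteria may be used" should be "This criterion may be used".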
@@ -38,15 +38,19 @@ The following examples show how to use this InSpec audit resource.
|
|
38
38
|
|
39
39
|
### Test that the logged-in user's crontab has no tasks set to run on every hour and every minute
|
40
40
|
|
41
|
-
|
42
|
-
|
43
|
-
|
41
|
+
```ruby
|
42
|
+
describe crontab.where({'hour' => '*', 'minute' => '*'}) do
|
43
|
+
its('entries.length') { should cmp '0' }
|
44
|
+
end
|
45
|
+
```
|
44
46
|
|
45
47
|
### Test that the logged-in user's crontab contains a single command that matches a pattern
|
46
48
|
|
47
|
-
|
48
|
-
|
49
|
-
|
49
|
+
```ruby
|
50
|
+
describe crontab.where { command =~ /a partial command string/ } do
|
51
|
+
its('entries.length') { should cmp 1 }
|
52
|
+
end
|
53
|
+
```
|
50
54
|
|
51
55
|
### Test a special time string (i.e., @yearly /root/annual_report.sh)
|
52
56
|
|
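Review bot: The two added examples compare `entries.length` inconsistently: the first uses `should cmp '0'` (a string) and the second `should cmp 1` (an integer). `cmp` tolerates both, but the doc reads better if both use the integer form, which is also what `length` returns. The switch to fenced ```ruby blocks in place of the indented code is an improvement and worth applying to the other resource docs touched in this change.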
@@ -51,31 +51,33 @@ Verify prime modulus used for the Diffie-Hellman operation:
|
|
51
51
|
|
52
52
|
Example using multi-line string:
|
53
53
|
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
54
|
+
```ruby
|
55
|
+
describe dh_params('/path/to/file.dh_pem') do
|
56
|
+
its('modulus') do
|
57
|
+
# regex removes all whitespace
|
58
|
+
should eq <<-EOF.gsub(/[[:space:]]+/, '')
|
59
|
+
00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
|
60
|
+
f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
|
61
|
+
48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
|
62
|
+
1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
|
63
|
+
2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
|
64
|
+
ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
|
65
|
+
30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
|
66
|
+
1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
|
67
|
+
28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
|
68
|
+
2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
|
69
|
+
01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
|
70
|
+
e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
|
71
|
+
3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
|
72
|
+
60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
|
73
|
+
31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
|
74
|
+
5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
|
75
|
+
4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
|
76
|
+
cd:13
|
77
|
+
EOF
|
78
|
+
end
|
79
|
+
end
|
80
|
+
```
|
79
81
|
|
80
82
|
### prime_length (Integer)
|
81
83
|
|
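Review bot: The `modulus` example never says what format the property returns; the reader has to infer from the `text` example later in this file that it is the colon-separated hex that `openssl dhparam` prints, leading `00:` sign byte included. A sentence before the heredoc stating that format, and a comment that the `gsub(/[[:space:]]+/, '')` exists only to make the multi-line literal comparable with the single-line property value, would make the block usable without guessing. Since the example is a 2048-bit modulus, it could also point readers who only care about size to the `prime_length` section that follows.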
@@ -95,19 +97,21 @@ Verify `pem` output of DH parameters:
|
|
95
97
|
|
96
98
|
Example using multi-line string:
|
97
99
|
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
100
|
+
```ruby
|
101
|
+
its('pem') do
|
102
|
+
# regex removes all leading spaces
|
103
|
+
should eq <<-EOF.gsub(/^[[:blank:]]+/, '')
|
104
|
+
-----BEGIN DH PARAMETERS-----
|
105
|
+
MIIBCAKCAQEAkaAVieW8OJMSAvyRooX39yljLtNOeob37oT+QtBIvJyR1VT4eB3A
|
106
|
+
QXiixKwaJIudiFWYC6ynI+vCqisuqfmv1I5OEbx/NaKs2jrv8CVsmqT9ACh2hixX
|
107
|
+
h2cwXbHWWyKPcqHq3ovvnjMaQJJohQJUAgn6wGDBPE4oJtvtJY44IVZA3MDAZh8r
|
108
|
+
MsO0eKkmlOr3QSiy9VsBOAxGCYUmTWkSjZUPNeLmTkc6ht2Ksv5FFSfYWcI89GL/
|
109
|
+
X3Tpd5JQRzYrBVdg7nuhYMwceit3GIo398cxPhXLFX97Zpb7xr591gNeDWB1K1ti
|
110
|
+
KqM3tjT5/pZM9sXjoVKvAcFPx0Kgvu3NEwIBAg==
|
111
|
+
-----END DH PARAMETERS-----
|
112
|
+
EOF
|
113
|
+
end
|
114
|
+
```
|
111
115
|
|
112
116
|
Verify via `openssl dhparam` command:
|
113
117
|
|
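Review bot: The `pem` example shows `its('pem') do ... end` without the enclosing `describe dh_params('/path/to/file.dh_pem') do ... end` that the `modulus` example in the previous hunk includes, so it is not runnable on its own and the `<<-EOF` indentation is ambiguous out of context; either add the wrapping `describe` or say the block goes inside it. Also, `gsub(/^[[:blank:]]+/, '')` strips only leading blanks, so the expected value ends with a newline after `-----END DH PARAMETERS-----`; confirm the `pem` property returns a trailing newline as well, otherwise `should eq` fails.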
@@ -131,32 +135,34 @@ Verify human-readable text output of DH parameters:
|
|
131
135
|
|
132
136
|
Example using multi-line string:
|
133
137
|
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
138
|
+
```ruby
|
139
|
+
its('text') do
|
140
|
+
# regex removes 2 leading spaces
|
141
|
+
should eq <<-EOF.gsub(/^[[:blank:]]{2}/, '')
|
142
|
+
PKCS#3 DH Parameters: (2048 bit)
|
143
|
+
prime:
|
144
|
+
00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
|
145
|
+
f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
|
146
|
+
48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
|
147
|
+
1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
|
148
|
+
2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
|
149
|
+
ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
|
150
|
+
30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
|
151
|
+
1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
|
152
|
+
28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
|
153
|
+
2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
|
154
|
+
01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
|
155
|
+
e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
|
156
|
+
3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
|
157
|
+
60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
|
158
|
+
31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
|
159
|
+
5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
|
160
|
+
4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
|
161
|
+
cd:13
|
162
|
+
generator: 2 (0x2)
|
163
|
+
EOF
|
164
|
+
end
|
165
|
+
```
|
160
166
|
|
161
167
|
Verify via `openssl dhparam` command:
|
162
168
|
|
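Review bot: The comment `# regex removes 2 leading spaces` and `gsub(/^[[:blank:]]{2}/, '')` mean the heredoc body must be indented by exactly two spaces more than the expected output, while the hex lines under `prime:` keep the extra indentation that `openssl dhparam` prints. That is easy to get wrong when copying the example, particularly since the `modulus` hunk above strips all whitespace instead; say explicitly that indentation inside this heredoc is significant. As with the `pem` hunk, `its('text') do` is shown without the enclosing `describe dh_params(...)` block.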
@@ -189,7 +195,7 @@ Verify via `openssl dhparam` command:
|
|
189
195
|
|
190
196
|
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
191
197
|
|
192
|
-
###
|
198
|
+
### be_valid
|
193
199
|
|
194
200
|
Verify whether DH parameters are valid:
|
195
201
|
|
@@ -50,7 +50,7 @@ The `id` property returns the service id:
|
|
50
50
|
|
51
51
|
### image
|
52
52
|
|
53
|
-
The `image` property
|
53
|
+
The `image` property is a combination of `repository:tag` it tests the value of the image:
|
54
54
|
|
55
55
|
its('image') { should eq 'alpine:latest' }
|
56
56
|
|
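Review bot: The replacement line "The `image` property is a combination of `repository:tag` it tests the value of the image:" is a run-on; suggest "The `image` property returns the service image as `repository:tag`:" so it reads like the `id` property description above it and matches the `alpine:latest` example that follows.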
@@ -89,7 +89,7 @@ Use the optional constructor parameter to give an alternative path to fstab file
|
|
89
89
|
its('dump_options') { should cmp 0 }
|
90
90
|
end
|
91
91
|
|
92
|
-
###
|
92
|
+
### file\_system\_options
|
93
93
|
|
94
94
|
`file_system_options` returns a integer array of each partitions file system option.
|
95
95
|
|
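Review bot: The heading fix is right, but the context line directly under it, "`file_system_options` returns a integer array of each partitions file system option.", should be corrected in the same change: "an array", "each partition's", and fstab mount options such as `defaults` or `noatime` are strings, not integers, so "integer array" looks wrong (the numeric field is `dump_options`, shown in the context above).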
data/docs/resources/http.md.erb
CHANGED
@@ -172,7 +172,7 @@ In InSpec 2.0, the HTTP test will automatically execute remotely whenever InSpec
|
|
172
172
|
|
173
173
|
The `body` matcher tests body content of http response:
|
174
174
|
|
175
|
-
|
175
|
+
its('body') { should eq 'hello\n' }
|
176
176
|
|
177
177
|
### headers
|
178
178
|
|
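Review bot: `its('body') { should eq 'hello\n' }` uses a single-quoted Ruby string, in which `\n` is a literal backslash followed by `n`, not a newline, so a response body of `hello` plus newline will never equal it. Use double quotes, `should eq "hello\n"`, or compare against `'hello'` if the intent is a body without a trailing newline.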
@@ -28,7 +28,7 @@ where
|
|
28
28
|
* `'site_name'` is the name of the site, such as `'Default Web Site'`
|
29
29
|
* `('application_pool')` is the name of the application pool in which the site's root application is run, such as `'DefaultAppPool'`
|
30
30
|
* `('protocols')` is a binding for the site, such as `'http'`. A site may have multiple bindings; therefore, use a `have_protocol` matcher for each site protocol to be tested
|
31
|
-
* `('physical_path') is the physical path to the application, such as `'C:\\inetpub\\wwwroot\\myapp'`
|
31
|
+
* `('physical_path')` is the physical path to the application, such as `'C:\\inetpub\\wwwroot\\myapp'`
|
32
32
|
|
33
33
|
For example:
|
34
34
|
|
@@ -5,7 +5,7 @@ platform: linux
|
|
5
5
|
|
6
6
|
# inetd_conf
|
7
7
|
|
8
|
-
Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled
|
8
|
+
Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
|
9
9
|
|
10
10
|
<br>
|
11
11
|
|
data/docs/resources/nginx.md.erb
CHANGED
@@ -32,7 +32,7 @@ where
|
|
32
32
|
|
33
33
|
## Properties
|
34
34
|
|
35
|
-
*
|
35
|
+
* `compiler_info`, `error_log_path`, `http_client_body_temp_path`, `http_fastcgi_temp_path`, `http_log_path`, `http_proxy_temp_path`, `http_scgi_temp_path`, `http_uwsgi_temp_path`, `lock_path`, `modules`, `modules_path`, `openssl_version`, `prefix`, `sbin_path`, `service`, `support_info`, `version`
|
36
36
|
|
37
37
|
<br>
|
38
38
|
|
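Review bot: Listing all seventeen properties in one bullet fixes the empty `*` but leaves them undocumented: nothing says what `service`, `support_info` or `compiler_info` return, or which of them return arrays rather than strings. Following the other resource docs touched in this change (`dh_params`, `docker_service`), each property deserves its own `###` heading with a one-line description and an `its(...)` example.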
data/docs/resources/npm.md.erb
CHANGED
@@ -5,7 +5,7 @@ platform: os
|
|
5
5
|
|
6
6
|
# npm
|
7
7
|
|
8
|
-
Use the `npm` InSpec audit resource to test if a global NPM package is installed. NPM is the the package manager for Node.js packages
|
8
|
+
Use the `npm` InSpec audit resource to test if a global NPM package is installed. NPM is the the package manager for [Node.js packages](https://docs.npmjs.com), such as Bower and StatsD.
|
9
9
|
|
10
10
|
<br>
|
11
11
|
|
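Review bot: The replacement sentence still carries the doubled word from the original: "NPM is the the package manager for [Node.js packages]". Fix to "NPM is the package manager" while touching this line.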
@@ -22,6 +22,14 @@ where
|
|
22
22
|
* `('npm_package_name')` must specify an NPM package, such as `'bower'` or `'statsd'`
|
23
23
|
* `be_installed` is a valid matcher for this resource
|
24
24
|
|
25
|
+
You can also specify additional options:
|
26
|
+
|
27
|
+
describe npm('npm_package_name', path: '/path/to/project') do
|
28
|
+
it { should be_installed }
|
29
|
+
end
|
30
|
+
|
31
|
+
The `path` specifies a folder, that contains a `node_modules` subdirectory. It emulates running `npm` inside the specified folder. This way you can inspect local NPM installations as well as global ones.
|
32
|
+
|
25
33
|
<br>
|
26
34
|
|
27
35
|
## Examples
|
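Review bot: "The `path` specifies a folder, that contains a `node_modules` subdirectory" has a spurious comma; suggest "The `path` option names a folder that contains a `node_modules` subdirectory". Because this option lets the resource inspect local installations, the intro sentence in the previous hunk ("test if a global NPM package is installed") and the `('npm_package_name')` bullet above now understate what the resource does; update the intro to say global or project-local. It is also worth stating that `path: '/path/to/project'` is resolved on the target being audited, not on the machine running InSpec.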