inspec 2.1.84 → 2.2.10

data/docs/resources/aws_flow_log.md.erb

@@ -0,0 +1,118 @@
+---
+title: About the aws_flow_log Resource
+platform: aws
+---
+
+# aws\_flow\_log
+
+Use the `aws_flow_log` InSpec audit resource to test properties of a single Flow Log.
+
+## Syntax
+
+    describe aws_flow_log('fl-9c718cf5') do
+      it { should exist }
+    end
+
+## Resource Parameters
+### flow\_log\_id
+
+This resource accepts a single parameter or other search terms. You may pass it as a string, or as the value in a hash:
+
+    describe aws_flow_log('fl-9c718cf5') do
+      it { should exist }
+    end
+
+    describe aws_flow_log(flow_log_id: 'fl-8905f8e0') do
+      it { should exist }
+    end
+
+### subnet\_id
+
+To search for a flow log by the associated subnet id:
+
+    describe aws_flow_log(subnet_id: 'subnet-c6a4319c') do
+      it { should exist }
+    end
+
+### vpc\_id
+
+To search for a flow log by the associated vpc id:
+
+    describe aws_flow_log(vpc_id: 'vpc-96cabaef') do
+      it { should exist }
+    end
+
+## Properties
+### flow\_log\_id
+
+The `flow_log_id` property tests the name of the flow log.
+
+  describe aws_flow_log(subnet_id: 'subnet-c6a4319c') do
+    its('flow_log_id') { should cmp 'fl-9c718cf5' }
+  end
+
+### log\_group\_name
+
+The `log_group_name` property tests the name of the associated log group.
+
+  describe aws_flow_log('fl-9c718cf5') do
+    its('log_group_name') { should cmp 'test_log_group' }
+  end
+
+### resource\_id
+
+The `resource_id` property tests the id of the associated VPC, subnet, or network interface.
+
+  describe aws_flow_log('fl-9c718cf5') do
+    its('resource_id') { should cmp 'subnet-c6a4319c' }
+  end
+
+### resource\_type
+
+The `resource_type` property tests the type of resource the Flow Log is attached to.
+The property will return `eni`, `subnet`, or `vpc`.
+
+  describe aws_flow_log('fl-9c718cf5') do
+    its('resource_type') { should cmp 'subnet' }
+  end
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### exist
+
+Indicates that the Flow Log provided was found.  Use `should_not` to test for Flow Logs that should not exist.
+
+    describe aws_flow_log('should-be-there') do
+      it { should exist }
+    end
+
+    describe aws_flow_log('should-not-be-there') do
+      it { should_not exist }
+    end
+
+### be\_attached\_to\_eni
+
+Indicates that the Flow Log is attached to a ENI resource.
+
+    describe aws_flow_log('fl-9c718cf5') do
+      it { should be_attached_to_eni }
+    end
+
+### be\_attached\_to\_subnet
+
+Indicates that the Flow Log is attached to a subnet resource.
+
+    describe aws_flow_log('fl-9c718cf5') do
+      it { should be_attached_to_subnet }
+    end
+
+### be\_attached\_to\_vpc
+
+Indicates that the Flow Log is attached to a vpc resource.
+
+    describe aws_flow_log('fl-9c718cf5') do
+      it { should be_attached_to_vpc }
+    end
+

data/docs/resources/aws_iam_groups.md.erb

@@ -30,9 +30,42 @@ As this is the initial release of `aws_iam_groups`, its limited functionality pr
 
 <br>
 
+## Filter Criteria
+
+### group_name
+
+Filters the IAM groups by their group name, a string.  If you know the exact group name, use `aws_iam_group` (singular) instead.  This criteria may be used when you know a pattern of the name.
+
+    # Use a regex to find groups ending with 'Admins'
+    describe aws_iam_groups.where(group_name: /Admins$/) do
+      its('group_names') { should include 'FriendlyAdmins' }
+      its('group_names') { shoud_not include 'ShunnedAdmins' }
+    end
+
+## Properties
+
+### group_names
+
+An Array of Strings, reflecting the IAM group names matched by the filter.  If no groups matched, this will be empty.  You can also use this with `aws_iam_group` to enumerate groups.
+
+    # Check for friendly people
+    describe aws_iam_groups.where(group_name: /Admins$/) do
+      its('group_names') { should include 'FriendlyAdmins' }
+      its('group_names') { should include 'KindAdmins' }
+    end
+
+    # Use to loop and fetch groups individually for auditing in detail
+    # Without a `where`, this fetches all groups
+    aws_iam_groups.group_names.each do |group_names|
+      # A roundabout way of saying "bob should not be in any groups"
+      describe aws_iam_group(group_name) do
+        its('users') { should_not include 'bob' }
+      end
+    end
+
 ## Matchers
 
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+This resource has no resource-specific matchers.  For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
 
 ### exists
 

data/docs/resources/crontab.md.erb

@@ -38,15 +38,19 @@ The following examples show how to use this InSpec audit resource.
 
 ### Test that the logged-in user's crontab has no tasks set to run on every hour and every minute
 
-    describe crontab.where({'hour' => '*', 'minute' => '*'}) do
-      its('entries.length') { should cmp '0' }
-    end
+```ruby
+describe crontab.where({'hour' => '*', 'minute' => '*'}) do
+  its('entries.length') { should cmp '0' }
+end
+```
 
 ### Test that the logged-in user's crontab contains a single command that matches a pattern
 
-    describe crontab.where { command =~ /a partial command string/ } do
-      its('entries.length') { should cmp 1 }
-    end
+```ruby
+describe crontab.where { command =~ /a partial command string/ } do
+  its('entries.length') { should cmp 1 }
+end
+```
 
 ### Test a special time string (i.e., @yearly /root/annual_report.sh)
 

data/docs/resources/dh_params.md.erb

@@ -51,31 +51,33 @@ Verify prime modulus used for the Diffie-Hellman operation:
 
 Example using multi-line string:
 
-    describe dh_params('/path/to/file.dh_pem') do
-      its('modulus') do
-        # regex removes all whitespace
-        should eq <<-EOF.gsub(/[[:space:]]+/, '')
-          00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
-          f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
-          48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
-          1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
-          2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
-          ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
-          30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
-          1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
-          28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
-          2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
-          01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
-          e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
-          3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
-          60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
-          31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
-          5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
-          4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
-          cd:13
-        EOF
-      end
-    end
+```ruby
+describe dh_params('/path/to/file.dh_pem') do
+  its('modulus') do
+    # regex removes all whitespace
+    should eq <<-EOF.gsub(/[[:space:]]+/, '')
+      00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
+      f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
+      48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
+      1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
+      2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
+      ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
+      30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
+      1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
+      28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
+      2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
+      01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
+      e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
+      3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
+      60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
+      31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
+      5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
+      4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
+      cd:13
+    EOF
+  end
+end
+```
 
 ### prime_length (Integer)
 
@@ -95,19 +97,21 @@ Verify `pem` output of DH parameters:
 
 Example using multi-line string:
 
-    its('pem') do
-      # regex removes all leading spaces
-      should eq <<-EOF.gsub(/^[[:blank:]]+/, '')
-        -----BEGIN DH PARAMETERS-----
-        MIIBCAKCAQEAkaAVieW8OJMSAvyRooX39yljLtNOeob37oT+QtBIvJyR1VT4eB3A
-        QXiixKwaJIudiFWYC6ynI+vCqisuqfmv1I5OEbx/NaKs2jrv8CVsmqT9ACh2hixX
-        h2cwXbHWWyKPcqHq3ovvnjMaQJJohQJUAgn6wGDBPE4oJtvtJY44IVZA3MDAZh8r
-        MsO0eKkmlOr3QSiy9VsBOAxGCYUmTWkSjZUPNeLmTkc6ht2Ksv5FFSfYWcI89GL/
-        X3Tpd5JQRzYrBVdg7nuhYMwceit3GIo398cxPhXLFX97Zpb7xr591gNeDWB1K1ti
-        KqM3tjT5/pZM9sXjoVKvAcFPx0Kgvu3NEwIBAg==
-        -----END DH PARAMETERS-----
-      EOF
-    end
+```ruby
+its('pem') do
+  # regex removes all leading spaces
+  should eq <<-EOF.gsub(/^[[:blank:]]+/, '')
+    -----BEGIN DH PARAMETERS-----
+    MIIBCAKCAQEAkaAVieW8OJMSAvyRooX39yljLtNOeob37oT+QtBIvJyR1VT4eB3A
+    QXiixKwaJIudiFWYC6ynI+vCqisuqfmv1I5OEbx/NaKs2jrv8CVsmqT9ACh2hixX
+    h2cwXbHWWyKPcqHq3ovvnjMaQJJohQJUAgn6wGDBPE4oJtvtJY44IVZA3MDAZh8r
+    MsO0eKkmlOr3QSiy9VsBOAxGCYUmTWkSjZUPNeLmTkc6ht2Ksv5FFSfYWcI89GL/
+    X3Tpd5JQRzYrBVdg7nuhYMwceit3GIo398cxPhXLFX97Zpb7xr591gNeDWB1K1ti
+    KqM3tjT5/pZM9sXjoVKvAcFPx0Kgvu3NEwIBAg==
+    -----END DH PARAMETERS-----
+  EOF
+end
+```
 
 Verify via `openssl dhparam` command:
 
@@ -131,32 +135,34 @@ Verify human-readable text output of DH parameters:
 
 Example using multi-line string:
 
-    its('text') do
-      # regex removes 2 leading spaces
-      should eq <<-EOF.gsub(/^[[:blank:]]{2}/, '')
-        PKCS#3 DH Parameters: (2048 bit)
-            prime:
-                00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
-                f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
-                48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
-                1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
-                2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
-                ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
-                30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
-                1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
-                28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
-                2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
-                01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
-                e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
-                3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
-                60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
-                31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
-                5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
-                4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
-                cd:13
-            generator: 2 (0x2)
-        EOF
-    end
+```ruby
+its('text') do
+  # regex removes 2 leading spaces
+  should eq <<-EOF.gsub(/^[[:blank:]]{2}/, '')
+    PKCS#3 DH Parameters: (2048 bit)
+        prime:
+            00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
+            f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
+            48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
+            1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
+            2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
+            ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
+            30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
+            1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
+            28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
+            2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
+            01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
+            e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
+            3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
+            60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
+            31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
+            5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
+            4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
+            cd:13
+        generator: 2 (0x2)
+    EOF
+end
+```
 
 Verify via `openssl dhparam` command:
 
@@ -189,7 +195,7 @@ Verify via `openssl dhparam` command:
 
 For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
 
-### valid?
+### be_valid
 
 Verify whether DH parameters are valid:
 

data/docs/resources/docker_service.md.erb

@@ -50,7 +50,7 @@ The `id` property returns the service id:
 
 ### image
 
-The `image` property tests the value of the image. It is a combination of `repository:tag`:
+The `image` property is a combination of `repository:tag` it tests the value of the image:
 
     its('image') { should eq 'alpine:latest' }
 

data/docs/resources/etc_fstab.md.erb

@@ -89,7 +89,7 @@ Use the optional constructor parameter to give an alternative path to fstab file
       its('dump_options') { should cmp 0 }
     end
 
-### file_system_options
+### file\_system\_options
 
 `file_system_options` returns a integer array of each partitions file system option.
 

data/docs/resources/firewalld.md.erb

@@ -80,7 +80,7 @@ The `be_running` matcher tests if the firewalld service is running:
 
     it { should be_running }
 
-### have_zone
+### `have_zone`
 
 `have_zone` returns true or false if the zone is set on firewalld. It does not mean the zone is active.
 

data/docs/resources/http.md.erb

@@ -172,7 +172,7 @@ In InSpec 2.0, the HTTP test will automatically execute remotely whenever InSpec
 
 The `body` matcher tests body content of http response:
 
-   its('body') { should eq 'hello\n' }
+    its('body') { should eq 'hello\n' }
 
 ### headers
 

data/docs/resources/iis_app.md.erb

@@ -28,7 +28,7 @@ where
 * `'site_name'` is the name of the site, such as `'Default Web Site'`
 * `('application_pool')` is the name of the application pool in which the site's root application is run, such as `'DefaultAppPool'`
 * `('protocols')` is a binding for the site, such as `'http'`. A site may have multiple bindings; therefore, use a `have_protocol` matcher for each site protocol to be tested
-* `('physical_path') is the physical path to the application, such as `'C:\\inetpub\\wwwroot\\myapp'`
+* `('physical_path')` is the physical path to the application, such as `'C:\\inetpub\\wwwroot\\myapp'`
 
 For example:
 

data/docs/resources/inetd_conf.md.erb

@@ -5,7 +5,7 @@ platform: linux
 
 # inetd_conf
 
-Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.`
+Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
 
 <br>
 

data/docs/resources/nginx.md.erb

@@ -32,7 +32,7 @@ where
 
 ## Properties
 
-* 'compiler_info',  'error_log_path',  'http_client_body_temp_path',  'http_fastcgi_temp_path',  'http_log_path',  'http_proxy_temp_path',  'http_scgi_temp_path',  'http_uwsgi_temp_path',  'lock_path',  'modules', 'modules_path',  'openssl_version',  'prefix',  'sbin_path',  'service',  'support_info',  'version'
+* `compiler_info`,  `error_log_path`,  `http_client_body_temp_path`,  `http_fastcgi_temp_path`,  `http_log_path`,  `http_proxy_temp_path`,  `http_scgi_temp_path`,  `http_uwsgi_temp_path`,  `lock_path`,  `modules`, `modules_path`,  `openssl_version`,  `prefix`,  `sbin_path`,  `service`,  `support_info`,  `version`
 
 <br>
 

data/docs/resources/npm.md.erb

@@ -5,7 +5,7 @@ platform: os
 
 # npm
 
-Use the `npm` InSpec audit resource to test if a global NPM package is installed. NPM is the the package manager for Node.js packages (https://docs.npmjs.com), such as Bower and StatsD.
+Use the `npm` InSpec audit resource to test if a global NPM package is installed. NPM is the the package manager for [Node.js packages](https://docs.npmjs.com), such as Bower and StatsD.
 
 <br>
 
@@ -22,6 +22,14 @@ where
 * `('npm_package_name')` must specify an NPM package, such as `'bower'` or `'statsd'`
 * `be_installed` is a valid matcher for this resource
 
+You can also specify additional options:
+
+    describe npm('npm_package_name', path: '/path/to/project') do
+      it { should be_installed }
+    end
+
+The `path` specifies a folder, that contains a `node_modules` subdirectory. It emulates running `npm` inside the specified folder. This way you can inspect local NPM installations as well as global ones.
+
 <br>
 
 ## Examples