inspec 2.3.10 → 2.3.23

data/docs/resources/crontab.md.erb

@@ -1,103 +0,0 @@
----
-title: About the crontab Resource
-platform: linux
----
-
-# crontab
-
-Use the `crontab` InSpec audit resource to test the crontab entries for a particular user on the system. It recognizes special time strings (@yearly, @weekly, etc).
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v1.15.0 of InSpec.
-
-## Syntax
-
-A `crontab` resource block declares a user (which defaults to the current user, if not specified), and then the details to be tested, such as the schedule elements for each crontab entry or the commands itself:
-
-    describe crontab do
-      its('commands') { should include '/some/scheduled/task.sh' }
-    end
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Test that root's crontab has a particular command
-
-    describe crontab('root') do
-      its('commands') { should include '/path/to/some/script' }
-    end
-
-### Test that myuser's crontab entry for command '/home/myuser/build.sh' runs every minute
-
-    describe crontab('myuser').commands('/home/myuser/build.sh') do
-      its('hours') { should cmp '*' }
-      its('minutes') { should cmp '*' }
-    end
-
-### Test that the logged-in user's crontab has no tasks set to run on every hour and every minute
-
-```ruby
-describe crontab.where({'hour' => '*', 'minute' => '*'}) do
-  its('entries.length') { should cmp '0' }
-end
-```
-
-### Test that the logged-in user's crontab contains a single command that matches a pattern
-
-```ruby
-describe crontab.where { command =~ /a partial command string/ } do
-  its('entries.length') { should cmp 1 }
-end
-```
-
-### Test a special time string (i.e., @yearly /root/annual_report.sh)
-
-    describe crontab.commands('/root/annual_report.sh') do
-      its('hours') { should cmp '0' }
-      its('minutes') { should cmp '0' }
-      its('days') { should cmp '1' }
-      its('months') { should cmp '1' }
-    end
-
-### Test @reboot case
-
-    describe crontab.commands('/root/reboot.sh') do
-      its('hours') { should cmp '-1' }
-      its('minutes') { should cmp '-1' }
-    end
-
-<br>
-
-## Property Examples
-
-
-### Test a special time string
-
-    describe crontab do
-      its('minutes') { should cmp '0' }
-      its('hours') { should cmp '0' }
-      its('days') { should cmp '1' }
-      its('weekdays') { should cmp '1' }
-      its('user') { should include 'username'}
-      its('commands') { should include '/some/scheduled/task.sh' }
-    end
-
-InSpec will automatically interpret crontab-supported special time strings. For example, a crontab entry set to run `@yearly` can be tested as if the entry was manually configured to run on January 1, 12 AM.
-
-<br>
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

data/docs/resources/csv.md.erb

@@ -1,64 +0,0 @@
----
-title: About the csv Resource
-platform: os
----
-
-# csv
-
-Use the `csv` InSpec audit resource to test configuration data in a CSV file.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v1.0.0 of InSpec.
-
-## Syntax
-
-A `csv` resource block declares the configuration data to be tested:
-
-    describe csv('file') do
-      its('name') { should cmp 'foo' }
-    end
-
-where
-
-* `'file'` is the path to a CSV file
-* `name` is a configuration setting in a CSV file
-* `should eq 'foo'` tests a value of `name` as read from a CSV file versus the value declared in the test
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Test a CSV file
-
-    describe csv('some_file.csv') do
-      its('setting') { should eq 1 }
-    end
-
-<br>
-
-## Property Examples
-
-### name
-
-The `name` property tests the value of `name` as read from a CSV file compared to the value declared in the test.
-
-    its('name') { should cmp 'foo' }
-
-<br>
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-

data/docs/resources/dh_params.md.erb

@@ -1,221 +0,0 @@
----
-title: The dh_params Resource
-platform: linux
----
-
-# dh_params
-
-Use the `dh_params` InSpec audit resource to test Diffie-Hellman (DH) parameters.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v1.19.0 of InSpec.
-
-## Syntax
-
-A `dh_params` resource block declares a parameter file to be tested.
-
-    describe dh_params('/path/to/file.dh_pem') do
-      it { should be_dh_params }
-      it { should be_valid }
-      its('generator') { should eq 2 }
-      its('modulus') { should eq '00:91:a0:15:89:e5:bc:38:93:12:02:fc:...' }
-      its('prime_length') { should eq 2048 }
-      its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
-      its('text') { should eq 'PKCS#3 DH Parameters: (2048 bit)...' }
-    end
-
-<br>
-
-## Properties
-
-* `generator`, `modulus`, `prime_length`, `pem`, `text`
-
-<br>
-
-## Property Examples
-
-### generator (Integer)
-
-Verify generator used for the Diffie-Hellman operation:
-
-    describe dh_params('/path/to/file.dh_pem') do
-      its('generator') { should eq 2 }
-    end
-
-### modulus (String)
-
-Verify prime modulus used for the Diffie-Hellman operation:
-
-    describe dh_params('/path/to/file.dh_pem') do
-      its('modulus') { should eq '00:91:a0:15:89:e5:bc:38:93:12:02:fc:...' }
-    end
-
-Example using multi-line string:
-
-```ruby
-describe dh_params('/path/to/file.dh_pem') do
-  its('modulus') do
-    # regex removes all whitespace
-    should eq <<-EOF.gsub(/[[:space:]]+/, '')
-      00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
-      f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
-      48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
-      1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
-      2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
-      ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
-      30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
-      1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
-      28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
-      2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
-      01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
-      e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
-      3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
-      60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
-      31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
-      5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
-      4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
-      cd:13
-    EOF
-  end
-end
-```
-
-### prime_length (Integer)
-
-Verify length of prime modulus used for the Diffie-Hellman operation:
-
-    describe dh_params('/path/to/file.dh_pem') do
-      its('prime_length') { should eq 2048 }
-    end
-
-### pem (String)
-
-Verify `pem` output of DH parameters:
-
-    describe dh_params('/path/to/file.dh_pem') do
-      its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
-    end
-
-Example using multi-line string:
-
-```ruby
-its('pem') do
-  # regex removes all leading spaces
-  should eq <<-EOF.gsub(/^[[:blank:]]+/, '')
-    -----BEGIN DH PARAMETERS-----
-    MIIBCAKCAQEAkaAVieW8OJMSAvyRooX39yljLtNOeob37oT+QtBIvJyR1VT4eB3A
-    QXiixKwaJIudiFWYC6ynI+vCqisuqfmv1I5OEbx/NaKs2jrv8CVsmqT9ACh2hixX
-    h2cwXbHWWyKPcqHq3ovvnjMaQJJohQJUAgn6wGDBPE4oJtvtJY44IVZA3MDAZh8r
-    MsO0eKkmlOr3QSiy9VsBOAxGCYUmTWkSjZUPNeLmTkc6ht2Ksv5FFSfYWcI89GL/
-    X3Tpd5JQRzYrBVdg7nuhYMwceit3GIo398cxPhXLFX97Zpb7xr591gNeDWB1K1ti
-    KqM3tjT5/pZM9sXjoVKvAcFPx0Kgvu3NEwIBAg==
-    -----END DH PARAMETERS-----
-  EOF
-end
-```
-
-Verify via `openssl dhparam` command:
-
-    $ openssl dhparam -in /path/to/file.dh_pem
-    -----BEGIN DH PARAMETERS-----
-    MIIBCAKCAQEAkaAVieW8OJMSAvyRooX39yljLtNOeob37oT+QtBIvJyR1VT4eB3A
-    QXiixKwaJIudiFWYC6ynI+vCqisuqfmv1I5OEbx/NaKs2jrv8CVsmqT9ACh2hixX
-    h2cwXbHWWyKPcqHq3ovvnjMaQJJohQJUAgn6wGDBPE4oJtvtJY44IVZA3MDAZh8r
-    MsO0eKkmlOr3QSiy9VsBOAxGCYUmTWkSjZUPNeLmTkc6ht2Ksv5FFSfYWcI89GL/
-    X3Tpd5JQRzYrBVdg7nuhYMwceit3GIo398cxPhXLFX97Zpb7xr591gNeDWB1K1ti
-    KqM3tjT5/pZM9sXjoVKvAcFPx0Kgvu3NEwIBAg==
-    -----END DH PARAMETERS-----
-
-### text (String)
-
-Verify human-readable text output of DH parameters:
-
-    describe dh_params('/path/to/file.dh_pem') do
-      its('text') { should eq 'PKCS#3 DH Parameters: (2048 bit)...' }
-    end
-
-Example using multi-line string:
-
-```ruby
-its('text') do
-  # regex removes 2 leading spaces
-  should eq <<-EOF.gsub(/^[[:blank:]]{2}/, '')
-    PKCS#3 DH Parameters: (2048 bit)
-        prime:
-            00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
-            f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
-            48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
-            1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
-            2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
-            ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
-            30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
-            1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
-            28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
-            2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
-            01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
-            e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
-            3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
-            60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
-            31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
-            5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
-            4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
-            cd:13
-        generator: 2 (0x2)
-    EOF
-end
-```
-
-Verify via `openssl dhparam` command:
-
-    $ openssl dhparam -in /path/to/file.dh_pem -noout -text
-    PKCS#3 DH Parameters: (2048 bit)
-        prime:
-            00:91:a0:15:89:e5:bc:38:93:12:02:fc:91:a2:85:
-            f7:f7:29:63:2e:d3:4e:7a:86:f7:ee:84:fe:42:d0:
-            48:bc:9c:91:d5:54:f8:78:1d:c0:41:78:a2:c4:ac:
-            1a:24:8b:9d:88:55:98:0b:ac:a7:23:eb:c2:aa:2b:
-            2e:a9:f9:af:d4:8e:4e:11:bc:7f:35:a2:ac:da:3a:
-            ef:f0:25:6c:9a:a4:fd:00:28:76:86:2c:57:87:67:
-            30:5d:b1:d6:5b:22:8f:72:a1:ea:de:8b:ef:9e:33:
-            1a:40:92:68:85:02:54:02:09:fa:c0:60:c1:3c:4e:
-            28:26:db:ed:25:8e:38:21:56:40:dc:c0:c0:66:1f:
-            2b:32:c3:b4:78:a9:26:94:ea:f7:41:28:b2:f5:5b:
-            01:38:0c:46:09:85:26:4d:69:12:8d:95:0f:35:e2:
-            e6:4e:47:3a:86:dd:8a:b2:fe:45:15:27:d8:59:c2:
-            3c:f4:62:ff:5f:74:e9:77:92:50:47:36:2b:05:57:
-            60:ee:7b:a1:60:cc:1c:7a:2b:77:18:8a:37:f7:c7:
-            31:3e:15:cb:15:7f:7b:66:96:fb:c6:be:7d:d6:03:
-            5e:0d:60:75:2b:5b:62:2a:a3:37:b6:34:f9:fe:96:
-            4c:f6:c5:e3:a1:52:af:01:c1:4f:c7:42:a0:be:ed:
-            cd:13
-        generator: 2 (0x2)
-
-<br>
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### be_valid
-
-Verify whether DH parameters are valid:
-
-    describe dh_params('/path/to/file.dh_pem') do
-      it { should be_valid }
-    end
-
-### be\_dh\_params
-
-    describe dh_params('/path/to/file.dh_pem') do
-        it { should be_dh_params}
-    end
-

data/docs/resources/directory.md.erb

@@ -1,40 +0,0 @@
----
-title: About the directory Resource
-platform: os
----
-
-# directory
-
-Use the `directory` InSpec audit resource to test if the file type is a directory. This is equivalent to using the `file` resource and the `be_directory` matcher, but provides a simpler and more direct way to test directories.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v1.0.0 of InSpec.
-
-## Syntax
-
-A `directory` resource block declares the location of the directory to be tested, and then one (or more) matchers.
-
-    describe directory('path') do
-      its('property') { should cmp 'value' }
-    end
-
-<br>
-
-## Properties
-
-All of the properties available to `file` may be used with `directory`.
-
-<br>
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

data/docs/resources/docker.md.erb

@@ -1,240 +0,0 @@
----
-title: About the docker Resource
-platform: linux
----
-
-# docker
-
-Use the `docker` InSpec audit resource to test configuration data for the Docker daemon. It is a very comprehensive resource. See also: [docker_container](https://www.inspec.io/docs/reference/resources/docker_container/) and [docker_image](https://www.inspec.io/docs/reference/resources/docker_image/), too.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v1.21.0 of InSpec.
-
-## Syntax
-
-A `docker` resource block declares allows you to write test for many containers:
-
-    describe docker.containers do
-      its('images') { should_not include 'u12:latest' }
-    end
-
-or:
-
-    describe docker.containers.where { names == 'flamboyant_colden' } do
-      it { should be_running }
-    end
-
-where
-
-* `.where()` may specify a specific item and value, to which the resource parameters are compared
-* `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes`  and `status` are valid parameters for `containers`
-
-The `docker` resource block also declares allows you to write test for many images:
-
-    describe docker.images do
-      its('repositories') { should_not include 'inssecure_image' }
-    end
-
-or if you want to query specific images:
-
-    describe docker.images.where { repository == 'ubuntu' && tag == '12.04' } do
-      it { should_not exist }
-    end
-
-where
-
-* `.where()` may specify a specific filter and expected value, against which parameters are compared
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Return all running containers
-
-    docker.containers.running?.ids.each do |id|
-      describe docker.object(id) do
-        its('State.Health.Status') { should eq 'healthy' }
-      end
-    end
-
-### Verify a Docker Server and Client version
-
-    describe docker.version do
-      its('Server.Version') { should cmp >= '1.12'}
-      its('Client.Version') { should cmp >= '1.12'}
-    end
-
-### Iterate over all containers to verify host coniguration
-
-    docker.containers.ids.each do |id|
-      # call Docker inspect for a specific container id
-      describe docker.object(id) do
-        its(%w(HostConfig Privileged)) { should cmp false }
-        its(%w(HostConfig Privileged)) { should_not cmp true }
-      end
-    end
-
-### Iterate over all images to verify the container was built without ADD instruction
-
-    docker.images.ids.each do |id|
-      describe command("docker history #{id}| grep 'ADD'") do
-        its('stdout') { should eq '' }
-      end
-    end
-
-### Verify that health-checks are enabled for a container
-
-    describe docker.object('71b5df59442b') do
-      its(%w(Config Healthcheck)) { should_not eq nil }
-    end
-
-<br>
-
-## How to run the DevSec Docker baseline profile
-
-There are two ways to run the `docker-baseline` profile to test Docker via the `docker` resource.
-
-Clone the profile:
-
-    $ git clone https://github.com/dev-sec/cis-docker-benchmark.git
-
-and then run:
-
-    $ inspec exec cis-docker-benchmark
-
-Or execute the profile directly via URL:
-
-    $ inspec exec https://github.com/dev-sec/cis-docker-benchmark
-
-<br>
-
-## Resource Parameters
-
-* `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `status` are valid parameters for `containers`
-
-<br>
-
-## Resource Parameter Examples
-
-### containers
-
-`containers` returns information about containers as returned by [docker ps -a](https://docs.docker.com/engine/reference/commandline/ps/).
-
-    describe docker.containers do
-      its('ids') { should include 'sha:71b5df59...442b' }
-      its('commands') { should_not include '/bin/sh' }
-      its('images') { should_not include 'u12:latest' }
-      its('ports') { should include '0.0.0.0:1234->1234/tcp' }
-      its('labels') { should include 'License=GPLv2,Vendor=CentOS' }
-    end
-
-### object('id')
-
-`object` returns low-level information about Docker objects. It is calling [docker inspect](https://docs.docker.com/engine/reference/commandline/info/) under the hood.
-
-    describe docker.object(id) do
-      its('Configuration.Path') { should eq 'value' }
-    end
-
-### images
-
-`images` returns information about a Docker image as returned by [docker images](https://docs.docker.com/engine/reference/commandline/images/).
-
-    describe docker.images do
-      its('ids') { should include 'sha:12b5df59...442b' }
-      its('repositories') { should_not include 'my_image' }
-      its('tags') { should_not include 'unwanted_tag' }
-      its('sizes') { should_not include "1.41 GB" }
-    end
-
-### plugins
-
-`plugins` returns information about Docker plugins as returned by [docker plugin ls](https://docs.docker.com/engine/reference/commandline/plugin/).
-
-    describe docker.plugins do
-      its('names') { should include ["store/weaveworks/net-plugin", "docker4x/cloudstor"] }
-      its('ids') { should cmp ["6ea8176de74b", "771d3ee7c7ea"] }
-      its('versions') { should cmp ["2.3.0", "18.03.1-ce-aws1"] }
-      its('enabled') { should cmp [true, false] }
-    end
-
-### info
-
-`info` returns the parsed result of [docker info](https://docs.docker.com/engine/reference/commandline/info/)
-
-    describe docker.info do
-      its('Configuration.Path') { should eq 'value' }
-    end
-
-### version
-
-`info` returns the parsed result of [docker version](https://docs.docker.com/engine/reference/commandline/version/)
-
-    describe docker.version do
-      its('Server.Version') { should cmp >= '1.12'}
-      its('Client.Version') { should cmp >= '1.12'}
-    end
-
-<br>
-
-## Properties
-
-* `id`, `image`, `repo`, `tag`, `ports`, `command`
-
-<br>
-
-## Property Examples
-
-### id
-
-    describe docker_container(name: 'an-echo-server') do
-      its('id') { should_not eq '' }
-    end
-
-### image
-
-    describe docker_container(name: 'an-echo-server') do
-      its('image') { should eq 'busybox:latest' }
-    end
-
-### repo
-
-    describe docker_container(name: 'an-echo-server') do
-      its('repo') { should eq 'busybox' }
-    end
-
-### tag
-
-    describe docker_container(name: 'an-echo-server') do
-      its('tag') { should eq 'latest' }
-    end
-
-### ports
-
-    describe docker_container(name: 'an-echo-server') do
-      its('ports') { should eq "0.0.0.0:1234->1234/tcp" }
-    end
-
-### command
-
-    describe docker_container(name: 'an-echo-server') do
-      its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
-    end
-
-<br>
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-