inspec 2.3.10 → 2.3.23

Sign up to get free protection for your applications and to get access to all the features.
Files changed (271) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +34 -13
  3. data/etc/plugin_filters.json +25 -0
  4. data/inspec.gemspec +3 -3
  5. data/lib/bundles/inspec-compliance/api.rb +3 -0
  6. data/lib/bundles/inspec-compliance/configuration.rb +3 -0
  7. data/lib/bundles/inspec-compliance/http.rb +3 -0
  8. data/lib/bundles/inspec-compliance/support.rb +3 -0
  9. data/lib/bundles/inspec-compliance/target.rb +3 -0
  10. data/lib/inspec/objects/attribute.rb +3 -0
  11. data/lib/inspec/plugin/v2.rb +3 -0
  12. data/lib/inspec/plugin/v2/filter.rb +62 -0
  13. data/lib/inspec/plugin/v2/installer.rb +21 -1
  14. data/lib/inspec/plugin/v2/loader.rb +4 -0
  15. data/lib/inspec/profile.rb +3 -1
  16. data/lib/inspec/version.rb +1 -1
  17. data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +25 -3
  18. data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb +65 -11
  19. data/lib/plugins/inspec-plugin-manager-cli/test/unit/cli_args_test.rb +5 -1
  20. data/lib/resources/package.rb +1 -1
  21. metadata +5 -253
  22. data/MAINTAINERS.toml +0 -52
  23. data/docs/.gitignore +0 -2
  24. data/docs/README.md +0 -41
  25. data/docs/dev/control-eval.md +0 -62
  26. data/docs/dev/filtertable-internals.md +0 -353
  27. data/docs/dev/filtertable-usage.md +0 -533
  28. data/docs/dev/integration-testing.md +0 -31
  29. data/docs/dev/plugins.md +0 -323
  30. data/docs/dsl_inspec.md +0 -354
  31. data/docs/dsl_resource.md +0 -100
  32. data/docs/glossary.md +0 -381
  33. data/docs/habitat.md +0 -193
  34. data/docs/inspec_and_friends.md +0 -114
  35. data/docs/matchers.md +0 -161
  36. data/docs/migration.md +0 -293
  37. data/docs/platforms.md +0 -119
  38. data/docs/plugin_kitchen_inspec.md +0 -60
  39. data/docs/plugins.md +0 -57
  40. data/docs/profiles.md +0 -576
  41. data/docs/reporters.md +0 -170
  42. data/docs/resources/aide_conf.md.erb +0 -86
  43. data/docs/resources/apache.md.erb +0 -77
  44. data/docs/resources/apache_conf.md.erb +0 -78
  45. data/docs/resources/apt.md.erb +0 -81
  46. data/docs/resources/audit_policy.md.erb +0 -57
  47. data/docs/resources/auditd.md.erb +0 -89
  48. data/docs/resources/auditd_conf.md.erb +0 -78
  49. data/docs/resources/aws_cloudtrail_trail.md.erb +0 -165
  50. data/docs/resources/aws_cloudtrail_trails.md.erb +0 -96
  51. data/docs/resources/aws_cloudwatch_alarm.md.erb +0 -101
  52. data/docs/resources/aws_cloudwatch_log_metric_filter.md.erb +0 -164
  53. data/docs/resources/aws_config_delivery_channel.md.erb +0 -111
  54. data/docs/resources/aws_config_recorder.md.erb +0 -96
  55. data/docs/resources/aws_ebs_volume.md.erb +0 -76
  56. data/docs/resources/aws_ebs_volumes.md.erb +0 -86
  57. data/docs/resources/aws_ec2_instance.md.erb +0 -122
  58. data/docs/resources/aws_ec2_instances.md.erb +0 -89
  59. data/docs/resources/aws_elb.md.erb +0 -154
  60. data/docs/resources/aws_elbs.md.erb +0 -252
  61. data/docs/resources/aws_flow_log.md.erb +0 -128
  62. data/docs/resources/aws_iam_access_key.md.erb +0 -139
  63. data/docs/resources/aws_iam_access_keys.md.erb +0 -214
  64. data/docs/resources/aws_iam_group.md.erb +0 -74
  65. data/docs/resources/aws_iam_groups.md.erb +0 -92
  66. data/docs/resources/aws_iam_password_policy.md.erb +0 -92
  67. data/docs/resources/aws_iam_policies.md.erb +0 -97
  68. data/docs/resources/aws_iam_policy.md.erb +0 -264
  69. data/docs/resources/aws_iam_role.md.erb +0 -79
  70. data/docs/resources/aws_iam_root_user.md.erb +0 -86
  71. data/docs/resources/aws_iam_user.md.erb +0 -130
  72. data/docs/resources/aws_iam_users.md.erb +0 -289
  73. data/docs/resources/aws_kms_key.md.erb +0 -187
  74. data/docs/resources/aws_kms_keys.md.erb +0 -99
  75. data/docs/resources/aws_rds_instance.md.erb +0 -76
  76. data/docs/resources/aws_route_table.md.erb +0 -63
  77. data/docs/resources/aws_route_tables.md.erb +0 -65
  78. data/docs/resources/aws_s3_bucket.md.erb +0 -156
  79. data/docs/resources/aws_s3_bucket_object.md.erb +0 -99
  80. data/docs/resources/aws_s3_buckets.md.erb +0 -69
  81. data/docs/resources/aws_security_group.md.erb +0 -323
  82. data/docs/resources/aws_security_groups.md.erb +0 -107
  83. data/docs/resources/aws_sns_subscription.md.erb +0 -140
  84. data/docs/resources/aws_sns_topic.md.erb +0 -79
  85. data/docs/resources/aws_sns_topics.md.erb +0 -68
  86. data/docs/resources/aws_subnet.md.erb +0 -150
  87. data/docs/resources/aws_subnets.md.erb +0 -142
  88. data/docs/resources/aws_vpc.md.erb +0 -135
  89. data/docs/resources/aws_vpcs.md.erb +0 -135
  90. data/docs/resources/azure_generic_resource.md.erb +0 -183
  91. data/docs/resources/azure_resource_group.md.erb +0 -294
  92. data/docs/resources/azure_virtual_machine.md.erb +0 -357
  93. data/docs/resources/azure_virtual_machine_data_disk.md.erb +0 -234
  94. data/docs/resources/bash.md.erb +0 -85
  95. data/docs/resources/bond.md.erb +0 -100
  96. data/docs/resources/bridge.md.erb +0 -67
  97. data/docs/resources/bsd_service.md.erb +0 -77
  98. data/docs/resources/chocolatey_package.md.erb +0 -68
  99. data/docs/resources/command.md.erb +0 -176
  100. data/docs/resources/cpan.md.erb +0 -89
  101. data/docs/resources/cran.md.erb +0 -74
  102. data/docs/resources/crontab.md.erb +0 -103
  103. data/docs/resources/csv.md.erb +0 -64
  104. data/docs/resources/dh_params.md.erb +0 -221
  105. data/docs/resources/directory.md.erb +0 -40
  106. data/docs/resources/docker.md.erb +0 -240
  107. data/docs/resources/docker_container.md.erb +0 -113
  108. data/docs/resources/docker_image.md.erb +0 -104
  109. data/docs/resources/docker_plugin.md.erb +0 -80
  110. data/docs/resources/docker_service.md.erb +0 -124
  111. data/docs/resources/elasticsearch.md.erb +0 -252
  112. data/docs/resources/etc_fstab.md.erb +0 -135
  113. data/docs/resources/etc_group.md.erb +0 -85
  114. data/docs/resources/etc_hosts.md.erb +0 -88
  115. data/docs/resources/etc_hosts_allow.md.erb +0 -84
  116. data/docs/resources/etc_hosts_deny.md.erb +0 -84
  117. data/docs/resources/file.md.erb +0 -543
  118. data/docs/resources/filesystem.md.erb +0 -51
  119. data/docs/resources/firewalld.md.erb +0 -117
  120. data/docs/resources/gem.md.erb +0 -108
  121. data/docs/resources/group.md.erb +0 -71
  122. data/docs/resources/grub_conf.md.erb +0 -111
  123. data/docs/resources/host.md.erb +0 -96
  124. data/docs/resources/http.md.erb +0 -207
  125. data/docs/resources/iis_app.md.erb +0 -132
  126. data/docs/resources/iis_site.md.erb +0 -145
  127. data/docs/resources/inetd_conf.md.erb +0 -104
  128. data/docs/resources/ini.md.erb +0 -86
  129. data/docs/resources/interface.md.erb +0 -68
  130. data/docs/resources/iptables.md.erb +0 -74
  131. data/docs/resources/json.md.erb +0 -73
  132. data/docs/resources/kernel_module.md.erb +0 -130
  133. data/docs/resources/kernel_parameter.md.erb +0 -63
  134. data/docs/resources/key_rsa.md.erb +0 -95
  135. data/docs/resources/launchd_service.md.erb +0 -67
  136. data/docs/resources/limits_conf.md.erb +0 -85
  137. data/docs/resources/login_defs.md.erb +0 -81
  138. data/docs/resources/mount.md.erb +0 -79
  139. data/docs/resources/mssql_session.md.erb +0 -78
  140. data/docs/resources/mysql_conf.md.erb +0 -109
  141. data/docs/resources/mysql_session.md.erb +0 -84
  142. data/docs/resources/nginx.md.erb +0 -89
  143. data/docs/resources/nginx_conf.md.erb +0 -148
  144. data/docs/resources/npm.md.erb +0 -78
  145. data/docs/resources/ntp_conf.md.erb +0 -70
  146. data/docs/resources/oneget.md.erb +0 -63
  147. data/docs/resources/oracledb_session.md.erb +0 -103
  148. data/docs/resources/os.md.erb +0 -153
  149. data/docs/resources/os_env.md.erb +0 -101
  150. data/docs/resources/package.md.erb +0 -130
  151. data/docs/resources/packages.md.erb +0 -77
  152. data/docs/resources/parse_config.md.erb +0 -113
  153. data/docs/resources/parse_config_file.md.erb +0 -148
  154. data/docs/resources/passwd.md.erb +0 -151
  155. data/docs/resources/pip.md.erb +0 -77
  156. data/docs/resources/port.md.erb +0 -147
  157. data/docs/resources/postgres_conf.md.erb +0 -89
  158. data/docs/resources/postgres_hba_conf.md.erb +0 -103
  159. data/docs/resources/postgres_ident_conf.md.erb +0 -86
  160. data/docs/resources/postgres_session.md.erb +0 -79
  161. data/docs/resources/powershell.md.erb +0 -112
  162. data/docs/resources/processes.md.erb +0 -119
  163. data/docs/resources/rabbitmq_config.md.erb +0 -51
  164. data/docs/resources/registry_key.md.erb +0 -197
  165. data/docs/resources/runit_service.md.erb +0 -67
  166. data/docs/resources/security_policy.md.erb +0 -57
  167. data/docs/resources/service.md.erb +0 -131
  168. data/docs/resources/shadow.md.erb +0 -267
  169. data/docs/resources/ssh_config.md.erb +0 -83
  170. data/docs/resources/sshd_config.md.erb +0 -93
  171. data/docs/resources/ssl.md.erb +0 -129
  172. data/docs/resources/sys_info.md.erb +0 -52
  173. data/docs/resources/systemd_service.md.erb +0 -67
  174. data/docs/resources/sysv_service.md.erb +0 -67
  175. data/docs/resources/upstart_service.md.erb +0 -67
  176. data/docs/resources/user.md.erb +0 -150
  177. data/docs/resources/users.md.erb +0 -137
  178. data/docs/resources/vbscript.md.erb +0 -65
  179. data/docs/resources/virtualization.md.erb +0 -67
  180. data/docs/resources/windows_feature.md.erb +0 -69
  181. data/docs/resources/windows_hotfix.md.erb +0 -63
  182. data/docs/resources/windows_task.md.erb +0 -95
  183. data/docs/resources/wmi.md.erb +0 -91
  184. data/docs/resources/x509_certificate.md.erb +0 -161
  185. data/docs/resources/xinetd_conf.md.erb +0 -166
  186. data/docs/resources/xml.md.erb +0 -95
  187. data/docs/resources/yaml.md.erb +0 -79
  188. data/docs/resources/yum.md.erb +0 -108
  189. data/docs/resources/zfs_dataset.md.erb +0 -63
  190. data/docs/resources/zfs_pool.md.erb +0 -57
  191. data/docs/shared/matcher_be.md.erb +0 -1
  192. data/docs/shared/matcher_cmp.md.erb +0 -43
  193. data/docs/shared/matcher_eq.md.erb +0 -3
  194. data/docs/shared/matcher_include.md.erb +0 -1
  195. data/docs/shared/matcher_match.md.erb +0 -1
  196. data/docs/shell.md +0 -217
  197. data/docs/style.md +0 -178
  198. data/examples/README.md +0 -8
  199. data/examples/custom-resource/README.md +0 -3
  200. data/examples/custom-resource/controls/example.rb +0 -7
  201. data/examples/custom-resource/inspec.yml +0 -8
  202. data/examples/custom-resource/libraries/batsignal.rb +0 -20
  203. data/examples/custom-resource/libraries/gordon.rb +0 -21
  204. data/examples/inheritance/README.md +0 -65
  205. data/examples/inheritance/controls/example.rb +0 -14
  206. data/examples/inheritance/inspec.yml +0 -16
  207. data/examples/kitchen-ansible/.kitchen.yml +0 -25
  208. data/examples/kitchen-ansible/Gemfile +0 -19
  209. data/examples/kitchen-ansible/README.md +0 -53
  210. data/examples/kitchen-ansible/files/nginx.repo +0 -6
  211. data/examples/kitchen-ansible/tasks/main.yml +0 -16
  212. data/examples/kitchen-ansible/test/integration/default/default.yml +0 -5
  213. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +0 -28
  214. data/examples/kitchen-chef/.kitchen.yml +0 -20
  215. data/examples/kitchen-chef/Berksfile +0 -3
  216. data/examples/kitchen-chef/Gemfile +0 -19
  217. data/examples/kitchen-chef/README.md +0 -27
  218. data/examples/kitchen-chef/metadata.rb +0 -7
  219. data/examples/kitchen-chef/recipes/default.rb +0 -6
  220. data/examples/kitchen-chef/recipes/nginx.rb +0 -30
  221. data/examples/kitchen-chef/test/integration/default/web_spec.rb +0 -28
  222. data/examples/kitchen-puppet/.kitchen.yml +0 -23
  223. data/examples/kitchen-puppet/Gemfile +0 -20
  224. data/examples/kitchen-puppet/Puppetfile +0 -25
  225. data/examples/kitchen-puppet/README.md +0 -53
  226. data/examples/kitchen-puppet/manifests/site.pp +0 -33
  227. data/examples/kitchen-puppet/metadata.json +0 -11
  228. data/examples/kitchen-puppet/modules/.gitkeep +0 -0
  229. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +0 -28
  230. data/examples/meta-profile/README.md +0 -37
  231. data/examples/meta-profile/controls/example.rb +0 -13
  232. data/examples/meta-profile/inspec.yml +0 -13
  233. data/examples/plugins/inspec-resource-lister/Gemfile +0 -12
  234. data/examples/plugins/inspec-resource-lister/LICENSE +0 -13
  235. data/examples/plugins/inspec-resource-lister/README.md +0 -62
  236. data/examples/plugins/inspec-resource-lister/Rakefile +0 -40
  237. data/examples/plugins/inspec-resource-lister/inspec-resource-lister.gemspec +0 -45
  238. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister.rb +0 -16
  239. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/cli_command.rb +0 -70
  240. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/plugin.rb +0 -55
  241. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/version.rb +0 -10
  242. data/examples/plugins/inspec-resource-lister/test/fixtures/README.md +0 -24
  243. data/examples/plugins/inspec-resource-lister/test/functional/README.md +0 -18
  244. data/examples/plugins/inspec-resource-lister/test/functional/inspec_resource_lister_test.rb +0 -110
  245. data/examples/plugins/inspec-resource-lister/test/helper.rb +0 -26
  246. data/examples/plugins/inspec-resource-lister/test/unit/README.md +0 -17
  247. data/examples/plugins/inspec-resource-lister/test/unit/cli_args_test.rb +0 -64
  248. data/examples/plugins/inspec-resource-lister/test/unit/plugin_def_test.rb +0 -51
  249. data/examples/profile-attribute.yml +0 -2
  250. data/examples/profile-attribute/README.md +0 -14
  251. data/examples/profile-attribute/controls/example.rb +0 -11
  252. data/examples/profile-attribute/inspec.yml +0 -8
  253. data/examples/profile-aws/controls/iam_password_policy_expiration.rb +0 -8
  254. data/examples/profile-aws/controls/iam_password_policy_max_age.rb +0 -8
  255. data/examples/profile-aws/controls/iam_root_user_mfa.rb +0 -8
  256. data/examples/profile-aws/controls/iam_users_access_key_age.rb +0 -8
  257. data/examples/profile-aws/controls/iam_users_console_users_mfa.rb +0 -8
  258. data/examples/profile-aws/inspec.yml +0 -11
  259. data/examples/profile-azure/controls/azure_resource_group_example.rb +0 -24
  260. data/examples/profile-azure/controls/azure_vm_example.rb +0 -29
  261. data/examples/profile-azure/inspec.yml +0 -11
  262. data/examples/profile-sensitive/README.md +0 -29
  263. data/examples/profile-sensitive/controls/sensitive-failures.rb +0 -9
  264. data/examples/profile-sensitive/controls/sensitive.rb +0 -9
  265. data/examples/profile-sensitive/inspec.yml +0 -8
  266. data/examples/profile/README.md +0 -48
  267. data/examples/profile/controls/example.rb +0 -24
  268. data/examples/profile/controls/gordon.rb +0 -36
  269. data/examples/profile/controls/meta.rb +0 -36
  270. data/examples/profile/inspec.yml +0 -11
  271. data/examples/profile/libraries/gordon_config.rb +0 -59
@@ -1,543 +0,0 @@
1
- ---
2
- title: About the file Resource
3
- platform: os
4
- ---
5
-
6
- # file
7
-
8
- Use the `file` InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.
9
-
10
- <br>
11
-
12
- ## Availability
13
-
14
- ### Installation
15
-
16
- This resource is distributed along with InSpec itself. You can use it automatically.
17
-
18
- ### Version
19
-
20
- This resource first became available in v1.0.0 of InSpec.
21
-
22
- ## Syntax
23
-
24
- A `file` resource block declares the location of the file type to be tested, the expected file type (if required), and one (or more) resource properties.
25
-
26
- describe file('path') do
27
- it { should PROPERTY 'value' }
28
- end
29
-
30
- where
31
-
32
- * `('path')` is the name of the file and/or the path to the file.
33
- * `PROPERTY` is a valid resource property for this resource'
34
- * `'value'` is the value to be tested.
35
-
36
- <br>
37
-
38
- ## Properties
39
-
40
- ### General Properties
41
-
42
- content, size, basename, path, owner, group, type
43
-
44
- ### Unix/Linux Properties
45
-
46
- symlink, mode, link_path, shallow_link_path, mtime, size, selinux\_label, md5sum, sha256sum, path, source, source\_path, uid, gid
47
-
48
- ### Windows Properties
49
-
50
- file\_version, product\_version
51
-
52
- <br>
53
-
54
- ## Resource Property Examples
55
-
56
- ### content
57
-
58
- The `content` property tests if contents in the file match the value specified in a regular expression. The values of the `content` property are arbitrary and depend on the file type being tested and also the type of information that is expected to be in that file:
59
-
60
- its('content') { should match REGEX }
61
-
62
- The following complete example tests the `pg_hba.conf` file in PostgreSQL for MD5 requirements. The tests look at all `host` and `local` settings in that file, and then compare the MD5 checksums against the values in the test:
63
-
64
- describe file('/etc/postgresql/9.1/main/pg_hba.conf') do
65
- its('content') { should match(%r{local\s.*?all\s.*?all\s.*?md5}) }
66
- its('content') { should match(%r{host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5}) }
67
- its('content') { should match(%r{host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5}) }
68
- end
69
-
70
- ### file_version
71
-
72
- The `file_version` property tests if a Windows file's version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
73
-
74
- its('file_version') { should eq '1.2.3' }
75
-
76
- ### group
77
-
78
- The `group` property tests if the group to which a file belongs matches the specified value.
79
-
80
- its('group') { should eq 'admins' }
81
-
82
- The following examples show how to use this InSpec audit resource.
83
-
84
- ### link_path
85
-
86
- The `link_path` property tests if the file exists at the specified path. If the file is a symlink,
87
- InSpec will resolve the symlink recursively and return the ultimate linked file.
88
-
89
- its('link_path') { should eq '/some/path/to/file' }
90
-
91
- ### shallow_link_path
92
-
93
- The `shallow_link_path`` property returns the path that the file refers to, only resolving
94
- it once (that is, it performs a readlink operation). If the file is not a symlink, nil is returned.
95
-
96
- its('shallow_link_path') { should eq '/some/path/to/file' }
97
-
98
- ### md5sum
99
-
100
- The `md5sum` property tests if the MD5 checksum for a file matches the specified value.
101
-
102
- its('md5sum') { should eq '3329x3hf9130gjs9jlasf2305mx91s4j' }
103
-
104
- ### mode
105
-
106
- The `mode` property tests if the mode assigned to the file matches the specified value.
107
-
108
- its('mode') { should cmp '0644' }
109
-
110
- InSpec [octal](https://en.wikipedia.org/wiki/Leading_zero#0_as_a_prefix) values begin the numeric mode specification with zero.
111
-
112
- For example, write:
113
-
114
- { should cmp '0644' }
115
-
116
- not
117
-
118
- { should cmp '644' }
119
-
120
- Without the zero prefix for the octal value, InSpec will interpret it as the _decimal_ value 644, which is octal 1024 or `-----w-r-T`, and any test for a file that is `-rw-r--r--` will fail.
121
-
122
- ### mtime
123
-
124
- The `mtime` property tests if the file modification time for the file matches the specified value. The mtime, where supported, is returned as the number of seconds since the epoch.
125
-
126
- describe file('/') do
127
- its('mtime') { should <= Time.now.to_i }
128
- its('mtime') { should >= Time.now.to_i - 1000 }
129
- end
130
-
131
- ### owner
132
-
133
- The `owner` property tests if the owner of the file matches the specified value.
134
-
135
- its('owner') { should eq 'root' }
136
-
137
- ### product_version
138
-
139
- The `product_version` property tests if a Windows file's product version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates.
140
-
141
- its('product_version') { should eq '2.3.4' }
142
-
143
- ### selinux_label
144
-
145
- The `selinux_label` property tests if the SELinux label for a file matches the specified value.
146
-
147
- its('selinux_label') { should eq 'system_u:system_r:httpd_t:s0' }
148
-
149
- ### sha256sum
150
-
151
- The `sha256sum` property tests if the SHA-256 checksum for a file matches the specified value.
152
-
153
- its('sha256sum') { should eq 'b837ch38lh19bb8eaopl8jvxwd2e4g58jn9lkho1w3ed9jbkeicalplaad9k0pjn' }
154
-
155
- ### size
156
-
157
- The `size` property tests if a file's size matches, is greater than, or is less than the specified value. For example, equal:
158
-
159
- its('size') { should eq 32375 }
160
-
161
- Greater than:
162
-
163
- its('size') { should > 64 }
164
-
165
- Less than:
166
-
167
- its('size') { should < 10240 }
168
-
169
- ### type
170
-
171
- The `type` property tests for the file type. The available types are:
172
-
173
- * `file`: the object is a file
174
- * `directory`: the object is a directory
175
- * `link`: the object is a symbolic link
176
- * `pipe`: the object is a named pipe
177
- * `socket`: the object is a socket
178
- * `character_device`: the object is a character device
179
- * `block_device`: the object is a block device
180
- * `door`: the object is a door device
181
-
182
- The `type` method usually returns the type as a Ruby "symbol". We recommend using the `cmp` matcher to match
183
- either by symbol or string.
184
-
185
- For example:
186
-
187
- its('type') { should eq :file }
188
- its('type') { should cmp 'file' }
189
-
190
- or:
191
-
192
- its('type') { should eq :socket }
193
- its('type') { should cmp 'socket' }
194
-
195
- ### Test the contents of a file for MD5 requirements
196
-
197
- describe file('/etc/postgresql/9.1/main/pg_hba.conf') do
198
- its('content') { should match /local\s.*?all\s.*?all\s.*?md5/ }
199
- its('content') { should match %r{/host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5/} }
200
- its('content') { should match %r{/host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5/} }
201
- end
202
-
203
- ### Test if a file exists
204
-
205
- describe file('/tmp') do
206
- it { should exist }
207
- end
208
-
209
- ### Test that a file does not exist
210
-
211
- describe file('/tmpest') do
212
- it { should_not exist }
213
- end
214
-
215
- ### Test if a path is a directory
216
-
217
- describe file('/tmp') do
218
- its('type') { should eq :directory }
219
- it { should be_directory }
220
- end
221
-
222
- ### Test if a path is a file and not a directory
223
-
224
- describe file('/proc/version') do
225
- its('type') { should cmp 'file' }
226
- it { should be_file }
227
- it { should_not be_directory }
228
- end
229
-
230
- ### Test if a file is a symbolic link
231
-
232
- describe file('/dev/stdout') do
233
- its('type') { should cmp 'symlink' }
234
- it { should be_symlink }
235
- it { should_not be_file }
236
- it { should_not be_directory }
237
- end
238
-
239
- ### Test if a file is a character device
240
-
241
- describe file('/dev/zero') do
242
- its('type') { should cmp 'character' }
243
- it { should be_character_device }
244
- it { should_not be_file }
245
- it { should_not be_directory }
246
- end
247
-
248
- ### Test if a file is a block device
249
-
250
- describe file('/dev/zero') do
251
- its('type') { should cmp 'block' }
252
- it { should be_character_device }
253
- it { should_not be_file }
254
- it { should_not be_directory }
255
- end
256
-
257
- ### Test the mode for a file
258
-
259
- describe file('/dev') do
260
- its('mode') { should cmp '00755' }
261
- end
262
-
263
- ### Test the owner of a file
264
-
265
- describe file('/root') do
266
- its('owner') { should eq 'root' }
267
- end
268
-
269
- ### Test if a file is owned by the root user
270
-
271
- describe file('/dev') do
272
- it { should be_owned_by 'root' }
273
- end
274
-
275
- ### Test the mtime for a file
276
-
277
- describe file('/') do
278
- its('mtime') { should <= Time.now.to_i }
279
- its('mtime') { should >= Time.now.to_i - 1000 }
280
- end
281
-
282
- ### Test that a file's size is between 64 and 10240
283
-
284
- describe file('/') do
285
- its('size') { should be > 64 }
286
- its('size') { should be < 10240 }
287
- end
288
-
289
- ### Test that a file's size is zero
290
-
291
- describe file('/proc/cpuinfo') do
292
- its('size') { should be 0 }
293
- end
294
-
295
-
296
- ### Test an MD5 checksum
297
-
298
- require 'digest'
299
- cpuinfo = file('/proc/cpuinfo').content
300
-
301
- md5sum = Digest::MD5.hexdigest(cpuinfo)
302
-
303
- describe file('/proc/cpuinfo') do
304
- its('md5sum') { should eq md5sum }
305
- end
306
-
307
- ### Test an SHA-256 checksum
308
-
309
- require 'digest'
310
- cpuinfo = file('/proc/cpuinfo').content
311
-
312
- sha256sum = Digest::SHA256.hexdigest(cpuinfo)
313
-
314
- describe file('/proc/cpuinfo') do
315
- its('sha256sum') { should eq sha256sum }
316
- end
317
-
318
- ### Verify NTP
319
-
320
- The following example shows how to use the `file` audit resource to verify if the `ntp.conf` and `leap-seconds` files are present, and then the `command` resource to verify if NTP is installed and running:
321
-
322
- describe file('/etc/ntp.conf') do
323
- it { should be_file }
324
- end
325
-
326
- describe file('/etc/ntp.leapseconds') do
327
- it { should be_file }
328
- end
329
-
330
- describe command('pgrep ntp') do
331
- its('exit_status') { should eq 0 }
332
- end
333
-
334
- ### Test parameters of symlinked file
335
-
336
- If you need to test the parameters of the target file for a symlink, you can use the `link_path` (recursive resolution) or `shallow_link_path` (direct link) method for the `file` resource.
337
-
338
- For example, for the following symlink:
339
-
340
- lrwxrwxrwx. 1 root root 11 03-10 17:56 /dev/virtio-ports/com.redhat.rhevm.vdsm -> ../vport2p1
341
-
342
- ... you can write controls for both the link and the target.
343
-
344
- describe file('/dev/virtio-ports/com.redhat.rhevm.vdsm') do
345
- it { should be_symlink }
346
- end
347
-
348
- virito_port_vdsm = file('/dev/virtio-ports/com.redhat.rhevm.vdsm').link_path
349
- describe file(virito_port_vdsm) do
350
- it { should exist }
351
- it { should be_character_device }
352
- it { should be_owned_by 'ovirtagent' }
353
- it { should be_grouped_into 'ovirtagent' }
354
- end
355
-
356
- <br>
357
-
358
- ## Matchers
359
-
360
- For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
361
-
362
- ### be\_allowed
363
-
364
- The `be_allowed` matcher tests if the file contains a certain permission set, such as `execute` or `write` in Unix and [`full-control` or `modify` in Windows](https://www.codeproject.com/Reference/871338/AccessControl-FileSystemRights-Permissions-Table).
365
-
366
- it { should be_allowed('read') }
367
-
368
- Just like with `be_executable` and other permissions, one can check for the permission with respect to the specific user or group.
369
-
370
- it { should be_allowed('full-control', by_user: 'MyComputerName\Administrator') }
371
-
372
- OR
373
-
374
- it { should be_allowed('write', by: 'root') }
375
-
376
- ### be\_block\_device
377
-
378
- The `be_block_device` matcher tests if the file exists as a block device, such as `/dev/disk0` or `/dev/disk0s9`:
379
-
380
- it { should be_block_device }
381
-
382
- ### be\_character\_device
383
-
384
- The `be_character_device` matcher tests if the file exists as a character device (that corresponds to a block device), such as `/dev/rdisk0` or `/dev/rdisk0s9`:
385
-
386
- it { should be_character_device }
387
-
388
- ### be_directory
389
-
390
- The `be_directory` matcher tests if the file exists as a directory, such as `/etc/passwd`, `/etc/shadow`, or `/var/log/httpd`:
391
-
392
- it { should be_directory }
393
-
394
- ### be_executable
395
-
396
- The `be_executable` matcher tests if the file exists as an executable:
397
-
398
- it { should be_executable }
399
-
400
- The `be_executable` matcher may also test if the file is executable by a specific owner, group, or user. For example, a group:
401
-
402
- it { should be_executable.by('group') }
403
-
404
- an owner:
405
-
406
- it { should be_executable.by('owner') }
407
-
408
- any user other than the owner or members of the file's group:
409
-
410
- it { should be_executable.by('others') }
411
-
412
- a user:
413
-
414
- it { should be_executable.by_user('user') }
415
-
416
- ### be_file
417
-
418
- The `be_file` matcher tests if the file exists as a file. This can be useful with configuration files like `/etc/passwd` where there typically is not an associated file extension---`passwd.txt`:
419
-
420
- it { should be_file }
421
-
422
- ### be\_grouped\_into
423
-
424
- The `be_grouped_into` matcher tests if the file exists as part of the named group:
425
-
426
- it { should be_grouped_into 'group' }
427
-
428
- ### be_immutable
429
-
430
- The `be_immutable` matcher tests if the file is immutable, i.e. "cannot be changed":
431
-
432
- it { should be_immutable }
433
-
434
- ### be\_linked\_to
435
-
436
- The `be_linked_to` matcher tests if the file is linked to the named target:
437
-
438
- it { should be_linked_to '/etc/target-file' }
439
-
440
-
441
- ### be\_owned\_by
442
-
443
- The `be_owned_by` matcher tests if the file is owned by the named user, such as `root`:
444
-
445
- it { should be_owned_by 'root' }
446
-
447
- ### be_pipe
448
-
449
- The `be_pipe` matcher tests if the file exists as first-in, first-out special file (`.fifo`) that is typically used to define a named pipe, such as `/var/log/nginx/access.log.fifo`:
450
-
451
- it { should be_pipe }
452
-
453
- ### be_readable
454
-
455
- The `be_readable` matcher tests if the file is readable:
456
-
457
- it { should be_readable }
458
-
459
- The `be_readable` matcher may also test if the file is readable by a specific owner, group, or user. For example, a group:
460
-
461
- it { should be_readable.by('group') }
462
-
463
- an owner:
464
-
465
- it { should be_readable.by('owner') }
466
-
467
- any user other than the owner or members of the file's group:
468
-
469
- it { should be_readable.by('others') }
470
-
471
- a user:
472
-
473
- it { should be_readable.by_user('user') }
474
-
475
- ### be_setgid
476
-
477
- The `be_setgid` matcher tests if the 'setgid' permission is set on the file or directory. On executable files, this causes the process to be started owned by the group that owns the file, rather than the primary group of the invocating user. This can result in escalation of privilege. On Linux, when setgid is set on directories, setgid causes newly created files and directories to be owned by the group that owns the setgid parent directory; additionally, newly created subdirectories will have the setgid bit set. To use this matcher:
478
-
479
- it { should be_setgid }
480
-
481
- ### be_socket
482
-
483
- The `be_socket` matcher tests if the file exists as socket (`.sock`), such as `/var/run/php-fpm.sock`:
484
-
485
- it { should be_socket }
486
-
487
- ### be_sticky
488
-
489
- The `be_sticky` matcher tests if the 'sticky bit' permission is set on the directory. On directories, this restricts file deletion to the owner of the file, even if the permission of the parent directory would normally permit deletion by others. This is commonly used on /tmp filesystems. To use this matcher:
490
-
491
- it { should be_sticky }
492
-
493
- ### be_setuid
494
-
495
- The `be_setuid` matcher tests if the 'setuid' permission is set on the file. On executable files, this causes the process to be started owned by the user that owns the file, rather than invocating user. This can result in escalation of privilege. To use this matcher:
496
-
497
- it { should be_setuid }
498
-
499
- ### be_symlink
500
-
501
- The `be_symlink` matcher tests if the file exists as a symbolic, or soft link that contains an absolute or relative path reference to another file:
502
-
503
- it { should be_symlink }
504
-
505
- ### be_version
506
-
507
- The `be_version` matcher tests the version of the file:
508
-
509
- it { should be_version '1.2.3' }
510
-
511
- ### be_writable
512
-
513
- The `be_writable` matcher tests if the file is writable:
514
-
515
- it { should be_writable }
516
-
517
- The `be_writable` matcher may also test if the file is writable by a specific owner, group, or user. For example, a group:
518
-
519
- it { should be_writable.by('group') }
520
-
521
- an owner:
522
-
523
- it { should be_writable.by('owner') }
524
-
525
- any user other than the owner or members of the file's group:
526
-
527
- it { should be_writable.by('others') }
528
-
529
- a user:
530
-
531
- it { should be_writable.by_user('user') }
532
-
533
- ### exist
534
-
535
- The `exist` matcher tests if the named file exists:
536
-
537
- it { should exist }
538
-
539
- ### have_mode
540
-
541
- The `have_mode` matcher tests if a file has a mode assigned to it:
542
-
543
- it { should have_mode }