inspec 2.3.10 → 2.3.23

Files changed (271) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +34 -13
  3. data/etc/plugin_filters.json +25 -0
  4. data/inspec.gemspec +3 -3
  5. data/lib/bundles/inspec-compliance/api.rb +3 -0
  6. data/lib/bundles/inspec-compliance/configuration.rb +3 -0
  7. data/lib/bundles/inspec-compliance/http.rb +3 -0
  8. data/lib/bundles/inspec-compliance/support.rb +3 -0
  9. data/lib/bundles/inspec-compliance/target.rb +3 -0
  10. data/lib/inspec/objects/attribute.rb +3 -0
  11. data/lib/inspec/plugin/v2.rb +3 -0
  12. data/lib/inspec/plugin/v2/filter.rb +62 -0
  13. data/lib/inspec/plugin/v2/installer.rb +21 -1
  14. data/lib/inspec/plugin/v2/loader.rb +4 -0
  15. data/lib/inspec/profile.rb +3 -1
  16. data/lib/inspec/version.rb +1 -1
  17. data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +25 -3
  18. data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb +65 -11
  19. data/lib/plugins/inspec-plugin-manager-cli/test/unit/cli_args_test.rb +5 -1
  20. data/lib/resources/package.rb +1 -1
  21. metadata +5 -253
  22. data/MAINTAINERS.toml +0 -52
  23. data/docs/.gitignore +0 -2
  24. data/docs/README.md +0 -41
  25. data/docs/dev/control-eval.md +0 -62
  26. data/docs/dev/filtertable-internals.md +0 -353
  27. data/docs/dev/filtertable-usage.md +0 -533
  28. data/docs/dev/integration-testing.md +0 -31
  29. data/docs/dev/plugins.md +0 -323
  30. data/docs/dsl_inspec.md +0 -354
  31. data/docs/dsl_resource.md +0 -100
  32. data/docs/glossary.md +0 -381
  33. data/docs/habitat.md +0 -193
  34. data/docs/inspec_and_friends.md +0 -114
  35. data/docs/matchers.md +0 -161
  36. data/docs/migration.md +0 -293
  37. data/docs/platforms.md +0 -119
  38. data/docs/plugin_kitchen_inspec.md +0 -60
  39. data/docs/plugins.md +0 -57
  40. data/docs/profiles.md +0 -576
  41. data/docs/reporters.md +0 -170
  42. data/docs/resources/aide_conf.md.erb +0 -86
  43. data/docs/resources/apache.md.erb +0 -77
  44. data/docs/resources/apache_conf.md.erb +0 -78
  45. data/docs/resources/apt.md.erb +0 -81
  46. data/docs/resources/audit_policy.md.erb +0 -57
  47. data/docs/resources/auditd.md.erb +0 -89
  48. data/docs/resources/auditd_conf.md.erb +0 -78
  49. data/docs/resources/aws_cloudtrail_trail.md.erb +0 -165
  50. data/docs/resources/aws_cloudtrail_trails.md.erb +0 -96
  51. data/docs/resources/aws_cloudwatch_alarm.md.erb +0 -101
  52. data/docs/resources/aws_cloudwatch_log_metric_filter.md.erb +0 -164
  53. data/docs/resources/aws_config_delivery_channel.md.erb +0 -111
  54. data/docs/resources/aws_config_recorder.md.erb +0 -96
  55. data/docs/resources/aws_ebs_volume.md.erb +0 -76
  56. data/docs/resources/aws_ebs_volumes.md.erb +0 -86
  57. data/docs/resources/aws_ec2_instance.md.erb +0 -122
  58. data/docs/resources/aws_ec2_instances.md.erb +0 -89
  59. data/docs/resources/aws_elb.md.erb +0 -154
  60. data/docs/resources/aws_elbs.md.erb +0 -252
  61. data/docs/resources/aws_flow_log.md.erb +0 -128
  62. data/docs/resources/aws_iam_access_key.md.erb +0 -139
  63. data/docs/resources/aws_iam_access_keys.md.erb +0 -214
  64. data/docs/resources/aws_iam_group.md.erb +0 -74
  65. data/docs/resources/aws_iam_groups.md.erb +0 -92
  66. data/docs/resources/aws_iam_password_policy.md.erb +0 -92
  67. data/docs/resources/aws_iam_policies.md.erb +0 -97
  68. data/docs/resources/aws_iam_policy.md.erb +0 -264
  69. data/docs/resources/aws_iam_role.md.erb +0 -79
  70. data/docs/resources/aws_iam_root_user.md.erb +0 -86
  71. data/docs/resources/aws_iam_user.md.erb +0 -130
  72. data/docs/resources/aws_iam_users.md.erb +0 -289
  73. data/docs/resources/aws_kms_key.md.erb +0 -187
  74. data/docs/resources/aws_kms_keys.md.erb +0 -99
  75. data/docs/resources/aws_rds_instance.md.erb +0 -76
  76. data/docs/resources/aws_route_table.md.erb +0 -63
  77. data/docs/resources/aws_route_tables.md.erb +0 -65
  78. data/docs/resources/aws_s3_bucket.md.erb +0 -156
  79. data/docs/resources/aws_s3_bucket_object.md.erb +0 -99
  80. data/docs/resources/aws_s3_buckets.md.erb +0 -69
  81. data/docs/resources/aws_security_group.md.erb +0 -323
  82. data/docs/resources/aws_security_groups.md.erb +0 -107
  83. data/docs/resources/aws_sns_subscription.md.erb +0 -140
  84. data/docs/resources/aws_sns_topic.md.erb +0 -79
  85. data/docs/resources/aws_sns_topics.md.erb +0 -68
  86. data/docs/resources/aws_subnet.md.erb +0 -150
  87. data/docs/resources/aws_subnets.md.erb +0 -142
  88. data/docs/resources/aws_vpc.md.erb +0 -135
  89. data/docs/resources/aws_vpcs.md.erb +0 -135
  90. data/docs/resources/azure_generic_resource.md.erb +0 -183
  91. data/docs/resources/azure_resource_group.md.erb +0 -294
  92. data/docs/resources/azure_virtual_machine.md.erb +0 -357
  93. data/docs/resources/azure_virtual_machine_data_disk.md.erb +0 -234
  94. data/docs/resources/bash.md.erb +0 -85
  95. data/docs/resources/bond.md.erb +0 -100
  96. data/docs/resources/bridge.md.erb +0 -67
  97. data/docs/resources/bsd_service.md.erb +0 -77
  98. data/docs/resources/chocolatey_package.md.erb +0 -68
  99. data/docs/resources/command.md.erb +0 -176
  100. data/docs/resources/cpan.md.erb +0 -89
  101. data/docs/resources/cran.md.erb +0 -74
  102. data/docs/resources/crontab.md.erb +0 -103
  103. data/docs/resources/csv.md.erb +0 -64
  104. data/docs/resources/dh_params.md.erb +0 -221
  105. data/docs/resources/directory.md.erb +0 -40
  106. data/docs/resources/docker.md.erb +0 -240
  107. data/docs/resources/docker_container.md.erb +0 -113
  108. data/docs/resources/docker_image.md.erb +0 -104
  109. data/docs/resources/docker_plugin.md.erb +0 -80
  110. data/docs/resources/docker_service.md.erb +0 -124
  111. data/docs/resources/elasticsearch.md.erb +0 -252
  112. data/docs/resources/etc_fstab.md.erb +0 -135
  113. data/docs/resources/etc_group.md.erb +0 -85
  114. data/docs/resources/etc_hosts.md.erb +0 -88
  115. data/docs/resources/etc_hosts_allow.md.erb +0 -84
  116. data/docs/resources/etc_hosts_deny.md.erb +0 -84
  117. data/docs/resources/file.md.erb +0 -543
  118. data/docs/resources/filesystem.md.erb +0 -51
  119. data/docs/resources/firewalld.md.erb +0 -117
  120. data/docs/resources/gem.md.erb +0 -108
  121. data/docs/resources/group.md.erb +0 -71
  122. data/docs/resources/grub_conf.md.erb +0 -111
  123. data/docs/resources/host.md.erb +0 -96
  124. data/docs/resources/http.md.erb +0 -207
  125. data/docs/resources/iis_app.md.erb +0 -132
  126. data/docs/resources/iis_site.md.erb +0 -145
  127. data/docs/resources/inetd_conf.md.erb +0 -104
  128. data/docs/resources/ini.md.erb +0 -86
  129. data/docs/resources/interface.md.erb +0 -68
  130. data/docs/resources/iptables.md.erb +0 -74
  131. data/docs/resources/json.md.erb +0 -73
  132. data/docs/resources/kernel_module.md.erb +0 -130
  133. data/docs/resources/kernel_parameter.md.erb +0 -63
  134. data/docs/resources/key_rsa.md.erb +0 -95
  135. data/docs/resources/launchd_service.md.erb +0 -67
  136. data/docs/resources/limits_conf.md.erb +0 -85
  137. data/docs/resources/login_defs.md.erb +0 -81
  138. data/docs/resources/mount.md.erb +0 -79
  139. data/docs/resources/mssql_session.md.erb +0 -78
  140. data/docs/resources/mysql_conf.md.erb +0 -109
  141. data/docs/resources/mysql_session.md.erb +0 -84
  142. data/docs/resources/nginx.md.erb +0 -89
  143. data/docs/resources/nginx_conf.md.erb +0 -148
  144. data/docs/resources/npm.md.erb +0 -78
  145. data/docs/resources/ntp_conf.md.erb +0 -70
  146. data/docs/resources/oneget.md.erb +0 -63
  147. data/docs/resources/oracledb_session.md.erb +0 -103
  148. data/docs/resources/os.md.erb +0 -153
  149. data/docs/resources/os_env.md.erb +0 -101
  150. data/docs/resources/package.md.erb +0 -130
  151. data/docs/resources/packages.md.erb +0 -77
  152. data/docs/resources/parse_config.md.erb +0 -113
  153. data/docs/resources/parse_config_file.md.erb +0 -148
  154. data/docs/resources/passwd.md.erb +0 -151
  155. data/docs/resources/pip.md.erb +0 -77
  156. data/docs/resources/port.md.erb +0 -147
  157. data/docs/resources/postgres_conf.md.erb +0 -89
  158. data/docs/resources/postgres_hba_conf.md.erb +0 -103
  159. data/docs/resources/postgres_ident_conf.md.erb +0 -86
  160. data/docs/resources/postgres_session.md.erb +0 -79
  161. data/docs/resources/powershell.md.erb +0 -112
  162. data/docs/resources/processes.md.erb +0 -119
  163. data/docs/resources/rabbitmq_config.md.erb +0 -51
  164. data/docs/resources/registry_key.md.erb +0 -197
  165. data/docs/resources/runit_service.md.erb +0 -67
  166. data/docs/resources/security_policy.md.erb +0 -57
  167. data/docs/resources/service.md.erb +0 -131
  168. data/docs/resources/shadow.md.erb +0 -267
  169. data/docs/resources/ssh_config.md.erb +0 -83
  170. data/docs/resources/sshd_config.md.erb +0 -93
  171. data/docs/resources/ssl.md.erb +0 -129
  172. data/docs/resources/sys_info.md.erb +0 -52
  173. data/docs/resources/systemd_service.md.erb +0 -67
  174. data/docs/resources/sysv_service.md.erb +0 -67
  175. data/docs/resources/upstart_service.md.erb +0 -67
  176. data/docs/resources/user.md.erb +0 -150
  177. data/docs/resources/users.md.erb +0 -137
  178. data/docs/resources/vbscript.md.erb +0 -65
  179. data/docs/resources/virtualization.md.erb +0 -67
  180. data/docs/resources/windows_feature.md.erb +0 -69
  181. data/docs/resources/windows_hotfix.md.erb +0 -63
  182. data/docs/resources/windows_task.md.erb +0 -95
  183. data/docs/resources/wmi.md.erb +0 -91
  184. data/docs/resources/x509_certificate.md.erb +0 -161
  185. data/docs/resources/xinetd_conf.md.erb +0 -166
  186. data/docs/resources/xml.md.erb +0 -95
  187. data/docs/resources/yaml.md.erb +0 -79
  188. data/docs/resources/yum.md.erb +0 -108
  189. data/docs/resources/zfs_dataset.md.erb +0 -63
  190. data/docs/resources/zfs_pool.md.erb +0 -57
  191. data/docs/shared/matcher_be.md.erb +0 -1
  192. data/docs/shared/matcher_cmp.md.erb +0 -43
  193. data/docs/shared/matcher_eq.md.erb +0 -3
  194. data/docs/shared/matcher_include.md.erb +0 -1
  195. data/docs/shared/matcher_match.md.erb +0 -1
  196. data/docs/shell.md +0 -217
  197. data/docs/style.md +0 -178
  198. data/examples/README.md +0 -8
  199. data/examples/custom-resource/README.md +0 -3
  200. data/examples/custom-resource/controls/example.rb +0 -7
  201. data/examples/custom-resource/inspec.yml +0 -8
  202. data/examples/custom-resource/libraries/batsignal.rb +0 -20
  203. data/examples/custom-resource/libraries/gordon.rb +0 -21
  204. data/examples/inheritance/README.md +0 -65
  205. data/examples/inheritance/controls/example.rb +0 -14
  206. data/examples/inheritance/inspec.yml +0 -16
  207. data/examples/kitchen-ansible/.kitchen.yml +0 -25
  208. data/examples/kitchen-ansible/Gemfile +0 -19
  209. data/examples/kitchen-ansible/README.md +0 -53
  210. data/examples/kitchen-ansible/files/nginx.repo +0 -6
  211. data/examples/kitchen-ansible/tasks/main.yml +0 -16
  212. data/examples/kitchen-ansible/test/integration/default/default.yml +0 -5
  213. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +0 -28
  214. data/examples/kitchen-chef/.kitchen.yml +0 -20
  215. data/examples/kitchen-chef/Berksfile +0 -3
  216. data/examples/kitchen-chef/Gemfile +0 -19
  217. data/examples/kitchen-chef/README.md +0 -27
  218. data/examples/kitchen-chef/metadata.rb +0 -7
  219. data/examples/kitchen-chef/recipes/default.rb +0 -6
  220. data/examples/kitchen-chef/recipes/nginx.rb +0 -30
  221. data/examples/kitchen-chef/test/integration/default/web_spec.rb +0 -28
  222. data/examples/kitchen-puppet/.kitchen.yml +0 -23
  223. data/examples/kitchen-puppet/Gemfile +0 -20
  224. data/examples/kitchen-puppet/Puppetfile +0 -25
  225. data/examples/kitchen-puppet/README.md +0 -53
  226. data/examples/kitchen-puppet/manifests/site.pp +0 -33
  227. data/examples/kitchen-puppet/metadata.json +0 -11
  228. data/examples/kitchen-puppet/modules/.gitkeep +0 -0
  229. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +0 -28
  230. data/examples/meta-profile/README.md +0 -37
  231. data/examples/meta-profile/controls/example.rb +0 -13
  232. data/examples/meta-profile/inspec.yml +0 -13
  233. data/examples/plugins/inspec-resource-lister/Gemfile +0 -12
  234. data/examples/plugins/inspec-resource-lister/LICENSE +0 -13
  235. data/examples/plugins/inspec-resource-lister/README.md +0 -62
  236. data/examples/plugins/inspec-resource-lister/Rakefile +0 -40
  237. data/examples/plugins/inspec-resource-lister/inspec-resource-lister.gemspec +0 -45
  238. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister.rb +0 -16
  239. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/cli_command.rb +0 -70
  240. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/plugin.rb +0 -55
  241. data/examples/plugins/inspec-resource-lister/lib/inspec-resource-lister/version.rb +0 -10
  242. data/examples/plugins/inspec-resource-lister/test/fixtures/README.md +0 -24
  243. data/examples/plugins/inspec-resource-lister/test/functional/README.md +0 -18
  244. data/examples/plugins/inspec-resource-lister/test/functional/inspec_resource_lister_test.rb +0 -110
  245. data/examples/plugins/inspec-resource-lister/test/helper.rb +0 -26
  246. data/examples/plugins/inspec-resource-lister/test/unit/README.md +0 -17
  247. data/examples/plugins/inspec-resource-lister/test/unit/cli_args_test.rb +0 -64
  248. data/examples/plugins/inspec-resource-lister/test/unit/plugin_def_test.rb +0 -51
  249. data/examples/profile-attribute.yml +0 -2
  250. data/examples/profile-attribute/README.md +0 -14
  251. data/examples/profile-attribute/controls/example.rb +0 -11
  252. data/examples/profile-attribute/inspec.yml +0 -8
  253. data/examples/profile-aws/controls/iam_password_policy_expiration.rb +0 -8
  254. data/examples/profile-aws/controls/iam_password_policy_max_age.rb +0 -8
  255. data/examples/profile-aws/controls/iam_root_user_mfa.rb +0 -8
  256. data/examples/profile-aws/controls/iam_users_access_key_age.rb +0 -8
  257. data/examples/profile-aws/controls/iam_users_console_users_mfa.rb +0 -8
  258. data/examples/profile-aws/inspec.yml +0 -11
  259. data/examples/profile-azure/controls/azure_resource_group_example.rb +0 -24
  260. data/examples/profile-azure/controls/azure_vm_example.rb +0 -29
  261. data/examples/profile-azure/inspec.yml +0 -11
  262. data/examples/profile-sensitive/README.md +0 -29
  263. data/examples/profile-sensitive/controls/sensitive-failures.rb +0 -9
  264. data/examples/profile-sensitive/controls/sensitive.rb +0 -9
  265. data/examples/profile-sensitive/inspec.yml +0 -8
  266. data/examples/profile/README.md +0 -48
  267. data/examples/profile/controls/example.rb +0 -24
  268. data/examples/profile/controls/gordon.rb +0 -36
  269. data/examples/profile/controls/meta.rb +0 -36
  270. data/examples/profile/inspec.yml +0 -11
  271. data/examples/profile/libraries/gordon_config.rb +0 -59
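--- a/data/docs/resources/shadow.md.erb
+++ /dev/null
@@ -1,267 +0,0 @@
----
-title: About the shadow Resource
-platform: linux
----
-
-# shadow
-
-Use the `shadow` InSpec audit resource to test the contents of `/etc/shadow`, which contains password details that are readable only by the `root` user. `shadow` is a [plural resource](https://www.inspec.io/docs/reference/glossary/#plural_resource). Like all plural resources, it functions by performing searches across multiple entries in the shadow file.
-
-The format for `/etc/shadow` includes:
-
-* A username
-* The hashed password for that user
-* The last date a password was changed, as the number of days since Jan 1 1970
-* The minimum number of days a password must exist, before it may be changed
-* The maximum number of days after which a password must be changed
-* The number of days a user is warned about an expiring password
-* The number of days a user must be inactive before the user account is disabled
-* The date on which a user account was disabled, as the number of days since Jan 1 1970
-
-These entries are defined as a colon-delimited row in the file, one row per user:
-
-dannos:Gb7crrO5CDF.:10063:0:99999:7:::
-
-The `shadow` resource understands this format, allows you to search on the fields, and exposes the selected users' properties.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v1.0.0 of InSpec.
-
-## Resource Parameters
-
-The `shadow` resource takes one optional parameter: the path to the shadow file. If omitted, `/etc/shadow` is assumed.
-
-# Expect a file to exist at the default location and have 32 users
-describe shadow do
-its('count') { should eq 32 }
-end
-
-# Use a custom location
-describe shadow('/etc/my-custom-place/shadow') do
-its('count') { should eq 32 }
-end
-
-## Examples
-
-A `shadow` resource block uses `where` to filter entries from the shadow file. If `where` is omitted, all entries are selected.
-
-# Select all users. Among them, there should not be a user with the name 'forbidden_user'.
-describe shadow do
-its('users') { should_not include 'forbidden_user' }
-end
-
-# Ensure there is only one user named 'root' (Select all with name 'root', then count them).
-describe shadow.where(user: 'root') do
-its('count') { should eq 1 }
-end
-
-Use `where` to match any of the supported [filter criteria](#filter_criteria). `where` has a method form for simple equality and a block form for more complex queries.
-
-# Method form, simple
-# Select just the root user (direct equality)
-describe shadow.where(user: 'root') do
-its ('count') { should eq 1 }
-end
-
-# Method form, with a regex
-# Select all users whose names begin with smb
-describe shadow.where(user: /^smb/) do
-its ('count') { should eq 2 }
-end
-
-# Block form
-# Select users whose passwords have expired
-describe shadow.where { expiry_date > 0 } do
-# This test directly asserts that there should be 0 such users
-its('count') { should eq 0 }
-# But if the count test fails, this test outputs the users that are causing the failure.
-its('users') { should be_empty }
-end
-
-<br>
-
-## Properties
-
-As a [plural resource](https://www.inspec.io/docs/reference/glossary/#plural_resource), all of `shadow`'s properties return lists (that is, Ruby Arrays). `include` and `be_empty` are two useful matchers when working with lists. You can also perform manipulation of the lists, such as calling `uniq`, `sort`, `count`, `first`, `last`, `min`, and `max`.
-
-### users
-
-A list of strings, representing the usernames matched by the filter.
-
-describe shadow
-its('users') { should include 'root' }
-end
-
-### passwords
-
-A list of strings, representing the encrypted password strings for entries matched by the `where` filter. Each string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed. Different operating systems use different flags here (such as `*LK*` to indicate the account is locked).
-
-# Use uniq to remove duplicates, then determine
-# if the only password left on the list is '*'
-describe shadow.where(user: /adm$/) do
-its('passwords.uniq.first') { should cmp '*' }
-its('passwords.uniq.count') { should eq 1 }
-end
-
-### last\_changes
-
-A list of integers, indicating the number of days since Jan 1 1970 since the password for each matching entry was changed.
-
-# Ensure all entries have changed their password in the last 90 days. (Probably want a filter on that)
-describe shadow do
-its('last_changes.min') { should be < Date.today - 90 - Date.new(1970,1,1) }
-end
-
-### min\_days
-
-A list of integers reflecting the minimum number of days a password must exist, before it may be changed, for the users that matched the filter.
-
-# min_days seems crazy today; make sure it is zero for everyone
-describe shadow do
-its('min_days.uniq') { should eq [0] }
-end
-
-### max\_days
-
-A list of integers reflecting the maximum number of days after which the password must be changed for each user matching the filter.
-
-# Make sure there is no policy allowing longer than 90 days
-describe shadow do
-its('max_days.max') { should be < 90 }
-end
-
-### warn\_days
-
-A list of integers reflecting the number of days a user is warned about an expiring password for each user matching the filter.
-
-# Ensure everyone gets the same 7-day policy
-describe shadow do
-its('warn_days.uniq.count') { should eq 1 }
-its('warn_days.uniq.first') { should eq 7 }
-end
-
-### inactive\_days
-
-A list of integers reflecting the number of days a user must be inactive before the user account is disabled for each user matching the filter.
-
-# Ensure everyone except admins has an stale policy of no more than 14 days
-describe shadow.where { user !~ /adm$/ } do
-its('inactive_days.max') { should be <= 14 }
-end
-
-### expiry\_dates
-
-A list of integers reflecting the number of days since Jan 1 1970 that a user account has been disabled, for each user matching the filter. Value is `nil` if the account has not expired.
-
-# No one should have an expired account.
-describe shadow do
-its('expiry_dates.compact') { should be_empty }
-end
-
-### count
-
-The `count` property tests the number of records that the filter matched.
-
-# Should probably only have one root user
-describe shadow.user('root') do
-its('count') { should eq 1 }
-end
-
-<br>
-
-## Filter Criteria
-
-You may use any of these filter criteria with the `where` function. They are named after the columns in the shadow file. Each has a related list [property](#properties).
-
-### user
-
-The string username of a user. Always present. Not required to be unique.
-
-# Expect all users whose name ends in adm to have a disabled password via the '*' flag
-describe shadow.where(user: /adm$/) do
-its('password.uniq') { should eq ['*'] }
-end
-
-### password
-
-The encrypted password strings, or an account status string. Each string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed. Different operating systems use other flags here (such as `*LK*` to indicate the account is locked).
-
-# Find 'locked' accounts and ensure 'nobody' is on the list
-describe shadow.where(password: '*LK*') do
-its('users') { should include 'nobody' }
-end
-
-### last_change
-
-An integer reflecting the number of days since Jan 1 1970 since the user's password was changed.
-
-# Find users who have not changed their password within 90 days
-describe shadow.where { last_change > Date.today - 90 - Date.new(1970,1,1) } do
-its('users') { should be_empty }
-end
-
-### min_days
-
-An integer reflecting the minimum number of days a user is required to wait before
-changing their password again.
-
-# Find users who have a nonzero wait time
-describe shadow.where { min_days > 0 } do
-its('users') { should be_empty }
-end
-
-### max_days
-
-An integer reflecting the maximum number of days a user may go without changing their password.
-
-# All users should have a 30-day policy
-describe shadow.where { max_days != 30 } do
-its('users') { should be_empty }
-end
-
-### warn_days
-
-An integer reflecting the number of days before a password expiration that a user recieves an alert.
-
-# All users should have a 7-day warning policy
-describe shadow.where { warn_days != 7 } do
-its('users') { should be_empty }
-end
-
-### inactive_days
-
-An integer reflecting the number of days that must pass before a user who has not logged in will be disabled.
-
-# Ensure everyone has a stale policy of no more than 14 days.
-describe shadow.where { inactive_days.nil? || inactive_days > 14 } do
-its('users') { should be_empty }
-end
-
-### expiry_date
-
-An integer reflecting the number of days since Jan 1, 1970 on which the user was disabled. The `expiry_date` criterion is `nil` for enabled users.
-
-# Ensure no one is disabled due to a old password
-describe shadow.where { !expiry_date.nil? } do
-its('users') { should be_empty }
-end
-
-# Ensure no one is disabled for more than 14 days
-describe shadow.where { !expiry_date.nil? && expiry_date - Date.new(1970,1,1) > 14} do
-its('users') { should be_empty }
-end
-
-## Matchers
-
-This resource has no resource-specific matchers.
-
-For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).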
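--- a/data/docs/resources/ssh_config.md.erb
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: About the ssh_config Resource
-platform: linux
----
-
-# ssh_config
-
-Use the `ssh_config` InSpec audit resource to test OpenSSH client configuration data located at `/etc/ssh/ssh_config` on Linux and Unix platforms.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v1.0.0 of InSpec.
-
-## Syntax
-
-An `ssh_config` resource block declares the client OpenSSH configuration data to be tested:
-
-describe ssh_config('path') do
-its('name') { should include('foo') }
-end
-
-where
-
-* `name` is a configuration setting in `ssh_config`
-* `('path')` is the non-default `/path/to/ssh_config`
-* `{ should include('foo') }` tests the value of `name` as read from `ssh_config` versus the value declared in the test
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Test SSH configuration settings
-
-describe ssh_config do
-its('cipher') { should contain '3des' }
-its('port') { should eq '22' }
-its('hostname') { should include('example.com') }
-end
-
-### Test which variables from the local environment are sent to the server
-
-only_if do
-command('sshd').exist? or command('ssh').exists?
-end
-
-describe ssh_config do
-its('SendEnv') { should include('GORDON_CLIENT') }
-end
-
-### Test SSH configuration
-
-describe ssh_config do
-its('Host') { should eq '*' }
-its('Tunnel') { should eq nil }
-its('SendEnv') { should eq 'LANG LC_*' }
-its('HashKnownHosts') { should eq 'yes' }
-end
-
-<br>
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### name
-
-The `name` matcher tests the value of `name` as read from `ssh_config` versus the value declared in the test:
-
-its('name') { should eq 'foo' }
-
-or:
-
-its('name') { should include('bar') }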
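--- a/data/docs/resources/sshd_config.md.erb
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: About the sshd_config Resource
-platform: linux
----
-
-# sshd_config
-
-Use the `sshd_config` InSpec audit resource to test configuration data for the OpenSSH daemon located at `/etc/ssh/sshd_config` on Linux and Unix platforms. sshd---the OpenSSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v1.0.0 of InSpec.
-
-## Syntax
-
-An `sshd_config` resource block declares the client OpenSSH configuration data to be tested:
-
-describe sshd_config('path') do
-its('name') { should include('foo') }
-end
-
-where
-
-* `name` is a configuration setting in `sshd_config`
-* `('path')` is the non-default `/path/to/sshd_config`
-* `{ should include('foo') }` tests the value of `name` as read from `sshd_config` versus the value declared in the test
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Test which variables may be sent to the server
-
-describe sshd_config do
-its('AcceptEnv') { should include('GORDON_SERVER') }
-end
-
-### Test for IPv6-only addresses
-
-describe sshd_config do
-its('AddressFamily') { should cmp 'inet6' }
-end
-
-### Test the Protocol setting
-
-describe sshd_config do
-its('Protocol') { should cmp 2 }
-end
-
-### Test for approved, strong ciphers
-
-describe sshd_config do
-its('Ciphers') { should cmp('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
-end
-
-### Test SSH protocols
-
-describe sshd_config do
-its('Port') { should cmp 22 }
-its('UsePAM') { should eq 'yes' }
-its('ListenAddress') { should eq nil }
-its('HostKey') { should eq [
-'/etc/ssh/ssh_host_rsa_key',
-'/etc/ssh/ssh_host_dsa_key',
-'/etc/ssh/ssh_host_ecdsa_key',
-] }
-end
-
-<br>
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### name
-
-The `name` matcher tests the value of `name` as read from `sshd_config` versus the value declared in the test:
-
-its('name') { should cmp 'foo' }
-
-or:
-
-its('name') {should include('bar') }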
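--- a/data/docs/resources/ssl.md.erb
+++ /dev/null
@@ -1,129 +0,0 @@
----
-title: About the ssl Resource
-platform: os
----
-
-# ssl
-
-Use the `ssl` InSpec audit resource to test SSL settings for the named port.
-
-<br>
-
-## Availability
-
-### Installation
-
-This resource is distributed along with InSpec itself. You can use it automatically.
-
-### Version
-
-This resource first became available in v1.0.0 of InSpec.
-
-## Syntax
-
-An `ssl` resource block declares an SSL port, and then other properties of the test like cipher and/or protocol:
-
-describe ssl(port: #) do
-it { should be_enabled }
-end
-
-or:
-
-describe ssl(port: #).filter('value') do
-it { should be_enabled }
-end
-
-where
-
-* `ssl(port: #)` is the port number, such as `ssl(port: 443)`
-* `filter` may take any of the following arguments: `ciphers`, `protocols`, and `handshake`
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Run the ssl-benchmark example profile
-
-The following shows how to use the `ssl` InSpec audit resource to find all TCP ports on the system, including IPv4 and IPv6. (This is a partial example based on the `ssl_text.rb` file in the `ssl-benchmark` profile on GitHub.)
-
-...
-
-control 'tls1.2' do
-title 'Run TLS 1.2 whenever SSL is active on a port'
-impact 0.5
-
-sslports.each do |socket|
-proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"
-describe ssl(port: socket.port).protocols('tls1.2') do
-it(proc_desc) { should be_enabled }
-it { should be_enabled }
-end
-end
-end
-
-...
-
-control 'rc4' do
-title 'Disable RC4 ciphers from all exposed SSL/TLS ports and versions.'
-impact 0.5
-
-sslports.each do |socket|
-proc_desc = "on node == #{command('hostname').stdout.strip} running #{socket.process.inspect} (#{socket.pid})"
-describe ssl(port: socket.port).ciphers(/rc4/i) do
-it(proc_desc) { should_not be_enabled }
-it { should_not be_enabled }
-end
-end
-end
-
-There are two ways to run the `ssl-benchmark` example profile to test SSL via the `ssl` resource.
-
-Clone the profile:
-
-$ git clone https://github.com/dev-sec/ssl-benchmark
-
-and then run:
-
-$ inspec exec ssl-benchmark
-
-Or execute the profile directly via URL:
-
-$ inspec exec https://github.com/dev-sec/ssl-benchmark
-
-<br>
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### be_enabled
-
-The `be_enabled` matcher tests if SSL is enabled:
-
-it { should be_enabled }
-
-### ciphers
-
-The `ciphers` matcher tests the named cipher:
-
-its('ciphers') { should_not eq '/rc4/i' }
-
-or:
-
-describe ssl(port: 443).ciphers(/rc4/i) do
-it { should_not be_enabled }
-end
-
-### protocols
-
-The `protocols` matcher tests what protocol versions (SSLv3, TLSv1.1, etc) are enabled:
-
-its('protocols') { should eq 'ssl2' }
-
-or:
-
-describe ssl(port: 443).protocols('ssl2') do
-it { should_not be_enabled }
-end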