Use the `file` InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.
A `file` resource block declares the location of the file type to be tested, the expected file type (if required), and one (or more) resource properties.
The `content` property tests if contents in the file match the value specified in a regular expression. The values of the `content` property are arbitrary and depend on the file type being tested and also the type of information that is expected to be in that file:
its('content') { should match REGEX }
The following complete example tests the `pg_hba.conf` file in PostgreSQL for MD5 requirements. The tests look at all `host` and `local` settings in that file, and then compare the MD5 checksums against the values in the test:
describe file(hba_config_file) do
its('content') { should match(%r{local\s.*?all\s.*?all\s.*?md5}) }
its('content') { should match(%r{host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5}) }
its('content') { should match(%r{host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5})
end
### file_version
The `file_version` property tests if a Windows file's version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
its('file_version') { should eq '1.2.3' }
### group
The `group` property tests if the group to which a file belongs matches the specified value.
The `link_path` property tests if the file exists at the specified path. If the file is a symlink,
InSpec will resolve the symlink and return the ultimate linked file.
its('link_path') { should eq '/some/path/to/file' }
### md5sum
The `md5sum` property tests if the MD5 checksum for a file matches the specified value.
its('md5sum') { should eq '3329x3hf9130gjs9jlasf2305mx91s4j' }
### mode
The `mode` property tests if the mode assigned to the file matches the specified value.
its('mode') { should cmp '0644' }
### mtime
The `mtime` property tests if the file modification time for the file matches the specified value. The mtime, where supported, is returned as the number of seconds since the epoch.
describe file('/') do
its('mtime') { should <= Time.now.to_i }
its('mtime') { should >= Time.now.to_i - 1000 }
end
### owner
The `owner` property tests if the owner of the file matches the specified value.
its('owner') { should eq 'root' }
### product_version
The `product_version` property tests if a Windows file's product version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates.
its('product_version') { should eq 2.3.4 }
### selinux_label
The `selinux_label` property tests if the SELinux label for a file matches the specified value.
its('selinux_label') { should eq 'system_u:system_r:httpd_t:s0' }
### sha256sum
The `sha256sum` property tests if the SHA-256 checksum for a file matches the specified value.
its('sha256sum') { should eq 'b837ch38lh19bb8eaopl8jvxwd2e4g58jn9lkho1w3ed9jbkeicalplaad9k0pjn' }
### size
The `size` property tests if a file's size matches, is greater than, or is less than the specified value. For example, equal:
its('size') { should eq 32375 }
Greater than:
its('size') { should > 64 }
Less than:
its('size') { should < 10240 }
### type
The `type` property tests for the file type. The available types are:
* `file`: the object is a file
* `directory`: the object is a directory
* `link`: the object is a symbolic link
* `pipe`: the object is a named pipe
* `socket`: the object is a socket
* `character_device`: the object is a character device
* `block_device`: the object is a block device
* `door`: the object is a door device
The `type` method usually returns the type as a Ruby "symbol". We recommend using the `cmp` matcher to match
### Test that a file's size is between 64 and 10240
describe file('/') do
its('size') { should be > 64 }
its('size') { should be < 10240 }
end
### Test that a file's size is zero
describe file('/proc/cpuinfo') do
its('size') { should be 0 }
end
### Test an MD5 checksum
require 'digest'
cpuinfo = file('/proc/cpuinfo').content
md5sum = Digest::MD5.hexdigest(cpuinfo)
describe file('/proc/cpuinfo') do
its('md5sum') { should eq md5sum }
end
### Test an SHA-256 checksum
require 'digest'
cpuinfo = file('/proc/cpuinfo').content
sha256sum = Digest::SHA256.hexdigest(cpuinfo)
describe file('/proc/cpuinfo') do
its('sha256sum') { should eq sha256sum }
end
### Verify NTP
The following example shows how to use the `file` audit resource to verify if the `ntp.conf` and `leap-seconds` files are present, and then the `command` resource to verify if NTP is installed and running:
describe file('/etc/ntp.conf') do
it { should be_file }
end
describe file('/etc/ntp.leapseconds') do
it { should be_file }
end
describe command('pgrep ntp') do
its('exit_status') { should eq 0 }
end
### Test parameters of symlinked file
If you need to test the parameters of the target file for a symlink, you can use the `link_path` method for the `file` resource.
The `be_allowed` matcher tests if the file contains a certain permission set, such as `execute` or `write` in Unix and [`full-control` or `modify` in Windows](https://www.codeproject.com/Reference/871338/AccessControl-FileSystemRights-Permissions-Table).
it { should be_allowed('read') }
Just like with `be_executable` and other permissions, one can check for the permission with respect to the specific user or group.
it { should be_allowed('full-control', by_user: 'MyComputerName\Administrator') }
The `be_character_device` matcher tests if the file exists as a character device (that corresponds to a block device), such as `/dev/rdisk0` or `/dev/rdisk0s9`:
The `be_file` matcher tests if the file exists as a file. This can be useful with configuration files like `/etc/passwd` where there typically is not an associated file extension---`passwd.txt`:
The `be_pipe` matcher tests if the file exists as first-in, first-out special file (`.fifo`) that is typically used to define a named pipe, such as `/var/log/nginx/access.log.fifo`:
The `be_setgid` matcher tests if the 'setgid' permission is set on the file or directory. On executable files, this causes the process to be started owned by the group that owns the file, rather than the primary group of the invocating user. This can result in escalation of privilege. On Linux, when setgid is set on directories, setgid causes newly created files and directories to be owned by the group that owns the setgid parent directory; additionally, newly created subdirectories will have the setgid bit set. To use this matcher:
The `be_sticky` matcher tests if the 'sticky bit' permission is set on the directory. On directories, this restricts file deletion to the owner of the file, even if the permission of the parent directory would normally permit deletion by others. This is commonly used on /tmp filesystems. To use this matcher:
The `be_setuid` matcher tests if the 'setuid' permission is set on the file. On executable files, this causes the process to be started owned by the user that owns the file, rather than invocating user. This can result in escalation of privilege. To use this matcher:
