inspec/docs/ctl_inspec.rst

202 lines
5.2 KiB
ReStructuredText
Raw Normal View History

2015-10-23 05:37:02 +00:00
=====================================================
InSpec CLI
=====================================================
2015-10-26 10:04:24 +00:00
Use the InSpec CLI to run audit tests against targets using locally, SSH, |winrm|, or on |docker| containers.
2015-10-23 05:37:02 +00:00
Common Options
=====================================================
The following options may be used with any of the InSpec CLI subcommands:
``-b``, ``--backend``
2015-10-26 10:02:59 +00:00
Specify the backend. Possible values: ``local`` (default), ``ssh``, ``winrm``, or ``docker``.
2015-10-23 05:37:02 +00:00
``--sudo``
Run scans with sudo. Only activates on Unix and non-root user. Default value: ``false``.
2015-10-23 05:37:02 +00:00
``--host``
The remote host to be tested.
2015-11-25 12:10:11 +00:00
``-i``, ``--key_files``
2015-10-23 05:37:02 +00:00
The login key or certificate file required for remote scanning.
``--password``
The login password for remote scanning.
``--path``
2015-10-31 11:07:19 +00:00
The login path used to connect to the target for |winrm|.
2015-10-23 05:37:02 +00:00
2015-11-25 13:20:12 +00:00
``-p``, ``--port``
2015-10-23 05:37:02 +00:00
The port over which remote scanning will occur.
``--self_signed``
2015-10-26 10:02:59 +00:00
Use to allow remote scanning with self-signed certificates for |winrm| targets. Default value: ``false``.
2015-10-23 05:37:02 +00:00
``--ssl``
2015-10-26 10:02:59 +00:00
Use to require transport-layer encryption via SSL for |winrm| targets. Default value: ``false``.
2015-10-23 05:37:02 +00:00
``--sudo_options``
Additional options that may be required by the sudo password for remote scanning. Default value: ``''``.
``--sudo_password``
The sudo password, if required.
``-t``, ``--target``
The URI for the target of a remote scan, preceded by the target's backend. For example: ``backend://user:pass@host:port``, where ``backend`` is one of ``docker``, ``local``, ``ssh``, or ``winrm``.
``--user``
The login user for remote scanning.
``--json_config``
A JSON file containing configuration options. Use `--json_config=-` to read from standard input. The file's format corresponds to the command line argument options. For example, `{"host": "example.com", "sudo": true}` is equivalent to `--host=example.com --sudo`. Command line switches override the configuration file.
``--diagnose``
Dump configuration values from a command line options, the configuration file, and the merged effective options.
2015-10-23 05:37:02 +00:00
check
=====================================================
2015-12-01 10:19:04 +00:00
Use ``inspec check`` to verify all tests the specified path.
2015-10-23 05:37:02 +00:00
Syntax
-----------------------------------------------------
This subcommand has the following syntax:
.. code-block:: bash
$ inspec check PATH (options)
where:
* ``PATH`` is the location against which tests are run
detect
=====================================================
Use ``inspec detect`` to detect the platform for the target.
For example, if the configuration on the target is:
.. code-block:: bash
id=$( docker run -dti ubuntu:14.04 /bin/bash )
the following command:
.. code-block:: bash
$ inspec detect -t docker://$id
will return:
.. code-block:: javascript
{"family":"ubuntu","release":"14.04","arch":null}
exec
=====================================================
2015-10-23 17:30:37 +00:00
Use ``inspec exec`` to run all tests at the specified path.
2015-10-23 05:37:02 +00:00
Syntax
-----------------------------------------------------
This subcommand has the following syntax:
.. code-block:: bash
$ inspec exec PATHS (options)
where:
* ``PATHS`` is one (or more) locations against which tests are run
Options
-----------------------------------------------------
This subcommand has additional options:
``--id``
Use to attach a profile identifier to all test results.
Examples
-----------------------------------------------------
The following examples show how to use this subcommand.
**Run a test locally**
.. code-block:: bash
$ inspec exec test.rb
**Run a test on a remote host using SSH**
.. code-block:: bash
$ inspec exec test.rb -t ssh://user@hostname
**Run a test on a remote host using WinRM**
.. code-block:: bash
$ inspec exec test.rb -t winrm://Administrator@windowshost --password 'password'
**Run a test against a Docker container**
.. code-block:: bash
$ inspec exec test.rb -t docker://container_id
help
=====================================================
Use ``inspec help`` to print help for the |ctl inspec| from the command shell.
json
=====================================================
Use ``inspec json`` to read all tests at the specified path, and then generate a |json| profile to standard output (stdout).
2015-10-23 05:37:02 +00:00
Syntax
-----------------------------------------------------
This subcommand has the following syntax:
.. code-block:: bash
$ inspec json PATH (options)
where:
* ``PATH`` is the location against which tests are run
Options
-----------------------------------------------------
This subcommand has additional options:
``--id``
Use to attach a profile identifier to all test results.
``-o``, ``--output``
Use to save the |json| profile to a file instead of printing to stdout.
2015-10-23 05:37:02 +00:00
shell
=====================================================
Use ``inspec shell`` to open an interactive debugging shell.
version
=====================================================
Use ``inspec version`` to print the version of the InSpec CLI.
2015-10-26 10:02:59 +00:00
.. |winrm| replace:: Windows Remote Management
.. _winrm: https://msdn.microsoft.com/en-us/library/aa384426(v=vs.85).aspx
.. |docker| replace:: Docker
2015-10-26 10:04:24 +00:00
.. _docker: https://www.docker.com/
2015-10-31 11:07:19 +00:00
.. |json| replace:: JSON