inspec/docs/resources/inetd_conf.md.erb


2016-09-22 12:43:57 +00:00
---
title: About the inetd_conf Resource
---
# inetd_conf
Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated with the ports on which each service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
## Syntax
An `inetd_conf` resource block declares the list of services that are enabled in the `inetd.conf` file:

    describe inetd_conf('path') do
      its('service_name') { should eq 'value' }
    end

where

* `'service_name'` is a service listed in the `inetd.conf` file
* `('path')` is the non-default path to the `inetd.conf` file
* `should eq 'value'` is the value that is expected
## Matchers
This resource matches any service that is listed in the `inetd.conf` file. You may want to ensure that specific services do not listen via `inetd.conf`:

    its('shell') { should eq nil }

or:

    its('netstat') { should eq nil }

or:

    its('systat') { should eq nil }

For example:

    describe inetd_conf do
      its('shell') { should eq nil }
      its('login') { should eq nil }
      its('exec') { should eq nil }
    end

### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
## Examples
The following examples show how to use this InSpec audit resource.
### Verify that FTP is disabled
The contents of the `inetd.conf` file contain the following:

    #ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
    #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

and the following test is defined:

    describe inetd_conf do
      its('ftp') { should eq nil }
      its('telnet') { should eq nil }
    end

Because both the `ftp` and `telnet` Internet services are commented out (`#`), both services are disabled. Consequently, both tests will return `true`. However, if the `inetd.conf` file is set as follows:

    ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
    #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

then the same test will return `false` for `ftp` and the entire test will fail.
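
The comment rule above, shown as a stand-alone Ruby parser run over a constructed `inetd.conf` sample. This is an added example, not InSpec's own implementation; `enabled_services`, `violations` and the sample file contents are hypothetical names and data.

```ruby
# Added illustration; not how InSpec implements the inetd_conf resource.
# Standard inetd.conf columns after the service name:
# socket type, protocol, wait flag, user, server program, then arguments.
FIELDS = %i[socket_type protocol wait user server].freeze

# Constructed sample: the two lines from the page plus two extra entries.
SAMPLE_INETD_CONF = <<~CONF
  ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
  #telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
    # shell stream tcp nowait root /usr/sbin/tcpd in.rshd

  time    dgram   udp     wait    root    internal
CONF

# Return { service_name => { field => value } } for enabled entries only.
def enabled_services(text)
  text.each_line.with_object({}) do |line, services|
    entry = line.strip
    # A leading '#' (even after whitespace) comments the service out.
    next if entry.empty? || entry.start_with?('#')
    name, *rest = entry.split(/\s+/)
    next if rest.length < FIELDS.length # malformed line, skip it
    services[name] = FIELDS.zip(rest).to_h.merge(args: rest.drop(FIELDS.length))
  end
end

# Services from the deny list that are still enabled; empty means pass.
def violations(text, denied)
  enabled = enabled_services(text)
  denied.select { |svc| enabled.key?(svc) }
end

if __FILE__ == $PROGRAM_NAME
  enabled_services(SAMPLE_INETD_CONF).each do |name, f|
    puts "#{name}: #{f[:protocol]} as #{f[:user]} -> #{f[:server]} #{f[:args].join(' ')}"
  end
  puts "denied but enabled: #{violations(SAMPLE_INETD_CONF, %w[ftp telnet shell]).inspect}"
end
```

A lookup for a commented-out service such as `telnet` returns `nil` here, which is the condition the `should eq nil` tests on this page assert.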
### Test if telnet is installed

    describe package('telnetd') do
      it { should_not be_installed }
    end

    describe inetd_conf do
      its('telnet') { should eq nil }
    end