2016-09-22 12:43:57 +00:00
---
title: About the xinetd_conf Resource
---
# xinetd_conf
Use the `xinetd_conf` InSpec audit resource to test services under `/etc/xinet.d` on Linux and Unix platforms. xinetd---the extended Internet service daemon---listens on all ports, and then loads the appropriate program based on a request. The `xinetd.conf` file is typically located at `/etc/xinetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
2016-09-27 19:03:23 +00:00
## Syntax
2016-09-22 12:43:57 +00:00
An `xinetd_conf` resource block declares settings found in a `xinetd.conf` file for the named service:
describe xinetd_conf('service_name') do
it { should be_enabled } # or be_disabled
its('setting') { should eq 'value' }
end
where
* `'service_name'` is a service located under `/etc/xinet.d`
* `('setting')` is a setting in the `xinetd.conf` file
* `should eq 'value'` is the value that is expected
2016-09-27 19:03:23 +00:00
## Matchers
2016-09-22 12:43:57 +00:00
This InSpec audit resource has the following matchers:
2016-09-27 19:03:23 +00:00
### be
2016-09-22 12:43:57 +00:00
<%= partial "/shared/matcher_be" %>
2016-09-27 19:03:23 +00:00
### be_enabed
2016-09-22 12:43:57 +00:00
The `be_enabled` matcher tests if a service listed under `/etc/xinet.d` is enabled:
it { should be_enabled }
2016-09-27 19:03:23 +00:00
### cmp
2016-09-22 12:43:57 +00:00
<%= partial "/shared/matcher_cmp" %>
2016-09-27 19:03:23 +00:00
### eq
2016-09-22 12:43:57 +00:00
<%= partial "/shared/matcher_eq" %>
2016-09-27 19:03:23 +00:00
### ids
2016-09-22 12:43:57 +00:00
The `ids` matcher tests if the named service is located under `/etc/xinet.d`:
its('ids') { should include 'service_name' }
For example:
its('ids') { should include 'chargen-stream chargen-dgram'}
2016-09-27 19:03:23 +00:00
### include
2016-09-22 12:43:57 +00:00
<%= partial "/shared/matcher_include" %>
2016-09-27 19:03:23 +00:00
### match
2016-09-22 12:43:57 +00:00
<%= partial "/shared/matcher_match" %>
2016-09-27 19:03:23 +00:00
### services
2016-09-22 12:43:57 +00:00
The `services` matcher tests if the named service is listed under `/etc/xinet.d`:
its('services') { should include 'service_name' }
2016-09-27 19:03:23 +00:00
### socket_types
2016-09-22 12:43:57 +00:00
The `socket_types` matcher tests if a service listed under `/etc/xinet.d` is configured to use the named socket type:
its('socket_types') { should eq 'socket' }
where `socket` is one of `dgram`, `raw`, or `stream`. For a UDP-based service:
its('socket_types') { should eq 'dgram' }
For a raw socket (such as a service using a non-standard protocol or a service that requires direct access to IP):
its('socket_types') { should eq 'raw' }
For a TCP-based service:
its('socket_types') { should eq 'stream' }
2016-09-27 19:03:23 +00:00
### types
2016-09-22 12:43:57 +00:00
The `types` matcher tests the service type:
its('type') { should eq 'TYPE' }
where `'TYPE'` is `INTERNAL` (for a service provided by xinetd), `RPC` (for a service based on remote procedure call), or `UNLISTED` (for services not under `/etc/services` or `/etc/rpc`).
2016-09-27 19:03:23 +00:00
### wait
2016-09-22 12:43:57 +00:00
The `wait` matcher tests how a service handles incoming connections.
For UDP (`dgram`) socket types the `wait` matcher should test for `yes`:
its('socket_types') { should eq 'dgram' }
its('wait') { should eq 'yes' }
For TCP (`stream`) socket types the `wait` matcher should test for `no`:
its('socket_types') { should eq 'stream' }
its('wait') { should eq 'no' }
2016-09-27 19:03:23 +00:00
## Examples
2016-09-22 12:43:57 +00:00
The following examples show how to use this InSpec audit resource.
2016-09-27 19:03:23 +00:00
### Test a socket_type
2016-09-22 12:43:57 +00:00
The network socket type: `dgram` (a datagram-based service), `raw` (a service that requires direct access to an IP address), `stream` (a stream-based service), or `seqpacket` (a service that requires a sequenced packet).
describe xinetd_conf.services('service_name') do
its('socket_types') { should include 'dgram' }
end
2016-09-27 19:03:23 +00:00
### Test a service type
2016-09-22 12:43:57 +00:00
The type of service: `INTERNAL` (a service provided by xinetd), `RPC` (an RPC-based service), `TCPMUX` (a service that is started on a well-known TPCMUX port), or `UNLISTED` (a service that is not listed in a standard system file location).
describe xinetd_conf.services('service_name') do
its('type') { should include 'RPC' }
end
2016-09-27 19:03:23 +00:00
### Test the telnet service
2016-09-22 12:43:57 +00:00
For example, a `telnet` file under `/etc/xinet.d` contains the following settings:
service telnet
{
disable = yes
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
Some examples of tests that can be run against that file include:
describe xinetd_conf.services('telnet') do
it { should be_disabled }
end
and
describe xinetd_conf.services('telnet') do
its('socket_type') { should include 'stream' }
end
and
describe xinetd_conf.services('telnet') do
its('wait') { should eq 'no' }
end
All three settings can be tested in the same block as well:
describe xinetd_conf.services('telnet') do
it { should be_disabled }
its('socket_type') { should include 'stream' }
its('wait') { should eq 'no' }
end