mirror of
https://github.com/inspec/inspec
synced 2024-12-18 00:53:22 +00:00
443 lines
8.9 KiB
ReStructuredText
443 lines
8.9 KiB
ReStructuredText
|
=====================================================
|
||
|
InSpec CLI
|
||
|
=====================================================
|
||
|
|
||
|
Use the InSpec CLI to run tests and audits against targets using local, SSH, WinRM, or Docker connections.
|
||
|
|
||
|
archive
|
||
|
=====================================================
|
||
|
|
||
|
Archive a profile to tar.gz (default) or zip
|
||
|
|
||
|
Syntax
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has the following syntax:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
$ inspec archive PATH
|
||
|
|
||
|
Options
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has additional options:
|
||
|
|
||
|
``--ignore-errors``, ``--no-ignore-errors``
|
||
|
Ignore profile warnings.
|
||
|
|
||
|
``-o``, ``--output=OUTPUT``
|
||
|
Save the archive to a path
|
||
|
|
||
|
``--overwrite``, ``--no-overwrite``
|
||
|
Overwrite existing archive.
|
||
|
|
||
|
``--profiles-path=PROFILES_PATH``
|
||
|
Folder which contains referenced profiles.
|
||
|
|
||
|
``--tar``, ``--no-tar``
|
||
|
Generates a tar.gz archive.
|
||
|
|
||
|
``--zip``, ``--no-zip``
|
||
|
Generates a zip archive.
|
||
|
|
||
|
|
||
|
|
||
|
check
|
||
|
=====================================================
|
||
|
|
||
|
Verify all tests at the specified path
|
||
|
|
||
|
Syntax
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has the following syntax:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
$ inspec check PATH
|
||
|
|
||
|
Options
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has additional options:
|
||
|
|
||
|
``--format=FORMAT``
|
||
|
|
||
|
|
||
|
``--profiles-path=PROFILES_PATH``
|
||
|
Folder which contains referenced profiles.
|
||
|
|
||
|
|
||
|
|
||
|
compliance
|
||
|
=====================================================
|
||
|
|
||
|
Chef compliance commands
|
||
|
|
||
|
Syntax
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has the following syntax:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
$ inspec compliance SUBCOMMAND ...
|
||
|
|
||
|
|
||
|
|
||
|
detect
|
||
|
=====================================================
|
||
|
|
||
|
Detect the target os
|
||
|
|
||
|
Syntax
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has the following syntax:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
$ inspec detect
|
||
|
|
||
|
Options
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has additional options:
|
||
|
|
||
|
``-b``, ``--backend=BACKEND``
|
||
|
Choose a backend: local, ssh, winrm, docker.
|
||
|
|
||
|
``--format=FORMAT``
|
||
|
|
||
|
|
||
|
``--host=HOST``
|
||
|
Specify a remote host which is tested.
|
||
|
|
||
|
``--json-config=JSON_CONFIG``
|
||
|
Read configuration from JSON file (`-` reads from stdin).
|
||
|
|
||
|
``-i``, ``--key-files=one two three``
|
||
|
Login key or certificate file for a remote scan.
|
||
|
|
||
|
``-l``, ``--log-level=LOG_LEVEL``
|
||
|
Set the log level: info (default), debug, warn, error
|
||
|
|
||
|
``--password=PASSWORD``
|
||
|
Login password for a remote scan, if required.
|
||
|
|
||
|
``--path=PATH``
|
||
|
Login path to use when connecting to the target (WinRM).
|
||
|
|
||
|
``-p``, ``--port=N``
|
||
|
Specify the login port for a remote scan.
|
||
|
|
||
|
``--self-signed``, ``--no-self-signed``
|
||
|
Allow remote scans with self-signed certificates (WinRM).
|
||
|
|
||
|
``--ssl``, ``--no-ssl``
|
||
|
Use SSL for transport layer encryption (WinRM).
|
||
|
|
||
|
``--sudo``, ``--no-sudo``
|
||
|
Run scans with sudo. Only activates on Unix and non-root user.
|
||
|
|
||
|
``--sudo-command=SUDO_COMMAND``
|
||
|
Alternate command for sudo.
|
||
|
|
||
|
``--sudo-options=SUDO_OPTIONS``
|
||
|
Additional sudo options for a remote scan.
|
||
|
|
||
|
``--sudo-password=SUDO_PASSWORD``
|
||
|
Specify a sudo password, if it is required.
|
||
|
|
||
|
``-t``, ``--target=TARGET``
|
||
|
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
|
||
|
|
||
|
``--user=USER``
|
||
|
The login user for a remote scan.
|
||
|
|
||
|
|
||
|
|
||
|
env
|
||
|
=====================================================
|
||
|
|
||
|
Output shell-appropriate completion configuration
|
||
|
|
||
|
Syntax
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has the following syntax:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
$ inspec env
|
||
|
|
||
|
|
||
|
|
||
|
exec
|
||
|
=====================================================
|
||
|
|
||
|
Run all test files at the specified path.
|
||
|
|
||
|
Syntax
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has the following syntax:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
$ inspec exec PATHS
|
||
|
|
||
|
Options
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has additional options:
|
||
|
|
||
|
``--attrs=one two three``
|
||
|
Load attributes file (experimental)
|
||
|
|
||
|
``-b``, ``--backend=BACKEND``
|
||
|
Choose a backend: local, ssh, winrm, docker.
|
||
|
|
||
|
``--color``, ``--no-color``
|
||
|
Use colors in output.
|
||
|
|
||
|
``--controls=one two three``
|
||
|
A list of controls to run. Ignore all other tests.
|
||
|
|
||
|
``--format=FORMAT``
|
||
|
Which formatter to use: cli, progress, documentation, json, json-min
|
||
|
|
||
|
``--host=HOST``
|
||
|
Specify a remote host which is tested.
|
||
|
|
||
|
``--json-config=JSON_CONFIG``
|
||
|
Read configuration from JSON file (`-` reads from stdin).
|
||
|
|
||
|
``-i``, ``--key-files=one two three``
|
||
|
Login key or certificate file for a remote scan.
|
||
|
|
||
|
``-l``, ``--log-level=LOG_LEVEL``
|
||
|
Set the log level: info (default), debug, warn, error
|
||
|
|
||
|
``--password=PASSWORD``
|
||
|
Login password for a remote scan, if required.
|
||
|
|
||
|
``--path=PATH``
|
||
|
Login path to use when connecting to the target (WinRM).
|
||
|
|
||
|
``-p``, ``--port=N``
|
||
|
Specify the login port for a remote scan.
|
||
|
|
||
|
``--profiles-path=PROFILES_PATH``
|
||
|
Folder which contains referenced profiles.
|
||
|
|
||
|
``--self-signed``, ``--no-self-signed``
|
||
|
Allow remote scans with self-signed certificates (WinRM).
|
||
|
|
||
|
``--ssl``, ``--no-ssl``
|
||
|
Use SSL for transport layer encryption (WinRM).
|
||
|
|
||
|
``--sudo``, ``--no-sudo``
|
||
|
Run scans with sudo. Only activates on Unix and non-root user.
|
||
|
|
||
|
``--sudo-command=SUDO_COMMAND``
|
||
|
Alternate command for sudo.
|
||
|
|
||
|
``--sudo-options=SUDO_OPTIONS``
|
||
|
Additional sudo options for a remote scan.
|
||
|
|
||
|
``--sudo-password=SUDO_PASSWORD``
|
||
|
Specify a sudo password, if it is required.
|
||
|
|
||
|
``-t``, ``--target=TARGET``
|
||
|
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
|
||
|
|
||
|
``--user=USER``
|
||
|
The login user for a remote scan.
|
||
|
|
||
|
|
||
|
|
||
|
help
|
||
|
=====================================================
|
||
|
|
||
|
Describe available commands or one specific command
|
||
|
|
||
|
Syntax
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has the following syntax:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
$ inspec help [COMMAND]
|
||
|
|
||
|
|
||
|
|
||
|
init
|
||
|
=====================================================
|
||
|
|
||
|
Scaffolds a new project
|
||
|
|
||
|
Syntax
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has the following syntax:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
$ inspec init TEMPLATE ...
|
||
|
|
||
|
|
||
|
|
||
|
json
|
||
|
=====================================================
|
||
|
|
||
|
Read all tests in path and generate a json summary
|
||
|
|
||
|
Syntax
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has the following syntax:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
$ inspec json PATH
|
||
|
|
||
|
Options
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has additional options:
|
||
|
|
||
|
``--controls=one two three``
|
||
|
A list of controls to include. Ignore all other tests.
|
||
|
|
||
|
``-o``, ``--output=OUTPUT``
|
||
|
Save the created profile to a path
|
||
|
|
||
|
``--profiles-path=PROFILES_PATH``
|
||
|
Folder which contains referenced profiles.
|
||
|
|
||
|
|
||
|
|
||
|
scap
|
||
|
=====================================================
|
||
|
|
||
|
Scap commands
|
||
|
|
||
|
Syntax
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has the following syntax:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
$ inspec scap SUBCOMMAND ...
|
||
|
|
||
|
|
||
|
|
||
|
shell
|
||
|
=====================================================
|
||
|
|
||
|
Open an interactive debugging shell
|
||
|
|
||
|
Syntax
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has the following syntax:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
$ inspec shell
|
||
|
|
||
|
Options
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has additional options:
|
||
|
|
||
|
``-b``, ``--backend=BACKEND``
|
||
|
Choose a backend: local, ssh, winrm, docker.
|
||
|
|
||
|
``-c``, ``--command=COMMAND``
|
||
|
|
||
|
|
||
|
``--host=HOST``
|
||
|
Specify a remote host which is tested.
|
||
|
|
||
|
``--json-config=JSON_CONFIG``
|
||
|
Read configuration from JSON file (`-` reads from stdin).
|
||
|
|
||
|
``-i``, ``--key-files=one two three``
|
||
|
Login key or certificate file for a remote scan.
|
||
|
|
||
|
``-l``, ``--log-level=LOG_LEVEL``
|
||
|
Set the log level: info (default), debug, warn, error
|
||
|
|
||
|
``--password=PASSWORD``
|
||
|
Login password for a remote scan, if required.
|
||
|
|
||
|
``--path=PATH``
|
||
|
Login path to use when connecting to the target (WinRM).
|
||
|
|
||
|
``-p``, ``--port=N``
|
||
|
Specify the login port for a remote scan.
|
||
|
|
||
|
``--self-signed``, ``--no-self-signed``
|
||
|
Allow remote scans with self-signed certificates (WinRM).
|
||
|
|
||
|
``--ssl``, ``--no-ssl``
|
||
|
Use SSL for transport layer encryption (WinRM).
|
||
|
|
||
|
``--sudo``, ``--no-sudo``
|
||
|
Run scans with sudo. Only activates on Unix and non-root user.
|
||
|
|
||
|
``--sudo-command=SUDO_COMMAND``
|
||
|
Alternate command for sudo.
|
||
|
|
||
|
``--sudo-options=SUDO_OPTIONS``
|
||
|
Additional sudo options for a remote scan.
|
||
|
|
||
|
``--sudo-password=SUDO_PASSWORD``
|
||
|
Specify a sudo password, if it is required.
|
||
|
|
||
|
``-t``, ``--target=TARGET``
|
||
|
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
|
||
|
|
||
|
``--user=USER``
|
||
|
The login user for a remote scan.
|
||
|
|
||
|
|
||
|
|
||
|
supermarket
|
||
|
=====================================================
|
||
|
|
||
|
Supermarket commands
|
||
|
|
||
|
Syntax
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has the following syntax:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
$ inspec supermarket SUBCOMMAND ...
|
||
|
|
||
|
|
||
|
|
||
|
version
|
||
|
=====================================================
|
||
|
|
||
|
Prints the version of this tool
|
||
|
|
||
|
Syntax
|
||
|
-----------------------------------------------------
|
||
|
|
||
|
This subcommand has the following syntax:
|
||
|
|
||
|
.. code-block:: bash
|
||
|
|
||
|
$ inspec version
|
||
|
|
||
|
|
||
|
|