2015-10-19 16:05:10 +00:00
=====================================================
2015-10-19 20:34:33 +00:00
InSpec Resources Reference
2015-10-19 16:05:10 +00:00
=====================================================
2015-10-26 23:29:57 +00:00
The following InSpec audit resources are available:
2015-10-19 16:05:10 +00:00
2015-11-18 20:27:07 +00:00
* `apache_conf`_
* `apt`_
* `audit_policy`_
* `auditd_conf`_
* `auditd_rules`_
2016-06-18 09:27:10 +00:00
* `bash`_
2015-11-18 20:27:07 +00:00
* `bond`_
* `bridge`_
* `csv`_
* `command`_
* `directory`_
* `etc_group`_
* `file`_
* `gem`_
* `group <https://github.com/chef/inspec/blob/master/docs/resources.rst#group-1/> `_
2016-04-17 14:57:31 +00:00
* `grub_conf`_
2015-11-18 20:27:07 +00:00
* `host`_
2016-08-10 20:59:15 +00:00
* `iis_site`_
2015-11-18 20:27:07 +00:00
* `inetd_conf`_
2016-08-25 18:30:03 +00:00
* `ini`_
2015-11-18 20:27:07 +00:00
* `interface`_
* `iptables`_
* `kernel_module`_
* `kernel_parameter`_
* `limits_conf`_
* `login_defs`_
2015-12-31 00:11:06 +00:00
* `mount`_
2015-11-18 20:27:07 +00:00
* `mysql_conf`_
* `mysql_session`_
* `npm`_
* `ntp_conf`_
* `oneget`_
* `os`_
* `os_env`_
* `package`_
* `parse_config`_
* `parse_config_file`_
* `passwd`_
* `pip`_
* `port`_
* `postgres_conf`_
* `postgres_session`_
2016-03-18 11:29:36 +00:00
* `powershell`_
2015-11-18 20:27:07 +00:00
* `processes`_
* `registry_key`_
* `security_policy`_
* `service`_
* `ssh_config`_
* `sshd_config`_
* `user`_
* `windows_feature`_
* `yaml`_
* `yum`_
2015-10-19 16:05:10 +00:00
2015-10-26 23:29:57 +00:00
See below for more information about each InSpec audit resource, its related matchers, and examples of how to use it in a recipe.
2015-10-19 16:05:10 +00:00
2015-10-22 04:13:17 +00:00
2015-10-26 09:41:10 +00:00
apache_conf
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` apache_conf `` |inspec resource| to test the configuration settings for |apache|. This file is typically located under `` /etc/apache2 `` on the |debian| and |ubuntu| platforms and under `` /etc/httpd `` on the |fedora|, |centos|, |redhat enterprise linux|, and |archlinux| platforms. The configuration settings may vary significantly from platform to platform.
2015-10-20 04:48:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
An `` apache_conf `` |inspec resource| block declares configuration settings that should be tested:
2015-10-20 04:48:10 +00:00
.. code-block :: ruby
describe apache_conf('path') do
its('setting_name') { should eq 'value' }
end
where
* `` 'setting_name' `` is a configuration setting defined in the |apache| configuration file
* `` ('path') `` is the non-default path to the |apache| configuration file
* `` { should eq 'value' } `` is the value that is expected
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
This |inspec resource| matches any service that is listed in the |apache| configuration file:
2015-10-20 04:48:10 +00:00
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
its('PidFile') { should_not eq '/var/run/httpd.pid' }
2015-10-20 04:48:10 +00:00
or:
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
its('Timeout') { should eq 300 }
2015-10-20 04:48:10 +00:00
For example:
.. code-block :: ruby
describe apache_conf do
its('MaxClients') { should eq 100 }
its('Listen') { should eq '443'}
end
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource in a test.
2015-10-20 04:48:10 +00:00
2015-10-26 09:41:10 +00:00
**Test for blocking .htaccess files on CentOS**
2015-10-20 04:48:10 +00:00
.. code-block :: ruby
describe apache_conf do
its('AllowOverride') { should eq 'None' }
end
2015-10-26 09:41:10 +00:00
**Test ports for SSL**
2015-10-20 04:48:10 +00:00
.. code-block :: ruby
2015-10-26 09:41:10 +00:00
2015-10-20 04:48:10 +00:00
describe apache_conf do
its('Listen') { should eq '443'}
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
apt
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` apt `` |inspec resource| to verify |apt| repositories on the |debian| and |ubuntu| platforms, and also |ppa| repositories on the |ubuntu| platform.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
An `` apt `` |inspec resource| block tests the contents of |apt| and |ppa| repositories:
2015-10-19 20:29:26 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
describe apt('path') do
it { should exist }
it { should be_enabled }
end
2015-10-19 20:29:26 +00:00
where
2015-10-20 01:25:25 +00:00
* `` apt('path') `` must specify an |apt| or |ppa| repository
* `` ('path') `` may be an `` http:// `` address, a `` ppa: `` address, or a short `` repo-name/ppa `` address
2015-10-27 21:20:33 +00:00
* `` exist `` and `` be_enabled `` are a valid matchers for this |inspec resource|
2015-10-19 20:29:26 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
be_enabled
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_enabled `` matcher tests if a package exists in the repository:
2015-10-19 20:29:26 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
it { should be_enabled }
2015-10-19 20:29:26 +00:00
2015-10-26 09:41:10 +00:00
exist
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` exist `` matcher tests if a package exists on the system:
2015-10-19 16:05:10 +00:00
2015-10-19 20:29:26 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
it { should exist }
2015-10-19 20:29:26 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource in a test.
2015-10-19 20:29:26 +00:00
2015-10-31 11:46:12 +00:00
**Test if apt repository exists and is enabled**
2015-10-19 20:29:26 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
describe apt('http://ppa.launchpad.net/juju/stable/ubuntu') do
it { should exist }
it { should be_enabled }
end
2015-10-19 20:29:26 +00:00
2015-10-31 11:46:12 +00:00
**Verify that a PPA repository exists and is enabled**
2015-10-19 20:29:26 +00:00
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-19 20:29:26 +00:00
2015-10-20 01:25:25 +00:00
describe apt('ppa:nginx/stable') do
it { should exist }
it { should be_enabled }
end
2015-10-19 20:29:26 +00:00
2015-10-20 01:25:25 +00:00
**Verify that a repository is not present**
2015-10-19 20:29:26 +00:00
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
describe apt('ubuntu-wine/ppa') do
it { should_not exist }
it { should_not be_enabled }
end
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
2015-10-26 09:41:10 +00:00
audit_policy
2015-10-19 16:05:10 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` audit_policy `` |inspec resource| to test auditing policies on the |windows| platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each auditing category property that is enabled, the auditing level may be set to `` No Auditing `` , `` Not Specified `` , `` Success `` , `` Success and Failure `` , or `` Failure `` .
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-22 17:10:13 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
An `` audit_policy `` |inspec resource| block declares a parameter that belongs to an audit policy category or subcategory:
2015-10-22 17:10:13 +00:00
.. code-block :: ruby
describe audit_policy do
its('parameter') { should eq 'value' }
end
where
2015-10-26 09:41:10 +00:00
* `` 'parameter' `` must specify a parameter
2015-10-22 17:10:13 +00:00
* `` 'value' `` must be one of `` No Auditing `` , `` Not Specified `` , `` Success `` , `` Success and Failure `` , or `` Failure ``
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource does not have any matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-22 17:10:13 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-22 17:10:13 +00:00
2015-10-31 11:46:12 +00:00
**Test that a parameter is not set to "No Auditing"**
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-10-22 17:10:13 +00:00
describe audit_policy do
its('Other Account Logon Events') { should_not eq 'No Auditing' }
end
**Test that a parameter is set to "Success"**
.. code-block :: ruby
describe audit_policy do
2015-10-31 11:46:12 +00:00
its('User Account Management') { should eq 'Success' }
2015-10-22 17:10:13 +00:00
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
auditd_conf
2015-10-19 16:05:10 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` auditd_conf `` |inspec resource| to test the configuration settings for the audit daemon. This file is typically located under `` /etc/audit/auditd.conf' `` on |unix| and |linux| platforms.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` auditd_conf `` |inspec resource| block declares configuration settings that should be tested:
2015-10-20 04:48:54 +00:00
.. code-block :: ruby
2015-10-22 05:49:59 +00:00
describe auditd_conf('path') do
2015-12-11 16:28:51 +00:00
its('keyword') { should cmp 'value' }
2015-10-20 04:48:54 +00:00
end
2015-10-22 05:49:59 +00:00
where
* `` 'keyword' `` is a configuration setting defined in the `` auditd.conf `` configuration file
* `` ('path') `` is the non-default path to the `` auditd.conf `` configuration file
* `` { should eq 'value' } `` is the value that is expected
2015-10-26 09:41:10 +00:00
Matchers
2015-10-22 05:49:59 +00:00
-----------------------------------------------------
2015-12-11 16:28:51 +00:00
This |inspec resource| matches any keyword that is listed in the `` auditd.conf `` configuration file. Since all option names and values are case insensitive for `` auditd_conf `` , we recommend to compare values with `cmp` `eq`
2015-12-11 16:10:17 +00:00
.. code-block :: ruby
its('log_format') { should cmp 'raw' }
its('max_log_file') { should cmp 6 }
2015-10-26 09:41:10 +00:00
Examples
2015-10-22 05:49:59 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-22 05:49:59 +00:00
2015-10-26 09:41:10 +00:00
**Test the auditd.conf file**
2015-10-20 04:48:54 +00:00
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-10-22 05:49:59 +00:00
describe auditd_conf do
2015-12-11 16:10:17 +00:00
its('log_file') { should cmp '/full/path/to/file' }
its('log_format') { should cmp 'raw' }
its('flush') { should cmp 'none' }
its('freq') { should cmp 1 }
its('num_logs') { should cmp 0 }
its('max_log_file') { should cmp 6 }
its('max_log_file_action') { should cmp 'email' }
its('space_left') { should cmp 2 }
its('action_mail_acct') { should cmp 'root' }
its('space_left_action') { should cmp 'email' }
its('admin_space_left') { should cmp 1 }
its('admin_space_left_action') { should cmp 'halt' }
its('disk_full_action') { should cmp 'halt' }
its('disk_error_action') { should cmp 'halt' }
2015-10-20 04:48:54 +00:00
end
2015-10-19 16:05:10 +00:00
2015-10-22 06:11:46 +00:00
2015-10-26 09:41:10 +00:00
auditd_rules
2015-10-19 16:05:10 +00:00
=====================================================
2016-01-29 15:39:54 +00:00
Use the `` auditd_rules `` |inspec resource| to test the rules for logging that exist on the system. The `` audit.rules `` file is typically located under `` /etc/audit/ `` and contains the list of rules that define what is captured in log files. This resource uses `auditctl` `audit.rules`
2015-10-22 06:11:46 +00:00
2015-10-31 11:46:12 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-22 06:11:46 +00:00
-----------------------------------------------------
2016-02-08 20:35:30 +00:00
A change in the output format (with an `audit` `auditd_rules`
2016-01-29 15:39:54 +00:00
2015-10-27 21:20:33 +00:00
A `` auditd_rules `` |inspec resource| block declares one (or more) rules to be tested, and then what that rule should do:
2015-10-22 06:11:46 +00:00
.. code-block :: ruby
2015-10-26 09:41:10 +00:00
2015-10-22 06:11:46 +00:00
describe auditd_rules do
its('LIST_RULES') { should eq [
'exit,always syscall=rmdir,unlink',
'exit,always auid=1001 (0x3e9) syscall=open',
'exit,always watch=/etc/group perm=wa',
'exit,always watch=/etc/passwd perm=wa',
'exit,always watch=/etc/shadow perm=wa',
'exit,always watch=/etc/sudoers perm=wa',
'exit,always watch=/etc/secret_directory perm=r',
] }
end
2015-10-31 11:46:12 +00:00
or test that individual rules are defined:
2015-10-22 06:11:46 +00:00
.. code-block :: ruby
2015-10-31 11:46:12 +00:00
describe auditd_rules do
its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/group perm=wa key=identity/) }
its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/passwd perm=wa key=identity/) }
its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/gshadow perm=wa key=identity/)}
its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/shadow perm=wa key=identity/)}
its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/security\/opasswd perm=wa key=identity/)}
end
2015-10-22 06:11:46 +00:00
where each test
2016-01-29 15:39:54 +00:00
* must declare one (or more) rules to be tested
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 16:52:34 +00:00
2015-10-22 06:11:46 +00:00
**Test if a rule contains a matching element that is identified by a regular expression.**
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2016-02-08 20:35:30 +00:00
# syntax for audit < 2.3
2015-10-22 06:11:46 +00:00
describe audit_daemon_rules do
its("LIST_RULES") {
2015-10-31 11:46:12 +00:00
should contain_match(/^exit,always arch=.* key=time-change syscall=adjtimex,settimeofday/)
2015-10-22 06:11:46 +00:00
}
end
2015-10-20 16:52:34 +00:00
2016-02-08 20:35:30 +00:00
# syntax for auditd >= 2.3
2016-01-29 15:39:54 +00:00
describe auditd_rules do
2016-05-03 22:14:33 +00:00
its('lines') { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
2016-01-29 15:39:54 +00:00
end
2016-02-05 16:12:49 +00:00
The syntax for recent auditd versions allows more precise tests, such as the following:
2016-01-29 15:39:54 +00:00
**Query the audit daemon status.**
.. code-block :: ruby
describe auditd_rules.status('backlog') do
it { should cmp 0 }
end
2016-02-05 15:33:49 +00:00
**Query properties of rules targeting specific syscalls or files.**
2016-01-29 15:39:54 +00:00
.. code-block :: ruby
describe auditd_rules.syscall('open').action do
it { should eq(['always']) }
end
describe auditd_rules.key('sshd_config') do
2016-05-03 22:14:33 +00:00
its('permissions') { should contain_match(/x/) }
2016-01-29 15:39:54 +00:00
end
Note that filters can be chained, for example:
.. code-block :: ruby
describe auditd_rules.syscall('open').action('always').list do
it { should eq(['exit']) }
end
2015-10-19 16:05:10 +00:00
2015-10-22 04:14:48 +00:00
2016-06-18 09:27:10 +00:00
bash
=====================================================
Use the `` bash `` |inspec resource| to test an arbitrary command in BASH on the system.
**Stability: Stable**
Syntax
-----------------------------------------------------
A `` bash `` |inspec resource| block declares a command to be run, one (or more) expected outputs, and the location to which that output is sent:
.. code-block :: ruby
describe bash('command') do
it { should exist }
its('matcher') { should eq 'output' }
end
where
* `` 'command' `` must specify a command to be run
* `` 'matcher' `` is one of `` exit_status `` , `` stderr `` , or `` stdout ``
* `` 'output' `` tests the output of the command run on the system versus the output value stated in the test
Matchers
-----------------------------------------------------
This InSpec audit resource has the following matchers.
exist
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` exist `` matcher tests if a command may be run on the system:
.. code-block :: ruby
it { should exist }
exit_status
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` exit_status `` matcher tests the exit status for the command:
.. code-block :: ruby
its('exit_status') { should eq 123 }
stderr
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` stderr `` matcher tests results of the command as returned in standard error (stderr):
.. code-block :: ruby
its('stderr') { should eq 'error' }
stdout
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` stdout `` matcher tests results of the command as returned in standard output (stdout):
.. code-block :: ruby
its('stdout') { should match /^1$/ }
Examples
-----------------------------------------------------
The following examples show how to use this InSpec audit resource.
**List content of a directorye**
.. code-block :: ruby
describe bash('ls -al /') do
its('stdout') { should match /bin/ }
its('stderr') { should eq '' }
its('exit_status') { should eq 0 }
end
**Test standard output (stdout)**
.. code-block :: ruby
describe bash('echo hello') do
its('stdout') { should eq 'hello\n' }
its('stderr') { should eq '' }
its('exit_status') { should eq 0 }
end
**Test standard error (stderr)**
.. code-block :: ruby
describe bash('>&2 echo error') do
its('stdout') { should eq '' }
its('stderr') { should eq 'error\n' }
its('exit_status') { should eq 0 }
end
**Test an exit status code**
.. code-block :: ruby
describe bash('exit 123') do
its('stdout') { should eq '' }
its('stderr') { should eq '' }
its('exit_status') { should eq 123 }
end
**Specify the path of the bash executable**
.. code-block :: ruby
describe bash('echo hello', path: '/bin/bash') do
its('stdout') { should eq 'hello\n' }
end
**Specify bash arguments (defaults to -c)**
.. code-block :: ruby
describe bash('echo hello', args: '-x -c') do
its('stdout') { should eq 'hello\n' }
end
2015-10-26 09:41:10 +00:00
bond
2015-10-19 16:05:10 +00:00
=====================================================
2015-10-31 11:46:12 +00:00
Use the `` bond `` |inspec resource| to test a logical, bonded network interface (i.e. "two or more network interfaces aggregated into a single, logical network interface"). On |linux| platforms, any value in the `` /proc/net/bonding `` directory may be tested.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-22 04:14:48 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` bond `` |inspec resource| block declares a bonded network interface, and then specifies the properties of that bonded network interface to be tested:
2015-10-22 04:14:48 +00:00
.. code-block :: ruby
describe bond('name') do
it { should exist }
end
where
* `` 'name' `` is the name of the bonded network interface
2015-10-27 21:20:33 +00:00
* `` { should exist } `` is a valid matcher for this |inspec resource|
2015-10-22 04:14:48 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-22 04:14:48 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-22 04:14:48 +00:00
2015-10-26 09:41:10 +00:00
content
2015-10-22 04:14:48 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` content `` matcher tests if contents in the file that defines the bonded network interface match the value specified in the test. The values of the `` content `` matcher are arbitrary:
.. code-block :: ruby
2015-10-23 21:24:00 +00:00
its('content') { should match('value') }
2015-10-22 04:14:48 +00:00
2015-10-26 09:41:10 +00:00
exist
2015-10-22 04:14:48 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` exist `` matcher tests if the bonded network interface is available:
.. code-block :: ruby
it { should exist }
2015-10-26 09:41:10 +00:00
have_interface
2015-10-22 04:14:48 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` have_interface `` matcher tests if the bonded network interface has one (or more) secondary interfaces:
.. code-block :: ruby
it { should have_interface }
2015-10-26 09:41:10 +00:00
interfaces
2015-10-22 04:14:48 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` interfaces `` matcher tests if the named secondary interfaces are available:
.. code-block :: ruby
its('interfaces') { should eq ['eth0', 'eth1', ...] }
2015-10-26 09:41:10 +00:00
params
2015-10-22 04:14:48 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` params `` matcher tests arbitrary parameters for the bonded network interface:
.. code-block :: ruby
its('params') { should eq 'value' }
2015-10-26 09:41:10 +00:00
Examples
2015-10-22 04:14:48 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-22 04:14:48 +00:00
2015-10-26 09:41:10 +00:00
**Test if eth0 is a secondary interface for bond0**
2015-10-22 04:14:48 +00:00
.. code-block :: ruby
describe bond('bond0') do
it { should exist }
it { should have_interface 'eth0' }
end
2015-10-26 09:41:10 +00:00
**Test parameters for bond0**
2015-10-22 04:14:48 +00:00
.. code-block :: ruby
describe bond('bond0') do
its('Bonding Mode') { should eq 'IEEE 802.3ad Dynamic link aggregation' }
its('Transmit Hash Policy') { should eq 'layer3+4 (1)' }
its('MII Status') { should eq 'up' }
its('MII Polling Interval (ms)') { should eq '100' }
its('Up Delay (ms)') { should eq '0' }
its('Down Delay (ms)') { should eq '0' }
end
2015-10-19 16:05:10 +00:00
2015-10-22 04:13:17 +00:00
2015-10-26 09:41:10 +00:00
bridge
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` bridge `` |inspec resource| to test basic network bridge properties, such as name, if an interface is defined, and the associations for any defined interface.
2015-10-19 16:05:10 +00:00
2015-10-31 11:46:12 +00:00
* On |linux| platforms, any value in the `` /sys/class/net/{interface}/bridge `` directory may be tested
2015-10-19 16:05:10 +00:00
* On the |windows| platform, the `` Get-NetAdapter `` cmdlet is associated with the `` Get-NetAdapterBinding `` cmdlet and returns the `` ComponentID ms_bridge `` value as a |json| object
.. not sure the previous two bullet items are actually true, but keeping there for reference for now, just in case
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` bridge `` |inspec resource| block declares the bridge to be tested and what interface it should be associated with:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe bridge('br0') do
it { should exist }
it { should have_interface 'eth0' }
end
2015-10-26 09:41:10 +00:00
..
2015-10-19 16:05:10 +00:00
.. where
2015-10-26 09:41:10 +00:00
..
2015-10-19 16:05:10 +00:00
.. * ``xxxxx`` must specify xxxxx
.. * xxxxx
2015-10-26 23:29:57 +00:00
.. * ``xxxxx`` is a valid matcher for this InSpec audit resource
2015-10-26 09:41:10 +00:00
..
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
exist
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` exist `` matcher tests if the network bridge is available:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
it { should exist }
2015-10-26 09:41:10 +00:00
have_interface
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` have_interface `` matcher tests if the named interface is defined for the network bridge:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
it { should have_interface 'eth0' }
2015-10-26 09:41:10 +00:00
interfaces
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` interfaces `` matcher tests if the named interface is present:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-10-31 12:58:53 +00:00
its('interfaces') { should eq 'foo' }
its('interfaces') { should eq 'bar' }
its('interfaces') { should include('foo') }
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
..
2015-10-19 16:05:10 +00:00
.. Examples
2015-10-20 21:16:47 +00:00
.. -----------------------------------------------------
2015-10-26 23:29:57 +00:00
.. The following examples show how to use this InSpec audit resource.
2015-10-26 09:41:10 +00:00
..
.. **xxxxx**
..
2015-10-19 16:05:10 +00:00
.. xxxxx
2015-10-26 09:41:10 +00:00
..
.. **xxxxx**
..
2015-10-19 16:05:10 +00:00
.. xxxxx
2015-10-26 09:41:10 +00:00
..
2015-10-19 16:05:10 +00:00
2015-10-22 17:39:52 +00:00
2015-10-26 09:41:10 +00:00
command
2015-10-19 16:05:10 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` command `` |inspec resource| to test an arbitrary command that is run on the system.
2015-10-22 17:39:52 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-22 17:39:52 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` command `` |inspec resource| block declares a command to be run, one (or more) expected outputs, and the location to which that output is sent:
2015-10-22 17:39:52 +00:00
.. code-block :: ruby
describe command('command') do
it { should exist }
its('matcher') { should eq 'output' }
end
where
* `` 'command' `` must specify a command to be run
* `` 'matcher' `` is one of `` exit_status `` , `` stderr `` , or `` stdout ``
* `` 'output' `` tests the output of the command run on the system versus the output value stated in the test
2015-10-26 09:41:10 +00:00
Matchers
2015-10-22 17:39:52 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-22 17:39:52 +00:00
2015-10-26 09:41:10 +00:00
exist
2015-10-22 17:39:52 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` exist `` matcher tests if a command may be run on the system:
.. code-block :: ruby
it { should exist }
2015-10-26 09:41:10 +00:00
exit_status
2015-10-22 17:39:52 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` exit_status `` matcher tests the exit status for the command:
.. code-block :: ruby
its('exit_status') { should eq 123 }
2015-10-26 09:41:10 +00:00
stderr
2015-10-22 17:39:52 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` stderr `` matcher tests results of the command as returned in standard error (stderr):
.. code-block :: ruby
2015-10-31 12:58:53 +00:00
its('stderr') { should eq 'error' }
2015-10-22 17:39:52 +00:00
2015-10-26 09:41:10 +00:00
stdout
2015-10-22 17:39:52 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` stdout `` matcher tests results of the command as returned in standard output (stdout):
.. code-block :: ruby
2016-05-31 20:56:31 +00:00
its('stdout') { should match /^1$/ }
2015-10-22 17:39:52 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-22 17:39:52 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-22 17:39:52 +00:00
2015-10-31 12:58:53 +00:00
**Test for PostgreSQL database running a RC, but no development, or beta release**
2015-10-22 17:39:52 +00:00
.. code-block :: ruby
2015-10-31 12:58:53 +00:00
describe command('psql -V') do
2016-05-31 20:56:31 +00:00
its('stdout') { should match /RC/ }
its('stdout') { should_not match /DEVEL/ }
its('stdout') { should_not match /BETA/ }
2015-10-22 17:39:52 +00:00
end
2015-10-26 09:41:10 +00:00
**Test standard output (stdout)**
2015-10-22 17:39:52 +00:00
.. code-block :: ruby
describe command('echo hello') do
its('stdout') { should eq 'hello\n' }
its('stderr') { should eq '' }
its('exit_status') { should eq 0 }
end
2015-10-26 09:41:10 +00:00
**Test standard error (stderr)**
2015-10-22 17:39:52 +00:00
.. code-block :: ruby
describe command('>&2 echo error') do
its('stdout') { should eq '' }
its('stderr') { should eq 'error\n' }
its('exit_status') { should eq 0 }
end
2015-10-26 09:41:10 +00:00
**Test an exit status code**
2015-10-22 17:39:52 +00:00
.. code-block :: ruby
describe command('exit 123') do
its('stdout') { should eq '' }
its('stderr') { should eq '' }
its('exit_status') { should eq 123 }
end
2015-10-26 09:41:10 +00:00
**Test if the command shell exists**
2015-10-22 17:39:52 +00:00
.. code-block :: ruby
describe command('/bin/sh').exist? do
it { should eq true }
end
2015-10-26 09:41:10 +00:00
**Test for a command that should not exist**
2015-10-22 17:39:52 +00:00
.. code-block :: ruby
describe command('this is not existing').exist? do
it { should eq false }
end
2015-10-19 16:05:10 +00:00
2015-10-22 04:13:17 +00:00
2015-10-26 09:41:10 +00:00
csv
2015-10-19 16:05:10 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` csv `` |inspec resource| to test configuration data in a |csv| file.
2015-10-20 22:02:57 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 22:02:57 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` csv `` |inspec resource| block declares the configuration data to be tested:
2015-10-20 22:02:57 +00:00
.. code-block :: ruby
describe csv('file') do
its('name') { should eq 'foo' }
end
where
* `` 'file' `` is the path to a |csv| file
* `` name `` is a configuration setting in a |csv| file
* `` should eq 'foo' `` tests a value of `` name `` as read from a |csv| file versus the value declared in the test
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 22:02:57 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-20 22:02:57 +00:00
2015-10-26 09:41:10 +00:00
name
2015-10-20 22:02:57 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` name `` matcher tests the value of `` name `` as read from a |csv| file versus the value declared in the test:
2015-10-20 22:02:57 +00:00
.. code-block :: ruby
its('name') { should eq 'foo' }
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 22:02:57 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 22:02:57 +00:00
**Test a CSV file**
.. code-block :: ruby
describe csv('some_file.csv') do
its('setting') { should eq 1 }
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
directory
2015-10-19 16:05:10 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` directory `` |inspec resource| to test if the file type is a directory. This is equivalent to using the `` file `` |inspec resource| and the `` be_directory `` matcher, but provides a simpler and more direct way to test directories. All of the matchers available to `` file `` may be used with `` directory `` .
2015-10-22 02:52:52 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-22 02:52:52 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` directory `` |inspec resource| block declares the location of the directory to be tested, and then one (or more) matchers:
2015-10-22 02:52:52 +00:00
.. code-block :: ruby
describe directory('path') do
it { should MATCHER 'value' }
end
2015-10-26 09:41:10 +00:00
Matchers
2015-10-22 02:52:52 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
This |inspec resource| may use any of the matchers available to the `` file `` resource that are useful for testing a directory.
2015-10-22 02:52:52 +00:00
2015-10-26 09:41:10 +00:00
..
2015-10-22 02:52:52 +00:00
.. Examples
.. -----------------------------------------------------
2015-10-26 23:29:57 +00:00
.. The following examples show how to use this InSpec audit resource.
2015-10-26 09:41:10 +00:00
..
.. **xxxxx**
..
2015-10-22 02:52:52 +00:00
.. xxxxx
2015-10-26 09:41:10 +00:00
..
.. **xxxxx**
..
2015-10-22 02:52:52 +00:00
.. xxxxx
2015-10-26 09:41:10 +00:00
..
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
etc_group
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-31 12:58:53 +00:00
Use the `` etc_group `` |inspec resource| to test groups that are defined on |linux| and |unix| platforms. The `` /etc/group `` file stores details about each group---group name, password, group identifier, along with a comma-separate list of users that belong to the group.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 23:51:48 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` etc_group `` |inspec resource| block declares a collection of properties to be tested:
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-10-20 23:51:48 +00:00
describe etc_group('path') do
its('matcher') { should eq 'some_value' }
end
2015-10-20 16:52:34 +00:00
2015-10-20 23:51:48 +00:00
or:
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-10-20 23:51:48 +00:00
describe etc_group.where(item: 'value', item: 'value') do
its('gids') { should_not contain_duplicates }
its('groups') { should include 'user_name' }
its('users') { should include 'user_name' }
end
where
2015-10-20 16:52:34 +00:00
2015-10-20 23:51:48 +00:00
* `` ('path') `` is the non-default path to the `` inetd.conf `` file
* `` .where() `` may specify a specific item and value, to which the matchers are compared
2015-10-27 21:20:33 +00:00
* `` 'gids' `` , `` 'groups' `` , and `` 'users' `` are valid matchers for this |inspec resource|
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
gids
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` gids `` matcher tests if the named group identifier is present or if it contains duplicates:
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
its('gids') { should_not contain_duplicates }
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
groups
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` groups `` matcher tests all groups for the named user:
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
its('groups') { should include 'my_group' }
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
users
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` users `` matcher tests all groups for the named user:
2015-10-20 16:52:34 +00:00
2015-10-20 23:51:48 +00:00
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
its('users') { should include 'my_user' }
2015-10-20 23:51:48 +00:00
2015-10-26 09:41:10 +00:00
where
2015-10-20 23:51:48 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` where `` matcher allows the test to be focused to one (or more) specific items:
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
etc_group.where(item: 'value', item: 'value')
2015-10-20 16:52:34 +00:00
2015-10-20 23:51:48 +00:00
where `` item `` may be one (or more) of:
2015-10-20 16:52:34 +00:00
2015-10-20 23:51:48 +00:00
* `` name: 'name' ``
* `` group_name: 'group_name' ``
* `` password: 'password' ``
* `` gid: 'gid' ``
* `` group_id: 'gid' ``
* `` users: 'user_name' ``
* `` members: 'member_name' ``
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 23:51:48 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
**Test group identifiers (GIDs) for duplicates**
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-10-19 16:05:10 +00:00
2015-10-20 23:51:48 +00:00
describe etc_group do
its('gids') { should_not contain_duplicates }
end
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
**Test all groups to see if a specific user belongs to one (or more) groups**
2015-10-20 16:52:34 +00:00
2015-10-20 23:51:48 +00:00
.. code-block :: ruby
describe etc_group do
2015-10-31 12:58:53 +00:00
its('groups') { should include 'my_group' }
2015-10-20 23:51:48 +00:00
end
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
**Test all groups for a specific user name**
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-10-31 12:58:53 +00:00
describe etc_group do
2015-10-20 23:51:48 +00:00
its('users') { should include 'my_user' }
end
2015-10-26 09:41:10 +00:00
**Filter a list of groups for a specific user**
2015-10-20 23:51:48 +00:00
.. code-block :: ruby
2015-10-31 12:58:53 +00:00
describe etc_group.where(name: 'my_group') do
2015-10-20 23:51:48 +00:00
its('users') { should include 'my_user' }
end
2015-10-26 09:41:10 +00:00
file
2015-10-19 16:05:10 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` file `` |inspec resource| to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.
2015-10-22 02:29:50 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-22 02:29:50 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` file `` |inspec resource| block declares the location of the file type to be tested, what type that file should be (if required), and then one (or more) matchers:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
describe file('path') do
it { should MATCHER 'value' }
end
where
* `` ('path') `` is the name of the file and/or the path to the file
2015-10-27 21:20:33 +00:00
* `` MATCHER `` is a valid matcher for this |inspec resource|
2015-10-22 02:29:50 +00:00
* `` 'value' `` is the value to be tested
2015-10-26 09:41:10 +00:00
Matchers
2015-10-22 02:29:50 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-22 02:29:50 +00:00
2015-10-26 09:41:10 +00:00
be_block_device
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_block_device `` matcher tests if the file exists as a block device, such as `` /dev/disk0 `` or `` /dev/disk0s9 `` :
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_block_device }
2015-10-26 09:41:10 +00:00
be_character_device
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_character_device `` matcher tests if the file exists as a character device (that corresponds to a block device), such as `` /dev/rdisk0 `` or `` /dev/rdisk0s9 `` :
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_character_device }
2015-10-26 09:41:10 +00:00
be_directory
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_directory `` matcher tests if the file exists as a directory, such as `` /etc/passwd `` , `` /etc/shadow `` , or `` /var/log/httpd `` :
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_directory }
2015-10-26 09:41:10 +00:00
be_executable
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-27 21:20:33 +00:00
The `` be_executable `` matcher tests if the file exists as an executable:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_executable }
The `` be_executable `` matcher may also test if the file is executable by a specific owner, group, or user. For example, a group:
.. code-block :: ruby
it { should be_executable.by('group') }
an owner:
.. code-block :: ruby
it { should be_executable.by('owner') }
a user:
.. code-block :: ruby
it { should be_executable.by_user('user') }
2015-10-27 21:20:33 +00:00
be_file
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` be_file `` matcher tests if the file exists as a file. This can be useful with configuration files like `` /etc/passwd `` where there typically is not an associated file extension---`` passwd.txt `` :
.. code-block :: ruby
it { should be_file }
2015-10-26 09:41:10 +00:00
be_grouped_into
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_grouped_into `` matcher tests if the file exists as part of the named group:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_grouped_into 'group' }
2015-10-26 09:41:10 +00:00
be_immutable
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_immutable `` matcher tests if the file is immutable, i.e. "cannot be changed":
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_immutable }
2015-10-26 09:41:10 +00:00
be_linked_to
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_linked_to `` matcher tests if the file is linked to the named target:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_linked_to '/etc/target-file' }
2015-10-26 09:41:10 +00:00
be_mounted
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_mounted `` matcher tests if the file is accessible from the file system:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_mounted }
2015-10-26 09:41:10 +00:00
be_owned_by
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_owned_by `` matcher tests if the file is owned by the named user, such as `` root `` :
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_owned_by 'root' }
2015-10-26 09:41:10 +00:00
be_pipe
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_pipe `` matcher tests if the file exists as first-in, first-out special file (`` .fifo `` ) that is typically used to define a named pipe, such as `` /var/log/nginx/access.log.fifo `` :
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_pipe }
2015-10-26 09:41:10 +00:00
be_readable
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_readable `` matcher tests if the file is readable:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_readable }
The `` be_readable `` matcher may also test if the file is readable by a specific owner, group, or user. For example, a group:
.. code-block :: ruby
it { should be_readable.by('group') }
an owner:
.. code-block :: ruby
it { should be_readable.by('owner') }
a user:
.. code-block :: ruby
it { should be_readable.by_user('user') }
2015-10-26 09:41:10 +00:00
be_socket
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_socket `` matcher tests if the file exists as socket (`` .sock `` ), such as `` /var/run/php-fpm.sock `` :
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_socket }
2015-10-26 09:41:10 +00:00
be_symlink
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_symlink `` matcher tests if the file exists as a symbolic, or soft link that contains an absolute or relative path reference to another file:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_symlink }
2015-10-26 09:41:10 +00:00
be_version
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_version `` matcher tests the version of the file:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_version '1.2.3' }
2015-10-26 09:41:10 +00:00
be_writable
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_writable `` matcher tests if the file is writable:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should be_writable }
The `` be_writable `` matcher may also test if the file is writable by a specific owner, group, or user. For example, a group:
.. code-block :: ruby
it { should be_writable.by('group') }
an owner:
.. code-block :: ruby
it { should be_writable.by('owner') }
a user:
.. code-block :: ruby
it { should be_writable.by_user('user') }
2015-10-26 09:41:10 +00:00
content
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` content `` matcher tests if contents in the file match the value specified in the test. The values of the `` content `` matcher are arbitrary and depend on the file type being tested and also the type of information that is expected to be in that file:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
2016-05-16 09:33:13 +00:00
its('content') { should match REGEX }
2015-10-22 02:29:50 +00:00
The following complete example tests the `` pg_hba.conf `` file in |postgresql| for |md5| requirements. The tests look at all `` host `` and `` local `` settings in that file, and then compare the |md5| checksums against the values in the test:
.. code-block :: bash
describe file(hba_config_file) do
2016-07-14 11:06:41 +00:00
its('content') { should match(%r{local\s.*?all\s.* ?all\s.*?md5}) }
its('content') { should match(%r{host\s.*?all\s.* ?all\s.*?127.0.0.1\/32\s.* ?md5}) }
its('content') { should match(%r{host\s.*?all\s.* ?all\s.*?::1\/128\s.* ?md5}) }
2015-10-22 02:29:50 +00:00
end
2015-10-26 09:41:10 +00:00
exist
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` exist `` matcher tests if the named file exists:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should exist }
2015-10-26 09:41:10 +00:00
file_version
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` file_version `` matcher tests if the file's version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
its('file_version') { should eq '1.2.3' }
2015-10-26 09:41:10 +00:00
group
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` group `` matcher tests if the group to which a file belongs matches the specified value:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
its('group') { should eq 'admins' }
2015-10-26 09:41:10 +00:00
have_mode
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` have_mode `` matcher tests if a file has a mode assigned to it:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
it { should have_mode }
2015-10-26 09:41:10 +00:00
link_path
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` link_path `` matcher tests if the file exists at the specified path:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
its('link_path') { should eq '/some/path/to/file' }
2015-10-26 09:41:10 +00:00
link_target
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` link_target `` matcher tests if a file that is linked to this file exists at the specified path:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
its('link_target') { should eq '/some/path/to/file' }
2015-10-26 09:41:10 +00:00
md5sum
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` md5sum `` matcher tests if the |md5| checksum for a file matches the specified value:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
its('md5sum') { should eq '3329x3hf9130gjs9jlasf2305mx91s4j' }
2015-10-26 09:41:10 +00:00
mode
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` mode `` matcher tests if the mode assigned to the file matches the specified value:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
2016-08-30 17:23:47 +00:00
its('mode') { should cmp '0644' }
2015-10-22 02:29:50 +00:00
2015-10-26 09:41:10 +00:00
mtime
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` mtime `` matcher tests if the file modification time for the file matches the specified value:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
its('mtime') { should eq 'October 31 2015 12:10:45' }
or:
.. code-block :: bash
describe file('/').mtime.to_i do
it { should <= Time.now.to_i }
it { should >= Time.now.to_i - 1000}
end
2015-10-26 09:41:10 +00:00
owner
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` owner `` matcher tests if the owner of the file matches the specified value:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
its('owner') { should eq 'root' }
2015-10-26 09:41:10 +00:00
product_version
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` product_version `` matcher tests if the file's product version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
its('product_version') { should eq 2.3.4 }
2015-10-26 09:41:10 +00:00
selinux_label
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` selinux_label `` matcher tests if the |selinux| label for a file matches the specified value:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
2015-10-31 12:58:53 +00:00
its('selinux_label') { should eq 'system_u:system_r:httpd_t:s0' }
2015-10-22 02:29:50 +00:00
2015-10-26 09:41:10 +00:00
sha256sum
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` sha256sum `` matcher tests if the |sha256| checksum for a file matches the specified value:
2015-10-22 02:29:50 +00:00
.. code-block :: ruby
its('sha256sum') { should eq 'b837ch38lh19bb8eaopl8jvxwd2e4g58jn9lkho1w3ed9jbkeicalplaad9k0pjn' }
2015-10-26 09:41:10 +00:00
size
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` size `` matcher tests if a file's size matches, is greater than, or is less than the specified value. For example, equal:
.. code-block :: ruby
its('size') { should eq 32375 }
Greater than:
.. code-block :: ruby
its('size') { should > 64 }
Less than:
.. code-block :: ruby
its('size') { should < 10240 }
2015-10-26 09:41:10 +00:00
type
2015-10-22 02:29:50 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` type `` matcher tests if the first letter of the file's mode string contains one of the following characters:
* `` - `` or `` f `` (the file is a file); use `` 'file `` to test for this file type
* `` d `` (the file is a directory); use `` 'directory `` to test for this file type
* `` l `` (the file is a symbolic link); use `` 'link `` to test for this file type
* `` p `` (the file is a named pipe); use `` 'pipe `` to test for this file type
* `` s `` (the file is a socket); use `` 'socket `` to test for this file type
* `` c `` (the file is a character device); use `` 'character `` to test for this file type
* `` b `` (the file is a block device); use `` 'block `` to test for this file type
* `` D `` (the file is a door); use `` 'door `` to test for this file type
For example:
.. code-block :: ruby
its('type') { should eq 'file' }
or:
.. code-block :: ruby
its('type') { should eq 'socket' }
2015-10-26 09:41:10 +00:00
Examples
2015-10-22 02:29:50 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-22 02:29:50 +00:00
2015-10-26 09:41:10 +00:00
**Test the contents of a file for MD5 requirements**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file(hba_config_file) do
2016-05-16 09:33:13 +00:00
its('content') { should match /local\s.*?all\s.* ?all\s.*?md5/ }
its('content') { should match %r{/host\s.*?all\s.* ?all\s.*?127.0.0.1\/32\s.* ?md5/} }
its('content') { should match %r{/host\s.*?all\s.* ?all\s.*?::1\/128\s.* ?md5/} }
2015-10-22 02:29:50 +00:00
end
2015-10-26 09:41:10 +00:00
**Test if a file exists**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/tmp') do
it { should exist }
end
2015-10-26 09:41:10 +00:00
**Test that a file does not exist**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/tmpest') do
it { should_not exist }
end
2015-10-31 12:58:53 +00:00
**Test if a path is a directory**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/tmp') do
its('type') { should eq :directory }
it { should be_directory }
end
2015-10-31 12:58:53 +00:00
**Test if a path is a file and not a directory**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/proc/version') do
its('type') { should eq 'file' }
it { should be_file }
it { should_not be_directory }
end
2015-10-26 09:41:10 +00:00
**Test if a file is a symbolic link**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/dev/stdout') do
its('type') { should eq 'symlink' }
it { should be_symlink }
it { should_not be_file }
it { should_not be_directory }
end
2015-10-26 09:41:10 +00:00
**Test if a file is a character device**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/dev/zero') do
its('type') { should eq 'character' }
it { should be_character_device }
it { should_not be_file }
it { should_not be_directory }
end
2015-10-26 09:41:10 +00:00
**Test if a file is a block device**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/dev/zero') do
its('type') { should eq 'block' }
it { should be_character_device }
it { should_not be_file }
it { should_not be_directory }
end
2015-10-26 09:41:10 +00:00
**Test the mode for a file**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/dev') do
2016-08-30 17:23:47 +00:00
its('mode') { should cmp '00755' }
2015-10-22 02:29:50 +00:00
end
2015-10-26 09:41:10 +00:00
**Test the owner of a file**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/root') do
its('owner') { should eq 'root' }
end
2015-10-26 09:41:10 +00:00
**Test if a file is owned by the root user**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/dev') do
it { should be_owned_by 'root' }
end
2015-10-26 09:41:10 +00:00
**Test the mtime for a file**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/').mtime.to_i do
it { should <= Time.now.to_i }
it { should >= Time.now.to_i - 1000}
end
2015-10-26 09:41:10 +00:00
**Test that a file's size is between 64 and 10240**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/') do
its('size') { should be > 64 }
its('size') { should be < 10240 }
end
2015-10-26 09:41:10 +00:00
**Test that a file's size is zero**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/proc/cpuinfo') do
its('size') { should be 0 }
end
2015-10-26 09:41:10 +00:00
**Test that a file is not mounted**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
describe file('/proc/cpuinfo') do
it { should_not be_mounted }
end
2015-10-26 09:41:10 +00:00
**Test an MD5 checksum**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
require 'digest'
cpuinfo = file('/proc/cpuinfo').content
md5sum = Digest::MD5.hexdigest(cpuinfo)
2015-10-26 09:41:10 +00:00
2015-10-22 02:29:50 +00:00
describe file('/proc/cpuinfo') do
its('md5sum') { should eq md5sum }
end
2015-10-26 09:41:10 +00:00
**Test an SHA-256 checksum**
2015-10-22 02:29:50 +00:00
.. code-block :: bash
require 'digest'
cpuinfo = file('/proc/cpuinfo').content
sha256sum = Digest::SHA256.hexdigest(cpuinfo)
2015-10-26 09:41:10 +00:00
2015-10-22 02:29:50 +00:00
describe file('/proc/cpuinfo') do
its('sha256sum') { should eq sha256sum }
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
gem
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` gem `` |inspec resource| to test if a global |gem| package is installed.
2015-10-20 01:25:25 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` gem `` |inspec resource| block declares a package and (optionally) a package version:
2015-10-19 20:59:05 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
describe gem('gem_package_name') do
it { should be_installed }
end
2015-10-19 20:59:05 +00:00
where
2015-10-20 01:25:25 +00:00
* `` ('gem_package_name') `` must specify a |gem| package, such as `` 'rubocop' ``
2015-10-27 21:20:33 +00:00
* `` be_installed `` is a valid matcher for this |inspec resource|
2015-10-19 20:59:05 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
be_installed
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_installed `` matcher tests if the named |gem| package is installed:
2015-10-19 20:59:05 +00:00
.. code-block :: ruby
it { should be_installed }
2015-10-26 09:41:10 +00:00
version
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` version `` matcher tests if the named package version is on the system:
2015-10-19 16:05:10 +00:00
2015-10-19 20:59:05 +00:00
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
its('version') { should eq '0.33.0' }
2015-10-19 20:59:05 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 20:59:05 +00:00
2015-10-20 01:25:25 +00:00
**Verify that a gem package is installed, with a specific version**
2015-10-19 20:59:05 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
describe gem('rubocop') do
it { should be_installed }
2015-10-20 21:04:07 +00:00
its('version') { should eq '0.33.0' }
2015-10-20 01:25:25 +00:00
end
2015-10-19 16:05:10 +00:00
2015-10-19 20:59:05 +00:00
**Verify that a gem package is not installed**
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
describe gem('rubocop') do
it { should_not be_installed }
end
2015-10-19 20:59:05 +00:00
2015-10-26 09:41:10 +00:00
group
2015-10-19 16:05:10 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` group `` |inspec resource| to test groups on the system.
2015-10-21 00:20:47 +00:00
2015-10-26 09:41:10 +00:00
Syntax
2015-10-21 00:20:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` group `` |inspec resource| block declares a group, and then the details to be tested, such as if the group is a local group, the group identifier, or if the group exists:
2015-10-21 00:20:47 +00:00
.. code-block :: ruby
describe group('group_name') do
it { should exist }
its('gid') { should eq 0 }
end
where
* `` 'group_name' `` must specify the name of a group on the system
2015-10-27 21:20:33 +00:00
* `` exist `` and `` 'gid' `` are valid matchers for this |inspec resource|
2015-10-21 00:20:47 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-21 00:20:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-21 00:20:47 +00:00
2015-10-26 09:41:10 +00:00
be_local
2015-10-21 00:20:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_local `` matcher tests if the group is a local group:
2015-10-21 00:20:47 +00:00
.. code-block :: ruby
it { should be_local }
2015-10-26 09:41:10 +00:00
exist
2015-10-21 00:20:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` exist `` matcher tests if the named user exists:
2015-10-21 00:20:47 +00:00
.. code-block :: ruby
it { should exist }
2015-10-26 09:41:10 +00:00
gid
2015-10-21 00:20:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` gid `` matcher tests the named group identifier:
2015-10-21 00:20:47 +00:00
.. code-block :: ruby
its('gid') { should eq 1234 }
2015-10-26 09:41:10 +00:00
Examples
2015-10-21 00:20:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-21 00:20:47 +00:00
2015-10-26 09:41:10 +00:00
**Test the group identifier for the root group**
2015-10-21 00:20:47 +00:00
.. code-block :: ruby
describe group('root') do
it { should exist }
its('gid') { should eq 0 }
end
2015-10-19 16:05:10 +00:00
2016-04-17 14:57:31 +00:00
grub_conf
=====================================================
Test both Grub 1 and Grub 2 configurations.
**Stability: Experimental**
Syntax
-----------------------------------------------------
A `` grub_conf `` resource is used to specify a configuration file and boot configuration.
.. code-block :: ruby
describe grub_conf('/etc/grub.conf', 'default') do
its('kernel') { should include '/vmlinuz-2.6.32-573.7.1.el6.x86_64' }
its('initrd') { should include '/initramfs-2.6.32-573.el6.x86_64.img=1' }
its('default') { should_not eq '1' }
its('timeout') { should eq '5' }
end
You can also check specific kernels:
.. code-block :: ruby
grub_conf('/etc/grub.conf', 'CentOS (2.6.32-573.12.1.el6.x86_64)') do
its('kernel') { should include 'audit=1' }
end
2015-10-26 09:41:10 +00:00
host
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` host `` |inspec resource| to test the name used to refer to a specific host and its availability, including the Internet protocols and ports over which that host name should be available.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` host `` |inspec resource| block declares a host name, and then (depending on what is to be tested) a port and/or a protocol:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-10-31 12:58:53 +00:00
describe host('example.com', port: 80, proto: 'tcp') do
2015-10-19 16:05:10 +00:00
it { should be_reachable }
end
where
* `` host() `` must specify a host name and may specify a port number and/or a protocol
* `` 'example.com' `` is the host name
* `` port: `` is the port number
2015-10-31 12:58:53 +00:00
* `` proto: 'name' `` is the Internet protocol: |tcp| (`` proto: 'tcp' `` ), |udp| (`` proto: 'udp' `` or |icmp| (`` proto: 'icmp' `` ))
2015-10-27 21:20:33 +00:00
* `` be_reachable `` is a valid matcher for this |inspec resource|
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
be_reachable
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_reachable `` matcher tests if the host name is available:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
it { should be_reachable }
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
be_resolvable
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_resolvable `` matcher tests for host name resolution, i.e. "resolvable to an IP address":
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
it { should be_resolvable }
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
ipaddress
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-22 04:13:17 +00:00
The `` ipaddress `` matcher tests if a host name is resolvable to a specific IP address:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
its('ipaddress') { should include '93.184.216.34' }
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
**Verify host name s reachable over a specific protocol and port number**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe host('example.com', port: 53, proto: 'udp') do
it { should be_reachable }
end
2015-10-26 09:41:10 +00:00
**Verify that a specific IP address can be resolved**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe host('example.com', port: 80, proto: 'tcp') do
it { should be_resolvable }
2015-10-20 21:04:07 +00:00
its('ipaddress') { should include '192.168.1.1' }
2015-10-19 16:05:10 +00:00
end
2015-10-20 01:25:25 +00:00
2016-08-10 20:59:15 +00:00
iis_site
=====================================================
Tests the status, path, bindings, and application pool of an IIS website. Supported in windows 2012 and higher.
**Stability: Experimental**
Syntax
-----------------------------------------------------
An `` iis_site `` |inspec resource| block declares the IIS web site properties to be tested:
.. code-block :: ruby
describe iis_site('website') do
it { should exist }
it { should be_running }
it { should have_app_pool('app_pool') }
it { should have_binding('https :443:www.contoso.com sslFlags=0') }
it { should have_path('C:\\inetpub\\wwwroot') }
end
where
* `` iis_site() `` must specify a web site name
* `` 'website' `` is the web site name
* `` have_app_pool('my_app_pool') `` tests that our site belongs to the 'my_app_pool' application pool
* `` have_binding('my_binding') `` tests that our site has the specified binding. my_binding should be in the format of the default output from the Get-Website powershell cmdlet
Matchers
-----------------------------------------------------
This InSpec audit resource has the following matchers.
exist
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` exist `` matcher tests if the website exists in IIS:
.. code-block :: ruby
it { should exist }
be_running
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` be_running `` matcher tests if the IIS site is running
.. code-block :: ruby
it { should be_running }
2016-08-18 16:29:23 +00:00
2016-08-10 20:59:15 +00:00
have_app_pool
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` have_app_pool `` matcher tests if the IIS site belongs in the specified application pool
2015-10-20 21:04:07 +00:00
2016-08-10 20:59:15 +00:00
.. code-block :: ruby
it { should have_app_pool('Default App Pool') }
have_binding
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` have_binding `` matcher tests if the IIS site has the specified binding
.. code-block :: ruby
it { should have_binding('http :80:*' ) }
2016-08-18 16:29:23 +00:00
2016-08-10 20:59:15 +00:00
have_path
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` have_path `` matcher tests if the IIS site is located in the specified path
.. code-block :: ruby
2016-08-18 16:29:23 +00:00
it { should have_path('c:\\inetpub\\wwwroot\\my_site') }
2016-08-10 20:59:15 +00:00
Examples
-----------------------------------------------------
The following examples show how to use this InSpec audit resource.
**Test if a web site 'My Site' is running and is located on disk at c:\\mysite**
.. code-block :: ruby
describe iis_site('My Site') do
it { should be_running }
2016-08-18 16:29:23 +00:00
it { should have_path('c:\\mysite') }
2016-08-10 20:59:15 +00:00
end
**Test to see if 'Default Web Site' has been removed**
.. code-block :: ruby
describe iis_site('Default Web Site') do
it { should_not exist }
end
**Test 'New Website' is running in Default App Pool and listening on port 80 via http**
.. code-block :: ruby
describe iis_site('New Website') do
it { should have_app_pool('app_pool') }
it { should have_binding('http :80:*') }
end
2016-08-18 16:29:23 +00:00
2015-10-22 04:13:17 +00:00
2015-10-26 09:41:10 +00:00
inetd_conf
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` inetd_conf `` |inspec resource| to test if a service is enabled in the `` inetd.conf `` file on |linux| and |unix| platforms. |inetd|---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `` inetd.conf `` file is typically located at `` /etc/inetd.conf `` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-31 12:58:53 +00:00
An `` inetd_conf `` |inspec resource| block declares the list of services that are enabled in the `` inetd.conf `` file:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-10-26 15:21:51 +00:00
describe inetd_conf('path') do
2015-10-20 21:04:07 +00:00
its('service_name') { should eq 'value' }
2015-10-19 16:05:10 +00:00
end
where
* `` 'service_name' `` is a service listed in the `` inetd.conf `` file
* `` ('path') `` is the non-default path to the `` inetd.conf `` file
* `` should eq 'value' `` is the value that is expected
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-31 12:58:53 +00:00
This |inspec resource| matches any service that is listed in the `` inetd.conf `` file. You may want to ensure that specific services do not listen via `` inetd.conf `` :
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
its('shell') { should eq nil }
2015-10-19 16:05:10 +00:00
or:
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
its('netstat') { should eq nil }
2015-10-19 16:05:10 +00:00
or:
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
its('systat') { should eq nil }
2015-10-19 16:05:10 +00:00
For example:
.. code-block :: ruby
describe inetd_conf do
2015-10-20 21:04:07 +00:00
its('shell') { should eq nil }
its('login') { should eq nil }
its('exec') { should eq nil }
2015-10-19 16:05:10 +00:00
end
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
**Verify that FTP is disabled**
2015-10-19 16:05:10 +00:00
The contents if the `` inetd.conf `` file contain the following:
.. code-block :: text
#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
and the following test is defined:
.. code-block :: ruby
2015-10-26 15:21:51 +00:00
describe inetd_conf do
2015-10-20 21:04:07 +00:00
its('ftp') { should eq nil }
its('telnet') { should eq nil }
2015-10-19 16:05:10 +00:00
end
Because both the `` ftp `` and `` telnet `` Internet services are commented out (`` # `` ), both services are disabled. Consequently, both tests will return `` true `` . However, if the `` inetd.conf `` file is set as follows:
.. code-block :: text
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
then the same test will return `` false `` for `` ftp `` and the entire test will fail.
2015-10-26 09:41:10 +00:00
**Test if telnet is installed**
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
describe package('telnetd') do
it { should_not be_installed }
end
2015-10-26 09:41:10 +00:00
2015-10-20 01:25:25 +00:00
describe inetd_conf do
its('telnet') { should eq nil }
end
2015-10-22 19:00:05 +00:00
2016-08-25 18:30:03 +00:00
ini
=====================================================
Use the `` ini `` |inspec resource| to test data in a INI file.
**Stability: Stable**
Syntax
-----------------------------------------------------
An `` ini `` |inspec resource| block declares the content of the `` ini `` file:
.. code-block :: ruby
describe ini('path/to/ini_file.ini') do
its('auth_protocol') { should eq 'https' }
end
where
* `` 'auth_protocol' `` is a key in the `` ini `` file
* `` ('https') `` is the expected value associated with the above key in the `` ini `` file
Matchers
-----------------------------------------------------
This |inspec resource| matches any content in the `` ini `` file:
.. code-block :: ruby
its('port') { should eq '143' }
Examples
-----------------------------------------------------
The following examples show how to use this InSpec audit resource.
For example:
.. code-block :: ruby
describe ini('path/to/ini_file.ini') do
its('port') { should eq '143' }
its('server') { should eq '192.0.2.62' }
end
2015-10-22 19:00:05 +00:00
2015-10-26 09:41:10 +00:00
interface
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` interface `` |inspec resource| to test basic network adapter properties, such as name, status, state, address, and link speed (in MB/sec).
2015-10-19 16:05:10 +00:00
2015-10-31 13:44:16 +00:00
* On |linux| platforms, `` /sys/class/net/#{iface} `` is used as source
* On the |windows| platform, the `` Get-NetAdapter `` cmdlet is used as source
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
An `` interface `` |inspec resource| block declares network interface properties to be tested:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe interface do
it { should be_up }
2015-10-20 21:04:07 +00:00
its('speed') { should eq 1000 }
2015-10-19 16:05:10 +00:00
its('name') { should eq eth0 }
end
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
be_up
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_up `` matcher tests if the network interface is available:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
it { should be_up }
2015-10-26 09:41:10 +00:00
name
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` name `` matcher tests if the named network interface exists:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('name') { should eq eth0 }
2015-10-26 09:41:10 +00:00
speed
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` speed `` matcher tests the speed of the network interface, in MB/sec:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
its('speed') { should eq 1000 }
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
..
2015-10-19 16:05:10 +00:00
.. Examples
2015-10-20 21:16:47 +00:00
.. -----------------------------------------------------
2015-10-26 23:29:57 +00:00
.. The following examples show how to use this InSpec audit resource.
2015-10-26 09:41:10 +00:00
..
.. **xxxxx**
..
2015-10-19 16:05:10 +00:00
.. xxxxx
2015-10-26 09:41:10 +00:00
..
.. **xxxxx**
..
2015-10-19 16:05:10 +00:00
.. xxxxx
2015-10-26 09:41:10 +00:00
..
2015-10-20 21:04:07 +00:00
2015-10-22 19:00:05 +00:00
2015-10-26 09:41:10 +00:00
iptables
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` iptables `` |inspec resource| to test rules that are defined in `` iptables `` , which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.
2015-10-22 19:00:05 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-22 19:00:05 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` iptables `` |inspec resource| block declares tests for rules in IP tables:
2015-10-22 19:00:05 +00:00
.. code-block :: ruby
describe iptables(rule:'name', table:'name', chain: 'name') do
it { should have_rule('RULE') }
end
where
* `` iptables() `` may specify any combination of `` rule `` , `` table `` , or `` chain ``
* `` rule:'name' `` is the name of a rule that matches a set of packets
* `` table:'name' `` is the packet matching table against which the test is run
* `` chain: 'name' `` is the name of a user-defined chain or one of `` ACCEPT `` , `` DROP `` , `` QUEUE `` , or `` RETURN ``
* `` have_rule('RULE') `` tests that rule in the iptables file
2015-10-26 09:41:10 +00:00
Matchers
2015-10-22 19:00:05 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-20 21:04:07 +00:00
2015-10-26 09:41:10 +00:00
have_rule
2015-10-22 19:00:05 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` have_rule `` matcher tests the named rule against the information in the `` iptables `` file:
.. code-block :: ruby
it { should have_rule('RULE') }
2015-10-26 09:41:10 +00:00
Examples
2015-10-22 19:00:05 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-22 19:00:05 +00:00
2015-10-26 09:41:10 +00:00
**Test if the IP table allows a packet through**
2015-10-20 21:04:07 +00:00
2015-10-22 19:00:05 +00:00
.. code-block :: ruby
describe iptables do
it { should have_rule('-P INPUT ACCEPT') }
end
2015-10-26 09:41:10 +00:00
**Test if the IP table allows a packet through, for a specific table and chain**
2015-10-22 19:00:05 +00:00
.. code-block :: ruby
describe iptables(table:'mangle', chain: 'input') do
it { should have_rule('-P INPUT ACCEPT') }
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
json
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` json `` |inspec resource| to test data in a |json| file.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2016-04-16 11:47:41 +00:00
A `` json `` |inspec resource| block declares the data to be tested. Assume the following json file:
.. code-block :: json
{
"name" : "hello",
"meta" : {
"creator" : "John Doe"
2016-06-21 22:06:27 +00:00
},
"array": [
"zero",
"one"
]
2016-04-16 11:47:41 +00:00
}
This file can be queried via:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2016-09-15 20:27:44 +00:00
describe json('/path/to/name.json') do
2016-04-16 11:47:41 +00:00
its('name') { should eq 'hello' }
its(['meta','creator']) { should eq 'John Doe' }
2016-06-21 22:06:27 +00:00
its(['array', 1]) { should eq 'one' }
2015-10-19 16:05:10 +00:00
end
where
* `` name `` is a configuration setting in a |json| file
* `` should eq 'foo' `` tests a value of `` name `` as read from a |json| file versus the value declared in the test
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
name
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` name `` matcher tests the value of `` name `` as read from a |json| file versus the value declared in the test:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('name') { should eq 'foo' }
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
**Test a cookbook version in a policyfile.lock.json file**
.. code-block :: ruby
describe json('policyfile.lock.json') do
its('cookbook_locks.omnibus.version') { should eq('2.2.0') }
end
2015-10-22 04:13:17 +00:00
2015-10-26 09:41:10 +00:00
kernel_module
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` kernel_module `` |inspec resource| to test kernel modules on |linux| platforms. These parameters are located under `` /lib/modules `` . Any submodule may be tested using this resource.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` kernel_module `` |inspec resource| block declares a module name, and then tests if that module is a loadable kernel module:
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
.. code-block :: ruby
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
describe kernel_module('module_name') do
it { should be_loaded }
end
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
where
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
* `` 'module_name' `` must specify a kernel module, such as `` 'bridge' ``
* `` { should be_loaded } `` tests if the module is a loadable kernel module
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
be_loaded
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_loaded `` matcher tests if the module is a loadable kernel module:
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
.. code-block :: ruby
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
it { should be_loaded }
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
**Test if a module is loaded**
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
describe kernel_module('bridge') do
it { should be_loaded }
end
2015-10-20 16:52:34 +00:00
2015-10-20 21:04:07 +00:00
2015-10-26 09:41:10 +00:00
kernel_parameter
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-31 13:44:16 +00:00
Use the `` kernel_parameter `` |inspec resource| to test kernel parameters on |linux| platforms.
2015-10-20 21:04:07 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` kernel_parameter `` |inspec resource| block declares a parameter and then a value to be tested:
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
describe kernel_parameter('path.to.parameter') do
its('value') { should eq 0 }
end
where
2015-10-31 13:44:16 +00:00
* `` 'kernel.parameter' `` must specify a kernel parameter, such as `` 'net.ipv4.conf.all.forwarding' ``
2015-10-20 21:04:07 +00:00
* `` { should eq 0 } `` states the value to be tested
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-20 21:04:07 +00:00
2015-10-26 09:41:10 +00:00
value
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` value `` matcher tests the value assigned to the named IP address versus the value declared in the test:
2015-10-20 21:04:07 +00:00
.. code-block :: ruby
its('value') { should eq 0 }
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 21:04:07 +00:00
2015-10-26 09:41:10 +00:00
**Test if global forwarding is enabled for an IPv4 address**
2015-10-20 21:04:07 +00:00
.. code-block :: ruby
describe kernel_parameter('net.ipv4.conf.all.forwarding') do
2016-05-03 22:14:33 +00:00
its('value') { should eq 1 }
2015-10-20 21:04:07 +00:00
end
2015-10-26 09:41:10 +00:00
**Test if global forwarding is disabled for an IPv6 address**
2015-10-20 21:04:07 +00:00
.. code-block :: ruby
describe kernel_parameter('net.ipv6.conf.all.forwarding') do
2016-05-03 22:14:33 +00:00
its('value') { should eq 0 }
2015-10-20 21:04:07 +00:00
end
2015-10-26 09:41:10 +00:00
**Test if an IPv6 address accepts redirects**
2015-10-20 21:04:07 +00:00
.. code-block :: ruby
describe kernel_parameter('net.ipv6.conf.interface.accept_redirects') do
2016-05-03 22:14:33 +00:00
its('value') { should eq 'true' }
2015-10-20 21:04:07 +00:00
end
2015-10-26 09:41:10 +00:00
limits_conf
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` limits_conf `` |inspec resource| to test configuration settings in the `` /etc/security/limits.conf `` file. The `` limits.conf `` defines limits for processes (by user and/or group names) and helps ensure that the system on which those processes are running remains stable. Each process may be assigned a hard or soft limit.
2015-10-20 21:04:07 +00:00
* Soft limits are maintained by the shell and defines the number of file handles (or open files) available to the user or group after login
* Hard limits are maintained by the kernel and defines the maximum number of allowed file handles
Entries in the `` limits.conf `` file are similar to:
.. code-block :: bash
grantmc soft nofile 4096
grantmc hard nofile 63536
2015-10-26 09:41:10 +00:00
2015-10-20 21:04:07 +00:00
^^^^^^^^^ ^^^^ ^^^^^^ ^^^^^
domain type item value
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` limits_conf `` |inspec resource| block declares a domain to be tested, along with associated type, item, and value:
2015-10-20 21:04:07 +00:00
.. code-block :: ruby
describe limits_conf('path') do
its('domain') { should include ['type', 'item', 'value'] }
its('domain') { should eq ['type', 'item', 'value'] }
end
where
* `` ('path') `` is the non-default path to the `` inetd.conf `` file
* `` 'domain' `` is a user or group name, such as `` grantmc ``
* `` 'type' `` is either `` hard `` or `` soft ``
* `` 'item' `` is the item for which limits are defined, such as `` core `` , `` nofile `` , `` stack `` , `` nproc `` , `` priority `` , or `` maxlogins ``
* `` 'value' `` is the value associated with the `` item ``
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-20 21:04:07 +00:00
2015-10-26 09:41:10 +00:00
domain
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` domain `` matcher tests the domain in the `` limits.conf `` file, along with associated type, item, and value:
2015-10-20 21:04:07 +00:00
.. code-block :: ruby
its('domain') { should include ['type', 'item', 'value'] }
For example:
.. code-block :: ruby
its('grantmc') { should include ['hard', 'nofile', '63536'] }
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 21:04:07 +00:00
2015-10-26 09:41:10 +00:00
**Test * and ftp limits**
2015-10-20 21:04:07 +00:00
2015-10-30 11:28:40 +00:00
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
describe limits_conf('path') do
2015-10-31 13:44:16 +00:00
its('*') { should include ['soft', 'core', '0'] }
its('*') { should include ['hard', 'rss', '10000'] }
2015-10-20 21:04:07 +00:00
its('ftp') { should eq ['hard', 'nproc', '0'] }
end
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
login_defs
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` login_defs `` |inspec resource| to test configuration settings in the `` /etc/login.defs `` file. The `` logins.defs `` file defines site-specific configuration for the shadow password suite on |linux| and |unix| platforms, such as password expiration ranges, minimum/maximum values for automatic selection of user and group identifiers, or the method with which passwords are encrypted.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` login_defs `` |inspec resource| block declares the `` login.defs `` configuration data to be tested:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe login_defs do
its('name') { should include('foo') }
end
where
* `` name `` is a configuration setting in `` login.defs ``
* `` { should include('foo') } `` tests the value of `` name `` as read from `` login.defs `` versus the value declared in the test
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
name
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` name `` matcher tests the value of `` name `` as read from `` login.defs `` versus the value declared in the test:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('name') { should eq 'foo' }
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
**Test password expiration settings**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe login_defs do
its('PASS_MAX_DAYS') { should eq '180' }
its('PASS_MIN_DAYS') { should eq '1' }
its('PASS_MIN_LEN') { should eq '15' }
its('PASS_WARN_AGE') { should eq '30' }
end
2015-10-26 09:41:10 +00:00
**Test the encryption method**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe login_defs do
its('ENCRYPT_METHOD') { should eq 'SHA512' }
end
2015-10-27 21:20:33 +00:00
**Test umask and password expiration**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe login_def do
its('UMASK') { should eq '077' }
2015-10-27 16:47:55 +00:00
its('PASS_MAX_DAYS') { should eq '90' }
2015-10-19 16:05:10 +00:00
end
2015-12-31 00:11:06 +00:00
mount
=====================================================
Use the `` mount `` |inspec resource| to test the mountpoints on |linux| systems.
**Stability: Experimental**
Syntax
-----------------------------------------------------
An `` mount `` |inspec resource| block declares the synchronization settings that should be tested:
.. code-block :: ruby
describe mount('path') do
it { should MATCHER 'value' }
end
where
* `` ('path') `` is the path to the mounted directory
* `` MATCHER `` is a valid matcher for this |inspec resource|
* `` 'value' `` is the value to be tested
Matchers
-----------------------------------------------------
This |inspec resource| has the following matchers:
be_mounted
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` be_mounted `` matcher tests if the file is accessible from the file system:
.. code-block :: ruby
it { should be_mounted }
device
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` device `` matcher tests the device from the fstab table:
.. code-block :: ruby
its('device') { should eq '/dev/mapper/VolGroup-lv_root' }
type
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` type `` matcher tests the filesystem type:
.. code-block :: ruby
its('type') { should eq 'ext4' }
options
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` options `` matcher tests the mount options for the filesystem from the fstab table:
.. code-block :: ruby
its('options') { should eq ['rw', 'mode=620'] }
Examples
-----------------------------------------------------
The following examples show how to use this InSpec audit resource.
**Test a the mount point on '/'**
.. code-block :: ruby
describe mount('/') do
it { should be_mounted }
its('device') { should eq '/dev/mapper/VolGroup-lv_root' }
its('type') { should eq 'ext4' }
its('options') { should eq ['rw', 'mode=620'] }
end
2015-10-26 09:41:10 +00:00
mysql_conf
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-31 13:44:16 +00:00
Use the `` mysql_conf `` |inspec resource| to test the contents of the configuration file for |mysql|, typically located at `` /etc/mysql/my.cnf `` or `` /etc/my.cnf `` .
2015-10-20 21:04:07 +00:00
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` mysql_conf `` |inspec resource| block declares one (or more) settings in the `` my.cnf `` file, and then compares the setting in the configuration file to the value stated in the test:
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
.. code-block :: ruby
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
describe mysql_conf('path') do
its('setting') { should eq 'value' }
end
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
where
2015-10-20 16:52:34 +00:00
2015-10-27 21:20:33 +00:00
* `` 'setting' `` specifies a setting in the `` my.cnf `` file, such as `` max_connections ``
2015-10-20 21:04:07 +00:00
* `` ('path') `` is the non-default path to the `` my.cnf `` file
* `` should eq 'value' `` is the value that is expected
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-20 21:04:07 +00:00
2015-10-26 09:41:10 +00:00
setting
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` setting `` matcher tests specific, named settings in the `` my.cnf `` file:
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
its('setting') { should eq 'value' }
2015-10-20 16:52:34 +00:00
2015-10-20 21:04:07 +00:00
Use a `` setting `` matcher for each setting to be tested.
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 21:04:07 +00:00
2015-10-26 09:41:10 +00:00
**Test the maximum number of allowed connections**
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
describe mysql_conf do
its('max_connections') { should eq '505' }
its('max_user_connections') { should eq '500' }
end
2015-10-26 09:41:10 +00:00
**Test slow query logging**
2015-10-20 16:52:34 +00:00
2015-10-20 21:04:07 +00:00
.. code-block :: ruby
2015-10-20 16:52:34 +00:00
2015-10-20 21:04:07 +00:00
describe mysql_conf do
its('slow_query_log_file') { should eq 'hostname_slow.log' }
its('slow_query_log') { should eq '0' }
its('log_queries_not_using_indexes') { should eq '1' }
its('long_query_time') { should eq '0.5' }
its('min_examined_row_limit') { should eq '100' }
end
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
**Test the port and socket on which MySQL listens**
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
describe mysql_conf do
its('port') { should eq '3306' }
its('socket') { should eq '/var/run/mysqld/mysql.sock' }
end
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
**Test connection and thread variables**
2015-10-20 16:52:34 +00:00
2015-10-20 21:04:07 +00:00
.. code-block :: ruby
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
describe mysql_conf do
its('port') { should eq '3306' }
its('socket') { should eq '/var/run/mysqld/mysql.sock' }
its('max_allowed_packet') { should eq '12M' }
its('default_storage_engine') { should eq 'InnoDB' }
its('character_set_server') { should eq 'utf8' }
its('collation_server') { should eq 'utf8_general_ci' }
its('max_connections') { should eq '505' }
its('max_user_connections') { should eq '500' }
its('thread_cache_size') { should eq '505' }
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
**Test the safe-user-create parameter**
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
.. code-block :: ruby
describe mysql_conf.params('mysqld') do
its('safe-user-create') { should eq('1') }
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
mysql_session
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` mysql_session `` |inspec resource| to test SQL commands run against a |mysql| database.
2015-10-20 21:04:07 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` mysql_session `` |inspec resource| block declares the username and password to use for the session, and then the command to be run:
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-10-31 13:44:16 +00:00
describe mysql_session('username', 'password').query('QUERY') do
2015-10-20 21:04:07 +00:00
its('output') { should eq('') }
end
where
2015-10-20 16:52:34 +00:00
2015-10-31 13:44:16 +00:00
* `` mysql_session `` declares a username and password with permission to run the query
* `` query('QUERY') `` contains the query to be run
2015-10-20 21:04:07 +00:00
* `` its('output') { should eq('') } `` compares the results of the query against the expected result in the test
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
output
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` output `` matcher tests the results of the query:
2015-10-20 16:52:34 +00:00
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
its('output') { should eq(/^0/) }
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 21:04:07 +00:00
**Test for matching databases**
.. code-block :: ruby
sql = mysql_session('my_user','password')
2015-10-31 13:44:16 +00:00
describe sql.query('show databases like \'test\';') do
2016-05-03 22:14:33 +00:00
its('stdout') { should_not match(/test/) }
2015-10-20 21:04:07 +00:00
end
2015-10-20 16:52:34 +00:00
2015-10-26 09:41:10 +00:00
npm
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-31 13:44:16 +00:00
Use the `` npm `` |inspec resource| to test if a global |npm| package is installed. |npm| is the `the package manager for Nodejs packages <https://docs.npmjs.com> `__ , such as |bower| and |statsd|.
2015-10-20 01:25:25 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` npm `` |inspec resource| block declares a package and (optionally) a package version:
2015-10-19 21:14:20 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
describe gem('npm_package_name') do
it { should be_installed }
end
2015-10-19 21:14:20 +00:00
where
2015-10-20 01:25:25 +00:00
* `` ('npm_package_name') `` must specify a |npm| package, such as `` 'bower' `` or `` 'statsd' ``
2015-10-27 21:20:33 +00:00
* `` be_installed `` is a valid matcher for this |inspec resource|
2015-10-19 21:14:20 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
be_installed
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_installed `` matcher tests if the named |gem| package and package version (if specified) is installed:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
it { should be_installed }
2015-10-26 09:41:10 +00:00
version
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` version `` matcher tests if the named package version is on the system:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
its('version') { should eq '1.2.3' }
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 01:25:25 +00:00
**Verify that bower is installed, with a specific version**
.. code-block :: ruby
describe npm('bower') do
it { should be_installed }
2015-10-20 21:04:07 +00:00
its('version') { should eq '1.4.1' }
2015-10-20 01:25:25 +00:00
end
**Verify that statsd is not installed**
.. code-block :: ruby
describe npm('statsd') do
it { should_not be_installed }
end
2015-10-26 09:41:10 +00:00
ntp_conf
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` ntp_conf `` |inspec resource| to test the synchronization settings defined in the `` ntp.conf `` file. This file is typically located at `` /etc/ntp.conf `` .
2015-10-19 21:14:20 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
An `` ntp_conf `` |inspec resource| block declares the synchronization settings that should be tested:
2015-10-19 21:14:20 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
describe ntp_conf('path') do
2015-10-20 21:04:07 +00:00
its('setting_name') { should eq 'value' }
2015-10-20 01:25:25 +00:00
end
where
* `` 'setting_name' `` is a synchronization setting defined in the `` ntp.conf `` file
* `` ('path') `` is the non-default path to the `` ntp.conf `` file
* `` { should eq 'value' } `` is the value that is expected
2015-10-19 21:14:20 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
This |inspec resource| matches any service that is listed in the `` ntp.conf `` file:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
its('server') { should_not eq nil }
2015-10-20 01:25:25 +00:00
or:
2015-10-19 21:14:20 +00:00
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
2015-10-20 01:25:25 +00:00
For example:
.. code-block :: ruby
describe ntp_conf do
its('server') { should_not eq nil }
its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
end
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
**Test for clock drift against named servers**
2015-10-20 04:50:25 +00:00
.. code-block :: ruby
describe ntp_conf do
its('driftfile') { should eq '/var/lib/ntp/ntp.drift' }
its('server') { should eq [
0.ubuntu.pool.ntp.org,
1.ubuntu.pool.ntp.org,
2.ubuntu.pool.ntp.org
] }
end
2015-10-19 21:14:20 +00:00
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
oneget
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` oneget `` |inspec resource| to test if the named package and/or package version is installed on the system. This resource uses |oneget|, which is `part of the Windows Management Framework 5.0 and Windows 10 <https://github.com/OneGet/oneget> `__ . This resource uses the `` Get-Package `` cmdlet to return all of the package names in the |oneget| repository.
2015-10-20 01:25:25 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` oneget `` |inspec resource| block declares a package and (optionally) a package version:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-19 21:14:20 +00:00
2015-10-20 01:25:25 +00:00
describe oneget('name') do
it { should be_installed }
end
where
* `` ('name') `` must specify the name of a package, such as `` 'VLC' ``
2015-10-27 21:20:33 +00:00
* `` be_installed `` is a valid matcher for this |inspec resource|
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 21:14:20 +00:00
2015-10-26 09:41:10 +00:00
be_installed
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_installed `` matcher tests if the named package is installed on the system:
2015-10-19 21:14:20 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
it { should be_installed }
2015-10-19 21:14:20 +00:00
2015-10-26 09:41:10 +00:00
version
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` version `` matcher tests if the named package version is on the system:
2015-10-19 21:14:20 +00:00
.. code-block :: ruby
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
its('version') { should eq '1.2.3' }
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
**Test if VLC is installed**
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-19 16:05:10 +00:00
2015-11-02 08:55:05 +00:00
describe oneget('VLC') do
2015-10-20 01:25:25 +00:00
it { should be_installed }
end
2015-10-26 09:41:10 +00:00
os
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` os `` |inspec resource| to test the platform on which the system is running.
2015-10-19 21:14:20 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` os `` |inspec resource| block declares the platform to be tested:
2015-10-19 16:05:10 +00:00
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-19 16:05:10 +00:00
2015-11-07 11:56:01 +00:00
describe os[:family] do
2015-10-20 01:25:25 +00:00
it { should eq 'platform' }
end
2015-10-19 16:05:10 +00:00
2015-10-20 01:25:25 +00:00
where
2015-10-19 16:05:10 +00:00
2016-08-19 17:56:12 +00:00
* `` 'family' `` is one of `` aix `` , `` bsd `` , `` debian `` , `` hpux `` , `` linux `` , `` redhat `` , `` solaris `` , `` suse `` , `` unix `` , or `` windows ``
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource does not have any matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
**Test for RedHat**
2015-10-19 16:05:10 +00:00
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-19 16:05:10 +00:00
2015-11-07 11:56:01 +00:00
describe os[:family] do
2015-10-20 01:25:25 +00:00
it { should eq 'redhat' }
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
**Test for Ubuntu**
2015-10-19 16:05:10 +00:00
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-19 16:05:10 +00:00
2015-11-07 11:56:01 +00:00
describe os[:family] do
2015-10-20 01:25:25 +00:00
it { should eq 'debian' }
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
**Test for Microsoft Windows**
2015-10-19 16:05:10 +00:00
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-19 16:05:10 +00:00
2015-11-07 11:56:01 +00:00
describe os[:family] do
2015-10-20 01:25:25 +00:00
it { should eq 'windows' }
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
os_env
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` os_env `` |inspec resource| to test the environment variables for the platform on which the system is running.
2015-10-20 01:25:25 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` os_env `` |inspec resource| block declares an environment variable, and then declares its value:
2015-10-19 20:44:20 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
describe os_env('VARIABLE') do
its('matcher') { should eq 1 }
end
2015-10-19 20:44:20 +00:00
where
2015-10-20 01:25:25 +00:00
* `` ('VARIABLE') `` must specify an environment variable, such as `` PATH ``
2015-10-27 21:20:33 +00:00
* `` matcher `` is a valid matcher for this InSpec resource
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-20 01:25:25 +00:00
2015-10-31 13:44:16 +00:00
content
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-31 13:44:16 +00:00
The `` content `` matcher return the value of the environment variable:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-31 13:44:16 +00:00
its('content') { should eq '/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin' }
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
split
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-31 13:44:16 +00:00
The `` split `` splits the content with the `` : ` `` deliminator:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
its('split') { should include ('') }
2015-10-20 01:25:25 +00:00
or:
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
its('split') { should_not include ('.') }
2015-10-20 01:25:25 +00:00
Use `` -1 `` to test for cases where there is a trailing colon (`` : `` ), such as `` dir1::dir2: `` :
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
its('split') { should include ('-1') }
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
**Test the PATH environment variable**
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-30 13:37:00 +00:00
describe os_env('PATH') do
2015-10-20 21:04:07 +00:00
its('split') { should_not include('') }
its('split') { should_not include('.') }
2015-10-20 01:25:25 +00:00
end
2015-10-19 20:44:20 +00:00
2015-10-26 09:41:10 +00:00
package
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` package `` |inspec resource| to test if the named package and/or package version is installed on the system.
2015-10-19 20:44:20 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` package `` |inspec resource| block declares a package and (optionally) a package version:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
describe package('name') do
it { should be_installed }
end
where
* `` ('name') `` must specify the name of a package, such as `` 'nginx' ``
2015-10-27 21:20:33 +00:00
* `` be_installed `` is a valid matcher for this |inspec resource|
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
be_installed
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_installed `` matcher tests if the named package is installed on the system:
2015-10-19 20:44:20 +00:00
.. code-block :: ruby
it { should be_installed }
2015-10-26 09:41:10 +00:00
version
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` version `` matcher tests if the named package version is on the system:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-11-03 16:03:30 +00:00
its('version') { should eq '1.2.3' }
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
**Test if nginx version 1.9.5 is installed**
2015-10-19 20:44:20 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
describe package('nginx') do
it { should be_installed }
2015-10-20 21:04:07 +00:00
its('version') { should eq 1.9.5 }
2015-10-20 01:25:25 +00:00
end
2015-10-19 20:44:20 +00:00
2015-10-26 09:41:10 +00:00
**Test that a package is not installed**
2015-10-19 20:44:20 +00:00
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
describe package('some_package') do
it { should_not be_installed }
end
2015-10-19 20:44:20 +00:00
2015-10-26 09:41:10 +00:00
**Test if telnet is installed**
2015-10-19 20:44:20 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
describe package('telnetd') do
it { should_not be_installed }
end
2015-10-26 09:41:10 +00:00
2015-10-20 01:25:25 +00:00
describe inetd_conf do
its('telnet') { should eq nil }
end
2015-10-19 16:05:10 +00:00
2015-10-20 01:25:25 +00:00
**Test if ClamAV (an antivirus engine) is installed and running**
2015-10-19 20:44:20 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
describe package('clamav') do
it { should be_installed }
its('version') { should eq '0.98.7' }
end
2015-10-26 09:41:10 +00:00
2015-10-20 01:25:25 +00:00
describe service('clamd') do
it { should_not be_enabled }
it { should_not be_installed }
it { should_not be_running }
end
2015-10-19 20:44:20 +00:00
2015-10-26 09:41:10 +00:00
parse_config
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` parse_config `` |inspec resource| to test arbitrary configuration files.
2015-10-19 20:44:20 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` parse_config `` |inspec resource| block declares the location of the configuration setting to be tested, and then what value is to be tested. Because this |inspec resource| relies on arbitrary configuration files, the test itself is often arbitrary and relies on custom |ruby| code:
2015-10-19 16:05:10 +00:00
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-19 16:05:10 +00:00
2015-10-20 01:25:25 +00:00
output = command('some-command').stdout
2015-10-26 09:41:10 +00:00
2015-10-20 01:25:25 +00:00
describe parse_config(output, { data_config_option: value } ) do
its('setting') { should eq 1 }
end
2015-10-19 16:05:10 +00:00
2015-10-20 01:25:25 +00:00
or:
2015-10-19 16:05:10 +00:00
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
audit = command('/sbin/auditctl -l').stdout
options = {
assignment_re: /^\s*([^:]* ?)\s*:\s* (.*?)\s* $/,
multiple_values: true
}
2015-10-26 09:41:10 +00:00
2015-10-20 01:25:25 +00:00
describe parse_config(audit, options) do
its('setting') { should eq 1 }
end
where each test
* Must declare the location of the configuration file to be tested
* Must declare one (or more) settings to be tested
* May run a command to `` stdout `` , and then run the test against that output
* May use options to define how configuration data is to be parsed
2015-10-26 09:41:10 +00:00
Options
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
This |inspec resource| supports the following options for parsing configuration data. Use them in an `` options `` block stated outside of (and immediately before) the actual test:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
options = {
assignment_re: /^\s*([^:]* ?)\s*:\s* (.*?)\s* $/,
multiple_values: true
}
describe parse_config(options) do
its('setting') { should eq 1 }
end
2015-10-26 09:41:10 +00:00
assignment_re
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
Use `` assignment_re `` to test a key value using a regular expression:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
'key = value'
may be tested using the following regular expression, which determines assignment from key to value:
.. code-block :: ruby
assignment_re: /^\s*([^=]* ?)\s*=\s* (.*?)\s* $/
2015-10-26 09:41:10 +00:00
comment_char
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
Use `` comment_char `` to test for comments in a configuration file:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
comment_char: '#'
2015-10-26 09:41:10 +00:00
key_vals
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
Use `` key_vals `` to test how many values a key contains:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
key = a b c
contains three values. To test that value to ensure it only contains one, use:
.. code-block :: ruby
key_vals: 1
2015-10-26 09:41:10 +00:00
multiple_values
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-31 16:43:40 +00:00
Use `` multiple_values `` if the source file uses the same key multiple times. All values will be aggregated in an array:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-31 16:43:40 +00:00
# # file structure:
# key = a
# key = b
# key2 = c
2015-10-20 01:25:25 +00:00
params['key'] = ['a', 'b']
2015-10-31 16:43:40 +00:00
params['key2'] = ['c']
2015-10-20 01:25:25 +00:00
2015-10-31 16:43:40 +00:00
To use plain key value mapping, use `` multiple_values: false `` :
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-31 16:43:40 +00:00
# # file structure:
# key = a
# key = b
# key2 = c
2015-10-20 01:25:25 +00:00
params['key'] = 'b'
2015-10-31 16:43:40 +00:00
params['key2'] = 'c'
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
standalone_comments
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-31 16:43:40 +00:00
Use `` standalone_comments `` to parse comments as a line , otherwise inline comments are allowed:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
'key = value # comment'
params['key'] = 'value # comment'
2015-10-31 16:43:40 +00:00
Use `` standalone_comments: false `` , to parse the following:
2015-10-20 01:25:25 +00:00
2015-10-31 16:43:40 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
2015-11-02 08:55:05 +00:00
'key = value # comment'
params['key'] = 'value'
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
**Test the expiration time for new account passwords**
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
output = command('useradd -D').stdout
2015-10-26 09:41:10 +00:00
2015-10-20 01:25:25 +00:00
describe parse_config(output) do
2015-10-27 16:47:55 +00:00
its('INACTIVE') { should eq '35' }
2015-10-20 01:25:25 +00:00
end
2015-10-26 09:41:10 +00:00
**Test that bob is a user**
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
describe parse_config(data, { multiple_values: true }) do
its('users') { should include 'bob'}
end
2015-10-26 09:41:10 +00:00
parse_config_file
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-31 16:43:40 +00:00
Use the `` parse_config_file `` InSpec audit resource to test arbitrary configuration files. It works identiacal to `` parse_config `` . Instead of using a command output, this resource works with files.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-31 16:43:40 +00:00
A `` parse_config_file `` InSpec audit resource block declares the location of the configuration file to be tested, and then which settings in that file are to be tested.
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-27 16:49:58 +00:00
describe parse_config_file('/path/to/file', { data_config_option: value } ) do
2015-10-20 01:25:25 +00:00
its('setting') { should eq 1 }
end
or:
.. code-block :: ruby
2015-10-27 16:49:58 +00:00
options = {
assignment_re: /^\s*([^:]* ?)\s*:\s* (.*?)\s* $/,
multiple_values: true
}
2015-10-26 09:41:10 +00:00
2015-10-27 16:49:58 +00:00
describe parse_config_file('path/to/file', options) do
2015-10-20 01:25:25 +00:00
its('setting') { should eq 1 }
end
where each test
* Must declare the location of the configuration file to be tested
* Must declare one (or more) settings to be tested
* May run a command to `` stdout `` , and then run the test against that output
* May use options to define how configuration data is to be parsed
2015-10-27 21:20:33 +00:00
Options
-----------------------------------------------------
This |inspec resource| supports the following options for parsing configuration data. Use them in an `` options `` block stated outside of (and immediately before) the actual test:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-27 21:20:33 +00:00
options = {
assignment_re: /^\s*([^:]* ?)\s*:\s* (.*?)\s* $/,
multiple_values: true
}
2015-10-31 16:43:40 +00:00
describe parse_config_file('path/to/file', options) do
2015-10-20 01:25:25 +00:00
its('setting') { should eq 1 }
end
2015-10-27 21:20:33 +00:00
assignment_re
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-31 16:43:40 +00:00
Use `` assignment_re `` to parse a key value using a regular expression:
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-27 21:20:33 +00:00
'key = value'
2015-10-31 16:43:40 +00:00
may be parsed using the following regular expression, which determines assignment from key to value:
2015-10-20 01:25:25 +00:00
2015-10-27 21:20:33 +00:00
.. code-block :: ruby
2015-10-20 01:25:25 +00:00
2015-10-27 21:20:33 +00:00
assignment_re: /^\s*([^=]* ?)\s*=\s* (.*?)\s* $/
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
comment_char
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-31 16:43:40 +00:00
Use `` comment_char `` to parse for comments in a configuration file:
2015-10-27 21:20:33 +00:00
.. code-block :: ruby
comment_char: '#'
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
key_vals
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-31 16:43:40 +00:00
Use `` key_vals `` to parse how many values a key contains:
2015-10-27 21:20:33 +00:00
.. code-block :: ruby
key = a b c
contains three values. To test that value to ensure it only contains one, use:
.. code-block :: ruby
key_vals: 1
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
multiple_values
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-31 16:43:40 +00:00
Use `` multiple_values `` if the source file uses the same key multiple times. All values will be aggregated in an array:
2015-10-27 21:20:33 +00:00
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
# # file structure:
# key = a
# key = b
# key2 = c
params['key'] = ['a', 'b']
params['key2'] = ['c']
2015-10-27 21:20:33 +00:00
2015-10-31 16:43:40 +00:00
To use plain key value mapping, use `` multiple_values: false `` :
2015-10-27 21:20:33 +00:00
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
# # file structure:
# key = a
# key = b
# key2 = c
params['key'] = 'b'
params['key2'] = 'c'
2015-10-27 21:20:33 +00:00
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
standalone_comments
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-31 16:43:40 +00:00
Use `` standalone_comments `` to parse comments as a line , otherwise inline comments are allowed:
2015-10-27 21:20:33 +00:00
.. code-block :: ruby
'key = value # comment'
params['key'] = 'value # comment'
2015-10-31 16:43:40 +00:00
Use `` standalone_comments: false `` , to parse the following:
2015-10-27 21:20:33 +00:00
2015-10-31 16:43:40 +00:00
.. code-block :: ruby
2015-10-27 21:20:33 +00:00
2015-10-31 16:43:40 +00:00
'key = value # comment'
params['key'] = 'value'
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
**Test a configuration setting**
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
describe parse_config_file('/path/to/file.conf') do
2015-11-02 08:55:05 +00:00
its('PARAM_X') { should eq 'Y' }
2015-10-20 01:25:25 +00:00
end
2015-10-26 09:41:10 +00:00
**Use options, and then test a configuration setting**
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
describe parse_config_file('/path/to/file.conf', { multiple_values: true }) do
2015-11-02 08:55:05 +00:00
its('PARAM_X') { should include 'Y' }
2015-10-20 01:25:25 +00:00
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
passwd
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` passwd `` |inspec resource| to test the contents of `` /etc/passwd `` , which contains the following information for users that may log into the system and/or as users that own running processes. The format for `` /etc/passwd `` includes:
2015-10-19 16:05:10 +00:00
* A username
2015-10-31 16:43:40 +00:00
* The password for that user (on newer systems passwords should be stored in `` /etc/shadow `` )
2015-10-19 16:05:10 +00:00
* The user identifier (UID) assigned to that user
* The group identifier (GID) assigned to that user
* Additional information about that user
* That user's home directory
* That user's default command shell
2015-10-22 04:13:17 +00:00
defined as a colon-delimited row in the file, one row per user:
2015-10-19 16:05:10 +00:00
.. code-block :: bash
root:x:1234:5678:additional_info:/home/dir/:/bin/bash
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` passwd `` |inspec resource| block declares one (or more) users and associated user information to be tested:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe passwd do
2016-05-03 22:14:33 +00:00
its('users') { should_not include 'forbidden_user' }
2015-10-19 16:05:10 +00:00
end
2016-02-18 10:39:12 +00:00
describe passwd.uid(0) do
2016-05-03 22:14:33 +00:00
its('users') { should cmp 'root' }
its('count') { should eq 1 }
2015-10-31 16:43:40 +00:00
end
2015-10-19 16:05:10 +00:00
where
2016-02-18 10:39:12 +00:00
* `` users `` , `` uids `` , `` gids `` , `` passwords `` , `` homes `` , and `` shells `` are valid accessors for `` passwd ``
* All of these matchers can be given an argument to filter by, for example: `` passwd.users(/name/) ``
* There is an explicit method to filter by (`` filter `` ) which can take multiple arguments at once
* `` count `` retrieves the number of entries
* `` lines `` provides raw passwd lines
* `` params `` returns an array of maps for all entries
2015-10-19 16:05:10 +00:00
2015-10-31 16:43:40 +00:00
Matchers for `` passwd ``
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-27 21:20:33 +00:00
gids
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-27 21:20:33 +00:00
The `` gids `` matcher tests if the group indentifiers in the test match group identifiers in `` /etc/passwd `` :
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2016-02-18 10:39:12 +00:00
its('gids') { should include 1234 }
its('gids') { should cmp 0 }
2015-10-19 16:05:10 +00:00
2015-10-27 21:20:33 +00:00
passwords
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-27 21:20:33 +00:00
The `` passwords `` matcher tests if passwords are
* Encrypted
* Have direct logins disabled, as indicated by an asterisk (`` * `` )
* In the `` /etc/shadow `` file, as indicated by the letter x (`` x `` )
For example:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2016-02-18 10:39:12 +00:00
its('passwords') { should eq ['x'] }
its('passwords') { should cmp '*' }
2015-10-19 16:05:10 +00:00
2015-10-31 16:43:40 +00:00
uids
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-31 16:43:40 +00:00
The `` uids `` matcher tests if the user indentifiers in the test match user identifiers in `` /etc/passwd `` :
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-10-31 16:43:40 +00:00
its('uids') { should eq ['1234', '1235'] }
2015-10-19 16:05:10 +00:00
2016-02-18 10:39:12 +00:00
users
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2016-02-18 10:39:12 +00:00
The `` users `` matcher tests if the usernames in the test match usernames in `` /etc/passwd `` :
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2016-02-18 10:39:12 +00:00
its('users') { should_not include 'www-data' }
2015-10-31 16:43:40 +00:00
count
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2016-02-18 10:39:12 +00:00
The `` count `` matcher tests the number of entries in `` /etc/passwd `` . It becomes especially useful in conjunction combination with filters:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2016-02-18 10:39:12 +00:00
describe passwd.users('highlander') do
its('count') { should eq 1 }
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-10-27 21:20:33 +00:00
**Test usernames and UIDs**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe passwd do
2016-02-18 10:39:12 +00:00
its('users') { should eq ['root', 'www-data'] }
2015-10-31 16:43:40 +00:00
its('uids') { should eq [0, 33] }
2015-10-19 16:05:10 +00:00
end
2015-10-31 16:43:40 +00:00
**Select one user and test for multiple occurances in passwd**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2016-02-18 10:39:12 +00:00
describe passwd.uids(0) do
its('users') { should cmp 'root' }
2015-10-20 21:04:07 +00:00
its('count') { should eq 1 }
2015-10-19 16:05:10 +00:00
end
2016-02-18 10:39:12 +00:00
describe passwd.filter(user: 'www-data') do
its('uids') { should cmp 33 }
2015-10-31 16:43:40 +00:00
its('count') { should eq 1 }
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
pip
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` pip `` |inspec resource| to test packages that are installed using the |pip| installer.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` pip `` |inspec resource| block declares a package and (optionally) a package version:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe pip('Jinja2') do
it { should be_installed }
end
where
* `` 'Jinja2' `` is the name of the package
* `` be_installed `` tests to see if the `` Jinja2 `` package is installed
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
be_installed
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_installed `` matcher tests if the named package is installed on the system:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
it { should be_installed }
2015-10-26 09:41:10 +00:00
version
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` version `` matcher tests if the named package version is on the system:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
its('version') { should eq '1.2.3' }
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
**Test if Jinja2 is installed on the system**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe pip('Jinja2') do
it { should be_installed }
end
2015-10-26 09:41:10 +00:00
**Test if Jinja2 2.8 is installed on the system**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe pip('Jinja2') do
it { should be_installed }
2015-10-20 21:04:07 +00:00
its('version') { should eq '2.8' }
2015-10-19 16:05:10 +00:00
end
2015-10-26 09:41:10 +00:00
port
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` port `` |inspec resource| to test basic port properties, such as port, process, if it's listening.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` port `` |inspec resource| block declares a port, and then depending on what needs to be tested, a process, protocol, process identifier, and its state (is it listening?):
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe port(514) do
it { should be_listening }
2015-12-08 13:09:26 +00:00
its('processes') {should include 'syslog'}
2015-10-19 16:05:10 +00:00
end
2015-12-08 13:09:26 +00:00
where the `` processes `` returns the processes listening on port 514.
2015-10-19 16:05:10 +00:00
2016-08-18 16:29:23 +00:00
or:
.. code-block :: ruby
describe port.where { protocol =~ /tcp/ && port > 22 && port < 80 } do
it { should_not be_listening }
end
where
* `` .where{} `` may specify a block to filter on attributes: port, address, protocol, process, pid, listening?
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
be_listening
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_listening `` matcher tests if the port is listening for traffic:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
it { should be_listening }
2015-10-26 09:41:10 +00:00
pid
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-12-08 13:09:26 +00:00
The `` pids `` matcher tests the process identifier (PID):
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-12-08 13:09:26 +00:00
its('pids') { should eq ['27808'] }
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
process
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-12-08 13:09:26 +00:00
The `` processes `` matcher tests if the named process is running on the system:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-12-08 13:09:26 +00:00
its('processes') { should eq ['syslog'] }
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
protocol
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-12-08 13:09:26 +00:00
The `` protocols `` matcher tests the Internet protocol: |icmp| (`` 'icmp' `` ), |tcp| (`` 'tcp' `` or `` 'tcp6' `` ), or |udp| (`` 'udp' `` or `` 'udp6' `` ):
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-12-08 13:09:26 +00:00
its('protocols') { should eq ['tcp'] }
2015-10-19 16:05:10 +00:00
or for the |ipv6| protocol:
.. code-block :: ruby
2015-12-08 13:09:26 +00:00
its('protocols') { should eq ['tcp6'] }
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
**Test port 80, listening with the TCP protocol**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe port(80) do
it { should be_listening }
2015-12-08 13:09:26 +00:00
its('protocols') {should eq ['tcp']}
2015-10-19 16:05:10 +00:00
end
2015-10-26 09:41:10 +00:00
**Test port 80, listening with TCP version IPv6 protocol**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe port(80) do
it { should be_listening }
2015-12-08 13:09:26 +00:00
its('protocols') {should eq ['tcp6']}
2015-10-19 16:05:10 +00:00
end
2015-10-31 16:49:58 +00:00
**Test ports for HTTPs**
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
describe port(80) do
it { should_not be_listening }
end
2015-10-26 09:41:10 +00:00
2015-10-20 01:25:25 +00:00
describe port(443) do
it { should be_listening }
2015-12-08 13:09:26 +00:00
its('protocols') {should eq ['tcp']}
end
**Test port 80 on a specific address**
This check can be implemented in two equivalent ways:
.. code-block :: ruby
describe port(80) do
it { should be_listening }
its('addresses') {should include '0.0.0.0'}
end
describe port('0.0.0.0', 80) do
it { should be_listening }
2015-10-20 01:25:25 +00:00
end
2015-10-26 09:41:10 +00:00
2016-08-18 16:29:23 +00:00
**Test that no ports above 80 are listening**
.. code-block :: ruby
describe port.where { protocol =~ /tcp/ && port > 80 } do
it { should_not be_listening }
end
**Tests that only httpd and sshd are listening**
describe port.where { listening? } do
its('processes') { should contain_exactly('sshd','httpd') }
end
2015-10-26 09:41:10 +00:00
postgres_conf
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` postgres_conf `` |inspec resource| to test the contents of the configuration file for |postgresql|, typically located at `` /etc/postgresql/<version>/main/postgresql.conf `` or `` /var/lib/postgres/data/postgresql.conf `` , depending on the platform.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` postgres_conf `` |inspec resource| block declares one (or more) settings in the `` postgresql.conf `` file, and then compares the setting in the configuration file to the value stated in the test:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe postgres_conf('path') do
its('setting') { should eq 'value' }
end
where
* `` 'setting' `` specifies a setting in the `` postgresql.conf `` file
2015-10-31 17:15:10 +00:00
* `` ('path') `` is the non-default path to the `` postgresql.conf `` file (optional)
2015-10-19 16:05:10 +00:00
* `` should eq 'value' `` is the value that is expected
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
setting
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` setting `` matcher tests specific, named settings in the `` postgresql.conf `` file:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('setting') { should eq 'value' }
Use a `` setting `` matcher for each setting to be tested.
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
**Test the maximum number of allowed client connections**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe postgres_conf do
its('max_connections') { should eq '5' }
end
2015-10-26 09:41:10 +00:00
**Test system logging**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe postgres_conf do
its('logging_collector') { should eq 'on' }
its('log_connections') { should eq 'on' }
its('log_disconnections') { should eq 'on' }
its('log_duration') { should eq 'on' }
its('log_hostname') { should eq 'on' }
its('log_line_prefix') { should eq '%t %u %d %h' }
end
2015-10-26 09:41:10 +00:00
**Test the port on which PostgreSQL listens**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe postgres_conf do
its('port') { should eq '5432' }
end
2015-10-26 09:41:10 +00:00
**Test the Unix socket settings**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe postgres_conf do
its('unix_socket_directories') { should eq '.s.PGSQL.5432' }
its('unix_socket_group') { should eq nil }
its('unix_socket_permissions') { should eq '0770' }
end
where `` unix_socket_group `` is set to the |postgresql| default setting (the group to which the server user belongs).
2015-10-26 09:41:10 +00:00
postgres_session
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` postgres_session `` |inspec resource| to test SQL commands run against a |postgresql| database.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` postgres_session `` |inspec resource| block declares the username and password to use for the session, and then the command to be run:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
sql = postgres_session('username', 'password')
2015-10-26 16:21:37 +00:00
describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
2015-10-19 16:05:10 +00:00
its('output') { should eq('') }
end
where
* `` sql = postgres_session `` declares a username and password with permission to run the query
2015-10-26 16:23:43 +00:00
* `` sql.query('') `` contains the query to be run
2015-10-19 16:05:10 +00:00
* `` its('output') { should eq('') } `` compares the results of the query against the expected result in the test
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
output
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` output `` matcher tests the results of the query:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-10-20 21:04:07 +00:00
its('output') { should eq(/^0/) }
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
**Test the PostgreSQL shadow password**
.. code-block :: ruby
sql = postgres_session('my_user', 'password')
2015-10-26 16:21:37 +00:00
describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
2015-10-20 21:04:07 +00:00
its('output') { should eq('') }
2015-10-19 16:05:10 +00:00
end
2015-10-26 09:41:10 +00:00
**Test for risky database entries**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
2015-10-31 17:15:10 +00:00
describe postgres_session('my_user', 'password').query('SELECT count (*)
2016-07-05 20:53:57 +00:00
FROM pg_language
WHERE lanpltrusted = \'f\'
AND lanname!=\'internal\'
AND lanname!=\'c\';') do
its('output') { should eq '0' }
2015-10-19 16:05:10 +00:00
end
2016-03-18 11:29:36 +00:00
powershell
=====================================================
Use the `` powershell `` |inspec resource| to test a |powershell| script on the |windows| platform.
**Stability: Experimental**
Syntax
-----------------------------------------------------
A `` powershell `` |inspec resource| block declares a script to be tested, and then a command that should be part of that script:
.. code-block :: ruby
script = <<-EOH
# you powershell script
EOH
describe powershell(script) do
its('matcher') { should eq 'output' }
end
where
* `` 'script' `` must specify a Powershell script to be run
* `` 'matcher' `` is one of `` exit_status `` , `` stderr `` , or `` stdout ``
* `` 'output' `` tests the output of the command run on the system versus the output value stated in the test
Matchers
-----------------------------------------------------
This InSpec audit resource has the following matchers.
exit_status
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` exit_status `` matcher tests the exit status for the command:
.. code-block :: ruby
its('exit_status') { should eq 123 }
stderr
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` stderr `` matcher tests results of the command as returned in standard error (stderr):
.. code-block :: ruby
its('stderr') { should eq 'error' }
stdout
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` stdout `` matcher tests results of the command as returned in standard output (stdout):
.. code-block :: ruby
its('stdout') { should eq '/^1$/' }
Examples
-----------------------------------------------------
The following examples show how to use this InSpec audit resource.
**Get all groups of Administrator user**
.. code-block :: ruby
myscript = <<-EOH
# find user
$user = Get-WmiObject Win32_UserAccount -filter "Name = 'Administrator'"
# get related groups
$groups = $user.GetRelated('Win32_Group') | Select-Object -Property Caption, Domain, Name, LocalAccount, SID, SIDType, Status
$groups | ConvertTo-Json
EOH
describe script(myscript) do
its('stdout') { should_not eq '' }
end
2015-10-26 09:41:10 +00:00
processes
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` processes `` |inspec resource| to test properties for programs that are running on the system.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` processes `` |inspec resource| block declares the name of the process to be tested, and then declares one (or more) property/value pairs:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe processes('process_name') do
its('property_name') { should eq 'property_value' }
end
where
* `` processes('process_name') `` must specify the name of a process that is running on the system
2015-12-07 08:39:48 +00:00
* The `` user `` and `` state `` properties may be tested; they are exposed via `` users `` and `` states `` , respectively.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
property_name
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` property_name `` matcher tests the named property for the specified value:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('property_name') { should eq 'property_value' }
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-11-02 08:55:05 +00:00
.. The title for the example below needs to be clarified, then it can be uncommented
2015-11-18 20:27:07 +00:00
..
2015-11-02 08:55:05 +00:00
.. **Test for multiple instances of Nginx**
2015-11-18 20:27:07 +00:00
..
2015-11-02 08:55:05 +00:00
.. .. code-block:: ruby
2015-11-18 20:27:07 +00:00
..
2015-11-02 08:55:05 +00:00
.. describe processes('postgres') do
.. its('list.length') { should be(1) }
.. end
2015-11-18 20:27:07 +00:00
..
2015-10-31 12:58:53 +00:00
**Test for multiple instances of mysqld**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe processes('mysqld') do
2015-10-31 12:58:53 +00:00
its('list.length') { should eq 1 }
2015-10-19 16:05:10 +00:00
end
2015-10-26 09:41:10 +00:00
**Test if the init process is owned by the root user**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe processes('init') do
2015-12-07 08:39:48 +00:00
its('users') { should eq ['root'] }
2015-10-19 16:05:10 +00:00
end
2015-10-26 09:41:10 +00:00
**Test if a high-priority process is running**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe processes('some_process') do
2015-12-07 08:39:48 +00:00
its('states') { should eq ['R<'] }
2015-10-19 16:05:10 +00:00
end
2015-10-26 09:41:10 +00:00
registry_key
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` registry_key `` |inspec resource| to test key values in the |windows| registry.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` registry_key `` |inspec resource| block declares the item in the |windows| registry, the path to a setting under that item, and then one (or more) name/value pairs to be tested:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe registry_key('registry_item', 'path\to\key') do
its('name') { should eq 'value' }
end
2015-10-31 17:15:10 +00:00
describe registry_key('path\to\key') do
its('name') { should eq 'value' }
end
2015-10-19 16:05:10 +00:00
where
2015-10-31 17:15:10 +00:00
* `` 'registry_item' `` is a key in the |windows| registry (optional)
2015-10-19 16:05:10 +00:00
* `` 'path\to\key' `` is the path in the |windows| registry
* `` ('name') `` and `` 'value' `` represent the name of the key and the value assigned to that key
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
name
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` name `` matcher tests the value for the specified registry setting:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('name') { should eq 'value' }
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
**Test the start time for the Schedule service**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\...\Schedule') do
its('Start') { should eq 2 }
end
where `` 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule' `` is the full path to the setting.
2015-10-26 09:41:10 +00:00
security_policy
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` security_policy `` |inspec resource| to test security policies on the |windows| platform.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` security_policy `` |inspec resource| block declares the name of a security policy and the value to be tested:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe security_policy do
its('policy_name') { should eq 'value' }
end
where
* `` 'policy_name' `` must specify a security policy
* `` { should eq 'value' } `` tests the value of `` policy_name `` against the value declared in the test
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
policy_name
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` policy_name `` matcher must be the name of a security policy:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('SeNetworkLogonRight') { should eq '*S-1-5-11' }
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
**Verify that only the Administrators group has remote access**
.. code-block :: ruby
describe security_policy do
its('SeRemoteInteractiveLogonRight') { should eq '*S-1-5-32-544' }
end
2015-10-26 09:41:10 +00:00
service
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` service `` |inspec resource| to test if the named service is installed, running and/or enabled.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` service `` |inspec resource| block declares the name of a service and then one (or more) matchers to test the state of the service:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe service('service_name') do
it { should be_installed }
it { should be_enabled }
it { should be_running }
end
2015-10-19 21:15:11 +00:00
where
2015-10-20 01:25:25 +00:00
* `` ('service_name') `` must specify a service name
2015-10-27 21:20:33 +00:00
* `` be_installed `` , `` be_enabled `` , and `` be_running `` are valid matchers for this |inspec resource|
2015-10-19 21:15:11 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
be_enabled
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_enabled `` matcher tests if the named service is enabled:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
it { should be_enabled }
2015-10-26 09:41:10 +00:00
be_installed
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_installed `` matcher tests if the named service is installed:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
it { should be_installed }
2015-10-26 09:41:10 +00:00
be_running
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_running `` matcher tests if the named service is running:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
it { should be_running }
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
**Test if the postgresql service is both running and enabled**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe service('postgresql') do
it { should be_enabled }
it { should be_running }
end
2015-10-26 09:41:10 +00:00
**Test if the mysql service is both running and enabled**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe service('mysqld') do
it { should be_enabled }
it { should be_running }
end
2015-10-20 01:25:25 +00:00
**Test if ClamAV (an antivirus engine) is installed and running**
2015-10-19 21:15:11 +00:00
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
describe package('clamav') do
it { should be_installed }
its('version') { should eq '0.98.7' }
end
2015-10-26 09:41:10 +00:00
2015-10-20 01:25:25 +00:00
describe service('clamd') do
it { should_not be_enabled }
it { should_not be_installed }
it { should_not be_running }
end
2015-10-19 21:15:11 +00:00
2015-10-19 16:05:10 +00:00
2016-02-17 10:41:53 +00:00
**Test the runlevels for Sys-V services**
On targets using Sys-V services, the existing runlevels can also be checked:
.. code-block :: ruby
describe service('sshd').runlevels do
its('keys') { should include(2) }
end
describe service('sshd').runlevels(2,4) do
it { should be_enabled }
end
**Override the service manager**
Under some circumstances, it may be required to override the logic in place to select the right service manager. For example, if you want to check a service managed by Upstart, you can explicitly do so:
.. code-block :: ruby
describe upstart_service('service') do
it { should_not be_enabled }
it { should be_installed }
it { should be_running }
end
2016-08-26 08:40:51 +00:00
The following service-manager-specific resources are available:
* `` systemd_service `` ,
* `` runit_service `` ,
* `` sysv_service `` ,
* `` bsd_service `` , and
* `` launchd_service `` .
These resources support the same matchers as the `service`
You can also provide the path to the service manager's control tool. This is useful in cases when it isn't available in the current `PATH`
2016-02-17 10:41:53 +00:00
For example, if your `sv`
.. code-block :: ruby
describe runit_service('service', '/opt/chef/embedded/sbin/sv') do
it { should be_enabled }
it { should be_installed }
it { should be_running }
end
2015-10-26 09:41:10 +00:00
ssh_config
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-31 17:27:55 +00:00
Use the `` ssh_config `` |inspec resource| to test |openssh| |ssh| client configuration data located at `` /etc/ssh/ssh_config `` on |linux| and |unix| platforms.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` ssh_config `` |inspec resource| block declares the client |openssh| configuration data to be tested:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe ssh_config('path') do
its('name') { should include('foo') }
end
where
* `` name `` is a configuration setting in `` ssh_config ``
* `` ('path') `` is the non-default `` /path/to/ssh_config ``
2015-10-26 09:41:10 +00:00
* `` { should include('foo') } `` tests the value of `` name `` as read from `` ssh_config `` versus the value declared in the test
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
name
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` name `` matcher tests the value of `` name `` as read from `` ssh_config `` versus the value declared in the test:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('name') { should eq 'foo' }
or:
.. code-block :: ruby
2015-10-31 17:27:55 +00:00
its('name') { should include('bar') }
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
**Test SSH configuration settings**
.. code-block :: ruby
describe ssh_config do
2015-10-31 17:27:55 +00:00
its('cipher') { should contain '3des' }
2016-01-15 01:34:37 +00:00
its('port') { should eq '22' }
2015-10-19 16:05:10 +00:00
its('hostname') { should include('example.com') }
end
**Test which variables from the local environment are sent to the server**
.. code-block :: ruby
2015-10-31 17:27:55 +00:00
only_if do
command('sshd').exist? or command('ssh').exists?
end
2015-10-26 09:41:10 +00:00
2015-10-19 16:05:10 +00:00
describe ssh_config do
its('SendEnv') { should include('GORDON_CLIENT') }
end
**Test owner and group permissions**
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
describe ssh_config do
its('owner') { should eq 'root' }
2016-08-30 17:23:47 +00:00
its('mode') { should cmp '0644' }
2015-11-02 08:55:05 +00:00
end
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
**Test SSH configuration**
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
describe ssh_config do
its('Host') { should eq '*' }
its('Tunnel') { should eq nil }
its('SendEnv') { should eq 'LANG LC_*' }
its('HashKnownHosts') { should eq 'yes' }
end
2015-10-20 21:04:07 +00:00
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
sshd_config
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-31 19:46:12 +00:00
Use the `` sshd_config `` |inspec resource| to test configuration data for the |openssh| daemon located at `` /etc/ssh/sshd_config `` on |linux| and |unix| platforms. sshd---the |openssh| daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command executation, and data exchanges.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` sshd_config `` |inspec resource| block declares the client |openssh| configuration data to be tested:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe sshd_config('path') do
its('name') { should include('foo') }
end
where
* `` name `` is a configuration setting in `` sshd_config ``
* `` ('path') `` is the non-default `` /path/to/sshd_config ``
2015-10-26 09:41:10 +00:00
* `` { should include('foo') } `` tests the value of `` name `` as read from `` sshd_config `` versus the value declared in the test
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
name
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` name `` matcher tests the value of `` name `` as read from `` sshd_config `` versus the value declared in the test:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('name') { should eq 'foo' }
or:
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
its('name') {should include('bar') }
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
**Test which variables may be sent to the server**
.. code-block :: ruby
describe sshd_config do
its('AcceptEnv') { should include('GORDON_SERVER') }
end
**Test for IPv6-only addresses**
.. code-block :: ruby
describe sshd_config do
its('AddressFamily') { should eq 'inet6' }
end
**Test protocols**
.. code-block :: ruby
describe sshd_config do
2015-12-11 16:10:17 +00:00
its('Protocol') { should cmp 2 }
2015-10-19 16:05:10 +00:00
end
2015-10-31 19:46:12 +00:00
**Test ciphers**
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-31 10:54:47 +00:00
describe sshd_config do
2015-10-20 01:25:25 +00:00
its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
end
2015-10-20 21:04:07 +00:00
**Test SSH protocols**
.. code-block :: ruby
2015-11-02 08:55:05 +00:00
describe sshd_config do
2015-12-11 16:10:17 +00:00
its('Port') { should cmp 22 }
2015-11-02 08:55:05 +00:00
its('UsePAM') { should eq 'yes' }
its('ListenAddress') { should eq nil }
its('HostKey') { should eq [
2015-10-20 21:04:07 +00:00
'/etc/ssh/ssh_host_rsa_key',
'/etc/ssh/ssh_host_dsa_key',
'/etc/ssh/ssh_host_ecdsa_key',
2015-11-02 08:55:05 +00:00
] }
end
2015-10-20 21:04:07 +00:00
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
user
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` user `` |inspec resource| to test user profiles, including the groups to which they belong, the frequency of required password changes, the directory paths to home and shell.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Stable**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` user `` |inspec resource| block declares a user name, and then one (or more) matchers:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe user('root') do
it { should exist }
its('uid') { should eq 1234 }
its('gid') { should eq 1234 }
its('group') { should eq 'root' }
its('groups') { should eq ['root', 'other']}
its('home') { should eq '/root' }
its('shell') { should eq '/bin/bash' }
its('mindays') { should eq 0 }
its('maxdays') { should eq 90 }
its('warndays') { should eq 8 }
end
where
* `` ('root') `` is the user to be tested
* `` it { should exist } `` tests if the user exists
2015-10-27 21:20:33 +00:00
* `` gid `` , `` group `` , `` groups `` , `` home `` , `` maxdays `` , `` mindays `` , `` shell `` , `` uid `` , and `` warndays `` are valid matchers for this |inspec resource|
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
exist
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` exist `` matcher tests if the named user exists:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
it { should exist }
2015-10-26 09:41:10 +00:00
gid
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` gid `` matcher tests the group identifier:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('gid') { should eq 1234 } }
where `` 1234 `` represents the user identifier.
2015-10-26 09:41:10 +00:00
group
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` group `` matcher tests the group to which the user belongs:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('group') { should eq 'root' }
where `` root `` represents the group.
2015-10-26 09:41:10 +00:00
groups
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` groups `` matcher tests two (or more) groups to which the user belongs:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('groups') { should eq ['root', 'other']}
2015-10-26 09:41:10 +00:00
home
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` home `` matcher tests the home directory path for the user:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('home') { should eq '/root' }
2015-10-26 09:41:10 +00:00
maxdays
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` maxdays `` matcher tests the maximum number of days between password changes:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('maxdays') { should eq 99 }
where `` 99 `` represents the maximum number of days.
2015-10-26 09:41:10 +00:00
mindays
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` mindays `` matcher tests the minimum number of days between password changes:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('mindays') { should eq 0 }
where `` 0 `` represents the maximum number of days.
2015-10-26 09:41:10 +00:00
shell
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` shell `` matcher tests the path to the default shell for the user:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('shell') { should eq '/bin/bash' }
2015-10-26 09:41:10 +00:00
uid
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` uid `` matcher tests the user identifier:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('uid') { should eq 1234 } }
where `` 1234 `` represents the user identifier.
2015-10-26 09:41:10 +00:00
warndays
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` warndays `` matcher tests the number of days a user is warned before a password must be changed:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('warndays') { should eq 5 }
where `` 5 `` represents the number of days a user is warned.
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-10-20 01:25:25 +00:00
**Verify available users for the MySQL server**
.. code-block :: ruby
describe user('root') do
it { should exist }
it { should belong_to_group 'root' }
its('uid') { should eq 0 }
its('groups') { should eq ['root'] }
end
2015-10-26 09:41:10 +00:00
2015-10-20 01:25:25 +00:00
describe user('mysql') do
it { should_not exist }
end
2015-10-19 16:05:10 +00:00
2015-10-22 04:13:17 +00:00
**Test users on multiple platforms**
The |nginx| user is typically `` www-data `` , but on |centos| it's `` nginx `` . The following example shows how to test for the |nginx| user with a single test, but accounting for all platforms:
.. code-block :: ruby
web_user = 'www-data'
web_user = 'nginx' if os[:family] == 'centos'
2015-10-26 09:41:10 +00:00
2015-10-22 04:13:17 +00:00
describe user(web_user) do
it { should exist }
end
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
windows_feature
2015-10-20 21:16:47 +00:00
=====================================================
2015-11-27 15:03:52 +00:00
Use the `` windows_feature `` |inspec resource| to test features on |windows|. It uses the `` Get-WindowsFeature `` cmdlet under the hood.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` windows_feature `` |inspec resource| block declares the name of the |windows| feature, tests if that feature is installed, and then returns information about that feature:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe windows_feature('feature_name') do
it { should be_installed }
end
where
* `` ('feature_name') `` must specify a |windows| feature name, such as `` DHCP Server `` or `` IIS-Webserver ``
2015-10-27 21:20:33 +00:00
* `` be_installed `` is a valid matcher for this |inspec resource|
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
be_installed
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_installed `` matcher tests if the named |windows| feature is installed:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
it { should be_installed }
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
2015-10-20 21:04:07 +00:00
**Test the DHCP Server feature**
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe windows_feature('DHCP Server') do
it{ should be_installed }
end
2015-10-26 09:41:10 +00:00
yaml
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` yaml `` |inspec resource| to test configuration data in a |yaml| file.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` yaml `` |inspec resource| block declares the configuration data to be tested:
2015-10-19 16:05:10 +00:00
2016-06-21 22:06:27 +00:00
.. code-block :: yaml
name: foo
array:
- zero
- one
This file can be queried via:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe yaml do
its('name') { should eq 'foo' }
2016-06-21 22:06:27 +00:00
its(['array', 1]) { should eq 'one' }
2015-10-19 16:05:10 +00:00
end
where
* `` name `` is a configuration setting in a |yaml| file
* `` should eq 'foo' `` tests a value of `` name `` as read from a |yaml| file versus the value declared in the test
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
name
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` name `` matcher tests the value of `` name `` as read from a |yaml| file versus the value declared in the test:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
its('name') { should eq 'foo' }
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
**Test a kitchen.yml file driver**
.. code-block :: ruby
describe yaml('.kitchen.yaml') do
its('driver.name') { should eq('vagrant') }
end
2015-10-20 01:25:25 +00:00
2015-10-26 09:41:10 +00:00
yum
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-27 21:20:33 +00:00
Use the `` yum `` |inspec resource| to test packages in the |yum| repository.
2015-10-19 16:05:10 +00:00
2015-10-27 16:47:27 +00:00
**Stability: Experimental**
2015-10-26 09:41:10 +00:00
Syntax
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-27 21:20:33 +00:00
A `` yum `` |inspec resource| block declares a package repo, tests if the package repository is present, and if it that package repository is a valid package source (i.e. "is enabled"):
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe yum.repo('name') do
it { should exist }
it { should be_enabled }
end
where
* `` repo('name') `` is the (optional) name of a package repo, using either a full identifier (`` 'updates/7/x86_64' `` ) or a short identifier (`` 'updates' `` )
2015-10-26 09:41:10 +00:00
Matchers
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
This InSpec audit resource has the following matchers.
2015-10-19 16:05:10 +00:00
2015-10-26 09:41:10 +00:00
be_enabled
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` be_enabled `` matcher tests if the package repository is a valid package source:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
it { should be_enabled }
2015-10-26 09:41:10 +00:00
exist
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` exist `` matcher tests if the package repository exists:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
it { should exist }
2015-10-26 09:41:10 +00:00
repo('name')
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-22 04:13:17 +00:00
The `` repo('name') `` matcher names a specific package repository:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe yum.repo('epel') do
...
end
2015-10-26 09:41:10 +00:00
repos
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-19 16:05:10 +00:00
The `` repos `` matcher tests if a named repo, using either a full identifier (`` 'updates/7/x86_64' `` ) or a short identifier (`` 'updates' `` ), is included in the |yum| repo:
.. code-block :: ruby
its('repos') { should include 'some_repo' }
2015-10-26 09:41:10 +00:00
Examples
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-26 23:29:57 +00:00
The following examples show how to use this InSpec audit resource.
2015-10-19 16:05:10 +00:00
**Test if the yum repo exists**
.. code-block :: ruby
describe yum do
its('repos') { should exist }
end
**Test if the 'base/7/x86_64' repo exists and is enabled**
.. code-block :: ruby
describe yum do
its('repos') { should include 'base/7/x86_64' }
its('epel') { should exist }
its('epel') { should be_enabled }
end
**Test if a specific yum repo exists**
.. code-block :: ruby
describe yum.repo('epel') do
it { should exist }
it { should be_enabled }
end
2015-10-30 13:29:19 +00:00
.. |inspec resource| replace :: InSpec audit resource
.. |apt| replace :: Apt
.. |apache| replace :: Apache
.. |archlinux| replace :: Arch Linux
.. |debian| replace :: Debian
.. |fedora| replace :: Fedora
.. |redhat enterprise linux| replace :: Red Hat Enterprise Linux
.. |centos| replace :: CentOS
.. |redhat| replace :: Red Hat
.. |ubuntu| replace :: Ubuntu
.. |windows| replace :: Microsoft Windows
.. |unix| replace :: UNIX
.. |linux| replace :: Linux
.. |ppa| replace :: PPA
.. |json| replace :: JSON
.. |csv| replace :: CSV
.. |postgresql| replace :: PostgreSQL
.. |md5| replace :: MD5
.. |sha256| replace :: SHA-256
.. |selinux| replace :: SELinux
.. |gem| replace :: gem
.. |icmp| replace :: ICMP
.. |tcp| replace :: TCP
.. |udp| replace :: UDP
.. |inetd| replace :: inetd
.. |mysql| replace :: MySQL
.. |npm| replace :: npm
.. |bower| replace :: bower
.. |statsd| replace :: StatsD
.. |oneget| replace :: OneGet
.. |ruby| replace :: Ruby
.. |pip| replace :: pip
.. |ipv4| replace :: Internet Protocol version 4 (IPv4)
.. |ipv6| replace :: Internet Protocol version 6 (IPv6)
.. |powershell| replace :: Windows PowerShell
.. |openssh| replace :: Open SSH
.. |ssh| replace :: SSH
.. |nginx| replace :: Nginx
.. |yaml| replace :: YAML
.. |yum| replace :: Yum
