=====================================================
InSpec Resources Reference
=====================================================

The following InSpec resources are available:

* ``apt``
* ``bond``
* ``bridge``
* ``command``
* ``directory``
* ``file``
* ``gem``
* ``group``
* ``host``
* ``iptables``
* ``interface``
* ``kernel_module``
* ``kernel_parameter``
* ``npm``
* ``oneget``
* ``os``
* ``os_env``
* ``package``
* ``pip``
* ``port``
* ``processes``
* ``registry_key``
* ``script``
* ``service``
* ``user``
* ``windows_feature``
* ``yum``

In addition to the open source resources, Chef Compliance ships with additional resources:

* ``apache_conf``
* ``audit_policy``
* ``audit_daemon_conf``
* ``audit_daemon_rules``
* ``csv``
* ``etc_group``
* ``group_policy``
* ``inetd_config``
* ``json``
* ``limits_conf``
* ``login_defs``
* ``mysql``
* ``mysql_conf``
* ``mysql_session``
* ``ntp_conf``
* ``parse_config``
* ``parse_config_file``
* ``passwd``
* ``postgres``
* ``postgres_conf``
* ``postgres_session``
* ``security_policy``
* ``ssh_config``
* ``sshd_config``
* ``yaml``

See below for more information about each InSpec resource, its related matchers, and examples of how to use it in a recipe.

apache_conf -- DONE
=====================================================
Use the ``apache_conf`` InSpec resource to test the configuration settings for |apache|. This file is typically located under ``/etc/apache2`` on the |debian| and |ubuntu| platforms and under ``/etc/httpd`` on the |fedora|, |centos|, |redhat enterprise linux|, and |archlinux| platforms. The configuration settings may vary significantly from platform to platform.

Syntax -- DONE
-----------------------------------------------------
An ``apache_conf`` InSpec resource block declares configuration settings that should be tested. For example:

.. code-block:: ruby

   describe apache_conf('path') do
     its('setting_name') { should eq 'value' }
   end

where

* ``'setting_name'`` is a configuration setting defined in the |apache| configuration file
* ``('path')`` is the non-default path to the |apache| configuration file
* ``{ should eq 'value' }`` is the value that is expected

Matchers -- DONE
-----------------------------------------------------
This InSpec resource matches any service that is listed in the |apache| configuration file. For example:

.. code-block:: ruby

   its('PidFile') { should_not eq '/var/run/httpd.pid' }

or:

.. code-block:: ruby

   its('Timeout') { should eq 300 }

For example:

.. code-block:: ruby

   describe apache_conf do
     its('MaxClients') { should eq 100 }
     its('Listen') { should eq '443' }
   end

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test for blocking .htaccess files on CentOS**

.. code-block:: ruby

   describe apache_conf do
     its('AllowOverride') { should eq 'None' }
   end

**Test ports for SSL**

.. code-block:: ruby

   describe apache_conf do
     its('Listen') { should eq '443' }
   end

apt -- DONE
=====================================================
Use the ``apt`` InSpec resource to verify |apt| repositories on the |debian| and |ubuntu| platforms, and also |ppa| repositories on the |ubuntu| platform.

Syntax -- DONE
-----------------------------------------------------
An ``apt`` InSpec resource block tests the contents of |apt| and |ppa| repositories. For example:

.. code-block:: ruby

   describe apt('path') do
     it { should exist }
     it { should be_enabled }
   end

where

* ``apt('path')`` must specify an |apt| or |ppa| repository
* ``('path')`` may be an ``http://`` address, a ``ppa:`` address, or a short ``repo-name/ppa`` address
* ``exist`` and ``be_enabled`` are valid matchers for this InSpec resource

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

be_enabled -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``be_enabled`` matcher tests if a package exists in the repository. For example:

.. code-block:: ruby

   it { should be_enabled }

exist -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``exist`` matcher tests if a package exists on the system. For example:

.. code-block:: ruby

   it { should exist }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test if Ubuntu is updated to the latest stable Juju package**

.. code-block:: ruby

   describe apt('http://ppa.launchpad.net/juju/stable/ubuntu') do
     it { should exist }
     it { should be_enabled }
   end

**Test if Nginx is updated to the latest stable package**

.. code-block:: ruby

   describe apt('ppa:nginx/stable') do
     it { should exist }
     it { should be_enabled }
   end

**Verify that a repository exists and is enabled**

.. code-block:: ruby

   describe apt('ppa:nginx/stable') do
     it { should exist }
     it { should be_enabled }
   end

**Verify that a repository is not present**

.. code-block:: ruby

   describe apt('ubuntu-wine/ppa') do
     it { should_not exist }
     it { should_not be_enabled }
   end

audit_policy
=====================================================
Use the ``audit_policy`` InSpec resource to xxxxx.

Examples
-----------------------------------------------------
**Verify Microsoft Windows Audit Policy**

.. code-block:: ruby

   describe audit_policy do
     its('Other Account Logon Events') { should_not eq 'No Auditing' }
   end

audit_daemon_conf
=====================================================
Use the ``audit_daemon_conf`` InSpec resource to xxxxx.

IN_PROGRESS

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test xxxxx**

.. code-block:: ruby

   describe audit_daemon_conf do
     its('space_left_action') { should eq 'email' }
     its('action_mail_acct') { should eq 'root' }
     its('admin_space_left_action') { should eq 'halt' }
   end

**Test xxxxx**

.. code-block:: ruby

   describe audit_daemon_conf do
     its('space_left_action') { should eq 'SYSLOG' }
     its('action_mail_acct') { should eq 'root' }
     its('tcp_listen_queue') { should eq '5' }
   end

audit_daemon_rules
=====================================================
Use the ``audit_daemon_rules`` InSpec resource to xxxxx.

IN_PROGRESS

Examples -- DONE
-----------------------------------------------------
**Test audit daemon rules contains the matching element, which is identified by a regular expression.**

.. code-block:: ruby

   describe audit_daemon_rules do
     its("LIST_RULES") { should contain_match(/^exit,always arch=.* key=time-change syscall=adjtimex,settimeofday/) }
   end

bond
=====================================================
Use the ``bond`` InSpec resource to test a logical, bonded network interface (i.e. "two or more network interfaces aggregated into a single, logical network interface"). On |unix| and |linux| platforms, any value in the ``/proc/net/bonding`` directory may be tested.

IN_PROGRESS

bridge -- DONE
=====================================================
Use the ``bridge`` InSpec resource to test basic network bridge properties, such as name, if an interface is defined, and the associations for any defined interface.

* On |unix| and |linux| platforms, any value in the ``/sys/class/net/{interface}/bridge`` directory may be tested
* On the |windows| platform, the ``Get-NetAdapter`` cmdlet is associated with the ``Get-NetAdapterBinding`` cmdlet and returns the ``ComponentID ms_bridge`` value as a |json| object

.. not sure the previous two bullet items are actually true, but keeping there for reference for now, just in case

Syntax -- DONE
-----------------------------------------------------
A ``bridge`` InSpec resource block declares xxxxx. For example:

.. code-block:: ruby

   describe bridge('br0') do
     it { should exist }
     it { should have_interface 'eth0' }
   end

..
.. where
..
.. * ``xxxxx`` must specify xxxxx
.. * xxxxx
.. * ``xxxxx`` is a valid matcher for this InSpec resource
..

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

exist -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``exist`` matcher tests if the network bridge is available. For example:

.. code-block:: ruby

   it { should exist }

have_interface -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``have_interface`` matcher tests if the named interface is defined for the network bridge. For example:

.. code-block:: ruby

   it { should have_interface 'eth0' }

interfaces -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``interfaces`` matcher tests if the named interface is present. For example:

.. code-block:: ruby

   its('interfaces') { should eq 'foo' }
   its('interfaces') { should eq 'bar' }
   its('interfaces') { should include 'foo', 'bar' }

.. wild guessing ^^^

..
.. Examples
.. -----------------------------------------------------
.. The following examples show how to use this InSpec resource in a test.
..
.. **xxxxx**
..
.. xxxxx
..
.. **xxxxx**
..
.. xxxxx
..

command
=====================================================
Use the ``command`` InSpec resource to test an arbitrary command.

IN_PROGRESS

csv -- DONE
=====================================================
Use the ``csv`` InSpec resource to test configuration data in a |csv| file.

Syntax -- DONE
-----------------------------------------------------
A ``csv`` InSpec resource block declares the configuration data to be tested. For example:

.. code-block:: ruby

   describe csv('file') do
     its('name') { should eq 'foo' }
   end

where

* ``'file'`` is the path to a |csv| file
* ``name`` is a configuration setting in a |csv| file
* ``should eq 'foo'`` tests a value of ``name`` as read from a |csv| file versus the value declared in the test

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

name -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``name`` matcher tests the value of ``name`` as read from a |csv| file versus the value declared in the test. For example:

.. code-block:: ruby

   its('name') { should eq 'foo' }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test a CSV file**

.. code-block:: ruby

   describe csv('some_file.csv') do
     its('setting') { should eq 1 }
   end

directory
=====================================================
Use the ``directory`` InSpec resource to xxxxx.

IN_PROGRESS

etc_group
=====================================================
Use the ``etc_group`` InSpec resource to test the contents of the ``/etc/group`` file on |linux| and |unix| platforms. The ``/etc/group`` file stores details about each group---group name, password, group identifier, and a comma-separated list of users that belong to the group.

IN_PROGRESS

Parse the ``/etc/group`` file:

.. code-block:: ruby

   etc_group  # uses /etc/group

You can also specify the file's location:

.. code-block:: ruby

   etc_group('/etc/group')

Matchers
-----------------------------------------------------

gids
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Access all group IDs:

.. code-block:: ruby

   describe etc_group do
     its('gids') { should_not contain_duplicates }
   end

groups
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Access all group names:

.. code-block:: ruby

   describe etc_group do
     its('groups') { should include 'my_user' }
   end

users
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Access all group names:

.. code-block:: ruby

   describe etc_group.where(name: 'my_user') do
     its('users') { should include 'my_user' }
   end

where
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Filter the list of groups. Filter choices are ``name`` for the group name, ``gid`` for a group ID (a number), ``password``, and ``users``.

.. code-block:: ruby

   describe etc_group.where(name: 'my_user') do
     its('users') { should include 'my_user' }
   end

Examples
-----------------------------------------------------
**Verify that no gid is used twice**

.. code-block:: ruby

   describe etc_group do
     its(:gids) { should_not contain_duplicates }
   end
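
The duplicate-gid check and the ``where`` filter can be reproduced on raw ``/etc/group`` text. The following Ruby code is an added example, not InSpec's own implementation; ``GroupEntry``, ``parse_etc_group``, ``duplicate_gids`` and ``filter_groups`` are hypothetical names, and the sample file contents are constructed for illustration:

```ruby
# Added example (not InSpec code): read /etc/group text, report gids that are
# shared by more than one group, and filter entries the way `where` does.

# One record per line of /etc/group: name:password:gid:user1,user2
GroupEntry = Struct.new(:name, :password, :gid, :users)

# Constructed sample: 'my_user' and 'backup' share gid 1000, one line is a
# comment and one line is malformed (non-numeric gid).
SAMPLE_GROUP = <<~'GROUP'
  # constructed sample data
  root:x:0:
  adm:x:4:syslog,my_user
  my_user:x:1000:my_user
  backup:x:1000:
  broken:x:notanumber:
GROUP

# Parse the text into GroupEntry records, skipping blank lines, comments and
# lines whose gid field is missing or not a number.
def parse_etc_group(text)
  text.each_line.map do |line|
    line = line.chomp
    next if line.strip.empty? || line.start_with?('#')

    name, password, gid, users = line.split(':', -1)
    next if gid.nil? || gid !~ /\A\d+\z/

    GroupEntry.new(name, password, gid.to_i, users.to_s.split(','))
  end.compact
end

# Return { gid => [group names] } for every gid used by more than one group.
# Two names with one gid are the same group to the kernel, so file and
# directory permissions granted to one are granted to the other.
def duplicate_gids(entries)
  entries.group_by(&:gid)
         .select { |_gid, group| group.size > 1 }
         .transform_values { |group| group.map(&:name) }
end

# Filter entries by name, gid, password or users. For :users the condition
# matches when the given user is a member of the group.
def filter_groups(entries, **conditions)
  entries.select do |entry|
    conditions.all? do |field, wanted|
      field == :users ? entry.users.include?(wanted) : entry[field] == wanted
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_etc_group(SAMPLE_GROUP)
  puts "duplicate gids: #{duplicate_gids(entries).inspect}"
  puts "groups containing my_user: #{filter_groups(entries, users: 'my_user').map(&:name).inspect}"
end
```
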

file
=====================================================
Use the ``file`` InSpec resource to xxxxx.

IN_PROGRESS

gem -- DONE
=====================================================
Use the ``gem`` InSpec resource to test if a global |gem| package is installed.

Syntax -- DONE
-----------------------------------------------------
A ``gem`` InSpec resource block declares a package and (optionally) a package version. For example:

.. code-block:: ruby

   describe gem('gem_package_name') do
     it { should be_installed }
   end

where

* ``('gem_package_name')`` must specify a |gem| package, such as ``'rubocop'``
* ``be_installed`` is a valid matcher for this InSpec resource

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

be_installed -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``be_installed`` matcher tests if the named |gem| package is installed. For example:

.. code-block:: ruby

   it { should be_installed }

version -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``version`` matcher tests if the named package version is on the system. For example:

.. code-block:: ruby

   its('version') { should eq '0.33.0' }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Verify that a gem package is installed, with a specific version**

.. code-block:: ruby

   describe gem('rubocop') do
     it { should be_installed }
     its('version') { should eq '0.33.0' }
   end

**Verify that a gem package is not installed**

.. code-block:: ruby

   describe gem('rubocop') do
     it { should_not be_installed }
   end

group
=====================================================
Use the ``group`` InSpec resource to xxxxx.

IN_PROGRESS

group_policy
=====================================================
Use the ``group_policy`` InSpec resource to xxxxx.

IN_PROGRESS

Test Microsoft Windows Group Policies:

.. code-block:: ruby

   describe group_policy('Local Policies\Security Options') do
     its('Network access: Restrict anonymous access to Named Pipes and Shares') { should eq 1 }
   end

host -- DONE
=====================================================
Use the ``host`` InSpec resource to test the name used to refer to a specific host and its availability, including the Internet protocols and ports over which that host name should be available.

Syntax -- DONE
-----------------------------------------------------
A ``host`` InSpec resource block declares a host name, and then (depending on what is to be tested) a port and/or a protocol. For example:

.. code-block:: ruby

   describe host('example.com', port: 80, proto: 'udp') do
     it { should be_reachable }
   end

where

* ``host()`` must specify a host name and may specify a port number and/or a protocol
* ``'example.com'`` is the host name
* ``port:`` is the port number
* ``proto: 'name'`` is the Internet protocol: |icmp| (``proto: 'icmp'``), |tcp| (``proto: 'tcp'``), or |udp| (``proto: 'udp'``)
* ``be_reachable`` is a valid matcher for this InSpec resource

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

be_reachable -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``be_reachable`` matcher tests if the host name is available. For example:

.. code-block:: ruby

   it { should be_reachable }

be_resolvable -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``be_resolvable`` matcher tests for host name resolution, i.e. "resolvable to an IP address". For example:

.. code-block:: ruby

   it { should be_resolvable }

ipaddress -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``ipaddress`` matcher tests if a host name is resolvable to a specific IP address. For example:

.. code-block:: ruby

   its('ipaddress') { should include '93.184.216.34' }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Verify host name is reachable over a specific protocol and port number**

.. code-block:: ruby

   describe host('example.com', port: 53, proto: 'udp') do
     it { should be_reachable }
   end

**Verify that a specific IP address can be resolved**

.. code-block:: ruby

   describe host('example.com', port: 80, proto: 'tcp') do
     it { should be_resolvable }
     its('ipaddress') { should include '192.168.1.1' }
   end

inetd_config -- DONE
=====================================================
Use the ``inetd_config`` InSpec resource to test if a service is enabled in the ``inetd.conf`` file on |linux| and |unix| platforms. |inetd|---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The ``inetd.conf`` file is typically located at ``/etc/inetd.conf`` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.

Syntax -- DONE
-----------------------------------------------------
An ``inetd_config`` InSpec resource block declares the list of services that should be disabled in the ``inetd.conf`` file. For example:

.. code-block:: ruby

   describe inetd_config('path') do
     its('service_name') { should eq 'value' }
   end

where

* ``'service_name'`` is a service listed in the ``inetd.conf`` file
* ``('path')`` is the non-default path to the ``inetd.conf`` file
* ``should eq 'value'`` is the value that is expected

Matchers -- DONE
-----------------------------------------------------
This InSpec resource matches any service that is listed in the ``inetd.conf`` file. For example:

.. code-block:: ruby

   its('shell') { should eq nil }

or:

.. code-block:: ruby

   its('netstat') { should eq nil }

or:

.. code-block:: ruby

   its('systat') { should eq nil }

For example:

.. code-block:: ruby

   describe inetd_conf do
     its('shell') { should eq nil }
     its('login') { should eq nil }
     its('exec') { should eq nil }
   end

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Verify that FTP is disabled**

The contents of the ``inetd.conf`` file contain the following:

.. code-block:: text

   #ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
   #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

and the following test is defined:

.. code-block:: ruby

   describe inetd_config do
     its('ftp') { should eq nil }
     its('telnet') { should eq nil }
   end

Because both the ``ftp`` and ``telnet`` Internet services are commented out (``#``), both services are disabled. Consequently, both tests will return ``true``. However, if the ``inetd.conf`` file is set as follows:

.. code-block:: text

   ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
   #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

then the same test will return ``false`` for ``ftp`` and the entire test will fail.
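
Why a commented-out service evaluates to ``nil`` can be seen by reading the file directly. The following Ruby code is an added example, not InSpec's own implementation; ``parse_inetd_conf`` and ``enabled_services`` are hypothetical names, and the two sample files are constructed from the listings above:

```ruby
# Added example (not InSpec code): read inetd.conf text and report which of
# the services that must stay disabled are actually enabled.

# Column names for the fields that follow the service name in inetd.conf.
INETD_FIELDS = %i[socket_type protocol wait user server_program server_args].freeze

# Constructed samples, copied from the two listings in this section.
BOTH_DISABLED = <<~'CONF'
  #ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
  #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
CONF

FTP_ENABLED = <<~'CONF'
  ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
  #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
CONF

# Parse inetd.conf text into { 'service' => { field => value } }.
# A line that starts with '#' is a comment, so a commented-out service is
# absent from the result and a lookup for it returns nil.
def parse_inetd_conf(text)
  text.each_line.with_object({}) do |line, services|
    line = line.strip
    next if line.empty? || line.start_with?('#')

    # Seven columns at most; everything after the server program is kept
    # together as the argument string.
    name, *rest = line.split(/\s+/, 7)
    next if rest.length < 5 # not a complete service entry

    services[name] = INETD_FIELDS.zip(rest).to_h
  end
end

# Return the subset of must_be_disabled that has an active (uncommented)
# entry in the given inetd.conf text.
def enabled_services(text, must_be_disabled)
  services = parse_inetd_conf(text)
  must_be_disabled.select { |name| services.key?(name) }
end

if __FILE__ == $PROGRAM_NAME
  { 'both commented out' => BOTH_DISABLED, 'ftp active' => FTP_ENABLED }.each do |label, conf|
    offenders = enabled_services(conf, %w[ftp telnet])
    puts "#{label}: #{offenders.empty? ? 'pass' : "fail (enabled: #{offenders.join(', ')})"}"
  end
end
```
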

**Test if telnet is installed**

.. code-block:: ruby

   describe package('telnetd') do
     it { should_not be_installed }
   end

   describe inetd_conf do
     its('telnet') { should eq nil }
   end

interface -- DONE
=====================================================
Use the ``interface`` InSpec resource to test basic network adapter properties, such as name, status, state, address, and link speed (in MB/sec).

* On |unix| and |linux| platforms, any value in the ``/sys/class/net/#{iface}`` directory may be tested.
* On the |windows| platform, the ``Get-NetAdapter`` cmdlet returns the following values: ``Property Name``, ``InterfaceDescription``, ``Status``, ``State``, ``MacAddress``, ``LinkSpeed``, ``ReceiveLinkSpeed``, ``TransmitLinkSpeed``, and ``Virtual``, returned as a |json| object.

.. not sure the previous two bullet items are actually true, but keeping there for reference for now, just in case

Syntax -- DONE
-----------------------------------------------------
An ``interface`` InSpec resource block declares network interface properties to be tested. For example:

.. code-block:: ruby

   describe interface do
     it { should be_up }
     its('speed') { should eq 1000 }
     its('name') { should eq 'eth0' }
   end

..
.. where
..
.. * ``xxxxx`` must specify xxxxx
.. * xxxxx
.. * ``xxxxx`` is a valid matcher for this InSpec resource
..

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

be_up -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``be_up`` matcher tests if the network interface is available. For example:

.. code-block:: ruby

   it { should be_up }

name -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``name`` matcher tests if the named network interface exists. For example:

.. code-block:: ruby

   its('name') { should eq 'eth0' }

speed -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``speed`` matcher tests the speed of the network interface, in MB/sec. For example:

.. code-block:: ruby

   its('speed') { should eq 1000 }

..
.. Examples
.. -----------------------------------------------------
.. The following examples show how to use this InSpec resource in a test.
..
.. **xxxxx**
..
.. xxxxx
..
.. **xxxxx**
..
.. xxxxx
..

iptables
=====================================================
Use the ``iptables`` InSpec resource to test xxxxx.

IN_PROGRESS

json -- DONE
=====================================================
Use the ``json`` InSpec resource to test data in a |json| file.

Syntax -- DONE
-----------------------------------------------------
A ``json`` InSpec resource block declares the data to be tested. For example:

.. code-block:: ruby

   describe json do
     its('name') { should eq 'foo' }
   end

where

* ``name`` is a configuration setting in a |json| file
* ``should eq 'foo'`` tests a value of ``name`` as read from a |json| file versus the value declared in the test

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

name -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``name`` matcher tests the value of ``name`` as read from a |json| file versus the value declared in the test. For example:

.. code-block:: ruby

   its('name') { should eq 'foo' }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test a cookbook version in a policyfile.lock.json file**

.. code-block:: ruby

   describe json('policyfile.lock.json') do
     its('cookbook_locks.omnibus.version') { should eq('2.2.0') }
   end

kernel_module -- DONE
=====================================================
Use the ``kernel_module`` InSpec resource to test kernel modules on |linux| platforms. These parameters are located under ``/lib/modules``. Any submodule may be tested using this resource.

Syntax -- DONE
-----------------------------------------------------
A ``kernel_module`` InSpec resource block declares a module name, and then tests if that module is a loadable kernel module. For example:

.. code-block:: ruby

   describe kernel_module('module_name') do
     it { should be_loaded }
   end

where

* ``'module_name'`` must specify a kernel module, such as ``'bridge'``
* ``{ should be_loaded }`` tests if the module is a loadable kernel module

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

be_loaded -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``be_loaded`` matcher tests if the module is a loadable kernel module. For example:

.. code-block:: ruby

   it { should be_loaded }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test if a module is loaded**

.. code-block:: ruby

   describe kernel_module('bridge') do
     it { should be_loaded }
   end

kernel_parameter -- DONE
=====================================================
Use the ``kernel_parameter`` InSpec resource to test kernel parameters on |linux| platforms. These parameters are located under ``/proc/sys/net``. Any subdirectory may be tested using this resource.

.. https://www.kernel.org/doc/Documentation/kernel-parameters.txt

Syntax -- DONE
-----------------------------------------------------
A ``kernel_parameter`` InSpec resource block declares a parameter and then a value to be tested. For example:

.. code-block:: ruby

   describe kernel_parameter('path.to.parameter') do
     its('value') { should eq 0 }
   end

where

* ``'path.to.parameter'`` must specify a kernel parameter, such as ``'net.ipv4.conf.all.forwarding'``
* ``{ should eq 0 }`` states the value to be tested

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

value -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``value`` matcher tests the value assigned to the named kernel parameter versus the value declared in the test. For example:

.. code-block:: ruby

   its('value') { should eq 0 }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test if global forwarding is enabled for an IPv4 address**

.. code-block:: ruby

   describe kernel_parameter('net.ipv4.conf.all.forwarding') do
     its(:value) { should eq 1 }
   end

**Test if global forwarding is disabled for an IPv6 address**

.. code-block:: ruby

   describe kernel_parameter('net.ipv6.conf.all.forwarding') do
     its(:value) { should eq 0 }
   end

**Test if an IPv6 address accepts redirects**

.. code-block:: ruby

   describe kernel_parameter('net.ipv6.conf.interface.accept_redirects') do
     its(:value) { should eq 'true' }
   end

limits_conf -- DONE
=====================================================
Use the ``limits_conf`` InSpec resource to test configuration settings in the ``/etc/security/limits.conf`` file. The ``limits.conf`` file defines limits for processes (by user and/or group names) and helps ensure that the system on which those processes are running remains stable. Each process may be assigned a hard or soft limit.

* Soft limits are maintained by the shell and define the number of file handles (or open files) available to the user or group after login
* Hard limits are maintained by the kernel and define the maximum number of allowed file handles

Entries in the ``limits.conf`` file are similar to:

.. code-block:: bash

   grantmc     soft   nofile   4096
   grantmc     hard   nofile   63536
   ^^^^^^^^^   ^^^^   ^^^^^^   ^^^^^
   domain      type   item     value

Syntax -- DONE
-----------------------------------------------------
A ``limits_conf`` InSpec resource block declares a domain to be tested, along with associated type, item, and value. For example:

.. code-block:: ruby

   describe limits_conf('path') do
     its('domain') { should include ['type', 'item', 'value'] }
     its('domain') { should eq ['type', 'item', 'value'] }
   end

where

* ``('path')`` is the non-default path to the ``limits.conf`` file
* ``'domain'`` is a user or group name, such as ``grantmc``
* ``'type'`` is either ``hard`` or ``soft``
* ``'item'`` is the item for which limits are defined, such as ``core``, ``nofile``, ``stack``, ``nproc``, ``priority``, or ``maxlogins``
* ``'value'`` is the value associated with the ``item``

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

domain -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``domain`` matcher tests the domain in the ``limits.conf`` file, along with associated type, item, and value. For example:

.. code-block:: ruby

   its('domain') { should include ['type', 'item', 'value'] }

For example:

.. code-block:: ruby

   its('grantmc') { should include ['hard', 'nofile', '63536'] }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test * and ftp limits**

.. code-block:: ruby

   describe limits_conf('path') do
     its('*') { should include ['soft', 'core', '0'], ['hard', 'rss', '10000'] }
     its('ftp') { should eq ['hard', 'nproc', '0'] }
   end

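The mapping from ``limits.conf`` lines to the ``[type, item, value]`` triples these tests compare can be seen in plain Ruby. This is an added example, not InSpec's own code; the sample file contents, the function names and the one-list-of-triples-per-domain structure are assumptions made for illustration.

```ruby
# Added example: plain Ruby, not InSpec's implementation.
# Constructed sample in limits.conf format (domain, type, item, value).
SAMPLE_LIMITS = <<~CONF
  # /etc/security/limits.conf (constructed sample)
  *        soft  core    0
  *        hard  rss     10000
  grantmc  soft  nofile  4096
  grantmc  hard  nofile  63536   # trailing comment
  ftp      hard  nproc   0
  grantmc  hard  nproc
CONF

# Parse limits.conf text into { domain => [[type, item, value], ...] }.
# Returns that hash plus the line numbers that are not four-field entries.
def parse_limits(text)
  entries = {}
  rejected = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.sub(/#.*/, '').strip        # drop comments and padding
    next if line.empty?

    fields = line.split(/\s+/)
    if fields.length == 4
      domain, type, item, value = fields
      (entries[domain] ||= []) << [type, item, value]
    else
      rejected << lineno                   # malformed entry: report it, do not guess
    end
  end
  [entries, rejected]
end

# Counterpart of an `include` expectation: which required triples are absent
# for the domain? An empty result means every required limit is configured.
def missing_limits(entries, domain, required)
  present = entries.fetch(domain, [])
  required.reject { |triple| present.include?(triple) }
end

# Hard limit configured for an item, or nil when the domain has none.
def hard_limit(entries, domain, item)
  row = entries.fetch(domain, []).find do |type, name, _value|
    type == 'hard' && name == item
  end
  row && row[2]
end

if __FILE__ == $PROGRAM_NAME
  entries, rejected = parse_limits(SAMPLE_LIMITS)
  entries.each { |domain, rows| puts "#{domain}: #{rows.inspect}" }
  puts "malformed lines: #{rejected.inspect}"
  puts "missing for *: #{missing_limits(entries, '*', [['soft', 'core', '0']]).inspect}"
end
```

Values stay strings, as in the tests above, so ``'63536'`` and ``63536`` do not compare equal.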

login_defs -- DONE
=====================================================
Use the ``login_defs`` InSpec resource to test configuration settings in the ``/etc/login.defs`` file. The ``login.defs`` file defines site-specific configuration for the shadow password suite on |linux| and |unix| platforms, such as password expiration ranges, minimum/maximum values for automatic selection of user and group identifiers, or the method with which passwords are encrypted.

Syntax -- DONE
-----------------------------------------------------
A ``login_defs`` InSpec resource block declares the ``login.defs`` configuration data to be tested. For example:

.. code-block:: ruby

   describe login_defs do
     its('name') { should include('foo') }
   end

where

* ``name`` is a configuration setting in ``login.defs``
* ``{ should include('foo') }`` tests the value of ``name`` as read from ``login.defs`` versus the value declared in the test

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

name -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``name`` matcher tests the value of ``name`` as read from ``login.defs`` versus the value declared in the test. For example:

.. code-block:: ruby

   its('name') { should eq 'foo' }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test password expiration settings**

.. code-block:: ruby

   describe login_defs do
     its('PASS_MAX_DAYS') { should eq '180' }
     its('PASS_MIN_DAYS') { should eq '1' }
     its('PASS_MIN_LEN') { should eq '15' }
     its('PASS_WARN_AGE') { should eq '30' }
   end

**Test the encryption method**

.. code-block:: ruby

   describe login_defs do
     its('ENCRYPT_METHOD') { should eq 'SHA512' }
   end

**Test the umask and the maximum password age**

.. code-block:: ruby

   describe login_defs do
     its('UMASK') { should eq '077' }
     its('PASS_MAX_DAYS.to_i') { should be <= 90 }
   end

mysql -- NOT AN InSpec resource?
=====================================================
TBD

.. This one seems like it's just loading some mysql information on behalf of the mysql_conf and mysql_session InSpec resources. Right?

mysql_conf -- DONE
=====================================================
Use the ``mysql_conf`` InSpec resource to test the contents of the configuration file for |mysql|, typically located at ``/etc/mysql/<version>/my.cnf``.

Syntax -- DONE
-----------------------------------------------------
A ``mysql_conf`` InSpec resource block declares one (or more) settings in the ``my.cnf`` file, and then compares the setting in the configuration file to the value stated in the test. For example:

.. code-block:: ruby

   describe mysql_conf('path') do
     its('setting') { should eq 'value' }
   end

where

* ``'setting'`` specifies a setting in the ``my.cnf`` file
* ``('path')`` is the non-default path to the ``my.cnf`` file
* ``should eq 'value'`` is the value that is expected

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

setting -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``setting`` matcher tests specific, named settings in the ``my.cnf`` file. For example:

.. code-block:: ruby

   its('setting') { should eq 'value' }

Use a ``setting`` matcher for each setting to be tested.

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test the maximum number of allowed connections**

.. code-block:: ruby

   describe mysql_conf do
     its('max_connections') { should eq '505' }
     its('max_user_connections') { should eq '500' }
   end

**Test slow query logging**

.. code-block:: ruby

   describe mysql_conf do
     its('slow_query_log_file') { should eq 'hostname_slow.log' }
     its('slow_query_log') { should eq '0' }
     its('log_queries_not_using_indexes') { should eq '1' }
     its('long_query_time') { should eq '0.5' }
     its('min_examined_row_limit') { should eq '100' }
   end

**Test the port and socket on which MySQL listens**

.. code-block:: ruby

   describe mysql_conf do
     its('port') { should eq '3306' }
     its('socket') { should eq '/var/run/mysqld/mysql.sock' }
   end

**Test connection and thread variables**

.. code-block:: ruby

   describe mysql_conf do
     its('port') { should eq '3306' }
     its('socket') { should eq '/var/run/mysqld/mysql.sock' }
     its('max_allowed_packet') { should eq '12M' }
     its('default_storage_engine') { should eq 'InnoDB' }
     its('character_set_server') { should eq 'utf8' }
     its('collation_server') { should eq 'utf8_general_ci' }
     its('max_connections') { should eq '505' }
     its('max_user_connections') { should eq '500' }
     its('thread_cache_size') { should eq '505' }
   end

**Test the safe-user-create parameter**

.. code-block:: ruby

   describe mysql_conf.params('mysqld') do
     its('safe-user-create') { should eq('1') }
   end

mysql_session -- DONE
=====================================================
Use the ``mysql_session`` InSpec resource to test SQL commands run against a |mysql| database.

Syntax -- DONE
-----------------------------------------------------
A ``mysql_session`` InSpec resource block declares the username and password to use for the session, and then the command to be run. For example:

.. code-block:: ruby

   sql = mysql_session('username', 'password')

   sql.describe('QUERY') do
     its('output') { should eq('') }
   end

where

* ``sql = mysql_session`` declares a username and password with permission to run the query
* ``describe('QUERY')`` contains the query to be run
* ``its('output') { should eq('') }`` compares the results of the query against the expected result in the test

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

output -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``output`` matcher tests the results of the query. For example:

.. code-block:: ruby

   its('output') { should match(/^0/) }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test for matching databases**

.. code-block:: ruby

   sql = mysql_session('my_user','password')

   sql.describe('show databases like \'test\';') do
     its(:stdout) { should_not match(/test/) }
   end

npm -- DONE
=====================================================
Use the ``npm`` InSpec resource to test if a global |npm| package is installed. |npm| is `the package manager for JavaScript packages <https://docs.npmjs.com>`__, such as |bower| and |statsd|.

Syntax -- DONE
-----------------------------------------------------
An ``npm`` InSpec resource block declares a package and (optionally) a package version. For example:

.. code-block:: ruby

   describe npm('npm_package_name') do
     it { should be_installed }
   end

where

* ``('npm_package_name')`` must specify an |npm| package, such as ``'bower'`` or ``'statsd'``
* ``be_installed`` is a valid matcher for this InSpec resource

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

be_installed -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``be_installed`` matcher tests if the named |npm| package and package version (if specified) is installed. For example:

.. code-block:: ruby

   it { should be_installed }

version -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``version`` matcher tests if the named package version is on the system. For example:

.. code-block:: ruby

   its('version') { should eq '1.2.3' }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Verify that bower is installed, with a specific version**

.. code-block:: ruby

   describe npm('bower') do
     it { should be_installed }
     its('version') { should eq '1.4.1' }
   end

**Verify that statsd is not installed**

.. code-block:: ruby

   describe npm('statsd') do
     it { should_not be_installed }
   end

ntp_conf -- DONE
=====================================================
Use the ``ntp_conf`` InSpec resource to test the synchronization settings defined in the ``ntp.conf`` file. This file is typically located at ``/etc/ntp.conf``.

Syntax -- DONE
-----------------------------------------------------
An ``ntp_conf`` InSpec resource block declares the synchronization settings that should be tested. For example:

.. code-block:: ruby

   describe ntp_conf('path') do
     its('setting_name') { should eq 'value' }
   end

where

* ``'setting_name'`` is a synchronization setting defined in the ``ntp.conf`` file
* ``('path')`` is the non-default path to the ``ntp.conf`` file
* ``{ should eq 'value' }`` is the value that is expected

Matchers -- DONE
-----------------------------------------------------
This InSpec resource matches any service that is listed in the ``ntp.conf`` file. For example:

.. code-block:: ruby

   its('server') { should_not eq nil }

or:

.. code-block:: ruby

   its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery' }

For example:

.. code-block:: ruby

   describe ntp_conf do
     its('server') { should_not eq nil }
     its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery' }
   end

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test for clock drift against named servers**

.. code-block:: ruby

   describe ntp_conf do
     its('driftfile') { should eq '/var/lib/ntp/ntp.drift' }
     its('server') { should eq [
       '0.ubuntu.pool.ntp.org',
       '1.ubuntu.pool.ntp.org',
       '2.ubuntu.pool.ntp.org'
     ] }
   end

oneget -- DONE
=====================================================
Use the ``oneget`` InSpec resource to test if the named package and/or package version is installed on the system. This resource uses |oneget|, which is `part of the Windows Management Framework 5.0 and Windows 10 <https://github.com/OneGet/oneget>`__. This resource uses the ``Get-Package`` cmdlet to return all of the package names in the |oneget| repository.

Syntax -- DONE
-----------------------------------------------------
A ``oneget`` InSpec resource block declares a package and (optionally) a package version. For example:

.. code-block:: ruby

   describe oneget('name') do
     it { should be_installed }
   end

where

* ``('name')`` must specify the name of a package, such as ``'VLC'``
* ``be_installed`` is a valid matcher for this InSpec resource

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

be_installed -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``be_installed`` matcher tests if the named package is installed on the system. For example:

.. code-block:: ruby

   it { should be_installed }

version -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``version`` matcher tests if the named package version is on the system. For example:

.. code-block:: ruby

   its('version') { should eq '1.2.3' }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test if VLC is installed**

.. code-block:: ruby

   describe oneget('VLC') do
     it { should be_installed }
   end

os -- DONE
=====================================================
Use the ``os`` InSpec resource to test the platform on which the system is running.

Syntax -- DONE
-----------------------------------------------------
An ``os`` InSpec resource block declares the platform to be tested. For example:

.. code-block:: ruby

   describe os do
     it { should eq 'platform' }
   end

where

* ``'platform'`` is one of ``bsd``, ``debian``, ``linux``, ``redhat``, ``solaris``, ``suse``, ``unix``, or ``windows``

Matchers -- DONE
-----------------------------------------------------
This InSpec resource does not have any matchers.

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test for RedHat**

.. code-block:: ruby

   describe os do
     it { should eq 'redhat' }
   end

**Test for Ubuntu**

.. code-block:: ruby

   describe os do
     it { should eq 'debian' }
   end

**Test for Microsoft Windows**

.. code-block:: ruby

   describe os do
     it { should eq 'windows' }
   end

os_env -- DONE
=====================================================
Use the ``os_env`` InSpec resource to test the environment variables for the platform on which the system is running.

Syntax -- DONE
-----------------------------------------------------
An ``os_env`` InSpec resource block declares an environment variable to be tested. For example:

.. code-block:: ruby

   describe os_env('VARIABLE') do
     its('matcher') { should eq 1 }
   end

where

* ``('VARIABLE')`` must specify an environment variable, such as ``PATH``
* ``matcher`` is a valid matcher for this InSpec resource

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

exit_status -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``exit_status`` matcher tests the exit status of the platform environment. For example:

.. code-block:: ruby

   its('exit_status') { should eq 0 }

split -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``split`` matcher tests the delimiter between environment variables. For example:

.. code-block:: ruby

   its('split') { should include('') }

or:

.. code-block:: ruby

   its('split') { should_not include('.') }

Use ``-1`` to test for cases where there is a trailing colon (``:``), such as ``dir1::dir2:``:

.. code-block:: ruby

   its('split') { should include('-1') }

stderr -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``stderr`` matcher tests environment variables after they are output to stderr. For example:

.. code-block:: ruby

   its('stderr') { should include('PWD=/root') }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test the PATH environment variable**

.. code-block:: ruby

   describe os_env('PATH') do |dirs|
     its('split') { should_not include('') }
     its('split') { should_not include('.') }
   end

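An empty ``PATH`` entry is searched as the current directory, and a trailing colon creates one that Ruby's ``String#split`` drops unless it is given a limit of ``-1``. The following added example (plain Ruby, not InSpec code; the function names and sample values are constructed here) shows the difference and flags the entries the ``PATH`` test above is meant to rule out.

```ruby
# Added example: plain Ruby, not InSpec code.

# Split a PATH-style value on ':' and keep every field. Without a limit,
# String#split discards trailing empty strings, which hides a trailing colon.
def path_entries(value)
  value.split(':', -1)
end

# Return [index, entry, reason] for each entry that makes command lookup
# depend on the directory the process happens to be in.
def risky_path_entries(value)
  findings = path_entries(value).each_with_index.map do |dir, index|
    reason =
      if dir.empty?
        'empty entry (searched as the current directory)'
      elsif dir == '.'
        'explicit current directory'
      elsif !dir.start_with?('/')
        'relative directory'
      end
    [index, dir, reason] if reason
  end
  findings.compact
end

# Constructed sample values.
CLEAN_PATH    = '/usr/local/bin:/usr/bin:/bin'
TRAILING_PATH = '/usr/bin:/bin:'
MIXED_PATH    = 'bin::/usr/bin:.'

if __FILE__ == $PROGRAM_NAME
  [CLEAN_PATH, TRAILING_PATH, MIXED_PATH].each do |value|
    puts "#{value.inspect}"
    puts "  split(':')     -> #{value.split(':').inspect}"
    puts "  split(':', -1) -> #{path_entries(value).inspect}"
    risky_path_entries(value).each do |index, dir, reason|
      puts "  entry #{index} #{dir.inspect}: #{reason}"
    end
  end
end
```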

package -- DONE
=====================================================
Use the ``package`` InSpec resource to test if the named package and/or package version is installed on the system.

Syntax -- DONE
-----------------------------------------------------
A ``package`` InSpec resource block declares a package and (optionally) a package version. For example:

.. code-block:: ruby

   describe package('name') do
     it { should be_installed }
   end

where

* ``('name')`` must specify the name of a package, such as ``'nginx'``
* ``be_installed`` is a valid matcher for this InSpec resource

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

be_installed -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``be_installed`` matcher tests if the named package is installed on the system. For example:

.. code-block:: ruby

   it { should be_installed }

version -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The ``version`` matcher tests if the named package version is on the system. For example:

.. code-block:: ruby

   its('version') { should eq '1.2.3' }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test if nginx version 1.9.5 is installed**

.. code-block:: ruby

   describe package('nginx') do
     it { should be_installed }
     its('version') { should eq '1.9.5' }
   end

**Test that a package is not installed**

.. code-block:: ruby

   describe package('some_package') do
     it { should_not be_installed }
   end

**Test if telnet is installed**

.. code-block:: ruby

   describe package('telnetd') do
     it { should_not be_installed }
   end

   describe inetd_conf do
     its('telnet') { should eq nil }
   end

**Test if ClamAV (an antivirus engine) is installed and running**

.. code-block:: ruby

   describe package('clamav') do
     it { should be_installed }
     its('version') { should eq '0.98.7' }
   end

   describe service('clamd') do
     it { should be_enabled }
     it { should be_installed }
     it { should be_running }
   end

parse_config -- DONE
2015-10-20 21:16:47 +00:00
=====================================================
2015-10-20 01:25:25 +00:00
Use the `` parse_config `` InSpec resource to test arbitrary configuration files, such as testing the results of a regular expression, ensuring that settings are commented out, testing for multiple values, and so on.
2015-10-19 20:44:20 +00:00
2015-10-20 01:25:25 +00:00
Syntax -- DONE
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-20 01:25:25 +00:00
A `` parse_config `` InSpec resource block declares the location of the configuration file to be tested, and then which settings in that file are to be tested. Because this InSpec resource relies on arbitrary configuration files, the test itself is often arbitrary and relies on custom |ruby| code. For example:
2015-10-19 16:05:10 +00:00
2015-10-20 01:25:25 +00:00
.. code-block :: ruby
2015-10-19 16:05:10 +00:00
2015-10-20 01:25:25 +00:00
output = command('some-command').stdout
describe parse_config(output, { data_config_option: value } ) do
its('setting') { should eq 1 }
end
or:
.. code-block :: ruby
audit = command('/sbin/auditctl -l').stdout
options = {
assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
multiple_values: true
}
describe parse_config(audit, options) do
its('setting') { should eq 1 }
end
where each test
* Must declare the location of the configuration file to be tested
* Must declare one (or more) settings to be tested
* May run a command to `` stdout `` , and then run the test against that output
* May use options to define how configuration data is to be parsed
Options -- DONE
-----------------------------------------------------
This InSpec resource supports the following options for parsing configuration data. Use them in an `` options `` block stated outside of (and immediately before) the actual test. For example:
.. code-block :: ruby
output = command('some-command').stdout
options = {
assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
multiple_values: true
}
describe parse_config(output, options) do
its('setting') { should eq 1 }
end
assignment_re -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Use `` assignment_re `` to test a key value using a regular expression. For example:
.. code-block :: ruby
'key = value'
may be tested using the following regular expression, which determines assignment from key to value:
.. code-block :: ruby
assignment_re: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/
comment_char -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Use `` comment_char `` to test for comments in a configuration file. For example:
.. code-block :: ruby
comment_char: '#'
key_vals -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Use `` key_vals `` to test how many values a key contains. For example:
.. code-block :: ruby
key = a b c
contains three values. To test that value to ensure it only contains one, use:
.. code-block :: ruby
key_vals: 1
multiple_values -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Use `` multiple_values `` to test for the presence of multiple key values. For example:
.. code-block :: ruby
'key = a' and 'key = b'
params['key'] = ['a', 'b']
or:
.. code-block :: ruby
'key = a' and 'key = b'
params['key'] = 'b'
To test if multiple values are present, use:
.. code-block :: ruby
multiple_values: false
The preceding test will fail with the first example and will pass with the second.
standalone_comments -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Use `` standalone_comments `` to test for comments in a configuration file and to ensure they are not integrated into the same lines as code. For example:
.. code-block :: ruby
'key = value # comment'
params['key'] = 'value'
or:
.. code-block :: ruby
'key = value # comment'
params['key'] = 'value # comment'
To test if comments are standalone, use:
.. code-block :: ruby
standalone_comments: true
The preceding test will fail with the second example and will pass with the first.
Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.
**Test the expiration time for new account passwords**
.. code-block :: ruby
output = command('useradd -D').stdout
describe parse_config(output) do
its('INACTIVE.to_i') { should be >= 35 }
end
**Test that bob is a user**
.. code-block :: ruby
describe parse_config(data, { multiple_values: true }) do
its('users') { should include 'bob'}
end
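How ``assignment_re``, ``comment_char`` and ``multiple_values`` shape the parsed result, as an added plain-Ruby sketch. It is not InSpec's own parser; ``parse_kv``, ``duplicate_keys`` and the sample data are constructed for illustration.

```ruby
# Added illustration, not InSpec's parser. parse_kv, duplicate_keys and
# SAMPLE_CONF are constructed names and data.

# Constructed sample: three "key: value" rows and one "key = value" row.
SAMPLE_CONF = <<~CONF
  # constructed sample
  INACTIVE: 35
  users: alice
  users: bob
  shell = /bin/sh
CONF

# The two delimiter styles shown in this section.
COLON_RE  = /^\s*([^:]*?)\s*:\s*(.*?)\s*$/
EQUALS_RE = /^\s*([^=]*?)\s*=\s*(.*?)\s*$/

def parse_kv(content, assignment_re:, comment_char: '#', multiple_values: false)
  params = {}
  content.each_line do |raw|
    line = raw.chomp
    # Skip blank lines and whole-line comments.
    next if line.strip.empty? || line.lstrip.start_with?(comment_char)

    m = assignment_re.match(line)
    next unless m # rows that do not match the delimiter are ignored

    key = m[1]
    value = m[2]
    if multiple_values
      # Every assignment is kept, in file order.
      (params[key] ||= []) << value
    else
      # Only the last assignment survives.
      params[key] = value
    end
  end
  params
end

# Keys assigned more than once (meaningful only with multiple_values: true).
def duplicate_keys(params)
  params.select { |_key, value| value.is_a?(Array) && value.length > 1 }.keys
end

if __FILE__ == $PROGRAM_NAME
  p parse_kv(SAMPLE_CONF, assignment_re: COLON_RE, multiple_values: true)
  p parse_kv(SAMPLE_CONF, assignment_re: COLON_RE)
  p parse_kv(SAMPLE_CONF, assignment_re: EQUALS_RE)
end
```

With ``multiple_values: false`` only the last ``users`` row is visible, so a check that must see every assignment of a key should parse with ``multiple_values: true``.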
parse_config_file -- DONE
=====================================================
Use the `` parse_config_file `` InSpec resource to test arbitrary configuration files.
Syntax -- DONE (is this really "identical" to the parse_config syntax?)
-----------------------------------------------------
A `` parse_config_file `` InSpec resource block declares the location of the configuration file to be tested, and then which settings in that file are to be tested. Because this InSpec resource relies on arbitrary configuration files, the test itself is often arbitrary and relies on custom |ruby| code. For example:
.. code-block :: ruby
output = command('some-command').stdout
describe parse_config_file(output, { data_config_option: value } ) do
its('setting') { should eq 1 }
end
or:
.. code-block :: ruby
audit = command('/sbin/auditctl -l').stdout
options = {
assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
multiple_values: true
}
describe parse_config_file(audit, options) do
its('setting') { should eq 1 }
end
where each test
* Must declare the location of the configuration file to be tested
* Must declare one (or more) settings to be tested
* May run a command to `` stdout `` , and then run the test against that output
* May use options to define how configuration data is to be parsed
.. or is this one more like this?
.. code-block :: ruby
audit = command('/sbin/auditctl -l').stdout
options = {
assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
multiple_values: true
}
describe parse_config_file(audit, options) do
its('setting') { should eq 1 }
end
where each test
* Must declare the location of the configuration file to be tested
* Must declare one (or more) settings to be tested
* May run a command to `` stdout `` , and then run the test against that output
* May use options to define how configuration data is to be parsed
Options -- DONE
-----------------------------------------------------
This InSpec resource supports the following options for parsing configuration data. Use them in an `` options `` block stated outside of (and immediately before) the actual test. For example:
.. code-block :: ruby
describe parse_config_file('/path/to/config/file') do
its('setting') { should eq 1 }
end
InSpec == inspec (command-line)
assignment_re -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
IDENTICAL TO parse_config << INCLUDE THEM IN BOTH SPOTS WHEN PUBLISHED
comment_char -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
IDENTICAL TO parse_config << INCLUDE THEM IN BOTH SPOTS WHEN PUBLISHED
key_vals -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
IDENTICAL TO parse_config << INCLUDE THEM IN BOTH SPOTS WHEN PUBLISHED
multiple_values -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
IDENTICAL TO parse_config << INCLUDE THEM IN BOTH SPOTS WHEN PUBLISHED
standalone_comments -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
IDENTICAL TO parse_config << INCLUDE THEM IN BOTH SPOTS WHEN PUBLISHED
Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.
**Test a configuration setting**
.. code-block :: ruby
describe parse_config_file('/path/to/file.conf') do
its('PARAM_X') { should eq 'Y' }
end
**Use options, and then test a configuration setting**
.. code-block :: ruby
describe parse_config_file('/path/to/file.conf', { multiple_values: true }) do
its('PARAM_X') { should include 'Y' }
end
passwd -- DONE
=====================================================
Use the `` passwd `` InSpec resource to test the contents of `` /etc/passwd `` , which contains the following information for users that may log into the system and for users that own running processes. The format for `` /etc/passwd `` includes:
* A username
* The password for that user
* The user identifier (UID) assigned to that user
* The group identifier (GID) assigned to that user
* Additional information about that user
* That user's home directory
* That user's default command shell
defined as a colon-delimited row in the file, one row per user. For example:
.. code-block :: bash
root:x:1234:5678:additional_info:/home/dir/:/bin/bash
Syntax -- DONE
-----------------------------------------------------
A `` passwd `` InSpec resource block declares one (or more) users and associated user information to be tested. For example:
.. code-block :: ruby
describe passwd do
its('matcher') { should eq 0 }
end
where
* `` count `` , `` gids `` , `` passwords `` , `` uid `` , `` uids `` , `` username `` , `` usernames `` , and `` users `` are valid matchers for this InSpec resource
Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.
count -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` count `` matcher tests the number of times the named user appears in `` /etc/passwd `` . For example:
.. code-block :: ruby
its('count') { should eq 1 }
gids -- ?????
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` gids `` matcher tests if xxxxx. For example:
.. code-block :: ruby
its('gids') { should eq 1234 }
passwords -- ?????
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` passwords `` matcher tests if xxxxx. For example:
.. code-block :: ruby
its('passwords') { should eq xxxxx }
uid -- ?????
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` uid `` matcher tests if xxxxx. For example:
.. code-block :: ruby
its('uid') { should eq xxxxx }
uids -- ?????
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` uids `` matcher tests if xxxxx. For example:
.. code-block :: ruby
its('uids') { should eq 1 }
username -- ?????
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` username `` matcher tests if xxxxx. For example:
.. code-block :: ruby
its('username') { should eq 'root' }
usernames -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` usernames `` matcher tests if the usernames in the test match the usernames in `` /etc/passwd `` . For example:
.. code-block :: ruby
its('usernames') { should eq ['root', 'www-data'] }
users -- ?????
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` users `` matcher tests if xxxxx. For example:
.. code-block :: ruby
its('users') { should eq 'root' }
Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.
**xxxxx**
.. code-block :: ruby
describe passwd do
its('usernames') { should eq 'root' }
its('uids') { should eq 1 }
end
**xxxxx**
.. code-block :: ruby
describe passwd.uid(0) do
its('username') { should eq 'root' }
its('count') { should eq 1 }
end
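The colon-delimited row format described above, parsed in plain Ruby with the kind of checks the ``passwd`` examples express (which accounts hold UID 0, how many rows match). This is an added sketch, not InSpec code; the helper names and sample rows are constructed.

```ruby
# Added illustration, not InSpec code. Helper names and sample rows are constructed.
PasswdEntry = Struct.new(:username, :password, :uid, :gid, :info, :home, :shell)

# Constructed sample in /etc/passwd format (seven colon-delimited fields per row).
SAMPLE_PASSWD = <<~ROWS
  root:x:0:0:root:/root:/bin/bash
  www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  backup::34:34:backup:/var/backups:/bin/sh
  toor:x:0:0:second account with uid 0:/root:/bin/bash
ROWS

def parse_passwd(content)
  rows = content.each_line.map(&:chomp).reject(&:empty?)
  rows.map do |row|
    fields = row.split(':', -1) # -1 keeps empty trailing fields
    raise ArgumentError, "expected 7 fields: #{row.inspect}" unless fields.length == 7

    name, pw, uid, gid, info, home, shell = fields
    PasswdEntry.new(name, pw, Integer(uid, 10), Integer(gid, 10), info, home, shell)
  end
end

# Rows for one UID; the caller can then ask for usernames or a row count.
def with_uid(entries, uid)
  entries.select { |e| e.uid == uid }
end

# Findings a reviewer would want flagged: UIDs shared by several accounts,
# and rows whose password field is empty (no password required).
def audit(entries)
  findings = []
  entries.group_by(&:uid).each do |uid, group|
    findings << [:shared_uid, uid, group.map(&:username)] if group.length > 1
  end
  entries.each do |e|
    findings << [:empty_password, e.username] if e.password.empty?
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_passwd(SAMPLE_PASSWD)
  puts "uid 0 accounts: #{with_uid(entries, 0).map(&:username).join(', ')}"
  audit(entries).each { |finding| p finding }
end
```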
pip -- DONE
=====================================================
Use the `` pip `` InSpec resource to test packages that are installed using the |pip| installer.
Syntax -- DONE
-----------------------------------------------------
A `` pip `` InSpec resource block declares a package and (optionally) a package version. For example:
.. code-block :: ruby
describe pip('Jinja2') do
it { should be_installed }
end
where
* `` 'Jinja2' `` is the name of the package
* `` be_installed `` tests to see if the `` Jinja2 `` package is installed
Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.
be_installed -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` be_installed `` matcher tests if the named package is installed on the system. For example:
.. code-block :: ruby
it { should be_installed }
version -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` version `` matcher tests if the named package version is on the system. For example:
.. code-block :: ruby
its('version') { should eq '1.2.3' }
Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.
**Test if Jinja2 is installed on the system**
.. code-block :: ruby
describe pip('Jinja2') do
it { should be_installed }
end
**Test if Jinja2 2.8 is installed on the system**
.. code-block :: ruby
describe pip('Jinja2') do
it { should be_installed }
its('version') { should eq '2.8' }
end
port -- DONE
=====================================================
Use the `` port `` InSpec resource to test basic port properties, such as the port, the process, and whether the port is listening.
Syntax -- DONE
-----------------------------------------------------
A `` port `` InSpec resource block declares a port, and then depending on what needs to be tested, a process, protocol, process identifier, and its state (is it listening?). For example:
.. code-block :: ruby
describe port(514) do
it { should be_listening }
its('process') { should eq 'syslog' }
end
where the `` syslog `` process is tested to see if it's listening on port 514.
Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.
be_listening -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` be_listening `` matcher tests if the port is listening for traffic. For example:
.. code-block :: ruby
it { should be_listening }
be_listening.with() -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` be_listening `` matcher can also test if the port is listening for traffic over a specific protocol or on local binding address. Use `` .with() `` to specify a protocol or local binding address. For example, a protocol:
.. code-block :: ruby
it { should be_listening.with('tcp') }
A local binding address:
.. code-block :: ruby
it { should be_listening.with('127.0.0.1:631') }
A protocol and a local binding address:
.. code-block :: ruby
it { should be_listening.with('tcp', '127.0.0.1:631') }
pid -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` pid `` matcher tests the process identifier (PID). For example:
.. code-block :: ruby
its('pid') { should eq '27808' }
process -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` process `` matcher tests if the named process is running on the system. For example:
.. code-block :: ruby
its('process') { should eq 'syslog' }
protocol -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` protocol `` matcher tests the Internet protocol: |icmp| (`` 'icmp' `` ), |tcp| (`` 'tcp' `` or `` 'tcp6' `` ), or |udp| (`` 'udp' `` or `` 'udp6' `` ). For example:
.. code-block :: ruby
its('protocol') { should eq 'tcp' }
or for the |ipv6| protocol:
.. code-block :: ruby
its('protocol') { should eq 'tcp6' }
Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.
**Test port 80, listening with the TCP protocol**
.. code-block :: ruby
describe port(80) do
it { should be_listening }
its('protocol') {should eq 'tcp'}
end
**Test port 80, listening with TCP version IPv6 protocol**
.. code-block :: ruby
describe port(80) do
it { should be_listening }
its('protocol') {should eq 'tcp6'}
end
**Test ports for SSL, then verify ciphers**
.. code-block :: ruby
describe port(80) do
it { should_not be_listening }
end
describe port(443) do
it { should be_listening }
its('protocol') {should eq 'tcp'}
end
describe sshd_config do
its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
end
postgres -- NOT AN InSpec resource?
=====================================================
TBD
.. This one seems like it's just loading some postgresql information on behalf of the postgres_conf and postgres_session InSpec resources. Right?
postgres_conf -- DONE
=====================================================
Use the `` postgres_conf `` InSpec resource to test the contents of the configuration file for |postgresql|, typically located at `` /etc/postgresql/<version>/main/postgresql.conf `` or `` /var/lib/postgres/data/postgresql.conf `` , depending on the platform.
Syntax -- DONE
-----------------------------------------------------
A `` postgres_conf `` InSpec resource block declares one (or more) settings in the `` postgresql.conf `` file, and then compares the setting in the configuration file to the value stated in the test. For example:
.. code-block :: ruby
describe postgres_conf('path') do
its('setting') { should eq 'value' }
end
where
* `` 'setting' `` specifies a setting in the `` postgresql.conf `` file
* `` ('path') `` is the non-default path to the `` postgresql.conf `` file
* `` should eq 'value' `` is the value that is expected
Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.
setting -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` setting `` matcher tests specific, named settings in the `` postgresql.conf `` file. For example:
.. code-block :: ruby
its('setting') { should eq 'value' }
Use a `` setting `` matcher for each setting to be tested.
Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.
**Test the maximum number of allowed client connections**
.. code-block :: ruby
describe postgres_conf do
its('max_connections') { should eq '5' }
end
**Test system logging**
.. code-block :: ruby
describe postgres_conf do
its('logging_collector') { should eq 'on' }
its('log_connections') { should eq 'on' }
its('log_disconnections') { should eq 'on' }
its('log_duration') { should eq 'on' }
its('log_hostname') { should eq 'on' }
its('log_line_prefix') { should eq '%t %u %d %h' }
end
**Test the port on which PostgreSQL listens**
.. code-block :: ruby
describe postgres_conf do
its('port') { should eq '5432' }
end
**Test the Unix socket settings**
.. code-block :: ruby
describe postgres_conf do
its('unix_socket_directories') { should eq '.s.PGSQL.5432' }
its('unix_socket_group') { should eq nil }
its('unix_socket_permissions') { should eq '0770' }
end
where `` unix_socket_group `` is set to the |postgresql| default setting (the group to which the server user belongs).
postgres_session -- DONE
=====================================================
Use the `` postgres_session `` InSpec resource to test SQL commands run against a |postgresql| database.
Syntax -- DONE
-----------------------------------------------------
A `` postgres_session `` InSpec resource block declares the username and password to use for the session, and then the command to be run. For example:
.. code-block :: ruby
sql = postgres_session('username', 'password')
sql.describe('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
its('output') { should eq('') }
end
where
* `` sql = postgres_session `` declares a username and password with permission to run the query
* `` describe('') `` contains the query to be run
* `` its('output') { should eq('') } `` compares the results of the query against the expected result in the test
Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.
output -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` output `` matcher tests the results of the query. For example:
.. code-block :: ruby
its('output') { should match(/^0/) }
Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.
**Test the PostgreSQL shadow password**
.. code-block :: ruby
sql = postgres_session('my_user', 'password')
sql.describe('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
its('output') { should eq('') }
end
**Test for risky database entries**
.. code-block :: ruby
sql = postgres_session('my_user', 'password')
sql.describe("SELECT count (*)
FROM pg_language
WHERE lanpltrusted = 'f'
AND lanname!='internal'
AND lanname!='c';") do
its('output') { should match(/^0/) }
end
processes -- DONE
=====================================================
Use the `` processes `` InSpec resource to test properties for programs that are running on the system.
Syntax -- DONE
-----------------------------------------------------
A `` processes `` InSpec resource block declares the name of the process to be tested, and then declares one (or more) property/value pairs. For example:
.. code-block :: ruby
describe processes('process_name') do
its('property_name') { should eq 'property_value' }
end
where
* `` processes('process_name') `` must specify the name of a process that is running on the system
* Multiple properties may be tested; for each property to be tested, use an `` its('property_name') `` statement
Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.
property_name -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` property_name `` matcher tests the named property for the specified value. For example:
.. code-block :: ruby
its('property_name') { should eq 'property_value' }
Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.
**Test if the list length for the mysqld process is 1**
.. code-block :: ruby
describe processes('mysqld') do
its('list.length') { should eq 1 }
end
**Test if the init process is owned by the root user**
.. code-block :: ruby
describe processes('init') do
its('user') { should eq 'root' }
end
**Test if a high-priority process is running**
.. code-block :: ruby
describe processes('some_process') do
its('state') { should eq 'R<' }
end
registry_key -- DONE
=====================================================
Use the `` registry_key `` InSpec resource to test key values in the |windows| registry.
Syntax -- DONE
-----------------------------------------------------
A `` registry_key `` InSpec resource block declares the item in the |windows| registry, the path to a setting under that item, and then one (or more) name/value pairs to be tested. For example:
.. code-block :: ruby
describe registry_key('registry_item', 'path\to\key') do
its('name') { should eq 'value' }
end
where
* `` 'registry_item' `` is a key in the |windows| registry
* `` 'path\to\key' `` is the path in the |windows| registry
* `` ('name') `` and `` 'value' `` represent the name of the key and the value assigned to that key
Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.
name -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` name `` matcher tests the value for the specified registry setting. For example:
.. code-block :: ruby
its('name') { should eq 'value' }
Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.
**Test the start time for the Schedule service**
.. code-block :: ruby
describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\...\Schedule') do
its('Start') { should eq 2 }
end
where `` 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule' `` is the full path to the setting.
script -- DONE
=====================================================
Use the `` script `` InSpec resource to test a |powershell| script on the |windows| platform.
.. this one is a bit of a wild guess.
Syntax -- DONE
-----------------------------------------------------
A `` script `` InSpec resource block declares xxxxx. For example:
.. code-block :: ruby
describe script do
its('script_name') { should include 'total_wild_guess' }
end
..
.. where
..
.. * ``xxxxx`` must specify xxxxx
.. * xxxxx
.. * ``xxxxx`` is a valid matcher for this InSpec resource
..
Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.
script_name -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` script_name `` matcher tests the named script against the value specified by the test. For example:
.. code-block :: ruby
its('script_name') { should include 'total_wild_guess' }
Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.
.. stoopid test below; probably need a better one
**Test that user Grantmc belongs to the Active Directory object**
.. code-block :: ruby
describe script do
its('ADObject') { should include 'Get-ADPermission -Identity Grantmc' }
end
security_policy -- DONE
=====================================================
2015-10-19 20:34:33 +00:00
Use the `` security_policy `` InSpec resource to test security policies on the |windows| platform.
2015-10-19 16:05:10 +00:00
Syntax -- DONE
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-19 20:34:33 +00:00
A `` security_policy `` InSpec resource block declares the name of a security policy and the value to be tested. For example:
2015-10-19 16:05:10 +00:00
.. code-block :: ruby
describe security_policy do
its('policy_name') { should eq 'value' }
end
where
* `` 'policy_name' `` must specify a security policy
* `` { should eq 'value' } `` tests the value of `` policy_name `` against the value declared in the test
Matchers -- DONE
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-19 20:34:33 +00:00
This InSpec resource has the following matchers.
2015-10-19 16:05:10 +00:00
policy_name -- DONE
2015-10-20 21:16:47 +00:00
+++++++++++++++++++++++++++++++++++++++++++++++++++++
2015-10-19 16:05:10 +00:00
The `` policy_name `` matcher must be the name of a security policy. For example:
.. code-block :: ruby
its('SeNetworkLogonRight') { should eq '*S-1-5-11' }
Examples -- DONE
2015-10-20 21:16:47 +00:00
-----------------------------------------------------
2015-10-20 21:04:07 +00:00
The following examples show how to use this InSpec resource in a test.
2015-10-19 16:05:10 +00:00
**Verify that only the Administrators group has remote access**
.. code-block :: ruby
describe security_policy do
its('SeRemoteInteractiveLogonRight') { should eq '*S-1-5-32-544' }
end
service -- DONE
=====================================================
Use the `` service `` InSpec resource to test if the named service is installed, running and/or enabled.

Syntax -- DONE
-----------------------------------------------------
A `` service `` InSpec resource block declares the name of a service and then one (or more) matchers to test the state of the service. For example:

.. code-block :: ruby

   describe service('service_name') do
     it { should be_installed }
     it { should be_enabled }
     it { should be_running }
   end

where

* `` ('service_name') `` must specify a service name
* `` be_installed `` , `` be_enabled `` , and `` be_running `` are valid matchers for this InSpec resource

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

be_enabled -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` be_enabled `` matcher tests if the named service is enabled. For example:

.. code-block :: ruby

   it { should be_enabled }

be_installed -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` be_installed `` matcher tests if the named service is installed. For example:

.. code-block :: ruby

   it { should be_installed }

be_running -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` be_running `` matcher tests if the named service is running. For example:

.. code-block :: ruby

   it { should be_running }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test if the postgresql service is both running and enabled**

.. code-block :: ruby

   describe service('postgresql') do
     it { should be_enabled }
     it { should be_running }
   end

**Test if the mysql service is both running and enabled**

.. code-block :: ruby

   describe service('mysqld') do
     it { should be_enabled }
     it { should be_running }
   end

**Test if ClamAV (an antivirus engine) is installed and running**

.. code-block :: ruby

   describe package('clamav') do
     it { should be_installed }
     its('version') { should eq '0.98.7' }
   end

   describe service('clamd') do
     it { should be_enabled }
     it { should be_installed }
     it { should be_running }
   end

ssh_config -- DONE
=====================================================
Use the `` ssh_config `` InSpec resource to test |openssh| |ssh| client configuration data located at `` /etc/ssh/ssh_config `` on |linux| and |unix| platforms.

Syntax -- DONE
-----------------------------------------------------
An `` ssh_config `` InSpec resource block declares the client |openssh| configuration data to be tested. For example:

.. code-block :: ruby

   describe ssh_config('path') do
     its('name') { should include('foo') }
   end

where

* `` name `` is a configuration setting in `` ssh_config ``
* `` ('path') `` is the non-default `` /path/to/ssh_config ``
* `` { should include('foo') } `` tests the value of `` name `` as read from `` ssh_config `` versus the value declared in the test

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

name -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` name `` matcher tests the value of `` name `` as read from `` ssh_config `` versus the value declared in the test. For example:

.. code-block :: ruby

   its('name') { should eq 'foo' }

or:

.. code-block :: ruby

   its('name') { should include('bar') }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test SSH configuration settings**

.. code-block :: ruby

   describe ssh_config do
     its('cipher') { should eq '3des' }
     its('port') { should eq '22' }
     its('hostname') { should include('example.com') }
   end

**Test which variables from the local environment are sent to the server**

.. code-block :: ruby

   return unless command('ssh').exist?

   describe ssh_config do
     its('SendEnv') { should include('GORDON_CLIENT') }
   end

**Test owner and group permissions**

.. code-block :: ruby

   describe ssh_config do
     its('owner') { should eq 'root' }
     its('mode') { should eq 644 }
   end

**Test SSH configuration**

.. code-block :: ruby

   describe ssh_config do
     its('Host') { should eq '*' }
     its('Tunnel') { should eq nil }
     its('SendEnv') { should eq 'LANG LC_*' }
     its('HashKnownHosts') { should eq 'yes' }
   end

sshd_config -- DONE
=====================================================
Use the `` sshd_config `` InSpec resource to test configuration data for the |openssh| daemon located at `` /etc/ssh/sshd_config `` on |linux| and |unix| platforms. sshd---the |openssh| daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges.

Syntax -- DONE
-----------------------------------------------------
An `` sshd_config `` InSpec resource block declares the |openssh| daemon configuration data to be tested. For example:

.. code-block :: ruby

   describe sshd_config('path') do
     its('name') { should include('foo') }
   end

where

* `` name `` is a configuration setting in `` sshd_config ``
* `` ('path') `` is the non-default `` /path/to/sshd_config ``
* `` { should include('foo') } `` tests the value of `` name `` as read from `` sshd_config `` versus the value declared in the test

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

name -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` name `` matcher tests the value of `` name `` as read from `` sshd_config `` versus the value declared in the test. For example:

.. code-block :: ruby

   its('name') { should eq 'foo' }

or:

.. code-block :: ruby

   its('name') { should include('bar') }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test which variables may be sent to the server**

.. code-block :: ruby

   return unless command('sshd').exist?

   describe sshd_config do
     its('AcceptEnv') { should include('GORDON_SERVER') }
   end

**Test for IPv6-only addresses**

.. code-block :: ruby

   return unless command('sshd').exist?

   describe sshd_config do
     its('AddressFamily') { should eq 'inet6' }
   end

**Test protocols**

.. code-block :: ruby

   describe sshd_config do
     its('Protocol') { should eq '2' }
   end

**Test ports for SSL, then verify ciphers**

.. code-block :: ruby

   describe port(80) do
     it { should_not be_listening }
   end

   describe port(443) do
     it { should be_listening }
     its('protocol') { should eq 'tcp' }
   end

   describe sshd_config do
     its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
   end

**Test SSH protocols**

.. code-block :: ruby

   describe sshd_config do
     its('Port') { should eq '22' }
     its('UsePAM') { should eq 'yes' }
     its('ListenAddress') { should eq nil }
     its('HostKey') { should eq [
       '/etc/ssh/ssh_host_rsa_key',
       '/etc/ssh/ssh_host_dsa_key',
       '/etc/ssh/ssh_host_ecdsa_key',
     ] }
   end

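
The tests above compare ``Port`` to the string ``'22'``, ``ListenAddress`` to ``nil`` and ``HostKey`` to an array. The following plain-Ruby sketch is an added example, not InSpec's own parser: it shows a simplified value model that produces those shapes and checks ciphers against an allow-list instead of one exact string. The helper names and both sample files are constructed for illustration, and ``Match`` blocks are ignored.

```ruby
# Added illustration; a simplified model, not InSpec's implementation.
# Both configuration samples below are constructed.
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed hardened example
  Port 22
  Protocol 2
  UsePAM yes
  HostKey /etc/ssh/ssh_host_rsa_key
  HostKey /etc/ssh/ssh_host_dsa_key
  HostKey /etc/ssh/ssh_host_ecdsa_key
  #ListenAddress 0.0.0.0
  Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
CONF

WEAK_SSHD_CONFIG = <<~CONF
  # constructed weak example
  Port 2222
  Protocol 2,1
  ListenAddress 0.0.0.0
  Ciphers aes256-ctr,3des-cbc
CONF

# Expected values and cipher list are the ones used in the tests on this page.
SSHD_EXPECTED = { 'Protocol' => '2', 'Port' => '22',
                  'UsePAM' => 'yes', 'ListenAddress' => nil }.freeze
ALLOWED_CIPHERS = %w[chacha20-poly1305@openssh.com aes256-ctr
                     aes192-ctr aes128-ctr].freeze

# Collect every value per keyword; keywords are case-insensitive and
# lines starting with '#' are comments.
def parse_sshd_config(text)
  settings = Hash.new { |hash, key| hash[key] = [] }
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    keyword, value = line.split(/\s*=\s*|\s+/, 2)
    next if value.nil? || value.empty?
    settings[keyword.downcase] << value
  end
  settings
end

# Absent keyword -> nil, one occurrence -> String, repeated -> Array.
def setting(settings, name)
  values = settings.fetch(name.downcase, [])
  case values.length
  when 0 then nil
  when 1 then values.first
  else values
  end
end

# Return the names of settings that deviate from the expected baseline.
def audit_sshd_config(text)
  conf = parse_sshd_config(text)
  failures = SSHD_EXPECTED.reject { |name, want| setting(conf, name) == want }.keys
  ciphers = Array(setting(conf, 'Ciphers')).first.to_s.split(',').map(&:strip)
  # An absent Ciphers line leaves the daemon on its defaults, so flag it too.
  failures << 'Ciphers' if ciphers.empty? || !(ciphers - ALLOWED_CIPHERS).empty?
  failures
end
```

The allow-list check accepts any subset or ordering of the approved ciphers, whereas the ``should eq`` form above fails on any difference in the string.
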
user -- DONE
=====================================================
Use the `` user `` InSpec resource to test user profiles, including the groups to which they belong, the frequency of required password changes, and the directory paths to home and shell.

Syntax -- DONE
-----------------------------------------------------
A `` user `` InSpec resource block declares a user name, and then one (or more) matchers. For example:

.. code-block :: ruby

   describe user('root') do
     it { should exist }
     its('uid') { should eq 1234 }
     its('gid') { should eq 1234 }
     its('group') { should eq 'root' }
     its('groups') { should eq ['root', 'other'] }
     its('home') { should eq '/root' }
     its('shell') { should eq '/bin/bash' }
     its('mindays') { should eq 0 }
     its('maxdays') { should eq 90 }
     its('warndays') { should eq 8 }
   end

where

* `` ('root') `` is the user to be tested
* `` it { should exist } `` tests if the user exists
* `` gid `` , `` group `` , `` groups `` , `` home `` , `` maxdays `` , `` mindays `` , `` shell `` , `` uid `` , and `` warndays `` are valid matchers for this InSpec resource

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

exist -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` exist `` matcher tests if the named user exists. For example:

.. code-block :: ruby

   it { should exist }

gid -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` gid `` matcher tests the group identifier. For example:

.. code-block :: ruby

   its('gid') { should eq 1234 }

where `` 1234 `` represents the group identifier.

group -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` group `` matcher tests the group to which the user belongs. For example:

.. code-block :: ruby

   its('group') { should eq 'root' }

where `` root `` represents the group.

groups -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` groups `` matcher tests two (or more) groups to which the user belongs. For example:

.. code-block :: ruby

   its('groups') { should eq ['root', 'other'] }

home -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` home `` matcher tests the home directory path for the user. For example:

.. code-block :: ruby

   its('home') { should eq '/root' }

maxdays -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` maxdays `` matcher tests the maximum number of days between password changes. For example:

.. code-block :: ruby

   its('maxdays') { should eq 99 }

where `` 99 `` represents the maximum number of days.

mindays -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` mindays `` matcher tests the minimum number of days between password changes. For example:

.. code-block :: ruby

   its('mindays') { should eq 0 }

where `` 0 `` represents the minimum number of days.

shell -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` shell `` matcher tests the path to the default shell for the user. For example:

.. code-block :: ruby

   its('shell') { should eq '/bin/bash' }

uid -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` uid `` matcher tests the user identifier. For example:

.. code-block :: ruby

   its('uid') { should eq 1234 }

where `` 1234 `` represents the user identifier.

warndays -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` warndays `` matcher tests the number of days a user is warned before a password must be changed. For example:

.. code-block :: ruby

   its('warndays') { should eq 5 }

where `` 5 `` represents the number of days a user is warned.

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Verify available users for the MySQL server**

.. code-block :: ruby

   describe user('root') do
     it { should exist }
     it { should belong_to_group 'root' }
     its('uid') { should eq 0 }
     its('groups') { should eq ['root'] }
   end

   describe user('mysql') do
     it { should_not exist }
   end

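
To show where values such as ``uid``, ``groups``, ``mindays``, ``maxdays`` and ``warndays`` come from on |linux|, the following plain-Ruby sketch (an added example, not InSpec's own code) derives them from passwd, shadow and group entries and flags accounts whose password aging is too lax. The helper names, the sample entries and the 90-day and 7-day thresholds are assumptions made for illustration.

```ruby
# Added illustration; not InSpec's implementation. All entries are constructed.
SAMPLE_PASSWD = <<~EOS
  root:x:0:0:root:/root:/bin/bash
  svc_backup:x:1234:1234:Backup:/home/svc_backup:/bin/bash
EOS

# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = <<~EOS
  root:!:16728:0:90:8:::
  svc_backup:!:16728:0:99999:7:::
EOS

SAMPLE_GROUP = <<~EOS
  root:x:0:
  other:x:1:root
  svc_backup:x:1234:
EOS

# Split a colon-separated account file, keeping empty trailing fields.
def parse_colon_file(text)
  text.each_line.map { |line| line.chomp.split(':', -1) }
      .reject { |fields| fields.first.to_s.empty? }
end

# An empty aging field means "not set", which is returned as nil.
def days(field)
  field.nil? || field.empty? ? nil : Integer(field, 10)
end

# Build a profile keyed by the matcher names used on this page;
# returns nil when the user does not exist.
def user_profile(name, passwd:, shadow:, group:)
  pw = parse_colon_file(passwd).find { |f| f[0] == name }
  return nil if pw.nil?
  sh = parse_colon_file(shadow).find { |f| f[0] == name } || []
  groups = parse_colon_file(group)
  gid = Integer(pw[3], 10)
  primary = groups.find { |g| Integer(g[2], 10) == gid }
  extra = groups.select { |g| g[3].to_s.split(',').include?(name) }.map(&:first)
  {
    uid: Integer(pw[2], 10), gid: gid,
    group: primary && primary[0],
    groups: ([primary && primary[0]] + extra).compact.uniq,
    home: pw[5], shell: pw[6],
    mindays: days(sh[3]), maxdays: days(sh[4]), warndays: days(sh[5])
  }
end

# Thresholds are example policy values, not InSpec defaults.
def aging_findings(profile, max_allowed: 90, min_warn: 7)
  findings = []
  findings << :maxdays if profile[:maxdays].nil? || profile[:maxdays] > max_allowed
  findings << :warndays if profile[:warndays].nil? || profile[:warndays] < min_warn
  findings
end
```

An unset or very large maximum age (such as ``99999``) means the password effectively never expires, which an exact ``should eq`` test on one account will not reveal across a fleet.
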
windows_feature -- DONE
=====================================================
Use the `` windows_feature `` InSpec resource to test features on |windows|. The `` Get-WindowsFeature `` cmdlet returns the following values: `` Property Name `` , `` DisplayName `` , `` Description `` , `` Installed `` , and `` InstallState `` , returned as a |json| object similar to:

.. code-block :: javascript

   {
     "Name": "XPS-Viewer",
     "DisplayName": "XPS Viewer",
     "Description": "The XPS Viewer reads, sets permissions, and digitally signs XPS documents.",
     "Installed": false,
     "InstallState": 0
   }

Syntax -- DONE
-----------------------------------------------------
A `` windows_feature `` InSpec resource block declares the name of the |windows| feature, tests if that feature is installed, and then returns information about that feature. For example:

.. code-block :: ruby

   describe windows_feature('feature_name') do
     it { should be_installed }
   end

where

* `` ('feature_name') `` must specify a |windows| feature name, such as `` DHCP Server `` or `` IIS-Webserver ``
* `` be_installed `` is a valid matcher for this InSpec resource

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

be_installed -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` be_installed `` matcher tests if the named |windows| feature is installed. For example:

.. code-block :: ruby

   it { should be_installed }

If the feature is installed, the `` Get-WindowsFeature `` cmdlet is run and the name, display name, description, and install state are returned as a |json| object.

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test the DHCP Server feature**

.. code-block :: ruby

   describe windows_feature('DHCP Server') do
     it { should be_installed }
   end

yaml -- DONE
=====================================================
Use the `` yaml `` InSpec resource to test configuration data in a |yaml| file.

Syntax -- DONE
-----------------------------------------------------
A `` yaml `` InSpec resource block declares the configuration data to be tested. For example:

.. code-block :: ruby

   describe yaml do
     its('name') { should eq 'foo' }
   end

where

* `` name `` is a configuration setting in a |yaml| file
* `` should eq 'foo' `` tests a value of `` name `` as read from a |yaml| file versus the value declared in the test

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

name -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` name `` matcher tests the value of `` name `` as read from a |yaml| file versus the value declared in the test. For example:

.. code-block :: ruby

   its('name') { should eq 'foo' }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test a kitchen.yml file driver**

.. code-block :: ruby

   describe yaml('.kitchen.yaml') do
     its('driver.name') { should eq('vagrant') }
   end

yum -- DONE
=====================================================
Use the `` yum `` InSpec resource to test packages in the |yum| repository.

Syntax -- DONE
-----------------------------------------------------
A `` yum `` InSpec resource block declares a package repo, tests if the package repository is present, and tests if that package repository is a valid package source (i.e. "is enabled"). For example:

.. code-block :: ruby

   describe yum.repo('name') do
     it { should exist }
     it { should be_enabled }
   end

where

* `` repo('name') `` is the (optional) name of a package repo, using either a full identifier (`` 'updates/7/x86_64' `` ) or a short identifier (`` 'updates' `` )

Matchers -- DONE
-----------------------------------------------------
This InSpec resource has the following matchers.

be_enabled -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` be_enabled `` matcher tests if the package repository is a valid package source. For example:

.. code-block :: ruby

   it { should be_enabled }

exist -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` exist `` matcher tests if the package repository exists. For example:

.. code-block :: ruby

   it { should exist }

repo('name') -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` repo('name') `` matcher names a specific package repository. For example:

.. code-block :: ruby

   describe yum.repo('epel') do
     ...
   end

repos -- DONE
+++++++++++++++++++++++++++++++++++++++++++++++++++++
The `` repos `` matcher tests if a named repo, using either a full identifier (`` 'updates/7/x86_64' `` ) or a short identifier (`` 'updates' `` ), is included in the |yum| repo:

.. code-block :: ruby

   its('repos') { should include 'some_repo' }

Examples -- DONE
-----------------------------------------------------
The following examples show how to use this InSpec resource in a test.

**Test if the yum repo exists**

.. code-block :: ruby

   describe yum do
     its('repos') { should exist }
   end

**Test if the 'base/7/x86_64' repo exists and is enabled**

.. code-block :: ruby

   describe yum do
     its('repos') { should include 'base/7/x86_64' }
     its('epel') { should exist }
     its('epel') { should be_enabled }
   end

**Test if a specific yum repo exists**

.. code-block :: ruby

   describe yum.repo('epel') do
     it { should exist }
     it { should be_enabled }
   end