Merge branch 'master' of https://github.com/inspec/inspec into al-mitre/more-permissive-than

Signed-off-by: Aaron Lippold <lippold@gmail.com>
Aaron Lippold 2019-03-28 08:22:20 -04:00
commit 1e9f8fd018
193 changed files with 1126 additions and 444 deletions

View file

@ -1,30 +1,33 @@
# Change Log
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
<!-- latest_release 3.7.8 -->
## [v3.7.8](https://github.com/inspec/inspec/tree/v3.7.8) (2019-03-18)
#### Enhancements
- Allow http resource to follow redirects [#3509](https://github.com/inspec/inspec/pull/3509) ([cattywampus](https://github.com/cattywampus))
<!-- latest_release -->
<!-- latest_release -->
<!-- release_rollup since=3.7.1 -->
### Changes since 3.7.1 release
#### Enhancements
- Allow http resource to follow redirects [#3509](https://github.com/inspec/inspec/pull/3509) ([cattywampus](https://github.com/cattywampus)) <!-- 3.7.8 -->
- Move all gem installation to Gemfile/bundle install [#3860](https://github.com/inspec/inspec/pull/3860) ([lamont-granquist](https://github.com/lamont-granquist)) <!-- 3.7.7 -->
#### Bug Fixes
- iis_app_pool: Fix PowerShell JSON parsing error [#3842](https://github.com/inspec/inspec/pull/3842) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 3.7.6 -->
- http resource: Add fallback to `#to_s` [#3843](https://github.com/inspec/inspec/pull/3843) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 3.7.5 -->
#### Merged Pull Requests
- Adds a v4 release to the expeditor config [#3816](https://github.com/inspec/inspec/pull/3816) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 3.7.4 -->
- Rewrite inspec-habitat plugin [#3818](https://github.com/inspec/inspec/pull/3818) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) <!-- 3.7.3 -->
- Add InSpec init profile for Azure. [#3861](https://github.com/inspec/inspec/pull/3861) ([skpaterson](https://github.com/skpaterson)) <!-- 3.7.2 -->
<!-- release_rollup -->
<!-- release_rollup -->
<!-- latest_stable_release -->
## [v3.7.11](https://github.com/inspec/inspec/tree/v3.7.11) (2019-03-22)
#### Enhancements
- Move all gem installation to Gemfile/bundle install [#3860](https://github.com/inspec/inspec/pull/3860) ([lamont-granquist](https://github.com/lamont-granquist))
- Allow http resource to follow redirects [#3509](https://github.com/inspec/inspec/pull/3509) ([cattywampus](https://github.com/cattywampus))
- Decoupling test profiles from example profiles [#3889](https://github.com/inspec/inspec/pull/3889) ([devoptimist](https://github.com/devoptimist))
- Add caching to Inspec::Config [#3873](https://github.com/inspec/inspec/pull/3873) ([clintoncwolfe](https://github.com/clintoncwolfe))
#### Bug Fixes
- http resource: Add fallback to `#to_s` [#3843](https://github.com/inspec/inspec/pull/3843) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
- iis_app_pool: Fix PowerShell JSON parsing error [#3842](https://github.com/inspec/inspec/pull/3842) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
- Repair anchor links to use dashes instead of underscores [#3890](https://github.com/inspec/inspec/pull/3890) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Re-add a bespoke unf_ext to our omnibus build [#3902](https://github.com/inspec/inspec/pull/3902) ([clintoncwolfe](https://github.com/clintoncwolfe))
#### Merged Pull Requests
- Add InSpec init profile for Azure. [#3861](https://github.com/inspec/inspec/pull/3861) ([skpaterson](https://github.com/skpaterson))
- Rewrite inspec-habitat plugin [#3818](https://github.com/inspec/inspec/pull/3818) ([jerryaldrichiii](https://github.com/jerryaldrichiii))
- Adds a v4 release to the expeditor config [#3816](https://github.com/inspec/inspec/pull/3816) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Fixes resource example indentation [#3898](https://github.com/inspec/inspec/pull/3898) ([burtlo](https://github.com/burtlo))
<!-- latest_stable_release -->
## [v3.7.1](https://github.com/inspec/inspec/tree/v3.7.1) (2019-03-02)
#### New Features
@ -47,7 +50,6 @@
- Attribute-&gt;Input Rename: Rename Classes and Methods [#3811](https://github.com/inspec/inspec/pull/3811) ([clintoncwolfe](https://github.com/clintoncwolfe))
- add json example from http request [#3827](https://github.com/inspec/inspec/pull/3827) ([jtimberman](https://github.com/jtimberman))
- Update the integration tests to use dokken-images and newer Chef technologies [#3814](https://github.com/inspec/inspec/pull/3814) ([tas50](https://github.com/tas50))
<!-- latest_stable_release -->
## [v3.6.6](https://github.com/inspec/inspec/tree/v3.6.6) (2019-02-12)

View file

@ -1,7 +1,7 @@
FROM ruby:alpine
MAINTAINER Chef Software, Inc. <docker@chef.io>
ARG VERSION=3.7.1
ARG VERSION=3.7.11
ARG GEM_SOURCE=https://rubygems.org
RUN mkdir -p /share
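Review bot: `FROM ruby:alpine` at the top of this hunk is a floating tag, so bumping `ARG VERSION=3.7.11` pins the InSpec gem but not the Ruby or Alpine layers underneath it. Two builds of the same Dockerfile can produce different images. Suggest pinning the base image to a specific tag or digest alongside the version bump. `MAINTAINER` is also deprecated in favour of a `LABEL`.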

View file

@ -9,7 +9,7 @@ gem 'aws-sdk', '~> 2'
group :omnibus do
gem 'rb-readline'
gem 'appbundler'
gem 'unf_ext', git: 'https://github.com/jquick/ruby-unf_ext.git', ref: 'c0b3bd922214a172976f6f368c0b4e4fbf91ed78'
gem 'unf_ext', git: 'https://github.com/chef/ruby-unf_ext.git', ref: '55d872fb15f3a26e4ee8f8dbe7ba859c80d40383'
end
group :test do
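Review bot: The `unf_ext` line in the `:omnibus` group carries no comment explaining why the omnibus build needs a fork or how the pinned commit differs from the released gem. Pinning by full commit SHA is the right way to consume a git-sourced gem, but the Gemfile alone gives a later reader no way to judge whether the fork can be dropped or what to audit when the ref changes. Suggest a one-line comment above it stating the reason and pointing at the PR this commit's changelog lists for it (#3902, "Re-add a bespoke unf_ext to our omnibus build").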

View file

@ -1 +1 @@
3.7.8
3.7.11

View file

@ -4,8 +4,8 @@ This document should help you become familiar with some of the terminology used
There are two ways to use it:
* A [text glossary](#text_glossary). Learn the meaning of a word you have encountered.
* A [visual glossary](#visual_glossary). Look at examples and see how the parts are labelled. You can then use the text glossary to read details of each concept.
* A [text glossary](#text-glossary). Learn the meaning of a word you have encountered.
* A [visual glossary](#visual-glossary). Look at examples and see how the parts are labelled. You can then use the text glossary to read details of each concept.
## Visual Glossary
@ -30,31 +30,31 @@ end
#### describe car(owner: 'Tony Clifton') do
_car_ is a [resource](#resource). Since we are talking about only one car, it is a [singular resource](#singular_resource).
_car_ is a [resource](#resource). Since we are talking about only one car, it is a [singular resource](#singular-resource).
#### describe car(_owner: 'Tony Clifton'_)
_owner_ is a [resource parameter](#resource_parameter) and _'Tony Clifton'_ is a resource parameter value.
_owner_ is a [resource parameter](#resource-parameter) and _'Tony Clifton'_ is a resource parameter value.
#### _it { should exist }_
Each line within the resource block beginning with `it` or `its` is a [test](#test). Use [it](#it) to access [resource-specific matchers](#resource_specific_matcher), and use [its](#its) to access [properties](#property) of the [resource](#resource), which are in turn used with [universal matchers](#universal_matcher).
Each line within the resource block beginning with `it` or `its` is a [test](#test). Use [it](#it) to access [resource-specific matchers](#resource-specific-matcher), and use [its](#its) to access [properties](#property) of the [resource](#resource), which are in turn used with [universal matchers](#universal-matcher).
#### its('_license\_plate_') { should cmp 'MOONMAN' }
_license\_plate_ is a [property](#property) belonging to the [resource](#resource). Properties expose testable information about the resource. Some properties are numbers, some (like this one) are text, some are lists, and some are more complex objects. Properties are always used with [universal matchers](#universal_matcher).
_license\_plate_ is a [property](#property) belonging to the [resource](#resource). Properties expose testable information about the resource. Some properties are numbers, some (like this one) are text, some are lists, and some are more complex objects. Properties are always used with [universal matchers](#universal-matcher).
#### its('license\_plate') { should _cmp_ 'MOONMAN' }
_cmp_ is a [universal matcher](#universal_matcher). `cmp` is a very flexible, loosely typed equality operator; here it checks to see if the license plate text is the same as the text 'MOONMAN'. Notice that the test operates on the license plate text (the property value) and not on the resource. You can find the full list of supported universal matchers on the [Universal Matcher page](https://www.inspec.io/docs/reference/matchers/).
_cmp_ is a [universal matcher](#universal-matcher). `cmp` is a very flexible, loosely typed equality operator; here it checks to see if the license plate text is the same as the text 'MOONMAN'. Notice that the test operates on the license plate text (the property value) and not on the resource. You can find the full list of supported universal matchers on the [Universal Matcher page](https://www.inspec.io/docs/reference/matchers/).
#### its('license\_plate') { should cmp _'MOONMAN'_ }
_'MOONMAN'_ is an [expected result](#expected_result). Some matchers take an expected result; others do not.
_'MOONMAN'_ is an [expected result](#expected-result). Some matchers take an expected result; others do not.
#### it { should _be\_classy_ }
_be\_classy_ is a [resource-specific matcher](#resource_specific_matcher). It returns a yes-or-no value, based on whether Tony's car is classy or not. (It is. Tony is a classy guy.)
_be\_classy_ is a [resource-specific matcher](#resource-specific-matcher). It returns a yes-or-no value, based on whether Tony's car is classy or not. (It is. Tony is a classy guy.)
#### it { _should\_not_ have\_check\_engine\_light\_on }
@ -72,19 +72,19 @@ _should\_not_ indicates this is a negated test. So, this test passes if the matc
#### describe _cars_.where(color: /^b/) do
_cars_ is a [resource](#resource). Since we are potentially talking about many cars, it is a [plural resource](#plural_resource).
_cars_ is a [resource](#resource). Since we are potentially talking about many cars, it is a [plural resource](#plural-resource).
#### describe cars._where(color: /^b/)_ do
_where(color: /^b/)_ is a [filter statement](#filter_statement). Without a filter statement, `cars` simply selects all the cars in the world.
_where(color: /^b/)_ is a [filter statement](#filter-statement). Without a filter statement, `cars` simply selects all the cars in the world.
#### describe cars.where(_color: /^b/_) do
_color_ is a [filter criterion](#filter_criteria) along with its filter value, _/^b/_. Here, the criterion expresses that we want to select all cars whose colors begin with the letter 'b' - blue, brown, burgundy, etc.
_color_ is a [filter criterion](#filter-criteria) along with its filter value, _/^b/_. Here, the criterion expresses that we want to select all cars whose colors begin with the letter 'b' - blue, brown, burgundy, etc.
#### _it { should exist }_
Each line within the resource block beginning with `it` or `its` is a [test](#test). Use [it](#it) to access [resource-specific matchers](#resource_specific_matcher), and use [its](#its) to access [properties](#property) of the [resource](#resource), which are in turn used with [universal matchers](#universal_matcher).
Each line within the resource block beginning with `it` or `its` is a [test](#test). Use [it](#it) to access [resource-specific matchers](#resource-specific-matcher), and use [its](#its) to access [properties](#property) of the [resource](#resource), which are in turn used with [universal matchers](#universal-matcher).
With plural resources, `exist` has a special meaning: did the filter match anything?
@ -94,11 +94,11 @@ _manufacturers_ is a [property](#property) of the [resource](#resource). Propert
#### its('manufacturers') { should _include_ 'Cadillac' }
_include_ is a [universal matcher](#universal_matcher). `include` works with lists, and checks to see if an expected result is present. Here, it checks to see if the list of manufacturers contains an entry with the text 'Cadillac'. Notice it operates on the manufacturers list (the property value) and not on the resource. You can find the full list of supported universal matchers on the [Universal Matcher page](https://www.inspec.io/docs/reference/matchers/).
_include_ is a [universal matcher](#universal-matcher). `include` works with lists, and checks to see if an expected result is present. Here, it checks to see if the list of manufacturers contains an entry with the text 'Cadillac'. Notice it operates on the manufacturers list (the property value) and not on the resource. You can find the full list of supported universal matchers on the [Universal Matcher page](https://www.inspec.io/docs/reference/matchers/).
#### its('manufacturers') { should include '_Cadillac_' }
_'Cadillac'_ is an [expected result](#expected_result). Some matchers take an expected result; others do not.
_'Cadillac'_ is an [expected result](#expected-result). Some matchers take an expected result; others do not.
#### its('count') { should _be >=_ 10 }
@ -118,7 +118,7 @@ The syntax for accessing attributes within a profile is documented in the [profi
### control block
The _`control`_ keyword is used to declare a _`control block`_. Here, the word 'control' means a 'regulatory control, recommendation, or requirement' - not a software engineering construct. A `control block` has a name (which usually refers to the assigned ID of the regulatory recommendation it implements), metadata such as descriptions, references, and tags, and finally groups together related [describe blocks](#describe_block) to implement the checks.
The _`control`_ keyword is used to declare a _`control block`_. Here, the word 'control' means a 'regulatory control, recommendation, or requirement' - not a software engineering construct. A `control block` has a name (which usually refers to the assigned ID of the regulatory recommendation it implements), metadata such as descriptions, references, and tags, and finally groups together related [describe blocks](#describe-block) to implement the checks.
### core resource
@ -147,7 +147,7 @@ end
_DSL_ is an acronym for _Domain Specific Language_. It refers to the language extensions InSpec provides to make authoring resources and controls easier. While InSpec control files are use Ruby, the _Control DSL_ makes it easy to write controls without knowledge of Ruby by providing DSL keywords such as [describe](#describe), [control](#control), [it](#it) and [its](#its). See the [InSpec DSL page](https://www.inspec.io/docs/reference/dsl_inspec/) for details about keywords available to control authors.
For [custom resource](#custom_resource) authors, an additional DSL is available - see the [Resource DSL page](https://www.inspec.io/docs/reference/dsl_resource/).
For [custom resource](#custom-resource) authors, an additional DSL is available - see the [Resource DSL page](https://www.inspec.io/docs/reference/dsl_resource/).
### expected result
@ -163,7 +163,7 @@ end
### filter statement
When using a [plural resource](#plural_resource), a _`filter statement`_ is used to select individual test subjects using [filter criteria](#filter_criteria). A filter statement almost always is indicated by the keyword `where`, and may be repeated using method chaining.
When using a [plural resource](#plural-resource), a _`filter statement`_ is used to select individual test subjects using [filter criteria](#filter-criteria). A filter statement almost always is indicated by the keyword `where`, and may be repeated using method chaining.
A filter statement may use method call syntax (which allows basic criteria operations, such as equality, regex matching, and ruby `===` comparison) or block syntax (which allows arbitrary code).
@ -180,7 +180,7 @@ end
### filter criteria
When using a [plural resource](#plural_resource), a _`filter criterion`_ is used to select individual test subjects within a [filter statement](#filter_statement). You may use multiple _`filter criteria`_ in a single filter statement.
When using a [plural resource](#plural-resource), a _`filter criterion`_ is used to select individual test subjects within a [filter statement](#filter-statement). You may use multiple _`filter criteria`_ in a single filter statement.
When method-call syntax is used with the filter statement, you provide filter criteria as a Hash, with filter criteria names as keys, and conditions as the Hash values. You may provide test, true/false, or numbers, in which case the comparison is equality; or you may provide a regular expression, in which case a match is performed.
@ -206,7 +206,7 @@ end
### it
Within a [describe block](#describe), _`it`_ declares an individual [test](#test) directly against the [resource](#resource) (as opposed to testing against one of the resource's [properties](#property), as [its](#its) does). Though it is possible to use [universal matchers](#universal_matcher) with `it`, it is much more typical to use [resource-specific matchers](#resource_specific_matchers).
Within a [describe block](#describe), _`it`_ declares an individual [test](#test) directly against the [resource](#resource) (as opposed to testing against one of the resource's [properties](#property), as [its](#its) does). Though it is possible to use [universal matchers](#universal-matcher) with `it`, it is much more typical to use [resource-specific matchers](#resource-specific-matchers).
`it` may be used with `should`, or negated using `should_not`.
@ -220,7 +220,7 @@ end
### its
Within a [describe block](#describe), _`its`_ declares an individual [test](#test) against a property of the [resource](#resource) (as opposed to testing directly against the resource itself, as [it](#it) does). You must use [universal matchers](#universal_matcher) with `its`; you cannot use [resource-specific matchers](#resource_specific_matchers).
Within a [describe block](#describe), _`its`_ declares an individual [test](#test) against a property of the [resource](#resource) (as opposed to testing directly against the resource itself, as [it](#it) does). You must use [universal matchers](#universal-matcher) with `its`; you cannot use [resource-specific matchers](#resource-specific-matchers).
`its` may be used with `should`, or negated using `should_not`.
@ -240,10 +240,10 @@ end
A _`matcher`_ performs the actual assertions against [resources](#resource) or the [properties](#property) of resources. Matchers always return a true/false value. Matchers fall into two camps:
* [resource-specific matchers](#resource_specific_matchers), which operate directly on the resource, are used with [it](#it), and tend to be highly customized to the auditing needs of the resource
* [universal matchers](#universal_matchers), which operate on the properties of the resource, are used with [its](#its), and tend to be very generic, operating on text, numbers, and lists
* [resource-specific matchers](#resource-specific-matchers), which operate directly on the resource, are used with [it](#it), and tend to be highly customized to the auditing needs of the resource
* [universal matchers](#universal-matchers), which operate on the properties of the resource, are used with [its](#its), and tend to be very generic, operating on text, numbers, and lists
Some matchers accept parameters, called [expected results](#expected_results).
Some matchers accept parameters, called [expected results](#expected-results).
For information on how RSpec matchers are related o InSpec matchers, see [InSpec and RSpec](https://www.inspec.io/docs/reference/inspec_and_friends/#rspec).
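Review bot: The three links changed in this hunk still point at plural anchors (`#resource-specific-matchers`, `#universal-matchers`, `#expected-results`), while the headings visible in this diff are singular (`### universal matcher`, `### expected result`) and other hunks link to `#universal-matcher` and `#expected-result`. Replacing underscores with dashes does not repair these; drop the trailing `s` so they resolve. The `it` and `its` hunks carry the same `#resource-specific-matchers` link. The context line "related o InSpec matchers" is also missing a "t" in "to".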
@ -258,11 +258,11 @@ end
### plural resource
A _`plural resource`_ is a [resource](#resource) that specializes in performing searches and represents multiple occurrences of the resource on the [target](#target) platform. Plural resources are used to audit counts, inspect group properties, and have the unique ability to enforce negative tests ("nothing like this should exist") often required by compliance standards. Plural resources are not intended to perform in-depth auditing of an individual; use [singular resources](#singular_resource) for that.
A _`plural resource`_ is a [resource](#resource) that specializes in performing searches and represents multiple occurrences of the resource on the [target](#target) platform. Plural resources are used to audit counts, inspect group properties, and have the unique ability to enforce negative tests ("nothing like this should exist") often required by compliance standards. Plural resources are not intended to perform in-depth auditing of an individual; use [singular resources](#singular-resource) for that.
Plural resources nearly always have a name that ends in 's': `processes`, `aws_security_groups`, `cars`. Plural resources generally do not have [resource-specific matchers](#resource_specific_matcher). If they have properties, they are almost always list properties, meaning that they return a list of values, which may or may not be de-duplicated.
Plural resources nearly always have a name that ends in 's': `processes`, `aws_security_groups`, `cars`. Plural resources generally do not have [resource-specific matchers](#resource-specific-matcher). If they have properties, they are almost always list properties, meaning that they return a list of values, which may or may not be de-duplicated.
Plural resources support [filter statements](#filter_statement). See the [resource documentation](https://www.inspec.io/docs/reference/resources/) for details regarding which [filter criteria](#filter_criteria) are supported on each resource.
Plural resources support [filter statements](#filter-statement). See the [resource documentation](https://www.inspec.io/docs/reference/resources/) for details regarding which [filter criteria](#filter-criteria) are supported on each resource.
Here, `cars` is a plural resource.
@ -286,11 +286,11 @@ A _`profile`_ is a set of related [controls](#control) in a distributable form.
Profiles may be distributed locally as a directory tree, as a tarball or zipfile at a URL, as a git repo, and several other ways. Profiles contain metadata, including versioning, and can setup dependency relationships with other profiles.
Aside from controls, profiles can also contain [custom resources](#custom_resource). If the profile contains only custom resources and no controls, we call it a [resource pack](#resource_pack).
Aside from controls, profiles can also contain [custom resources](#custom-resource). If the profile contains only custom resources and no controls, we call it a [resource pack](#resource-pack).
### property
A fact about a [resource](#resource). Typically, you use the [its](#its) keyword to access the property and write a [test](#test) within a [describe block](#describe_block), and then use a [universal matcher](#universal_matcher) to make assertions about the value of the property.
A fact about a [resource](#resource). Typically, you use the [its](#its) keyword to access the property and write a [test](#test) within a [describe block](#describe-block), and then use a [universal matcher](#universal-matcher) to make assertions about the value of the property.
Each resource has different properties. See the [resource documentation](https://www.inspec.io/docs/reference/resources/) for details.
@ -310,9 +310,9 @@ An output format for the `inspec exec` command line. Several reporters are avail
A _`resource`_ represents a category of things on the [target](#target) you wish to examine. For example, to check for the existence and permissions of a file, you would use the [`file`](https://www.inspec.io/docs/reference/resources/file/) resource. InSpec offers dozens of different resources, from the highly specialized (such as `aws_security_group`, which examines firewall rules in AWS) to the very general (such as `command`, which runs a command and lets you examine its output).
Resources are generally categorized as either [singular](#singular_resource) or [plural](#plural_resource), though there are some irregular resources that cannot be cleanly considered one or the other.
Resources are generally categorized as either [singular](#singular-resource) or [plural](#plural-resource), though there are some irregular resources that cannot be cleanly considered one or the other.
Resources are used within a [describe block](#describe_block) to perform [tests](#test).
Resources are used within a [describe block](#describe-block) to perform [tests](#test).
Here, `car` is a resource.
@ -324,11 +324,11 @@ end
### resource pack
A _resource pack_ is a type of [profile](#profile) that is used to distribute [custom resources](#custom_resource). This specialized type of profile contains no [controls](#control), but it does contain a `libraries` directory within which Ruby files define custom resources.
A _resource pack_ is a type of [profile](#profile) that is used to distribute [custom resources](#custom-resource). This specialized type of profile contains no [controls](#control), but it does contain a `libraries` directory within which Ruby files define custom resources.
### resource parameter
_`resource parameters`_ are information passed to the resource when they are declared. Typically, resource parameters provide identifying information or connectivity information. Resource parameters are not the same as a [filter statement](#filter_statement).
_`resource parameters`_ are information passed to the resource when they are declared. Typically, resource parameters provide identifying information or connectivity information. Resource parameters are not the same as a [filter statement](#filter-statement).
Resource parameters vary from resource to resource; refer to the [resource documentation](https://www.inspec.io/docs/reference/resources/) for details.
@ -356,7 +356,7 @@ end
### singular resource
A [resource](#resource) intended to uniquely identify a single object on the [target](#target). Singular resources specialize in providing richer auditing capabilities via resource-specific matchers. Compare to [plural resources](#plural_resource).
A [resource](#resource) intended to uniquely identify a single object on the [target](#target). Singular resources specialize in providing richer auditing capabilities via resource-specific matchers. Compare to [plural resources](#plural-resource).
### target
@ -364,7 +364,7 @@ The _`target`_ is the OS or API on which InSpec is performing audits. In InSpec
### test
A _`test`_ is an individual assertion about the state of the [resource](#resource) or one of its [properties](#property). All tests begin with the keyword [it](#it) or [its](#its). Tests are grouped within a [describe block](#describe_block).
A _`test`_ is an individual assertion about the state of the [resource](#resource) or one of its [properties](#property). All tests begin with the keyword [it](#it) or [its](#its). Tests are grouped within a [describe block](#describe-block).
### universal matcher
@ -372,7 +372,7 @@ A _universal matcher_ is a [matcher](#matcher) that can be used on the [properti
Universal matchers are documented on the [Universal Matchers](https://www.inspec.io/docs/reference/matchers/) page.
Here, we access the 'color' property, then use the `cmp` universal matcher to compare the property to the 'black' [expected result](#expected_result).
Here, we access the 'color' property, then use the `cmp` universal matcher to compare the property to the 'black' [expected result](#expected-result).
```Ruby
describe car(owner: 'Bruce Wayne') do

View file

@ -30,6 +30,17 @@ module Inspec
Inspec::Config.new({ backend: :mock }.merge(opts), StringIO.new('{}'))
end
# Use this to get a cached version of the config. This prevents you from
# being required to pass it around everywhere.
def self.cached
@cached_config
end
def self.cached=(cfg)
@cached_config ||= cfg
end
# This gets called when the first config is created.
def initialize(cli_opts = {}, cfg_io = nil, command_name = nil)
@command_name = command_name || (ARGV.empty? ? nil : ARGV[0].to_sym)
@defaults = Defaults.for_command(@command_name)
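Review bot: `self.cached=` assigns with `@cached_config ||= cfg`, so only the first assignment ever takes effect and every later `Inspec::Config.cached = cfg` is silently discarded. A setter that ignores its argument is surprising to callers. If first-wins is the intent, state it in the comment above `self.cached` and consider a method name that says so; otherwise use a plain `=`. The comment "This gets called when the first config is created" also sits directly above `initialize`, where it reads as a description of the constructor rather than of the setter.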
@ -40,6 +51,7 @@ module Inspec
@merged_options = merge_options
@final_options = finalize_options
self.class.cached = self
end
def diagnose
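Review bot: `self.class.cached = self` at the end of `initialize` gives every constructor call a side effect on class-level state, including the `backend: :mock` config built in the previous hunk. Since the setter keeps only the first value, whichever config happens to be constructed first in a process is what `Inspec::Config.cached` returns from then on, and nothing here allows it to be cleared. In a test run that can be a mock config leaking into later tests. Suggest adding an explicit reset for tests, or having the caller populate the cache instead of the constructor.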

View file

@ -80,19 +80,6 @@ module Inspec
"\e[1m\e[39m#{x}\e[0m"
end
def print_example(example)
# determine min whitespace that can be removed
min = nil
example.lines.each do |line|
if !line.strip.empty? # ignore empty lines
line_whitespace = line.length - line.lstrip.length
min = line_whitespace if min.nil? || line_whitespace < min
end
end
# remove whitespace from each line
example.gsub(/\n\s{#{min}}/, "\n")
end
def intro
puts 'Welcome to the interactive InSpec Shell'
puts "To find out how to use it, type: #{mark 'help'}"
@ -142,8 +129,8 @@ module Inspec
end
unless topic_info.example.nil?
info += "#{mark 'Example:'}\n"
info += "#{print_example(topic_info.example)}\n\n"
info += "#{mark 'Example:'}\n\n"
info += "#{topic_info.example}\n\n"
end
info += "#{mark 'Web Reference:'}\n\n"
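Review bot: `info += "#{topic_info.example}\n\n"` now prints the example string verbatim, so the shell `help` output is only clean for resources whose `example` was converted to `<<~EXAMPLE` in this commit. Any resource that still passes an indented double-quoted string, such as a custom resource shipped in a resource pack, will show its source indentation now that `print_example` is removed. Either keep a dedent step at this call site or document that `example` text must be supplied already dedented.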

View file

@ -4,5 +4,5 @@
# author: Christoph Hartmann
module Inspec
VERSION = '3.7.8'
VERSION = '3.7.11'
end

View file

@ -9,7 +9,7 @@ module Inspec::Resources
supports platform: 'unix'
desc 'Use the aide_conf InSpec audit resource to test the rules established for
the file integrity tool AIDE. Controlled by the aide.conf file typically at /etc/aide.conf.'
example "
example <<~EXAMPLE
describe aide_conf do
its('selection_lines') { should include '/sbin' }
end
@ -21,7 +21,7 @@ module Inspec::Resources
describe aide_conf.all_have_rule('sha512') do
it { should eq true }
end
"
EXAMPLE
attr_reader :params

View file

@ -6,7 +6,7 @@ module Inspec::Resources
name 'apache'
supports platform: 'unix'
desc 'Use the apache InSpec audit resource to retrieve Apache environment settings.'
example "
example <<~EXAMPLE
describe apache do
its ('service') { should cmp 'apache2' }
end
@ -22,7 +22,7 @@ module Inspec::Resources
describe apache do
its ('user') { should cmp 'www-data' }
end
"
EXAMPLE
attr_reader :service, :conf_dir, :conf_path, :user
def initialize

View file

@ -11,11 +11,11 @@ module Inspec::Resources
supports platform: 'linux'
supports platform: 'debian'
desc 'Use the apache_conf InSpec audit resource to test the configuration settings for Apache. This file is typically located under /etc/apache2 on the Debian and Ubuntu platforms and under /etc/httpd on the Fedora, CentOS, Red Hat Enterprise Linux, and Arch Linux platforms. The configuration settings may vary significantly from platform to platform.'
example "
example <<~EXAMPLE
describe apache_conf do
its('setting_name') { should eq 'value' }
end
"
EXAMPLE
include FindFiles
include FileReader

View file

@ -31,12 +31,12 @@ module Inspec::Resources
name 'apt'
supports platform: 'unix'
desc 'Use the apt InSpec audit resource to verify Apt repositories on the Debian and Ubuntu platforms, and also PPA repositories on the Ubuntu platform.'
example "
example <<~EXAMPLE
describe apt('nginx/stable') do
it { should exist }
it { should be_enabled }
end
"
EXAMPLE
def initialize(ppa_name)
@deb_url = nil

View file

@ -26,11 +26,11 @@ module Inspec::Resources
name 'audit_policy'
supports platform: 'windows'
desc 'Use the audit_policy InSpec audit resource to test auditing policies on the Microsoft Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each enabled auditing category property, the auditing level may be set to No Auditing, Not Specified, Success, Success and Failure, or Failure.'
example "
example <<~EXAMPLE
describe audit_policy do
its('parameter') { should eq 'value' }
end
"
EXAMPLE
def method_missing(method)
key = method.to_s

View file

@ -14,7 +14,7 @@ module Inspec::Resources
name 'auditd'
supports platform: 'unix'
desc 'Use the auditd InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files. These rules are output using the auditcl -l command.'
example "
example <<~EXAMPLE
describe auditd.syscall('chown').where {arch == 'b32'} do
its('action') { should eq ['always'] }
its('list') { should eq ['exit'] }
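
Review bot: The `desc` context line in this hunk says the rules are "output using the auditcl -l command", but the initializer further down checks for `/sbin/auditctl`. Since this change already touches the resource's documentation strings, correct the command name in `desc` to `auditctl -l` so it matches the binary the resource actually calls.
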
@ -27,7 +27,7 @@ module Inspec::Resources
describe auditd do
its('lines') { should include %r(-w /etc/ssh/sshd_config) }
end
"
EXAMPLE
def initialize
unless inspec.command('/sbin/auditctl').exist?

View file

@ -9,11 +9,11 @@ module Inspec::Resources
name 'auditd_conf'
supports platform: 'unix'
desc "Use the auditd_conf InSpec audit resource to test the configuration settings for the audit daemon. This file is typically located under /etc/audit/auditd.conf' on UNIX and Linux platforms."
example "
example <<~EXAMPLE
describe auditd_conf do
its('space_left_action') { should eq 'email' }
end
"
EXAMPLE
include FileReader

View file

@ -2,7 +2,7 @@ class AwsBillingReport < Inspec.resource(1)
name 'aws_billing_report'
supports platform: 'aws'
desc 'Verifies settings for AWS Cost and Billing Reports.'
example "
example <<~EXAMPLE
describe aws_billing_report('inspec1') do
its('report_name') { should cmp 'inspec1' }
its('time_unit') { should cmp 'hourly' }
@ -10,7 +10,8 @@ class AwsBillingReport < Inspec.resource(1)
describe aws_billing_report(report: 'inspec1') do
it { should exist }
end"
end
EXAMPLE
include AwsSingularResourceMixin

View file

@ -4,17 +4,18 @@ class AwsBillingReports < Inspec.resource(1)
name 'aws_billing_reports'
supports platform: 'aws'
desc 'Verifies settings for AWS Cost and Billing Reports.'
example "
describe aws_billing_reports do
its('report_names') { should include 'inspec1' }
its('s3_buckets') { should include 'inspec1-s3-bucket' }
end
example <<~EXAMPLE
describe aws_billing_reports do
its('report_names') { should include 'inspec1' }
its('s3_buckets') { should include 'inspec1-s3-bucket' }
end
describe aws_billing_reports.where { report_name =~ /inspec.*/ } do
its ('report_names') { should include ['inspec1'] }
its ('time_units') { should include ['DAILY'] }
its ('s3_buckets') { should include ['inspec1-s3-bucket'] }
end"
describe aws_billing_reports.where { report_name =~ /inspec.*/ } do
its ('report_names') { should include ['inspec1'] }
its ('time_units') { should include ['DAILY'] }
its ('s3_buckets') { should include ['inspec1-s3-bucket'] }
end
EXAMPLE
include AwsPluralResourceMixin

View file

@ -1,11 +1,11 @@
class AwsCloudTrailTrail < Inspec.resource(1)
name 'aws_cloudtrail_trail'
desc 'Verifies settings for an individual AWS CloudTrail Trail'
example "
example <<~EXAMPLE
describe aws_cloudtrail_trail('trail-name') do
it { should exist }
end
"
EXAMPLE
supports platform: 'aws'

View file

@ -1,11 +1,11 @@
class AwsCloudTrailTrails < Inspec.resource(1)
name 'aws_cloudtrail_trails'
desc 'Verifies settings for AWS CloudTrail Trails in bulk'
example '
example <<~EXAMPLE
describe aws_cloudtrail_trails do
it { should exist }
end
'
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin
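
Review bot: The old body here was a single-quoted string, which never interpolates, while the replacement `example <<~EXAMPLE` is an interpolating heredoc that evaluates `#{...}` and backslash escapes when the class loads. Nothing in this example triggers that today, but these bodies are literal sample code, so `example <<~'EXAMPLE'` would keep the old non-interpolating behaviour and protect later edits that add a regex or a `#{}` to an example. The same applies to every other resource in this change that moves from `example '` to `<<~EXAMPLE`.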

View file

@ -1,14 +1,14 @@
class AwsCloudwatchAlarm < Inspec.resource(1)
name 'aws_cloudwatch_alarm'
desc <<-EOD
# Look for a specific alarm
aws_cloudwatch_alarm(
metric_name: 'my-metric-name',
metric_namespace: 'my-metric-namespace',
) do
it { should exist }
end
EOD
desc <<~EXAMPLE
# Look for a specific alarm
aws_cloudwatch_alarm(
metric_name: 'my-metric-name',
metric_namespace: 'my-metric-namespace',
) do
it { should exist }
end
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin
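
Review bot: The heredoc terminator was renamed to `EXAMPLE`, but the call on the `+` side is still `desc <<~EXAMPLE`, so the sample code is registered as the resource description and the resource ends up with no `example` and no real description. Every other resource in this change pairs a one-line `desc '...'` with `example <<~EXAMPLE`; do the same here. The sample body also calls `aws_cloudwatch_alarm(...) do` without a leading `describe`, so it is worth fixing in the same pass.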

View file

@ -1,25 +1,25 @@
class AwsCloudwatchLogMetricFilter < Inspec.resource(1)
name 'aws_cloudwatch_log_metric_filter'
desc 'Verifies individual Cloudwatch Log Metric Filters'
example <<-EOX
# Look for a LMF by its filter name and log group name. This combination
# will always either find at most one LMF - no duplicates.
describe aws_cloudwatch_log_metric_filter(
filter_name: 'my-filter',
log_group_name: 'my-log-group'
) do
it { should exist }
end
example <<~EXAMPLE
# Look for a LMF by its filter name and log group name. This combination
# will always either find at most one LMF - no duplicates.
describe aws_cloudwatch_log_metric_filter(
filter_name: 'my-filter',
log_group_name: 'my-log-group'
) do
it { should exist }
end
# Search for an LMF by pattern and log group.
# This could result in an error if the results are not unique.
describe aws_cloudwatch_log_metric_filter(
log_group_name: 'my-log-group',
pattern: 'my-filter'
) do
it { should exist }
end
EOX
# Search for an LMF by pattern and log group.
# This could result in an error if the results are not unique.
describe aws_cloudwatch_log_metric_filter(
log_group_name: 'my-log-group',
pattern: 'my-filter'
) do
it { should exist }
end
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin
attr_reader :filter_name, :log_group_name, :metric_name, :metric_namespace, :pattern

View file

@ -1,13 +1,13 @@
class AwsConfigDeliveryChannel < Inspec.resource(1)
name 'aws_config_delivery_channel'
desc 'Verifies settings for AWS Config Delivery Channel'
example "
example <<~EXAMPLE
describe aws_config_delivery_channel do
it { should exist }
its('s3_bucket_name') { should eq 'my_bucket' }
its('sns_topic_arn') { should eq arn:aws:sns:us-east-1:721741954427:sns_topic' }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin
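
Review bot: The `sns_topic_arn` line in the example is missing its opening quote (`should eq arn:aws:sns:us-east-1:721741954427:sns_topic' }`), so the sample cannot be pasted into a control as written. Because the string is being rewritten anyway, add the quote. The ARN also carries a 12-digit account ID that differs from the `123456789012` placeholder used in the `aws_sns_topic` example later in this change; prefer the placeholder so the documentation does not publish an account number.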

View file

@ -1,14 +1,14 @@
class AwsConfigurationRecorder < Inspec.resource(1)
name 'aws_config_recorder'
desc 'Verifies settings for AWS Configuration Recorder'
example "
example <<~EXAMPLE
describe aws_config_recorder('My_Recorder') do
it { should exist }
it { should be_recording }
it { should be_all_supported }
it { should have_include_global_resource_types }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -2,7 +2,7 @@ class AwsEbsVolume < Inspec.resource(1)
name 'aws_ebs_volume'
desc 'Verifies settings for an EBS volume'
example <<-EOX
example <<~EXAMPLE
describe aws_ebs_volume('vol-123456') do
it { should be_encrypted }
its('size') { should cmp 8 }
@ -12,7 +12,7 @@ class AwsEbsVolume < Inspec.resource(1)
its('encrypted') { should eq true }
its('iops') { should cmp 100 }
end
EOX
EXAMPLE
supports platform: 'aws'
# TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin

View file

@ -1,11 +1,11 @@
class AwsEbsVolumes < Inspec.resource(1)
name 'aws_ebs_volumes'
desc 'Verifies settings for AWS EBS Volumes in bulk'
example '
example <<~EXAMPLE
describe aws_ebs_volumes do
it { should exist }
end
'
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin

View file

@ -3,7 +3,7 @@ class AwsEc2Instance < Inspec.resource(1)
name 'aws_ec2_instance'
desc 'Verifies settings for an EC2 instance'
example <<-EOX
example <<~EXAMPLE
describe aws_ec2_instance('i-123456') do
it { should be_running }
it { should have_roles }
@ -13,7 +13,7 @@ class AwsEc2Instance < Inspec.resource(1)
it { should be_running }
it { should have_roles }
end
EOX
EXAMPLE
supports platform: 'aws'
# TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin

View file

@ -1,11 +1,11 @@
class AwsEc2Instances < Inspec.resource(1)
name 'aws_ec2_instances'
desc 'Verifies settings for AWS EC2 Instances in bulk'
example '
example <<~EXAMPLE
describe aws_ec2_instances do
it { should exist }
end
'
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin

View file

@ -2,11 +2,11 @@ class AwsEcsCluster < Inspec.resource(1)
name 'aws_ecs_cluster'
desc 'Verifies settings for an ECS cluster'
example <<-EOX
example <<~EXAMPLE
describe aws_ecs_cluster('default') do
it { should exist }
end
EOX
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -2,11 +2,11 @@ class AwsEksCluster < Inspec.resource(1)
name 'aws_eks_cluster'
desc 'Verifies settings for an EKS cluster'
example <<-EOX
example <<~EXAMPLE
describe aws_eks_cluster('default') do
it { should exist }
end
EOX
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -1,11 +1,11 @@
class AwsElb < Inspec.resource(1)
name 'aws_elb'
desc 'Verifies settings for AWS Elastic Load Balancer'
example "
example <<~EXAMPLE
describe aws_elb('myelb') do
it { should exist }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -1,11 +1,11 @@
class AwsElbs < Inspec.resource(1)
name 'aws_elbs'
desc 'Verifies settings for AWS ELBs (classic Elastic Load Balancers) in bulk'
example '
example <<~EXAMPLE
describe aws_elbs do
it { should exist }
end
'
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin

View file

@ -2,11 +2,11 @@ class AwsFlowLog < Inspec.resource(1)
name 'aws_flow_log'
supports platform: 'aws'
desc 'This resource is used to test the attributes of a Flow Log.'
example <<~EOT
example <<~EXAMPLE
describe aws_flow_log('fl-9c718cf5') do
it { should exist }
end
EOT
EXAMPLE
include AwsSingularResourceMixin

View file

@ -1,14 +1,14 @@
class AwsIamAccessKey < Inspec.resource(1)
name 'aws_iam_access_key'
desc 'Verifies settings for an individual IAM access key'
example "
example <<~EXAMPLE
describe aws_iam_access_key(username: 'username', id: 'access-key id') do
it { should exist }
it { should_not be_active }
its('create_date') { should be > Time.now - 365 * 86400 }
its('last_used_date') { should be > Time.now - 90 * 86400 }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -1,11 +1,11 @@
class AwsIamAccessKeys < Inspec.resource(1)
name 'aws_iam_access_keys'
desc 'Verifies settings for AWS IAM Access Keys in bulk'
example '
example <<~EXAMPLE
describe aws_iam_access_keys do
it { should_not exist }
end
'
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin

View file

@ -1,11 +1,11 @@
class AwsIamGroup < Inspec.resource(1)
name 'aws_iam_group'
desc 'Verifies settings for AWS IAM Group'
example "
example <<~EXAMPLE
describe aws_iam_group('mygroup') do
it { should exist }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -1,11 +1,11 @@
class AwsIamGroups < Inspec.resource(1)
name 'aws_iam_groups'
desc 'Verifies settings for AWS IAM groups in bulk'
example '
example <<~EXAMPLE
describe aws_iam_groups do
it { should exist }
end
'
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin

View file

@ -3,7 +3,7 @@ class AwsIamPasswordPolicy < Inspec.resource(1)
name 'aws_iam_password_policy'
desc 'Verifies iam password policy'
example <<-EOX
example <<~EXAMPLE
describe aws_iam_password_policy do
its('requires_lowercase_characters?') { should be true }
end
@ -11,7 +11,7 @@ class AwsIamPasswordPolicy < Inspec.resource(1)
describe aws_iam_password_policy do
its('requires_uppercase_characters?') { should be true }
end
EOX
EXAMPLE
supports platform: 'aws'
# TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin

View file

@ -1,11 +1,11 @@
class AwsIamPolicies < Inspec.resource(1)
name 'aws_iam_policies'
desc 'Verifies settings for AWS IAM Policies in bulk'
example '
example <<~EXAMPLE
describe aws_iam_policies do
it { should exist }
end
'
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin

View file

@ -5,11 +5,11 @@ require 'uri'
class AwsIamPolicy < Inspec.resource(1)
name 'aws_iam_policy'
desc 'Verifies settings for individual AWS IAM Policy'
example "
example <<~EXAMPLE
describe aws_iam_policy('AWSSupportAccess') do
it { should be_attached }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -1,11 +1,11 @@
class AwsIamRole < Inspec.resource(1)
name 'aws_iam_role'
desc 'Verifies settings for an IAM Role'
example "
example <<~EXAMPLE
describe aws_iam_role('my-role') do
it { should exist }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -1,11 +1,11 @@
class AwsIamRootUser < Inspec.resource(1)
name 'aws_iam_root_user'
desc 'Verifies settings for AWS root account'
example "
example <<~EXAMPLE
describe aws_iam_root_user do
it { should have_access_key }
end
"
EXAMPLE
supports platform: 'aws'
# TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin

View file

@ -5,14 +5,14 @@
class AwsIamUser < Inspec.resource(1)
name 'aws_iam_user'
desc 'Verifies settings for AWS IAM user'
example "
example <<~EXAMPLE
describe aws_iam_user(username: 'test_user') do
it { should have_mfa_enabled }
it { should_not have_console_password }
it { should_not have_inline_user_policies }
it { should_not have_attached_user_policies }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -5,7 +5,7 @@
class AwsIamUsers < Inspec.resource(1)
name 'aws_iam_users'
desc 'Verifies settings for AWS IAM users'
example '
example <<~EXAMPLE
describe aws_iam_users.where(has_mfa_enabled?: false) do
it { should_not exist }
end
@ -18,7 +18,7 @@ class AwsIamUsers < Inspec.resource(1)
describe aws_iam_users.where(has_attached_policies?: true) do
it { should_not exist }
end
'
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin

View file

@ -1,11 +1,11 @@
class AwsKmsKey < Inspec.resource(1)
name 'aws_kms_key'
desc 'Verifies settings for an individual AWS KMS Key'
example "
example <<~EXAMPLE
describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
it { should exist }
end
"
EXAMPLE
supports platform: 'aws'

View file

@ -1,11 +1,11 @@
class AwsKmsKeys < Inspec.resource(1)
name 'aws_kms_keys'
desc 'Verifies settings for AWS KMS Keys in bulk'
example '
example <<~EXAMPLE
describe aws_kms_keys do
it { should exist }
end
'
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin

View file

@ -2,11 +2,11 @@
class AwsRdsInstance < Inspec.resource(1)
name 'aws_rds_instance'
desc 'Verifies settings for an rds instance'
example "
example <<~EXAMPLE
describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
it { should exist }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -1,11 +1,11 @@
class AwsRouteTable < Inspec.resource(1)
name 'aws_route_table'
desc 'Verifies settings for an AWS Route Table'
example "
example <<~EXAMPLE
describe aws_route_table do
its('route_table_id') { should cmp 'rtb-05462d2278326a79c' }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -1,11 +1,11 @@
class AwsRouteTables < Inspec.resource(1)
name 'aws_route_tables'
desc 'Verifies settings for AWS Route Tables in bulk'
example '
example <<~EXAMPLE
describe aws_route_tables do
it { should exist }
end
'
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin

View file

@ -2,11 +2,11 @@
class AwsS3Bucket < Inspec.resource(1)
name 'aws_s3_bucket'
desc 'Verifies settings for a s3 bucket'
example "
example <<~EXAMPLE
describe aws_s3_bucket(bucket_name: 'test_bucket') do
it { should exist }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -2,12 +2,12 @@
class AwsS3BucketObject < Inspec.resource(1)
name 'aws_s3_bucket_object'
desc 'Verifies settings for a s3 bucket object'
example "
example <<~EXAMPLE
describe aws_s3_bucket_object(bucket_name: 'bucket_name', key: 'file_name') do
it { should exist }
it { should_not be_public }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -3,11 +3,11 @@
class AwsS3Buckets < Inspec.resource(1)
name 'aws_s3_buckets'
desc 'Verifies settings for AWS S3 Buckets in bulk'
example "
example <<~EXAMPLE
describe aws_s3_bucket do
its('bucket_names') { should eq ['my_bucket'] }
end
"
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin
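
Review bot: The example for the plural resource `aws_s3_buckets` describes `aws_s3_bucket` (singular) while asserting on `bucket_names`, which is the plural resource's property. The line should read `describe aws_s3_buckets do`, otherwise a reader who copies the sample ends up calling the singular resource without its `bucket_name:` argument.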

View file

@ -4,11 +4,11 @@ require 'ipaddr'
class AwsSecurityGroup < Inspec.resource(1)
name 'aws_security_group'
desc 'Verifies settings for an individual AWS Security Group.'
example "
describe aws_security_group('sg-12345678') do
it { should exist }
end
"
example <<~EXAMPLE
describe aws_security_group('sg-12345678') do
it { should exist }
end
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -1,7 +1,7 @@
class AwsSecurityGroups < Inspec.resource(1)
name 'aws_security_groups'
desc 'Verifies settings for AWS Security Groups in bulk'
example <<-EOX
example <<~EXAMPLE
# Verify that you have security groups defined
describe aws_security_groups do
it { should exist }
@ -11,7 +11,7 @@ class AwsSecurityGroups < Inspec.resource(1)
describe aws_security_groups do
its('entries.count') { should be > 1 }
end
EOX
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin

View file

@ -1,7 +1,7 @@
class AwsSnsSubscription < Inspec.resource(1)
name 'aws_sns_subscription'
desc 'Verifies settings for an SNS Subscription'
example "
example <<~EXAMPLE
describe aws_sns_subscription('arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
it { should_not have_raw_message_delivery }
it { should be_confirmation_authenticated }
@ -10,7 +10,7 @@ class AwsSnsSubscription < Inspec.resource(1)
its('endpoint') { should cmp 'arn:aws:sqs:us-east-1::test-queue-01' }
its('protocol') { should cmp 'sqs' }
end
"
EXAMPLE
supports platform: 'aws'

View file

@ -1,12 +1,12 @@
class AwsSnsTopic < Inspec.resource(1)
name 'aws_sns_topic'
desc 'Verifies settings for an SNS Topic'
example "
example <<~EXAMPLE
describe aws_sns_topic('arn:aws:sns:us-east-1:123456789012:some-topic') do
it { should exist }
its('confirmed_subscription_count') { should_not be_zero }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -1,11 +1,11 @@
class AwsSnsTopics < Inspec.resource(1)
name 'aws_sns_topics'
desc 'Verifies settings for SNS Topics in bulk'
example "
example <<~EXAMPLE
describe aws_sns_topics do
its('topic_arns') { should include '' }
end
"
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin

View file

@ -3,12 +3,12 @@ require 'uri'
class AwsSqsQueue < Inspec.resource(1)
name 'aws_sqs_queue'
desc 'Verifies settings for an SQS Queue'
example "
example <<~EXAMPLE
describe aws_sqs_queue('https://sqs.ap-southeast-2.amazonaws.com/519527725796/QueueName') do
it { should exist }
its('visiblity_timeout') { should be 300}
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin
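
Review bot: In the example body, `its('visiblity_timeout')` reads as a misspelling of "visibility"; check it against the property name the resource defines, because a misspelled property in the sample will fail for anyone who copies it. The queue URL also embeds a 12-digit account ID rather than the `123456789012` placeholder used in the `aws_sns_topic` example, and `{ should be 300}` is missing the space before the closing brace.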

View file

@ -1,12 +1,12 @@
class AwsSubnet < Inspec.resource(1)
name 'aws_subnet'
desc 'This resource is used to test the attributes of a VPC subnet'
example "
example <<~EXAMPLE
describe aws_subnet(subnet_id: 'subnet-12345678') do
it { should exist }
its('cidr_block') { should eq '10.0.1.0/24' }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -1,14 +1,14 @@
class AwsSubnets < Inspec.resource(1)
name 'aws_subnets'
desc 'Verifies settings for VPC Subnets in bulk'
example "
example <<~EXAMPLE
# you should be able to test the cidr_block of a subnet
describe aws_subnets.where(vpc_id: 'vpc-123456789') do
its('subnet_ids') { should eq ['subnet-12345678', 'subnet-87654321'] }
its('cidr_blocks') { should eq ['172.31.96.0/20'] }
its('states') { should_not include 'pending' }
end
"
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin

View file

@ -1,12 +1,12 @@
class AwsVpc < Inspec.resource(1)
name 'aws_vpc'
desc 'Verifies settings for AWS VPC'
example "
example <<~EXAMPLE
describe aws_vpc do
it { should be_default }
its('cidr_block') { should cmp '10.0.0.0/16' }
end
"
EXAMPLE
supports platform: 'aws'
include AwsSingularResourceMixin

View file

@ -1,11 +1,11 @@
class AwsVpcs < Inspec.resource(1)
name 'aws_vpcs'
desc 'Verifies settings for AWS VPCs in bulk'
example '
example <<~EXAMPLE
describe aws_vpcs do
it { should exist }
end
'
EXAMPLE
supports platform: 'aws'
include AwsPluralResourceMixin

View file

@ -8,7 +8,7 @@ module Inspec::Resources
name 'bash'
supports platform: 'unix'
desc 'Run a command or script in BASH.'
example "
example <<~EXAMPLE
describe bash('ls -al /') do
its('stdout') { should match /bin/ }
its('stderr') { should eq '' }
@ -20,7 +20,7 @@ module Inspec::Resources
# Specify arguments (defaults to -c)
bash('...', args: '-x -c')
"
EXAMPLE
def initialize(command, options = {})
@raw_command = command

View file

@ -8,11 +8,11 @@ module Inspec::Resources
name 'bond'
supports platform: 'unix'
desc 'Use the bond InSpec audit resource to test a logical, bonded network interface (i.e. "two or more network interfaces aggregated into a single, logical network interface"). On Linux platforms, any value in the /proc/net/bonding directory may be tested.'
example "
example <<~EXAMPLE
describe bond('bond0') do
it { should exist }
end
"
EXAMPLE
include FileReader

View file

@ -11,12 +11,12 @@ module Inspec::Resources
name 'bridge'
supports platform: 'unix'
desc 'Use the bridge InSpec audit resource to test basic network bridge properties, such as name, if an interface is defined, and the associations for any defined interface.'
example "
example <<~EXAMPLE
describe bridge 'br0' do
it { should exist }
it { should have_interface 'eth0' }
end
"
EXAMPLE
def initialize(bridge_name)
@bridge_name = bridge_name

View file

@ -7,12 +7,12 @@ module Inspec::Resources
name 'chocolatey_package'
supports platform: 'windows'
desc 'Use the chocolatey_package InSpec audit resource to test if the named package and/or package version is installed on the system.'
example <<-EOH
example <<~EXAMPLE
describe chocolatey_package('git') do
it { should be_installed }
its('version') { should eq '2.15.1' }
end
EOH
EXAMPLE
attr_reader :package_name

View file

@ -7,7 +7,7 @@ module Inspec::Resources
supports platform: 'unix'
supports platform: 'windows'
desc 'Use the command InSpec audit resource to test an arbitrary command that is run on the system.'
example "
example <<~EXAMPLE
describe command('ls -al /') do
its('stdout') { should match /bin/ }
its('stderr') { should eq '' }
@ -18,7 +18,7 @@ module Inspec::Resources
describe command('ls') do
it { should exist }
end
"
EXAMPLE
attr_reader :command

View file

@ -11,11 +11,11 @@ module Inspec::Resources
name 'cpan'
supports platform: 'unix'
desc 'Use the `cpan` InSpec audit resource to test Perl modules that are installed by system packages or the CPAN installer.'
example "
example <<~EXAMPLE
describe cpan('DBD::Pg') do
it { should be_installed }
end
"
EXAMPLE
def initialize(package_name, perl_lib_path = nil)
@package_name = package_name

View file

@ -11,11 +11,11 @@ module Inspec::Resources
name 'cran'
supports platform: 'unix'
desc 'Use the `cran` InSpec audit resource to test R modules that are installed from CRAN package repository.'
example "
example <<~EXAMPLE
describe cran('DBI') do
it { should be_installed }
end
"
EXAMPLE
def initialize(package_name)
@package_name = package_name

View file

@ -8,7 +8,7 @@ module Inspec::Resources
name 'crontab'
supports platform: 'unix'
desc 'Use the crontab InSpec audit resource to test the contents of the crontab for a given user which contains information about scheduled tasks owned by that user.'
example "
example <<~EXAMPLE
describe crontab(user: 'root') do
its('commands') { should include '/path/to/some/script' }
end
@ -29,7 +29,7 @@ module Inspec::Resources
describe crontab(path: '/etc/cron.d/some_crontab') do
its('commands') { should include '/path/to/some/script' }
end
"
EXAMPLE
attr_reader :params

View file

@ -7,11 +7,11 @@ module Inspec::Resources
class CsvConfig < JsonConfig
name 'csv'
desc 'Use the csv InSpec audit resource to test configuration data in a CSV file.'
example "
example <<~EXAMPLE
describe csv('example.csv') do
its('name') { should eq(['John', 'Alice']) }
end
"
EXAMPLE
# override the parse method from JsonConfig
# Assuming a header row of name,col1,col2, it will output an array of hashes like so:

View file

@ -11,7 +11,7 @@ class DhParams < Inspec.resource(1)
parameters.
'
example "
example <<~EXAMPLE
describe dh_params('/path/to/file.dh_pem') do
it { should be_dh_params }
it { should be_valid }
@ -21,7 +21,7 @@ class DhParams < Inspec.resource(1)
its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
its('text') { should eq 'PKCS#3 DH Parameters: (2048 bit)...' }
end
"
EXAMPLE
include FileReader

View file

@ -8,11 +8,11 @@ module Inspec::Resources
supports platform: 'unix'
supports platform: 'windows'
desc 'Use the directory InSpec audit resource to test if the file type is a directory. This is equivalent to using the file InSpec audit resource and the be_directory matcher, but provides a simpler and more direct way to test directories. All of the matchers available to file may be used with directory.'
example "
example <<~EXAMPLE
describe directory('path') do
it { should be_directory }
end
"
EXAMPLE
def exist?
file.exist? && file.directory?

View file

@ -94,7 +94,7 @@ module Inspec::Resources
A resource to retrieve information about docker
"
example "
example <<~EXAMPLE
describe docker.containers do
its('images') { should_not include 'u12:latest' }
end
@ -127,7 +127,7 @@ module Inspec::Resources
its(%w(HostConfig Privileged)) { should_not cmp true }
end
end
"
EXAMPLE
def containers
DockerContainerFilter.new(parse_containers)

View file

@ -11,7 +11,7 @@ module Inspec::Resources
name 'docker_container'
supports platform: 'unix'
desc ''
example "
example <<~EXAMPLE
describe docker_container('an-echo-server') do
it { should exist }
it { should be_running }
@ -28,7 +28,7 @@ module Inspec::Resources
it { should exist }
it { should be_running }
end
"
EXAMPLE
def initialize(opts = {})
# if a string is provided, we expect it is the name

View file

@ -11,7 +11,7 @@ module Inspec::Resources
name 'docker_image'
supports platform: 'unix'
desc ''
example "
example <<~EXAMPLE
describe docker_image('alpine:latest') do
it { should exist }
its('id') { should_not eq '' }
@ -27,7 +27,7 @@ module Inspec::Resources
describe docker_image(id: '4a415e366388') do
it { should exist }
end
"
EXAMPLE
def initialize(opts = {})
# do sanitizion of input values

View file

@ -5,7 +5,7 @@ module Inspec::Resources
name 'docker_plugin'
supports platform: 'unix'
desc 'Retrieves info about docker plugins'
example "
example <<~EXAMPLE
describe docker_plugin('rexray/ebs') do
it { should exist }
its('id') { should_not eq '0ac30b93ad40' }
@ -20,7 +20,7 @@ module Inspec::Resources
describe docker_plugin(id: '4a415e366388') do
it { should exist }
end
"
EXAMPLE
def initialize(opts = {})
# do sanitizion of input values

View file

@ -11,7 +11,7 @@ module Inspec::Resources
name 'docker_service'
supports platform: 'unix'
desc 'Swarm-mode service'
example "
example <<~EXAMPLE
describe docker_service('service1') do
it { should exist }
its('id') { should_not eq '' }
@ -27,7 +27,7 @@ module Inspec::Resources
describe docker_service(image: 'alpine:latest') do
it { should exist }
end
"
EXAMPLE
def initialize(opts = {})
# do sanitizion of input values

View file

@ -11,7 +11,7 @@ module Inspec::Resources
desc "Use the Elasticsearch InSpec audit resource to test the status of nodes in
an Elasticsearch cluster."
example "
example <<~EXAMPLE
describe elasticsearch('http://eshost.mycompany.biz:9200/', username: 'elastic', password: 'changeme', ssl_verify: false) do
its('node_count') { should >= 3 }
end
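
Review bot: The first example shown for this resource passes `password: 'changeme'` and `ssl_verify: false` inline. Documentation samples get copied into real profiles, so the lead example should not teach disabling certificate verification or hard-coding a credential. Suggest dropping `ssl_verify: false` from this sample (or moving it to a separate, clearly labelled one for self-signed test clusters) and showing the password coming from a profile attribute instead of a literal.
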
@ -21,7 +21,7 @@ module Inspec::Resources
its('os') { should_not include 'MacOS' }
its('version') { should cmp > 1.2.0 }
end
"
EXAMPLE
filter = FilterTable.create
filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
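
Review bot: The sample line `its('version') { should cmp > 1.2.0 }` is not valid Ruby, because `1.2.0` is not a numeric literal, so the example fails to parse when copied into a control. Quote the version as a string (`'1.2.0'`) while the example string is being rewritten.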

View file

@ -9,7 +9,7 @@ module Inspec::Resources
name 'etc_fstab'
supports platform: 'unix'
desc 'Use the etc_fstab InSpec audit resource to check the configuration of the etc/fstab file.'
example "
example <<~EXAMPLE
nfs_systems = etc_fstab.nfs_file_systems.entries
nfs_systems.each do |file_system|
describe file_system do
@ -22,7 +22,7 @@ module Inspec::Resources
describe etc_fstab do
its ('home_mount_options') { should include 'nosuid' }
end
"
EXAMPLE
attr_reader :params

View file

@ -30,13 +30,13 @@ module Inspec::Resources
name 'etc_group'
supports platform: 'unix'
desc 'Use the etc_group InSpec audit resource to test groups that are defined on Linux and UNIX platforms. The /etc/group file stores details about each group---group name, password, group identifier, along with a comma-separate list of users that belong to the group.'
example "
example <<~EXAMPLE
describe etc_group do
its('gids') { should_not contain_duplicates }
its('groups') { should include 'my_user' }
its('users') { should include 'my_user' }
end
"
EXAMPLE
include FileReader

View file

@ -10,13 +10,13 @@ class EtcHosts < Inspec.resource(1)
supports platform: 'windows'
desc 'Use the etc_hosts InSpec audit resource to find an
ip_address and its associated hosts'
example "
example <<~EXAMPLE
describe etc_hosts.where { ip_address == '127.0.0.1' } do
its('ip_address') { should cmp '127.0.0.1' }
its('primary_name') { should cmp 'localhost' }
its('all_host_names') { should eq [['localhost', 'localhost.localdomain', 'localhost4', 'localhost4.localdomain4']] }
end
"
EXAMPLE
attr_reader :params

View file

@ -9,12 +9,12 @@ module Inspec::Resources
supports platform: 'unix'
desc 'Use the etc_hosts_allow InSpec audit resource to test the connections
the client will allow. Controlled by the /etc/hosts.allow file.'
example "
example <<~EXAMPLE
describe etc_hosts_allow.where { daemon == 'ALL' } do
its('client_list') { should include ['127.0.0.1', '[::1]'] }
its('options') { should eq [[]] }
end
"
EXAMPLE
attr_reader :params
@ -91,12 +91,12 @@ module Inspec::Resources
supports platform: 'unix'
desc 'Use the etc_hosts_deny InSpec audit resource to test the connections
the client will deny. Controlled by the /etc/hosts.deny file.'
example "
example <<~EXAMPLE
describe etc_hosts_deny.where { daemon_list == 'ALL' } do
its('client_list') { should eq [['127.0.0.1', '[::1]']] }
its('options') { should eq [] }
end
"
EXAMPLE
def initialize(path = nil)
return skip_resource '`etc_hosts_deny` is not supported on your OS' unless inspec.os.linux?
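
Review bot: The two examples in this file filter on different column names: `etc_hosts_allow.where { daemon == 'ALL' }` in the first hunk and `etc_hosts_deny.where { daemon_list == 'ALL' }` here. They also disagree on the empty `options` shape (`[[]]` versus `[]`). Please confirm which name and shape the filter table exposes and make both samples consistent, since one of them will not match as written.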

View file

@ -22,7 +22,7 @@ module Inspec::Resources
supports platform: 'unix'
supports platform: 'windows'
desc 'Use the file InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.'
example "
example <<~EXAMPLE
describe file('path') do
it { should exist }
it { should be_file }
@ -32,7 +32,7 @@ module Inspec::Resources
it { should be_owned_by 'root' }
its('mode') { should cmp '0644' }
end
"
EXAMPLE
attr_reader :file, :mount_options
def initialize(path)

View file

@ -4,7 +4,7 @@ module Inspec::Resources
supports platform: 'linux'
supports platform: 'windows'
desc 'Use the filesystem InSpec resource to test file system'
example "
example <<~EXAMPLE
describe filesystem('/') do
its('size_kb') { should be >= 32000 }
its('free_kb') { should be >= 3200 }
@ -17,7 +17,7 @@ module Inspec::Resources
its('type') { should cmp 'NTFS' }
its('percent_free') { should be >= 20 }
end
"
EXAMPLE
attr_reader :partition
def initialize(partition)

View file

@ -10,7 +10,7 @@ module Inspec::Resources
name 'firewalld'
supports platform: 'linux'
desc 'Use the firewalld resource to check and see if firewalld is configured to grand or deny access to specific hosts or services'
example "
example <<~EXAMPLE
describe firewalld do
it { should be_running }
its('default_zone') { should eq 'public' }
@ -23,7 +23,7 @@ module Inspec::Resources
its('sources') { should cmp ['ssh', 'icmp'] }
its('services') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
end
"
EXAMPLE
attr_reader :params
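
Review bot: The expected values in the last two example lines are swapped: `its('sources')` is compared against `['ssh', 'icmp']` and `its('services')` against `['192.168.1.0/24', '192.168.1.2']`. Sources are address ranges and services are names, so exchange the two arrays. A firewall example that asserts the wrong field gives readers a control that either fails or, once "fixed" by trial and error, checks the wrong thing. The `desc` above also reads "grand or deny access" where "grant" is meant.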

View file

@ -6,12 +6,12 @@ module Inspec::Resources
supports platform: 'unix'
supports platform: 'windows'
desc 'Use the gem InSpec audit resource to test if a global gem package is installed.'
example "
example <<~EXAMPLE
describe gem('rubocop') do
it { should be_installed }
its('version') { should eq '0.33.0' }
end
"
EXAMPLE
attr_reader :gem_binary

View file

@ -28,7 +28,7 @@ module Inspec::Resources
supports platform: 'unix'
supports platform: 'windows'
desc 'Use the group InSpec audit resource to test groups on the system. Groups can be filtered.'
example "
example <<~EXAMPLE
describe groups.where { name == 'root'} do
its('names') { should eq ['root'] }
its('gids') { should eq [0] }
@ -38,7 +38,7 @@ module Inspec::Resources
its('names') { should eq ['Administrators'] }
its('gids') { should eq ['S-1-5-32-544'] }
end
"
EXAMPLE
def initialize
# select group manager
@ -80,7 +80,7 @@ module Inspec::Resources
supports platform: 'unix'
supports platform: 'windows'
desc 'Use the group InSpec audit resource to test groups on the system.'
example "
example <<~EXAMPLE
describe group('root') do
it { should exist }
its('gid') { should eq 0 }
@ -89,7 +89,7 @@ module Inspec::Resources
describe group('Administrators') do
its('members') { should include 'Administrator' }
end
"
EXAMPLE
def initialize(groupname)
@group = groupname

View file

@ -7,7 +7,7 @@ class GrubConfig < Inspec.resource(1)
name 'grub_conf'
supports platform: 'unix'
desc 'Use the grub_conf InSpec audit resource to test the boot config of Linux systems that use Grub.'
example "
example <<~EXAMPLE
describe grub_conf('/etc/grub.conf', 'default') do
its('kernel') { should include '/vmlinuz-2.6.32-573.7.1.el6.x86_64' }
its('initrd') { should include '/initramfs-2.6.32-573.el6.x86_64.img=1' }
@ -19,7 +19,7 @@ class GrubConfig < Inspec.resource(1)
describe grub_conf('/etc/grub.conf', 'CentOS (2.6.32-573.12.1.el6.x86_64)') do
its('kernel') { should include 'audit=1' }
end
"
EXAMPLE
include FileReader

View file

@ -30,7 +30,7 @@ module Inspec::Resources
supports platform: 'unix'
supports platform: 'windows'
desc 'Use the host InSpec audit resource to test the name used to refer to a specific host and its availability, including the Internet protocols and ports over which that host name should be available.'
example "
example <<~EXAMPLE
describe host('example.com') do
it { should be_reachable }
it { should be_resolvable }
@ -40,7 +40,7 @@ module Inspec::Resources
describe host('example.com', port: '80', protocol: 'tcp') do
it { should be_reachable }
end
"
EXAMPLE
attr_reader :hostname, :port, :protocol

View file

@ -12,7 +12,7 @@ module Inspec::Resources
name 'http'
supports platform: 'unix'
desc 'Use the http InSpec audit resource to test http call.'
example "
example <<~EXAMPLE
describe http('http://localhost:8080/ping', auth: {user: 'user', pass: 'test'}, params: {format: 'html'}) do
its('status') { should cmp 200 }
its('body') { should cmp 'pong' }
@ -23,7 +23,7 @@ module Inspec::Resources
its('Content-Length') { should cmp 258 }
its('Content-Type') { should cmp 'text/html; charset=UTF-8' }
end
"
EXAMPLE
def initialize(url, opts = {})
@url = url

View file

@ -7,7 +7,7 @@ module Inspec::Resources
name 'iis_app'
supports platform: 'windows'
desc 'Tests IIS application configuration on windows. Supported in server 2012+ only'
example "
example <<~EXAMPLE
describe iis_app('/myapp', 'Default Web Site') do
it { should exist }
it { should have_application_pool('MyAppPool') }
@ -16,7 +16,7 @@ module Inspec::Resources
it { should have_physical_path('C:\\inetpub\\wwwroot\\myapp') }
it { should have_path('\\My Application') }
end
"
EXAMPLE
def initialize(path, site_name)
@path = path

View file

@ -7,14 +7,14 @@ class IisAppPool < Inspec.resource(1)
name 'iis_app_pool'
desc 'Tests IIS application pool configuration on windows.'
supports platform: 'windows'
example <<~EOH
example <<~EXAMPLE
describe iis_app_pool('DefaultAppPool') do
it { should exist }
its('enable32bit') { should cmp 'True' }
its('runtime_version') { should eq 'v4.0' }
its('pipeline_mode') { should eq 'Integrated' }
end
EOH
EXAMPLE
def initialize(pool_name)
@pool_name = pool_name

View file

@ -18,7 +18,7 @@ module Inspec::Resources
name 'iis_site'
supports platform: 'windows'
desc 'Tests IIS site configuration on windows. Supported in server 2012+ only'
example "
example <<~EXAMPLE
describe iis_site('Default Web Site') do
it { should exist }
it { should be_running }
@ -27,7 +27,7 @@ module Inspec::Resources
it { should have_binding('net.pipe *') }
it { should have_path('C:\\inetpub\\wwwroot') }
end
"
EXAMPLE
def initialize(site_name)
@site_name = site_name
@ -125,13 +125,13 @@ module Inspec::Resources
class IisSiteServerSpec < IisSite
name 'iis_website'
desc 'Tests IIS site configuration on windows. Deprecated, use `iis_site` instead.'
example "
example <<~EXAMPLE
describe iis_website('Default Website') do
it{ should exist }
it{ should be_running }
it{ should be_in_app_pool('Default App Pool') }
end
"
EXAMPLE
def initialize(site_name)
super(site_name)
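Review bot: the `iis_website` example is inconsistent with the `iis_site` example earlier in the same file. It writes `it{ should exist }` without the space before the brace where every other example uses `it { ... }`, and it names the site 'Default Website' where the `iis_site` example uses 'Default Web Site'. Align both while the block is being touched, so that the deprecated resource's example still points at the same site.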

View file

@ -9,13 +9,13 @@ module Inspec::Resources
name 'inetd_conf'
supports platform: 'unix'
desc 'Use the inetd_conf InSpec audit resource to test if a service is enabled in the inetd.conf file on Linux and UNIX platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The inetd.conf file is typically located at /etc/inetd.conf and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.'
example "
example <<~EXAMPLE
describe inetd_conf do
its('shell') { should eq nil }
its('login') { should eq nil }
its('exec') { should eq nil }
end
"
EXAMPLE
include FileReader

View file

@ -8,11 +8,11 @@ module Inspec::Resources
supports platform: 'unix'
supports platform: 'windows'
desc 'Use the ini InSpec audit resource to test data in a INI file.'
example "
example <<~EXAMPLE
descibe ini do
its('auth_protocol') { should eq 'https' }
end
"
EXAMPLE
# override file load and parse hash with simple config
def parse(content)
SimpleConfig.new(content).params
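Review bot: the first line of the example body, `descibe ini do`, misspells `describe`, so the example will not run as written when copied into a profile. Correct the spelling while converting to the heredoc, and consider passing a file path to `ini` in the example, as the `json('policyfile.lock.json')` example does for its resource.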

View file

@ -8,13 +8,13 @@ module Inspec::Resources
supports platform: 'unix'
supports platform: 'windows'
desc 'Use the interface InSpec audit resource to test basic network adapter properties, such as name, status, and link speed (in MB/sec).'
example "
example <<~EXAMPLE
describe interface('eth0') do
it { should exist }
it { should be_up }
its('speed') { should eq 1000 }
end
"
EXAMPLE
def initialize(iface)
@iface = iface

View file

@ -24,11 +24,11 @@ module Inspec::Resources
name 'iptables'
supports platform: 'linux'
desc 'Use the iptables InSpec audit resource to test rules that are defined in iptables, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.'
example "
example <<~EXAMPLE
describe iptables do
it { should have_rule('-P INPUT ACCEPT') }
end
"
EXAMPLE
def initialize(params = {})
@table = params[:table]
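Review bot: the only example, `it { should have_rule('-P INPUT ACCEPT') }`, asserts that the INPUT chain's default policy is ACCEPT, so a profile copied from it passes on a host that accepts all inbound traffic by default. Examples tend to end up in real profiles, so consider showing a restrictive expectation such as `-P INPUT DROP`, or the same rule under `should_not`, and adding a second example that passes `table:`, which `initialize` reads from `params[:table]`.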

View file

@ -8,7 +8,7 @@ module Inspec::Resources
class JsonConfig < Inspec.resource(1)
name 'json'
desc 'Use the json InSpec audit resource to test data in a JSON file.'
example "
example <<~EXAMPLE
describe json('policyfile.lock.json') do
its(['cookbook_locks','omnibus','version']) { should eq('2.2.0') }
end
@ -20,8 +20,7 @@ module Inspec::Resources
describe json({ content: '{\"item1\": { \"status\": \"available\" } }' }) do
its(['item1', 'status']) { should cmp 'available' }
end
"
EXAMPLE
include ObjectTraverser
include FileReader
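Review bot: in the last example of this hunk the `content:` string still carries the `\"` escapes that were only needed while the example sat inside a double-quoted string. Inside the `<<~EXAMPLE` heredoc a bare `"` is literal, so the line can be written as `describe json({ content: '{"item1": { "status": "available" } }' }) do`, which produces the same example text and is easier to read in the source.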

View file

@ -12,27 +12,26 @@ module Inspec::Resources
or if a module is disabled via a fake install using the `bin_true` or `bin_false`
method.'
example "
example <<~EXAMPLE
describe kernel_module('video') do
it { should be_loaded }
it { should_not be_disabled }
it { should_not be_blacklisted }
end
describe kernel_module('video') do
it { should be_loaded }
it { should_not be_disabled }
it { should_not be_blacklisted }
end
describe kernel_module('sstfb') do
it { should_not be_loaded }
it { should be_disabled }
end
describe kernel_module('sstfb') do
it { should_not be_loaded }
it { should be_disabled }
end
describe kernel_module('floppy') do
it { should be_blacklisted }
end
describe kernel_module('floppy') do
it { should be_blacklisted }
end
describe kernel_module('dhcp') do
it { should_not be_loaded }
end
"
describe kernel_module('dhcp') do
it { should_not be_loaded }
end
EXAMPLE
def initialize(modulename = nil)
@module = modulename

View file

@ -5,11 +5,11 @@ module Inspec::Resources
name 'kernel_parameter'
supports platform: 'unix'
desc 'Use the kernel_parameter InSpec audit resource to test kernel parameters on Linux platforms.'
example "
example <<~EXAMPLE
describe kernel_parameter('net.ipv4.conf.all.forwarding') do
its('value') { should eq 0 }
end
"
EXAMPLE
def initialize(parameter = nil)
@parameter = parameter

Some files were not shown because too many files have changed in this diff