Resource documentation update (#2207)

Light formatting changes, change order of example and matchers, slight
color changes

Signed-off-by: hannah-radish <hmaddy@chef.io>
hannah-radish 2017-10-03 14:35:10 -07:00 committed by Adam Leff
parent fb52fd8770
commit 9cfc86d2ab
99 changed files with 2093 additions and 3240 deletions

@ -14,6 +14,8 @@ The following matchers are available:
* `include`
* `match`
<br>
## be
This matcher can be followed by many different comparison operators.
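Review bot: the spacing added before `## be` is a raw `<br>` tag, and the same tag is inserted before every heading in this file and in every resource page in the commit. In Markdown that spacing belongs to a blank line or to the site stylesheet (a margin on `h2`), not to inline HTML repeated per heading; suggest dropping the `<br>` lines and adjusting the CSS once.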
@ -26,6 +28,8 @@ describe file('/proc/cpuinfo') do
end
```
<br>
## cmp
Unlike `eq`, cmp is a matcher for less-restrictive comparisons. It will
@ -92,6 +96,7 @@ end
expected: 0345
got: 0444
```
<br>
## eq
@ -116,6 +121,8 @@ its('Port') { should eq 22 }
For less restrictive comparisons, please use `cmp`.
<br>
## include
Verifies if a value is included in a list.
@ -126,6 +133,8 @@ describe passwd do
end
```
<br>
## be_in
Verifies that an item is included in a list.
@ -136,6 +145,8 @@ describe resource do
end
```
<br>
## match
Check if a string matches a regular expression.
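Review bot: `be_in` (`Verifies that an item is included in a list.`) and `include` just above it (`Verifies if a value is included in a list.`) are described almost identically, so a reader cannot tell which one to reach for. Suggest stating the direction of the check: `include` asserts that the property's value contains the given item, while `be_in` asserts that the property's value is itself one of the items in the given list.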

@ -6,6 +6,8 @@ title: About the aide_conf Resource
Use the `aide_conf` InSpec audit resource to test the rules established for the file integrity tool AIDE. Controlled by the aide.conf file typically at /etc/aide.conf.
<br>
## Syntax
An `aide_conf` resource block can be used to determine if the selection lines contain one (or more) directories whose files should be added to the aide database:
@ -30,37 +32,11 @@ Use the where clause to match a selection_line to one rule or a particular set o
its('rules') { should include ['p', 'i', 'l', 'n', 'u', 'g', 'sha512'] }
end
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### all_have_rule
The usage of all_have_rule will return whether or not all selection lines in audit.conf contain a particular rule:
describe aide_conf.all_have_rule('sha512') do
it { should eq true }
end
<br>
## Examples
The following examples show how to use this InSpec audit resource.
The following examples show how to use this InSpec audit resource. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### Test if all selection lines contain the xattr rule
@ -79,3 +55,17 @@ The following examples show how to use this InSpec audit resource.
describe aide_conf.where { selection_line == '/sbin' } do
its('rules') { should include ['r', 'sha512'] }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### all_have_rule
The usage of all_have_rule will return whether or not all selection lines in audit.conf contain a particular rule:
describe aide_conf.all_have_rule('sha512') do
it { should eq true }
end
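Review bot: the `all_have_rule` text moved into the new Matchers section still says `all selection lines in audit.conf`, but this resource reads `aide.conf` (the page's own description says `Controlled by the aide.conf file typically at /etc/aide.conf`); the move is the right moment to correct it. `The usage of all_have_rule will return whether or not` also reads awkwardly; suggest `all_have_rule returns true when every selection line contains the given rule:`.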

@ -6,6 +6,8 @@ title: About the apache_conf Resource
Use the `apache_conf` InSpec audit resource to test the configuration settings for Apache. This file is typically located under `/etc/apache2` on the Debian and Ubuntu platforms and under `/etc/httpd` on the Fedora, CentOS, RedHat Enterprise Linux, and ArchLinux platforms. The configuration settings may vary significantly from platform to platform.
<br>
## Syntax
An `apache_conf` InSpec audit resource block declares configuration settings that should be tested:
@ -20,43 +22,7 @@ where
* `('path')` is the non-default path to the Apache configuration file
* `{ should eq 'value' }` is the value that is expected
## Matchers
This InSpec audit resource matches any service that is listed in the Apache configuration file:
its('PidFile') { should_not eq '/var/run/httpd.pid' }
or:
its('Timeout') { should eq 300 }
For example:
describe apache_conf do
its('MaxClients') { should eq 100 }
its('Listen') { should eq '443'}
end
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -73,3 +39,23 @@ The following examples show how to use this InSpec audit resource.
describe apache_conf do
its('Listen') { should eq '443'}
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
This InSpec audit resource matches any service that is listed in the Apache configuration file:
its('PidFile') { should_not eq '/var/run/httpd.pid' }
or:
its('Timeout') { should eq 300 }
For example:
describe apache_conf do
its('MaxClients') { should eq 100 }
its('Listen') { should eq '443'}
end
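Review bot: the new Matchers section opens with the link sentence and only then says `This InSpec audit resource matches any service that is listed in the Apache configuration file`, the reverse of the order used in the other pages of this commit (`This InSpec audit resource has the following matchers. For a full list ...`); suggest the same order here. The sentence is also inaccurate: `apache_conf` reads configuration directives such as `PidFile` and `Timeout`, not services, so `matches any directive that is listed in the Apache configuration file` would be correct. Minor: `should eq '443'}` is missing the space before the closing brace in both occurrences.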

@ -6,6 +6,8 @@ title: About the apt Resource
Use the `apt` InSpec audit resource to verify Apt repositories on the Debian and Ubuntu platforms, and also PPA repositories on the Ubuntu platform.
<br>
## Syntax
An `apt` resource block tests the contents of Apt and PPA repositories:
@ -21,42 +23,7 @@ where
* `('path')` may be an `http://` address, a `ppa:` address, or a short `repo-name/ppa` address
* `exist` and `be_enabled` are a valid matchers for this resource
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be_enabled
The `be_enabled` matcher tests if a package exists in the repository:
it { should be_enabled }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### exist
The `exist` matcher tests if a package exists on the system:
it { should exist }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -82,3 +49,22 @@ The following examples show how to use this InSpec audit resource.
it { should_not exist }
it { should_not be_enabled }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_enabled
The `be_enabled` matcher tests if a package exists in the repository:
it { should be_enabled }
### exist
The `exist` matcher tests if a package exists on the system:
it { should exist }
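Review bot: the matcher descriptions moved here still say `be_enabled` `tests if a package exists in the repository` and `exist` `tests if a package exists on the system`, but this resource is about repositories (`verify Apt repositories`, `('path')` is an `http://` or `ppa:` address), and the example directly above applies both matchers to a repository (`it { should_not exist }`, `it { should_not be_enabled }`). Suggest `tests if the repository is enabled` and `tests if the repository exists on the system`.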

@ -6,6 +6,8 @@ title: About the audit_policy Resource
Use the `audit_policy` Inspec audit resource to test auditing policies on the Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each auditing category property that is enabled, the auditing level may be set to `No Auditing`, `Not Specified`, `Success`, `Success and Failure`, or `Failure`.
<br>
## Syntax
An `audit_policy` resource block declares a parameter that belongs to an audit policy category or subcategory:
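Review bot: `Inspec audit resource` in the description line is capitalised differently from `InSpec` everywhere else in this commit; worth fixing while the surrounding lines are being edited.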
@ -19,30 +21,7 @@ where
* `'parameter'` must specify a parameter
* `'value'` must be one of `No Auditing`, `Not Specified`, `Success`, `Success and Failure`, or `Failure`
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -59,3 +38,9 @@ The following examples show how to use this InSpec audit resource.
describe audit_policy do
its('User Account Management') { should eq 'Success' }
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
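Review bot: after this change the Matchers section consists of nothing but the link sentence `For a full list of available matchers please visit our matchers page`. A heading with no matchers under it reads as an empty section; suggest folding the link into the Syntax or Examples intro and dropping the heading, or keeping the heading only on pages that list resource-specific matchers. The same applies to the `auditd`, `auditd_rules` and `crontab` pages in this commit.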

@ -6,6 +6,8 @@ title: About the auditd Resource
Use the `auditd` InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files. These rules are output using the auditcl -l command. This resource supports versions of `audit` >= 2.3.
<br>
## Syntax
An `auditd` resource block declares one (or more) rules to be tested, and then what that rule should do:
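Review bot: `These rules are output using the auditcl -l command` misspells the tool; it should be `auditctl -l` (the `auditd_rules` page in this same commit spells it correctly). Since this hunk touches the adjacent lines, fix the typo here as well.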
@ -23,30 +25,7 @@ or test that multiple individual rules are defined:
where each test must declare one (or more) rules to be tested.
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -91,3 +70,9 @@ The key filter may be useful in evaluating rules with particular key values:
describe auditd.where { key == "privileged" } do
its('permissions') { should include ['x'] }
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

@ -6,6 +6,8 @@ title: About the auditd_conf Resource
Use the `auditd_conf` InSpec audit resource to test the configuration settings for the audit daemon. This file is typically located under `/etc/audit/auditd.conf'` on Unix and Linux platforms.
<br>
## Syntax
A `auditd_conf` resource block declares configuration settings that should be tested:
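Review bot: the path in the description, `/etc/audit/auditd.conf'`, carries a stray apostrophe inside the backticks, and `A `auditd_conf` resource block` should read `An `auditd_conf` resource block`.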
@ -20,40 +22,7 @@ where
* `('path')` is the non-default path to the `auditd.conf` configuration file
* `{ should cmp 'value' }` is the value that is expected
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### keyword
This matcher will matche any keyword that is listed in the `auditd.conf` configuration file. Option names and values are case-insensitive:
its('log_format') { should cmp 'raw' }
or:
its('max_log_file') { should cmp 6 }
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -77,3 +46,20 @@ The following examples show how to use this InSpec audit resource.
its('disk_full_action') { should cmp 'halt' }
its('disk_error_action') { should cmp 'halt' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### keyword
This matcher will matche any keyword that is listed in the `auditd.conf` configuration file. Option names and values are case-insensitive:
its('log_format') { should cmp 'raw' }
or:
its('max_log_file') { should cmp 6 }
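Review bot: the `keyword` description moved here keeps the typo `will matche`; suggest `This matcher matches any keyword listed in the `auditd.conf` configuration file.` Note also that `keyword` is not something the user types as a matcher: the examples show the real form, `its('log_format') { should cmp 'raw' }`, where the keyword is the argument to `its`, so a heading such as `### its('keyword')` or a sentence saying so would be clearer than `### keyword`.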

@ -6,6 +6,7 @@ title: About the auditd_rules Resource
Use the `auditd_rules` InSpec audit resource to test the rules for logging that exist on the system. The `audit.rules` file is typically located under `/etc/audit/` and contains the list of rules that define what is captured in log files. This resource uses `auditctl` to query the run-time `auditd` rules setup, which may be different from `audit.rules`.
<br>
## Syntax
@ -61,30 +62,7 @@ or test that individual rules are defined:
where each test must declare one (or more) rules to be tested.
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -130,3 +108,9 @@ Filters may be chained. For example:
describe auditd_rules.syscall('open').action('always').list do
it { should eq(['exit']) }
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

@ -6,6 +6,8 @@ title: About the bash Resource
Use the `bash` InSpec audit resource to test an arbitrary command that is run on the system using a Bash script.
<br>
## Syntax
A `command` resource block declares a command to be run, one (or more) expected outputs, and the location to which that output is sent:
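Review bot: the Syntax line reads `A `command` resource block declares a command to be run`, but this is the `bash` resource page (`title: About the bash Resource`); it should say `A `bash` resource block ...`. The sentence appears to have been copied from command.md.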
@ -29,22 +31,11 @@ For example:
its('exit_status') { should eq 0 }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exist
@ -58,14 +49,6 @@ The `exit_status` matcher tests the exit status for the command:
its('exit_status') { should eq 0 }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### stderr
The `stderr` matcher tests results of the command as returned in standard error (stderr):
@ -77,8 +60,3 @@ The `stderr` matcher tests results of the command as returned in standard error
The `stdout` matcher tests results of the command as returned in standard output (stdout).
its('stdout') { should match /bin/ }
## Examples
None.

@ -6,6 +6,8 @@ title: About the bond Resource
Use the `bond` InSpec audit resource to test a logical, bonded network interface (i.e. "two or more network interfaces aggregated into a single, logical network interface"). On Linux platforms, any value in the `/proc/net/bonding` directory may be tested.
<br>
## Syntax
A `bond` resource block declares a bonded network interface, and then specifies the properties of that bonded network interface to be tested:
@ -19,60 +21,7 @@ where
* `'name'` is the name of the bonded network interface
* `{ should exist }` is a valid matcher for this resource
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### content
The `content` matcher tests if contents in the file that defines the bonded network interface match the value specified in the test. The values of the `content` matcher are arbitrary:
its('content') { should match('value') }
### eq
<%= partial "/shared/matcher_eq" %>
### exist
The `exist` matcher tests if the bonded network interface is available:
it { should exist }
### have_interface
The `have_interface` matcher tests if the bonded network interface has one (or more) secondary interfaces:
it { should have_interface }
### include
<%= partial "/shared/matcher_include" %>
### interfaces
The `interfaces` matcher tests if the named secondary interfaces are available:
its('interfaces') { should eq ['eth0', 'eth1', ...] }
### match
<%= partial "/shared/matcher_match" %>
### params
The `params` matcher tests arbitrary parameters for the bonded network interface:
its('params') { should eq 'value' }
<br>
## Examples
@ -95,3 +44,39 @@ The following examples show how to use this InSpec audit resource.
its('Up Delay (ms)') { should eq '0' }
its('Down Delay (ms)') { should eq '0' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### content
The `content` matcher tests if contents in the file that defines the bonded network interface match the value specified in the test. The values of the `content` matcher are arbitrary:
its('content') { should match('value') }
### exist
The `exist` matcher tests if the bonded network interface is available:
it { should exist }
### have_interface
The `have_interface` matcher tests if the bonded network interface has one (or more) secondary interfaces:
it { should have_interface }
### interfaces
The `interfaces` matcher tests if the named secondary interfaces are available:
its('interfaces') { should eq ['eth0', 'eth1', ...] }
### params
The `params` matcher tests arbitrary parameters for the bonded network interface:
its('params') { should eq 'value' }

@ -9,6 +9,8 @@ Use the `bridge` InSpec audit resource to test basic network bridge properties,
* On Linux platforms, any value in the `/sys/class/net/{interface}/bridge` directory may be tested
* On the Windows platform, the `Get-NetAdapter` cmdlet is associated with the `Get-NetAdapterBinding` cmdlet and returns the `ComponentID ms_bridge` value as a JSON object
<br>
## Syntax
A `bridge` resource block declares the bridge to be tested and what interface it should be associated with:
@ -18,21 +20,11 @@ A `bridge` resource block declares the bridge to be tested and what interface it
it { should have_interface 'eth0' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exist
@ -46,10 +38,6 @@ The `have_interface` matcher tests if the named interface is defined for the net
it { should have_interface 'eth0' }
### include
<%= partial "/shared/matcher_include" %>
### interfaces
The `interfaces` matcher tests if the named interface is present:
@ -57,11 +45,3 @@ The `interfaces` matcher tests if the named interface is present:
its('interfaces') { should eq 'foo' }
its('interfaces') { should eq 'bar' }
its('interfaces') { should include('foo') }
### match
<%= partial "/shared/matcher_match" %>
## Examples
None.
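Review bot: the `interfaces` example left in place asserts `its('interfaces') { should eq 'foo' }` and `its('interfaces') { should eq 'bar' }` within the same block, which can never both pass; only the `should include('foo')` line makes sense for a property that holds a list. Suggest keeping the `include` line and dropping the two `eq` lines, or showing a single `should eq ['foo', 'bar']`.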

@ -6,6 +6,8 @@ title: About the bsd_service Resource
Use the `bsd_service` InSpec audit resource to test a service using a Berkeley OS-style `init` on the FreeBSD platform.
<br>
## Syntax
A `bsd_service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
@ -29,13 +31,11 @@ The path to the service manager's control may be specified for situations where
it { should be_running }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_enabled
@ -54,23 +54,3 @@ The `be_installed` matcher tests if the named service is installed:
The `be_running` matcher tests if the named service is running:
it { should be_running }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
## Examples
None.

@ -6,6 +6,8 @@ title: About the command Resource
Use the `command` InSpec audit resource to test an arbitrary command that is run on the system.
<br>
## Syntax
A `command` resource block declares a command to be run, one (or more) expected outputs, and the location to which that output is sent:
@ -21,56 +23,7 @@ where
* `'matcher'` is one of `exit_status`, `stderr`, or `stdout`
* `'output'` tests the output of the command run on the system versus the output value stated in the test
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### exist
The `exist` matcher tests if a command may be run on the system:
it { should exist }
### exit_status
The `exit_status` matcher tests the exit status for the command:
its('exit_status') { should eq 123 }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### stderr
The `stderr` matcher tests results of the command as returned in standard error (stderr):
its('stderr') { should eq 'error' }
### stdout
The `stdout` matcher tests results of the command as returned in standard output (stdout). The following example shows matching output using a regular expression:
describe command('echo 1') do
its('stdout') { should match (/[0-9]/) }
end
<br>
## Examples
@ -149,3 +102,35 @@ Wix includes serveral tools -- such as `candle` (preprocesses and compiles sourc
it { should be_file }
end
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exist
The `exist` matcher tests if a command may be run on the system:
it { should exist }
### exit_status
The `exit_status` matcher tests the exit status for the command:
its('exit_status') { should eq 123 }
### stderr
The `stderr` matcher tests results of the command as returned in standard error (stderr):
its('stderr') { should eq 'error' }
### stdout
The `stdout` matcher tests results of the command as returned in standard output (stdout). The following example shows matching output using a regular expression:
describe command('echo 1') do
its('stdout') { should match (/[0-9]/) }
end
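Review bot: the hunk header context shows `Wix includes serveral tools`, a typo for `several`. In the moved `stdout` example, `should match (/[0-9]/)` has a space between `match` and the opening parenthesis, which Ruby flags as an ambiguous first argument; write `should match(/[0-9]/)` or `should match /[0-9]/`, as the `bash` page does.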

@ -6,6 +6,8 @@ title: About the crontab Resource
Use the `crontab` InSpec audit resource to test the crontab entries for a particular user on the system. It recognizes special time strings (@yearly, @weekly, etc).
<br>
## Syntax
A `crontab` resource block declares a user (which defaults to the current user, if not specified), and then the details to be tested, such as the schedule elements for each crontab entry or the commands itself:
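Review bot: `or the commands itself` should be `or the commands themselves`, and `(@yearly, @weekly, etc)` is missing the period after `etc`.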
@ -14,29 +16,7 @@ A `crontab` resource block declares a user (which defaults to the current user,
its('commands') { should include '/some/scheduled/task.sh' }
end
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -82,3 +62,9 @@ The following examples show how to use this InSpec audit resource.
its('hours') { should cmp '-1' }
its('minutes') { should cmp '-1' }
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

@ -6,6 +6,8 @@ title: About the csv Resource
Use the `csv` InSpec audit resource to test configuration data in a CSV file.
<br>
## Syntax
A `csv` resource block declares the configuration data to be tested:
@ -20,36 +22,7 @@ where
* `name` is a configuration setting in a CSV file
* `should eq 'foo'` tests a value of `name` as read from a CSV file versus the value declared in the test
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### name
The `name` matcher tests the value of `name` as read from a CSV file versus the value declared in the test:
its('name') { should eq 'foo' }
<br>
## Examples
@ -60,3 +33,15 @@ The following examples show how to use this InSpec audit resource.
describe csv('some_file.csv') do
its('setting') { should eq 1 }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### name
The `name` matcher tests the value of `name` as read from a CSV file versus the value declared in the test:
its('name') { should eq 'foo' }
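Review bot: the `### name` entry moved here documents `name` as a matcher, but `name` is a placeholder for a column header (`* `name` is a configuration setting in a CSV file` in the Syntax section, and the example uses `its('setting')`), so listing it under Matchers suggests a real matcher called `name` exists. Suggest describing it as `its('column')` with the column header as the argument, or removing the entry since Syntax already covers it.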

@ -6,6 +6,7 @@ title: The dh_params Resource
Use the `dh_params` InSpec audit resource to test Diffie-Hellman (DH) parameters.
<br>
## Syntax

@ -6,6 +6,8 @@ title: About the directory Resource
Use the `directory` InSpec audit resource to test if the file type is a directory. This is equivalent to using the `file` resource and the `be_directory` matcher, but provides a simpler and more direct way to test directories. All of the matchers available to `file` may be used with `directory`.
<br>
## Syntax
A `directory` resource block declares the location of the directory to be tested, and then one (or more) matchers:
@ -14,30 +16,8 @@ A `directory` resource block declares the location of the directory to be tested
it { should MATCHER 'value' }
end
<br>
## Matchers
This resource may use any of the matchers available to the `file` resource that may be useful when testing a directory.
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
## Examples
None.
This resource may use any of the matchers available to the `file` resource that may be useful when testing a directory. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

@ -6,6 +6,8 @@ title: About the docker Resource
Use the `docker` InSpec audit resource to test configuration data for docker daemon. It is a very comprehensive resource. Please have a look at [docker_container](docker_container) and [docker_image](docker_image), too.
<br>
## Syntax
A `docker` resource block declares allows you to write test for many containers:
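Review bot: `A `docker` resource block declares allows you to write test for many containers` runs two verbs together and has a number error; suggest `A `docker` resource block allows you to write tests for many containers:`.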
@ -42,63 +44,7 @@ where
* `.where()` may specify a specific item and value, to which the matchers are compared
* `commands`, `ids`, `images`, `labels`, `local_volumes`, `mounts`, `names`, `networks`, `ports`, `sizes` and `'status'` are valid matchers for `containers`
## Matchers
This InSpec audit resource has the following matchers:
### containers
`containers` returns information about containers as returned by [docker ps -a](https://docs.docker.com/engine/reference/commandline/ps/). You can determine specific information about
describe docker.containers do
its('ids') { should include 'sha:71b5df59...442b' }
its('commands') { should_not include '/bin/sh' }
its('images') { should_not include 'u12:latest' }
its('ports') { should include '0.0.0.0:1234->1234/tcp' }
its('labels') { should include 'License=GPLv2,Vendor=CentOS' }
end
### images
`images` returns information about docker image as returned by [docker images](https://docs.docker.com/engine/reference/commandline/images/). You can determine specific information about
describe docker.images do
its('ids') { should include 'sha:12b5df59...442b' }
its('repositories') { should_not include 'my_image' }
its('tags') { should_not include 'unwanted_tag' }
its('sizes') { should_not include "1.41 GB" }
end
### version
`info` returns the parsed result of [docker version](https://docs.docker.com/engine/reference/commandline/version/)
describe docker.version do
its('Server.Version') { should cmp >= '1.12'}
its('Client.Version') { should cmp >= '1.12'}
end
### info
`info` returns the parsed result of [docker info](https://docs.docker.com/engine/reference/commandline/info/)
describe docker.info do
its('Configuration.Path') { should eq 'value' }
end
### object('id')
`object` returns low-level information about docker objects. It is calling [docker inspect](https://docs.docker.com/engine/reference/commandline/info/) under the hood.
describe docker.object(id) do
its('Configuration.Path') { should eq 'value' }
end
<br>
## Examples
@ -158,3 +104,60 @@ and then run:
Or execute the profile directly via URL:
$ inspec exec https://github.com/dev-sec/cis-docker-benchmark
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### containers
`containers` returns information about containers as returned by [docker ps -a](https://docs.docker.com/engine/reference/commandline/ps/). You can determine specific information about
describe docker.containers do
its('ids') { should include 'sha:71b5df59...442b' }
its('commands') { should_not include '/bin/sh' }
its('images') { should_not include 'u12:latest' }
its('ports') { should include '0.0.0.0:1234->1234/tcp' }
its('labels') { should include 'License=GPLv2,Vendor=CentOS' }
end
### images
`images` returns information about docker image as returned by [docker images](https://docs.docker.com/engine/reference/commandline/images/). You can determine specific information about
describe docker.images do
its('ids') { should include 'sha:12b5df59...442b' }
its('repositories') { should_not include 'my_image' }
its('tags') { should_not include 'unwanted_tag' }
its('sizes') { should_not include "1.41 GB" }
end
### version
`info` returns the parsed result of [docker version](https://docs.docker.com/engine/reference/commandline/version/)
describe docker.version do
its('Server.Version') { should cmp >= '1.12'}
its('Client.Version') { should cmp >= '1.12'}
end
### info
`info` returns the parsed result of [docker info](https://docs.docker.com/engine/reference/commandline/info/)
describe docker.info do
its('Configuration.Path') { should eq 'value' }
end
### object('id')
`object` returns low-level information about docker objects. It is calling [docker inspect](https://docs.docker.com/engine/reference/commandline/info/) under the hood.
describe docker.object(id) do
its('Configuration.Path') { should eq 'value' }
end
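Review bot: several defects travel with the moved Matchers block. Under `### version` the sentence says `` `info` returns the parsed result of docker version ``; it should say `version`. The `containers` and `images` descriptions both stop mid-sentence (`You can determine specific information about`). The `object` entry says it calls `docker inspect` but links to `.../commandline/info/`; the link should point at the `inspect` reference. And the example `docker.object(id)` uses an unquoted `id` while the heading reads `object('id')`; make the two agree.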

@ -6,6 +6,8 @@ title: About the docker_container Resource
Use the `docker_container` InSpec audit resource to test a docker container.
<br>
## Syntax
A `docker_container` resource block declares the configuration data to be tested:
@ -35,10 +37,30 @@ Alternatively, you can pass in the container id:
it { should be_running }
end
<br>
## Examples
The following examples show how to use this InSpec resource.
### Verify an running container:
describe docker_container('an-echo-server') do
it { should exist }
it { should be_running }
its('id') { should_not eq '' }
its('image') { should eq 'busybox:latest' }
its('repo') { should eq 'busybox' }
its('tag') { should eq 'latest' }
its('ports') { should eq [] }
its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### id
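Review bot: the moved example heading `### Verify an running container:` should read `### Verify a running container`; the trailing colon is also not used on the other example headings in this commit (`### Test a docker image`, `### Test if all selection lines contain the xattr rule`).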
@ -69,21 +91,3 @@ The `ports` matcher tests the value the docker ports:
The `command` matcher tests the value of the container run command:
its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
## Examples
The following examples show how to use this InSpec resource.
### Verify an running container:
describe docker_container('an-echo-server') do
it { should exist }
it { should be_running }
its('id') { should_not eq '' }
its('image') { should eq 'busybox:latest' }
its('repo') { should eq 'busybox' }
its('tag') { should eq 'latest' }
its('ports') { should eq [] }
its('command') { should eq 'nc -ll -p 1234 -e /bin/cat' }
end

@ -6,6 +6,8 @@ title: About the docker_image Resource
Use the `docker_image` InSpec audit resource to verify a docker image.
<br>
## Syntax
A `docker_image` resource block declares the image:
@ -35,10 +37,27 @@ You can also pass in repository and tag as separate values
...
end
<br>
## Examples
The following examples show how to use this InSpec `docker_image` resource.
### Test a docker image
describe docker_image('alpine:latest') do
it { should exist }
its('id') { should eq 'sha256:4a415e...a526' }
its('image') { should eq 'alpine:latest' }
its('repo') { should eq 'alpine' }
its('tag') { should eq 'latest' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exist
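Review bot: the new example `its('id') { should eq 'sha256:4a415e...a526' }` shows an abbreviated digest, but `eq` requires an exact match, so a reader who copies it into a profile gets a failing control. Either say in the prose that the id is shortened for display, or show a full-length digest placeholder; a control that pins an image by id should compare the whole digest rather than a prefix.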
@ -69,18 +88,3 @@ The `repo` matcher tests the value of the repository name:
The `tag` matcher tests the value of image tag:
its('tag') { should eq 'latest' }
## Examples
The following examples show how to use this InSpec `docker_image` resource.
### Test a docker image
describe docker_image('alpine:latest') do
it { should exist }
its('id') { should eq 'sha256:4a415e...a526' }
its('image') { should eq 'alpine:latest' }
its('repo') { should eq 'alpine' }
its('tag') { should eq 'latest' }
end

View file

@ -5,13 +5,14 @@ title: About the etc_fstab Resource
# etc_fstab
Use the `etc_fstab` InSpec audit resource to test information about all partitions and storage devices on a system.
<br>
## Syntax
An etc_fstab rule specifies a device name, its mount point, its mount type, the options its mounted with,
its dump options, and the order the files system should be checked.
## Syntax
Use the where clause to match a property to one or more rules in the fstab file.
describe etc_fstab.where { device_name == 'value' } do
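Review bot: the paragraph that now sits directly under the moved `## Syntax` heading has two typos worth fixing in the same change: `the options its mounted with` should be `the options it is mounted with`, and `the order the files system should be checked` should be `the order in which the file system should be checked`.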
@ -91,6 +92,8 @@ where
its('file_system_options') { should cmp 0 }
end
<br>
## Examples
The following examples show how to use this InSpec resource.

View file

@ -6,6 +6,8 @@ title: About the etc_group Resource
Use the `etc_group` InSpec audit resource to test groups that are defined on Linux and Unix platforms. The `/etc/group` file stores details about each group---group name, password, group identifier, along with a comma-separate list of users that belong to the group.
<br>
## Syntax
A `etc_group` resource block declares a collection of properties to be tested:
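Review bot: the context line `A \`etc_group\` resource block declares a collection of properties to be tested:` needs `An` before `\`etc_group\``; worth correcting while the heading above it is being changed.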
@ -28,64 +30,6 @@ where
* `.where()` may specify a specific item and value, to which the matchers are compared
* `'gids'`, `'groups'`, and `'users'` are valid matchers for this resource
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### gids
The `gids` matcher tests if the named group identifier is present or if it contains duplicates:
its('gids') { should_not contain_duplicates }
### groups
The `groups` matcher tests all groups for the named user:
its('groups') { should include 'my_group' }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### users
The `users` matcher tests all groups for the named user:
its('users') { should include 'my_user' }
### where
The `where` matcher allows the test to be focused to one (or more) specific items:
etc_group.where(item: 'value', item: 'value')
where `item` may be one (or more) of:
* `name: 'name'`
* `group_name: 'group_name'`
* `password: 'password'`
* `gid: 'gid'`
* `group_id: 'gid'`
* `users: 'user_name'`
* `members: 'member_name'`
## Examples
@ -114,3 +58,43 @@ The following examples show how to use this InSpec audit resource.
describe etc_group.where(name: 'my_group') do
its('users') { should include 'my_user' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### gids
The `gids` matcher tests if the named group identifier is present or if it contains duplicates:
its('gids') { should_not contain_duplicates }
### groups
The `groups` matcher tests all groups for the named user:
its('groups') { should include 'my_group' }
### users
The `users` matcher tests all groups for the named user:
its('users') { should include 'my_user' }
### where
The `where` matcher allows the test to be focused to one (or more) specific items:
etc_group.where(item: 'value', item: 'value')
where `item` may be one (or more) of:
* `name: 'name'`
* `group_name: 'group_name'`
* `password: 'password'`
* `gid: 'gid'`
* `group_id: 'gid'`
* `users: 'user_name'`
* `members: 'member_name'`
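Review bot: in the re-added section, `### users` is described with the same sentence as `### groups` (`tests all groups for the named user`), which is wrong for `users`; the example just above it, `describe etc_group.where(name: 'my_group') do` / `its('users') { should include 'my_user' }`, shows it tests the members of the named group, so the description should say so. Also, `etc_group.where(item: 'value', item: 'value')` repeats the same key, which a Ruby hash would collapse; showing two different keys from the list below (for example `etc_group.where(name: 'value', gid: 'value')`) avoids that confusion.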

View file

@ -9,6 +9,8 @@ Use the `etc_hosts` InSpec audit resource to test rules set to match IP addresse
An etc/hosts rule specifies an IP address and what its hostname is along with optional aliases it can have.
<br>
## Syntax
Use the where clause to match a property to one or more rules in the hosts file.
@ -31,10 +33,14 @@ where
* `primary_name` is the name associated with the ip address.
* `all_host_names` is a list including the primary_name as the first entry followed by any aliase names the host has.
<br>
## Supported Properties
'ip_address', 'primary_name', 'all_host_names'
<br>
## Property Examples and Return Types
### ip_address
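Review bot: the context line `\`all_host_names\` is a list including the primary_name as the first entry followed by any aliase names the host has.` has a typo (`aliase` should be `alias`), and `the ip address` on the preceding line should be `the IP address`. The new `## Supported Properties` section is also just a bare quoted list, `'ip_address', 'primary_name', 'all_host_names'`; a bullet list matching the `### ip_address` subsections that follow would read better.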

View file

@ -6,13 +6,13 @@ title: About the etc_hosts_allow Resource
Use the `etc_hosts_allow` InSpec audit resource to test rules set to accept daemon and client traffic set in /etc/hosts.allow file.
<br>
## Syntax
An etc/hosts.allow rule specifies one or more daemons mapped to one or more clients,
with zero or more options to use to accept traffic when found.
## Syntax
Use the where clause to match a property to one or more rules in the hosts.allow file.
describe etc_hosts_allow.where { daemon == 'value' } do
@ -33,10 +33,14 @@ where
* `client_list` is a list of clients will be allowed to pass traffic in.
* `options` is a list of tasks that to be done with the rule when traffic is found.
<br>
## Supported Properties
'daemon', 'client_list', 'options'
<br>
## Property Examples and Return Types
### daemon
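Review bot: the two context lines describing `client_list` and `options` are ungrammatical: `is a list of clients will be allowed to pass traffic in.` should be `is a list of clients that will be allowed to send traffic in.`, and `is a list of tasks that to be done with the rule when traffic is found.` should be `is a list of tasks to be done with the rule when traffic is found.`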

View file

@ -6,13 +6,13 @@ title: About the etc_hosts_deny Resource
Use the `etc_hosts_deny` InSpec audit resource to test rules set to reject daemon and client traffic set in /etc/hosts.deny.
<br>
## Syntax
An etc/hosts.deny rule specifies one or more daemons mapped to one or more clients,
with zero or more options to use to reject traffic when found.
## Syntax
Use the where clause to match a property to one or more rules in the hosts.deny file.
describe etc_hosts_deny.where { daemon == 'value' } do
@ -33,10 +33,14 @@ where
* `client_list` is a list of clients will be rejected to pass traffic in.
* `options` is a list of tasks that to be done with the rule when traffic is found.
<br>
## Supported Properties
'daemon', 'client_list', 'options'
<br>
## Property Examples and Return Types
### daemon
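Review bot: the context line `\`client_list\` is a list of clients will be rejected to pass traffic in.` does not parse; `is a list of clients whose traffic will be rejected.` says what is meant, and `\`options\` is a list of tasks that to be done` on the next line should drop `that`.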

View file

@ -6,6 +6,8 @@ title: About the file Resource
Use the `file` InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.
<br>
## Syntax
A `file` resource block declares the location of the file type to be tested, what type that file should be (if required), and then one (or more) matchers:
@ -20,321 +22,7 @@ where
* `MATCHER` is a valid matcher for this resource
* `'value'` is the value to be tested
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be\_block\_device
The `be_block_device` matcher tests if the file exists as a block device, such as `/dev/disk0` or `/dev/disk0s9`:
it { should be_block_device }
### be\_character\_device
The `be_character_device` matcher tests if the file exists as a character device (that corresponds to a block device), such as `/dev/rdisk0` or `/dev/rdisk0s9`:
it { should be_character_device }
### be_directory
The `be_directory` matcher tests if the file exists as a directory, such as `/etc/passwd`, `/etc/shadow`, or `/var/log/httpd`:
it { should be_directory }
### be_executable
The `be_executable` matcher tests if the file exists as an executable:
it { should be_executable }
The `be_executable` matcher may also test if the file is executable by a specific owner, group, or user. For example, a group:
it { should be_executable.by('group') }
an owner:
it { should be_executable.by('owner') }
any user other than the owner or members of the file's group:
it { should be_executable.by('others') }
a user:
it { should be_executable.by_user('user') }
### be_file
The `be_file` matcher tests if the file exists as a file. This can be useful with configuration files like `/etc/passwd` where there typically is not an associated file extension---`passwd.txt`:
it { should be_file }
### be\_grouped\_into
The `be_grouped_into` matcher tests if the file exists as part of the named group:
it { should be_grouped_into 'group' }
### be_immutable
The `be_immutable` matcher tests if the file is immutable, i.e. "cannot be changed":
it { should be_immutable }
### be\_linked\_to
The `be_linked_to` matcher tests if the file is linked to the named target:
it { should be_linked_to '/etc/target-file' }
### be_mounted
The `be_mounted` matcher tests if the file is accessible from the file system:
it { should be_mounted }
### be\_owned\_by
The `be_owned_by` matcher tests if the file is owned by the named user, such as `root`:
it { should be_owned_by 'root' }
### be_pipe
The `be_pipe` matcher tests if the file exists as first-in, first-out special file (`.fifo`) that is typically used to define a named pipe, such as `/var/log/nginx/access.log.fifo`:
it { should be_pipe }
### be_readable
The `be_readable` matcher tests if the file is readable:
it { should be_readable }
The `be_readable` matcher may also test if the file is readable by a specific owner, group, or user. For example, a group:
it { should be_readable.by('group') }
an owner:
it { should be_readable.by('owner') }
any user other than the owner or members of the file's group:
it { should be_readable.by('others') }
a user:
it { should be_readable.by_user('user') }
### be_setgid
The `be_setgid` matcher tests if the 'setgid' permission is set on the file or directory. On executable files, this causes the process to be started owned by the group that owns the file, rather than the primary group of the invocating user. This can result in escalation of privilege. On Linux, when setgid is set on directories, setgid causes newly created files and directories to be owned by the group that owns the setgid parent directory; additionally, newly created subdirectories will have the setgid bit set. To use this matcher:
it { should be_setgid }
### be_socket
The `be_socket` matcher tests if the file exists as socket (`.sock`), such as `/var/run/php-fpm.sock`:
it { should be_socket }
### be_sticky
The `be_sticky` matcher tests if the 'sticky bit' permission is set on the directory. On directories, this restricts file deletion to the owner of the file, even if the permission of the parent directory would normally permit deletion by others. This is commonly used on /tmp filesystems. To use this matcher:
it { should be_sticky }
### be_setuid
The `be_setuid` matcher tests if the 'setuid' permission is set on the file. On executable files, this causes the process to be started owned by the user that owns the file, rather than invocating user. This can result in escalation of privilege. To use this matcher:
it { should be_setuid }
### be_symlink
The `be_symlink` matcher tests if the file exists as a symbolic, or soft link that contains an absolute or relative path reference to another file:
it { should be_symlink }
### be_version
The `be_version` matcher tests the version of the file:
it { should be_version '1.2.3' }
### be_writable
The `be_writable` matcher tests if the file is writable:
it { should be_writable }
The `be_writable` matcher may also test if the file is writable by a specific owner, group, or user. For example, a group:
it { should be_writable.by('group') }
an owner:
it { should be_writable.by('owner') }
any user other than the owner or members of the file's group:
it { should be_writable.by('others') }
a user:
it { should be_writable.by_user('user') }
### cmp
<%= partial "/shared/matcher_cmp" %>
### content
The `content` matcher tests if contents in the file match the value specified in a regular expression. The values of the `content` matcher are arbitrary and depend on the file type being tested and also the type of information that is expected to be in that file:
its('content') { should match REGEX }
The following complete example tests the `pg_hba.conf` file in PostgreSQL for MD5 requirements. The tests look at all `host` and `local` settings in that file, and then compare the MD5 checksums against the values in the test:
describe file(hba_config_file) do
its('content') { should match(%r{local\s.*?all\s.*?all\s.*?md5}) }
its('content') { should match(%r{host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5}) }
its('content') { should match(%r{host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5})
end
### eq
<%= partial "/shared/matcher_eq" %>
### exist
The `exist` matcher tests if the named file exists:
it { should exist }
### file_version
The `file_version` matcher tests if the file's version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
its('file_version') { should eq '1.2.3' }
### group
The `group` matcher tests if the group to which a file belongs matches the specified value:
its('group') { should eq 'admins' }
### have_mode
The `have_mode` matcher tests if a file has a mode assigned to it:
it { should have_mode }
### include
<%= partial "/shared/matcher_include" %>
### link_path
The `link_path` matcher tests if the file exists at the specified path. If the file is a symlink,
InSpec will resolve the symlink and return the ultimate linked file:
its('link_path') { should eq '/some/path/to/file' }
### match
<%= partial "/shared/matcher_match" %>
### md5sum
The `md5sum` matcher tests if the MD5 checksum for a file matches the specified value:
its('md5sum') { should eq '3329x3hf9130gjs9jlasf2305mx91s4j' }
### mode
The `mode` matcher tests if the mode assigned to the file matches the specified value:
its('mode') { should cmp '0644' }
### mtime
The `mtime` matcher tests if the file modification time for the file matches the specified value:
its('mtime') { should eq 'October 31 2015 12:10:45' }
or:
describe file('/').mtime.to_i do
it { should <= Time.now.to_i }
it { should >= Time.now.to_i - 1000}
end
### owner
The `owner` matcher tests if the owner of the file matches the specified value:
its('owner') { should eq 'root' }
### product_version
The `product_version` matcher tests if the file's product version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
its('product_version') { should eq 2.3.4 }
### selinux_label
The `selinux_label` matcher tests if the SELinux label for a file matches the specified value:
its('selinux_label') { should eq 'system_u:system_r:httpd_t:s0' }
### sha256sum
The `sha256sum` matcher tests if the SHA-256 checksum for a file matches the specified value:
its('sha256sum') { should eq 'b837ch38lh19bb8eaopl8jvxwd2e4g58jn9lkho1w3ed9jbkeicalplaad9k0pjn' }
### size
The `size` matcher tests if a file's size matches, is greater than, or is less than the specified value. For example, equal:
its('size') { should eq 32375 }
Greater than:
its('size') { should > 64 }
Less than:
its('size') { should < 10240 }
### type
The `type` matcher tests if the first letter of the file's mode string contains one of the following characters:
* `-` or `f` (the file is a file); use `'file` to test for this file type
* `d` (the file is a directory); use `'directory` to test for this file type
* `l` (the file is a symbolic link); use `'link` to test for this file type
* `p` (the file is a named pipe); use `'pipe` to test for this file type
* `s` (the file is a socket); use `'socket` to test for this file type
* `c` (the file is a character device); use `'character` to test for this file type
* `b` (the file is a block device); use `'block` to test for this file type
* `D` (the file is a door); use `'door` to test for this file type
For example:
its('type') { should eq 'file' }
or:
its('type') { should eq 'socket' }
<br>
## Examples
@ -505,3 +193,300 @@ For example, for the following symlink:
it { should be_owned_by 'ovirtagent' }
it { should be_grouped_into 'ovirtagent' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be\_block\_device
The `be_block_device` matcher tests if the file exists as a block device, such as `/dev/disk0` or `/dev/disk0s9`:
it { should be_block_device }
### be\_character\_device
The `be_character_device` matcher tests if the file exists as a character device (that corresponds to a block device), such as `/dev/rdisk0` or `/dev/rdisk0s9`:
it { should be_character_device }
### be_directory
The `be_directory` matcher tests if the file exists as a directory, such as `/etc/passwd`, `/etc/shadow`, or `/var/log/httpd`:
it { should be_directory }
### be_executable
The `be_executable` matcher tests if the file exists as an executable:
it { should be_executable }
The `be_executable` matcher may also test if the file is executable by a specific owner, group, or user. For example, a group:
it { should be_executable.by('group') }
an owner:
it { should be_executable.by('owner') }
any user other than the owner or members of the file's group:
it { should be_executable.by('others') }
a user:
it { should be_executable.by_user('user') }
### be_file
The `be_file` matcher tests if the file exists as a file. This can be useful with configuration files like `/etc/passwd` where there typically is not an associated file extension---`passwd.txt`:
it { should be_file }
### be\_grouped\_into
The `be_grouped_into` matcher tests if the file exists as part of the named group:
it { should be_grouped_into 'group' }
### be_immutable
The `be_immutable` matcher tests if the file is immutable, i.e. "cannot be changed":
it { should be_immutable }
### be\_linked\_to
The `be_linked_to` matcher tests if the file is linked to the named target:
it { should be_linked_to '/etc/target-file' }
### be_mounted
The `be_mounted` matcher tests if the file is accessible from the file system:
it { should be_mounted }
### be\_owned\_by
The `be_owned_by` matcher tests if the file is owned by the named user, such as `root`:
it { should be_owned_by 'root' }
### be_pipe
The `be_pipe` matcher tests if the file exists as first-in, first-out special file (`.fifo`) that is typically used to define a named pipe, such as `/var/log/nginx/access.log.fifo`:
it { should be_pipe }
### be_readable
The `be_readable` matcher tests if the file is readable:
it { should be_readable }
The `be_readable` matcher may also test if the file is readable by a specific owner, group, or user. For example, a group:
it { should be_readable.by('group') }
an owner:
it { should be_readable.by('owner') }
any user other than the owner or members of the file's group:
it { should be_readable.by('others') }
a user:
it { should be_readable.by_user('user') }
### be_setgid
The `be_setgid` matcher tests if the 'setgid' permission is set on the file or directory. On executable files, this causes the process to be started owned by the group that owns the file, rather than the primary group of the invocating user. This can result in escalation of privilege. On Linux, when setgid is set on directories, setgid causes newly created files and directories to be owned by the group that owns the setgid parent directory; additionally, newly created subdirectories will have the setgid bit set. To use this matcher:
it { should be_setgid }
### be_socket
The `be_socket` matcher tests if the file exists as socket (`.sock`), such as `/var/run/php-fpm.sock`:
it { should be_socket }
### be_sticky
The `be_sticky` matcher tests if the 'sticky bit' permission is set on the directory. On directories, this restricts file deletion to the owner of the file, even if the permission of the parent directory would normally permit deletion by others. This is commonly used on /tmp filesystems. To use this matcher:
it { should be_sticky }
### be_setuid
The `be_setuid` matcher tests if the 'setuid' permission is set on the file. On executable files, this causes the process to be started owned by the user that owns the file, rather than invocating user. This can result in escalation of privilege. To use this matcher:
it { should be_setuid }
### be_symlink
The `be_symlink` matcher tests if the file exists as a symbolic, or soft link that contains an absolute or relative path reference to another file:
it { should be_symlink }
### be_version
The `be_version` matcher tests the version of the file:
it { should be_version '1.2.3' }
### be_writable
The `be_writable` matcher tests if the file is writable:
it { should be_writable }
The `be_writable` matcher may also test if the file is writable by a specific owner, group, or user. For example, a group:
it { should be_writable.by('group') }
an owner:
it { should be_writable.by('owner') }
any user other than the owner or members of the file's group:
it { should be_writable.by('others') }
a user:
it { should be_writable.by_user('user') }
### content
The `content` matcher tests if contents in the file match the value specified in a regular expression. The values of the `content` matcher are arbitrary and depend on the file type being tested and also the type of information that is expected to be in that file:
its('content') { should match REGEX }
The following complete example tests the `pg_hba.conf` file in PostgreSQL for MD5 requirements. The tests look at all `host` and `local` settings in that file, and then compare the MD5 checksums against the values in the test:
describe file(hba_config_file) do
its('content') { should match(%r{local\s.*?all\s.*?all\s.*?md5}) }
its('content') { should match(%r{host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5}) }
its('content') { should match(%r{host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5})
end
### exist
The `exist` matcher tests if the named file exists:
it { should exist }
### file_version
The `file_version` matcher tests if the file's version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
its('file_version') { should eq '1.2.3' }
### group
The `group` matcher tests if the group to which a file belongs matches the specified value:
its('group') { should eq 'admins' }
### have_mode
The `have_mode` matcher tests if a file has a mode assigned to it:
it { should have_mode }
### link_path
The `link_path` matcher tests if the file exists at the specified path. If the file is a symlink,
InSpec will resolve the symlink and return the ultimate linked file:
its('link_path') { should eq '/some/path/to/file' }
### md5sum
The `md5sum` matcher tests if the MD5 checksum for a file matches the specified value:
its('md5sum') { should eq '3329x3hf9130gjs9jlasf2305mx91s4j' }
### mode
The `mode` matcher tests if the mode assigned to the file matches the specified value:
its('mode') { should cmp '0644' }
### mtime
The `mtime` matcher tests if the file modification time for the file matches the specified value:
its('mtime') { should eq 'October 31 2015 12:10:45' }
or:
describe file('/').mtime.to_i do
it { should <= Time.now.to_i }
it { should >= Time.now.to_i - 1000}
end
### owner
The `owner` matcher tests if the owner of the file matches the specified value:
its('owner') { should eq 'root' }
### product_version
The `product_version` matcher tests if the file's product version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
its('product_version') { should eq 2.3.4 }
### selinux_label
The `selinux_label` matcher tests if the SELinux label for a file matches the specified value:
its('selinux_label') { should eq 'system_u:system_r:httpd_t:s0' }
### sha256sum
The `sha256sum` matcher tests if the SHA-256 checksum for a file matches the specified value:
its('sha256sum') { should eq 'b837ch38lh19bb8eaopl8jvxwd2e4g58jn9lkho1w3ed9jbkeicalplaad9k0pjn' }
### size
The `size` matcher tests if a file's size matches, is greater than, or is less than the specified value. For example, equal:
its('size') { should eq 32375 }
Greater than:
its('size') { should > 64 }
Less than:
its('size') { should < 10240 }
### type
The `type` matcher tests if the first letter of the file's mode string contains one of the following characters:
* `-` or `f` (the file is a file); use `'file` to test for this file type
* `d` (the file is a directory); use `'directory` to test for this file type
* `l` (the file is a symbolic link); use `'link` to test for this file type
* `p` (the file is a named pipe); use `'pipe` to test for this file type
* `s` (the file is a socket); use `'socket` to test for this file type
* `c` (the file is a character device); use `'character` to test for this file type
* `b` (the file is a block device); use `'block` to test for this file type
* `D` (the file is a door); use `'door` to test for this file type
For example:
its('type') { should eq 'file' }
or:
its('type') { should eq 'socket' }
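Review bot: the re-added `content` example is carried over with a syntax error: `its('content') { should match(%r{host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5})` is missing the closing `}`, so the `describe file(hba_config_file) do` block will not parse. In the same section, `its('product_version') { should eq 2.3.4 }` uses a bare `2.3.4`, which is not a valid Ruby literal; quote it as `'2.3.4'` like the `file_version` example does. The sample digests `'3329x3hf9130gjs9jlasf2305mx91s4j'` and `'b837ch38lh19bb8eaopl8jvxwd2e4g58jn9lkho1w3ed9jbkeicalplaad9k0pjn'` contain non-hex characters, so they can never equal a real MD5 or SHA-256 output; a valid hex string or an obvious placeholder would stop readers treating them as genuine checksums. Finally, the `type` list uses unbalanced quotes such as `use \`'file\``; each should be `'file'`, `'directory'`, and so on.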

View file

@ -8,6 +8,8 @@ Use the `firewalld` InSpec audit resource to test that firewalld is configured t
A firewalld has a number of zones that can be configured to allow and deny access to specific hosts, services, and ports.
<br>
## Syntax
describe firewalld do
@ -24,6 +26,8 @@ Use the where clause to test open interfaces, sources, and services in active zo
its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
its('services') { should cmp ['ssh', 'icmp'] }
end
<br>
## Supported Properties
@ -57,9 +61,11 @@ The `default_zone` property displays the default active zone to be used.
its('default_zone') { should eq 'public' }
<br>
## Matchers
This InSpec audit resource has the following matchers:
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### `be_installed`
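Review bot: the context heading `### \`be_installed\`` wraps the matcher name in backticks, which is inconsistent with the plain `### be_installed` style used in the other resource pages touched by this commit (the gem page uses `### be_installed` without backticks). Pick one style for matcher headings across the documentation.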

View file

@ -6,6 +6,8 @@ title: About the gem Resource
Use the `gem` InSpec audit resource to test if a global Gem package is installed.
<br>
## Syntax
A `gem` resource block declares a package and (optionally) a package version:
@ -20,41 +22,7 @@ where
* `('gem_binary')` can specify the path to a non-default gem binary, defaults to `'gem'`
* `be_installed` is a valid matcher for this resource
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be_installed
The `be_installed` matcher tests if the named Gem package is installed:
it { should be_installed }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### version
The `version` matcher tests if the named package version is on the system:
its('version') { should eq '0.33.0' }
<br>
## Examples
@ -90,3 +58,21 @@ The following examples show how to use this InSpec audit resource.
describe gem('knife-backup', :chef_server) do
it { should be_installed }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_installed
The `be_installed` matcher tests if the named Gem package is installed:
it { should be_installed }
### version
The `version` matcher tests if the named package version is on the system:
its('version') { should eq '0.33.0' }

View file

@ -6,6 +6,8 @@ title: About the group Resource
Use the `group` InSpec audit resource to test groups on the system.
<br>
## Syntax
A `group` resource block declares a group, and then the details to be tested, such as if the group is a local group, the group identifier, or if the group exists:
@ -20,13 +22,24 @@ where
* `'group_name'` must specify the name of a group on the system
* `exist` and `'gid'` are valid matchers for this resource
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Test the group identifier for the root group
describe group('root') do
it { should exist }
its('gid') { should eq 0 }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_local
@ -34,14 +47,6 @@ The `be_local` matcher tests if the group is a local group:
it { should be_local }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### exist
The `exist` matcher tests if the named user exists:
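Review bot: the context line `The \`exist\` matcher tests if the named user exists:` is a copy-paste error in the group resource page; it should read `tests if the named group exists:`, matching the example `describe group('root') do` / `it { should exist }` above it.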
@ -53,22 +58,3 @@ The `exist` matcher tests if the named user exists:
The `gid` matcher tests the named group identifier:
its('gid') { should eq 1234 }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
## Examples
The following examples show how to use this InSpec audit resource.
### Test the group identifier for the root group
describe group('root') do
it { should exist }
its('gid') { should eq 0 }
end

View file

@ -6,6 +6,8 @@ title: About the grub_conf Resource
Grub is a boot loader on the Linux platform used to load and then transfer control to an operating system kernel, after which that kernel initializes the rest of the operating system. Use the `grub_conf` InSpec audit resource to test boot loader configuration settings that are defined in the `grub.conf` configuration file.
<br>
## Syntax
A `grub_conf` resource block declares a list of settings in a `grub.conf` file:
@ -28,30 +30,7 @@ where
* `'kernel'` specifies the default kernel (by using `'default'`) or a specific kernel; `'default'` defines the position in the list of kernels at which the default kernel is defined, i.e. `should eq '0'` for the first kernel listed or `'path', 'default'` to use the default kernel as specified in the `grub.conf` file
* `'value'` is the value that is expected
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -113,3 +92,9 @@ The following test verifies the `ramdisk_size` for the non-deault kernel:
grub_conf('/etc/grub.conf', 'CentOS (2.6.32-573.12.1.el6.x86_64)') do
its('kernel') { should include 'audit=1' }
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
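Review bot: the context line `grub_conf('/etc/grub.conf', 'CentOS (2.6.32-573.12.1.el6.x86_64)') do` is missing the leading `describe`, so the example as shown is not a valid control. The hunk header's context line also has a typo, `non-deault kernel`, which should be `non-default kernel`. Since the new `## Matchers` section now holds only the link to the matchers page, a short sentence saying that `grub_conf` has no resource-specific matchers would make the empty-looking section intentional.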

View file

@ -6,6 +6,8 @@ title: About the host Resource
Use the `host` InSpec audit resource to test the name used to refer to a specific host and its availability, including the Internet protocols and ports over which that host name should be available.
<br>
## Syntax
A `host` resource block declares a host name, and then (depending on what is to be tested) a port and/or a protocol:
@ -25,48 +27,7 @@ where
* `port:` is the port number
* `protocol: 'name'` is the Internet protocol: TCP (`protocol: 'tcp'`), UDP (`protocol: 'udp'` or ICMP (`protocol: 'icmp'`))
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be_reachable
The `be_reachable` matcher tests if the host name is available:
it { should be_reachable }
### be_resolvable
The `be_resolvable` matcher tests for host name resolution, i.e. "resolvable to an IP address":
it { should be_resolvable }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### ipaddress
The `ipaddress` matcher tests if a host name is resolvable to a specific IP address:
its('ipaddress') { should include '93.184.216.34' }
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
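Review bot: the context line `* protocol: 'name' is the Internet protocol: TCP (protocol: 'tcp'), UDP (protocol: 'udp' or ICMP (protocol: 'icmp'))` has mismatched parentheses (the UDP group is never closed before ICMP opens); rewrite it as "TCP (`protocol: 'tcp'`), UDP (`protocol: 'udp'`) or ICMP (`protocol: 'icmp'`)". The `be_reachable`, `be_resolvable` and `ipaddress` sections removed here do reappear in the new Matchers section at the end of the file, so no resource-specific documentation is lost.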
@ -92,3 +53,27 @@ The following examples show how to use this InSpec audit resource.
its('connection') { should_not match /connection refused/ }
its('socket') { should match /STATUS_OK/ }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_reachable
The `be_reachable` matcher tests if the host name is available:
it { should be_reachable }
### be_resolvable
The `be_resolvable` matcher tests for host name resolution, i.e. "resolvable to an IP address":
it { should be_resolvable }
### ipaddress
The `ipaddress` matcher tests if a host name is resolvable to a specific IP address:
its('ipaddress') { should include '93.184.216.34' }

@ -10,6 +10,8 @@ Use the `http` InSpec audit resource to test an http endpoint.
<br>
This will be corrected in a future version of InSpec. New InSpec releases are posted in the <a href="https://discourse.chef.io/c/chef-release" target="_blank">Release Announcements Category in Discourse</a>.</p>
<br>
## Syntax
An `http` resource block declares the configuration settings to be tested:
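Review bot: the first `<br>` in this hunk lands immediately before the sentence "This will be corrected in a future version of InSpec ... </p>", i.e. inside the HTML `<p>` warning block whose closing tag is visible on the next line, so it changes the rendering of the warning box rather than the spacing around it; the `<br>` should go after the `</p>`, where the second one already is.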
@ -32,51 +34,7 @@ where
* `read_timeout` may be specified for a timeout for reading connections (default to 60)
* `ssl_verify` may be specified to enable or disable verification of SSL certificates (default to `true`)
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### body
The `body` matcher tests body content of http response:
its('body') { should eq 'hello\n' }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### headers
The `headers` matcher returns an hash of all http headers:
its('headers') { should eq {} }
Individual headers can be tested via:
its('headers.Content-Type') { should cmp 'text/html' }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### status
The `status` matcher tests status of the http response:
its('status') { should eq 200 }
<br>
## Examples
@ -102,3 +60,31 @@ For example, a service is listening on default http port can be tested like this
its('body') { should cmp 'pong' }
its('headers.Content-Type') { should cmp 'text/html' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### body
The `body` matcher tests body content of http response:
its('body') { should eq 'hello\n' }
### headers
The `headers` matcher returns an hash of all http headers:
its('headers') { should eq {} }
Individual headers can be tested via:
its('headers.Content-Type') { should cmp 'text/html' }
### status
The `status` matcher tests status of the http response:
its('status') { should eq 200 }
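Review bot: two Ruby defects are carried verbatim from the removed section into the new Matchers section and should be fixed while moving them: `its('body') { should eq 'hello\n' }` uses single quotes, in which `\n` is the two literal characters backslash and `n`, not a newline, so the intended comparison needs double quotes (`"hello\n"`); and `its('headers') { should eq {} }` is parsed by Ruby as `should(eq { })`, passing an empty block to `eq` and no argument, so it raises an ArgumentError instead of comparing against an empty hash (write `should eq({})`). Minor wording in the same lines: "returns an hash" should be "returns a hash", and "tests status of the http response" should be "tests the status of the HTTP response".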

@ -6,6 +6,8 @@ title: About the iis_app Resource
Use the `iis_app` InSpec audit resource to test the state of IIS on Windows Server 2012 (and later).
<br>
## Syntax
An `iis_app` resource block declares details about the named site:
@ -38,17 +40,34 @@ For example:
it { should have_path('\\My Application') }
end
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Test a default IIS web application
describe iis_app('Default Web Site') do
it { should exist }
it { should be_running }
it { should have_app_pool('DefaultAppPool') }
it { should have_binding('http *:80:') }
it { should have_path('%SystemDrive%\\inetpub\\wwwroot') }
end
### Test if IIS service is running
describe service('W3SVC') do
it { should be_installed }
it { should be_running }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exist
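Review bot: the example moved into this hunk, `it { should have_path('%SystemDrive%\\inetpub\\wwwroot') }`, passes a physical directory to `have_path`, while this resource's syntax block above uses `have_path('\\My Application')` for the application path and documents a separate `have_physical_path` matcher (`it { should have_physical_path('C:\\inetpub\\wwwroot') }`) further down the file; the example block is identical to the one in `iis_site`, where `have_path` does take a physical path, so please verify it was not copied across and change the example to `have_physical_path` if so.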
@ -95,32 +114,3 @@ Testing a web application with https enabled and http enabled:
The `have_physical_path` matcher tests if the named path is defined for the web application:
it { should have_physical_path('C:\\inetpub\\wwwroot') }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
## Examples
The following examples show how to use this InSpec audit resource.
### Test a default IIS web application
describe iis_app('Default Web Site') do
it { should exist }
it { should be_running }
it { should have_app_pool('DefaultAppPool') }
it { should have_binding('http *:80:') }
it { should have_path('%SystemDrive%\\inetpub\\wwwroot') }
end
### Test if IIS service is running
describe service('W3SVC') do
it { should be_installed }
it { should be_running }
end

@ -6,6 +6,8 @@ title: About the iis_site Resource
Use the `iis_site` InSpec audit resource to test the state of IIS on Windows Server 2012 (and later).
<br>
## Syntax
An `iis_site` resource block declares details about the named site:
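Review bot: the context line "Use the `iis_site` InSpec audit resource to test the state of IIS on Windows Server 2012 (and later)." is word-for-word the description used for `iis_app` in the previous file, so the two pages do not tell a reader which one tests a site and which one tests an application under a site; while this intro is being touched, make it "to test the state of an IIS site" and adjust the `iis_app` sentence the same way.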
@ -36,13 +38,34 @@ For example:
it { should have_path('C:\\inetpub\\wwwroot') }
end
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Test a default IIS site
describe iis_site('Default Web Site') do
it { should exist }
it { should be_running }
it { should have_app_pool('DefaultAppPool') }
it { should have_binding('http *:80:') }
it { should have_path('%SystemDrive%\\inetpub\\wwwroot') }
end
### Test if IIS service is running
describe service('W3SVC') do
it { should be_installed }
it { should be_running }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_running
@ -50,14 +73,6 @@ The `be_running` matcher tests if the site is running:
it { should be_running }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### exist
The `exist` matcher tests if the site exists:
@ -111,32 +126,3 @@ Testing a site with 128-bit SSL enabled:
The `have_path` matcher tests if the named path is defined for the site:
it { should have_path('C:\\inetpub\\wwwroot') }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
## Examples
The following examples show how to use this InSpec audit resource.
### Test a default IIS site
describe iis_site('Default Web Site') do
it { should exist }
it { should be_running }
it { should have_app_pool('DefaultAppPool') }
it { should have_binding('http *:80:') }
it { should have_path('%SystemDrive%\\inetpub\\wwwroot') }
end
### Test if IIS service is running
describe service('W3SVC') do
it { should be_installed }
it { should be_running }
end

@ -6,6 +6,8 @@ title: About the inetd_conf Resource
Use the `inetd_conf` InSpec audit resource to test if a service is listed in the `inetd.conf` file on Linux and Unix platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The `inetd.conf` file is typically located at `/etc/inetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.`
<br>
## Syntax
An `inetd_conf` resource block declares the list of services that are enabled in the `inetd.conf` file:
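Review bot: the context line describing the resource ends with a stray backtick after "only services that are required by the system should be enabled.`", which opens an unterminated code span in the rendered page; remove it in this change.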
@ -20,48 +22,7 @@ where
* `('path')` is the non-default path to the `inetd.conf` file
* `should eq 'value'` is the value that is expected
## Matchers
This resource matches any service that is listed in the `inetd.conf` file. You may want to ensure that specific services do not listen via `inetd.conf`:
its('shell') { should eq nil }
or:
its('netstat') { should eq nil }
or:
its('systat') { should eq nil }
For example:
describe inetd_conf do
its('shell') { should eq nil }
its('login') { should eq nil }
its('exec') { should eq nil }
end
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -97,3 +58,27 @@ then the same test will return `false` for `ftp` and the entire test will fail.
describe inetd_conf do
its('telnet') { should eq nil }
end
<br>
## Matchers
This resource matches any service that is listed in the `inetd.conf` file. You may want to ensure that specific services do not listen via `inetd.conf`. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
its('shell') { should eq nil }
or:
its('netstat') { should eq nil }
or:
its('systat') { should eq nil }
For example:
describe inetd_conf do
its('shell') { should eq nil }
its('login') { should eq nil }
its('exec') { should eq nil }
end
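Review bot: in the new Matchers section the sentence "For a full list of available matchers please visit our [matchers page]" has been spliced into the middle of the explanation, so the `its('shell') { should eq nil }` / `its('netstat')` / `its('systat')` examples that follow now read as illustrating the link sentence rather than the "ensure that specific services do not listen via `inetd.conf`" advice; move the link sentence to its own paragraph after the `describe inetd_conf do ... end` example, as the other files in this patch do.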

@ -6,6 +6,8 @@ title: About the ini Resource
Use the `ini` InSpec audit resource to test settings in an INI file.
<br>
## Syntax
An `ini` resource block declares the configuration settings to be tested:
@ -27,29 +29,7 @@ For example:
its('server') { should eq '192.0.2.62' }
end
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -67,3 +47,9 @@ and can be tested like this:
describe ini(/etc/php5/apache2/php.ini) do
its('smtp_port') { should eq('465') }
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
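Review bot: the context line `describe ini(/etc/php5/apache2/php.ini) do` passes the path unquoted, which Ruby parses as a regex literal followed by garbage and rejects as a syntax error; it should read `describe ini('/etc/php5/apache2/php.ini') do`, matching the quoted paths used elsewhere in the resource docs.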

@ -9,6 +9,8 @@ Use the `interface` InSpec audit resource to test basic network adapter properti
* On Linux platforms, `/sys/class/net/#{iface}` is used as source
* On the Windows platform, the `Get-NetAdapter` cmdlet is used as source
<br>
## Syntax
An `interface` resource block declares network interface properties to be tested:
@ -19,13 +21,11 @@ An `interface` resource block declares network interface properties to be tested
its('name') { should eq eth0 }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_up
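Review bot: the context line `its('name') { should eq eth0 }` leaves `eth0` unquoted, so Ruby treats it as an undefined method and the test errors out rather than comparing the interface name; it should be `should eq 'eth0'`.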
@ -33,22 +33,6 @@ The `be_up` matcher tests if the network interface is available:
it { should be_up }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### name
The `name` matcher tests if the named network interface exists:
@ -60,7 +44,3 @@ The `name` matcher tests if the named network interface exists:
The `speed` matcher tests the speed of the network interface, in MB/sec:
its('speed') { should eq 1000 }
## Examples
None.
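Review bot: the context line "The `speed` matcher tests the speed of the network interface, in MB/sec" with the example `its('speed') { should eq 1000 }` is inconsistent: a value of 1000 for a gigabit link is megabits per second (what the Linux `/sys/class/net/<iface>/speed` source named at the top of this file reports), not megabytes; state the unit as Mbit/s. Removing the empty "## Examples / None." section is fine.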

@ -6,6 +6,8 @@ title: About the iptables Resource
Use the `iptables` InSpec audit resource to test rules that are defined in `iptables`, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.
<br>
## Syntax
A `iptables` resource block declares tests for rules in IP tables:
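Review bot: the context line "A `iptables` resource block declares tests for rules in IP tables" needs "An `iptables`" (and "iptables" rather than "IP tables" is the tool's name); fix while the surrounding lines are being edited.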
@ -22,35 +24,7 @@ where
* `chain: 'name'` is the name of a user-defined chain or one of `ACCEPT`, `DROP`, `QUEUE`, or `RETURN`
* `have_rule('RULE')` tests that rule in the iptables list. This must match the entire line taken from `iptables -S CHAIN`.
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### have_rule
The `have_rule` matcher tests the named rule against the information in the `iptables` file:
it { should have_rule('RULE') }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
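Review bot: the context line "`chain: 'name'` is the name of a user-defined chain or one of `ACCEPT`, `DROP`, `QUEUE`, or `RETURN`" lists rule targets, not chains: the built-in chains are the ones the later example queries with `iptables -S INPUT` (INPUT, OUTPUT, FORWARD and the NAT/mangle equivalents), while ACCEPT/DROP/QUEUE/RETURN are what a rule jumps to; a profile author copying this description would look for rules in a chain that does not exist. Please correct the list in this change.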
@ -75,3 +49,15 @@ The following examples show how to use this InSpec audit resource.
end
Note that the rule specification must exactly match what's in the output of `iptables -S INPUT`, which will depend on how you've built your rules.
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### have_rule
The `have_rule` matcher tests the named rule against the information in the `iptables` file:
it { should have_rule('RULE') }
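Review bot: the moved description "tests the named rule against the information in the `iptables` file" is misleading because, as the syntax section and the note above ("must exactly match what's in the output of `iptables -S INPUT`") both say, the resource compares against the live `iptables -S CHAIN` output, not a file; reword to "against the output of `iptables -S` for the given table and chain".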

@ -6,6 +6,8 @@ title: About the json Resource
Use the `json` InSpec audit resource to test data in a JSON file.
<br>
## Syntax
A `json` resource block declares the data to be tested. Assume the following JSON file:
@ -34,36 +36,7 @@ where
* `name` is a configuration setting in a JSON file
* `should eq 'foo'` tests a value of `name` as read from a JSON file versus the value declared in the test
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### name
The `name` matcher tests the value of `name` as read from a JSON file versus the value declared in the test:
its('name') { should eq 'foo' }
<br>
## Examples
@ -74,3 +47,15 @@ The following examples show how to use this InSpec audit resource.
describe json('policyfile.lock.json') do
its(['cookbook_locks', 'omnibus', 'version']) { should eq('2.2.0') }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### name
The `name` matcher tests the value of `name` as read from a JSON file versus the value declared in the test:
its('name') { should eq 'foo' }
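Review bot: the `### name` section kept in the new Matchers list documents a placeholder rather than a matcher: `name` stands for any key in the JSON document, as the syntax bullets above say, and the real usage is the `its(['cookbook_locks', 'omnibus', 'version'])` form shown in the example just above; since this patch is reorganising the section anyway, either drop `### name` (the link to the matchers page covers `eq`) or retitle it to make clear that `name` is any top-level or nested key.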

@ -12,6 +12,8 @@ The `kernel_module` resource can also verify if a kernel module is `blacklisted`
or if a module is disabled via a fake install using the `bin_true` or `bin_false`
method.
<br>
## Syntax
A `kernel_module` resource block declares a module name, and then tests if that
@ -32,13 +34,65 @@ where
* `{ should be_blacklisted }` tests if the module is blacklisted or if the module is disabled via a fake install using /bin/false or /bin/true
* `{ should be_disabled }` tests if the module is disabled via a fake install using /bin/false or /bin/true
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Test a modules 'version'
describe kernel_module('bridge') do
it { should be_loaded }
its(:version) { should cmp >= '2.2.2' }
end
### Test if a module is loaded, not disabled and not blacklisted
describe kernel_module('video') do
it { should be_loaded }
it { should_not be_disabled }
it { should_not be_blacklisted }
end
### Check if a module is blacklisted
describe kernel_module('floppy') do
it { should be_blacklisted }
end
### Ensure a module is *not* blacklisted and it is loaded
describe kernel_module('video') do
it { should_not be_blacklisted }
it { should be_loaded }
end
### Ensure a module is disabled via 'bin_false'
describe kernel_module('sstfb') do
it { should_not be_loaded }
it { should be_disabled }
end
### Ensure a module is 'blacklisted'/'disabled' via 'bin_true'
describe kernel_module('nvidiafb') do
it { should_not be_loaded }
it { should be_blacklisted }
end
### Ensure a module is not loaded
describe kernel_module('dhcp') do
it { should_not be_loaded }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_loaded
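Review bot: the example heading moved into this hunk, "### Test a modules 'version'", needs the possessive ("Test a module's version"); the quotes around 'version' also read as a literal and can go. The `<br>` before `## Examples` and `## Matchers` is the same raw-HTML spacing issue raised on the first file.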
@ -46,76 +100,8 @@ The `be_loaded` matcher tests if the module is a loadable kernel module:
it { should be_loaded }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### version
The `version` matcher tests if the named module version is on the system:
its(:version) { should eq '3.2.2' }
## Examples
The following examples show how to use this InSpec audit resource.
### Test a modules 'version'
describe kernel_module('bridge') do
it { should be_loaded }
its(:version) { should cmp >= '2.2.2' }
end
### Test if a module is loaded, not disabled and not blacklisted
describe kernel_module('video') do
it { should be_loaded }
it { should_not be_disabled }
it { should_not be_blacklisted }
end
### Check if a module is blacklisted
describe kernel_module('floppy') do
it { should be_blacklisted }
end
### Ensure a module is *not* blacklisted and it is loaded
describe kernel_module('video') do
it { should_not be_blacklisted }
it { should be_loaded }
end
### Ensure a module is disabled via 'bin_false'
describe kernel_module('sstfb') do
it { should_not be_loaded }
it { should be_disabled }
end
### Ensure a module is 'blacklisted'/'disabled' via 'bin_true'
describe kernel_module('nvidiafb') do
it { should_not be_loaded }
it { should be_blacklisted }
end
### Ensure a module is not loaded
describe kernel_module('dhcp') do
it { should_not be_loaded }
end
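Review bot: this hunk removes the `### version` section ("The `version` matcher tests if the named module version is on the system: `its(:version) { should eq '3.2.2' }`") together with the shared-partial sections, but `version` is resource-specific and is still used by the `its(:version) { should cmp >= '2.2.2' }` example kept above; keep `### version` in the new Matchers list alongside `be_loaded`, `be_blacklisted` and `be_disabled`.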

@ -6,6 +6,8 @@ title: About the kernel_parameter Resource
Use the `kernel_parameter` InSpec audit resource to test kernel parameters on Linux platforms.
<br>
## Syntax
A `kernel_parameter` resource block declares a parameter and then a value to be tested:
@ -19,35 +21,7 @@ where
* `'kernel.parameter'` must specify a kernel parameter, such as `'net.ipv4.conf.all.forwarding'`
* `{ should eq 0 }` states the value to be tested
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### value
The `value` matcher tests the value assigned to the named IP address versus the value declared in the test:
its('value') { should eq 0 }
<br>
## Examples
@ -70,3 +44,15 @@ The following examples show how to use this InSpec audit resource.
describe kernel_parameter('net.ipv6.conf.interface.accept_redirects') do
its('value') { should eq 'true' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### value
The `value` matcher tests the value assigned to the named IP address versus the value declared in the test:
its('value') { should eq 0 }
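Review bot: the moved description "The `value` matcher tests the value assigned to the named IP address" is a copy-paste leftover; this resource tests a kernel parameter, so say "assigned to the named kernel parameter". In the same hunk the context example `its('value') { should eq 'true' }` for `net.ipv6.conf.interface.accept_redirects` compares against the string `'true'`, whereas the syntax section and the `value` example both compare against the integer `0`; sysctl reports this parameter as `0`/`1`, so the example should use `should eq 1` (or `cmp 1`) to be consistent and to actually pass.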

@ -8,6 +8,7 @@ Use the `key_rsa` InSpec audit resource to test RSA public/private keypairs.
This resource is mainly useful when used in conjunction with the x509_certificate resource but it can also be used for checking SSH keys.
<br>
## Syntax
@ -26,6 +27,8 @@ You can use an optional passphrase with `key_rsa`
it { should be_private }
end
<br>
## Supported Properties
### public?

@ -6,6 +6,8 @@ title: About the launchd_service Resource
Use the ``launchd_service`` InSpec audit resource to test a service using Launchd.
<br>
## Syntax
A ``launchd_service`` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
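Review bot: the context lines use double backticks (``launchd_service``) for inline code while every other resource page in this patch uses single backticks; normalise to single backticks while this file is being edited.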
@ -29,13 +31,11 @@ The path to the service manager's control may be specified for situations where
it { should be_running }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_enabled
@ -54,23 +54,3 @@ The `be_installed` matcher tests if the named service is installed:
The `be_running` matcher tests if the named service is running:
it { should be_running }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
## Examples
None.

@ -17,6 +17,8 @@ Entries in the `limits.conf` file are similar to:
^^^^^^^^^ ^^^^ ^^^^^^ ^^^^^
domain type item value
<br>
## Syntax
A `limits_conf` resource block declares a domain to be tested, along with associated type, item, and value:
@ -34,39 +36,7 @@ where
* `'item'` is the item for which limits are defined, such as `core`, `nofile`, `stack`, `nproc`, `priority`, or `maxlogins`
* `'value'` is the value associated with the `item`
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### domain
The `domain` matcher tests the domain in the `limits.conf` file, along with associated type, item, and value:
its('domain') { should include ['type', 'item', 'value'] }
`
For example:
its('grantmc') { should include ['hard', 'nofile', '63536'] }
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -78,3 +48,19 @@ The following examples show how to use this InSpec audit resource.
its('*') { should include ['soft', 'core', '0'], ['hard', 'rss', '10000'] }
its('ftp') { should eq ['hard', 'nproc', '0'] }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### domain
The `domain` matcher tests the domain in the `limits.conf` file, along with associated type, item, and value:
its('domain') { should include ['type', 'item', 'value'] }
`
For example:
its('grantmc') { should include ['hard', 'nofile', '63536'] }
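Review bot: the lone backtick on its own line between `its('domain') { should include ['type', 'item', 'value'] }` and "For example:" is debris that was present in the removed section and has been carried into the new Matchers section; delete it, as it opens an unterminated code span in the rendered page.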

@ -6,6 +6,8 @@ title: About the login_defs Resource
Use the `login_defs` InSpec audit resource to test configuration settings in the `/etc/login.defs` file. The `logins.defs` file defines site-specific configuration for the shadow password suite on Linux and Unix platforms, such as password expiration ranges, minimum/maximum values for automatic selection of user and group identifiers, or the method with which passwords are encrypted.
<br>
## Syntax
A `login_defs` resource block declares the `login.defs` configuration data to be tested:
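Review bot: the context line refers to "The `logins.defs` file" while the rest of the sentence and the syntax section use `/etc/login.defs`; correct the filename to `login.defs` in this change.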
@ -19,36 +21,7 @@ where
* `name` is a configuration setting in `login.defs`
* `{ should include('foo') }` tests the value of `name` as read from `login.defs` versus the value declared in the test
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### name
The `name` matcher tests the value of `name` as read from `login.defs` versus the value declared in the test:
its('name') { should eq 'foo' }
<br>
## Examples
@ -75,3 +48,15 @@ The following examples show how to use this InSpec audit resource.
its('UMASK') { should eq '077' }
its('PASS_MAX_DAYS') { should eq '90' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### name
The `name` matcher tests the value of `name` as read from `login.defs` versus the value declared in the test:
its('name') { should eq 'foo' }

@ -6,6 +6,8 @@ title: About the mount Resource
Use the `mount` InSpec audit resource to test the mount points on FreeBSD and Linux systems.
<br>
## Syntax
An `mount` resource block declares the synchronization settings that should be tested:
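Review bot: the context line "An `mount` resource block declares the synchronization settings that should be tested" needs "A `mount`", and "synchronization settings" is a leftover from another resource's page; this block declares the mount point (device, file system type and mount options, per the matchers further down) to be tested.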
@ -20,54 +22,7 @@ where
* `MATCHER` is a valid matcher for this resource
* `'value'` is the value to be tested
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be_mounted
The `be_mounted` matcher tests if the file is accessible from the file system:
it { should be_mounted }
### cmp
<%= partial "/shared/matcher_cmp" %>
### device
The `device` matcher tests the device from the `fstab` table:
its('device') { should eq '/dev/mapper/VolGroup-lv_root' }
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### options
The `options` matcher tests the mount options for the file system from the `fstab` table:
its('options') { should eq ['rw', 'mode=620'] }
### type
The `type` matcher tests the file system type:
its('type') { should eq 'ext4' }
<br>
## Examples
@ -81,3 +36,33 @@ The following examples show how to use this InSpec audit resource.
its('type') { should eq 'ext4' }
its('options') { should eq ['rw', 'mode=620'] }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_mounted
The `be_mounted` matcher tests if the file is accessible from the file system:
it { should be_mounted }
### device
The `device` matcher tests the device from the `fstab` table:
its('device') { should eq '/dev/mapper/VolGroup-lv_root' }
### options
The `options` matcher tests the mount options for the file system from the `fstab` table:
its('options') { should eq ['rw', 'mode=620'] }
### type
The `type` matcher tests the file system type:
its('type') { should eq 'ext4' }
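Review bot: the moved description "The `be_mounted` matcher tests if the file is accessible from the file system" does not match what the resource checks; the argument to `mount` is a mount point, so say "tests if the mount point is currently mounted". The `device`, `options` and `type` descriptions reference "the `fstab` table", which is only right if the resource reads `/etc/fstab` rather than the active mount table; please confirm and word accordingly.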

@ -6,6 +6,8 @@ title: About the mssql_session Resource
Use the `mssql_session` InSpec audit resource to test SQL commands run against a Microsoft SQL database.
<br>
## Syntax
A `mssql_session` resource block declares the username and password to use for the session, and then the command to be run:
@ -20,18 +22,7 @@ where
* `query('QUERY')` contains the query to be run
* `its('value') { should eq('') }` compares the results of the query against the expected result in the test
## Matchers
This InSpec audit resource has the following matchers:
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
<br>
## Examples
@ -60,3 +51,9 @@ The following examples show how to use this InSpec audit resource.
describe sql.query("SELECT SERVERPROPERTY('ProductVersion') as result").row(0).column('result') do
its("value") { should cmp > '12.00.4457' }
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

@ -6,6 +6,8 @@ title: About the mysql_conf Resource
Use the `mysql_conf` InSpec audit resource to test the contents of the configuration file for MySQL, typically located at `/etc/mysql/my.cnf` or `/etc/my.cnf`.
<br>
## Syntax
A `mysql_conf` resource block declares one (or more) settings in the `my.cnf` file, and then compares the setting in the configuration file to the value stated in the test:
@ -31,38 +33,7 @@ where
* `('path')` is the non-default path to the `my.cnf` file
* `should eq 'value'` is the value that is expected
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### setting
The `setting` matcher tests specific, named settings in the `my.cnf` file:
its('setting') { should eq 'value' }
Use a `setting` matcher for each setting to be tested.
<br>
## Examples
@ -111,3 +82,17 @@ The following examples show how to use this InSpec audit resource.
describe mysql_conf.params('mysqld') do
its('safe-user-create') { should eq('1') }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### setting
The `setting` matcher tests specific, named settings in the `my.cnf` file:
its('setting') { should eq 'value' }
Use a `setting` matcher for each setting to be tested.

@ -6,6 +6,8 @@ title: About the mysql_session Resource
Use the `mysql_session` InSpec audit resource to test SQL commands run against a MySQL database.
<br>
## Syntax
A `mysql_session` resource block declares the username and password to use for the session, and then the command to be run:
@ -20,35 +22,7 @@ where
* `query('QUERY')` contains the query to be run
* `its('output') { should eq('') }` compares the results of the query against the expected result in the test
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### output
The `output` matcher tests the results of the query:
its('output') { should eq(/^0/) }
<br>
## Examples
@ -73,3 +47,15 @@ The following examples show how to use this InSpec audit resource.
### Alternate Connection: Using a socket
sql = mysql_session('my_user','password', nil, nil, '/var/lib/mysql-default/mysqld.sock')
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### output
The `output` matcher tests the results of the query:
its('output') { should eq(/^0/) }
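Review bot: the moved example `its('output') { should eq(/^0/) }` can never pass: `eq` compares with `==`, and a String is never equal to a Regexp object, so the regular expression form needs `should match(/^0/)` (or `should cmp '0'` for an exact value). Since the example is being relocated, fix it here rather than carrying the defect into the new section.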

@ -8,6 +8,8 @@ Use the `nginx` InSpec audit resource to test the fields and validity of nginx.
Nginx resource extracts and exposes data reported by the command 'nginx -V'
<br>
## Syntax
An `nginx` InSpec audit resource block extracts configuration settings that should be tested:
@ -25,10 +27,14 @@ where
* `'attribute'` is a configuration parsed from result of the command 'nginx -V'
* `'value'` is the value that is expected of the attribute
<br>
## Supported Properties
* 'compiler_info', 'error_log_path', 'http_client_body_temp_path', 'http_fastcgi_temp_path', 'http_log_path', 'http_proxy_temp_path', 'http_scgi_temp_path', 'http_uwsgi_temp_path', 'lock_path', 'modules', 'modules_path', 'openssl_version', 'prefix', 'sbin_path', 'service', 'support_info', 'version'
<br>
## Property Examples and Return Types
### version(String)

@ -8,6 +8,8 @@ Use the `nginx_conf` InSpec resource to test configuration data for the NGINX se
**Stability: Experimental**
<br>
## Syntax
An `nginx_conf` resource block declares the client NGINX configuration data to be tested:
@ -23,10 +25,32 @@ where
* `params['pid']` selects the `pid` entry from the global NGINX configuration
* `{ should cmp 'logs/nginx.pid' }` tests if the PID is set to `logs/nginx.pid` (via `cmp` matcher)
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Find a specific server
servers = nginx_conf.servers
domain2 = servers.find { |s| s.params['server_name'].flatten.include? 'domain2.com' }
describe 'No server serves domain2' do
subject { domain2 }
it { should be_nil }
end
### Test a raw parameter
describe nginx_conf.params['worker_processes'].flatten do
it { should cmp 5 }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### http
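Review bot: the new Matchers introduction ("This InSpec audit resource has the following matchers...") is immediately followed by `### http`, which documents the `http`/`servers`/`locations` accessors and their `params`, not matchers; either retitle that subsection group as properties or move the link-only Matchers intro to the end, as the other resource pages in this commit do. Separately, the Examples block moved up here uses a bare `describe 'No server serves domain2' do` with `subject { domain2 }`, which is fine, but the leading `servers = ...` / `domain2 = ...` lines should be kept indented with the rest of the snippet so they render inside the same code block.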
@ -101,22 +125,3 @@ Locations provide access to their parent server entry and raw parameters:
location.params
=> {"_"=>["~", "\\.php$"], "fastcgi_pass"=>[["127.0.0.1:1025"]]}
## Examples
The following examples show how to use this InSpec audit resource.
### Find a specific server
servers = nginx_conf.servers
domain2 = servers.find { |s| s.params['server_name'].flatten.include? 'domain2.com' }
describe 'No server serves domain2' do
subject { domain2 }
it { should be_nil }
end
### Test a raw parameter
describe nginx_conf.params['worker_processes'].flatten do
it { should cmp 5 }
end

View file

@ -6,6 +6,7 @@ title: About the npm Resource
Use the `npm` InSpec audit resource to test if a global NPM package is installed. NPM is the the package manager for Node.js packages (https://docs.npmjs.com), such as Bower and StatsD.
<br>
## Syntax
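Review bot: the context line `NPM is the the package manager for Node.js packages` has a doubled "the"; since this hunk touches the paragraph, fix it here ("NPM is the package manager for Node.js packages").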
@ -20,42 +21,7 @@ where
* `('npm_package_name')` must specify an NPM package, such as `'bower'` or `'statsd'`
* `be_installed` is a valid matcher for this resource
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be_installed
The `be_installed` matcher tests if the named Gem package and package version (if specified) is installed:
it { should be_installed }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### version
The `version` matcher tests if the named package version is on the system:
its('version') { should eq '1.2.3' }
<br>
## Examples
@ -73,3 +39,21 @@ The following examples show how to use this InSpec audit resource.
describe npm('statsd') do
it { should_not be_installed }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_installed
The `be_installed` matcher tests if the named Gem package and package version (if specified) is installed:
it { should be_installed }
### version
The `version` matcher tests if the named package version is on the system:
its('version') { should eq '1.2.3' }
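Review bot: the `be_installed` description carried over into the new Matchers section says "tests if the named Gem package and package version (if specified) is installed", but this is the `npm` resource; the wording was copied from the `gem` page and should read "the named NPM package". The `version` example `its('version') { should eq '1.2.3' }` is fine as a placeholder.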

View file

@ -6,6 +6,7 @@ title: About the ntp_conf Resource
Use the `ntp_conf` InSpec audit resource to test the synchronization settings defined in the `ntp.conf` file. This file is typically located at `/etc/ntp.conf`.
<br>
## Syntax
@ -21,44 +22,7 @@ where
* `('path')` is the non-default path to the `ntp.conf` file
* `{ should eq 'value' }` is the value that is expected
## Matchers
This resource matches any service that is listed in the `ntp.conf` file:
its('server') { should_not eq nil }
or:
its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
For example:
describe ntp_conf do
its('server') { should_not eq nil }
its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
end
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -74,3 +38,22 @@ The following examples show how to use this InSpec audit resource.
2.ubuntu.pool.ntp.org
] }
end
<br>
## Matchers
This resource matches any service that is listed in the `ntp.conf` file. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
its('server') { should_not eq nil }
or:
its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
For example:
describe ntp_conf do
its('server') { should_not eq nil }
its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
end
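Review bot: in the relocated Matchers section the sentence "This resource matches any service that is listed in the `ntp.conf` file" is misleading, since `server` and `restrict` are directives, not services, and the matchers-page link sentence now runs straight into the `its('server') { should_not eq nil }` line with no lead-in. Suggest "This resource exposes the directives in `ntp.conf` as matchers, for example:" before the code, with the link sentence on its own line after the example. Also `its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}` is missing a space before the closing `}`.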

View file

@ -6,6 +6,8 @@ title: About the oneget Resource
Use the `oneget` InSpec audit resource to test if the named package and/or package version is installed on the system. This resource uses Oneget, which is `part of the Windows Management Framework 5.0 and Windows 10 <https://github.com/OneGet/oneget>`__. This resource uses the `Get-Package` cmdlet to return all of the package names in the Oneget repository.
<br>
## Syntax
A `oneget` resource block declares a package and (optionally) a package version:
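Review bot: the context sentence still contains reStructuredText link syntax, `` `part of the Windows Management Framework 5.0 and Windows 10 <https://github.com/OneGet/oneget>`__ ``, which Markdown will render as literal backticks and underscores; convert it to `[part of the Windows Management Framework 5.0 and Windows 10](https://github.com/OneGet/oneget)` while this hunk is open. "A `oneget` resource block" should also be "A `oneget`" → "An `oneget`" is not needed since "oneget" starts with a consonant sound; leave as is.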
@ -19,42 +21,7 @@ where
* `('name')` must specify the name of a package, such as `'VLC'`
* `be_installed` is a valid matcher for this resource
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be_installed
The `be_installed` matcher tests if the named package is installed on the system:
it { should be_installed }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### version
The `version` matcher tests if the named package version is on the system:
its('version') { should eq '1.2.3' }
<br>
## Examples
@ -65,3 +32,21 @@ The following examples show how to use this InSpec audit resource.
describe oneget('VLC') do
it { should be_installed }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_installed
The `be_installed` matcher tests if the named package is installed on the system:
it { should be_installed }
### version
The `version` matcher tests if the named package version is on the system:
its('version') { should eq '1.2.3' }

View file

@ -6,6 +6,8 @@ title: About the oracledb_session Resource
Use the `oracledb_session` InSpec audit resource to test SQL commands run against a Oracle database.
<br>
## Syntax
A `oracledb_session` resource block declares the username and password to use for the session with an optional service to connect to, and then the command to be run:
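Review bot: two article errors in the context lines of this hunk: "run against a Oracle database" should be "an Oracle database", and "A `oracledb_session` resource block" should be "An `oracledb_session` resource block".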
@ -20,17 +22,7 @@ where
* `query('QUERY')` contains the query to be run
* `its('value') { should eq('') }` compares the results of the query against the expected result in the test
## Matchers
This InSpec audit resource has the following matchers:
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
<br>
## Examples
@ -51,3 +43,9 @@ The following examples show how to use this InSpec audit resource.
describe sql.query('SELECT NAME FROM v$database;').row(0).column('name') do
its('value') { should cmp 'ORCL' }
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
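Review bot: the new Matchers section for `oracledb_session` now contains only the link sentence, yet the Syntax block (`its('value') { should eq('') }`) and the example `describe sql.query('SELECT NAME FROM v$database;').row(0).column('name') do` / `its('value') { should cmp 'ORCL' }` rely on a `value` accessor that is documented nowhere on the page; add a short `### value` entry (and mention `row`/`column`) so the link-only section is not empty.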

View file

@ -6,6 +6,8 @@ title: About the os Resource
Use the `os` InSpec audit resource to test the platform on which the system is running.
<br>
## Syntax
An `os` resource block declares the platform to be tested. The platform may specified via matcher or control block name. For example, using a matcher:
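Review bot: the context sentence "The platform may specified via matcher or control block name" is missing a verb; it should read "The platform may be specified via a matcher or a control block name".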
@ -22,29 +24,35 @@ or using the block name:
* `'platform_name'` (a string) or `:family_name` (a symbol) is one of `aix`, `bsd`, `darwin`, `debian`, `hpux`, `linux`, `redhat`, `solaris`, `suse`, `unix`, or `windows`
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Test for RedHat
describe os[:family] do
it { should eq 'redhat' }
end
### Test for Ubuntu
describe os[:family] do
it { should eq 'debian' }
end
### Test for Microsoft Windows
describe os[:family] do
it { should eq 'windows' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
## os.family? Helpers
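Review bot: the moved example headed `### Test for Ubuntu` checks `its('family') { should eq 'debian' }` through `describe os[:family] do`, which passes on any Debian-family platform, not just Ubuntu; either retitle it "Test for the Debian family" or make it test the platform name rather than the family (the preceding bullet lists `'platform_name'` as an option). The same `os[:family]` pattern under "Test for RedHat" and "Test for Microsoft Windows" is accurate because the heading names the family.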
@ -130,25 +138,3 @@ For example, both of the following tests should have the same result:
its('processes') { should include 'xinetd' }
end
end
## Examples
The following examples show how to use this InSpec audit resource.
### Test for RedHat
describe os[:family] do
it { should eq 'redhat' }
end
### Test for Ubuntu
describe os[:family] do
it { should eq 'debian' }
end
### Test for Microsoft Windows
describe os[:family] do
it { should eq 'windows' }
end

View file

@ -6,6 +6,8 @@ title: About the os_env Resource
Use the `os_env` InSpec audit resource to test the environment variables for the platform on which the system is running.
<br>
## Syntax
A `os_env` resource block declares an environment variable, and then declares its value:
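Review bot: "A `os_env` resource block declares an environment variable" should be "An `os_env` resource block" (vowel-initial name), and the trailing "and then declares its value" would be clearer as "and then the value to test it against".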
@ -19,50 +21,7 @@ where
* `('VARIABLE')` must specify an environment variable, such as `PATH`
* `matcher` is a valid matcher for this resource
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### content
The `content` matcher return the value of the environment variable:
its('content') { should eq '/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin' }
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### split
The `split` splits the content with the `:` deliminator:
its('split') { should include (':') }
or:
its('split') { should_not include ('.') }
Use `-1` to test for cases where there is a trailing colon (`:`), such as `dir1::dir2:`:
its('split') { should include ('-1') }
<br>
## Examples
@ -96,3 +55,29 @@ Habitat uses the `os_env` resource to test environment variables. The environmen
its('content') { should eq nil }
end
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### content
The `content` matcher return the value of the environment variable:
its('content') { should eq '/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin' }
### split
The `split` splits the content with the `:` deliminator:
its('split') { should include (':') }
or:
its('split') { should_not include ('.') }
Use `-1` to test for cases where there is a trailing colon (`:`), such as `dir1::dir2:`:
its('split') { should include ('-1') }
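Review bot: the `split` examples moved into the new Matchers section cannot behave as described: `its('split') { should include (':') }` asks for a `:` element in an array that was produced by splitting on `:`, so no element can ever contain the delimiter, and `its('split') { should include ('-1') }` tests for a literal string `"-1"` element, which is unrelated to the stated purpose of handling a trailing colon such as `dir1::dir2:`. Replace these with a check that makes sense for a path list (for example `should include '/usr/local/bin'` and `should_not include ''` for the empty element a trailing or doubled colon produces), and clarify what `-1` is meant to do. Also "The `content` matcher return the value" should be "returns", "deliminator" should be "delimiter", and "The `split` splits the content" should be "The `split` matcher splits the content".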

View file

@ -6,6 +6,7 @@ title: About the package Resource
Use the `package` InSpec audit resource to test if the named package and/or package version is installed on the system.
<br>
## Syntax
@ -20,48 +21,7 @@ where
* `('name')` must specify the name of a package, such as `'nginx'`
* `be_installed` is a valid matcher for this resource
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be_held
The `be_held` matcher tests if the named package is "held". On dpkg platforms, a "held" package
will not be upgraded to a later version.
it { should be_held }
### be_installed
The `be_installed` matcher tests if the named package is installed on the system:
it { should be_installed }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### version
The `version` matcher tests if the named package version is on the system:
its('version') { should eq '1.2.3' }
<br>
## Examples
@ -126,3 +86,28 @@ Memcached is an in-memory key-value store that helps improve the performance of
describe port(11_211) do
it { should be_listening }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_held
The `be_held` matcher tests if the named package is "held". On dpkg platforms, a "held" package
will not be upgraded to a later version.
it { should be_held }
### be_installed
The `be_installed` matcher tests if the named package is installed on the system:
it { should be_installed }
### version
The `version` matcher tests if the named package version is on the system:
its('version') { should eq '1.2.3' }

View file

@ -6,6 +6,8 @@ title: About the parse_config Resource
Use the `parse_config` InSpec audit resource to test arbitrary configuration files.
<br>
## Syntax
A `parse_config` resource block declares the location of the configuration setting to be tested, and then what value is to be tested. Because this resource relies on arbitrary configuration files, the test itself is often arbitrary and relies on custom Ruby code:
@ -35,9 +37,11 @@ where each test
* May run a command to `stdout`, and then run the test against that output
* May use options to define how configuration data is to be parsed
<br>
## Matchers
This InSpec audit resource has the following matchers:
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### assignment_regex
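Review bot: the Matchers introduction added here ("This InSpec audit resource has the following matchers...") is followed by `### assignment_regex`, `comment_char`, `key_values` and `multiple_values`, which are parsing options passed in the options hash (`assignment_regex: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/`, `comment_char: '#'`, `key_values: 1`), not matchers; the sibling `parse_config_file` page already has a separate `## Options` heading for exactly these entries, so this page should use the same structure and keep Matchers for the shared matcher link only.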
@ -49,28 +53,12 @@ may be tested using the following regular expression, which determines assignmen
assignment_regex: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### comment_char
Use `comment_char` to test for comments in a configuration file:
comment_char: '#'
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### key_values
Use `key_values` to test how many values a key contains:
@ -81,10 +69,6 @@ contains three values. To test that value to ensure it only contains one, use:
key_values: 1
### match
<%= partial "/shared/matcher_match" %>
### multiple_values
Use `multiple_values` if the source file uses the same key multiple times. All values will be aggregated in an array:
@ -116,7 +100,3 @@ Use `standalone_comments: false`, to parse the following:
'key = value # comment'
params['key'] = 'value'
## Examples
None.

View file

@ -6,6 +6,8 @@ title: About the parse_config_file Resource
Use the `parse_config_file` InSpec audit resource to test arbitrary configuration files. It works in the same way as `parse_config`. Instead of using a command output, this resource works with files.
<br>
## Syntax
A `parse_config_file` InSpec audit resource block declares the location of the configuration file to be tested, and then which settings in that file are to be tested.
@ -32,6 +34,8 @@ where each test
* May run a command to `stdout`, and then run the test against that output
* May use options to define how configuration data is to be parsed
<br>
## Options
This resource supports the following options for parsing configuration data. Use them in an `options` block stated outside of (and immediately before) the actual test:
@ -44,9 +48,35 @@ This resource supports the following options for parsing configuration data. Use
its('setting') { should eq 1 }
end
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Test a configuration setting
describe parse_config_file('/path/to/file.conf') do
its('PARAM_X') { should eq 'Y' }
end
### Use options, and then test a configuration setting
describe parse_config_file('/path/to/file.conf', { multiple_values: true }) do
its('PARAM_X') { should include 'Y' }
end
## Test a file with an ini-like structure (such as a yum.conf)
describe parse_config_file('/path/to/yum.conf') do
its('main') { should include('gpgcheck' => '1') }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### assignment_regex
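Review bot: `## Test a file with an ini-like structure (such as a yum.conf)` in the moved Examples block uses a level-2 heading while its siblings `### Test a configuration setting` and `### Use options, and then test a configuration setting` are level 3, so it will render as a new top-level section; change it to `###`. Also, this page now documents `assignment_regex`, `comment_char`, `key_values` and `multiple_values` under Matchers even though a `## Options` section ("Use them in an `options` block stated outside of (and immediately before) the actual test") already exists above; move those subsections under Options so they are not listed as matchers.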
@ -58,28 +88,12 @@ may be tested using the following regular expression, which determines assignmen
assignment_regex: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### comment_char
Use `comment_char` to test for comments in a configuration file:
comment_char: '#'
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### key_values
Use `key_values` to test how many values a key contains:
@ -90,10 +104,6 @@ contains three values. To test that value to ensure it only contains one, use:
key_values: 1
### match
<%= partial "/shared/matcher_match" %>
### multiple_values
Use `multiple_values` if the source file uses the same key multiple times. All values will be aggregated in an array:
@ -125,25 +135,3 @@ Use `standalone_comments: false`, to parse the following:
'key = value # comment'
params['key'] = 'value'
## Examples
The following examples show how to use this InSpec audit resource.
### Test a configuration setting
describe parse_config_file('/path/to/file.conf') do
its('PARAM_X') { should eq 'Y' }
end
### Use options, and then test a configuration setting
describe parse_config_file('/path/to/file.conf', { multiple_values: true }) do
its('PARAM_X') { should include 'Y' }
end
## Test a file with an ini-like structure (such as a yum.conf)
describe parse_config_file('/path/to/yum.conf') do
its('main') { should include('gpgcheck' => '1') }
end

View file

@ -18,6 +18,8 @@ These entries are defined as a colon-delimited row in the file, one row per user
root:x:1234:5678:additional_info:/home/dir/:/bin/bash
<br>
## Syntax
A `passwd` resource block declares one (or more) users and associated user information to be tested:
@ -37,22 +39,36 @@ where
* `filter` one (or more) arguments, for example: `passwd.users(/name/)` used to define filtering
* `filter` may take any of the following arguments: `count` (retrieves the number of entries), `lines` (provides raw `passwd` lines), and `params` (returns an array of maps for all entries)
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Test usernames and UIDs
describe passwd do
its('users') { should eq ['root', 'www-data'] }
its('uids') { should eq [0, 33] }
end
### Select one user and test for multiple occurrences
describe passwd.uids(0) do
its('users') { should cmp 'root' }
its('count') { should eq 1 }
end
describe passwd.filter(user: 'www-data') do
its('uids') { should cmp 33 }
its('count') { should eq 1 }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### gids
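Review bot: the context bullet "`filter` may take any of the following arguments: `count` (retrieves the number of entries), `lines` (provides raw `passwd` lines), and `params` (returns an array of maps for all entries)" describes properties read from the filtered result, not arguments to `filter`; reword it as "a filtered result exposes `count`, `lines` and `params`". In the moved examples, `its('users') { should eq ['root', 'www-data'] }` asserts the complete user list, which only passes on a system with exactly those two accounts; `should include` would be the more robust form for a documentation example.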
@ -67,10 +83,6 @@ The `homes` matcher tests the absolute path to a user's home directory:
its('home') { should eq '/' }
### include
<%= partial "/shared/matcher_include" %>
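Review bot: the context heading text "The `homes` matcher tests the absolute path to a user's home directory" is followed by the example `its('home') { should eq '/' }`, so the heading and the example disagree on the property name (`homes` vs `home`); make them consistent with the other plural accessors on this page (`users`, `uids`, `gids`).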
### length
The `length` matcher tests the length of a password that appears in `/etc/passwd`:
@ -83,10 +95,6 @@ This matcher is best used in conjunction with filters. For example:
its('length') { should_not be < 16 }
end
### match
<%= partial "/shared/matcher_match" %>
### passwords
The `passwords` matcher tests if passwords are
@ -130,26 +138,3 @@ or:
The `users` matcher tests if the user names in the test match user names in `/etc/passwd`:
its('users') { should eq ['root', 'www-data'] }
## Examples
The following examples show how to use this InSpec audit resource.
### Test usernames and UIDs
describe passwd do
its('users') { should eq ['root', 'www-data'] }
its('uids') { should eq [0, 33] }
end
### Select one user and test for multiple occurrences
describe passwd.uids(0) do
its('users') { should cmp 'root' }
its('count') { should eq 1 }
end
describe passwd.filter(user: 'www-data') do
its('uids') { should cmp 33 }
its('count') { should eq 1 }
end

View file

@ -6,6 +6,8 @@ title: About the pip Resource
Use the `pip` InSpec audit resource to test packages that are installed using the Python PIP installer.
<br>
## Syntax
A `pip` resource block declares a package and (optionally) a package version:
@ -19,42 +21,7 @@ where
* `'package_name'` is the name of the package, such as `'Jinja2'`
* `be_installed` tests to see if the package described above is installed
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be_installed
The `be_installed` matcher tests if the named package is installed on the system:
it { should be_installed }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### version
The `version` matcher tests if the named package version is on the system:
its('version') { should eq '1.2.3' }
<br>
## Examples
@ -72,3 +39,21 @@ The following examples show how to use this InSpec audit resource.
it { should be_installed }
its('version') { should eq '2.8' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_installed
The `be_installed` matcher tests if the named package is installed on the system:
it { should be_installed }
### version
The `version` matcher tests if the named package version is on the system:
its('version') { should eq '1.2.3' }

View file

@ -6,6 +6,8 @@ title: About the port Resource
Use the `port` InSpec audit resource to test basic port properties, such as port, process, if it's listening.
<br>
## Syntax
A `port` resource block declares a port, and then depending on what needs to be tested, a process, protocol, process identifier, and its state (is it listening?):
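Review bot: the context sentence "test basic port properties, such as port, process, if it's listening" reads awkwardly; suggest "test basic port properties, such as the port number, the owning process, and whether it is listening".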
@ -35,63 +37,7 @@ For example, to test if the SSH daemon is available on a Linux machine via the d
its('addresses') { should include '0.0.0.0' }
end
## Matchers
This InSpec audit resource has the following matchers:
### address
The `addresses` matcher tests if the specified address is associated with a port:
its('addresses') { should include '0.0.0.0' }
### be
<%= partial "/shared/matcher_be" %>
### be_listening
The `be_listening` matcher tests if the port is listening for traffic:
it { should be_listening }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### pids
The `pids` matcher tests the process identifiers (PIDs):
its('pids') { should cmp 27808 }
### processes
The `processes` matcher tests if the named process is running on the system:
its('processes') { should cmp 'syslog' }
### protocols
The `protocols` matcher tests the Internet protocol: ICMP (`'icmp'`), TCP (`'tcp'` or `'tcp6'`), or UDP (`'udp'` or `'udp6'`):
its('protocols') { should include 'tcp' }
or for the IPv6 protocol:
its('protocols') { should include 'tcp6' }
<br>
## Examples
@ -148,3 +94,43 @@ or:
describe port(65432) do
it { should_not be_listening }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### address
The `addresses` matcher tests if the specified address is associated with a port:
its('addresses') { should include '0.0.0.0' }
### be_listening
The `be_listening` matcher tests if the port is listening for traffic:
it { should be_listening }
### pids
The `pids` matcher tests the process identifiers (PIDs):
its('pids') { should cmp 27808 }
### processes
The `processes` matcher tests if the named process is running on the system:
its('processes') { should cmp 'syslog' }
### protocols
The `protocols` matcher tests the Internet protocol: ICMP (`'icmp'`), TCP (`'tcp'` or `'tcp6'`), or UDP (`'udp'` or `'udp6'`):
its('protocols') { should include 'tcp' }
or for the IPv6 protocol:
its('protocols') { should include 'tcp6' }
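Review bot: the subsection heading `### address` does not match the matcher it documents, "The `addresses` matcher tests if the specified address is associated with a port" with the example `its('addresses') { should include '0.0.0.0' }`; rename the heading to `### addresses` so readers searching for the matcher name find it. The other headings in the moved block (`be_listening`, `pids`, `processes`, `protocols`) already match their matchers.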

View file

@ -6,6 +6,8 @@ title: About the postgres_conf Resource
Use the `postgres_conf` InSpec audit resource to test the contents of the configuration file for PostgreSQL, typically located at `/etc/postgresql/<version>/main/postgresql.conf` or `/var/lib/postgres/data/postgresql.conf`, depending on the platform.
<br>
## Syntax
A `postgres_conf` resource block declares one (or more) settings in the `postgresql.conf` file, and then compares the setting in the configuration file to the value stated in the test:
@ -21,37 +23,7 @@ where
* `('path')` is the non-default path to the `postgresql.conf` file (optional)
* `should eq 'value'` is the value that is expected
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### setting
The `setting` matcher tests specific, named settings in the `postgresql.conf` file:
its('setting') { should eq 'value' }
Use a `setting` matcher for each setting to be tested.
<br>
## Examples
@ -90,3 +62,17 @@ The following examples show how to use this InSpec audit resource.
end
where `unix_socket_group` is set to the PostgreSQL default setting (the group to which the server user belongs).
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### setting
The `setting` matcher tests specific, named settings in the `postgresql.conf` file:
its('setting') { should eq 'value' }
Use a `setting` matcher for each setting to be tested.

View file

@ -5,6 +5,9 @@ title: About the postgres_hba_conf Resource
# postgres_hba_conf
Use the `postgres_hba_conf` InSpec audit resource to test the client authentication data defined in the pg_hba.conf file.
<br>
## Syntax
An `postgres_hba_conf` InSpec audit resource block declares client authentication data that should be tested:
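Review bot: "An `postgres_hba_conf` InSpec audit resource block" should be "A `postgres_hba_conf` InSpec audit resource block" (consonant-initial name); the same slip appears on the `postgres_ident_conf` page in this commit.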
@ -19,48 +22,14 @@ where
* `'filter_value'` is the value that is to be filtered for
* `'value'` is the value that is to be matched expected
## Matchers
This InSpec audit resource matches any service that is listed in the HBA configuration file:
its('auth_method') { should_not cmp 'peer' }
or:
its('auth_method') { should cmp 'peer' }
For example:
describe postgres_hba_conf.where { type == 'type' } do
its('auth_method') { should cmp 'value' }
its('user') { should cmp 'value' }
end
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Supported Properties
'address', 'auth_method', 'auth_params', 'conf_dir' , 'conf_file' , 'database', 'params' ,'type', 'user'
<br>
## Property Examples and Return Types
### address([String])
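Review bot: the context bullet "`'value'` is the value that is to be matched expected" is garbled and should read "`'value'` is the expected value". In the same hunk, "This InSpec audit resource matches any service that is listed in the HBA configuration file" is inaccurate, since `pg_hba.conf` lists client authentication rules (type, database, user, address, auth method), not services; say "matches any authentication rule listed in the HBA configuration file".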
@ -70,7 +39,7 @@ For example:
describe postgres_hba_conf.where { type == 'local' } do
its('address') { should cmp 'value' }
end
### auth_method([String])
`auth_method` returns a an array of strings that matches the where condition of the filter table
@ -102,3 +71,22 @@ For example:
describe postgres_hba_conf.where { database == 'acme_test_db' } do
its('user') { should cmp 'value' }
end
<br>
## Matchers
This InSpec audit resource matches any service that is listed in the HBA configuration file. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
its('auth_method') { should_not cmp 'peer' }
or:
its('auth_method') { should cmp 'peer' }
For example:
describe postgres_hba_conf.where { type == 'type' } do
its('auth_method') { should cmp 'value' }
its('user') { should cmp 'value' }
end
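Review bot: the moved Matchers block keeps the wording "matches any service that is listed in the HBA configuration file" and lets the matchers-page link sentence run directly into `its('auth_method') { should_not cmp 'peer' }` without a lead-in; suggest "This resource exposes each column of an HBA rule as a matcher, for example:" before the code, with the link on its own line. The `describe postgres_hba_conf.where { type == 'type' } do` example would also be more useful with a real connection type (`'local'`, as used in the `address` example above) instead of the placeholder `'type'`.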

View file

@ -5,6 +5,9 @@ title: About the postgres_ident_conf Resource
# postgres_ident_conf
Use the `postgres_ident_conf` InSpec audit resource to test the client authentication data defined in the pg_hba.conf file.
<br>
## Syntax
An `postgres_ident_conf` InSpec audit resource block declares client authentication data that should be tested:
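Review bot: the context sentence "Use the `postgres_ident_conf` InSpec audit resource to test the client authentication data defined in the pg_hba.conf file" names the wrong file; this resource reads `pg_ident.conf` (the Matchers section below correctly says "pg ident configuration file"), and the data it holds are user-name mappings, not authentication rules. Also "An `postgres_ident_conf`" should be "A `postgres_ident_conf`".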
@ -19,48 +22,14 @@ where
* `'filter_value'` is the value that is to be filtered for
* `'value'` is the value that is to be matched expected
## Matchers
This InSpec audit resource matches any service that is listed in the pg ident configuration file:
its('pg_username') { should_not eq ['peer'] }
or:
its('map_name') { should eq ['value'] }
For example:
describe postgres_ident_conf.where { pg_username == 'name' } do
its('system_username') { should eq ['value'] }
its('map_name') { should eq ['value'] }
end
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Supported Properties
'conf_file', 'map_name', 'params', 'pg_username', 'system_username'
<br>
## Property Examples and Return Types
### map_name([String])
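Review bot: "`'value'` is the value that is to be matched expected" in the context lines is garbled text copied from the `postgres_hba_conf` page and should read "`'value'` is the expected value".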
@ -85,3 +54,22 @@ For example:
describe pg_hba_conf.where { pg_username == 'name' } do
its('system_username') { should eq ['value'] }
end
<br>
## Matchers
This InSpec audit resource matches any service that is listed in the pg ident configuration file. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
its('pg_username') { should_not eq ['peer'] }
or:
its('map_name') { should eq ['value'] }
For example:
describe postgres_ident_conf.where { pg_username == 'name' } do
its('system_username') { should eq ['value'] }
its('map_name') { should eq ['value'] }
end
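Review bot: the example `describe pg_hba_conf.where { pg_username == 'name' } do` in the context lines of this hunk calls a resource that does not exist under that name; it should be `postgres_ident_conf.where { pg_username == 'name' }`, as the moved Matchers example immediately below already does. In the moved block, `its('pg_username') { should_not eq ['peer'] }` also looks copied from the HBA page, since `peer` is an authentication method rather than a PostgreSQL user name; a user-name example would be clearer.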

View file

@ -6,6 +6,8 @@ title: About the postgres_session Resource
Use the `postgres_session` InSpec audit resource to test SQL commands run against a PostgreSQL database.
<br>
## Syntax
A `postgres_session` resource block declares the username and password to use for the session, and then the command to be run:
@ -29,35 +31,7 @@ A full example is:
where `its('output') { should eq '' }` compares the results of the query against the expected result in the test
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### output
The `output` matcher tests the results of the query:
its('output') { should eq(/^0/) }
<br>
## Examples
@ -80,3 +54,15 @@ The following examples show how to use this InSpec audit resource.
AND lanname!=\'c\';', ['postgres']) do
its('output') { should eq '0' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### output
The `output` matcher tests the results of the query:
its('output') { should eq(/^0/) }
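Review bot: the relocated `output` matcher example `its('output') { should eq(/^0/) }` cannot pass, because `eq` compares the string output to a Regexp object; the example immediately above in this same hunk, `its('output') { should eq '0' }`, shows the correct exact-match form, and `should match(/^0/)` is the form for a pattern.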

View file

@ -6,6 +6,8 @@ title: About the powershell Resource
Use the `powershell` InSpec audit resource to test a Powershell script on the Windows platform.
<br>
## Syntax
A `powershell` resource block declares a Powershell script to be tested, and then compares the output of that command to the matcher in the test:
@ -24,48 +26,7 @@ where
* `'matcher'` is one of `exit_status`, `stderr`, or `stdout`
* `'output'` tests the output of the command run on the system versus the output value stated in the test
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### exit_status
The `exit_status` matcher tests the exit status for the command:
its('exit_status') { should eq 123 }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### stderr
The `stderr` matcher tests results of the command as returned in standard error (stderr):
its('stderr') { should eq 'error' }
### stdout
The `stdout` matcher tests results of the command as returned in standard output (stdout):
its('stdout') { should eq '/^1$/' }
<br>
## Examples
@ -114,3 +75,27 @@ No newline:
its('stdout') { should eq 'hello' }
its('stderr') { should eq '' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exit_status
The `exit_status` matcher tests the exit status for the command:
its('exit_status') { should eq 123 }
### stderr
The `stderr` matcher tests results of the command as returned in standard error (stderr):
its('stderr') { should eq 'error' }
### stdout
The `stdout` matcher tests results of the command as returned in standard output (stdout):
its('stdout') { should eq '/^1$/' }
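Review bot: `its('stdout') { should eq '/^1$/' }` in the relocated `stdout` entry compares the command output to the literal six-character string `/^1$/`, not to a regular expression; write `should match(/^1$/)`. Exact `eq` comparisons on `stdout` also have to account for the trailing newline a script normally emits, which is what the "No newline" example just above this hunk (`should eq 'hello'`) is there to illustrate; a sentence saying so next to the `stdout` matcher would save readers a confusing failure.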

@ -6,6 +6,8 @@ title: About the processes Resource
Use the `processes` InSpec audit resource to test properties for programs that are running on the system.
<br>
## Syntax
A `processes` resource block declares the name of the process to be tested, and then declares one (or more) property/value pairs:
@ -19,36 +21,7 @@ where
* `processes('process_name')` specifies the name of a process to check. If this is a string, it will be converted to a Regexp. For more specificity, pass a Regexp directly.
* `property_name` may be used to test user (`its('users')`) and state properties (`its('states')`)
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### property_name
The `property_name` matcher tests the named property for the specified value:
its('property_name') { should eq ['property_value'] }
<br>
## Examples
@ -100,9 +73,9 @@ needed.
### Notes for auditing Windows systems
Sometimes with system properties there isn't a direct comparison between different operating systems.
Most of the `property_name`'s do align between the different OS's.
Most of the `property_name`'s do align between the different OS's.
There are however some exception's, for example, within linux `states` offers multiple properties.
There are however some exception's, for example, within linux `states` offers multiple properties.
Windows doesn't have direct comparison that is a single property so instead `states` is mapped to the property of `Responding`, This is a boolean true/false flag to help determine if the process is hung.
Below is a mapping table to help you understand what property the unix field maps to the windows `Get-Process` Property
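Review bot: the paired lines in this hunk differ only in trailing whitespace (the rendered diff shows each twice), so this is a whitespace-only change; since the lines are being touched, the grammar on them is worth fixing in the same commit: "exception's" and "`property_name`'s" are plurals and should not carry apostrophes, "doesn't have direct comparison" wants an article ("a direct comparison"), and "... is mapped to the property of `Responding`, This is a boolean true/false flag ..." is a comma splice that should be split at "`Responding`."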
@ -121,3 +94,14 @@ Below is a mapping table to help you understand what property the unix field map
|time |TotalProcessorTime|
|users |UserName|
|commands |Path|
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### property_name
The `property_name` matcher tests the named property for the specified value:
its('property_name') { should eq ['property_value'] }

@ -6,6 +6,8 @@ title: About the rabbitmq_config Resource
Use the `rabbitmq_config` InSpec audit resource to test configuration data for the RabbitMQ daemon located at `/etc/rabbitmq/rabbitmq.config` on Linux and Unix platforms.
<br>
## Syntax
A `rabbitmq_config` resource block declares the RabbitMQ configuration data to be tested:
@ -19,30 +21,7 @@ where
* `params` is the list of parameters configured in the RabbitMQ config file
* `{ should cmp 5671 }` tests the value of `rabbit.ssl_listeners` as read from `rabbitmq.config` versus the value declared in the test
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -53,3 +32,9 @@ The following examples show how to use this InSpec audit resource.
describe rabbitmq_config.params('rabbit', 'tcp_listeners') do
it { should eq [5672] }
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
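Review bot: the new `## Matchers` section at the bottom of the page contains only the link to the generic matchers page and documents nothing specific to this resource, so it reads as an empty section. Either state that `rabbitmq_config` has no resource-specific matchers and that `params` (shown in Syntax and in the example above, `.params('rabbit', 'tcp_listeners')`) is the accessor to combine with `eq`, `cmp` or `include`, or drop the heading. The same applies to the vbscript and virtualization pages in this change.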

@ -6,6 +6,8 @@ title: About the registry_key Resource
Use the `registry_key` InSpec audit resource to test key values in the Windows registry.
<br>
## Syntax
A `registry_key` resource block declares the item in the Windows registry, the path to a setting under that item, and then one (or more) name/value pairs to be tested.
@ -61,13 +63,34 @@ Please make sure that you use backslashes instead of forward slashes. Forward sl
its('Release') { should eq 378675 }
end
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Test the start time for the Schedule service
describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\...\Schedule') do
its('Start') { should eq 2 }
end
where `'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule'` is the full path to the setting.
### Use a regular expression in responses
describe registry_key({
hive: 'HKEY_LOCAL_MACHINE',
key: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
}) do
its('ProductName') { should match /^[a-zA-Z0-9\(\)\s]*2012\s[rR]2[a-zA-Z0-9\(\)\s]*$/ }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### children
@ -93,14 +116,6 @@ The following example shows how find a property that may exist against multiple
end
}
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### exist
The `exist` matcher tests if the registry key is present:
@ -125,14 +140,6 @@ The `have_value` matcher tests if a value exists for a registry key:
it { should have_value 'value' }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### name
The `name` matcher tests the value for the specified registry setting:
@ -148,25 +155,3 @@ Any name with a dot will not work as expected: <code>its('explorer.exe') { shoul
# its('explorer.exe') { should eq 'test' }
# use the following solution:
it { should have_property_value('explorer.exe', :string, 'test') }
## Examples
The following examples show how to use this InSpec audit resource.
### Test the start time for the Schedule service
describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\...\Schedule') do
its('Start') { should eq 2 }
end
where `'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule'` is the full path to the setting.
### Use a regular expression in responses
describe registry_key({
hive: 'HKEY_LOCAL_MACHINE',
key: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
}) do
its('ProductName') { should match /^[a-zA-Z0-9\(\)\s]*2012\s[rR]2[a-zA-Z0-9\(\)\s]*$/ }
end

@ -6,6 +6,8 @@ title: About the runit_service Resource
Use the `runit_service` InSpec audit resource to test a service using runit.
<br>
## Syntax
A `runit_service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
@ -29,13 +31,11 @@ The path to the service manager's control may be specified for situations where
it { should be_running }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_enabled
@ -54,23 +54,3 @@ The `be_installed` matcher tests if the named service is installed:
The `be_running` matcher tests if the named service is running:
it { should be_running }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
## Examples
None.

@ -6,6 +6,8 @@ title: About the security_policy Resource
Use the `security_policy` InSpec audit resource to test security policies on the Windows platform.
<br>
## Syntax
A `security_policy` resource block declares the name of a security policy and the value to be tested:
@ -19,36 +21,7 @@ where
* `'policy_name'` must specify a security policy
* `{ should eq 'value' }` tests the value of `policy_name` against the value declared in the test
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### policy_name
The `policy_name` matcher must be the name of a security policy:
its('SeNetworkLogonRight') { should eq '*S-1-5-11' }
<br>
## Examples
@ -59,3 +32,15 @@ The following examples show how to use this InSpec audit resource.
describe security_policy do
its('SeRemoteInteractiveLogonRight') { should eq '*S-1-5-32-544' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### policy_name
The `policy_name` matcher must be the name of a security policy:
its('SeNetworkLogonRight') { should eq '*S-1-5-11' }
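Review bot: `its('SeNetworkLogonRight') { should eq '*S-1-5-11' }` (and `SeRemoteInteractiveLogonRight ... '*S-1-5-32-544'` in the example above) is an exact match against a single SID, so it only passes when that SID is the sole grantee; a system that grants the right to Administrators as well as Authenticated Users yields a multi-SID value and the test fails without saying why. Worth a sentence stating that the value is the full set of SIDs holding the right and that a test should decide whether it means "exactly this set" (`eq`) or "at least this SID" (`include`). Also, "The `policy_name` matcher must be the name of a security policy" describes a placeholder accessor rather than a matcher; say that `policy_name` stands for a privilege or right name such as `SeNetworkLogonRight`.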

@ -8,6 +8,8 @@ Use the `service` InSpec audit resource to test if the named service is installe
Under some circumstances, it may be necessary to specify the service manager by using one of the following service manager-specific resources: `bsd_service`, `launchd_service`, `runit_service`, `systemd_service`, `sysv_service`, or `upstart_service`. These resources are based on the `service` resource.
<br>
## Syntax
A `service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
@ -23,48 +25,7 @@ where
* `('service_name')` must specify a service name
* `be_installed`, `be_enabled`, and `be_running` are valid matchers for this resource
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be_enabled
The `be_enabled` matcher tests if the named service is enabled:
it { should be_enabled }
### be_installed
The `be_installed` matcher tests if the named service is installed:
it { should be_installed }
### be_running
The `be_running` matcher tests if the named service is running:
it { should be_running }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -133,3 +94,27 @@ This is also possible with `systemd_service`, `runit_service`, `sysv_service`, `
it { should be_installed }
it { should be_running }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_enabled
The `be_enabled` matcher tests if the named service is enabled:
it { should be_enabled }
### be_installed
The `be_installed` matcher tests if the named service is installed:
it { should be_installed }
### be_running
The `be_running` matcher tests if the named service is running:
it { should be_running }

@ -19,6 +19,8 @@ These entries are defined as a colon-delimited row in the file, one row per user
dannos:Gb7crrO5CDF.:10063:0:99999:7:::
<br>
## Syntax
A `shadow` resource block declares one (or more) users and associated user information to be tested:
@ -39,18 +41,30 @@ where
* `homes`, `gids`, `passwords`, `shells`, `uids`, and `users` are valid accessors for `passwd`
* `filter` one (or more) arguments, for example: `passwd.users(/name/)` used to define filtering; `filter` may take any of the following arguments: `count` (retrieves the number of entries), `lines` (provides raw `passwd` lines), and `params` (returns an array of maps for all entries)
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Test for a forbidden user
describe shadow do
its('users') { should_not include 'forbidden_user' }
end
### Test that a user appears one time
describe shadow.users('bin') do
its('passwords') { should cmp 'x' }
its('count') { should eq 1 }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### count
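Review bot: the unchanged context lines in this hunk still describe the `passwd` resource on the `shadow` page: "`homes`, `gids`, `passwords`, `shells`, `uids`, and `users` are valid accessors for `passwd`" and "`passwd.users(/name/)`". `shadow` has no `homes`, `gids` or `shells`; its accessors are the ones documented further down this page (`users`, `passwords`, `last_changes`, `min_days`, `max_days`, `warn_days`, `inactive_days`, `expiry_dates`), and the filter example should read `shadow.users(/name/)`. Separately, in the relocated example `its('passwords') { should cmp 'x' }` for `bin`: `x` is the placeholder that `/etc/passwd` carries when the hash lives in the shadow file, while in `/etc/shadow` itself a locked system account usually shows `*` or `!`, so double-check that this value is what the example intends.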
@ -64,10 +78,6 @@ TThis matcher is best used in conjunction with filters. For example:
its('count') { should eq 1 }
end
### eq
<%= partial "/shared/matcher_eq" %>
### expiry_dates
The `expiry_dates` matcher tests the number of days a user account has been disabled:
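Review bot: "TThis matcher is best used in conjunction with filters" in the hunk header context has a doubled T. More importantly, "The `expiry_dates` matcher tests the number of days a user account has been disabled" misdescribes the field: the eighth field of `/etc/shadow` is the account expiration date expressed as days since 1970-01-01 (empty meaning the account never expires), not a count of days the account has been disabled. Suggest "tests the date on which the account expires, expressed as days since the epoch".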
@ -80,20 +90,12 @@ The `inactive_days` matcher tests the number of days a user must be inactive bef
its('inactive_days') { should eq '' }
### include
<%= partial "/shared/matcher_include" %>
### last_changes
The `last_changes` matcher tests the last time a password was changed:
its('last_changes') { should eq '' }
### match
<%= partial "/shared/matcher_match" %>
### max_days
The `max_days` matcher tests the maximum number of days after which a password must be changed:
@ -130,20 +132,3 @@ The `users` matcher tests if the user name exists `/etc/shadow`:
The `warn_days` matcher tests the number of days a user is warned about an expiring password:
its('warn_days') { should eq 7 }
## Examples
The following examples show how to use this InSpec audit resource.
### Test for a forbidden user
describe shadow do
its('users') { should_not include 'forbidden_user' }
end
### Test that a user appears one time
describe shadow.users('bin') do
its('passwords') { should cmp 'x' }
its('count') { should eq 1 }
end

@ -6,6 +6,8 @@ title: About the ssh_config Resource
Use the `ssh_config` InSpec audit resource to test OpenSSH client configuration data located at `/etc/ssh/ssh_config` on Linux and Unix platforms.
<br>
## Syntax
An `ssh_config` resource block declares the client OpenSSH configuration data to be tested:
@ -20,40 +22,7 @@ where
* `('path')` is the non-default `/path/to/ssh_config`
* `{ should include('foo') }` tests the value of `name` as read from `ssh_config` versus the value declared in the test
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### name
The `name` matcher tests the value of `name` as read from `ssh_config` versus the value declared in the test:
its('name') { should eq 'foo' }
or:
its('name') { should include('bar') }
<br>
## Examples
@ -92,3 +61,19 @@ The following examples show how to use this InSpec audit resource.
its('SendEnv') { should eq 'LANG LC_*' }
its('HashKnownHosts') { should eq 'yes' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### name
The `name` matcher tests the value of `name` as read from `ssh_config` versus the value declared in the test:
its('name') { should eq 'foo' }
or:
its('name') { should include('bar') }

@ -6,6 +6,8 @@ title: About the sshd_config Resource
Use the `sshd_config` InSpec audit resource to test configuration data for the OpenSSH daemon located at `/etc/ssh/sshd_config` on Linux and Unix platforms. sshd---the OpenSSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges.
<br>
## Syntax
An `sshd_config` resource block declares the client OpenSSH configuration data to be tested:
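Review bot: "An `sshd_config` resource block declares the client OpenSSH configuration data to be tested" is copied from the ssh_config page; this resource reads the daemon's (server-side) configuration, `/etc/ssh/sshd_config`, as the first paragraph of the same hunk says. Change "client" to "server".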
@ -20,40 +22,7 @@ where
* `('path')` is the non-default `/path/to/sshd_config`
* `{ should include('foo') }` tests the value of `name` as read from `sshd_config` versus the value declared in the test
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### name
The `name` matcher tests the value of `name` as read from `sshd_config` versus the value declared in the test:
its('name') { should cmp 'foo' }
or:
its('name') {should include('bar') }
<br>
## Examples
@ -95,3 +64,19 @@ The following examples show how to use this InSpec audit resource.
'/etc/ssh/ssh_host_ecdsa_key',
] }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### name
The `name` matcher tests the value of `name` as read from `sshd_config` versus the value declared in the test:
its('name') { should cmp 'foo' }
or:
its('name') {should include('bar') }
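Review bot: style point in the relocated `name` entry: `its('name') {should include('bar') }` is missing the space after the opening brace; the line above it and the ssh_config page use `{ should ... }`. Since the example just above checks `HostKey` with `eq [ ... ]`, it would also help to say here that keys which appear more than once, such as `HostKey`, come back as an array, which is why `include` or `cmp` rather than a plain string `eq` is the usual choice.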

@ -6,6 +6,8 @@ title: About the ssl Resource
Use the `ssl` InSpec audit resource to test SSL settings for the named port.
<br>
## Syntax
An `ssl` resource block declares an SSL port, and then other properties of the test like cipher and/or protocol:
@ -25,60 +27,7 @@ where
* `ssl(port: #)` is the port number, such as `ssl(port: 443)`
* `filter` may take any of the following arguments: `ciphers`, `protocols`, and `handshake`
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be_enabled
The `be_enabled` matcher tests if SSL is enabled:
it { should be_enabled }
### ciphers
The `ciphers` matcher tests the named cipher:
its('ciphers') { should_not eq '/rc4/i' }
or:
describe ssl(port: 443).ciphers(/rc4/i) do
it { should_not be_enabled }
end
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### protocols
The `protocols` matcher tests what protocol versions (SSLv3, TLSv1.1, etc) are enabled:
its('protocols') { should eq 'ssl2' }
or:
describe ssl(port: 443).protocols('ssl2') do
it { should_not be_enabled }
end
<br>
## Examples
@ -131,3 +80,39 @@ and then run:
Or execute the profile directly via URL:
$ inspec exec https://github.com/dev-sec/ssl-benchmark
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_enabled
The `be_enabled` matcher tests if SSL is enabled:
it { should be_enabled }
### ciphers
The `ciphers` matcher tests the named cipher:
its('ciphers') { should_not eq '/rc4/i' }
or:
describe ssl(port: 443).ciphers(/rc4/i) do
it { should_not be_enabled }
end
### protocols
The `protocols` matcher tests what protocol versions (SSLv3, TLSv1.1, etc) are enabled:
its('protocols') { should eq 'ssl2' }
or:
describe ssl(port: 443).protocols('ssl2') do
it { should_not be_enabled }
end
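Review bot: two of the relocated examples are misleading. `its('ciphers') { should_not eq '/rc4/i' }` compares the cipher list to the literal string `/rc4/i`, so it trivially passes and never catches RC4; the filter form right below it, `ssl(port: 443).ciphers(/rc4/i) ... should_not be_enabled`, is the correct idiom and should be the only one shown (or the first rewritten as `should_not match(/rc4/i)` if `ciphers` yields a string). Likewise `its('protocols') { should eq 'ssl2' }` asserts that SSLv2 is the only protocol offered, the opposite of what a hardening test wants; keep the `protocols('ssl2') ... should_not be_enabled` form.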

@ -6,6 +6,8 @@ title: About the sys_info Resource
Use the `sys_info` InSpec audit resource to test for operating system properties for the named host, and then returns that info as standard output.
<br>
## Syntax
An `sys_info` resource block declares the hostname to be tested:
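Review bot: "An `sys_info` resource block" should be "A `sys_info` resource block", and the intro sentence "test for operating system properties for the named host, and then returns that info as standard output" mixes subjects; "tests operating system properties of the host, such as its hostname" matches what the Syntax and Examples sections actually show (`its('hostname')`). There is also no "named host" argument in the examples; `sys_info` is called without one.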
@ -14,35 +16,7 @@ An `sys_info` resource block declares the hostname to be tested:
its('hostname') { should eq 'value' }
end
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### hostname
The `hostname` matcher tests the host for which standard output is returned:
its('hostname') { should eq 'value' }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -53,3 +27,15 @@ The following examples show how to use this InSpec audit resource.
describe sys_info do
its('hostname') { should eq 'example.com' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### hostname
The `hostname` matcher tests the host for which standard output is returned:
its('hostname') { should eq 'value' }

@ -6,6 +6,8 @@ title: About the systemd_service Resource
Use the `systemd_service` InSpec audit resource to test a service using SystemD.
<br>
## Syntax
A `systemd_service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
@ -29,13 +31,11 @@ The path to the service manager's control may be specified for situations where
it { should be_running }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_enabled
@ -54,23 +54,3 @@ The `be_installed` matcher tests if the named service is installed:
The `be_running` matcher tests if the named service is running:
it { should be_running }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
## Examples
None.

@ -6,6 +6,8 @@ title: About the sysv_service Resource
Use the `sysv_service` InSpec audit resource to test a service using SystemV.
<br>
## Syntax
A `sysv_service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
@ -29,13 +31,11 @@ The path to the service manager's control may be specified for situations where
it { should be_running }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_enabled
@ -54,23 +54,3 @@ The `be_installed` matcher tests if the named service is installed:
The `be_running` matcher tests if the named service is running:
it { should be_running }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
## Examples
None.

@ -6,6 +6,8 @@ title: About the upstart_service Resource
Use the `upstart_service` InSpec audit resource to test a service using Upstart.
<br>
## Syntax
An `upstart_service` resource block declares the name of a service and then one (or more) matchers to test the state of the service:
@ -29,13 +31,11 @@ The path to the service manager's control may be specified for situations where
it { should be_running }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_enabled
@ -54,23 +54,3 @@ The `be_installed` matcher tests if the named service is installed:
The `be_running` matcher tests if the named service is running:
it { should be_running }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
## Examples
None.

@ -6,6 +6,8 @@ title: About the user Resource
Use the `user` InSpec audit resource to test user profiles for a single, known/expected local user, including the groups to which that user belongs, the frequency of required password changes, and the directory paths to home and shell.
<br>
## Syntax
A `user` resource block declares a user name, and then one (or more) matchers:
@ -29,21 +31,40 @@ where
* `it { should exist }` tests if the user exists
* `gid`, `group`, `groups`, `home`, `maxdays`, `mindays`, `shell`, `uid`, and `warndays` are valid matchers for this resource
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Verify available users for the MySQL server
describe user('root') do
it { should exist }
it { should belong_to_group 'root' }
its('uid') { should eq 0 }
its('groups') { should eq ['root'] }
end
describe user('mysql') do
it { should_not exist }
end
### Test users on multiple platforms
The `nginx` user is typically `www-data`, but on CentOS it's `nginx`. The following example shows how to test for the `nginx` user with a single test, but accounting for all platforms:
web_user = 'www-data'
web_user = 'nginx' if os[:family] == 'centos'
describe user(web_user) do
it { should exist }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exist
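Review bot: the example heading "Verify available users for the MySQL server" contradicts its body, which asserts that `user('mysql')` `should_not exist`; either rename it (for instance "Verify root and the absence of the mysql account") or change the assertion. In the same example, `its('groups') { should eq ['root'] }` is an exact match on the full group list and fails on systems where root has supplementary groups; `include 'root'` is the looser form already expressed by `belong_to_group 'root'` two lines above.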
@ -79,14 +100,6 @@ The `home` matcher tests the home directory path for the user:
its('home') { should eq '/root' }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### maxdays
The `maxdays` matcher tests the maximum number of days between password changes:
@ -124,31 +137,3 @@ The `warndays` matcher tests the number of days a user is warned before a passwo
its('warndays') { should eq 5 }
where `5` represents the number of days a user is warned.
## Examples
The following examples show how to use this InSpec audit resource.
### Verify available users for the MySQL server
describe user('root') do
it { should exist }
it { should belong_to_group 'root' }
its('uid') { should eq 0 }
its('groups') { should eq ['root'] }
end
describe user('mysql') do
it { should_not exist }
end
### Test users on multiple platforms
The `nginx` user is typically `www-data`, but on CentOS it's `nginx`. The following example shows how to test for the `nginx` user with a single test, but accounting for all platforms:
web_user = 'www-data'
web_user = 'nginx' if os[:family] == 'centos'
describe user(web_user) do
it { should exist }
end

@ -6,6 +6,8 @@ title: About the users Resource
Use the `users` InSpec audit resource to look up all local users available on the system, and then test specific properties of those users. This resource does not return information about users that may be located on other systems, such as LDAP or Active Directory.
<br>
## Syntax
A `users` resource block declares a user name, and then one (or more) matchers:
@ -33,21 +35,23 @@ or:
it { should exist }
end
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Use a regular expression to find users
describe users.where { uid =~ /S\-1\-5\-21\-\d+\-\d+\-\d+\-500/ } do
it { should exist }
end
<br>
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### exist
@ -83,14 +87,6 @@ The `home` matcher tests the home directory path for the user:
its('home') { should eq '/root' }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### maxdays
The `maxdays` matcher tests the maximum number of days between password changes:
@ -128,13 +124,3 @@ The `warndays` matcher tests the number of days a user is warned before a passwo
its('warndays') { should eq 5 }
where `5` represents the number of days a user is warned.
## Examples
The following examples show how to use this InSpec audit resource.
### Use a regular expression to find users
describe users.where { uid =~ /S\-1\-5\-21\-\d+\-\d+\-\d+\-500/ } do
it { should exist }
end

@ -6,6 +6,8 @@ title: About the vbscript Resource
Use the `vbscript` InSpec audit resource to test a VBScript on the Windows platform.
<br>
## Syntax
A `vbscript` resource block tests the output of a VBScript on the Windows platform:
@ -19,30 +21,7 @@ where
* `'script_name'` is the name of the VBScript to test
* `('output')` is the expected output of the VBScript
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -67,3 +46,9 @@ and tested for whitespace removal from standard output:
describe vbscript(script) do
its('strip') { should eq "hello" }
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

@ -6,6 +6,8 @@ title: About the virtualization Resource
Use the `virtualization` InSpec audit resource to test the virtualization platform on which the system is running.
<br>
## Syntax
An `virtualization` resource block declares the virtualization platform that should be tested:
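Review bot: "An `virtualization` resource block" should be "A `virtualization` resource block".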
@ -20,29 +22,7 @@ where
* `MATCHER` is a valid matcher for this resource
* `'value'` is the value to be tested
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -69,3 +49,8 @@ The following examples show how to use this InSpec audit resource.
end
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

@ -6,6 +6,8 @@ title: About the windows_feature Resource
Use the `windows_feature` InSpec audit resource to test features on Windows via the `Get-WindowsFeature` cmdlet.
<br>
## Syntax
A `windows_feature` resource block declares the name of the Windows feature, tests if that feature is installed, and then returns information about that feature:
@ -19,36 +21,7 @@ where
* `('feature_name')` must specify a Windows feature name, such as `DHCP Server` or `IIS-Webserver`
* `be_installed` is a valid matcher for this resource
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be_installed
The `be_installed` matcher tests if the named Windows feature is installed:
it { should be_installed }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -59,3 +32,15 @@ The following examples show how to use this InSpec audit resource.
describe windows_feature('DHCP Server') do
it{ should be_installed }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_installed
The `be_installed` matcher tests if the named Windows feature is installed:
it { should be_installed }
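Review bot: the context line `it{ should be_installed }` at the top of this hunk is missing the space after `it` that every other snippet uses, including the `it { should be_installed }` being added a few lines below; since this block is being extended, normalize the example to the same form.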


@ -4,6 +4,8 @@ title: About the windows_hotfix Resource
Use the `windows_hotfix` InSpec audit resource to test if the hotfix has been installed on a Windows system.
<br>
## Syntax
A `windows_hotfix` resource block declares a hotfix to validate:
@ -17,15 +19,7 @@ where
* `('name')` must specify the name of a hotfix, such as `'KB4012213'`
* `be_installed` is a valid matcher for this resource
## Matcher
This InSpec audit resource has the following matcher:
### be_installed
The `be_installed` matcher tests if the named hotfix is installed on the system:
it { should be_installed }
<br>
## Examples
@ -42,3 +36,15 @@ The following examples show how to use this InSpec audit resource.
describe windows_hotfix('KB9999999') do
it { should_not be_installed }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_installed
The `be_installed` matcher tests if the named hotfix is installed on the system:
it { should be_installed }


@ -4,9 +4,11 @@ title: About the windows_task Resource
# windows_task
Use the `windows_task` Inspec audit resource to test a scheduled tasks configuration on a Windows platform.
Use the `windows_task` Inspec audit resource to test a scheduled tasks configuration on a Windows platform.
Microsoft and application vendors use scheduled tasks to perform a variety of system maintaince tasks but system administrators can schedule their own.
<br>
## Syntax
A `windows_task` resource block declares the name of the task (as its full path) and tests its configuration:
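Review bot: the description line touched here still reads `Inspec` (both the old and new form of the line), while every other page in this change writes `InSpec`; the context on the following line keeps `maintaince` and the sentence says `a scheduled tasks configuration`. Since the line is being changed anyway, fix these to `InSpec`, `maintenance` and `a scheduled task's configuration`.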
@ -18,33 +20,11 @@ A `windows_task` resource block declares the name of the task (as its full path)
where
* `'parameter'` must be a valid parameter defined within this resource ie `logon_mode`, `last_result`, `task_to_run`, `run_as_user`
* `'parameter'` must be a valid parameter defined within this resource ie `logon_mode`, `last_result`, `task_to_run`, `run_as_user`
* `'value'` will be used to compare the value gather from your chosen parameter
* `'be_enabled'` is an example of a valid matcher that checks the state of a task, other examples are `exist` or `be_disabled`
* `'be_enabled'` is an example of a valid matcher that checks the state of a task, other examples are `exist` or `be_disabled`
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
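Review bot: in the `where` list both touched bullets carry wording problems: `ie` should be `i.e.`, `the value gather from` should be `gathered`, and `'be_enabled'` is quoted as if it were a string although it is a matcher (the windows_feature page writes `be_installed` unquoted). The hunk also drops the generic matcher partials, but the tail hunk of this file only adds the link, so `exist`, `be_enabled` and `be_disabled`, which this bullet names, are no longer described anywhere on the page; consider listing them under the new `## Matchers` section as the windows_feature page does for `be_installed`.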
@ -101,3 +81,9 @@ Status: Ready
Logon Mode: Interactive/Background
...
```
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).


@ -6,6 +6,8 @@ title: About the wmi Resource
Use the `wmi` InSpec audit resource to test WMI settings on the Windows platform.
<br>
## Syntax
A `wmi` resource block tests WMI settings on the Windows platform:
@ -46,30 +48,7 @@ and the second uses a filter in the Ruby Hash to first identify WinRM, and then
its('DisplayName') { should eq 'Windows Remote Management (WS-Management)'}
end
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -93,3 +72,9 @@ The following examples show how to use this InSpec audit resource.
}) do
its('Setting') { should eq false }
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).


@ -12,6 +12,8 @@ or communications over a network. They may also be used for authentication.
Examples include SSL certificates, S/MIME certificates and VPN authentication
certificates.
<br>
## Syntax
An `x509_certificate` resource block declares a certificate `key file` to be tested.
@ -20,6 +22,8 @@ An `x509_certificate` resource block declares a certificate `key file` to be tes
its('validity_in_days') { should be > 30 }
end
<br>
## Supported Properties
### subject.XX


@ -6,6 +6,8 @@ title: About the xinetd_conf Resource
Use the `xinetd_conf` InSpec audit resource to test services under `/etc/xinet.d` on Linux and Unix platforms. xinetd---the extended Internet service daemon---listens on all ports, and then loads the appropriate program based on a request. The `xinetd.conf` file is typically located at `/etc/xinetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
<br>
## Syntax
An `xinetd_conf` resource block declares settings found in a `xinetd.conf` file for the named service:
@ -21,92 +23,7 @@ where
* `('setting')` is a setting in the `xinetd.conf` file
* `should eq 'value'` is the value that is expected
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be_enabed
The `be_enabled` matcher tests if a service listed under `/etc/xinet.d` is enabled:
it { should be_enabled }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### ids
The `ids` matcher tests if the named service is located under `/etc/xinet.d`:
its('ids') { should include 'service_name' }
For example:
its('ids') { should include 'chargen-stream chargen-dgram'}
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### services
The `services` matcher tests if the named service is listed under `/etc/xinet.d`:
its('services') { should include 'service_name' }
### socket_types
The `socket_types` matcher tests if a service listed under `/etc/xinet.d` is configured to use the named socket type:
its('socket_types') { should eq 'socket' }
where `socket` is one of `dgram`, `raw`, or `stream`. For a UDP-based service:
its('socket_types') { should eq 'dgram' }
For a raw socket (such as a service using a non-standard protocol or a service that requires direct access to IP):
its('socket_types') { should eq 'raw' }
For a TCP-based service:
its('socket_types') { should eq 'stream' }
### types
The `types` matcher tests the service type:
its('type') { should eq 'TYPE' }
where `'TYPE'` is `INTERNAL` (for a service provided by xinetd), `RPC` (for a service based on remote procedure call), or `UNLISTED` (for services not under `/etc/services` or `/etc/rpc`).
### wait
The `wait` matcher tests how a service handles incoming connections.
For UDP (`dgram`) socket types the `wait` matcher should test for `yes`:
its('socket_types') { should eq 'dgram' }
its('wait') { should eq 'yes' }
For TCP (`stream`) socket types the `wait` matcher should test for `no`:
its('socket_types') { should eq 'stream' }
its('wait') { should eq 'no' }
<br>
## Examples
@ -168,3 +85,71 @@ All three settings can be tested in the same block as well:
its('socket_type') { should include 'stream' }
its('wait') { should eq 'no' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_enabed
The `be_enabled` matcher tests if a service listed under `/etc/xinet.d` is enabled:
it { should be_enabled }
### ids
The `ids` matcher tests if the named service is located under `/etc/xinet.d`:
its('ids') { should include 'service_name' }
For example:
its('ids') { should include 'chargen-stream chargen-dgram'}
### services
The `services` matcher tests if the named service is listed under `/etc/xinet.d`:
its('services') { should include 'service_name' }
### socket_types
The `socket_types` matcher tests if a service listed under `/etc/xinet.d` is configured to use the named socket type:
its('socket_types') { should eq 'socket' }
where `socket` is one of `dgram`, `raw`, or `stream`. For a UDP-based service:
its('socket_types') { should eq 'dgram' }
For a raw socket (such as a service using a non-standard protocol or a service that requires direct access to IP):
its('socket_types') { should eq 'raw' }
For a TCP-based service:
its('socket_types') { should eq 'stream' }
### types
The `types` matcher tests the service type:
its('type') { should eq 'TYPE' }
where `'TYPE'` is `INTERNAL` (for a service provided by xinetd), `RPC` (for a service based on remote procedure call), or `UNLISTED` (for services not under `/etc/services` or `/etc/rpc`).
### wait
The `wait` matcher tests how a service handles incoming connections.
For UDP (`dgram`) socket types the `wait` matcher should test for `yes`:
its('socket_types') { should eq 'dgram' }
its('wait') { should eq 'yes' }
For TCP (`stream`) socket types the `wait` matcher should test for `no`:
its('socket_types') { should eq 'stream' }
its('wait') { should eq 'no' }
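Review bot: the heading `### be_enabed` is moved over with its typo and should read `### be_enabled`, matching the matcher named in the sentence under it. Two further inconsistencies are carried verbatim and are worth fixing while the section is rewritten: the `socket_types` examples assert `should eq 'dgram'` on a plural property, while the example context at the top of this hunk uses `its('socket_type') { should include 'stream' }`, so either the property name or the comparison differs between the two; and `### types` documents `its('type')`. The directory is also written `/etc/xinet.d` throughout, whereas xinetd's service directory is `/etc/xinetd.d` (the page itself locates the main file at `/etc/xinetd.conf`).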


@ -6,6 +6,8 @@ title: About the xml Resource
Use the `xml` InSpec audit resource to test data in an XML file.
<br>
## Syntax
An `xml` resource block declares the data to be tested. Assume the following XML file:
@ -34,35 +36,7 @@ where
* `root/name` is an XPath expression
* `should eq ['foo']` tests a value of `root/name` as read from an XML file versus the value declared in the test
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### name
The `name` matcher tests the value of `name` as read from a JSON file versus the value declared in the test:
its('name') { should eq 'foo' }
<br>
## Examples
@ -73,3 +47,15 @@ The following examples show how to use this InSpec audit resource.
describe xml('applicationHost.config') do
its('configuration/system.applicationHost/applicationPools/add@name') { should contain('my_pool') }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### name
The `name` matcher tests the value of `name` as read from a JSON file versus the value declared in the test:
its('name') { should eq 'foo' }
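Review bot: the `name` paragraph says `as read from a JSON file`; this is the xml resource, so it should say XML file. The Syntax section earlier in this file also asserts `should eq ['foo']` because the XPath query returns an array, while this section shows `its('name') { should eq 'foo' }` for the same query, so one of the two forms is wrong; align them with the array form. Finally, `name` is the XPath being queried and `eq` is the matcher, so it sits oddly under `## Matchers`.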


@ -6,6 +6,8 @@ title: About the yaml Resource
Use the `yaml` InSpec audit resource to test configuration data in a Yaml file.
<br>
## Syntax
A `yaml` resource block declares the configuration data to be tested. Assume the following Yaml file:
@ -41,36 +43,7 @@ Like the `json` resource, the `yaml` resource can read a file, run a command, or
its('key2') { should cmp 'value2' }
end
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### name
The `name` matcher tests the value of `name` as read from a Yaml file versus the value declared in the test:
its('name') { should eq 'foo' }
<br>
## Examples
@ -81,3 +54,15 @@ The following examples show how to use this InSpec audit resource.
describe yaml('.kitchen.yaml') do
its('driver.name') { should eq('vagrant') }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### name
The `name` matcher tests the value of `name` as read from a Yaml file versus the value declared in the test:
its('name') { should eq 'foo' }
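Review bot: as on the xml page, `name` here is a document key being read and `eq` is the matcher, so listing it under `## Matchers` is misleading and the linked matchers page already covers `eq`; either drop it or present it as a property example. The added sentence also writes `Yaml`, which should be `YAML`.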


@ -6,6 +6,8 @@ title: About the yum Resource
Use the `yum` InSpec audit resource to test packages in the Yum repository.
<br>
## Syntax
A `yum` resource block declares a package repo, tests if the package repository is present, and if it that package repository is a valid package source (i.e. "is enabled"):
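Review bot: the Syntax sentence in context reads `and if it that package repository is a valid package source`; the stray `it` should be removed, and `(i.e. "is enabled")` reads better as `(i.e. is enabled)`.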
@ -19,63 +21,7 @@ where
* `repo('name')` is the (optional) name of a package repo, using either a full identifier (`'updates/7/x86_64'`) or a short identifier (`'updates'`)
## Matchers
This InSpec audit resource has the following matchers:
### be
<%= partial "/shared/matcher_be" %>
### be_enabled
The `be_enabled` matcher tests if the package repository is a valid package source:
it { should be_enabled }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### exist
The `exist` matcher tests if the package repository exists:
it { should exist }
### include
<%= partial "/shared/matcher_include" %>
### match
<%= partial "/shared/matcher_match" %>
### repo('name')
The `repo('name')` matcher names a specific package repository:
describe yum.repo('epel') do
...
end
### repos
The `repos` matcher tests if a named repo, using either a full identifier (`'updates/7/x86_64'`) or a short identifier (`'updates'`), is included in the Yum repo:
its('repos') { should include 'some_repo' }
### shortname
The `shortname` matcher names a specific package repository's group identifier. For example, if a repository's group name is "Directory Server", the corresponding group idenfier is typically "directory-server":
describe yum.repo('Directory Server') do
its('shortname') { should eq 'directory-server' }
end
<br>
## Examples
@ -109,3 +55,43 @@ The following examples show how to use this InSpec audit resource.
it { should be_enabled }
its('baseurl') { should include 'mycompany.biz' }
end
<br>
## Matchers
This InSpec audit resource has the following matchers. For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_enabled
The `be_enabled` matcher tests if the package repository is a valid package source:
it { should be_enabled }
### exist
The `exist` matcher tests if the package repository exists:
it { should exist }
### repo('name')
The `repo('name')` matcher names a specific package repository:
describe yum.repo('epel') do
...
end
### repos
The `repos` matcher tests if a named repo, using either a full identifier (`'updates/7/x86_64'`) or a short identifier (`'updates'`), is included in the Yum repo:
its('repos') { should include 'some_repo' }
### shortname
The `shortname` matcher names a specific package repository's group identifier. For example, if a repository's group name is "Directory Server", the corresponding group idenfier is typically "directory-server":
describe yum.repo('Directory Server') do
its('shortname') { should eq 'directory-server' }
end
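Review bot: `group idenfier` in the `shortname` paragraph is a typo for `identifier`, carried over from the removed block. `repo('name')` selects a repository (it is used as `describe yum.repo('epel')`) rather than being applied with `should`, so it belongs in the Syntax section rather than under `## Matchers`, and `repos` and `shortname` are properties read with `its`. The `describe yum.repo('epel') do ... end` snippet with a literal `...` body is also not a runnable example; an actual assertion such as the `it { should be_enabled }` shown in the example above would be clearer.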


@ -6,6 +6,8 @@ title: About the zfs_dataset Resource
Use the `zfs_dataset` InSpec audit resource to test the ZFS datasets on FreeBSD systems.
<br>
## Syntax
A `zfs_dataset` resource block declares the ZFS dataset properties that should be tested:
@ -20,32 +22,7 @@ where
* `MATCHER` is a valid matcher for this resource
* `'value'` is the value to be tested
## Matchers
This InSpec audit resource has the matchers listed below, in addition to dynamically exposing all ZFS dataset properties available (see: `man zfs` for the list of supported properties.)
### be
<%= partial "/shared/matcher_be" %>
### be_mounted
The `be_mounted` matcher tests if the dataset is accessible from the file system:
it { should be_mounted }
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -61,3 +38,15 @@ The following examples show how to use this InSpec audit resource.
its('readonly') { should eq 'off' }
its('setuid') { should eq 'off' }
end
<br>
## Matchers
This InSpec audit resource has the matchers listed below, in addition to dynamically exposing all ZFS dataset properties available (see: `man zfs` for the list of supported properties). For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
### be_mounted
The `be_mounted` matcher tests if the dataset is accessible from the file system:
it { should be_mounted }


@ -6,6 +6,8 @@ title: About the zfs_pool Resource
Use the `zfs_pool` InSpec audit resource to test the ZFS pools on FreeBSD systems.
<br>
## Syntax
A `zfs_pool` resource block declares the ZFS pool properties that should be tested:
@ -20,26 +22,7 @@ where
* `MATCHER` is a valid matcher for this resource
* `'value'` is the value to be tested
## Matchers
This InSpec audit resource has the matchers listed below, in addition to dynamically exposing all ZFS pool properties available (see: `man zpool` for the list of supported properties.)
### be
<%= partial "/shared/matcher_be" %>
### cmp
<%= partial "/shared/matcher_cmp" %>
### eq
<%= partial "/shared/matcher_eq" %>
### match
<%= partial "/shared/matcher_match" %>
<br>
## Examples
@ -55,3 +38,9 @@ The following examples show how to use this InSpec audit resource.
its('listsnapshots') { should eq 'off' }
its('readonly') { should eq 'off' }
end
<br>
## Matchers
This InSpec audit resource dynamically exposes all ZFS pool properties available (see: `man zpool` for the list of supported properties). For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).


@ -1,10 +1,10 @@
//default
code {
color: $color_link;
border-radius: 7px;
background: $color_lt_blue;
border-color: $color_lt_blue;
color: white;
border-radius: 4px;
background: $color_paragraph;
border-color: $color_paragraph;
}
.highlight code {
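Review bot: inline `code` switches to white text on a `$color_paragraph` background, and the value of that variable is not visible in this hunk; please confirm the resulting contrast meets the 4.5:1 ratio for normal-size text before merging, since inline code is read at body size.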
@ -12,11 +12,12 @@ code {
}
pre {
border-radius: 7px;
padding: 10px;
margin-bottom: 1em;
background: $color_lt_blue;
border: 1px solid rgba(65,151,181,0.3);
color: $color_link
background: $color_paragraph;
border: $color_paragraph;
color: white
}
// Container for code example
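Review bot: `border: $color_paragraph;` replaces `border: 1px solid rgba(65,151,181,0.3);` with a shorthand that sets only the colour; because the border-style component defaults to `none`, this draws no border at all. If the intent is a coloured frame around `pre`, write `border: 1px solid $color_paragraph;`; if the intent is to drop the border, `border: none;` states that directly. The trailing `color: white` is also still missing its `;`, harmless as the last declaration but inconsistent with the rest of the block.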


@ -33,7 +33,7 @@
.main-nav--link-ctas {
padding: 9px 0 9px $side-nav-padding-small;
border-bottom: 1px solid lighten($color_gray, 40%);
border-bottom: 1px solid lighten($color_paragraph, 40%);
& > .button {
margin-bottom: 0;
@ -116,7 +116,7 @@
.main-nav--link {
a {
color: $color_gray;
color: $color_paragraph;
}
a:hover, a.btn, a:active {