From f8302b63830aca2269add41eb4ece1e4f34b3caf Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Sat, 31 Oct 2015 11:54:47 +0100 Subject: [PATCH 01/14] use ssh_config instead of sshd_conf --- docs/resources.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/resources.rst b/docs/resources.rst index 2331ef7ff..8f5f34d97 100644 --- a/docs/resources.rst +++ b/docs/resources.rst @@ -4015,7 +4015,7 @@ The following examples show how to use this InSpec audit resource. its('protocol') {should eq 'tcp'} end - describe sshd_conf do + describe sshd_config do its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') } end From afb9c2441a299d5660c29a528d9c6b966ceb06fb Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Sat, 31 Oct 2015 12:07:19 +0100 Subject: [PATCH 02/14] update cli options --- docs/ctl_inspec.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/ctl_inspec.rst b/docs/ctl_inspec.rst index 23a173ceb..c3a603d3d 100644 --- a/docs/ctl_inspec.rst +++ b/docs/ctl_inspec.rst @@ -17,14 +17,14 @@ The following options may be used with any of the InSpec CLI subcommands: ``--host`` The remote host to be tested. -``--key`` +``--key_files`` The login key or certificate file required for remote scanning. ``--password`` The login password for remote scanning. ``--path`` - The login path used to connect to the target. + The login path used to connect to the target for |winrm|. ``--port`` The port over which remote scanning will occur. @@ -192,3 +192,4 @@ Use ``inspec version`` to print the version of the InSpec CLI. .. _winrm: https://msdn.microsoft.com/en-us/library/aa384426(v=vs.85).aspx .. |docker| replace:: Docker .. _docker: https://www.docker.com/ +.. |json| replace:: JSON From d8b4b1d7b4694ff9995791ee8b011b977bef4caa Mon Sep 17 00:00:00 2001 
From: Christoph Hartmann Date: Sat, 31 Oct 2015 12:10:14 +0100 Subject: [PATCH 03/14] update cli description of --path --- bin/inspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/inspec b/bin/inspec index 3a5a4ecd4..06e572987 100755 --- a/bin/inspec +++ b/bin/inspec @@ -25,7 +25,7 @@ class InspecCLI < Thor option :key_files, type: :array, default: nil, desc: 'Login key or certificate file for a remote scan.' option :path, type: :string, default: nil, - desc: 'Login path to use when connecting to the target.' + desc: 'Login path to use when connecting to the target (WinRM).' option :sudo, type: :boolean, default: false, desc: 'Run scans with sudo. Only activates on Unix and non-root user.' option :sudo_password, type: :string, default: nil, From 789b6cf83f372b7d4da0c8ecf56b8af6a3f57e07 Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Sat, 31 Oct 2015 12:10:35 +0100 Subject: [PATCH 04/14] fix typo in readme --- docs/readme.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/readme.rst b/docs/readme.rst index 81d291be3..090148d4c 100644 --- a/docs/readme.rst +++ b/docs/readme.rst @@ -90,7 +90,7 @@ bundle exec bin/inspec exec demo/test/example_spec.rb Stability Index ----------------------------------------------------- -Every available InSpec resource will indiate its stability. As InSpec matures, certain parts are more reliable than others. Brand new features are likely to be redesigned and marked as such. +Every available InSpec resource will indicate its stability. As InSpec matures, certain parts are more reliable than others. Brand new features are likely to be redesigned and marked as such. The stability indices are as follows: From e52e3b675348aabb6d105e6e196c70979e5e838a Mon Sep 17 00:00:00 2001 
From: Christoph Hartmann Date: Sat, 31 Oct 2015 12:46:12 +0100 Subject: [PATCH 05/14] update examples in docs --- docs/resources.rst | 102 ++++++++------------------------------------- 1 file changed, 18 insertions(+), 84 deletions(-) diff --git a/docs/resources.rst b/docs/resources.rst index 8f5f34d97..3e3e36d93 100644 --- a/docs/resources.rst +++ b/docs/resources.rst @@ -41,7 +41,7 @@ The following InSpec audit resources are available: * ``port`` * ``postgres_conf`` * ``postgres_session`` -* ``processes`` << process? +* ``processes`` * ``registry_key`` * ``script`` * ``security_policy`` @@ -169,7 +169,7 @@ Examples ----------------------------------------------------- The following examples show how to use this InSpec audit resource in a test. -**Test if Ubuntu is updated to the latest stable Juju package** +**Test if apt repository exists and is enabled** .. code-block:: ruby @@ -178,16 +178,7 @@ The following examples show how to use this InSpec audit resource in a test. it { should be_enabled } end -**Test if Nginx is updated to the latest stable package** - -.. code-block:: ruby - - describe apt('ppa:nginx/stable') do - it { should exist } - it { should be_enabled } - end - -**Verify that a repository exists and is enabled** +**Verify that a PPA repository exists and is enabled** .. code-block:: ruby @@ -236,7 +227,7 @@ Examples ----------------------------------------------------- The following examples show how to use this InSpec audit resource. -**Test that a parameter is set to "No Auditing"** +**Test that a parameter is not set to "No Auditing"** .. code-block:: ruby @@ -249,7 +240,7 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby describe audit_policy do - its('User Account Management') { should_not eq 'No Auditing' } + its('User Account Management') { should eq 'Success' } end 
@@ -315,6 +306,8 @@ auditd_rules ===================================================== Use the ``auditd_rules`` |inspec resource| to test the rules for logging that exist on the system. The ``audit.rules`` file is typically located under ``/etc/audit/`` and contains the list of rules that define what is captured in log files. +**Stability: Experimental** + Syntax ----------------------------------------------------- A ``auditd_rules`` |inspec resource| block declares one (or more) rules to be tested, and then what that rule should do: 
@@ -333,78 +326,21 @@ A ``auditd_rules`` |inspec resource| block declares one (or more) rules to be te ] } end -or: +or test that individual rules are defined: .. code-block:: ruby - audit = command('/sbin/auditctl -l').stdout - options = { - assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/, - multiple_values: true - } - - describe auditd_rules(audit, options) do - its('rule') { should eq 1 } - end + describe auditd_rules do + its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/group perm=wa key=identity/) } + its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/passwd perm=wa key=identity/) } + its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/gshadow perm=wa key=identity/)} + its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/shadow perm=wa key=identity/)} + its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/security\/opasswd perm=wa key=identity/)} + end where each test * Must declare one (or more) rules to be tested -* May run a command to ``stdout``, and then run the test against that output -* May use options to define how configuration data is to be parsed - -Options ------------------------------------------------------ -This |inspec resource| supports the following options for parsing configuration data. Use them in an ``options`` block stated outside of (and immediately before) the actual test: - -.. code-block:: ruby - - options = { - assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/, - multiple_values: true - } - describe auditd_rules(options) do - its('rule') { should eq 1 } - end - - -assignment_re -+++++++++++++++++++++++++++++++++++++++++++++++++++++ -Use ``assignment_re`` to test a key value using a regular expression: - -.. code-block:: ruby - - 'key = value' - -may be tested using the following regular expression, which determines assignment from key to value: - -.. 
code-block:: ruby - - assignment_re: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/ - -multiple_values -+++++++++++++++++++++++++++++++++++++++++++++++++++++ -Use ``multiple_values`` to test for the presence of multiple key values: - -.. code-block:: ruby - - 'key = a' and 'key = b' - params['key'] = ['a', 'b'] - -or: - -.. code-block:: ruby - - 'key = a' and 'key = b' - params['key'] = 'b' - -To test if multiple values are present, use: - -.. code-block:: ruby - - multiple_values: false - -The preceding test will fail with the first example and will pass with the second. Examples ----------------------------------------------------- @@ -416,9 +352,7 @@ The following examples show how to use this InSpec audit resource. describe audit_daemon_rules do its("LIST_RULES") { - should contain_match(/^exit,always arch=.* - key=time-change - syscall=adjtimex,settimeofday/) + should contain_match(/^exit,always arch=.* key=time-change syscall=adjtimex,settimeofday/) } end @@ -426,7 +360,7 @@ The following examples show how to use this InSpec audit resource. bond ===================================================== -Use the ``bond`` |inspec resource| to test a logical, bonded network interface (i.e. "two or more network interfaces aggregated into a single, logical network interface"). On |unix| and |linux| platforms, any value in the ``/proc/net/bonding`` directory may be tested. +Use the ``bond`` |inspec resource| to test a logical, bonded network interface (i.e. "two or more network interfaces aggregated into a single, logical network interface"). On |linux| platforms, any value in the ``/proc/net/bonding`` directory may be tested. **Stability: Stable** 
@@ -523,7 +457,7 @@ bridge ===================================================== Use the ``bridge`` |inspec resource| to test basic network bridge properties, such as name, if an interface is defined, and the associations for any defined interface. -* On |unix| and |linux| platforms, any value in the ``/sys/class/net/{interface}/bridge`` directory may be tested +* On |linux| platforms, any value in the ``/sys/class/net/{interface}/bridge`` directory may be tested * On the |windows| platform, the ``Get-NetAdapter`` cmdlet is associated with the ``Get-NetAdapterBinding`` cmdlet and returns the ``ComponentID ms_bridge`` value as a |json| object .. not sure the previous two bullet items are actually true, but keeping there for reference for now, just in case From 64f1e5ee1e290ddd971a6f0c271d5307c17aca9c Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Sat, 31 Oct 2015 13:58:53 +0100 Subject: [PATCH 06/14] fix resource doc typos --- docs/resources.rst | 94 +++++++++++++++++----------------------------- 1 file changed, 35 insertions(+), 59 deletions(-) diff --git a/docs/resources.rst b/docs/resources.rst index 3e3e36d93..ff73ec0e1 100644 --- a/docs/resources.rst +++ b/docs/resources.rst @@ -510,9 +510,9 @@ The ``interfaces`` matcher tests if the named interface is present: .. code-block:: ruby - its('interfaces') { should eq foo } - its('interfaces') { should eq bar } - its('interfaces') { should include foo, bar } + its('interfaces') { should eq 'foo' } + its('interfaces') { should eq 'bar' } + its('interfaces') { should include('foo') } .. .. Examples 
@@ -548,18 +548,9 @@ A ``command`` |inspec resource| block declares a command to be run, one (or more its('matcher') { should eq 'output' } end -or: - -.. code-block:: ruby - - describe command('command').exist? do - its('matcher') { should eq 'output' } - end - where * ``'command'`` must specify a command to be run -* ``.exist?`` is the ``exist`` matcher * ``'matcher'`` is one of ``exit_status``, ``stderr``, or ``stdout`` * ``'output'`` tests the output of the command run on the system versus the output value stated in the test @@ -589,7 +580,7 @@ The ``stderr`` matcher tests results of the command as returned in standard erro .. code-block:: ruby - its('stderr') { should eq 'error\n' } + its('stderr') { should eq 'error' } stdout +++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -603,24 +594,16 @@ Examples ----------------------------------------------------- The following examples show how to use this InSpec audit resource. -**Test for PostgreSQL database running a RC, development, or beta release** +**Test for PostgreSQL database running a RC, but no development, or beta release** .. code-block:: ruby - describe command('sudo -i psql -V') do - its('stdout') { should_not eq '/RC/' } + describe command('psql -V') do + its('stdout') { should eq '/RC/' } its('stdout') { should_not eq '/DEVEL/' } its('stdout') { should_not eq '/BETA/' } end -**Test for multiple instances of Nginx** - -.. code-block:: ruby - - describe command('ps aux | egrep "nginx: master" | egrep -v "grep" | wc -l') do - its('stdout') (should eq '/^1$/' ) - end - **Test standard output (stdout)** .. code-block:: ruby 
@@ -667,19 +650,6 @@ The following examples show how to use this InSpec audit resource. it { should eq false } end -**Test for one peer and one indent** - -.. code-block:: ruby - - describe command('sudo -i cat #{hba_config_file} | egrep 'peer|ident' | wc -l') do - its('stdout') { should eq '(/^[2|1]/)' } - end - - describe command('sudo -i cat #{hba_config_file} | egrep 'trust|password|crypt' | wc -l') do - its('stdout') { should eq '(/^0/)' } - end - - @@ -768,7 +738,7 @@ This |inspec resource| may use any of the matchers available to the ``file`` res etc_group ===================================================== -Use the ``etc_group`` |inspec resource| to test groups that are defined on on |linux| and |unix| platforms. The ``/etc/group`` file stores details about each group---group name, password, group identifier, along with a comma-separate list of users that belong to the group. +Use the ``etc_group`` |inspec resource| to test groups that are defined on |linux| and |unix| platforms. The ``/etc/group`` file stores details about each group---group name, password, group identifier, along with a comma-separate list of users that belong to the group. **Stability: Experimental** @@ -816,7 +786,7 @@ The ``groups`` matcher tests all groups for the named user: .. code-block:: ruby - its('groups') { should include 'my_user' } + its('groups') { should include 'my_group' } users +++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -861,7 +831,7 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby describe etc_group do - its('groups') { should include 'my_user' } + its('groups') { should include 'my_group' } end @@ -869,7 +839,7 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby - describe etc_group.where(name: 'my_user') do + describe etc_group do its('users') { should include 'my_user' } end 
@@ -877,7 +847,7 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby - describe etc_group.where(name: 'my_user') do + describe etc_group.where(name: 'my_group') do its('users') { should include 'my_user' } end @@ -1104,9 +1074,9 @@ The following complete example tests the ``pg_hba.conf`` file in |postgresql| fo .. code-block:: bash describe file(hba_config_file) do - its('content') { should eq '/local\s.*?all\s.*?all\s.*?md5/' } - its('content') { should eq '%r{/host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5/}' } - its('content') { should eq '%r{/host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5/}' } + its('content') { should match '/local\s.*?all\s.*?all\s.*?md5/' } + its('content') { should match '%r{/host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5/}' } + its('content') { should match '%r{/host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5/}' } end exist @@ -1212,7 +1182,7 @@ The ``selinux_label`` matcher tests if the |selinux| label for a file matches th .. code-block:: ruby - its('product_version') { should eq 'system_u:system_r:httpd_t:s0' } + its('selinux_label') { should eq 'system_u:system_r:httpd_t:s0' } sha256sum +++++++++++++++++++++++++++++++++++++++++++++++++++++ @@ -1276,9 +1246,9 @@ The following examples show how to use this InSpec audit resource. .. code-block:: bash describe file(hba_config_file) do - its('content') { should eq '/local\s.*?all\s.*?all\s.*?md5/' } - its('content') { should eq '%r{/host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5/}' } - its('content') { should eq '%r{/host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5/}' } + its('content') { should match '/local\s.*?all\s.*?all\s.*?md5/' } + its('content') { should match '%r{/host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5/}' } + its('content') { should match '%r{/host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5/}' } end **Test if a file exists** 
@@ -1297,7 +1267,7 @@ The following examples show how to use this InSpec audit resource. it { should_not exist } end -**Test if a file is a directory** +**Test if a path is a directory** .. code-block:: bash @@ -1306,7 +1276,7 @@ The following examples show how to use this InSpec audit resource. it { should be_directory } end -**Test if a file is a file and not a directory** +**Test if a path is a file and not a directory** .. code-block:: bash @@ -1413,7 +1383,6 @@ The following examples show how to use this InSpec audit resource. require 'digest' cpuinfo = file('/proc/cpuinfo').content - md5sum = Digest::MD5.hexdigest(cpuinfo) describe file('/proc/cpuinfo') do @@ -1426,7 +1395,6 @@ The following examples show how to use this InSpec audit resource. require 'digest' cpuinfo = file('/proc/cpuinfo').content - sha256sum = Digest::SHA256.hexdigest(cpuinfo) describe file('/proc/cpuinfo') do @@ -1572,7 +1540,7 @@ A ``host`` |inspec resource| block declares a host name, and then (depending on .. code-block:: ruby - describe host('example.com', port: 80, proto: 'udp') do + describe host('example.com', port: 80, proto: 'tcp') do it { should be_reachable } end @@ -1581,7 +1549,7 @@ where * ``host()`` must specify a host name and may specify a port number and/or a protocol * ``'example.com'`` is the host name * ``port:`` is the port number -* ``proto: 'name'`` is the Internet protocol: |icmp| (``proto: 'icmp'``), |tcp| (``proto: 'tcp'``), or |udp| (``proto: 'udp'``) +* ``proto: 'name'`` is the Internet protocol: |tcp| (``proto: 'tcp'``), |udp| (``proto: 'udp'`` or |icmp| (``proto: 'icmp'``)) * ``be_reachable`` is a valid matcher for this |inspec resource| Matchers 
@@ -1644,7 +1612,7 @@ Use the ``inetd_conf`` |inspec resource| to test if a service is enabled in the Syntax ----------------------------------------------------- -An ``inetd_conf`` |inspec resource| block declares the list of services that should be disabled in the ``inetd.conf`` file: +An ``inetd_conf`` |inspec resource| block declares the list of services that are enabled in the ``inetd.conf`` file: .. code-block:: ruby @@ -1660,7 +1628,7 @@ where Matchers ----------------------------------------------------- -This |inspec resource| matches any service that is listed in the ``inetd.conf`` file: +This |inspec resource| matches any service that is listed in the ``inetd.conf`` file. You may want to ensure that specific services do not listen via ``inetd.conf``: .. code-block:: ruby @@ -3518,12 +3486,20 @@ Examples ----------------------------------------------------- The following examples show how to use this InSpec audit resource. -**Test if the list length for the mysqld process is 1** +**Test for multiple instances of Nginx** + +.. code-block:: ruby + + describe processes('postgres') do + its('list.length') { should be(1) } + end + +**Test for multiple instances of mysqld** .. code-block:: ruby describe processes('mysqld') do - its('list.length') { should eq '1' } + its('list.length') { should eq 1 } end **Test if the init process is owned by the root user** From bfcfe747a78c65cd0939e57448e611abaad57762 Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Sat, 31 Oct 2015 14:44:16 +0100 Subject: [PATCH 07/14] fix resource doc typos --- docs/resources.rst | 59 ++++++++++++++++------------------------------ 1 file changed, 20 insertions(+), 39 deletions(-) diff --git a/docs/resources.rst b/docs/resources.rst index ff73ec0e1..3dc343c77 100644 --- a/docs/resources.rst +++ b/docs/resources.rst 
@@ -1705,10 +1705,8 @@ interface ===================================================== Use the ``interface`` |inspec resource| to test basic network adapter properties, such as name, status, state, address, and link speed (in MB/sec). -* On |unix| and |linux| platforms, any value in the ``/sys/class/net/#{iface}`` directory may be tested -* On the |windows| platform, the ``Get-NetAdapter`` cmdlet returns the following values: ``Property Name``, ``InterfaceDescription``, ``Status``, ``State``, ``MacAddress``, ``LinkSpeed``, ``ReceiveLinkSpeed``, ``TransmitLinkSpeed``, and ``Virtual``, returned as a |json| object - -.. not sure the previous two bullet items are actually true, but keeping there for reference for now, just in case +* On |linux| platforms, ``/sys/class/net/#{iface}`` is used as source +* On the |windows| platform, the ``Get-NetAdapter`` cmdlet is used as source **Stability: Stable** @@ -1724,14 +1722,6 @@ An ``interface`` |inspec resource| block declares network interface properties t its('name') { should eq eth0 } end -.. -.. where -.. -.. * ``xxxxx`` must specify xxxxx -.. * xxxxx -.. * ``xxxxx`` is a valid matcher for this InSpec audit resource -.. - Matchers ----------------------------------------------------- @@ -1930,7 +1920,7 @@ The following examples show how to use this InSpec audit resource. kernel_parameter ===================================================== -Use the ``kernel_parameter`` |inspec resource| to test kernel parameters on |linux| platforms. These parameters are located under ``/proc/sys/net``. Any subdirectory may be tested using this resource. +Use the ``kernel_parameter`` |inspec resource| to test kernel parameters on |linux| platforms. **Stability: Stable** 
@@ -1946,7 +1936,7 @@ A ``kernel_parameter`` |inspec resource| block declares a parameter and then a v where -* ``'path.to.parameter'`` must specify a kernel parameter, such as ``'net.ipv4.conf.all.forwarding'`` +* ``'kernel.parameter'`` must specify a kernel parameter, such as ``'net.ipv4.conf.all.forwarding'`` * ``{ should eq 0 }`` states the value to be tested Matchers @@ -2055,7 +2045,8 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby describe limits_conf('path') do - its('*') { should include ['soft', 'core', '0'], ['hard', 'rss', '10000'] } + its('*') { should include ['soft', 'core', '0'] } + its('*') { should include ['hard', 'rss', '10000'] } its('ftp') { should eq ['hard', 'nproc', '0'] } end @@ -2126,7 +2117,7 @@ The following examples show how to use this InSpec audit resource. mysql_conf ===================================================== -Use the ``mysql_conf`` |inspec resource| to test the contents of the configuration file for |mysql|, typically located at ``/etc/mysql//my.cnf``. +Use the ``mysql_conf`` |inspec resource| to test the contents of the configuration file for |mysql|, typically located at ``/etc/mysql/my.cnf`` or ``/etc/my.cnf``. Syntax ----------------------------------------------------- @@ -2231,16 +2222,14 @@ A ``mysql_session`` |inspec resource| block declares the username and password t .. code-block:: ruby - sql = mysql_session('username', 'password') - - sql.describe('QUERY') do + describe mysql_session('username', 'password').query('QUERY') do its('output') { should eq('') } end where -* ``sql = mysql_session`` declares a username and password with permission to run the query -* ``describe('QUERY')`` contains the query to be run +* ``mysql_session`` declares a username and password with permission to run the query +* ``query('QUERY')`` contains the query to be run * ``its('output') { should eq('') }`` compares the results of the query against the expected result in the test Matchers 
@@ -2264,8 +2253,7 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby sql = mysql_session('my_user','password') - - sql.describe('show databases like \'test\';') do + describe sql.query('show databases like \'test\';') do its(:stdout) { should_not match(/test/) } end @@ -2274,7 +2262,7 @@ The following examples show how to use this InSpec audit resource. npm ===================================================== -Use the ``npm`` |inspec resource| to test if a global |npm| package is installed. |npm| is the `the package manager for Javascript packages `__, such as |bower| and |statsd|. +Use the ``npm`` |inspec resource| to test if a global |npm| package is installed. |npm| is the `the package manager for Nodejs packages `__, such as |bower| and |statsd|. **Stability: Experimental** @@ -2465,7 +2453,7 @@ A ``os`` |inspec resource| block declares the platform to be tested: .. code-block:: ruby - describe os do + describe os['family'] do it { should eq 'platform' } end @@ -2486,7 +2474,7 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby - describe os do + describe os['family'] do it { should eq 'redhat' } end @@ -2494,7 +2482,7 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby - describe os do + describe os['family'] do it { should eq 'debian' } end @@ -2502,7 +2490,7 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby - describe os do + describe os['family'] do it { should eq 'windows' } end 
@@ -2532,17 +2520,17 @@ Matchers ----------------------------------------------------- This InSpec audit resource has the following matchers. -exit_status +content +++++++++++++++++++++++++++++++++++++++++++++++++++++ -The ``exit_status`` matcher tests the exit status of the platform environment: +The ``content`` matcher return the value of the environment variable: .. code-block:: ruby - its('exit_status') { should eq 0 } + its('content') { should eq '/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin' } split +++++++++++++++++++++++++++++++++++++++++++++++++++++ -The ``split`` matcher tests the delimiter between environment variables: +The ``split`` splits the content with the ``:``` deliminator: .. code-block:: ruby @@ -2560,13 +2548,6 @@ Use ``-1`` to test for cases where there is a trailing colon (``:``), such as `` its('split') { should include ('-1') } -stderr -+++++++++++++++++++++++++++++++++++++++++++++++++++++ -The ``stderr`` matcher tests environment variables after they are output to stderr: - -.. code-block:: ruby - - its('stderr') { should include('PWD=/root') } Examples ----------------------------------------------------- From ed092b6c0fecfc2c1781f56fb0910d22c0215b55 Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Sat, 31 Oct 2015 17:43:40 +0100 Subject: [PATCH 08/14] update parse_config & passwd --- docs/resources.rst | 173 ++++++++++++++++++++++----------------------- 1 file changed, 85 insertions(+), 88 deletions(-) diff --git a/docs/resources.rst b/docs/resources.rst index 3dc343c77..59aff7f85 100644 --- a/docs/resources.rst +++ b/docs/resources.rst 
@@ -2744,51 +2744,45 @@ contains three values. To test that value to ensure it only contains one, use: multiple_values +++++++++++++++++++++++++++++++++++++++++++++++++++++ -Use ``multiple_values`` to test for the presence of multiple key values: +Use ``multiple_values`` if the source file uses the same key multiple times. All values will be aggregated in an array: .. code-block:: ruby - 'key = a' and 'key = b' + # # file structure: + # key = a + # key = b + # key2 = c params['key'] = ['a', 'b'] + params['key2'] = ['c'] -or: +To use plain key value mapping, use ``multiple_values: false``: .. code-block:: ruby - 'key = a' and 'key = b' + # # file structure: + # key = a + # key = b + # key2 = c params['key'] = 'b' + params['key2'] = 'c' -To test if multiple values are present, use: - -.. code-block:: ruby - - multiple_values: false - -The preceding test will fail with the first example and will pass with the second. standalone_comments +++++++++++++++++++++++++++++++++++++++++++++++++++++ -Use ``standalone_comments`` to test for comments in a configuration file and to ensure they are not integrated into the same lines as code: - -.. code-block:: ruby - - 'key = value # comment' - params['key'] = 'value' - -or: +Use ``standalone_comments`` to parse comments as a line , otherwise inline comments are allowed: .. code-block:: ruby 'key = value # comment' params['key'] = 'value # comment' -To test if comments are standalone, use: + +Use ``standalone_comments: false``, to parse the following: .. code-block:: ruby - standalone_comments: true - -The preceding test will fail with the second example and will pass with the first. + 'key = value # comment' + params['key'] = 'value' Examples ----------------------------------------------------- 
@@ -2815,13 +2809,13 @@ The following examples show how to use this InSpec audit resource. parse_config_file ===================================================== -Use the ``parse_config_file`` InSpec audit resource to test arbitrary configuration files. +Use the ``parse_config_file`` InSpec audit resource to test arbitrary configuration files. It works identiacal to ``parse_config``. Instead of using a command output, this resource works with files. **Stability: Experimental** Syntax ----------------------------------------------------- -A ``parse_config_file`` InSpec audit resource block declares the location of the configuration file to be tested, and then which settings in that file are to be tested. Because this InSpec audit resource relies on arbitrary configuration files, the test itself is often arbitrary and relies on custom |ruby| code: +A ``parse_config_file`` InSpec audit resource block declares the location of the configuration file to be tested, and then which settings in that file are to be tested. .. code-block:: ruby @@ -2859,19 +2853,19 @@ This |inspec resource| supports the following options for parsing configuration assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/, multiple_values: true } - describe parse_config_file(options) do + describe parse_config_file('path/to/file', options) do its('setting') { should eq 1 } end assignment_re +++++++++++++++++++++++++++++++++++++++++++++++++++++ -Use ``assignment_re`` to test a key value using a regular expression: +Use ``assignment_re`` to parse a key value using a regular expression: .. code-block:: ruby 'key = value' -may be tested using the following regular expression, which determines assignment from key to value: +may be parsed using the following regular expression, which determines assignment from key to value: .. code-block:: ruby 
@@ -2879,7 +2873,7 @@ may be tested using the following regular expression, which determines assignmen comment_char +++++++++++++++++++++++++++++++++++++++++++++++++++++ -Use ``comment_char`` to test for comments in a configuration file: +Use ``comment_char`` to parse for comments in a configuration file: .. code-block:: ruby @@ -2887,7 +2881,7 @@ Use ``comment_char`` to test for comments in a configuration file: key_vals +++++++++++++++++++++++++++++++++++++++++++++++++++++ -Use ``key_vals`` to test how many values a key contains: +Use ``key_vals`` to parse how many values a key contains: .. code-block:: ruby 
@@ -2902,51 +2896,45 @@ contains three values. To test that value to ensure it only contains one, use: multiple_values +++++++++++++++++++++++++++++++++++++++++++++++++++++ -Use ``multiple_values`` to test for the presence of multiple key values: +Use ``multiple_values`` if the source file uses the same key multiple times. All values will be aggregated in an array: .. code-block:: ruby - 'key = a' and 'key = b' - params['key'] = ['a', 'b'] + # # file structure: + # key = a + # key = b + # key2 = c + params['key'] = ['a', 'b'] + params['key2'] = ['c'] -or: +To use plain key value mapping, use ``multiple_values: false``: .. code-block:: ruby - 'key = a' and 'key = b' - params['key'] = 'b' + # # file structure: + # key = a + # key = b + # key2 = c + params['key'] = 'b' + params['key2'] = 'c' -To test if multiple values are present, use: - -.. code-block:: ruby - - multiple_values: false - -The preceding test will fail with the first example and will pass with the second. standalone_comments +++++++++++++++++++++++++++++++++++++++++++++++++++++ -Use ``standalone_comments`` to test for comments in a configuration file and to ensure they are not integrated into the same lines as code: - -.. code-block:: ruby - - 'key = value # comment' - params['key'] = 'value' - -or: +Use ``standalone_comments`` to parse comments as a line , otherwise inline comments are allowed: .. code-block:: ruby 'key = value # comment' params['key'] = 'value # comment' -To test if comments are standalone, use: + +Use ``standalone_comments: false``, to parse the following: .. code-block:: ruby - standalone_comments: true - -The preceding test will fail with the second example and will pass with the first. + 'key = value # comment' + params['key'] = 'value' Examples ----------------------------------------------------- 
@@ -2975,7 +2963,7 @@ passwd Use the ``passwd`` |inspec resource| to test the contents of ``/etc/passwd``, which contains the following information for users that may log into the system and/or as users that own running processes. The format for ``/etc/passwd`` includes: * A username -* The password for that user +* The password for that user (on newer systems passwords should be stored in ``/etc/shadow`` ) * The user identifier (UID) assigned to that user * The group identifier (GID) assigned to that user * Additional information about that user @@ -3000,22 +2988,22 @@ A ``passwd`` |inspec resource| block declares one (or more) users and associated its('matcher') { should eq 0 } end + describe passwd.uid(userid) do + its(:username) { should eq 'root' } + its(:count) { should eq 1 } + end + where -* ``count``, ``gids``, ``passwords``, ``uid``, ``uids``, ``username``, ``usernames``, and ``users`` are valid matchers for this InSpec resource +* ``gids``, ``passwords``, ``uids``, and ``usernames`` are valid matchers for ``passwd`` +* ``userid`` is a filter for a specific uid +* ``count``, ``uid``, ``username`` are valid matchers for ``passwd.uid(userid)`` -Matchers + +Matchers for ``passwd`` ----------------------------------------------------- This InSpec audit resource has the following matchers. -count -+++++++++++++++++++++++++++++++++++++++++++++++++++++ -The ``count`` matcher tests the number of times the named user appears in ``/etc/passwd``: - -.. code-block:: ruby - - its('count') { should eq 1 } - gids +++++++++++++++++++++++++++++++++++++++++++++++++++++ The ``gids`` matcher tests if the group indentifiers in the test match group identifiers in ``/etc/passwd``: 
@@ -3038,14 +3026,6 @@ For example: its('passwords') { should eq 'x' } -uid -+++++++++++++++++++++++++++++++++++++++++++++++++++++ -The ``uid`` matcher tests if the user identifier in the test matches a user identifier in ``/etc/passwd``: - -.. code-block:: ruby - - its('uid') { should eq 1234 } - uids +++++++++++++++++++++++++++++++++++++++++++++++++++++ The ``uids`` matcher tests if the user indentifiers in the test match user identifiers in ``/etc/passwd``: @@ -3054,14 +3034,6 @@ The ``uids`` matcher tests if the user indentifiers in the test match user ident its('uids') { should eq ['1234', '1235'] } -username -+++++++++++++++++++++++++++++++++++++++++++++++++++++ -The ``username`` matcher tests if the user name in the test matches a user name in ``/etc/passwd``: - -.. code-block:: ruby - - its('username') { should eq 'root' } - usernames +++++++++++++++++++++++++++++++++++++++++++++++++++++ The ``usernames`` matcher tests if the usernames in the test match usernames in ``/etc/passwd``: 
@@ -3070,13 +3042,34 @@ The ``usernames`` matcher tests if the usernames in the test match usernames in its('usernames') { should eq ['root', 'www-data'] } -users + +Matchers for ``passwd.uid(userid)`` +----------------------------------------------------- +This InSpec audit resource has the following matchers. + +count +++++++++++++++++++++++++++++++++++++++++++++++++++++ -The ``users`` matcher tests if the user in the test matches a user in ``/etc/passwd`` +The ``count`` matcher tests the number of times the named user appears in ``/etc/passwd``: .. code-block:: ruby - its('users') { should eq 'root' } + its('count') { should eq 1 } + +uid ++++++++++++++++++++++++++++++++++++++++++++++++++++++ +The ``uid`` matcher tests if the user identifier in the test matches a user identifier in ``/etc/passwd``: + +.. code-block:: ruby + + its('uid') { should eq 1234 } + +username ++++++++++++++++++++++++++++++++++++++++++++++++++++++ +The ``username`` matcher tests if the user name in the test matches a user name in ``/etc/passwd``: + +.. code-block:: ruby + + its('username') { should eq 'root' } Examples ----------------------------------------------------- @@ -3087,11 +3080,11 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby describe passwd do - its('usernames') { should eq 'root' } - its('uids') { should eq 1 } + its('usernames') { should eq ['root', 'www-data'] } + its('uids') { should eq [0, 33] } end -**Test for multiple root users** +**Select one user and test for multiple occurances in passwd** .. code-block:: ruby @@ -3100,6 +3093,10 @@ The following examples show how to use this InSpec audit resource. its('count') { should eq 1 } end + describe passwd.uid(33) do + its('username') { should eq 'www-data' } + its('count') { should eq 1 } + end pip From dc1959327ff73ec2c84766adbc894d24cb610e0c Mon Sep 17 00:00:00 2001 
From: Christoph Hartmann Date: Sat, 31 Oct 2015 17:49:41 +0100 Subject: [PATCH 09/14] update description for passwd docs --- docs/resources.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/resources.rst b/docs/resources.rst index 59aff7f85..c32ef21ad 100644 --- a/docs/resources.rst +++ b/docs/resources.rst @@ -2988,7 +2988,7 @@ A ``passwd`` |inspec resource| block declares one (or more) users and associated its('matcher') { should eq 0 } end - describe passwd.uid(userid) do + describe passwd.uid(filter) do its(:username) { should eq 'root' } its(:count) { should eq 1 } end @@ -2996,7 +2996,7 @@ A ``passwd`` |inspec resource| block declares one (or more) users and associated where * ``gids``, ``passwords``, ``uids``, and ``usernames`` are valid matchers for ``passwd`` -* ``userid`` is a filter for a specific uid +* ``filter`` is a filter for a specific uid * ``count``, ``uid``, ``username`` are valid matchers for ``passwd.uid(userid)`` From d44a9173855dff3d233de0e640661c7bdfb144ed Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Sat, 31 Oct 2015 17:49:58 +0100 Subject: [PATCH 10/14] update port description --- docs/resources.rst | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/docs/resources.rst b/docs/resources.rst index c32ef21ad..471cd89c1 100644 --- a/docs/resources.rst +++ b/docs/resources.rst @@ -3179,7 +3179,7 @@ A ``port`` |inspec resource| block declares a port, and then depending on what n its('process') {should eq 'syslog'} end -where the ``syslog`` process is tested to see if it's listening on port 514. +where the ``process`` returns the process listening on port 514. Matchers ----------------------------------------------------- 
@@ -3193,22 +3193,6 @@ The ``be_listening`` matcher tests if the port is listening for traffic: it { should be_listening } -be_listening.with() -+++++++++++++++++++++++++++++++++++++++++++++++++++++ -The ``be_listening`` matcher can also test if the port is listening for traffic over a specific protocol or on local binding address. Use ``.with()`` to specify a protocol or local binding address. For example, a protocol: - -.. code-block:: ruby - - it { should be_listening.with('tcp') } - -A local binding address: - - it { should be_listening.with('127.0.0.1:631') } - -A protocol and a local binding address: - - it { should be_listening.with('tcp', '127.0.0.1:631') } - pid +++++++++++++++++++++++++++++++++++++++++++++++++++++ The ``pid`` matcher tests the process identifier (PID): @@ -3261,7 +3245,7 @@ The following examples show how to use this InSpec audit resource. its('protocol') {should eq 'tcp6'} end -**Test ports for SSL, then verify ciphers** +**Test ports for HTTPs** .. code-block:: ruby @@ -3274,10 +3258,6 @@ The following examples show how to use this InSpec audit resource. its('protocol') {should eq 'tcp'} end - describe sshd_conf do - its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') } - end - postgres_conf ===================================================== Use the ``postgres_conf`` |inspec resource| to test the contents of the configuration file for |postgresql|, typically located at ``/etc/postgresql//main/postgresql.conf`` or ``/var/lib/postgres/data/postgresql.conf``, depending on the platform. From 4e1029f65fac357a9d5578f59bf60de86e61f30b Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Sat, 31 Oct 2015 18:15:10 +0100 Subject: [PATCH 11/14] update postgres and script docs --- docs/resources.rst | 74 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 51 insertions(+), 23 deletions(-) diff --git a/docs/resources.rst b/docs/resources.rst index 471cd89c1..cef4c4816 100644 
--- a/docs/resources.rst +++ b/docs/resources.rst @@ -3277,7 +3277,7 @@ A ``postgres_conf`` |inspec resource| block declares one (or more) settings in t where * ``'setting'`` specifies a setting in the ``postgresql.conf`` file -* ``('path')`` is the non-default path to the ``postgresql.conf`` file +* ``('path')`` is the non-default path to the ``postgresql.conf`` file (optional) * ``should eq 'value'`` is the value that is expected Matchers @@ -3395,9 +3395,7 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby - sql = postgres_session('my_user', 'password') - - describe sql.query('SELECT count (*) + describe postgres_session('my_user', 'password').query('SELECT count (*) FROM pg_language WHERE lanpltrusted = 'f' AND lanname!='internal' @@ -3493,9 +3491,13 @@ A ``registry_key`` |inspec resource| block declares the item in the |windows| re its('name') { should eq 'value' } end + describe registry_key('path\to\key') do + its('name') { should eq 'value' } + end + where -* ``'registry_item'`` is a key in the |windows| registry +* ``'registry_item'`` is a key in the |windows| registry (optional) * ``'path\to\key'`` is the path in the |windows| registry * ``('name')`` and ``'value'`` represent the name of the key and the value assigned to that key 
@@ -3538,44 +3540,70 @@ A ``script`` |inspec resource| block declares a script to be tested, and then a .. code-block:: ruby - describe script do - its('script_name') { should include 'command' } + script = <<-EOH + # you powershell script + EOH + + describe script(script) do + its('matcher') { should eq 'output' } end -.. -.. where -.. -.. * ``xxxxx`` must specify xxxxx -.. * xxxxx -.. * ``xxxxx`` is a valid matcher for this InSpec audit resource -.. + +where + +* ``'script'`` must specify a Powershell script to be run +* ``'matcher'`` is one of ``exit_status``, ``stderr``, or ``stdout`` +* ``'output'`` tests the output of the command run on the system versus the output value stated in the test + Matchers ----------------------------------------------------- This InSpec audit resource has the following matchers. -script_name +exit_status +++++++++++++++++++++++++++++++++++++++++++++++++++++ -The ``script_name`` matcher tests the named script against the value specified by the test: +The ``exit_status`` matcher tests the exit status for the command: .. code-block:: ruby - its('script_name') { should include 'Part-Of -Script' } + its('exit_status') { should eq 123 } + +stderr ++++++++++++++++++++++++++++++++++++++++++++++++++++++ +The ``stderr`` matcher tests results of the command as returned in standard error (stderr): + +.. code-block:: ruby + + its('stderr') { should eq 'error' } + +stdout ++++++++++++++++++++++++++++++++++++++++++++++++++++++ +The ``stdout`` matcher tests results of the command as returned in standard output (stdout): + +.. code-block:: ruby + + its('stdout') { should eq '/^1$/' } Examples ----------------------------------------------------- The following examples show how to use this InSpec audit resource. -.. stoopid test below; probably need a better one - -**Test that user Grantmc belongs to the Active Directory object** +**Test for PostgreSQL database running a RC, but no development, or beta release** .. 
code-block:: ruby - describe script do - its('ADObject') { should include 'Get-ADPermission -Identity Grantmc' } - end + script = <<-EOH + # find user + $user = Get-WmiObject Win32_UserAccount -filter "Name = 'Administrator'" + # get related groups + $groups = $user.GetRelated('Win32_Group') | Select-Object -Property Caption, Domain, Name, LocalAccount, SID, SIDType, Status + $groups | ConvertTo-Json + EOH + + describe script('psql -V') do + its('stdout') { should_not eq '' } + end security_policy From ad73a606ff17cb9254af5d0ff7f85cc703818f7e Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Sat, 31 Oct 2015 18:27:55 +0100 Subject: [PATCH 12/14] update script and ssh docs --- docs/resources.rst | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/resources.rst b/docs/resources.rst index cef4c4816..a6b54d96d 100644 --- a/docs/resources.rst +++ b/docs/resources.rst @@ -3588,12 +3588,11 @@ Examples ----------------------------------------------------- The following examples show how to use this InSpec audit resource. -**Test for PostgreSQL database running a RC, but no development, or beta release** +**Get all groups of Administrator user** .. code-block:: ruby - - script = <<-EOH + myscript = <<-EOH # find user $user = Get-WmiObject Win32_UserAccount -filter "Name = 'Administrator'" # get related groups @@ -3601,7 +3600,7 @@ The following examples show how to use this InSpec audit resource. $groups | ConvertTo-Json EOH - describe script('psql -V') do + describe script(myscript) do its('stdout') { should_not eq '' } end 
@@ -3743,7 +3742,7 @@ The following examples show how to use this InSpec audit resource. ssh_config ===================================================== -Use the ``ssh_config`` |inspec resource| to test |openssh| |ssh| client configuration data located at ``etc/ssh/ssh_config`` on |linux| and |unix| platforms. +Use the ``ssh_config`` |inspec resource| to test |openssh| |ssh| client configuration data located at ``/etc/ssh/ssh_config`` on |linux| and |unix| platforms. **Stability: Experimental** @@ -3779,7 +3778,7 @@ or: .. code-block:: ruby - it's('name') { should include('bar') } + its('name') { should include('bar') } Examples ----------------------------------------------------- @@ -3790,7 +3789,7 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby describe ssh_config do - its('cipher') { should eq '3des' } + its('cipher') { should contain '3des' } its('port') { should '22' } its('hostname') { should include('example.com') } end @@ -3799,7 +3798,9 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby - return unless command('ssh').exist? + only_if do + command('sshd').exist? or command('ssh').exists? + end describe ssh_config do its('SendEnv') { should include('GORDON_CLIENT') } From ee3e56adae18d0db286f1c39867bcc18b2d487be Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Sat, 31 Oct 2015 20:46:12 +0100 Subject: [PATCH 13/14] update ssh docs --- docs/resources.rst | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/docs/resources.rst b/docs/resources.rst index a6b54d96d..8269900ca 100644 --- a/docs/resources.rst +++ b/docs/resources.rst 
@@ -3829,7 +3829,7 @@ The following examples show how to use this InSpec audit resource. sshd_config ===================================================== -Use the ``sshd_config`` |inspec resource| to test configuration data for the |openssh| daemon located at ``etc/ssh/sshd_config`` on |linux| and |unix| platforms. sshd---the |openssh| daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command executation, and data exchanges. +Use the ``sshd_config`` |inspec resource| to test configuration data for the |openssh| daemon located at ``/etc/ssh/sshd_config`` on |linux| and |unix| platforms. sshd---the |openssh| daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command executation, and data exchanges. **Stability: Experimental** @@ -3875,8 +3875,6 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby - return unless command('sshd').exist? - describe sshd_config do its('AcceptEnv') { should include('GORDON_SERVER') } end @@ -3885,8 +3883,6 @@ The following examples show how to use this InSpec audit resource. .. code-block:: ruby - return unless command('sshd').exist? - describe sshd_config do its('AddressFamily') { should eq 'inet6' } end @@ -3899,19 +3895,10 @@ The following examples show how to use this InSpec audit resource. its('Protocol') { should eq '2' } end -**Test ports for SSL, then verify ciphers** +**Test ciphers** .. code-block:: ruby - describe port(80) do - it { should_not be_listening } - end - - describe port(443) do - it { should be_listening } - its('protocol') {should eq 'tcp'} - end - describe sshd_config do its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') } end 
@@ -4135,8 +4122,6 @@ The ``be_installed`` matcher tests if the named |windows| feature is installed: it { should be_installed } -If the feature is installed, the ``Get-WindowsFeature`` cmdlet is run and the name, display name, description, and install state is returned as a |json| object. - Examples ----------------------------------------------------- The following examples show how to use this InSpec audit resource. From 4c3dce0aec8737ce36ab2861e7a2a5c6a46ba63d Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Mon, 2 Nov 2015 01:56:51 +0100 Subject: [PATCH 14/14] fix key-files option in docs --- docs/ctl_inspec.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ctl_inspec.rst b/docs/ctl_inspec.rst index c3a603d3d..e8e4ba0c7 100644 --- a/docs/ctl_inspec.rst +++ b/docs/ctl_inspec.rst @@ -17,7 +17,7 @@ The following options may be used with any of the InSpec CLI subcommands: ``--host`` The remote host to be tested. -``--key_files`` +``--key-files`` The login key or certificate file required for remote scanning. ``--password``
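Review bot: in the ``standalone_comments`` text of hunk @@ -2902,51 +2896,45 @@ (docs/resources.rst), the new sentence "to parse comments as a line , otherwise inline comments are allowed" never says which setting produces the first example; only the second one is labelled ``standalone_comments: false``. State ``standalone_comments: true`` explicitly for the first block and drop the stray space before the comma. The example shows the practical effect: with that setting the trailing ``# comment`` becomes part of the value, so a test written as ``should eq 'value'`` will not match. The ``multiple_values`` text above has the same gap (only the ``false`` case is named), and the doubled ``# #`` in "# # file structure:" looks unintended.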
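Review bot: the new syntax block in hunk @@ -3000,22 +2988,22 @@ uses symbol arguments, ``its(:username)`` and ``its(:count)``, while every other block in this section, including the examples added later in the same patch, uses strings (``its('username')``). Pick the string form here too so readers do not have to wonder whether the two behave differently.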
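Review bot: the rewritten example in hunk @@ -3087,11 +3080,11 @@ expects integers, ``its('uids') { should eq [0, 33] }``, but the ``uids`` matcher description a few hunks earlier (unchanged context) expects strings, ``should eq ['1234', '1235']``. One of the two is wrong for an ``eq`` comparison; make the docs agree on the type the resource returns. The new bold title also has a typo: "occurances" should be "occurrences".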
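Review bot: PATCH 09/14 renames the placeholder to ``filter`` in the code block and in the second bullet, but the third bullet in hunk @@ -2996,7 +2996,7 @@ still reads "valid matchers for ``passwd.uid(userid)``", and the heading "Matchers for ``passwd.uid(userid)``" added in the previous patch is not touched either. Rename all of them in the same commit so the placeholder is consistent.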
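Review bot: hunk @@ -3193,22 +3193,6 @@ of PATCH 10/14 deletes the whole ``be_listening.with()`` section, and the commit message ("update port description") gives no reason. If ``.with()`` is not supported, say so in the message and point readers at what replaces it; the examples further down already use ``its('protocol')``, but nothing remaining shows how to assert the local binding address, which is the check people want when verifying that a service listens on ``127.0.0.1`` only.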
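Review bot: the query in hunk @@ -3395,9 +3395,7 @@ of PATCH 11/14 is still a single-quoted Ruby string that contains single quotes (``lanpltrusted = 'f'`` and ``lanname!='internal'``), so the literal ends at the first inner quote and the example does not parse. Since this line is being rewritten anyway, wrap the SQL in double quotes or a heredoc.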
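Review bot: in the ``script`` section of hunk @@ -3540,44 +3540,70 @@, ``its('stdout') { should eq '/^1$/' }`` compares stdout against the literal string ``/^1$/`` rather than matching a pattern; if a regular expression is intended, use ``should match /^1$/``. Two smaller points in the same hunk: the syntax block assigns a local variable named ``script`` and then calls ``script(script)``, which is hard to read (PATCH 12/14 renames it to ``myscript`` in the example but leaves the syntax block as is), and the placeholder comment "# you powershell script" should read "your PowerShell script".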
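Review bot: hunk @@ -3790,7 +3789,7 @@ of PATCH 12/14 switches the example to ``should contain '3des'``, but the matcher description just above it documents ``should include('bar')`` and no ``contain`` matcher is described for this resource; use ``include`` unless ``contain`` is documented somewhere. The next line in the same block, ``its('port') { should '22' }``, has no matcher at all and needs ``eq``.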
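Review bot: the new guard in hunk @@ -3799,7 +3798,9 @@ spells the predicate two ways, ``command('sshd').exist?`` and ``command('ssh').exists?``; the line it replaces used ``exist?``, so ``exists?`` looks like a typo that would fail at run time. It is also worth explaining why an ``ssh_config`` (client) example should run when only ``sshd`` is present.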
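Review bot: the line rewritten in hunk @@ -3829,7 +3829,7 @@ of PATCH 13/14 fixes the path to ``/etc/ssh/sshd_config`` but carries the typo "command executation" over unchanged; correct it to "command execution" while the line is being touched.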
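Review bot: hunks @@ -3875,8 +3875,6 @@ and @@ -3885,8 +3883,6 @@ drop ``return unless command('sshd').exist?`` from the ``sshd_config`` examples without a replacement, one commit after PATCH 12/14 introduced an ``only_if`` guard for the ``ssh_config`` example. If the intent is to move away from ``return unless``, convert these to ``only_if`` as well; otherwise the docs show guarded client checks and unguarded daemon checks with no explanation of what happens on a host without ``sshd``.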