Merge pull request #4314 from inspec/ja/add-shadow-example

Add SHA512 password example to `shadow` resource
2024-11-23 05:03:07 +00:00 · 2019-07-26 11:48:44 -07:00 · 2019-07-26 11:48:44 -07:00 · e88468736a
commit e88468736a
parent 33d8eb15e5 74f0e7cf0e
1 changed files with 12 additions and 0 deletions
--- a/docs/resources/shadow.md.erb
+++ b/docs/resources/shadow.md.erb
@ -87,6 +87,18 @@ Use `where` to match any of the supported [filter criteria](#filter_criteria). `
      its('users') { should be_empty }
    end

+Use `where` with [expect syntax](https://www.inspec.io/docs/reference/profiles/#should-vs-expect-syntax) to show all users (that aren't disabled or locked) without SHA512 hashed passwords.
+
+    # Users with password fields that are not *, !, or don't begin with $6$
+    bad_users = inspec.shadow.where { password !~ /^[*!]$|^\$6\$.*/ }.users
+
+    describe 'Password hashes in /etc/shadow' do
+      it 'should only contain SHA512 hashes' do
+        message = "Users without SHA512 hashes: #{bad_users.join(', ')}"
+        expect(bad_users).to be_empty, message
+      end
+    end
+
 <br>

 ## Properties