Updated docs as per review comments

Signed-off-by: Vasu1105 <vasundhara.jagdale@chef.io>
Vasu1105 2021-04-26 12:37:18 +05:30
parent a09fb159d3
commit ecf60297b2
2 changed files with 41 additions and 36 deletions


@ -11,9 +11,9 @@ platform = "linux"
parent = "inspec/resources/os" parent = "inspec/resources/os"
+++ +++
Use the `selinux` Chef Inspec audit resource to test the configuration data of the SELinux policy, SELinux modules and SELinux booleans. Use the `selinux` Chef InSpec audit resource to test the configuration data of the SELinux policy, SELinux modules and SELinux booleans.
The `selinux` resource extracts and exposes data reported by the `sestatus`, `semodule -lfull`and `semanage boolean -l -n` command. The `selinux` resource extracts and exposes data reported by the `sestatus`, `semodule -lfull`, and `semanage boolean -l -n` command.
## Availability ## Availability
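Review bot: The rewritten sentence about the data source still ends in the singular `command` after listing three of them (`sestatus`, `semodule -lfull`, `semanage boolean -l -n`); make it `commands`. The `Inspec` to `InSpec` correction in the sentence above it is right.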
@ -36,7 +36,7 @@ The `selinux` Chef InSpec resource block tests the state and mode of SELinux pol
it { should_not be_permissive } it { should_not be_permissive }
end end
The `selinux` resource block also declares allows you to write test for many modules: The `selinux` resource block also allows you to write tests for multiple modules:
describe selinux.modules.where("zebra") do describe selinux.modules.where("zebra") do
it { should exist } it { should exist }
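Review bot: `selinux.modules.where("zebra")` passes a bare string to `.where()`, while every other example on the page passes a hash (`where(status: "installed")`, `where(name: "httpd_enable_homedirs")`) and the parameter list that follows names `name` as the key to filter on. Unless the bare-string form has been verified to filter, change this to `selinux.modules.where(name: "zebra")` so the example matches the documented `.where()` usage.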
@ -45,31 +45,32 @@ The `selinux` resource block also declares allows you to write test for many mod
end end
or: or:
describe selinux.modules.where(status: "installed") do describe selinux.modules.where(status: "installed") do
it { should exist } it { should exist }
its('count') { should cmp 404 } its('count') { should cmp 404 }
end end
where where:
- `.where()` may specify a specific item and value, to which the resource parameters are compared - `.where()` specifies the parameter and expected value.
- `name`, `status`, `state`, `priority` are valid parameters for `modules` - `name`, `status`, `state`, and `priority` are valid parameters.
The `selinux` resource block also declares allows you to write test for many booleans: The `selinux` resource block also allows you to write tests for multiple booleans:
describe selinux.booleans.where(name: "httpd_enable_homedirs") do describe selinux.booleans.where(name: "httpd_enable_homedirs") do
it { should_not be_on } it { should_not be_on }
end end
or: or:
describe selinux.booleans.where(name: "xend_run_blktap", state: "on") do describe selinux.booleans.where(name: "xend_run_blktap", state: "on") do
it { should exist } it { should exist }
its('defaults') { should cmp "on" } its('defaults') { should cmp "on" }
end end
- `.where()` may specify a specific item and value, to which the resource parameters are compared - `.where()` specifies the parameter and expected value.
- `name`, `state`, `default` are valid parameters for `booleans` - `name`, `state`, and `default` are valid parameters for `booleans`.
## Examples ## Examples
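Review bot: `its('count') { should cmp 404 }` hard-codes a module count taken from one particular system, so a reader who copies the control will almost certainly see it fail elsewhere; either say in the surrounding text that the number is illustrative or drop the exact comparison (the `should exist` line above it already covers the non-empty case). Separately, the first `.where()` bullet list lost its `for modules` qualifier in this change while the booleans list kept `for booleans`; keep the qualifier on both or on neither.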
@ -77,22 +78,23 @@ The following examples show how to use this Chef InSpec selinux resource.
### Test if SELinux is installed and enabled ### Test if SELinux is installed and enabled
describe selinux do describe selinux do
it { should be_installed } it { should be_installed }
it { should_not be_disabled } it { should_not be_disabled }
end end
### Test if SELinux is enabled and running in enforcing mode ### Test if SELinux is enabled and running in enforcing mode
describe selinux do describe selinux do
it { should_not be_disabled } it { should_not be_disabled }
it { should be_enforcing } it { should be_enforcing }
end end
### Test if selinux policy type ### Test the selinux policy type
describe selinux do
its('policy') { should eq "targeted"} describe selinux do
end its('policy') { should eq "targeted"}
end
## Matchers ## Matchers
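Review bot: The new heading `### Test the selinux policy type` writes `selinux` in lowercase while the two headings above it use `SELinux`; use `SELinux` here as well. In the block beneath it, `{ should eq "targeted"}` is missing the space before the closing brace that every other example uses (`{ should be_enforcing }`).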
@ -100,7 +102,7 @@ For a full list of available matchers, please visit our [matchers page](/inspec/
### be_installed ### be_installed
The `be_installed` matcher tests if the SElinux policy or SElinux modules is installed on the system: The `be_installed` matcher tests if the SElinux policy or SElinux modules are installed on the system:
it { should be_installed } it { should be_installed }
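Review bot: The rewritten `be_installed` sentence still spells the product `SElinux` twice, even though the second file in this same commit changes `"SElinux modules"` to `"SELinux modules"`; change both occurrences to `SELinux` so the docs match the resource's own strings.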
@ -136,29 +138,31 @@ The `be_enabled` matcher tests if the SElinux module is enabled:
## Resource Parameters ## Resource Parameters
- `names`, `status`, `states`, `priorities`, are valid parameters for SELinux `modules` - `names`, `status`, `states`, and `priorities` are valid parameters for SELinux policy modules.
- `names`, `status`, `states`, `defaults`, are valid parameters for SELinux `booleans` - `names`, `status`, `states`, and `defaults` are valid parameters for SELinux `booleans`.
## Resource Parameter Examples ## Resource Parameter Examples
### modules ### modules
`modules` returns the information about SELinux modules as returned by [semodule -lfull](https://man7.org/linux/man-pages/man8/semodule.8.html). `modules` returns information about SELinux modules using the [semodule -lfull](https://man7.org/linux/man-pages/man8/semodule.8.html) command.
Note: The `semodule -l` command does not provide `version` information in newer versions of Linux based systems like RHEL8 and Centos8 so we are not supporting that option [REF](https://access.redhat.com/solutions/2760071). Note: The `semodule -l` command [does not provide version information](https://access.redhat.com/solutions/2760071) for newer versions of Linux-based systems like RHEL8 and Centos8, so we do not support that option.
```ruby
describe selinux.modules do describe selinux.modules do
its("names") { should include "zebra" } its("names") { should include "zebra" }
its("status") { should include "installed" } its("status") { should include "installed" }
its("states") { should include "enabled" } its("states") { should include "enabled" }
its("priorities") { should include "100" } its("priorities") { should include "100" }
end end
```
### booleans ### booleans
`booleans` returns the information about SELinux booleans as returned by [semanage boolean -l -n](https://man7.org/linux/man-pages/man8/semanage-boolean.8.html) `booleans` returns information about SELinux booleans using the [semanage boolean -l -n](https://man7.org/linux/man-pages/man8/semanage-boolean.8.html) command.
```ruby
describe selinux.booleans do describe selinux.booleans do
its("names") { should include "httpd_enable_homedirs" } its("names") { should include "httpd_enable_homedirs" }
its("states") { should include "on" } its("states") { should include "on" }
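Review bot: `parameters` now names two different things: the singular `name`/`status`/`state`/`priority` keys accepted by `.where()` earlier on the page, and the plural `names`/`status`/`states`/`priorities` values read through `its(...)` in the `## Resource Parameters` bullets here. Calling the plural ones `properties` would remove that ambiguity. Also, the first bullet says `SELinux policy modules` while the second says `SELinux booleans` in code font; pick one style for both, and `Centos8` in the note should be `CentOS 8`.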
@ -166,3 +170,4 @@ describe selinux.booleans do
its("defaults") { should include "on" } its("defaults") { should include "on" }
its("defaults") { should include "off" } its("defaults") { should include "off" }
end end
```


@ -20,7 +20,7 @@ module Inspec::Resources
end end
def to_s def to_s
"SElinux modules" "SELinux modules"
end end
end end
@ -40,7 +40,7 @@ module Inspec::Resources
end end
def to_s def to_s
"SElinux booleans" "SELinux booleans"
end end
end end
@ -48,7 +48,7 @@ module Inspec::Resources
name "selinux" name "selinux"
supports platform: "linux" supports platform: "linux"
desc "Use selinux Chef Inspec resource to test the configuration data of the selinux policy, selinux modules and selinux booleans." desc "Use the selinux Chef InSpec resource to test the configuration data of the SELinux policy, SELinux modules, and SELinux booleans."
example <<~EXAMPLE example <<~EXAMPLE
describe selinux do describe selinux do