---
title: About the etc_hosts_deny Resource
---

# etc_hosts_deny

Use the `etc_hosts_deny` InSpec audit resource to test rules set to reject daemon and client traffic set in /etc/hosts.deny.

## Syntax

An etc/hosts.deny rule specifies one or more daemons mapped to one or more clients,
with zero or more options to use to reject traffic when found.

## Syntax

Use the where clause to match a property to one or more rules in the hosts.deny file.

    describe etc_hosts_deny.where { daemon == 'value' } do
      its ('client_list') { should include ['values'] }
      its ('options') { should include ['values'] }
    end

Use the optional constructor parameter to give an alternative path to hosts.deny

    describe etc_hosts_deny(hosts_path).where { daemon == 'value' } do
      its ('client_list') { should include ['values'] }
      its ('options') { should include ['values'] }
    end

where

* `daemon` is a daemon that will be rejected to pass traffic in.
* `client_list` is a list of clients will be rejected to pass traffic in.
* `options` is a list of tasks that to be done with the rule when traffic is found.

## Supported Properties

    'daemon', 'client_list', 'options'

## Property Examples and Return Types

### daemon

`daemon` returns a string containing the daemon that is allowed in the rule.

    describe etc_hosts_deny.where { client_list == ['127.0.1.154',  '[:fff:fAb0::]'] } do
      its('daemon') { should eq ['vsftpd', 'sshd'] }
    end

### client_list

`client_list` returns a 2d string array where each entry contains the clients specified for the rule.

    describe etc_hosts_deny.where { daemon == 'sshd' } do
      its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
    end

### options

`options` returns a 2d string array where each entry contains any options specified for the rule.

    describe etc_hosts_deny.where { daemon == 'sshd' } do
      its('options') { should include ['deny', 'echo "REJECTED"'] }
    end