
Resources

audit_policy

Check Microsoft Windows Audit Policies:

describe audit_policy do
  its('Other Account Logon Events') { should_not eq 'No Auditing' }
end

etc_group

Parse the /etc/group file:

etc_group     # uses /etc/group

You can also specify the file's location:

etc_group('/etc/group')

:gids

Access all group IDs:

describe etc_group do
  its('gids') { should_not contain_duplicates }
end

:groups

Access all group names:

describe etc_group do
  its('groups') { should include 'my_user' }
end

:users

Access the members of a group (here the group named `my_user`, selected with `where`):

describe etc_group.where(name: 'my_user') do
  its('users') { should include 'my_user' }
end

:where

Filter the list of groups. Filter choices are name for the group name, gid for a group ID (a number), password, and users.

describe etc_group.where(name: 'my_user') do
  its('users') { should include 'my_user' }
end

group_policy

Test Microsoft Windows Group Policies:

describe group_policy('Local Policies\Security Options') do
  its('Network access: Restrict anonymous access to Named Pipes and Shares') { should eq 1 }
end

inetd_conf

Test inetd config files:

describe inetd_conf do
  # Each entry must be absent (nil) from inetd.conf, i.e. the service is not offered.
  # NOTE(review): these keys look like the Berkeley r-service entries
  # (rsh/rlogin/rexec), which transmit credentials in cleartext — confirm
  # against the target's inetd.conf before relying on this list alone.
  its('shell') { should eq nil }
  its('login') { should eq nil }
  its('exec') { should eq nil }
end

You can also specify a custom config path:

inetd_conf('/path/to/inetd.conf')

limits_conf

Test Linux-based /etc/security/limits.conf:

describe limits_conf do
  its('*') { should include ['hard','core','0'] }
end

You can also specify a custom path:

limits_conf('/path/to/limits.conf')

login_def

Test Linux-based /etc/login.defs:

describe login_def do
  # Default file-creation mask for new logins; 077 is the owner-only mask
  # (no group/other permissions on newly created files).
  its('UMASK') { should eq '077' }

  # Maximum password age. login.defs values are read as strings, so coerce
  # to an integer before the numeric comparison.
  its('PASS_MAX_DAYS.to_i') { should be <= 90 }
end

mysql_conf

!!! warning "Difference to Serverspec"
    This resource does not behave exactly like its Serverspec counterpart; see the Serverspec resource reference for a comparison.

Test default MySQL and MariaDB configuration files:

mysql_conf

You can also specify the configuration path:

mysql_conf('/etc/mysql/my.cnf')

:params

Retrieve parameters in a group and test them. In this example, we take a look at the safe-user-create parameter, which is in the mysqld group.

describe mysql_conf.params('mysqld') do
  its('safe-user-create') { should eq('1') }
end

mysql_session

Run commands on a MySQL server and test their output. The session is opened with a username and password; avoid hard-coding real credentials in a profile that is committed to version control:

sql = mysql_session('my_user','password')

:describe

All tests are structured with the describe command:

sql.describe('show databases like \'test\';') do
  its(:stdout) { should_not match(/test/) }
end

ntp_conf

Test NTP configuration files:

describe ntp_conf do
  its('server') { should_not eq nil }
  its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
end

os_env

Test environment variables:

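describe os_env('PATH') do
  # An empty PATH element is treated as the current working directory, and an
  # explicit '.' has the same effect: either lets a program in an
  # attacker-writable directory shadow a real binary. Reject both.
  its(:split) { should_not include('') }
  its(:split) { should_not include('.') }
end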

parse_config

Parse and test arbitrary configuration strings:

output = command('useradd -D').stdout
describe parse_config(output) do
  its('INACTIVE.to_i') { should be >= 35 }
end

You can configure the way in which config data is parsed:

describe parse_config(data, { multiple_values: true }) do
  its('users') { should include 'bob'}
end

The following options are supported:

{
  # A regular expression which determines
  # an assignment from key to value
  # This example would match 'key = value'
  assignment_re: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/,

  # How many values a key contains;
  # e.g. key = a b c
  #      would contain 3 values
  key_vals: 1,

  # What is identified as a comment.
  comment_char: '#',

  # Determine if comments must always be
  # in a separate line. Examples:
  # set to false:   'key = value # comment'
  #   results to:   params['key'] = 'value'
  # set to true:    'key = value # comment'
  #   results to:   params['key'] = 'value # comment'
  standalone_comments: false,

  # Configure if multiple values are possible
  # for each key. Examples:
  # set to true:   'key = a' and 'key = b'
  #  results to:   params['key'] = ['a', 'b']
  # set to false:  'key = a' and 'key = b'
  #  results to:   params['key'] = 'b'
  multiple_values: false
}

parse_config_file

Parse and test arbitrary configuration files:

describe parse_config_file('/path/to/file.conf') do
  its('PARAM_X') { should eq 'Y' }
end

Options are configured the same way as for parse_config:

describe parse_config_file('/path/to/file.conf', { multiple_values: true }) do
  its('PARAM_X') { should include 'Y' }
end

passwd

Test /etc/passwd:

describe passwd(0) do
  its(:username) { should eq 'root' }
  its(:count) { should eq 1 }
end

postgres_conf

Test default PostgreSQL configuration files:

postgres_conf

You can also specify the configuration path:

postgres_conf('/var/lib/pgsql/data/postgresql.conf')

:params

Retrieve parameters and test them:

describe postgres_conf.params do
  it { should include('log_disconnections' => 'on') }
end

postgres_session

Run commands on a PostgreSQL server and test their output. As with mysql_session, the session is opened with a username and password; avoid hard-coding real credentials in a committed profile:

sql = postgres_session('my_user','password')

:describe

All tests are structured with the describe command:

# Every row returned is a role whose password column is NULL; the test
# expects no such roles, i.e. an empty result.
sql.describe('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
  its('output') { should eq('') }
end

processes

Check the list of running programs and test it:

describe processes('mysqld') do
  its('list.length') { should be(1) }
end

registry_key

This resource allows you to test Windows Registry keys by checking the resulting values:

describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule') do
  its('Start') { should eq 2 }
end

ssh_config

Test default OpenSSH configuration files:

ssh_config     # /etc/ssh/ssh_config
sshd_config    # /etc/ssh/sshd_config

Parse custom SSH client and server configuration files:

client = ssh_config('/path/to/ssh_config')
server = sshd_config('/path/to/sshd_config')

Usage:

describe sshd_config do
  its('Protocol') { should eq('2') }
end

security_policy

Test Microsoft Windows Security Policies:

describe security_policy do
  # verifies that only the 'Administrators' group has remote access
  its('SeRemoteInteractiveLogonRight') { should eq '*S-1-5-32-544' }
end