mirror of
https://github.com/inspec/inspec
synced 2024-11-24 05:33:17 +00:00
9283f19b6e
Signed-off-by: David Wrede <dwrede@chef.io>
170 lines
4.7 KiB
Text
170 lines
4.7 KiB
Text
---
|
|
title: About the xinetd_conf Resource
|
|
---
|
|
|
|
# xinetd_conf
|
|
|
|
Use the `xinetd_conf` InSpec audit resource to test services under `/etc/xinet.d` on Linux and Unix platforms. xinetd---the extended Internet service daemon---listens on all ports, and then loads the appropriate program based on a request. The `xinetd.conf` file is typically located at `/etc/xinetd.conf` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
|
|
|
|
## Syntax
|
|
|
|
An `xinetd_conf` resource block declares settings found in a `xinetd.conf` file for the named service:
|
|
|
|
describe xinetd_conf('service_name') do
|
|
it { should be_enabled } # or be_disabled
|
|
its('setting') { should eq 'value' }
|
|
end
|
|
|
|
where
|
|
|
|
* `'service_name'` is a service located under `/etc/xinet.d`
|
|
* `('setting')` is a setting in the `xinetd.conf` file
|
|
* `should eq 'value'` is the value that is expected
|
|
|
|
|
|
## Matchers
|
|
|
|
This InSpec audit resource has the following matchers:
|
|
|
|
### be
|
|
|
|
<%= partial "/shared/matcher_be" %>
|
|
|
|
### be_enabed
|
|
|
|
The `be_enabled` matcher tests if a service listed under `/etc/xinet.d` is enabled:
|
|
|
|
it { should be_enabled }
|
|
|
|
### cmp
|
|
|
|
<%= partial "/shared/matcher_cmp" %>
|
|
|
|
### eq
|
|
|
|
<%= partial "/shared/matcher_eq" %>
|
|
|
|
### ids
|
|
|
|
The `ids` matcher tests if the named service is located under `/etc/xinet.d`:
|
|
|
|
its('ids') { should include 'service_name' }
|
|
|
|
For example:
|
|
|
|
its('ids') { should include 'chargen-stream chargen-dgram'}
|
|
|
|
### include
|
|
|
|
<%= partial "/shared/matcher_include" %>
|
|
|
|
### match
|
|
|
|
<%= partial "/shared/matcher_match" %>
|
|
|
|
### services
|
|
|
|
The `services` matcher tests if the named service is listed under `/etc/xinet.d`:
|
|
|
|
its('services') { should include 'service_name' }
|
|
|
|
### socket_types
|
|
|
|
The `socket_types` matcher tests if a service listed under `/etc/xinet.d` is configured to use the named socket type:
|
|
|
|
its('socket_types') { should eq 'socket' }
|
|
|
|
where `socket` is one of `dgram`, `raw`, or `stream`. For a UDP-based service:
|
|
|
|
its('socket_types') { should eq 'dgram' }
|
|
|
|
For a raw socket (such as a service using a non-standard protocol or a service that requires direct access to IP):
|
|
|
|
its('socket_types') { should eq 'raw' }
|
|
|
|
For a TCP-based service:
|
|
|
|
its('socket_types') { should eq 'stream' }
|
|
|
|
### types
|
|
|
|
The `types` matcher tests the service type:
|
|
|
|
its('type') { should eq 'TYPE' }
|
|
|
|
where `'TYPE'` is `INTERNAL` (for a service provided by xinetd), `RPC` (for a service based on remote procedure call), or `UNLISTED` (for services not under `/etc/services` or `/etc/rpc`).
|
|
|
|
### wait
|
|
|
|
The `wait` matcher tests how a service handles incoming connections.
|
|
|
|
For UDP (`dgram`) socket types the `wait` matcher should test for `yes`:
|
|
|
|
its('socket_types') { should eq 'dgram' }
|
|
its('wait') { should eq 'yes' }
|
|
|
|
For TCP (`stream`) socket types the `wait` matcher should test for `no`:
|
|
|
|
its('socket_types') { should eq 'stream' }
|
|
its('wait') { should eq 'no' }
|
|
|
|
## Examples
|
|
|
|
The following examples show how to use this InSpec audit resource.
|
|
|
|
### Test a socket_type
|
|
|
|
The network socket type: `dgram` (a datagram-based service), `raw` (a service that requires direct access to an IP address), `stream` (a stream-based service), or `seqpacket` (a service that requires a sequenced packet).
|
|
|
|
describe xinetd_conf.services('service_name') do
|
|
its('socket_types') { should include 'dgram' }
|
|
end
|
|
|
|
### Test a service type
|
|
|
|
The type of service: `INTERNAL` (a service provided by xinetd), `RPC` (an RPC-based service), `TCPMUX` (a service that is started on a well-known TPCMUX port), or `UNLISTED` (a service that is not listed in a standard system file location).
|
|
|
|
describe xinetd_conf.services('service_name') do
|
|
its('type') { should include 'RPC' }
|
|
end
|
|
|
|
### Test the telnet service
|
|
|
|
For example, a `telnet` file under `/etc/xinet.d` contains the following settings:
|
|
|
|
service telnet
|
|
{
|
|
disable = yes
|
|
flags = REUSE
|
|
socket_type = stream
|
|
wait = no
|
|
user = root
|
|
server = /usr/sbin/in.telnetd
|
|
log_on_failure += USERID
|
|
}
|
|
|
|
Some examples of tests that can be run against that file include:
|
|
|
|
describe xinetd_conf.services('telnet') do
|
|
it { should be_disabled }
|
|
end
|
|
|
|
and
|
|
|
|
describe xinetd_conf.services('telnet') do
|
|
its('socket_type') { should include 'stream' }
|
|
end
|
|
|
|
and
|
|
|
|
describe xinetd_conf.services('telnet') do
|
|
its('wait') { should eq 'no' }
|
|
end
|
|
|
|
All three settings can be tested in the same block as well:
|
|
|
|
describe xinetd_conf.services('telnet') do
|
|
it { should be_disabled }
|
|
its('socket_type') { should include 'stream' }
|
|
its('wait') { should eq 'no' }
|
|
end
|