inspec/docs
2016-03-28 00:48:15 +02:00
..
ctl_inspec.rst Updated documentation and examples to include tags and references 2016-03-27 12:40:34 -04:00
dsl_inspec.rst document tags and refs 2016-03-25 00:58:27 +01:00
dsl_resource.rst add doc links 2016-01-25 12:44:48 -05:00
inspec_and_friends.rst fix errors introduced in #593 2016-03-28 00:48:15 +02:00
matchers.rst add matchers docs 2016-02-18 13:58:46 +01:00
profiles.rst add doc code formatting 2016-01-25 12:44:48 -05:00
readme.rst fix errors introduced in #593 2016-03-28 00:48:15 +02:00
resources.rst rename script to powershell 2016-03-18 15:41:54 +01:00
template.rst split resources and template 2015-10-20 17:57:36 +02:00

=====================================================
InSpec Documentation
=====================================================

InSpec a collection of resources and matchers to test the compliance of your nodes. This documentation provides an introduction to this mechanism and shows how to write custom tests.

Introduction
-----------------------------------------------------

At first, we add our tests to the ``test`` folder. Each test file must end with ``_spec.rb``:

.. code-block:: bash

    mkdir test
    touch test/example_spec.rb

We add a control to this file, to check the ``/tmp`` path in our system:

.. code-block:: ruby

  # encoding: utf-8

  control "cis-fs-2.1" do                     # A unique ID for this control
    impact 0.7                                # The criticality, if this control fails.
    title "Create separate /tmp partition"    # A human-readable title
    desc "An optional description..."
    tag mygroup: "tag"                        # A tag can be a simple value or
    tag "tag"                                 # can have a more complex key/value pair.
    ref "name", url: "http://..."              # A reference to a document, uri: is optional
    describe file('/tmp') do                  # The actual test
      it { should be_mounted }
    end
  end


Let's add another spec for checking the SSH server configuration:

.. code-block:: bash

    touch test/sshd_spec.rb

It will contain:

.. code-block:: ruby

  # encoding: utf-8

  # Skip all controls, if SSH doesn't exist on the system
  only_if do
    command('sshd').exist?
  end

  control "sshd-11" do
    impact 1.0
    title "Server: Set protocol version to SSHv2"
    desc "Set the SSH protocol version to 2. Don't use legacy
          insecure SSHv1 connections anymore."
    tag security: "openssh-server"
    ref "Document A-12"

    describe sshd_config do
      its('Protocol') { should eq('2') }
    end
  end

  control "sshd-7" do
    impact 1.0
    title "Server: Do not permit root-based login with password."
    desc "To reduce the potential to gain full privileges
          of a system in the course of an attack (by either misconfiguration
          or vulnerabilities), do not allow login as root with password"
    tag security: "openssh-server"
    ref "Document A-12"

    describe sshd_config do
      its('PermitRootLogin') { should match(/no|without-password/) }
    end
  end


Now, we are ready to run the tests locally:

bundle exec bin/inspec exec demo/test/example_spec.rb

.. code-block:: bash

  # run tests individually
  $ inspec exec test/example_spec.rb
  $ inspec exec test/sshd_spec.rb

  # if you want to run all test located within the directory
  $ inspec exec ./test


Stability Index
-----------------------------------------------------

Every available InSpec resource will indicate its stability. As InSpec matures, certain parts are more reliable than others. Brand new features are likely to be redesigned and marked as such.

The stability indices are as follows:

* ``Stability: Deprecated`` - This features will be removed in future versions, because its known for being problematic. Do not rely on it.
* ``Stability: Experimental`` - New features may change or are removed in future versions
* ``Stability: Stable`` - API is well established and proofed. Maintaining compatibility is a high priority
* ``Stability: Locked`` - Only security and performance fixes are allowed