module Inspec::Resources

copyright: 2015, Vulcano Security GmbH

Advanced Auditing: As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored.

reference: technet.microsoft.com/en-us/library/cc753632.aspx

use:

- list all categories: Auditpol /list /subcategory:* /r
- list parameters: Auditpol /get /category:"System" /subcategory:"IPsec Driver"
- list specific parameter: Auditpol /get /subcategory:"IPsec Driver"

@link: blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

Valid values are:

Further information is available at: msdn.microsoft.com/en-us/library/dd973859.aspx

Usage:

describe bridge('br0') do

it { should exist }
it { should have_interface 'eth0' }

end

Check for Chocolatey packages to be installed

Usage:

describe cpan('DBD::Pg') do

it { should be_installed }

end

Usage:

describe cran('DBI') do

it { should be_installed }

end

Parses a CSV document. This implementation was inspired by a blog post.

@see technicalpickles.com/posts/parsing-csv-with-ruby

circular: require “inspec/resource” but… already being included by inspec/resource.rb

Check for web applications in IIS.

Note: this is only supported in Windows 2012 and later

Check for site in IIS.

Usage:

describe iis_site('Default Web Site') do

it{ should exist }
it{ should be_running }
it{ should be_in_app_pool('Default App Pool') }
it{ should have_path('C:\\inetpub\\wwwroot\\DefaultWebSite') }
it{ should have_binding('https :443:www.contoso.com sslFlags=0') }
it{ should have_binding('net.pipe *') }

end

Note: this is only supported in Windows 2012 and later

Usage:

describe ip6tables do

it { should have_rule('-P INPUT ACCEPT') }

end

The following serverspec syntax is not implemented:

describe ip6tables do

it { should have_rule('-P INPUT ACCEPT').with_table('mangle').with_chain('INPUT') }

end

Please use the new syntax:

describe ip6tables(table:'mangle', chain: 'input') do

it { should have_rule('-P INPUT ACCEPT') }

end

Note: Docker containers normally do not have ip6tables installed

@see ipset.netfilter.org/ip6tables.man.html

Usage:

describe iptables do

it { should have_rule('-P INPUT ACCEPT') }

end

The following serverspec syntax is not implemented:

describe iptables do

it { should have_rule('-P INPUT ACCEPT').with_table('mangle').with_chain('INPUT') }

end

Please use the new syntax:

describe iptables(table:'mangle', chain: 'input') do

it { should have_rule('-P INPUT ACCEPT') }

end

Note: Docker containers normally do not have iptables installed

@see ipset.netfilter.org/iptables.man.html
@see www.frozentux.net/iptables-tutorial/iptables-tutorial.html

Usage:

describe login_def do

its('UMASK') {
  should eq '077'
}

its('PASS_MAX_DAYS.to_i') {
  should be <= 90
}

end

STABILITY: Experimental

This resource needs a proper interface to the underlying data, which is currently missing. Until it is added, we will keep it experimental.

TODO: Support it on Windows. To do so, we need to recognize the base os and how it combines the file path. Calling `File.join` or similar methods may lead to errors when running remotely.

This resource talks with OneGet (github.com/OneGet/oneget). It's part of Windows Management Framework 5.0 and part of Windows 10.

Usage:

describe oneget('zoomit') do

it { should be_installed }

end

Resource to determine package information

Usage:

describe package('nginx') do

it { should be_installed }

end

Usage:

describe pip('Jinja2') do

it { should be_installed }

end

TODO: currently we return local ip only
TODO: improve handling of same port on multiple interfaces

Three constructor methods are available:

  1. registry_key('path'):

describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule') do

its('Start') { should eq 2 }

end

  2. registry_key('name','path'):

describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule') do

its('Start') { should eq 2 }

end

  3. options hash

describe registry_key({

name: 'Task Scheduler',
hive: 'HKEY_LOCAL_MACHINE',
key: '\SYSTEM\CurrentControlSet\services\Schedule'

}) do

its('Start') { should eq 2 }

end

Get all children of a registry key:

describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet').children do

it { should_not eq [] }

end

Example to use regular expressions for keys:

describe registry_key({

hive: 'HKEY_USERS'

}).children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}\\Software\\Policies\\Microsoft\\Windows\\Installer/).each { |key|

describe registry_key(key) do
  its('AlwaysInstallElevated') { should eq 'value' }
end

}

Example to use regular expressions in responses:

describe registry_key({

hive: 'HKEY_LOCAL_MACHINE',
key: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'

}) do

its('ProductName') { should match /^[a-zA-Z0-9\(\)\s]*2012\s[rR]2[a-zA-Z0-9\(\)\s]*$/ }

end

The file format consists of

Custom resource based on the InSpec resource DSL

Parses a YAML document.

Usage:

describe yaml('.kitchen.yaml') do

its('driver.name') { should eq('vagrant') }

end

Usage:

describe yum do

its('repos') { should exist }

end

describe yum do

its('repos') { should include 'base/7/x86_64' }
its('epel') { should exist }
its('epel') { should be_enabled }

end

Filter for a specific repo by name

describe yum.repo('epel') do

it { should exist }
it { should be_enabled }
its('baseurl') { should include 'mycompany.biz' }

end

deprecated:

describe yumrepo('epel') do

it { should exist }
it { should be_enabled }

end

Constants

LegacyPowershellScript

this is deprecated syntax and will be removed in future versions

MS_PRIVILEGES_RIGHTS

known and supported MS privilege rights

@see technet.microsoft.com/en-us/library/dd277311.aspx
@see msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx

PowershellScript