iis_site

Use the iis_site InSpec audit resource to test the state of IIS on Windows Server 2012 (and later).

Syntax

An iis_site resource block declares details about the named site:

describe iis_site('site_name') do
  it { should exist }
  it { should be_running }
  it { should have_app_pool('app_pool_name') }
  it { should have_binding('binding_details') }
  it { should have_path('path_to_site') }
end

where

  • 'site_name' is the name of the site, such as 'Default Web Site'
  • ('app_pool_name') is the name of the application pool in which the site’s root application is run, such as 'DefaultAppPool'
  • ('binding_details') is a binding for the site, such as 'net.pipe *'. A site may have multiple bindings; therefore, use a have_binding matcher for each site binding to be tested
  • ('path_to_site') is the path to the site, such as 'C:\\inetpub\\wwwroot'

For example:

describe iis_site('Default Web Site') do
  it { should exist }
  it { should be_running }
  it { should have_app_pool('DefaultAppPool') }
  it { should have_binding('https :443:www.contoso.com sslFlags=0') }
  it { should have_binding('net.pipe *') }
  it { should have_path('C:\\inetpub\\wwwroot') }
end

Matchers

This InSpec audit resource has the following matchers:

be

Use the be matcher with a comparison operator, one of = (equal to), > (greater than), < (less than), >= (greater than or equal to), or <= (less than or equal to), to compare two values: its('value') { should be >= value }, its('value') { should be < value }, and so on.

be_running

The be_running matcher tests if the site is running:

it { should be_running }

cmp

Use the cmp matcher to compare two values, such as comparing strings to numbers, comparing a single value to an array of values, comparing an array of strings to a regular expression, improving the printing of octal values, and comparing while ignoring case sensitivity.

Compare a single value to an array:

describe some_resource do
  its('users') { should cmp 'root' }
  its('users') { should cmp ['root'] }
end

Compare strings and regular expressions:

describe some_resource do
  its('setting') { should cmp /raw/i }
end

Compare strings and numbers:

describe some_resource do
  its('setting') { should eq '2' }
end

vs:

describe some_resource do
  its('setting') { should cmp '2' }
  its('setting') { should cmp 2 }
end

Ignoring case sensitivity:

describe some_resource do
  its('setting') { should cmp 'raw' }
  its('setting') { should cmp 'RAW' }
end

Printing octal values:

describe some_resource('/proc/cpuinfo') do
  its('mode') { should cmp '0345' }
end

expected: 0345
got: 0444

eq

Use the eq matcher to test the equality of two values: its('Port') { should eq '22' }.

Using its('Port') { should eq 22 } will fail because 22 is not a string value! Use the cmp matcher for less restrictive value comparisons.

exist

The exist matcher tests if the site exists:

it { should exist }

have_app_pool

The have_app_pool matcher tests if the named application pool exists for the site:

it { should have_app_pool('DefaultAppPool') }

For example, testing if a site’s application pool inherits the settings of the parent application pool:

it { should have_app_pool('/') }

have_binding

The have_binding matcher tests if the specified binding exists for the site:

it { should have_binding('http :80:*') }

or:

it { should have_binding('net.pipe *') }

A site may have multiple bindings; use a have_binding matcher for each unique site binding to be tested.

Binding Attributes

The have_binding matcher can also test attributes that are defined for a site binding. For example, the sslFlags attribute defines if SSL is enabled, and (when enabled) what level of SSL is applied to the site.

Testing a site with SSL disabled:

it { should have_binding('https :443:www.contoso.com sslFlags=0') }

Testing a site with SSL enabled:

it { should have_binding('https :443:www.contoso.com sslFlags=Ssl') }

Testing a site with certificate mapping authentication enabled:

it { should have_binding('https :443:www.contoso.com sslFlags=SslMapCert') }

Testing a site with 128-bit SSL enabled:

it { should have_binding('https :443:www.contoso.com sslFlags=Ssl128') }
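
The binding strings above share one shape: a protocol, an ip:port:host triple, and optional attribute=value pairs. As an added example (plain Ruby, not part of InSpec or of the original page), the helper below splits such strings and reports cleartext http bindings and https bindings carrying sslFlags=0; the helper names, the two-rule policy and the sample bindings are assumptions made for illustration.

```ruby
# Added example: parse binding strings written the way have_binding takes them
# ("<protocol> <ip>:<port>:<host> [attr=value ...]") and flag weak ones.
# Binding, parse_binding, weak_binding_reasons, audit_bindings are hypothetical names.
Binding = Struct.new(:protocol, :ip, :port, :host, :attrs)

def parse_binding(text)
  protocol, info, *rest = text.strip.split(/\s+/)
  attrs = rest.to_h { |pair| pair.split('=', 2) }
  # Non-HTTP bindings such as 'net.pipe *' carry a single token, kept as host.
  return Binding.new(protocol, nil, nil, info, attrs) unless %w[http https].include?(protocol)

  # Anchor on the trailing ":<port>:<host>" so a bracketed IPv6 address keeps its colons.
  ip, port, host = info.to_s.match(/\A(.*):(\d+):([^:]*)\z/)&.captures
  raise ArgumentError, "malformed binding: #{text}" if port.nil?

  Binding.new(protocol, ip, port.to_i, host, attrs)
end

# Assumed policy: no cleartext http, and no https binding with sslFlags=0
# (the value this page uses for "SSL disabled").
def weak_binding_reasons(text)
  binding = parse_binding(text)
  reasons = []
  reasons << 'cleartext http binding' if binding.protocol == 'http'
  if binding.protocol == 'https' && binding.attrs['sslFlags'] == '0'
    reasons << 'https binding with sslFlags=0'
  end
  reasons
end

# Returns { binding string => [reasons] } for the bindings that break the policy.
def audit_bindings(bindings)
  bindings.to_h { |b| [b, weak_binding_reasons(b)] }.reject { |_, r| r.empty? }
end

# Constructed sample bindings in the format shown on this page.
SAMPLE_BINDINGS = [
  'https :443:www.contoso.com sslFlags=Ssl',
  'https :443:www.contoso.com sslFlags=0',
  'http *:80:',
  'net.pipe *',
  'https [::1]:8443:admin.contoso.com sslFlags=Ssl128'
].freeze

audit_bindings(SAMPLE_BINDINGS).each { |b, why| puts "#{b}: #{why.join(', ')}" }
```

Each binding that passes the policy can then be asserted with its own have_binding matcher, and each flagged one with should_not.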

have_path

The have_path matcher tests if the named path is defined for the site:

it { should have_path('C:\\inetpub\\wwwroot') }

include

Use the include matcher to verify that a string value is included in a list: its('list') { should include 'string' }.

match

Use the match matcher to check if a string matches a regular expression: its('string') { should_not match /regex/ }.

Examples

The following examples show how to use this InSpec audit resource.

Test a default IIS site

describe iis_site('Default Web Site') do
  it { should exist }
  it { should be_running }
  it { should have_app_pool('DefaultAppPool') }
  it { should have_binding('http *:80:') }
  it { should have_path('%SystemDrive%\\inetpub\\wwwroot') }
end

Test if IIS service is running

describe service('W3SVC') do
  it { should be_installed }
  it { should be_running }
end