inspec-core 2.1.67

data/lib/resources/mysql_conf.rb

@@ -0,0 +1,127 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+
+require 'utils/simpleconfig'
+require 'utils/find_files'
+require 'utils/file_reader'
+require 'utils/hash'
+require 'resources/mysql'
+
+module Inspec::Resources
+  class MysqlConfEntry
+    def initialize(path, params)
+      @params = params
+      @path = path
+    end
+
+    def method_missing(name, *_)
+      k = name.to_s
+      res = @params[k]
+      return true if res.nil? && @params.key?(k)
+      @params[k]
+    end
+
+    def to_s
+      "MySQL Config entry [#{@path.join(' ')}]"
+    end
+  end
+
+  class MysqlConf < Inspec.resource(1)
+    name 'mysql_conf'
+    supports platform: 'unix'
+    supports platform: 'windows'
+    desc 'Use the mysql_conf InSpec audit resource to test the contents of the configuration file for MySQL, typically located at /etc/mysql/my.cnf or /etc/my.cnf.'
+    example "
+      describe mysql_conf('path') do
+        its('setting') { should eq 'value' }
+      end
+
+      # Test a parameter set within the [mysqld] section
+      describe mysql_conf do
+        its('mysqld.port') { should cmp 3306 }
+      end
+
+      # Test a parameter set within the [mariadb] section using array notation
+      describe mysql_conf do
+        its(['mariadb', 'max-connections']) { should_not be_nil }
+      end
+    "
+
+    include FindFiles
+    include FileReader
+
+    def initialize(conf_path = nil)
+      @conf_path = conf_path || inspec.mysql.conf_path
+      @files_contents = {}
+      @content = nil
+      @params = nil
+      read_content
+    end
+
+    def content
+      @content ||= read_content
+    end
+
+    def params(*opts)
+      @params || read_content
+      res = @params
+      opts.each do |opt|
+        res = res[opt] unless res.nil?
+      end
+      MysqlConfEntry.new(opts, res)
+    end
+
+    def method_missing(name)
+      @params || read_content
+      @params[name.to_s]
+    end
+
+    def read_content
+      @content = ''
+      @params = {}
+
+      to_read = [@conf_path]
+      until to_read.empty?
+        cur_file = to_read[0]
+        raw_conf = read_file(cur_file)
+        @content += raw_conf
+
+        params = SimpleConfig.new(raw_conf).params
+        @params = @params.deep_merge(params)
+
+        to_read = to_read.drop(1)
+        # see if there is more stuff to include
+
+        dir = File.dirname(cur_file)
+        to_read += include_files(dir, raw_conf).find_all do |fp|
+          not @files_contents.key? fp
+        end
+      end
+      #
+      @content
+    end
+
+    def include_files(reldir, conf)
+      files = conf.scan(/^!include\s+(.*)\s*/).flatten.compact.map { |x| abs_path(reldir, x) }
+      dirs = conf.scan(/^!includedir\s+(.*)\s*/).flatten.compact.map { |x| abs_path(reldir, x) }
+      dirs.map do |dir|
+        # @TODO: non local glob
+        files += find_files(dir, depth: 1, type: 'file')
+      end
+      files
+    end
+
+    def abs_path(dir, f)
+      return f if f.start_with? '/'
+      File.join(dir, f)
+    end
+
+    def read_file(path)
+      @files_contents[path] ||= read_file_content(path)
+    end
+
+    def to_s
+      'MySQL Configuration'
+    end
+  end
+end

data/lib/resources/mysql_session.rb

@@ -0,0 +1,85 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+
+require 'shellwords'
+
+module Inspec::Resources
+  class MysqlSession < Inspec.resource(1)
+    name 'mysql_session'
+    supports platform: 'unix'
+    supports platform: 'windows'
+    desc 'Use the mysql_session InSpec audit resource to test SQL commands run against a MySQL database.'
+    example "
+      sql = mysql_session('my_user','password','host')
+      describe sql.query('show databases like \'test\';') do
+        its('stdout') { should_not match(/test/) }
+      end
+    "
+
+    def initialize(user = nil, pass = nil, host = 'localhost', port = nil, socket = nil)
+      @user = user
+      @pass = pass
+      @host = host
+      @port = port
+      @socket = socket
+      init_fallback if user.nil? or pass.nil?
+      skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? or @pass.nil?
+    end
+
+    def query(q, db = '')
+      mysql_cmd = create_mysql_cmd(q, db)
+      cmd = inspec.command(mysql_cmd)
+      out = cmd.stdout + "\n" + cmd.stderr
+      if out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error/
+        # skip this test if the server can't run the query
+        warn("Can't connect to MySQL instance for SQL checks.")
+      end
+
+      # return the raw command output
+      cmd
+    end
+
+    def to_s
+      'MySQL Session'
+    end
+
+    private
+
+    def escape_string(query)
+      Shellwords.escape(query)
+    end
+
+    def create_mysql_cmd(q, db = '')
+      # TODO: simple escape, must be handled by a library
+      # that does this securely
+      escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
+
+      # construct the query
+      command = 'mysql'
+      command += " -u#{escape_string(@user)}" unless @user.nil?
+      command += " -p#{escape_string(@pass)}" unless @pass.nil?
+
+      if !@socket.nil?
+        command += " -S #{@socket}"
+      else
+        command += " -h #{@host}"
+      end
+      command += " --port #{@port}" unless @port.nil?
+      command += " #{db}" unless db.empty?
+      command += %{ -s -e "#{escaped_query}"}
+      command
+    end
+
+    def init_fallback
+      # support debian mysql administration login
+      debian = inspec.command('test -f /etc/mysql/debian.cnf && cat /etc/mysql/debian.cnf').stdout
+      return if debian.empty?
+
+      user = debian.match(/^\s*user\s*=\s*([^ ]*)\s*$/)
+      pass = debian.match(/^\s*password\s*=\s*([^ ]*)\s*$/)
+      return if user.nil? or pass.nil?
+      @user = user[1]
+      @pass = pass[1]
+    end
+  end
+end

data/lib/resources/nginx.rb

@@ -0,0 +1,96 @@
+# encoding: utf-8
+
+require 'pathname'
+require 'hashie/mash'
+
+module Inspec::Resources
+  class Nginx < Inspec.resource(1)
+    name 'nginx'
+    supports platform: 'unix'
+    desc 'Use the nginx InSpec audit resource to test information about your NGINX instance.'
+    example "
+      describe nginx do
+        its('conf_path') { should cmp '/etc/nginx/nginx.conf' }
+      end
+      describe nginx('/etc/sbin/') do
+        its('version') { should be >= '1.0.0' }
+      end
+      describe nginx do
+        its('modules') { should include 'my_module' }
+      end
+    "
+    attr_reader :params, :bin_dir
+
+    def initialize(nginx_path = '/usr/sbin/nginx')
+      return skip_resource 'The `nginx` resource is not yet available on your OS.' if inspec.os.windows?
+      return skip_resource 'The `nginx` binary not found in the path provided.' unless inspec.command(nginx_path).exist?
+
+      cmd = inspec.command("#{nginx_path} -V 2>&1")
+      if !cmd.exit_status.zero?
+        return skip_resource 'Error using the command nginx -V'
+      end
+      @data = cmd.stdout
+      @params = {}
+      read_content
+    end
+
+    %w{error_log_path http_client_body_temp_path http_fastcgi_temp_path http_log_path http_proxy_temp_path http_scgi_temp_path http_uwsgi_temp_path lock_path modules_path prefix sbin_path service version}.each do |property|
+      define_method(property.to_sym) do
+        @params[property.to_sym]
+      end
+    end
+
+    def openssl_version
+      result = @data.scan(/built with OpenSSL\s(\S+)\s(\d+\s\S+\s\d{4})/).flatten
+      Hashie::Mash.new({ 'version' => result[0], 'date' => result[1] })
+    end
+
+    def compiler_info
+      result = @data.scan(/built by (\S+)\s(\S+)\s(\S+)/).flatten
+      Hashie::Mash.new({ 'compiler' => result[0], 'version' => result[1], 'date' => result[2] })
+    end
+
+    def support_info
+      support_info = @data.scan(/(.*\S+) support enabled/).flatten
+      support_info.empty? ? nil : support_info.join(' ')
+    end
+
+    def modules
+      @data.scan(/--with-(\S+)_module/).flatten
+    end
+
+    def to_s
+      'Nginx Environment'
+    end
+
+    private
+
+    def read_content
+      parse_config
+      parse_path
+      parse_http_path
+    end
+
+    def parse_config
+      @params[:prefix] = @data.scan(/--prefix=(\S+)\s/).flatten.first
+      @params[:service] = 'nginx'
+      @params[:version] = @data.scan(%r{nginx version: nginx\/(\S+)\s}).flatten.first
+    end
+
+    def parse_path
+      @params[:sbin_path] = @data.scan(/--sbin-path=(\S+)\s/).flatten.first
+      @params[:modules_path] = @data.scan(/--modules-path=(\S+)\s/).flatten.first
+      @params[:error_log_path] = @data.scan(/--error-log-path=(\S+)\s/).flatten.first
+      @params[:http_log_path] = @data.scan(/--http-log-path=(\S+)\s/).flatten.first
+      @params[:lock_path] = @data.scan(/--lock-path=(\S+)\s/).flatten.first
+    end
+
+    def parse_http_path
+      @params[:http_client_body_temp_path] = @data.scan(/--http-client-body-temp-path=(\S+)\s/).flatten.first
+      @params[:http_proxy_temp_path] = @data.scan(/--http-proxy-temp-path=(\S+)\s/).flatten.first
+      @params[:http_fastcgi_temp_path] = @data.scan(/--http-fastcgi-temp-path=(\S+)\s/).flatten.first
+      @params[:http_uwsgi_temp_path] = @data.scan(/--http-uwsgi-temp-path=(\S+)\s/).flatten.first
+      @params[:http_scgi_temp_path] = @data.scan(/--http-scgi-temp-path=(\S+)\s/).flatten.first
+    end
+  end
+end

data/lib/resources/nginx_conf.rb

@@ -0,0 +1,226 @@
+# encoding: utf-8
+
+require 'utils/nginx_parser'
+require 'utils/find_files'
+require 'utils/file_reader'
+require 'forwardable'
+
+# STABILITY: Experimental
+# This resouce needs a proper interace to the underlying data, which is currently missing.
+# Until it is added, we will keep it experimental.
+#
+# TODO: Support it on Windows. To do so, we need to recognize the base os and how
+# it combines the file path. Calling `File.join` or similar methods may lead to errors
+# when running remotely.
+module Inspec::Resources
+  class NginxConf < Inspec.resource(1)
+    name 'nginx_conf'
+    supports platform: 'unix'
+    desc 'Use the nginx_conf InSpec resource to test configuration data '\
+         'for the NginX web server located in /etc/nginx/nginx.conf on '\
+         'Linux and UNIX platforms.'
+    example "
+      describe nginx_conf.params ...
+      describe nginx_conf('/path/to/my/nginx.conf').params ...
+    "
+
+    extend Forwardable
+
+    include FindFiles
+    include FileReader
+
+    attr_reader :contents
+
+    def initialize(conf_path = nil)
+      @conf_path = conf_path || '/etc/nginx/nginx.conf'
+      @contents = {}
+      return skip_resource 'The `nginx_conf` resource is currently not supported on Windows.' if inspec.os.windows?
+      read_content(@conf_path)
+    end
+
+    def params
+      @params ||= parse_nginx(@conf_path)
+    rescue StandardError => e
+      skip_resource e.message
+      @params = {}
+    end
+
+    def http
+      NginxConfHttp.new(params['http'], self)
+    end
+
+    def_delegators :http, :servers, :locations
+
+    def to_s
+      "nginx_conf #{@conf_path}"
+    end
+
+    private
+
+    def read_content(path)
+      return @contents[path] if @contents.key?(path)
+      @contents[path] = read_file_content(path, allow_empty: true)
+    end
+
+    def parse_nginx(path)
+      return nil if inspec.os.windows?
+      content = read_content(path)
+      data = NginxConfig.parse(content)
+      resolve_references(data, File.dirname(path))
+    rescue StandardError => _
+      raise "Cannot parse NginX config in #{path}."
+    end
+
+    # Cycle through the complete parsed data structure and try to find any
+    # calls to `include`. In NginX, this is used to embed data from other
+    # files into the current data structure.
+    #
+    # The method steps through the object structure that is passed in to
+    # find any calls to 'include' and returns the object structure with the
+    # included data merged in.
+    #
+    # @param data [Hash] data structure from NginxConfig.parse
+    # @param rel_path [String] the relative path from which this config is read
+    # @return [Hash] data structure with references included
+    def resolve_references(data, rel_path)
+      # Walk through all array entries to find more references
+      return data.map { |x| resolve_references(x, rel_path) } if data.is_a?(Array)
+
+      # Return any data that we cannot step into to find more `include` calls
+      return data unless data.is_a?(Hash)
+
+      # Any call to `include` gets its data read, parsed, and merged back
+      # into the current data structure
+      if data.key?('include')
+        data.delete('include').flatten
+            .map { |x| File.expand_path(x, rel_path) }
+            .map { |x| find_files(x) }.flatten
+            .map { |path| parse_nginx(path) }
+            .each { |conf| merge_config!(data, conf) }
+      end
+
+      # Walk through the remaining hash fields to find more references
+      Hash[data.map { |k, v| [k, resolve_references(v, rel_path)] }]
+    end
+
+    # Deep merge fields from NginxConfig.parse.
+    # A regular merge would overwrite values so a deep merge is needed.
+    # @param data [Hash] data structure from NginxConfig.parse
+    # @param conf [Hash] data structure to be deep merged into data
+    # @return [Hash] data structure with conf and data deep merged
+    def merge_config!(data, conf)
+      # Catch edge-cases
+      return if data.nil? || conf.nil?
+      # Step through all conf items and create combined return value
+      data.merge!(conf) do |_, v1, v2|
+        if v1.is_a?(Array) && v2.is_a?(Array)
+          # If both the data field and the conf field are arrays, then combine them
+          v1 + v2
+        elsif v1.is_a?(Hash) && v2.is_a?(Hash)
+          # If both the data field and the conf field are maps, then deep merge them
+          merge_config!(v1, v2)
+        else
+          # All other cases, just use the new value (regular merge behavior)
+          v2
+        end
+      end
+    end
+  end
+
+  class NginxConfHttp
+    attr_reader :entries
+    def initialize(params, parent)
+      @parent = parent
+      @entries = (params || []).map { |x| NginxConfHttpEntry.new(x, parent) }
+    end
+
+    def servers
+      @entries.map(&:servers).flatten
+    end
+
+    def locations
+      servers.map(&:locations).flatten
+    end
+
+    def to_s
+      @parent.to_s + ', http entries'
+    end
+    alias inspect to_s
+  end
+
+  class NginxConfHttpEntry
+    attr_reader :params, :parent
+    def initialize(params, parent)
+      @params = params || {}
+      @parent = parent
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add(:servers, field: 'server')
+          .connect(self, :server_table)
+
+    def locations
+      servers.map(&:locations).flatten
+    end
+
+    def to_s
+      @parent.to_s + ', http entry'
+    end
+    alias inspect to_s
+
+    private
+
+    def server_table
+      @server_table ||= (params['server'] || []).map { |x| { 'server' => NginxConfServer.new(x, self) } }
+    end
+  end
+
+  class NginxConfServer
+    attr_reader :params, :parent
+    def initialize(params, parent)
+      @parent = parent
+      @params = params || {}
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add(:locations, field: 'location')
+          .connect(self, :location_table)
+
+    def to_s
+      server = ''
+      name = Array(params['server_name']).flatten.first
+      unless name.nil?
+        server += name
+        listen = Array(params['listen']).flatten.first
+        server += ":#{listen}" unless listen.nil?
+      end
+
+      # go two levels up: 1. to the http entry and 2. to the root nginx conf
+      @parent.parent.to_s + ", server #{server}"
+    end
+    alias inspect to_s
+
+    private
+
+    def location_table
+      @location_table ||= (params['location'] || []).map { |x| { 'location' => NginxConfLocation.new(x, self) } }
+    end
+  end
+
+  class NginxConfLocation
+    attr_reader :params, :parent
+    def initialize(params, parent)
+      @parent = parent
+      @params = params || {}
+    end
+
+    def to_s
+      location = Array(params['_']).join(' ')
+      # go three levels up: 1. to the server entry, 2. http entry and 3. to the root nginx conf
+      @parent.parent.parent.to_s + ", location #{location.inspect}"
+    end
+    alias inspect to_s
+  end
+end