inspec-core 2.1.67

data/lib/resources/powershell.rb

@@ -0,0 +1,67 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+
+module Inspec::Resources
+  class PowershellScript < Cmd
+    name 'powershell'
+    supports platform: 'windows'
+    supports platform: 'unix'
+    desc 'Use the powershell InSpec audit resource to test a Windows PowerShell script on the Microsoft Windows platform.'
+    example "
+      script = <<-EOH
+        # your powershell script
+      EOH
+
+      describe powershell(script) do
+        its('matcher') { should eq 'output' }
+      end
+    "
+
+    def initialize(script)
+      # PowerShell is the default shell on Windows, use the `command` resource
+      return super(script) if inspec.os.windows?
+
+      unless inspec.command('pwsh').exist?
+        raise Inspec::Exceptions::ResourceSkipped, 'Can not find `pwsh` command'
+      end
+
+      # Prevent progress stream from leaking into stderr
+      command = "$ProgressPreference='SilentlyContinue';" + script
+
+      # Encode as Base64 to remove any quotes/escapes/etc issues
+      command = command.encode('UTF-16LE', 'UTF-8')
+      command = Base64.strict_encode64(command)
+
+      # Use the `command` resource to execute the command via `pwsh`
+      super("pwsh -encodedCommand '#{command}'")
+    end
+
+    # we cannot determine if a command exists, because that does not work for scripts
+    def exist?
+      nil
+    end
+
+    # Removes leading and trailing whitespace from stdout
+    def strip
+      result.stdout&.strip
+    end
+
+    def to_s
+      'Powershell'
+    end
+  end
+
+  # this is deprecated syntax and will be removed in future versions
+  class LegacyPowershellScript < PowershellScript
+    name 'script'
+
+    def initialize(script)
+      deprecated
+      super(script)
+    end
+
+    def deprecated
+      warn '[DEPRECATION] `script(script)` is deprecated.  Please use `powershell(script)` instead.'
+    end
+  end
+end

data/lib/resources/processes.rb

@@ -0,0 +1,204 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+
+require 'utils/filter'
+require 'ostruct'
+
+module Inspec::Resources
+  class Processes < Inspec.resource(1)
+    name 'processes'
+    supports platform: 'unix'
+    supports platform: 'windows'
+    desc 'Use the processes InSpec audit resource to test properties for programs that are running on the system.'
+    example "
+      describe processes('mysqld') do
+        its('entries.length') { should eq 1 }
+        its('users') { should eq ['mysql'] }
+        its('states') { should include 'S' }
+      end
+
+      describe processes(/.+/).where { label != 'unconfined' && pid < 1000 } do
+        its('users') { should cmp [] }
+      end
+
+      # work with all processes
+      describe processes do
+        its('entries.length') { should be <= 100 }
+      end
+    "
+
+    def initialize(grep = /.*/)
+      @grep = grep
+      # turn into a regexp if it isn't one yet
+      if grep.class == String
+        # if windows ignore case as we can't make up our minds
+        if inspec.os.windows?
+          grep = '(?i)' + grep
+        else
+          grep = '(/[^/]*)*' + grep unless grep[0] == '/'
+          grep = '^' + grep + '(\s|$)'
+        end
+        grep = Regexp.new(grep)
+      end
+
+      all_cmds = ps_axo
+      @list = all_cmds.find_all do |hm|
+        hm[:command] =~ grep
+      end
+    end
+
+    def exists?
+      !@list.empty?
+    end
+
+    def to_s
+      "Processes #{@grep.class == String ? @grep : @grep.inspect}"
+    end
+
+    def list
+      warn '[DEPRECATION] `processes.list` is deprecated. Please use `processes.entries` instead. It will be removed in version 2.0.0.'
+      @list
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:labels,   field: 'label')
+          .add(:pids,     field: 'pid')
+          .add(:cpus,     field: 'cpu')
+          .add(:mem,      field: 'mem')
+          .add(:vsz,      field: 'vsz')
+          .add(:rss,      field: 'rss')
+          .add(:tty,      field: 'tty')
+          .add(:states,   field: 'stat')
+          .add(:start,    field: 'start')
+          .add(:time,     field: 'time')
+          .add(:users,    field: 'user')
+          .add(:commands, field: 'command')
+          .connect(self, :filtered_processes)
+
+    private
+
+    def filtered_processes
+      @list
+    end
+
+    def ps_axo
+      os = inspec.os
+
+      if os.linux?
+        command, regex, field_map = ps_configuration_for_linux
+      elsif os.windows?
+        command = '$Proc = Get-Process -IncludeUserName | Where-Object {$_.Path -ne $null } | Select-Object PriorityClass,Id,CPU,PM,VirtualMemorySize,NPM,SessionId,Responding,StartTime,TotalProcessorTime,UserName,Path | ConvertTo-Csv -NoTypeInformation;$Proc.Replace("""","").Replace("`r`n","`n")'
+        # Wanted to use /(?:^|,)([^,]*)/; works on rubular.com not sure why here?
+        regex = /^(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+)$/
+        field_map = {
+          pid: 2,
+          cpu: 3,
+          mem: 4,
+          vsz: 5,
+          rss: 6,
+          tty: 7,
+          stat: 8,
+          start: 9,
+          time: 10,
+          user: 11,
+          command: 12,
+        }
+      else
+        command = 'ps axo pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user,command'
+        regex = /^\s*([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
+        field_map = {
+          pid: 1,
+          cpu: 2,
+          mem: 3,
+          vsz: 4,
+          rss: 5,
+          tty: 6,
+          stat: 7,
+          start: 8,
+          time: 9,
+          user: 10,
+          command: 11,
+        }
+      end
+      build_process_list(command, regex, field_map)
+    end
+
+    def ps_configuration_for_linux
+      if busybox_ps?
+        command = 'ps -o pid,vsz,rss,tty,stat,time,ruser,args'
+        regex = /^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$/
+        field_map = {
+          pid: 1,
+          vsz: 2,
+          rss: 3,
+          tty: 4,
+          stat: 5,
+          time: 6,
+          user: 7,
+          command: 8,
+        }
+      else
+        command = 'ps axo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command'
+        regex = /^(.+?)\s+(\d+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(\w{3} \d{2}|\d{2}:\d{2}:\d{2})\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
+        field_map = {
+          label: 1,
+          pid: 2,
+          cpu: 3,
+          mem: 4,
+          vsz: 5,
+          rss: 6,
+          tty: 7,
+          stat: 8,
+          start: 9,
+          time: 10,
+          user: 11,
+          command: 12,
+        }
+      end
+
+      [command, regex, field_map]
+    end
+
+    def busybox_ps?
+      @busybox_ps ||= inspec.command('ps --help').stderr.include?('BusyBox')
+    end
+
+    def build_process_list(command, regex, field_map)
+      cmd = inspec.command(command)
+      all = cmd.stdout.split("\n")[1..-1]
+      return [] if all.nil?
+
+      # map all the process lines into match objects, fetch the available fields,
+      # and then build an OpenStruct of the process data for each process
+      all.map do |line|
+        line = line.match(regex)
+
+        # skip this line if we couldn't match the regular expression
+        next if line.nil?
+
+        # skip this entry if there's no command for this line
+        next if line[field_map[:command]].nil?
+
+        # build a hash of process data that we'll turn into a struct for FilterTable
+        process_data = {}
+        [:label, :pid, :cpu, :mem, :vsz, :rss, :tty, :stat, :start, :time, :user, :command].each do |param|
+          # not all operating systems support all fields, so skip the field if we don't have it
+          process_data[param] = line[field_map[param]] if field_map.key?(param)
+        end
+
+        # ensure pid, vsz, and rss are integers for backward compatibility
+        [:pid, :vsz, :rss].each do |int_param|
+          process_data[int_param] = process_data[int_param].to_i if process_data.key?(int_param)
+        end
+
+        # strip any newlines off the command
+        process_data[:command].strip!
+
+        # return an OpenStruct of the process for future use by FilterTable
+        OpenStruct.new(process_data)
+      end.compact
+    end
+  end
+end

data/lib/resources/rabbitmq_conf.rb

@@ -0,0 +1,51 @@
+# encoding: utf-8
+
+require 'utils/erlang_parser'
+require 'utils/file_reader'
+
+module Inspec::Resources
+  class RabbitmqConf < Inspec.resource(1)
+    name 'rabbitmq_config'
+    supports platform: 'unix'
+    desc 'Use the rabbitmq_config InSpec resource to test configuration data '\
+         'for the RabbitMQ service located in /etc/rabbitmq/rabbitmq.config on '\
+         'Linux and UNIX platforms.'
+    example "
+      describe rabbitmq_config.params('rabbit', 'ssl_listeners') do
+        it { should cmp 5671 }
+      end
+    "
+
+    include FileReader
+
+    def initialize(conf_path = nil)
+      @conf_path = conf_path || '/etc/rabbitmq/rabbitmq.config'
+      @content = read_file_content(@conf_path, allow_empty: true)
+    end
+
+    def params(*opts)
+      opts.inject(read_params) do |res, nxt|
+        res.respond_to?(:key) ? res[nxt] : nil
+      end
+    end
+
+    def to_s
+      "rabbitmq_config #{@conf_path}"
+    end
+
+    private
+
+    def read_content
+      return @content if defined?(@content)
+      @content = read_file_content(@conf_path, allow_empty: true)
+    end
+
+    def read_params
+      return @params if defined?(@params)
+      return @params = {} if read_content.nil?
+      @params = ErlangConfigFile.parse(read_content)
+    rescue Parslet::ParseFailed
+      raise "Cannot parse RabbitMQ config: \"#{read_content}\""
+    end
+  end
+end

data/lib/resources/registry_key.rb

@@ -0,0 +1,297 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+
+require 'json'
+
+# Three constructor methods are available:
+# 1. resistry_key(path'):
+# describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule') do
+#   its('Start') { should eq 2 }
+# end
+#
+# 2. resistry_key('name','path'):
+# describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule') do
+#   its('Start') { should eq 2 }
+# end
+#
+# 3. options hash
+# describe registry_key({
+#            name: 'Task Scheduler',
+#            hive: 'HKEY_LOCAL_MACHINE',
+#            key: '\SYSTEM\CurrentControlSet\services\Schedule'
+# }) do
+#   its('Start') { should eq 2 }
+# end
+#
+# Get all childs of a registry key:
+# describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet').children do
+#   it { should_not eq [] }
+# end
+#
+# Example to use regular expressions for keys
+# describe registry_key({
+#   hive: HKEY_USERS
+# }).children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}\\Software\\Policies\\Microsoft\\Windows\\Installer/).each { |key|
+#   describe registry_key(key) do
+#     its('AlwaysInstallElevated') { should eq 'value' }
+#   end
+# }
+#
+# Example to use regular expressions in responses
+# describe registry_key({
+#   hive: 'HKEY_LOCAL_MACHINE',
+#   key: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
+# }) do
+#   its('ProductName') { should match /^[a-zA-Z0-9\(\)\s]*2012\s[rR]2[a-zA-Z0-9\(\)\s]*$/ }
+# end
+
+module Inspec::Resources
+  class RegistryKey < Inspec.resource(1)
+    name 'registry_key'
+    supports platform: 'windows'
+    desc 'Use the registry_key InSpec audit resource to test key values in the Microsoft Windows registry.'
+    example "
+      describe registry_key('path\to\key') do
+        its('name') { should eq 'value' }
+      end
+    "
+
+    def initialize(name, reg_key = nil)
+      # if we have one parameter, we use it as name
+      reg_key ||= name
+      @options = {}
+      if reg_key && reg_key.is_a?(Hash)
+        @options = @options.merge!(reg_key)
+
+        # generate registry_key if we do not have a regular expression
+        @options[:path] = generate_registry_key_path_from_options
+        @options[:name] ||= @options[:path]
+      else
+        @options[:name] = name
+        @options[:path] = reg_key
+      end
+
+      return skip_resource 'The `registry_key` resource is not supported on your OS yet.' if !inspec.os.windows?
+    end
+
+    def exists?
+      !registry_key(@options[:path]).nil?
+    end
+
+    def has_value?(value)
+      val = registry_key(@options[:path])
+      !val.nil? && registry_property_value(val, '(default)') == value ? true : false
+    end
+
+    def has_property?(property_name, property_type = nil)
+      val = registry_key(@options[:path])
+      !val.nil? && registry_property_exists(val, property_name) && (property_type.nil? || registry_property_type(val, property_name) == map2type(property_type)) ? true : false
+    end
+
+    # deactivate rubocop, because we need to stay compatible with Serverspe
+    # rubocop:disable Style/OptionalArguments
+    def has_property_value?(property_name, property_type = nil, value)
+      # rubocop:enable Style/OptionalArguments
+      val = registry_key(@options[:path])
+
+      # convert value to binary if required
+      value = value.bytes if !property_type.nil? && map2type(property_type) == 3 && !value.is_a?(Array)
+
+      !val.nil? && registry_property_value(val, property_name) == value && (property_type.nil? || registry_property_type(val, property_name) == map2type(property_type)) ? true : false
+    end
+
+    # returns an arrray of child nodes
+    def children(filter = nil)
+      children_keys(@options[:path], filter)
+    end
+
+    # returns nil, if not existant or value
+    def method_missing(*keys)
+      # allow the use of array syntax in an `its` block so that users
+      # can use it to query for keys with . characters in them
+      if keys.is_a?(Array)
+        keys.shift if keys[0] == :[]
+        key = keys.first
+      else
+        key = keys
+      end
+
+      # get data
+      val = registry_key(@options[:path])
+      registry_property_value(val, key)
+    end
+
+    def to_s
+      "Registry Key #{@options[:name]}"
+    end
+
+    private
+
+    def prep_prop(property)
+      property.to_s.downcase
+    end
+
+    def registry_property_exists(regkey, property)
+      return false if regkey.nil? || property.nil?
+      # always ensure the key is lower case
+      !regkey[prep_prop(property)].nil?
+    end
+
+    def registry_property_value(regkey, property)
+      return nil if !registry_property_exists(regkey, property)
+      # always ensure the key is lower case
+      regkey[prep_prop(property)]['value']
+    end
+
+    def registry_property_type(regkey, property)
+      return nil if !registry_property_exists(regkey, property)
+      # always ensure the key is lower case
+      regkey[prep_prop(property)]['type']
+    end
+
+    def registry_key(path)
+      return @registry_cache if defined?(@registry_cache)
+      # load registry key and all properties
+      script = <<-EOH
+      Function InSpec-GetRegistryKey($path) {
+        $reg = Get-Item ('Registry::' + $path)
+        if ($reg -eq $null) {
+          Write-Error "InSpec: Failed to find registry key"
+          exit 1001
+        }
+
+        $properties = New-Object -Type PSObject
+        $reg.Property | ForEach-Object {
+            $key = $_
+            $keytype = $key
+            if ("(default)".Equals($key)) { $keytype = '' }
+            $value = New-Object psobject -Property @{
+              "value" =  $(Get-ItemProperty ('Registry::' + $path)).$key;
+              "type"  = $reg.GetValueKind($keytype);
+            }
+            $properties | Add-Member NoteProperty $_ $value
+        }
+        $properties
+      }
+      $path = '#{path}'
+      InSpec-GetRegistryKey($path) | ConvertTo-Json -Compress
+      EOH
+
+      cmd = inspec.powershell(script)
+      # cannot rely on exit code for now, successful command returns exit code 1
+      # return nil if cmd.exit_status != 0, try to parse json
+      begin
+        if cmd.exit_status == 1001 && cmd.stderr =~ /InSpec: Failed to find registry key/
+          # TODO: provide the stderr output
+          @registry_cache = nil
+        else
+          @registry_cache = JSON.parse(cmd.stdout)
+          # convert keys to lower case
+          @registry_cache = Hash[@registry_cache.map do |key, value|
+            [key.downcase, value]
+          end]
+        end
+      rescue JSON::ParserError => _e
+        @registry_cache = nil
+      end
+      @registry_cache
+    end
+
+    def children_keys(path, filter = '')
+      return @children_cache if defined?(@children_cache)
+      filter = filter.source if filter.is_a? ::Regexp
+      script = <<-EOH
+      Function InSpec-FindChildsRegistryKeys($path, $filter) {
+        # get information about the child registry keys
+        $items = Get-ChildItem -Path ('Registry::' + $path) -rec -ea SilentlyContinue
+        # filter entries
+        $items | Where-Object {
+            $name = $_.Name
+            $simple = $name -replace "HKEY_LOCAL_MACHINE\\\\",""
+            $simple = $name -replace "HKEY_USERS\\\\",""
+            $simple -Match $filter
+        } | % { $_.Name }
+      }
+
+      $path = '#{path}'
+      $filter = "#{filter}"
+      ConvertTo-Json @(InSpec-FindChildsRegistryKeys $path $filter)
+      EOH
+      cmd = inspec.powershell(script)
+      begin
+        @children_cache = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        @children_cache = []
+      end
+      @children_cache
+    end
+
+    # Registry key value types
+    # @see https://msdn.microsoft.com/en-us/library/windows/desktop/ms724884(v=vs.85).aspx
+    # REG_NONE 0
+    # REG_SZ 1
+    # REG_EXPAND_SZ 2
+    # REG_BINARY 3
+    # REG_DWORD 4
+    # REG_DWORD_LITTLE_ENDIAN 4
+    # REG_DWORD_BIG_ENDIAN 5
+    # REG_LINK 6
+    # REG_MULTI_SZ 7
+    # REG_RESOURCE_LIST 8
+    # REG_FULL_RESOURCE_DESCRIPTOR 9
+    # REG_RESOURCE_REQUIREMENTS_LIST 10
+    # REG_QWORD 11
+    # REG_QWORD_LITTLE_ENDIAN 11
+    def map2type(symbol)
+      options = {}
+
+      # chef symbols, we prefer those
+      options[:binary] = 3
+      options[:string] = 1
+      options[:multi_string] = 7
+      options[:expand_string] = 2
+      options[:dword] = 4
+      options[:dword_big_endian] = 5
+      options[:qword] = 11
+
+      # serverspec symbols
+      options[:type_string] = 1
+      options[:type_binary] = 3
+      options[:type_dword] = 4
+      options[:type_qword] = 11
+      options[:type_multistring] = 7
+      options[:type_expandstring] = 2
+
+      options[symbol]
+    end
+
+    def generate_registry_key_path_from_options
+      path = @options[:hive]
+      path += format_key_from_options
+
+      path
+    end
+
+    def format_key_from_options
+      key = @options[:key]
+      return '' unless key
+
+      key.start_with?('\\') ? key : "\\#{key}"
+    end
+  end
+
+  # for compatability with serverspec
+  # this is deprecated syntax and will be removed in future versions
+  class WindowsRegistryKey < RegistryKey
+    name 'windows_registry_key'
+
+    def initialize(name)
+      deprecated
+      super(name)
+    end
+
+    def deprecated
+      warn '[DEPRECATION] `windows_registry_key(reg_key)` is deprecated.  Please use `registry_key(\'path\to\key\')` instead.'
+    end
+  end
+end