inspec-core 2.1.67

data/lib/resources/vbscript.rb

@@ -0,0 +1,68 @@
+# encoding: utf-8
+
+require 'securerandom'
+
+module Inspec::Resources
+  # This resource allows users to run vbscript on windows machines. We decided
+  # not to use scriptcontrol, due to the fact that it works on 32 bit systems only:
+  # $script = new-object -comobject MSScriptControl.ScriptControl
+  # $script.language = "vbscript"
+  # $script.ExecuteStatement($Cmd)
+  #
+  # For that reason, we call csript.exe directy with the script. Vbscript is
+  # embedded in Powershell to ease the file transfer and reuse powershell
+  # encodedCommand since train does not allow file upload yet.
+  #
+  # We run cscript with /nologo option to get the expected output only with the
+  # version information.
+  #
+  # Since Windows does not delete tmp files automatically, we remove the VBScript
+  # after we executed it
+  # @see https://msdn.microsoft.com/en-us/library/aa364991.aspx
+  class VBScript < PowershellScript
+    name 'vbscript'
+    supports platform: 'windows'
+    desc ''
+    example "
+      script = <<-EOH
+        # you vbscript
+      EOH
+
+      describe vbscript(script) do
+        its('stdout') { should eq 'output' }
+      end
+    "
+
+    def initialize(vbscript)
+      @seperator = SecureRandom.uuid
+      cmd = <<~EOH
+        $vbscript = @"
+        #{vbscript}
+        Wscript.Stdout.Write "#{@seperator}"
+        "@
+        $filename = [System.IO.Path]::GetTempFileName() + ".vbs"
+        New-Item $filename -type file -force -value $vbscript | Out-Null
+        cscript.exe /nologo $filename
+        Remove-Item $filename | Out-Null
+      EOH
+      super(cmd)
+    end
+
+    def result
+      @result ||= parse_stdout
+    end
+
+    def to_s
+      'Windows VBScript'
+    end
+
+    private
+
+    def parse_stdout
+      res = inspec.backend.run_command(@command)
+      parsed_result = res.stdout.gsub(/#{@seperator}\r\n$/, '')
+      res.stdout = parsed_result
+      res
+    end
+  end
+end

data/lib/resources/virtualization.rb

@@ -0,0 +1,247 @@
+# encoding: utf-8
+
+require 'hashie/mash'
+
+module Inspec::Resources
+  class Virtualization < Inspec.resource(1)
+    name 'virtualization'
+    supports platform: 'linux'
+    desc 'Use the virtualization InSpec audit resource to test the virtualization platform on which the system is running'
+    example "
+      describe virtualization do
+        its('system') { should eq 'docker' }
+      end
+
+      describe virtualization do
+        its('role') { should eq 'guest' }
+      end
+
+      control 'test' do
+        describe file('/var/tmp/foo') do
+          it { should be_file }
+        end
+        only_if { virtualization.system == 'docker' }
+      end
+    "
+
+    def initialize
+      @virtualization_data = Hashie::Mash.new
+      collect_data_linux
+    end
+
+    # add helper methods for easy access of properties
+    # allows users to use virtualization.role, virtualization.system
+    %w{role system}.each do |property|
+      define_method(property.to_sym) do
+        @virtualization_data[property.to_sym]
+      end
+    end
+
+    def params
+      collect_data_linux
+    end
+
+    def to_s
+      'Virtualization Detection'
+    end
+
+    private
+
+    def lxc_version_exists?
+      inspec.command('lxc-version').exist?
+    end
+
+    def docker_exists?
+      inspec.command('docker').exist?
+    end
+
+    def nova_exists?
+      inspec.command('nova').exist?
+    end
+
+    # Detect Xen
+    # /proc/xen is an empty dir for EL6 + Linode Guests + Paravirt EC2 instances
+    # Notes:
+    # - cpuid of guests, if we could get it, would also be a clue
+    # - may be able to determine if under paravirt from /dev/xen/evtchn (See OHAI-253)
+    # - Additional edge cases likely should not change the above assumptions
+    #   but rather be additive - btm
+    def detect_xen
+      return false unless inspec.file('/proc/xen').exist?
+      @virtualization_data[:system] = 'xen'
+      @virtualization_data[:role] = 'guest'
+
+      # This file should exist on most Xen systems, normally empty for guests
+      if inspec.file('/proc/xen/capabilities').exist? &&
+          inspec.file('/proc/xen/capabilities').content =~ /control_d/i # rubocop:disable Layout/MultilineOperationIndentation
+        @virtualization_data[:role] = 'host'
+      end
+      true
+    end
+
+    # Detect Virtualbox from kernel module
+    def detect_virtualbox
+      return false unless inspec.file('/proc/modules').exist?
+      modules = inspec.file('/proc/modules').content
+      if modules =~ /^vboxdrv/
+        Inspec::Log.debug('Plugin Virtualization: /proc/modules contains vboxdrv. Detecting as vbox host')
+        @virtualization_data[:system] = 'vbox'
+        @virtualization_data[:role] = 'host'
+      elsif modules =~ /^vboxguest/
+        Inspec::Log.debug('Plugin Virtualization: /proc/modules contains vboxguest. Detecting as vbox guest')
+        @virtualization_data[:system] = 'vbox'
+        @virtualization_data[:role] = 'guest'
+      else
+        return false
+      end
+      true
+    end
+
+    # if nova binary is present we're on an openstack host
+    def detect_openstack
+      return false unless nova_exists?
+      @virtualization_data[:system] = 'openstack'
+      @virtualization_data[:role] = 'host'
+      true
+    end
+
+    # Detect paravirt KVM/QEMU from cpuinfo, report as KVM
+    def detect_kvm_from_cpuinfo
+      return false unless inspec.file('/proc/cpuinfo').content =~ /QEMU Virtual CPU|Common KVM processor|Common 32-bit KVM processor/
+      @virtualization_data[:system] = 'kvm'
+      @virtualization_data[:role] = 'guest'
+      true
+    end
+
+    # Detect KVM systems via /sys
+    # guests will have the hypervisor cpu feature that hosts don't have
+    def detect_kvm_from_sys
+      return false unless inspec.file('/sys/devices/virtual/misc/kvm').exist?
+      @virtualization_data[:system] = 'kvm'
+      if inspec.file('/proc/cpuinfo').content =~ /hypervisor/
+        @virtualization_data[:role] = 'guest'
+      else
+        @virtualization_data[:role] = 'host'
+      end
+      true
+    end
+
+    # Detect OpenVZ / Virtuozzo.
+    # http://wiki.openvz.org/BC_proc_entries
+    def detect_openvz
+      if inspec.file('/proc/bc/0').exist?
+        @virtualization_data[:system] = 'openvz'
+        @virtualization_data[:role] = 'host'
+      elsif inspec.file('/proc/vz').exist?
+        @virtualization_data[:system] = 'openvz'
+        @virtualization_data[:role] = 'guest'
+      else
+        return false
+      end
+      true
+    end
+
+    # Detect Parallels virtual machine from pci devices
+    def detect_parallels
+      return false unless inspec.file('/proc/bus/pci/devices').content =~ /1ab84000/
+      @virtualization_data[:system] = 'parallels'
+      @virtualization_data[:role] = 'guest'
+      true
+    end
+
+    # Detect Linux-VServer
+    def detect_linux_vserver
+      return false unless inspec.file('/proc/self/status').exist?
+      proc_self_status = inspec.file('/proc/self/status').content
+      vxid = proc_self_status.match(/^(s_context|VxID):\s*(\d+)$/)
+      return false unless vxid && vxid[2]
+      @virtualization_data[:system] = 'linux-vserver'
+      if vxid[2] == '0'
+        @virtualization_data[:role] = 'host'
+      else
+        @virtualization_data[:role] = 'guest'
+      end
+      true
+    end
+
+    # Detect LXC/Docker
+    #
+    # /proc/self/cgroup will look like this inside a docker container:
+    # <index #>:<subsystem>:/lxc/<hexadecimal container id>
+    #
+    # /proc/self/cgroup could have a name including alpha/digit/dashes
+    # <index #>:<subsystem>:/lxc/<named container id>
+    #
+    # /proc/self/cgroup could have a non-lxc cgroup name indicating other uses
+    # of cgroups.  This is probably not LXC/Docker.
+    # <index #>:<subsystem>:/Charlie
+    #
+    # A host which supports cgroups, and has capacity to host lxc containers,
+    # will show the subsystems and root (/) namespace.
+    # <index #>:<subsystem>:/
+    #
+    # Full notes, https://tickets.opscode.com/browse/OHAI-551
+    # Kernel docs, https://www.kernel.org/doc/Documentation/cgroups
+    def detect_lxc_docker
+      return false unless inspec.file('/proc/self/cgroup').exist?
+      cgroup_content = inspec.file('/proc/self/cgroup').content
+      if cgroup_content =~ %r{^\d+:[^:]+:/(lxc|docker)/.+$} ||
+          cgroup_content =~ %r{^\d+:[^:]+:/[^/]+/(lxc|docker)-.+$} # rubocop:disable Layout/MultilineOperationIndentation
+        @virtualization_data[:system] = $1 # rubocop:disable Style/PerlBackrefs
+        @virtualization_data[:role] = 'guest'
+      elsif lxc_version_exists? && cgroup_content =~ %r{\d:[^:]+:/$}
+        # lxc-version shouldn't be installed by default
+        # Even so, it is likely we are on an LXC capable host that is not being used as such
+        # So we're cautious here to not overwrite other existing values (OHAI-573)
+        unless @virtualization_data[:system] && @virtualization_data[:role]
+          @virtualization_data[:system] = 'lxc'
+          @virtualization_data[:role] = 'host'
+        end
+      else
+        return false
+      end
+      true
+    end
+
+    def detect_docker
+      return false unless inspec.file('/.dockerenv').exist? || inspec.file('/.dockerinit').exist?
+      @virtualization_data[:system] = 'docker'
+      @virtualization_data[:role] = 'guest'
+      true
+    end
+
+    # Detect LXD
+    # See https://github.com/lxc/lxd/blob/master/doc/dev-lxd.md
+    def detect_lxd
+      if inspec.file('/dev/lxd/sock').exist?
+        @virtualization_data[:system] = 'lxd'
+        @virtualization_data[:role] = 'guest'
+      elsif inspec.file('/var/lib/lxd/devlxd').exist?
+        @virtualization_data[:system] = 'lxd'
+        @virtualization_data[:role] = 'host'
+      else
+        return false
+      end
+      true
+    end
+
+    def collect_data_linux # rubocop:disable Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity
+      # This avoids doing multiple detections in a single test
+      return unless @virtualization_data.empty?
+
+      # each detect method will return true if it matched and was successfully
+      # able to populate @virtualization_data with stuff.
+      return if detect_xen
+      return if detect_virtualbox
+      return if detect_openstack
+      return if detect_kvm_from_cpuinfo
+      return if detect_kvm_from_sys
+      return if detect_openvz
+      return if detect_parallels
+      return if detect_linux_vserver
+      return if detect_lxc_docker
+      return if detect_docker
+      return if detect_lxd
+    end
+  end
+end

data/lib/resources/windows_feature.rb

@@ -0,0 +1,84 @@
+# encoding: utf-8
+
+# check for a Windows feature
+# Usage:
+# describe windows_feature('DHCP Server') do
+#   it{ should be_installed }
+# end
+#
+# deprecated serverspec syntax:
+# describe windows_feature('IIS-Webserver') do
+#   it{ should be_installed.by("dism") }
+# end
+#
+# describe windows_feature('Web-Webserver') do
+#   it{ should be_installed.by("powershell") }
+# end
+#
+# This implementation uses the Get-WindowsFeature commandlet:
+# Get-WindowsFeature | Where-Object {$_.Name -eq 'XPS Viewer' -or $_.DisplayName -eq 'XPS Viewe
+# r'} | Select-Object -Property Name,DisplayName,Description,Installed,InstallState | ConvertTo-Json
+# {
+#     "Name":  "XPS-Viewer",
+#     "DisplayName":  "XPS Viewer",
+#     "Description":  "The XPS Viewer is used to read, set permissions for, and digitally sign XPS documents.",
+#     "Installed":  false,
+#     "InstallState":  0
+# }
+module Inspec::Resources
+  class WindowsFeature < Inspec.resource(1)
+    name 'windows_feature'
+    supports platform: 'windows'
+    desc 'Use the windows_feature InSpec audit resource to test features on Microsoft Windows.'
+    example "
+      describe windows_feature('dhcp') do
+        it { should be_installed }
+      end
+    "
+
+    def initialize(feature)
+      @feature = feature
+      @cache = nil
+
+      # verify that this resource is only supported on Windows
+      return skip_resource 'The `windows_feature` resource is not supported on your OS.' if !inspec.os.windows?
+    end
+
+    # returns true if the package is installed
+    def installed?(_provider = nil, _version = nil)
+      info[:installed] == true
+    end
+
+    # returns the package description
+    def info
+      return @cache if !@cache.nil?
+      features_cmd = "Get-WindowsFeature | Where-Object {$_.Name -eq '#{@feature}' -or $_.DisplayName -eq '#{@feature}'} | Select-Object -Property Name,DisplayName,Description,Installed,InstallState | ConvertTo-Json"
+      cmd = inspec.command(features_cmd)
+
+      @cache = {
+        name: @feature,
+        type: 'windows-feature',
+      }
+
+      # cannot rely on exit code for now, successful command returns exit code 1
+      # return nil if cmd.exit_status != 0
+      # try to parse json
+      begin
+        params = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        return @cache
+      end
+
+      @cache = {
+        name: params['Name'],
+        description: params['Description'],
+        installed: params['Installed'],
+        type: 'windows-feature',
+      }
+    end
+
+    def to_s
+      "Windows Feature '#{@feature}'"
+    end
+  end
+end

data/lib/resources/windows_hotfix.rb

@@ -0,0 +1,35 @@
+# encoding: utf-8
+
+module Inspec::Resources
+  class WindowsHotfix < Inspec.resource(1)
+    name 'windows_hotfix'
+    supports platform: 'windows'
+    desc 'Use the windows_hotfix InSpec audit resource to test if the hotfix has been installed on the Windows system.'
+    example "
+      describe windows_hotfix('KB4012212') do
+        it { should be_installed }
+      end
+    "
+
+    attr_accessor :content
+
+    def initialize(hotfix_id = nil)
+      @id = hotfix_id.upcase
+      @content = nil
+      os = inspec.os
+      return skip_resource 'The `windows_hotfix` resource is not a feature of your OS.' unless os.windows?
+      query = "get-hotfix -id #{@id}"
+      cmd = inspec.powershell(query)
+      @content = cmd.stdout
+    end
+
+    def to_s
+      "Windows Hotfix #{@id}"
+    end
+
+    def installed?
+      return false if @content.nil?
+      @content.include?(@id)
+    end
+  end
+end

data/lib/resources/windows_task.rb

@@ -0,0 +1,102 @@
+# encoding: utf-8
+module Inspec::Resources
+  class WindowsTasks < Inspec.resource(1)
+    name 'windows_task'
+    supports platform: 'windows'
+    desc 'Use the windows_task InSpec audit resource to test task schedules on Microsoft Windows.'
+    example "
+      describe windows_task('\\Microsoft\\Windows\\Time Synchronization\\SynchronizeTime') do
+        it { should be_enabled }
+      end
+
+      describe windows_task('\\Microsoft\\Windows\\AppID\\PolicyConverter') do
+        it { should be_disabled }
+      end
+
+      describe windows_task('\\Microsoft\\Windows\\Defrag\\ScheduledDefrag') do
+        it { should exist }
+      end
+
+      describe windows_task('\\Microsoft\\Windows\\AppID\\PolicyConverter') do
+        its('logon_mode') { should eq 'Interactive/Background' }
+        its('last_result') { should eq '1' }
+        its('task_to_run') { should cmp '%Windir%\\system32\\appidpolicyconverter.exe' }
+        its('run_as_user') { should eq 'LOCAL SERVICE' }
+      end
+    "
+
+    def initialize(taskuri)
+      @taskuri = taskuri
+      @cache = nil
+    end
+
+    def exists?
+      return true unless info.nil? || info[:uri].nil?
+      false
+    end
+
+    # rubocop:disable Style/WordArray
+    def enabled?
+      return false if info.nil? || info[:state].nil?
+      ['Ready', 'Running'].include?(info[:state])
+    end
+
+    def disabled?
+      return false if info.nil? || info[:state].nil?
+      info[:scheduled_task_state] == 'Disabled' || info[:state] == 'Disabled'
+    end
+
+    def logon_mode
+      info[:logon_mode]
+    end
+
+    def last_result
+      info[:last_result]
+    end
+
+    def task_to_run
+      info[:task_to_run].to_s.strip
+    end
+
+    def run_as_user
+      info[:run_as_user]
+    end
+
+    def type
+      info[:type] unless info.nil?
+    end
+
+    def info
+      return @cache unless @cache.nil?
+      # PowerShell v5 has Get-ScheduledTask cmdlet,
+      # _using something with backward support to v3_
+      # script = "Get-ScheduledTask | ? { $_.URI -eq '#{@taskuri}' } | Select-Object URI,@{N='State';E={$_.State.ToString()}} | ConvertTo-Json"
+
+      # Using schtasks as suggested by @modille but aligning property names to match cmdlet to future proof.
+      script = "schtasks /query /v /fo csv /tn '#{@taskuri}' | ConvertFrom-Csv | Select @{N='URI';E={$_.TaskName}},@{N='State';E={$_.Status.ToString()}},'Logon Mode','Last Result','Task To Run','Run As User','Scheduled Task State' | ConvertTo-Json -Compress"
+
+      cmd = inspec.powershell(script)
+
+      begin
+        params = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        return nil
+      end
+
+      @cache = {
+        uri: params['URI'],
+        state: params['State'],
+        logon_mode: params['Logon Mode'],
+        last_result: params['Last Result'],
+        task_to_run: params['Task To Run'],
+        run_as_user: params['Run As User'],
+        scheduled_task_state: params['Scheduled Task State'],
+        type: 'windows-task',
+      }
+    end
+
+    def to_s
+      "Windows Task '#{@taskuri}'"
+    end
+  end
+end