inspec-core 4.21.3 → 4.23.4

data/lib/inspec/reporters/cli.rb

@@ -72,6 +72,7 @@ module Inspec::Reporters
         "Profile" => format_profile_name(profile),
         "Version" => profile[:version] || "(not specified)",
       }
+      header["Failure Message"] = profile[:status_message] if profile[:status] == "failed"
       header["Target"] = run_data[:platform][:target] unless run_data[:platform][:target].nil?
       header["Target ID"] = @config["target_id"] unless @config["target_id"].nil?
 

data/lib/inspec/reporters/json.rb

@@ -45,8 +45,8 @@ module Inspec::Reporters
     end
 
     def profiles
-      run_data[:profiles].map { |p|
-        {
+      run_data[:profiles].map do |p|
+        res = {
           name:            p[:name],
           version:         p[:version],
           sha256:          p[:sha256],
@@ -64,10 +64,15 @@ module Inspec::Reporters
           groups:          profile_groups(p),
           controls:        profile_controls(p),
           status:          p[:status],
-          skip_message:    p[:skip_message],
+          status_message:  p[:status_message],
           waiver_data:     p[:waiver_data],
         }.reject { |_k, v| v.nil? }
-      }
+
+        # For backwards compatibility
+        res[:skip_message] = res[:status_message] if res[:status] == "skipped"
+
+        res
+      end
     end
 
     def profile_groups(profile)

data/lib/inspec/resources/apt.rb

@@ -90,12 +90,14 @@ module Inspec::Resources
         # deb               "http://archive.ubuntu.com/ubuntu/" wily main restricted ...
         # deb               http://archive.ubuntu.com/ubuntu/ wily main restricted ...
         # deb [trusted=yes] http://archive.ubuntu.com/ubuntu/ wily main restricted ...
+        # deb cdrom:[Ubuntu 15.10 _Wily Werewolf_ - Release amd64 (20151021)]/ wily main restricted ...
 
         words = line.split
         words.delete_at 1 if words[1] && words[1].start_with?("[")
         type, url, distro, *components = words
         url = url.delete('"') if url
 
+        next if words[1] && words[1].start_with?("cdrom:") # skip unsupported apt-cdrom repos
         next if components.empty?
         next unless URI::HTTP === URI.parse(url)
         next unless %w{deb deb-src}.include? type

data/lib/inspec/resources/bridge.rb

@@ -27,7 +27,7 @@ module Inspec::Resources
       elsif inspec.os.windows?
         @bridge_provider = WindowsBridge.new(inspec)
       else
-        return skip_resource "The `bridge` resource is not supported on your OS yet."
+        skip_resource "The `bridge` resource is not supported on your OS yet."
       end
     end
 

data/lib/inspec/resources/host.rb

@@ -71,7 +71,7 @@ module Inspec::Resources
 
       missing_requirements = @host_provider.missing_requirements(protocol)
       unless missing_requirements.empty?
-        return skip_resource "The following requirements are not met for this resource: " \
+        skip_resource "The following requirements are not met for this resource: " \
           "#{missing_requirements.join(", ")}"
       end
     end

data/lib/inspec/resources/mount.rb

@@ -61,7 +61,7 @@ module Inspec::Resources
       os = inspec.os
       if os.linux?
         LinuxMounts.new(inspec)
-      elsif ["freebsd"].include?(os[:family])
+      elsif os.bsd?
         BsdMounts.new(inspec)
       end
     end

data/lib/inspec/resources/mysql_session.rb

@@ -4,6 +4,27 @@ require "inspec/resources/command"
 require "shellwords"
 
 module Inspec::Resources
+  class Lines
+    attr_reader :output, :stdout, :stderr, :exit_status
+
+    def initialize(raw, desc, exit_status)
+      @output = raw
+      @desc = desc
+      @exit_status = exit_status
+      # backwards compatibility
+      @stdout = raw
+      @stderr = raw
+    end
+
+    def lines
+      output.split("\n")
+    end
+
+    def to_s
+      @desc
+    end
+  end
+
   class MysqlSession < Inspec.resource(1)
     name "mysql_session"
     supports platform: "unix"
@@ -12,7 +33,7 @@ module Inspec::Resources
     example <<~EXAMPLE
       sql = mysql_session('my_user','password','host')
       describe sql.query('show databases like \'test\';') do
-        its('stdout') { should_not match(/test/) }
+        its('output') { should_not match(/test/) }
       end
     EXAMPLE
 
@@ -28,15 +49,17 @@ module Inspec::Resources
 
     def query(q, db = "")
       mysql_cmd = create_mysql_cmd(q, db)
-      cmd = inspec.command(mysql_cmd)
+      cmd = if !@pass.nil?
+              inspec.command(mysql_cmd, redact_regex: /(mysql -u\w+ -p).+(\s-(h|S).*)/)
+            else
+              inspec.command(mysql_cmd)
+            end
       out = cmd.stdout + "\n" + cmd.stderr
-      if out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error /
-        # skip this test if the server can't run the query
-        warn("Can't connect to MySQL instance for SQL checks.")
+      if cmd.exit_status != 0 || out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error:.*/
+        Lines.new(out, "MySQL query with errors: #{q}", cmd.exit_status)
+      else
+        Lines.new(cmd.stdout.strip, "MySQL query: #{q}", cmd.exit_status)
       end
-
-      # return the raw command output
-      cmd
     end
 
     def to_s

data/lib/inspec/resources/postgres.rb

@@ -19,7 +19,7 @@ module Inspec::Resources
         @conf_path = File.join @conf_dir, "postgresql.conf"
       else
         @conf_path = nil
-        return skip_resource "Seems like PostgreSQL is not installed on your system"
+        skip_resource "Seems like PostgreSQL is not installed on your system"
       end
     end
 

data/lib/inspec/resources/postgres_session.rb

@@ -26,12 +26,13 @@ module Inspec::Resources
     supports platform: "windows"
     desc "Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database."
     example <<~EXAMPLE
-      sql = postgres_session('username', 'password', 'host')
+      sql = postgres_session('username', 'password', 'host', 'port')
       query('sql_query', ['database_name'])` contains the query and (optional) database to execute
 
       # default values:
       # username: 'postgres'
       # host: 'localhost'
+      # port: 5432
       # db: databse == db_user running the sql query
 
       describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
@@ -39,15 +40,16 @@ module Inspec::Resources
       end
     EXAMPLE
 
-    def initialize(user, pass, host = nil)
+    def initialize(user, pass, host = nil, port = nil)
       @user = user || "postgres"
       @pass = pass
       @host = host || "localhost"
+      @port = port || 5432
     end
 
     def query(query, db = [])
       psql_cmd = create_psql_cmd(query, db)
-      cmd = inspec.command(psql_cmd)
+      cmd = inspec.command(psql_cmd, redact_regex: /(PGPASSWORD=').+(' psql .*)/)
       out = cmd.stdout + "\n" + cmd.stderr
       if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
         Lines.new(out, "PostgreSQL query with errors: #{query}")
@@ -64,7 +66,7 @@ module Inspec::Resources
 
     def create_psql_cmd(query, db = [])
       dbs = db.map { |x| "-d #{x}" }.join(" ")
-      "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c #{escaped_query(query)}"
+      "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}"
     end
   end
 end

data/lib/inspec/resources/processes.rb

@@ -138,7 +138,7 @@ module Inspec::Resources
           command: 8,
         }
       else
-        command = "ps axo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command"
+        command = "ps wwaxo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command"
         regex = /^(.+?)\s+(\d+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(\w{3} \d{2}|\d{2}:\d{2}:\d{2})\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
         field_map = {
           label: 1,

data/lib/inspec/resources/service.rb

@@ -141,7 +141,7 @@ module Inspec::Resources
         elsif version > 0
           SysV.new(inspec, service_ctl || "/usr/sbin/service")
         end
-      when "redhat", "fedora", "centos", "oracle", "cloudlinux"
+      when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific"
         version = os[:release].to_i
 
         systemd = ((platform != "fedora" && version >= 7) ||
@@ -154,7 +154,7 @@ module Inspec::Resources
         end
       when "wrlinux"
         SysV.new(inspec, service_ctl)
-      when "mac_os_x"
+      when "mac_os_x", "darwin"
         LaunchCtl.new(inspec, service_ctl)
       when "freebsd"
         BSDInit.new(inspec, service_ctl)

data/lib/inspec/resources/users.rb

@@ -20,7 +20,7 @@ module Inspec::Resources
         WindowsUser.new(inspec)
       elsif ["darwin"].include?(os[:family])
         DarwinUser.new(inspec)
-      elsif ["freebsd"].include?(os[:family])
+      elsif ["bsd"].include?(os[:family])
         FreeBSDUser.new(inspec)
       elsif ["aix"].include?(os[:family])
         AixUser.new(inspec)

data/lib/inspec/resources/windows_firewall.rb

@@ -0,0 +1,110 @@
+module Inspec::Resources
+  class WindowsFirewall < Inspec.resource(1)
+    name "windows_firewall"
+    supports platform: "windows"
+    desc "Check properties of the Windows Firewall for a specific profile."
+    example <<~EXAMPLE
+      describe windows_firewall("Public") do
+        it { should be_enabled }
+        its("default_inbound_action") { should_not cmp "NotConfigured" }
+        its("num_rules") { should be 19 }
+      end
+    EXAMPLE
+
+    def initialize(profile = "Public")
+      @profile = profile
+      @state = {}
+
+      load_profile_cmd = load_firewall_profile(profile)
+      cmd = inspec.powershell(load_profile_cmd)
+
+      @state = JSON.load(cmd.stdout) unless cmd.stdout.empty?
+    end
+
+    def to_s
+      "Windows Firewall (Profile #{@profile})"
+    end
+
+    def exist?
+      !@state.empty?
+    end
+
+    def enabled?
+      @state["enabled"]
+    end
+
+    def default_inbound_allowed?
+      @state["default_inbound_action"] == "Allow"
+    end
+
+    def default_outbound_allowed?
+      @state["default_outbound_action"] == "Allow"
+    end
+
+    # Access to return values from Powershell via `its("PROPERTY")` and `have_PROPERTY "VALUE"`
+    def method_missing(method_name, *arguments, &_block)
+      property = normalize_for_have_access(method_name)
+
+      if method_name.to_s.start_with? "has_"
+        expected_value = arguments.first
+        respond_to_have(property, expected_value)
+      else
+        access_property(property)
+      end
+    end
+
+    def respond_to_missing?(method_name, _include_private = false)
+      property = normalize_for_have_access(method_name)
+
+      @state.key? property
+    end
+
+    private
+
+    def normalize_for_have_access(property)
+      property.to_s
+        .delete_prefix("has_")
+        .delete_suffix("?")
+    end
+
+    def access_property(property)
+      @state[property]
+    end
+
+    def respond_to_have(property, value)
+      @state[property] == value
+    end
+
+    def load_firewall_profile(profile_name)
+      <<-EOH
+        Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+        $profile = Get-NetFirewallProfile -Name "#{profile_name}"
+        $count = @($profile | Get-NetFirewallRule).Count
+        ([PSCustomObject]@{
+          profile_name = $profile.Name
+          profile = $profile.Profile.ToString()
+          description = $profile.Description
+          enabled = [bool]::Parse($profile.Enabled.ToString())
+          default_inbound_action = $profile.DefaultInboundAction.ToString()
+          default_outbound_action = $profile.DefaultOutboundAction.ToString()
+
+          allow_inbound_rules = $profile.AllowInboundRules.ToString()
+          allow_local_firewall_rules = $profile.AllowLocalFirewallRules.ToString()
+          allow_local_ipsec_rules = $profile.AllowLocalIPsecRules.ToString()
+          allow_user_apps = $profile.AllowUserApps.ToString()
+          allow_user_ports = $profile.AllowUserPorts.ToString()
+          allow_unicast_response_to_multicast = $profile.AllowUnicastResponseToMulticast.ToString()
+
+          notify_on_listen = $profile.NotifyOnListen.ToString()
+          enable_stealth_mode_for_ipsec = $profile.EnableStealthModeForIPsec.ToString()
+          log_max_size_kilobytes = $profile.LogMaxSizeKilobytes
+          log_allowed = $profile.LogAllowed.ToString()
+          log_blocked = $profile.LogBlocked.ToString()
+          log_ignored = $profile.LogIgnored.ToString()
+
+          num_rules = $count
+        }) | ConvertTo-Json
+      EOH
+    end
+  end
+end

data/lib/inspec/resources/windows_firewall_rule.rb

@@ -0,0 +1,137 @@
+module Inspec::Resources
+  class WindowsFirewallRule < Inspec.resource(1)
+    name "windows_firewall_rule"
+    supports platform: "windows"
+    desc "Check properties of a Windows Firewall rule."
+    example <<~EXAMPLE
+      describe windows_firewall_rule("Name") do
+        it { should exist }
+        it { should be_enabled }
+
+        it { should be_outbound}
+        it { should be_tcp }
+        it { should have_remote_port 80 }
+      end
+    EXAMPLE
+
+    def initialize(name)
+      @name = name
+      @state = {}
+
+      query = load_firewall_state(name)
+      cmd = inspec.powershell(query)
+      @state = JSON.load(cmd.stdout) unless cmd.stdout.empty?
+    end
+
+    def to_s
+      "Windows Firewall Rule #{@name}"
+    end
+
+    def exist?
+      !@state.empty?
+    end
+
+    def enabled?
+      @state["enabled"]
+    end
+
+    def allowed?
+      @state["action"] == "Allow"
+    end
+
+    def inbound?
+      @state["direction"] == "Inbound"
+    end
+
+    def outbound?
+      ! inbound?
+    end
+
+    def tcp?
+      @state["protocol"] == "TCP"
+    end
+
+    def udp?
+      @state["protocol"] == "UDP"
+    end
+
+    def icmp?
+      @state["protocol"].start_with? "ICMP"
+    end
+
+    def icmpv4?
+      @state["protocol"] == "ICMPv4"
+    end
+
+    def icmpv6?
+      @state["protocol"] == "ICMPv6"
+    end
+
+    # Access to return values from Powershell via `its("PROPERTY")` and `have_PROPERTY? "VALUE"`
+    def method_missing(method_name, *arguments, &_block)
+      property = normalize_for_have_access(method_name)
+
+      if method_name.to_s.start_with? "has_"
+        expected_value = arguments.first
+        respond_to_have(property, expected_value)
+      else
+        access_property(property)
+      end
+    end
+
+    def respond_to_missing?(method_name, _include_private = false)
+      property = normalize_for_have_access(method_name)
+
+      @state.key? property
+    end
+
+    private
+
+    def normalize_for_have_access(property)
+      property.to_s
+        .delete_prefix("has_")
+        .delete_suffix("?")
+    end
+
+    def access_property(property)
+      @state[property]
+    end
+
+    def respond_to_have(property, value)
+      @state[property] == value
+    end
+
+    # Taken from Chef, but changed `firewall_action` to `action` for consistency
+    # @see https://github.com/chef/chef/blob/master/lib/chef/resource/windows_firewall_rule.rb
+    def load_firewall_state(rule_name)
+      <<-EOH
+        Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+        $rule = Get-NetFirewallRule -Name "#{rule_name}"
+        $addressFilter = $rule | Get-NetFirewallAddressFilter
+        $portFilter = $rule | Get-NetFirewallPortFilter
+        $applicationFilter = $rule | Get-NetFirewallApplicationFilter
+        $serviceFilter = $rule | Get-NetFirewallServiceFilter
+        $interfaceTypeFilter = $rule | Get-NetFirewallInterfaceTypeFilter
+        ([PSCustomObject]@{
+          rule_name = $rule.Name
+          description = $rule.Description
+          displayname = $rule.DisplayName
+          group = $rule.Group
+          local_address = $addressFilter.LocalAddress
+          local_port = $portFilter.LocalPort
+          remote_address = $addressFilter.RemoteAddress
+          remote_port = $portFilter.RemotePort
+          direction = $rule.Direction.ToString()
+          protocol = $portFilter.Protocol
+          icmp_type = $portFilter.IcmpType
+          action = $rule.Action.ToString()
+          profile = $rule.Profile.ToString()
+          program = $applicationFilter.Program
+          service = $serviceFilter.Service
+          interface_type = $interfaceTypeFilter.InterfaceType.ToString()
+          enabled = [bool]::Parse($rule.Enabled.ToString())
+        }) | ConvertTo-Json
+      EOH
+    end
+  end
+end