inspec-core 4.22.1 → 4.23.11

data/lib/inspec/resources/postgres.rb

@@ -19,7 +19,7 @@ module Inspec::Resources
         @conf_path = File.join @conf_dir, "postgresql.conf"
       else
         @conf_path = nil
-        return skip_resource "Seems like PostgreSQL is not installed on your system"
+        skip_resource "Seems like PostgreSQL is not installed on your system"
       end
     end
 

data/lib/inspec/resources/postgres_session.rb

@@ -26,12 +26,13 @@ module Inspec::Resources
     supports platform: "windows"
     desc "Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database."
     example <<~EXAMPLE
-      sql = postgres_session('username', 'password', 'host')
+      sql = postgres_session('username', 'password', 'host', 'port')
       query('sql_query', ['database_name'])` contains the query and (optional) database to execute
 
       # default values:
       # username: 'postgres'
       # host: 'localhost'
+      # port: 5432
       # db: databse == db_user running the sql query
 
       describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
@@ -39,15 +40,16 @@ module Inspec::Resources
       end
     EXAMPLE
 
-    def initialize(user, pass, host = nil)
+    def initialize(user, pass, host = nil, port = nil)
       @user = user || "postgres"
       @pass = pass
       @host = host || "localhost"
+      @port = port || 5432
     end
 
     def query(query, db = [])
       psql_cmd = create_psql_cmd(query, db)
-      cmd = inspec.command(psql_cmd)
+      cmd = inspec.command(psql_cmd, redact_regex: /(PGPASSWORD=').+(' psql .*)/)
       out = cmd.stdout + "\n" + cmd.stderr
       if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
         Lines.new(out, "PostgreSQL query with errors: #{query}")
@@ -64,7 +66,7 @@ module Inspec::Resources
 
     def create_psql_cmd(query, db = [])
       dbs = db.map { |x| "-d #{x}" }.join(" ")
-      "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c #{escaped_query(query)}"
+      "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}"
     end
   end
 end

data/lib/inspec/resources/processes.rb

@@ -138,7 +138,7 @@ module Inspec::Resources
           command: 8,
         }
       else
-        command = "ps axo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command"
+        command = "ps wwaxo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command"
         regex = /^(.+?)\s+(\d+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(\w{3} \d{2}|\d{2}:\d{2}:\d{2})\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
         field_map = {
           label: 1,

data/lib/inspec/resources/service.rb

@@ -141,7 +141,7 @@ module Inspec::Resources
         elsif version > 0
           SysV.new(inspec, service_ctl || "/usr/sbin/service")
         end
-      when "redhat", "fedora", "centos", "oracle", "cloudlinux"
+      when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific"
         version = os[:release].to_i
 
         systemd = ((platform != "fedora" && version >= 7) ||

data/lib/inspec/resources/users.rb

@@ -20,7 +20,7 @@ module Inspec::Resources
         WindowsUser.new(inspec)
       elsif ["darwin"].include?(os[:family])
         DarwinUser.new(inspec)
-      elsif ["freebsd"].include?(os[:family])
+      elsif ["bsd"].include?(os[:family])
         FreeBSDUser.new(inspec)
       elsif ["aix"].include?(os[:family])
         AixUser.new(inspec)

data/lib/inspec/resources/windows_firewall.rb

@@ -0,0 +1,110 @@
+module Inspec::Resources
+  class WindowsFirewall < Inspec.resource(1)
+    name "windows_firewall"
+    supports platform: "windows"
+    desc "Check properties of the Windows Firewall for a specific profile."
+    example <<~EXAMPLE
+      describe windows_firewall("Public") do
+        it { should be_enabled }
+        its("default_inbound_action") { should_not cmp "NotConfigured" }
+        its("num_rules") { should be 19 }
+      end
+    EXAMPLE
+
+    def initialize(profile = "Public")
+      @profile = profile
+      @state = {}
+
+      load_profile_cmd = load_firewall_profile(profile)
+      cmd = inspec.powershell(load_profile_cmd)
+
+      @state = JSON.load(cmd.stdout) unless cmd.stdout.empty?
+    end
+
+    def to_s
+      "Windows Firewall (Profile #{@profile})"
+    end
+
+    def exist?
+      !@state.empty?
+    end
+
+    def enabled?
+      @state["enabled"]
+    end
+
+    def default_inbound_allowed?
+      @state["default_inbound_action"] == "Allow"
+    end
+
+    def default_outbound_allowed?
+      @state["default_outbound_action"] == "Allow"
+    end
+
+    # Access to return values from Powershell via `its("PROPERTY")` and `have_PROPERTY "VALUE"`
+    def method_missing(method_name, *arguments, &_block)
+      property = normalize_for_have_access(method_name)
+
+      if method_name.to_s.start_with? "has_"
+        expected_value = arguments.first
+        respond_to_have(property, expected_value)
+      else
+        access_property(property)
+      end
+    end
+
+    def respond_to_missing?(method_name, _include_private = false)
+      property = normalize_for_have_access(method_name)
+
+      @state.key? property
+    end
+
+    private
+
+    def normalize_for_have_access(property)
+      property.to_s
+        .delete_prefix("has_")
+        .delete_suffix("?")
+    end
+
+    def access_property(property)
+      @state[property]
+    end
+
+    def respond_to_have(property, value)
+      @state[property] == value
+    end
+
+    def load_firewall_profile(profile_name)
+      <<-EOH
+        Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+        $profile = Get-NetFirewallProfile -Name "#{profile_name}"
+        $count = @($profile | Get-NetFirewallRule).Count
+        ([PSCustomObject]@{
+          profile_name = $profile.Name
+          profile = $profile.Profile.ToString()
+          description = $profile.Description
+          enabled = [bool]::Parse($profile.Enabled.ToString())
+          default_inbound_action = $profile.DefaultInboundAction.ToString()
+          default_outbound_action = $profile.DefaultOutboundAction.ToString()
+
+          allow_inbound_rules = $profile.AllowInboundRules.ToString()
+          allow_local_firewall_rules = $profile.AllowLocalFirewallRules.ToString()
+          allow_local_ipsec_rules = $profile.AllowLocalIPsecRules.ToString()
+          allow_user_apps = $profile.AllowUserApps.ToString()
+          allow_user_ports = $profile.AllowUserPorts.ToString()
+          allow_unicast_response_to_multicast = $profile.AllowUnicastResponseToMulticast.ToString()
+
+          notify_on_listen = $profile.NotifyOnListen.ToString()
+          enable_stealth_mode_for_ipsec = $profile.EnableStealthModeForIPsec.ToString()
+          log_max_size_kilobytes = $profile.LogMaxSizeKilobytes
+          log_allowed = $profile.LogAllowed.ToString()
+          log_blocked = $profile.LogBlocked.ToString()
+          log_ignored = $profile.LogIgnored.ToString()
+
+          num_rules = $count
+        }) | ConvertTo-Json
+      EOH
+    end
+  end
+end

data/lib/inspec/resources/windows_firewall_rule.rb

@@ -0,0 +1,137 @@
+module Inspec::Resources
+  class WindowsFirewallRule < Inspec.resource(1)
+    name "windows_firewall_rule"
+    supports platform: "windows"
+    desc "Check properties of a Windows Firewall rule."
+    example <<~EXAMPLE
+      describe windows_firewall_rule("Name") do
+        it { should exist }
+        it { should be_enabled }
+
+        it { should be_outbound}
+        it { should be_tcp }
+        it { should have_remote_port 80 }
+      end
+    EXAMPLE
+
+    def initialize(name)
+      @name = name
+      @state = {}
+
+      query = load_firewall_state(name)
+      cmd = inspec.powershell(query)
+      @state = JSON.load(cmd.stdout) unless cmd.stdout.empty?
+    end
+
+    def to_s
+      "Windows Firewall Rule #{@name}"
+    end
+
+    def exist?
+      !@state.empty?
+    end
+
+    def enabled?
+      @state["enabled"]
+    end
+
+    def allowed?
+      @state["action"] == "Allow"
+    end
+
+    def inbound?
+      @state["direction"] == "Inbound"
+    end
+
+    def outbound?
+      ! inbound?
+    end
+
+    def tcp?
+      @state["protocol"] == "TCP"
+    end
+
+    def udp?
+      @state["protocol"] == "UDP"
+    end
+
+    def icmp?
+      @state["protocol"].start_with? "ICMP"
+    end
+
+    def icmpv4?
+      @state["protocol"] == "ICMPv4"
+    end
+
+    def icmpv6?
+      @state["protocol"] == "ICMPv6"
+    end
+
+    # Access to return values from Powershell via `its("PROPERTY")` and `have_PROPERTY? "VALUE"`
+    def method_missing(method_name, *arguments, &_block)
+      property = normalize_for_have_access(method_name)
+
+      if method_name.to_s.start_with? "has_"
+        expected_value = arguments.first
+        respond_to_have(property, expected_value)
+      else
+        access_property(property)
+      end
+    end
+
+    def respond_to_missing?(method_name, _include_private = false)
+      property = normalize_for_have_access(method_name)
+
+      @state.key? property
+    end
+
+    private
+
+    def normalize_for_have_access(property)
+      property.to_s
+        .delete_prefix("has_")
+        .delete_suffix("?")
+    end
+
+    def access_property(property)
+      @state[property]
+    end
+
+    def respond_to_have(property, value)
+      @state[property] == value
+    end
+
+    # Taken from Chef, but changed `firewall_action` to `action` for consistency
+    # @see https://github.com/chef/chef/blob/master/lib/chef/resource/windows_firewall_rule.rb
+    def load_firewall_state(rule_name)
+      <<-EOH
+        Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M
+        $rule = Get-NetFirewallRule -Name "#{rule_name}"
+        $addressFilter = $rule | Get-NetFirewallAddressFilter
+        $portFilter = $rule | Get-NetFirewallPortFilter
+        $applicationFilter = $rule | Get-NetFirewallApplicationFilter
+        $serviceFilter = $rule | Get-NetFirewallServiceFilter
+        $interfaceTypeFilter = $rule | Get-NetFirewallInterfaceTypeFilter
+        ([PSCustomObject]@{
+          rule_name = $rule.Name
+          description = $rule.Description
+          displayname = $rule.DisplayName
+          group = $rule.Group
+          local_address = $addressFilter.LocalAddress
+          local_port = $portFilter.LocalPort
+          remote_address = $addressFilter.RemoteAddress
+          remote_port = $portFilter.RemotePort
+          direction = $rule.Direction.ToString()
+          protocol = $portFilter.Protocol
+          icmp_type = $portFilter.IcmpType
+          action = $rule.Action.ToString()
+          profile = $rule.Profile.ToString()
+          program = $applicationFilter.Program
+          service = $serviceFilter.Service
+          interface_type = $interfaceTypeFilter.InterfaceType.ToString()
+          enabled = [bool]::Parse($rule.Enabled.ToString())
+        }) | ConvertTo-Json
+      EOH
+    end
+  end
+end

data/lib/inspec/run_data/profile.rb

@@ -96,11 +96,12 @@ module Inspec
           # There are probably others
           :value,
           :type,
-          :required
+          :required,
+          :sensitive
         ) do
           include HashLikeStruct
           def initialize(raw_opts_data)
-            %i{value type required}.each { |f| self[f] = raw_opts_data[f] }
+            %i{value type required sensitive}.each { |f| self[f] = raw_opts_data[f] }
           end
         end
       end

data/lib/inspec/schema/exec_json.rb

@@ -74,7 +74,7 @@ module Inspec
         },
       }, [CONTROL_DESCRIPTION, Primitives::REFERENCE, Primitives::SOURCE_LOCATION, CONTROL_RESULT])
 
-      # Based loosely on https://www.inspec.io/docs/reference/profiles/ as of July 3, 2019
+      # Based loosely on https://docs.chef.io/inspec/profiles/ as of July 3, 2019
       # However, concessions were made to the reality of current reporters, specifically
       # with how description is omitted and version/inspec_version aren't as advertised online
       PROFILE = Primitives::SchemaType.new("Exec JSON Profile", {

data/lib/inspec/shell.rb

@@ -1,4 +1,4 @@
-require "pry"
+autoload :Pry, "pry"
 
 module Inspec
   # A pry based shell for inspec. Given a runner (with a configured backend and
@@ -137,7 +137,7 @@ module Inspec
         end
 
         info += "#{mark "Web Reference:"}\n\n"
-        info += "https://www.inspec.io/docs/reference/resources/#{topic}\n\n"
+        info += "https://docs.chef.io/inspec/resources/#{topic}\n\n"
         puts info
       else
         begin
@@ -208,7 +208,7 @@ module Inspec
 
           its('content') { should_not match /^MyKey:\\s+some value/ }
 
-        For more examples, see: https://www.inspec.io/docs/reference/matchers/
+        For more examples, see: https://docs.chef.io/inspec/matchers/
 
       EOL
     end

data/lib/inspec/utils/parser.rb

@@ -84,7 +84,7 @@ module Inspec
         end
 
         # parse device and type
-        mount_options    = { device: mount[0], type: mount[4] }
+        mount_options = { device: mount[0], type: mount[4] }
 
         if compatibility == false
           # parse options as array

data/lib/inspec/utils/run_data_filters.rb

@@ -0,0 +1,104 @@
+module Inspec
+  module Utils
+    #   RunDataFilters is a mixin for core Reporters and plugin reporters.
+    # The methods operate on the run_data Hash (prior to any conversion to a
+    # full RunData object).
+    #   All methods here operate using the run_data accessor and modify
+    # its contents in place (if needed).
+    module RunDataFilters
+
+      # Long name, but we want to be clear this operates on the Hash
+      # This is the only method that client libraries need to call; any future
+      # feature growth should be handled internally here.
+      def apply_run_data_filters_to_hash
+        @config[:runtime_config] = Inspec::Config.cached || {}
+        apply_report_resize_options
+        redact_sensitive_inputs
+        suppress_diff_output
+        sort_controls
+      end
+
+      # Apply options such as message truncation and removal of backtraces
+      def apply_report_resize_options
+        runtime_config = @config[:runtime_config]
+
+        message_truncation = runtime_config[:reporter_message_truncation] || "ALL"
+        @trunc = message_truncation == "ALL" ? -1 : message_truncation.to_i
+        include_backtrace = runtime_config[:reporter_backtrace_inclusion].nil? ? true : runtime_config[:reporter_backtrace_inclusion]
+
+        @run_data[:profiles]&.each do |p|
+          p[:controls].each do |c|
+            c[:results]&.map! do |r|
+              r.delete(:backtrace) unless include_backtrace
+              process_message_truncation(r)
+            end
+          end
+        end
+      end
+
+      # Find any inputs with :sensitive = true and replace their values with "***"
+      def redact_sensitive_inputs
+        @run_data[:profiles]&.each do |p|
+          p[:inputs]&.each do |i|
+            next unless i[:options][:sensitive]
+
+            i[:options][:value] = "***"
+          end
+        end
+      end
+
+      # Optionally suppress diff output in the message field
+      def suppress_diff_output
+        return if @config[:runtime_config][:diff]
+
+        @run_data[:profiles]&.each do |p|
+          p[:controls]&.each do |c|
+            c[:results]&.each do |r|
+              next unless r[:message] # :message only set on failure
+
+              pos = r[:message].index("\n\nDiff:")
+              next unless pos # Only textual tests get Diffs
+
+              r[:message] = r[:message].slice(0, pos)
+            end
+          end
+        end
+      end
+
+      # Optionally sort controls within each profile in report
+      def sort_controls
+        sort_type = @config[:runtime_config][:sort_results_by]
+        return unless sort_type
+        return if sort_type == "none"
+
+        @run_data[:profiles]&.each do |p|
+          p[:controls] ||= []
+          p[:groups] ||= []
+
+          case sort_type
+          when "control"
+            p[:controls].sort_by! { |c| c[:id] }
+          when "random"
+            p[:controls].shuffle!
+          when "file"
+            # Sort the controls by file, but preserve order within the file.
+            # Files are called "groups" in the run_data, and the filename is in the id.
+            sorted_control_ids = p[:groups].sort_by { |g| g[:id] }.map { |g| g[:controls] }.flatten
+            controls_by_id = {}
+            p[:controls].each { |c| controls_by_id[c[:id]] = c }
+            p[:controls] = sorted_control_ids.map { |cid| controls_by_id[cid] }
+          end
+        end
+      end
+
+      private
+
+      def process_message_truncation(result)
+        if result.key?(:message) && result[:message] != "" && @trunc > -1 && result[:message].length > @trunc
+          result[:message] = result[:message][0...@trunc] + "[Truncated to #{@trunc} characters]"
+        end
+        result
+      end
+    end
+  end
+end