inspec-core 4.3.2 → 4.6.3
- checksums.yaml +4 -4
- data/README.md +37 -21
- data/etc/deprecations.json +10 -0
- data/etc/plugin_filters.json +8 -0
- data/lib/bundles/inspec-compliance/api.rb +1 -1
- data/lib/bundles/inspec-compliance/configuration.rb +1 -1
- data/lib/bundles/inspec-compliance/http.rb +1 -1
- data/lib/bundles/inspec-compliance/support.rb +1 -1
- data/lib/bundles/inspec-compliance/target.rb +1 -1
- data/lib/bundles/inspec-supermarket.rb +3 -7
- data/lib/bundles/inspec-supermarket/api.rb +10 -13
- data/lib/bundles/inspec-supermarket/cli.rb +12 -15
- data/lib/bundles/inspec-supermarket/target.rb +7 -11
- data/lib/fetchers/git.rb +14 -15
- data/lib/fetchers/local.rb +6 -10
- data/lib/fetchers/mock.rb +3 -5
- data/lib/fetchers/url.rb +42 -44
- data/lib/inspec.rb +23 -24
- data/lib/inspec/archive/tar.rb +2 -6
- data/lib/inspec/archive/zip.rb +3 -7
- data/lib/inspec/backend.rb +8 -9
- data/lib/inspec/base_cli.rb +64 -65
- data/lib/inspec/cached_fetcher.rb +2 -3
- data/lib/inspec/cli.rb +136 -97
- data/lib/inspec/config.rb +71 -61
- data/lib/inspec/control_eval_context.rb +22 -18
- data/lib/inspec/dependencies/cache.rb +2 -3
- data/lib/inspec/dependencies/dependency_set.rb +2 -3
- data/lib/inspec/dependencies/lockfile.rb +8 -9
- data/lib/inspec/dependencies/requirement.rb +7 -8
- data/lib/inspec/dependencies/resolver.rb +5 -7
- data/lib/inspec/describe.rb +2 -6
- data/lib/inspec/dist.rb +20 -0
- data/lib/inspec/dsl.rb +4 -7
- data/lib/inspec/dsl_shared.rb +1 -2
- data/lib/inspec/env_printer.rb +11 -12
- data/lib/inspec/errors.rb +0 -4
- data/lib/inspec/exceptions.rb +0 -1
- data/lib/inspec/expect.rb +5 -8
- data/lib/inspec/fetcher.rb +7 -10
- data/lib/inspec/file_provider.rb +24 -24
- data/lib/inspec/formatters.rb +3 -3
- data/lib/inspec/formatters/base.rb +8 -8
- data/lib/inspec/globals.rb +2 -2
- data/lib/inspec/impact.rb +5 -7
- data/lib/inspec/input_registry.rb +84 -33
- data/lib/inspec/library_eval_context.rb +3 -6
- data/lib/inspec/log.rb +1 -5
- data/lib/inspec/metadata.rb +17 -16
- data/lib/inspec/method_source.rb +5 -9
- data/lib/inspec/objects.rb +10 -12
- data/lib/inspec/objects/control.rb +7 -9
- data/lib/inspec/objects/describe.rb +9 -11
- data/lib/inspec/objects/each_loop.rb +1 -3
- data/lib/inspec/objects/input.rb +24 -26
- data/lib/inspec/objects/list.rb +4 -6
- data/lib/inspec/objects/or_test.rb +2 -4
- data/lib/inspec/objects/ruby_helper.rb +3 -5
- data/lib/inspec/objects/tag.rb +0 -2
- data/lib/inspec/objects/test.rb +9 -11
- data/lib/inspec/objects/value.rb +3 -5
- data/lib/inspec/plugin/v1.rb +2 -2
- data/lib/inspec/plugin/v1/plugin_types/cli.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/fetcher.rb +2 -5
- data/lib/inspec/plugin/v1/plugin_types/resource.rb +4 -6
- data/lib/inspec/plugin/v1/plugin_types/secret.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/source_reader.rb +1 -5
- data/lib/inspec/plugin/v1/plugins.rb +15 -19
- data/lib/inspec/plugin/v1/registry.rb +0 -4
- data/lib/inspec/plugin/v2.rb +8 -8
- data/lib/inspec/plugin/v2/activator.rb +1 -1
- data/lib/inspec/plugin/v2/config_file.rb +6 -6
- data/lib/inspec/plugin/v2/filter.rb +13 -13
- data/lib/inspec/plugin/v2/installer.rb +36 -24
- data/lib/inspec/plugin/v2/loader.rb +28 -28
- data/lib/inspec/plugin/v2/plugin_base.rb +15 -2
- data/lib/inspec/plugin/v2/plugin_types/cli.rb +5 -5
- data/lib/inspec/plugin/v2/plugin_types/input.rb +34 -0
- data/lib/inspec/plugin/v2/plugin_types/mock.rb +1 -1
- data/lib/inspec/plugin/v2/registry.rb +7 -7
- data/lib/inspec/polyfill.rb +0 -3
- data/lib/inspec/profile.rb +55 -63
- data/lib/inspec/profile_context.rb +27 -30
- data/lib/inspec/profile_vendor.rb +6 -9
- data/lib/inspec/reporters.rb +24 -24
- data/lib/inspec/reporters/automate.rb +17 -19
- data/lib/inspec/reporters/base.rb +1 -1
- data/lib/inspec/reporters/cli.rb +88 -91
- data/lib/inspec/reporters/json.rb +2 -4
- data/lib/inspec/reporters/json_automate.rb +1 -3
- data/lib/inspec/reporters/json_min.rb +1 -3
- data/lib/inspec/reporters/junit.rb +26 -28
- data/lib/inspec/reporters/yaml.rb +1 -3
- data/lib/inspec/require_loader.rb +0 -4
- data/lib/inspec/resource.rb +4 -125
- data/lib/inspec/resources.rb +121 -0
- data/lib/{resources → inspec/resources}/aide_conf.rb +24 -25
- data/lib/{resources → inspec/resources}/apache.rb +13 -14
- data/lib/{resources → inspec/resources}/apache_conf.rb +16 -17
- data/lib/{resources → inspec/resources}/apt.rb +17 -17
- data/lib/{resources → inspec/resources}/audit_policy.rb +7 -6
- data/lib/{resources → inspec/resources}/auditd.rb +62 -64
- data/lib/{resources → inspec/resources}/auditd_conf.rb +7 -8
- data/lib/{resources → inspec/resources}/bash.rb +6 -8
- data/lib/{resources → inspec/resources}/bond.rb +15 -14
- data/lib/{resources → inspec/resources}/bridge.rb +8 -8
- data/lib/{resources → inspec/resources}/chocolatey_package.rb +10 -8
- data/lib/{resources → inspec/resources}/command.rb +11 -10
- data/lib/{resources → inspec/resources}/cpan.rb +12 -12
- data/lib/{resources → inspec/resources}/cran.rb +9 -9
- data/lib/{resources → inspec/resources}/crontab.rb +47 -48
- data/lib/{resources → inspec/resources}/csv.rb +5 -5
- data/lib/{resources → inspec/resources}/dh_params.rb +5 -7
- data/lib/{resources → inspec/resources}/directory.rb +5 -7
- data/lib/{resources → inspec/resources}/docker.rb +63 -63
- data/lib/{resources → inspec/resources}/docker_container.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_image.rb +9 -9
- data/lib/{resources → inspec/resources}/docker_object.rb +8 -13
- data/lib/{resources → inspec/resources}/docker_plugin.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_service.rb +7 -7
- data/lib/{resources → inspec/resources}/elasticsearch.rb +40 -42
- data/lib/{resources → inspec/resources}/etc_fstab.rb +23 -24
- data/lib/{resources → inspec/resources}/etc_group.rb +26 -27
- data/lib/{resources → inspec/resources}/etc_hosts.rb +11 -13
- data/lib/{resources → inspec/resources}/etc_hosts_allow_deny.rb +25 -27
- data/lib/{resources → inspec/resources}/file.rb +80 -79
- data/lib/{resources → inspec/resources}/filesystem.rb +20 -15
- data/lib/{resources → inspec/resources}/firewalld.rb +26 -26
- data/lib/{resources → inspec/resources}/gem.rb +12 -12
- data/lib/{resources → inspec/resources}/groups.rb +28 -27
- data/lib/{resources → inspec/resources}/grub_conf.rb +46 -48
- data/lib/{resources → inspec/resources}/host.rb +31 -29
- data/lib/{resources → inspec/resources}/http.rb +24 -24
- data/lib/{resources → inspec/resources}/iis_app.rb +6 -7
- data/lib/{resources → inspec/resources}/iis_app_pool.rb +21 -19
- data/lib/{resources → inspec/resources}/iis_site.rb +17 -15
- data/lib/{resources → inspec/resources}/inetd_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/ini.rb +7 -8
- data/lib/{resources → inspec/resources}/interface.rb +30 -30
- data/lib/{resources → inspec/resources}/iptables.rb +8 -8
- data/lib/{resources → inspec/resources}/json.rb +8 -10
- data/lib/{resources → inspec/resources}/kernel_module.rb +15 -15
- data/lib/{resources → inspec/resources}/kernel_parameter.rb +8 -8
- data/lib/{resources → inspec/resources}/key_rsa.rb +8 -10
- data/lib/{resources → inspec/resources}/ksh.rb +6 -8
- data/lib/{resources → inspec/resources}/limits_conf.rb +8 -9
- data/lib/{resources/login_def.rb → inspec/resources/login_defs.rb} +9 -10
- data/lib/{resources → inspec/resources}/mount.rb +6 -8
- data/lib/{resources → inspec/resources}/mssql_session.rb +16 -18
- data/lib/inspec/resources/mysql.rb +81 -0
- data/lib/{resources → inspec/resources}/mysql_conf.rb +13 -14
- data/lib/{resources → inspec/resources}/mysql_session.rb +16 -16
- data/lib/{resources → inspec/resources}/nginx.rb +16 -17
- data/lib/{resources → inspec/resources}/nginx_conf.rb +26 -27
- data/lib/{resources → inspec/resources}/npm.rb +9 -10
- data/lib/{resources → inspec/resources}/ntp_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/oneget.rb +8 -8
- data/lib/{resources → inspec/resources}/oracledb_session.rb +33 -34
- data/lib/{resources → inspec/resources}/os.rb +6 -8
- data/lib/{resources → inspec/resources}/os_env.rb +11 -12
- data/lib/{resources → inspec/resources}/package.rb +66 -65
- data/lib/{resources → inspec/resources}/packages.rb +13 -13
- data/lib/{resources → inspec/resources}/parse_config.rb +8 -8
- data/lib/{resources → inspec/resources}/passwd.rb +18 -19
- data/lib/{resources → inspec/resources}/pip.rb +19 -19
- data/lib/{resources → inspec/resources}/platform.rb +9 -11
- data/lib/{resources → inspec/resources}/port.rb +134 -136
- data/lib/{resources → inspec/resources}/postgres.rb +40 -32
- data/lib/{resources → inspec/resources}/postgres_conf.rb +17 -17
- data/lib/{resources → inspec/resources}/postgres_hba_conf.rb +21 -23
- data/lib/{resources → inspec/resources}/postgres_ident_conf.rb +12 -14
- data/lib/{resources → inspec/resources}/postgres_session.rb +8 -9
- data/lib/{resources → inspec/resources}/powershell.rb +17 -13
- data/lib/{resources → inspec/resources}/processes.rb +29 -29
- data/lib/{resources/rabbitmq_conf.rb → inspec/resources/rabbitmq_config.rb} +10 -11
- data/lib/{resources → inspec/resources}/registry_key.rb +14 -14
- data/lib/inspec/resources/script.rb +1 -0
- data/lib/{resources → inspec/resources}/security_identifier.rb +11 -10
- data/lib/{resources → inspec/resources}/security_policy.rb +59 -58
- data/lib/{resources → inspec/resources}/service.rb +74 -75
- data/lib/{resources → inspec/resources}/shadow.rb +44 -45
- data/lib/{resources/ssh_conf.rb → inspec/resources/ssh_config.rb} +16 -17
- data/lib/{resources → inspec/resources}/ssl.rb +28 -29
- data/lib/inspec/resources/sys_info.rb +30 -0
- data/lib/{resources → inspec/resources}/toml.rb +5 -7
- data/lib/{resources → inspec/resources}/users.rb +65 -65
- data/lib/{resources → inspec/resources}/vbscript.rb +8 -9
- data/lib/{resources → inspec/resources}/virtualization.rb +60 -62
- data/lib/{resources → inspec/resources}/windows_feature.rb +9 -9
- data/lib/{resources → inspec/resources}/windows_hotfix.rb +5 -5
- data/lib/{resources → inspec/resources}/windows_task.rb +16 -15
- data/lib/{resources → inspec/resources}/wmi.rb +7 -8
- data/lib/{resources → inspec/resources}/x509_certificate.rb +9 -11
- data/lib/{resources/xinetd.rb → inspec/resources/xinetd_conf.rb} +27 -29
- data/lib/{resources → inspec/resources}/xml.rb +7 -7
- data/lib/{resources → inspec/resources}/yaml.rb +5 -6
- data/lib/{resources → inspec/resources}/yum.rb +10 -10
- data/lib/{resources → inspec/resources}/zfs_dataset.rb +6 -6
- data/lib/{resources → inspec/resources}/zfs_pool.rb +4 -4
- data/lib/inspec/rspec_extensions.rb +24 -8
- data/lib/inspec/rule.rb +14 -15
- data/lib/inspec/runner.rb +28 -28
- data/lib/inspec/runner_mock.rb +1 -5
- data/lib/inspec/runner_rspec.rb +18 -20
- data/lib/inspec/runtime_profile.rb +2 -5
- data/lib/inspec/schema.rb +142 -143
- data/lib/inspec/secrets.rb +3 -7
- data/lib/inspec/secrets/yaml.rb +3 -5
- data/lib/inspec/shell.rb +11 -15
- data/lib/inspec/shell_detector.rb +6 -7
- data/lib/inspec/source_reader.rb +4 -8
- data/lib/inspec/ui.rb +33 -39
- data/lib/inspec/ui_table_helper.rb +12 -0
- data/lib/{utils → inspec/utils}/command_wrapper.rb +4 -8
- data/lib/{utils → inspec/utils}/convert.rb +0 -4
- data/lib/{utils → inspec/utils}/database_helpers.rb +4 -8
- data/lib/inspec/utils/deprecation.rb +6 -0
- data/lib/{utils → inspec/utils}/deprecation/config_file.rb +19 -19
- data/lib/{utils → inspec/utils}/deprecation/deprecator.rb +12 -12
- data/lib/{utils → inspec/utils}/deprecation/errors.rb +1 -1
- data/lib/{utils → inspec/utils}/deprecation/global_method.rb +2 -2
- data/lib/{utils → inspec/utils}/enumerable_delegation.rb +0 -2
- data/lib/{utils → inspec/utils}/erlang_parser.rb +61 -65
- data/lib/{utils → inspec/utils}/file_reader.rb +1 -2
- data/lib/{utils → inspec/utils}/filter.rb +30 -33
- data/lib/{utils → inspec/utils}/filter_array.rb +0 -2
- data/lib/{utils → inspec/utils}/find_files.rb +9 -12
- data/lib/{utils → inspec/utils}/hash.rb +1 -5
- data/lib/inspec/utils/json_log.rb +15 -0
- data/lib/inspec/utils/latest_version.rb +13 -0
- data/lib/{utils → inspec/utils}/modulator.rb +0 -3
- data/lib/{utils → inspec/utils}/nginx_parser.rb +31 -35
- data/lib/{utils → inspec/utils}/object_traversal.rb +0 -3
- data/lib/{utils → inspec/utils}/parser.rb +45 -45
- data/lib/{utils → inspec/utils}/pkey_reader.rb +4 -2
- data/lib/{utils → inspec/utils}/simpleconfig.rb +8 -10
- data/lib/{utils → inspec/utils}/spdx.rb +1 -4
- data/lib/{utils → inspec/utils}/spdx.txt +0 -0
- data/lib/inspec/utils/telemetry.rb +3 -3
- data/lib/inspec/utils/telemetry/collector.rb +30 -9
- data/lib/inspec/utils/telemetry/data_series.rb +3 -1
- data/lib/inspec/utils/telemetry/global_methods.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +22 -25
- data/lib/plugins/inspec-artifact/lib/inspec-artifact.rb +1 -1
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +52 -45
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/cli.rb +18 -16
- data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb +1 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +73 -73
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +66 -62
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +59 -57
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/configuration.rb +11 -11
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/http.rb +20 -22
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/support.rb +2 -4
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +30 -27
- data/lib/plugins/inspec-habitat/Berksfile +2 -2
- data/lib/plugins/inspec-habitat/lib/inspec-habitat.rb +1 -1
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/cli.rb +15 -13
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb +64 -63
- data/lib/plugins/inspec-habitat/templates/habitat/hooks/run.erb +3 -3
- data/lib/plugins/inspec-habitat/templates/habitat/plan.sh.erb +11 -11
- data/lib/plugins/inspec-init/lib/inspec-init.rb +1 -1
- data/lib/plugins/inspec-init/lib/inspec-init/cli.rb +6 -8
- data/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb +72 -74
- data/lib/plugins/inspec-init/lib/inspec-init/cli_profile.rb +9 -11
- data/lib/plugins/inspec-init/lib/inspec-init/renderer.rb +4 -4
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Gemfile +0 -1
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb +0 -2
- data/lib/plugins/inspec-init/templates/profiles/os/controls/example.rb +6 -7
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli.rb +1 -2
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +72 -70
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/plugin.rb +1 -1
- data/lib/plugins/shared/core_plugin_test_helper.rb +43 -38
- data/lib/source_readers/flat.rb +6 -10
- data/lib/source_readers/inspec.rb +8 -12
- metadata +139 -140
- data/lib/resources/mysql.rb +0 -82
- data/lib/resources/sys_info.rb +0 -28
- data/lib/utils/deprecation.rb +0 -6
- data/lib/utils/json_log.rb +0 -18
- data/lib/utils/latest_version.rb +0 -22
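--- a/data/lib/resources/apache.rb
+++ b/data/lib/inspec/resources/apache.rb
@@ -1,11 +1,10 @@
-# encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
 
 module Inspec::Resources
 class Apache < Inspec.resource(1)
-name
-supports platform:
-desc
+name "apache"
+supports platform: "unix"
+desc "Use the apache InSpec audit resource to retrieve Apache environment settings."
 example <<~EXAMPLE
 describe apache do
 its ('service') { should cmp 'apache2' }
@@ -26,23 +25,23 @@ module Inspec::Resources
 
 attr_reader :service, :conf_dir, :conf_path, :user
 def initialize
-Inspec.deprecate(:resource_apache,
+Inspec.deprecate(:resource_apache, "The apache resource is deprecated")
 
 if inspec.os.debian?
-@service =
-@conf_dir =
-@conf_path = File.join @conf_dir,
-@user =
+@service = "apache2"
+@conf_dir = "/etc/apache2/"
+@conf_path = File.join @conf_dir, "apache2.conf"
+@user = "www-data"
 else
-@service =
-@conf_dir =
-@conf_path = File.join @conf_dir,
-@user =
+@service = "httpd"
+@conf_dir = "/etc/httpd/"
+@conf_path = File.join @conf_dir, "/conf/httpd.conf"
+@user = "apache"
 end
 end
 
 def to_s
-
+"Apache Environment"
 end
 end
 end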
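Review bot: In the non-Debian branch of `initialize`, `@conf_path = File.join @conf_dir, "/conf/httpd.conf"` joins a directory that already ends in `/` with a component that starts with `/`, while the Debian branch passes `"apache2.conf"` with no leading slash; the path only comes out right because `File.join` collapses the doubled separator at the join point. For consistency with the sibling branch, `@conf_path = File.join @conf_dir, "conf/httpd.conf"` reads more plainly and does not lean on that behaviour. Dropping the `# encoding: utf-8` magic comment in the first hunk is harmless, since UTF-8 has been the default source encoding since Ruby 2.0.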
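--- a/data/lib/resources/apache_conf.rb
+++ b/data/lib/inspec/resources/apache_conf.rb
@@ -1,16 +1,15 @@
-# encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
 
-require
-require
-require
+require "inspec/utils/simpleconfig"
+require "inspec/utils/find_files"
+require "inspec/utils/file_reader"
 
 module Inspec::Resources
 class ApacheConf < Inspec.resource(1)
-name
-supports platform:
-supports platform:
-desc
+name "apache_conf"
+supports platform: "linux"
+supports platform: "debian"
+desc "Use the apache_conf InSpec audit resource to test the configuration settings for Apache. This file is typically located under /etc/apache2 on the Debian and Ubuntu platforms and under /etc/httpd on the Fedora, CentOS, Red Hat Enterprise Linux, and Arch Linux platforms. The configuration settings may vary significantly from platform to platform."
 example <<~EXAMPLE
 describe apache_conf do
 its('setting_name') { should eq 'value' }
@@ -52,7 +51,7 @@ module Inspec::Resources
 end
 
 def filter_comments(data)
-content =
+content = ""
 data.each_line do |line|
 if !line.match(/^\s*#/)
 content << line
@@ -62,7 +61,7 @@ module Inspec::Resources
 end
 
 def read_content
-@content =
+@content = ""
 @params = {}
 
 read_file_content(conf_path)
@@ -83,7 +82,7 @@ module Inspec::Resources
 params = SimpleConfig.new(
 raw_conf,
 assignment_regex: /^\s*(\S+)\s+['"]*((?=.*\s+$).*?|.*?)['"]*\s*$/,
-multiple_values: true
+multiple_values: true
 ).params
 
 # Capture any characters between quotes that are not escaped in values
@@ -108,14 +107,14 @@ module Inspec::Resources
 
 def include_files(params)
 # see if there is more config files to include
-include_files = params[
-include_files_optional = params[
+include_files = params["Include"] || []
+include_files_optional = params["IncludeOptional"] || []
 
 includes = []
 (include_files + include_files_optional).each do |f|
 id = Pathname.new(f).absolute? ? f : File.join(conf_dir, f)
-files = find_files(id, depth: 1, type:
-files += find_files(id, depth: 1, type:
+files = find_files(id, depth: 1, type: "file")
+files += find_files(id, depth: 1, type: "link")
 
 includes.push(files) if files
 end
@@ -148,9 +147,9 @@ module Inspec::Resources
 
 def default_conf_path
 if inspec.os.debian?
-
+"/etc/apache2/apache2.conf"
 else
-
+"/etc/httpd/conf/httpd.conf"
 end
 end
 end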
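Review bot: `content = ""` in `filter_comments` (hunk `@@ -52,7 +51,7 @@`) and `@content = ""` in `read_content` create a literal that is then mutated with `content << line`; now that the `# encoding` magic comment is being removed, a later `# frozen_string_literal: true` pragma in these files would turn that append into a FrozenError. Writing `content = +""` (or `String.new`) makes the buffer explicitly mutable and survives that change. On the unchanged line just below, `if !line.match(/^\s*#/)` builds a MatchData it never reads; `unless line.match?(/^\s*#/)` is the idiomatic, allocation-free guard. The body of `filter_comments` continues past the end of the hunk.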
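--- a/data/lib/resources/apt.rb
+++ b/data/lib/inspec/resources/apt.rb
@@ -1,4 +1,4 @@
-
+require "inspec/resources/command"
 
 # Verifies apt and ppa repositories
 #
@@ -24,13 +24,13 @@
 # apt-get install software-properties-common
 # add-apt-repository ppa:ubuntu-wine/ppa
 
-require
+require "uri"
 
 module Inspec::Resources
 class AptRepository < Inspec.resource(1)
-name
-supports platform:
-desc
+name "apt"
+supports platform: "unix"
+desc "Use the apt InSpec audit resource to verify Apt repositories on the Debian and Ubuntu platforms, and also PPA repositories on the Ubuntu platform."
 example <<~EXAMPLE
 describe apt('nginx/stable') do
 it { should exist }
@@ -45,7 +45,7 @@ module Inspec::Resources
 @deb_url = determine_ppa_url(ppa_name)
 else
 # this resource is only supported on ubuntu and debian
-skip_resource
+skip_resource "The `apt` resource is not supported on your OS yet."
 end
 end
 
@@ -67,10 +67,10 @@ module Inspec::Resources
 private
 
 def find_repo
-read_debs.select { |repo| repo[:url] == @deb_url && repo[:type] ==
+read_debs.select { |repo| repo[:url] == @deb_url && repo[:type] == "deb" }
 end
 
-HTTP_URL_RE = /\A#{URI::DEFAULT_PARSER.make_regexp(%w{http https})}\z
+HTTP_URL_RE = /\A#{URI::DEFAULT_PARSER.make_regexp(%w{http https})}\z/.freeze
 
 # read
 def read_debs
@@ -84,7 +84,7 @@ module Inspec::Resources
 active = true
 
 # detect if the repo is commented out
-line = raw_line.gsub(/^(#\s*)*/,
+line = raw_line.gsub(/^(#\s*)*/, "")
 active = false if raw_line != line
 
 # eg.: deb http://archive.ubuntu.com/ubuntu/ wily main restricted
@@ -99,10 +99,10 @@ module Inspec::Resources
 type: parse_repo[1],
 url: parse_repo[2],
 distro: parse_repo[3],
-components: parse_repo[4].chomp.split(
+components: parse_repo[4].chomp.split(" "),
 active: active,
 }
-next unless [
+next unless ["deb", "deb-src"].include? repo[:type]
 
 lines.push(repo)
 end
@@ -116,19 +116,19 @@ module Inspec::Resources
 # otherwise start generating the ppa url
 
 # special care if the name stats with :
-ppa_url = ppa_url.split(
+ppa_url = ppa_url.split(":")[1] if ppa_url.start_with?("ppa:")
 
 # parse ppa owner and repo
-ppa_owner, ppa_repo = ppa_url.split(
-ppa_repo =
+ppa_owner, ppa_repo = ppa_url.split("/")
+ppa_repo = "ppa" if ppa_repo.nil?
 
 # construct new ppa url and return it
-format(
+format("http://ppa.launchpad.net/%s/%s/ubuntu", ppa_owner, ppa_repo)
 end
 end
 
 class PpaRepository < AptRepository
-name
+name "ppa"
 
 def exists?
 deprecated
@@ -141,7 +141,7 @@ module Inspec::Resources
 end
 
 def deprecated
-Inspec.deprecate(:resource_ppa,
+Inspec.deprecate(:resource_ppa, "The `ppa` resource is deprecated. Please use `apt`")
 end
 end
 end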
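Review bot: In `determine_ppa_url` (hunk `@@ -116,19 +116,19 @@`), `ppa_url = ppa_url.split(":")[1] if ppa_url.start_with?("ppa:")` yields `nil` for a bare `"ppa:"` argument, so the next line's `ppa_url.split("/")` fails with NoMethodError rather than a message that names the bad input; `ppa_url = ppa_url.sub(/\Appa:/, "")` strips the prefix without that hole and without truncating at a later colon. The generated URL is fixed to `http://ppa.launchpad.net/...` and `find_repo` compares it to the parsed sources with `==`, so a sources.list entry that spells the same PPA with `https://` will not be matched; if that is intended it deserves a comment on the `format(...)` line. The start of `determine_ppa_url` lies outside the hunk.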
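--- a/data/lib/resources/audit_policy.rb
+++ b/data/lib/inspec/resources/audit_policy.rb
@@ -1,4 +1,5 @@
-
+require "inspec/resources/command"
+
 # copyright: 2015, Vulcano Security GmbH
 
 # Advanced Auditing:
@@ -23,9 +24,9 @@
 
 module Inspec::Resources
 class AuditPolicy < Inspec.resource(1)
-name
-supports platform:
-desc
+name "audit_policy"
+supports platform: "windows"
+desc "Use the audit_policy InSpec audit resource to test auditing policies on the Microsoft Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each enabled auditing category property, the auditing level may be set to No Auditing, Not Specified, Success, Success and Failure, or Failure."
 example <<~EXAMPLE
 describe audit_policy do
 its('parameter') { should eq 'value' }
@@ -50,14 +51,14 @@ module Inspec::Resources
 values = nil
 unless target.nil?
 # split csv values and return value
-values = target.split(
+values = target.split(",")[4]
 end
 
 values
 end
 
 def to_s
-
+"Audit Policy"
 end
 end
 end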
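Review bot: `values = target.split(",")[4]` (hunk `@@ -50,14 +51,14 @@`) splits the CSV line on every comma, so a field that contains a quoted comma shifts the columns and the wrong value is returned silently; if the line is genuine CSV, `CSV.parse_line(target)[4]` with `require "csv"` handles quoting, though I cannot tell from the hunk whether `target` can contain quoted fields. The 400-character `desc` string on a single line in the second hunk would read better as a `<<~DESC` heredoc, matching the `example` block right below it. The method containing the split begins outside the hunk.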
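--- a/data/lib/resources/auditd.rb
+++ b/data/lib/inspec/resources/auditd.rb
@@ -1,9 +1,7 @@
-
-
-require
-require
-require 'utils/filter'
-require 'utils/parser'
+require "forwardable"
+require "inspec/utils/filter_array"
+require "inspec/utils/filter"
+require "inspec/utils/parser"
 
 module Inspec::Resources
 class AuditDaemon < Inspec.resource(1)
@@ -11,9 +9,9 @@ module Inspec::Resources
 attr_accessor :lines
 attr_reader :params
 
-name
-supports platform:
-desc
+name "auditd"
+supports platform: "unix"
+desc "Use the auditd InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files. These rules are output using the auditcl -l command."
 example <<~EXAMPLE
 describe auditd.syscall('chown').where {arch == 'b32'} do
 its('action') { should eq ['always'] }
@@ -30,12 +28,12 @@ module Inspec::Resources
 EXAMPLE
 
 def initialize
-unless inspec.command(
+unless inspec.command("/sbin/auditctl").exist?
 raise Inspec::Exceptions::ResourceFailed,
-
+"Command `/sbin/auditctl` does not exist"
 end
 
-auditctl_cmd =
+auditctl_cmd = "/sbin/auditctl -l"
 result = inspec.command(auditctl_cmd)
 
 if result.exit_status != 0
@@ -48,35 +46,35 @@ module Inspec::Resources
 
 if @content =~ /^LIST_RULES:/
 raise Inspec::Exceptions::RsourceFailed,
-
-
+"The version of audit is outdated." \
+"The `auditd` resource supports versions of audit >= 2.3."
 end
 parse_content
 end
 
 filter = FilterTable.create
-filter.register_column(:file, field:
-.register_column(:list, field:
-.register_column(:action, field:
-.register_column(:fields, field:
-.register_column(:fields_nokey, field:
-.register_column(:syscall, field:
-.register_column(:key, field:
-.register_column(:arch, field:
-.register_column(:path, field:
-.register_column(:permissions, field:
-.register_column(:exit, field:
+filter.register_column(:file, field: "file")
+.register_column(:list, field: "list")
+.register_column(:action, field: "action")
+.register_column(:fields, field: "fields")
+.register_column(:fields_nokey, field: "fields_nokey")
+.register_column(:syscall, field: "syscall")
+.register_column(:key, field: "key")
+.register_column(:arch, field: "arch")
+.register_column(:path, field: "path")
+.register_column(:permissions, field: "permissions")
+.register_column(:exit, field: "exit")
 
 filter.install_filter_methods_on_resource(self, :params)
 
 def status(name = nil)
-@status_content ||= inspec.command(
+@status_content ||= inspec.command("/sbin/auditctl -s").stdout.chomp
 
 # See: https://github.com/inspec/inspec/issues/3113
 if @status_content =~ /^AUDIT_STATUS/
-@status_content = @status_content.gsub(
-.tr(
-.tr(
+@status_content = @status_content.gsub("AUDIT_STATUS: ", "")
+.tr(" ", "\n")
+.tr("=", " ")
 end
 
 @status_params ||= Hash[@status_content.scan(/^([^ ]+) (.*)$/)]
@@ -107,19 +105,19 @@ module Inspec::Resources
 action, list = action_list_for(line)
 fields = rule_fields_for(line)
 key_field, fields_nokey = remove_key_from(fields)
-key = key_in(key_field.join(
+key = key_in(key_field.join(""))
 perms = perms_in(fields)
 
 @params.push(
 {
-
-
-
-
-
-
-
-}
+"file" => file,
+"list" => list,
+"action" => action,
+"fields" => fields,
+"permissions" => perms,
+"key" => key,
+"fields_nokey" => fields_nokey,
+}
 )
 end
 
@@ -128,7 +126,7 @@ module Inspec::Resources
 action, list = action_list_for(line)
 fields = rule_fields_for(line)
 key_field, fields_nokey = remove_key_from(fields)
-key = key_in(key_field.join(
+key = key_in(key_field.join(""))
 arch = arch_in(fields)
 path = path_in(fields)
 perms = perms_in(fields)
@@ -137,17 +135,17 @@ module Inspec::Resources
 syscalls.each do |s|
 @params.push(
 {
-
-
-
-
-
-
-
-
-
-
-}
+"syscall" => s,
+"list" => list,
+"action" => action,
+"fields" => fields,
+"key" => key,
+"arch" => arch,
+"path" => path,
+"permissions" => perms,
+"exit" => exit_field,
+"fields_nokey" => fields_nokey,
+}
 )
 end
 end
@@ -159,15 +157,15 @@ module Inspec::Resources
 
 @params.push(
 {
-
-
-
-}
+"file" => file,
+"key" => key,
+"permissions" => perms,
+}
 )
 end
 
 def to_s
-
+"Auditd Rules"
 end
 
 private
@@ -185,7 +183,7 @@ module Inspec::Resources
 end
 
 def syscalls_for(line)
-line.scan(/-S ([^ ]+)\s?/).flatten.first.split(
+line.scan(/-S ([^ ]+)\s?/).flatten.first.split(",")
 end
 
 def action_list_for(line)
@@ -193,7 +191,7 @@ module Inspec::Resources
 end
 
 def key_for(line)
-line.match(/-k ([^ ]+)\s?/)[1] if line.include?(
+line.match(/-k ([^ ]+)\s?/)[1] if line.include?("-k ")
 end
 
 def file_for(line)
@@ -209,44 +207,44 @@ module Inspec::Resources
 end
 
 def rule_fields_for(line)
-line.gsub(/-[aS] [^ ]+ /,
+line.gsub(/-[aS] [^ ]+ /, "").split("-F ").map { |l| l.split(" ") }.flatten
 end
 
 def arch_in(fields)
 fields.each do |field|
-return field.match(/arch=(\S+)\s?/)[1] if field.start_with?(
+return field.match(/arch=(\S+)\s?/)[1] if field.start_with?("arch=")
 end
 nil
 end
 
 def perms_in(fields)
 fields.each do |field|
-return field.match(/perm=(\S+)\s?/)[1].scan(/\w/) if field.start_with?(
+return field.match(/perm=(\S+)\s?/)[1].scan(/\w/) if field.start_with?("perm=")
 end
 nil
 end
 
 def path_in(fields)
 fields.each do |field|
-return field.match(/path=(\S+)\s?/)[1] if field.start_with?(
+return field.match(/path=(\S+)\s?/)[1] if field.start_with?("path=")
 end
 nil
 end
 
 def exit_in(fields)
 fields.each do |field|
-return field.match(/exit=(\S+)\s?/)[1] if field.start_with?(
+return field.match(/exit=(\S+)\s?/)[1] if field.start_with?("exit=")
 end
 nil
 end
 
 def key_in(field)
-_, v = field.split(
+_, v = field.split("=")
 v
 end
 
 def remove_key_from(fields)
-fields.partition { |x| x.start_with?
+fields.partition { |x| x.start_with? "key" }
 end
 end
 end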
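Review bot: The rewritten outdated-audit message in hunk `@@ -48,35 +46,35 @@` is raised through `Inspec::Exceptions::RsourceFailed` on the unchanged line above it, which differs from the `Inspec::Exceptions::ResourceFailed` used a few lines earlier in the same initializer; unless that misspelt constant exists somewhere, the branch raises NameError and the message never reaches the user, so it should read `raise Inspec::Exceptions::ResourceFailed,`. The two new literals `"The version of audit is outdated." \` and `"The `auditd` resource supports versions of audit >= 2.3."` are concatenated with no separator, producing `outdated.The`; a trailing space on the first literal fixes it. The new `desc` string in the second hunk says `auditcl -l` where the command is `auditctl -l`, as the later `auditctl_cmd` line shows. The `if @content =~ /^LIST_RULES:/` block appears to sit inside `initialize`, which opens in the previous hunk.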