inspec-core 4.3.2 → 4.6.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +37 -21
- data/etc/deprecations.json +10 -0
- data/etc/plugin_filters.json +8 -0
- data/lib/bundles/inspec-compliance/api.rb +1 -1
- data/lib/bundles/inspec-compliance/configuration.rb +1 -1
- data/lib/bundles/inspec-compliance/http.rb +1 -1
- data/lib/bundles/inspec-compliance/support.rb +1 -1
- data/lib/bundles/inspec-compliance/target.rb +1 -1
- data/lib/bundles/inspec-supermarket.rb +3 -7
- data/lib/bundles/inspec-supermarket/api.rb +10 -13
- data/lib/bundles/inspec-supermarket/cli.rb +12 -15
- data/lib/bundles/inspec-supermarket/target.rb +7 -11
- data/lib/fetchers/git.rb +14 -15
- data/lib/fetchers/local.rb +6 -10
- data/lib/fetchers/mock.rb +3 -5
- data/lib/fetchers/url.rb +42 -44
- data/lib/inspec.rb +23 -24
- data/lib/inspec/archive/tar.rb +2 -6
- data/lib/inspec/archive/zip.rb +3 -7
- data/lib/inspec/backend.rb +8 -9
- data/lib/inspec/base_cli.rb +64 -65
- data/lib/inspec/cached_fetcher.rb +2 -3
- data/lib/inspec/cli.rb +136 -97
- data/lib/inspec/config.rb +71 -61
- data/lib/inspec/control_eval_context.rb +22 -18
- data/lib/inspec/dependencies/cache.rb +2 -3
- data/lib/inspec/dependencies/dependency_set.rb +2 -3
- data/lib/inspec/dependencies/lockfile.rb +8 -9
- data/lib/inspec/dependencies/requirement.rb +7 -8
- data/lib/inspec/dependencies/resolver.rb +5 -7
- data/lib/inspec/describe.rb +2 -6
- data/lib/inspec/dist.rb +20 -0
- data/lib/inspec/dsl.rb +4 -7
- data/lib/inspec/dsl_shared.rb +1 -2
- data/lib/inspec/env_printer.rb +11 -12
- data/lib/inspec/errors.rb +0 -4
- data/lib/inspec/exceptions.rb +0 -1
- data/lib/inspec/expect.rb +5 -8
- data/lib/inspec/fetcher.rb +7 -10
- data/lib/inspec/file_provider.rb +24 -24
- data/lib/inspec/formatters.rb +3 -3
- data/lib/inspec/formatters/base.rb +8 -8
- data/lib/inspec/globals.rb +2 -2
- data/lib/inspec/impact.rb +5 -7
- data/lib/inspec/input_registry.rb +84 -33
- data/lib/inspec/library_eval_context.rb +3 -6
- data/lib/inspec/log.rb +1 -5
- data/lib/inspec/metadata.rb +17 -16
- data/lib/inspec/method_source.rb +5 -9
- data/lib/inspec/objects.rb +10 -12
- data/lib/inspec/objects/control.rb +7 -9
- data/lib/inspec/objects/describe.rb +9 -11
- data/lib/inspec/objects/each_loop.rb +1 -3
- data/lib/inspec/objects/input.rb +24 -26
- data/lib/inspec/objects/list.rb +4 -6
- data/lib/inspec/objects/or_test.rb +2 -4
- data/lib/inspec/objects/ruby_helper.rb +3 -5
- data/lib/inspec/objects/tag.rb +0 -2
- data/lib/inspec/objects/test.rb +9 -11
- data/lib/inspec/objects/value.rb +3 -5
- data/lib/inspec/plugin/v1.rb +2 -2
- data/lib/inspec/plugin/v1/plugin_types/cli.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/fetcher.rb +2 -5
- data/lib/inspec/plugin/v1/plugin_types/resource.rb +4 -6
- data/lib/inspec/plugin/v1/plugin_types/secret.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/source_reader.rb +1 -5
- data/lib/inspec/plugin/v1/plugins.rb +15 -19
- data/lib/inspec/plugin/v1/registry.rb +0 -4
- data/lib/inspec/plugin/v2.rb +8 -8
- data/lib/inspec/plugin/v2/activator.rb +1 -1
- data/lib/inspec/plugin/v2/config_file.rb +6 -6
- data/lib/inspec/plugin/v2/filter.rb +13 -13
- data/lib/inspec/plugin/v2/installer.rb +36 -24
- data/lib/inspec/plugin/v2/loader.rb +28 -28
- data/lib/inspec/plugin/v2/plugin_base.rb +15 -2
- data/lib/inspec/plugin/v2/plugin_types/cli.rb +5 -5
- data/lib/inspec/plugin/v2/plugin_types/input.rb +34 -0
- data/lib/inspec/plugin/v2/plugin_types/mock.rb +1 -1
- data/lib/inspec/plugin/v2/registry.rb +7 -7
- data/lib/inspec/polyfill.rb +0 -3
- data/lib/inspec/profile.rb +55 -63
- data/lib/inspec/profile_context.rb +27 -30
- data/lib/inspec/profile_vendor.rb +6 -9
- data/lib/inspec/reporters.rb +24 -24
- data/lib/inspec/reporters/automate.rb +17 -19
- data/lib/inspec/reporters/base.rb +1 -1
- data/lib/inspec/reporters/cli.rb +88 -91
- data/lib/inspec/reporters/json.rb +2 -4
- data/lib/inspec/reporters/json_automate.rb +1 -3
- data/lib/inspec/reporters/json_min.rb +1 -3
- data/lib/inspec/reporters/junit.rb +26 -28
- data/lib/inspec/reporters/yaml.rb +1 -3
- data/lib/inspec/require_loader.rb +0 -4
- data/lib/inspec/resource.rb +4 -125
- data/lib/inspec/resources.rb +121 -0
- data/lib/{resources → inspec/resources}/aide_conf.rb +24 -25
- data/lib/{resources → inspec/resources}/apache.rb +13 -14
- data/lib/{resources → inspec/resources}/apache_conf.rb +16 -17
- data/lib/{resources → inspec/resources}/apt.rb +17 -17
- data/lib/{resources → inspec/resources}/audit_policy.rb +7 -6
- data/lib/{resources → inspec/resources}/auditd.rb +62 -64
- data/lib/{resources → inspec/resources}/auditd_conf.rb +7 -8
- data/lib/{resources → inspec/resources}/bash.rb +6 -8
- data/lib/{resources → inspec/resources}/bond.rb +15 -14
- data/lib/{resources → inspec/resources}/bridge.rb +8 -8
- data/lib/{resources → inspec/resources}/chocolatey_package.rb +10 -8
- data/lib/{resources → inspec/resources}/command.rb +11 -10
- data/lib/{resources → inspec/resources}/cpan.rb +12 -12
- data/lib/{resources → inspec/resources}/cran.rb +9 -9
- data/lib/{resources → inspec/resources}/crontab.rb +47 -48
- data/lib/{resources → inspec/resources}/csv.rb +5 -5
- data/lib/{resources → inspec/resources}/dh_params.rb +5 -7
- data/lib/{resources → inspec/resources}/directory.rb +5 -7
- data/lib/{resources → inspec/resources}/docker.rb +63 -63
- data/lib/{resources → inspec/resources}/docker_container.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_image.rb +9 -9
- data/lib/{resources → inspec/resources}/docker_object.rb +8 -13
- data/lib/{resources → inspec/resources}/docker_plugin.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_service.rb +7 -7
- data/lib/{resources → inspec/resources}/elasticsearch.rb +40 -42
- data/lib/{resources → inspec/resources}/etc_fstab.rb +23 -24
- data/lib/{resources → inspec/resources}/etc_group.rb +26 -27
- data/lib/{resources → inspec/resources}/etc_hosts.rb +11 -13
- data/lib/{resources → inspec/resources}/etc_hosts_allow_deny.rb +25 -27
- data/lib/{resources → inspec/resources}/file.rb +80 -79
- data/lib/{resources → inspec/resources}/filesystem.rb +20 -15
- data/lib/{resources → inspec/resources}/firewalld.rb +26 -26
- data/lib/{resources → inspec/resources}/gem.rb +12 -12
- data/lib/{resources → inspec/resources}/groups.rb +28 -27
- data/lib/{resources → inspec/resources}/grub_conf.rb +46 -48
- data/lib/{resources → inspec/resources}/host.rb +31 -29
- data/lib/{resources → inspec/resources}/http.rb +24 -24
- data/lib/{resources → inspec/resources}/iis_app.rb +6 -7
- data/lib/{resources → inspec/resources}/iis_app_pool.rb +21 -19
- data/lib/{resources → inspec/resources}/iis_site.rb +17 -15
- data/lib/{resources → inspec/resources}/inetd_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/ini.rb +7 -8
- data/lib/{resources → inspec/resources}/interface.rb +30 -30
- data/lib/{resources → inspec/resources}/iptables.rb +8 -8
- data/lib/{resources → inspec/resources}/json.rb +8 -10
- data/lib/{resources → inspec/resources}/kernel_module.rb +15 -15
- data/lib/{resources → inspec/resources}/kernel_parameter.rb +8 -8
- data/lib/{resources → inspec/resources}/key_rsa.rb +8 -10
- data/lib/{resources → inspec/resources}/ksh.rb +6 -8
- data/lib/{resources → inspec/resources}/limits_conf.rb +8 -9
- data/lib/{resources/login_def.rb → inspec/resources/login_defs.rb} +9 -10
- data/lib/{resources → inspec/resources}/mount.rb +6 -8
- data/lib/{resources → inspec/resources}/mssql_session.rb +16 -18
- data/lib/inspec/resources/mysql.rb +81 -0
- data/lib/{resources → inspec/resources}/mysql_conf.rb +13 -14
- data/lib/{resources → inspec/resources}/mysql_session.rb +16 -16
- data/lib/{resources → inspec/resources}/nginx.rb +16 -17
- data/lib/{resources → inspec/resources}/nginx_conf.rb +26 -27
- data/lib/{resources → inspec/resources}/npm.rb +9 -10
- data/lib/{resources → inspec/resources}/ntp_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/oneget.rb +8 -8
- data/lib/{resources → inspec/resources}/oracledb_session.rb +33 -34
- data/lib/{resources → inspec/resources}/os.rb +6 -8
- data/lib/{resources → inspec/resources}/os_env.rb +11 -12
- data/lib/{resources → inspec/resources}/package.rb +66 -65
- data/lib/{resources → inspec/resources}/packages.rb +13 -13
- data/lib/{resources → inspec/resources}/parse_config.rb +8 -8
- data/lib/{resources → inspec/resources}/passwd.rb +18 -19
- data/lib/{resources → inspec/resources}/pip.rb +19 -19
- data/lib/{resources → inspec/resources}/platform.rb +9 -11
- data/lib/{resources → inspec/resources}/port.rb +134 -136
- data/lib/{resources → inspec/resources}/postgres.rb +40 -32
- data/lib/{resources → inspec/resources}/postgres_conf.rb +17 -17
- data/lib/{resources → inspec/resources}/postgres_hba_conf.rb +21 -23
- data/lib/{resources → inspec/resources}/postgres_ident_conf.rb +12 -14
- data/lib/{resources → inspec/resources}/postgres_session.rb +8 -9
- data/lib/{resources → inspec/resources}/powershell.rb +17 -13
- data/lib/{resources → inspec/resources}/processes.rb +29 -29
- data/lib/{resources/rabbitmq_conf.rb → inspec/resources/rabbitmq_config.rb} +10 -11
- data/lib/{resources → inspec/resources}/registry_key.rb +14 -14
- data/lib/inspec/resources/script.rb +1 -0
- data/lib/{resources → inspec/resources}/security_identifier.rb +11 -10
- data/lib/{resources → inspec/resources}/security_policy.rb +59 -58
- data/lib/{resources → inspec/resources}/service.rb +74 -75
- data/lib/{resources → inspec/resources}/shadow.rb +44 -45
- data/lib/{resources/ssh_conf.rb → inspec/resources/ssh_config.rb} +16 -17
- data/lib/{resources → inspec/resources}/ssl.rb +28 -29
- data/lib/inspec/resources/sys_info.rb +30 -0
- data/lib/{resources → inspec/resources}/toml.rb +5 -7
- data/lib/{resources → inspec/resources}/users.rb +65 -65
- data/lib/{resources → inspec/resources}/vbscript.rb +8 -9
- data/lib/{resources → inspec/resources}/virtualization.rb +60 -62
- data/lib/{resources → inspec/resources}/windows_feature.rb +9 -9
- data/lib/{resources → inspec/resources}/windows_hotfix.rb +5 -5
- data/lib/{resources → inspec/resources}/windows_task.rb +16 -15
- data/lib/{resources → inspec/resources}/wmi.rb +7 -8
- data/lib/{resources → inspec/resources}/x509_certificate.rb +9 -11
- data/lib/{resources/xinetd.rb → inspec/resources/xinetd_conf.rb} +27 -29
- data/lib/{resources → inspec/resources}/xml.rb +7 -7
- data/lib/{resources → inspec/resources}/yaml.rb +5 -6
- data/lib/{resources → inspec/resources}/yum.rb +10 -10
- data/lib/{resources → inspec/resources}/zfs_dataset.rb +6 -6
- data/lib/{resources → inspec/resources}/zfs_pool.rb +4 -4
- data/lib/inspec/rspec_extensions.rb +24 -8
- data/lib/inspec/rule.rb +14 -15
- data/lib/inspec/runner.rb +28 -28
- data/lib/inspec/runner_mock.rb +1 -5
- data/lib/inspec/runner_rspec.rb +18 -20
- data/lib/inspec/runtime_profile.rb +2 -5
- data/lib/inspec/schema.rb +142 -143
- data/lib/inspec/secrets.rb +3 -7
- data/lib/inspec/secrets/yaml.rb +3 -5
- data/lib/inspec/shell.rb +11 -15
- data/lib/inspec/shell_detector.rb +6 -7
- data/lib/inspec/source_reader.rb +4 -8
- data/lib/inspec/ui.rb +33 -39
- data/lib/inspec/ui_table_helper.rb +12 -0
- data/lib/{utils → inspec/utils}/command_wrapper.rb +4 -8
- data/lib/{utils → inspec/utils}/convert.rb +0 -4
- data/lib/{utils → inspec/utils}/database_helpers.rb +4 -8
- data/lib/inspec/utils/deprecation.rb +6 -0
- data/lib/{utils → inspec/utils}/deprecation/config_file.rb +19 -19
- data/lib/{utils → inspec/utils}/deprecation/deprecator.rb +12 -12
- data/lib/{utils → inspec/utils}/deprecation/errors.rb +1 -1
- data/lib/{utils → inspec/utils}/deprecation/global_method.rb +2 -2
- data/lib/{utils → inspec/utils}/enumerable_delegation.rb +0 -2
- data/lib/{utils → inspec/utils}/erlang_parser.rb +61 -65
- data/lib/{utils → inspec/utils}/file_reader.rb +1 -2
- data/lib/{utils → inspec/utils}/filter.rb +30 -33
- data/lib/{utils → inspec/utils}/filter_array.rb +0 -2
- data/lib/{utils → inspec/utils}/find_files.rb +9 -12
- data/lib/{utils → inspec/utils}/hash.rb +1 -5
- data/lib/inspec/utils/json_log.rb +15 -0
- data/lib/inspec/utils/latest_version.rb +13 -0
- data/lib/{utils → inspec/utils}/modulator.rb +0 -3
- data/lib/{utils → inspec/utils}/nginx_parser.rb +31 -35
- data/lib/{utils → inspec/utils}/object_traversal.rb +0 -3
- data/lib/{utils → inspec/utils}/parser.rb +45 -45
- data/lib/{utils → inspec/utils}/pkey_reader.rb +4 -2
- data/lib/{utils → inspec/utils}/simpleconfig.rb +8 -10
- data/lib/{utils → inspec/utils}/spdx.rb +1 -4
- data/lib/{utils → inspec/utils}/spdx.txt +0 -0
- data/lib/inspec/utils/telemetry.rb +3 -3
- data/lib/inspec/utils/telemetry/collector.rb +30 -9
- data/lib/inspec/utils/telemetry/data_series.rb +3 -1
- data/lib/inspec/utils/telemetry/global_methods.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +22 -25
- data/lib/plugins/inspec-artifact/lib/inspec-artifact.rb +1 -1
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +52 -45
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/cli.rb +18 -16
- data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb +1 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +73 -73
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +66 -62
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +59 -57
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/configuration.rb +11 -11
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/http.rb +20 -22
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/support.rb +2 -4
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +30 -27
- data/lib/plugins/inspec-habitat/Berksfile +2 -2
- data/lib/plugins/inspec-habitat/lib/inspec-habitat.rb +1 -1
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/cli.rb +15 -13
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb +64 -63
- data/lib/plugins/inspec-habitat/templates/habitat/hooks/run.erb +3 -3
- data/lib/plugins/inspec-habitat/templates/habitat/plan.sh.erb +11 -11
- data/lib/plugins/inspec-init/lib/inspec-init.rb +1 -1
- data/lib/plugins/inspec-init/lib/inspec-init/cli.rb +6 -8
- data/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb +72 -74
- data/lib/plugins/inspec-init/lib/inspec-init/cli_profile.rb +9 -11
- data/lib/plugins/inspec-init/lib/inspec-init/renderer.rb +4 -4
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Gemfile +0 -1
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb +0 -2
- data/lib/plugins/inspec-init/templates/profiles/os/controls/example.rb +6 -7
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli.rb +1 -2
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +72 -70
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/plugin.rb +1 -1
- data/lib/plugins/shared/core_plugin_test_helper.rb +43 -38
- data/lib/source_readers/flat.rb +6 -10
- data/lib/source_readers/inspec.rb +8 -12
- metadata +139 -140
- data/lib/resources/mysql.rb +0 -82
- data/lib/resources/sys_info.rb +0 -28
- data/lib/utils/deprecation.rb +0 -6
- data/lib/utils/json_log.rb +0 -18
- data/lib/utils/latest_version.rb +0 -22
@@ -1,12 +1,10 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
require 'utils/parser'
|
4
|
-
require 'utils/file_reader'
|
1
|
+
require "inspec/utils/parser"
|
2
|
+
require "inspec/utils/file_reader"
|
5
3
|
|
6
4
|
module Inspec::Resources
|
7
5
|
class EtcHostsAllow < Inspec.resource(1)
|
8
|
-
name
|
9
|
-
supports platform:
|
6
|
+
name "etc_hosts_allow"
|
7
|
+
supports platform: "unix"
|
10
8
|
desc 'Use the etc_hosts_allow InSpec audit resource to test the connections
|
11
9
|
the client will allow. Controlled by the /etc/hosts.allow file.'
|
12
10
|
example <<~EXAMPLE
|
@@ -22,23 +20,23 @@ module Inspec::Resources
|
|
22
20
|
include FileReader
|
23
21
|
|
24
22
|
def initialize(hosts_allow_path = nil)
|
25
|
-
@conf_path = hosts_allow_path ||
|
23
|
+
@conf_path = hosts_allow_path || "/etc/hosts.allow"
|
26
24
|
@content = nil
|
27
25
|
@params = nil
|
28
26
|
read_content
|
29
27
|
end
|
30
28
|
|
31
29
|
filter = FilterTable.create
|
32
|
-
filter.register_column(:daemon, field:
|
33
|
-
.register_column(:client_list, field:
|
34
|
-
.register_column(:options, field:
|
30
|
+
filter.register_column(:daemon, field: "daemon")
|
31
|
+
.register_column(:client_list, field: "client_list")
|
32
|
+
.register_column(:options, field: "options")
|
35
33
|
|
36
34
|
filter.install_filter_methods_on_resource(self, :params)
|
37
35
|
|
38
36
|
private
|
39
37
|
|
40
38
|
def read_content
|
41
|
-
@content =
|
39
|
+
@content = ""
|
42
40
|
@params = {}
|
43
41
|
@content = split_daemons(read_file(@conf_path))
|
44
42
|
@params = parse_conf(@content)
|
@@ -47,10 +45,10 @@ module Inspec::Resources
|
|
47
45
|
def split_daemons(content)
|
48
46
|
split_daemons_list = []
|
49
47
|
content.each do |line|
|
50
|
-
data, = parse_comment_line(line, comment_char:
|
51
|
-
next unless data !=
|
52
|
-
data.split(
|
53
|
-
split_daemons_list.push("#{daemon} : " + line.split(
|
48
|
+
data, = parse_comment_line(line, comment_char: "#", standalone_comments: false)
|
49
|
+
next unless data != ""
|
50
|
+
data.split(":")[0].split(",").each do |daemon|
|
51
|
+
split_daemons_list.push("#{daemon} : " + line.split(":", 2)[1])
|
54
52
|
end
|
55
53
|
end
|
56
54
|
split_daemons_list
|
@@ -58,8 +56,8 @@ module Inspec::Resources
|
|
58
56
|
|
59
57
|
def parse_conf(content)
|
60
58
|
content.map do |line|
|
61
|
-
data, = parse_comment_line(line, comment_char:
|
62
|
-
parse_line(data) unless data ==
|
59
|
+
data, = parse_comment_line(line, comment_char: "#", standalone_comments: false)
|
60
|
+
parse_line(data) unless data == ""
|
63
61
|
end.compact
|
64
62
|
end
|
65
63
|
|
@@ -67,17 +65,17 @@ module Inspec::Resources
|
|
67
65
|
daemon, clients_and_options = line.split(/:\s+/, 2)
|
68
66
|
daemon = daemon.strip
|
69
67
|
|
70
|
-
clients_and_options ||=
|
68
|
+
clients_and_options ||= ""
|
71
69
|
clients, options = clients_and_options.split(/\s+:\s+/, 2)
|
72
70
|
client_list = clients.split(/,/).map(&:strip)
|
73
71
|
|
74
|
-
options ||=
|
72
|
+
options ||= ""
|
75
73
|
options_list = options.split(/:\s+/).map(&:strip)
|
76
74
|
|
77
75
|
{
|
78
|
-
|
79
|
-
|
80
|
-
|
76
|
+
"daemon" => daemon,
|
77
|
+
"client_list" => client_list,
|
78
|
+
"options" => options_list,
|
81
79
|
}
|
82
80
|
end
|
83
81
|
|
@@ -87,8 +85,8 @@ module Inspec::Resources
|
|
87
85
|
end
|
88
86
|
|
89
87
|
class EtcHostsDeny < EtcHostsAllow
|
90
|
-
name
|
91
|
-
supports platform:
|
88
|
+
name "etc_hosts_deny"
|
89
|
+
supports platform: "unix"
|
92
90
|
desc 'Use the etc_hosts_deny InSpec audit resource to test the connections
|
93
91
|
the client will deny. Controlled by the /etc/hosts.deny file.'
|
94
92
|
example <<~EXAMPLE
|
@@ -99,12 +97,12 @@ module Inspec::Resources
|
|
99
97
|
EXAMPLE
|
100
98
|
|
101
99
|
def initialize(path = nil)
|
102
|
-
return skip_resource
|
103
|
-
super(path ||
|
100
|
+
return skip_resource "`etc_hosts_deny` is not supported on your OS" unless inspec.os.linux?
|
101
|
+
super(path || "/etc/hosts.deny")
|
104
102
|
end
|
105
103
|
|
106
104
|
def to_s
|
107
|
-
|
105
|
+
"hosts.deny Configuration"
|
108
106
|
end
|
109
107
|
end
|
110
108
|
end
|
@@ -1,7 +1,7 @@
|
|
1
|
-
# encoding: utf-8
|
2
1
|
# copyright: 2015, Vulcano Security GmbH
|
3
2
|
|
4
|
-
require
|
3
|
+
require "shellwords"
|
4
|
+
require "inspec/utils/parser"
|
5
5
|
|
6
6
|
module Inspec::Resources
|
7
7
|
module FilePermissionsSelector
|
@@ -14,14 +14,15 @@ module Inspec::Resources
|
|
14
14
|
end
|
15
15
|
end
|
16
16
|
|
17
|
+
# TODO: rename file_resource.rb
|
17
18
|
class FileResource < Inspec.resource(1)
|
18
19
|
include FilePermissionsSelector
|
19
20
|
include LinuxMountParser
|
20
21
|
|
21
|
-
name
|
22
|
-
supports platform:
|
23
|
-
supports platform:
|
24
|
-
desc
|
22
|
+
name "file"
|
23
|
+
supports platform: "unix"
|
24
|
+
supports platform: "windows"
|
25
|
+
desc "Use the file InSpec audit resource to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors."
|
25
26
|
example <<~EXAMPLE
|
26
27
|
describe file('path') do
|
27
28
|
it { should exist }
|
@@ -48,45 +49,45 @@ module Inspec::Resources
|
|
48
49
|
product_version file_version version? md5sum sha256sum
|
49
50
|
path basename source source_path uid gid
|
50
51
|
}.each do |m|
|
51
|
-
define_method m
|
52
|
-
file.
|
52
|
+
define_method m do |*args|
|
53
|
+
file.send(m, *args)
|
53
54
|
end
|
54
55
|
end
|
55
56
|
|
56
57
|
def content
|
57
58
|
res = file.content
|
58
59
|
return nil if res.nil?
|
59
|
-
res.force_encoding(
|
60
|
+
res.force_encoding("utf-8")
|
60
61
|
end
|
61
62
|
|
62
63
|
def contain(*_)
|
63
|
-
raise
|
64
|
+
raise "Contain is not supported. Please use standard RSpec matchers."
|
64
65
|
end
|
65
66
|
|
66
67
|
def readable?(by_usergroup, by_specific_user)
|
67
68
|
return false unless exist?
|
68
|
-
return skip_resource
|
69
|
+
return skip_resource "`readable?` is not supported on your OS yet." if @perms_provider.nil?
|
69
70
|
|
70
|
-
file_permission_granted?(
|
71
|
+
file_permission_granted?("read", by_usergroup, by_specific_user)
|
71
72
|
end
|
72
73
|
|
73
74
|
def writable?(by_usergroup, by_specific_user)
|
74
75
|
return false unless exist?
|
75
|
-
return skip_resource
|
76
|
+
return skip_resource "`writable?` is not supported on your OS yet." if @perms_provider.nil?
|
76
77
|
|
77
|
-
file_permission_granted?(
|
78
|
+
file_permission_granted?("write", by_usergroup, by_specific_user)
|
78
79
|
end
|
79
80
|
|
80
81
|
def executable?(by_usergroup, by_specific_user)
|
81
82
|
return false unless exist?
|
82
|
-
return skip_resource
|
83
|
+
return skip_resource "`executable?` is not supported on your OS yet." if @perms_provider.nil?
|
83
84
|
|
84
|
-
file_permission_granted?(
|
85
|
+
file_permission_granted?("execute", by_usergroup, by_specific_user)
|
85
86
|
end
|
86
87
|
|
87
88
|
def allowed?(permission, opts = {})
|
88
89
|
return false unless exist?
|
89
|
-
return skip_resource
|
90
|
+
return skip_resource "`allowed?` is not supported on your OS yet." if @perms_provider.nil?
|
90
91
|
|
91
92
|
file_permission_granted?(permission, opts[:by], opts[:by_user])
|
92
93
|
end
|
@@ -98,7 +99,7 @@ module Inspec::Resources
|
|
98
99
|
return file.mounted? if expected_options.nil?
|
99
100
|
|
100
101
|
# deprecation warning, this functionality will be removed in future version
|
101
|
-
Inspec.deprecate(:file_resource_be_mounted_matchers,
|
102
|
+
Inspec.deprecate(:file_resource_be_mounted_matchers, "The file resource `be_mounted.with` and `be_mounted.only_with` matchers are deprecated. Please use the `mount` resource instead")
|
102
103
|
|
103
104
|
# we cannot read mount data on non-Linux systems
|
104
105
|
return nil if !inspec.os.linux?
|
@@ -134,10 +135,10 @@ module Inspec::Resources
|
|
134
135
|
alias sticky? sticky
|
135
136
|
|
136
137
|
def more_permissive_than?(max_mode = nil)
|
137
|
-
raise Inspec::Exceptions::ResourceFailed,
|
138
|
-
raise ArgumentError,
|
139
|
-
raise ArgumentError,
|
140
|
-
raise ArgumentError,
|
138
|
+
raise Inspec::Exceptions::ResourceFailed, "The file" + file.path + "doesn't seem to exist" unless exist?
|
139
|
+
raise ArgumentError, "You must proivde a value for the `maximum allowable permission` for the file." if max_mode.nil?
|
140
|
+
raise ArgumentError, "You must proivde the `maximum permission target` as a `String`, you provided: " + max_mode.class.to_s unless max_mode.is_a?(String)
|
141
|
+
raise ArgumentError, "The value of the `maximum permission target` should be a valid file mode in 4-ditgit octal format: for example, `0644` or `0777`" unless /(0)?([0-7])([0-7])([0-7])/.match?(max_mode)
|
141
142
|
|
142
143
|
# Using the files mode and a few bit-wise calculations we can ensure a
|
143
144
|
# file is no more permisive than desired.
|
@@ -156,10 +157,10 @@ module Inspec::Resources
|
|
156
157
|
# to or less permissive than the desired mode (PASS). Otherwise, the files
|
157
158
|
# mode is more permissive than the desired mode (FAIL).
|
158
159
|
|
159
|
-
max_mode = max_mode.
|
160
|
-
|
161
|
-
|
162
|
-
|
160
|
+
max_mode = max_mode.to_i(8)
|
161
|
+
inv_mode = 0777 ^ max_mode
|
162
|
+
|
163
|
+
inv_mode & file.mode != 0
|
163
164
|
end
|
164
165
|
|
165
166
|
def to_s
|
@@ -169,7 +170,7 @@ module Inspec::Resources
|
|
169
170
|
private
|
170
171
|
|
171
172
|
def file_permission_granted?(access_type, by_usergroup, by_specific_user)
|
172
|
-
raise
|
173
|
+
raise "`file_permission_granted?` is not supported on your OS" if @perms_provider.nil?
|
173
174
|
if by_specific_user.nil? || by_specific_user.empty?
|
174
175
|
@perms_provider.check_file_permission_by_mask(file, access_type, by_usergroup, by_specific_user)
|
175
176
|
else
|
@@ -188,22 +189,22 @@ module Inspec::Resources
|
|
188
189
|
class UnixFilePermissions < FilePermissions
|
189
190
|
def permission_flag(access_type)
|
190
191
|
case access_type
|
191
|
-
when
|
192
|
-
|
193
|
-
when
|
194
|
-
|
195
|
-
when
|
196
|
-
|
192
|
+
when "read"
|
193
|
+
"r"
|
194
|
+
when "write"
|
195
|
+
"w"
|
196
|
+
when "execute"
|
197
|
+
"x"
|
197
198
|
else
|
198
|
-
raise
|
199
|
+
raise "Invalid access_type provided"
|
199
200
|
end
|
200
201
|
end
|
201
202
|
|
202
203
|
def usergroup_for(usergroup, specific_user)
|
203
|
-
if usergroup ==
|
204
|
-
|
204
|
+
if usergroup == "others"
|
205
|
+
"other"
|
205
206
|
elsif (usergroup.nil? || usergroup.empty?) && specific_user.nil?
|
206
|
-
|
207
|
+
"all"
|
207
208
|
else
|
208
209
|
usergroup
|
209
210
|
end
|
@@ -213,7 +214,7 @@ module Inspec::Resources
|
|
213
214
|
usergroup = usergroup_for(usergroup, specific_user)
|
214
215
|
flag = permission_flag(access_type)
|
215
216
|
mask = file.unix_mode_mask(usergroup, flag)
|
216
|
-
raise
|
217
|
+
raise "Invalid usergroup/owner provided" if mask.nil?
|
217
218
|
(file.mode & mask) != 0
|
218
219
|
end
|
219
220
|
|
@@ -228,7 +229,7 @@ module Inspec::Resources
|
|
228
229
|
elsif inspec.os.hpux?
|
229
230
|
perm_cmd = "su #{user} -c \"test -#{flag} #{path}\""
|
230
231
|
else
|
231
|
-
return skip_resource
|
232
|
+
return skip_resource "The `file` resource does not support `by_user` on your OS."
|
232
233
|
end
|
233
234
|
|
234
235
|
cmd = inspec.command(perm_cmd)
|
@@ -238,11 +239,11 @@ module Inspec::Resources
|
|
238
239
|
|
239
240
|
class WindowsFilePermissions < FilePermissions
|
240
241
|
def check_file_permission_by_mask(_file, _access_type, _usergroup, _specific_user)
|
241
|
-
raise
|
242
|
+
raise "`check_file_permission_by_mask` is not supported on Windows"
|
242
243
|
end
|
243
244
|
|
244
245
|
def more_permissive_than?(*)
|
245
|
-
raise Inspec::Exceptions::ResourceSkipped,
|
246
|
+
raise Inspec::Exceptions::ResourceSkipped, "The `more_permissive_than?` matcher is not supported on your OS yet."
|
246
247
|
end
|
247
248
|
|
248
249
|
def check_file_permission_by_user(access_type, user, path)
|
@@ -250,14 +251,14 @@ module Inspec::Resources
|
|
250
251
|
access_rule = convert_to_powershell_array(access_rule)
|
251
252
|
|
252
253
|
cmd = inspec.command("@(@((Get-Acl '#{path}').access | Where-Object {$_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq '#{user}' }) | Where-Object {($_.FileSystemRights.ToString().Split(',') | % {$_.trim()} | ? {#{access_rule} -contains $_}) -ne $null}) | measure | % { $_.Count }")
|
253
|
-
cmd.stdout.chomp ==
|
254
|
+
cmd.stdout.chomp == "0" ? false : true
|
254
255
|
end
|
255
256
|
|
256
257
|
private
|
257
258
|
|
258
259
|
def convert_to_powershell_array(arr)
|
259
260
|
if arr.empty?
|
260
|
-
|
261
|
+
"@()"
|
261
262
|
else
|
262
263
|
%{@('#{arr.join("', '")}')}
|
263
264
|
end
|
@@ -272,59 +273,59 @@ module Inspec::Resources
|
|
272
273
|
names = translate_common_perms(access_type)
|
273
274
|
names ||= translate_granular_perms(access_type)
|
274
275
|
names ||= translate_uncommon_perms(access_type)
|
275
|
-
raise
|
276
|
+
raise "Invalid access_type provided" unless names
|
276
277
|
|
277
278
|
names
|
278
279
|
end
|
279
280
|
|
280
281
|
def translate_common_perms(access_type)
|
281
282
|
case access_type
|
282
|
-
when
|
283
|
+
when "full-control"
|
283
284
|
%w{FullControl}
|
284
|
-
when
|
285
|
-
translate_perm_names(
|
286
|
-
when
|
287
|
-
translate_perm_names(
|
288
|
-
when
|
289
|
-
translate_perm_names(
|
290
|
-
when
|
291
|
-
translate_perm_names(
|
292
|
-
when
|
293
|
-
translate_perm_names(
|
285
|
+
when "modify"
|
286
|
+
translate_perm_names("full-control") + %w{Modify}
|
287
|
+
when "read"
|
288
|
+
translate_perm_names("modify") + %w{ReadAndExecute Read}
|
289
|
+
when "write"
|
290
|
+
translate_perm_names("modify") + %w{Write}
|
291
|
+
when "execute"
|
292
|
+
translate_perm_names("modify") + %w{ReadAndExecute ExecuteFile Traverse}
|
293
|
+
when "delete"
|
294
|
+
translate_perm_names("modify") + %w{Delete}
|
294
295
|
end
|
295
296
|
end
|
296
297
|
|
297
298
|
def translate_uncommon_perms(access_type)
|
298
299
|
case access_type
|
299
|
-
when
|
300
|
-
translate_perm_names(
|
301
|
-
when
|
302
|
-
translate_perm_names(
|
303
|
-
when
|
304
|
-
translate_perm_names(
|
305
|
-
when
|
306
|
-
translate_perm_names(
|
300
|
+
when "delete-subdirectories-and-files"
|
301
|
+
translate_perm_names("full-control") + %w{DeleteSubdirectoriesAndFiles}
|
302
|
+
when "change-permissions"
|
303
|
+
translate_perm_names("full-control") + %w{ChangePermissions}
|
304
|
+
when "take-ownership"
|
305
|
+
translate_perm_names("full-control") + %w{TakeOwnership}
|
306
|
+
when "synchronize"
|
307
|
+
translate_perm_names("full-control") + %w{Synchronize}
|
307
308
|
end
|
308
309
|
end
|
309
310
|
|
310
311
|
def translate_granular_perms(access_type)
|
311
312
|
case access_type
|
312
|
-
when
|
313
|
-
translate_perm_names(
|
314
|
-
when
|
315
|
-
translate_perm_names(
|
316
|
-
when
|
317
|
-
translate_perm_names(
|
318
|
-
when
|
319
|
-
translate_perm_names(
|
320
|
-
when
|
321
|
-
translate_perm_names(
|
322
|
-
when
|
323
|
-
translate_perm_names(
|
324
|
-
when
|
325
|
-
translate_perm_names(
|
326
|
-
when
|
327
|
-
translate_perm_names(
|
313
|
+
when "write-data", "create-files"
|
314
|
+
translate_perm_names("write") + %w{WriteData CreateFiles}
|
315
|
+
when "append-data", "create-directories"
|
316
|
+
translate_perm_names("write") + %w{CreateDirectories AppendData}
|
317
|
+
when "write-extended-attributes"
|
318
|
+
translate_perm_names("write") + %w{WriteExtendedAttributes}
|
319
|
+
when "write-attributes"
|
320
|
+
translate_perm_names("write") + %w{WriteAttributes}
|
321
|
+
when "read-data", "list-directory"
|
322
|
+
translate_perm_names("read") + %w{ReadData ListDirectory}
|
323
|
+
when "read-attributes"
|
324
|
+
translate_perm_names("read") + %w{ReadAttributes}
|
325
|
+
when "read-extended-attributes"
|
326
|
+
translate_perm_names("read") + %w{ReadExtendedAttributes}
|
327
|
+
when "read-permissions"
|
328
|
+
translate_perm_names("read") + %w{ReadPermissions}
|
328
329
|
end
|
329
330
|
end
|
330
331
|
end
|
@@ -1,9 +1,11 @@
|
|
1
|
+
require "inspec/resources/command"
|
2
|
+
|
1
3
|
module Inspec::Resources
|
2
4
|
class FileSystemResource < Inspec.resource(1)
|
3
|
-
name
|
4
|
-
supports platform:
|
5
|
-
supports platform:
|
6
|
-
desc
|
5
|
+
name "filesystem"
|
6
|
+
supports platform: "linux"
|
7
|
+
supports platform: "windows"
|
8
|
+
desc "Use the filesystem InSpec resource to test file system"
|
7
9
|
example <<~EXAMPLE
|
8
10
|
describe filesystem('/') do
|
9
11
|
its('size_kb') { should be >= 32000 }
|
@@ -32,7 +34,7 @@ module Inspec::Resources
|
|
32
34
|
elsif os.windows?
|
33
35
|
@fsman = WindowsFileSystemResource.new(inspec)
|
34
36
|
else
|
35
|
-
raise Inspec::Exceptions::ResourceSkipped,
|
37
|
+
raise Inspec::Exceptions::ResourceSkipped, "The `filesystem` resource is not supported on your OS yet."
|
36
38
|
end
|
37
39
|
end
|
38
40
|
|
@@ -52,7 +54,7 @@ module Inspec::Resources
|
|
52
54
|
end
|
53
55
|
|
54
56
|
def size
|
55
|
-
Inspec.deprecate(:property_filesystem_size,
|
57
|
+
Inspec.deprecate(:property_filesystem_size, "The `size` property did not reliably use the correct units. Please use `size_kb` instead.")
|
56
58
|
if inspec.os.windows?
|
57
59
|
# On windows, we had a bug prior to #3767 in which the
|
58
60
|
# 'size' value was be scaled to GB in powershell.
|
@@ -93,8 +95,11 @@ module Inspec::Resources
|
|
93
95
|
class LinuxFileSystemResource < FsManagement
|
94
96
|
def info(partition)
|
95
97
|
cmd = inspec.command("df #{partition} -T")
|
96
|
-
|
97
|
-
|
98
|
+
if cmd.stdout.nil? || cmd.stdout.empty? || cmd.exit_status != 0
|
99
|
+
raise Inspec::Exceptions::ResourceFailed,
|
100
|
+
"Unable to get available space for partition #{partition}"
|
101
|
+
end
|
102
|
+
value = cmd.stdout.split(/\n/)[1].strip.split(" ")
|
98
103
|
{
|
99
104
|
name: partition,
|
100
105
|
size_kb: value[2].to_i,
|
@@ -106,26 +111,26 @@ module Inspec::Resources
|
|
106
111
|
|
107
112
|
class WindowsFileSystemResource < FsManagement
|
108
113
|
def info(partition)
|
109
|
-
cmd = inspec.command <<-EOF.gsub(/^\s*/,
|
114
|
+
cmd = inspec.command <<-EOF.gsub(/^\s*/, "")
|
110
115
|
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='#{partition}'"
|
111
116
|
$disk.Size = $disk.Size / 1KB
|
112
117
|
$disk.FreeSpace = $disk.FreeSpace / 1KB
|
113
118
|
$disk | select -property DeviceID,Size,FileSystem,FreeSpace | ConvertTo-Json
|
114
119
|
EOF
|
115
120
|
|
116
|
-
raise Inspec::Exceptions::ResourceSkipped, "Unable to get available space for partition #{partition}" if cmd.stdout ==
|
121
|
+
raise Inspec::Exceptions::ResourceSkipped, "Unable to get available space for partition #{partition}" if cmd.stdout == "" || cmd.exit_status.to_i != 0
|
117
122
|
begin
|
118
123
|
fs = JSON.parse(cmd.stdout)
|
119
124
|
rescue JSON::ParserError => e
|
120
125
|
raise Inspec::Exceptions::ResourceFailed,
|
121
|
-
|
126
|
+
"Failed to parse JSON from Powershell. " \
|
122
127
|
"Error: #{e}"
|
123
128
|
end
|
124
129
|
{
|
125
|
-
name: fs[
|
126
|
-
size_kb: fs[
|
127
|
-
free_kb: fs[
|
128
|
-
type: fs[
|
130
|
+
name: fs["DeviceID"],
|
131
|
+
size_kb: fs["Size"].to_i,
|
132
|
+
free_kb: fs["FreeSpace"].to_i,
|
133
|
+
type: fs["FileSystem"],
|
129
134
|
}
|
130
135
|
end
|
131
136
|
end
|