inspec-core 4.3.2 → 4.6.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +37 -21
- data/etc/deprecations.json +10 -0
- data/etc/plugin_filters.json +8 -0
- data/lib/bundles/inspec-compliance/api.rb +1 -1
- data/lib/bundles/inspec-compliance/configuration.rb +1 -1
- data/lib/bundles/inspec-compliance/http.rb +1 -1
- data/lib/bundles/inspec-compliance/support.rb +1 -1
- data/lib/bundles/inspec-compliance/target.rb +1 -1
- data/lib/bundles/inspec-supermarket.rb +3 -7
- data/lib/bundles/inspec-supermarket/api.rb +10 -13
- data/lib/bundles/inspec-supermarket/cli.rb +12 -15
- data/lib/bundles/inspec-supermarket/target.rb +7 -11
- data/lib/fetchers/git.rb +14 -15
- data/lib/fetchers/local.rb +6 -10
- data/lib/fetchers/mock.rb +3 -5
- data/lib/fetchers/url.rb +42 -44
- data/lib/inspec.rb +23 -24
- data/lib/inspec/archive/tar.rb +2 -6
- data/lib/inspec/archive/zip.rb +3 -7
- data/lib/inspec/backend.rb +8 -9
- data/lib/inspec/base_cli.rb +64 -65
- data/lib/inspec/cached_fetcher.rb +2 -3
- data/lib/inspec/cli.rb +136 -97
- data/lib/inspec/config.rb +71 -61
- data/lib/inspec/control_eval_context.rb +22 -18
- data/lib/inspec/dependencies/cache.rb +2 -3
- data/lib/inspec/dependencies/dependency_set.rb +2 -3
- data/lib/inspec/dependencies/lockfile.rb +8 -9
- data/lib/inspec/dependencies/requirement.rb +7 -8
- data/lib/inspec/dependencies/resolver.rb +5 -7
- data/lib/inspec/describe.rb +2 -6
- data/lib/inspec/dist.rb +20 -0
- data/lib/inspec/dsl.rb +4 -7
- data/lib/inspec/dsl_shared.rb +1 -2
- data/lib/inspec/env_printer.rb +11 -12
- data/lib/inspec/errors.rb +0 -4
- data/lib/inspec/exceptions.rb +0 -1
- data/lib/inspec/expect.rb +5 -8
- data/lib/inspec/fetcher.rb +7 -10
- data/lib/inspec/file_provider.rb +24 -24
- data/lib/inspec/formatters.rb +3 -3
- data/lib/inspec/formatters/base.rb +8 -8
- data/lib/inspec/globals.rb +2 -2
- data/lib/inspec/impact.rb +5 -7
- data/lib/inspec/input_registry.rb +84 -33
- data/lib/inspec/library_eval_context.rb +3 -6
- data/lib/inspec/log.rb +1 -5
- data/lib/inspec/metadata.rb +17 -16
- data/lib/inspec/method_source.rb +5 -9
- data/lib/inspec/objects.rb +10 -12
- data/lib/inspec/objects/control.rb +7 -9
- data/lib/inspec/objects/describe.rb +9 -11
- data/lib/inspec/objects/each_loop.rb +1 -3
- data/lib/inspec/objects/input.rb +24 -26
- data/lib/inspec/objects/list.rb +4 -6
- data/lib/inspec/objects/or_test.rb +2 -4
- data/lib/inspec/objects/ruby_helper.rb +3 -5
- data/lib/inspec/objects/tag.rb +0 -2
- data/lib/inspec/objects/test.rb +9 -11
- data/lib/inspec/objects/value.rb +3 -5
- data/lib/inspec/plugin/v1.rb +2 -2
- data/lib/inspec/plugin/v1/plugin_types/cli.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/fetcher.rb +2 -5
- data/lib/inspec/plugin/v1/plugin_types/resource.rb +4 -6
- data/lib/inspec/plugin/v1/plugin_types/secret.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/source_reader.rb +1 -5
- data/lib/inspec/plugin/v1/plugins.rb +15 -19
- data/lib/inspec/plugin/v1/registry.rb +0 -4
- data/lib/inspec/plugin/v2.rb +8 -8
- data/lib/inspec/plugin/v2/activator.rb +1 -1
- data/lib/inspec/plugin/v2/config_file.rb +6 -6
- data/lib/inspec/plugin/v2/filter.rb +13 -13
- data/lib/inspec/plugin/v2/installer.rb +36 -24
- data/lib/inspec/plugin/v2/loader.rb +28 -28
- data/lib/inspec/plugin/v2/plugin_base.rb +15 -2
- data/lib/inspec/plugin/v2/plugin_types/cli.rb +5 -5
- data/lib/inspec/plugin/v2/plugin_types/input.rb +34 -0
- data/lib/inspec/plugin/v2/plugin_types/mock.rb +1 -1
- data/lib/inspec/plugin/v2/registry.rb +7 -7
- data/lib/inspec/polyfill.rb +0 -3
- data/lib/inspec/profile.rb +55 -63
- data/lib/inspec/profile_context.rb +27 -30
- data/lib/inspec/profile_vendor.rb +6 -9
- data/lib/inspec/reporters.rb +24 -24
- data/lib/inspec/reporters/automate.rb +17 -19
- data/lib/inspec/reporters/base.rb +1 -1
- data/lib/inspec/reporters/cli.rb +88 -91
- data/lib/inspec/reporters/json.rb +2 -4
- data/lib/inspec/reporters/json_automate.rb +1 -3
- data/lib/inspec/reporters/json_min.rb +1 -3
- data/lib/inspec/reporters/junit.rb +26 -28
- data/lib/inspec/reporters/yaml.rb +1 -3
- data/lib/inspec/require_loader.rb +0 -4
- data/lib/inspec/resource.rb +4 -125
- data/lib/inspec/resources.rb +121 -0
- data/lib/{resources → inspec/resources}/aide_conf.rb +24 -25
- data/lib/{resources → inspec/resources}/apache.rb +13 -14
- data/lib/{resources → inspec/resources}/apache_conf.rb +16 -17
- data/lib/{resources → inspec/resources}/apt.rb +17 -17
- data/lib/{resources → inspec/resources}/audit_policy.rb +7 -6
- data/lib/{resources → inspec/resources}/auditd.rb +62 -64
- data/lib/{resources → inspec/resources}/auditd_conf.rb +7 -8
- data/lib/{resources → inspec/resources}/bash.rb +6 -8
- data/lib/{resources → inspec/resources}/bond.rb +15 -14
- data/lib/{resources → inspec/resources}/bridge.rb +8 -8
- data/lib/{resources → inspec/resources}/chocolatey_package.rb +10 -8
- data/lib/{resources → inspec/resources}/command.rb +11 -10
- data/lib/{resources → inspec/resources}/cpan.rb +12 -12
- data/lib/{resources → inspec/resources}/cran.rb +9 -9
- data/lib/{resources → inspec/resources}/crontab.rb +47 -48
- data/lib/{resources → inspec/resources}/csv.rb +5 -5
- data/lib/{resources → inspec/resources}/dh_params.rb +5 -7
- data/lib/{resources → inspec/resources}/directory.rb +5 -7
- data/lib/{resources → inspec/resources}/docker.rb +63 -63
- data/lib/{resources → inspec/resources}/docker_container.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_image.rb +9 -9
- data/lib/{resources → inspec/resources}/docker_object.rb +8 -13
- data/lib/{resources → inspec/resources}/docker_plugin.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_service.rb +7 -7
- data/lib/{resources → inspec/resources}/elasticsearch.rb +40 -42
- data/lib/{resources → inspec/resources}/etc_fstab.rb +23 -24
- data/lib/{resources → inspec/resources}/etc_group.rb +26 -27
- data/lib/{resources → inspec/resources}/etc_hosts.rb +11 -13
- data/lib/{resources → inspec/resources}/etc_hosts_allow_deny.rb +25 -27
- data/lib/{resources → inspec/resources}/file.rb +80 -79
- data/lib/{resources → inspec/resources}/filesystem.rb +20 -15
- data/lib/{resources → inspec/resources}/firewalld.rb +26 -26
- data/lib/{resources → inspec/resources}/gem.rb +12 -12
- data/lib/{resources → inspec/resources}/groups.rb +28 -27
- data/lib/{resources → inspec/resources}/grub_conf.rb +46 -48
- data/lib/{resources → inspec/resources}/host.rb +31 -29
- data/lib/{resources → inspec/resources}/http.rb +24 -24
- data/lib/{resources → inspec/resources}/iis_app.rb +6 -7
- data/lib/{resources → inspec/resources}/iis_app_pool.rb +21 -19
- data/lib/{resources → inspec/resources}/iis_site.rb +17 -15
- data/lib/{resources → inspec/resources}/inetd_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/ini.rb +7 -8
- data/lib/{resources → inspec/resources}/interface.rb +30 -30
- data/lib/{resources → inspec/resources}/iptables.rb +8 -8
- data/lib/{resources → inspec/resources}/json.rb +8 -10
- data/lib/{resources → inspec/resources}/kernel_module.rb +15 -15
- data/lib/{resources → inspec/resources}/kernel_parameter.rb +8 -8
- data/lib/{resources → inspec/resources}/key_rsa.rb +8 -10
- data/lib/{resources → inspec/resources}/ksh.rb +6 -8
- data/lib/{resources → inspec/resources}/limits_conf.rb +8 -9
- data/lib/{resources/login_def.rb → inspec/resources/login_defs.rb} +9 -10
- data/lib/{resources → inspec/resources}/mount.rb +6 -8
- data/lib/{resources → inspec/resources}/mssql_session.rb +16 -18
- data/lib/inspec/resources/mysql.rb +81 -0
- data/lib/{resources → inspec/resources}/mysql_conf.rb +13 -14
- data/lib/{resources → inspec/resources}/mysql_session.rb +16 -16
- data/lib/{resources → inspec/resources}/nginx.rb +16 -17
- data/lib/{resources → inspec/resources}/nginx_conf.rb +26 -27
- data/lib/{resources → inspec/resources}/npm.rb +9 -10
- data/lib/{resources → inspec/resources}/ntp_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/oneget.rb +8 -8
- data/lib/{resources → inspec/resources}/oracledb_session.rb +33 -34
- data/lib/{resources → inspec/resources}/os.rb +6 -8
- data/lib/{resources → inspec/resources}/os_env.rb +11 -12
- data/lib/{resources → inspec/resources}/package.rb +66 -65
- data/lib/{resources → inspec/resources}/packages.rb +13 -13
- data/lib/{resources → inspec/resources}/parse_config.rb +8 -8
- data/lib/{resources → inspec/resources}/passwd.rb +18 -19
- data/lib/{resources → inspec/resources}/pip.rb +19 -19
- data/lib/{resources → inspec/resources}/platform.rb +9 -11
- data/lib/{resources → inspec/resources}/port.rb +134 -136
- data/lib/{resources → inspec/resources}/postgres.rb +40 -32
- data/lib/{resources → inspec/resources}/postgres_conf.rb +17 -17
- data/lib/{resources → inspec/resources}/postgres_hba_conf.rb +21 -23
- data/lib/{resources → inspec/resources}/postgres_ident_conf.rb +12 -14
- data/lib/{resources → inspec/resources}/postgres_session.rb +8 -9
- data/lib/{resources → inspec/resources}/powershell.rb +17 -13
- data/lib/{resources → inspec/resources}/processes.rb +29 -29
- data/lib/{resources/rabbitmq_conf.rb → inspec/resources/rabbitmq_config.rb} +10 -11
- data/lib/{resources → inspec/resources}/registry_key.rb +14 -14
- data/lib/inspec/resources/script.rb +1 -0
- data/lib/{resources → inspec/resources}/security_identifier.rb +11 -10
- data/lib/{resources → inspec/resources}/security_policy.rb +59 -58
- data/lib/{resources → inspec/resources}/service.rb +74 -75
- data/lib/{resources → inspec/resources}/shadow.rb +44 -45
- data/lib/{resources/ssh_conf.rb → inspec/resources/ssh_config.rb} +16 -17
- data/lib/{resources → inspec/resources}/ssl.rb +28 -29
- data/lib/inspec/resources/sys_info.rb +30 -0
- data/lib/{resources → inspec/resources}/toml.rb +5 -7
- data/lib/{resources → inspec/resources}/users.rb +65 -65
- data/lib/{resources → inspec/resources}/vbscript.rb +8 -9
- data/lib/{resources → inspec/resources}/virtualization.rb +60 -62
- data/lib/{resources → inspec/resources}/windows_feature.rb +9 -9
- data/lib/{resources → inspec/resources}/windows_hotfix.rb +5 -5
- data/lib/{resources → inspec/resources}/windows_task.rb +16 -15
- data/lib/{resources → inspec/resources}/wmi.rb +7 -8
- data/lib/{resources → inspec/resources}/x509_certificate.rb +9 -11
- data/lib/{resources/xinetd.rb → inspec/resources/xinetd_conf.rb} +27 -29
- data/lib/{resources → inspec/resources}/xml.rb +7 -7
- data/lib/{resources → inspec/resources}/yaml.rb +5 -6
- data/lib/{resources → inspec/resources}/yum.rb +10 -10
- data/lib/{resources → inspec/resources}/zfs_dataset.rb +6 -6
- data/lib/{resources → inspec/resources}/zfs_pool.rb +4 -4
- data/lib/inspec/rspec_extensions.rb +24 -8
- data/lib/inspec/rule.rb +14 -15
- data/lib/inspec/runner.rb +28 -28
- data/lib/inspec/runner_mock.rb +1 -5
- data/lib/inspec/runner_rspec.rb +18 -20
- data/lib/inspec/runtime_profile.rb +2 -5
- data/lib/inspec/schema.rb +142 -143
- data/lib/inspec/secrets.rb +3 -7
- data/lib/inspec/secrets/yaml.rb +3 -5
- data/lib/inspec/shell.rb +11 -15
- data/lib/inspec/shell_detector.rb +6 -7
- data/lib/inspec/source_reader.rb +4 -8
- data/lib/inspec/ui.rb +33 -39
- data/lib/inspec/ui_table_helper.rb +12 -0
- data/lib/{utils → inspec/utils}/command_wrapper.rb +4 -8
- data/lib/{utils → inspec/utils}/convert.rb +0 -4
- data/lib/{utils → inspec/utils}/database_helpers.rb +4 -8
- data/lib/inspec/utils/deprecation.rb +6 -0
- data/lib/{utils → inspec/utils}/deprecation/config_file.rb +19 -19
- data/lib/{utils → inspec/utils}/deprecation/deprecator.rb +12 -12
- data/lib/{utils → inspec/utils}/deprecation/errors.rb +1 -1
- data/lib/{utils → inspec/utils}/deprecation/global_method.rb +2 -2
- data/lib/{utils → inspec/utils}/enumerable_delegation.rb +0 -2
- data/lib/{utils → inspec/utils}/erlang_parser.rb +61 -65
- data/lib/{utils → inspec/utils}/file_reader.rb +1 -2
- data/lib/{utils → inspec/utils}/filter.rb +30 -33
- data/lib/{utils → inspec/utils}/filter_array.rb +0 -2
- data/lib/{utils → inspec/utils}/find_files.rb +9 -12
- data/lib/{utils → inspec/utils}/hash.rb +1 -5
- data/lib/inspec/utils/json_log.rb +15 -0
- data/lib/inspec/utils/latest_version.rb +13 -0
- data/lib/{utils → inspec/utils}/modulator.rb +0 -3
- data/lib/{utils → inspec/utils}/nginx_parser.rb +31 -35
- data/lib/{utils → inspec/utils}/object_traversal.rb +0 -3
- data/lib/{utils → inspec/utils}/parser.rb +45 -45
- data/lib/{utils → inspec/utils}/pkey_reader.rb +4 -2
- data/lib/{utils → inspec/utils}/simpleconfig.rb +8 -10
- data/lib/{utils → inspec/utils}/spdx.rb +1 -4
- data/lib/{utils → inspec/utils}/spdx.txt +0 -0
- data/lib/inspec/utils/telemetry.rb +3 -3
- data/lib/inspec/utils/telemetry/collector.rb +30 -9
- data/lib/inspec/utils/telemetry/data_series.rb +3 -1
- data/lib/inspec/utils/telemetry/global_methods.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +22 -25
- data/lib/plugins/inspec-artifact/lib/inspec-artifact.rb +1 -1
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +52 -45
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/cli.rb +18 -16
- data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb +1 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +73 -73
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +66 -62
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +59 -57
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/configuration.rb +11 -11
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/http.rb +20 -22
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/support.rb +2 -4
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +30 -27
- data/lib/plugins/inspec-habitat/Berksfile +2 -2
- data/lib/plugins/inspec-habitat/lib/inspec-habitat.rb +1 -1
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/cli.rb +15 -13
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb +64 -63
- data/lib/plugins/inspec-habitat/templates/habitat/hooks/run.erb +3 -3
- data/lib/plugins/inspec-habitat/templates/habitat/plan.sh.erb +11 -11
- data/lib/plugins/inspec-init/lib/inspec-init.rb +1 -1
- data/lib/plugins/inspec-init/lib/inspec-init/cli.rb +6 -8
- data/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb +72 -74
- data/lib/plugins/inspec-init/lib/inspec-init/cli_profile.rb +9 -11
- data/lib/plugins/inspec-init/lib/inspec-init/renderer.rb +4 -4
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Gemfile +0 -1
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb +0 -2
- data/lib/plugins/inspec-init/templates/profiles/os/controls/example.rb +6 -7
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli.rb +1 -2
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +72 -70
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/plugin.rb +1 -1
- data/lib/plugins/shared/core_plugin_test_helper.rb +43 -38
- data/lib/source_readers/flat.rb +6 -10
- data/lib/source_readers/inspec.rb +8 -12
- metadata +139 -140
- data/lib/resources/mysql.rb +0 -82
- data/lib/resources/sys_info.rb +0 -28
- data/lib/utils/deprecation.rb +0 -6
- data/lib/utils/json_log.rb +0 -18
- data/lib/utils/latest_version.rb +0 -22
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
|
|
1
|
+
require "inspec/resources/command"
|
|
2
2
|
|
|
3
3
|
module Inspec::Resources
|
|
4
4
|
class FirewallD < Inspec.resource(1)
|
|
@@ -7,9 +7,9 @@ module Inspec::Resources
|
|
|
7
7
|
# set to allow users in group "wheel" to perform any commands without authentication.
|
|
8
8
|
###
|
|
9
9
|
|
|
10
|
-
name
|
|
11
|
-
supports platform:
|
|
12
|
-
desc
|
|
10
|
+
name "firewalld"
|
|
11
|
+
supports platform: "linux"
|
|
12
|
+
desc "Use the firewalld resource to check and see if firewalld is configured to grand or deny access to specific hosts or services"
|
|
13
13
|
example <<~EXAMPLE
|
|
14
14
|
describe firewalld do
|
|
15
15
|
it { should be_running }
|
|
@@ -28,10 +28,10 @@ module Inspec::Resources
|
|
|
28
28
|
attr_reader :params
|
|
29
29
|
|
|
30
30
|
filter = FilterTable.create
|
|
31
|
-
filter.register_column(:zone, field:
|
|
32
|
-
.register_column(:interfaces, field:
|
|
33
|
-
.register_column(:sources, field:
|
|
34
|
-
.register_column(:services, field:
|
|
31
|
+
filter.register_column(:zone, field: "zone")
|
|
32
|
+
.register_column(:interfaces, field: "interfaces")
|
|
33
|
+
.register_column(:sources, field: "sources")
|
|
34
|
+
.register_column(:services, field: "services")
|
|
35
35
|
|
|
36
36
|
filter.install_filter_methods_on_resource(self, :params)
|
|
37
37
|
|
|
@@ -40,50 +40,50 @@ module Inspec::Resources
|
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
def installed?
|
|
43
|
-
inspec.command(
|
|
43
|
+
inspec.command("firewall-cmd").exist?
|
|
44
44
|
end
|
|
45
45
|
|
|
46
46
|
def has_zone?(query_zone)
|
|
47
47
|
return false unless installed?
|
|
48
|
-
result = firewalld_command(
|
|
48
|
+
result = firewalld_command("--get-zones").split(" ")
|
|
49
49
|
result.include?(query_zone)
|
|
50
50
|
end
|
|
51
51
|
|
|
52
52
|
def running?
|
|
53
53
|
return false unless installed?
|
|
54
|
-
result = firewalld_command(
|
|
54
|
+
result = firewalld_command("--state")
|
|
55
55
|
result =~ /^running/ ? true : false
|
|
56
56
|
end
|
|
57
57
|
|
|
58
58
|
def default_zone
|
|
59
59
|
# return: word associated with the name of the default zone
|
|
60
60
|
# example: 'public'
|
|
61
|
-
firewalld_command(
|
|
61
|
+
firewalld_command("--get-default-zone")
|
|
62
62
|
end
|
|
63
63
|
|
|
64
64
|
def has_service_enabled_in_zone?(query_service, query_zone = default_zone)
|
|
65
|
-
firewalld_command("--zone=#{query_zone} --query-service=#{query_service}") ==
|
|
65
|
+
firewalld_command("--zone=#{query_zone} --query-service=#{query_service}") == "yes"
|
|
66
66
|
end
|
|
67
67
|
|
|
68
68
|
def service_ports_enabled_in_zone(query_service, query_zone = default_zone)
|
|
69
69
|
# return: String of ports open
|
|
70
70
|
# example: ['22/tcp', '4722/tcp']
|
|
71
|
-
firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-ports --permanent").split(
|
|
71
|
+
firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-ports --permanent").split(" ")
|
|
72
72
|
end
|
|
73
73
|
|
|
74
74
|
def service_protocols_enabled_in_zone(query_service, query_zone = default_zone)
|
|
75
75
|
# return: String of protocoals open
|
|
76
76
|
# example: ['icmp', 'ipv4', 'igmp']
|
|
77
|
-
firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-protocols --permanent").split(
|
|
77
|
+
firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-protocols --permanent").split(" ")
|
|
78
78
|
end
|
|
79
79
|
|
|
80
80
|
def has_port_enabled_in_zone?(query_port, query_zone = default_zone)
|
|
81
|
-
firewalld_command("--zone=#{query_zone} --query-port=#{query_port}") ==
|
|
81
|
+
firewalld_command("--zone=#{query_zone} --query-port=#{query_port}") == "yes"
|
|
82
82
|
end
|
|
83
83
|
|
|
84
84
|
def has_rule_enabled?(rule, query_zone = default_zone)
|
|
85
|
-
rule = "rule #{rule}" unless rule.start_with?(
|
|
86
|
-
firewalld_command("--zone=#{query_zone} --query-rich-rule='#{rule}'") ==
|
|
85
|
+
rule = "rule #{rule}" unless rule.start_with?("rule")
|
|
86
|
+
firewalld_command("--zone=#{query_zone} --query-rich-rule='#{rule}'") == "yes"
|
|
87
87
|
end
|
|
88
88
|
|
|
89
89
|
private
|
|
@@ -96,7 +96,7 @@ module Inspec::Resources
|
|
|
96
96
|
# example:
|
|
97
97
|
# public
|
|
98
98
|
# interfaces: enp0s3
|
|
99
|
-
firewalld_command(
|
|
99
|
+
firewalld_command("--get-active-zones")
|
|
100
100
|
end
|
|
101
101
|
|
|
102
102
|
def parse_active_zones(content)
|
|
@@ -110,29 +110,29 @@ module Inspec::Resources
|
|
|
110
110
|
def parse_line(line)
|
|
111
111
|
zone = line.split("\n")[0]
|
|
112
112
|
{
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
113
|
+
"zone" => zone,
|
|
114
|
+
"interfaces" => line.split(":")[1].split(" "),
|
|
115
|
+
"services" => services_bound(zone),
|
|
116
|
+
"sources" => sources_bound(zone),
|
|
117
117
|
}
|
|
118
118
|
end
|
|
119
119
|
|
|
120
120
|
def sources_bound(query_zone)
|
|
121
121
|
# result: a list containing either an ip address or ip address with a mask, or a ipset or an ipset with the ipset prefix.
|
|
122
122
|
# example: ['192.168.0.4', '192.168.0.0/16', '2111:DB28:ABC:12::', '2111:db89:ab3d:0112::0/64']
|
|
123
|
-
firewalld_command("--zone=#{query_zone} --list-sources").split(
|
|
123
|
+
firewalld_command("--zone=#{query_zone} --list-sources").split(" ")
|
|
124
124
|
end
|
|
125
125
|
|
|
126
126
|
def services_bound(query_zone)
|
|
127
127
|
# result: a list of services bound to a zone.
|
|
128
128
|
# example: ['ssh', 'dhcpv6-client']
|
|
129
|
-
firewalld_command("--zone=#{query_zone} --list-services").split(
|
|
129
|
+
firewalld_command("--zone=#{query_zone} --list-services").split(" ")
|
|
130
130
|
end
|
|
131
131
|
|
|
132
132
|
def firewalld_command(command)
|
|
133
133
|
command = "firewall-cmd #{command}"
|
|
134
134
|
result = inspec.command(command)
|
|
135
|
-
if result.stderr !=
|
|
135
|
+
if result.stderr != ""
|
|
136
136
|
return "Error on command #{command}: #{result.stderr}"
|
|
137
137
|
end
|
|
138
138
|
result.stdout.strip
|
|
@@ -1,11 +1,11 @@
|
|
|
1
|
-
|
|
1
|
+
require "inspec/resources/command"
|
|
2
2
|
|
|
3
3
|
module Inspec::Resources
|
|
4
4
|
class GemPackage < Inspec.resource(1)
|
|
5
|
-
name
|
|
6
|
-
supports platform:
|
|
7
|
-
supports platform:
|
|
8
|
-
desc
|
|
5
|
+
name "gem"
|
|
6
|
+
supports platform: "unix"
|
|
7
|
+
supports platform: "windows"
|
|
8
|
+
desc "Use the gem InSpec audit resource to test if a global gem package is installed."
|
|
9
9
|
example <<~EXAMPLE
|
|
10
10
|
describe gem('rubocop') do
|
|
11
11
|
it { should be_installed }
|
|
@@ -19,37 +19,37 @@ module Inspec::Resources
|
|
|
19
19
|
@package_name = package_name
|
|
20
20
|
@gem_binary = case gem_binary
|
|
21
21
|
when nil
|
|
22
|
-
|
|
22
|
+
"gem"
|
|
23
23
|
when :chef
|
|
24
24
|
if inspec.os.windows?
|
|
25
25
|
'c:\opscode\chef\embedded\bin\gem.bat'
|
|
26
26
|
else
|
|
27
|
-
|
|
27
|
+
"/opt/chef/embedded/bin/gem"
|
|
28
28
|
end
|
|
29
29
|
when :chef_server
|
|
30
|
-
|
|
30
|
+
"/opt/opscode/embedded/bin/gem"
|
|
31
31
|
else
|
|
32
32
|
gem_binary
|
|
33
33
|
end
|
|
34
|
-
skip_resource
|
|
34
|
+
skip_resource "Unable to retrieve gem information" if info.empty?
|
|
35
35
|
end
|
|
36
36
|
|
|
37
37
|
def info
|
|
38
38
|
return @info if defined?(@info)
|
|
39
39
|
|
|
40
40
|
cmd = inspec.command("#{@gem_binary} list --local -a -q \^#{@package_name}\$")
|
|
41
|
-
return {} unless cmd.exit_status
|
|
41
|
+
return {} unless cmd.exit_status == 0
|
|
42
42
|
|
|
43
43
|
# extract package name and version
|
|
44
44
|
# parses data like winrm (1.3.4, 1.3.3)
|
|
45
45
|
params = /^\s*([^\(]*?)\s*\((.*?)\)\s*$/.match(cmd.stdout.chomp)
|
|
46
46
|
@info = {
|
|
47
47
|
installed: !params.nil?,
|
|
48
|
-
type:
|
|
48
|
+
type: "gem",
|
|
49
49
|
}
|
|
50
50
|
return @info unless @info[:installed]
|
|
51
51
|
|
|
52
|
-
versions = params[2].split(
|
|
52
|
+
versions = params[2].split(",").map(&:strip)
|
|
53
53
|
@info[:name] = params[1]
|
|
54
54
|
@info[:version] = versions[0]
|
|
55
55
|
@info[:versions] = versions
|
|
@@ -1,6 +1,7 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
require
|
|
1
|
+
require "inspec/resources/etc_group"
|
|
2
|
+
require "inspec/resources/powershell"
|
|
3
|
+
require "inspec/resources/parse_config"
|
|
4
|
+
require "inspec/utils/filter"
|
|
4
5
|
|
|
5
6
|
module Inspec::Resources
|
|
6
7
|
# This file contains two resources, the `group` and `groups` resource.
|
|
@@ -24,10 +25,10 @@ module Inspec::Resources
|
|
|
24
25
|
class Groups < Inspec.resource(1)
|
|
25
26
|
include GroupManagementSelector
|
|
26
27
|
|
|
27
|
-
name
|
|
28
|
-
supports platform:
|
|
29
|
-
supports platform:
|
|
30
|
-
desc
|
|
28
|
+
name "groups"
|
|
29
|
+
supports platform: "unix"
|
|
30
|
+
supports platform: "windows"
|
|
31
|
+
desc "Use the group InSpec audit resource to test groups on the system. Groups can be filtered."
|
|
31
32
|
example <<~EXAMPLE
|
|
32
33
|
describe groups.where { name == 'root'} do
|
|
33
34
|
its('names') { should eq ['root'] }
|
|
@@ -43,19 +44,19 @@ module Inspec::Resources
|
|
|
43
44
|
def initialize
|
|
44
45
|
# select group manager
|
|
45
46
|
@group_provider = select_group_manager(inspec.os)
|
|
46
|
-
return skip_resource
|
|
47
|
+
return skip_resource "The `groups` resource is not supported on your OS yet." if @group_provider.nil?
|
|
47
48
|
end
|
|
48
49
|
|
|
49
50
|
filter = FilterTable.create
|
|
50
51
|
filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
|
|
51
|
-
filter.register_column(:names, field:
|
|
52
|
-
.register_column(:gids, field:
|
|
53
|
-
.register_column(:domains, field:
|
|
54
|
-
.register_column(:members, field:
|
|
52
|
+
filter.register_column(:names, field: "name")
|
|
53
|
+
.register_column(:gids, field: "gid")
|
|
54
|
+
.register_column(:domains, field: "domain")
|
|
55
|
+
.register_column(:members, field: "members", style: :simple)
|
|
55
56
|
filter.install_filter_methods_on_resource(self, :collect_group_details)
|
|
56
57
|
|
|
57
58
|
def to_s
|
|
58
|
-
|
|
59
|
+
"Groups"
|
|
59
60
|
end
|
|
60
61
|
|
|
61
62
|
private
|
|
@@ -76,10 +77,10 @@ module Inspec::Resources
|
|
|
76
77
|
class Group < Inspec.resource(1)
|
|
77
78
|
include GroupManagementSelector
|
|
78
79
|
|
|
79
|
-
name
|
|
80
|
-
supports platform:
|
|
81
|
-
supports platform:
|
|
82
|
-
desc
|
|
80
|
+
name "group"
|
|
81
|
+
supports platform: "unix"
|
|
82
|
+
supports platform: "windows"
|
|
83
|
+
desc "Use the group InSpec audit resource to test groups on the system."
|
|
83
84
|
example <<~EXAMPLE
|
|
84
85
|
describe group('root') do
|
|
85
86
|
it { should exist }
|
|
@@ -96,7 +97,7 @@ module Inspec::Resources
|
|
|
96
97
|
|
|
97
98
|
# select group manager
|
|
98
99
|
@group_provider = select_group_manager(inspec.os)
|
|
99
|
-
return skip_resource
|
|
100
|
+
return skip_resource "The `group` resource is not supported on your OS yet." if @group_provider.nil?
|
|
100
101
|
end
|
|
101
102
|
|
|
102
103
|
# verifies if a group exists
|
|
@@ -105,11 +106,11 @@ module Inspec::Resources
|
|
|
105
106
|
end
|
|
106
107
|
|
|
107
108
|
def gid
|
|
108
|
-
flatten_entry(group_info,
|
|
109
|
+
flatten_entry(group_info, "gid")
|
|
109
110
|
end
|
|
110
111
|
|
|
111
112
|
def members
|
|
112
|
-
flatten_entry(group_info,
|
|
113
|
+
flatten_entry(group_info, "members")
|
|
113
114
|
end
|
|
114
115
|
|
|
115
116
|
def local
|
|
@@ -130,7 +131,7 @@ module Inspec::Resources
|
|
|
130
131
|
elsif entries.size == 1
|
|
131
132
|
entries.first.send(prop)
|
|
132
133
|
else
|
|
133
|
-
raise
|
|
134
|
+
raise "found more than one group with the same name, please use `groups` resource"
|
|
134
135
|
end
|
|
135
136
|
end
|
|
136
137
|
|
|
@@ -148,7 +149,7 @@ module Inspec::Resources
|
|
|
148
149
|
end
|
|
149
150
|
|
|
150
151
|
def groups
|
|
151
|
-
raise
|
|
152
|
+
raise "group provider must implement the `groups` method"
|
|
152
153
|
end
|
|
153
154
|
end
|
|
154
155
|
|
|
@@ -163,7 +164,7 @@ module Inspec::Resources
|
|
|
163
164
|
# This uses `dscacheutil` to get the group info instead of `etc_group`
|
|
164
165
|
class DarwinGroup < GroupInfo
|
|
165
166
|
def groups
|
|
166
|
-
group_info = inspec.command(
|
|
167
|
+
group_info = inspec.command("dscacheutil -q group").stdout.split("\n\n")
|
|
167
168
|
|
|
168
169
|
groups = []
|
|
169
170
|
regex = /^([^:]*?)\s*:\s(.*?)\s*$/
|
|
@@ -172,11 +173,11 @@ module Inspec::Resources
|
|
|
172
173
|
end
|
|
173
174
|
|
|
174
175
|
# Convert the `dscacheutil` groups to match `inspec.etc_group.entries`
|
|
175
|
-
groups.each { |g| g[
|
|
176
|
+
groups.each { |g| g["gid"] = g["gid"].to_i }
|
|
176
177
|
groups.each do |g|
|
|
177
|
-
next if g[
|
|
178
|
-
g[
|
|
179
|
-
g[
|
|
178
|
+
next if g["users"].nil?
|
|
179
|
+
g["members"] = g.delete("users")
|
|
180
|
+
g["members"].tr!(" ", ",")
|
|
180
181
|
end
|
|
181
182
|
end
|
|
182
183
|
end
|
|
@@ -1,12 +1,10 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
require 'utils/simpleconfig'
|
|
4
|
-
require 'utils/file_reader'
|
|
1
|
+
require "inspec/utils/simpleconfig"
|
|
2
|
+
require "inspec/utils/file_reader"
|
|
5
3
|
|
|
6
4
|
class GrubConfig < Inspec.resource(1)
|
|
7
|
-
name
|
|
8
|
-
supports platform:
|
|
9
|
-
desc
|
|
5
|
+
name "grub_conf"
|
|
6
|
+
supports platform: "unix"
|
|
7
|
+
desc "Use the grub_conf InSpec audit resource to test the boot config of Linux systems that use Grub."
|
|
10
8
|
example <<~EXAMPLE
|
|
11
9
|
describe grub_conf('/etc/grub.conf', 'default') do
|
|
12
10
|
its('kernel') { should include '/vmlinuz-2.6.32-573.7.1.el6.x86_64' }
|
|
@@ -28,23 +26,23 @@ class GrubConfig < Inspec.resource(1)
|
|
|
28
26
|
def initialize(path = nil, kernel = nil)
|
|
29
27
|
config_for_platform(path)
|
|
30
28
|
@content = read_file(@conf_path)
|
|
31
|
-
@kernel = kernel ||
|
|
29
|
+
@kernel = kernel || "default"
|
|
32
30
|
rescue UnknownGrubConfig
|
|
33
|
-
|
|
31
|
+
skip_resource "The `grub_config` resource is not supported on your OS yet."
|
|
34
32
|
end
|
|
35
33
|
|
|
36
34
|
def config_for_platform(path)
|
|
37
35
|
os = inspec.os
|
|
38
|
-
if os.redhat? || os[:name] ==
|
|
36
|
+
if os.redhat? || os[:name] == "fedora"
|
|
39
37
|
config_for_redhatish(path)
|
|
40
38
|
elsif os.debian?
|
|
41
|
-
@conf_path = path ||
|
|
42
|
-
@defaults_path =
|
|
43
|
-
@grubenv_path =
|
|
44
|
-
@version =
|
|
45
|
-
elsif os[:name] ==
|
|
46
|
-
@conf_path = path ||
|
|
47
|
-
@version =
|
|
39
|
+
@conf_path = path || "/boot/grub/grub.cfg"
|
|
40
|
+
@defaults_path = "/etc/default/grub"
|
|
41
|
+
@grubenv_path = "/boot/grub2/grubenv"
|
|
42
|
+
@version = "grub2"
|
|
43
|
+
elsif os[:name] == "amazon"
|
|
44
|
+
@conf_path = path || "/etc/grub.conf"
|
|
45
|
+
@version = "legacy"
|
|
48
46
|
else
|
|
49
47
|
raise UnknownGrubConfig
|
|
50
48
|
end
|
|
@@ -52,13 +50,13 @@ class GrubConfig < Inspec.resource(1)
|
|
|
52
50
|
|
|
53
51
|
def config_for_redhatish(path)
|
|
54
52
|
if inspec.os[:release].to_f < 7
|
|
55
|
-
@conf_path = path ||
|
|
56
|
-
@version =
|
|
53
|
+
@conf_path = path || "/etc/grub.conf"
|
|
54
|
+
@version = "legacy"
|
|
57
55
|
else
|
|
58
|
-
@conf_path = path ||
|
|
59
|
-
@defaults_path =
|
|
60
|
-
@grubenv_path =
|
|
61
|
-
@version =
|
|
56
|
+
@conf_path = path || "/boot/grub2/grub.cfg"
|
|
57
|
+
@defaults_path = "/etc/default/grub"
|
|
58
|
+
@grubenv_path = "/boot/grub2/grubenv"
|
|
59
|
+
@version = "grub2"
|
|
62
60
|
end
|
|
63
61
|
end
|
|
64
62
|
|
|
@@ -67,7 +65,7 @@ class GrubConfig < Inspec.resource(1)
|
|
|
67
65
|
end
|
|
68
66
|
|
|
69
67
|
def to_s
|
|
70
|
-
|
|
68
|
+
"Grub Config"
|
|
71
69
|
end
|
|
72
70
|
|
|
73
71
|
private
|
|
@@ -79,10 +77,10 @@ class GrubConfig < Inspec.resource(1)
|
|
|
79
77
|
def grub2_parse_kernel_lines(content, conf)
|
|
80
78
|
menu_entries = extract_menu_entries(content)
|
|
81
79
|
|
|
82
|
-
if @kernel ==
|
|
83
|
-
default_menu_entry(menu_entries, conf[
|
|
80
|
+
if @kernel == "default"
|
|
81
|
+
default_menu_entry(menu_entries, conf["GRUB_DEFAULT"])
|
|
84
82
|
else
|
|
85
|
-
menu_entries.find { |entry| entry[
|
|
83
|
+
menu_entries.find { |entry| entry["name"] == @kernel }
|
|
86
84
|
end
|
|
87
85
|
end
|
|
88
86
|
|
|
@@ -93,7 +91,7 @@ class GrubConfig < Inspec.resource(1)
|
|
|
93
91
|
lines.each_with_index do |line, index|
|
|
94
92
|
next unless line =~ /^menuentry\s+.*/
|
|
95
93
|
entry = {}
|
|
96
|
-
entry[
|
|
94
|
+
entry["insmod"] = []
|
|
97
95
|
|
|
98
96
|
# Extract name from menuentry line
|
|
99
97
|
capture_data = line.match(/(?:^|\s+).*menuentry\s*['|"](.*)['|"]\s*--/)
|
|
@@ -101,20 +99,20 @@ class GrubConfig < Inspec.resource(1)
|
|
|
101
99
|
raise Inspec::Exceptions::ResourceFailed "Failed to extract menuentry name from #{line}"
|
|
102
100
|
end
|
|
103
101
|
|
|
104
|
-
entry[
|
|
102
|
+
entry["name"] = capture_data.captures[0]
|
|
105
103
|
|
|
106
104
|
# Begin processing from index forward until a `}` line is met
|
|
107
|
-
lines.drop(index+1).each do |mline|
|
|
105
|
+
lines.drop(index + 1).each do |mline|
|
|
108
106
|
break if mline =~ /^\s*}\s*$/
|
|
109
107
|
case mline
|
|
110
108
|
when /(?:^|\s*)initrd.*/
|
|
111
|
-
entry[
|
|
109
|
+
entry["initrd"] = mline.split(" ")[1]
|
|
112
110
|
when /(?:^|\s*)linux.*/
|
|
113
|
-
entry[
|
|
111
|
+
entry["kernel"] = mline.split
|
|
114
112
|
when /(?:^|\s*)set root=.*/
|
|
115
|
-
entry[
|
|
113
|
+
entry["root"] = mline.split("=")[1].tr("'", "")
|
|
116
114
|
when /(?:^|\s*)insmod.*/
|
|
117
|
-
entry[
|
|
115
|
+
entry["insmod"] << mline.split(" ")[1]
|
|
118
116
|
end
|
|
119
117
|
end
|
|
120
118
|
|
|
@@ -127,7 +125,7 @@ class GrubConfig < Inspec.resource(1)
|
|
|
127
125
|
def default_menu_entry(menu_entries, default)
|
|
128
126
|
# If the default entry isn't `saved` then a number is used as an index.
|
|
129
127
|
# By default this is `0`, which would be the first item in the list.
|
|
130
|
-
return menu_entries[default.to_i] unless default ==
|
|
128
|
+
return menu_entries[default.to_i] unless default == "saved"
|
|
131
129
|
|
|
132
130
|
grubenv_contents = inspec.file(@grubenv_path).content
|
|
133
131
|
|
|
@@ -137,8 +135,8 @@ class GrubConfig < Inspec.resource(1)
|
|
|
137
135
|
# of these reflect the default Grub2 behavior.
|
|
138
136
|
return menu_entries[0] if grubenv_contents.nil?
|
|
139
137
|
|
|
140
|
-
default_name = SimpleConfig.new(grubenv_contents).params[
|
|
141
|
-
default_entry = menu_entries.select { |k| k[
|
|
138
|
+
default_name = SimpleConfig.new(grubenv_contents).params["saved_entry"]
|
|
139
|
+
default_entry = menu_entries.select { |k| k["name"] == default_name }[0]
|
|
142
140
|
return default_entry unless default_entry.nil?
|
|
143
141
|
|
|
144
142
|
# It is possible for the saved entry to not be valid . For example, grubenv
|
|
@@ -157,14 +155,14 @@ class GrubConfig < Inspec.resource(1)
|
|
|
157
155
|
kernel_opts = {}
|
|
158
156
|
lines.each_with_index do |file_line, index|
|
|
159
157
|
next unless file_line =~ /^title.*/
|
|
160
|
-
current_kernel = file_line.split(
|
|
161
|
-
lines.drop(index+1).each do |kernel_line|
|
|
158
|
+
current_kernel = file_line.split(" ", 2)[1]
|
|
159
|
+
lines.drop(index + 1).each do |kernel_line|
|
|
162
160
|
if kernel_line =~ /^\s.*/
|
|
163
|
-
option_type = kernel_line.split(
|
|
164
|
-
line_options = kernel_line.split(
|
|
165
|
-
if (menu_entry == conf[
|
|
166
|
-
if option_type ==
|
|
167
|
-
kernel_opts[
|
|
161
|
+
option_type = kernel_line.split(" ")[0]
|
|
162
|
+
line_options = kernel_line.split(" ").drop(1)
|
|
163
|
+
if (menu_entry == conf["default"].to_i && @kernel == "default") || current_kernel == @kernel
|
|
164
|
+
if option_type == "kernel"
|
|
165
|
+
kernel_opts["kernel"] = line_options
|
|
168
166
|
else
|
|
169
167
|
kernel_opts[option_type] = line_options[0]
|
|
170
168
|
end
|
|
@@ -187,11 +185,11 @@ class GrubConfig < Inspec.resource(1)
|
|
|
187
185
|
|
|
188
186
|
content = read_file(@conf_path)
|
|
189
187
|
|
|
190
|
-
if @version ==
|
|
188
|
+
if @version == "legacy"
|
|
191
189
|
# parse the file
|
|
192
190
|
conf = SimpleConfig.new(
|
|
193
191
|
content,
|
|
194
|
-
multiple_values: true
|
|
192
|
+
multiple_values: true
|
|
195
193
|
).params
|
|
196
194
|
# convert single entry arrays into strings
|
|
197
195
|
conf.each do |key, value|
|
|
@@ -203,13 +201,13 @@ class GrubConfig < Inspec.resource(1)
|
|
|
203
201
|
@params = conf.merge(kernel_opts)
|
|
204
202
|
end
|
|
205
203
|
|
|
206
|
-
if @version ==
|
|
204
|
+
if @version == "grub2"
|
|
207
205
|
# read defaults
|
|
208
206
|
defaults = read_file(@defaults_path)
|
|
209
207
|
|
|
210
208
|
conf = SimpleConfig.new(
|
|
211
209
|
defaults,
|
|
212
|
-
multiple_values: true
|
|
210
|
+
multiple_values: true
|
|
213
211
|
).params
|
|
214
212
|
|
|
215
213
|
# convert single entry arrays into strings
|