inspec-core 4.3.2 → 4.6.3

data/lib/{resources → inspec/resources}/ksh.rb

@@ -1,13 +1,11 @@
-# encoding: utf-8
-
-require 'utils/command_wrapper'
-require 'resources/command'
+require "inspec/utils/command_wrapper"
+require "inspec/resources/command"
 
 module Inspec::Resources
   class Ksh < Cmd
-    name 'ksh'
-    supports platform: 'unix'
-    desc 'Run a command or script in KornShell.'
+    name "ksh"
+    supports platform: "unix"
+    desc "Run a command or script in KornShell."
     example <<~EXAMPLE
       describe ksh('ls -al /') do
         its('stdout') { should match /bin/ }
@@ -24,7 +22,7 @@ module Inspec::Resources
 
     def initialize(command, options = {})
       @raw_command = command
-      options[:shell] = 'ksh' if options.is_a?(Hash)
+      options[:shell] = "ksh" if options.is_a?(Hash)
       super(CommandWrapper.wrap(command, options))
     end
 

data/lib/{resources → inspec/resources}/limits_conf.rb

@@ -1,14 +1,13 @@
-# encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
 
-require 'utils/simpleconfig'
-require 'utils/file_reader'
+require "inspec/utils/simpleconfig"
+require "inspec/utils/file_reader"
 
 module Inspec::Resources
   class LimitsConf < Inspec.resource(1)
-    name 'limits_conf'
-    supports platform: 'unix'
-    desc 'Use the limits_conf InSpec audit resource to test configuration settings in the /etc/security/limits.conf file. The limits.conf defines limits for processes (by user and/or group names) and helps ensure that the system on which those processes are running remains stable. Each process may be assigned a hard or soft limit.'
+    name "limits_conf"
+    supports platform: "unix"
+    desc "Use the limits_conf InSpec audit resource to test configuration settings in the /etc/security/limits.conf file. The limits.conf defines limits for processes (by user and/or group names) and helps ensure that the system on which those processes are running remains stable. Each process may be assigned a hard or soft limit."
     example <<~EXAMPLE
       describe limits_conf do
         its('*') { should include ['hard','core','0'] }
@@ -18,7 +17,7 @@ module Inspec::Resources
     include FileReader
 
     def initialize(path = nil)
-      @conf_path = path || '/etc/security/limits.conf'
+      @conf_path = path || "/etc/security/limits.conf"
       @content = read_file_content(@conf_path)
     end
 
@@ -34,13 +33,13 @@ module Inspec::Resources
         @content,
         assignment_regex: /^\s*(\S+?)\s+(.*?)\s+(.*?)\s+(.*?)\s*$/,
         key_values: 3,
-        multiple_values: true,
+        multiple_values: true
       )
       @params = conf.params
     end
 
     def to_s
-      'limits.conf'
+      "limits.conf"
     end
   end
 end

data/lib/{resources/login_def.rb → inspec/resources/login_defs.rb}

@@ -1,8 +1,7 @@
-# encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
 
-require 'utils/simpleconfig'
-require 'utils/file_reader'
+require "inspec/utils/simpleconfig"
+require "inspec/utils/file_reader"
 
 # Usage:
 #
@@ -17,10 +16,10 @@ require 'utils/file_reader'
 # end
 
 module Inspec::Resources
-  class LoginDef < Inspec.resource(1)
-    name 'login_defs'
-    supports platform: 'unix'
-    desc 'Use the login_defs InSpec audit resource to test configuration settings in the /etc/login.defs file. The logins.defs file defines site-specific configuration for the shadow password suite on Linux and UNIX platforms, such as password expiration ranges, minimum/maximum values for automatic selection of user and group identifiers, or the method with which passwords are encrypted.'
+  class LoginDefs < Inspec.resource(1)
+    name "login_defs"
+    supports platform: "unix"
+    desc "Use the login_defs InSpec audit resource to test configuration settings in the /etc/login.defs file. The logins.defs file defines site-specific configuration for the shadow password suite on Linux and UNIX platforms, such as password expiration ranges, minimum/maximum values for automatic selection of user and group identifiers, or the method with which passwords are encrypted."
     example <<~EXAMPLE
       describe login_defs do
         its('ENCRYPT_METHOD') { should eq 'SHA512' }
@@ -30,7 +29,7 @@ module Inspec::Resources
     include FileReader
 
     def initialize(path = nil)
-      @conf_path = path || '/etc/login.defs'
+      @conf_path = path || "/etc/login.defs"
       @content = read_file_content(@conf_path)
     end
 
@@ -45,13 +44,13 @@ module Inspec::Resources
       conf = SimpleConfig.new(
         @content,
         assignment_regex: /^\s*(\S+)\s+(\S*)\s*$/,
-        multiple_values: false,
+        multiple_values: false
       )
       @params = conf.params
     end
 
     def to_s
-      'login.defs'
+      "login.defs"
     end
   end
 end

data/lib/{resources → inspec/resources}/mount.rb

@@ -1,12 +1,10 @@
-# encoding: utf-8
-
-require 'utils/simpleconfig'
+require "inspec/utils/simpleconfig"
 
 module Inspec::Resources
   class Mount < Inspec.resource(1)
-    name 'mount'
-    supports platform: 'unix'
-    desc 'Use the mount InSpec audit resource to test if mount points.'
+    name "mount"
+    supports platform: "unix"
+    desc "Use the mount InSpec audit resource to test if mount points."
     example <<~EXAMPLE
       describe mount('/') do
         it { should be_mounted }
@@ -22,7 +20,7 @@ module Inspec::Resources
     def initialize(path)
       @path = path
       @mount_manager = mount_manager_for_os
-      return skip_resource 'The `mount` resource is not supported on your OS yet.' if @mount_manager.nil?
+      return skip_resource "The `mount` resource is not supported on your OS yet." if @mount_manager.nil?
       @file = inspec.backend.file(@path)
     end
 
@@ -61,7 +59,7 @@ module Inspec::Resources
       os = inspec.os
       if os.linux?
         LinuxMounts.new(inspec)
-      elsif ['freebsd'].include?(os[:family])
+      elsif ["freebsd"].include?(os[:family])
         BsdMounts.new(inspec)
       end
     end

data/lib/{resources → inspec/resources}/mssql_session.rb

@@ -1,7 +1,6 @@
-# encoding: utf-8
-
-require 'hashie/mash'
-require 'utils/database_helpers'
+require "inspec/resources/command"
+require "hashie/mash"
+require "inspec/utils/database_helpers"
 
 module Inspec::Resources
   # STABILITY: Experimental
@@ -11,9 +10,8 @@ module Inspec::Resources
   # @see https://docs.microsoft.com/en-us/sql/relational-databases/scripting/sqlcmd-use-the-utility
   # @see https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-connect-and-query-sqlcmd
   class MssqlSession < Inspec.resource(1)
-    name 'mssql_session'
-    supports platform: 'windows'
-    desc 'Use the mssql_session InSpec audit resource to test SQL commands run against a MS Sql Server database.'
+    name "mssql_session"
+    desc "Use the mssql_session InSpec audit resource to test SQL commands run against a MS Sql Server database."
     example <<~EXAMPLE
       # Using SQL authentication
       sql = mssql_session(user: 'myuser', pass: 'mypassword')
@@ -34,22 +32,22 @@ module Inspec::Resources
       @user = opts[:user]
       @password = opts[:password] || opts[:pass]
       if opts[:pass]
-        Inspec.deprecate(:mssql_session_pass_option, 'The mssql_session `pass` option is deprecated. Please use `password`.')
+        Inspec.deprecate(:mssql_session_pass_option, "The mssql_session `pass` option is deprecated. Please use `password`.")
       end
       @local_mode = opts[:local_mode]
       unless local_mode?
-        @host = opts[:host] || 'localhost'
+        @host = opts[:host] || "localhost"
         if opts.key?(:port)
           @port = opts[:port]
         else
-          @port = '1433'
+          @port = "1433"
         end
       end
       @instance = opts[:instance]
       @db_name = opts[:db_name]
 
       # check if sqlcmd is available
-      raise Inspec::Exceptions::ResourceSkipped, 'sqlcmd is missing' unless inspec.command('sqlcmd').exist?
+      raise Inspec::Exceptions::ResourceSkipped, "sqlcmd is missing" unless inspec.command("sqlcmd").exist?
       # check that database is reachable
       raise Inspec::Exceptions::ResourceSkipped, "Can't connect to the MS SQL Server." unless test_connection
     end
@@ -82,7 +80,7 @@ module Inspec::Resources
     end
 
     def to_s
-      'MSSQL session'
+      "MSSQL session"
     end
 
     private
@@ -92,11 +90,11 @@ module Inspec::Resources
     end
 
     def test_connection
-      !query('select getdate()').empty?
+      !query("select getdate()").empty?
     end
 
     def parse_csv_result(cmd)
-      require 'csv'
+      require "csv"
       table = CSV.parse(cmd.stdout, { headers: true })
 
       # remove first row, since it will be a seperator line
@@ -105,13 +103,13 @@ module Inspec::Resources
       # convert to hash
       headers = table.headers
 
-      results = table.map { |row|
+      results = table.map do |row|
         res = {}
-        headers.each { |header|
+        headers.each do |header|
           res[header.downcase] = row[header] if header
-        }
+        end
         Hashie::Mash.new(res)
-      }
+      end
       results
     end
   end

data/lib/inspec/resources/mysql.rb

@@ -0,0 +1,81 @@
+# copyright: 2015, Vulcano Security GmbH
+
+module Inspec::Resources
+  class Mysql < Inspec.resource(1)
+    name "mysql"
+    supports platform: "unix"
+    desc "The 'mysql' resource is a helper for the 'mysql_conf' & 'mysql_session' resources.  Please use those instead."
+
+    attr_reader :package, :service, :conf_dir, :conf_path, :data_dir, :log_dir, :log_path, :log_group, :log_dir_group
+    def initialize
+      # set OS-dependent filenames and paths
+      case inspec.os[:family]
+      when "debian"
+        init_ubuntu
+      when "redhat", "fedora"
+        init_redhat
+      when "arch"
+        init_arch
+      else
+        # TODO: could not detect
+        init_default
+      end
+    end
+
+    def init_ubuntu
+      @package = "mysql-server"
+      @service = "mysql"
+      @conf_path = "/etc/mysql/my.cnf"
+      @conf_dir = "/etc/mysql/"
+      @data_dir = "/var/lib/mysql/"
+      @log_dir = "/var/log/"
+      @log_path = "/var/log/mysql.log"
+      @log_group = "adm"
+      case inspec.os[:release]
+      when "14.04"
+        @log_dir_group = "syslog"
+      else
+        @log_dir_group = "root"
+      end
+    end
+
+    def init_redhat
+      @package = "mysql-server"
+      @service = "mysqld"
+      @conf_path = "/etc/my.cnf"
+      @conf_dir = "/etc/"
+      @data_dir = "/var/lib/mysql/"
+      @log_dir = "/var/log/"
+      @log_path = "/var/log/mysqld.log"
+      @log_group = "mysql"
+      @log_dir_group = "root"
+    end
+
+    def init_arch
+      @package = "mariadb"
+      @service = "mysql"
+      @conf_path = "/etc/mysql/my.cnf"
+      @conf_dir = "/etc/mysql/"
+      @data_dir = "/var/lib/mysql/"
+      @log_dir = "/var/log/"
+      @log_path = "/var/log/mysql.log"
+      @log_group = "mysql"
+      @log_dir_group = "root"
+    end
+
+    def init_default
+      @service = "mysqld"
+      @conf_path = "/etc/my.cnf"
+      @conf_dir = "/etc/"
+      @data_dir = "/var/lib/mysql/"
+      @log_dir = "/var/log/"
+      @log_path = "/var/log/mysqld.log"
+      @log_group = "mysql"
+      @log_dir_group = "root"
+    end
+
+    def to_s
+      "MySQL"
+    end
+  end
+end

data/lib/{resources → inspec/resources}/mysql_conf.rb

@@ -1,11 +1,10 @@
-# encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
 
-require 'utils/simpleconfig'
-require 'utils/find_files'
-require 'utils/file_reader'
-require 'utils/hash'
-require 'resources/mysql'
+require "inspec/utils/simpleconfig"
+require "inspec/utils/find_files"
+require "inspec/utils/file_reader"
+require "inspec/utils/hash"
+require "inspec/resources/mysql"
 
 module Inspec::Resources
   class MysqlConfEntry
@@ -27,10 +26,10 @@ module Inspec::Resources
   end
 
   class MysqlConf < Inspec.resource(1)
-    name 'mysql_conf'
-    supports platform: 'unix'
-    supports platform: 'windows'
-    desc 'Use the mysql_conf InSpec audit resource to test the contents of the configuration file for MySQL, typically located at /etc/mysql/my.cnf or /etc/my.cnf.'
+    name "mysql_conf"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the mysql_conf InSpec audit resource to test the contents of the configuration file for MySQL, typically located at /etc/mysql/my.cnf or /etc/my.cnf."
     example <<~EXAMPLE
       describe mysql_conf('path') do
         its('setting') { should eq 'value' }
@@ -77,7 +76,7 @@ module Inspec::Resources
     end
 
     def read_content
-      @content = ''
+      @content = ""
       @params = {}
 
       to_read = [@conf_path]
@@ -106,13 +105,13 @@ module Inspec::Resources
       dirs = conf.scan(/^!includedir\s+(.*)\s*/).flatten.compact.map { |x| abs_path(reldir, x) }
       dirs.map do |dir|
         # @TODO: non local glob
-        files += find_files(dir, depth: 1, type: 'file')
+        files += find_files(dir, depth: 1, type: "file")
       end
       files
     end
 
     def abs_path(dir, f)
-      return f if f.start_with? '/'
+      return f if f.start_with? "/"
       File.join(dir, f)
     end
 
@@ -121,7 +120,7 @@ module Inspec::Resources
     end
 
     def to_s
-      'MySQL Configuration'
+      "MySQL Configuration"
     end
   end
 end

data/lib/{resources → inspec/resources}/mysql_session.rb

@@ -1,14 +1,14 @@
-# encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
 
-require 'shellwords'
+require "inspec/resources/command"
+require "shellwords"
 
 module Inspec::Resources
   class MysqlSession < Inspec.resource(1)
-    name 'mysql_session'
-    supports platform: 'unix'
-    supports platform: 'windows'
-    desc 'Use the mysql_session InSpec audit resource to test SQL commands run against a MySQL database.'
+    name "mysql_session"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the mysql_session InSpec audit resource to test SQL commands run against a MySQL database."
     example <<~EXAMPLE
       sql = mysql_session('my_user','password','host')
       describe sql.query('show databases like \'test\';') do
@@ -16,17 +16,17 @@ module Inspec::Resources
       end
     EXAMPLE
 
-    def initialize(user = nil, pass = nil, host = 'localhost', port = nil, socket = nil)
+    def initialize(user = nil, pass = nil, host = "localhost", port = nil, socket = nil)
       @user = user
       @pass = pass
       @host = host
       @port = port
       @socket = socket
-      init_fallback if user.nil? or pass.nil?
-      skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? or @pass.nil?
+      init_fallback if user.nil? || pass.nil?
+      skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? || @pass.nil?
     end
 
-    def query(q, db = '')
+    def query(q, db = "")
       mysql_cmd = create_mysql_cmd(q, db)
       cmd = inspec.command(mysql_cmd)
       out = cmd.stdout + "\n" + cmd.stderr
@@ -40,7 +40,7 @@ module Inspec::Resources
     end
 
     def to_s
-      'MySQL Session'
+      "MySQL Session"
     end
 
     private
@@ -49,13 +49,13 @@ module Inspec::Resources
       Shellwords.escape(query)
     end
 
-    def create_mysql_cmd(q, db = '')
+    def create_mysql_cmd(q, db = "")
       # TODO: simple escape, must be handled by a library
       # that does this securely
       escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
 
       # construct the query
-      command = 'mysql'
+      command = "mysql"
       command += " -u#{escape_string(@user)}" unless @user.nil?
       command += " -p#{escape_string(@pass)}" unless @pass.nil?
 
@@ -72,13 +72,13 @@ module Inspec::Resources
 
     def init_fallback
       # support debian mysql administration login
-      return if inspec.platform.in_family?('windows')
-      debian = inspec.command('test -f /etc/mysql/debian.cnf && cat /etc/mysql/debian.cnf').stdout
+      return if inspec.platform.in_family?("windows")
+      debian = inspec.command("test -f /etc/mysql/debian.cnf && cat /etc/mysql/debian.cnf").stdout
       return if debian.empty?
 
       user = debian.match(/^\s*user\s*=\s*([^ ]*)\s*$/)
       pass = debian.match(/^\s*password\s*=\s*([^ ]*)\s*$/)
-      return if user.nil? or pass.nil?
+      return if user.nil? || pass.nil?
       @user = user[1]
       @pass = pass[1]
     end